Module 4: Managing Security
Module 4: Configuring Active Directory Sites and Replication
Module Overview
• Overview of Active Directory Domain Services Replication
• Overview of AD DS Sites and Replication
• Configuring and Monitoring AD DS Replication
Lesson 1: Overview of Active Directory Domain Services Replication
• How Active Directory Replication Works
• How AD DS Replication Works Within a Site
• Resolving Replication Conflicts
• Optimizing Replication
• What Are Directory Partitions?
• What Is Replication Topology?
• How Directory Partitions and the Global Catalog Are Replicated
• How the Replication Topology Is Generated
• Demonstration: Creating and Configuring Connection Objects
How Active Directory Replication Works
Active Directory replication:
• Uses a multimaster model
• Uses pull replication
• Uses store and forward replication
• Uses loose consistency with convergence
Changes that initiate replication include:
• Addition of an object to Active Directory
• Modification of an object’s attribute values
• Deletion of an object from the directory
How AD DS Replication Works Within a Site
In a single site:
• Domain controllers notify their replication partners when updates are applied
• For normal updates, the change notification is sent 15 seconds after the change is applied
• Notifications for security-related changes are sent immediately
• Replication updates are not compressed
Resolving Replication Conflicts
In a multimaster replication model, replication conflicts can arise when:
• The same attribute is changed on two domain controllers simultaneously
• An object is moved or added to a container that has been deleted on another domain controller
• Two objects with the same relative distinguished name are added to the same container on two different domain controllers
To resolve replication conflicts, AD DS uses, in order:
• Version number
• Time stamp
• Server GUID
Optimizing Replication
• In a multimaster replication model, AD DS updates can be replicated using multiple paths
• AD DS uses update sequence numbers, high watermarks, and up-to-dateness vectors to ensure that each update is replicated to a specific domain controller only once
What Are Directory Partitions?
[Diagram: the Active Directory database of an AD DS domain controller or an AD LDS instance, divided into directory partitions]
• Schema (forest): contains the definitions and rules for creating and manipulating objects and attributes
• Configuration (forest): contains information about the Active Directory structure
• Domain (<Domain>): contains information about domain-specific objects
• Application (<Application>): contains information about applications, with configurable replication
[Diagram residue from a trusts slide: Tree/Root Trust, Forest Trust, Parent/Child Trust, Shortcut Trust, Realm Trust, External Trust]
An instance is a set of related directory partitions
• In many cases, an instance can be a domain controller
• In an Active Directory environment, each domain controller holds three directory partitions:
Configuration – The configuration partition stores configuration information related to the forest in which the domain controller exists. It holds configuration objects for things such as sites, services, and directory partitions.
Schema – This partition works like any other database schema. It defines the classes and attributes of every possible object in the whole Active Directory.
Domain – This partition stores the domain-specific objects. These include things such as users, computers, and groups.
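The conflict-resolution order (version, then time stamp, then originating server GUID) and the up-to-dateness vector described above can be observed directly in the replication metadata that every domain controller keeps. The following PowerShell is an added example, not part of the course materials: it assumes the RSAT ActiveDirectory module and read access to replication metadata, and the DC names (NYC-DC1 from the lab, LON-DC1 constructed) and the object DN are placeholders. It also lists which partitions a DC hosts and the replication scope of each, tying the partition slide to the conflict and dampening slides.

```powershell
# Added example, not part of the course materials. Assumes the RSAT
# ActiveDirectory module and rights to read replication metadata. DC names
# (NYC-DC1 from the lab, LON-DC1 constructed) and the object DN are placeholders.
Import-Module ActiveDirectory

# Which partitions a DC hosts, and the replication scope of each one.
function Get-DcPartitionScope {
    param([Parameter(Mandatory)][string]$Server)
    $root = Get-ADRootDSE -Server $Server
    $dc   = Get-ADDomainController -Identity $Server
    foreach ($nc in $dc.Partitions) {
        $scope = if     ($nc -eq $root.schemaNamingContext)        { 'Schema (forest-wide)' }
                 elseif ($nc -eq $root.configurationNamingContext) { 'Configuration (forest-wide)' }
                 elseif ($nc -eq $root.defaultNamingContext)       { 'Domain (domain-wide)' }
                 else                                              { 'Application (configurable scope)' }
        [pscustomobject]@{ Server = $Server; Partition = $nc; Scope = $scope }
    }
}

# Replication metadata for one attribute as seen from several DCs. The three
# fields AD DS compares to settle a conflict are all here: Version (highest
# wins), LastOriginatingChangeTime (latest wins on a tie), and the
# originating DC's invocation ID GUID (highest wins on a double tie).
function Compare-AttributeOrigin {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][string[]]$Servers
    )
    $rows = foreach ($s in $Servers) {
        Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $s |
            Where-Object AttributeName -eq $Attribute |
            Select-Object Server, Version, LastOriginatingChangeTime,
                          LastOriginatingChangeDirectoryServerIdentity,
                          LastOriginatingChangeDirectoryServerInvocationId
    }
    # Converged means every DC reports the same version from the same originating write.
    $groups = $rows | Group-Object Version, LastOriginatingChangeDirectoryServerInvocationId
    if (@($groups).Count -le 1) {
        Write-Host "$Attribute on $ObjectDN has converged on all $($Servers.Count) DCs."
    } else {
        # Apply the same three-step ordering the DCs apply when they replicate.
        $winner = $rows |
            Sort-Object Version, LastOriginatingChangeTime,
                        LastOriginatingChangeDirectoryServerInvocationId -Descending |
            Select-Object -First 1
        $msg = '{0} not yet converged; expected winner: version {1} written on {2} at {3}' -f
               $Attribute, $winner.Version,
               $winner.LastOriginatingChangeDirectoryServerIdentity,
               $winner.LastOriginatingChangeTime
        Write-Warning $msg
    }
    $rows
}

# The up-to-dateness vector: per partition, the highest originating USN this
# DC has already received from every other DC. Partners use it to skip updates
# the destination already holds, which is how propagation dampening works.
function Get-UtdVector {
    param([Parameter(Mandatory)][string]$Server, [string]$Partition = 'Default')
    Get-ADReplicationUpToDatenessVectorTable -Target $Server -Partition $Partition |
        Select-Object Partition, Partner, PartnerInvocationId, UsnFilter, LastReplicationSuccess
}

Get-DcPartitionScope -Server 'NYC-DC1' | Format-Table -AutoSize
Compare-AttributeOrigin -ObjectDN 'CN=Administrator,CN=Users,DC=contoso,DC=com' `
                        -Attribute 'description' -Servers 'NYC-DC1','LON-DC1' | Format-Table -AutoSize
Get-UtdVector -Server 'NYC-DC1' | Format-Table -AutoSize
```

Running Compare-AttributeOrigin against a sensitive attribute (for example the membership of a privileged group) right after a change is a practical way to confirm that every DC has settled on the same originating write before treating the change as effective.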
What Is Replication Topology?
[Diagram: domain controllers A1–A4 and B1–B3 in the same site, from various domains; Domain A topology connects A1–A4, Domain B topology connects B1–B3]
How Directory Partitions and the Global Catalog Are Replicated
[Diagram: domain controllers A1–A4 and B1–B3 from various domains; three of them are global catalog servers. Separate topologies are shown for Domain A, Domain B, the schema and configuration partitions, and global catalog replication]
How the Replication Topology Is Generated
Active Directory uses the KCC (Knowledge Consistency Checker) to establish a replication path between domain controllers
• Each domain controller has two replication partners for each Active Directory partition
• The KCC creates two one-way connection objects between replication partners to ensure that no two domain controllers are ever more than three network hops away
• When a new domain controller is added to a site, the KCC recalculates connection objects
• Connection objects can replicate one or more partitions
How the Replication Topology Is Generated
• The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for generating the replication topology between domain controllers.
• One server per site, known as the Inter-Site Topology Generator (ISTG), is responsible for managing the inbound replication connection objects for all bridgehead servers in the site in which it is located.
Demonstration: Creating and Configuring Connection Objects
In this demonstration, you will see how to create connection objects and configure existing connection objects
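The connection objects the demonstration creates are ordinary nTDSConnection objects under each domain controller's NTDS Settings container, so they can be audited from PowerShell. The script below is an added example, not part of the course materials; it assumes the RSAT ActiveDirectory module, and the DC name is a placeholder. It distinguishes connections the KCC generated from ones created by hand, because a manual connection object is never removed or re-routed by the KCC and therefore deserves periodic review.

```powershell
# Added example, not part of the course materials. Assumes the RSAT
# ActiveDirectory module; 'NYC-DC1' is a placeholder taken from the lab.
Import-Module ActiveDirectory

# Enumerate every connection object in the forest. 'fromServer' is the inbound
# partner's NTDS Settings object. Bit 0x1 of 'options' (NTDSCONN_OPT_IS_GENERATED)
# marks a KCC-generated connection; a clear bit means it was created manually.
# Inter-site connections carry a transportType; intra-site ones do not.
function Get-ConnectionObjectReport {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -LDAPFilter '(objectClass=nTDSConnection)' `
                 -SearchBase "CN=Sites,$cfg" `
                 -Properties fromServer, options, transportType |
    ForEach-Object {
        # DN shape: CN=<conn>,CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
        # (assumes site and server names contain no escaped commas)
        $to   = $_.DistinguishedName -split ',(?=CN=)'
        $from = $_.fromServer        -split ',(?=CN=)'
        [pscustomobject]@{
            ToServer     = $to[2]   -replace '^CN='
            ToSite       = $to[4]   -replace '^CN='
            FromServer   = $from[1] -replace '^CN='
            FromSite     = $from[3] -replace '^CN='
            KccGenerated = [bool]([int]$_.options -band 1)
            InterSite    = [bool]$_.transportType
            Name         = $_.Name
        }
    }
}

Get-ConnectionObjectReport | Sort-Object ToSite, ToServer | Format-Table -AutoSize

# Manually created connections persist until someone deletes them; list them.
Get-ConnectionObjectReport | Where-Object { -not $_.KccGenerated } | Format-Table -AutoSize

# Rebuild the topology on one DC now rather than waiting for the KCC's 15-minute cycle.
repadmin /kcc NYC-DC1
repadmin /showconn NYC-DC1
```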
Lesson 2: Overview of AD DS Sites and Replication
• What Are AD DS Sites and Site Links?
• Discussion: Why Implement Additional Sites?
• Demonstration: Configuring AD DS Sites
• How Replication Works Between Sites
• Comparing Replication Within Sites and Between Sites
• Demonstration: Configuring AD DS Site Links
• What Is the Inter-site Topology Generator?
• How Unidirectional Replication Works
• Sites are used to organize well-connected computers within an organization to optimize network bandwidth. Excessive network traffic can occur between remote locations due to frequent exchange of large amounts of data and directory information.
What Are AD DS Sites and Site Links?
[Diagram: two sites, each containing IP subnets and domain controllers (A1, A2 in one site; B1, B2, B3 in the other), connected by a site link]
Sites:
• Identify network locations with fast, reliable network connections
• Are associated with subnet objects in Active Directory
Use sites to optimize network bandwidth
• Workstation logon traffic
• Replication traffic: when a change occurs in Active Directory, sites can be used to control how and when the change is replicated to domain controllers in another site.
• Distributed File System (DFS) topology: when a shared file or folder has multiple locations, a user is directed to a server in his or her own site. Localizing the availability of servers in a site reduces traffic across slow links.
• File Replication Service (FRS): FRS is used to replicate the contents of the SYSVOL directory, which includes logon and logoff scripts, Group Policy settings, and system policies.
Assess the need for sites
• Available bandwidth
• Anticipated replication traffic
• Placement of domain controllers
Using Site Links in a Network
Factors Affecting Replication
Discussion: Why Implement Additional Sites?
• Why would an organization choose to implement
additional sites?
• What are the benefits and disadvantages of creating
additional sites?
Demonstration: Configuring AD DS Sites
In this demonstration, you will see how to:
• Create sites and subnets
• Move domain controllers to other sites
How Replication Works Between Sites
[Diagram: two sites (A1, A2 and B1, B2, B3) connected by a site link]
You can configure:
• Replication paths between sites
• Replication schedules and frequency
• Replication protocols
Comparing Replication Within Sites and Between Sites
[Diagram: two sites, each with IP subnets and domain controllers A1, A2, B1, B2 replicating within the site and across a site link]
Replication within sites:
• Assumes fast and highly reliable network links
• Does not compress replication traffic
• Uses a change notification mechanism
Replication between sites:
• Assumes limited available bandwidth and unreliable network links
• Compresses all replication traffic between sites (10:1)
• Occurs on a manual schedule
Demonstration: Configuring AD DS Site Links
In this demonstration, you will see how to:
• Configure the default site link
• Create additional site links
• Add sites to the site links
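The two demonstrations in this lesson (creating sites and subnets and moving domain controllers; configuring the default site link, creating additional links and adding sites to them) are one procedure when done from PowerShell. The script below is an added example, not the course's own lab steps; it assumes the RSAT ActiveDirectory module and Enterprise Admin rights, and the site names, subnets, cost, interval and DC name are constructed placeholders (New-York and LON-DC1 echo the lab naming).

```powershell
# Added example, not part of the course materials. Assumes the RSAT
# ActiveDirectory module and Enterprise Admin rights. Site names, subnets,
# cost, interval and the DC name are constructed placeholders.
Import-Module ActiveDirectory

# 1. Create the site and associate its subnets. A subnet that is not defined
#    in AD DS leaves the clients on it with no site, so they may pick a DC
#    across a WAN link instead of a local one.
New-ADReplicationSite   -Name 'London' -Description 'London office'
New-ADReplicationSubnet -Name '10.20.0.0/16'    -Site 'London'
New-ADReplicationSubnet -Name '2001:db8:20::/48' -Site 'London'

# 2. Link the new site to the hub. Inter-site replication runs on the link's
#    schedule and interval (default 180 minutes, available 24x7), compressed,
#    not on change notification.
New-ADReplicationSiteLink -Name 'NewYork-London' `
                          -SitesIncluded 'New-York','London' `
                          -InterSiteTransportProtocol IP `
                          -Cost 100 `
                          -ReplicationFrequencyInMinutes 15

# 3. Take the new site out of DEFAULTIPSITELINK so the only path to it is the
#    link you intended; otherwise the KCC may route through the default link.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = 'London' }

# 4. Move the DC that lives on that subnet into the site. The KCC then
#    recalculates its connection objects.
Move-ADDirectoryServer -Identity 'LON-DC1' -Site 'London'

# Optional: bit 0x1 of the site link's 'options' enables change notification
# across the link, giving intra-site latency at the cost of WAN traffic.
# -Replace overwrites the whole bitmask, so include any other bits you rely on.
Set-ADReplicationSiteLink -Identity 'NewYork-London' -Replace @{ options = 1 }

# Verify: subnets that belong to no site, and the final state of the link.
Get-ADReplicationSubnet -Filter * -Properties Site | Where-Object { -not $_.Site }
Get-ADReplicationSiteLink -Identity 'NewYork-London' -Properties options |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded, options
```

Step 3 is the one most often skipped: a site left in both DEFAULTIPSITELINK and a dedicated link gives the ISTG two candidate paths, and the replication flow you observe may not be the one you designed.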
What Is the Inter-site Topology Generator?
[Diagram: two sites, each with IP subnets, domain controllers A1, A2 and B1, B2, an inter-site topology generator, and a bridgehead server replicating across the site link]
• The inter-site topology generator defines the replication between sites on a network
How Unidirectional Replication Works
• Unidirectional replication ensures that changes to a read-only domain controller are never replicated to any other domain controller
Lesson 3: Configuring and Monitoring AD DS Replication
• What Is a Bridgehead Server?
• Demonstration: Configuring Bridgehead Servers
• Demonstration: Configuring Replication Availability and Scheduling
• What Is Site Link Bridging?
• Demonstration: Modifying Site Link Bridges
• What Is Universal Group Membership Caching?
• Demonstration: Configuring Universal Group Membership Caching
• Demonstration: Tools for Monitoring and Managing Replication
What Is a Bridgehead Server?
[Diagram: two sites with IP subnets; bridgehead servers A1 and B1 replicate across the site link on behalf of their sites]
A bridgehead server:
• Sends and receives replicated data
• Is designated for each partition in the site
Demonstration: Configuring Bridgehead Servers
In this demonstration, you will see how to configure
bridgehead servers
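Designating a preferred bridgehead server, as in the demonstration above and in the first lab review question (forcing all New-York replication through NYC-DC2), is done on the server object under CN=Sites. The PowerShell below is an added example, not the course's demonstration script; it assumes the RSAT ActiveDirectory module and that the forest, apart from the NYC-DC2 and New-York names taken from the lab review, is a placeholder.

```powershell
# Added example, not part of the course materials. Assumes the RSAT
# ActiveDirectory module; 'NYC-DC2' and 'New-York' come from the lab review,
# the rest of the forest is a placeholder.
Import-Module ActiveDirectory

# A preferred bridgehead is recorded on the *server* object (not NTDS Settings)
# as bridgeheadTransportList = DN of the inter-site transport (IP here).
function Set-PreferredBridgehead {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$Site)
    $cfg      = (Get-ADRootDSE).configurationNamingContext
    $serverDN = "CN=$Server,CN=Servers,CN=$Site,CN=Sites,$cfg"
    $ipXport  = "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg"
    Set-ADObject -Identity $serverDN -Add @{ bridgeheadTransportList = $ipXport }
}

# Clearing the attribute hands the choice back to the ISTG.
function Clear-PreferredBridgehead {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$Site)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Set-ADObject -Identity "CN=$Server,CN=Servers,CN=$Site,CN=Sites,$cfg" -Clear bridgeheadTransportList
}

# Every server currently marked as a preferred bridgehead, with its site.
function Get-PreferredBridgehead {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))' `
                 -SearchBase "CN=Sites,$cfg" -Properties bridgeheadTransportList |
        Select-Object Name,
            @{ n = 'Site'; e = { ($_.DistinguishedName -split ',')[2] -replace '^CN=' } }
}

Set-PreferredBridgehead -Server 'NYC-DC2' -Site 'New-York'
Get-PreferredBridgehead | Format-Table -AutoSize

# Cross-check which bridgeheads the ISTG actually selected and whether they are failing.
repadmin /bridgeheads /verbose
```

The trade-off to keep in mind: when preferred bridgeheads are configured and every preferred bridgehead for a partition in that site is unavailable, the ISTG does not substitute another domain controller, so inter-site replication of that partition stops until one of them is back. Monitor the preferred servers accordingly, or designate more than one.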
Demonstration: Configuring Replication Availability and Frequency
In this demonstration, you will see how to configure the site link object to manage replication between sites
What Is Site Link Bridging?
[Diagram: Site A (A1, A2), Site B (B1, B2, B3) and Site C (C1, C2), each with IP subnets; Site Link AB joins A and B, Site Link BC joins B and C, and a site link bridge spans both links so A and C can replicate through B]
Demonstration: Modifying Site Link Bridges
In this demonstration, you will see how to:
• Disable site link bridging
• Create a new site link bridge
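Both steps of the demonstration (disabling automatic site link bridging, then creating an explicit bridge) are shown below as an added PowerShell example that is not part of the course materials. It assumes the RSAT ActiveDirectory module and Enterprise Admin rights; the site link names are the ones in the diagram (Site Link AB, Site Link BC) and the bridge name is constructed.

```powershell
# Added example, not part of the course materials. Assumes the RSAT
# ActiveDirectory module and Enterprise Admin rights. 'Site Link AB' and
# 'Site Link BC' are from the slide diagram; the bridge name is constructed.
Import-Module ActiveDirectory

$cfg         = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg"

# By default all IP site links are bridged (transitive). Bit 0x2 of the
# transport's 'options' attribute turns that off, so replication may only
# follow links you bridge explicitly. That matches a network that is not
# fully routed between every pair of sites.
function Disable-SiteLinkBridging {
    $t = Get-ADObject -Identity $ipTransport -Properties options
    Set-ADObject -Identity $ipTransport -Replace @{ options = ([int]$t.options -bor 2) }
}

function Enable-SiteLinkBridging {
    $t = Get-ADObject -Identity $ipTransport -Properties options
    Set-ADObject -Identity $ipTransport -Replace @{ options = ([int]$t.options -band (-bnot 2)) }
}

# $true when automatic bridging is still in effect.
function Test-SiteLinkBridging {
    $t = Get-ADObject -Identity $ipTransport -Properties options
    -not ([int]$t.options -band 2)
}

Disable-SiteLinkBridging
Test-SiteLinkBridging   # expected: False

# With automatic bridging off, let Site A and Site C replicate through Site B.
# The bridged path costs the sum of the two link costs and replicates at the
# slower of their intervals.
New-ADReplicationSiteLinkBridge -Name 'AB-BC' -SiteLinksIncluded 'Site Link AB','Site Link BC'
Get-ADReplicationSiteLinkBridge -Filter * | Select-Object Name, SiteLinksIncluded
```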
What Is Universal Group Membership Caching?
[Diagram: a site containing a global catalog server (A1) and a bridgehead server (A2), linked to a second site whose bridgehead server (B1) has no global catalog server]
• Enables domain controllers in a site with no global catalog servers to cache universal group membership
Demonstration: Configuring Universal Group Membership Caching
In this demonstration, you will see how to:
• Configure universal group membership caching for a site
• Configure the source for caching
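The two demonstration steps map onto two parameters of Set-ADReplicationSite. The PowerShell below is an added example, not the course's demonstration; it assumes the RSAT ActiveDirectory module, and the site names Miami and New-York are placeholders modelled on the lab naming. It also adds the check a practitioner wants first: which sites have no global catalog server and are therefore candidates for caching.

```powershell
# Added example, not part of the course materials. Assumes the RSAT
# ActiveDirectory module; 'Miami' and 'New-York' are placeholders.
Import-Module ActiveDirectory

# Sites in the current domain that contain no global catalog server. In a
# multi-domain forest a DC that cannot reach a GC (and has no cache) cannot
# evaluate universal group membership at logon, so logons in that site fail
# when the WAN to the GC is down.
function Get-SitesWithoutGlobalCatalog {
    $gcSites = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
               Select-Object -ExpandProperty Site -Unique
    Get-ADReplicationSite -Filter * | Where-Object { $_.Name -notin $gcSites } |
        Select-Object -ExpandProperty Name
}

# Enable caching for the site and point the refresh at a site that has a GC.
function Enable-UniversalGroupCaching {
    param([Parameter(Mandatory)][string]$Site, [Parameter(Mandatory)][string]$RefreshFromSite)
    Set-ADReplicationSite -Identity $Site `
                          -UniversalGroupCachingEnabled $true `
                          -UniversalGroupCachingRefreshSite $RefreshFromSite
}

Get-SitesWithoutGlobalCatalog
Enable-UniversalGroupCaching -Site 'Miami' -RefreshFromSite 'New-York'

# Verify the setting across all sites.
Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite |
    Select-Object Name, UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite
```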
Demonstration: Tools for Monitoring and Managing Replication
In this demonstration, you will see how to:
• Identify the domain controller holding the ISTG role
• Force the KCC to run, and force replication
• Use Repadmin, NLTest, and DCDiag
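The monitoring demonstration above, together with the earlier slide on the inter-site topology generator, is covered by the following added PowerShell example (not part of the course materials). It assumes the RSAT ActiveDirectory module plus the repadmin, dcdiag and nltest tools; the DC, site and domain names are placeholders (NYC-DC1 and New-York echo the lab, contoso.com is constructed).

```powershell
# Added example, not part of the course materials. Assumes the RSAT
# ActiveDirectory module and the repadmin/dcdiag/nltest tools. DC, site and
# domain names are placeholders.
Import-Module ActiveDirectory

# The ISTG for a site is stored on the site's NTDS Site Settings object as the
# DN of the ISTG's own NTDS Settings object.
function Get-Istg {
    param([Parameter(Mandatory)][string]$Site)
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$Site,CN=Sites,$cfg" `
                             -Properties interSiteTopologyGenerator
    # DN shape: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    ($settings.interSiteTopologyGenerator -split ',(?=CN=)')[1] -replace '^CN='
}

# One view of a DC's replication health: current failures, then the last
# successful replication and consecutive failure count per inbound partner.
function Get-ReplicationHealth {
    param([Parameter(Mandatory)][string]$Server)
    Get-ADReplicationFailure -Target $Server |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
    Get-ADReplicationPartnerMetadata -Target $Server -Partition * |
        Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult,
                      ConsecutiveReplicationFailures
}

Get-Istg -Site 'New-York'
Get-ReplicationHealth -Server 'NYC-DC1' | Format-Table -AutoSize

# Command-line equivalents used in the demonstration:
repadmin /istg                    # ISTG for every site
repadmin /kcc NYC-DC1             # run the KCC now instead of waiting for its cycle
repadmin /syncall NYC-DC1 /AdeP   # all partitions, DN output, across sites, push
repadmin /replsummary             # forest-wide failure summary and largest deltas
repadmin /showrepl NYC-DC1        # inbound partners and last attempt, per partition
dcdiag /test:replications /s:NYC-DC1
nltest /dsgetsite                 # the site this computer believes it is in
nltest /dclist:contoso.com        # DCs for the domain (placeholder name)
```

A non-zero ConsecutiveReplicationFailures or a LastReplicationSuccess older than the tombstone lifetime is the condition to alert on; a DC left in that state long enough is the usual root of lingering objects.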
Lab: Configuring Active Directory Sites and Replication
• Exercise 1: Configuring AD DS Sites and Subnets
• Exercise 2: Configuring AD DS Replication
• Exercise 3: Monitoring AD DS Replication
Logon information
Virtual machines: NYC-DC1, LONDC1, MIA-RODC, NYC-RAS
User name: Administrator
Password: Pa$$w0rd
Estimated time: 60 minutes
Lab Review
• What additional changes would you need to make to the
AD DS site configuration if you needed to ensure that all
replication traffic in the New-York site passed through
NYC-DC2?
• What additional changes would you need to make if you
implemented another WAN connection between Tokyo and
London, and wanted to use that WAN connection for AD
DS replication instead of routing all replication changes
through NewYork-Site?
• Why did you force the domain controllers in the lab to
update their IP addresses in DNS?
Module Review and Takeaways
• Review questions
• Considerations for configuring AD DS sites and replication
• Tools
Beta Feedback Tool
The beta feedback tool helps:
• Collect student roster information, module feedback, and course evaluations.
• Identify and sort the changes that students request, thereby facilitating a quick team triage.
• Save data to a database in SQL Server that you can later query.
Walkthrough of the tool
Beta Feedback
Overall flow of module:
• Which topics did you think flowed smoothly, from topic to topic?
• Was something taught out of order?
Pacing:
• Were you able to keep up? Are there any places where the pace felt too slow?
• Were you able to process what the instructor said before moving on to the next topic?
• Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
Learner activities:
• Which demos helped you learn the most? Why do you think that is?
• Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
• Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren’t helpful?