Module 4: Managing Security


Module 4: Configuring Active Directory Sites and Replication
Module Overview
• Overview of Active Directory Domain Services Replication
• Overview of AD DS Sites and Replication
• Configuring and Monitoring AD DS Replication
Lesson 1: Overview of Active Directory Domain Services Replication
• How Active Directory Replication Works
• How AD DS Replication Works Within a Site
• Resolving Replication Conflicts
• Optimizing Replication
• What Are Directory Partitions?
• What Is Replication Topology?
• How Directory Partitions and the Global Catalog Are Replicated
• How the Replication Topology Is Generated
• Demonstration: Creating and Configuring Connection Objects
How Active Directory Replication Works
Active Directory replication:
• Uses a multimaster model: any writable domain controller can originate a change
• Uses pull replication: a domain controller requests changes from its partners rather than having changes pushed to it
• Uses store and forward replication: a domain controller forwards the changes it has received to its own partners, so the originating domain controller does not have to contact every replica
• Uses loose consistency with convergence: replicas may differ for a short time, but all reach the same state once replication completes
Changes that initiate replication include:
• Addition of an object to Active Directory
• Modification of an object's attribute values
• Deletion of an object from the directory (the deletion itself is replicated; the object is not simply removed from one replica)
How AD DS Replication Works Within a Site
In a single site:
• Domain controllers notify their replication partners when updates are applied, and the partners then pull the changes
• For normal updates, the change notification is sent 15 seconds after the change is applied (and to each further partner 3 seconds after the previous one)
• Urgent replication for security-related changes, such as account lockouts and changes to the domain password or lockout policy and to LSA secrets, skips this delay and is sent immediately; password changes are also sent immediately to the PDC emulator
• Replication updates within a site are not compressed
Resolving Replication Conflicts
In a multimaster replication model, replication conflicts can arise when:
• The same attribute is changed on two domain controllers before either change has replicated to the other
• An object is moved or added to a container that has been deleted on another domain controller (the object is then placed in the LostAndFound container)
• Two objects with the same relative distinguished name are added to the same container on two different domain controllers (the losing object is renamed with a CNF: suffix and its object GUID)
To resolve replication conflicts, AD DS compares, in this order:
• Version number of the attribute (higher wins)
• Time stamp of the originating write (later wins)
• Server GUID of the originating domain controller (higher wins, as the final tie-breaker)
Because the version number is compared first, the later write does not automatically win: an attribute that has been written twice on one domain controller since the last convergence beats a single, more recent write on another.
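As an added example (not part of the course material), the following PowerShell reproduces the conflict-resolution order above using the values that Get-ADReplicationAttributeMetadata returns for an attribute, then queries one attribute of one object from two domain controllers. The object, attribute and server names are assumptions for the example, and [guid]::CompareTo is used as a deterministic stand-in for the directory's own byte-wise GUID comparison.

```powershell
# Added example: how AD DS picks the winning write for a non-linked attribute, using
# the replication metadata each domain controller keeps for that attribute.
Import-Module ActiveDirectory

function Resolve-AdAttributeConflict {
    param(
        [Parameter(Mandatory)] $A,   # metadata row from Get-ADReplicationAttributeMetadata on DC A
        [Parameter(Mandatory)] $B    # metadata row for the same object/attribute on DC B
    )
    # 1. Version number: every originating write increments it; the higher version wins.
    if ($A.Version -ne $B.Version) {
        if ($A.Version -gt $B.Version) { return $A } else { return $B }
    }
    # 2. Time stamp: same version, so the later originating write wins.
    if ($A.LastOriginatingChangeTime -ne $B.LastOriginatingChangeTime) {
        if ($A.LastOriginatingChangeTime -gt $B.LastOriginatingChangeTime) { return $A } else { return $B }
    }
    # 3. Server GUID: same version and time stamp, so the originating DSA's invocation ID
    #    decides. [guid]::CompareTo is a deterministic stand-in for the directory's
    #    byte-wise comparison (assumption for this example).
    $ga = [guid]$A.LastOriginatingChangeDirectoryServerInvocationId
    $gb = [guid]$B.LastOriginatingChangeDirectoryServerInvocationId
    if ($ga.CompareTo($gb) -ge 0) { return $A } else { return $B }
}

# Assumed object, attribute and domain controllers. userAccountControl is a non-linked
# attribute, so a single metadata row describes the whole value on each controller.
$objectDn  = "CN=svc-backup,OU=Service Accounts,DC=contoso,DC=com"
$attribute = "userAccountControl"

$onNyc = Get-ADReplicationAttributeMetadata -Object $objectDn -Server NYC-DC1 -Attribute $attribute
$onLon = Get-ADReplicationAttributeMetadata -Object $objectDn -Server LON-DC1 -Attribute $attribute

$winner = Resolve-AdAttributeConflict -A $onNyc -B $onLon
$winner | Select-Object Server, Version, LastOriginatingChangeTime,
                        LastOriginatingChangeDirectoryServerIdentity, AttributeValue
```

Once both controllers have converged the two rows are identical and the "winner" is simply the current value. What stays useful is LastOriginatingChangeDirectoryServerIdentity together with LastOriginatingChangeTime: they record on which domain controller, and when, a change to a sensitive attribute was originally written, which is the first question to answer when an account's flags or group membership changed unexpectedly.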
Optimizing Replication
• In a multimaster replication model, an AD DS update can reach a domain controller by multiple paths
• AD DS uses update sequence numbers (USNs), high-watermark values (the last USN received from each partner), and up-to-dateness vectors (the highest originating USN already seen from every domain controller) to ensure that an update is applied to a given domain controller only once, whatever path it took (propagation dampening)
What Are Directory Partitions?
The Active Directory database on every domain controller is divided into directory partitions, each with its own replication scope:
• Schema partition (forest-wide): definitions and rules for creating and manipulating objects and attributes
• Configuration partition (forest-wide): information about the Active Directory structure, including sites, site links and connection objects
• Domain partition, one per <Domain> (replicated to every domain controller in that domain): information about domain-specific objects
• Application partitions, <Application> (configurable replication scope, for example the DNS zone partitions): information about applications
What Is Replication Topology?
[Figure: replication topology. Domain controllers A1 to A4 form the Domain A topology and B1 to B3 form the Domain B topology. Domain controllers in the same domain replicate the domain partition among themselves; domain controllers from various domains share only the forest-wide partitions.]
How Directory Partitions and the Global Catalog Are Replicated
[Figure: the same domain controllers A1 to A4 and B1 to B3, three of which are marked as global catalog servers. Four overlapping topologies are drawn: the Domain A topology, the Domain B topology, the schema and configuration topology that spans domain controllers from various domains, and global catalog replication, which carries a partial, read-only replica of every domain partition to each global catalog server.]
How the Replication Topology Is Generated
Active Directory uses the Knowledge Consistency Checker (KCC), a process that runs on every domain controller (by default every 15 minutes), to establish a replication path between domain controllers
• Within a site, each domain controller has at least two replication partners for each Active Directory partition, forming a ring
• The KCC creates one-way (inbound) connection objects between replication partners, two for each pair, and adds extra connections so that no two domain controllers are ever more than three hops apart
• When a domain controller is added to or removed from a site, the KCC recalculates the connection objects
• A single connection object can replicate one or more partitions
Demonstration: Creating and Configuring Connection Objects
In this demonstration, you will see how to create connection
objects and configure existing connection objects
Lesson 2: Overview of AD DS Sites and Replication
• What Are AD DS Sites and Site Links?
• Discussion: Why Implement Additional Sites?
• Demonstration: Configuring AD DS Sites
• How Replication Works Between Sites
• Comparing Replication Within Sites and Between Sites
• Demonstration: Configuring AD DS Site Links
• What Is the Inter-site Topology Generator?
• How Unidirectional Replication Works
What Are AD DS Sites and Site Links?
Sites:
• Identify network locations with fast, reliable network connections
• Are associated with subnet objects in Active Directory
[Figure: two sites, each containing IP subnets and domain controllers (A1 and A2 in one, B1, B2 and B3 in the other), joined by a site link.]
Discussion: Why Implement Additional Sites?
• Why would an organization choose to implement
additional sites?
• What are the benefits and disadvantages of creating
additional sites?
Demonstration: Configuring AD DS Sites
In this demonstration, you will see how to:
• Create sites and subnets
• Move domain controllers to other sites
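As an added example (not the demonstration's own steps), this PowerShell carries out the same procedure with the ActiveDirectory module: create a site and its subnet, move a domain controller into it, and then check for subnets that are not mapped to any site. The site, subnet and server names are assumptions.

```powershell
# Added example: create a site and its subnet, move a domain controller into it,
# and check for subnets that are not mapped to any site. Names are assumptions.
Import-Module ActiveDirectory

$siteName = "Miami-Site"
$subnet   = "10.20.0.0/16"
$dcName   = "MIA-RODC"

# The site object lives in the configuration partition; on its own it routes nothing.
New-ADReplicationSite -Name $siteName -Description "Miami office (example)"

# Clients and domain controllers are placed in a site by matching their IP address to a subnet.
New-ADReplicationSubnet -Name $subnet -Site $siteName -Location "Miami, FL"

# Moving the server object changes the DC's site; the KCC rebuilds its connection objects afterwards.
Move-ADDirectoryServer -Identity $dcName -Site $siteName

# Verify the move from the directory's point of view.
Get-ADDomainController -Identity $dcName | Select-Object Name, Site, IPv4Address, IsReadOnly

# Check: subnets without a site. Hosts on them are not site-aware and may authenticate
# against a domain controller in any site, which is slow and hard to reason about.
function Get-AdSubnetWithoutSite {
    Get-ADReplicationSubnet -Filter * -Properties Site | Where-Object { -not $_.Site }
}
Get-AdSubnetWithoutSite | Select-Object Name, Location
```

Clients that connect from addresses outside every defined subnet are recorded by the Netlogon service (event ID 5807 and %SystemRoot%\debug\netlogon.log), so that log is the practical source for finding the subnets that still need to be created.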
How Replication Works Between Sites
You can configure:
• Replication paths between sites
• Replication schedules and frequency
• Replication protocols
[Figure: two sites (domain controllers A1, A2 and B1, B2, B3) connected by a site link.]
Comparing Replication Within Sites and Between Sites
Replication within sites:
• Assumes fast and highly reliable network links
• Does not compress replication traffic
• Uses a change notification mechanism
Replication between sites:
• Assumes limited available bandwidth and unreliable network links
• Compresses all replication traffic between sites (by default; compression can be disabled per site link)
• Occurs on the schedule and at the interval configured on the site link rather than on change notification, unless notification is enabled on the site link
[Figure: domain controllers A1 and A2 replicating within one site and B1 and B2 within another, each on its own IP subnets, with site-to-site replication shown separately.]
Demonstration: Configuring AD DS Site Links
In this demonstration, you will see how to:
• Configure the default site link
• Create additional site links
• Add sites to the site links
What Is the Inter-site Topology Generator?
• The inter-site topology generator (ISTG) is the one domain controller per site whose KCC defines the replication between sites on a network: it selects the bridgehead servers for its site and creates the inter-site connection objects
[Figure: two sites, each with a bridgehead server (A1 and B1) that replicates with the other site's bridgehead, while A2 and B2 replicate only within their own site; one domain controller in each site is marked as the inter-site topology generator.]
How Unidirectional Replication Works
• Unidirectional replication ensures that changes to a read-only domain controller are never replicated to any other domain controller: an RODC holds a read-only replica, has only inbound connection objects, and writable domain controllers never pull from it
Lesson 3: Configuring and Monitoring AD DS Replication
• What Is a Bridgehead Server?
• Demonstration: Configuring Bridgehead Servers
• Demonstration: Configuring Replication Availability and Scheduling
• What Is Site Link Bridging?
• Demonstration: Modifying Site Link Bridges
• What Is Universal Group Membership Caching?
• Demonstration: Configuring Universal Group Membership Caching
• Demonstration: Tools for Monitoring and Managing Replication
What Is a Bridgehead Server?
A bridgehead server:
• Sends and receives replicated data on behalf of its site
• Is designated for each partition in the site
[Figure: two sites; A1 and B1 are the bridgehead servers, and replication between the sites flows only between them.]
Demonstration: Configuring Bridgehead Servers
In this demonstration, you will see how to configure
bridgehead servers
Demonstration: Configuring Replication Availability and Scheduling
In this demonstration, you will see how to configure the site
link object to manage replication between sites
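As an added example (not the demonstration's own steps), this PowerShell covers both the site link demonstration and this one: it creates a site link, sets its cost and interval, restricts replication to a nightly window, and enables change notification on the link. The site and link names are assumptions. The security-relevant point is the last step: urgent replication (account lockouts, password and lockout policy changes) does not cross a site link on its own; without notification those changes wait for the next scheduled interval.

```powershell
# Added example: create a site link, then set its cost, interval, replication window and
# change-notification option. Site and link names are assumptions.
Import-Module ActiveDirectory

$linkName = "NYC-LON"

# Cost decides which path the ISTG prefers when more than one exists; the interval is how often
# the bridgehead servers poll each other inside the allowed schedule (default 180 minutes).
New-ADReplicationSiteLink -Name $linkName -SitesIncluded "NewYork-Site","London-Site" `
    -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# Replication window 20:00 to 06:00. ActiveDirectorySchedule is a grid of 15-minute slots and
# SetDailySchedule only accepts from <= to, so the window is built from two non-wrapping ranges;
# the end slot is inclusive, so 05:45 is the last slot before 06:00.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()   # start from "never"
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Zero,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Five,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule

# Change notification across the link: bit 0x1 (USE_NOTIFY) of the link's options attribute.
# The remote bridgehead is then notified as within a site instead of waiting for the interval,
# which is what lets urgent changes such as lockouts cross the link promptly. Bit 0x4 would
# disable compression, so only the notify bit is OR-ed in and the other bits are preserved.
function Enable-AdSiteLinkNotification {
    param([Parameter(Mandatory)][string]$Name)
    $link = Get-ADReplicationSiteLink -Identity $Name -Properties options
    $opts = [int]$link.options -bor 0x1
    Set-ADReplicationSiteLink -Identity $Name -Replace @{ options = $opts }
}
Enable-AdSiteLinkNotification -Name $linkName

# Verify the resulting link settings.
Get-ADReplicationSiteLink -Identity $linkName -Properties options, ReplicationFrequencyInMinutes, Cost |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, options
```

Enabling notification trades the bandwidth saving of batching for timeliness; it is the usual choice for links between well-connected data centres and is worth enabling wherever a lockout or password reset in one site must take effect in another without a delay of up to one interval.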
What Is Site Link Bridging?
[Figure: three sites. Site A (A1, A2) and Site B (B1, B2, B3) are joined by Site Link AB; Site B and Site C (C1, C2) are joined by Site Link BC. A site link bridge spanning Site Link AB and Site Link BC makes the two links transitive, so Site A and Site C can replicate by way of Site B without a direct site link.]
Demonstration: Modifying Site Link Bridges
In this demonstration, you will see how to:
• Disable site link bridging
• Create a new site link bridge
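As an added example (not the demonstration's own steps), this PowerShell performs both steps: it turns off automatic bridging of all site links on the IP transport, so site links stop being transitive, and then creates one explicit bridge. The bridge and site link names are assumptions; the transport's options bit values are those documented for the interSiteTransport object.

```powershell
# Added example: disable "bridge all site links" on the IP transport and create one
# explicit bridge, so replication can only transit the sites you have named.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# Bit 0x2 (BRIDGES_REQUIRED) on the transport's options attribute disables automatic bridging.
# Other bits are preserved by OR-ing rather than overwriting the value.
function Disable-AdAutomaticSiteLinkBridging {
    $t = Get-ADObject -Identity $ipTransport -Properties options
    Set-ADObject -Identity $ipTransport -Replace @{ options = ([int]$t.options -bor 0x2) }
}
Disable-AdAutomaticSiteLinkBridging

# With bridging off, site links are no longer transitive: A-B and B-C do not imply an A-C path.
# This bridge restores that path for these two links only (link names are assumptions).
New-ADReplicationSiteLinkBridge -Name "AB-BC" -SiteLinksIncluded "Site Link AB","Site Link BC" `
    -InterSiteTransportProtocol IP

# Review: is automatic bridging on, and which explicit bridges exist?
function Get-AdSiteLinkBridgingState {
    $t = Get-ADObject -Identity $ipTransport -Properties options
    [pscustomobject]@{
        AutomaticBridging = -not ([int]$t.options -band 0x2)
        Bridges           = (Get-ADReplicationSiteLinkBridge -Filter * | Select-Object -ExpandProperty Name)
    }
}
Get-AdSiteLinkBridgingState
```

Once automatic bridging is off, the ISTG can only route replication along paths you have declared, so a site that should never carry another site's replication (a small branch, a partner-connected location) is simply left out of every bridge. Check the output of Get-AdSiteLinkBridgingState after the change and confirm with repadmin /showrepl that every site still has an inbound partner.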
What Is Universal Group Membership Caching?
• Enables domain controllers in a site with no global catalog servers to cache universal group membership, so users can log on even when the link to the global catalog server is unavailable
• The cache is refreshed from the configured global catalog site periodically (every 8 hours by default), so a user removed from a universal group can keep that membership at such a site until the next refresh
[Figure: a site with a global catalog server (A1, A2) and a second site without one (B1), each with its bridgehead server, connected across IP subnets; B1 caches universal group membership obtained from the global catalog server.]
Demonstration: Configuring Universal Group Membership Caching
In this demonstration, you will see how to:
• Configure universal group membership caching for a site
• Configure the source for caching
Demonstration: Tools for Monitoring and Managing Replication
In this demonstration you will see how to:
• Identify the domain controller holding the ISTG role
• Force the KCC to run, and how to force replication
• Use Repadmin, NLTest, and DCDiag
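As an added example (not the demonstration's own steps), this PowerShell does what the demonstration lists, and also serves the earlier connection-object demonstration: it finds the ISTG of a site, lists every connection object and flags any whose source is not a domain controller the forest knows about, queries reported replication failures, and then forces the KCC and a synchronisation with repadmin, dcdiag and nltest. The site and server names are assumptions.

```powershell
# Added example: find the ISTG for a site, flag connection objects whose source is not a
# known domain controller, list replication failures, then force the KCC and a sync.
Import-Module ActiveDirectory

# The ISTG is recorded as the DN of an NTDS Settings object on the site's NTDS Site Settings.
function Get-AdSiteIstg {
    param([Parameter(Mandatory)][string]$SiteName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$configNC" `
        -Properties interSiteTopologyGenerator
    # "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,..." -> "<server>"
    $settings.interSiteTopologyGenerator -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
}

# Every connection object names the partner it pulls from. Compare those sources with the
# domain controllers the forest actually knows about; anything else deserves investigation,
# because a connection object is all that is needed for a host to be replicated from.
function Get-AdUnexpectedReplicationSource {
    $known = foreach ($d in (Get-ADForest).Domains) {
        (Get-ADDomainController -Filter * -Server $d).Name
    }
    foreach ($c in Get-ADReplicationConnection -Filter *) {
        $from = $c.ReplicateFromDirectoryServer -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
        $to   = $c.ReplicateToDirectoryServer   -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
        if ($known -notcontains $from) {
            [pscustomobject]@{ Connection = $c.Name; From = $from; To = $to; AutoGenerated = $c.AutoGenerated }
        }
    }
}

Get-AdSiteIstg -SiteName "NewYork-Site"      # site name is an assumption
Get-AdUnexpectedReplicationSource            # no output means every source is a known DC

# Replication failures as each domain controller in this domain reports them.
Get-ADDomainController -Filter * | ForEach-Object { Get-ADReplicationFailure -Target $_.HostName }

# Force the KCC on one DC, pull every partition from all partners across sites, then summarise.
repadmin /kcc NYC-DC1
repadmin /syncall NYC-DC1 /AdeP
repadmin /replsummary
dcdiag /s:NYC-DC1 /test:Replications
nltest /dsgetsite
```

Run Get-AdUnexpectedReplicationSource on a schedule and keep the list of connection objects under change control: the KCC regenerates its own (AutoGenerated is true), so a manually created connection that nobody can account for is the item to follow up.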
Lab: Configuring Active Directory Sites and Replication
• Exercise 1: Configuring AD DS Sites and Subnets
• Exercise 2: Configuring AD DS Replication
• Exercise 3: Monitoring AD DS Replication
Logon information
Virtual machines: NYC-DC1, LONDC1, MIA-RODC, NYC-RAS
User name: Administrator
Password: Pa$$w0rd
Estimated time: 60 minutes
Lab Review
• What additional changes would you need to make to the
AD DS site configuration if you needed to ensure that all
replication traffic in the New-York site passed through
NYC-DC2?
• What additional changes would you need to make if you
implemented another WAN connection between Tokyo and
London, and wanted to use that WAN connection for AD
DS replication instead of routing all replication changes
through NewYork-Site?
• Why did you force the domain controllers in the lab to
update their IP addresses in DNS?
Module Review and Takeaways
• Review questions
• Considerations for configuring AD DS sites and replication
• Tools
Beta Feedback Tool
Beta feedback tool helps:
• Collect student roster information, module feedback, and course evaluations.
• Identify and sort the changes that students request, thereby facilitating a quick team triage.
• Save data to a database in SQL Server that you can later query.
Walkthrough of the tool
Beta Feedback
Overall flow of module:
• Which topics did you think flowed smoothly, from topic to topic?
• Was something taught out of order?
Pacing:
• Were you able to keep up? Are there any places where the pace felt too slow?
• Were you able to process what the instructor said before moving on to the next topic?
• Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
Learner activities:
• Which demos helped you learn the most? Why do you think that is?
• Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment?
• Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren't helpful?