ch03 - Seneca - School of Information & Communications

Working with
Active Directory Sites
Lesson 3
Skills Matrix
Technology Skill                         | Objective Domain                       | Objective #
Introducing Active Directory Sites       | Configure sites                        | 2.3
Configuring Active Directory Replication | Configure Active Directory replication | 2.4
Logical Versus Physical Structure
Logical
• Forest
• Trees
• Domains
• OUs
• Leaf objects
Physical
• IP Subnets/Sites
• Domain Controllers
Active Directory Sites
• Sites are defined by IP subnets that are well-connected, which means that the network
infrastructure between them is fast and reliable.
– In most cases, an Active Directory site will map to a
single LAN.
• Multiple sites will be joined together by site links.
• Intersite replication takes place along site links
that you defined within Active Directory Sites and
Services.
Sites
• When clients log on to Active Directory, they
use DNS together with the site topology (their IP
subnet is matched to a site) to locate the closest
available domain controller and other network
resources.
• Domain controllers use the site topology to
establish replication partners that provide
efficiency and keep the Active Directory
database consistent.
Default-First-Site-Name
• When you install the forest root domain
controller in an Active Directory forest, the
Active Directory Installation Wizard creates a
single site called Default-First-Site-Name.
• The forest root domain controller server
object is placed within the Servers folder of
this site.
• The site can be renamed to more accurately
reflect a physical location.
Active Directory Replication
• The process of duplicating Active Directory
information between domain controllers for the
purposes of fault tolerance and redundancy.
• Based on a multimaster replication model, in which
the domain controllers from each domain
participate in the replication process for that
domain.
– They also replicate forest-wide schema and
configuration information.
• Active Directory sites are the means by which
administrators can control replication traffic.
Active Directory Replication
• Domain controllers that reside within the same site
participate in intrasite replication.
– Transmit changes to the Active Directory database
almost as soon as they occur.
• Domain controllers located in different sites will
participate in intersite replication.
– Occurs on a schedule set on the site link (every
180 minutes by default).
– Intersite replication traffic is also compressed by
default to decrease the use of network bandwidth.
– Remember the goal is to minimize bandwidth usage.
Active Directory Replication
• Remember:
– Intra means within, as in an intranet
(your own network).
– Inter means between, as in the Internet (a
conglomeration of networks).
Understanding the Replication Process
• Replication within Active Directory will occur
when one of the following conditions is met:
– An object is added to or removed from Active
Directory.
– The value of an attribute has changed.
– The name of an object has changed.
Understanding the Replication Process
• To track changes from different sources and
determine which objects need to be replicated
from one domain controller to another, each
domain controller uses the following:
– An update sequence number (USN) that is incremented
for every change made at that DC; replication partners
use the source DC's USNs to tell which updates they
have not yet received.
– A version ID (version number) on each Active Directory
attribute that counts how many times that attribute has
been changed; when two DCs change the same attribute,
the higher version wins.
– A timestamp of when the modification took place, used
as a tiebreaker only when the version numbers are equal.
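The following is an added example, not part of the original slides, showing how the stamps listed above decide which of two conflicting writes to the same attribute a DC keeps. Microsoft's documented order is: higher version wins; on a tie, the later originating timestamp wins; on a second tie, the higher originating DSA invocation ID (a GUID) wins. The USN is deliberately absent from the decision: it is local to each DC and only tells partners what they have not yet pulled. The DN, DC names, times and GUIDs are constructed for illustration.

```powershell
# Added example (not from the original slides): Active Directory's attribute
# conflict-resolution order, applied to constructed replication stamps.
function Resolve-AttributeConflict {
    param(
        [Parameter(Mandatory)] [hashtable] $A,
        [Parameter(Mandatory)] [hashtable] $B
    )
    # 1. Version: the write that has seen more changes wins outright.
    if ($A.Version -ne $B.Version) {
        return $(if ($A.Version -gt $B.Version) { $A } else { $B })
    }
    # 2. Originating timestamp: consulted only when the versions tie.
    if ($A.Time -ne $B.Time) {
        return $(if ($A.Time -gt $B.Time) { $A } else { $B })
    }
    # 3. Originating DSA invocation ID: arbitrary but deterministic final tiebreaker.
    $cmp = ([guid]$A.InvocationId).CompareTo([guid]$B.InvocationId)
    return $(if ($cmp -gt 0) { $A } else { $B })
}

# Constructed sample: the same user's 'description' attribute was changed on
# DC1 and on DC2 during a replication gap. Both DCs saw version 3, so the
# later timestamp (DC2, five seconds later) wins.
$fromDc1 = @{ Dc = 'DC1'; Version = 3; Time = [datetime]'2024-03-01T10:00:00Z'
              InvocationId = '6b9c2d6e-1f2a-4c3b-9d8e-0a1b2c3d4e5f'; Value = 'Finance, 3rd floor' }
$fromDc2 = @{ Dc = 'DC2'; Version = 3; Time = [datetime]'2024-03-01T10:00:05Z'
              InvocationId = '0f1e2d3c-4b5a-4697-8877-665544332211'; Value = 'Finance (moved)' }

$winner = Resolve-AttributeConflict $fromDc1 $fromDc2
"Winner: $($winner.Dc) version=$($winner.Version) value='$($winner.Value)'"

# On a live DC the real stamps are visible per attribute with either of
# (DC name and DN are assumptions):
#   repadmin /showobjmeta DC1 "CN=Alice,OU=Staff,DC=corp,DC=example"
#   Get-ADReplicationAttributeMetadata -Object "CN=Alice,OU=Staff,DC=corp,DC=example" -Server DC1 |
#       Select-Object AttributeName, Version, LastOriginatingChangeTime,
#                     LastOriginatingChangeDirectoryServerInvocationId, LocalChangeUsn
```

The practical consequence for incident response: a change that "disappears" after replication was not necessarily reverted by an attacker; a concurrent higher-version or later-timestamped write on another DC may simply have won, and the metadata above records which DC originated the surviving value.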
Understanding the Replication Process
• When replicating information between sites, Active
Directory will designate a bridgehead server in
each site to act as a gatekeeper in managing site-to-site replication.
– Allows intersite replication to update only one
domain controller within a site (usually over a slower
WAN link).
– After a bridgehead server is updated, it updates the
remainder of its domain controller partners with the
newly replicated information.
– Active Directory convergence describes the amount
of time that it takes for this process to take place so
that all domain controllers in the environment
contain the most up-to-date information.
Knowledge Consistency Checker (KCC)
• Each domain controller uses an internal process
called the Knowledge Consistency Checker (KCC)
to map the logical network topology between the
domain controllers.
• For each domain controller in the site, the KCC will
select one or more replication partners for that
domain controller and will create connection
objects between the domain controller and its new
replication partners.
– Each connection object is a one-way, inbound connection: it is
stored under the NTDS Settings of the destination domain
controller and names the source domain controller it pulls
changes from.
Viewing Active Directory Connection Objects
• Open the Active Directory Sites and Services
MMC snap-in.
• Click the Sites folder, select the desired site,
and then click the Servers folder.
• Expand the server name for which you wish
to view connection objects and right-click
NTDS Settings. Click Properties.
Creating a New Site
• In Active Directory Sites and Services, right-click the Sites folder and select New Site.
• In the New Object-Site dialog box, key the
name for the site based on your plan.
• Select the DefaultIPSiteLink from the list of
site names and click OK to complete the site
creation.
Creating a New Subnet
• In Active Directory Sites and Services, right-click the Subnets folder.
• Select New Subnet from the menu.
• In the New Object-Subnet dialog box, enter
the IP address and subnet mask that
correspond to the segment in your design.
• Select the site you wish to associate with
this subnet and click OK.
Configuring Intersite Replication
• Cost
– Allows the administrator to define the path that
replication will take.
– If more than one path can be used to replicate
information, cost assignments will determine which
path is chosen first.
– A lower-numbered cost value is preferred over a
higher-numbered cost value.
– Cost values range from 1 to 99,999; a new site link
defaults to 100.
– Chosen by the Active Directory administrator and
meaningful only relative to one another.
Configuring Intersite Replication
• Schedule
– The schedule of the site link object
determines when the link is available to
replicate information.
– By default, newly created site link objects are
available for replication 24/7.
Configuring Intersite Replication
• Frequency
– A site link’s frequency determines how often
information will be replicated over a
particular site link.
– Keep in mind that replication will take place
only during scheduled hours.
– The default replication frequency for a new
site link is 180 minutes, but it can be
configured to take place as frequently as
every 15 minutes and as infrequently as
once per week.
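The site, subnet and site link procedure from the preceding slides, carried out with the ActiveDirectory PowerShell module instead of the snap-in. This is an added example, not material from the original slides; the site names Toronto and Montreal, the subnets and the link settings are assumptions chosen to show cost, frequency and schedule being set together.

```powershell
# Added example (not from the original slides): sites, subnets and a site link
# with cost, replication frequency and a restricted schedule.
Import-Module ActiveDirectory

# 1. Rename the auto-created Default-First-Site-Name to the physical location.
Get-ADReplicationSite -Identity 'Default-First-Site-Name' |
    Rename-ADObject -NewName 'Toronto'

# 2. Create a second site and the subnets that map clients and DCs into a site.
#    A client whose address matches no subnet cannot find its "closest" DC.
New-ADReplicationSite -Name 'Montreal' -Description 'Branch office'
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'Toronto'  -Location 'Toronto HQ'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Montreal' -Location 'Montreal branch'

# 3. Join the sites with an IP site link. Cost (1-99,999, default 100) ranks
#    alternative paths; frequency (15-10,080 minutes, default 180) is the
#    interval between replication attempts while the link is available.
New-ADReplicationSiteLink -Name 'Toronto-Montreal' `
    -SitesIncluded 'Toronto', 'Montreal' `
    -InterSiteTransportProtocol IP `
    -Cost 50 -ReplicationFrequencyInMinutes 60

# 4. Restrict the schedule: replication allowed only 18:00-23:45 daily.
#    The 60-minute frequency still applies inside that window.
$sched = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$sched.ResetSchedule()
$sched.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Eighteen,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity 'Toronto-Montreal' -ReplicationSchedule $sched

# 5. Verify: every subnet resolves to a site, and each link's cost, interval and
#    membership match the design.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

Note that the schedule narrows the window but does not shorten it below the frequency: with the settings above a change made at 09:00 in Toronto cannot reach Montreal before 18:00, which is the convergence trade-off a bandwidth-driven schedule accepts.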
Replication Protocol
• For both intrasite and intersite replication,
Active Directory uses Remote Procedure
Calls over Internet Protocol (RPC over IP) by
default for all replication traffic.
– RPC is commonly used to communicate with
network services on various computers,
whereas IP is responsible for the addressing
and routing of the data.
– RPC over IP replication keeps data secure while in
transit by authenticating both domain controllers
(Kerberos) and encrypting the traffic.
Replication Protocol
• Simple Mail Transfer Protocol (SMTP) is an
alternative solution for intersite replication when
a direct or reliable IP connection is not available.
– Uses asynchronous replication, meaning that each
replication transaction does not need to complete
before another can start because the transaction
can be stored until the destination server is
available.
– SMTP cannot replicate domain directory partitions;
only the schema, configuration and global catalog
partitions can use it.
– Requires an enterprise certification authority (CA)
that is fully integrated with Active Directory, because
the replication messages are signed and encrypted.
Replication Protocol
• Unlike RPC over IP, SMTP does not adhere to
schedules and should be used only when
replicating between different domains over
an extremely slow or unreliable WAN link.
Creating a New Site Link Object
• In Active Directory Sites and Services,
expand the Inter-Site Transports folder.
Refreshing the Intrasite Replication Topology
• In Active Directory Sites and Services,
expand Sites, followed by the site where you
wish to run the KCC.
• Expand Servers and double-click one of the
domain controllers.
• In the details pane, right-click NTDS Settings,
click All Tasks and select Check Replication
Topology.
Determining Which Server Holds the ISTG
Role
• In Active Directory Sites and Services,
expand the Sites folder and then expand the
appropriate site.
• In the Details pane, right-click NTDS Site
Settings and then select Properties. The
Properties page displays the server holding
the ISTG role.
Determining Which Server Holds the ISTG
Role
• To force the KCC to regenerate the intersite
topology, right-click the NTDS Settings object of
the server that holds the ISTG role.
• Click All Tasks and then select Check
Replication Topology.
• The ISTG is the one domain controller in the
site that generates connection objects from
domain controllers in different sites. It also
performs advanced replication management
tasks.
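The connection-object, KCC and ISTG procedures from the slides above, done from PowerShell so they can be scripted and audited. This is an added example, not material from the original slides; the site name Toronto and the DC name DC1 are assumptions.

```powershell
# Added example (not from the original slides): list a site's connection
# objects, find the site's ISTG and force a KCC topology check.
Import-Module ActiveDirectory
$site = 'Toronto'

# Connection objects are one-way and stored under the destination DC's NTDS
# Settings; ReplicateFromDirectoryServer is the source it pulls from.
# AutoGenerated = True means the KCC created it; False means an admin did.
$conns = Get-ADReplicationConnection -Filter * -Properties * |
    Where-Object { $_.ReplicateToDirectoryServer -like "*,CN=Servers,CN=$site,CN=Sites,*" }
$conns | Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated

# Manually created connection objects are never re-evaluated by the KCC and
# are a common source of stale or surprising topology; surface them for review.
$manual = $conns | Where-Object { -not $_.AutoGenerated }
"Manual connection objects in ${site}: $($manual.Count)"

# The ISTG is recorded on the site's NTDS Site Settings object, as the DN of
# the NTDS Settings object of the DC that holds the role.
$configNC = (Get-ADRootDSE).configurationNamingContext
$settings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$site,CN=Sites,$configNC" `
    -Properties interSiteTopologyGenerator
"ISTG for ${site}: $($settings.interSiteTopologyGenerator)"

# Force the KCC on a DC to recalculate its topology now (the same action as
# "Check Replication Topology" in the snap-in). Run against the ISTG to have
# the intersite connection objects regenerated as well.
repadmin /kcc DC1
```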
Forcing Manual Replication
• In Active Directory Sites and Services,
expand Sites, followed by the site that
contains the connection for which you wish
to force replication.
• Locate the server in the Servers container
that provides the connection object.
• Click NTDS Settings in the console tree.
• In the details pane, right-click the connection
for which you want replication to occur and
select Replicate Now.
Monitoring Replication
• Dcdiag
• Repadmin
Dcdiag
• A command-line tool used for monitoring
Active Directory.
– Perform connectivity and replication tests,
reporting errors that occur.
– Report DNS registration problems.
– Analyze the permissions required for
replication.
– Analyze the state of domain controllers within
the forest.
Repadmin
• A command-line tool used for the following:
– To view the replication topology from the
perspective of each domain controller.
– To manually create a replication topology if site link
bridging is disabled because the network is not fully
routed.
– To force replication between domain controllers
when you need updates to occur immediately
without waiting for the next replication cycle.
– To view the replication metadata: the per-attribute
stamps (version, originating USN, originating DC and
timestamp) and the up-to-dateness vector, which records
the highest USN received from each partner. This is
helpful in determining which domain controller is the
most up to date prior to seizing an operations master role.
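A replication health check and a forced synchronization, combining the repadmin and dcdiag tools described above with the ActiveDirectory module cmdlets that expose the same data as objects. This is an added example, not material from the original slides; it also covers the "Forcing Manual Replication" procedure. The DC names DC1 and DC2, the site name Toronto and the object DN are assumptions.

```powershell
# Added example (not from the original slides): monitor replication with
# repadmin/dcdiag and the ActiveDirectory module, then force a sync.
Import-Module ActiveDirectory

# Forest-wide summary: per-DC largest delta since the last success and the
# fail/total counts. The first thing to run when "a change is not showing up".
repadmin /replsummary

# Inbound partners of DC1 per partition. Any partner with consecutive failures
# or a LastReplicationSuccess older than the site link interval needs attention.
Get-ADReplicationPartnerMetadata -Target 'DC1' -PartnerType Inbound |
    Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

# Failure detail (error code, first failure, count) for every DC in a site.
Get-ADReplicationFailure -Target 'Toronto' -Scope Site |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError, FailureType

# Up-to-dateness vector: the highest USN DC1 has received from each partner.
# Compare this across candidates before seizing an operations master role so
# the most current DC takes the role.
Get-ADReplicationUpToDatenessVectorTable -Target 'DC1' |
    Select-Object Partner, UsnFilter, LastReplicationSuccess

# dcdiag: connectivity, replication and DNS registration tests against DC1.
dcdiag /s:DC1 /test:Connectivity /test:Replications /test:DNS

# Force replication of a single urgent object from DC1 to DC2 (for example a
# just-disabled account), then of every partition from DC1 to all partners:
# /A = all partitions, /e = include other sites, /P = push from DC1.
Sync-ADObject -Object 'CN=Alice,OU=Staff,DC=corp,DC=example' -Source 'DC1' -Destination 'DC2'
repadmin /syncall DC1 /AeP

# Confirm the forced sync landed on every inbound connection of DC1.
repadmin /showrepl DC1
```

When an account is disabled during an incident, the Sync-ADObject call is what turns a "will replicate within 180 minutes" change into one that is effective on the remote site's DCs immediately; the /syncall afterwards catches any partition the single-object push did not touch.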
Summary
• You learned how to define and manage sites
and site links.
• You learned how to determine a site strategy
based on the physical network
infrastructure.
• You learned how to use Active Directory
Sites and Services to configure replication.
Summary
• You learned the differences between intrasite
and intersite replication.
• You learned how to describe the role of the
Intersite Topology Generator (ISTG) and
Knowledge Consistency Checker (KCC) in
site replication.
Summary
• You learned how to optimize replication by
configuring bridgehead servers and site link
bridging.
• You learned how to monitor replication using
dcdiag and repadmin.