3.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

3.1 © 2004 Pearson Education, Inc.

Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure

Lesson 3: Configuring Site Settings and Inter-Site Replication

Goals

Create sites to develop a directory structure

Configure a subnet

Create site links

Configure site link attributes

Create site link bridges

Configure connections in Active Directory

Select a bridgehead server for inter-site replication




Goals (2)

Check replication topology

Create a server object in a site

Manage server objects

Designate a global catalog server

Designate a site license server




A site is a logical representation of your physical structure

In general, sites are physical locations or buildings, but there are cases in which a single site might span multiple buildings

Think of a site as a location where all computers are connected by high-speed, reliable, cost-effective links

(Skill 1)

Creating Sites to Develop a Directory Structure




Site membership

In the majority of cases, site membership is defined by your IP structure

On a routed IP network, each physical location will typically have its own addressing range

Creating Sites to Develop a Directory Structure (2)

(Skill 1)




Active Directory defines the address ranges associated with each site by examining the subnet object associated with each site

A subnet object is simply an object created in Active Directory that is assigned a range of IP addresses and is associated with a site


(Skill 1)




When you install Active Directory on a Windows Server 2003 server, the operating system creates the Default-First-Site-Name site by default

This site is created in the Sites container

To manage a small LAN, one site is sufficient

For large environments, for example with multiple physical locations, you must create additional sites manually

You can create a different site for each of these locations in the Active Directory Sites and Services console


(Skill 1)




Two components of a subnet

IP address

Subnet mask

Configuring a Subnet (2)

(Skill 2)




IP address

A unique address assigned to each computer on a TCP/IP network

Identifies the location of a host computer on a network in the same way that a street address identifies a house on a city street


(Skill 2)




Each IP address has two sections

A network address (network ID), which indicates the network on which the computer is running

A host address (or host ID), which uniquely identifies a given host on a TCP/IP network


(Skill 2)




Subnet mask

Distinguishes the network address from the host address

Dictates where the network ID ends and the host address begins in an IP address


(Skill 2)




If you do not know the subnet mask and the subnet address of your subnet, run the ipconfig /all command to view the details of the subnet

The Ipconfig command checks the TCP/IP configuration on the computer

It gets host computer TCP/IP configuration information, including the IP address, subnet mask, default gateway, DNS server(s), WINS server(s), NBT node type, domain suffix, and most other configured TCP/IP parameters


(Skill 2)




Active Directory uses the IP addresses of client computers and member servers to associate them with the correct sites

The primary component of a site is a list of the domain controllers that exist in the site


(Skill 2)




Using the list of domain controllers that exist in the site

To correctly place domain controllers, Active Directory attempts to find a match between the computer’s IP address and a subnet object only during the initial promotion process

Subsequently, the server must be manually moved between sites

If the server’s IP address does not correspond to any of the subnet objects already defined in Active Directory, the directory service simply places the domain controller in the Default-First-Site-Name site


(Skill 2)




To roll out a large number of domain controllers without having to manually move them to the appropriate sites Create the first domain controller for each site at a central

location

Ship these servers to their appropriate remote locations

Create site objects for each location, create and associate subnet objects with each site, and create site links as needed

Manually move the first server for each site out of the Default-First-Site-Name site and into its correct site

Ship the rest of the servers to their appropriate remote site and install them there


(Skill 2)




Site links are connections between sites that form the core of Active Directory inter-site replication

You must create links between two sites before replication can occur

In the absence of a site link, you cannot make connections between computers in the two sites

Creating Site Links

(Skill 3)




Site links are not generated automatically and must be manually created in the Active Directory Sites and Services console

A site link can contain more than two sites, but this is typically not advisable unless you have a mesh topology between the sites in question

In general, it is best to create site links as necessary to match the physical topology of your network

Creating Site Links (2)

(Skill 3)




Default site link

When you install Active Directory on a Windows Server 2003 server, the Active Directory Installation Wizard automatically creates a site link named DEFAULTIPSITELINK in the IP container

You can rename the DEFAULTIPSITELINK object according to your preference

When you create site links, you can use SMTP or IP as the transport protocol


(Skill 3)




SMTP replication

Sends an Active Directory replication as attachments in encrypted e-mail messages

Advantage of using SMTP replication

It is asynchronous, which means that it is not time sensitive

This makes it useful in situations where the link separating the sites is slow or unreliable


(Skill 3)




SMTP replication

Has no difficulty passing through Network Address Translation (NAT) devices to get to a particular destination

It is rarely used because it can only be used for replication between different domains


(Skill 3)




SMTP replication

SMTP is never a valid choice for a site link if you need to replicate information between different sites in the same domain

This is because SMTP is capable of replicating only the configuration and scheme Active Directory partitions

SMTP cannot replicate the domain partitionOnly forest-wide configuration settings can be

replicated using SMTP


(Skill 3)




SMTP replication

SMTP is a bit complicated to configure, because it requires e-mail servers that are encryption-capable

Key Management Server is used with Exchange to configure SMTP

SMTP replication also requires a Certificate Authority (CA) to issue the certificates used by the SMTP server to generate encryption


(Skill 3)




IP replication

IP replication actually means Remote Procedure Call (RPC) over IP

RPC is a common protocol used in Microsoft products

It has a few distinct advantages and disadvantages


(Skill 3)




IP replication

RPC is fairly efficient (compared to SMTP) and it provides rapid data transfer over reasonably fast, reliable links

On the other hand, RPC is synchronous, which means that it is very time sensitive, and that makes it a poor choice for slow links


(Skill 3)




IP replication

After the initial session is established, RPC chooses random port numbers and references these port numbers in the packet’s RPC header, thus RPC cannot be translated by NAT devices

RPC is the only protocol choice available for replicating changes within a single domain


(Skill 3)




Options you can configure in the Properties dialog box while creating site linksDescription: You can enter a description for the site link

in this text box

Sites not in this site link: Provides a list of available sites from which you can choose to add sites for the site link

Cost: This setting is used by Active Directory to decide which

route to use when replicating information

The cheapest available route is used based on the overall cost


(Skill 3)




Options you can configure in the Properties dialog box while creating site links

Replicate every: This setting is used to configure the interval at which replication will take place over the link

Change Schedule:

You use this button to open a dialog box where you can configure the interval at which replication will take place over the link

By default, the site link will always be available for replication


(Skill 3)




After you create site links, you will have to configure inter-site replication

To do this, you configure the following site link attributes

Site link cost

Replication frequency

Replication availability information

Configuring Site Link Attributes

(Skill 4)




Site link cost

The Cost field in a site link is used when Active Directory must determine which is the better of two possible replication paths

If there are two or more replication paths to a given site, Active Directory will add the costs associated with all site links along each path and use the path with the lowest final value

Configuring Site Link Attributes (2)

(Skill 4)




Site link cost

In a larger environment, it is much easier to use a cost “scale” that is based on available bandwidth to create relational costs that try to determine every possible path

The best solution is to use a mathematically derived scale, starting with a maximum cost value for your slowest link and dividing the cost by 2 each time your bandwidth doubles


(Skill 4)





You can control the frequency at which inter-site replication occurs by specifying a value (an integer) for the replication frequency

Active Directory will check for replication updates after the specified duration

The replication interval ranges from a minimum of 15 minutes to a maximum of 10,080 minutes (equal to one week’s time)


(Skill 4)





For any replication to occur, a site link has to be available

The interval applies only within the “window” of time provided by the link’s schedule

If a site link is unavailable when the replication update is scheduled, replication will not occur

The default site link replication frequency is 180 minutes


(Skill 4)





You also need to specify the availability of a site link for replication

SMTP is asynchronous, meaning that it ignores all schedules by default

Therefore, for most practical scenarios, the schedule for SMTP site links serves no purpose


(Skill 4)





You must configure site link replication availability on SMTP site links under these conditions

The site link is using scheduled connections

The SMTP queue is not on a schedule

There is no intermediary, such as a proxy server, involved in the exchange of information between servers


(Skill 4)




Figure 3-14 The Schedule for TestSiteLink1 dialog box

(Skill 4)




Site link bridges

Are a means of linking two or more sites for replication

Help replicate your network configuration in order to efficiently route network traffic

All use the same transport and are automatically bridged, by default

Such site links are also called transitive

Creating Site Link Bridges

(Skill 5)




Understanding how Active Directory replication can be controlled across a WAN

Active Directory does not simply replicate between sites

It must replicate between individual domain controllers, including replicating between domain controllers in the same site

Connection objects define which domain controllers are replication partners, both in intra-site and inter-site replication

Configuring Connections in Active Directory

(Skill 6)




In addition to creating your own connection objects, you can also modify the replication settings for automatically generated connection objects

Once you modify an automatically generated connection, it becomes a manual connection

This means that it has all of the difficulties associated with any other manual connection

Configuring Connections in Active Directory (13)

(Skill 6)




When performing inter-site replication, the most important consideration is usually bandwidth usage

The KCC typically only creates connection objects between bridgehead servers for inter-site replication

This reduces traffic by limiting the number of connections established between sites

Selecting a Bridgehead Server for Inter-Site Replication

(Skill 7)




The KCC periodically checks the topology to ensure that replication can be performed

When major network restructuring occurs, you can speed up the replication process by forcing topology regeneration

This process is referred to as triggering the KCC

It can be performed fairly easily from within the Active Directory Sites and Services console

Checking Replication Topology

(Skill 8)




Inter-site Topology Generator (ISTG)

Is a special service in Active Directory

Checks the availability of domain controllers in remote sites

Calculates the best replication paths between sites using the Cost fields for the site links

After the ISTG determines the best paths and available servers, the KCC uses this information to build the necessary inter-site connection objects

Checking Replication Topology (3)

(Skill 8)




Active Directory Replication Monitor

Used to monitor the replication process on single or multiple domain controllers in a domain

Provides a graphical view of your connection objects to each server, giving you a visual way to analyze your replication topology

You can install the Replication Monitor from the Support\Tools folder on the Windows Server 2003 installation CD

Checking Replication Topology (4)

(Skill 8)




Server objects

Are representations of your domain controllers (and in some cases, member servers) in the Active Directory Sites and Services console

Active Directory automatically creates a server object for each domain controller you install

Creating a Server Object in a Site

(Skill 9)




Server object placement

Is extremely important for proper topology generation

The location of each server object is what Active Directory uses to determine in which site each server exists

It is the only information the KCC uses to determine the replication topology

Creating a Server Object in a Site (2)

(Skill 9)




Server object placement

Active Directory automatically places each server in the site that is associated with the subnet object that matches the server’s IP address structure

This is performed once when the domain controller is created, and is never changed by Active Directory

If you promote all of your domain controllers before you create the appropriate site and subnet objects for your network, you must manually move the objects into the correct sites to allow the KCC to generate the proper replication topology


(Skill 9)




Manually creating server objects

While you can manually create server objects for your domain controllers, you should almost never need to do so

Active Directory creates server objects for you automatically unless there is a fairly major database problem or a significant case of mistaken deletion

The only other valid case for manual server object creation is when running a site-aware application on a member server


(Skill 9)




As an administrator, you must manage server settings for a site as part of your routine maintenance tasks

Routine maintenance

You need to control replication and ensure that users are able to log on within a reasonable amount of time

To accomplish these tasks and create an efficient replication topology, you may need to move server objects between sites

Managing Server Objects

(Skill 10)




Routine maintenance

You may also need to identify non-functional servers and remove them from sites

You can move or remove server objects from Active Directory only if you have Domain Administrator rights

You can also remove a non-functional server object from a site

Be very sure before you permanently remove a server object from a site

Managing Server Objects (2)

(Skill 10)




Global catalog

A database that stores a full, writable copy of the directory data for its own domain and a partial, read-only copy of the directory databases for every other domain in the forest

Is stored on domain controllers that are designated as global catalog servers

Global catalog servers are required in Active Directory to facilitate enterprise searching, UPN lookups, and universal group storage

Designating a Global Catalog Server

(Skill 11)




Global catalog servers

Windows Server 2003 automatically creates the first global catalog server on the first domain controller installed in the forest

While there is only one global catalog server in a forest by default, there is no limit to the number of global catalog servers you can have

Designating a Global Catalog Server (2)

(Skill 11)




Storage considerations

Every global catalog server requires more storage space to hold its database

Global catalog servers replicate forest-wide, which consumes additional bandwidth above and beyond that of a standard domain controller

In a Windows 2000 native mode domain, Windows 2000 Server and Windows Server 2003 clients must have access to a global catalog server in order to log on; the only exception being the members of the Domain Administrators group

(Skill 11)





Due to the important roles global catalog servers play in Active Directory, it is suggested that at least one global catalog server be placed in every physical site

However, in Windows Server 2003, a new feature called universal group caching can help reduce the number of global catalog servers required to some degree

(Skill 11)





Removing the global catalog server role from an existing global catalog server

Removes all of the information the server was storing related to other domains

The size of the Active Directory database on that server does not decrease, but is filled with “empty” space

To reduce the size of the database, reboot into Directory Services Restore mode on the server in question and compact the database with the Ntdsutil tool

Create a current backup before installing Ntdsutil

(Skill 11)





Although all domain controllers can be configured as global catalog servers, you must strike a balance when designating these servers

The global catalog maintains a subset of the directory information available within each domain

This information allows queries to be handled by the nearest global catalog server, and thus saves time and bandwidth

(Skill 11)





Figure 3-31 Designating a global catalog server

(Skill 11)




A software license gives you the legal right to use a software application or program

For each software program that you use, you need a license, which is granted to you and documented in the license agreement for the software

Designating a Site License Server

(Skill 12)




Microsoft BackOffice licensing model

Governs licensing for Client Access Licenses (CALs) in relation to Microsoft Windows Server products

CALs

Allow client computers to access a server product

Are typically sold on a one-per-connection (per server) or one-per-client (per seat) model

Designating a Site License Server (2)

(Skill 12)

3.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

Documents

site settings

site links

single site

different site

intersite replication

site license server

intersite replication

active directory sites