
Active Directory Site Configuration and Management

Learn how to create sites, configure subnets, create site links, and manage Active Directory connections for efficient directory structure development and replication topology check.

derrickt

Presentation Transcript


1. Goals
• Create sites to develop a directory structure
• Configure a subnet
• Create site links
• Configure site link attributes
• Create site link bridges
• Configure connections in Active Directory
• Select a bridgehead server for inter-site replication

2. Goals (2)
• Check replication topology
• Create a server object in a site
• Manage server objects
• Designate a global catalog server
• Designate a site license server

3. (Skill 1) Creating Sites to Develop a Directory Structure
• A site is a logical representation of your physical structure
• In general, sites are physical locations or buildings, but there are cases in which a single site might span multiple buildings
• Think of a site as a location where all computers are connected by high-speed, reliable, cost-effective links

4. (Skill 1) Creating Sites to Develop a Directory Structure (2)
• Site membership
  • In the majority of cases, site membership is defined by your IP structure
  • On a routed IP network, each physical location will typically have its own addressing range

5. (Skill 1) Creating Sites to Develop a Directory Structure (3)
• Active Directory defines the address ranges associated with each site by examining the subnet object associated with each site
• A subnet object is simply an object created in Active Directory that is assigned a range of IP addresses and is associated with a site

6. (Skill 1) Creating Sites to Develop a Directory Structure (4)
• When you install Active Directory on a Windows Server 2003 server, the operating system creates the Default-First-Site-Name site by default
• This site is created in the Sites container
• To manage a small LAN, one site is sufficient
• For large environments, for example with multiple physical locations, you must create additional sites manually
• You can create a different site for each of these locations in the Active Directory Sites and Services console

7. (Skill 2) Configuring a Subnet (2)
• Two components of a subnet
  • IP address
  • Subnet mask

8. (Skill 2) Configuring a Subnet (3)
• IP address
  • A unique address assigned to each computer on a TCP/IP network
  • Identifies the location of a host computer on a network in the same way that a street address identifies a house on a city street

9. (Skill 2) Configuring a Subnet (4)
• Each IP address has two sections
  • A network address (network ID), which indicates the network on which the computer is running
  • A host address (or host ID), which uniquely identifies a given host on a TCP/IP network

10. (Skill 2) Configuring a Subnet (5)
• Subnet mask
  • Distinguishes the network address from the host address
  • Dictates where the network ID ends and the host address begins in an IP address

11. (Skill 2) Configuring a Subnet (6)
• If you do not know the subnet mask and the subnet address of your subnet, run the ipconfig /all command to view the details of the subnet
• The ipconfig command checks the TCP/IP configuration on the computer
• It gets host computer TCP/IP configuration information, including the IP address, subnet mask, default gateway, DNS server(s), WINS server(s), NBT node type, domain suffix, and most other configured TCP/IP parameters

12. (Skill 2) Configuring a Subnet (7)
• Active Directory uses the IP addresses of client computers and member servers to associate them with the correct sites
• The primary component of a site is a list of the domain controllers that exist in the site

13. (Skill 2) Configuring a Subnet (8)
• Using the list of domain controllers that exist in the site
  • To correctly place domain controllers, Active Directory attempts to find a match between the computer’s IP address and a subnet object only during the initial promotion process
  • Subsequently, the server must be manually moved between sites
  • If the server’s IP address does not correspond to any of the subnet objects already defined in Active Directory, the directory service simply places the domain controller in the Default-First-Site-Name site

14. (Skill 2) Configuring a Subnet (10)
• To roll out a large number of domain controllers without having to manually move them to the appropriate sites:
  • Create the first domain controller for each site at a central location
  • Ship these servers to their appropriate remote locations
  • Create site objects for each location, create and associate subnet objects with each site, and create site links as needed
  • Manually move the first server for each site out of the Default-First-Site-Name site and into its correct site
  • Ship the rest of the servers to their appropriate remote site and install them there
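As an added example (not part of the slides), the following Python script models the subnet rules from slides 7 to 13: it splits an address into network ID and host ID using the mask, maps an address to a site through subnet objects, falls back to Default-First-Site-Name when nothing matches, and flags server objects whose site was fixed at promotion time but no longer matches their address (the situation slide 44 describes). The subnet objects, server names and addresses are constructed sample data; the longest-prefix rule for overlapping subnet objects and the record layout are assumptions of this example, and the real tool for the job is the Active Directory Sites and Services console.

```python
# Added example: how Active Directory maps addresses to sites via subnet objects.
# Subnet objects, server names and addresses below are constructed sample data.
import ipaddress

DEFAULT_SITE = "Default-First-Site-Name"  # created automatically with the forest

# Constructed subnet objects: each maps an address range to the site it belongs to.
SUBNET_OBJECTS = {
    "10.1.0.0/16": "Boston",
    "10.1.200.0/24": "Boston-Lab",      # overlaps 10.1.0.0/16, more specific
    "192.168.10.0/24": "Chicago",
}


def split_address(ip, mask):
    """Use the subnet mask to split an IPv4 address into (network ID, host ID)."""
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    network_id = str(iface.network.network_address)
    host_id = str(ipaddress.IPv4Address(int(iface.ip) & int(iface.network.hostmask)))
    return network_id, host_id


def site_for_address(ip, subnet_objects=SUBNET_OBJECTS):
    """Return the site whose subnet object contains ip.

    When subnet objects overlap, the most specific (longest prefix) one wins
    (assumption of this example). With no match at all, Active Directory places
    the domain controller in Default-First-Site-Name.
    """
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, DEFAULT_SITE
    for prefix, site in subnet_objects.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site


def promote(dc_name, ip, subnet_objects=SUBNET_OBJECTS):
    """Model promotion: the site is chosen once, from the subnet objects that exist now."""
    return {"name": dc_name, "ip": ip, "site": site_for_address(ip, subnet_objects)}


def misplaced_servers(server_objects, subnet_objects=SUBNET_OBJECTS):
    """Server objects whose recorded site no longer matches their address.

    Active Directory never re-evaluates placement after promotion, so these are
    the objects an administrator must move by hand in Sites and Services.
    """
    return [s["name"] for s in server_objects
            if site_for_address(s["ip"], subnet_objects) != s["site"]]


if __name__ == "__main__":
    print(split_address("10.1.5.20", "255.255.0.0"))
    # DC3 was promoted before any subnet objects existed...
    dc3 = promote("DC3", "192.168.10.5", subnet_objects={})
    print(dc3)
    # ...so once the subnet objects are created it is still in the default site.
    print(misplaced_servers([promote("DC1", "10.1.5.20"), dc3]))
```

Running the script shows DC3 landing in Default-First-Site-Name because it was promoted with an empty subnet list, which is exactly the case that calls for a manual move after the subnet objects are created.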

15. (Skill 3) Creating Site Links
• Site links are connections between sites that form the core of Active Directory inter-site replication
• You must create links between two sites before replication can occur
• In the absence of a site link, you cannot make connections between computers in the two sites

16. (Skill 3) Creating Site Links (2)
• Site links are not generated automatically and must be manually created in the Active Directory Sites and Services console
• A site link can contain more than two sites, but this is typically not advisable unless you have a mesh topology between the sites in question
• In general, it is best to create site links as necessary to match the physical topology of your network

17. (Skill 3) Creating Site Links (3)
• Default site link
  • When you install Active Directory on a Windows Server 2003 server, the Active Directory Installation Wizard automatically creates a site link named DEFAULTIPSITELINK in the IP container
  • You can rename the DEFAULTIPSITELINK object according to your preference
• When you create site links, you can use SMTP or IP as the transport protocol

18. (Skill 3) Creating Site Links (4)
• SMTP replication
  • Sends Active Directory replication data as attachments in encrypted e-mail messages
• Advantage of using SMTP replication
  • It is asynchronous, which means that it is not time sensitive
  • This makes it useful in situations where the link separating the sites is slow or unreliable

19. (Skill 3) Creating Site Links (5)
• SMTP replication
  • Has no difficulty passing through Network Address Translation (NAT) devices to get to a particular destination
  • It is rarely used because it can only be used for replication between different domains

20. (Skill 3) Creating Site Links (6)
• SMTP replication
  • SMTP is never a valid choice for a site link if you need to replicate information between different sites in the same domain
  • This is because SMTP is capable of replicating only the configuration and schema Active Directory partitions
  • SMTP cannot replicate the domain partition
  • Only forest-wide configuration settings can be replicated using SMTP

21. (Skill 3) Creating Site Links (7)
• SMTP replication
  • SMTP is a bit complicated to configure, because it requires e-mail servers that are encryption-capable
  • Key Management Server is used with Exchange to configure SMTP
  • SMTP replication also requires a Certificate Authority (CA) to issue the certificates the SMTP server uses for encryption

22. (Skill 3) Creating Site Links (8)
• IP replication
  • IP replication actually means Remote Procedure Call (RPC) over IP
  • RPC is a common protocol used in Microsoft products
  • It has a few distinct advantages and disadvantages

23. (Skill 3) Creating Site Links (9)
• IP replication
  • RPC is fairly efficient (compared to SMTP) and it provides rapid data transfer over reasonably fast, reliable links
  • On the other hand, RPC is synchronous, which means that it is very time sensitive, and that makes it a poor choice for slow links

24. (Skill 3) Creating Site Links (10)
• IP replication
  • After the initial session is established, RPC chooses random port numbers and references these port numbers in the packet’s RPC header, thus RPC cannot be translated by NAT devices
  • RPC is the only protocol choice available for replicating changes within a single domain

25. (Skill 3) Creating Site Links (11)
• Options you can configure in the Properties dialog box while creating site links
  • Description: You can enter a description for the site link in this text box
  • Sites not in this site link: Provides a list of available sites from which you can choose to add sites for the site link
  • Cost:
    • This setting is used by Active Directory to decide which route to use when replicating information
    • The cheapest available route is used based on the overall cost

26. (Skill 3) Creating Site Links (12)
• Options you can configure in the Properties dialog box while creating site links
  • Replicate every: This setting is used to configure the interval at which replication will take place over the link
  • Change Schedule:
    • You use this button to open a dialog box where you can configure the times at which the link is available for replication
    • By default, the site link will always be available for replication

27. (Skill 4) Configuring Site Link Attributes
• After you create site links, you will have to configure inter-site replication
• To do this, you configure the following site link attributes
  • Site link cost
  • Replication frequency
  • Replication availability information

28. (Skill 4) Configuring Site Link Attributes (2)
• Site link cost
  • The Cost field in a site link is used when Active Directory must determine which is the better of two possible replication paths
  • If there are two or more replication paths to a given site, Active Directory will add the costs associated with all site links along each path and use the path with the lowest final value

29. (Skill 4) Configuring Site Link Attributes (3)
• Site link cost
  • In a larger environment, it is much easier to use a cost “scale” that is based on available bandwidth to create relational costs that try to determine every possible path
  • The best solution is to use a mathematically derived scale, starting with a maximum cost value for your slowest link and dividing the cost by 2 each time your bandwidth doubles

30. (Skill 4) Configuring Site Link Attributes (4)
• Replication frequency
  • You can control the frequency at which inter-site replication occurs by specifying a value (an integer) for the replication frequency
  • Active Directory will check for replication updates after the specified duration
  • The replication interval ranges from a minimum of 15 minutes to a maximum of 10,080 minutes (equal to one week’s time)

31. (Skill 4) Configuring Site Link Attributes (5)
• Replication frequency
  • For any replication to occur, a site link has to be available
  • The interval applies only within the “window” of time provided by the link’s schedule
  • If a site link is unavailable when the replication update is scheduled, replication will not occur
  • The default site link replication frequency is 180 minutes

32. (Skill 4) Configuring Site Link Attributes (6)
• Replication availability information
  • You also need to specify the availability of a site link for replication
  • SMTP is asynchronous, meaning that it ignores all schedules by default
  • Therefore, for most practical scenarios, the schedule for SMTP site links serves no purpose

33. (Skill 4) Configuring Site Link Attributes (7)
• Replication availability information
  • You must configure site link replication availability on SMTP site links under these conditions
    • The site link is using scheduled connections
    • The SMTP queue is not on a schedule
    • There is no intermediary, such as a proxy server, involved in the exchange of information between servers

34. (Skill 4) Figure 3-14 The Schedule for TestSiteLink1 dialog box
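Added example, not from the slides: a small Python model of how the replication interval and the site link schedule interact (slides 30 to 33). It enforces the 15 to 10,080 minute range with the 180 minute default and computes which replication ticks actually fire inside the schedule windows. The tick-from-midnight model and the window list are simplifications assumed for this example; the real schedule is the one set in the dialog box of Figure 3-14.

```python
# Added example: how the replication interval interacts with the site link
# schedule. Windows below are constructed sample data, not a real schedule.
MIN_INTERVAL = 15          # minutes
MAX_INTERVAL = 10_080      # minutes, one week
DEFAULT_INTERVAL = 180     # minutes, the default "Replicate every" value
MINUTES_PER_DAY = 24 * 60


def is_valid_interval(minutes):
    """True if minutes is an integer within the allowed replication frequency range."""
    return isinstance(minutes, int) and MIN_INTERVAL <= minutes <= MAX_INTERVAL


def replication_times(interval, windows):
    """Minutes-of-day at which replication actually runs.

    Simplified model (assumption of this example): the interval produces a tick
    every `interval` minutes counted from midnight; a tick only replicates when
    the link is available, i.e. it falls inside some window [start, end).
    Ticks outside every window are simply skipped, not deferred.
    """
    if not is_valid_interval(interval):
        raise ValueError(
            f"interval must be {MIN_INTERVAL}..{MAX_INTERVAL} minutes, got {interval!r}")
    return [t for t in range(0, MINUTES_PER_DAY, interval)
            if any(start <= t < end for start, end in windows)]


def hhmm(minute):
    """Format a minute-of-day as HH:MM for display."""
    return f"{minute // 60:02d}:{minute % 60:02d}"


if __name__ == "__main__":
    # Link available 00:00-06:00 and 20:00-24:00, default 180 minute interval.
    night = [(0, 6 * 60), (20 * 60, 24 * 60)]
    print([hhmm(t) for t in replication_times(DEFAULT_INTERVAL, night)])
    # Pitfall: a 4 hour interval with a 01:00-04:00 window never replicates,
    # because no tick ever lands inside the window.
    print(replication_times(240, [(60, 240)]))
```

The second case is the one worth checking in a real schedule: a short availability window combined with a long interval can silently produce no inter-site replication at all.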

35. (Skill 5) Creating Site Link Bridges
• Site link bridges
  • Are a means of linking two or more site links for replication
  • Help model your network configuration so that replication traffic is routed efficiently
  • By default, all site links that use the same transport are automatically bridged
  • Such site links are also called transitive

36. (Skill 6) Configuring Connections in Active Directory
• Understanding how Active Directory replication can be controlled across a WAN
  • Active Directory does not simply replicate between sites
  • It must replicate between individual domain controllers, including replicating between domain controllers in the same site
  • Connection objects define which domain controllers are replication partners, both in intra-site and inter-site replication

37. (Skill 6) Configuring Connections in Active Directory (13)
• In addition to creating your own connection objects, you can also modify the replication settings for automatically generated connection objects
• Once you modify an automatically generated connection, it becomes a manual connection
• This means that it has all of the difficulties associated with any other manual connection

38. (Skill 7) Selecting a Bridgehead Server for Inter-Site Replication
• When performing inter-site replication, the most important consideration is usually bandwidth usage
• The KCC typically only creates connection objects between bridgehead servers for inter-site replication
• This reduces traffic by limiting the number of connections established between sites

39. (Skill 8) Checking Replication Topology
• The KCC periodically checks the topology to ensure that replication can be performed
• When major network restructuring occurs, you can speed up the replication process by forcing topology regeneration
• This process is referred to as triggering the KCC
• It can be performed fairly easily from within the Active Directory Sites and Services console

40. (Skill 8) Checking Replication Topology (3)
• Inter-site Topology Generator (ISTG)
  • Is a special service in Active Directory
  • Checks the availability of domain controllers in remote sites
  • Calculates the best replication paths between sites using the Cost fields for the site links
  • After the ISTG determines the best paths and available servers, the KCC uses this information to build the necessary inter-site connection objects
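Added example, not from the slides: a Python model of the cost-based path selection from slides 28 and 29 and the ISTG calculation in slide 40. It derives a bandwidth-based cost scale (halving the cost each time bandwidth doubles, interpolated for in-between speeds) and uses Dijkstra's algorithm to find the route with the lowest summed site link cost, treating same-transport site links as bridged (transitive). The site names, links, costs and bandwidths are constructed sample data, and the interpolation is an assumption of this example; the Windows tools for inspecting the real topology are the Sites and Services console and Replication Monitor.

```python
# Added example: deriving site link costs from bandwidth and choosing the
# cheapest replication path by summing costs. All sites, links, costs and
# bandwidths below are constructed sample data.
import heapq
import math
from itertools import combinations


def cost_scale(bandwidths_kbps, max_cost=1024):
    """Bandwidth-based cost scale: the slowest link gets max_cost and the cost
    halves each time bandwidth doubles. Speeds in between are interpolated
    (cost = max_cost * slowest / bandwidth), an assumption of this example."""
    slowest = min(bandwidths_kbps.values())
    return {name: max(1, round(max_cost * slowest / bw))
            for name, bw in bandwidths_kbps.items()}


def build_graph(site_links):
    """site_links: iterable of (link_name, cost, [site, site, ...]).

    Every pair of sites in a link is reachable at that link's cost. Site links
    using the same transport are bridged (transitive) by default, so a path may
    cross several links; the graph therefore simply joins them all.
    """
    graph = {}
    for name, cost, sites in site_links:
        for a, b in combinations(sites, 2):
            graph.setdefault(a, []).append((b, cost, name))
            graph.setdefault(b, []).append((a, cost, name))
    return graph


def cheapest_path(graph, source, target):
    """Dijkstra over site link costs: (total_cost, [sites on the path]).
    Returns (None, []) when target is not reachable over any site link."""
    dist = {source: 0}
    prev = {}
    heap = [(0, source)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist.get(site, math.inf):
            continue  # stale heap entry, a cheaper route was found already
        if site == target:
            break
        for neighbour, cost, _link in graph.get(site, []):
            nd = d + cost
            if nd < dist.get(neighbour, math.inf):
                dist[neighbour] = nd
                prev[neighbour] = site
                heapq.heappush(heap, (nd, neighbour))
    if target not in dist:
        return None, []
    path = [target]
    while path[-1] != source:
        path.append(prev[path[-1]])
    return dist[target], path[::-1]


# Constructed topology: the direct HQ-Branch1 link is more expensive than going
# through Branch2, so the ISTG would route HQ-to-Branch1 replication via Branch2.
SAMPLE_LINKS = [
    ("HQ-Branch1", 100, ["HQ", "Branch1"]),
    ("HQ-Branch2", 50, ["HQ", "Branch2"]),
    ("Branch2-Branch1", 25, ["Branch2", "Branch1"]),
]

if __name__ == "__main__":
    print(cost_scale({"dialup": 64, "ISDN": 128, "T1": 1544}))
    print(cheapest_path(build_graph(SAMPLE_LINKS), "HQ", "Branch1"))
```

The sample topology makes the point of slide 28 concrete: the direct link exists, but its cost of 100 loses to the two-hop route whose costs sum to 75, so that is the path inter-site replication takes.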

41. (Skill 8) Checking Replication Topology (4)
• Active Directory Replication Monitor
  • Used to monitor the replication process on single or multiple domain controllers in a domain
  • Provides a graphical view of your connection objects to each server, giving you a visual way to analyze your replication topology
  • You can install the Replication Monitor from the Support\Tools folder on the Windows Server 2003 installation CD

42. (Skill 9) Creating a Server Object in a Site
• Server objects
  • Are representations of your domain controllers (and in some cases, member servers) in the Active Directory Sites and Services console
  • Active Directory automatically creates a server object for each domain controller you install

43. (Skill 9) Creating a Server Object in a Site (2)
• Server object placement
  • Is extremely important for proper topology generation
  • The location of each server object is what Active Directory uses to determine in which site each server exists
  • It is the only information the KCC uses to determine the replication topology

44. (Skill 9) Creating a Server Object in a Site (3)
• Server object placement
  • Active Directory automatically places each server in the site that is associated with the subnet object that matches the server’s IP address structure
  • This is performed once when the domain controller is created, and is never changed by Active Directory
  • If you promote all of your domain controllers before you create the appropriate site and subnet objects for your network, you must manually move the objects into the correct sites to allow the KCC to generate the proper replication topology

45. (Skill 9) Creating a Server Object in a Site (4)
• Manually creating server objects
  • While you can manually create server objects for your domain controllers, you should almost never need to do so
  • Active Directory creates server objects for you automatically unless there is a fairly major database problem or a significant case of mistaken deletion
  • The only other valid case for manual server object creation is when running a site-aware application on a member server

46. (Skill 10) Managing Server Objects
• As an administrator, you must manage server settings for a site as part of your routine maintenance tasks
• Routine maintenance
  • You need to control replication and ensure that users are able to log on within a reasonable amount of time
  • To accomplish these tasks and create an efficient replication topology, you may need to move server objects between sites

47. (Skill 10) Managing Server Objects (2)
• Routine maintenance
  • You may also need to identify non-functional servers and remove them from sites
  • You can move or remove server objects from Active Directory only if you have Domain Administrator rights
  • You can also remove a non-functional server object from a site
  • Be very sure before you permanently remove a server object from a site

48. (Skill 11) Designating a Global Catalog Server
• Global catalog
  • A database that stores a full, writable copy of the directory data for its own domain and a partial, read-only copy of the directory databases for every other domain in the forest
  • Is stored on domain controllers that are designated as global catalog servers
  • Global catalog servers are required in Active Directory to facilitate enterprise searching, UPN lookups, and universal group storage

49. (Skill 11) Designating a Global Catalog Server (2)
• Global catalog servers
  • Windows Server 2003 automatically creates the first global catalog server on the first domain controller installed in the forest
  • While there is only one global catalog server in a forest by default, there is no limit to the number of global catalog servers you can have

50. (Skill 11) Designating a Global Catalog Server (3)
• Storage considerations
  • Every global catalog server requires more storage space to hold its database
  • Global catalog servers replicate forest-wide, which consumes additional bandwidth above and beyond that of a standard domain controller
  • In a Windows 2000 native mode domain, Windows 2000 Server and Windows Server 2003 clients must have access to a global catalog server in order to log on; the only exception being the members of the Domain Administrators group
