Friday 14 March 2014

Active Directory Sites and services

Topics Covered
Introduction to active directory sites and services
Terms related to replication and sites
Steps to create sites, subnets and site links
Steps to create connection agreements and bridgehead servers

Sites and Services
The success of a large Active Directory topology depends on how sites and replication are
managed. Active Directory provides the technology to manage replication within a domain and
between multiple domains, and Active Directory Sites and Services is the tool used to manage it.
Before going ahead, let us go through some terms.
Site : A site is a set of Internet Protocol (IP) subnets connected by a highly reliable and fast link,
usually a local area network (LAN). In simpler language, a site is a collection of DCs and
servers used for managing replication and for finding resources and services such as the GC, DCs
and LDAP. The main use of a site is to group computers physically to optimize network traffic:
the site determines where authentication and replication traffic is routed. A single domain can
contain multiple sites, or a site can span multiple domains.
(Figure: a domain with multiple sites)
(Figure: a site with multiple domains)
Subnet : A subnet is a subdivision of an IP network. A site can contain multiple subnets, and a
site can span multiple domains.
Site Links : Site links are used for connecting two sites. They are logical connectors
between two or more sites. Once you have created a site link, the KCC (Knowledge Consistency
Checker) automatically generates the replication topology; the KCC uses site links to determine
the path of replication between two sites.

Cost : Cost is defined as a metric used by the KCC to determine the shortest path to reach a site. The
cost ranges from 1 to 100; the lowest cost is always preferred.
Site Link Bridges : A site link bridge connects two or more site links in a transport where
transitivity has been disabled in order to create a transitive and logical link between two sites that
do not have an explicit site link. For example, site link BOM-DEL connects the BOMBAY and
DELHI sites. Site link DEL-MAD connects the DELHI and MADRAS sites. Site link bridge
BOM-DEL-MAD connects site links BOM-DEL and DEL-MAD.
Inter-Site Topology Generator (ISTG) : The inter-site topology generator is an Active Directory
process that defines the replication between the sites on a network. A single domain controller in
each site is automatically designated to be the inter-site topology generator. Because this action is
performed by the inter-site topology generator, you are not required to take any action to determine
the replication topology and the bridgehead server roles.
The domain controller that holds the inter-site topology generator role performs two functions:
• It automatically selects one or more domain controllers to become bridgehead servers. This
way, if a bridgehead server becomes unavailable, it automatically selects another bridgehead
server, if possible.
• It runs the KCC to determine the replication topology and the resulting connection objects that
the bridgehead servers can use to communicate with the bridgehead servers of other sites.
Bridgehead Servers : A bridgehead server is a DC which manages inter-site replication for a site. The
KCC automatically designates a DC as bridgehead server, or you can manually designate a preferred
bridgehead server. Any replication update coming from another site is first received by the
bridgehead server, which then replicates it to all DCs in the current domain. In the same way, any
replication update is sent by the local bridgehead server to the remote bridgehead server of the
other site. Thus we can conclude that we require a bridgehead server in each site, and each
bridgehead server sends and receives replication updates from the bridgehead servers of other
sites.

Replication
Active Directory replication is the process of replicating the Active Directory database between
DCs in the same Active Directory forest. Every DC maintains the local domain database plus
configuration and schema information about the entire forest. The Active Directory database is
divided into 3 basic partitions, called the Schema Partition, Configuration Partition and Domain
Partition. The domain partition is replicated by a DC to the other DCs in the same domain only,
whereas the Schema partition and Configuration partition are replicated to all DCs in the entire forest.
Global Catalogs also take part in replication. Active Directory uses remote procedure call (RPC)
over Internet Protocol (IP) to transfer replication data between domain controllers. RPC over IP
is used for both intersite and intrasite replication. To keep data secure while in transit, RPC over
IP replication uses both authentication (using the Kerberos V5 authentication protocol) and data
encryption.
So to handle all these domains, trees and replication, a proper replication topology or method should
be implemented. Active Directory provides this solution with the help of sites and the KCC. The
Knowledge Consistency Checker (KCC) on each domain controller automatically builds the
most efficient replication topology for intrasite replication, using a bidirectional ring design. This
bidirectional ring topology attempts to create at least two connections to each domain controller
(for fault tolerance) and no more than three hops between any two domain controllers (to reduce
replication latency). To prevent connections of more than three hops, the topology can include
shortcut connections across the ring. The KCC updates the replication topology regularly.
The KCC actually creates a separate replication topology for each directory partition (schema,
configuration, domain, application). Within a single site, these topologies are usually identical
for all partitions hosted by the same set of domain controllers.
Replication Topology is the route by which replication data travels throughout a network.
Replication occurs between two domain controllers at a time. Over time, replication
synchronizes information in Active Directory for an entire forest of domain controllers. To create
a replication topology, Active Directory must determine which domain controllers replicate data
with other domain controllers.
The Knowledge Consistency Checker (KCC) is a built-in process that runs on each domain
controller and regenerates the replication topology for all directory partitions that are contained
on that domain controller. The KCC runs at specified intervals (every 15 minutes by default)
and designates replication routes between domain controllers using the most favorable connections
that are available at the time.
By default, the frequency of replication is every 180 minutes. The minimum replication
frequency is 15 minutes. The maximum is 10,080 minutes, which is the equivalent of one full
week.

How KCC Works
To generate a replication topology automatically, the KCC evaluates information in the
configuration partition on sites, the cost of sending data between these sites (cost refers to the
relative value of the replication paths), any existing connection objects, and the replication
protocols that the KCC can use to replicate each domain controller's directory partitions to other
domain controllers. If replication within the site becomes impossible or has a single point of
failure, the KCC automatically establishes new connection objects between domain controllers to
maintain Active Directory replication.
Types of replication
• Intra-Site replication : replication of directory information between two or more
DCs in the same site.
• Inter-Site replication : replication of directory information between two or more
DCs in different sites.

Particulars                 Intrasite replication              Intersite replication
Protocol used               IP/RPC                             IP/RPC or SMTP
Frequency of replication    Periodic (default is 5-15 min)     Scheduled (default is 180 min)
Compression                 NO                                 YES

Scenario
Now, to understand and implement Active Directory sites and topology, we will go through a
scenario in which a pharmaceutical company has offices at 3 locations in India. Let us go through
the details for each location.
Office 1 – Mumbai Head Office
4 Domain Controllers : HODC1 – 10.0.0.1/24, HODC2 – 10.0.0.2/24, HODC3 – 10.0.0.3/24
1 Global Catalog : HODC1 – 10.0.0.1/24
2000 Users
300 Universal Groups
1 DNS Server (this server hosts the Primary Zone – AD Integrated) : HODC1 – 10.0.0.1/24

Office 2 – Delhi Office
3 Domain Controllers : DELDC1 – 10.1.0.1/24, DELDC2 – 10.1.0.2/24
1 Global Catalog : DELDC1 – 10.1.0.1/24
1000 Users
200 Universal Groups
1 DNS Server (this server hosts the Primary Zone – AD Integrated) : DELDC1 – 10.1.0.1/24

Office 3 – Chennai Office
1 Domain Controller : CHNDC1 – 10.2.0.1/24
50 Users
20 Universal Groups
1 DNS Server (this server hosts a Stub Zone) : CHNDC1 – 10.2.0.1/24

Infrastructure Setup
The Mumbai office is connected to the Delhi office with a 2 Mbps leased line.
The Delhi office is connected to the Chennai office with a 1 Mbps leased line.
Based on the above scenario, we have created an Active Directory topology with sites.
Steps for creating site
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and
Services.
2. Right-click the Sites container, and then click New Site.
Vision Infosystems (VIS)
3. In the New Object–Site dialog box, type the name of the new site in the Name box.
Assign a site link to the site by selecting a site link in the Link Name column, and then
click OK.
Steps for creating subnet
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Double-click the Sites folder.
3. Right-click the Subnets folder, and then click New Subnet.
4. In the New Object–Subnet dialog box, type the subnet address in the Address box. In the
Mask box, type the subnet mask that describes the range of addresses included in this
site’s subnet. Choose a site to associate this subnet, and then click OK.

To Move domain controller to a site
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the Active Directory Sites and Services console tree, right-click the domain controller
object that you want to move to a different site, and then click Move.
3. In the Move Server dialog box, click the site to which you want to move the domain
controller object, and then click OK.
To add a new domain controller to a site
1. Click Start, point to Administrative Tools, then click Active Directory Sites and Services.
2. In the Active Directory Sites and Services console tree, double-click the site that you want
to contain the new domain controller object.
3. Right-click the Servers folder, point to New, and then click Server.
4. In the New Object–Server dialog box, type the name for the new domain controller object
in the Name box, and then click OK.
Steps to create site link
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and
Services.
2. Open the Inter-Site Transports folder and right-click either the IP or SMTP folder,
depending on which protocol you want the site to use. Select New Site Link.
3. In the New Object–Site Link dialog box, type the name to be given to the site link in the
Name field. Use a name that includes the sites that you are linking.
4. In the Sites Not In This Site Link box, click two or more sites to connect, and then click
Add. Click OK.

Steps to designate Preferred bridgehead server
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and
Services.
2. In the Active Directory Sites and Services console tree, click the site that contains the
domain controller that you want to make a preferred bridgehead server.
3. In the Active Directory Sites and Services console tree, right-click the domain controller
that you want to make a bridgehead server, and then click Properties.
4. In the Properties dialog box for the domain controller, in the Transports Available For
Inter-Site Data Transfer box, select the intersite transport or transports for which this
computer will be a preferred bridgehead server. Click Add, and then click OK.
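The GUI procedures above (creating sites and subnets, moving a domain controller, creating a site link and designating a preferred bridgehead server) can also be scripted with the ActiveDirectory PowerShell module. The script below is an added example written for this page; it is not part of the original training material. It builds the three-site topology of the scenario: the site names, subnets, DC names and the two leased-line links come from the scenario, while the link costs, the replication intervals and the choice of HODC1 and DELDC1 as preferred bridgehead servers are assumptions. It assumes the module is installed where it runs and that the account has rights on the Configuration partition.

```powershell
# Added example (not from the original material): builds the scenario topology
# with the ActiveDirectory module instead of the Sites and Services console.
Import-Module ActiveDirectory

# One site per office (names taken from the scenario); skip sites that already exist
$sites = @('Mumbai', 'Delhi', 'Chennai')
foreach ($s in $sites) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$s'")) {
        New-ADReplicationSite -Name $s
    }
}

# One /24 subnet per office, each associated with its site (from the scenario)
$subnets = @{
    '10.0.0.0/24' = 'Mumbai'
    '10.1.0.0/24' = 'Delhi'
    '10.2.0.0/24' = 'Chennai'
}
foreach ($prefix in $subnets.Keys) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $subnets[$prefix]
    }
}

# Site links follow the leased lines: Mumbai-Delhi (2 Mbps) and Delhi-Chennai (1 Mbps).
# The KCC prefers the lowest cost, so the slower Chennai link gets the higher cost.
# Cost and interval values are assumptions, chosen within the 1-100 range described above.
New-ADReplicationSiteLink -Name 'MUM-DEL' -SitesIncluded 'Mumbai', 'Delhi' `
    -Cost 50 -ReplicationFrequencyInMinutes 180 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'DEL-CHN' -SitesIncluded 'Delhi', 'Chennai' `
    -Cost 100 -ReplicationFrequencyInMinutes 360 -InterSiteTransportProtocol IP

# Move the scenario's domain controllers out of Default-First-Site-Name into their sites
# (the same thing the "Move" action on a server object does in the console)
$dcSite = @{
    'HODC1' = 'Mumbai'; 'HODC2' = 'Mumbai'; 'HODC3' = 'Mumbai'
    'DELDC1' = 'Delhi'; 'DELDC2' = 'Delhi'
    'CHNDC1' = 'Chennai'
}
foreach ($dc in $dcSite.Keys) {
    Move-ADDirectoryServer -Identity $dc -Site $dcSite[$dc]
}

# Designate HODC1 and DELDC1 (assumed choice) as preferred bridgehead servers for the
# IP transport. There is no dedicated cmdlet: the console's "Transports available for
# inter-site data transfer" box writes the transport DN into the server object's
# bridgeheadTransportList attribute, so the script does the same with Set-ADObject.
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
foreach ($dc in 'HODC1', 'DELDC1') {
    # NTDSSettingsObjectDN is "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...";
    # strip the first RDN to get the server object itself
    $serverDn = (Get-ADDomainController -Identity $dc).NTDSSettingsObjectDN -replace '^CN=NTDS Settings,', ''
    Set-ADObject -Identity $serverDn -Replace @{ bridgeheadTransportList = $ipTransport }
}

# Ask the KCC on one DC per site to regenerate the topology now instead of waiting
# for its next 15-minute run (repadmin ships with the AD DS administration tools)
repadmin /kcc HODC1
repadmin /kcc DELDC1
repadmin /kcc CHNDC1
```

Run it once from an elevated PowerShell prompt with an account that can write to the Configuration partition (Enterprise Admins in a default forest). Designating a preferred bridgehead server is deliberate: once the attribute is set, the ISTG will only use the listed servers for that transport, so if a designated server is down and no other preferred server exists in the site, inter-site replication for that site stops until the attribute is cleared or another server is designated.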
Active directory connection agreement
A connection object is an Active Directory object that represents an inbound-only connection to
a domain controller. When there is a single site, all KCCs generate connection objects for
replication within the site. When there is more than one site, a single KCC in each site generates
all connection objects for replication between sites. Connection objects can also be created
manually by an administrator. Connection objects created by the KCC are “owned” by the KCC.
Connection objects created or modified by an administrator are owned by the administrator.
Although you can create or configure connection objects manually to force replication over a
particular connection, normally you should allow replication to be automatically optimized by
the KCC based on information you provide in the Active Directory Sites and Services console
about your deployment. Create connection objects manually only if the connections that are
automatically configured by the KCC do not connect specific domain controllers that you want
to connect. Adding redundant manual connection objects to the optimal connection objects
created by the KCC can increase replication traffic.
Steps to create connection agreement
1. Click Start, point to Administrative Tools, and then click Active Directory Sites and
Services.
2. Double-click the site that contains the domain controller for which you want to create a
connection object.
3. Open the Servers folder, select the domain controller for which you are enabling the
inbound connection, right-click NTDS Settings, and then click New Active Directory
Connection.
4. In the Find Domain Controllers dialog box, select the domain controller and click OK.
5. In the New Object–Connection dialog box, type a name for the new Connection object in
the Name field. It is best to use the name of the domain controller for which you are
enabling the inbound connection. Click OK.
6. Right-click the connection object in the details pane and select Properties.
7. In the Properties dialog box for the connection object, type a description of the connection
object in the Description box. Ensure that RPC appears in the Transport box. Click
Change Schedule to change the default intrasite replication schedule (four times per
hour).
8. In the Schedule For dialog box for the connection object, select the intrasite replication
frequency for this connection object, then click OK.
9. In the Properties dialog box for the connection object, click OK.
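Because the text above recommends leaving connection objects to the KCC and creating them by hand only when necessary, an administrator periodically wants to see which connection objects exist, which ones the KCC owns and which ones were created manually, and whether replication over them is actually succeeding. The audit script below is an added example written for this page, not part of the original material; it assumes the ActiveDirectory module and an account that can read the Configuration partition, and it reads the topology (sites, site links, DC names) from the forest rather than hard-coding the scenario.

```powershell
# Added example (not from the original material): audits connection objects,
# site links and replication health with the ActiveDirectory module.
Import-Module ActiveDirectory

# Helper: turn "CN=NTDS Settings,CN=HODC1,CN=Servers,CN=Mumbai,..." into "HODC1"
function Get-ServerNameFromNtdsDn([string] $dn) {
    ($dn -split ',')[1] -replace '^CN=', ''
}

# 1. Connection objects: KCC-owned versus administrator-owned.
#    AutoGenerated reflects the IS_GENERATED bit of the object's options attribute,
#    which is exactly the "owned by the KCC" distinction made in the text above.
$connections = Get-ADReplicationConnection -Filter * `
    -Properties AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
$connections |
    Select-Object Name, AutoGenerated,
        @{ n = 'From'; e = { Get-ServerNameFromNtdsDn $_.ReplicateFromDirectoryServer } },
        @{ n = 'To';   e = { Get-ServerNameFromNtdsDn $_.ReplicateToDirectoryServer } } |
    Sort-Object AutoGenerated, To |
    Format-Table -AutoSize

# Manual connection objects are not wrong in themselves, but each one should be
# documented, since the KCC will not remove or re-route them when the topology changes
$manual = @($connections | Where-Object { -not $_.AutoGenerated })
Write-Host ("{0} connection object(s) were created manually" -f $manual.Count)

# 2. Site links: the cost and replication interval actually in force
#    (the defaults described above are cost 100 and 180 minutes)
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ', ' } } |
    Format-Table -AutoSize

# 3. Inbound replication status of every DC in the forest, per partner and partition:
#    a manual connection whose partner never succeeds shows up here as a stale LastReplicationSuccess
$dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Server';  e = { $dc.Name } },
            @{ n = 'Partner'; e = { Get-ServerNameFromNtdsDn $_.Partner } },
            Partition, LastReplicationSuccess, LastReplicationResult |
        Format-Table -AutoSize
}

# 4. Replication failures recorded across the forest (consecutive failure count,
#    time of the first failure and the last error code)
Get-ADReplicationFailure -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize
```

The fourth section is the one to schedule: a non-zero FailureCount that keeps growing between runs means a DC has not received updates from that partner since FirstFailureTime, which in the scenario above would leave the Chennai office authenticating against stale data until the link or connection object is repaired.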
