Overview Of Active Directory Sites Services Computer Science
The Active Directory Sites and Services snap-in can be used to manage the site-specific objects that implement the intersite replication topology. It also provides a view of the Services container, which can be used to view service-related objects that are published in AD DS.
Two areas of Active Directory Sites and Services are described in detail below: site management and service publication.
Site management
A site represents a set of computers that are connected by a high-speed network, such as a local area network (LAN).
In AD DS, a site object represents the aspects of the physical site that you can manage, specifically the replication of directory data between domain controllers. Active Directory Sites and Services can be used to manage the objects that represent the sites and the servers that reside in those sites.
Site objects and their related objects are replicated to all domain controllers in an AD DS forest. The following objects can be managed in Active Directory Sites and Services:
Sites
Subnets
Servers
NTDS Settings
Connections
Site links
IP and SMTP intersite transports
Sites
This object identifies the intersite topology generator (ISTG). The ISTG is the one domain controller in the site that generates connection objects from domain controllers in different sites. It also performs advanced replication management tasks.
Site objects are located in the Sites container, and you can use them to accomplish the following tasks:
Create new sites
Delegate control over sites by using Group Policy and permissions
Subnets
A subnet object identifies the ranges of IP addresses within a site. It can be used to accomplish the following tasks:
Create new subnets
Associate subnets with sites
Provide a location for a site that can be used by the printer location tracking feature in Group Policy
Servers
Server objects represent domain controllers in the replication topology. They are created automatically. Server objects can be used to accomplish the following tasks:
Identify domain controllers that will act as preferred bridgehead servers. This controls intersite replication so that it occurs only between the domain controllers that you specify, and not between domain controllers that might be less able to handle intersite replication traffic.
Move servers between sites. You can move a domain controller to a new site after you have created the site and installed the domain controller with an IP address that maps to the new site.
NTDS Settings
The NTDS Settings object represents the domain controller in the replication system. It stores the connection objects that make replication possible between two or more domain controllers.
Below are the tasks that can be accomplished with NTDS Settings objects.
Generate the replication topology. The Check Replication Topology command on the NTDS Settings object signals the ISTG to check all of the connections between domain controllers and to add or remove any connections in the domain as needed.
Enable or disable the global catalog on a server. If the global catalog is enabled, the domain controller replicates the read-only directory partitions that make up the global catalog in the forest.
Connections
Connection objects identify the replication partners of servers in a site; each connection represents replication in one direction only. A connection object for a server contains information about the other server that sends replication to the first server. Connection objects store schedules that control replication within a site. By default, they automatically poll a replication partner for new changes once every hour. For intersite replication, connection objects derive their schedule from the site link object. Connection objects are created automatically by the replication system.
Connection objects can be used to accomplish the following tasks:
Identify replication partnerships of servers in the site
Force replication over a connection if you do not want to wait for scheduled replication, or to test replication over a connection
Site links
Site links represent the flow of replication between sites. You can manage intersite replication by configuring site link properties.
Site link objects can be used to accomplish the following tasks:
Add and remove sites that use the site link
Set the cost of replication over the site link, which determines the likelihood that replication occurs over this site link when there are multiple routes that replication could take to reach a destination site
Set the site link schedule, which determines the hours and days that replication is available (can occur) over the site link
Set the replication interval, which determines how often replication occurs over the site link when replication is available
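As an added example that is not part of the original article, the objects described above (site, subnet, site link, server placement and connection objects) can be created and inspected with the ActiveDirectory PowerShell module instead of the snap-in. The names used here are assumptions: a hub site 'HQ' with domain controller 'DC1', a new site 'Branch1' whose domain controller 'DC2' is addressed from 10.20.0.0/16.

```powershell
# Added example, not from the original article: create the objects that the snap-in
# manages (site, subnet, site link), move a DC into the new site and inspect the
# connection objects the ISTG generates. Assumed names: hub site 'HQ' with DC 'DC1',
# new site 'Branch1' with DC 'DC2' addressed from 10.20.0.0/16. Adjust to your forest.
Import-Module ActiveDirectory

# Site, plus the subnet that maps client and DC addresses to it. -Location feeds the
# printer location tracking feature mentioned in the article.
New-ADReplicationSite -Name 'Branch1'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'Branch1' -Location 'Branch office 1'

# Site link so the ISTG can build intersite connections. Defaults apply: cost 100,
# replicate every 180 minutes, schedule always available.
New-ADReplicationSiteLink -Name 'HQ-Branch1' -SitesIncluded 'HQ', 'Branch1' `
    -InterSiteTransportProtocol IP

# Move an existing DC whose IP address falls in 10.20.0.0/16 into the new site.
Move-ADDirectoryServer -Identity 'DC2' -Site 'Branch1'

# Connection objects are generated automatically and live under the NTDS Settings
# object of the destination DC. The KCC/ISTG runs every 15 minutes by default;
# trigger it now on DC2 instead of waiting, then list DC2's inbound connections.
repadmin /kcc DC2
$ntds = (Get-ADDomainController -Identity 'DC2').NTDSSettingsObjectDN
Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateToDirectoryServer -eq $ntds } |
    Select-Object Name, ReplicateFromDirectoryServer, AutoGenerated

# Force replication of the domain partition from DC1 to DC2 now rather than waiting
# for the site link schedule (the snap-in's "Replicate Now" on a connection object).
$domainDN = (Get-ADDomain).DistinguishedName
repadmin /replicate DC2 DC1 $domainDN
```

Run this from a session with Domain Admins or equivalent rights on the Configuration partition. The subnet must be created before the move if you want the Net Logon service on DC2 to agree with the site you moved it to; a DC whose address maps to no subnet logs site-coverage warnings.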
Service publication
Some services, such as Certificate Services, Message Queuing, and Exchange Server, publish information in the Sites container in AD DS automatically when they are installed. Other services can be published in the directory with programming interfaces.
Active Directory Sites and Services exposes published service-related objects in the Services node. This node is not visible by default. To view this node, open Active Directory Sites and Services, and then, on the View menu, click Show Services Node.
The objects in the Services node in Active Directory Sites and Services are published for use by the respective application administrators. For this reason, information about these objects is available in documentation for the service or application.
3.2 Changing site link properties: Active Directory
To control which sites replicate directly to each other, you can use the cost, schedule, and interval properties of the site link object in Active Directory Domain Services (AD DS).
These settings control intersite replication, as follows:
Schedule: The time during which replication can occur. The default setting allows replication at all times.
Interval: The number of minutes between replication polling by intersite replication partners within the open schedule window. The default setting is every 180 minutes.
Cost: The relative priority of the link. The default setting is 100. Lower relative cost increases the priority of the link over other, higher-cost links.
Below are the procedures to configure the Site Link Schedule, Interval, and Cost.
Configure the Site Link Schedule to Identify Times During Which Intersite Replication Can Occur
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console tree, expand Sites and Inter-Site Transports, and then click IP.
In the details pane, right-click the site link object that you want to configure, and then click Properties.
In the SiteLinkName Properties dialog box, click Change Schedule.
In the Schedule for SiteLinkName dialog box, select the block of days and hours during which you want replication to occur or not occur (that is, be available or not available), and then click the appropriate option.
Click OK twice.
Configure the Site Link Interval to Identify How Often Replication Polling Can Occur During the Schedule Window
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console tree, expand Sites and Inter-Site Transports, and then click IP.
In the details pane, right-click the site link object that you want to configure, and then click Properties.
In Replicate every _____ minutes, specify the number of minutes for the intervals at which replication polling occurs during an open schedule, and then click OK.
Configure the Site Link Cost to Establish a Priority for Replication Routing
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console tree, expand Sites and Inter-Site Transports, and then click IP.
In the details pane, right-click the site link object that you want to configure, and then click Properties.
In Cost, specify the number for the comparative cost of using the site link, and then click OK.
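The three procedures above change the schedule, interval and cost one dialog box at a time. As an added example that is not part of the original article, the following PowerShell applies all three to one site link with the ActiveDirectory module; the site link name 'HQ-Branch1' and the chosen values (night-time window, 60-minute interval, cost 250) are assumptions.

```powershell
# Added example, not from the original article: set schedule, interval and cost of a
# site link from PowerShell. Assumed site link name 'HQ-Branch1'; values are illustrative.
Import-Module ActiveDirectory

$linkName = 'HQ-Branch1'   # assumed

# Current settings. Defaults are Cost 100, interval 180 minutes, schedule always open.
Get-ADReplicationSiteLink -Identity $linkName |
    Format-List Name, Cost, ReplicationFrequencyInMinutes

# Build a schedule that opens replication only between 20:00 and 06:00 every day so
# daytime WAN capacity stays with users. The schedule is a 15-minute slot grid;
# the "to" hour/minute names the last slot that is included.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()                                                  # nothing open
$schedule.SetDailySchedule('Twenty', 'Zero', 'TwentyThree', 'FortyFive')   # 20:00-24:00
$schedule.SetDailySchedule('Zero', 'Zero', 'Five', 'FortyFive')            # 00:00-06:00

# Apply: schedule, polling every 60 minutes inside the open window, and a cost above
# the default 100 so the KCC prefers any cheaper route that also reaches the site.
Set-ADReplicationSiteLink -Identity $linkName `
    -ReplicationSchedule $schedule `
    -ReplicationFrequencyInMinutes 60 `
    -Cost 250

# Verify, then ask the KCC to recompute the topology now instead of on its next run.
Get-ADReplicationSiteLink -Identity $linkName |
    Format-List Name, Cost, ReplicationFrequencyInMinutes
repadmin /kcc
```

The cost only matters when more than one route exists between two sites; with a single link the KCC uses it regardless of cost. A closed schedule window does not stop urgent replication of account lockouts and password changes, which are pushed directly to the PDC emulator.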
3.4 Creating a Site Link Bridge Design
A site link bridge connects two or more site links and enables transitivity between site links. Each site link in a bridge must have a site in common with another site link in the bridge. The Knowledge Consistency Checker (KCC) uses the information on each site link to compute the cost of replication between sites in one site link and sites in the other site links of the bridge. Without a common site between site links, the KCC also cannot establish direct connections between domain controllers in the sites that are connected by the same site link bridge.
By default, all site links are transitive, so you should keep transitivity enabled by leaving Bridge all site links at its default value. However, you need to disable Bridge all site links and complete a site link bridge design if:
The IP network is not fully routed. When Bridge all site links is disabled, all site links are considered non-transitive, and you can create and configure site link bridge objects to model the actual routing behavior of the network.
You need to control the replication flow of changes made in Active Directory Domain Services (AD DS). When Bridge all site links is disabled, a site link bridge becomes the equivalent of a disjoint network. All site links within the site link bridge can route transitively, but they do not route outside of the site link bridge.
Controlling AD DS replication flow
There are two scenarios that require a site link bridge design to control replication flow:
Controlling replication failover
If an organization has a hub-and-spoke network topology and does not want the satellite sites to create replication connections to other satellite sites when all domain controllers in the hub site fail, it must disable Bridge all site links and create site link bridges so that replication connections are created between the satellite site and another hub site that is just one or two hops away from the satellite site.
Controlling replication through a firewall
If two domain controllers representing the same domain in two different sites are specifically allowed to communicate with each other only through a firewall, you can disable Bridge all site links and create site link bridges for the sites on the same side of the firewall.
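As an added example that is not part of the original article, this is how the design described above is applied with PowerShell: the Bridge all site links option is turned off on the IP transport object, and an explicit site link bridge groups the links that are allowed to route through the hub. The site link names 'HQ-Branch1', 'HQ-Branch2' and 'HQ-Branch3' are assumptions.

```powershell
# Added example, not from the original article: disable "Bridge all site links" for
# the IP transport and model a hub-and-spoke design with an explicit bridge.
# Assumed site links: HQ-Branch1, HQ-Branch2, HQ-Branch3 (HQ is the common site).
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# The transport object's 'options' attribute is a bit mask. Bit 0x2
# (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) set means "Bridge all site links" is DISABLED.
$BridgesRequired = 0x2

$transport = Get-ADObject -Identity $ipTransport -Properties options
$current   = if ($transport.options) { [int]$transport.options } else { 0 }

if (($current -band $BridgesRequired) -eq 0) {
    # OR the bit in so any other bit already set (e.g. 0x1 = ignore schedules) survives.
    Set-ADObject -Identity $ipTransport -Replace @{ options = ($current -bor $BridgesRequired) }
    Write-Output 'Bridge all site links is now disabled on the IP transport.'
}

# With transitivity off, the KCC routes only inside explicit bridges. Every link in the
# bridge must share a site with another link in it; here that site is HQ. Branch1 and
# Branch2 can now reach each other only via HQ, and because HQ-Branch3 is left out of
# the bridge, a Branch1 or Branch2 DC is never connected directly to Branch3.
New-ADReplicationSiteLinkBridge -Name 'HQ-Spokes-Bridge' `
    -SiteLinksIncluded 'HQ-Branch1', 'HQ-Branch2' `
    -InterSiteTransportProtocol IP

# Review. Site links that belong to no bridge still replicate between their own two
# sites; they just no longer provide a path to anything beyond them.
Get-ADReplicationSiteLinkBridge -Filter * |
    Select-Object Name, @{ n = 'Links'; e = { $_.SiteLinksIncluded -join ', ' } }
```

Check the result against the firewall scenario above: after the change, every site pair that must not talk directly should be in different bridges or in no common bridge, and `repadmin /showrepl` on a spoke DC should list only partners in sites the bridge permits.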
Topic 4: Configure the global catalog
4.1 Enabling Universal Group Membership Caching in a Site
In a multi-domain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session. Only global catalog servers store the memberships of all universal groups in the forest.
If a global catalog server is not available in the site when a user logs on to a domain, the domain controller must contact a global catalog server in another site.
In multi-domain forests where remote sites do not have a global catalog server, contacting a global catalog server over a potentially slow wide area network (WAN) connection can be problematic, and a user can be unable to log on to the domain if a global catalog server is not available.
Enable Universal Group Membership Caching in a Site
In a branch site that has no global catalog server, in a forest that has multiple domains, you can use the procedure below to enable Universal Group Membership Caching in the site so that a global catalog server does not have to be contacted across a wide area network (WAN) link for every initial user logon. When you enable this setting, you can specify the site of a global catalog server to contact when the cache must be updated. In most cases, the closest global catalog server is located in the hub site.
To enable Universal Group Membership Caching in a site
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.
In the details pane, right-click the NTDS Site Settings object, and then click Properties.
Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.
In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK.
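The procedure above writes two attributes of the site's NTDS Site Settings object. As an added example that is not part of the original article, the same change can be made from PowerShell; the site names 'Branch1' (no global catalog) and 'HQ' (hub with global catalog servers) are assumptions.

```powershell
# Added example, not from the original article: enable Universal Group Membership
# Caching for a branch site and point its cache refresh at the hub site.
# Assumed site names: 'Branch1' (no GC) and 'HQ' (has GCs). Adjust to your forest.
Import-Module ActiveDirectory

$branchSite = 'Branch1'   # assumed
$hubSite    = 'HQ'        # assumed

$configNC         = (Get-ADRootDSE).configurationNamingContext
$branchSettingsDN = "CN=NTDS Site Settings,CN=$branchSite,CN=Sites,$configNC"
$hubSiteDN        = "CN=$hubSite,CN=Sites,$configNC"

# The check box in the snap-in sets bit 0x20 (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED)
# in the 'options' attribute; the "Refresh cache from" list writes msDS-Preferred-GC-Site.
$GroupCachingEnabled = 0x20

$settings = Get-ADObject -Identity $branchSettingsDN -Properties options
$current  = if ($settings.options) { [int]$settings.options } else { 0 }

Set-ADObject -Identity $branchSettingsDN -Replace @{
    options                  = ($current -bor $GroupCachingEnabled)   # keep other bits
    'msDS-Preferred-GC-Site' = $hubSiteDN
}

# Verify. Branch DCs now refresh cached universal group memberships from the hub
# (by default every 8 hours), so a WAN outage no longer blocks logons for users
# whose memberships are already in the cache.
Get-ADObject -Identity $branchSettingsDN -Properties options, 'msDS-Preferred-GC-Site' |
    Select-Object Name,
        @{ n = 'GroupCaching'; e = { ([int]$_.options -band $GroupCachingEnabled) -ne 0 } },
        @{ n = 'RefreshFrom';  e = { $_.'msDS-Preferred-GC-Site' } }
```

Caching covers users who have logged on in the site at least once since the cache was enabled; a first-ever logon in that site still needs a reachable global catalog, which is why the hub link should remain the preferred refresh source.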
4.2 Understanding the Global Catalog
The global catalog is the set of all objects in an Active Directory Domain Services (AD DS) forest. A global catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial, read-only copy of all objects for all other domains in the forest.
Attributes that replicate to the global catalog
Read-only copies of objects that make up the global catalog are described as "partial" because they include a limited set of attributes: the attributes that are required by the schema plus the attributes that are most commonly used in user search operations. These attributes are marked for inclusion in the partial attribute set (PAS) as part of their schema definitions.
Storing the most commonly searched attributes of all domain objects in the global catalog makes searches more efficient and avoids burdening the network with unnecessary referrals to domain controllers, while the global catalog server itself does not have to store large amounts of data.
Global catalog functionality
The global catalog for a new forest is created automatically on the first domain controller in the forest. We can add global catalog functionality to additional domain controllers or remove the global catalog from a domain controller. The global catalog provides the following functionality:
Finds objects.
Enables user searches for directory information throughout all domains in a forest, regardless of where the data is stored. Searches within a forest are performed with maximum speed and minimum network traffic.
Supplies user principal name authentication.
A global catalog server resolves a user principal name (UPN) when the authenticating domain controller has no knowledge of the user account.
Validates object references within a forest.
The global catalog is used to validate references to objects in other domains in the forest. When a domain controller holds a directory object with an attribute that contains a reference to an object in another domain, the domain controller validates the reference by contacting a global catalog server.
Supplies universal group membership information in a multiple-domain environment.
A domain controller can discover domain local group and global group memberships for any user in its domain; the membership of these groups is not replicated to the global catalog. Universal groups can have members in different domains. For this reason, the member attribute of universal groups, which contains the list of members in the group, is replicated to the global catalog.
If a user in a multiple-domain forest logs on to a domain where universal groups are allowed, the domain controller must contact a global catalog server to retrieve any universal group memberships that the user might have in other domains.
If a global catalog server is not available when a user logs on to a domain where universal groups are available, the user's client computer can use cached credentials to log on if the user has logged on to the domain previously. If the user has not logged on to the domain previously, the user can log on only to the local computer.
4.3 Introduction to Administering the Global Catalog: Active Directory
Designate global catalog servers in sites to accommodate forest-wide directory searching and to facilitate domain client logons when universal groups are available. When universal groups are available in a domain, a domain controller must be able to locate a global catalog server to process a logon request.
Initial global catalog replication
When you add a global catalog server to a site, the Knowledge Consistency Checker (KCC) updates the replication topology, after which replication of partial domain directory partitions that are available within the site begins. Replication of partial domain directory partitions that are available only from other sites begins at the next scheduled interval.
Adding subsequent global catalog servers within the same site requires only intrasite replication and does not affect network performance. Replication of the global catalog potentially affects network performance only when you add the first global catalog server in the site. The impact of this replication varies, depending on the following conditions:
The speed and reliability of the WAN link or links to the site
The size of the forest
Global catalog readiness
A global catalog server is available to directory clients when Domain Name System (DNS) servers can locate it as a global catalog server. Several conditions must be met before the global catalog server is locatable by clients. These conditions are divided into seven levels (numbered 0 to 6) of readiness, called occupancy levels.
At each level, a specific degree of synchronization must be achieved before occupancy moves to the next level. By default, domain controllers running Windows Server 2008 require all levels to be reached before the global catalog is ready for use. At level 6, all partial, read-only directory partitions have been successfully replicated to the global catalog server. When the requirements of all occupancy levels have been satisfied, the Net Logon service on the global catalog server registers DNS service (SRV) resource records that identify the domain controller as a global catalog server in the site and in the forest.
Global catalog removal
When you remove the global catalog from a domain controller, that domain controller immediately stops advertising in DNS as a global catalog server. The Knowledge Consistency Checker (KCC) gradually removes the read-only replicas from the domain controller. On domain controllers running Windows Server 2008 or Windows Server 2003, the partial, read-only directory partitions that make up the global catalog are removed in the background at low priority so that high-priority services are not interrupted.
If universal group membership caching is adequate to satisfy logon requirements in a particular site where WAN link speeds are not adequate for the global catalog, you might decide to remove the global catalog from a domain controller.
4.4 Configuring a Global Catalog Server: Active Directory
When conditions in a site warrant adding a global catalog server, you can configure a domain controller to be a global catalog server. Selecting the global catalog setting on the NTDS Settings object prompts the Knowledge Consistency Checker (KCC) to update the topology. After the topology is updated, read-only, partial, domain directory partitions are replicated to the designated domain controller. When replication must occur between sites to create the global catalog, the site link schedule determines when replication can occur.
Below are the procedures to configure a global catalog server.
Determine Whether a Domain Controller Is a Global Catalog Server
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials, if required, and then click Continue.
In the console tree, expand the Sites container, expand the site of the domain controller that you want to check, expand the Servers container, and then expand the Server object.
Right-click the NTDS Settings object, and then click Properties.
On the General tab, if the Global Catalog box is selected, the domain controller is designated as a global catalog server.
Designate a Domain Controller to Be a Global Catalog Server
Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console tree, expand the Sites container, and then expand the site in which you are designating a global catalog server.
Expand the Servers container, and then expand the Server object for the domain controller that you want to designate as a global catalog server.
Right-click the NTDS Settings object for the target server, and then click Properties.
Select the Global Catalog check box, and then click OK.
Monitor Global Catalog Replication Progress
Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
At the command prompt, type the following command, and then press ENTER:
dcdiag /s:
Repeat this command periodically to monitor progress. If the test shows no output, replication has completed.
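As an added example that is not part of the original article, the three procedures above (check, designate, monitor) can be run from an elevated PowerShell session on a domain controller or a machine with the RSAT tools; the domain controller name 'DC2' is an assumption.

```powershell
# Added example, not from the original article: check, designate and monitor a global
# catalog server without the snap-in. Assumed DC name 'DC2'. Adjust to your forest.
Import-Module ActiveDirectory

$dcName = 'DC2'   # assumed

# 1. Determine which domain controllers are already global catalog servers, and where.
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IsGlobalCatalog |
    Sort-Object Site, Name

# 2. Designate DC2. The "Global Catalog" check box sets bit 0x1 (NTDSDSA_OPT_IS_GC)
#    in the 'options' attribute of the DC's NTDS Settings object.
$dc         = Get-ADDomainController -Identity $dcName
$settingsDN = $dc.NTDSSettingsObjectDN
$IsGc       = 0x1

$settings = Get-ADObject -Identity $settingsDN -Properties options
$current  = if ($settings.options) { [int]$settings.options } else { 0 }
if (($current -band $IsGc) -eq 0) {
    Set-ADObject -Identity $settingsDN -Replace @{ options = ($current -bor $IsGc) }
}
# The built-in tool flips the same bit:  repadmin /options $dcName +IS_GC

# 3. Monitor. The DC advertises as a GC (registers its _gc SRV records) only after all
#    partial read-only partitions have replicated in, so the Advertising test reports
#    "not a GC" until then. Repeat until it passes.
dcdiag "/s:$dcName" /test:Advertising

# Inbound replication status, including the new read-only partitions as they arrive.
repadmin /showrepl $dcName

# Final confirmation from the directory itself.
(Get-ADDomainController -Identity $dcName).IsGlobalCatalog
```

When the designated server sits in a remote site, the first partial partitions arrive only when the site link schedule opens, so an Advertising test that keeps failing during a closed window is expected rather than a fault.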