Overview Of Active Directory Sites And Services Computer Science
The Active Directory Sites and Services snap-in is used to manage the site-specific objects that implement the inter-site replication topology. It also provides the Services container, which can be used to view service-related objects that are published in Active Directory Domain Services (AD DS).
There are two areas in Active Directory Sites and Services that provide detailed information: site management and service publication.
Site management
A site is a set of computers that are connected by a high-speed network, such as a local area network (LAN).
In AD DS, a site object represents the aspects of the physical site that can be managed, specifically the replication of directory data between domain controllers.
Following are the objects that we can manage in the Active Directory Sites and Services:
Sites
Subnets
Servers
NTDS Settings
Connections
Site links
IP and SMTP intersite transports
Sites
Every site contains an NTDS Site Settings object, which identifies the inter-site topology generator (ISTG). The ISTG is the domain controller in the site that generates connection objects to domain controllers in other sites. Advanced replication management tasks are also performed through this object.
Site objects are located in the Sites container and can be used to accomplish the following tasks:
Create new sites
Delegate control over sites by using Group Policy and permissions
Subnets
A subnet object identifies a range of IP addresses within a site. It can be used to accomplish the following tasks:
Create new subnets
Associate subnets with sites
Provide a location for a site that can be used by the printer location tracking feature in Group Policy
Servers
A server object represents a domain controller in the replication topology. It is created automatically when the Active Directory Domain Services server role is added. Server objects can be used to accomplish the following tasks:
Identify domain controllers to act as preferred bridgehead servers. Use this to control inter-site replication so that it occurs only between the domain controllers you specify.
Move servers between sites. Move a domain controller to a new site if you have created the new site and installed a domain controller whose IP address maps to that site.
NTDS Settings
The NTDS Settings object represents a domain controller in the replication system. It stores the connection objects that make replication possible between two or more domain controllers.
NTDS Settings objects can be used to accomplish the following tasks:
Generate the replication topology. The NTDS Settings object has a Check Replication Topology command that signals the ISTG to check all of the connections between domain controllers and to add or remove connections in the domain as needed.
Enable or disable the global catalog on a server. When the global catalog is enabled, the domain controller replicates the read-only directory partitions that make up the global catalog in the forest.
Connections
A connection object for a server contains information about the other server that sends replication to the first server. Connection objects store schedules that control replication within a site; by default, a domain controller polls its replication partner for new changes once every hour. For inter-site replication, you do not need to manage schedules on connection objects: they derive their schedule from the site link object and are created automatically by the replication system.
Connection objects can be used to accomplish the following tasks:
Identify replication partnerships of servers in the site
Force replication over a connection, when you do not want to wait for scheduled replication or want to test replication over a connection.
Site links
Site links represent the flow of replication between sites. You can configure site link properties to manage inter-site replication.
The following tasks can be accomplished with site link objects:
Add and remove sites.
Set the cost of replication. When there are multiple routes that replication could take to reach a destination site, the cost determines the likelihood that replication occurs over this site link.
Set the site link schedule. The schedule determines the hours and days during which replication is available over the site link.
Set the replication interval. The interval determines how often replication polling can occur over the site link while the schedule makes it available.
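To make the objects above concrete, here is an added PowerShell example (not part of the original essay) that inventories sites, subnets, servers, site links and connection objects with the ActiveDirectory module and flags the two gaps that most often go unnoticed: subnets not associated with any site, and sites with no domain controller. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the function name is my own.

```powershell
# Added example (not from the essay): inventory the Sites and Services objects described
# above and flag the gaps that most often cause wrong-site logons or stranded sites.
# Assumes the ActiveDirectory RSAT module on a domain-joined machine; Get-ADDomainController
# only lists domain controllers of the current domain.
Import-Module ActiveDirectory

function Get-SiteObjectSummary {
    $sites   = Get-ADReplicationSite -Filter *
    $subnets = Get-ADReplicationSubnet -Filter *
    $links   = Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded
    $dcs     = Get-ADDomainController -Filter *

    # Strip a DN down to its leaf name, e.g. "CN=HQ,CN=Sites,..." -> "HQ".
    $leaf = { param($dn) ($dn -split ',')[0] -replace '^CN=' }

    # A subnet that is not associated with a site sends its clients to an arbitrary site.
    foreach ($subnet in $subnets | Where-Object { -not $_.Site }) {
        Write-Warning ("Subnet {0} is not associated with any site" -f $subnet.Name)
    }
    # A site with no domain controller of this domain depends entirely on other sites.
    foreach ($site in $sites) {
        if (-not ($dcs | Where-Object { $_.Site -eq $site.Name })) {
            Write-Warning ("Site {0} has no domain controller for this domain" -f $site.Name)
        }
    }
    foreach ($link in $links) {
        $members = ($link.SitesIncluded | ForEach-Object { & $leaf $_ }) -join ', '
        "Site link {0}: cost={1} interval={2} min sites=[{3}]" -f $link.Name, $link.Cost,
            $link.ReplicationFrequencyInMinutes, $members
    }
    # Connection objects: fromServer -> this server, and whether the KCC/ISTG generated them.
    Get-ADReplicationConnection -Filter * | ForEach-Object {
        "Connection {0}: {1} -> {2} (auto={3})" -f $_.Name,
            (& $leaf (($_.ReplicateFromDirectoryServer -split ',', 2)[1])),
            (& $leaf (($_.ReplicateToDirectoryServer -split ',', 2)[1])),
            $_.AutoGenerated
    }
}

Get-SiteObjectSummary
```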
Service publication
Some services publish information automatically when they are installed, for example Certificate Services, Message Queuing, and Exchange Server.
Active Directory Sites and Services exposes published service-related objects in the Services node. By default, this node is not visible. To view it, open Active Directory Sites and Services and, on the View menu, click Show Services Node.
The objects published in the Services node are used by the administrators of the respective applications; therefore, these objects are documented with the service or application that publishes them.
3.2 Changing site link properties: Active Directory
To control which sites replicate directly with each other, you can use the cost, schedule, and interval properties of the site link object in Active Directory Domain Services (AD DS).
These settings control inter-site replication, as follows:
Schedule: The time during which replication can occur. The default setting allows replication at all times.
Interval: The number of minutes between replication polling by intersite replication partners within the open schedule window. The default setting is every 180 minutes.
Cost: The relative priority of the link. The default setting is 100. Lower relative cost increases the priority of the link over other, higher-cost links.
Below are the procedures for configuring the site link schedule, interval, and cost.
Configure the Site Link Schedule to Identify Times During Which Intersite Replication Can Occur
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console tree, expand Sites and Inter-Site Transports, and then click IP.
In the details pane, right-click the site link object that you want to configure, and then click Properties.
In the SiteLinkName Properties dialog box, click Change Schedule.
In the Schedule for SiteLinkName dialog box, select the block of days and hours during which you want replication to occur or not occur (that is, be available or not available), and then click the appropriate option.
Click OK twice.
Configure the Site Link Interval to Identify How Often Replication Polling Can Occur During the Schedule Window
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console tree, expand Sites and Inter-Site Transports, and then click IP.
In the details pane, right-click the site link object that you want to configure, and then click Properties.
In Replicate every _____ minutes, specify the number of minutes for the intervals at which replication polling occurs during an open schedule, and then click OK.
Configure the Site Link Cost to Establish a Priority for Replication Routing
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console tree, expand Sites and Inter-Site Transports, and then click IP.
In the details pane, right-click the site link object that you want to configure, and then click Properties.
In Cost, specify the number for the comparative cost of using the site link, and then click OK.
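The same three settings can be applied from PowerShell. The following is an added example (not the essay's own procedure) that builds a replication schedule, sets the interval and cost on one site link with Set-ADReplicationSiteLink, and reads the result back; the link name "HQ-Branch", the chosen window and the values 30 minutes and cost 50 are assumptions, and the function name is my own.

```powershell
# Added example (not from the essay): apply the three site link controls described above
# (schedule, interval, cost) from PowerShell rather than the Properties dialog.
# The site link name "HQ-Branch" and the chosen values are assumed.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices   # provides ActiveDirectorySchedule

function Set-SiteLinkReplicationPolicy {
    param(
        [string]$LinkName = 'HQ-Branch',
        [int]$IntervalMinutes = 30,   # polling interval inside the open schedule window
        [int]$Cost = 50               # lower than the default 100 = preferred route
    )
    # Schedule: weekdays 18:00-06:00 only (two ranges, because the window crosses midnight),
    # weekends all day. Each schedule slot is a 15-minute block.
    $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $schedule.ResetSchedule()   # start from "never available", then open windows
    $H = [System.DirectoryServices.ActiveDirectory.HourOfDay]
    $M = [System.DirectoryServices.ActiveDirectory.MinuteOfHour]
    foreach ($day in 1..5) {    # Monday (1) .. Friday (5)
        $schedule.SetSchedule([DayOfWeek]$day, $H::Eighteen, $M::Zero, $H::TwentyThree, $M::FortyFive)
        $schedule.SetSchedule([DayOfWeek]$day, $H::Zero, $M::Zero, $H::Five, $M::FortyFive)
    }
    foreach ($day in 6, 0) {    # Saturday (6), Sunday (0)
        $schedule.SetSchedule([DayOfWeek]$day, $H::Zero, $M::Zero, $H::TwentyThree, $M::FortyFive)
    }

    Set-ADReplicationSiteLink -Identity $LinkName -ReplicationSchedule $schedule `
        -ReplicationFrequencyInMinutes $IntervalMinutes -Cost $Cost

    # Read back and show the result; RawSchedule is indexed [day, hour, quarter-hour].
    $link = Get-ADReplicationSiteLink -Identity $LinkName `
        -Properties Cost, ReplicationFrequencyInMinutes, ReplicationSchedule
    "{0}: cost={1} interval={2} min" -f $link.Name, $link.Cost, $link.ReplicationFrequencyInMinutes
    "Monday 09:00 open: {0}; Monday 18:00 open: {1}" -f $link.ReplicationSchedule.RawSchedule[1, 9, 0],
        $link.ReplicationSchedule.RawSchedule[1, 18, 0]
}

Set-SiteLinkReplicationPolicy
```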
3.4 Creating a Site Link Bridge Design
A site link bridge connects two or more site links and enables transitivity between them. Each site link in a bridge must have a site in common with another site link in the bridge.
By default, all site links are transitive, and you should keep transitivity enabled by leaving Bridge all site links at its default value. However, you need to disable Bridge all site links and complete a site link bridge design if:
The IP network is not fully routed. In this case, create and configure site link bridge objects that model the actual routing behavior of the network.
You need to control the flow of replication of changes made in Active Directory Domain Services (AD DS). When Bridge all site links is disabled, each site link bridge becomes the equivalent of a disjoint network: site links within a bridge route transitively, but they do not route outside the bridge.
Controlling AD DS replication flow
There are two scenarios that require a site link bridge design to control replication flow:
Controlling replication failover
If an organization has a hub-and-spoke network topology and does not want satellite sites to create replication connections to other satellite sites when all domain controllers in the hub site fail, it must disable Bridge all site links and create site link bridges so that replication connections are created between the satellite site and another hub site that is only one or two hops away.
Controlling replication through a firewall
If two domain controllers that represent the same domain in two different sites are specifically allowed to communicate with each other only through a firewall, you can disable Bridge all site links and create site link bridges for the sites on the same side of the firewall.
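An added example (not part of the essay) of the failover design just described: it turns off Bridge all site links on the IP transport, creates one bridge per satellite containing only that satellite's hub link and the hub-to-hub link, and then checks the rule that every link in a bridge must share a site with another link in it. The site link names HubA-HubB, HubA-Sat1 and HubB-Sat2, the bridge names and the function names are assumptions.

```powershell
# Added example (not from the essay): implement the hub-and-spoke failover design above.
# Site link names HubA-HubB, HubA-Sat1 and HubB-Sat2 are assumed.
Import-Module ActiveDirectory

function Set-ExplicitSiteLinkBridging {
    $config = (Get-ADRootDSE).configurationNamingContext
    $ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$config"
    # The Bridge all site links check box maps to bit 0x2 (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED)
    # of the transport's options attribute: bit set = automatic bridging is OFF.
    $BRIDGES_REQUIRED = 0x2
    $opts = [int](Get-ADObject -Identity $ipTransport -Properties options).options
    if (($opts -band $BRIDGES_REQUIRED) -eq 0) {
        Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor $BRIDGES_REQUIRED) }
        "Disabled Bridge all site links on the IP transport"
    }
    # Each satellite is bridged only with its own hub link and the hub-to-hub link, so if every
    # DC in HubA fails, Sat1 falls back to HubB (one hop) and never to another satellite.
    $design = @{
        'Sat1-Failover' = 'HubA-Sat1', 'HubA-HubB'
        'Sat2-Failover' = 'HubB-Sat2', 'HubA-HubB'
    }
    foreach ($name in $design.Keys) {
        if (-not (Get-ADReplicationSiteLinkBridge -Filter { Name -eq $name })) {
            New-ADReplicationSiteLinkBridge -Name $name -SiteLinksIncluded $design[$name]
        }
    }
}

function Test-SiteLinkBridgeDesign {
    # Transitivity only works when every link in a bridge shares a site with another link in it.
    foreach ($bridge in Get-ADReplicationSiteLinkBridge -Filter * -Properties SiteLinksIncluded) {
        $sitesOf = @{}
        foreach ($dn in $bridge.SiteLinksIncluded) {
            $sitesOf[$dn] = @((Get-ADReplicationSiteLink -Identity $dn -Properties SitesIncluded).SitesIncluded)
        }
        foreach ($dn in @($sitesOf.Keys)) {
            $others = @($sitesOf.Keys | Where-Object { $_ -ne $dn })
            $shared = $others | Where-Object { Compare-Object $sitesOf[$dn] $sitesOf[$_] -IncludeEqual -ExcludeDifferent }
            if ($others.Count -gt 0 -and -not $shared) {
                Write-Warning ("Bridge {0}: link {1} shares no site with the other links" -f $bridge.Name, ($dn -split ',')[0])
            }
        }
    }
}

Set-ExplicitSiteLinkBridging
Test-SiteLinkBridgeDesign
```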
Topic 4: Configure the global catalog
4.1 Enabling Universal Group Membership Caching in a Site
In a multi-domain forest, when a user logs on to a domain, a global catalog server must be contacted to determine the universal group memberships of the user. A universal group can contain users from other domains, and it can be applied to access control lists (ACLs) on objects in all domains in the forest. Therefore, universal group memberships must be ascertained at domain logon so that the user has appropriate access in the domain and in other domains during the logon session. Only global catalog servers store the memberships of all universal groups in the forest.
To enable Universal Group Membership Caching in a site
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console tree, expand Sites, and then click the site in which you want to enable Universal Group Membership Caching.
In the details pane, right-click the NTDS Site Settings object, and then click Properties.
Under Universal Group Membership Caching, select Enable Universal Group Membership Caching.
In the Refresh cache from list, click the site that you want the domain controller to contact when the Universal Group membership cache must be updated, and then click OK.
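The same change from PowerShell, as an added example that is not part of the essay: it enables caching on a satellite site with Set-ADReplicationSite, points the refresh at a hub site that actually has a global catalog server, and then reads back the attributes on the NTDS Site Settings object that the GUI steps above set. The site names "Branch01" and "HQ" and the function name are assumptions.

```powershell
# Added example (not from the essay): enable Universal Group Membership Caching on a
# satellite site with no global catalog server and point the refresh at the hub site.
# Site names "Branch01" (satellite) and "HQ" (hub) are assumed.
Import-Module ActiveDirectory

function Enable-SiteGroupCaching {
    param([string]$Site = 'Branch01', [string]$RefreshSite = 'HQ')
    $dcs = Get-ADDomainController -Filter *     # current domain only
    # Caching makes sense only where no GC is reachable; the refresh site must have one.
    if ($dcs | Where-Object { $_.Site -eq $Site -and $_.IsGlobalCatalog }) {
        Write-Warning "$Site already has a global catalog server; caching is not needed there"
    }
    if (-not ($dcs | Where-Object { $_.Site -eq $RefreshSite -and $_.IsGlobalCatalog })) {
        throw "$RefreshSite has no global catalog server to refresh the cache from"
    }
    Set-ADReplicationSite -Identity $Site -UniversalGroupCachingEnabled $true `
        -UniversalGroupCachingRefreshSite $RefreshSite

    # Under the hood: bit 0x20 of options on the site's NTDS Site Settings object, plus
    # msDS-Preferred-GC-Site pointing at the "Refresh cache from" site.
    $config = (Get-ADRootDSE).configurationNamingContext
    $settings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=$Site,CN=Sites,$config" `
        -Properties options, 'msDS-Preferred-GC-Site'
    [pscustomobject]@{
        Site        = $Site
        Enabled     = (([int]$settings.options) -band 0x20) -ne 0
        RefreshFrom = (($settings.'msDS-Preferred-GC-Site') -split ',')[0] -replace '^CN='
    }
}

Enable-SiteGroupCaching
```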
4.2 Understanding the Global Catalog
The global catalog is the set of all objects in an Active Directory Domain Services (AD DS) forest. A global catalog server is a domain controller that stores a full copy of all objects in the directory for its host domain and a partial, read-only copy of all objects for all other domains in the forest.
Attributes that replicate to the global catalog
The read-only copies of objects that make up the global catalog are described as "partial" because they include only a limited set of attributes: the attributes that are required by the schema plus the attributes that are most commonly used in user search operations. These attributes are marked for inclusion in the partial attribute set (PAS) as part of their schema definitions.
Because the most commonly searched attributes of all domain objects are stored in the global catalog, searches are more efficient and the network is not burdened with unnecessary referrals to domain controllers. Because only this limited set of attributes is stored, a global catalog server does not require large amounts of storage.
Global catalog functionality
The global catalog for a new forest is created automatically on the first domain controller in the forest. You can add global catalog functionality to additional domain controllers or remove it from a domain controller. The global catalog provides the following functions:
Finds objects. Enables user searches for directory information throughout all domains in a forest.
Supplies user principal name authentication. Resolves a user principal name (UPN) when the authenticating domain controller has no knowledge of the user account.
Validates object references within a forest. Validates references to objects in other domains in the forest when a domain controller holds a directory object with an attribute that contains a reference to an object in another domain.
Supplies universal group membership information in a multiple-domain environment. A domain controller can discover domain local group and global group memberships for any user in its domain, but the membership of these groups is not replicated to the global catalog.
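To see what "partial, read-only copy" means in practice, here is an added example (not from the essay) that lists the partial attribute set from the schema and compares what a domain controller returns for one user over LDAP with what a global catalog returns for the same user over port 3268. The account name "jdoe" and the function names are assumptions, and the user is assumed to be in the same domain as the global catalog that is discovered.

```powershell
# Added example (not from the essay): list the partial attribute set (PAS) and compare a
# domain controller's view of a user (port 389) with a global catalog's view (port 3268).
# The account name "jdoe" is assumed and must be in the same domain as the GC found.
Import-Module ActiveDirectory

function Get-PartialAttributeSet {
    # Schema attributes flagged for the global catalog carry isMemberOfPartialAttributeSet=TRUE.
    $schema = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schema -LDAPFilter '(isMemberOfPartialAttributeSet=TRUE)' `
        -Properties lDAPDisplayName | ForEach-Object { $_.lDAPDisplayName } | Sort-Object
}

function Compare-DomainAndGcView {
    param([string]$SamAccountName = 'jdoe')
    # Locate any GC in the forest; ":3268" makes the cmdlet query the global catalog port.
    $gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName[0]
    $fromDc = Get-ADUser -Identity $SamAccountName -Properties *
    $fromGc = Get-ADUser -Identity $SamAccountName -Server "${gc}:3268" -Properties *
    # -Properties * returns only populated attributes, so the difference is (approximately)
    # the populated attributes that are not in the PAS and therefore never reach the GC.
    $pas = Get-PartialAttributeSet
    [pscustomobject]@{
        GlobalCatalog = $gc
        PasSize       = $pas.Count
        AttrsFromDc   = $fromDc.PropertyNames.Count
        AttrsFromGc   = $fromGc.PropertyNames.Count
        DcOnlyAttrs   = @($fromDc.PropertyNames | Where-Object { $fromGc.PropertyNames -notcontains $_ })
    }
}

Compare-DomainAndGcView | Format-List
```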
4.3 Introduction to Administering the Global Catalog: Active Directory
Designate global catalog servers in sites to accommodate forest-wide directory searching and to facilitate domain client logons when universal groups are available. When universal groups are available in a domain, a domain controller must be able to locate a global catalog server to process a logon request.
Initial global catalog replication
Adding subsequent global catalog servers within the same site requires only intra-site replication and does not affect network performance. Replication of the global catalog potentially affects network performance only when you add the first global catalog server in the site. The impact of this replication varies, depending on the following conditions:
The speed and reliability of the WAN link or links to the site
The size of the forest
Global catalog readiness
A global catalog server is available to directory clients when Domain Name System (DNS) servers can locate it as a global catalog server. Several conditions must be met before the global catalog server is locatable by clients. These conditions are divided into seven levels (numbered 0 to 6) of readiness, called occupancy levels. At each level, a specific degree of synchronization must be achieved before occupancy moves to the next level.
Global catalog removal
When you remove the global catalog from a domain controller, the domain controller immediately stops advertising in DNS as a global catalog server. The Knowledge Consistency Checker (KCC) gradually removes the read-only replicas from the domain controller. On domain controllers running Windows Server 2008 or Windows Server 2003, the partial, read-only global catalog directory partitions are removed in the background, and they receive a low priority so that high-priority services are not interrupted.
4.4 Configuring a Global Catalog Server: Active Directory
When conditions in a site warrant adding a global catalog server, you can configure a domain controller to be a global catalog server. Selecting the global catalog setting on the NTDS Settings object prompts the Knowledge Consistency Checker (KCC) to update the topology. After the topology is updated, read-only, partial, domain directory partitions are replicated to the designated domain controller.
Below are the procedures to configure a global catalog server.
Determine Whether a Domain Controller Is a Global Catalog Server
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. If the User Account Control dialog box appears, provide credentials if required, and then click Continue.
In the console tree, expand the Sites container, expand the site of the domain controller that you want to check, expand the Servers container, and then expand the Server object.
Right-click the NTDS Settings object, and then click Properties.
On the General tab, if the Global Catalog box is selected, the domain controller is designated as a global catalog server.
Designate a Domain Controller to Be a Global Catalog Server
Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
In the console tree, expand the Sites container, and then expand the site in which you are designating a global catalog server.
Expand the Servers container, and then expand the Server object for the domain controller that you want to designate as a global catalog server.
Right-click the NTDS Settings object for the target server, and then click Properties.
Select the Global Catalog check box, and then click OK.
Monitor Global Catalog Replication Progress
Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
At the command prompt, type the following command, and then press ENTER:
dcdiag /s:
Repeat this command periodically to monitor progress. If the test shows no output, replication has completed.
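The three procedures above (check, designate, monitor) as one added PowerShell example that is not part of the essay: it sets the same option bit on the NTDS Settings object that the Global Catalog check box sets, then polls the readiness signals described in 4.3 (the rootDSE isGlobalCatalogReady attribute and the _gc SRV record in DNS) before running dcdiag's Advertising test. The server name "DC2", the 60-minute timeout and the function names are assumptions.

```powershell
# Added example (not from the essay): designate a domain controller as a global catalog
# server and poll until clients can actually locate it. The server name "DC2" is assumed.
Import-Module ActiveDirectory

function Enable-GlobalCatalog {
    param([string]$DcName = 'DC2')
    $IS_GC = 0x1    # NTDSDSA_OPT_IS_GC in the NTDS Settings object's options attribute
    $dc   = Get-ADDomainController -Identity $DcName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]$ntds.options
    if (($opts -band $IS_GC) -eq 0) {
        # Read-modify-write so any other option bits already on this DC are preserved.
        Set-ADObject -Identity $dc.NTDSSettingsObjectDN -Replace @{ options = ($opts -bor $IS_GC) }
        "Global catalog requested on $DcName; the KCC will replicate in the read-only partitions"
    } else {
        "$DcName is already designated as a global catalog server"
    }
}

function Wait-GlobalCatalogReady {
    param([string]$DcName = 'DC2', [int]$TimeoutMinutes = 60)
    $forest = (Get-ADForest).RootDomain
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # TRUE only after the partial partitions have fully replicated in ...
        $ready = (Get-ADRootDSE -Server $DcName).isGlobalCatalogReady -eq 'TRUE'
        # ... and only then does the DC register itself under _gc._tcp.<forest>.
        $srv = Resolve-DnsName -Name "_gc._tcp.$forest" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.NameTarget -like "$DcName.*" }
        "{0:HH:mm:ss} isGlobalCatalogReady={1} gcSrvRecord={2}" -f (Get-Date), $ready, [bool]$srv
        if (-not $ready) { Start-Sleep -Seconds 60 }
    } until ($ready -or (Get-Date) -gt $deadline)
    # Final confirmation from the same tool the procedure above uses.
    dcdiag "/s:$DcName" /test:Advertising
    return $ready
}

Enable-GlobalCatalog
Wait-GlobalCatalogReady
```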