Why Active Directory Sites Are Needed
Nowadays, most companies do business from multiple office locations, which might be spread across a single metropolitan area or encompass an entire state, country, or even multiple international locations. Active Directory includes the concept of sites, which are groupings of computers and other objects that are connected by a high-speed local area network (LAN) connection.
An individual site includes computers that are on one or more Internet Protocol (IP) subnets. It can encompass one building or several adjacent buildings in a campus setting. The image below shows an example with two sites, one located in Los Angeles and the other in Dallas. Sites are connected with each other by slower wide area network (WAN) connections that might not always be available, and each site is always configured with its own IP subnets. It is important to configure diverse locations connected by WAN links as separate sites to optimize the use of the WAN link, especially if your company pays for the link according to the length of time it is active or the amount of data sent across it.
The following are several benefits that you achieve by creating sites:
■ Configurable replication: You can configure replication between sites to take place at specified intervals and only during specified times of the day. Doing so enables you to optimize bandwidth usage so that other network traffic between sites can proceed without delay.
■ Isolation of poorly connected network segments: You can place network segments connected by less reliable connections such as dial-up links in their own site and bridge these sites according to network connectivity.
■ Site-based policies: If certain locations such as branch offices need policies that should not be applied elsewhere on the network, you can configure site-based Group Policy to apply these policies.
The following are several factors you should take into account when planning the site structure of your organization:
■ Physical environment: You should assess the geographic locations of your company’s business operations, together with the nature of their internal and external links. It might be possible to include multiple locations (for example, on a campus) in a single site if they are connected by reliable high-speed links (such as a T3 line).
■ Data replication versus available bandwidth: A location that needs the most up-to-date Active Directory information and is connected with a high-speed link can be on the same site as the head office location. When properly configured, the network’s site structure should optimize the process of Active Directory Domain Services (AD DS) replication.
■ Types of physical links between sites: You should assess the type, speed, availability, and utilization of each physical link. AD DS includes site link objects that you can use to determine the replication schedule between sites that it links. A cost value can also be associated with it; this value determines when and how often replication can occur.
■ Site links and site link bridges: Active Directory provides for site links and site link bridges so that you can group sites together for optimized intersite replication.
These concepts are discussed later in this article.
How to configure sites and subnets
Active Directory provides the Active Directory Sites and Services snap-in, which enables you to perform all configuration activities pertinent to sites. When you first open this snap-in, you will notice folders named Subnets and Inter-Site Transports as well as a site named Default-First-Site-Name. By default, the new domain controller is placed in this site when you first install Active Directory. You can rename this site to whatever you want, just as you can rename a file or folder.
This section shows you how to create sites, add domain controllers to sites, and associate IP subnets with specific sites.
You can create additional sites by using the Active Directory Sites and Services snap-in, as described by the following procedure:
Step 1. Click Start > Administrative Tools > Active Directory Sites and Services.
Step 2. Right-click Sites and choose New Site.
Step 3. In the New Object – Site dialog box shown in the next screenshot, type the name of the site. Select a site link object from the list provided and then click OK.
Step 4. Windows informs you that the site has been created and reminds you of several other tasks that you should perform, as shown in the next image. Click OK.
After you have created the new site, it appears in the console tree of Active Directory Sites and Services. The new site includes a default Servers folder that holds all domain controllers assigned to the site, as well as an NTDS Site Settings container that is described in a later section.
Adding Domain Controllers
The first task you should undertake is to add one or more domain controllers to your new site. To do this, proceed as follows:
Step 1. Open Active Directory Sites and Services and expand the site that currently holds the domain controller that you want to move to the new site.
Step 2. Select the Servers folder to display the domain controllers currently located in this site in the details pane.
Step 3. Right-click the server you want to move and choose Move.
Step 4. In the Move Server dialog box shown in the image below, select the site to which you want to move the server and then click OK.
Creating and Using Subnets
Recall that the purpose of using sites is to control Active Directory replication across slow links between different physical locations. By default, Active Directory does not know anything about the physical topology of its network. You must configure Active Directory according to this topology by specifying the IP subnets that belong to each site you have created. Use the following procedure to assign subnets to each site:
Step 1. In the console tree of Active Directory Sites and Services, right-click the Subnets folder and choose New Subnet.
Step 2. In the New Object – Subnet dialog box shown in the next image, enter the IPv4 or IPv6 subnet address prefix being configured.
Step 3. Select the site for this network prefix from the sites listed and then click OK. The subnet you have added appears in the console tree under the Subnets folder.
You can view and edit a limited number of properties for each subnet in Active Directory Sites and Services. Right-click the subnet and choose Properties. The various tabs of the Properties dialog box shown in the next image enable you to do the following:
■ General: Provide a description of the site. You can also change the site to which the subnet is assigned. The description is for information purposes and helps you document the purpose of the site for others who might be administering the site later.
■ Location: Provide a description of the location of the site. This is also for information purposes.
■ Object: View the site’s Active Directory canonical name (CN) and its update sequence number (USN), and protect it from accidental deletion.
■ Security: Modify security permissions assigned to the object.
■ Attribute Editor: View and edit attributes set by Active Directory for the site.
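The same site, domain controller and subnet configuration can be scripted with the ActiveDirectory PowerShell module. The following is an added example, not part of the original article; the site names (LosAngeles, Dallas), the domain controller name DALLAS-DC1, the site link name and cost, and the subnet prefixes are assumed sample values. It goes one step beyond the procedure above by finishing with a check for domain controllers whose site owns no subnet, a gap that silently sends clients to the wrong site.

```powershell
# Added example (not from the article): build the two-site topology the
# article describes with the ActiveDirectory module.
# Site names, DC name, site link and subnet prefixes are assumed sample values.
Import-Module ActiveDirectory

# Rename the default site so the head-office site has a meaningful name.
Rename-ADObject -Identity (Get-ADReplicationSite -Identity 'Default-First-Site-Name') -NewName 'LosAngeles'

# Create the branch site and a site link that joins both sites over the IP
# transport. Cost and interval (180 minutes is the default) are assumed values.
New-ADReplicationSite -Name 'Dallas'
New-ADReplicationSiteLink -Name 'LosAngeles-Dallas' `
    -SitesIncluded 'LosAngeles', 'Dallas' `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 180 `
    -InterSiteTransportProtocol IP

# Move the branch domain controller (assumed name) into its site.
Move-ADDirectoryServer -Identity 'DALLAS-DC1' -Site 'Dallas'

# Associate each IP subnet with its site; prefixes are constructed sample values.
New-ADReplicationSubnet -Name '10.1.0.0/16' -Site 'LosAngeles' -Location 'Los Angeles, CA'
New-ADReplicationSubnet -Name '10.2.0.0/16' -Site 'Dallas'     -Location 'Dallas, TX'

# Check: every domain controller should belong to a site that owns at least
# one subnet. The Site attribute of a subnet is a DN such as
# "CN=Dallas,CN=Sites,CN=Configuration,...", so take its first RDN.
$subnetsBySite = Get-ADReplicationSubnet -Filter * |
    Group-Object -Property { ($_.Site -split ',')[0] -replace '^CN=', '' }

foreach ($dc in Get-ADDomainController -Filter *) {
    $group = $subnetsBySite | Where-Object { $_.Name -eq $dc.Site }
    if (-not $group) {
        Write-Warning "$($dc.HostName) is in site '$($dc.Site)', which has no subnet assigned"
    }
}
```

Run the script from an elevated PowerShell session as a member of Enterprise Admins, because site, site link and subnet objects live in the configuration partition. The final loop is the check worth keeping as a scheduled job: a site without subnets means clients in that location are not mapped to it and will authenticate against domain controllers across the WAN link the site was created to protect.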
Configuring Active Directory Replication
You have learned that all domain controllers act as peers and that most changes to AD DS can be made at any domain controller. AD DS uses the process of multimaster replication to propagate these changes to other domain controllers in the domain. In addition, the global catalog is replicated to other global catalog servers in the forest. Application directory partitions are replicated to a subset of domain controllers in the forest, and the schema and configuration partitions are also replicated to all domain controllers in the forest. You can see that replication is an important process that must take place in a timely manner so that updates to AD DS are synchronized properly among all domain controllers in the forest. The amount of replication necessary to maintain AD DS could easily overwhelm network bandwidth, especially on slow-speed WAN links.
Concepts of Active Directory Replication
In general, the process of replication refers to the copying of data from one server to another. This can include both the AD DS database and other data such as files and folders. In particular, Active Directory replicates the following components or partitions of the database to other domain controllers:
■ Domain partition: Contains all domain-specific information such as user, computer, and group accounts. This partition is replicated to all domain controllers in its domain but is not replicated to other domains in the forest.
■ Configuration partition: Contains forestwide configuration information. This partition is replicated to all domain controllers in the forest.
■ Schema partition: Contains all schema objects and attributes. This partition is replicated from the schema master to all other domain controllers in the forest.
■ Application directory partitions: These partitions contain application-specific (such as DNS) information that is replicated to specific domain controllers in the forest.
■ Global catalog: As introduced in Chapter 1, the global catalog contains partial information on all objects in each domain that is replicated to all global catalog servers in the forest.
Active Directory replicates all data in these partitions to the specified domain controllers in the domain so that every domain controller has an up-to-date copy of this information. By default, any domain controller can replicate data to any other domain controller; this process is known as multi-master replication. A read-only domain controller (RODC) can receive updated information from another domain controller (inbound replication), but it cannot replicate any information to other servers. If your domain is spread across more than one site, a single domain controller in each site known as a bridgehead server replicates information to bridgehead servers in other sites; other domain controllers in each site replicate information to domain controllers in their own site only.
An RODC can receive updates to the schema, configuration, and application directory partitions and the global catalog from any Windows Server 2003 or 2008 domain controller in its domain; however, it can receive updates to the domain partition from domain controllers running Windows Server 2008 only.
Intersite and Intrasite Replication
Most of the discussion in this chapter centers around the topic of intersite replication because this is the type of replication that you will need to configure and troubleshoot.
However, you should keep in mind that replication also occurs between domain controllers on the same site, in other words, intrasite replication. The KCC automatically configures intrasite replication so that each domain controller replicates with at least two others. In this way, should one replication partner become temporarily unavailable, no domain controller will miss an update. The KCC uses a default bidirectional ring topology, with additional connections as required to limit the number of hops between replication partners to three or fewer.
Intrasite replication is totally automatic and requires no additional configuration after you have established your site topology. It is possible to modify intrasite replication if required, for example by configuring the replication intervals of individual connection objects.
An RODC supports inbound replication of Active Directory, including the SYSVOL folder, only. This type of replication is referred to as one-way replication. It is what makes an RODC suitable for a location such as a branch office where physical security can become an issue. In one-way replication, changes to the AD DS database are replicated to the RODC but outbound replication does not occur; consequently, any changes to the database configured at the RODC are not saved in the database. Note that you can prevent certain attributes from replicating to the RODC.
It is also possible to configure one-way replication connections between other domain controllers. However, this is not recommended because several problems can occur, such as health check topology errors, staging issues, and problems with the DFS replication database. Microsoft recommends that administrators make changes only at servers designated as primary servers. You can also configure share permissions on the destination servers so that normal users have only Read permissions. Then it is not possible to replicate changes backward from the destination servers and you have, in effect, a one-way replication scheme.
A bridgehead server is the domain controller designated by each site’s KCC to take control of intersite replication. The bridgehead server receives information replicated from other sites and replicates it to its site’s other domain controllers. It ensures that the greatest portion of replication occurs within sites rather than between them. In most cases, the KCC automatically decides which domain controller acts as the bridgehead server. However, you can use Active Directory Sites and Services to specify which domain controller will be the preferred bridgehead server by using the following steps:
Step 1. In Active Directory Sites and Services, expand the site in which you want to specify the preferred bridgehead server.
Step 2. Expand the Servers folder to locate the desired server, right-click it, and then choose Properties.
Step 3. From the list labeled Transports available for inter-site data transfer, select the protocol(s) for which you want to designate this server as a preferred bridgehead server and then click Add.
As shown for the IP transport protocol in the next image, the protocol you have configured appears in the list on the bottom-right of the dialog box.
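The preferred bridgehead designation made in the dialog box above is stored in the bridgeheadTransportList attribute of the server object in the configuration partition, so it can also be set and audited from PowerShell. This is an added example, not code from the article; the server name DALLAS-DC1 is assumed.

```powershell
# Added example (not from the article): designate a preferred bridgehead
# server for the IP transport and list every preferred bridgehead per site.
# DALLAS-DC1 is an assumed server name.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# Server objects live under CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
$server = Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -Filter "objectClass -eq 'server' -and name -eq 'DALLAS-DC1'"

# Adding the transport DN to bridgeheadTransportList is what the
# "Transports available for inter-site data transfer" list does in the GUI.
Set-ADObject -Identity $server -Add @{ bridgeheadTransportList = $ipTransport }

# Audit: which servers in each site are preferred bridgeheads, and for which
# transports. The site name is the third RDN of the server DN.
Get-ADObject -SearchBase "CN=Sites,$configNC" -Filter "objectClass -eq 'server'" `
    -Properties bridgeheadTransportList |
    Where-Object { $_.bridgeheadTransportList } |
    Select-Object Name,
        @{ n = 'Site';       e = { ($_.DistinguishedName -split ',')[2] -replace '^CN=', '' } },
        @{ n = 'Transports'; e = { ($_.bridgeheadTransportList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join ',' } }
```

The audit query is the part to run regularly. Once a site has preferred bridgeheads, the ISTG selects only from that list; if every preferred bridgehead in a site is offline, intersite replication to that site stops rather than falling back to another domain controller, so each site should either list several preferred bridgeheads or none at all.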
The IP and SMTP replication protocols used by Active Directory to replicate the AD DS database between sites were introduced earlier in this article.
If you use SMTP replication, the data is replicated according to times you have configured for transmitting email messages. You must install and configure an enterprise certification authority (CA) and SMTP on all domain controllers that use the SMTP site link for data replication. The CA signs the SMTP messages exchanged between domain controllers, verifying the authenticity of AD DS updates. SMTP replication utilizes 56-bit encryption.
Ports Used for Intersite Replication
The default ports used by ISTG for RPC-based intersite replication are the TCP and UDP ports 135. LDAP over Secure Sockets Layer (SSL) employs TCP and UDP ports 636, Kerberos employs TCP and UDP port 88, Server Message Block (SMB) over IP uses TCP and UDP ports 445, and DNS uses TCP and UDP ports 53. Global catalog servers also utilize TCP ports 3268 and 3269. You can modify the default ports for RPC-based replication by editing the following Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Add a REG_DWORD value named TCP/IP Port and specify the desired port number. In addition, edit the following Registry key:
Add a REG_DWORD value named RPC TCP/IP Port Assignment and specify the same port number. Configure these changes at every domain controller, and make sure that you have configured all firewalls to pass traffic on the chosen port.
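The NTDS registry change and the matching firewall rule can be applied consistently on each domain controller with the script below. This is an added example, not part of the article; port 50000 is an assumed sample value, and because the second Registry key the article refers to is not reproduced on this page, the example configures only the NTDS\Parameters value and does not attempt to set the second one.

```powershell
# Added example (not from the article): pin the RPC replication port on this
# domain controller and open it in the Windows Firewall. Port 50000 is an
# assumed sample value; run the script on every domain controller.
$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$port    = 50000

# REG_DWORD value named "TCP/IP Port", exactly as described in the article.
Set-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -Value $port -Type DWord

# Read the value back so a mistyped value name is caught immediately
# instead of surfacing later as replication failures.
$configured = (Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port').'TCP/IP Port'
if ($configured -ne $port) {
    throw "Expected 'TCP/IP Port' = $port under $ntdsKey, found '$configured'"
}

# Allow the chosen port inbound on the domain profile (NetSecurity module,
# Windows Server 2012 and later). Host firewalls between sites must allow it too.
New-NetFirewallRule -DisplayName "AD DS replication RPC $port" `
    -Direction Inbound -Protocol TCP -LocalPort $port `
    -Action Allow -Profile Domain
```

The value is read when the NTDS service starts, so the new port is used only after the domain controller has been restarted. Until every domain controller and every firewall in the path has been updated, replication partners that still use the dynamic RPC port range will fail to connect, so stage the change site by site and confirm each pair with repadmin before moving on.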
Active Directory permits you to schedule replication so that you can control the amount of bandwidth consumed. This is important because bandwidth affects the efficiency of replication. The frequency of replication is a trade-off between bandwidth consumption and maintaining the AD DS database in an up-to-date condition.
Although you will be mainly concerned with modifying the schedule of intersite replication, we also take a brief look at scheduling intrasite replication in this section.
Intersite Replication Scheduling
By default, intersite replication takes place every three hours (180 minutes) and occurs 24 hours a day, seven days a week. You can modify both the interval and frequency of replication, as described here.
To configure intersite replication scheduling, proceed as follows:
Step 1. In Active Directory Sites and Services, expand the Inter-Site Transports folder.
Step 2. Click the transport (normally IP) containing the site link whose schedule you want to modify. The details pane displays all site links and site link bridges you have configured.
Step 3. Right-click the appropriate site link and choose Properties to display the General tab of the properties dialog box for the site link.
Step 4. In the text box labeled Replicate every, type the number of minutes between replications and then click OK.
Active Directory processes the interval you enter as the nearest multiple of 15 minutes, up to a maximum of 10,080 minutes (one week).
If you need to specify that replication not take place during certain times of the day (such as business hours when other WAN traffic must be able to proceed without delay), you can restrict the times that replication takes place. To do so, use the following procedure:
Step 1. Access the Properties dialog box for the site link whose replication times you want to specify, as already described and shown in the image above.
Step 2. To limit the time intervals in which replication can take place, click Change Schedule.
Step 3. In the Schedule for (site link name) dialog box, select the time block for which you want to deny replication and then click OK.
Step 4. In the text box labeled Replicate every, use the up/down arrows to specify the desired replication interval or type the replication interval. Then click OK.
You might have to ignore the replication schedule so that replication can occur at any time of day or night. This is useful if you want to ensure that new changes are replicated in a timely manner. To do so, right-click the transport protocol in the console tree of Active Directory Sites and Services, and choose Properties. On the General tab of the protocol’s Properties dialog box, select the Ignore schedules check box and then click OK. Performing this procedure causes Active Directory to ignore availability schedules and replicate changes to AD DS at the configured interval. Site links are always available for replication. Clear the Ignore schedules check box to reenable the replication schedules.
Notice that this is the same dialog box from which you can choose whether to bridge all site links, as discussed earlier in this article.
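The interval, the availability schedule and the Ignore schedules setting from the procedures above can all be handled from PowerShell. The following is an added example, not code from the article; the site link name LosAngeles-Dallas and the 30-minute interval are assumed values. It builds the schedule from the raw 7 x 24 x 4 availability grid (day, hour, 15-minute slot) that the Schedule dialog box edits, denying replication on weekdays from 08:00 to 17:59, and then checks whether Ignore schedules is set on the IP transport, because that flag silently overrides any schedule you configure.

```powershell
# Added example (not from the article): set the interval and availability
# schedule of a site link, then warn if the transport ignores schedules.
# The site link name and the 30-minute interval are assumed values.
Import-Module ActiveDirectory
$linkName = 'LosAngeles-Dallas'

# Interval: AD rounds to the nearest multiple of 15, maximum 10,080 (one week).
Set-ADReplicationSiteLink -Identity $linkName -ReplicationFrequencyInMinutes 30

# Availability grid: [day 0-6 (0 = Sunday), hour 0-23, 15-minute slot 0-3].
# $true = replication allowed in that slot. Deny Monday-Friday 08:00-17:59.
$raw = New-Object 'bool[,,]' 7, 24, 4
for ($d = 0; $d -lt 7; $d++) {
    for ($h = 0; $h -lt 24; $h++) {
        for ($q = 0; $q -lt 4; $q++) {
            $weekday  = ($d -ge 1) -and ($d -le 5)
            $business = ($h -ge 8) -and ($h -lt 18)
            $raw[$d, $h, $q] = -not ($weekday -and $business)
        }
    }
}
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.RawSchedule = $raw
Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule

# Read back what was stored.
Get-ADReplicationSiteLink -Identity $linkName -Properties ReplicationFrequencyInMinutes, ReplicationSchedule |
    Select-Object Name, ReplicationFrequencyInMinutes, ReplicationSchedule

# Check: bit 0x1 of the "options" attribute on the IP transport object is the
# Ignore schedules flag from the transport's Properties dialog box.
$configNC = (Get-ADRootDSE).configurationNamingContext
$ip = Get-ADObject "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
if (($ip.options -band 0x1) -ne 0) {
    Write-Warning 'Ignore schedules is set on the IP transport; the site link schedule will not be honoured'
}
```

A schedule that denies business hours on a link with a 30-minute interval means a change made at 09:00 in Los Angeles reaches Dallas no earlier than 18:00, so security-sensitive changes such as account disables or password resets made during the day should be pushed with a forced replication rather than left to wait for the schedule.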
Intrasite Replication Scheduling
By default, intrasite replication takes place once per hour. You can change this schedule to twice or four times per hour according to specific time blocks and specific connection objects. To configure intrasite replication scheduling, proceed as follows:
Step 1. In Active Directory Sites and Services, expand the site in which the connection you want to schedule is located.
Step 2. Expand one of the servers included in the intrasite replication to reveal the NTDS Settings folder.
Step 3. Right-click this folder and choose Properties.
Step 4. On the General tab of the connection’s Properties dialog box, click Change schedule.
Step 5. On the Schedule for dialog box, select the desired time block and replication interval (once, twice, or four times per hour) and then click OK.
Forcing Intersite Replication
If you have performed necessary actions such as adding new users or groups for a branch office, you might want Active Directory replication to occur immediately.
In such a case, you can force replication from Active Directory Sites and Services by using the following procedure:
Step 1. In the console tree of Active Directory Sites and Services, expand the server to which you want to force replication.
Step 2. Select the NTDS Settings folder to display the connection objects in the details pane.
Step 3. Right-click the desired connection object and choose Replicate Now.
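The same forced replication, followed by a check that it actually succeeded, can be done from the command line, which matters when the change is an account disable or group removal that must reach a branch office quickly. This is an added example, not part of the article; DALLAS-DC1 is an assumed domain controller name.

```powershell
# Added example (not from the article): force replication for a domain
# controller across all sites, then confirm every partner is healthy.
# DALLAS-DC1 is an assumed domain controller name.
Import-Module ActiveDirectory
$dc = 'DALLAS-DC1'

# repadmin /syncall: /A all partitions, /d show partners by DN,
# /e include partners in other sites (enterprise), /P push this DC's changes
# outward instead of pulling.
repadmin /syncall $dc /AdeP

# Per-partner status: a non-zero LastReplicationResult or a growing
# ConsecutiveReplicationFailures means the forced sync did not get through.
Get-ADReplicationPartnerMetadata -Target $dc -Scope Server |
    Select-Object Partition,
        @{ n = 'Partner'; e = { ($_.Partner -split ',')[1] -replace '^CN=', '' } },
        LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Sort-Object LastReplicationResult -Descending

# Any outstanding failures the KCC has recorded for this DC.
$failures = Get-ADReplicationFailure -Target $dc
if ($failures) {
    $failures | Select-Object Partner, FailureType, FailureCount, FirstFailureTime, LastError
    Write-Warning "$dc has $(@($failures).Count) replication failure record(s)"
}
```

The Partner value returned by Get-ADReplicationPartnerMetadata is the DN of the partner's NTDS Settings object (CN=NTDS Settings,CN=<server>,...), which is why the second RDN is extracted for display. Treat a LastReplicationSuccess that is older than the site link interval as a finding in its own right: changes made on one side of that link, including revocations of access, are not yet in effect on the other.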