ADWeek08

Week 8 – Manage Sites and Replication
• Configure Sites and Subnets
• Configure the Global Catalog and Application Partitions
• Configure Replication

Understand Sites
• Loosely related to network “sites”
  - A highly connected portion of your enterprise
• Active Directory objects that support
  - Replication
    • Active Directory changes must be replicated to all DCs
    • Some DCs might be separated by slow, expensive links
    • Balance between replication “cost” & convergence
  - Service localization
    • DC (LDAP & Kerberos)
    • DFS
    • Active Directory–aware (site-aware) apps
    • Location property searching, for example, printer location

Plan Sites
• Active Directory sites may not map one-to-one with network sites
  - Two locations, well connected, may be one Active Directory site
  - A large enterprise on a highly connected campus (one “site”) may be broken into multiple Active Directory sites for service localization
• Criteria
  - Connection speed: a link slower than 512 kbps is considered slow
  - Service placement: if there are no DCs or Active Directory–aware services in a location, there is not much point in a site
  - User population: if the number of users warrants a DC, consider a site
  - Directory query traffic by users or applications
  - Desire to control replication traffic between DCs

Create Sites
• Active Directory Sites and Services
• Default-First-Site-Name
  - Should be renamed
• Create a site
  - Assign it to a site link
• Create a subnet
  - Assign it to a site
  - A site can have more than one subnet; a subnet can be associated with only one site

Manage Domain Controllers in Sites
• DCs should be in the correct site
  - The Servers container of a site shows only DCs, not all servers
• Add a DC to a site
  - The first DC will be in Default-First-Site-Name
  - Additional DCs will be added to sites based on their subnet address
  - DCPromo prompts you for the site
  - You can right-click the Servers container of a site and pre-create the server object before promoting the DC
• Move a DC to a new site: right-click the DC and choose Move
• Delete a DC: right-click the DC and choose Delete

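The steps on the “Create Sites” and “Manage Domain Controllers in Sites” slides, scripted with the ActiveDirectory PowerShell module. This is an added example, not code from the course deck; the site names HEADQUARTERS and BRANCHA, the subnets and the DC name BRANCHDC01 are assumptions.

```powershell
# Added example (not from the course deck): build the site topology from the
# slides with the ActiveDirectory module. Site, subnet and DC names are assumptions.
Import-Module ActiveDirectory

# 1. Rename Default-First-Site-Name instead of leaving the placeholder name.
if (Get-ADReplicationSite -Filter "Name -eq 'Default-First-Site-Name'") {
    $dn = (Get-ADReplicationSite -Identity 'Default-First-Site-Name').DistinguishedName
    Rename-ADObject -Identity $dn -NewName 'HEADQUARTERS'
}

# 2. Create the branch site and the site link that carries its replication
#    (a new site must belong to a site link before the ISTG will connect it).
New-ADReplicationSite -Name 'BRANCHA'
New-ADReplicationSiteLink -Name 'HQ-BRANCHA' `
    -SitesIncluded 'HEADQUARTERS', 'BRANCHA' -InterSiteTransportProtocol IP

# 3. Subnets: a site can own many subnets, but each subnet maps to exactly one
#    site. Missing or wrong subnets send clients to a DC in the wrong site.
$subnets = @{
    '10.0.0.0/16' = 'HEADQUARTERS'
    '10.1.0.0/24' = 'BRANCHA'
    '10.1.1.0/24' = 'BRANCHA'
}
foreach ($cidr in $subnets.Keys) {
    New-ADReplicationSubnet -Name $cidr -Site $subnets[$cidr]
}

# 4. Move a DC that was promoted into the wrong site. The Servers container of a
#    site lists DC server objects only, so this is the place to check, not the
#    domain's Computers container.
Move-ADDirectoryServer -Identity 'BRANCHDC01' -Site 'BRANCHA'

# 5. Verify: every DC should sit in the site whose subnets contain its address.
Get-ADDomainController -Filter * |
    Select-Object Name, IPv4Address, Site, IsGlobalCatalog, IsReadOnly |
    Sort-Object Site | Format-Table -AutoSize
```

The final listing is the check worth keeping in a runbook: a DC whose IPv4Address falls outside its site's subnets will still serve clients, but the clients it serves will be the wrong ones and its replication partners will be chosen as if it were in that site.
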
Domain Controller Location: SRV Records
• Domain controllers register service locator (SRV) records in DNS in the following locations
  - _tcp.contoso.com: all DCs in the domain
  - _tcp.siteName._sites.contoso.com: all DCs in site siteName
• Clients query DNS for domain controllers

Domain Controller Location: Client
1. New client queries for all DCs in the domain: retrieves SRVs from _tcp.domain
2. Attempts an LDAP bind to all of them
3. First DC to respond examines the client IP and the subnet definitions
4. Refers the client to a site; the client stores the site in the registry
5. Client queries for all DCs in the site: retrieves SRVs from _tcp.site._sites.domain
6. Attempts an LDAP bind to all of them
7. First DC to respond authenticates the client; the client forms an affinity with that DC
8. Subsequently
  - Client binds to its affinity DC
  - DC offline? Client queries for DCs in the registry-stored site
  - Client moved to another site? DC refers the client to another site

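The locator sequence on the two slides above, observed from a domain-joined Windows client. This is an added example rather than material from the deck; the domain name is an assumption, and the record names are the full locator names (_ldap._tcp.<domain> and _ldap._tcp.<site>._sites.<domain>), of which the slide shows the tail.

```powershell
# Added example (not from the course deck): follow the DC locator steps from a
# client. Domain name is an assumption.
$domain = 'contoso.com'

# Steps 1-2: the SRV set a new client pulls for "all DCs in the domain" and then
# tries to bind to. A DC listed here that no longer exists is a record cleanup problem.
Resolve-DnsName -Name "_ldap._tcp.$domain" -Type SRV |
    Select-Object NameTarget, Port, Priority, Weight

# Steps 3-4: the first DC to answer maps the client IP to a site via the subnet
# objects, and the client caches that site under Netlogon\Parameters. An empty or
# wrong DynamicSiteName usually means a missing subnet definition.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$site = (Get-ItemProperty -Path $netlogon -Name DynamicSiteName -ErrorAction SilentlyContinue).DynamicSiteName
if (-not $site) {
    # Ask a DC directly; the first output line of nltest /dsgetsite is the site name.
    $site = (nltest /dsgetsite)[0].Trim()
}
"Client site: $site"

# Steps 5-6: the site-scoped SRV records the client binds to from now on.
Resolve-DnsName -Name "_ldap._tcp.$site._sites.$domain" -Type SRV |
    Select-Object NameTarget, Port

# Steps 7-8: the DC the client currently has affinity with, then a forced
# rediscovery, which is what happens when that DC is offline or the client has
# moved to a subnet that belongs to another site.
nltest "/dsgetdc:$domain"
nltest "/dsgetdc:$domain" /force
```

Comparing the DC named by the first nltest call with the site-scoped SRV list is a quick way to confirm that clients in a branch are authenticating locally rather than across the WAN.
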
Review Active Directory Partitions
• Schema (forest-wide): definitions and rules for creating and manipulating objects and attributes
• Configuration (forest-wide): information about the Active Directory structure
• Domain: information about domain-specific objects
• Active Directory database replicas
  - Full replica (DC)
  - Read-only replica (RODC)
    • Does not include secrets
    • Replicates passwords per policy

Understand the Global Catalog
• Global catalog hosts a partial attribute set (PAS) for other domains in the forest
• Supports queries for objects throughout the forest
(Diagram: DCs for Domain A and Domain B each hold Schema, Configuration and their own domain partition; the Global Catalog server additionally holds the partial replica of the other domain.)

Place Global Catalog Servers
• Recommendation: make every DC a GC
• In particular
  - If an application in a site queries the GC (port 3268)
  - If a site contains an Exchange server
  - If a connection to a GC in another site is slow or unreliable
(Diagram: DCs for Domain A and Domain B in the HEADQUARTERS and BRANCHA sites, with the question “Make a GC?” posed for the branch.)

Configure a Global Catalog Server
• Right-click the NTDS Settings node underneath the DC

Universal Group Membership Caching
• Universal group membership is replicated in the GC
  - Normal logon: the user’s token is built with universal groups from the GC
  - GC not available at logon: the DC denies authentication
• If every DC is a GC, this is never a problem
• If connectivity to a GC is not reliable
  - DCs can cache UG membership for a user when the user logs on
  - GC later not available: the user is authenticated with the cached UGs
• In sites with unreliable connectivity to a GC: enable UGMC
• Right-click the NTDS Site Settings object of the site and choose Properties
  - Enables UGMC for all DCs in the site

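The settings behind the “Configure a Global Catalog Server” and “Universal Group Membership Caching” property pages, applied with Set-ADObject instead of the GUI. Added example, not course material; the DC name BRANCHDC01 and site name BRANCHA are assumptions. The option bits are the documented ones: 0x1 in the options attribute of a DC’s NTDS Settings object marks it a global catalog, and 0x20 in the options attribute of a site’s NTDS Site Settings object enables UGMC for that site.

```powershell
# Added example (not from the course deck): enable GC on a DC and UGMC on a site.
# DC and site names are assumptions; option bits are the documented values.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

# Make BRANCHDC01 a GC: same effect as ticking "Global Catalog" on NTDS Settings.
$dc   = Get-ADDomainController -Identity 'BRANCHDC01'
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 0x1) }

# Enable UGMC for every DC in the branch site (site-level NTDS Site Settings).
$siteSettings = Get-ADObject -Identity "CN=NTDS Site Settings,CN=BRANCHA,CN=Sites,$configNC" -Properties options
Set-ADObject -Identity $siteSettings -Replace @{ options = ([int]$siteSettings.options -bor 0x20) }

# Verify the GC flag as the locator sees it: a site-scoped discovery for the
# GlobalCatalog service should now return the branch DC (it advertises only
# after the partial attribute set has finished replicating).
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog
Get-ADDomainController -Discover -SiteName 'BRANCHA' -Service GlobalCatalog -ForceDiscover

# Verify the UGMC bit on the site settings object.
$opts = (Get-ADObject -Identity $siteSettings -Properties options).options
[bool]([int]$opts -band 0x20)
```

Treat the two settings as alternatives for a site, not a pair: once every DC in the site is a GC, the cached membership is never consulted, so UGMC is only worth enabling where the slide says, in sites whose link to a GC is unreliable.
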
Understand Application Directory Partitions
• Support a specific application, for example DNS
• Targeted to specific DCs
• Managed with the admin tool for the app, e.g. DNS Manager
• Consider app partitions before demoting a DC
(Diagram: DCs holding Schema, Configuration and their domain partition; the DCs that host DNS also hold the DNS application partition.)

Understand Active Directory Replication
• Multimaster replication’s balancing act: “loose coupling”
  - Accuracy (integrity)
  - Consistency (convergence)
  - Performance (keeping replication traffic to a reasonable level)
• Key characteristics of Active Directory replication
  - Multimaster replication
  - Pull replication
  - Store-and-forward
  - Partitions
  - Automatic generation of an efficient & robust replication topology
  - Attribute-level replication
  - Distinct control of intrasite and intersite replication
  - Collision detection and remediation

Intrasite Replication
• Connection object: inbound replication to a DC
• Knowledge consistency checker (KCC) creates the topology
  - Efficient (maximum three hops) & robust (two-way) topology
  - Runs automatically, but you can “Check Replication Topology”
  - Few reasons to manually create connection objects
    • Standby operations masters should have connections to the masters
• Replication
  - Notification: a DC tells its downstream partners that a change is available (15 seconds)
  - Polling: a DC checks with its upstream partners (1 hour) for changes
  - The downstream DC’s directory replication agent (DRA) replicates the changes
  - Changes to all partitions held by both DCs are replicated
(Diagram: DC1, DC2 and DC3 with connection objects between them.)

Site Links
• Intersite topology generator (ISTG) builds the replication topology between sites
• Site links
  - Contain sites
  - Within a site link, a connection object can be created between any two DCs
  - Not always appropriate given your network topology!

Replication Transport Protocols
• Directory Service Remote Procedure Call (DS-RPC)
  - Appears as IP in Active Directory Sites and Services
  - The default and preferred protocol for intersite replication
• Inter-Site Messaging—Simple Mail Transport Protocol (ISM-SMTP)
  - Appears as SMTP in Active Directory Sites and Services
  - Rarely used in the real world
  - Requires a certificate authority
  - Cannot replicate the domain naming context—only schema and configuration
  - Any site that uses SMTP to replicate must be in a separate domain within the forest

Bridgehead Servers
• Replicates changes from bridgeheads in all other sites
• Polled for changes by bridgeheads in all other sites
• Selected automatically by the ISTG
• Or you can configure preferred bridgehead servers
  - Firewall considerations
  - Performance considerations

Site Link Transitivity and Bridges
• Site link transitivity (default)
  - ISTG can create connection objects between site links
  - Disable transitivity in the properties of the IP transport
• Site link bridges
  - Manually transitive site links
  - Useful only when transitivity is disabled

Control Intersite Replication
• Site link costs
  - Replication uses the connections with the lowest cost
• Replication
  - Notifications are off by default: bridgeheads do not notify partners
  - Polling: the downstream bridgehead polls its upstream partners
    • Default: 3 hours
    • Minimum: 15 minutes
    • Recommended: 15 minutes
  - Replication schedules
    • 24 hours a day
    • Can be scheduled
(Diagram: site links labelled with costs 300 and 100.)

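The intersite controls from the “Site Links”, “Bridgehead Servers”, “Site Link Transitivity and Bridges” and “Control Intersite Replication” slides, set with the ActiveDirectory module rather than through Sites and Services. This is an added example, not deck material. The site link names HQ-BRANCHA and HQ-BRANCHA-BACKUP, the site and server names, and the cost values are assumptions; the attributes used (the options bit 0x1 on a siteLink object for change notification, the options bit 0x2 on the IP transport object for disabled transitivity, and bridgeheadTransportList on a server object for a preferred bridgehead) are the documented attributes behind the corresponding GUI settings.

```powershell
# Added example (not from the course deck): tune intersite replication.
# Link, site and server names and cost values are assumptions.
Import-Module ActiveDirectory
$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# Primary link: low cost so the ISTG prefers it, polling at the 15-minute
# minimum/recommended interval instead of the 180-minute default.
Set-ADReplicationSiteLink -Identity 'HQ-BRANCHA' -Cost 100 -ReplicationFrequencyInMinutes 15

# Backup link over the slower WAN: higher cost, used only when the cheaper path is down.
Set-ADReplicationSiteLink -Identity 'HQ-BRANCHA-BACKUP' -Cost 300

# Restrict the backup link to a nightly window (00:00-06:00 every day) so that
# replication on the slow link does not compete with business traffic.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()   # start from "never replicate", then open the window
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Zero,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Six,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)
Set-ADReplicationSiteLink -Identity 'HQ-BRANCHA-BACKUP' -ReplicationSchedule $schedule

# Intersite change notification is off by default (bridgeheads only poll).
# Setting options bit 0x1 on the primary link lets changes cross it shortly
# after they occur instead of waiting for the next poll.
$link = Get-ADReplicationSiteLink -Identity 'HQ-BRANCHA' -Properties options
Set-ADReplicationSiteLink -Identity 'HQ-BRANCHA' -Replace @{ options = ([int]$link.options -bor 0x1) }

# Preferred bridgehead: pin intersite replication for the HQ site to HQDC01,
# for example because only that DC is permitted through the firewall.
$serverDN = "CN=HQDC01,CN=Servers,CN=HEADQUARTERS,CN=Sites,$configNC"
Set-ADObject -Identity $serverDN -Add @{ bridgeheadTransportList = $ipTransport }

# Transitivity check: options bit 0x2 on the IP transport means "bridges
# required", i.e. "Bridge all site links" has been turned off.
$transportOpts = (Get-ADObject -Identity $ipTransport -Properties options).options
if ([int]$transportOpts -band 0x2) { 'Site link transitivity is disabled' } else { 'Site link transitivity is enabled' }

# Ask the KCC/ISTG to rebuild now and list the resulting connection objects.
repadmin /kcc
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
    Format-Table -AutoSize
```

Pinning a preferred bridgehead is the setting most often regretted later: if HQDC01 is offline the ISTG will not fall back to another DC in that site, so the slide’s firewall and performance considerations should be weighed against that single point of failure.
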
Whiteboard: Replication
(Whiteboard diagram: Site A, Site B, Site C and Site D, each with IP subnets and a bridgehead server (BH); a Branch site with an RODC; a site link bridge joining the site links.)

Monitor and Manage Replication
• RepAdmin
  - repadmin /showrepl hqdc01.contoso.com (inbound replication partners and status)
  - repadmin /showconn hqdc01.contoso.com (connection objects)
  - repadmin /showobjmeta hqdc01 "cn=Linda Miller,ou=…" (per-attribute replication metadata for one object)
  - repadmin /kcc (run the KCC now)
  - repadmin /replicate hqdc02 hqdc01 dc=contoso,dc=com (replicate the partition from hqdc01 to hqdc02)
  - repadmin /syncall hqdc01.contoso.com /A /e (sync all partitions, across sites)
• DCDiag /test:testName
  - FrsEvent or DFSREvent
  - Intersite
  - KccEvent
  - Replications
  - Topology

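The PowerShell equivalents of the repadmin and dcdiag checks above, gathered into one health sweep for a DC. Added example, not from the deck; the server names hqdc01/branchdc01, the domain contoso.com and the object DN for Linda Miller are assumptions built from the slide’s own names.

```powershell
# Added example (not from the course deck): replication health sweep for one DC.
# Server, domain and object names are assumptions.
Import-Module ActiveDirectory
$dc      = 'hqdc01.contoso.com'
$userDN  = 'CN=Linda Miller,OU=Users,DC=contoso,DC=com'   # assumed DN

# repadmin /showrepl: inbound partners with last success/result per partition.
# ConsecutiveReplicationFailures > 0 or a stale LastReplicationSuccess is the
# first thing to look at when changes are not converging.
Get-ADReplicationPartnerMetadata -Target $dc -PartitionFilter * |
    Select-Object Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Format-Table -AutoSize

# Failures the KCC has recorded, scoped to this server.
Get-ADReplicationFailure -Target $dc -Scope Server

# repadmin /showobjmeta: version, originating DC and time per attribute, which
# tells you where a change came from and whether it has been overwritten.
Get-ADReplicationAttributeMetadata -Object $userDN -Server $dc |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity |
    Format-Table -AutoSize

# repadmin /showconn: the connection objects the KCC built for this DC.
Get-ADReplicationConnection -Filter * -Server $dc |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer

# repadmin /replicate for a single object: push it to a partner immediately
# (for example a password reset that must reach the branch DC now).
Sync-ADObject -Object $userDN -Source 'hqdc01' -Destination 'branchdc01'

# The dcdiag tests from the slide, run against the same DC.
dcdiag /s:hqdc01 /test:Replications /test:Topology /test:KccEvent /test:Intersite /test:DFSREvent
```

Run the partner metadata query on a schedule and alert on any partner whose LastReplicationSuccess is older than the tombstone lifetime you have configured; a DC that stays out of replication that long has to be demoted and rebuilt rather than resynced.
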