Friday 30 May 2014

Active Directory sites and services


Active Directory directory service is the heart of Microsoft Windows 2000. Just about every administrative task you'll perform will affect Active Directory in some way. Active Directory technology is based on standard Internet protocols and has a design that helps you clearly define the structure of your network.

What is Active Directory Sites and Services?

  • Active Directory Sites and Services is a Microsoft Management Console (MMC) snap-in in the Windows Server 2008 R2 operating system that you can use to administer the replication of directory data among all sites in an Active Directory Domain Services (AD DS) forest. This snap-in also provides a view of the service-specific objects that are published in AD DS.
  • Administrators who are responsible for forest-wide service administration can use Active Directory Sites and Services to manage the intersite replication topology for the forest. Administrators who are responsible for application services can be delegated responsibility for the service containers into which application-specific objects are published.
  • When you add the Active Directory Domain Services server role to a server, Active Directory Sites and Services is added to the Administrative Tools menu.
  • You can use the Active Directory Sites and Services snap-in to manage the site-specific objects that implement the intersite replication topology. These objects are stored in the Sites container in Active Directory Domain Services (AD DS).
  • In addition, Active Directory Sites and Services provides a view of the Services container, which you can use to view service-related objects that are published in AD DS.
The following sections provide detailed information about site management and service publication with Active Directory Sites and Services:
  • Site management
  • Service publication
  • Additional references

Site management

  • In your physical network, a site represents a set of computers that are connected by a high-speed network, such as a local area network (LAN). Typically, all computers in the same physical site reside in the same building or perhaps the same campus network.
  • In AD DS, a site object represents the aspects of the physical site that you can manage, specifically, replication of directory data between domain controllers. You can use Active Directory Sites and Services to manage the objects that represent the sites and the servers that reside in those sites.
  • Site objects and their related objects are replicated to all domain controllers in an Active Directory forest. You can manage the following objects in Active Directory Sites and Services:
      o Sites
      o Subnets
      o Servers
      o NTDS Settings
      o Connections
      o Site links
      o IP and SMTP intersite transports

Sites

Site objects are located in the Sites container. You can use site objects to accomplish the following tasks:
• Create new sites
• Delegate control over sites by using Group Policy and permissions
In every site, there is an NTDS Site Settings object. This object identifies the intersite topology generator (ISTG). The ISTG is the one domain controller in the site that generates connection objects from domain controllers in different sites. It also performs advanced replication management tasks.

Subnets

Subnet objects identify the ranges of IP addresses within a site. You can use subnet objects to accomplish the following tasks:
• Create new subnets
• Associate subnets with sites
• Provide a location for a site that can be used by the printer location tracking feature in Group Policy

Servers

Server objects are created automatically when you add the Active Directory Domain Services server role. Servers represent domain controllers in the replication topology.
You can use server objects to accomplish the following tasks:

• Identify domain controllers that will act as preferred bridgehead servers.
You can use preferred bridgehead servers to control intersite replication so that it occurs only between those domain controllers that you specify and not between domain controllers that might be less able to handle intersite replication traffic.

• Move servers between sites. If you create a new site and you have already installed domain controllers with IP addresses that map to the new site, you can move the domain controllers to the new site.

NTDS Settings

Every server object contains an NTDS Settings object, which represents the domain controller in the replication system. The NTDS Settings object stores connection objects, which make replication possible between two or more domain controllers.

You can use NTDS Settings objects to accomplish the following tasks:

• Generate the replication topology. The Check Replication Topology command for the NTDS Settings object signals the ISTG to perform a check of all connections between domain controllers and add or remove any connections that are needed.

• Enable or disable the global catalog on a server. When you enable the global catalog, the domain controller replicates the read-only directory partitions that make up the global catalog in the forest.

Connections


Replication partners of servers in a site are identified by connection objects. Replication occurs in one direction. A connection object for a server contains information about the other server (the "from" server) that sends replication to the first server. Connection objects store schedules that control replication within a site. By default, they automatically poll a replication partner for new changes once every hour. For intersite replication, connection objects derive their schedule from the site link object. You do not have to manage schedules on connection objects. Connection objects are created automatically by the replication system.

You can use connection objects to accomplish the following tasks:

• Identify replication partnerships of servers in the site

• Force replication over a connection, when you do not want to wait for scheduled replication or to test replication over a connection

Site links


Site links represent the flow of replication between sites. You can manage intersite replication by configuring site properties: over what time periods replication can occur, how often replication occurs within a certain time period, and the preferred routes between two sites.

You can use site link objects to accomplish the following tasks:

• Add and remove sites that use the site link

• Set the cost of replication over the site link, which determines the likelihood that replication occurs over this site link when there are multiple routes that replication could take to reach a destination site

• Set the site link schedule, which determines the hours and days that replication is available (can occur) over the site link

• Set the replication interval, which determines how often replication occurs over the site link when replication is available

IP and SMTP intersite transports


Replication uses remote procedure call (RPC) over either the IP transport or the Simple Mail Transfer Protocol (SMTP) transport. You can use SMTP to send replication within mail messages in environments where wide area network (WAN) links are not available. In this case, replication occurs according to the messaging schedule and not the site link schedule. By default, intersite replication uses the IP transport protocol to deliver replication packets. You can use the IP and SMTP Intersite Transport containers to accomplish the following tasks:

• Create site links. You can add site links to the replication topology as needed to accommodate new sites.
• Create site link bridges. Site links are bridged by default in AD DS, and they are not necessary in most deployments.

Service publication


Some services, such as Certificate Services, Message Queuing, and Exchange Server, publish information in the Sites container in AD DS automatically when they are installed. Other services can be published in the directory with programming interfaces.

Active Directory Sites and Services exposes published service-related objects in the Services node. This node is not visible by default. To view this node, open Active Directory Sites and Services, and then, on the View menu, click Show Services Node.

The objects in the Services node in Active Directory Sites and Services are published for use by the respective application administrators. For this reason, information about these objects is available in documentation for the service or application.



Understanding Sites, Subnets, and Site Links


Sites overview


Sites in AD DS represent the physical structure, or topology, of your network. AD DS uses network topology information, which is stored in the directory as site, subnet, and site link objects, to build the most efficient replication topology. The replication topology itself consists of the set of connection objects that enable inbound replication from a source domain controller to the destination domain controller that stores the connection object. The Knowledge Consistency Checker (KCC) creates these connection objects automatically on each domain controller. You can use the Active Directory Sites and Services snap-in to manage the site, subnet, and site link objects that combine to influence the replication topology. It is important to distinguish between sites and domains. Sites represent the physical structure of your network, while domains represent the logical structure of your organization. Site objects and their contents are replicated to all domain controllers in the forest, irrespective of domain or site.

Using sites


Domain controllers and other servers that use sites publish server objects in AD DS to take advantage of the good network connectivity that sites provide. You place domain controllers into sites according to where the domain data is needed. For example, if no users from a domain are physically located in a site, there is no reason to place a domain controller for that domain in the site.

Sites help facilitate several activities, including:

  • Replication. AD DS balances the need for up-to-date directory information with the need for bandwidth optimization by replicating information within a site whenever data is updated and between sites according to a configurable schedule.
  • Authentication. Site information helps make authentication faster and more efficient. When a client logs on to a domain, it first requests a domain controller in its local site for authentication. By establishing sites, you can ensure that clients use domain controllers that are nearest to them for authentication, which reduces authentication latency and traffic on wide area network (WAN) connections.
  • Service location. Other services, such as Active Directory Certificate Services (AD CS), Exchange Server, and Message Queuing, use AD DS to store objects that can use site and subnet information that make it possible for clients to locate the nearest service providers more easily.

Associating sites and subnets


A subnet object in AD DS groups neighboring computers in much the same way that postal codes group neighboring postal addresses. By associating a site with one or more subnets, you assign a set of IP addresses to the site. When you add the Active Directory Domain Services server role to create the first domain controller in a forest, a default site (Default-First-Site-Name) is created in AD DS. As long as this site is the only site in the directory, all domain controllers that you add to the forest are assigned to this site. However, if your forest will have multiple sites, you must create subnets that assign IP addresses to Default-First-Site-Name as well as to all additional sites.

Assigning computers to sites


Server objects are created in AD DS by applications or services, and they are placed into a site based on their IP address. When you add the Active Directory Domain Services server role to a server, a server object is created in the AD DS site that contains the subnet to which the server's IP address maps. If the domain controller's IP address does not map to any site in the forest, the domain controller's server object is created in the site of the domain controller that provides the replication source for AD DS.

For a client, site assignment is determined dynamically by its IP address and subnet mask during logon.

Locating domain controllers by site


Domain controllers register service (SRV) resource records in Domain Name System (DNS) that identify their site names. Domain controllers also register host (A) resource records in DNS that identify their IP addresses. When a client requests a domain controller, it provides its site name to DNS. DNS uses the site name to locate a domain controller in that site (or in the next closest site to the client). DNS then provides the IP address of the domain controller to the client for the purpose of connecting to the domain controller. For this reason, it is important to ensure that the IP address that you assign to a domain controller maps to a subnet that is associated with the site of the respective server object. Otherwise, when a client requests a domain controller, the IP address that is returned might be the IP address of a domain controller in a distant site. When a client connects to a distant site, the result can be slow performance and unnecessary traffic on expensive WAN links.
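The mismatch described above (a domain controller whose address does not map to a subnet in its own site) is easy to audit. The following script is an added example, not part of the original post: it assumes the ActiveDirectory module from Windows Server 2012 or later RSAT (Get-ADReplicationSubnet is not in the 2008 R2 module) and works with the constructed status labels shown in the code.

```powershell
# Added example (not from the original post): check that each domain
# controller's IPv4 address falls inside a subnet object assigned to the
# site its server object lives in. If it does not, site-aware DNS lookups
# can hand clients a DC in a distant site, as the section above warns.
# Assumes the ActiveDirectory module from Windows Server 2012 or later RSAT.
Import-Module ActiveDirectory

function Test-IPv4InPrefix {
    # $true when $Address lies inside the CIDR $Prefix, e.g. 10.20.0.0/16.
    param([string]$Address, [string]$Prefix)
    $network, $length = $Prefix.Split('/')
    $length = [int]$length
    $toUInt32 = {
        param([string]$ip)
        $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
        [Array]::Reverse($bytes)            # BitConverter is little-endian
        [BitConverter]::ToUInt32($bytes, 0)
    }
    # Mask with the top $length bits set, built arithmetically to avoid
    # signed-shift surprises from PowerShell's Int32 hex literals.
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - $length))
    return (((& $toUInt32 $Address) -band $mask) -eq ((& $toUInt32 $network) -band $mask))
}

function Get-DCSubnetSiteStatus {
    # One record per DC: the most specific subnet matching its address
    # (AD picks the longest prefix), that subnet's site, and a verdict.
    # IPv4 subnets only; IPv6 prefixes are skipped here.
    $subnets = Get-ADReplicationSubnet -Filter * |
        Where-Object { $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' } |
        ForEach-Object {
            # Site is stored as a DN; keep just the CN for comparison.
            $siteName = $null
            if ($_.Site) { $siteName = ($_.Site -split ',')[0] -replace '^CN=' }
            [pscustomobject]@{
                Prefix = $_.Name
                Length = [int]($_.Name.Split('/')[1])
                Site   = $siteName
            }
        }
    foreach ($dc in Get-ADDomainController -Filter *) {
        $match = $subnets |
            Where-Object { Test-IPv4InPrefix -Address $dc.IPv4Address -Prefix $_.Prefix } |
            Sort-Object Length -Descending |
            Select-Object -First 1
        $status = if (-not $match) { 'NO-SUBNET' }
                  elseif (-not $match.Site) { 'SUBNET-HAS-NO-SITE' }
                  elseif ($match.Site -ne $dc.Site) { 'SITE-MISMATCH' }
                  else { 'OK' }
        [pscustomobject]@{
            DomainController = $dc.HostName
            IPv4Address      = $dc.IPv4Address
            ServerObjectSite = $dc.Site
            MatchedSubnet    = $match.Prefix
            SubnetSite       = $match.Site
            Status           = $status
        }
    }
}

Get-DCSubnetSiteStatus | Sort-Object Status | Format-Table -AutoSize
```

Any row other than OK is a DC that clients in the wrong site may be handed; `nltest /dsgetsite` run on a client shows which site the client itself was placed in.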

Connecting sites with site links


Networks usually consist of a set of local area networks (LANs) that are connected by WANs. In AD DS, site link objects represent the WAN connections between sites. Whereas replication within a site is triggered automatically when a directory update occurs, replication between sites (over slower, more expensive WAN links) is scheduled to occur every 3 hours. You can change the default schedule to occur during the periods that you specify, and at the intervals that you specify, so that you can control WAN link traffic.


Configure an Additional Site


The tasks for configuring a new site include the following:
  • Creating the site
  • Mapping the correct IP addresses to the site by creating a subnet
  • Linking the site to another site or sites by creating a site link and adding the new site to it

Create a Site

You can use the Active Directory Sites and Services snap-in to create new sites in your environment.
Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain, or equivalent, is the minimum required to complete this procedure.
To create a site
  1. Open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start, click Administrative Tools, and then click Active Directory Sites and Services.
  2. In the console tree, right-click Sites, and then click New Site.
  3. In Name, type the name of the new site.
  4. In Link Name, click a site link object, and then click OK.

Create a Subnet

  • You can use the Active Directory Sites and Services snap-in to create new subnets.
  • Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain, or equivalent, is the minimum required to complete this procedure.
To create a subnet
  1. Open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start, click Administrative Tools, and then click Active Directory Sites and Services.
  2. In the console tree, double-click Sites, right-click Subnets, and then click New Subnet.
  3. In Prefix, type the IP version 4 (IPv4) or IP version 6 (IPv6) subnet prefix.
  4. In Select a site object for this prefix, click the site to associate with this subnet, and then click OK.

Create a Site Link


  • You can use the Active Directory Sites and Services snap-in to create new site links.
  • Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain, or equivalent, is the minimum required to complete this procedure.
To create a site link
  1. Open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start, click Administrative Tools, and then click Active Directory Sites and Services.
  2. In the console tree, right-click the intersite transport protocol that you want the site link to use.
Where? Active Directory Sites and Services\Sites\Inter-Site Transports\IP or SMTP
  3. Click New Site Link.
  4. In Name, type the name for the site link.
  5. In Sites not in this site link, click a site to add to the site link, and then click Add. Repeat to add more sites to the site link. To remove a site from the site link, in Sites in this link, click the site, and then click Remove.
  6. When you have added the sites that you want to be connected by this site link, click OK.

Add a Site to or Remove a Site from a Site Link


When you add sites and site links to your forest, you might create a condition in which the same site is added to two site links. You also might create a condition in which a site link does not contain all the sites for which replication is required over the site link. You can use the Active Directory Sites and Services snap-in to add sites to site links and to remove sites from site links.

Membership in the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain, or equivalent, is the minimum required to complete this procedure.

To add a site to or remove a site from a site link


1. Open Active Directory Sites and Services. To open Active Directory Sites and Services, click Start, click Administrative Tools, and then click Active Directory Sites and Services.

2. In the console tree, click the intersite transport folder that contains the site link in which you are adding or removing a site.

Where?

o Active Directory Sites and Services\Sites\Inter-Site Transports\IP or SMTP

3. In the details pane, right-click the site link in which you want to add or remove a site, and then click Properties.
4. In the appropriate list, click the site that you want to add to or remove from this site link, and then click Add or Remove, respectively.
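The four console procedures above (Create a Site, Create a Subnet, Create a Site Link, Add or Remove a Site from a Site Link) can be scripted for repeatable builds. This is an added example, not code from the original post: it assumes the ActiveDirectory module from Windows Server 2012 or later RSAT (these cmdlets are absent from the 2008 R2 module), and the site, subnet and link names are constructed placeholders.

```powershell
# Added example (not from the original post): create a branch site, its
# subnets and a dedicated IP site link, then take the site out of
# DEFAULTIPSITELINK so only the intended route carries its replication.
# Assumes the ActiveDirectory module (Windows Server 2012 or later RSAT).
Import-Module ActiveDirectory

$NewSite    = 'Branch-Site'                       # placeholder names
$HubSite    = 'Default-First-Site-Name'           # site created with the first DC
$NewSubnets = @('10.20.0.0/16', '2001:db8:20::/48') # IPv4 and IPv6 prefixes
$LinkName   = 'Hub-Branch-Link'

# 1. Create the site (New Site in the console). Idempotent: skip if present.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$NewSite'")) {
    New-ADReplicationSite -Name $NewSite
}

# 2. Create the subnets and associate each with the site (New Subnet).
#    The subnet object's name is the prefix itself, as the page notes.
foreach ($prefix in $NewSubnets) {
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $NewSite
    }
}

# 3. Create a site link over the IP transport joining hub and branch
#    (New Site Link). Cost 100 and 180 minutes match the page's defaults.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName `
        -SitesIncluded $HubSite, $NewSite `
        -InterSiteTransportProtocol IP `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 180
}

# 4. Remove the new site from the default link if it ended up there (the
#    console insists on a link when a site is created), as the page
#    recommends once a dedicated link exists.
$default   = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Properties SitesIncluded
$newSiteDN = (Get-ADReplicationSite -Identity $NewSite).DistinguishedName
if ($default.SitesIncluded -contains $newSiteDN) {
    Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = $NewSite }
}

# Review: which links now reference which sites (CNs extracted from the DNs).
Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize
```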


The following additional considerations apply to all of the site, subnet, and site link procedures above.

Additional considerations

• To perform this procedure, you must be a member of the Enterprise Admins group in the forest or the Domain Admins group in the forest root domain, or you must have been delegated the appropriate authority. As a security best practice, use Run as administrator to perform this procedure. Log on with your lowest-level user account and use administrative credentials when you manage Active Directory Domain Services (AD DS).


Configure the Intersite Replication Schedule

You can use site link objects to control the blocks of time during which replication can occur between sites that are connected by a site link. Within those blocks of time, you can also control how often replication partners request changes from their partners. After you configure a new site link, you can check whether replication between the sites is succeeding by forcing inbound replication over the connections of both replication partners.

Understanding Replication Between Sites

Active Directory Domain Services (AD DS) handles replication between sites, or intersite replication, differently than replication within sites because bandwidth between sites is usually limited. The Active Directory Knowledge Consistency Checker (KCC) builds the intersite replication topology using a least-cost spanning tree design. Intersite replication is optimized for bandwidth efficiency. Directory updates between sites occur automatically based on a configurable schedule. Directory updates that are replicated between sites are compressed to preserve bandwidth.

Building the intersite replication topology

AD DS uses information that you provide (through the Active Directory Sites and Services snap-in) about your sites and site links to build the most efficient intersite replication topology automatically. The directory stores the replication topology as connection objects, which the system creates automatically to form the replication topology both within sites and between sites. Connection objects identify replication partners for both intrasite replication and intersite replication. These objects always represent one-way, inbound replication to the server that contains the object. The intersite replication topology is updated regularly to respond to any changes that occur in the network. You do not have to create or manage connection objects. However, you can control the timing of intersite replication through the information that you provide when you configure site link objects.

Determining when intersite replication occurs

AD DS preserves bandwidth between sites by minimizing the frequency of replication and by making it possible for you to schedule the availability of site links for replication. By default, intersite replication across each site link occurs every 180 minutes (3 hours). You can adjust this frequency to match your specific needs. Be aware that increasing this frequency increases the amount of bandwidth that replication uses. In addition to scheduling the frequency of replication, you can also schedule the availability of site links for replication. By default, a site link is available to carry replication traffic 24 hours a day, 7 days a week. You can limit this schedule to specific days of the week and times of day. For example, you can schedule intersite replication so that it occurs only after normal business hours, five days a week.

If you have multiple site links configured so that there is more than one route between two sites, you can configure the cost of replication on the site link to identify a preference for one route over the other.
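The schedule, interval and cost settings described in this section, plus the check by forcing inbound replication, expressed as an added example (not code from the original post). It assumes the ActiveDirectory module from Windows Server 2012 or later RSAT and the constructed 'Hub-Branch-Link' and 'Branch-Site' names; the "after business hours, five days a week" window is the one the page uses as its example.

```powershell
# Added example (not from the original post): make a site link available
# only outside business hours on weekdays (all day at weekends), poll every
# 60 minutes inside that window, raise its cost, then verify inbound
# replication into the branch DCs. Assumes the ActiveDirectory module
# (Windows Server 2012 or later RSAT) and placeholder site/link names.
Import-Module ActiveDirectory

$LinkName   = 'Hub-Branch-Link'   # placeholder
$BranchSite = 'Branch-Site'       # placeholder

# ActiveDirectorySchedule.RawSchedule is a bool[7,24,4] grid of 15-minute
# slots, indexed [day 0=Sunday..6=Saturday, hour, quarter]. A slot set to
# $true is available for replication; everything else is unavailable.
$raw = [Array]::CreateInstance([bool], 7, 24, 4)
for ($d = 0; $d -lt 7; $d++) {
    $weekend = ($d -eq 0 -or $d -eq 6)
    for ($h = 0; $h -lt 24; $h++) {
        # Weekdays: 18:00-06:00 only. Weekends: the whole day.
        $open = $weekend -or ($h -ge 18) -or ($h -lt 6)
        for ($q = 0; $q -lt 4; $q++) { $raw[$d, $h, $q] = $open }
    }
}
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.RawSchedule = $raw

# Interval applies only while the link is available; cost 200 is above the
# default 100, so a cheaper parallel route between the sites wins if one exists.
Set-ADReplicationSiteLink -Identity $LinkName `
    -ReplicationSchedule $schedule `
    -ReplicationFrequencyInMinutes 60 `
    -Cost 200

# Read back what was stored.
Get-ADReplicationSiteLink -Identity $LinkName -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes

# Force inbound replication into each branch DC (all partitions, across
# sites), then show per-partner inbound status. A stale LastReplicationSuccess
# or a non-zero failure count once the window is open points at the link.
foreach ($dc in Get-ADDomainController -Filter "Site -eq '$BranchSite'") {
    repadmin /syncall $dc.HostName /A /e | Out-Null
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}
```

Outside the configured window a forced sync is still attempted, so check the result against the schedule rather than treating every failure as a fault.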

Using replication transports

The default transport for AD DS replication within sites is Remote Procedure Call (RPC) over IP. RPC over IP is also used for intersite replication. The IP container in Active Directory Sites and Services contains objects that represent site links that use RPC over IP to package and transfer replication data between sites. To keep data secure while it is in transit between sites, RPC over IP replication uses both authentication (with the Kerberos version 5 (V5) authentication protocol) and data encryption.

When a direct or reliable IP connection is not available, you can configure replication between sites to use Simple Mail Transfer Protocol (SMTP). However, SMTP replication functionality is limited to nondomain replication (schema, configuration, and global catalog updates). It also requires an enterprise certification authority (CA) when you use it over site links. In Windows Server 2008 R2, the SMTP component of Intersite Messaging is optional. You must add it before you can use SMTP for replication. For more information about SMTP replication, see How Active Directory Replication Topology Works.




Adding a Site to the Forest

If you want to deploy domain controllers in an area of your network that is remote from the hub site, you can create a site object in Active Directory Domain Services (AD DS) to represent the local area network (LAN) in the remote area. You must configure the site to include the subnet addresses that are assigned on the remote LAN. When you create a new site object, you must place the site into an existing site link. If you already have multiple sites, you may have to create an additional site link to connect the new site to an existing site.

After you create a new site, when you add the Active Directory Domain Services server role to a server that has an IP address that maps to that site, you can specify that the server object for the new domain controller is created in the site according to its IP address. As an alternative, you can select the site for the new domain controller and then configure its IP address to an address that maps to a subnet in that site.

Procedure requirements

The procedures in this section have the following requirements:
  • The network address or addresses (in the form network address/prefix). These addresses form the subnet object names when you create subnets.
  • A site link. To create a site, you must add the new site to an existing site link. You can use the default site link (DEFAULTIPSITELINK) if no other site link exists. If you have more than two existing sites and you are adding a site, you might add the site to an existing site link and then create a new site link and associate the new site with that site link. In most cases, you then remove the new site from the old site link.
  • The transport protocol that is available for replication over the site link.
When a wide area network (WAN) link is available between the sites, use the IP transport. When connectivity is intermittent or when end-to-end IP connectivity is not available, you can use Simple Mail Transfer Protocol (SMTP) for replication to the site. However, SMTP replication has restrictions. For more information about using SMTP replication, see Understanding Replication Between Sites.

To add a site to a forest, perform the following procedures:
  • Create a Site
  • Create a Subnet
  • Create a Site Link
  • Add a Site to or Remove a Site from a Site Link

Copyright © 2013 DigTuts