Read Windows Server 2008 R2 Unleashed Online
Authors: Noel Morimoto
and then the interval check period is increased to 8 hours.
It is important that administrators configure and test the manually configured external
time source on the PDC emulator.
Describing Connection Objects
Connection objects are automatically generated by the AD DS Knowledge Consistency
Checker (KCC) to act as pathways for replication communication. They can be manually
established, as well, and essentially provide a replication path between one domain
controller and another. If, for example, an organization wants to have all replication
pushed to a primary domain controller (PDC) before it is disseminated elsewhere, direct
connection objects can be established between the two domain controllers.
Creating a connection object is a straightforward process. After one is created, Windows
Server 2008 R2 does not attempt to automatically generate a new one across the same
route unless that connection object is deleted. To manually set a connection object to
replicate between domain controllers, perform the following steps:
1. Open Active Directory Sites and Services.
2. Expand Sites\
is the source server for the connection object.
3. Right-click NTDS Settings and choose New Active Directory Domain Services
Connection.
4. Select the target domain controller, and click OK.
5. Name the connection object, and click OK.
6. Right-click the newly created connection object, and select Properties to open a
properties page for the object. You can then modify the connection object to fit any
specific schedule, transport, and so on.
NOTE
The connection objects that appear as automatically generated were created by the
KCC component of AD DS to provide for the most efficient replication pathways. You
must, therefore, have a good reason to manually create these pathways because the
automatically generated ones usually do the trick.
Understanding Replication Latency
Administrators who are not accustomed to AD DS’s replication topology might become
confused when they make a change in AD and find that the change is not replicated
immediately across their environment. For example, an administrator might reset a password
on a user’s account, only to have that user complain that the new password does not
immediately work. The reason for these types of discrepancies simply lies in the fact that
not all AD changes are replicated immediately. This concept is known as replication latency.
Because the overhead required in replicating change information to all domain controllers
immediately is large, the default schedule for replication is not as often as might be desired.
Replication of critical information can be forced through the following procedure:
1. Open Active Directory Sites and Services.
2. Drill down to Sites\
Servername is the server that you are connected to and that the desired change
should be replicated from.
3. Right-click each connection object, and choose Replicate Now.
Another useful tool that can be used to force replication is the repadmin command-line
tool. This tool is installed as part of a default Windows Server 2008 R2 domain controller
install. After being installed, repadmin can be used to force replication for the entire
directory, specific portions of the directory, or to sync domain controllers across site
boundaries. If the bandwidth is available, a batch file can be effectively written to force
replication between domain controllers, converging the directory as quickly as possible.
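The following script is an added example and is not code from the book: it forces the directory to converge from the domain controller where an urgent change was made and then checks every replication partner for failures or stale links. It assumes repadmin.exe is available and that you run it with replication rights; the DC name and the 180-minute threshold are placeholders.

```powershell
# Added example (not from the book). Converge the directory after an urgent
# change and confirm every replication partner is healthy. Assumes repadmin.exe
# is on the path and you run with replication rights; DC name is a placeholder.
param(
    [string]$SourceDC = 'dc1.example.local',   # DC where the change was made
    [int]$StaleAfterMinutes = 180              # the default intersite interval
)

# Push the source DC's changes to all partners: /A = all naming contexts,
# /e = cross site boundaries, /P = push (default is pull), /d = show DNs.
& repadmin /syncall $SourceDC /AdeP
if ($LASTEXITCODE -ne 0) { Write-Warning "repadmin /syncall exited with $LASTEXITCODE" }

# Ask every DC for its inbound replication status in CSV form.
$status = & repadmin /showrepl * /csv | ConvertFrom-Csv

# Partners that reported errors on their last attempt.
$failing = $status | Where-Object { [int]$_.'Number of Failures' -gt 0 }

# Partners whose last successful sync is older than the interval we expect.
$cutoff = (Get-Date).AddMinutes(-$StaleAfterMinutes)
$stale = $status | Where-Object {
    $_.'Last Success Time' -and ([datetime]$_.'Last Success Time') -lt $cutoff
}

if (-not $failing -and -not $stale) {
    Write-Host "All $($status.Count) replication links are healthy."
} else {
    @($failing) + @($stale) |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time' |
        Format-Table -AutoSize
    exit 1
}
```

A non-zero exit lets a scheduled task or monitoring job flag a DC that is silently falling behind, which matters for security-relevant changes such as account disables.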
The default replication schedule can be modified to fit the needs of your organization. For
example, you might decide to change the default schedule of 180 minutes to a schedule as
low as every 15 minutes. To make this change, perform the following steps:
1. Open Active Directory Sites and Services.
2. Drill down to Sites\Inter-Site Transports\IP.
3. Right-click the site link that requires schedule changes and choose Properties.
4. Change the Replicate every field to the new replication interval, as shown in
Figure 7.1.
CHAPTER 7
Active Directory Infrastructure
FIGURE 7.1 Setting the intersite replication interval.
5. Click OK to save any schedule changes.
Of course, changing this schedule comes with some caveats, namely watching for
increased frequency of high network bandwidth utilization. You should match the
trade-off of your organization’s needs with the increased resource consumption levels required.
Understanding Active Directory Sites
The basic unit of AD DS replication is known as the site. Not to be confused with actual
physical sites, the AD site is simply a group of highly connected computers and domain
controllers. Each site is established to more effectively replicate directory information
across the network. In a nutshell, domain controllers within a single site will, by default,
replicate more often than those that exist in other sites. The concept of the site
constitutes the centerpiece of replication design in AD DS.
NOTE
Intrasite replication is approximately 15 seconds when the forest functional level is set
to Windows Server 2003 or higher. The intrasite replication is set to 5 minutes for
Windows 2000 Server forest functional level.
Outlining Windows Server 2008 R2 Site Improvements
Specific functionality that affects sites has evolved since the early days of Active Directory.
Windows Server 2003 introduced numerous replication enhancements that directly affect
the functionality of sites and allow for greater design flexibility in regard to site design.
These changes continue to exist in Windows Server 2008 R2 and have been further
improved. These enhancements include the following:
. Read-Only Domain Controllers (RODCs) and Read-Only Global Catalogs (ROGCs)
. AD DS optionally installed on Server Core
. GC universal group membership caching
. Media-based domain controller creation
. Linked-value replication
. ISTG algorithm improvements
. No global catalog full synchronization with schema changes
. Ability to disable replication packet compression
. Lingering object detection
These concepts are elaborated more fully in later sections of this chapter.
Associating Subnets with Sites
In most cases, a specific site in AD DS physically resides in a specific subnet. This idea
stems from the fact that the site topology most often mimics, or should mimic, the
physical network infrastructure of an environment.
In AD DS, sites are associated with their respective subnets to allow for the intelligent
assignment of hosts to their respective domain controllers. For example, consider the
design shown in Figure 7.2.
FIGURE 7.2 Sample client site assignment. (Figure labels: 10.1.1.0/24 with Server1 and Server2; 10.1.2.0/24 with Server3 and Server4; Client1 at 10.1.2.145.)
Server1 and Server2, both members of Site1, are both physically members of the 10.1.1.x
subnet. Server3 and Server4 are both members of the 10.1.2.x subnet. Client1, which has a
physical IP address of 10.1.2.145, will be automatically assigned Server3 and Server4 as its
default domain controllers by AD DS because the subnets have been assigned to the sites
in advance. Making this type of assignment is fairly straightforward. The following
procedure details how to associate a subnet with a site:
1. Open Active Directory Sites and Services.
2. Drill down to Sites\Subnets.
3. Right-click Subnets and choose New Subnet.
4. Enter the network portion of the IP range that the site will encompass. In our
example, we use the 10.1.2.0/24 (subnet mask of 255.255.255.0), as shown in Figure 7.3.
Select a site for the subnet, and click OK.
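The following PowerShell is an added example, not code from the book. It reproduces the subnet-to-site lookup that places Client1 in Site2 (the most specific matching subnet wins, as the DC locator does), reads the real subnet objects from the configuration partition via ADSI, and warns about subnets that have no site assigned. The sample hashtable is constructed data mirroring Figure 7.2; the site names are assumptions.

```powershell
# Added example (not from the book). Predict which site a client IP will be
# assigned to and flag subnet objects with no siteObject. Sample data below
# is constructed to mirror Figure 7.2.
function ConvertTo-IPv4Integer {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Get-SiteForIPAddress {
    param([string]$IPAddress, [hashtable]$SubnetToSite)
    $ip = ConvertTo-IPv4Integer $IPAddress
    $allOnes = [long][uint32]::MaxValue          # 0xFFFFFFFF without sign issues
    $bestSite = $null; $bestLength = -1
    foreach ($cidr in $SubnetToSite.Keys) {
        $network, $length = $cidr -split '/'
        $length = [int]$length
        $mask = ($allOnes -shl (32 - $length)) -band $allOnes
        $net = ConvertTo-IPv4Integer $network
        # Longest prefix wins, matching the DC locator's "most specific subnet" rule.
        if ((($ip -band $mask) -eq ($net -band $mask)) -and $length -gt $bestLength) {
            $bestSite = $SubnetToSite[$cidr]; $bestLength = $length
        }
    }
    return $bestSite   # $null means the client maps to no site at all
}

function Get-ADSubnetToSiteMap {
    # Reads CN=Subnets from the configuration partition via ADSI (domain-joined host).
    $root = [ADSI]'LDAP://RootDSE'
    $container = [ADSI]("LDAP://CN=Subnets,CN=Sites," + $root.configurationNamingContext)
    $map = @{}
    foreach ($subnet in $container.Children) {
        $cn = [string]$subnet.Properties['cn'].Value
        $site = [string]$subnet.Properties['siteObject'].Value
        if ($site) { $map[$cn] = ($site -split ',')[0] -replace '^CN=', '' }
        else { Write-Warning "Subnet $cn is not associated with any site." }
    }
    return $map
}

# Constructed data matching Figure 7.2; use Get-ADSubnetToSiteMap against a live forest.
$sample = @{ '10.1.1.0/24' = 'Site1'; '10.1.2.0/24' = 'Site2' }
Get-SiteForIPAddress -IPAddress '10.1.2.145' -SubnetToSite $sample   # Site2
```

Clients whose address matches no subnet are the ones that end up authenticating against distant domain controllers, so running the lookup for sample client addresses from each location is a quick check that the subnet table is complete.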
FIGURE 7.3 Associating a subnet with a site.
Using Site Links
By default, the creation of two sites in AD DS does not automatically create a connection
linking the two sites. This type of functionality must be manually created, in the form of
a site link.
A site link is essentially a type of connection that joins together two sites and allows for
replication traffic to flow from one site to another. Multiple site links can be set up and
should normally follow the WAN lines that your organization uses. Multiple site links
also ensure redundancy so that if one link goes down, replication traffic follows the
second link.
Creation of site links is another straightforward process, although you should establish in
advance which type of traffic will be utilized by your site link: SMTP or IP (refer to the
“Choosing SMTP or IP Replication” section).
Site link replication schedules can be modified to fit the existing requirements of your
organization. If, for example, the WAN link is saturated during the day, a schedule can be
established to replicate information at night. This functionality enables you to easily
adjust site links to the needs of any WAN link.
With the assumption that a default IP site link is required, the following steps will create
a simple site link to connect Site1 to Site2. In addition, the replication schedule will be
modified to allow replication traffic to occur only from 6:00 p.m. to 6:00 a.m. at
one-hour intervals:
1. Open Active Directory Sites and Services.
2. Drill down to Sites\Inter-Site Transports\IP.
3. Right-click IP and choose New Site Link to open a properties page similar to the one
shown in Figure 7.4.
FIGURE 7.4 Site link creation properties page.
4. Give a name to the site link that will easily identify what it is. In our example, we
named it Site1-Site2.
5. Ensure that the sites you want to connect are located in the Sites in This Site Link box.
6. Click OK to create the site link.
7. Right-click the newly created site link, and choose Properties.
8. Click Change Schedule.