Active Directory needs information about the network to determine how domain controllers should replicate and which domain controller(s) are optimal for a given client to authenticate with. This network information is often referred to as the site or replication topology, and consists of numerous object types that represent various aspects of the network. At a high level, a site is a collection of high-speed LAN segments. One or more subnets can be associated with a site, and this mapping is used to determine which site a client (based on IP address) belongs to. Sites are connected via site links, which are analogous to WAN connections. Finally, each domain controller in a site has one or more connection objects, each of which defines a replication connection to another domain controller. These site topology objects are contained under the Sites container within the Configuration naming context.

Figure 11-1 shows an example of the site topology hierarchy using the Active Directory Sites and Services snap-in.

Figure 11-1. Site topology hierarchy

Directly under the Sites container are the individual site containers, plus containers that store the site link objects (cn=Inter-site Transports) and subnets (cn=Subnets). There are three objects included within a site: an NTDS Site Settings (nTDSSiteSettings) object that contains attributes that can customize replication behavior for the whole site, a License Site Settings (licensingSiteSettings) object that can be used to direct hosts within the site to the appropriate licensing server, and a Servers container. The Servers container contains a server object for each of the domain controllers that are members of the site, along with any other servers that need to be represented in the site topology (e.g., DFS servers). A server object can contain an NTDS Settings (nTDSDSA) object, which distinguishes domain controller server objects from other server objects.
The NTDS Settings object stores several attributes that are used to customize replication behavior for a specific domain controller. The NTDS Settings object can contain one or more nTDSConnection objects, which define the replication connections between domain controllers.

The Anatomy of Site Topology Objects

Table 11-1 through Table 11-7 contain some of the important attributes of the various site topology objects.

Table 11-1. Attributes of site objects

| Attribute | Description |
|---|---|
| cn | RDN of the object. This is the name of the site (e.g., Raleigh). |
| gpLink | Contains a prioritized list of GPOs that are linked to the site. |
| siteObjectBL | Multivalued attribute that contains a list of distinguished names for each subnet that is associated with the site. |

Table 11-2. Attributes of nTDSSiteSettings objects

| Attribute | Description |
|---|---|
| cn | RDN of the object, which is always equal to NTDS Site Settings. |
| interSiteTopologyGenerator | Distinguished name of the NTDS Settings object of the current Inter-site Topology Generator (ISTG). |
| msDS-Preferred-GC-Site | If universal group caching is enabled, this contains the distinguished name of the site that domain controllers should refresh their cache from. This attribute is new to Windows Server 2003. See Recipe 7.9 for more information. |
| options | Bit flag that determines if universal group caching is enabled, whether site link transitivity is disabled, and if replication schedules should be ignored. For more information see Recipe 11.11. |
| schedule | Octet string that represents the default replication schedule for the site. |

Table 11-3. Attributes of subnet objects

| Attribute | Description |
|---|---|
| cn | RDN of the object. Contains the network number and bit mask for the subnet (e.g., 10.1.3.0/24). |
| siteObject | Distinguished name of the site object the subnet is associated with. |

Table 11-4. Attributes of siteLink objects

| Attribute | Description |
|---|---|
| cn | RDN of the object. Contains the name of the link. |
| cost | Number that represents the site link cost. See Recipe 11.10 for more information. |
| replInterval | Interval in minutes at which replication occurs over the site link. |
| schedule | Octet string that represents the replication schedule for the site link. |
| siteList | Multivalued list of distinguished names of each site that is associated with the site link. See Recipe 11.8 for more information. |

Table 11-5. Attributes of server objects

| Attribute | Description |
|---|---|
| bridgeheadTransportList | Multivalued attribute that contains the list of transports (e.g., IP or SMTP) for which the server is a preferred bridgehead server. |
| cn | RDN of the object. This is set to the hostname of the associated server. |
| dNSHostName | Fully qualified domain name of the server. This attribute is automatically maintained for domain controllers. |
| serverReference | Distinguished name of the corresponding computer object contained within one of the domain naming contexts. |

Table 11-6. Attributes of nTDSDSA (NTDS Settings) objects

| Attribute | Description |
|---|---|
| cn | RDN of the object, which is always equal to NTDS Settings. |
| invocationID | GUID that represents the DIT (ntds.dit) on the domain controller. |
| hasMasterNCs | Multivalued attribute containing the list of writeable naming contexts (does not include application partitions) stored on the domain controller. |
| hasPartialReplicaNCs | Multivalued attribute containing the list of read-only naming contexts stored on the domain controller. This will be populated only if the domain controller is a global catalog server. |
| msDS-Behavior-Version | Number that represents the functional level (i.e., operating system) of the domain controller. This attribute is new to Windows Server 2003. |
| msDS-HasDomainNCs | Contains the distinguished name of the writeable Domain naming context stored on the domain controller. This attribute is new to Windows Server 2003. |
| msDs-HasInstantiatedNCs | A combination of all available read-only and writeable naming contexts stored on the domain controller. This attribute is new to Windows Server 2003. |
| msDS-hasPartialReplicaNCs | Multivalued attribute that contains distinguished names of each read-only naming context stored on the domain controller. This will be populated only if the domain controller is a global catalog server. This attribute is new to Windows Server 2003. |
| msDS-hasMasterNCs | Multivalued attribute that contains distinguished names of each writeable naming context and application partition stored on the domain controller. This attribute is new to Windows Server 2003. |
| options | Bit flag that determines if the domain controller is a global catalog server. |
| queryPolicyObject | If set, the distinguished name of the LDAP query policy object to be used by the domain controller. |

Table 11-7. Attributes of nTDSConnection objects

| Attribute | Description |
|---|---|
| cn | RDN of the object. For Knowledge Consistency Checker (KCC) generated connections, this is a GUID. |
| enabledConnection | Boolean that indicates if the connection is available to be used. |
| fromServer | Distinguished name of the NTDS Settings object of the domain controller this connection replicates with. |
| ms-DS-ReplicatesNCReason | Multivalued attribute that stores reason codes for why the connection exists. There will be one entry per naming context the connection is used for. |
| options | Bit flag where a value of 1 indicates the connection was created by the KCC and a value of 0 means the connection was manually created. See Recipe 11.22 for more information. |
| schedule | Octet string that represents the replication schedule for the site link. |
| transportType | Distinguished name of the transport type (e.g., IP or SMTP) that is used for the connection. |
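The subnet-to-site mapping and the nTDSDSA options flag described above, worked through as an added example that is not from the book: constructed subnet and NTDS Settings objects (the forest, site names and server names are invented) are used to resolve a client IP to its site, applying the most-specific-subnet rule AD uses when subnets nest, and then to list the global catalogs whose server objects sit in that site.

```python
import ipaddress
from typing import Optional

SITES = "CN=Sites,CN=Configuration,DC=example,DC=com"  # constructed forest, not a real one

# Constructed subnet objects: cn is the network in CIDR form, siteObject the site DN.
SUBNETS = [
    {"cn": "10.1.0.0/16",     "siteObject": f"CN=Raleigh,{SITES}"},
    {"cn": "10.1.3.0/24",     "siteObject": f"CN=Raleigh-Lab,{SITES}"},
    {"cn": "192.168.50.0/24", "siteObject": f"CN=Boston,{SITES}"},
]
# Constructed nTDSDSA (NTDS Settings) objects; options bit 0x1 marks a global catalog.
NTDSDSA_OPT_IS_GC = 0x1
NTDS_SETTINGS = [
    {"dn": f"CN=NTDS Settings,CN=DC1,CN=Servers,CN=Raleigh,{SITES}", "options": 1},
    {"dn": f"CN=NTDS Settings,CN=DC2,CN=Servers,CN=Raleigh,{SITES}", "options": 0},
    {"dn": f"CN=NTDS Settings,CN=LAB1,CN=Servers,CN=Raleigh-Lab,{SITES}", "options": 0},
    {"dn": f"CN=NTDS Settings,CN=BOS1,CN=Servers,CN=Boston,{SITES}", "options": 1},
]

def site_for_ip(ip: str) -> Optional[str]:
    """Site DN for a client IP, or None when no subnet object covers it.

    Where subnets nest (10.1.0.0/16 and 10.1.3.0/24 above) the most specific
    prefix wins, which is how Active Directory resolves overlapping subnets.
    """
    addr = ipaddress.ip_address(ip)
    best = None  # (prefix length, site DN)
    for sub in SUBNETS:
        net = ipaddress.ip_network(sub["cn"], strict=False)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0]:
                best = (net.prefixlen, sub["siteObject"])
    return best[1] if best else None

def gcs_in_site(site_dn: str) -> list:
    """Server names (server object cn) of global catalogs located in site_dn."""
    suffix = f",CN=Servers,{site_dn}".lower()
    gcs = []
    for dsa in NTDS_SETTINGS:
        server_dn = dsa["dn"].split(",", 1)[1]  # parent of NTDS Settings = server object
        if server_dn.lower().endswith(suffix) and dsa["options"] & NTDSDSA_OPT_IS_GC:
            gcs.append(server_dn.split(",", 1)[0].split("=", 1)[1])
    return gcs

if __name__ == "__main__":
    for client in ("10.1.3.77", "10.1.9.5", "172.16.0.1"):
        site = site_for_ip(client)
        print(client, "->", site or "no matching subnet", gcs_in_site(site) if site else [])
```

A client whose address matches no subnet object (172.16.0.1 above) has no site and cannot be steered to a nearby domain controller, which is why unmapped subnets are worth auditing.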