| The job of configuring and creating sites belongs to the administrators who manage Active Directory, but those who manage the network must be well informed and possibly involved in the design. Whether Active Directory and the network are handled by the same or different groups, they affect each other, and undesired network utilization or failed network connectivity may result. For example, if the Active Directory administrator defines the entire enterprise as a single site and several Active Directory changes happen each day, replication connections would exist across the enterprise, and replication traffic might be heavy, causing poor network performance for other networking services. On the other side, if the network administrator allows only specific ports to communicate between certain subnets, adding Active Directory might require that additional ports be opened or involve specific network requirements on the servers at each location. Creating a Site When creating a site, Active Directory and network administrators must decide how often AD will replicate between sites. They also must share certain information such as the line speed between the sites and the IP addresses of the servers that will be replicating. Knowing the line speed helps determine the correct cost of a site link. For the network administrator, knowing which IP addresses to expect network traffic from on certain ports is helpful when troubleshooting or monitoring the network. To create a site, the AD administrator needs a site name and subnet and also needs to know which other sites will replicate to the new site. To create a site, follow these steps: 1. | Log on to a server or a Windows XP workstation with Windows Server 2003 Administration Tools installed. For simplicity, log on with an account that has the rights to create a site; usually, an account with Enterprise Administrator rights will suffice.
| 2. | Choose Start, All Programs, Administrative Tools, Active Directory Sites and Services. If the console is missing, proceed to the next step; otherwise, skip to step 7.
| 3. | Choose Start, Run. Type MMC.exe and click OK.
| 4. | Choose File, Add/Remove Snap-in.
| 5. | Click Add in the Add/Remove Snap-in window.
| 6. | Select Active Directory Sites and Services from the Add Stand-alone Snap-in page and click Add. Click Close and then OK in the Add/Remove Snap-in window.
| 7. | In the console window, click the plus sign next to Active Directory Sites and Services.
| 8. | Right-click the Sites container and choose New Site.
| | | 9. | Type in the name of the site and select any existing site link, as shown in Figure 19.1. Then click OK to create the site.
Figure 19.1. Creating a new site. 
| 10. | A pop-up window might appear, stating what tasks still need to be completed to properly create a site. Read the information, take notes if necessary, and click OK.
|
Creating Site Subnets After you create a site, it should be listed in the console window. To complete the site creation process, follow these steps: 1. | Within the console window, right-click the Subnets container and choose New Subnet.
| 2. | Type in the address of the subnet and subnet mask, select the appropriate site from the list at the bottom of the window, and click OK to create the new subnet and associate it with the new site. If you are not sure about the address to enter, just enter the IP address and subnet mask of a device on that network, and the wizard will select the correct network number for you.
|
Adding Domain Controllers to Sites If a new domain controller is added to a forest, it will dynamically join a site with a matching subnet if the site topology is already configured and subnets have been previously defined. If an existing domain controller is being moved to a new site or the site topology or replication strategy has changed, you can follow these steps to move a domain controller to a different site: 1. | Log on to a server or a Windows XP workstation with Windows Server 2003 Administration Tools installed. For simplicity, log on with an account that has the rights to create a site; usually, an account with Enterprise Administrator rights will suffice.
| 2. | Choose Start, All Programs, Administrative Tools, Active Directory Sites and Services. If the console is missing, proceed to the next step; otherwise, skip to step 7.
| 3. | Choose Start, Run. Then type MMC.exe and click OK.
| | | 4. | Choose File, Add/Remove Snap-in.
| 5. | Click Add in the Add/Remove Snap-in window.
| 6. | Select Active Directory Sites and Services from the Add Stand-alone Snap-in page and click Add. Click Close and then OK in the Add/Remove Snap-in window.
| 7. | In the console window, click the plus sign next to Active Directory Sites and Services.
| 8. | Locate the site that contains the desired domain controller. You can browse the site servers by expanding the Sites container, expanding a site within it, and selecting the Servers container of the site, as shown in Figure 19.2.
Figure 19.2. Browsing site servers. 
| 9. | When you locate the desired server, take note of the source site, right-click the server name, and choose Move.
| 10. | When a window opens listing all the sites in the forest, select the destination site and click OK to initiate the server move.
| 11. | When the move is complete, verify that the domain controller has been placed in the correct Servers container of the desired site.
|
If necessary, manually create replication connections if the desired connections are not automatically created by the Inter-Site Topology Generator (ISTG) within 15 minutes after moving the server. For information on the ISTG and replication connections, refer to Chapter 7, "Active Directory Infrastructure." Configuring Licensing for the Enterprise Within Active Directory, server licensing is replicated to a designated site-licensing server. Each site-licensing server replicates its licensing information to the licensing servers in other sites so that each server has the enterprise licensing information. Licensing replication follows the replication interval set on the individual server from within the Licensing applet in the Control Panel of each server. The first domain controller in a site becomes the site-licensing server. To change the site-licensing server, follow these steps: 1. | Log on to a server or a Windows XP workstation with Windows Server 2003 Administration Tools installed. For simplicity, log on with an account that has the rights to create a site; usually, an account with Enterprise Administrator rights will suffice.
| 2. | Choose Start, All Programs, Administrative Tools, Active Directory Sites and Services. If the console is missing, proceed to the next step; otherwise, skip to step 7.
| 3. | Choose Start, Run. Then type MMC.exe and click OK.
| 4. | Choose File, Add/Remove Snap-in.
| 5. | Click Add in the Add/Remove Snap-in window.
| 6. | Select Active Directory Sites and Services from the Add Stand-alone Snap-in page and click Add. Click Close and then OK in the Add/Remove Snap-in window.
| 7. | In the console window, click the plus sign next to Active Directory Sites and Services.
| | | 8. | Select the desired site in the left pane. Then, in the right pane, right-click Licensing Site Settings and choose Properties, as shown in Figure 19.3.
Figure 19.3. Opening the Licensing Site Settings properties page. 
| 9. | Within the Licensing Site Settings property page, note the licensing computer at the bottom of the window and, if desired, click the Change button to specify a computer.
| 10. | In the Select Computer window, type in the name of the desired domain controller and click OK.
| 11. | Back on the Licensing Site Settings property page, click OK to change the licensing server for the site.
|
Configuring Server/Workstation Licensing Options To get proper licensing usage information for the entire enterprise, the administrator must understand how licensing information is replicated. Each server replicates its licensing information to the site-licensing server based on a replication interval set in the Licensing applet located in the Control Panel within the server console. The default is set to 24 hours, so licensing information is replicated to the site-licensing server once a day. Adding Licenses When per-user or per-device client access licenses need to be added to properly track Windows and possibly BackOffice, Exchange, and SMS licenses, the licenses should be added directly on the site-licensing server. This ensures that the licenses show up on the licensing server immediately. Many administrators do not understand licensing, so they either disable the licensing logging service or add licenses several times until they realize that the added licenses show up on the licensing server only after replication. Establishing Site Links Site links establish connectivity between domain controllers to allow Active Directory replication to be managed and scheduled. The Active Directory database, global catalog, Group Policies, and domain controller SYSVOL share replicate according to the replication schedule configured in a site link. For more information on site links, refer to Chapter 7. To create an IP-based site link, follow these steps: 1. | Log on to a server or a Windows XP workstation with Windows Server 2003 Administration Tools installed. For simplicity, log on with an account that has the rights to create a site; usually, an account with Enterprise Administrator rights will suffice.
| 2. | Choose Start, All Programs, Administrative Tools, Active Directory Sites and Services. If the console is missing, proceed to the next step; otherwise, skip to step 7.
| 3. | Choose Start, Run. Type MMC.exe and click OK.
| 4. | Choose File, Add/Remove Snap-in.
| 5. | Click Add in the Add/Remove Snap-in window.
| | | 6. | Select Active Directory Sites and Services from the Add Stand-alone Snap-in page and click Add. Click Close and then OK in the Add/Remove Snap-in window.
| 7. | In the console window, click the plus sign next to Active Directory Sites and Services.
| 8. | Expand the Sites container and double-click the Inter-Site Transports container.
| 9. | Right-click the IP container and select New Site Link.
| 10. | Enter a name for the site link, select a site that will replicate Active Directory using this site link, and click Add. Repeat this step until all the desired sites are in the right window, as shown in Figure 19.4.
Figure 19.4. Adding sites to a site link. 
| 11. | Click OK to create the site link.
| 12. | Back in the Active Directory Sites and Services console, right-click the new site link in the right pane and choose Properties.
| 13. | At the top of the window, enter a description for the site link. For example, enter Site link between site A and site B. Keep the description simple but informative.
| 14. | At the bottom of the window, enter a cost for the site link and enter the replication frequency. This number indicates how often Active Directory will attempt to replicate during the allowed replication schedule.
| 15. | Click the Change Schedule button to configure specific intervals when Active Directory should not replicate and click OK.
| 16. | Click OK in the Site Link property page to complete the site link configuration.
|
After the site link is configured, the Active Directory connections between domain controllers in different sites may generate new connections to optimize replication. Delegating Control at the Site Level Control is sometimes delegated at the site level to give network administrators the rights to manage Active Directory replication without giving them the rights to manage any additional Active Directory objects. Site delegation can also do just the opposite, effectively denying network administrators the right to access Active Directory objects on a per-site basis. Specific administrative rights can be granted using the built-in Delegate Control Wizard, whereas others can be set for all the site objects using a site's Group Policies. To delegate control at the site level, follow these steps: 1. | Log on to a server or a Windows XP workstation with Windows Server 2003 Administration Tools installed. For simplicity, log on with an account that has the rights to create a site; usually, an account with Enterprise Administrator rights will suffice.
| 2. | Choose Start, All Programs, Administrative Tools, Active Directory Sites and Services. If the console is missing, proceed to the next step; otherwise, skip to step 7.
| 3. | Choose Start, Run. Type MMC.exe and click OK.
| 4. | Choose File, Add/Remove Snap-in.
| 5. | Click Add in the Add/Remove Snap-in window.
| 6. | Select Active Directory Sites and Services from the Add Stand-alone Snap-in page and click Add. Click Close and then OK in the Add/Remove Snap-in window.
| 7. | In the console window, click the plus sign next to Active Directory Sites and Services.
| 8. | Right-click the Sites container and select Delegate Control.
| 9. | Click Next on the Delegate Control Wizard Welcome screen.
| 10. | Using the Add button, select the user, users, or groups that will delegate control over the site and click Next to continue. You may choose an Active Directory group created for the organization's networking team or the default group named Network Configuration Operators.
| 11. | In the Active Directory Object Type page, select This Folder, Existing Objects in This Folder and Creation of New Objects in This Folder, which is the default option to delegate control, and then click Next. The permissions granted will trickle down to each of the containers below the initial Sites container. If you don't want this outcome, return to step 8 and select the appropriate site or subnet container.
| | | 12. | On the Permissions page, check the desired permissions type boxes and choose each permission the administrator or, in this case, the networking group should have.
| 13. | Click Next and then Finish to complete the Delegate Control Wizard.
|
|
