Using Active Directory Sites and Services


Active Directory Sites and Services is a snap-in for the Microsoft Management Console (MMC) that administrators use to create and manage the sites that make up a Microsoft Windows 2000 network, as well as to establish links between sites. A site, in Active Directory terminology, is defined as a group of computers on one or more Internet Protocol subnets that are well connected. A subnet is a network that is a component of a larger network. For more information on subnets, see Chapter 13.

Well connected means that the systems share a network transport that provides low-cost, high-speed communications between the machines and typically refers to systems in a single location that are connected by LANs. Systems that aren't well connected are those that use relatively slow, expensive communications. Active Directory consists of one or more sites, but sites aren't part of the namespaces you deal with when you create the Active Directory hierarchy.

When designing trees and forests for Active Directory installation, the boundaries between forests, trees, domains, and organizational units (OUs) are often politically motivated. For example, Active Directory for a large corporation might consist of separate trees corresponding to corporate divisions, domains for individual departments, and OUs for workgroups. Sites, on the other hand, are always based on geographical locations and the types of connections between those locations.

As an example, suppose this imaginary corporation has two divisions, each of which has its own Fast Ethernet LAN running at 100 Mbps. If the two divisions are located in separate buildings on the same campus, they might have a high-speed fiber-optic connection between the two LANs, also running at 100 Mbps. In this case, because all of the computers in the two divisions are equally well connected, they can be said to form a single site. If, on the other hand, the two divisions are located in separate cities and are connected by a T-1 operating at only 1.544 Mbps, the divisions would form two separate sites because all of the computers on the network aren't equally well connected.

Sites don't appear as objects in the Active Directory namespace; they're completely separate from the hierarchy of forests, trees, and domains. A site can contain objects from different domains, and a domain's objects can be split among different sites. The basic reason for dividing an enterprise network into sites is to take advantage of the efficient communications between well-connected systems while regulating the traffic over slower, costlier connections. Specifically, Active Directory uses sites during authentication and replication.

  • Authentication. When a user logs on to the network from a workstation, the system authenticates the user with a domain controller at the same site whenever possible. This speeds up the authentication process and helps to reduce WAN traffic.
  • Replication. Domain controller replication activities that must cross site boundaries are subject to special conditions because of the need to use WAN connections.

Sites in Active Directory are associated with particular IP subnets used by your network. During the authentication process, the workstation transmits its IP address, and the domain controller that receives it compares that address with the subnet objects to determine which site the workstation is in. The workstation then uses that site name to locate a domain controller in its own site; the domain controller need not be on the same subnet as the workstation, only in the same site.

The use of sites during replication is more complex. When two domain controllers are located at the same site, replication takes place at full LAN speed: usually from 10 to 100 Mbps. Two domain controllers located in different buildings or cities, on the other hand, are likely to be connected using WAN technology that is far slower and also far more expensive than LAN technology. Therefore, maximizing the efficiency of the communications between sites is typically a matter of when and how often replications that use WAN links occur.

Defining Site Objects

When you create the first Windows 2000 domain controller on your network, the Active Directory Installation Wizard creates your first site, names it Default-First-Site-Name (yes, that's actually the name), and associates it with the server you've just promoted. You can supply a more descriptive name for this site if you want or leave it as is. If all the Active Directory servers on your network will be located near enough to each other to communicate by using LAN connections, you don't need any other sites or the Sites and Services snap-in. As you promote each server on the network to a domain controller, Active Directory will add it to the site and automatically configure the replication topology between the servers.

If you will have servers at remote locations, however, you can create additional sites by using Sites and Services. By creating subnet objects and associating them with specific sites, you give Active Directory the information it needs to automatically add each server that is subsequently promoted to a domain controller to the appropriate site, based on the subnet where the machine is located. If you move a server to a new location at a different site, however, you must also manually move the server object to the new site object. Thus, if you plan to install and configure a domain controller at the home office and then ship it to a remote location, you'll have to use Sites and Services to move the server object to the appropriate site.

To move a server to a new site, follow these steps:

  1. Open Active Directory Sites and Services.
  2. Click the plus sign (+) next to Sites to open the list of available sites.
  3. To open the list of servers, click the site where the server currently is.
  4. Right-click the server you want to move, and choose Move from the shortcut menu (Figure 12-1).
  5. In the Move Server window, select the new site for the server and click OK.


Figure 12-1. Moving a server from one site to another.

Subnet Objects

Active Directory uses subnet objects to define the boundaries of a site. Subnet objects each consist of a network address and a subnet mask used by some or all of the computers in a site. You can associate a site with multiple subnet objects so that if your network has multiple subnets in a single location, you can include all of them in a single site. On a network with two or more sites, subnet objects are needed for the Active Directory Installation Wizard to place the server objects for newly promoted domain controllers into the correct sites. Without subnet objects, the wizard is likely to create the server object in the wrong place. If this occurs, you can manually move the server object to the proper site by using the method described in the previous section.

Server Objects

Server objects are always children of site objects and are created by the Installation Wizard whenever it promotes a Windows 2000 Server to a domain controller. Don't confuse an Active Directory server object with the computer object that the wizard also creates during the promotion process. The two, although linked, are completely separate objects with different purposes. You can manually create server objects in the Sites and Services snap-in, but this shouldn't be necessary.

When Active Directory installation includes two or more sites, the Installation Wizard uses the subnets associated with the site objects to determine which site is appropriate for the server object. If no subnet object matches the subnet used by a new domain controller, the wizard still creates the server object, but not necessarily in the right site. Afterward, you'll have to either create the site where the server belongs and move the server to it, or create a subnet object for the server's subnet, associate it with an existing site, and move the server object into that site. Either way, once the subnet object exists, later domain controllers on that subnet are placed correctly without intervention.

Understanding Domain Replication

Replication is the process of copying Active Directory data between domain controllers to ensure that all of them possess the same information. The Windows 2000 multiple-master replication capabilities make the entire replication process more complex than it is in Microsoft Windows NT. On a Windows NT network, all domain directory changes are written to the primary domain controller first, which then propagates the information to the backup domain controllers. This process is single-master replication. In Windows 2000, administrators can modify Active Directory by writing to any domain controller. All of the domain controllers execute periodic replication events that copy their modifications to all the other domain controllers. The schedule and topology for these replication events differ depending on whether the domain controllers are at the same or different sites. The following sections examine these two different replication scenarios.

Intrasite Replication

Replication between domain controllers in the same site is known as intrasite replication and is completely automatic and self-regulating. A module called the knowledge consistency checker (KCC) creates connections between the domain controllers in the site and triggers replication events whenever anyone modifies the directory information on a domain controller. Because all of the domain controllers in the site are assumed to be well connected, the replication process is designed to keep latency (that is, the delay between directory writes and their propagation to the other domain controllers) to a minimum, even at the expense of network bandwidth.

The KCC dynamically creates connection objects in Active Directory; when communication between domain controllers in the same site is disrupted, the KCC immediately creates new connections to ensure timely contact between the systems. Timely contact within a site means that no domain controller is more than three connections (or hops) away from any other domain controller. Administrators can create additional connection objects, which can improve communication between controllers and reduce latency further by decreasing the maximum number of hops allowed, but this approach also increases the system resources used by the replication process, including processor cycles, disk accesses, and network bandwidth. As a general rule, the replication topology within a site requires no administrative maintenance.

Intersite Replication

When you create multiple sites in Active Directory, the domain controllers assume that the network connections between the sites are slower than those within a site, more expensive, or both. As a result, the domain controllers use intersite replication to attempt to minimize the replication traffic between sites and also to provide administrators with a much more flexible replication topology.

When you have domain controllers in multiple sites, Active Directory still creates a default replication topology automatically during the installation process. However, distinct differences exist between the default replication patterns for intrasite and intersite topologies. These differences include the following:

  • Number of connections. The KCC still automatically creates connections between domain controllers in different sites, but it creates fewer of them. The three-hop-maximum rule isn't observed between sites, in the interests of minimizing the bandwidth used.
  • Replication schedule. Replication activities within a site are triggered by changes to the Active Directory database on a domain controller. Replication between sites takes place at scheduled times and intervals. Administrators can customize the schedule to take advantage of time periods when traffic is low and bandwidth is less expensive.
  • Compression. Domain controllers transmit replication data uncompressed within a site, thus saving the processor cycles needed to decompress the data at the destination. Traffic between sites is always transmitted in compressed form, to conserve bandwidth.

One of the primary functions of the Sites and Services snap-in is to configure the replication pattern between sites. To do this, you create site link and site link bridge objects that specify how and when replication data should be transmitted between sites. The following sections examine the functions of Sites and Services and how you use it to create a customized domain controller replication topology for your network.

Launching Sites and Services

The Sites and Services tool is a standard snap-in for the MMC application, which you launch by selecting Active Directory Sites and Services from Administrative Tools in the Start menu's Programs group. The snap-in module is called Dssite.msc; you can also launch Sites and Services by executing that filename from the command line or the Run dialog box.

Viewing Replication Objects

The Sites and Services interface uses the same console tree and results panes as many of the other Active Directory administration tools. The Sites container in the console tree contains the Default-First-Site-Name object automatically created by the Active Directory installation, and two other containers called the Inter-Site Transports container and the Subnets container. When you create additional sites, they appear as separate objects in the Sites container. Administrator-created objects appear in the containers under Sites, subnet objects in the Subnets container, and site link and site link bridge objects in the Inter-Site Transports container.

Creating Site Objects

Creating additional site objects in Active Directory is simply a matter of right-clicking the Sites container and choosing New Site from the context menu. When the Create New Object dialog box appears (see Figure 12-2), you supply a name for the site object and select the site link that will carry the site's replication traffic to and from other sites. The Active Directory Installation Wizard creates the DEFAULTIPSITELINK object during the installation process, so this object is always available if you haven't yet created any other site links. After the site object is created, you can move server objects into it and associate it with the subnets on which those servers are located.


Figure 12-2. The New Object - Site dialog box.

Examining Site Object Properties

Each site object in Active Directory has a Servers container holding objects representing the servers in the site, a Licensing Site Settings object, and an NTDS Settings object. The site object's Properties window enables you to specify a description for the site and its location, as well as containing the standard Object, Security, and Group Policy tabs found in the windows for so many other Active Directory objects.

The Licensing Site Settings object specifies the computer and domain licensing the site. In the Properties window for the NTDS Settings object, you can disable the KCC's automatic generation of a replication topology either within the site, between this site and other sites, or both. If you want to configure a site's replication behavior entirely by hand, you can select these options, but this is usually unnecessary, and it also stops the KCC from repairing the topology on its own when a domain controller fails. You can create additional connections to supplement those created by the KCC and configure the site's replication behavior in other ways without disabling its core functionality.

Creating Server and Connection Objects

Server objects are created during the installation of Active Directory on each domain controller, in the site associated with the subnet on which the server is located. Each server object contains an NTDS Settings object, which in turn contains the objects that represent that server's connections to other domain controllers on the network. These connections must exist for domain controllers to replicate their Active Directory data. All connections, whether created automatically by the KCC or manually by an administrator, appear as objects associated with a server. A connection object is a unidirectional conduit to another domain controller on the network, either in the same or another site. For replication traffic to travel in both directions, separate connection objects must exist for each of the two servers.

The KCC automatically creates connection objects that ensure the continued replication of Active Directory data to all of the functioning domain controllers in each domain. When the status of your network changes—such as when a domain controller goes down and forces the replication traffic between any other two domain controllers in the site to travel over more than three hops—the KCC creates new connection objects to reduce that traffic path to three hops or fewer. When the nonfunctioning domain controller becomes operational again, the KCC can remove connection objects to bring the replication traffic back to its recommended topology.
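
To make the three-hop rule and the one-object-per-direction nature of connection objects concrete, here is an added Python model. It is not code from the book or from Windows 2000, and it simplifies the KCC (an assumption of this example): it starts from the bidirectional ring the KCC builds within a site, then keeps adding a pair of connection objects between the two most distant domain controllers until no pair is more than three hops apart, and it re-applies the same rule when a domain controller drops out. The domain controller names are constructed for the example.

```python
from collections import deque

MAX_HOPS = 3   # the intrasite rule: no DC more than three hops from any other


def hop_distances(connections, start):
    """Hop count from start to every DC reachable over the directed connections.

    connections is a set of (source, destination) pairs, one per connection
    object, so A->B and B->A are two separate entries, as in the snap-in.
    """
    dist = {start: 0}
    queue = deque([start])
    while queue:
        dc = queue.popleft()
        for src, dst in connections:
            if src == dc and dst not in dist:
                dist[dst] = dist[dc] + 1
                queue.append(dst)
    return dist


def max_hops(dcs, connections):
    """Largest hop count between any two DCs, or None if some DC is unreachable."""
    worst = 0
    for start in dcs:
        dist = hop_distances(connections, start)
        if len(dist) != len(dcs):
            return None
        worst = max(worst, max(dist.values()))
    return worst


def enforce_hop_limit(dcs, connections, limit=MAX_HOPS):
    """Add pairs of connection objects between the two most distant DCs until
    no DC is more than `limit` hops from any other (assumes the DCs are already
    mutually reachable, as a ring is after a single failure). Returns the set."""
    while True:
        farthest, worst = None, 0
        for start in dcs:
            for dc, hops in hop_distances(connections, start).items():
                if hops > worst:
                    farthest, worst = (start, dc), hops
        if worst <= limit:
            return connections
        a, b = farthest
        connections.add((a, b))            # one connection object per direction
        connections.add((b, a))


def build_intrasite_topology(dcs, limit=MAX_HOPS):
    """Return the set of (source, destination) connection objects for a site:
    a bidirectional ring plus whatever shortcuts the hop limit requires."""
    n = len(dcs)
    connections = set()
    if n < 2:
        return connections
    for i, dc in enumerate(dcs):
        nxt = dcs[(i + 1) % n]
        connections.add((dc, nxt))
        connections.add((nxt, dc))        # replication is unidirectional per object
    return enforce_hop_limit(dcs, connections, limit)


def topology_after_failure(dcs, connections, failed_dc, limit=MAX_HOPS):
    """Drop the failed DC and its connection objects, then re-apply the hop
    rule, mirroring the KCC adding connections when a DC goes down."""
    remaining = [dc for dc in dcs if dc != failed_dc]
    kept = {c for c in connections if failed_dc not in c}
    return remaining, enforce_hop_limit(remaining, kept, limit)


if __name__ == "__main__":
    site = [f"DC{i}" for i in range(8)]          # constructed sample site
    topology = build_intrasite_topology(site)
    print(len(topology), "connection objects, max hops", max_hops(site, topology))
```

With eight domain controllers the ring alone leaves opposite members four hops apart, so the model adds two shortcut pairs; with fewer than eight the ring already satisfies the rule, which is why the text says the intrasite topology normally needs no administrative maintenance.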

Normally, the only reason you'd manually create connection objects is to customize your network's replication topology. If, for example, you want replication activities to occur only at specific times, you can create a connection object and configure its schedule. You can also create connection objects to decrease the number of hops between specific domain controllers.

The major difference between manually created connection objects and those created by the KCC is persistence. The KCC removes its own connection objects automatically as the replication topology changes, but it never removes a manually created object, no matter how the topology changes; those remain in place until you delete them yourself. To create a connection object, follow these steps:

  1. Right-click a server's NTDS Settings object in the Sites and Services' console tree, and choose New Active Directory Connection from the shortcut menu. This displays the Find Domain Controllers dialog box.
  2. Select the domain controller you want to create a connection to, and click OK to open the New Object Connection dialog box.
  3. Supply a name for the new connection, and click OK. The program adds a connection object to the details pane.

The Properties window for a connection object contains the familiar Object tab and Security tab as well as an Active Directory Connection tab, shown in Figure 12-3. On this tab, you can supply a descriptive phrase for the connection, select the mode of transport for the replication messages (IP, RPC, or SMTP), and schedule the replication events.

Figure 12-3. The Active Directory Connection tab of the Properties window.

The dialog box displayed when you click the Change Schedule button (Figure 12-4) enables you to specify the hours of the day during which replication should occur and the interval between replication events (either once, twice, or four times an hour). Keep in mind that this connection controls only the replication messages traveling from the server under which the object appears to the server you selected as the destination when creating the object. Traffic going in the other direction is controlled by the other server's connection object (if it exists).


Figure 12-4. The Schedule dialog box.

Creating Subnet Objects

The Subnets container is where administrators create objects representing the IP subnets on the network and associate them with specific site objects. When you promote the first server to a domain controller, the Active Directory Installation Wizard creates a site and places the server object in that site. If you create additional sites, subnet objects are used to ensure that each subsequent domain controller you install is placed in the appropriate site. During the promotion process, the wizard identifies the subnet on which the server resides and searches Active Directory for a corresponding subnet object. When the wizard finds the subnet object, it reads its properties to determine the site with which that subnet is associated, and it creates the new server object in that site.

Subnet objects aren't essential to Active Directory's replication topology. You can create sites and move the server objects into them manually. However, if you'll be installing a lot of servers, subnet objects automate the construction of the replication topology and make the entire site deployment process more manageable. To create a subnet object, follow these steps:

  1. Right-click the Subnets container in the console tree of the Sites and Services snap-in, and choose New Subnet from the shortcut menu.
  2. In the New Object - Subnet dialog box (Figure 12-5), type the subnet's network address and mask. The object's name is the network address followed by the number of masked bits, in the form network/bits (for example, 10.1.5.0/24); a host address on the subnet is not accepted.
  3. Select the site with which that subnet is to be associated, and click OK.
Figure 12-5. The New Object - Subnet dialog box.

Any servers on that subnet that you promote to domain controllers will be automatically added to this site. You can associate multiple subnets with a single site to support a network of almost any size.

The network address is the portion of the IP address that identifies the network on which a computer resides. The number of bits masked refers to how many of each IP address's 32 bits the system uses to identify the network. The design of the network and the IP addresses you use for workstations determine the value for this number. For example, if your organization has a class B network address (which uses 16 bits to identify the network) and uses a further 8 bits to identify subnets, the result is a total of 24 out of 32 bits that are devoted to the network address. The value for the subnet object's name field would therefore be something like
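
The subnet-to-site lookup that both the authentication process (earlier in this chapter) and the Installation Wizard depend on, as an added Python example rather than code from the book or from Windows 2000. The subnet objects, site names, and addresses are constructed for illustration, and the rule that the most specific matching subnet object wins when subnets overlap is the model assumed here. The name check mirrors the snap-in's requirement that a subnet object be named by its network address and mask, not by a host address.

```python
import ipaddress

# Constructed sample of subnet objects: the key is the object's name in the
# network/bits form the Subnets container uses, the value is the site it is
# associated with. 10.1.5.0/24 deliberately nests inside 10.1.0.0/16.
SUBNET_OBJECTS = {
    "10.1.0.0/16": "Chicago",
    "10.1.5.0/24": "Chicago-Lab",
    "172.16.8.0/22": "Detroit",
    "192.168.0.0/24": "Default-First-Site-Name",
}


def parse_subnet_object(name):
    """Validate a subnet object name.

    The name must be the network address and mask (for example 10.1.5.0/24).
    A host address such as 10.1.5.3/24 has host bits set and is rejected, which
    is the same objection the New Object - Subnet dialog box raises.
    """
    return ipaddress.ip_network(name, strict=True)


def build_subnet_table(subnet_objects):
    """Parse every subnet object and order the table most specific first."""
    table = [(parse_subnet_object(name), site) for name, site in subnet_objects.items()]
    # Longest prefix first, so an address inside a nested subnet is matched to
    # the nested subnet's site rather than the enclosing one.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def site_for_address(address, table):
    """Return the site whose subnet object covers the address, or None.

    None is the case the text warns about: with no matching subnet object the
    wizard still creates the server object, but possibly in the wrong site.
    """
    ip = ipaddress.ip_address(address)
    for network, site in table:
        if ip in network:
            return site
    return None


def sites_for_addresses(addresses, table):
    """Map each address to its site (or None) in one pass, for bulk checks."""
    return {address: site_for_address(address, table) for address in addresses}


if __name__ == "__main__":
    table = build_subnet_table(SUBNET_OBJECTS)
    for ip, site in sites_for_addresses(["10.1.5.77", "10.1.9.1", "10.2.0.1"], table).items():
        print(ip, "->", site)
```

Running the lookup over every domain controller's address before promoting it is a cheap way to find the missing or overlapping subnet objects that otherwise show up later as servers placed in the wrong site.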

Creating Site Link Objects

The Inter-Site Transports container is where you create the site link and site link bridge objects that dictate how replication traffic is to be transmitted between sites. Two containers within Inter-Site Transports represent the two transport protocols supported by Active Directory: Internet Protocol (IP) and Simple Mail Transfer Protocol (SMTP).

A site link object represents the WAN mechanism used to transmit data between two sites, such as a leased T-1 connection or an Asynchronous Transfer Mode (ATM) backbone, in the case of IP, or any means by which systems send e-mail using SMTP. Active Directory creates a default site link object called DEFAULTIPSITELINK when it creates the network's first site during the promotion of the first server to a domain controller. If all your sites are connected by links of the same speed and cost, and one replication schedule suits all of them, you don't need to create additional site links. When the connections differ in speed, cost, or the hours during which they may be used, however, you create a separate site link object for each so that each can have its own cost, interval, and schedule.

When creating a site link object, you select two or more sites that are connected by the transport mechanism and specify a cost value for the link. The cost is a relative number, not a unit of time: when more than one route exists between two sites, the KCC prefers the route whose site links add up to the lowest total cost, so you assign higher costs to slower or more expensive connections and lower costs to the ones you want replication to use. How often replication occurs over a link is set separately, by the link's replication interval and schedule, as described under "Configuring Site Links."

To create a site link object, follow these steps:

  1. Right-click either the IP or SMTP transport in the console tree of Sites and Services, and choose New Site Link from the shortcut menu.
  2. In the New Object - Site Link dialog box, specify a name for the object, and select the sites that the link connects. If the link is to represent a point-to-point connection like a T-1, you select only two sites. For a technology like an ATM backbone, which can connect several sites, you would select more than two site objects. When the site link object connects more than two site objects, you can assume that any one of the chosen sites can transmit to any other chosen site.
  3. Click the OK button, and the snap-in creates the link object.

By default, the IP transport's Bridge All Site Links option (on the General tab of the IP container's Properties window) is selected, which makes every site link transitive; the rest of this discussion applies when you clear that option to control routing explicitly. With it cleared, site link objects can't route replication traffic. This means that if a site link connects site A to site B and another link connects site B to site C, site A can't transmit to site C. For this to occur, you must create a site link bridge, as explained in "Creating Site Link Bridge Objects."

Configuring Site Links

Right-click the new link object and select Properties to configure its properties. The Properties window for a site link object (shown in Figure 12-6) contains the standard Object tab and Security tab, as well as a General tab on which you can provide a description of the object and specify the sites connected by the link. You can add new sites to the link as needed after creating the object.

click to view at full size.

Figure 12-6. The General tab of the Site Link Properties window.

The General tab also contains fields with which to specify the cost for the link (from 1 to 32,767) and the interval between replication events (from 15 to 10,080 minutes). Clicking the Change Schedule button enables you to specify time periods during which replication is or is not permitted. If you want to limit replication activities to nonpeak traffic hours, for example, you can specify that replication events not occur between the hours of 9 A.M. and 5 P.M. The KCC observes the site link object's scheduling limitations when it dynamically creates connections between domain controllers.

The cost value affects only which route the KCC chooses between sites; the frequency of replication over a link is set by the Replicate Every selector on the General tab of the Site Link Properties window, within the limits of the link's schedule. If clients are consistently receiving stale directory information from domain controllers in a site, decrease the interval so that replication occurs more often, or widen the schedule.
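
An added Python illustration, not from the book, of how a link's interval and schedule combine to decide when the next replication event can occur. The schedule is modelled here as a week of allowed hours (the snap-in's schedule grid is finer-grained, so this is a simplification), the interval is checked against the 15 to 10,080 minute range the General tab accepts, and the sample blackout window and times are constructed.

```python
from datetime import datetime, timedelta

MIN_INTERVAL, MAX_INTERVAL = 15, 10080   # minutes; the range the General tab accepts


def make_schedule(blocked=()):
    """Build a 7-day x 24-hour table of hours during which replication may run.

    blocked is an iterable of (weekday, first_hour, end_hour) with Monday = 0
    and end_hour exclusive, so (0, 9, 17) blocks Monday 9 A.M. to 5 P.M.
    """
    allowed = [[True] * 24 for _ in range(7)]
    for weekday, first_hour, end_hour in blocked:
        for hour in range(first_hour, end_hour):
            allowed[weekday][hour] = False
    return allowed


def next_replication(last, interval_minutes, allowed):
    """Earliest time at or after last + interval that the schedule permits.

    The interval decides when the event is due; the schedule can only delay it.
    Returns None if the schedule never permits replication at all.
    """
    if not MIN_INTERVAL <= interval_minutes <= MAX_INTERVAL:
        raise ValueError("interval must be between 15 and 10,080 minutes")
    t = last + timedelta(minutes=interval_minutes)
    for _ in range(7 * 24 + 1):          # one full week covers every schedule slot
        if allowed[t.weekday()][t.hour]:
            return t
        # Blocked: move to the start of the next hour and test again.
        t = (t + timedelta(hours=1)).replace(minute=0, second=0, microsecond=0)
    return None


def replication_times(start, interval_minutes, allowed, count):
    """The first `count` replication events after start under the schedule."""
    events, last = [], start
    for _ in range(count):
        last = next_replication(last, interval_minutes, allowed)
        if last is None:
            break
        events.append(last)
    return events


if __name__ == "__main__":
    # Constructed example: no replication Monday to Friday, 9 A.M. to 5 P.M.
    business_hours = make_schedule((day, 9, 17) for day in range(5))
    for event in replication_times(datetime(2000, 6, 5, 7, 0), 180, business_hours, 3):
        print(event.strftime("%a %H:%M"))
```

The point of the model is the gap a blackout creates: an event due at 10 A.M. on a weekday does not run until 5 P.M., so a change made mid-morning at one site is more than seven hours old when it reaches the other, whatever the interval says.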

Creating Site Link Bridge Objects

Site link bridge objects function much like site links, except that instead of grouping sites, they group site links. A site link bridge object plays a role analogous to that of a router in the network infrastructure. You create a site link bridge object to enable routing of replication traffic between linked sites. When you create a site link bridge containing two links that connect site A to site B and site B to site C, the bridge makes it possible for site A to transmit replication data to site C through site B.

The procedure for creating a site link bridge object is virtually identical to that of creating a site link object, except that you select two or more site links instead of sites. You don't need to specify a cost for a site link bridge because Active Directory computes the cost of a route through the bridge by adding up the costs of the site links the route crosses. Thus, a route through a bridge containing two site links with costs of 3 and 4 would have a cost of 7, and the KCC compares that total with the cost of any other route between the same two sites.
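
To show how site link costs add up along a bridged route and why an unbridged link can't carry traffic to a site it doesn't contain, here is an added Python model; it is not code from the book or from Windows 2000, and it simplifies what the KCC does (Windows 2000 computes a least-cost spanning tree across sites rather than one shortest path, so this is an assumption of the example). The site names, links, and costs are constructed; the backbone link deliberately joins three sites, as the text says a site link may.

```python
import heapq

# Constructed site links. A site link joins two or more sites at one cost, so
# the backbone entry lists three sites while the others are point-to-point.
SITE_LINKS = {
    "Chicago-Detroit": {"sites": {"Chicago", "Detroit"}, "cost": 3},
    "Detroit-Toronto": {"sites": {"Detroit", "Toronto"}, "cost": 4},
    "ATM-Backbone":    {"sites": {"Chicago", "Detroit", "Toronto"}, "cost": 10},
}


def least_cost_path(site_links, source, destination, transitive=True):
    """Cheapest route from source to destination over the site links.

    transitive=True models bridged site links: a route may pass through
    intermediate sites and its cost is the sum of the links it crosses.
    transitive=False models unbridged links: only a single site link that
    contains both sites can carry the traffic, so no intermediate hop is used.
    Returns (cost, [sites along the route]) or None when no route exists.
    """
    if not transitive:
        direct = [(link["cost"], name) for name, link in site_links.items()
                  if {source, destination} <= link["sites"]]
        if not direct:
            return None
        cost, _ = min(direct)
        return cost, [source, destination]

    # Dijkstra over sites, where every site link is a clique of its members.
    best = {source: (0, [source])}
    frontier = [(0, source)]
    while frontier:
        cost, site = heapq.heappop(frontier)
        if site == destination:
            return best[site]
        if cost > best[site][0]:
            continue                      # stale heap entry
        for link in site_links.values():
            if site not in link["sites"]:
                continue
            for neighbour in link["sites"] - {site}:
                new_cost = cost + link["cost"]
                if neighbour not in best or new_cost < best[neighbour][0]:
                    best[neighbour] = (new_cost, best[site][1] + [neighbour])
                    heapq.heappush(frontier, (new_cost, neighbour))
    return None


if __name__ == "__main__":
    print("bridged:  ", least_cost_path(SITE_LINKS, "Chicago", "Toronto"))
    print("unbridged:", least_cost_path(SITE_LINKS, "Chicago", "Toronto", transitive=False))
```

With the bridge in place the two point-to-point links (3 + 4 = 7) beat the backbone (10), so replication from Chicago to Toronto goes through Detroit; without it, the backbone is the only site link that contains both sites and is used despite its higher cost, and if the backbone is removed there is no route at all.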

Microsoft Windows 2000 Server Administrator's Companion, Vol. 1
Microsoft Windows 2000 Server Administrators Companion (IT-Administrators Companion)
ISBN: 1572318198
Year: 2000
Pages: 366