Active Directory

Managing sites

AD DS sites enable you to configure AD DS so that it understands which network locations have a fast local network connection. Generally, this means the computers are in the same building, although if your organization has a group of buildings in the same area that are connected by a high-speed network, you use a single AD DS site configuration.

An Active Directory site is a collection of TCP/IP subnets. Sites allow you to define geographic locations for Active Directory on the basis of TCP/IP subnets. You can have multiple TCP/IP subnets in a site. You should put subnets together in a site where the hosts in that site have a high-bandwidth connection to each other. Usually, this means being in the same building, but it could also mean multiple buildings with very-low-latency gigabit links between them.

For example, imagine that your organization has its head office in Melbourne and a branch office in Sydney. You can set up two sites: one site for Melbourne and the other for Sydney. This ensures that computers in the Melbourne location interact as much as possible with resources located in Melbourne, and computers in the Sydney location interact as much as possible with resources located in Sydney.

You associate the TCP/IP subnets in the head office with the Melbourne site and the TCP/IP subnets in the branch office with the Sydney site. After you do this, functionality such as replication topology is automatically configured.

You configure sites by associating them with IP address ranges. For example, you might associate the subnet 192.168.10.0 /24 with the AD DS Site BNE-Site. Any computers that have an IP address in this range would be located in that site. You can configure network addresses using IPv4 or IPv6 networks. When you install AD DS for the first time, a default site, named Default-First-Site-Name, is created. You configure sites using the Active Directory Sites And Services console, shown in Figure 4-15.


Figure 4-15 The Active Directory Sites And Services console

It’s important that you add sites for each separate location in your organization. If you don’t, AD DS assumes that all computers are located on the same fast network, and this might cause problems with other products as well as with AD DS. Microsoft products such as Exchange Server use AD DS site information when generating network topologies.

Sites enable you to do the following:

  • Separate different locations that are connected by a slow or expensive WAN link. For example, if your organization has a branch office in Sydney and another branch office in Melbourne, and these branch offices are connected by a WAN link that is rated at 512 kilobits per second (Kbps), you configure the Sydney and Melbourne branch offices as separate sites.

  • Control which domain controllers are used for authentication. When users log on to the network, they perform authentication against an available domain controller located in their AD DS site. Although users are still able to sign on and authenticate against a DC in another site if one isn’t available in their local site, you should strongly consider placing a domain controller at any site with a sufficient number of users. What counts as “a sufficient number of users” varies depending on the speed and reliability of the site’s connection to the rest of the organization’s network. In some cases, you might deploy an RODC to aid authentication at some branch office sites.

  • Control service localization. Many Microsoft products, such as Exchange Server, and technologies, such as BranchCache and DFS, use AD DS sites as a way of determining network topology. To ensure that these products and technologies work well, you should ensure that each AD DS site is configured properly.

  • Control AD DS replication. You can use AD DS sites to manage domain controller replication. The default settings make it possible for replication to occur 24 hours a day, 7 days a week. Instead, you can use AD DS site configuration to configure the replication to occur according to a specific schedule.


Creating sites

To add a new Active Directory site, right-click the Sites node in the Active Directory Sites And Services console and select New Site. Specify the site name and select a site link object, and then select OK twice.

A site link object represents a connection between two sites. The default site link object is named DEFAULTIPSITELINK. You can change the site link object later. Figure 4-16 shows the creation of a site named Sydney.


Figure 4-16 Creating a new site

You can use the New-ADReplicationSite PowerShell cmdlet to create a new site. For example, to create a new site named HBA-SITE that is associated with the default IP site link, issue this command:

[Image f0168-01.jpg: the PowerShell command is not reproduced in this extraction]

After you’ve created a site, you need to associate it with IP address ranges. You can’t do that until you’ve added the IP address ranges as subnets. When you create a subnet, you specify an IPv4 or IPv6 network prefix. For an IPv4 network, you specify the network address and the subnet mask in CIDR prefix-length notation. For example, you specify network 192.168.15.0 with a subnet mask of 255.255.255.0 as 192.168.15.0/24.

Creating subnets

To add a subnet, right-click the Subnets node in Active Directory Sites And Services and then select New Subnet. You can specify the new subnet in IPv4 or IPv6 format. After you’ve specified the subnet, you have to specify which site the subnet is associated with. Figure 4-17 shows the 10.10.10.0/24 subnet associated with the Melbourne site.


Figure 4-17 New subnet

You can create a new subnet from PowerShell with the New-ADReplicationSubnet cmdlet. For example, to create a new subnet that has the address 192.168.16.0/24 and associate it with the HBA-SITE site, issue the command:

[Image f0169-01.jpg: the PowerShell command is not reproduced in this extraction]

You can verify which subnets are associated with a particular AD DS site by viewing the properties of that site. You can’t change which subnets are associated with a site by editing the site properties; you can only do so by editing the subnet properties. You can associate multiple subnets with an AD DS site, but you can’t associate multiple AD DS sites with a specific subnet.
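The following script is an added example, not the book’s own commands, that carries the site and subnet steps above through in PowerShell and then checks the result. It assumes the ActiveDirectory module is installed and the session runs as a member of Enterprise Admins; HBA-SITE and 192.168.16.0/24 are the names from the text, while the description and location strings are made up. Note that New-ADReplicationSite, unlike the console, does not place the new site in any site link, so the script adds it to DEFAULTIPSITELINK explicitly.

```powershell
# Added example (not the book's own commands). Assumes the ActiveDirectory
# module is available and the session runs as a member of Enterprise Admins.
# Description and location values are constructed for illustration.
Import-Module ActiveDirectory

$siteName   = 'HBA-SITE'
$subnetName = '192.168.16.0/24'

# 1. Create the site. New-ADReplicationSite does not put the site in any site
#    link by itself, so step 2 adds it to DEFAULTIPSITELINK explicitly.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$siteName'")) {
    New-ADReplicationSite -Name $siteName -Description 'Hobart office'
}

# 2. Associate the site with the default IP site link.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = $siteName }

# 3. Create the subnet and bind it to the site. The subnet name is the CIDR
#    prefix; an IPv6 prefix such as '2001:db8:10::/64' is given the same way.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$subnetName'")) {
    New-ADReplicationSubnet -Name $subnetName -Site $siteName -Location 'Hobart, TAS'
}

# 4. Verify which subnets resolve to this site. The Site attribute of a subnet
#    holds the site's distinguished name, so compare against that DN.
$siteDn = (Get-ADReplicationSite -Identity $siteName).DistinguishedName
Get-ADReplicationSubnet -Filter * |
    Where-Object { $_.Site -eq $siteDn } |
    Select-Object Name, Location, Site

# 5. Report subnets that are not associated with any site. Clients in those
#    ranges are not site-aware and may authenticate against a DC across the WAN.
Get-ADReplicationSubnet -Filter * |
    Where-Object { -not $_.Site } |
    Select-Object Name
```

Step 5 is the check worth running periodically: a subnet object with an empty Site attribute, or an address range with no subnet object at all, is the usual reason a branch office client logs on against a remote domain controller.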

Creating site links

Site links specify how different AD DS sites are connected. When you add a site, you must specify a site link, and DEFAULTIPSITELINK is the default choice even when other site links exist. Sites that are connected to the same site link can replicate with each other directly. For example, if all the sites in Figure 4-18 are associated with DEFAULTIPSITELINK, each site assumes that it can replicate directly with every other site, so a domain controller in the Melbourne site attempts to replicate directly with a domain controller in the Canberra site, whether or not that matches the underlying WAN topology. When designing or troubleshooting replication, decide whether all sites should remain on DEFAULTIPSITELINK or whether separate site links should provide the replication paths. For the topology in Figure 4-18, you would instead configure site links for Melbourne-Sydney, Adelaide-Sydney, and Canberra-Sydney. This way, domain controllers in Canberra, Melbourne, and Adelaide replicate only with the Sydney site rather than attempting to replicate with each other directly.


Figure 4-18 Configuring site links that mirror network topology

You can create a new IP site link using the Active Directory Sites And Services console. When you create a site link, you specify the sites that use the link. You can configure the cost and replication schedule of a site link after it’s created by editing the Site Link properties. The default Cost is 100, and site links that have lower costs are preferred for replication over site links that have a higher cost. Replication occurs every 180 minutes by default, 24 hours a day. You can modify when replication occurs by configuring a replication schedule.

If you want replication to occur as quickly as possible, you can enable the Use Notify replication option by modifying a site link’s options attribute. You can perform this task by using the Attribute Editor tab in the site link’s properties.

You can create a site link using the New-ADReplicationSiteLink cmdlet. For example, to create a new site link named ADL-CBR that links the ADL-SITE and CBR-SITE sites, issue this command:

Members of the Enterprise Admins security group can create and modify site links. Members of the Domain Admins security group in the forest root domain can also perform site link management tasks. User accounts that are members only of a child domain’s Domain Admins security group, and not of the forest root domain’s Domain Admins security group, are unable to manage site links.
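The script below is an added example, not the book’s command, that creates the ADL-CBR site link from the text and then applies the three settings discussed above: cost, a replication schedule, and change notification via the options attribute. It assumes an Enterprise Admins session with the ActiveDirectory module loaded; ADL-SITE, CBR-SITE and ADL-CBR come from the text, and the evening replication window is an illustrative value.

```powershell
# Added example (not the book's own command). Assumes the ActiveDirectory
# module and an Enterprise Admins (or forest-root Domain Admins) session.
# The cost, interval and schedule window are illustrative values.
Import-Module ActiveDirectory

$linkName = 'ADL-CBR'

# 1. Create the IP site link. Cost 100 and 180 minutes are the defaults; a lower
#    cost makes this link preferred over a more expensive alternative path.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
    New-ADReplicationSiteLink -Name $linkName `
        -SitesIncluded 'ADL-SITE', 'CBR-SITE' `
        -InterSiteTransportProtocol IP `
        -Cost 100 `
        -ReplicationFrequencyInMinutes 180
}

# 2. Restrict replication over the link to 18:00-23:45 every day, for example
#    to keep a slow WAN link free during business hours.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()   # clear every slot, then open only the evening window
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Eighteen,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)
Set-ADReplicationSiteLink -Identity $linkName -ReplicationSchedule $schedule

# 3. Enable change notification (the "Use Notify" behaviour described above).
#    Bit 0x1 of the siteLink options attribute is USE_NOTIFY. OR it into the
#    current value so that other bits (0x2 TWOWAY_SYNC, 0x4 DISABLE_COMPRESSION)
#    are not silently cleared.
$link    = Get-ADReplicationSiteLink -Identity $linkName -Properties options
$current = if ($link.options) { [int]$link.options } else { 0 }
Set-ADReplicationSiteLink -Identity $linkName -Replace @{ options = ($current -bor 0x1) }

# 4. Verify the resulting configuration.
Get-ADReplicationSiteLink -Identity $linkName -Properties Cost, ReplicationFrequencyInMinutes, options, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, options, SitesIncluded
```

With notification enabled, the schedule still decides when the link is open; notification only removes the wait for the 180-minute interval inside an open window, so the two settings are complementary rather than alternatives.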

Creating site link bridges

Site link bridges create transitive links between site links. Each site link in a bridge must have a site in common with another site link in the bridge. By default, all site links are bridged automatically based on the topology you create when you configure site links, so it’s only necessary to create site link bridges yourself with complex network topologies. You likely need to create a site link bridge if

  • Your IP network is not fully routed. If you disable the Bridge All Site Links option, all site links will be treated as nontransitive. You can then use your own site link bridges to reflect the manner in which traffic is routed across your network.

  • You need to control replication flow between sites. By disabling the Bridge All Site Links for the site link IP transport and creating a site link bridge, you can create a disjointed network. This ensures that site links within the bridge can route AD DS traffic transitively, but they will not route traffic outside of the site link bridge.
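As an added example that is not part of the book, the script below performs the two steps the list describes: it disables Bridge All Site Links on the IP inter-site transport and then creates an explicit bridge over the hub-and-spoke links from the Figure 4-18 discussion. It assumes an Enterprise Admins session with the ActiveDirectory module; the link names MEL-SYD, ADL-SYD and CBR-SYD, and the bridge name SYD-HUB-BRIDGE, are hypothetical.

```powershell
# Added example (not the book's own commands). Assumes an Enterprise Admins
# session with the ActiveDirectory module. Link and bridge names are
# hypothetical and follow the hub-and-spoke topology discussed earlier.
Import-Module ActiveDirectory

# 1. Disable "Bridge all site links" on the IP inter-site transport. This is
#    bit 0x2 (BRIDGES_REQUIRED) of the options attribute on the IP transport
#    object under CN=Inter-Site Transports in the configuration partition.
$configNc    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"
$transport   = Get-ADObject -Identity $ipTransport -Properties options
$opts        = if ($transport.options) { [int]$transport.options } else { 0 }
Set-ADObject -Identity $ipTransport -Replace @{ options = ($opts -bor 0x2) }

# 2. Site links are now non-transitive, so create a bridge over the spoke links.
#    Each link shares the Sydney site with the others, as a bridge requires.
$bridgeName = 'SYD-HUB-BRIDGE'
if (-not (Get-ADReplicationSiteLinkBridge -Filter "Name -eq '$bridgeName'")) {
    New-ADReplicationSiteLinkBridge -Name $bridgeName `
        -SiteLinksIncluded 'MEL-SYD', 'ADL-SYD', 'CBR-SYD' `
        -InterSiteTransportProtocol IP
}

# 3. Verify both settings together. A bridge is redundant while automatic
#    bridging is still on, so check the transport option bit as well.
$optsNow = [int](Get-ADObject -Identity $ipTransport -Properties options).options
[pscustomobject]@{
    BridgeAllSiteLinksDisabled = [bool]($optsNow -band 0x2)
    BridgeMembers              = (Get-ADReplicationSiteLinkBridge -Identity $bridgeName).SiteLinksIncluded
}
```

The order matters: with automatic bridging left enabled, every site link is already transitive and the explicit bridge changes nothing, which is why the verification prints the transport option bit alongside the bridge membership.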

Moving domain controllers

When you deploy a new domain controller, the domain controller promotion process performs a lookup to determine which AD DS site the domain controller should be a member of based on its IP address. If you haven’t created a subnet in the Active Directory Sites And Services console that maps to the IP address of the server that you are promoting to the domain controller, the domain controller is instead assigned to the first AD DS site, which is Default-First-Site-Name unless you have changed it.

If a domain controller has already been placed in the Default-First-Site-Name site, it does not automatically reassign itself to a new site when you later create the matching subnet and site objects in the Active Directory Sites And Services console. In this instance, you need to move the domain controller to the new site manually. You can move the domain controller using the Active Directory Sites And Services console by right-clicking the domain controller that you want to move, selecting Move, and selecting the destination site in the Move Server dialog.

You can also move a domain controller to a different site using the Move-ADDirectoryServer PowerShell cmdlet. For example, to move the server PERTH-DC to the Perth-Site AD DS site, execute the following command:

[Image f0171-02.jpg: the PowerShell command is not reproduced in this extraction]
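The script below is an added example, not the book’s command, that wraps the move described above with a before-and-after check. It assumes an Enterprise Admins session with the ActiveDirectory module loaded; PERTH-DC and Perth-Site are the names used in the text.

```powershell
# Added example (not the book's own command). Assumes an Enterprise Admins
# session with the ActiveDirectory module loaded.
Import-Module ActiveDirectory

$dcName   = 'PERTH-DC'
$siteName = 'Perth-Site'

# 1. Record where the DC currently sits. A DC promoted before its subnet
#    existed is usually still in Default-First-Site-Name.
$dc = Get-ADDomainController -Identity $dcName
"{0} is in site {1} with address {2}" -f $dc.Name, $dc.Site, $dc.IPv4Address

# 2. Move the server object to the intended site if it is not already there.
if ($dc.Site -ne $siteName) {
    Move-ADDirectoryServer -Identity $dcName -Site $siteName
}

# 3. Verify the move, and list every DC the site now advertises so that
#    clients in its subnets can authenticate locally instead of over the WAN.
(Get-ADDomainController -Identity $dcName).Site
Get-ADDomainController -Filter "Site -eq '$siteName'" |
    Select-Object Name, IPv4Address, Site

# 4. On the moved DC itself, re-register its site-specific DNS SRV records
#    without waiting for the next periodic refresh (run locally on the DC):
#    nltest /dsregdns
```

The site-specific SRV records in step 4 are what clients query to find a domain controller in their own site, so until they are refreshed the moved DC is still advertised under its old site.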