2 Highlight the Inter-Site Transports folder in the left tree pane of the Active Directory Sites and Services console and expand the Inter-Site Transports folder.
3 Right-click either the IP or SMTP folder (depending on the protocol the network is based on) in the left tree pane of the Active Directory Sites and Services console and select New Site Link from the context menu.
4 Selecting the New Site Link option opens the New Object – Site Link dialog box.
5 Type the name of the new site link object in the Name box of the New Object – Site Link dialog box.
6 Select two or more sites to connect from the Sites not in this site link box, and click Add, as shown in Figure 14.5.
7 Click OK. This completes the process of creating a new site link object using the Active Directory Sites and Services tool. Figure 14.6 shows the final screen shot of the process.
Figure 14.5 Selecting Sites to Establish Connection
Figure 14.6 ADSS Tool After Creating the New Site Link
Configuring Site Link Cost
Site link costs are calculated to determine how expensive an organization considers the network connection between the two sites that the site link is connecting. Higher costs represent more expensive connections. If there are two site links available between two sites, the lowest-cost site link will be chosen. Each site link is assigned an IP or SMTP transport protocol, a cost, a replication frequency, and an availability schedule. All these parameters reflect the characteristics of the physical network connection.
The cost assigned to a site link is a number on an arbitrary scale that should reflect, in some sense, the expense of transmitting traffic using that link. Cost can be in the range of 1 to 32,767, and lower costs are preferred. The cost of a link should be inversely proportional to the effective bandwidth of the network connection between sites. For example, if you assign a cost of 32,000 to a 64 kbps line, then you should assign 16,000 to a 128 kbps line and 1000 to a 2 Mbps line. It makes sense to use a high number for the slowest link in your organization. As technology improves and communication becomes cheaper, it’s likely that future WAN lines will be faster than today’s, so there’s little sense in assigning a cost of two for your current 128 kbps line and a cost of 1 for your 256 kbps line.
Site link costs are configured using the Active Directory Sites and Services tool of Windows Server 2003. The following procedure walks you through assigning and configuring site link costs.
Configure site link costs
1 To open the Active Directory Sites and Services tool, click Start | Control Panel | Administrative Tools, and then double-click Active Directory Sites and Services.
2 Highlight the Sites folder in the left tree pane of the Active Directory Sites and Services console and expand the Sites folder.
3 Highlight the Inter-Site Transports folder in the left tree pane of the Active Directory Sites and Services console and expand the Inter-Site Transports folder.
4 Right-click the site link whose cost you want to configure in the left tree pane of the Active Directory Sites and Services console, and select Properties. Selecting Properties opens a dialog box.
5 Type the value for the replication cost of the site link object in the Cost box of the dialog box, as shown in Figure 14.7.
6 Click OK. This completes the process of configuring the site link cost using the Active Directory Sites and Services tool.
Site Replication
An essential process for any domain that has multiple DCs is replication. Replication ensures that each copy of the domain data is up to date, and is done by sending information about changes from one DC to another. In Windows Server 2003, every DC is capable of making changes to the database that holds the domain user and computer accounts.
Types of Replication
Replication in a Windows Server 2003 environment is one of two types:
■ Intra-site replication. Replication that occurs between DCs within a site.
■ Inter-site replication. Replication that occurs between DCs in different sites.
It is important to understand the differences between these methods when planning the site structure and replication.
Intra-site Replication
Intra-site replication occurs between DCs within a site. The system implementing such replication uses high-speed, synchronous Remote Procedure Calls (RPCs).
Within a site, a ring topology is created by the KCC between the DCs for replication (see Figure 14.8). The KCC is a built-in process that runs on all DCs and helps in creating the replication topology. It runs every 15 minutes by default and determines the replication path between DCs based on the connections available. The KCC automatically creates replication connections between DCs within the site. The ring topology created by the KCC defines the path through which changes flow within the site. All the changes follow the ring until every DC receives them.
The KCC analyzes the replication topology within a site to ensure efficiency. If a DC is added or removed, it reconfigures the ring for maximum efficiency. It also configures the ring so that there are no more than three hops between any two DCs within the site, which sometimes results in the creation of multiple rings (see Figure 14.9).
Figure 14.7 The Cost of the Site Link Object
Figure 14.8 Ring Topology for Replication (diagram: Server 1 through Server 4 arranged in a ring)
Figure 14.9 The Three-Hop Rule of Intra-site Replication (diagram: Server 1 through Server 6)
Inter-site Replication
Inter-site replication takes place between DCs in different sites. The drawback of inter-site communication is that it has to be configured manually. Active Directory builds an efficient inter-site replication topology with the information provided by the user. The directory saves this information as site link objects. A DC running a service called the Inter-site Topology Generator (ISTG) is used to build the topology. The ISTG is an Active Directory process that runs on one DC in a site and considers the cost of inter-site connections. It checks whether previously known DCs are no longer available, and checks to determine if new DCs have been added. The KCC process updates the inter-site replication topology. A least-cost spanning-tree algorithm is used to eliminate superfluous replication paths between sites.
An inter-site replication topology is updated regularly to respond to any changes that occur in the network. This is useful when the traffic needs to cross a slower Internet link.
Inter-site replication across site links occurs every 180 minutes; this can be changed if necessary. In addition, you can schedule the availability of the site links for use. By default, a site link is available to carry replication 24 hours a day, 7 days a week, and this can also be changed if necessary.
A site link can also be configured to use low-speed synchronous RPC over TCP/IP or asynchronous SMTP transport. That is, replication within a site always uses RPC over IP, while replication between sites can use either RPC over IP or SMTP over IP. Replication between sites over SMTP is supported only for DCs of different domains; DCs of the same domain must replicate by using the RPC over IP transport. Hence, a site link can be configured for point-to-point, low-speed synchronous RPC over IP between sites, or for low-speed asynchronous SMTP between sites.
Planning, Creating, and Managing the Replication Topology
An important job when implementing replication is planning, creating, and managing the replication topology, as discussed in this section.
Planning Replication Topology
There are three key points to understand before planning replication topology:
■ Before starting a replication planning process, we need to first finish planning the forest, domain, and DNS.
■ It is essential to have an understanding of Active Directory replication, the File Replication Service (FRS), and system volume (SYSVOL) replication, which is used to replicate group policy changes.
■ For Active Directory replication, a rule of thumb is that a given DC that acts as a bridgehead server should not have more than 50 active simultaneous replication connections at any given time.
Creating Replication Topology
The next step is to create the replication topology:
■ Active Directory replication is a one-way pull replication whereby the DC that needs updates (target DC) gets in touch with the replication partner (source DC). Then, the source DC selects the updates that the target DC needs, and copies them to the target DC. Because Active Directory uses a multi-master replication model, each DC functions as both source and target for its replication partners. From the view of a DC, it has both inbound and outbound replication traffic, depending on whether it is the source or the destination of a replication sequence.
■ Inbound replication is the incoming data transfer from a replication partner to a DC, while outbound replication is the data transfer from a DC to its replication partner.
■ System policies and logon scripts that are stored in SYSVOL use FRS to replicate. Each DC keeps a copy of SYSVOL for network clients to access. FRS is also used for the Distributed File System (DFS).
■ Components of the replication topology such as the KCC, connection objects, site links, and site link bridges are to be checked by the administrator.
■ There are two methods for creating a replication topology:
■ Use the KCC to create connection objects. This method is recommended if there are 100 or fewer sites.
■ Use a scripted or third-party tool to create connection objects. This method is recommended if there are more than 100 sites.
Managing Replication Topology
Data is usually replicated based on change notification within sites. It’s up to the administrator to force immediate replication. To do so for all data on a given connection in a single direction, perform the following steps:
1 Choose Start | Programs | Administrative Tools | Active Directory Sites and Services. Expand Sites in the left tree pane.
2 Expand the name of the site that has to be replicated to.
3 Expand the name of the server that will receive the replication.
4 Select the server’s NTDS Settings object. The right console pane will be populated with the server’s inbound connection objects.
5 In the right pane, right-click the name of the server from which you want to replicate, and select Replicate Now.
Replication can also be forced from the command line by using the repadmin.exe utility from the Support Tools.
Configuring Replication between Sites
To ensure that users can log on within a given span of time, it is necessary to locate DCs near them, which sometimes involves moving DCs between sites.
The purpose of a site is to help manage the replication between DCs across slow network links. In addition to creating the site and adding subnets to that site, we also need to move DCs into the site, as replication happens between DCs. The DC has to be added to the site to which it belongs, so that clients within a site can locate the DCs in the site and log on to them.
To move DCs, follow these steps:
1 Open Active Directory Sites and Services.
2 Choose the Sites folder and then select the site where the server is located.
3 In the site, expand the Servers folder.
4 Right-click on the DC you want to move, and choose Move.
5 Select the destination subnet from the dialog box and click OK.
Configuring Replication Frequency
Replication frequency can be configured by providing an integer value that tells Active Directory how many minutes it should wait before it uses a connection to check for replication updates. The interval must be not less than 15 minutes and not more than 10,080 minutes. For any inter-site replication to happen, a site link is essential. Follow these steps to configure the site link replication frequency:
1 Choose Start | Programs | Administrative Tools | Active Directory Sites and Services.
2 Expand the Inter-Site Transports folder, select either the IP or SMTP folder, and then right-click the site link for which the replication frequency is to be set.
3 Click Properties, and in the Properties dialog box for the site link, enter in the Replicate Every box the number of minutes between replications. The default value is 180.
4 Click OK.
Configuring Site Link Availability
After the DCs are moved, a site link has to be created between sites, as it provides a path through which replication takes place. The creation of site links gives the KCC information about which connection objects should be created in order to replicate directory data. Site links also imply where the connection objects should be created. Follow these steps to configure a site link:
1 Choose Start | Programs | Administrative Tools | Active Directory Sites and Services.
2 Open the Sites folder and then the Inter-Site Transports folder.
3 Right-click on the IP or SMTP folder, depending on the protocol needed, and then choose New Site Link.
4 Enter the name for the site link in the Name text box. From the Sites not in this site link list, choose the site to connect and click Add.
5 Click OK.
When creating site links, there is the option of using either IP or SMTP as the transport protocol:
■ SMTP replication. SMTP can be used only for replication over site links. It is asynchronous; that is, the destination DC does not wait for the reply, so the reply may not be received in a short amount of time. SMTP replication also ignores the Replication Available and Replication Not Available settings on the site link schedule, and uses the replication interval to indicate how often the server requests changes. When choosing SMTP, you must install and configure an enterprise certification authority (CA), as it signs the SMTP messages that are exchanged between DCs.
■ IP replication. All replication within a site occurs over the synchronous RPC over IP transport. Replication within a site is fast and delivers updates uncompressed. Replication events occur more frequently within a site than between sites, and the overhead of compression would be inefficient over fast connections.
Configuring Site Link Bridges
Often, there is no need to deal with site link bridges separately, as all the links are automatically bridged by a property known as a transitive site link. Sometimes, when you need to control through which sites the data can flow, you need to create site link bridges. By default, all the site links created are bridged together.
Bridging enables the sites to communicate with each other. If the automatic bridging does not suit the network structure, disable it and create an appropriate site link bridge. In some cases, it is necessary to control the data flow through the sites using site link bridges. To disable transitive site links (automatic bridging), follow these steps:
1 Choose Start | Programs | Administrative Tools | Active Directory Sites and Services.
2 Expand the Sites folder and then expand the Inter-Site Transports folder.
3 Right-click on the transport for which the automatic bridging should be turned off, and choose Properties.
4 On the General tab, clear the Bridge all site links check box and click OK.
To create a site link bridge, follow these steps:
1 Choose Start | Programs | Administrative Tools | Active Directory Sites and Services.
2 Expand the Sites folder and then the Inter-Site Transports folder.
3 Right-click on the transport that needs to be used, and choose New Site Link Bridge.
4 In the Name box, enter a name for the site link bridge.
5 From the list of Site links not in this bridge, select the site link to be added.
6 Remove any extra site links in the Site links in this bridge box and click OK.
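As an added example (not from the book), the following Python models two points made above: the cost rule from the Configuring Site Link Cost section (cost inversely proportional to bandwidth, in the range 1 to 32,767, lowest total cost wins) and the effect of clearing Bridge all site links, after which replication can cross several links only inside an explicit site link bridge. The site names, bandwidths and link names are constructed.

```python
# Added example, not from the book: model site link costs and least-cost
# inter-site replication paths. Site names, bandwidths and link names below
# are constructed for illustration.
import heapq
from itertools import combinations

MAX_COST = 32767  # valid site link costs run from 1 to 32,767

def link_cost(bandwidth_kbps, slowest_kbps=64, slowest_cost=32000):
    """Cost inversely proportional to bandwidth, anchored at the slowest
    link in the organization (64 kbps -> 32,000, as in the text)."""
    cost = round(slowest_cost * slowest_kbps / bandwidth_kbps)
    return max(1, min(MAX_COST, cost))  # clamp into the valid range

# Constructed topology: link name -> (sites joined by the link, cost).
# 2048 kbps stands for the text's 2 Mbps line (an E1 circuit).
SITE_LINKS = {
    "HQ-BranchA": ({"HQ", "BranchA"}, link_cost(2048)),          # 1000
    "HQ-BranchB": ({"HQ", "BranchB"}, link_cost(128)),           # 16000
    "BranchA-BranchB": ({"BranchA", "BranchB"}, link_cost(64)),  # 32000
    "BranchB-BranchC": ({"BranchB", "BranchC"}, link_cost(256)), # 8000
}

def _dijkstra(links, src, dst):
    """Lowest-cost path over the given links: (cost, [link names]) or None."""
    adjacency = {}
    for name, (sites, cost) in links.items():
        for a, b in combinations(sorted(sites), 2):
            adjacency.setdefault(a, []).append((b, cost, name))
            adjacency.setdefault(b, []).append((a, cost, name))
    queue, seen = [(0, src, [])], set()
    while queue:
        cost, site, path = heapq.heappop(queue)
        if site == dst:
            return cost, path
        if site in seen:
            continue
        seen.add(site)
        for nxt, step, name in adjacency.get(site, []):
            if nxt not in seen:
                heapq.heappush(queue, (cost + step, nxt, path + [name]))
    return None

def least_cost_path(site_links, src, dst, bridge_all=True, bridges=()):
    """With 'Bridge all site links' on, every link is transitive, so one
    search over all links suffices. With it off, a path may cross more
    than one link only inside an explicit site link bridge, so each single
    link and each bridge is searched separately and the cheapest wins."""
    if bridge_all:
        groups = [set(site_links)]
    else:
        groups = [{n} for n in site_links] + [set(b) for b in bridges]
    best = None
    for group in groups:
        found = _dijkstra({n: site_links[n] for n in group}, src, dst)
        if found and (best is None or found[0] < best[0]):
            best = found
    return best
```

With Bridge all site links cleared and no bridge defined, least_cost_path(SITE_LINKS, "HQ", "BranchC", bridge_all=False) returns None; adding a bridge over the three branch links makes the 41,000-cost path through BranchA usable.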
Configuring Bridgehead Servers
A bridgehead server is a server that is mainly used for inter-site replication. A bridgehead server can be configured for every site that is created, for each of the inter-site replication protocols. This helps to control which server is used to replicate information to other servers.
To configure a server as a bridgehead server, follow these steps:
1 Choose Start | Programs | Administrative Tools | Active Directory Sites and Services.
2 Expand the Sites folder.
3 Expand the site in which a bridgehead server has to be created, and then expand the Servers folder.
4 Right-click on the server and choose Properties.
5 In the Transports available for inter-site transfer area, select the protocol for which this server should be a bridgehead and click Add.
6 Click OK to set the properties, and then close Active Directory Sites and Services.
The ability to configure a server as a bridgehead server gives you greater control over the resources used for replication between sites.
Troubleshooting Replication Failure
DCs usually handle the replication process automatically. Failed network links and incorrect configurations prevent the synchronization of information between DCs. There are many ways to monitor the behavior of Active Directory replication and correct problems if they occur.
Troubleshooting Replication
A common symptom of replication problems is that the information is not updated on some or all DCs. There are several steps that you can take to troubleshoot Active Directory replication, including:
■ Check the network connectivity. The basic requirement for any type of replication to work properly in a distributed environment is network connectivity. The ideal situation is that all the DCs are connected by high-speed LAN links. In the real world, either a dial-up connection or a slow connection is common. Check to see if the replication topology is set up properly. In addition, confirm that the servers are communicating. Failed dial-up connection attempts can prevent important Active Directory information from being replicated.
■ Examine the replication topology. The Active Directory Sites and Services tool helps to verify whether a replication topology is logically consistent. This is done by right-clicking the NTDS Settings within a Server object and selecting All Tasks | Check Replication Topology. If there are any errors, a dialog box will alert you to the problem.
■ Validate the event logs. Whenever an error in the replication configuration occurs, events are written to the Directory Service event log. The Event Viewer administrative tool can provide the details associated with any problems in replication.
■ Verify whether the information is synchronized. Many administrators forget to execute manual checks regarding the replication of Active Directory information. One of the reasons for this is that Active Directory DCs have their own read/write copies of the Active Directory database. Therefore, no failures are encountered while creating new objects even if connectivity does not exist. It is important to regularly check whether the objects have been synchronized between DCs. The manual check, although tedious, can prevent inconsistencies in the information stored on DCs.
■ Check router and firewall configurations. Firewalls restrict the types of traffic transferred between networks. In some cases, firewalls might block the types of network access that should be available for Active Directory replication to occur.
■ Verify site links. Before any DCs in different sites can communicate, the sites must be connected by site links. If replication between sites doesn’t occur properly, verify whether the site links are in the proper positions.
Using Replication Monitor
The Replication Monitor tool helps you to determine whether the DCs replicate the Active Directory information correctly. This tool is available as part of the Windows Server 2003 Support Tools, which have to be installed separately. After installing the Support Tools, go to the Start menu | Windows Support Tools | Command Prompt and enter replmon.exe, which will open the Replication Monitor console (see Figure 14.10).
Figure 14.10 Replication Monitor Console