Active Directory Cookbook for Windows Server 2003 - P37


11.13.4 See Also

MS KB 271997 (Description of Bridgehead Servers in Windows 2000)

Recipe 11.14 Setting a Preferred Bridgehead Server for a Site

11.14.1 Problem

You want to set a preferred bridgehead server for a site.

11.14.2 Solution

11.14.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. In the left pane, expand Sites, expand the site where the server you want to set as a bridgehead is contained, and expand the Servers container.

3. Right-click on the server you want to set as the bridgehead and select Properties.

4. Highlight IP, SMTP, or both, pertaining to the protocol(s) for which you want the server to be a bridgehead.

5. Click the Add button.

6. Click OK.

11.14.2.2 Using a command-line interface

Create an LDIF file called set_bridgehead_server.ldf with the following contents:

dn: cn=<DCName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
add: bridgeheadTransportList
bridgeheadTransportList: cn=IP,cn=Inter-site Transports,cn=sites,cn=configuration,<ForestRootDN>
-

then run the following command:

> ldifde -v -i -f set_bridgehead_server.ldf

11.14.2.3 Using VBScript

' This code sets a preferred bridgehead server for a particular transport
' - SCRIPT CONFIGURATION -
strServer = "<DomainControllerName>" ' e.g. dc1
strServerSite = "<SiteName>" ' e.g. Default-First-Site-Name
strTransport = "<TransportName>" ' e.g. either IP or SMTP
' - END CONFIGURATION -

set objRootDSE = GetObject("LDAP://RootDSE")
set objServer = GetObject("LDAP://cn=" & strServer & ",cn=Servers,cn=" & _
                          strServerSite & ",cn=sites," & _
                          objRootDSE.Get("configurationNamingContext") )
objServer.Put "bridgeHeadTransportList", _
              "cn=" & strTransport & ",cn=Inter-site Transports,cn=sites," _
              & objRootDSE.Get("configurationNamingContext")
objServer.SetInfo
WScript.Echo "Successfully set bridgehead server: " & strServer

11.14.3 Discussion

Setting a preferred bridgehead server can give you more control over which domain controllers participate in inter-site replication, but it is also limiting. The KCC typically selects bridgehead servers dynamically, but if you set preferred bridgehead servers, the KCC will not select new ones if the preferred servers become unavailable. Therefore, if you do select preferred bridgehead servers, you should select at least two for a given partition in a site.

As a general rule, you shouldn't set preferred bridgehead servers if at all possible.

11.14.4 See Also

MS KB 271997 (Description of Bridgehead Servers in Windows 2000)

Recipe 11.15 Listing the Servers

11.15.1 Problem

You want to list the server objects in the site topology.

11.15.2 Solution

11.15.2.1 Using a graphical user interface

1. Open LDP.

2. From the menu, select Connection → Connect.

3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).

4. For Port, enter 389.

5. Click OK.

6. From the menu, select Connection → Bind.

7. Enter credentials of a domain user.

8. Click OK.

9. From the menu, select Browse → Search.

10. For BaseDN, type the Sites container's DN (e.g., cn=sites,cn=configuration,dc=rallencorp,dc=com).

11. For Scope, select Subtree.

12. For Filter, enter (objectcategory=server).

13. Click Run.

11.15.2.2 Using a command-line interface

> dsquery server [-site <SiteName>]

11.15.2.3 Using VBScript

' This code lists the server objects in the site topology

set objRootDSE = GetObject("LDAP://RootDSE")

strBase = "<LDAP://cn=sites," & _

objRootDSE.Get("ConfigurationNamingContext") & ">;"

strFilter = "(objectcategory=server);"

strAttrs = "distinguishedName;"

strScope = "subtree"

set objConn = CreateObject("ADODB.Connection")

objConn.Provider = "ADsDSOObject"

objConn.Open "Active Directory Provider"

set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)

objRS.MoveFirst

while Not objRS.EOF

Wscript.Echo objRS.Fields(0).Value

objRS.MoveNext

wend

11.15.3 Discussion

Each Active Directory domain controller is represented in the site topology by a server object that is associated with a specific site. Replication decisions are made based on links from this site to other sites that contain domain controllers.

Other types of services can also add server objects to the site topology. The way you can distinguish which ones are domain controllers is the presence of an NTDS Settings (nTDSDSA) object that is a child of the server object. Only domain controllers will have that object.
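The two discussion points above (Recipe 11.14: keep at least two preferred bridgeheads per site, and Recipe 11.15: a server object is a domain controller only if it has an nTDSDSA child) can both be checked offline against a dump of the Sites container. The following Python is an added example, not code from the book or from Microsoft; the objects, server names and the dc=rallencorp,dc=com forest root are constructed sample data, and the bridgehead audit simplifies the book's per-partition rule to a per-site, per-transport count.

```python
from collections import defaultdict

# Constructed sample dump of the Sites container as (dn, attributes) pairs, in
# the shape a subtree LDAP search would return. <ForestRootDN> is taken to be
# dc=rallencorp,dc=com, the example domain the recipes use.
CONFIG_DN = "cn=configuration,dc=rallencorp,dc=com"
SITES_DN = "cn=sites," + CONFIG_DN
IP_TRANSPORT = "cn=IP,cn=Inter-site Transports," + SITES_DN
SMTP_TRANSPORT = "cn=SMTP,cn=Inter-site Transports," + SITES_DN


def server_dn(name, site):
    """DN of a server object in the site topology (hypothetical names)."""
    return f"cn={name},cn=servers,cn={site},{SITES_DN}"


SAMPLE_OBJECTS = [
    (server_dn("dc1", "Default-First-Site-Name"),
     {"objectCategory": "server", "bridgeheadTransportList": [IP_TRANSPORT]}),
    ("cn=NTDS Settings," + server_dn("dc1", "Default-First-Site-Name"),
     {"objectCategory": "nTDSDSA"}),
    (server_dn("dc2", "Default-First-Site-Name"),
     {"objectCategory": "server", "bridgeheadTransportList": [IP_TRANSPORT]}),
    ("cn=NTDS Settings," + server_dn("dc2", "Default-First-Site-Name"),
     {"objectCategory": "nTDSDSA"}),
    # A server object registered by another service: no NTDS Settings child.
    (server_dn("exch1", "Default-First-Site-Name"), {"objectCategory": "server"}),
    (server_dn("dc3", "Raleigh"),
     {"objectCategory": "server",
      "bridgeheadTransportList": [IP_TRANSPORT, SMTP_TRANSPORT]}),
    ("cn=NTDS Settings," + server_dn("dc3", "Raleigh"), {"objectCategory": "nTDSDSA"}),
]


def parse_dn(dn):
    """Split a DN into [(attribute, value), ...], leftmost RDN first.
    Escaped commas are not handled; site topology DNs do not need them."""
    return [tuple(s.strip() for s in part.partition("=")[::2]) for part in dn.split(",")]


def rdn_value(dn):
    """Value of the leftmost RDN, e.g. 'dc1' for cn=dc1,cn=servers,..."""
    return parse_dn(dn)[0][1]


def site_of_server(dn):
    """Site name from a DN of the form cn=<server>,cn=servers,cn=<site>,cn=sites,..."""
    rdns = parse_dn(dn)
    if len(rdns) < 4 or rdns[1][1].lower() != "servers" or rdns[3][1].lower() != "sites":
        raise ValueError(f"not a server DN: {dn}")
    return rdns[2][1]


def classify_servers(objects):
    """Return (domain_controllers, other_servers) as sorted lists of server CNs.
    A server object counts as a domain controller only if an nTDSDSA object
    (NTDS Settings) is its direct child."""
    servers = {dn.lower(): rdn_value(dn) for dn, attrs in objects
               if attrs.get("objectCategory") == "server"}
    dc_dns = set()
    for dn, attrs in objects:
        if attrs.get("objectCategory") == "nTDSDSA":
            parent = dn.split(",", 1)[1].lower()
            if parent in servers:
                dc_dns.add(parent)
    dcs = sorted(servers[dn] for dn in dc_dns)
    others = sorted(servers[dn] for dn in servers if dn not in dc_dns)
    return dcs, others


def audit_preferred_bridgeheads(objects, minimum=2):
    """Group explicitly preferred bridgeheads by (site, transport) and report
    every group with fewer than `minimum` servers. Sites with no preferred
    bridgeheads are left to the KCC and are not reported."""
    preferred = defaultdict(list)
    for dn, attrs in objects:
        if attrs.get("objectCategory") != "server":
            continue
        for transport_dn in attrs.get("bridgeheadTransportList", []):
            key = (site_of_server(dn), rdn_value(transport_dn).upper())
            preferred[key].append(rdn_value(dn))
    findings = [
        f"{site}: only {len(servers)} preferred {transport} bridgehead(s) "
        f"({', '.join(servers)}); the KCC will not pick a replacement if they go down"
        for (site, transport), servers in sorted(preferred.items())
        if len(servers) < minimum
    ]
    return dict(preferred), findings


if __name__ == "__main__":
    dcs, others = classify_servers(SAMPLE_OBJECTS)
    print("domain controllers:", dcs)
    print("other server objects:", others)
    for finding in audit_preferred_bridgeheads(SAMPLE_OBJECTS)[1]:
        print("FINDING:", finding)
```

Against the sample data the Raleigh site is flagged twice (one preferred bridgehead for IP and one for SMTP), while Default-First-Site-Name passes because dc1 and dc2 are both preferred for IP. Feeding the functions a real export only requires producing the same (dn, attributes) pairs from an LDAP search rooted at the Sites container.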

Recipe 11.16 Moving a Domain Controller to a Different Site

11.16.1 Problem

You want to move a domain controller to a different site. This may be necessary if you promoted the domain controller without first adding its subnet to Active Directory. In that case, the domain controller will be added to the Default-First-Site-Name site.

11.16.2 Solution

11.16.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. In the left pane, expand Sites, expand the site where the server you want to move is contained, and expand the Servers container.

3. Right-click on the server you want to move and select Move.

4. Select the site to move the server to.

5. Click OK.

11.16.2.2 Using a command-line interface

> dsmove "cn=<ServerName>,cn=servers,cn=<CurrentSite>,[RETURN]
cn=sites,cn=configuration,<ForestRootDN>" -newparent "cn=servers,cn=<NewSite>,[RETURN]
cn=sites,cn=configuration,<ForestRootDN>"

11.16.2.3 Using VBScript

' This code moves a server to a different site
' - SCRIPT CONFIGURATION -
' Should contain the common name of the server object
strDC = "<DomainControllerName>" ' e.g. dc02
' Name of the server's current site
strCurrentSite = "<CurrentSite>" ' e.g. Default-First-Site-Name
' Name of the site you want to move the server to
strNewSite = "<NewSite>" ' e.g. Raleigh
' - END CONFIGURATION -

strConfigDN = GetObject("LDAP://RootDSE").Get("configurationNamingContext")
strServerDN = "LDAP://cn=" & strDC & ",cn=servers,cn=" & _
              strCurrentSite & ",cn=sites," & strConfigDN
' The new parent is the Servers container of the destination site
strNewParentDN = "LDAP://cn=servers,cn=" & strNewSite & ",cn=sites," & _
                 strConfigDN
Set objCont = GetObject(strNewParentDN)
objCont.MoveHere strServerDN, "cn=" & strDC

11.16.3 Discussion

After you move a server to a new site, you might want to monitor replication to and from that server to make sure that any new connections that are needed get created and start replicating. See Recipe 12.2 for more on viewing the replication status of a server.

11.16.4 See Also

MS KB 214677 (Automatic Detection of Site Membership for Domain Controllers)

Recipe 11.17 Configuring a Domain Controller to Cover Multiple Sites

11.17.1 Problem

You want to configure a domain controller to cover multiple sites, which will cause clients in those sites to use that domain controller for authentication and directory lookups.

11.17.2 Solution

11.17.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. In the left pane, expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

3. If the SiteCoverage value does not exist, right-click on Parameters in the left pane and select New → Multi-String Value. For the name, enter SiteCoverage.

4. In the right pane, double-click on the value and, on a separate line, enter each site the server should cover.

5. Click OK.

11.17.2.2 Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v[RETURN]
"SiteCoverage" /t REG_MULTI_SZ /d <Site1>\0<Site2>

11.17.2.3 Using VBScript

' This code configures a domain controller to cover multiple sites
' - SCRIPT CONFIGURATION -
strDC = "<DomainControllerName>" ' e.g. dc01
arrSites = Array("<Site1>","<Site2>") ' Array of sites to cover
' - END CONFIGURATION -

strNTDSReg = "SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
const HKLM = &H80000002
' Connect to the WMI registry provider on the remote domain controller
set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
objReg.SetMultiStringValue HKLM, strNTDSReg, _
                           "SiteCoverage", _
                           arrSites
WScript.Echo "Site coverage set for " & strDC

11.17.3 Discussion

It is perfectly valid to have a site that does not contain its own domain controller. In fact, if you model the site topology after your real network, some sites will lack their own domain controllers unless you've deployed a branch office architecture or have very few sites. If you create sites without any domain controllers, the site links between the sites determine which domain controllers will "cover" or advertise their services to the site. When a domain controller covers for a remote site, it needs to publish site-specific DNS resource records, which clients in the site use to find the domain controller. Active Directory will select DCs to cover DC-less sites automatically, but you can hard-code the list of sites a specific domain controller should cover by modifying the Registry as described in the Solution section.

11.17.4 See Also

MS KB 200498 (Configure a Domain Controller for Membership in Multiple Sites)

Recipe 11.18 Viewing the Site Coverage for a Domain Controller

11.18.1 Problem

You want to view the sites a domain controller covers.

11.18.2 Solution

11.18.2.1 Using a command-line interface

In the following command, replace <DomainControllerName> with the name of the domain controller you want to view site coverage for:

> nltest /server:<DomainControllerName> /DsGetSiteCov

11.18.2.2 Using VBScript

Although you cannot use it directly from a scripting language like VBScript, Microsoft provides a DsGetDcSiteCoverage method that can be used by languages such as Visual Basic and C++ to retrieve site coverage information. In fact, the nltest command shown in the CLI solution is a wrapper around this method.

11.18.3 Discussion

Recipe 11.17 describes how to force a domain controller to cover multiple sites. Recipe 11.19 describes how you can prevent a domain controller from covering any sites other than its own.

11.18.4 See Also

MSDN: DsGetDcSiteCoverage


Recipe 11.19 Disabling Automatic Site Coverage for a Domain Controller

11.19.1 Problem

You want to prevent a domain controller from covering sites outside of the one it resides in.

11.19.2 Solution

11.19.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

3. Right-click on Parameters and select New → DWORD Value.

4. For the name, enter AutoSiteCoverage.

5. Double-click on the new value, enter 0 under Value data, and click OK.

11.19.2.2 Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v[RETURN]
AutoSiteCoverage /t REG_DWORD /d 0

11.19.2.3 Using VBScript

' This code disables auto site coverage
strNetlogonReg = "SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
const HKLM = &H80000002
' Connect to the WMI registry provider on the local machine
Set objReg = GetObject("winmgmts:root\default:StdRegProv")
objReg.SetDWORDValue HKLM, strNetlogonReg, "AutoSiteCoverage", 0
WScript.Echo "Site coverage disabled"

11.19.3 Discussion

If you want to reduce the load on a domain controller, one way is to prevent it from covering for other sites. Automatic site coverage happens when a site does not have any member domain controllers.

11.19.4 See Also

Recipe 11.18 for viewing the site coverage for a domain controller

Recipe 11.20 Finding the Site for a Client

11.20.1 Problem

You want to find which site a client computer is in.

11.20.2 Solution

11.20.2.1 Using a command-line interface

In the following command, replace <HostName> with the name of the host you want to find the site for:

> nltest /server:<HostName> /DsGetSite

11.20.2.2 Using VBScript

Although you cannot use it directly from a scripting language like VBScript, Microsoft provides a DsGetSiteName method that can be used by languages such as Visual Basic and C++ to retrieve site coverage information. In fact, the nltest command shown in the CLI solution is a wrapper around this method.

The IADsTool interface provides a wrapper around this method:

set objIadsTools = CreateObject("IADsTools.DCFunctions")

strSite = objIadsTools.DsGetSiteName("<HostName>")

Wscript.Echo "Site: " & strSite

11.20.3 Discussion

Each domain controller has a server object that is contained within a site. Clients are different: they are associated with a site based on their IP address and the matching subnet in the Subnets container. The client site information is important because it determines the domain controller the client authenticates with. If the client's IP address does not match the range of any of the subnets stored in Active Directory, it will randomly pick a site to use, which means it could authenticate against any domain controller in the domain. See Recipe 11.21 for a way to hardcode the site association for a client.
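The subnet-to-site matching the Discussion describes is a longest-prefix lookup, and the case worth catching is the client whose address matches no subnet at all, since that client ends up on an arbitrary domain controller. The following Python is an added example, not code from the book or from Microsoft; the subnet objects, site names and client addresses are constructed, and the subnet names use the CIDR form that Active Directory uses for the cn of subnet objects.

```python
import ipaddress

# Constructed sample of the Subnets container: subnet object name -> siteObject.
# In AD the subnet object's cn is the CIDR string and siteObject holds the DN of
# the site it maps to. All names below are made up for the example.
SITES_DN = "cn=sites,cn=configuration,dc=rallencorp,dc=com"
SAMPLE_SUBNETS = {
    "10.0.0.0/8":     f"cn=Default-First-Site-Name,{SITES_DN}",
    "10.20.0.0/16":   f"cn=Raleigh,{SITES_DN}",
    "10.20.5.0/24":   f"cn=Raleigh-Lab,{SITES_DN}",
    "192.168.1.0/24": f"cn=Default-First-Site-Name,{SITES_DN}",
}


def load_subnets(subnet_objects):
    """Parse subnet objects into (network, site name) pairs sorted most specific
    first, so the first containing network is the longest-prefix match.
    Malformed subnet names (e.g. host bits set) are collected and reported
    instead of aborting the whole lookup table."""
    parsed, bad = [], []
    for cidr, site_dn in subnet_objects.items():
        try:
            network = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            bad.append(cidr)
            continue
        site = site_dn.split(",", 1)[0].split("=", 1)[1]
        parsed.append((network, site))
    parsed.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return parsed, bad


def site_for_client(ip, subnets):
    """Return the site whose subnet most specifically contains `ip`, or None
    when no subnet matches. None is the case the Discussion warns about: the
    client has no site association and may authenticate against any DC."""
    address = ipaddress.ip_address(ip)
    for network, site in subnets:
        if address.version == network.version and address in network:
            return site
    return None


def clients_without_site(client_ips, subnet_objects):
    """List the clients that would fall through to random site selection."""
    subnets, _ = load_subnets(subnet_objects)
    return sorted(ip for ip in client_ips if site_for_client(ip, subnets) is None)


if __name__ == "__main__":
    subnets, bad = load_subnets(SAMPLE_SUBNETS)
    for ip in ("10.20.5.17", "10.20.9.1", "10.99.1.1", "172.16.0.5"):
        print(ip, "->", site_for_client(ip, subnets))
    print("unmapped:", clients_without_site(["172.16.0.5", "192.168.2.1"], SAMPLE_SUBNETS))
```

Running `clients_without_site` over the addresses seen in a DC's logon traffic is a quick way to find the subnets that were never added to the Subnets container, which is exactly the situation Recipe 11.16 describes for newly promoted domain controllers.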

11.20.4 See Also

Recipe 11.21 for forcing a host to a particular site, MS KB 247811 (How Domain Controllers Are Located in Windows), and MSDN: DsGetSiteName

Recipe 11.21 Forcing a Host to a Particular Site

11.21.1 Problem

You want to force a host to be in a particular site.

11.21.2 Solution

11.21.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.

2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.

3. Right-click on Parameters and select New → String Value.

4. Enter SiteName for the name.

5. Double-click on the new value, enter the name of the site under Value data, and click OK.

11.21.2.2 Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v SiteName /t[RETURN]
REG_SZ /d <SiteName>

11.21.2.3 Using VBScript

' This code forces the host the script is run on to use a particular site
' - SCRIPT CONFIGURATION -
strSite = "<SiteName>" ' e.g. Raleigh
' - END CONFIGURATION -

strNetlogonReg = "SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
const HKLM = &H80000002
' Connect to the WMI registry provider on the local machine
set objReg = GetObject("winmgmts:root\default:StdRegProv")
objReg.SetStringValue HKLM, strNetlogonReg, "SiteName", strSite
WScript.Echo "Set SiteName to " & strSite

11.21.3 Discussion

You can bypass the part of the DC Locator process that determines a client's site by hard-coding it in the Registry. This is generally not recommended and should primarily be used as a troubleshooting tool. If a client is experiencing authentication delays due to a misconfigured site or subnet object, you can hard-code its site so it temporarily points to a more optimal location (and domain controller).
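Because the SiteName, SiteCoverage and AutoSiteCoverage values from Recipes 11.17, 11.19 and 11.21 all quietly override the DC Locator, it helps to be able to audit them from an offline `reg export` of the Netlogon Parameters key, including the REG_MULTI_SZ encoding that the \0 separator in reg add produces. The following Python is an added example, not code from the book or from Microsoft; the export text, the site names and the SysvolReady value in it are constructed sample data, and the parser handles only the three value types these recipes use.

```python
import re

# Constructed sample of a `reg export` of the Netlogon Parameters key, already
# decoded to text (regedit writes the file itself as UTF-16LE with a BOM).
# The hex(7) data is "Raleigh\0Lab\0\0" in UTF-16LE, split across two lines
# with the trailing backslash continuation regedit uses.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"SiteName"="Raleigh"
"AutoSiteCoverage"=dword:00000000
"SiteCoverage"=hex(7):52,00,61,00,6c,00,65,00,69,00,67,00,68,00,00,00,4c,00,61,00,\
  62,00,00,00,00,00
"SysvolReady"=dword:00000001
"""

NETLOGON_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"


def decode_multi_sz(raw):
    """Decode REG_MULTI_SZ bytes: UTF-16LE strings, each NUL-terminated, with
    an extra NUL closing the list. Empty strings cannot occur inside the list
    (an empty string is the terminator), so dropping them is safe."""
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def parse_reg_export(text):
    """Parse a Regedit 5.00 export into {key: {value_name: (type, data)}}.
    Supports REG_SZ ("..."), REG_DWORD (dword:) and REG_MULTI_SZ (hex(7):),
    including backslash line continuations inside hex data."""
    # A trailing backslash means the hex byte list continues on the next line.
    joined = re.sub(r",\\\r?\n\s*", ",", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m is None or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", data[1:-1].replace("\\\\", "\\"))
        elif data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith("hex(7):"):
            raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
            keys[current][name] = ("REG_MULTI_SZ", decode_multi_sz(raw))
        else:
            keys[current][name] = ("UNKNOWN", data)
    return keys


def site_overrides(export_text):
    """Summarise the Netlogon site-locator overrides present in an export:
    a hard-coded client site (SiteName), a hard-coded coverage list
    (SiteCoverage) and disabled automatic coverage (AutoSiteCoverage=0).
    An empty result means the host relies on the default DC Locator logic."""
    values = parse_reg_export(export_text).get(NETLOGON_KEY, {})
    findings = {}
    if "SiteName" in values:
        findings["SiteName"] = values["SiteName"][1]
    if "SiteCoverage" in values:
        findings["SiteCoverage"] = values["SiteCoverage"][1]
    if values.get("AutoSiteCoverage", (None, 1))[1] == 0:
        findings["AutoSiteCoverage"] = 0
    return findings


if __name__ == "__main__":
    for name, finding in site_overrides(SAMPLE_REG_EXPORT).items():
        print(f"override: {name} = {finding!r}")
```

On the sample export all three overrides are reported, which is the combination the book advises against leaving in place: a DC whose coverage list is pinned, whose automatic coverage is off, and whose own site is hard-coded. Collecting the same export from every domain controller and diffing the results against the expected topology is a cheap periodic check.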

11.21.4 See Also

Recipe 11.20 for finding the site of a client and MS KB 247811 (How Domain Controllers Are Located in Windows)

Recipe 11.22 Creating a Connection Object

11.22.1 Problem

You want to create a connection object to manually set up replication between two sites.

11.22.2 Solution

11.22.2.1 Using a graphical user interface

2. In the left pane, expand Sites, expand the site that contains the connection object you want to check, expand the Servers container, and expand the server for which you want to create the connection object.

3. Right-click on the NTDS Settings object and select Create New Active Directory Connection.

4. Select the replication partner and click OK.

5. Enter the name for the connection and click OK.

11.22.2.2 Using a command-line interface

> repadmin /add <PartitionDN> <DC1DNSName> <DC2DNSName>

11.22.3 Discussion

Hopefully you will not need to create connection objects manually. Creating and maintaining connection objects is the job of the KCC. It can be a lot of work to keep your connection objects up to date by yourself, especially if you have a large topology. The KCC uses complex algorithms to determine the best partners for a domain controller to replicate with. The Windows 2000 KCC had problems generating very large topologies, but the Windows Server 2003 version is significantly better.

It is sometimes necessary to create connections manually if you find a replication problem and need to get replication going again between one or more sites. By creating a connection and forcing replication to occur over that connection, you can get servers back in sync quickly.

11.22.4 See Also

Recipe 11.23 for listing the connections for a server

Recipe 11.23 Listing the Connection Objects for a Server

11.23.1 Problem

You want to view the connection objects associated with a domain controller.

11.23.2 Solution

11.23.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.

2. In the left pane, expand Sites, expand the site that contains the connection object you want to check, expand the Servers container, expand the server that contains the connection object, and click on the NTDS Settings object.

3. In the right pane, under the Name column, it will display which connection objects were automatically generated (by the KCC) and which ones were manually generated.

Posted: 05/07/2014, 08:20