Microsoft Official Course
Module 5
Implementing Active Directory Domain Services Sites and Replication
Notes Page Over-flow Slide. Do Not Print Slide.
Module Overview
• AD DS Replication Overview
• Configuring AD DS Sites
• Configuring and Monitoring AD DS Replication
Lesson 1: AD DS Replication Overview
• What Are AD DS Partitions?
• Characteristics of AD DS Replication
• How AD DS Replication Works Within a Site
• Resolving Replication Conflicts
• How Replication Topology Is Generated
• How RODC Replication Works
• How SYSVOL Replication Works
What Are AD DS Partitions?
• Configuration: forest-wide information about the Active Directory structure
• Schema: forest-wide definitions and rules for creating and manipulating objects and attributes
• <Domain>: information about domain-specific objects
• <Application>: information about applications
(Diagram: the partitions held in the Active Directory database)
Characteristics of AD DS Replication
• Multimaster replication ensures:
• Accuracy (integrity)
• Consistency (convergence)
• Performance (keeping replication traffic to a reasonable level)
• Key characteristics of Active Directory replication include:
• Multimaster replication
• Pull replication
• Store-and-forward
• Partitions
• Automatic generation of an efficient, robust replication topology
• Attribute-level and multi-value replication
• Distinct control of intrasite and intersite replication
• Collision detection and remediation
How AD DS Replication Works Within a Site
• Intrasite replication uses:
• Connection objects for inbound replication to a domain controller
• KCC to automatically create topology
• Efficient (maximum three-hop) and robust (two-way) topology
• Notifications, in which the domain controller tells its downstream partners that a change is available
• Polling, in which the domain controller checks with its upstream partners for changes
• Downstream domain controller directory replication agent replicates changes
• Changes to all partitions held by both domain controllers are replicated
(Diagram: DC01, DC02, and DC03 replicating within one site)
Resolving Replication Conflicts
• In multimaster replication models, replication conflicts arise when:
• The same attribute is changed on two domain controllers simultaneously
• An object is moved or added to a deleted container on another domain controller
• Two objects with the same relative distinguished name are added to the same container on two different domain controllers
• To resolve replication conflicts, AD DS uses:
• Version number
• Time stamp
• Server GUID
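The three-part stamp above, worked through as an added example (not part of the course material): a function that applies the comparison order AD DS uses, two constructed stamps that exercise it, and the cmdlet that shows the real stamps on a domain controller. The user's OU path and the GUIDs are assumed.

```powershell
# Added example, not part of the course material: AD DS breaks a conflict on the same
# attribute with a three-part stamp, compared in this order: version number, then
# originating time stamp, then originating server (invocation ID) GUID. Higher wins.
function Resolve-ReplicationConflict {
    param(
        [Parameter(Mandatory)] [pscustomobject]$StampA,
        [Parameter(Mandatory)] [pscustomobject]$StampB
    )
    if ($StampA.Version -ne $StampB.Version) {
        return @($StampA, $StampB | Sort-Object Version -Descending)[0]
    }
    if ($StampA.Time -ne $StampB.Time) {
        return @($StampA, $StampB | Sort-Object Time -Descending)[0]
    }
    # Last tie-breaker; the DC compares the GUID bytes, shown here as a string sort
    return @($StampA, $StampB | Sort-Object { [string]$_.ServerGuid } -Descending)[0]
}

# Constructed stamps for the 'department' attribute of one user. DC01 edited it twice
# (version 3) before replication caught up; DC02 edited it once, but later.
$fromDc01 = [pscustomobject]@{ Server = 'DC01'; Value = 'Sales'
    Version = 3; Time = [datetime]'2024-03-01T10:00:00Z'
    ServerGuid = [guid]'11111111-1111-1111-1111-111111111111' }   # constructed GUID
$fromDc02 = [pscustomobject]@{ Server = 'DC02'; Value = 'Finance'
    Version = 2; Time = [datetime]'2024-03-01T10:05:00Z'
    ServerGuid = [guid]'22222222-2222-2222-2222-222222222222' }   # constructed GUID

# Version beats a later time stamp, so every DC converges on DC01's value 'Sales'
(Resolve-ReplicationConflict $fromDc01 $fromDc02).Value

# Same version and same time stamp: the higher server GUID decides (DC02 here)
$fromDc01.Version = 2; $fromDc01.Time = $fromDc02.Time
(Resolve-ReplicationConflict $fromDc01 $fromDc02).Server

# Where these stamps really come from: per-attribute replication metadata on a DC
# (the same data repadmin /showobjmeta prints). The OU path is assumed.
Get-ADReplicationAttributeMetadata -Object 'CN=Linda Miller,OU=IT,DC=adatum,DC=com' `
    -Server LON-DC1 -Properties department |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerInvocationId
```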
How Replication Topology Is Generated
(Diagram: Domain A topology (domain controllers A1 to A4), Domain B topology (B1 to B3), schema and configuration topology, and global catalog replication between the global catalog servers and domain controllers in another domain)
How RODC Replication Works
• When an RODC is implemented:
• The KCC detects that it is an RODC and creates one-way only connection objects (red) from one or more source domain controllers
• Write referrals are sent to the source domain controllers from the RODC (blue)
• An RODC performs Replicate Single Object inbound replication during:
• Password changes
• DNS updates to a writable DNS server
• Updates to various client attributes
(Diagram: an RODC with one-way connection objects from the source domain controllers)
How SYSVOL Replication Works
• SYSVOL contains logon scripts, Group Policy templates, and GPOs with their content
• SYSVOL replication can take place using:
• FRS, which is primarily used in Windows Server 2003 and older domain structures
• DFS Replication, which is used in Windows Server 2008 and newer domains
• To migrate SYSVOL replication from FRS to DFS Replication:
• The domain functional level must be at least Windows Server 2008
• Use the Dfsrmig.exe tool to perform the migration
Lesson 2: Configuring AD DS Sites
• What Are AD DS Sites?
• Why Implement Additional Sites?
• Demonstration: Configuring AD DS Sites
• How Replication Works Between Sites
• What Is the Intersite Topology Generator?
• Optimizing Domain Controller Coverage in Multiple Site Scenarios
• How Client Computers Locate Domain Controllers Within Sites
What Are AD DS Sites?
• Sites identify network locations with fast, reliable network connections
• Sites are associated with subnet objects
• Sites are used to manage:
• Replication when domain controllers are separated by slow, expensive links
• Service localization:
• Domain controller authentication (LDAP and Kerberos)
• Active Directory-aware (site aware) services or applications
(Diagram: a site containing domain controllers A1 and A2 and its IP subnets)
Why Implement Additional Sites?
Create additional sites when:
• A part of the network is separated by a slow link
• A part of the network has enough users to warrant hosting domain controllers or other services in that location
• You want to control service localization
• You want to control replication between domain controllers
(Diagram: one site with A1, A2, and A3 split into two sites, each with its own IP subnets)
Demonstration: Configuring AD DS Sites
In this demonstration, you will see how to configure AD DS sites
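The site, subnet, and domain controller configuration from this demonstration and the preceding two slides, as an added PowerShell example (not the course's demonstration script). Site and DC names follow the lab (LondonHQ, Toronto, TOR-DC1); the subnet ranges and the client address are assumed.

```powershell
# Added example, not the course's demonstration script. Site and DC names follow the
# lab (LondonHQ, Toronto, TOR-DC1); the subnet ranges are assumed.
Import-Module ActiveDirectory

# Exercise 1: name the default site after where the domain controllers actually are
Get-ADReplicationSite -Identity 'Default-First-Site-Name' | Rename-ADObject -NewName 'LondonHQ'

# Exercise 2: a site for the branch, and the subnets that map clients to each site
New-ADReplicationSite -Name 'Toronto' -Description 'Toronto branch office'
New-ADReplicationSubnet -Name '172.16.0.0/24'  -Site 'LondonHQ'
New-ADReplicationSubnet -Name '172.16.10.0/24' -Site 'Toronto'

# A domain controller serves a site only once its server object sits under that site
Move-ADDirectoryServer -Identity 'TOR-DC1' -Site 'Toronto'

# Offline check of the subnet-to-site mapping the locator applies to a client address:
# the subnet object with the longest matching prefix decides the site (IPv4 only here)
function Get-SiteForIPAddress {
    param([Parameter(Mandatory)][string]$IPAddress)
    $toUInt32 = { param($ip) [BitConverter]::ToUInt32([byte[]]([ipaddress]$ip).GetAddressBytes()[3..0], 0) }
    $allOnes  = [int64][uint32]::MaxValue
    $ipBits   = & $toUInt32 $IPAddress
    $best     = $null
    foreach ($subnet in Get-ADReplicationSubnet -Filter * -Properties Site) {
        $net, $prefix = $subnet.Name -split '/'
        if (([ipaddress]$net).AddressFamily -ne 'InterNetwork') { continue }
        $mask = [uint32](($allOnes -shl (32 - [int]$prefix)) -band $allOnes)
        if (($ipBits -band $mask) -eq ((& $toUInt32 $net) -band $mask) -and [int]$prefix -gt $best.Prefix) {
            $best = [pscustomobject]@{
                Prefix = [int]$prefix
                Subnet = $subnet.Name
                Site   = ($subnet.Site -split ',')[0] -replace '^CN='   # site name from the site DN
            }
        }
    }
    return $best
}

Get-SiteForIPAddress -IPAddress '172.16.10.50'        # Toronto, via 172.16.10.0/24
Get-ADDomainController -Filter * | Select-Object Name, Site, IPv4Address
```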
How Replication Works Between Sites
Replication within sites:
• Assumes fast, inexpensive, and highly reliable network links
• Does not compress traffic
• Uses a change notification mechanism
Replication between sites:
• Assumes higher cost, limited bandwidth, and unreliable network links
• Has the ability to compress replication
• Occurs on a configured schedule
• Can be configured for immediate and urgent replications
(Diagram: sites containing A1/A2 and B1/B2 with their IP subnets, showing replication within each site and between sites)
What Is the Intersite Topology Generator?
ISTG defines the replication between AD DS sites on a network
(Diagram: two sites with their IP subnets joined by a site link, with the ISTG in each site managing the intersite replication)
Optimizing Domain Controller Coverage in Multiple Site Scenarios
• Domain controllers register SRV records as follows:
• _tcp.adatum.com: All domain controllers in the domain
• _tcp.sitename._sites.adatum.com: All services in a specific site
• Clients query DNS to locate services in specific sites
How Client Computers Locate Domain Controllers Within Sites
The process for locating a domain controller occurs as follows:
1. New client queries for all domain controllers in the domain
2. Client attempts LDAP ping to find all domain controllers
3. First domain controller responds
4. Client queries for all domain controllers in the site
5. Client attempts LDAP ping to find all domain controllers in the site
6. Client stores domain controller and site name for further use
7. Domain controller is used for the full logon process, including authentication, building the token, and building the list of GPOs to apply
• Domain controller offline? Client queries for domain controllers in registry stored site
• Client moved to another site? Domain controller refers client to another site
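The locator process from the last two slides, traced as an added example (not part of the course) with queries you can run from a domain-joined client. Domain and site names follow the lab (adatum.com, LondonHQ, Toronto); the SRV owner names follow the _tcp and _sites convention shown on the slide.

```powershell
# Added example, not part of the course: the DC locator steps as queries run from a
# domain-joined Windows client. Domain and site names follow the lab.
$domain   = 'adatum.com'
$site     = 'Toronto'
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Step 1: every domain controller in the domain registers under _tcp.<domain>
Resolve-DnsName -Name "_ldap._tcp.${domain}" -Type SRV |
    Where-Object Type -eq 'SRV' |
    Select-Object NameTarget, Port, Priority, Weight

# Step 4: only the DCs covering this site register under _tcp.<site>._sites.<domain>
Resolve-DnsName -Name "_ldap._tcp.${site}._sites.${domain}" -Type SRV |
    Where-Object Type -eq 'SRV' |
    Select-Object NameTarget, Port, Priority, Weight

# Steps 2, 3 and 5 (LDAP ping, first responder) happen inside Netlogon; nltest shows the
# result: the DC chosen, the DC's site ("Dc Site Name") and the client's site ("Our Site Name")
nltest "/dsgetdc:$domain" "/site:$site" /force

# Step 6: the site name Netlogon cached for this client. If the DC goes offline, the
# client queries for DCs in this stored site first rather than the whole domain.
(Get-ItemProperty -Path $netlogon).DynamicSiteName
nltest /dsgetsite

# Moved client: its address now falls in another site's subnet, so the DC it reaches
# refers it to that site. Compare the referral with the cached name.
$reply = nltest "/dsgetdc:$domain" /force
if (($reply -join "`n") -match 'Our Site Name:\s*(\S+)') {
    $referredSite = $Matches[1]
    if ($referredSite -ne (Get-ItemProperty -Path $netlogon).DynamicSiteName) {
        "Client now belongs to site $referredSite; Netlogon will update DynamicSiteName"
    }
}
```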
Lesson 3: Configuring and Monitoring AD DS Replication
• What Are AD DS Site Links?
• What Is Site Link Bridging?
• What Is Universal Group Membership Caching?
• Managing Intersite Replication
• Demonstration: Configuring AD DS Intersite Replication
• Best Practices When Deploying RODCs to Support Remote Sites
• Demonstration: Configuring Password Replication Policies
• Tools for Monitoring and Managing Replication
What Are AD DS Site Links?
• Site links contain sites:
• Within a site link, a connection object can be created between any two domain controllers
• The default site link, DEFAULTIPSITELINK, is not always appropriate given your network topology
(Diagram: HQ, SEA, Beijing, and AMS all in DEFAULTIPSITELINK, compared with a dedicated HQ-SEA site link)
What Is Site Link Bridging?
• By default, automatic site link bridging:
• Enables ISTG to create connection objects between site links
• Allows disabling of transitivity in the properties of the IP transport
• Site link bridges:
• Enable you to create transitive site links manually
• Are useful only when transitivity is disabled
(Diagram: HQ-SEA, HQ-Beijing, and HQ-AMS site links, with a site link bridge spanning them through HQ)
What Is Universal Group Membership Caching?
Universal group membership caching enables domain controllers in a site with no global catalog servers to cache universal group membership
(Diagram: a site with a global catalog server and a site without one, each with a bridgehead server and its IP subnets)
Managing Intersite Replication
• Site link costs:
• Replication uses the connections with the lowest cost
• Replication:
• Polling: Downstream bridgehead polls upstream partners
• Default is 3 hours
• Minimum is 15 minutes
• Recommended is 15 minutes
• Replication schedules:
• 24 hours a day
• Can be scheduled
Demonstration: Configuring AD DS Intersite Replication
In this demonstration, you will see how to configure AD DS intersite replication
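The site link, bridging, and intersite settings from the last four slides, as an added PowerShell example (not the course demo). Site and DC names follow the lab (LondonHQ, Toronto, TestSite, LON-DC2); the Amsterdam site, the costs, and the choice of preferred bridgehead are assumptions.

```powershell
# Added example, not the course demo: a dedicated site link with cost and interval,
# change notification, disabled transitivity, an explicit bridge and a preferred
# bridgehead. Site/DC names follow the lab; Amsterdam and the costs are assumed.
Import-Module ActiveDirectory
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"

# Site links: the ISTG routes over the lowest total cost; the interval is the polling
# period (default 180 minutes, minimum and recommended 15)
New-ADReplicationSiteLink -Name 'LondonHQ-Toronto'   -SitesIncluded LondonHQ, Toronto `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'LondonHQ-Amsterdam' -SitesIncluded LondonHQ, Amsterdam `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'Toronto-TestSite'   -SitesIncluded Toronto, TestSite `
    -Cost 200 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Take the branch sites out of DEFAULTIPSITELINK so the ISTG only sees intended paths
Set-ADReplicationSiteLink -Identity DEFAULTIPSITELINK -SitesIncluded @{ Remove = 'Toronto', 'Amsterdam', 'TestSite' }

# options bit 0x1 on a site link turns on change notification across it, which is what
# gives immediate and urgent replication between sites
Set-ADReplicationSiteLink -Identity 'LondonHQ-Toronto' -Replace @{ options = 1 }

# options bit 0x2 on the IP transport means "bridges required": automatic site link
# bridging is off, so LondonHQ no longer gets a connection object straight to TestSite
Set-ADObject -Identity $ipTransport -Replace @{ options = 2 }

# Bridge only where a transitive path is wanted: Amsterdam and Toronto may replicate
# through LondonHQ, while TestSite stays reachable from Toronto alone
New-ADReplicationSiteLinkBridge -Name 'LondonHQ-Hub' -SiteLinksIncluded 'LondonHQ-Toronto', 'LondonHQ-Amsterdam'

# Preferred bridgehead: LON-DC2 carries all intersite replication for LondonHQ. The ISTG
# then chooses only from the preferred servers, so name at least two per domain in a
# site, or none at all.
Set-ADObject -Identity (Get-ADDomainController -Identity 'LON-DC2').ServerObjectDN `
    -Add @{ bridgeheadTransportList = $ipTransport }

# Recalculate now and inspect the connection objects the ISTG generated
repadmin /kcc
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated
```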
Best Practices When Deploying RODCs to Support Remote Sites
Password replication policies are:
• Used to determine which users' credentials should be cached on the RODC
• Determined by the Allowed List and the Denied List
Demonstration: Configuring Password Replication Policies
In this demonstration, you will see how to configure password replication policies
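The Allowed and Denied lists from the previous slide, configured and audited as an added PowerShell example (not the course demo). The RODC name TOR-RODC1, the group names, and the OU path are assumed; LON-DC1 follows the lab.

```powershell
# Added example, not the course demo. The RODC name, group names and OU path are assumed.
# PRP evaluation: the Denied list wins over the Allowed list, and an account in neither
# list is never cached.
Import-Module ActiveDirectory
$rodc   = 'TOR-RODC1'
$branch = 'OU=Toronto,DC=adatum,DC=com'

# What the policy says today (the defaults deny the privileged groups)
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name

# One group per branch holding the users and computers that actually log on there
New-ADGroup -Name 'Toronto PRP Allowed' -GroupScope Global -Path $branch
Add-ADGroupMember -Identity 'Toronto PRP Allowed' -Members (Get-ADUser -Filter * -SearchBase $branch)
Add-ADGroupMember -Identity 'Toronto PRP Allowed' -Members (Get-ADComputer -Filter * -SearchBase $branch)

Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Toronto PRP Allowed'
# Helpdesk staff visit the branch, but their credentials must never sit on a branch server
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Helpdesk Operators'

# Pre-populate passwords so the first logon during a WAN outage does not depend on London
Get-ADGroupMember -Identity 'Toronto PRP Allowed' | ForEach-Object {
    Sync-ADObject -Object $_ -Source 'LON-DC1' -Destination $rodc -PasswordOnly
}

# Audit: what is cached on the RODC, and who has authenticated through it. An account in
# the second list but not the first is a candidate for the Allowed list; a privileged
# account in the first list is an exposure to act on (reset its password).
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, ObjectClass
```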
Tools for Monitoring and Managing Replication
• Repadmin.exe examples:
• repadmin /showrepl Lon-dc1.adatum.com
• repadmin /showconn Lon-dc1.adatum.com
• repadmin /showobjmeta Lon-dc1 "cn=Linda Miller,ou=…"
• repadmin /kcc
• repadmin /replicate Tor-dc1 Lon-dc1 dc=adatum,dc=com
• repadmin /syncall Lon-dc1.adatum.com /A /e
• Dcdiag.exe /test:testName:
• FrsEvent or DFSREvent
• Intersite
• KccEvent
• Replications
• Topology
• Windows PowerShell
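The repadmin and dcdiag checks listed above, with their Windows PowerShell counterparts, as an added example run against every domain controller in the forest (not from the course). DC names follow the lab (LON-DC1, TOR-DC1); the 24-hour staleness threshold is assumed.

```powershell
# Added example, not from the course: PowerShell counterparts to the repadmin checks
# above, run forest-wide. DC names follow the lab; the 24-hour threshold is assumed.
Import-Module ActiveDirectory

# repadmin /showrepl for the whole forest: one row per inbound partner per partition,
# kept only when the last success is old or the partner is failing right now
function Get-StaleReplicationPartner {
    param([Parameter(Mandatory)][string[]]$Target, [int]$MaxAgeHours = 24)
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    Get-ADReplicationPartnerMetadata -Target $Target -Partition * |
        Where-Object { $_.LastReplicationSuccess -lt $cutoff -or $_.ConsecutiveReplicationFailures -gt 0 } |
        Select-Object Server, Partition, ConsecutiveReplicationFailures, LastReplicationSuccess,
                      @{ n = 'Partner'; e = { ($_.Partner -split ',')[1] -replace '^CN=' } },
                      LastReplicationResult
}

$allDcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
    Select-Object -ExpandProperty HostName

Get-StaleReplicationPartner -Target $allDcs | Format-Table -AutoSize

# repadmin /showrepl /errorsonly: failures with their Win32 error code and onset time
Get-ADReplicationFailure -Target $allDcs |
    Select-Object Server, Partner, FailureType, FailureCount, LastError, FirstFailureTime

# dcdiag: the replication-related tests from the slide, for one DC and then enterprise-wide
dcdiag /s:LON-DC1 /test:Replications /test:Topology /test:KccEvent /test:DFSREvent /test:Intersite
dcdiag /e /test:Replications /q

# repadmin /replicate for the domain partition, London to Toronto, without waiting for
# the polling interval; then confirm the attempt succeeded
repadmin /replicate TOR-DC1 LON-DC1 dc=adatum,dc=com
Get-ADReplicationPartnerMetadata -Target 'TOR-DC1' -Partition Domain |
    Select-Object Server, LastReplicationAttempt, LastReplicationSuccess, LastReplicationResult
```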
Lab: Implementing AD DS Sites and Replication
• Exercise 1: Modifying the Default Site
• Exercise 2: Creating Additional Sites and Subnets
• Exercise 3: Configuring AD DS Replication
• Exercise 4: Monitoring and Troubleshooting AD DS Replication
Logon Information
Virtual machines: 20412C-LON-DC1, 20412C-TOR-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 30 minutes
Lab Scenario
A. Datum Corporation has deployed a single AD DS domain with all
the domain controllers located in the London data center. As the
company has grown and added branch offices with large numbers of
users, it has become apparent that the current AD DS environment
does not meet the company requirements. Users in some of the
branch offices report that it can take a long time for them to sign in on
their computers. Access to network resources such as the company’s
Microsoft Exchange® 2013 servers and the Microsoft SharePoint®
servers can be slow, and they fail sporadically.
As one of the senior network administrators, you are responsible for
planning and implementing an AD DS infrastructure that will help
address the business requirements for the organization. You are
responsible for configuring AD DS sites and replication to optimize the
user experience and network utilization within the organization.
Lab Review
• You decide to add a new domain controller to the
LondonHQ site named LON-DC2. How can you
ensure that LON-DC2 is used to pass all
replication traffic to the Toronto site?
• You have added the new domain controller
named LON-DC2 to the LondonHQ site. Which
AD DS partitions will be modified as a result?
• In the lab, you created a separate site link for the
Toronto and TestSite sites. What might you also
have to do to ensure that LondonHQ does not
automatically create a connection object directly
with the TestSite site?
Module Review and Takeaways
• Review Questions
• Best Practice
• Common Issues and Troubleshooting Tips