Friday, August 9, 2013

Active Directory - Sites and Services

The main purpose of this snap-in is to configure the replication topology of your Active Directory environment. After the first domain controller is promoted, a single site named "Default-First-Site-Name" is created automatically, and every DC joins it until you define more sites. Replication takes one of two forms:
·       Intra-site replication, between domain controllers in the same site (the same LAN). It is triggered by change notification, is not compressed and needs no schedule.

·         Inter-site replication, between two sites, i.e. between two LANs connected over a WAN. It is compressed, runs on the schedule and cost you assign to the site link, and flows through the bridgehead servers chosen for each site.

Secondary uses of the Sites and Services snap-in:
·         Inspect the replication topology: the connection objects, servers and NTDS Settings objects of every domain controller.
·         Create subnets and assign them to sites, so that clients and DCs find services (logon, DFS, and so on) in their own site instead of crossing the WAN, for example:
-          Site 1 = –
-          Site 2 = –
·         Enable or disable the Global Catalog role on a DC (it is a checkbox on the DC's NTDS Settings object).
When we talk about replication we need to know what is actually replicated, and for that we first need to understand the Active Directory partitions (also called naming contexts):
The Active Directory database (NTDS.dit) is divided into partitions. Every domain controller in a forest holds at least the two forest-wide partitions, Schema and Configuration, plus the partition of its own domain; a DC that also hosts AD-integrated DNS typically shows five, because the DomainDnsZones and ForestDnsZones application partitions count as well. The partition types:

Schema Partition:
There is exactly one schema per forest, and every DC in the forest holds a replica of it. The schema partition defines the object classes and attributes that can exist in the directory; it does not hold the objects themselves. Because schema changes replicate to every DC in the forest and cannot be rolled back (a class or attribute can only be deactivated, never deleted), they must follow the schema rules and be planned carefully. Keep the Schema Admins group empty except while a schema change is being made.

Configuration Partition:
Like the schema, the configuration partition is forest-wide: there is one per forest and it replicates to every DC in the forest. It describes the structure of the forest: the list of domains (CN=Partitions), the sites, site links, subnets, servers and NTDS Settings objects, and forest-wide service information. Everything the Sites and Services snap-in shows lives here. Note that it is readable by any authenticated user, so it is also the first thing an attacker enumerates to map the DCs and sites of the forest.

Domain Partition:
Each domain has its own domain partition. It is held by every DC of that domain and replicated only among those DCs; a DC does not hold the domain partitions of other domains. It contains the objects created in the domain: users, groups, computers, OUs and so on. A subset of each object's attributes (the partial attribute set) is additionally replicated, read-only, to every Global Catalog server in the forest.

Application Partition:
Application partitions store data for directory-enabled applications; AD-integrated DNS (DomainDnsZones and ForestDnsZones) is the common example. You choose which DCs hold a replica, so the replication scope is independent of domain boundaries. An application partition cannot contain security principals (users, groups, computers), and unlike the domain partition its objects are not replicated to the Global Catalog.
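The partition types above can be read straight out of the directory. The following is an added example, not code from the original post: it lists the naming contexts the queried DC holds and classifies each one from the crossRef objects under CN=Partitions in the configuration partition. It assumes the RSAT ActiveDirectory module and a reachable DC; no special rights are needed because the configuration partition is readable by any authenticated user.

```powershell
# Added example (not part of the original post): list the naming contexts this
# DC holds and classify each one using the crossRef objects under CN=Partitions.
# Assumes RSAT's ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory

$rootDse = Get-ADRootDSE
$partitionsContainer = "CN=Partitions,$($rootDse.configurationNamingContext)"

# Every partition in the forest is registered as a crossRef object.
# systemFlags 0x1 (FLAG_CR_NTDS_NC) is set on every NC hosted in this forest;
# 0x2 (FLAG_CR_NTDS_DOMAIN) additionally marks a domain partition.
$crossRefs = Get-ADObject -SearchBase $partitionsContainer `
    -LDAPFilter "(objectClass=crossRef)" `
    -Properties nCName, systemFlags, msDS-NC-Replica-Locations

$result = foreach ($cr in $crossRefs) {
    $nc = $cr.nCName
    if ($nc -eq $rootDse.schemaNamingContext) {
        $kind = "Schema (one per forest, on every DC)"
    } elseif ($nc -eq $rootDse.configurationNamingContext) {
        $kind = "Configuration (one per forest, on every DC)"
    } elseif (($cr.systemFlags -band 0x2) -ne 0) {
        $kind = "Domain (replicates among that domain's DCs; PAS goes to GCs)"
    } elseif (($cr.systemFlags -band 0x1) -ne 0) {
        $kind = "Application (explicit replica set, no security principals, not in GC)"
    } else {
        $kind = "External crossRef (not hosted in this forest)"
    }

    # Application partitions list their replicas explicitly as NTDS Settings DNs:
    # "CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site,..." -> "DC01"
    $replicas = @($cr.'msDS-NC-Replica-Locations') | Where-Object { $_ } | ForEach-Object {
        (($_ -split ',')[1] -replace '^CN=', '')
    }

    [pscustomobject]@{
        Partition    = $nc
        Kind         = $kind
        HeldByThisDC = ($rootDse.namingContexts -contains $nc)
        Replicas     = ($replicas -join ', ')
    }
}

$result | Format-Table -AutoSize
```

Run it against a DC with AD-integrated DNS and you will see the five partitions the text mentions: schema, configuration, the domain, and the two DNS application partitions with their replica lists; a DC in a multi-domain forest shows the other domains' crossRefs with HeldByThisDC set to False.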

Replication Topology:
The replication topology is the set of connection objects over which directory data travels between the domain controllers in your environment. Replication is always pair-wise: a DC pulls changes from one partner at a time over a connection object.
You do not assign replicas partition by partition; the KCC builds the topology from the partitions each DC holds (automatically within a site, and from the site links you define between sites).
Remember that two partitions, Schema and Configuration, belong to the whole forest, so every DC in the forest holds a replica of both and replicates them with its partners. The domain partition is different: DCs replicate it only with the other DCs of the same domain, so a forest with several domains has one replication ring per domain on top of the forest-wide ones.

Knowledge Consistency Checker (KCC):
The KCC is a built-in process that runs on every DC. It reads the configuration partition and generates (and repairs) the connection objects needed so that each partition this DC holds replicates with the right partners: within a site it builds a bidirectional ring with extra shortcut connections so that no DC is more than three hops from any other, and one DC per site, the Inter-Site Topology Generator (ISTG), builds the connections between sites. The KCC runs every 15 minutes by default and can be run on demand with repadmin /kcc.

Global Catalog and Replication of Partitions:
The Global Catalog (GC) lets clients search for objects from every domain in the forest (users, computers, groups and so on) with a single query, instead of having to query a DC in each domain in turn. It listens on LDAP port 3268 (3269 for LDAPS), alongside the normal port 389. Without a GC, a forest-wide search would have to be sent to a DC of every domain, which is slow and fragile.
By Microsoft's recommendation you need at least one Global Catalog server in the forest; the first DC of the forest is a GC by default. The GC is a role hosted on a domain controller: it holds a read-only, partial copy of every other domain partition in the forest in addition to its own full domain partition.
Any authenticated user can query the Global Catalog. Changing what it contains (adding an attribute to the partial attribute set) is a schema change, and that is what requires membership in Schema Admins.
The global catalog holds, for every object in the forest:
1.       The default set of attributes for each object type (users, computers, ...), the partial attribute set defined in the schema.
2.       The attributes most often used in queries, such as a user's first and last name and logon name (sAMAccountName, userPrincipalName).
3.       The information needed to locate the object in the directory (distinguished name, objectGUID, objectSid).
4.       Each object's security descriptor, so GC queries are permission-checked: a user only gets back the objects they are allowed to read, and objects they have no permission on are left out of the response.

So, to sum up the GC:
·        A global catalog server is a domain controller that holds a full, writable replica of its own domain partition (read-only if it is an RODC).
·        A global catalog server additionally holds a read-only, partial replica of every other domain partition in the forest, containing only the attributes in the partial attribute set.

Microsoft recommends having a global catalog server for every active directory site in an enterprise network.
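To see the above in practice, here is an added example (PowerShell, not code from the original post) that lists the GCs per site, turns the GC role on the way the Sites and Services checkbox does, dumps the partial attribute set from the schema, and reads the same object through port 389 and through the GC port 3268 to show what the GC copy lacks. The ActiveDirectory module is assumed; "DC02" and "svc-backup" are placeholder names.

```powershell
# Added example, not the post's own code: inspect and manage the Global Catalog
# from PowerShell (ActiveDirectory module assumed). "DC02" and "svc-backup" are
# placeholder names.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# 1. Which DCs are GCs, and in which site. Compare against "one GC per site".
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly | Format-Table -AutoSize

# 2. Enabling the GC role is what the Sites and Services checkbox does: it sets
#    bit 0x1 of the "options" attribute on the DC's NTDS Settings object.
$ntds = (Get-ADDomainController -Identity "DC02").NTDSSettingsObjectDN
$opts = (Get-ADObject -Identity $ntds -Properties options).options
if (($opts -band 1) -eq 0) {
    Set-ADObject -Identity $ntds -Replace @{ options = ($opts -bor 1) }
}

# 3. The partial attribute set (PAS): attributeSchema objects flagged
#    isMemberOfPartialAttributeSet. Querying the GC needs no special rights;
#    changing this flag is a schema change and needs Schema Admins.
$pas = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" `
    -Properties lDAPDisplayName |
    Select-Object -ExpandProperty lDAPDisplayName
"{0} attributes in the PAS; sAMAccountName in PAS: {1}; nTSecurityDescriptor in PAS: {2}" -f `
    $pas.Count, ($pas -contains 'sAMAccountName'), ($pas -contains 'nTSecurityDescriptor')

# 4. The same object read through LDAP (389: own domain, full attribute set)
#    and through the GC port (3268: whole forest, PAS attributes only).
#    A forest-wide GC search uses an empty search base.
$gc = (Get-ADDomainController -Discover -Service GlobalCatalog).HostName | Select-Object -First 1
$viaLdap = Get-ADObject -Server "${gc}:389"  -LDAPFilter "(sAMAccountName=svc-backup)" -Properties *
$viaGc   = Get-ADObject -Server "${gc}:3268" -LDAPFilter "(sAMAccountName=svc-backup)" -SearchBase "" -Properties *
"Attributes via 389: {0}; via 3268: {1}" -f $viaLdap.PropertyCount, $viaGc.PropertyCount
# Attributes present on the full replica but missing from the GC copy:
Compare-Object @($viaLdap.PropertyNames) @($viaGc.PropertyNames) |
    Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject
```

Step 4 is the practical reason the PAS matters: an application that binds to 3268 for speed and then expects an attribute that is not in the PAS will get nothing back, and the fix (flagging the attribute in the schema) replicates that attribute to every GC in the forest.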

More about sites and Subnets:
Sites in AD represent the physical structure of the network. A site is a set of well-connected (LAN-speed) subnets; you attach TCP/IP subnets to sites, and a single site can contain several subnets. A client or DC whose IP address falls into one of a site's subnets is treated as a member of that site and uses that site's DCs.
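The following is an added example (not from the original post) that builds the two-site layout described above in PowerShell rather than clicking through the snap-in: rename the default site, add a second site, attach subnets, create the site link that inter-site replication needs, move a DC into the new site and verify the result. Site names, subnet ranges, DC names and link parameters are assumptions; the ActiveDirectory module and rights to write under CN=Sites in the configuration partition (Enterprise Admins by default) are required.

```powershell
# Added example (not from the original post): create the two-site layout the
# post describes. Site names, subnets, DC names and the site-link settings are
# assumptions; ActiveDirectory module required, plus rights on CN=Sites.
Import-Module ActiveDirectory

# The site that the first DC promotion created; give it a meaningful name.
Get-ADReplicationSite -Identity "Default-First-Site-Name" | Rename-ADObject -NewName "HQ"
New-ADReplicationSite -Name "Branch" -Description "Branch office, WAN-connected"

# Subnets map client/DC IP addresses to sites. A site may own several subnets;
# a client outside every subnet is served by an arbitrary site (and logged, see below).
New-ADReplicationSubnet -Name "10.1.0.0/16"   -Site "HQ"
New-ADReplicationSubnet -Name "10.1.200.0/24" -Site "HQ"
New-ADReplicationSubnet -Name "10.2.0.0/16"   -Site "Branch"

# Inter-site replication only happens over a site link. Cost steers the ISTG's
# path choice; frequency and schedule throttle WAN traffic (intra-site needs none).
New-ADReplicationSiteLink -Name "HQ-Branch" -SitesIncluded "HQ", "Branch" `
    -Cost 100 -ReplicationFrequencyInMinutes 30 -InterSiteTransportProtocol IP

# Move the branch DC into its site, then make the KCC rebuild the topology now
# instead of waiting for its next 15-minute run.
Move-ADDirectoryServer -Identity "DC02" -Site "Branch"
repadmin /kcc DC02

# Verification: subnet-to-site map, the ISTG chosen for each site, and the
# site this machine resolved to.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Format-Table -AutoSize
Get-ADReplicationSite -Filter * -Properties InterSiteTopologyGenerator |
    Select-Object Name, InterSiteTopologyGenerator
nltest /dsgetsite

# Clients whose IP is in no defined subnet are reported by NETLOGON as event 5807
# on the DC that served them; this is effectively the list of subnets you forgot.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5807 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

The last check is the one people skip: a missing subnet does not break anything visibly, it just sends the branch's logons over the WAN to whichever DC answered first, which is exactly the traffic the subnets were meant to avoid.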

What is Replication Monitor?
Replmon (Active Directory Replication Monitor) is a graphical tool from the Windows Server 2003 Support Tools; it was not carried forward into Windows Server 2008, where repadmin and the ActiveDirectory PowerShell module take its place.
·          It displays replication partners, both direct and transitive, so you can monitor the replication topology, see which objects have not yet replicated from a domain controller, and trigger the KCC to recalculate the topology.

Replication Monitor runs on a domain controller or on any computer running Windows Server 2003 with the Support Tools installed.

How to configure Replication Monitor:

  1. Open Start -> Run, type Replmon and press OK.
  2. On the View menu, click Options.
  3. In the "Active Directory Replication Monitor Options" page, go to the Status Logging tab and tick "Display Changed Attributes when Replication Occurs".
  4. Click "Monitored Servers" and add the domain controllers you want to watch.

Repadmin.exe Tool:
Repadmin is the command-line tool for replication tasks and the replacement for Replmon on newer systems.
With it you can view the replication topology as seen from each DC (repadmin /showrepl), summarise the replication state of the whole forest (repadmin /replsummary), force replication (repadmin /syncall, repadmin /replicate) and view replication metadata (repadmin /showobjmeta), i.e. which DC originated the last change to each attribute of an object, and when.

Dcdiag Tool:
Dcdiag analyzes the state of domain controllers and reports the problems it finds; among other things it checks connectivity, replication, topology integrity and intersite health.

At a command prompt, type:

            dcdiag [/switch]
Switch                          Description
/v                                  Provides verbose results. When you use /v, the output from dcdiag
                                    provides a lot of information that can help you troubleshoot a
/f:LogFile                    Redirects output to the specified log file.
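Putting repadmin and dcdiag together, here is an added example (not commands from the original post) of a replication health pass, followed by two checks that use the same replication machinery from a security angle: which principals hold the replication rights on the domain partition, and the replication metadata that tells you when, and through which DC, a sensitive attribute last changed. The names "DC01", "svc-backup" and the OU path are assumptions; the ActiveDirectory module is required, and the rights audit needs read access to the domain head's security descriptor, which any authenticated user has.

```powershell
# Added example, not commands from the original post. A replication health pass
# with repadmin and dcdiag, then two checks a security engineer wants from the
# same data: who may pull replication data from the domain partition, and when
# and where a sensitive attribute last changed. "DC01", "svc-backup" and the
# OU path are assumptions; ActiveDirectory module required.
Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName

# 1. Health: forest summary, then only the partner links that are failing.
repadmin /replsummary
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Source DSA', 'Destination DSA', 'Naming Context', 'Last Failure Status', 'Last Success Time' |
    Format-Table -AutoSize
Get-ADReplicationFailure -Scope Forest -Target (Get-ADForest).Name |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError

# 2. Push every partition to every partner across all sites, then run the
#    replication tests with verbose output into a log file.
repadmin /syncall /AdeP
dcdiag /test:Replications /v /f:C:\Temp\dcdiag-replications.log

# 3. Replication rights on the domain partition. DCs need these control-access
#    rights to pull changes from each other; a non-DC principal holding
#    Get-Changes plus Get-Changes-All can replicate password hashes out of the
#    domain (the DCSync technique), so every entry that is not a DC group or a
#    built-in admin group needs a justification. Note that GenericAll/WriteDacl
#    holders can grant themselves these rights and do not appear in this list.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
(Get-Acl -Path "AD:\$domainDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $replRights.ContainsKey($_.ObjectType.ToString()) } |
    Group-Object { $_.IdentityReference.Value } |
    Select-Object @{ n = 'Principal'; e = { $_.Name } },
                  @{ n = 'Rights'; e = { ($_.Group | ForEach-Object { $replRights[$_.ObjectType.ToString()] } | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# 4. Replication metadata as a forensic timeline: the originating DC, version
#    and time of the last change to each attribute. First the raw repadmin view
#    of one account, then the linked-value metadata for Domain Admins membership
#    (which member was added or removed, when, and through which DC).
repadmin /showobjmeta DC01 "CN=svc-backup,OU=Service Accounts,$domainDn"
Get-ADReplicationAttributeMetadata -Object "CN=Domain Admins,CN=Users,$domainDn" `
    -Server (Get-ADDomainController).HostName -ShowAllLinkedValues |
    Where-Object AttributeName -eq 'member' |
    Select-Object AttributeValue, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity |
    Sort-Object LastOriginatingChangeTime -Descending | Format-Table -AutoSize
```

Step 4 is worth remembering during an incident: the metadata survives even when the change was made on a DC whose security log has since rolled over, because it names the originating DC and the time of the originating write, so you know which DC's logs to pull.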
