The logical components of Active Directory include domains, organizational
units (OUs), users, groups, and computers, all designed to map to political
requirements of a business. The physical components of Active Directory are
based on technical issues. The Active Directory uses the concept of sites
to map to an organization's physical network. A site is a collection
of well connected computers.
It is important to understand that there is no specified relationship between
Active Directory sites and Active Directory domains. A single domain can span
multiple sites. A single site may contain multiple domains.
There are two main reasons to use Active Directory sites. These are as
follows:
- Service Requests
Clients use domain controllers for network services such as logon
authentication. Through the use of sites, clients can easily connect to
the domain controller that is located closest to them. Sites can also
be used to coordinate printer locations: a user can find the closest printer
by querying Active Directory.
- Replication
Through the use of sites, the Active Directory can automatically determine
the best methods for performing replication operations. Sites take into
account an organization's network infrastructure and are used by the AD to
determine the most efficient method for synchronizing information between
domain controllers.
Replication
The basic objects that are used for managing replication include subnets,
sites, and site links. Each of these components works together in determining
how data is replicated between domain controllers:
- Subnets - A subnet is a partition of a TCP/IP network. All of the computers that are located on a given subnet are generally well connected.
- Sites - An Active Directory site is a logical object that can contain servers and other objects related to AD replication. Specifically, a site is a grouping of related subnets. Sites are created to match the physical network structure of an organization.
- Site Links - Site links are created to define the types of connections that are available between the components of a site. Site links can reflect the relative costs for a network connection and can reflect the bandwidth that is available for communications.
When managing replication traffic within Active Directory sites, there are
two main areas of synchronization:
- Intrasite Replication
Intrasite replication refers to the synchronization of Active Directory
information between domain controllers that are located in the same site.
In accordance with the concept of sites, these machines are usually well
connected by a high-speed LAN.
Intrasite replication uses the Remote Procedure Call (RPC) protocol.
This protocol is optimized for transmitting and synchronizing information over
fast and reliable network connections. The information is not compressed;
network bandwidth is spent in place of processor-intensive compression
schemes.
- Intersite Replication
Intersite replication occurs between domain controllers in different sites.
Usually, this means that there is a WAN or other type of costly network
connection between the various machines. Intersite replication is optimized
for minimizing the amount of network traffic that occurs between sites.
There are two different protocols that may be used to transfer information
between sites: RPC over IP and SMTP. RPC over IP requires
a live connection between two or more domain controllers in different sites.
RPC over IP was designed for slower WAN links in which packet loss and
corruption may often occur. SMTP is a store-and-forward protocol which
delivers data to one server, which will attempt to forward the data to its
next destination. If the destination is offline, it will wait and try again
at specific intervals. SMTP is an inherently insecure network protocol.
You must, therefore, take advantage of Windows 2000's Certificate Services
functionality if you use SMTP for Active Directory replication.
Intersite Replication also addresses low-bandwidth situations and less
reliable network connections by compressing Active Directory information.
As the administrator, you can also change how often replication occurs
between sites.
The RPC protocol used in intrasite replication is the same protocol
used in intersite replication, where it is referred to as RPC over IP.
When configuring transports in Active Directory Sites and Services, RPC
denotes the intrasite use, and IP denotes RPC used for intersite
replication. Point being, they are the same protocol although they are
specified differently.
Site Links and Site Link Bridges
The overall topology of intersite replication is based on the use of site
links and site link bridges. Site links are logical connections that
define a path between two Active Directory sites. Site link bridges
are used to connect site links together so that the relationship can be
transitive.
Both site links and site link bridges are used by the Active Directory
services to determine how information should be synchronized between domain
controllers in remote sites. The Knowledge Consistency Checker (KCC)
forms a replication topology based on the site topology created. This service
is responsible for determining the best way to replicate information within
and between sites.
When creating site links for your network, you need to consider the following
factors: Transport, Cost, and Schedule.
- Transport - The protocol you will use. You can use RPC over IP or SMTP for transferring information over a site link. SMTP requires the use of Certificate Services.
- Cost - Multiple site links can be created between sites. The cost reflects the type of connection, for example slow or expensive. The lower the cost value of a link, the more likely the link is to be used for replication. A T1 link would have a lower cost value than an ISDN link.
- Schedule - The schedule determines when information should be replicated. Replication requires network resources and occupies bandwidth. You should find a balance between consistent directory information and the need to conserve bandwidth.
To create site links and site link bridges, you will use the Active Directory
Sites and Services tool from the Administrative Tools program group. Expand
Sites -> Inter-Site Transports -> IP objects. You can rename the
DEFAULTIPSITELINK to something like corpT1. Under the properties for
this site link, you can configure the description, cost, replication
scheduling, etc... You can also create another site link named something
like corpdial. Assign it a higher cost and longer replication interval. The
"Change Schedule" button allows you to set times in which replication should
and should not occur.
To create a site link bridge, right-click the IP object and select New Site Link
Bridge. Name it something like corpbridge. The corpT1 and corpdial site links
will already be added to the site link bridge.
Bridgehead Servers
By default, all of the servers in one site will communicate with the servers
in another site. You can, however, control replication between sites by using
bridgehead servers. This method is useful for minimizing replication
traffic in larger networks, and allows you to dedicate machines that are
better connected to receive replicated data.
A bridgehead server is used to specify which domain controllers are preferred
for transferring replication information between sites. A bridgehead server
participates in intersite replication and then uses intrasite replication to
replicate directory information within its site.
In the AD Sites and Services, right-click a domain controller and select
Properties. Select the transport protocol and make the DC a bridgehead
server for that transport protocol.
Connection Objects
In most cases it is good practice to allow the Active Directory's replication
mechanisms to automatically schedule and manage replication functions. In
some cases you may want to have additional control over replication. You can
set up different types of replication schedules through the use of
connection objects. These are created with the AD Sites and Services
admin tool. Expand a server object, right-click the NTDS Settings object,
and select New AD Connection. You can configure many things on the
connection, such as: protocol, schedule, and the DCs that will participate
in the replication. Additionally, once created, you can right-click the
connection and choose Replicate Now.
Active Directory Sites and Services Administration Tool
The administration tool AD Sites and Services is used to create sites and
subnets in Active Directory. The first site is named
"Default-First-Site-Name" by default. You can rename this to whatever you
need.
Under the sites container in AD Sites and Services, you can expand a site
and add servers to the site. This will be the Domain Controllers in the
site which will relate to replication. You may also specify the preferred
bridgehead server here.
The Active Directory Sites and Services Administration Tool can be used to
configure the following:
- Subnets
- Sites
- Site Links
- Site Link Bridges
- Bridgehead Servers
- Connection Objects
- Replication Parameters
2 Connection objects are needed between two domain controllers to replicate
in both directions. A single connection object only allows replication in
one direction.
DomainA -> DomainB - NTDS Settings object of DomainB
DomainB -> DomainA - NTDS Settings object of DomainA
Site Links manage replication between sites, Connection objects manage
replication between domain controllers.
3 sites x, y, z: x and y connected with a cost of 3, y and z connected with a
cost of 4. x and z are connected through y. The cost of xz is the sum of the
links used by the bridge, 7.
Site Links:
Can connect more than 2 sites
Default COST = 100
Default Schedule = ALL TIMES
Default Replication Interval = 3 hours
When creating a Site Link Bridge, first turn off the "Bridge all site links"
feature.
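As an added worked example (not part of the original notes), the following Python models site links as sets of member sites with a cost and computes the cheapest intersite route with and without a site link bridge; it reproduces the x/y/z cost of 7 above and uses the default cost of 100 and the 3-hour interval from the notes. The SiteLink class, cheapest_path function and site names are constructed for illustration.

```python
import heapq

DEFAULT_COST = 100           # default site link cost from the notes
DEFAULT_INTERVAL_MIN = 180   # default replication interval: 3 hours


class SiteLink:
    """A site link: a set of member sites (can be more than two) and a cost."""
    def __init__(self, name, sites, cost=DEFAULT_COST, interval_min=DEFAULT_INTERVAL_MIN):
        self.name, self.sites = name, frozenset(sites)
        self.cost, self.interval_min = cost, interval_min


def cheapest_path(links, src, dst, bridged=True):
    """Return (total_cost, [site, ...]) for the cheapest route from src to dst.

    bridged=True models a site link bridge (or "Bridge all site links"):
    links become transitive and a route's cost is the sum of the link costs.
    bridged=False: only sites sharing a single link with src are reachable.
    Returns None when dst cannot be reached.
    """
    if src == dst:
        return (0, [src])
    if not bridged:
        direct = [l for l in links if src in l.sites and dst in l.sites]
        if not direct:
            return None
        return (min(l.cost for l in direct), [src, dst])
    # Dijkstra over sites; each link is a hyperedge joining all its members.
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist[site]:
            continue                      # stale queue entry
        if site == dst:
            break
        for link in (l for l in links if site in l.sites):
            for nxt in link.sites - {site}:
                if d + link.cost < dist.get(nxt, float("inf")):
                    dist[nxt], prev[nxt] = d + link.cost, site
                    heapq.heappush(heap, (d + link.cost, nxt))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return (dist[dst], path[::-1])


# Constructed topology from the notes: xy costs 3, yz costs 4, x and z only
# meet through y, so the bridged cost of x -> z is 3 + 4 = 7.
NOTES_LINKS = [SiteLink("xy", {"x", "y"}, cost=3), SiteLink("yz", {"y", "z"}, cost=4)]
```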
To display replication partners for dc2.domain.com:
repadmin.exe /showreps dc2.domain.com
To display highest Update Sequence Number (USN) on dc2.domain.com:
repadmin.exe /showvector dc=domain,dc=com dc2.domain.com
To display connection object for dc2.domain.com:
repadmin.exe /showconn dc2.domain.com
KCC Logging:
repadmin /kcc
Adjust HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics:
9 Internal Processing
Knowledge Consistency Checker > 3
After changing, wait 15 minutes.
Printer Locations:
Must have 1 site and at least 2 subnets to enable.
Naming Scheme: \usa\seattle\building1\floor2\
Max name chars: 32, max total: 260
Enable Location Tracking: Computer Config\Adm Templates\Printers\
"Pre-populate printer search location"
To name Location: AD Sites & Services\Subnet\properties\location tab