
Tuesday, January 31, 2017

dive computer training


Welcome to the next free video in the Active Directory training course. In the last video I looked at how to create sites and subnets. In this video I will look at how these sites can be configured to replicate Active Directory traffic in an efficient way that matches the current state of your network.

First of all I will start with just the New York site. In this particular case let's say the New York site has 7 domain controllers in it. If a client were to log in to the network, they would be authenticated by one of the domain controllers. If the user then changed their password, logged off and logged on a second time, they may be authenticated by a different domain controller. For this reason you want replication within a site to happen quickly.

This type of replication is called intrasite replication. Intrasite replication is replication that happens between domain controllers in the one site. You will be happy to know that Active Directory handles this kind of replication without any configuration. It does this by connecting all the domain controllers in that site together in a ring. You can see that the 7 domain controllers are each connected to two other domain controllers. This gives some redundancy and also reduces the number of connections required in sites with a large number of domain controllers. In Windows Server 2003 and above, intrasite replication will start 15 seconds after a change has been made on a domain controller. With such a small delay, all domain controllers on this network will receive the change in less than a minute.

If the number of domain controllers on this network were increased to 8, the delay for a change to replicate to every domain controller starts to increase. Each domain controller will wait 15 seconds before sending replication data to the next domain controller. To reduce the delay, Active Directory will automatically create additional connections between some of the domain controllers when you have 8 or more domain controllers in the one site. This ensures that there are no more than 3 hops between one domain controller in the site and any other domain controller. The extra connections ensure that changes in the site are propagated to each domain controller in less than a minute. All these connections are created automatically by Active Directory inside the site, so you never need to worry about configuring replication inside an individual site.

The next part of replication in Active Directory is between sites. This kind of replication is called intersite replication. In this example consider the link between New York and Washington. In order for these two sites to replicate changes between each other there must be a site link connecting the two sites. This is not created automatically and needs to be created by an administrator. In this example New York has 7 domain controllers and Washington has 3 domain controllers. In order for replication to occur, Active Directory will automatically pick a domain controller in each site to act as what is called a bridgehead server. The bridgehead server in each site will replicate changes between the sites.

When a change is made on a domain controller, it will be replicated to all other domain controllers in that site. When the change reaches the bridgehead server, the bridgehead server is responsible for replicating that change to the other bridgehead server in the other site. This system is a lot more efficient than individual domain controllers attempting to replicate changes to other sites. Active Directory will automatically choose a domain controller in each site to act as a bridgehead server for you. If that domain controller is shut down or is no longer available, a new domain controller will be chosen. In some cases you may have a particular domain controller or domain controllers that you want to use as the bridgehead server. Active Directory allows you to select a domain controller or domain controllers to be the bridgehead server for that site. These are called preferred bridgehead servers. Be warned, however: if you choose your own bridgehead servers and these servers are not available, no replication will occur between the two sites until one of those preferred bridgehead servers comes back online.

Once you have a site link configured, you can configure some options on that site link. The first option allows a schedule to be configured which will determine when replication will occur. In some cases, companies may configure this replication to happen after business hours. The next setting allows a cost to be configured for that site link. The cost is a numerical value that is applied to a site link telling Active Directory what priority these links should be given. To better understand how costs work, let's now consider what happens when the London office is added to the network.

The London office is connected to the New York office by a direct link. In order for replication to occur a site link is created between London and New York. The link between London and New York is unreliable and at times will go down for hours at a time. For this reason another link is established between Washington and London. This link is more reliable but is charged according to how much traffic is transferred over it, and thus the company only wants to use this link when they have to.

In this example the London to New York site link and the New York to Washington site link are given a cost of 40. The site link between Washington and London is given a cost of 100. The cost of transferring data between sites is calculated by adding up the values of the site links. The route with the lowest cost will be used. In order for data to go from Washington to London the lowest cost would be via New York. Why? The Washington to New York site link and the New York to London site link add up to a value of 80. This is lower than the cost of the link between Washington and London, which has a value of 100. If the link between London and New York was to go down, then the Washington to London link would become the link with the lowest cost. Traffic from New York to London would now travel over the Washington to London site link. If the link between New York and London were to come back up, it would be seen once again as the route with the lowest cost and thus the site link between Washington and London would no longer be used.

The last option to consider when creating a site link is which transport the site link will use. The two options for this are RPC over IP and SMTP. RPC over IP is often referred to as just IP and supports everything Active Directory needs. In the real world you are more than likely only going to use the IP transport for Active Directory as it supports everything. The second transport, SMTP, supports everything except File Replication Service. At the domain level, file replication is used to replicate the SYSVOL share containing all the login scripts and group policies. For this reason you can't have a functional domain infrastructure using just the SMTP transport. Items like the login scripts and group policy would simply not be replicated between domain controllers using only the SMTP transport protocol. Items like Active Directory changes can be replicated using the SMTP transport, as well as changes in the schema. For these reasons the SMTP transport could be used between different domains in the forest. Using the SMTP transport will not replicate everything at the domain level.

The fundamental difference between the SMTP and IP transports is that the SMTP transport uses asynchronous communication whereas IP uses synchronous. Asynchronous communication can send replication information without the need to get a response back. If you have an unreliable network, a large block of SMTP information could be sent over the network without waiting for the other side to confirm that it has received anything. IP in contrast uses synchronous communication, which means that it waits for a response each time data is sent. If no response is received, it stops sending data.

With network speeds getting better and more reliable, in the real world I would just use the IP transport for your site links. In the old days, the SMTP transport was used mainly for networks that were unreliable or not directly routable using the IP protocol. Nowadays, with the IP protocol being the default protocol used in computing, there is unlikely to be a need to use the SMTP protocol on the vast majority of production networks. Active Directory replication tends to be quite light on the bandwidth as only changes are replicated, and thus even on slow unreliable links I would personally still give the IP transport a go before using the SMTP transport. For your information, the choice of transport only applies to intersite replication. Domain controllers in the same site are always replicated using the IP transport.

The last thing that I want to cover before I look at how to configure replication in Windows Server 2008 is the Knowledge Consistency Checker, or KCC. Once you configure your sites and site links, the Knowledge Consistency Checker will automatically make connections between the sites for you. If a network goes down between two sites, the KCC will automatically reconfigure the connections between the sites to ensure that Active Directory replication will happen. In our previous example, when the link between New York and London went down, the KCC's job was to create a connection between Washington and London for replication to occur. The KCC does this in the background and does not need to be configured. You can create your own connections in Active Directory as well, but on most networks it is simpler and easier to allow the KCC to perform these steps for you. The KCC also creates the connections that are used for intrasite replication and determines which domain controllers will be used as bridgehead servers.

The KCC does this with information from the Active Directory database. If the same copy of the Active Directory database is in multiple locations, the KCC will always come up with the same result. If two different domain controllers have a different copy of the Active Directory database, that is, some changes have not yet replicated, the result the KCC comes up with may be different. What this means is that on a network that is replicating well, all domain controllers, given enough time, will create the same links between sites and their domain controllers. If you are finding that connections are not being made between your domain controllers, check for replication errors in the Event Viewer and also DNS-related errors. Replication problems can stem from domain controllers having difficulty resolving the IP address of other domain controllers.

I will now change to my Windows Server 2008 R2 domain controller to look at how to configure replication. I have already created sites and subnets in the previous video, so all that is left to be done is to create the site links for these sites to replicate over. To do this, I will open Active Directory Sites and Services from Administrative Tools under the Start menu. To configure the site links, I will expand down to Inter-Site Transports. There are two transports available under here, IP and SMTP. When I open IP there is already a default site link, called Default Site Link. This is created by default when Active Directory is first installed.

If you never create any additional site links in Active Directory, all of the sites that you create will be linked to each other using the default site link. When this occurs, the Knowledge Consistency Checker will ensure that all your sites replicate with each other; however, the replication may not be a good match for your network topology. Microsoft recommends that you do not put more than 3 sites in the one site link. First of all I will rename the default site link to New York to Washington. You are free to rename the default site link, or create a new site link and remove the default site link, or simply leave the default site link in Active Directory unused. To match my network topology I need to create two more site links. To do this, I will right-click IP under Inter-Site Transports and select the option New Site Link. This site link I will call New York to London. Once I enter the name, I need to add the sites that will use this site link, in this case London and New York.

In this case I will be adding only 2 sites to each site link; however, there is nothing stopping you from adding more. As you will see in a minute, the Knowledge Consistency Checker will determine which connections to create based on which sites are in the site links. Finally I need to create one more site link for my backup link from Washington to London. This is created the same way I created the other site links. Once the site links are created, I need to configure them.

First of all I will open the properties for the New York to London site link. At the bottom, notice the cost value assigned to this site link is 100, the default value. I will change this value to 40 so this site link will get preference over the backup site link that I just created. Under this is how often replication will occur over this site link. The default is 180 minutes, or every 3 hours. This setting can be as low as 15 minutes. At the bottom is a button to change the replication schedule. When I press this I can select the times that Active Directory replication will occur and can also configure it to be disabled at certain times. For example, I could disable replication, if I wanted to, for Monday through Friday during business hours.

Now that I have finished configuring this site link, I will exit out of here and open the properties for the New York to Washington site link. Since this site link was originally the default site link, all 3 sites are in here, so I will remove the London site since it is no longer required in this site link. I will also change the replication cost to 40 so this site link is favoured over the backup site link from Washington to London. Now my 3 site links are created. The Washington to London site link I will leave on the default cost of 100. It will only be used if one of the other site links is not available. By default, the Knowledge Consistency Checker will create links that connect sites together that are connected by other sites. For example, since New York is in two different site links, the Knowledge Consistency Checker knows that Washington can reach London via New York.

The Knowledge Consistency Checker will do this automatically, but if you want to create your own site link bridges, you can select the option New Site Link Bridge. By default site link bridges will be created automatically, and a manually created bridge will be ignored anyway unless you disable automatic site link bridging. When I open the properties of the IP transport, you will notice the tick box to ignore schedules. This is a quick and easy way to override any schedules that have been configured. Under this is a tick box for Bridge All Site Links. If you deselect this, you will need to manually create all the site link bridges between your sites. Unless you have a good reason for doing this I would leave this option ticked. It is generally easier to allow the Knowledge Consistency Checker to work out the site link bridges from your site links. If you have configured them correctly it should make some good choices for these site link bridges.

When I right-click on the SMTP transport, you will notice that I have the same options as IP. Given the choice of transports I would always use the IP transport where possible, but on some networks you may see the SMTP transport used. Configuring the SMTP transport is the same as the IP transport; the only difference is the functionality that it supports. For this reason I won't configure any SMTP transports. If I now expand down to NY DC 1 and open the properties for the server, on the General tab I can see which transports this server will use. By default IP and SMTP will both be enabled, so the Knowledge Consistency Checker will create both types of connection where required. In this case I have not created a site link under the SMTP transport and assigned any sites to it. Until I perform this step the Knowledge Consistency Checker will not create any SMTP connections.

By default the Knowledge Consistency Checker runs every 15 minutes, so I will pause the video and return later to allow it some time to run. Now that the Knowledge Consistency Checker has had some time to run, I will expand down until I see NTDS Settings, which contains the settings for this server. When I open the properties for the NTDS Settings and go to the Connections tab, you can see all the incoming and outgoing connections from this server.
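The two rules stated earlier in the video, that the KCC keeps every pair of domain controllers inside a site within 3 hops of each other, and that intersite traffic follows the site-link path with the lowest total cost, can be checked with a small model. The Python below is an added example, not code from the video or from IT Free Training, and it is not the real KCC algorithm: the ring, the greedy chord-adding routine and the Dijkstra search are my own stand-ins. The inputs come from the page (7 or 8 domain controllers in New York; site links New York to Washington at cost 40, New York to London at cost 40, Washington to London at cost 100), and `down` lets you model the New York to London link failing, as the video describes.

```python
"""Model of two KCC decisions from the video: intrasite hop limits and
intersite lowest-cost routing. Added example; assumptions are marked."""
from __future__ import annotations

import heapq
from itertools import combinations


def shortest_paths(edges, start):
    """Dijkstra over undirected weighted edges (a, b, weight).
    Returns {node: (total_cost, [path...])} for every reachable node."""
    adj: dict[str, list[tuple[str, int]]] = {}
    for a, b, w in edges:
        adj.setdefault(a, []).append((b, w))
        adj.setdefault(b, []).append((a, w))
    best = {start: (0, [start])}
    heap = [(0, start, [start])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale entry
        for nxt, w in adj.get(node, []):
            new_cost = cost + w
            if nxt not in best or new_cost < best[nxt][0]:
                best[nxt] = (new_cost, path + [nxt])
                heapq.heappush(heap, (new_cost, nxt, path + [nxt]))
    return best


# ---- intrasite: ring plus extra connections (assumed model of the KCC) ----

def ring(n):
    """Each DC connected to two neighbours, as the video describes. Weight 1 = one hop."""
    return [(f"DC{i}", f"DC{(i + 1) % n}", 1) for i in range(n)]


def max_hops(edges):
    """Largest hop count between any two DCs on the given connections."""
    nodes = {x for a, b, _ in edges for x in (a, b)}
    return max(cost for src in nodes
               for cost, _ in shortest_paths(edges, src).values())


def add_optimizing_connections(edges, limit=3):
    """Greedily add direct connections until no pair is more than `limit` hops apart.
    Assumption: a stand-in for the KCC's extra connections; only the 3-hop
    guarantee itself is taken from the video."""
    edges = list(edges)
    nodes = sorted({x for a, b, _ in edges for x in (a, b)})
    while max_hops(edges) > limit:
        _, a, b = max((shortest_paths(edges, a)[b][0], a, b)
                      for a, b in combinations(nodes, 2))
        edges.append((a, b, 1))  # connect the worst-separated pair directly
    return edges


# ---- intersite: site links and costs from the video ----

SITE_LINKS = [
    ("New York", "Washington", 40),
    ("New York", "London", 40),
    ("Washington", "London", 100),  # reliable but metered backup link
]


def replication_route(site_links, src, dst, down=()):
    """Lowest-cost route between two sites, ignoring any site link listed in
    `down` (pairs of site names). Returns (cost, [sites...]) or None."""
    down_set = {frozenset(d) for d in down}
    live = [e for e in site_links if frozenset(e[:2]) not in down_set]
    return shortest_paths(live, src).get(dst)


if __name__ == "__main__":
    for n in (7, 8):
        print(f"{n} DCs in a ring: worst case {max_hops(ring(n))} hops")
    opt = add_optimizing_connections(ring(8))
    print(f"8 DCs with extra connections: {max_hops(opt)} hops, {len(opt)} connections")
    print("Washington -> London:", replication_route(SITE_LINKS, "Washington", "London"))
    failed = [("New York", "London")]
    print("New York -> London with NY-London down:",
          replication_route(SITE_LINKS, "New York", "London", down=failed))
```

With 7 domain controllers a plain ring already satisfies the 3-hop limit, which is why the video says extra connections only appear at 8 or more; with 8 the model needs two additional connections. For the site links, Washington to London costs 80 via New York rather than 100 direct, and only when the New York to London link is down does the 100-cost link become the best route (New York to London then costs 140 via Washington).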

All of these are created automatically by the Knowledge Consistency Checker. When I exit out of the properties, you will notice here that I can see a list of all the incoming connections. On the left-hand side, notice that these are automatically generated. These are created by the Knowledge Consistency Checker and, assuming that everything else is configured correctly, that is your sites, subnets, site links and transports, these should be created automatically for you. When I right-click the NTDS Settings, notice the option New Active Directory Domain Services Connection. Selecting this option allows me to create a manual connection between two domain controllers. Once this connection is created it will appear with the other connections. On most networks there should not be a need to create a manual connection as the Knowledge Consistency Checker will create the required connections automatically.

If you do find that a connection is missing and do not want to wait for the Knowledge Consistency Checker to run again, right-click NTDS Settings, select All Tasks and then select the option Check Replication Topology. This option will force the Knowledge Consistency Checker to run. Windows will give you a confirmation dialog telling you that the Knowledge Consistency Checker was run and you may need to refresh the screen. Looking at the connections, notice that a connection was made to London. This means the Knowledge Consistency Checker has decided to make this server a bridgehead server.

If you want to force a replication, right-click the connection and select Replicate Now. You should not need to force a replication to another domain controller in the same site as the replication should happen very quickly. Notice that forcing a replication will give me a confirmation dialog telling me that the replication was successful. This is a fast way of testing the replication in your Active Directory environment to ensure that it is working correctly.

To better understand the connections that the Knowledge Consistency Checker has created, I will show a graphical view of the connections on the screen as I go through them. Next notice the two connections that have been made to NY DC 6 and NY DC 7. Remember that the connections shown here are incoming connections originating from the other domain controller. Outgoing connections from this domain controller are not shown here. If I expand down to the next domain controller, two connections have also been automatically created. Expanding into NY DC 3 shows another two connections; however, notice that there is now a connection travelling in both directions between NY DC 2 and NY DC 3. It is important to remember that the direction of the connection does not determine which way replication occurs. The direction only refers to who created the connection. Like the telephone, one party needs to call the other party to create the connection, but once done, both parties are free to talk to the other.

Expanding into NY DC 4 shows another 2 connections. Expanding into NY DC 5 shows that 3 connections have been created. One of the connections is to Washington. This domain controller has been selected as a bridgehead server. This goes to show that multiple bridgehead servers can be selected in the same site. The important thing to remember is that only one bridgehead server is responsible for all replication to each remote site.

If I expand into the connections for NY DC 6 and then NY DC 7, notice that this now completes a ring for the connections. Each domain controller has two connections, forming a ring going in each direction. This allows replication to occur inside the one site even if one domain controller were to fail. Replication to the Washington and London sites will go through the one exit point respectively. If a domain controller was to become unavailable for a long enough period, the Knowledge Consistency Checker would delete and add connections as required. The process does take longer than the 15 minutes as the Knowledge Consistency Checker does not remove connections immediately when it runs. This is done to account for domain controllers being taken offline for a short period of time for maintenance or small network outages.

Microsoft also provides a command-line tool called repadmin which can be used to perform some of the tasks I performed in the GUI. If I open a command prompt and run the command repadmin /kcc, this will force the Knowledge Consistency Checker to run. In this case it will run only on this domain controller, but if I add the parameter site:SiteName, this will force the Knowledge Consistency Checker to run on all domain controllers in that site. If you want to force a replication to occur, you can run repadmin /syncall. There are other parameters as well with this command, but the last one I will look at is /bridgeheads. This will show all domain controllers working as bridgehead servers in your Active Directory environment.

Well, that's everything you need to know about sites and Active Directory replication. In the next video I will look at user accounts in Active Directory. Thanks for watching another free video from IT Free Training. Please consider subscribing to us on YouTube to get notified when we release new videos.
