The Best Damn Windows Server 2003 Book Period- P55 potx


Document information

Pages: 10
Size: 498.83 KB

Content

301_BD_W2k3_13.qxd 5/12/04 12:42 PM Page 506

Chapter 14: Working with Active Directory Sites

In this chapter:
■ Understanding the Role of Sites
■ Relationship of Sites to Other Active Directory Components
■ Creating Sites and Site Links
■ Understanding Site Replication

Introduction

In the previous chapter, we saw the logical structure of the network as defined by forests and domains. Sites, and the subnets of which sites are composed, define the physical structure of an Active Directory network. Sites matter in an enterprise network with multiple locations because they let you build a topology that optimizes replication of Active Directory information between domain controllers (DCs). Sites are used to control replication and to optimize authentication by keeping authentication traffic off slow, high-cost WAN links. Site and subnet information is also used by Active Directory-enabled services to help clients find the nearest service providers.

In this chapter, we discuss the role of sites in the Active Directory infrastructure, and how replication, authentication, and distribution of services information work within and across sites. We explain the relationship of sites to domains and subnets, and how to create sites and site links. You'll also learn about site replication and how to plan, create, and manage a replication topology. We'll walk you through the steps of configuring replication between sites, and discuss how to troubleshoot replication failures.

Understanding the Role of Sites

In today's distributed network environment, communication must be rapid and reliable. Geographical and other constraints led to the creation of smaller networks, known as subnets. Subnets provide rapid and reliable communication within a location; Windows Server 2003 Active Directory sites extend the same idea to larger networks by regulating traffic between subnets.

A site defines the physical network structure of a Windows Server 2003 Active Directory. A site consists of one or more Internet Protocol (IP) subnets connected by fast, reliable links. The primary role of sites is to improve network performance by moving data economically and quickly; their other roles are to control replication and authentication. The Active Directory physical structure determines when and how replication takes place and lets you schedule replication between sites. Network performance also depends on the location of objects and on where logon authentication occurs as users log on to the network.

Replication

Replication is the practice of transferring data from a data store on a source computer to an identical data store on a destination computer so that the two stay synchronized. In a network, directory data must live in one or more places to be equally available to all users. The Active Directory directory service maintains a replica of directory data on one or more DCs, ensuring the availability of directory data to all users. Active Directory uses the concept of sites to perform replication efficiently, and uses the Knowledge Consistency Checker (KCC) to choose the best replication topology for the network automatically.

Authentication

The authentication process includes confirming the source and integrity of information, such as verifying the identity of a user or computer. An important characteristic of authentication in the Windows Server 2003 family is its support for single sign-on. Single sign-on allows a user to log on to the network once, using a single password, and authenticate to any computer in the network.
Interactive logon authentication verifies the user's logon information against either a domain account or a local computer account. Network authentication verifies the user's identity to a network service the user tries to access. Windows Server 2003 supports Kerberos V5 and Secure Socket Layer/Transport Layer Security (SSL/TLS) authentication mechanisms.

Distribution of Services Information

Active Directory distributes a wide range of service information. DCs are also used to distribute directory information and to respond to each service request. Active Directory distributes service-centric information such as configurations and bindings. Distributing this type of information makes services more accessible to clients and easier for administrators to manage. Figure 14.1 shows how services information flows between a client, a server, and a DC in a network, in three steps:

1. The client makes a request.
2. The client receives the services information from a DC as a response.
3. The client uses the services information to reach the service on the network server.

Certain sets of services are published in the directory by default, including file and print services, storage management, Active Directory itself, and management services. These sets of services can be modified in the directory to meet the needs of your network environment. Publishing services in the directory provides the following benefits:

■ Resource availability This Active Directory model is service-centric: clients locate distributed network services through the directory. Because the services information is held in the directory, clients need not store a resource's location.
■ Administration Publishing services in Active Directory lets the administrator resolve configuration-related problems centrally, instead of having to visit individual computers. This ensures that all services use the latest configuration information.
■ Publishing services Publishing makes data or operations available to network users. Publishing a service in Active Directory lets users and administrators move from a machine-centric view of the network to a service-centric view.

Figure 14.1 Services Information Shared between a Client, Server, and a Domain Controller

Relationship of Sites to Other Active Directory Components

A site is a collection of interconnected computers operating over one or more IP subnets; put another way, a site is a region of the network with high-bandwidth connectivity. The relationship of sites to other Active Directory components rests on the following network operations that sites govern:

■ When replication occurs
■ Changes made within sites
■ How efficiently DCs within a domain can communicate

Relationship of Sites and Domains

A site can contain one or more domains, and a domain can span one or more sites. Sites and domains do not have to share the same namespace. Sites and domains are interrelated because sites control replication of domain information. For more information on how domains work, see Chapter 12, "Working with Forests and Domains," and Chapter 15, "Working with Domain Controllers."

Physical vs. Logical Structure of the Network

Sites in Active Directory represent the physical structure of a network, whereas domains represent the logical or administrative structure of the organization. The physical structure information is stored as site and site link objects in the directory, and is used to build the most efficient replication topology. Sites and site links are generally defined with Active Directory Sites and Services.

Figure 14.2 The Relationship of the Sites and Domains Present in a Network

This separation of physical (sites) from logical (domains) structure offers the following advantages:

■ You can develop and manage the logical and physical structures of your network independently.
■ You do not have to base domain namespaces on your physical network.
■ You can deploy DCs for multiple domains within the same site.
■ You can deploy DCs for the same domain in multiple sites.

The Relationship of Sites and Subnets

In Active Directory, a site consists of a set of computers interconnected on a local area network (LAN). Computers within the same site typically sit in the same building or on the same campus network. A single site consists of one or more IP subnets. Sites and subnets are represented in Active Directory by site and subnet objects, which you create with the Active Directory Sites and Services administrative tool. Each site object is associated with one or more subnet objects.

Creating Sites and Site Links

In this section, we'll look at creating sites and site links, as well as planning your sites. As with most other administrative tasks in Windows Server 2003, planning is a key component that improves the end result and reduces errors and downtime.

Site Planning

You should plan thoroughly before creating and deploying Active Directory.
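One planning check worth doing before you create anything is whether every client subnet will map to a site. The following Python script is an added example, not code from the book: it applies the rule a DC uses to answer a client's site query (the subnet object with the longest matching prefix wins), lists client addresses that map to no site, and reports subnets that nest inside one another so you can confirm each overlap is intended. The site names, subnets, and client addresses are constructed for illustration.

```python
# Added example (not from the book): how a client's IP address resolves to a site.
# A DC answers "which site am I in?" by finding the subnet object with the
# longest prefix that contains the client's address; an address matched by no
# subnet gets no site at all. Site and subnet names below are constructed.
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed subnet-to-site table: one entry per subnet object you would
# create in Active Directory Sites and Services.
SUBNET_TO_SITE: Dict[str, str] = {
    "10.1.0.0/16": "Hanoi",
    "10.1.200.0/24": "Hanoi-Lab",    # nested inside 10.1.0.0/16, more specific
    "10.2.0.0/16": "Saigon",
    "192.168.50.0/24": "Danang",
}


def site_for_ip(ip: str, table: Dict[str, str] = SUBNET_TO_SITE) -> Optional[str]:
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for cidr, site in table.items():
        net = ip_network(cidr)
        if net.version != addr.version or addr not in net:
            continue
        # Longest prefix wins, exactly as with nested subnet objects in AD.
        if best is None or net.prefixlen > best[0]:
            best = (net.prefixlen, site)
    return None if best is None else best[1]


def unmapped_clients(client_ips: List[str],
                     table: Dict[str, str] = SUBNET_TO_SITE) -> List[str]:
    """Client addresses that fall in no subnet object.

    Such clients have no site, so their DC locator queries are not
    site-scoped and may pick a DC across a WAN link; DCs record them as
    NO_CLIENT_SITE entries in netlogon.log.
    """
    return [ip for ip in client_ips if site_for_ip(ip, table) is None]


def nested_subnets(table: Dict[str, str] = SUBNET_TO_SITE) -> List[Tuple[str, str]]:
    """(inner, outer) pairs where one subnet object lies entirely inside another.

    Nesting is legal and the inner subnet wins, but each pair should be a
    deliberate choice rather than a typo in a mask.
    """
    nets = {cidr: ip_network(cidr) for cidr in table}
    pairs = []
    for inner_cidr, inner in nets.items():
        for outer_cidr, outer in nets.items():
            if (inner_cidr != outer_cidr and inner.version == outer.version
                    and inner.subnet_of(outer)):
                pairs.append((inner_cidr, outer_cidr))
    return pairs


if __name__ == "__main__":
    # Constructed sample of client addresses seen at logon.
    clients = ["10.1.3.4", "10.1.200.7", "10.2.9.9", "172.16.0.1", "192.168.50.20"]
    for ip in clients:
        print(f"{ip:16} -> {site_for_ip(ip) or 'NO SITE'}")
    print("unmapped:", unmapped_clients(clients))
    print("nested:", nested_subnets())
```

The addresses that `unmapped_clients` returns are the ones a 2003 DC logs as NO_CLIENT_SITE in %SystemRoot%\debug\netlogon.log; feeding that log's client addresses into the script against your own subnet table tells you which subnet objects are still missing.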
Site planning enables you to optimize the efficiency of the network and reduce administrative overhead. High-performance sites result from proper planning of the physical design of your network. Site planning lets you determine exactly which sites you should create and how they should be connected using site links and site link bridges. Site information is stored in the configuration partition, so you can create sites and related objects at any point in your Active Directory deployment. Site planning also lets you publish site information in the directory for use by applications and services; generally, Active Directory itself is the main consumer of the site information. You'll see how replication affects site planning later in the chapter.

Criteria for Establishing Separate Sites

When you create the first domain, a single default site called Default-First-Site-Name is created. This site initially represents your entire network. A domain or forest that consists of a single site can be highly efficient on a LAN connected by high-speed links.

If a single LAN consists of one subnet, or if a network consists of multiple subnets connected by a high-speed connection, keeping a single-site topology offers the following advantages:

■ Simplified replication management
■ Regular directory updates between all DCs

With a single-site topology, all replication occurs as intra-site replication, which requires no manual replication configuration, and every DC receives directory changes promptly.

Creating a Site

Sites are created with the Active Directory Sites and Services tool of Windows Server 2003. This tool can also be used to create site links, subnets, and so forth. Use the following steps to create a new site.

Create a new site

1. To open Active Directory Sites and Services, click Start | Control Panel | Administrative Tools | Active Directory Sites and Services. The Active Directory Sites and Services console opens.
2. In the left-hand tree pane, right-click the Sites folder and select New | Site from the context menu.
3. The New Object – Site dialog box opens.
4. Type the name of the site in the Name box.
5. Select an initial site link object for the site from the list in the New Object – Site dialog box.
6. Click OK. This completes the process of creating a site with Active Directory Sites and Services. Figure 14.3 shows the initial site link object for the site.

Figure 14.3 The Initial Site Link Object for the Site

Renaming a Site

Renaming a site is one of the first tasks you should perform when administering a site structure. The first site is created with the default name Default-First-Site-Name. This name can be changed to reflect the purpose of the site, such as the name of the physical location. Sites are also renamed when an organization's network expands by one or more sites. Even if an organization is in a single location, it makes sense to rename Default-First-Site-Name, because you never know when the network will expand. Meaningful names let administrators tell sites apart easily and perform administration tasks efficiently. When a DC becomes aware that its site has been renamed, it updates its DNS records accordingly. Because cached DNS lookups and client caching of site names lead to temporary connectivity delays directly after a rename, it's best to name and rename sites as early as possible in the deployment.
After renaming a site, it's advisable to manually force replication with the other DCs in the same site. Sites are renamed with the Active Directory Sites and Services tool of Windows Server 2003. Use the following procedure to rename a site.

Rename a site

1. To open Active Directory Sites and Services, click Start | Control Panel | Administrative Tools, then double-click Active Directory Sites and Services. The console opens.
2. In the left-hand tree pane, expand the Sites folder; the sites appear with icons of small, yellow office buildings.
3. Right-click the site you want to rename and select Rename from the context menu.
4. Type the new name of the site in the name field that becomes editable in the console pane.
5. Press Enter. This completes the process of renaming a site with Active Directory Sites and Services.

Creating Subnets

Subnets are associated with Active Directory sites so that client computers can be matched to a site. Subnets are denoted by a range of IP addresses. The Active Directory Sites and Services user interface saves you from naming subnets manually; instead, you are prompted for a network address and mask, and the subnet object is named from them. Subnets are created with the Active Directory Sites and Services tool of Windows Server 2003. Use the following steps to create a subnet.

Create subnets

1. To open Active Directory Sites and Services, click Start | Control Panel | Administrative Tools, then double-click Active Directory Sites and Services. The console opens.
2. In the left tree pane, expand the Sites folder.
3. Right-click Subnets and select New Subnet from the context menu.
4. The New Object – Subnet dialog box opens.
5. Type the network address and subnet mask in dotted decimal notation in the text boxes of the New Object – Subnet dialog box.
6. Select a site object for this subnet from the list provided.
7. Click OK. This completes the process of creating a subnet with Active Directory Sites and Services.

Associating Subnets with Sites

After creating sites and subnets, the next step is to associate your subnets with sites. You specify the subnets that belong to each site by creating subnet objects in the Active Directory Sites and Services console and pointing each at a site. The association of subnets with sites lets computers on the Active Directory network use their own IP address to find a DC in the same site, so that authentication traffic does not cross WAN links. A client whose address falls in no defined subnet is assigned to no site and may authenticate against any DC in the domain, including one across a slow link, so every client subnet should be covered. Active Directory also uses site and site link information during replication to determine the best routes between DCs. Once you've created sites and subnets, the following steps walk you through associating (or changing) the site of an existing subnet.

Associate subnets with sites

1. To open Active Directory Sites and Services, click Start | Control Panel | Administrative Tools, then double-click Active Directory Sites and Services.
2. In the left tree pane, highlight the Subnets folder.
3. Right-click the newly created subnet and select Properties; the subnet's Properties dialog box opens.
4. Select the site for this subnet from the Site drop-down list, as shown in Figure 14.4.
5. Click OK. This completes the process of associating a subnet with a site using Active Directory Sites and Services.

Figure 14.4 Subnet Dialog Box for Associating/Changing the Site

Creating Site Links

After creating and defining the scope of each site, the next step in site configuration is to establish connections between the sites. Site link objects represent the physical connectivity between sites to Active Directory, and replication between DCs in different sites flows over them. A site link object is an Active Directory object that represents a set of sites that can communicate at uniform cost. A site link that connects only two sites using the IP transport typically corresponds to a WAN link. A site link that connects more than two sites typically corresponds to an Asynchronous Transfer Mode (ATM) or metropolitan area network (MAN) backbone reached through leased lines and IP routers. Each site link is defined by the following four components:

■ Transport The networking technology used to move the replication traffic.
■ Sites The sites that the site link connects.
■ Cost A relative value used to compare this site link with others, in terms of speed, reliability, and charges; the lower the cost, the more preferred the link.
■ Schedule The times at which, and how often, replication over the link occurs.

Site links are created with the Active Directory Sites and Services tool of Windows Server 2003. Use the following steps to create site links.

Create site links

1. To open Active Directory Sites and Services, click Start | Control Panel | Administrative Tools, then double-click Active Directory Sites and Services.
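The GUI procedures above create the same objects an administrator can also import in bulk with ldifde, which ships with Windows Server 2003. The following Python script is an added example, not code from the book: it turns a small site plan into an LDIF file that creates site objects (with the NTDS Site Settings and Servers containers the GUI adds under each site), subnet objects pointed at a site, and IP site links with a cost and replication interval, after checking the plan the way the GUI would (every subnet names an existing site, every site link joins at least two sites, every new site belongs to a site link). The forest name example.com, the site names, the link names, and the addresses are assumptions chosen for illustration.

```python
# Added example (not from the book): generate an LDIF file that creates the
# site, subnet and site link objects the preceding GUI procedures build, for
# import with ldifde on a Windows Server 2003 DC. The forest name and all
# site/subnet/link names are assumptions chosen for illustration.
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Dict, List, Tuple

CONFIG_NC = "CN=Configuration,DC=example,DC=com"      # assumed forest root
SITES_DN = f"CN=Sites,{CONFIG_NC}"
IP_TRANSPORT_DN = f"CN=IP,CN=Inter-Site Transports,{SITES_DN}"
EXISTING_SITES = {"Default-First-Site-Name"}          # present in every forest
MIN_REPL_INTERVAL = 15                                # minutes; AD's lower bound


@dataclass
class SitePlan:
    sites: List[str]
    # "network/prefix" or "network/dotted-mask" -> site name (as typed in the GUI)
    subnets: Dict[str, str]
    # link name -> (cost, replication interval in minutes, member sites)
    site_links: Dict[str, Tuple[int, int, List[str]]] = field(default_factory=dict)


def site_dn(name: str) -> str:
    return f"CN={name},{SITES_DN}"


def _entry(dn: str, object_class: str, **attrs) -> str:
    """One LDIF 'add' record; list-valued attributes become repeated lines."""
    lines = [f"dn: {dn}", "changetype: add", f"objectClass: {object_class}"]
    for attr, value in attrs.items():
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


def validate(plan: SitePlan) -> None:
    """Apply the same constraints the GUI enforces before anything is written."""
    known = set(plan.sites) | EXISTING_SITES
    linked = set()
    for name, (cost, interval, members) in plan.site_links.items():
        if len(set(members)) < 2:
            raise ValueError(f"site link {name} must join at least two sites")
        if cost < 1 or interval < MIN_REPL_INTERVAL:
            raise ValueError(f"site link {name}: cost must be >= 1 and "
                             f"interval >= {MIN_REPL_INTERVAL} minutes")
        missing = set(members) - known
        if missing:
            raise ValueError(f"site link {name} references unknown sites {sorted(missing)}")
        linked.update(members)
    # The GUI makes you pick an initial site link when creating a site.
    unlinked = set(plan.sites) - linked
    if unlinked:
        raise ValueError(f"sites {sorted(unlinked)} belong to no site link")
    seen: Dict[str, str] = {}
    for cidr, site in plan.subnets.items():
        if site not in known:
            raise ValueError(f"subnet {cidr} points at unknown site {site}")
        # strict=False accepts "10.1.0.0/255.255.0.0", as the GUI does.
        key = ip_network(cidr, strict=False).with_prefixlen
        if key in seen:
            raise ValueError(f"subnets {seen[key]} and {cidr} are the same network {key}")
        seen[key] = cidr


def plan_to_ldif(plan: SitePlan) -> str:
    validate(plan)
    records = []
    for site in plan.sites:
        dn = site_dn(site)
        records.append(_entry(dn, "site"))
        # Containers the GUI creates under every new site.
        records.append(_entry(f"CN=NTDS Site Settings,{dn}", "nTDSSiteSettings"))
        records.append(_entry(f"CN=Servers,{dn}", "serversContainer"))
    for cidr, site in plan.subnets.items():
        name = ip_network(cidr, strict=False).with_prefixlen   # e.g. 10.1.0.0/16
        records.append(_entry(f"CN={name},CN=Subnets,{SITES_DN}", "subnet",
                              siteObject=site_dn(site)))
    for name, (cost, interval, members) in plan.site_links.items():
        records.append(_entry(f"CN={name},{IP_TRANSPORT_DN}", "siteLink", cost=cost,
                              replInterval=interval,
                              siteList=[site_dn(s) for s in members]))
    return "\n".join(records)


# Constructed plan: two branch sites, each reachable from the default site.
EXAMPLE_PLAN = SitePlan(
    sites=["Hanoi", "Saigon"],
    subnets={"10.1.0.0/255.255.0.0": "Hanoi", "10.2.0.0/16": "Saigon"},
    site_links={
        "HQ-Hanoi": (100, 180, ["Default-First-Site-Name", "Hanoi"]),
        "Hanoi-Saigon": (200, 180, ["Hanoi", "Saigon"]),
    },
)

if __name__ == "__main__":
    print(plan_to_ldif(EXAMPLE_PLAN))
```

Save the output as sites.ldf and import it on a DC with `ldifde -i -f sites.ldf` while logged on as a member of Enterprise Admins (changes to the configuration partition require that group by default); add `-k` to skip objects that already exist. Because the script refuses a plan that the GUI would also refuse, a failed validation is caught before anything reaches the directory.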

Posted: 04/07/2014, 23:21