The Best Damn Windows Server 2003 Book Period- P56 pps


Chapter 14 • Working with Active Directory Sites

2. Highlight the Inter-Site Transports folder in the left tree pane of the Active Directory Sites and Services console. Expand the Inter-Site Transports folder.
3. Right-click either the IP or SMTP folder (depending on what protocol the network is based on) in the left tree pane of the Active Directory Sites and Services console. Select New Site Link from the context menu.
4. Selecting the New Site Link option opens a New Object – Site Link dialog box.
5. Type the name of the new site link object in the Name box of the New Object – Site Link dialog box.
6. Select two or more sites for establishing the connection from the Sites not in this site link box, and click Add as shown in Figure 14.5.
7. Click OK. This completes the process of creating a new site link object using the Active Directory Sites and Services tool. Figure 14.6 shows the final screen shot of the process.

Figure 14.5 Selecting Sites to Establish Connection

Figure 14.6 ADSS Tool After Creating the New Site Link

301_BD_W2k3_14.qxd 5/24/04 9:09 AM Page 516

Configuring Site Link Cost

Site link costs are calculated to determine how expensive an organization considers the network connection between the two sites that a site link connects. Higher costs represent more expensive connections. If two site links are available between two sites, the lowest-cost site link is chosen.

Each site link is assigned an IP or SMTP transport protocol, a cost, a replication frequency, and an availability schedule. All of these parameters reflect the characteristics of the physical network connection. The cost assigned to a site link is a number on an arbitrary scale that should reflect, in some sense, the expense of transmitting traffic over that link. Cost can be in the range of 1 to 32,767, and lower costs are preferred. The cost of a link should be inversely proportional to the effective bandwidth of the network connection between sites.
For example, if you assign a cost of 32,000 to a 64 kbps line, then you should assign 16,000 to a 128 kbps line and 1000 to a 2 Mbps line. It makes sense to use a high number for the slowest link in your organization. As technology improves and communication becomes cheaper, it’s likely that future WAN lines will be faster than today’s, so there’s little sense in assigning a cost of two to your current 128 kbps line and a cost of 1 to your 256 kbps line.

Site link costs are configured using the Active Directory Sites and Services tool of Windows Server 2003. The following procedure walks you through assigning and configuring site link costs.

Configure site link costs

1. To open the Active Directory Sites and Services tool, click Start | Control Panel | Administrative Tools, and then double-click Active Directory Sites and Services.
2. Highlight the Sites folder in the left tree pane of the Active Directory Sites and Services console and expand the Sites folder.
3. Highlight the Inter-Site Transports folder in the left tree pane of the Active Directory Sites and Services console and expand the Inter-Site Transports folder.
4. Right-click the site link whose cost you want to configure in the left tree pane of the Active Directory Sites and Services console, and select Properties. Selecting Properties opens a dialog box.
5. Type the value for the cost of replication of the site link object in the Cost box of the dialog box, as shown in Figure 14.7.
6. Click OK. This completes the process of configuring site link costs using the Active Directory Sites and Services tool.

Site Replication

An essential process for any domain that has multiple DCs is replication. Replication ensures that each copy of the domain data is up to date, and is done by sending information about changes from one DC to another.
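The site link cost rule from the section above (cost inversely proportional to bandwidth, within 1 to 32,767, lowest cost preferred), carried through as an added Python example. This is not code from the book; the site names, link names and bandwidths are constructed sample data, and the path search is a simplified model of how a lowest-cost route is chosen once site links are bridged, not the ISTG's own algorithm.

```python
"""Site link cost model for Active Directory inter-site replication.

Added example (not from the book): reproduces the chapter's rule that a site
link cost is inversely proportional to the link's bandwidth, stays within the
1..32,767 range, and shows how lowest-cost selection picks the cheapest route
once site links are bridged. Site and link names are constructed sample data.
"""
import heapq

COST_MIN, COST_MAX = 1, 32767                 # valid range of a site link cost
REFERENCE_KBPS, REFERENCE_COST = 64, 32000    # chapter's anchor: 64 kbps -> 32,000


def site_link_cost(bandwidth_kbps: int) -> int:
    """Cost inversely proportional to bandwidth, clamped to the valid range."""
    if bandwidth_kbps <= 0:
        raise ValueError("bandwidth must be positive")
    cost = round(REFERENCE_COST * REFERENCE_KBPS / bandwidth_kbps)
    return max(COST_MIN, min(COST_MAX, cost))


def least_cost_paths(site_links, source, bridge_all=True):
    """Cheapest replication route from `source` to every reachable site.

    `site_links` holds (link name, cost, set of sites); a link may join more
    than two sites, as the New Object - Site Link dialog allows.  With
    bridge_all=True (the default 'Bridge all site links' setting) links are
    transitive and a route's cost is the sum of its link costs.  With bridging
    off, only sites sharing a site link with `source` are reachable.
    Returns {site: (total cost, [link names along the route])}.
    """
    adjacent = {}
    for name, cost, sites in site_links:
        for a in sites:
            for b in sites:
                if a != b:
                    adjacent.setdefault(a, []).append((b, cost, name))
    best = {source: (0, [])}
    frontier = [(0, source, [])]            # Dijkstra over site links
    while frontier:
        cost_so_far, site, route = heapq.heappop(frontier)
        if cost_so_far > best[site][0]:
            continue                        # stale entry
        if not bridge_all and route:
            continue                        # no transitivity: one hop only
        for nxt, cost, name in adjacent.get(site, []):
            total = cost_so_far + cost
            if nxt not in best or total < best[nxt][0]:
                best[nxt] = (total, route + [name])
                heapq.heappush(frontier, (total, nxt, route + [name]))
    return best


# Constructed sample: two 2 Mbps hops via Branch1 versus a direct 64 kbps line.
SAMPLE_LINKS = [
    ("HQ-Branch1", site_link_cost(2048), {"HQ", "Branch1"}),            # 1000
    ("Branch1-Branch2", site_link_cost(2048), {"Branch1", "Branch2"}),  # 1000
    ("HQ-Branch2", site_link_cost(64), {"HQ", "Branch2"}),              # 32000
]

if __name__ == "__main__":
    for kbps in (64, 128, 2048):
        print(f"{kbps:>5} kbps -> cost {site_link_cost(kbps)}")
    for bridged in (True, False):
        routes = least_cost_paths(SAMPLE_LINKS, "HQ", bridge_all=bridged)
        print("bridge all site links:", bridged, "->", routes["Branch2"])
```

With bridging on, HQ reaches Branch2 over the two fast hops (cost 2000) rather than the direct 64 kbps line (cost 32,000); with bridging off, only the direct line is usable.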
In Windows Server 2003, every DC is capable of making changes to the database that holds domain user and computer accounts.

Types of Replication

Replication in a Windows Server 2003 environment is one of two types:

■ Intra-site replication Replication that occurs between DCs within a site.
■ Inter-site replication Replication that occurs between DCs in different sites.

It is important to understand the differences between these methods when planning the site structure and replication.

Intra-site Replication

Intra-site replication occurs between DCs within a site. The system implementing such replication uses high-speed, synchronous Remote Procedure Calls (RPCs). Within a site, a ring topology is created by the KCC between the DCs for replication (see Figure 14.8). The KCC is a built-in process that runs on all DCs and helps in creating the replication topology. It runs every 15 minutes by default and determines the replication path between DCs based on the connections available. The KCC automatically creates replication connections between DCs within the site. The ring topology created by the KCC defines the path through which changes flow within the site. All changes follow the ring until every DC receives them.

Figure 14.7 The Cost of the Site Link Object

The KCC analyzes the replication topology within a site to ensure efficiency. If a DC is added or removed, it reconfigures the ring for maximum efficiency. It also configures the ring so that there are no more than three hops between any two DCs within the site, which sometimes results in the creation of multiple rings (see Figure 14.9).
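The intra-site ring and the three-hop rule just described, as an added Python example that is not code from the book and is a deliberate simplification of the real KCC algorithm: it measures hop counts along the ring's connection objects and adds extra connections, in the spirit of the multiple rings in Figure 14.9, until no two DCs are more than three hops apart. The DC names are constructed.

```python
"""Simplified model of the KCC's intra-site ring and its three-hop rule.

Added example, not code from the book and not the real KCC algorithm: each DC
in a site replicates from both of its ring neighbours, hop counts are measured
along those connection objects, and extra connections are added until no two
DCs are more than MAX_HOPS apart.  DC names are constructed sample data.
"""
from collections import deque
from itertools import combinations

MAX_HOPS = 3   # the intra-site limit the chapter describes


def ring_connections(dcs):
    """Connection objects for a ring of at least three DCs: each DC is linked
    to the DC before it and the DC after it."""
    n = len(dcs)
    if n < 3:
        raise ValueError("a ring needs at least three DCs")
    return {dcs[i]: {dcs[(i - 1) % n], dcs[(i + 1) % n]} for i in range(n)}


def hop_distances(topology, start):
    """Breadth-first hop count from `start` over the replication connections."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        dc = queue.popleft()
        for nxt in topology[dc]:
            if nxt not in dist:
                dist[nxt] = dist[dc] + 1
                queue.append(nxt)
    return dist


def max_hops(topology):
    """Largest number of hops a change must travel between any two DCs."""
    return max(max(hop_distances(topology, dc).values()) for dc in topology)


def pairs_over_limit(topology, limit=MAX_HOPS):
    """DC pairs, in name order, that are more than `limit` hops apart."""
    return [(a, b) for a, b in combinations(sorted(topology), 2)
            if hop_distances(topology, a)[b] > limit]


def enforce_hop_limit(topology, limit=MAX_HOPS):
    """Add connections (like the KCC's extra rings) until the limit holds.

    Returns the new topology and the list of connection pairs that were added.
    """
    topology = {dc: set(peers) for dc, peers in topology.items()}
    added = []
    while True:
        over = pairs_over_limit(topology, limit)
        if not over:
            return topology, added
        # connect the pair furthest apart; ties go to the first pair in name order
        a, b = max(over, key=lambda p: hop_distances(topology, p[0])[p[1]])
        topology[a].add(b)
        topology[b].add(a)
        added.append((a, b))


if __name__ == "__main__":
    for n in (4, 6, 8):
        ring = ring_connections([f"DC{i}" for i in range(1, n + 1)])
        fixed, added = enforce_hop_limit(ring)
        print(f"{n} DCs: ring max hops {max_hops(ring)}, "
              f"added {added} -> max hops {max_hops(fixed)}")
```

A plain ring of up to seven DCs already satisfies the rule; with eight DCs the model needs two cross connections before every DC is within three hops of every other.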
Figure 14.8 Ring Topology for Replication (Server 1 through Server 4)

Figure 14.9 The Three-Hop Rule of Intra-site Replication (Server 1 through Server 6)

Inter-site Replication

Inter-site replication takes place between DCs in different sites. The drawback of inter-site communication is that it has to be configured manually. Active Directory builds an efficient inter-site replication topology from the information provided by the user. The directory saves this information as site link objects. A DC running a service called the Inter-site Topology Generator (ISTG) is used to build the topology. The ISTG is an Active Directory process that runs on one DC in a site and considers the cost of inter-site connections. It checks whether previously known DCs are still available and whether new DCs have been added. The KCC process updates the inter-site replication topology. A least-cost spanning-tree algorithm is used to eliminate superfluous replication paths between sites. The inter-site replication topology is updated regularly to respond to any changes that occur in the network. This is especially useful when traffic needs to cross a slower Internet link.

Inter-site replication across site links occurs every 180 minutes; this can be changed if necessary. In addition, you can schedule the availability of the site links for use. By default, a site link is available to carry replication 24 hours a day, 7 days a week, and this can also be changed if necessary. A site link can also be configured to use low-speed synchronous RPCs over TCP/IP or asynchronous SMTP transport. That is, replication within a site always uses RPC over IP, while replication between sites can use either RPC over IP or SMTP over IP. Replication between sites over SMTP is supported only for DCs of different domains.
DCs of the same domain must replicate by using the RPC over IP transport. Hence, a site link between sites can be configured to use either point-to-point, low-speed synchronous RPC over IP or low-speed asynchronous SMTP.

Planning, Creating, and Managing the Replication Topology

Planning, creating, and managing the replication topology are the key tasks when implementing replication, and each is discussed in this section.

Planning Replication Topology

There are three key points to understand before planning the replication topology:

■ Before starting the replication planning process, the forest, domain, and DNS planning must be finished.
■ It is essential to understand Active Directory replication, the File Replication Service (FRS), and system volume (SYSVOL) replication, which is used to replicate group policy changes.
■ For Active Directory replication, a rule of thumb is that a DC acting as a bridgehead server should not have more than 50 active simultaneous replication connections at any given time.

Creating Replication Topology

The next step is to create the replication topology.

■ Active Directory replication is a one-way pull replication whereby the DC that needs updates (the target DC) contacts its replication partner (the source DC). The source DC then selects the updates that the target DC needs and copies them to the target DC. Because Active Directory uses a multi-master replication model, each DC functions as both source and target for its replication partners. From the point of view of a DC, it has both inbound and outbound replication traffic, depending on whether it is the source or the destination of a replication sequence.
■ Inbound replication is the incoming data transfer from a replication partner to a DC, while outbound replication is the data transfer from a DC to its replication partner.
■ System policies and logon scripts that are stored in SYSVOL use FRS to replicate. Each DC keeps a copy of SYSVOL for network clients to access. FRS is also used for the Distributed File System (DFS).
■ Components of the replication topology such as the KCC, connection objects, site links, and site link bridges are to be checked by the administrator.
■ There are two methods for creating a replication topology:
  ■ Use the KCC to create connection objects. This method is recommended if there are 100 or fewer sites.
  ■ Use a scripted or third-party tool to create connection objects. This method is recommended if there are more than 100 sites.

Managing Replication Topology

Within sites, data is usually replicated based on change notification. The administrator can also force immediate replication. To do so for all data on a given connection in a single direction, perform the following steps:

1. Choose Start | Programs | Administrative Tools | Active Directory Sites and Services. Expand Sites in the left tree pane.
2. Expand the name of the site to replicate to.
3. Expand the name of the server to replicate to.
4. Select the server’s NTDS Settings object. The right console pane will be populated with the server’s inbound connection objects.
5. In the right pane, right-click the name of the server from which you want to replicate, and select Replicate Now.

Replication can also be forced from the command line by using the repadmin.exe utility from the Support Tools.

Configuring Replication between Sites

To ensure that users can log on within a given span of time, it is necessary to locate DCs near them, which sometimes involves moving DCs between sites. The purpose of a site is to help manage the replication between DCs and across slow network links.
In addition to creating the site and adding subnets to that site, we also need to move DCs into the site, as replication happens between DCs. A DC must be placed in the site it belongs to so that clients within that site can locate the DCs in the site and log on to them. To move DCs, follow these steps:

1. Open Active Directory Sites and Services.
2. Choose the Sites folder and then select the site where the server is located.
3. In the site, expand the Servers folder.
4. Right-click the DC you want to move, and choose Move.
5. Select the destination subnet from the dialog box and click OK.

Configuring Replication Frequency

Replication frequency is configured by providing an integer value that tells Active Directory how many minutes to wait before it uses a connection to check for replication updates. The interval must be not less than 15 minutes and not more than 10,080 minutes. For any replication to happen, a site link is essential. Follow these steps to configure the site link replication frequency:

1. Choose Start | Programs | Administrative Tools | Active Directory Sites and Services.
2. Expand the Inter-Site Transports folder, select either the IP or SMTP folder, and then right-click the site link for which the replication frequency is to be set.
3. Click Properties, and in the Properties dialog box for the site link, enter in the Replicate Every box the number of minutes between replications. The default value is 180.
4. Click OK.

Configuring Site Link Availability

After the DCs are moved, a site link has to be created between the sites, as it provides the path through which replication takes place. The creation of site links gives the KCC information about which connection objects should be created in order to replicate directory data. Site links also imply where the connection objects should be created. Follow these steps to configure a site link:

1. Choose Start | Programs | Administrative Tools | Active Directory Sites and Services.
2. Open the Sites folder and then the Inter-Site Transports folder.
3. Right-click the IP or SMTP folder, depending on the protocol needed, and then choose New Site Link.
4. Enter the name for the site link in the Name text box. From the Sites not in this site link list, choose the site to connect and click Add.
5. Click OK.

When creating site links, there is the option of using either IP or SMTP as the transport protocol:

■ SMTP replication SMTP can be used only for replication over site links. It is asynchronous; that is, the destination DC does not wait for the reply, and the reply may not be received for some time. SMTP replication also ignores the Replication Available and Replication Not Available settings on the site link schedule, and uses the replication interval to indicate how often the server requests changes. When choosing SMTP, you must install and configure an enterprise certification authority (CA), as it signs the SMTP messages that are exchanged between DCs.
■ IP replication All replication within a site occurs over the synchronous RPC over IP transport. Replication within a site is fast and delivers updates uncompressed. Replication events occur more frequently within a site than between sites, and the overhead of compression would be inefficient over fast connections.

Configuring Site Link Bridges

Often, there is no need to deal with site link bridges separately, as all the links are automatically bridged by a property known as transitive site links. Sometimes, when you need to control through which sites the data can flow, you need to create site link bridges. By default, all the site links created are bridged together. The bridging enables the sites to communicate with each other.
If the network structure means that automatic bridging does not provide this connectivity, disable automatic bridging and create an appropriate site link bridge. In some cases, it is necessary to control the data flow through the sites using site link bridges. To disable transitive site links (automatic bridging), follow these steps:

1. Choose Start | Programs | Administrative Tools | Active Directory Sites and Services.
2. Expand the Sites folder and then expand the Inter-Site Transports folder.
3. Right-click the transport for which automatic bridging should be turned off, and choose Properties.
4. On the General tab, clear the Bridge all site links check box and click OK.

To create a site link bridge, follow these steps:

1. Choose Start | Programs | Administrative Tools | Active Directory Sites and Services.
2. Expand the Sites folder and then the Inter-Site Transports folder.
3. Right-click the transport that needs to be used, and choose New Site Link Bridge.
4. In the Name box, enter a name for the site link bridge.
5. From the Site links not in this bridge list, select the site link to be added.
6. Remove any extra site links from the Site links in this bridge box and click OK.

Configuring Bridgehead Servers

A bridgehead server is a server that is mainly used for inter-site replication. A bridgehead server can be configured for every site that is created, for each of the inter-site replication protocols. This helps to control which server is used to replicate information to other servers. To configure a server as a bridgehead server, follow these steps:

1. Choose Start | Programs | Administrative Tools | Active Directory Sites and Services.
2. Expand the Sites folder.
3. Expand the site in which a bridgehead server has to be created, and then expand the Servers folder.
4. Right-click the server and choose Properties.
5. In the Transports available for inter-site transfer area, select the protocol for which this server should be a bridgehead and click Add.
6. Click OK to set the properties, and then close Active Directory Sites and Services.

The ability to configure a server as a bridgehead server gives you greater control over the resources used for replication between sites.

Troubleshooting Replication Failure

DCs usually handle the process involved in replication automatically. Failed network links and incorrect configurations can prevent the synchronization of information between DCs. There are many ways to monitor the behavior of Active Directory replication and correct problems if they occur.

Troubleshooting Replication

A common symptom of replication problems is that information is not updated on some or all DCs. There are several steps that you can take to troubleshoot Active Directory replication, including:

■ Check the network connectivity The basic requirement for any type of replication to work properly in a distributed environment is network connectivity. The ideal situation is that all the DCs are connected by high-speed LAN links. In the real world, either a dial-up connection or a slow connection is common. Check to see whether the replication topology is set up properly. In addition, confirm that the servers are communicating. Failed dial-up connection attempts can prevent important Active Directory information from being replicated.
■ Examine the replication topology The Active Directory Sites and Services tool helps to verify whether a replication topology is logically consistent. This is done by right-clicking the NTDS Settings within a Server object and selecting All Tasks | Check Replication Topology. If there are any errors, a dialog box will alert you to the problem.
■ Validate the event logs Whenever an error in the replication configuration occurs, events are written to the Directory Service event log. The Event Viewer administrative tool can provide the details associated with any problems in replication.
■ Verify whether the information is synchronized Many administrators forget to execute manual checks of the replication of Active Directory information. One reason for this is that Active Directory DCs each have their own read/write copy of the Active Directory database. Therefore, no failures are encountered while creating new objects even if connectivity does not exist. It is important to regularly check whether objects have been synchronized between DCs. The manual check, although tedious, can prevent inconsistencies in the information stored on DCs.
■ Check router and firewall configurations Firewalls restrict the types of traffic transferred between networks. In some cases, firewalls might block the types of network access that should be available for Active Directory replication to occur.
■ Verify site links Before any DCs in different sites can communicate, the sites must be connected by site links. If replication between sites doesn’t occur properly, verify whether the site links are in their proper positions.

Using Replication Monitor

The Replication Monitor tool helps you to determine whether the DCs replicate Active Directory information correctly. This tool is available as part of the Windows Server 2003 Support Tools, which have to be installed separately. After installing the Support Tools, go to Start menu | Windows Support Tools | Command Prompt and enter replmon.exe, which will open the Replication Monitor console (see Figure 14.10).

Figure 14.10 Replication Monitor Console

Posted: 04/07/2014, 23:21
