Active Directory Cookbook for windows server 2003- P35 pptx

Table 11-4. Attributes of siteLink objects

    siteList
        Multivalued list of distinguished names of each site that is associated with the site link. See Recipe 11.8 for more information.

Table 11-5. Attributes of server objects

    bridgeheadTransportList
        Multivalued attribute that contains the list of transports (e.g., IP or SMTP) for which the server is a preferred bridgehead server.
    cn
        RDN of the object. This is set to the hostname of the associated server.
    dNSHostName
        Fully qualified domain name of the server. This attribute is automatically maintained for domain controllers.
    serverReference
        Distinguished name of the corresponding computer object contained within one of the domain naming contexts.

Table 11-6. Attributes of nTDSDSA (NTDS Settings) objects

    cn
        RDN of the object, which is always equal to NTDS Settings.
    invocationID
        GUID that represents the DIT (ntds.dit) on the domain controller.
    hasMasterNCs
        Multivalued attribute containing the list of writeable naming contexts (does not include application partitions) stored on the domain controller.
    hasPartialReplicaNCs
        Multivalued attribute containing the list of read-only naming contexts stored on the domain controller. This will be populated only if the domain controller is a global catalog server.
    msDS-Behavior-Version
        Number that represents the functional level (i.e., operating system) of the domain controller. This attribute is new to Windows Server 2003.
    msDS-HasDomainNCs
        Contains the distinguished name of the writeable Domain naming context stored on the domain controller. This attribute is new to Windows Server 2003.
    msDS-HasInstantiatedNCs
        A combination of all available read-only and writeable naming contexts stored on the domain controller. This attribute is new to Windows Server 2003.
    msDS-hasPartialReplicaNCs
        Multivalued attribute that contains the distinguished names of each read-only naming context stored on the domain controller. This will be populated only if the domain controller is a global catalog server. This attribute is new to Windows Server 2003.
    msDS-hasMasterNCs
        Multivalued attribute that contains the distinguished names of each writeable naming context and application partition stored on the domain controller. This attribute is new to Windows Server 2003.
    options
        Bit flag that determines whether the domain controller is a global catalog server.
    queryPolicyObject
        If set, the distinguished name of the LDAP query policy object to be used by the domain controller.

Table 11-7. Attributes of nTDSConnection objects

    cn
        RDN of the object. For Knowledge Consistency Checker (KCC) generated connections, this is a GUID.
    enabledConnection
        Boolean that indicates whether the connection is available to be used.
    fromServer
        Distinguished name of the NTDS Settings object of the domain controller this connection replicates with.
    ms-DS-ReplicatesNCReason
        Multivalued attribute that stores reason codes for why the connection exists. There will be one entry per naming context the connection is used for.
    options
        Bit flag where a value of 1 indicates the connection was created by the KCC and a value of 0 means the connection was manually created. See Recipe 11.22 for more information.
    schedule
        Octet string that represents the replication schedule for the site link.
    transportType
        Distinguished name of the transport type (e.g., IP or SMTP) that is used for the connection.

Recipe 11.1 Creating a Site

11.1.1 Problem

You want to create a site.

11.1.2 Solution

11.1.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. Right-click on the Sites container and select New Site.
3. Beside Name, enter the name of the new site.
4. Under Link Name, select a site link for the site.
5. Click OK twice.

11.1.2.2 Using a command-line interface

Create an LDIF file called create_site.ldf with the following contents:

    dn: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
    changetype: add
    objectclass: site

    dn: cn=Licensing Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
    changetype: add
    objectclass: licensingSiteSettings

    dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
    changetype: add
    objectclass: nTDSSiteSettings

    dn: cn=Servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
    changetype: add
    objectclass: serversContainer

then run the following command:

    > ldifde -v -i -f create_site.ldf

11.1.2.3 Using VBScript

    ' This code creates the objects that make up a site.
    ' SCRIPT CONFIGURATION
    strSiteName = "<SiteName>"   ' e.g. Dallas
    ' END CONFIGURATION
    set objRootDSE = GetObject("LDAP://RootDSE")
    set objSitesCont = GetObject("LDAP://cn=sites," & _
                                 objRootDSE.Get("configurationNamingContext") )

    ' Create the site
    set objSite = objSitesCont.Create("site", "cn=" & strSiteName)
    objSite.SetInfo

    ' Create the Licensing Site Settings object
    set objLicensing = objSite.Create("licensingSiteSettings", _
                                      "cn=Licensing Site Settings")
    objLicensing.SetInfo

    ' Create the NTDS Site Settings object
    set objNTDS = objSite.Create("nTDSSiteSettings", "cn=NTDS Site Settings")
    objNTDS.SetInfo

    ' Create the Servers container
    set objServersCont = objSite.Create("serversContainer", "cn=Servers")
    objServersCont.SetInfo

    WScript.Echo "Successfully created site " & strSiteName

11.1.3 Discussion

To create a site in Active Directory, you have to create a number of objects. The first is a site object, which is the root of all the other objects. The site object contains the following:

    licensingSiteSettings
        This object isn't mandatory, but is created automatically when creating a site with AD Sites and Services. It is intended to point clients to a license server for the site.
    nTDSSiteSettings
        This object stores replication-related properties about a site, such as the replication schedule, the current ISTG role holder, and whether universal group caching is enabled.
    serversContainer
        This container is the parent of the server objects that are part of the site. All the domain controllers that are members of the site will be represented in this container.

After these objects are created, you've essentially created an empty site. If you didn't do anything else, the site would not be of much value. To make it usable, you need to assign subnet objects to it (see Recipe 11.4), and add the site to a siteLink object to link the site to other sites (see Recipe 11.7). At that point, you can promote or move domain controllers into the site, and it should be fully functional.

11.1.4 See Also

MS KB 318480 (HOW TO: Create and Configure an Active Directory Site in Windows 2000)

Recipe 11.2 Listing the Sites

11.2.1 Problem

You want to obtain the list of sites.

11.2.2 Solution

11.2.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. Click on the Sites container.
3. The list of sites will be displayed in the right pane.
4. Double-click on a site to view its properties.

11.2.2.2 Using a command-line interface

Run the following command to list the sites:

    > dsquery site

Run the following command to view the properties for a particular site:

    > dsget site "<SiteName>"

11.2.2.3 Using VBScript

    ' This code lists all of the site objects.
    set objRootDSE = GetObject("LDAP://RootDSE")
    set objSitesCont = GetObject("LDAP://cn=sites," & _
                                 objRootDSE.Get("configurationNamingContext") )
    objSitesCont.Filter = Array("site")
    for each objSite in objSitesCont
        Wscript.Echo " " & objSite.Get("cn")
    next

11.2.3 Discussion

Site objects are stored in the Sites container (e.g., cn=sites,cn=configuration,dc=rallencorp,dc=com) in the Configuration Naming Context (CNC). For more information on creating sites, see Recipe 11.1.
Recipe 11.3 Deleting a Site

11.3.1 Problem

You want to delete a site.

11.3.2 Solution

11.3.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. Click on the Sites container.
3. In the right pane, right-click the site you want to delete and select Delete.
4. Click Yes twice.

11.3.2.2 Using a command-line interface

    > dsrm <SiteDN> -subtree -noprompt

11.3.2.3 Using VBScript

    ' This code deletes a site and all child containers.
    ' SCRIPT CONFIGURATION
    strSiteName = "<SiteName>"   ' e.g. Dallas
    ' END CONFIGURATION
    set objRootDSE = GetObject("LDAP://RootDSE")
    set objSite = GetObject("LDAP://cn=" & strSiteName & ",cn=sites," & _
                            objRootDSE.Get("configurationNamingContext") )
    objSite.DeleteObject(0)
    WScript.Echo "Successfully deleted site " & strSiteName

11.3.3 Discussion

When deleting a site, be very careful to ensure that no active server objects exist within it. If you delete a site that contains domain controllers, it will disrupt replication for all domain controllers in that site. A more robust VBScript solution would be to first perform an ADO query for all server objects using the distinguished name of the site as the base DN. If no servers were returned, you could safely delete the site. If server objects were found, you should move them before deleting the site.

It is also worth noting that deleting a site does not delete any of the subnets or site links that were associated with the site. This would be another good thing to add to the VBScript solution. That is, before you delete the site, delete any subnets and site links that are associated with the site.

Recipe 11.4 Creating a Subnet

11.4.1 Problem

You want to create a subnet.

11.4.2 Solution

11.4.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. Right-click on the Subnets container and select New Subnet.
3. Enter the Address and Mask and then select which site the subnet is part of.
4. Click OK.
11.4.2.2 Using a command-line interface

Create an LDIF file called create_subnet.ldf with the following contents:

    dn: cn=<Subnet>,cn=subnets,cn=sites,cn=configuration,<ForestRootDN>
    changetype: add
    objectclass: subnet
    siteObject: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>

then run the following command:

    > ldifde -v -i -f create_subnet.ldf

11.4.2.3 Using VBScript

    ' This code creates a subnet object and associates it with a site.
    ' SCRIPT CONFIGURATION
    strSubnet = "<Subnet>"     ' e.g. 10.5.3.0/24
    strSite   = "<SiteName>"   ' e.g. Dallas
    ' END CONFIGURATION
    set objRootDSE = GetObject("LDAP://RootDSE")
    set objSubnetsCont = GetObject("LDAP://cn=subnets,cn=sites," & _
                                   objRootDSE.Get("configurationNamingContext") )
    set objSubnet = objSubnetsCont.Create("subnet", "cn=" & strSubnet)
    objSubnet.Put "siteObject", "cn=" & strSite & ",cn=sites," & _
                                objRootDSE.Get("configurationNamingContext")
    objSubnet.SetInfo
    WScript.Echo "Successfully created subnet " & strSubnet

11.4.3 Discussion

Subnet objects reside in the Subnets container (e.g., cn=subnets,cn=sites,cn=configuration,dc=rallencorp,dc=com) in the CNC. The relative distinguished name (RDN) of the subnet should be the subnet address and bit-mask combination (e.g., 10.5.3.0/24). The other important attribute to set is siteObject, which should contain the DN of the site that the subnet is associated with.

11.4.4 See Also

MS KB 323349 (HOW TO: Configure Subnets in Windows Server 2003 Active Directory)

Recipe 11.5 Listing the Subnets

11.5.1 Problem

You want to list the subnet objects in Active Directory.

11.5.2 Solution

11.5.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. Click on the Subnets container.
3. The list of subnets will be displayed in the right pane.
4. To view the properties of a specific subnet, double-click on the one you want to view.

11.5.2.2 Using a command-line interface

The following command will list all subnets:

    > dsquery subnet

The following command will display the properties for a particular subnet. Replace <Subnet> with the subnet address and mask (e.g., 10.5.3.0/24):

    > dsget subnet "<Subnet>"

11.5.2.3 Using VBScript

    ' This code lists all the subnets stored in Active Directory.
    set objRootDSE = GetObject("LDAP://RootDSE")
    set objSubnetsCont = GetObject("LDAP://cn=subnets,cn=sites," & _
                                   objRootDSE.Get("configurationNamingContext") )
    objSubnetsCont.Filter = Array("subnet")
    for each objSubnet in objSubnetsCont
        Wscript.Echo " " & objSubnet.Get("cn")
    next

11.5.3 Discussion

To display the site that each subnet is associated with, include the siteObject attribute as one of the attributes to return from the query. For example, the second-to-last line of the VBScript solution could be modified to return the site by using this code:

    Wscript.Echo " " & objSubnet.Get("cn") & " : " & objSubnet.Get("siteObject")

11.5.4 See Also

MS KB 323349 (HOW TO: Configure Subnets in Windows Server 2003 Active Directory)

Recipe 11.6 Finding Missing Subnets

11.6.1 Problem

You want to find the subnets that are missing from your site topology. Missing subnets can result in clients not authenticating against the most optimal domain controller, which can degrade performance.

11.6.2 Solution

Having all of your subnets in Active Directory is important because a client that attempts to log on from a subnet that is not associated with any site may authenticate with any domain controller in the domain. This can result in the logon process taking longer to complete. Unfortunately, Microsoft has not provided an easy way to rectify this problem. Under Windows 2000, the only source of missing subnet information was the System event 5778.
Here is an example:

    Event Type:     Information
    Event Source:   NETLOGON
    Event Category: None
    Event ID:       5778
    Date:           1/27/2003
    Time:           12:07:04 AM
    User:           N/A
    Computer:       DC2
    Description:
    'JSMITH-W2K' tried to determine its site by looking up its IP address
    ('10.21.85.34') in the Configuration\Sites\Subnets container in the DS.
    No subnet matched the IP address. Consider adding a subnet object for
    this IP address.

The only way to dynamically determine missing subnets is to query each domain controller for 5778 events and map the IP addresses specified within the events to a subnet you add to the site topology.

With Windows Server 2003 things are not that much better. One of the issues with the 5778 events under Windows 2000 is that they could easily fill up your System event log if you had many missing subnets. In Windows 2003, Microsoft decided to instead display a summary event 5807 that states that some number of connection attempts have been made by clients that did not map to a subnet in the site topology. Here is an example:

    Event Type:     Warning
    Event Source:   NETLOGON
    Event Category: None
    Event ID:       5807
    Date:           1/10/2003
    Time:           10:59:53 AM
    User:           N/A
    Computer:       DC1
    Description:
    During the past 4.18 hours there have been 21 connections to this Domain
    Controller from client machines whose IP addresses don't map to any of
    the existing sites in the enterprise. Those clients, therefore, have
    undefined sites and may connect to any Domain Controller including those
    that are in far distant locations from the clients. A client's site is
    determined by the mapping of its subnet to one of the existing sites. To
    move the above clients to one of the sites, please consider creating
    subnet object(s) covering the above IP addresses with mapping to one of
    the existing sites. The names and IP addresses of the clients in question
    have been logged on this computer in the following log file
    '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file
    '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full.
    The log(s) may contain additional unrelated debugging information. To
    filter out the needed information, please search for lines which contain
    text 'NO_CLIENT_SITE:'. The first word after this string is the client
    name and the second word is the client IP address. The maximum size of
    the log(s) is controlled by the following registry DWORD value
    'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize';
    the default is 20000000 bytes. The current maximum size is 20000000
    bytes. To set a different maximum size, create the above registry value
    and set the desired maximum size in bytes.
    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.

Instead of scraping the event logs on every domain controller, you can look at the %SystemRoot%\debug\netlogon.log file on each domain controller and parse out all the NO_CLIENT_SITE entries. This is still far from an easy process, but at least the event logs are no longer cluttered with 5778 events.

Here is an example of some of the NO_CLIENT_SITE entries from the netlogon.log file:

    01/16 15:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
    01/16 15:50:29 RALLENCORP: NO_CLIENT_SITE: SJC-BACKUP 44.25.26.142
    01/16 16:19:58 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
    01/16 16:20:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
    01/16 16:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
    01/16 16:57:00 RALLENCORP: NO_CLIENT_SITE: JSMITH-W2K1 10.61.80.19
    01/16 17:20:08 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
    01/16 17:50:08 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157

If you wanted to get creative and automate a solution to do this, you could write a script that goes out to each domain controller, opens the netlogon.log file and retrieves the NO_CLIENT_SITE entries. You can then examine all of the IP addresses and create subnets in Active Directory that would contain them. You could associate all of those subnets with a default site or even use the Default-First-Site-Name site. Then once a week (or whenever), you could look at the sites
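The automation sketched in this recipe, together with the pre-deletion check that Recipe 11.3 suggests, as an added Python example that is not the book's code: it runs offline against a constructed snapshot of the directory objects (the SERVERS, SUBNETS and SITE_LINKS values, using the rallencorp.com forest DN from the book's examples) instead of querying a live domain controller, and the log text reuses the NO_CLIENT_SITE lines shown above plus one constructed unrelated line. All function and variable names are the example's own assumptions.

```python
"""Added example (not from the book): offline checks for an AD site topology.
Recipe 11.3: before deleting a site, list everything that still references it.
Recipe 11.6: map NO_CLIENT_SITE entries from netlogon.log to subnet objects and
propose subnets for client addresses that nothing covers.
All directory data below is a constructed snapshot, not a live LDAP query."""
import ipaddress
import re
from collections import defaultdict

# Forest root from the book's examples; a real run would read it from RootDSE.
CONFIG_NC = "cn=configuration,dc=rallencorp,dc=com"


def norm_dn(dn):
    """Lowercase a DN and strip whitespace around RDN separators so DNs written
    with different casing compare equal (assumption: no escaped commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def site_dn(site_name):
    return f"cn={site_name},cn=sites,{CONFIG_NC}"


# Constructed snapshot of what the queries in the recipes would return.
SERVERS = [  # server objects live under cn=Servers,cn=<site>,cn=Sites,...
    "cn=DC1,cn=Servers,cn=Default-First-Site-Name,cn=Sites,CN=Configuration,DC=rallencorp,DC=com",
    "cn=DC2,cn=Servers,cn=Dallas,cn=Sites,CN=Configuration,DC=rallencorp,DC=com",
]
SUBNETS = {  # subnet RDN -> siteObject
    "10.5.3.0/24": site_dn("Dallas"),
    "10.61.80.0/24": site_dn("Default-First-Site-Name"),
    "10.5.3.1/24": site_dn("Dallas"),  # malformed on purpose: host bits set
}
SITE_LINKS = {  # siteLink cn -> siteList
    "DEFAULTIPSITELINK": [site_dn("Default-First-Site-Name"), site_dn("Dallas")],
}
# The book's sample netlogon.log lines plus one constructed noise line to skip.
SAMPLE_LOG = """\
01/16 15:50:07 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 15:50:29 RALLENCORP: NO_CLIENT_SITE: SJC-BACKUP 44.25.26.142
01/16 16:19:58 RALLENCORP: NO_CLIENT_SITE: RALLEN-TEST4 164.2.45.157
01/16 16:57:00 RALLENCORP: NO_CLIENT_SITE: JSMITH-W2K1 10.61.80.19
01/16 17:20:08 RALLENCORP: SamLogon: unrelated constructed line
"""


def site_dependencies(site_name):
    """Recipe 11.3 pre-check: servers inside the site, subnets whose siteObject
    points at it, and site links whose siteList contains it."""
    target = norm_dn(site_dn(site_name))
    container = norm_dn(f"cn=Servers,{site_dn(site_name)}")
    return {
        "servers": [dn for dn in SERVERS if norm_dn(dn).endswith("," + container)],
        "subnets": [rdn for rdn, so in SUBNETS.items() if norm_dn(so) == target],
        "site_links": [cn for cn, sl in SITE_LINKS.items()
                       if any(norm_dn(d) == target for d in sl)],
    }


def safe_to_delete(site_name):
    """A site that still holds server objects must not be deleted (it breaks
    replication for those DCs); subnets and links are only reported for cleanup."""
    return not site_dependencies(site_name)["servers"]


def load_subnets():
    """Parse subnet RDNs as networks. strict=True rejects RDNs that are not a
    proper network address plus mask, which Recipe 11.4 requires."""
    nets, bad = [], []
    for rdn in SUBNETS:
        try:
            nets.append(ipaddress.ip_network(rdn, strict=True))
        except ValueError:
            bad.append(rdn)
    return nets, bad


NO_CLIENT_SITE = re.compile(
    r"^\d\d/\d\d \d\d:\d\d:\d\d \S+: NO_CLIENT_SITE: (?P<client>\S+) (?P<ip>\S+)$")


def parse_netlogon(text):
    """Return (client, ip) pairs for NO_CLIENT_SITE lines; others are ignored."""
    return [(m.group("client"), m.group("ip"))
            for m in (NO_CLIENT_SITE.match(line.strip()) for line in text.splitlines())
            if m]


def missing_subnets(log_text, prefixlen=24):
    """Recipe 11.6: client IPs no subnet object covers, grouped into candidate
    /prefixlen networks with the client names seen in each."""
    nets, _ = load_subnets()
    found = defaultdict(set)
    for client, ip in parse_netlogon(log_text):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            continue  # already mapped to a site; nothing to add
        candidate = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        found[str(candidate)].add(client)
    return {net: sorted(clients) for net, clients in sorted(found.items())}


if __name__ == "__main__":
    for site in ("Dallas", "Chicago"):
        print(site, "safe to delete:", safe_to_delete(site), site_dependencies(site))
    print("malformed subnet RDNs:", load_subnets()[1])
    for net, clients in missing_subnets(SAMPLE_LOG).items():
        print(f"candidate subnet {net} for clients {', '.join(clients)}")
```

On a real domain controller the snapshot would come from an LDAP query against the Configuration naming context (the same base DNs the recipes use) and the log text from %SystemRoot%\debug\netlogon.log; the checks themselves do not change. Candidate subnets are proposed at /24 only as a starting point for review; the strict RDN parsing flags an entry such as 10.5.3.1/24 instead of silently matching clients against a subnet the directory never defined correctly.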

Posted: 05/07/2014, 08:20
