
Active Directory Cookbook for Windows Server 2003 - P37



Document information: 10 pages, 34.79 KB

Contents

11.13.4 See Also

MS KB 271997 (Description of Bridgehead Servers in Windows 2000)

Recipe 11.14 Setting a Preferred Bridgehead Server for a Site

11.14.1 Problem

You want to set a preferred bridgehead server for a site.

11.14.2 Solution

11.14.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. In the left pane, expand Sites, expand the site that contains the server you want to set as a bridgehead, and expand the Servers container.
3. Right-click on the server you want to set as the bridgehead and select Properties.
4. Highlight IP, SMTP, or both, depending on the transport(s) for which you want the server to be a bridgehead.
5. Click the Add button.
6. Click OK.

11.14.2.2 Using a command-line interface

Create an LDIF file called set_bridgehead_server.ldf with the following contents:

    dn: cn=<DCName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
    changetype: modify
    add: bridgeheadTransportList
    bridgeheadTransportList: cn=IP,cn=Inter-Site Transports,cn=sites,cn=configuration,<ForestRootDN>
    -

then run the following command:

    > ldifde -v -i -f set_bridgehead_server.ldf

11.14.2.3 Using VBScript

    ' This code sets a preferred bridgehead server for a particular transport.
    ' SCRIPT CONFIGURATION
    strServer     = "<DomainControllerName>"   ' e.g. dc1
    strServerSite = "<SiteName>"               ' e.g. Default-First-Site-Name
    strTransport  = "<TransportName>"          ' either IP or SMTP
    ' END CONFIGURATION

    const ADS_PROPERTY_APPEND = 3

    set objRootDSE = GetObject("LDAP://RootDSE")
    set objServer = GetObject("LDAP://cn=" & strServer & ",cn=Servers,cn=" & _
                              strServerSite & ",cn=sites," & _
                              objRootDSE.Get("configurationNamingContext"))
    ' bridgeheadTransportList is multi-valued (a server can be a bridgehead for
    ' both IP and SMTP). PutEx with ADS_PROPERTY_APPEND adds the new transport;
    ' a plain Put would replace any transport already listed.
    objServer.PutEx ADS_PROPERTY_APPEND, "bridgeheadTransportList", _
                    Array("cn=" & strTransport & ",cn=Inter-Site Transports,cn=sites," & _
                          objRootDSE.Get("configurationNamingContext"))
    objServer.SetInfo
    WScript.Echo "Successfully set bridgehead server: " & strServer

11.14.3 Discussion

Setting a preferred bridgehead server gives you more control over which domain controllers participate in inter-site replication, but it is also limiting. The KCC normally selects bridgehead servers dynamically, but once you set preferred bridgehead servers for a transport in a site, the KCC uses only those servers and will not select new ones if the preferred servers become unavailable. If you do select preferred bridgehead servers, select at least two per site for each partition the site needs to replicate, so that the loss of one server does not stop inter-site replication for that site. As a general rule, avoid setting preferred bridgehead servers if at all possible.

11.14.4 See Also

MS KB 271997 (Description of Bridgehead Servers in Windows 2000)

Recipe 11.15 Listing the Servers

11.15.1 Problem

You want to list the server objects in the site topology.

11.15.2 Solution

11.15.2.1 Using a graphical user interface

1. Open LDP.
2. From the menu, select Connection > Connect.
3. For Server, enter the name of a domain controller (or leave blank to do a serverless bind).
4. For Port, enter 389.
5. Click OK.
6. From the menu, select Connection > Bind.
7. Enter credentials of a domain user.
8. Click OK.
9. From the menu, select Browse > Search.
10. For BaseDN, type the Sites container's DN (e.g., cn=sites,cn=configuration,dc=rallencorp,dc=com).
11. For Scope, select Subtree.
12. For Filter, enter (objectcategory=server).
13. Click Run.

11.15.2.2 Using a command-line interface

    > dsquery server [-site <SiteName>]

11.15.2.3 Using VBScript

    ' This code lists the server objects in the site topology.
    set objRootDSE = GetObject("LDAP://RootDSE")
    strBase   = "<LDAP://cn=sites," & _
                objRootDSE.Get("configurationNamingContext") & ">;"
    strFilter = "(objectcategory=server);"
    strAttrs  = "distinguishedName;"
    strScope  = "subtree"

    set objConn = CreateObject("ADODB.Connection")
    objConn.Provider = "ADsDSOObject"
    objConn.Open "Active Directory Provider"
    set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
    ' Execute leaves the recordset on the first row, and MoveFirst raises an
    ' error on an empty result, so loop straight through to EOF.
    while Not objRS.EOF
        Wscript.Echo objRS.Fields(0).Value
        objRS.MoveNext
    wend

11.15.3 Discussion

Each Active Directory domain controller is represented in the site topology by a server object that belongs to a specific site. Replication decisions are made based on the links from that site to other sites that contain domain controllers. Other services can also add server objects to the site topology, so not every server object is a domain controller. The way to tell them apart is the NTDS Settings (nTDSDSA) object: only domain controllers have one as a child of their server object. (This is also why dsquery server in the CLI solution returns only domain controllers, while the LDAP search in the GUI and VBScript solutions returns every server object.)

Recipe 11.16 Moving a Domain Controller to a Different Site

11.16.1 Problem

You want to move a domain controller to a different site. This may be necessary if you promoted the domain controller without first adding its subnet to Active Directory; in that case the domain controller is placed in the Default-First-Site-Name site.

11.16.2 Solution

11.16.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. In the left pane, expand Sites, expand the site that contains the server you want to move, and expand the Servers container.
3. Right-click on the server you want to move and select Move.
4. Select the site to move the server to.
5. Click OK.
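The following is an added PowerShell example, not code from the Active Directory Cookbook, that covers recipes 11.14 through 11.16 with the ActiveDirectory module (Windows Server 2008 R2 and later): it lists the server objects under CN=Sites and applies the nTDSDSA-child test from 11.15.3 to tell domain controllers from other server objects, appends a transport to bridgeheadTransportList and warns when a site is left with fewer than two preferred bridgeheads for that transport (the caveat in 11.14.3), and moves a server object to another site after checking that the destination site exists. The names dc01, dc02, Raleigh and Default-First-Site-Name are placeholders.

```powershell
# Added example (not code from the Active Directory Cookbook). PowerShell equivalents
# of recipes 11.14 to 11.16 using the ActiveDirectory module (Windows Server 2008 R2
# and later). dc01, dc02, Raleigh and Default-First-Site-Name are placeholder names.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"

function Get-SiteTopologyServer {
    # Recipe 11.15: every server object under CN=Sites, with the test from 11.15.3
    # applied: only domain controllers have an NTDS Settings (nTDSDSA) child object.
    Get-ADObject -SearchBase $sitesDN -SearchScope Subtree `
                 -LDAPFilter '(objectCategory=server)' `
                 -Properties dNSHostName, bridgeheadTransportList |
    ForEach-Object {
        $ntds = Get-ADObject -SearchBase $_.DistinguishedName -SearchScope OneLevel `
                             -LDAPFilter '(objectClass=nTDSDSA)' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name                = $_.Name
            Site                = ($_.DistinguishedName -split ',')[2] -replace '^CN='
            DnsHostName         = $_.dNSHostName
            IsDomainController  = [bool]$ntds
            # transport names (IP, SMTP) for which this server is a preferred bridgehead
            PreferredBridgehead = @($_.bridgeheadTransportList | Where-Object { $_ } |
                                    ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
        }
    }
}

function Set-PreferredBridgehead {
    # Recipe 11.14. Appends to the multi-valued bridgeheadTransportList (a server can be
    # a bridgehead for both IP and SMTP), then applies the caveat from 11.14.3: once a
    # site has preferred bridgeheads for a transport the KCC stops picking its own, so
    # warn if the site is left with fewer than two for that transport.
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$SiteName,
        [ValidateSet('IP', 'SMTP')][string]$Transport = 'IP'
    )
    $serverDN    = "CN=$ServerName,CN=Servers,CN=$SiteName,$sitesDN"
    $transportDN = "CN=$Transport,CN=Inter-Site Transports,$sitesDN"

    Set-ADObject -Identity $serverDN -Add @{ bridgeheadTransportList = $transportDN }

    $preferred = @(Get-ADObject -SearchBase "CN=Servers,CN=$SiteName,$sitesDN" -SearchScope OneLevel `
                                -LDAPFilter "(bridgeheadTransportList=$transportDN)")
    if ($preferred.Count -lt 2) {
        Write-Warning "$SiteName now has $($preferred.Count) preferred $Transport bridgehead(s); add a second one or the site loses inter-site replication while $ServerName is down."
    }
    $preferred.Name
}

function Move-DomainControllerToSite {
    # Recipe 11.16. Fails before the move if the destination site has no Servers
    # container, which is what a misspelled site name looks like.
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][string]$CurrentSite,
        [Parameter(Mandatory)][string]$NewSite
    )
    $serverDN = "CN=$ServerName,CN=Servers,CN=$CurrentSite,$sitesDN"
    $targetDN = "CN=Servers,CN=$NewSite,$sitesDN"
    try   { $null = Get-ADObject -Identity $targetDN }
    catch { throw "Destination site '$NewSite' was not found under $sitesDN" }
    Move-ADObject -Identity $serverDN -TargetPath $targetDN
}

# Read-only usage:
Get-SiteTopologyServer | Format-Table Name, Site, IsDomainController, PreferredBridgehead -AutoSize
# Changes (uncomment to run):
# Set-PreferredBridgehead -ServerName dc01 -SiteName Raleigh -Transport IP
# Move-DomainControllerToSite -ServerName dc02 -CurrentSite Default-First-Site-Name -NewSite Raleigh
```

Set-ADObject -Add is used rather than -Replace for the same reason the VBScript solution should use PutEx: bridgeheadTransportList is multi-valued, and replacing it would silently drop the other transport. The count check runs after the write because the KCC's fallback is lost the moment the first preferred bridgehead for a transport appears in a site.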
11.16.2.2 Using a command-line interface

    > dsmove "cn=<ServerName>,cn=servers,cn=<CurrentSite>,cn=sites,cn=configuration,<ForestRootDN>" -newparent "cn=servers,cn=<NewSite>,cn=sites,cn=configuration,<ForestRootDN>"

11.16.2.3 Using VBScript

    ' This code moves a server object to a different site.
    ' SCRIPT CONFIGURATION
    ' Common name of the server object
    strDC = "<DomainControllerName>"        ' e.g. dc02
    ' Name of the server's current site
    strCurrentSite = "<CurrentSite>"        ' e.g. Default-First-Site-Name
    ' Name of the site you want to move the server to
    strNewSite = "<NewSite>"                ' e.g. Raleigh
    ' END CONFIGURATION

    strConfigDN = GetObject("LDAP://RootDSE").Get("configurationNamingContext")
    strServerDN = "LDAP://cn=" & strDC & ",cn=servers,cn=" & _
                  strCurrentSite & ",cn=sites," & strConfigDN
    strNewParentDN = "LDAP://cn=servers,cn=" & strNewSite & ",cn=sites," & strConfigDN

    ' Bind to the destination Servers container and move the server object into it
    set objCont = GetObject(strNewParentDN)
    objCont.MoveHere strServerDN, "cn=" & strDC

11.16.3 Discussion

After you move a server to a new site, monitor replication to and from that server to make sure that any new connections that are needed get created and start replicating. See Recipe 12.2 for more on viewing the replication status of a server.

11.16.4 See Also

MS KB 214677 (Automatic Detection of Site Membership for Domain Controllers)

Recipe 11.17 Configuring a Domain Controller to Cover Multiple Sites

11.17.1 Problem

You want to configure a domain controller to cover multiple sites, so that clients in those sites use that domain controller for authentication and directory lookups.

11.17.2 Solution

11.17.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start > Run.
2. In the left pane, expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. If the SiteCoverage value does not exist, right-click on Parameters in the left pane and select New > Multi-String Value. For the name, enter SiteCoverage.
4. In the right pane, double-click on the value and enter each site the server should cover, one per line.
5. Click OK.

11.17.2.2 Using a command-line interface

    > reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v SiteCoverage /t REG_MULTI_SZ /d <Site1>\0<Site2>

11.17.2.3 Using VBScript

    ' This code configures a domain controller to cover multiple sites.
    ' SCRIPT CONFIGURATION
    strDC = "<DomainControllerName>"          ' e.g. dc01
    arrSites = Array("<Site1>","<Site2>")     ' Array of sites to cover
    ' END CONFIGURATION

    strNetlogonReg = "SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
    const HKLM = &H80000002
    ' Connect to the WMI registry provider on the remote domain controller
    set objReg = GetObject("winmgmts:\\" & strDC & "\root\default:StdRegProv")
    ' SiteCoverage is a REG_MULTI_SZ value: one site name per element
    objReg.SetMultiStringValue HKLM, strNetlogonReg, "SiteCoverage", arrSites
    WScript.Echo "Site coverage set for " & strDC

11.17.3 Discussion

It is perfectly valid to have a site that does not contain its own domain controller. In fact, if you model the site topology after your real network, some sites will lack their own domain controllers unless you've deployed a branch office architecture or have very few sites. If you create sites without any domain controllers, the site links between the sites determine which domain controllers will "cover" the site, that is, advertise their services to it. When a domain controller covers a remote site, it publishes site-specific DNS resource records that clients in that site use to find it. Active Directory selects the DCs that cover DC-less sites automatically, but you can hard-code the list of sites a specific domain controller covers by modifying the Registry as described in the Solution section. Because clients in the covered sites will then authenticate against this domain controller, check its site coverage (Recipe 11.18) whenever clients in a site are authenticating with an unexpected domain controller.

11.17.4 See Also

MS KB 200498 (Configure a Domain Controller for Membership in Multiple Sites)

Recipe 11.18 Viewing the Site Coverage for a Domain Controller

11.18.1 Problem

You want to view the sites a domain controller covers.
11.18.2 Solution

11.18.2.1 Using a command-line interface

In the following command, replace <DomainControllerName> with the name of the domain controller whose site coverage you want to view:

    > nltest /server:<DomainControllerName> /DsGetSiteCov

11.18.2.2 Using VBScript

Although you cannot call it directly from a scripting language like VBScript, Microsoft provides a DsGetDcSiteCoverage function (part of the Win32 API) that languages such as Visual Basic and C++ can use to retrieve site coverage information. In fact, the nltest command shown in the CLI solution is a wrapper around this function.

11.18.3 Discussion

Recipe 11.17 describes how to force a domain controller to cover multiple sites. Recipe 11.19 describes how to stop a domain controller from covering any sites other than its own.

11.18.4 See Also

MSDN: DsGetDcSiteCoverage

Recipe 11.19 Disabling Automatic Site Coverage for a Domain Controller

11.19.1 Problem

You want to prevent a domain controller from covering sites outside of the one it resides in.

11.19.2 Solution

11.19.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start > Run.
2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Right-click on Parameters and select New > DWORD Value.
4. For the name, enter AutoSiteCoverage.
5. Double-click on the new value, enter 0 under Value data, and click OK.
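The following is an added PowerShell example, not code from the Active Directory Cookbook, for the Netlogon site-coverage settings in recipes 11.17 and 11.19 and the read-back in 11.18. It is meant to run on the domain controller itself, needs the ActiveDirectory module, and adds the check the registry-based solutions lack: the site names are validated against the site objects under CN=Sites before they are written, because a mistyped name in SiteCoverage is accepted by the registry and simply never covered. The site names Raleigh and Boston are placeholders.

```powershell
# Added example (not code from the Active Directory Cookbook). Manages the Netlogon
# site-coverage values from recipes 11.17 and 11.19 on the domain controller it runs on,
# and reads them back with nltest as in 11.18. Requires the ActiveDirectory module.
# Raleigh and Boston are placeholder site names.
Import-Module ActiveDirectory

$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-DcSiteCoverageConfig {
    # Reads the hard-coded site settings (SiteCoverage, AutoSiteCoverage, and the
    # SiteName override from 11.21) so you can audit a DC before chasing DC Locator
    # problems. Values that are not set are reported as such.
    $p = Get-ItemProperty -Path $netlogonKey
    $auto = if ($null -eq $p.AutoSiteCoverage) { 'not set (automatic coverage on)' } else { $p.AutoSiteCoverage }
    [pscustomobject]@{
        SiteCoverage     = @($p.SiteCoverage | Where-Object { $_ })
        AutoSiteCoverage = $auto
        SiteName         = $p.SiteName
    }
}

function Set-DcSiteCoverage {
    # Recipe 11.17. Registry writes are not validated, so a mistyped site name simply
    # never gets covered; check the names against the site objects first.
    param([Parameter(Mandatory)][string[]]$Site)
    $known   = @(Get-ADReplicationSite -Filter * | Select-Object -ExpandProperty Name)
    $unknown = @($Site | Where-Object { $known -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "Unknown site(s): $($unknown -join ', '). Known sites: $($known -join ', ')"
    }
    # Same REG_MULTI_SZ value regedit or 'reg add /t REG_MULTI_SZ' writes, one site per element.
    Set-ItemProperty -Path $netlogonKey -Name SiteCoverage -Value $Site -Type MultiString
}

function Disable-DcAutoSiteCoverage {
    # Recipe 11.19. AutoSiteCoverage=0 stops the automatic selection described in 11.17.3;
    # sites listed explicitly in SiteCoverage are a separate setting and stay in place.
    Set-ItemProperty -Path $netlogonKey -Name AutoSiteCoverage -Value 0 -Type DWord
}

function Test-DcSiteCoverage {
    # Recipe 11.18: nltest wraps DsGetDcSiteCoverage. Netlogon publishes the site-specific
    # DNS records on its own schedule, so force a re-registration before reading.
    param([string]$DomainController = $env:COMPUTERNAME)
    & nltest.exe "/server:$DomainController" /dsregdns | Out-Null
    & nltest.exe "/server:$DomainController" /dsgetsitecov
}

Get-DcSiteCoverageConfig
# Changes (uncomment to run on the DC):
# Set-DcSiteCoverage -Site 'Raleigh', 'Boston'
# Disable-DcAutoSiteCoverage
# Test-DcSiteCoverage
```

Get-DcSiteCoverageConfig is the part worth keeping in a baseline check: these three values change which domain controller a whole site authenticates against, they are set per machine rather than in the directory, and nothing in the directory shows that they exist.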
11.19.2.2 Using a command-line interface

    > reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v AutoSiteCoverage /t REG_DWORD /d 0

11.19.2.3 Using VBScript

    ' This code disables automatic site coverage on the host it is run on.
    strNetlogonReg = "SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
    const HKLM = &H80000002
    ' Connect to the WMI registry provider on the local machine
    set objReg = GetObject("winmgmts:root\default:StdRegProv")
    ' AutoSiteCoverage is a REG_DWORD; 0 disables automatic coverage
    objReg.SetDWORDValue HKLM, strNetlogonReg, "AutoSiteCoverage", 0
    WScript.Echo "Site coverage disabled"

11.19.3 Discussion

If you want to reduce the load on a domain controller, one way is to prevent it from covering other sites. Automatic site coverage happens only when a site has no domain controllers of its own; disabling it on a domain controller stops that server from being selected for such sites.

11.19.4 See Also

Recipe 11.18 for viewing the site coverage for a domain controller

Recipe 11.20 Finding the Site for a Client

11.20.1 Problem

You want to find which site a client computer is in.

11.20.2 Solution

11.20.2.1 Using a command-line interface

In the following command, replace <HostName> with the name of the host whose site you want to find:

    > nltest /server:<HostName> /DsGetSite

11.20.2.2 Using VBScript

Although you cannot call it directly from a scripting language like VBScript, Microsoft provides a DsGetSiteName function (part of the Win32 API) that languages such as Visual Basic and C++ can use to retrieve the site name of a computer. In fact, the nltest command shown in the CLI solution is a wrapper around this function. The IADsTools component that ships with the Windows Support Tools provides a scriptable wrapper around it:

    ' Requires the IADsTools component (iadstools.dll) from the Windows Support Tools
    set objIadsTools = CreateObject("IADsTools.DCFunctions")
    strSite = objIadsTools.DsGetSiteName("<HostName>")
    Wscript.Echo "Site: " & strSite

11.20.3 Discussion

Each domain controller has a server object that is contained within a site. Clients are different: they are associated with a site based on their IP address and the subnet object in the Subnets container that it matches. The client's site matters because it determines which domain controller the client authenticates with.
If the client's IP address does not match the range of any subnet stored in Active Directory, the client is not associated with any site at all and the DC Locator falls back to the domain-wide records, which means it could authenticate against any domain controller in the domain. See Recipe 11.21 for a way to hard-code the site association for a client.

11.20.4 See Also

Recipe 11.21 for forcing a host to a particular site, MS KB 247811 (How Domain Controllers Are Located in Windows), and MSDN: DsGetSiteName

Recipe 11.21 Forcing a Host to a Particular Site

11.21.1 Problem

You want to force a host to be in a particular site.

11.21.2 Solution

11.21.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start > Run.
2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
3. Right-click on Parameters and select New > String Value.
4. Enter SiteName for the name.
5. Double-click on the new value, enter the name of the site under Value data, and click OK.

11.21.2.2 Using a command-line interface

    > reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v SiteName /t REG_SZ /d <SiteName>

11.21.2.3 Using VBScript

    ' This code forces the host the script is run on into a particular site.
    ' SCRIPT CONFIGURATION
    strSite = "<SiteName>"   ' e.g. Raleigh
    ' END CONFIGURATION

    strNetlogonReg = "SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
    const HKLM = &H80000002
    ' Connect to the WMI registry provider on the local machine
    set objReg = GetObject("winmgmts:root\default:StdRegProv")
    ' SiteName is a REG_SZ holding the site name the DC Locator should use
    objReg.SetStringValue HKLM, strNetlogonReg, "SiteName", strSite
    WScript.Echo "Set SiteName to " & strSite

11.21.3 Discussion

You can bypass the part of the DC Locator process that determines a client's site by hard-coding the site in the Registry. This is generally not recommended and should be used primarily as a troubleshooting tool. If a client is experiencing authentication delays because of a misconfigured site or subnet object, you can hard-code its site so that it temporarily points to a better location (and domain controller). Remove the value once the site or subnet object is fixed: a SiteName override keeps the client on that site no matter how the topology changes afterwards.
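The following is an added PowerShell example, not code from the Active Directory Cookbook, that reproduces the subnet-to-site matching step described in 11.20.3 so you can see which site a client IP maps to, and which subnet object decides it, without touching the client or its registry. The subnet list it runs against is constructed sample data in the shape of AD subnet objects (Name is the prefix, SiteName the site it is assigned to); the commented line at the end shows how to load the real list with the ActiveDirectory module. It also covers the two failure modes this recipe and 11.21 are usually invoked for: an address that no subnet object covers, and a subnet object that exists but was never assigned to a site.

```powershell
# Added example (not code from the Active Directory Cookbook). Reproduces the
# subnet-to-site matching step that 11.20.3 describes. $sampleSubnets is constructed
# sample data; the commented line at the end loads the real subnet objects.

function ConvertTo-IPv4Int {
    param([Parameter(Mandatory)][string]$Address)
    # GetAddressBytes() returns network (big-endian) order; combining the bytes by hand
    # keeps the result independent of the host's endianness.
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    ([long]$b[0] * 16777216) + ([long]$b[1] * 65536) + ([long]$b[2] * 256) + [long]$b[3]
}

function Get-SiteForClientIP {
    param(
        [Parameter(Mandatory)][string]$IPAddress,
        [Parameter(Mandatory)][object[]]$Subnets   # objects with .Name ('10.20.0.0/16') and .SiteName
    )
    $ip = ConvertTo-IPv4Int $IPAddress
    $candidates = foreach ($s in $Subnets) {
        $prefix, $len = $s.Name -split '/'
        # Skip IPv6 and malformed subnet names; this example only handles IPv4.
        if (-not $len -or $prefix -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { continue }
        $len = [int]$len
        if ($len -lt 0 -or $len -gt 32) { continue }
        $mask = if ($len -eq 0) { [long]0 } else { [long]4294967295 - ([long][math]::Pow(2, 32 - $len) - 1) }
        if (((ConvertTo-IPv4Int $prefix) -band $mask) -eq ($ip -band $mask)) {
            [pscustomobject]@{ Subnet = $s.Name; PrefixLength = $len; SiteName = $s.SiteName }
        }
    }
    # The most specific (longest) prefix wins when subnet objects overlap.
    $best = $candidates | Sort-Object PrefixLength -Descending | Select-Object -First 1
    $result = [pscustomobject]@{ IPAddress = $IPAddress; Subnet = $null; SiteName = $null; Note = $null }
    if (-not $best) {
        # No subnet object covers the address: the client has no site and the DC Locator
        # falls back to the domain-wide records (11.20.3). Fix the Subnets container,
        # not the client's registry.
        $result.Note = 'no subnet object matches; client is not associated with any site'
    }
    elseif (-not $best.SiteName) {
        $result.Subnet = $best.Subnet
        $result.Note   = 'matching subnet object has no site assigned'
    }
    else {
        $result.Subnet   = $best.Subnet
        $result.SiteName = $best.SiteName
    }
    $result
}

# Constructed sample data (not from a real forest)
$sampleSubnets = @(
    [pscustomobject]@{ Name = '10.0.0.0/8';    SiteName = 'Default-First-Site-Name' },
    [pscustomobject]@{ Name = '10.20.0.0/16';  SiteName = 'Raleigh' },
    [pscustomobject]@{ Name = '10.20.30.0/24'; SiteName = $null },      # subnet created but never assigned to a site
    [pscustomobject]@{ Name = '2001:db8::/32'; SiteName = 'Raleigh' }   # IPv6 subnet, skipped by this example
)
Get-SiteForClientIP -IPAddress 10.20.5.7   -Subnets $sampleSubnets   # covered by both the /8 and the /16
Get-SiteForClientIP -IPAddress 10.20.30.9  -Subnets $sampleSubnets   # most specific match has no site
Get-SiteForClientIP -IPAddress 192.168.1.5 -Subnets $sampleSubnets   # no subnet object at all

# Real data from the forest (requires the ActiveDirectory module):
# $subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
#            Select-Object Name, @{ n = 'SiteName'; e = { if ($_.Site) { ($_.Site -split ',')[0] -replace '^CN=' } } }
```

Running this against the real subnet list for a client that is authenticating slowly tells you whether the fix belongs in the Subnets container (no match, or a subnet without a site) before you reach for the SiteName override in Recipe 11.21.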
11.21.4 See Also

Recipe 11.20 for finding the site of a client and MS KB 247811 (How Domain Controllers Are Located in Windows)

Recipe 11.22 Creating a Connection Object

11.22.1 Problem

You want to create a connection object to manually set up replication between two sites.

11.22.2 Solution

11.22.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. In the left pane, expand Sites, expand the site that contains the server for which you want to create the connection object, expand the Servers container, and expand that server.
3. Right-click on the NTDS Settings object and select Create New Active Directory Connection.
4. Select the replication partner and click OK.
5. Enter the name for the connection and click OK.

11.22.2.2 Using a command-line interface

    > repadmin /add <PartitionDN> <DC1DNSName> <DC2DNSName>

<DC1DNSName> is the destination domain controller (the one that gets the connection object under its NTDS Settings) and <DC2DNSName> is the source it will replicate <PartitionDN> from.

11.22.3 Discussion

Hopefully you will not need to create connection objects manually. Creating and maintaining connection objects is the job of the KCC, and keeping them up to date yourself is a lot of work, especially in a large topology. The KCC uses complex algorithms to determine the best partners for a domain controller to replicate with. The Windows 2000 KCC had problems generating very large topologies, but the Windows Server 2003 version is significantly better. It is sometimes necessary to create connections manually if you find a replication problem and need to get replication going again between one or more sites: by creating a connection and forcing replication to occur over it, you can get servers back in sync quickly. The KCC does not adjust or remove connection objects that were created manually, so delete them once replication is healthy again, or they will outlive the problem they were created to fix.

11.22.4 See Also

Recipe 11.23 for listing the connections for a server

Recipe 11.23 Listing the Connection Objects for a Server

11.23.1 Problem

You want to view the connection objects associated with a domain controller.

11.23.2 Solution

11.23.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. In the left pane, expand Sites, expand the site that contains the connection object you want to check, expand the Servers container, expand the server that contains the connection object, and click on the NTDS Settings object.
3. In the right pane, the Name column shows which connection objects were automatically generated (by the KCC) and which were created manually.
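The following is an added PowerShell example, not code from the Active Directory Cookbook, for recipes 11.22 and 11.23: it lists the nTDSConnection objects under every NTDS Settings object with the ActiveDirectory module and separates KCC-generated connections from manual ones by the options attribute (bit 0x1, NTDSCONN_OPT_IS_GENERATED, is set on connections the KCC created), which is the distinction the snap-in shows in its Name column. The name dc01 is a placeholder.

```powershell
# Added example (not code from the Active Directory Cookbook). Lists the connection
# objects (nTDSConnection) under every NTDS Settings object, which is what recipe 11.23
# has you read in the snap-in, and separates KCC-generated connections from manual
# ones. Requires the ActiveDirectory module; dc01 is a placeholder name.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

function Get-DcConnectionObject {
    # With -ServerName, only the inbound connections of that DC are returned (connection
    # objects live under the destination DC's NTDS Settings; fromServer names the source
    # DC's NTDS Settings). Without it, the whole forest topology is listed.
    param([string]$ServerName)
    $base = "CN=Sites,$configNC"
    if ($ServerName) {
        $server = Get-ADObject -SearchBase $base -LDAPFilter "(&(objectCategory=server)(cn=$ServerName))"
        if (-not $server) { throw "No server object named '$ServerName' under $base" }
        $base = $server.DistinguishedName
    }
    Get-ADObject -SearchBase $base -SearchScope Subtree -LDAPFilter '(objectClass=nTDSConnection)' `
                 -Properties fromServer, options, enabledConnection, whenCreated |
    ForEach-Object {
        $dn = $_.DistinguishedName -split ','   # CN=<conn>,CN=NTDS Settings,CN=<dest DC>,CN=Servers,...
        [pscustomobject]@{
            Destination  = $dn[2] -replace '^CN='
            Source       = ($_.fromServer -split ',')[1] -replace '^CN='
            Name         = $_.Name
            # options bit 0x1 (NTDSCONN_OPT_IS_GENERATED) is set on connections the KCC
            # created; a manual connection has it clear and the KCC leaves it alone.
            KccGenerated = (([int]$_.options) -band 1) -eq 1
            Enabled      = ($_.enabledConnection -ne $false)
            Created      = $_.whenCreated
        }
    }
}

function Get-ManualConnectionObject {
    # The connections to review after a manual repair (recipe 11.22) and to look for in
    # an audit, since the KCC will neither adjust nor delete them once they exist.
    Get-DcConnectionObject | Where-Object { -not $_.KccGenerated }
}

Get-DcConnectionObject | Sort-Object Destination, Source |
    Format-Table Destination, Source, KccGenerated, Enabled, Created -AutoSize
# Get-DcConnectionObject -ServerName dc01
# Get-ManualConnectionObject
```

Cross-check the result against the domain controller's own view with repadmin /showconn <DC>; a manual connection that appears in the directory but has not been picked up by the destination's replication engine is the first thing to look at when a repadmin /add does not get replication moving.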

Posted: 05/07/2014, 08:20
