1. Trang chủ
  2. » Công Nghệ Thông Tin

Microsoft press windows server 2008 active directory resource kit - part 2 pot

91 443 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Thông tin cơ bản

Định dạng
Số trang 91
Dung lượng 1,9 MB

Nội dung

Chapter 2: Active Directory Domain Services Components 53 domain trusts the NA.ADatum.com domain, and the EMEA.ADatum.com domain trusts the ADatum.com domain, then transitivity means that the EMEA.ADatum.com domain also trusts the NA.ADatum.com domain Therefore, users in the NA.ADatum.com domain can access resources in the EMEA.ADatum.com domain and vice versa The transitive trusts also apply to the tree root trusts The NA.ADatum.com domain trusts the ADatum.com domain, and the ADatum.com domain trusts the TreyResearch.com domain Therefore, the NA.ADatum.com domain and the TreyResearch.com domain also share a transitive-trust relationship Shortcut Trusts In addition to the automatic, two-way transitive trusts that are created when a new child domain is created, shortcut trusts can be created between domains in the forest Shortcut trusts are used to optimize performance when accessing resources between domains that are connected through transitive trusts A shortcut trust is desirable when there is frequent resource access between domains that are remotely connected through the domain tree or forest For example, the trusts at A Datum could be configured as illustrated as Figure 2-10 Forest Trust WoodgroveBank Forest ADatum Forest ADatum.com WoodgroveBank.com Parent-child trust EMEA.ADatum.com NA.ADatum.com Shortcut trust Research.EMEA.ADatum.com Sales.NA.ADatum.com Figure 2-10 Trusts in the ADatum forest If a security group in the Research.EMEA.ADatum.com domain has a frequent need to access a shared resource in the Sales.NA.ADatum.com domain, and with only transitive trusts established between the domains, users in the Research.EMEA.ADatum.com domain must be referred to a domain controller in every domain in the tree between them and the domain that contains the resource This is not efficient if the need is frequent A shortcut trust is a direct trust that will efficiently enable users in the Sales.EMEA.ADatum.com domain to be referred to a domain controller in the Research.NA.ADatum.com domain—without traversing the entire directory tree to get there Figure 2-10 illustrates this shortcut trust Shortcut trusts can be configured as one-way or two-way trusts Shortcut trusts are not transitive 54 Part I: Windows Server 2008 Active Directory Overview Forest Trusts A forest trust is a two-way transitive trust between two separate forests With a forest trust, security principals in one forest can be given access to resources in any domain in a completely different forest Also, users can log on to any domain in either forest using the same UPN Figure 2-10 illustrates a forest trust between the ADatum.com forest and the WoodgroveBank.com forest Note In order to configure a forest trust, both forests must be at the Windows Server 2003 forest functional level or higher Forest trusts can be very useful in a Windows Server 2008 environment If an organization requires more than one forest for political or technical reasons, the use of a forest trust means that it is easy to assign access to resources across all the domains, regardless of which forest the user or resource is in If two companies that have deployed Windows Server 2008 forests merge, the two forests can be logically joined by using the trust Although forest trusts provide some excellent functionality, they are also subject to some limitations: ■ Forest trusts are not transitive to other forests For example, if ADatum.com has a forest trust with WoodgroveBank.com, and WoodgroveBank.com has a forest trust with Fabrikam.com, ADatum.com does not automatically have a forest trust with Fabrikam.com ■ Forest trusts only make authentication possible between forests; they not provide any other functionality For example, each forest will still have a unique global catalog, schema, and configuration directory partition No information is replicated between the two forests—the forest trust just makes it possible to assign access to resources between forests ■ In some cases, you may not want to have all the domains in one forest trust all the domains in another forest If this is the case, you can set up one-way, nontransitive external trusts between individual domains in two separate forests As an alternative, you can also configure selective authentication on the forest trust, which means that you must explicitly enable users from a trusted domain to access resources on a server in the trusting domain More Info For more information on planning forest trusts, see Chapter External Trusts An external trust is a trust relationship that can be created between AD DS domains that are in different forests or between an AD DS domain and a Windows NT 4.0 or earlier domain Chapter 2: Active Directory Domain Services Components 55 External trusts can be used to provide access to resources in a domain outside of the forest that is not already joined by a forest trust or to create a direct trust between two domains that are joined by a forest trust An external trust is different from a forest trust in that the external trust is configured between any two domains in either forest, not just between the forest root domains In addition, external trusts have the following characteristics: ■ External trusts are not transitive Only two domains participate in the trust relationship ■ You must configure both sides of the trust relationship If you want to configure a twoway trust, you must configure a trust for each direction ■ External trusts enforce SID filtering by default in Windows Server 2008 SID filtering is used to verify that incoming authentication requests made from security principals in the trusted domain contain only SIDs of security principals in the trusted domain SID filtering ensures that administrators in the trusted domain cannot use the SIDHistory attribute to gain unauthorized access to resources in the trusting domain Realm Trusts The last type of trust is a realm trust A realm trust is configured between a Windows Server 2008 domain or forest and a non-Windows implementation of a Kerberos v5 realm Kerberos security is based on an open standard, and there are several other implementations of Kerberos-based network security systems available Realm trusts can be created between any Kerberos realms that support the Kerberos v5 standard Realm trusts can be either one-way or two-way, and they can also be configured to be transitive or nontransitive Sites All of the AD DS logical components discussed so far are almost completely independent of the physical infrastructure for your network For example, when you design the domain structure for a corporation, where the users are located is not the most important question you need to ask All the users in a domain may be located in a single office building, or they may be located in offices around the world This independence of the logical components from the network infrastructure comes about largely as a result of the use of sites in AD DS Sites provide the connection between the logical AD DS components and the physical network infrastructure A site is defined as an area of the network where all domain controllers are connected by a fast and reliable network connection In most cases, a site contains one or more Internet Protocol (IP) subnets on a local area network (LAN) or very high-speed wide area network (WAN) and connected to the rest of the network with slower WAN connections On the Disc To display information on the sites AD DS forest, run the ListADDSSites.ps1 Windows PowerShell script on the CD 56 Part I: Windows Server 2008 Active Directory Overview The primary reason for creating sites is to be able to manage any network traffic that must use slow network connections Sites are used to control network traffic within the Windows Server 2008 network in three different ways: ■ Replication One of the most important ways that sites are used to optimize network traffic is in the management of replication traffic between domain controllers For example, within a site, any change made to the directory will be replicated within a few minutes The replication schedule between sites can be managed so that the replication traffic will occur less frequently or during nonworking hours By default, replication traffic between sites is compressed to conserve bandwidth, while replication traffic within a site is not compressed (Chapter goes into much more detail on the differences between intersite and intrasite replication.) ■ Authentication When a user logs on to a Windows Server 2008 domain from a Windows 2000, Windows XP Professional, or Windows Vista client, the client computer will always try to connect a domain controller in the same site as the client As discussed in Chapter 3, every domain controller registers site-specific service locator (SRV) records—when the client computer tries to locate a domain controller, it will always query the DNS servers for these site records This means that the client logon traffic will remain within the site ■ Site-aware network services The third way that sites can preserve network bandwidth is by limiting client connections to site-aware applications and services on the site For example, by using Distributed File System (DFS), you can create multiple replicas of a folder in different sites on the network Because DFS is designed to be aware of the site configuration, client computers always try to access a DFS replica in their own site before crossing a WAN link to access the information in another site As well, Exchange Server 2007 uses the AD DS site configuration to define the message routing topology within the organization Messages sent between Exchange Servers in the same site will always be sent directly from the source Exchange Server to the destination Exchange Server, even if a message needs to be sent to several servers in the same site Only single copies of messages are sent between Exchange Servers in different sites, even if the messages are intended for users on several different Exchange Servers in the destination site Every computer on a Windows Server 2008 network will be assigned to a site When AD DS is installed in a Windows Server 2008 environment, a default site called Default-First-SiteName is created, and all computers in the forest will be assigned to that site unless additional sites are created When additional sites are created, the sites are linked to IP subnets When a server running Windows Server 2008 is promoted to become a domain controller, the domain controller is automatically assigned to a site that corresponds to the computer’s IP address If needed, domain controllers can also be moved between sites using the Active Directory Sites and Services administrative tool Client computers determine their sites the first time they start up and log on to the domain Because the client computer does not know which site it belongs to, it will connect to any Chapter 2: Active Directory Domain Services Components 57 domain controller in the domain As part of this initial logon process, the domain controller will inform the client which site it belongs to, and the client will cache that information for the next logon Note If a domain controller or a client computer has an IP address that is not linked to a specific site, that computer will be placed in the Default-First-Site-Name site Every computer that is part of a Windows Server 2008 domain must belong to a site As mentioned earlier in this chapter, there is no direct connection between sites and the other logical concepts in AD DS One site can contain more than one domain, and one domain can cross multiple sites For example, as shown in Figure 2-11, the Seattle site contains both the ADatum.com domain and the NA.ADatum.com domain The TreyResearch.com domain is spread across multiple sites ADatum.com NA.ADatum.com Calgary_Site Seattle_Site Denver_Site Vancouver_Site TreyResearch.com Figure 2-11 Sites and domains within an AD DS forest Note Sites are discussed in more detail in several other chapters in this book Chapter details the role of DNS and sites for client logons Chapter addresses the role of sites in replication and how to create and configure sites Chapter goes into detail on designing an optimal site configuration for an AD DS forest Organizational Units By implementing multiple domains in a forest, either in a single tree or in multiple trees, Windows Server 2008 AD DS can scale to provide directory services for almost any size network Many of the components of AD DS, such as the global catalog and automatic transitive trusts, are designed to make the use and management of this enterprise directory efficient regardless of how big the directory gets 58 Part I: Windows Server 2008 Active Directory Overview Organizational units (OUs), however, are designed to make AD DS easier to administer at a smaller scale OUs are used to make the management of single domains more efficient A domain might contain tens of thousands of objects (or even millions) Managing this many objects without some means of organizing the objects into logical groupings is very difficult OUs are used to create a hierarchical structure within a domain Figure 2-12 shows an example of what the OU structure might look like at A Datum ADatum.com SeattleOU ProductOU DesignOU SalesOU CalgaryOU R&DOU DenverOU ProductOU MarketingOU ManuOU Figure 2-12 An OU structure can have many layers OUs are container objects that can contain several types of directory service objects, including the following: ■ Computers ■ Contacts ■ Groups ■ inetOrgPerson ■ Printers ■ Users ■ Shared folders ■ Organizational units Chapter 2: Active Directory Domain Services Components 59 OUs are used to group objects together for administrative purposes There are two ways that OUs can be used as administrative units: to delegate administrative rights and to manage a group of objects as a single unit Using OUs to Delegate Administrative Rights OUs can be used to delegate administrative rights For example, a user can be given the rights to perform administrative tasks for a specific OU These rights could be high-level rights, in which the user has full control of the OU and all objects in the OU, or the rights can be very limited and specific (such as only being able to reset passwords for users in that OU) The user that has been given administrative rights to an OU does not by default have any administrative rights outside the OU The OU structure is very flexible in assigning rights (also called permissions in many Windows dialog boxes and Properties sheets) to objects inside the OU The OU itself has an access control list (ACL) where you can assign rights for that OU Each object in an OU and, in fact, each attribute for each object, also has an ACL This means that you can have extremely precise control of the administrative rights anyone can have in the OU For example, you can give a Help Desk group the right to change passwords for users in an OU but not to change any other properties for the user accounts Or you can give the Human Resources department the right to modify any personal information on all user accounts in all OUs but not give them any other rights to any other attributes on the user accounts, or any rights to any other objects You can also grant rights to individual objects within the OU if there are some objects that you want to have different rights than the other objects in the OU Using OUs to Administer Groups of Objects Another reason for using OUs is to group objects together so that the objects can all be administered the same way For example, if you want to administer all of the workstations in a department the same way (such as limiting which users have the right to log on to the workstations), you can group all the workstations into an OU and configure the Logon Locally permission at the OU level This permission is applied to all workstations in that OU If a collection of users needs the same standard desktop configuration and the same set of applications, the users can be put into an OU and Group Policy can then be used to configure the desktop and to manage the installation of applications In many cases, objects in an OU will be managed through Group Policy Group Policy can be used to lock down user desktops, to give them a standardized desktop, to provide logon and logoff scripts, and to provide folder redirection Table 2-3 provides a brief list of the types of settings available in Group Policy 60 Part I: Windows Server 2008 Active Directory Overview Table 2-3 Group Policy Setting Types Setting Types Explanation Administrative templates Used to manage registry-based parameters for configuring application settings and user desktop settings, including access to the operating system components, access to control panel, and configuration of offline files Security Used to manage the local computer, domain, and network security settings, including controlling user access to the network, configuring account policies, and controlling user rights Software installation Used to centralize the management of software installations and maintenance Scripts Used to specify scripts that can be run when a computer starts or shuts down, or when a user logs on or off Folder redirection Used to store certain user profile folders on a network server These folders, such as the My Documents folder, appear to be stored locally but are actually stored on a server where they can be accessed from any computer on the network Preferences Used to manage options related to Windows settings or Control Panel settings, including drive mappings, environment variables, network shares, local users and groups, services, devices, and many more Group Policy objects will be most commonly assigned at the OU level This eases the task of administering the users in the OU because you can assign one Group Policy object—for example, an administrative template policy—to the OU, which is then enforced on all the users or computers in the OU Note OUs are not security principals This means that you cannot use an OU to assign permissions to a resource and then have all of the users in the OU automatically inherit those permissions OUs are used for administrative purposes To grant access to resources, use security groups Summary This chapter introduced the basic physical and logical components of AD DS in Windows Server 2008 Although having an understanding of the physical components is important (especially when dealing with database management, domain controller placement, and schema management), most of the work you will in AD DS will be with the logical components Most of the rest of this book deals with the logical structure of AD DS Chapter 2: Active Directory Domain Services Components 61 Additional Resources ■ Chapter 5, “Designing the Active Directory Domain Services Structure,” goes into detail about designing the AD DS logical and physical configuration ■ The Domain and Forest Trusts Technical Reference at http://technet2.microsoft.com/ windowsserver/en/library/92b3b6cb-9eb3-4dd7-b5f6-3fa9be8080821033.mspx?mfr=true provides details on trusts in an Active Directory This resource refers to Windows Server 2003, but the way trusts are implemented has not changed significantly in Windows Server 2008 ■ The Script Repository: Active Directory Web site located at http://www.microsoft.com/ technet/scriptcenter/scripts/default.mspx?mfr=true has several scripts that can be used to enumerate and modify the AD DS objects Related Tools Windows Server 2008 provides several tools that can be used when managing the AD DS logical and physical components Table 2-4 lists some of these tools and their uses Table 2-4 AD DS Management Tools Tool Name Description and Uses Active Directory Users and Computers Use to configure AD DS domains including configuring and managing OUs and all other domain objects Active Directory Domains and Trusts Use to configure AD DS trusts Active Directory Sites and Services Use to configure sites and replication Ntdsutil.exe or Dsbutil.exe Use to manage the AD DS data store files and to transfer FSMO roles between domain controllers ADSI Edit Use to view and modify the contents of AD DS partitions Resources on the CD ■ ListDomainControllers.ps1 is a Windows PowerShell script that lists all of the domain controllers in your domain and global catalog servers in your forest ■ ListFSMOs.ps1 is a Windows PowerShell script that lists all of the operations master servers in your forest and domain ■ ListADDSDomains.ps1 is a Windows PowerShell script that lists information about all of the domains in your forest ■ ListADDSSites.ps1 is a Windows PowerShell script that lists information about all of the sites in your forest 62 Part I: Windows Server 2008 Active Directory Overview Related Help Topics ■ “Managing Trusts” in Active Directory Domains and Trusts help ■ “Managing Forest Trusts” in Active Directory Domains and Trusts help ■ “Understanding Domains” in Active Directory Users and Computers help Chapter 4: Active Directory Domain Services Replication 129 Caution The site link bridging setting affects all site links using the transport protocol where you disable site link bridging This means that all site link bridging is disabled, and you will now have to configure site link bridges for all site links if you want transitive site connections Replication Transport Protocols Windows Server 2008 AD DS can use one of three different transport protocols for replication: ■ RPC over IP within a site All replication connections within a site must use an RPCover-IP connection This connection is synchronous, which means that the domain controller can replicate with only one replication partner at any one time The RPC connection uses dynamic port mapping The first RPC connection is made on the RPC endpoint mapper port (TCP port 135) This connection is used to determine which port the destination domain controller is using for replication Note If you are replicating the directory information through a firewall or are using routers with port filtering enabled, you can specify the port number that the domain controllers will use for replication To this, create the following registry key as a DWORD value and specify any valid port number: HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\NTDS \Parameters\TCP/IP Port ■ RPC over IP between sites Replication connections between sites can also use RPC over IP This RPC connection is the same as the intrasite connection with one important exception: by default, all traffic sent between sites is compressed Note When you look at the two types of RPC-over-IP connections in the Active Directory Sites And Services administrative tool, you will notice that they are identified differently in the interface The RPC over IP within a site is called RPC, and the RPC over IP between sites is called IP ■ SMTP between sites Replication connections between sites can also use SMTP to replicate information between sites SMTP can be a good choice as a replication protocol if the WAN links between company locations have very high latency SMTP uses an asynchronous connection, which means that the domain controller can replicate with multiple servers at the same time Configuring SMTP Replication Configuring SMTP replication is significantly more complicated than configuring RPC over IP replication between sites With RPC-over-IP replication, domain controllers use built-in components and Kerberos authentication to automatically configure and secure replication 130 Part I: Windows Server 2008 Active Directory Overview To configure SMTP replication, complete the following steps: Install the SMTP Server feature on the bridgehead servers in both sites When you install the SMTP Server feature, required components from the Web Server (IIS) server role are also installed Install Active Directory Certificate Services and configure the Certification Authority (CA) as an Enterprise CA The CA will be used to issue certificates to the domain controllers that will be used to sign and encrypt the SMTP messages that are exchanged between domain controllers When you install an Enterprise CA, it automatically issues domain controller certificates to domain controllers in the same domain as the Enterprise CA These domain controllers can use the certificates to secure SMTP data For domain controllers in other domains in the forest, you must manually request a Domain Controller certificate or a Directory Email Replication certificate Note You can also purchase certificates from public CAs to be used for SMTP replication Configure SMTP site links with a cost that is less than any RPC over IP site link connecting between the two sites The two sites must not have any domain controllers in the same domain Ensure that SMTP e-mail can be sent between the domain controllers If the domain controllers can communicate directly by using port 25, no further configuration is required However, in some cases, the domain controllers may need to forward the SMTP messages to a SMTP bridgehead server rather than directly to the destination bridgehead server Configuring Bridgehead Servers As mentioned earlier, replication between sites is accomplished through bridgehead servers By default, ISTG automatically identifies the bridgehead server as it calculates the intersite replication topology To view which domain controllers are operating as bridgehead servers, you can use the Repadmin /bridgeheads command The command output lists all of the current bridgehead servers in each site, including the directory partitions each bridgehead server is responsible for The command output also displays whether or not the last replication with each bridgehead server was successful If you run the Repadmin /bridgeheads /v command, the command output displays the last attempted replication for each directory partition on the bridgehead server, as well as the last successful replication time Figure 4-15 shows the partial output from this command In some cases, you might want to control which domain controllers are going to operate as bridgehead servers Bridgehead server may require additional server resources if there are many changes to the directory information, replication is set to occur frequently, and the organization has hundreds of sites To configure which servers will be the bridgehead servers, access the computer objects in the Active Directory Sites And Services administrative tool, Chapter 4: Active Directory Domain Services Replication 131 right-click the server name, and then select Properties (Figure 4-16 shows the interface.) You are given the option of configuring the server as a preferred bridgehead server for either IP or SMTP transports Figure 4-15 Viewing bridgehead server status using Repadmin On the Disc If you configure a bridgehead server and then forget that you configured it, you may spend a lot of time troubleshooting AD DS replication if the bridgehead server fails Ensure that you document preferred bridgehead servers for both types of replication transports in the ADDSSites.xlsx job aid on the CD Figure 4-16 Configuring a preferred bridgehead server 132 Part I: Windows Server 2008 Active Directory Overview The advantage of configuring preferred bridgehead servers is that you can ensure that the domain controllers you choose will be selected as the bridgehead servers If you want complete control over which servers are used as bridgehead servers, you must configure a preferred bridgehead server for each partition that needs to be replicated into a site For example, if a site contains replicas of the ADatum.com domain directory partition, the TreyResearch.com domain directory partition, the global catalog partition, and an application directory partition, you will need to configure at least one domain controller with a replica of each of these partitions If you not configure bridgehead servers for all of the partitions, you will get a warning message like the one shown in Figure 4-17, and ISTG will log an event in the event log and then choose a preferred bridgehead server for the partition You can also configure multiple preferred bridgehead servers If you do, ISTG will choose one of the identified servers as the bridgehead server Figure 4-17 Warning message to configure bridgehead servers for each directory partition You should configure this option with caution Configuring preferred bridgehead servers limits the ability of ISTG to choose the bridgehead server—it will always select a server that is configured as a preferred bridgehead server If this server fails and no other servers have been designated as bridgehead servers for that directory partition, ISTG will not select another bridgehead server and replication will cease until the server is again available or until you have reconfigured the preferred bridgehead server options If the preferred bridgehead server does fail, you can either remove the server as a preferred bridgehead server and allow ISTG to identify a bridgehead server or choose another preferred bridgehead server Caution If the preferred bridgehead server does fail, and you choose to reconfigure the preferred bridgehead server, you need to make any configuration changes in both sites Because the bridgehead servers are not available, no information will be replicated between the sites until the configuration changes are made in both sites To make changes in a remote site, connect to a domain controller in the site in Active Directory Sites And Services Chapter 4: Active Directory Domain Services Replication 133 Troubleshooting Replication If AD DS replication fails, domain controllers will not be updated with changes made on other domain controllers This may lead to inconsistent experiences for users and administrators, depending on which domain controller they are connecting to If password or configuration changes for users are not replicated, users may not be able to log on to the network If group policy settings or the SYSVOL directory are not replicated, users may experience different group policy settings Because of the importance of AD DS replication, you should be prepared to troubleshoot AD DS replication issues Process for Troubleshooting AD DS Replication Failures The first step in troubleshooting AD DS replication failures is to identify the reason for the failure In many cases, it can be difficult to immediately identify why AD DS replication fails, so often troubleshooting is a matter of eliminating possible reasons for failure As general guidance, complete the following steps: Verify network connectivity As is the case with most troubleshooting scenarios, start by verifying that the domain controllers can communicate with each other on the network The network connection might be unavailable or network settings may not be configured properly Verify name resolution One of the most common causes for replication errors is that DNS name resolution is failing If you receive error messages indicating that the RPC server is not available or “Target account name is incorrect” errors, verify that the domain controllers can resolve the target server’s FQDN Test for authentication and authorization errors If you are receiving access denied errors during replication, then there is a problem with authentication or authorization To identify the cause of the security error, run the dcdiag /test:CheckSecurityError / s:DomainControllerName command, where DomainControllerName is the name of the domain controller that you want to test To test the connection between two domain controllers for replication security errors, run the dcdiag /test:CheckSecurityError /ReplSource:SourceDomainControllerName command This command tests the connection between the domain controller on which you run the command and the source domain controller (identified by SourceDomainControllerName) The output from these commands identifies the security issues between the domain controllers Fix the issues and then rerun the command to verify that you have addressed the issue Check the Event Viewer on the affected domain controllers When replication fails, events describing the nature of the failure are written to the Event Viewer Check for domain controller performance issues If a domain controller does not have enough server resources, replication may fail, or the replication queues may back up For example, if the domain controller runs out of hard disk space on the drive where the AD DS data store is located, the domain controller will not accept replication changes 134 Part I: Windows Server 2008 Active Directory Overview In some cases, the domain controller performance may be the cause of delayed replication To address domain controller performance issues, consider the following: a Move applications or services to another server If the domain controller is performing multiple roles or running other applications, consider moving the roles or applications to another server on the network b Distribute AD DS and DNS roles across multiple servers AD DS integrated DNS zones provide benefits, but running both AD DS services and DNS services on a single computer can cause performance issues By distributing the load of these services, you may be able to minimize the server performance impact c Deploy domain controllers with 64-bit hardware Computers with 64-bit hardware provide significant performance gains over domain controllers with 32-bit hardware Review and modify the replication topology In large organizations with thousands of sites, calculating the replication topology can consume the processor resources on the domain controller performing the Inter-Site Topology Generator role Consider decreasing the number of sites in the organization or configuring dedicated bridgehead servers Also verify that the AD DS site link configuration corresponds with the actual WAN link configuration in your network AD DS replication should use the WAN connections with maximum available bandwidth whenever possible More Info Two excellent resources for troubleshooting specific AD DS replication errors are the Troubleshooting Active Directory Replication Problems Web page (http://technet2 microsoft.com/windowsserver/en/library/4f504103-1a16-41e1-853a-c68b77bf3f7e1033 mspx?mfr=true) and the How to Troubleshoot Intra-Site Replication Failures Web page (http://support.microsoft.com/kb/249256) Tools for Troubleshooting AD DS Replication Windows Server 2008 provides several tools for troubleshooting AD DS replication All of these tools are installed on Windows Server 2008 when the server is configured as a domain controller Active Directory Sites And Services In addition to using Active Directory Sites And Services to configure sites and replication, you can also use it perform some basic troubleshooting tasks These tasks include: ■ To this, expand the domain controller object in the AD DS site servers container, right-click NTDS Settings, point to All Tasks, and click Check Replication Topology This forces the KCC to run immediately rather than waiting for the next scheduled update Forcing the KCC to recalculate the replication topology Chapter 4: ■ Active Directory Domain Services Replication 135 Forcing a domain controller to pull replication changes Locate the domain controller to which you want to pull changes in the site servers container In the NTDS Settings container under the domain controller, right-click the connection object with the domain controller from which you want to pull changes and then click Replicate Now If both domain controllers are in the same site, you will get an error message or get a message the replication was successful If the domain controllers are in different sites, you will get a message telling you that the domain controller will attempt immediate replication Check the Event Viewer for replication errors ■ Forcing the replication of the configuration partition from or to a domain controller When you right-click the NTDS object under a domain controller other than the domain controller that is the current focus for Active Directory Sites And Services, you can choose to Replicate configuration from the selected DC or Replicate configuration to the selected DC One of the benefits of using these commands is that the configuration information will be replicated even if no connection object exists between the domain controllers This option is useful when a replication partner was removed from the domain while a domain controller was offline and the domain controller cannot locate other domain controllers to create new connection objects Repadmin The most useful tool for monitoring and troubleshooting replication is Repadmin You can use the Repadmin.exe command-line tool to view the replication topology from the perspective of each domain controller You can also use Repadmin.exe to manually create the replication topology, force replication events between domain controllers, and view the replication metadata and up-to-date state of vectors To run the Repadmin command-line tool, use the following syntax: repadmin command arguments [/u:[domain\]user /pw:{password|*}] You need to provide the user account information only if the current logged-on user is not a member of the Domain Admins group The following examples use some of the available command arguments for the Repadmin command-line tool: ■ To export the replication information on a domain controller to a csv file, use this syntax: Repadmin /showrepl DC1.Adatum.com /csv>filename.csv This command is useful because you can open the csv file by using an application like Microsoft Office Excel and search the file ■ To display the replication partners of the domain controller named DC1, use this syntax: repadmin /showreps DC1.Adatum.com 136 Part I: ■ Windows Server 2008 Active Directory Overview To display the highest USN on the domain controller named DC2, use this syntax: repadmin /showvector dc=Adatum,dc=com DC2.Adatum.com ■ To display the connection objects for the domain controller named DC1, use this syntax: repadmin /showconn DC1.Adatum.com ■ To initiate a replication event between two replication partners, use this syntax: repadmin /replicate DC2.Adatum.com DC1.Adatum.com dc=Adatum,dc=com ■ To initiate a replication event for a specified directory partition with all of its replication partners, use this syntax: repadmin /syncall DC1.Adatum.com dc= Adatum,dc=com Running this command will result in the domain controller requesting updates for all directory partitions from all direct replication partners If you want to force the domain controller to initiate replication of local changes, add the /p parameter at the end of the command Dcdiag The Dcdiag.exe tool performs a number of tests that check domain controllers for issues that might affect replication These tests include connectivity, replication, topology integrity, and intersite health tests To run the Dcdiag command-line tool, use the following syntax: dcdiag command arguments [/v /f:LogFile /ferr:ErrLog ] In the command, the optional switch /v directs the command to produce detailed output, /f directs the output to the log file, and /ferr redirects fatal error output to a separate log file To run all of the dcdiag tests on a local computer and display the results in the command prompt window, just type DCdiag and press Enter To check a remote domain controller, run DCDiag /s:Servername, where Servername is the remote domain controller name Following are a few of the tests that can be run using DCDiag: ■ Connectivity ■ Replications Checks for timely replication and any replication errors between domain Tests whether domain controllers are DNS registered, can be pinged, and have LDAP/RPC connectivity controllers ■ NetLogons Checks that the appropriate logon privileges exist to allow replication to proceed ■ Intersite Checks for failures that would prevent or temporarily hold up intersite replication and tries to predict how long it will take before the KCC is able to recover Results of this test are often not valid, especially in atypical site or KCC configurations or at the Windows Server 2008 forest functional level Chapter 4: Active Directory Domain Services Replication ■ FSMOCheck ■ Services ■ 137 Kccevent Checks that the Knowledge Consistency Checker is completing without Checks that the domain controller can contact a KDC, a Time Server, a Preferred Time Server, a PDC, and a global catalog server This test does not test any of the servers for operations master roles Checks if the appropriate domain controller services are running errors ■ Topology Checks that the KCC has generated a fully connected topology for all domain controllers Note For detailed information on how to use the Repadmin and DCDiag commandline tools, type the command name followed by /? Additional Tools Two standard server administrative tools are also useful for monitoring and troubleshooting replication The first tool is the Event Viewer One of the event logs added to all domain controllers is a Directory Service event log Most of the directory replication-related events are logged in this event log, and this should be one of the first places you look when replication fails The Reliability and Performance Monitor tool is useful for monitoring the amount of replication activity happening on the server When a server is promoted to be a domain controller, the DirectoryServices performance object and several file replication performance objects are added to the list of performance counters These performance counters can be used to monitor the level of replication traffic as well as a wide variety of other AD DS–related activities Summary One of the key aspects to managing Windows Server 2008 AD DS is understanding how replication works A stable replication environment is crucial in maintaining an up-to-date copy of all directory information on all the domain controllers in the forest, which is essential to ensure consistent user logon and directory search performance By understanding how replication works within a site and between sites, you can also design and implement the optimal replication configuration Best Practices ■ Replication within a single site happens automatically and quickly and rarely fails If all of your company’s domain controllers are connected by fast network connections, you should implement a single site 138 Part I: Windows Server 2008 Active Directory Overview ■ On the other hand, if your company has multiple locations where you install domain controllers, creating additional sites is the easiest and best way to manage AD DS– related traffic across WAN links with limited available bandwidth Not only multiple sites limit replication traffic, but they also keep client authentication traffic local ■ Develop a regular practice of monitoring AD DS replication Consider using a tool such as the Active Directory Management Pack with System Center Operations Manager to monitor replication on all domain controllers in your site If you not have a tool like this, regularly monitor the Directory Service event log and either the DFS Replication event log (if your AD DS forest is at the Windows Server 2008 functional level) or the File Replication Service event log ■ In most organizations, the most important cause of AD DS replication errors is DNS lookup errors By integrating DNS with AD DS and taking advantage of the DNS directory partitions, you can minimize the chances of DNS errors Additional Resources These resources contain additional information related to this topic: Related Information ■ Chapter 14, “Monitoring and Maintaining Active Directory,” provides details on using monitoring tools such as Event Viewer and Reliability and Performance Monitor to monitor AD DS domain controllers, including monitoring replication ■ Chapter 5, “Designing the Active Directory Domain Services Structure,” goes into detail on designing the AD DS site configuration ■ “Troubleshooting Active Directory Replication Problems” is located at http:// technet2.microsoft.com/windowsserver/en/library/4f504103-1a16-41e1-853ac68b77bf3f7e1033.mspx?mfr=true This Web site provides detailed steps for troubleshooting Active Directory replication issues and links to Knowledge Base articles that address specific Event IDs ■ The “How to Troubleshoot Intra-Site Replication Failures” Knowledge Base article at http://support.microsoft.com/kb/249256 provides details on how to troubleshoot intrasite replication errors This KB article, as well as many of the other KB articles listed next, refers to Windows Server 2003 Many of the steps in troubleshooting AD DS replication have not changed in Windows Server 2008 ■ The “Active Directory Replication Troubleshooter” located at http://blogs.technet.com/ rbeard47/pages/active-directory-replication-troubleshooter.aspx provides a detailed step-by-step process for troubleshooting Active Directory replication Chapter 4: Active Directory Domain Services Replication 139 ■ “Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)” at http:// technet2.microsoft.com/windowsserver/en/library/43e6f617-fb49-4bb4-856153310219f9971033.mspx?mfr=true provides detailed information on how to troubleshoot replication errors related to DNS ■ “How to Troubleshoot RPC Endpoint Mapper Errors” (http://support.microsoft.com/kb/ 839880) provides detailed information on how to troubleshoot replication errors related to RPC connectivity ■ “Service Overview and Network Port Requirements for the Windows Server System” (http://support.microsoft.com/kb/832017) describes the ports required by most Windows Server services, including AD DS replication This information is very useful when configuring firewalls between domain controllers ■ “Replication Not Working Properly Between Domain Controllers After Deleting One from Sites and Services” (http://support.microsoft.com/kb/262561) describes how to use the Repadmin tool to create manual connection objects to domain controllers that have been removed from Active Directory Sites And Services ■ “Active Directory Replication Technologies” at http://technet2.microsoft.com/ windowsserver/en/library/53998db6-a972-495e-a4e7-e3ca3f60b5841033.mspx provides detailed information on how AD DS replication works ■ The Script Repository: Active Directory Web site, located at http://www.microsoft.com/ technet/scriptcenter/scripts/ad/default.mspx, has several scripts that can be used to enumerate and modify the AD DS site and site link configuration Related Tools Windows Server 2008 provides several tools that can be used when managing and troubleshooting replication Table 4-2 lists some of these tools and explains when you would use each of the tools Table 4-2 AD DS Replication Tools Tool Name Description and Use Dnslint.exe This tool is a free download from Microsoft (See http://support.microsoft.com/ kb/321045 for the download location.) This tool can be used to help diagnose common DNS name resolution issues and to verify that DNS records used specifically for AD DS replication are correct Nslookup.exe This tool is included in all Microsoft Windows server and client operating systems Nslookup is used to query DNS servers and to obtain detailed responses The information obtained using Nslookup can be used to diagnose and solve name resolution problems, verify that resource records are added or updated correctly in a zone, and debug other server-related problems Active Directory Sites And Services This tool can be used to configure sites and replication and to perform some basic AD DS replication troubleshooting tasks 140 Part I: Windows Server 2008 Active Directory Overview Table 4-2 AD DS Replication Tools (continued) Tool Name Description and Use Repadmin.exe Use this command-line tool to view the replication topology from the perspective of each domain controller You can also use Repadmin.exe to manually create the replication topology, force replication events between domain controllers, and view the replication metadata and up-to-date state of vectors DCDiag.exe Use this tool to perform tests that check domain controllers for issues that might affect replication Resources on the CD ■ ADDSSite.xlsx is a spreadsheet template for documenting AD DS site information ■ ListADDSSites.ps1 is a simple Windows PowerShell script for listing information about all of the sites in your forest Related Help Topics ■ “Checklist: Configure an Additional Site” in Active Directory Sites And Services help ■ “Checklist: Configure the Intersite Replication Schedule” in Active Directory Sites And Services help ■ “Troubleshooting Active Directory Domain Services Replication” in Active Directory Sites And Services help Part II Designing and Implementing Windows Server 2008 Active Directory In this part: Chapter 5: Designing the Active Directory Domain Services Structure 143 Chapter 6: Installing Active Directory Domain Services 217 Chapter 7: Migrating to Active Directory Domain Services 247 Chapter Designing the Active Directory Domain Services Structure In this chapter: Defining Directory Service Requirements 144 Designing the Forest Structure 156 Designing the Integration of Multiple Forests 167 Designing the Domain Structure 172 Designing Domain and Forest Functional Levels 181 Designing the DNS Infrastructure 184 Designing the Organizational Unit Structure 192 Designing the Site Topology 197 Summary 214 Best Practices 214 Additional Resources 215 In many organizations, the Active Directory Domain Services (AD DS) infrastructure may be the single most important component in the IT environment In these organizations, AD DS provides central authentication and authorization services that enable single sign-on access to many other network services in the organization This means that it is critical that the AD DS infrastructure be designed so that it addresses as many of the organization’s requirements as possible This chapter provides an overview of the planning process that you must go through before you deploy Windows Server 2008 AD DS For the most part, this chapter assumes that you are working with a large corporation with multiple business units and locations If you are working with a smaller company, many of the concepts discussed here will still apply This chapter then looks at the biggest question first: How many forests you need in your network? From there the chapter moves on to discuss splitting the forests into domains and planning for the domain namespace Once your domains are in place, you also need to create an organizational unit (OU) structure for each domain As a parallel activity to creating the AD DS logical structure, you also need to design the physical AD DS components, so this chapter also addresses how to design sites and domain controller placements 143 ... http://technet2 .microsoft. com/ windowsserver/en/library/92b3b6cb-9eb 3-4 dd7-b5f 6-3 fa9be8080 821 033.mspx?mfr=true provides details on trusts in an Active Directory This resource refers to Windows Server 20 03,... chapter ■ The “What’s New in DNS in Windows Server 20 08? ?? Web page located at http://technet2 .microsoft. com/windowsserver2008/en/library/0b0bf63 3-5 73 2- 4 b3 9-8 0 d3-a2a4330acb141033.mspx?mfr=true provides... _ldap._tcp.64c 228 cd-5f0 7-4 606-b843-d4fd11 426 4b7.domains._msdcs.Adatum.com 600 IN SRV 100 389 SEA-DC1.Adatum.com gc._msdcs.Adatum.com 600 IN A 10.10.10.10 175170ad- 026 3-4 39f-bb4c-89eacc410ab1._msdcs.Adatum.com

Ngày đăng: 07/08/2014, 02:23

TỪ KHÓA LIÊN QUAN

TÀI LIỆU CÙNG NGƯỜI DÙNG

TÀI LIỆU LIÊN QUAN