Windows Server 2008 Active Directory, Configuring
Question No: 81 – (Topic 1)
You have a domain controller that runs Windows Server 2008 R2. The Windows Server Backup feature is installed on the domain controller.
You need to perform a non-authoritative restore of the domain controller by using an existing backup file.
What should you do?
A. Restart the domain controller in Directory Services Restore Mode. Use the WBADMIN command to perform a critical volume restore.
B. Restart the domain controller in Directory Services Restore Mode. Use the Windows Server Backup snap-in to perform a critical volume restore.
C. Restart the domain controller in safe mode. Use the Windows Server Backup snap-in to perform a critical volume restore.
D. Restart the domain controller in safe mode. Use the WBADMIN command to perform a critical volume restore.
Almost identical to B26
http://technet.microsoft.com/en-us/library/cc816627(v=ws.10).aspx Performing Nonauthoritative Restore of Active Directory Domain Services
A nonauthoritative restore is the method for restoring Active Directory Domain Services (AD DS) from a system state, critical-volumes, or full server backup. A nonauthoritative restore returns the domain controller to its state at the time of backup and then allows normal replication to overwrite that state with any changes that occurred after the backup was taken. After you restore AD DS from backup, the domain controller queries its replication partners. Replication partners use the standard replication protocols to update AD DS and associated information, including the SYSVOL shared folder, on the restored domain controller.
You can use a nonauthoritative restore to restore the directory service on a domain controller without reintroducing or changing objects that have been modified since the backup. The most common use of a nonauthoritative restore is to reinstate a domain controller, often after catastrophic or debilitating hardware failures. In the case of data corruption, do not use nonauthoritative restore unless you have confirmed that the problem is with AD DS.
Nonauthoritative Restore Requirements
You can perform a nonauthoritative restore from backup on a Windows Server 2008 system that is a standalone server, member server, or domain controller.
On domain controllers that are running Windows Server 2008, you can stop and restart AD DS as a service.
Therefore, in Windows Server 2008, performing offline defragmentation and other database management tasks does not require restarting the domain controller in Directory Services Restore Mode (DSRM). However, you cannot perform a nonauthoritative restore after simply stopping the AD DS service in regular startup mode. You must be able to start the domain controller in Directory Services Restore Mode (DSRM). If the domain controller cannot be started in DSRM, you must first reinstall the operating system.
To perform a nonauthoritative restore, you need one of the following types of backup for your backup source:
System state backup: Use this type of backup to restore AD DS. If you have reinstalled the operating system, you must use a critical-volumes or full server backup. If you are restoring a system state backup, use the wbadmin start systemstaterecovery command.
Critical-volumes backup: A critical-volumes backup includes all data on all volumes that contain operating system and registry files, boot files, SYSVOL files, or Active Directory files. Use this type of backup if you want to restore more than the system state. To restore a critical-volumes backup, use the wbadmin start recovery command.
Full server backup: Use this type of backup only if you cannot start the server or you do not have a system state or critical-volumes backup. A full server backup is generally larger than a critical-volumes backup. Restoring a full server backup not only rolls back data in AD DS to the time of backup, but it also rolls back all data in all other volumes. Rolling back this additional data is not necessary to achieve nonauthoritative restore of AD DS.
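As an added example (not part of the exam page or the TechNet article), the following PowerShell session applies the requirements above: it refuses to continue unless the domain controller was started in DSRM, lists the backup versions, runs the system state recovery, and then clears the DSRM boot flag so normal replication can overwrite the restored state. The backup target E: and the version identifier are placeholders.

```powershell
# Added example: nonauthoritative restore of AD DS with wbadmin on a
# Windows Server 2008 R2 domain controller. Placeholders: backup target E:
# and the version identifier printed by "wbadmin get versions".

# 1. A nonauthoritative restore only works from DSRM, not from a regular
#    startup with the AD DS service stopped. bcdedit reports the flag set by
#    "bcdedit /set safeboot dsrepair" on the current boot entry.
$safeboot = bcdedit /enum '{current}' | Select-String -Pattern '^safeboot'
if (-not ($safeboot -and $safeboot.Line -match 'DsRepair')) {
    Write-Warning 'Not started in DSRM. Set the flag, reboot, then rerun this script:'
    Write-Warning '  bcdedit /set safeboot dsrepair ; shutdown /r /t 0'
    return
}

# 2. Show the backup versions stored on the backup target (placeholder E:).
wbadmin get versions -backupTarget:E:

# 3. Version identifier of the backup to restore, in the MM/DD/YYYY-HH:MM
#    form shown by step 2 (placeholder value).
$version = '05/10/2012-10:00'

# 4. System state backup -> "wbadmin start systemstaterecovery" (for a
#    critical-volumes backup the article names "wbadmin start recovery").
#    -quiet suppresses the confirmation prompts.
wbadmin start systemstaterecovery -version:$version -backupTarget:E: -quiet

# 5. Remove the DSRM flag and restart normally; on the next normal start the
#    DC asks its replication partners for everything changed since the backup.
bcdedit /deletevalue safeboot
Restart-Computer -Force
```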
Question No: 82 – (Topic 1)
You have two servers named Server1 and Server2. Both servers run Windows Server 2008 R2. Server1 is configured as an Enterprise Root certification authority (CA).
You install the Online Responder role service on Server2.
You need to configure Server2 to issue certificate revocation lists (CRLs) for the enterprise root CA.
Which two tasks should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Import the enterprise root CA certificate.
B. Import the OCSP Response Signing certificate.
C. Add the Server1 computer account to the CertPublishers group.
D. Set the Startup Type of the Certificate Propagation service to Automatic.
Answer: A, B
Explanation: Further information:
http://technet.microsoft.com/en-us/library/cc770413(v=ws.10).aspx Online Responder Installation, Configuration, and Troubleshooting Guide
Public key infrastructure (PKI) consists of multiple components, including certificates, certificate revocation lists (CRLs) and certification authorities (CAs). In most cases, applications that depend on X.509 certificates, such as Secure/Multipurpose Internet Mail Extensions (S/MIME), Secure Sockets Layer (SSL) and smart cards, are required to validate the status of the certificates used when performing authentication, signing, or encryption operations. The certificate status and revocation checking is the process by which the validity of certificates is verified based on two main categories: time and revocation status.
Although validating the revocation status of certificates can be performed in multiple ways, the common mechanisms are CRLs, delta CRLs, and Online Certificate Status Protocol (OCSP) responses.
http://technet.microsoft.com/en-us/library/cc772393(v=ws.10).aspx Active Directory Certificate Services Step-by-Step Guide
Set Up an Online Responder http://technet.microsoft.com/en-us/library/cc731099.aspx Creating a Revocation Configuration
Question No: 83 – (Topic 1)
Your company has a single-domain Active Directory forest. The functional level of the domain is Windows Server 2008.
You perform the following activities:
Create a global distribution group.
Add users to the global distribution group.
Create a shared folder on a Windows Server 2008 member server.
Place the global distribution group in a domain local group that has access to the shared folder.
You need to ensure that the users have access to the shared folder. What should you do?
A. Add the global distribution group to the Domain Administrators group.
B. Change the group type of the global distribution group to a security group.
C. Change the scope of the global distribution group to a Universal distribution group.
D. Raise the forest functional level to Windows Server 2008.
Answer: B Explanation:
In Microsoft Active Directory, what are security and distribution groups?
In Microsoft Active Directory, when you create a new group, you must select a group type. The two group types, security and distribution, are described below:
Security: Security groups allow you to manage user and computer access to shared resources. You can also control who receives group policy settings. This simplifies administration by allowing you to set permissions once on multiple computers, then to change the membership of the group as your needs change. The change in group membership automatically takes effect everywhere. You can also use these groups as email distribution lists.
Distribution: Distribution groups are intended to be used solely as email distribution lists. These lists are for use with email applications such as Microsoft Exchange or Outlook. You can add and remove contacts from the list so that they will or will not receive email sent to the distribution group. You can't use distribution groups to assign permissions on any objects, and you can't use them to filter group policy settings.
http://technet.microsoft.com/en-us/library/cc781446(v=ws.10).aspx
Question No: 84 – (Topic 1)
Your company has an Active Directory domain.
You log on to the domain controller. The Active Directory Schema snap-in is not available in the Microsoft Management Console (MMC).
You need to access the Active Directory Schema snap-in. What should you do?
A. Add the Active Directory Lightweight Directory Services (AD LDS) role to the domain controller by using Server Manager.
B. Log off and log on again by using an account that is a member of the Schema Administrators group.
C. Use the Ntdsutil.exe command to connect to the Schema Master operations master and open the schema for writing.
Answer: D Explanation:
http://technet.microsoft.com/en-us/library/cc732110.aspx Install the Active Directory Schema Snap-In
You can use this procedure to first register the dynamic-link library (DLL) that is required for the Active Directory Schema snap-in. You can then add the snap-in to Microsoft Management Console (MMC).
To install the Active Directory Schema snap-in
To open an elevated command prompt, click Start, type command prompt and then right-click Command Prompt when it appears in the Start menu. Next, click Run as administrator and then click OK.
To open an elevated command prompt in Windows Server 2012, click Start, type cmd, right click cmd and then click Run as administrator.
Type the following command, and then press ENTER: regsvr32 schmmgmt.dll
Click Start, click Run, type mmc and then click OK.
On the File menu, click Add/Remove Snap-in.
Under Available snap-ins, click Active Directory Schema, click Add and then click OK.
To save this console, on the File menu, click Save.
In the Save As dialog box, do one of the following:
To place the snap-in in the Administrative Tools folder, in File name, type a name for the snap-in, and then click Save.
To save the snap-in to a location other than the Administrative Tools folder, in Save in, navigate to a location for the snap-in. In File name, type a name for the snap-in, and then click Save.
Question No: 85 – (Topic 1)
Your company has an Active Directory domain. All servers run Windows Server 2008 R2. Your company uses an Enterprise Root certificate authority (CA).
You need to ensure that revoked certificate information is highly available. What should you do?
A. Implement an Online Certificate Status Protocol (OCSP) responder by using an Internet Security and Acceleration Server array.
B. Publish the trusted certificate authorities list to the domain by using a Group Policy Object (GPO).
C. Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
D. Create a new Group Policy Object (GPO) that allows users to trust peer certificates. Link the GPO to the domain.
Answer: C Explanation:
Answer: Implement an Online Certificate Status Protocol (OCSP) responder by using Network Load Balancing.
http://technet.microsoft.com/en-us/library/cc731027(v=ws.10).aspx AD CS: Online Certificate Status Protocol Support
Certificate revocation is a necessary part of the process of managing certificates issued by certification authorities (CAs). The most common means of communicating certificate status is by distributing certificate revocation lists (CRLs). In the Windows Server® 2008 operating system, for public key infrastructures (PKIs) where the use of conventional CRLs is not an optimal solution, an Online Responder based on the Online Certificate Status Protocol (OCSP) can be used to manage and distribute revocation status information.
What does OCSP support do?
The use of Online Responders that distribute OCSP responses, along with the use of CRLs, is one of two common methods for conveying information about the validity of certificates. Unlike CRLs, which are distributed periodically and contain information about all certificates that have been revoked or suspended, an Online Responder receives and responds only to requests from clients for information about the status of a single certificate. The amount of data retrieved per request remains constant no matter how many revoked certificates there might be.
In many circumstances, Online Responders can process certificate status requests more efficiently than by using CRLs.
Adding one or more Online Responders can significantly enhance the flexibility and scalability of an organization's PKI.
Implementing an OCSP Responder: Part V High Availability
There are two major pieces in implementing the High Availability Configuration. The first step is to add the OCSP Responders to what is called an Array. When OCSP Responders are configured in an Array, the configuration of the OCSP responders can be easily maintained, so that all Responders in the Array have the same configuration. The configuration of the Array Controller is used as the baseline configuration that is then applied to other members of the Array. The second piece is to load balance the OCSP Responders. Load balancing of the OCSP responders is what actually provides fault tolerance.
Question No: 86 – (Topic 1)
Your company has an Active Directory domain. You have a two-tier PKI infrastructure that contains an offline root CA and an online issuing CA. The Enterprise certification authority is running Windows Server 2008 R2.
You need to ensure users are able to enroll new certificates. What should you do?
A. Renew the Certificate Revocation List (CRL) on the root CA. Copy the CRL to the CertEnroll folder on the issuing CA.
B. Renew the Certificate Revocation List (CRL) on the issuing CA. Copy the CRL to the SystemCertificates folder in the users' profile.
C. Import the root CA certificate into the Trusted Root Certification Authorities store on all client workstations.
D. Import the issuing CA certificate into the Intermediate Certification Authorities store on all client workstations.
Answer: A Explanation:
Offline Root Certification Authority (CA)
A root certification authority (CA) is the top of a public key infrastructure (PKI) and generates a self-signed certificate. This means that the root CA is validating itself (self-validating). This root CA could then have subordinate CAs that effectively trust it. The subordinate CAs receive a certificate signed by the root CA, so the subordinate CAs can issue certificates that are validated by the root CA. This establishes a CA hierarchy and trust path.
If a root CA is in some way compromised (broken into, hacked, stolen, or accessed by an unauthorized or malicious person), then all of the certificates that were issued by that CA are also compromised. Since certificates are used for data protection, identification, and authorization, the compromise of a CA could compromise the security of an entire organizational network. For that reason, many organizations that run internal PKIs install their root CA offline. That is, the CA is never connected to the company network, which makes the root CA an offline root CA. Make sure that you keep all CAs in secure areas with limited access.
To ensure the reliability of your CA infrastructure, specify that any root and non-issuing intermediate CAs must be offline. A non-issuing CA is one that is not expected to provide certificates to client computers, network devices, and so on. This minimizes the risk of the CA private keys becoming compromised, which would in turn compromise all the certificates that were issued by the CA.
How Do Offline CAs issue certificates?
Offline root CAs can issue certificates to removable media devices (e.g. floppy disk, USB drive, CD/DVD), which are then physically transported to the subordinate CAs that need the certificate in order to perform their tasks. If the subordinate CA is a non-issuing intermediate that is offline, then it will also be used to generate a certificate and that certificate will be placed on removable media. Each CA receives its authorization to issue certificates from the CA directly above it in the CA hierarchy. However, you can have multiple CAs at the same level of the CA hierarchy. Issuing CAs are typically online and used to issue certificates to client computers, network devices, mobile devices, and so on.
Do not join offline CAs to an Active Directory Domain Services domain
Since offline CAs should not be connected to a network, it does not make sense to join them to an Active Directory Domain Services (AD DS) domain, even with the Offline Domain Join option introduced with Windows 7 and Windows Server 2008 R2.
Furthermore, installing an offline CA on a server that is a member of a domain can cause problems with a secure channel when you bring the CA back online after a long offline period. This is because the computer account password changes every 30 days. You can get around this problem and better protect your CA by making it a member of a workgroup, instead of a domain. Since Enterprise CAs need to be joined to an AD DS domain, do not attempt to install an offline CA as a Windows Server Enterprise CA.
http://technet.microsoft.com/en-us/library/cc740209(v=ws.10).aspx
Renewing a certification authority
A certification authority may need to be renewed for either of the following reasons:
Change in the policy of certificates issued by the CA
Expiration of the CA's issuing certificate
Question No: 87 – (Topic 1)
Your company, Contoso Ltd has a main office and a branch office. The offices are connected by a WAN link. Contoso has an Active Directory forest that contains a single domain named ad.contoso.com.
The ad.contoso.com domain contains one domain controller named DC1 that is located in the main office. DC1 is configured as a DNS server for the ad.contoso.com DNS zone. This zone is configured as a standard primary zone.
You install a new domain controller named DC2 in the branch office. You install DNS on DC2.
You need to ensure that the DNS service can update records and resolve DNS queries in the event that a WAN link fails.
What should you do?
A. Create a new stub zone named ad.contoso.com on DC2.
B. Create a new standard secondary zone named ad.contoso.com on DC2.
C. Configure the DNS server on DC2 to forward requests to DC1.
D. Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
Answer: D Explanation:
Answer: Convert the ad.contoso.com zone on DC1 to an Active Directory-integrated zone.
http://technet.microsoft.com/en-us/library/cc726034.aspx Understanding Active Directory Domain Services Integration
The DNS Server service is integrated into the design and implementation of Active Directory Domain Services (AD DS). AD DS provides an enterprise-level tool for organizing, managing, and locating resources in a network.
How DNS integrates with AD DS
When you install AD DS on a server, you promote the server to the role of a domain controller for a specified domain. As part of this process, you are prompted to specify a DNS domain name for the AD DS domain which you are joining and for which you are promoting the server, and you are offered the option to install the DNS Server role. This option is provided because a DNS server is required to locate this server or other domain controllers for members of an AD DS domain.
Benefits of AD DS integration
For networks that deploy DNS to support AD DS, directory-integrated primary zones are strongly recommended. They provide the following benefits:
DNS features multimaster data replication and enhanced security based on the capabilities of AD DS. In a standard zone storage model, DNS updates are conducted based on a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.
With directory-integrated storage, dynamic updates to DNS are sent to any AD DS-integrated DNS server and are replicated to all other AD DS-integrated DNS servers by means of AD DS replication. In this model, any AD DS-integrated DNS server can accept dynamic updates for the zone. Because the master copy of the zone is maintained in the AD DS database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of AD DS, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.
Also, when you use directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides detailed access to either the zone or a specified resource record in the zone. For example, an ACL for a zone resource record can be restricted so that dynamic updates are allowed only for a specified client computer or a secure group, such as a domain administrators group. This security feature is not available with standard primary zones.
Zones are replicated and synchronized to new domain controllers automatically whenever a new one is added to an AD DS domain.
By integrating storage of your DNS zone databases in AD DS, you can streamline database replication planning for your network.
Directory-integrated replication is faster and more efficient than standard DNS replication. Further information:
Question No: 88 – (Topic 1)
Your network consists of an Active Directory forest that contains one domain. All domain controllers run Windows Server 2008 R2 and are configured as DNS servers. You have an Active Directory-integrated zone.
You have two Active Directory sites. Each site contains five domain controllers. You add a new NS record to the zone.
You need to ensure that all domain controllers immediately receive the new NS record. What should you do?
A. From the DNS Manager console, reload the zone.
B. From the DNS Manager console, increase the version number of the SOA record.
C. From the command prompt, run repadmin /syncall.
D. From the Services snap-in, restart the DNS Server service.
Answer: C Explanation:
Repadmin /syncall Synchronizes a specified domain controller with all of its replication partners.
http://ivan.dretvic.com/2012/01/how-to-force-replication-of-domain-controllers/ How to force replication of Domain Controllers
From time to time it's necessary to kick off AD replication to speed up a task you may be doing, or it is just a good tool to check the status of replication between DCs.
Below is a command to replicate from a specified DC to all other DCs.
Repadmin /syncall DC_name /Aped
By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon used to do in Windows 2003, except that you did it in one step, not many. And with the benefit of seeing immediate results on how the operations are proceeding.
If I am running it on the DC itself, I don’t even have to specify the server name.
Question No: 89 – (Topic 1)
Your company has an Active Directory domain and an organizational unit. The organizational unit is named Web.
You configure and test new security settings for Internet Information Service (IIS) Servers on a server named IISServerA.
You need to deploy the new security settings only on the IIS servers that are members of the Web organizational unit.
What should you do?
A. Run secedit /configure /db iis.inf from the command prompt on IISServerA, then run secedit /configure /db webou.inf from the command prompt.
B. Export the settings on IISServerA to create a security template. Import the security template into a GPO and link the GPO to the Web organizational unit.
C. Export the settings on IISServerA to create a security template. Run secedit /configure /db webou.inf from the command prompt.
D. Import the hisecws.inf file template into a GPO and link the GPO to the Web organizational unit.
Answer: B Explanation:
http://www.itninja.com/blog/view/using-secedit-to-apply-security-templates Using Secedit To Apply Security Templates
Secedit /configure /db secedit.sdb /cfg "c:\temp\custom.inf" /silent >nul
This command imports a security template file, "custom.inf", into the workstation's or server's local security database. /db must be specified. When specifying the default security database (secedit.sdb), I found that providing no path worked best. The /cfg option informs Secedit that it is to import the .inf file into the specified database, appending it to any existing .inf files that have already been imported to this system. You can optionally include an /overwrite switch to overwrite all previous configurations for this machine. The /silent option suppresses any pop-ups and the >nul hides the command line output stating success or failure of the action.
Question No: 90 – (Topic 1)
Your company has a main office and three branch offices. The company has an Active Directory forest that has a single domain. Each office has one domain controller. Each office is configured as an Active Directory site.
All sites are connected with the DEFAULTIPSITELINK object.
You need to decrease the replication latency between the domain controllers. What should you do?
A. Decrease the replication schedule for the DEFAULTIPSITELINK object.
B. Decrease the replication interval for the DEFAULTIPSITELINK object.
C. Decrease the cost between the connection objects.
D. Decrease the replication interval for all connection objects.
Answer: B Explanation:
Answer: Decrease the replication interval for the DEFAULTIPSITELINK object.
Personal comment:
All sites are connected with the DEFAULTIPSITELINK object. <- this roughly translates into all sites are connected with the first domain controller in the forest
So the topology is star shaped.
Thus, decreasing the cost between the connection objects will offer no benefit.
We know we have multiple sites linked and are using a DEFAULTIPSITELINK object. Thus, the most plausible answer is to decrease the replication interval for DEFAULTIPSITELINK.
http://www.informit.com/articles/article.aspx?p=26866&seqNum=5 Understanding Active Directory, Part III
Active Directory replication between domain controllers is managed by the system administrator on a site-bysite basis. As domain controllers are added, a replication path must be established. This is done by the Knowledge Consistency Checker (KCC), coupled with Active Directory replication components. The KCC is a dynamic process that runs on all domain controllers to create and modify the replication topology. If a domain controller fails, the KCC automatically creates new paths to the remaining domain controllers. Manual intervention with the KCC will also force a new path.
The Active Directory replaces PDCs and BDCs with multimaster replication services. Each domain controller retains a copy of the entire directory for that particular domain. As changes are made in one domain controller, the originator communicates these changes to the peer domain controllers. The directory data itself is stored in the ntds.dit file.
Active Directory replication uses the Remote Procedure Call (RPC) over IP to conduct replication within a site. Replication between sites can utilize either RPC or the Simple Mail Transfer Protocol (SMTP) for data transmission. The default intersite replication protocol is RPC.
Intersite and Intrasite Replication
There are distinct differences in internal and intersite domain controller replication. In theory, the network bandwidth within a site is sufficient to handle all network traffic associated with replication and other Active Directory activities. By the definition of a site, the network must be reliable and fast. A change notification process is initiated when modifications occur on a domain controller. The domain controller waits for a configurable period (by default, five minutes) before it forwards a message to its replication partners.
During this interval, it continues to accept changes. Upon receiving a message, the partner domain controllers copy the modification from the original domain controller. In the event that no changes were noted during a configurable period (six hours, by default), a replication sequence ensures that all possible modifications are communicated. Replication within a site involves the transmission of uncompressed data.
Security-related modifications are replicated within a site immediately. These changes include account and individual user lockout policies, changes to password policies, changes to computer account passwords, and modifications to the Local Security Authority (LSA).
Replication between sites assumes that there are network-connectivity problems, including insufficient bandwidth, reliability, and increased cost. Therefore, the Active Directory permits the system to make decisions on the type, frequency, and timing of intersite replication. All replication objects transmitted between sites are compressed, which may reduce traffic by 10 to 25 percent, but because this is not sufficient to guarantee proper replication, the system administrator has the responsibility of scheduling intersite replication.
Replication Component Objects
Whereas the KCC represents the process elements associated with replication, the following comprise the Active Directory object components:
Connection object. Domain controllers become replication "partners" when linked by a connection object.
This is represented by a one-way path between two domain controller server objects. Connection objects are created by the KCC by default. They can also be manually created by the system administrator.
NTDS settings object. The NTDS settings object is a container that is automatically created by the Active Directory. It contains all of the connection objects, and is a child of the server
Server object. The Active Directory represents every computer as a computer object. The domain controller is also represented by a computer object, plus a specially created server object. The server object's parent is the site object that defines its IP subnet. However, in the event that the domain controller server object was created prior to site creation, it will be necessary to manually define the IP subnet to properly assign the domain controller a site.
When it is necessary to link multiple sites, two additional objects are created to manage the replication topology.
Site link. The site link object specifies a series of values (cost, interval, and schedule) that define the connection between sites. The KCC uses these values to manage replication and to modify the replication path if it detects a more efficient one. The Active Directory DEFAULTIPSITELINK is used by default until the system administrator intervenes. The cost value, ranging from 1 to 32767, is an arbitrary estimate of the actual cost of data transmission as defined by bandwidth. The interval value sets how often replication will occur: 15 minutes is the minimum, once a week (or 10080 minutes) is the maximum, and three hours is the default. The schedule interval establishes the time when replication should occur. Although replication can be at any time by default, the system administrator may want to schedule it only during off-peak network hours.
Site link bridges. The site link bridge object defines a set of links that communicate via the same protocol. By default, all site links use the same protocol, and are transitive. Moreover, they belong to a single site link bridge. No configuration is necessary to the site link bridge if the IP network is fully routed. Otherwise, manual configuration may be necessary.
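As an added example (not from the exam page or either quoted article), this PowerShell script reads the site link values just described (cost, interval, member sites) straight from the siteLink objects under Inter-Site Transports and lowers the DEFAULTIPSITELINK interval to the 15-minute minimum. It assumes the Active Directory module that ships with Windows Server 2008 R2 and an account permitted to edit the configuration partition; the attribute names cost, replInterval and siteList are the real schema attributes behind the Sites and Services dialog.

```powershell
# Added example: audit IP site links and lower DEFAULTIPSITELINK's interval.
# Assumes the Active Directory PowerShell module and rights on the
# configuration partition (normally Enterprise Admins).
Import-Module ActiveDirectory

$config  = (Get-ADRootDSE).configurationNamingContext
$ipLinks = "CN=IP,CN=Inter-Site Transports,CN=Sites,$config"

# One row per IP site link: cost, interval in minutes, and the linked sites.
function Get-SiteLinkReport {
    Get-ADObject -SearchBase $ipLinks -Filter 'objectClass -eq "siteLink"' `
        -Properties cost, replInterval, siteList |
      ForEach-Object {
        [pscustomobject]@{
            Link     = $_.Name
            Cost     = $_.cost          # 1..32767, relative WAN cost
            Interval = $_.replInterval  # minutes between replication cycles; 180 is the default
            Sites    = ($_.siteList |
                        ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
        }
      }
}

Get-SiteLinkReport | Format-Table -AutoSize

# Lower the interval on DEFAULTIPSITELINK only if it is above the 15-minute
# minimum; replInterval is the attribute behind "Replicate every" in the GUI.
$link = Get-ADObject -Identity "CN=DEFAULTIPSITELINK,$ipLinks" -Properties replInterval
if ($link.replInterval -gt 15) {
    Set-ADObject -Identity $link -Replace @{ replInterval = 15 }
    "DEFAULTIPSITELINK interval changed from $($link.replInterval) to 15 minutes"
} else {
    "DEFAULTIPSITELINK interval already $($link.replInterval) minutes"
}
```

The change takes effect once the configuration partition replicates and the KCC on each site's bridgehead recalculates its connections.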
http://technet.microsoft.com/en-us/library/cc775549(v=ws.10).aspx What Is Active Directory Replication Topology?
Replication of updates to Active Directory objects are transmitted between multiple domain controllers to keep replicas of directory partitions synchronized. Multiple domains are common in large organizations, as are multiple sites in disparate locations. In addition, domain controllers for the same domain are commonly placed in more than one site.
Therefore, replication must often occur both within sites and between sites to keep domain and forest data consistent among domain controllers that store the same directory partitions. Site objects can be configured to include a set of subnets that provide local area network (LAN) network speeds. As such, replication within sites generally occurs at high speeds between domain controllers that are on the same network segment. Similarly, site link objects can be configured to represent the wide area network (WAN) links that connect LANs.
Replication between sites usually occurs over these WAN links, which might be costly in terms of bandwidth.
To accommodate the differences in distance and cost of replication within a site and replication between sites, the intrasite replication topology is created to optimize speed, and the intersite replication topology is created to minimize cost.
The Knowledge Consistency Checker (KCC) is a distributed application that runs on every domain controller and is responsible for creating the connections between domain controllers that collectively form the replication topology. The KCC uses Active Directory data to determine where (from what source domain controller to what destination domain controller) to create these connections.
The following diagram shows the interaction of these technologies with the replication topology, which is indicated by the two-way connections between each set of domain controllers.
[Figure: Replication Topology and Dependent Technologies]
http://technet.microsoft.com/en-us/library/cc755994(v=ws.10).aspx How Active Directory Replication Topology Works
Replication Topology Physical Structure
The Active Directory replication topology can use many different components. Some components are required and others are not required but are available for optimization. The following diagram illustrates most replication topology components and their place in a sample Active Directory multisite and multidomain forest. The depiction of the intersite topology that uses multiple bridgehead servers for each domain assumes that at least one domain controller in each site is running at least Windows Server 2003. All components of this diagram and their interactions are explained in detail later in this section.
[Figure: Replication Topology Physical Structure]
In the preceding diagram, all servers are domain controllers. They independently use global knowledge of configuration data to generate one-way, inbound connection objects. The KCCs in a site collectively create an intrasite topology for all domain controllers in the site. The ISTGs from all sites collectively create an intersite topology. Within sites, one-way arrows indicate the inbound connections by which each domain controller replicates changes from its partner in the ring. For intersite replication, one-way arrows represent inbound connections that are created by the ISTG of each site from bridgehead servers (BH) for the same domain (or from a global catalog server [GC] acting as a bridgehead if the domain is not present in the site) in other sites that share a site link. Domains are indicated as D1, D2, D3, and D4.
Each site in the diagram represents a physical LAN in the network, and each LAN is represented as a site object in Active Directory. Heavy solid lines between sites indicate WAN links over which two-way replication can occur, and each WAN link is represented in Active Directory as a site link object. Site link objects allow connections to be created between bridgehead servers in each site that is connected by the site link.
Not shown in the diagram is that where TCP/IP WAN links are available, replication between sites uses the RPC replication transport. RPC is always used within sites. The site link between Site A and Site D uses the SMTP protocol for the replication transport to replicate the configuration and schema directory partitions and global catalog partial, read-only directory partitions. Although the SMTP transport cannot be used to replicate writable domain directory partitions, this transport is required because a TCP/IP connection is not available between Site A and Site D. This configuration is acceptable for replication because Site D does not host domain controllers for any domains that must be replicated over the site link A-D.
By default, site links A-B and A-C are transitive (bridged), which means that replication of domain D2 is possible between Site B and Site C, although no site link connects the two sites. The cost values on site links A-B and A-C are site link settings that determine the routing preference for replication, which is based on the aggregated cost of available site links. The cost of a direct connection between Site C and Site B is the sum of costs on site links A-B and A-C. For this reason, replication between Site B and Site C is automatically routed through Site A to avoid the more expensive, transitive route. Connections are created between Site B and Site C only if replication through Site A becomes impossible due to network or bridgehead server conditions.
Control Replication Latency and Cost
Replication latency is inherent in a multimaster directory service. A period of replication latency begins when a directory update occurs on an originating domain controller and ends when replication of the change is received on the last domain controller in the forest that requires the change. Generally, the latency that is inherent in a WAN link is relative to a combination of the speed of the connection and the available bandwidth.
Replication cost is an administrative value that can be used to indicate the latency that is associated with different replication routes between sites. A lower-cost route is preferred by the ISTG when generating the replication topology.
Site topology is the topology as represented by the physical network: the LANs and WANs that connect domain controllers in a forest. The replication topology is built to use the site topology. The site topology is represented in Active Directory by site objects and site link objects. These objects influence Active Directory replication to achieve the best balance between replication speed and the cost of bandwidth utilization by distinguishing between replication that occurs within a site and replication that must span sites. When the KCC creates replication connections between domain controllers to generate the replication topology, it creates more connections between domain controllers in the same site than between domain controllers in different sites.
The results are lower replication latency within a site and less replication bandwidth utilization between sites.
Within sites, replication is optimized for speed as follows:
Connections between domain controllers in the same site are always arranged in a ring, with possible additional connections to reduce latency.
Replication within a site is triggered by a change notification mechanism when an update occurs, moderated by a short, configurable delay (because groups of updates frequently occur together).
Data is sent uncompressed, and thus without the processing overhead of data compression.
Between sites, replication is optimized for minimal bandwidth usage (cost) as follows:
Replication data is compressed to minimize bandwidth consumption over WAN links.
Store-and-forward replication makes efficient use of WAN links: each update crosses an expensive link only once.
Replication occurs at intervals that you can schedule so that use of expensive WAN links is managed.
The intersite topology is a layering of spanning trees (one intersite connection between any two sites for each directory partition) and generally does not contain redundant connections.
Topology-Related Objects in Active Directory
Active Directory stores replication topology information in the configuration directory partition. Several configuration objects define the components that are required by the KCC to establish and implement the replication topology:
Site Link Objects
For a connection object to be created on a destination domain controller in one site that specifies a source domain controller in another site, you must manually create a site link object (class siteLink) that connects the two sites. Site link objects identify the transport protocol and scheduling required to replicate between two or more sites. You can use Active Directory Sites and Services to create the site links. The KCC uses the information stored in the properties of these site links to create the intersite topology connections.
A site link is associated with a network transport by creating the site link object in the appropriate transport container (either IP or SMTP). All intersite domain replication must use IP site links. The Simple Mail Transfer Protocol (SMTP) transport can be used for replication between sites that contain domain controllers that do not host any common domain directory partition replicas.
Site Link Properties
A site link specifies the following:
Two or more sites that are permitted to replicate with each other.
An administrator-defined cost value associated with that replication path. The cost value controls the route that replication takes, and thus the remote sites that are used as sources of replication information.
A schedule during which replication is permitted to occur.
An interval that determines how frequently replication occurs over this site link during the times when the schedule allows replication.
Default Site Link
When you install Active Directory on the first domain controller in the forest, an object named DEFAULTIPSITELINK is created in the Sites container (in the IP container within the Inter-Site Transports container). This site link contains only one site, Default-First-Site-Name.
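The following added example, which is not part of the cited TechNet article, reads the topology objects described in this section (siteLink objects under the IP and SMTP transport containers, and the nTDSConnection objects the KCC derives from them) directly from the configuration partition with ADSI, so it runs on a Windows Server 2008 R2 domain controller without the ActiveDirectory module. It assumes a domain-joined host with read access to the configuration partition; the flag value 0x1 on a connection object's options attribute marks a KCC-generated connection, and the script uses it to separate automatic connections from manually created ones, which are worth reviewing because they override the KCC's lowest-cost routing.

```powershell
# Added example: enumerate site links and connection objects from the
# configuration partition using ADSI (no ActiveDirectory module needed).
# Assumptions: domain-joined host, read access to the configuration NC.
$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext

function Search-SitesContainer {
    param([string]$Filter, [string[]]$Properties)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNC"
    $searcher.Filter = $Filter
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.AddRange($Properties)
    return $searcher.FindAll()
}

# Site links: the transport is implied by the container (CN=IP or CN=SMTP).
$siteLinks = Search-SitesContainer '(objectClass=siteLink)' @('name', 'cost', 'replInterval', 'siteList', 'distinguishedName') |
    ForEach-Object {
        $dn = [string]$_.Properties['distinguishedname'][0]
        $transport = if ($dn -match ',CN=(IP|SMTP),CN=Inter-Site Transports,') { $Matches[1] } else { '?' }
        [pscustomobject]@{
            Name      = [string]$_.Properties['name'][0]
            Transport = $transport
            Cost      = [int]$_.Properties['cost'][0]
            Interval  = [int]$_.Properties['replinterval'][0]
            # siteList holds site DNs; keep just the site names.
            Sites     = @($_.Properties['sitelist'] | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=' })
        }
    }
$siteLinks | Format-Table Name, Transport, Cost, Interval, @{ n = 'Sites'; e = { $_.Sites -join ', ' } } -AutoSize

# Connection objects live under CN=NTDS Settings of the destination DC and
# point at the source DC's NTDS Settings object via fromServer.
# options bit 0x1 (NTDSCONN_OPT_IS_GENERATED) means the KCC created it.
$kccGeneratedFlag = 0x1
$connections = Search-SitesContainer '(objectClass=nTDSConnection)' @('fromServer', 'options', 'distinguishedName') |
    ForEach-Object {
        $dnParts = ([string]$_.Properties['distinguishedname'][0]) -split ','
        $fromParts = ([string]$_.Properties['fromserver'][0]) -split ','
        $options = if ($_.Properties['options'].Count -gt 0) { [int]$_.Properties['options'][0] } else { 0 }
        [pscustomobject]@{
            # DN: CN=<conn>,CN=NTDS Settings,CN=<destination DC>,CN=Servers,CN=<site>,...
            Destination  = $dnParts[2] -replace '^CN='
            DestSite     = $dnParts[4] -replace '^CN='
            # fromServer: CN=NTDS Settings,CN=<source DC>,CN=Servers,CN=<site>,...
            Source       = $fromParts[1] -replace '^CN='
            SourceSite   = $fromParts[3] -replace '^CN='
            KccGenerated = [bool]($options -band $kccGeneratedFlag)
        }
    }

$connections | Sort-Object DestSite, Destination | Format-Table -AutoSize

# Hand-made connection objects bypass the cost-based routing described above;
# each one should map to a known, deliberate exception.
$connections | Where-Object { -not $_.KccGenerated } | ForEach-Object {
    Write-Warning ("Manual connection object: {0} ({1}) <- {2} ({3})" -f `
        $_.Destination, $_.DestSite, $_.Source, $_.SourceSite)
}
```

Compare the output with repadmin /showrepl on the same domain controller: every inbound connection object here should correspond to a replication partner there, and a source that does not match any domain controller you know of is something to investigate, not just to clean up.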