Author: Will Szymkowski
Published on: May 31, 2015
If you have ever worked with Active Directory Users and Computers at some point it is possible that you might have also looked at or wondered about Active Directory Sites and Services. as you know ADUC is based around day to day operational task such as Password Reset / Account Creations etc.
Active Directory Sites and Services is where all of the backgroud replication happens. It is also critical to have Active Directory Sites and Services configured properly to ensure you have the most efficent replicaiton of your Active Directory Domain.
AD Sites and Services Terms
Computer Objects: these are the Domain Controllers that are present with in AD Sites and Services
Subnets: subnets are used to identify sites within your Active Directory domain
Global Catalog: this is a forest wide authentication mechanism which can be enabled or disabled from AD Sites and Services
Inter-Site Replication: this is the replicaiton between domain controllers and logical Active Directory Sites
Intra-Site Replication: this is the replication between domain controllers in the same logical site
Bridge Head Servers: these are the domain controllers that replicate data from one site to another. Each Site will have one designated bridge head server.
Preferrend Bridge Head Servers: these are server/s that are assigned to specifically replicate Active Directory data between AD Sites
Automatic Connections: these are the connections that are made automatically by the KCC (knowledge Consistency Checker)
Manual Connections: these are connections that are made manually by administrators
Site Link: these are links which allow different sites with network connectivity to replicate among each other. KCC creates the required connections for all of the Sites and DC’s with in the Site Link
Site Link Bridge: these are links that are used to connect Sites that do not have a direct network connection and can replicate through a Hub Site.
KCC (Knowledge Consistency Checker): this is a built-in mechanism that is on all domain controllers which auto creates bidirectional connections to other DC’s within the same Active Directory site. This also auto creates connections between sites which are also called bridge head servers.
Active Directory Sites and Services Overview
The screenshot below is an overview of AD Sites and Services. As you can see there are Subnets, Sites (HQ, Site2, Site3). There are also Computer objects which are all of the DC’s in this environment. Each Computer object will have NTDS Settings, this is where you can see each of the connections that are made to other DC’s in your domain. These connections are Bidirectional. You will also see that they are Automatically Generated connections, which means the KCC (Knowledge Consistency Checker) created them.
As you can see from the previous screenshot and the one below that both of these sites have connecitons created to DC3 (site3). This allows changes to be replicated from HQ and Site2 to Site3.
As you can see when we look at the NTDS Settings for Site3 there are 2 auto generated connections. One to DC (HQ) and the other to DC2 (Site2). This ensures that when changes need to be replicated from DC3 they will be updated on the DC’s in Site2 and HQ.
In the screenshot below under Inter-Site Transports (replication between Sites) you will see by default the DefaultSiteLink. The DefaultSiteLink is created by default and the sites are automatically added to the DefaultSiteLink so that the Inter-Site Topology Generator can create connections between sites with specific DC’s. 1 DC is assigned this role and it is based on the Knowledge Consistency Checker. You can also go into the Properties of the DefaultSiteLink and modify some of the settings.
In the Properties of the DefaultSiteLink you can see that all of the Sites are added to this Site Link. There is also a Cost and a Replicate interval below. The Cost represents the most preferred link to use if there are multiple paths that can be used. In this case we only have 1 Site Link (DefaultSiteLink) so the Cost is irrelevent. The replication interval by default is 180 minutes (3 hours). This is how often the Bridge Head Servers in each site will replicate the changes from each respective site. I always like to have the most up to date data so I have changed the value to 15 minutes (which is the lowest you can set it).
The screenshot below is the Schedule for the DefaultSiteLink. You can configure this to only allow replication based on a specific day or time. This is useful if you have site links that are high latency where you would not replicate to happen during business hours or after hours where you may be transfering backups over the network or something of that nature. Typically I always allow replication all times of the day (which is the default).
Based on the screenshot below you are probably thinking that there are multiple NTDS Settings? That is correct. There are NTDS Settings for the Site level and the DC level. Each has their own options and settings that you can configure. If you click on a Site and in the right pane you will see NTDS Settings right click select Properties.
In the NTDS Site settings there are a couple of things you can do. You can set the Schedule of how often the Inter-Site Topology Generator runs (default is every hour). You can also specify if you want to use Universal Group Membership Caching. This setting allows you to cache Global Catalog Group Memberships for a specific Site. This helps decrease the replication for Global Catalog Data and also will all you to search Universal Groups when a Global Catalog DC is not available. This setting is off by default. This setting is only useful in the event you do not have a DC in the site that is also a Global Catalog.
As I had stated eariler, there is also NTDS Settings for Sites and DC’s. The both screenshot outlines the NTDS Settings for the DC specifically.
From the Properties window from the NTDS Settings on the DC this is where you can specifically set the Global Catalog setting for the DC. This is typically selected when you promote a DC. If for whatever reason you need to remove the GC role from a DC this is how you do it. Also if a DC is not currently a GC role holder then this is also where you can set it.
Based on the info above, I have illustrated a high level overview of AD Sites and Services. In Part 2 of this serise I will go into more detail regarding Site Links, Bridge Head Servers, Site Link Costs, and Subnets.
Active Directory Sites and Services (Part 2) (Click Here)