Managing Active Directory sites and subnets
Divide and Conquer
Creating Site Links
After you have created sites and the IP subnets there, it's time to set up the site links. If your lines have different bandwidths, it may make sense to create different site links. You can then schedule when replication is possible as a function of the site links and create site associations on the basis of IP or SMTP, although IP is used in most cases.
To establish a new site link, under Inter-Site Transports right-click on IP | New Site Link. When assigning the name, it is best to use a designation that allows conclusions to be drawn about the respective locations (e.g., Liverpool, Manchester) or the type of connection between the various branches. At this point, you can also decide which sites to connect with this site link. A site can be a member of several links.
Replication takes place through those site links with the lowest defined costs. If you click on IP, you will see the site links on the right. Once you have created the site link, its properties can be edited. On the General tab, define the interval at which you want to replicate the information between the sites. By default, replication is set to three hours and the costs are set to 100. If you click the Change Schedule button, you can specify the times at which replication is allowed with this site link.
At this point you can also create site link bridges, which are used by Active Directory if two sites have no physical connection but are connected by a third site through which you want AD replication to take place. These bridges are created automatically. If you want to do this manually, you have to disable the automatic mechanism under Inter-Site Transports by right-clicking IP | Properties and checking the box beside Bridge all site links.
Site links can also be set up in PowerShell,
New-ADReplicationSiteLink CORPORATE-BRANCH1 -SitesIncluded CORPORATE,BRANCH1 -OtherAttributes @{'options'=1}
and the cost and time frame for synchronization are defined with the command:
Set-ADReplicationSiteLink CORPORATE-BRANCH1 -Cost 100 -ReplicationFrequencyInMinutes 15
Assigning Domain Controllers
Any DCs that are already installed need to be moved to the correct site manually. To do so, right-click on the server in the Active Directory Sites and Services snap-in and select Move in the context menu. DCs can also be moved to new locations in PowerShell,
Get-ADDomainController <name of server> | Move-ADDirectoryServer -Site <name of site>
or you can drag and drop them to different locations. Windows sets up the replication links automatically. To see these, select Sites | <Site> | Servers | <Server> | <Servername> | NTDS Settings. You can set up manual connections here by selecting New Active Directory Connection from the context menu.
In PowerShell, you can display the replication connections, display detailed information about the individual sites, display only the name, and get a list of DCs and sites:
Get-ADReplicationConnection
Get-ADReplicationSite -Filter *
Get-ADReplicationSite -Filter * | ft Name
Get-ADDomainController -Filter * | ft Hostname,Site
If replication problems occur in Active Directory, first make sure the DCs experiencing replication difficulties are configured for the correct site. To do this, type the command
nltest /dsgetsite
at the command prompt.
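The checks on sites, site links, and DC placement described above can be combined into one audit function. The following PowerShell is an added example, not code from the original article; the function name Test-SiteTopology, the MaxMinutes threshold, the BRANCH2 site, and the example.com names are assumptions, and the sample objects are constructed so the function runs without a domain.

```powershell
# Added example: flags sites outside every site link, sites without a DC,
# and site links with fewer than two sites or a long replication interval.
function Test-SiteTopology {
    param(
        [object[]]$Sites,              # objects with Name
        [object[]]$SiteLinks,          # Name, ReplicationFrequencyInMinutes, SitesIncluded
        [object[]]$DomainControllers,  # objects with HostName, Site
        [int]$MaxMinutes = 180         # assumed review threshold (the three-hour default)
    )
    # Live site link objects list members as distinguished names; keep only the site name.
    $links = foreach ($l in $SiteLinks) {
        [pscustomobject]@{
            Name    = $l.Name
            Minutes = $l.ReplicationFrequencyInMinutes
            Members = @($l.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
        }
    }
    foreach ($s in $Sites) {
        if (-not ($links | Where-Object { $_.Members -contains $s.Name })) {
            [pscustomobject]@{ Object = $s.Name; Finding = 'Site is not a member of any site link' }
        }
        if (-not ($DomainControllers | Where-Object { $_.Site -eq $s.Name })) {
            [pscustomobject]@{ Object = $s.Name; Finding = 'No domain controller is assigned to this site' }
        }
    }
    foreach ($l in $links) {
        if ($l.Members.Count -lt 2) {
            [pscustomobject]@{ Object = $l.Name; Finding = 'Site link connects fewer than two sites' }
        }
        if ($l.Minutes -gt $MaxMinutes) {
            [pscustomobject]@{ Object = $l.Name; Finding = "Interval of $($l.Minutes) min exceeds $MaxMinutes" }
        }
    }
}
# Constructed sample data: BRANCH2 exists as a site but has no link and no DC.
$sampleSites = 'CORPORATE', 'BRANCH1', 'BRANCH2' | ForEach-Object { [pscustomobject]@{ Name = $_ } }
$sampleLinks = @(
    [pscustomobject]@{ Name = 'CORPORATE-BRANCH1'; ReplicationFrequencyInMinutes = 15
        SitesIncluded = 'CN=CORPORATE,CN=Sites,CN=Configuration,DC=example,DC=com',
                        'CN=BRANCH1,CN=Sites,CN=Configuration,DC=example,DC=com' }
)
$sampleDcs = @(
    [pscustomobject]@{ HostName = 'dc1.example.com'; Site = 'CORPORATE' }
    [pscustomobject]@{ HostName = 'dc2.example.com'; Site = 'BRANCH1' }
)
Test-SiteTopology -Sites $sampleSites -SiteLinks $sampleLinks -DomainControllers $sampleDcs
# Against a live forest (requires the ActiveDirectory module):
# Test-SiteTopology -Sites (Get-ADReplicationSite -Filter *) `
#     -SiteLinks (Get-ADReplicationSiteLink -Filter *) -DomainControllers (Get-ADDomainController -Filter *)
```

A site without a DC can be intentional, so treat that finding as a prompt to confirm the design rather than as an error.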
Knowledge Consistency Checker
Once you have created the routing topology, the Knowledge Consistency Checker (KCC) automatically sets up the links between the DCs. KCC automatically configures AD replication according to the sites, the links, the schedules and costs, and the DCs that exist there. The service is completely automatic and runs on each domain controller in the forest. It does not link every single DC to every single other DC; rather, it sets up an intelligent topology.
KCC checks every 15 minutes that the existing connections are working and automatically changes the replication topology, if needed. Within a site, the service creates a ring topology, attempting to have no more than three other DCs between two separate domain controllers.
During data transfer between various sites, the AD data is not transferred by all DCs to DCs on other sites (as previously mentioned) but only by one DC at a time. This DC, known as the bridgehead server, automatically replicates with other bridgehead servers on other sites (Figure 3). At the respective site, the domain controllers in turn replicate with each other. KCC automatically determines which DCs at a site become the bridgehead servers. The selection of the bridgehead servers at a site is handled by the intersite topology generator (ISTG), which is part of KCC (Figure 4).