1. The document discusses implementing Active Directory Domain Services (AD DS) sites and replication, including configuring AD DS sites, site links, and intersite replication.
2. It describes tools for monitoring AD DS replication such as Repadmin and Dcdiag and best practices for deploying read-only domain controllers.
3. The lab scenario involves optimizing AD DS replication between a London HQ site and branch office sites in Toronto and a test site to address slow sign-ins and resource access.
2. Module Overview
• AD DS Replication Overview
• Configuring AD DS Sites
• Configuring and Monitoring AD DS Replication
3. Lesson 1: AD DS Replication Overview
• What Are AD DS Partitions?
• Characteristics of AD DS Replication
• How AD DS Replication Works Within a Site
• Resolving Replication Conflicts
• How Replication Topology Is Generated
• How RODC Replication Works
• How SYSVOL Replication Works
4. What Are AD DS Partitions?
The Active Directory database is divided into partitions:
• Configuration: forest-wide information about the Active Directory structure
• Schema: forest-wide definitions and rules for creating and manipulating objects and attributes
• <Domain>: information about domain-specific objects
• <Application>: information about applications
5. Characteristics of AD DS Replication
• Multimaster replication ensures:
  • Accuracy (integrity)
  • Consistency (convergence)
  • Performance (keeping replication traffic to a reasonable level)
• Key characteristics of Active Directory replication include:
  • Multimaster replication
  • Pull replication
  • Store-and-forward
  • Partitions
  • Automatic generation of an efficient, robust replication topology
  • Attribute-level and multi-value replication
  • Distinct control of intrasite and intersite replication
  • Collision detection and remediation
6. How AD DS Replication Works Within a Site
• Intrasite replication uses:
  • Connection objects for inbound replication to a domain controller
  • KCC to automatically create topology
  • Efficient (maximum three-hop) and robust (two-way) topology
  • Notifications, in which the domain controller tells its downstream partners that a change is available
  • Polling, in which the domain controller checks with its upstream partners for changes
• Downstream domain controller directory replication agent replicates changes
• Changes to all partitions held by both domain controllers are replicated
(Diagram: intrasite replication between DC01, DC02, and DC03)
7. Resolving Replication Conflicts
• In multimaster replication models, replication conflicts arise when:
  • The same attribute is changed on two domain controllers simultaneously
  • An object is moved or added to a deleted container on another domain controller
  • Two objects with the same relative distinguished name are added to the same container on two different domain controllers
• To resolve replication conflicts, AD DS uses:
  • Version number
  • Time stamp
  • Server GUID
8. How Replication Topology Is Generated
(Diagram: Domain A topology with domain controllers A1 to A4 and a global catalog server; Domain B topology with B1 to B3 and a global catalog server; global catalog replication between the domains; the schema and configuration topology spanning domain controllers in another domain)
9. How RODC Replication Works
• When an RODC is implemented:
  • The KCC detects that it is an RODC and creates one-way only connection objects (red) from one or more source domain controllers
  • Write referrals are sent to the source domain controllers from the RODC (blue)
• An RODC performs Replicate Single Object inbound replication during:
  • Password changes
  • DNS updates to a writable DNS server
  • Updates to various client attributes
(Diagram: an RODC with one-way connection objects from its source domain controllers)
10. How SYSVOL Replication Works
• SYSVOL contains logon scripts, Group Policy templates, and GPOs with their content
• SYSVOL replication can take place using:
  • FRS, which is primarily used in Windows Server 2003 and older domain structures
  • DFS Replication, which is used in Windows Server 2008 and newer domains
• To migrate SYSVOL replication from FRS to DFS Replication:
  • The domain functional level must be at least Windows Server 2008
  • Use the Dfsrmig.exe tool to perform the migration
11. Lesson 2: Configuring AD DS Sites
• What Are AD DS Sites?
• Why Implement Additional Sites?
• Demonstration: Configuring AD DS Sites
• How Replication Works Between Sites
• What Is the Intersite Topology Generator?
• Optimizing Domain Controller Coverage in Multiple Site Scenarios
• How Client Computers Locate Domain Controllers Within Sites
12. What Are AD DS Sites?
• Sites identify network locations with fast, reliable network connections
• Sites are associated with subnet objects
• Sites are used to manage:
  • Replication when domain controllers are separated by slow, expensive links
  • Service localization:
    • Domain controller authentication (LDAP and Kerberos)
    • Active Directory-aware (site-aware) services or applications
(Diagram: one site containing domain controllers A1 and A2 and its IP subnets)
13. Why Implement Additional Sites?
Create additional sites when:
• A part of the network is separated by a slow link
• A part of the network has enough users to warrant hosting domain controllers or other services in that location
• You want to control service localization
• You want to control replication between domain controllers
(Diagram: domain controllers A1, A2, and A3 divided between two sites, each with its own IP subnets)
15. How Replication Works Between Sites
Replication within sites:
• Assumes fast, inexpensive, and highly reliable network links
• Does not compress traffic
• Uses a change notification mechanism
Replication between sites:
• Assumes higher cost, limited bandwidth, and unreliable network links
• Has the ability to compress replication
• Occurs on a configured schedule
• Can be configured for immediate and urgent replications
(Diagram: replication within a site between A1 and A2, and replication between a site holding A1 and A2 and a site holding B1 and B2, each site with its own IP subnets)
16. What Is the Intersite Topology Generator?
ISTG defines the replication between AD DS sites on a network
(Diagram: two sites, each with its IP subnets and an ISTG, joined by a site link over which replication occurs)
17. Optimizing Domain Controller Coverage in Multiple Site Scenarios
• Domain controllers register SRV records as follows:
  • _tcp.adatum.com: All domain controllers in the domain
  • _tcp.sitename._sites.adatum.com: All services in a specific site
• Clients query DNS to locate services in specific sites
18. How Client Computers Locate Domain Controllers Within Sites
The process for locating a domain controller occurs as follows:
1. New client queries for all domain controllers in the domain
2. Client attempts LDAP ping to find all domain controllers
3. First domain controller responds
4. Client queries for all domain controllers in the site
5. Client attempts LDAP ping to find all domain controllers in the site
6. Client stores domain controller and site name for further use
7. Domain controller is used for the full logon process, including authentication, building the token, and building the list of GPOs to apply
• Domain controller offline? Client queries for domain controllers in the registry-stored site
• Client moved to another site? Domain controller refers client to another site
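An added example (not part of the course deck) that walks the locator steps above from a domain-joined client: it resolves the domain-wide and site-specific SRV records, reads the site Netlogon cached in the registry, and checks whether the discovered domain controller is actually in the client's site. The domain adatum.com comes from the slides; the Netlogon registry value DynamicSiteName is real; any site name you pass is an assumption.

```powershell
# Added example: compare the DCs DNS advertises with the DC the locator actually picks.
Import-Module ActiveDirectory

function Get-DcLocatorView {
    param(
        [string]$Domain = 'adatum.com',
        [string]$SiteName
    )

    # Steps 1 and 4: Netlogon registers _ldap._tcp.<domain> for every DC and
    # _ldap._tcp.<site>._sites.<domain> for the DCs that cover one site.
    $domainWide = Resolve-DnsName -Name "_ldap._tcp.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }

    if (-not $SiteName) {
        # The site the client was last told it belongs to ("registry stored site" on the slide).
        $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $SiteName = (Get-ItemProperty -Path $netlogon -Name DynamicSiteName -ErrorAction SilentlyContinue).DynamicSiteName
    }

    $siteDcs = @()
    if ($SiteName) {
        $siteDcs = Resolve-DnsName -Name "_ldap._tcp.$SiteName._sites.$Domain" -Type SRV -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'SRV' }
    }

    # Steps 2, 3 and 5: the LDAP ping picks the first responder. -Discover runs the same
    # locator logic, so it returns the DC the client would actually use.
    $discover = @{ DomainName = $Domain; ErrorAction = 'SilentlyContinue' }
    if ($SiteName) { $discover.SiteName = $SiteName }
    $chosen = Get-ADDomainController -Discover @discover
    if (-not $chosen) {
        # No DC answered for the site: the locator falls back to the domain-wide records,
        # which is the "referred to another site" case on the slide.
        $chosen = Get-ADDomainController -Discover -DomainName $Domain -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        Domain         = $Domain
        ClientSite     = $SiteName
        DomainWideDCs  = @($domainWide | ForEach-Object NameTarget | Sort-Object -Unique)
        SiteDCs        = @($siteDcs | ForEach-Object NameTarget | Sort-Object -Unique)
        DiscoveredDC   = [string]$chosen.HostName
        DiscoveredSite = [string]$chosen.Site
        # True when the client authenticates against a DC outside its own site: the slow
        # sign-in from the lab scenario, usually an unmapped subnet or no DC in the site.
        CrossSiteLogon = [bool]($SiteName -and $chosen -and ([string]$chosen.Site -ne $SiteName))
    }
}

# Usage: run on a branch client; nltest /dsgetdc:adatum.com /site:Toronto gives the same answer.
Get-DcLocatorView | Format-List
```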
19. Lesson 3: Configuring and Monitoring AD DS Replication
• What Are AD DS Site Links?
• What Is Site Link Bridging?
• What Is Universal Group Membership Caching?
• Managing Intersite Replication
• Demonstration: Configuring AD DS Intersite Replication
• Best Practices When Deploying RODCs to Support Remote Sites
• Demonstration: Configuring Password Replication Policies
• Tools for Monitoring and Managing Replication
20. What Are AD DS Site Links?
• Site links contain sites:
  • Within a site link, a connection object can be created between any two domain controllers
  • The default site link, DEFAULTIPSITELINK, is not always appropriate given your network topology
(Diagram: sites HQ, SEA, AMS, and Beijing; an HQ-SEA site link beside the single DEFAULTIPSITELINK that contains all four sites)
21. What Is Site Link Bridging?
• By default, automatic site link bridging:
  • Enables ISTG to create connection objects between site links
  • Allows disabling of transitivity in the properties of the IP transport
• Site link bridges:
  • Enable you to create transitive site links manually
  • Are useful only when transitivity is disabled
(Diagram: site links HQ-SEA, HQ-Beijing, and HQ-AMS, with a site link bridge spanning SEA, AMS, and Beijing)
22. What Is Universal Group Membership Caching?
Universal group membership caching enables domain controllers in a site with no global catalog servers to cache universal group membership
(Diagram: a site with a global catalog server and a bridgehead server, and a second site with only a bridgehead server, each with its IP subnets)
23. Managing Intersite Replication
• Site link costs:
  • Replication uses the connections with the lowest cost
• Replication:
  • Polling: Downstream bridgehead polls upstream partners
  • Default is 3 hours
  • Minimum is 15 minutes
  • Recommended is 15 minutes
• Replication schedules:
  • 24 hours a day
  • Can be scheduled
24. Demonstration: Configuring AD DS Intersite Replication
In this demonstration, you will see how to configure AD DS intersite replication
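An added example (not the course's own demonstration) that builds the lab topology from slides 12, 13, 20, 21 and 23 with the ActiveDirectory module: sites and subnets, explicit site links with a cost and the recommended 15-minute interval, change notification, and the transitivity setting that lab review question 3 asks about. The site names LondonHQ, Toronto and TestSite come from the lab; the subnets, costs and which sites each link joins are this example's assumptions.

```powershell
# Added example: sites, subnets, site links and transitivity for the lab topology.
Import-Module ActiveDirectory

$subnets = @{
    'LondonHQ' = '172.16.0.0/24'     # assumed subnet values
    'Toronto'  = '172.16.18.0/24'
    'TestSite' = '172.16.100.0/24'
}

# Exercise 1: the default site becomes LondonHQ.
Get-ADReplicationSite -Identity 'Default-First-Site-Name' -ErrorAction SilentlyContinue |
    Rename-ADObject -NewName 'LondonHQ'

# Slides 12 and 13: a site is a well-connected network location; subnet objects are what
# map a client or DC to it, so an unmapped subnet means cross-WAN logons.
foreach ($site in $subnets.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$($subnets[$site])'")) {
        New-ADReplicationSubnet -Name $subnets[$site] -Site $site
    }
}

# Slides 20 and 23: explicit links with a cost (the ISTG routes over the lowest total cost)
# and the 15-minute interval the slide recommends instead of the 180-minute default.
# The chain LondonHQ - Toronto - TestSite keeps TestSite behind Toronto.
$links = @(
    @{ Name = 'LondonHQ-Toronto'; Sites = 'LondonHQ', 'Toronto';  Cost = 100 },
    @{ Name = 'Toronto-TestSite'; Sites = 'Toronto',  'TestSite'; Cost = 200 }
)
foreach ($link in $links) {
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$($link.Name)'")) {
        New-ADReplicationSiteLink -Name $link.Name -SitesIncluded $link.Sites -Cost $link.Cost `
            -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
    }
    # Slide 15: change notification on the link replicates urgent changes without waiting
    # for the interval; it is bit 0x1 (USE_NOTIFY) of the siteLink object's options attribute.
    $opts = [int](Get-ADReplicationSiteLink -Identity $link.Name -Properties options).options
    Set-ADReplicationSiteLink -Identity $link.Name -Replace @{ options = ($opts -bor 1) }
}

# Take the branch sites out of DEFAULTIPSITELINK so only the explicit links remain.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = 'Toronto', 'TestSite' }

# Slide 21 and lab review question 3: while "Bridge all site links" is on, the ISTG treats
# the two links as transitive and may build a LondonHQ-to-TestSite connection object directly.
# Clearing it sets bit 0x2 (BRIDGES_REQUIRED) on the IP inter-site transport object.
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$transportOpts = [int](Get-ADObject -Identity $ipTransport -Properties options).options
Set-ADObject -Identity $ipTransport -Replace @{ options = ($transportOpts -bor 2) }

# Review the result: cost, interval, options bits and the sites each link joins.
Get-ADReplicationSiteLink -Filter * -Properties options |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, options,
        @{ n = 'Sites'; e = { ($_.SitesIncluded -replace '^CN=([^,]+),.*', '$1') -join ', ' } }
```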
25. Best Practices When Deploying RODCs to Support Remote Sites
Password replication policies are:
• Used to determine which users' credentials should be cached on the RODC
• Determined by the Allowed List and the Denied List
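An added example (not the course's own demonstration) that sets the Allowed and Denied Lists on an RODC and then audits what the RODC has actually cached, which is the check a defender wants before trusting a branch DC with weaker physical security. The RODC name TOR-RODC1 and the groups "Toronto Users" and "Service Accounts" are assumptions; the cmdlets are the ActiveDirectory module's own.

```powershell
# Added example: configure a Password Replication Policy and audit the RODC's cache.
Import-Module ActiveDirectory

$rodc = 'TOR-RODC1'   # assumed RODC name

# Allowed List: the branch's own users may have their secrets cached, so logons keep
# working when the WAN link to LondonHQ is down.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Toronto Users'
# Denied List: accounts whose secrets must never sit on the RODC. Denied wins when an
# account is in both lists; the built-in Denied RODC Password Replication Group already
# covers Domain Admins and the other privileged groups.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -DeniedList 'Service Accounts'

function Test-RodcPasswordCache {
    param([string]$Rodc, [int]$MaxCached = 200)
    $privileged = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                  'Account Operators', 'Server Operators', 'Backup Operators'

    # Accounts whose secrets are currently stored on the RODC ("revealed").
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
    # Accounts that authenticated through the RODC; those not revealed were forwarded to a
    # writable DC across the WAN, the slow sign-in from the lab scenario.
    $authenticated = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)

    # A privileged account in the cache means the Denied List or its group nesting is wrong
    # (direct group membership only; nested membership needs a recursive check).
    $flagged = foreach ($acct in $revealed) {
        $groups = (Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName).Name
        if ($groups | Where-Object { $privileged -contains $_ }) { $acct.SamAccountName }
    }
    $notCached = $authenticated | Where-Object { $revealed.SamAccountName -notcontains $_.SamAccountName }

    [pscustomobject]@{
        RODC                   = $Rodc
        CachedAccounts         = $revealed.Count
        PrivilegedCached       = @($flagged)
        AuthenticatedNotCached = @($notCached | ForEach-Object SamAccountName)
        # If the RODC is ever lost, every cached account needs a password reset; a cache
        # far larger than the branch's user base means the Allowed List is too broad.
        CacheTooLarge          = ($revealed.Count -gt $MaxCached)
    }
}

Test-RodcPasswordCache -Rodc $rodc | Format-List
```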
28. Lab: Implementing AD DS Sites and Replication
• Exercise 1: Modifying the Default Site
• Exercise 2: Creating Additional Sites and Subnets
• Exercise 3: Configuring AD DS Replication
• Exercise 4: Monitoring and Troubleshooting AD DS Replication
Logon Information
Virtual machines: 20412C-LON-DC1, 20412C-TOR-DC1
User Name: Adatum\Administrator
Password: Pa$$w0rd
Estimated Time: 30 minutes
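An added example (not the lab's own steps) for exercise 4: a replication health check built on the ActiveDirectory module's replication cmdlets, with the Repadmin and Dcdiag equivalents the module names. The DC names LON-DC1 and TOR-DC1 come from the lab; the stale threshold is this example's assumption, derived from the 3-hour default interval on slide 23.

```powershell
# Added example: find stale or failing replication partners, then inspect the queue.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param(
        [string[]]$DomainControllers = @('LON-DC1', 'TOR-DC1'),
        # Slide 23: intersite polling defaults to 3 hours. A partner with no success for two
        # intervals has missed at least one full cycle and deserves a closer look.
        [int]$StaleHours = 6
    )
    $cutoff = (Get-Date).AddHours(-$StaleHours)
    foreach ($dc in $DomainControllers) {
        # One row per partner and partition; all partitions on a connection replicate together.
        Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -PartnerType Both |
            ForEach-Object {
                [pscustomobject]@{
                    Server      = $dc
                    Direction   = $_.PartnerType
                    Partner     = ($_.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*', '$1')
                    Partition   = $_.Partition
                    LastSuccess = $_.LastReplicationSuccess
                    Failures    = $_.ConsecutiveReplicationFailures
                    LastResult  = $_.LastReplicationResult   # 0 = success, otherwise a Win32 error code
                    Stale       = ($_.LastReplicationSuccess -lt $cutoff)
                }
            }
    }
}

function Get-ReplicationFailures {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # Every DC in the domain reports the partners it currently cannot replicate with.
    Get-ADReplicationFailure -Target $Domain -Scope Domain |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
}

# Stale or failing partners first, then the inbound queue on the London bridgehead
# (a long queue right after a WAN outage is normal; one that never drains is not).
Get-ReplicationHealth | Where-Object { $_.Stale -or $_.Failures -gt 0 } | Format-Table -AutoSize
Get-ReplicationFailures | Format-Table -AutoSize
Get-ADReplicationQueueOperation -Server 'LON-DC1' | Format-Table -AutoSize

# Command-line equivalents and the usual follow-up:
#   repadmin /replsummary              forest-wide summary of failures and largest deltas
#   repadmin /showrepl TOR-DC1         per-partition inbound partners and last result
#   dcdiag /s:TOR-DC1 /test:replications
#   repadmin /syncall /AdeP TOR-DC1    force a cycle across all partitions and sites
```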
29. Lab Scenario
A. Datum Corporation has deployed a single AD DS domain with all the domain controllers located in the London data center. As the company has grown and added branch offices with large numbers of users, it has become apparent that the current AD DS environment does not meet the company requirements. Users in some of the branch offices report that it can take a long time for them to sign in on their computers. Access to network resources such as the company's Microsoft Exchange® 2013 servers and the Microsoft SharePoint® servers can be slow, and they fail sporadically.
As one of the senior network administrators, you are responsible for planning and implementing an AD DS infrastructure that will help address the business requirements for the organization. You are responsible for configuring AD DS sites and replication to optimize the user experience and network utilization within the organization.
30. Lab Review
• You decide to add a new domain controller to the LondonHQ site named LON-DC2. How can you ensure that LON-DC2 is used to pass all replication traffic to the Toronto site?
• You have added the new domain controller named LON-DC2 to the LondonHQ site. Which AD DS partitions will be modified as a result?
• In the lab, you created a separate site link for the Toronto and TestSite sites. What might you also have to do to ensure that LondonHQ does not automatically create a connection object directly with the TestSite site?
Editor's Notes
Presentation: 60 minutes
Lab: 30 minutes
After completing this module, the students will be able to:
Describe how Active Directory® Domain Services (AD DS) replication works.
Explain how to configure AD DS sites to help optimize authentication and replication traffic.
Explain how to configure and monitor AD DS replication.
Required materials
To teach this module, you need the Microsoft® Office PowerPoint® file 20412C_05.pptx.
Important:
We recommend that you use PowerPoint 2007 or newer to display the slides for this course. If you use PowerPoint Viewer or an older version of Office PowerPoint, the slides might not display correctly.
Preparation tasks
To prepare for this module:
Read all of the materials for this module.
Practice performing the demonstrations.
Practice performing the labs.
Work through the Module Review and Takeaways section, and determine how you will use this section to reinforce student learning and promote knowledge transfer to on-the-job performance.
As you prepare for this class, it is imperative that you complete the labs yourself so that you understand how they work and the concepts that are covered in each. This helps you to provide meaningful hints to students who might find it difficult to complete a lab. Prior practice with the labs also helps to guide your lecture and ensure that you cover the concepts in the labs.
Introduce this module by stressing how important it is that an enterprise utilizes multiple domain controllers within AD DS. This concept provides a natural segue to a discussion regarding how important it is that administrators understand replication and how it works.
Ask the students what would happen if information does not replicate consistently to all domain controllers. For example, if a user creates a user object on one domain controller, but that information does not replicate to all other domain controllers, the user will be able to authenticate only to the domain controller in which the account was created. This could result in a random experience of logon success and failures.
Point out that multiple sites enable an enterprise's administrator to control replication, with the added benefit of providing a way to provide efficient authentication and local access to site-aware resources.
Briefly describe the topics in this lesson. This content has changed little since earlier versions of Windows® operating systems, so if your students have previous experience with AD DS replication, you can summarize the information in these topics instead of going into a detailed conversation about the topic content.
Briefly describe the information that each AD DS partition stores.
You may want to consider using the Active Directory Service Interfaces Editor (ADSI Edit) to show each partition's contents.
Review the likely size and replication frequency of each partition given a typical deployment of AD DS. These factors can have a significant effect on AD DS planning and performance.
Point out that Active Directory-integrated DNS actually uses application partitions for distribution between domain controllers. By default, two application partitions for DNS zones are created in this case: ForestDNSZones and DomainDNSZones. The ForestDNSZones partition replicates to all domain controllers that are DNS servers in the forest. The DomainDNSZones partition replicates to all domain controllers that are DNS servers in the domain. In Microsoft Windows 2000 Server, the default was that DNS records were replicated in the domain to every domain controller, even if a domain controller was not a DNS server. For non-Active Directory-integrated DNS zones, because no zones are stored in AD DS, no partition is created for them.
Discuss the replication model. It is important that the students understand that they can make changes from any domain controller in the domain, except for read-only domain controllers (RODCs), and that those changes then replicate to all other domain controllers. Compare this with a single master replication model, where you make changes on one domain controller only.
Ask the students what benefits and disadvantages result from using a multimaster replication model. Stress that this model results in a more complicated replication process than the single master model, but it provides more redundancy and scalability.
Use that as a transition to introduce the concepts of integrity, convergence, and performance. In a multimaster database, these must be balanced.
Go on to define the key design characteristics of ADÂ DS replication, which the slide shows.
Use this slide to explain how ADÂ DS replication works within a site. Discuss, demonstrate, or illustrate the role of the knowledge consistency checker (KCC) in creating connection objects to create an efficient (three-hop maximum) and robust (two-way) topology.
Emphasize that there are few reasons to create connection objects manually within a site. In fact, administrators have very few options by which they can modify the replication topology within a site.
Then, move on to the replication itself. Mention that within a single site, the replication goal is to update all domain controllers as quickly as possible.
However, when a change is made on a domain controller, the domain controller waits as long as 15 seconds to notify its partners of the change. This increases the efficiency of replication if additional changes are made to the partition.
Point out that with a maximum of 15 seconds, this means that on average, changes replicate every 7.5 seconds. A maximum of three hops means that within 45 seconds (22.5 seconds on average), the entire site is updated with a change.
Introduce the directory replication agent.
Point out that all partitions that are replicated between two domain controllers on a connection object are replicated simultaneously. There is no way to time the partitions differently.
Point out that replication traffic is not compressed, because it is assumed that all domain controllers in the same site will be connected with a fast network connection with abundant available bandwidth.
Question
Describe the circumstances that result when you manually create a connection object between domain controllers within a site.
Answer
Creating a connection object manually is not typically required or recommended because the KCC does not verify or use the manual connection object for failover. The KCC will also not remove manual connection objects, which means that you must remember to delete connection objects that you create manually.
Highlight that replication conflicts are not likely to be an issue in most organizations that have a managed AD DS change-control process. In most organizations, only one group is likely to make changes to the same objects in AD DS, and that group should have a communication process that ensures that conflicting changes do not happen.
If the students are interested in more detail about how AD DS resolves replication conflicts, draw a diagram of several domain controllers and show how attribute version numbers, time stamps, and server GUIDs always result in a conflict resolution.
Begin this topic by explaining the benefits of an RODC. Stress that an RODC only has inbound connection objects, so that it can replicate changes from writable domain controllers, and that only replicated changes are allowed. Because RODCs are read-only, outbound connection objects are not necessary. RODCs are intended for locations with lower physical security, where a domain controller may be compromised. One security benefit is that RODCs never replicate information out.
Mention that there are some attributes that are never replicated to an RODC, such as BitLocker Drive Encryption recovery keys, and that client applications must request them specifically from full (writable) domain controllers, because an RODC always returns empty values for them.
Mention scenarios in which changes may be made to an RODC. For example, if a malicious user gains physical access to the domain controller, the attacker may be able to make changes to the local Active Directory database. However, with an RODC in place, these changes will not be replicated to any other domain controller.
Mention that with an RODC, a single connection object is created, but only from the writeable domain controller to the RODC.
Explain that it is critical that SYSVOL is synchronized between all domain controllers within a domain.
Describe the benefits of using Distributed File System (DFS) Replication instead of the File Replication Service (FRS) for replication processes.
Briefly describe the lesson content. Ask the students if their organizations include multiple locations, and if so, the types of services that those remote locations provide, such as domain controller authentication.
Provide the highest-level definition of a site: an object that supports replication and service localization. Stress the importance of maintaining subnet object-to-site mapping.
Mention that when you install AD DS, a default site named Default-First-Site-Name is created. All computers, including domain controllers, are added automatically to the default site until you create additional sites.
Mention that an incorrect site implementation can cause problems later, for example logon traffic over wide area network (WAN) links. Also, mention that recent versions of Microsoft Exchange Server use Active Directory sites to route email. Mention that subnets assigned to virtual private network (VPN) technologies such as DirectAccess need to be configured in Active Directory Sites and Services, to prevent users from logging on through a VPN gateway in one location and then receiving Group Policy Objects (GPOs) from another location over a WAN connection.
Explain that a location can contain more than one Active Directory site, or an Active Directory site may span more than one location.
An important takeaway for this topic is that the students should be able to answer the question, "Would I want a separate site for this location?"
Demonstrate or discuss the most basic procedures for creating a site and assigning a subnet to the site.
Mention that many of these tasks require credentials provided by the Enterprise Admin or Domain Admin of the root domain, by default, but that you can delegate them.
Mention to the students that the default site link, DEFAULTIPSITELINK, will be the only site link available until you create additional site links.
Preparation Steps
To complete this demonstration, you must ensure that the 20412C-LON-DC1 and the 20412C-TOR-DC1 virtual machines are running. Sign in on all virtual machines as Adatum\Administrator with the password Pa$$w0rd.
Note: To complete this and subsequent demonstrations, you also need to complete Lab A, Exercise 1, Task 1. This will configure TOR-DC1 as a domain controller.
Demonstration Steps
On LON-DC1, in the Server Manager, click Tools, and then click Active Directory Sites and Services.
In Active Directory Sites and Services, expand Sites, and then click Default-First-Site-Name.
Right-click Default-First-Site-Name, and then click Rename.
Type LondonHQ, and then press Enter.
In the navigation pane, right-click Sites, and then click New Site.
In the New Object - Site dialog box, in the Name text box, type Toronto.
Select DEFAULTIPSITELINK, and then click OK.
In the Active Directory Domain Services dialog box, click OK.
In the navigation pane, right-click Subnets, and then click New Subnet.
In the New Object - Subnet dialog box, in the Prefix text box, type 172.16.0.0/24.
Under Select a site object for this prefix, click LondonHQ, and then click OK.
In the navigation pane, right-click Subnets, and then click New Subnet.
In the New Object - Subnet dialog box, in the Prefix text box, type 172.16.1.0/24.
Under Select a site object for this prefix, click Toronto, and then click OK.
In the navigation pane, expand LondonHQ, and then expand Servers.
Right-click TOR-DC1, and then click Move.
In the Move Server dialog box, select Toronto, and then click OK.
In the navigation pane, expand Toronto, and then expand Servers.
Verify that TOR-DC1 is now located in the Toronto Site.
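The same site and subnet configuration as the demonstration above, done with the ActiveDirectory PowerShell module rather than the console. This is an added example, not part of the course material; it assumes the lab names (Default-First-Site-Name, Toronto, DEFAULTIPSITELINK, TOR-DC1) and the two subnets used in the steps.

```powershell
# Added example (not from the course): the site and subnet demonstration
# performed with the ActiveDirectory module. Assumes the lab names
# Default-First-Site-Name, DEFAULTIPSITELINK and TOR-DC1.
Import-Module ActiveDirectory

# 1. Rename the default site to LondonHQ. A site is an ordinary directory
#    object, so Rename-ADObject on its distinguished name does the job.
$defaultSite = Get-ADReplicationSite -Identity 'Default-First-Site-Name'
Rename-ADObject -Identity $defaultSite.DistinguishedName -NewName 'LondonHQ'

# 2. Create the Toronto site and add it to the default site link, which is
#    what selecting DEFAULTIPSITELINK in the New Object - Site dialog does.
New-ADReplicationSite -Name 'Toronto'
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = 'Toronto' }

# 3. Map subnets to sites. A client whose subnet is not mapped gets no site
#    information and may authenticate against a domain controller anywhere
#    in the forest; NETLOGON event 5807 on a domain controller records
#    such clients, so keep this table complete.
$subnetMap = @{
    '172.16.0.0/24' = 'LondonHQ'
    '172.16.1.0/24' = 'Toronto'
}
foreach ($prefix in $subnetMap.Keys) {
    New-ADReplicationSubnet -Name $prefix -Site $subnetMap[$prefix]
}

# 4. Move the TOR-DC1 server object from LondonHQ into the Toronto site.
Move-ADDirectoryServer -Identity 'TOR-DC1' -Site 'Toronto'

# 5. Verify: every domain controller with its site, and any subnet object that
#    is not associated with a site (a common cause of slow logons).
Get-ADDomainController -Filter * |
    Select-Object Name, Site, IPv4Address |
    Format-Table -AutoSize
Get-ADReplicationSubnet -Filter * |
    Where-Object { -not $_.Site } |
    Select-Object Name
```

Run this on LON-DC1 as a member of Enterprise Admins (site, subnet and site link objects live in the configuration partition, so Domain Admins of a child domain cannot create them without delegation, as the notes point out).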
Mention that creating sites is a primary means by which you can manage replication traffic across slow network connections. Replication between sites may be compressed, and you may configure a replication schedule.
Mention that urgent changes, such as password changes, replicate between sites immediately, and are not based on the replication schedule. Describe the difference between urgent and immediate replication.
Mention that the intersite topology generator (ISTG) creates the replication topology between sites. The ISTG uses the KCC, but also adds an additional level of complexity when managing multiple sites.
The ISTG is an Active Directory process that defines replication between sites on a network. AD DS automatically designates a single domain controller in each site to act as the ISTG. Because this action occurs automatically, you do not have to perform any action to determine the replication topology and bridgehead server roles.
Discuss how service (SRV) resource records help AD DS clients locate services on the network. Focus in detail on how sites play a role in this service location process.
Consider showing an example using DNS Manager.
Explain the situations in which an RODC might be used for a site, and whether domain controllers should be placed in every site at all.
Use this topic to describe how a client locates a domain controller. Be sure to discuss how you can use sites to find the domain controller and service location, and what happens when a client moves to another site.
Briefly describe the lesson content.
Point out that even when multiple sites have a distinct hub-and-spoke network topology, in which all traffic is routed through the headquarters, AD DS may still create connection objects between domain controllers in the spokes if all of the sites are on one site link.
To align your network topology with Active Directory replication, you must create specific site links and ensure that the DEFAULTIPSITELINK is not used. Additionally, you must turn off site link bridging, which the next topic discusses.
This is not a design class, so discuss the subject matter at a level that allows the students to understand why the tasks are done, but does not delve too deeply into design concepts.
To describe site link bridging, mention that by default, site links are transitive, or bridged. For example, if site A has a common site link with site B, and site B has a common site link with site C, then the two site links are bridged. Therefore, domain controllers in site A can replicate directly with domain controllers in site C, even though no site link exists between sites A and C. In other words, the effect of bridged site links is that replication between sites in the bridge is transitive.
If the routing configuration for an organization is structured so that all domain controllers in all sites can communicate directly with domain controllers in other sites, you do not need to change the default configuration. However, you can modify the replication topology, and then force additional hops in the replication process by disabling automatic site-link bridging for all site links, and creating new site link bridges.
Universal group membership caching makes it possible to log on to AD DS without contacting a global catalog. Once this option is enabled and a user attempts to log on for the first time, universal group membership is cached on non-global catalog domain controllers.
Once this information is obtained from a global catalog, it is cached on the site's domain controller indefinitely, and is updated periodically. By default, updates occur every eight hours. Enabling this feature results in faster logon times for users in remote sites without global catalogs, because the authenticating domain controllers do not have to access a global catalog. Organizations may choose to use universal group membership caching for a site for which they do not want to deploy a global catalog server.
Mention that replication has improved over the years, and that the best practice recommendation for most scenarios is to have a global catalog on every domain controller. One of the historical concerns with global catalogs was the schema update in Windows 2000 Server, which would trigger global catalog re-initialization.
You may want to discuss that universal group membership caching can be a security risk when an administrator relies on removing a user from a group: the cache is not updated by replication, so the user keeps access for up to eight hours, and for longer if the WAN link is offline. This caching method is also somewhat unpredictable: when a user logs on for the first time at a remote site and the global catalog is not available, the behavior differs from that for users who have logged on previously. Because of these issues, universal group membership caching is not typically a recommended approach.
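A check an administrator can run to find the sites that depend on universal group membership caching, and therefore where a group removal may lag by up to the eight-hour refresh interval. This is an added example, not course material; it assumes that the `options` attribute of each NTDS Site Settings object carries the caching state in bit 0x20 (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) and reads global catalog placement from Get-ADDomainController.

```powershell
# Added example (not from the course): report, per site, whether universal
# group membership caching is enabled and whether the site has a global
# catalog. Assumes bit 0x20 of the NTDS Site Settings 'options' attribute
# is the caching flag (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED).
Import-Module ActiveDirectory

$GroupCachingFlag = 0x20
$configNC = (Get-ADRootDSE).configurationNamingContext

function Get-SiteCachingReport {
    # Sites that contain at least one global catalog server.
    $gcSites = Get-ADDomainController -Filter * |
        Where-Object { $_.IsGlobalCatalog } |
        Select-Object -ExpandProperty Site -Unique

    # One NTDS Site Settings object exists directly under each site object:
    # CN=NTDS Site Settings,CN=<site>,CN=Sites,<configuration partition>
    Get-ADObject -SearchBase "CN=Sites,$configNC" `
        -LDAPFilter '(objectClass=nTDSSiteSettings)' `
        -Properties options, 'msDS-Preferred-GC-Site' |
    ForEach-Object {
        $siteName = (($_.DistinguishedName -split ',')[1]) -replace '^CN='
        [pscustomobject]@{
            Site             = $siteName
            CachingEnabled   = ((($_.options) -band $GroupCachingFlag) -ne 0)
            HasGlobalCatalog = ($siteName -in $gcSites)
            # Blank means the cache is refreshed from the nearest global catalog.
            PreferredGCSite  = $_.'msDS-Preferred-GC-Site'
        }
    }
}

$report = Get-SiteCachingReport
$report | Format-Table -AutoSize

# Sites relying on the cache are where removing a user from a universal group
# can take up to the refresh interval (eight hours by default) to take effect.
$report | Where-Object { $_.CachingEnabled } | ForEach-Object {
    Write-Warning "Site '$($_.Site)' relies on universal group membership caching (global catalog present: $($_.HasGlobalCatalog))"
}
```

A site that shows both `CachingEnabled` and `HasGlobalCatalog` as true is a configuration leftover worth cleaning up: with a local global catalog the cache adds latency to group changes for no benefit.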
Describe the options for configuring intersite replication. The next topic provides a demonstration of these options.
Preparation Steps
To complete this demonstration, you must have the 20412C-LON-DC1 and 20412C-TOR-DC1 virtual machines running. Sign in on all virtual machines as Adatum\Administrator with the password Pa$$w0rd.
You also must have completed all previous demonstrations in this module.
Demonstration Steps
On TOR-DC1, in Server Manager, click Tools and then click Active Directory Sites and Services.
In Active Directory Sites and Services, expand Sites, and then expand Inter-Site Transports.
Click IP, right-click DEFAULTIPSITELINK, and then click Rename.
Type LON-TOR, and then press Enter.
Right-click LON-TOR, and then click Properties. Describe the Cost, Replicate every, and Change Schedule options.
In the LON-TOR Properties dialog box, next to Replicate every, configure the value to be 60 minutes.
Click Change Schedule.
Highlight the range from Monday 12 PM to Friday 4 PM, as follows:
Using the mouse, click at the Monday at 12:00 PM tile.
With the mouse button still pressed down, drag the cursor to the Friday at 4:00 PM tile.
Click Replication Not Available and then click OK.
Click OK to close the LON-TOR Properties dialog box.
In the navigation pane, right-click IP, and then click Properties.
In the IP Properties dialog box, point out and explain the Bridge all site links option.
Click OK to close the IP Properties dialog box.
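The intersite replication demonstration above, as an added PowerShell example rather than course material. It assumes the lab site link DEFAULTIPSITELINK with the LondonHQ and Toronto sites already on it, and it interprets the console drag selection as blocking the whole of Monday 12:00 PM through the end of the Friday 4:00 PM hour. The "Bridge all site links" check box is read from bit 0x2 of the IP transport's `options` attribute (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED), which is set when bridging is turned off.

```powershell
# Added example (not from the course): rename the site link, set the
# replication interval and schedule, and read the 'Bridge all site links'
# state. Assumes DEFAULTIPSITELINK already contains LondonHQ and Toronto.
Import-Module ActiveDirectory

# 1. Rename DEFAULTIPSITELINK to LON-TOR. Site links live under
#    CN=IP,CN=Inter-Site Transports,CN=Sites in the configuration partition.
$link = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK'
Rename-ADObject -Identity $link.DistinguishedName -NewName 'LON-TOR'

# 2. Build a schedule. ActiveDirectorySchedule.RawSchedule is bool[7,24,4]
#    (day 0 = Sunday, hour, 15-minute slot); $true = replication allowed.
function New-ReplicationSchedule {
    param(
        [System.DayOfWeek]$FromDay, [int]$FromHour,   # first blocked hour
        [System.DayOfWeek]$ToDay,   [int]$ToHour      # last blocked hour (inclusive)
    )
    $raw   = New-Object 'bool[,,]' 7, 24, 4
    $start = [int]$FromDay * 96 + $FromHour * 4        # first blocked 15-minute slot
    $end   = [int]$ToDay   * 96 + ($ToHour + 1) * 4    # first slot after the blocked range
    for ($d = 0; $d -lt 7; $d++) {
        for ($h = 0; $h -lt 24; $h++) {
            for ($q = 0; $q -lt 4; $q++) {
                $slot = $d * 96 + $h * 4 + $q
                $raw[$d, $h, $q] = -not ($slot -ge $start -and $slot -lt $end)
            }
        }
    }
    $schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
    $schedule.RawSchedule = $raw
    return $schedule
}

# Block Monday 12:00 PM through the Friday 4:00 PM hour, as in the demonstration,
# and replicate every 60 minutes whenever the schedule allows it.
$schedule = New-ReplicationSchedule -FromDay Monday -FromHour 12 -ToDay Friday -ToHour 16
Set-ADReplicationSiteLink -Identity 'LON-TOR' `
    -ReplicationFrequencyInMinutes 60 `
    -ReplicationSchedule $schedule

# 3. Read the link back, then the transport-level bridging setting.
Get-ADReplicationSiteLink -Identity 'LON-TOR' -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = Get-ADObject "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
# Bit 0x2 set = bridges required = 'Bridge all site links' unchecked.
$bridgeAll = ((($ipTransport.options) -band 0x2) -eq 0)
"Bridge all site links: $bridgeAll"
```

Note that the schedule only controls when the KCC may open a replication window; the 60-minute interval is then applied inside the windows the schedule leaves open, which is why the console shows both settings on the same dialog.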
Emphasize that despite the component's name, password replication policy, this component is not actually a policy, like a Group Policy. In fact, the password replication policy is not a centralized policy at all. Instead, each RODC maintains an individual password replication policy. Additionally, the two domain global groups are added to each RODC's password replication policy by default, creating a centralized effect. In the end, it is the Allowed and Denied lists on each RODC that determine which passwords are, and are not, cached on the RODC.
Also emphasize that even though it is called replication policy, the cached secrets (passwords) are not replicated. As soon as a user logs onto the RODC, the RODC verifies whether the user has a stored password. If not, then the user is redirected to a full domain controller, but with a request to replicate that password. If the user is on the Allow List, the RODC will receive the password and cache it until it is changed. The password is not replicated down to the RODC unless the user logs on again.
The most manageable way to ensure that users in a branch have their credentials cached on the RODC is to have a group, for example Branch Office Users, on the RODC's Allowed list. Then, you can simply add users to the Branch Office Users group, and the branch office RODC will cache their credentials automatically at the users' next logon.
Preparation Steps
To complete this demonstration, you must ensure that the 20412C-LON-DC1 and 20412C-TOR-DC1 virtual machines are running. Sign in on all virtual machines as Adatum\Administrator with the password Pa$$w0rd.
You must also have completed all previous demonstrations in this module.
Demonstration Steps
On LON-DC1, from Server Manager, click Tools and then click Active Directory Users and Computers.
In the console tree, expand the Adatum.com domain, and then click the Domain Controllers organizational unit (OU).
Right-click Domain Controllers, and then click Pre-create Read-only Domain Controller account.
In the Active Directory Domain Services Installation Wizard, on the Welcome page, click Next.
On the Network Credentials page, click Next.
On the Specify the Computer Name page, type LON-RODC1, and then click Next.
On the Select a Site page, click Toronto, and then click Next.
On the Additional Domain Controller Options page, click Next.
On the Delegation of RODC Installation and Administration page, click Next.
Review your selections on the Summary page, and then click Next.
On the Completing the Active Directory Domain Services Installation Wizard page, click Finish.
In the console, click the Domain Controllers OU.
Right-click LON-RODC1, and then click Properties.
Click the Password Replication Policy tab, and then view the default policy.
Click Cancel to close LON-RODC1 Properties.
In the Active Directory Users and Computers console, click the Users container.
Double-click Allowed RODC Password Replication Group, and then click the Members tab.
Examine the default membership of Allowed RODC Password Replication Group, and then click OK. There should be no members by default.
Double-click Denied RODC Password Replication Group.
Click the Members tab.
Click Cancel to close the Denied RODC Password Replication Group properties.
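The RODC pre-creation demonstration above and the password replication policy notes before it, as one added PowerShell example (not course material). It assumes the lab domain Adatum.com (so the Users container is CN=Users,DC=Adatum,DC=com), the computer name LON-RODC1 and the Toronto site; the group Branch Office Users is a constructed example group from the notes.

```powershell
# Added example (not from the course): stage an RODC account, inspect and
# extend its password replication policy, and check which secrets it holds.
# Assumes the lab domain Adatum.com, RODC name LON-RODC1 and site Toronto.
Import-Module ActiveDirectory
Import-Module ADDSDeployment

# 1. Pre-create the RODC account (staged deployment). The branch team later
#    promotes the server without needing Domain Admins credentials.
Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'LON-RODC1' `
    -DomainName 'Adatum.com' `
    -SiteName 'Toronto'

# 2. Show the default policy: the Allowed and Denied RODC Password Replication
#    Groups plus the built-in denied groups (Domain Admins and the like).
Get-ADDomainControllerPasswordReplicationPolicy -Identity 'LON-RODC1' |
    Select-Object Name, ObjectClass |
    Format-Table -AutoSize

# 3. Put a branch group on the Allowed list so that adding a user to the group
#    is the only per-user step. Constructed example group name.
New-ADGroup -Name 'Branch Office Users' -GroupScope Global -GroupCategory Security `
    -Path 'CN=Users,DC=Adatum,DC=com'
Add-ADDomainControllerPasswordReplicationPolicy -Identity 'LON-RODC1' `
    -AllowedList 'Branch Office Users'

# 4. Report what the RODC actually holds: cached secrets are what a physically
#    compromised RODC can yield, so privileged accounts must never appear here.
function Get-RodcExposure {
    param([string]$Rodc)
    [pscustomobject]@{
        Rodc                  = $Rodc
        CachedAccounts        = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts)
        AuthenticatedAccounts = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts)
    }
}

$exposure = Get-RodcExposure -Rodc 'LON-RODC1'
"Accounts with secrets cached on $($exposure.Rodc): $($exposure.CachedAccounts.Count)"
"Accounts that authenticated through it:          $($exposure.AuthenticatedAccounts.Count)"

# Any account in an *Admins group on the revealed list means the Denied list
# is incomplete and should be fixed before the RODC is deployed to the branch.
$exposure.CachedAccounts | ForEach-Object {
    $groups = (Get-ADPrincipalGroupMembership -Identity $_).Name
    if ($groups -match 'Admins') {
        Write-Warning "Privileged account cached on RODC: $($_.SamAccountName) ($($groups -join ', '))"
    }
}
```

The `-AuthenticatedAccounts` list is the practical input for the Allowed list: accounts that log on through the RODC but are not cached are the ones paying the WAN round trip on every logon.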
Discuss how you can use the Repadmin.exe and Dcdiag.exe tools to monitor AD DS replication. You may want to consider showing an example of some of the commands.
Other commands that you can discuss include:
Repadmin /bind: useful to verify that remote procedure call (RPC) is working against a domain controller.
Repadmin /istg: forces the ISTG to recalculate replication.
Briefly mention the AD DS Management Pack on Microsoft System Center 2012 R2 Operations Manager.
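A replication health check built on the tools discussed in this topic, as an added example that is not part of the course. It parses the documented `/csv` output of `repadmin /showrepl`, uses `repadmin /bind` for the RPC check named above (assuming repadmin sets a nonzero exit code when the bind fails), and also shows the same failure data through the ActiveDirectory module; the lab names Adatum.com and LON-DC1 are assumed.

```powershell
# Added example (not from the course): replication health check with repadmin,
# dcdiag and the ActiveDirectory module. Assumes lab names Adatum.com and
# LON-DC1, and that repadmin /bind returns a nonzero exit code on failure.
Import-Module ActiveDirectory

function Get-ReplicationFailures {
    # repadmin /showrepl * /csv lists every inbound partner of every DC in the
    # forest; ConvertFrom-Csv turns the documented columns into objects.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time'
}

function Test-RpcToDc {
    param([string]$Server)
    # Confirm the RPC endpoint answers before chasing deeper replication errors.
    $null = repadmin /bind $Server
    return ($LASTEXITCODE -eq 0)
}

# Summary first: one line per DC with the largest delta and the failure count.
repadmin /replsummary

# Per-partner detail, only where something has failed.
if (-not (Test-RpcToDc -Server 'LON-DC1')) { Write-Warning 'RPC bind to LON-DC1 failed' }
$failures = Get-ReplicationFailures
if ($failures) { $failures | Format-Table -AutoSize } else { 'No inbound replication failures reported.' }

# The same failure data through the module, without text parsing.
Get-ADReplicationFailure -Target 'Adatum.com' -Scope Domain |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError

# dcdiag replication tests against one DC.
dcdiag /s:LON-DC1 /test:replications

# Conflict-resolution metadata for one attribute: version, originating time
# and originating DSA are exactly what AD DS compares when two DCs change the
# same attribute, in that order.
$adminDn = (Get-ADUser -Identity 'Administrator').DistinguishedName
Get-ADReplicationAttributeMetadata -Object $adminDn -Server 'LON-DC1' -Properties description |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity
```

Running `Get-ReplicationFailures` from a scheduled task and alerting on any row is a cheap substitute for the Operations Manager management pack mentioned next; `Last Success Time` older than the longest site link interval is the value to watch.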
Exercise 1: Modifying the Default Site
A. Datum Corporation has decided to implement additional AD DS sites to optimize the network utilization for AD DS network traffic. The first step in implementing the new environment is to install a new domain controller for the Toronto site. You then will reconfigure the default site and assign appropriate IP address subnets to the site.
Finally, you have been asked to change the name of the default site to LondonHQ and associate it with the IP subnet 172.16.0.0/24, which is the subnet range used for the London head office.
Exercise 2: Creating Additional Sites and Subnets
The next step you take to implement the AD DS site design is to configure the new AD DS site. The first site that you need to implement is the Toronto site for the North American data center. The network team in Toronto would also like to dedicate a site called TestSite in the Toronto data center. You have been instructed that the Toronto IP subnet address is 172.16.1.0/24, and the test network IP subnet address is 172.16.100.0/24.
Exercise 3: Configuring AD DS Replication
Now that the AD DS sites have been configured for Toronto, your next step is to configure the site links to manage replication between the sites, and then to move the TOR-DC1 domain controller to the Toronto site. Currently, all sites belong to DEFAULTIPSITELINK.
You need to modify site linking so that LondonHQ and Toronto belong to one common site link called LON-TOR. You should configure this link to replicate every hour. Additionally, you should link the TestSite site only to the Toronto site using a site link named TOR-TEST. Replication should not be available from the Toronto site to the TestSite during the working hours of 9 A.M. to 3 P.M. You then will use tools to monitor replication between the sites.
Exercise 4: Monitoring and Troubleshooting AD DS Replication
After AD DS sites and replication are established, A. Datum experiences replication issues. You have to use monitoring and troubleshooting tools to diagnose the issue and resolve it.
Question
You decide to add a new domain controller to the LondonHQ site named LON-DC2. How can you ensure that LON-DC2 is used to pass all replication traffic to the Toronto site?
Answer
You would have to configure this new domain controller as the preferred bridgehead server for the LondonHQ site.
Question
You have added the new domain controller named LON-DC2 to the LondonHQ site. Which AD DS partitions will be modified as a result?
Answer
It is likely that all of the partitions except the schema partition will be modified. You add the new domain controller to both the domain partition and the configuration partition to ensure that AD DS replication is configured correctly. If you are using Active Directory-integrated DNS, then the domain controller records also will update in the DNS application partitions.
Question
In the lab, you created a separate site link for the Toronto and TestSite sites. What might you also have to do to ensure that LondonHQ does not automatically create a connection object directly with the TestSite site?
Answer
You may also have to turn off automatic site-link bridging so that you disable site transitivity among LondonHQ, Toronto, and the TestSite.