Page 1: Windows User Group Active Directory. Objectives Where did Active Directory come from Where did Active Directory come from Why is AD the way it is Why

Windows User Group

Active Directory

Page 2:

Objectives

Where did Active Directory come from
Why is AD the way it is
What is AD fundamentally
What does this mean to you
Where is AD going

Page 3:

Agenda

Directory Services History
What is Active Directory
How to implement AD
Active Directory Futures
• Windows 2003 R2
• Active Directory Federation Services

Page 4:

Security

Identity - The catalog of what you have and who you are
Authentication – How do you know that someone is who they claim to be
• What you are
• What you have
• What you know
Authorization – What can they do?
Auditing – Who did what?

Page 5:

Directory Services

External (Public) Directories
• X.500 (de jure)
• DNS (de facto)
• RFC 2247
• PKI (not a DS but here for discussion)
Internal Directories
• IBM Mainframe (e.g. RACF, NetBIOS)
• UNIX (e.g. Host file, NIS, YP)
• Novell Bindery/NDS
• Banyan StreetTalk
• LDAP

Page 6:

Active Directory Design Goals

Maintain downlevel compatibility with NetBIOS domains
Utilize Kerberos realms as the primary native namespace
Utilize LDAP as the access/query protocol
Support PKI
Dynamically extensible
Performance/cost

Page 7:

RFC 2247 is the Key

X.500 never achieved global operational stability
DNS became the de facto global naming standard
RFC 2247 mapped the X.500 naming standard into the DNS nomenclature
Administrative boundaries moved from the OU (X.500) to the DC (DNS). This is a point of contention with X.500-based directory services to this day.
The Domain Component mapped directly into the Kerberos realm and NetBIOS domain namespace model.
NetBIOS short names became the Relative Distinguished Name (RDN)
PKI security boundaries mapped into the DC authority level. PKI cross-signed trusts mapped into the inter-domain trust model.
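The RFC 2247 mapping the slide describes, as an added PowerShell example that is not part of the original deck: each DNS label becomes one DC= (domainComponent) RDN, leftmost label first, and the Kerberos realm is the same DNS name in upper case. The function names are hypothetical; the sample domain is the one used in the deck's scenario diagram. The escaping step (RFC 2253 special characters) is there because a DN built from untrusted labels should never be able to change the DN's structure.

```powershell
# Added example (not from the original deck): RFC 2247 mapping between a DNS
# domain name and a domainComponent-only distinguished name, plus the Kerberos
# realm AD derives from the same DNS name. Function names are assumptions.

function ConvertTo-DomainComponentDN {
    param([Parameter(Mandatory)][string]$DnsName)

    # Trim a trailing dot (absolute DNS name) and reject empty labels.
    $labels = $DnsName.TrimEnd('.').Split('.')
    foreach ($label in $labels) {
        if ([string]::IsNullOrEmpty($label)) {
            throw "Invalid DNS name '$DnsName': empty label"
        }
    }
    # RFC 2247: one DC= RDN per label, leftmost label first. Escape the
    # RFC 2253 special characters so a label cannot inject extra RDNs.
    $rdns = foreach ($label in $labels) {
        $escaped = $label -replace '([,+"\\<>;=])', '\$1'
        "DC=$escaped"
    }
    return ($rdns -join ',')
}

function ConvertFrom-DomainComponentDN {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split on unescaped commas and accept only DC= components: a DN with
    # OU= or CN= parts is not a pure domain name under RFC 2247.
    $parts = $DistinguishedName -split '(?<!\\),'
    $labels = foreach ($part in $parts) {
        if ($part -match '^\s*DC=(.+)$') {
            $Matches[1] -replace '\\([,+"\\<>;=])', '$1'
        }
        else {
            throw "Not a domainComponent-only DN: '$DistinguishedName'"
        }
    }
    return ($labels -join '.')
}

function Get-KerberosRealmFromDns {
    param([Parameter(Mandatory)][string]$DnsName)
    # AD names the Kerberos realm after the DNS domain, upper-cased.
    return $DnsName.TrimEnd('.').ToUpperInvariant()
}

# Sample value: the branches domain from the deck's scenario diagram.
$dns  = 'branches.corp.contoso.com'
$dn   = ConvertTo-DomainComponentDN -DnsName $dns
$back = ConvertFrom-DomainComponentDN -DistinguishedName $dn
"$dns -> $dn -> $back"
"Kerberos realm: $(Get-KerberosRealmFromDns -DnsName $dns)"
```

Round-tripping the DN back to the DNS name is the check that the mapping is lossless; a DN that contains anything other than DC= components is rejected rather than silently truncated.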

Page 8:

Active Directory Functional Components

Database
• Optimize for queries
• Efficient use of space (sparse data)
• Replication Engine
Protocol Headers
• NetBIOS
• LDAP
• DAP
• Kerberos
• PKI
• other
Management Interfaces

Page 9:

AD Database Issues

Database structure
• Bootstrapping
• Attribute granularity
• Attribute-level permissioning
• Multi-valued attributes
• Linked value integrity
Schema Extensibility
Replication
• Replication topology
• Replication protocols
• Collision detection/resolution

Page 10:

AD Namespaces

Forest Common
• Schema Context
    • Small and rarely changes
    • Common throughout the forest
• Configuration Context
• Global Catalog
    • Contains a subset of attributes
    • Glues the forest together
Domain
• Domain Naming Context
    • Contains all details of each domain's objects
• Application Namespaces

Page 11:

Floating Single Master Operations

Forest-Wide Roles
• Schema Master
• Domain Naming Master
Domain-Wide Roles
• Primary Domain Controller Emulator
• RID Master
• Infrastructure Master
    • Updates user-group relationships

Page 12:

What’s new with AD Branch Offices this year?

Windows Server 2003 Branch Office guide released to web
• 250 pages of proven and supported recommendations.
• New Branch Office Monitoring tool (Brofmon)
• V1.1 of guide shipped
Upcoming Win2k03 SP1 changes:
• ADLB.EXE and DCDIAG.EXE have fixes (both updates are in the Branch Office Guide)
Ultrasound is an FRS monitoring tool which shipped late ’03

Page 13:

What’s upcoming with AD Branch Offices?

R2 – Branch Office Team building branch office solution for role deployment
V 2.0 of the AD Branch Office Guide should ship March ’05
• New chapter on Disaster Recovery for branches
• New tool and process for converting all manual connections to KCC generated
Longhorn server - branch appliance for authentication\authorization

Page 14:

AD Branch Office Scenario

(Network diagram. The server names, roles, addresses and sites below are what survives of it in the text.)

Sites shown: Data-Center-Site, Staging-Site, BOSite1, BOSite2, BOSite3, BOSite4, BOSiten

Server       Roles                IP          DNS domain
ROOTDC1      GC, DNS              10.0.0.1    corp.contoso.com
ROOT2DC2     FSMO, DNS            10.0.0.2    corp.contoso.com
HQDC1        FSMO, DNS            10.0.0.3    hq.corp.contoso.com
HQDC2        GC, DNS              10.0.0.5    hq.corp.contoso.com
HUBDC1       FSMO, DNS            10.0.0.10   branches.corp.contoso.com
HUBDC2       DNS                  10.0.0.11   branches.corp.contoso.com
BHDC1        GC, DNS              10.0.0.12   branches.corp.contoso.com
BHDC2        GC, DNS              10.0.0.13   branches.corp.contoso.com
BHDC3        GC, DNS              10.0.0.14   branches.corp.contoso.com
BHDC4        GC, DNS              10.0.0.15   branches.corp.contoso.com
STAGINGDC1   DNS, GC              10.0.0.25   branches.corp.contoso.com
BODC1        DC                   (branch office DC, BOSite1)
BODC2        DC                   (branch office DC, BOSite2)
BODC3        DC                   (branch office DC, BOSite3)
BODC4        DC                   (branch office DC, BOSite4)
BODCn        DC                   (branch office DC, BOSiten)
TOOLMGRSVR   Monitoring Server    10.0.0.4    corp.contoso.com
TSDCSERVER   ADS Server           10.0.0.20   corp.contoso.com
MOMSVR       MOM Server           10.0.0.26   corp.contoso.com

Page 15:

What Makes a Branch Office Design Interesting?

IP connectivity incl. WAN, link speed, dial on demand, routers, firewalls, IPSEC
Name resolution incl. DNS server, zone and client configuration
Active Directory replication to a large number of replication partners
FRS replication
Group policy implementation
Considerations
• Proper care of DNS name resolution will guarantee replication success
• IPSEC preferred firewall solution

Page 16:

New Features in Windows 2003 for Branch Office Deployments

KCC improvements
• KCC/ISTG inter-site topology generation
• Bridgehead Server load-balancing and connection object load-balancing tool (ADLB.EXE)
• KCC redundant connection object mode for branch offices
• No more “keep connection objects” mode if replication topology is not 100% closed
• Better event logging to find disconnected sites
Replication improvements
• Linked-Valued Replication
• More replication priorities
    • Intra-Site before Inter-Site
    • NC priorities: Schema -> Config -> domain -> GC -> DNS
    • Notifications clean-up after site move
• Lingering Object detection

Page 17:

New Features in Windows 2003 for Branch Office Deployments

No GC full-sync
• In Windows 2000, schema changes that changed the PAS triggered GC full sync
• Removed in Windows 2003
Universal Group Caching
DNS Improvements
Install from media
FRS improvements
Plus many more….

Page 18:

Active Directory Deployment
For Branch Offices

Active Directory Design
• Forest design
• Decide on centralized or decentralized deployment
• Domain design
• DNS design
• Site topology and replication design
• Capacity planning
• Monitoring design
Active Directory deployment
• Deploying and monitoring non-branch domains
• Deploying branches domain in hub site
• Deploying and monitoring a staging site
• Deploying and monitoring the branch sites

Page 19:

Active Directory Deployment
For Branch Offices

(Agenda slide repeated; the full list is on page 18.)

Page 20:

Forest Design

Follow recommendations in Windows 2003 Deployment Kit (Chapter 2)
• http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en
Reasons for having multiple forests
• Political / organizational reasons
    • Unlikely in branch office scenarios
• Too many locations where domain controllers must be deployed
    • Complexity of deployment
• Too many objects in the directory
    • Should be partitioned on domain level
    • GCs too big?
• Evaluate not deploying GCs to branch offices
• Windows 2003: Universal group caching
Recommendation: Deploy single forest for Branch Offices

Page 21:

Active Directory Deployment
For Branch Offices

(Agenda slide repeated; the full list is on page 18.)

Page 22:

Centralized vs. Decentralized Domain Controller Deployment

The number of sites with domain controllers defines the scope of the deployment
Deployment options
• Centralized deployment
    • Domain controllers are located in datacenters / hub sites only
    • Users in branches log on over WAN link
• De-centralized deployment
    • All branches have domain controllers
    • Users can log on even if WAN is down
• Mixed model
    • Some branches have DCs, some don’t
Centralized deployment has lower cost of ownership
• Easier to operate, monitor, troubleshoot

Page 23:

Design Considerations for Domain Controller Placement

Local DC requires physical security
Domain controller management
• Monitoring, auditing, SP deployment etc. must be guaranteed
Required services – business drivers
• File & Print, email, database, mainframe
• Most of them require Windows logon
• Logon requires DC availability
• Can the business still run even if WAN is down?
    • Is the business in the branch focused on a LOB application that requires WAN access (mainframe)?
Log on locally or over the WAN
• WAN logon requires acceptable speed and line availability
• WAN only an option if WAN is reliable
    • Cached credentials only work for local workstation logon
    • Terminal Service clients use local logon
In many cases, network traffic is important
• Client logon traffic – directory replication traffic

Page 24:

Design Considerations for Global Catalog Placement

No factor in single domain deployment
• Turn on GC flag on all DCs
• No extra cost associated
GC not needed for user logon anymore in multi-domain deployments
• Universal Group Caching
GC placement driven by application requirements in multi-domain deployments
• Exchange 2000\2003 servers
• Outlook

Page 25:

Active Directory Deployment
For Branch Offices

(Agenda slide repeated; the full list is on page 18.)

Page 26:

Domain Design
Recommendation for Branch Office Deployment

Use single domain
• Typically only single administration area
• Central administration (users and policies)
• Replication traffic higher, but more flexible model (roaming users, no GC dependencies)
• Database size no big concern
If high number of users work in central location
• Create different domains for headquarters and branches
If number of users very high ( > 50,000)
• Create geographical partitions
High number of domains discouraged
• Examples: One domain / branch, one domain / state
• Increases complexity of deployment

Page 27:

Active Directory Deployment
For Branch Offices

(Agenda slide repeated; the full list is on page 18.)

Page 28:

DNS Design Recommendations

DNS server placement
• Put DNS server on all domain controllers
DNS client (resolver) configuration
• Primary DNS server: Local machine
• Secondary DNS server: Same site DNS server or hub DNS server
• Windows 2000: Different configuration for forest root DCs
DNS zone configurations
• Use AD integrated zones (application partitions)
• Use DNS forwarding
No NS records for Branch Office DCs
• Configure zones

Page 29:

DNS Design
Managing SRV (locator) records and autositecoverage

SRV records are published by netlogon in DNS
• On site level and domain/forest level
• Clients search for services in the client site first, and fall back to domain/forest level
Branch Office deployments require specific configuration
• Large number of domain controllers creates scalability problem for domain level registration
    • If more than 1200 branch office DCs want to register SRV records on domain level, registration will fail
• Registration on domain/forest level is in most cases meaningless
    • DC cannot be contacted over WAN / DOD link anyway
    • If local look-up in branch fails, client should always fall back to hub only
Disable autositecoverage
Use group policy for configuration

Page 30:

Using GPOs for DNS Settings

Create new Global Group for Hub DCs
• Add all non-Branch Office DCs as group members
Create new GPO (BranchOfficeGPO)
• Configure DC locator records not registered by branch DCs
• Configure refresh interval
In BranchOfficeGPO properties, deny “Apply Group Policy” to Hub DCs
• Negative list is easier to manage than positive list
    • No damage if DC is not added to group
    • Smaller number of hub DCs than Branch Office DCs
Edit Default Domain Controllers Policy
• Disable automated site coverage
• Important that this is configured for ALL DCs, not only Branch Office DCs
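A read-only audit of the settings pages 28 to 30 recommend, as an added PowerShell example that is not from the deck or the Branch Office Guide. It runs from an administrative workstation with the ActiveDirectory module and WinRM access to the DCs, and reports per DC whether the resolver points at the local DNS server first, whether a branch DC has locator records excluded from registration (Netlogon's DnsAvoidRegisterRecords value), and whether automated site coverage (AutoSiteCoverage) is off on every DC, hub and branch alike. Assumptions: the hub DC group is named HubDCs (the deck does not name it), the function name is hypothetical, and the policy-delivered Netlogon value is read before the service's own value since policy wins when both are present.

```powershell
# Added example (not from the deck or the Branch Office Guide): audit the
# DNS/Netlogon settings recommended on pages 28-30. Assumes the hub DC group
# is called 'HubDCs' and that WinRM to each DC works.

Import-Module ActiveDirectory

$HubDcGroup = 'HubDCs'   # assumed name for the global group of non-branch DCs
$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Netlogon\Parameters'
$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-BranchDnsAudit {
    param(
        [string]$HubGroup = $HubDcGroup,
        [string[]]$ComputerName = (Get-ADDomainController -Filter * |
            Select-Object -ExpandProperty HostName)
    )

    # Computer names of the hub DCs, for the hub/branch decision below.
    $hubNames = Get-ADGroupMember -Identity $HubGroup -Recursive |
        ForEach-Object { $_.Name.ToUpperInvariant() }

    $raw = Invoke-Command -ComputerName $ComputerName `
        -ArgumentList $PolicyKey, $ServiceKey -ScriptBlock {
        param($PolicyKey, $ServiceKey)

        # Policy-delivered value wins over the value set directly on the service.
        function Read-Setting([string]$Name) {
            foreach ($key in @($PolicyKey, $ServiceKey)) {
                $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
                if ($null -ne $v) { return $v }
            }
            return $null
        }

        $avoid = Read-Setting 'DnsAvoidRegisterRecords'
        $cover = Read-Setting 'AutoSiteCoverage'

        # First configured IPv4 resolver on the first interface that has one.
        $resolvers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 } |
            Select-Object -First 1).ServerAddresses
        $primary = $resolvers | Select-Object -First 1
        $localIps = (Get-NetIPAddress -AddressFamily IPv4 |
            Where-Object { $_.PrefixOrigin -ne 'WellKnown' }).IPAddress

        [pscustomobject]@{
            Computer             = $env:COMPUTERNAME
            AvoidRegisterRecords = @($avoid) -join ' '
            AutoSiteCoverage     = $cover
            PrimaryDns           = $primary
            PrimaryDnsIsLocal    = $primary -in (@('127.0.0.1') + @($localIps))
        }
    }

    foreach ($r in $raw) {
        $isHub = $r.Computer.ToUpperInvariant() -in $hubNames
        $role  = if ($isHub) { 'Hub' } else { 'Branch' }
        [pscustomobject]@{
            Computer             = $r.Computer
            Role                 = $role
            # Pages 29-30: branch DCs must not register domain/forest-level records.
            LocatorRecordsOk     = $isHub -or -not [string]::IsNullOrWhiteSpace($r.AvoidRegisterRecords)
            # Page 30: automated site coverage off (0) on ALL DCs, not only branches.
            AutoSiteCoverageOk   = ($r.AutoSiteCoverage -eq 0)
            # Page 28: the resolver lists the local DNS server first.
            PrimaryDnsIsLocalOk  = $r.PrimaryDnsIsLocal
            PrimaryDns           = $r.PrimaryDns
            AvoidRegisterRecords = $r.AvoidRegisterRecords
        }
    }
}

Get-BranchDnsAudit | Format-Table -AutoSize
```

A hub DC that was never added to the group shows up as Role = Branch with LocatorRecordsOk true only if it has the exclusion list, which is the "no damage" case the slide describes; a real branch DC with an empty exclusion list, or any DC with AutoSiteCoverage unset or 1, is the finding to act on.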

Page 31:

Active Directory Deployment
For Branch Offices

(Agenda slide repeated; the full list is on page 18.)

Page 32:

Replication Planning
Improvements in Windows 2003

Windows 2000
• Topology creation had scalability limits
• Required to manage connection objects manually
Windows 2003 has many improvements to fully automate topology management
• New KCC / ISTG algorithm
• Bridgehead server load-balancing
• KCC redundant connection object mode
    • Specifically developed for Branch Office deployments

Page 33:

Replication Planning
KCC/ISTG

ISTG = Inter-Site Topology Generator
• Computes least cost spanning tree inter-site replication topology
Does not require ISM Service
• Windows 2000: ISTG uses ISM service
Runs every 15 minutes by default

Page 34:

Replication Planning
KCC/ISTG

Vastly improved inter-site topology generation (KCC/ISTG) scalability
• Complexity: approximately O(d*s)
    • d = number of domains
    • s = number of sites
    • Win2000: approximately O(d*s²)
Scales to more than 5,000 sites
• Still single threaded – uses only one CPU on SMP DCs
• Performance: 4,000 sites: 10 secs (700 MHz test system)
• Ongoing tests in scalability lab
Can generate different topology than Windows 2000 KCC/ISTG
• Requires Windows 2003 forest functional level

Page 35

Replication Planning: Bridgehead Server Selection

• Windows 2000
  • On a per-site basis, for each domain, one DC per NC used as Bridgehead
• Windows 2003
  • On a per-site basis, for each domain, all DCs per NC used as Bridgehead
  • KCC picks DC randomly amongst bridgehead candidates when connection object is created
    • For both incoming and outgoing connection objects

Page 36

Replication Planning: Bridgehead Server Load-Balancing

• KCC/ISTG randomly chooses Bridgehead Server
  • Both incoming and outgoing replication
• Once connection object is established, it is not rebalanced when changes happen
  • Adding new servers does not affect existing connection objects
• Has to be used with care in Branch Office Deployments
  • Necessary to control what servers are used as Bridgehead Servers
• Recommendation: Use preferred Bridgehead Server List and load balancing tool

Page 37

Replication Planning: Preferred Bridgehead Server List

• Some servers should not be used as Bridgeheads
  • PDC operations master, Exchange-facing GCs, authentication DCs
  • Weak hardware
• Solution: Preferred Bridgehead Server List
  • Allows administrator to restrict what DCs can be used as Bridgehead Servers
  • If Preferred Bridgehead Server List is defined for a site, KCC/ISTG will only use members of the list as Bridgeheads
• Warning:
  • If Preferred Bridgehead Server List is defined, make sure that there are at least 2 DCs per NC in the list
  • If there is no DC for a specific NC in the list, replication will not occur out of site for this NC
  • Don’t forget application partitions
  • If branches have GCs, all bridgeheads should be GCs
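The warning above is easy to violate once application partitions and a second domain are in the hub site. The following Python check is an added example written for this page (it is not a Microsoft tool and does not query Active Directory): it takes a constructed inventory of which naming contexts each hub DC hosts, plus a proposed preferred bridgehead list, and reports the three gaps the slide names. Server names, NC names and the inventory are all constructed; GC partial replicas are left out of the inventory to keep it short.

```python
"""Check a site's preferred bridgehead server list for the gaps the slide
warns about: a naming context (NC) with no preferred bridgehead that hosts
it (it stops replicating out of the site), an NC with fewer than two
(no redundancy), and non-GC bridgeheads when the branches run GCs.
Added example, not a Microsoft tool; the hub inventory, server names and
NC names below are constructed."""
from collections import defaultdict

CORP = "DC=corp,DC=example"
BRANCHES = "DC=branches,DC=corp,DC=example"
CONFIG = "CN=Configuration,DC=corp,DC=example"
FOREST_DNS = "DC=ForestDnsZones,DC=corp,DC=example"   # application partition
CORP_DNS = "DC=DomainDnsZones,DC=corp,DC=example"     # application partition
BRANCH_DNS = "DC=DomainDnsZones,DC=branches,DC=corp,DC=example"

# Constructed hub-site inventory: DC -> writable NCs it hosts
# (GC partial replicas are omitted to keep the example short).
HUB_DCS = {
    "HUB-DC1": {CORP, CONFIG, FOREST_DNS, CORP_DNS},
    "HUB-DC2": {CORP, CONFIG, CORP_DNS},          # does not host the forest DNS zone
    "HUB-DC3": {CORP, CONFIG, FOREST_DNS, CORP_DNS},
    "HUB-BR1": {BRANCHES, CONFIG, BRANCH_DNS},    # branches-domain DCs in the hub
    "HUB-BR2": {BRANCHES, CONFIG, BRANCH_DNS},
}
HUB_GCS = {"HUB-DC1", "HUB-DC3", "HUB-BR1"}


def check_preferred_bridgeheads(dcs, preferred, global_catalogs=frozenset(),
                                branches_have_gc=False, min_per_nc=2):
    """Return findings for a preferred bridgehead list:
    blocked - NCs hosted by no server in the list (no out-of-site replication)
    single  - NCs covered by fewer than min_per_nc listed servers
    non_gc  - listed servers that are not GCs, when branches have GCs
    unknown - listed names that are not DCs in this site"""
    unknown = sorted(set(preferred) - set(dcs))
    coverage = defaultdict(set)
    for dc in preferred:
        for nc in dcs.get(dc, ()):
            coverage[nc].add(dc)
    all_ncs = set().union(*dcs.values())
    blocked = sorted(nc for nc in all_ncs if not coverage[nc])
    single = sorted(nc for nc in all_ncs if 0 < len(coverage[nc]) < min_per_nc)
    non_gc = sorted(dc for dc in preferred
                    if branches_have_gc and dc in dcs and dc not in global_catalogs)
    return {"blocked": blocked, "single": single, "non_gc": non_gc, "unknown": unknown}


def sample_findings(preferred=("HUB-DC2", "HUB-DC3")):
    """Run the check on the constructed hub, with branches that run GCs.
    The default list forgets the branches domain and its DNS partition."""
    return check_preferred_bridgeheads(HUB_DCS, list(preferred), HUB_GCS,
                                       branches_have_gc=True)


if __name__ == "__main__":
    for key, value in sample_findings().items():
        print(f"{key:8s} {value}")
```

A `blocked` entry is the serious one: every branch replicating that NC through this site silently stops receiving updates for it. `single` means the topology works until the one listed server is down, which is exactly what the "at least 2 DCs per NC" rule guards against.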

Page 38

Replication Planning: Active Directory Load Balancing Tool (ADLB)

• ADLB complements the KCC/ISTG
  • Real load balancing of connection objects
  • Staggers schedules using a 15 minute interval
    • Hub-outbound replication only
    • Hub-inbound replication is serialized
  • Does not interfere with the KCC
    • KCC is still needed / prerequisite
    • Tool does not create manual connection objects, but modifies the “from-server” attribute on KCC-created connection objects
• Can create a preview
  • Allows using the tool as an advisor
• Single exe / command line tool
  • Runs on a single server / workstation
  • Uses ISTG in hub site to re-balance connection objects
• Not needed for fault tolerance, only as optimization
  • Can be run on any schedule

Page 39

Replication Planning: KCC Redundant Connection Objects Mode

• Goal
  • Create stable, simple and predictable replication topology
  • Like mkdsx scripts for Windows 2000
• Enabled on a per-site level
• Implementation
  • Creates two redundant connection objects
    • Each branch site replicates from two different Bridgehead Servers
    • Two different Bridgehead Servers replicate from each site
    • Replication schedule is staggered between connection objects
  • Fail-over is disabled
    • If replication from one Bridgehead fails, the branch can still replicate from the other Bridgehead
  • Schedule hashing is enabled
    • Inbound connections start replication at a random time inside the replication window
  • Only DCs in the same site are used for redundant connection objects
  • Demoting a DC causes the KCC to create a new connection object

Page 40

Replication Planning: KCC Redundant Connection Objects Mode

• Schedule for redundant connection objects
  • Use schedule defined on site-link
    • E.g., window open 8pm to 2am, replicate once every 180 minutes (= 2 replications)
  • Divide by “2” and stagger
    • Connection object 1 replicates once between 8pm and 11pm
    • Connection object 2 replicates once between 11pm and 2am
  • Second replication usually causes little network traffic
• Monitoring becomes even more critical
  • Important to act quickly if hub DC becomes unavailable
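The "divide by 2 and stagger" rule on this slide, together with the schedule hashing from the previous slide, can be modelled in a few lines. The Python below is an added example written for this page, not Microsoft code: it takes a site-link window and interval (as minutes since midnight), cuts the window into one slot per scheduled replication, hands the slots out round-robin to the two connection objects, and picks a hashed start minute inside each slot. The 8pm-to-2am scenario is the deck's; the random seed exists only so the output is reproducible.

```python
"""Model of how KCC redundant connection objects mode staggers a site-link
schedule across its two connection objects.  Added illustration of the
behaviour the slide describes, not Microsoft code; it does not read real
site-link or connection-object schedules."""
import random
from dataclasses import dataclass

MINUTES_PER_DAY = 24 * 60


def parse_hhmm(text):
    """'20:00' -> 1200 (minutes since midnight)."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


def hhmm(minutes):
    """Minutes since midnight -> 'HH:MM', wrapping past midnight."""
    minutes %= MINUTES_PER_DAY
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


@dataclass(frozen=True)
class Slot:
    connection: int   # 1 or 2: which redundant connection object owns this slot
    start: int        # minutes since midnight; may exceed 1440 if the window wraps
    end: int

    def label(self):
        return f"CO{self.connection}: {hhmm(self.start)}-{hhmm(self.end)}"


def stagger_schedule(window_open, window_close, interval_min, redundant=2):
    """Divide the site-link window into one slot per scheduled replication and
    hand the slots out round-robin to the redundant connection objects.  The
    number of replications per window is unchanged; each connection object
    simply replicates in its own part of the window.  A close time earlier
    than the open time means the window crosses midnight."""
    length = (window_close - window_open) % MINUTES_PER_DAY or MINUTES_PER_DAY
    if interval_min <= 0 or interval_min > length:
        raise ValueError("replication interval must fit inside the window")
    replications = length // interval_min
    return [
        Slot(i % redundant + 1,
             window_open + i * interval_min,
             window_open + (i + 1) * interval_min)
        for i in range(replications)
    ]


def hashed_starts(slots, seed):
    """Schedule hashing: each inbound connection starts at a random minute
    inside its own slot instead of at the slot boundary.  The seed only makes
    the example reproducible."""
    rng = random.Random(seed)
    return [rng.randrange(slot.start, slot.end) for slot in slots]


if __name__ == "__main__":
    # The deck's example: window 8pm to 2am, replicate every 180 minutes.
    slots = stagger_schedule(parse_hhmm("20:00"), parse_hhmm("02:00"), 180)
    for slot, start in zip(slots, hashed_starts(slots, seed=7)):
        print(f"{slot.label()}  (hashed start {hhmm(start)})")
```

With the deck's numbers the model yields CO1 in 20:00-23:00 and CO2 in 23:00-02:00, as the slide states; an eight-hour window with a 120-minute interval gives four slots alternating between the two connection objects. Because the slots are disjoint, losing one bridgehead halves the replication frequency rather than stopping it, which is why the slide stresses acting quickly when a hub DC becomes unavailable.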

Page 41

Replication Planning: KCC Redundant Connection Objects Mode

[Diagram: a HUB site with bridgeheads BH1 and BH2; Branch01 (BranchDC01) connected over Site Link 1 and Branch02 (BranchDC02) over Site Link 2, each site link with duration 8h and "replicate every 240 min". Replication is open from 0:00 to 8:00 a.m.; the redundant connection objects are staggered into 15-minute slots: 0:00-0:15 and 2:00-2:15, 4:00-4:15 and 6:00-6:15, 0:16-0:30 and 2:16-2:30, 4:16-4:30 and 6:16-6:30.]

Page 42

Replication Planning: Recommendations: Sites, Site-Links and Topology

• Create single site for hub site
  • Leverage KCC load-balancing between Bridgehead servers
• Create site-links between Branch Office sites and hub site
  • No redundant site-links or connection objects are needed
• Disable transitivity of site-links
  • Not only for performance, but also to avoid branch-to-branch fail-over connection objects
• Disable auto-site coverage
• Use KCC/ISTG services
  • Use KCC redundant connection objects mode
• Use ADLB to load-balance connection objects
• Use Universal Group Caching to remove requirement for GC in branch
  • Unless branch application requires GC

Page 43

Active Directory Deployment for Branch Offices

• Active Directory Design
  • Forest design
  • Decide on centralized or decentralized deployment
  • Domain design
  • DNS design
  • Site topology and replication design
  • Capacity planning
  • Monitoring design
• Active Directory deployment
  • Deploying and monitoring non-branch domains
  • Deploying branches domain in hub site
  • Deploying and monitoring a staging site
  • Deploying and monitoring the branch sites

Page 44

Capacity Planning: Replication Planning

• Branch Office DCs
  • Usually low load only
  • Use minimum hardware
• Datacenter DCs
  • Depends on usage
  • See Windows 2003 Deployment Kit for DC capacity planning
• Bridgehead servers
  • Require planning

Page 45

Capacity Planning: Formulas to compute number of Bridgeheads

• Hub outbound replication is multi-threaded
• Hub inbound replication is single-threaded
• Hub outbound: OC = (H * O) / (K * T)
  • OC = outbound connections
  • H = sum of hours available for outbound replication
  • O = concurrent connection objects
  • K = number of replications required / day
  • T = time necessary for outbound replication (usually one hour)
• Hub inbound: IC = R / N
  • IC = inbound connections
  • R = length of replication in minutes
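Carrying the two formulas through to a server count, as an added Python example for this page (not the Branch Office Guide's own planning tool). The outbound formula is used exactly as the slide states it. The slide does not define N in IC = R / N, so the inbound function takes N as a plain parameter and the constructed scenario assumes it is the number of minutes one serialized inbound replication occupies the bridgehead. Turning connections-per-bridgehead into a number of servers (ceiling division, then the larger of the outbound and inbound requirement) is this example's own addition. All numbers in the scenario are constructed.

```python
"""Bridgehead capacity estimate from the slide's formulas.  Added example,
not Microsoft's planning tool; the sample numbers are constructed.
Hub outbound uses OC = (H * O) / (K * T) exactly as stated on the slide.
The slide leaves N in IC = R / N undefined; inbound_connections() takes N
as a plain parameter and the sample ASSUMES it is the minutes one
serialized inbound replication occupies the bridgehead.  Ceiling division
to a server count and taking the larger requirement are this example's
additions."""
import math


def outbound_connections(hours_available, concurrent, replications_per_day,
                         hours_per_replication=1.0):
    """OC = (H * O) / (K * T): outbound connection objects one bridgehead
    can serve, given H hours of outbound window per day, O concurrent
    outbound connections, K replications per day and T hours each."""
    for value in (hours_available, concurrent, replications_per_day,
                  hours_per_replication):
        if value <= 0:
            raise ValueError("all planning inputs must be positive")
    return (hours_available * concurrent) / (replications_per_day * hours_per_replication)


def inbound_connections(window_minutes, n):
    """IC = R / N.  Hub inbound replication is serialized, so with R minutes
    of window and N minutes per inbound replication (assumed meaning of N)
    one bridgehead can absorb R / N inbound connections per window."""
    if window_minutes <= 0 or n <= 0:
        raise ValueError("window and N must be positive")
    return window_minutes / n


def bridgeheads_needed(branch_dcs, per_bridgehead):
    """Servers needed so every branch DC gets a connection: ceil(branches / capacity)."""
    if per_bridgehead <= 0:
        raise ValueError("per-bridgehead capacity must be positive")
    return math.ceil(branch_dcs / per_bridgehead)


def plan(branch_dcs, hours_available, concurrent, replications_per_day,
         hours_per_replication, window_minutes, n):
    """Size the hub: the outbound and inbound directions are planned
    separately and the larger server count wins."""
    oc = outbound_connections(hours_available, concurrent, replications_per_day,
                              hours_per_replication)
    ic = inbound_connections(window_minutes, n)
    outbound = bridgeheads_needed(branch_dcs, oc)
    inbound = bridgeheads_needed(branch_dcs, ic)
    return {"oc": oc, "ic": ic, "outbound_bridgeheads": outbound,
            "inbound_bridgeheads": inbound, "bridgeheads": max(outbound, inbound)}


def sample_plan():
    """Constructed scenario: 500 branch DCs, an 8-hour nightly window,
    10 concurrent outbound connections per bridgehead, 2 replications per
    day of one hour each, and 15 minutes per serialized inbound replication."""
    return plan(branch_dcs=500, hours_available=8, concurrent=10,
                replications_per_day=2, hours_per_replication=1,
                window_minutes=480, n=15)


if __name__ == "__main__":
    for key, value in sample_plan().items():
        print(f"{key:20s} {value}")
```

In the constructed scenario each bridgehead serves 40 outbound connections (8 * 10 / (2 * 1)) but only 32 inbound ones (480 / 15), so the serialized inbound direction, not the multi-threaded outbound one, sets the bridgehead count at 16. That is the practical reason the slide separates the two directions.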

Page 46

Capacity Planning: Bridgehead Server Overload

• Cause
  • Unbalanced site-links
  • Unbalanced connection objects
  • Replication schedule too aggressive
  • Panic troubleshooting
• Symptoms
  • Bridgehead cannot accomplish replication requests as fast as they come in
  • Replication queues are growing
  • Some DCs NEVER replicate from the bridgehead
    • Once a server has successfully replicated from the bridgehead, its requests are given higher priority than a request from a server that has never successfully replicated
• Monitoring
  • Repadmin /showreps shows NEVER on last successful replication
  • Repadmin /queue <DCName>
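The two monitoring signals on this slide can be turned into a check that runs over saved tool output. The Python below is an added example for this page, not a Microsoft tool: it parses a constructed text block laid out like `repadmin /showreps` output to list partners whose last success is NEVER, and reads the "Queue contains N items." line from several successive `repadmin /queue` runs to flag a queue that only grows. The server names, GUIDs, timestamps and counts are all constructed, and the layout is an approximation of the real output rather than a capture.

```python
"""Detection logic for the bridgehead overload symptoms on this slide:
partners whose last successful replication is NEVER in 'repadmin /showreps'
output, and a replication queue that keeps growing across 'repadmin /queue'
samples.  Added example; the sample text is constructed to approximate
repadmin's layout (server names, GUIDs and timestamps are made up) and is
not captured tool output."""
import re

# Constructed, approximate 'repadmin /showreps' output for a hub bridgehead.
SHOWREPS_SAMPLE = """\
Hub\\HUB-BH1
DSA Options: IS_GC
DSA object GUID: 00000000-0000-0000-0000-000000000001

==== INBOUND NEIGHBORS ======================================

DC=corp,DC=example
    Branch01\\BRANCHDC01 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000011
        Last attempt @ 2004-05-01 06:00:02 was successful.
    Branch02\\BRANCHDC02 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000012
        Last attempt @ 2004-05-01 06:00:02 failed, result 1818 (0x71a):
            The remote procedure call was cancelled.
        17 consecutive failure(s).
        Last success @ NEVER.
    Branch03\\BRANCHDC03 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000013
        Last attempt @ 2004-05-01 06:00:02 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2004-04-30 22:15:40.
"""

# Constructed 'Queue contains N items.' lines from four successive /queue runs.
QUEUE_SAMPLE = [
    "Queue contains 12 items.",
    "Queue contains 19 items.",
    "Queue contains 27 items.",
    "Queue contains 41 items.",
]

NC_RE = re.compile(r"^(DC=|CN=)")
PARTNER_RE = re.compile(r"^    (\S+\\\S+) via (\S+)")
ATTEMPT_OK_RE = re.compile(r"Last attempt @ (.+?) was successful")
SUCCESS_RE = re.compile(r"Last success @ (.+?)\.?$")
FAILURES_RE = re.compile(r"(\d+) consecutive failure")
QUEUE_RE = re.compile(r"Queue contains (\d+) items")


def parse_showreps(text):
    """Return one dict per inbound partner: nc, partner, transport,
    last_success (timestamp string, 'NEVER', or None) and failure count."""
    records, nc, current = [], None, None
    for line in text.splitlines():
        if NC_RE.match(line):
            nc = line.strip()            # un-indented NC header
            continue
        match = PARTNER_RE.match(line)
        if match:                        # 4-space indented partner line
            current = {"nc": nc, "partner": match.group(1), "transport": match.group(2),
                       "last_success": None, "failures": 0}
            records.append(current)
            continue
        if current is None:
            continue
        for regex in (ATTEMPT_OK_RE, SUCCESS_RE):
            match = regex.search(line)
            if match:
                current["last_success"] = match.group(1)
        match = FAILURES_RE.search(line)
        if match:
            current["failures"] = int(match.group(1))
    return records


def never_partners(records):
    """Partners that have never replicated successfully from this bridgehead.
    Treats NEVER, (never) or a missing timestamp as 'never'."""
    hits = []
    for rec in records:
        value = (rec["last_success"] or "never").strip("()").upper()
        if value == "NEVER":
            hits.append((rec["nc"], rec["partner"], rec["failures"]))
    return hits


def queue_counts(lines):
    """Pull the item count out of each 'Queue contains N items.' line."""
    return [int(m.group(1)) for m in map(QUEUE_RE.search, lines) if m]


def queue_growing(counts, min_samples=3):
    """True when the queue never shrank across at least min_samples runs and
    ended larger than it started: requests arrive faster than they are served."""
    if len(counts) < min_samples:
        return False
    return all(b >= a for a, b in zip(counts, counts[1:])) and counts[-1] > counts[0]


if __name__ == "__main__":
    for nc, partner, failures in never_partners(parse_showreps(SHOWREPS_SAMPLE)):
        print(f"NEVER replicated: {partner} for {nc} ({failures} consecutive failures)")
    print("queue growing:", queue_growing(queue_counts(QUEUE_SAMPLE)))
```

The NEVER case matters more than a partner with a stale timestamp: as the slide explains, a partner that has replicated once is served ahead of one that never has, so a branch in this state will not recover on its own while the bridgehead stays saturated. A growing queue over several samples is the earlier signal, before any partner has hit NEVER.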

Page 47

Capacity Planning: Bridgehead Server Overload - Solution

• Turn off ISTG
  • Prevents new connections from being generated
• Delete all inbound connection objects
• Correct site-link balance and schedule
• Enable ISTG again
• Monitor AD and FRS replication for recovery


Page 49

Monitoring Design

• Monitoring is a must for any Active Directory deployment
  • DCs not replicating will be quarantined
  • DCs might have stale data
  • Not finding issues early can lead to more problems later
    • E.g., DC does not replicate because of name resolution problems, then its password expires
• Use MOM for datacenter / hub site
  • Monitor replication, name resolution, performance
• Windows Server 2003 Branch Office Guide ships with BrofMon
  • System to push and run scripts to Branch DCs
  • Results copied to central server
  • Web page presents Red/Yellow/Green state per server
• Evaluate available monitoring tools
  • MOM and third parties



Page 52

Deploying Non-Branch Domains

• Not different from normal deployment
  • Documented in Windows 2003 Deployment Kit
• Build forest root domain
• Create all sites (incl. branches)
• Build other non-branch domains as needed


Page 54

Deploying Branches Domain in Hub Site

• Install operations master
• Install bridgehead servers
• Install and configure ADLB
• Modify domain GPO for DNS settings
  • Auto-site coverage
• Configure DNS zone for NS records
• Create branches DNS GPO
  • SRV record registration


Page 56

Deploying Staging Site

• Staging Site has special characteristics
  • All replication topology must be created manually
    • KCC turned off inter- and intra-site
    • Scripts will be provided
  • Should not register DNS NS records
• Create manual connection objects between staging site and production
  • Staging DC needs to be able to replicate 24/7
• Install Automated Deployment Services (ADS)
• Create image for branch DCs pre-promotion


Page 58

Deploying Branch Sites

• Build branch DCs in staging site from image
• Run quality assurance scripts (provided)
• Move branch DC into branch site
• Ship DC

Page 59

General Considerations for Branch Office Deployments

• Ensure that hub is a robust data center
• Monitor the deployment
  • Use MOM for hub sites
• Do not deploy all branch office domain controllers simultaneously
  • Monitor load on Bridgehead servers as more and more branches come on-line
  • Verify DNS registrations and replication
• Balance replication load between Bridgehead Servers
• Keep track of hardware and software inventory and versions
• Include operations in planning process
  • Monitoring plans and procedures
  • Disaster recovery and troubleshooting strategy
  • Personnel assignment and training

Page 60

Summary

• Windows 2003 has many improvements for Branch Office deployments
  • New KCC algorithm: no more scalability limit
  • KCC redundant connection object mode: provides stability
  • Less replication traffic through LVR replication and DNS in app partitions
• Deployments are much easier to manage
  • No manual connection object management
  • GPO for DNS locator settings
  • No more island problem
• Bridgehead servers more scalable
• Branch Office guide will have step-by-step procedures for deployment and tools
• Total cost of deployment will be much lower

Page 61

AD Futures

• Windows 2003 ‘R2’ Release
  • Caching
• AD Federation Services

Page 62

User Group Future Topics

• Advanced AD architecture
  • Multi-forest issues
  • Exchange issues
  • Internet facing
• AD Operations
  • Provisioning systems
  • Monitoring systems
  • Deployment systems
• AD debugging
• AD programming

Page 63

© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.