Windows User Group
Active Directory

Objectives
Where did Active Directory come from
Why is AD the way it is
What is AD fundamentally
What does this mean to you
Where is AD going

Agenda
Directory Services History
What is Active Directory
How to implement AD
Active Directory Futures
  • Windows 2003 R2
  • Active Directory Federation Services

Security
Identity – The catalog of what you have and who you are
Authentication – How do you know that someone is who they claim to be
  • What you are
  • What you have
  • What you know
Authorization – What can they do?
Auditing – Who did what?

Directory Services
External (Public) Directories
  • X.500 (de jure)
  • DNS (de facto)
  • RFC 2247
  • PKI (not a DS but here for discussion)
Internal Directories
  • IBM Mainframe (e.g. RACF, NetBIOS)
  • UNIX (e.g. Host file, NIS, YP)
  • Novell Bindery/NDS
  • Banyan StreetTalk
  • LDAP

Active Directory Design Goals
Maintain down-level compatibility with NetBIOS domains
Utilize Kerberos Realms as the primary native namespace
Utilize LDAP as the access/query protocol
Support PKI
Dynamically extensible
Performance/cost

RFC 2247 is the Key
X.500 never achieved global operational stability
DNS became the de facto global naming standard
RFC 2247 mapped the X.500 naming standard into the DNS nomenclature
  • Administrative boundaries moved from the OU (X.500) to the DC (DNS). This is a point of contention with X.500-based directory services to this day.
The Domain Component mapped directly into the Kerberos realm and NetBIOS Domain namespace model.
NetBIOS short names became the Relative Distinguished Name (RDN)
PKI security boundaries mapped into the DC authority level. PKI cross-signed trusts mapped into the inter-domain trust model.

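As an added worked example (not from the deck), the RFC 2247 mapping applied to the scenario's own names: one DNS name yields the DC= distinguished name, the Kerberos realm and the NetBIOS short name. The NetBIOS rule used (leftmost label, upper-cased, at most 15 characters) and all function names are assumptions made for illustration.

```python
"""RFC 2247 mapping worked through on the scenario's names (added example).

The slide's point: one Domain Component chain gives the LDAP DN, the Kerberos
realm and the NetBIOS domain name. The NetBIOS rule below (leftmost label,
upper-cased, capped at 15 characters) is an assumption for illustration.
"""


def dns_to_dn(dns_name: str) -> str:
    """branches.corp.contoso.com -> DC=branches,DC=corp,DC=contoso,DC=com"""
    labels = [label for label in dns_name.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty DNS name")
    return ",".join(f"DC={label}" for label in labels)


def dn_to_dns(dn: str) -> str:
    """Inverse mapping. Leading non-DC RDNs (CN=, OU=) are skipped, so the DN of
    any object resolves to the DNS name of the domain that holds it."""
    domain_components = []
    for rdn in (part.strip() for part in dn.split(",")):
        attr, _, value = rdn.partition("=")
        if attr.strip().upper() == "DC":
            domain_components.append(value.strip())
        elif domain_components:
            # RFC 2247 puts the DC components last; anything after them is malformed
            raise ValueError(f"non-DC RDN after domain components: {rdn}")
    if not domain_components:
        raise ValueError("no domain components in DN")
    return ".".join(domain_components)


def kerberos_realm(dns_name: str) -> str:
    """Kerberos realms are conventionally the DNS domain name in upper case."""
    return dns_name.strip(".").upper()


def netbios_name(dns_name: str) -> str:
    """Assumed rule: leftmost DNS label, upper-cased, truncated to 15 characters."""
    return dns_name.strip(".").split(".")[0].upper()[:15]
```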
Active Directory Functional Components
Database
  • Optimize for queries
  • Efficient use of space (sparse data)
  • Replication Engine
Protocol Headers
  • NetBIOS
  • LDAP
  • DAP
  • Kerberos
  • PKI
  • other
Management Interfaces

AD Database Issues
Database structure
  • Bootstrapping
  • Attribute granularity
  • Attribute-level permissioning
  • Multi-valued attributes
  • Linked value integrity
Schema Extensibility
Replication
  • Replication topology
  • Replication protocols
  • Collision detection/resolution

AD Namespaces
Forest Common
  • Schema Context
    • Small and rarely changes
    • Common throughout the forest
  • Configuration Context
  • Global Catalog
    • Contains a subset of attributes
    • Glues the forest together
Domain
  • Domain Naming Context
    • Contains all details of each domain's objects
  • Application Namespaces

Floating Single Master Operations
Forest-Wide Roles
  • Schema Master
  • Domain Naming Master
Domain-Wide Roles
  • Primary Domain Controller Emulator
  • RID Master
  • Infrastructure Master
    • Updates user-group relationships

What’s new with AD Branch Offices this year?
Windows Server 2003 Branch Office guide released to web
  • 250 pages of proven and supported recommendations.
  • New Branch Office Monitoring tool (Brofmon)
  • V1.1 of guide shipped
Upcoming Win2k03 SP1 changes:
  • ADLB.EXE and DCDIAG.EXE have fixes (both updates are in the Branch Office Guide)
Ultrasound is a FRS monitoring tool which shipped late ’03

What’s upcoming with AD Branch Offices?
R2 – Branch Office Team building branch office solution for role deployment
V2.0 of the AD Branch Office Guide should ship March ’05
  • New chapter on Disaster Recovery for branches
  • New tool and process for converting all manual connections to KCC-generated ones
Longhorn server – branch appliance for authentication\authorization

AD Branch Office Scenario
[Network diagram. Forest root corp.contoso.com with child domains hq.corp.contoso.com and branches.corp.contoso.com.
Data-Center-Site: ROOTDC1 (GC, DNS, 10.0.0.1, corp.contoso.com); ROOT2DC2 (FSMO, DNS, 10.0.0.2, corp.contoso.com); HQDC1 (FSMO, DNS, 10.0.0.3, hq.corp.contoso.com); HQDC2 (GC, DNS, 10.0.0.5, hq.corp.contoso.com); TOOLMGRSVR (Monitoring Server, 10.0.0.4, corp.contoso.com); TSDCSERVER (ADS Server, 10.0.0.20, corp.contoso.com); MOMSVR (MOM Server, 10.0.0.26, corp.contoso.com); HUBDC1 (FSMO, DNS, 10.0.0.10, branches.corp.contoso.com); HUBDC2 (DNS, 10.0.0.11, branches.corp.contoso.com); BHDC1–BHDC4 (GC, DNS, 10.0.0.12–10.0.0.15, branches.corp.contoso.com).
Staging-Site: STAGINGDC1 (GC, DNS, 10.0.0.25, branches.corp.contoso.com).
Branch sites BOSite1, BOSite2, BOSite3, BOSite4 … BOSiten, each with one DC (BODC1, BODC2, BODC3, BODC4 … BODCn).]

What Makes a Branch Office Design Interesting?
IP connectivity incl. WAN, link speed, dial on demand, routers, firewalls, IPSEC
Name resolution incl. DNS server, zone and client configuration
Active Directory replication to a large number of replication partners
FRS replication
Group policy implementation
Considerations
  • Proper care of DNS name resolution will guarantee replication success
  • IPSEC preferred firewall solution

New Features in Windows 2003 for Branch Office Deployments
KCC improvements
  • KCC/ISTG inter-site topology generation
  • Bridgehead Server load-balancing and connection object load-balancing tool (ADLB.EXE)
  • KCC redundant connection object mode for branch offices
  • No more “keep connection objects” mode if replication topology is not 100% closed
  • Better event logging to find disconnected sites
Replication improvements
  • Linked-Value Replication
  • More replication priorities
    • Intra-Site before Inter-Site
    • NC priorities: Schema -> Config -> domain -> GC -> DNS
    • Notifications clean-up after site move
  • Lingering Object detection

New Features in Windows 2003 for Branch Office Deployments (continued)
No GC full-sync
  • In Windows 2000, schema changes that changed the PAS triggered GC full sync
  • Removed in Windows 2003
Universal Group Caching
DNS Improvements
Install from media
FRS improvements
Plus many more….

Active Directory Deployment for Branch Offices
Active Directory Design
  • Forest design
  • Decide on centralized or decentralized deployment
  • Domain design
  • DNS design
  • Site topology and replication design
  • Capacity planning
  • Monitoring design
Active Directory deployment
  • Deploying and monitoring non-branch domains
  • Deploying branches domain in hub site
  • Deploying and monitoring a staging site
  • Deploying and monitoring the branch sites

Forest Design
Follow recommendations in Windows 2003 Deployment Kit (Chapter 2)
  • http://www.microsoft.com/downloads/details.aspx?familyid=6cde6ee7-5df1-4394-92ed-2147c3a9ebbe&displaylang=en
Reasons for having multiple forests
  • Political / organizational reasons
    • Unlikely in branch office scenarios
  • Too many locations where domain controllers must be deployed
    • Complexity of deployment
  • Too many objects in the directory
    • Should be partitioned on domain level
    • GCs too big?
  • Evaluate not deploying GCs to branch offices
  • Windows 2003: Universal group caching
Recommendation: Deploy single forest for Branch Offices

Centralized vs. Decentralized Domain Controller Deployment
The number of sites with domain controllers defines the scope of the deployment
Deployment options
  • Centralized deployment
    • Domain controllers are located in datacenters / hub sites only
    • Users in branches log on over WAN link
  • De-centralized deployment
    • All branches have domain controllers
    • Users can log on even if WAN is down
  • Mixed model
    • Some branches have DCs, some don’t
Centralized deployment has lower cost of ownership
  • Easier to operate, monitor, troubleshoot

Design Considerations for Domain Controller Placement
Local DC requires physical security
Domain controller management
  • Monitoring, auditing, SP deployment etc. must be guaranteed
Required services – business drivers
  • File & Print, email, database, mainframe
  • Most of them require Windows logon
  • Logon requires DC availability
  • Can the business still run even if WAN is down?
    • Is the business in the branch focused on a LOB application that requires WAN access (mainframe)?
Logon locally or over the WAN
  • WAN logon requires acceptable speed and line availability
  • WAN only an option if WAN is reliable
    • Cached credentials only work for local workstation logon
    • Terminal Service clients use local logon
In many cases, network traffic is important
  • Client logon traffic – directory replication traffic

Design Considerations for Global Catalog Placement
No factor in single domain deployment
  • Turn on GC flag on all DCs
  • No extra cost associated
GC not needed for user logon anymore in multi-domain deployments
  • Universal Group Caching
GC placement driven by application requirements in multi-domain deployments
  • Exchange 2000\2003 servers
  • Outlook

Domain Design: Recommendation for Branch Office Deployment
Use single domain
  • Typically only single administration area
  • Central administration (users and policies)
  • Replication traffic higher, but more flexible model (roaming users, no GC dependencies)
  • Database size no big concern
If high number of users work in central location
  • Create different domains for headquarters and branches
If number of users very high (> 50,000)
  • Create geographical partitions
High number of domains discouraged
  • Examples: One domain / branch, one domain / state
  • Increases complexity of deployment

DNS Design Recommendations
DNS server placement
  • Put DNS server on all domain controllers
DNS client (resolver) configuration
  • Primary DNS server: Local machine
  • Secondary DNS server: Same site DNS server or hub DNS server
  • Windows 2000: Different configuration for forest root DCs
DNS zone configurations
  • Use AD integrated zones (application partitions)
  • Use DNS forwarding
No NS records for Branch Office DCs
  • Configure zones

DNS Design: Managing SRV (locator) records and autositecoverage
SRV records are published by netlogon in DNS
  • On site level and domain/forest level
  • Clients search for services in the client site first, and fall back to domain/forest level
Branch Office deployments require specific configuration
  • Large number of domain controllers creates scalability problem for domain level registration
    • If more than 1200 branch office DCs want to register SRV records on domain level, registration will fail
  • Registration on domain/forest level is in most cases meaningless
    • DC cannot be contacted over WAN / DOD link anyway
    • If local look-up in branch fails, client should always fall back to hub only
Disable autositecoverage
Use group policy for configuration

Using GPOs for DNS Settings
Create new Global Group for Hub DCs
  • Add all non-Branch Office DCs as group members
Create new GPO (BranchOfficeGPO)
  • Configure DC locator records not registered by branch DCs
  • Configure refresh interval
In BranchOfficeGPO properties, deny “Apply Group Policy” to Hub DCs
  • Negative list is easier to manage than positive list
    • No damage if DC is not added to group
    • Smaller number of hub DCs than Branch Office DCs
Edit Default Domain Controllers Policy
  • Disable automated site coverage
  • Important that this is configured for ALL DCs, not only Branch Office DCs

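The locator behaviour the two DNS slides above describe, as an added model (not the deck's or Microsoft's code): netlogon registration with and without the BranchOfficeGPO, the site-first lookup with fall-back to the domain level, and the ~1200-record limit. Record names follow the real `_msdcs` locator layout; the DC names, sites and function names are constructed for the scenario, and autositecoverage is assumed disabled as the slides recommend.

```python
"""DC locator behaviour with and without the BranchOfficeGPO (added example).

Constructed model, not the deck's or Microsoft's code. Record names follow the
real locator layout; the policy "branch DCs register site-level records only,
hub DCs also register domain-level records" and the ~1200-record limit come
from the slides. Autositecoverage is assumed disabled, as the slides recommend.
"""
from collections import defaultdict
from dataclasses import dataclass

DOMAIN = "branches.corp.contoso.com"
DOMAIN_LEVEL_LIMIT = 1200  # slide: domain-level registration fails above ~1200 branch DCs


@dataclass(frozen=True)
class DomainController:
    name: str
    site: str
    hub: bool  # hub DCs are denied the GPO, so they keep registering domain-level records


def site_srv(site: str) -> str:
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{DOMAIN}"


def domain_srv() -> str:
    return f"_ldap._tcp.dc._msdcs.{DOMAIN}"


def register(dcs, branch_gpo_applied=True):
    """Zone content (record name -> sorted DC names) netlogon would produce."""
    zone = defaultdict(set)
    for dc in dcs:
        zone[site_srv(dc.site)].add(dc.name)       # every DC: its own site record
        if dc.hub or not branch_gpo_applied:        # domain level: hub DCs only
            zone[domain_srv()].add(dc.name)
    return {name: sorted(members) for name, members in zone.items()}


def domain_level_within_limit(zone) -> bool:
    """False when the domain-level SRV set exceeds the slide's stated limit."""
    return len(zone.get(domain_srv(), [])) <= DOMAIN_LEVEL_LIMIT


def locate_dc(zone, client_site: str):
    """Locator order from the slide: client site first, then domain level."""
    site_level = zone.get(site_srv(client_site))
    if site_level:
        return "site", site_level
    return "domain", zone.get(domain_srv(), [])


def build_scenario(branch_count: int):
    """Constructed DCs named after the scenario diagram."""
    hubs = [DomainController("HUBDC1", "Data-Center-Site", True),
            DomainController("HUBDC2", "Data-Center-Site", True)]
    branches = [DomainController(f"BODC{i}", f"BOSite{i}", False)
                for i in range(1, branch_count + 1)]
    return hubs + branches
```

With the GPO applied, a client in a branch whose DC is down (or a branch with no DC) only ever falls back to hub DCs; without it, the same fall-back may pick any branch DC across the WAN.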
Replication Planning: Improvements in Windows 2003
Windows 2000
  • Topology creation had scalability limits
  • Required to manage connection objects manually
Windows 2003 has many improvements to fully automate topology management
  • New KCC / ISTG algorithm
  • Bridgehead server load balancing
  • KCC redundant connection object mode
    • Specifically developed for Branch Office deployments

Replication Planning: KCC/ISTG
ISTG = Inter-Site Topology Generator
  • Computes least cost spanning tree Inter-Site replication topology
Does not require ISM Service
  • Windows 2000: ISTG uses ISM service
Runs every 15 minutes by default

Replication Planning: KCC/ISTG
Vastly improved inter-site topology generation (KCC/ISTG) scalability
  • Complexity: approximately O(d*s)
    • d = number of domains
    • s = number of sites
    • Win2000: approximately O(d*s²)
  • Scales to more than 5,000 sites
  • Still single threaded – uses only one CPU on SMP DCs
  • Performance: 4,000 sites: 10 secs (700 MHz test system)
  • Ongoing tests in scalability lab
Can generate different topology than Windows 2000 KCC/ISTG
  • Requires Windows 2003 forest functional level

Replication Planning: Bridgehead Server Selection
Windows 2000
  • On a per site basis, for each domain, one DC per NC used as Bridgehead
Windows 2003
  • On a per site basis, for each domain, all DCs per NC used as Bridgehead
  • KCC picks DC randomly amongst bridgehead candidates when connection object is created
    • For both incoming and outgoing connection objects

Replication Planning: Bridgehead Server Load-Balancing
KCC/ISTG randomly chooses Bridgehead Server
  • Both incoming and outgoing replication
Once connection object is established, it is not rebalanced when changes happen
  • Adding new servers does not affect existing connection objects
Has to be used with care in Branch Office Deployments
  • Necessary to control what servers are used as Bridgehead Servers
Recommendation: Use preferred Bridgehead Server List and load balancing tool

Replication Planning: Preferred Bridgehead Server List
Some servers should not be used as Bridgeheads
  • PDC operations master, Exchange facing GCs, Authentication DCs
  • Weak hardware
Solution: Preferred Bridgehead Server List
  • Allows administrator to restrict what DCs can be used as Bridgehead Servers
  • If Preferred Bridgehead Server List is defined for a site, KCC/ISTG will only use members of the list as Bridgeheads
Warning:
  • If Preferred Bridgehead Server List is defined, make sure that there are at least 2 DCs per NC in the list
  • If there is no DC for a specific NC in the list, replication will not occur out of site for this NC
  • Don’t forget application partitions
    • If branches have GCs, all bridgeheads should be GCs

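A check for the warnings on this slide, as an added example (constructed data, not the KCC's own logic): it takes the DCs of one site and the preferred bridgehead list and reports every NC, application partitions included, that has fewer than two list members, plus PDC emulator and GC violations. The NC distinguished names follow the scenario's forest; DC names and the hosted partitions per DC are assumptions.

```python
"""Checks a site's preferred bridgehead server list against the slide's warnings
(added example, constructed data; not the KCC's own logic).

Rules encoded: every NC hosted in the site, application partitions included,
needs at least two list members; an NC with none never replicates out of the
site; if branches have GCs, every bridgehead must be a GC; the PDC emulator and
any name that is not a DC of the site are flagged.
"""
from dataclasses import dataclass

DOMAIN_NC = "DC=branches,DC=corp,DC=contoso,DC=com"
CONFIG_NC = "CN=Configuration,DC=corp,DC=contoso,DC=com"
SCHEMA_NC = "CN=Schema,CN=Configuration,DC=corp,DC=contoso,DC=com"
DOMAIN_DNS_NC = "DC=DomainDnsZones,DC=branches,DC=corp,DC=contoso,DC=com"
FOREST_DNS_NC = "DC=ForestDnsZones,DC=corp,DC=contoso,DC=com"


@dataclass(frozen=True)
class DC:
    name: str
    ncs: frozenset          # naming contexts this DC replicates
    is_gc: bool = False
    pdc_emulator: bool = False


def validate_bridgehead_list(site_dcs, preferred, branches_have_gcs):
    """Return a list of problem strings; an empty list means the list is sound."""
    problems = []
    by_name = {dc.name: dc for dc in site_dcs}
    for name in preferred:
        if name not in by_name:
            problems.append(f"{name}: not a DC in this site")
    members = [by_name[n] for n in preferred if n in by_name]
    site_ncs = set().union(*(dc.ncs for dc in site_dcs))
    for nc in sorted(site_ncs):
        holders = [dc.name for dc in members if nc in dc.ncs]
        if not holders:
            problems.append(f"{nc}: no preferred bridgehead holds it, so it will not "
                            "replicate out of this site")
        elif len(holders) < 2:
            problems.append(f"{nc}: only {holders[0]} holds it; need at least 2")
    for dc in members:
        if dc.pdc_emulator:
            problems.append(f"{dc.name}: PDC emulator should not be a bridgehead")
        if branches_have_gcs and not dc.is_gc:
            problems.append(f"{dc.name}: branches have GCs, so bridgeheads must be GCs")
    return problems


def hub_site():
    """Constructed hub site using the scenario diagram's server names. Only the
    two HUBDCs are assumed to hold the ForestDnsZones application partition."""
    all_ncs = frozenset({DOMAIN_NC, CONFIG_NC, SCHEMA_NC, DOMAIN_DNS_NC, FOREST_DNS_NC})
    bh_ncs = frozenset({DOMAIN_NC, CONFIG_NC, SCHEMA_NC, DOMAIN_DNS_NC})
    return [DC("HUBDC1", all_ncs, pdc_emulator=True),
            DC("HUBDC2", all_ncs),
            *(DC(f"BHDC{i}", bh_ncs, is_gc=True) for i in range(1, 5))]
```

Run against the constructed hub site, a list of the four BHDCs looks complete but leaves ForestDnsZones with no bridgehead at all, which is exactly the application-partition trap the slide warns about.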
Replication Planning: Active Directory Load Balancing Tool (ADLB)
ADLB complements the KCC/ISTG
  • Real load balancing of connection objects
  • Staggers schedules using a 15 minute interval
    • Hub-outbound replication only
    • Hub-inbound replication is serialized
  • Does not interfere with the KCC
    • KCC is still needed / prerequisite
    • Tool does not create manual connection objects, but modifies “from-server” attribute on KCC created connection objects
Can create a preview
  • Allows using the tool as an advisor
Single exe / command line tool
  • Runs on a single server / workstation
  • Uses ISTG in hub site to re-balance connection objects
Not needed for fault tolerance, only as optimization
  • Can be run on any schedule

Replication Planning: KCC Redundant Connection Objects Mode
Goal
  • Create stable, simple and predictable replication topology
  • Like mkdsx scripts for Windows 2000
Enabled on a per site level
Implementation
  • Creates two redundant connection objects
    • Each branch site replicates from two different Bridgehead Servers
    • Two different Bridgehead Servers replicate from each site
    • Replication schedule is staggered between connection objects
  • Fail-over is disabled
    • If replication from one Bridgehead fails, the branch can still replicate from the other Bridgehead
  • Schedule hashing is enabled
    • Inbound connections start replication at random time inside the replication window
  • Only DCs in same site are used for redundant connection objects
  • Demoting DC causes KCC to create new connection object

Replication Planning: KCC Redundant Connection Objects Mode
Schedule for redundant connection objects
• Use the schedule defined on the site-link
  • E.g., window open 8pm to 2am, replicate once every 180 minutes (= 2 replications)
• Divide by 2 and stagger
  • Connection object 1 replicates once between 8pm and 11pm
  • Connection object 2 replicates once between 11pm and 2am
• Second replication usually causes little network traffic
Monitoring becomes even more critical
• Important to act quickly if a hub DC becomes unavailable
Replication Planning: KCC Redundant Connection Objects Mode
[Diagram: HUB site with bridgeheads BH1 and BH2; Branch01 (BranchDC01) connected over Site Link 1 and Branch02 (BranchDC02) over Site Link 2; each site link has duration 8h and "replicate every 240 min."; replication is open from 0:00 to 8:00 a.m. The staggered replication slots shown are 0:00-0:15 and 2:00-2:15, 4:00-4:15 and 6:00-6:15, 0:16-0:30 and 2:16-2:30, 4:16-4:30 and 6:16-6:30, each labelled 240 Min.]
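Worked example of the "divide by 2 and stagger" rule on the 8pm-2am / 180-minute schedule above and on the diagram's 8h / 240-minute site links, written as added Python (not code from the presentation or from the Branch Office guide); the function names and the deterministic hash that stands in for the KCC's random start are this example's assumptions.

```python
# Added example (not from the presentation): split a site-link replication
# window across the two connection objects that KCC redundant connection
# objects mode creates, and pick a per-DC start inside a window the way
# schedule hashing spreads inbound connections. Function names and the
# deterministic hash standing in for the KCC's random pick are assumptions.
import hashlib

MINUTES_PER_DAY = 24 * 60


def to_minutes(hhmm: str) -> int:
    """'20:00' -> 1200 minutes after midnight."""
    hours, minutes = map(int, hhmm.split(":"))
    return hours * 60 + minutes


def fmt(minute: int) -> str:
    """Minutes after midnight (may exceed one day) -> 'HH:MM' wall-clock."""
    minute %= MINUTES_PER_DAY
    return f"{minute // 60:02d}:{minute % 60:02d}"


def stagger_schedule(window_start: str, window_end: str, interval_min: int) -> dict:
    """Apply the 'divide by 2 and stagger' rule to a site-link schedule.

    Returns how often the site link replicates per window and, for each of the
    two connection objects, its sub-window and replication count. A window
    that crosses midnight (20:00 -> 02:00) is handled by wrapping.
    """
    start, end = to_minutes(window_start), to_minutes(window_end)
    if end <= start:
        end += MINUTES_PER_DAY          # window crosses midnight
    length = end - start
    per_link = length // interval_min   # replications the site link allows
    if per_link < 2:
        raise ValueError("window allows fewer than two replications; nothing to stagger")
    half = length // 2
    return {
        "replications_per_site_link": per_link,
        "connection_1": (fmt(start), fmt(start + half), per_link // 2),
        "connection_2": (fmt(start + half), fmt(end), per_link - per_link // 2),
    }


def hashed_start(dc_name: str, window_start: str, window_end: str,
                 replication_len_min: int = 15) -> str:
    """Schedule-hashing stand-in: a start time inside the window so that branch
    DCs sharing a bridgehead do not all begin at the same minute. The real KCC
    picks a random offset; hashing the DC name is this example's reproducible
    substitute."""
    start, end = to_minutes(window_start), to_minutes(window_end)
    if end <= start:
        end += MINUTES_PER_DAY
    slots = (end - start) - replication_len_min + 1
    if slots <= 0:
        raise ValueError("replication does not fit in the window")
    offset = int(hashlib.sha256(dc_name.encode()).hexdigest(), 16) % slots
    return fmt(start + offset)


if __name__ == "__main__":
    print(stagger_schedule("20:00", "02:00", 180))   # deck's 8pm-2am example
    print(stagger_schedule("00:00", "08:00", 240))   # diagram's 8h / 240 min links
    print(hashed_start("BranchDC01", "00:00", "04:00"))
```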
Replication Planning: Recommendations for Sites, Site-Links and Topology
Create a single site for the hub site
• Leverage KCC load-balancing between bridgehead servers
Create site-links between branch office sites and the hub site
• No redundant site-links or connection objects are needed
Disable transitivity of site-links
• Not only for performance, but also to avoid branch-branch fail-over connection objects
Disable auto-site coverage
Use KCC/ISTG services
• Use KCC redundant connection objects mode
Use ADLB to load-balance connection objects
Use Universal Group Caching to remove the requirement for a GC in the branch
• Unless a branch application requires a GC
Active Directory Deployment for Branch Offices
Active Directory Design
• Forest design
• Decide on centralized or decentralized deployment
• Domain design
• DNS design
• Site topology and replication design
• Capacity planning
• Monitoring design
Active Directory deployment
• Deploying and monitoring non-branch domains
• Deploying branches domain in hub site
• Deploying and monitoring a staging site
• Deploying and monitoring the branch sites
Capacity Planning: Replication Planning
Branch office DCs
• Usually low load only
• Use minimum hardware
Datacenter DCs
• Depends on usage
• See Windows 2003 Deployment Kit for DC capacity planning
Bridgehead servers
• Require planning
Capacity Planning: Formulas to compute the number of bridgeheads
Hub outbound replication is multi-threaded
Hub inbound replication is single-threaded
Hub outbound: OC = (H * O) / (K * T)
• OC = outbound connections
• H = sum of hours available for outbound replication
• O = concurrent connection objects
• K = number of replications required / day
• T = time necessary for outbound replication (usually one hour)
Hub inbound: IC = R / N
• IC = inbound connections
• R = length of replication in minutes
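The outbound formula OC = (H * O) / (K * T) carried through to a bridgehead count, as added Python that is not part of the presentation; required_bridgeheads() and the sample parameters are this example's own assumptions, and the factor of two for redundant mode follows from each branch replicating from two bridgeheads.

```python
# Added example (not from the presentation): apply the deck's outbound
# formula OC = (H * O) / (K * T) and turn it into a bridgehead count for a
# given number of branch DCs. required_bridgeheads() and the sample inputs
# are this example's own assumptions.
import math


def outbound_connections(hours_available: float, concurrent_objects: int,
                         replications_per_day: int,
                         hours_per_replication: float = 1.0) -> float:
    """OC = (H * O) / (K * T): connection objects one bridgehead can serve per day.

    H = sum of hours available for outbound replication, O = concurrent
    connection objects (outbound is multi-threaded), K = replications
    required per day, T = time per outbound replication (usually one hour).
    """
    if min(hours_available, concurrent_objects,
           replications_per_day, hours_per_replication) <= 0:
        raise ValueError("all formula inputs must be positive")
    return (hours_available * concurrent_objects) / (replications_per_day * hours_per_replication)


def required_bridgeheads(branch_dcs: int, redundant_mode: bool, **formula_inputs) -> int:
    """Bridgeheads needed so every branch DC's outbound connection objects are served.

    In KCC redundant connection objects mode each branch replicates from two
    bridgeheads, so it consumes two outbound connection objects at the hub.
    """
    per_bridgehead = outbound_connections(**formula_inputs)
    objects_needed = branch_dcs * (2 if redundant_mode else 1)
    return math.ceil(objects_needed / per_bridgehead)


if __name__ == "__main__":
    # Constructed sample: 8-hour nightly window, 10 concurrent outbound
    # connections, 2 replications per day, 1 hour per replication.
    sample = dict(hours_available=8, concurrent_objects=10, replications_per_day=2)
    print(f"one bridgehead serves {outbound_connections(**sample):.0f} "
          "outbound connection objects per day")
    print("bridgeheads for 500 branch DCs (redundant mode):",
          required_bridgeheads(500, True, **sample))
    print("bridgeheads for 500 branch DCs (single connection):",
          required_bridgeheads(500, False, **sample))
```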
Capacity Planning: Bridgehead Server Overload
Cause
• Unbalanced site-links
• Unbalanced connection objects
• Replication schedule too aggressive
• Panic trouble-shooting
Symptoms
• Bridgehead cannot accomplish replication requests as fast as they come in
• Replication queues are growing
• Some DCs NEVER replicate from the bridgehead
  • Once a server has successfully replicated from the bridgehead, its requests are prioritized higher than a request from a server that has never successfully replicated
Monitoring
• Repadmin /showreps shows NEVER on last successful replication
• Repadmin /queue <DCName>
Capacity Planning: Bridgehead Server Overload - Solution
Turn off ISTG
• Prevents new connections from being generated
Delete all inbound connection objects
Correct site-link balance and schedule
Enable ISTG again
Monitor AD and FRS replication for recovery
Monitoring Design
Monitoring is a must for any Active Directory deployment
• DCs not replicating will be quarantined
• DCs might have stale data
• Not finding issues early can lead to more problems later
  • E.g., a DC does not replicate because of name resolution problems, then its password expires
Use MOM for datacenter / hub site
• Monitor replication, name resolution, performance
Windows Server 2003 Branch Office Guide ships with BrofMon
• System to push and run scripts to branch DCs
• Results copied to central server
• Web page presents Red/Yellow/Green state per server
Evaluate available monitoring tools
• MOM and third parties
Deploying Non-Branch Domains
Not different from normal deployment
• Documented in Windows 2003 Deployment Kit
Build forest root domain
Create all sites (incl. branches)
Build other non-branch domains as needed
Deploying Branches Domain in Hub Site
Install operations master
Install bridgehead servers
Install and configure ADLB
Modify domain GPO for DNS settings
• Auto-site coverage
Configure DNS zone for NS records
Create branches DNS GPO
• SRV record registration
Deploying Staging Site
Staging site has special characteristics
• All replication topology must be created manually
  • KCC turned off inter- and intra-site
  • Scripts will be provided
• Should not register DNS NS records
Create manual connection objects between staging site and production
• Staging DC needs to be able to replicate 7/24
Install Automated Deployment Services (ADS)
Create image for branch DCs pre-promotion
Deploying Branch Sites
Build branch DCs in staging site from image
Run quality assurance scripts (provided)
Move branch DC into branch site
Ship DC
General Considerations for Branch Office Deployments
Ensure that the hub is a robust data center
Monitor the deployment
• Use MOM for hub sites
Do not deploy all branch office domain controllers simultaneously
• Monitor load on bridgehead servers as more and more branches come on-line
• Verify DNS registrations and replication
Balance replication load between bridgehead servers
Keep track of hardware and software inventory and versions
Include operations in the planning process
• Monitoring plans and procedures
• Disaster recovery and troubleshooting strategy
• Personnel assignment and training
Summary
Windows 2003 has many improvements for branch office deployments
• New KCC algorithm: no more scalability limit
• KCC redundant connection object mode: provides stability
• Less replication traffic through LVR replication and DNS in app partitions
Deployments are much easier to manage
• No manual connection object management
• GPO for DNS locator settings
• No more island problem
Bridgehead servers more scalable
Branch Office guide will have step-by-step procedures for deployment and tools
Total cost of deployment will be much lower
AD Futures
Windows 2003 'R2' Release
• Caching
AD Federation Services
User Group Future Topics
Advanced AD architecture
• Multi-forest issues
• Exchange issues
• Internet facing
AD Operations
• Provisioning systems
• Monitoring systems
• Deployment systems
AD debugging
AD programming
© 2004 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.