Windows Server 2008 R2 Unleashed (114 page)


TABLE 18.3  Common Subnet Mask to Prefix Length

Subnet Mask      Prefix Length
255.0.0.0        8
255.255.0.0      16
255.255.255.0    24

3. Select the appropriate site from the list at the bottom of the window to associate it with the new subnet.

4. Click OK to create the new subnet.

Repeat this for each subnet in the locations. Table 18.4 lists the resulting entries for the sample Company ABC.

TABLE 18.4  Company ABC Sites and Subnets

Location         Site Name    Subnets
Oakland, USA     Oakland      192.168.3.0/24
                              2001:db8:1234:5678::/64
Boston, USA      Boston       192.168.10.0/24
Paris, France    Paris        192.168.11.0/24
Tokyo, Japan     Tokyo        192.168.12.0/24

Adding Domain Controllers to Sites

If a new domain controller is added to a forest, it will dynamically join a site with a matching subnet if the site topology is already configured and subnets have been previously defined. However, a preexisting domain controller will not change sites automatically, unlike workstations and member servers. A domain controller has to be moved manually if the topology changes. If an existing domain controller is being moved to a new site or the site topology or replication strategy has changed, you can follow these steps to move a domain controller to a different site:

1. Launch Server Manager on a domain controller.

2. Expand the Roles folder.

3. Expand the Active Directory Domain Services folder.

4. Expand the Active Directory Sites and Services snap-in.

5. Expand the Sites folder.

6. Locate the site that contains the desired domain controller to move. You can browse the site servers by expanding the site and selecting the Servers container of the site, as shown in Figure 18.2.

FIGURE 18.2  Browsing for site servers.

7. When you locate the desired server, take note of the source site, right-click the server name, and choose Move.

8. When a window opens listing all the sites in the forest, select the destination site, and click OK to initiate the server move.

9. When the move is complete, verify that the domain controller has been placed in the correct Servers container of the desired site.

NOTE

Although you can manually create replication connections if the desired connections are not automatically created by the intersite topology generator (ISTG) within 15 minutes after moving the server, the fact that the automatic creation did not happen usually indicates a problem with site configuration and replication. For more information on the ISTG and replication connections, refer to Chapter 7, “Active Directory Infrastructure.”

Establishing Site Links

Site links establish connectivity between domain controllers to allow Active Directory replication to be managed and scheduled. The Active Directory database, global catalog, group policies, and the domain controller SYSVOL directory replicate according to the replication schedule configured in a site link. For more information on site links, refer to Chapter 7.

To create an IP-based site link, follow these steps:

1. Launch Server Manager on a domain controller.

2. Expand the Roles folder.

3. Expand the Active Directory Domain Services folder.

4. Expand the Active Directory Sites and Services snap-in.

5. Expand the Sites folder.

6. Expand the Inter-Site Transports folder, and select the IP folder.

7. Right-click the IP container and select New Site Link.

8. Enter a name for the site link, select a site that will replicate Active Directory using this site link, and click Add. Repeat this step until all the desired sites are in the right pane, as shown in Figure 18.3 for Oakland and Boston sites.

9. Click OK to create the site link.

10. Back in the Active Directory Sites and Services console, right-click the new site link in the right pane, and choose Properties.

11. At the top of the window, enter a description for the site link. Keep the description simple but informative. For example, enter Site link between Oakland and Boston.

12. At the bottom of the window, enter a cost for the site link. This determines the preferred link if more than one is available. See the text following these steps for a discussion of site link costs and Table 18.5 for some typical costs. In this example, the connection between Oakland and Boston is a T3 and the cost is set to 220.

FIGURE 18.3  Adding sites to a site link.

TABLE 18.5  Typical Link Types, Speeds, and Site Link Costs

Link Type               Link Speed (bps)    Cost
Dial-up 9600                       9,600    1042
Dial-up 14.4                      14,400     884
Dial-up 28.8                      28,800     702
Dial-up 33.6                      33,600     671
Leased 56                         56,000     586
ISDN Single                       64,000     567
Fractional T1 - 1 Ch              64,000     567
DS0                               64,000     567
ISDN Dual                        128,000     486
Fractional T1 - 2 Ch             128,000     486
Fractional T1 - 4 Ch             256,000     425
Fractional T1 - 8 Ch             512,000     378
DS1/T1                         1,544,000     321
DS2/T2                         6,312,000     269
10BaseT                       10,000,000     256
DS3/T3                        44,736,000     220
OC1                           51,840,000     217
100BaseT                     100,000,000     205
FDDI                         100,000,000     205
OC3/STM1                     155,520,000     197
OC12/STM4                    622,080,000     177
1000BaseT                  1,000,000,000     171
OC48/STM16                 2,488,320,000     160
OC192/STM64                9,953,280,000     146

13. Enter the replication frequency. This number indicates how often Active Directory will attempt to replicate during the allowed replication schedule. The default is 180 minutes. The lowest this can be set to between sites is 15 minutes. In most well-connected organizations, the frequency is usually set to 15.

14. Click the Change Schedule button to configure specific intervals when Active Directory should not replicate. This is not typically used in modern well-connected networks. Click OK to leave unchanged.

15. Click OK on the Site Link property page to complete the site link configuration.

After the site link is configured, the Active Directory connections between domain controllers in different sites will generate new connections to optimize replication when the KCC runs. The cost of a site link is an arbitrary value that is selected by the administrator to reflect the speed and reliability of the physical connection between the sites. When you lower the cost value on the link, the priority is increased. Site links have a replication interval and a schedule that are independent of the cost. The cost is used by the KCC to prefer one site link path over another.

Cost values determine which connector is preferred for data transfer. Costs are associated with address spaces and connected routing group information. When costs are assigned to the links, the KCC will compute the replication topology automatically and clients will automatically go to the cheapest link. Link costs can be based on the following formula:

Cost = 1024/log(bw/1000)

Where

bw = Bandwidth of the link between the two sites in bits per second (bps)

Cost = Site link cost setting

Table 18.5 lists the cost values for some typical bandwidths. The values in the cost column would be entered into the Cost field of the site link properties.

Of course, in a simple network with only a single WAN connection between locations, the site link cost value can be left at the default value of 100 with little impact. In this configuration, all links are considered equal by the KCC.

In general, a site link topology serves to provide an Active Directory-integrated method for defining preferred routes between physically remote sites connected by WAN links.

The site links created for Company ABC are shown in Table 18.6. The site links represent the hub-and-spoke topology on the Company ABC WAN, with the appropriate costs based on the link speeds.

TABLE 18.6  Company ABC Site Links and Sites

Site Link Name    Cost    Replication Interval (minutes)    Sites
Oakland-Boston    220     15                                Oakland, Boston
Oakland-Paris     321     15                                Oakland, Paris
Oakland-Tokyo     321     15                                Oakland, Tokyo

NOTE

Once the Active Directory site topology has been defined, it is important to remove all the sites from the default site link (DEFAULTIPSITELINK). This prevents replication connections from being generated by the KCC automatically. It is also a best practice to delete the default site and site link—that is, Default-First-Site-Name and DEFAULTIPSITELINK. This ensures that they don’t get mistakenly used.
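
The cost formula, the 15-minute minimum interval, and the NOTE about DEFAULTIPSITELINK can be checked together against a site link inventory. The following PowerShell is an added example, not code from the book: it assumes log is base 10 (which reproduces the Table 18.5 costs), and the function names Get-SiteLinkCost and Test-SiteLink and the inventory, including the still-populated DEFAULTIPSITELINK entry, are constructed for illustration.

```powershell
# Added example. The link inventory below is constructed sample data.
function Get-SiteLinkCost {
    param([Parameter(Mandatory=$true)][double]$BitsPerSecond)
    # log10(bw/1000) is zero or negative at or below 1,000 bps, so reject it.
    if ($BitsPerSecond -le 1000) {
        throw "Bandwidth must be above 1000 bps (got $BitsPerSecond)."
    }
    [int][math]::Round(1024 / [math]::Log10($BitsPerSecond / 1000))
}

# Constructed inventory: Table 18.6 plus a default link that still holds sites.
# T3 and T1 speeds are taken from Table 18.5 to match the listed costs.
$links = @(
    @{ Name='Oakland-Boston'; Bps=44736000; Cost=220; Interval=15; Sites=@('Oakland','Boston') },
    @{ Name='Oakland-Paris';  Bps=1544000;  Cost=321; Interval=15; Sites=@('Oakland','Paris') },
    @{ Name='Oakland-Tokyo';  Bps=1544000;  Cost=321; Interval=15; Sites=@('Oakland','Tokyo') },
    @{ Name='DEFAULTIPSITELINK'; Bps=$null; Cost=100; Interval=180;
       Sites=@('Default-First-Site-Name','Tokyo') }
)

function Test-SiteLink {
    param([hashtable]$Link)
    $findings = @()
    if ($Link.Name -eq 'DEFAULTIPSITELINK') {
        # Per the NOTE: no site should remain in the default site link.
        if ($Link.Sites.Count -gt 0) {
            $findings += "still contains: $($Link.Sites -join ', ')"
        }
    } else {
        $expected = Get-SiteLinkCost -BitsPerSecond $Link.Bps
        if ($Link.Cost -ne $expected) {
            $findings += "cost $($Link.Cost), formula gives $expected"
        }
        if ($Link.Interval -lt 15) {
            $findings += "interval $($Link.Interval) is below the 15-minute minimum"
        }
    }
    if ($findings.Count -eq 0) { 'OK' } else { $findings -join '; ' }
}

$links | ForEach-Object {
    New-Object PSObject -Property @{
        SiteLink = $_.Name
        Cost     = $_.Cost
        Result   = Test-SiteLink -Link $_
    }
} | Format-Table SiteLink, Cost, Result -AutoSize
```

In a live forest the same values are held in the cost, replInterval and siteList attributes of the siteLink objects under CN=IP,CN=Inter-Site Transports,CN=Sites in the configuration partition.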

Delegating Control at the Site Level

Control is sometimes delegated at the site level to give network administrators the rights to manage Active Directory replication without giving them the rights to manage any additional Active Directory objects. Site delegation can also do just the opposite, effectively denying network administrators the right to access Active Directory objects on a per-site basis. Specific administrative rights can be granted using the built-in Delegate Control Wizard, whereas others can be set for all the site objects using a site’s group policies.

To delegate control at the site level, follow these steps:

1. Launch Server Manager on a domain controller.

2. Expand the Roles folder.

3. Expand the Active Directory Domain Services folder.

4. Expand the Active Directory Sites and Services snap-in.

5. Expand the Sites folder.

6. Right-click the Sites container and select Delegate Control.

7. Click Next on the Delegate Control Wizard Welcome screen.

8. Using the Add button, select the user, users, or groups that will be delegated control over the site, and click OK. You can choose an Active Directory group created for the organization’s networking team or the default group named Network Configuration Operators.

9. Click Next to continue.

10. On the Active Directory Object Type page, select This Folder, Existing Objects in This Folder, and Creation of New Objects in This Folder, which is the default option to
