Chapter 11. Site Topology

Introduction

Active Directory needs information about the underlying network to determine how domain controllers should replicate and what domain controller(s) are optimal for a given client to authenticate with. This network information is often referred to as the site or replication topology, and it consists of numerous object types that represent various aspects of the network.

At a high level, a site is a logical collection of high-speed LAN segments. One or more subnets can be associated with a site, and this mapping is used to determine which site a client belongs to, based on its IP address. Sites are connected via site links, which are analogous to WAN connections. Finally, each domain controller in a site has one or more connection objects, which define a replication connection to other domain controllers.

These site topology objects are contained under the Sites container within the Configuration naming context. Figure 11-1 shows an example of the site topology hierarchy using the Active Directory Sites and Services snap-in.

Directly under the Sites container are the individual site containers, plus containers that store the site link objects (cn=Inter-site Transports) and subnets (cn=Subnets). Three objects are included within a site:

  • An NTDS Site Settings (nTDSSiteSettings) object that contains attributes that can customize replication behavior for the whole site

  • A License Site Settings (licensingSiteSettings) object that can be used to direct hosts within the site to the appropriate licensing server

  • A Servers container

The Servers container contains a server object for each domain controller that is a member of the site, along with any other servers that need to be represented in the site topology (e.g., DFS servers). Figure 11-1 shows a site topology hierarchy.

Site topology hierarchy

Figure 11-1. Site topology hierarchy

A server object can contain an NTDS Settings (nTDSDSA) object, which distinguishes domain-controller server objects from other server objects. The NTDS Settings object stores several attributes that are used to customize replication behavior for a specific domain controller. The NTDS Settings object can contain one or more nTDSConnection objects, which define the replication connections between domain controllers.

The Anatomy of Site Topology Objects

Table 11-1 through Table 11-7 contain some of the important attributes of the various site topology objects.

Table 11-1. Attributes of site objects

Attribute

Description

cn

RDN of the object. This is the name of the site (e.g., Raleigh).

gpLink

Contains a prioritized list of GPOs that are linked to the site.

siteObjectBL

Multivalued attribute that contains a list of distinguished names for each subnet that is associated with the site.

Table 11-2. Attributes of nTDSSiteSettings objects

Attribute

Description

cn

RDN of the object, which is always equal to NTDS Site Settings.

interSiteTopologyGenerator

Distinguished name of the NTDS Settings object of the current ISTG.

msDS-Preferred-GC-Site

If universal group caching is enabled, contains the distinguished name of the site that domain controllers should refresh their cache from. See Enabling Universal Group Membership Caching for more information.

options

Bit flag that determines if universal group caching is enabled, whether site link transitivity is disabled, and if replication schedules should be ignored. For more information see Configuring Universal Group Caching for a Site.

schedule

Octet string that represents the default replication schedule for the site.

Table 11-3. Attributes of subnet objects

Attribute

Description

cn

RDN of the object. Contains the network number and bit mask for the subnet (e.g., 10.10.1.0/24).

siteObject

Distinguished name of the site object the subnet is associated with.

Table 11-4. Attributes of siteLink objects

Attribute

Description

cn

RDN of the object. Contains the name of the link.

cost

Number that represents the site link cost. See Modifying the Cost for a Site Link for more information.

replInterval

Interval in minutes that replication occurs over the site link.

schedule

Octet string that represents the replication schedule for the site link.

siteList

Multivalued list of distinguished names of each site that is associated with the site link. See Finding the Site Links for a Site for more information.

Table 11-5. Attributes of server objects

Attribute

Description

bridgeheadTransportList

Multivalued attribute that contains the list of transports (e.g., IP or SMTP) for which the server is a preferred bridgehead server.

cn

RDN of the object. This is set to the hostname of the associated server.

dNSHostName

Fully qualified domain name of the server. This attribute is automatically maintained for domain controllers.

serverReference

Distinguished name of the corresponding computer object contained within one of the domain-naming contexts.

Table 11-6. Attributes of nTDSDSA (NTDS Settings) objects

Attribute

Description

cn

RDN of the object, which is always equal to NTDS Settings.

invocationID

GUID that represents the DIT (ntds.dit) on the domain controller.

hasMasterNCs

Multivalued attribute containing the list of writable naming contexts (does not include application partitions) stored on the domain controller.

hasPartialReplicaNCs

Multivalued attribute containing the list of read-only naming contexts stored on the domain controller. This will be populated only if the domain controller is a global catalog server.

msDS-Behavior-Version

Number that represents the functional level (i.e., operating system) of the domain controller.

msDS-HasDomainNCs

Contains the distinguished name of the writable domain-naming context stored on the domain controller.

msDs-HasInstantiatedNCs

A combination of all available read-only and writable naming contexts stored on the domain controller.

msDS-hasPartialReplicaNCs

Multivalued attribute that contains distinguished names of each read-only naming context stored on the domain controller. This will be populated only if the domain controller is a global catalog server.

msDS-hasMasterNCs

Multivalued attribute that contains distinguished names of each writable naming context and application partition stored on the domain controller.

options

Bit flag that determines whether the domain controller is a global catalog server.

queryPolicyObject

If set, the distinguished name of the LDAP query policy object to be used by the domain controller.

Table 11-7. Attributes of nTDSConnection objects

Attribute

Description

cn

RDN of the object. For KCC-generated connections, this is a GUID.

enabledConnection

Boolean that indicates whether the connection is available to be used.

fromServer

Distinguished name of the NTDS Settings object of the domain controller this connection replicates with.

ms-DS-ReplicatesNCReason

Multivalued attribute that stores reason codes for why the connection exists. There will be one entry per naming context the connection is used for.

options

Bit flag where a value of 1 indicates the connection was created by the KCC and a value of 0 means the connection was manually created. See Creating a connection Object for more information.

schedule

Octet string that represents the replication schedule for the site link.

transportType

Distinguished name of the transport type (e.g., IP or SMTP) that is used for the connection.

Creating a Site

Problem

You want to create a site.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Right-click on the Sites container and select New Site.

  3. Beside Name, enter the name of the new site.

  4. Under Link Name, select a site link for the site.

  5. Click OK twice.

Using a command-line interface

Create an LDIF file called create_site.ldf with the following contents:

dn: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: site

dn: cn=Licensing Site Settings,cn=<SiteName>,cn=sites,cn=configuration,↵
<ForestRootDN>
changetype: add
objectclass: licensingSiteSettings

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: nTDSSiteSettings

dn: cn=Servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: serversContainer

Then run the following command:

> ldifde -v -i -f create_site.ldf

You also can create a site by issuing the following three AdMod commands:

> admod -config -rb "cn=<SiteName>,cn=sites" -add objectclass::site
> admod -config -rb "cn=NTDS Site Settings,cn=<SiteName>,cn=sites" -add↵
 objectclass::nTDSSiteSettings
> admod -config -rb cn=Servers,cn=<SiteName>,cn=sites" -add↵
 objectclass::serversContainer

Using PowerShell

To create a new site by using PowerShell, use the following syntax:

New-ADReplicationSite -Name "<SiteName>" -Description "<SiteDescription>"

Discussion

To create a site in Active Directory, a few objects must be created. The first is a site object, which is the root of all the other objects. The site object contains the following:

nTDSSiteSettings

This object stores replication-related properties about a site, such as the replication schedule, current ISTG role holder, and whether universal group caching is enabled.

serversContainer

This container is the parent of the server objects that are part of the site. All the domain controllers that are members of the site will be represented in this container.

After a site is created in PowerShell, you’ve essentially got an empty site. If you didn’t do anything else, the site would not be of much value. To make it usable, you need to assign subnet objects to it (see Changing a Subnet’s Site Assignment), and add the site to a siteLink object to link the site to other sites (see Modifying the Sites That Are Part of a Site Link). At that point, you can promote or move domain controllers into the site, and it should be fully functional.

Using PowerShell

The PowerShell solution obfuscates the creation of the site objects. Running the PowerShell command syntax automatically creates the three site objects.

Listing Sites in a Domain

Problem

You want to obtain the list of sites in a domain.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Click on the Sites container.

    The list of sites will be displayed in the right pane.

  3. Double-click on a site to view its properties.

Using a command-line interface

Run one of the following commands to list the sites in a forest:

> dsquery site

or:

> adfind -sites -f (objectcategory=site)

Run one of the following commands to view the properties for a particular site:

> dsget site "<SiteName>"

or:

> adfind -sites -rb "cn=<SiteName>"

Using PowerShell

You can obtain a list of sites in a domain by using PowerShell, as follows:

Get-ADReplicationSite -Filter * | Select Name

Discussion

Site objects are stored in the Sites container (e.g., cn=sites,cn=configuration,dc=adatum,dc=com) in the Configuration naming context. For more information on creating sites, see Creating a Site.

Renaming a Site

Problem

You want to rename a site.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Click on the Sites container.

  3. In the right pane, right-click the site you want to rename and select Rename.

  4. Enter the new name of the site and press Enter.

Using a command-line interface

The following command will change the cn of a site:

> dsmove "<SiteDN>" -newname "<NewSiteName>"

You can also rename a site with AdMod, using the following syntax:

> admod -b "<SiteDN>" -rename "<NewSiteName>"

Using PowerShell

To rename a site by using PowerShell, use the following syntax:

Rename-ADObject -Identity "<Site DN>" -NewName "<NewSiteName>"

Discussion

Renaming a site in Active Directory involves changing the cn of the site object. The largest concern with renaming a site, as with any other AD object, is to ensure that no applications reference the site by name. A best practice to avoid this pitfall is to reference AD objects by their GUIDs, which will not change even when the object is renamed.

See Also

MSDN: Object Names and Identities; MSDN: Using objectGUID to Bind to an Object

Deleting a Site

Problem

You want to delete a site.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Click on the Sites container.

  3. In the right pane, right-click the site you want to delete and select Delete.

  4. Click Yes twice.

Using a command-line interface

You can remove a site and its associated objects by issuing the following AdMod command syntax:

> admod -b "cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>" -del↵
 -treedelete

Using PowerShell

To delete a site by using PowerShell without confirmation, use the following syntax:

Remove-ADReplicationSite -Identity "<SiteName>" -Confirm:$False

Discussion

When deleting a site, be very careful to ensure that no active server objects exist within it. If you delete a site that contains domain controllers, it will disrupt replication for all domain controllers in that site. A more robust solution would be to first perform a query for all server objects using the distinguished name of the site as the base DN. If no servers were returned, then you could safely delete the site. If server objects were found, you should move them before deleting the site.

It is also worth noting that deleting a site does not delete any of the subnets or site links that are associated with the site.

See Also

Creating a Site for more on creating a site; Creating a Subnet for creating a subnet

Delegating Control of a Site

Problem

You want to delegate permission of an AD site to allow it to be administered by another user or group.

Solution

Using a graphical user interface

The following example will delegate administration of the managedBy attribute of a site:

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Click on the Sites container.

  3. In the right pane, right-click the site you want to delegate and select Delegate Control.

  4. Click Next to bypass the initial Welcome screen of the Delegation of Control Wizard.

  5. Click Add to select the users or groups that you want to delegate control to. Click Next to continue.

  6. Select “Create a custom task to delegate” and click Next.

  7. Click “Only the following objects in the folder.” Place a checkmark next to site objects and click Next.

  8. Deselect the General permissions and then select the Property-specific permissions.

  9. Place a checkmark next to “Write managedBy.” Click Next to continue.

  10. Click Finish.

Using a command-line interface

The following code will allow a group called SiteAdmins to manage the managedBy attribute of sites within adatum.com:

> dsacls cn=Sites,cn=Configuration,dc=adatum,dc=com /I:S /G adatum.comSiteAdmins:WP;;managedBy

Discussion

Using a graphical user interface

You can delegate control over a site via the Delegation of Control Wizard or by using dsacls at the command line. The Delegation of Control Wizard allows you to delegate one preconfigured task—managing Group Policy links—or create a custom task to delegate. When delegating a custom task, first you must determine whether you are delegating permission over the entire site and all objects contained therein or whether you only are going to delegate control over specific child objects. For example, you can delegate control over all computer objects within a site. Once you’ve made this determination, then you’ll designate the specific permissions that you’re delegating; you can delegate anything from full control of the entire object down to granting read permissions on a single attribute.

Configuring Universal Group Caching for a Site

Problem

You want to configure a site so that it does not require access to a global catalog server during most user logins.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, browse to the site you want to enable group caching for and click on it.

  3. In the right pane, double-click on the NTDS Site Settings object.

  4. Under Universal Group Membership Caching, check the box beside Enable Universal Group Caching.

  5. If you want to force the cache refresh from a particular site, select a site; otherwise, leave the default set to <Default>.

  6. Click OK.

Using a command-line interface

You can use ldifde to enable universal group caching. Create a file called enable_ univ_cache.ldf with the following contents, but change <SiteName> to the name of the site you want to enable, and <ForestRootDN> to the distinguished name of the forest root domain:

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: options
options: 32
-

Then use the following command to import the change:

> ldifde -i -f enable_univ_cache.ldf

You also can perform this change using a combination of AdFind and AdMod, using the following syntax:

> adfind -config -rb "cn=NTDS Site Settings,cn=<SiteName>,cn=Sites" options -adcsv | admod options::{{.:SET:32}}

Note

To explicitly set the site that domain controllers in this site should use to refresh universal group membership, configure the msDS-Preferred-GC-Site attribute on the NTDS Site Settings object with the DN of the desired site.

Using PowerShell

To enable a site for universal group membership caching, use the following syntax:

Set-ADReplicationSite -Identity <SiteName> -UniversalGroupCachingEnabled:$True

To enable a site for universal group membership caching while also setting the site to refresh the cache from, use the following syntax:

Set-ADReplicationSite -Identity <SiteName> -UniversalGroupCachingEnabled:$True -UniversalGroupCachingRefreshSite:<RefreshSiteName>

Discussion

An authenticating domain controller is required to contact a global catalog server (if it is not one itself) in order to process any client authentication requests. This is necessary because of the need to verify universal group memberships for any clients attempting to access the domain. Universal group caching was introduced in Windows Server 2003 to reduce the impact of this requirement. Universal group caching can be enabled on a site-by-site basis and allows domain controllers to cache universal group information locally. This largely removes the need to query the global catalog during client logon, though a global catalog will still need to be contacted the first time a new user logs on because no membership information will be cached in that case. The local DC will also need to contact a GC at regular intervals to update its cached information.

You can enable universal group caching manually by enabling bit 5 (32 in decimal) on the options attribute of the NTDS Site Settings object. The ldifde solution blindly writes a value of 32 to that attribute, which is not ideal since it will overwrite any existing values that may already be in place.

See Also

Searching with a Bitwise Filter for more on viewing bitwise attributes; Modifying a Bit-Flag Attribute for information on configuring bitwise values; Set-ADReplicationSite cmdlet reference

Creating a Subnet

Problem

You want to create a subnet.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Right-click on the Subnets container and select New Subnet.

  3. In the Prefix dialog box, enter the Address and Mask (e.g., for IPv4 enter 192.168.1.0/24 and for IPv6 enter 3FFE:FFFF:0:C000::/64) and then select the site the subnet is part of.

  4. Click OK.

Using a command-line interface

Create an LDIF file called create_subnet.ldf with the following contents:

dn: cn=<Subnet>,cn=subnets,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: subnet
siteObject: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>

Then run the following command:

> ldifde -v -i -f create_subnet.ldf

You can also create a subnet using AdMod. The following command creates a subnet for 10.1.1.0/24 in the adatum.com domain and associates the subnet with the Dallas site:

> admod -b "cn=10.1.1.0/24,cn=subnets,cn=sites,cn=configuration,dc=adatum,dc=com" objectClass::subnet siteObject::"cn=Dallas,cn=sites,cn=configuration,dc=adatum,dc=com" -add

Using PowerShell

You can create a subnet object and associate it with an existing site by using PowerShell. The following command creates a new subnet for 10.1.1.0/24 and associates the subnet to the Dallas site:

New-ADReplicationSubnet -Name 10.1.1.0/24 -Site Dallas

Discussion

Subnet objects reside in the Subnets container in the Configuration NC (e.g., cn=subnets,cn=sites,cn=configuration,dc=adatum,dc=com). The RDN of the subnet should be the subnet address and bit-mask combination (e.g., 10.1.1.0/24). The other important attribute to set is siteObject, which should contain the DN of the site that the subnet is associated with.

See Also

New-ADReplicationSubnet cmdlet reference

Listing the Subnets

Problem

You want to list the subnet objects in Active Directory.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Click on the Subnets container in the left pane.

    The list of subnets will be displayed in the right pane.

  3. To view the properties of a specific subnet, right-click on the one you want to view and then click Properties.

Using a command-line interface

The following command will list all subnets:

> dsquery subnet

You can also list all configured subnets with AdFind, as follows:

> adfind -subnets -f (objectCategory=subnet)

To display the properties of a particular subnet with AdFind, use this syntax:

> adfind -subnets -rb "cn=<Subnet>"

Using PowerShell

To list all of the subnets with PowerShell, use the following command:

Get-ADReplicationSubnet -Filter * | Select Name

To get all of the properties of a specific subnet, use the following syntax:

Get-ADReplicationSubnet -Identity <Subnet> -Properties *

Discussion

Using PowerShell

To display the site that subnets are associated with, use the following command:

Get-ADReplicationSubnet -Filter * | Select Name,Site

See Also

Get-ADReplicationSubnet cmdlet reference

Finding Missing Subnets

Problem

You want to find the subnets that are missing from your site topology. Missing subnets can result in clients not authenticating against the most optimal domain controller, which can degrade performance.

Solution

Having all of your subnets in Active Directory is important because a client that attempts to log on from a subnet that is not associated with any site may authenticate with any domain controller in the domain. This can result in the logon process taking longer to complete.

One way to dynamically determine missing subnets is to query each domain controller for 5807 events and then to look at the netlogon.log file. Each IP address that has a NO_CLIENT_SITE entry needs to be addressed by adding a subnet to a corresponding site.

Here is an example of a 5807 event log entry:

Event Type:         Warning
Event Source:       NETLOGON
Event Category:     None

Event ID:         5807
Date:             12/11/2012
Time:             4:42:20 AM
User:             N/A
Computer:         DC1
Description:
During the past 4.18 hours there have been 48 connections to this Domain 
Controller from client machines whose IP addresses don't map to any of the 
existing sites in the enterprise. Those clients, therefore, have undefined 
sites and may connect to any Domain Controller including those that are in 
far distant locations from the clients.
A client's site is determined by the mapping of its subnet to one of the existing
sites. To move the above clients to one of the sites, please consider creating
subnet object(s) covering the above IP addresses with mapping to one of the 
existing sites.
The names and IP addresses of the clients in question have been logged on this
computer in the following log file '%SystemRoot%debug
etlogon.log' and,
potentially, in the log file '%SystemRoot%debug
etlogon.bak' created if the
former log becomes full. The log(s) may contain additional unrelated debugging
information.
To filter out the needed information, please search for lines which contain text
'NO_CLIENT_SITE:'. The first word after this string is the client name and the
second word is the client IP address. The maximum size of the log(s) is
controlled by the following registry DWORD value
'HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServices
NetlogonParametersLogFileMaxSize'; the default is 20000000 bytes. The current
maximum size is 20000000 bytes. To set a different maximum size, create the 
above registry value and set the desired maximum size in bytes.

Instead of scraping the event logs on every domain controller, you can look directly at the %SystemRoot%debug etlogon.log file on each domain controller and parse out all of the NO_CLIENT_SITE entries.

Here is an example of some of the NO_CLIENT_SITE entries from the netlogon.log file:

12/11 20:02:35 [1316] ADATUM: NO_CLIENT_SITE: WIN8-CLIENT02 192.168.0.143
12/11 20:09:25 [1316] ADATUM: NO_CLIENT_SITE: 2012-SERVER05 192.168.10.245
12/11 20:12:08 [1316] ADATUM: NO_CLIENT_SITE: WIN8-CLIENT14 172.16.0.14
12/11 20:17:35 [1316] ADATUM: NO_CLIENT_SITE: WIN8-CLIENT02 192.168.0.143
12/11 20:17:37 [1316] ADATUM: NO_CLIENT_SITE: WIN8-CLIENT02 192.168.0.143
12/11 20:20:51 [4156] ADATUM: NO_CLIENT_SITE: 2012-SERVER09 192.168.1.8
12/11 20:32:38 [1316] ADATUM: NO_CLIENT_SITE: WIN8-CLIENT01 10.16.0.77

If you wanted to get creative and automate a solution to do this, you could write a script that goes out to each domain controller, opens the netlogon.log file, and retrieves NO_CLIENT_SITE entries. Then you could examine all of the IP addresses and create subnets in Active Directory that would contain them. You could associate all of those subnets with a placeholder site or even use the Default-First-Site-Name site (if it still exists). Then, once a week (or another desired length of time), you could look at the sites that were created or that were associated with the default site and determine what site they should actually be associated with.

Using PowerShell

You can get a list of all 5807 events from the System event log on the local computer by running the following command:

Get-WinEvent -LogName System | where {$_.ID -eq "5807"}

You can also get the events on a remote computer by using the following syntax:

Get-WinEvent -ComputerName <NameOfDC> -LogName System | where {$_.ID -eq "5807"}

Deleting a Subnet

Problem

You want to delete a subnet object.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Click on the Subnets container.

    The list of subnets will be displayed in the right pane.

  3. Right-click on the subnet you wish to remove and select Delete.

  4. Click Yes to confirm.

Using a command-line interface

You can delete a subnet object using the built-in dsrm utility or AdMod. The dsrm utility takes the following syntax (note the parameter at the end to avoid being prompted for confirmation):

> dsrm cn=<SubnetName>,cn=subnets,cn=sites,cn=configuration,<ForestRootDN>↵
 -noprompt

To remove a subnet using AdMod, use this syntax:

> admod -b cn=<SubnetName>,cn=subnets,cn=sites,cn=configuration,<ForestRootDN>↵
 -del

Using PowerShell

To delete a site without a confirmation prompt, use the following syntax:

Remove-ADReplicationSubnet <SubnetName> -Confirm:$False

Discussion

Before removing a subnet, you should confirm that it is not in use by examining the netlogon.log file on domain controllers. If IP addresses within the subnet range appear in the logfile, it may point to activity from the subnet.

Changing a Subnet’s Site Assignment

Problem

You want to change the site object that a particular subnet is associated with.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Click on the Subnets container.

  3. Locate the desired subnet and then right-click it and click Properties.

  4. In the Site drop-down box, select the name of the site that the subnet should be associated with and click OK.

Using a command-line interface

> admod -b cn=<SubnetName>,cn=Subnets,cn=Sites,cn=Configuration,<ForestRootDN> objectClass::subnet siteObject::<NewSiteDN>

Note

For <SubnetName>, use the format “192.168.1.0/24”, for example.

Using PowerShell

Set-ADReplicationSubnet -Identity <SubnetName> -Site <SiteName>

Discussion

Since the site topology that you create in Active Directory is meant to map to your physical network topology, an Active Directory subnet object can be associated with only a single AD site at any one time. If you modify your site configuration or need to delete a site object for any reason, you should configure any subnets associated with that site that are still active on your network so that they are associated with another Active Directory site. This will ensure that any clients that reside on those subnets will be able to locate resources such as domain controllers appropriately, without sending authentication requests across site links unnecessarily.

See Also

Finding Missing Subnets to find missing subnets on your network; Deleting a Subnet for more on deleting subnet objects

Creating a Site Link

Problem

You want to create a site link to connect two or more sites together.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Expand the Sites container.

  3. Expand the Inter-Site Transports container.

  4. Right-click on IP (or SMTP) and select New Site Link.

  5. For Name, enter the name for the site link.

  6. Under “Sites not in this site link”, select at least two sites and click the Add button.

  7. Click OK.

Using a command-line interface

The following LDIF would create a site link connecting the SJC and Dallas sites:

dn: cn=Dallas-SJC,cn=IP,cn=inter-site
transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: add
objectclass: siteLink
siteList: cn=SJC,cn=sites,cn=configuration,<ForestRootDN>
siteList: cn=Dallas,cn=sites,cn=configuration,<ForestRootDN>

If the LDIF file were named create_site_link.ldf, you’d then run the following command:

> ldifde -v -i -f create_site_link.ldf

You also can also create a site link using AdMod, as follows:

> admod -b "cn=<SiteLinkName>,cn=IP,cn=inter-site transports, cn=sites,cn=configuration,<ForestRootDN>" objectclass::sitelink "sitelist:++:cn=<FirstSite>,cn=sites,cn=configuration,<ForestRootDN>;cn=<SecondSite>,cn=sites,cn=configuration,<ForestRootDN>" cost::50 replInterval::180 -add

Using PowerShell

You can create a site link object by using PowerShell, as shown in the following syntax:

New-ADReplicationSiteLink -Name <SiteLinkName> -SitesIncluded <Site1Name>,<Site2Name> -ReplicationFrequencyInMinutes <NumberOfMinutesForReplication> -Cost <SiteLinkCost>

Discussion

Without site links, domain controllers would not be able to determine the optimal partners to replicate with. The cost that is associated with a site defines how expensive the link is. A lower cost is less expensive (or faster) than a higher cost. Link costs are inversely proportional to bandwidth, so a faster link should be configured with a lower cost than a low-speed one. (Sometimes bandwidth costs can play a role, too.) Site link costs are manually configured items, which means that the administrator can control how inter-site replication should take place on the network.

Using PowerShell

By default, a new site link created with New-ADReplicationSiteLink will utilize the IP transport protocol. If SMTP is needed, the -InterSiteTransportProtocol parameter can be used and SMTP can be specified.

Finding the Site Links for a Site

Problem

You want to list the site links that are associated with a site.

Solution

Using a command-line interface

You can list the site links associated with a particular site using DSQuery or AdFind. DSQuery uses the following syntax:

> dsquery * "cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>"-filter "(&(objectcategory=siteLink)(siteList=cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>))" -scope subtree -attr name

To obtain this information using AdFind, use the following:

> adfind -config -f "(&(objectcategory=siteLink)(siteList=cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>))" name

Using PowerShell

Get-ADObject -SearchBase "cn=sites,cn=configuration,<ForestRootDN>" -Filter {objectCategory -eq "siteLink" -and siteList -eq "cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>"}

Discussion

A site can be included as a part of zero or more site links. A site with no site links would be considered orphaned from the site topology, since there is no way to determine how and where it connects into the topology. Branch office sites may have only a single site link back to a hub, while a hub site may have numerous links that connect it to the rest of the world.

Finding the site links associated with a site consists of performing a query for all siteLink objects that have the DN of the site included in the siteList attribute for a link. The siteList attribute is a multivalued attribute that contains all the sites that are connected via the site link.

Modifying the Sites That Are Part of a Site Link

Problem

You want to modify the sites associated with a site link.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, expand Sites→Inter-Site Transports.

  3. Click either the IP or SMTP folder, depending on where the site link is stored.

  4. In the right pane, double-click on the link you want to modify.

  5. Under the General tab, you can add and remove sites that are associated with the site link.

  6. Click OK.

Using a command-line interface

Create an LDIF file called modify_site_link.ldf with the following contents. Replace <LinkName> with the name of the link and <SiteName> with the site to add to the link:

dn: cn=<LinkName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
add: siteList

siteList: cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
-

Then run the following command:

> ldifde -v -i -f modify_site_link.ldf

You can also add sites to a site link using AdMod, as follows:

> admod -b "cn=<LinkName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration, <ForestRootDN>" siteList:+:"cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>"

Using PowerShell

To add one or more sites to a site link by using PowerShell, use the following syntax:

Set-ADReplicationSiteLink "<SiteLinkName>" -SitesIncluded @{Add="<SiteName1>","<SiteName2>"}

To remove one or more sites from a site link by using PowerShell, use the following syntax:

Set-ADReplicationSiteLink "<SiteLinkName>" -SitesIncluded @{Remove="<SiteName1>","<SiteName2>"}

Discussion

To associate a site with a site link, add the DN of the site to the siteList attribute of the siteLink object that represents the link. To remove a site from a link, remove the DN associated with the site from the siteList attribute. For example, to remove a site from a site link using AdMod, replace siteList:+: with siteList:-:.

See Also

Finding the Site Links for a Site for finding the links associated with a site

Modifying the Cost for a Site Link

Problem

You want to modify the cost for a site link.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, expand Sites→Inter-Site Transports.

  3. Click either the IP or SMTP folder, depending on where the site link is stored.

  4. In the right pane, double-click on the link you want to modify.

  5. Under the General tab, you can change the cost for the site link.

  6. Click OK.

Using a command-line interface

Create an LDIF file called modify_site_link_cost.ldf with the following contents. Replace <LinkName> with the name of the link you want to modify and <LinkCost> with the cost:

dn: cn=<LinkName>,cn=IP,cn=inter-site
transports,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: cost
cost: <LinkCost>
-

Then run the following command:

> ldifde -v -i -f modify_site_link_cost.ldf

You can also modify the cost of a site link using AdMod, as follows:

> admod -b "cn=<LinkName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>" cost::<LinkCost>

Using PowerShell

You can modify the cost of a site link using the Quest cmdlets or ADSI, as follows:

Set-ADReplicationSiteLink "<LinkName>" -Cost <LinkCost>

Discussion

The cost attribute is one of the most important attributes of siteLink objects. cost is used by the KCC to determine what connection objects should be created to allow domain controllers to replicate data.

cost is inversely proportional to bandwidth—the lower the cost, the greater the bandwidth. (Don’t forget about looking at the bandwidth costs, too.) The number you use for the cost is also arbitrary; the default is 100. You could use 100–1,000 as the range for your site link costs, or you could use 1–10. The actual number isn’t important, so long as you configure the values to be relative based on the other site links you’ve configured. The costs that you assign to your site links should be configured according to the physical topology of your network, where you assign the lowest costs to the highest-speed links (or lowest-cost links), and higher costs to lower-speed links between two sites.

Enabling Change Notification for a Site Link

Problem

You want to enable change notification between sites so that replication will occur as changes occur rather than according to a set schedule.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, expand Sites→Inter-Site Transports.

  3. Click either the IP or SMTP folder, depending on where the site link is stored.

  4. In the right pane, double-click on the link you want to modify.

  5. On the Attribute Editor tab, scroll to the options attribute and then click Edit.

  6. Enter a 1 to enable change notification and then click OK.

  7. Click OK to close the site link properties window.

Using a command-line interface

> adfind -b cn=<SiteLinkName>,cn=IP,cn=Inter-site Transports,cn=Sites, cn=Configuration,cn=<ForestRootDN>" options -adcsv | admod options::{{.:SET:1}}

Using PowerShell

Set-ADReplicationSiteLink <SiteLinkName> -Add @{Options=1}

Discussion

By default, intra-site replication occurs on the basis of change notifications where replication occurs almost immediately after a change occurs, while domain controllers in different sites will, by default, only replicate with each other on a set schedule. To configure a particular site link to use the change-notification mechanism for replication, you can set bit 1 of its options attribute. Keep in mind that this will create more frequent replication traffic on the site link in question, but it will ensure that changes made in one site can be replicated to the other site much more quickly than by using the default inter-site replication schedules.

See Also

Modifying a Bit-Flag Attribute for more on modifying bitwise attributes; Modifying Replication Schedules for more on modifying replication schedules

Modifying Replication Schedules

Problem

You want to change the times of day or week that a particular site link (IP or SMTP) is available for replication.

Solution

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, expand Sites→Inter-Site Transports.

  3. Click either the IP or SMTP folder, depending on where the site link is stored.

  4. In the right pane, double-click on the link you want to modify.

  5. On the General tab, click Change Schedule.

  6. Select the times and days of the week that you wish to allow or disallow replication, and select the Replication Available or Replication Not Available radio button, as appropriate.

  7. Click OK twice to save the changes.

Using a command-line interface

To configure a site link to be available 24 hours a day, seven days a week, use the following syntax:

> admod -b cn=<SiteLinkName>,cn=<TransportName>,cn=Inter-site↵
Transports,cn=sites,cn=configuration,<ForestRootDN> schedule::0

Using PowerShell

The following PowerShell command will configure a site link to allow replication Monday through Friday from midnight to 7:45 a.m. and from 5:00 p.m. to 11:45 p.m. while allowing replication all day and night on Saturday and Sunday:

$schedule = New-Object -TypeName System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule;$schedule.ResetSchedule();$schedule.SetSchedule ("Monday","Zero","Zero","Seven","FortyFive");$schedule.SetSchedule ("Monday","Seventeen","Zero","TwentyThree","FortyFive");$schedule.SetSchedule ("Tuesday","Zero","Zero","Seven","FortyFive");$schedule.SetSchedule ("Tuesday","Seventeen","Zero","TwentyThree","FortyFive");$schedule.SetSchedule ("Wednesday","Zero","Zero","Seven","FortyFive");$schedule.SetSchedule ("Wednesday","Seventeen","Zero","TwentyThree","FortyFive");$schedule.SetSchedule ("Thursday","Zero","Zero","Seven","FortyFive");$schedule.SetSchedule ("Thursday","Seventeen","Zero","TwentyThree","FortyFive");$schedule.SetSchedule ("Friday","Zero","Zero","Seven","FortyFive");$schedule.SetSchedule ("Friday","Seventeen","Zero","TwentyThree","FortyFive");$schedule.SetSchedule ("Saturday","Zero","Zero","TwentyThree","FortyFive");$schedule.SetSchedule ("Sunday","Zero","Zero","TwentyThree","FortyFive");Set-ADReplicationSiteLink "<SiteLinkName>" -ReplicationSchedule $schedule

Discussion

When you configure an inter-site replication link, you can specify a particular schedule during which the link will be available for replication. By default, inter-site links can pass replication traffic 24 hours a day, seven days a week, but you can restrict this so that it is only available for specific hours of the day and/or days of the week. This might be useful for a heavily utilized link that you do not want to have overloaded with replication traffic. For example, a bank headquarters may wish to prevent replication traffic from being initiated during a two-hour time period at the end of every day while its branch offices are transmitting daily report information.

Using PowerShell

The SetSchedule method is used, which allows each day of the week to have a different schedule, if desired. This is handy when, for example, replication is available all day and all night on weekends. An alternative is to use the SetDailySchedule method, which will use the same replication schedule for every day of the week.

See Also

Forcing Replication from One Domain Controller to Another to force replication from one DC to another; MSDN: ActiveDirectorySchedule Class

Disabling Site Link Transitivity or Site Link Schedules

Problem

You want to disable site link transitivity to control replication manually.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, expand Sites→Inter-Site Transports.

  3. Right-click either the IP or SMTP folder, depending on which protocol you want to disable transitivity or ignore schedules for.

  4. Select Properties.

  5. To disable site link transitivity, uncheck “Bridge all site links”.

  6. To ignore site link schedules, check “Ignore schedules”.

  7. Click OK.

Using PowerShell

To disable site link transitivity and site link schedules, use the following syntax:

Set-ADObject "cn=ip,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>" -Replace @{Options=2}

Discussion

Active Directory site links, by default, are transitive, which means that if site A is linked to site B, and site B is linked to site C, then site A is also linked (through site B) to site C. The KCC uses transitivity when making decisions about creating connection objects. You can, however, disable this behavior if you so choose. Typically, this is not something you’ll want to do without a very good reason. Disabling transitivity may be necessary, for example, in some legacy deployments that have a lot of sites and find that the KCC is having a hard time keeping up. Since Windows Server 2003, the KCC has been greatly improved, and site link transitivity should not cause these problems.

The other reason you might want to disable transitivity is if you need to make replication more deterministic—that is, you want to exert more manual control over the process. Disabling transitivity makes it much easier to determine where the KCC will attempt to establish connection objects, because the KCC on a domain controller will not be able to replicate with domain controllers that are not in sites that are directly linked. There can be other reasons, one of which is when you have nonroutable networks.

We mention site link schedules here primarily because the same attribute (i.e., options) that determines site link transitivity also determines whether link schedules are enforced. If you enable the ignore schedules option for a particular transport (i.e., IP or SMTP), the KCC ignores any preconfigured link schedules. If you later disable this setting, link schedules will go back into effect.

Using PowerShell

There are multiple value variations for the options attribute. By setting the value to 4, it reverts the settings to the default (all site links bridged with schedules enabled). By setting the value to 3, it disables site link bridging while ignoring schedules. By setting the value to 1, it enables site link bridging and ignores schedules.

See Also

Modifying a Bit-Flag Attribute for more on setting a bit-flag attribute

Creating a Site Link Bridge

Problem

You want to create a site link bridge because you’ve disabled site link transitivity.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, expand Sites→Inter-Site Transports.

  3. Right-click either the IP or SMTP folder, depending on which protocol you want to create a site link bridge for.

  4. Select New Site Link Bridge.

  5. Enter a name for the bridge.

  6. Highlight two or more site links in the left box.

  7. Click the Add button.

  8. Click OK.

Using a command-line interface

Create an LDIF file called create_site_link_bridge.ldf with the following contents, where <Link1> and <Link2> refer to the site links to be bridged:

dn: cn=<BridgeName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,;<ForestRootDN>
changetype: add
objectclass: siteLinkBridge
siteLinkList: cn=<Link1>,cn=IP,cn=Inter-site
Transports,cn=sites,cn=configuration,<ForestRootDN>
siteLinkList: cn=<Link2>,cn=IP,cn=Inter-site
Transports,cn=sites,cn=configuration,<ForestRootDN>

Then run the following command:

> ldifde -v -i -f create_site_link_bridge.ldf

You can also create a site link bridge using AdMod, as follows:

> admod -b "cn=<BridgeName>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>" objectclass::sitelinkBridge "sitelinklist:++:cn=<FirstSiteLink>,cn=IP,cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>;cn=<SecondSiteLink>,cn=IP, cn=inter-site transports,cn=sites,cn=configuration,<ForestRootDN>" -add

Using PowerShell

To create a site link bridge by using PowerShell, use the following syntax:

New-ADReplicationSiteLinkBridge "<BridgeName>" -SiteLinksIncluded "<SiteLink1>","<SiteLink2>"

Discussion

If you’ve disabled site link transitivity or have networks that lack direct routes between sites, you should create site link bridges. Creating a site link bridge to link several links is analogous to creating a site link to link several sites. Let’s take an example where site link transitivity is disabled and we have four sites, among which site A has a link to site B and site C has a link to site D. If site link transitivity has been disabled and we want domain controllers in sites A and B to replicate with sites C and D, we need to create a site link bridge to bridge the A–B link with the C–D link.

See Also

Disabling Site Link Transitivity or Site Link Schedules for disabling site link transitivity

Finding the Bridgehead Servers for a Site

Problem

You want to find the bridgehead servers for a site.

Solution

Using a graphical user interface

  1. The replmon.exe utility is no longer available in Windows Server 2008 and later; for 2008 and later servers the command-line interface option is appropriate. Open the Replication Monitor from the Support Tools (replmon.exe)

  2. From the menu, select View→Options.

  3. In the left pane, right-click on Monitored Servers and select Add Monitored Server.

  4. Use the Add Monitored Server Wizard to add a server in the site you want to find the bridgehead server(s) for.

  5. In the left pane, right-click on the server and select Show BridgeHead Servers→In This Server’s Site.

Using a command-line interface

> repadmin /bridgeheads [<ServerName>] [/verbose]

Using PowerShell

To search for all bridgehead servers in a site, use the following syntax:

Get-ADObject -Filter {objectClass -eq "server"} -SearchBase "cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>" -SearchScope subtree -Properties * | Where {$_.bridgeheadTransportList -ne $NULL} | Select Name,bridgeheadTransportList

To search for all bridgehead servers across all sites in the domain, use the following syntax:

Get-ADObject -Filter {objectClass -eq "server"} -SearchBase "cn=sites,cn=configuration,<ForestRootDN>" -SearchScope subtree -Properties * | Where {$_.bridgeheadTransportList -ne $NULL} | Select Name,bridgeheadTransportList

Discussion

Bridgehead servers are responsible for replicating data between sites. Instead of all domain controllers replicating the same naming contexts outside of the site, the bridgehead servers act as a funnel for replication into and out of a site. Any domain controller in a site can become a bridgehead server, and bridgeheads are designated by the KCC for each writable partition in the site. You can control which servers are designated as bridgehead servers by defining preferred bridgehead servers (see Setting a Preferred Bridgehead Server for a Site for more on how to do this).

Setting a Preferred Bridgehead Server for a Site

Problem

You want to set a preferred bridgehead server for a site.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, expand Sites, expand the site where the server you want to set as a bridgehead is contained, and expand the Servers container.

  3. Right-click on the server you want to set as the bridgehead and select Properties.

  4. Highlight IP, SMTP, or both, depending on the protocol(s) for which you want the server to be a bridgehead.

  5. Click the Add button.

  6. Click OK.

Using a command-line interface

Create an LDIF file called set_bridgehead_server.ldf with the following contents:

dn: cn=<DCName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
add: bridgeheadTransportList
bridgeheadTransportList: cn=IP,cn=Inter-site
Transports,cn=sites,cn=configuration,<ForestRootDN>
-

Then run the following command:

> ldifde -v -i -f set_bridgehead_server.ldf

You can also set the preferred bridgehead server with AdMod, using the following syntax:

Admod -b cn=<DCName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN> bridgeheadTransportList:+:"cn=IP,cn=Inter-site transports,cn=sites,cn=configuration,<ForestRootDN>"

Using PowerShell

You can set a preferred bridgehead server using the following syntax. Note that the transport can be set as IP or SMTP.

Set-ADObject -Identity "cn=<DCName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration, <ForestRootDN>" -Add @{bridgeHeadTransportList="cn=<Transport>,cn=Inter-site Transports,cn=sites,cn=configuration,<ForestRootDN>"}

Discussion

Setting a preferred bridgehead server can give you more control over which domain controllers participate in inter-site replication, but it is also limiting. The KCC typically selects bridgehead servers dynamically, but if you set preferred bridgehead servers, the KCC will not select new ones if the preferred servers become unavailable. Therefore, you should ensure that if you do select preferred bridgehead servers, you select at least two for a given partition in a site.

Note

As a general rule, you shouldn’t set preferred bridgehead servers if at all possible.

Listing the Servers

Problem

You want to list the server objects in the site topology.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, expand Sites and then expand the site where you want to list the servers.

  3. Expand Servers under the site to list the servers in the site.

Using a command-line interface

> dsquery server [-site <SiteName>]

To list all servers in the site topology using AdFind, use the following syntax:

> adfind -config -rb cn=sites -f (objectcategory=server)

To restrict the results to a specific site, do the following:

> adfind -config -rb cn=<SiteName>,cn=sites -f (objectcategory=server)

Using PowerShell

To list all servers in the site topology by using PowerShell, use the following syntax:

Get-ADObject -SearchBase "cn=sites,cn=configuration,<ForestRootDN>" -Filter {objectCategory -eq "server"} | Select Name

To list all servers in a specific site, use the following syntax:

Get-ADObject -SearchBase "cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>" -Filter {objectCategory -eq "server"} | Select Name

Discussion

Each Active Directory domain controller is represented in the site topology by a server object that is associated with a specific site. Replication decisions are made based on links from this site to other sites that contain domain controllers.

Other types of services can also add server objects to the site topology. The way you can distinguish which ones are domain controllers is the presence of an NTDS Settings (nTDSDSA) object that is a child of the server object. Only domain controllers will have that object.

Moving a Domain Controller to a Different Site

Problem

You want to move a domain controller to a different site.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, expand Sites, expand the site where the server you want to move is contained, and expand the Servers container.

  3. Right-click on the server you want to move and select Move.

  4. Select the site to move the server to.

  5. Click OK.

Note

You can also drag and drop the server object from one site to another, if desired. To do so, drag the server object to the desired Servers container under the destination site.

Using a command-line interface

You can move a domain controller to a new site using either the built-in DSMove utility or AdMod. DSMove takes the following syntax:

> dsmove "cn=<ServerName>,cn=servers,cn=<CurrentSite>,cn=sites,cn=configuration,<ForestRootDN>" -newparent "cn=servers,cn=<NewSite>,cn=sites,cn=configuration,<ForestRootDN>"

To move a DC using AdMod, use the following syntax:

> admod -b "cn=<ServerName>,cn=servers,cn=<CurrrentSite>,cn=sites,cn=configuration,<ForestRootDN> -move "cn=servers,cn=<NewSite>,cn=sites,cn=configuration,<ForestRootDN>

Using PowerShell

To move a domain controller to a different site by using PowerShell, use the following syntax:

Move-ADObject -Identity "cn=<ServerName>,cn=servers,cn=<CurrentSite>,cn=sites,cn=configuration,<ForestRootDN>" -TargetPath "cn=servers,cn=<NewSite>,cn=sites,cn=configuration,<ForestRootDN>"

Discussion

After you move a server to a new site, you might want to monitor replication to and from that server to make sure that any new connections that are needed get created and start replicating. See Viewing the Replication Status of Several Domain Controllers for more on viewing the replication status of a server.

Configuring a Domain Controller to Cover Multiple Sites

Problem

You want to configure a domain controller to cover multiple sites, which will cause clients in all of those sites to use that domain controller for authentication and directory lookups.

Solution

Using a graphical user interface

  1. Run the Group Policy Management snap-in.

  2. Locate the GPO that applies to the domain controller.

  3. Right-click on the policy and then click Edit.

  4. In the Group Policy Management Editor, browse to Computer Configuration→Administrative Templates→System→Net Logon→DC Locator DNS Records.

  5. Double-click the “Specify sites covered by the DC Locator DNS SRV records” setting.

  6. Click Enabled and then enter the sites that the DC should cover in the Sites dialog box. Each site should be separated by a space.

  7. Click OK and then close the Group Policy Management Editor.

Discussion

In an Active Directory environment, it is perfectly valid to have a site that does not contain its own domain controller. In fact, if you model the site topology after your real network, some sites will lack their own domain controllers unless you’ve deployed a branch office architecture or have very few sites. If you create sites without any domain controllers, the site links between the sites will determine which domain controllers will cover or advertise their services to the site. When a domain controller covers for a remote site, it needs to publish site-specific DNS resource records that clients in the remote site can use to find the domain controller. Active Directory will select DCs to cover DC-less sites automatically, but you can hardcode the list of sites a specific domain controller should cover by using a Group Policy setting as described in the preceding section.

Viewing the Site Coverage for a Domain Controller

Problem

You want to view the sites that a domain controller covers.

Solution

Using a command-line interface

In the following command, replace <DomainControllerName> with the name of the domain controller you want to view site coverage for:

> nltest /server:<DomainControllerName> /DsGetSiteCov

Discussion

Configuring a Domain Controller to Cover Multiple Sites describes how to configure a domain controller to cover multiple sites. Disabling Automatic Site Coverage for a Domain Controller describes how you can prevent a domain controller from covering for any sites other than its own.

See Also

MSDN: DsGetDcSiteCoverage

Disabling Automatic Site Coverage for a Domain Controller

Problem

You want to prevent a domain controller from covering sites outside of the one in which it resides.

Solution

Using a graphical user interface

  1. Run regedit.exe from the command line or select Start→Run.

  2. Expand HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameters.

  3. Right-click on Parameters and select New→DWORD Value.

  4. For the name, enter AutoSiteCoverage.

  5. Double-click on the new value, enter 0 under Value data, and click OK.

Using a command-line interface

> reg add HKLMSystemCurrentControlSetServicesNetlogonParameters /v AutoSiteCoverage /t REG_DWORD /d 0

Using PowerShell

$strRegPath = "HKLM:SystemCurrentControlSetServicesNetlogonParameters"
set-ItemProperty -path $strRegPath -name "AutoSiteCoverage" -value 0

Discussion

If you want to reduce the load on a domain controller, one way is to prevent it from covering for other sites. Automatic site coverage happens when a site does not contain any domain controllers.

See Also

Viewing the Site Coverage for a Domain Controller for viewing the site coverage for a domain controller

Finding the Site for a Client

Problem

You want to find which site a client computer is located in.

Solution

Using a command-line interface

In the following command, replace <HostName> with the name of the host you want to find the site for:

> nltest /server:<HostName> /DsGetSite

Note

You’ll use the /server: <HostName> parameter even if you are specifying a client computer.

Microsoft provides a DsGetSiteName method that can be used by languages such as Visual Basic and C++ to retrieve site coverage information. In fact, the nltest command shown in the CLI solution is a wrapper around this method.

The IADsTool interface provides a wrapper around this method:

set objIadsTools = CreateObject("IADsTools.DCFunctions")
strSite = objIadsTools.DsGetSiteName("<HostName>")
Wscript.Echo "Site: " & strSite

Discussion

Each domain controller has a server object that is contained within a site. Clients are different—they are associated with a site based on their IP address, and the corresponding subnet that it matches is in the Subnets container. The client site information is important because it determines the domain controller the client authenticates with. If the client’s IP address does not match the subnet range of any of the subnets stored in Active Directory, it will randomly pick a site to use, which means it could authenticate against any domain controller in the domain. See Forcing a Host into a Particular Site for a way to hardcode the site association for a client.

See Also

Forcing a Host into a Particular Site for forcing a host into a particular site; MSDN: DsGetSiteName

Forcing a Host into a Particular Site

Problem

You want to force a host to be in a particular site.

Solution

Using a graphical user interface

  1. Run regedit.exe.

  2. Expand HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNetlogonParameters.

  3. Right-click on Parameters and select New→String Value.

  4. Enter SiteName for the name.

  5. Double-click on the new value, enter the name of the site under Value data, and click OK.

Using a command-line interface

> reg add HKLMSystemCurrentControlSetServicesNetlogonParameters↵
 /v SiteName /t
REG_SZ /d <SiteName>

Using PowerShell

$strRegPath = "HKLM:SystemCurrentControlSetServicesNetlogonParameters"
set-ItemProperty -path $strRegPath -name "SiteName" -value "<SiteName>"

Discussion

You can bypass the part of the DC Locator process that determines a client’s site by hardcoding it in the Registry. This is generally not recommended and should primarily be used as a troubleshooting tool. If a client is experiencing authentication delays due to a misconfigured site or subnet object, you can hardcode its site so that it temporarily points to a more optimal location (and domain controller) to see whether this alleviates the problem. However, in a situation like this, your ultimate goal should be to properly configure your sites and subnets so that the DC Locator process can function without this kind of manual intervention.

Warning

Unlike client computers, hardcoding a domain controller via this solution does not change the site of the domain controller.

See Also

Finding the Site for a Client for finding the site for a client

Creating a connection Object

Problem

You want to create a connection object to manually set up replication between two servers.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, expand Sites, expand the site that contains the connection object you want to check, expand the Servers container, and expand the server for which you want to create the connection object.

  3. Right-click on the NTDS Settings object, click New, and then click Connection.

  4. Select the replication partner and click OK.

  5. Enter the name for the connection and click OK.

Using a command-line interface

> repadmin /add <PartitionDN> <DC1DNSName> <DC2DNSName>

Discussion

Hopefully you will not need to create connection objects manually, since creating and maintaining connection objects is the job of the KCC. It can be a lot of work to keep your connection objects up to date by yourself, especially if you have a large topology. The KCC uses complex algorithms to determine the best partners for a domain controller to replicate with.

It is sometimes necessary to create connections manually if you find a replication problem and need to get replication going again between one or more sites. By creating a connection and forcing replication to occur over that connection, you can get servers back in sync quickly.

See Also

Listing the connection Objects for a Server for listing the connection objects for a server

Listing the connection Objects for a Server

Problem

You want to view the connection objects associated with a domain controller.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, expand Sites, expand the site that contains the connection object you want to check, expand the Servers container, expand the server that contains the connection object, and click on the NTDS Settings object.

    In the right pane, under the Name column, the snap-in will display which connection objects were automatically generated by the KCC and which ones were manually generated.

Using a command-line interface

> repadmin /showconn [<DomainControllerName>]

Using PowerShell

Get-ADObject -SearchBase "cn=<DCName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>" -Filter {objectClass -eq "nTDSConnection"} -Properties * | FL Name,fromServer

Discussion

connection objects are used to replicate inbound changes to a domain controller. By viewing the connection objects for a server, you can see what domain controllers it receives updates from. connection objects are created automatically by the KCC, but they can be created manually if necessary.

See Also

Creating a connection Object for creating a connection object

Finding the ISTG for a Site

Problem

You want to find the Inter-Site Topology Generator (ISTG) for a site.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Click on the site you are interested in.

  3. In the right pane, double-click on the NTDS Site Settings object.

    The ISTG will be displayed under Inter-Site Topology Generator if one is present.

Using a command-line interface

You can query for this information using repadmin:

> repadmin /istg

You can also use AdFind, as follows:

> adfind -config -rb "cn=ntds site settings,cn=<SiteName>,cn=sites"intersitetopologygenerator

Using PowerShell

Get-ADObject -Identity "cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>" -Properties interSiteTopologyGenerator | Select interSiteTopologyGenerator

Discussion

One domain controller in every site is picked as the ISTG for that site. While each domain controller is responsible for creating its own intra-site connection objects, the ISTG for a site is responsible for creating the inter-site connection objects for the bridgehead servers in the site.

The current ISTG for a site is stored in the interSiteTopologyGenerator attribute of the site’s NTDS Site Settings object. The distinguished name of ISTG’s NTDS Settings object is stored in the interSiteTopologyGenerator attribute.

Disabling inter-site topology generation is synonymous with disabling the KCC for a site. See Disabling the KCC for a Site for more information on disabling the KCC.

Transferring the ISTG to Another Server

Problem

You want to move the ISTG for a site to another domain controller. This happens automatically if you take the current ISTG offline, but you may want to transfer the role to a server that is more optimal in your environment.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Click on the site you are interested in.

  3. In the right pane, double-click on the NTDS Site Settings object.

  4. Open the Attribute Editor tab and then modify the interSiteTopologyGenerator attribute to include the DN of the NTDS Settings object of the domain controller you want to transfer the ISTG role to.

  5. Click OK.

Using a command-line interface

> admod -b "cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,;<ForestRootDN>" interSiteTopologyGenerator::"cn=NTDS Site Settings, ;cn=<NewISTGName>,cn=servers,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>

Using PowerShell

You can modify the Inter-Site Topology Generator for an AD site by using PowerShell, as follows:

Set-ADObject -Identity "cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>" -Replace @{interSiteTopologyGenerator="cn=NTDS Settings,<DCName>,cn=Servers,cn=<SiteName>,cn=Sites,cn=Configuration,<ForestRootDN>"}

Discussion

The current ISTG for a site is stored as the DN of the ISTG’s NTDS Settings object in the interSiteTopologyGenerator attribute of the site’s NTDS Site Settings object.

Domain controllers communicate their presence as the ISTG by writing to the interSiteTopologyGenerator attribute at a set interval. If you want another domain controller to assume the role of the ISTG, you need to write the distinguished name of that domain controller’s NTDS Settings object to the interSiteTopologyGenerator attribute of the NTDS Site Settings object for the site.

Two Registry settings govern the ISTG registration process, both of which are stored under the HKEY_LOCAL_MACHINESystemCurrentControlSetServicesNTDSParameters key. The interval (in minutes) in which the current ISTG should write to the interSiteTopologyGenerator attribute to inform the other DCs in the site that it is still the ISTG is stored in the KCC site generator renewal interval (minutes) value. The default is 30 minutes. The other value is named KCC site generator failover (minutes) and contains the time in minutes that each domain controller in the site should wait for the interSiteTopologyGenerator attribute to be written to before attempting to register itself as the ISTG. The default is 60 minutes.

Triggering the KCC

Problem

You want to trigger the KCC.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. In the left pane, browse to the NTDS Settings object for the server you want to trigger the KCC for.

  3. Right-click on NTDS Settings, select All Tasks, and check Replication Topology.

  4. Click OK.

Using a command-line interface

> repadmin /kcc <DomainControllerName>

Using PowerShell

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain();foreach ($domaincontroller in $domain.FindAllDomainControllers()){$domaincontroller.CheckReplicationConsistency()}

Discussion

The KCC runs every 15 minutes by default on all domain controllers to generate the intra-site topology connections. The KCC that runs on the server that is selected as the ISTG generates inter-site topology connections to other sites from the bridgehead servers in its site. In some situations—such as when you create new site, siteLink, or subnet objects—you may want to run the KCC immediately so that any new connections between domain controllers are created right away.

Determining Whether the KCC Is Completing Successfully

Problem

You want to determine whether the KCC is completing successfully.

Solution

Using a graphical user interface

  1. Open the Event Viewer of the target domain controller.

  2. Expand Applications and Services Logs.

  3. Click on the Directory Service log.

  4. In the right pane, click on the Source heading to sort by that column.

  5. Scroll down to view any events with Source: NTDS KCC.

Using a command-line interface

The following command will check to see whether the KCC is completing without errors:

> dcdiag /v /test:kccevent /s:<DomainControllerName>

Using PowerShell

The following syntax will query the Directory Service log for all events that have a source of "NTDS KCC":

Get-EventLog "Directory Service" | Where-Object {$_.Source -eq "NTDS KCC" } | FL

Discussion

The main way to debug issues with the KCC is by looking for NTDS KCC events in the Directory Service event log. If you suspect a problem or perhaps are seeing errors, you can increase the amount of logging in the event log by enabling diagnostics logging for the KCC. When KCC diagnostics logging is enabled, each KCC exception logs a significant amount of information to the event log that may help you pinpoint the problem. See Enabling Diagnostics Logging for more information on enabling diagnostics logging.

Disabling the KCC for a Site

Problem

You want to disable the KCC for a site and generate your own replication connections between domain controllers.

Solution

Using a graphical user interface

  1. Open the Active Directory Sites and Services snap-in (dssite.msc).

  2. Click on the site you are interested in.

  3. In the right pane, double-click on the NTDS Site Settings object.

  4. Modify the options attribute. To disable only intra-site topology generation, enable bit 0 (decimal 1). To disable inter-site topology generation, enable bit 4 (decimal 16). To disable both, enable both bit 4 and bit 1 (decimal 17).

  5. Click OK.

Using a command-line interface

You can disable the KCC for <SiteName> by using the ldifde utility and an LDIF file that contains the following:

dn: cn=NTDS Site Settings,<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: options
options: <OptionsValue>
-

If the LDIF file were named disable_kcc.ldf, you would run the following command:

> ldifde -v -i -f disable_kcc.ldf

You can also perform this change using a combination of AdFind and AdMod, as follows:

> adfind -b "cn=NTDS Site Settings,cn=<SiteName>,cn=Sites,cn=configuration, ;<ForestRootDN>" options -adcsv | admod options::{{.:SET:<OptionsValue>}}

Note

The ldifde solution simply overwrites the value of the options attribute without checking to see whether any current value may be in place. See Modifying a Bit-Flag Attribute, or use the AdFind/AdMod solution for a safer method to modify bitwise values.

Using PowerShell

The following command will update the options attribute. To disable only intra-site topology generation, enter the number 1 for the value. To disable inter-site topology generation, enter the number 16 for the value. To disable both, enter the number 17 as the value.

Set-ADObject "cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration, ;<ForestRootDN>" -Replace @{Options="<OptionsValue>"}

Using PowerShell

To clear the attribute and revert to the <not set> default value, use the following command:

Set-ADObject "cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration, ;<ForestRootDN>" -Clear Options

Discussion

In some cases, you may want to disable the KCC from generating the intra-site topology connections, inter-site topology connections, or both. The connection objects that the KCC dynamically creates determine how domain controllers replicate with each other. Disabling the KCC was sometimes necessary with legacy versions of Windows due to scalability issues with the KCC and very large topologies. Since Windows Server 2003, the KCC has been greatly improved, and it is unlikely that you will need to disable the KCC. If you disable the KCC, you will need to pay close attention to any domain controller or site topology changes and manually adjust the connection objects accordingly.

Disabling the KCC can be done only at the site level. You have to modify the NTDS Site Settings object of the site for which you want to disable the KCC. The options attribute (a bit flag) on this object determines whether the KCC runs. If the 00001 bit is enabled, intra-site topology generation is disabled; if the 10000 bit is enabled (16 in decimal), inter-site topology generation is disabled. See Modifying a Bit-Flag Attribute for more on the proper way to set bit flags.

See Also

Modifying a Bit-Flag Attribute for more on setting bit flags; Creating a connection Object for creating a connection object manually

Changing the Interval at Which the KCC Runs

Problem

You want to change the interval at which the KCC runs.

Solution

Using a graphical user interface

  1. Run regedit.exe.

  2. Expand HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesNTDSParameters.

  3. Right-click on Parameters and select New→DWORD Value.

  4. Enter the following for the name: Repl topology update period (secs).

  5. Double-click on the new value, and under “Value data” enter the KCC interval in number of seconds (900 is the default).

  6. Click OK.

Using a command-line interface

> reg add HKLMSystemCurrentControlSetServicesNTDSParameters /v "Repl topology
update period (secs)" /t REG_DWORD /d <NumberOfSeconds>

Using PowerShell

$strRegPath = "HKLM:SystemCurrentControlSetServicesNTDSParameters";set-ItemProperty -path $strRegPath -name "Repl topology update period (secs)" -value "<NumberOfSeconds>"

Discussion

By default, the KCC checks its connections every 15 minutes and makes changes as necessary. You can modify this interval by simply modifying the Registry.

There is another related Registry setting you should also be aware of. By default, the KCC waits five minutes after Active Directory starts up before it runs. You can change this delay by creating a REG_DWORD value called Repl topology update delay (secs) under the HKLMSystemCurrentControlSetServicesNTDSParameters key. The data for the value should be the number of seconds to wait after startup before the KCC starts. The default is 300, which is five minutes.

See Also

MS KB 271988 (Replication Topology Updates)

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.15.26.135