Segmenting your Active Directory is not just a matter of getting a VPN up between sites, getting DNS going and then walking away. There is the much-forgotten configuration of Active Directory Sites and Services. Yes, funnily enough, this tool is indeed crucial for controlling your Active Directory from a multiple-site point of view. Who knew!

Sites and Services is crucial to the correct configuration and operation of your Active Directory architecture when dealing with multiple sites. A lot of the time, when you have two or maybe even three sites with a decent link between them, you may never see why you should use it, as your replication may still work without problems for a while. Eventually, though, it will catch up with you, and you will start seeing the problems that a lack of configuration can cause.

Let's take a look at how you should configure Sites and Services, and some of the basic concepts to grasp.

1. FOR EACH PHYSICAL YOU MUST HAVE A LOGICAL

Physical vs. logical? What am I talking about? It's actually quite simple: for every physical location you have that hosts a Domain Controller, you must have a logical site. Sites and Services allows you to create as many sites as you need, and is the central point for administering site locations, subnet assignments and replication links, with the ability to schedule replication and specify multiple paths for replication redundancy.

A site is defined by Microsoft as "a region of your network with high bandwidth connectivity and, by definition, is a collection of well-connected computers—based on Internet Protocol (IP) subnets".

Now, this can be somewhat misleading, as people will look at this and say, "Well, my sites are connected by a fiber connection, that's high bandwidth connectivity, I don't need to worry about sites." This is wrong. Whilst AD will replicate efficiently and act as it should over a link like that, the whole idea of Sites and Services is to segment your Active Directory logically to match your physical layout. Not configuring this can and will place unwanted and unnecessary traffic across your WAN links. You will see why a little later.

If you were to have two sites, say Office and Warehouse, in your organization, you would need to split these into logical sites within AD and assign a subnet to each site (more on subnets in a minute). This controls localized authentication and correct segmentation when your clients try to log on, as well as keeping replication at a controllable level.

Sites and Services utilizes a magical little tool called the KCC (Knowledge Consistency Checker), which controls all the connections between sites. It discovers DCs in a site and builds replication links between them. The KCC is a very intelligent tool and, with the size of the average link these days, rarely needs to be altered. In the case, however, that you need to control link connections and schedules yourself, you can disable the KCC and create your own links. This is not advised if you do not have a strong background in Active Directory and how it replicates.

In the vast majority of corporations, the KCC should be allowed to do its thing and create your inter-site and intra-site links for you.

2. TRANSFER PROTOCOLS

Sites and Services allows the use of two protocols for replication data: IP (RPC) and SMTP. These days, the use of SMTP for replication is virtually non-existent; it is designed for when you do not have full-time connectivity between sites. As you may have guessed, the IP protocol is the default, is the most suitable for replication and can usually be left as is.

3. SUBNETS

Anyone in the networking world will know what a subnet is. For those reading this, chances are you already have a VPN set up between sites and understand that you must have different subnets per site, so I won't even touch on that.

Active Directory Sites and Services allows you to assign a subnet or subnets to a site. It does this purely to control and provide localized authentication. Without subnet assignment, your client machines can and will log on to any DC in your WAN environment, causing delays in logons and poor performance.

To add to this, throw into the equation sites that may only have client machines and no local Domain Controller. In this scenario, you do not need to create a site for these machines, but you may want to assign their subnet to a site with a larger pipe, to ensure that these remote machines log on via a pipe that can handle the traffic. Simply create a new subnet and assign it to the site in question and you are done.

I myself have numerous sites within Active Directory, but I have a significantly larger pipe in my main office, so I assign all my remote sites to my main office and away we go.
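The site and subnet layout described in sections 1 and 3, as an added example in PowerShell that is not part of the original article. It assumes the ActiveDirectory module (RSAT, Windows Server 2012 or later) and rights to edit the Configuration partition; "Office" and "Warehouse" are the article's site names, and every subnet range is constructed for illustration.

```powershell
# Added example, not from the original article: one logical site per physical
# location (section 1) and each location's subnets bound to a site (section 3).
# Assumes the ActiveDirectory PowerShell module and rights to edit the
# Configuration partition. 'Office' and 'Warehouse' are the article's site
# names; every subnet below is constructed.
Import-Module ActiveDirectory

function Ensure-Site {
    param([Parameter(Mandatory)][string]$Name)
    # Idempotent: only create the site if it does not exist yet.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$Name'")) {
        New-ADReplicationSite -Name $Name
    }
}

function Ensure-Subnet {
    param(
        [Parameter(Mandatory)][string]$Cidr,
        [Parameter(Mandatory)][string]$Site
    )
    $existing = Get-ADReplicationSubnet -Filter "Name -eq '$Cidr'"
    if ($existing) {
        # Re-point a subnet that was left on the wrong site.
        Set-ADReplicationSubnet -Identity $existing -Site $Site
    } else {
        New-ADReplicationSubnet -Name $Cidr -Site $Site
    }
}

# Sites that host a Domain Controller: one logical site per physical location.
Ensure-Site -Name 'Office'
Ensure-Site -Name 'Warehouse'

# Subnet-to-site mapping. A client looks up its own subnet here to find a DC in
# its site; an unmapped subnet means it may authenticate against any DC on the WAN.
$subnetMap = @{
    '10.10.0.0/16' = 'Office'      # constructed: head office LAN
    '10.20.0.0/16' = 'Warehouse'   # constructed: warehouse LAN
    '10.30.0.0/24' = 'Office'      # constructed: branch with clients only and no DC,
                                   # mapped to the site with the biggest pipe
}
foreach ($cidr in $subnetMap.Keys) {
    Ensure-Subnet -Cidr $cidr -Site $subnetMap[$cidr]
}

# Check: list every subnet with the site it now resolves to.
Get-ADReplicationSubnet -Filter * |
    Select-Object Name, @{ n = 'Site'; e = { ($_.Site -split ',')[0] -replace '^CN=' } }

# Check from a client or member server which site it resolved to:
#   nltest /dsgetsite
```

Run it on a DC or a management host with RSAT; the two `Ensure-` helpers make it safe to re-run after adding a location. The `nltest /dsgetsite` check is the quickest way to confirm that a branch without a DC (the third subnet above) really lands in the site with the bigger pipe rather than in whichever site answered first.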

4. COSTS

The KCC bases its replication path on a least-cost theory. Costs are values that you assign to a link depending on its speed, and come more into play in an environment which is fully meshed, meaning that there may be multiple paths over which a connection can occur.

The lower the cost that you assign to a link, the more preferentially the KCC will treat it. Basically, the logic here is that links with a higher cost should be used as a failsafe: if Connection A fails, use Connection B, or Connection C.
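The cost logic from section 4 and the KCC-generated links from section 1, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory module, the Office and Warehouse sites from the article, and a constructed third site called "DR" on a slower link (a cost only matters once there is more than one route between two sites).

```powershell
# Added example, not from the original article: site links with explicit costs
# so that the KCC prefers the primary path and treats the higher-cost path as
# the failsafe. Assumes the ActiveDirectory module, the article's Office and
# Warehouse sites, and a constructed third site 'DR' reachable over a slow link.
Import-Module ActiveDirectory

if (-not (Get-ADReplicationSite -Filter "Name -eq 'DR'")) { New-ADReplicationSite -Name 'DR' }

function Ensure-SiteLink {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$Sites,
        [Parameter(Mandatory)][int]$Cost,
        [int]$Minutes = 15
    )
    # Idempotent create-or-update so the script can be re-run safely.
    if (Get-ADReplicationSiteLink -Filter "Name -eq '$Name'") {
        Set-ADReplicationSiteLink -Identity $Name -Cost $Cost -ReplicationFrequencyInMinutes $Minutes
    } else {
        New-ADReplicationSiteLink -Name $Name -SitesIncluded $Sites -Cost $Cost `
            -ReplicationFrequencyInMinutes $Minutes -InterSiteTransportProtocol IP
    }
}

# Connection A: the fast primary link, lowest cost, frequent replication.
Ensure-SiteLink -Name 'Office-Warehouse' -Sites 'Office', 'Warehouse' -Cost 100 -Minutes 15

# Connections B and C: the detour via DR. Each leg costs 200, so the path
# Office -> DR -> Warehouse totals 400 and is only chosen when Connection A is down.
Ensure-SiteLink -Name 'Office-DR'    -Sites 'Office', 'DR'    -Cost 200 -Minutes 60
Ensure-SiteLink -Name 'DR-Warehouse' -Sites 'DR', 'Warehouse' -Cost 200 -Minutes 60

# Caveat: DEFAULTIPSITELINK (cost 100, 180 minutes) is created with the forest.
# A site still in it has a second cost-100 route that the costs above do not
# account for. Once every site is covered by an explicit link, remove it.
$covered = (Get-ADReplicationSiteLink -Filter "Name -ne 'DEFAULTIPSITELINK'").SitesIncluded
$default = Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'"
if ($default -and -not ($default.SitesIncluded | Where-Object { $_ -notin $covered })) {
    Remove-ADReplicationSiteLink -Identity $default -Confirm:$false
}

# Check: costs and schedules as AD now sees them.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }

# Force the KCC to recompute (it does so every 15 minutes on its own), then look
# at the connection objects it built; AutoGenerated=True means the KCC owns them.
repadmin /kcc
Get-ADReplicationConnection -Filter * |
    Select-Object Name, AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer
```

The DEFAULTIPSITELINK step is the one most often missed: as long as a site sits in that link, the KCC sees a cost-100 route you never drew, and the carefully chosen 200-cost detour is not the failsafe you think it is. Leaving the connection objects with AutoGenerated=True is the "let the KCC do its thing" approach the article recommends; hand-made connections show up as AutoGenerated=False.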

5. GLOBAL CATALOG

The GC role is crucial to the location of objects within Active Directory. The GC basically knows where everything is within your AD backbone, whether it's child domains, trusted forests, etc. The GC knows all. It is important that for every site in which you have a DC, you should also have a Global Catalog. This will ensure, again, that lookups occur locally and that you have redundant copies of the GC across your Active Directory infrastructure.
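A check for the "one GC per site" rule above, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory module, rights to modify NTDS Settings objects, and a constructed DC hostname "WH-DC01" in the usage line; the GC flag is bit 1 of the `options` attribute on a DC's NTDS Settings object.

```powershell
# Added example, not from the original article: report, per site, how many DCs
# and how many Global Catalogs exist, and enable the GC on a DC that lacks it.
# Assumes the ActiveDirectory module and rights on the NTDS Settings objects.
Import-Module ActiveDirectory

function Get-SiteGcCoverage {
    # Get-ADDomainController is per domain, so walk every domain in the forest.
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }
    $dcs | Group-Object Site | ForEach-Object {
        [pscustomobject]@{
            Site = $_.Name
            DCs  = $_.Count
            GCs  = @($_.Group | Where-Object IsGlobalCatalog).Count
            OK   = (@($_.Group | Where-Object IsGlobalCatalog).Count -gt 0)
        }
    }
}

function Enable-GlobalCatalog {
    param([Parameter(Mandatory)][string]$DcName)
    $dc = Get-ADDomainController -Identity $DcName
    if ($dc.IsGlobalCatalog) { return }
    # Bit 1 of 'options' on the NTDS Settings object is the Global Catalog flag.
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]$ntds.options -bor 1
    Set-ADObject -Identity $ntds -Replace @{ options = $opts }
}

# Every site that hosts a DC should show OK = True.
Get-SiteGcCoverage | Format-Table -AutoSize

# Fix a site that came back OK = False (hostname is constructed):
#   Enable-GlobalCatalog -DcName 'WH-DC01'
# The DC only advertises as a GC after the partial attribute set has replicated in.
# Confirm with:
#   repadmin /options WH-DC01        (lists IS_GC once promotion has completed)
#   nltest /dsgetdc:<domain> /gc     (which GC a client in this site locates)
```

Run `Get-SiteGcCoverage` after every DC promotion or demotion; a site whose only GC was demoted will keep working, but every GC lookup from that site now crosses the WAN, which is exactly the traffic the article is trying to keep off the links.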

6. REDUNDANT TERMS (Opinion Based)

There are still a few terms thrown around in the world, such as site bridges. With the size of pipes available today, I have never seen a site bridge need to be used. AD replication improvements, the introduction of private IP networks, etc., reduce the need for these settings and make life, when dealing with Sites and Services, a much more pleasant experience.

7. FINAL RECAP

For a hands-on technical look at how to configure Sites and Services, I highly advise reading through this Microsoft implementation article. Rather than placing my own screenshots and configuration settings here, you can view some generic ones there with step-by-step guides on how to configure them.

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/activedirectory/stepbystep/adsrv.mspx

This article has been written purely to introduce and reinforce the point that AD Sites and Services is indeed a real necessity when dealing with multi-site domains.
