This is also an optional component. KCC automatically creates connection objects between those domain controllers across which replication occurs.
Although you can create or configure connection objects manually to force replication over a particular connection, normally you should allow replication to be automatically optimized by the KCC based on the information you provide in the Active Directory Sites and Services console about your deployment. Create connection objects manually only if the connections that are automatically configured by the KCC do not connect specific domain controllers that you want to connect.
1. Observe the connection objects that were created by selecting the NTDS Settings of DC1.
KCC created these objects automatically. You can create your own, but it is absolutely unnecessary here.
Global Catalog servers
The Global Catalog is the central database of information about objects in a tree or forest. The first domain controller in a forest automatically becomes the global catalog server. A Global catalog server stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest. This storage strategy provides efficient searches without unnecessary referrals to other domain controllers.
The global catalog performs three key functions:
1. It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
2. It enables finding directory information regardless of which domain in the forest actually contains the data.
3. It resolves user principal names (UPNs) when the authenticating domain controller does not have knowledge of the account.
Universal Group caching
If you do not have a Global Catalog at a site, the universal group membership caching feature can optimize the logon process. Universal group membership caching allows a domain controller to process user logon requests without contacting a global catalog server. The cache is refreshed periodically, as determined by the replication schedule. This feature eliminates the need to deploy global catalog servers into smaller remote office locations in order to avoid logon failures in the event that the network link connecting the remote site to the rest of the organization is disconnected.
The universal group membership caching feature must be set for each site and requires a domain controller to run a Windows Server 2003 operating system. When a user attempts to log on the first time after a Windows Server 2003 domain controller has been configured to enable the universal group membership caching feature, the domain controller obtains the universal group membership information for the user from a global catalog. The universal group membership information is then cached on the domain controller for the site indefinitely and is periodically refreshed.
The next time the user attempts to log on, the authenticating Windows Server 2003 domain controller obtains the universal group membership information from its local cache without contacting a global catalog. We will now observe that DC1 is already a Global Catalog server, and then make DC3 the Global Catalog server for the NC site.
1. Click Start → Administrative Tools → Active Directory Sites and Services. Expand Servers and select the NTDS Settings for DC1, right click and select Properties. Observe that the Global Catalog checkbox is already selected. DC1 was the first Domain Controller in the forest, so it automatically became the Global Catalog server.
2. Using this procedure, make DC3 the Global Catalog server in the NC site. Expand Servers and select the NTDS Settings for DC3, right click and select Properties. Select
3. We will now designate DC3 as the Universal Group caching server. Select the NC site and, in the right-hand pane, right click NTDS Site Settings and select Properties.
4. Select the Enable Universal Group Membership Caching checkbox. Click OK. Close all windows to finish this lab.
Let's summarize what we have accomplished so far:
• Ben and Brady Ice Cream Corp. has 2 sites, CA and NC.
• CA has two Domain Controllers, DC1 and DC2.
• NC has one Domain Controller, DC3.
• The subnet for CA is 200.200.201.0 and the subnet for NC is 200.200.202.0.
• A Windows Server 2003 server configured as a router connects the two networks.
• DC1 and DC3 are bridgehead servers and inter-site replication will take place between these 2 servers.
• DC1 and DC3 are also Global Catalog servers.
• DC3 is the Universal Group caching server.
Lab 4
Monitoring Active Directory Replication
You will learn how to:
• Install Active Directory support tools
• Use Replication Monitor to monitor and troubleshoot
• Use Active Directory command-line tools for generating reports and troubleshooting
• Create a batch file to automate domain-wide replication
• Use Active Directory Sizer to plan the number of servers
Scenario – Part Four
The Operations Manager would now like to move on to the Monitoring and Reporting phase of the project. He asks whether the system you have set up can monitor the replication traffic and generate weekly reports, so that he is assured the system continues to work as designed. Your answer is to set up Replication Monitor and other tools for monitoring, reporting and automating replication between domain controllers. To begin with, you will configure the Active Directory support tools to monitor the network and will then train the Operations Manager in how to generate and analyze the reports created by Replication Monitor.
You will then create a script that the Operations Manager can run by simply double clicking on an icon on his desktop that will trigger replication between all domain controllers at all sites. The Operations Manager is very excited about this.
Finally, you will also set up the Active Directory Sizer tool so that the Operations Manager can determine the number of servers required to optimize the network as the company grows.
The Operations Manager is now ecstatic and inquires how soon all this can be delivered. You get to work immediately.
Installing the Active Directory support tools
We will now install additional tools from the Windows Server 2003 CD. These tools will help us monitor and troubleshoot Active Directory services.
1. Log in to DC1 as Administrator. Insert the Windows Server 2003 CD. When the CD runs, select Perform additional tasks and then select Browse this CD. Double click Support, double click Tools, and then double click the SUPTOOLS.MSI file to start the installation of the support tools.
2. In the Welcome screen click Next, agree to the License Agreement, enter your name on the next screen and click Install Now to start the installation. Note that a new folder called Support Tools will be created in the Program Files folder. Click Finish.
Active Directory Replication Monitor (Replmon.exe)
ReplMon is used to view the status of Active Directory replication, to force synchronization between domain controllers, to monitor replication and to view the network topology in a graphical format.
You can use ReplMon for the following important tasks:
• See when a replication partner fails.
• View the history of successful and failed replication changes for troubleshooting purposes.
• View the properties of directory replication partners.
• Find all direct and transitive replication partners on the network.
• Display replication topology.
• Force replication.
• Trigger the Knowledge Consistency Checker (KCC) to recalculate the replication topology.
• Display changes that have not yet replicated from a given replication partner.
• Display a list of the trust relationships maintained by the domain controller being monitored.
1. On DC1, click Start → Command Prompt, type replmon and press Enter. Right click Monitored Servers and then click Add Monitored Server to start the Wizard.
2. Click Add the server explicitly by name and click Next.
3. Select Enter the name of the server to monitor explicitly and type DC1. Click
4. Using the same steps, add DC2 and DC3 as monitored servers. Your screen should now look the same as in the following figure. Observe that each Domain Controller is listed in the appropriate site. DC1 and DC3 have the symbol of the globe since they are Global Catalog servers.
5. Expand DC1. Note that each partition (component) of Active Directory is represented by the symbol of a book. Select CA\DC2. The right-hand pane shows details of the replication between DC1 and DC2, such as the USN and the date and time of the last successful replication. Also note that NC\DC3 has the symbol of a telephone connection. This means that it is a bridgehead server.
6. Right click DC1 and select Generate Status Report. Type Stat1 for the file name and click Save. Click OK to select all the report options. Click OK in the report status box.
7. To view the report, click File → Open Log → Stat1.log → Open. The report will open in Notepad and can be printed. Navigate to see the major sections of the report. It has every detail about the site, domain, FSMO roles, replication and so on. This report is extremely useful for documentation and troubleshooting.
We will now create and modify objects in Active Directory. Ensure that DC2 is unavailable by shutting it down. On DC1, use Active Directory Users and Computers to create an Organizational Unit called CA. Also, in the properties for the user Michelle Wong, enter Headquarters in the Office field and 800-555-1212 in the Telephone Number field. Next, log on to DC3. Create an OU called NC. Now log on to DC1. In the Active Directory Replication Monitor console (replmon.exe), right click DC1 and select Synchronize Each Directory Partition with All Servers. Click OK and then Yes for the messages that tell
8. DC1 and DC3 will now replicate. DC1 will be unable to replicate with DC2.
9. Use Active Directory Users and Computers to verify that CA, NC and the changes to Michelle Wong are available on both Domain Controllers. Create another status report and save it as Stat2. Open the status report.
Restart DC2. Use Active Directory Sites and Services to replicate. Run the status report again and note the success this time. Also, verify the results in Active Directory Users and Computers. Close all programs.
Status report results while DC2 is down: DC1/DC2 unsuccessful; DC1/DC3 successful.
Replication Diagnostics tool (Repadmin.exe)
Repadmin is a command-line tool used to view the replication topology from the perspective of each domain controller. You can also use repadmin to force replication and to find out how up-to-date each domain controller is.
1. On DC1, go to the command prompt and type repadmin /showrepl DC1 and press Enter. This command displays all the replication partners for DC1.
2. At the command prompt type repadmin /showconn DC1 and press Enter. This command displays all the connection objects for DC1.
3. At the command prompt type repadmin /replicate dc1 dc2 dc=benandbrady,dc=com and press Enter. This command replicates the domain partition between DC1 and DC2.
Note the argument order: the first server named is the destination and the second is the source, so this replication is from DC2 to DC1.
4. Let us now create a batch file that will replicate all connections. Open Notepad and type the following:
Save this file to the desktop as Domain Replication.bat. Note that we do not replicate between DC2 and DC3. DC1 and DC3 are the bridgehead servers that participate in inter-site replication.
To synchronize the benandbrady.com domain, you no longer have to use any GUI based tools. Let’s double click on the file Domain Replication.bat. You will see a Command Prompt window pop up in which the batch file will run and synchronize the domain.
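A batch file of the kind step 4 describes, written here as an added example (the manual's own file is not reproduced on this page): it pulls the benandbrady.com domain partition in both directions over the DC1/DC2 and DC1/DC3 connections, skips DC2/DC3 as the text requires, and flags any partner that fails, which is how the DC2-offline case from the Replication Monitor exercise shows up at the command line.

```batch
@echo off
rem Domain Replication.bat (added example, not the manual's own file)
rem Pulls the benandbrady.com domain partition over each connection used in this lab:
rem DC1 and DC2 inside the CA site, and DC1 and DC3, the two bridgehead servers, between sites.
rem DC2 and DC3 are deliberately not paired: inter-site traffic goes through the bridgeheads only.
setlocal
set NC=dc=benandbrady,dc=com

rem Each call replicates in one direction; the first argument pulls from the second.
call :pull dc1 dc2
call :pull dc2 dc1
call :pull dc1 dc3
call :pull dc3 dc1

rem Print the partner status for DC1 so an unreachable partner is visible before the window closes.
repadmin /showrepl dc1
pause
endlocal
goto :eof

:pull
rem repadmin /replicate <destination> <source> <naming context>
repadmin /replicate %1 %2 %NC%
if errorlevel 1 echo WARNING: %1 could not replicate from %2
goto :eof
```

With DC2 shut down, the two calls involving dc2 print the warning while the DC1/DC3 calls complete, matching the Stat2 report from the Replication Monitor exercise.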
Directory Services utility (Dsastat.exe)
Dsastat.exe can be used to compare two directory trees across replicas within the same domain or, in the case of a global catalog, across different domains. The tool retrieves capacity statistics such as megabytes per server, objects per server and megabytes per object class and also performs comparisons of the attributes of replicated objects.
1. On DC1, go to the command prompt and type
dsastat /s:dc1;dc2 /b:"CN=Domain Controllers,DC=benandbrady,DC=com"
and press Enter. This command compares the objects in the Domain Controllers container on DC1 and DC2. Check the last section of the report: Server sizes are equal. PASS.
Domain Controller Diagnostic tool (Dcdiag.exe)
This command-line tool analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting.
1. On DC1, go to the command prompt and type dcdiag /s:dc1 and press Enter. This command performs a series of tests and gives you a report showing whether the Domain Controller passed or failed each test. To capture the output in a text file, type dcdiag /s:dc1 >dc1.txt and press Enter. In the C:\ drive, double click on the file dc1.txt to
Active Directory Sizer
Active Directory Sizer is a capacity planning tool that helps an organization size its Active Directory deployment. It should be used after the design phase and before the actual deployment of servers.
The Active Directory Sizer estimates the hardware required for deploying Active Directory in your organization depending on your organization's usage profile. Based on your answers to the Active Directory Sizer wizard, the tool will calculate the total workload and estimate the following for you:
• Number of domain controllers (including Global Catalog servers and bridgehead servers).
• Number and type of processor(s) per machine.
• Number of disks needed for the Active Directory database.
• Memory required.
• Network bandwidth utilization.
1. Download the Active Directory Sizer from Microsoft's web site. Locate and run the setup.exe file to begin installation. Follow the prompts to install the application. Next,
2. In the Active Directory Sizer console, right click Domain Configuration and select Add Domain. Type benandbrady.com in the domain name. Click Next. Type 100 for the Number of Users and click Next.
3. Type 10 for the Average number of groups and the Interactive Logon fields. Click Next. Type 100 for the Windows computers, 10 for Other computers and 10 for other objects. Click Next for next two screens to accept the default values. In the Administration screen, type 5 for Add, 1 for Delete, 10 for Modify. Select Interval Weekly. Click Finish.
4. You will see a report for benandbrady.com showing the size of the Active Directory database, including both the Domain Database and the Global Catalog. In our example, the database is 24 MB.
In a large network, with several hundred users and computers, the size of the database will be extremely large. The size increases exponentially with the number of computers, users and groups. Hence, it is extremely important to design the sites and services carefully, such as the placement of domain controllers, Global Catalog servers and DNS servers.
The following is a sample report showing a large network of 500,000 users and 400,100 workstations and servers. You will need 68 servers – 33 Domain Controllers, 34 Global Catalog servers, and 1 bridgehead server.
As you can see, ADSizer gives you a very accurate estimate of hardware requirements based on the size of your network.
Lab 5
Upgrading the Domain & Forest Functional Levels and Changing Single Master Operations Roles in Benandbrady.com
You will learn how to:
• Determine the appropriate domain & forest functional level
• Upgrade domain and forest functional levels
• Verify the operations master roles
• Transfer the operations master role
Scenario – Part Five
In the final phase of this project, you will be upgrading the domain and forest functional level of benandbrady.com so that it can use all the features available in Server 2003.
In your next meeting with the Operations Manager, you explain about the default levels of the domain and forest. The default levels do not permit the use of certain features but do allow backward compatibility with Windows NT Server and Windows 2000 Server.
After determining that only Windows Server 2003 will be running on benandbrady.com, you decide to raise the forest and domain functional levels to Server 2003.
The next phase is to document the flexible single master operations roles so that they can be distributed across your network. You explain to the Operations Manager that even though all Domain Controllers are peers of each other, there are some Domain Controllers that perform specific roles.
The Operations Manager would like to have a one-on-one session with you so that he can document all the steps required to change roles.
The Management of Ben and Brady Ice Cream Corp. has been getting regular reports from the Operations Manager about the progress of the network. They are extremely happy with the professionalism and attention to detail you have demonstrated in setting up the benandbrady.com domain. There was little to no interruption to normal operations. The domain is performing up to the expectations of the users and the Management.
The Management has offered you a monthly retainer to act as a Consultant and Technical Support person for the company. Your hard work has finally been rewarded with a lucrative consulting contract and lots of referrals.
Domain functional levels
Domain functional levels provide a way to enable domain-wide Active Directory features within the network environment. Windows Server 2003 has a lot of new features, some of which are not compatible with Windows 2000 and Windows NT networks. You must activate the appropriate domain functional level to benefit from the features available in Active Directory.
There are four domain functional levels:
Windows 2000 Mixed (Default): When you first install or upgrade a domain controller to a Windows Server 2003 operating system, the domain controller is set to run in Windows 2000 mixed functionality. The Windows 2000 mixed functional level allows a Windows Server 2003 domain controller to interact with domain controllers in the domain running Microsoft Windows NT 4, Windows 2000, or Windows Server 2003.
Windows 2000 Native: The Windows 2000 native functional level allows a domain controller running the Windows Server 2003 operating system to interact with domain controllers in the domain running Windows 2000 or Windows Server 2003. You can raise the functional level of a domain to Windows 2000 native if the domain controllers in the domain are all running Windows 2000 Server or later.
Windows Server 2003 Interim: The Windows Server 2003 interim functional level allows a domain controller running the Windows Server 2003 operating system to interact with domain controllers in the domain running Windows NT 4 or Windows Server 2003. The Windows Server 2003 interim functional level is an option only when upgrading the first Windows NT domain to a new forest and can be manually configured after the upgrade. This functional level does not support domain controllers running Windows 2000.
Windows Server 2003: The Windows Server 2003 functional level allows a domain controller running the Windows Server 2003 operating system to interact only with domain controllers in the domain running Windows Server 2003. You can raise the functional level of a domain to Windows Server 2003 only if all domain controllers in the domain are