Windows Server 2003 Site Configuration and Management (Windows Server 2003 站台設定與管理), 林寶森 [email protected]
TRANSCRIPT
Windows Server 2003 Site Configuration and Management
The Logical Structure of Active Directory
(Diagram: objects grouped into organizational units, OUs inside domains, domains joined into a domain tree, trees forming a forest.)
• Domains
• Organizational Units (OUs)
• Trees and Forests
• Schema
• Objects
The Physical Structure of Active Directory
• Sites
• Domain controllers
• WAN links
(Diagram: two sites, each holding domain controllers, joined by a WAN link.)
How Replication Works
(Diagram: Site A with Domain Controller A, Domain Controller B and Domain Controller C. An originating update on A becomes a replicated update on B and C.)
• An Active Directory update is an Add, Modify, Move or Delete of an object
• The update is an originating update on the domain controller where it is written, and a replicated update on every other domain controller that receives it
• Within a site, the originating domain controller sends a change notification to its replication partners, which then pull the change
• Active Directory uses multimaster replication with loose convergence: any domain controller accepts writes, and all replicas become consistent over time rather than immediately
Optimizing Replication
• Every domain controller keeps a USN (update sequence number), a counter incremented for each change written to its directory, and is identified to its partners by a GUID
• An originating update is stamped with the originating domain controller's GUID and its USN at the time of the write; a replicated update is stored under the receiving controller's own USN
• Each domain controller keeps an up-to-dateness vector: for each originating domain controller GUID, the highest originating USN it has already applied
• Propagation dampening: before sending changes, a partner compares the requester's up-to-dateness vector against each change's originating GUID and USN and skips the changes the requester already holds, so a change that reached Domain Controller C through Domain Controller B is not sent to C again by Domain Controller A
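The mechanism above, as an added example that is not part of the slides: a small simulation of per-DC USNs, the high-watermark kept for each partner and the up-to-dateness vector, showing that a change which reached C through B is dampened when C later asks A for it. The DC names, the attribute being changed and the use of a plain name in place of the DC's GUID are assumptions made for the walkthrough.

```python
"""Simulation of AD multimaster replication bookkeeping (added example):
USNs, high-watermark, up-to-dateness vector and propagation dampening."""

from dataclasses import dataclass, field


@dataclass
class Change:
    originating_dc: str     # stands in for the originating DC's GUID
    originating_usn: int    # USN the originating DC assigned at write time
    attr: str
    value: str


@dataclass
class DomainController:
    name: str                                   # stands in for the DC's GUID
    usn: int = 0                                # local update sequence number
    db: dict = field(default_factory=dict)      # attribute -> current value
    log: dict = field(default_factory=dict)     # local USN -> Change held here
    utd: dict = field(default_factory=dict)     # up-to-dateness vector: GUID -> highest originating USN applied
    hwm: dict = field(default_factory=dict)     # high-watermark: partner -> highest partner USN already seen
    pulled: int = 0                             # changes actually received over the wire

    def originate(self, attr, value):
        """Originating update: a write performed on this DC."""
        self.usn += 1
        chg = Change(self.name, self.usn, attr, value)
        self.db[attr] = value
        self.log[self.usn] = chg
        self.utd[self.name] = self.usn
        return chg

    def pull_from(self, src):
        """Replicated update: pull from partner `src`.

        The requester presents its high-watermark for src and its whole
        up-to-dateness vector. src returns only changes above the
        high-watermark, and drops every change whose originating (GUID, USN)
        the requester's vector already covers: that filter is propagation
        dampening. After the cycle the requester folds in src's vector, which
        is how knowledge of third-party DCs spreads transitively.
        """
        start = self.hwm.get(src.name, 0)
        for local_usn in sorted(u for u in src.log if u > start):
            chg = src.log[local_usn]
            self.hwm[src.name] = local_usn
            if self.utd.get(chg.originating_dc, 0) >= chg.originating_usn:
                continue                        # already applied: dampened
            self.pulled += 1
            self.usn += 1
            self.db[chg.attr] = chg.value
            self.log[self.usn] = chg
            self.utd[chg.originating_dc] = max(self.utd.get(chg.originating_dc, 0),
                                               chg.originating_usn)
        for dc, n in src.utd.items():
            self.utd[dc] = max(self.utd.get(dc, 0), n)


def ring_scenario():
    """A, B and C in a ring. One change originates on A; C receives it via B,
    then asks A directly and gets nothing back. Returns (a, b, c)."""
    a, b, c = DomainController("A"), DomainController("B"), DomainController("C")
    a.originate("description", "sales server")   # originating update on A
    b.pull_from(a)                               # B replicates it from A
    c.pull_from(b)                               # C replicates it from B
    c.pull_from(a)                               # dampened: C already holds (A, 1)
    return a, b, c


if __name__ == "__main__":
    _, _, c = ring_scenario()
    print("C pulled", c.pulled, "change(s); UTD vector:", c.utd)
```

Note that C's high-watermark for A still advances to A's USN 1 even though nothing was applied, so the next cycle against A starts past the dampened change.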
What Is Replication Topology?
(Diagram: domain controllers A1-A4 of Domain A form the Domain A topology; with Domain B's controllers B1-B3 added there is a Domain A topology, a Domain B topology, and a Schema and Configuration topology spanning the domain controllers of both domains.)
• Domain controllers from the same domain replicate the domain partition over a per-domain topology
• Domain controllers from various domains share only the Schema and Configuration topology
Automatic Generation of Replication Topology
(Diagram: domain controllers A1-A8 in a ring; the KCC on each domain controller generates the connections.)
• The Knowledge Consistency Checker (KCC) runs on every domain controller and builds the replication topology automatically
• Within a site the KCC builds a bidirectional ring and adds extra connections so that no domain controller is more than three hops from any other
What is Global Catalog Server?
(Diagram: a query from one domain is answered by the Global Catalog server, which returns the result without referring the query to the other domains' domain controllers.)
• A global catalog server is a domain controller that also holds a partial replica of every domain in the forest, so forest-wide queries are answered in one place
Global Catalog and Replication of Partitions
• Partial directory partition replicas: the global catalog server holds a read-only copy of all domain directory partitions (only the attributes marked for global catalog replication), plus full copies of the Schema and Configuration partitions
• A global catalog server therefore takes part in the Schema/Config topology, in its own domain's topology as a full replica, and in every other domain's topology as a partial replica (diagram: contoso.msft and namerica.contoso.msft; Domain A with A1-A4 and Domain B with B1-B3)
Sites and Subnets
(Diagram: sites Chicago, Seattle, Los Angeles and New York, each containing one or more IP subnets.)
• A site is a set of IP subnets connected by fast, reliable, inexpensive links
• If bandwidth usage is high within a location, consider separate sites
Replication Within Sites vs. Between Sites
Replication within sites:
• Assumes fast and highly reliable network links
• Does not compress replication traffic
• Uses a change notification mechanism
Replication between sites:
• Assumes limited available bandwidth and unreliable network links
• Compresses all replication traffic between sites
• Occurs on a configured schedule rather than on change notification
(Diagram: A1 and A2 replicate within their site; that site replicates with B1 and B2 in another site across the site boundary.)
Choosing Inter-Site Replication Transports
• Remote Procedure Calls (RPC) over TCP/IP
– Synchronous transfer
– Requires reliable connections
– Generates less traffic
– Can be used with DCs in the same domain
• Simple Mail Transfer Protocol (SMTP)
– Asynchronous transfer
– Used with unreliable connections
– Generates more traffic
– Cannot be used with DCs in the same domain (it carries only the Schema, Configuration and global catalog partitions, never a domain partition)
What Are Sites and Subnet Objects? (Active Directory Sites and Services)
(Console tree: Active Directory Sites and Services > Sites, containing the site objects Default-First-Site-Name and Redmond-Site, each with a Servers container (for example DENVER with its NTDS Settings object), the Inter-Site Transports container, and the Subnets container.)
• Site object: the container for a site's server objects
• Inter-Site Transports container: holds the IP and SMTP transports and their site link objects
• Subnets container: holds the subnet objects that map IP subnets to sites (in the diagram A1 and B1 each land in their site through the subnet they sit on)
Creating a Site (New Object - (Site))
Create in: nwtraders1560.msft/Configuration/Sites
• Assign a name
• Associate the site with a site link: select a site link object for this site (site link objects are found in the Sites/Inter-Site Transports container), for example DEFAULTIPSITELINK on the IP transport
Creating Subnets (New Object - Subnet)
Create in: nwtraders.msft/Configuration/Sites/Subnets
Enter the subnet address and mask. This will automatically translate into a subnet name in the form network/bits-masked. Example: address 10.14.209.14 mask 255.255.240.0 becomes subnet 10.14.208.0/20.
Address: 172.161.0.200  Mask: 255.255.255.0  Name: 172.161.0.0/24
Select a site object for this subnet: Default-First-Site-Name
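The address-and-mask normalisation the dialog describes, and the lookup a client goes through to find its site, as an added example that is not from the slides. The site names and the two address/mask pairs are the slides' own; the extra /24 carved out of the /20, the client addresses, and the LDIF (which uses the standard configuration-partition object class and attribute names so that the 2003-era ldifde -i -f can import it) are assumptions made for the example.

```python
"""Subnet-to-site mapping as Active Directory does it (added example)."""

import ipaddress


def subnet_name(address, mask):
    """Turn the dialog's address/mask pair into the subnet object's name
    (network/bits). Host bits in `address` are discarded, as the dialog does."""
    return str(ipaddress.IPv4Network(f"{address}/{mask}", strict=False))


def find_site(client_ip, subnet_to_site):
    """Return the site of the most specific subnet object containing client_ip.
    AD picks the longest matching prefix; with no match there is no site
    affinity, returned here as None."""
    ip = ipaddress.IPv4Address(client_ip)
    best, best_len = None, -1
    for name, site in subnet_to_site.items():
        net = ipaddress.IPv4Network(name)
        if ip in net and net.prefixlen > best_len:
            best, best_len = site, net.prefixlen
    return best


def subnet_ldif(name, site, config_dn="CN=Configuration,DC=nwtraders,DC=msft"):
    """LDIF creating the same subnet object the dialog would (assumed names:
    objectClass subnet, siteObject pointing at the site's DN)."""
    return "\n".join([
        f"dn: CN={name},CN=Subnets,CN=Sites,{config_dn}",
        "changetype: add",
        "objectClass: subnet",
        f"siteObject: CN={site},CN=Sites,{config_dn}",
        "",
    ])


# Constructed subnet map: the slides' two examples plus a more specific range.
SUBNETS = {
    subnet_name("10.14.209.14", "255.255.240.0"): "Redmond-Site",            # 10.14.208.0/20
    subnet_name("172.161.0.200", "255.255.255.0"): "Default-First-Site-Name",  # 172.161.0.0/24
    "10.14.210.0/24": "Corp-HQ",   # inside the /20; wins for its hosts by longest prefix
}


if __name__ == "__main__":
    for client in ("10.14.209.14", "10.14.210.7", "192.0.2.1"):
        print(client, "->", find_site(client, SUBNETS))
    print(subnet_ldif("10.14.208.0/20", "Redmond-Site"))
```

Overlapping subnet objects are legitimate in AD precisely because the most specific one wins; a client in 10.14.210.0/24 is placed in Corp-HQ even though the enclosing /20 belongs to Redmond-Site.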
Moving Server Objects Between Sites
In Active Directory Sites and Services, expand Sites > Default-First-Site-Name > Servers, right-click the server object (LONDON1560) and choose Move.... In the Move Server dialog, select the site which should contain this server (for example Alternate instead of Default-First-Site-Name) and click OK.
What Are Site Links?
(Diagram: Site 1 with B1, B2, B3 and Site 2 with A1, A2, each made of IP subnets, joined by a site link over RPC or SMTP that carries a cost.)
A site link:
• Enables replication traffic between sites
• Represents the physical connection between sites
Creating and Configuring Site Links (HQ-Vancouver Properties)
General, Object and Security tabs; a Description field; Sites Not in this Site Link (Default-First-Site-Name) and Sites in this Site Link (Corp-HQ, Vancouver), moved with Add>> and <<Remove.
• Cost: 100 (the lower the cost, the more preferred the link when several routes exist)
• Replicate every: 180 minutes (the interval)
• Change Schedule...: the Schedule for HQ-Vancouver marks each hour of Sunday through Saturday as Replication Available or Replication Not Available; the default is Sunday through Saturday from 12 AM to 12 AM
What are Site Link Bridges?
(Diagram: Site A (A1, A2), Site B (B1, B2, B3) and Site C (C1, C2). Site Link AB and Site Link BC are joined in a site link bridge, so replication can be routed from Site A to Site C through Site B.)
Creating Site Link Bridges (New Object - (Site Link Bridge))
Create in: nwtraders1560.msft/Configuration/Sites
• Name: the bridge name
• Move site links from Site Links Not in this Site Link Bridge (DEFAULTIPSITELINK, Cross-town, Local) to Site Links in this Site Link Bridge with Add >> and <<Remove
• A site link bridge must contain at least two site links.
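How the topology generator sees the bridge, as an added example that is not from the slides: the least-cost route between two sites is computed over site links, and two links can only be chained when they are transitive, either through a site link bridge or because the transport's default "bridge all site links" option is on. Site A, B, C and the link names AB and BC come from the diagram; the costs, the extra direct link and the routing function itself are assumptions for the example.

```python
"""Least-cost inter-site routing over site links, with and without bridging
(added example; the real ISTG performs this computation inside the KCC)."""

import heapq
from itertools import count


def cheapest_route(site_links, src, dst, bridges=None, bridge_all=True):
    """Lowest-cost path from site src to site dst.

    site_links: {link_name: (cost, {sites in the link})}
    bridges:    list of sets of link names joined by a site link bridge
    bridge_all: the transport's 'Bridge all site links' option; when True
                every link is transitive with every other and bridges is moot.
    Returns (total_cost, [sites]) or (None, []) if no route exists. Two
    consecutive links on a route must be transitive with each other.
    """
    bridges = bridges or []

    def chain_ok(prev_link, next_link):
        if prev_link is None or bridge_all:
            return True
        return any(prev_link in b and next_link in b for b in bridges)

    tick = count()                       # tie-breaker so the heap never compares paths
    heap = [(0, next(tick), src, None, [src])]
    seen = set()
    while heap:
        cost, _, site, last, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if (site, last) in seen:
            continue
        seen.add((site, last))
        for name, (lcost, members) in site_links.items():
            if site not in members or not chain_ok(last, name):
                continue
            for nxt in members:
                if nxt != site:
                    heapq.heappush(heap, (cost + lcost, next(tick), nxt, name, path + [nxt]))
    return None, []


# Constructed link table: the diagram's AB and BC links plus a slow direct A-C link.
LINKS = {
    "Site Link AB": (100, {"Site A", "Site B"}),
    "Site Link BC": (300, {"Site B", "Site C"}),
    "DEFAULTIPSITELINK": (600, {"Site A", "Site C"}),
}

BRIDGE_ABC = [{"Site Link AB", "Site Link BC"}]   # the bridge from the slide


if __name__ == "__main__":
    print("no bridging:", cheapest_route(LINKS, "Site A", "Site C", bridge_all=False))
    print("with bridge:", cheapest_route(LINKS, "Site A", "Site C", bridges=BRIDGE_ABC, bridge_all=False))
    print("bridge all: ", cheapest_route(LINKS, "Site A", "Site C"))
```

With bridging disabled the only legal A-to-C route is the direct link at cost 600; once AB and BC are bridged (or bridging is left at its default), the route through Site B costs 100 + 300 = 400 and is chosen instead. Turning "bridge all site links" off without creating bridges is how an administrator forces replication to follow only the links that were explicitly drawn.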
What Is a Bridgehead Server?
A bridgehead server:
• Sends and receives replicated data on behalf of its site
• Is designated for each partition in the site
(Diagram: A1 is the bridgehead server in one site and B1 in the other; replication between the sites runs only between the two bridgeheads, which then replicate to the other domain controllers on their local subnets.)
What Is the ISTG?
(Diagram: two sites with A1, A2 and B1, B2, one bridgehead server in each; replication between the sites runs bridgehead to bridgehead.)
• The Intersite Topology Generator (ISTG) is the single domain controller in each site whose KCC defines the replication between sites on a network: it selects the site's bridgehead servers and creates the inter-site connection objects
What Is Universal Group Membership Caching?
• At first logon, the local domain controller requests the user's universal group membership from a global catalog server (in the diagram the small site has no global catalog server; the large site does)
• After the first logon, the local domain controller uses the cached copy of the universal group membership
Comparing Intra-Site Replication and Inter-Site Replication

Replication Within a Site                                  Replication Between Sites
Change notification (default 15 sec before the first       Replication scheduling (default every 180 min)
partner is notified, 3 sec between further partners)
Uncompressed traffic                                       Compressed traffic (> 50 KB)
Multiple connections per domain controller                 Bridgehead servers
Knowledge Consistency Checker                              Inter-Site Topology Generator
RPC over IP by default                                     IP (RPC) or SMTP
Urgent replication (for example account lockouts)          Urgent changes wait for the schedule unless change
is sent without the notification delay                     notification is enabled on the site link
Replication Components
• The Knowledge Consistency Checker configures replication connections
(Diagram: under the Site object, Server Object A and Server Object B each hold an NTDS Settings object; under each NTDS Settings object is a connection object naming the partner. The connection object under A makes B the replication source for A; the one under B makes A the replication source for B.)
Using Connection Objects
• Connection objects are created automatically (by the KCC) or manually
• Connection objects are created on each domain controller, under its NTDS Settings object; each one is inbound, naming a source domain controller to pull changes from (the diagram shows one on Domain Controller A1 and one on Domain Controller A2)
• Use Active Directory Sites and Services to manually create, delete, and adjust connection objects
• Use the Replicate Now option to manually initiate replication
Creating a Connection Object (Active Directory Sites and Services)
Expand Sites > Default-First-Site-Name > Servers > LONDON1560, right-click NTDS Settings and choose New Active Directory Connection. The Find Domain Controllers dialog lists the available domain controllers by server name, site and domain (LONDON1560 and LONDON1561 in Default-First-Site-Name, domain nwtraders1560.msft). Select a domain controller from the list by either name or site (refresh the list by clicking Find Now or choosing Refresh from the View menu) and click OK.
Adjusting Replication
Modify the replication behavior by:
• Creating additional connection objects to:
– Reduce the number of hops between domain controllers
– Bypass the failed server or servers
• Configuring preferred bridgehead servers
Resolving Replication Conflicts
(Diagram: Domain Controller A and Domain Controller B each apply an originating update to the same attribute before either has replicated; when the updates meet, each is compared by its stamp.)
• Every originating write carries a stamp made of a Version Number, a Timestamp and the originating Server GUID. Conflicts are resolved by comparing stamps in that order: the higher version wins; at equal versions the later timestamp wins; at equal timestamps the higher server GUID wins
• Conflicts can be due to:
– Attribute value: two domain controllers change the same attribute; the value with the higher stamp survives everywhere
– Adding/moving under a deleted container object, or the deletion of a container object that still has children
– Sibling name: two objects with the same relative name are created in the same container
Replication of Linked Multivalued Attributes
Replication of linked multivalued attributes (for example the member attribute of a group) depends on the forest functional level:

Forest functional level             What happens?
Below Windows Server 2003           A change triggers replication of the entire membership list
Windows Server 2003                 Replication occurs by individual value instead of the whole attribute
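The stamp comparison from the conflict-resolution slide and the consequence of the functional level on group membership, as one added example that is not from the slides. Beyond the replication-size difference the table states, it shows why per-value replication matters for correctness: two domain controllers that each add a different member at the same time merge under the Windows Server 2003 level, whereas whole-attribute replication keeps only the winning list and silently drops the other addition. The DC names, timestamps and member names are made up; the model of a stamp as (version, timestamp, GUID) follows the slide, with a plain name standing in for the GUID.

```python
"""Stamp-based conflict resolution and linked-value vs whole-attribute
replication (added example)."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Stamp:
    version: int           # bumped on every originating write of the attribute or value
    timestamp: int         # originating write time (seconds; AD uses 1-second granularity)
    originating_dc: str    # stands in for the originating DC's GUID


def stamp_wins(a, b):
    """True when stamp a beats stamp b: higher version, then later timestamp,
    then the higher originating GUID as the final tie-breaker."""
    return (a.version, a.timestamp, a.originating_dc) > (b.version, b.timestamp, b.originating_dc)


def resolve_attribute_conflict(local, incoming):
    """local and incoming are (value, Stamp) for the same single-valued
    attribute. Returns the value that ends up on every domain controller."""
    local_value, local_stamp = local
    incoming_value, incoming_stamp = incoming
    return incoming_value if stamp_wins(incoming_stamp, local_stamp) else local_value


def merge_membership(before, change_dc1, change_dc2, forest_level_2003):
    """Two DCs concurrently add a member to a group whose membership is `before`.
    Each change is (added_member, Stamp) and both started from the same version.

    Below the Windows Server 2003 forest level the whole member list is one
    attribute with one stamp, so the losing DC's entire list is discarded and
    its addition is lost. At the Windows Server 2003 level every value carries
    its own stamp: both additions replicate and the lists merge.
    Returns the resulting membership, sorted.
    """
    (member1, stamp1), (member2, stamp2) = change_dc1, change_dc2
    if forest_level_2003:
        return sorted(before | {member1, member2})
    list_dc1 = before | {member1}        # DC1's copy of the whole attribute
    list_dc2 = before | {member2}        # DC2's copy of the whole attribute
    return sorted(list_dc1 if stamp_wins(stamp1, stamp2) else list_dc2)


if __name__ == "__main__":
    before = {"alice", "bob"}
    dc1 = ("carol", Stamp(2, 500, "DC-A"))
    dc2 = ("dave", Stamp(2, 501, "DC-B"))
    print("legacy:", merge_membership(before, dc1, dc2, forest_level_2003=False))
    print("LVR:   ", merge_membership(before, dc1, dc2, forest_level_2003=True))
```

Raising the forest functional level is therefore not only a bandwidth optimisation; it removes a class of lost updates on group membership that otherwise appears whenever administrators or provisioning scripts edit the same large group against different domain controllers within one replication interval.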