
Thursday, September 1, 2011

Active Directory Replication Terminology - Part II

Automatic Site Coverage:
To ensure that clients can locate a domain controller in the nearest available site, a domain controller advertises itself (registers a site-related SRV record in DNS) in any site that does not have a domain controller for that domain and for which its own site has the lowest-cost connections. This functionality is commonly known as "automatic site coverage."

To disable automatic site coverage on a domain controller:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Navigate to the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
  3. Click Edit, point to New, and then click DWORD Value.
  4. Type AutoSiteCoverage as the name of the new entry, and then press ENTER.
  5. Double-click the new AutoSiteCoverage registry entry.
  6. Under Value data, type 0 to disable automatic site coverage or type 1 to enable it.

Automatic Site Link Bridge
By default, all site links are bridged, or transitive. This allows any two sites that are not connected by an explicit site link to communicate directly, through a chain of intermediary site links and sites. One advantage to bridging all site links is that your network is easier to maintain because you do not need to create a site link to describe every possible path between pairs of sites.

Bridge All Site Links
The setting inside AD Sites and Services to enable or disable site link bridges. If you disable site link bridging and you are using File Replication Service (FRS) to replicate DFS replicas, which include the SYSVOL share, the DFS site-costing ability is also disabled.

To turn off automatic site link bridging for KCC operation without hampering the ability of DFS to use Intersite Messaging to calculate the cost matrix, set the site option by running the command repadmin /siteoptions +W2K3_BRIDGES_REQUIRED. This option is applied to the NTDS Site Settings object (CN=NTDS Site Settings,CN=SiteName,CN=Sites,CN=Configuration,DC=ForestRootDomain). When this method is used to disable automatic site link bridging (as opposed to turning off Bridge all site links), the default Intersite Messaging options still allow the site-costing calculation to occur for DFS.

Site Costed Referral
Defining the SiteCostedReferrals Registry value on the domain controllers will alter the DFS referrals so that all local domain controllers are listed first, randomly ordered, then the “next best” site’s domain controllers, and then all others. The “next best” logic is based on site link costs where the lower cost is preferred.

Wednesday, August 31, 2011

Active Directory Replication Terminology - Part I

Following are some day-to-day Active Directory terms.

> Bridgehead Servers,
A bridgehead is a point at which a connection leaves or enters a site.

> ISTG (Intersite Topology Generator),
The single KCC in a site that manages intersite connection objects for the site.

> KCC (Knowledge Consistency Checker),
The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for the generation of the replication topology between domain controllers.

So what is the relation between those three?

The Knowledge Consistency Checker (KCC) runs as an application on every domain controller and communicates through the distributed Active Directory database. The KCC reads configuration data and reads and writes connection objects.
One domain controller in each site is selected as the Intersite Topology Generator (ISTG). To enable replication across site links, the ISTG automatically designates one or more servers to perform site-to-site replication. These servers are called bridgehead servers.


The ISTG creates a view of the replication topology for all sites, including existing connection objects between all domain controllers that are acting as bridgehead servers. The ISTG then creates inbound connection objects for those servers in its site that it determines will act as bridgehead servers and for which connection objects do not already exist. Thus, the scope of operation for the KCC is the local server only, and the scope of operation for the ISTG is a single site.
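The relationship described above can be seen directly in the configuration partition. The following PowerShell script is an added example, not code from the original post: for every site it prints the ISTG and every inbound connection object whose source sits in another site; the destination server of such a connection is one of the site's bridgehead servers. It assumes the ActiveDirectory module's Get-ADReplicationSite and Get-ADReplicationConnection cmdlets (Windows Server 2012 or later RSAT) and that their InterSiteTopologyGenerator, ReplicateFromDirectory and ReplicateToDirectory properties hold NTDS Settings distinguished names.

```powershell
# Added example (not from the original post): list, per site, the ISTG and the
# inbound intersite connection objects, which identify the bridgehead servers.
# Assumes the ActiveDirectory module (Windows Server 2012+ / RSAT).

Import-Module ActiveDirectory

# An NTDS Settings DN looks like:
#   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
# so the server is RDN index 1 and the site is RDN index 3.
function Get-ServerFromNtdsDn {
    param([string]$Dn)
    $parts = $Dn -split '(?<!\\),'       # split on unescaped commas only
    return ($parts[1] -replace '^CN=', '')
}

function Get-SiteFromNtdsDn {
    param([string]$Dn)
    $parts = $Dn -split '(?<!\\),'
    return ($parts[3] -replace '^CN=', '')
}

# All connection objects in the forest (both KCC-generated and manual).
$connections = Get-ADReplicationConnection -Filter * -Properties ReplicateFromDirectory, ReplicateToDirectory, AutoGenerated

foreach ($site in Get-ADReplicationSite -Filter * -Properties InterSiteTopologyGenerator) {
    $istg = if ($site.InterSiteTopologyGenerator) {
        Get-ServerFromNtdsDn $site.InterSiteTopologyGenerator
    } else {
        '(none)'
    }
    Write-Output "Site $($site.Name): ISTG = $istg"

    # Inbound connections whose source is outside this site: the destination
    # server of each one is a bridgehead the ISTG designated for this site.
    $inbound = $connections | Where-Object {
        (Get-SiteFromNtdsDn $_.ReplicateToDirectory) -eq $site.Name -and
        (Get-SiteFromNtdsDn $_.ReplicateFromDirectory) -ne $site.Name
    }
    foreach ($c in $inbound) {
        $dst     = Get-ServerFromNtdsDn $c.ReplicateToDirectory
        $src     = Get-ServerFromNtdsDn $c.ReplicateFromDirectory
        $srcSite = Get-SiteFromNtdsDn   $c.ReplicateFromDirectory
        $kind    = if ($c.AutoGenerated) { 'KCC/ISTG-generated' } else { 'manual' }
        Write-Output "  bridgehead $dst <- $src (site $srcSite), $kind"
    }
}
```

A site that shows an ISTG but no inbound intersite connections is either isolated by site link configuration or still waiting for the ISTG to run; comparing this output with repadmin /istg and repadmin /bridgeheads is a quick way to confirm that the KCC's view matches what is stored in the directory.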

For more information please see:
http://technet.microsoft.com/en-us/library/cc755994(WS.10).aspx

Monday, August 22, 2011

How to lock Internet Explorer settings through GPO

To lock changes to proxy settings using GPO, check the following GPO option:
User configuration->Administrative Templates->Windows Components->Internet Explorer->"Disable changing proxy settings"

Set the option "Disable changing proxy settings" to Enabled.

Wednesday, August 17, 2011

Useful command in managing Active Directory

Here are some of the commands commonly used in day-to-day administration and troubleshooting of Active Directory:

> To summarize the replication state and health of a forest:
Repadmin /Replsum /BySrc /ByDst

> To show the state of the last inbound replication for specified domain controller:
Repadmin /Showreps
Repadmin /Showrepl

> To show the state of the last inbound and outbound replication (change notification) for specified domain controller:
Repadmin /Showrepl /repsto

> To display the replication queue list:
Repadmin /queue
> To display all the Domain Controller in the forest:
Repadmin /Viewlist *
> To display the Intersite Topology Generator (ISTG) server for specified site:
Repadmin /ISTG
> To display the Bridgeheads servers for specified site:
Repadmin /Bridgeheads

> To synchronize a specified domain controller with all of its replication partners:
Repadmin /syncall (DC_name) /A /e

> To list the names of Domain Controllers in a domain:
Nltest /dclist:(domainname)

> To verify if we can locate a domain controller:
Nltest /dsgetdc:(domainname)

> To display the servers that hold FSMO role:
Netdom query FSMO

> To check the health of DNS settings:
DCdiag /test:DNS

> To query the tombstonelifetime setting in a forest:
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=contoso,dc=com" -scope base -attr tombstonelifetime
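Repadmin /showrepl also accepts /csv, which makes its output easy to filter. The script below is an added example, not part of the original post: it collects repadmin /showrepl * /csv for the whole forest and reports only the inbound partners that have failures, using the column names that repadmin emits in CSV mode. When repadmin is not on the path (for instance when trying the script on a workstation), a constructed sample with one healthy and one failing connection is parsed instead; the server names, times and status code in that sample are made up.

```powershell
# Added example (not from the original post): reduce "repadmin /showrepl * /csv"
# to the list of failing inbound replication connections.

function Get-ReplicationFailure {
    param(
        # CSV text as produced by "repadmin /showrepl * /csv"
        [Parameter(Mandatory)][string]$CsvText
    )
    $rows = $CsvText | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = [int]$row.'Number of Failures'
        if ($failures -gt 0) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                DestSite      = $row.'Destination DSA Site'
                Source        = $row.'Source DSA'
                SourceSite    = $row.'Source DSA Site'
                NamingContext = $row.'Naming Context'
                Failures      = $failures
                LastFailure   = $row.'Last Failure Time'
                LastSuccess   = $row.'Last Success Time'
                Status        = $row.'Last Failure Status'
            }
        }
    }
}

if (Get-Command repadmin.exe -ErrorAction SilentlyContinue) {
    # Live data: every DC in the forest, CSV format.
    $csv = (repadmin /showrepl * /csv) -join "`n"
} else {
    # Constructed sample (not real output): DC1 replicates fine from DC2 but has
    # 12 consecutive failures from DC3 in another site.
    $csv = @'
"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"
"showrepl_INFO","HQ","DC1","DC=contoso,DC=com","HQ","DC2","RPC","0","0","2011-08-17 09:12:03","0"
"showrepl_INFO","HQ","DC1","DC=contoso,DC=com","Branch","DC3","RPC","12","2011-08-17 08:55:41","2011-08-16 21:03:10","1722"
'@
}

$failing = Get-ReplicationFailure -CsvText $csv
if ($failing) {
    $failing | Sort-Object Failures -Descending | Format-Table -AutoSize
} else {
    Write-Output 'No inbound replication failures reported.'
}
```

The "Last Failure Status" column is the Win32 error code of the last attempt; comparing it with "Last Success Time" tells you whether a partner is newly broken or has been silently failing for long enough to approach the tombstone lifetime queried with the dsquery command above.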


Monday, August 8, 2011

Site Costed Referrals

Windows Server 2003 and above support the ability to provide finer control over how DFS referrals are returned for the SYSVOL and NETLOGON shares.

By default, in Windows Server 2003 the DFS referral list will contain all local domain controllers of the client’s domain in the local site, randomly ordered, and then all other domain controllers in the domain randomly ordered.
Defining the SiteCostedReferrals Registry value on the domain controllers will alter the DFS referrals so that all local domain controllers are listed first, randomly ordered, then the “next best” site’s domain controllers, and then all others. The “next best” logic is based on site link costs where the lower cost is preferred.
Windows Server 2008 uses the SiteCostedReferrals behavior by default and does not require the Registry value to be set. Windows 2000 Server does not support this feature.
The SiteCostedReferrals Registry value should be defined across all domain controllers in a domain to ensure consistent behavior. The DFS service must be restarted or the domain controllers rebooted for the change to take effect.
This behavior is controlled via the following Registry value:
HKLM\System\CurrentControlSet\Services\Dfs\Parameters
Value: SiteCostedReferrals
Type: REG_DWORD
Data:
  • Windows 2003: value not defined = Disabled, 0 = Disabled, 1 = Enabled
  • Windows 2008: value not defined = Enabled, 0 = Disabled, 1 = Enabled
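Both this value and the AutoSiteCoverage value under Netlogon\Parameters described in the automatic site coverage post are per-domain-controller settings, and the text above says SiteCostedReferrals should be consistent across all domain controllers in the domain. The following PowerShell script is an added example, not code from the original posts: it reads both values from every domain controller, applies the documented defaults when a value is absent (site coverage on; site-costed referrals off on Windows Server 2003, on from Windows Server 2008), and warns when the effective SiteCostedReferrals setting differs between domain controllers. It assumes the ActiveDirectory module for enumerating domain controllers and PowerShell remoting to each of them; the OS version check uses [Environment]::OSVersion, where a major version of 6 or higher is treated as Windows Server 2008 or later.

```powershell
# Added example (not from the original posts): audit AutoSiteCoverage (Netlogon)
# and SiteCostedReferrals (DFS) on every domain controller and flag drift.
# Assumes the ActiveDirectory module and PowerShell remoting to the DCs.

Import-Module ActiveDirectory

function Get-DcSiteSettingAudit {
    [CmdletBinding()]
    param(
        # Defaults to every DC in the current domain; pass a list to narrow the scope.
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )

    # Runs on each DC: read both values, returning $null for an absent value.
    $probe = {
        $netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $dfs      = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dfs\Parameters'
        [pscustomobject]@{
            Computer            = $env:COMPUTERNAME
            OsVersion           = [Environment]::OSVersion.Version.ToString()
            AutoSiteCoverage    = (Get-ItemProperty -Path $netlogon -Name AutoSiteCoverage -ErrorAction SilentlyContinue).AutoSiteCoverage
            SiteCostedReferrals = (Get-ItemProperty -Path $dfs -Name SiteCostedReferrals -ErrorAction SilentlyContinue).SiteCostedReferrals
        }
    }

    $results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe -ErrorAction Continue |
        Select-Object Computer, OsVersion, AutoSiteCoverage, SiteCostedReferrals

    foreach ($r in $results) {
        # Documented defaults when the value is not defined: site coverage is on;
        # site-costed referrals are off on Windows Server 2003 (NT 5.x) and on
        # from Windows Server 2008 (NT 6.0+).
        $effectiveCoverage = if ($null -eq $r.AutoSiteCoverage) { 1 } else { [int]$r.AutoSiteCoverage }
        $effectiveReferrals = if ($null -eq $r.SiteCostedReferrals) {
            if ([version]$r.OsVersion -ge [version]'6.0') { 1 } else { 0 }
        } else {
            [int]$r.SiteCostedReferrals
        }
        $r | Add-Member -MemberType NoteProperty -Name EffectiveAutoSiteCoverage    -Value $effectiveCoverage
        $r | Add-Member -MemberType NoteProperty -Name EffectiveSiteCostedReferrals -Value $effectiveReferrals -PassThru
    }
}

$audit = Get-DcSiteSettingAudit
$audit | Format-Table Computer, OsVersion, AutoSiteCoverage, EffectiveAutoSiteCoverage,
                      SiteCostedReferrals, EffectiveSiteCostedReferrals -AutoSize

# SiteCostedReferrals is meant to be the same on every DC in the domain.
$groups = $audit | Group-Object EffectiveSiteCostedReferrals
if ($groups.Count -gt 1) {
    Write-Warning 'Effective SiteCostedReferrals differs across domain controllers:'
    foreach ($g in $groups) {
        $members = ($g.Group | ForEach-Object { $_.Computer }) -join ', '
        Write-Warning "  value $($g.Name): $members"
    }
}
```

The script only reads; changing either value is done with Set-ItemProperty on the same paths, after which the DFS service (or the domain controller) must be restarted for SiteCostedReferrals to take effect, as noted above.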
