Microsoft Official Course: Designing and Implementing An Active Directory Domain Services Topology


Module 8: Designing and Implementing an Active Directory Domain Services Topology
Module Overview

• Designing and Implementing AD DS Sites
• Designing AD DS Replication
• Designing the Placement of Domain Controllers
• Virtualization Considerations for Domain Controllers
• Designing Highly Available Domain Controllers
Lesson 1: Designing and Implementing AD DS Sites

• Benefits of Deploying AD DS Sites
• Options for Designing AD DS Sites
• Collecting Information for an AD DS Site Design
• How Does Automatic Site Coverage Work?
• Considerations for Designing AD DS Sites
• Demonstration: Creating Site Objects
Benefits of Deploying AD DS Sites

• AD DS sites are highly connected portions of your enterprise
• Similar to, but not the same as, network sites (physical locations)
• AD DS sites are objects that support:
  • Replication
    • Changes to AD DS must be replicated to all domain controllers
    • Some domain controllers are separated by slow, expensive links
    • Strike a balance between replication cost and convergence
  • Service localization
    • Client authentication
    • DFS
    • Active Directory-aware (site-aware) applications
    • Searching for a location property, for example, a printer location
Options for Designing AD DS Sites

Single-site model: select if one or more of the following are true:
• All computers are in one physical location
• The physical locations are connected with high-speed links
• All domain controllers are in one location

Multiple-site model: select if one or more of the following are true:
• Your organization has several physical locations
• The links between locations are slow or unreliable
• You have other requirements for segregating AD DS-related network traffic
Collecting Information for an AD DS Site Design

• Collect the following information about the existing network:
  • Geographic locations, communication links, and available bandwidth
  • IP subnets assigned to each location
  • Number of users and computers in each domain, in each location
  • Domain controller and global catalog server placement
  • Site-aware applications
How Does Automatic Site Coverage Work?

All domain controllers use a common algorithm for determining automatic site coverage:
1. The domain controller builds a list of target sites, that is, sites that have no domain controllers for this domain.
2. The domain controller builds a list of candidate sites, that is, sites that do have domain controllers for this domain.
3. For each target site, the domain controller registers SRV records specific to that target site for the domain controllers of this domain in the selected candidate site.
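The three steps above, as an added example that is not part of the course: a PowerShell function that computes coverage for a constructed topology of site links and domain controller counts. It assumes that all site links are bridged (the default, so costs add up transitively) and, for each target site, selects the candidate with the lowest total site-link cost, breaking ties by the larger number of domain controllers and then by name, which is the selection Microsoft documents for this algorithm; corp.example is a placeholder domain.

```powershell
function Get-AutomaticSiteCoverage {
    param([array]$SiteLinks, [hashtable]$DcsPerSite)
    $sites = @($SiteLinks | ForEach-Object { $_.Sites } | Sort-Object -Unique)
    # Step 1: target sites have no DC for this domain; step 2: candidate sites do
    $targets    = @($sites | Where-Object { -not $DcsPerSite.ContainsKey($_) })
    $candidates = @($sites | Where-Object { $DcsPerSite.ContainsKey($_) })
    $coverage = @{}
    foreach ($target in $targets) {
        # Dijkstra from the target: cheapest summed site-link cost to every site,
        # assuming all site links are bridged (transitive), which is the default
        $dist = @{}
        foreach ($s in $sites) { $dist[$s] = [int]::MaxValue }
        $dist[$target] = 0
        $unvisited = [System.Collections.Generic.List[string]]$sites
        while ($unvisited.Count -gt 0) {
            $u = $unvisited | Sort-Object { $dist[$_] } | Select-Object -First 1
            $null = $unvisited.Remove($u)
            if ($dist[$u] -eq [int]::MaxValue) { break }   # remaining sites are unreachable
            foreach ($link in @($SiteLinks | Where-Object { $_.Sites -contains $u })) {
                foreach ($v in @($link.Sites | Where-Object { $_ -ne $u })) {
                    if ($dist[$u] + $link.Cost -lt $dist[$v]) { $dist[$v] = $dist[$u] + $link.Cost }
                }
            }
        }
        # Step 3 selection: lowest cost wins; ties go to the site with more DCs, then by name
        $coverage[$target] = $candidates | Where-Object { $dist[$_] -lt [int]::MaxValue } |
            Sort-Object @{ e = { $dist[$_] } }, @{ e = { $DcsPerSite[$_] }; Descending = $true }, @{ e = { $_ } } |
            Select-Object -First 1
    }
    return $coverage
}

# Constructed topology (not from the course): site links with costs and DC counts per site;
# Boise and Portland have no DC of this domain and therefore need coverage
$links = @(
    @{ Sites = @('HQ', 'Denver');        Cost = 100 },
    @{ Sites = @('HQ', 'Seattle');       Cost = 200 },
    @{ Sites = @('Denver', 'Boise');     Cost = 50  },
    @{ Sites = @('Seattle', 'Boise');    Cost = 400 },
    @{ Sites = @('HQ', 'Portland');      Cost = 100 },
    @{ Sites = @('Seattle', 'Portland'); Cost = 100 }
)
$dcs = @{ HQ = 3; Denver = 1; Seattle = 1 }
$result = Get-AutomaticSiteCoverage -SiteLinks $links -DcsPerSite $dcs
foreach ($site in ($result.Keys | Sort-Object)) {
    # DCs in the covering site register the target's records, e.g. _ldap._tcp.<target>._sites.corp.example
    '{0,-8} covered by {1}' -f $site, $result[$site]
}
```

Portland is linked to HQ and to Seattle at the same cost, which is the tie case the DC-count rule resolves; against a live forest, the site-specific records that result can be seen with nslookup -type=SRV on the _sites name.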
Considerations for Designing AD DS Sites

When designing a site topology:
• Create a site for any location that contains a domain controller
• Create a site for any location that has a server that runs a site-aware application
• Ensure that the IP subnets map to the correct site objects
• Follow recommendations for when to configure additional sites for branch offices
• Give sites meaningful names
• Move or deploy domain controllers to the AD DS sites
Demonstration: Creating Site Objects

In this demonstration, you will see how to:
• Create a new AD DS site
• Create a new AD DS subnet
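The two demonstration steps in PowerShell, as an added example that is not the course's own demonstration script: the site name, subnets and location are constructed, and the script also handles a subnet that is already mapped to a different site, which is the case that silently sends clients to the wrong domain controllers.

```powershell
Import-Module ActiveDirectory

# Constructed design (not from the course): one branch site and the subnets it owns
$SiteName = 'Branch-Denver'
$Subnets  = @('10.20.0.0/22', '10.20.4.0/24')

# Create the site object once; re-running the script must not fail or duplicate it
if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
    New-ADReplicationSite -Name $SiteName -Description 'Denver branch office'
}
$siteDn = (Get-ADReplicationSite -Identity $SiteName).DistinguishedName

foreach ($prefix in $Subnets) {
    $existing = Get-ADReplicationSubnet -Filter "Name -eq '$prefix'"
    if ($null -eq $existing) {
        New-ADReplicationSubnet -Name $prefix -Site $SiteName -Location 'Denver, CO'
    } elseif ($existing.Site -ne $siteDn) {
        # A subnet left mapped to another site makes the DC locator send Denver clients
        # to that site's DCs, defeating service localization; move it rather than duplicate it
        Write-Warning "$prefix is mapped to $($existing.Site); moving it to $SiteName"
        Set-ADReplicationSubnet -Identity $prefix -Site $SiteName
    }
}

# Verify the subnet-to-site mapping the DC locator will use for this site
Get-ADReplicationSubnet -Filter "Site -eq '$siteDn'" | Select-Object Name, Site, Location
```

On a client in one of those subnets, nltest /dsgetsite should now return Branch-Denver.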
Lesson 2: Designing AD DS Replication

• AD DS Replication Components
• What Are the KCC and ISTG?
• Options for Designing Replication Topologies
• Considerations for Choosing a Replication Protocol
• Planning Global Catalog and RODC Replication
• Planning for SYSVOL Replication
• Considerations for Designing Site Links and Bridgehead Servers
• Considerations for Designing Site Link Bridging
AD DS Replication Components

To properly design AD DS replication, you must understand the purpose of each replication component:
• Connection objects
• Notification
• Polling
What Are the KCC and ISTG?

• Knowledge Consistency Checker (KCC)
  • The KCC generates the replication topology for the AD DS forest
  • Intrasite and intersite replication have different topologies
• Intersite Topology Generator (ISTG)
  • The ISTG manages the intersite topology for replication
  • One domain controller per site has the role of ISTG
  • You can transfer the ISTG role manually
Options for Designing Replication Topologies

• Hub-and-spoke topology
• Ring topology
• Full-mesh topology
• Hybrid topology
Considerations for Choosing a Replication Protocol

There are three levels of connectivity for replicating AD DS information:
• Uniform, high-speed, synchronous RPC-over-IP within sites
• Point-to-point, synchronous, low-speed RPC-over-IP between sites
• Low-speed, asynchronous SMTP between sites

When choosing a replication protocol, consider the following:
• Replication within a site always uses RPC-over-IP
• Replication between sites can use either RPC-over-IP or SMTP-over-IP
• Replication between sites over SMTP is supported only for the schema partition, the configuration partition, and global catalog replication
Planning Global Catalog and RODC Replication

In addition to the regular replication process within your forest, you should also consider the placement of:
• RODCs
• Global catalog servers
Planning for SYSVOL Replication

Domain controllers use SYSVOL to replicate logon scripts and Group Policy objects. Windows Server 2012 uses DFS Replication, which offers several advantages:
• Efficient, scalable, and reliable file-replication protocol
• Differential replication
• Flexible scheduling and bandwidth throttling
• Self-healing by using USNs
• A new MMC snap-in UI management tool
• Built-in health monitoring
• Improved support for RODCs
Considerations for Designing Site Links and Bridgehead Servers

The KCC assumes that all domain controllers in a site can communicate. Between sites, you represent network paths by creating site link objects.
Considerations for sites include:
• Site links:
  • Site link costs
  • Replication frequency
  • Replication schedules
• Bridgeheads
Considerations for Designing Site Link Bridging

When designing site link bridging, consider the following guidelines:
• If a network is not fully routed, and if you do not have to control AD DS replication, leave automatic site link bridging enabled
• If a network is not fully routed, configure the site link bridges to map to the physical network connections
• To model the routing behavior of your network, create and configure site link bridge objects
• If all site links within the bridge are required to route transitively, add site links to a site link bridge
• You must ensure that each site link in a manual site link bridge has one site in common with another site link in the bridge
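The site link, schedule and bridging considerations from the two slides above, implemented with the ActiveDirectory module as an added example that is not from the course. The site and link names, costs and schedule are constructed; it assumes the sites HQ, Branch-Denver and Branch-Seattle already exist and that the network between them is not fully routed.

```powershell
Import-Module ActiveDirectory

# Constructed design (not from the course): hub site HQ with branches Branch-Denver
# (fast link) and Branch-Seattle (slow link). Lower cost means the preferred path;
# the replication interval cannot be set below 15 minutes
New-ADReplicationSiteLink -Name 'HQ-Denver' -SitesIncluded 'HQ', 'Branch-Denver' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'HQ-Seattle' -SitesIncluded 'HQ', 'Branch-Seattle' `
    -Cost 300 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# Confine the slow link's replication to a 20:00-06:00 window; the schedule API does
# not wrap past midnight, so the window is set as two ranges
$hod = [System.DirectoryServices.ActiveDirectory.HourOfDay]
$moh = [System.DirectoryServices.ActiveDirectory.MinuteOfHour]
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.SetDailySchedule($hod::Twenty, $moh::Zero, $hod::TwentyThree, $moh::FortyFive)
$schedule.SetDailySchedule($hod::Zero, $moh::Zero, $hod::Six, $moh::Zero)
Set-ADReplicationSiteLink -Identity 'HQ-Seattle' -ReplicationSchedule $schedule

# The network is not fully routed, so turn off automatic bridging on the IP transport
# (options bit 0x2 = explicit site link bridges required) and model the real paths
$cfg = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$cfg"
$options = [int](Get-ADObject -Identity $ipTransport -Properties options).options
if (-not ($options -band 2)) {
    Set-ADObject -Identity $ipTransport -Replace @{ options = ($options -bor 2) }
}
# Links in a manual bridge must chain through a shared site; both links include HQ
New-ADReplicationSiteLinkBridge -Name 'HQ-Branches' -InterSiteTransportProtocol IP `
    -SiteLinksIncluded 'HQ-Denver', 'HQ-Seattle'

# Review the design the KCC/ISTG will work from
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```

After the ISTG recalculates (repadmin /kcc on a DC in each site), Get-ADReplicationConnection -Filter * lists the connection objects it created between the bridgehead servers.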
Lesson 3: Designing the Placement of Domain Controllers

• Planning Hardware Requirements for Domain Controllers
• Considerations for Deploying Domain Controllers on Server Core
• Considerations for Planning Domain Controller Locations
• Considerations for Planning Global Catalog Server Locations
• Considerations for Planning Operations Master Server Locations
• Guidelines for Monitoring Active Directory Domain Controllers
• Considerations for Branch Offices
Planning Hardware Requirements for Domain Controllers

• Plan hardware requirements appropriately for domain controllers.
• Free disk space is the most important resource for domain controllers:
  • Ntds.dit: 0.4 GB of storage for each 1,000 users
  • AD DS log files: at least 500 MB of available space
  • SYSVOL shared folder: at least 500 MB of available space
  • Operating system files with which you run Setup: at least 1.25 to 2 GB of available space
• Allow for more disk space if the domain controller will also host the global catalog server role.
Considerations for Deploying Domain Controllers on Server Core

When deploying a domain controller on Server Core:
• You must use dcpromo.exe in unattended mode
• You must manage AD DS on the Server Core installation remotely
• You should apply the same hardware requirements
• You cannot upgrade the Server Core domain controller to a Windows Server 2012 full installation domain controller
Considerations for Planning Domain Controller Locations

When choosing whether to deploy a domain controller in a branch office, consider the following:
• Not all locations require a domain controller
• If you deploy a domain controller in a branch, you must create an AD DS site for that branch
• Deploy RODCs to locations where physical security is a concern
• Always deploy domain controllers to locations that use AD DS-intensive applications
• Place two domain controllers for each domain in each site
Considerations for Planning Global Catalog Server Locations

In general, when designing global catalog placement, you should follow these guidelines:
• Deploy at least one global catalog server in each site
• Deploy two global catalog servers in each site for redundancy
• Deploy multiple global catalog servers if you have sites with a large number of users
• Be aware of applications that require a global catalog presence in the same site
Considerations for Planning Operations Master Server Locations

Best practice guidance:
• Co-locate the schema master and domain naming master on a global catalog server
• Co-locate the RID master and PDC emulator roles
• Place the infrastructure master on a domain controller that is not a global catalog server
• Have a failover plan
Guidelines for Monitoring Active Directory Domain Controllers

Windows Server 2012 provides several tools that you can use for monitoring:
• Task Manager
• Resource Monitor
• Event Viewer
• Reliability Monitor
• Performance Monitor

You can also use the Best Practices Analyzer.

Considerations for Branch Offices

• Data center
  • Personnel
  • Secure facilities
  • Authentication of branch users subject to availability and performance of the WAN
• Branch office
  • Few, if any, IT personnel
  • Less secure facilities
  • Improved authentication
  • Security issues
  • Directory service integrity
Lesson 4: Virtualization Considerations for Domain Controllers

• Considerations for Virtualizing Domain Controllers
• Securing Virtualized Domain Controllers
• Considerations for Deploying Domain Controllers as Virtual Machines
• Cloning Domain Controllers
Considerations for Virtualizing Domain Controllers

Advantages:
• Consolidation
• Testing
• Deployment
• Performance

Disadvantages:
• Mishandling .vhd image files can result in forest-wide corruption
• Security
Securing Virtualized Domain Controllers

The host computer on which virtual domain controllers are running must be managed as carefully as writeable domain controllers.
Security guidelines:
• Protect the local administrator account on the host computer
• Use Server Core as the platform for Hyper-V
• Protect .vhd files
Considerations for Deploying Domain Controllers as Virtual Machines

Virtual domain controller limitations to consider include:
• Avoid using differencing VHDs for domain controllers
• Do not clone domain controllers with the Sysprep tool
• Do not export virtual machines with domain controllers
• Do not use Hyper-V snapshots
• Disable time synchronization with the host computer
Cloning Domain Controllers

You can safely clone existing VDCs by:
• Creating a DcCloneConfig.xml file and storing it in the AD DS database location.
• Taking the VDC offline and exporting it.
• Creating a new virtual machine by importing the exported VDC.

[Diagram: copy DcCloneConfig.xml to the AD DS database location, export the VDC, import the VDC]
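The three cloning steps above as a PowerShell procedure, added here as an example and not the course's own lab script. It assumes the lab VM 20413A-LON-DC1 hosts a DC named LON-DC1, that the clone will be LON-DC2, and that the IP settings, Hyper-V paths and site name are constructed placeholders; the allow-list check before writing DcCloneConfig.xml is the guard that keeps a clone from carrying unsupported software into the forest.

```powershell
Import-Module ActiveDirectory, Hyper-V

# Assumed names (not from the course): source DC LON-DC1 inside VM 20413A-LON-DC1,
# clone to be named LON-DC2; addresses and paths are constructed placeholders
$SourceDc = 'LON-DC1'; $SourceVm = '20413A-LON-DC1'; $CloneName = 'LON-DC2'

# Only members of Cloneable Domain Controllers may be cloned; the PDC emulator must run
# Windows Server 2012 or later and the hypervisor must expose a VM-Generation ID
Add-ADGroupMember -Identity 'Cloneable Domain Controllers' -Members (Get-ADComputer $SourceDc)

Invoke-Command -ComputerName $SourceDc -ScriptBlock {
    # Refuse to clone while software that is not on the clone allow list is installed
    $excluded = Get-ADDCCloningExcludedApplicationList
    if ($excluded) { throw "Not clone-safe, review first: $($excluded.Name -join ', ')" }
    # Writes DcCloneConfig.xml into the AD DS database folder (%SystemRoot%\NTDS by default)
    New-ADDCCloneConfigFile -CloneComputerName $using:CloneName -SiteName 'Default-First-Site-Name' `
        -Static -IPv4Address '172.16.0.21' -IPv4SubnetMask '255.255.0.0' `
        -IPv4DefaultGateway '172.16.0.1' -IPv4DNSResolver '172.16.0.10'
}

# Take the VDC offline before exporting: exporting a running DC captures an inconsistent
# AD DS database, and this is the one export of a DC the module permits
Stop-VM -Name $SourceVm
Export-VM -Name $SourceVm -Path 'D:\Export'
Start-VM -Name $SourceVm

# Import as a copy with a new VM ID; the changed VM-Generation ID makes the guest consume
# DcCloneConfig.xml and promote itself as LON-DC2 instead of booting as a duplicate LON-DC1
$config = Get-ChildItem "D:\Export\$SourceVm\Virtual Machines" -Recurse -Include *.vmcx, *.xml |
    Select-Object -First 1
$clone = Import-VM -Path $config.FullName -Copy -GenerateNewId `
    -VirtualMachinePath 'D:\VMs' -VhdDestinationPath "D:\VMs\$CloneName"
Rename-VM -VM $clone -NewName $CloneName
Start-VM -VM $clone
```

If the clone boots into Directory Services Restore Mode instead of completing promotion, the usual cause is a DcCloneConfig.xml that the guest could not apply; the Directory Services event log on the clone records why.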
Lesson 5: Designing Highly Available Domain Controllers

• Planning for High Availability
• Components of an AD DS High Availability Design
• Considerations for Designing Highly Available Domain Controllers
• Considerations for Designing Highly Available Global Catalog Servers
• Considerations for Designing a Highly Available DNS Infrastructure
• Considerations for Designing a Highly Available Network Infrastructure
• Considerations for Backup and Recovery in AD DS
Planning for High Availability

Consider the following points when planning a high availability strategy:
• Determine acceptable service levels
• Identify risks to your service levels
• Determine how to mitigate risks to these levels
• Plan for capacity
• Determine where hardware vendor cooperation will be necessary
Components of an AD DS High Availability Design

To make AD DS highly available:
• Deploy multiple domain controllers
• Distribute operations master roles
• Deploy multiple global catalog servers
• Deploy multiple DNS servers
• Provide a redundant network infrastructure
Considerations for Designing Highly Available Domain Controllers

Consider the following when planning high availability for domain controllers:
• Install the AD DS server role on servers with redundant hardware
• Install at least one domain controller per branch site and at least two per hub site
• Enable the TryNextClosestSite Group Policy setting
• Connect domain controllers to highly available network infrastructures
• Ensure that domain controllers have all security updates and antivirus software installed
Considerations for Designing Highly Available Global Catalog Servers

When designing global catalog placement and high availability, follow these guidelines:
• In a single-domain forest, configure all domain controllers as global catalog servers
• In a multiple-domain forest, the number of global catalog servers depends on the number of users, the links between sites, applications, and other factors
Considerations for Designing a Highly Available DNS Infrastructure

To make DNS a highly available solution, consider the following:
• Implement at least two DNS servers per site
• Integrate DNS zones in AD DS
• Harden security on DNS servers
• Distribute primary and secondary DNS addresses to clients via DHCP
Considerations for Designing a Highly Available Network Infrastructure

When designing a highly available network infrastructure:
• Use redundant network switches that connect to different NICs on domain controllers
• Implement a backup link for branch offices via an alternative operator
• Require an SLA with the telecom operator
• Back up the configuration of network devices, such as switches and routers
• Provide for spare network devices on site
Considerations for Backup and Recovery in AD DS

• Backup:
  • Use either Windows Server Backup or Wbadmin.exe
  • Backups can be manual or automated
  • You must back up all critical volumes for AD DS:
    • System volume
    • Boot volume
    • Volumes hosting SYSVOL, the AD DS database (NTDS.dit), and logs
• The Active Directory Recycle Bin:
  • Cannot be disabled once it is enabled
  • Now has a user interface to simplify restoration of objects
  • Is enabled and accessed through the Active Directory Administrative Center
  • Objects are preserved in the recycle bin for the tombstone lifetime: 180 days by default
• Restore:
  • Nonauthoritative (normal) restore
  • Authoritative restore
  • Full server restore
  • Alternate location restore
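The backup and Recycle Bin points above in Wbadmin.exe and the ActiveDirectory module, as an added example that is not from the course. It assumes a forest named adatum.com (the lab uses the Adatum domain; the DNS name is an assumption), a dedicated backup volume E:, and a constructed deleted account; note that wbadmin formats a target given as a disk, so a volume or share is used here.

```powershell
Import-Module ActiveDirectory

# Assumed values (not from the course): forest adatum.com, dedicated backup volume E:
$Forest = 'adatum.com'

# Scheduled daily backup of all critical volumes (system, boot, SYSVOL, NTDS.dit, logs);
# -allCritical selects exactly the volumes a system state restore of AD DS needs
wbadmin enable backup -addtarget:E: -schedule:21:00 -allCritical -quiet
# One-off system state backup, e.g. before a schema change or an authoritative restore
wbadmin start systemstatebackup -backupTarget:E: -quiet

# Enable the Recycle Bin only after confirming it is off: it cannot be disabled again
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet `
        -Target $Forest -Confirm:$false
}

# Deleted objects stay recoverable for the deleted-object lifetime, which defaults to the
# tombstone lifetime; read the forest's current values from the Directory Service object
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
Get-ADObject -Identity $dsObject -Properties 'tombstoneLifetime', 'msDS-DeletedObjectLifetime' |
    Select-Object 'tombstoneLifetime', 'msDS-DeletedObjectLifetime'

# Restore a deleted object by its last known RDN back to its original container
function Restore-DeletedAccount {
    param([string]$Name)
    $deleted = Get-ADObject -LDAPFilter "(&(isDeleted=TRUE)(msDS-LastKnownRDN=$Name))" `
        -IncludeDeletedObjects -Properties lastKnownParent, whenChanged
    if (-not $deleted) { throw "No deleted object named $Name in the recycle bin" }
    foreach ($obj in $deleted) {
        # If the parent OU was deleted as well, it must be restored first or this fails
        Restore-ADObject -Identity $obj.ObjectGUID
        "Restored $($obj.Name) (deleted $($obj.whenChanged)) to $($obj.lastKnownParent)"
    }
}
Restore-DeletedAccount -Name 'Adam Barr'   # constructed example account
```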
Lab: Designing and Implementing an Active Directory Domain Services Physical Topology

• Exercise 1: Designing Active Directory sites and replication
• Exercise 2: Planning the placement of domain controllers
• Exercise 3: Implementing Active Directory sites and domain controllers
Logon Information

Virtual machines:
• 20413A-LON-DC1
• 20413A-LON-RTR
• 20413A-LON-SVR4
User name: Adatum\Administrator
Password: Pa$$w0rd

Estimated Time: 75 minutes
Lab Scenario

A. Datum Corporation has been experiencing some issues with its current AD DS deployment. Because of these issues, the AD DS design team must review the current AD DS site and replication environment, and then provide recommendations for making changes. You are tasked with investigating the potential cause, and then designing a solution. You have gathered documentation about the A. Datum network, and are working towards a potential network design.
Lab Review

• What was your approach to the Active Directory site and replication design?
• How did you address the Active Directory domain controller planning exercise?
Module Review and Takeaways

• Review Questions
