Establishing Site Links

Site links establish connectivity between domain controllers to allow Active Directory replication to be managed and scheduled. The Active Directory database, global catalog, group policies, and the domain controller SYSVOL directory replicate according to the replication schedule configured in a site link.
To create an IP-based site link, follow these steps:

1. Launch Server Manager on a domain controller.
2. Expand the Roles folder.
3. Expand the Active Directory Domain Services folder.
4. Expand the Active Directory Sites and Services snap-in.
5. Expand the Sites folder.
6. Expand the Inter-Site Transports folder, and select the IP folder.
7. Right-click the IP container and select New Site Link.
8. Enter a name for the site link, select a site that will replicate Active Directory using this site link, and click Add. Repeat this step until all the desired sites are in the right pane, as shown in Figure 3 for the Oakland and Boston sites.
9. Click OK to create the site link.
10. Back in the Active Directory Sites and Services console, right-click the new site link in the right pane, and choose Properties.
11. At the top of the window, enter a description for the site link. Keep the description simple but informative. For example, enter Site link between Oakland and Boston.
12. At the bottom of the window, enter a cost for the site link. This determines the preferred link if more than one is available. See the text following these steps for a discussion of site link costs and Table 5 for some typical costs. In this example, the connection between Oakland and Boston is a T3 and the cost is set to 220.
13. Enter the replication frequency. This number indicates how often Active Directory will attempt to replicate during the allowed replication schedule. The default is 180 minutes. The lowest this can be set to between sites is 15 minutes. In most well-connected organizations, the frequency is usually set to 15.
14. Click the Change Schedule button to configure specific intervals when Active Directory should not replicate. This is not typically used in modern well-connected networks. Click OK to leave it unchanged.
15. Click OK on the Site Link property page to complete the site link configuration.

Table 5. Typical Link Types, Speeds, and Site Link Costs

| Link Type | Link Speed (bps) | Cost |
|---|---|---|
| Dial-up 9600 | 9,600 | 1042 |
| Dial-up 14.4 | 14,400 | 884 |
| Dial-up 28.8 | 28,800 | 702 |
| Dial-up 33.6 | 33,600 | 671 |
| Leased 56 | 56,000 | 586 |
| ISDN Single | 64,000 | 567 |
| Fractional T1 - 1 Ch | 64,000 | 567 |
| DS0 | 64,000 | 567 |
| ISDN Dual | 128,000 | 486 |
| Fractional T1 - 2 Ch | 128,000 | 486 |
| Fractional T1 - 4 Ch | 256,000 | 425 |
| Fractional T1 - 8 Ch | 512,000 | 378 |
| DS1/T1 | 1,544,000 | 321 |
| DS2/T2 | 6,312,000 | 269 |
| 10BaseT | 10,000,000 | 256 |
| DS3/T3 | 44,736,000 | 220 |
| OC1 | 51,840,000 | 217 |
| 100BaseT | 100,000,000 | 205 |
| FDDI | 100,000,000 | 205 |
| OC3/STM1 | 155,520,000 | 197 |
| OC12/STM4 | 622,080,000 | 177 |
| 1000BaseT | 1,000,000,000 | 171 |
| OC48/STM16 | 2,488,320,000 | 160 |
| OC192/STM64 | 9,953,280,000 | 146 |
After the site link is configured, the KCC will generate new connections between domain controllers in different sites to optimize replication the next time it runs. The cost of a site link is an arbitrary value that is selected by the administrator to reflect the speed and reliability of the physical connection between the sites. Lowering the cost value on a link increases its priority. Site links have a replication interval and a schedule that are independent of the cost; the cost is used by the KCC to prefer one site link path over another.

Cost values determine which connector is preferred for data transfer. Costs are associated with address spaces and connected routing group information. When costs are assigned to the links, the KCC computes the replication topology automatically, and clients automatically use the cheapest link. Link costs can be based on the following formula:

Cost = 1024 / log(bw / 1000)

where bw is the bandwidth of the link between the two sites in bits per second (bps) and Cost is the site link cost setting.

Table 5 lists the cost values for some typical bandwidths. The values in the Cost column would be entered into the Cost field of the site link properties.
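The following PowerShell function is an added example, not a script from the book: it applies the cost formula above to a link's bandwidth and checks the result against four rows of Table 5 (embedded here as constructed sample data). The table's values are reproduced when log is taken as the base-10 logarithm and the result is rounded to the nearest integer, which is the assumption the code makes; the guard for bandwidths at or below 1,000 bps is also an addition, since the formula's logarithm is undefined or non-positive there.

```powershell
# Added example (not from the book): compute a site link cost from the
# bandwidth of the WAN link and compare it with the published Table 5 values.
function Get-SiteLinkCost {
    param(
        [Parameter(Mandatory)]
        [double]$BandwidthBps   # bandwidth of the link between the two sites, in bps
    )
    # Cost = 1024 / log10(bw / 1000). At or below 1,000 bps the logarithm is
    # zero or negative, so the formula cannot produce a usable cost.
    if ($BandwidthBps -le 1000) {
        throw "Bandwidth must exceed 1,000 bps for the cost formula to apply"
    }
    # Assumption: base-10 logarithm, rounded to the nearest whole number
    [int][math]::Round(1024 / [math]::Log10($BandwidthBps / 1000))
}

# Constructed sample: a few rows copied from Table 5 so the script runs offline
$table5 = @(
    @{ Type = 'Dial-up 9600'; Bps = 9600;       Cost = 1042 }
    @{ Type = 'DS1/T1';       Bps = 1544000;    Cost = 321  }
    @{ Type = 'DS3/T3';       Bps = 44736000;   Cost = 220  }
    @{ Type = '1000BaseT';    Bps = 1000000000; Cost = 171  }
)

# Recompute each row and flag any value that does not match the table
foreach ($row in $table5) {
    $computed = Get-SiteLinkCost -BandwidthBps $row.Bps
    $status = if ($computed -eq $row.Cost) { 'OK' } else { 'MISMATCH' }
    '{0,-14} {1,14:N0} bps  table={2,4}  computed={3,4}  {4}' -f `
        $row.Type, $row.Bps, $row.Cost, $computed, $status
}
```

For a bandwidth that is not in the table (a 20 Mbps MPLS circuit, say), call Get-SiteLinkCost -BandwidthBps 20000000 and enter the returned value in the Cost field in step 12.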
Of course, in a simple
network with only a single WAN connection between locations, the site
link cost value can be left at the default value of 100 with little
impact. In this configuration, all links are considered equal by the
KCC.
In general, a site link
topology serves to provide an Active Directory-integrated method for
defining preferred routes between physically remote sites connected by
WAN links.
The site links created for Company ABC are shown in Table 6. The site links represent the hub-and-spoke topology on the Company ABC WAN, with the appropriate costs based on the link speeds.

Table 6. Company ABC Site Links and Sites

| Site Link Name | Cost | Replication Interval | Sites |
|---|---|---|---|
| Oakland-Boston | 220 | 15 | Oakland, Boston |
| Oakland-Paris | 321 | 15 | Oakland, Paris |
| Oakland-Tokyo | 321 | 15 | Oakland, Tokyo |
Note
Once the Active Directory site
topology has been defined, it is important to remove all the sites from
the default site link (DEFAULTIPSITELINK). This prevents replication
connections from being generated by the KCC automatically. It is also a
best practice to delete the default site and site link—that is,
Default-First-Site-Name and DEFAULTIPSITELINK. This ensures that they
don’t get mistakenly used.
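The script below is an added example, not the book's own, that builds the three Company ABC site links from Table 6 with the ActiveDirectory PowerShell module and then removes those sites from DEFAULTIPSITELINK as the note recommends. It assumes the sites Oakland, Boston, Paris, and Tokyo already exist in the forest and that it runs under an account with Enterprise Admin rights; the site and link names are the book's, everything else is an assumption. Deleting Default-First-Site-Name and DEFAULTIPSITELINK themselves is left to the console, where the operator can confirm both are empty first.

```powershell
# Added example (not from the book): create the Table 6 site links and pull
# the sites out of DEFAULTIPSITELINK so the KCC only uses the explicit links.
Import-Module ActiveDirectory

# Table 6: hub-and-spoke links with costs taken from Table 5
$siteLinks = @(
    @{ Name = 'Oakland-Boston'; Cost = 220; Sites = @('Oakland', 'Boston') }
    @{ Name = 'Oakland-Paris';  Cost = 321; Sites = @('Oakland', 'Paris')  }
    @{ Name = 'Oakland-Tokyo';  Cost = 321; Sites = @('Oakland', 'Tokyo')  }
)

foreach ($link in $siteLinks) {
    # Idempotent: re-running the script must not fail on existing links
    if (Get-ADReplicationSiteLink -Filter "Name -eq '$($link.Name)'") {
        Write-Host "Site link $($link.Name) already exists, skipping"
        continue
    }
    # Steps 8 through 13 of the procedure in one call: sites, cost,
    # 15-minute interval, IP transport, and a simple description
    New-ADReplicationSiteLink -Name $link.Name `
        -SitesIncluded $link.Sites `
        -Cost $link.Cost `
        -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP `
        -Description ('Site link between {0} and {1}' -f $link.Sites)
}

# Remove every site we just linked from DEFAULTIPSITELINK. Only sites that are
# actually members are removed, because deleting a value that is not present
# on the multi-valued attribute would error.
$defaultLink = Get-ADReplicationSiteLink -Filter "Name -eq 'DEFAULTIPSITELINK'"
if ($defaultLink) {
    $allSites  = $siteLinks | ForEach-Object { $_.Sites } | Select-Object -Unique
    # SitesIncluded holds distinguished names; keep only the CN value
    $inDefault = $defaultLink.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
    $toRemove  = $allSites | Where-Object { $inDefault -contains $_ }
    if ($toRemove) {
        Set-ADReplicationSiteLink -Identity $defaultLink -SitesIncluded @{ Remove = $toRemove }
    }
}

# Show the resulting topology: link, cost, interval, and member sites
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

After the script runs, the final listing should show the three links from Table 6 with their costs and a 15-minute interval, and DEFAULTIPSITELINK with no Company ABC sites in it.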
Delegating Control at the Site Level
Control is sometimes
delegated at the site level to give network administrators the rights to
manage Active Directory replication without giving them the rights to
manage any additional Active Directory objects. Site delegation can also
do just the opposite, effectively denying network administrators the
right to access Active Directory objects on a per-site basis. Specific
administrative rights can be granted using the built-in Delegate Control
Wizard, whereas others can be set for all the site objects using a
site’s group policies.
To delegate control at the site level, follow these steps:

1. Launch Server Manager on a domain controller.
2. Expand the Roles folder.
3. Expand the Active Directory Domain Services folder.
4. Expand the Active Directory Sites and Services snap-in.
5. Expand the Sites folder.
6. Right-click the Sites container and select Delegate Control.
7. Click Next on the Delegate Control Wizard Welcome screen.
8. Using the Add button, select the user, users, or groups that will be granted control over the site, and click OK. You can choose an Active Directory group created for the organization’s networking team or the default group named Network Configuration Operators.
9. Click Next to continue.
10. On the Active Directory Object Type page, select This Folder, Existing Objects in This Folder, and Creation of New Objects in This Folder, which is the default option to delegate control. The permissions granted will trickle down to each of the containers below the initial Sites container. If you don’t want this outcome, return to step 6 and select the appropriate site or subnet container.
11. Click Next to continue.
12. On the Permissions page, check the desired permissions type check boxes and choose each permission the administrator or, in this case, the networking group should have.
13. Click Next and then click Finish to complete the Delegate Control Wizard.
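Because the wizard writes its grants as access control entries on the Sites container, the delegation can be verified after the fact by reading that container's security descriptor. The function below is an added example, not from the book, that lists the explicit (non-inherited) entries on CN=Sites in the configuration partition and warns if nothing has been granted to the Network Configuration Operators group named in step 8. It assumes the ActiveDirectory module is installed, which provides the AD: drive the code reads from; the function name and its parameter are assumptions.

```powershell
# Added example (not from the book): audit what the Delegate Control Wizard
# granted on the Sites container.
Import-Module ActiveDirectory

function Get-SiteDelegation {
    param(
        # Distinguished name of the Sites container in this forest; resolved
        # from the RootDSE so the script is not tied to one forest name
        [string]$SitesDn = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
    )
    $acl = Get-Acl -Path ('AD:\' + $SitesDn)
    # The wizard adds direct entries on the container, so inherited ACEs
    # (which come from the configuration partition's own ACL) are filtered out
    $acl.Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object @{ n = 'Identity';  e = { $_.IdentityReference } },
                      @{ n = 'Rights';    e = { $_.ActiveDirectoryRights } },
                      @{ n = 'Type';      e = { $_.AccessControlType } },
                      @{ n = 'AppliesTo'; e = { $_.InheritanceType } }
}

# List every explicit entry, then confirm the networking team's grant exists.
# Step 10 of the procedure chose "This Folder, Existing Objects in This Folder,
# and Creation of New Objects in This Folder", which shows up as an AppliesTo
# value of All; a value of None means the grant stops at the Sites container.
$delegated = Get-SiteDelegation
$delegated | Format-Table -AutoSize

$networking = $delegated | Where-Object { $_.Identity -like '*Network Configuration Operators' }
if (-not $networking) {
    Write-Warning 'No explicit entry for Network Configuration Operators on CN=Sites'
}
```

Running this from a scheduled task and diffing the output against a saved baseline is a simple way to catch grants on the site topology that were not made through the documented wizard procedure.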