2. Establishing Site Links
Site links establish connectivity between
domain controllers to allow Active Directory replication to be managed
and scheduled. The Active Directory database, Global Catalog, group
policies, and the domain controller SYSVOL directory replicate
according to the replication schedule configured in a site link.
To create an IP-based site link, follow these steps:
1. Launch Server Manager on a domain controller.
2. Expand the Tools menu and run Active Directory Sites and Services.
3. Expand the Sites folder.
4. Expand the Inter-Site Transports folder, and select the IP folder.
5. Right-click the IP container and select New Site Link.
6. Enter a name for the site link, select at least two sites that will replicate Active Directory using this site link, and click Add, as shown in Figure 3 for the Paris and Boston sites.
Figure 3. Adding sites to a site link.
7. Click OK to create the site link.
8. Back in the Active Directory Sites and Services console, right-click the new site link in the right pane, and choose Properties.
9. At the top of the window, enter a description for the site link. Keep the description simple but informative. For example, enter Site link between Paris and Boston.
10. At the bottom of the window, enter a cost for the site link. This determines the preferred link if more than one is available. See the text following these steps for a discussion of site link costs and Table 5 for some typical costs. In this example, the connection between Paris and Boston is a T1, and the cost is set to 321.
Table 5. Typical Link Types, Speeds, and Site Link Costs
11. Enter the replication frequency. This number indicates how often Active Directory will attempt to replicate during the allowed replication schedule. The default is 180 minutes. The lowest this can be set to between sites is 15 minutes. In most well-connected organizations, the frequency is usually set to 15.
12. Click the Change Schedule button to configure specific intervals when Active Directory should not replicate. This is not typically used in modern well-connected networks. Click OK to leave the schedule unchanged.
13. Click OK on the Site Link property page to complete the site link configuration.
After the site link is configured, the Active
Directory connections between domain controllers in different sites
generate new connections to optimize replication when the KCC runs. The
cost of a site link is an arbitrary value that is selected by the
administrator to reflect the speed and reliability of the physical
connection between the sites. When you lower the cost value on the
link, the priority is increased. Site links have a replication interval
and a schedule that are independent of the cost. The cost is used by
the KCC to prefer one site link path over another.
Cost values determine which connector is preferred for data transfer. When costs are assigned to the links, the KCC computes the replication topology automatically, and clients automatically go to the cheapest link. Link costs can be based on the following formula:
Cost = 1024 / log(bw / 1000)
Where
bw = Bandwidth of the link between the two sites in bits per second (bps)
Cost = Site link cost setting
Table 5
lists the cost values for some typical bandwidths. The values in the
Cost column would be entered into the Cost field of the site link
properties.
Of course, in a simple network with only a
single WAN connection between locations, the site link cost value can
be left at the default value of 100 with little impact. In this
configuration, all links are considered equal by the KCC.
In general, a site link topology serves to
provide an Active Directory-integrated method for defining preferred
routes between physically remote sites connected by WAN links.
The site links created for Company ABC are shown in Table 6.
The site links represent the hub-and-spoke topology on the Company ABC
WAN, with the appropriate costs based on the link speeds.
Table 6. Company ABC Site Links and Sites
Note
After the Active Directory site
topology has been defined, it is important to remove all the sites from
the default site link (DEFAULTIPSITELINK). This prevents replication
connections from being generated by the KCC automatically. It is also a
best practice to delete or rename the default site and site link—that
is, Default-First-Site-Name and DEFAULTIPSITELINK. This ensures that
they don’t get mistakenly used.
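The site link procedure above, the cost formula, and the cleanup of DEFAULTIPSITELINK recommended in the Note, carried out with the ActiveDirectory PowerShell module. This is an added example, not code from the book; it assumes RSAT is installed, that sites named Paris and Boston already exist, and that the log in the formula is base 10, which reproduces the cost of 321 the text gives for a T1.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module and
# existing sites named Paris and Boston.
Import-Module ActiveDirectory

function Get-SiteLinkCost {
    # Cost = 1024 / log10(bw / 1000); bw in bits per second; result rounded to a whole number.
    param([Parameter(Mandatory)][double]$BandwidthBps)
    # At exactly 1000 bps log10 is 0 (division by zero); below it the cost goes negative.
    if ($BandwidthBps -le 1000) { throw "Bandwidth must be greater than 1000 bps" }
    return [int][math]::Round(1024 / [math]::Log10($BandwidthBps / 1000))
}

$t1Bps = 1544000                                   # T1 = 1.544 Mbps
$cost  = Get-SiteLinkCost -BandwidthBps $t1Bps     # 321, the value used in step 10

$linkName = 'Paris-Boston'                         # assumed name for the new link
New-ADReplicationSiteLink -Name $linkName `
    -SitesIncluded 'Paris', 'Boston' `
    -InterSiteTransportProtocol IP `
    -Cost $cost `
    -ReplicationFrequencyInMinutes 15 `
    -Description 'Site link between Paris and Boston'

# Per the Note: take the sites out of the default link so the KCC only generates
# connections over the explicit, costed link.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = 'Paris', 'Boston' }

# Verify the result: cost, frequency and member sites of the new link.
Get-ADReplicationSiteLink -Identity $linkName |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
```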
3. Delegating Control at the Site Level
Control is sometimes delegated at the site
level to give network administrators the rights to manage Active
Directory replication without giving them the rights to manage any
additional Active Directory objects. Site delegation can also do just
the opposite, effectively denying network administrators the right to
access Active Directory objects on a per-site basis. Specific
administrative rights can be granted using the built-in Delegate
Control Wizard, whereas others can be set for all the site objects
using a site’s group policies.
To delegate control at the site level, follow these steps:
1. Launch Server Manager on a domain controller.
2. Expand the Tools menu and run Active Directory Sites and Services.
3. Expand the Sites folder.
4. Right-click the desired site object and select Delegate Control.
5. Click Next on the Delegate Control Wizard Welcome screen.
6. Using the Add button, select the user, users, or groups that will be delegated control over the site, and click OK. For example, you can choose an Active Directory group created for the organization's networking team or the default group named Network Configuration Operators.
7. Click Next to continue.
8. On the Tasks to Delegate page, select Create a Custom Task to Delegate, and then click Next.
9. On the Active Directory Object Type page, select This folder, Existing Objects in This Folder, and Creation of New Objects in This Folder, which is the default option to delegate control. The permissions granted trickle down to each of the containers below the selected container, so you can manage access to all sites by selecting the Sites container itself and using the Delegation Wizard.
10. Click Next to continue.
11. On the Permissions page, check the desired permission type check boxes and choose each permission the delegated user or group should have.
12. Click Next and then click Finish to complete the Delegate Control Wizard.
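A check to run after the wizard finishes: list the ACEs on a site object so you can confirm exactly which rights were delegated, and flag any that go beyond managing replication. This is an added example, not code from the book; it assumes the ActiveDirectory module (which provides the AD: drive) and a site named Paris, and the function names are my own.

```powershell
# Added example (not from the book). Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-SiteDelegation {
    # Returns every ACE on the site object, marking which ones were inherited from the
    # Sites container (rights delegated there trickle down, as step 9 explains).
    param(
        [Parameter(Mandatory)][string]$SiteName,
        [string]$ConfigurationNC = (Get-ADRootDSE).configurationNamingContext
    )
    $dn  = "CN=$SiteName,CN=Sites,$ConfigurationNC"
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access | Select-Object @{ n = 'Site'; e = { $SiteName } },
                                IdentityReference,
                                ActiveDirectoryRights,
                                AccessControlType,
                                IsInherited,
                                InheritanceType,
                                ObjectType        # GUID of the attribute/class; all-zero GUID = everything
}

function Find-BroadSiteAce {
    # Flags Allow ACEs granting full control or the ability to change the DACL/owner to
    # principals other than the built-in administrative groups. Such rights let a
    # delegate manage far more than replication and deserve a second look.
    param([Parameter(Mandatory)][string]$SiteName)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]
    Get-SiteDelegation -SiteName $SiteName | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -notmatch 'SYSTEM|Domain Admins|Enterprise Admins|BUILTIN\\Administrators' -and
        ( $_.ActiveDirectoryRights -eq $rights::GenericAll -or
          $_.ActiveDirectoryRights.HasFlag($rights::WriteDacl) -or
          $_.ActiveDirectoryRights.HasFlag($rights::WriteOwner) )
    }
}

# Review the full delegation on Paris, then list only the broad grants.
Get-SiteDelegation -SiteName 'Paris' | Format-Table -AutoSize
Find-BroadSiteAce  -SiteName 'Paris' | Format-Table -AutoSize
```

Run the same two calls against the Sites container's own DN to audit delegation applied forest-wide rather than per site.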