4. Configuring Sites and Managing Replications
**********************
The main purpose of a site is to physically group computers (by well-connected IP subnet) so that authentication and replication traffic stay on fast links and are kept off slow ones.
Sites serve two main roles: to facilitate authentication (a client locates a domain controller in its own site) and to facilitate the replication of directory data between sites.
Each domain controller stores a copy of a specific part of the directory tree, called a directory partition (also known as a naming context). The copy of a directory partition held on a domain controller is called a replica.
Active Directory replicates information both within a site (intrasite) and between sites (intersite).
The Knowledge Consistency Checker (KCC) analyzes, and if necessary rebuilds, the replication topology within a site every 15 minutes.
When replication occurs between sites, one or more replicas in each site act as bridgeheads to another site in the topology. Bridgehead servers are the contact points for the exchange of directory information between sites.
**********************
Intersite Topology Generator (ISTG)
One domain controller in each site acts as the ISTG: it is the KCC role that creates the inbound connection objects for intersite replication on that site's bridgehead servers.
Site Link Transitivity
By default, all site links are transitive (bridged): if site A has a link to B and B has a link to C, A can replicate with C through B.
Site link transitivity is enabled or disabled by selecting or clearing the Bridge All Site Links check box in the Properties dialog box for the IP or the SMTP intersite transport. If it is disabled, you must create site link bridges manually for sites that must replicate but do not share a site link.
**********************
Creating Subnets
Each site must have at least one subnet, but a subnet can be assigned to only one site. A client picks its site from its IP address, so a client whose subnet is not mapped to any site is not directed to a nearby domain controller and may authenticate across a WAN link.
Designating a Site License Server
The License Logging service on each server in a site collects licensing information and replicates it to a centralized database on one server for the site, called the site license server.
**********************
Site Links
Two intersite transports are available:
Directory Service Remote Procedure Call (DS-RPC), shown as IP in Active Directory Sites and Services
Inter-Site Messaging-Simple Mail Transport Protocol (ISM-SMTP), shown as SMTP
Intrasite replication always uses RPC over IP; intersite replication can use either RPC over IP or SMTP. SMTP can carry only the schema, configuration and application directory partitions, never a domain partition, and it requires a certification authority so that the replication mail can be signed and encrypted.
If you create the site link in the IP container, it uses RPC over IP as its transport protocol. If you create the site link in the SMTP container, it uses SMTP as its transport protocol.
Site links are used by the KCC to determine replication paths between two sites and must be created manually. Connection objects actually connect domain controllers and are created by the KCC, though you can also create them manually if necessary.
The default cost Windows Server 2003 assigns to a new site link is 100; when several routes exist between two sites, the route with the lowest total cost is used.
The replication interval must be at least 15 minutes and no more than 10,080 minutes (one week); the default is 180 minutes.
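The way cost, transitivity and transport interact is easier to see in code. The following is an added example, not part of the original notes: it models a small constructed topology (the site names, costs and intervals are invented) and computes the least-cost intersite route the way the ISTG would, excluding SMTP links when the partition being routed is a domain partition, and falling back to direct links only when Bridge All Site Links is cleared and no site link bridges exist.

```python
"""Model of intersite replication path selection over site links.

Added example with a constructed topology: the site names, costs and
intervals are invented for illustration and do not describe a real forest.
"""
import heapq
from dataclasses import dataclass

DEFAULT_COST = 100                       # cost Windows Server 2003 gives a new site link
DEFAULT_INTERVAL = 180                   # default replication interval, minutes
MIN_INTERVAL, MAX_INTERVAL = 15, 10080   # allowed interval range (15 min .. one week)


def interval_is_valid(minutes: int) -> bool:
    """True if the replication interval is within the range the UI accepts."""
    return MIN_INTERVAL <= minutes <= MAX_INTERVAL


@dataclass(frozen=True)
class SiteLink:
    name: str
    sites: frozenset            # sites joined by this link (two or more)
    cost: int = DEFAULT_COST
    interval: int = DEFAULT_INTERVAL
    transport: str = "IP"       # "IP" (DS-RPC) or "SMTP" (ISM-SMTP)

    def __post_init__(self):
        if not interval_is_valid(self.interval):
            raise ValueError(f"{self.name}: interval must be 15..10080 minutes")
        if self.transport not in ("IP", "SMTP"):
            raise ValueError(f"{self.name}: transport must be IP or SMTP")
        if len(self.sites) < 2:
            raise ValueError(f"{self.name}: a site link needs at least two sites")


# Constructed topology (an assumption for the example, not a real forest).
LINKS = [
    SiteLink("HQ-Branch1", frozenset({"HQ", "Branch1"}), cost=100),
    SiteLink("Branch1-Branch2", frozenset({"Branch1", "Branch2"}), cost=50),
    SiteLink("HQ-Branch2-IP", frozenset({"HQ", "Branch2"}), cost=200),
    SiteLink("HQ-Branch2-SMTP", frozenset({"HQ", "Branch2"}), cost=30, transport="SMTP"),
]


def usable_links(links, partition):
    """SMTP carries schema, configuration and application partitions only,
    never a domain partition, so drop SMTP links when routing a domain partition."""
    return [l for l in links if not (partition == "domain" and l.transport == "SMTP")]


def cheapest_path(links, src, dst, partition="domain", bridge_all=True):
    """Return (total cost, [site, ...]) for the least-cost route from src to dst,
    or None if the two sites cannot replicate the given partition.

    bridge_all=True models the default (all site links are transitive).
    bridge_all=False models the check box cleared with no site link bridges:
    only sites that share a single site link can replicate directly."""
    links = usable_links(links, partition)
    if not bridge_all:
        direct = [l for l in links if {src, dst} <= l.sites]
        if not direct:
            return None
        return min(l.cost for l in direct), [src, dst]

    # Every pair of sites on the same link is one hop at that link's cost.
    adj = {}
    for link in links:
        for a in link.sites:
            for b in link.sites:
                if a != b:
                    adj.setdefault(a, []).append((b, link.cost))

    # Dijkstra over the transitive graph: lowest total cost wins.
    dist, prev = {src: 0}, {}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist.get(u, float("inf")):
            continue
        for v, c in adj.get(u, []):
            if d + c < dist.get(v, float("inf")):
                dist[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


if __name__ == "__main__":
    for part in ("domain", "schema"):
        print(part, cheapest_path(LINKS, "HQ", "Branch2", partition=part))
    print("no bridging:", cheapest_path(LINKS, "HQ", "Branch2", bridge_all=False))
```

With the sample topology, the domain partition travels HQ to Branch1 to Branch2 at a total cost of 150 even though a direct IP link exists, because the direct link costs 200; the schema partition takes the cheap SMTP link; and with bridging off, the only route for the domain partition is the expensive direct IP link. A practitioner reviewing a forest should check that a cheap SMTP link is not silently relied on for a domain partition it can never carry.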
**********************
Bridgehead Servers
A bridgehead server is a domain controller in a site that serves as the contact point for replication with another site; the other domain controllers in the site then receive the changes from it by intrasite replication.
You can designate multiple preferred bridgehead servers, but the ISTG uses only one at a time in a site for a given directory partition and transport. If every preferred bridgehead server in a site becomes unavailable, the ISTG does not fall back to an undesignated domain controller, so intersite replication for that site stops until one is restored or the designation is changed.
**********************
Polling and pull replication: the destination domain controller asks its partner at the scheduled interval whether changes are available and pulls them.
Notification and push replication: the source domain controller notifies its partners that it has changes, and the partners then pull them immediately.
Notification and push replication are more efficient for intrasite replication, where the network is fast and changes should propagate quickly; intersite replication relies on the schedule and polling by default.
The default intrasite replication schedule for manually created connection objects is four times per hour (once every 15 minutes).
**********************
Universal Group Membership Caching Feature
The Universal Group Membership Caching feature allows a domain controller to process user logon requests without contacting a global catalog server when a global catalog server is unavailable.
Universal group membership caching must be enabled per site, in the NTDS Site Settings object for that site, and requires a domain controller running Windows Server 2003.
By default, the universal group membership information cached on each domain controller is refreshed from a global catalog server every eight hours.
**********************
Creating or Removing a Global Catalog
A global catalog can be created or removed in the Active Directory Sites and Services console by selecting or clearing the Global Catalog check box in the properties of the domain controller's NTDS Settings object.
**********************
Application Directory Partitions
Application directory partitions can contain any type of object except security principals (users, groups and computers).
Members of the Enterprise Admins group can create and manage application directory partitions manually using the Ntdsutil command-line tool.
**********************
Security Descriptor Reference Domain
Every container and object in the directory has a set of access control information attached to it, known as a security descriptor. Because an application directory partition does not belong to a domain, it is assigned a security descriptor reference domain: the domain whose default security descriptors are applied to new objects created in that partition.
**********************
Displaying Application Directory Partition Information
You can use Ntdsutil to list the domain controllers that are members of a particular replica set for an application directory partition.
**********************
Monitoring and Troubleshooting Replication
Windows Support Tools provides:
Replmon.exe: Active Directory Replication Monitor (graphical)
Repadmin.exe: Replication Diagnostics Tool (command line; for example, repadmin /showrepl lists each inbound replication partner per partition and the result of the last attempt)
Dsastat.exe: Directory Services Utility (compares the contents of naming contexts on different domain controllers)
**********************
Replmon.exe must be installed on a computer running Windows Server 2003.
**********************
Common Active Directory Replication Problems:
New users are not recognized
Directory information is out of date
Service requests are not handled in a timely fashion
Domain controllers are unavailable
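Most of these symptoms show up first as a failing or stale inbound partner in repadmin output, so a practitioner usually scripts the check rather than reading it by eye. The following is an added example, not part of the original notes: it parses a constructed sample laid out like repadmin /showrepl output (the server names, GUIDs, timestamps and error are invented) and flags partners whose last attempt failed or that have not replicated successfully within a chosen age.

```python
"""Detection logic over repadmin /showrepl output.

Added example: SAMPLE is a constructed text in the layout repadmin prints,
not real output from any domain controller; site and server names, GUIDs
and timestamps are invented.
"""
import re
from datetime import datetime, timedelta

SAMPLE = r"""Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 11111111-1111-1111-1111-111111111111
DSA invocationID: 22222222-2222-2222-2222-222222222222

==== INBOUND NEIGHBORS ======================================

DC=corp,DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 33333333-3333-3333-3333-333333333333
        Last attempt @ 2024-01-10 09:15:02 was successful.

CN=Configuration,DC=corp,DC=example,DC=com
    Branch\DC3 via RPC
        DSA object GUID: 44444444-4444-4444-4444-444444444444
        Last attempt @ 2024-01-10 09:15:02 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        2 consecutive failure(s).
        Last success @ 2024-01-09 21:00:00.

CN=Schema,CN=Configuration,DC=corp,DC=example,DC=com
    Branch\DC4 via RPC
        DSA object GUID: 55555555-5555-5555-5555-555555555555
        Last attempt @ 2023-12-01 08:00:00 was successful.
"""

NOW = datetime(2024, 1, 10, 10, 0, 0)   # "current time" assumed for the sample

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
PARTITION_RE = re.compile(r"^(?:DC|CN)=\S+$")            # partition DN at column 0
PARTNER_RE = re.compile(r"^ {4}(\S+\\\S+) via (\w+)$")    # "    Site\Server via RPC"
SUCCESS_RE = re.compile(r"Last attempt @ (\S+ \S+) was successful\.")
FAIL_RE = re.compile(r"Last attempt @ (\S+ \S+) failed, result (\d+)")
CONSEC_RE = re.compile(r"(\d+) consecutive failure")
LAST_OK_RE = re.compile(r"Last success @ (\S+ \S+)\.")


def parse_showrepl(text):
    """Return one record per inbound partner: partition, partner, transport,
    ok (last attempt succeeded), result (Win32 error code or None),
    failures (consecutive failure count) and last_success (datetime or None)."""
    records, partition, rec = [], None, None
    for line in text.splitlines():
        if PARTITION_RE.match(line):
            partition = line.strip()
            continue
        m = PARTNER_RE.match(line)
        if m:
            rec = {"partition": partition, "partner": m.group(1), "transport": m.group(2),
                   "ok": None, "result": None, "failures": 0, "last_success": None}
            records.append(rec)
            continue
        if rec is None:
            continue
        if m := SUCCESS_RE.search(line):
            rec["ok"] = True
            rec["last_success"] = datetime.strptime(m.group(1), TS_FORMAT)
        elif m := FAIL_RE.search(line):
            rec["ok"] = False
            rec["result"] = int(m.group(2))
        elif m := CONSEC_RE.search(line):
            rec["failures"] = int(m.group(1))
        elif m := LAST_OK_RE.search(line):
            rec["last_success"] = datetime.strptime(m.group(1), TS_FORMAT)
    return records


def find_problems(records, now, max_age=timedelta(hours=24)):
    """Flag partners whose last attempt failed or that have not replicated
    successfully within max_age. Returns [(partition, partner, [reasons])]."""
    problems = []
    for rec in records:
        reasons = []
        if rec["ok"] is False:
            reasons.append(f"last attempt failed, result {rec['result']}, "
                           f"{rec['failures']} consecutive failure(s)")
        last = rec["last_success"]
        if last is None or now - last > max_age:
            reasons.append(f"no successful replication within {max_age} "
                           f"(last success: {last})")
        if reasons:
            problems.append((rec["partition"], rec["partner"], reasons))
    return problems


if __name__ == "__main__":
    for partition, partner, reasons in find_problems(parse_showrepl(SAMPLE), NOW):
        print(partition, partner, "; ".join(reasons))
```

Result 1722 is the Win32 code for "The RPC server is unavailable", the usual symptom of a firewall or DNS problem between bridgeheads. The age check matters as much as the failure check: a partner whose last attempt "was successful" weeks ago has simply stopped being scheduled, and a partition that goes unreplicated for longer than the tombstone lifetime risks lingering objects when it finally reconnects.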
**********************
Administrating Users and Groups
A user account is a record that consists of all the information that defines a user to Windows Server 2003.
In Windows Server 2003, authentication for domain users is based on user accounts stored in Active Directory.
Passwords can be up to 127 characters long. For users who log on from Windows 9x, use a maximum of 14 characters, because those operating systems support passwords of only up to 14 characters. The 14-character boundary also matters for security: the weak LAN Manager (LM) hash is stored only for passwords of 14 characters or fewer, so a password of 15 or more characters has no LM hash for an attacker to crack.
**********************
User Accounts Types
There are three types of user accounts:
Local user account
Domain user account
Built In user account
**********************
Each computer's own security database, the Security Accounts Manager (SAM), is called the local security database; the local user accounts it holds are valid only on that computer.
**********************
Built In user accounts:
Two commonly used built-in accounts are Administrator and Guest.
The purpose of the built-in Guest account is to give users who do not have an account in the domain the ability to log on and gain access to resources. By default, the Guest account is disabled, and it should stay disabled unless there is a specific need for anonymous access.
**********************
You can rename and disable the Guest account, but you cannot delete it.
**********************
User Profiles and Home Folders
A user profile is a collection of folders and data that stores the user’s current desktop environment, application settings, and personal data.
**********************
There are four types of user profiles:
Local
Roaming
Mandatory
Temporary
Roaming user profiles are stored in a shared folder on the server.
A mandatory user profile is a read-only roaming profile that is stored in a shared folder on a server.
**********************
Creating User Profiles
To configure a user profile as mandatory, rename the Ntuser.dat file in the profile folder to Ntuser.man. The profile then becomes read-only: the user can still change settings during a session, but the changes are discarded at logoff.
**********************
Home Folders
A home folder is an additional folder that you can provide for users to store personal documents, and for older applications, it is sometimes the default folder for saving documents.
**********************
Unlocking User Accounts and Resetting Passwords
It is not possible to "lock" a user's account manually; if you want to ensure that a user's account is not accessible, you must disable the account. Lockout is something the system does when the account lockout policy's threshold of bad password attempts is reached. An administrator can then unlock the account (Unlock Account on the Account tab of the user's properties) or reset the password, but cannot trigger a lockout.
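The distinction between disabled and locked out is visible in the account's attributes: disabling sets the ACCOUNTDISABLE bit in userAccountControl, while a lockout sets lockoutTime (a Windows FILETIME) and expires after the domain's lockout duration. The following is an added example, not part of the original notes: it decodes those attributes from a constructed user record (no directory was queried; the values and lockout duration are assumptions) and models what Disable Account and Unlock Account each change.

```python
"""Telling a disabled account from a locked-out one by its attributes.

Added example, not from the original notes. SAMPLE_USER is constructed; no
directory was queried. Flag values are the documented userAccountControl
bits; lockoutTime is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC).
"""
from datetime import datetime, timedelta

UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",        # the bit Disable Account sets
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",               # reported via msDS-User-Account-Control-Computed, not stored here
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002
EPOCH_1601 = datetime(1601, 1, 1)


def decode_uac(value):
    """Return the set of flag names set in a userAccountControl value."""
    return {name for bit, name in UAC_FLAGS.items() if value & bit}


def filetime_to_datetime(ft):
    """FILETIME integer (100 ns units since 1601-01-01) to a naive UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic to stay exact."""
    td = dt - EPOCH_1601
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def account_state(attrs, now, lockout_duration=timedelta(minutes=30)):
    """Classify an account as 'disabled', 'locked-out' or 'enabled'.

    Disabled is an administrative setting (ACCOUNTDISABLE bit). Locked-out is a
    policy outcome: lockoutTime is set when the bad-password threshold is hit
    and the lock lasts lockout_duration (None models a domain where lockouts
    never expire and an administrator must unlock the account)."""
    uac = int(attrs.get("userAccountControl", 0))
    if uac & ACCOUNTDISABLE:
        return "disabled"
    lockout_time = int(attrs.get("lockoutTime", 0))
    if lockout_time:
        locked_at = filetime_to_datetime(lockout_time)
        if lockout_duration is None or now - locked_at < lockout_duration:
            return "locked-out"
    return "enabled"


def unlock(attrs):
    """What Unlock Account does: clear lockoutTime. Returns a new attribute dict."""
    return {**attrs, "lockoutTime": 0}


def disable(attrs):
    """What Disable Account does: set the ACCOUNTDISABLE bit. Returns a new dict."""
    uac = int(attrs.get("userAccountControl", 0)) | ACCOUNTDISABLE
    return {**attrs, "userAccountControl": uac}


# Constructed sample: a normal user whose password never expires, locked out
# at 09:00 UTC on 2024-01-10 by too many bad password attempts (assumed).
LOCKED_AT = datetime(2024, 1, 10, 9, 0, 0)
SHORTLY_AFTER = LOCKED_AT + timedelta(minutes=10)
LONG_AFTER = LOCKED_AT + timedelta(hours=1)
SAMPLE_USER = {
    "sAMAccountName": "jdoe",
    "userAccountControl": 0x10200,          # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    "lockoutTime": datetime_to_filetime(LOCKED_AT),
}

if __name__ == "__main__":
    print(sorted(decode_uac(SAMPLE_USER["userAccountControl"])))
    print("10 min later:", account_state(SAMPLE_USER, SHORTLY_AFTER))
    print("1 h later:   ", account_state(SAMPLE_USER, LONG_AFTER))
    print("after unlock:", account_state(unlock(SAMPLE_USER), SHORTLY_AFTER))
    print("after disable:", account_state(disable(SAMPLE_USER), SHORTLY_AFTER))
```

Disabling wins over lockout in the classification because a disabled account cannot log on regardless of lockoutTime, which is exactly why disabling, not waiting for a lockout, is the administrative control.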