Step-by-Step Guide to Active Directory Sites and Services

Introduction

The primary purpose of the Windows® 2000 Active Directory^TM Sites and Services snap-in is to administer the replication topology both within a site in a local area network (LAN) and between sites in a wide area network (WAN) in an enterprise environment.

Note: The Appendix below provides supporting definitions and explanations of how Active Directory service replication is performed. If you are not familiar with replication, you may wish to review the Appendix first.

Sites

A site is a region of your network with high bandwidth connectivity, and by definition is a collection of well-connected computers—based on Internet Protocol (IP) subnets. Because sites control how replication occurs, changes made with the Sites and Service snap-in affect how efficiently domain controllers (DC) within a domain (but separated by great distances) can communicate.

A site is separate in concept from Windows 2000-based domains because a site may span multiple domains, and a domain may span multiple sites. Sites are not part of your domain namespace. Sites control replication of your domain information and help to determine resource proximity. For example, a workstation will select a DC within its site with which to authenticate.

To ensure that the Active Directory service in the Windows 2000 operating system can replicate properly, a service known as the Knowledge Consistency Checker (KCC) runs on all DCs and automatically establishes connections between individual computers in the same site. These are known as Active Directory connection objects. An administrator can establish additional connection objects or remove connection objects, but at any point where replication within a site becomes impossible or has a single point of failure, the KCC steps in and establishes as many new connection objects as necessary to resume Active Directory replication.

Replication between sites is assumed to occur on either higher cost or slower speed connections. As such, the mechanism for inter-site (between site) replication permits the selection of alternative transports, and is established by creating Site Links and Site Link Bridges.

Default-First-Site

Your first site was set up automatically when you installed Windows 2000 Server on the first domain controller in your enterprise. The resulting first site is called Default-First-Site. You can rename this site later or leave it as is.

The replication topology of sites on your network controls:

• Where replication occurs, such as which DCs communicate directly with which other DCs in the same site. Additionally, this topology controls how sites communicate with each other.
• When replication occurs. Replication between sites can be completely scheduled by the administrator. Replication between DCs inside the same site is notification based, where notifications are sent within five minutes of a change being made to an object in the domain.

All newly promoted Domain Controllers are placed in the Site container that applies to them at time of installation. For example, a server bound for California might have been initially built and configured in the Maui, Hawaii data center—therefore the Configure Your Server wizard places the server in the Maui site. After it arrives in California, the server object can be moved to the new site using the Sites and Services snap-in.

You can use the sites portion of Sites and Services snap-in to:

• Display the valid sites within an enterprise. As an example, Default-First-Site might be a site name such as Headquarters. You can create, delete, or rename sites.
• Display the servers that participate in a site. You can delete or move servers between sites. (Note: Although you can also manually add servers, the task of adding a server is typically performed automatically during Domain Controller setup.)
• Display the applications that use site knowledge. The Active Directory topology is rooted at Sites\Default-First-Site\Servers. This contains just those servers participating in a specific site, regardless of domain. To view the connections for any given server, display Sites\Default-First-Site\Servers\{server}\NTDS Settings. For each server, there are connections and schedules that control replication to other servers in this site.
  • Connections. For two machines to have two-way replication, a connection must exist from the first machine to the second, and a complimentary connection must exist from the second machine to the first.
  • Schedules. Within a site, pull replication of new directory deltas occurs between servers approximately every five minutes. Schedules are significant within a site to force periodic notification to in-bound partners in the event that a partner has a damaged connection object. This type of notification typically occurs every six hours. In addition, schedules are very significant in controlling pull replication between sites (there is no automatic five-minute replication between sites).
• Display transports and links between sites. Transports represent the protocols used to communicate between chosen sites (for example, IP).
• Display subnets. Subnets allow the administrator to associate ranges of IP addresses with sites.

Prerequisites

At a minimum, you need to set up two Windows 2000 domain controllers (DCs). Each DC should host a different domain partition (host different Windows 2000 domains) and be members of the same forest. This step-by-step guide assumes a parent/child relationship between the two Windows 2000 domains.

You can create this base configuration by running through the Common Infrastructure and Setting up Additional Domain step-by-step guides before going through the instructions in this document.

If you are not using the common infrastructure, you need to make the appropriate changes to this instruction set.

Using the Sites Topology Tool

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

Adding a Site

1. Right-click Sites in the left pane of the console, and then click New Site.
2. In the New Object–Site dialog box, type a name for the new site 
3. Select a site link object that contains the new site. If presented with a Default Site Link, you might associate this site to it at this time. Site Links are explained later in this document. Then click OK.
4. When the Active Directory message box appears, click OK.

You can now move computers from other sites into this site, under the NTDS Settings container.

To move computers into a site

1. In the Active Directory Sites and Services snap-in, right-click the computer you want to move in the left pane, click Move, and the Move Server box appears.
2. Select the site to move the computer to, and click OK.

Adding a Subnet

To define subnets for a particular site

1. In the left pane of the console, right-click Subnets under the site name.
2. On the Action menu, click New Subnet.
3. In the New Object–Subnet box, type the subnet address and subnet mask numbers.
4. Select a Site object for this subnet in the lower pane and click OK.

If you have correctly entered the subnet, it will appear in the Subnets folder.

To associate the subnet with a site

1. Right-click the subnet in the right pane of the console, and then click Properties.
2. In the Properties dialog box, select a site to associate with this subnet from the list box.
3. Click the Location tab, and enter the name of the city; in this example, Renton. Click OK.

Site Links and Site Link Bridges

Creating a Site Link

For scheduled replication to occur between multiple sites, both sites must agree on a transport to communicate. This will more than likely be IP-based.

1. Click the + next to Inter-Site Transports in the left pane to expand it (if it is not already expanded). Right click IP, and click New Site Link.
2. Enter a name for the Site Link in the New Object–Site Link dialog box, shown in Figure 7 below.
3. Select sites in the left pane, and click Add.
4. Click OK when all the sites you want to include in this site link are added to the right pane list.

To create a link between two sites

1. From the Intersite Transports node, click one of the applicable transports to select it. In this example, IP is selected.
2. If you wish to join a site to an existing Site Link, select the link from the Sites in this Link list in the right pane, right-click it, and then click Properties.
3. Add the site, click Apply, and then click OK.

Creating a Site Link Bridge

The process for creating a Site Link Bridge is identical to creating a Site Link; however, instead of providing Site names for the link, you’re now providing Site Link names for the bridge.

Important Notes

The example company, organization, products, people, and events depicted in this step-by-step guide is fictitious. No association with any real company, organization, product, person, or event is intended or should be inferred.

This common infrastructure is designed for use on a private network. The fictitious company name and DNS name used in the common infrastructure are not registered for use on the Internet. Please do not use this name on a public network or Internet.

The Active Directory structure for this common infrastructure is designed to show how Windows 2000 features work and function with the Active Directory. It was not designed as a model for configuring an Active Directory for any organization—for such information see the Active Directory documentation.

This feature information was obtained from the Microsoft Windows 2000 website at http://www.microsoft.com/windows2000 and are linked from ActiveWin.com for your convenience and is subject to Microsoft's copyright. For the most accurate information please visit the official site.

Return To The Windows 2000 Section