Active Directory Replication and Domain Design

AD Replication Essentials

  • AD Replication: The mechanism every DC depends on. It works per directory partition (schema and configuration forest-wide, one domain partition per domain, application partitions such as DNS), so the same process applies whether two DCs share a domain, a tree or only the forest.

  • Sites: Defined by subnets with fast internal connections, allowing frequent replication.

  • Site Links: Represent slower connections between sites, dictating less frequent replication due to bandwidth limitations.

  • Bridgeheads: Domain Controllers (DCs) that manage replication between sites.

Site Links

  • Connection Objects: One-way inbound replication paths between two DCs, stored under the destination DC's NTDS Settings.

  • Default Site Link: Every new site joins "DEFAULTIPSITELINK" until you say otherwise; left alone, it tells the KCC that all sites are equally connected, which rarely matches the real WAN.

Replication Process

  • Originating Writes (OW): A change made directly on a DC is an originating write; it raises the attribute's version number and is stamped with the originating DC, its USN and a timestamp.

  • Each DC records the highest originating USN it has seen from every other DC (the up-to-dateness vector). A destination pulls only the changes its source holds beyond that point, so the same change is never sent twice. If two DCs changed the same attribute independently, the higher version number wins, then the later timestamp, then the originating DC's GUID.

  • Tools for Managing Replication: AD Sites & Services, the ActiveDirectory PowerShell module (Get-ADReplication* cmdlets, Sync-ADObject) and the command-line tool Repadmin.

DNS Importance

  • Critical Role: DNS is crucial; AD cannot function without it.

  • Requirements: AD needs a DNS server that supports SRV records and, for DC registration, dynamic update (RFC 2136): Windows DNS (AD-integrated) or BIND 8.2.x and later.

  • DNS Namespace Concepts:

    • External (Published) Namespaces: Resolvable on the internet.

      • Keeping internal and external namespaces the same is not recommended.

    • Internal (Hidden) Namespaces:

      • Technically any name or TLD works internally, but a name you do not own can later be registered publicly (and .local collides with mDNS), so prefer a subdomain of a registered domain.

      • .internal is reserved by ICANN for private use and will never be delegated publicly.

DNS Features & AD Security

  • Dynamic DNS.

  • Standard DNS Zones vs. AD-integrated DNS:

    • Standard: Stored in a zone text file on the DNS server and replicated by zone transfer (AXFR/IXFR); cannot use secure dynamic update.

    • AD-integrated: Stored as objects in AD (in the domain partition or the DomainDnsZones/ForestDnsZones application partitions) and replicated via AD; every DC running DNS holds a writable copy and can enforce secure dynamic update (only authenticated computers may register, and a record's ACL limits who may overwrite it).

  • AD DS Security:

    • Kerberos Authentication:

      • The password itself never crosses the network: the client proves it knows the key derived from the password by encrypting a timestamp (pre-authentication); the KDC answers with a ticket-granting ticket, and service tickets are presented to servers instead of credentials.

      • Mutual authentication and short-lived, replay-protected tickets stop simple credential replay; they do not stop guessing. Captured pre-authentication data or service tickets for accounts with weak passwords can still be brute-forced offline, so password policy and lockout still matter.

      • The exchange (AS-REQ/AS-REP, TGS-REQ/TGS-REP, AP-REQ) verifies knowledge of a key without exposing it; tickets are bound to the requesting principal and expire (10 hours by default).

    • IPsec Usage.
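The zone-type distinction above is where most DNS hardening happens. The following is an added example, not part of the course notes: it shows a weak file-backed zone beside the corrected AD-integrated one, converts an existing zone, audits the server, and checks the DC locator records. It assumes the DnsServer module on a DC and uses corp.example.com and legacy.example.com as placeholder names.

```powershell
# Added example (not from the course notes). Assumes the DnsServer module on a
# DC of the hypothetical domain corp.example.com.
Import-Module DnsServer

# Weak setting: a file-backed (standard primary) zone. It replicates only by
# zone transfer and cannot use secure dynamic update, so NonsecureAndSecure
# lets any host on the network register or overwrite records.
Add-DnsServerPrimaryZone -Name 'legacy.example.com' `
    -ZoneFile 'legacy.example.com.dns' -DynamicUpdate NonsecureAndSecure

# Corrected setting: AD-integrated zone in the ForestDnsZones application
# partition, replicated with AD, secure updates only (the registering
# computer must authenticate; the record ACL restricts later overwrites).
Add-DnsServerPrimaryZone -Name 'corp.example.com' `
    -ReplicationScope Forest -DynamicUpdate Secure

# Fix the existing file-backed zone in place: move it into AD, then lock updates.
ConvertTo-DnsServerPrimaryZone -Name 'legacy.example.com' -ReplicationScope Domain -Force
Set-DnsServerPrimaryZone -Name 'legacy.example.com' -DynamicUpdate Secure

# Audit: every primary zone that is still file-backed or accepts non-secure updates.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Where-Object { -not $_.IsDsIntegrated -or $_.DynamicUpdate -ne 'Secure' } |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate

# Verify the DC locator records that Netlogon registers and clients depend on.
Resolve-DnsName -Name '_ldap._tcp.dc._msdcs.corp.example.com' -Type SRV
```

The audit query is the check worth scheduling: a zone that drifts back to NonsecureAndSecure (or a secondary zone that accepts transfers from anyone) lets a foothold on the LAN redirect hostnames, including the wpad and DC records clients trust.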

Additional AD Services

  • AD LDS: Lightweight Directory Services, a 'smaller AD' for applications.

  • AD FS: Federation Services, enabling Single Sign-On (SSO) for web applications.

  • AD CS: Certificate Services, providing Public Key Infrastructure (PKI) (covered later in the course).

  • AD RMS: Rights Management Services, securing confidential information.

  • RODC: Read-Only Domain Controller.

  • Group Policy Central Store: A PolicyDefinitions folder (ADMX/ADML templates) under SYSVOL\<domain>\Policies, so every editor uses the same templates; it is created once, normally on the PDC emulator, and SYSVOL replication copies it to all DCs.

  • DFS-R replication (Sysvol): Distributed File System Replication, the replication method since 2008.

  • AD database mounting tool: DSAMain.exe for AD snapshots.

  • GlobalNames DNS zone: Single-label name resolution (a WINS replacement): CNAME records in the GlobalNames zone act as aliases for long FQDNs.

Legacy Windows AD Improvements

  • Windows 2003 AD Domain Rename tool.

  • Cross-forest transitive trust capabilities.

  • AD DS replication compression disable support.

  • Schema attribute deactivation.

  • Incremental universal group membership replication.

  • AD-integrated DNS zones in application partitions.

  • AD lingering objects removal.

Domain Trusts

  • Transitive Trust: Automatic two-way trust between parent and child domains and between tree roots in the same forest. If A trusts B and B trusts C, then A also trusts C.

  • Explicit Trust: Manual, one-way or two-way trust.

  • Shortcut Trust: Explicit trust between two domains in the same forest, created to shorten the trust path (and the chain of Kerberos referrals) between them.

  • Cross-forest Transitive Trust (Forest Trust): Trust between two AD forests; transitive within both forests, never beyond them. SID filtering is on by default and should stay on.
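A trust review is mostly about direction and SID filtering. The following added example (not from the course notes) lists the current domain's trusts with the security-relevant properties, decodes the trustAttributes bits that record SID filtering state, flags trusts where filtering has been relaxed, and shows the netdom commands that restore it. Domain names are placeholders; it assumes the ActiveDirectory module.

```powershell
# Added example (not from the course notes). Assumes the ActiveDirectory module;
# corp.example.com, partner.example.net and fabrikam.example are placeholders.
Import-Module ActiveDirectory

# Direction is relative to this domain:
#   Inbound  = the other side trusts us (our accounts reach its resources)
#   Outbound = we trust the other side (its accounts reach our resources)
Get-ADTrust -Filter * |
    Select-Object Name, Direction, IntraForest, ForestTransitive,
                  SelectiveAuthentication, SIDFilteringQuarantined, TGTDelegation |
    Format-Table -AutoSize

# Decode trustAttributes (MS-ADTS): 0x4 QUARANTINED_DOMAIN (SID filtering on
# for external trusts), 0x8 FOREST_TRANSITIVE, 0x40 TREAT_AS_EXTERNAL
# (a forest trust relaxed to external-trust filtering, i.e. /enablesidhistory:yes).
$trusts = Get-ADObject -LDAPFilter '(objectClass=trustedDomain)' `
    -Properties trustPartner, trustDirection, trustAttributes |
    ForEach-Object {
        $a = [int]$_.trustAttributes
        [pscustomobject]@{
            Partner          = $_.trustPartner
            Direction        = @{1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional'}[[int]$_.trustDirection]
            ForestTransitive = [bool]($a -band 0x8)
            Quarantined      = [bool]($a -band 0x4)
            TreatAsExternal  = [bool]($a -band 0x40)
        }
    }

# Check: a trusted side with relaxed filtering can inject SIDs (via SIDHistory)
# that resolve to our privileged groups. Flag external trusts without
# quarantine and forest trusts marked TREAT_AS_EXTERNAL.
$trusts | Where-Object {
    (-not $_.ForestTransitive -and -not $_.Quarantined) -or
    ($_.ForestTransitive -and $_.TreatAsExternal)
} | ForEach-Object { Write-Warning "SID filtering relaxed on trust to $($_.Partner)" }

# Restore filtering: quarantine an external trust, or drop the forest-trust
# relaxation (run on a DC of corp.example.com as Domain Admin).
netdom trust corp.example.com /domain:partner.example.net /quarantine:yes
netdom trust corp.example.com /domain:fabrikam.example /enablesidhistory:no
```

The intra-forest trusts will show up too; SID filtering does not apply to them, which is exactly why the forest, not the domain, is the security boundary.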

Domain Namespace

  • Register the public DNS name that the internal name is based on (for example an internal ad.example.com under a registered example.com).

    • Advantages: the internal name can never be taken by someone else, internal and external naming stay consistent, and the TLD is a real one rather than an unregistered invention.

    • Simplifies email (the UPN suffix can match the mail domain).

  • The internal zone should still differ from the public zone (a dedicated subdomain or split-brain DNS) so that DC SRV records and internal hostnames are never published on the internet.

Domain Design Features

  • Active Directory Recycle Bin.

  • Fine-grained password policies.

  • Domain rename function.

  • Cross-forest transitive trusts.

  • Domain controller virtualization support (Windows Server 2012+: VM-GenerationID detects snapshot restores to prevent USN rollback, and DCs can be cloned safely).

  • Server Core and PowerShell enhancements.

  • Domain controller promotion from media.

Remote Location DC Considerations

  • Consider a DC at a remote location if:

    • 100+ Users.

    • Bandwidth limitations.

    • Slow or unreliable WAN link.

    • Frequent LDAP Traffic.

  • If a Domain Controller (DC) is in a site, a DNS server should also be present.

    • The Netlogon service relies on DNS to locate DCs.

  • Global Catalog needed for logon (DC & GC):

    • In a multi-domain forest a DC must contact a GC at logon to expand universal group membership; without a reachable GC (and no cache) domain logon at the site fails.

    • Either place a GC in the site or enable Universal Group Membership Caching on the site: the DC caches memberships at first logon and refreshes them from a GC (default every 8 hours).

Foundations of Multiple-Domain Design

  • Domain: Administrative and policy boundary.

    • Own AD database (NTDS.dit) holding the domain partition, own Domain Admins, own trusts; a DC has no separate local SAM for domain accounts.

    • Own Group Policies and, via the Default Domain Policy, own password policy.

    • Caveat: the forest, not the domain, is the security boundary. An administrator of any domain can escalate to the whole forest (for example via the shared configuration/schema partitions or SIDHistory), so hostile or untrusted administrators require a separate forest.

  • Domain: Uses Multi-Master Replication.

    • Changes to AD can be made from any DC.

    • Active Directory Database.

    • Replication over limited WAN links: a very large domain partition is one argument for separate (sub)domains, since only the domain partition is confined to the domain (schema, configuration and the GC partial attribute set still replicate forest-wide).

  • Tree: A group of domains sharing a contiguous DNS namespace (child domains under a tree root).

Choosing a Domain Structure

  • AD = Tree Structure.

  • Design Models:

    • Single-domain model.

    • Multiple-domain model.

    • Multiple trees in a single-forest model.

    • Federated-forests model.

    • Peer-root model.

    • Placeholder domain model.

    • Special-purpose domain model.

Adding Additional Domains

  • Decentralized administration.

  • Geographic limitations.

  • Unique DNS namespace considerations.

  • Enhanced security concerns.

AD Rename

  • Renaming an AD DS Domain: Changing the DNS name and/or NetBIOS name of a domain.

    • Either with the domain rename tools (rendom.exe, gpfixup.exe) or the "brute-force" method: build a new domain and migrate users, groups and computers into it.

  • Domain Rename Limitations:

    • Cannot reduce the number of domains in a forest.

    • The current root domain cannot be demoted.

    • Cannot swap names between two domains in one cycle (a name must first be freed, then reused in a second rename).

  • Domain Rename Prerequisites:

    • The forest functional level must be at least Windows Server 2003 (all DCs Windows Server 2003 or later).

    • The DNS zone for the new name must exist beforehand, with dynamic update enabled, so DCs can register their new records.

    • Domain rename is run from a control station: a member computer of the forest (not a DC) with rendom.exe and gpfixup.exe installed.

    • Shortcut trust relationships might need to be created, based on Forest Functional Level (FFL) and Domain Functional Level (DFL).

Domain Rename Procedure (Not for Exam)

  • Step 1: List Current Forest Description.

  • Step 2: Modify Forest Description with New Domain Names.

  • Step 3: Upload Rename Script to DCs.

  • Step 4: Prepare DCs for Domain Rename.

  • Step 5: Execute Domain Rename Procedure.

  • Step 6: Post-Rename Tasks:

    1. Open a command prompt (cmd.exe).

    2. Enter netdom computername OldServerName /add:NewServerName.

    3. Enter netdom computername OldServerName /makeprimary:NewServerName.

    4. Restart the server.

    5. Enter netdom computername NewServerName /remove:OldServerName.
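The six steps above, as one complete command sequence. This is an added example, not part of the course notes: it uses rendom.exe, gpfixup.exe and netdom.exe as typed on the control station, renaming the placeholder old.example.com (NetBIOS OLD) to corp.example.com (CORP) with a placeholder DC named dc1. Every rendom step must report success for every DC before the next one is run.

```powershell
# Added example (not from the course notes). Run on the control station, a
# member server of the forest, as an Enterprise Admin. Names are placeholders.
Set-Location C:\DomainRename

# Step 1: dump the current forest description to Domainlist.xml
rendom /list

# Step 2: put the new DNS/NetBIOS names into Domainlist.xml and verify the result
(Get-Content .\Domainlist.xml) -replace 'old\.example\.com', 'corp.example.com' `
                               -replace '<NetBiosName>OLD</NetBiosName>', '<NetBiosName>CORP</NetBiosName>' |
    Set-Content .\Domainlist.xml
rendom /showforest

# Step 3: upload the rename instructions to the domain naming master; from
# there they replicate to every DC. Force replication so nobody is left behind.
rendom /upload
repadmin /syncall /d /e /P /q

# Step 4: verify every DC is reachable and ready (all must report success)
rendom /prepare

# Step 5: issue the rename; each DC applies it and reboots on its own
rendom /execute

# Step 6: post-rename tasks
gpfixup /olddns:old.example.com /newdns:corp.example.com `
        /oldnb:OLD /newnb:CORP /dc:dc1.corp.example.com   # repair GPO/GPT paths
rendom /clean                                            # drop the old names from the DCs
rendom /end                                              # unfreeze the forest configuration

# Rename each DC's host name to the new suffix (steps 1-5 of the list above).
# Both names are valid until /remove, so clients keep resolving the old one.
netdom computername dc1.old.example.com /add:dc1.corp.example.com
netdom computername dc1.old.example.com /makeprimary:dc1.corp.example.com
Restart-Computer -ComputerName dc1 -Wait -For PowerShell
netdom computername dc1.corp.example.com /remove:dc1.old.example.com
# Every member computer must then be rebooted twice to pick up the new domain name.
```

The Domainlist.xml edit is shown as a regex for brevity; in practice open the file and check every DNSname/NetBiosName element by hand, because rendom /upload will happily freeze the forest with a typo in it.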

Routing and Remote Access (RRAS)

  • Partial repetition from network course but under Windows.

  • RRAS includes Windows routing functionality:

    • Static routes or RIP.

  • DHCP-relay agent (Cisco = IP helper).

  • NAT (PAT).

AD and DCs

  • AD/DC = Multi-master.

  • Update Sequence Number (USN):

    • A 64-bit counter kept by each DC, incremented by 1 for every write (originating or replicated) it commits.

    • Partners track the highest USN they have received from each source (high-watermark), so a sync only asks for changes above it.

    • USNs are per DC and never collide. What does break is a USN rollback: a DC restored from a snapshot or image backup reuses USNs its partners already know, so they silently ignore its new changes and the directory diverges (Windows Server 2012+ detects this via VM-GenerationID).

    • Independent edits of the same attribute are resolved by attribute version number, then originating timestamp, then originating DC GUID; that tie-break, and the 5-minute Kerberos skew limit, is why DC time synchronization is critical.

AD Replication Details

  • Connection objects:

    • Paths for replication.

    • Automatically generated by the Knowledge Consistency Checker (KCC).

    • Can be manually created or altered via AD Sites and Services under NTDS settings (not recommended).

  • Replication Latency:

    • Changes aren't instantaneous.

    • "Replicate now" in AD Sites and Services, repadmin /syncall or /replicate, and Sync-ADObject in PowerShell force immediate replication.
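The originating-write and USN mechanics described earlier, and the latency points just above, are all visible through the replication metadata. The following added example (not from the course notes) inspects partner state and failures, reads per-attribute metadata to find which DC originated a change and when (the first question in an incident involving a privileged group), dumps the up-to-dateness vector, and forces replication of a single object and of the whole forest. It assumes the ActiveDirectory module and placeholder DCs DC1 and DC2 in corp.example.com.

```powershell
# Added example (not from the course notes). Assumes the ActiveDirectory module
# and the hypothetical domain corp.example.com with DCs DC1 and DC2.
Import-Module ActiveDirectory

# Whom does DC1 pull from, when did each partner last succeed, how many
# consecutive failures? (Reads the repsFrom data behind the connection objects.)
Get-ADReplicationPartnerMetadata -Target DC1 -Scope Server |
    Select-Object Partner, Partition, LastReplicationSuccess,
                  ConsecutiveReplicationFailures, LastReplicationResult

# All current replication failures in the domain, without running
# repadmin /showrepl on every DC.
Get-ADReplicationFailure -Target corp.example.com -Scope Domain

# Per-attribute metadata for the Domain Admins membership: Version is the
# originating-write count, plus the DC, USN and timestamp of the last change.
# -ShowAllLinkedValues gives one row per member, i.e. who was added and when.
$da = 'CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com'
Get-ADReplicationAttributeMetadata -Object $da -Server DC1 `
    -Properties member -ShowAllLinkedValues |
    Select-Object AttributeValue, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity, LastOriginatingChangeUsn |
    Sort-Object LastOriginatingChangeTime -Descending

# Up-to-dateness vector: the highest originating USN DC1 has seen from every DC.
Get-ADReplicationUpToDatenessVectorTable -Target DC1

# Force one object across now instead of waiting for the link schedule,
# e.g. an account you have just disabled during incident response.
Sync-ADObject -Object 'CN=svc-backup,OU=Service,DC=corp,DC=example,DC=com' `
    -Source DC1 -Destination DC2

# Full push of all partitions to every DC in the enterprise, then a summary.
repadmin /syncall /AdePq
repadmin /replsummary
```

Because the metadata names the originating DC, it also tells you where to pull event logs: an attribute whose last originating change came from a DC nobody administers from is worth a closer look.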

Configuring Intersite Replication

  • Configuration involves site links: their names, the sites they connect, the transport (IP or SMTP), the cost, the replication interval (default 180 minutes, minimum 15) and the schedule during which the link may be used.

AD Sites

  • DCs within a site replicate more frequently and faster than between sites:

    • Within a site a DC notifies its partners 15 seconds after a change (forests created at Windows Server 2003 functional level or later; 5 minutes in older forests); between sites, replication waits for the site link's schedule and interval.

  • Site Functionality:

    • RODC/ROGC.

    • GC universal group membership caching.

    • KCC & Intersite Topology Generator (ISTG).

    • Off-premises Domain join.

  • Sites are linked to an (IP) subnet via AD Sites and Services or PowerShell using New-ADReplicationSubnet.

AD Sites Continued

  • Site Links:

    • Must be created (one default exists).

    • Use IP or SMTP.

    • Create a Site link per WAN connection.

  • Site links are 'bridged' by default:

    • All site links are treated as transitive, so the KCC may route replication between any two sites through intermediate sites, which provides redundancy.

    • Disabling this affects which DCs can replicate with each other, necessitating explicit links between sites.
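The site, subnet and site-link configuration described in this and the previous section, as one worked PowerShell example. It is an added example, not part of the course notes: it creates a hub and a branch site, associates subnets, creates a costed and scheduled site link, removes the branch from DEFAULTIPSITELINK, turns off automatic site-link bridging in favour of an explicit bridge, and checks what the KCC built. Site names, subnets and the second link "AMS-STO" are placeholders; it assumes the ActiveDirectory module and Enterprise Admin rights.

```powershell
# Added example (not from the course notes). Names and addresses are
# placeholders; assumes the ActiveDirectory module and Enterprise Admin rights.
Import-Module ActiveDirectory

# Sites and subnet association. A client or DC lands in the site whose subnet
# matches its IP; an unassociated subnet falls back to the first site, which
# silently sends logons and replication across the WAN.
New-ADReplicationSite -Name 'Hub-Amsterdam'
New-ADReplicationSite -Name 'Branch-Oslo'
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'Hub-Amsterdam'
New-ADReplicationSubnet -Name '10.20.0.0/22' -Site 'Branch-Oslo' -Location 'Oslo office'

# One site link per WAN connection. Default interval is 180 min (minimum 15);
# the KCC/ISTG prefers the lowest total cost between two sites.
New-ADReplicationSiteLink -Name 'AMS-OSL' -SitesIncluded 'Hub-Amsterdam', 'Branch-Oslo' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP

# Restrict a metered link to a nightly window (22:00 to 05:00).
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyTwo,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Five,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero)
Set-ADReplicationSiteLink -Identity 'AMS-OSL' -ReplicationSchedule $schedule

# Take the branch out of the catch-all link; a DEFAULTIPSITELINK that still
# contains every site hides the real topology from the KCC.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Remove = 'Branch-Oslo' }

# Disable automatic site-link bridging when the network is not fully routed
# (firewalled hub-and-spoke): set bit 0x2 (BRIDGES_REQUIRED) on the IP transport
# container, then declare the allowed paths explicitly.
$ipTransport = 'CN=IP,CN=Inter-Site Transports,CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
$opts = [int](Get-ADObject $ipTransport -Properties options).options
Set-ADObject $ipTransport -Replace @{ options = ($opts -bor 0x2) }
# Assumes a second link 'AMS-STO' (hub to Stockholm) already exists.
New-ADReplicationSiteLinkBridge -Name 'Spokes-via-AMS' -SiteLinksIncluded 'AMS-OSL', 'AMS-STO'

# What did the KCC/ISTG actually build, and which DCs became bridgeheads?
repadmin /bridgeheads
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated
```

Changes to site links take effect at the next KCC run (every 15 minutes); repadmin /kcc forces it if you want to see the new connection objects immediately.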

KCC and ISTG

  • Every DC has a KCC:

    • It generates the most efficient replication topology every 15 minutes.

  • The KCC has two components:

    • Intrasite KCC for replication within a site (a ring topology with extra connections so that no DC is more than three hops from any other).

    • Intersite Topology Generator (ISTG) between sites.

      • Only one DC in each site has the ISTG role.

      • Up to 5000 sites can be created.

  • The KCC assigns a cost to each site link:

    • Lower cost is preferred.

    • High cost links are for backup, similar to OSPF cost.

KCC and ISTG (Continued)

  • The ISTG selects one bridgehead server per site and partition to exchange replication with other sites. You can designate preferred bridgehead servers instead:

    • Doing so forfeits automatic failover: if all preferred bridgeheads for a partition are unavailable, intersite replication of that partition stops rather than moving to another DC.

  • WAN link speed influences replication.

  • For AD/DC replication, a clear overview is essential:

    • Each “island” should have a DC and GC.

KCC and ISTG: Single or Multiple Sites

  • Choice depends on bandwidth between segments.

    • A single site is simpler to manage, but all replication then runs as intrasite: every change is pushed within seconds, uncompressed, over every WAN link, and clients may authenticate against a DC at the far end of a slow link.

  • Configuration:

    • Subnet association.

    • Site links and link cost.

    • Replication schedule.

    • Transport: IP (RPC over TCP) or SMTP; IP is faster, more efficient and the only transport for the domain partition.

      • SMTP: only for links that are not always on; it requires a CA because the replication mail is signed and encrypted with DC certificates.

      • SMTP can replicate only the schema, configuration and application (DNS, GC partial set) partitions, never the domain partition, so the two sites must belong to different domains. It is rarely used today.

KCC and ISTG: Replication Options

  • Install From Media (IFM), available since Windows Server 2003 and supported in Windows Server 2016: a new DC's initial replication can be seeded from an IFM set (created with ntdsutil on an existing DC) carried on CD/DVD, USB or tape if the WAN connection is too slow.

  • Only the changes made since the IFM snapshot then cross the WAN link, and replication continues normally afterwards.

    • Time and schedule can be adjusted.

  • Universal Group Membership Caching.

  • Intersite Replication:

    • Intersite replication is compressed by default, which costs CPU cycles on the bridgeheads.

    • Disable compression (site-link options bit 0x4) when the WAN has bandwidth to spare but the bridgeheads are CPU-bound.