Configuring and Managing Forest and Domain Trusts
Configuring and Managing AD DS Sites and Replication
Windows Active Directory Domain Services (AD DS) is a leading identity management solution for organizations of all sizes. An AD DS deployment can be as simple as a single domain controller or as complex as a multi-domain forest spread across the globe. Managing sites, domains, and forests in an AD DS environment is critical to a healthy and reliable Active Directory infrastructure. This course is intended to provide the information needed to successfully manage Windows AD sites, domains, forests, trust relationships, and replication.
In this course, we start by reviewing AD DS forest and domain trusts. Then we examine forest design considerations to create a scalable environment that can meet future demands. Next, we investigate Active Directory sites, site links, and how they relate to the organization's network configuration. Finally, we evaluate AD DS replication and how site links can optimize replication in an AD DS environment.
- Windows AD domains, forests, and trust relationships
- Windows AD forests and domain design considerations
- Creating a two-way forest trust
- Active Directory sites and site topology
- Creating an Active Directory site
- Windows AD sites and replication
- Creating Active Directory site links
- System administrators with responsibilities for managing hybrid identities
- Subject matter experts in configuring and managing Active Directory workload on-premises and in Azure
- Anyone preparing for the Azure AZ-800: Administering Windows Server Hybrid Core Infrastructure exam
- A basic understanding of deploying and managing Microsoft Windows servers
- Windows Server installation media and an environment to run Windows Server (trial available at https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-2022)
Up next, we create site links in Active Directory. Let's review the current configuration. We have three sites, all connected over WAN connections. In this example, the connection between sites 1 and 2 and the connection between sites 2 and 3 form the primary replication path. The connection between sites 1 and 3 is not optimal and should only be used for replication if the other two site links are unavailable. All sites are part of the DEFAULTIPSITELINK, the site link created by default in Active Directory. In the demo coming up, we create three site links that represent each connection, then we set the cost for each link, giving Link_1-2 and Link_2-3 a higher priority with a lower cost number.
Finally, we change the replication interval from the default of 180 minutes to 30 minutes. Once finished, our configuration will look similar to the image on the screen. To follow along, you'll need at least one domain controller with multiple sites, as outlined in the last demonstration. You'll also need administrative rights, or domain admin rights, in the forest root domain. Let's get started on the Windows AD domain controller. Here we are on the Active Directory domain controller. Let's start by opening Active Directory Sites and Services. Go to site 1 and drill down to NTDS Settings. Notice the replication connections are coming from site 2 and site 3. You can close this; we'll come back to it shortly.
Next, we'll create our site links. Go to Inter-Site Transports and open the IP container. Notice the default IP site link. It has a cost of 100 and the default replication interval of 180 minutes. If we open it, it shows all three sites in the site link. We'll leave this as it is; click 'Cancel' to close the window. Next, right-click 'IP' and select 'New Site Link'. Give it a name, Link_1-2 for the first example, then select the sites the site link will connect; this one connects site 1 and site 2. Click 'OK', and we'll repeat the steps for the remaining site links. Select 'New Site Link' again: this one is Link_2-3, and we'll add site 2 and site 3. For the last, select 'New Site Link' once more; this one is named Link_1-3, and we'll add site 1 and site 3. Next, open Link_1-2. We'll update the cost from 100 to 50 and set the replication interval to 30 minutes. 'Apply' and 'OK'. We'll do the same for Link_2-3: the cost is 50 and the replication interval is 30. 'Apply' and 'OK'.
Now we'll open Link_1-3. If you recall, this is a lower-priority link that should only be used if there's a problem with connectivity on the other links. Set the cost to 200 and the replication interval to 30 minutes. 'Apply' and 'OK'. One last thing: let's open the default IP site link. It has a cost of 100, which is lower than our Link_1-3 with its cost of 200. We could try to remove our three sites from it, but if we do that we get a message that a site link must contain at least two sites. Also, we should not delete the default site link, because it was created by the system and is used as the default site link for any site not defined in another site link. So let's change the cost to 500. That makes this site link the lowest priority of all of them. Click 'Apply' and 'OK'. Now we have our three site links, all with a higher priority than the default site link, with Link_1-2 and Link_2-3 being the highest priority. Next we'll check to see if the changes have taken effect.
Let's go to site 1 and drill down to NTDS Settings. Under NTDS Settings, it still shows the same replication topology we had before. Right-click 'NTDS Settings', go to 'All Tasks', and select 'Check Replication Topology'. This forces the Knowledge Consistency Checker (KCC) to run. Go back to Active Directory Sites and Services and refresh. Now, if we go to site 1 and drill down to NTDS Settings, the topology has changed: the only connection coming in is from site 2. Also, after giving the environment time for the changes to replicate and for the Knowledge Consistency Checker to run on its schedule on each domain controller, we can see that site 2 is replicating from site 1 and site 3, and site 3 is replicating from site 2. That matches the site link costs we previously configured. That is how to create and modify site links in Windows Active Directory.
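The same site-link configuration the demo builds in the GUI, as an added PowerShell example that is not part of the course. It assumes the three sites are named Site1, Site2 and Site3 (the demo only calls them site 1, 2 and 3), that the ActiveDirectory module (RSAT) is installed, and that it runs as a domain admin on a domain controller.

```powershell
# Added example: reproduces the demo's site links with the ActiveDirectory
# module. Site names Site1/Site2/Site3 are an assumption; rename to match
# the sites you created in the previous demonstration.
Import-Module ActiveDirectory

# Primary paths 1-2 and 2-3 get the low (preferred) cost, the fallback
# path 1-3 a high cost; all three replicate every 30 minutes.
$links = @(
    @{ Name = 'Link_1-2'; Sites = 'Site1', 'Site2'; Cost = 50  },
    @{ Name = 'Link_2-3'; Sites = 'Site2', 'Site3'; Cost = 50  },
    @{ Name = 'Link_1-3'; Sites = 'Site1', 'Site3'; Cost = 200 }
)

foreach ($l in $links) {
    # Create the link if it is missing, otherwise just update it, so the
    # script can be re-run safely.
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$($l.Name)'")) {
        New-ADReplicationSiteLink -Name $l.Name -SitesIncluded $l.Sites `
            -Cost $l.Cost -ReplicationFrequencyInMinutes 30 `
            -InterSiteTransportProtocol IP
    } else {
        Set-ADReplicationSiteLink -Identity $l.Name -Cost $l.Cost `
            -ReplicationFrequencyInMinutes 30
    }
}

# Never delete DEFAULTIPSITELINK; raise its cost above every explicit link
# so it is only the fallback for sites not covered by another link.
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Cost 500

# Review all links: name, cost, interval and the sites each one joins
# (SitesIncluded holds DNs, so keep only the CN part for readability).
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Sort-Object Cost | Format-Table -AutoSize

# Force the KCC on this DC to recompute the topology now (the GUI's
# 'Check Replication Topology'), then list the resulting connection objects.
repadmin /kcc | Out-Null
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
    Format-Table -AutoSize
```

As in the demo, connections on the other domain controllers only change after their own KCC runs and the configuration partition has replicated to them.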
Travis Roberts is a Cloud Infrastructure Architect at a Minneapolis consulting firm, a Microsoft MVP, MCT, and author. Travis has 20 years of IT experience in the legal, pharmaceutical, and marketing industries and has worked with IT hardware manufacturers and managed service providers. In addition, Travis has held numerous technical certifications throughout his career from Microsoft, VMware, Citrix, and Cisco.