Training Guide Configuring Advanced Windows Server 2012 R2 Services(2014)
Chapter 2. Active Directory sites and replication
Even though large organizations can be spread out over countries or continents, that same large organization might only have one Active Directory domain. Branch offices might be located in the same city or in cities that are hundreds of miles or kilometers from each other. As any user in the organization might be signing on in any of these locations, it’s important to ensure that each domain controller has an up-to-date version of the Active Directory database. This is where Active Directory sites and replication become important. Active Directory sites enable you to enter representations of physical locations into the Active Directory database. These sites and the links between them are used to automatically create an efficient replication topology. An efficient replication topology ensures that when a user’s password is changed by the service desk on a domain controller in a remote city, the updated password is available for the user at the domain controller in the user’s branch office. In this chapter you find out how to configure Active Directory sites and how to manage and monitor Active Directory replication.
Lessons in this chapter:
Lesson 1: Configuring sites
Lesson 2: Active Directory replication
Before you begin
To complete the practice exercises in this chapter, you need to have deployed computers SYD-DC, MEL-DC, CBR-DC, and ADL-DC as described in the Introduction, using the evaluation edition of Windows Server 2012 R2.
Lesson 1: Configuring sites
Sites enable you to map physical locations, such as branch offices, into Active Directory. Sites make it possible for Active Directory clients to locate the closest instance of a particular resource, for example ensuring that a user signing on to a computer in the Sydney office isn’t authenticated by a domain controller in the New York office. In this lesson you will find out how to configure sites and subnets, move domain controllers between sites, and ensure that service (SRV) records are correctly configured.
After this lesson, you will be able to:
Configure sites and subnets
Manage registration of SRV records
Move domain controllers between sites
Estimated lesson time: 45 minutes
Configure sites and subnets
Active Directory sites enable you to configure Active Directory so that it understands which network locations have a fast local network connection. Generally this means the computers are in the same building, although if your organization has a group of buildings in the same area that are connected by a high-speed network, you use a single Active Directory site configuration.
You configure sites by associating them with IP address ranges. For example, you might associate the subnet 192.168.10.0 /24 with the Active Directory Site BNE-Site. (The standardized international three-character abbreviations for capital cities/airport codes are used in these examples to ensure a consistent naming scheme.) Any computers that have an Internet Protocol (IP) address in this range would be located in that site. You can configure network addresses using IPv4 or IPv6 networks. When you install Active Directory for the first time, a default site, named Default-First-Site-Name is created. You configure sites using the Active Directory Sites and Services console shown in Figure 2-1.
FIGURE 2-1 The Active Directory Sites and Services console
It’s important that you add sites for each separate location in your organization. If you don’t, Active Directory assumes that all computers are located on the same fast network and this might cause problems with other products as well as with Active Directory. Microsoft Products, such as System Center 2012 R2 Configuration Manager and Exchange Server 2013 use Active Directory site information when generating network topologies.
Separate different locations that are connected by a slow wide-area network (WAN) or expensive WAN link. For example, if your organization has a branch office in Sydney and another branch office in Melbourne, and these branch offices are connected by a WAN link that is rated at 512 kilobits per second (Kbps), you configure the Sydney and Melbourne branch offices as separate sites.
Control which domain controllers are used for authentication. When users log on to the network, they perform authentication against an available domain controller located in their Active Directory site. Although users are still able to sign on and authenticate against a domain controller in another site if one isn’t available in their local site, you should strongly consider placing a domain controller at any site with a sufficient number of users. What counts as “a sufficient number of users” varies depending on the speed and reliability of the site’s connection to the rest of the organization’s network. In some cases you might deploy a read only domain controller (RODC) to aid authentication at some branch office sites.
Control service localization. As mentioned earlier, many Microsoft products, such as System Center 2012 R2 Configuration Manager, Exchange Server, and technologies such as BranchCache and DFS (Distributed File System), use Active Directory sites as a way of determining network topology. To ensure that these products and technologies work well, you should ensure that each Active Directory site is configured properly.
Control Active Directory replication. You can use Active Directory sites to manage domain controller replication. The default settings make it possible for replication to occur 24 hours a day, 7 days a week. You can use Active Directory site configuration to instead configure replication to occur according to a specific schedule. You read more about replication in Lesson 2.
Quick check
What is the name of the first Active Directory site created when you promote the first domain controller in a new forest?
Quick check answer
The name of the first Active Directory site created when you promote the first domain controller in a new forest is Default-First-Site-Name.
Creating sites
To create a site using the graphical user interface, perform the following steps:
1. In the Active Directory Sites and Services console, click the Sites node.
2. On the Action menu, click New Site.
3. In the New Object – Site dialog box, shown in Figure 2-2, enter a name for the site and specify the site link for the site. Selecting DEFAULTIPSITELINK is fine at this point because you can alter things later after you’ve configured some site links. Click OK to create the site.
FIGURE 2-2 Create a new Active Directory site
You can use the New-ADReplicationSite Windows PowerShell cmdlet to create a new site. For example, to create a new site named HBA-SITE that is associated with the default IP site link, issue the command:
New-ADReplicationSite HBA-SITE
After you’ve created a site, you need to associate it with IP address ranges. You can’t do that until you’ve added IP address ranges as subnets. When you create a subnet, you specify an IPv4 or IPv6 network prefix. For an IPv4 network you specify the network address and the subnet in CIDR notation. For example, you specify network 192.168.15.0 with a subnet mask of 255.255.255.0 as 192.168.15.0 /24.
Real World: Assumed knowledge
In the distant past there were specific Microsoft exams that tested your ability to subnet TCP/IP networks. These days the ability to create subnets and supernets and calculate the number of hosts on the resultant network is an assumed skill.
Creating subnets
To create a subnet, perform the following steps:
1. In the Active Directory Sites and Services console, click Subnets under the Sites node.
2. On the Action menu, click New Subnet.
3. In the New Object – Subnet dialog box, specify the network prefix of the subnet and specify the site associated with the subnet as shown in Figure 2-3. Click OK to create the subnet.
FIGURE 2-3 The New Object – Subnet dialog box
You can create a new subnet from Windows PowerShell with the New-ADReplicationSubnet cmdlet. For example, to create a new subnet that has the address 192.168.16.0/24 and associate it with the HBA-SITE site, issue the command:
New-ADReplicationSubnet –Name "192.168.16.0/24" –Site HBA-SITE
You can verify which subnets are associated with a particular Active Directory site by viewing the properties of that site. You can’t change which subnets are associated with a site by editing the site properties. You can only change which site is associated with a specific subnet by editing the subnet properties. You do this using the Site drop-down menu shown in Figure 2-4. You can associate multiple subnets with an Active Directory site, but you can’t associate multiple Active Directory sites with a specific subnet.
FIGURE 2-4 Configuring the subnet properties
Real World: All roads lead to Roma
A few years back I was discussing replication issues with a guy I met at TechEd Australia who worked for a big company, which had branch offices scattered across the state of Queensland. The guy was telling me how the company found the cause of some replication issues with its site in Cairns. Apparently site replication had always been problematic, and no one had been able to figure out why until someone looked at the subnets associated with the Cairns site and discovered that someone had accidentally associated the subnet for the Roma branch office with the Cairns site. Driving from Cairns to Roma takes about 15 hours. To complicate things further, the two locations didn’t have a direct link to each other, but they were instead both directly connected to the Brisbane site. A drive from Cairns to Roma through Brisbane would probably take about 25 hours, assuming you didn’t need to make any stops. After the subnet was associated with the correct site, the problem resolved itself.
Creating site links
Site links enable you to specify how different Active Directory sites are connected to each other. When you add a site, you’re asked to specify the site link, and the DEFAULTIPSITELINK site link is the default option even if another site link is available. Sites that are connected to the same site link are considered to be able to replicate with each other directly. For example, if all of the sites in Figure 2-5 are associated with the DEFAULTIPSITELINK site link, each site assumes that it could replicate directly with the others. For example, a domain controller in the Melbourne site attempts to replicate directly with a domain controller in the Canberra site. With this topology, you instead configure site links for Melbourne-Sydney, Adelaide-Sydney, and Canberra-Sydney. This way, domain controllers in Canberra, Melbourne, and Adelaide only replicate with the Sydney site rather than attempting to directly replicate with each other.
FIGURE 2-5 Configure site links that mirror network topology
You can create a new IP site link using the Active Directory Sites and Services console. When you create a site link, you specify the sites that use the link as shown in Figure 2-6.
FIGURE 2-6 The New Object – Site Link dialog box
You can configure the cost and replication schedule of a site link after it is created by editing the site link properties as shown in Figure 2-7. The default Cost is 100, and site links that have lower costs are preferred for replication over site links that have a higher cost. Replication occurs every 180 minutes by default, 24 hours a day. You can modify when replication occurs by configuring a replication schedule.
FIGURE 2-7 The Site Link properties dialog box
You can create a site link using the New-ADReplicationSiteLink cmdlet. For example, to create a new site link named ADL-CBR that links the ADL-SITE and CBR-SITE sites, issue the command:
New-ADReplicationSiteLink "ADL-CBR" –SitesIncluded ADL-SITE, CBR-SITE
Creating site link bridges
Site link bridges create transitive links between site links. Site link bridges are only necessary when you have cleared the Bridge All Site Links check box for the transport protocol as shown in Figure 2-8. It’s only necessary to do this with complex network topologies as site link bridges are automatically created based on the topology created when you configure site links.
FIGURE 2-8 The transport protocol properties
You can create a site link bridge using the Active Directory Sites and Services console by specifying the two site links that will be in the bridge as shown in Figure 2-9. A site link bridge must contain at least two site links.
FIGURE 2-9 The New Object – Site Link Bridge dialog box
You can create a new site link bridge in Windows PowerShell using the New-ADReplicationSiteLinkBridge cmdlet. For example, to create a new site link bridge named MEL-ADL-CBR using the MEL-ADL and MEL-CBR site links, issue the command:
New-ADReplicationSiteLinkBridge "MEL-ADL-CBR" –SiteLinksIncluded "MEL-ADL", "MEL-CBR"
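The following script is an added example, not code from the book: it builds the hub-and-spoke layout of Figure 2-5 with the cmdlets described above and then checks the result for the two misconfigurations that cause most site trouble, a subnet that points at no site and a site that belongs to no site link. The site names, subnets, link costs and replication intervals are constructed for the example.

```powershell
Import-Module ActiveDirectory

# Hub-and-spoke layout from Figure 2-5: Sydney is the hub, the other sites reach it over WAN links.
# Site names, subnets, link costs and intervals are constructed for this example.
$sites = [ordered]@{
    'SYD-SITE' = '192.168.10.0/24'
    'MEL-SITE' = '192.168.20.0/24'
    'ADL-SITE' = '192.168.30.0/24'
    'CBR-SITE' = '192.168.40.0/24'
}

foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    $prefix = $sites[$name]
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
        New-ADReplicationSubnet -Name $prefix -Site $name
    }
}

# One IP site link per WAN circuit. A lower cost makes a link preferred; 180 minutes is the default interval.
$links = @(
    @{ Name = 'MEL-SYD'; Sites = 'MEL-SITE', 'SYD-SITE'; Cost = 100; Minutes = 60 }
    @{ Name = 'ADL-SYD'; Sites = 'ADL-SITE', 'SYD-SITE'; Cost = 200; Minutes = 180 }
    @{ Name = 'CBR-SYD'; Sites = 'CBR-SITE', 'SYD-SITE'; Cost = 100; Minutes = 30 }
)
foreach ($link in $links) {
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$($link.Name)'")) {
        New-ADReplicationSiteLink -Name $link.Name -SitesIncluded $link.Sites -Cost $link.Cost `
            -ReplicationFrequencyInMinutes $link.Minutes -InterSiteTransportProtocol IP
    }
}

# Spoke sites left in DEFAULTIPSITELINK would assume they can replicate with each other directly,
# so take them out of it. Only sites actually present in that link are removed.
$default = Get-ADReplicationSiteLink -Identity DEFAULTIPSITELINK
$spokes  = 'MEL-SITE', 'ADL-SITE', 'CBR-SITE' | Where-Object {
    $dn = (Get-ADReplicationSite -Identity $_).DistinguishedName
    $default.SitesIncluded -contains $dn
}
if ($spokes) {
    Set-ADReplicationSiteLink -Identity DEFAULTIPSITELINK -SitesIncluded @{ Remove = $spokes }
}

# Checks to run after any site edit: subnets that point at no site, and sites that are in no site link.
function Test-SiteTopology {
    $orphanSubnets = Get-ADReplicationSubnet -Filter * | Where-Object { -not $_.Site }
    $linkedSiteDNs = Get-ADReplicationSiteLink -Filter * | ForEach-Object { $_.SitesIncluded }
    $unlinkedSites = Get-ADReplicationSite -Filter * |
        Where-Object { $linkedSiteDNs -notcontains $_.DistinguishedName }
    [pscustomobject]@{
        OrphanSubnets = @($orphanSubnets | ForEach-Object Name)
        UnlinkedSites = @($unlinkedSites | ForEach-Object Name)
    }
}

Test-SiteTopology
```

Run it from a Windows Server 2012 R2 domain member with the Active Directory module installed; both lists returned by Test-SiteTopology should be empty once the topology is complete.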
Manage SRV record registration
Domain controllers use special Domain Name System (DNS) resource records, known as SRV records to enable clients to locate them. SRV records are sometimes termed locator records because they make it possible for clients to locate resources using DNS queries. SRV records map to existing host records. For example, each domain controller in a domain has a _kerberos and an _ldap SRV record as shown in Figure 2-10 that maps to the domain controller’s fully qualified domain name (FQDN).
FIGURE 2-10 The domain controller SRV records
As Figure 2-11 shows, SRV records contain the following information:
Service Whereas domain controllers provide the kerberos and ldap services, an SRV record can also provide information about servers that host Finger, Ftp, Http, Msdcs, Nntp, Telnet, or Whois services.
Protocol The protocol that is available depends on the service, although this is usually TCP or UDP.
Port number This specifies the port number to be used with the service.
Weight This setting makes it possible to indicate preference of one record over another. By default this is set to 100.
Priority This setting enables you to configure service priority for services that support prioritization. It is set to 0 for the kerberos and ldap SRV records used by domain controllers.
FIGURE 2-11 The SRV resource record properties
Unless something goes wrong, you are unlikely to need to modify the default SRV resource records. By default, the Netlogon service on domain controllers running Windows Server 2012 and Windows Server 2012 R2 reregisters SRV records every 60 minutes. You can manually reregister a domain controller’s SRV records by restarting the Netlogon service.
More Info: Real-life diagnosis
The following TechNet blog post from a Microsoft Premier Field Engineer (PFE) describes diagnosing and resolving problems with SRV records: http://blogs.technet.com/b/askpfeplat/archive/2012/07/09/the-case-of-the-missing-srv-records.aspx.
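An added example, not from the book or the linked post: it checks that every domain controller is listed in the site-specific _ldap and _kerberos SRV records for its site and, for any that is missing, restarts Netlogon on that server to force reregistration rather than waiting for the 60-minute cycle. It assumes the Active Directory module and PowerShell remoting to the domain controllers.

```powershell
Import-Module ActiveDirectory

# For each DC, resolve the site-specific _ldap and _kerberos locator records and check the DC is listed.
function Test-DCLocatorRecords {
    $domain = (Get-ADDomain).DNSRoot
    foreach ($dc in Get-ADDomainController -Filter *) {
        foreach ($service in '_ldap._tcp', '_kerberos._tcp') {
            # Site-specific record, e.g. _ldap._tcp.SYD-SITE._sites.contoso.com
            $name = "$service.$($dc.Site)._sites.$domain"
            $srv  = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'SRV' }
            $mine = $srv | Where-Object { $_.NameTarget -ieq $dc.HostName }
            [pscustomobject]@{
                DomainController = $dc.HostName
                Site             = $dc.Site
                Record           = $name
                Registered       = [bool]$mine
                Priority         = $mine.Priority
                Weight           = $mine.Weight
                Port             = $mine.Port
            }
        }
    }
}

# Reregister a DC's SRV records immediately by restarting Netlogon, as described in the text.
function Register-DCLocatorRecords ([string]$HostName) {
    Invoke-Command -ComputerName $HostName -ScriptBlock { Restart-Service -Name Netlogon }
}

$results = Test-DCLocatorRecords
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Registered } |
    Select-Object -ExpandProperty DomainController -Unique |
    ForEach-Object { Register-DCLocatorRecords -HostName $_ }
```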
Moving domain controllers
When you deploy a new domain controller, the domain controller promotion process performs a lookup to determine which Active Directory site the domain controller should be a member of based on its IP address. If you haven’t created a subnet in the Active Directory Sites and Services console that maps to the IP address of the server that you are promoting to the domain controller, the domain controller is instead assigned to the first Active Directory site, which is Default-First-Site-Name unless you have changed it.
The domain controller does not automatically reassign itself to a new site if you create the subnet and site objects in the Active Directory Sites and Services console if it has already been added to the Default-First-Site-Name site. In this instance, you need to manually move the domain controller to the new site. You can move the domain controller using the Active Directory Sites And Services console by right-clicking the domain controller that you want to move, clicking Move, and selecting the destination site on the Move Server dialog box, as shown in Figure 2-12.
FIGURE 2-12 The Move Server dialog box
You can also move a domain controller to a different site using the Move-ADDirectoryServer Windows PowerShell cmdlet. For example, to move the server PERTH-DC to the Perth-Site Active Directory site, execute the following command:
Move-ADDirectoryServer –Identity "PERTH-DC" –Site "Perth-Site"
More Info: Move-ADDirectoryServer
To learn more about the Move-ADDirectoryServer cmdlet, consult the following article: http://technet.microsoft.com/en-us/library/ee617235.aspx.
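Because a domain controller is not reassigned when you later add a matching subnet, the check you want is one that compares each domain controller's current site with the site of the subnet its address falls in. The script below is an added example, not the book's code; it performs that comparison using longest-prefix matching on the IPv4 subnets and then moves any mismatched domain controller with Move-ADDirectoryServer (with -WhatIf, so it only reports the moves it would make). It assumes the Active Directory module and IPv4 subnet objects.

```powershell
Import-Module ActiveDirectory

# Convert a dotted IPv4 string to an unsigned 32-bit integer in host order.
function ConvertTo-IPv4Int ([string]$Address) {
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

# True when $Address lies inside the CIDR prefix $Prefix (for example 192.168.16.0/24).
function Test-IPv4InPrefix ([string]$Address, [string]$Prefix) {
    $network, $length = $Prefix -split '/'
    $mask = [uint32]((0xFFFFFFFFL -shl (32 - [int]$length)) -band 0xFFFFFFFFL)
    ((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $network) -band $mask)
}

# Report every DC whose current site differs from the site of the most specific subnet holding its address.
function Get-DCSiteMismatch {
    $subnets = Get-ADReplicationSubnet -Filter * |
        Where-Object { $_.Site -and $_.Name -match '^\d+\.\d+\.\d+\.\d+/\d+$' }
    foreach ($dc in Get-ADDomainController -Filter *) {
        $match = $subnets |
            Where-Object { Test-IPv4InPrefix -Address $dc.IPv4Address -Prefix $_.Name } |
            Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
            Select-Object -First 1
        # Subnet objects store the site as a DN; the DC object stores the site by name.
        $expected = if ($match) { ($match.Site -split ',')[0] -replace '^CN=' } else { $null }
        [pscustomobject]@{
            DomainController = $dc.Name
            IPv4Address      = $dc.IPv4Address
            Subnet           = $match.Name
            ExpectedSite     = $expected
            CurrentSite      = $dc.Site
            Mismatch         = [bool]($expected -and $expected -ne $dc.Site)
        }
    }
}

# Move mismatched DCs to the site their subnet maps to; -WhatIf shows the moves without performing them.
function Repair-DCSitePlacement {
    param([switch]$WhatIf)
    Get-DCSiteMismatch | Where-Object Mismatch | ForEach-Object {
        Move-ADDirectoryServer -Identity $_.DomainController -Site $_.ExpectedSite -WhatIf:$WhatIf
    }
}

Get-DCSiteMismatch | Format-Table -AutoSize
Repair-DCSitePlacement -WhatIf
```

A domain controller whose address matches no subnet at all is reported with an empty ExpectedSite and is not moved; create the subnet first and run the check again.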
Lesson summary
Subnets enable you to associate IP addresses in either IPv4 or IPv6 format with network locations.
Sites enable you to connect one or more subnets to represent a location where all the hosts on those subnets share a high-speed network.
Site links enable you to connect sites.
Site link bridges enable you to connect site links. You should only do this if you want to override the replication topology automatically generated by Active Directory.
SRV records make it possible for clients to use DNS to locate servers that provide services, such as LDAP and Kerberos, to the network.
You might need to move domain controllers to different sites if you installed them before you configured sites and subnets.
Lesson review
Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of each answer choice in the “Answers” section at the end of this chapter.
1. You want to manually reregister a specific domain controller’s SRV records. Which service should you restart to accomplish this goal?
A. Netlogon
B. Secondary Logon
C. Active Directory Domain Services
D. DNS Server
2. You installed two domain controllers at a new branch office site before you created the appropriate objects using the Active Directory Sites and Services console. You have since created the appropriate subnet and site objects. Which of the following Windows PowerShell cmdlets could you use to move these domain controllers to the newly created appropriate site?
A. New-ADReplicationSubnet
B. New-ADReplicationSiteLink
C. Move-ADDirectoryServer
D. New-ADReplicationSite
3. Your organization has just opened a new branch office in the city of Hobart. You have assigned this branch office the IPv4 address range 10.100.10.0/24. Which of the following Windows PowerShell cmdlets would you use to add this IPv4 address range to Active Directory so that it is used when determining replication topology?
A. New-ADReplicationSiteLink
B. Move-ADDirectoryServer
C. New-ADReplicationSite
D. New-ADReplicationSubnet
4. Your organization has just opened a new branch office in the city of Hobart. You have used the Active Directory Sites and Services console to enter the IP address range used at the site into Active Directory. You now want to create an Active Directory site called HBA-SITE and to associate it with this IP address range. Which of the following Windows PowerShell cmdlets could you use to accomplish this goal?
A. New-ADReplicationSite
B. New-ADReplicationSubnet
C. Move-ADDirectoryServer
D. New-ADReplicationSiteLink
5. Your organization has just opened a new branch office in the city of Hobart. You want to associate the newly created HBA-SITE site with the SYD-SITE site as these two sites are connected to each other by a high-speed broadband link. Which of the following Windows PowerShell cmdlets could you use to accomplish this goal?
A. New-ADReplicationSite
B. New-ADReplicationSubnet
C. New-ADReplicationSiteLink
D. Move-ADDirectoryServer
Lesson 2: Active Directory replication
Replication makes it possible for changes that are made on one Active Directory domain controller to be replicated to other domain controllers in the domain and in some cases to other domain controllers in the forest. This lesson explains Active Directory replication, and in it you find out how to configure password replication for Read Only Domain Controllers, discover how to monitor and manage replication using a variety of tools, and see how to upgrade SYSVOL replication so that it uses DFS.
After this lesson, you will be able to:
Configure replication to RODCs
Configure password replication to RODCs
Monitor and manage replication
Upgrade SYSVOL replication
Estimated lesson time: 45 minutes
Active Directory partitions
Rather than replicating the Active Directory database in its entirety, the replication process is made more efficient by splitting the database into logical partitions. Replication occurs at the partition level, with some partitions only replicating to domain controllers within the local domain, some partitions replicating only to enrolled domain controllers, and some partitions replicating to all domain controllers in the forest. Active Directory includes the following default partitions:
Configuration partition This partition stores forest-wide Active Directory structure information including domain, site, and domain controller location data. The configuration partition also holds information about DHCP server authorization and Active Directory Certificate Services certificate templates. The configuration partition replicates to all domain controllers in the forest.
Schema partition The schema partition stores definitions of all objects and attributes as well as the rules for creating and manipulating those objects. There is a default set of classes and attributes that cannot be changed, but it’s possible to extend the schema and add new attributes and classes. Only the domain controller that holds the Schema Master FSMO role is able to extend the schema. The schema partition replicates to all domain controllers in the forest.
Domain partition The domain partition holds information about domain-specific objects such as organizational units, domain-related settings, user, group, and computer accounts. A new domain partition is created each time you add a new domain to the forest. The domain partition replicates to all domain controllers in a domain. All objects in every domain partition are stored in the global catalog, but these objects are stored only with some, not all, of their attribute values.
Application partitions Application partitions store application-specific information for applications that store information in Active Directory. There can be multiple application partitions, each of which is used by different applications. You can configure application partitions so that they replicate only to some domain controllers in a forest. For example, you can create specific application partitions to be used for DNS replication so that DNS zones replicate to some, but not all, domain controllers in the forest.
Domains running at the Windows Server 2008 and higher functional level support attribute-level replication. Rather than replicate the entire object when a change is made to an attribute on that object, such as when group membership changes for a user account, only the attribute that changes is replicated to other domain controllers. Attribute-level replication substantially reduces the amount of data that needs to be transmitted when objects stored in Active Directory are modified.
Understanding multi-master replication
Active Directory uses multi-master replication. This means that any writable domain controller is able to make modifications to the Active Directory database and to have those modifications propagate to the other domain controllers in the domain. Domain controllers use pull replication to acquire changes from other domain controllers. A domain controller may pull changes after being notified by replication partners that changes are available. A domain controller notifies its first replication partner that a change has occurred within 15 seconds and additional replication partners every 3 seconds after the previous notification. Domain controllers also periodically poll replication partners to determine whether changes are available so that those changes can be pulled and applied to the local copy of the relevant partition. By default, polling occurs once every 60 minutes. You can alter this by editing the properties of the connection object in the Active Directory Sites and Services console as shown in Figure 2-13.
FIGURE 2-13 Configure the replication-polling schedule
Knowledge Consistency Checker (KCC)
The Knowledge Consistency Checker (KCC) runs on each domain controller. The KCC is responsible for creating and optimizing the replication paths between domain controllers located at a specific site. In the event that a domain controller is added to or removed from a site, the KCC automatically reconfigures the site’s replication topology. The KCC topology organization process occurs every 15 minutes by default. Although you can change this value by editing the registry, you can also trigger an update using the repadmin command-line tool with the KCC switch.
More Info: KCC
To learn more about the KCC, consult the following article: http://technet.microsoft.com/en-us/library/cc961781.aspx.
Store and forward replication
Active Directory supports store and forward replication. For example, the Canberra and Melbourne branch offices are enrolled in a custom application partition. These branch offices aren’t connected to each other, but they are connected to the Sydney head office. In this case, changes made to objects stored in the application partition at Canberra can be pulled by the domain controller in Sydney. The Melbourne domain controller can then pull those changes from the domain controller in Sydney as shown in Figure 2-14.
FIGURE 2-14 An example of store and forward replication
Conflict resolution
In an environment that supports multi-master replication, it’s possible that updates may be made to the same object at the same time in two or more different places. Active Directory includes sophisticated technologies that minimize the chance that these conflicts will cause problems, even when conflicting updates occur in locations that are distant from each other.
Each domain controller tracks updates by using update sequence numbers (USNs). Each time a domain controller updates, either by processing an update performed locally or by processing an update acquired through replication, it increments the USN and associates the new value with the update. USNs are unique to each domain controller, because each domain controller processes a different number of updates than every other domain controller.
When a conflict occurs, the domain controller that wrote the most recent change, known as the last writer, wins. Because each domain controller’s clock might not be precisely synchronized with every other domain controller’s clock, last write isn’t simply determined by a comparison of timestamps. Similarly, because USNs are unique to each domain controller, a direct comparison of USNs is not made. Instead the conflict resolution algorithm looks at the attribute version number. This is a number that indicates how many times the attribute has changed and is calculated using USNs. When the same attribute has been changed on different domain controllers, the attribute with the higher attribute version number wins. If the attribute version number is the same, the attribute modification timestamps are compared, with the most recent change being deemed authoritative.
If you add or move an object to a container that was deleted on another domain controller at the same time, the object is moved to the LostAndFound container. You can view this container when you enable the Advanced Features option in the Active Directory Users and Computers console as shown in Figure 2-15.
FIGURE 2-15 The LostAndFound container
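To see the version numbers, timestamps and USNs that the conflict resolution rules above operate on, the following added example (not the book's code) reads the per-attribute replication metadata of one object from two domain controllers with Get-ADReplicationAttributeMetadata and applies those rules: the higher attribute version prevails, and on a tie the later originating timestamp does. The user DN is constructed; SYD-DC and MEL-DC are the lab servers named in the chapter introduction.

```powershell
Import-Module ActiveDirectory

# Compare replication metadata for chosen attributes of one object as seen from two DCs and report which
# replica's value prevails under the rules in the text. Local USNs are shown only to make the point that
# they differ per DC and cannot be compared directly.
function Compare-AttributeMetadata {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][string]$ServerA,
        [Parameter(Mandatory)][string]$ServerB,
        [string[]]$Attributes = @('description', 'telephoneNumber')
    )
    $metaA = Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $ServerA -Properties $Attributes
    $metaB = Get-ADReplicationAttributeMetadata -Object $ObjectDN -Server $ServerB -Properties $Attributes

    foreach ($attr in $Attributes) {
        $a = $metaA | Where-Object { $_.AttributeName -eq $attr }
        $b = $metaB | Where-Object { $_.AttributeName -eq $attr }
        if (-not $a -or -not $b) { continue }   # attribute has never been written on one replica

        $prevails = 'converged'
        if ($a.Version -ne $b.Version) {
            # Rule 1: the higher attribute version number wins.
            $prevails = if ($a.Version -gt $b.Version) { $ServerA } else { $ServerB }
        }
        elseif ($a.LastOriginatingChangeTime -ne $b.LastOriginatingChangeTime) {
            # Rule 2: same version, so the later originating change wins.
            $prevails = if ($a.LastOriginatingChangeTime -gt $b.LastOriginatingChangeTime) { $ServerA } else { $ServerB }
        }

        [pscustomobject]@{
            Attribute    = $attr
            VersionA     = $a.Version
            VersionB     = $b.Version
            OriginTimeA  = $a.LastOriginatingChangeTime
            OriginTimeB  = $b.LastOriginatingChangeTime
            OriginDcA    = $a.LastOriginatingChangeDirectoryServerIdentity
            OriginDcB    = $b.LastOriginatingChangeDirectoryServerIdentity
            LocalUsnA    = $a.LocalChangeUsn
            LocalUsnB    = $b.LocalChangeUsn
            Prevails     = $prevails
        }
    }
}

# Constructed scenario: a user account edited on both replicas before replication converged.
Compare-AttributeMetadata -ObjectDN 'CN=Kim Akers,OU=Users,DC=contoso,DC=com' `
    -ServerA 'SYD-DC' -ServerB 'MEL-DC' | Format-Table -AutoSize
```

Once replication has completed, every row shows identical versions and originating timestamps on both servers and Prevails reads converged, even though LocalUsnA and LocalUsnB still differ.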
RODC replication
Read-only domain controllers (RODCs) are a special type of domain controller that are suitable for branch office locations that require a local domain controller for authentication but don’t have a secure location where the server can be stored. The key difference between an RODC and a writable domain controller is that RODCs aren’t able to update the Active Directory database and that they only host password information for a subset of security principals.
Real World: Servers and biscuits
I once visited a branch office of a company where the two local servers were stored in a locked wardrobe in the staff break room. Although it’s reasonable to object to this arrangement because of the security implications, it was redeemed by the presence of a large jar with chocolate biscuits.
When a client in a site that only has RODCs needs to make a change to the Active Directory database, that change is forwarded to a writable domain controller in another site. When considering replication, remember that all RODC-related replication is incoming and that other domain controllers do not pull updates from the AD DS database hosted on an RODC.
RODCs use the usual replication schedule to pull updates from writeable domain controllers except in some special cases. In certain cases, RODCs perform inbound replication using a replicate-single-object (RSO) operation. These cases include:
The password of a user whose account password is stored on the RODC is changed.
A DNS record update occurs where the DNS client performing the update attempts to use the RODC to process the update and is then redirected by the RODC to a writable DC that hosts the appropriate Active Directory Integrated DNS zone.
Client attributes including client name, DnsHostName, OsName, OsVersionInfo, supported encryption types, and LastLogonTimeStamp are updated.
These updates occur outside the usual replication schedule as they involve objects and attributes that are important to security. For example, a user at a site that uses RODCs calls the service desk to have his or her password reset. The service desk staff member, located in another site, resets the password using a writable domain controller. If a special RSO operation isn’t performed, it is necessary to wait for the change to replicate to the site before the user is able to sign on with the newly reset password.
Configure RODC password replication
If a domain controller is compromised then it’s possible that any of the user accounts that were stored on that domain controller might be compromised. If it’s a writable domain controller then every account in the domain is at risk. RODCs ameliorate the risk by only allowing specific accounts to be stored on the RODC. If the RODC is compromised then only a fraction of the accounts in the domain are at risk. Rather than having to reset all of the accounts in the organization, you can delete the RODC computer account and automatically reset all of the user and computer accounts stored on the RODC in a simple action. You configure which accounts can be stored on the RODC by configuring RODC password replication.
Members of the Allowed RODC Password Replication security group are able to have their passwords replicated to the RODC as long as they aren’t members of a group that has a Deny setting in the Password Replication Policy. The following groups have a Deny setting by default:
Account Operators
Administrators
Backup Operators
Denied RODC Password Replication Group
Server Operators
The Password Replication Policy tab of an RODC’s computer account properties dialog box displays the configuration of allowed and denied security groups for password replication to that RODC. This tab is shown in Figure 2-16. The Password Replication Policy is unique to each RODC, and it enables you to ensure that the passwords that are replicated to each RODC are unique to that RODC. For example, if you have an RODC in the Perth site and one in the Hobart site, it’s unlikely that users in the Perth site will be authenticating in the Hobart site and that users from the Hobart site will authenticate using the RODC in Perth. Configuring separate password replication policies for each RODC ensures that only the passwords of users in Perth are replicated to the Perth RODC and that only the passwords of users in Hobart are replicated to the Hobart RODC. The easiest way to ensure that only relevant account passwords replicate to a site is to create a separate security group for each location, populate it with the relevant accounts, and add that group to that site’s RODC Password Replication Policy.
FIGURE 2-16 Configure the Password Replication Policy
You can check which passwords have been replicated to a specific RODC by clicking the Advanced button on the Password Replication Policy tab of the RODC's computer account's Properties. You can also use the dialog box shown in Figure 2-17 to prepopulate the RODC with passwords. When you prepopulate an RODC with passwords, authentication is faster the first time a user signs on at the site because it can be performed locally and doesn't need to be forwarded to a writable domain controller in another site. Prepopulation places those secrets on the RODC immediately, so prepopulate only the accounts that genuinely sign on at that site; the policy still applies, and an account that is denied by the policy can't be prepopulated.
FIGURE 2-17 View the stored account passwords
Rather than figure out a user’s group membership to determine whether a user’s password can be replicated to an RODC, you can use the Resultant Policy tab of the Advanced Password Replication Policy dialog box, shown in Figure 2-18, to determine whether a specific user’s password will be replicated to the RODC. This dialog box doesn’t tell you which group membership is blocking the password replication, but it enables you to verify that a sensitive user’s account is blocked from replication.
FIGURE 2-18 The Resultant Password Replication Policy
In the event that an RODC is compromised or stolen, you can have Active Directory automatically reset the passwords of all of the user and computer accounts that were cached on it by deleting the RODC's computer account. When you attempt to delete the RODC's computer account, you are prompted with the Deleting Domain Controller dialog box, shown in Figure 2-19. In this dialog box you can also choose to export the list of accounts that were cached on the RODC, which enables you to perform follow-up activities such as contacting users to tell them why their account password has been reset. If you reset computer account passwords, those computers lose their secure channel with the domain and you need to rejoin them to the domain.
FIGURE 2-19 The Deleting Domain Controller dialog box
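The following script is an added example, not part of the training guide, showing how the Password Replication Policy work described above (and performed through the GUI in Exercises 8 and 9 later in this chapter) is done with the ActiveDirectory module cmdlets and repadmin. It assumes it runs on the writable domain controller SYD-DC as a domain administrator, that ADL-DC is an RODC in contoso.com, and that the group ADL-Replicated-Accounts and the user kim_akers already exist. The Get-RodcResultantPolicy function is a helper written for this example; it reproduces the Resultant Policy tab's result and, unlike the tab, reports which entry produced it.

```powershell
# Added example, not from the training guide: manage and audit the Password
# Replication Policy (PRP) of the RODC ADL-DC with the ActiveDirectory module.
# Assumptions: run on writable DC SYD-DC as a domain admin; ADL-DC is an RODC in
# contoso.com; the group ADL-Replicated-Accounts and user kim_akers exist.
Import-Module ActiveDirectory

$Rodc  = 'ADL-DC'
$Group = 'ADL-Replicated-Accounts'

# 1. Allow only the site-specific group on this RODC. The Allowed RODC Password
#    Replication Group is domain-wide, so it is the wrong place for per-site scoping.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $Group

# 2. Show the allow and deny lists as stored on the RODC computer object.
'--- Allowed ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed | Select-Object -ExpandProperty Name
'--- Denied (a Deny entry always wins over an Allow entry) ---'
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied  | Select-Object -ExpandProperty Name

# 3. Resultant policy for one account, computed the way the Resultant Policy tab
#    does it: denied if the account or any group it belongs to (transitively) is on
#    the deny list; otherwise allowed only if one of them is on the allow list.
#    tokenGroups is a constructed attribute holding every transitive group SID.
function Get-RodcResultantPolicy {
    param([string]$RodcName, [string]$SamAccountName)

    $acct  = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids  = @($acct.SID.Value) + @($acct.tokenGroups | ForEach-Object { $_.Value })
    $deny  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Denied  | ForEach-Object { $_.SID.Value }
    $allow = Get-ADDomainControllerPasswordReplicationPolicy -Identity $RodcName -Allowed | ForEach-Object { $_.SID.Value }

    $denyHit  = $sids | Where-Object { $deny  -contains $_ } | Select-Object -First 1
    $allowHit = $sids | Where-Object { $allow -contains $_ } | Select-Object -First 1

    if ($denyHit)  { return "Deny  (matched deny entry $denyHit)" }   # the membership that blocks it
    if ($allowHit) { return "Allow (matched allow entry $allowHit)" }
    return 'Deny  (no allow entry matched; this is the default)'
}

Get-RodcResultantPolicy -RodcName $Rodc -SamAccountName 'kim_akers'   # expect Allow via the site group
Get-RodcResultantPolicy -RodcName $Rodc -SamAccountName 'don_funk'    # privileged account: expect Deny

# 4. What is actually on the RODC. Revealed = password secrets cached on ADL-DC.
#    Authenticated = accounts that signed on through ADL-DC but were not cached,
#    i.e. candidates for the site group if they really belong to that site.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts      | Select-Object Name, objectClass
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts | Select-Object Name, objectClass

# 5. Prepopulate one account so the first sign-on at the site is authenticated locally.
#    Syntax: repadmin /rodcpwdrepl <RODC> <source writable DC> <account DN> [...]
repadmin /rodcpwdrepl $Rodc SYD-DC 'CN=kim_akers,CN=Users,DC=contoso,DC=com'

# 6. Incident response: capture the revealed list before the RODC computer account
#    is deleted, so the owners of the accounts that get reset can be contacted.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object Name, DistinguishedName, objectClass |
    Export-Csv -Path "$env:USERPROFILE\Desktop\$Rodc-revealed.csv" -NoTypeInformation
```

Step 3 is the check worth scripting: run it for every account in a site group before adding the group to a policy, and any privileged account that slipped into the group shows up as Deny together with the entry that blocks it. Step 6 produces the same information as the export option in the Deleting Domain Controller dialog box, but you can take it on a schedule so the list is already in hand when an RODC goes missing.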
Quick check
You delete the computer account of an RODC and choose to reset the passwords of computer accounts. What step do you need to take next to restore the computers to normal functionality?
Quick check answer
You need to rejoin the computers to the domain to restore normal functionality.
Monitor and manage replication
You can use the Active Directory Sites and Services console to trigger replication. You can trigger replication on a specific domain controller by right-clicking a connection object under its NTDS Settings node and clicking Replicate Now as shown in Figure 2-20. A connection object represents inbound replication from one partner, so when you do this the domain controller pulls changes over that connection from the partner named in the connection object. To replicate with every partner at once, repeat the action for each connection object, or use repadmin /syncall as described later in this lesson.
FIGURE 2-20 Trigger domain controller replication
You can also monitor replication as it occurs using DirectoryServices performance counters as shown in Figure 2-21. Through Performance Monitor, you can view inbound and outbound replication, including the number of inbound objects in the queue and pending synchronizations.
FIGURE 2-21 Use Performance Monitor to view replication performance
Repadmin
You can use the repadmin command-line tool to manage and monitor replication. This tool is especially useful for diagnosing where the problems are in a replication topology. For example, when you use repadmin with the /replsummary option, as shown in Figure 2-22, you get a per-domain-controller report of how many inbound and outbound replication attempts have failed, the failure percentage, and the largest delta, which is the longest time that has elapsed since a successful replication with any partner. A large delta on a domain controller that reports no outright failures is often the first sign that it has stopped replicating.
FIGURE 2-22 Use repadmin to view a replication summary
Real World: Finding lost domain controllers
Sometimes, for undetermined reasons, a domain controller stops replicating with the other domain controllers. The symptom might be that the domain controller picks up accounts created on other domain controllers but changes made on this specific domain controller don't replicate to the rest of the organization. Or it might be something much odder. If you're investigating a quirky issue related to Active Directory, it always helps at the start to run repadmin /replsummary as a quick method of determining whether all of the domain controllers are playing along or one of them has wandered off the track without anyone noticing.
You can view specific inbound replication traffic by using the /showrepl switch. Figure 2-23 shows detail about inbound replication traffic, including the objects that were replicated and the date stamps associated with that replication traffic.
FIGURE 2-23 View the inbound replication traffic
When you want to determine which users have had their password replicated to an RODC, you don't need to open the properties of the RODC's computer account in the Active Directory Administrative Center or the Active Directory Users and Computers console. Instead, you can use repadmin with the /prp switch. Figure 2-24 shows how to use repadmin to determine which account passwords are being stored on the RODC named ADL-DC.
FIGURE 2-24 View the RODC Password Replication Policy
Using repadmin with the /kcc switch, as shown in Figure 2-25, enables you to force the KCC to recalculate a domain controller’s inbound replication topology. Although this process happens automatically, you might want to manually trigger this operation in cases where the replication topology has changed radically and you don’t want to wait for your organization’s domain controllers to recalculate the topology as they would normally.
FIGURE 2-25 Recalculate the topology
In addition to this functionality, you can use repadmin to perform the following tasks:
The /queue switch enables you to display inbound replication requests that a domain controller must make to reach a state of convergence with source replication partners.
Use the /replicate switch to force replication of a specific directory partition to a specific destination domain controller.
Use the /replsingleobj switch when you need to replicate a single object between two domain controllers.
The /rodcpwdrepl option enables you to populate RODCs with the passwords of specific users.
Use the /showutdvec switch to display the up-to-dateness vector, that is, the highest USN value recorded for committed replication operations from each partner on a specific DC.
More Info: Repadmin.exe
For more information about Repadmin, consult the following TechNet article: http://technet.microsoft.com/en-us/library/cc770963(v=ws.10).aspx.
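The following script is an added example, not part of the training guide, that turns the monitoring described in this section (and repeated by hand in Exercise 10 later in this chapter) into a repeatable health check. It combines the CSV output of repadmin /showrepl with the ADReplication cmdlets that shipped with Windows Server 2012, and finishes with the remediation commands in escalating order. It assumes it runs as a domain administrator on a domain controller in contoso.com with domain controllers SYD-DC, MEL-DC, and CBR-DC; the six-hour staleness threshold is an arbitrary choice for the example.

```powershell
# Added example, not from the training guide: replication health check that
# combines repadmin's CSV output with the ADReplication cmdlets (Windows Server 2012+).
# Assumptions: run as a domain admin on a DC in contoso.com with DCs SYD-DC, MEL-DC,
# CBR-DC; the 6-hour staleness threshold is arbitrary.
Import-Module ActiveDirectory

# repadmin /showrepl * /csv returns one row per (destination DC, partition, source DC).
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

# Failures: an inbound link with a non-zero failure count or a non-zero last status.
$failed = $rows | Where-Object {
    [int]$_.'Number of Failures' -gt 0 -or $_.'Last Failure Status' -ne '0'
}

# Stale: last successful inbound replication older than the threshold. This is how a
# "lost" domain controller shows up even when nothing reports an outright error.
$threshold = (Get-Date).AddHours(-6)
$stale = $rows | Where-Object {
    $t = [datetime]::MinValue
    [datetime]::TryParse($_.'Last Success Time', [ref]$t) -and $t -lt $threshold
}

'--- Inbound links with failures ---'
$failed | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status' -AutoSize
'--- Inbound links with no success in the last 6 hours ---'
$stale  | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Success Time' -AutoSize

# The same data through the cmdlets, which return objects rather than text.
Get-ADReplicationFailure -Target 'contoso.com' -Scope Domain |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
Get-ADReplicationPartnerMetadata -Target 'SYD-DC' -Partition * |
    Select-Object Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

# Up-to-dateness vector (cmdlet equivalent of repadmin /showutdvec): the highest USN
# SYD-DC has received from each partner, useful when comparing two DCs' views.
Get-ADReplicationUpToDatenessVectorTable -Target 'SYD-DC' | Select-Object Partner, UsnFilter, LastReplicationSuccess

# Remediation, in escalating order.
repadmin /kcc MEL-DC                                   # recalculate MEL-DC's inbound topology
Sync-ADObject -Object 'CN=kim_akers,CN=Users,DC=contoso,DC=com' -Source SYD-DC -Destination MEL-DC  # one object (= /replsingleobj)
repadmin /replicate MEL-DC SYD-DC 'DC=contoso,DC=com'  # one partition, SYD-DC -> MEL-DC
repadmin /syncall MEL-DC /AdeP                         # all partitions, all partners, cross-site, push too
```

Run the first half on a schedule and alert on anything in $failed or $stale; the remediation lines are meant to be run one at a time while you watch the output, not as part of the scheduled job.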
Upgrade SYSVOL replication
SYSVOL is a special folder located on each domain controller in the %SystemRoot%\SYSVOL folder. This folder hosts logon scripts, Group Policy templates, and other Active Directory items. SYSVOL is replicated to all domain controllers in a domain. Prior to Windows Server 2008, SYSVOL was replicated using the File Replication Service (FRS). Windows Server 2008 introduced DFS Replication (DFSR), a much more efficient and robust replication technology, as the replacement for FRS for replicating the contents of SYSVOL.
If your organization has upgraded from a Windows Server 2003 Active Directory environment, SYSVOL may still be configured to use FRS rather than DFSR. After you have upgraded all domain controllers and raised the domain functional level to at least Windows Server 2008, you can use the Dfsrmig.exe utility to migrate SYSVOL replication from FRS to DFSR. The migration moves through the global states Start, Prepared, Redirected, and Eliminated; once a domain reaches Eliminated, FRS is removed and the migration can't be rolled back.
If your domain was deployed from the beginning using Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 domain controllers at the Windows Server 2008 domain functional level or higher, SYSVOL is already configured to use DFSR rather than FRS. You can verify which technology SYSVOL is using with the dfsrmig.exe command and the /getglobalstate switch as shown in Figure 2-26.
FIGURE 2-26 Upgrade SYSVOL replication
More Info: dfsrmig.exe
For more information about dfsrmig.exe, consult the following TechNet article: http://technet.microsoft.com/en-au/library/dd641227(v=ws.10).aspx.
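The following script is an added example, not part of the training guide, showing the FRS-to-DFSR migration described above driven from Windows PowerShell so that each global state is confirmed on every domain controller before the next one is requested. It assumes it runs as a domain administrator on the PDC emulator of contoso.com, that all domain controllers are online and replicating (run repadmin /replsummary first), and that the domain functional level is at least Windows Server 2008. The Wait-SysvolMigrationState and Set-SysvolMigrationState functions are helpers written for this example.

```powershell
# Added example, not from the training guide: staged FRS-to-DFSR SYSVOL migration with
# dfsrmig.exe, waiting for every DC to reach each global state before moving on.
# Assumptions: run as a domain admin on the PDC emulator of contoso.com; all DCs are
# online and replicating; the domain functional level is at least Windows Server 2008.
Import-Module ActiveDirectory

# Guard: dfsrmig refuses to run below the Windows Server 2008 domain functional level.
# ADDomainMode enum: Windows2000Domain=0, Windows2003InterimDomain=1,
# Windows2003Domain=2, Windows2008Domain=3, and higher values for later levels.
$domain = Get-ADDomain
if ([int]$domain.DomainMode -lt 3) {
    throw "Domain functional level is $($domain.DomainMode); raise it to Windows Server 2008 or higher first."
}

# Global states: 0 Start (FRS only), 1 Prepared (both run, FRS authoritative),
# 2 Redirected (both run, DFSR authoritative), 3 Eliminated (DFSR only, irreversible).
$stateNames = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }

function Wait-SysvolMigrationState {
    param([int]$State, [int]$TimeoutMinutes = 60)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # /getmigrationstate reports per-DC progress; every DC must reach the global state.
        $out = (dfsrmig /getmigrationstate) -join "`n"
        if ($out -match 'All Domain Controllers have migrated successfully') { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

function Set-SysvolMigrationState {
    param([int]$State)
    Write-Host "Requesting global state $State ($($stateNames[$State]))"
    dfsrmig /setglobalstate $State | Out-Null
    if (-not (Wait-SysvolMigrationState -State $State)) {
        throw "Not all DCs reached state $State ($($stateNames[$State])); inspect 'dfsrmig /getmigrationstate' and the DFS Replication event log before continuing."
    }
}

dfsrmig /getglobalstate            # where the domain starts (expect 'Start' on an FRS domain)

Set-SysvolMigrationState -State 1  # Prepared: DFSR replicates SYSVOL_DFSR alongside the FRS SYSVOL
Set-SysvolMigrationState -State 2  # Redirected: the SYSVOL share now points at SYSVOL_DFSR

# Point of no return: Eliminated removes FRS and can't be rolled back. Verify that
# Group Policy processing and logon scripts work from the redirected share first.
Set-SysvolMigrationState -State 3

dfsrmig /getglobalstate            # expect 'Eliminated'
```

The states 1 and 2 can be reverted by setting a lower global state with dfsrmig /setglobalstate, which is why the script stops with an error rather than pressing on if any domain controller fails to reach a state; a domain controller that is offline or not replicating will block the migration until it is fixed or demoted.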
Lesson summary
Active Directory domain controllers perform multi-master replication.
Domain controllers pull updates from replication partners.
RODCs hold a read-only replica of the Active Directory database and can't originate updates; write operations are referred to a writable domain controller.
The Password Replication Policy is unique to each RODC and determines which account passwords are stored on the RODC.
When you remove an RODC from the domain, you can configure an automatic password reset for all account passwords stored on the RODC.
You can use repadmin to manage and monitor Active Directory replication.
You can use dfsrmig.exe to migrate a domain that uses FRS for SYSVOL replication so that it uses DFSR.
Lesson review
Answer the following questions to test your knowledge of the information in this lesson. You can find the answers to these questions and explanations of each answer choice in the “Answers” section at the end of this chapter.
1. As a part of a security audit, you are attempting to verify which user accounts have had their passwords replicated to the RODC named ADL-RODC. This RODC is running the Server Core installation of Windows Server 2012 R2. Which of the following commands could you use to accomplish this goal?
A. Repadmin /prp view ADL-RODC Reveal
B. Repadmin /replsummary ADL-RODC
C. Repadmin /kcc ADL-RODC
D. Repadmin /showrepl ADL-RODC
E. Repadmin /syncall ADL-RODC
2. You have just substantially changed the structure of your organization’s WAN links. You want to trigger an update on SYD-DC of the inbound replication topology. Which of the following commands could you use to accomplish this goal?
A. Repadmin /prp view SYD-DC Reveal
B. Repadmin /syncall SYD-DC
C. Repadmin /showrepl SYD-DC
D. Repadmin /kcc SYD-DC
E. Repadmin /replsummary SYD-DC
3. You are in the process of diagnosing replication problems to a DC named CBR-DC, which is located in your organization’s Canberra branch office. You want to view information about the failure and success percentages of both inbound and outbound replication operations. Which of the following commands could you use to accomplish this goal?
A. Repadmin /showrepl CBR-DC
B. Repadmin /syncall CBR-DC
C. Repadmin /kcc CBR-DC
D. Repadmin /prp view CBR-DC Reveal
E. Repadmin /replsummary CBR-DC
4. You want to force the domain controller MEL-DC to immediately perform synchronization with all its replication partners. Which of the following commands would you use to accomplish this goal?
A. Repadmin /showrepl MEL-DC
B. Repadmin /syncall MEL-DC
C. Repadmin /kcc MEL-DC
D. Repadmin /replsummary MEL-DC
E. Repadmin /prp view MEL-DC Reveal
5. You are attempting to diagnose some replication problems with the domain controller BNE-DC. You want to show status information on this domain controller’s most recent attempts to perform inbound replication. Which of the following commands would you use to accomplish this goal?
A. Repadmin /syncall BNE-DC
B. Repadmin /kcc BNE-DC
C. Repadmin /showrepl BNE-DC
D. Repadmin /replsummary BNE-DC
E. Repadmin /prp view BNE-DC Reveal
6. Up until last night, the Perth site has had an RODC that was kept in a locked cupboard. This RODC was used to authenticate computer and user accounts in the Perth site. In the early hours of the morning, the Perth site was robbed and the RODC was stolen. As a part of your response to this incident, you are in the process of deleting the computer account of the Perth site RODC. Which of the following steps might you need to take after removing this account? (Choose all that apply.)
A. Assign users new passwords.
B. Enable user accounts.
C. Rejoin computers to the domain.
D. Enable computer accounts.
7. What is the minimum domain functional level required before you can update SYSVOL replication to use DFS instead of FRS?
A. Windows Server 2003
B. Windows Server 2008
C. Windows Server 2008 R2
D. Windows Server 2012
8. You have recently transitioned from a Windows Server 2003 domain functional level to a Windows Server 2012 R2 domain functional level. Which of the following utilities would you use to determine whether FRS or DFS is being used to support SYSVOL replication?
A. dfsrmig.exe
B. repadmin.exe
C. dcdiag.exe
D. dnscmd.exe
Practice exercises
The goal of this section is to provide you with hands-on practice with the following:
Creating Active Directory sites
Creating Active Directory subnets
Creating site links
Modifying site link cost and replication schedule
Deploying an RODC
Configuring an RODC replication
Monitoring replication
Removing an RODC and resetting accounts
To perform the exercises in this section, you need access to an evaluation version of Windows Server 2012 R2. You should also have access to virtual machines SYD-DC, MEL-DC, CBR-DC, and ADL-DC, the setup instructions for which are as described in the Appendix. You should ensure that you have a checkpoint of these virtual machines that you can revert to at the end of the practice exercises. You should revert the virtual machines to this initial state prior to beginning these exercises.
Exercise 1: Create Active Directory sites
In this exercise, you create Active Directory sites in the Contoso.com domain named ADL-SITE, CBR-SITE, and MEL-SITE. You also rename the default first site to SYD-SITE. To complete this exercise, perform the following steps:
1. Power on SYD-DC and sign on as contoso\don_funk with the password Pa$$w0rd.
2. In the Server Manager console, click the Tools menu and then click Active Directory Sites And Services.
3. In the Active Directory Sites And Services console, right-click Default-First-Site-Name and click Rename.
4. Rename the Default-First-Site-Name site SYD-SITE as shown in Figure 2-27.
FIGURE 2-27 Rename the default site
5. Right-click the Sites node and click New Site.
6. In the New Object – Site dialog box, type ADL-SITE, click the DEFAULTIPSITELINK item as shown in Figure 2-28, and then click OK. In the Active Directory Domain Services dialog box, click OK.
FIGURE 2-28 Create the ADL-SITE
7. Right-click the Sites node and click New Site.
8. In the New Object – Site dialog box, type MEL-SITE, click the DEFAULTIPSITELINK item, and click OK.
9. In the Active Directory Domain Services dialog box, click OK.
10. Right-click the Sites node and click New Site.
11. In the New Object – Site dialog box, type CBR-SITE, click the DEFAULTIPSITELINK item, and click OK.
12. Verify that the list of sites in the Active Directory Sites And Services console matches Figure 2-29.
FIGURE 2-29 The Active Directory Sites And Services configuration
Exercise 2: Create Active Directory subnets
In this exercise, you create IPv4 subnets and associate them with different Active Directory sites. To complete this exercise, perform the following steps:
1. In the Active Directory Sites And Services console on SYD-DC, right-click the Subnets node and click New Subnet.
2. In the Prefix text box of the New Object – Subnet dialog box, type 10.10.10.0/28 and click SYD-SITE as shown in Figure 2-30. Click OK.
FIGURE 2-30 Create an Active Directory subnet
3. In the Active Directory Sites And Services console, right-click the Subnets node and click New Subnet.
4. In the Prefix text box of the New Object – Subnet dialog box, type 10.10.10.16/28, click ADL-SITE, and click OK.
5. In the Active Directory Sites And Services console, right-click the Subnets node and click New Subnet.
6. In the Prefix text box of the New Object – Subnet dialog box, type 10.10.10.32/28, click MEL-SITE as shown in Figure 2-31, and click OK.
FIGURE 2-31 Create another subnet
7. In the Active Directory Sites And Services console, right-click the Subnets node and click New Subnet.
8. In the Prefix text box of the New Object – Subnet dialog box, type 10.10.10.48/28, click CBR-SITE, and click OK.
9. Select the Subnets node and verify that the Active Directory Sites And Services console matches Figure 2-32.
FIGURE 2-32 Verify the subnet configuration
Exercise 3: Create site links
In this exercise, you create two new IP Site Links. To complete this exercise, perform the following steps:
1. On SYD-DC in the Active Directory Sites And Services console, expand the Sites\Inter-Site Transports node.
2. Right-click the IP node and click New Site Link.
3. On the New Object – Site Link dialog box, type MEL-ADL in the Name text box. Hold the Ctrl key, click ADL-SITE and MEL-SITE, and click Add as shown in Figure 2-33. Click OK.
FIGURE 2-33 Create a site link
4. Right-click the IP node and click New Site Link.
5. On the New Object – Site Link dialog box, type MEL-CBR in the Name text box. Hold the Ctrl key, click MEL-SITE and CBR-SITE, click Add, and then click OK.
6. Select the IP node of the Active Directory Sites and Services console and verify that the site links listed match those in Figure 2-34.
FIGURE 2-34 Verify the site link configuration
Exercise 4: Modify site link cost and replication schedule
In this exercise, you modify the site link cost and replication schedule of the MEL-CBR site link. To complete this exercise, perform the following steps:
1. In the Active Directory Sites And Services console on SYD-DC, expand Sites\Inter-Site Transports and click on the IP node.
2. In the list of site links, right-click MEL-CBR and click Properties.
3. On the MEL-CBR Properties dialog box, set the Cost to 150 and set the Replicate Every option to 240 as shown in Figure 2-35.
FIGURE 2-35 View the site link properties
4. On the General tab, click the Change Schedule button.
5. On the Schedule for MEL-CBR, select all of the hours on Sunday and click Replication Not Available as shown in Figure 2-36. Click OK twice.
FIGURE 2-36 The site link replication schedule
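The following script is an added example, not part of the training guide, that produces the same configuration as Exercises 1 through 4 with the ActiveDirectory module cmdlets (the ones named in the Lesson 1 review answers at the end of this chapter). It assumes it runs on SYD-DC as contoso\don_funk against a freshly reverted lab, since the New-* cmdlets fail if an object with the same name already exists. The schedule is built with the .NET ActiveDirectorySchedule class because Set-ADReplicationSiteLink has no simpler way to express "not on Sundays".

```powershell
# Added example, not from the training guide: Exercises 1-4 (sites, subnets, site
# links, cost and schedule) scripted with the ActiveDirectory module.
# Assumptions: run on SYD-DC as contoso\don_funk against a freshly reverted lab.
Import-Module ActiveDirectory

# Exercise 1: rename the default site, then create the branch sites.
$default = Get-ADReplicationSite -Identity 'Default-First-Site-Name'
Rename-ADObject -Identity $default.DistinguishedName -NewName 'SYD-SITE'
foreach ($site in 'ADL-SITE', 'MEL-SITE', 'CBR-SITE') {
    New-ADReplicationSite -Name $site
}

# Exercise 2: one /28 per site. A client is mapped to a site by the subnet that
# contains its IP address, so an unmapped subnet means "no site" and a far-off DC.
$subnets = [ordered]@{
    '10.10.10.0/28'  = 'SYD-SITE'
    '10.10.10.16/28' = 'ADL-SITE'
    '10.10.10.32/28' = 'MEL-SITE'
    '10.10.10.48/28' = 'CBR-SITE'
}
foreach ($prefix in $subnets.Keys) {
    New-ADReplicationSubnet -Name $prefix -Site $subnets[$prefix]
}

# Exercise 3: IP site links. Sites that share no link never replicate directly.
New-ADReplicationSiteLink -Name 'MEL-ADL' -SitesIncluded 'ADL-SITE', 'MEL-SITE' -InterSiteTransportProtocol IP
New-ADReplicationSiteLink -Name 'MEL-CBR' -SitesIncluded 'MEL-SITE', 'CBR-SITE' -InterSiteTransportProtocol IP

# Exercise 4: cost 150, replicate every 240 minutes, and no replication on Sunday.
# ActiveDirectorySchedule.RawSchedule is bool[day, hour, quarter-hour]; day 0 is Sunday.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.SetDailySchedule('Zero', 'Zero', 'TwentyThree', 'FortyFive')   # available all week
$raw = $schedule.RawSchedule
for ($hour = 0; $hour -lt 24; $hour++) {
    for ($quarter = 0; $quarter -lt 4; $quarter++) {
        $raw[0, $hour, $quarter] = $false                                  # Sunday: not available
    }
}
$schedule.RawSchedule = $raw
Set-ADReplicationSiteLink -Identity 'MEL-CBR' -Cost 150 -ReplicationFrequencyInMinutes 240 -ReplicationSchedule $schedule

# If a DC was promoted before its subnet existed it lands in the wrong site; move it.
# (Not needed when Exercise 5 is followed as written, because the subnet already exists.)
# Move-ADDirectoryServer -Identity 'MEL-DC' -Site 'MEL-SITE'

# Verify: every DC should be in the site its subnet maps to.
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
Get-ADReplicationSiteLink -Filter * | Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded
Get-ADDomainController -Filter * | Select-Object Name, Site, IsReadOnly
```

The final three lines are the check to keep: a domain controller whose Site doesn't match its subnet, or a subnet with an empty Site, is the usual reason users in one office are authenticated by a domain controller in another.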
Exercise 5: Configure MEL-DC as an additional domain controller
In this exercise, you configure MEL-DC as an additional domain controller in the contoso.com domain. To complete this exercise, perform the following steps:
1. Sign on to MEL-DC as Administrator with the password Pa$$w0rd.
2. In the Server Manager console, click Local Server and verify that the IP address listed for Ethernet is set to 10.10.10.40 as shown in Figure 2-37.
FIGURE 2-37 Verify the IP address configuration
3. On the Manage menu, click Add Roles And Features.
4. On the Before You Begin page of the Add Roles And Features Wizard, click Next three times.
5. On the Select Server Roles page, click Active Directory Domain Services as shown in Figure 2-38.
FIGURE 2-38 Add the Active Directory Domain Services role
6. On the Add Roles And Features Wizard pop up, click Add Features.
7. Click Next three times and click Install.
8. Click Close to close the Add Roles And Features Wizard.
9. Click the alert item next to the notification flag and click Promote This Server To A Domain Controller.
10. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, click Add A Domain Controller To An Existing Domain and click Select.
11. In the Credentials for Deployment Operation, type contoso\don_funk in the User Name text box, Pa$$w0rd in the Password text box, and click OK.
12. In the Select A Domain From The Forest dialog box, click Contoso.com and click OK.
13. Verify that the Deployment Configuration page matches Figure 2-39 and click Next.
FIGURE 2-39 The Active Directory Domain Services deployment configuration
14. On the Domain Controller Options page, type the DSRM password Pa$$w0rd in both the Password and Confirm Password text boxes. Verify that the site name is set to MEL-SITE as shown in Figure 2-40 and then click Next twice.
FIGURE 2-40 Configure the domain controller options
15. On the Additional Options page, set the Replicate From drop-down menu to SYD-DC.contoso.com as shown in Figure 2-41 and then click Next three times.
FIGURE 2-41 Configure the domain controller to replicate from
16. On the Prerequisites Check page, click Install.
17. After MEL-DC restarts, sign on as contoso\don_funk with the password Pa$$w0rd.
Exercise 6: Verify site placement and trigger replication
In this exercise, you verify that MEL-DC is located in the MEL-SITE Active Directory site. To complete this exercise, perform the following steps:
1. When signed on to MEL-DC as contoso\don_funk, click Active Directory Sites And Services in the Tools menu of the Server Manager console.
2. Expand the MEL-SITE node, expand Servers and click MEL-DC as shown in Figure 2-42.
FIGURE 2-42 View the domain controller in the Active Directory Sites And Services console
3. Click NTDS Settings under MEL-DC.
4. In the Actions pane, click <Automatically Generated> and then click Replicate Now on the Action menu.
5. In the Replicate Now dialog box, shown in Figure 2-43, click OK.
FIGURE 2-43 The Replicate Now dialog box
6. In the Active Directory Sites And Services console, click the Sites\SYD-SITE\Servers\SYD-DC\NTDS Settings node.
7. In the Actions pane, click <Automatically Generated> and then click Replicate Now on the Action menu.
8. In the Replicate Now dialog box, click OK.
Exercise 7: Configure ADL-DC as an RODC
In this exercise, you configure ADL-DC as an RODC in the ADL-SITE Active Directory site. To complete this exercise, perform the following steps:
1. Sign on to ADL-DC as Administrator with the password Pa$$w0rd.
2. In the Local Server node of the Server Manager console, verify that the Ethernet address is set to 10.10.10.20 as shown in Figure 2-44.
FIGURE 2-44 Verify the ADL-DC IP address
3. On the Manage menu, click Add Roles And Features.
4. On the Before You Begin page of the Add Roles And Features Wizard, click Next three times.
5. On the Select Server Roles page, enable the Active Directory Domain Services check box.
6. On the Add Roles And Features Wizard pop-up, click Add Features.
7. On the Select Server Roles page, click Next three times and click Install. Click Close to close the Add Roles And Features Wizard.
8. Click the Notification icon next to the Manage menu on the Server Manager console and click Promote This Server To A Domain Controller as shown in Figure 2-45.
FIGURE 2-45 Promote this server to a domain controller
9. On the Deployment Configuration page of the Active Directory Domain Services Configuration Wizard, click Select.
10. On the Credentials For Deployment Operation dialog box, type contoso\don_funk and Pa$$w0rd as shown in Figure 2-46 and then click OK.
FIGURE 2-46 Provide deployment credentials
11. On the Select A Domain from the Forest dialog box, click Contoso.com and then click OK.
12. On the Deployment Configuration page, click Next.
13. On the Domain Controller Options page, click the Read Only Domain Controller (RODC) check box, type the DSRM password as Pa$$w0rd, and ensure that the site name is set to ADL-SITE as shown in Figure 2-47. Click Next.
FIGURE 2-47 Verify the RODC deployment options
14. On the RODC Options page, shown in Figure 2-48, review the list of accounts that are blocked from password replication and click Next.
FIGURE 2-48 The RODC password replication options
15. On the Additional Options page, use the Replicate From drop-down menu to specify that replication should occur from SYD-DC.contoso.com, click Next three times, and click Install.
16. After ADL-DC restarts, sign on as Contoso\don_funk with the password Pa$$w0rd.
Exercise 8: Configure RODC replication
In this exercise, you configure replication for ADL-DC, which you configured as an RODC in the previous exercise. To complete this exercise, perform the following steps:
1. Sign on to SYD-DC as Contoso\don_funk with the password Pa$$w0rd.
2. On the Tools menu, click Active Directory Administrative Center.
3. In the Active Directory Administrative Center, click Contoso (Local).
4. In the details pane of the Active Directory Administrative Center, double-click the Users container.
5. Under the Users section in the Tasks pane, click New and then click Group.
6. In the Create Group dialog box, type the group name as ADL-Replicated-Accounts as shown in Figure 2-49 and click OK.
FIGURE 2-49 Create a security group
7. Double-click the Contoso (Local) node and then double-click the Domain Controllers node.
8. In the Details pane, click ADL-DC and click Properties.
9. In the ADL-DC dialog box, click Extensions, click the Password Replication Policy tab, and click Add.
10. In the Add Groups, Users And Computers dialog box, select the Allow Passwords For The Account To Replicate To This RODC option as shown in Figure 2-50 and click OK.
FIGURE 2-50 Specify the password replication options
11. On the Select Users, Computers, Service Accounts, Or Groups dialog box, type ADL-Replicated-Accounts, click Check Names, and click OK.
12. Verify that the ADL-DC dialog box matches Figure 2-51 and click OK.
FIGURE 2-51 Verify the password replication options
Exercise 9: View account passwords replicated to ADL-DC
In this exercise, you create a user account and add it to the group that has its password replicated to ADL-DC. You also add the account of a user who should not have his or her password replicated to the RODC to this group. You then trigger replication and verify which accounts have had password information replicated. To complete this exercise, perform the following steps:
1. While signed on to SYD-DC as Contoso\don_funk, click Active Directory Users And Computers in the Tools menu of the Server Manager console.
2. In the Active Directory Users And Computers console, expand Contoso.com and click the Users container.
3. On the Action menu, click New and click User.
4. On the New Object – User dialog box, type kim_akers in the Full Name and User Logon Name text boxes as shown in Figure 2-52 and click Next.
FIGURE 2-52 Create a new user account
5. On the New Object – User dialog box, type Pa$$w0rd in the Password and Confirm Password dialog boxes, click Next, and click Finish.
6. In the Active Directory Users And Computers console, click Don Funk. Hold down the Ctrl key and click kim_akers.
7. On the Action menu, click Add To A Group.
8. On the Select Groups dialog box, type ADL-Replicated-Accounts as shown in Figure 2-53, click Check Names, and click OK. Click OK to dismiss the Active Directory Domain Services dialog box.
FIGURE 2-53 Add a user to a group
9. In the Active Directory Users And Computers console, click the Domain Controllers node.
10. Right-click ADL-DC and click Properties.
11. On the Password Replication Policy tab, click Advanced.
12. In the Advanced Password Replication Policy for ADL-DC dialog box, click Prepopulate Passwords.
13. In the Select Users Or Computers dialog box, type Don Funk;kim_akers, click Check Names, and then click OK.
14. In the Prepopulate Passwords dialog box, shown in Figure 2-54, click Yes.
FIGURE 2-54 Prepopulate the passwords
15. On the Prepopulate Password Errors list, verify that Don Funk is listed as shown in Figure 2-55. This is because the Don Funk account belongs to a group that restricts its password from being replicated to the RODC. Click OK.
FIGURE 2-55 Verify the account prepopulation error
16. Verify that the kim_akers account password has been replicated to the RODC as shown in Figure 2-56 and click Close.
FIGURE 2-56 Verify the password replication
Exercise 10: Monitor replication with repadmin
In this exercise, you monitor replication settings from the command prompt with repadmin. To complete this exercise, perform the following steps:
1. Ensure that you are signed on to MEL-DC as contoso\don_funk.
2. Right-click the Windows PowerShell item on the task bar and click Run As Administrator.
3. In the User Account Control dialog box, click Yes.
4. In the Windows PowerShell window, type the following command as shown in Figure 2-57 and press Enter to generate a replication summary:
repadmin /replsummary
FIGURE 2-57 The output of repadmin /replsummary
5. In the Windows PowerShell window, type the following command as shown in Figure 2-58 and press Enter to generate a list of accounts that have passwords replicated to RODC ADL-DC:
repadmin /prp view adl-dc reveal
FIGURE 2-58 The output of the repadmin /prp command
6. In the Windows PowerShell window, type the following command as shown in Figure 2-59 and press Enter to force the KCC to recalculate the inbound replication topology:
repadmin /kcc
FIGURE 2-59 Trigger the recalculation of the replication topology
7. In the Windows PowerShell window, type the following command as shown in Figure 2-60 and press Enter to display the most recent inbound replication activity:
repadmin /showrepl
FIGURE 2-60 View the recent replication
8. In the Windows PowerShell window, type the following command as shown in Figure 2-61 and press Enter to force the domain controller to replicate with all replication partners:
repadmin /syncall
FIGURE 2-61 Trigger synchronization
Exercise 11: Remove the RODC and reset accounts
In this exercise, you delete the RODC and configure all computer and user accounts on the RODC to be reset. To complete this exercise, perform the following steps:
1. Ensure that you are signed on to SYD-DC as Contoso\don_funk.
2. On the Tools menu of the Server Manager console, click Active Directory Users And Computers.
3. In the Active Directory Users And Computers console, expand the Contoso.com\Domain Controllers node.
4. Right-click ADL-DC and click Delete.
5. In the Active Directory Domain Services dialog box, click Yes.
6. In the Deleting Domain Controller dialog box, click Browse.
7. Configure the Save As dialog box so that you save the file as reset_accounts.csv on the Desktop.
8. Ensure that the Reset All Passwords For User Accounts That Were Cached On This Read-Only Domain Controller, Reset All Passwords For Computer Accounts That Were Cached On This Read-Only Domain Controller, and Export The List Of Accounts That Were Cached On This Read-Only Domain Controller check boxes are selected as shown in Figure 2-62 and click Delete.
FIGURE 2-62 Delete the RODC account
9. In the Delete Domain Controller dialog box, review the warnings and click OK.
10. In the Delete Domain Controller dialog box, shown in Figure 2-63, click Yes.
FIGURE 2-63 Verify the domain controller deletion
11. Verify that ADL-DC is no longer listed as a domain controller.
12. On the desktop of SYD-DC, right-click Reset_accounts.csv and click Edit.
13. Review the list of reset accounts.
Suggested practice exercises
The following additional practice exercises are designed to give you more opportunities to practice what you’ve learned and to help you successfully master the lessons presented in this chapter.
Exercise 1 Use Windows PowerShell to create a subnet for use with an Active Directory site that uses the 10.10.100.0/24 IP address range.
Exercise 2 Use Windows PowerShell to create a site named LON-SITE that is associated with the subnet created in the previous exercise.
Exercise 3 Use Windows PowerShell to create a site link that joins LON-SITE with MEL-SITE.
Answers
This section contains the answers to the lesson review questions in this chapter.
Lesson 1
1. Correct answer: A
A. Correct. Restarting this service will reregister a specific domain controller’s SRV records in DNS.
B. Incorrect. This service allows for processes to start under alternate credentials. Restarting this service will not reregister a specific domain controller’s SRV records.
C. Incorrect. Although this service allows a domain controller to function as a domain controller, restarting this service does not reregister a specific domain controller’s SRV records.
D. Incorrect. Although a DNS server hosts SRV records, restarting this service does not reregister a specific domain controller’s SRV records.
2. Correct answer: C
A. Incorrect. You use the New-ADReplicationSubnet cmdlet to create a new Active Directory subnet.
B. Incorrect. You use the New-ADReplicationSiteLink cmdlet to create site link connecting sites.
C. Correct. You use the Move-ADDirectoryServer cmdlet to move a domain controller to a different Active Directory site.
D. Incorrect. You use the New-ADReplicationSite cmdlet to create a new Active Directory site.
3. Correct answer: D
A. Incorrect. You use the New-ADReplicationSiteLink cmdlet to create site link connecting sites.
B. Incorrect. You use the Move-ADDirectoryServer cmdlet to move a domain controller to a different Active Directory site.
C. Incorrect. You use the New-ADReplicationSite cmdlet to create a new Active Directory site.
D. Correct. You use the New-ADReplicationSubnet cmdlet to create a new Active Directory subnet. Active Directory subnets enable Active Directory to recognize IP address ranges and to use those ranges when calculating replication topologies.
4. Correct answer: A
A. Correct. You use the New-ADReplicationSite cmdlet to create a new Active Directory site. When creating the site, you can associate it with an existing subnet.
B. Incorrect. You use the New-ADReplicationSubnet cmdlet to create a new Active Directory subnet.
C. Incorrect. You use the Move-ADDirectoryServer cmdlet to move a domain controller to a different Active Directory site.
D. Incorrect. You use the New-ADReplicationSiteLink cmdlet to create a site link connecting sites.
5. Correct answer: C
A. Incorrect. You use the New-ADReplicationSite cmdlet to create a new Active Directory site.
B. Incorrect. You use the New-ADReplicationSubnet cmdlet to create a new Active Directory subnet.
C. Correct. You use the New-ADReplicationSiteLink cmdlet to create a site link connecting sites.
D. Incorrect. You use the Move-ADDirectoryServer cmdlet to move a domain controller to a different Active Directory site.
Lesson 2
1. Correct answer: A
A. Correct. Repadmin /prp view [DC Name] reveal lists all of the accounts that have replicated to a specific RODC. You can’t use this command with a writable domain controller.
B. Incorrect. Repadmin /replsummary provides information about the failure percentages of inbound and outbound replication in the form of a report.
C. Incorrect. Repadmin /kcc forces the KCC to recalculate inbound replication topology.
D. Incorrect. Repadmin /showrepl shows the status of the domain controller’s last attempt to perform inbound replication.
E. Incorrect. Repadmin /syncall forces the local or targeted domain controller to sync with all replication partners.
2. Correct answer: D
A. Incorrect. Repadmin /prp view [DC Name] reveal lists all of the accounts that have replicated to a specific RODC. You can’t use this command with a writable domain controller.
B. Incorrect. Repadmin /syncall forces the local or targeted domain controller to sync with all replication partners.
C. Incorrect. Repadmin /showrepl shows the status of the domain controller’s last attempt to perform inbound replication.
D. Correct. Repadmin /kcc forces the KCC to recalculate inbound replication topology.
E. Incorrect. Repadmin /replsummary provides information about the failure percentages of inbound and outbound replication in the form of a report.
3. Correct answer: E
A. Incorrect. Repadmin /showrepl shows the status of the domain controller’s last attempt to perform inbound replication.
B. Incorrect. Repadmin /syncall forces the local or targeted domain controller to sync with all replication partners.
C. Incorrect. Repadmin /kcc forces the KCC to recalculate inbound replication topology.
D. Incorrect. Repadmin /prp view [DC Name] reveal lists all of the accounts that have replicated to a specific RODC. You can’t use this command with a writable domain controller.
E. Correct. Repadmin /replsummary provides information about the failure percentages of inbound and outbound replication in the form of a report.
4. Correct answer: B
A. Incorrect. Repadmin /showrepl shows the status of the domain controller’s last attempt to perform inbound replication.
B. Correct. Repadmin /syncall forces the local or targeted domain controller to sync with all replication partners.
C. Incorrect. Repadmin /kcc forces the KCC to recalculate inbound replication topology.
D. Incorrect. Repadmin /replsummary provides information about the failure percentages of inbound and outbound replication in the form of a report.
E. Incorrect. Repadmin /prp view [DC Name] reveal lists all the accounts that have replicated to a specific RODC. You can’t use this command with a writable domain controller.
5. Correct answer: C
A. Incorrect. Repadmin /syncall forces the local or targeted domain controller to sync with all replication partners.
B. Incorrect. Repadmin /kcc forces the KCC to recalculate inbound replication topology.
C. Correct. Repadmin /showrepl shows the status of the domain controller’s last attempt to perform inbound replication.
D. Incorrect. Repadmin /replsummary provides information about the failure percentages of inbound and outbound replication in the form of a report.
E. Incorrect. Repadmin /prp view [DC Name] reveal lists all the accounts that have replicated to a specific RODC. You can’t use this command with a writable domain controller.
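The Lesson 2 answers above describe what each repadmin option reports. As an added example (not from the training guide), the script below turns the /showrepl output into a replication health check: it runs repadmin /showrepl in CSV mode, parses every inbound link in the forest, flags links that have recorded failures, and cross-checks them with the Get-ADReplicationFailure cmdlet. The column names are those repadmin emits in CSV mode; the function name and the decision to treat any non-zero failure count as a finding are assumptions for illustration.

```powershell
# Added example (not from the training guide): replication health check built on
# repadmin /showrepl /csv and Get-ADReplicationFailure. Function name and the
# "any failure is a finding" threshold are assumptions for illustration.
Import-Module ActiveDirectory

function Get-ReplicationLinkStatus {
    # "repadmin /showrepl * /csv" lists every inbound link of every DC in the
    # forest; ConvertFrom-Csv turns the CSV rows into objects we can filter.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        [pscustomobject]@{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Failures      = [int]$row.'Number of Failures'
            LastSuccess   = $row.'Last Success Time'
            LastFailure   = $row.'Last Failure Time'
            LastStatus    = $row.'Last Failure Status'   # Win32 error code, 0 when healthy
        }
    }
}

$links   = @(Get-ReplicationLinkStatus)
$failing = @($links | Where-Object { $_.Failures -gt 0 })

# One-line summary, the same information /replsummary reports as a percentage.
"{0} inbound replication links inspected, {1} with recorded failures." -f $links.Count, $failing.Count

if ($failing.Count -gt 0) {
    # Worst links first: a stale LastSuccess means the destination DC may be
    # serving an old copy of the directory (including old password hashes).
    $failing | Sort-Object Failures -Descending |
        Format-Table Destination, Source, NamingContext, Failures, LastSuccess, LastStatus -AutoSize

    # Cross-check through the ActiveDirectory module, which reads the same
    # per-partner failure data directly from each domain controller.
    Get-ADReplicationFailure -Scope Forest |
        Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError
}
```

Run it from a domain-joined management workstation with the RSAT Active Directory module installed. Once a failing link is understood, the /kcc and /syncall options covered in the answers are the next step: /kcc to have the KCC rebuild the inbound topology, then /syncall to force the affected domain controller to replicate with all of its partners and confirm the fix.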
6. Correct answer: C
A. Correct. When you delete the computer account of an RODC, you have the option of resetting the passwords of all user accounts that had passwords stored on the RODC. If you do this, you need to assign users new passwords and inform them of the change.
B. Incorrect. Although you can reset the passwords of user accounts, removing an RODC does not give you the option of disabling computer accounts.
C. Correct. When you delete the computer account of an RODC, you have the option of resetting computer account passwords of computer accounts that had passwords stored on the RODC. If you do this, you need to rejoin these computers to the domain.
D. Incorrect. Although you can reset the passwords of computer accounts, removing an RODC does not give you the option of disabling computer accounts.
7. Correct answer: B
A. Incorrect. The Windows Server 2003 domain functional level does not support upgrading SYSVOL replication so that it uses DFS instead of FRS.
B. Correct. The Windows Server 2008 domain functional level is the minimum required to support upgrading SYSVOL replication so that it uses DFS instead of FRS.
C. Incorrect. The Windows Server 2008 domain functional level, rather than the Windows Server 2008 R2 domain functional level, is the minimum required to support upgrading SYSVOL replication so that it uses DFS instead of FRS.
D. Incorrect. The Windows Server 2008 domain functional level, rather than the Windows Server 2012 domain functional level, is the minimum required to support upgrading SYSVOL replication so that it uses DFS instead of FRS.
8. Correct answer: A
A. Correct. You can use dfsrmig.exe to determine if FRS or DFS is being used for SYSVOL replication. You can also use dfsrmig.exe to migrate from using FRS to using DFS to support SYSVOL replication.
B. Incorrect. Although you use repadmin.exe to manage Active Directory replication, you can’t use repadmin.exe to determine if FRS or DFS is being used to support SYSVOL replication.
C. Incorrect. Although dcdiag.exe provides domain controller diagnostics, it cannot be used to determine if FRS or DFS is being used to support SYSVOL replication.
D. Incorrect. You use dnscmd.exe to manage DNS. You can’t use dnscmd.exe to determine if FRS or DFS is being used to support SYSVOL replication.