Now let's turn our attention from trust relationships to configuring sites and services with Active Directory. Remember from the previous module I said that Active Directory has logical and physical components. Sites and subnets are examples, and domain controllers, for that matter, are examples of physical manifestations of Active Directory. I mean, your business has physical campus locations. In this example, company.pri has Denver, Las Vegas, and Phoenix, and so we can model the physical topology of our environment here.

Now, when you have multiple regions in your business, does that mean by definition you need multiple domains? No, not necessarily. Does it mean that you need multiple forests again? Absolutely not. I just want to repeat that with network bandwidth being so plentiful nowadays and with Active Directory being able to scale into the billions of objects, you really should consider, if you already are sprawling in your Active Directory forest structure, beginning the process of consolidating as much as you possibly can.

In this example, we've got within a single domain three geographical locations. Now, admittedly, these three locations aren't on opposite sides of the world. There, you might want to consider going beyond one domain, because we have to think in terms of those domain controllers in each domain. You'll want to deploy at least two in each physical location for high availability purposes. And, as I said, the idea of Active Directory replication is that within a domain, those domain controllers are communicating all the time, every 3 minutes I think it is; they're looking to update and synchronize their Active Directory databases, and then there's the SYS file contents as well. So, sure, if you've got one location in Denver in the States and another in Melbourne, Australia, then certainly, even with the Internet being as strong as it possibly is, you're going to at least want to do multiple sites, if not consider multiple domains, because, again, within a single domain, those domain controllers want to communicate all the time.

That having been said, the benefit of setting up sites and subnets in Active Directory is that it allows you to inform Active Directory of the IP ranges of each of your domain controllers and your physical sites. And this means that when client devices attempt authentication, based on the client's IP address they will be directed to their site, where they will have, presumably, the lowest latency connection to their local domain controllers. And by allowing Active Directory components to build that replication link topology, you can then adjust the default interval if you find that the domain controllers are still being too chatty over your site links. You can actually build your own site links, but the general practice nowadays is to let Active Directory determine those site links itself.

There are two components to Active Directory replication. There's the Knowledge Consistency Checker, which determines least paths between sites and determines your site link structure, and the Intersite Topology Generator, or ISTG, and that's the component in Active Directory that nominates a server in each site for each domain to serve as a bridgehead. Because it's not like every domain controller in a site is sending replication updates or requesting updates, more particularly, from remote sites; it's just a designated bridgehead in each site that's responsible for that polling and update process. And, once again, the ISTG dynamically determines the best bridgehead server and the KCC dynamically determines the best site link infrastructure. That's the best practice now in 2021, 2022. Don't mess with success.