1
00:00:01,140 --> 00:00:05,880
In this demonstration, we'll configure our site topology for our environment.

2
00:00:05,880 --> 00:00:10,280
Recall that in my timw.info forest I have a

3
00:00:10,280 --> 00:00:12,320
root domain and a child domain.

4
00:00:12,320 --> 00:00:15,200
I have two read/write domain controllers in the root.

5
00:00:15,200 --> 00:00:19,170
In the child, I have a read/write and a read-only domain controller.

6
00:00:19,170 --> 00:00:23,440
Now, remember that I give you the topology diagram in the exercise files,

7
00:00:23,440 --> 00:00:25,010
so don't forget about that, okay?

8
00:00:25,010 --> 00:00:28,450
We again are on our Windows 11 administrative workstation,

9
00:00:28,450 --> 00:00:31,340
and we'll want to open up the Sites and Services console.

10
00:00:31,340 --> 00:00:37,080
So I'm going to do a Run and do a dssite.msc to quickly shortcut that process.

11
00:00:37,080 --> 00:00:38,000
Yes, I'm a nerd.

12
00:00:38,000 --> 00:00:39,340
I love to touch type.

13
00:00:39,340 --> 00:00:42,690
I type like 85 words a minute, so it's just faster for me

14
00:00:42,690 --> 00:00:44,680
to type these more than anything else.

15
00:00:44,680 --> 00:00:45,450
Okay, so again,

16
00:00:45,450 --> 00:00:49,750
our goal here is to inform Active Directory of the physical

17
00:00:49,750 --> 00:00:52,630
topology of our forest and of our domains.

18
00:00:52,630 --> 00:00:54,070
So let's expand Sites,

19
00:00:54,070 --> 00:00:56,880
and we can see that all of the domain controllers in the

20
00:00:56,880 --> 00:00:59,450
forest go in Default-First-Site-Name.

21
00:00:59,450 --> 00:01:04,300
Now I'm going to pretend that my headquarters, my timw.info, is in Nashville.

22
00:01:04,300 --> 00:01:07,820
So I'm going to actually reuse Default-First-Site-Name and

23
00:01:07,820 --> 00:01:10,950
I'm going to rename it Nashville-HQ.
24
00:01:10,950 --> 00:01:12,980
Now, I'm going to right-click Sites,

25
00:01:12,980 --> 00:01:16,970
and we'll imagine that we have another site in Memphis.

26
00:01:16,970 --> 00:01:19,280
I'm in Tennessee in the U.S., by the way.

27
00:01:19,280 --> 00:01:21,970
And then we select a site link for this site.

28
00:01:21,970 --> 00:01:26,350
The default IP site link, of course, is called DEFAULTIPSITELINK,

29
00:01:26,350 --> 00:01:28,450
and I'll leave that alone.

30
00:01:28,450 --> 00:01:30,570
It tells us here that we've created the site,

31
00:01:30,570 --> 00:01:34,350
but to finish the configuration we need to ensure that Memphis is

32
00:01:34,350 --> 00:01:37,170
linked to other sites with site links as appropriate.

33
00:01:37,170 --> 00:01:40,610
We have to add subnets and then we have to install or move

34
00:01:40,610 --> 00:01:42,700
domain controller objects over there,

35
00:01:42,700 --> 00:01:45,700
so I want to make sure to do that sooner rather than later.

36
00:01:45,700 --> 00:01:47,490
Let me lay out my subnets here.

37
00:01:47,490 --> 00:01:50,410
Let me right-click Subnets, and go to New Subnet,

38
00:01:50,410 --> 00:01:52,930
and I'm going to call this Nashville-1.

39
00:01:52,930 --> 00:02:00,850
And I'm going to call this in our Nashville headquarters we've got 10.1.0.0/24.

40
00:02:00,850 --> 00:02:03,370
That's in Memphis-HQ, as you can see.

41
00:02:03,370 --> 00:02:09,150
So we're creating, using CIDR notation, an IPv4 and/or IPv6

42
00:02:09,150 --> 00:02:13,280
designation, I'm using IPv4 here, and I'm going to add in the

43
00:02:13,280 --> 00:02:16,030
subnets in the Nashville-HQ location.

44
00:02:16,030 --> 00:02:17,430
Let me do that one more time.

45
00:02:17,430 --> 00:02:22,370
And I also have in Nashville, 10.2.0.0/24.

46
00:02:22,370 --> 00:02:23,270
Let me link that up.
47
00:02:23,270 --> 00:02:25,580
And then for the child domain in Memphis,

48
00:02:25,580 --> 00:02:28,990
let me add the subnet or subnets there; there are two of them.

49
00:02:28,990 --> 00:02:35,080
I'll call this one 10.3.0.0/24, this is Memphis.

50
00:02:35,080 --> 00:02:41,730
And then lastly, I will do one more subnet, 10.4.0.0/24, also in Memphis.

51
00:02:41,730 --> 00:02:45,300
Lastly, we want to make sure that our servers are placed appropriately.

52
00:02:45,300 --> 00:02:49,730
Now in Nashville, rootdc1 and rootdc2 are there, so that's

53
00:02:49,730 --> 00:02:53,410
fine, but I want to take my cdc1, that's my read/write

54
00:02:53,410 --> 00:02:55,920
domain controller, and my CRODC1,

55
00:02:55,920 --> 00:02:59,170
that's my read-only domain controller, and associate them with

56
00:02:59,170 --> 00:03:02,230
Memphis. You can't drag and drop, so let me right-click and

57
00:03:02,230 --> 00:03:04,570
select Move, and let me choose Memphis.

58
00:03:04,570 --> 00:03:08,690
And then for CRODC1, right-click, Move, select Memphis.

59
00:03:08,690 --> 00:03:12,690
And so at this point, we've aligned our physical LAN

60
00:03:12,690 --> 00:03:15,240
topology with Active Directory sites.

61
00:03:15,240 --> 00:03:19,800
We've also arranged our domain controllers into those appropriate sites.

62
00:03:19,800 --> 00:03:22,630
Lastly, we have our Inter-Site, I said, lastly,

63
00:03:22,630 --> 00:03:26,980
I guess I really mean it this time, we've got two different protocols to choose

64
00:03:26,980 --> 00:03:30,550
from for your site links. There's Internet Protocol, or IP,

65
00:03:30,550 --> 00:03:32,980
which is definitely the standard nowadays.
66
00:03:32,980 --> 00:03:37,750
I mean, back in 2000, in the very early 2000s, you might have sites with

67
00:03:37,750 --> 00:03:42,010
such limited network connectivity, dial-up modem is what I'm thinking, to

68
00:03:42,010 --> 00:03:46,280
where you could send replication updates using the Simple Mail Transfer

69
00:03:46,280 --> 00:03:48,990
Protocol, or SMTP, but nowadays,

70
00:03:48,990 --> 00:03:52,420
I mean, I don't know anybody in the industry that's using

71
00:03:52,420 --> 00:03:55,300
SMTP, but it's still there as a possibility.

72
00:03:55,300 --> 00:03:59,950
And so the DEFAULTIPSITELINK, notice that we look at the site link properties,

73
00:03:59,950 --> 00:04:03,820
in this case I'm just going to leave the one. We're saying that Memphis and

74
00:04:03,820 --> 00:04:08,360
Nashville have this site link between them, and we assign an arbitrary cost

75
00:04:08,360 --> 00:04:13,100
value and then we can adjust the replication. Remember, 180 minutes is the

76
00:04:13,100 --> 00:04:15,350
default inter-site replication interval.

77
00:04:15,350 --> 00:04:18,650
I know I have super high-speed connectivity, so I'm going to

78
00:04:18,650 --> 00:04:21,920
cut that down significantly. Now, the idea is that if you have

79
00:04:21,920 --> 00:04:24,030
multiple site links between sites,

80
00:04:24,030 --> 00:04:29,070
one may be preferred, so you can set it at a lower cost than the other manually.

81
00:04:29,070 --> 00:04:33,590
Now notice that the KCC component that's running on your domain controllers

82
00:04:33,590 --> 00:04:38,600
is always looking at latency itself, so it may choose another cost path

83
00:04:38,600 --> 00:04:42,590
depending on what it sees in terms of reachability. Notice here we can

84
00:04:42,590 --> 00:04:47,300
change the replication schedule again. This dialog is so old; it dates back

85
00:04:47,300 --> 00:04:49,640
to Windows NT in the 1990s.
86
00:04:49,640 --> 00:04:53,800
Notice that replication is allowed 24 hours a day by default, but

87
00:04:53,800 --> 00:04:57,930
you can adjust and remove some of the coloration here to specify

88
00:04:57,930 --> 00:04:59,870
intervals that are not available.

89
00:04:59,870 --> 00:05:02,510
I mean, I can't think of a reason why you wouldn't want to

90
00:05:02,510 --> 00:05:06,270
enable this around the clock nowadays, but 20-something years ago,

91
00:05:06,270 --> 00:05:10,000
during off business hours and if you're paying a lot for your bandwidth,

92
00:05:10,000 --> 00:05:14,310
you may not want replication to take place, so this schedule is available.

93
00:05:14,310 --> 00:05:17,890
If you right-click within that Inter-Site Transports,

94
00:05:17,890 --> 00:05:20,110
you can create site links on your own.

95
00:05:20,110 --> 00:05:21,140
You give it a name,

96
00:05:21,140 --> 00:05:25,240
you specify the connectivity between the sites, and then as I mentioned

97
00:05:25,240 --> 00:05:28,590
before, you adjust the cost and the replication interval.

98
00:05:28,590 --> 00:05:32,580
This is a relatively simple environment here, so I think we're good to go

99
00:05:32,580 --> 00:05:37,560
within the timw.info domain tree within this forest. As long as your

100
00:05:37,560 --> 00:05:40,020
credentials support the operation, in other words,

101
00:05:40,020 --> 00:05:41,610
you're an enterprise administrator,

102
00:05:41,610 --> 00:05:45,990
we can work across our bidirectional forest trust to adjust our

103
00:05:45,990 --> 00:05:49,650
site topology in acq, our trusted forest.

104
00:05:49,650 --> 00:05:53,940
We can right-click here, Change Forest, in this case acq.com.

105
00:05:53,940 --> 00:05:57,360
All right, then we can expand Sites. In this case, again, we have the

106
00:05:57,360 --> 00:06:01,160
Default-First-Site-Name and we have just the one domain controller.
107
00:06:01,160 --> 00:06:04,220
But then the same procedure I just showed you applies here.

108
00:06:04,220 --> 00:06:07,740
We could set up our subnets, and link our sites to those

109
00:06:07,740 --> 00:06:10,650
subnets, and link our servers to our sites, and then

110
00:06:10,650 --> 00:06:12,850
depending upon how many sites you have,

111
00:06:12,850 --> 00:06:17,320
you may want to lay in some site links where you can adjust the cost and

112
00:06:17,320 --> 00:06:21,790
replication interval. In terms of easily viewing replication metadata and

113
00:06:21,790 --> 00:06:24,280
statistics, there's always, as I said earlier,

114
00:06:24,280 --> 00:06:26,180
the repadmin command-line tool.

115
00:06:26,180 --> 00:06:30,550
So here we are at an elevated PowerShell prompt on my Windows 11 workstation.

116
00:06:30,550 --> 00:06:34,890
I'm going to invoke Enter-PSSession to do a PowerShell remoting

117
00:06:34,890 --> 00:06:38,530
session to rootdc1 using my current credentials.

118
00:06:38,530 --> 00:06:39,740
And once I'm there,

119
00:06:39,740 --> 00:06:45,050
let me do a repadmin /replsummary just to get some metadata back.

120
00:06:45,050 --> 00:06:49,500
Though this is going to show replication frequency, fails, and it's

121
00:06:49,500 --> 00:06:53,210
good that we don't see any failures or error messages here, that's

122
00:06:53,210 --> 00:06:54,700
definitely what we want to see.

123
00:06:54,700 --> 00:06:59,560
Let me clear the screen. We'll also do repadmin /showrepl, and then we'll

124
00:06:59,560 --> 00:07:05,540
focus on rootdc1.timw.info, what are its replication partners, in other

125
00:07:05,540 --> 00:07:08,280
words.
Well, here we can see the different partitions,

126
00:07:08,280 --> 00:07:09,730
the Schema partition,

127
00:07:09,730 --> 00:07:13,920
the DomainDnsZones partition, and we can see the bridgehead

128
00:07:13,920 --> 00:07:18,050
servers at each site and see when the last attempt to issue a

129
00:07:18,050 --> 00:07:21,550
replication update happened and whether it was successful or not,

130
00:07:21,550 --> 00:07:24,760
so it's showing us here per domain, per partition.

131
00:07:24,760 --> 00:07:27,610
Let me clear the screen one more time, and if we do a

132
00:07:27,610 --> 00:07:32,990
dcdiag /?, that'll give us a run of help.

133
00:07:32,990 --> 00:07:37,770
Let me scroll up to the top. And let's just do a DnsForwarders test,

134
00:07:37,770 --> 00:07:42,670
dcdiag /dnsforwarders to double-check our forwarder. Again,

135
00:07:42,670 --> 00:07:48,100
we have a number of built-in tests. Dcdiag is essentially a diagnostic suite.

136
00:07:48,100 --> 00:07:49,300
Let me scroll back up.

137
00:07:49,300 --> 00:07:53,210
It's not necessary to really deep dive on the output, I just

138
00:07:53,210 --> 00:07:55,880
want to put a name to a face, so to speak.

139
00:07:55,880 --> 00:08:00,230
Let's take a look, repl, let's take a look at some replication options.

140
00:08:00,230 --> 00:08:03,420
How about we test connectivity, dcdiag

141
00:08:03,420 --> 00:08:07,340
/test:connectivity, and it passed those tests.

142
00:08:07,340 --> 00:08:11,160
So I'm seeing all green here, but as you can see, some of these tools

143
00:08:11,160 --> 00:08:16,230
like repadmin and dcdiag, if you are experiencing latency update

144
00:08:16,230 --> 00:08:18,680
issues with Active Directory replication,

145
00:08:18,680 --> 00:08:21,870
your first line of defense would be to check out those tools.

146
00:08:21,870 --> 00:08:25,350
And as you can see, they're very quickly done interactively

147
00:08:25,350 --> 00:08:27,090
from a command prompt environment.
148
00:08:27,090 --> 00:08:28,920
And then if you get errors back,

149
00:08:28,920 --> 00:08:37,000
you can then take the next step in your troubleshooting. Let me do an exit here to quit my remote session, and there you have it.