
Course Transcript

Microsoft Windows Server 2012 R2 - Configuring Advanced Services: AD Replication
Active Directory Sites
1. Windows Server 2012 R2 AD DS Replication

2. Windows Server 2012 R2 Active Directory Sites

3. Windows Server 2012 R2 AD Sites and Replication

4. Windows Server 2012 R2 RODC Replication

5. Monitoring Windows Server 2012 R2 Replication

6. Windows Server 2012 R2 AD Domains and Trusts


Windows Server 2012 R2 AD DS Replication
Learning Objective
After completing this topic, you should be able to
◾ match each AD Domain Services partition to its correct description

1. Meet your instructor


Microsoft Windows Server 2012 R2 - Configuring Advanced Services: AD Replication

[Welcome to Microsoft Windows Server 2012 R2 - Configuring Advanced Services: AD Replication.]

Hello! My name is Jason Gates and I am a Microsoft Certified Trainer, or MCT. Now Active
Directory is a multimaster environment or directory and so replication is really important. In this
course, we will talk about how replication works and how to configure and optimize replication.
And that means having an understanding around what a site is, what a site link is and what a
subnet object is, and how to control replication using site link costs and site link schedule.

So those are some of the important things we are going to be looking at. We will also talk about
how read-only domain controllers participate in replication, and so we will talk about how to
configure them. So let's have a look here at replication.

[The goal of this course is to configure an AD DS site infrastructure and to configure, manage,
and troubleshoot replication between sites and domain controllers.]

2. AD DS replication
Now to really understand Active Directory, or AD, replication, we have to look at the
characteristics of the Active Directory database. The Active Directory database is partitioned.
So if you look inside a domain controller, or DC, there's a file there called NT Directory
Services, or NTDS, and that file is made up of different partitions. Now each partition has a
different scope of replication, which has to do with its contents, and we see that diagrammed here. For
instance, some of the contents or partitions are forest-wide, and they go to every domain
controller that's in the forest, that shares a copy of that same partition. Some of the other
partitions are domain-wide in scope, and of course, a good example of that is the domain
partition, which contains users and groups and computers for that particular domain.

And those users and computers and groups, well whenever those are modified, or changed, or
new ones are added, that content is replicated to any other server that also has that domain
partition, a copy of it. So this is where we get the idea that a domain is a domain boundary.
Because each participating domain controller on a per domain basis shares the same domain
partition. Now there are other partitions besides these. There might be application partitions or
DNS partitions that are either forest-wide or domain specific. A lot depends on the scope of
replication and what those partitions are for.

Now let's describe the benefits of Active Directory replication and some of its key
characteristics. First of all, Active Directory replication is multimaster, which is really exciting,
because it means that you are not limited as to where you can introduce a change. Any writable
domain controller can receive a change to its objects and can be modified. So you can have
administrators all over the globe introducing changes in an effective manner. Now there is an
exception to that, and that's the new read-only domain controllers, or RODCs. Well like their
name implies, they are read-only. Another key benefit to Active Directory replication is, its goal
is fast convergence, which means, when a change occurs, we want the other domain
controllers to know about that change as quickly as possible. And the Active Directory
replication engine is designed to do just that. It's aware of where the domain controllers are
located in respect to each other. It knows domain controllers are nearby or it knows domain
controllers that are on the other side of a WAN link, and we will treat the way they replicate
differently; all, however, with the goal of fast convergence. Now this is administratively
controlled; an administrator can come in and actually control the bandwidth that's used,
particularly between sites. This makes Active Directory replication smart as well as fast.

Another characteristic of Active Directory replication is its methods of replication. It relies on a
notification-based model, where changes are pulled down rather than pushed. Pulling down
changes is more effective because it avoids a lot of unnecessary traffic. You don't have DCs
pushing their changes on to other DCs who already have them. Another noteworthy point is,
Active Directory's ability to receive a change, and then just pass it on, or store and forward.
Changes are not replicated in kind of a hub-and-spoke manner, but more like a fire brigade,
where each DC is passing along a bucket. Only in the case of Active Directory, each domain
controller has multiple partners to whom it will pass its changes along to.

Now finally, a change is replicated within a site differently than between sites. Within a site, it's
a matter of minutes, if not seconds. Intersite replication on the other hand, well that can be
minutes or even days, and a lot of it depends on the site link settings and how the administrator
configured them.

Because Active Directory is multimaster in nature, replication conflicts might occur. Because
well you can have an administrator on one domain controller making a change to the same
object as another administrator on a separate domain controller. Now those types of conflicts
are going to be rare because Active Directory replication is based on attribute-by-attribute basis.
What that means is, if one administrator changes like the postal code and someone else
changes the telephone number, password, or some other attribute, well there is really no
conflict, even if it's against the same object. But if it happens to be the same attribute, right,
done roughly around the same time on two separate domain controllers, well conflict will ensue.

One of the things you need to know is that Active Directory has a way of arbitrating those types
of conflicts by using a change stamp. That is, every change actually gets a version number, it
gets a timestamp, and it identifies who, what originating DC made the change. So when these
objects are replicated, an arbitrator is in place, and that has to do with that change stamp.

[Let's consider an example. The following are the attributes of a user:
objectClass: User
givenname: Jane
sn: Doe
postalCode: 12345
telephoneNumber: 5559123
If one administrator changes the postal code and someone else changes the telephone number or
password or some other attribute, there is really no conflict. But if two administrators change the
same field at the same time, then there is a conflict. Whenever there is a change, each change will be
associated with a version number, originating time, and originating DC GUID.]
Now when we describe replication and how it works, we want to break it down into the individual
components. And here is a list of what pieces contribute to a replication. We have of course the
domain controllers themselves and they are represented in Active Directory as server objects.
And they have connection objects between its replication partners. Now who determines who
replicates with who? Well that's the job of the KCC; that's the brain of Active Directory
replication, which stands for the Knowledge Consistency Checker; I just like that...Knowledge
Consistency Checker. Now it has some help when it comes to replicating between sites. That's
the inter-site topology generator. It does the math in determining the most effective route for
moving changes between sites.

And then sites themselves are objects, as are our site links. These objects incidentally are all stored
in a special partition in Active Directory, called the configuration partition. And that is shared
among all the DCs within the forest. And these components then are what actually, collectively,
make the replication topology work.

3. AD DS SYSVOL replication
Now so far we have talked about Active Directory replication in regards to the objects inside the
database, like user objects and computer objects, and such. But there are other objects that
have to be replicated for Active Directory that are actually outside of the database. Every
domain controller has this folder called Domain System Volume, or SYSVOL, and inside this
system volume folder are important file-based objects that relate to Active Directory. Some
really important stuff here, like for instance, policies and scripts and Netlogon share for the
scripting property in a user account, that's where you put those scripts. Well, these are very
important parts of Active Directory. Given the distribution and the power that comes with Group
Policies and the automation that comes with scripts, we certainly want every domain controller
to have the latest scripts, so we can actually deliver them, if needed.

So the SYSVOL folder is also replicated, but it uses a special file-based replication service. And
depending on the functional level, it's either going to be File Replication Service, or FRS, which
is the legacy engine that goes back to Windows 2000 or it's going to be the newer DFSR,
Distributed File System Replication, which was introduced with Windows Server 2008.

Now you might be curious, why are there two engines for replicating the content of the SYSVOL
folder, FRS and DFSR? Well the reason behind this is, greater efficiency and reliability with
DFSR. The FRS, well it did its job in its day, but well that goes back to 2003. The preferred
replication engine for the content of the SYSVOL folder is DFSR.

Now some of the key reasons why this is highly recommended is that DFSR is more efficient, it
uses the remote differential compression algorithm, which means it's only going to replicate file
changes and that's going to be a lot better for you over a WAN link. It has other properties,
better healing, and monitoring properties, and it's going to be better suited for the newer read-
only domain controllers. There is a lot of reason to consider DFSR. Now if you have upgraded
from Windows Server 2003, then you are using FRS. So you want to migrate to the new
replication engine DFSR, for the sake of these benefits that I just listed off. If you did a brand-
new installation of Active Directory with Windows Server 2008, 2008 R2, or 2012, well then you
are already using DFSR as the engine behind SYSVOL.

So you have upgraded from Windows Server 2003, and you need to migrate your SYSVOL
replication from FRS to DFSR. So how do you do that? Well, a couple of things. First of all, you
need to raise that functional level to at least Windows Server 2008. Most likely, you are going to
raise it to Windows Server 2012. Then you need to carefully, methodically, use the dfsrmig
tool, the migration tool, which ships with Windows Server. Now this tool alters the state of
SYSVOL replication in a kind of transitional process. You will need to run this tool actually
several times, moving through each one of these states, providing sufficient time in between, so
that replication can complete.

Each time you run this tool, you are actually advancing the transition of SYSVOL replication.
Eventually, DFSR will be in charge and FRS will be retired. Now this doesn't happen all at once,
you actually go through this procedure multiple...you know, through this staged process,
multiple times.

So my word of advice to you, if you are ever in a position where you actually have to run this
tool, is to be patient. You will need to wait sufficiently, between each time you run this tool on
each phase, for replication to complete. And then of course, validate your progress as you go
along.

[This flowchart depicts the SYSVOL replication migration from FRS to DFSR. The first step is
where the functional level is upgraded to Windows Server 2008. The second step is
where the preparation takes place. That is, the dfsrmig tool that ships with Windows
Server is used. The third step is where redirection takes place. That is, FRS retires and DFSR takes
charge. Repeat steps 1, 2, and 3 until DFSR takes complete charge. The fourth step is
where elimination takes place. That is, the replication process is validated and FRS is
eliminated.]
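The staged dfsrmig procedure just described, written out as an added PowerShell example (not code from the course): it advances the global state one step at a time, waits for every DC to report the state before moving on, and validates the SYSVOL share before FRS is eliminated. The dfsrmig output strings it matches on, the polling interval, and the validation check are assumptions noted in the comments.

```powershell
# Added example, not from the course: drive the dfsrmig.exe FRS-to-DFSR SYSVOL
# migration one global state at a time, waiting for all DCs to catch up before
# advancing, then validate. Run elevated on the PDC emulator.
# dfsrmig global states: 0 = Start, 1 = Prepared, 2 = Redirected, 3 = Eliminated.
Import-Module ActiveDirectory

$states = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }
$pollSeconds = 300   # assumption: poll every 5 minutes; slow site links may need longer

# Step 1 in the course: the domain functional level must be Windows Server 2008 or higher
$mode = (Get-ADDomain).DomainMode
if ($mode -match '2000|2003') {
    throw "Raise the domain functional level first (current: $mode)"
}

function Get-DfsrMigGlobalState {
    # Assumption: /getglobalstate prints the state name, e.g.
    # "Current DFSR global state: 'Prepared'"; we map that name back to its number.
    $out = (& dfsrmig.exe /getglobalstate) -join "`n"
    foreach ($k in 3..1) { if ($out -match $states[$k]) { return $k } }
    return 0
}

function Wait-DfsrMigConsistent {
    param([int]$TargetState)
    # /getmigrationstate lists DCs that have not yet reached the global state.
    # Assumption: its output contains the word "succeeded" once all DCs are consistent.
    while ($true) {
        $out = (& dfsrmig.exe /getmigrationstate) -join "`n"
        if ($out -match 'succeeded') { return }
        Write-Host "Waiting for all DCs to reach '$($states[$TargetState])'..."
        Start-Sleep -Seconds $pollSeconds
    }
}

$current = Get-DfsrMigGlobalState
foreach ($target in 1..3) {
    if ($current -ge $target) { continue }   # this stage is already done
    Write-Host "Advancing SYSVOL migration to '$($states[$target])' (state $target)"
    & dfsrmig.exe /setglobalstate $target
    Wait-DfsrMigConsistent -TargetState $target

    # Validate before going further. After Redirected, the SYSVOL share must be
    # served from the DFSR-replicated folder (SYSVOL_DFSR), not the FRS one.
    if ($target -eq 2) {
        $share = Get-SmbShare -Name SYSVOL
        if ($share.Path -notmatch 'SYSVOL_DFSR') {
            throw "SYSVOL share still points at $($share.Path); do not eliminate FRS yet"
        }
    }
    $current = $target
}

# After Eliminated, FRS is retired: NtFrs should be stopped and DFSR running.
Get-Service -Name NtFrs, DFSR -ErrorAction SilentlyContinue | Format-Table Name, Status
```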

No doubt, by now you are familiar with the read-only domain controller. The read-only domain
controller is unique when we talk about replication, because it has a one-way relationship with
the rest of Active Directory. That is, a read-only domain controller never replicates to other
RODCs, nor is it the source of originating changes. If a user wants to change something against
an RODC, the RODC refers the change back to a writable domain controller. Now this is important,
because it reduces the amount of replication traffic over the WAN link, but it also reduces
exposure. I know one company, for instance, they had a junior administrator in a branch office.
And what they did is, they accidentally restored a really old backup to a writable DC that went
out and replicated these changes and corrupted the entire forest.

By using an RODC instead, you reduce that kind of exposure. You don't have those kinds of
things happening, because an RODC can never originate those kinds of changes. Instead, it
stores user passwords that you authorize and it supports the authentication for the population of
users that are within its proximity. That's the idea behind an RODC, really ideal for branch office
situations, where you don't have a lot of physical security and you want to reduce the risk of
accidental or malicious corruption.

Windows Server 2012 R2 Active Directory Sites
Learning Objective
After completing this topic, you should be able to
◾ recognize how to configure Active Directory sites in a given scenario

1. AD sites
So what is the purpose of an Active Directory site? Well, that's an important question. We
already know that an Active Directory site is one of the components that is part of the Active
Directory replication model. The question is, what is it for? An Active Directory site is really
important in that it defines physical locations. It identifies those connections that are well
connected and those connections which are not well connected, and that has to do with the
latency involved in traveling from one network to the other. Now the reason that's important is,
well, we have clients who need to consume the resources and services of those domain
controllers.

We have replication between domain controllers that also needs to be managed. And we might
have applications that also use those services. These are the reasons we define sites. There are
three reasons we define sites. The first is to control who our clients authenticate with. We
want them to authenticate with domain controllers that are in the same location on a well-
connected network, if at all possible. We don't want a client authenticating to a domain
controller, or DC, miles and miles away, if there's one near it. We also want to be able to control
replication between the domain controllers. Maybe we have got a really slow, saturated link, and
we want to reduce that replication traffic. These are several of the reasons why we create sites:
to control our replication and to control authentication.

So why create multiple sites? Well there are several factors that influence how many sites you
need to create. First of all, it has a lot to do with where your domain controllers are located. If
they are in separate locations, then you have to consider how many users are in those
locations, and whether or not they can authenticate over a WAN link to a DC in a remote
location or whether or not they have to have a local DC to authenticate to. Another important
factor is, how available are the networks? Even if you have multiple locations, you may not
need multiple sites. Especially, if they are connected on a highly available network connection
with really low latency.

But if you have one that has high latency, well less than 10 MB, or maybe it's not available 24
hours, seven days a week, maybe it's like a satellite link. Well then those are going to be things
you definitely want to create multiple sites for. Or even if you have a well-connected network,
maybe you just want to control which DCs the users are going to authenticate to. That's another
reason to consider creating multiple sites.

So how does a client actually locate a domain controller in its site? Each client uses a DC
locator process where it queries DNS for domain controller information. Now this domain
controller information is contained in SRV records, or service records. Now some of these
records are actually organized in DNS by site. Now that does mean that every domain controller
must have these registered SRV records. So as a side note, if they are missing, you can go to
the DC and stop and start the Netlogon service to force the recreation of these SRV records.
They must be there. Now with the help of the domain controllers and these SRV records, a
client will learn which site it's located in, and the name of the nearest domain controller. Part of
this determination is made based on the subnet address information.

You see when a site is created, we also create a subnet object and we associate that with the
site or multiple subnet objects and associate that with the site. Now another part of this
determination is made with the help of Active Directory's configuration partition. You see it's the
configuration partition that actually contains the subnet address, subnet object information, and
the site information, and the site link information, so the whole Active Directory topology
information. This information is then replicated to all the domain controllers in the forest, which
means with the help of DNS, every domain controller in the forest can actually identify the site in
which the client is located, and also compare it to the site in which the domain controller is
located, and then indicate this information, reflect it back to the client, so the client knows where
the nearest DC is, what site it's a part of, and what sites other domain controllers are a part of.

[The DNS Manager window is open. In the navigation, under DC1 - Forward Lookup Zones -
easynomad.com - _sites - HQ, _tcp folder is selected. The details of this folder are displayed in
the view pane. The view pane displays the Service Location (SRV) records - _gc, _kerberos,
_ldap.]
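An added PowerShell check (not code from the course) for the DC locator mechanics described above: it compares the DCs that Sites and Services places in each site against the site-scoped _ldap SRV records actually registered in DNS, flags any DC that needs a Netlogon restart, and then asks the locator which site this client landed in. It assumes the DnsClient and ActiveDirectory modules; easynomad.com is the domain shown in the demo.

```powershell
# Added example, not from the course: verify that every DC has registered its
# site-scoped SRV records (the _sites\<site>\_tcp records shown in DNS Manager)
# and ask the DC locator which site this client is in.
Import-Module ActiveDirectory

$domain = 'easynomad.com'   # domain name from the demo

function Get-SiteSrvRecords {
    param([string]$Domain, [string]$Site, [string]$Service = '_ldap')
    # e.g. _ldap._tcp.HQ._sites.easynomad.com; clients use these to find a DC in their own site
    $name = "$Service._tcp.$Site._sites.$Domain"
    try {
        Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "No $Service SRV records found for site $Site ($name)"
        @()
    }
}

function Test-SiteSrvRegistration {
    param([string]$Domain)
    $missing = @()
    foreach ($site in Get-ADReplicationSite -Filter *) {
        # DCs of the current domain that Sites and Services places in this site...
        $expected = (Get-ADDomainController -Filter "Site -eq '$($site.Name)'").HostName
        if (-not $expected) { continue }   # no DCs of this domain here, nothing to advertise
        # ...versus DCs that actually advertise themselves for the site in DNS
        $registered = (Get-SiteSrvRecords -Domain $Domain -Site $site.Name).NameTarget |
            ForEach-Object { $_.TrimEnd('.') }
        foreach ($dc in $expected) {
            if ($registered -notcontains $dc) {
                $missing += [pscustomobject]@{ Site = $site.Name; DC = $dc }
            }
        }
    }
    return $missing
}

$missing = Test-SiteSrvRegistration -Domain $domain
if ($missing) {
    # The course's fix: restart Netlogon on that DC so it re-registers its SRV records
    $missing | ForEach-Object {
        Write-Warning "$($_.DC) has no _ldap SRV record for site $($_.Site); run 'Restart-Service Netlogon' on it"
    }
} else {
    Write-Host "All DCs have site-scoped _ldap SRV records"
}

# Client side: which site the locator put this machine in (from its subnet) and
# which DC it chose; /force bypasses the cached answer.
nltest /dsgetsite
nltest /dsgetdc:$domain /force
```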

2. AD sites and replication


Now when it comes to AD replication, there are two mindsets the KCC has to account for. There
is intrasite replication and inter-site replication. In regards to intra or within a site, if you have got
multiple domain controllers there, the KCC or the Knowledge Consistency Checker creates
connection objects or relationships among those DCs. And it has several assumptions that we
are making, when we are talking about intrasite replication. First of all, this is really a fast
replication. We are talking that we have very fast notification, within just 5 to 15 seconds or so,
when a change is made, it is letting its partners know, "Hey, I have a change, come and get it."

This also means that the traffic is going to be not compressed because we don't have to go to
that extra effort. Because the assumption is, if we are on the same site, we are on a well-
connected network. Intrasite replication then is very different than inter-site replication.

Now let's talk about inter-site replication, which has a different set of assumptions. And this of
course is because the connections between these locations may not be as available; at least
that's the assumption. So here we are assuming a limited bandwidth and we are going to then
compress the actual replication information between the two locations.

Now by separating our domain environment into different sites, we can create these site links
and we can control replication because these locations are on a low bandwidth situation. What
that means is, I can define as an administrator, how frequent I want these domain controllers in
these different locations to replicate with each other. I can indicate when replication is even
available, that's the replication schedule. I can also indicate, if I have multiple paths that the
domain controllers can elect to use, I can indicate which ones have priority by indicating what is
called the link cost. Now all of these kinds of controls are important when I have a very
widespread environment, where I have domain controllers in multiple locations, and I need to
control that replication traffic over these slow links.

But I might have sites and site links for reasons other than low bandwidth. So you can
actually go in and configure and change the actual replication behavior even between sites.
You can make inter-site replication behave just like intrasite replication, with a couple of
configuration changes. Why would you consider doing that? Well, a lot of networks today are
actually well connected and highly available. You might think, well then why use any sites at all?
Well, still sites have another purpose to remember and that's to actually indicate where clients
can log into. So I might still create sites and create site links and use that in the intrasite kind of
way. But I might still want to control which domain controllers my clients are authenticating to.

Now as we stated earlier, site links help us shape how Active Directory replicates between
sites. Now in this example, we have this link cost and that's going to help us...help Active
Directory determine the preferred path of replication, and who it should replicate with. You see
site links are transitive or bridged in nature. And these link costs that we apply to these links will
indicate preference. So in this example, our branch servers prefer to replicate with domain
controllers in the Headquarter site because the link cost is 100.

They could replicate with each other and they could do that, especially if the DCs in the HQ site
are unavailable. But that would be a cumulative cost of 200. The ability to actually go across to
multiple links here and bridge through these sites is called site link bridging, and it assumes a
strong routing model. Now what if we never want these branch servers to replicate with each
other? Well we can disable this site link bridging. Now be careful, if you do that, because you
could isolate domain controllers. And again, that might be a necessary step if you don't have a
fully routed environment.

So how do you go about actually defining your replication environment? It has a lot to do with
these different components that we are talking about, each one represented by an object in
Active Directory, these objects are again stored in the configuration partition. So to build this up,
these are the different components that you are going to have to build. You are going to have
the domain controllers represented as server objects. Each site that you create needs to have
associated with it, these objects called subnet objects.

So you'll create a site, you'll create the subnet objects, and you'll associate them together. The
other thing that you are going to need to do of course is, create the links between them. So
you'll create your multiple sites, and then create a site link. And then the properties of the site
link, that's where you can define the cost, and the schedule, and the frequency. And so those
are the different components that you need to bring together, that will inform Active Directory
about the physical topology, and how you wanted to replicate.
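The topology build-out just described (sites, subnet objects, site links with cost and interval) together with the two behaviour changes discussed earlier (making an inter-site link behave like intrasite replication, and turning off site link bridging), as an added PowerShell example that is not the course's own code. Site, subnet and cost values are constructed; the options bit values are the documented ones for the site link and IP transport objects.

```powershell
# Added example, not from the course: build the replication topology with the
# ActiveDirectory module and set the two behaviour switches the course discusses.
Import-Module ActiveDirectory

# Sites and the subnets that let clients and DCs work out which site they are in
# (constructed values; IPv6 prefixes are accepted just like IPv4 ones)
$sites = @{
    'HQ'      = @('10.0.3.0/24', '2001:db8:3::/64')
    'EAST'    = @('10.0.5.0/24')
    'Branch1' = @('10.0.7.0/24')
}
foreach ($site in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$site'")) {
        New-ADReplicationSite -Name $site
    }
    foreach ($prefix in $sites[$site]) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$prefix'")) {
            New-ADReplicationSubnet -Name $prefix -Site $site
        }
    }
}

# Slow WAN to the branch: higher cost than the HQ links so the ISTG prefers
# paths through HQ, and replicate only every 4 hours to spare the link
New-ADReplicationSiteLink -Name 'HQ-Branch1' -SitesIncluded 'HQ', 'Branch1' `
    -Cost 200 -ReplicationFrequencyInMinutes 240 -InterSiteTransportProtocol IP

# Well-connected sites kept separate only to control client logon: make the link
# behave like intrasite replication by enabling change notification, which is
# bit 1 (USE_NOTIFY) of the site link's options attribute. Read-modify-write so
# any other option bits already set are preserved.
New-ADReplicationSiteLink -Name 'HQ-EAST' -SitesIncluded 'HQ', 'EAST' `
    -Cost 100 -ReplicationFrequencyInMinutes 15 -InterSiteTransportProtocol IP
$linkOpts = (Get-ADReplicationSiteLink -Identity 'HQ-EAST' -Properties options).options
Set-ADReplicationSiteLink -Identity 'HQ-EAST' -Replace @{ options = ([int]$linkOpts -bor 1) }

# Not a fully routed network: stop the ISTG from bridging site links transitively,
# bit 2 (BRIDGES_REQUIRED) on the IP inter-site transport. As the course warns,
# DCs reachable only across two links are then isolated unless you define
# explicit site link bridges.
$transport = "CN=IP,CN=Inter-Site Transports,CN=Sites," +
             (Get-ADRootDSE).configurationNamingContext
$xportOpts = (Get-ADObject -Identity $transport -Properties options).options
Set-ADObject -Identity $transport -Replace @{ options = ([int]$xportOpts -bor 2) }

# Review the resulting links: cost, interval and option bits per link
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, options |
    Format-Table Name, Cost, ReplicationFrequencyInMinutes, options, SitesIncluded
```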

Windows Server 2012 R2 AD Sites and Replication
Learning Objective
After completing this topic, you should be able to
◾ sequence the steps to configure a new site link object in Windows Server 2012

1. Demo: Configuring sites and replication


All right, I want to look at Active Directory sites and the site topology. To do that, I'm going to go
into the Active Directory Sites and Services tool. And you can see here the different
components that contribute to Active Directory replication are represented in this tool. We have
Inter-Site Transports for my links, my subnet objects, and then the individual sites themselves
are these blue buildings. And if I dig into the building areas here into my sites, I have the actual
individual servers that might be associated with the site.

And a site typically is going to have domain controllers. You can create empty sites for other
site aware applications like System Center Configuration Manager or maybe Distributed File
System, or DFS. But they have got this container called Servers, where I can place my domain
controllers. And attached to my domain controllers are NTDS Settings which are the actual
replication objects or relationship objects or connection objects and they are represented here
in the details pane. So if I click on DC10, here, you can see my connection objects, notice these
are automatically generated. And that's all the work of...you got it, the KCC, the Knowledge
Consistency Checker.

[The instructor opens the Active Directory Sites and Services window.]

Now a couple of things here I want to bring to your attention. Notice that it says From Server, so
that's the pull nature of replication. So this DC10 is pulling down changes from DC14 and DC1
from the Headquarters, or HQ, site; this server is in the EAST site. So these are inter-site
replication relationships. If I go down to DC1 in HQ, and I look at its relationships, it has a
corresponding one here to DC10 from the EAST site. But it also has some intrasite replication
connection objects for DC14 and DC13. And these connection objects represent what we are
actually replicating. So if I go to the Properties of these, I can actually see the partitions, the
actual replication partition. So here is the Forest Zone...there and if I arrow over, get my mouse
out of the way, arrow over, I can see there is the Schema and there is the Configuration. So
these are the different partitions that I'm replicating from DC13. And it also says Partially
Replicated Naming Context, that's for the global catalog.

Now one of the things that's missing from this is the domain partitions that belong to DC1. And
that's because DC13 and DC1 belong to separate domains. So that's why you have this specific
naming context just listing the forest partitions.

[The Active Directory Sites and Services window is open. In the navigation pane, under Sites -
EAST - Servers - DC10 - NTDS Settings is selected. In the view pane, DC1 and DC14 from HQ
site are displayed. In the navigation pane, under Sites - HQ - DC1, the instructor clicks NTDS
Settings, right-clicks DC13 in the view pane, and clicks Properties in the shortcut menu. The
<automatically generated> Properties dialog box is displayed. In the Replicate from section, the
Server field displays DC13, Site field displays HQ, Replicated Naming Context(s) field displays
ForestDnsZones.corp.brocadero.com;Schema; Configuration, and the Partially Replicated
Naming Context(s) field displays All other domains. In the <automatically generated> Properties
dialog box, the instructor clicks Cancel.]

If I actually, in comparison, go to DC14's connection object, I can see that in its Replicated
Naming Context, I got the forest, because they are part of the same forest. But look, there is the
domain DNS zones and then there is the actual domain that DC1 belongs to, that's
corp.brocadero.com. And Partially Replicated Naming Context is blank, because well, DC14 is
not a global catalog server.

So this shows you kind of the different partitions in the way that replication now works, where
we have these connection objects. Now you can manually create these connection objects, if
you want to, but it's not necessary usually when you have the KCC. You can tell the KCC and
kick it off and tell, "Hey, go check the replication topology and evaluate it." And then it runs its
algorithms so you can force it to re-evaluate your topology...do some additional match making.
You can also use these connection objects to force replication, so I can do a Replicate Now,
and pull changes down.

[The Active Directory Sites and Services window is open. In the view pane, the instructor right-
clicks DC14, and clicks Properties in the shortcut menu. The <automatically generated>
Properties dialog box is displayed. In the Replicate from section, the Server field displays DC14,
Site field displays HQ, Replicated Naming Context(s) field displays
ForestDnsZones.corp.brocadero.com;DomainDnsZones.corp.brocadero.com;corp and the
Partially Replicated Naming Context(s) field displays All other domains. In the <automatically
generated> Properties dialog box, the instructor clicks Cancel. In the view pane, the instructor
right-clicks DC13, and clicks Replicate Now in the shortcut menu. The Replicate Now message
box is displayed. In the message box, the instructor clicks OK.]
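The command-line equivalents of what the demo does in Sites and Services (list the KCC-generated connection objects, make the KCC re-evaluate the topology, force a pull like Replicate Now) plus a look at the per-attribute change stamp from the conflict-arbitration discussion earlier (version, originating time, originating DC), as an added PowerShell example that is not the course's own code. DC names and the domain DN are from the demo; the Jane Doe user DN is constructed.

```powershell
# Added example, not from the course: repadmin.exe and ActiveDirectory module
# equivalents of the demo's Sites and Services actions, plus change-stamp metadata.
Import-Module ActiveDirectory

$domainNC = 'DC=corp,DC=brocadero,DC=com'                    # domain from the demo
$userDN   = "CN=Jane Doe,CN=Users,$domainNC"                 # constructed object

# Connection objects that pull changes into DC1 (the "From Server" relationships);
# AutoGenerated tells you whether the KCC built them or an admin did
Get-ADReplicationConnection -Filter * -Server DC1 |
    Where-Object { $_.ReplicateToDirectoryServer -like 'CN=NTDS Settings,CN=DC1,*' } |
    Format-Table Name, ReplicateFromDirectoryServer, AutoGenerated

# Ask the KCC on DC1 to re-run its topology algorithms (Check Replication Topology)
repadmin /kcc DC1

# Replicate Now for one connection: pull the domain partition from DC14 into DC1
repadmin /replicate DC1 DC14 $domainNC

# Or sync every partition DC1 holds with all its partners, including
# partners in other sites (/A all NCs, /e enterprise-wide, /P push)
repadmin /syncall DC1 /AeP

# Where replication stands afterwards: failures, last success, per-partner
repadmin /replsummary
repadmin /showrepl DC1

# The change stamp per attribute: version number, originating time and
# originating DC, which is what arbitrates two conflicting edits of one attribute
repadmin /showobjmeta DC1 $userDN

# Same data from PowerShell, limited to the two attributes in the course's example
Get-ADReplicationAttributeMetadata -Object $userDN -Server DC1 |
    Where-Object { $_.AttributeName -in 'postalCode', 'telephoneNumber' } |
    Format-Table AttributeName, Version, LastOriginatingChangeTime,
                 LastOriginatingChangeDirectoryServerIdentity
```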

Now when I do that from an inter-site replication and trigger basically that immediate
notification, if I go to DC10 and do Replicate Now, I get a slightly different message. Well that's
because we are intra-site, and so some...that replication is going to be somewhat dependent
on, the connection between DC1 and DC10. So that's a look there at that actual sites
themselves. Now in order to actually construct this and so that the domain controllers and
clients have an intelligent identification as to what sites they belong to, this is where Subnets
come into this. So clients can identify what sites they are part of and we can find the nearest
site in part because of what we do is, we associate subnet objects to these different sites and
then also DNS assists us with Service Location, or SRV, records. So we can see, here is our
subnet objects and they are associated with different sites, you can have multiple subnets
associated with multiple sites.

[The Active Directory Sites and Services window is open. In the view pane, the instructor right-
clicks DC10, and clicks Replicate Now in the short-cut menu. The Replicate Now message box
is displayed. In the message box, the instructor clicks OK. In the navigation pane, the instructor
expands and clicks Subnets.]

You can also come in here and set up Internet Protocol version 6, or IPv6, subnets as well. The
actual SRV records that are registered by the domain controllers can be found up here. So if I
go into DNS, this is my DNS interface, you can see that there is this area called Microsoft
domain controller service, or msdcs, and in this particular zone, I have site information listed. So
I can see, here is my branch site, and here are the different domain controllers that would be
advertised and available for Branch1. Here is a server for EAST, tcp, and these are SRV
records offering Lightweight Directory Access Protocol, or LDAP, and Kerberos services. So
they are associated with these different sites based on, of course, where they are located in
Active Directory Sites and Services. As well as that, if we look now in the actual domain, we have
got their actual registered Host records, which also play an important role. So here is DC1 at
10.0.3.1.

So a client runs the domain controller, or DC, locator service to find the domain controller
nearest it and what site it is. It sends a query to DNS and that's where the information here,
these SRV records organized by sites are going to be able to reply with an accurate list of
domain controllers, and much depends on your site topology on how you define them.

[The Active Directory Sites and Services window is open. The instructor opens the DNS
Manager window. In the navigation pane, under Forward Lookup Zones, the instructor expands
and clicks corp.brocadero.com.]

Now another important contributing part to your site construction has to do with the actual links
themselves. So this is also going to be a factor that will affect replication in client logon. And so
this shows the actual relationships between the sites. So we have got these connections or site
links between HQ and the Recovery site, HQ and WEST, HQ and EAST, and HQ and Branch1.
You will notice that we have got different cost values and different replication intervals that are
available.

So there might be different reasons, of course, why we might construct these links...a lot has to
do with the physical WAN topology and what we are using those sites for. We might have a
situation where we have well-connected offices, but we really want to allow clients to log in to
the nearest domain controller, or we might need to control replication. So let's say I needed to
slow replication down, and so I create...I have this lag site, a recovery site as it is called. So in
the properties of this, I might actually affect how frequently I do my replication. Or I can
come in and alter the schedule, so when replication is actually going to be available. And there
are a variety of ways that you can see that I have done this. It's just kind of a sample of different
ways in which you might construct your different replication availability on that particular link.
So you can do it every 4 hours, you might do it more frequently or less frequently depending of
course on the available bandwidth.

[The Active Directory Sites and Services window is open. In the navigation pane, the instructor
expands Inter-Site Transports, clicks IP, and double-clicks HQ-Recovery in the view pane. The
HQ-Recovery Properties dialog box is displayed. In the dialog box, the instructor clicks Change
Schedule, and the Schedule for HQ-Recovery dialog box is displayed. This dialog box displays
a table that displays the replication availability from Sunday through Saturday from 12.00 AM to
12.00 AM. The instructor clicks cancel.]

Now another important thing here I want to point out is, you can actually have multiple sites be
part of and associated with the site link, if you need to. You also have the ability to control the
Cost. And costs are important because that's going to help in the case that, you know, when
that KCC triggers and needs to re-evaluate inter-site topology relationships with the help of the
Inter-site Topology Generator, or ISTG, or DCs need to replicate with other DCs, and clients
need to find DCs in other branch offices, this cost value can become important.

[The HQ-Recovery Properties dialog box is open. Under Sites in this site link, HQ and Recovery
are displayed. The Cost field is set to 150 and the Replicate every field is set to 10080 minutes.
The instructor clicks Cancel.]

So let's actually talk about this for a moment. So let's say, for instance, that you have got this
site here HQ-Recovery at a 150 cost, you have this branch site at 200, and they are all actually
connected to HQ. So an actual topology might look something like this, where you have your
HQ site. And I have connected to that, I have my branch site with the site link between HQ and
branch and it is at 200, that's my current cost value, you can see that in the column over there.
But then I also have a couple of other sites here, I have the WEST site, and I have that
RECOVERY site. And there might be a variety of reasons why I have a RECOVERY site. It
could be a failback for client logon from branch site, especially, if I don't have DCs in branch
sites. Or it could be for replication purposes, so if I delete objects, I have an area that gets
replicated to less often. Microsoft Support doesn't recommend creating lag sites, but
nonetheless, it's a common practice. So I might have branch offices here replicating with 200,
and then I have this WEST site and then I have this RECOVERY site.

[The Active Directory Sites and Services window is open. The instructor illustrates the
importance of cost with the help of a flow chart. The flow chart explains the cost involved in
connecting the branch office (B), west site (W), and recovery site (R) with the headquarters
(HQ). The cost for connecting the branch site and the headquarters is 200.]

Now notice the cost values associated with this; this current WEST is 100, and then the
RECOVERY site is 150. As we talked about earlier, one of the things I want to point out
here is, if for whatever reason I have a DC here in the branch site trying to replicate with HQ
and the HQ is no longer available, then the question is, who is it going to replicate with next?
With the current cost assessment, it's going to replicate with WEST, because 200 and 100 is
300, while 200 and 150 is 350.

Now if that's what I want, then of course I want to leave that. But what if I built this RECOVERY
site as a failback in the event that something goes wrong with the domain controllers in HQ and
I needed to be more available, so then I need to, of course, change that to 50, so that its
preference is going to be, you know, 250 rather than 300. So that will kind of steer the
replication in this direction.

[The instructor continues with the flow chart. The cost for connecting the west site and the
headquarters is 100 and the cost for connecting the recovery site and the headquarters is 150.]

So I can of course do that by going back into RECOVERY and altering the Cost. Much again
depends on what you are intending to do. What is the purpose of that particular site? Why do
you create and design your sites? Is it for client logon? Is it for replication? Is it for both? Is it
supporting an application? What is the physical topology? What is the routability underneath it? So
there are multiple factors that are going to kind of control and affect how you actually make
decisions regarding the cost and replication interval. So that's a look at some of the basic
components that contribute together to create your site topology.

[The Active Directory Sites and Services window is open. The instructor double-clicks HQ-
Recovery in the view pane, and the HQ-Recovery Properties dialog box is displayed. In the
Cost field, the instructor types 50, and clicks OK.]
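The cost comparison the instructor works out by hand (200+100 versus 200+150, then again after lowering HQ-Recovery to 50) is the one instance of a general least-cost search over the site-link graph. The following is an added example, not part of the course material: it runs that search from any starting site over a link table. The link table below is constructed from the demo's values; the function ignores DC availability, schedules and the intra-site details the real ISTG also considers, and assumes site link bridging is enabled so that transitive paths are allowed.

```powershell
# Added example: rank the sites reachable from one site by total site-link cost.
# The link table is constructed from the demo; Get-ADReplicationSiteLink could feed it.
function Get-SiteCostRanking {
    param(
        [Parameter(Mandatory)] [string]   $From,
        [Parameter(Mandatory)] [object[]] $Links   # objects with Name, SitesIncluded, Cost
    )
    # Dijkstra over the site-link graph: a link joins every pair of its member sites at its cost.
    $dist  = @{ $From = 0 }
    $via   = @{ $From = @() }
    $done  = @{}
    $sites = $Links | ForEach-Object { $_.SitesIncluded } | Sort-Object -Unique
    foreach ($s in $sites) { if (-not $dist.ContainsKey($s)) { $dist[$s] = [int]::MaxValue } }

    while ($true) {
        # Pick the cheapest site not yet settled
        $u = $dist.Keys | Where-Object { -not $done[$_] -and $dist[$_] -lt [int]::MaxValue } |
             Sort-Object { $dist[$_] } | Select-Object -First 1
        if (-not $u) { break }
        $done[$u] = $true
        foreach ($link in ($Links | Where-Object { $_.SitesIncluded -contains $u })) {
            foreach ($v in ($link.SitesIncluded | Where-Object { $_ -ne $u })) {
                $alt = $dist[$u] + $link.Cost
                if ($alt -lt $dist[$v]) { $dist[$v] = $alt; $via[$v] = $via[$u] + $link.Name }
            }
        }
    }
    $dist.Keys | Where-Object { $_ -ne $From } | ForEach-Object {
        [pscustomobject]@{ Site = $_; TotalCost = $dist[$_]; Path = ($via[$_] -join ' > ') }
    } | Sort-Object TotalCost
}

# Constructed from the demo: every remote site hangs off HQ.
$links = @(
    [pscustomobject]@{ Name = 'HQ-Branch1';  SitesIncluded = @('HQ', 'Branch1');  Cost = 200 },
    [pscustomobject]@{ Name = 'HQ-WEST';     SitesIncluded = @('HQ', 'WEST');     Cost = 100 },
    [pscustomobject]@{ Name = 'HQ-Recovery'; SitesIncluded = @('HQ', 'Recovery'); Cost = 150 }
)

# HQ 200, WEST 300, Recovery 350: WEST is the next choice for a Branch1 DC.
Get-SiteCostRanking -From 'Branch1' -Links $links | Format-Table -AutoSize

# Lower HQ-Recovery to 50 as in the demo: Recovery (250) now ranks ahead of WEST (300).
($links | Where-Object { $_.Name -eq 'HQ-Recovery' }).Cost = 50
Get-SiteCostRanking -From 'Branch1' -Links $links | Format-Table -AutoSize
```

To run this against a live forest, build the link table from `Get-ADReplicationSiteLink -Filter *`, whose `SitesIncluded` property holds site distinguished names rather than the short names used here.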

Okay, so let's get our hands dirty and build a site. Remember there are multiple parts to this
process, it's not just the site, but also the subnets, the site link, and any additional settings that I
might need. So I'm going to start off here by right-clicking, creating a New Site. I am going to
call it NORTH. And when you are creating a new site, you actually have to associate it with a
site link. Even if you haven't yet created the site link that will ultimately be attached to this site, it
needs to at least temporarily be associated with a link. So I'm going to just choose the default
one. And there is a default site link as there is the default site. Many people will actually rename
these. I left them here for demonstration purposes. But this is the default location; if no site is
indicated, this is where servers will actually end up.

[The Active Directory Sites and Services window is open. In the navigation pane, the instructor
right-clicks Sites, clicks New Site in the shortcut menu, and the New Object - Site dialog box is
displayed. In the Name field, the instructor types NORTH, under Select a site link object for this
site. Site link objects are located in the Sites\Inter-Site Transports container, selects
DEFAULTIPSITELINK, and clicks OK.]

Now I have created my site here as NORTH, there are no servers attached yet, but I'm not quite
done. I also need to build the subnets and the site link. So let's come to the Subnets section here,
you can see multiple subnets, but I am missing one for the NORTH location. And that's the 5
network and it's a 24-bit mask, 255.25.255, of course, associated here with the NORTH site,
this is where I do the association, and I click OK to that. And there I got my subnet. So that's an
important piece for clients to locate domain controllers, to know where NORTH sits, and we will
actually see it in action here in a moment.

So next I want to go and create my actual links. Here are the existing links that I have, I need
one for HQ and NORTH, and I will just call it HQ-NORTH.

Now I have to have at least two sites to be part of a site link, I can have more than two though.
And by having more than two, whatever parameters and settings I put around the site link,
those are what are going to be used by the Inter-site Topology Generator to create the
necessary replication relationships in the intra-site situation. So it can be more than two sites, if
I need. In this case, I'm just associating HQ and NORTH.

[The Active Directory Sites and Services window is open. In the navigation pane, the instructor
expands and right-clicks Subnets, clicks New Subnet in the shortcut menu, and the New Object
- Subnet dialog box is displayed. In the Prefix field, the instructor types 10.0.5.0/24, under
Select a site object for this prefix, selects NORTH, and clicks OK. In the navigation pane of the
Active Directory Sites and Services window, the instructor expands Inter-Site Transports, right-
clicks IP, clicks New Site Link in the shortcut menu, and the New Object, Site Link dialog box is
displayed. Under Sites not in this site link, the instructor selects HQ and clicks Add, selects
NORTH and clicks Add, in the Name field, types HQ-NORTH, and clicks OK.]

All right, so far so good. Now if I need to, I can actually come in here if I have already installed
my domain controller, and I can actually move it to the new site that I just created. In my case, I
haven't actually installed it, so what I am going to do is, flip over to DC11. And here I have
started the promotion wizard, it's ready to become a domain controller, I have got the
credentials defined, it's a domain controller for an existing domain, I click Next to this.

Now what happens now is, it evaluates its current configuration. It's going to look at the site
topology, it's going to give me the options here in a moment to be able to choose between
DNS, Global Catalog, or Read-only domain controller. But what it also does is, it looks at the
subnet objects that I just created and it goes – Hey, this server is 10.0.5.11, that's associated
with the NORTH site, and so it pre-populates the site field.

[The Active Directory Sites and Services window is open. The instructor opens DC11 NORTH
and the Active Directory Domain Services Configuration Wizard is displayed. On the
Deployment Configuration page, under Select the deployment operation, Add a domain
controller to an existing domain option is selected, the Domain field is set to
corp.brocadero.com, and under Supply the credentials to perform this operation,
CORP\administrator (Current user) is displayed, the instructor clicks Next, and the Domain
Controller Options page is displayed. On this page, under Specify domain controller capabilities
and site information, Domain Name System (DNS) server and Global Catalog (GC) checkboxes
are selected, and the Site name field is set to NORTH.]

So there you have it, right in action there, that location awareness, it's part of Active Directory,
so I can actually force a different site, if I want to. But I am going to go ahead and complete this
wizard, give it a couple of more clicks. And this is useful by the way, this Install from media, or
IFM especially in the case of replicating over a WAN link, you can reduce the impact by using a
backup set instead from another domain controller. Or pick a domain controller that's nearest to
the NORTH site. So you can actually control that as well that way, I like the IFM, it helps, it
saves me a lot of time with branch site type of replications.

All right, so we're going to click Next, and this is just about ready to kick off and begin the
installation, just looking at some final prerequisites. I think it's happy enough, we're going to
click Install. All right, so it's going to go ahead and chug away, and what we should see in the
end, back in the original domain controller, is that eventually a domain controller object
appears in the NORTH site.

[The Domain Controller Options page of the Active Directory Domain Services Configuration
Wizard is open. In the Password and Confirm password fields, the instructor types the
password, clicks Next, and the DNS Options page is displayed. On this page, the instructor
clicks Next, and the Additional Options page is displayed. On this page, the instructor clicks
Next, and the Paths page displayed. On this page, the Database folder field is set to
C:\Windows\NTDS, the Log files folder field is set to C:\Windows\NTDS, the SYSVOL folder
field is set to C:\Windows\SYSVOL, the instructor clicks Next, and the Review Options page is
displayed. On this page, the instructor clicks Next, and the Prerequisites Check page is
displayed. On this page, the instructor clicks Install, and opens DC1 CORP. The Active
Directory Sites and Services window is displayed.]

Now I showed you how to create sites using the Sites and Services user interface, or UI.
Another way to create sites is to use PowerShell. So if I open up my PowerShell editor, you can
see there is a variety of different commands that we can use that also perform a lot of these
important...these site commands. So I can interrogate first of all and look at the list of sites that I
have. So you can see here, these are my current sites, including the new one I just made called
NORTH. I can create a new one called Portland using a very simple cmdlet called New-
ADReplicationSite. And then let's see my new list of sites and there is Portland.

You can also use a text file to create sites and pipe the content of a text file to the New-
ADReplicationSite command. Here is what my text file looks like. It's just a list of site
names and I'll kick that one off. And there they are. So really easy to do. I can create new site
links and new site objects, here is a site link between Portland and Sydney, and include several
important parameters like the cost and the frequency, and those can be defined with additional
switches, I can create a new subnet object. And this one is a useful command, and this one
allows me to interrogate my site topology and locate any sites where subnets have not been
created. So subnets are an important part of this and you can see that the new sites that I
imported from my text file all need subnet objects.

[The instructor opens the Windows PowerShell window. At the administrator command prompt
the instructor selects and runs the following command:
Get-ADReplicationSite -Filter * | ft Name
The output of this command is:
Name
----
Default-First-Site-Name
HQ
EAST
Branch1
WEST
NORTH
Then the instructor selects and runs the following command:
New-ADReplicationSite Portland
The output of this command is:
Name
----
Default-First-Site-Name
HQ
EAST
Branch1
WEST
NORTH
Portland
The instructor selects and runs the following command:
import-csv -path c:\sites\sites.csv | New-ADReplicationSite
Then the instructor selects and executes the following command:
Get-ADReplicationSite -Filter * | ft Name
The output of this command is:
Name
----
Default-First-Site-Name
HQ
EAST
Branch1
WEST
NORTH
Portland
Tokyo
Sydney
Madrid
Delhi
The instructor selects and runs the following commands:
new-adreplicationsitelink -name "Portland<-->Sydney" -sitesincluded Portland,Sydney -cost 50 -replicationfrequencyinminutes 10080
New-ADReplicationSubnet 10.0.1.0/24 -Site Portland
get-adreplicationsite -filter * -property subnets | where-object {!$_.subnets -eq "*"} | format-table name
The output is as follows:
Name
----
Default-First-Site-Name
Tokyo
Sydney
Madrid
Delhi]
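The same three objects (site, subnet, site link) plus the "sites without subnets" check, as an added example that is not the course's own script. Site names, prefix, cost and interval are constructed for illustration; the cmdlets and parameters are the ActiveDirectory module's.

```powershell
# Added example: build a site with its subnet and site link, then find sites that
# still have no subnet. The names and values passed at the bottom are constructed.
Import-Module ActiveDirectory

function New-BranchSiteTopology {
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $Prefix,     # e.g. "10.0.5.0/24"
        [Parameter(Mandatory)] [string] $HubSite,    # e.g. "HQ"
        [int] $Cost = 100,
        [int] $FrequencyMinutes = 180
    )

    # 1. The site object itself; it belongs to no site link until step 3.
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$SiteName'")) {
        New-ADReplicationSite -Name $SiteName
    }

    # 2. The subnet that maps client and DC addresses to the site. The DC locator
    #    and the promotion wizard both rely on this association.
    if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$Prefix'")) {
        New-ADReplicationSubnet -Name $Prefix -Site $SiteName
    }

    # 3. A site link joining hub and branch, with the cost and interval the ISTG
    #    will use when it builds inter-site connection objects.
    $linkName = "$HubSite-$SiteName"
    if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$linkName'")) {
        New-ADReplicationSiteLink -Name $linkName `
            -SitesIncluded $HubSite, $SiteName `
            -Cost $Cost `
            -ReplicationFrequencyInMinutes $FrequencyMinutes `
            -InterSiteTransportProtocol IP
    }
}

# Sites that exist but have no subnet: clients in those locations cannot be mapped
# to a site and may authenticate against a distant DC instead of a local one.
function Get-SiteWithoutSubnet {
    Get-ADReplicationSite -Filter * -Properties Subnets |
        Where-Object { @($_.Subnets).Count -eq 0 } |
        Select-Object -ExpandProperty Name
}

New-BranchSiteTopology -SiteName 'NORTH' -Prefix '10.0.5.0/24' -HubSite 'HQ' -Cost 200 -FrequencyMinutes 60
Get-SiteWithoutSubnet
```

When importing sites from a CSV as in the demo, the file needs a `Name` column so that `Import-Csv` output binds to `New-ADReplicationSite`'s `-Name` parameter by property name; running `Get-SiteWithoutSubnet` afterwards lists every imported site until its subnet has been created.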

So PowerShell is another very powerful way to actually create your site environment. And it also
has a lot of great replication health commands and just retrieving configuration information as
well. So if I come in here, let's do a quick refresh, we can see the changes that I just made. So
here is a lot of the new...here is Madrid, here is Portland, these are the new ones that I created
using PowerShell, here is the new site link.

If I go to NORTH now, there is DC11, and in a little bit it will have some connection objects,
once the KCC finishes evaluating with the help of that inter-site topology generator. After
evaluating the connections and the site links and the like, it will automatically create some
additional objects. So let's take a few minutes more for it to do that. But that's how you can
create sites, subnets, and site links using the UI and using PowerShell.

[The Windows PowerShell command prompt is open. The instructor opens the Active Directory
Sites and Services window and clicks Refresh. The instructor expands Inter-Site Transports,
expands NORTH, Servers, DC11, and clicks NTDS Settings.]

All right, just a little bit more food for thought here, and that is, remember intrasite replication
is really fast and based on change notification, whereas inter-site replication is based on cost
and replication intervals and schedules. But what if you are creating sites merely because of
client logons, and you are well connected and can support a very similar replication model
inter-site as you do intrasite? In other words, here if I look at this particular connection, I can't go
any less frequent than 15 minutes. But if I've got a really good connection, maybe I want to
support change notification. Well you can do that, you can basically support intrasite
replication both between sites and within the site.

[The Active Directory Sites and Services window is open. In the navigation pane, under Sites -
Inter-Site Transports, the IP folder is selected. In the view pane, the instructor double-clicks
Portland<-->Sydney, and the Portland<-->Sydney Properties dialog box is displayed. Under
Sites not in this site link, Branch1, Default-First-Site-Name, Delhi, East, HQ, Madrid, NORTH,
Tokyo, and WEST are displayed, under Sites in this site link, Portland, Sydney are displayed,
the Cost field is set to 50, the Replicate every field is set to 15 minutes, and the instructor clicks
Cancel.]

To do that, I'm going to actually go into the Active Directory Service Interfaces, or ADSI, editor,
adsiedit.msc, and you need to connect to the Configuration partition here and that's
because it contains all my site information. If I go into the Sites container here, going to Inter-
Site Transports and IP, I can see all of my different sites. And so which site do I want to enable
change notification for replication? Well, you can select whatever site supports that, that has
that kind of bandwidth, and let's say this one does and go to the Properties of it. And then I can
scroll down through this Attribute Editor, these are all the different attributes attached to that
object; the one I'm looking for is options. And I just need to change that to a 1. Now if there is a
pre-existing value in here, you have to do a little Boolean OR math. But if it's not set, the
easiest way is you just put a 1 in there and click OK. And now see where it changes, now a flag
has been enabled to use change notification between HQ and NORTH. So that's how you do
that.

[The Active Directory Sites and Services window is open. From Start, the instructor clicks Run,
and the Run dialog box is displayed. The Open field displays adsiedit.msc, the instructor
clicks OK, and the ADSI Edit window is displayed. In the navigation pane, the instructor
expands CN=Configuration,DC=corp, expands CN=Sites, expands CN=Inter-Site Transports,
clicks CN=IP, right-clicks CN=HQ-NORTH in the view pane, clicks Properties in the shortcut
menu, and the CN=HQ-NORTH Properties dialog box is displayed. On the Attribute Editor tab,
under Attributes, the instructor double-clicks options, and the Integer Attribute Editor dialog box
is displayed. In the Value field, the instructor types 1, clicks OK, and the options attribute is set
to 0x1 = (USE_NOTIFY). In the CN=HQ-NORTH Properties dialog box, the instructor clicks
OK.]
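The ADSI Edit steps above set the USE_NOTIFY bit (0x1) of the site link's options attribute, and the "Boolean OR math" the instructor mentions is needed whenever other bits are already set. The following is an added example, not part of the course: it does the same change with the ActiveDirectory module and computes the new value with a bitwise OR so existing flags survive. The site link name is the demo's HQ-NORTH; the other two bit values are documented flags of the siteLink options attribute and are listed here only so the OR is meaningful.

```powershell
# Added example: enable inter-site change notification on a site link without
# clobbering other options bits, then report the state of every IP site link.
Import-Module ActiveDirectory

$USE_NOTIFY          = 0x1   # replicate on change notification, not just on schedule
$TWOWAY_SYNC         = 0x2   # for reference only, preserved by the OR below
$DISABLE_COMPRESSION = 0x4   # for reference only, preserved by the OR below

function Enable-SiteLinkChangeNotification {
    param([Parameter(Mandatory)] [string] $SiteLinkName)

    $link = Get-ADReplicationSiteLink -Identity $SiteLinkName -Properties options
    # options is absent (null) on a link that has never been edited; treat that as 0
    $current = if ($null -eq $link.options) { 0 } else { [int]$link.options }

    if ($current -band $USE_NOTIFY) {
        Write-Verbose ("{0} already has USE_NOTIFY set (options=0x{1:X})" -f $SiteLinkName, $current)
        return $current
    }

    # Bitwise OR keeps TWOWAY_SYNC / DISABLE_COMPRESSION if they were already set.
    $new = $current -bor $USE_NOTIFY
    Set-ADReplicationSiteLink -Identity $SiteLinkName -Replace @{ options = $new }
    return $new
}

function Get-SiteLinkNotificationState {
    # Cost, interval and whether notification is on, for every site link
    Get-ADReplicationSiteLink -Filter * -Properties options |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes,
            @{ n = 'ChangeNotification'; e = { [bool]([int]($_.options) -band $USE_NOTIFY) } }
}

Enable-SiteLinkChangeNotification -SiteLinkName 'HQ-NORTH'
Get-SiteLinkNotificationState | Format-Table -AutoSize
```

Because the change lives in the Configuration partition, it replicates to every DC in the forest; the KCC on each side of the link picks it up on its next run, which is when the connection objects between HQ and NORTH start honouring notifications rather than only the 15-minute interval.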

Windows Server 2012 R2 RODC Replication
Learning Objective
After completing this topic, you should be able to
◾ recognize how to view accounts that have been authenticated by your Read-only
domain controller

1. RODC and password replication policy


Read-only domain controllers, or RODCs, are an important Active Directory role because, of
course, they don't contain sensitive security information like administrator passwords, and that
makes them ideal for the branch office or the perimeter network where physical security is not
guaranteed. Now there are several things you need to consider when it comes to placing your
RODCs. For instance, how many users are in that location? How available is that WAN link? Do
you have applications in that site that require a writable domain controller and don't tolerate
write failures? What client versions do you have? Because those matter too. A Vista client and
earlier without any service packs, well they might require some hotfixes. Another useful
question to ask is how are you going to support that RODC? Do you have locally trained
Information Technology, or IT, experts in that region or location? Or do you have remote
management set up? And then how are you going to prepare that environment? You might have
to run adprep with the rodcprep switch first in order to actually introduce an RODC.

Now there is another consideration I want to bring to your attention regarding site topologies
and the replication relationship an RODC has to other domain controllers. And that is basically,
it needs access to a writable domain controller, or DC, 2008 or above. If you have a fully routed
environment, and you have site link bridging enabled, well then that RODC can reach across
the site, and if need be, across another site, and locate a writable domain controller.
Remember, RODCs don't replicate with other RODCs. So your actual replication topology
needs to support a replication path so that those RODCs can find a writable DC. Now if you
have site link bridging disabled, well that is going to complicate things a little bit. You need to
again ensure a replication path exists, so any site that has an RODC in it needs to be able to
find a writable domain controller. Now what does that mean for you? Well it could mean that you
have to manually create site link bridges or create additional site links or it could mean you
need to make changes as to where you place your domain controllers.

The reason RODCs are so effective at protecting your network is that they don't contain
passwords. So when a branch user attempts to authenticate to an RODC, that RODC will
authenticate the user, but it does that by referring first to a writable domain controller. Now this
does not help much, of course, if the WAN link is slow or it's busy or it's down. So to provide
fast and resilient authentication for those branch office situations, you can actually create what
is known as a password replication policy that is kind of like an exceptions list. It tells the RODC
to locally cache passwords for the branch office users that you specify in the policy. So even if
that WAN link is down, that RODC can authenticate like any other domain controller, but only
for those users whose passwords had been cached.

Now when you go to deploy an RODC, one of the things that I like is the fact that you can also
pre-populate that cache with any of those branch office users' passwords, so it is ready to go
out of the gate. Now because branch offices are typically considered less secure and the RODC
is more vulnerable in those locations than your DCs that are locked away in the data center,
well we are concerned, of course, about that being compromised or stolen. That is why they are
an RODC. If an RODC is ever compromised or stolen, the good news is that the only passwords
that are actually exposed are those that had been cached. The better news is that Active
Directory also has this nifty trick in it that allows you to respond in the event you have an
emergency like this.

And that is with just a single click or two, you can actually reset all of those passwords that are
attached to a particular RODC. That means with just a couple of clicks, you can regain your
peace of mind, restore your sanity, please your boss, maybe reach nirvana, I don't know.
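The password replication policy, cache pre-population and "which passwords are exposed if this box is stolen" question from the two paragraphs above, as an added PowerShell example that is not part of the course. RODC name RODC2 is the demo's; the group name 'Branch1 Users' and the source DC name 'DC1' are constructed. The cmdlets are the ActiveDirectory module's.

```powershell
# Added example: manage and audit an RODC's Password Replication Policy (PRP).
Import-Module ActiveDirectory

$Rodc = 'RODC2'

# 1. Current allow and deny lists. By default only "Allowed RODC Password Replication
#    Group" is allowed and the privileged groups (Domain Admins etc.) are denied.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc |
    Format-Table Name, Type -AutoSize

# 2. Allow the branch users' group to have its passwords cached on this RODC
#    (the "exceptions list" described above).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList 'Branch1 Users'

# 3. Pre-populate the cache so the first logon works even if the WAN link is down.
#    Sync-ADObject -PasswordOnly copies just the secrets from a writable DC; it fails
#    for any account the policy denies, which the result object records.
function Initialize-RodcPasswordCache {
    param(
        [Parameter(Mandatory)] [string] $Rodc,
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $SourceDc
    )
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $acct = $_
            try {
                Sync-ADObject -Object $acct.DistinguishedName -Source $SourceDc `
                              -Destination $Rodc -PasswordOnly -ErrorAction Stop
                [pscustomobject]@{ Account = $acct.SamAccountName; Cached = $true;  Error = $null }
            } catch {
                [pscustomobject]@{ Account = $acct.SamAccountName; Cached = $false; Error = $_.Exception.Message }
            }
        }
}

Initialize-RodcPasswordCache -Rodc $Rodc -GroupName 'Branch1 Users' -SourceDc 'DC1' |
    Format-Table -AutoSize

# 4. Audit. RevealedAccounts = secrets currently held on the RODC, i.e. what a thief
#    gets; AuthenticatedAccounts = accounts that have authenticated through it, which
#    shows who is using the branch and whether anyone unexpected is.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts |
    Select-Object SamAccountName, ObjectClass

Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts |
    Select-Object SamAccountName, ObjectClass
```

The revealed-accounts list is the one to keep short: a deny entry always wins over an allow entry, so privileged accounts stay out of the cache even if they are nested in an allowed group, and the list is also what the "reset all passwords" action in Active Directory Users and Computers acts on when an RODC computer account is deleted after a theft.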

2. Demo: Deploying an RODC


In this demonstration, I want to show you how to deploy an RODC using the stage deployment.
We can install it two different ways, we can use the PowerShell or Server Manager wizard, and
do kind of a one-end installation without staging it. A stage deployment allows me to actually
pre-create the RODC computer accounts, specify the settings that I want, and then attach it
from the branch office, and complete the installation. So one of the things I need to do before I
do a stage deployment is, I will make sure that I meet the prerequisites.

So that means making sure that I have the current or correct functional level that has to be
greater than Windows 2003. And you can see here, I have got a couple of ways of determining
that, one is using the PowerShell command. And if I use the PowerShell command, that comes
up and that shows me my domain mode. So my domain mode being a Windows Server 2012, in
this case, you can see that right here. And then, of course, there are also commands to do this
with the Active Directory forest. And if I need to change it, I can use the Set commands to
change the actual mode.

Now I also may need to run adprep to prepare it. If I have 2003 domain controllers, I need at
least one writable DC that is running Windows Server 2008 to interact and replicate with the
RODC. Now assuming that I actually meet those requirements, what is the next thing I need to
do? Well I need to actually add the RODC computer account to prestage it. And so this is the
command that I actually use here, it's Add-ADDSReadOnlyDomainControllerAccount.

[The Windows PowerShell window is open. At the administrator command prompt, the instructor
selects and runs the following command: Get-ADDomain corp.brocadero.com The output
displays the domain information of the domain, corp.brocadero.com.]

So I am going to go ahead and execute that command. You can see down here in the output, it
is asking me for DomainControllerAccountName, so let's do RODC2. And what is the name of
the domain? We will do corp.brocadero.com is the name of my domain. And what site do
I want to specify? branch1. So that actually completed.

Now I can actually see the results of that by going into Active Directory Users and Computers.
And let's Refresh my screen here. Here is the RODC computer account. Notice, it says it is
unoccupied, so I have not completed the installation, but it is staged and ready to go. So when I
go to that Windows Server 2012, it is going to occupy this role. I can go through the Install-
DomainController command or Server Manager and complete the installation.

[The Windows PowerShell window is open. At the administrator command prompt, the instructor
selects and runs the following command:
Add-addsreadonlydomaincontrolleraccount
Under Supply values for the following parameters, the instructor types RODC2 as the
DomainControllerAccountName, corp.brocadero.com as DomainName, branch1 as SiteName,
and presses the Enter key. The output of this command is displayed in a tabular format:
Message              Context           Reb
-------              -------           ---
Operation comple...  DCPromo.General1
The instructor opens the Active Directory Users and Computers window, clicks Refresh, and
clicks Domain Controllers under corp.brocadero.com in the navigation pane.]

Now I can also prestage this from in here. I don't actually have to use PowerShell, I can pre-
create the RODC computer account, and walk through this wizard. A lot of the same questions
are going to come up. What credentials am I going to use to perform the installation? I can
specify that here or I can use PowerShell again. Now whatever account I use in Windows
Server 2012, it needs to be a member of the domain admins account. It does not necessarily
mean that the user account that manages the server has to be in the domain admins account.
So I can specify a user account and give it administrative rights but not domain admin rights to
actually manage the server. But this has to do with the credentials for performing the
installation.

What is the name of this server? Let's give it RODC3, since I have a 2. It is going to verify that
computer name, make sure it is unique in the environment. It is going to ask me, what site I
want to make it a member of. Now you don't want multiple RODCs in our branch office site, so
we want to put it in separate sites. I will just choose the default site here. Next thing it's going to
do is, it's going to look at the current DNS configuration, and it's going to ask me a couple of
questions similar to what I found when I actually ran this in PowerShell and that has to do with,
well I can actually indicate this in PowerShell with some switches and that has to do with
whether or not I wanted to be a DNS server and whether or not I want to be a global catalog
server.

Now I did not get prompted for that in the interactive PowerShell command because those are
assumed, so those are turned on by default. There are some switches that allow me to turn them off.

[The Active Directory Users and Computers window is open. In the navigation pane, under
corp.brocadero.com, Domain Controllers is selected. In the view pane, the instructor right-
clicks, clicks Pre-create Read-Only Domain Controller account, and the Active Directory
Domain Services Installation Wizard is displayed. On the Welcome to the Active Directory
Domain Services Installation Wizard page, the instructor clicks Next and the Network
Credentials page is displayed. On this page, the My current logged on credentials
(CORP\Administrator) option is selected by default, the instructor clicks Next, and the Specify
the Computer Name page is displayed. The Full DNS computer name field displays
corp.brocadero.com by default, the instructor types RODC3 in the Computer name field and the
Full DNS computer name field is automatically populated with RODC3.corp.brocadero.com. The
instructor clicks Next and the Select a Site page is displayed. On this page, under Sites, the
instructor selects Default-First-Site-Name, clicks Next, and the Additional Domain Controller
Options page is displayed.]

In the case of the graphical user interface, or GUI, I can actually come in here and toggle those
features on or off, if I want to reduce the role of the particular RODC server. But this of
course makes name resolution available from that server as well as the Global Catalog
services. So that's essentially it. It is here where I can actually indicate what account I want to
administer the RODC server. So I can specify a particular account. So maybe I want to use my
branchadmin account from that location, and then Finish this off. And it does the
same...essentially the same thing that PowerShell did.

Now it does exactly the same thing not essentially. If I come in here, I can actually dig into this. I
can go into make changes to those settings, if I want to, in regards to who is managing this
server, so here is the Managed By, you can see the branch admin specified. And there are
some other settings in there, we will look at later in the demo.

[The Additional Domain Controller Options page is open. On this page, under Select additional
options for this domain controller, DNS server and Global Catalog checkboxes are selected by
default, the instructor clicks Next, and the Delegation of RODC Installation and Administration
page is displayed. On this page, the instructor clicks Set, and the Select User or Group dialog
box is displayed. In the Enter the object name to select field, the instructor types branchadmin,
and presses the Enter key, and the Select User or Group dialog box closes. The Group or user
field of the Delegation of RODC Installation and Administration page now displays
CORP\branchadmin, the instructor clicks Next and the Summary page is displayed. On this
page, the instructor clicks Next, and the Completing the Active Directory Domain Services
Installation Wizard page is displayed. On this page, the instructor clicks Finish. In the view of
the Active Directory Users and Computers window, the instructor right-clicks RODC2, clicks
Properties in the shortcut menu, and the RODC2 Properties dialog box is displayed. The
instructor clicks the Managed By tab. The Name field displays
corp.brocadero.com/User/branchadmin and the instructor closes the dialog box.]

Now the second half of this installation looks like this. Let's go to the RODC2 server. Now on the RODC2 server, the first thing I need to do is install the binaries. So I have done that using PowerShell, install-windowsfeature ad-domain-services. So I have successfully installed Active Directory.

If I run the Get command, you can see that there is a little red X next to Active Directory Domain Services. So I am good there. Now to actually complete the installation, if I wanted to use PowerShell, I can use install-addsdomaincontroller, and then provide any additional switches and parameters that I might need. I can also do this from Server Manager, in the Add Active Directory Roles, the Promotion option. So when I go into Server Manager and click on Active Directory Domain Services, or AD DS, after the binaries are installed, it tells me there is additional configuration. I click More, and essentially it launches me into this screen here.

[The Active Directory Users and Computers window is open. The instructor navigates to the Hyper-V Manager window. In the view pane, under Virtual Machines, the instructor double-clicks RODC2 CORP 10.0.7.2, and the Windows PowerShell command prompt is displayed. The Windows PowerShell window displays the output of the following command: install-windowsfeature ad-domain-services. The instructor checks the Success state of this command. The instructor also checks the Active Directory Domain Services display name, and it is AD-Domain-Services. Then the instructor opens the Server Manager window, in the navigation pane clicks AD DS, clicks More in the SERVERS view pane, and the Active Directory Domain Services Configuration Wizard is displayed.]
So I want to Add a domain controller to an existing domain. Here are the credentials that I need to actually attach. Remember, this has to be a member of the Domain Admins group in 12. Click Next. Now the next thing it shows me is what settings are available. Now if I am doing this without staging it, I can actually specify these options. But because I have prestaged it and it finds a matching computer account name, it is pulling its settings based on the initial steps I took from the domain controller. So it is not giving me the option to toggle between DNS and Global Catalog and the RODC role, because that has all been done ahead of time on that staged account; that is what is supplying these checkmarks. Notice, I can't even change the Site name. Again, supplied from that pre-created computer account. So I am going to go ahead and give it my recovery password.

Now I can overwrite this, by the way; I can reinstall a domain controller over that option there. Now the rest of this wizard is going to be pretty straightforward in the sense that it's going to be very similar to what we do when we promote a normal writable domain controller. So I have got some options that are going to be presented, but essentially it's the same. So this is how you deploy a Read-only Domain Controller doing a staged deployment.

[The Active Directory Domain Services Configuration Wizard is open. On the Deployment Configuration page, by default, under Select the deployment operation, the Add a domain controller to an existing domain option is selected, in the Domain field, corp.brocadero.com is displayed, and under Supply the credentials to perform this operation, corp\administrator is displayed. The instructor clicks Next, and the Domain Controller Options page is displayed. On this page, by default, the Use existing RODC account option is selected, under Specify domain controller capabilities and site information, the Domain Name System (DNS) server, Global catalog (GC), and Read only domain controller (RODC) checkboxes are selected, and in the Site name field, Branch1 is displayed. In the Password and Confirm password fields, the instructor types the password, clicks Next, and the Additional Options page is displayed. The Replicate from field is set to Any domain controller by default.]
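The same staged deployment, expressed as the ADDSDeployment cmdlets the instructor names (Install-WindowsFeature, Install-ADDSDomainController) plus the prestaging cmdlet that does the first half. This is an added example, not the course's own script or output. The names are the demo's (RODC2, site Branch1, CORP\branchadmin, corp.brocadero.com, DC1 as the replication source); the allow group Branch1 PRP Allowed Users is the one used in the next demo. The first half runs on a writable DC as a Domain Admin. The second half runs on the branch server itself and, because the account was prestaged with a delegated administrator, can be run as CORP\branchadmin rather than as a Domain Admin; the wizard in the demo happened to use corp\administrator.

```powershell
# --- Half 1: on a writable DC (here DC1), as a member of Domain Admins ---
# Pre-creates the RODC computer account with its site, roles, delegated admin
# and password replication policy fixed ahead of time. Whoever promotes the
# branch server later cannot change these settings, as the wizard showed.
Import-Module ADDSDeployment

Add-ADDSReadOnlyDomainControllerAccount `
    -DomainControllerAccountName 'RODC2' `
    -DomainName 'corp.brocadero.com' `
    -SiteName 'Branch1' `
    -InstallDns `
    -ReplicationSourceDC 'DC1.corp.brocadero.com' `
    -DelegatedAdministratorAccountName 'CORP\branchadmin' `
    -AllowPasswordReplicationAccountName @('CORP\Branch1 PRP Allowed Users') `
    -Force
# Global Catalog is enabled unless -NoGlobalCatalog is given. The default Deny
# entries (Administrators, Server/Backup/Account Operators, Denied RODC
# Password Replication Group) are applied without being listed here.

# Confirm the staged object before handing it to the branch: managedBy is the
# delegated admin, msDS-RevealOnDemandGroup is the PRP allow list.
Get-ADComputer -Identity 'RODC2' -Properties 'managedBy', 'msDS-RevealOnDemandGroup' |
    Select-Object Name, 'managedBy', 'msDS-RevealOnDemandGroup'

# --- Half 2: on the branch server, logged on as CORP\branchadmin ---
# The hostname must match the prestaged account; otherwise the wizard does not
# find the staged account and falls back to an unstaged promotion with every
# option open, which defeats the point of staging.
if ($env:COMPUTERNAME -ne 'RODC2') {
    throw "Expected hostname RODC2, found $env:COMPUTERNAME"
}

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment

$dsrmPassword = Read-Host -AsSecureString 'DSRM (Directory Services Restore Mode) password'

Install-ADDSDomainController `
    -DomainName 'corp.brocadero.com' `
    -UseExistingAccount `
    -Credential (Get-Credential -UserName 'CORP\branchadmin' -Message 'Delegated RODC admin') `
    -SafeModeAdministratorPassword $dsrmPassword `
    -ReplicationSourceDC 'DC1.corp.brocadero.com' `
    -Force
# The server reboots on completion. Afterwards, from any DC, verify the result:
#   Get-ADDomainController -Identity RODC2 | Select-Object Name, Site, IsReadOnly, IsGlobalCatalog
```

With -UseExistingAccount the site, DNS, GC and RODC settings come from the staged object, which is why the wizard greyed them out; the only thing the branch admin supplies is the DSRM password.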

3. Demo: Password replication policy


All right, let's take a closer look at the password replication policy on an RODC. Now this is
done on the RODC computer account object from a writable domain controller. So I am going to
open this up and many of my options that I want to look at here are found on the Password
Replication Policy tab here on the GUI.

Now there are a couple of things I want to bring to your attention and show you. First of all, notice that the Administrators account in the policy is set to Deny; that means administrators cannot cache their passwords on this RODC. Now that is an important setting and we are going to let that stand, because we don't want sensitive accounts like these administrative groups to have their password stored on the RODC. Because the assumption is that an RODC is in a more vulnerable location in our topology. So maybe it's in a...it's not locked up in our data center, it's out in the branch offices, it's in a perimeter network, and so forth. So we don't want to expose our administrator passwords in the event that those machines are compromised.

Now however, we want to provide authentication even if, like, a WAN link goes down, for maybe a select group of branch office users. Those users need to be specified here with an Allow policy so those passwords are cached. So even if the WAN link is down, the RODC can continue to provide domain controller authentication for that selected group of users, excluding anyone else, of course, who is not part of that group or who has been denied here.
[The Active Directory Users and Computers window is open. In the navigation pane, under corp.brocadero.com, Domain Controllers is selected. In the view pane, the instructor double-clicks RODC2, and the RODC2 Properties dialog box is displayed. The instructor clicks the Password Replication Policy tab. This tab lists the groups, users, and computer names, the domain they belong to, and their settings in a tabular format. Account Operators, Administrators, Backup Operators, and Server Operators belong to the corp.brocadero.com/Builtin domain with the Deny setting. Allowed RODC Password Replication Group belongs to the corp.brocadero.com/Users domain with the Allow setting and Denied RODC Password Replication Group belongs to the corp.brocadero.com/Users domain with the Deny setting.]

Now best practice here is to actually use your own groups. There is a global kind of group for all of your RODCs that is set to the default here, Allowed RODC Password Replication Group. Well, I am going to Add my own. I want to add an Allow policy here. And I have got a Branch1 PRP Allowed Users group already defined. So we are going to include that. Notice, it came in set to Allow, and then I can Remove this one here. And that is the best practice in regards to RODCs. This way, if this individual RODC is compromised, only those particular branch user passwords have to be addressed.

All right, now there are many other things that I can do here. If I go into the Advanced option, I can see a couple of important things. First of all, I can see those passwords that have been cached, that are actually exposed on this machine. Right now this is a new RODC, so there are no passwords that are currently being cached. Now to improve authentication when I deploy an RODC or a new user account that is going to be, you know, part of that branch, I can pre-populate the cache using this option here. So I can indicate that I want to include particular users, like the saturn user, and say that, "Saturn, I want to be pre-populated." Now it gives me this little note saying, "Hey, this account must first be a part of that allowed list and part of that group, before it is actually going to cache those passwords."

[The RODC2 Properties dialog box is open. On the Password Replication Policy tab, the instructor clicks Add, and the Add Groups, Users and Computer dialog box is displayed. In the dialog box, the instructor clicks Allow passwords for the account to replicate to this RODC, clicks OK, and the Select Users, Computers, Service Accounts, or Groups dialog box is displayed. In the Enter the object names to select field, the instructor types branch1, clicks Check Names, and the Multiple Names Found dialog box is displayed. Under Matching names, the instructor selects Branch1 PRP Allowed Users, clicks OK, and the dialog box closes. In the Enter the object names to select field of the Select Users, Computers, Service Accounts, or Groups dialog box, Branch1 PRP Allowed Users is displayed, the instructor clicks OK, and the dialog box closes. In the RODC2 Properties dialog box, the instructor clicks Allowed RODC Password Replication Group, clicks Remove, and the Active Directory Domain Services message box is displayed. In this message box, the instructor clicks Yes. In the RODC2 Properties dialog box, the instructor clicks Branch1 PRP Allowed Users, clicks Advanced, and the Advanced Password Replication Policy for RODC2 dialog box is displayed. On the Policy Usage tab, the instructor clicks Prepopulate Passwords, and the Select Users or Computers dialog box is displayed. In the Enter the object names to select field, the instructor types Saturn, presses the Enter key, and the Prepopulate Passwords dialog box is displayed. In this dialog box, the instructor selects Saturn, clicks Yes, and the Prepopulate Password Errors message box is displayed. In this message box, the instructor clicks OK, and the message box closes.]

All right, then I go over here and I have another option that says accounts that have been authenticated to the Read-only Domain Controller. So the second option in that drop-down exposes which accounts here have actually authenticated to this machine. And you can see I have got computer accounts and user accounts. Now the Administrator account is listed, but its password is not being cached. So the RODC is providing authentication services, and if necessary, can do referrals to writable domain controllers over my WAN link. Otherwise, I might want to indicate that I want these particular accounts to be cached. And so these accounts like Jupiter here and Saturn would need to be part of that Allowed list. So this gives me kind of an audit trail to see what accounts have been authenticated, and which accounts are currently being cached.

Now to further kind of validate that, I have this ability to come in and use this Resultant Policy. And this allows me to determine whether a particular account is allowed or denied in terms of their password, and not the authentication itself. This is all assuming...we are talking about the actual storage on the RODC, so whether or not their password can be allowed or denied based on that password replication policy. So this allows me to actually go and say, "Let's check the jason account and see if that one has actually been allowed or denied." Well, this one here has been denied, because Jason is not a member of that group. So this allows you to come in and further audit...kind of your password replication policy.

[The Advanced Password Replication Policy for RODC2 dialog box is open. On the Policy Usage tab, from the Display users and computers that meet the following criteria drop-down list, the instructor selects Accounts that have been authenticated to this Read-only Domain Controller. The user and computer details are displayed in a tabular format. This table displays details such as user and computer name, name of the domain they belong to, account type, password last changed date and time, and the password expiry status. The instructor again selects Accounts whose passwords are stored on this Read-Only Domain Controller from the Display users and computers that meet the following criteria drop-down list. The instructor clicks the Resultant Policy tab, clicks Add, and the Select Users or Computers dialog box is displayed. In the Enter the object names to select field, the instructor types jason, clicks OK, and the dialog box closes. The account Jason, with the Resultant Setting Deny (implicit), is displayed on the Resultant Policy tab. The instructor clicks the Policy Usage tab.]

Some of these commands can also be done...actually, all of these commands can also be done through the repadmin command line tool. So for instance, I've got a couple of commands here to demonstrate. This one here allows me to view any of those groups that have been set to deny, and I can use repadmin /prp, for the password replication policy, view. And these are the groups here that have been set to deny. And I've got my administrator groups, and there is actually a group called Denied as well; if there is a sensitive account that you want to ensure is never going to be cached, you can put it in this Denied RODC Password Replication Group. And you can also do allow. And you can see here which groups have actually been allowed on that RODC.

Another command that might be of interest, that users want to hear about, is where you can actually delete that authentication list; this is auth2. Well, that is in reference to this list right here. This is called the authenticated-to list, or auth2 list. And one of the things that you can do is, you can clear that list if you ever need to, to kind of see which accounts are newly being authenticated. So this is what this command does. And then another useful command, I think, is this one here. And this one you cannot actually do in the UI; you have to do this one from repadmin. And that's to actually take that authentication list, and move that authentication list into its own group to allow it to cache passwords.
[The Advanced Password Replication Policy for RODC2 dialog box is open. The instructor opens the Windows PowerShell window. At the administrator command prompt, the instructor selects and runs the following command: repadmin /prp view code rodc2 deny. The output of this command displays the list of groups, users, and computer names who are denied password replication and the name of the domain and container they belong to. At the administrator command prompt, the instructor runs the following command: repadmin /prp view code rodc2 allow. The output of this command displays the list of groups, users, and computer names who are allowed password replication and the name of the domain and container they belong to. The instructor opens the Windows PowerShell window in DC1 CORP. At the administrator command prompt, the instructor runs the following command: repadmin /prp delete rodc2 auth2 /all]

So this is this branch1group /users_only. So it is just going to grab the user accounts, and it is going to move the contents of that list on the rodc2 into a new group called branch1group. And it asks, are you sure you want to do that? "Yeah, I want to do that." And it says, "The group does not exist, do you want me to create it?" And we say yes to that; it creates it, grabs those groups. And notice this: the administrator account was actually listed in that auth2 list, that authentication list on the RODC properties. But because this tool detected that it is also a member of the Administrators group, it tells me that that principal is not going to be allowed to cache its password, because it is already a member of a denied group. So that is something to keep in mind, if you are using this command.

So now if I want to have just a quick look at that, here we go. You know, let's Refresh this. Here is my branch1group. And you can see Jupiter and Saturn, the two user accounts that are on that policy, that were automatically added to this group. Now if we go back to RODC2, you can see there are Jupiter and Saturn once again.

All right, so that is a look here at the password replication policy properties that can be found on
an RODC computer object.

[The Windows PowerShell window is open. At the administrator command prompt, the instructor
runs the following command: repadmin /prp move rodc2 branch1group /users_only This
command will ask for confirmation. That is, confirm whether to move all user security principals
from the Auth2 list of RODC2. The instructor types Yes and presses the Enter key. The
following message is displayed. The specified group branch1group does not exist. This
operation will create this group...add the group to the RODC's Allow list. Do you wish to
continue? (yes/no) The instructor types Yes. The following message is displayed: RODC
"CN=RODC2,OU=Domain Controllers,DC=corp,DC=brocadero,DC=com":
CN=Saturn,OU=People,DC=corp,DC=brocadero,DC=com Principal successfully added to allow
list. Principal successfully deleted from auth2 list.
CN=Jupiter,OU=People,DC=corp,DC=brocadero,DC=com Principal successfully added to allow
list. Principal successfully deleted from auth2 list.
CN=Administrator,OU=Users,DC=corp,DC=brocadero,DC=com Principal on the deny list. Won't
be added to Allow. Principal successfully deleted from auth2 list. The instructor closes the
Windows PowerShell window. In the navigation pane of the Active Directory Users and
Computers window, the instructor clicks Users, clicks Refresh, double-clicks branch1group in
the view pane, and the branch1group Properties dialog box is displayed. In this dialog box, the
instructor clicks the Members tab, the Jupiter and Saturn accounts are displayed. In the
navigation pane of the Active Directory Users and Computers window, the instructor clicks
Domain Controllers, double-clicks RODC2 in the view pane, and the Advanced Password
Replication Policy for RODC2 dialog box is displayed. In this dialog box, under the Policy Usage
tab, the Jupiter and Saturn accounts are displayed, the instructor clicks Close, and the dialog
box closes.]
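The PRP work just done in the GUI and with repadmin, as the ActiveDirectory module cmdlets. This is an added example, not the course's own script or output. It assumes the demo's names (RODC2, DC1, the groups Branch1 PRP Allowed Users and Allowed RODC Password Replication Group, the users saturn and jason) and adds a final check of my own: any account in a privileged group whose secrets have been revealed to the RODC is reported, which is the first question to ask after a branch box is stolen.

```powershell
# Run on a writable DC (or an admin box with RSAT) as a Domain Admin.
Import-Module ActiveDirectory
$rodc = 'RODC2'

# 1. Current PRP: who may (Allow) and may not (Deny) have secrets cached here.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, DistinguishedName
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, DistinguishedName

# 2. Swap the forest-wide default allow group for a per-RODC group, so that a
#    compromise of this box exposes Branch1 users only.
Add-ADDomainControllerPasswordReplicationPolicy    -Identity $rodc -AllowedList 'Branch1 PRP Allowed Users'
Remove-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'Allowed RODC Password Replication Group' -Confirm:$false

# 3. Resultant policy for one account, the cmdlet form of the Resultant Policy tab.
Get-ADAccountResultantPasswordReplicationPolicy -Identity 'saturn' -DomainController $rodc
Get-ADAccountResultantPasswordReplicationPolicy -Identity 'jason'  -DomainController $rodc

# 4. Prepopulate saturn's secrets (the Prepopulate Passwords button). Like the
#    GUI, this only succeeds if the resultant policy for the account is Allow.
Sync-ADObject -Object 'saturn' -Source 'DC1' -Destination $rodc -PasswordOnly

# 5. Audit: secrets actually stored on the RODC (the reveal list) versus
#    accounts that have merely authenticated through it (the auth2 list).
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts
$revealed      | Select-Object Name, ObjectClass, DistinguishedName
$authenticated | Select-Object Name, ObjectClass, DistinguishedName

# 6. Check added here: privileged principals should never be in the reveal list,
#    whatever the policy says. Enterprise Admins and Schema Admins exist only
#    in the forest root, hence the -ErrorAction for a child domain like corp.
$privilegedDNs = foreach ($group in 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty DistinguishedName
}
$leaked = $revealed | Where-Object { $privilegedDNs -contains $_.DistinguishedName }
if ($leaked) {
    Write-Warning ("Privileged secrets cached on {0}: {1}" -f $rodc, ($leaked.Name -join ', '))
} else {
    Write-Output "No privileged secrets cached on $rodc"
}
```

Step 6 is the one to schedule: the deny list stops future caching, but it does not tell you what was already on the disk of a box that has gone missing, and the reveal list does.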
Monitoring Windows Server 2012 R2 Replication
Learning Objective
After completing this topic, you should be able to
◾ identify the command you can use to check for replication errors on your domain
controller

1. Monitoring replication
Active Directory, or AD, replication is effective, it is smart, it is robust, but there are still those days. You know what I am talking about? Those days your mama told you about...those days where that poorly designed topology catches up with us. Those days where we had network troubles, or we had misconfigurations, or we had DNS troubles. Can I say that again? DNS, DNS, DNS. Now no matter what the actual cause is, whenever replication fails, or even when it is slow and inefficient, whenever these types of troubles happen, well, several things could potentially go wrong. We could have user authentication fail, we could have Group Policy updates fail, we could have communications fail, applications fail, resource access fail; even printing could potentially be affected by this. And the reason for this is because of how critical Active Directory is, and how dependent we are, and our applications are, on that. Now these failures typically don't happen all at once, and often some of these Active Directory problems are isolated. But they can also be difficult to actually track down and address.

This is why...this is why good design is really important. It is also why active daily kind of tactical
type of monitoring is important. So all of this to say, you really want to keep Active Directory, of
course, healthy, keeping the Active Directory replication healthy, well it is usually not difficult.
But if you neglect it, well you can have one of those days that your mama talked about, and
believe me, I have had many of those days, I speak from experience.

Many of the troubles in Active Directory can actually be prevented with a lot of good intelligence, or good data. And there are scores of tools available to help you monitor Active Directory. So the first step I want to share with you is to monitor your replication health, and to actually do that daily. Now for starters, you can actually go and review those Windows Event Viewer logs. There is a Directory Service log, there are the DNS logs, there are the core Windows logs; these are all areas where troubles are advertised. For example, some of the things you might learn about include failed replication attempts between a couple of domain controllers, and then you would pursue and investigate that; or you might learn about a lingering object, that is, an object that is supposed to have been deleted, but now it is back in circulation and being replicated again.

And that is kind of like a zombie from the dead, and that can of course be potentially problematic. So integrity-of-the-database issues like that might be advertised. Now there are other tools besides those core Windows tools. There are repadmin and dcdiag. These are great tools that generate health reports around a lot of the aspects of Active Directory and the surrounding services. So information around DNS, status information around authentication, time synchronization, Active Directory protocols like remote procedure call, or RPC, network connectivity; these tools will all kind of provide input on that. Now these are command line tools, which means they are great candidates for batch files, which is a way I like to use these tools. But there are also dashboard tools, or visual graphical user interface, or GUI, tools, like this AD Replication Status Tool, which is downloadable from Microsoft.

Now there are other types of tools out there for helping you monitor Active Directory in your
infrastructure. Some of them are Microsoft; some of them are third party. The key thing here I
want to share with you is monitor frequently, use good tools, and one other tip, during your
monitoring exercise if you see an error show up, be careful not to panic right away. Because it
could just be your friend Joe and Sally out there doing a scheduled upgrade. So be nice to Joe
and Sally.

[The AD Replication Status Tool window consists of five tabs – Configuration/Scope Settings,
Replication Status Viewer, Replication Error Guide, What is Replication Topology, and How
Replication Topology Works. The Configuration/Scope Settings tab is selected. In the left pane,
under Check Replication Status for all DCs in, the Domain option is selected and is set to
easynomadtravel.com, and the Status is Ready. In the right pane, there are two tabs –
Environment Discovery and Replication Status Collection Details. In this instance, the
Replication Status Collection Details tab is selected. On this tab, Replication Status Collection
Status displays Completed. This tab also displays a table. This table consists of two columns.
Domain Controller and Task are the column headings. HOSTSERVER.easynomadtravel.com
and RODC1.easynomadtravel.com with Task - LDAP Query - "(objectClass=nTDSConnection)
and HOSTSERVER.easynomadtravel.com and RODC1.easynomadtravel.com with Task - Get
Domain Controller Replication Status are displayed as rows.]

2. Demo: Troubleshooting replication


All right, so let's have a look at some of these tools that can help us monitor the health of Active Directory replication. A good one here is repadmin; it can show me several different things. Like for instance, I can do /showrepl, and it shows me the replication status for the different naming contexts on the current domain controller, or DC. So I am running this from DC1, and you can see here that its last attempt to replicate the DEV partition, which is indicated here at the top, DEV, DC=brocadero, DC=com, that is the partition, the last attempt was successful. So for each partition that it has a replication partner for and that it is enlisted in, we have got a list, kind of a status, of who it is replicating with; in this case, it is DC14 for the domain partition, and it was successful. So this is kind of a quick way to get a look at: what is the current status with my replication partners? Is there any particular context that is failing? And when was the most recent time that I have replicated that particular partition? That is all revealed here with that repadmin command.

[The Windows command prompt window is open. At the administrator command prompt, the instructor runs the following command: repadmin /showrepl. The output of this command lists the replication status for the different naming contexts on the current domain controller.]

Now there is a bunch more you can do with repadmin. Like for instance, I can run /syncall, which can trigger replication. If I don't indicate the actual naming context, it just replicates the configuration partition. So just kind of the whole replication topology itself with its partners, but let's actually indicate who or what I want to replicate. So I want to replicate the domain partition, which is corp, brocadero. So there is the distinguished name for that partition on my DC.

All right, so it indicates that replication was successful with its two partners, using the globally unique identifier, or GUID, for the name of its partners, and so this is the GUID name for those servers. And notice I have got a syncall terminated with no error. So I have got some successful replication with those services, no problem, great.

[The Windows command prompt window is open. At the administrator command prompt, the
instructor runs the following command: repadmin /syncall The output displays the replication
details. Then at the administrator command prompt, the instructor runs the following command:
repadmin /syncall dc1 dc=corp,dc=brocadero,dc=com The output displays the distinguished
name for the dc1 partition.]

So the next thing I want to look at is the /replicate switch; replicate allows me to actually indicate who I want to replicate with. Instead of syncing with all my partners for a particular partition, maybe I just want to replicate my partitions with a particular server. So I can do /replicate; rodc2 is going to be my destination, dc1 will be my source, that is the server I am running this from, and again, what part...partition do I want to replicate? Well, I can do dc=corp,dc=brocadero,dc=com, and this is a read-only domain controller, so I add that flag. There we are. So successful replication between those two. So you can use this as kind of a replication ping tool. And for a nice summary, you can just do /replsummary, all right? It shows me any errors, it shows me the frequency of attempts; those can all be...this can be a really great, kind of bird's-eye view.

[The Windows command prompt window is open. At the administrator command prompt, the instructor runs the following command: repadmin /replicate rodc2 dc1 dc=corp,dc=brocadero,dc=com /readonly. The output of this command is Sync from dc1 to rodc2 completed successfully. Then at the administrator command prompt, the instructor runs the following command: repadmin /replsummary. The output of this command lists the domain controllers that are failing inbound replication or outbound replication.]

Now this is only one of several tools I can use, dcdiag being the other one. If I want some help with dcdiag, I can use /h, and it shows me a lot of information here about what dcdiag can do. And it can do all kinds of things: it can check security, it can check connectivity, it can check DNS, it can look at registration, it can, you know, query the event viewer for specific logs, it can look at the sysvol health and the sysvol replication engine health, and look at machine account and security, and authentication and replication; I mean, the list goes on, several different tests that it can perform. And you just run dcdiag, all by itself. It does a batch of default tests and retrieves information. In this case, I got a few errors, I got some successes. So if I scroll back here, I can see it will tell me exactly what test it is running, all right, and then it tells me whether or not it was able to, in this case, locate, you know, a particular domain controller, checking and validating those intersite connection relationships, and here I can see there are some errors for DNS registration. So some servers that may be not responding, that don't exist any longer; here are some dynamic registration errors in the DNS Event log, and then here's a bunch of tests that it ran that were successful. So this can be a really useful kind of health check tool that you run on a regular basis, looking for some specific, you know, looking for any error messages and potential issues.
[The Windows command prompt window is open. At the administrator command prompt, the
instructor runs the following command: dcdiag /h The output of this command lists all the
information about what the dcdiag command can do. Then at the administrator command
prompt, the instructor runs the following command: dcdiag This command performs all the
default tests to verify the domain controllers.]

Now you can actually tell dcdiag to run an individual /test, so if I just wanted to check replication, I can actually do something like that, test:replications. Maybe I have got a couple of domain controllers where I am seeing an event viewer access denied message. I try to force replication and get access denied; one of the things that I can do is, I can use dcdiag in that case to checksecurityerror.

Now this test, by the way, is not run as a part of the default tests. So this is a test that I would run this particular way, if I am seeing the access denied messages, and it will check the authentication relationship between domain controllers. So if there is like clock skew or something wrong with the actual trust between domain controllers that are failing, then that might generate that message, and this will go and run those tests. So those are a couple of examples where dcdiag can be useful.

[The Windows command prompt window is open. At the administrator command prompt, the
instructor runs the following command: dcdiag /test:replications This command verifies timely
replication and replication errors between domain controllers, if any. Then at the administrator
command prompt, the instructor runs the following command: dcdiag /test:checksecurityerror
This command displays the replication details of the Active Directory security in domain
controllers.]

Of course, don't forget monitoring DNS; there is also a dns tool, or test, that you can run. And this is going to check my DNS records, it is going to check registration, it is going to check forwarding and name resolution, so this is a useful test. It is actually going to fail here because I am not connected to the Internet.

Now these are a couple of important tools, dcdiag, repadmin. Notice that I am actually running these tools from the C: window here, from CMD; I am not running them from PowerShell, even though it looks like I am running it from PowerShell. If I go into my PowerShell prompt, there are a couple of PowerShell commands you can do too. So like get-adreplicationfailure is a new cmdlet that looks at AD replication errors, and it shows me the most recent error. And it is going to ask for what server do I want to monitor. So dc1, rodc2 maybe, and Enter through that. And now what it is doing is, it is like the other tools, it is looking for any errors that occur. So here I have got a problem, a recent issue where it is trying to replicate to my RODC, and I am receiving an error.

[The Windows command prompt window is open. At the administrator command prompt, the
instructor runs the following command: dcdiag /test:dns This command performs all the default
DNS tests. The instructor opens the Windows PowerShell window. At the administrator
command prompt, the instructor runs the following command: get-adreplicationfailure The
output of this command is cmdlet Get-ADReplicationFailure at command pipeline position 1
Supply values for the following parameters: (Type !? for Help.) Target [0]: The instructor types
dc1 and presses the Enter key. The Target[1] is displayed and the instructor types rodc2 next to
it and presses the Enter key. The Target[2] is displayed and the instructor presses the Enter
key. The output displays information such as FailureCount, FailureType, FirstFailureTime,
LastError, Partner, PartnerGuid, and Server.]

So we have got a couple of command-line tools, dcdiag and repadmin, and a couple of
PowerShell cmdlets. Now what about some visual tools? Well, Microsoft provides a downloadable
tool called the Active Directory Replication Status Tool. And this tool can be really useful; like
those command-line tools, it will do a survey of your current replication environment. You can
scope the survey – Forest, Domain – or individual targets here, if you need to. And you can have
it evaluate the replication health and report back to you, and you can view that here under
Replication Status Viewer. So you have got the ability to look at the source and destination DC.
So here is my destination, here is the source DC that it is replicating with. I have got columns
that indicate information about the last time it synchronized, and any consecutive failures here
that it is listing. And then I have got this useful color legend that reveals any particular errors.
And in particular, one of the things that it is looking for is lingering objects. So it is looking for
failed replication, and the longer we have failed replication, the more risk we have, and so that
is where we have got these 25% and 50% of the Tombstone Lifetime markers, which is, by
default, 180 days here.

[The Windows PowerShell window is open. From the desktop, the instructor opens the AD
Replication Status Tool window. The Configuration/Scope Settings tab is selected. In the left
pane, under Check Replication Status for all DCs in, the Domain option is selected and is set to
easynomadtravel.com. The instructor clicks the Replication Status Viewer tab. This tab displays
the report of all the replication performed on various domains.]
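The same survey can be scripted, as an added example that is not part of the course: Get-ADReplicationFailure is run against the two targets from the demo and each failure is banded against the forest's tombstoneLifetime the way the tool's 25% and 50% legend does. The DC names dc1 and rodc2 and the 180-day fallback are assumptions.

```powershell
# Added example (not from the course): report replication failures for the listed
# DCs and flag any whose first failure is approaching the tombstone lifetime (TSL),
# mirroring the 25%/50% colour legend of the AD Replication Status Tool.
# Assumes the ActiveDirectory module and that dc1/rodc2 are reachable DC names.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime is stored on the Directory Service object in the
    # configuration partition; when unset, fall back to the 180 days the course cites.
    $dsPath = "CN=Directory Service,CN=Windows NT,CN=Services," +
              (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { return [int]$ds.tombstoneLifetime }
    return 180   # assumed default
}

function Get-ReplicationFailureReport {
    param([string[]]$Target = @('dc1', 'rodc2'))   # assumed DC names
    $tsl = Get-TombstoneLifetimeDays
    $now = Get-Date
    Get-ADReplicationFailure -Target $Target | ForEach-Object {
        $ageDays = ($now - $_.FirstFailureTime).TotalDays
        $pct     = [math]::Round(100 * $ageDays / $tsl, 1)
        # Same banding as the tool: past 50% of TSL the risk of lingering objects is serious.
        $severity = if ($pct -ge 50) { 'CRITICAL' }
                    elseif ($pct -ge 25) { 'WARNING' }
                    else { 'INFO' }
        [pscustomobject]@{
            Server       = $_.Server
            Partner      = $_.Partner
            FailureCount = $_.FailureCount
            FirstFailure = $_.FirstFailureTime
            PctOfTSL     = $pct
            LastError    = $_.LastError
            Severity     = $severity
        }
    }
}

# Worst offenders first, so a persistent failure stands out from transient ones.
Get-ReplicationFailureReport | Sort-Object PctOfTSL -Descending | Format-Table -AutoSize
```

Run it from a PowerShell prompt with the AD RSAT tools installed; an empty result means no failures are currently recorded for the targets.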

So the longer I am having failed replication, I can see these error messages will reveal that to
me. And in this case, this is kind of my starting place here: I have got failed replication, where
the remote system is not available. Now remember, some of these errors might be transient, but
you want to monitor them in case they persist, and that is why we have this legend that
gradually darkens to black here. If it persists, you are going to definitely need to address it and
troubleshoot it. And so that is one of the reasons why these monitoring tools are so very useful.
And additional information can be found in here with these errors. For instance, when I click on
that error on that RODC, it comes up and gives me some common symptoms and how I can
validate that with dcdiag and repadmin. So here are a couple of switches that we just looked at
that can help me learn more about what exactly is failing and why, and try to identify a root
cause. And so there are additional links in this particular tool, additional aid in referring back to
those command-line tools and some possible causes. So a great addition to the visual part of it is
the ability to reach out over the Internet and supply you with additional information and tactics.
So that is a look here at monitoring Active Directory replication using these tools.

[The Replication Status Viewer tab of the AD Replication Status Tool window is open. The
instructor clicks the Replication Error Guide tab. The Replication Error Guide tab consists of
information on the different types of errors and the ways to resolve them.]

Windows Server 2012 R2 AD Domains and Trusts
Learning Objective
After completing this topic, you should be able to
◾ configure sites and replication in AD for Windows Server 2012 R2

1. AD sites and replication

Now let's try an exercise on configuring sites and replication in Active Directory, or AD, for
Windows Server 2012 R2.

You are working as an AD administrator for Easy Nomad Travel. Your AD network has multiple
sites.

Question

Your company headquarters, or HQ, is the hub site, and there are three branch office
sites. You want to ensure that branch offices replicate with the hub site and not
directly with each other. How can you best achieve this?

Options:

1. Configure the site link costs between the branch and HQ sites, so that they
are lower than the site link costs between branches
2. Remove site links between branches
3. Increase the replication frequency from the branches to the HQ
4. Disable site link bridging

Answer

Option 1: Correct. Changing site link costs will enable replication traffic to flow
between branch sites, but ensure that it flows via HQ.

Option 2: Incorrect. Site links do not dictate the network path that replication traffic
takes, so removing site links would stop all replication between sites.

Option 3: Incorrect. Increasing replication frequency would not affect the path that
replication traffic takes.

Option 4: Incorrect. Disabling site link bridging will stop replication traffic between
branch offices entirely.
Correct answer(s):

1. Configure the site link costs between the branch and HQ sites, so that they are
lower than the site link costs between branches

Question

You want to configure a new site link object. Sequence the steps to do this.

Options:

A. Open Active Directory Sites and Services
B. Expand the Inter-Site Transports folder
C. Select the Internet Protocol, or IP, folder
D. Open menu and choose New Site Link
E. Enter the Site link name

Answer

Correct answer(s):

1. Open Active Directory Sites and Services. First you open AD Sites and Services.
2. Expand the Inter-Site Transports folder. Secondly you expand the Inter-Site Transports folder.
3. Select the Internet Protocol, or IP, folder. Then you select the IP folder.
4. Open menu and choose New Site Link. The fourth step is to open the menu and choose New Site Link.
5. Enter the Site link name. Finally you enter the Site link name.

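The two exercises above, the hub-and-spoke cost design and the New Site Link procedure, can be carried out together from PowerShell; this is an added example, not part of the course. The site names HQ and Branch1 to Branch3, the costs 100 and 500, and the 15-minute interval are assumptions.

```powershell
# Added example (not from the course): create one IP site link per branch to the
# hub and raise the cost of any branch-to-branch link, so the KCC/ISTG prefers the
# path through HQ. Site names and cost values are assumed.
Import-Module ActiveDirectory

$hub      = 'HQ'
$branches = @('Branch1', 'Branch2', 'Branch3')

function New-HubSpokeSiteLinks {
    param([string]$Hub, [string[]]$Branches, [int]$HubCost = 100)
    foreach ($branch in $Branches) {
        $name = "$Hub-$branch"
        # Idempotent: skip links that already exist.
        if (Get-ADReplicationSiteLink -Filter "Name -eq '$name'") { continue }
        # PowerShell equivalent of Inter-Site Transports > IP > New Site Link.
        New-ADReplicationSiteLink -Name $name `
            -SitesIncluded $Hub, $branch `
            -Cost $HubCost `
            -ReplicationFrequencyInMinutes 15 `
            -InterSiteTransportProtocol IP
    }
}

function Set-BranchLinkCosts {
    # Any link that does not include the hub joins branches directly; give it a
    # cost well above the hub links so the two-hop path via HQ wins.
    param([string]$Hub, [int]$BranchCost = 500)
    Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded, Cost |
        Where-Object {
            -not ($_.SitesIncluded -match "^CN=$Hub,") -and $_.Cost -lt $BranchCost
        } |
        ForEach-Object { Set-ADReplicationSiteLink -Identity $_ -Cost $BranchCost }
}

New-HubSpokeSiteLinks -Hub $hub -Branches $branches
Set-BranchLinkCosts   -Hub $hub

# Review the resulting topology: hub links should carry the lowest cost.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Format-Table -AutoSize
```
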
Question

One of the branch offices has a read-only domain controller, or RODC. How can you
view accounts that have been authenticated by the RODC?

Options:

1. From the Advanced section of the Password Replication Policy tab in the
RODC's computer account properties
2. By using the repadmin /prp view <hostname> auth2 command
3. By listing the users in the Authenticated Users Group
4. By using the repadmin /prp view <hostname> allow command

Answer

Option 1: Correct. RODCs use password replication policies to determine whether
they can cache a user's credentials. If they can't, they will pass the authentication
request to a writable DC. The Password Replication Policy tab in the RODC's
computer account properties therefore shows a list of all users that have been
authenticated and have their credentials cached.

Option 2: Correct. The repadmin /prp view command lists the password replication
policy for RODCs. The auth2 parameter lists the security principals that the RODC
has authenticated.

Option 3: Incorrect. Authenticated Users automatically include all user accounts from
the domain.

Option 4: Incorrect. The repadmin /prp view command lists the password replication
policy for RODCs. However, the allow parameter lists security principals in the
msDS-RevealOnDemandGroup.

Correct answer(s):

1. From the Advanced section of the Password Replication Policy tab in the
RODC's computer account properties
2. By using the repadmin /prp view <hostname> auth2 command
Question

You want to see the replication status for the entire forest. Which of the following
commands would be most suitable?

Options:

1. repadmin /replsummary
2. repadmin /showrepl
3. dcdiag /a
4. adreplstatus /forest

Answer

Option 1: Correct. The repadmin /replsummary command collects data on
replication and summarizes it in a report.

Option 2: Incorrect. The repadmin /showrepl command displays the replication
status of a specific domain controller.

Option 3: Incorrect. The dcdiag /a command tests all the domain controllers in a site,
not specifically for replication status.

Option 4: Incorrect. The Active Directory Replication Status, or ADREPLSTATUS,
Tool is not command-line based, and does not take the forest parameter.

Correct answer(s):

1. repadmin /replsummary

© 2018 Skillsoft Ireland Limited