- Deleted OU which was replicated: need to perform an authoritative restore (not LostAndFound; when the option below is not available)
- Deleted OU which was replicated: perform a non-authoritative restore, then mark the single OU as authoritative (more granular than the above; preferred when available as an answer)
- Failure of a hard drive on one DC (multi-DC environment): non-authoritative restore
- Any restore of AD requires DSRM (Directory Services Restore Mode) – boots locally and uses the local username/password from the SAM; no GPO applied
- Safe Mode still boots AD, but does not apply GPO on a DC
- Use NTDSUTIL to reset the DSRM password on each DC separately
- Tombstone lifetime should be greater than the backup interval; use ADSIEdit, a script, or ldp.exe to modify it (default 60 days)
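As an added example (my own code, not part of the study notes), the following PowerShell reads and sets the forest tombstoneLifetime attribute via ADSI and checks it against an assumed backup interval; it assumes a domain-joined machine and an account that can read (and, for the setter, write) the configuration partition. The function names and the 14-day interval are assumptions.

```powershell
# Added example for the restore/tombstone notes; not from the original study notes.
# tombstoneLifetime lives on the Directory Service object in the configuration partition.

function Get-TombstoneLifetimeDays {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Properties['configurationNamingContext'][0]
    $dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $val = $dsObj.Properties['tombstoneLifetime']
    if ($val.Count -eq 0) { return 60 }   # attribute not set: the 60-day default applies
    return [int]$val[0]
}

function Set-TombstoneLifetimeDays([int]$Days) {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Properties['configurationNamingContext'][0]
    $dsObj    = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $dsObj.Properties['tombstoneLifetime'].Value = $Days
    $dsObj.SetInfo()   # commits the write; it replicates like any other attribute change
}

function Test-BackupWindow([int]$BackupIntervalDays) {
    # A backup older than the tombstone lifetime cannot be safely restored, so the
    # lifetime must exceed the interval between backups.
    $tsl = Get-TombstoneLifetimeDays
    if ($BackupIntervalDays -ge $tsl) {
        Write-Warning "Backup interval ($BackupIntervalDays d) >= tombstoneLifetime ($tsl d): raise the lifetime or back up more often"
        return $false
    }
    Write-Host "OK: tombstoneLifetime $tsl d exceeds backup interval $BackupIntervalDays d"
    return $true
}

# Usage (assumed 14-day backup cycle):
Test-BackupWindow -BackupIntervalDays 14

# DSRM password reset, run on each DC in turn (interactive; 'null' means the local DC):
#   ntdsutil
#   ntdsutil: set dsrm password
#   Reset DSRM Administrator Password: reset password on server null
```

Raising tombstoneLifetime is a forest-wide change: it widens the window in which deleted objects are kept, so a restore from a backup older than the old value becomes possible again once the new value has replicated.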
When designing your Organizational Units within a domain:
- Design first based on administrative needs
- Lay out using a consistent hierarchy:
- Nested/layered/hybrid design okay (physical site/business units; BU/site; etc.)
- Avoid hybrid designs on the same level (PS/BU at the same level); a hierarchical arrangement is okay
- If using sites for OUs, avoid a design which omits a site (same with business units)
- Use OUs with delegation of authority instead of child domains when possible (q89)
- When multiple administrators are working in AD, and one moves objects into an OU just deleted by another admin (but neither DC has replicated yet), the contents of the deleted OU go to the LostAndFound container.
- If you delete an OU, its contents go as well (except per above)
- Replication occurs at the attribute level in 2000 vs. the value level in 2003, reducing replication collisions (which are resolved as last-writer-wins)
Here are the design considerations when evaluating a Preferred Bridgehead Server for multi-site deployments of Active Directory:
- It is best practice to have more than one bridgehead server per site.
- But if you want to “control” or “manage” site-to-site replication, you must choose only one preferred bridgehead server.
- If replication fails in a 3+ site environment and there are preferred bridgehead servers, change the bridgehead server. Non-fully-IP-routable networks may require another (non-problem) site to replicate through, and the failed PBHS may reside there.
- To avoid a single point of failure with a PBHS, you need either multiple PBHSs at each site or NONE – but this reduces manageability.
- If there is poor performance on a DC (which is also an app server), make another DC the PBHS, typically the RRAS DC if there is one.
- Use PBHS for controlling replication traffic, not GC
- PBHS can be configured for IP and/or SMTP (separately)
- Use IP by default, SMTP for unreliable connections
- SMTP requires an Enterprise Certificate Authority (ECA)
When designing Active Directory Site Links:
- On non-fully IP routed networks, disable automatic site links, implement a site link bridge
- A site link is a set of sites which communicate at the same cost, and can be automatically configured to route along a redundant path between sites within a site link
- In a fully routed network, you do not need site link bridges unless you wanted to specifically control the flow of replication changes.
- Site links control which sites are connected and at what cost, but do not directly control which servers replicate with one another; that is the role of a Preferred Bridgehead Server
- Best practice is to create site links from corporate to branches; there is little benefit in a tiered site link corp->branch->branch
- You cannot create site-links between networks which are not IP routed
- Site link bridging is used when an IP network is not fully routed, or if replication is not converging properly (used when sites are 2+ hops away)
- Site links are for the same domain only, and are between IP-routable networks unless you use an IP bridge to connect two non-routable networks in the same domain
- If two non-routable domains are separated by a site in a different domain, you will need to have a DC set up in that site or you will need a routable network
- IP replication for single-domain sites; SMTP not available
Here are the design considerations surrounding the FSMO Role: Infrastructure Master:
- This FSMO is responsible for tracking object changes in Active Directory
- Likes to be with the RID master (since you place the RID master where most changes occur)
- Should not be on a GC Server, unless GC is installed on all DCs
Exam Alert: In general, FSMO roles should never be placed “anywhere”; they should always be placed somewhere intentionally. Yet sometimes the “best answer” is “any other domain controller”.
When designing a multi-site environment, here are the considerations you should take when deciding which sites require a Global Catalog:
- Use a Global Catalog instead of Universal Group Membership when AD information is required by an application at another site
- It uses more bandwidth compared to Universal Group Membership
- It requires greater computing resources compared to Universal Group Membership
- When you want to control Global Catalog replication, use the Preferred Bridgehead Server setting
- IgnoreGCFailures registry key: apply to all DCs to prevent GC failures from blocking logon
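As an added example (my own code, not from the study notes), this PowerShell sets the IgnoreGCFailures value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on each DC in a list and reads it back. The DC names are assumed, and Remote Registry must be reachable on each DC.

```powershell
# Added example for the IgnoreGCFailures note; not from the original study notes.
# Sets HKLM\SYSTEM\CurrentControlSet\Control\Lsa\IgnoreGCFailures (REG_DWORD) on each DC
# and returns one object per DC showing the value read back, or the error if it failed.
function Set-IgnoreGCFailures {
    param([string[]]$DomainControllers, [int]$Value = 1)
    foreach ($dc in $DomainControllers) {
        try {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $dc)
            $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa', $true)   # writable
            $lsa.SetValue('IgnoreGCFailures', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
            $actual = $lsa.GetValue('IgnoreGCFailures')
            $lsa.Close(); $hklm.Close()
            New-Object PSObject -Property @{ DC = $dc; IgnoreGCFailures = $actual; Error = $null }
        } catch {
            New-Object PSObject -Property @{ DC = $dc; IgnoreGCFailures = $null; Error = $_.Exception.Message }
        }
    }
}

# Usage with assumed DC names:
Set-IgnoreGCFailures -DomainControllers @('DC1', 'DC2') | Format-Table DC, IgnoreGCFailures, Error -AutoSize
```

The trade-off to keep in view: with the key set, a logon that cannot reach a GC proceeds with no universal group memberships in the token, so any access that is granted or denied through universal groups is not enforced during that outage. It buys availability at the cost of group-membership accuracy, which is why it belongs in an audited baseline rather than being set ad hoc.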
Enable Universal Group Membership instead of Global Catalog in Active Directory Sites where:
- There is low WAN usage (<90%)
- The need for a GC is purely for authentication, and logon times are slow
- Its use is only needed in multi-domain environments
- The hardware is unable to support a Global Catalog
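As an added example serving the PBHS, Global Catalog and Universal Group Membership caching notes above (my own code, not from the study notes), this read-only PowerShell walks the configuration partition of the current forest and reports, per site, how many DCs host the Global Catalog, how many are preferred bridgeheads for the IP transport, and whether membership caching is enabled. It assumes a domain-joined machine with read access to the configuration partition; the 0x1 (GC) and 0x20 (group caching) bits are the documented meanings of the NTDS Settings and NTDS Site Settings `options` attributes.

```powershell
# Added example for the site-design notes; not from the original study notes. Read-only.
$UGMC_FLAG = 0x20   # NTDS Site Settings 'options' bit: universal group membership caching enabled
$GC_FLAG   = 0x1    # NTDS Settings 'options' bit: this DC hosts the Global Catalog

function Get-OptionsFlag($entry) {
    $p = $entry.Properties['options']
    if ($p.Count -eq 0) { return 0 }    # unset attribute counts as no bits set
    return [int]$p[0]
}

function Get-SiteDesignReport {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.Properties['configurationNamingContext'][0]
    $ipTransportDn = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"
    $sites = [ADSI]"LDAP://CN=Sites,$configNc"

    foreach ($site in $sites.Children) {
        if ($site.SchemaClassName -ne 'site') { continue }
        $siteDn   = $site.Properties['distinguishedName'][0]
        $siteName = $site.Properties['cn'][0]

        $settings = [ADSI]"LDAP://CN=NTDS Site Settings,$siteDn"
        $ugmc = ((Get-OptionsFlag $settings) -band $UGMC_FLAG) -ne 0

        $dcCount = 0; $gcCount = 0; $pbhsCount = 0
        $servers = [ADSI]"LDAP://CN=Servers,$siteDn"
        foreach ($srv in $servers.Children) {
            if ($srv.SchemaClassName -ne 'server') { continue }
            # bridgeheadTransportList lists the transports this server is a preferred bridgehead for
            foreach ($t in $srv.Properties['bridgeheadTransportList']) {
                if ($t -eq $ipTransportDn) { $pbhsCount++ }
            }
            foreach ($child in $srv.Children) {
                if ($child.SchemaClassName -eq 'nTDSDSA') {    # the NTDS Settings object = a DC
                    $dcCount++
                    if (((Get-OptionsFlag $child) -band $GC_FLAG) -ne 0) { $gcCount++ }
                }
            }
        }
        New-Object PSObject -Property @{
            Site = $siteName; DCs = $dcCount; GCs = $gcCount
            PreferredBridgeheadsIP = $pbhsCount; UGMCEnabled = $ugmc
        }
    }
}

Get-SiteDesignReport | Format-Table Site, DCs, GCs, PreferredBridgeheadsIP, UGMCEnabled -AutoSize
```

Reading the output against the notes: a site with exactly one IP preferred bridgehead is the single point of failure the PBHS notes warn about; a site with UGMCEnabled and zero GCs is the intended caching pattern for a small site; a site with both a GC and caching enabled is carrying the GC replication load without needing to.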
Exam Alert: Universal Group Membership, while technically a caching mechanism, is not considered “cached credentials” for the purpose of answering exam questions. So if the exam states that you do not want to use cached credentials, UGM is okay – they are referring to using cached credentials on the local PC.