70-294 Concepts: Active Directory Site Links

When designing Active Directory Site Links:

  • On networks that are not fully IP routed, disable automatic site link bridging and create explicit site link bridges instead
  • A site link is a set of sites that communicate at the same cost; within a site link, replication can be automatically configured to take a redundant path between sites
  • In a fully routed network you do not need site link bridges unless you specifically want to control the flow of replication changes
  • A site link controls which sites are connected and at what cost, but it does not directly control which servers replicate with one another; that is the role of a Preferred Bridgehead Server
  • Best practice is to create site links from corporate to the branches; there is little benefit in a tiered site link corp->branch->branch
  • You cannot create site links between networks that are not IP routed
  • Site link bridging is used when an IP network is not fully routed, or when replication is not converging properly (used when sites are 2+ hops away)
  • Site links are for a single domain only and run between IP-routable networks, unless you use an IP bridge to connect two non-routable networks in the same domain
  • If two non-routable networks are separated by a site in a different domain, you will need a DC set up in that site, or you will need a routable network
  • Use IP replication for sites within a single domain; SMTP replication is not available for same-domain replication
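The following PowerShell is an added example, not part of the original notes: it inventories the site-link design described above so you can check it against the rules in the list. It reports whether automatic bridging ("Bridge all site links") is on, each site link with its cost, interval and member sites, any explicit site link bridges, and two design faults worth catching (a site that belongs to no site link, and a site link containing fewer than two sites). It assumes the ActiveDirectory module from RSAT on a domain-joined machine with read access to the Configuration partition; the 0x2 test on the IP transport's options attribute is the documented NTDSTRANSPORT_OPT_BRIDGES_REQUIRED flag.

```powershell
# Added example, not from the original post: audit the inter-site replication design.
# Assumes the RSAT ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# "Bridge all site links" is stored on the IP transport object as bit 0x2 of the
# options attribute (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED). Bit set = automatic bridging OFF.
$ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties options
$bridgesRequired = (([int]$ipTransport.options) -band 0x2) -ne 0
if ($bridgesRequired) {
    "Bridge all site links: OFF (explicit site link bridges required; non-fully-routed design)"
} else {
    "Bridge all site links: ON  (transitive; appropriate for a fully IP-routed network)"
}

# Helper: turn a DN such as "CN=Branch1,CN=Sites,..." into "Branch1"
function Get-LeafName([string]$dn) { ($dn -split ',')[0] -replace '^CN=', '' }

"`nSite links:"
$links = Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded, InterSiteTransportProtocol
$links | ForEach-Object {
    [pscustomobject]@{
        SiteLink    = $_.Name
        Transport   = $_.InterSiteTransportProtocol
        Cost        = $_.Cost
        IntervalMin = $_.ReplicationFrequencyInMinutes
        Sites       = ($_.SitesIncluded | ForEach-Object { Get-LeafName $_ }) -join ', '
    }
} | Format-Table -AutoSize

"`nExplicit site link bridges:"
$bridges = Get-ADReplicationSiteLinkBridge -Filter * -Properties SiteLinksIncluded
if (-not $bridges) { "  (none)" }
$bridges | ForEach-Object {
    "  $($_.Name): " + (($_.SiteLinksIncluded | ForEach-Object { Get-LeafName $_ }) -join ', ')
}

# Design checks from the notes: a site in no site link cannot replicate with anyone,
# and a site link that contains a single site connects nothing.
$linkedSites = $links | ForEach-Object { $_.SitesIncluded } | ForEach-Object { Get-LeafName $_ } | Sort-Object -Unique
$allSites    = Get-ADReplicationSite -Filter * | Select-Object -ExpandProperty Name
$orphans     = $allSites | Where-Object { $_ -notin $linkedSites }
if ($orphans) { "`nWARNING: sites in no site link: $($orphans -join ', ')" }
$links | Where-Object { @($_.SitesIncluded).Count -lt 2 } |
    ForEach-Object { "WARNING: site link '$($_.Name)' contains fewer than two sites" }
if ($bridgesRequired -and -not $bridges) {
    "WARNING: automatic bridging is off but no explicit site link bridge exists; replication is limited to directly linked sites"
}
```

Run it from an elevated PowerShell session on a domain-joined machine; no changes are made, it only reads the Configuration partition. The final warning is the case the first bullet above is about: turning off automatic bridging without adding explicit bridges leaves sites two or more hops apart unable to replicate.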

70-294 Concept: FSMO > Infrastructure Master

Here are the design considerations surrounding the FSMO Role: Infrastructure Master:

  • This FSMO role is responsible for tracking object changes in Active Directory
  • It likes to be with the RID master (since you place the RID master where most changes occur)
  • It should not be on a GC server, unless the GC is installed on all DCs

Exam Alert: In general, FSMO roles should never be placed “anywhere”; they should always be placed somewhere intentionally. Yet sometimes the “best answer” is “any other domain controller”.

70-294 Concepts: Where to place Global Catalogs

When designing a multi-site environment, here are the considerations you should take into account when deciding which sites require a Global Catalog:

  • Use a Global Catalog instead of Universal Group Membership Caching when AD information is required by an application at another site
  • A Global Catalog uses more bandwidth than Universal Group Membership Caching
  • A Global Catalog requires greater computer resources than Universal Group Membership Caching
  • When you want to control Global Catalog replication, use the Preferred Bridgehead Server setting
  • IgnoreGCFailures registry key; apply it to all DCs to prevent GC failures from preventing logon
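As an added example (not from the original notes), this PowerShell checks the two things the list above is about: which sites can authenticate users without crossing a WAN link (a local GC or Universal Group Membership Caching), and which domain controllers have IgnoreGCFailures set. It assumes the RSAT ActiveDirectory module, WinRM access to each DC for the registry read, and the documented location of the value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The caveat in the comments is the one a practitioner wants before applying the key: with IgnoreGCFailures set, a logon that proceeds without a GC carries no universal group memberships in the token, so access control based on universal groups (deny entries included) is not enforced for that session.

```powershell
# Added example, not from the original post: audit Global Catalog coverage per site
# and the IgnoreGCFailures setting per domain controller.
# Assumes the RSAT ActiveDirectory module and WinRM access to each DC for the registry check.
Import-Module ActiveDirectory

$dcs   = Get-ADDomainController -Filter *
$sites = Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled

"Per-site logon dependency:"
foreach ($site in $sites) {
    $siteDCs = @($dcs | Where-Object { $_.Site -eq $site.Name })
    $hasGC   = @($siteDCs | Where-Object { $_.IsGlobalCatalog }).Count -gt 0
    $ugmc    = [bool]$site.UniversalGroupCachingEnabled
    $status  = if ($hasGC) { 'local GC' }
               elseif ($ugmc) { 'no GC; Universal Group Membership Caching enabled' }
               elseif ($siteDCs.Count -gt 0) { 'NO GC and no caching: logons depend on the WAN link to a GC' }
               else { 'no DCs in site' }
    "  {0,-20} DCs={1,-2} {2}" -f $site.Name, $siteDCs.Count, $status
}

# IgnoreGCFailures = 1 lets a DC validate logons when no GC is reachable, but the user's
# universal group memberships are then absent from the token, so access control that relies
# on universal groups (including deny entries) is not enforced for that logon.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"`nIgnoreGCFailures per domain controller:"
foreach ($dc in $dcs) {
    try {
        $value = Invoke-Command -ComputerName $dc.HostName -ErrorAction Stop -ArgumentList $lsaPath -ScriptBlock {
            param($path)
            (Get-ItemProperty -Path $path -Name IgnoreGCFailures -ErrorAction SilentlyContinue).IgnoreGCFailures
        }
        $state = if ($value -eq 1) { 'SET (universal group membership not enforced at logon)' } else { 'not set' }
    } catch {
        $state = "unreachable over WinRM: $($_.Exception.Message)"
    }
    "  {0,-30} GC={1,-5} {2}" -f $dc.HostName, $dc.IsGlobalCatalog, $state
}
```

Sites reported as "NO GC and no caching" are the ones where adding a GC or enabling caching is worth weighing against the bandwidth and resource cost listed above; DCs reported as "SET" should be documented as an accepted trade-off rather than left as a surprise.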

Wireless computers on an Active Directory domain

On an Active Directory domain it can be risky to implement consumer-grade wireless networks, not necessarily because of weak security (some support strong authentication mechanisms) but because they typically do not establish their network connection until after the user has logged on. In an environment where you have shared workstations or rely upon group policies for application installation, these tasks will not take place.

In this environment, the user logs on using cached credentials (if they exist) before the wireless network is established. Password policies, or credentials that are not cached, pose an obvious problem. If the user logs on with an old cached credential (because the password was changed on another machine), they will not be able to access network resources until they first lock and then unlock the workstation so it can refresh the local credentials to match Active Directory.

From a software installation standpoint, applications distributed through group policies will never be noticed in time. Sure, the machine policies will be refreshed in the background every 90 minutes, but when the computer restarts it will try to install the software and be unable to find the network resources.

What are the options around this? Basically, you can either fight with this process (as most people unknowingly do, and simply chalk it up to a Microsoft problem), or you can purchase an enterprise-grade wireless network card that supports boot-time networking. This is typically an advanced or manual setting that needs to be selected, but once it is enabled, all of these wireless woes disappear.

[Edit: 05/2010 – in searching for another post I realized that I neglected to mention 802.1x in this article, which supports not only boot-time authentication but also machine and/or certificate-based authentication. I’ll write a follow-on article to this later on, but it works great, and even many consumer-grade wireless devices support this option, as do most wireless adapters.]
