If you’re in charge of a small or midsize IT department, the chances are pretty good that you’ve given only a cursory glance to the Active Directory Sites And Services console, which is installed on each of your domain controllers. For the most part, only organizations with relatively complex Active Directory hierarchies — those calling for multiple sites, domains, forests, partitions, etc. — generally have a need to use this tool on a regular basis. Even if you’ve only used this tool a little in the past, it was probably for one specific purpose, such as the creation of a group policy object.
Let’s examine the Active Directory Sites And Services console that ships with Windows Server 2008. You will learn what operations are carried out by this tool and how the tool has improved since Windows Server 2003. You will also learn how to perform a few common tasks.
What does it do?
Microsoft indicates that the purpose of the Active Directory Sites And Services tool is to “administer the replication topology both within a site in a local area network (LAN) and between sites in a wide area network (WAN).” In simpler terms, the Active Directory Sites And Services tool is the primary interface for creating, configuring, and managing Active Directory sites and IP subnets, global catalog servers, site links, site link bridges, and inter-site replication. Each of these areas is examined in more detail in this article.
The article breaks down common Active Directory Sites And Services tasks into three groups:
- Server-centric tasks
- Site tasks
- Site replication tasks
Server tasks include:
- Selecting a query policy.
- Enabling a global catalog server.
- Disabling a global catalog server.
- Designating a preferred bridgehead server for a site.
- Moving domain controllers between sites.
- Checking the replication topology.
- Deleting extinct server metadata.
Site tasks include:
- Creating a site.
- Renaming a site.
- Deleting a site.
- Creating a subnet.
- Associating a subnet with a site.
- Deleting a subnet.
- Selecting another licensing computer.
- Caching universal group memberships.
- Delegating control of a site.
- Connecting to a forest.
- Connecting to a domain controller.
- Revealing the services node.
Site replication tasks include:
- Creating a site link.
- Deleting a site link.
- Creating a site link bridge.
- Deleting a site link bridge.
- Configuring site link replication availability.
- Configuring site link cost.
- Configuring site link replication frequency.
- Ignoring replication schedules.
- Enabling or disabling site link bridges.
- Adding a site to a site link.
- Manually adding connections.
- Forcing replication over a connection.
Most of these tasks deal with creating and managing multiple sites within Active Directory; as such, not all are examined in-depth in this article.
The most common tasks that you will perform with Active Directory Sites And Services are:
- Creating a Group Policy Object at the site level.
- Enabling or disabling a global catalog server.
- Caching universal group memberships.
What’s different since Windows Server 2003?
The basic Active Directory tools (including this one) have undergone little change in Windows Server 2008. The more significant changes you should look for include the following:
- Attribute Editor tab: On every object Properties screen, you will now see a tab labeled Attribute Editor. The information on this tab provides direct access to every one of the object’s Active Directory attributes. From here, you can both view and change any object property without having to hunt for it in the GUI — if the GUI even provides a field for every property. This new feature is a very welcome addition to the tool, and you’ll also find it in the other Active Directory tools that ship with Windows Server 2008. This new tab is shown in Figure A.
Figure A
The Attribute Editor tab
- Protect Object From Accidental Deletion: On every object’s Properties page in the Object tab is a box labeled Protect Object From Accidental Deletion. Enabling this checkbox (Figure B) means that deleting an object becomes a two-step process, which is much less error prone.
Figure B
Protect Object From Accidental Deletion checkbox
- Find button: On the toolbar, at the very right-hand side, you will now see a Find button that allows you to quickly locate objects you want to manipulate.
- Group Policy Management: The Group Policy tab is no longer on a site properties page; Group Policy Management is now accomplished solely via the Group Policy Management console. Microsoft began the process of eliminating the use of Active Directory Sites And Services for group policy management in Windows Server 2003 and has finalized that process in Windows Server 2008.
These are the main changes and, as you can tell, none of them has a large impact. Although the Find button is nice, it’s the Attribute Editor tab that’s the real bonus in this version, as is the move to the Group Policy Management console.
Finding your way around
In Windows Server 2008, there are a couple of ways you can access the Active Directory Sites And Services tool. Regardless of the method you choose, you need to log on to the server using an account that has both Domain Admin and Enterprise Admin rights.
From a Windows Server 2008 domain controller, you can use the new Server Manager tool and browse to Roles | Active Directory Domain Services | Active Directory Sites And Services, as shown in Figure C.
Figure C
Active Directory Sites And Services in the context of the Server Manager
Even though Windows Server 2008 ships with the new Server Manager, you don’t have to use it. As has always been the case, you can start Active Directory Sites And Services from Start | All Programs | Administrative Tools | Active Directory Sites And Services.
If you’ve ever worked with the Microsoft Management Console, you’ll be familiar with the layout. There’s a set of pull-down menus across the top of the window. Beneath the menu bar is a button bar that provides one-click functionality to frequently used procedures.
Finally, you’ll see three panes. The left pane provides a tree view of the Active Directory configuration. The middle pane shows the objects for the container highlighted in the left pane. The right-hand pane is the new Actions pane, which Microsoft has begun to add to many of its applications. This pane gives you a quick way to access functions available to the object selected in the middle pane. If you don’t see the Action pane, click the Show/Hide Action Pane button on the button bar (second button from the right) to see this feature. Figure D gives you a look at Active Directory Sites And Services. You’ll also see one of the Action pane items expanded to give you a look at how this works.
Figure D
Active Directory Sites And Services with the Action pane showing
Menu choices
The menu bar provides access to the following functions:
- File: From the File menu, you can access the Options window, which allows you to clean up console information (which you won’t do all that often). You can also quit Active Directory Sites And Services by clicking Exit.
- Action: The items on this menu change depending on the object you’ve selected below. Most of the time, the items on the Action menu are the same choices that you would get if you right-clicked an object.
- View: The View menu gives you a place to customize the appearance of the Active Directory Sites And Services console. You can change how objects appear, how many columns are displayed, and even filter out objects you don’t want to appear.
- Help: Help allows you to access the help files for the Active Directory Sites And Services console and the MMC in general.
The button bar
Like most MMCs, the Active Directory Sites And Services button bar most closely resembles a Web browser. Like browser buttons, these buttons are relatively self-explanatory. Left to right, these buttons are:
- Back
- Forward
- Up One Level
- Show/Hide Console Tree
- Copy/Cut/Paste (depending on what you’re doing)
- Delete
- Properties
- Refresh
- Export List
- Help
- Show/Hide Action Pane
- Find objects in Active Directory Domain Services
You’ll notice that, as you go from container to container in the lower windows, buttons will change or become unavailable.
The console tree
The left pane is called the console tree. This pane displays all of the Site and related objects for Active Directory. To access specific objects and properties, navigate through the console as you would for any other application. After expanding the Sites folder, you’ll find the following default objects in Active Directory Sites And Services:
- Subnets: This container will hold all subnets that are configured within the site. By default, no subnets are created with the installation of Windows Server 2008.
- Inter-Site Transports: This container holds the IP and SMTP site link objects that are used to link sites to one another. A default site link instance is created for the IP transport and given the name DEFAULTIPSITELINK. By default, no SMTP site links are created in a brand new Windows Server 2008 domain.
- Site Name: The default site name is, as in Figure E, Default-First-Site-Name. All servers within the site will be located in this container from which they can be further configured and managed.
Figure E
Active Directory Sites And Services with a site name selected.
Common tasks
Armed with this brief introduction to the Active Directory Sites And Services tool, here are some common tasks that might be performed with this tool, even in smaller organizations.
Configuring a Global Catalog server
Look back at Figure E and examine it carefully: the NTDS Settings object sits under each server in the console tree on the left side, while the NTDS Site Settings object appears in the right pane of the window. Don’t get them confused.
By default, only the first domain controller that is installed in a new forest is configured as a global catalog server. You can create additional global catalog servers by expanding the specific server node you wish to configure as a global catalog server and right-clicking the NTDS Settings object located under it. The NTDS Settings Properties dialog box will open as seen in Figure F. To configure the domain controller to act as a global catalog server, select the Global Catalog server option and click OK to close the Properties dialog box.
Figure F
Making a server a Global Catalog server
Implementing Universal Group Caching
In Windows 2000 Server, a user logon event required the services of a Global Catalog server to authenticate the user against Active Directory. In Windows Server 2003, Universal Group Caching adds a new twist to this process, allowing a user to log on to the network without the need to contact a Global Catalog server.
When Universal Group Caching is configured, a user’s universal group membership is cached on a Domain Controller the first time she logs on to the network using that Domain Controller. The cached information is considered valid for a period of time, after which it is refreshed from the Global Catalog. The default is eight hours, although you can modify this if required. When caching is configured, users in remote locations without Global Catalog servers experience quicker logon times. Also, a failure of a Global Catalog server will not necessarily prevent the successful logon of a user to the network.
Universal Group Caching is configured at the site level by using the NTDS Site Settings object, seen in Figure E. Right-click the NTDS Site Settings object and select Properties from the shortcut menu. The NTDS Site Settings Properties dialog box opens.
To enable caching, select the Enable Universal Group Membership Caching option. You can opt to have the cache refreshed from a specific site or from the nearest site that has a Global Catalog server by using the <Default> option, which you can see in Figure G.
Figure G
Enabling or disabling Universal Group Membership Caching
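Both of the tasks above (Configuring a Global Catalog server and Implementing Universal Group Caching) come down to flipping one bit of the `options` attribute on the NTDS Settings or NTDS Site Settings object, which is exactly what the Attribute Editor tab exposes. The following script is an added example, not code from the original article or from Microsoft; it audits those settings across every site and provides a helper to change them. It assumes Windows PowerShell 3.0 or later with the ActiveDirectory module (RSAT, shipped from Windows Server 2008 R2 onward), an account with the Enterprise Admin rights the article calls for, and the placeholder distinguished names shown in the usage comments.

```powershell
# Added example (not from the original article). Assumes PowerShell 3.0+, the ActiveDirectory
# module (RSAT, Server 2008 R2 or later) and Enterprise Admin rights for the write operations.
Import-Module ActiveDirectory

# Documented bits of the 'options' attribute on the two object classes involved.
$IS_GC                    = 0x1   # nTDSDSA (NTDS Settings): this DC is a Global Catalog
$IS_GROUP_CACHING_ENABLED = 0x20  # nTDSSiteSettings (NTDS Site Settings): UGMC on for the site

function Get-SiteGcReport {
    # One row per site: UGMC state, the site the cache refreshes from, and the DCs flagged as GC.
    $sitesDN = 'CN=Sites,' + (Get-ADRootDSE).configurationNamingContext
    foreach ($site in Get-ADObject -SearchBase $sitesDN -SearchScope OneLevel -LDAPFilter '(objectClass=site)') {
        $ss = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" -Properties options, 'msDS-Preferred-GC-Site'
        # An unset msDS-Preferred-GC-Site is what the GUI shows as <Default> (nearest site with a GC).
        $refresh = if ($ss.'msDS-Preferred-GC-Site') { $ss.'msDS-Preferred-GC-Site' } else { '<Default>' }
        $gcs = @()
        foreach ($srv in Get-ADObject -SearchBase "CN=Servers,$($site.DistinguishedName)" -SearchScope OneLevel -LDAPFilter '(objectClass=server)') {
            # A server object with no NTDS Settings child is not a DC (e.g. stale metadata); skip it.
            $ntds = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel -LDAPFilter '(objectClass=nTDSDSA)' -Properties options
            if ($ntds -and (([int]$ntds.options -band $IS_GC) -ne 0)) { $gcs += $srv.Name }
        }
        [pscustomobject]@{
            Site            = $site.Name
            UGMCEnabled     = (([int]$ss.options -band $IS_GROUP_CACHING_ENABLED) -ne 0)
            RefreshFromSite = $refresh
            GlobalCatalogs  = ($gcs -join ', ')
        }
    }
}

function Set-OptionsFlag {
    # Sets or clears one bit of 'options' on an NTDS Settings or NTDS Site Settings object,
    # leaving every other bit (e.g. topology-generation overrides) untouched.
    param([Parameter(Mandatory=$true)][string]$DistinguishedName,
          [Parameter(Mandatory=$true)][int]$Flag,
          [Parameter(Mandatory=$true)][bool]$Enable)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties options
    $current = [int]$obj.options
    $new = if ($Enable) { $current -bor $Flag } else { $current -band (-bnot $Flag) }
    if ($new -ne $current) { Set-ADObject -Identity $DistinguishedName -Replace @{ options = $new } }
}

# Usage (DNs are placeholders for your forest). The GC flag takes effect once the KCC has
# built the read-only partitions, so re-run Get-SiteGcReport afterwards to confirm.
# Set-OptionsFlag -DistinguishedName 'CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com' -Flag $IS_GC -Enable $true
# Set-OptionsFlag -DistinguishedName 'CN=NTDS Site Settings,CN=Branch,CN=Sites,CN=Configuration,DC=example,DC=com' -Flag $IS_GROUP_CACHING_ENABLED -Enable $true
Get-SiteGcReport | Format-Table -AutoSize
```

Running the report before and after a change gives you the same view the two Properties dialogs do, but for every site at once, which makes it easy to spot a branch site that has neither a Global Catalog nor caching enabled.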
There’s more where that came from
The Active Directory Sites And Services console is used for quite a few other high-level tasks, including site creation and management, site link creation and management and subnet creation and management. To understand the process and the purpose for these tasks, you first must have a good understanding of highly complex, multi-site Active Directory design and implementation.