SolutionBase: A look at Windows Server 2003's Active Directory Sites And Services

Learn how to use the Active Directory Sites And Services utility.

The Active Directory Sites And Services console is, in most small to medium Active Directory organizations, overlooked more often than not. After all, it's typically only larger organizations that get into the most complex of Active Directory designs, calling for multiple sites, each of them with multiple IP subnets. Even if you’ve had an occasion to use this console in the past, you might have only used it for one specific purpose.

In this article I will examine the Active Directory Sites And Services console, seeing what it does, how it has been improved since Windows 2000, how it is used, and how to perform a few common tasks with it.

What we won’t be doing here
Complete coverage of all things related to Active Directory Sites And Services, including how and why sites are configured, is beyond the scope of this article. Likewise, a full discussion of the myriad tasks that you will use this console for would take far more room than we have here. If you’d like to become a Windows Server 2003 Active Directory guru, be sure to pick up a copy of Active Directory for Microsoft Windows Server 2003 Technical Reference by Stan Reimer and Mike Mulcare, ISBN 0735615772, 2003 Microsoft Press.

What does it do?
The Active Directory Sites And Services console is the primary interface for creating, configuring, and managing sites, IP subnets, global catalog servers, site links between sites, replication protocols and site link bridges. We will examine each of these areas in more detail throughout this discussion.

The tasks that are generally performed using Active Directory Sites And Services are broken down into three groups: those for servers, those for sites, and those for replication between sites.

Server tasks include the following:
  • Selecting a query policy
  • Enabling or disabling a global catalog server
  • Designating a preferred bridgehead server for a site
  • Moving a domain controller between sites
  • Checking the replication topology
  • Deleting extinct server metadata

Site tasks include:
  • Creating a site
  • Renaming a site
  • Deleting a site
  • Creating a subnet
  • Associating a subnet with a site
  • Deleting a subnet
  • Selecting another licensing computer
  • Caching universal group memberships
  • Delegating control of a site
  • Connecting to a forest
  • Connecting to a domain controller
  • Revealing the services node

Site replication tasks include:
  • Creating a site link
  • Deleting a site link
  • Creating a site link bridge
  • Deleting a site link bridge
  • Configuring site link replication availability
  • Configuring site link cost
  • Configuring site link replication frequency
  • Ignoring replication schedules
  • Enabling or disabling site link bridges
  • Adding a site to a site link
  • Manually adding connections
  • Forcing replication over a connection

Most of these tasks deal with creating and managing multiple sites within Active Directory. As such, I will not be able to examine each and every one of them. The most common tasks that you will perform with Active Directory Sites And Services include the following:
  • Creating a Group Policy Object for the site level
  • Enabling or disabling a global catalog server
  • Caching universal group memberships

What’s different since Windows 2000 Server?
If you’re upgrading from Windows 2000 Server, and you’ve previously used the Active Directory Sites And Services console, you’ll likely not notice any changes to the look and feel of the console. The only real change from its Windows 2000 version is that new features of Active Directory have been introduced. If you're making the leap from Windows NT 4.0 to Windows Server 2003, rest easy knowing that this is an entirely new console that you’ll have to learn your way around.

Microsoft has made some cosmetic changes to the look of all of the MMC consoles in Windows Server 2003 as well. Rather than having one level of menu choices for Console, Windows, and Help and another level of choices for Action and View, Windows Server 2003 puts all of the pull-down menus on the same line. Most of the choices within the respective menus remain unchanged, however.

Finding your way around
To start Active Directory Sites And Services, log into your server using the default Administrator account or an account that has Domain Admin and Enterprise Admin credentials. Click Start | All Programs | Administrative Tools | Active Directory Sites And Services. When you do, you'll see the screen shown in Figure A.

Figure A
Active Directory Sites And Services under Windows Server 2003

Domain Admin credentials
Note that for some operations, you will need to have Domain Admin credentials in the forest root domain, and for other operations, you will need to have Domain Admin credentials in the domain of concern. For server and site replication tasks, you will typically need to have Domain Admin credentials in the forest root domain. For site tasks, you will typically need to have Domain Admin credentials in the domain of concern within the forest.

If you've ever worked with an MMC before, you'll be familiar with the layout. Across the top you'll find a set of pull-down menus. Beneath that is a button bar that provides one-click functionality to frequently used procedures. Finally, you'll see two panes. The left pane provides a tree view of the pertinent Active Directory configuration. The right pane shows the objects for containers highlighted in the left pane.

Menu choices
Pull-down menus that you can access include:
  • File: Here you can access the Options menu, which allows you to clean up console information. You can also quit Active Directory Sites And Services by clicking Exit.
  • Action: This menu allows you to perform different actions depending on which container object you've selected. These actions often mirror those found on a context menu.
  • View: This menu choice allows you to customize the appearance of the Active Directory Sites And Services console. You can change how objects appear, how many columns are displayed, and even filter out objects you don't want to appear.
  • Window: This menu choice allows you to display multiple MMC windows and control how those windows appear on your server.
  • Help: Obviously, this choice allows you to access the help files for the Active Directory Sites And Services console, Group Policy in general, and the MMC in general.

The button bar
Like most MMCs, the Active Directory Sites And Services button bar most closely resembles a Web browser's. Like browser buttons, these buttons are relatively self-explanatory. Left to right, these buttons are:
  • Back
  • Forward
  • Up One Level
  • Show/Hide Console
  • Copy
  • Paste
  • Delete
  • Properties
  • Refresh
  • Export List
  • Help

You'll notice that as you go from container to container in the left pane, some buttons will change or become unavailable.

The console tree
The left pane is called the console tree. This tree displays all of the container objects for Active Directory. Somewhat like a hive in the Windows Registry, the console tree is what you navigate through to get to Active Directory objects. Default objects you'll find in Active Directory Sites And Services under the Sites container include:
  • Site Name: The default site name is, as in Figure A, Default-First-Site-Name. All servers within the site are located in this container, from which they can be further configured and managed.
  • Inter-Site Transports: This container holds the IP and SMTP site link objects that are used to link sites to one another. A default instance of each protocol is created and given the name DEFAULTIPSITELINK and First SMTP Site Link, respectively.
  • Subnets: This container will hold all subnets that are configured within the site. By default, no subnets are created with the installation of Windows Server 2003.

Common tasks
Armed with your brief introduction to the Active Directory Sites And Services console, let’s get down to business and use it to perform some of the more common tasks.

Implementing a site Group Policy Object
Recall that Group Policy is applied in the following order in Active Directory: site, domain, OU, local. As such, you may have the need at some time to create or configure a GPO at the site level.

To work with site level GPOs, right-click on a server object within the desired site and click Properties from the context menu. Switch to the Group Policy tab, seen in Figure B, and configure the GPO as you would normally if you were using Active Directory Users And Computers or the Group Policy Management Console.

Figure B
Configuring a site level Group Policy Object

Configuring a Global Catalog Server
Looking back at Figure A, examine the figure carefully and notice that the console tree on the left contains an NTDS Settings object, while the right pane of the window shows an NTDS Site Settings object. Don’t get them confused.

By default, only the first domain controller that is installed in a new forest is configured as a global catalog server. You can create additional global catalog servers by expanding the specific server node you wish to configure as a global catalog server and right-clicking on the NTDS Settings object located under it. The NTDS Settings Properties dialog box will open as seen in Figure C. To configure the domain controller to act as a global catalog server, select the Global Catalog server option and click OK to close the Properties dialog box.

Figure C
Configuring a Global Catalog server

Implementing Universal Group Caching
In Windows 2000 Server, a user logon event required the services of a Global Catalog server to authenticate the user against Active Directory. In Windows Server 2003, Universal Group Caching adds a new twist to this process, allowing a user to log on to the network without the need to contact a Global Catalog server.

When Universal Group Caching is configured, a user’s universal group membership is cached on a Domain Controller the first time she logs on to the network using that Domain Controller. The cached information is considered valid for a period of time, after which it is refreshed from the Global Catalog. The default is eight hours, although you can modify this if required. When caching is configured, users in remote locations without Global Catalog servers experience quicker logon times. As well, a failure of a Global Catalog server will not necessarily prevent the successful logon of a user to the network.

Universal Group Caching is configured at the site level by using the NTDS Site Settings object, seen previously in Figure A. Right-click on the NTDS Site Settings object and select Properties from the context menu. The NTDS Site Settings Properties dialog box opens.

To enable caching, select the Enable Universal Group Membership Caching option. You can opt to have the cache refreshed from a specific site or from the nearest site that has a Global Catalog server by using the <Default> option as seen in Figure D.

Figure D
Configuring Universal Group Caching
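The two checkboxes from Figures C and D are stored in Active Directory as bits of the options attribute on the NTDS Settings (nTDSDSA) and NTDS Site Settings (nTDSSiteSettings) objects, and the refresh site chosen in Figure D is stored in msDS-Preferred-GC-Site. As an added example that is not part of the original article, the following Python script decodes those bits from an LDIF-style export of the Sites container (the kind ldifde produces) and reports, per site, which servers are Global Catalogs, whether caching is on and where it refreshes from, flagging sites that have neither. The export, site names and server names are constructed for the example.

```python
import re

NTDSDSA_OPT_IS_GC = 0x1  # nTDSDSA 'options' bit set by the Global Catalog checkbox (Figure C)
NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED = 0x20  # nTDSSiteSettings 'options' bit set by the caching checkbox (Figure D)

# Constructed sample export of the Sites container (not from a real forest).
SAMPLE_LDIF = """dn: CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: nTDSDSA
options: 1
dn: CN=NTDS Settings,CN=DC2,CN=Servers,CN=Branch-A,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: nTDSDSA
options: 0
dn: CN=NTDS Site Settings,CN=Branch-A,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: nTDSSiteSettings
options: 32
msDS-Preferred-GC-Site: CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=example,DC=com
dn: CN=NTDS Settings,CN=DC3,CN=Servers,CN=Branch-B,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: nTDSDSA
options: 0
dn: CN=NTDS Site Settings,CN=Branch-B,CN=Sites,CN=Configuration,DC=example,DC=com
objectClass: nTDSSiteSettings
options: 0
"""
def parse_ldif(text):  # minimal LDIF reader: a new entry starts at each 'dn:' line; one attribute dict per entry
    entries = []
    for line in text.strip().splitlines():
        key, _, val = line.partition(":")
        if key == "dn":
            entries.append({})
        entries[-1][key] = val.strip()
    return entries

def site_of(dn):
    return re.search(r"CN=([^,]+),CN=Sites,", dn).group(1)  # site name from any DN under CN=Sites
def audit_sites(text):
    """Per site: GC servers, caching state, cache refresh site, and whether logons can be serviced locally."""
    report = {}
    for e in parse_ldif(text):
        r = report.setdefault(site_of(e["dn"]), {"gcs": [], "ugmc": False, "refresh_site": None})
        opts = int(e.get("options", "0"))
        if e["objectClass"] == "nTDSDSA" and opts & NTDSDSA_OPT_IS_GC:
            r["gcs"].append(re.match(r"CN=NTDS Settings,CN=([^,]+)", e["dn"]).group(1))
        elif e["objectClass"] == "nTDSSiteSettings":
            r["ugmc"] = bool(opts & NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED)
            pref = e.get("msDS-Preferred-GC-Site")
            r["refresh_site"] = site_of(pref) if pref else "<Default>"  # <Default> = nearest site with a GC
    for r in report.values():
        r["local_logon_ok"] = bool(r["gcs"]) or r["ugmc"]  # neither GC nor cache: every logon needs a remote GC
    return report
```

In the sample, Branch-B is the site to look at: no Global Catalog and no caching, so its logons depend on a GC reachable over a site link.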

There’s more where that came from
Of course, as I mentioned earlier, there are quite a few other high-level tasks that the Active Directory Sites And Services console is used for, including site creation and management, site link creation and management, and subnet creation and management. To understand the process and purpose of these tasks, you first must have a good understanding of highly complex, multi-site Active Directory design and implementation. A great place to get started on learning these often complex topics is the Windows Server 2003 Deployment Kit. You can download the book entitled Designing and Deploying Directory and Security Services for free from Microsoft's Web site.