Archive for the ‘Certification Saturdays’ Category

70-294 Concepts: Preferred Bridgehead Server

Here are the design considerations when evaluating a Preferred Bridgehead Server for multi-site deployments of Active Directory:

  • It is best practice to have more than one bridgehead server per site.
  • But if you want to “control” or “manage” site-to-site replication, you must choose only one preferred bridgehead server.
  • If replication fails in a 3+ site environment and preferred bridgehead servers are in use, change the bridgehead server. On networks that are not fully IP-routable, replication may have to go through another (non-problem) site, and the failed PBHS may reside there.
  • To avoid a single point of failure with a PBHS, you need either multiple PBHSs at each site or NONE – but having none reduces your ability to manage replication.
  • If a DC that is also an application server performs poorly, make another DC the PBHS, typically the RRAS DC if there is one.
  • Use a PBHS for controlling replication traffic, not GC placement.
  • A PBHS can be configured for IP and/or SMTP (separately).
  • Use IP by default, SMTP for unreliable connections.
  • SMTP requires an Enterprise Certificate Authority (ECA).

70-294 Concepts: Active Directory Site Links

When designing Active Directory Site Links:

  • On networks that are not fully IP-routed, disable automatic site link bridging and implement explicit site link bridges.
  • A site link is a set of sites which communicate at the same cost, and replication can be automatically configured to route along a redundant path between sites within a site link.
  • In a fully routed network, you do not need site link bridges unless you want to specifically control the flow of replication changes.
  • A site link controls which sites are connected and at what cost, but it does not directly control which servers replicate with one another; that is the role of a Preferred Bridgehead Server.
  • Best practice is to create site links from corporate to branches; there is little benefit in a tiered site link corp->branch->branch.
  • You cannot create site links between networks which are not IP-routed.
  • Site link bridging is used when an IP network is not fully routed, or if replication is not converging properly (used when sites are 2+ hops away).
  • Site links are for the same domain only, and are between IP-routable networks unless you use an IP bridge to connect two non-routable networks in the same domain.
  • If two non-routable domains are separated by a site in a different domain, you will need to have a DC set up in that site or you will need a routable network.
  • Use IP replication for single-domain sites; SMTP is not available.
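As an added example (not part of the original post), here is the site link design above expressed with the ActiveDirectory PowerShell module: automatic bridging is switched off for a network that is not fully routed, corp-to-branch links are created at explicit cost, one bridge lets the branches converge through corp, and the configured preferred bridgehead servers are listed. Site and link names and costs are constructed placeholders; the options bit value for the IP transport is the NTDSTRANSPORT_OPT_BRIDGES_REQUIRED flag from MS-ADTS.

```powershell
# Added example, not code from the original post. Assumes the RSAT ActiveDirectory
# module and an account with rights on the Configuration partition.
Import-Module ActiveDirectory

$configNC    = (Get-ADRootDSE).configurationNamingContext
$ipTransport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# 1. Not fully routed: disable "Bridge all site links" by setting bit 0x2
#    (NTDSTRANSPORT_OPT_BRIDGES_REQUIRED) in the IP transport's options attribute.
$transport = Get-ADObject -Identity $ipTransport -Properties options
$options   = if ($null -eq $transport.options) { 0 } else { [int]$transport.options }
if (-not ($options -band 0x2)) {
    Set-ADObject -Identity $ipTransport -Replace @{ options = ($options -bor 0x2) }
}

# 2. Corp-to-branch site links at the same cost (no branch->branch tier).
#    "Corp", "BranchA", "BranchB" are placeholder site names.
foreach ($branch in "BranchA", "BranchB") {
    New-ADReplicationSiteLink -Name "Corp-$branch" `
        -SitesIncluded "Corp", $branch `
        -Cost 100 -ReplicationFrequencyInMinutes 15 `
        -InterSiteTransportProtocol IP
}

# 3. Explicit bridge so BranchA and BranchB (two hops apart) converge via Corp.
New-ADReplicationSiteLinkBridge -Name "Corp-Branches" `
    -SiteLinksIncluded "Corp-BranchA", "Corp-BranchB" `
    -InterSiteTransportProtocol IP

# 4. Review which servers are preferred bridgeheads and for which transport
#    (the server object's bridgeheadTransportList holds the transport DNs).
Get-ADObject -SearchBase "CN=Sites,$configNC" `
    -LDAPFilter "(&(objectClass=server)(bridgeheadTransportList=*))" `
    -Properties bridgeheadTransportList |
    Select-Object Name,
        @{ n = 'Site'; e = { ($_.DistinguishedName -split ',')[2] -replace '^CN=' } },
        @{ n = 'Transports'; e = { ($_.bridgeheadTransportList | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ',' } }
```

Step 4 is the check to run after the change: a site listed with a single IP bridgehead is the single point of failure the bridgehead section warns about.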

70-294 Concept: FSMO > Infrastructure Master

Here are the design considerations surrounding the FSMO Role: Infrastructure Master:

  • This FSMO role is responsible for tracking object changes in Active Directory.
  • It likes to be placed with the RID Master (since you place the RID Master where most changes occur).
  • It should not be on a GC server, unless the GC is installed on all DCs.

Exam Alert: In general, FSMO roles should never be placed “anywhere”; they should always be placed somewhere intentionally. Yet sometimes the “best answer” is “any other domain controller”.

70-294 Concepts: Where to place Global Catalogs

When designing a multi-site environment, here are the considerations you should take when deciding which sites require a Global Catalog:

  • Use a Global Catalog instead of Universal Group Membership caching when AD information is required by an application at another site.
  • A Global Catalog uses more bandwidth compared to Universal Group Membership caching.
  • A Global Catalog requires greater computer resources compared to Universal Group Membership caching.
  • When you want to control Global Catalog replication, use the Preferred Bridgehead Server setting.
  • IgnoreGCFailures registry key: apply it to all DCs to prevent GC failures from blocking logon.

70-294 Concept: Cache Universal Group Membership

Enable Universal Group Membership caching instead of a Global Catalog in Active Directory sites where:

  • WAN usage is low (<90%).
  • The need for a GC is purely for authentication, and logon times are slow.
  • It is only needed in multi-domain environments.
  • The hardware is unable to support a Global Catalog.

Exam Alert: Universal Group Membership caching, while technically a caching mechanism, is not considered “cached credentials” for the purpose of answering exam questions. So if the exam states that you do not want to use cached credentials, UGM caching is okay – they are referring to using cached credentials on the local PC.

70-294 Concept: Where to place Domain Controllers

Place your Domain Controllers at sites where any of the following is true:

  • There are more than 100 users.
  • The WAN connection is slower than 256k.
  • WAN utilization is > 90%.
  • WAN availability is < 95%.
  • Users or applications query LDAP or Global Catalog data.