• Reset a computer account
•  

15.4. Move domain controllers to the correct Active Directory sites

For now, we have defined Active Directory sites, their associated subnet and the site link that connects our Active Directory sites.
However, at this time, all of our domain controllers are still located in the default Active Directory site (Default-First-Site-Name).
This means that for Active Directory, all of our domain controllers are physically located in one place. Which is wrong.

To move a domain controller, right-click on it and click "Move".

In the "Move Server" window that appears, select the target Active Directory site where you want to move it (virtually).

Note that you can also drag and drop your domain controllers by dragging them to the "Servers" folder of the target Active Directory site.

Now, our domain controllers are associated with the correct Active Directory sites :

• our "BRUX-DC1" and "BRUX-DC2" domain controllers are located at Brussels
• our "PARIS-DC1" and "PARIS-DC2" domain controllers are located at Paris

Now that all the servers have been moved to their respective Active Directory sites, you can delete the default Active Directory site (which is empty).

Confirm the deletion of the "Default-First-Site-Name" site by clicking on Yes.

And confirm the deletion of the child objects, since this Active Directory site is empty.

Important : the KCC service, which automatically manages the replication topology transparently, checks every 15 minutes that the replication topology of your Active Directory infrastructure is still suitable for your Active Directory configuration.
It will therefore be necessary to wait up to 15 minutes for this new configuration to be really taken into account. The changes should then be replicated automatically to your other domain controllers.

If you want this new configuration to be taken into account directly, you can force the update of the replication topology by running this command :

Batch

repadmin /kcc

15.5. Manage replication by Active Directory site

In each Active Directory site, you have :

• a servers container (in other words : a folder containing the list of domain controllers present on this site)
• a "NTDS Site Settings" object which contains various settings for this Active Directory site

Right click "Properties" on the "NTDS Site Settings" object.

In the "NTDS Settings Properties" window that appears, you can :

• click on the "Change Schedule" button to manage the replication on this site
• enable or disable universal group membership caching

If you have universal groups in your Active Directory infrastructure and no domain controller acts as a "Global Catalog" on your Active Directory site, it's worth checking the "Enable Universal Group Membership Caching" to avoid having to contact a domain controller at a remote site each time.
If you have at least 1 global catalog on this site, you don't need to check this box, as the necessary information can be found by contacting the global catalog located on this Active Directory site.

Important : remember that Microsoft recommends defining at least 1 domain controller as a "Global Catalog" at each geographic site, as explained at the very beginning of our tutorial.

If you click the "Change Schedule" button, a "Schedule for NTDS Site Settings" window will appear.
Thanks to this window, you can choose at what time of the week you want to allow replication and whether the replication should be done once, twice or four times per hour.

If you display the properties of a server present in the "Servers" folder of the desired site, you can find out :

• his name : BRUX-DC1
• the domain in which it's located : informatiweb.lan
• the type of domain controller : Global Catalog
• its description, if you add one

You will also be able to choose whether this server should be used as the preferred bridgehead for inter-site replications.
To do this, select the "IP" transport and click on "Add".
Now, Active Directory will know that it needs to use this server to replicate between the site where this server is located and the remote site.

On the remote site, we chose the "PARIS-DC1" server as the bridgehead server.
Active Directory replication between the Brussels site and the Paris site will therefore be carried out between the "BRUX-DC1" server (of Brussels) and the "PARIS-DC1" server (of Paris).

By selecting a domain controller, you will find a "NTDS Settings" object that corresponds to the settings of the domain controller.
Right click "Properties" on it.

As you can see, this domain controller is already acting as a "Global Catalog".

In the "Connection" tab of this "NTDS Settings" object, you will be able to see the connection objects created automatically by KCC.

And as you can see, currently :

• our BRUX-DC1 server replicates data from our 3 other domain controllers
• our BRUX-DC1 server replicates its data on our domain controllers : BRUX-DC2 (of the Brussels site) and PARIS-DC2 (of the Paris site)

16. Static routing

When VPN connections are established, accessing resources at a remote Active Directory site is usually not a problem.
But if they are not established, access to remote sites may not be possible because the remote network ID will not be found.

To ensure that your servers can access remote subnets, the best is to create a static route on the servers and client PCs through Group Policies.
Since the destination subnet is different from one Active Directory site to another, we are going to create 2 GPOs and link one to each Active Directory site.

On one of the domain controllers (of your choice), open the "Group Policy Management" console and create a new Group Policy object.
Note that these policy objects will be replicated automatically to other domain controllers in the same domain anyway.

In our case, we created 2 GPOs :

• StaticRouteForSite1 : for servers and client PCs at site 1 (Brussels)
• StaticRouteForSite2 : for servers and client PCs at site 2 (Paris)

Start by modifying the 1st GPO object : StaticRouteForSite1.

In the "Computer Configuration -> Policies -> Windows Settings -> Scripts (Startup/Shutdown)" section, double-click on "Startup".

Click on : Add.

Click on : Browse.

A window appears and a "Scripts\Startup" folder is selected by default.
In this folder, create an "add_route.bat" file and indicate this inside :

Batch

route -p ADD 10.0.2.0 MASK 255.255.255.0 10.0.1.10

The script appears in the list.

Edit the 2nd GPO and go to the same section.

A window with another "Scripts\Startup" folder (which is different for each GPO) appears.
Create a new "add_route.bat" file with this content :

Batch

route -p ADD 10.0.1.0 MASK 255.255.255.0 10.0.2.10

Now that the 2 GPOs have been created and modified, you must link them to the Active Directory sites created previously.
To do this, right-click on the "Sites" folder and click on "Show Sites".

Click on the "Select All" button, then click OK.

Now that your Active Directory sites are displayed, right click "Link an Existing GPO" on the Brussels site.

Select the "StaticRouteForSite1" object and click OK.

The object "StaticRouteForSite1" is now linked to the "Brussels" Active Directory site.

Do the same for the "StaticRouteForSite2" GPO to link to the "Paris" Active Directory site.

As explained previously, GPOs will be replicated automatically to other domain controllers in the domain.
To know the replication status of your group policies, select your Active Directory domain and click on the "Detect" button in the "Status" tab.

As you can see, our other 3 domain controllers were synced to this one, so the data was replicated there.

In order for the static route to be created on your domain controllers, you will need to restart them.
If you don't want to restart them, then use the "route -p ..." commands defined previously.

Once the route has been created on the servers at site 1, run this command to verify that the route has been created :

Batch

route print

Plain Text

Persistent Routes :
...
10.0.2.0   255.255.255.0   10.0.1.10   1

On site 2, this same command will give :

Plain Text

Persistent Routes :
...
10.0.1.0   255.255.255.0   10.0.2.10   1