Module 4: How to Create the Physical Structure of Active Directory in Windows Server 2019/2022

Using the Domain Administrator Account in Microsoft Windows Server

The Domain Administrator account is a built-in, highly privileged user account that has full access to manage all components of an Active Directory domain.

Common Tasks Performed Using the Domain Admin Account:

Create/Manage User Accounts
Configure Group Policies (GPOs)
Add/Remove Domain Controllers
Install Active Directory Roles and Features
Manage DNS, DHCP, and other core services
Access and manage file shares and permissions
Audit logs and event viewer for security tracking
Perform backups and system restores
Delegate permissions and OU administration

Replication components are the core elements that ensure data synchronization across domain controllers. Key components include:

Active Directory Database (NTDS.dit): Stores directory information.
Knowledge Consistency Checker (KCC): Builds and maintains replication topology.
Replication Topology: Defines how domain controllers communicate.
Connection Objects: Logical links between domain controllers for replication.
Replication Protocols: Includes RPC over IP and SMTP for transporting data.

Active Directory uses two main protocols to replicate data between domain controllers:

✅ 1. RPC over IP (Remote Procedure Call over Internet Protocol)

Usage:
- Primary replication protocol used within a site and between sites.
Purpose:
- Ensures secure, reliable, and fast replication of Active Directory data.
Default:
- Enabled by default for all replication types.
Ports Used:
- TCP 135 (RPC Endpoint Mapper) and a dynamic port range (49152–65535 on newer Windows versions).

✅ 2. SMTP (Simple Mail Transfer Protocol)

Usage:
- Only used for replicating the Schema and Configuration partitions, not domain data.
- Only used for inter-site replication when RPC is not available.
Limitations:
- Cannot replicate passwords or domain-specific data.
- Not used in typical domain controller replication.

In a multi-site Active Directory (AD) environment, linking multiple sites ensures efficient replication and authentication across geographically dispersed networks.

Best Practices

Create a Site Link for each connection (e.g., Site A <–> Site B).
Assign appropriate costs — lower cost = higher preference.
Schedule replication during low-traffic hours.
Use Bridgehead Servers carefully (can be manually set or auto-selected).
Use IP subnets to map computers to correct sites.

Modifying the Physical Structure of Active Directory

The physical structure of Active Directory (AD) reflects the network topology and controls how replication occurs between different locations (sites).

🔧 What Is the Physical Structure?

While the logical structure (domains, OUs, trees) controls how resources are grouped and managed, the physical structure defines how and where data travels within the network. It includes:

Sites
Subnets
Site Links
Bridgehead Servers

🔄 Why Modify the Physical Structure?

You may need to modify the physical structure to:

Reflect changes in your organization’s physical offices or network layout
Improve replication efficiency between geographically dispersed sites
Optimize authentication and logon traffic
Introduce new datacenters or remove decommissioned ones

In Active Directory (AD), server objects (particularly domain controllers) are associated with specific sites, which are defined by IP subnets. If a server changes its physical or network location, you may need to manually move the server object to the appropriate site for proper replication and authentication behavior.

Why Move a Server Object?

The IP subnet no longer matches the site’s subnet (e.g., after a server relocation)
To optimize replication traffic
To ensure clients authenticate with the closest domain controller
During datacenter migration or AD restructuring

🛠️ How to Move a Server Object Between Sites

🔹 Step 1: Open Active Directory Sites and Services

Press Win + R, type dssite.msc, and press Enter.

🔹 Step 2: Locate the Current Server Object

Navigate through:
Sites > [Old Site Name] > Servers
Find the server (typically a domain controller) you want to move.

🔹 Step 3: Move the Server

Right-click the server object > Select Move.
In the “Move Server” dialog box, choose the target site.
Click OK.

🔹 Step 4: Update IP Subnet Mapping (if needed)

Ensure the new site has an IP subnet matching the server’s IP.
If not, create one:
1. Right-click Subnets > New Subnet
2. Enter the server’s network prefix (e.g., 192.168.10.0/24)
3. Associate it with the new site

Site Links in Active Directory (AD) define replication paths between sites. They help control how domain controllers communicate across different geographic or network locations. By default, all sites are connected via the DEFAULTIPSITELINK, but creating custom site links allows for more efficient and controlled replication.

What Are Site Links?

A Site Link:

Connects two or more AD sites.
Determines the replication schedule, frequency, and cost.
Uses IP (or SMTP, rarely used) as the transport protocol.

🛠️ How to Create a Site Link (Step-by-Step)

🔹 Step 1: Open Active Directory Sites and Services

Press Win + R → type dssite.msc → press Enter.

🔹 Step 2: Expand the Inter-Site Transports

Expand Sites → Inter-Site Transports → Click IP.

🔹 Step 3: Create a New Site Link

Right-click on IP → Select New Site Link.
Give the site link a descriptive name (e.g., SiteLink_NY_London).
Select the sites to connect by holding Ctrl and clicking them.
Click Add to include them in the link.
Click OK.

A Site Link Bridge connects two or more site links to allow transitive replication across multiple Active Directory sites—even if they are not directly linked. This is useful in complex networks where you want controlled, optimized replication over multiple links.

What is a Site Link Bridge?

A Site Link Bridge groups site links so replication can flow indirectly between sites.
It enables transitive replication, just like how routing protocols use hops.
For example:
If Site A links to Site B, and Site B links to Site C → Site A can replicate with Site C via a bridge.

🔧 Default Behavior

By default:

“Bridge all site links” option is enabled.
This treats all IP-based site links as part of a single bridge (i.e., transitive by default).
You only need to create manual site link bridges if:
- You disable “Bridge all site links”, or
- You need custom replication routes or strict control over traffic flow.

🛠️ Steps to Create a Site Link Bridge

🔹 Step 1: Open Active Directory Sites and Services

Win + R → type dssite.msc → Enter

🔹 Step 2: Disable “Bridge all site links” (if needed)

In the console tree, right-click IP under Inter-Site Transports.
Choose Properties.
Uncheck Bridge all site links.
Click OK.

⚠️ Only disable this if you need manual control. Otherwise, the default is usually fine.

🔹 Step 3: Create a Site Link Bridge

Right-click IP → Click New Site Link Bridge.
Give your bridge a name (e.g., Bridge_EU_Replication).
Select the site links you want to include in this bridge.
Click Add → then click OK.

A Connection Object in Active Directory defines replication paths between domain controllers (DCs) within or across sites. Normally, these are auto-generated by the Knowledge Consistency Checker (KCC), but in some cases—like troubleshooting or custom replication—you may want to create them manually.

What is a Connection Object?

It tells a destination DC which source DC to replicate from.
Used for intrasite and intersite replication.
Automatically managed by KCC, but manual creation allows more control.

🛠️ Steps to Manually Create a Connection Object

🔹 Step 1: Open Active Directory Sites and Services

Press Win + R → type dssite.msc → Enter
In the left pane, expand Sites → choose the appropriate site
Expand Servers → select the server where you want to create the connection

🔹 Step 2: Select NTDS Settings

Under the server, click NTDS Settings

🔹 Step 3: Create the Connection

Right-click NTDS Settings → choose New Active Directory Connection
In the Find Domain Controllers dialog:
- Choose a source domain controller
Click OK

🔹 Step 4: Set Replication Options (Optional)

Right-click the new connection → Properties
Set:
- Replication schedule
- Transport type (IP/SMTP)

Why Create a Global Catalog Server?

Speeds up logon in multi-domain environments
Enables forest-wide searches in Active Directory
Supports Universal Group Membership Caching
Required for Exchange Server and other directory-aware apps

✅ Prerequisites

The server must already be a Domain Controller
Make sure Active Directory Sites and Services is available

🛠️ Steps to Promote a DC to a Global Catalog Server

📍 Step 1: Open AD Sites and Services

Press Win + R, type: dssite.msc → hit Enter
Navigate to:
Sites > [Your Site Name] > Servers > [Your Server Name] > NTDS Settings

Step 2: Enable Global Catalog

Right-click on NTDS Settings → select Properties
Check the box:

✅ Global Catalog
Click OK
🕒 It may take a few minutes to replicate and update the GC status.
🔍 Verify Global Catalog Status
🔧 Using GUI:
- Reopen the NTDS Settings > Properties
- Confirm the Global Catalog box is checked
💻 Using Command Line:

dsquery server -forest | dsget server -isgc

Using Repadmin:

repadmin /showrepl

Using Event Viewer:

Look under Directory Service logs for GC-related events

Monitoring Replication Traffic in Microsoft Windows Server (Active Directory)

Replication traffic refers to the data exchanged between domain controllers to keep Active Directory (AD) information synchronized. Monitoring this traffic is essential for diagnosing delays, bandwidth issues, or replication errors.

Why Monitor Replication Traffic?

Detect replication failures or slow synchronization
Identify network bottlenecks
Ensure site link configurations are effective
Verify healthy domain controller communication

Uncategorized

Module 4: How to Create the Physical Structure of Active Directory in Windows Server 2019/2022

Using the Domain Administrator Account in Microsoft Windows Server

Common Tasks Performed Using the Domain Admin Account:

✅ 1. RPC over IP (Remote Procedure Call over Internet Protocol)

✅ 2. SMTP (Simple Mail Transfer Protocol)

Best Practices

Modifying the Physical Structure of Active Directory

🔧 What Is the Physical Structure?

🔄 Why Modify the Physical Structure?

Why Move a Server Object?

🛠️ How to Move a Server Object Between Sites

🔹 Step 1: Open Active Directory Sites and Services

🔹 Step 2: Locate the Current Server Object

🔹 Step 3: Move the Server

🔹 Step 4: Update IP Subnet Mapping (if needed)

What Are Site Links?

🛠️ How to Create a Site Link (Step-by-Step)

🔹 Step 1: Open Active Directory Sites and Services

🔹 Step 2: Expand the Inter-Site Transports

🔹 Step 3: Create a New Site Link

What is a Site Link Bridge?

🔧 Default Behavior

🛠️ Steps to Create a Site Link Bridge

🔹 Step 1: Open Active Directory Sites and Services

🔹 Step 2: Disable “Bridge all site links” (if needed)

🔹 Step 3: Create a Site Link Bridge

What is a Connection Object?

🛠️ Steps to Manually Create a Connection Object

🔹 Step 1: Open Active Directory Sites and Services

🔹 Step 2: Select NTDS Settings

🔹 Step 3: Create the Connection

🔹 Step 4: Set Replication Options (Optional)

Why Create a Global Catalog Server?

✅ Prerequisites

🛠️ Steps to Promote a DC to a Global Catalog Server

📍 Step 1: Open AD Sites and Services

Step 2: Enable Global Catalog

🔍 Verify Global Catalog Status

🔧 Using GUI:

💻 Using Command Line:

Using Event Viewer:

Monitoring Replication Traffic in Microsoft Windows Server (Active Directory)

Why Monitor Replication Traffic?

Add comment Cancel reply

Quick Links

ADDITIONAL LINKS

Categories

Subscribe Now!