How to operate Active Directory at a remote area?

 In the previous installments we built a basic Active Directory environment. Operating it across multiple locations, however, calls for special care. This time I will introduce the configuration of a domain environment that includes low-speed lines.

Divide the network into sites

 An Active Directory environment generates a lot of traffic between domain controllers, and between domain controllers and clients. This traffic is not a problem in an environment built on a high-speed LAN, such as a single building. However, if the Tokyo headquarters and the Osaka branch are connected, it is not desirable for a large amount of this traffic to flow over the low-speed WAN line. Authentication can take longer and other communication can be hindered.

 To solve these problems, Active Directory provides the "site", introduced in the sixth installment of this series. An area in which high-speed communication is possible is treated as a single site, and communication between sites is controlled. A site is defined as a set of TCP/IP subnets with good connectivity, that is, highly reliable, high-speed communication. The definition of "high speed" is not strict, but an area connected by LAN is generally regarded as high speed.

 However, as with wide-area Ethernet, opinions are divided when the speed is LAN-class but the operational form is WAN. As a rule of thumb, separate the sites if you want to control network traffic strictly, and use a single site if you want to keep management simple.

 A site serves mainly two purposes: replication traffic control and authentication traffic control. Replication traffic control compresses the replication data of the Active Directory database and controls the replication schedule between sites. Authentication traffic control limits which domain controllers perform logon authentication for clients in a site.

 Sites are independent of domains. Multiple domains can be configured in one site, and a domain can span multiple sites. For this reason, managing sites requires membership in "Enterprise Admins", which has administrative authority over the entire forest, rather than "Domain Admins", which administers a single domain.


Figure 1 ● Relationship between sites and domains

 The work involved in using sites consists of the following steps:

  1. Create the sites
  2. Create subnet objects and assign them to sites
  3. Create site links and assign sites to them
  4. Move the domain controllers to the appropriate sites

Let's go through them in order.

Creating a site

 Even if the administrator creates no site, Active Directory has a site named "Default-First-Site-Name", and all domain controllers are assigned to it automatically. If there is only one site, you can leave "Default-First-Site-Name" as it is, or rename it to something easier to understand. A site is an object that represents an area, so sites are often named after a region or a building.

 If there are two or more sites, on the other hand, add and configure the sites by the following procedure. Here, a TOKYO site and an OSAKA site are created as an example.

  1. In "Active Directory Sites and Services", right-click "Sites" and select "New Site" (Screen 1)
     Screen 1 ● Select "New Site" in "Active Directory Sites and Services"

  2. In the "New Object - Site" dialog box, enter "TOKYO", the name of the site to create, under "Name", and select one of the defined site links (Screen 2). To begin with, select the default site link "DEFAULTIPSITELINK"
     Screen 2 ● Select a defined site link. At first only "DEFAULTIPSITELINK" exists

  3. When the site is created, the operations required to configure it are displayed in a dialog box (Screen 3)
     Screen 3 ● The work required to configure the site is displayed. After confirming the contents, click "OK"

  4. Create the OSAKA site by the same procedure

If you open the properties of the created site, you can change settings such as the site link, which is described later.
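As an added example that is not part of the article (which uses the GUI), here are the four steps listed above carried out with the ActiveDirectory PowerShell module: it creates the TOKYO and OSAKA sites on DEFAULTIPSITELINK exactly as in the screens, and then goes on to the subnet, site-link and domain-controller steps the article covers later. The subnet ranges, the site-link cost and replication interval, and the domain controller names DC-TOKYO and DC-OSAKA are assumed values.

```powershell
# Added example: the four site-configuration steps with the ActiveDirectory module.
# Run as a member of Enterprise Admins (site objects live in the forest configuration).
# Subnets, site-link settings and DC names are assumed values, not from the article.
Import-Module ActiveDirectory

$sites = [ordered]@{
    'TOKYO' = @{ Subnets = @('10.1.0.0/16'); DC = 'DC-TOKYO' }
    'OSAKA' = @{ Subnets = @('10.2.0.0/16'); DC = 'DC-OSAKA' }
}

# Step 1: create the sites (skip ones that already exist so the script can be re-run)
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name -Description "$name site"
    }
}
# Put both sites on the default link, as the "New Object - Site" dialog does
Set-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -SitesIncluded @{ Add = @($sites.Keys) }

# Step 2: subnet objects, each assigned to its site so clients are placed correctly
foreach ($name in $sites.Keys) {
    foreach ($cidr in $sites[$name].Subnets) {
        if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$cidr'")) {
            New-ADReplicationSubnet -Name $cidr -Site $name
        }
    }
}

# Step 3: a dedicated link for the slow WAN. A longer replication interval batches
# inter-site replication instead of letting it run continuously over the line.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq 'TOKYO-OSAKA'")) {
    New-ADReplicationSiteLink -Name 'TOKYO-OSAKA' -SitesIncluded 'TOKYO','OSAKA' `
        -Cost 200 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
}

# Step 4: move each domain controller out of Default-First-Site-Name into its own site
foreach ($name in $sites.Keys) {
    Move-ADDirectoryServer -Identity $sites[$name].DC -Site $name
}

# Verify: each DC and subnet should now report the intended site,
# and Default-First-Site-Name should no longer hold any DC
Get-ADDomainController -Filter * | Select-Object Name, Site
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site
```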

(Continued on the next page with "Creating a subnet object")