©1997-2012, Active Network, Inc. All Rights Reserved.
Step-by-Step Guide to Setting up ISM-SMTP Replication
Introduction
This guide demonstrates how to set up Simple Mail
Transfer Protocol (SMTP)-based replication between two Windows® 2000–based
domain controllers, each belonging to a different domain.
The Windows 2000 operating system offers three
degrees of connectivity for Active Directory™ service
information:
- Uniform high speed (within a site).
- Point-to-point synchronous low speed (Remote
Procedure Call, or RPC, between sites).
- SMTP between sites.
Windows 2000 also allows you to have domains that
span multiple sites, provided that those sites have at least
point-to-point synchronous low speed RPC connectivity between each
other.
A few points need to be made regarding Active
Directory replication:
- Intra-site replication always uses RPC.
- Inter-site replication uses RPC or SMTP.
- Inter-site replication using SMTP is not supported
for domain controllers (DCs) that are replicas for the same domain.
If you have a site that has no physical connection to
the rest of your network, but that can be reached using the Simple Mail
Transfer Protocol (SMTP), that site has mail-based connectivity only.
SMTP replication is used only for replication between sites. You also
cannot use SMTP replication to replicate between domain controllers in
the same domain—only inter-domain replication is supported over SMTP
(that is, SMTP can be used only for inter-site, inter-domain
replication). SMTP replication can be used only for schema,
configuration, and global catalog partial replica replication. SMTP
replication observes the automatically generated replication schedule.
Inter-site Messaging Architecture
This section summarizes the Inter-site Messaging
(ISM) architecture in Windows 2000 Active Directory.
When sites are on opposite ends of a WAN link (or the
Internet), it is not always desirable—or even possible—to perform
synchronous, RPC-based directory replication. For example, in some
cases the only method of communication between two sites is e-mail. To
support such configurations, you must be able to replicate across
asynchronous, store-and-forward transports (such as SMTP).
The ISM architecture:
- Provides a simple inter-site point-to-point data
pipe for use for Active Directory replication.
- Allows for an ISV-extensible set of underlying
transports.
- Generalizes the interface such that the data pipes
can be used by other Windows 2000 services that require inter-site
communication.
The ISM architecture currently does not:
- Provide an upper bound on the delivery time of
delivered data.
- Route messages between sites using more than one
hop (for example, sending a message between sites using intermediate
sites as forwarders).
- Route messages within a site (like exchanging data
between DCs of a domain that spans sites through a bridgehead that is
not a DC of that domain).
- Ensure order of delivery.
- Permit installing a replica DC using this
mechanism.
The set of transports used for inter-site
communication must be extensible; therefore, each transport is defined
in a separate plug-in DLL. These plug-in DLLs are loaded into the
Inter-site Messaging service, which runs on all DCs that are candidates
for performing inter-site communication (default: all DCs).
The ISM service directs send and receive
requests to the appropriate transport plug-in DLL, which then routes
the message to the ISM service running on the target machine.
Note that the ISM module provides no encryption or
compression services. It is the responsibility of the transport plug-in
DLL to provide encryption and/or compression. The SMTP plug-in DLL
developed by Microsoft does perform encryption and compression so
replication over the Microsoft SMTP plug-in can be considered secure
and efficient. If, however, you are using a third-party transport
plug-in DLL and you are concerned about the confidentiality of directory
replication, you should confirm that the third-party transport plug-in
DLL supports encryption.
Prerequisites
At a minimum, you need to set up two Windows 2000
domain controllers (DCs). Each DC should host a different domain
partition (host different Windows 2000 domains) and be members of the
same forest. This guide assumes a parent/child relationship between the
two Windows 2000 domains.
You can create this base configuration by running
through the Common Infrastructure and Setting up Additional Domain
step-by-step guides before going through the instructions in this
document.
If you are not using the common infrastructure, you
need to make the appropriate changes to this instruction set.
If you choose to use SMTP over site links, you must
install and configure an enterprise certification authority (CA). For
assistance, see the Step-by-Step Guide to Setting up a Certificate
Authority. The domain controllers obtain certificates from the CA,
which the domain controllers then use to sign and encrypt the mail
messages that contain directory replication information, ensuring the
authenticity of directory updates. SMTP replication uses 56-bit
encryption.
Note: This guide does not include the
creation of subnet objects, as they are not necessary to test SMTP
replication. In a real-world environment, subnet objects would be
required since geographically diverse sites would necessitate correct
behavior of the locator service. For more information on subnet
objects, see the Step-by-Step Guide to Active Directory Sites and
Services.
To set up a base configuration for this instruction
set:
- For instructions on how to install the root domain,
see Windows 2000 Server Help, or the "Step-by-Step Guide to a
Common Infrastructure for Windows 2000 Server Deployment."
- Install an Enterprise Certificate Authority on this
DC (HQ-RES-DC-01), which now hosts the root domain. For instructions
on how to set up and configure an Enterprise CA, see
"Step-by-Step Guide to Setting up a Windows 2000 Certificate
Authority."
- Create a child domain of the root domain. For
instructions on how to set up and configure a child domain, see
"Step-by-Step Guide to Setting up Additional Domain
Controllers."
- After the child domain setup is complete
(BR3-VAN-DC-01 in this example), the DC hosting this partition
automatically requests an X.509 certificate from the Enterprise CA,
which is installed on the DC hosting the root domain (parent domain
in this guide). This should occur within 10 minutes. Use the
Certificate snap-in to confirm the X.509 request succeeded.
When complete, both domain controllers should (by
default) belong to the site named Default-First-Site.
When a computer running Windows 2000 Server is
promoted to a domain controller, Internet Information Services and the
SMTP service are installed by default.
To Set up SMTP Replication
- On the DC hosting the parent domain (Reskit.com),
click Start, point to Programs, point to Administrative
Tools, and then click Active Directory Sites and Services.
The Active Directory Sites and Services snap-in appears, as
illustrated in Figure 1 below.
Figure 1. Active Directory Sites and Services snap-in before
creating new site.
- Rename the site named Default-First-Site to Headquarters
by selecting Default-First-Site, right-clicking it, and
clicking Rename.
- Create a second site named Vancouver. Select
Sites in the left pane, right-click Sites, and then
click New Site. The Create New Object–Site dialog box
appears, as illustrated in Figure 2 below.
Figure 2. Creating a new site for the child domain
- Select the DEFAULTIPSITELINK site link. In
the Name box, type Vancouver, and click OK.
- When the Active Directory message box appears,
click OK. (See note about subnets earlier in this guide.)
- Expand the Inter-Site Transports container,
and select SMTP.
- Right-click SMTP, then select New Site
Link. The Create New Object–Site Link dialog box
appears, illustrated below.
- In the Name box, type HQ/VAN Site Link,
and click OK as shown in Figure 3 below.
Figure 3. Creating an SMTP site link
- Click the + next to Sites, then Headquarters,
then Servers. Double-click Servers. In this container,
you should see two server objects. The DC for the parent domain is
named HQ-RES-DC-01. The DC for the child domain is named BR3-VAN-DC-01.
To verify connection objects
- Double-click each server object, and an NTDS
Settings object is revealed.
- Select each NTDS Settings object and ensure
there is an NTDS Connection object subordinate to each NTDS
Settings object. If you do not see Connection objects
below each NTDS Settings object, right-click each NTDS
Settings object, select All Tasks, and then click Check
Replication Topology. This action forces the Knowledge
Consistency Checker (KCC) to check the replication topology, thereby
creating a Connection object between the two DCs.
- Force replication between both DCs. Right-click the
Connection object subordinate to each NTDS Settings object and
select Replicate Now.
- Refresh the display by pressing F5 or by
right-clicking the NTDS Settings object and selecting Refresh.
You should now see a Connection object.
To favor SMTP link over IP link
- Select SMTP in the Inter-Site Transports
container.
- In the results pane, select the HQ/VAN Site Link
object. Right-click this object and then click Properties. The
HQ/VAN Site Link Properties dialog box appears, illustrated in
Figure 4 below.
Figure 4. Specifying the cost of site link
- Note that the cost of this site link is 100, which
is also the default cost for each site link. For the KCC to favor the
SMTP site link over the IP site link, you need to specify a lower
cost for HQ/VAN, the Default-SMTP-Site-Link object. Change the
cost to 50. (The cost of the DEFAULTIPSITELINK object can be changed
if necessary so that it is more than 50.) Click OK.
- To force replication between both DCs, right-click
the Connection object subordinate to each NTDS Settings object, and
select Replicate Now.
- Move the DC hosting the child domain partition to
the Vancouver site. Select the server object named (in this example) BR3-VAN-DC-01.
Right-click it, and then click Move.
- Select Vancouver in the Move Server
box, and then click OK. The Active Directory Sites and
Services snap-in appears as in Figure 5 below.
Figure 5. Site links generating SMTP connection
- On each DC, force the KCC to check the replication
topology for each NTDS Settings by right-clicking the Connection
object in the right pane, and then clicking Replicate Now.
The KCC should create a new Connection object below
each NTDS Settings container, now favoring the HQ/VAN Site Link, the
Default-SMTP-Site-Link object. The KCC will automatically configure the
SMTP mail drop folder on both DCs.
If you do not see Connection objects below each NTDS
Settings object, right-click each NTDS Settings object, click All
Tasks, and then click Check Replication Topology.
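The transport-selection rules this guide states (intra-site is always RPC; inter-site picks the lowest-cost site link joining both sites; SMTP is never used between replicas of the same domain; ISM does not route through intermediate sites) as a small Python model. This is an added example, not code from the Microsoft guide or from the Windows KCC; the DC and site-link data are constructed to mirror the guide's example, the child domain's DNS name is a placeholder because the guide does not give it, and the tie-breaking rule (prefer IP on equal cost) is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DC:
    name: str
    site: str
    domain: str  # the domain partition this DC hosts

@dataclass(frozen=True)
class SiteLink:
    name: str
    transport: str       # "IP" (RPC) or "SMTP", as under Inter-Site Transports
    cost: int            # site link cost; 100 is the default
    sites: frozenset     # sites joined by this link

def choose_transport(links, src, dst):
    """Return (transport, link name) the KCC would favor, or (None, reason)."""
    # Intra-site replication always uses RPC, whatever the site links say.
    if src.site == dst.site:
        return ("RPC", None)
    # Only links containing both sites qualify: ISM does not route through
    # intermediate sites, so multi-hop paths are not considered here.
    candidates = [l for l in links if {src.site, dst.site} <= l.sites]
    # SMTP is not supported between DCs that are replicas of the same domain.
    if src.domain == dst.domain:
        candidates = [l for l in candidates if l.transport != "SMTP"]
    if not candidates:
        return (None, "no usable site link between %s and %s" % (src.site, dst.site))
    # Lowest cost wins; on a tie this model prefers IP (an assumption, which is
    # why the guide lowers the SMTP link below the IP link's default of 100).
    best = min(candidates, key=lambda l: (l.cost, l.transport != "IP"))
    return ("SMTP" if best.transport == "SMTP" else "RPC", best.name)

# Constructed sample data mirroring the guide's example (the child domain's
# DNS name is not given in the guide, so it is a placeholder here).
HQ_DC = DC("HQ-RES-DC-01", "Headquarters", "reskit.com")
VAN_DC = DC("BR3-VAN-DC-01", "Vancouver", "CHILD-DOMAIN-PLACEHOLDER")
HQ_REPLICA_IN_VAN = DC("VAN-RES-DC-02", "Vancouver", "reskit.com")  # hypothetical
HQ_VAN = frozenset({"Headquarters", "Vancouver"})
LINKS_DEFAULT = [SiteLink("DEFAULTIPSITELINK", "IP", 100, HQ_VAN),
                 SiteLink("HQ/VAN Site Link", "SMTP", 100, HQ_VAN)]
LINKS_TUNED = [SiteLink("DEFAULTIPSITELINK", "IP", 100, HQ_VAN),
               SiteLink("HQ/VAN Site Link", "SMTP", 50, HQ_VAN)]

if __name__ == "__main__":
    print(choose_transport(LINKS_DEFAULT, HQ_DC, VAN_DC))  # ('RPC', 'DEFAULTIPSITELINK')
    print(choose_transport(LINKS_TUNED, HQ_DC, VAN_DC))    # ('SMTP', 'HQ/VAN Site Link')
    print(choose_transport(LINKS_TUNED, HQ_DC, HQ_REPLICA_IN_VAN))  # ('RPC', 'DEFAULTIPSITELINK')
```

The third call shows why the guide insists on different domains: even with the cheaper SMTP link, a hypothetical Reskit.com replica in Vancouver would still replicate over the IP link.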
Important Notes
The example company, organization, products, people,
and events depicted in this step-by-step guide are fictitious. No
association with any real company, organization, product, person, or
event is intended or should be inferred.
This common infrastructure is designed for use on a
private network. The fictitious company name and DNS name used in the
common infrastructure are not registered for use on the Internet.
Please do not use this name on a public network or Internet.
The Active Directory structure for this common
infrastructure is designed to show how Windows 2000 features work and
function with the Active Directory. It was not designed as a model for
configuring an Active Directory for any organization—for such
information see the Active Directory documentation.
This feature information was obtained from the Microsoft Windows 2000
website at http://www.microsoft.com/windows2000
and is linked from ActiveWin.com for your convenience; it is subject to
Microsoft's copyright. For the most accurate information, please visit the
official site.