AD Sites and Services … Not Again!

So, in the post Larger Sites tips, I mentioned enabling Change Notification Replication on site links so that cross-site replication runs when a change happens rather than waiting for the next scheduled interval. In the post Missing Subnets I used Log Analytics to find the subnets that the netlogon.log file reports as missing.

In a multi-forest environment with trusts between the forests, each forest also needs to know about the subnets and sites used in the other forests. Otherwise the DC locator cannot map a client from the other forest to a site, so a cross-forest logon cannot be directed to the nearest domain controller and may end up on the far side of a WAN link. There is a good blog post at Waynes World IT explaining cross-forest authentication and site discovery in a bit more detail.

So, how do we keep all the forests in sync? How do we give the network team the ability to add a subnet without delegating them rights over AD Sites and Services? How do we keep backups in case something goes awry? One option is plain PowerShell scripting: store everything in a YAML/JSON file and apply it with the New/Set-ADReplication* cmdlets. When I was recently looking into this for my current environment, that was the route I was going down. Then it dawned on me: we could use PowerShell DSC!

PowerShell DSC has a whole AD resource module available for exactly this purpose, ActiveDirectoryDsc. You can check out everything that is available in it on GitHub. So, how do we go about making this work? Ideally you will want to use a pull server, as that automatically makes the resource modules available to the clients. I already use Azure Log Analytics, and the Azure Automation account linked to the workspace (Azure Automation State Configuration) can act as the DSC pull server. My domain controllers already have the MMA (Microsoft Monitoring Agent) installed and are reporting in. We can then use Azure DevOps to host the configuration files in source control (which also gives us a backup) and pipelines to push the config into Azure Automation. Remember, if you do this, your source control and build/pipeline tooling become Tier-0, because whoever can merge a change or edit the pipeline can change your replication topology and which site every client lands in. You will either want a dedicated, isolated platform for this, or you need to protect the existing one to the same standard as your domain controllers.

So, how do we go about this? We need to manage sites, subnets and site links, so we are going to use three DSC resources: ADReplicationSite, ADReplicationSubnet and ADReplicationSiteLink. What would my configuration look like?

#Requires -Modules @{ ModuleName = 'ActiveDirectoryDsc'; ModuleVersion = '4.0.0.0' }
Configuration ADSS
{
 # Pin the module version so the authoring machine and the pull server compile against the same resource schema
 Import-DscResource -ModuleName ActiveDirectoryDsc -ModuleVersion 4.0.0.0
 node localhost
 {
  # Sites first. The quoted string after the resource type is the resource ID; it must be unique within the node
  ADReplicationSite 'HeadOffice'
  {
   Name  = 'HeadOffice'
   Ensure  = 'Present'
  }
  ADReplicationSite 'SeattleOffice'
  {
   Name  = 'SeattleOffice'
   Ensure  = 'Present'
  }
  ADReplicationSite 'NewYorkOffice'
  {
   Name  = 'NewYorkOffice'
   Ensure  = 'Present'
  }
  
  # One IPv4 subnet per site. DependsOn stops the LCM creating a subnet before the site it points at exists
  ADReplicationSubnet 'HOSubnet'
  {
   Name  = '10.0.0.0/16'
   Site  = 'HeadOffice'
   DependsOn = '[ADReplicationSite]HeadOffice'
   Ensure  = 'Present'
  }
  ADReplicationSubnet 'SeattleSubnet'
  {
   Name  = '10.1.0.0/16'
   Site  = 'SeattleOffice'
   DependsOn = '[ADReplicationSite]SeattleOffice'
   Ensure  = 'Present'
  }
  ADReplicationSubnet 'NewYorkSubnet'
  {
   Name  = '10.2.0.0/16'
   Site  = 'NewYorkOffice'
   DependsOn = '[ADReplicationSite]NewYorkOffice'
   Ensure  = 'Present'
  }
  
  # Site links: a hub-and-spoke from HeadOffice, both with the same cost and a 15-minute schedule
  ADReplicationSiteLink 'HO-Seattle'
  {
   Name       = 'HO-Seattle'
   SitesIncluded     = @('HeadOffice', 'SeattleOffice')
   Cost       = 20
   ReplicationFrequencyInMinutes = 15
   Ensure      = 'Present'
   DependsOn      = @('[ADReplicationSite]HeadOffice','[ADReplicationSite]SeattleOffice')
  }
  ADReplicationSiteLink 'HO-NewYork'
  {
   Name       = 'HO-NewYork'
   SitesIncluded     = @('HeadOffice', 'NewYorkOffice')
   Cost       = 20
   ReplicationFrequencyInMinutes = 15
   Ensure      = 'Present'
   DependsOn      = @('[ADReplicationSite]HeadOffice','[ADReplicationSite]NewYorkOffice')
  }
 }
}
# Compile to .\ADSS\localhost.mof; nothing touches AD until that MOF is applied or published to the pull server
ADSS

So, what is the above actually doing? First, we create the sites HeadOffice, SeattleOffice and NewYorkOffice. Then we assign one IPv4 subnet to each site; the DependsOn clause stops the LCM trying to create a subnet before its site exists, since the subnet's Site property has to resolve to a real site. Lastly, we create a site link between HeadOffice and SeattleOffice and another between HeadOffice and NewYorkOffice, each with cost 20 and a 15-minute replication interval. Calling ADSS at the end compiles the configuration into a localhost.mof; nothing changes in AD until that MOF is applied or published.
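The hand-written configuration above works, but it does not yet answer the question of letting the network team add subnets without touching AD. As an added example (my code, not from the original post), here is a data-driven variant: sites, subnets and site links live in a JSON file that the network team changes through a pull request, and a validation function runs in the pipeline before anything is compiled, so a mistyped CIDR, a subnet with host bits set, or a subnet pointing at a site that does not exist is rejected before it reaches a Tier-0 system. The file name ADSites.json, the function name Test-ADSiteData, the configuration name ADSSFromData and the sample JSON are all my assumptions.

```powershell
#Requires -Modules @{ ModuleName = 'ActiveDirectoryDsc'; ModuleVersion = '4.0.0.0' }
# Added example, not from the original post. Assumed names: ADSites.json, Test-ADSiteData, ADSSFromData.

# Constructed sample data. In practice this is ADSites.json in the repo, edited by the network team via pull request.
$sampleJson = @'
{
  "Sites":     [ { "Name": "HeadOffice" }, { "Name": "SeattleOffice" }, { "Name": "NewYorkOffice" } ],
  "Subnets":   [ { "Name": "10.0.0.0/16", "Site": "HeadOffice" },
                 { "Name": "10.1.0.0/16", "Site": "SeattleOffice" },
                 { "Name": "10.2.0.0/16", "Site": "NewYorkOffice" } ],
  "SiteLinks": [ { "Name": "HO-Seattle", "Sites": [ "HeadOffice", "SeattleOffice" ], "Cost": 20, "Frequency": 15 },
                 { "Name": "HO-NewYork", "Sites": [ "HeadOffice", "NewYorkOffice" ], "Cost": 20, "Frequency": 15 } ]
}
'@

function Test-ADSiteData
{
    # Returns the list of problems found; an empty list means the data is safe to compile.
    param ([Parameter(Mandatory)] $Data)
    $problems  = [System.Collections.Generic.List[string]]::new()
    $siteNames = @($Data.Sites.Name)
    foreach ($dup in ($siteNames | Group-Object | Where-Object Count -gt 1))
    {
        $problems.Add("Duplicate site '$($dup.Name)'")
    }
    $seen = @{}
    foreach ($subnet in $Data.Subnets)
    {
        if ($seen.ContainsKey($subnet.Name)) { $problems.Add("Duplicate subnet '$($subnet.Name)'") }
        $seen[$subnet.Name] = $true
        if ($subnet.Site -notin $siteNames) { $problems.Add("Subnet '$($subnet.Name)' references unknown site '$($subnet.Site)'") }
        # Must be an IPv4 CIDR whose address is the network address (no host bits set), otherwise AD rejects it
        $parts = $subnet.Name -split '/'; $ip = $null; $prefix = 0
        $valid = ($parts.Count -eq 2) -and [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip) -and
                 ($ip.AddressFamily -eq 'InterNetwork') -and [int]::TryParse($parts[1], [ref]$prefix) -and
                 ($prefix -ge 0) -and ($prefix -le 32)
        if (-not $valid) { $problems.Add("Subnet '$($subnet.Name)' is not a valid IPv4 CIDR"); continue }
        $bytes = $ip.GetAddressBytes(); [Array]::Reverse($bytes)
        $addr  = [BitConverter]::ToUInt32($bytes, 0)
        $mask  = [uint32]((0xFFFFFFFF -shl (32 - $prefix)) -band 0xFFFFFFFF)
        if (($addr -band $mask) -ne $addr) { $problems.Add("Subnet '$($subnet.Name)' has host bits set") }
    }
    foreach ($link in $Data.SiteLinks)
    {
        if (@($link.Sites).Count -lt 2) { $problems.Add("Site link '$($link.Name)' needs at least two sites") }
        foreach ($s in $link.Sites) { if ($s -notin $siteNames) { $problems.Add("Site link '$($link.Name)' references unknown site '$s'") } }
    }
    return ,$problems
}

Configuration ADSSFromData
{
    param ([Parameter(Mandatory)] [string] $DataPath)
    Import-DscResource -ModuleName ActiveDirectoryDsc -ModuleVersion 4.0.0.0
    $data = Get-Content -Path $DataPath -Raw | ConvertFrom-Json

    node localhost
    {
        foreach ($site in $data.Sites)
        {
            ADReplicationSite $site.Name
            {
                Name   = $site.Name
                Ensure = 'Present'
            }
        }
        foreach ($subnet in $data.Subnets)
        {
            $id = $subnet.Name -replace '[./]', '_'   # '.' and '/' are awkward in MOF instance names
            ADReplicationSubnet $id
            {
                Name      = $subnet.Name
                Site      = $subnet.Site
                Ensure    = 'Present'
                DependsOn = "[ADReplicationSite]$($subnet.Site)"
            }
        }
        foreach ($link in $data.SiteLinks)
        {
            ADReplicationSiteLink $link.Name
            {
                Name                          = $link.Name
                SitesIncluded                 = [string[]] $link.Sites
                Cost                          = $link.Cost
                ReplicationFrequencyInMinutes = $link.Frequency
                Ensure                        = 'Present'
                DependsOn                     = [string[]] ($link.Sites | ForEach-Object { "[ADReplicationSite]$_" })
            }
        }
    }
}

# Usage: validate, then compile. Nothing touches AD until the MOF is applied or published to the pull server.
$dataPath = Join-Path $env:TEMP 'ADSites.json'
Set-Content -Path $dataPath -Value $sampleJson
$problems = Test-ADSiteData -Data (Get-Content -Path $dataPath -Raw | ConvertFrom-Json)
if ($problems.Count -gt 0) { throw ("Site data rejected:`n" + ($problems -join "`n")) }
ADSSFromData -DataPath $dataPath -OutputPath (Join-Path $env:TEMP 'ADSSFromData')
```

The point of splitting data from configuration is that the pull request the network team raises only ever contains JSON, so a reviewer can see exactly which subnet is moving to which site, and the validation runs on the build agent rather than on a domain controller. The same compiled MOF can be assigned to a domain controller in each forest, which is what keeps the forests in step.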

Now you can check this in to source control, run your pipeline/deployment tasks, and the new sites will be provisioned by whichever domain controllers are assigned the configuration. Add branch protection so that nobody can commit directly to master and every change has to go through a pull request and review; those reviewers are now effectively approving Tier-0 changes. You can take it further by writing and running Pester tests to ensure that the MOF compiles correctly, and contains what you expect, before publishing.
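As an added example of the Pester gate mentioned above (my test, not from the original post), the following compiles the ADSS configuration in a temporary directory and checks the resulting MOF. It assumes the configuration is saved as ADSS.ps1 beside this test file with the trailing ADSS call removed, so that dot-sourcing the file only defines the configuration, and it uses Pester 5 syntax.

```powershell
# Added example, not from the original post. Assumes the ADSS configuration is saved as ADSS.ps1 beside this
# test file (ADSS.Tests.ps1) without the trailing 'ADSS' call, so dot-sourcing it only defines the configuration.
# Pester 5 syntax; run with Invoke-Pester in the pipeline before anything is published.
Describe 'ADSS configuration' {
    BeforeAll {
        . (Join-Path $PSScriptRoot 'ADSS.ps1')
        $script:outDir    = Join-Path $TestDrive 'ADSS'
        $script:mofFiles  = @(ADSS -OutputPath $script:outDir)
        $script:mof       = Get-Content -Path (Join-Path $script:outDir 'localhost.mof') -Raw
        # Split the MOF into resource instances so individual tests can reason about them
        $script:instances = $script:mof -split 'instance of '
    }

    It 'compiles to a single localhost MOF' {
        $script:mofFiles | Should -HaveCount 1
        $script:mofFiles[0].Name | Should -Be 'localhost.mof'
    }

    It 'defines each expected site' {
        foreach ($site in 'HeadOffice', 'SeattleOffice', 'NewYorkOffice') {
            $script:mof | Should -Match ('ResourceID\s*=\s*"\[ADReplicationSite\]{0}"' -f [regex]::Escape($site))
        }
    }

    It 'points every subnet at a site defined in the same MOF' {
        $sites = foreach ($i in $script:instances) {
            if ($i -match 'ResourceID\s*=\s*"\[ADReplicationSite\]' -and $i -match '(?m)^\s*Name\s*=\s*"([^"]+)"') { $Matches[1] }
        }
        $targets = foreach ($i in $script:instances) {
            if ($i -match 'ResourceID\s*=\s*"\[ADReplicationSubnet\]' -and $i -match '(?m)^\s*Site\s*=\s*"([^"]+)"') { $Matches[1] }
        }
        $targets | Should -Not -BeNullOrEmpty
        foreach ($t in $targets) { $t | Should -BeIn $sites }
    }

    It 'removes nothing' {
        # A data mistake that flips Ensure to Absent would delete a site or subnet from every forest using this
        # configuration; a deliberate decommission should update this test in the same pull request
        $script:mof | Should -Not -Match 'Ensure\s*=\s*"Absent"'
    }
}
```

In the pipeline, run Invoke-Pester as a build step and only publish with Import-AzAutomationDscConfiguration and Start-AzAutomationDscCompilationJob when it passes; a compile failure or a dangling Site reference then stops at the build agent instead of surfacing as a failed consistency check on a domain controller.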

Why am I getting excited about all this? Well, given it's all on GitHub, you can see the changes that are coming. First I have a PR for adding the description to a site, I have done the work to add description to subnets, and I will shortly be working on adding the Change Notification Replication setting to DSC. Making it all easier to configure and control.
