You are an Active Directory architect for your organization. The domain consists of two sites, each of which contains three Windows Server 2008 R2 domain controllers.
You take a domain controller named DC01 offline for maintenance, and you note that intersite Active Directory replication immediately fails. You run repadmin /kcc in both sites to force the KCC to run on all DCs, yet intersite replication still fails.
Which of the following statements best explains the root cause of this problem?
A. The sites use the SMTP replication transport instead of RPC over IP.
B. DC01 is configured as the preferred bridgehead server for its site.
C. Kerberos V5 authentication is not in use in the domain.
D. Site link bridging is disabled.
The Correct Answer, Explanation, and Analysis
The correct answer is B. By default, the Knowledge Consistency Checker (KCC), an Active Directory component that runs on every domain controller, nominates one DC from each site as the bridgehead server. The bridgehead server in a site is the designated point of contact for intersite replication.
In order to exert more control over the consumption of system resources or to fine-tune replication topology, an administrator can modify the properties of a domain controller in the Active Directory Sites and Services console to specify that server as the preferred bridgehead server. This is shown in the following screenshot.
[Screenshot: Specifying a preferred bridgehead server]
The downside to manually configuring a preferred bridgehead server is that the KCC will not fail over to another DC in the event that the preferred bridgehead goes offline, which is the scenario we face in this practice item.
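The following PowerShell is an added example, not code from the original post: it enumerates every server object in the Configuration partition that an administrator has pinned as a preferred bridgehead (the populated bridgeheadTransportList attribute is what the Sites and Services checkbox sets), warns when a site depends on a single pinned bridgehead, and offers a dry-run-capable way to clear the setting so the KCC can choose (and fail over) on its own again. It assumes the ActiveDirectory RSAT module is installed and that the account running it can read, and for the clearing step write, the Configuration naming context; the function names are my own.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module
# and rights on the Configuration partition. Function names are assumptions.
Import-Module ActiveDirectory

function Get-PreferredBridgehead {
    # Server objects live under CN=Sites in the Configuration naming context.
    # A non-empty bridgeheadTransportList marks the server as a preferred
    # bridgehead for the listed transport(s), e.g. CN=IP or CN=SMTP.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase "CN=Sites,$configNC" `
                 -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))' `
                 -Properties bridgeheadTransportList |
        ForEach-Object {
            # DN shape: CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
            $parts = $_.DistinguishedName -split ','
            [PSCustomObject]@{
                Server     = $_.Name
                Site       = $parts[2] -replace '^CN='
                Transports = (@($_.bridgeheadTransportList) |
                                ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
                DN         = $_.DistinguishedName
            }
        }
}

function Clear-PreferredBridgehead {
    # Clearing the attribute returns the server to "not preferred"; the KCC then
    # picks a bridgehead for the site itself and can fail over if that DC goes down.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DN
    )
    process {
        if ($PSCmdlet.ShouldProcess($DN, 'Clear bridgeheadTransportList')) {
            Set-ADObject -Identity $DN -Clear bridgeheadTransportList
        }
    }
}

# --- usage ---
$preferred = Get-PreferredBridgehead
$preferred | Format-Table Server, Site, Transports -AutoSize

# A site with exactly one pinned bridgehead is the scenario in the question:
# take that DC offline and intersite replication for the site stops.
$preferred | Group-Object Site | Where-Object Count -eq 1 | ForEach-Object {
    Write-Warning ("Site '{0}' relies on a single preferred bridgehead ({1}); " +
                   "taking it offline halts intersite replication for that site." -f
                   $_.Name, $_.Group[0].Server)
}

# Remediation, dry run first; drop -WhatIf once the list has been reviewed.
# $preferred | Clear-PreferredBridgehead -WhatIf
# Then force a KCC pass and confirm which bridgeheads are actually in use:
# repadmin /kcc
# repadmin /bridgeheads
```

Running the first two steps before scheduled DC maintenance turns this exam scenario into a routine pre-check: if the DC you are about to take down appears in the output as the only preferred bridgehead for its site, either clear the setting or designate a second preferred bridgehead in that site first.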
The reason why choice A is incorrect is that we cannot use SMTP to replicate Active Directory. Remember that we must not read into Microsoft certification exam items—stick to what is explicitly stated. The scenario states that we had AD replication occurring just fine until we took DC01 offline. Thus, we can presume that we are using RPC over IP as our default replication transport.
Choice C is incorrect because the choice is simply a red herring—the presence or absence of the Kerberos V5 authentication protocol has nothing to do with the scenario under consideration.
Finally, choice D is incorrect because site link bridging won’t have any effect in this scenario. We recall that Active Directory site links are transitive, or bridged, by default. What this means is that if we have site 1 and site 2 connected by one site link and site 2 and site 3 connected by a second site link, DCs in site 1 and site 3 can exchange AD changes just fine by means of site link bridging.
However, because we have only two sites specified in this scenario, site link bridging is completely beside the point.
Bottom line: In order to be successful on Microsoft certification exams, you need to have enough theory under your belt in order to be able to rule out “red herring” distractors. You also need critical reasoning skills to tease apart multiple plausible choices to isolate the correct one.
Conclusion
I hope that you found working through this sample practice question to be fruitful to your certification studies. If you remain unclear on how site topology and Active Directory replication work, then see the companion piece that I mentioned at the beginning of this blog post. You are also free to leave your questions, comments, and concerns in the comments portion of this post.
The topic of my next post in this series is the Global Catalog subobjective.