Active Directory Replication - PowerPoint PPT Presentation

Slides: 36
Provided by: zz992


1
Chapter 8
  • Active Directory Replication

2
Objectives
  • Describe and understand how Active Directory
    replication works
  • Describe the Active Directory replication
    topology
  • Manage and monitor Active Directory replication
  • Understand the role of operations masters
  • Troubleshoot Active Directory replication

3
The Replication Process
  • Active Directory uses a multi-master model for
    replication
  • Replication is performed at the attribute level
  • Two domain controllers (DCs) in the same domain
    can show different information due to latency
  • The database reaches convergence once
    replications have finished

4
Tracking Replication
  • DCs track object changes using Update Sequence
    Numbers (USNs)
  • The changed objects and attributes are stamped
    with a USN
  • Each DC maintains a table that lists the USNs it
    has received from the other DCs
  • An update is required if the USN on the source DC
    is higher (newer) than the last USN seen on the
    destination server

5
Replication Timing
  • Intra-site replication is automatic and cannot be
    scheduled or compressed
  • The DC will wait a few seconds after the first
    change
  • A DC will send a notification of change to each
    of its replication partners
  • Small changes made at almost the same time are
    collected into batches
  • Inter-site replication is time-based and is
    determined by a schedule set in a site link

6
Urgent Replication
  • No delay between updates is observed
  • Triggered by
    • An account lockout
    • A Local Security Authority (LSA) secret change
    • The relative identifier (RID) master role is
      assigned to a new server

7
Password Replication
  • Passwords need to be synchronized between DCs
    more frequently than the default
  • Each domain has one DC that holds the role of
    primary domain controller (PDC) emulator
  • A password change is replicated immediately to
    the PDC emulator
  • A logon with an incorrect password prompts the
    authenticating DC to contact the PDC emulator to
    check for a password change

8
Replication Topology
  • A replication topology is the combination of
    paths used to replicate changes between DCs
  • Active Directory information is divided into
    partitions, also called naming contexts (NCs)
    • Schema partition
    • Configuration partition
    • Domain partition
    • Application partition (optional)

9
Replication Topology (continued)
  • Every DC holds a replica of the schema and
    configuration partition
  • Every DC in a single domain holds a replica of
    its specific domain partition

10
Intra-site Replication
  • The Knowledge Consistency Checker (KCC) creates
    the replication topology automatically
  • The default replication topology is a
    bidirectional ring
  • The KCC ensures that no more than three hops are
    required to replicate a change
  • The KCC automatically creates additional
    connection objects to ensure replication is
    successful

11
Automatically Generated Connection Objects
12
Inter-site Replication
  • The inter-site replication topology is generated
    by the KCC
  • The first DC in a site will take on the role of
    Intersite Topology Generator (ISTG)
  • The ISTG is responsible for choosing a bridgehead
    server

13
Replication Updates
  • An originating update is a change made on the
    local DC
  • A replicated update is a change made through
    replication

14
Replication Updates (continued)
  • Propagation dampening prevents the same update
    from being applied more than once
  • An up-to-dateness vector is a list of DCs, each
    paired with the last originating USN received from
    that DC
  • The source DC checks the destination's
    up-to-dateness vector to determine which changes
    the destination has already received

15
Replication Conflicts
  • Replicating at the attribute level minimizes
    replication conflicts
  • A timestamp is used to resolve a conflict when
    the same attribute is changed on the same object
    at the same time on two different DCs
  • The update with the highest globally unique
    identifier (GUID) is used when the timestamps are
    the same
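Slides 4, 14 and 15 give the rules a DC follows when it pulls changes from a partner. The Python model below is an added example, not code from the presentation or from Windows; it also applies the per-attribute version check that AD performs before the timestamp and GUID tie-breaks. DC names, object names and timestamps are constructed.

```python
import uuid
from dataclasses import dataclass

# Constructed teaching model of the slides' rules (USN stamping, up-to-dateness
# vectors for propagation dampening, attribute-level conflict resolution).
# Not Microsoft's code; the per-partner high-water mark real DCs keep is omitted.
@dataclass(frozen=True)
class Change:
    obj: str
    attr: str
    value: str
    version: int     # per-attribute version, bumped on each originating write
    stamp: float     # originating timestamp
    origin: str      # invocation ID (a GUID) of the originating DC
    origin_usn: int  # USN the originating DC assigned to this write

def wins(new: Change, old: Change) -> bool:
    """AD tie-break order: version, then timestamp, then originating GUID."""
    return (new.version, new.stamp, new.origin) > (old.version, old.stamp, old.origin)

class DC:
    def __init__(self, name: str):
        self.name, self.guid, self.usn = name, str(uuid.uuid4()), 0
        self.data = {}  # (obj, attr) -> Change currently held in this replica
        self.utd = {}   # origin GUID -> highest originating USN already seen

    def write(self, obj: str, attr: str, value: str, stamp: float) -> Change:
        """Originating update: stamp the attribute with a fresh local USN."""
        self.usn += 1
        prev = self.data.get((obj, attr))
        ch = Change(obj, attr, value, prev.version + 1 if prev else 1,
                    stamp, self.guid, self.usn)
        self.data[(obj, attr)] = ch
        self.utd[self.guid] = self.usn
        return ch

    def replicate_from(self, source: "DC") -> int:
        """Replicated update: pull the source's changes, dampening ones seen."""
        applied = 0
        # Ascending per origin so the watermark never skips a lower USN.
        for ch in sorted(source.data.values(), key=lambda c: (c.origin, c.origin_usn)):
            if ch.origin_usn <= self.utd.get(ch.origin, 0):
                continue  # propagation dampening: already received via another path
            old = self.data.get((ch.obj, ch.attr))
            if old is None or wins(ch, old):
                self.data[(ch.obj, ch.attr)] = ch
                applied += 1
            self.utd[ch.origin] = ch.origin_usn
        return applied
```

Replicating DC1 to DC2, DC2 to DC3 and then DC1 to DC3 shows the third pull applying nothing, and two DCs changing the same attribute with equal timestamps converge on the value from the DC with the higher GUID.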

16
Managing Active Directory Replication
  • All DCs are placed in the same site by default
  • Additional sites should be created if some DCs or
    client computers are connected through a wide
    area network (WAN) link

17
Managing Active Directory Replication (continued)
  • A site link is used to control the replication of
    Active Directory changes from one site to another
  • The network transport can be Remote Procedure
    Call (RPC) or Simple Mail Transfer Protocol
    (SMTP)
  • Member sites must use the same replication
    protocol
  • Costs are used to assign priorities to site links
  • Site link schedules can be customized
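Slide 17 says costs rank site links. The Python below is an added example, not from the slides and not the KCC's own algorithm (which builds a spanning tree rather than one path); it expands each site link into the pairs of member sites it connects and finds the lowest-cost route between two sites. Site names and costs are constructed.

```python
import heapq
from itertools import combinations

# Constructed sample site links: name -> (member sites, cost). A site link may
# contain more than two sites; each pair of members is reachable at that cost.
SITE_LINKS = {
    "HQ-WAN":     ({"HQ", "Branch1", "Branch2"}, 100),
    "HQ-DR":      ({"HQ", "DR"}, 200),
    "Branch2-DR": ({"Branch2", "DR"}, 50),
}

def build_graph(site_links):
    """Expand multi-site links into an adjacency list of (cost, site, link)."""
    graph = {}
    for name, (sites, cost) in site_links.items():
        for a, b in combinations(sorted(sites), 2):
            graph.setdefault(a, []).append((cost, b, name))
            graph.setdefault(b, []).append((cost, a, name))
    return graph

def least_cost_route(site_links, src, dst):
    """Dijkstra over site link costs; returns (total cost, [site, link, site, ...])
    or None when no chain of site links joins the two sites."""
    graph = build_graph(site_links)
    best = {src: (0, [src])}
    heap = [(0, src, [src])]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if cost > best[site][0]:
            continue  # stale queue entry
        for step, nxt, link in graph.get(site, []):
            new_cost = cost + step
            if nxt not in best or new_cost < best[nxt][0]:
                best[nxt] = (new_cost, path + [link, nxt])
                heapq.heappush(heap, (new_cost, nxt, path + [link, nxt]))
    return None
```

With the sample links, Branch1 reaches DR through Branch2 at cost 150 rather than through HQ at cost 300.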

18
Creating a New Site
19
Replication Message
20
Site Link Properties
21
Sample Replication Schedule
22
Replication Schedule To Be Configured
23
Monitoring Active Directory Replication (continued)
  • The Active Directory Replication Monitor can be
    used to
    • Monitor replication traffic between DCs
    • Display a list of DCs in a domain
    • Verify replication topology
    • Manually force replication
    • Check a DC's current USN and unreplicated objects
    • Display bridgehead servers and trusts

24
Active Directory Replication Monitor Window
25
Adding a New Server Explicitly in Replication Monitor
26
Adding a Server by Searching Active Directory in Replication Monitor
27
Configuring Report Options
28
Operations Masters
  • Specific servers, called operations masters, are
    designated to perform certain types of updates
  • The schema master is the only source for
    originating updates to the schema partition
  • By default, the first DC in the forest will be
    the schema master
  • The domain naming master is responsible for
    controlling the addition and removal of domains
    in the forest
  • A domain naming master must be a Global Catalog
    (GC) server

29
Operations Masters (continued)
  • The RID master generates RIDs and distributes a
    range of them to each DC
  • By default, the first DC in a domain is the RID
    master
  • A PDC emulator performs a variety of tasks for
    backward compatibility
    • Acts as a PDC to Windows NT backup domain
      controllers (BDCs)
    • Allows a user logged on to a pre-Windows 2000
      client to change his or her domain password
  • Each DC in a domain synchronizes its time with
    the PDC emulator
  • Password changes for a domain are replicated to
    the PDC emulator first

30
Operations Masters (continued)
  • The infrastructure master is responsible for
    updating references in groups to objects in other
    domains
  • The infrastructure master should not also be a GC
    server

31
Troubleshooting Active Directory Replication
  • Slow replication between sites
    • Caused by slow WAN links
    • Manually configured site links
  • DNS errors
    • Verify that all DCs can be resolved in Domain
      Name System (DNS)
  • Stopped replication between sites
    • Failed WAN links
    • No site link is configured

32
Troubleshooting Active Directory Replication (continued)
  • Time differences between servers
    • Reset the time properly
  • Excessive network traffic
    • Upgrade to a faster network
    • Build a dedicated segment between DCs for Active
      Directory traffic
  • Slow authentication when using new passwords
    • Change passwords using a DC that is local to the
      user
    • Move the PDC emulator to a location with faster
      network connectivity

33
Chapter Summary
  • Active Directory uses a multi-master model for
    replication
  • Replication of changes is performed at the
    attribute level
  • Intra-site replication occurs every five minutes
    via RPC and cannot be compressed. Inter-site
    replication is controlled with site links, and
    can be done via RPC or SMTP transports

34
Chapter Summary (continued)
  • Urgent replication is performed immediately
    within a site but is limited by site links
    between sites
  • Password changes are replicated immediately to
    the PDC emulator for a domain, regardless of site
    links. Standard intra-site and inter-site
    replication is issued to synchronize password
    changes with other DCs
  • The replication topology for inter-site and
    intra-site replication is created by the KCC

35
Chapter Summary (continued)
  • Replicating attribute-level changes minimizes
    replication conflicts
  • Active Directory Replication Monitor can be used
    to view both intra-site and inter-site
    replication information
  • Operations masters are used for critical Active
    Directory operations that cannot be trusted to
    multi-master replication