Hands-On Microsoft Server 2003 Windows Active Directory

Chapter 8
Active Directory Replication

Objectives
Describe and understand how Active Directory replication works Describe the Active Directory replication topology Manage and monitor Active Directory replication Understand the role of operations masters Troubleshoot Active Directory replication
Hands-On Microsoft Windows Server 2003 Active Directory

The Replication Process

Active Directory uses a multi-master model for replication Replication is performed at the attribute level Two domain controllers (DCs) in the same domain can show different information due to latency The database reaches convergence once replications have finished
Hands-On Microsoft Windows Server 2003 Active Directory

Tracking Replication
DCs track object changes using Update Sequence Numbers (USNs) The changed objects and attributes are stamped with a USN Each DC maintains a table that lists the USNs it has received from the other DCs An update is required if the USN on the source DC is higher (newer) than the last USN seen on the destination server
Hands-On Microsoft Windows Server 2003 Active Directory

Replication Timing
Intra-site replication is automatic and cannot be scheduled or compressed The DC will wait a few seconds after the first change A DC will send a notification of change to each of its replication partners Small changes made at almost the same time are collected into batches Inter-site replication is time-based and is determined by a schedule set in a site link
Hands-On Microsoft Windows Server 2003 Active Directory

Urgent Replication
No delay between updates is observed Triggered by:
An account lockout A Local Security Authority (LSA) secret change The relative identifier (RID) master role is assigned to a new server

Hands-On Microsoft Windows Server 2003 Active Directory

Password Replication
Passwords need to be synchronized between DCs more frequently than the default Each domain has one DC that holds the role of primary domain controller (PDC) emulator A password change is replicated immediately to the PDC emulator A logon with an incorrect password prompts the authenticating DC to contact the PDC emulator to check for a password change
Hands-On Microsoft Windows Server 2003 Active Directory

Replication Topology
A replication topology is the combination of paths used to replicate changes between DCs Active Directory information is divided into partitions or NCs
Schema partition Configuration partition Domain partition Application partition (optional)
Hands-On Microsoft Windows Server 2003 Active Directory

Replication Topology (continued)

Every DC holds a replica of the schema and configuration partition Every DC in a single domain holds a replica of its specific domain partition

Hands-On Microsoft Windows Server 2003 Active Directory

Intra-site Replication
The Knowledge Consistency Checker (KCC) creates the replication topology automatically The default replication topology is a bidirectional ring The KCC ensures that no more than three hops are required to replicate a change The KCC automatically creates additional connection objects to ensure replication is successful
Hands-On Microsoft Windows Server 2003 Active Directory

10

Automatically Generated Connection Objects

Hands-On Microsoft Windows Server 2003 Active Directory

11

Inter-site Replication
The inter-site replication topology is generated by the KCC The first DC in a site will take on the role of Intersite Topology Generator (ISTG) The ISTG is responsible for choosing a bridgehead server

Hands-On Microsoft Windows Server 2003 Active Directory

12

Replication Updates
An originating update is a change made on the local DC A replicated update is a change made through replication

Hands-On Microsoft Windows Server 2003 Active Directory

13

Replication Updates (continued)

Propagation dampening prevents updates from happening more than once
An up-to-dateness vector is a list of DC pairs and the last USN received from each The source DC checks its up-to-dateness vector to determine if the destination has received changes

Hands-On Microsoft Windows Server 2003 Active Directory

14

Replication Conflicts
Replicating at the attribute level minimizes replication conflicts A timestamp is used to resolve a conflict when the same attribute is changed on the same object at the same time on two different DCs The update with the highest globally unique identifier (GUID) is used when the timestamps are the same
Hands-On Microsoft Windows Server 2003 Active Directory

15

Managing Active Directory Replication

All DCs are placed in the same site by default Additional sites should be created if some DCs or client computers are connected through a wide area network (WAN) link

Hands-On Microsoft Windows Server 2003 Active Directory

16

Managing Active Directory Replication (continued)

A site link is used to control the replication of Active Directory changes from one site to another
The network transport can be Remote Procedure Call (RPC) or Simple Mail Transfer Protocol (SMTP) Member sites must use the same replication protocol Costs are used to assign priorities to site links Site link schedules can be customized
Hands-On Microsoft Windows Server 2003 Active Directory

17

Creating a New Site

Hands-On Microsoft Windows Server 2003 Active Directory

18

Replication Message

Hands-On Microsoft Windows Server 2003 Active Directory

19

Site Link Properties

Hands-On Microsoft Windows Server 2003 Active Directory

20

Sample Replication Schedule

Hands-On Microsoft Windows Server 2003 Active Directory

21

Replication Schedule To Be Configured

Hands-On Microsoft Windows Server 2003 Active Directory

22

Monitoring Active Directory Replication (continued)

The Active Directory Replication Monitor can be used to:
Monitor replication traffic between DCs Display a list of DCs in a domain Verify replication topology Manually force replication Check a DCs current USN and unreplicated objects Display bridgehead servers and trusts
Hands-On Microsoft Windows Server 2003 Active Directory

23

Active Directory Replication Monitor Window

Hands-On Microsoft Windows Server 2003 Active Directory

24

Adding a New Server Explicitly in Replication Monitor

Hands-On Microsoft Windows Server 2003 Active Directory

25

Adding a Server by Searching Active Directory in Replication Monitor

Hands-On Microsoft Windows Server 2003 Active Directory

26

Configuring Report Options

Hands-On Microsoft Windows Server 2003 Active Directory

27

Operations Masters
Specific servers, called operations masters, are designated to perform certain types of updates The schema master is the only source for originating updates to the schema partition
By default, the first DC in the forest will be the schema master

The domain naming master is responsible for controlling the addition and removal of domains in the forest
A domain naming master must be a Global Catalog (GC) server
Hands-On Microsoft Windows Server 2003 Active Directory

28

Operations Masters (continued)

The RID master generates RIDs and distributes a range of them to each DC
By default, the first DC in a domain is the RID master

A PDC emulator performs a variety of tasks for backward compatibility

Acts as a PDC to Windows NT Backup domain controllers (BDCs) Allows user logged on to a pre-Windows 2000 client to change his or her domain password Each DC in a domain synchronizes its time with the PDC emulator Password changes for a domain are replicated to the PDC emulator first
Hands-On Microsoft Windows Server 2003 Active Directory

29

Operations Masters (continued)

The infrastructure master is responsible for updating references in groups to objects in other domains
The infrastructure master should not also be a GC server

Hands-On Microsoft Windows Server 2003 Active Directory

30

Troubleshooting Active Directory Replication

Slow replication between sites
Caused by slow WAN links Configured site links manually

DNS errors
Verify that all DCs can be resolved in Domain Name System (DNS)

Stopped replication between sites

Failed WAN links No site link is configured
Hands-On Microsoft Windows Server 2003 Active Directory

31

Troubleshooting Active Directory Replication (continued)

Time differences between servers
Reset the time properly

Excessive network traffic

Upgrade to a faster network Build a dedicated segment between DCs for Active Directory traffic

Slow authentication when using new passwords

Change passwords using a DC that is local to the user Move the PDC emulator to a location with faster network connectivity
Hands-On Microsoft Windows Server 2003 Active Directory

32

Chapter Summary
Active Directory uses a multi-master model for replication Replication of changes is performed at the attribute level Intra-site replication occurs every five minutes via RPC and cannot be compressed. Inter-site replication is controlled with site links, and can be done via RPC or SMTP transports

Hands-On Microsoft Windows Server 2003 Active Directory

33

Chapter Summary (continued)

Urgent replication is performed immediately within a site but is limited by site links between sites Password changes are replicated immediately to the PDC emulator for a domain, regardless of site links. Standard intra-site and inter-site replication is issued to synchronize password changes with other DCs The replication topology for inter-site and intrasite replication is created by the KCC
Hands-On Microsoft Windows Server 2003 Active Directory

34

Chapter Summary (continued)

Replicating attribute-level changes minimizes replication conflicts Active Directory Replication Monitor can be used to view both intra-site and inter-site replication information Operations masters are used for critical Active Directory operations that cannot be trusted to multi-master replication

Hands-On Microsoft Windows Server 2003 Active Directory

35