active directory replication - ronak


  • 8/8/2019 Active Directory Replication - Ronak

    1/32

ACTIVE DIRECTORY REPLICATION

Course: Network Operating System. Done by: Ronak S Aswaney, ID: 0710229.

Date: 15/02/10.


    2/32

Objectives

Describe how Active Directory identifies data that needs to be replicated.

Understand each process that is carried out to identify the data to be replicated.


    3/32

    Identifying Data to Replicate

    Identify Domain Controllers

    Update Sequence Number

    High-watermark Value

    Up-to-dateness Vector

    Propagation Dampening

    Conflict Resolution


    4/32

Identifying Data to Replicate - Introduction

Active Directory uses a multi-master model for replication.

This means you can make changes to Active Directory on any domain controller.

Those changes are then replicated to the other domain controllers.

When you make a change to Active Directory, such as adding a new user or changing a user's telephone number, the replication process begins.

Replication is performed at the attribute level, not the object level.

For example, if a user's fax number is changed, only the new fax number of the user is replicated; the other attributes of the user weren't changed. This makes the replication process very efficient.


    5/32

Identifying Data to Replicate - Introduction

Replication involves two types of updates:

Originating Updates

An originating update is a change to Active Directory that was made on the local domain controller. For example, if a user's password is changed on DC1, then it is an originating update on DC1.

Replicated Updates

A replicated update is a change that was made through replication. For example, if a user's password is changed on DC1 and the change is replicated to DC2, then it is a replicated update on DC2.


    6/32

Identifying Data to Replicate - Introduction

Active Directory doesn't rely on a time-based system to replicate directory changes.

Time-based systems have a lot of drawbacks.

E.g. if clocks get unsynchronized, or a clock lags or stops, this will cause data to be lost or the directory to become corrupt.

Active Directory uses another method:

The domain controllers track objects using Update Sequence Numbers (USNs).

Each DC maintains its own USN counter, which is independent from all other domain controllers. Every time the Active Directory database on a DC is modified, the USN is incremented by one and the updated object and attributes are stamped with the USN.


    7/32

Identifying Data to Replicate - Introduction

The use of the multi-master model does introduce an additional consideration.

It makes it possible for two domain controllers in the same domain to show different information, even for the same object.

This is caused by latency, which is the idea that the replication process takes some time.

The latency could be only a few seconds or possibly a few minutes. In large, geographically dispersed networks, the latency could be hours.

Once replication has finished and all the domain controllers contain the same information for every object, the directory database is said to have reached convergence.


    8/32

Identify Domain Controllers

What is a Domain Controller? A network server which holds a directory database that manages user access to a network, which includes logging on, authentication, and access to the network resources.

There are several identifiers for a domain controller:

NTDS Settings Server Object

Server GUID

Database GUID


    9/32

NTDS Settings Server Object

The NTDS Settings Server object:

is contained in the configuration partition.

It identifies the server as a domain controller.

You can access the object by using Active Directory Sites and Services.

It holds a link to the domain controller's computer account and cannot be deleted by an administrator on the local computer.


    10/32

Server GUID / Database GUID

The server globally unique identifier (GUID) is used to identify replication partners.

The database GUID is used by domain controllers to identify other domain controllers during replication requests.

The database GUID changes if a domain controller is restored from backup, in order to ensure that changes are replicated correctly.


    11/32

Update Sequence Number

The USN is a 64-bit number used to identify changes to data in Active Directory.

Each object in the directory has two USNs: one set when the object is created, and one set every time the object is updated.

Also, each attribute of an object has two USNs: the first USN is the one assigned by the local domain controller; the second USN is from the domain controller that performed the originating write operation.


    12/32

Update Sequence Number

We will look at the following scenarios:

Creation of new user account.

Replication of new user account.

Updating attribute of user account.

Replicating change of user account's attribute.


    13/32

Creation of new user account

Attribute  USN   Version #  Timestamp            Org. DSA GUID  Org. USN
A          8412  1          2004-08-19 10:23:42  DC1 DSA GUID   8412
B          8412  1          2004-08-19 10:23:42  DC1 DSA GUID   8412
C          8412  1          2004-08-19 10:23:42  DC1 DSA GUID   8412
D          8412  1          2004-08-19 10:23:42  DC1 DSA GUID   8412


    14/32

    Replication of new user account


    15/32

    Updating attribute of user account


    16/32

Replicating change of user account's attribute


    17/32

High-watermark Value

It is used to quickly identify which objects need to be replicated from a specific replication partner for a specific naming context.

A high-watermark table is kept on each DC. The highest USN received from each replication partner is stored in the table.


    18/32

    High-watermark Value

    Example high-watermark table:


    19/32

High-watermark Value

Determining which objects may need to be replicated:

When DC2 requests changes from DC3, it sends the high-watermark value along.

Only objects with a usnChanged value > 1532 will be considered for replication.


    20/32

Up-to-dateness Vector

It helps the source domain controller to filter out attributes that do not need to be replicated.

When a destination domain controller contacts a source domain controller, the destination DC sends its up-to-dateness vector.

This allows the source DC to determine which attributes the destination domain controller does and does not have the updated value for.

The up-to-dateness vector table stores the highest originating USN received from every source DC. It therefore holds information about all the DCs that are interconnected with each other.


    21/32

    Up-to-dateness Vector

Example of up-to-dateness vector table:

What difference did you notice between High-watermark value & up-to-dateness vector?


    22/32

Propagation Dampening

Propagation Dampening?

Propagation dampening is used to prevent unnecessary replication by preventing updates from being sent to servers that are already updated. Up-to-dateness vector tables & high-watermark tables can be used to provide propagation dampening.

We will look at 4 scenarios and examples:

Creation of new user account on a specific DC.

Replication of user account.

DC requests updates from another DC.

DC responding to the request, sending new high-watermark value and vector data.


    23/32

    Creation of new user account on DC4

    No changes are directly made to DC2.


    24/32

Replication of user account to DC4's first replication partner

DC4 notifies DC1 that it has updates.

The user account is then replicated.

Still, no changes are made on DC2.


    25/32

DC2 requests updates from DC1

DC2 sends DC1 the following information when requesting updates:

The naming context to update.

The high-watermark value for DC1 that DC2 holds.

The maximum number of object entries requested.

The maximum number of values requested.

DC2's up-to-dateness vector table.

Still, no changes are made on DC2.


    26/32

DC1 replies back to DC2

DC1 responds with data:

New user account.

New high-watermark value.

Updated vector data. This is when the DC2 table is changed!
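The exchange on the last four slides, worked in Python as an added example that is not part of the original presentation: DC2 asks DC1 for changes, DC1 applies the high-watermark check first and then the up-to-dateness vector (propagation dampening), and returns the updates, the new high-watermark and the vector data that DC2 merges into its own table. The object names, USN values and the DC1/DC2/DC4 labels standing in for DSA GUIDs are all constructed.

```python
from dataclasses import dataclass

@dataclass
class AttrStamp:
    name: str       # attribute name
    orig_dsa: str   # DSA GUID of the DC that made the originating write (constructed labels)
    orig_usn: int   # USN that the originating DC assigned to the write

@dataclass
class DirObject:
    dn: str
    usn_changed: int   # the object's usnChanged on the source DC (its highest local USN)
    attrs: list

def changes_for_partner(source_objs, high_watermark, dest_utd):
    """What the source DC sends back: (updates, new high-watermark for this source).
    dest_utd is the destination's up-to-dateness vector {orig_dsa: highest originating USN}."""
    updates, new_hwm = [], high_watermark
    for obj in sorted(source_objs, key=lambda o: o.usn_changed):
        if obj.usn_changed <= high_watermark:   # high-watermark: not changed since last cycle
            continue
        new_hwm = max(new_hwm, obj.usn_changed)
        # up-to-dateness vector (propagation dampening): skip attribute writes the
        # destination already holds from the DC that originated them
        needed = [a.name for a in obj.attrs if a.orig_usn > dest_utd.get(a.orig_dsa, 0)]
        if needed:
            updates.append((obj.dn, needed))
    return updates, new_hwm

def merge_utd(dest_utd, source_utd):
    """Destination merges the source's vector: keep the higher USN per originating DC."""
    merged = dict(dest_utd)
    for dsa, usn in source_utd.items():
        merged[dsa] = max(merged.get(dsa, 0), usn)
    return merged

def scenario():
    """Constructed walk-through of slides 23-26: DC4 creates a user, DC1 gets it, DC2 asks DC1."""
    dc1_objects = [
        DirObject("CN=Alice", 1900, [AttrStamp("telephoneNumber", "DC1", 1900)]),
        DirObject("CN=Bob", 2103, [AttrStamp("mobile", "DC2", 480)]),    # DC2's own write
        DirObject("CN=NewUser", 2106, [AttrStamp("cn", "DC4", 1001),
                                       AttrStamp("sn", "DC4", 1001)]),  # created on DC4
    ]
    dc1_utd = {"DC1": 2106, "DC2": 500, "DC4": 1001}
    dc2_hwm_for_dc1 = 2100                 # DC2 last pulled from DC1 up to USN 2100
    dc2_utd = {"DC1": 2000, "DC2": 500, "DC4": 990}
    updates, new_hwm = changes_for_partner(dc1_objects, dc2_hwm_for_dc1, dc2_utd)
    return updates, new_hwm, merge_utd(dc2_utd, dc1_utd)
```

Alice is dropped by the high-watermark, Bob's mobile attribute is dampened because DC2 originated it itself, and only the user created on DC4 is sent.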


    27/32

Conflict Resolution

As you all know, the multi-master model allows changes to be made on any domain controller.

What if changes are made to the same object at the same time on different DCs? This causes a conflict, but fortunately Active Directory has built-in safeguards to handle this: conflict resolution.

We will discuss the following situations:

Attribute update conflict.

Move under deleted parent.

New object name conflict.


    28/32

Attribute update conflict

Remember, only the changed attribute is replicated, not the entire object; this itself minimizes replication conflicts.

If the email address of a user is changed on DC1, and the mobile number of the same user is changed on DC2 at the same time, this is NOT a conflict.

A conflict occurs when the same attribute is changed on two different DCs at the same time.

The version, timestamps and originating DSA GUID are used to resolve the conflict.

Initially, the version number is checked. If the version number is higher than the previous one, then it's updated. If the version numbers are the same, then the timestamps are checked. If the timestamps are different, then the change with the later timestamp is written in the directory.

If the timestamps are identical, then the originating DSA GUID is used to decide which change is applied. This is how the conflict is resolved.


    29/32

Move Under Deleted Parent

Say an administrator deleted an organizational unit on DC1.

However, simultaneously another administrator creates a new user account on DC2 in the same organizational unit, which has already been deleted. In this case, the new object created on DC2 will be moved to a lost and found container.

This is one of the conflicts which can take place, and as described above is the method used to resolve this replication conflict.


    30/32

New object name conflict

This occurs when two objects are created with the same distinguished name in the same container on different domain controllers.

Because objects in the same container must have different relative distinguished names, one of the objects is renamed.

The timestamps & originating DSA GUID are used to resolve this issue.

The object with the higher timestamp keeps the original name.

If the timestamps are identical, then the originating DSA GUID is used.
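The attribute update conflict rules (slide 28) and the new object name conflict rules (this slide), worked in Python as an added example that is not from the original presentation. The stamps, attribute values and GUID labels are constructed; ISO 8601 timestamps are used so that string order equals time order.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Stamp:
    version: int     # bumped by each originating write of the attribute
    timestamp: str   # originating time in ISO 8601, so string comparison orders by time
    orig_dsa: str    # originating DSA GUID; constructed labels such as "DC1" stand in here

def incoming_wins(incoming: Stamp, local: Stamp) -> bool:
    """Attribute update conflict: compare version, then timestamp, then originating DSA GUID."""
    if incoming.version != local.version:
        return incoming.version > local.version
    if incoming.timestamp != local.timestamp:
        return incoming.timestamp > local.timestamp
    return incoming.orig_dsa > local.orig_dsa  # identical version and time: the GUID decides

def apply_replicated_update(local_attrs: dict, name: str, value: str, stamp: Stamp) -> bool:
    """Write a replicated attribute only if its stamp beats the local one; True if written.
    Different attributes of the same object never conflict with each other."""
    current = local_attrs.get(name)
    if current is None or incoming_wins(stamp, current[1]):
        local_attrs[name] = (value, stamp)
        return True
    return False

def resolve_name_conflict(rdn: str, stamp_a: Stamp, guid_a: str, stamp_b: Stamp, guid_b: str):
    """New object name conflict: the object with the later timestamp (GUID on a tie) keeps
    the RDN and the other is renamed. Returns (name of A, name of B). The renamed form
    below is a constructed simplification of the marker AD attaches to the loser."""
    a_keeps = incoming_wins(stamp_a, stamp_b)   # both objects are new, so versions are equal
    loser_guid = guid_b if a_keeps else guid_a
    renamed = f"{rdn} CNF:{loser_guid}"
    return (rdn, renamed) if a_keeps else (renamed, rdn)
```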


    31/32

Overview

Identifying Data to Replicate

Identify Domain Controllers

Update Sequence Number

High-watermark Value

Up-to-dateness Vector

Propagation Dampening

Conflict Resolution


    32/32

    ANY QUESTIONS ?

    THANK YOU FOR LISTENING !
