70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Chapter 7: Active Directory Replication
Guide to MCSE 70-294, Enhanced 2
Objectives
• Describe how Active Directory identifies data that needs to be replicated
• Describe how the Active Directory replication topology is generated
• Describe and control when Active Directory replication occurs
Objectives (continued)
• Monitor and troubleshoot Active Directory replication
• Describe SYSVOL and how its replication differs from Active Directory replication
Identifying Data to Replicate
• Active Directory uses multi-master model
  • Changes made on any DC
  • Replicated to all DCs
• Replication is performed at attribute level
  • Not object level
• Replication involves two types of updates:
  • Originating updates
  • Replicated updates
Identifying Data to Replicate (continued)
• Originating update
  • Change made on the local domain controller
• Replicated update
  • Change received through replication from another domain controller
• Update Sequence Numbers (USNs)
  • Used to track changes
  • Each DC maintains its own counter; USNs are not shared between DCs
Identifying Data to Replicate (continued)
• Update Sequence Numbers (USNs)
  • Incremented by one each time a change is written on that DC
  • Updated object and attributes are stamped with the USN
  • Comparing USNs from different domain controllers is meaningless
• Two domain controllers in the same domain can show different information
  • Caused by replication latency, not by an error
Identifying Data to Replicate (continued)
• Convergence
  • All DCs have the same data
  • Replication is complete (for the moment)
Identifying Domain Controllers
• Identifiers for a domain controller:
  • Domain controller’s computer account
  • Records registered in DNS
  • NTDS Settings server object
  • Server GUID
  • Database GUID
Update Sequence Number
• 64-bit number
• Used to identify changes to data
• Each object has:
  • usnCreated: set when the object is created
  • usnChanged: set every time the object is updated
Update Sequence Number (continued)
• Each attribute of an object has two USNs:
  • USN assigned by the local domain controller
  • USN assigned by the domain controller that performed the originating write
Creation of New User Account
Replication of New User Account
Updating Attribute of User Account
Replicating Change of User Account’s Attribute
High-watermark Value
• Used to identify which objects may need to be replicated
• Table on each domain controller
  • Stores, per naming context, the highest USN received from each replication partner
• Source domain controller sends objects whose usnChanged is above the destination’s high-watermark
  • Starting with the object that has the lowest usnChanged value
Up-to-dateness Vector
• Helps the source domain controller filter out attribute values the destination already holds
• Table on each domain controller
  • Stores the highest originating USN received from every DC that has ever made an originating write to the naming context
  • Covers all possible sources of originating updates, not only the DC’s direct replication partners
Determining Which Attributes Need to be Replicated
Propagation Dampening
• Up-to-dateness vector provides propagation dampening
  • An originating write that has already reached the destination through one partner is not sent again by another partner
  • Stops the same change from circulating endlessly around the replication ring
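Worked example, added by the editor and not part of the course slides: a small simulation of the machinery described in the USN, high-watermark, up-to-dateness vector and propagation dampening slides. Three domain controllers form a ring; a user is created and edited on DC1 and the change travels to DC3 via DC2, so that when DC3 later pulls from DC1 directly, DC3’s vector entry for DC1 suppresses the resend. The DC names, the user DN and the idea of keeping one USN per object write are assumptions of this model; real metadata carries invocation IDs and database GUIDs rather than names.

```python
"""Simulation of the change-tracking machinery on these slides: per-DC USNs,
usnChanged, the high-watermark table, the up-to-dateness vector and
propagation dampening. Constructed example, not Microsoft code; DC names
stand in for the invocation IDs / database GUIDs real metadata carries."""
from dataclasses import dataclass


@dataclass
class Stamp:
    """Replication metadata kept with one attribute value."""
    local_usn: int   # USN this DC assigned when it wrote the value
    orig_usn: int    # USN assigned by the DC that made the originating write
    orig_dsa: str    # identity of the originating DC (a GUID in real AD)
    value: str


class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0                   # local counter; comparable only on this DC
        self.objects = {}              # dn -> {"usnChanged": int, "attrs": {attr: Stamp}}
        self.high_watermark = {}       # source DC -> highest source USN pulled from it
        self.utd_vector = {name: 0}    # originating DC -> highest originating USN applied here
        self.applied = 0               # attribute values received through replication

    def _next_usn(self):
        self.usn += 1
        return self.usn

    def originating_write(self, dn, attr, value):
        """A change made locally (originating update): one new local USN."""
        usn = self._next_usn()
        obj = self.objects.setdefault(dn, {"usnChanged": 0, "attrs": {}})
        obj["attrs"][attr] = Stamp(usn, usn, self.name, value)
        obj["usnChanged"] = usn
        self.utd_vector[self.name] = usn

    def changes_for(self, hwm, dest_utd):
        """Source side of a cycle. The destination's high-watermark selects
        objects changed since the last cycle, lowest usnChanged first; its
        up-to-dateness vector drops values whose originating write it has
        already received through another partner (propagation dampening)."""
        updates, dampened = [], 0
        for usn_changed, dn in sorted((o["usnChanged"], dn) for dn, o in self.objects.items()):
            if usn_changed <= hwm:
                continue
            attrs = {}
            for attr, st in self.objects[dn]["attrs"].items():
                if st.local_usn <= hwm:
                    continue                        # sent in an earlier cycle
                if dest_utd.get(st.orig_dsa, 0) >= st.orig_usn:
                    dampened += 1                   # destination already has this write
                    continue
                attrs[attr] = st
            updates.append((dn, attrs))
        return updates, dampened

    def pull_from(self, source):
        """Destination side: pull, apply as replicated updates, then advance the
        high-watermark and merge the source's up-to-dateness vector."""
        hwm = self.high_watermark.get(source.name, 0)
        updates, dampened = source.changes_for(hwm, self.utd_vector)
        received = 0
        for dn, attrs in updates:
            if not attrs:
                continue
            usn = self._next_usn()                  # a replicated update also consumes a local USN
            obj = self.objects.setdefault(dn, {"usnChanged": 0, "attrs": {}})
            for attr, st in attrs.items():
                obj["attrs"][attr] = Stamp(usn, st.orig_usn, st.orig_dsa, st.value)
                self.utd_vector[st.orig_dsa] = max(self.utd_vector.get(st.orig_dsa, 0), st.orig_usn)
                received += 1
            obj["usnChanged"] = usn
        self.applied += received
        self.high_watermark[source.name] = source.usn
        for dsa, u in source.utd_vector.items():
            self.utd_vector[dsa] = max(self.utd_vector.get(dsa, 0), u)
        return received, dampened


def run_scenario():
    """Three DCs in a ring. A user is created and edited on DC1; the change
    reaches DC3 via DC2 before DC3 also pulls from DC1 directly."""
    dc1, dc2, dc3 = DomainController("DC1"), DomainController("DC2"), DomainController("DC3")
    user = "CN=jdoe,OU=Staff,DC=example,DC=com"      # constructed DN
    dc1.originating_write(user, "sAMAccountName", "jdoe")
    dc1.originating_write(user, "description", "Analyst")
    r = {}
    r["dc1->dc2"] = dc2.pull_from(dc1)   # both values sent
    r["dc2->dc3"] = dc3.pull_from(dc2)   # both values sent on, still stamped as DC1's writes
    r["dc1->dc3"] = dc3.pull_from(dc1)   # nothing sent: dampened by DC3's vector entry for DC1
    r["dc2->dc1"] = dc1.pull_from(dc2)   # the change does not bounce back to its originator
    dc2.originating_write(user, "description", "Senior analyst")
    r["dc2->dc1 again"] = dc1.pull_from(dc2)  # only the new write; the untouched attribute sits below the high-watermark
    r["usns"] = (dc1.usn, dc2.usn, dc3.usn)   # counters differ per DC and are not comparable
    r["dc3 vector for DC1"] = dc3.utd_vector["DC1"]
    r["dc1 description"] = dc1.objects[user]["attrs"]["description"].value
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Each pull returns (values applied, values dampened). The third and fourth pulls apply nothing even though the high-watermark alone would have selected the object: the vector, not the watermark, is what stops a write from being delivered twice or returning to the DC that made it.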
Conflict Resolution
• Problems occur when changes are made to the same object at the same time on different domain controllers
• Replicating at the attribute level minimizes replication conflicts
Conflict Resolution (continued)
• Attribute conflicts resolved by comparing, in this order:
  • Version
  • Timestamp
  • Originating DSA GUID
• Move under deleted parent
  • Object automatically moved to the LostAndFound container
Conflict Resolution (continued)
• New object name conflict
  • Two objects are created with the same relative distinguished name
  • One object is renamed to a system-wide unique value
  • Object with the higher version number keeps the name
Determining Replication Topology
• Replication topology
  • Combination of paths used to replicate changes between domain controllers
  • Every naming context has its own
• Connection object
  • Identifies replication partners
  • Unidirectional
  • Does not specify individual naming context
Determining Replication Topology (continued)
• Intra-site replication
  • Process of updating domain controllers within the same site
• Inter-site replication
  • Process of updating domain controllers between sites
Connection Objects
• Logical construct
  • Represents an inbound replication connection from a source domain controller to the domain controller that owns the object
• Created in one of two ways
  • Automatically by:
    • Knowledge Consistency Checker (KCC)
    • Inter-Site Topology Generator (ISTG)
  • Manually by:
    • Active Directory administrator
Connection Objects (continued)
• KCC does not optimize any connection objects created manually
  • Administrator wholly responsible for maintaining manual connections in the event of misconfiguration issues or unavailability
Activity 7-1: Manually Creating Connections
• Objective: This exercise is designed to familiarize you with the process of manually creating replication connection objects
• Manually create a connection using Active Directory Sites and Services
Intra-site Replication
• KCC is responsible for the replication topology within a site
  • Checks the replication topology every 15 minutes
• Attempts to create a replication topology made up of a bidirectional ring
• Adds additional connection objects to ensure that no more than three hops are required between any two DCs in the site
Example Bidirectional Ring Replication Topology with Additional Connectors
Global Catalog Replication
• Global catalog
  • Holds a partial, read-only replica of the domain naming context of every domain in the forest
• Topology generated for replicating a domain’s writable replicas is reused
• Connection objects are added to connect the read-only replicas to that topology
Inter-site Replication
• One domain controller in each site is designated as ISTG
  • Oldest server in the site by default
• Responsible for creating connection objects with domain controllers located in other sites
• Attempts to create the minimum number of connections
• Also responsible (by default) for choosing bridgehead servers
Bridgehead Server
• Used to designate a particular domain controller for inter-site replication purposes
• Has historical (Windows NT) origin
• Functions as the single point of contact in a site for a given naming context
  • All inter-site replication traffic passes between the bridgehead servers at each site
Controlling Replication Frequency
• Main factors that control replication frequency
  • Location of replication partners (same site or different sites)
  • Type of data being replicated
Intra-site Replication Schedule
• Based on a notify-pull process
  • Begins when an object is modified at a domain controller
  • Replication partner pulls updates from the source domain controller
  • Maximum time for an update to propagate within the site: approximately 45 seconds
  • Traffic not compressed by default
Inter-site Replication Schedule
• Time-based
  • Replicating changes at set intervals
  • Default: every 3 hours (180 minutes)
• Data compressed by default
• Replication schedule and replication interval can be set on the site link
Example Site Link Replication Schedule and Interval
Urgent Replication
• Occurs immediately within a site
• Between sites: still observes the normal replication intervals and restrictions
• Trigger events:
  • Account lockout
  • Changing certain policies
  • Local Security Authority (LSA) secret change
  • RID master role assigned to a new server
Password Replication
• Important for passwords to be synchronized between domain controllers
• Password changes are replicated differently than urgent or nonurgent replication
• PDC emulator
  • One domain controller in each domain holds this role
Password Replication (continued)
• Password change is replicated immediately to the PDC emulator
• On failed logon
  • Authenticating domain controller forwards the authentication request to the PDC emulator
  • PDC emulator attempts to authenticate the user
Monitoring and Troubleshooting Replication
• Symptoms of replication failure include
  • Logon failure
  • Other inconsistencies in Active Directory
• Most problems with Active Directory replication are caused by:
  • Administrator error
  • Network infrastructure glitches
Monitoring and Troubleshooting Replication (continued)
• Active Directory Replication Monitor (replmon.exe, from the Windows Support Tools)
  • Monitor replication traffic between domain controllers
  • Display a list of domain controllers in a domain
  • Verify the replication topology
  • Manually force replication
  • Check a domain controller’s current USN and unreplicated objects
  • Display bridgehead servers and trusts
SYSVOL
• Folder called sysvol
  • Created during the promotion of a domain controller
  • Used to share files such as logon scripts and Group Policy templates
  • Stored in %SYSTEMROOT%\SYSVOL\ by default
• File Replication Service (FRS)
  • Used to replicate changes in SYSVOL
SYSVOL Replication
• SYSVOL replication is independent from Active Directory object replication
• Uses File Replication Service (FRS)
  • FRS builds its replication topology to match the connection objects of the domain controller
  • Inter-site replication frequency is controlled by the schedule on the replication partner’s connection object
Troubleshooting SYSVOL Replication
• Check the File Replication Service event log
• Confirm that domain controllers can resolve the fully qualified domain names (FQDNs) of their replication partners
• Confirm the File Replication Service is started
• Check for sufficient disk space
• Check that file(s) are not being filtered out by FRS
Summary
• Active Directory uses multi-master model for replication
• Active Directory uses a system based on update sequence numbers
  • USNs are maintained independently by each domain controller
• Replication topology for intra-site replication is created by the KCC
• Replicating attribute-level changes minimizes replication conflicts
Summary (continued)
• Use Active Directory Replication Monitor to view both intra-site and inter-site replication information
• SYSVOL is a share available on every domain controller in a domain
  • Used to store files such as logon scripts