70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 7: Active Directory Replication

Upload: harrisonaquino

Post on 14-Dec-2014



Guide to MCSE 70-294, Enhanced 2

Objectives

• Describe how Active Directory identifies data that needs to be replicated

• Describe how the Active Directory replication topology is generated

• Describe and control when Active Directory replication occurs


Objectives (continued)

• Monitor and troubleshoot Active Directory replication

• Describe SYSVOL and how its replication differs from Active Directory replication


Identifying Data to Replicate

• Active Directory uses multi-master model

  • Changes made on any DC

  • Replicated to all DCs

• Replication is performed at attribute level

  • Not object level

• Replication involves two types of updates:

  • Originating updates

  • Replicated updates


Identifying Data to Replicate (continued)

• Originating update

  • Change made on local domain controller

• Replicated update

  • Change made through replication

• Update Sequence Numbers (USNs)

  • Used to track changes

  • Unique for each DC


Identifying Data to Replicate (continued)

• Update Sequence Numbers (USNs)

  • Incremented by one when a change is made

  • Updated object and attributes are stamped with the USN

  • Comparing USNs from different domain controllers is meaningless

• It is possible for two domain controllers in the same domain to show different information

  • Caused by latency


Identifying Data to Replicate (continued)

• Convergence

  • All DCs have same data

  • Replication is complete (for the moment)


Identifying Domain Controllers

• Identifiers for domain controller:

  • Domain controller’s computer account

  • Records registered in DNS

  • NTDS Settings Server object

  • Server GUID

  • Database GUID


Update Sequence Number

• 64-bit number

• Used to identify changes to data

• Each object has:

  • usnCreated: set when object is created

  • usnChanged: set every time object is updated


Update Sequence Number (continued)

• Each attribute of object has two USNs:

  • USN for local domain controller

  • USN from domain controller that performed originating write operation


Creation of New User Account: slide 11 is a figure

Replication of New User Account: slide 12 is a figure

Updating Attribute of User Account: slide 13 is a figure

Replicating Change of User Account’s Attribute: slide 14 is a figure

High-watermark Value

• Used to identify which objects may need to be replicated

• Table on each domain controller

  • Stores highest USN from each of the replication partners

• Source domain controller sends updates

  • Starting with object that has lowest usnChanged value

High-watermark Value (continued): slides 16 and 17 are figures

Up-to-dateness Vector

• Helps source domain controller filter out attributes that do not need to be replicated

• Table on each domain controller

  • Stores highest originating USN

  • Based on all possible sources of original updates to a single destination

Up-to-dateness Vector (continued): slide 19 is a figure

Determining Which Attributes Need to be Replicated: slide 20 is a figure

Propagation Dampening

• Up-to-dateness vector can be used to provide propagation dampening

Propagation Dampening (continued): slides 22 to 25 are figures
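As an added illustration that is not part of the slides, here is a small Python model of the metadata described in the High-watermark Value, Up-to-dateness Vector and Propagation Dampening slides: each DC keeps its own USN counter, a high-watermark table and an up-to-dateness vector, and the vector is what lets a source skip a change the destination already received by another path. DC names, attribute names and values are constructed, and the model simplifies the real directory.

```python
# Added toy model (not from the slides) of the replication metadata described above:
# a per-DC USN counter, the high-watermark table and the up-to-dateness vector,
# which together give propagation dampening. DC names and attributes are constructed.
from dataclasses import dataclass, field

@dataclass
class Attr:
    value: str
    usn_changed: int   # local USN stamped when this DC last wrote the attribute
    orig_dc: str       # DC that performed the originating write
    orig_usn: int      # that DC's USN for the originating write

@dataclass
class DC:
    name: str
    usn: int = 0
    attrs: dict = field(default_factory=dict)           # attribute -> Attr
    high_watermark: dict = field(default_factory=dict)  # partner -> highest usnChanged pulled
    utd_vector: dict = field(default_factory=dict)      # originating DC -> highest orig USN applied

    def originating_write(self, attr, value):
        self.usn += 1                                   # every change consumes one local USN
        self.attrs[attr] = Attr(value, self.usn, self.name, self.usn)
        self.utd_vector[self.name] = self.usn

    def pull_from(self, src):
        """Notify-pull: this DC pulls changes from src. Returns (applied, dampened)."""
        hw = self.high_watermark.get(src.name, 0)
        applied, dampened = [], []
        # source sends objects above the destination's high-watermark, lowest usnChanged first
        for name, a in sorted(src.attrs.items(), key=lambda kv: kv[1].usn_changed):
            if a.usn_changed <= hw:
                continue                                # high-watermark: already inspected
            if self.utd_vector.get(a.orig_dc, 0) >= a.orig_usn:
                dampened.append(name)                   # up-to-dateness vector: seen via another path
                continue
            self.usn += 1                               # replicated update still advances local USN
            self.attrs[name] = Attr(a.value, self.usn, a.orig_dc, a.orig_usn)
            self.utd_vector[a.orig_dc] = max(self.utd_vector.get(a.orig_dc, 0), a.orig_usn)
            applied.append(name)
        self.high_watermark[src.name] = src.usn         # everything up to src.usn has been inspected
        return applied, dampened

def ring_demo():
    """Ring A-B-C: a change on A reaches C via B, so C's later pull from A is dampened."""
    a, b, c = DC("DC-A"), DC("DC-B"), DC("DC-C")
    a.originating_write("description", "sales team")
    return b.pull_from(a), c.pull_from(b), c.pull_from(a), c.attrs["description"].orig_usn
```

Note that the USNs of the three DCs end up equal only by coincidence here; as the slides say, comparing USNs across DCs means nothing, and only the (originating DC, originating USN) pair identifies a change.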


Conflict Resolution

• Problems occur

  • When changes are made to the same object at the same time on different domain controllers

• Replicating at the attribute level minimizes replication conflicts


Conflict Resolution (continued)

• Attribute conflicts resolved using:

  • Version

  • Timestamp

  • Originating DSA GUID

• Move under deleted parent

  • Object automatically moved to “lost and found” container


Conflict Resolution (continued)

• New object name conflict

  • Two objects are created with same relative distinguished name

  • One object is renamed

    • To system-wide unique value

  • Object with higher version number keeps name
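The three Conflict Resolution slides above, turned into an added Python example that is not from the slides: an attribute stamp is compared by version first, then timestamp, then originating DSA GUID, so a newer timestamp does not win against a higher version; for a relative distinguished name conflict, the higher version keeps the name. The rename format for the losing object is a constructed placeholder, not the directory's real one.

```python
# Added example (not from the slides) of the conflict rules stated above. An
# attribute stamp is compared by version, then timestamp, then originating DSA
# GUID, and the higher stamp wins; for an RDN conflict the object with the higher
# version keeps the name. The rename format used here is a constructed placeholder,
# not the directory's real one.
from dataclasses import dataclass

@dataclass(frozen=True, order=True)
class Stamp:
    version: int          # incremented on each originating write of the attribute
    timestamp: int        # time of the originating write (whole seconds in this model)
    originating_dsa: str  # GUID of the DC that made the write; final tie-breaker

def resolve_attribute(local: Stamp, incoming: Stamp) -> str:
    """Return "incoming" if the replicated stamp wins, otherwise "local"."""
    # order=True compares fields in declaration order: version, timestamp, GUID
    return "incoming" if incoming > local else "local"

def resolve_rdn_conflict(objects):
    """objects: list of (rdn, object_guid, version) created with the same RDN.
    The highest version keeps the RDN; every other object is renamed to a value
    that is unique because it embeds the object's own GUID."""
    keeper = max(objects, key=lambda o: o[2])
    names = {}
    for rdn, guid, version in objects:
        if guid == keeper[1]:
            names[guid] = rdn
        else:
            names[guid] = f"{rdn}-CONFLICT-{guid}"   # constructed suffix, not the real format
    return names
```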


Determining Replication Topology

• Replication topology

  • Combination of paths used to replicate changes between domain controllers

  • Every naming context has its own

• Connection object

  • Identifies replication partners

  • Unidirectional

  • Does not specify individual naming context


Determining Replication Topology (continued)

• Intra-site replication

  • Process of updating domain controllers within same site

• Inter-site replication

  • Process of updating domain controllers between sites


Connection Objects

• Logical construct

  • Provides representation of connection between two or more domain controllers

• Created in one of two ways

  • Automatically by:

    • Knowledge Consistency Checker (KCC)

    • Inter-Site Topology Generator (ISTG)

  • Manually by:

    • Active Directory administrator


Connection Objects (continued)

• KCC does not optimize any connection objects created using a manual process

  • Administrator wholly responsible for maintaining manual connections in the event of misconfiguration issues or unavailability


Activity 7-1: Manually Creating Connections

• Objective: This exercise is designed to familiarize you with the process of manually creating replication connection objects

• Manually create a connection using Active Directory Sites and Services


Intra-site Replication

• KCC is responsible for the replication topology within a site

  • Checks replication topology every 15 minutes

  • Attempts to create a replication topology made up of a bidirectional ring

  • Adds additional connection objects to ensure that no more than three hops are required

Example Bidirectional Ring Replication Topology with Additional Connectors: slide 35 is a figure
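The figure slide above is illustrated here with an added Python example that is not from the slides: the DCs of a site are placed in a bidirectional ring of unidirectional connection objects, and extra connections are added until no two DCs are more than three hops apart. The rule used to pick each extra connection (join the farthest-apart pair) is an assumption for the sake of the example, not the real KCC algorithm, and the DC names are constructed.

```python
# Added example (not from the slides): a simplified model of the intra-site layout
# described above. DCs go into a bidirectional ring, then extra connection objects
# are added until no DC is more than three hops from any other. Picking the
# farthest-apart pair for each extra connection is an assumption, not the real KCC
# rule. DC names are constructed.
from collections import deque
from itertools import combinations

MAX_HOPS = 3

def ring_topology(dcs):
    """Bidirectional ring: a connection object in each direction between neighbours."""
    links = set()
    if len(dcs) < 2:
        return links
    for i, dc in enumerate(dcs):
        nxt = dcs[(i + 1) % len(dcs)]
        links.add((dc, nxt))        # connection objects are unidirectional,
        links.add((nxt, dc))        # so a ring needs one in each direction
    return links

def hops(links, src, dst):
    """Breadth-first hop count from src to dst following connection objects."""
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for a, b in links:
            if a == node and b not in seen:
                seen.add(b)
                queue.append((b, dist + 1))
    return None                     # unreachable

def max_hops(dcs, links):
    return max(hops(links, a, b) for a, b in combinations(dcs, 2))

def kcc_intrasite(dcs):
    """Ring plus optimizing connections so every DC is within MAX_HOPS of every other."""
    links = ring_topology(dcs)
    if len(dcs) < 3:
        return links
    while max_hops(dcs, links) > MAX_HOPS:
        a, b = max(combinations(dcs, 2), key=lambda p: hops(links, p[0], p[1]))
        links.add((a, b))           # one optimizing connection, both directions
        links.add((b, a))
    return links
```

With four DCs the ring alone already satisfies the three-hop limit; with eight, opposite DCs are four hops apart on the ring, so optimizing connections are added.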


Global Catalog Replication

• Global catalog

  • Holds partial read-only replica of domain naming context for each domain in forest

• Topology generated for replicating domain’s master replicas is used

• Connection objects are added to connect read-only replicas to topology


Inter-site Replication

• One domain controller in each site is designated as ISTG

  • Oldest server in site by default

  • Responsible for creating connection objects with domain controllers located in other sites

  • Attempts to create minimum number of connections

  • Also responsible (by default) for choosing bridgehead server


Bridgehead Server

• Used to designate particular domain controller for replication purposes

• Has historical (Windows NT) origin

• Functions as single point of contact in site for given naming context

  • All replication traffic passes between bridgehead servers at each site

Bridgehead Server (continued): slide 39 is a figure

Controlling Replication Frequency

• Main factors that control replication frequency

  • Location of replication partners

  • Type of data being replicated


Intra-site Replication Schedule

• Based on a notify-pull process

  • Begins when object is modified at domain controller

  • Replication partner pulls updates from source domain controller

  • Maximum time for update to propagate approximately 45 seconds

  • Traffic not compressed by default


Inter-site Replication Schedule

• Time-based

  • Replicating changes at set intervals

  • Default: every 3 hours

• Data compressed by default

• Replication schedule/replication interval can be set

Example Site Link Replication Schedule and Interval: slide 43 is a figure

Urgent Replication

• Occurs immediately within site

• Between sites:

  • Will still observe normal replication intervals and restrictions

• Trigger events:

  • Account lockout

  • Changing certain policies

  • Local Security Authority (LSA) secret change

  • RID master role assigned to new server


Password Replication

• Important for passwords to be synchronized between domain controllers

• Password changes are replicated differently than urgent or nonurgent replication

• PDC emulator

  • One domain controller in domain


Password Replication (continued)

• Password change replicated immediately to the PDC emulator

• On failed logon

  • Authenticating domain controller forwards authentication request to PDC emulator

  • PDC emulator attempts to authenticate user


Monitoring and Troubleshooting Replication

• Symptoms of replication failure include

  • Log-on failure

  • Other inconsistencies in Active Directory

• Most problems with Active Directory replication are caused by:

  • Administrator error

  • Network infrastructure glitches

Monitoring and Troubleshooting Replication (continued)

• Active Directory Replication Monitor

  • Monitor replication traffic between domain controllers

  • Display a list of domain controllers in a domain

  • Verify replication topology

  • Manually force replication

  • Check a domain controller’s current USN and unreplicated objects

  • Display bridgehead servers and trusts


SYSVOL

• Folder called sysvol

  • Created during the promotion of domain controller

  • Used to share files containing scripts, etc.

  • Stored in %SYSTEMROOT%\SYSVOL\ by default

• File Replication Service (FRS)

  • Used to replicate changes in SYSVOL


SYSVOL Replication

• SYSVOL replication independent from Active Directory object replication

• Uses File Replication Service (FRS)

  • FRS configures replication topology to match connection objects of domain controller

  • Inter-site replication frequency controlled by schedule on replication partner’s connection object


Troubleshooting SYSVOL Replication

• Check File Replication Service event log

• Confirm that domain controllers can resolve fully qualified domain names (FQDNs) of replication partners

• Confirm File Replication Service is started

• Check for sufficient disk space

• Check that file(s) are not being filtered out by FRS


Summary

• Active Directory uses multi-master model for replication

• Active Directory uses system based on update sequence numbers

  • USNs are unique for each domain controller

• Replication topology for intra-site replication is created by KCC

• Replicating attribute-level changes minimizes replication conflicts


Summary (continued)

• Use Active Directory Replication Monitor to view both intra-site and inter-site replication information

• SYSVOL is a share available on every domain controller in a domain

  • Used to store files such as logon scripts