8/8/2019 Active Directory Replication - Ronak
1/32
ACTIVE DIRECTORY REPLICATION
Course: Network Operating System.
Done By: Ronak S Aswaney, ID: 0710229.
Date: 15/02/10.
Objectives
Describe how Active Directory identifies data
that needs to be replicated.
Understand each process that is carried out
to identify the data to be replicated.
Identifying Data to Replicate
Identify Domain Controllers
Update Sequence Number
High-watermark Value
Up-to-dateness Vector
Propagation Dampening
Conflict Resolution
Identifying Data to Replicate - Introduction
Active Directory uses a multi-master model for replication.
This means you can make changes to Active Directory on any domain controller.
Those changes are then replicated to the other domain controllers.
When you make a change to Active Directory, such as adding a new user or changing a user's telephone number, the replication process begins.
Replication is performed at the attribute level, not the object level.
For example, if a user's fax number is changed, only the new fax number is replicated; the other attributes of the user were not changed. This makes the replication process very efficient.
Identifying Data to Replicate - Introduction
Replication involves two types of updates:
Originating Updates
An originating update is a change to Active Directory that was made on the local domain controller. For example, if a user's password is changed on DC1, it is an originating update on DC1.
Replicated Updates
A replicated update is a change that was made through replication. For example, if a user's password is changed on DC1 and the change is replicated to DC2, it is a replicated update on DC2.
Identifying Data to Replicate - Introduction
Active Directory does not rely on a time-based system to replicate directory changes.
Time-based systems have serious drawbacks.
E.g. if clocks drift out of sync, or a clock slows or stops, changes can be lost or the directory can become inconsistent.
Active Directory uses another method:
Domain controllers track changes using Update Sequence Numbers (USNs).
Each DC maintains its own USN counter, independent of all other domain controllers. Every time the Active Directory database on a DC is modified, the DC's USN counter advances and the updated object and attributes are stamped with the new USN.
Identifying Data to Replicate - Introduction
The use of the multi-master model does introduce an additional consideration.
It makes it possible for two domain controllers in the same domain to show different information, even for the same object.
This is caused by latency: the replication process takes some time.
The latency could be only a few seconds or possibly a few minutes. In large, geographically dispersed networks, the latency could be hours.
Once replication has finished and all the domain controllers contain the same information for every object, the directory database is said to have reached convergence.
Identify Domain Controllers
What is a Domain Controller?
A network server which holds a directory database that manages user access to a network, including logging on, authentication, and access to network resources.
There are several identifiers for a domain controller:
NTDS Settings Server Object
Server GUID
Database GUID
NTDS Settings Server Object
The NTDS Settings server object:
is contained in the configuration partition.
identifies the server as a domain controller.
can be viewed in Active Directory Sites and Services.
holds a link to the domain controller's computer account and cannot be deleted by an administrator on the local computer.
Server GUID / Database GUID
The server globally unique identifier (GUID) is the objectGUID of the NTDS Settings object, also called the DSA GUID. It is used to identify replication partners and does not change for the lifetime of the domain controller.
The Database GUID (the invocationId attribute of the NTDS Settings object) is used by domain controllers to identify other domain controllers during replication requests.
The database GUID changes if a domain controller is restored from backup, so that replication partners do not mistake the restored (older) database for the one they already replicated from, and changes made after the backup are replicated correctly.
Update Sequence Number
The USN is a 64-bit number used to identify changes to data in Active Directory.
Each object in the directory has two USNs:
One set when the object is created (usnCreated).
One set every time the object is updated (usnChanged).
Also, each attribute of an object has two USNs:
The first is the local USN, assigned by the local domain controller when it wrote the value (whether originating or replicated).
The second is the originating USN, assigned by the domain controller that performed the originating write.
Update Sequence Number
We will look at the following scenarios:
Creation of new user account.
Replication of new user account.
Updating attribute of user account.
Replicating change of user account attribute.
Creation of new user account
Attribute | USN  | Version # | Timestamp           | Org. DSA GUID | Org. USN
A         | 8412 | 1         | 2004-08-19 10:23:42 | DC1 DSA GUID  | 8412
B         | 8412 | 1         | 2004-08-19 10:23:42 | DC1 DSA GUID  | 8412
C         | 8412 | 1         | 2004-08-19 10:23:42 | DC1 DSA GUID  | 8412
D         | 8412 | 1         | 2004-08-19 10:23:42 | DC1 DSA GUID  | 8412
Replication of new user account
Updating attribute of user account
Replicating change of user account's attribute
High-watermark Value
It is used to quickly identify which objects need to be replicated from a specific replication partner for a specific naming context.
Each DC keeps a high-watermark table. For every replication partner and naming context it stores the highest USN (the partner's usnChanged) that this DC has received from that partner.
High-watermark Value
Example high-watermark table:
High-watermark Value
Determining which objects may need to be replicated:
When DC2 requests changes from DC3, it sends along the high-watermark value it holds for DC3 (1532 in the example table).
Only objects with a usnChanged value > 1532 on DC3 will be considered for replication.
Up-to-dateness Vector
It helps the source domain controller to filter out attributes that do not need to be replicated.
When a destination domain controller contacts a source domain controller, the destination DC sends its up-to-dateness vector.
This allows the source DC to determine which attribute values the destination domain controller already has and which it does not.
The up-to-dateness vector table stores the highest originating USN received from every DC that has ever originated a write to the naming context, not only from direct replication partners.
Up-to-dateness Vector
Example of up-to-dateness vector table:
What difference did you notice between the high-watermark value and the up-to-dateness vector?
The high-watermark table holds one entry per direct replication partner (and naming context) and tracks that partner's local USNs; the up-to-dateness vector holds one entry per originating DC in the naming context, partner or not, and tracks originating USNs.
Propagation Dampening
What is propagation dampening?
Propagation dampening is used to prevent unnecessary replication by not sending updates to servers that already have them.
Together, the up-to-dateness vector tables and the high-watermark tables provide propagation dampening.
We will look at 4 scenarios and examples:
Creation of new user account on a specific DC.
Replication of user account.
DC requests updates from another DC.
DC responding to the request, sending new high-watermark value and vector data.
Creation of new user account on DC4
No changes are directly made to DC2.
Replication of user account to DC4's first replication partner
DC4 notifies DC1 that it has updates.
The user account is then replicated.
Still, no changes are made on DC2.
DC2 requests updates from DC1
DC2 sends DC1 the following information when requesting updates:
The naming context for which it wants updates.
The high-watermark value DC2 holds for DC1.
The maximum number of object update entries requested.
The maximum number of values requested.
DC2's up-to-dateness vector table.
Still, no changes are made on DC2.
DC1 replies back to DC2
DC1 responds with data:
New user account.
New high-watermark value.
Updated vector data.
This is when the DC2 table is changed!
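The following Python simulation is an added example, not code from the original slides. It models the mechanics of the USN scenarios (creation, replication, attribute update, replicating the update) and of the high-watermark / up-to-dateness vector / propagation dampening scenarios: every DC has its own USN counter, every attribute value carries a local USN plus the originating DSA GUID and originating USN, the source filters objects by the destination's high-watermark and then attributes by its up-to-dateness vector. The DC names, the DSA GUID strings (standing in for the real invocationId), the user DN and all USN and timestamp values are constructed for the example. On a real DC the equivalent per-attribute metadata is shown by repadmin /showobjmeta and the vector by repadmin /showutdvec.

```python
from dataclasses import dataclass


@dataclass
class Stamp:
    """Replication metadata kept for one attribute value."""
    local_usn: int   # USN assigned by the DC that holds this replica
    version: int     # bumped on every originating write
    timestamp: int   # time of the originating write (constructed, seconds)
    orig_dsa: str    # DSA GUID of the DC where the write originated
    orig_usn: int    # USN the originating DC assigned to that write


class DC:
    """A domain controller with its own USN counter and one naming context."""

    def __init__(self, name):
        self.name = name
        self.dsa_guid = name + "-dsa-guid"  # constructed stand-in for the GUID
        self.usn = 0
        self.objects = {}      # dn -> {attr: (value, Stamp)}
        self.usn_changed = {}  # dn -> usnChanged on this DC
        self.hwm = {}          # partner name -> high-watermark value
        self.utd = {}          # orig DSA GUID -> highest originating USN held

    def next_usn(self):
        self.usn += 1
        return self.usn

    def originating_write(self, dn, attrs, now):
        """A change made directly on this DC: an originating update."""
        obj = self.objects.setdefault(dn, {})
        for attr, value in attrs.items():
            version = obj[attr][1].version + 1 if attr in obj else 1
            usn = self.next_usn()
            obj[attr] = (value, Stamp(usn, version, now, self.dsa_guid, usn))
            self.usn_changed[dn] = usn
        self.utd[self.dsa_guid] = self.usn

    def changes_for(self, partner_hwm, partner_utd):
        """Source side: filter objects by the destination's high-watermark,
        then attributes by its up-to-dateness vector (propagation dampening)."""
        out = []
        for dn, attrs in self.objects.items():
            if self.usn_changed[dn] <= partner_hwm:
                continue  # destination already pulled this object's last change
            send = {}
            for attr, (value, st) in attrs.items():
                if st.local_usn <= partner_hwm:
                    continue  # attribute unchanged here since the last pull
                if st.orig_usn <= partner_utd.get(st.orig_dsa, 0):
                    continue  # dampened: destination already got it another way
                send[attr] = (value, st)
            if send:
                out.append((dn, send))
        return out, self.usn, dict(self.utd)

    def pull_from(self, source):
        """Destination side: send hwm + UTD vector, apply the replicated
        updates, then raise the hwm and merge the source's UTD vector."""
        changes, src_usn, src_utd = source.changes_for(
            self.hwm.get(source.name, 0), self.utd)
        applied = 0
        for dn, attrs in changes:
            obj = self.objects.setdefault(dn, {})
            for attr, (value, st) in attrs.items():
                local = self.next_usn()  # new local USN, originating stamp kept
                obj[attr] = (value, Stamp(local, st.version, st.timestamp,
                                          st.orig_dsa, st.orig_usn))
                self.usn_changed[dn] = local
                applied += 1
        self.hwm[source.name] = src_usn
        for dsa, usn in src_utd.items():
            self.utd[dsa] = max(self.utd.get(dsa, 0), usn)
        return applied


def run_scenario():
    """Four DCs; a user created on DC4 reaches DC2 via DC1 and via DC3."""
    dc1, dc2, dc3, dc4 = (DC(n) for n in ("DC1", "DC2", "DC3", "DC4"))
    user = "CN=jdoe,OU=Staff,DC=example,DC=local"  # constructed DN
    dc4.originating_write(user, {"sAMAccountName": "jdoe",
                                 "telephoneNumber": "555-0100"}, now=1000)
    r = {}
    r["dc1_from_dc4"] = dc1.pull_from(dc4)  # 2 attribute values replicated
    r["dc3_from_dc4"] = dc3.pull_from(dc4)  # 2 attribute values replicated
    r["dc2_from_dc1"] = dc2.pull_from(dc1)  # 2: DC2 first sees the user here
    r["dc2_from_dc3"] = dc2.pull_from(dc3)  # 0: dampened by the UTD vector
    # Attribute-level replication: only the changed attribute travels back.
    dc2.originating_write(user, {"telephoneNumber": "555-0199"}, now=1100)
    r["dc1_from_dc2"] = dc1.pull_from(dc2)  # 1 attribute value, version 2
    r["dc1_phone_version"] = dc1.objects[user]["telephoneNumber"][1].version
    r["dc1_phone_orig"] = dc1.objects[user]["telephoneNumber"][1].orig_dsa
    return r


if __name__ == "__main__":
    for key, val in run_scenario().items():
        print(key, val)
```

The second pull by DC2 (from DC3) passes the high-watermark filter, because DC3's usnChanged for the user is above DC2's high-watermark for DC3, but every attribute is dropped by the up-to-dateness check: DC2's vector already records originating USN 2 from DC4, so nothing is sent. That is the dampening the slides describe.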
Conflict Resolution
As you all know, the multi-master model allows changes to be made on any domain controller.
What if changes are made to the same object at the same time on different DCs?
This causes a conflict, but fortunately Active Directory has built-in rules to resolve it: conflict resolution.
We will discuss the following situations:
Attribute update conflict.
Move under deleted parent.
New object name conflict.
Attribute update conflict
Remember, only the changed attribute is replicated, not the entire object; this itself minimizes replication conflicts.
If the email address of a user is changed on DC1, and the mobile number of the same user is changed on DC2 at the same time, this is NOT a conflict.
A conflict occurs when the same attribute is changed on two different DCs at the same time, i.e. before either change has replicated to the other DC.
The version number, timestamp and originating DSA GUID of the attribute are used to resolve the conflict.
First the version numbers are compared: the value with the higher version number wins.
If the version numbers are the same, the timestamps are compared: the value with the later timestamp wins.
If the timestamps are also identical, the value from the higher originating DSA GUID wins. This is how the conflict is resolved.
Move Under Deleted Parent
Say an administrator deletes an organizational unit on DC1.
Simultaneously, another administrator creates a new user account on DC2 in the same organizational unit, which has already been deleted on DC1.
In this case, the new object created on DC2 is moved to the LostAndFound container.
This is one of the conflicts which can take place, and the method described above is how this replication conflict is resolved.
New object name conflict
This occurs when two objects are created with the same distinguished name in the same container on different domain controllers.
Because objects in the same container must have different relative distinguished names, one of the objects is renamed.
The timestamps and originating DSA GUIDs are used to resolve this issue.
The object with the later timestamp keeps the original name.
If the timestamps are identical, the originating DSA GUID is used.
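An added example, not the presenter's code, that implements the three conflict situations above as plain functions: the version / timestamp / originating DSA GUID comparison for an attribute update conflict, the rename of the losing object in a new object name conflict, and the relocation into LostAndFound for a create under a deleted parent. The stamps, GUID strings and DNs are constructed; comparing the DSA GUID as a string stands in for the numeric GUID comparison a real DC performs. The mangled name AD gives the losing object is its RDN followed by a line feed and "CNF:" plus its objectGUID, which the rename function reproduces.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Stamp:
    """Replication metadata compared during conflict resolution."""
    version: int
    timestamp: int  # originating write time (constructed, seconds)
    orig_dsa: str   # originating DSA GUID (string compare as stand-in)


def stamp_wins(a, b):
    """True when stamp a beats stamp b: higher version first, then later
    timestamp, then higher originating DSA GUID. Tuple comparison applies
    the three rules in exactly that order."""
    return (a.version, a.timestamp, a.orig_dsa) > (b.version, b.timestamp, b.orig_dsa)


def resolve_attribute(local, incoming):
    """Attribute update conflict. Each argument is (value, Stamp).
    Returns the (value, Stamp) pair that stays in the directory."""
    return incoming if stamp_wins(incoming[1], local[1]) else local


def resolve_name_conflict(existing, incoming):
    """New object name conflict. Each argument is (rdn, objectGUID, Stamp) for
    an object created with the same RDN in the same container on a different
    DC. Returns (winner_rdn, loser_rdn): the loser is renamed to
    '<RDN>\\nCNF:<objectGUID>', which is the form AD uses."""
    if stamp_wins(incoming[2], existing[2]):
        winner, loser = incoming, existing
    else:
        winner, loser = existing, incoming
    return winner[0], loser[0] + "\nCNF:" + loser[1]


def place_new_object(rdn, parent_dn, deleted_containers, domain_dn):
    """Move under deleted parent. A new object whose parent container was
    deleted concurrently on another DC is rehomed under LostAndFound."""
    if parent_dn in deleted_containers:
        return f"{rdn},CN=LostAndFound,{domain_dn}"
    return f"{rdn},{parent_dn}"


if __name__ == "__main__":
    dc1, dc2 = "1111-dsa-guid", "2222-dsa-guid"   # constructed DSA GUIDs
    # same attribute, same version, same second: the higher DSA GUID wins
    print(resolve_attribute(("a@example.local", Stamp(2, 1000, dc1)),
                            ("b@example.local", Stamp(2, 1000, dc2)))[0])
    print(resolve_name_conflict(("CN=Sales", "guid-a", Stamp(1, 1000, dc1)),
                                ("CN=Sales", "guid-b", Stamp(1, 1005, dc2))))
    print(place_new_object("CN=jdoe", "OU=Temp,DC=example,DC=local",
                           {"OU=Temp,DC=example,DC=local"}, "DC=example,DC=local"))
```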
Overview
Identifying Data to Replicate
Identify Domain Controllers
Update Sequence Number
High-watermark Value
Up-to-dateness Vector
Propagation Dampening
Conflict Resolution
ANY QUESTIONS ?
THANK YOU FOR LISTENING !