1. 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced. Chapter 7: Active Directory Replication

2. Objectives
   • Describe how Active Directory identifies data that needs to be replicated
   • Describe how the Active Directory replication topology is generated
   • Describe and control when Active Directory replication occurs

3. Objectives (continued)
   • Monitor and troubleshoot Active Directory replication
   • Describe SYSVOL and how its replication differs from Active Directory replication

4. Identifying Data to Replicate
   • Active Directory uses a multi-master model
     • Changes can be made on any DC
     • Changes are replicated to all DCs that hold the naming context
   • Replication is performed at the attribute level, not the object level
   • Replication involves two types of updates:
     • Originating updates
     • Replicated updates

5. Identifying Data to Replicate (continued)
   • Originating update: a change made directly on the local domain controller
   • Replicated update: a change received through replication from another domain controller
   • Update Sequence Numbers (USNs)
     • Used to track changes
     • Unique for each DC: every DC keeps its own counter, which has meaning only on that DC

6. Identifying Data to Replicate (continued)
   • Update Sequence Numbers (USNs)
     • Incremented by one for every change committed to the local database
     • The updated object and the changed attributes are stamped with the new USN
     • Comparing USNs from different domain controllers is meaningless
   • Two domain controllers in the same domain can temporarily show different information
     • Caused by replication latency

7. Identifying Data to Replicate (continued)
   • Convergence
     • All DCs hold the same data
     • Replication is complete, for the moment (the next originating update starts the cycle again)

8. Identifying Domain Controllers
   • Identifiers for a domain controller:
     • The domain controller's computer account
     • Records registered in DNS
     • NTDS Settings server object (under the server object in the Sites container)
     • Server GUID (the DSA GUID, the objectGUID of the NTDS Settings object)
     • Database GUID (the invocation ID, which changes when the database is restored from backup)

9. Update Sequence Number
   • 64-bit number
   • Used to identify changes to data
   • Each object has:
     • usnCreated: set when the object is created
     • usnChanged: set every time the object is updated

10. Update Sequence Number (continued)
   • Each attribute of an object carries two USNs:
     • The local USN, assigned by the domain controller holding this copy
     • The originating USN, assigned by the domain controller that performed the originating write

11. Creation of New User Account (figure)

12. Replication of New User Account (figure)

13. Updating Attribute of User Account (figure)

14. Replicating Change of User Account's Attribute (figure)

15. High-watermark Value
   • Used to identify which objects may need to be replicated
   • Table on each domain controller, one entry per replication partner per naming context
   • Stores the highest USN received from each replication partner
   • Source domain controller sends only objects whose usnChanged is above the destination's high-watermark
     • Starting with the object that has the lowest such usnChanged value

16. High-watermark Value (continued) (figure)

17. High-watermark Value (continued) (figure)

18. Up-to-dateness Vector
   • Lets the source domain controller filter out attributes the destination has already received, possibly over another path
   • Table on each domain controller
   • Stores the highest originating USN received from every domain controller that has ever made an originating update
   • Covers all possible sources of originating updates to a single destination

19. Up-to-dateness Vector (continued) (figure)

20. Determining Which Attributes Need to be Replicated (figure)

21. Propagation Dampening
   • The up-to-dateness vector provides propagation dampening: an update already received over one connection is not sent again over another, so each change is applied once per DC no matter how many partners carry it

22. Propagation Dampening (continued) (figure)

23. Propagation Dampening (continued) (figure)

24. Propagation Dampening (continued) (figure)

25. Propagation Dampening (continued) (figure)
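The high-watermark, up-to-dateness vector and dampening behaviour described in slides 15 through 25, as an added worked example. This is an illustrative re-implementation written for this page, not Microsoft's code: the three DC names, the user object and the connection order are constructed, USN counters start at 0, and conflict handling is left out (a replicated attribute simply overwrites the local copy).

```python
"""Toy model of the bookkeeping Active Directory uses to decide what to replicate:
a per-DC USN counter, per-attribute stamps, a high-watermark table and an
up-to-dateness (UTD) vector, which together give propagation dampening."""
from dataclasses import dataclass


@dataclass
class Stamp:
    originating_dsa: str  # name of the DC that made the originating write
    originating_usn: int  # that DC's USN when it made the write
    version: int          # bumped on every originating write of the attribute
    local_usn: int        # USN on the DC holding this copy (meaningless elsewhere)


class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0                 # local counter; 64-bit in AD, starts at 0 here
        self.objects = {}            # dn -> {attribute: (value, Stamp)}
        self.high_watermark = {}     # source DC -> highest source USN already received
        self.utd_vector = {name: 0}  # originating DC -> highest originating USN seen

    def _next_usn(self):
        self.usn += 1
        return self.usn

    def originating_write(self, dn, attr, value):
        usn = self._next_usn()
        obj = self.objects.setdefault(dn, {})
        version = obj[attr][1].version + 1 if attr in obj else 1
        obj[attr] = (value, Stamp(self.name, usn, version, usn))
        self.utd_vector[self.name] = usn

    def usn_changed(self, dn):
        """usnChanged: the highest local USN on any attribute of the object."""
        return max(stamp.local_usn for _, stamp in self.objects[dn].values())

    def changes_for(self, dest_hwm, dest_utd):
        """Source side of a cycle: walk objects whose usnChanged is above the
        destination's high-watermark in ascending order, then drop any attribute
        whose originating write the destination has already seen according to its
        UTD vector (propagation dampening)."""
        updates = []
        for dn in sorted(self.objects, key=self.usn_changed):
            if self.usn_changed(dn) <= dest_hwm:
                continue
            for attr, (value, st) in self.objects[dn].items():
                if st.originating_usn > dest_utd.get(st.originating_dsa, 0):
                    updates.append((dn, attr, value, st))
        return updates, self.usn, dict(self.utd_vector)

    def pull_from(self, source):
        """Destination side: pull, apply, then advance high-watermark and UTD vector."""
        updates, source_usn, source_utd = source.changes_for(
            self.high_watermark.get(source.name, 0), self.utd_vector)
        for dn, attr, value, st in updates:
            # replicated update: keep the originating stamp, assign a fresh local USN
            stamp = Stamp(st.originating_dsa, st.originating_usn, st.version, self._next_usn())
            self.objects.setdefault(dn, {})[attr] = (value, stamp)
        self.high_watermark[source.name] = source_usn
        for dsa, usn in source_utd.items():  # we now know everything the source knew
            self.utd_vector[dsa] = max(self.utd_vector.get(dsa, 0), usn)
        return len(updates)


def converged(dcs):
    """True when every DC presents the same attribute values for every object."""
    views = [{dn: {a: v for a, (v, _) in attrs.items()} for dn, attrs in dc.objects.items()}
             for dc in dcs]
    return all(view == views[0] for view in views)


def run_scenario():
    """Constructed scenario: three DCs, connections A->B, A->C, C->B and B->C."""
    a, b, c = DomainController("A"), DomainController("B"), DomainController("C")
    user = "CN=alice,OU=Staff,DC=example,DC=test"
    a.originating_write(user, "description", "analyst")
    pulls = [b.pull_from(a), c.pull_from(a)]
    pulls.append(b.pull_from(c))  # C holds the object, but B's UTD vector already covers A's USN 1: dampened
    a.originating_write(user, "title", "Senior Analyst")
    pulls.append(b.pull_from(a))  # only the new attribute travels, not the whole object
    pulls.append(c.pull_from(b))  # the replicated update reaches C through B
    return {"pulls": pulls, "converged": converged([a, b, c]), "b_utd": dict(b.utd_vector)}


if __name__ == "__main__":
    print(run_scenario())
```

The third pull is the point of the exercise: C's copy of the object is above B's high-watermark for C, so the object is considered, but every attribute on it originated at A with USN 1, and B's UTD vector already records A at 1, so nothing is sent. The fourth pull shows why replication is attribute-level: the object changed again, yet only the new attribute crosses the wire.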
26. Conflict Resolution
   • Problems occur when changes are made to the same object at the same time on different domain controllers (before either change has replicated)
   • Replicating at the attribute level minimizes conflicts: two DCs changing different attributes of the same object do not conflict at all

27. Conflict Resolution (continued)
   • Attribute conflicts are resolved, in order, by:
     • Version (higher wins)
     • Timestamp of the originating write (later wins)
     • Originating DSA GUID (higher wins; final tie-breaker)
   • Move under a deleted parent
     • The object is automatically moved to the domain's LostAndFound container

28. Conflict Resolution (continued)
   • New object name conflict
     • Two objects are created under the same parent with the same relative distinguished name
     • One object is renamed to a system-wide unique value (the RDN followed by CNF: and the object's GUID)
     • The object with the higher version number keeps its name, using the same precedence as attribute conflicts
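The three conflict cases of slides 26 through 28 as an added worked example. This is an illustrative re-implementation written for this page, not Microsoft's code; the domain name, GUID values and timestamps are constructed, and the LostAndFound DN is assumed for the constructed domain.

```python
"""Attribute-level and naming conflict resolution: version, then originating
timestamp, then originating DSA GUID.  The same precedence decides which of two
same-named objects keeps its RDN."""
from dataclasses import dataclass
from uuid import UUID

LOST_AND_FOUND = "CN=LostAndFound,DC=example,DC=test"  # assumed for the constructed domain


@dataclass(frozen=True)
class AttrStamp:
    version: int
    timestamp: int  # originating write time, seconds since epoch
    dsa_guid: UUID  # GUID of the DSA that made the originating write
    value: str


def precedence(stamp):
    """Higher tuple wins: version first, then the later timestamp, then the larger
    DSA GUID (compared here as a 128-bit integer) as the final tie-breaker."""
    return (stamp.version, stamp.timestamp, stamp.dsa_guid.int)


def resolve_attribute_conflict(local, incoming):
    """Return the stamp that survives on this DC once a replicated update arrives."""
    return max(local, incoming, key=precedence)


def resolve_rdn_conflict(rdn, object_a, object_b):
    """Two objects created under the same parent with the same RDN.  Each object is
    (objectGUID, AttrStamp of its name attribute).  The loser is renamed to a
    forest-unique value: RDN, a newline (shown escaped as \\0A in a DN), CNF: and
    its own objectGUID."""
    (guid_a, stamp_a), (guid_b, stamp_b) = object_a, object_b
    if precedence(stamp_a) > precedence(stamp_b):
        winner, loser = guid_a, guid_b
    else:
        winner, loser = guid_b, guid_a
    return {winner: rdn, loser: f"{rdn}\nCNF:{loser}"}


def apply_replicated_move(rdn, target_parent, deleted_containers):
    """A replicated move whose destination parent was deleted on another DC lands
    in LostAndFound instead of failing."""
    if target_parent in deleted_containers:
        return f"{rdn},{LOST_AND_FOUND}"
    return f"{rdn},{target_parent}"


if __name__ == "__main__":
    dc1, dc2 = UUID(int=1), UUID(int=2)  # constructed DSA GUIDs
    print(resolve_attribute_conflict(AttrStamp(2, 100, dc1, "x"), AttrStamp(1, 200, dc2, "y")))
    print(resolve_rdn_conflict("CN=svc-backup", (dc1, AttrStamp(1, 100, dc1, "svc-backup")),
                               (dc2, AttrStamp(1, 100, dc2, "svc-backup"))))
```

Note the first case in the usage block: a higher version wins even though its timestamp is older, so clock skew between DCs does not decide a conflict unless the versions are equal. That is also why an attacker or a careless script that changes an attribute repeatedly on one DC will win a concurrent change made once elsewhere.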
29. Determining Replication Topology
   • Replication topology
     • The combination of paths used to replicate changes between domain controllers
     • Every naming context has its own topology
   • Connection object
     • Identifies replication partners: stored under the destination DC's NTDS Settings object and names the source DC
     • Unidirectional (inbound to the DC that owns it)
     • Does not specify an individual naming context; it carries every naming context the two DCs have in common

30. Determining Replication Topology (continued)
   • Intra-site replication
     • The process of updating domain controllers within the same site
   • Inter-site replication
     • The process of updating domain controllers in different sites

31. Connection Objects
   • Logical construct
   • Represents the replication connection from one source domain controller to one destination domain controller
   • Created in one of two ways
     • Automatically, by the Knowledge Consistency Checker (KCC) within a site or by the Inter-Site Topology Generator (ISTG) between sites
     • Manually, by an Active Directory administrator

32. Connection Objects (continued)
   • The KCC does not optimize, repair or remove connection objects that were created manually
     • The administrator is wholly responsible for maintaining manual connections in the event of misconfiguration or partner unavailability

33. Activity 7-1: Manually Creating Connections
   • Objective: familiarize you with the process of manually creating replication connection objects
   • Manually create a connection using Active Directory Sites and Services

34. Intra-site Replication
   • The KCC is responsible for the replication topology within a site
     • Checks the replication topology every 15 minutes
     • Attempts to create a replication topology made up of a bidirectional ring
     • Adds additional connection objects so that no domain controller is more than three hops from any other

35. Example Bidirectional Ring Replication Topology with Additional Connectors (figure)
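The intra-site topology of slides 34 and 35 as an added worked example: a bidirectional ring, then extra connection objects until no DC is more than three hops from any other. This is an illustrative re-implementation written for this page, not Microsoft's KCC; the DC names are constructed, and the greedy choice of which extra connections to add (repeatedly join the farthest-apart pair) is my own, reproducing only the three-hop constraint the KCC enforces, not its actual selection rule.

```python
"""Ring-plus-shortcuts topology for one site.  Edges are undirected pairs; each
one corresponds to two unidirectional connection objects, one inbound on each DC."""
from collections import deque


def ring(dcs):
    """Bidirectional ring over the DCs in the given order."""
    if len(dcs) < 2:
        return set()
    return {frozenset((dcs[i], dcs[(i + 1) % len(dcs)])) for i in range(len(dcs))}


def connection_objects(edges):
    """Expand each undirected edge into its two (source, destination) connection objects."""
    return sorted((src, dst) for e in edges for src, dst in (tuple(e), tuple(e)[::-1]))


def hop_counts(dcs, edges):
    """Breadth-first search from every DC: hop_counts[s][t] is the replication hops s -> t."""
    adj = {dc: set() for dc in dcs}
    for e in edges:
        a, b = tuple(e)
        adj[a].add(b)
        adj[b].add(a)
    dist = {}
    for start in dcs:
        seen = {start: 0}
        queue = deque([start])
        while queue:
            u = queue.popleft()
            for v in adj[u]:
                if v not in seen:
                    seen[v] = seen[u] + 1
                    queue.append(v)
        dist[start] = seen
    return dist


def max_hops(dcs, edges):
    dist = hop_counts(dcs, edges)
    return max(dist[s][t] for s in dcs for t in dcs)


def add_optimizing_connections(dcs, edges, limit=3):
    """Greedily connect the farthest-apart pair until every pair is within `limit` hops.
    Terminates because each added edge joins a pair that was more than `limit` apart."""
    edges = set(edges)
    while True:
        dist = hop_counts(dcs, edges)
        hops, s, t = max((dist[s][t], s, t) for s in dcs for t in dcs)
        if hops <= limit:
            return edges
        edges.add(frozenset((s, t)))


def build_site_topology(dc_count):
    """Constructed site of dc_count DCs named DC01..DCnn; returns (dcs, edge set)."""
    dcs = [f"DC{i:02d}" for i in range(1, dc_count + 1)]
    return dcs, add_optimizing_connections(dcs, ring(dcs))


if __name__ == "__main__":
    for n in (3, 7, 8, 12):
        dcs, topology = build_site_topology(n)
        print(n, "DCs:", len(topology), "edges,", len(connection_objects(topology)),
              "connection objects, max hops", max_hops(dcs, topology))
```

A ring of seven DCs already satisfies the three-hop rule, so the first site that gets an extra connector is one with eight DCs. The connection-object count is always twice the edge count, which is the figure you will see under the NTDS Settings objects in Active Directory Sites and Services.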
36. Global Catalog Replication
   • Global catalog
     • Holds a partial, read-only replica of the domain naming context of every domain in the forest
   • The topology generated for replicating each domain's writable replicas is reused
   • Connection objects are added to connect the read-only replicas into that topology

37. Inter-site Replication
   • One domain controller in each site is designated as the ISTG
     • By default, the first (oldest) domain controller in the site
     • Responsible for creating connection objects with domain controllers located in other sites
     • Attempts to create the minimum number of connections
     • Also responsible (by default) for choosing the bridgehead server

38. Bridgehead Server
   • Used to designate a particular domain controller for inter-site replication
   • Has a historical (Windows NT) origin
   • Functions as the single point of contact in a site for a given naming context
     • All inter-site replication traffic for that naming context flows between the bridgehead servers of each site

39. Bridgehead Server (continued) (figure)

40. Controlling Replication Frequency
   • Main factors that control replication frequency
     • Location of the replication partners (same site or different sites)
     • Type of data being replicated (normal, urgent or password change)

41. Intra-site Replication Schedule
   • Based on a notify-pull process
   • Begins when an object is modified on a domain controller, which notifies its replication partners
   • Each replication partner then pulls the updates from the source domain controller
   • Maximum time for an update to propagate across the site is approximately 45 seconds
   • Traffic is not compressed by default

42. Inter-site Replication Schedule
   • Time-based
     • Changes are replicated at set intervals
     • Default: every 3 hours (180 minutes)
   • Data is compressed by default
   • Both the replication schedule (when replication is allowed) and the replication interval can be set on the site link

43. Example Site Link Replication Schedule and Interval (figure)

44. Urgent Replication
   • Occurs immediately within a site (the normal notification delay is skipped)
   • Between sites:
     • Still observes the normal site link schedule and interval
   • Trigger events:
     • Account lockout
     • Changing certain policies (account lockout policy and domain password policy)
     • Local Security Authority (LSA) secret change
     • RID master role assigned to a new server

45. Password Replication
   • It is important for passwords to be synchronized between domain controllers
   • Password changes are replicated differently from both urgent and non-urgent replication
   • PDC emulator
     • One domain controller per domain holds this role

46. Password Replication (continued)
   • A password change is replicated immediately to the PDC emulator, regardless of site
   • On a failed logon (bad password)
     • The authenticating domain controller forwards the authentication request to the PDC emulator
     • The PDC emulator attempts to authenticate the user, so a password changed elsewhere works before normal replication has delivered it

47. Monitoring and Troubleshooting Replication
   • Symptoms of replication failure include
     • Logon failures
     • Other inconsistencies in Active Directory between domain controllers
   • Most problems with Active Directory replication are caused by:
     • Administrator error
     • Network infrastructure glitches (DNS, connectivity, firewalls between sites)

48. Monitoring and Troubleshooting Replication (continued)
   • Active Directory Replication Monitor (replmon.exe, from the Windows Support Tools)
     • Monitors replication traffic between domain controllers
     • Displays a list of domain controllers in a domain
     • Verifies the replication topology
     • Manually forces replication
     • Checks a domain controller's current USN and unreplicated objects
     • Displays bridgehead servers and trusts

49. SYSVOL
   • A folder called SYSVOL
   • Created during the promotion of a domain controller
   • Used to share files containing logon scripts, Group Policy templates and similar data
   • Stored in %SYSTEMROOT%\SYSVOL by default
   • File Replication Service (FRS)
     • Used to replicate changes in SYSVOL

50. SYSVOL Replication
   • SYSVOL replication is independent from Active Directory object replication
   • Uses the File Replication Service (FRS)
   • FRS configures its replication topology to match the domain controller's connection objects
   • Inter-site replication frequency is controlled by the schedule on the replication partner's connection object

51. Troubleshooting SYSVOL Replication
   • Check the File Replication Service event log
   • Confirm that domain controllers can resolve the fully qualified domain names (FQDNs) of their replication partners
   • Confirm the File Replication Service is started
   • Check for sufficient disk space
   • Check that the file(s) are not being filtered out by FRS

52. Summary
   • Active Directory uses a multi-master model for replication
   • Active Directory tracks changes with update sequence numbers
     • USNs are unique to each domain controller and cannot be compared across DCs
   • The replication topology for intra-site replication is created by the KCC
   • Replicating attribute-level changes minimizes replication conflicts

53. Summary (continued)
   • Use Active Directory Replication Monitor to view both intra-site and inter-site replication information
   • SYSVOL is a share available on every domain controller in a domain
     • Used to store files such as logon scripts
