  • 1. 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 7: Active Directory Replication
  • 2. Objectives
    • Describe how Active Directory identifies data that needs to be replicated
    • Describe how the Active Directory replication topology is generated
    • Describe and control when Active Directory replication occurs
  • 3. Objectives (continued)
    • Monitor and troubleshoot Active Directory replication
    • Describe SYSVOL and how its replication differs from Active Directory replication
  • 4. Identifying Data to Replicate
    • Active Directory uses multi-master model
      • Changes made on any DC
      • Replicated to all DCs
    • Replication is performed at attribute level
      • Not object level
    • Replication involves two types of updates:
      • Originating updates
      • Replicated updates
  • 5. Identifying Data to Replicate (continued)
    • Originating update:
      • Change made on local domain controller
    • Replicated update
      • Change made through replication
    • Update Sequence Numbers (USNs)
      • Used to track changes
      • Unique for each DC
  • 6. Identifying Data to Replicate (continued)
    • Update Sequence Numbers (USNs)
      • Incremented by one when change is made
      • Updated object and attributes are stamped with USN
      • Comparing USNs from different domain controllers is meaningless
    • It is possible for two domain controllers in the same domain to show different information
      • Caused by replication latency
  • 7. Identifying Data to Replicate (continued)
    • Convergence
      • All DCs have same data
      • Replication is complete
        • For the moment
  • 8. Identifying Domain Controllers
    • Identifiers for domain controller:
      • Domain controller’s computer account
      • Records registered in DNS
      • NTDS Settings Server object
      • Server GUID
      • Database GUID
  • 9. Update Sequence Number
    • 64-bit number
    • Used to identify changes to data
    • Each object has:
      • usnCreated
        • Set when object created
      • usnChanged
        • Set every time object is updated
  • 10. Update Sequence Number (continued)
    • Each attribute of object has two USNs:
      • USN for local domain controller
      • USN from domain controller that performed originating write operation
  • 11. Creation of New User Account
  • 12. Replication of New User Account
  • 13. Updating Attribute of User Account
  • 14. Replicating Change of User Account’s Attribute
  • 15. High-watermark Value
    • Used to identify which objects may need to be replicated
    • Table on each domain controller
    • Stores highest USN from each of replication partners
    • Source domain controller sends updates
      • Starting with object that has lowest usnChanged value
  • 16. High-watermark Value (continued)
  • 17. High-watermark Value (continued)
  • 18. Up-to-dateness Vector
    • Helps source domain controller filter out attributes that do not need to be replicated
    • Table on each domain controller
    • Stores highest originating USN
    • Based on all possible sources of original updates to a single destination
  • 19. Up-to-dateness Vector (continued)
  • 20. Determining Which Attributes Need to be Replicated
  • 21. Propagation Dampening
    • Up-to-dateness vector can be used to provide propagation dampening
  • 22. Propagation Dampening (continued)
  • 23. Propagation Dampening (continued)
  • 24. Propagation Dampening (continued)
  • 25. Propagation Dampening (continued)
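An added, constructed model of slides 9 through 25 (not code from the textbook or the deck): each DC keeps its own USN counter, stamps every attribute write with the originating DC and USN, tracks a high-watermark per partner and an up-to-dateness vector, and the source uses both tables to skip changes the destination already holds. DC names such as DC-A and the attribute values are made up for the example.

```python
"""Toy model of the replication metadata the slides describe: a per-DC USN
counter, per-attribute stamps (originating DC and USN), a high-watermark table
and an up-to-dateness vector used for propagation dampening; no conflict handling."""
from collections import namedtuple
from dataclasses import dataclass, field

# version, originating DC, and that DC's USN for the originating write
Stamp = namedtuple("Stamp", "version orig_dc orig_usn")

@dataclass
class DC:
    name: str
    usn: int = 0   # local USN counter, meaningful only on this DC
    attrs: dict = field(default_factory=dict)           # (obj, attr) -> (value, Stamp, local_usn)
    high_watermark: dict = field(default_factory=dict)  # partner -> highest partner USN received
    utd_vector: dict = field(default_factory=dict)      # orig DC -> highest originating USN applied

    def originating_write(self, obj, attr, value):
        self.usn += 1
        old = self.attrs.get((obj, attr))
        version = old[1].version + 1 if old else 1
        self.attrs[(obj, attr)] = (value, Stamp(version, self.name, self.usn), self.usn)
        self.utd_vector[self.name] = self.usn

    def changes_for(self, dest):
        """Source side: changes above dest's high-watermark for us, lowest local USN
        first, skipping writes that dest's up-to-dateness vector already covers."""
        hwm = dest.high_watermark.get(self.name, 0)
        sent = []
        for key, (value, stamp, local_usn) in sorted(self.attrs.items(), key=lambda kv: kv[1][2]):
            if local_usn <= hwm:
                continue                                # already sent to dest
            if dest.utd_vector.get(stamp.orig_dc, 0) >= stamp.orig_usn:
                continue                                # propagation dampening
            sent.append((key, value, stamp))
        return sent, self.usn, dict(self.utd_vector)

    def pull_from(self, source):
        """Destination side: apply replicated updates (each gets a new local USN),
        then advance the high-watermark and merge the source's up-to-dateness vector."""
        changes, src_usn, src_utd = source.changes_for(self)
        for key, value, stamp in changes:
            self.usn += 1
            self.attrs[key] = (value, stamp, self.usn)
        self.high_watermark[source.name] = src_usn
        for dc, usn in src_utd.items():
            self.utd_vector[dc] = max(self.utd_vector.get(dc, 0), usn)
        return len(changes)
```

Pulling the same originating write from a second partner returns zero changes, which is the dampening the slides describe; the local USNs stamped on the same attribute differ from DC to DC, which is why comparing them across DCs says nothing.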
  • 26. Conflict Resolution
    • Problems occur
      • When changes are made to same object at the same time on different domain controllers
    • Replicating at the attribute level minimizes replication conflicts
  • 27. Conflict Resolution (continued)
    • Attribute conflicts resolved using:
      • Version
      • Timestamp
      • Originating DSA GUID
    • Move under deleted parent
      • Object automatically moved to “lost and found” container
  • 28. Conflict Resolution (continued)
    • New object name conflict
      • Two objects are created with same relative distinguished name
      • One object is renamed
        • To system-wide unique value
      • Object with higher version number keeps name
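The conflict rules from slides 26 through 28, as an added example (not the textbook's code): attributes are resolved one by one, so DCs that change different attributes of the same object never conflict, and a same-name conflict renames the lower-version object. The stamp fields, GUID strings and the rename format are constructed for illustration; the tie-break on GUID when versions are equal is an assumption, since the slides only mention the version.

```python
"""Attribute-level conflict resolution as the slides state it: the winning
stamp has the higher version, then the later originating timestamp, then the
larger originating DSA GUID. Objects are merged attribute by attribute.
A same-RDN conflict keeps the higher-version object's name and renames the
other to a unique value (constructed form: the object GUID is appended)."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AttrStamp:
    value: str
    version: int
    timestamp: int   # originating write time (constructed: seconds)
    dsa_guid: str    # GUID of the DC that made the originating write

def winning_stamp(local, incoming):
    """Version, then timestamp, then originating DSA GUID; the local copy wins exact ties."""
    key = lambda s: (s.version, s.timestamp, s.dsa_guid)
    return incoming if key(incoming) > key(local) else local

def merge_object(local, incoming):
    """local/incoming: {attribute: AttrStamp}. Resolve per attribute, not per object."""
    merged = dict(local)
    for attr, stamp in incoming.items():
        merged[attr] = winning_stamp(local[attr], stamp) if attr in local else stamp
    return merged

def resolve_rdn_conflict(rdn, local, incoming):
    """local/incoming: (version, object_guid). Returns {object_guid: final RDN}.
    Lower version loses its name; an equal version is broken on GUID (assumption)."""
    (lv, lg), (iv, ig) = local, incoming
    loser = ig if (iv, ig) < (lv, lg) else lg
    return {g: (rdn if g != loser else f"{rdn}-{g}") for g in (lg, ig)}
```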
  • 29. Determining Replication Topology
    • Replication topology
      • Combination of paths used to replicate changes between domain controllers
      • Every naming context has its own
    • Connection object
      • Identifies replication partners
      • Unidirectional
      • Does not specify individual naming context
  • 30. Determining Replication Topology (continued)
    • Intra-site replication
      • Process of updating domain controllers within same site
    • Inter-site replication
      • Process of updating domain controllers between sites
  • 31. Connection Objects
    • Logical construct
    • Provide representation of connection between two or more domain controllers
    • Created in one of two ways
      • Automatically by:
        • Knowledge Consistency Checker (KCC)
        • Inter-Site Topology Generator (ISTG)
      • Manually by:
        • Active Directory administrator
  • 32. Connection Objects (continued)
    • KCC does not optimize any connection objects created using a manual process
      • Administrator wholly responsible for maintaining manual connections in the event of misconfiguration issues or unavailability
  • 33. Activity 7-1: Manually Creating Connections
    • Objective: This exercise is designed to familiarize you with the process of manually creating replication connection objects
    • Manually create a connection using Active Directory Sites and Services
  • 34. Intra-site Replication
    • KCC is responsible for the replication topology within a site
      • Checks replication topology every 15 minutes
      • Attempts to create a replication topology made up of bidirectional ring
      • Adds additional connection objects to ensure that no more than three hops are required
  • 35. Example Bidirectional Ring Replication Topology with Additional Connectors
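An added illustration of the ring-plus-three-hops rule on slide 34 (not the deck's material): build the bidirectional ring, measure replication hops between every pair of DCs, and add connection objects until no pair is more than three hops apart. The real KCC picks its extra connections differently; adding a link between the most distant pair is this example's own simplification, and the DC names are made up.

```python
"""Toy version of the intra-site rule on the slide: the KCC starts from a
bidirectional ring over the site's DCs and adds connection objects until no
two DCs are more than three replication hops apart. The real KCC's choice of
extra connections differs; this adds a link between the most distant pair."""
from collections import deque
from itertools import combinations

def ring(dcs):
    """Bidirectional ring: each unordered edge stands for two one-way connection objects."""
    if len(dcs) < 2:
        return set()
    return {frozenset((dc, dcs[(i + 1) % len(dcs)])) for i, dc in enumerate(dcs)}

def hops(edges, src, dst):
    """Breadth-first search; number of replication hops from src to dst."""
    nbrs = {}
    for edge in edges:
        a, b = tuple(edge)
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)
    seen, queue = {src: 0}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            return seen[cur]
        for nxt in nbrs.get(cur, ()):
            if nxt not in seen:
                seen[nxt] = seen[cur] + 1
                queue.append(nxt)
    return float("inf")

def farthest_pair(edges, dcs):
    """(hops, (a, b)) for the first most distant pair, in list order."""
    best = (0, None)
    for a, b in combinations(dcs, 2):
        h = hops(edges, a, b)
        if h > best[0]:
            best = (h, (a, b))
    return best

def kcc_topology(dcs, max_hops=3):
    """Ring plus extra connections until every pair is within max_hops."""
    edges = ring(dcs)
    while True:
        h, pair = farthest_pair(edges, dcs)
        if h <= max_hops:
            return edges
        edges.add(frozenset(pair))
```

With eight DCs the plain ring puts opposite DCs four hops apart, so two extra connections are added; a site of six or fewer DCs needs none.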
  • 36. Global Catalog Replication
    • Global catalog
      • Holds partial read-only replica of domain naming context for each domain in forest
    • Topology generated for replicating domain’s master replicas is used
    • Connection objects are added to connect read-only replicas to topology
  • 37. Inter-site Replication
    • One domain controller in each site is designated as ISTG
      • Oldest server in site by default
      • Responsible for creating connection objects with domain controllers located in other sites
      • Attempts to create minimum number of connections
      • Also responsible (by default) for choosing bridgehead server
  • 38. Bridgehead Server
    • Used to designate particular domain controller for replication purposes
    • Has historical (Windows NT) origin
    • Functions as single point of contact in site for given naming context
      • All inter-site replication traffic flows between the bridgehead servers of each site
  • 39. Bridgehead Server (continued)
  • 40. Controlling Replication Frequency
    • Main factors that control replication frequency
      • Location of replication partners
      • Type of data being replicated
  • 41. Intra-site Replication Schedule
    • Based on a notify-pull process
    • Begins when object is modified at domain controller
    • Replication partner pulls updates from source domain controller
    • Maximum time for update to propagate approximately 45 seconds
    • Traffic not compressed by default
  • 42. Inter-site Replication Schedule
    • Time-based
      • Replicating changes at set intervals
      • Default:
        • Every 3 hours
    • Data compressed by default
    • Replication schedule/replication interval can be set
  • 43. Example Site Link Replication Schedule and Interval
  • 44. Urgent Replication
    • Occurs immediately within site
    • Between sites:
      • Will still observe normal replication intervals and restrictions
    • Trigger events:
      • Account lockout
      • Changing certain policies
      • Local Security Authority (LSA) secret change
      • RID master role assigned to new server
  • 45. Password Replication
    • Important for passwords to be synchronized between domain controllers
    • Password changes are replicated differently from both urgent and non-urgent replication
    • PDC emulator
      • One domain controller in domain
  • 46. Password Replication (continued)
    • Password change replicated immediately to the PDC emulator
    • On failed logon
      • Authenticating domain controller forwards authentication request to PDC emulator
      • PDC emulator attempts to authenticate user
  • 47. Monitoring and Troubleshooting Replication
    • Symptoms of replication failure include
      • Logon failure
      • Other inconsistencies in Active Directory
    • Most problems with Active Directory replication are caused by:
      • Administrator error
      • Network infrastructure glitches
  • 48. Monitoring and Troubleshooting Replication (continued)
    • Active Directory Replication Monitor
      • Monitor replication traffic between domain controllers
      • Display a list of domain controllers in a domain
      • Verify replication topology
      • Manually force replication
      • Check a domain controller’s current USN and unreplicated objects
      • Display bridgehead servers and trusts
  • 49. SYSVOL
    • Folder called sysvol
    • Created during the promotion of domain controller
    • Used to share files containing scripts, etc.
    • Stored in %SYSTEMROOT%\SYSVOL by default
    • File Replication Service (FRS)
      • Used to replicate changes in SYSVOL
  • 50. SYSVOL Replication
    • SYSVOL replication independent from Active Directory object replication
    • Uses File Replication Service (FRS)
    • FRS configures replication topology to match connection objects of domain controller
    • Inter-site replication frequency controlled by schedule on replication partner’s connection object
  • 51. Troubleshooting SYSVOL Replication
    • Check File Replication Service event log
    • Confirm that domain controllers can resolve fully qualified domain names (FQDNs) of replication partners
    • Confirm File Replication Service is started
    • Check for sufficient disk space
    • Check that file(s) are not being filtered out by FRS
  • 52. Summary
    • Active Directory uses multi-master model for replication
    • Active Directory uses system based on update sequence numbers
      • Are unique for each domain controller
    • Replication topology for intra-site replication is created by KCC
    • Replicating attribute-level changes minimizes replication conflicts
  • 53. Summary (continued)
    • Use Active Directory Replication Monitor to view both intra-site and inter-site replication information
    • SYSVOL is a share available on every domain controller in a domain
      • Used to store files such as logon scripts