Test

Published in: Technology, Education

Transcript

  • 1. 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 7: Active Directory Replication
  • 2. Objectives
    • Describe how Active Directory identifies data that needs to be replicated
    • Describe how the Active Directory replication topology is generated
    • Describe and control when Active Directory replication occurs
  • 3. Objectives (continued)
    • Monitor and troubleshoot Active Directory replication
    • Describe SYSVOL and how its replication differs from Active Directory replication
  • 4. Identifying Data to Replicate
    • Active Directory uses multi-master model
      • Changes made on any DC
      • Replicated to all DCs
    • Replication is performed at attribute level
      • Not object level
    • Replication involves two types of updates:
      • Originating updates
      • Replicated updates
  • 5. Identifying Data to Replicate (continued)
    • Originating update:
      • Change made on local domain controller
    • Replicated update
      • Change made through replication
    • Update Sequence Numbers (USNs)
      • Used to track changes
      • Unique for each DC
  • 6. Identifying Data to Replicate (continued)
    • Update Sequence Numbers (USNs)
      • Incremented by one when change is made
      • Updated object and attributes are stamped with USN
      • Comparing USNs from different domain controllers is meaningless
    • It is possible for two domain controllers in the same domain to show different information
      • Caused by replication latency
  • 7. Identifying Data to Replicate (continued)
    • Convergence
      • All DCs have same data
      • Replication is complete
        • For the moment
  • 8. Identifying Domain Controllers
    • Identifiers for domain controller:
      • Domain controller’s computer account
      • Records registered in DNS
      • NTDS Settings Server object
      • Server GUID
      • Database GUID
  • 9. Update Sequence Number
    • 64-bit number
    • Used to identify changes to data
    • Each object has:
      • usnCreated
        • Set when object created
      • usnChanged
        • Set every time object is updated
  • 10. Update Sequence Number (continued)
    • Each attribute of object has two USNs:
      • USN for local domain controller
      • USN from domain controller that performed originating write operation
  • 11. Creation of New User Account
  • 12. Replication of New User Account
  • 13. Updating Attribute of User Account
  • 14. Replicating Change of User Account’s Attribute
  • 15. High-watermark Value
    • Used to identify which objects may need to be replicated
    • Table on each domain controller
    • Stores highest USN from each of replication partners
    • Source domain controller sends updates
      • Starting with object that has lowest usnChanged value
  • 16. High-watermark Value (continued)
  • 17. High-watermark Value (continued)
  • 18. Up-to-dateness Vector
    • Helps source domain controller filter out attributes that do not need to be replicated
    • Table on each domain controller
    • Stores highest originating USN
    • Based on all possible sources of original updates to a single destination
  • 19. Up-to-dateness Vector (continued)
  • 20. Determining Which Attributes Need to be Replicated
  • 21. Propagation Dampening
    • Up-to-dateness vector can be used to provide propagation dampening
  • 22. Propagation Dampening (continued)
  • 23. Propagation Dampening (continued)
  • 24. Propagation Dampening (continued)
  • 25. Propagation Dampening (continued)
  • 26. Conflict Resolution
    • Problems occur
      • When changes are made to same object at the same time on different domain controllers
    • Replicating at the attribute level minimizes replication conflicts
  • 27. Conflict Resolution (continued)
    • Attribute conflicts resolved using:
      • Version
      • Timestamp
      • Originating DSA GUID
    • Move under deleted parent
      • Object automatically moved to “lost and found” container
  • 28. Conflict Resolution (continued)
    • New object name conflict
      • Two objects are created with same relative distinguished name
      • One object is renamed
        • To system-wide unique value
      • Object with higher version number keeps name
  • 29. Determining Replication Topology
    • Replication topology
      • Combination of paths used to replicate changes between domain controllers
      • Every naming context has its own
    • Connection object
      • Identifies replication partners
      • Unidirectional
      • Does not specify individual naming context
  • 30. Determining Replication Topology (continued)
    • Intra-site replication
      • Process of updating domain controllers within same site
    • Inter-site replication
      • Process of updating domain controllers between sites
  • 31. Connection Objects
    • Logical construct
    • Provide representation of connection between two or more domain controllers
    • Created in one of two ways
      • Automatically by:
        • Knowledge Consistency Checker (KCC)
        • Inter-Site Topology Generator (ISTG)
      • Manually by:
        • Active Directory administrator
  • 32. Connection Objects (continued)
    • KCC does not optimize any connection objects created using a manual process
      • Administrator wholly responsible for maintaining manual connections in the event of misconfiguration issues or unavailability
  • 33. Activity 7-1: Manually Creating Connections
    • Objective: This exercise is designed to familiarize you with the process of manually creating replication connection objects
    • Manually create a connection using Active Directory Sites and Services
  • 34. Intra-site Replication
    • KCC is responsible for the replication topology within a site
      • Checks replication topology every 15 minutes
      • Attempts to create a replication topology made up of bidirectional ring
      • Adds additional connection objects to ensure that no more than three hops are required
  • 35. Example Bidirectional Ring Replication Topology with Additional Connectors
  • 36. Global Catalog Replication
    • Global catalog
      • Holds partial read-only replica of domain naming context for each domain in forest
    • Topology generated for replicating domain’s master replicas is used
    • Connection objects are added to connect read-only replicas to topology
  • 37. Inter-site Replication
    • One domain controller in each site is designated as ISTG
      • Oldest server in site by default
      • Responsible for creating connection objects with domain controllers located in other sites
      • Attempts to create minimum number of connections
      • Also responsible (by default) for choosing bridgehead server
  • 38. Bridgehead Server
    • Used to designate particular domain controller for replication purposes
    • Has historical (Windows NT) origin
    • Functions as single point of contact in site for given naming context
      • All replication traffic between bridgehead servers at each site
  • 39. Bridgehead Server (continued)
  • 40. Controlling Replication Frequency
    • Main factors that control replication frequency
      • Location of replication partners
      • Type of data being replicated
  • 41. Intra-site Replication Schedule
    • Based on a notify-pull process
    • Begins when object is modified at domain controller
    • Replication partner pulls updates from source domain controller
    • Maximum time for update to propagate approximately 45 seconds
    • Traffic not compressed by default
  • 42. Inter-site Replication Schedule
    • Time-based
      • Replicating changes at set intervals
      • Default:
        • Every 3 hours
    • Data compressed by default
    • Replication schedule/replication interval can be set
  • 43. Example Site Link Replication Schedule and Interval
  • 44. Urgent Replication
    • Occurs immediately within site
    • Between sites:
      • Will still observe normal replication intervals and restrictions
    • Trigger events:
      • Account lockout
      • Changing certain policies
      • Local Security Authority (LSA) secret change
      • RID master role assigned to new server
  • 45. Password Replication
    • Important for passwords to be synchronized between domain controllers
    • Password changes are replicated differently than urgent or nonurgent replication
    • PDC emulator
      • One domain controller in domain
  • 46. Password Replication (continued)
    • Password change replicated immediately to the PDC emulator
    • On failed logon
      • Authenticating domain controller forwards authentication request to PDC emulator
      • PDC emulator attempts to authenticate user
  • 47. Monitoring and Troubleshooting Replication
    • Symptoms of replication failure include
      • Log-on failure
      • Other inconsistencies in Active Directory
    • Most problems with Active Directory replication are caused by:
      • Administrator error
      • Network infrastructure glitches
  • 48. Monitoring and Troubleshooting Replication (continued)
    • Active Directory Replication Monitor
      • Monitor replication traffic between domain controllers
      • Display a list of domain controllers in a domain
      • Verify replication topology
      • Manually force replication
      • Check a domain controller’s current USN and unreplicated objects
      • Display bridgehead servers and trusts
  • 49. SYSVOL
    • Folder called sysvol
    • Created during the promotion of domain controller
    • Used to share files containing scripts, etc.
    • Stored in %SYSTEMROOT%\SYSVOL by default
    • File Replication Service (FRS)
      • Used to replicate changes in SYSVOL
  • 50. SYSVOL Replication
    • SYSVOL replication independent from Active Directory object replication
    • Uses File Replication Service (FRS)
    • FRS configures replication topology to match connection objects of domain controller
    • Inter-site replication frequency controlled by schedule on replication partner’s connection object
  • 51. Troubleshooting SYSVOL Replication
    • Check File Replication Service event log
    • Confirm that domain controllers can resolve fully qualified domain names (FQDNs) of replication partners
    • Confirm File Replication Service is started
    • Check for sufficient disk space
    • Check that file(s) are not being filtered out by FRS
  • 52. Summary
    • Active Directory uses multi-master model for replication
    • Active Directory uses system based on update sequence numbers
      • Are unique for each domain controller
    • Replication topology for intra-site replication is created by KCC
    • Replicating attribute-level changes minimizes replication conflicts
  • 53. Summary (continued)
    • Use Active Directory Replication Monitor to view both intra-site and inter-site replication information
    • SYSVOL is a share available on every domain controller in a domain
      • Used to store files such as logon scripts
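The high-watermark, up-to-dateness vector, propagation dampening and conflict resolution slides above (slides 15 to 28) as one runnable model, added here as an example and not part of the original deck or of any Microsoft code; the DC names, the object and attribute values and the clock values are constructed, and the originating DC name stands in for the originating DSA GUID.

```python
class DomainController:
    # Constructed model of one DC for this example; not Microsoft code
    def __init__(self, name):
        self.name = name
        self.usn = 0              # local USN counter; comparing USNs across DCs is meaningless
        self.attrs = {}           # (object, attribute) -> stamp dict
        self.high_watermark = {}  # source DC -> highest source-local USN already pulled
        self.utd_vector = {}      # originating DC -> highest originating USN we hold

    def originate(self, obj, attr, value, clock):
        # Originating update: stamped with our own new USN as both local and originating USN
        old = self.attrs.get((obj, attr))
        self.usn += 1
        self.attrs[(obj, attr)] = dict(value=value, version=old["version"] + 1 if old else 1,
                                       time=clock, orig_dc=self.name, orig_usn=self.usn, local_usn=self.usn)
        self.utd_vector[self.name] = self.usn

    def pull_from(self, source):
        # High-watermark: the source sends only attributes changed since our last pull, lowest usnChanged first
        hw = self.high_watermark.get(source.name, 0)
        pending = sorted(((k, a) for k, a in source.attrs.items() if a["local_usn"] > hw),
                         key=lambda ka: ka[1]["local_usn"])
        stamp = lambda s: (s["version"], s["time"], s["orig_dc"])  # conflict order: version, timestamp, originating DSA
        applied = 0
        for key, a in pending:
            origin = a["orig_dc"]
            if self.utd_vector.get(origin, 0) >= a["orig_usn"]:
                continue          # propagation dampening: we already hold this originating write
            self.utd_vector[origin] = max(self.utd_vector.get(origin, 0), a["orig_usn"])
            if key in self.attrs and stamp(a) <= stamp(self.attrs[key]):
                continue          # lost the conflict: keep the value already on this DC
            self.usn += 1         # replicated update is stamped with a fresh *local* USN
            self.attrs[key] = dict(a, local_usn=self.usn)
            applied += 1
        self.high_watermark[source.name] = source.usn
        return applied

def scenario():
    # Constructed run: DC1 originates, DC2 and DC3 pull it, DC3's pull via DC2 is dampened,
    # then concurrent edits on DC2 and DC3 are resolved by version ahead of timestamp
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    dc1.originate("cn=alice", "department", "Sales", clock=1)
    direct = (dc2.pull_from(dc1), dc3.pull_from(dc1))            # (1, 1)
    dampened = dc3.pull_from(dc2)                                  # 0: DC3 already holds DC1's USN 1
    dc2.originate("cn=alice", "department", "Finance", clock=2)    # version 2 on DC2
    dc2.originate("cn=alice", "department", "Treasury", clock=3)   # version 3 on DC2
    dc3.originate("cn=alice", "department", "Legal", clock=4)      # version 2 on DC3, newer timestamp
    resolved = dc3.pull_from(dc2)                                  # 1: version 3 beats version 2
    return direct, dampened, resolved, dc3.attrs[("cn=alice", "department")]["value"]
```

The second pull from DC2 applies nothing because DC3's up-to-dateness vector already records DC1's originating USN, and in the final pull DC2's version 3 wins over DC3's version 2 even though DC3's edit carries the later timestamp.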
