    • 70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 7: Active Directory Replication
    • Objectives
      • Describe how Active Directory identifies data that needs to be replicated
      • Describe how the Active Directory replication topology is generated
      • Describe and control when Active Directory replication occurs
    • Objectives (continued)
      • Monitor and troubleshoot Active Directory replication
      • Describe SYSVOL and how its replication differs from Active Directory replication
    • Identifying Data to Replicate
      • Active Directory uses multi-master model
        • Changes made on any DC
        • Replicated to all DCs
      • Replication is performed at attribute level
        • Not object level
      • Replication involves two types of updates:
        • Originating updates
        • Replicated updates
    • Identifying Data to Replicate (continued)
      • Originating update:
        • Change made on local domain controller
      • Replicated update
        • Change made through replication
      • Update Sequence Numbers (USNs)
        • Used to track changes
        • Unique for each DC
    • Identifying Data to Replicate (continued)
      • Update Sequence Numbers (USNs)
        • Incremented by one when change is made
        • Updated object and attributes are stamped with USN
        • Comparing USNs from different domain controllers is meaningless
      • It is possible for two domain controllers in same domain to show different information
        • Caused by latency
    • Identifying Data to Replicate (continued)
      • Convergence
        • All DCs have same data
        • Replication is complete
          • For the moment
    • Identifying Domain Controllers
      • Identifiers for domain controller:
        • Domain controller’s computer account
        • Records registered in DNS
        • NTDS Settings Server object
        • Server GUID
        • Database GUID
    • Update Sequence Number
      • 64-bit number
      • Used to identify changes to data
      • Each object has:
        • usnCreated
          • Set when object created
        • usnChanged
          • Set every time object is updated
    • Update Sequence Number (continued)
      • Each attribute of object has two USNs:
        • USN for local domain controller
        • USN from domain controller that performed originating write operation
    • Creation of New User Account
    • Replication of New User Account
    • Updating Attribute of User Account
    • Replicating Change of User Account’s Attribute
    • High-watermark Value
      • Used to identify which objects may need to be replicated
      • Table on each domain controller
      • Stores highest USN received from each replication partner
      • Source domain controller sends updates
        • Starting with object that has lowest usnChanged value
    • High-watermark Value (continued)
    • High-watermark Value (continued)
    • Up-to-dateness Vector
      • Helps source domain controller filter out attributes that do not need to be replicated
      • Table on each domain controller
      • Stores highest originating USN
      • Based on all possible sources of original updates to a single destination
    • Up-to-dateness Vector (continued)
    • Determining Which Attributes Need to be Replicated
    • Propagation Dampening
      • Up-to-dateness vector can be used to provide propagation dampening
    • Propagation Dampening (continued)
    • Propagation Dampening (continued)
    • Propagation Dampening (continued)
    • Propagation Dampening (continued)
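The USN, high-watermark, up-to-dateness vector and propagation dampening slides describe one mechanism, so here is a small simulation of that bookkeeping as an added example (it is not part of the original presentation and not Microsoft's code). The DC names, DN, class and method names are constructed; the model keeps a local USN counter per DC, stamps each attribute with its local and originating USNs, advances the high-watermark per partner and drops attributes the destination already has according to its up-to-dateness vector.

```python
"""Added example (not from the original presentation): a small simulation of
the replication bookkeeping described above, with constructed DC names and
class/method names. It models local USN counters, per-attribute stamps, the
high-watermark table, the up-to-dateness vector and propagation dampening."""
from dataclasses import dataclass


@dataclass
class AttrStamp:
    """Replication metadata an attribute carries on one DC."""
    local_usn: int    # USN this DC assigned when it wrote the value (meaningful only on this DC)
    orig_dc: str      # DC where the originating write happened
    orig_usn: int     # USN on the originating DC
    version: int      # incremented on every originating write
    value: object


class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0                  # local USN counter (64-bit in AD)
        self.objects = {}             # dn -> {"usnChanged": int, "attrs": {attr: AttrStamp}}
        self.high_watermark = {}      # partner -> highest usnChanged already received from it
        self.utd_vector = {name: 0}   # originating DC -> highest originating USN applied here

    def next_usn(self):
        self.usn += 1
        return self.usn

    def originating_write(self, dn, attr, value):
        """Originating update: a change made on this DC gets a fresh local USN."""
        usn = self.next_usn()
        obj = self.objects.setdefault(dn, {"usnChanged": 0, "attrs": {}})
        old = obj["attrs"].get(attr)
        version = old.version + 1 if old else 1
        obj["attrs"][attr] = AttrStamp(usn, self.name, usn, version, value)
        obj["usnChanged"] = usn
        self.utd_vector[self.name] = usn

    def changes_for(self, watermark, dest_utd):
        """Source side. Objects above the partner's high-watermark, lowest usnChanged
        first; attributes the destination already holds (per its up-to-dateness
        vector) are dropped, which is propagation dampening."""
        batch = []
        for dn, obj in sorted(self.objects.items(), key=lambda kv: kv[1]["usnChanged"]):
            if obj["usnChanged"] <= watermark:
                continue
            attrs = {a: s for a, s in obj["attrs"].items()
                     if s.orig_usn > dest_utd.get(s.orig_dc, 0)}
            batch.append((dn, obj["usnChanged"], attrs))
        return batch

    def pull_from(self, source):
        """Destination side (replicated updates). Returns the number of attributes applied."""
        applied = 0
        for dn, usn_changed, attrs in source.changes_for(
                self.high_watermark.get(source.name, 0), self.utd_vector):
            obj = self.objects.setdefault(dn, {"usnChanged": 0, "attrs": {}})
            for attr, s in attrs.items():
                local = self.next_usn()   # a replicated write still consumes a local USN
                obj["attrs"][attr] = AttrStamp(local, s.orig_dc, s.orig_usn, s.version, s.value)
                obj["usnChanged"] = local
                self.utd_vector[s.orig_dc] = max(self.utd_vector.get(s.orig_dc, 0), s.orig_usn)
                applied += 1
            self.high_watermark[source.name] = usn_changed  # advances even if everything was dampened
        return applied


def replica_values(dc):
    return {dn: {a: s.value for a, s in o["attrs"].items()} for dn, o in dc.objects.items()}


def converged(dcs):
    """Convergence: every DC holds the same attribute values (for the moment)."""
    return all(replica_values(d) == replica_values(dcs[0]) for d in dcs)


def run_demo():
    dc1, dc2, dc3 = (DomainController(n) for n in ("DC1", "DC2", "DC3"))
    dc1.originating_write("cn=alice,ou=users", "description", "new hire")   # constructed object
    applied = [dc2.pull_from(dc1), dc3.pull_from(dc1), dc3.pull_from(dc2)]
    return applied, converged([dc1, dc2, dc3]), dict(dc3.high_watermark), dict(dc3.utd_vector)


if __name__ == "__main__":
    print(run_demo())   # ([1, 1, 0], True, {'DC1': 1, 'DC2': 1}, {'DC3': 0, 'DC1': 1})
```

The third pull is the interesting one: DC3 already has DC1's originating write (its up-to-dateness vector records DC1 at USN 1), so when it pulls from DC2 the attribute is filtered out and zero attributes are applied, yet DC3's high-watermark for DC2 still advances. That is the dampening effect the slides refer to, and it is also why comparing raw USNs across two DCs says nothing: each DC's counter is its own.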
    • Conflict Resolution
      • Problems occur
        • When changes are made to same object at the same time on different domain controllers
      • Replicating at the attribute level minimizes replication conflicts
    • Conflict Resolution (continued)
      • Attribute conflicts resolved using:
        • Version
        • Timestamp
        • Originating DSA GUID
      • Move under deleted parent
        • Object automatically moved to “lost and found” container
    • Conflict Resolution (continued)
      • New object name conflict
        • Two objects are created with same relative distinguished name
        • One object is renamed
          • To system-wide unique value
        • Object with higher version number keeps name
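The three conflict cases on the slides above (attribute conflict, move under a deleted parent, and a relative distinguished name conflict) are easy to misread from bullet points alone, so here they are as an added example that is not part of the original presentation. The stamps, GUIDs and DNs are constructed; the tie-break ordering used for attribute conflicts (version, then timestamp, then the larger originating DSA GUID) and the "CNF:" rename suffix are stated as assumptions for illustration, and the LostAndFound container name is the usual one in a domain.

```python
"""Added example (not from the original presentation): the three conflict
cases listed above, with constructed stamps, GUIDs and DNs. The tie-break
order (version, then timestamp, then larger originating DSA GUID) and the
'CNF:' rename suffix are assumptions made for illustration."""
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class Stamp:
    version: int                  # originating-write version of the attribute
    timestamp: int                # originating time, constructed as an integer clock
    originating_dsa: uuid.UUID    # GUID of the DSA that made the originating write


def winning_stamp(a, b):
    """Attribute conflict: the same attribute changed on two DCs at about the same
    time. Higher version wins; on a tie the later timestamp; then the larger GUID."""
    key = lambda s: (s.version, s.timestamp, s.originating_dsa.int)
    return a if key(a) >= key(b) else b


@dataclass
class NewObject:
    rdn: str
    object_guid: uuid.UUID
    stamp: Stamp                  # stamp carried by the object's creation


def resolve_rdn_conflict(existing, incoming):
    """Two objects created under the same parent with the same RDN. The object
    with the higher version keeps its name; the other one is renamed to a
    system-wide unique value (the suffix format here is constructed)."""
    if winning_stamp(existing.stamp, incoming.stamp) == existing.stamp:
        keep, rename = existing, incoming
    else:
        keep, rename = incoming, existing
    rename.rdn = f"{rename.rdn} CNF:{rename.object_guid}"
    return keep, rename


def resolve_parent(parent_dn, live_containers, domain_dn):
    """Move under deleted parent: if the parent no longer exists on this DC,
    the replicated object is placed in the domain's LostAndFound container."""
    if parent_dn in live_containers:
        return parent_dn
    return f"CN=LostAndFound,{domain_dn}"


def run_demo():
    g_low, g_high = uuid.UUID(int=1), uuid.UUID(int=2)          # constructed DSA GUIDs
    by_version = winning_stamp(Stamp(2, 100, g_low), Stamp(1, 200, g_high)).version
    by_guid = winning_stamp(Stamp(1, 100, g_low), Stamp(1, 100, g_high)).originating_dsa == g_high
    a = NewObject("CN=Alice", uuid.UUID(int=10), Stamp(1, 100, g_low))
    b = NewObject("CN=Alice", uuid.UUID(int=11), Stamp(2, 100, g_high))
    keep, renamed = resolve_rdn_conflict(a, b)
    domain = "DC=example,DC=test"                                # constructed domain
    placed = resolve_parent(f"OU=Sales,{domain}", {f"OU=Users,{domain}"}, domain)
    return by_version, by_guid, keep.rdn, renamed.rdn, placed


if __name__ == "__main__":
    print(run_demo())
```

Note that `winning_stamp` is what makes attribute-level replication cheap to reconcile: two administrators editing different attributes of the same user never conflict at all, and only a write to the same attribute reaches the version/timestamp/GUID comparison.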
    • Determining Replication Topology
      • Replication topology
        • Combination of paths used to replicate changes between domain controllers
        • Every naming context has its own
      • Connection object
        • Identifies replication partners
        • Unidirectional
        • Does not specify individual naming context
    • Determining Replication Topology (continued)
      • Intra-site replication
        • Process of updating domain controllers within same site
      • Inter-site replication
        • Process of updating domain controllers between sites
    • Connection Objects
      • Logical construct
      • Provide representation of connection between two or more domain controllers
      • Created in one of two ways
        • Automatically by:
          • Knowledge Consistency Checker (KCC)
          • Inter-Site Topology Generator (ISTG)
        • Manually by:
          • Active Directory administrator
    • Connection Objects (continued)
      • KCC does not optimize any connection objects created using a manual process
        • Administrator wholly responsible for maintaining manual connections in the event of misconfiguration issues or unavailability
    • Activity 7-1: Manually Creating Connections
      • Objective: This exercise is designed to familiarize you with the process of manually creating replication connection objects
      • Manually create a connection using Active Directory Sites and Services
    • Intra-site Replication
      • KCC is responsible for the replication topology within a site
        • Checks replication topology every 15 minutes
        • Attempts to create a replication topology made up of bidirectional ring
        • Adds additional connection objects to ensure that no more than three hops are required
    • Example Bidirectional Ring Replication Topology with Additional Connectors
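To make the "bidirectional ring plus extra connection objects so that no DC is more than three hops away" idea concrete, the following added example (not from the original presentation, and not the KCC's actual code) builds such a topology for a set of constructed DC names. Connection objects are modelled as unidirectional, so a bidirectional ring needs two per adjacent pair; the rule used to pick shortcuts (connect the farthest pair until every pair is within three hops) is an illustration, not the KCC's real selection logic.

```python
"""Added example (not from the original presentation): a simplified model of the
intra-site topology the slide describes, with constructed DC names. Connection
objects are unidirectional, so a bidirectional ring needs two per adjacent pair.
The shortcut rule (connect the farthest pair until no pair is more than three
hops apart) is an illustration, not the KCC's real selection logic."""
from collections import deque


def ring_connections(dcs):
    """Bidirectional ring: one connection object in each direction per neighbour pair."""
    conns = set()
    for i, dc in enumerate(dcs):
        nxt = dcs[(i + 1) % len(dcs)]
        conns.update({(dc, nxt), (nxt, dc)})
    return conns


def hop_counts(dcs, conns):
    """Shortest replication path (in hops) between every ordered pair of DCs."""
    adj = {d: set() for d in dcs}
    for src, dst in conns:
        adj[src].add(dst)
    dist = {}
    for start in dcs:
        seen, queue = {start: 0}, deque([start])
        while queue:
            cur = queue.popleft()
            for nb in sorted(adj[cur]):
                if nb not in seen:
                    seen[nb] = seen[cur] + 1
                    queue.append(nb)
        for target in dcs:
            dist[(start, target)] = seen.get(target, float("inf"))
    return dist


def add_shortcut_connections(dcs, conns, max_hops=3):
    """Add connection objects (both directions) until no pair exceeds max_hops."""
    conns = set(conns)
    while True:
        dist = hop_counts(dcs, conns)
        (a, b), hops = max(dist.items(), key=lambda kv: kv[1])
        if hops <= max_hops:
            return conns
        conns.update({(a, b), (b, a)})


def build_intrasite_topology(dcs):
    """Returns (ring connections, full topology, worst-case hop count)."""
    ring = ring_connections(dcs)
    full = add_shortcut_connections(dcs, ring)
    return ring, full, max(hop_counts(dcs, full).values())


if __name__ == "__main__":
    site = [f"DC{i}" for i in range(1, 9)]          # constructed eight-DC site
    ring, full, worst = build_intrasite_topology(site)
    print(len(ring), len(full), worst)              # 16 20 3
    print(sorted(full - ring))                      # the added connection objects
```

With eight DCs the plain ring leaves opposite members four hops apart, so two shortcut pairs (four unidirectional connection objects) are added; with four or fewer DCs the ring alone already satisfies the three-hop limit and nothing is added. A manually created connection object would simply be another member of the set, which is the point of the earlier slide: the KCC will not re-optimise around it.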
    • Global Catalog Replication
      • Global catalog
        • Holds partial read-only replica of domain naming context for each domain in forest
      • Topology generated for replicating domain’s master replicas is used
      • Connection objects are added to connect read-only replicas to topology
    • Inter-site Replication
      • One domain controller in each site is designated as ISTG
        • Oldest server in site by default
        • Responsible for creating connection objects with domain controllers located in other sites
        • Attempts to create minimum number of connections
        • Also responsible (by default) for choosing bridgehead server
    • Bridgehead Server
      • Used to designate particular domain controller for replication purposes
      • Has historical (Windows NT) origin
      • Functions as single point of contact in site for given naming context
        • All replication traffic between bridgehead servers at each site
    • Bridgehead Server (continued)
    • Controlling Replication Frequency
      • Main factors that control replication frequency
        • Location of replication partners
        • Type of data being replicated
    • Intra-site Replication Schedule
      • Based on a notify-pull process
      • Begins when object is modified at domain controller
      • Replication partner pulls updates from source domain controller
      • Maximum time for update to propagate approximately 45 seconds
      • Traffic not compressed by default
    • Inter-site Replication Schedule
      • Time-based
        • Replicating changes at set intervals
        • Default:
          • Every 3 hours
      • Data compressed by default
      • Replication schedule/replication interval can be set
    • Example Site Link Replication Schedule and Interval
    • Urgent Replication
      • Occurs immediately within site
      • Between sites:
        • Will still observe normal replication intervals and restrictions
      • Trigger events:
        • Account lockout
        • Changing certain policies
        • Local Security Authority (LSA) secret change
        • RID master role assigned to new server
    • Password Replication
      • Important for passwords to be synchronized between domain controllers
      • Password changes are replicated differently than urgent or nonurgent replication
      • PDC emulator
        • One domain controller in domain
    • Password Replication (continued)
      • Password change replicated immediately to the PDC emulator
      • On failed logon
        • Authenticating domain controller forwards authentication request to PDC emulator
        • PDC emulator attempts to authenticate user
    • Monitoring and Troubleshooting Replication
      • Symptoms of replication failure include
        • Log-on failure
        • Other inconsistencies in Active Directory
      • Most problems with Active Directory replication are caused by:
        • Administrator error
        • Network infrastructure glitches
    • Monitoring and Troubleshooting Replication (continued)
      • Active Directory Replication Monitor
        • Monitor replication traffic between domain controllers
        • Display a list of domain controllers in a domain
        • Verify replication topology
        • Manually force replication
        • Check a domain controller’s current USN and unreplicated objects
        • Display bridgehead servers and trusts
    • SYSVOL
      • Folder called sysvol
      • Created during the promotion of domain controller
      • Used to share files containing scripts, etc.
      • Stored in %SYSTEMROOT%\SYSVOL by default
      • File Replication Service (FRS)
        • Used to replicate changes in SYSVOL
    • SYSVOL Replication
      • SYSVOL replication independent from Active Directory object replication
      • Uses File Replication Service (FRS)
      • FRS configures replication topology to match connection objects of domain controller
      • Inter-site replication frequency controlled by schedule on replication partner’s connection object
    • Troubleshooting SYSVOL Replication
      • Check File Replication Service event log
      • Confirm that domain controllers can resolve fully qualified domain names (FQDNs) of replication partners
      • Confirm File Replication Service is started
      • Check for sufficient disk space
      • Check that file(s) are not being filtered out by FRS
    • Summary
      • Active Directory uses multi-master model for replication
      • Active Directory uses system based on update sequence numbers
        • Are unique for each domain controller
      • Replication topology for intra-site replication is created by KCC
      • Replicating attribute-level changes minimizes replication conflicts
    • Summary (continued)
      • Use Active Directory Replication Monitor to view both intra-site and inter-site replication information
      • SYSVOL is a share available on every domain controller in a domain
        • Used to store files such as logon scripts