Active Directory Replication (Part 1) Paige Verwolf Support Professional Microsoft Corporation © 1999 Microsoft Corporation. All rights reserved.


Replication Fundamentals
- Multi-master replication
- Replicated operations: object add, object modify, object move, object deletion
- Originating update: an update initiated by a domain controller or program
- Replicated update: an update replicated from a replication partner
- Object deletions create tombstones

Replication Fundamentals (2)
- Transitiveness of replication
- Store/forward mechanism
- Propagation dampening based on state vector

Multi-Master Replication
Active Directory provides multi-master replication. Multi-master replication means that all replicas of a given partition are writeable, so updates can be applied to any replica of that partition. The Active Directory replication system propagates the changes from a given replica to all other replicas. Replication is automatic and transparent.

Pull Replication
Active Directory uses pull replication. In pull replication a destination replica requests information from a source replica. The request specifies the information that the destination needs. When the destination receives information from the source, it applies that information (bringing itself more up to date). The destination's next request to the source excludes the information just received and applied.

Push Replication
The alternative is push replication. In push replication, a source sends information to a destination unsolicited, hoping to bring the destination more up to date. Push replication is problematic because it is difficult for the source to know what information the destination needs. Perhaps the destination has already received the same information from another source. If a source sends information to a destination, there is no guarantee that the destination applies the information; the destination may not be working. If the destination does not work and must be restored from backup, any knowledge in the source of the destination's up-to-date information becomes invalid. Microsoft does not use push replication.

State-Based Replication
Active Directory uses a state-based approach to replication. Each master applies updates (both originating and replicated) to its replica as they arrive. Replication is not driven from logs stored on the source replica, but from the current state of the source replica. The state includes information for resolving conflicts and information to avoid sending the full replica on each cycle. This approach uses a single mechanism for incremental and full synchronization, and performs fewer database updates because repeated and conflicting updates to an attribute are collapsed into a single state. Conflicts are resolved with a last-writer-wins algorithm.
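The slides above describe pull, state-based, multi-master replication with store/forward, propagation dampening from a state vector, last-writer-wins conflict resolution and tombstones, but do not show how these pieces interact. The following Python model is an added example, not code from the presentation or from Microsoft: it simplifies per-attribute stamps to (version, time, originating DC) and tracks a high watermark per source plus an up-to-dateness vector per destination. The DC names, the DN and the attribute values are constructed for the demonstration.

```python
# Added example (not from the presentation): a toy model of multi-master, pull,
# state-based replication with last-writer-wins and tombstones. DC names, the DN
# and attribute values are constructed; USN and stamp semantics are simplified.
from dataclasses import dataclass, field


@dataclass(frozen=True, order=True)
class Stamp:
    """Per-attribute stamp compared for last-writer-wins: version, then time, then origin."""
    version: int
    time: int
    origin: str                               # DC that made the originating update
    origin_usn: int = field(compare=False)    # that DC's USN, used only for dampening


@dataclass
class Attr:
    value: object
    stamp: Stamp
    local_usn: int        # USN on this replica when the value was last written here


class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0
        self.objects = {}             # dn -> {attribute name: Attr}
        self.high_watermark = {}      # source DC -> highest source USN already pulled
        self.utd_vector = {name: 0}   # origin DC -> highest originating USN applied here

    def _next_usn(self):
        self.usn += 1
        return self.usn

    def write(self, dn, attr, value, time):
        """Originating add/modify: new version of the attribute, stamped by this DC."""
        obj = self.objects.setdefault(dn, {})
        version = obj[attr].stamp.version + 1 if attr in obj else 1
        usn = self._next_usn()
        obj[attr] = Attr(value, Stamp(version, time, self.name, usn), usn)
        self.utd_vector[self.name] = usn

    def delete(self, dn, time):
        """Originating delete: the object survives only as a tombstone (isDeleted=True)."""
        self.write(dn, "isDeleted", True, time)
        self.objects[dn] = {"isDeleted": self.objects[dn]["isDeleted"]}

    def changes_since(self, watermark, partner_utd):
        """Source side: state written after the partner's watermark, minus anything the
        partner's up-to-dateness vector shows it already holds (propagation dampening)."""
        changes = []
        for dn, attrs in self.objects.items():
            for name, a in attrs.items():
                if a.local_usn <= watermark:
                    continue
                if a.stamp.origin_usn <= partner_utd.get(a.stamp.origin, 0):
                    continue
                changes.append((dn, name, a.value, a.stamp))
        return changes, self.usn, dict(self.utd_vector)

    def pull_from(self, source):
        """Destination side: request, apply with last-writer-wins, advance the watermark
        for this source and merge its up-to-dateness vector. Returns (sent, applied)."""
        wm = self.high_watermark.get(source.name, 0)
        changes, src_usn, src_utd = source.changes_since(wm, self.utd_vector)
        applied = 0
        for dn, name, value, stamp in changes:
            obj = self.objects.setdefault(dn, {})
            if "isDeleted" in obj and obj["isDeleted"].value and name != "isDeleted":
                continue                      # already a tombstone here: deletion wins
            if name in obj and obj[name].stamp >= stamp:
                continue                      # local value is as new or newer: last writer wins
            obj[name] = Attr(value, stamp, self._next_usn())   # stored, so it can be forwarded
            applied += 1
            if name == "isDeleted" and value:
                self.objects[dn] = {"isDeleted": obj[name]}
        self.high_watermark[source.name] = src_usn
        for origin, usn in src_utd.items():
            self.utd_vector[origin] = max(self.utd_vector.get(origin, 0), usn)
        return len(changes), applied


def demo():
    """Three DCs in a full mesh: dampening, a concurrent conflict, and a deletion."""
    dn = "CN=Alice,CN=Users,DC=example,DC=com"          # constructed
    a, b, c = (DomainController(n) for n in "ABC")
    a.write(dn, "title", "Engineer", time=1)
    b.pull_from(a)
    c.pull_from(a)
    dampened = c.pull_from(b)        # B holds A's change, but C's vector says C has it: nothing sent
    a.write(dn, "title", "Lead", time=5)         # concurrent originating updates
    b.write(dn, "title", "Architect", time=7)    # same version, later time: this one wins
    for _ in range(2):
        for dst in (a, b, c):
            for src in (a, b, c):
                if src is not dst:
                    dst.pull_from(src)
    titles = {dc.name: dc.objects[dn]["title"].value for dc in (a, b, c)}
    c.delete(dn, time=9)
    a.pull_from(c)
    b.pull_from(c)
    tombstones = {dc.name: sorted(dc.objects[dn]) for dc in (a, b, c)}
    return {"dampened": dampened, "titles": titles, "tombstones": tombstones}


if __name__ == "__main__":
    print(demo())
```

Two points the slides make are visible in the run: C's pull from B transfers nothing because the up-to-dateness vector already covers A's originating update (dampening), and the value replicated to a DC is written with that DC's own USN so a third partner can pull it from there (store/forward), which is what makes replication transitive.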

The First Replication Transaction: Dcpromo.exe
On the new domain controller, Dcpromo.exe replicates over a complete copy of the schema and configuration naming contexts, and any critical objects required for restarting in the domain naming context. Critical objects are identified by the IsCriticalSystemObject attribute. The domain controller also records which computer it is using as a "source."

Lightweight Directory Access Protocol
Lightweight Directory Access Protocol (LDAP) is the primary access protocol for Active Directory. When you install or upgrade to Microsoft® Windows® 2000, Active Directory is created on the domain controller, and LDAP is used to access each object in the directory.

LDAP (2)
Distinguished Name (DN)
The DN identifies the domain that holds the object, as well as the complete path through the container hierarchy by which the object is reached. A typical DN is shown in the following example: CN=Someone,CN=Users,DC=Microsoft,DC=Com. This DN identifies the "Someone" user object in the Microsoft.com domain.
Relative Distinguished Name (RDN)
The RDN is the part of the name that is an attribute of the object itself. In the preceding example, the RDN of the "Someone" user object is "CN=Someone." The RDN of the parent object is "CN=Users."
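The DN/RDN relationship on this slide is mechanical enough to implement. The following is an added example, not code from the presentation: it splits a DN into its RDNs, returns the object's own RDN, the parent DN and the DNS domain derived from the DC components. It goes slightly beyond the slide by honouring a backslash-escaped comma inside a value (as in "CN=Doe\, Jane"), which the slide's example does not need; other escape sequences are left as written. The second DN in the checks is constructed.

```python
# Added example (not from the presentation): split an LDAP DN into RDNs and
# derive the object's RDN, its parent DN and its domain. Only the "\," escape
# inside a value is unescaped; that handling is beyond the slide's example.

def split_rdns(dn):
    """Split a DN on unescaped commas, keeping backslash escapes intact for now."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped character: copy both chars
            current.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current).strip())
    return rdns


def parse_dn(dn):
    """Return [(attribute type, value), ...] from the leaf RDN up to the root."""
    parsed = []
    for rdn in split_rdns(dn):
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        parsed.append((attr_type.strip().upper(), value.replace("\\,", ",")))
    return parsed


def rdn_of(dn):
    """The object's own RDN, e.g. 'CN=Someone'."""
    attr_type, value = parse_dn(dn)[0]
    return f"{attr_type}={value}"


def parent_dn(dn):
    """The DN of the containing object: everything after the first RDN."""
    return ",".join(split_rdns(dn)[1:])


def domain_of(dn):
    """The DNS domain that holds the object, assembled from the DC components."""
    return ".".join(value for attr_type, value in parse_dn(dn) if attr_type == "DC")


if __name__ == "__main__":
    dn = "CN=Someone,CN=Users,DC=Microsoft,DC=Com"
    print(rdn_of(dn), "|", rdn_of(parent_dn(dn)), "|", domain_of(dn))
```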

Update Requests
An LDAP directory server supports four update request types:
- Add: Adds an object to the directory.
- Modify: Adds, deletes, or replaces attribute values of an object in the directory.
- Move: Changes the name or parent of an object (moving the object into the parent's domain if necessary). LDAP uses the obscure name ModifyDN for Move.
- Delete: Deletes an object from the directory.

LDAP Update
An LDAP directory server processes each update request as an atomic action: the request either commits and all its effects are durable, or aborts and has no effect. An update request that commits is called an originating update. A replicated update is a committed update performed on one replica as a result of an originating update at another replica. There is not necessarily a one-to-one correspondence between originating and replicated updates. For example, a single replicated update may reflect a set of originating updates (even updates originating at several replicas) to the same object.

Directory Objects
- Attributes
- Object class
- An object instance is created in the directory
- Defined in the schema
- Data storage is allocated as necessary
(Diagram: a user object has this attribute.)

Enterprise Structure
- Domain: A collection of computers that shares a common directory and security policy.
- Domain Tree: A set of Microsoft Windows NT domains connected together (through transitive, bi-directional trust), sharing a common schema, configuration, and global catalog. Must have a contiguous name space.
- Forest: A set of one or more trees that does not form a contiguous name space. All trees in a forest share a common schema, configuration, and global catalog. All trees in a given forest trust each other through transitive bi-directional trust relationships and, unlike trees, a forest does not need a distinct name. A forest exists as a set of cross-reference objects and trust relationships known to the member trees.

Naming Contexts
- Boundary for replication
- Existing naming contexts:
  - Configuration (enterprise-wide context)
  - Schema (enterprise-wide context)
  - Domains in enterprise (domain-wide context)

Naming Contexts (2)
Configuration: All domain controllers in a forest share a common naming context that contains data such as site definitions, service configuration, and replication topology, as well as other enterprise information.
Schema: The objects in the directory that comprise the schema are in another naming context, which is shared among all domain controllers in the forest. Schema changes are made only at one domain controller in the enterprise that holds the master copy of the schema definition.
Domain: The partition of the directory that contains objects such as users, computers, printers, and volumes. Windows 2000 domain controllers always have a full copy of the domain naming context for the domain to which the domain controller belongs.

(Diagram labels: Directory hosted on all DCs: Schema, Configuration. Domains: domain directory, one or more domain controllers, multi-master replication. Sites: one or more sites.)

Domain Trees and Forests
- Configuration and schema common to all domains
- Transitive trusts link domains

Boundaries
- Replication
- Administration
- Security policy
- Group Policy

One or More Forests
All domains in a forest share a common schema and global catalog. Create multiple forests in the following situations:
- You need separate schemas
- You need one or more domains to be isolated from the spanning tree of transitive trusts
- You want total administrative autonomy

Global Catalog Server
A domain controller that holds the global catalog. By default the first domain controller installed in the forest is the global catalog server. You designate additional domain controllers as global catalog servers through Active Directory Sites and Services Manager. After you make this designation, the replication topology created for the computer includes replicating naming contexts from other domains. The naming contexts from other domains contain only a subset of each object's attributes; these naming contexts are referred to as partial replicas. Attributes that are replicated to partial replicas are defined by the IsMemberOfPartialAttributeSet property of the attribute definition in the schema.

Global Catalog (GC)
- Partial replica of all domain objects, hosted on one or more domain controllers
- Enterprise-wide searches
- Resolves enterprise queries

Where Is Active Directory Stored? Ntds.dit
- During the promotion process, you can specify where Active Directory is stored.
- Implemented as an Extensible Storage Engine (Jet) database.
- Normal domain controller: comprised of each naming context.
- Global catalog: comprised of each naming context and a partial replica of the naming contexts from all other domains in the forest.

Ntds.dit on Domain Controllers
(Diagram: two Ntds.dit files. Default naming contexts on a domain controller: Schema, Configuration, Company1.com. NCs on a global catalog server: Schema, Configuration, Company1.com, Company2.com.)
A global catalog server holds a full copy of the schema, the configuration, the domain in which the domain controller is a member, and a partial replica of other domain naming contexts.
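The slides on naming contexts, the global catalog server and Ntds.dit together define which partitions a DC holds and how much of each. The following Python is an added example, not code from the presentation: it derives the set of naming contexts (full or partial) from the DC's own domain and its GC designation, and projects objects from other domains down to the attributes flagged IsMemberOfPartialAttributeSet. The schema excerpt, the two-domain forest (using the slide's Company1.com and Company2.com) and the sample objects are constructed.

```python
# Added example (not from the presentation): which naming contexts a DC's Ntds.dit
# holds, fully or as a partial replica, and how the partial attribute set projects
# an object from another domain. Schema flags, forest and objects are constructed.

# Constructed schema excerpt: attribute -> value of isMemberOfPartialAttributeSet
SCHEMA = {
    "cn": True,
    "sAMAccountName": True,
    "mail": True,
    "description": False,
    "streetAddress": False,
}

# Constructed forest: domain naming context -> objects it contains
FOREST = {
    "Company1.com": [
        {"cn": "Alice", "sAMAccountName": "alice", "mail": "alice@company1.com",
         "description": "Payroll admin"},
    ],
    "Company2.com": [
        {"cn": "Bob", "sAMAccountName": "bob", "mail": "bob@company2.com",
         "streetAddress": "1 Main St"},
    ],
}


def partial_attribute_set(schema):
    """Attributes that replicate to the partial replicas held by a global catalog server."""
    return {name for name, in_pas in schema.items() if in_pas}


def hosted_naming_contexts(own_domain, forest_domains, is_global_catalog):
    """Map each naming context to 'full' or 'partial' for a DC in own_domain.
    Every DC holds Schema, Configuration and its own domain in full; a GC adds the
    other domains of the forest as partial replicas."""
    ncs = {"Schema": "full", "Configuration": "full", own_domain: "full"}
    if is_global_catalog:
        for domain in forest_domains:
            ncs.setdefault(domain, "partial")     # the DC's own domain stays full
    return ncs


def build_ntds(own_domain, forest, is_global_catalog, schema=SCHEMA):
    """Assemble the object store a DC would end up with after replication.
    Returns {naming context: {'replica': 'full'|'partial', 'objects': [...]}}."""
    pas = partial_attribute_set(schema)
    ntds = {}
    for nc, kind in hosted_naming_contexts(own_domain, forest, is_global_catalog).items():
        objects = forest.get(nc, [])        # Schema/Configuration carry no sample objects here
        if kind == "partial":
            objects = [{k: v for k, v in obj.items() if k in pas} for obj in objects]
        ntds[nc] = {"replica": kind, "objects": objects}
    return ntds


if __name__ == "__main__":
    for nc, entry in build_ntds("Company1.com", FOREST, is_global_catalog=True).items():
        print(nc, entry["replica"], entry["objects"])
```

The projection is the part worth noticing from a security standpoint: an attribute that is not in the partial attribute set (here "description" and "streetAddress") never leaves its home domain's DCs, whereas anything flagged into the set is replicated to every global catalog server in the forest.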

Flexible Single Master Operations (FSMO)
Forest FSMOs (one role owner per forest):
- Schema master: Controls schema updates.
- Domain naming master: Controls the addition and removal of domains in the forest.
Domain FSMOs (one role owner per domain in the forest):
- Primary domain controller (PDC) emulator: Acts as the domain PDC and master browser. Manages downlevel replication and receives preferential password change replication.
- RID master: Manages the domain relative ID (RID) allocation pool.
- Infrastructure master: Updates Security Identifiers (SIDs) and domain names when objects that contain cross-domain references are moved.