1 Active Directory Replication (Part 2) Paige Verwolf Support Professional Microsoft Corporation
© 1999 Microsoft Corporation. All rights reserved.

2 Directory Replication Framework
- Domain Controller Identification
  - Domain Controller Computer Account
  - NTDS Settings Server Object
  - Server GUID
  - Database GUID
  - Record Registration in DNS
- Update Sequence Number (USN)

3 Domain Controller Identification
Diagram: running Dcpromo.exe on daffy-duck.Replmon.com; object creation in the Replmon.com domain; record registration using DNS; the Ntds.dit database.

4 Domain Controller Identification (2)
- NTDS Settings Server Object
  - Linked to the Computer Account Object (CAO)
  - Reanimated if deleted elsewhere and replicated to the local domain controller
  - Does not allow the administrator to delete the object on the local computer
- Server GUID
  - Used to identify replication partners
  - Name resolution is very important for replication
  - Each DC registers a CNAME record in DNS (used to locate the DC), for example the alias DC2.Microsoft.com
- Database GUID
  - Used by DCs to identify other DCs in replication requests
  - Used to store vector information about changes from other DCs
  - Initially, the server GUID and the database GUID are identical
  - If a DC is restored from backup, the database GUID is changed

5 Domain Controller Identification (3)
Records register with DNS after Netlogon is started. Windows 2000 domain controllers can register one or more DNS records. Service location (SRV) records are used in identifying an available service on a host. These records have an “ldap” prefix. <DnsDomainName> refers to the DNS domain name used during promotion of the server when the domain tree is joined or created. It refers to the DNS domain name of the root domain. You can identify the correct DNS entries that should exist for a Windows 2000 installation by viewing the Netlogon.dns text file. This file is located in the %SystemRoot%\System32\Config folder.

6 Update Sequence Number (USN)
- 64-bit DWORD
- DC-local meaning
- Assigned to each new object update transaction
  - If the transaction is stopped, the USN is not assigned to any object
- Each object carries two USNs: usnCreated, usnChanged
- Each property carries two USNs
- Indexed property in the database
- Independent from system time
  - System clocks do not matter, even if they are changed

7 Object Creation
Diagram: add new user on DC1; DC1 USN 4710 -> 4711.
Object: usnCreated 4711, usnChanged 4711

Property  Value  USN   Version#  Timestamp  Originating DB GUID  Originating USN
P1        Value  4711  1         TS         DC1 DB GUID          4711
P2        Value  4711  1         TS         DC1 DB GUID          4711
P3        Value  4711  1         TS         DC1 DB GUID          4711
P4        Value  4711  1         TS         DC1 DB GUID          4711

8 Object Replicated
Diagram: user replicated from DC1 to DC2; DC2 USN 1745 -> 1746.
Object: usnCreated 1746, usnChanged 1746

Property  Value  USN   Version#  Timestamp  Originating DB GUID  Originating USN
P1        Value  1746  1         TS         DC1 DB GUID          4711
P2        Value  1746  1         TS         DC1 DB GUID          4711
P3        Value  1746  1         TS         DC1 DB GUID          4711
P4        Value  1746  1         TS         DC1 DB GUID          4711

9 Object Modification
Diagram: user password change on DC2; DC2 USN 2001 -> 2002.
Object: usnCreated 1746, usnChanged 2002

Property  Value  USN   Version#  Timestamp  Originating DB GUID  Originating USN
P1        Value  1746  1         TS         DC1 DB GUID          4711
P2        Value  2002  2         TS         DC2 DB GUID          2002
P3        Value  1746  1         TS         DC1 DB GUID          4711
P4        Value  1746  1         TS         DC1 DB GUID          4711

10 Change Replicated
Diagram: modified address replicated from DC2 to DC1; DC1 USN 5039 -> 5040.
Object: usnCreated 4711, usnChanged 5040

Property  Value  USN   Version#  Timestamp  Originating DB GUID  Originating USN
P1        Value  4711  1         TS         DC1 DB GUID          4711
P2        Value  5040  2         TS         DC2 DB GUID          2002
P3        Value  4711  1         TS         DC1 DB GUID          4711
P4        Value  4711  1         TS         DC1 DB GUID          4711

11 High-Watermark Vector
- Table on each domain controller
- One entry per replication partner
- Highest known USN of that partner
- Used to detect recent changes on replication partners

12 High-Watermark Vector: DC4
Diagram: DC1 USN 4711, DC2 USN 2052, DC3 USN 1217, DC4 USN 3388. This example assumes that DC1 and DC3 are DC4's replication partners.
DC4's High-Watermark Vector (DSA GUID / Highest known USN):
  DC1 GUID  4711
  DC3 GUID  1217

13 Up-to-Dateness Vector
- Up-to-dateness is tracked per naming context
- List of pairs: Originating-DC-GUID (database GUID), Highest-Originating-USN
- Only domain controllers from which originating updates have been received (even indirectly, through replication) are added

14 Up-to-Dateness Vector (2)
Diagram: DC1 USN 4711, DC2 USN 2052, DC3 USN 1217, DC4 USN 3388. This example assumes that only DC1 and DC2 (and possibly DC4) performed originating write operations.
DC4's Up-to-Dateness Vector (DSA GUID / Highest originating USN):
  DC1 GUID  4711
  DC2 GUID  2050

15 Information Sent to Prepare for Replication
- Naming context for which changes are requested
- Maximum number of object update entries requested
- Maximum number of values requested
- High-USN-Changed value of the naming context on the replication partner
- Complete Up-to-Dateness Vector
  - Used for propagation dampening

16 Highest originating USN: Replication: DC4
Step 1: User added to DC2. No changes for DC4.
DC USNs: DC1 4711, DC2 -> 2053, DC3 1217, DC4 3388
DC4: Up-to-Dateness Vector (DSA GUID / Highest originating USN)
  DC1 GUID  4711
  DC2 GUID  2050
DC4: High-Watermark Vector (DSA GUID / Highest known USN)
  DC1 GUID  4711
  DC3 GUID  1217

17 Highest originating USN: Replication: DC4 (2)
Step 2: User replicated to DC1. No changes for DC4. NOTE: the write originated on DC2.
DC USNs: DC1 -> 4712, DC2 2053, DC3 1217, DC4 3388
DC4: Up-to-Dateness Vector (DSA GUID / Highest originating USN)
  DC1 GUID  4711
  DC2 GUID  2050
DC4: High-Watermark Vector (DSA GUID / Highest known USN)
  DC1 GUID  4711
  DC3 GUID  1217

18 Highest originating USN: Replication: DC4 (3)
Step 3: DC4 initiates replication with DC1. Sends the NC, the highest known USN of DC1 for this NC, the number of objects, the number of values, and its Up-to-Dateness Vector.
Request DC4 -> DC1: NC, 4711, 100, 100, vector
DC USNs: DC1 4712, DC2 2053, DC3 1217, DC4 3388
DC4: Up-to-Dateness Vector (DSA GUID / Highest originating USN)
  DC1 GUID  4711
  DC2 GUID  2050
DC4: High-Watermark Vector (DSA GUID / Highest known USN)
  DC1 GUID  4711
  DC3 GUID  1217

19 Highest originating USN: Replication: DC4 (4)
Step 4: DC1 replicates the new user to DC4. Sends the data, the last-object-changed USN, and state data. DC4 uses this data to improve its up-to-dateness.
Reply DC1 -> DC4: Data, 4712, vector
DC USNs: DC1 4712, DC2 2053, DC3 1217, DC4 -> 3389
DC4: Up-to-Dateness Vector (DSA GUID / Highest originating USN)
  DC1 GUID  4711
  DC2 GUID  2053
DC4: High-Watermark Vector (DSA GUID / Highest known USN)
  DC1 GUID  4712
  DC3 GUID  1217

20 Highest originating USN: Replication: DC4 (5)
Step 5: DC2 replicates the new user to DC3. No changes for DC4.
DC USNs: DC1 4712, DC2 2053, DC3 -> 1218, DC4 3389
DC4: Up-to-Dateness Vector (DSA GUID / Highest originating USN)
  DC1 GUID  4711
  DC2 GUID  2053
DC4: High-Watermark Vector (DSA GUID / Highest known USN)
  DC1 GUID  4712
  DC3 GUID  1217

21 Highest originating USN: Replication: DC4 (6)
Step 6: DC4 initiates replication with DC3. Sends the NC, the highest known USN of DC3 for this NC, the number of objects, the number of values, and its Up-to-Dateness Vector.
DC USNs: DC1 4712, DC2 2053, DC3 1218, DC4 3389
DC4: Up-to-Dateness Vector (DSA GUID / Highest originating USN)
  DC1 GUID  4711
  DC2 GUID  2053
DC4: High-Watermark Vector (DSA GUID / Highest known USN)
  DC1 GUID  4712
  DC3 GUID  1217

22 Highest originating USN: Replication: DC4 (7)
Step 7: DC3 replication reply. DC3 determines that DC4 is already up to date and sends the last-object-changed USN and its Up-to-Dateness Vector, but no data.
Reply DC3 -> DC4: 1218, vector
DC USNs: DC1 4712, DC2 2053, DC3 1218, DC4 3389
DC4: Up-to-Dateness Vector (DSA GUID / Highest originating USN)
  DC1 GUID  4711
  DC2 GUID  2053
DC4: High-Watermark Vector (DSA GUID / Highest known USN)
  DC1 GUID  4712
  DC3 GUID  1218
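The seven steps above as an added Python model (not from the original deck): each DC keeps a local USN counter, originating metadata on every change, a high-watermark vector per partner and an up-to-dateness vector per originating DSA; the names "DC1" to "DC4" stand in for the GUIDs, and the pull/reply logic is a simplification of what the slides describe.

```python
# Added example, not from the original slides: a small model of the deck's
# per-DC state (local USN counter, originating DSA GUID + originating USN on
# each change, HWMV per source partner, UTDV per originating DSA).
from dataclasses import dataclass, field

@dataclass
class Change:
    obj: str
    orig_dsa: str   # originating write DSA (database GUID)
    orig_usn: int   # originating USN on that DSA
    local_usn: int  # USN at which this DC wrote the change

@dataclass
class DC:
    name: str
    usn: int
    changes: list = field(default_factory=list)
    hwmv: dict = field(default_factory=dict)  # partner -> highest known USN
    utdv: dict = field(default_factory=dict)  # originating DSA -> highest originating USN

    def originate(self, obj):  # originating write: this DC is the origin
        self.usn += 1
        self.changes.append(Change(obj, self.name, self.usn, self.usn))
        self.utdv[self.name] = self.usn
    def apply(self, c):  # replicated write: new local USN, origin metadata kept
        self.usn += 1
        self.changes.append(Change(c.obj, c.orig_dsa, c.orig_usn, self.usn))
        self.utdv[c.orig_dsa] = max(self.utdv.get(c.orig_dsa, 0), c.orig_usn)
    def pull_from(self, src):
        # Ask src for everything above our HWMV entry for it; src drops changes
        # whose originating USN our UTDV already covers (propagation dampening).
        known = self.hwmv.get(src.name, 0)
        sent = [c for c in src.changes
                if c.local_usn > known and c.orig_usn > self.utdv.get(c.orig_dsa, 0)]
        for c in sent:
            self.apply(c)
        self.hwmv[src.name] = src.usn      # last-object-changed USN from the reply
        for dsa, usn in src.utdv.items():  # the reply also carries src's UTDV
            self.utdv[dsa] = max(self.utdv.get(dsa, 0), usn)
        return len(sent)                   # 0 means "already up to date, no data"

def run_scenario():  # steps 1-7 of the deck's "Replication: DC4" walk-through
    dc1, dc2, dc3 = DC("DC1", 4711), DC("DC2", 2052), DC("DC3", 1217)
    dc4 = DC("DC4", 3388, hwmv={"DC1": 4711, "DC3": 1217}, utdv={"DC1": 4711, "DC2": 2050})
    dc2.originate("user")          # step 1: user added on DC2 -> DC2 USN 2053
    dc1.apply(dc2.changes[-1])     # step 2: replicated to DC1 -> DC1 USN 4712
    from_dc1 = dc4.pull_from(dc1)  # steps 3-4: DC4 receives the user from DC1
    dc3.apply(dc2.changes[-1])     # step 5: DC2 replicates the user to DC3 -> 1218
    from_dc3 = dc4.pull_from(dc3)  # steps 6-7: same originating write, dampened
    return from_dc1, from_dc3, dc4.hwmv, dc4.utdv
```

Running `run_scenario()` returns one change from DC1 and zero from DC3, with DC4's vectors ending exactly as slide 22 shows them.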

23 Urgent Replication
Initiated by the Security Accounts Manager (SAM) or the Local Security Authority (LSA), not by LDAP writes, for:
- Changing the account lockout policy
- Changing the domain password policy
- Replicating a newly locked-out account
- Changing an LSA secret (trust account)
- A change in the RID master role owner
These trigger an immediate replication cycle within the site. Uses notification.

24 Conflict Resolution
Resolution: higher version number -> higher timestamp -> higher GUID of the originating write DSA

25 Conflict Resolution (2)
- Attribute Value Conflict
  - For example, a user changes the password on DC1 while an administrator changes the same user's password on DC2
  - Resolution: higher version number -> higher timestamp -> higher GUID of the originating write DSA
- Move Under Deleted Parent
  - For example, an administrator creates a user in OU1 on DC1 while a second administrator deletes OU1 on DC2
  - Resolution: OU1 is deleted, the user is moved to the "lost and found" container

26 Conflict Resolution (3)
- Object Creation Name Conflict
  - For example, two administrators create two user objects with identical RDNs on two domain controllers at the same time
  - Resolution: one object (identified by its GUID) receives a system-wide unique value on the conflicting attribute (here the RDN)
  - Which object keeps its name: higher version number -> higher timestamp -> higher GUID of the originating write DSA
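The three-step tiebreak from slides 24 to 26, as an added Python example (not from the original deck) applied to the per-attribute stamp shown in the USN tables: version number, then timestamp, then originating DSA GUID. The GUIDs and timestamps are constructed, and "higher GUID" is taken here as the larger 128-bit integer value, which is an assumption.

```python
# Added example, not from the original slides: attribute value conflict
# resolution in the deck's order (version -> timestamp -> originating DSA GUID).
from dataclasses import dataclass
import uuid

@dataclass(frozen=True)
class Stamp:
    version: int          # incremented by each originating write to the attribute
    timestamp: int        # originating write time (seconds, constructed values)
    orig_dsa: uuid.UUID   # database GUID of the originating write DSA

def stamp_key(s: Stamp):
    # Compared lexicographically: version first, then timestamp, then GUID.
    # GUID order is assumed to be the 128-bit integer value.
    return (s.version, s.timestamp, s.orig_dsa.int)

def resolve(local: Stamp, incoming: Stamp) -> str:
    """Return 'incoming' if the replicated write wins, otherwise 'local'.
    An identical stamp is the same write arriving again, so local is kept."""
    return "incoming" if stamp_key(incoming) > stamp_key(local) else "local"

DC1 = uuid.UUID("11111111-1111-1111-1111-111111111111")  # constructed GUID
DC2 = uuid.UUID("22222222-2222-2222-2222-222222222222")  # constructed GUID

def password_conflict_examples():
    # Slide 25 scenario: the user changes the password on DC1 and an
    # administrator changes it on DC2, both starting from version 1. Both
    # writes bump the version to 2, so the timestamp decides, and the
    # later write (DC2) wins no matter which replica receives it first.
    on_dc1, on_dc2 = Stamp(2, 1000, DC1), Stamp(2, 1005, DC2)
    dc1_receives_dc2 = resolve(on_dc1, on_dc2)
    dc2_receives_dc1 = resolve(on_dc2, on_dc1)
    # Equal version and timestamp: the higher originating DSA GUID wins.
    tie_on_time = resolve(Stamp(2, 1000, DC1), Stamp(2, 1000, DC2))
    # A later clock cannot override a higher version number (clocks are not
    # trusted as the primary ordering, matching slide 6's "independent from
    # system time").
    stale_clock = resolve(Stamp(3, 900, DC1), Stamp(2, 5000, DC2))
    return dc1_receives_dc2, dc2_receives_dc1, tie_on_time, stale_clock
```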
