70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced
Chapter 7: Active Directory Replication

Objectives
• Describe how Active Directory identifies data that needs to be replicated
• Describe how the Active Directory replication topology is generated
• Describe and control when Active Directory replication occurs
Guide to MCSE 70-294, Enhanced

Objectives (continued)
• Monitor and troubleshoot Active Directory replication
• Describe SYSVOL and how its replication differs from Active Directory replication
Identifying Data to Replicate
• Active Directory uses multi-master model
  • Changes made on any DC
  • Replicated to all DCs
• Replication is performed at attribute level
  • Not object level
• Replication involves two types of updates:
  • Originating updates
  • Replicated updates

Identifying Data to Replicate (continued)
• Originating update:
  • Change made on local domain controller
• Replicated update:
  • Change made through replication
• Update Sequence Numbers (USNs)
  • Used to track changes
  • Unique for each DC

Identifying Data to Replicate (continued)
• Update Sequence Numbers (USNs)
  • Incremented by one when change is made
  • Updated object and attributes are stamped with USN
  • Comparing USNs from different domain controllers is meaningless
• It is possible for two domain controllers in same domain to show different information
  • Caused by latency

Identifying Data to Replicate (continued)
• Convergence
  • All DCs have same data
  • Replication is complete
    • For the moment

Identifying Domain Controllers
• Identifiers for domain controller:
  • Domain controller’s computer account
  • Records registered in DNS
  • NTDS Settings Server object
  • Server GUID
  • Database GUID

Update Sequence Number
• 64-bit number
• Used to identify changes to data
• Each object has:
  • usnCreated
    • Set when object created
  • usnChanged
    • Set every time object is updated

Update Sequence Number (continued)
• Each attribute of object has two USNs:
  • USN for local domain controller
  • USN from domain controller that performed originating write operation
[Figure: Creation of New User Account]
[Figure: Replication of New User Account]
[Figure: Updating Attribute of User Account]
[Figure: Replicating Change of User Account’s Attribute]
High-watermark Value
• Used to identify which objects may need to be replicated
• Table on each domain controller
  • Stores highest USN from each of replication partners
• Source domain controller sends updates
  • Starting with object that has lowest usnChanged value

[Figure: High-watermark Value (continued)]
[Figure: High-watermark Value (continued)]
Up-to-dateness Vector
• Helps source domain controller filter out attributes that do not need to be replicated
• Table on each domain controller
  • Stores highest originating USN
  • Based on all possible sources of originating updates to a single destination

[Figure: Up-to-dateness Vector (continued)]
[Figure: Determining Which Attributes Need to Be Replicated]
Propagation Dampening
• Up-to-dateness vector can be used to provide propagation dampening

[Figure: Propagation Dampening (continued)]
[Figure: Propagation Dampening (continued)]
[Figure: Propagation Dampening (continued)]
[Figure: Propagation Dampening (continued)]
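The USN, high-watermark, up-to-dateness vector and propagation dampening slides describe one bookkeeping scheme, so the following added example (not part of the course material, and a simplified model rather than the NTDS implementation) walks through it end to end: three constructed DCs, one user object, and a sequence of pulls that shows the high-watermark offering an object while the up-to-dateness vector dampens the attributes already received. The DC names, the DN and the attribute values are all constructed for the example.

```python
"""Simplified model of Active Directory multi-master replication bookkeeping.

Constructed example: three DCs, one user object, a few attribute writes.
Models USN stamping, the high-watermark table (object selection, lowest
usnChanged first), the up-to-dateness vector (attribute filtering) and the
propagation dampening that results from it. Not Microsoft's implementation.
"""
from dataclasses import dataclass, field


@dataclass
class AttrValue:
    value: str
    local_usn: int      # USN assigned by the DC holding this copy
    orig_dsa: str       # DC that performed the originating write
    orig_usn: int       # USN that write received on the originating DC


@dataclass
class DomainController:
    name: str
    usn: int = 0                                        # per-DC counter; not comparable across DCs
    objects: dict = field(default_factory=dict)         # obj -> {attr: AttrValue}
    usn_changed: dict = field(default_factory=dict)     # obj -> local USN of its last change
    high_watermark: dict = field(default_factory=dict)  # partner -> highest partner USN pulled
    utd_vector: dict = field(default_factory=dict)      # originating DC -> highest originating USN applied

    def _next_usn(self) -> int:
        self.usn += 1
        return self.usn

    def originating_write(self, obj: str, attr: str, value: str) -> int:
        """Local change: stamp attribute and object with a fresh USN; this DC is the originating DSA."""
        usn = self._next_usn()
        self.objects.setdefault(obj, {})[attr] = AttrValue(value, usn, self.name, usn)
        self.usn_changed[obj] = usn
        self.utd_vector[self.name] = usn
        return usn

    def pull_from(self, source: "DomainController") -> int:
        """Replicated update: pull from a partner. Returns the number of attribute values actually applied."""
        applied = 0
        watermark = self.high_watermark.get(source.name, 0)
        # High-watermark: only objects changed on the source since the last pull, lowest usnChanged first.
        candidates = sorted((u, o) for o, u in source.usn_changed.items() if u > watermark)
        for src_usn_changed, obj in candidates:
            for attr, av in source.objects[obj].items():
                # Up-to-dateness vector: skip values whose originating write this DC already holds,
                # whichever partner delivered it. This is the propagation dampening.
                if av.orig_usn <= self.utd_vector.get(av.orig_dsa, 0):
                    continue
                local = self._next_usn()
                self.objects.setdefault(obj, {})[attr] = AttrValue(av.value, local, av.orig_dsa, av.orig_usn)
                self.usn_changed[obj] = local
                applied += 1
            self.high_watermark[source.name] = src_usn_changed
        # After a complete pull the destination knows everything the source knew.
        for dsa, u in source.utd_vector.items():
            self.utd_vector[dsa] = max(self.utd_vector.get(dsa, 0), u)
        return applied


def converged(dcs, obj: str, attr: str) -> bool:
    """Convergence check: every DC holds the same value (for the moment)."""
    values = {dc.objects.get(obj, {}).get(attr, AttrValue("", 0, "", 0)).value for dc in dcs}
    return len(values) == 1


def scenario() -> dict:
    """Constructed sequence of writes and pulls; returns the per-pull applied counts."""
    a, b, c = (DomainController(n) for n in ("DC-A", "DC-B", "DC-C"))
    obj = "CN=Alice,OU=Users,DC=example,DC=test"   # constructed DN
    a.originating_write(obj, "sAMAccountName", "alice")
    a.originating_write(obj, "telephoneNumber", "555-0100")
    applied = [
        b.pull_from(a),   # 2: both attributes are new to DC-B
        c.pull_from(a),   # 2: both attributes are new to DC-C
        c.pull_from(b),   # 0: high-watermark offers the object, UTD vector dampens every attribute
    ]
    b.originating_write(obj, "telephoneNumber", "555-0199")   # originating write on a different DC
    applied += [
        a.pull_from(b),   # 1: only telephoneNumber is new on DC-A
        c.pull_from(b),   # 1
        c.pull_from(a),   # 0: DC-C already holds DC-B's write, received from DC-B
    ]
    return {"applied": applied, "converged": converged((a, b, c), obj, "telephoneNumber")}
```

The counts returned by `scenario()` are the point: the third and sixth pulls move nothing even though the high-watermark table flagged the object, which is exactly why the slides say the up-to-dateness vector, not the high-watermark, provides dampening. The per-DC `usn` counters end up equal here only by coincidence; the model keeps them separate because, as the slides note, comparing them across DCs means nothing.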
Conflict Resolution
• Problems occur
  • When changes are made to same object at the same time on different domain controllers
• Replicating at the attribute level minimizes replication conflicts

Conflict Resolution (continued)
• Attribute conflicts resolved using:
  • Version
  • Timestamp
  • Originating DSA GUID
• Move under deleted parent
  • Object automatically moved to “lost and found” container

Conflict Resolution (continued)
• New object name conflict
  • Two objects are created with same relative distinguished name
  • One object is renamed
    • To system-wide unique value
  • Object with higher version number keeps name
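The three conflict cases on these slides, as an added example that is not part of the course material: an attribute stamp ordered by version, then timestamp, then originating DSA GUID; an RDN collision where the lower-stamped object is renamed; and a move under a deleted parent that lands in the lost-and-found container. The `CNF:` rename format and the `CN=LostAndFound` container name are real Active Directory conventions that the slides do not spell out; the domain, GUID strings and stamps are constructed, and GUIDs are compared as strings here for simplicity.

```python
"""Attribute, naming and deleted-parent conflict resolution (constructed example, not
Microsoft's implementation). A replication stamp orders competing originating writes."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Stamp:
    version: int          # bumped on every originating write of the attribute
    timestamp: int        # time of the originating write (seconds since epoch)
    originating_dsa: str  # GUID of the DC that made the originating write

    def key(self):
        # Higher version wins; ties go to the later timestamp; final tie-break on the GUID.
        # Assumption: GUIDs are compared as strings here; AD compares them as binary values.
        return (self.version, self.timestamp, self.originating_dsa)


def resolve_attribute(local, incoming):
    """local and incoming are (value, Stamp) pairs. Returns the pair that survives on every DC."""
    return max(local, incoming, key=lambda pair: pair[1].key())


def resolve_rdn_conflict(obj_a: dict, obj_b: dict):
    """Two objects created with the same RDN on different DCs: the higher-stamped object keeps
    the name, the other is renamed to a system-wide unique value. AD builds that value from the
    original RDN, a newline, 'CNF:' and the object's GUID; the slides only say 'unique value'."""
    winner, loser = sorted((obj_a, obj_b), key=lambda o: o["stamp"].key(), reverse=True)
    renamed = dict(loser, rdn=f"{loser['rdn']}\nCNF:{loser['guid']}")
    return winner, renamed


LOST_AND_FOUND = "CN=LostAndFound,DC=example,DC=test"   # constructed domain


def resolve_move_under_deleted_parent(obj_dn: str, deleted_containers: set) -> str:
    """Object moved into a container that was deleted on another DC: park it in LostAndFound.
    Splits the DN on the first comma, which is enough for the unescaped DNs used here."""
    rdn, _, parent = obj_dn.partition(",")
    if parent in deleted_containers:
        return f"{rdn},{LOST_AND_FOUND}"
    return obj_dn
```

Note that the timestamp is only the second criterion: a DC whose clock is ahead does not win a conflict against a higher version number, which is why attribute versions rather than wall-clock time carry the decision.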
Determining Replication Topology
• Replication topology
  • Combination of paths used to replicate changes between domain controllers
  • Every naming context has its own
• Connection object
  • Identifies replication partners
  • Unidirectional
  • Does not specify individual naming context

Determining Replication Topology (continued)
• Intra-site replication
  • Process of updating domain controllers within same site
• Inter-site replication
  • Process of updating domain controllers between sites

Connection Objects
• Logical construct
  • Provide representation of connection between two or more domain controllers
• Created in one of two ways
  • Automatically by:
    • Knowledge Consistency Checker (KCC)
    • Inter-Site Topology Generator (ISTG)
  • Manually by:
    • Active Directory administrator

Connection Objects (continued)
• KCC does not optimize any connection objects created using a manual process
• Administrator wholly responsible for maintaining manual connections in the event of misconfiguration issues or unavailability

Activity 7-1: Manually Creating Connections
• Objective: This exercise is designed to familiarize you with the process of manually creating replication connection objects
• Manually create a connection using Active Directory Sites and Services
Intra-site Replication
• KCC is responsible for the replication topology within a site
  • Checks replication topology every 15 minutes
• Attempts to create a replication topology made up of bidirectional ring
• Adds additional connection objects to ensure that no more than three hops are required

[Figure: Example Bidirectional Ring Replication Topology with Additional Connectors]
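The ring-plus-extra-connections rule is easy to see in code, so here is an added example (not part of the course material, and a simplified model of the KCC rather than its real algorithm) that builds the bidirectional ring as pairs of unidirectional connection objects, measures the worst-case hop count with a breadth-first search, and keeps adding a two-way connection between the most distant pair of DCs until no DC is more than three hops from any other. The DC names are constructed; how the real KCC picks its optimizing connections is not modelled.

```python
"""Simplified model of KCC intra-site topology generation: a bidirectional ring of
connection objects, then extra connection objects until every DC is within three hops
of every other. Constructed example; the real KCC chooses its extra connections differently."""
from collections import deque


def ring_topology(dcs):
    """Connection objects are unidirectional, so a bidirectional ring needs two per neighbour pair.
    Each tuple is (source, destination): the destination pulls from the source."""
    if len(dcs) < 2:
        return set()
    conns = set()
    for i, dc in enumerate(dcs):
        nxt = dcs[(i + 1) % len(dcs)]
        conns.add((dc, nxt))
        conns.add((nxt, dc))
    return conns


def hop_distances(dcs, conns, start):
    """Breadth-first search from one DC over the directed connection objects."""
    adj = {dc: [] for dc in dcs}
    for src, dst in conns:
        adj[src].append(dst)
    dist = {start: 0}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist


def farthest_pair(dcs, conns):
    """First (source, destination, hops) with the largest hop count, scanning DCs in list order.
    A DC that cannot be reached at all counts as infinitely far."""
    best = (None, None, 0)
    for src in dcs:
        dist = hop_distances(dcs, conns, src)
        for dst in dcs:
            hops = dist.get(dst, float("inf"))
            if hops > best[2]:
                best = (src, dst, hops)
    return best


def max_hops(dcs, conns):
    return farthest_pair(dcs, conns)[2]


def kcc_intrasite(dcs, max_hops_allowed=3):
    """Ring first; then add a two-way connection between the most distant DCs until the limit holds."""
    conns = ring_topology(dcs)
    while len(dcs) >= 2:
        src, dst, hops = farthest_pair(dcs, conns)
        if hops <= max_hops_allowed:
            break
        conns.add((src, dst))
        conns.add((dst, src))
    return conns
```

With six or seven DCs the ring alone already satisfies the three-hop rule; with eight the farthest DCs are four hops apart, and the model adds two extra two-way connections (four connection objects) before every DC is within three hops. The same BFS is a quick sanity check on a site's replication topology: if a manually created connection is the only path that keeps some pair within three hops, its failure is invisible to the KCC, which, as the slides note, does not maintain manual connections.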
Global Catalog Replication
• Global catalog
  • Holds partial read-only replica of domain naming context for each domain in forest
• Topology generated for replicating domain’s master replicas is used
  • Connection objects are added to connect read-only replicas to topology

Inter-site Replication
• One domain controller in each site is designated as ISTG
  • Oldest server in site by default
• Responsible for creating connection objects with domain controllers located in other sites
  • Attempts to create minimum number of connections
• Also responsible (by default) for choosing bridgehead server

Bridgehead Server
• Used to designate particular domain controller for replication purposes
  • Has historical (Windows NT) origin
• Functions as single point of contact in site for given naming context
• All replication traffic between bridgehead servers at each site

[Figure: Bridgehead Server (continued)]
Controlling Replication Frequency
• Main factors that control replication frequency
  • Location of replication partners
  • Type of data being replicated

Intra-site Replication Schedule
• Based on a notify-pull process
  • Begins when object is modified at domain controller
  • Replication partner pulls updates from source domain controller
• Maximum time for update to propagate approximately 45 seconds
• Traffic not compressed by default

Inter-site Replication Schedule
• Time-based
  • Replicating changes at set intervals
• Default:
  • Every 3 hours
• Data compressed by default
• Replication schedule/replication interval can be set

[Figure: Example Site Link Replication Schedule and Interval]

Urgent Replication
• Occurs immediately within site
• Between sites:
  • Will still observe normal replication intervals and restrictions
• Trigger events:
  • Account lockout
  • Changing certain policies
  • Local Security Authority (LSA) secret change
  • RID master role assigned to new server
Password Replication
• Important for passwords to be synchronized between domain controllers
• Password changes are replicated differently than urgent or nonurgent replication
• PDC emulator
  • One domain controller in domain

Password Replication (continued)
• Password change replicated immediately to the PDC emulator
• On failed logon
  • Authenticating domain controller forwards authentication request to PDC emulator
  • PDC emulator attempts to authenticate user
Monitoring and Troubleshooting Replication
• Symptoms of replication failure include
  • Log-on failure
  • Other inconsistencies in Active Directory
• Most problems with Active Directory replication are caused by:
  • Administrator error
  • Network infrastructure glitches

Monitoring and Troubleshooting Replication (continued)
• Active Directory Replication Monitor
  • Monitor replication traffic between domain controllers
  • Display a list of domain controllers in a domain
  • Verify replication topology
  • Manually force replication
  • Check a domain controller’s current USN and unreplicated objects
  • Display bridgehead servers and trusts
SYSVOL
• Folder called sysvol
  • Created during the promotion of domain controller
  • Used to share files containing scripts, etc.
  • Stored in %SYSTEMROOT%\SYSVOL\ by default
• File Replication Service (FRS)
  • Used to replicate changes in SYSVOL

SYSVOL Replication
• SYSVOL replication independent from Active Directory object replication
• Uses File Replication Service (FRS)
  • FRS configures replication topology to match connection objects of domain controller
  • Inter-site replication frequency controlled by schedule on replication partner’s connection object