• FAQs
• Articles
• Tutorials
• Web Tools
• Reference
• Blog
• Proxy
• Software
• Cell Phones

• Active Directory Articles
• Understanding Active Directory
• Active Directory Management Tools
• Active Directory Objects
• Active Directory replication
• Active Directory Security
• Active Directory Security Principal Accounts
• Active Directory Terminology and Concepts
• Backing Up and Restoring Active Directory
• Configuring and Troubleshooting Active Directory Replication
• Managing Active Directory Performance
• Publishing Resources in Active Directory
• Troubleshooting Active Directory availability
• What is New in Windows Server 2003 Active Directory
• Deploying Software through Group Policy
• Group Policy Terminology and Concepts
• Implementing and Managing Group Policy Objects
• Implementing Folder Redirection using Group Policy
• Planning a Group Policy
• Troubleshooting Group Policy
• Creating and Managing Domain Controllers
• Creating and Managing Forests and Domains
• Forest and Domain Functional Levels
• The Global Catalog Server
• Managing Recipient Objects Address List and Distribution and Administrative Groups
• Operations Master Roles
• Understanding Forests and Domains
• Understanding Group Types and Scopes
• Understanding Organizational Units
• Understanding Trust Relationship
• Articles Menu
• » Windows Server
• » Microsoft Networking
• » Microsoft Security
• » Active Directory
• » Microsoft IIS
• » Microsoft IPSec
• » Microsoft DNS
• » Microsoft DHCP
• » Microsoft WINS
• » Microsoft Filesystems
• » Remote Access
• » Microsoft Exchange
• » Microsoft SMS
• » Microsoft ISA Server
• » Microsoft Biztalk Server
• Main Menu
• » Networking
• » Physical Layer
• » Data Link Layer
• » Network Layer
• » Network Security
• » Wireless Networks
• » VoIP
• » Telephony
• » Mobile Telephony
• » Electronics
• » Radio
• » Television
• » Cryptology
• » Passwords
• » Smart Cards
• » Privacy
• » Malware
• » Vulnerabilities
• » Unix
• » Macintosh
• » Microsoft Windows
• » The Web
• » Web Publishing
• » E-mail
• » Instant Messaging
• » Databases
• » Computer Hardware
• » CPU's
• » Memory
• » Storage
• » Video
• » Audio
• » Multimedia
• » Satellite
• » Java
• » IT Management
• » Science
• » Miscellaneous

Active Directory Replication

The Importance of Active Directory Replication

The initial versions of Windows NT were designed as single master network environments. The primary domain controller (PDC) was responsible for managing the master copy of the domain database. The PDC was therefore responsible for replicating any changes to the backup domain controllers (BDCs). In these environments, any changes had to be performed on the PDC who then replicated these database changes to the BDCs. What this meant was that in cases where the PDC was unavailable, no changes were made to the domain database. From this simple discussion, it is clear that the single master environment of the earlier versions of Windows NT had a limitation when it came to reliability and continuously ensuring that changes could be made to the domain database.

In the majority of network environments, more than one domain controller has to exist to provide fault tolerance, and improve reliability and performance. Fault tolerance is present when business continuity exists when one domain controller fails because the other domain controller(s) in the environment are able to supply network resources. Having multiple domain controllers in your network environment improves performance because the processing load can be distributed to all domain controllers.

Active Directory differs from the design of the earlier Windows NT domain environments because it is designed to be a scalable, distributed multimaster replicated database. Information on network resources within the organization is stored within the Active Directory database. In addition to this, all domain controllers host a full replica of the domain information for its own domain. Domain controllers in Windows 2000 and Windows Server 2003 environments hold a read/write copy of the Active Directory database. Domain controllers in these environments therefore maintain and manage the replica of all Active Directory objects (network resources) located in the domain to which it is a member of.

In Windows 2000 and Windows Server 2003 environments, in Active Directory terminology, each domain controller contains a full copy of its own directory partition. Another term used to refer to directory partition is naming context. In Active Directory environments, a directory tree contains all Active Directory objects in the forest. A forest is the grouping of two or more domain trees or domains that do not have a common contiguous namespace, that is, they have non-contiguous namespaces. In Active Directory, the directory tree is partitioned. This enables portions of the tree to be distributed to domain controllers in other domains in the forest. Back to Active Directory terminology, the copy of the directory partition that holds all the attributes for each directory partition object is called a replica. The replica on each domain controller has read and write attributes.

In Active Directory, changes can be made to the Active Directory database on any domain controller within the Active Directory environment. To overcome the limitations of the Windows NT domain environments illustrated earlier, each domain controller must include all information that is created or changed on any other domain controller. Active Directory replication ensures that the information or data between domain controllers remains updated and consistent. Replication is the process that ensures that changes made to a replica on one domain controller are transferred to replicas on the remainder of the domain controllers. It is Active Directory replication that ensures that Active Directory information hosted by domain controllers is synchronized.

The multimaster environment of Active Directory eliminates the domain controllers as single points of failure because an Administrator can perform changes to the Active Directory database on any domain controller, and these changes are replicated to the other domain controllers within the domain.

What Information is Replicated in Active Directory

In Active Directory, there are certain actions that are considered Active Directory replication triggers. The activities that trigger or initiate Active Directory replication is summarized below:

• When an object is created.
• When an object is deleted.
• When an object is moved.
• When an object is changed or modified.

Domain controllers typically contain the following directory partition replicas or naming context replicas:

• Configuration: The configuration partition or naming context (NC) contains objects that relate to the logical structure of the forest, structure of the domain, and replication topology. Each domain controller in the forest contains a read/write copy of the configuration partition. Any objects stored in the configuration partition are replicated to each domain controller in each domain, and in a forest.
• Domain: The domain partition or naming context (NC) contains all objects that are stored in a domain. Each domain controller in a domain has a read/write copy of the domain partition. Objects in the domain partition are replicated to only the domain controllers within a domain.
• Schema: The schema partition or naming context (NC) contains objects that can be created in the Active Directory directory, and the attributes which these objects can contain. Domain controllers in a forest have a read-only copy of the schema partition. Objects stored in the schema partition are replicated to each domain controller in domains/forests.
• Application: The application partition is a new feature introduced in Windows Server 2003. This partition contains application specific objects. The objects or data that applications and services store here can comprise of any object type excluding security principles. Security principles are Users, Groups, and Computers. The application partition typically contains DNS zone objects, and dynamic data from other network services such as Remote Access Service (RAS), and Dynamic Host Configuration Protocol (DHCP).

An Overview of Active Directory Replication Terminology, Concepts and Objects

In Active Directory, there are numerous concepts, and objects that are used to create a replication topology. These are described below:

• Sites: A site can be defined as a grouping or set of Internet Protocol (IP) subnets that are connected by a highly reliable, fast and inexpensive link. This is usually a local area network (LAN) or metropolitan area network (MAN). Domains can have domain controllers in multiple sites. A site can have domain controllers from multiple domains. In Active Directory, sites have the following main roles or purposes:
• A site determines the closest domain controller at workstation logon.
• A site operates as a replication boundary. As a replication boundary, a site optimizes replication between sites because it can be used to improve on and more efficiently manage Active Directory replication.
• A site also functions as a resource locator boundary. Clients are only able to access resources that are accessible in a particular site.
• Site Links: Site links are logical connections that are established between sites is Active Directory that define a path between these sites. A site link defines the direction of Active Directory replication between sites. You can use either RPC over IP or SMTP as the transport protocol for moving replication data over a site link. Site links are assigned the following:
• Cost: With replication, the concept of cost indicates the cost of the physical link between two Active Directory sites and is utilized to detail optimal connection paths between one site and another site. When a site link is assigned a cost, the type of connection is taken into consideration. For replication, the lower costing links are used over higher costing links.
• Interval: Replication over a site link takes place at predetermined time intervals. When assigning the replication interval, it is important not to set the value to too high or too low. An exceptionally high value means that changes take a longer time to be replicated, while an exceptionally lower value means that replication occurs too regularly.
• Schedule: A replication schedule and interval are basically used together. An interval is associated with a schedule. A schedule deals with when the replication of data is going to occur.
• Site link bridge: In Active Directory, you can use a site link bridge to link sites that share common Active Directory data but who do not have a site link. The data typically shared by these sites is the Application directory partition.
• Connection objects: In Active Directory, domain controllers replicate with specific replication partners. The partners that domain controllers replicate with are defined by connection objects. Connection object enable data to be replicated in Active Directory because they define inbound replication paths. Domain controllers and their associated connections are defined in a topology map. The Directory Replication Agent (DRA) handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory. Administrators can manually create connection objects, or they can leave these objects to be created by the Knowledge Consistency Checker (KCC). When the KCC creates connection objects, it is an automatic process. The KCC runs on all domain controllers in Active Directory. As an Administrator, you can create a manual connection object between any two domain controllers in a forest. If you want data to flow in two directions, you should create two connection objects. You can create manual connection objects between domain controllers in the same site or in different sites. The Knowledge Consistency Checker by default creates automatic connection objects. It references the site topology and then uses the information on sites and site links to automatically create connection objects. The KCC checks the site topology at regular intervals to determine whether the connection objects are still valid, and then changes connection objects based on its reviews. It is the KCC that is accountable for making certain that data in the directory partitions are replicated in sites. You can disable the automatic creation of connection objects on a per site and forest wide basis.
• The Inter Site Topology Generator (ISTG): Intersite connection objects are created by the Inter Site Topology Generator (ISTG) and not the KCC. The first domain controller in a site has the role of Inter Site Topology Generator. There is only one ISTG within a particular site. It is the ISTG that is responsible for ensuring that the site has a replica of the configuration, domain and schema partitions.
• SYSVOL data and the File Replication Service (FRS): The system volume contains scripts and group policies. SYSVOL data is hosted on every domain controller. Changes to SYSVOL are replicated to domain controllers within the same domain via File Replication System (FRS) replication. With FRS replication, the full file is replicated and not just the actual changes that were made to the file. This differs to Active Directory replication. With Active Directory only the changes that were made to Active Directory objects are replicated.
• Replication methods/protocols: Active Directory replication can utilize one of two protocols to send replication data between domain controllers:
• Remote Procedure Call (RPC): This is the main protocol used by Active Directory to send replication data. RPC's encryption capabilities are beneficial for replicating data in Active Directory in the network.
• Simple Mail Transport Protocol (SMTP): SMTP is typically utilized for sending replication data in bulk, and for sending replication data over unreliable network connections.

Active Directory Replication Types

In Windows 2000 and Windows Server 2003, the types of Active Directory replication that can be defined are intrasite replication and intersite replication.

Active Directory Intrasite Replication

Intrasite replication in Active Directory takes place between domain controllers within the same site. This makes intrasite replication an uncomplicated process. When changes are made to the replica of Active Directory on one particular domain controller, the domain controller contacts the remainder of the domain controllers within the site. The domain controller checks the information it contains against information hosted by the other domain controllers. To perform this analysis, the domain controller utilizes logical sequence numbers. Intrasite replication utilizes the Remote Procedure Call (RPC) protocol to convey replication data over fast, reliable network connections. With intrasite replication, replication data is not compressed.

Active Directory Intersite Replication

Intersite replication takes place between sites. Intersite replication can utilize either RPC over IP or SMTP to convey replication data. This type of replication has to be manually configured. Intersite replication occurs between two domain controllers that are called bridgeheads or bridgehead servers. The role of a bridgehead server (BS) is assigned to at least one domain controller in a site. A BS in one site deals with replicating changes with other BSs in different sites. You can configure multiple bridgehead servers in a site. It is only these BSs that replicate data with domain controllers in different domains by performing intersite replication with its BS partners. With intersite replication, packets are compressed to save bandwidth. This places additional CPU load on domain controllers assigned the BS role. BSs should therefore be machines that have enough speed and processors to perform replication. Intersite replication takes place over site links by a polling method which is every 180 minutes by default.

Initiating Replication between Active Directory direct replication partners (forcing replication)

Active Directory usually automatically creates and deletes connection objects between domain controllers. There are cases though when you might need to manually create connection objects and then force Active Directory replication. You can utilize one of the following tools or methods to force replication:

• Active Directory Sites and Services console
• Repadmin
• Replmon

Active Directory Replication Topology Options

The Active Directory replication topologies typically utilized are:

• Ring Topology: With intrasite replication, the KCC creates a ring topology that defines the replication paths within a site. In a ring topology, each domain controller in a site has two inbound and outbound replication partners. The KCC creates the ring so that there is no greater than three hops between domain controllers in a site.
• Full Mesh Topology: This topology is typically utilized in small organizations where redundancy is extremely important, and the number of sites is quite small. A full mesh topology is quite expensive to manage and is not scalable.
• Hub And Spoke Topology: This topology is typically implemented in large organizations where scalability is important and redundancy is less important. In this topology, one or multiple hub sites exist that have slower WAN connections to multiple spoke sites. The hub sites are usually connected to each another through high speed WAN connections.
• Hybrid Topology: The hybrid topology is combination of any of the above topologies.

How to Define an Active Directory Replication Strategy

The replication strategy that you implement essentially determines when replication would occur and the manner in which Active Directory information is replicated. Designing an effective replication strategy involves the following steps:

• Evaluating the actual physical connectivity of the network: This phase of planning typically involves determining the site links that are necessary in the network. You would need to identify your network connections, domain controllers and sites to determine this. You would need to determine which:
• Sites are connected by low speed unreliable connections - high costing connections.
• Sites are connected by fast reliable connections - low costing connections.
• Sites are connected by medium speed connections - medium costing connections.

Another component of this planning phase involves determining whether site link bridges need to be created. While planning what sites are needed, remember to include the possible future growth of the organization.

• Determining the site link configuration parameters for every connection: The configuration parameters or values that need to be specified for each site link is summarized below:
• Site link name
• The transport protocol to be used for conveying replication data. This can be either RPC or SMTP.
• Site link cost: The default site link cost setting is 100. The value can range between 1 and 32,767.
• Replication interval or frequency
• Replication schedule or when replication should occur.
• Determine the preferred bridgehead servers: Instead of using the preferred bridgehead server defined by the Knowledge Consistency Checker (KCC), you can choose to manually configure a preferred bridgehead server.
• Determine whether site link transitivity should be disabled: If you choose to disable site link transitivity, you must manually create site link bridges between site links to ensure site link transitivity.

Bookmark Active Directory Replication

Latest Blog Posts

• Acai Berry Spam via MSN

• Obama Seeks Power to Shut Down the Internet

• Help Beta Test Tech-FAQ 2.0!

• Windows 7 Forum

• Boston College: Ability to Use a Command Line is a Sign of Criminal Activity

• Google Hacked?

• Recycle your old phone – Make some money, and save the environment too!

• SourceForge vs. Freshmeat

• Fastest Web Browser: Google Chrome

• New Webmaster Forum