The initial Windows NT versions were designed as single master network environments. The primary domain controller (PDC) was responsible for managing the domain database’s master copy. The PDC was therefore responsible for replicating any changes to the backup domain controllers (BDCs). In these environments, any changes had to be performed on the PDC, which then replicated these database changes to the BDCs. What this meant was that in cases where the PDC was unavailable, no changes were made to the domain database. From this simple discussion, it is clear that the single master environment of the earlier Windows NT versions had a limitation when it came to reliability and continuously ensuring that changes could be made to the domain database.
In most network environments, more than one domain controller has to exist to provide fault tolerance and improve reliability and performance. Fault tolerance is present when business continuity exists when one domain controller fails because the other domain controller(s) in the environment supplies network resources. Having multiple domain controllers in a network environment improves performance because the processing load can be distributed to all domain controllers.
Active Directory differs from the design of the earlier Windows NT domain environments because it is a scalable, distributed multi-master replicated database. Information on network resources within the organization is stored in the Active Directory database. In addition to this, all domain controllers host a full replica of the domain information for its own domain. Domain controllers in Windows 2000 and Windows Server 2003 environments hold a read/write copy of the Active Directory database. Domain controllers in these environments therefore maintain and manage the replica of all Active Directory objects (network resources) located in the domain to which it is a member of.
In Windows 2000 and Windows Server 2003 environments, in Active Directory terminology, each domain controller contains a full copy of its own directory partition. Another term used to refer to directory partition is naming context. In Active Directory environments, a directory tree contains all Active Directory objects in the forest. A forest is the grouping of two or more domain trees or domains that do not have a common contiguous namespace. That is, they have non-contiguous namespaces. In Active Directory, the directory tree is partitioned. This enables portions of the tree to be distributed to domain controllers in other domains in the forest. The copy of the directory partition that holds all the attributes for each directory partition object is called a replica. The replica on each domain controller has read and write attributes.
In Active Directory, changes can be made to the Active Directory database on any domain controller within the Active Directory environment. To overcome the limitations of the Windows NT domain environments illustrated earlier, each domain controller must include all information that is created or changed on any other domain controller. Active Directory replication ensures that the information or data between domain controllers remains updated and consistent. Replication is the process that ensures that changes made to a replica on one domain controller are transferred to replicas on the remainder of the domain controllers. It is Active Directory replication that ensures that Active Directory information that domain controllers host is synchronized.
Active Directory’s multi-master environment eliminates the domain controllers as single points of failure because an Administrator can perform changes to the Active Directory database on any domain controller and these changes are replicated to the other domain controllers within the domain.
What Information is Replicated in Active Directory
In Active Directory, there are certain actions that are considered Active Directory replication triggers. The activities that trigger or initiate Active Directory replication are summarized below:
- When an object is created.
- When an object is deleted.
- When an object is moved.
- When an object is changed or modified.
Domain controllers typically contain the following directory partition replicas or naming context replicas:
- Configuration: The configuration partition or naming context (NC) contains objects that relate to the logical structure of the forest, structure of the domain, and replication topology. Each domain controller in the forest contains a read/write copy of the configuration partition. Any objects stored in the configuration partition are replicated to each domain controller in each domain and in a forest.
- Domain: The domain partition or naming context (NC) contains all objects that are stored in a domain. Each domain controller in a domain has a read/write copy of the domain partition. Objects in the domain partition are replicated to only the domain controllers within a domain.
- Schema: The schema partition or naming context (NC) contains objects that can be created in the Active Directory and the attributes that these objects can contain. Domain controllers in a forest have a read-only copy of the schema partition. Objects stored in the schema partition are replicated to each domain controller in domains/forests.
- Application: The application partition is a new feature introduced in Windows Server 2003. This partition contains application specific objects. The objects or data that applications and services store here can comprise of any object type excluding security principles. Security principles are Users, Groups, and Computers. The application partition typically contains DNS zone objects and dynamic data from other network services such as Remote Access Service (RAS) and Dynamic Host Configuration Protocol (DHCP).
An Overview of Active Directory Replication Terminology, Concepts, and Objects
In Active Directory, there are numerous concepts and objects that are used to create a replication topology. These are described below:
- Sites: A site can be defined as a grouping or set of Internet Protocol (IP) subnets that are connected by a highly reliable, fast, and inexpensive link. This is usually a local area network (LAN) or metropolitan area network (MAN). Domains can have domain controllers in multiple sites. A site can have domain controllers from multiple domains. In Active Directory, sites have the following main roles or purposes:
- A site determines the closest domain controller at workstation logon.
- A site operates as a replication boundary. As a replication boundary, a site optimizes replication between sites because it can be used to improve on and more efficiently manage Active Directory replication.
- A site also functions as a resource locator boundary. Clients are only able to access resources that are accessible in a particular site.
- Site Links: Site links are logical connections that are established between sites is Active Directory that define a path between these sites. A site link defines the direction of Active Directory replication between sites. Either RPC over IP or SMTP can be used as the transport protocol for moving replication data over a site link. Site links are assigned the following:
- Cost: With replication, the concept of cost indicates the cost of the physical link between two Active Directory sites and is utilized to detail optimal connection paths between one site and another site. When a site link is assigned a cost, the type of connection is taken into consideration. For replication, the lower costing links are used.
- Interval: Replication over a site link takes place at predetermined time intervals. When assigning the replication interval, it is important not to set the value to too high or too low. An exceptionally high value means that changes take longer to be replicated, while an exceptionally lower value means that replication occurs too regularly.
- Schedule: A replication schedule and interval are basically used together. An interval is associated with a schedule. A schedule deals with when the replication of data is going to occur.
- Site link bridge: In Active Directory, users can use a site link bridge to link sites that share common Active Directory data but who do not have a site link. The data that these sites typically share is the Application directory partition.
- Connection objects: In Active Directory, domain controllers replicate with specific replication partners. Connection objects define the partners that domain controllers replicate with. Connection objects enable data to be replicated in Active Directory because they define inbound replication paths. Domain controllers and their associated connections are defined in a topology map. The Directory Replication Agent (DRA) handles replication between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to find out those partners that are relevant when replicating changes to directory partitions. The DRA sends a replication request to the partners of a domain controller when the domain controller needs to update its copy of Active Directory. Administrators can manually create connection objects or they can leave these objects to be created by the Knowledge Consistency Checker (KCC). When the KCC creates connection objects, it is an automatic process. The KCC runs on all domain controllers in Active Directory. An Administrator can create a manual connection object between any two domain controllers in a forest. In order for data to flow in two directions, users should create two connection objects. Users can create manual connection objects between domain controllers in the same site or in different sites. The Knowledge Consistency Checker by default creates automatic connection objects. It references the site topology and then uses the information on sites and site links to automatically create connection objects. The KCC checks the site topology at regular intervals to determine whether the connection objects are still valid, then changes connection objects based on its reviews. It is the KCC that is accountable for making certain that data in the directory partitions are replicated in sites. Users can disable the automatic creation of connection objects on a per site and forest wide basis.
- The Inter Site Topology Generator (ISTG): Intersite connection objects are created by the Inter Site Topology Generator (ISTG) and not the KCC. The first domain controller in a site has the role of Inter Site Topology Generator. There is only one ISTG within a particular site. It is the ISTG that is responsible for ensuring that the site has a replica of the configuration, domain, and schema partitions.
- SYSVOL data and the File Replication Service (FRS): The system volume contains scripts and group policies. SYSVOL data is hosted on every domain controller. Changes to SYSVOL are replicated to domain controllers within the same domain via File Replication System (FRS) replication. With FRS replication, the full file is replicated and not just the actual changes that were made to the file. This differs from Active Directory replication. With Active Directory, only the changes that were made to Active Directory objects are replicated.
- Replicatio methods/protocols: Active Directory replication can utilize one of two protocols to send replication data between domain controllers:
- Remote Procedure Call (RPC): This is the main protocol that Active Directory uses to send replication data. RPC’s encryption capabilities are beneficial for replicating data in Active Directory in the network.
- Simple Mail Transport Protocol (SMTP): SMTP is typically utilized for sending replication data in bulk and for sending replication data over unreliable network connections.
Active Directory Replication Types
In Windows 2000 and Windows Server 2003, the types of Active Directory replication that can be defined are intrasite replication and intersite replication.
Active Directory Intrasite Replication
Intrasite replication in Active Directory takes place between domain controllers within the same site. This makes intrasite replication an uncomplicated process. When changes are made to the Active Directory’s replica on one particular domain controller, the domain controller contacts the remainder of the domain controllers within the site. The domain controller checks the information it contains against information that the other domain controllers host. To perform this analysis, the domain controller utilizes logical sequence numbers. Intrasite replication utilizes the Remote Procedure Call (RPC) protocol to convey replication data over fast, reliable, network connections. With intrasite replication, replication data is not compressed.
Active Directory Intersite Replication
Intersite replication takes place between sites. Intersite replication can utilize either RPC over IP or SMTP to convey replication data. This type of replication has to be manually configured. Intersite replication occurs between two domain controllers that are called bridgeheads or bridgehead servers. The role of a bridgehead server (BS) is assigned to at least one domain controller in a site. A BS in one site deals with replicating changes with other BSs in different sites. Multiple bridgehead servers can be configured in a site. It is only these BSs that replicate data with domain controllers in different domains by performing intersite replication with its BS partners. With intersite replication, packets are compressed to save bandwidth. This places additional CPU load on domain controllers assigned the BS role. BSs should therefore be machines that have enough speed and processors to perform replication. Intersite replication takes place over site links by a polling method that is every 180 minutes by default.
Initiating Replication between Active Directory Direct Replication Partners (forcing replication)
Active Directory usually automatically creates and deletes connection objects between domain controllers. There are cases though when users might need to manually create connection objects and then force Active Directory replication. Utilize one of the following tools or methods to force replication:
- Active Directory Sites and Services console
Active Directory Replication Topology Options
The Active Directory replication topologies typically utilized are:
- Ring Topology: With intrasite replication, the KCC creates a ring topology that defines the replication paths within a site. In a ring topology, each domain controller in a site has two inbound and outbound replication partners. The KCC creates the ring so that there is no greater than three hops between domain controllers in a site.
- Full Mesh Topology: This topology is typically utilized in small organizations where redundancy is extremely important and the number of sites is quite small. A full mesh topology is quite expensive to manage and is not scalable.
- Hub And Spoke Topology: This topology is typically implemented in large organizations where scalability is important and redundancy is less important. In this topology, one or multiple hub sites exist that have slower WAN connections to multiple spoke sites. The hub sites are usually connected to each other through high speed WAN connections.
- Hybrid Topology: The hybrid topology is a combination of any of the above topologies.
How to Define an Active Directory Replication Strategy
The replication strategy implemented essentially determines when replication would occur and the manner in which Active Directory information is replicated. Designing an effective replication strategy involves the following steps:
- Evaluating the actual physical connectivity of the network: This phase of planning typically involves determining the site links that are necessary in the network. The user would need to identify his/her network connections, domain controllers, and sites to determine this. Determine which:
- Sites are connected by low speed unreliable connections – high costing connections.
- Sites are connected by fast reliable connections – low costing connections.
- Sites are connected by medium speed connections – medium costing connections.
Another component of this planning phase involves determining whether site link bridges need to be created. While planning what sites are needed, remember to include the possible future growth of the organization.
- Determining the site link configuration parameters for every connection: The configuration parameters or values that need to be specified for each site link are summarized below:
- Site link name
- The transport protocol to be used for conveying replication data. This can be either RPC or SMTP.
- Site link cost: The default site link cost setting is 100. The value can range between 1 and 32,767.
- Replication interval or frequency
- Replication schedule or when replication should occur.
- Determine the preferred bridgehead servers: Instead of using the preferred bridgehead server that the Knowledge Consistency Checker (KCC) defined, the user can choose to manually configure a preferred bridgehead server.
- Determine whether site link transitivity should be disabled: If the user chooses to disable site link transitivity, he/she must manually create site link bridges between site links to ensure site link transitivity.