3/5/2017 Active Directory Replication

TechieBird
Home | Windows | Network | Interview Questions | Database | Virtualization | Knowledge Base | Contact Us
Quick Links Active Directory Replication
Windows 2003 KB

Windows 2008 KB

Windows 2012 KB

Network KB
The initial Windows NT versions were designed as single master network environments. The primary domain
controller (PDC) was responsible for managing the domain database’s master copy. The PDC was therefore
MS Cluster FAQ's
responsible for replicating any changes to the backup domain controllers (BDCs). In these environments, any
Knowledge Base changes had to be performed on the PDC, which then replicated these database changes to the BDCs.
Home
What this meant was that in cases where the PDC was unavailable, no changes were made to the domain
database. From this simple discussion, it is clear that the single master environment of the earlier Windows NT
versions had a limitation when it came to reliability and continuously ensuring that changes could be made to
Virtualization the domain database.

Command reference In most network environments, more than one domain controller has to exist to provide fault tolerance and
improve reliability and performance. Fault tolerance is present when business continuity exists when one domain
Exchange Q&A controller fails because the other domain controller(s) in the environment supplies network resources. Having
multiple domain controllers in a network environment improves performance because the processing load can be
DNS FAQ's distributed to all domain controllers.

Active Directory differs from the design of the earlier Windows NT domain environments because it is a scalable,
DHCP FAQ's
distributed multi­master replicated database. Information on network resources within the organization is stored
in the Active Directory database. In addition to this, all domain controllers host a full replica of the domain
information for its own domain. Domain controllers in Windows 2000 and Windows Server 2003 environments
Active Directory hold a read/write copy of the Active Directory database. Domain controllers in these environments therefore
FAQ's maintain and manage the replica of all Active Directory objects (network resources) located in the domain to
which it is a member of.
AD History
In Windows 2000 and Windows Server 2003 environments, in Active Directory terminology, each domain
Configuring New controller contains a full copy of its own directory partition. Another term used to refer to directory partition is
naming context. In Active Directory environments, a directory tree contains all Active Directory objects in the
Domain
forest. A forest is the grouping of two or more domain trees or domains that do not have a common contiguous
http://www.techiebird.com/active_directory_replication.html 1/8
3/5/2017 Active Directory Replication

Deleted Object
namespace. That is, they have non­contiguous namespaces.
Recovery in AD
In Active Directory, the directory tree is partitioned. This enables portions of the tree to be distributed to domain
Global Catalog Server
controllers in other domains in the forest. The copy of the directory partition that holds all the attributes for each
directory partition object is called a replica. The replica on each domain controller has read and write attributes.

In Active Directory, changes can be made to the Active Directory database on any domain controller within the
NetDom Command
Active Directory environment. To overcome the limitations of the Windows NT domain environments illustrated
earlier, each domain controller must include all information that is created or changed on any other domain
Replmon Command
controller.
NTDS Utility Guide
Active Directory replication ensures that the information or data between domain controllers remains updated
FSMO Guide and consistent. Replication is the process that ensures that changes made to a replica on one domain controller
are transferred to replicas on the remainder of the domain controllers. It is Active Directory replication that
FSMO Failure ensures that Active Directory information that domain controllers host is synchronized.

Active Directory’s multi­master environment eliminates the domain controllers as single points of failure because
Network Interview
an Administrator can perform changes to the Active Directory database on any domain controller and these
Questions
changes are replicated to the other domain controllers within the domain.
SQL Interview
Questions

Active Directory Trust

Group Policy Guide

IIS 6.0

RAID Levels

RPC Guide
What Information is Replicated in Active Directory
Domain & Forest
Functional Levels In Active Directory, there are certain actions that are considered Active Directory replication triggers. The
activities that trigger or initiate Active Directory replication are summarized below:
SQL Failover Cluster
When an object is created.
When an object is deleted.
When an object is moved.
When an object is changed or modified.
http://www.techiebird.com/active_directory_replication.html 2/8
3/5/2017 Active Directory Replication

Domain controllers typically contain the following directory partition replicas or naming context replicas:

# Configuration The configuration partition or naming context (NC) contains objects that relate to the logical
structure of the forest, structure of the domain, and replication topology. Each domain controller in the forest
contains a read/write copy of the configuration partition. Any objects stored in the configuration partition are
replicated to each domain controller in each domain and in a forest.

# Domain The domain partition or naming context (NC) contains all objects that are stored in a domain. Each
domain controller in a domain has a read/write copy of the domain partition. Objects in the domain partition are
replicated to only the domain controllers within a domain.

# Schema The schema partition or naming context (NC) contains objects that can be created in the Active
Directory and the attributes that these objects can contain. Domain controllers in a forest have a read­only copy
of the schema partition. Objects stored in the schema partition are replicated to each domain controller in
domains/forests.

# Application The application partition is a new feature introduced in Windows Server 2003. This partition
contains application specific objects. The objects or data that applications and services store here can comprise of
any object type excluding security principles. Security principles are Users, Groups, and Computers. The
application partition typically contains DNS zone objects and dynamic data from other network services such as
Remote Access Service (RAS) and Dynamic Host Configuration Protocol (DHCP).

An Overview of Active Directory Replication Terminology, Concepts, and Objects

In Active Directory, there are numerous concepts and objects that are used to create a replication topology.
These are described below:

# Sites A site can be defined as a grouping or set of Internet Protocol (IP) subnets that are connected by a
highly reliable, fast, and inexpensive link. This is usually a local area network (LAN) or metropolitan area network
(MAN). Domains can have domain controllers in multiple sites. A site can have domain controllers from multiple
domains. In Active Directory, sites have the following main roles or purposes:

A site determines the closest domain controller at workstation logon.

A site operates as a replication boundary. As a replication boundary, a site optimizes replication between sites
because it can be used to improve on and more efficiently manage Active Directory replication.

A site also functions as a resource locator boundary. Clients are only able to access resources that are accessible
in a particular site.

http://www.techiebird.com/active_directory_replication.html 3/8
3/5/2017 Active Directory Replication

# Site Links Site links are logical connections that are established between sites is Active Directory that define a
path between these sites. A site link defines the direction of Active Directory replication between sites. Either
RPC over IP or SMTP can be used as the transport protocol for moving replication data over a site link. Site links
are assigned the following:

# Cost With replication, the concept of cost indicates the cost of the physical link between two Active Directory
sites and is utilized to detail optimal connection paths between one site and another site. When a site link is
assigned a cost, the type of connection is taken into consideration. For replication, the lower costing links are
used.

# Interval Replication over a site link takes place at predetermined time intervals. When assigning the
replication interval, it is important not to set the value to too high or too low. An exceptionally high value means
that changes take longer to be replicated, while an exceptionally lower value means that replication occurs too
regularly.

# Schedule A replication schedule and interval are basically used together. An interval is associated with a
schedule. A schedule deals with when the replication of data is going to occur.

# Site link bridge In Active Directory, users can use a site link bridge to link sites that share common Active
Directory data but who do not have a site link. The data that these sites typically share is the Application
directory partition.

# Connection objects In Active Directory, domain controllers replicate with specific replication partners.
Connection objects define the partners that domain controllers replicate with. Connection objects enable data to
be replicated in Active Directory because they define inbound replication paths. Domain controllers and their
associated connections are defined in a topology map. The Directory Replication Agent (DRA) handles replication
between domain controllers. The Directory Replication Agent uses the connection objects in the topology map to
find out those partners that are relevant when replicating changes to directory partitions.

The DRA sends a replication request to the partners of a domain controller when the domain controller needs to
update its copy of Active Directory. Administrators can manually create connection objects or they can leave
these objects to be created by the Knowledge Consistency Checker (KCC). When the KCC creates connection
objects, it is an automatic process. The KCC runs on all domain controllers in Active Directory. An Administrator
can create a manual connection object between any two domain controllers in a forest. In order for data to flow
in two directions, users should create two connection objects.

Users can create manual connection objects between domain controllers in the same site or in different sites. The
Knowledge Consistency Checker by default creates automatic connection objects. It references the site topology
and then uses the information on sites and site links to automatically create connection objects. The KCC checks
the site topology at regular intervals to determine whether the connection objects are still valid, then changes
connection objects based on its reviews. It is the KCC that is accountable for making certain that data in the
directory partitions are replicated in sites. Users can disable the automatic creation of connection objects on a
http://www.techiebird.com/active_directory_replication.html 4/8
3/5/2017 Active Directory Replication
directory partitions are replicated in sites. Users can disable the automatic creation of connection objects on a
per site and forest wide basis.

# Inter Site Topology Generator (ISTG) Intersite connection objects are created by the Inter Site Topology
Generator (ISTG) and not the KCC. The first domain controller in a site has the role of Inter Site Topology
Generator. There is only one ISTG within a particular site. It is the ISTG that is responsible for ensuring that the
site has a replica of the configuration, domain, and schema partitions.

# SYSVOL data and the File Replication Service (FRS) The system volume contains scripts and group
policies. SYSVOL data is hosted on every domain controller. Changes to SYSVOL are replicated to domain
controllers within the same domain via File Replication System (FRS) replication. With FRS replication, the full
file is replicated and not just the actual changes that were made to the file. This differs from Active Directory
replication. With Active Directory, only the changes that were made to Active Directory objects are replicated.

# Replicatio methods/protocols Active Directory replication can utilize one of two protocols to send
replication data between domain controllers:

­­>Remote Procedure Call (RPC) This is the main protocol that Active Directory uses to send replication data.
RPC’s encryption capabilities are beneficial for replicating data in Active Directory in the network.

­­>Simple Mail Transport Protocol (SMTP) SMTP is typically utilized for sending replication data in bulk and
for sending replication data over unreliable network connections.

Active Directory Replication Types

In Windows 2000 and Windows Server 2003, the types of Active Directory replication that can be defined are
intrasite replication and intersite replication.

# Active Directory Intrasite Replication

Intrasite replication in Active Directory takes place between domain controllers within the same site. This makes
intrasite replication an uncomplicated process. When changes are made to the Active Directory’s replica on one
particular domain controller, the domain controller contacts the remainder of the domain controllers within the
site.

The domain controller checks the information it contains against information that the other domain controllers
host. To perform this analysis, the domain controller utilizes logical sequence numbers. Intrasite replication
http://www.techiebird.com/active_directory_replication.html 5/8
3/5/2017 Active Directory Replication
host. To perform this analysis, the domain controller utilizes logical sequence numbers. Intrasite replication
utilizes the Remote Procedure Call (RPC) protocol to convey replication data over fast, reliable, network
connections. With intrasite replication, replication data is not compressed.

# Active Directory Intersite Replication

Intersite replication takes place between sites. Intersite replication can utilize either RPC over IP or SMTP to
convey replication data. This type of replication has to be manually configured. Intersite replication occurs
between two domain controllers that are called bridgeheads or bridgehead servers. The role of a bridgehead
server (BS) is assigned to at least one domain controller in a site. A BS in one site deals with replicating changes
with other BSs in different sites. Multiple bridgehead servers can be configured in a site.

It is only these BSs that replicate data with domain controllers in different domains by performing intersite
replication with its BS partners. With intersite replication, packets are compressed to save bandwidth. This
places additional CPU load on domain controllers assigned the BS role. BSs should therefore be machines that
have enough speed and processors to perform replication. Intersite replication takes place over site links by a
polling method that is every 180 minutes by default.

Initiating Replication between Active Directory Direct Replication Partners (forcing replication)

Active Directory usually automatically creates and deletes connection objects between domain controllers. There
are cases though when users might need to manually create connection objects and then force Active Directory
replication. Utilize one of the following tools or methods to force replication:

­>Active Directory Sites and Services console.

­>Repadmin.
­>Replmon.

# Active Directory Replication Topology Options

The Active Directory replication topologies typically utilized are:

­­­>Ring Topology With intrasite replication, the KCC creates a ring topology that defines the replication paths
within a site. In a ring topology, each domain controller in a site has two inbound and outbound replication
partners. The KCC creates the ring so that there is no greater than three hops between domain controllers in a
site.

­­­>Full Mesh Topology This topology is typically utilized in small organizations where redundancy is
extremely important and the number of sites is quite small. A full mesh topology is quite expensive to manage
and is not scalable.

­­­>Hub And Spoke Topology This topology is typically implemented in large organizations where scalability
http://www.techiebird.com/active_directory_replication.html 6/8
3/5/2017 Active Directory Replication
­­­>Hub And Spoke Topology This topology is typically implemented in large organizations where scalability
is important and redundancy is less important. In this topology, one or multiple hub sites exist that have slower
WAN connections to multiple spoke sites. The hub sites are usually connected to each other through high speed
WAN connections.

­­­>Hybrid Topology The hybrid topology is a combination of any of the above topologies.

How to Define an Active Directory Replication Strategy

The replication strategy implemented essentially determines when replication would occur and the manner in
which Active Directory information is replicated. Designing an effective replication strategy involves the following
steps:

# Evaluating the actual physical connectivity of the network This phase of planning typically involves
determining the site links that are necessary in the network. The user would need to identify his/her network
connections, domain controllers, and sites to determine this. Determine which:

­>Sites are connected by low speed unreliable connections – high costing connections.

­>Sites are connected by fast reliable connections – low costing connections.

­>Sites are connected by medium speed connections – medium costing connections.

Another component of this planning phase involves determining whether site link bridges need to be created.
While planning what sites are needed, remember to include the possible future growth of the organization.

# Determining the site link configuration parameters for every connection The configuration parameters
or values that need to be specified for each site link are summarized below:

­>Site link name

­>The transport protocol to be used for conveying replication data. This can be either RPC or SMTP.

­>Site link cost: The default site link cost setting is 100. The value can range between 1 and 32,767.

­>Replication interval or frequency.

­>Replication schedule or when replication should occur.

# Determine the preferred bridgehead servers Instead of using the preferred bridgehead server that the
http://www.techiebird.com/active_directory_replication.html 7/8
3/5/2017 Active Directory Replication
# Determine the preferred bridgehead servers Instead of using the preferred bridgehead server that the
Knowledge Consistency Checker (KCC) defined, the user can choose to manually configure a preferred
bridgehead server.

# Determine whether site link transitivity should be disabled If the user chooses to disable site link
transitivity, he/she must manually create site link bridges between site links to ensure site link transitivity.

AD Articles Windows FAQ's

Comments

Name

Enter your comment here

Comment by Html Comment Box

No one has commented yet. Be the first!

Home | Windows | Network | Interview Questions | Database| Knowledge Base | Contact Us

Designed by TechieBird

http://www.techiebird.com/active_directory_replication.html 8/8