Module Overview
• Overview of Active Directory Domain Services Replication
• Overview of AD DS Sites and Replication
• Configuring and Monitoring AD DS Replication
Lesson 1: Overview of Active Directory Domain Services Replication
• How Active Directory Replication Works
• How AD DS Replication Works Within a Site
• Resolving Replication Conflicts
• Optimizing Replication
• What Are Directory Partitions?
• What Is Replication Topology?
• How Directory Partitions and the Global Catalog Are Replicated
• How the Replication Topology Is Generated
• Demonstration: Creating and Configuring Connection Objects
How Active Directory Replication Works
Active Directory replication:
• Uses a multimaster model
• Uses pull replication
• Uses store and forward replication
• Uses loose consistency with convergence
Changes that initiate replication include:
• Addition of an object to Active Directory
• Modification of an object’s attribute values
• Deletion of an object from the directory
How AD DS Replication Works Within a Site
In a single site:
• Domain controllers notify replication partners when updates are applied
• For normal updates, the change notification happens 15 seconds after the change is applied
• Notifications for security-related changes are sent immediately
• Replication updates are not compressed
Resolving Replication Conflicts
In a multimaster replication model, replication conflicts can arise when:
• The same attribute is changed on two domain controllers simultaneously
• An object is moved or added to a deleted container on another domain controller
• Two objects with the same relative distinguished name are added to the same container on two different domain controllers
To resolve replication conflicts, AD DS uses:
• Version number
• Time stamp
• Server GUID
Optimizing Replication
• In a multimaster replication model, AD DS updates can be replicated using multiple paths
• AD DS uses update sequence numbers, high watermarks, and up-to-dateness vectors to ensure that updates are replicated to a specific domain controller only once
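The metadata behind the two slides above (version number, time stamp and originating server GUID for conflict resolution; USNs, high watermarks and up-to-dateness vectors for once-only delivery) can be read directly from a domain controller. The following script is an added example, not part of the course material; it assumes the ActiveDirectory PowerShell module and uses the lab domain controller name NYC-DC1 from this module's lab section.

```powershell
# Added example (not part of the course slides): inspect the metadata AD DS uses to
# resolve conflicts and to avoid replaying updates. Assumes the ActiveDirectory
# module and a lab DC named NYC-DC1 (name taken from the lab section of this module).
Import-Module ActiveDirectory

$dc   = 'NYC-DC1'
$user = Get-ADUser -Identity 'Administrator' -Server $dc

# Per-attribute replication metadata. Version (version number), LastOriginatingChangeTime
# (time stamp) and LastOriginatingChangeDirectoryServerInvocationId (originating server GUID)
# are the three tie-breakers the slide lists, applied in that order.
Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName -Server $dc |
    Where-Object { $_.AttributeName -in 'description', 'userAccountControl' } |
    Select-Object AttributeName, Version, LastOriginatingChangeTime,
                  LastOriginatingChangeDirectoryServerIdentity,
                  LastOriginatingChangeUsn, LocalChangeUsn |
    Format-Table -AutoSize

# Objects that lost a relative-distinguished-name conflict are renamed with a
# "CNF:<objectGUID>" suffix (preceded by a line feed, \0A in LDAP filter syntax).
# Listing them is a cheap check for unresolved conflicts worth reviewing.
Get-ADObject -LDAPFilter '(cn=*\0ACNF:*)' -Server $dc -Properties whenChanged |
    Select-Object Name, ObjectClass, whenChanged

# Up-to-dateness vector: the highest originating USN this DC has already received from
# every other DC. A partner never resends updates at or below these USNs.
Get-ADReplicationUpToDatenessVectorTable -Target $dc |
    Select-Object Partition, Partner, UsnFilter, LastReplicationSuccess |
    Sort-Object LastReplicationSuccess -Descending

# Partner metadata shows the high watermark kept per inbound partner and partition
# (LastChangeUsn) and surfaces partners that have been failing for a while.
Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Inbound |
    Select-Object Partition, Partner, LastReplicationSuccess, LastReplicationAttempt,
                  ConsecutiveReplicationFailures, LastChangeUsn
```

Run it from any domain-joined management host with RSAT installed. A rising ConsecutiveReplicationFailures value, or a LastReplicationSuccess older than your tombstone lifetime, is the condition that eventually produces lingering objects, so this is a sensible thing to alert on.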
What Are Directory Partitions?
[Diagram: the Active Directory database divided into directory partitions. An AD DS domain controller holds the forest-wide Schema and Configuration partitions, its Domain partition and, optionally, Application partitions; an AD LDS instance holds its own set of partitions.]
The Active Directory database contains:
• Schema (forest-wide) – Definitions and rules for creating and manipulating objects and attributes
• Configuration (forest-wide) – Information about the Active Directory structure
• <Domain> – Information about domain-specific objects
• <Application> – Information about applications; the replication scope of an application partition is configurable
[Diagram: trust types. Forest 1 (a forest root domain with Domains A, B, C, D, E and F), Forest 2 (a forest root domain with Domains P and Q) and an external Kerberos realm; the trust types shown are Parent/Child trust, Tree/Root trust, Shortcut trust, Forest trust, External trust and Realm trust.]
An instance is a set of related directory partitions
• In many cases, an instance is a domain controller
• In an Active Directory environment, each domain controller holds three directory partitions.
Configuration – The configuration partition stores configuration information for the forest in which the domain controller exists. It holds configuration objects for things such as sites, services and directory partitions.
Schema – This partition works like other database schemas. It defines the classes and attributes of every possible object in the whole of Active Directory.
Domain – This partition stores domain-specific objects. These include things such as users, computers and groups.
What Is Replication Topology?
[Diagram: Domain A topology (domain controllers A1, A2, A3, A4) and Domain B topology (domain controllers B1, B2, B3) show replication among domain controllers in the same domain; a third topology spanning A1–A4 and B1–B3 shows replication among domain controllers from various domains.]
How Directory Partitions and the Global Catalog Are Replicated
[Diagram: Domain A topology (A1–A4) and Domain B topology (B1–B3) replicate their own domain partitions; the schema and configuration topology spans domain controllers from various domains; global catalog replication runs among the domain controllers that are global catalog servers.]
How the Replication Topology Is Generated
Active Directory uses the KCC (Knowledge Consistency Checker) to establish a replication path between domain controllers:
• Each domain controller has two replication partners for each Active Directory partition
• The KCC creates two one-way connection objects between replication partners to ensure that no two domain controllers are ever more than three network hops away
• When a new domain controller is added to a site, the KCC recalculates connection objects
• Connection objects can replicate one or more partitions
• The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for generating the replication topology between domain controllers.
• One server per site, known as the Inter-Site Topology Generator, is responsible for managing the inbound replication connection objects for all bridgehead servers in the site in which it is located.
Demonstration: Creating and Configuring Connection Objects
In this demonstration, you will see how to create connection objects and configure existing connection objects
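The demonstration above is performed in Active Directory Sites and Services. The same three steps (list the connection objects the KCC generated, re-run the KCC, create a manual connection object) can be scripted as follows. This is an added example, not the course's own demonstration script; it assumes the ActiveDirectory module and uses the lab names NYC-DC1 (destination) and LON-DC1 (source). The manual connection is created as a raw nTDSConnection object, which is how Sites and Services stores it.

```powershell
# Added example (not course code): inventory KCC-generated connection objects on a DC,
# run the KCC on demand and create one manual connection object.
# Assumes lab DCs NYC-DC1 (destination) and LON-DC1 (source).
Import-Module ActiveDirectory

$dest   = 'NYC-DC1'
$source = 'LON-DC1'

# Connection objects live under the destination DC's NTDS Settings object.
$destNtds   = (Get-ADDomainController -Identity $dest).NTDSSettingsObjectDN
$sourceNtds = (Get-ADDomainController -Identity $source).NTDSSettingsObjectDN

# Inbound connections on NYC-DC1. AutoGenerated = True marks KCC-created objects; manual
# ones are never removed by the KCC, so inventory them regularly and delete the ones
# nobody can explain.
Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateToDirectoryServer -eq $destNtds } |
    Select-Object Name, ReplicateFromDirectoryServer, AutoGenerated |
    Format-Table -AutoSize

# Force the KCC to recalculate the topology now instead of on its 15-minute cycle.
repadmin /kcc $dest

# Manual connection object: an nTDSConnection under the destination's NTDS Settings
# whose fromServer attribute points at the source DC's NTDS Settings.
New-ADObject -Name 'Manual from LON-DC1' -Type nTDSConnection -Path $destNtds -OtherAttributes @{
    fromServer        = $sourceNtds
    enabledConnection = $true
    options           = 0      # 0 = no change notification; the schedule is honoured
}

# Verify: the new object appears with AutoGenerated = False.
Get-ADReplicationConnection -Filter * |
    Where-Object { $_.ReplicateToDirectoryServer -eq $destNtds -and -not $_.AutoGenerated } |
    Select-Object Name, ReplicateFromDirectoryServer, AutoGenerated
```

Manual connection objects are the exception, not the rule: the KCC will route around a failed DC only for the connections it owns, so a manual object pointing at a decommissioned source silently stops replication for that path.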
Lesson 2: Overview of AD DS Sites and Replication
• What Are AD DS Sites and Site Links?
• Discussion: Why Implement Additional Sites?
• Demonstration: Configuring AD DS Sites
• How Replication Works Between Sites
• Comparing Replication Within Sites and Between Sites
• Demonstration: Configuring AD DS Site Links
• What Is the Inter-site Topology Generator?
• How Unidirectional Replication Works
• Sites are used to organize well-connected computers within an organization to optimize network bandwidth. Excessive network traffic can occur between remote locations due to frequent exchange of large amounts of data and directory information.
What Are AD DS Sites and Site Links?
[Diagram: two sites, each made up of IP subnets and containing domain controllers (A1 and A2 in one site; B1, B2 and B3 in the other), joined by a site link.]
Sites:
• Identify network locations with fast reliable network connections
• Are associated with subnet objects in Active Directory
Use sites to optimize network bandwidth:
• Workstation logon traffic
• Replication traffic: when a change occurs in Active Directory, sites can be used to control how and when the change is replicated to domain controllers in another site.
• Distributed File System (DFS) topology: when a shared file or folder has multiple locations, a user is directed to a server in his or her own site. Localizing the availability of servers in a site reduces traffic across slow links.
• File Replication Service (FRS): FRS is used to replicate the contents of the SYSVOL directory, which includes logon and logoff scripts, Group Policy settings, and system policies.
Assess the need for sites:
• Available bandwidth
• Anticipated replication traffic
• Placement of domain controllers
Discussion: Why Implement Additional Sites?
• Why would an organization choose to implement additional sites?
• What are the benefits and disadvantages of creating additional sites?
Demonstration: Configuring AD DS Sites
In this demonstration, you will see how to:
• Create sites and subnets
• Move domain controllers to other sites
How Replication Works Between Sites
[Diagram: two sites (A1 and A2 in one; B1, B2 and B3 in the other) joined by a site link.]
You can configure:
• Replication paths between sites
• Replication schedules and frequency
• Replication protocols
Comparing Replication Within Sites and Between Sites
Replication within sites:
• Assumes fast and highly reliable network links
• Does not compress replication traffic
• Uses a change notification mechanism
Replication between sites:
• Assumes limited available bandwidth and unreliable network links
• Compresses all replication traffic between sites (10:1)
• Occurs on a manual schedule
[Diagram: replication within a site between A1 and A2 across the site's IP subnets, and replication between sites from A1/A2 to B1/B2.]
Demonstration: Configuring AD DS Site Links
In this demonstration, you will see how to:
• Configure the default site link
• Create additional site links
• Add sites to the site links
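The two demonstrations in this lesson (Configuring AD DS Sites: create sites and subnets, move domain controllers; Configuring AD DS Site Links: configure the default site link, create additional links, add sites to them) are carried out in Active Directory Sites and Services. The script below is an added example, not the course's demonstration, that performs the same steps with the ActiveDirectory module. Site names follow the lab (NewYork-Site, London, Tokyo) and the domain controllers are NYC-DC1 and LON-DC1; the subnet ranges and the site link names NYC-LON and LON-TYO are constructed for the example.

```powershell
# Added example (not course code): build the site topology the demonstrations walk through.
# Site and DC names follow the lab; subnets and site link names are made up.
Import-Module ActiveDirectory

# 1. Create sites and associate subnets with them. Subnet-to-site mapping is what the DC
#    locator uses, so an unmapped subnet sends clients to whichever DC answers first.
New-ADReplicationSite -Name 'NewYork-Site'
New-ADReplicationSite -Name 'London-Site'
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'NewYork-Site' -Location 'New York'
New-ADReplicationSubnet -Name '10.20.0.0/16' -Site 'London-Site'  -Location 'London'

# 2. Move domain controllers into the sites that match their IP subnets.
Move-ADDirectoryServer -Identity 'NYC-DC1' -Site 'NewYork-Site'
Move-ADDirectoryServer -Identity 'LON-DC1' -Site 'London-Site'

# 3. Configure the default site link instead of leaving every site in DEFAULTIPSITELINK
#    (cost 100, 180-minute interval). Cost steers the ISTG's path choice; the interval is
#    how often the bridgehead polls its partner for changes.
Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' | Rename-ADObject -NewName 'NYC-LON'
Set-ADReplicationSiteLink -Identity 'NYC-LON' -Cost 100 -ReplicationFrequencyInMinutes 30 `
    -SitesIncluded @{ Replace = 'NewYork-Site', 'London-Site' }

# 4. Create an additional site link for a second WAN path and add sites to it.
New-ADReplicationSite -Name 'Tokyo-Site'
New-ADReplicationSiteLink -Name 'LON-TYO' -SitesIncluded 'London-Site', 'Tokyo-Site' `
    -Cost 200 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP

# 5. Verify: every site should appear on at least one link; a site on no link never replicates.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
```

The last query is the check to keep: a site that was created but never added to a site link shows up nowhere in that output, and its domain controllers will report replication failures rather than a topology error.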
What Is the Inter-site Topology Generator?
[Diagram: two sites with IP subnets; A1 and A2 in one site, B1 and B2 in the other; one bridgehead server in each site carries the replication between the sites, and the inter-site topology generator in each site is marked.]
• The inter-site topology generator defines the replication between sites on a network
How Unidirectional Replication Works
• Unidirectional replication ensures that changes to a read-only domain controller are never replicated to any other domain controller
Lesson 3: Configuring and Monitoring AD DS Replication
• What Is a Bridgehead Server?
• Demonstration: Configuring Bridgehead Servers
• Demonstration: Configuring Replication Availability and Scheduling
• What Is Site Link Bridging?
• Demonstration: Modifying Site Link Bridges
• What Is Universal Group Membership Caching?
• Demonstration: Configuring Universal Group Membership Caching
• Demonstration: Tools for Monitoring and Managing Replication
What Is a Bridgehead Server?
A bridgehead server:
• Sends and receives replicated data
• Is designated for each partition in the site
[Diagram: two sites with IP subnets; A1 is the bridgehead server in one site and B1 in the other; replication between the sites flows only between the bridgehead servers.]
Demonstration: Configuring Bridgehead Servers
In this demonstration, you will see how to configure bridgehead servers
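The demonstration sets a preferred bridgehead server through the server object's properties in Sites and Services. As an added example (not the course's script), the following does the same with PowerShell and repadmin, and then lists every preferred bridgehead in the forest. It assumes the ActiveDirectory module and uses the lab DC name NYC-DC1.

```powershell
# Added example (not course code): show the bridgeheads the ISTG currently uses and
# designate NYC-DC1 as a preferred bridgehead for the IP transport.
Import-Module ActiveDirectory

# Current bridgehead selection per partition, as computed by the ISTG.
repadmin /bridgeheads NYC-DC1 /verbose

# A preferred bridgehead is recorded on the server object (not on NTDS Settings) in the
# bridgeheadTransportList attribute, which holds the DN of the inter-site transport.
$config   = (Get-ADRootDSE).configurationNamingContext
$ipXport  = "CN=IP,CN=Inter-Site Transports,CN=Sites,$config"
$serverDn = (Get-ADDomainController -Identity 'NYC-DC1').ServerObjectDN

Set-ADObject -Identity $serverDn -Add @{ bridgeheadTransportList = $ipXport }

# Review every preferred bridgehead in the forest. Once a site has preferred bridgeheads,
# the ISTG only chooses among them; if all of them are down, inter-site replication for
# that site stops rather than failing over, so designate at least two per site or none.
Get-ADObject -SearchBase "CN=Sites,$config" `
    -LDAPFilter '(&(objectClass=server)(bridgeheadTransportList=*))' `
    -Properties bridgeheadTransportList |
    Select-Object Name,
        @{ n = 'Site'; e = { ($_.DistinguishedName -split ',')[2] -replace '^CN=' } }

# To undo the designation:
# Set-ADObject -Identity $serverDn -Remove @{ bridgeheadTransportList = $ipXport }
```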
Demonstration: Configuring Replication Availability and Frequency
In this demonstration, you will see how to configure the site link object to manage replication between sites
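Availability (the schedule window) and change notification are both properties of the site link object. The script below is an added example, not the course's demonstration: it restricts the NYC-LON site link (a constructed name) to a nightly window using the .NET ActiveDirectorySchedule type and then turns on change notification on the link. It assumes the ActiveDirectory module.

```powershell
# Added example (not course code): restrict inter-site replication on the NYC-LON site link
# to a nightly window and enable change notification. Site link name is assumed.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$link = 'NYC-LON'

# The schedule is a 7-day x 24-hour x 4-quarter-hour bitmap. Open 20:00 through 23:45 daily.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.ResetSchedule()
$schedule.SetDailySchedule(
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::Twenty,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::Zero,
    [System.DirectoryServices.ActiveDirectory.HourOfDay]::TwentyThree,
    [System.DirectoryServices.ActiveDirectory.MinuteOfHour]::FortyFive)

Set-ADReplicationSiteLink -Identity $link -ReplicationSchedule $schedule

# Change notification on the link (options bit 0x1) makes replication across it behave
# like intra-site replication: the partner is notified within seconds instead of waiting
# for the polling interval. Urgent changes such as account lockouts therefore propagate
# immediately, at the cost of WAN bandwidth; it suits well-connected hub sites best.
$opts = (Get-ADReplicationSiteLink -Identity $link -Properties options).options
Set-ADReplicationSiteLink -Identity $link -Replace @{ options = ($opts -bor 1) }

# Read the schedule back and count the open quarter-hour slots: 7 days x 16 slots = 112.
$rs = (Get-ADReplicationSiteLink -Identity $link -Properties ReplicationSchedule).ReplicationSchedule
($rs.RawSchedule | Where-Object { $_ }).Count
```

A schedule that closes the link for most of the day lengthens the time a change made in one site remains invisible in another; when you narrow the window, confirm that the site link's replication interval still fits inside it, otherwise replication across the link happens at most once per window.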
What Is Site Link Bridging?
[Diagram: Site A (A1, A2), Site B (B1, B2, B3) and Site C (C1, C2), each made up of IP subnets; Site Link AB joins Sites A and B, Site Link BC joins Sites B and C, and a site link bridge spans Site Link AB and Site Link BC.]
Demonstration: Modifying Site Link Bridges
In this demonstration, you will see how to:
• Disable site link bridging
• Create a new site link bridge
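Automatic bridging ("Bridge all site links") is a flag on the inter-site transport container, and an explicit bridge is a siteLinkBridge object listing the site links it spans. The following is an added example, not the course's demonstration, that disables automatic bridging and creates the bridge from the slide's diagram. It assumes the ActiveDirectory module and site links named Site Link AB and Site Link BC as on the slide.

```powershell
# Added example (not course code): turn off automatic site link bridging on the IP
# transport and create an explicit bridge so Site A still reaches Site C through Site B.
Import-Module ActiveDirectory

$config  = (Get-ADRootDSE).configurationNamingContext
$ipXport = "CN=IP,CN=Inter-Site Transports,CN=Sites,$config"

# "Bridge all site links" is the options attribute on the transport container:
# bit 0x2 set = bridges required (automatic bridging OFF); bit 0x1 = ignore schedules.
$opts = (Get-ADObject -Identity $ipXport -Properties options).options
Set-ADObject -Identity $ipXport -Replace @{ options = ($opts -bor 2) }

# With automatic bridging off, replication only transits sites that sit on an explicit bridge.
New-ADReplicationSiteLinkBridge -Name 'A-B-C Bridge' -SiteLinksIncluded 'Site Link AB', 'Site Link BC'

# Verify the transport flag and the bridge. Bridging off with no bridge covering a path
# is the classic reason a remote site silently stops receiving changes.
$state = (Get-ADObject -Identity $ipXport -Properties options).options
'Automatic bridging: ' + $(if ($state -band 2) { 'disabled' } else { 'enabled' })
Get-ADReplicationSiteLinkBridge -Filter * | Select-Object Name, SiteLinksIncluded
```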
What Is Universal Group Membership Caching?
[Diagram: two sites; one site contains A1, A2 and a global catalog server, the other contains B1 and no global catalog server; bridgehead servers replicate between the sites.]
• Enables domain controllers in a site with no global catalog servers to cache universal group membership
Demonstration: Configuring Universal Group Membership Caching
In this demonstration, you will see how to:
• Configure universal group membership caching for a site
• Configure the source for caching
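Both settings in the demonstration live on the site's NTDS Site Settings object and are exposed by Set-ADReplicationSite. The script below is an added example, not the course's demonstration; it assumes the ActiveDirectory module, a branch site named Tokyo-Site with no global catalog and a hub site named NewYork-Site that has one (site names adapted from the lab review).

```powershell
# Added example (not course code): enable universal group membership caching for a site
# that has no global catalog and point its refresh at the hub site that does.
Import-Module ActiveDirectory

$branch = 'Tokyo-Site'
$hub    = 'NewYork-Site'

# Confirm the branch site really has no GC before relying on caching.
$gcSites = Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object -ExpandProperty Site
if ($branch -in $gcSites) {
    Write-Warning "$branch already has a global catalog server; caching is unnecessary."
}

Set-ADReplicationSite -Identity $branch `
    -UniversalGroupCachingEnabled $true `
    -UniversalGroupCachingRefreshSite $hub

# Report caching state for every site. Cached memberships are refreshed from the refresh
# site every 8 hours by default, so a universal group change made at the hub (including a
# removal) is not seen by users logging on in the caching site until the next refresh.
Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite |
    Select-Object Name, UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite
```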
Demonstration: Tools for Monitoring and Managing Replication
In this demonstration, you will see how to:
• Identify the domain controller holding the ISTG role
• Force the KCC to run, and how to force replication
• Use Repadmin, NLTest, and DCDiag
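The following script is an added example, not the course's demonstration, covering the tasks listed above and also the earlier topic "What Is the Inter-site Topology Generator?" (the ISTG for a site is recorded on the site's NTDS Site Settings object). It assumes the ActiveDirectory module, the lab names NYC-DC1, LON-DC1 and NewYork-Site, and an assumed lab domain name of contoso.com.

```powershell
# Added example (not course code): identify the ISTG, force the KCC and replication,
# and run the standard repadmin / dcdiag / nltest health checks.
# Assumes lab names NYC-DC1, LON-DC1, NewYork-Site and the assumed domain contoso.com.
Import-Module ActiveDirectory

# Identify the ISTG per site: attribute interSiteTopologyGenerator on CN=NTDS Site Settings
# holds the DN of the NTDS Settings object of the DC that currently owns the role.
$config = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase "CN=Sites,$config" -LDAPFilter '(objectClass=nTDSSiteSettings)' `
    -Properties interSiteTopologyGenerator |
    Select-Object @{ n = 'Site'; e = { ($_.DistinguishedName -split ',')[1] -replace '^CN=' } },
                  @{ n = 'ISTG'; e = { if ($_.interSiteTopologyGenerator) {
                        ($_.interSiteTopologyGenerator -split ',')[1] -replace '^CN=' } else { '(none)' } } }
# repadmin reports the same thing for every site in one call:
repadmin /istg

# Force the KCC to run, then force replication with all partners of NYC-DC1.
repadmin /kcc NYC-DC1
repadmin /syncall NYC-DC1 /A /e /q     # /A all partitions, /e across sites, /q quiet
# Single-object push from PowerShell, e.g. after an urgent password or group change:
# Sync-ADObject -Object 'CN=Administrator,CN=Users,DC=contoso,DC=com' -Source NYC-DC1 -Destination LON-DC1

# Health checks. /replsummary is the one-screen view; a partner whose failure count keeps
# rising, or whose last success is older than the tombstone lifetime, is the case that
# turns into lingering objects and should page someone.
repadmin /replsummary
repadmin /showrepl NYC-DC1 /errorsonly
Get-ADReplicationFailure -Target NYC-DC1 |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

dcdiag /s:NYC-DC1 /test:Replications /test:KccEvent /test:Topology
nltest /dsgetdc:contoso.com /site:NewYork-Site   # which DC the locator returns for this site
nltest /dsgetsite                                # the site this machine resolved itself into
```

The repadmin, dcdiag and nltest lines print to the console; the two PowerShell queries return objects, so they are the ones to feed into a scheduled monitoring job.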
Lab: Configuring Active Directory Sites and Replication
• Exercise 1: Configuring AD DS Sites and Subnets
• Exercise 2: Configuring AD DS Replication
• Exercise 3: Monitoring AD DS Replication
Logon information
Virtual machines: NYC-DC1, LON-DC1, MIA-RODC, NYC-RAS
User name: Administrator
Password: Pa$$w0rd
Estimated time: 60 minutes
Lab Review
• What additional changes would you need to make to the AD DS site configuration if you needed to ensure that all replication traffic in the New-York site passed through NYC-DC2?
• What additional changes would you need to make if you implemented another WAN connection between Tokyo and London, and wanted to use that WAN connection for AD DS replication instead of routing all replication changes through NewYork-Site?
• Why did you force the domain controllers in the lab to update their IP addresses in DNS?
Module Review and Takeaways
• Review questions
• Considerations for configuring AD DS sites and replication
• Tools
Beta Feedback Tool
• The beta feedback tool helps to: collect student roster information, module feedback, and course evaluations; identify and sort the changes that students request, thereby facilitating a quick team triage; and save data to a database in SQL Server that you can later query.
• Walkthrough of the tool
Beta Feedback
• Overall flow of module: Which topics did you think flowed smoothly, from topic to topic? Was something taught out of order?
• Pacing: Were you able to keep up? Are there any places where the pace felt too slow? Were you able to process what the instructor said before moving on to the next topic? Did you have ample time to reflect on what you learned? Did you have time to formulate and ask questions?
• Learner activities: Which demos helped you learn the most? Why do you think that is? Did the lab help you synthesize the content in the module? Did it help you to understand how you can use this knowledge in your work environment? Were there any discussion questions or reflection questions that really made you think? Were there questions you thought weren’t helpful?