
25/08/2010

Active Directory Replication – 1

Filed under: ms tip — Mehmet Bora Teoman @ 11:10

Hi everyone

This article is about the replication mechanism of Active Directory Domain Services (AD DS). I will talk about the techniques used in AD DS replication and illustrate how replication occurs after an Active Directory modification. Let me first introduce what Active Directory replication is and why it is used.

Active Directory Domain Services are based on an object database that is used for central administration. All the objects in a network (users, computers, etc.) are described in this database. The domain controller is the core element of this technology. Because the domain controller (which holds the Active Directory database) is so critical, high availability and redundancy are a must for this service. For high availability, administrators use more than one domain controller in their environment, and all the domain controllers hold the same object database (or, more precisely, try to).

Active Directory Domain Services uses a multimaster model. This means that each domain controller can accept modifications to the Active Directory database (except the Read Only Domain Controller, RODC). A modification can be the creation of a user, adding a description to a computer object, and so on. Therefore, at any moment each domain controller's database content differs in some way, and replication is the process by which domain controllers make their database contents the same. (Actually this is nearly impossible in a large environment, though it may be possible in a small one; therefore the term "loosely consistent" is more appropriate for replicated databases.) In short, the goal of Active Directory replication is for each domain controller to have the same content in its AD database.

So I think we are all clear about the purpose of the Active Directory replication process. But if there are many domain controllers in an environment, how can Active Directory replication make every domain controller's database converge? Microsoft uses 4 main technologies for this purpose. These are:

i) Multimaster Replication: every DC can receive updates, which eliminates the dependency on a single domain controller to maintain directory operations.

ii) Pull Replication: DCs pull (rather than push) changes, which reduces unnecessary network traffic.

iii) Store-and-forward Replication: no single DC is responsible for replication. Instead, each DC communicates with a subset of the domain controllers for replication, so the replication load is balanced.

iv) State-based Replication: each DC tracks the state of replication updates, so there are fewer conflicts and fewer unnecessary replications.

To make these technologies clearer, let me give you an example. Suppose we have three domain controllers in our main office: DC01, DC02 and DC03. As the Multimaster Replication model is used, each DC can receive updates. Let's assume a new user is created on DC01 (e.g. teo), a new computer account is created on DC02 (e.g. comp01) and a new group is created on DC03 (e.g. ITstuff), so each DC has an object the others do not. To apply these changes on the other DCs, the Pull Replication mechanism is used: DC01 requests the changes from DC02 and DC03. The same holds for the other two; DC02 requests the changes from DC01 and DC03, and DC03 requests the changes from DC01 and DC02. Figure 1 illustrates the general steps during replication.

Figure 1: General steps during a replication process

If we have more DCs in branch offices, the Store-and-forward Replication mechanism is used. For example, DC03 sends all the updates it knows of to the branch office domain controllers DC04, DC05 and DC06. These three branch office DCs do not communicate with DC01 or DC02 directly (Figure 2), because DC04, DC05 and DC06 are replication partners with DC03 only.

Figure 2: Store-and-forward Replication

But what if DC01 tries to send DC03 an update that it received from DC02? DC03 is already aware of the update, because it received it from DC02 earlier. State-based Replication is the mechanism that prevents such unnecessary replications and conflicts. Through this mechanism (USNs, High-Watermark Values, Up-to-dateness Vectors and Change Stamps, detailed later), DC01 learns that DC03 does not need the update and therefore doesn't send the changes to DC03.

Now that I have explained the main technologies used in Active Directory replication, I can talk about what kind of information is replicated during Active Directory replication and what criteria are considered for the replicated objects. So let's start with the Active Directory replication object types.

During replication, 4 types of data are replicated between domain controllers (Figure 3). These are:

i) Domain Data that is stored in domain directory partitions (users, computers, etc.)

ii) Configuration Data (sites, site links, etc.)

iii) Schema Data (classes, attributes, etc.)

iv) Application Data (DNS data, etc.)

Figure 3: Replicated information types

So what are the criteria during replication? How do the DCs know which update is the latest and which one is unnecessary? For these kinds of decisions, Microsoft uses different mechanisms. These are:

i) Update Sequence Numbers (USN)

ii) High-Watermark Values

iii) Up-to-dateness vectors and propagation dampening

iv) Change stamps and conflict resolution

Update Sequence Numbers (USN): With every update, the domain controller assigns a USN to the update and increases its counter by 1. For example, if I define a telephone number for teo (my new user on DC01) and the current USN is 2000, the update I make increases the USN by 1, so it becomes 2001. The USN is specific to the domain controller. What I mean by that is that, for the same object, each DC can have a different USN.

The USN is used in three different ways: the local USN, uSNChanged and the originating USN. The local USN identifies the USN of the changed attribute. The uSNChanged attribute is stored with each object and identifies the highest USN of any attribute of the object. The originating USN value is set only for originating updates (updates applied on the DC itself) and is replicated to all other domain controllers as part of the attribute replication. Let me give you an example to make the definitions clearer:

Suppose that on DC01 our new user's (teo) office location was changed and the USN was increased to 2002. Both the local USN and the uSNChanged attribute will be set to 2002. If the next update applied to the directory on that server were the addition of a job title for the same user, the local USN on the job title attribute and the uSNChanged attribute of the user object would both be changed to 2003. But the local USN of the office location attribute would remain at 2002, because that was the USN of the last update that changed that particular attribute. When this update is sent to DC02, DC02 assigns its own local USN and uSNChanged values to the update, but the originating USN is not modified by DC02. This unmodified value (the originating USN) is used in the propagation dampening process, which is described later.

High-Watermark Values: These values are used to manage what information is replicated between domain controllers. The high-watermark is the latest uSNChanged value that a domain controller has received from a specific replication partner. This value is specific to the domain controller.

During the replication process, the source DC sends the uSNChanged value to the destination DC, and the destination DC records this value as the High-Watermark for that replication partner. During the next replication cycle, the destination DC sends the value back to the source DC. From this information, the source DC understands which updates the destination DC already has and sends only the changes with a higher uSNChanged value.

Up-to-dateness vectors and propagation dampening: Up-to-dateness vectors are used to keep track of all the originating updates that a domain controller has received from any domain controller. Limiting the updates sent during replication by using Up-to-dateness vectors is called propagation dampening. I will give examples of Up-to-dateness vectors later.
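To make the interplay of these values concrete, here is a small simulation I have added for this article (it is not Microsoft code and not part of the original text): each DC keeps its own USN counter, stores local USN, uSNChanged and originating USN per attribute, and uses the high-watermark and up-to-dateness vector to filter what it pulls. The DC names, the user's DN and the starting USN of 2000 are assumptions chosen to match the examples above.

```python
# Constructed toy model of the bookkeeping described above (USN, local USN vs uSNChanged vs
# originating USN, high-watermark, up-to-dateness vector). Not Microsoft code; DC names,
# the user DN and the starting USN of 2000 are assumptions chosen to match the article.

class DC:
    def __init__(self, name, start_usn=2000):
        self.name = name
        self.usn = start_usn        # last USN assigned on this DC
        self.attrs = {}             # (dn, attr) -> (value, local_usn, orig_dc, orig_usn)
        self.usn_changed = {}       # dn -> highest local USN of any attribute on that object
        self.high_watermark = {}    # partner -> last uSNChanged pulled from that partner
        self.utd_vector = {}        # originating DC -> highest originating USN applied here

    def _store(self, dn, attr, value, orig_dc, orig_usn):
        self.usn += 1               # every write, originating or replicated, consumes a local USN
        self.attrs[(dn, attr)] = (value, self.usn, orig_dc, orig_usn)
        self.usn_changed[dn] = self.usn
        self.utd_vector[orig_dc] = max(self.utd_vector.get(orig_dc, 0), orig_usn)
        return self.usn

    def write(self, dn, attr, value):
        """Originating update: originating DC is this DC and originating USN == local USN."""
        return self._store(dn, attr, value, self.name, self.usn + 1)

    def pull_from(self, source):
        """Pull replication from one partner; returns the number of attribute updates applied."""
        hwm = self.high_watermark.get(source.name, 0)
        applied = 0
        for (dn, attr), (value, local, orig_dc, orig_usn) in source.attrs.items():
            if source.usn_changed[dn] <= hwm or local <= hwm:
                continue            # high-watermark: already pulled from this partner
            if orig_usn <= self.utd_vector.get(orig_dc, 0):
                continue            # propagation dampening: already received via another path
            self._store(dn, attr, value, orig_dc, orig_usn)
            applied += 1
        self.high_watermark[source.name] = max(source.usn_changed.values(), default=hwm)
        return applied

def scenario():
    """Replay the article's example: three updates to user teo on DC01, then pull replication."""
    dc01, dc02, dc03 = DC("DC01"), DC("DC02"), DC("DC03")
    teo = "CN=teo,CN=Users,DC=example,DC=local"
    dc01.write(teo, "telephoneNumber", "555-0100")              # local USN 2001
    dc01.write(teo, "physicalDeliveryOfficeName", "Istanbul")  # local USN 2002
    dc01.write(teo, "title", "Engineer")                        # local USN 2003
    first = dc02.pull_from(dc01)     # 3: DC02 applies them under its own USNs 2001..2003
    second = dc03.pull_from(dc02)    # 3: store-and-forward via DC02, originating USNs kept
    dampened = dc03.pull_from(dc01)  # 0: DC03's vector already covers DC01 up to USN 2003
    return dc01, dc02, dc03, (first, second, dampened)
```

After the third pull, DC03 still records a high-watermark for DC01, so a later change on DC01 is picked up on the next cycle while the already-known updates are never transferred twice.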

Change stamps and conflict resolution: A replication conflict occurs in cases such as:

i) Adding or modifying an object on one DC at the same time that the container of that object is deleted on another DC

ii) Adding objects with the same relative distinguished name into the same container via different DCs

The Change Stamp is used to resolve the conflict. It consists of three components:

a) Version number (when an object is created, this number is 0; with every change to the object, it increases by 1)

b) Last write time (the time recorded when the object is modified)

c) Originating server (the GUID of the server where the last originating update was applied to the object)
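As an added illustration of how these three components are used (my own example, not Microsoft code), the stamps of two conflicting updates are compared component by component in the order version, last write time, originating server GUID, and the higher stamp wins. The GUIDs and timestamps below are constructed sample values.

```python
# Constructed example of change-stamp comparison for conflict resolution; not Microsoft code.
# A stamp is (version, last write time, originating server GUID); the higher stamp wins,
# compared component by component in that order. All values below are made-up sample data.
from datetime import datetime, timezone
from uuid import UUID

def stamp(version, last_write, originating_guid):
    """Build a comparable change stamp; UUID objects compare by their 128-bit value."""
    when = datetime.fromisoformat(last_write).replace(tzinfo=timezone.utc)
    return (version, when, UUID(originating_guid))

def winner(stamp_a, stamp_b):
    """Return 'a' or 'b'; Python tuple ordering implements the version/time/GUID precedence."""
    return "a" if stamp_a > stamp_b else "b"

DC01_GUID = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"  # constructed originating server GUIDs
DC02_GUID = "8c1b4e2a-6b0d-4b6a-9d2e-1f0a2b3c4d5e"

def demo():
    # 1) version decides: DC02 changed the attribute twice (v2), DC01 once (v1), even though DC01 wrote later
    case1 = winner(stamp(1, "2010-08-25T11:10:30", DC01_GUID), stamp(2, "2010-08-25T11:10:00", DC02_GUID))
    # 2) equal version: the later write wins
    case2 = winner(stamp(1, "2010-08-25T11:10:30", DC01_GUID), stamp(1, "2010-08-25T11:10:00", DC02_GUID))
    # 3) equal version and time: the higher originating server GUID wins
    case3 = winner(stamp(1, "2010-08-25T11:10:00", DC01_GUID), stamp(1, "2010-08-25T11:10:00", DC02_GUID))
    return case1, case2, case3
```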

So this is the end of the first part of my article. I tried to explain what Active Directory replication is, what kind of data is replicated, what mechanisms are used for replication and what values are used in these mechanisms. In the second part, I will explain the replication mechanism with the aid of an example scenario. I hope the article is helpful. See you later.
