
Active Directory Replication

Active Directory Replication: is the process by which a change made to an Active Directory object on one domain controller is propagated to another domain controller. The type of change can be an addition, modification, container change or deletion of an object.

When a change occurs, the domain controller notifies the other domain controllers, which is called Change Notification. The replication partners then generate a Change Request, and the source domain controller sends the Update to the replication partners. The delay between the time a change occurs and the time it is propagated to all domain controllers in the site is known as Replication Latency.
 --> 15 sec for the first direct replication partner (configurable)
 --> 3 sec for the rest of the replication partners (configurable)
Security updates like Password lock do not wait for 15 sec. They replicate immediately, which is known as Urgent Replication.

Changes can take place on any DC. The same change may take place on multiple DCs at the same time, and this can cause a replication conflict.
The globally unique stamp on each update is used to resolve replication conflicts and to assist in restoring Active Directory objects. It contains the attribute version number, the domain controller system time and the domain controller GUID.
Active Directory replication conflicts can be of the following types:
 --> Attribute conflicts
 --> Deleted container conflicts
 --> RDN conflicts
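
The attribute-conflict case, as an added example that is not part of the original post: two DCs hold different writes to the same object, and each attribute is resolved on its own stamp. The comparison order (version number, then system time, then DC GUID) is the documented Active Directory behaviour rather than something this page states; the names Stamp and resolve, the sample values, and comparing GUIDs as integers are assumptions made for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from uuid import UUID

@dataclass(frozen=True)
class Stamp:
    version: int       # attribute version number
    written: datetime  # system time of the originating domain controller
    dc_guid: UUID      # GUID of the originating domain controller

    def key(self):
        # Version decides first; time only breaks a version tie;
        # the GUID only breaks a tie on both (integer compare is an assumption).
        return (self.version, self.written, self.dc_guid.int)

def resolve(local, incoming):
    """Merge two replicas of one object, attribute by attribute.

    Each replica maps attribute name -> (value, Stamp). Returns the merged
    replica and the attributes where the incoming write replaced the local one.
    """
    merged, overwritten = dict(local), []
    for attr, (value, stamp) in incoming.items():
        if attr not in merged or stamp.key() > merged[attr][1].key():
            merged[attr] = (value, stamp)
            overwritten.append(attr)
    return merged, overwritten

# Constructed sample: the same user object edited on two DCs before replication.
DC1 = UUID("11111111-1111-1111-1111-111111111111")
DC2 = UUID("22222222-2222-2222-2222-222222222222")
T0 = datetime(2024, 1, 1, 12, 0, 0)
T1 = datetime(2024, 1, 1, 12, 0, 5)
DC1_COPY = {
    "telephoneNumber": ("555-0100", Stamp(3, T0, DC1)),  # higher version, older time
    "title": ("Engineer", Stamp(2, T0, DC1)),
    "department": ("IT", Stamp(4, T0, DC1)),
}
DC2_COPY = {
    "telephoneNumber": ("555-0199", Stamp(2, T1, DC2)),  # loses: lower version
    "title": ("Manager", Stamp(2, T1, DC2)),             # wins: same version, later time
    "department": ("Ops", Stamp(4, T0, DC2)),            # wins: GUID tie-breaker
}

if __name__ == "__main__":
    merged, won = resolve(DC1_COPY, DC2_COPY)
    print({attr: value for attr, (value, _) in merged.items()}, won)
```

Because version outranks time, a later clock on one DC does not override a write with a higher version number, and merging in either direction yields the same object on both DCs.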


Replication Convergence is the process of determining multiple paths for fault tolerance.

Replication Dampening is the process of preventing unnecessary replication.
KCC and ISTG are responsible for Replication Convergence and Propagation Dampening.

Active Directory Replication can be differentiated into two types:

Intra-Site Replication: is designed to replicate changes quickly to DCs within the same site and is performed using change notification. In the case of intra-site replication, DC1 will notify DC2 that it has changes that need to be replicated and DC2 will pull those changes from DC1, and vice versa. Active Directory Replication takes place in pull operations, not pushes.
--> Replication between Domain Controllers in the Same Site.
--> Avoids Unnecessary Traffic Through Change Notification Mechanism.
--> Security-Sensitive Changes Immediately Replicated (Also known as Urgent Replication)

Inter-Site Replication: is designed to replicate changes at some interval to DCs in different sites. Site Links are required to connect Domain Controllers in different sites.

The Bridgehead Server replicates between DCs in different sites. The Knowledge Consistency Checker (KCC) automatically makes connections between sites and decides the Bridgehead Server. It also reconfigures the connections when links go down.

Site: is a logical representation of your physical structure. In general, sites are physical locations or buildings, but there are cases in which a single site might span multiple buildings. Think of a site as a location where computers are connected by high-speed, reliable, cost-effective links.
Site Membership: In the majority of cases, site membership is defined by your IP structure. On a routed IP network, each physical location will typically have its own addressing range.
Subnet object: is simply an object created in Active Directory that is assigned a range of IP Addresses and associated with a site.
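
Site membership by subnet object, as an added example that is not part of the original post: each address is mapped to the site of the subnet that contains it, and addresses covered by no subnet object are listed for follow-up. The subnet ranges, site names and function names are constructed for the illustration; choosing the most specific subnet when ranges overlap is Active Directory's behaviour, not something this page states.

```python
import ipaddress

# Constructed subnet objects: an address range associated with a site.
SUBNET_OBJECTS = {
    "10.0.0.0/8": "HQ",
    "10.20.0.0/16": "Branch-East",
    "10.20.30.0/24": "Branch-East-Lab",
    "192.168.50.0/24": "Branch-West",
}

# Constructed client addresses to check against the subnet objects.
CLIENTS = ["10.20.30.7", "10.20.99.1", "10.1.2.3", "172.16.4.4"]


def build_index(subnet_objects):
    """Parse the ranges and order them most specific (longest prefix) first."""
    nets = [(ipaddress.ip_network(cidr), site) for cidr, site in subnet_objects.items()]
    return sorted(nets, key=lambda entry: entry[0].prefixlen, reverse=True)


def site_for(ip, index):
    """Return the site of the most specific subnet containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, site in index:
        if addr.version == net.version and addr in net:
            return site
    return None


def audit(ips, index):
    """Return ({ip: site}, [ips that match no subnet object])."""
    mapped, unmapped = {}, []
    for ip in ips:
        site = site_for(ip, index)
        if site is None:
            unmapped.append(ip)  # no subnet object covers this address
        else:
            mapped[ip] = site
    return mapped, unmapped


if __name__ == "__main__":
    mapped, unmapped = audit(CLIENTS, build_index(SUBNET_OBJECTS))
    for ip, site in mapped.items():
        print(f"{ip:15} -> {site}")
    print("no subnet object:", unmapped)
```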

Site Links: are connections between sites that form the core of Active Directory inter-site replication. When you create site links, you can use SMTP or IP as the transport protocol. You must create links between two sites before replication can occur. In the absence of a site link, you cannot make connections between computers in the two sites. Site links are not generated automatically and must be manually created in the Active Directory Sites and Services console. A site link can contain more than two sites, but this is typically not advisable unless you have a mesh topology between the sites in question.

SMTP Replication: Sends Active Directory replication data as attachments in encrypted e-mail messages. It is asynchronous, which means that it is not time sensitive. It is useful in situations where the link separating the sites is slow or unreliable. SMTP replication passes through NAT devices to get to a particular destination. SMTP replication is rarely used because it can only be used between different domains.
SMTP replication is never a valid choice for a site link if you need to replicate information between different sites in the same domain. This is because SMTP is capable of replicating only the configuration and schema Active Directory partitions. SMTP cannot replicate the domain partition. Only forest-wide configuration settings can be replicated using SMTP.
SMTP is a bit complicated to configure, because it requires e-mail servers that are encryption-capable. Key Management Server is used with Exchange to configure SMTP. SMTP replication also requires a Certificate Authority (CA) to issue the certificates used by the SMTP server for encryption.

IP Replication: IP Replication actually means Remote Procedure Call (RPC) over IP. RPC (ports 135, 137, 139) is a common protocol used in Microsoft products. It has a few distinct advantages and disadvantages.

RPC is fairly efficient (compared to SMTP) and it provides rapid data transfer over reasonably fast, reliable links. On the other hand, RPC is synchronous, which means that it is very time sensitive, and that makes it a poor choice for slow links. After the initial session is established, RPC chooses random port numbers and references these port numbers in the packet's RPC header, so RPC cannot be translated by NAT devices. RPC is the only protocol choice available for replicating changes within a single domain.


KCC Architecture and Process Components

Knowledge Consistency Checker (KCC) - The application running on each domain controller that communicates directly with the Ntdsa.dll to read and write replication objects.

Directory System Agent (DSA) - The directory service component that runs as Ntdsa.dll on each domain controller, providing the interfaces through which services and processes such as the KCC gain access to the directory database.

Extensible Storage Engine (ESE) - The directory service component that runs as Esent.dll. ESE manages the tables of records, each with one or more columns. The tables of records comprise the directory database.

Remote procedure call (RPC) - The Directory Replication Service (DRSUAPI) RPC protocol, used to communicate replication status and topology to a domain controller. The KCC also uses this protocol to communicate with other KCCs to request error information when building the replication topology.

Inter-site Topology Generator (ISTG) - is responsible for creating connection objects on the bridgehead server. The ISTG is nothing but a KCC server (DC), which is responsible for reviewing the inter-site topology and creating inbound replication connection objects as necessary for the bridgehead server in the site in which it resides. It is the single KCC in a site that manages inter-site connection objects for the site.
