Saturday, November 22, 2014

Active Directory Replication Process

Active Directory Replication. Hi, let's talk about Active Directory replication: how it works, and what topology, protocols and types of replication Active Directory uses. First, what is replication? When an object (a user, computer, group and so on) is created, modified or deleted on one domain controller, that change has to be synchronized to every other domain controller. The change travels from the originating domain controller to a destination domain controller over a link between the two called a connection object; this process is replication. It is what gives the Active Directory database its fault tolerance: every writable domain controller in a domain ends up holding a complete, up-to-date copy of the domain partition.

Active Directory builds a replication topology on the principle that all writable domain controllers in a domain must exchange directory information with each other, and must in addition exchange forest-wide information (the schema and configuration partitions) with the domain controllers of other domains. The sites and subnets defined in Active Directory dictate the path that replication traffic takes across the network, and form the basis for how directory information is distributed.

Let's discuss the replication types. Active Directory has two replication models:
1. Intrasite replication and 2. Intersite replication.

1. Intrasite Replication :- Intrasite replication happens between domain controllers within the same site. Each domain controller uses an internal process called the KCC (Knowledge Consistency Checker) to map the logical replication topology between the domain controllers in the site. For each domain controller in the site, the KCC selects one or more replication partners and creates connection objects between that domain controller and its partners. Each connection object is one-way: it lives under the destination DC's NTDS Settings and names the source DC it pulls from. Therefore, in a site with three domain controllers, DCA might have a connection object pulling from DCB, while DCB has no connection object pulling from DCA.
Note: The KCC only creates the connection objects; it does not move any data itself. Replication is performed by the directory service over RPC (Remote Procedure Call) over IP.
The KCC is a built-in process that runs on every domain controller inside the directory service process (Lsass.exe, the same process that hosts the Local Security Authority). It cannot be removed; automatic topology generation can be switched off per site with repadmin /siteoptions, but that is an administrative choice, not a removal of the KCC.

A little more depth on the KCC:-
The KCC's selection of replication partners and creation of connection objects follows the "rule of three": no domain controller in a site should be more than three replication hops away from any domain controller that can originate a change to the Active Directory database, so that the time for a change to reach all DCs stays small. The KCC is fully automated and needs no administrator intervention unless you have a definite business reason to configure the topology by hand. In fact, configuring replication connections manually has a significant disadvantage, covered below.

If we add domain controllers to a site, they become part of that site's intrasite replication. The KCC adjusts the intrasite topology by creating new connection objects that reflect the added DC. These connection objects can be viewed under the NTDS Settings node of each server object in the Active Directory Sites and Services snap-in, or from the command line with repadmin /showrepl.

The KCC runs every 15 minutes and analyzes the best path and placement for connection objects. If a domain controller or a link between domain controllers has failed, the KCC updates the topology by removing that connection from the list of possible replication paths. A simple example: consider a single domain with two sites, Site-A and Site-B. Site-A contains two DCs, DC1 and DC2; Site-B contains a single DC, DC3, with a replication connection between DC2 and DC3. If DC2 fails, the KCC detects the failure and creates a new connection object between DC1 and DC3 (because this path crosses sites, it is the ISTG role of the KCC, described under intersite replication below, that builds it). By default, intrasite replication is configured to minimize latency so that changes propagate quickly. Latency is the delay between a change being made and its arrival at all participating domain controllers. The KCC minimizes intrasite latency in several ways:

-- The KCC creates a bidirectional ring (two counter-rotating rings) for the replication path. If one domain controller in the ring fails, traffic is routed the other way around the ring so that replication can continue.
-- As the site grows, additional connection objects are created so that no more than three replication hops exist between any two domain controllers.
-- Intrasite replication traffic is not compressed, which saves CPU cycles on each domain controller during replication; bandwidth inside a site is assumed to be plentiful.
-- Domain controllers use change notification to tell one another when changes need to be replicated. A domain controller holds a change for 15 seconds before sending the first notification, then notifies each of its remaining replication partners at 3-second intervals; each partner then pulls the change. Because at most three hops separate any two domain controllers in the site, a change should reach every DC in the site in well under a minute. (These values apply at the Windows Server 2003 or later forest functional level; at the Windows 2000 level the delays were 5 minutes and 30 seconds.) Certain changes bypass the 15-second hold-back and are notified immediately using urgent replication: an account lockout, a change to the account lockout policy or the domain password policy, and a change of a domain controller's computer account password. An ordinary user password change is not urgent replication in this sense, but it is forwarded immediately to the PDC emulator over RPC, so that the PDC emulator can validate the new password before normal replication has caught up.
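As an added example (not code from the original post), here is a PowerShell check of the notification delays just described. It assumes the ActiveDirectory RSAT module is installed and that the account used can read the Configuration partition. The 15-second and 3-second delays are controlled per partition by two attributes on that partition's crossRef object in the Partitions container, msDS-Replication-Notify-First-DSA-Delay and msDS-Replication-Notify-Subsequent-DSA-Delay; when they are unset, the forest-functional-level default applies. The script lists them and flags any partition where they have been changed from the defaults:

```powershell
# Added example, not from the original post: read the intrasite change-notification
# delays from the crossRef objects in CN=Partitions,CN=Configuration,...
#   msDS-Replication-Notify-First-DSA-Delay       seconds a DC holds a change before the
#                                                 first notification (default 15)
#   msDS-Replication-Notify-Subsequent-DSA-Delay  seconds between notifications to the
#                                                 remaining partners (default 3)
# An unset attribute means the forest-functional-level default applies (15 and 3 at the
# Windows Server 2003 level or higher). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

$partitions = "CN=Partitions," + (Get-ADRootDSE).configurationNamingContext
$delayAttrs = @('nCName',
                'msDS-Replication-Notify-First-DSA-Delay',
                'msDS-Replication-Notify-Subsequent-DSA-Delay')

Get-ADObject -SearchBase $partitions -LDAPFilter "(objectClass=crossRef)" -Properties $delayAttrs |
    ForEach-Object {
        $first = $_.'msDS-Replication-Notify-First-DSA-Delay'
        $next  = $_.'msDS-Replication-Notify-Subsequent-DSA-Delay'

        # Flag anything that is explicitly set and differs from the defaults: a larger
        # value slows every non-urgent change in that partition (lockout policy changes
        # are urgent, a plain group-membership change is not); 0 removes the batching.
        $nonDefault = ($null -ne $first -and $first -ne 15) -or
                      ($null -ne $next  -and $next  -ne 3)

        $firstShown = if ($null -eq $first) { 'default' } else { $first }
        $nextShown  = if ($null -eq $next)  { 'default' } else { $next }

        [pscustomobject]@{
            Partition      = $_.nCName
            FirstDelaySec  = $firstShown
            SubseqDelaySec = $nextShown
            NonDefault     = $nonDefault
        }
    } | Format-Table -AutoSize
```

Any row with NonDefault set to True is worth a conversation with whoever administers the forest: the attributes are rarely changed on purpose, and a raised first-delay value is an easy way to make a site replicate more slowly than everyone assumes.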

Although the KCC's creation of the replication path is fully automatic, it is possible to create manual connection objects between domain controllers within the same domain. A manual connection object overrides the topology the KCC would otherwise have built for that path. However, the KCC never modifies or deletes a manually created connection object, so it also loses the ability to route around it: if the domain controller or site link behind a manual connection becomes unavailable, the KCC will not repair that path on the fly. This is the disadvantage mentioned earlier, and it is why manual connection objects should be inventoried; an automatically generated connection object is marked as generated on the object itself, so the two are easy to tell apart.
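An added example, not from the original post, showing how to see what the KCC has built, how to pick out the manual connection objects it will not repair, and how to make it run now rather than waiting for its 15-minute cycle. It assumes the ActiveDirectory RSAT module and repadmin.exe are installed and that the account used is a domain admin; every DC and site name in the output comes from your own forest.

```powershell
# Added example, not from the original post: inventory connection objects and force a
# KCC pass. Requires the ActiveDirectory module and repadmin.exe (AD DS role or RSAT).
Import-Module ActiveDirectory

# Every connection object in the forest. Each one is inbound: it lives under the
# destination DC's NTDS Settings (ReplicateToDirectoryServer) and names the source DC
# it pulls from (ReplicateFromDirectoryServer). AutoGenerated is False for manual ones.
$connections = Get-ADReplicationConnection -Filter *

# Turn "CN=NTDS Settings,CN=DC2,CN=Servers,CN=Site-A,..." into "DC2".
function Get-DcNameFromNtdsDn([string] $dn) {
    ($dn -split ',')[1] -replace '^CN=', ''
}

$connections |
    Select-Object @{ n = 'Destination';   e = { Get-DcNameFromNtdsDn $_.ReplicateToDirectoryServer } },
                  @{ n = 'Source';        e = { Get-DcNameFromNtdsDn $_.ReplicateFromDirectoryServer } },
                  AutoGenerated |
    Sort-Object Destination, Source |
    Format-Table -AutoSize

# Manual connection objects: the KCC will neither change nor delete these, so a failed
# source behind one of them is not routed around automatically.
$manual = $connections | Where-Object { -not $_.AutoGenerated }
if ($manual) {
    Write-Warning ("{0} manual connection object(s) found; the KCC will not reroute around these:" -f @($manual).Count)
    $manual | Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer | Format-List
}

# Run the KCC immediately on one writable DC (assumed: any writable DC is fine here),
# then show that DC's inbound partners with the result of the last replication attempt.
$dc = (Get-ADDomainController -Discover -Writable).HostName | Select-Object -First 1
repadmin /kcc $dc
repadmin /showrepl $dc

# Forest-wide summary of the topology the KCC produced: largest delta per DC and any
# failing links. This is the quickest place to spot a partner that has stopped replicating.
repadmin /replsummary
```

repadmin /kcc only rebuilds the topology; it does not replicate data, which matches the note above that the KCC creates connection objects but leaves the actual replication to the directory service. Use repadmin /syncall if you also want the data pulled right away.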

2. Intersite Replication:- In a word, intersite replication happens between sites, for example from Site-A to Site-B. A site represents a physical location with fast internal connectivity; for example, Site-A is the USA office and Site-B is the Australia office.
If Active Directory information were replicated only within a single site, there would be no way to share object information across the global network. The enterprise network would be a collection of separate LANs that could not share resources, and centralized administration and single sign-on from anywhere on the network would not be feasible. Recall that each site consists of one or more IP subnets connected by fast and reliable links.

As I said, Active Directory site names generally reflect the name of a physical location, and a site includes the domain controllers at that location that participate in replication. Each site contains one or more subnets. Consider a company whose network in the USA consists of four buildings connected by high-speed links; the subnets in those buildings could all belong to the same site. If we add a remote location in Australia to this network, we would create an additional site with subnets that reflect that location's IP address scheme. When we install a domain controller in Australia, in the same domain as the USA domain controllers, we need to create a site link so that replication can take place between the USA and Australia. A site link is a logical connection between two or more sites that mirrors the routed WAN connection between them and allows replication to occur; site links are transitive by default because site link bridging ("Bridge all site links") is enabled for the IP transport unless you turn it off. To build the replication topology of a multisite network, one domain controller in each site runs the Intersite Topology Generator (ISTG), a role of the KCC that selects that site's bridgehead servers and creates the inbound connection objects used for replication between sites.

With the exception of DEFAULTIPSITELINK, which is created automatically when you install Active Directory, all Active Directory site links have to be created manually. All site link objects share the following characteristics:
--Site links connect two or more sites that communicate using the same transport (IP or SMTP).
--Site link objects are defined manually.
--Site link objects correspond to the WAN links connecting the sites.
--The ISTG uses site links to establish the intersite replication topology.
The primary goal of intersite replication is to minimize bandwidth usage. Unlike intrasite replication, intersite replication compresses the data replicated between sites (once it exceeds about 32 KB), trading CPU time on the bridgehead servers for a reduction in the network traffic used by Active Directory replication.

When we create a site link object we should configure the following three attributes to control the behavior of replication traffic over the site link:
1. Cost,  2. Schedule  and 3. Frequency.
1. Cost:- Assigning a cost to a site link object lets the administrator define the path that replication will take. If more than one path can be used to replicate information, the cost assignments determine which path is chosen first: a lower-numbered cost value is preferred over a higher-numbered one. Cost values range from 1 to 99,999. There is no absolute numbering scheme; the values are chosen by the Active Directory administrator and only have meaning relative to one another. The default cost of a newly created site link object is 100.
2. Schedule:- The schedule of the site link object determines when the link is available to replicate information. For example, you may configure a site link's schedule so that it can only carry replication traffic between midnight and 5am, Monday through Friday. You will typically set this to reflect off-peak business hours on slow or heavily utilized WAN links, so that link bandwidth is not consumed by replication traffic during the working day. By default, a newly created site link object is available for replication 24/7.
3. Frequency:- A site link's frequency determines how often information is replicated over that site link. Replication takes place only during the scheduled hours, and within those hours as often as the frequency attribute permits. The default replication frequency for a new site link is 180 minutes; it can be configured to take place as frequently as every 15 minutes and as infrequently as once per week (10,080 minutes).
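Putting the three attributes together, here is an added example (not from the original post) that creates the USA-to-Australia site link in PowerShell with a cost, the Monday-to-Friday midnight-to-5am schedule from the text and a 60-minute frequency, reads the result back, and then shows which DC holds the ISTG role in each site. The link name "USA-Australia" and the site names Site-A and Site-B are assumptions; the ActiveDirectory module must be installed and the account used must be able to write to the Configuration partition (Enterprise Admins by default).

```powershell
# Added example, not from the original post: create a site link with cost, schedule and
# frequency, then verify it. Site and link names are assumptions for this example.
Import-Module ActiveDirectory

# Schedule: available only 00:00-05:00 Monday to Friday. RawSchedule is a
# [bool[7,24,4]] indexed [dayOfWeek (0 = Sunday), hour, quarter-hour]. A fresh
# schedule has every slot $false, which would mean "never replicate", so every slot
# we want open has to be set explicitly.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$raw = $schedule.RawSchedule
foreach ($day in 1..5) {            # Monday .. Friday
    foreach ($hour in 0..4) {       # 00:00 .. 04:45
        foreach ($q in 0..3) { $raw[$day, $hour, $q] = $true }
    }
}
$schedule.RawSchedule = $raw

# Cost is relative only: the lower total cost wins when two paths exist.
# Frequency: default 180 minutes, minimum 15, maximum 10080 (one week).
New-ADReplicationSiteLink -Name "USA-Australia" `
    -SitesIncluded "Site-A", "Site-B" `
    -InterSiteTransportProtocol IP `
    -Cost 200 `
    -ReplicationFrequencyInMinutes 60 `
    -ReplicationSchedule $schedule

# Read it back. The two computed columns probe one open slot (Monday 02:00) and one
# closed slot (Saturday 12:00) of the stored schedule as a sanity check.
Get-ADReplicationSiteLink -Identity "USA-Australia" -Properties * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded,
                  @{ n = 'MondayTwoAmOpen';   e = { $_.ReplicationSchedule.RawSchedule[1, 2, 0] } },
                  @{ n = 'SaturdayNoonOpen';  e = { $_.ReplicationSchedule.RawSchedule[6, 12, 0] } } |
    Format-List

# The ISTG in each site is recorded in the interSiteTopologyGenerator attribute of the
# site's NTDS Site Settings object (a DN of the ISTG's NTDS Settings). It is the DC that
# will pick a bridgehead and build the intersite connection objects over this link.
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $configNC -LDAPFilter "(objectClass=nTDSSiteSettings)" `
    -Properties interSiteTopologyGenerator |
    Select-Object @{ n = 'Site'; e = { ($_.DistinguishedName -split ',')[1] -replace '^CN=', '' } },
                  @{ n = 'ISTG'; e = { ($_.interSiteTopologyGenerator -split ',')[1] -replace '^CN=', '' } } |
    Format-Table -AutoSize
```

After the link exists, the ISTG in each site will create the corresponding intersite connection objects on its next pass (repadmin /kcc on the ISTG forces this); until then, Get-ADReplicationConnection shows nothing for the new path.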

The main points to note:
1. Active Directory has two replication models: intrasite and intersite.
2. The KCC creates the connection objects. It runs every 15 minutes and adjusts the topology when a DC is added, removed or becomes unreachable.
3. The KCC runs on every domain controller; in each site one DC additionally holds the ISTG role.
4. Active Directory replicates over RPC over IP. SMTP is an option only for intersite replication of the schema, configuration and application partitions; it cannot replicate the domain partition.
5. The default intersite replication frequency is 180 minutes. It can be lowered to 15 minutes, so that replication happens every 15 minutes within the hours the link's schedule allows.
6. Intrasite replication is notification-based rather than scheduled: when a change occurs, the DC holds it for 15 seconds, then notifies its partners, which pull the change. Urgent replication does not wait the 15 seconds.

So I hope you are now clear about Active Directory replication. If you have any questions, feedback or suggestions, please let me know. Advanced replication concepts will be discussed in the next post.