Beruflich Dokumente
Kultur Dokumente
Laura E. Hunter
At a Glance:
Prior to the introduction of Windows 2000 Server and Active Directory, many corporate
environments relied on Windows NT for their server infrastructure and identity and
access
management. By the time Windows NT® 4.0 rolled out, it was a solid offering in the
network operating system (NOS) space, but it had a number of drawbacks that made it
difficult to deploy across a large enterprise.
For starters, Windows NT utilized a flat namespace to store network resources, which
meant that there wasn't a good way to separate resources into smaller subsets or to
configure any sort of granular administration. You could not, for example, configure a
departmental container for the resources in your marketing department or configure a
local administrator who had rights to reset passwords for the users within that department
only. In this manner, Windows NT security was largely all-or-nothing; if you wanted to
delegate administrative tasks to a desktop support engineer, you often were forced to
grant far more permissions than you would have otherwise.
In addition, Windows NT stored all of its information in a Security Accounts Manager
(SAM) database that was not meant to grow beyond 40MB in size. If your SAM database
grew beyond this recommended maximum (this happened around 25,000-40,000 objects,
depending on your configuration), you needed to split your environment into multiple
separate domains, which complicated both administering the network and providing
resource access to users. Each NT domain contained a single Primary Domain Controller
(PDC), which contained the only read/write copy of the SAM database; while you could
deploy one or more Backup Domain Controllers (BDCs) for fault tolerance, these BDCs
were read-only and could not perform any update, such as changing a user's password,
that required a write operation.
Finally, Windows NT relied on NetBIOS name resolution, which was broadcast-based
and often generated a great deal of traffic as users browsed for network resources,
particularly if they needed to do so across a slow or heavily-utilized WAN link.
Figure 4 Changes and updates (Click the image for a larger view)
So far, so good, right? But now there's a problem. DC2 has a change that it needs to
replicate. If the only thing to go on were USNs and high watermark vectors, at this point
DC2 would contact DC1 to replicate the same change back to DC1 that DC1 just
replicated to DC2, which would create an endless cycle of replication and chew up
progressively more and more bandwidth. To combat this, we need to a few more pieces
to the puzzle, the first of which is the up-to-dateness vector (UTD vector, or just UTDV).
The UTDV is another piece of replication metadata that is used for propagation
dampening; that is, its purpose is to prevent the same change from wasting bandwidth by
being replicated across the network over and over again. Each DC maintains a UTDV
table for every other DC that stores a replica of the naming context in question. For the
Domain NC, each DC in a domain maintains a UTDV for every DC in the domain; for
the Configuration and Schema NC, this is maintained for every DC in the forest. The
UTDV table keeps track, not only of the highest USN that each DC has received from its
replication partners, but also the highest USN value that it has received from every DC
that is replicating a given NC. To allow for this, each replicated change also includes the
following information:
• The GUID of the DC that is replicating the change. This can be a change that is
being replicated as an originating write or as a replicated write.
• The USN from the DC that is replicating the change. Again, this can be from
either an originating or a replicated write.
• The GUID of the DC that originated the change. If this GUID is the same as the
GUID of the DC that is replicating the change, then this is an originating write.
Otherwise, the UTDV table comes into play.
• The USN from the DC that originated the change. Again, if this USN is the same
as the USN of the DC that is replicating the change, then this is an originating
write. Otherwise, it's off the UTDV table.
To better illustrate this process, we'll increase the complexity of our example by adding a
third domain controller, DC3. In this instance, DC1, DC2, and DC3 are all replication
partners with one another; DC1 replicates with DC2 and DC3, DC2 with DC1 and DC3,
and DC3 with DC1 and DC2:
Step 1: DC1, DC2 and DC3 are all current with each other.
Step 2: DC3 performs a single originating write by resetting the password for the jsmith
user account. DC3 notifies DC1 and DC2 that it has changes available. DC1 and DC2
pull in the originating write from DC3, and then update their HWMV and UTDV tables
for DC3 as shown in Figure 5.
Figure 5 Updating HWMV and UTDV tables (Click the image for a larger view)
Step 3: Here's where the up-to-dateness vector comes into play. DC2 notifies DC1 that it
has changes available. DC1 then contacts DC2 requesting any new changes by sending
DC2 the following information:
Based on the HWMV of 4501, DC2 sees that it has not replicated the change in question
to DC1 (see Figure 7).
Figure 7 A change needs to be replicated
However, based on the UTDV table that DC1 transmitted before replication began, DC2
determines that DC1 doesn't actually require this change, since DC1 has already received
this change from DC3. At this point, DC1 simply updates its HWMV entry for DC2 to
reflect the incremented USN, as shown in Figure 8. However, to conserve bandwidth, the
actual data is not sent over the wire.
Local
Local Originating Originating
Server Property Value VersionID Timestamp DC's
USN DC's GUID USN
GUID
DC1 jsmith "Marketing" 2 2007-06- <DC1's 3003 <DC1's 3003
Description 07 GUID> GUID>
Property 14:03:25
DC3 jsmith "Sales and 2 2007-06- <DC3's 7003 <DC3's 7003
Description Marketing" 07 GUID> GUID>
Property 14:04:57
If DC2 receives both of these changes simultaneously, it will clearly need to determine
which one is the "winning" change. The order of tiebreakers for conflict resolution is as
follows:
1. The modification that has the higher versionID will be accepted as the "winning"
change; the "losing" change will be overwritten. In this case, the versionID is 2
for both records, so we need to move onto the second tiebreaker.
2. If both records have the same versionID, the change that has the later timestamp
will be accepted as the winning change; the losing change will be overwritten. In
this case, the timestamp from DC3's originating write is later, so jsmith's
description will be set to "Sales and Marketing." In the rare instance when both
the versionID and timestamp are identical, we need a third and definitive
tiebreaker:
3. If both records have the same versionID and timestamp, whichever write was
originated by the DC with the lower-numbered GUID will win; the write from the
higher-numbered GUID will be overwritten. So if DC1's GUID is 1234567890
and DC3's GUID is 2345678901, the originating write from DC1 would win if
both the versionID and timestamp were identical.
You are probably thinking, "Wouldn't it make more sense to have the timestamp be the
first tie-breaker?" This isn't as cut-and-dried as you might think. If timestamp were the
primary tie-breaker in Active Directory conflict resolution, the only thing that a malicious
administrator would need to do to propagate his or her changes would be to set back the
clock on one particular DC so that it would always win by way of timestamps.