Module 4: Configuring

Active Directory®
Domain Sevices Sites
and Replication
Module Overview
• Overview of Active Directory Domain Services Replication

• Overview of AD DS Sites and Replication

• Configuring and Monitoring AD DS Replication

Lesson 1: Overview of Active Directory Domain
Services Replication
• How AD DS Replication Works

• How AD DS Replication Works Within a Site

• Resolving Replication Conflicts

•Optimizing Replication
• What Are Directory Partitions?

• What Is Replication Topology?

• How Directory Partitions and the Global Catalog

Are Replicated
• How the Replication Topology Is Generated

• Demonstration: Creating and Configuring

Connection Objects
How AD (active directory) DS (Domain Server) Replication Works
Active Directory replication:
• Uses a multimaster model

• Uses pull replication

• Uses store and forward replication

• Uses loose consistency with convergence

Changes that initiate replication include:

• Addition of an object to AD DS

• Modification of an object’s attribute values

• Deletion of an object from the directory

 How AD DS Replicates Within a Single Site

In a single site:
• Domain controllers notify replication partners when
updates are applied
• For normal updates, the change notification happens
15 seconds after the change is applied

• Notifications for security-related changes are

sent immediately

• Replication updates are not compressed

 Resolving Replication Conflicts

In a multimaster replication model, replication conflicts can

arise when:
• The same attribute is changed on two domain controllers
simultaneously: last time/version/time override another server GUID
• An object is moved or added to a deleted container(eg.OU) on
another domain controller: drop into lost & find

• Two objects with the same relative distinguished name are

added to the same container on two different domain controllers:
• the first name assigned override the latter names

To resolve replication conflicts, AD DS uses:

• Version number • Time stamp • Server GUID

Optimizing Replication (Not full mesh)

• In a multimaster replication model, AD DS updates

can be replicated using multiple paths
• AD DS uses update sequence numbers, high watermarks,
and up-to-dateness vectors to ensure that updates
are replicated to a specific domain controller only once
What Are Directory Partitions?

Contains:
Definitions and rules for
creating and manipulating
objects and attributes

Forest Schema Information about the

Active Directory structure

Configuration
Information about domain-
Domain specific objects
<Domain>

Configurable Information about

replication applications
<Application>

Active Directory
Database
What Is Replication Topology?

A1
A1 A2
A2 B2

B1

A3
A3 A4
A4 B3

Domain controllers
Domain controllers in the Domain A Topology
Domain A Topology
from various
same domain domains
Domain B Topology
How Directory Partitions and the Global Catalog
Are Replicated

Global catalog A1 A2 B2
server

B1

Global catalog
A3 A4 B3
server

Global catalog
server
Domain controllers Domain A topology
from various domains
Domain B topology
Schema and configuration
topology
Global catalog replication
 How the Replication Topology Is Generated

Active Directory uses the KCC to establish a replication pull direction

between domain controllers

• Each domain controller has two replication partners

for each Active Directory partition

• The KCC creates two one-way connection objects

between replication partners to ensure that no two domain
controllers are ever more than three network hops away

• When a new domain controller is added to a site,

the KCC recalculates connection objects

• Connection objects can replicate one or more partitions

Demonstration: Creating and Configuring
Connection Objects
In this demonstration, you will see how to create
connection objects and configure existing connection
objects
Lesson 2: Overview of AD DS Sites
and Replication
• What Are AD DS Sites and Site Links?

• Discussion: Why Implement Additional Sites?

• Demonstration: Configuring AD DS Sites

• How Replication Works Between Sites

• Comparing Replication Within Sites and Between Sites

• Demonstration: Configuring AD DS Site Links

• What Is the Inter-site Topology Generator?

• How Unidirectional Replication Works

 What Are AD DS Sites and Site Links?

Sites: A1

rk A2
fast,
rk
IP Subnet

h IP Subnet
Site
fferent domain servers within the same site for objects in

B1 B2 Site Link

B3
IP Subnet
IP Subnet
Site
Discussion: Why Implement Additional Sites?
• Why would an organization choose to implement
additional sites?
• What are the benefits and disadvantages of creating
additional sites?
Demonstration: Configuring AD DS Sites
In this demonstration, you will see how to:
• Create sites and subnets

• Move domain controllers to other sites

How Replication Works Between Sites

You can configure: A1

A2
• Replication paths
between sites
• Replication schedules
and frequency
Site
• Replication protocols

B1 B2 Site Link

B3

Site
Comparing Replication Within Sites and
Between Sites

Replication Within Sites:

A1
Assumes fast and highly
IP
IP Subnet
Subnet
reliable network links

A2 Does not compress

Replication replication traffic
IP
IP Subnet
Subnet

Uses a change notification

mechanism
A1 Replication Between Sites:
IP
IP Subnet
Subnet
Assumes limited available
Replication
Replication
A2 bandwidth and unreliable
IP
IP Subnet
Subnet network links
B1
Compresses all replication
IP
IP Subnet
Subnet traffic between sites
Replication
B2 Occurs on a manual schedule
Replication
Replication
IP
IP Subnet
Subnet
Demonstration: Configuring AD DS Site Links
In this demonstration, you will see how to:
• Configure the default site link

• Create additional site links

• Add sites to the site links

What Is the Inter-site Topology Generator?

Inter-site topology
generator
A1
Bridgehead
IP Subnet server
• The inter-site
A2
topology generator
defines the
replication between Replication

sites on a network
IP Subnet

B1
Replication
IP Subnet
B2
Inter-site
topology
generator Replication

IP Subnet
Bridgehead server
How Unidirectional Replication Works

• Unidirectional replication
ensures that changes to a
read-only domain
controller are never
replicated to any other
domain controller
Lesson 3: Configuring and Monitoring
AD DS Replication
• What Is a Bridgehead Server?

• Demonstration: Configuring Bridgehead Servers

• Demonstration: Configuring Replication Availability

and Scheduling
• What Is Site Link Bridging?

• Demonstration: Modifying Site Link Bridges

• What Is Universal Group Membership Caching?

• Demonstration: Configuring Universal Group

Membership Caching
• Demonstration: Tools for Monitoring and
Managing Replication
What Is a Bridgehead Server?

A bridgehead server:
Bridgehead Server
IP Subnet
• Sends and receives
A1
replicated data
• Is designated for IP Subnet
each partition in
the site

Replication

IP Subnet

IP Subnet B1

Bridgehead Server
Demonstration: Configuring Bridgehead Servers
In this demonstration, you will see how to configure bridgehead servers
2 Bridgehead servers within 1 single site
Step:Click site, property, general, add IP
Demonstration: Configuring Replication
Availability and Frequency
In this demonstration, you will see how to configure the site
link object to manage replication between sites
What Is Site Link Bridge?

B1 B2

B3
IP Subnet
IP Subnet

Site Link Site B Site Link

AB BC

Site Link
Bridge
A1 C2

A2 C1

Site A Site C
IP Subnet IP Subnet
IP Subnet IP Subnet
Demonstration: Modifying Site Link Bridges
In this demonstration, you will see how to:
• Disable site link bridge (if firewall between 2 sites) :AD
sites and services> inter –site transport, right click IP >
uncheck site link bridge
• Create a new site link bridge
 What Is Universal Group Membership Caching?

Enables domain controllers with Global Catalog

Bridgehead server role in Server
A1
a small site which has Bridgehead
IP Subnet
server
NO global catalog servers to A2
cache data of
universal group membership
from the Global Catalog servers IP Subnet

in other big sites

IP Subnet B1

IP Subnet
Bridgehead server
Demonstration: Configuring Universal Group
Membership Caching
In this demonstration, you will see how to:
• Configure universal group membership caching for a site

• Configure the source for caching

Demonstration: Tools for Monitoring and
Managing Replication
In this demonstration you will see how to:
• Identify the domain controller holding the ISTG role

• Force the KCC to run, and then to force replication

• Use Repadmin, NLTest, and DCDiag

Lab: Configuring Active Directory Sites and
Replication
• Exercise 1: Configuring AD DS Sites and Subnets

• Exercise 2: Configuring AD DS Replication

• Exercise 3: Monitoring AD DS Replication

Logon information
Virtual machine NYC-DC1, LON-DC1,
MIA-RODC, NYC-RAS

User name Administrator

Password Pa$$w0rd

Estimated time: 60 minutes

Lab Review
• What additional changes would you need to make to the
AD DS site configuration if you needed to ensure that all
replication traffic in the New-York site passed through
NYC-DC2?
• What additional changes would you need to make if you
implemented another WAN connection between Tokyo and
London, and wanted to use that WAN connection for AD
DS replication instead of routing all replication changes
through NewYork-Site?
• Why did you force the domain controllers in the lab to
update their IP addresses in DNS?
Module Review and Takeaways
• Review questions

• Considerations for configuring AD DS sites and replication

• Tools