

Course: Network Operating System.


Done By: Ronak S Aswaney, ID:0710229.
Date: 15/02/10.

1
Objectives

• Describe how Active Directory identifies data that needs to be replicated.
• Understand each process that is carried out to identify the data to be replicated.

2
Identifying Data to Replicate

• Identify Domain Controllers
• Update Sequence Number
• High-watermark Value
• Up-to-dateness Vector
• Propagation Dampening
• Conflict Resolution

3
Identifying Data to Replicate - Introduction

• Active Directory uses a multi-master model for replication.
  ◦ This means you can make changes to Active Directory on any domain controller.
  ◦ Those changes are then replicated to the other domain controllers.
• When you make a change to Active Directory, such as adding a new user or changing a user's telephone number, the replication process begins.
• Replication is performed at the attribute level, not the object level.
  ◦ For example, if a user's fax number is changed, only the new fax number is replicated; the user's other attributes were not changed. This makes the replication process very efficient.

4
Identifying Data to Replicate - Introduction

Replication involves two types of updates:

• Originating Updates
  An originating update is a change to Active Directory that was made on the local domain controller.
  ◦ For example, if a user's password is changed on DC1, it is an originating update on DC1.

• Replicated Updates
  A replicated update is a change that was made through replication.
  ◦ For example, if a user's password is changed on DC1 and the change is replicated to DC2, it is a replicated update on DC2.

5
Identifying Data to Replicate - Introduction

• Active Directory does not rely on a time-based system to replicate directory changes.
• Time-based systems have many drawbacks.
  ◦ E.g. if clocks become unsynchronized, or a clock drifts or stops, data can be lost or the directory can become corrupt.
• Active Directory uses another method:
• The domain controllers track objects using Update Sequence Numbers (USNs).
  ◦ Each DC maintains its own USN counter, which is independent of all other domain controllers. Every time the Active Directory database on a DC is modified, the USN is incremented by one and the updated object and attributes are stamped with that USN.

6
Identifying Data to Replicate - Introduction

• The use of the multi-master model does introduce an additional consideration.
  ◦ It makes it possible for two domain controllers in the same domain to show different information, even for the same object.
  ◦ This is caused by latency: the replication process takes some time.
  ◦ The latency could be only a few seconds or possibly a few minutes. In large, geographically dispersed networks, the latency could be hours.
• Once replication has finished and all the domain controllers contain the same information for every object, the directory database is said to have reached convergence.

7
Identify Domain Controllers

• What is a Domain Controller?
  ◦ A network server which holds a directory database that manages user access to a network, including logging on, authentication, and access to network resources.

• There are several identifiers for a domain controller:
  ◦ NTDS Settings Server Object
  ◦ Server GUID
  ◦ Database GUID

8
NTDS Settings Server Object

• The NTDS Settings Server object:
  ◦ is contained in the configuration partition.
  ◦ identifies the server as a domain controller.

• You can access the object by using Active Directory Sites and Services.

• It holds a link to the domain controller's computer account and cannot be deleted by an administrator on the local computer.

9
Server GUID / Database GUID

• The server globally unique identifier (GUID) is used to identify replication partners.

• The Database GUID is used by domain controllers to identify other domain controllers during replication requests.
  ◦ The database GUID changes if a domain controller is restored from backup, in order to ensure that changes are replicated correctly.

10
Update Sequence Number

• The USN is a 64-bit number used to identify changes to data in Active Directory.

• Each object in the directory has two USNs:
  ◦ One set when the object is created.
  ◦ One set every time the object is updated.

• Also, each attribute of an object has two USNs:
  ◦ The first USN is from the local domain controller.
  ◦ The second USN is from the domain controller that performed the originating write operation.

11
Update Sequence Number

• We will look at the following scenarios:
  ◦ Creation of a new user account.
  ◦ Replication of the new user account.
  ◦ Updating an attribute of the user account.
  ◦ Replicating the change of the user account's attribute.

12
Creation of new user account

Attribute  USN   Version #  Timestamp            Org. DSA GUID  Org. USN
A          8412  1          2004-08-19 10:23:42  DC1 DSA GUID   8412
B          8412  1          2004-08-19 10:23:42  DC1 DSA GUID   8412
C          8412  1          2004-08-19 10:23:42  DC1 DSA GUID   8412
D          8412  1          2004-08-19 10:23:42  DC1 DSA GUID   8412

13
Replication of new user account

14
Updating attribute of user account

15
Replicating change of user account's attribute

16
High-watermark Value

• It is used to quickly identify which objects need to be replicated from a specific replication partner for a specific naming context.

• Each DC keeps its own high-watermark table. The highest USN received from each replication partner is stored in the table.

17
High-watermark Value

Example high-watermark table:

18
High-watermark Value
Determining which objects may need to be replicated:

When DC2 requests changes from DC3, it sends the high-watermark value along.

Only objects with a usnChanged value > 1532 will be considered for replication.

19
Up-to-dateness Vector

• It helps the source domain controller filter out attributes that do not need to be replicated.
  ◦ When a destination domain controller contacts a source domain controller, the destination DC sends its up-to-dateness vector.
  ◦ This allows the source DC to determine which attributes the destination domain controller does and does not already have the updated value for.

• The up-to-dateness vector table stores the highest originating USN received from every source DC, so it holds information about all the DCs that are interconnected with each other.

20
Up-to-dateness Vector
Example of up-to-dateness vector table:

What difference did you notice between the high-watermark value and the up-to-dateness vector?
21
Propagation Dampening

• Propagation Dampening?
  ◦ Propagation dampening is used to prevent unnecessary replication by preventing updates from being sent to servers that are already updated.
  ◦ Up-to-dateness vector tables and high-watermark tables are used together to provide propagation dampening.
• We will look at 4 scenarios and examples:
  ◦ Creation of a new user account on a specific DC.
  ◦ Replication of the user account.
  ◦ DC requests updates from another DC.
  ◦ DC responding to the request, sending the new high-watermark value and vector data.

22
Creation of new user account on DC4

No changes are directly made to DC2.

23
Replication of user account to DC4's first replication partner

DC4 notifies DC1 that it has updates.
The user account is then replicated.
Still, no changes are made on DC2.

24
DC2 requests updates from DC1
DC2 sends DC1 the following information when requesting updates:
• The naming context to update.
• The high-watermark value that DC2 holds for DC1.
• The maximum number of object entries requested.
• The maximum number of values requested.
• DC2's up-to-dateness vector table.
Still, no changes are made on DC2.

25
DC1 replies back to DC2

DC1 responds with data:
• The new user account.
• The new high-watermark value. This is when the DC2 table is changed!
• Updated vector data.

26
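The request/response exchange on the two slides above, as an added example that is not part of the original presentation: a small Python simulation of how a source DC applies the destination's high-watermark and up-to-dateness vector to decide what to send, which is exactly where propagation dampening happens. The DSA GUID labels, DNs and all USN values except 1532 are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class AttrValue:
    """One attribute value plus the replication metadata the slides describe."""
    name: str
    orig_dsa_guid: str   # DSA GUID of the DC where the originating write happened
    orig_usn: int        # USN assigned to that originating write on that DC

@dataclass
class DirObject:
    dn: str
    usn_changed: int                           # local USN stamped on the last change
    attrs: dict = field(default_factory=dict)  # attribute name -> AttrValue

def changes_to_send(source_objects, high_watermark, dest_utd_vector):
    """Return {dn: [AttrValue, ...]} that this source DC must send to the destination.

    high_watermark: highest usnChanged the destination already received from this source.
    dest_utd_vector: {orig_dsa_guid: highest originating USN the destination has seen}.
    """
    pending = {}
    for obj in source_objects:
        # High-watermark filter: skip objects unchanged here since the last request.
        if obj.usn_changed <= high_watermark:
            continue
        # Up-to-dateness vector filter (propagation dampening): drop values whose
        # originating write the destination already holds, e.g. via another partner.
        fresh = [v for v in obj.attrs.values()
                 if v.orig_usn > dest_utd_vector.get(v.orig_dsa_guid, 0)]
        if fresh:
            pending[obj.dn] = fresh
    return pending

# Constructed sample: DC1's replica and what DC2 sends when it requests updates.
# "DC1-GUID"/"DC4-GUID" stand in for real DSA GUIDs; only 1532 comes from the slides.
DC1_OBJECTS = [
    DirObject("CN=Alice,OU=Staff,DC=example,DC=test", 1500,
              {"mail": AttrValue("mail", "DC1-GUID", 1500)}),
    DirObject("CN=Bob,OU=Staff,DC=example,DC=test", 1540,
              {"mobile": AttrValue("mobile", "DC1-GUID", 1540)}),
    DirObject("CN=Carol,OU=Staff,DC=example,DC=test", 1545,
              {"fax": AttrValue("fax", "DC4-GUID", 9020),      # reached DC1 from DC4
               "title": AttrValue("title", "DC1-GUID", 1545)}),
]
DC2_HIGH_WATERMARK_FOR_DC1 = 1532
DC2_UTD_VECTOR = {"DC1-GUID": 1532, "DC4-GUID": 9030}  # DC2 already got DC4's fax change
def demo():
    return changes_to_send(DC1_OBJECTS, DC2_HIGH_WATERMARK_FOR_DC1, DC2_UTD_VECTOR)
```

Running demo() shows Alice skipped by the high-watermark, Bob's mobile sent, and only Carol's title sent because DC2 already received the fax change directly from DC4.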
Conflict Resolution

• As you all know, the multi-master model allows changes to be made on any domain controller.
• What if changes are made to the same object at the same time on different DCs?
  ◦ This causes a conflict, but fortunately Active Directory has built-in safeguards to resolve this: conflict resolution.

• We will discuss the following situations:
  ◦ Attribute update conflict.
  ◦ Move under deleted parent.
  ◦ New object name conflict.

27
Attribute update conflict

• Remember, only the changed attribute is replicated, not the entire object; this by itself minimizes replication conflicts.
  ◦ If the email address of a user is changed on DC1, and the mobile number of the same user is changed on DC2 at the same time, this is NOT a conflict.
  ◦ A conflict occurs when the same attribute is changed on two different DCs at the same time.
• The version, timestamp and originating DSA GUID are used to resolve the conflict.
  ◦ First, the version number is checked. If the incoming version number is higher than the existing one, the attribute is updated.
  ◦ If the version numbers are the same, the timestamps are checked. If the timestamps differ, the value with the later timestamp is written to the directory.
  ◦ If the timestamps are identical, the originating DSA GUID is used to decide which change to apply. This is how the conflict is resolved.
28
Move Under Deleted Parent

• Say an administrator deletes an organizational unit on DC1. Simultaneously, another administrator creates a new user account on DC2 in the same organizational unit, which has already been deleted.
• In this case, the new object created on DC2 will be moved to a "lost and found" container.

• This is one of the conflicts which can take place, and the method described above is used to resolve it during replication.

29
New object name conflict

• This occurs when two objects are created with the same distinguished name in the same container on different domain controllers.
• Because objects in the same container must have different relative distinguished names, one of the objects is renamed.

• The timestamps and originating DSA GUID are used to resolve this issue.
  ◦ The object with the higher timestamp keeps the original name.
  ◦ If the timestamps are identical, the originating DSA GUID is used.

30
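The three conflict cases above (attribute update conflict, move under deleted parent, new object name conflict), as an added example that is not from the presentation: Python code applying the resolution order the slides give, version first, then timestamp, then originating DSA GUID, so that every DC reaches the same decision on its own. The stamps, GUID labels and container names are constructed, and the "CNF:" rename suffix is a simplification of the marker Active Directory uses.

```python
from collections import namedtuple

# Replication stamp carried with each attribute value: version, timestamp and the
# DSA GUID of the originating DC. Timestamps are "YYYY-MM-DD HH:MM:SS" strings,
# which compare correctly as text because the fields are fixed-width.
Stamp = namedtuple("Stamp", "version timestamp orig_dsa_guid")

def winning_stamp(local, incoming):
    """Pick the value that wins when two DCs changed the same attribute.

    Order follows the slides: higher version wins; on a tie the later timestamp
    wins; on a full tie the higher originating DSA GUID wins, so every DC reaches
    the same answer independently."""
    if incoming.version != local.version:
        return incoming if incoming.version > local.version else local
    if incoming.timestamp != local.timestamp:
        return incoming if incoming.timestamp > local.timestamp else local
    return incoming if incoming.orig_dsa_guid > local.orig_dsa_guid else local

def apply_replicated_attribute(local_value, local_stamp, new_value, new_stamp):
    """Return the (value, stamp) kept locally after a replicated update arrives."""
    if winning_stamp(local_stamp, new_stamp) is new_stamp:
        return new_value, new_stamp
    return local_value, local_stamp

def resolve_name_conflict(rdn, objects):
    """objects: {objectGUID: create Stamp} for objects created with the same RDN in
    the same container on different DCs. The later timestamp keeps the RDN (GUID
    breaks a tie); the others are renamed. 'CNF:<objectGUID>' is a simplified
    form of the marker Active Directory appends to the renamed object."""
    keeper = max(objects, key=lambda g: (objects[g].timestamp, objects[g].orig_dsa_guid))
    return {g: (rdn if g == keeper else f"{rdn} CNF:{g}") for g in objects}

def place_new_object(parent_dn, live_containers, lost_and_found_dn):
    """Move under deleted parent: a replicated object whose parent container was
    deleted elsewhere goes to the LostAndFound container instead of being dropped."""
    return parent_dn if parent_dn in live_containers else lost_and_found_dn

# Constructed scenario: DC1 and DC2 change the same user's telephone number at the
# same instant with the same version; timestamps and GUID labels are made up.
def demo():
    dc1 = Stamp(2, "2004-08-19 10:23:42", "DC1-GUID")
    dc2 = Stamp(2, "2004-08-19 10:23:42", "DC2-GUID")
    return apply_replicated_attribute("555-0100", dc1, "555-0200", dc2)
```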
Overview

• Identifying Data to Replicate
  ◦ Identify Domain Controllers
  ◦ Update Sequence Number
  ◦ High-watermark Value
  ◦ Up-to-dateness Vector
  ◦ Propagation Dampening
  ◦ Conflict Resolution

31
• ANY QUESTIONS?

• THANK YOU FOR LISTENING!

32
