
CIS 2154 W2K Active Directory
Chapter 11 - Managing Active Directory and Domain Name Service Replication
 

I.                     Managing and troubleshooting Active Directory replication

Windows 2000 manages the replication process and traffic automatically, and some Windows 2000 administrators may never make a single change to the replication environment within their organization. However, other administrators may find a great need for tweaks and customizations. The only way to know the customization needs of any organization is to become an expert on the concept of AD, and leverage that knowledge to understand the process and requirements of the organization in question.

A.     What is Active Directory replication?

1.      The process of keeping all the data within Active Directory consistent and up to date between all of the organization’s domain controllers and between the domains themselves

2.      All domains within a forest replicate some information between each other.

3.      Windows 2000 servers within a domain replicate data to legacy NT domain controllers in a unique way.

4.      All domains should contain multiple domain controllers for fault tolerance, and all domain controllers within a domain are forced to replicate on a very consistent basis.

5.      Data exchanged in the replication process varies depending on the type of object and the type of replication (i.e., intrasite versus intersite).

B.     Naming contexts

1.      All AD domains consist of two naming contexts, schema and configuration.

a.      The replication of each is performed separately and under different configuration rules.

b.      A complete copy of both contexts for any one particular domain is called a “full replica.”

2.      Replication of naming context

a.      Configuration is replicated to all domain controllers within the forest.

b.      Schema

i.                    All domain controllers within the forest

c.      Domain

i.                    Specific to each domain, to all domain controllers within the domain, and to the Global Catalog servers within the forest

3.      Single-master and multimaster replication

a.      Legacy versions of NT are single-master domains, meaning only one server can host a read/write copy of the domain at any one time. All changes, and all replication, flow through that one server.

b.      New to the NT family with Windows 2000, all domain controllers hold a read/write copy of the domain data and are responsible for ensuring that any changes they receive are replicated to all of the other domain controllers.

i.                    Nice new benefit to Windows 2000

ii.                  Distinct new concern in managing the replication traffic

4.      Store and forward

a.      Ability for a domain controller to receive updates to the directory and then forward those updates to the other servers “near” them on behalf of the server implementing the change

b.      Overcomes a scalability limitation of legacy NT domains, in which replication consumed more bandwidth.

c.      Updates can be sent to multiple servers across a WAN link via a bridgehead server, which takes responsibility for updating the other servers within the remote site.

C.    How domain controllers track changes

1.      Update sequence numbers (USNs)

a.      Each domain controller keeps a counter for each of the naming contexts used to assign a unique number sequence to every change made to the data.

b.      Whenever a write to the AD data is initiated, the USN is updated and the new number is assigned to all the objects within the AD that are added or modified via this change.

c.      Each domain controller maintains its own USN.

2.      High-watermark vector

a.      Used to determine if changes are available to be replicated

b.      Maintained on each domain controller for each naming context

c.      Consists of a two-column table in which each domain controller that has a connection object to this server is listed by its globally unique identifier (GUID) alongside the highest USN seen from that server so far.

3.      Up-to-dateness vector

a.      Sometimes a server has already received its updates from a different server and doesn’t need to replicate, even though the high-watermark vector seems to indicate it does. The up-to-dateness vector allows replication traffic to be reduced when the server has already received an update from another server.

b.      Also a two-column table with one column containing the GUID

c.      Second column contains the USN that tracks the originating updates, and has an entry for every system it knows has made an originating write.

d.      USN entry is the highest USN seen for an originating write from that particular domain controller.

e.      For instance, if a replicated change has an originating USN of 2033 and the up-to-dateness vector shows that the destination computer has already seen a USN of 2033 from the computer that performed the originating write, the change does not have to be replicated.

4.      Making changes to Active Directory

a.      All changes within AD are classified as one of two types: originating update or replicated update.

b.      There are four kinds of AD modifications: addition, change, move, or deletion.

c.      When new items are created by a server they are marked as “originating” in that server’s database and are assigned a version number of 1, as well as a time stamp and the GUID of the originating domain controller.

d.      There are two USNs assigned to every object.

i.                    One tracks where the object was initially created.

ii.                  The other tracks the last change made to the object.

e.      Every time an object is modified, the version number is increased by one, and the USN used to track changes is updated.

f.        Items deleted by the administrator are not actually removed from AD, but rather marked with a special change called a “tombstone.”

i.                    The object and the tombstone are then replicated to all other domain controllers.

ii.                  Using tombstones prevents other domain controllers from recreating the deleted object during the next replication.

iii.                Objects marked with tombstones have to be removed from the domain at a later time to clear space in Active Directory.

iv.                 Garbage collection is used to permanently delete tombstone objects once they are no longer needed. Garbage collection also removes unused log files and defrags the database.

5.      Conflict resolution

a.      When the same object is modified at (roughly) the same time on two separate domain controllers, a conflict will occur during the next replication.

b.      All domain controllers follow the same simple rules when dealing with conflicts, and no exceptions are ever made.

c.      When a domain controller receives a conflict, the version number is checked first, the object with the highest version number is kept, and the other object is discarded.

d.      If the two conflicting objects have the same version number, the time stamps of the object are checked. This is the only occasion that time is used during the replication process, due to the inherent problems of using time in these situations.
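The change-tracking rules in section C (USNs, the high-watermark vector, the up-to-dateness vector, version numbers and conflict resolution) are easiest to see working together. The following model is an added teaching example written for these notes; it is not code from the course or from Windows 2000. Domain controller names stand in for the GUIDs real DCs use, and the object names, USN values and time stamps are constructed. It also applies the originating-DC identifier as a final tie-break, which real AD does but the notes above do not mention.

```python
"""Toy model of Active Directory change tracking: local USNs, the
high-watermark vector, the up-to-dateness vector (propagation dampening),
per-object version numbers and conflict resolution.  Added example; DC
names, object names, USNs and time stamps are constructed."""
from __future__ import annotations
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class DirObject:
    name: str
    value: str
    version: int     # incremented on every originating write
    stamp: int       # time stamp of the last originating write
    orig_dc: str     # DC that made the originating write (a GUID in real AD)
    orig_usn: int    # USN assigned on the originating DC
    local_usn: int   # USN assigned on the DC holding this copy


def wins(a: DirObject, b: DirObject) -> bool:
    """Conflict rule from the notes: higher version wins; equal versions ->
    later time stamp wins.  The last element (originating DC id) is the
    tie-break real AD uses so every DC reaches the same decision."""
    return (a.version, a.stamp, a.orig_dc) > (b.version, b.stamp, b.orig_dc)


class DomainController:
    def __init__(self, name: str):
        self.name = name
        self.usn = 0                              # local USN counter
        self.objects: dict[str, DirObject] = {}
        self.log: list[DirObject] = []            # every write, in local-USN order
        self.high_watermark: dict[str, int] = {}  # partner -> highest partner USN pulled
        self.up_to_dateness: dict[str, int] = {}  # originating DC -> highest orig USN seen

    def originate(self, name: str, value: str, stamp: int) -> DirObject:
        """Originating update: bump the local USN and the object's version."""
        self.usn += 1
        old = self.objects.get(name)
        obj = DirObject(name, value, (old.version + 1) if old else 1,
                        stamp, self.name, self.usn, self.usn)
        self._store(obj)
        return obj

    def _store(self, obj: DirObject) -> None:
        self.objects[obj.name] = obj
        self.log.append(obj)
        self.up_to_dateness[obj.orig_dc] = max(
            self.up_to_dateness.get(obj.orig_dc, 0), obj.orig_usn)

    def pull_from(self, src: DomainController) -> int:
        """Pull everything src wrote since our high-watermark for it.
        Returns the number of changes actually applied locally."""
        applied = 0
        for entry in src.log:
            if entry.local_usn <= self.high_watermark.get(src.name, 0):
                continue
            self.high_watermark[src.name] = entry.local_usn
            # Propagation dampening: skip originating writes we already hold,
            # whichever partner happens to deliver them.
            if self.up_to_dateness.get(entry.orig_dc, 0) >= entry.orig_usn:
                continue
            self.up_to_dateness[entry.orig_dc] = entry.orig_usn
            local = self.objects.get(entry.name)
            if local is not None and not wins(entry, local):
                continue  # conflict: our copy wins, the incoming one is discarded
            self.usn += 1
            self._store(replace(entry, local_usn=self.usn))  # replicated update
            applied += 1
        return applied


def demo() -> dict:
    """Store-and-forward, dampening, then a two-DC conflict on one object."""
    a, b, c = (DomainController(n) for n in ("DC-A", "DC-B", "DC-C"))
    a.originate("cn=alice", "created", stamp=100)
    b.pull_from(a)                      # direct replication A -> B
    forwarded = c.pull_from(b)          # store and forward: C hears about it from B
    dampened = c.pull_from(a)           # A's own copy is now redundant for C
    a.originate("cn=alice", "edited on A", stamp=200)
    b.originate("cn=alice", "edited on B", stamp=201)   # same version, later stamp
    a.pull_from(b); b.pull_from(a); c.pull_from(a)
    return {
        "forwarded": forwarded, "dampened": dampened,
        "values": {dc.name: dc.objects["cn=alice"].value for dc in (a, b, c)},
        "versions": {dc.name: dc.objects["cn=alice"].version for dc in (a, b, c)},
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows C applying one change when it pulls from B and zero when it then pulls from A, because its up-to-dateness vector already records USN 1 from DC-A. In the conflict, both edits carry version 2, so the later time stamp wins and all three DCs converge on "edited on B" without any exception handling.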

D.    Network and Knowledge Consistency Checker (KCC) topology

1.      KCC automatically handles replication traffic within a network.

2.      KCC will generate a virtual replication topology within a site and will run on all domain controllers every 15 minutes.

3.      Bidirectional ring configuration is used for fault tolerance in the replication process within the site.

4.      Ring is constructed so that no domain controller is more than three hops away from any other domain controller in the domain.

5.      A separate bidirectional ring is created for each naming context in the domain.

6.      Once the virtual topology for the AD has been created, the KCC creates Connection objects, which are unidirectional paths along which replication can take place.

a.      Connection objects are automatically added and removed by the KCC as changes are made to the domain.

b.      Users can create their own Connection objects, but those objects will be owned by the user or process that created them, and will not be managed by the KCC.

c.      Management of Connection objects is handled through the Sites and Services snap-in.
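The three-hop property of the intrasite ring in section D can be checked with a small model. This is an added example for these notes, not the KCC's own algorithm: it builds the bidirectional ring, measures hop distances with a breadth-first search, and adds extra connections between the most distant pair until no domain controller is more than three hops from any other. The DC names are constructed.

```python
"""Model of the intrasite replication ring the KCC builds and the extra
connections needed to keep every DC within three hops.  Added example, not
the KCC's algorithm; DC names are constructed."""
from __future__ import annotations
from collections import deque

MAX_HOPS = 3


def ring_topology(dcs: list[str]) -> dict[str, set[str]]:
    """Bidirectional ring: each DC is linked to both ring neighbours."""
    n = len(dcs)
    links: dict[str, set[str]] = {dc: set() for dc in dcs}
    for i, dc in enumerate(dcs):
        if n > 1:
            links[dc].add(dcs[(i + 1) % n])
            links[dc].add(dcs[(i - 1) % n])
    return links


def hop_distances(links: dict[str, set[str]], start: str) -> dict[str, int]:
    """Breadth-first search: number of replication hops from start to each DC."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in links[cur]:
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def max_hops(links: dict[str, set[str]]) -> int:
    """Largest hop count between any two DCs in the topology."""
    return max(d for dc in links for d in hop_distances(links, dc).values())


def optimise(links: dict[str, set[str]], limit: int = MAX_HOPS) -> list[tuple[str, str]]:
    """Add bidirectional connections between the most distant pair until
    every pair is within `limit` hops.  Mutates links; returns the pairs added."""
    added: list[tuple[str, str]] = []
    while True:
        worst = None
        for dc in links:
            for other, d in hop_distances(links, dc).items():
                if d > limit and (worst is None or d > worst[0]):
                    worst = (d, dc, other)
        if worst is None:
            return added
        _, a, b = worst
        links[a].add(b)
        links[b].add(a)
        added.append((a, b))


if __name__ == "__main__":
    site = ring_topology([f"DC0{i}" for i in range(1, 9)])
    print("ring of 8, max hops:", max_hops(site))
    print("added:", optimise(site), "now max hops:", max_hops(site))
```

A ring of six DCs already satisfies the limit (the farthest DC is three hops away); a ring of eight has a four-hop pair, and two extra connections bring it back to three. The notes say the KCC keeps a separate ring per naming context, so the same check would apply to each ring.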

E.     Overview of sites, subnets, links, and replication

1.      Creating new sites

a.      A site (as covered earlier in the class) is a group of computers networked together by a reliable high-speed network (normally 10MB or better).

b.      Sites can contain multiple IP subnets, but any one subnet cannot span multiple sites.

c.      Sites are created with the Active Directory Sites and Services snap-in.

d.      All new sites must have a site link, which connects it to another site in the network.

e.      The DefaultIPSiteLink is created by default when the first site and forest are created.

f.        All site links can be modified through two attributes: cost and replication schedule.

g.      Site link bridges can be used to connect multiple site links together and control the flow of replication within a domain.

2.      Managing intrasite replication

a.      Intrasite replication is assumed to be fast and reliable, which means all replication traffic occurs as often as necessary.

b.      All changes are stored for five minutes before an announcement of the update is made, to allow time for further modifications.

c.      Intrasite replication does not use compression, as the bandwidth is assumed to be less valuable than system resources.

d.      All replication partners issue a pull request to the domain controller advertising an update in order to get the new changes.

e.      Urgent replication

i.                    Some modifications, such as account lockouts, need to occur as fast as possible and can’t wait for the 15-minute replication window. These types of updates are immediately sent to the PDC emulator and then replicated to the other AD servers within the site.

3.      Managing intersite replication

a.      When replication occurs between sites, bandwidth is assumed more valuable than system resources, and all data is sent in a highly compressed format.

b.      Replication protocols (Note: These have been covered in class already.)

i.                    IP/RPC: Fast and efficient; default and should be used when possible

ii.                  SMTP: also IP-based, but sends the information in encrypted e-mail messages, which tolerates less stable network connections

c.      Replication with NT 4.0 backup domain controllers

i.                    PDC emulator, used to simulate the traditional NT domain structure for legacy controllers

ii.                  Can increase the amount of replication latency within the domain

iii.                Does not support the store and forward features of Windows 2000 AD servers and the benefits of using sites

d.      Password changes

i.                    Considered urgent updates and are immediately sent to the PDC emulator

ii.                  Other AD servers obtain the changes during normal replication.

iii.                All authentication attempts are tried by each domain controller against the local information before being passed to the PDC emulator for a second attempt.

e.      Domain controller and Global Catalog (GC) placement

i.                    Global Catalog servers replicate all information about all domains between each other. For this reason their number and placement have to be factored into the domain design.

ii.                  Placing a GC server in a site can cause a substantial amount of replication traffic across the WAN to get to that site.

iii.                Not placing a GC server within the site can cause all client requests for GC services (including logon) to go across the WAN and decrease network responsiveness for the users.

iv.                 Each issue has to be carefully balanced before changes are attempted.

F.     Troubleshooting Active Directory replication

1.      Event logs

a.      As with all other services, replication events are logged to the event log.

b.      Some items are logged regularly and should be considered normal and necessary.

i.                    For example, garbage collection should run every four hours or so.

2.      Monitoring replication

a.      All replication traffic can be monitored using the Windows 2000 Performance Monitor tool, as described in Chapters 5 and 9.

b.      Replication-specific counters are included on all AD servers.

c.      Total replication traffic in and out can be monitored to determine the effect replication traffic is having on the network and especially on any critical WAN links.

II.                   Managing and troubleshooting Domain Name System replication

A.     Windows 2000 DNS features

1.      Traditional DNS infrastructures are configured as single-master models. This means that one server receives all data changes and then replicates those changes out to the rest of the organization.

a.      Central server is called the primary, and all other servers are called secondaries.

b.      Updates traditionally come from the primary, but they can be configured to be retrieved from properly configured secondaries as well.

c.      A server that provides a DNS zone file to another DNS server is called a master.

d.      This type of structure is called a single-master, and is similar in design to that of legacy NT domains.

e.      Fully supported by Windows 2000 domains and services

2.      Active Directory enabled domains allow for multimaster configurations, as all the zone information is stored in the Active Directory rather than the domain object.

a.      Recommended with Windows 2000 AD domains

b.      Supports dynamic DNS better and provides for less network latency

c.      Only supported by Windows 2000 domain controllers

B.     Replication of non-Active Directory-integrated zones

1.      All zones are updated from information stored on the master server to information located on a secondary server. (Remember, secondary servers can be master servers if they are configured correctly.)

2.      Only information that has changed is passed during the replication.

3.      Master servers use serial numbers to track changes in the zone’s records.

4.      Whenever secondary servers are created, a reference is made to the master server that is providing the zone records.

5.      All secondaries request zone master files whenever the service is started, and then at regular intervals after that.

6.      The list of secondary servers permitted to receive updates from a master server (primary or secondary) can be restricted to specific servers or open to anyone.

7.      Master servers can be configured to notify the secondary servers that a new update has occurred, but the replication process still has to be started by the secondary.
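The serial-number, notify, authorized-server and expiry behaviour of standard zone replication described in section B (and the expiry failure mode in section D below) can be exercised with a small model. This is an added example written for these notes, not Windows 2000 DNS code: a master that bumps its SOA serial on every change and refuses transfers to servers not on its list, and a secondary that polls on its refresh interval or on NOTIFY, pulls only when the master's serial is newer, and discards the zone once the expire interval passes without a successful refresh. Host names, addresses, serials and timings are constructed; serial comparison follows RFC 1982 so wrapped 32-bit serials still compare correctly.

```python
"""Model of standard (non-AD-integrated) DNS zone replication driven by SOA
serial numbers.  Added example; names, addresses, serials and timings are
constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


def serial_newer(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: is 32-bit serial a newer than b?"""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > 2**31) or (a > b and a - b < 2**31)


@dataclass
class Master:
    serial: int
    records: dict[str, str]
    allowed_secondaries: set[str] | None = None  # None = open to anyone

    def update(self, name: str, value: str) -> None:
        """Every change to the zone bumps the serial so secondaries can see it."""
        self.records[name] = value
        self.serial = (self.serial + 1) & 0xFFFFFFFF

    def transfer(self, requester_ip: str) -> tuple[int, dict[str, str]]:
        """Zone transfer, restricted to the authorized list when one is set."""
        if self.allowed_secondaries is not None and requester_ip not in self.allowed_secondaries:
            raise PermissionError(f"zone transfer refused for {requester_ip}")
        return self.serial, dict(self.records)

    def notify(self, secondaries: list[Secondary], now: int) -> list[str]:
        """DNS NOTIFY: tell secondaries a change happened; each still does its own pull."""
        return [s.poll(now) for s in secondaries]


@dataclass
class Secondary:
    ip: str
    master: Master
    refresh: int            # seconds between SOA checks
    expire: int             # seconds without a successful refresh before the zone is dropped
    serial: int = 0
    records: dict[str, str] = field(default_factory=dict)
    last_ok: int = 0
    last_check: int | None = None
    reachable: bool = True  # False simulates a network or service outage

    def due(self, now: int) -> bool:
        return self.last_check is None or now - self.last_check >= self.refresh

    def poll(self, now: int) -> str:
        """Compare serials with the master and pull the zone if it is newer."""
        self.last_check = now
        if not self.reachable:
            return self._fail(now, "unreachable")
        if not serial_newer(self.master.serial, self.serial):
            self.last_ok = now
            return "current"
        try:
            self.serial, self.records = self.master.transfer(self.ip)
        except PermissionError:
            return self._fail(now, "refused")
        self.last_ok = now
        return "transferred"

    def _fail(self, now: int, outcome: str) -> str:
        """After `expire` seconds without a good refresh the zone is discarded
        and the server stops answering for it (the failure mode in section D)."""
        if now - self.last_ok >= self.expire:
            self.records.clear()
            self.serial = 0
            return "expired"
        return outcome

    def answer(self, name: str) -> str | None:
        return self.records.get(name)


if __name__ == "__main__":
    m = Master(2001110501, {"www.example.com": "10.0.0.10"}, {"10.0.0.2"})
    s = Secondary("10.0.0.2", m, refresh=900, expire=86400)
    print(s.poll(0), s.poll(900))            # transferred, current
    m.update("www.example.com", "10.0.0.11")
    print(m.notify([s], now=1000))           # ['transferred']
```

The secondary with an address missing from the master's list is refused and, like one that cannot reach the master at all, keeps serving its old copy until the expire interval elapses, after which it answers nothing for the zone; that silent period is why the notes warn that failed secondaries are hard to spot.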

C.    Replication of Active Directory-integrated zones

1.      Replication actually occurs with normal Active Directory replication.

2.      Can be configured to also support secondary servers, which are not Active Directory-enabled

D.    Troubleshooting Domain Name System replication

1.      Failure of replication within an Active Directory-enabled zone is typically overshadowed by the replication failure of the domain information itself. When the domain replication is repaired, the DNS replication will restore itself as well.

2.      Failure of standard secondary DNS servers can be harder to spot until services are failing to respond and client queries are not answered.

a.      Troubleshooting can also be hampered by the fact that most domains have secondary servers which may mask the failure of the first DNS server.

b.      Failure is normally identified when all records expire and are removed from the domain, causing the server to not respond to any internal domain name queries.

c.      When replication failure is identified, ensure that network connectivity exists between the secondary and the master.

i.                    Make sure the DNS service is started on both servers

ii.                  Make sure the master server includes the IP address of all the needed secondary servers in its list of authorized servers

iii.                Make sure the IP address for the master server is correct

d.      Use the NSLookup command (demonstrated earlier in class) to troubleshoot the resolution issue and ensure all servers have the same information.
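Step d above compares what each server knows about the zone. The following helper is an added example for these notes, not a course tool: it parses the SOA fields out of nslookup-style output captured from several servers and reports which secondaries are behind the master, ahead of it (a sign the wrong master address is configured), or not answering. The sample output is constructed in the style of `nslookup -type=SOA example.com <server>` and is not a real capture; the server addresses and serials are invented.

```python
"""Compare SOA serials across DNS servers from captured nslookup output.
Added example; the output below is constructed, not a real capture."""
from __future__ import annotations
import re

# Constructed sample output, one entry per server queried.
SAMPLE_OUTPUT = {
    "10.0.0.1": """Server:  dns1.example.com
Address:  10.0.0.1

example.com
        primary name server = dns1.example.com
        responsible mail addr = hostmaster.example.com
        serial  = 2001110502
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
""",
    "10.0.0.2": """Server:  dns2.example.com
Address:  10.0.0.2

example.com
        primary name server = dns1.example.com
        responsible mail addr = hostmaster.example.com
        serial  = 2001110501
        refresh = 900 (15 mins)
        retry   = 600 (10 mins)
        expire  = 86400 (1 day)
        default TTL = 3600 (1 hour)
""",
    "10.0.0.3": """Server:  dns3.example.com
Address:  10.0.0.3

*** dns3.example.com can't find example.com: Server failed
""",
}

SOA_FIELD = re.compile(r"^\s*(serial|refresh|retry|expire)\s*=\s*(\d+)", re.MULTILINE)


def parse_soa(output: str) -> dict[str, int] | None:
    """Return the numeric SOA fields, or None if the server gave no SOA answer."""
    fields = {k: int(v) for k, v in SOA_FIELD.findall(output)}
    return fields if "serial" in fields else None


def compare_servers(master_ip: str, outputs: dict[str, str]) -> dict[str, str]:
    """Report each secondary's state relative to the master's serial.
    Plain integer comparison; serials that have wrapped need RFC 1982 arithmetic."""
    master = parse_soa(outputs[master_ip])
    if master is None:
        raise ValueError("master did not return an SOA record; check its service first")
    report: dict[str, str] = {}
    for ip, out in outputs.items():
        if ip == master_ip:
            continue
        soa = parse_soa(out)
        if soa is None:
            report[ip] = "no answer (service stopped or zone expired?)"
        elif soa["serial"] == master["serial"]:
            report[ip] = "in sync"
        elif soa["serial"] < master["serial"]:
            report[ip] = f"behind by {master['serial'] - soa['serial']} serial(s)"
        else:
            report[ip] = "ahead of master (wrong master address configured?)"
    return report


if __name__ == "__main__":
    for ip, state in compare_servers("10.0.0.1", SAMPLE_OUTPUT).items():
        print(ip, state)
```

A secondary reported as behind by one serial right after a change is normal until its refresh interval or a NOTIFY triggers the pull; one that stays behind, or one that returns no answer, is where the connectivity, service and authorized-server checks above apply.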
