Active Directory Replication Part 2 - Paige Verwolf, Support Professional, Microsoft Corporation (PowerPoint PPT presentation transcript)

1
Active Directory Replication (Part 2)
Paige Verwolf
Support Professional
Microsoft Corporation
2
Directory Replication Framework
  • Domain Controller Identification
  • Domain Controller Computer Account
  • NTDS Settings Server Object
  • Server GUID
  • Database GUID
  • Record Registration in DNS
  • Update Sequence Number (USN)

3
Domain Controller Identification
Diagram: daffy-duck.Replmon.com runs Dcpromo.exe; objects are created in Ntds.dit and records are registered in DNS for Replmon.com.
4
Domain Controller Identification (2)
  • NTDS Settings Server Object
      • Linked to Computer Account Object (CAO)
      • Reanimated if deleted elsewhere and replicated to
        local domain controller
      • Does not allow administrator to delete object on
        local computer
  • Server GUID
      • Used to identify replication partners
      • Name resolution very important for replication
      • Each DC registers a CNAME record in DNS (used to
        locate the DC)
      • Example: 00000000-0000-0000-000000000000 (alias
        for DC2.Microsoft.com)
  • Database GUID
      • Used by DCs to identify other DCs in replication
        requests
      • Used to store vector information of changes from
        other DCs
      • Initially, server GUID and database GUID are
        identical
      • If DC is restored from backup, the database GUID
        is changed

5
Domain Controller Identification (3)
  • Records register with DNS after Netlogon is
    started.
  • Windows 2000 domain controllers can register one
    or more DNS records.
  • Service location (SRV) records are used to
    identify an available service on a host. These
    records have an _ldap prefix.
  • <DnsDomainName> refers to the DNS domain name
    used during promotion of the server when the
    domain tree is joined or created. It refers to
    the DNS domain name of the root domain.
  • You can identify the correct DNS entries that
    should exist for a Windows 2000 installation by
    viewing the Netlogon.dns text file. This file is
    located in the %SystemRoot%\System32\Config
    folder.

6
Update Sequence Number (USN)
  • 64-bit DWORD
  • DC local meaning
  • Assigned to new object update transaction
      • If transaction is stopped, the USN is not
        assigned to any object
  • Each object carries two USNs
      • usnCreated, usnChanged
  • Each property carries two USNs
  • Indexed property in the database
  • Independent from system time
      • System clocks do not matter, even if they are
        changed

7
Object Creation
Add new user on DC1: USN 4710 -> 4711
Object usnCreated 4711, usnChanged 4711

Property   USN    Timest.   Value   Version   Org USN   Org. DB GUID
P1         4711   TS        Value   1         4711      DC1 DB GUID
P2         4711   TS        Value   1         4711      DC1 DB GUID
P3         4711   TS        Value   1         4711      DC1 DB GUID
P4         4711   TS        Value   1         4711      DC1 DB GUID
8
Object Replicated
User replicated from DC1 (USN 4711) to DC2: DC2 USN 1745 -> 1746
Object usnCreated 1746, usnChanged 1746

Property   USN    Timest.   Value   Version   Org USN   Org. DB GUID
P1         1746   TS        Value   1         4711      DC1 DB GUID
P2         1746   TS        Value   1         4711      DC1 DB GUID
P3         1746   TS        Value   1         4711      DC1 DB GUID
P4         1746   TS        Value   1         4711      DC1 DB GUID
9
Object Modification
User password change on DC2: USN 2001 -> 2002
Object usnCreated 1746, usnChanged 2002

Property   USN    Timest.   Value   Version   Org USN   Org. DB GUID
P1         1746   TS        Value   1         4711      DC1 DB GUID
P2         2002   TS        Value   2         2002      DC2 DB GUID
P3         1746   TS        Value   1         4711      DC1 DB GUID
P4         1746   TS        Value   1         4711      DC1 DB GUID
10
Change Replicated
Modified address replicated from DC2 (USN 2002) to DC1: DC1 USN 5039 -> 5040
Object usnCreated 4711, usnChanged 5040

Property   USN    Timest.   Value   Version   Org USN   Org. DB GUID
P1         4711   TS        Value   1         4711      DC1 DB GUID
P2         5040   TS        Value   2         2002      DC2 DB GUID
P3         4711   TS        Value   1         4711      DC1 DB GUID
P4         4711   TS        Value   1         4711      DC1 DB GUID
11
High-Watermark Vector
  • Table on each domain controller
  • Replication partners
  • Highest known USN
  • Used to detect recent changes on replication
    partners

12
High-Watermark Vector (DC4)
Diagram: DC1 USN 4711, DC2 USN 2052, DC3 USN 1217, DC4 USN 3388

DC4's High-Watermark Vector
DSA GUID   Highest known USN
DC1 GUID   4711
DC3 GUID   1217

  • This example assumes that DC1 and DC3 are DC4's
    replication partners
13
Up-to-Dateness Vector
  • Up-to-dateness related to a specific naming
    context
  • List of pairs
  • Originating-DC-GUID (database GUID)
  • Highest-Originating-USN
  • Only DCs whose originating updates have been
    received (even through replication) appear in
    the vector

14
Up-to-Dateness Vector (2)
Diagram: DC1 USN 4711, DC2 USN 2052, DC3 USN 1217, DC4 USN 3388

DC4's Up-to-Dateness Vector
DSA GUID   Highest originating USN
DC1 GUID   4711
DC2 GUID   2050

  • This example assumes that only DC1 and DC2 (and
    possibly DC4) performed originating write
    operations
15
Information Sent toPrepare for Replication
  • Naming context for which changes are requested
  • Maximum number of object update entries requested
  • Maximum number of values requested
  • High-USN-Changed value of naming context of
    replication partner
  • Complete Up-to-Dateness Vector
      • Used for propagation dampening

16
Replication (DC4)
  • Step 1: User added to DC2
  • No changes for DC4

Diagram: DC1 USN 4711, DC2 USN 2052 -> 2053, DC3 USN 1217, DC4 USN 3388

DC4 Up-to-Dateness Vector
DSA GUID   Highest originating USN
DC1 GUID   4711
DC2 GUID   2050

DC4 High-Watermark Vector
DSA GUID   Highest known USN
DC1 GUID   4711
DC3 GUID   1217
17
Replication (DC4) (2)
  • Step 2: User replicated to DC1
  • No changes for DC4
  • NOTE: Write originated on DC2

Diagram: DC1 USN 4711 -> 4712, DC2 USN 2053, DC3 USN 1217, DC4 USN 3388

DC4 Up-to-Dateness Vector
DSA GUID   Highest originating USN
DC1 GUID   4711
DC2 GUID   2050

DC4 High-Watermark Vector
DSA GUID   Highest known USN
DC1 GUID   4711
DC3 GUID   1217
18
Replication (DC4) (3)
  • Step 3: DC4 initiates replication with DC1
  • Sends NC, highest known USN of DC1 for this NC,
    number of objects, number of values,
    Up-to-Dateness Vector

Diagram: DC1 USN 4712, DC2 USN 2053, DC3 USN 1217, DC4 USN 3388
Request DC4 -> DC1: NC, 4711, 100, 100, vector

DC4 Up-to-Dateness Vector
DSA GUID   Highest originating USN
DC1 GUID   4711
DC2 GUID   2050

DC4 High-Watermark Vector
DSA GUID   Highest known USN
DC1 GUID   4711
DC3 GUID   1217
19
Replication (DC4) (4)
  • Step 4: DC1 replicates new user to DC4
  • Sends data, last-object-changed USN, state data
  • DC4 uses this data to improve its up-to-dateness

Diagram: DC1 USN 4712, DC2 USN 2053, DC3 USN 1217, DC4 USN 3388 -> 3389
Reply DC1 -> DC4: Data, 4712, vector

DC4 Up-to-Dateness Vector
DSA GUID   Highest originating USN
DC1 GUID   4711
DC2 GUID   2053

DC4 High-Watermark Vector
DSA GUID   Highest known USN
DC1 GUID   4712
DC3 GUID   1217
20
Replication (DC4) (5)
  • Step 5: DC2 replicates new user to DC3
  • No changes for DC4

Diagram: DC1 USN 4712, DC2 USN 2053, DC3 USN 1217 -> 1218, DC4 USN 3389

DC4 Up-to-Dateness Vector
DSA GUID   Highest originating USN
DC1 GUID   4711
DC2 GUID   2053

DC4 High-Watermark Vector
DSA GUID   Highest known USN
DC1 GUID   4712
DC3 GUID   1217
21
Replication (DC4) (6)
  • Step 6: DC4 initiates replication with DC3
  • Sends NC, highest known USN of DC3 for this NC,
    number of objects, number of values,
    Up-to-Dateness Vector

Diagram: DC1 USN 4712, DC2 USN 2053, DC3 USN 1218, DC4 USN 3389

DC4 Up-to-Dateness Vector
DSA GUID   Highest originating USN
DC1 GUID   4711
DC2 GUID   2053

DC4 High-Watermark Vector
DSA GUID   Highest known USN
DC1 GUID   4712
DC3 GUID   1217
22
Replication (DC4) (7)
  • Step 7: DC3 replication reply
  • Determines that DC4 is already up to date
  • Sends last-object-changed USN and Up-to-Dateness
    Vector, but no data

Diagram: DC1 USN 4712, DC2 USN 2053, DC3 USN 1218, DC4 USN 3389
Reply DC3 -> DC4: 1218, vector

DC4 Up-to-Dateness Vector
DSA GUID   Highest originating USN
DC1 GUID   4711
DC2 GUID   2053

DC4 High-Watermark Vector
DSA GUID   Highest known USN
DC1 GUID   4712
DC3 GUID   1218
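The seven steps above, replayed as an added Python model that is not part of the original slides: each DC keeps a local USN counter, a high-watermark vector and an up-to-dateness vector; the requester sends its highest known USN for the source together with its vector, and the source withholds any change whose originating write the requester's vector already covers (propagation dampening). DC names stand in for the DSA/database GUIDs; the USN values are the slides' own.

```python
class DC:
    def __init__(self, name, usn):
        self.name = name      # stands in for the DSA / database GUID
        self.usn = usn        # highest USN assigned locally so far
        self.changes = []     # (local_usn, orig_dsa, orig_usn, obj)
        self.hwm = {}         # high-watermark: partner -> highest local USN seen there
        self.utdv = {}        # up-to-dateness: originating DSA -> highest originating USN

    def originating_write(self, obj):
        self.usn += 1                               # the new transaction takes the next USN
        self.changes.append((self.usn, self.name, self.usn, obj))
        self.utdv[self.name] = self.usn
        return self.usn

    def apply_inbound(self, orig_dsa, orig_usn, obj):
        # a replicated change gets a fresh local USN but keeps its originating stamp
        self.usn += 1
        self.changes.append((self.usn, orig_dsa, orig_usn, obj))
        self.utdv[orig_dsa] = max(self.utdv.get(orig_dsa, 0), orig_usn)

    def reply(self, known_usn, dest_utdv):
        # source side: changes above the requester's high-watermark, dampened by its UTDV
        data = []
        for local_usn, orig_dsa, orig_usn, obj in self.changes:
            if local_usn <= known_usn:
                continue                            # requester already pulled this one
            if dest_utdv.get(orig_dsa, 0) >= orig_usn:
                continue                            # propagation dampening: already has it
            data.append((orig_dsa, orig_usn, obj))
        return data, self.usn                       # last-object-changed USN rides along

    def request_changes(self, source):
        # requester side (steps 3 and 6): highest known USN for the source plus our UTDV
        data, last_usn = source.reply(self.hwm.get(source.name, 0), self.utdv)
        for orig_dsa, orig_usn, obj in data:
            self.apply_inbound(orig_dsa, orig_usn, obj)
        self.hwm[source.name] = last_usn            # advance the high-watermark entry
        for dsa, u in source.utdv.items():          # merge the source's UTDV (step 4)
            self.utdv[dsa] = max(self.utdv.get(dsa, 0), u)
        return data

def run_scenario():
    dc1, dc2, dc3, dc4 = DC("DC1", 4711), DC("DC2", 2052), DC("DC3", 1217), DC("DC4", 3388)
    dc4.hwm, dc4.utdv = {"DC1": 4711, "DC3": 1217}, {"DC1": 4711, "DC2": 2050}  # slides 12, 14
    new_usn = dc2.originating_write("user")         # step 1: DC2 USN 2052 -> 2053
    dc1.apply_inbound("DC2", new_usn, "user")       # step 2: DC1 USN 4711 -> 4712
    first = dc4.request_changes(dc1)                # steps 3-4: DC4 USN 3388 -> 3389
    dc3.apply_inbound("DC2", new_usn, "user")       # step 5: DC3 USN 1217 -> 1218
    second = dc4.request_changes(dc3)               # steps 6-7: dampened, no data
    return dc4, len(first), len(second)
```

After the run, DC4's vectors match slide 22: high-watermark DC1 4712 / DC3 1218 and up-to-dateness DC1 4711 / DC2 2053, with the second pull returning no objects.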
23
Urgent Replication
  • Initiated by Security Accounts Manager (SAM) or
    Local Security Authority (LSA), not by LDAP
    writes, for:
      • Changing the account lockout policy
      • Changing the domain password policy
      • Replicating a newly locked out account
      • Changing an LSA secret (trust account)
      • Change in RID master role owner
  • These trigger an immediate replication cycle
    within the site
  • Uses notification

24
Conflict Resolution
  • Conflict resolution
      • Resolution: higher version number -> higher
        timestamp -> higher GUID of originating write DSA

25
Conflict Resolution (2)
  • Attribute Value Conflict
      • For example, user changes password on DC1,
        administrator changes user's password on DC2
      • Resolution: higher version number -> higher
        timestamp -> higher GUID of originating write DSA
  • Move Under Deleted Parent
      • For example, administrator creates user in OU1 on
        DC1, second administrator deletes OU1 on DC2
      • Resolution: OU1 is deleted, user moved to
        LostAndFound container

26
Conflict Resolution (3)
  • Object Creation Name Conflict
      • For example, two administrators create two user
        objects with identical RDNs on two domain
        controllers at the same time
      • Resolution: one object (identified by its GUID)
        receives a system-wide unique value on the
        conflicting attribute (here the RDN)
      • Resolution: higher version number -> higher
        timestamp -> higher GUID of originating write DSA

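An added Python example, not from the slides, that ties the per-attribute metadata of slides 7-10 to the attribute-value conflict of slide 25: each attribute carries its local USN, version, timestamp, originating USN and originating DSA GUID, and a replicated value only overwrites the local one when its (version, timestamp, originating DSA GUID) stamp is higher. DC names stand in for database GUIDs and the timestamps are constructed integers.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class AttrMeta:
    # one row of the per-attribute table (slides 7-10)
    value: str
    local_usn: int    # USN on this DC; reassigned on every replica
    version: int      # bumped by each originating write
    timestamp: int    # originating write time (constructed integer)
    orig_usn: int     # USN the originating DC assigned
    orig_dsa: str     # originating DC's database GUID (DC name as stand-in)

    def stamp(self):
        # slide 24: higher version -> higher timestamp -> higher originating DSA GUID
        return (self.version, self.timestamp, self.orig_dsa)

class Replica:
    def __init__(self, name, usn):
        self.name, self.usn, self.attrs = name, usn, {}

    def originating_write(self, prop, value, timestamp):
        self.usn += 1                                  # new transaction takes the next USN
        old = self.attrs.get(prop)
        self.attrs[prop] = AttrMeta(value, self.usn, old.version + 1 if old else 1,
                                    timestamp, self.usn, self.name)
        return self.attrs[prop]

    def replicate_in(self, prop, incoming):
        # apply a partner's attribute only if its stamp wins; the local USN is reassigned
        current = self.attrs.get(prop)
        if current and current.stamp() >= incoming.stamp():
            return False                               # local write wins or is the same write
        self.usn += 1
        self.attrs[prop] = replace(incoming, local_usn=self.usn)
        return True

def run_scenario():
    dc1, dc2 = Replica("DC1", 4710), Replica("DC2", 1745)
    p2 = dc1.originating_write("P2", "initial", timestamp=100)   # slide 7: DC1 USN 4711
    dc2.replicate_in("P2", p2)                                    # slide 8: DC2 USN 1746
    # slide 25: user changes the password on DC1 while an admin changes it on DC2;
    # both writes are version 2, so the higher timestamp decides
    a = dc1.originating_write("P2", "user-set", timestamp=200)    # DC1 USN 4712
    b = dc2.originating_write("P2", "admin-set", timestamp=201)   # DC2 USN 1747
    dc1.replicate_in("P2", b)          # DC2's later write wins on DC1 (USN 4713)
    dc2.replicate_in("P2", a)          # DC2 keeps its own write
    return dc1, dc2
```

Both replicas converge on the same value while keeping different local USNs, which is exactly the split between the USN and Org USN columns on slides 9 and 10.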