Active Directory Replication

IT administrators have been working with and around Active Directory since the introduction of the technology in Windows 2000 Server. Windows 2000 Server was released on February 17, 2000 but many administrators began working with Active Directory in late 1999 when it was released to manufacturing (RTM) on December 15, 1999.

In this part of our tutorial we'll cover AD replication.

Active Directory Replication

Active Directory replication is the method of transferring and updating Active Directory objects from one DC to another DC.

The connections between DCs are built based on their locations within a forest and site. Each site in Active Directory contains one or more subnets, which identify the range of IP addresses associated with the site. By mapping the IP address of a DC to a subnet, Active Directory knows which DCs are in which site. Connections are configured between sites to ensure that Active Directory objects are replicated between sites.
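The subnet-to-site mapping described above, as an added example that is not part of the original tutorial. The subnets, site names, DC names and addresses are constructed sample data, and the helper functions are hypothetical. When several subnet objects cover the same address, the most specific one (longest prefix) decides the site.

```powershell
# Constructed sample data (not from a real forest): subnet objects and DC addresses.
$subnetMap = @(
    [pscustomobject]@{ Cidr = '10.1.0.0/16';  Site = 'HQ' }
    [pscustomobject]@{ Cidr = '10.1.50.0/24'; Site = 'Branch' }
    [pscustomobject]@{ Cidr = '10.2.0.0/16';  Site = 'DR' }
)
$domainControllers = @(
    [pscustomobject]@{ Name = 'DC1'; IP = '10.1.4.10' }     # only the /16 matches
    [pscustomobject]@{ Name = 'DC2'; IP = '10.1.50.10' }    # /16 and /24 match, /24 wins
    [pscustomobject]@{ Name = 'DC3'; IP = '192.168.7.10' }  # no subnet object covers it
)

# Hypothetical helper: dotted IPv4 string -> 32-bit value held in a long.
function ConvertTo-IPv4Number ([string]$Address) {
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

# Hypothetical helper: return the site of the most specific subnet containing the address.
function Resolve-SiteForAddress ([string]$Address, [object[]]$Subnets) {
    $ip = ConvertTo-IPv4Number $Address
    $best = $null
    $bestLength = -1
    foreach ($subnet in $Subnets) {
        $network, $prefix = $subnet.Cidr -split '/'
        $prefixLength = [int]$prefix
        $blockSize = [long][math]::Pow(2, 32 - $prefixLength)
        $net = ConvertTo-IPv4Number $network
        # Same subnet when both addresses round down to the same block start.
        $inSubnet = ($ip - ($ip % $blockSize)) -eq ($net - ($net % $blockSize))
        if ($inSubnet -and $prefixLength -gt $bestLength) {
            $best = $subnet
            $bestLength = $prefixLength
        }
    }
    if ($best) { $best.Site } else { $null }
}

$placement = foreach ($dc in $domainControllers) {
    $site = Resolve-SiteForAddress $dc.IP $subnetMap
    [pscustomobject]@{
        DC   = $dc.Name
        IP   = $dc.IP
        Site = if ($site) { $site } else { '(no matching subnet)' }
    }
}
$placement | Format-Table -AutoSize
```

An address that matches no subnet object, like DC3 here, is the case worth checking for in a real forest, where Get-ADReplicationSubnet returns the actual subnet objects.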


Active Directory replication relies on the following technologies to operate successfully:

  1. DNS
  2. Remote procedure call (RPC)
  3. SMTP (optional)
  4. Kerberos
  5. LDAP

Main components

There are four main components of replication in Active Directory:

  • Multimaster replication

Multimaster replication, compared to single-master replication as used in Windows NT 4.0, ensures that each domain controller can receive updates for objects for which it is authoritative. This provides fault tolerance within an Active Directory environment.

  • Pull replication

Pull replication ensures that DCs request object changes instead of changes being pushed (especially unnecessarily). Pulling slightly reduces replication traffic between DCs.

  • Store-and-forward replication

Store-and-forward replication ensures that every DC communicates with a subset of DCs to transfer the object changes that have occurred. Without store-and-forward, every DC would communicate with every other DC, which is inefficient. Store-and-forward replication balances the replication load among the DCs within an Active Directory environment.

  • State-based replication

State-based replication ensures that each DC tracks the state of replication updates, which eliminates conflicts and unnecessary replication.

Replication management

Replication is managed by the Knowledge Consistency Checker (KCC).

The KCC manages replication between DCs in a single site by using automatically created connections. The KCC reads configuration data and reads and writes connection objects for DCs. The KCC only uses RPC to communicate with the directory service.

Intrasite replication does not use compression and changes are sent to DCs immediately. However, intersite replication relies on user-defined links that must be created. The KCC uses these links to create a topology so that replication is managed across the site-to-site links.

Site connections can be controlled on a schedule, and the replication data is compressed to minimize bandwidth usage. The default replication schedule for site-to-site connections is 180 minutes, which is usually way too long for the vast majority of organizations. This can be configured to as low as 15 minutes in the GUI, and even faster by modifying the registry.
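One way to review the intersite interval discussed above with the ActiveDirectory module (an added example, not part of the original tutorial). The 15-minute target in $TargetMinutes is an assumption taken from the GUI minimum mentioned in the text, and the change is only previewed with -WhatIf.

```powershell
Import-Module ActiveDirectory

# Assumption: desired interval in minutes (15 is the GUI minimum mentioned above).
$TargetMinutes = 15

$siteLinks = Get-ADReplicationSiteLink -Filter *

# Report every site link with its member sites, cost and replication interval.
$report = foreach ($link in $siteLinks) {
    [pscustomobject]@{
        SiteLink        = $link.Name
        # SitesIncluded holds site DNs; keep only the leading CN value.
        Sites           = ($link.SitesIncluded |
                              ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
        Cost            = $link.Cost
        IntervalMinutes = $link.ReplicationFrequencyInMinutes
        AtDefault       = ($link.ReplicationFrequencyInMinutes -eq 180)
    }
}
$report | Sort-Object IntervalMinutes -Descending | Format-Table -AutoSize

# Preview lowering every slower link to the target; remove -WhatIf to apply.
$siteLinks |
    Where-Object ReplicationFrequencyInMinutes -gt $TargetMinutes |
    Set-ADReplicationSiteLink -ReplicationFrequencyInMinutes $TargetMinutes -WhatIf
```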

A replication packet size is calculated based on the amount of RAM in the DC. By default, the packet size limits are 1/100th the size of RAM, with a minimum of 1 MB and a maximum of 10 MB. Additionally, the maximum number of objects in a packet is 1/1,000,000th the size of the system RAM, with a minimum of 100 objects, and a maximum of 1,000 objects. Therefore, in modern servers that have more than 1 GB of RAM, replication packet sizes will either contain up to 10 MB of data or up to 1,000 objects. The maximum packet size and object limit can be configured by modifying the registry in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters location.

Primary replication components

The following are the primary replication components:

  • Knowledge Consistency Checker (KCC)

The KCC is a process that runs on each DC and communicates directly with Ntdsa.dll to read and write replication objects.

  • Directory System Agent (DSA)

The DSA is a directory service component that runs as Ntdsa.dll on each DC. It provides an interface for services and processes to read the directory database.

  • Extensible Storage Engine (ESE)

The ESE manages directory database records, which may contain one or more columns.

  • Remote Procedure Call (RPC)

Directory replication is communicated by using the RPC protocol. RPC is a communication protocol that allows developers to execute code on a local or remote system without having to develop specific code for remote execution. The KCC also uses RPC to communicate with DCs to request information when building a replication topology.

  • Intersite Topology Generator (ISTG)

The ISTG manages the intersite inbound replication connection objects for a specific site. There is one ISTG server in each site. By default, the first DC in each site is the ISTG. To find the ISTG in a site named HQ in a domain named tailspintoys.com, you can run the following Windows PowerShell command:

Get-ADObject -Identity "cn=NTDS Site Settings,cn=HQ,cn=sites,cn=configuration,dc=tailspintoys,dc=com" -Properties interSiteTopologyGenerator | Select interSiteTopologyGenerator

The Active Directory objects that are used by the KCC and its components include:

  • Sites

Sites are Active Directory objects in the site class, which correspond to the subnets in a given site.

  • Subnets

Subnet objects are in the subnet class, and define the network IP subnet that corresponds to a site.

  • Servers

A server object, in the server class, represents server computers, including DCs. Server objects are treated as security principals which are stored in a separate directory partition and have separate globally unique identifiers (GUIDs).

  • NTDS Settings

NTDS Setting objects are in the nTDSDSA class, and represent an instance of Active Directory on a specific DC.

  • Connections

Connection objects are in the nTDSConnection class, and define a one-way, inbound route from a source DC to the DC that is storing the connection object.

  • Site Links

Site Link objects are in the siteLink class, and identify the protocol and schedule to replicate data between two or more sites.

  • NTDS Site Settings

NTDS Site Setting objects are in the nTDSSiteSettings class, and identify site-wide settings for Active Directory. There is only one NTDS Site Settings object per site in the Sites container.

  • Cross-reference

Cross-reference objects are in the crossRef class, and store the location of Active Directory partitions in the Partitions container.

The diagram below shows a typical two-site Active Directory environment with some of the replication components.

Replication commands and tools

Beginning with Windows PowerShell in Windows Server 2012, there are 25 cmdlets to specifically manage Active Directory replication. These cmdlets offer functionality such as viewing replication information, configuring sites, managing site links, and forcing replication to occur.

The RepAdmin.exe command line tool is also available to provide information and configure Active Directory replication.

Another replication tool is the Active Directory Replication Status Tool. It is available at http://www.microsoft.com/en-us/download/details.aspx?id=30005. You can use it to analyze and troubleshoot Active Directory replication issues.
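A replication health check built on the replication cmdlets mentioned above (an added example, not part of the original tutorial). The $MaxAgeMinutes threshold and the Get-ServerNameFromDsaDn helper are assumptions made for illustration.

```powershell
Import-Module ActiveDirectory

# Assumption: treat an inbound link as stale when its last success is older than this.
$MaxAgeMinutes = 180
$domain = (Get-ADDomain).DNSRoot
$cutoff = (Get-Date).AddMinutes(-$MaxAgeMinutes)

# Hypothetical helper: "CN=NTDS Settings,CN=DC2,CN=Servers,..." -> "DC2"
function Get-ServerNameFromDsaDn ([string]$Dn) {
    if ($Dn -match '^CN=NTDS Settings,CN=([^,]+),') { $Matches[1] } else { $Dn }
}

# One row per (DC, inbound partner, partition) for every DC in the domain.
$links = Get-ADReplicationPartnerMetadata -Target $domain -Scope Domain -Partition * -PartnerType Inbound |
    ForEach-Object {
        [pscustomobject]@{
            Server      = $_.Server
            Partner     = Get-ServerNameFromDsaDn $_.Partner
            Partition   = $_.Partition
            LastSuccess = $_.LastReplicationSuccess
            LastResult  = $_.LastReplicationResult
            Failures    = $_.ConsecutiveReplicationFailures
            Stale       = ($_.LastReplicationSuccess -lt $cutoff)
        }
    }

# Links that are stale, returned a non-zero result code, or are failing repeatedly.
$links |
    Where-Object { $_.Stale -or $_.LastResult -ne 0 -or $_.Failures -gt 0 } |
    Sort-Object LastSuccess |
    Format-Table -AutoSize

# Failures the DCs themselves have recorded, with first-seen time and last error code.
Get-ADReplicationFailure -Target $domain -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
```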

You will find more information about Active Directory basics in our AD tutorial for beginners.

Expert in Microsoft infrastructure and cloud-based solutions built around Windows, Active Directory, Azure, Microsoft Exchange, System Center, virtualization, and MDOP. In addition to authoring books, Brian writes training content, white papers, and is a technical reviewer on a large number of books and publications.