In the last blog post we described how to deploy additional domain controllers in a domain. Additional domain controllers bring several benefits, such as spreading user access to Active Directory across more servers and avoiding a domain outage caused by the corruption of a single domain controller. As we saw in that post, every domain controller in the domain holds an Active Directory database with the same content, and that content is dynamic: a change made on any one domain controller is replicated to all the others.
Today we consider which domain controller's Active Directory content should prevail when there are multiple domain controllers in the domain but their contents differ. Some readers may wonder how this can happen. Suppose a domain controller is offline for a few days because of a hardware replacement, and the other domain controllers modify Active Directory during that time; when the offline domain controller comes back online, this is exactly the situation that arises.
When domain controllers find that the contents of their Active Directory databases are inconsistent, they need to work out the priority of each copy to decide which domain controller's content prevails. Three factors are considered, in this order:
1 Version number
2 Timestamp
3 GUID
The version number is the number of times an attribute of an Active Directory object has been modified, and the higher version number wins. For example, take the administrator password on two domain controllers, A and B. On A the password was modified 4 times, the last change setting it to 12345; on B it was modified 5 times, the last change setting it to 123456. When A and B discover that the administrator password in their Active Directory databases differs, they compare version numbers, find 4 against 5, and A copies B's value into its local Active Directory. After such a round of replication the Active Directory content of A and B is back in balance, and the version numbers of the objects in their databases are identical again.
If the administrator password had been modified 4 times on both A and B, the version numbers would be equal. In that case the two domain controllers compare the time factor: whichever domain controller completed its modification later takes priority. This is one reason time is such an important factor in Active Directory: the clock difference between computers in the domain must not exceed 5 minutes (the default Kerberos clock skew tolerance), and Active Directory also has a tombstone lifetime, which we will elaborate on later.
If both the version number and the timestamp are identical on A and B, the GUIDs of the two domain controllers are compared, which yields an effectively arbitrary result. An exactly identical timestamp is very rare in practice, so the GUID factor is only a last resort.
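To make the three-factor rule concrete, here is a small model of the comparison, added for this post and not code from the original article or from Active Directory itself. Each domain controller keeps, per attribute, a version number, the time of the originating write and a GUID identifying the originating domain controller; the model compares those three fields in order and then reproduces the A/B password scenario above (version 4 against version 5), a version tie broken by time, and a full tie broken by GUID. The DC GUIDs, timestamps and attribute values are constructed, and the direction of the GUID tie-break (higher GUID wins) is an assumption of this model; in a real domain the same fields can be inspected with `repadmin /showobjmeta` or `Get-ADReplicationAttributeMetadata`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from uuid import UUID


@dataclass(frozen=True)
class AttrMeta:
    """Replication metadata one DC keeps for one attribute of one object."""
    value: str
    version: int          # incremented on every originating write
    orig_time: datetime   # time of the originating write (UTC)
    orig_dsa: UUID        # GUID of the DC where the write originated


# Constructed identifiers for the two DCs in the text, A and B (not real IDs).
DSA_A = UUID("aaaaaaaa-0000-0000-0000-000000000001")
DSA_B = UUID("bbbbbbbb-0000-0000-0000-000000000002")
T0 = datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)   # constructed base time


def originating_write(current, new_value, when, dsa):
    """A write made directly on one DC: bump the version, stamp time and origin."""
    return AttrMeta(new_value, current.version + 1, when, dsa)


def sort_key(meta):
    """Priority order: version number, then originating time, then DC GUID.
    The GUID direction (higher wins) is an assumption of this model."""
    return (meta.version, meta.orig_time, meta.orig_dsa.int)


def resolve(local, incoming):
    """Decide which copy a DC keeps when its value and a replicated value differ."""
    return incoming if sort_key(incoming) > sort_key(local) else local


def replicate(a, b):
    """Run the rule from both sides; both DCs must converge on the same copy."""
    return resolve(a, b), resolve(b, a)


def case_version_wins():
    """A: 4 modifications ending in 12345. B: 5 modifications ending in 123456.
    B's writes are deliberately earlier in time to show version beats time."""
    unset = AttrMeta("", 0, T0, DSA_A)
    a = unset
    for i in range(1, 5):
        a = originating_write(a, "12345" if i == 4 else f"a{i}",
                              T0 + timedelta(hours=i), DSA_A)
    b = unset
    for i in range(1, 6):
        b = originating_write(b, "123456" if i == 5 else f"b{i}",
                              T0 + timedelta(minutes=i), DSA_B)
    return replicate(a, b)


def case_time_wins():
    """Same version on both sides: the later originating write wins."""
    base = AttrMeta("old", 3, T0, DSA_A)
    a = originating_write(base, "from-A", T0 + timedelta(hours=1), DSA_A)
    b = originating_write(base, "from-B", T0 + timedelta(hours=2), DSA_B)
    return replicate(a, b)


def case_guid_wins():
    """Same version and same timestamp: only the originating DC GUID is left."""
    base = AttrMeta("old", 3, T0, DSA_A)
    same = T0 + timedelta(hours=1)
    a = originating_write(base, "from-A", same, DSA_A)
    b = originating_write(base, "from-B", same, DSA_B)
    return replicate(a, b)


if __name__ == "__main__":
    for name, case in [("version", case_version_wins),
                       ("time", case_time_wins),
                       ("guid", case_guid_wins)]:
        kept_on_a, kept_on_b = case()
        print(f"{name}: both DCs keep value={kept_on_a.value!r} "
              f"version={kept_on_a.version} converged={kept_on_a == kept_on_b}")
```

The point of `replicate` is that the rule is evaluated independently on each domain controller, and because it is a strict ordering over the same three fields, both sides arrive at the same copy without any coordination. That is also why the clock matters: a domain controller with a badly skewed clock can win version ties it should have lost.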
Now that we have covered the Active Directory priority rules, let's walk through a concrete example. As shown in the following illustration, there are two domain controllers, Florence and Firenze, in the domain, and a user named Jianguo. We have backed up Active Directory on Firenze. Now suppose we accidentally delete Jianguo on Florence; Firenze will quickly delete Jianguo from its own Active Directory as well to keep in step with Florence. So what can we do to get Jianguo back?