Windows Server 2016-Manage Site Replication (ii)

Source: Internet
Author: User
Tags: domain

To keep the directory data on all domain controllers consistent and up to date, Active Directory replicates directory changes on a regular basis. Replication is based on standard network protocols, uses change-tracking information to avoid unnecessary replication, and increases efficiency through linked-value replication.

Replication in this chapter refers to Active Directory database replication: replication between domain controllers in the same site and between domain controllers in different sites. Within a site the domain controllers sit on a high-speed network, so replication is efficient. When domain controllers are in different sites, network speed constrains replication, so the domain administrator must plan replication efficiency and timing carefully to get the best results.

1. Replication overview:

Replication only occurs in an environment with more than one domain controller; if a domain has a single domain controller, no replication takes place. Replication is divided into intra-site replication and inter-site replication. Within a site the KCC (Knowledge Consistency Checker) automatically creates the best replication topology; between sites the replication links are created by the ISTG (Inter-Site Topology Generator).

1.1. Replication modes:

A. Single-master replication:

In the Windows NT environment, domain controllers are divided into two categories: the PDC (primary domain controller) and the BDC (backup domain controller). A domain can have more than one domain controller (PDC and BDCs). The Active Directory database on a BDC is copied from the PDC; only the PDC can create, modify and delete object data in the domain, such as user accounts, computer accounts and printers, while the BDC's Active Directory database is read-only. This replication model is called single-master replication.

B. Multi-master replication:

Starting with Windows 2000 Server, Active Directory uses a multi-master replication model in which each domain controller can modify domain objects locally. The domain no longer distinguishes between primary and backup domain controllers (although, strictly speaking, some differences remain), and any domain controller can modify the contents of Active Directory. To keep Active Directory authoritative, the Active Directory database content on all domain controllers should be identical.

AD DS uses multi-master replication, which replicates the Active Directory database between peer domain controllers; every domain controller has full-control permissions on the Active Directory database. Domain controllers in multi-master replication use the KCC to create replication links between domain controllers automatically (with at most three domain controllers between any source and target), and each domain controller calculates the best replication topology based on the bandwidth available at the site. Administrators can also configure the replication topology manually for specific environments.

In multi-master replication mode, any domain controller in the forest can process and replicate updates, so as long as one or more servers remain operational, administrators and applications can update data and continue working as usual; the location of the FSMO roles must, however, be taken into account.

The advantage of multi-master replication is efficiency; its disadvantage is the large amount of network traffic it generates. AD DS automatically creates the replication topology. When information changes on any domain controller, the change is passed to that domain controller's replication partners, which then initialize replication. Once initialization succeeds, replication proceeds between the databases until all domain controllers are synchronized.

In the Active Directory database, a small subset of data is still replicated in single-master mode. When an object is deleted, the request is received and processed first by one domain controller (the holder of the FSMO role), and the data is synchronized to the other domain controllers after processing completes.

1.2. Replication protocol:

When data is replicated between domain controllers, the following protocols are used.

    • IP protocol: can be used to replicate data both within a site and between sites; the replicated data is encrypted and authenticated.

    • SMTP protocol: can only be used between sites.

1.3. Replication partners:

Replication partners are divided into direct replication partners and indirect replication partners.

A. Direct replication partners

The source domain controller (the one on which the data was updated) does not replicate the update to every domain controller in the site; it replicates only to its direct replication partners. Direct replication partners are assigned automatically by the KCC, which works out which domain controllers should be the direct partners of a given domain controller so that replication between them is as efficient as possible. The update is replicated first to the direct replication partners, which in turn replicate it to the remaining domain controllers.

B. Indirect replication partners

Indirect replication partners are domain controllers that receive updates forwarded by other domain controllers rather than replicating directly from the source domain controller.

1.4. Directory partition synchronization:

The Active Directory database on a domain controller is divided into several directory partitions, each serving a different purpose.

    • Schema directory partition: stores the definitions of all objects and attributes, together with the rules for creating and manipulating them. All domains in the forest share one copy of the same schema partition, which is replicated to every domain controller in every domain of the forest.

    • Configuration directory partition: stores information about the structure of the whole Active Directory, including domains, sites and domain controllers. All domains in the forest share one copy of the same configuration partition, which is replicated to every domain controller in every domain of the forest.

    • Domain directory partition: each domain has its own domain partition, which stores the objects belonging to that domain, such as users, groups, computers and organizational units. Its contents are replicated to all domain controllers within that domain and are not replicated to domain controllers in other domains.

    • Application directory partition: generally created by an application to store data about that application. Application directory partitions are replicated only to specific domain controllers in the forest, not to all of them.

1.5. Replication mechanism:

Site replication uses the following mechanisms to complete replication updates.

    • Notification update replication

    • Emergency replication

    • Timed check replication

A. Notification update replication

Suppose domain controller A creates a user account; the new account is the originating update. 15 seconds after the update completes, domain controller A sends an update notification. This notification is not sent to all domain controllers in the domain at once: following the replication topology, domain controller B is notified first. After receiving the notification, domain controller B replicates the new account into its own database, copying only the changed data (an incremental update); this is a "pull" replication. After a further 3 seconds, domain controller C is notified, and so on until the updated data has been replicated to the other domain controllers.

B. Emergency replication

Emergency replication forces an immediate update of Active Directory data on a domain controller using a "push" mechanism: the change notification is passed to all replication partners immediately, without waiting for the notification delay to elapse. Emergency replication is used in situations such as an account becoming inactive (locked out), a change of the RID sequence number, or a change to a domain controller's machine account. Domain policies also support emergency replication: for example, when an account lockout policy or a password policy is specified at the domain level, the change is connected to and published to all domain controllers immediately. In this "push" replication, the target domain controllers accept the changed Active Directory data and the new policy.

C. Timed check replication

Timed check replication performs replication on a schedule, at specified times. By default it checks the replication status once per hour within a site and once every 3 hours between sites. The check covers both notification update replication and emergency replication: it detects whether data synchronized by those mechanisms was lost or whether a replication did not complete. If so, the originating domain controller is notified and the data that has not yet been updated is "pulled" immediately.

1.6. Replication topology:

The Active Directory replication topology is ring-shaped and is created automatically by the KCC. The KCC process runs on every domain controller and helps it establish replication link (connection) objects to other domain controllers. If no connection object exists between two domain controllers, they do not replicate with each other. Once the connection object has been created, the replication partner is shown with the label "<automatically generated>" in front of it.

A. Automatic topology:

It is recommended to let the KCC build the topology between domain controllers automatically.

B. Parent-child domain replication topology

In a parent-child domain topology, replication works in the same way; only the data being replicated differs. The child domain accepts schema partition and configuration partition data from the parent domain, while domain partition data is replicated only among the domain controllers of the same domain.

C. GC replication topology

1.7. Intra-site replication

Domain controllers in the same site are typically connected by a high-speed network, so the data is not compressed during replication.

A. Replication links

Intra-site replication is replication between domain controllers in the same site. The KCC process on each domain controller recalculates the replication topology whenever the number of domain controllers in the domain changes, for example when one is added or removed. The KCC automatically calculates the replication links the domain controllers use; when the number of domain controllers is small it tends to use a ring topology for database replication within the domain. The topology it generates automatically is a bidirectional ring: each domain controller has two replication partners, and Active Directory changes are replicated in both the clockwise and the counterclockwise direction.

B. Replication method

When a domain controller replicates its database, replication is normally implemented as pull replication with notifications.

When a data update is performed on a domain controller, intra-site replication starts automatically after 15 seconds, when the update notification is sent to the closest replication partner. If the source domain controller has more than one replication partner, it notifies them one after another at 3-second intervals by default. On receiving the notification, the partner domain controller sends a directory update request to the source domain controller, which responds by performing the replication operation. The 3-second notification interval prevents the source domain controller from being overwhelmed by simultaneous update requests from its replication partners.

For some directory updates within a site, the 15-second wait is skipped and replication starts immediately. This immediate replication, called emergency replication, is used for important directory updates, including account lockouts and account lockout policies, domain password policies, and password changes on domain controller accounts.
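The notification timing described in 1.5 (A to C) and again in the two paragraphs above can be put into a small event simulation. The following Python script is an added example, not code from the original article: it applies the 15-second initial delay, the 3-second stagger between partners, the immediate forwarding used by emergency replication, and the hourly timed check to a constructed four-DC ring, and reports when each domain controller obtains a change. The topology, the one-second pull duration, the offline period used in the demo, and the change-type labels are constructed assumptions, not values from the article.

```python
"""Intra-site notification replication timing, modelled on the article's description.

Added example, not code from the original article. It simulates the timings the
text describes: after a local change the source DC waits 15 seconds, then notifies
its direct partners one at a time, 3 seconds apart; each partner "pulls" the change
and then notifies its own partners the same way. Emergency replication skips the
15-second wait. DCs that miss every notification (offline at the time) catch up at
the next timed check (hourly within a site). The topology, the pull duration and the
offline periods are constructed sample values, not data from the article.
"""
import heapq

INITIAL_NOTIFY_DELAY = 15        # seconds between a local change and the first notification
PARTNER_STAGGER = 3              # seconds between notifications to successive partners
SCHEDULED_CHECK_INTERVAL = 3600  # intra-site timed check: hourly by default
PULL_DURATION = 1                # constructed: seconds a partner needs to pull and apply a change

# Change categories the article lists as triggering emergency replication (labels are ours).
URGENT_CHANGE_TYPES = {
    "account_lockout", "rid_change", "dc_machine_account_change", "password_policy_change",
}

# Constructed sample topology: a bidirectional ring of four DCs, two direct partners each.
SAMPLE_TOPOLOGY = {
    "DC1": ["DC2", "DC4"],
    "DC2": ["DC3", "DC1"],
    "DC3": ["DC4", "DC2"],
    "DC4": ["DC1", "DC3"],
}


def notification_schedule(dc, topology, applied_at, urgent):
    """Times at which `dc` notifies each direct partner about a change it applied at `applied_at`."""
    delay = 0 if urgent else INITIAL_NOTIFY_DELAY
    return [(applied_at + delay + i * PARTNER_STAGGER, partner)
            for i, partner in enumerate(topology[dc])]


def simulate_propagation(topology, source, change_type="normal", offline_until=None):
    """Return {dc: seconds after the originating change at which dc holds it}.

    A DC listed in `offline_until` ignores notifications that arrive before the given
    time; DCs that never obtain the change map to None.
    """
    urgent = change_type in URGENT_CHANGE_TYPES
    offline_until = offline_until or {}
    applied = {source: 0.0}
    # Event queue of (time, notifying dc, notified dc), processed in time order.
    events = [(t, source, p) for t, p in notification_schedule(source, topology, 0.0, urgent)]
    heapq.heapify(events)
    while events:
        t, _src, dst = heapq.heappop(events)
        if dst in applied:                    # partner already has (or is pulling) the change
            continue
        if t < offline_until.get(dst, 0.0):   # notification lost: the partner is down
            continue
        applied[dst] = t + PULL_DURATION      # pull replication of the changed data only
        for nt, partner in notification_schedule(dst, topology, applied[dst], urgent):
            heapq.heappush(events, (nt, dst, partner))

    # Timed-check fallback: a DC that missed every notification pulls from any partner
    # that already holds the change at its next scheduled check.
    pending = set(topology) - set(applied)
    check_time = float(SCHEDULED_CHECK_INTERVAL)
    max_offline = max(offline_until.values(), default=0.0)
    while pending:
        holders = {dc for dc, at in applied.items() if at <= check_time}
        progressed = False
        for dc in sorted(pending):
            if check_time >= offline_until.get(dc, 0.0) and holders & set(topology[dc]):
                applied[dc] = check_time
                progressed = True
        pending -= set(applied)
        if not progressed and check_time >= max_offline:
            break                             # nobody left who could supply the change
        check_time += SCHEDULED_CHECK_INTERVAL
    for dc in pending:
        applied[dc] = None
    return applied


def convergence_time(applied):
    """Seconds until the last reachable DC holds the change."""
    return max(at for at in applied.values() if at is not None)


if __name__ == "__main__":
    for label, kwargs in [("normal", {}), ("urgent", {"change_type": "account_lockout"}),
                          ("DC2 offline for 60 s", {"offline_until": {"DC2": 60.0}})]:
        result = simulate_propagation(SAMPLE_TOPOLOGY, "DC1", **kwargs)
        print(f"{label}: {result} -> converged after {convergence_time(result)} s")
```

On the four-DC ring a normal change reaches the last domain controller after 32 seconds, an emergency change after 3 seconds, and a domain controller that was down during both notifications only catches up at the hourly timed check, which is exactly the gap the third mechanism in 1.5 exists to close.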

C. Replication restrictions

The standard ring topology is not suitable for environments with many domain controllers. Domain controllers have a strict restriction: the interval between the source domain controller and the target domain controller cannot exceed three domain controllers. For example, if the Active Directory database on DC1 changes, DC1 can replicate to DC2 and DC2 can replicate on to DC3, but DC3 can no longer replicate to DC4, because the chain from DC1 to DC4 passes through more than two domain controllers. This limitation avoids the latency that a ring topology would cause in a large network. For example, with 100 domain controllers in a large network and an average replication interval of 5 minutes per domain controller, replicating from the first domain controller to the last could take about 500 minutes, which is unacceptable. In a large network the KCC therefore uses a mesh topology. A mesh is not as regular as a ring, and each domain controller may have several replication partners. The replication topology is thus ultimately planned by the KCC, although it is of course also possible to specify a domain controller's replication partners manually.
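The arithmetic above (5 minutes per hop, about 500 minutes across a 100-DC ring) and the three-hop limit can be checked with the following Python script. It is an added example, not code from the original article or from the KCC itself: it builds ring topologies, measures the worst-case hop count and latency, and then adds connections until no two domain controllers are more than three hops apart. The greedy "connect the two farthest DCs" rule it uses is a constructed simplification of what the KCC does, chosen only to show why the result must be a mesh rather than a ring.

```python
"""Ring topology latency versus the hop limit, following the article's reasoning.

Added example, not code from the original article. It reproduces the article's
arithmetic (5 minutes per replication hop, so a 100-DC ring needs roughly 500
minutes end to end) and then shows why a ring cannot satisfy a limit of three
hops between any two DCs: extra connections have to be added until the topology
becomes a mesh. The greedy "connect the two farthest DCs" rule used here is a
constructed simplification for illustration, not the KCC's actual algorithm.
"""
from collections import deque

MAX_HOPS = 3          # the article's limit on the interval between source and target DC
MINUTES_PER_HOP = 5   # the article's average replication interval per domain controller


def ring_topology(n, bidirectional=True):
    """Return {dc: set(partners)} for DC1..DCn arranged in a ring."""
    names = [f"DC{i}" for i in range(1, n + 1)]
    topo = {dc: set() for dc in names}
    if n < 2:
        return topo
    for i, dc in enumerate(names):
        nxt = names[(i + 1) % n]
        topo[dc].add(nxt)
        if bidirectional:
            topo[nxt].add(dc)
    return topo


def hop_counts(topology, source):
    """Breadth-first search: replication hops from `source` to every reachable DC."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        dc = queue.popleft()
        for partner in topology[dc]:
            if partner not in dist:
                dist[partner] = dist[dc] + 1
                queue.append(partner)
    return dist


def max_hops(topology):
    """Largest number of hops any change needs to reach the farthest DC."""
    return max(max(hop_counts(topology, dc).values()) for dc in topology)


def worst_case_latency_minutes(topology):
    """Article's estimate: hops multiplied by the average per-DC replication interval."""
    return max_hops(topology) * MINUTES_PER_HOP


def link_count(topology):
    """Number of distinct (unordered) replication connections in the topology."""
    return len({frozenset((a, b)) for a, partners in topology.items() for b in partners})


def enforce_hop_limit(topology, limit=MAX_HOPS):
    """Add two-way connections between the farthest pair until no DC is more than `limit` hops away."""
    topo = {dc: set(partners) for dc, partners in topology.items()}
    while True:
        farthest = None                       # (hops, dc_a, dc_b)
        for dc in topo:
            for other, hops in hop_counts(topo, dc).items():
                if hops > limit and (farthest is None or hops > farthest[0]):
                    farthest = (hops, dc, other)
        if farthest is None:
            return topo
        _, a, b = farthest
        topo[a].add(b)
        topo[b].add(a)


if __name__ == "__main__":
    ring = ring_topology(100, bidirectional=False)
    print("one-way ring of 100 DCs:", max_hops(ring), "hops,",
          worst_case_latency_minutes(ring), "minutes worst case")
    mesh = enforce_hop_limit(ring_topology(100))
    print("after enforcing the hop limit:", max_hops(mesh), "hops,",
          link_count(mesh), "connections instead of", link_count(ring_topology(100)))
```

A one-way ring of 100 domain controllers needs 99 hops, which at 5 minutes each is 495 minutes, the article's "about 500 minutes"; the bidirectional ring the KCC builds for small sites halves that, and once the hop limit is enforced the number of connections grows well beyond the ring's, which is what the text means by the topology becoming a mesh.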

1.8. Replication between sites

Replication links between sites differ from replication links within a site. In each site one domain controller acts as the Inter-Site Topology Generator (ISTG); it is responsible for creating the replication topology between sites and for selecting a domain controller in the site to act as the (source/destination) domain controller for inter-site replication, known as the bridgehead server. When site data is replicated, the bridgehead server in the source site replicates the updates to the bridgehead server in the target site, which accepts the updates and then replicates them to the domain controllers in its own site using the intra-site replication method.

