AD Replication


Active Directory Replication (Part 2)
Paige Verwolf
Support Professional, Microsoft Corporation

Directory Replication Framework

Domain Controller Identification

- Domain Controller Computer Account
- NTDS Settings Server Object
- Server GUID
- Database GUID
- Record Registration in DNS
- Update Sequence Number (USN)

Domain Controller Identification

Diagram: running Dcpromo.exe on daffy-duck.Replmon.com promotes it into the Replmon.com domain; the promotion creates the directory objects in Ntds.dit and registers the server's records in DNS.

Domain Controller Identification (2)

NTDS Settings Server Object
- Linked to Computer Account Object (CAO)
- Reanimated if deleted elsewhere and replicated to local domain controller
- Does not allow administrator to delete object on local computer
- Used to identify replication partners
- Name resolution very important for replication

Server GUID
- Each DC registers a CNAME record in DNS (used to locate the DC): 00000000-0000-0000-0000-000000000000 (alias DC2.Microsoft.com)
- Used by DCs to identify other DCs in replication requests

Database GUID
- Used to store vector information of changes from other DCs
- Initially, server GUID and database GUID are identical
- If DC is restored from backup, the database GUID is changed

Domain Controller Identification (3)

Records register with DNS after Netlogon is started. Windows 2000 domain controllers can register one or more DNS records. Service location (SRV) records are used in identifying an available service on a host. These records have an ldap prefix. <DnsDomainName> refers to the DNS domain name used during promotion of the server when the domain tree is joined or created. It refers to the DNS domain name of the root domain. You can identify the correct DNS entries that should exist for a Windows 2000 installation by viewing the Netlogon.dns text file. This file is located in the %SystemRoot%\System32\Config folder.

Update Sequence Number (USN)

- 64-bit DWORD with DC-local meaning
- Assigned to each new object update transaction
- If the transaction is stopped, the USN is not assigned to any object
- Each object carries two USNs: usnCreated and usnChanged
- Each property carries two USNs
- Indexed property in the database
- Independent from system time: system clocks do not matter, even if they are changed

Object Creation

Add new user on DC1; DC1's USN advances 4710 -> 4711.

Object on DC1: usnCreated: 4711, usnChanged: 4711

Property  Value  USN   Version#  Timest.  Org. DB GUID  Org USN
P1        Value  4711  1         TS       DC1 DB GUID   4711
P2        Value  4711  1         TS       DC1 DB GUID   4711
P3        Value  4711  1         TS       DC1 DB GUID   4711
P4        Value  4711  1         TS       DC1 DB GUID   4711

Object Replicated

User replicated from DC1 (USN 4711) to DC2; DC2's USN advances 1745 -> 1746.

Object on DC2: usnCreated: 1746, usnChanged: 1746

Property  Value  USN   Version#  Timest.  Org. DB GUID  Org USN
P1        Value  1746  1         TS       DC1 DB GUID   4711
P2        Value  1746  1         TS       DC1 DB GUID   4711
P3        Value  1746  1         TS       DC1 DB GUID   4711
P4        Value  1746  1         TS       DC1 DB GUID   4711

Object Modification

User password change (shown as property P2) on DC2; DC2's USN advances 2001 -> 2002.

Object on DC2: usnCreated: 1746, usnChanged: 2002

Property  Value  USN   Version#  Timest.  Org. DB GUID  Org USN
P1        Value  1746  1         TS       DC1 DB GUID   4711
P2        Value  2002  2         TS       DC2 DB GUID   2002
P3        Value  1746  1         TS       DC1 DB GUID   4711
P4        Value  1746  1         TS       DC1 DB GUID   4711

Change Replicated

Modified attribute (P2) replicated from DC2 (USN 2002) to DC1; DC1's USN advances 5039 -> 5040.

Object on DC1: usnCreated: 4711, usnChanged: 5040

Property  Value  USN   Version#  Timest.  Org. DB GUID  Org USN
P1        Value  4711  1         TS       DC1 DB GUID   4711
P2        Value  5040  2         TS       DC2 DB GUID   2002
P3        Value  4711  1         TS       DC1 DB GUID   4711
P4        Value  4711  1         TS       DC1 DB GUID   4711

High-Watermark Vector

- Table on each domain controller
- One entry per replication partner: the highest known USN of that partner
- Used to detect recent changes on replication partners

High-Watermark Vector: DC4

DC1: USN 4711    DC2: USN 2052    DC3: USN 1217    DC4: USN 3388

DC4's High-Watermark Vector
DSA GUID  Highest known USN
DC1 GUID  4711
DC3 GUID  1217

This example assumes that DC1 and DC3 are DC4's replication partners.

Up-to-Dateness Vector

- Up-to-dateness is tracked per naming context
- List of pairs: Originating-DC-GUID (database GUID), Highest-Originating-USN
- Only domain controllers whose originating updates have been received (directly or through replication) appear in the list

Up-to-Dateness Vector (2)

DC1: USN 4711    DC2: USN 2052    DC3: USN 1217    DC4: USN 3388

DC4's Up-to-Dateness Vector
DSA GUID  Highest originating USN
DC1 GUID  4711
DC2 GUID  2050

This example assumes that only DC1 and DC2 (and possibly DC4) performed originating write operations.

Information Sent to Prepare for Replication

- Naming context for which changes are requested
- Maximum number of object update entries requested
- Maximum number of values requested
- High-USN-Changed value of the naming context on the replication partner (from the High-Watermark Vector)
- Complete Up-to-Dateness Vector, used for propagation dampening

Replication: DC4

Step 1: User added to DC2. DC2's USN advances 2052 -> 2053. No changes for DC4.

DC1: USN 4711    DC2: USN 2052 -> 2053    DC3: USN 1217    DC4: USN 3388

DC4: Up-to-Dateness Vector
DSA GUID  Highest originating USN
DC1 GUID  4711
DC2 GUID  2050

DC4: High-Watermark Vector
DSA GUID  Highest known USN
DC1 GUID  4711
DC3 GUID  1217

Replication: DC4 (2)

Step 2: User replicated to DC1. DC1's USN advances 4711 -> 4712. No changes for DC4. NOTE: the write originated on DC2.

DC1: USN 4711 -> 4712    DC2: USN 2053    DC3: USN 1217    DC4: USN 3388

DC4: Up-to-Dateness Vector
DSA GUID  Highest originating USN
DC1 GUID  4711
DC2 GUID  2050

DC4: High-Watermark Vector
DSA GUID  Highest known USN
DC1 GUID  4711
DC3 GUID  1217

Replication: DC4 (3)

Step 3: DC4 initiates replication with DC1. DC4 sends the NC, the highest known USN of DC1 for this NC, the number of objects, the number of values, and its Up-to-Dateness Vector.

Request DC4 -> DC1: NC, 4711, 100, 100, vector

DC1: USN 4712    DC2: USN 2053    DC3: USN 1217    DC4: USN 3388

DC4: Up-to-Dateness Vector
DSA GUID  Highest originating USN
DC1 GUID  4711
DC2 GUID  2050

DC4: High-Watermark Vector
DSA GUID  Highest known USN
DC1 GUID  4711
DC3 GUID  1217

Replication: DC4 (4)

Step 4: DC1 replicates the new user to DC4. DC1 sends the data, its last-object-changed USN and state data; DC4 uses this data to improve its up-to-dateness. DC4's USN advances 3388 -> 3389.

Reply DC1 -> DC4: Data, 4712, vector

DC1: USN 4712    DC2: USN 2053    DC3: USN 1217    DC4: USN 3388 -> 3389

DC4: Up-to-Dateness Vector
DSA GUID  Highest originating USN
DC1 GUID  4711
DC2 GUID  2053

DC4: High-Watermark Vector
DSA GUID  Highest known USN
DC1 GUID  4712
DC3 GUID  1217

Replication: DC4 (5)

Step 5: DC2 replicates the new user to DC3. DC3's USN advances 1217 -> 1218. No changes for DC4.

DC1: USN 4712    DC2: USN 2053    DC3: USN 1217 -> 1218    DC4: USN 3389

DC4: Up-to-Dateness Vector
DSA GUID  Highest originating USN
DC1 GUID  4711
DC2 GUID  2053

DC4: High-Watermark Vector
DSA GUID  Highest known USN
DC1 GUID  4712
DC3 GUID  1217

Replication: DC4 (6)

Step 6: DC4 initiates replication with DC3. DC4 sends the NC, the highest known USN of DC3 for this NC, the number of objects, the number of values, and its Up-to-Dateness Vector.

Request DC4 -> DC3: NC, 1217, 100, 100, vector

DC1: USN 4712    DC2: USN 2053    DC3: USN 1218    DC4: USN 3389

DC4: Up-to-Dateness Vector
DSA GUID  Highest originating USN
DC1 GUID  4711
DC2 GUID  2053

DC4: High-Watermark Vector
DSA GUID  Highest known USN
DC1 GUID  4712
DC3 GUID  1217

Replication: DC4 (7)

Step 7: DC3 replication reply. DC3 determines that DC4 is already up to date (DC4's Up-to-Dateness Vector already lists DC2's originating USN 2053) and sends its last-object-changed USN and up-to-dateness vector, but no data.

Reply DC3 -> DC4: 1218, vector

DC1: USN 4712    DC2: USN 2053    DC3: USN 1218    DC4: USN 3389

DC4: Up-to-Dateness Vector
DSA GUID  Highest originating USN
DC1 GUID  4711
DC2 GUID  2053

DC4: High-Watermark Vector
DSA GUID  Highest known USN
DC1 GUID  4712
DC3 GUID  1218
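A toy model of the seven steps above, added here as an illustration and not taken from the deck or from Windows: DC names stand in for DSA and database GUIDs, the request's object and value limits are left out, and each DC keeps a local USN counter, per-object originating stamps (as in the Object Creation and Object Replicated slides), a high-watermark vector and an up-to-dateness vector. Running it reproduces the deck's USNs and vectors, including the empty reply from DC3.

```python
class DC:
    """Toy domain controller: local USN counter, objects with replication metadata,
    high-watermark vector (hwmv) and up-to-dateness vector (utdv). Added example,
    not Microsoft code; DC names stand in for DSA/DB GUIDs."""

    def __init__(self, name, usn, hwmv=None, utdv=None):
        self.name, self.usn = name, usn
        self.objects = {}             # obj -> (local USN, originating DC, originating USN)
        self.hwmv = dict(hwmv or {})  # partner -> highest USN known on that partner
        self.utdv = dict(utdv or {})  # originating DC -> highest originating USN received

    def originate(self, obj):
        """Originating write: consume a local USN and stamp ourselves as originator."""
        self.usn += 1
        self.objects[obj] = (self.usn, self.name, self.usn)
        self.utdv[self.name] = self.usn

    def pull(self, src):
        """Replication request to src: our HWMV entry for src plus our full UTDV.
        Returns how many objects src actually had to send (propagation dampening)."""
        since, sent = self.hwmv.get(src.name, 0), 0
        for obj, (local_usn, org_dc, org_usn) in src.objects.items():
            if local_usn <= since:                      # already seen through src
                continue
            if self.utdv.get(org_dc, 0) >= org_usn:    # dampened: reached us another way
                continue
            self.usn += 1                               # fresh local USN, originating stamp kept
            self.objects[obj] = (self.usn, org_dc, org_usn)
            self.utdv[org_dc] = max(self.utdv.get(org_dc, 0), org_usn)
            sent += 1
        self.hwmv[src.name] = src.usn                   # src's last-object-changed USN
        for dc, usn in src.utdv.items():                # merge src's UTDV into ours
            self.utdv[dc] = max(self.utdv.get(dc, 0), usn)
        return sent


def walkthrough():
    """Steps 1-7 of the DC4 example with the deck's starting USNs and vectors."""
    dc1 = DC("DC1", 4711, utdv={"DC1": 4711})
    dc2 = DC("DC2", 2052, utdv={"DC2": 2050})
    dc3 = DC("DC3", 1217)
    dc4 = DC("DC4", 3388, hwmv={"DC1": 4711, "DC3": 1217}, utdv={"DC1": 4711, "DC2": 2050})
    dc2.originate("user")                # step 1: DC2 2052 -> 2053
    dc1.pull(dc2)                        # step 2: DC1 4711 -> 4712, still stamped DC2/2053
    from_dc1 = dc4.pull(dc1)             # steps 3-4: DC4 3388 -> 3389, one object sent
    dc3.pull(dc2)                        # step 5: DC3 1217 -> 1218
    from_dc3 = dc4.pull(dc3)             # steps 6-7: no data, only vectors updated
    return {"dc1": dc1.usn, "dc3": dc3.usn, "dc4": dc4.usn, "from_dc1": from_dc1,
            "from_dc3": from_dc3, "hwmv": dc4.hwmv, "utdv": dc4.utdv}
```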

Urgent Replication

Initiated by the Security Accounts Manager (SAM) or the Local Security Authority (LSA), not by LDAP writes, for:

- Changing the account lockout policy
- Changing the domain password policy
- Replicating a newly locked out account
- Changing an LSA secret (trust account)
- Change in RID master role owner

These trigger an immediate replication cycle within the site, using notification.

Conflict Resolution

Resolution order: higher version number -> higher timestamp -> higher GUID of originating write DSA

Conflict Resolution (2)

Attribute Value Conflict
- For example, user changes password on DC1, administrator changes the user's password on DC2
- Resolution: higher version number -> higher timestamp -> higher GUID of originating write DSA

Move Under Deleted Parent
- For example, administrator creates user in OU1 on DC1, second administrator deletes OU1 on DC2
- Resolution: OU1 is deleted, user moved to the Lost and Found container

Conflict Resolution (3)

Object Creation Name Conflict
- For example, two administrators create two user objects with identical RDNs on two domain controllers at the same time
- Resolution: one object (identified by its GUID) receives a system-wide unique value on the conflicting attribute (here the RDN)
- Which object keeps the original name is decided by the same order: higher version number -> higher timestamp -> higher GUID of originating write DSA
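The three-level precedence rule and the name-conflict rename from the last three slides, as an added example (not from the deck or from Windows): DSA names stand in for GUIDs, timestamps are plain integers, and the "CNF:" suffix format is constructed, since the page does not give the directory's real one.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Stamp:
    """Replication metadata of one write (constructed; names stand in for GUIDs)."""
    version: int
    timestamp: int          # originating time of the write
    originating_dsa: str    # GUID of the DSA where the write originated

    def key(self):
        # Precedence from the deck: version, then timestamp, then originating DSA GUID.
        return (self.version, self.timestamp, self.originating_dsa)


def winning_stamp(a: Stamp, b: Stamp) -> Stamp:
    """Return the write that survives an attribute-value conflict."""
    return a if a.key() > b.key() else b


def resolve_name_conflict(objects):
    """objects: {objectGUID: (rdn, Stamp)} created under the same parent.
    Each RDN held by more than one object is kept by the write with the highest
    precedence; every other holder gets a unique value derived from its own GUID
    (constructed suffix format; the real separator is not given on the page)."""
    by_rdn = {}
    for guid, (rdn, stamp) in objects.items():
        by_rdn.setdefault(rdn, []).append((stamp.key(), guid))
    result = {}
    for rdn, entries in by_rdn.items():
        entries.sort(reverse=True)            # highest precedence first
        for i, (_, guid) in enumerate(entries):
            result[guid] = rdn if i == 0 else f"{rdn} CNF:{guid}"
    return result
```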
