AD Replication
Domain Controller Computer Account
- Linked to the Computer Account Object (CAO)
- Reanimated if deleted elsewhere and replicated to the local domain controller
- Does not allow an administrator to delete the object on the local computer

NTDS Settings / Server Object
- Used to identify replication partners
- Name resolution is very important for replication: each DC registers a CNAME record in DNS that is used to locate the DC, e.g. 00000000-0000-0000-000000000000 (alias DC2.Microsoft.com)

Server GUID
- Used by DCs to identify other DCs in replication requests

Database GUID
- Used to store vector information about changes received from other DCs
- Initially, the server GUID and the database GUID are identical
- If a DC is restored from backup, the database GUID is changed

Related: Replmon.com (replication monitor), Ntds.dit (the directory database file)

Record Registration in DNS
Records are registered with DNS after Netlogon is started. Windows 2000 domain controllers can register one or more DNS records. Service location (SRV) records are used to identify an available service on a host; these records have an _ldap prefix. <DnsDomainName> refers to the DNS domain name used during promotion of the server, when the domain tree is joined or created. It refers to the DNS domain name of the root domain. You can identify the correct DNS entries that should exist for a Windows 2000 installation by viewing the Netlogon.dns text file, located in the %SystemRoot%\System32\Config folder.

Update Sequence Number (USN)
- An indexed property in the database, independent of the system time
- If a transaction is stopped (rolled back), the USN is not assigned to any object
- Each object carries usnCreated and usnChanged
- Each property carries two USNs: the local USN assigned on this DC and the originating USN assigned by the DC where the write originated
Object Creation
A new user is added on DC1; DC1's USN advances from 4710 to 4711.

Object on DC1: usnCreated: 4711, usnChanged: 4711
Property  Value  USN   Version#  Timest.  Org. DB GUID  Org. USN
P1        Value  4711  1         TS       DC1 DB GUID   4711
P2        Value  4711  1         TS       DC1 DB GUID   4711
P3        Value  4711  1         TS       DC1 DB GUID   4711
P4        Value  4711  1         TS       DC1 DB GUID   4711

Object Replicated
The user is replicated from DC1 (USN 4711) to DC2; DC2's USN advances from 1745 to 1746.

Object on DC2: usnCreated: 1746, usnChanged: 1746
Property  Value  USN   Version#  Timest.  Org. DB GUID  Org. USN
P1        Value  1746  1         TS       DC1 DB GUID   4711
P2        Value  1746  1         TS       DC1 DB GUID   4711
P3        Value  1746  1         TS       DC1 DB GUID   4711
P4        Value  1746  1         TS       DC1 DB GUID   4711

Object Modification
The user's password (property P2) is changed on DC2; DC2's USN advances from 2001 to 2002.

Object on DC2: usnCreated: 1746, usnChanged: 2002
Property  Value  USN   Version#  Timest.  Org. DB GUID  Org. USN
P1        Value  1746  1         TS       DC1 DB GUID   4711
P2        Value  2002  2         TS       DC2 DB GUID   2002
P3        Value  1746  1         TS       DC1 DB GUID   4711
P4        Value  1746  1         TS       DC1 DB GUID   4711

Change Replicated
The modified property is replicated from DC2 (USN 2002) to DC1; DC1's USN advances from 5039 to 5040.

Object on DC1: usnCreated: 4711, usnChanged: 5040
Property  Value  USN   Version#  Timest.  Org. DB GUID  Org. USN
P1        Value  4711  1         TS       DC1 DB GUID   4711
P2        Value  5040  2         TS       DC2 DB GUID   2002
P3        Value  4711  1         TS       DC1 DB GUID   4711
P4        Value  4711  1         TS       DC1 DB GUID   4711
High-Watermark Vector
Example: DC2 (USN 2052), DC3 (USN 1217), DC4 (USN 3388). This example assumes that DC1 and DC3 are DC4's replication partners.

DC4's High-Watermark Vector
DSA GUID  Highest known USN
DC1 GUID  4711
DC3 GUID  1217
Up-to-Dateness Vector
Only domain controllers whose originating updates have been received (even indirectly, through replication) are added to this vector.

Example: DC2 (USN 2052), DC3 (USN 1217), DC4 (USN 3388). This example assumes that only DC1 and DC2 (and possibly DC4) performed originating write operations.

DC4's Up-to-Dateness Vector
DSA GUID  Highest originating USN
DC1 GUID  4711
DC2 GUID  2050
Replication Request
A replication request carries:
- the naming context (NC) for which changes are requested
- the maximum number of object update entries requested
- the maximum number of values requested
- the High-USN-Changed value of the naming context on the replication partner
- the complete Up-to-Dateness Vector

Example sequence (DC4 replicating from its partners DC1 and DC3; the vectors shown are DC4's)

Initial state: DC2's USN advances from 2052 to 2053. DC4 is at USN 3388, DC3 at USN 1217.
DC4 Up-to-Dateness Vector: DC1 4711, DC2 2050
DC4 High-Watermark Vector: DC1 GUID 4711, DC3 GUID 1217

Request to DC1: DC4 sends the NC, the highest known USN of DC1 for this NC (4711), the number of objects, the number of values and its Up-to-Dateness Vector.
DC4 Up-to-Dateness Vector: DC1 4711, DC2 2050
DC4 High-Watermark Vector: DC1 GUID 4711, DC3 GUID 1217

Reply from DC1: DC1 replicates the new user to DC4 (DC1 USN 4712). It sends the data, the last-object-changed USN and state data; DC4 uses the state data to improve its up-to-dateness. DC4's USN advances from 3388 to 3389.
DC4 Up-to-Dateness Vector: DC1 4711, DC2 2053
DC4 High-Watermark Vector: DC1 GUID 4712, DC3 GUID 1217

Request to DC3: DC3's USN advances from 1217 to 1218. DC4 sends the NC, the highest known USN of DC3 for this NC (1217), the number of objects, the number of values and its Up-to-Dateness Vector.
DC4 Up-to-Dateness Vector: DC1 4711, DC2 2053
DC4 High-Watermark Vector: DC1 GUID 4712, DC3 GUID 1217

Reply from DC3: DC3 determines that DC4 is already up to date and sends only the last-object-changed USN (1218) and its up-to-dateness vector, but no data.
DC4 Up-to-Dateness Vector: DC1 4711, DC2 2053
DC4 High-Watermark Vector: DC1 GUID 4712, DC3 GUID 1218
Urgent Replication
Initiated by the Security Accounts Manager (SAM) or the Local Security Authority (LSA), not by LDAP writes, for:
- Changing the account lockout policy
- Changing the domain password policy
- Replicating a newly locked-out account
- Changing an LSA secret (trust account)
- A change of the RID master role owner
These trigger an immediate replication cycle within the site, using notification.
Conflict Resolution
General rule: higher version number -> higher timestamp -> higher GUID of the originating write DSA.

- Attribute conflict: for example, a user changes the password on DC1 while an administrator changes the same user's password on DC2. Resolution: higher version number -> higher timestamp -> higher GUID of the originating write DSA.
- Deleted parent container: for example, an administrator creates a user in OU1 on DC1 while a second administrator deletes OU1 on DC2. Resolution: OU1 is deleted and the user is moved to the Lost and Found container.
- Identical RDNs: for example, two administrators create two user objects with identical RDNs on two domain controllers at the same time. Resolution: the conflict is decided by the general rule (higher version number -> higher timestamp -> higher GUID of the originating write DSA), and one object (identified by its GUID) receives a system-wide unique value on the conflicting attribute (here the RDN).
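The following simulation is an added illustration, not code from the deck: it models the per-property metadata from the USN tables above, the high-watermark and up-to-dateness vectors used in the replication request sequence, and the version -> timestamp -> GUID rule for attribute conflicts. DC names stand in for DSA/database GUIDs and timestamps are plain integers; these simplifications are assumptions of the example.

```python
"""AD-style replication bookkeeping: USNs, watermark and UTD vectors, dampening and
attribute conflict resolution. Added illustration, not from the deck; DC names stand
in for DSA/database GUIDs and timestamps are plain integers."""
from dataclasses import dataclass
@dataclass
class Meta:               # per-attribute replication metadata (one row of the deck's tables)
    value: object
    version: int          # bumped by every originating write
    ts: int               # timestamp of the originating write
    orig_dsa: str         # database GUID of the originating DSA
    orig_usn: int         # USN assigned by the originating DSA
    local_usn: int        # USN assigned on this DC when the value was written or applied

def wins(new, old):
    """Conflict rule: higher version, then higher timestamp, then higher originating GUID."""
    return (new.version, new.ts, new.orig_dsa) > (old.version, old.ts, old.orig_dsa)

class DC:
    def __init__(self, name, usn):
        self.name, self.usn, self.objects = name, usn, {}  # objects: dn -> {attr: Meta}
        self.hwm = {}  # high-watermark vector: partner -> highest partner USN received
        self.utd = {}  # up-to-dateness vector: originating DSA -> highest originating USN

    def originating_write(self, dn, attr, value, ts):
        self.usn += 1
        obj = self.objects.setdefault(dn, {})
        ver = obj[attr].version + 1 if attr in obj else 1
        obj[attr] = Meta(value, ver, ts, self.name, self.usn, self.usn)
        self.utd[self.name] = self.usn

    def get_changes(self, partner_hwm, partner_utd):
        """Values above the requester's watermark not covered by its UTD vector (dampening)."""
        out = [(dn, a, m) for dn, obj in self.objects.items() for a, m in obj.items()
               if m.local_usn > partner_hwm and m.orig_usn > partner_utd.get(m.orig_dsa, 0)]
        return out, self.usn, dict(self.utd)

    def replicate_from(self, src):
        changes, src_usn, src_utd = src.get_changes(self.hwm.get(src.name, 0), self.utd)
        applied = 0
        for dn, attr, m in changes:
            obj = self.objects.setdefault(dn, {})
            if attr not in obj or wins(m, obj[attr]):  # otherwise the local value wins
                self.usn += 1
                obj[attr] = Meta(m.value, m.version, m.ts, m.orig_dsa, m.orig_usn, self.usn)
                applied += 1
        self.hwm[src.name] = src_usn  # cycle complete: advance the watermark ...
        for dsa, u in src_utd.items():  # ... and merge the partner's UTD vector
            self.utd[dsa] = max(self.utd.get(dsa, 0), u)
        return applied
```

Running the deck's scenario (DC1 at 4710, DC2 at 1745, password change on DC2 at 2001, replication back to DC1 at 5039) reproduces the USN, version and originating-USN columns of the tables above, and a third DC that already holds the change through DC2 sends nothing back to DC1 because DC1's UTD vector covers it.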