Active Directory Replication

Previously we discussed the structure of Active Directory and provided best practices for Active Directory-integrated DNS. In this article we'll talk about replication.

Those of you who administered a Windows NT domain are familiar with the concept of a Primary Domain Controller (PDC) with one or more Backup Domain Controllers (BDCs). The primary domain controller was responsible for managing the master copy of the domain database and for replicating any changes to the backup domain controllers. All changes had to be performed on the PDC, which then replicated them to the BDCs. In effect this meant that when the PDC was unavailable, no changes could be made to the domain database, obviously a limitation.

Active Directory is different from this design and is much more scalable, with a distributed, multi-master, replicated database. In Active Directory, each domain controller holds a full copy of its own directory partition, or naming context. A directory tree contains all Active Directory objects in the forest. A forest is the grouping of two or more domain trees or domains that do not have a common contiguous namespace, that is, they have non-contiguous namespaces. In Active Directory, the directory tree is partitioned, which enables portions of the tree to be distributed to domain controllers in other domains in the forest. Back to Active Directory terminology: the copy of a directory partition that holds all the attributes for each object in that partition is called a replica. Every replica holds read and write attributes, meaning changes can be made on any domain controller.

Active Directory replication ensures that the data held by domain controllers remains updated and consistent. It is Active Directory replication that keeps the Active Directory information hosted by every domain controller synchronized. The multi-master environment of Active Directory eliminates the domain controllers as single points of failure, because an administrator can make changes to the Active Directory database on any domain controller, and these changes are replicated to the other domain controllers within the domain.

What Exactly Is Replicated in Active Directory
The domain controllers in Active Directory contain the following directory partition replicas:

Schema – The schema partition defines which objects can be created in Active Directory and which attributes those objects can contain. Domain controllers in a forest have a read-only copy of the schema partition. Objects stored in the schema partition are replicated to each domain controller in the forest.

Configuration – The configuration partition contains the objects that describe the logical structure of the forest, the structure of the domains, and the replication topology (remember our first article in this series?). Each domain controller in the forest holds a read/write copy of the configuration partition. Any objects stored in the configuration partition are replicated to each domain controller in each domain of the forest.

Domain – The domain partition or naming context (NC) contains all objects that are stored in a domain. Each domain controller in a domain has a read/write copy of the domain partition. Objects in the domain partition are replicated to only the domain controllers within a domain.

Application – The application partition contains objects or data that applications and services store, for example DNS, RAS, and DHCP.

It is also worth knowing that replication is triggered when certain actions occur in the database: when an object is created, deleted, moved, or modified.
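The partitions listed above are exactly the naming contexts a domain controller advertises in its RootDSE, and each one replicates on its own schedule with its own partners. The following PowerShell function is an added example written for this article, not code from the original; it assumes the RSAT ActiveDirectory module on a domain-joined host and, unless a server name is given, picks a discovered domain controller. It classifies every naming context the DC holds as Schema, Configuration, Domain or Application, then reports the inbound replication state of each partition, flagging partners with consecutive failures or no successful sync within a chosen window (the 24-hour threshold is an assumed default).

```powershell
Import-Module ActiveDirectory

function Get-PartitionReplicationReport {
    param(
        # Assumption: the DC to inspect; defaults to a discovered DC in the current domain.
        [string]$Server = [string]((Get-ADDomainController -Discover).HostName | Select-Object -First 1),
        # Assumption: a partner with no successful sync in this many hours is reported as stale.
        [int]$StaleHours = 24
    )

    # RootDSE lists every naming context this DC holds: schema, configuration,
    # the domain partition and any application partitions (DomainDnsZones, etc.).
    $root = Get-ADRootDSE -Server $Server
    $kind = @{}
    $kind[$root.schemaNamingContext]        = 'Schema'
    $kind[$root.configurationNamingContext] = 'Configuration'
    $kind[$root.defaultNamingContext]       = 'Domain'

    foreach ($nc in $root.namingContexts) {
        $label = if ($kind.ContainsKey($nc)) { $kind[$nc] } else { 'Application' }

        # Inbound replication metadata for this one partition only.
        $meta = Get-ADReplicationPartnerMetadata -Target $Server -Partition $nc

        foreach ($m in $meta) {
            # A partner is stale when it keeps failing or has never/too long ago succeeded.
            $stale = $m.ConsecutiveReplicationFailures -gt 0
            if ($m.LastReplicationSuccess) {
                $age = (Get-Date) - $m.LastReplicationSuccess
                $stale = $stale -or ($age.TotalHours -gt $StaleHours)
            } else {
                $stale = $true
            }

            [pscustomobject]@{
                Server    = $Server
                Partition = $label
                NamingCtx = $nc
                Writable  = $m.Writable                 # read/write vs read-only replica
                Partner   = $m.Partner                  # NTDS Settings DN of the source DC
                Transport = $m.IntersiteTransportType   # empty for intra-site partners
                LastOK    = $m.LastReplicationSuccess
                Failures  = $m.ConsecutiveReplicationFailures
                Stale     = $stale
            }
        }
    }
}

# Usage: show every partition/partner pair, or only the ones that need attention.
Get-PartitionReplicationReport | Format-Table Partition, Writable, Partner, Transport, LastOK, Failures, Stale -AutoSize
Get-PartitionReplicationReport | Where-Object Stale | Format-Table -AutoSize
```

Running this against each domain controller in turn gives a quick per-partition view: the schema and configuration rows should show the same partners on every DC in the forest, while domain partition rows should only ever list partners from the same domain, which is a useful sanity check against the partition scoping described above.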

Replication Types
There are two types of Active Directory replication: intra-site replication and inter-site replication.

Intra-site Replication – Intra-site replication takes place between domain controllers within the same site, making it a fairly uncomplicated process. When changes are made to the Active Directory replica on one domain controller, that domain controller contacts the other domain controllers within the same site and checks the information it holds against the information hosted by them. Intra-site replication uses the Remote Procedure Call (RPC) protocol to transfer replication data over fast and reliable network connections.

Inter-site Replication – Inter-site replication takes place between sites and uses either RPC over IP or SMTP to replicate the data. Inter-site replication has to be manually configured and occurs between two domain controllers known as bridgehead servers. This role is assigned to at least one domain controller within a site. Only these bridgeheads replicate data with domain controllers in different domains, by performing inter-site replication with their partners, and the packets are compressed to save bandwidth. Inter-site replication takes place over site links using a polling method; the default polling interval is 180 minutes.
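Because inter-site replication is configured by hand, the settings that matter (transport, polling interval, sites included) live on the site link objects in the configuration partition and are easy to audit. The function below is an added example for this article, not code from the original; it assumes the RSAT ActiveDirectory module and rights to read the configuration partition. It reviews every site link, reports the transport and polling interval, and flags SMTP links, links that include fewer than two sites, and links still polling at an interval above a chosen maximum (the 180-minute default from the text is used as the assumed threshold). The final line shows how the interval would be tightened, guarded by -WhatIf so nothing is changed until you remove it.

```powershell
Import-Module ActiveDirectory

# Turn "CN=Paris,CN=Sites,CN=Configuration,DC=..." into "Paris".
function Get-SiteName([string]$dn) { ($dn -split ',')[0] -replace '^CN=' }

function Get-SiteLinkReview {
    param(
        # Assumption: polling intervals above this many minutes are flagged for review.
        [int]$MaxFrequencyMinutes = 180
    )

    $links = Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, Cost, SitesIncluded, InterSiteTransportProtocol

    foreach ($l in $links) {
        $notes = @()

        # SMTP is supported only for schema, configuration and application partitions;
        # it cannot carry the domain partition between two DCs of the same domain.
        if ($l.InterSiteTransportProtocol -eq 'SMTP') { $notes += 'SMTP transport' }

        # A link joining fewer than two sites creates no replication path at all.
        if (@($l.SitesIncluded).Count -lt 2) { $notes += 'fewer than two sites' }

        # A long polling interval means changes (including security changes such as
        # disabled accounts) take that long to reach the remote site.
        if ($l.ReplicationFrequencyInMinutes -gt $MaxFrequencyMinutes) {
            $notes += "interval $($l.ReplicationFrequencyInMinutes) min > $MaxFrequencyMinutes"
        }

        [pscustomobject]@{
            SiteLink   = $l.Name
            Transport  = $l.InterSiteTransportProtocol
            IntervalMin = $l.ReplicationFrequencyInMinutes
            Cost       = $l.Cost
            Sites      = (($l.SitesIncluded | ForEach-Object { Get-SiteName $_ }) -join ', ')
            Review     = ($notes -join '; ')
        }
    }
}

# Usage: full review, then only the links with findings.
Get-SiteLinkReview | Format-Table -AutoSize
Get-SiteLinkReview | Where-Object Review | Format-Table SiteLink, Review -AutoSize

# Tightening the polling interval on one link (assumed link name); -WhatIf only previews the change.
Set-ADReplicationSiteLink -Identity 'HQ-Branch1' -ReplicationFrequencyInMinutes 15 -WhatIf
```

The interval check is the one most often worth acting on: with the 180-minute default, an account disabled in the head office can remain usable in a branch site for up to three hours, so sites with adequate bandwidth commonly run a much shorter polling interval.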

Replication Topology
When setting up your Active Directory replication topology, there are at least four different topologies you should consider:

  • Ring Topology – In a ring topology, each domain controller in a site has two inbound and outbound replication partners. There are never more than three hops between domain controllers in a site.
  • Full Mesh Topology – Typically used in smaller organizations where redundancy is important and the number of sites is limited. The disadvantage of this topology is that it is expensive and not really scalable.
  • Hub And Spoke Topology – This topology is typically implemented in large organizations where scalability is important and redundancy is less important. In this topology, one or more hub sites exist that have slower WAN connections to multiple spoke sites. The hub sites are connected to each other through high-speed WAN connections.
  • Hybrid Topology – The hybrid topology is a combination of any of the topologies mentioned.

When choosing a replication strategy you want to take into account the physical connectivity of your network: which sites are connected by slow links and which by fast ones, and which site link bridges need to be created.
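The topology you end up with is whatever the site link objects describe, and on a forest that has grown over time it is often not the one that was drawn on the whiteboard. The function below is an added example for this article, not code from the original; it assumes the RSAT ActiveDirectory module and read access to the configuration partition. It builds a graph in which two sites are neighbours whenever a site link includes both, reports each site's number of neighbours, runs a breadth-first search to find sites with no site-link path at all, and applies a rough heuristic (an assumption, not an AD rule) to label the shape as full mesh, hub-and-spoke or hybrid.

```powershell
Import-Module ActiveDirectory

# Turn "CN=Paris,CN=Sites,CN=Configuration,DC=..." into "Paris".
function Get-SiteName([string]$dn) { ($dn -split ',')[0] -replace '^CN=' }

function Get-SiteTopologySummary {
    $sites = Get-ADReplicationSite -Filter *
    $links = Get-ADReplicationSiteLink -Filter * -Properties SitesIncluded

    # Adjacency list keyed by site DN; a site link joins every pair of sites it includes.
    $adj = @{}
    foreach ($s in $sites) { $adj[$s.DistinguishedName] = New-Object 'System.Collections.Generic.HashSet[string]' }
    foreach ($l in $links) {
        foreach ($a in $l.SitesIncluded) {
            foreach ($b in $l.SitesIncluded) {
                if ($a -ne $b -and $adj.ContainsKey($a)) { [void]$adj[$a].Add($b) }
            }
        }
    }

    # Breadth-first search from an arbitrary site. A site not reached here has no
    # chain of site links to the rest of the forest and cannot replicate inter-site.
    # (Multi-hop paths additionally depend on site link bridging being enabled or
    # on explicit site link bridge objects; this check only covers raw connectivity.)
    $seen  = New-Object 'System.Collections.Generic.HashSet[string]'
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $start = $adj.Keys | Select-Object -First 1
    if ($start) { [void]$seen.Add($start); $queue.Enqueue($start) }
    while ($queue.Count -gt 0) {
        $cur = $queue.Dequeue()
        foreach ($n in $adj[$cur]) { if ($seen.Add($n)) { $queue.Enqueue($n) } }
    }

    $n = $adj.Count
    $degrees = foreach ($dn in $adj.Keys) {
        [pscustomobject]@{ Site = (Get-SiteName $dn); Neighbours = $adj[$dn].Count; Reachable = $seen.Contains($dn) }
    }

    # Heuristic shape label (assumption): every site linked to every other is a full
    # mesh; a few well-connected sites with many single-link sites looks like hub-and-spoke.
    $maxDeg = ($degrees | Measure-Object Neighbours -Maximum).Maximum
    $leaves = @($degrees | Where-Object Neighbours -eq 1).Count
    $shape = if ($n -gt 1 -and ($degrees | Where-Object Neighbours -ne ($n - 1)).Count -eq 0) { 'Full mesh' }
             elseif ($maxDeg -ge 3 -and $leaves -ge 2) { 'Hub and spoke (candidate)' }
             else { 'Hybrid / other' }

    [pscustomobject]@{
        SiteCount   = $n
        Shape       = $shape
        Unreachable = @($degrees | Where-Object { -not $_.Reachable } | ForEach-Object Site)
        Degrees     = $degrees
    }
}

# Usage: overall shape and any isolated sites, then the per-site neighbour counts.
$summary = Get-SiteTopologySummary
$summary | Format-List SiteCount, Shape, Unreachable
$summary.Degrees | Sort-Object Neighbours -Descending | Format-Table -AutoSize
```

Sites listed under Unreachable deserve immediate attention: domain controllers there will accumulate local changes that never leave the site, and they will never receive password changes, account lockouts or group policy updates made elsewhere. The neighbour counts are the quickest way to spot a hub that has quietly become a single point of failure in what was meant to be a hybrid design.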