How the Active Directory Replication Model Works

Updated: July 16, 2009
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2

In this section
  Active Directory Replication Model Architecture
  Active Directory Replication Model Physical Structure
  Active Directory Data Updates
  Domain Controller Notification of Changes
  Identifying and Locating Replication Partners
  Urgent Replication
  Network Ports Used by Active Directory Replication
  Related Information

Active Directory data takes the form of objects that have properties, or attributes. Each object is an instance of an object class, and object classes and their respective attributes are defined in the Active Directory schema. The values of the attributes define the object, and a change to the value of an attribute must be transferred from the domain controller on which it occurs to every other domain controller that stores a replica of that object.

Note: In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information also applies to AD DS.

Thus, Active Directory replicates directory data updates at the attribute level. In addition, updates from the same directory partition are replicated as a unit to the corresponding replica on the destination domain controller over the same connection, to optimize network usage.

The information in this section applies to organizations that are designing, deploying, or operating an Active Directory infrastructure that satisfies the following requirements:
  A Domain Name System (DNS) infrastructure is in place that manages name resolution for domain controllers in the forest. Active Directory-integrated DNS is assumed, wherein DNS zone data is stored in Active Directory and is replicated to all domain controllers that are DNS servers.
  All Active Directory sites have local area network (LAN) connectivity.
  IP connectivity is available between all datacenter locations and branch sites.

The limits for data that can be replicated in one replication cycle are as follows:
  Values that can be transferred in one replication cycle (replication of the current set of updates between a source and destination domain controller): no limit.
  Values that can be transferred in one replication packet: approximately 100. Replication exchanges continue during the course of one replication cycle until no values are left to send.
  Values that can be written in a single database transaction: 5,000. The effect of this limit depends on the forest functional level:
    Windows 2000 forest functional level: The minimum unit of replication at this level is the entire attribute. Therefore, a change to any value of the linked, multivalued member attribute results in replication of the entire attribute, which must then be written in one transaction. For this reason, the supported size of a group membership is limited to 5,000.
    Windows Server 2003 or Windows Server 2003 interim forest functional level: The minimum unit of replication is a single value of a linked, multivalued attribute. Therefore, the limitation on group membership is effectively removed.

This section covers the interactions that take place between individual domain controllers to synchronize directory data in an Active Directory forest.
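The forest-functional-level difference above is not only a size limit; it also decides what happens when two domain controllers edit the same group before they replicate. The following added example is not from the original Microsoft article and is a simplified model written for this page, not the Active Directory implementation. It replays the same scenario twice: once with the whole member attribute as the unit of replication (Windows 2000 forest functional level) and once with linked-value replication (Windows Server 2003 forest functional level). The class names, the integer originating times, the seed stamp and the use of a plain DSA name as the final tie-breaker (real AD compares invocation-ID GUIDs) are assumptions made for the example.

```python
"""Concurrent group-membership edits under whole-attribute vs linked-value replication.

Simplified model written for this page; not the Active Directory implementation.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    """Replication stamp, compared in AD's conflict-resolution order:
    version, then originating time, then originating DSA (a GUID in real AD;
    a plain name here is an assumption for the example)."""
    version: int
    originating_time: int
    originating_dsa: str


class WholeAttributeReplica:
    """Windows 2000 forest functional level: the whole 'member' attribute is the
    unit of replication and carries a single stamp, so every value must be
    written in one transaction (hence the 5,000-member limit)."""

    def __init__(self, dsa, values, stamp):
        self.dsa = dsa
        self.values = set(values)
        self.stamp = stamp

    def originate(self, op, value, at):
        if op == "add":
            self.values.add(value)
        else:
            self.values.discard(value)
        self.stamp = Stamp(self.stamp.version + 1, at, self.dsa)

    def replicate_from(self, source):
        # One stamp for the attribute: the higher stamp wins wholesale and the
        # losing DC's own, not-yet-replicated edits are overwritten.
        if source.stamp > self.stamp:
            self.values = set(source.values)
            self.stamp = source.stamp


class LinkedValueReplica:
    """Windows Server 2003 forest functional level (linked-value replication):
    each value of 'member' has its own presence flag and stamp."""

    def __init__(self, dsa, values, stamp):
        self.dsa = dsa
        self.links = {v: (True, stamp) for v in values}

    def originate(self, op, value, at):
        _, old = self.links.get(value, (False, Stamp(0, 0, self.dsa)))
        self.links[value] = (op == "add", Stamp(old.version + 1, at, self.dsa))

    def replicate_from(self, source):
        # Conflicts are resolved per value, so independent adds on two DCs
        # both survive; a removal is a stamped "absent" link, not a deletion.
        for value, (present, stamp) in source.links.items():
            mine = self.links.get(value)
            if mine is None or stamp > mine[1]:
                self.links[value] = (present, stamp)

    @property
    def values(self):
        return {v for v, (present, _) in self.links.items() if present}


def run_scenario(replica_cls):
    """Two DCs start in sync with member={alice}. Before either replicates,
    dc1 adds bob and dc2 adds carol. Returns (dc1 members, dc2 members)
    after a full exchange in both directions."""
    seed = Stamp(1, 0, "dc1")                      # constructed initial state
    dc1 = replica_cls("dc1", {"alice"}, seed)
    dc2 = replica_cls("dc2", {"alice"}, seed)
    dc1.originate("add", "bob", at=10)
    dc2.originate("add", "carol", at=11)
    dc1.replicate_from(dc2)
    dc2.replicate_from(dc1)
    return dc1.values, dc2.values


if __name__ == "__main__":
    for cls in (WholeAttributeReplica, LinkedValueReplica):
        print(cls.__name__, run_scenario(cls))
```

In the whole-attribute run both domain controllers converge, but on {alice, carol}: dc1's addition of bob is silently discarded because dc2's later stamp wins the entire attribute. In the linked-value run both converge on {alice, bob, carol}. Silent loss of a membership change is the practical reason to avoid concurrent group edits on different domain controllers at the Windows 2000 forest functional level, and why the page says the 5,000 limit is tied to replicating (and writing) the whole attribute at once.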

Active Directory Replication Model Architecture

Active Directory replication operates within the directory service component of the security subsystem. The directory service component, Ntdsa.dll, is accessed through the Lightweight Directory Access Protocol (LDAP) network protocol and the LDAP C application programming interface (API) for directory service updates, as implemented in Wldap32.dll. The updates are transported over Internet Protocol (IP) as packaged by the replication remote procedure call (RPC) protocol. Simple Mail Transfer Protocol (SMTP) can also be used to prepare non-domain updates (SMTP is never used for a domain directory partition) for Transmission Control Protocol (TCP) transport over IP.

The Directory Replication System (DRS) client and server components interact to transfer and apply Active Directory updates between domain controllers.

When SMTP is used for the replication transport, Ismserv.exe on the source domain controller uses the Collaborative Data Object (CDO) library to build an SMTP file on disk with the replication data as the attached mail message. The message file is placed in a queue directory. When the mail is scheduled for transfer by the mail server application, the SMTP service (Smtpsvc) delivers the mail message to the destination domain controller over TCP/IP and places the file in the drop directory on the destination domain controller. Ismserv.exe applies the updates on the destination.

The following diagram shows the client-server architecture for replication clients and LDAP clients.

(Diagram: Replication and LDAP Client-Server Architecture)

The following table describes the replication architecture components.

Replication Architecture Components
  Ntdsapi.dll: Manages communication with the directory service over RPC.
  Private DRS client: Private version of Ntdsapi.dll that runs on domain controllers to make RPC calls for replication.
  Wldap32.dll: Client library with APIs for access to the directory service.
  Asn.1: Encodes and decodes LDAP requests for transport over TCP/IP or UDP/IP.
  Drs.idl: Set of functions for replication (for example, Get-Changes) and maintenance (for example, Get replication status).
  MAPI (address book): Entry protocol for address book applications such as Microsoft Outlook.
  Domain rename: Carries out domain rename instructions.
  Ntdsa.dll: The directory service module, which supports the Windows Server 2003 and Windows 2000 replication protocol and LDAP, and manages partitions of data.
  ISMServ.exe: Prepares replication data in e-mail message format for SMTP protocol transport.
  CDO library: Used by Ismserv.exe to package replication data into a mail message.
  Smtpsvc: SMTP service.

Note: If Windows NT 4.0 backup domain controllers (BDCs) are operating in the forest, Windows NT 4.0 Net APIs provide an entry to the security accounts manager (SAM) on the primary domain controller (PDC) emulator.

The protocols that are used by Active Directory replication are described in the following table. RPC and SMTP are the replication transport protocols. LDAP is a directory access protocol, and IP is a network wire protocol.

Active Directory Access and Replication Protocols
  LDAP: The primary directory access protocol for Active Directory. Windows Server 2003 family, Windows XP, Windows 2000 Server family, and Windows 2000 Professional clients, as well as Windows 98, Windows 95, and Windows NT 4.0 clients that have the Active Directory client components installed, use LDAP v3 to connect to Active Directory.
  IP: Routable protocol that is responsible for the addressing, routing, and fragmenting of packets by the sending node. IP is required for Active Directory replication.
  Replication RPC: The Directory Replication Service (Drsuapi) RPC protocol, used for replication between domain controllers and, in support of administration and monitoring of Active Directory replication, to communicate replication status, replication topology and network topology from a client running administrative tools to a domain controller. RPC is required by Active Directory replication.
  Replication Simple Mail Transfer Protocol (SMTP): Replication protocol that can be used by Active Directory replication over IP network transport, for message-based replication between sites only and for non-domain replication only.

Replication Subsystem

Within the directory service component of the Active Directory architecture, the replication subsystem interacts with the operational layer to implement replication changes on the destination domain controller. The replication subsystem also determines the changes that a replication partner already has or those that are needed. The database layer manages the database capability of the directory service. The extensible storage engine (Esent.dll) communicates directly with individual records in the directory data store.

The following diagram shows the replication subsystem components.

(Diagram: Replication Subsystem Components)

The components of the replication subsystem are described in the following table.

Replication Subsystem Components
  Ntdsa.dll: Directory system agent (DSA), which provides the interfaces through which directory clients and other directory servers gain access to the directory database.
  Replication: Directory Replication System (DRS) interface, which communicates with the database through RPC.
  Operational layer: Performs low-level operations on the database without regard for protocol.
  Database layer: API that resides within Ntdsa.dll and provides an interface between applications and the directory database, to protect the database from direct interaction with applications.
  Extensible storage engine (ESE): Manages the tables of records, each with one or more columns, that comprise the directory database.
  Ntds.dit: The directory database file.

Active Directory Replication Model Physical Structure

The Active Directory replication model components that determine how Active Directory replication functions between domain controllers are associated with mechanisms that effect automatic transfer of changes between replicating domain controllers, as described in the following table.

Active Directory Replication Model Components and Related Mechanisms
  Multimaster replication: All domain controllers accept LDAP requests for changes to attributes of Active Directory objects for which they are authoritative, subject to the security constraints that are in place. Each originating update is replicated to one or more other domain controllers, which record it as a replicated update. Related mechanisms: LDAP update, directory partitions, change notification, change tracking, conflict resolution.
  Pull replication: When an update occurs on a domain controller, it notifies its replication partner. The partner domain controller responds by requesting (pulling) the changes from the source domain controller. Related mechanisms: DNS name resolution, Kerberos authentication, change tracking, change notification, change request.
  Store-and-forward replication: Domain controllers store changes received from replication partners and forward the changes to other domain controllers, so that the originating domain controller for each change is not required to transfer changes to every other domain controller that requires the change. Related mechanisms: change tracking, Kerberos authentication, DNS name resolution, change notification, change request.
  State-based replication: Active Directory replication is driven by the difference between the current "state" (the current values of all attributes) of the directory partition replica on the source and destination domain controllers. This state includes metadata that is used to resolve conflicts and to avoid sending the full replica on each replication cycle. Related mechanisms (change-tracking metadata): update sequence number (USN) counter, up-to-dateness vector, high-watermark.

These mechanisms are implemented by the replication system in a sequence of events that occurs between two domain controllers. The following diagram shows a simplified version of the sequence between source and destination domain controllers when the source initiates replication by sending a change notification.

(Diagram: Replication Sequence)
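The three pieces of change-tracking metadata named above are what make pull and store-and-forward replication converge without resending the whole replica. The following added example is not part of the original article and is a simplified model written for this page, not the Ntdsa.dll implementation. It simulates three domain controllers: dc1 originates two writes to one attribute, dc2 pulls them (receiving only the current value), dc3 pulls from dc2 (store-and-forward), and a later pull by dc3 directly from dc1 is dampened by dc3's up-to-dateness vector. The DC names, the distinguished name, the integer originating times, the use of a plain name where real AD uses an invocation-ID GUID, and the dictionary-based store are constructed for the example; change notification is represented by the order in which pull_from is called.

```python
"""State-based pull replication with USNs, high-watermarks and an up-to-dateness vector.

Simplified model written for this page; not the Ntdsa.dll implementation.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Meta:
    """Per-attribute replication metadata (what repadmin /showobjmeta displays)."""
    version: int
    originating_time: int
    originating_dsa: str   # invocation ID in real AD; a name here is an assumption
    originating_usn: int   # USN on the originating DC
    local_usn: int         # USN assigned when this DC wrote the value

    def stamp(self):
        # Conflict-resolution order: version, then time, then originating DSA
        return (self.version, self.originating_time, self.originating_dsa)


class DomainController:
    def __init__(self, name: str):
        self.name = name
        self.usn = 0                                         # local USN counter
        self.store: Dict[str, Dict[str, Tuple[str, Meta]]] = {}
        self.high_watermark: Dict[str, int] = {}             # per source partner
        self.utd_vector: Dict[str, int] = {}                 # per originating DSA

    def _next_usn(self) -> int:
        self.usn += 1
        return self.usn

    def originate(self, dn: str, attr: str, value: str, at: int) -> None:
        """Originating update: a local LDAP write, stamped with this DC's USN."""
        usn = self._next_usn()
        attrs = self.store.setdefault(dn, {})
        version = attrs[attr][1].version + 1 if attr in attrs else 1
        attrs[attr] = (value, Meta(version, at, self.name, usn, usn))
        self.utd_vector[self.name] = usn

    def get_changes(self, high_watermark: int, dest_utd: Dict[str, int]):
        """Source side of a change request (the DRS Get-Changes call, simplified)."""
        out = []
        for dn, attrs in self.store.items():
            for attr, (value, m) in attrs.items():
                if m.local_usn <= high_watermark:
                    continue   # destination already pulled past this USN
                if dest_utd.get(m.originating_dsa, 0) >= m.originating_usn:
                    continue   # propagation dampening: it got this change another way
                out.append((dn, attr, value, m))
        out.sort(key=lambda c: c[3].local_usn)
        return out, self.usn, dict(self.utd_vector)

    def pull_from(self, source: "DomainController") -> int:
        """Destination side: pull from one partner (triggered in AD by the
        source's change notification or by schedule). Returns changes applied."""
        hw = self.high_watermark.get(source.name, 0)
        changes, new_hw, src_utd = source.get_changes(hw, self.utd_vector)
        applied = 0
        for dn, attr, value, m in changes:
            attrs = self.store.setdefault(dn, {})
            current = attrs.get(attr)
            if current is not None and current[1].stamp() >= m.stamp():
                continue   # our value wins the conflict; keep it
            # Replicated update: keep originating metadata, assign a new local USN
            attrs[attr] = (value, Meta(m.version, m.originating_time,
                                       m.originating_dsa, m.originating_usn,
                                       self._next_usn()))
            applied += 1
        self.high_watermark[source.name] = new_hw
        for dsa, usn in src_utd.items():
            self.utd_vector[dsa] = max(self.utd_vector.get(dsa, 0), usn)
        return applied

    def value(self, dn: str, attr: str) -> str:
        return self.store[dn][attr][0]


def run_scenario() -> dict:
    """dc1 originates twice; dc2 pulls; dc3 gets the change from dc2 and is then
    spared a resend from dc1 by its up-to-dateness vector."""
    dc1, dc2, dc3 = (DomainController(n) for n in ("dc1", "dc2", "dc3"))
    dn, attr = "CN=alice,OU=Users,DC=corp,DC=example", "description"  # constructed
    dc1.originate(dn, attr, "draft", at=100)
    dc1.originate(dn, attr, "final", at=101)      # second write before any pull
    r = {}
    r["dc2_from_dc1"] = dc2.pull_from(dc1)        # 1: only the current value ships
    r["dc3_from_dc2"] = dc3.pull_from(dc2)        # 1: store-and-forward via dc2
    r["dc3_from_dc1"] = dc3.pull_from(dc1)        # 0: dampened by the UTD vector
    r["dc1_from_dc3"] = dc1.pull_from(dc3)        # 0: dc1 originated it
    r["values"] = tuple(dc.value(dn, attr) for dc in (dc1, dc2, dc3))
    r["origin"] = tuple(dc.store[dn][attr][1].originating_dsa for dc in (dc1, dc2, dc3))
    r["versions"] = tuple(dc.store[dn][attr][1].version for dc in (dc1, dc2, dc3))
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

Two details are worth noting. The high-watermark is per source partner and is a local USN on that partner, so it only filters what that one partner has already sent; the up-to-dateness vector is keyed by originating DSA and is what prevents dc1 from sending dc3 a change dc3 already received through dc2. The originating DSA and originating USN survive every hop unchanged, which is why an investigator can trace a suspicious attribute change back to the domain controller it was made on with repadmin /showobjmeta, and compare partner convergence with repadmin /showutdvec.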

Active Directory Data Updates

When a change is made to an object in a directory partition, the value of the changed attribute or attributes must be updated on all domain controllers that store a replica of the same directory partition. Domain controllers communicate data updates automatically through Active Directory replication. Their communication about updates is always specific to a single directory partition at a time.

Active Directory data is logically partitioned so that all domain controllers in the forest do not store all objects in the directory. Active Directory objects are instances of schema-defined classes, which consist of named sets of attributes. Schema definitions determine whether an attribute can be administratively changed. Attributes that cannot be changed are never updated and therefore never replicated. However, most Active Directory objects have attribute values that can be updated.

Different categories of data are stored in replicas of different directory partitions, as follows:
  Domain data, stored in domain directory partitions: Every domain controller stores one writable domain directory partition. A domain controller that is a global catalog server stores one writable domain directory partition and a partial, read-only replica of every other domain in the forest. Global catalog read-only replicas contain a partial set of attributes for every object in the domain.
  Configuration data: Every domain controller stores one writable configuration directory partition that stores forest-wide data controlling site and replication operations.
  Schema data: Every domain controller stores one writable schema partition that stores schema definitions for the forest. Although the schema directory partition is writable, schema updates are allowed on only the domain controller that holds the role of schema operations master.
  Application data: Domain controllers that are running Windows Server 2003 can store directory partitions that store application data. Application directory partition replicas can be replicated to any set of domain controllers in a forest, irrespective of domain.

Changes to Attributes

Active Directory updates originate on one domain controller (originating updates), and the same update is subsequently made on other domain controllers during the replication process (replicated updates). Object update behavior is consistent and predictable: when a set of changes is made to a specific directory partition replica, those changes will be propagated to all other domain controllers that store replicas of the directory partition. How soon the changes are applied depends on the distance between the domain controllers and whether the change must be sent to other sites.

The following key points are central to understanding the behavior of Active Directory updates:
  Changes occur at the attribute level; only the changed attribute value is replicated, not the entire object.
  At the time of replication, only the current value of an attribute that has changed is replicated. If an attribute value has changed multiple times between replication cycles (for example, between scheduled occurrences of intersite replication), only the current value is replicated.
  The smallest change that can be replicated in Windows 2000 Active Directory is an entire attribute; even if the attribute is linked and multivalued, all values replicate as a single change.
  The smallest change that can be
