What Is the Active Directory Replication Model?

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In this section

  • Replication Model Components

  • Technologies Related to Active Directory Replication

  • Active Directory Replication Dependencies

  • Related Information

Active Directory replication is the means by which changes to directory data are transferred between ___domain controllers in an Active Directory forest. The Active Directory replication model defines the mechanisms that allow directory updates to be transferred automatically between ___domain controllers to provide a seamless replication solution for the Active Directory distributed directory service.

Note

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to AD DS.

Note

  • This discussion of the replication model and related mechanisms for transferring directory data between ___domain controllers does not include the topic of replication topology. Replication topology is the set of connections that are generated by the Knowledge Consistency Checker (KCC) to enable replication to take place between ___domain controllers.

Active Directory is distributed by means of directory partitions. In addition to directory partitions that store forest-wide data, each ___domain controller stores a replica of a single ___domain directory partition, which contains data that is specific to one or more closely aligned business units—the users, computers, organizational units, and network resources that are managed by the same set of service and data administrators. Because each ___domain controller stores only one ___domain directory partition, Active Directory can scale to hundreds or thousands of domains storing millions of objects.

To efficiently synchronize data between ___domain controllers that store the same ___domain, Active Directory replication transfers updates according to directory partition. Each ___domain controller receives directory updates to the data that is stored in its ___domain only, as well as updates that are stored in the two directory partitions that store configuration and schema data for the forest.

Note

  • In Windows Server 2003 forests, ___domain controllers can also store application directory partitions, which store application data that can be replicated to only the ___domain controllers that store the directory partition, irrespective of ___domain.

Active Directory replication manages the transfer of these updates to the appropriate ___domain controllers automatically, keeping ___domain data up-to-date among all ___domain controllers in the ___domain, regardless of ___location. In the process, all ___domain controllers in the forest are also updated with changes to forest-wide data.

Replication Model Components

To globally distribute the directory service, the Active Directory replication model incorporates the components in the following table.

Replication Model Components and Advantages

  • Multimaster replication
    Description: Every ___domain controller can receive originating updates to data for which it is authoritative, rather than having a single ___domain controller that receives all original updates (single-master replication, such as Windows NT 4.0 replication).
    Advantage: Provides fault tolerance, eliminating the dependency on a single ___domain controller to maintain directory operations.

  • Pull replication
    Description: Domain controllers request (pull) changes rather than send (push) changes that might not be needed.
    Advantage: Reduces unnecessary network traffic.

  • Store-and-forward replication
    Description: Each ___domain controller communicates with a subset of ___domain controllers to transfer replication changes, rather than one ___domain controller being responsible for communicating with every other ___domain controller that requires the change.
    Advantage: Balances the replication load among many ___domain controllers.

  • State-based replication
    Description: Each ___domain controller tracks the state of replication updates.
    Advantage: Conflicts and unnecessary replication are reduced.

The Active Directory replication model ensures:

  • Domain controller availability. Multimaster replication ensures that all ___domain controllers are available for updates, eliminating the potential for slow service if only a single updatable ___domain controller were available.

  • Efficient transfer of data. State-based and pull replication ensures the minimum replication traffic and the maximum efficiency to retrieve only the changes that are needed.

  • Reliable consistency. Directory consistency is guaranteed within the same period of replication latency.

  • Conflict resolution. Even if two administrators change the same attribute on different ___domain controllers at the same time, conflict resolution ensures that only one of the values is replicated to all ___domain controllers.

Replication Latency

Multimaster replication involves latency — the period of time for an update that occurs on the originating ___domain controller to reach all other ___domain controllers that need it. To address replication latency, multimaster replication ensures loose consistency with convergence, as follows:

  • Loose consistency means that the replicas are not guaranteed to be consistent with each other at any particular point in time because changes can originate from any replica at any time.

  • Convergence means that if the system is allowed to reach a steady state in which no new updates are occurring and all previous updates have been completely replicated, all replicas of the same directory partition are guaranteed to converge on the same set of values.

With multimaster replication, it is not necessary for every ___domain controller to replicate with every other ___domain controller. Instead, the system implements a robust set of connections that determines which ___domain controllers replicate to which other ___domain controllers to ensure that networks are not overloaded with replication traffic and that replication latency is not so long that it inconveniences users. The set of connections through which changes are replicated to ___domain controllers in an enterprise is called the replication topology.

Although it involves latency, multimaster update capability provides high availability of write access to directory objects because several servers can contain writable copies of an object. Each ___domain controller in the ___domain can accept updates independently, without communicating with other ___domain controllers. Active Directory replication resolves any conflicts that occur when multiple updates are made to a single directory object.

State-based Vs. Log-based Replication

In state-based replication, each ___domain controller (master) in the multimaster system applies updates to its replica as they arrive, without maintaining a change log file. In a typical log-based replication system (also called “change-based”), each master keeps a log of the updates that it originated and communicates its log to every other replica. After a log has arrived at a replica, the replica applies the log, bringing itself more up-to-date. In this process, the destination receives and stores a record of all changes, not just the changes it needs.

Active Directory replication relies on the current “state” (the current values of all objects) of the source replica instead of logs. The current state includes metadata that is used to resolve conflicts and to avoid sending the full replica on each replication cycle.

Generally speaking, a directory partition replica maintains all of its objects in a list ordered by last modification. This list is a log of sorts, but one whose size is a tiny fraction of the size of the replica itself. A typical replication request can be satisfied by examining only the last few objects on the list because the replication destination server is aware of how much of its replication source’s list of changes have already been processed.
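The loose-consistency and convergence bullets, the conflict-resolution bullet, and the watermark over a list ordered by last modification described just above, as one added simulation (example code written for this page, not Microsoft's; the DomainController and Stamp classes are constructed, and the tie-break of version, then originating time, then originating DC is a simplification of the metadata AD carries with each attribute). Three replicas accept simultaneous originating writes, pull only what lies beyond their per-source watermark, and converge on one value without any replica ever shipping its full contents.

```python
from dataclasses import dataclass

@dataclass(order=True)
class Stamp:
    """Metadata carried with each value; compared field by field (simplified AD rule)."""
    version: int    # bumped on every originating write
    timestamp: int  # originating time
    origin: str     # originating DC name stands in for the DSA invocation ID

class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0         # local update sequence number counter
        self.state = {}      # (obj, attr) -> (value, Stamp): the replica's current state
        self.changed = {}    # (obj, attr) -> local USN of last modification (the ordered list)
        self.watermark = {}  # source name -> highest source USN already processed

    def originate(self, obj, attr, value, ts):
        """Originating write: bump the attribute version and stamp this DC as origin."""
        old = self.state.get((obj, attr))
        self._apply(obj, attr, value, Stamp(old[1].version + 1 if old else 1, ts, self.name))

    def _apply(self, obj, attr, value, stamp):
        current = self.state.get((obj, attr))
        if current and current[1] >= stamp:
            return False     # already have it, or our value wins the conflict
        self.usn += 1
        self.state[(obj, attr)] = (value, stamp)
        self.changed[(obj, attr)] = self.usn
        return True

    def pull_from(self, source):
        """Pull replication: ask only for items modified past our watermark for this source."""
        start = self.watermark.get(source.name, 0)
        pending = [k for k, u in sorted(source.changed.items(), key=lambda kv: kv[1]) if u > start]
        applied = sum(self._apply(*k, *source.state[k]) for k in pending)
        self.watermark[source.name] = source.usn
        return len(pending), applied  # (items received, items actually applied)

def converged(dcs):  # True once every replica holds identical values and stamps
    return all(dc.state == dcs[0].state for dc in dcs)

if __name__ == "__main__":  # ring A<->B, B<->C: A and C never replicate directly
    a, b, c = (DomainController(n) for n in ("DC-A", "DC-B", "DC-C"))
    a.originate("user1", "description", "set on A", ts=100)
    b.originate("user1", "description", "set on B", ts=100)  # conflicting simultaneous write
    c.originate("user2", "description", "set on C", ts=101)
    for _ in range(2): a.pull_from(b); b.pull_from(a); b.pull_from(c); c.pull_from(b)
    print(converged([a, b, c]), a.state[("user1", "description")][0])
```

The stamp fields are the same metadata (version, originating time, originating DSA) that a defender reads with repadmin /showobjmeta to attribute a replicated change to the ___domain controller where it originated.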

Multimaster Vs. Single-master Replication

Although a single-master model is adequate for a directory that has a small number of replicas and for an environment where all of the changes can be applied centrally, this approach does not scale beyond small organizations nor does it address the needs of decentralized organizations.

Multimaster replication provides the following advantages over single-master replication:

  • If one ___domain controller becomes inoperable, other ___domain controllers can continue to update the directory. In single-master replication, if the master becomes inoperable, directory updates cannot take place. For example, if the failed server holds your password and your password has expired, you cannot reset your password and therefore you cannot log on to the ___domain.

  • Servers that are capable of making changes to the directory can be distributed across the network and can be deployed in multiple locations.

  • By creating multiple replicas of the directory and keeping the replicas consistent, the directory service can handle more queries per second. Directory services must handle a large number of queries compared to the number of updates they must process. A typical ratio of queries to updates is 99:1.

Pull Vs. Push Replication

In push replication, a source ___domain controller sends unsolicited information to update a destination ___domain controller. Push replication is problematic because it is difficult for the source to know what information the destination needs. The destination can receive the same information from another source. Therefore, a source can send unnecessary information to a destination.

Technologies Related to Active Directory Replication

File Replication service (FRS) is related to Active Directory replication because it requires the Active Directory replication topology. FRS is a multimaster replication service that is used to replicate files and folders in the System Volume (SYSVOL) shared folder on ___domain controllers and in Distributed File System (DFS) shared folders. FRS works by detecting changes to files and folders and then replicating the updated files and folders to other replica members, which are connected in a replication topology.

FRS uses the replication topology that is generated by the KCC to replicate the SYSVOL files to all ___domain controllers in the ___domain. SYSVOL files are required by all ___domain controllers for Active Directory to function. For more information about FRS and how it uses the Active Directory replication topology, see “FRS Technical Reference.” For more information about SYSVOL, see “Data Store Technical Reference.” For more information about DFS, see “DFS Technical Reference.”

Active Directory Replication Dependencies

Active Directory replication has the following dependencies:

  • DNS. The Domain Name System (DNS) resolves DNS names to IP addresses. Active Directory requires that DNS is properly designed and deployed so that ___domain controllers can correctly resolve the DNS names of their replication partners.

  • Remote procedure call (RPC). Active Directory replication requires IP connectivity and the remote procedure call (RPC) protocol to transfer updates between replication partners.

  • Kerberos v5 authentication. Kerberos v5 is the protocol that provides the authentication and encryption required for all Active Directory RPC replication.

  • LDAP protocol. The primary access protocol for Active Directory. Replication of an entire replica of an Active Directory ___domain, as occurs when Active Directory is installed on an additional ___domain controller in an existing ___domain, uses LDAP communication rather than RPC.

The following diagram shows the interaction of these components within the replication process.

Replication Interactions with Other Technologies

Related Information

The following resources contain additional information that is relevant to this section.