Share via


What Is the Active Directory Replication Model?

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

What Is the Active Directory Replication Model?

In this section

  • Replication Model Components

  • Technologies Related to Active Directory Replication

  • Active Directory Replication Dependencies

  • Related Information

Active Directory replication is the means by which changes to directory data are transferred between domain controllers in an Active Directory forest. The Active Directory replication model defines the mechanisms that allow directory updates to be transferred automatically between domain controllers to provide a seamless replication solution for the Active Directory distributed directory service.

Note

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to AD DS.

Note

  • This discussion of the replication model and related mechanisms for transferring directory data between domain controllers does not include the topic of replication topology. Replication topology is the set of connections that are generated by the Knowledge Consistency Checker (KCC) to enable replication to take place between domain controllers.

Active Directory is distributed by means of directory partitions. In addition to directory partitions that store forest-wide data, each domain controller stores a replica of a single domain directory partition, which contains data that is specific to one or more closely aligned business units—the users, computers, organizational units, and network resources that are managed by the same set of service and data administrators. Because each domain controller stores only one domain directory partition, Active Directory can scale to hundreds or thousands of domains storing millions of objects.

To efficiently synchronize data between domain controllers that store the same domain, Active Directory replication transfers updates according to directory partition. Each domain controller receives directory updates to the data that is stored in its domain only, as well as updates that are stored in the two directory partitions that store configuration and schema data for the forest.

Note

  • In Windows Server 2003 forests, domain controllers can also store application directory partitions, which store application data that can be replicated to only the domain controllers that store the directory partition, irrespective of domain.

Active Directory replication manages the transfer of these updates to the appropriate domain controllers automatically, keeping domain data up-to-date among all domain controllers in the domain, regardless of location. In the process, all domain controllers in the forest are also updated with changes to forest-wide data.

Replication Model Components

To globally distribute the directory service, the Active Directory replication model incorporates the components in the following table.

Replication Model Components and Advantages

Component Description Advantage

Multimaster replication

Every domain controller can receive originating updates to data for which it is authoritative, rather than having a single domain controller that receives all original updates (single-master replication, such as Windows NT 4.0 replication).

Provides fault tolerance, eliminating the dependency on a single domain controller to maintain directory operations.

Pull replication

Domain controllers request (pull) changes rather than send (push) changes that might not be needed.

Reduces unnecessary network traffic.

Store-and-forward replication

Each domain controller communicates with a subset of domain controllers to transfer replication changes, rather than one domain controller being responsible for communicating with every other domain controller that requires the change.

Balances the replication load among many domain controllers.

State-based replication

Each domain controller tracks the state of replication updates.

Conflicts and unnecessary replication are reduced.

The Active Directory replication model ensures:

  • Domain controller availability. Multimaster replication ensures that all domain controllers are available for updates, eliminating the potential for slow service if only a single updatable domain controller were available.

  • Efficient transfer of data. State-based and pull replication ensures the minimum replication traffic and the maximum efficiency to retrieve only the changes that are needed.

  • Reliable consistency. Directory consistency is guaranteed within the same period of replication latency.

  • Conflict resolution. Even if two administrators change the same attribute on different domain controllers at the same time, conflict resolution ensures that only one of the values is replicated to all domain controllers.

Replication Latency

Multimaster replication involves latency — the period of time for an update that occurs on the originating domain controller to reach all other domain controllers that need it. To address replication latency, multimaster replication ensures loose consistency with convergence, as follows:

  • Loose consistency means that the replicas are not guaranteed to be consistent with each other at any particular point in time because changes can originate from any replica at any time.

  • Convergence means that if the system is allowed to reach a steady state in which no new updates are occurring and all previous updates have been completely replicated, all replicas of the same directory partition are guaranteed to converge on the same set of values.

With multimaster replication, it is not necessary for every domain controller to replicate with every other domain controller. Instead, the system implements a robust set of connections that determines which domain controllers replicate to which other domain controllers to ensure that networks are not overloaded with replication traffic and that replication latency is not so long that it inconveniences users. The set of connections through which changes are replicated to domain controllers in an enterprise is called the replication topology.

Although it involves latency, multimaster update capability provides high availability of write access to directory objects because several servers can contain writable copies of an object. Each domain controller in the domain can accept updates independently, without communicating with other domain controllers. Active Directory replication resolves any conflicts that occur when multiple updates are made to a single directory object.

State-based Vs. Log-based Replication

In state-based replication, each domain controller (master) in the multimaster system applies updates to its replica as they arrive, without maintaining a change log file. In a typical log-based replication system (also called “change-based”), each master keeps a log of the updates that it originated and communicates its log to every other replica. After a log has arrived at a replica, the replica applies the log, bringing itself more up-to-date. In this process, the destination receives and stores a record of all changes, not just the changes it needs.

Active Directory replication relies on the current “state” (the current values of all objects) of the source replica instead of logs. The current state includes metadata that is used to resolve conflicts and to avoid sending the full replica on each replication cycle.

Generally speaking, a directory partition replica maintains all of its objects in a list ordered by last modification. This list is a log of sorts, but one whose size is a tiny fraction of the size of the replica itself. A typical replication request can be satisfied by examining only the last few objects on the list because the replication destination server is aware of how much of its replication source’s list of changes have already been processed.

Multimaster Vs. Single-master Replication

Although a single-master model is adequate for a directory that has a small number of replicas and for an environment where all of the changes can be applied centrally, this approach does not scale beyond small organizations nor does it address the needs of decentralized organizations.

Multimaster replication provides the following advantages over single-master replication:

  • If one domain controller becomes inoperable, other domain controllers can continue to update the directory. In single-master replication, if the master becomes inoperable, directory updates cannot take place. For example, if the failed server holds your password and your password has expired, you cannot reset your password and therefore you cannot log on to the domain.

  • Servers that are capable of making changes to the directory can be distributed across the network and can be deployed in multiple locations.

  • By creating multiple replicas of the directory and keeping the replicas consistent, the directory service can handle more queries per second. Directory services must handle a large number of queries compared to the number of updates they must process. A typical ratio of queries to updates is 99:1.

Pull Vs. Push Replication

In push replication, a source domain controller sends unsolicited information to update a destination domain controller. Push replication is problematic because it is difficult for the source to know what information the destination needs. The destination can receive the same information from another source. Therefore, a source can send unnecessary information to a destination.

File Replication service (FRS) is related to Active Directory replication because it requires the Active Directory replication topology. FRS is a multimaster replication service that is used to replicate files and folders in the System Volume (SYSVOL) shared folder on domain controllers and in Distributed File System (DFS) shared folders. FRS works by detecting changes to files and folders and then replicating the updated files and folders to other replica members, which are connected in a replication topology.

FRS uses the replication topology that is generated by the KCC to replicate the SYSVOL files to all domain controllers in the domain. SYSVOL files are required by all domain controllers for Active Directory to function. For more information about FRS and how it uses the Active Directory replication topology, see “FRS Technical Reference.” For more information about SYSVOL, see “Data Store Technical Reference.” For more information about DFS, see “DFS Technical Reference.”

Active Directory Replication Dependencies

Active Directory replication has the following dependencies:

  • DNS. The Domain Name System (DNS) that resolves DNS names to IP addresses. Active Directory requires that DNS is properly designed and deployed so that domain controllers can correctly resolve DNS names of replication partners.

  • Remote procedure call (RPC). Active Directory replication requires IP connectivity and the Remote Procedure Call (RPC) to transfer updates between replication partners.

  • Kerberos v5 authentication. The authentication protocol for both authentication and encryption that is required for all Active Directory RPC replication.

  • LDAP protocol. The primary access protocol for Active Directory. Replication of an entire replica of an Active Directory domain, as occurs when Active Directory is installed on an additional domain controller in an existing domain, uses LDAP communication rather than RPC.

The following diagram shows the interaction of these components within the replication process.

Replication Interactions with Other Technologies

Replication Interactions with Other Technologies

The following resources contain additional information that is relevant to this section.