Understanding ADAM replication and configuration sets
Applies To: Windows Server 2003 R2
Replication and configuration sets
Active Directory Application Mode (ADAM) uses replication to provide fault tolerance and load balancing for directory services. ADAM uses a type of replication called multimaster replication. Through replication, ADAM copies directory data updates that are made to a directory partition on one ADAM instance to other ADAM instances that hold copies of the same directory partition. ADAM instances that hold copies of the same directory partition or partitions form a logical grouping called a configuration set.
Multimaster replication
Multimaster replication simply means that you can make changes to directory data on any ADAM instance. ADAM replicates these changes to other members of the configuration set automatically. Multimaster replication is characterized by loose data consistency with convergence. When you make changes to data on a given directory partition at one ADAM instance, replicas of that directory partition that are stored on other ADAM instances become inconsistent with the most up-to-date replica of the directory partition (the partition where the changes were made). However, as changes get replicated through the configuration set, all partition replicas once again become identical; that is, they converge to the most recent data.
Configuration sets
ADAM instances replicate data based on participation in a configuration set. All ADAM instances that are joined to the same a configuration set must replicate a common configuration directory partition and a common schema directory partition. ADAM instances in a configuration set can also replicate any number of application directory partitions. ADAM instances in a configuration set are not required to replicate all application directory partitions in the configuration set. A single ADAM instance can replicate all—or any subset of—the application directory partitions in its configuration set. An ADAM instance cannot, however, replicate an application directory partition from a different configuration set. For more information about the types of directory partitions in ADAM, see Understanding ADAM data and data stores.
The following illustration shows an example of two ADAM configuration sets, each with two ADAM instances. As shown in the illustration, a single computer can run multiple ADAM instances, each in a different configuration set.
Note
An ADAM instance can be joined to a configuration set only during installation of the instance.
Preventing replication conflicts
What if two different users make changes to the same data on replicas of the same directory partition on two different ADAM instances? In such a case, each ADAM instance attempts to replicate the changes, creating a conflict. To resolve this conflict, replication partners that receive these conflicting changes examine the attribute data that is contained in the changes, each of which holds a version and a time stamp. ADAM instances accept the change with the higher version and discard the other change. If the versions are identical, ADAM instances accept the change with the more recent time stamp.
If two or more values in a multivalued attribute on an object are updated simultaneously on two different ADAM instances, only one of the updated values will be replicated. In other words, simultaneous updates to a multivalued attribute that occur on two different ADAM instances are considered in conflict, even if the updates apply to different values within the multivalued attribute. The only exception to this rule is for linked value attributes (such as group memberships), which do allow for simultaneous updates to different values within the linked value attribute.
Replication topology
Knowledge Consistency Checker (KCC), a process that runs as part of each ADAM instance, automatically constructs the most efficient topology for replication traffic to follow, based on the network. The KCC regularly recalculates the replication topology to adjust for any network changes that occur in the environment.
Note
An ADAM configuration set maintains its own replication topology, separate from any Active Directory replication topology that might also exist. Directory partitions cannot be replicated between ADAM instances and Active Directory domain controllers.
Ensuring replication security
To ensure replication security, ADAM authenticates replication partners before replication, and replication authentication always occurs over a secure channel. ADAM uses Security Support Provider Interface (SSPI) to establish the appropriate authentication security level between replication partners. The method used for replication authentication within a configuration set depends on the value of the msDS-ReplAuthenticationMode attribute on the configuration directory partition. After replication partners have successfully authenticated, all replication traffic between the two partners is encrypted.
The following table describes the security levels for replication authentication and the corresponding msDS-ReplAuthenticationMode attribute value for each security level. The default replication security level for a new, unique ADAM instance is 1, unless a local workstation user account is specified as the ADAM service account. If a local workstation account is specified as the ADAM service account, the replication security level is set to 0.
Replication security level | Authentication mode | Description | Supported environments |
---|---|---|---|
Mutual authentication with Kerberos |
2 |
Kerberos authentication, using service principal names (SPNs), required. If Kerberos authentication fails, the ADAM instances will not replicate. |
Configuration set must be fully contained in an Active Directory domain, forest, or forest trust. |
Negotiated |
1 |
Kerberos authentication (using SPNs) is attempted first. If Kerberos fails, NTLM authentication is attempted. If NTLM fails, the ADAM instances will not replicate. |
Configuration set can contain Microsoft® Windows NT® 4.0 member servers. |
Negotiated pass-through |
0 |
All ADAM instances in the configuration set use an identical account name and password as the ADAM service account. |
Configuration set can include computers that are joined to one or more workgroups or that are joined to multiple domains or forests without trust relationships. |
For information about modifying the replication security level of a configuration set, see Modify the replication security level of a configuration set.
To help maintain ADAM replication security, the following best practices are recommended:
Use the highest level of replication security that your environment can support.
In Active Directory environments, run ADAM on member servers, rather than on domain controllers, whenever possible.
If you run ADAM on a domain controller in an Active Directory environment, do not use the Network Service account as the ADAM service account. Instead, use a domain user account that does not have administrative privileges.
In workgroup and Windows NT 4.0 environments, do not use an account with administrative privileges as an ADAM service account.
Use separate configuration sets for applications with strict isolation requirements.
For more information about ADAM replication requirements for service accounts, see Selecting an ADAM service account. For more information about service principal names (SPNs) and replication security, see Administering ADAM service principal names.