Domain Controllers - Part III: Domain Controllers and Site Replication

Forests, domains and organizational units are considered logical structure because they don’t follow any subnet or network boundary. The physical structure of the Active Directory, which uses subnet/network boundaries, consists of domain controllers and sites.

The computer that stores a replica (copy) of the account and security information of the domain and defines the domain is known as the domain controller. A Windows domain controller is a Windows server with an NTFS partition running Active Directory services. The directory data (account and security information) is stored in the NTDS.DIT file on an NTFS partition on the domain controller. Access to domain objects is controlled by access control lists (ACLs). ACLs contain the permissions associated with objects that control which users can gain access to an object and what type of access users can gain to the objects. Lastly, the domain controller manages user-domain interactions including user logon processes, authentication and directory searches.

Active Directory uses multi-master replication. This means that there is no master domain controller/primary domain controller as there was in Windows NT. Instead, all domain controllers store writable copies of the directory. When a change is made to the one of the domain controller, it is the job of the domain controller to replicate those changes to other domain controllers within the same domain within a short period of time. By adding a domain controller to a domain, the server is automatically configured for replication.

A site is one or more IP subnets connected by a high-speed link (128 Kbps or higher), typically defined by geographical locations. Sites are based on IP subnets of which any subnet can only belong to one site. Multiple subnets can be assigned to a single site. When a user logs on, Active Directory clients locate an Active Directory server in the same site as the user.

When an update occurs on a domain controller, the replication engine waits for a configurable interval, which is five minutes by default. It then sends a notification message to the first replication partner, informing it of the change. Each additional direct partner is notified after a configurable delay, which is 30 seconds by default. Items that are security-sensitive are immediately replicated and partners are notified immediately. If no changes occur during a configuration period, which is one hour by default, a domain controller initiates replication with its replication partners to ensure that no changes from the originating domain controller were missed.

One reason to use sites is to control replication traffic. When a domain controller replicates to another domain controller in a site, replication information is done without being scheduled. Urgent changes such as password changes, account lockout policy changes, freshly locked accounts and domain password policies are replicated immediately. In addition, the replication data sent is sent uncompressed, which keeps the domain controller processing down to a minimum.

The default replication pattern used by the Active Directory is optimized for a single location or site with high-speed connectivity. However if your network includes multiple locations or sites, the replication pattern would have to be configured so that a domain controller will replicate all changes to the domain controllers within a site and have a single domain controller to replicate across a slower WAN link to the other sites.

A bridgehead server is a single server located in each site that is designated to perform site-to-site replication. Bridgehead servers are designated automatically or they can be assigned manually by an administrator. The link between bridgehead servers are assigned schedules of what times of day the link is available to carry replication traffic. The replication interval indicates how often the bridgehead servers poll the other side of the link for replication changes.  

The first site in Active Directory is called “Default-First-Site-Name", which is created automatically for the administrator. This site is a member of the default site link called "DEFAULTIPSITELINK", which is also created automatically for the administrator. If the administrator creates two additional sites ("site1" and "site2" for example), the administrator must define a Site Link that each site is going to be a member of before they can be written to Active Directory.

By default, all site links are bridged or transitive; that is, all site links for a specific transport implicitly belong to a single site link bridge for that transport. If your IP network is not fully routed IP network, you do not need to configure any site link bridges. Replication within sites requires little or no planning because it is fully automatic. However, when you have multiple sites, you should use the following steps to optimize Active Directory synchronization traffic: 

1. Identify sites that are well connected through backbones, and create low-cost site links between these sites.
2. Identify sites that are all connected to each other with a comparable transport, and create medium-cost site links between them — for example, full mesh links (remote sites that are connected over telecommunication links), frame relay cloud links (a point-to-point system that uses a private virtual circuit), medium area network (MAN) links with T1 connections.
3. Identify remaining WAN links.
4. Create a site link for each pair of sites that cross a WAN link.
5. Create a schedule that meets user needs.
6. Avoid high-frequency times.

 Site Replication

• Replication traffic is not compressed to save processor processing.
• Replication partners notify each other when changes need to be replicated, to reduce replication latency.
• Replication partners poll each other for changes on a periodic basis.
• Replication uses the remote procedure call (RPC) transport.
• Replication connections can be created between any two domain controllers located in the same site. Connections can be made with multiple domain controllers to reduce replication latency.

 Inter-site Replication

• Replication traffic is compressed to save bandwidth.
• Replication partners do not notify each other when changes need to be replicated, to save bandwidth.
• Replication partners poll each other for changes on a specified polling interval, during scheduled periods only.
• Replication uses the TCP/IP or SMTP transport.
• Replication connections are only created between bridgehead servers (servers that handles all inter-site replication for that domain). Connections between bridgehead servers using the lowest cost route, according to site link cost. Connections will only be created over higher cost routes if all of the domain controllers in lower cost routes are unreachable.

As mentioned before, you should have more than one controller for fault tolerance and for faster authentication. Placing domain controllers and DNS Servers at the different physical sites greatly improves the performance of the directory in a wide area network (WAN) since authentication will be done locally and not through a slow WAN link. Of course, having multiple servers at a site will offer fault tolerance and load balancing for requests. In addition, don’t forget to have multiple global catalog servers. 

To create a site 

1. Click the Start button, select the Program option, select the Administrative Tools option and select the Active Directory Sites and Services option.
2. Right-click the Sites folder, and select the New Site option.
3. In Name, type the name of the new site
4. Click a site link object, and then click OK.
5. Associate a subnet with a site for this newly created site.
6. Move a domain controller from an existing site into this new site, or install a new domain controller.
7. If you want to choose a specific licensing computer, other than the one automatically selected, select another licensing computer.
8. Delegate control of the site.

 To create a site link 

1. Click the Start button, select the Program option, select the Administrative Tools option and select the Active Directory Sites and Services option.
2. In the console tree, right-click the inter-site transport protocol you want the site link to use, and then click New Site Link.
3. In Name, type the name to be given to the link.
4. Click two or more sites to connect, and then click Add.
5. Configure the site link's cost, schedule, and replication frequency by Right-clicking the site link that you want to configure and select the Properties option.

Note: If you create a site link that uses SMTP, you must have an enterprise certification authority (Enterprise CA) available and SMTP must be installed on all domain controllers that will use the site link.  

To create a site link bridge 

1. Click the Start button, select the Program option, select the Administrative Tools option and select the Active Directory Sites and Services option.
2. In the console tree, right-click the inter-site transport folder for which you want to create a new site link bridge, and then click New Site Link Bridge.
3. In Name, type a name for the site link bridge.
4. Click two or more site links to be bridged, and then click Add.

Note: If you have enabled Bridge all site links, this procedure is redundant and will have no effect.