Establishing Replication Path for new Domain Controllers
When you add domain controllers to a site, there must be a method for establishing a replication path between them.
Active Directory accomplishes this with replication components and the Knowledge Consistency Checker (KCC)[1].
Replication Components and the Knowledge Consistency Checker
Active Directory uses replication components and the Knowledge Consistency Checker (KCC) to establish a replication path between two components. Replication components are responsible for the actual replication of data between domain controllers, while the KCC is responsible for determining the most efficient replication topology based on the available network connections. When a new domain controller is added to a domain, the KCC is responsible for establishing a replication topology that connects the new domain controller with the other domain controllers in the domain. The KCC does this by analyzing the network topology and available connections to determine the most efficient replication path between domain controllers.
Once the KCC has determined the replication topology, replication components are used to replicate data between domain controllers. Active Directory uses two types of replication: intrasite replication, which occurs between domain controllers in the same site, and intersite replication, which occurs between domain controllers in different sites. Intrasite replication is handled by the replication engine, which replicates changes immediately between all domain controllers in the same site. Intersite replication, on the other hand, is handled by the intersite messaging service (ISM), which manages replication schedules and bandwidth usage between sites.
As data is replicated between domain controllers, the KCC continually monitors the replication topology and adjusts it as necessary to ensure optimal replication performance. This includes monitoring network connections for availability and adjusting replication paths based on changes to the network topology. Overall, Active Directory uses replication components and the KCC to establish and maintain an efficient replication topology, ensuring that changes made on one domain controller are quickly and accurately replicated to all other domain controllers in the domain.
Understanding Purpose of Replication Components
In Active Directory, the KCC automatically configures the connections between domain controllers for replication.
You can change those connections and create new connections; however, you should understand the purpose of the replication components before you modify the physical structure.
The KCC
The KCC is a built-in process on all domain controllers that creates, reviews, and makes modifications to the Active Directory replication topology (replication plan) at specified intervals to ensure that complete replication occurs. The KCC creates connections to keep your replication topology intact without manual intervention, even in the case of extended failures and outages. However, these connections can be created manually if they are not correctly configured; the KCC enables replication via a series of objects. To understand how the KCC functions, you need to understand server objects and computer objects.
Server Objects and Computer Objects: All computers running Windows 2000 in a domain are represented in Active Directory by a computer object. When you create a domain controller, the Active Directory Installation Wizard creates a secondary object that is distinct from the computer object for that domain controller. This is called a server object.
The Server Object, replication, and Site Management: Although the server object contains a reference to the corresponding computer object, and both objects refer to the same computer, the properties of each object type are different. The table below lists some of the differences between computer objects and server objects:
The server object
The computer object
Use
Represents domain controllers only
Represents all computers
Function
To manage the domain controller specifically in replication and site management
To manage authentication of the identity of the computer and audit activities associated with it
Access
Via Active Directory Sites and Services
Via Active Directory Users and Computers
You now know that server objects represent domain controllers, and domain controllers are used to replicate database information between sites. Because sites are also based on subnets, the site of the server object must be consistent with its IP subnet.
Where the necessary site object does not exist, the Active Directory Installation Wizard cannot place a server object in the proper location. To fix this problem, you must move a server object from one site to another to keep the server object's site consistent with its IP subnet. Replication starts with the server object and ends with the connection object.
As you saw above, the server object is the parent of an NTDS Settings object. The NTDS Settings object is a container for all connection objects for that server object and is created automatically when Active Directory is installed. The key to replication, however, is the connection object.
Connection object
A connection object[2] represents a one-way replication path between two server objects and points to the replication source. Domain controllers that are linked by a connection object are replication partners.
Creating connection objects for full replication
In Windows 2000 networks, unlike in NT domains, every domain controller can accept changes to the Active Directory database.
This means it is very important that two-way replication take place, so that all of domain controller A's changes are copied to domain controller B, and vice-versa. To replicate directory information between two domain controllers fully, two connection objects are required.
The following series of images reviews the replication path:
To replicate directory information between domain controller A and domain controller B fully, two connection objects are required.
One connection object enables replication from domain controller A to domain controller B
This connection object exists in the NTDS settings object of domain controller B.
A second connection object enables replication from the domain controller B to domain controller A.
This second connection object exists in the NTDS settings object of the domain controller A.
Methods of creating connection objects
To set up full replication, you need to create connection objects. There are two ways to create connection objects:
Automatically by the KCC running on the destination domain controlle
Manually by an administrator
In the next lesson, we will discuss intra- and intersite replication.
Creating Connection Objects
It is important that you be familiar with the steps required for complete replication between two domain controllers.
Click the link below to review this process for creating connection objects.
A connection object specifies which domain controllers replicate with which other domain controllers, how often, and which naming contexts are involved. Unlike sites, subnets, and site links, which you generally need to manually configure, connection objects are generally managed by the domain controllers themselves. The idea is that you should logically construct the site topology with good definitions for sites, subnets, and site links, and Active Directory will be able to figure out the best way to interconnect the actual domain controllers within and between the sites.
It is occasionally not possible to allow AD to manage all of these connections, but it is a very good goal to work toward, and you should endeavor not to modify or supplement connection objects unless you have no other choice. Earlier versions of Active Directory were not able to properly load balance replication connections between domain controllers, so a domain controller in a hub site could become overwhelmed with replication traffic from spoke domain controllers.
This scenario often caused administrators to opt to attempt to manage replication connections manually or with the Active Directory Load Balancing (ADLB) tool. Fortunately, beginning with Windows Server 2008, Active Directory gained the ability to automatically load balance replication connection to read-only domain controllers (RODCs).
Windows Server 2008 R2 extended this capability to load balancing of replication connections with all types of domain controllers.
You can view connection objects with AD Sites and Services as well as the Get- ADReplicationConnection cmdlet. Both the MMC snap-in and Windows PowerShell enable you to make changes to connection objects, and AD Sites and Services allows you to create new connection objects.
When you manually create or modify a connection object, Active Directory will no longer automatically manage that connection object.
With this in mind, you should endeavor not to manually edit or create connection objects and instead maintain an accurate site topology that the KCC can use to build and maintain the correct connection object topology.
If the name of the connection object in the MMC does not display as <automatically generated> that means that Active Directory is not managing the connection object.
Order for Creating connection objects in Active Directory
The correct order is as follows:
A connection object is created enabling replication from EXCALIBUR to EXCELSIOR.
A connection object appears in the NTDS settings of EXCELSIOR.
A connection object is created enabling replication from EXCELSIOR to EXCALIBUR.
A connection object appears in the NTDS settings of EXCALIBUR.
[1]Knowledge Consistency Checker (KCC): A built-in service that runs on all domain controllers and automatically establishes connections between individual machines in the same site.
[2]Connection object: An object that represents a one-way replication path between two server objects and points to the replication source.