Does Active Directory have two types of replication?
I have been working on various networking and security projects lately that involve Active Directory (AD) and have noticed that our clients are still using old Microsoft AD versions. Here are a few things I've learned along the way about AD and some of the efficiencies gained when upgrading to a "more recent" version.
If you've been using Microsoft AD since the 2003 version or earlier, there is a good chance that you are still using an old and inefficient method of SYSVOL replication known as the File Replication Service (FRS) rather than the more modern Distributed File System Replication (DFSR). Running an old version of software is not by itself a reason to move to a new one, but in this case there are many reasons to research the new method and upgrade if the improvements warrant the change.

Why is DFSR better than FRS?
Both methods replicate the SYSVOL folder (Group Policy templates and logon scripts) between domain controllers, but they do so very differently. FRS can only replicate whole files, so a small change to a large file sends the entire file to every partner. DFSR uses remote differential compression to send only the changed portions of a file. This greatly reduces the amount of data that must move between domain controllers and can significantly reduce WAN capacity requirements for larger environments. As you might guess, DFSR is the replication engine of the Microsoft Distributed File System, which has many other uses. Beyond efficiency, here are several other reasons to move to DFSR:
The original plan was for Windows Server 2016 to have no support for FRS. At the last minute Microsoft changed that plan, which is a good indication that many customers had not yet made the move to DFSR. It would be a large surprise for this reprieve to carry through to 2016 R2 or whatever the next Windows Server release is called, as it has been more than a decade since there were any changes to the FRS code. Later releases bore this out: Windows Server 2019 and newer refuse to promote a new domain controller into a domain whose SYSVOL is still replicated by FRS.

It is very easy to determine which replication method your environment is currently using. From PowerShell or an administrative command prompt on a domain controller, run:

dfsrmig /getmigrationstate

If you are using FRS, the output reports the global state as "Start" and says "All Domain Controllers have migrated successfully" (screen capture in the original). That statement is deceiving: the "Start" state means FRS is still in use for the domain and that migration has not started, much less completed, as the word "successfully" implies.

If you are using DFSR, the output reports the global state as "Eliminated" (screen capture in the original). Any result that differs from these two examples indicates a partial migration. As before, the terminology is a bit odd, as "Eliminated" does not usually sound like a desired state for anything. In this case, however, it is exactly where you want to be, because it indicates that FRS has been completely eliminated from your AD replication process.

The Microsoft guide for DFSR migration can be found at the following link: https://www.microsoft.com/en-us/download/details.aspx?id=4843 The guide is 52 pages long and fully explains what is required to accomplish this task. If your internal IT staff does not have the needed training or experience, or simply does not have the time to devote to this task, then we would be glad to help. If you do choose to do this on your own, do not be alarmed if the first of the three migration stages (Prepared, Redirected, Eliminated) takes a long time. Depending on the size of your domain and other factors, this stage can take hours or even days to complete. After you have completed the migration, you will enjoy faster and more reliable replication, reduced bandwidth usage between sites, and more options for instrumenting this critical part of your Active Directory infrastructure to keep tabs on its health.
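The following PowerShell script is an added example and not code from the original post. It performs the same check in a scriptable way and goes a step further than the single dfsrmig command: it reads the global migration state straight from the msDFSR-Flags attribute of the domain's DFSR-GlobalSettings object (assumed here to carry the values 0, 16, 32 and 48 for Start, Prepared, Redirected and Eliminated, as documented in the migration guide), runs dfsrmig on the PDC emulator and extracts only the quoted state name so the misleading "migrated successfully" wording cannot confuse anyone, and then checks every domain controller for the state of the NtFrs and DFSR services and the path behind its SYSVOL share. It assumes the RSAT ActiveDirectory module, WinRM access to the PDC emulator and CIM (WMI) access to each DC; no hostnames or domain names are hard-coded and nothing is changed.

```powershell
# Added example (not from the original post): report which engine replicates
# SYSVOL in the current domain, from the authoritative global state in AD and
# from a per-DC sanity check. Read-only; needs RSAT ActiveDirectory, WinRM to
# the PDC emulator and CIM access to every DC.
Import-Module ActiveDirectory

# msDFSR-Flags values that dfsrmig writes to CN=DFSR-GlobalSettings
# (assumed mapping, taken from the DFSR migration guide).
$GlobalStateNames = @{ 0 = 'Start'; 16 = 'Prepared'; 32 = 'Redirected'; 48 = 'Eliminated' }

function Get-SysvolGlobalState {
    # Read the global migration state directly from AD, no dfsrmig parsing needed.
    $domain = Get-ADDomain
    $dn     = "CN=DFSR-GlobalSettings,CN=System,$($domain.DistinguishedName)"
    $obj    = Get-ADObject -Identity $dn -Properties 'msDFSR-Flags' -ErrorAction SilentlyContinue
    # A domain that never began migrating either lacks the object or has no flags:
    # both mean 'Start', i.e. FRS is still replicating SYSVOL.
    $flags = if ($obj -and $null -ne $obj.'msDFSR-Flags') { [int]$obj.'msDFSR-Flags' } else { 0 }
    $name  = if ($GlobalStateNames.ContainsKey($flags)) { $GlobalStateNames[$flags] } else { "Unknown($flags)" }
    [pscustomobject]@{
        Domain          = $domain.DNSRoot
        Flags           = $flags
        State           = $name
        FrsStillPresent = ($flags -ne 48)   # anything short of Eliminated still runs FRS
    }
}

function Get-DfsrmigGlobalState {
    # dfsrmig.exe exists only on domain controllers, so run it on the PDC emulator.
    # Only the quoted state name is worth reading; the "migrated successfully"
    # sentence appears even in the Start state.
    $pdc = (Get-ADDomain).PDCEmulator
    $out = Invoke-Command -ComputerName $pdc -ScriptBlock { dfsrmig.exe /getmigrationstate } | Out-String
    if ($out -match "'(Start|Prepared|Redirected|Eliminated)'") { $Matches[1] } else { 'Unknown (inspect raw output)' }
}

function Get-SysvolDcStatus {
    # Per-DC view: which replication service is running and where SYSVOL is served from.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $svc   = Get-CimInstance -ClassName Win32_Service -ComputerName $dc.HostName `
                     -Filter "Name='NtFrs' OR Name='DFSR'" -ErrorAction SilentlyContinue
        $share = Get-CimInstance -ClassName Win32_Share -ComputerName $dc.HostName `
                     -Filter "Name='SYSVOL'" -ErrorAction SilentlyContinue
        $frs  = ($svc | Where-Object Name -eq 'NtFrs').State
        $dfsr = ($svc | Where-Object Name -eq 'DFSR').State
        [pscustomobject]@{
            DC         = $dc.HostName
            Site       = $dc.Site
            NtFrs      = if ($frs)  { $frs }  else { 'absent' }
            DFSR       = if ($dfsr) { $dfsr } else { 'absent' }
            SysvolPath = $share.Path              # ...\SYSVOL_DFSR\sysvol after a migration
            # Heuristic only: in the Prepared and Redirected states both services run.
            DfsrOnly   = ($dfsr -eq 'Running') -and ($frs -ne 'Running')
        }
    }
}

$global = Get-SysvolGlobalState
$global | Format-List
"dfsrmig reports global state: $(Get-DfsrmigGlobalState)"
Get-SysvolDcStatus | Format-Table -AutoSize
if ($global.FrsStillPresent) {
    Write-Warning "SYSVOL in $($global.Domain) still depends on FRS (state '$($global.State)'); plan the DFSR migration."
}
```

The per-DC table is a sanity check rather than a source of truth: a DC that still shows NtFrs running after the global state reads Eliminated has not finished its own transition, and a DC created in a domain that was born on DFSR will serve SYSVOL from the plain SYSVOL folder rather than SYSVOL_DFSR, which is normal.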
How does replication work in Active Directory?
The replication topology is built by the Knowledge Consistency Checker (KCC), which runs on every domain controller. Within a site the KCC creates connection objects between DCs automatically, as a ring with extra connections so that no DC is more than three hops from any other. Between sites the KCC instance on the DC holding the Intersite Topology Generator (ISTG) role builds connections according to the site links an administrator has defined. The KCC reads configuration data and reads and writes connection objects for DCs. Replication traffic between DCs within a site uses RPC over IP; intersite replication uses RPC over IP or, for the schema, configuration and application partitions only, SMTP.

What is inbound and outbound replication in Active Directory?
Inbound replication is the incoming data transfer from a replication partner to a DC, and outbound replication is the data transfer from a DC to its replication partners. AD replication is pull-based: a destination DC requests changes from its source rather than the source pushing them, so the same change appears as outbound on the DC where it was made and as inbound on every partner that pulls it.

What type of replication does Active Directory implement between domain controllers?
AD departed from the single-master PDC/BDC model of Windows NT and uses a multi-master approach for directory data. As the name suggests, each domain controller holds a writable copy of the directory and replicates its changes to the other domain controllers, with conflicting updates resolved by version number and timestamp. The exception is the five Flexible Single Master Operations (FSMO) roles (schema master, domain naming master, RID master, PDC emulator and infrastructure master), each held by exactly one DC at a time; read-only domain controllers also replicate inbound only.

What is urgent replication in Active Directory?
Urgent replication uses the same change notification mechanism as normal replication between destination and source DC pairs that already use change notification, but the notification is sent immediately in response to urgent events instead of after the default delay (15 seconds on Windows Server 2003 and later). Events treated as urgent include an account lockout, a change to an LSA secret, a change in the RID master's state and a change to a domain controller's computer account password. Because it relies on change notification, urgent replication only takes effect within a site, or across a site link on which an administrator has enabled change notification. Ordinary user password changes are handled separately: the DC that processes the change forwards it immediately to the PDC emulator rather than waiting for replication.
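The following PowerShell script is an added example and not code from the original page; it ties the four answers above together by showing the KCC-built connection objects, the inbound and outbound partner metadata of every DC, and a manual push of a single object to a partner that would not otherwise receive an urgent update (for example a lockout that has to cross a site link without change notification). It assumes the RSAT ActiveDirectory module and an account that can read the Configuration partition and query each DC; the function names are this example's own and no hostnames are hard-coded.

```powershell
# Added example (not from the original page): inspect the replication topology
# the KCC built, the per-partner inbound/outbound state of every DC, and force
# one object across to a partner on demand. Needs RSAT ActiveDirectory.
Import-Module ActiveDirectory

# Partner and connection DNs look like "CN=NTDS Settings,CN=DC01,CN=Servers,CN=Site,...";
# the second RDN is the DC name.
function ConvertTo-DcName([string]$NtdsSettingsDn) {
    ($NtdsSettingsDn -split ',')[1] -replace '^CN='
}

function Get-KccTopology {
    # AutoGenerated = True: created by the KCC (intrasite) or the site's ISTG (intersite).
    # False: created by hand, which the KCC will neither repair nor remove.
    Get-ADReplicationConnection -Filter * | ForEach-Object {
        [pscustomobject]@{
            From          = ConvertTo-DcName $_.ReplicateFromDirectoryServer
            To            = ConvertTo-DcName $_.ReplicateToDirectoryServer
            AutoGenerated = $_.AutoGenerated
            Connection    = $_.Name
        }
    }
}

function Get-PartnerState {
    param([string[]]$DomainController = (Get-ADDomainController -Filter * | ForEach-Object HostName))
    foreach ($dc in $DomainController) {
        # One row per partition/partner/direction. Inbound rows describe what this DC
        # pulls from a source; Outbound rows describe what partners pull from it.
        Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Both -Partition * -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                DC          = $dc
                Direction   = $_.PartnerType
                Partner     = ConvertTo-DcName $_.Partner
                Partition   = ($_.Partition -split ',')[0]
                Transport   = $_.IntersiteTransportType
                LastSuccess = $_.LastReplicationSuccess
                Failures    = $_.ConsecutiveReplicationFailures
                LastResult  = $_.LastReplicationResult   # 0 = success, otherwise a Win32 error code
            }
        }
    }
}

function Get-ReplicationProblems {
    # Links with repeated failures: a lockout or password change made on a DC whose
    # partners are stale will not reach them however urgent the notification.
    Get-PartnerState | Where-Object { $_.Failures -gt 0 -or $_.LastResult -ne 0 }
}

function Push-ObjectToPartner {
    # Manual equivalent of an urgent update for one object, e.g. a locked-out account
    # that must cross a site link on which change notification is not enabled.
    param(
        [Parameter(Mandatory)][string]$ObjectDn,
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    Sync-ADObject -Object $ObjectDn -Source $Source -Destination $Destination
}

'== KCC connection objects =='
Get-KccTopology | Sort-Object To | Format-Table -AutoSize
'== Replication partner metadata =='
Get-PartnerState | Sort-Object DC, Direction | Format-Table -AutoSize
$bad = @(Get-ReplicationProblems)
if ($bad) {
    Write-Warning "$($bad.Count) partner link(s) report failures"
    $bad | Format-Table -AutoSize
}
```

Read the topology table alongside the partner table: every automatically generated connection object should correspond to an Inbound row on its To DC, and a connection with AutoGenerated set to False is worth a second look, since the KCC will route around a failed DC for its own connections but leaves hand-made ones in place.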