Partition Replication

Applies To: Windows Server 2008 R2

Active Directory Domain Services (AD DS) data is logically partitioned so that not every domain controller in the forest has to store every object in the directory. Active Directory objects are instances of schema-defined classes, which consist of named sets of attributes. When a change is made to an object in a directory partition, the value of the changed attribute or attributes must be updated on all domain controllers that store a replica of the same directory partition. Domain controllers communicate data updates automatically through Active Directory replication. Communication about updates is always specific to a single directory partition at a time.

Different categories of data are stored in replicas of different directory partitions, as follows:

  • Domain directory partition: Also known as the domain naming context (NC), this partition contains domain-specific objects such as computer, user, and group accounts.
  • Configuration directory partition: Contains forest-wide data that controls site and replication operations.
  • Schema directory partition: Contains schema definitions for the forest.
  • Application directory partitions: Contain data that is particular to specific applications. Application directory partition replicas can be replicated to any set of domain controllers in a forest, irrespective of domain.

Managed Entities

The following managed entities are included in this managed entity:


Schema

The Active Directory schema is the set of definitions that defines the kinds of objects, and the types of information about those objects, that can be stored in Active Directory Domain Services (AD DS). The definitions are themselves stored as objects so that AD DS can manage the schema objects with the same object management operations that are used for managing the rest of the objects in the directory.

There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata.

Attributes are defined separately from classes. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes, but it is defined once in the schema, which helps ensure consistency.

Classes, also referred to as object classes, describe the possible directory objects that can be created. Each class is a collection of attributes. When you create an object, the attributes store the information that describes the object. The User class, for example, is composed of many attributes, including Network Address, Home Directory, and so on. Every object in AD DS is an instance of an object class.

Aspects

The following is a list of all aspects that are part of this managed entity:


Discovery of replication partners

Domain controllers must be able to communicate with their replication partners to initiate replication. So that domain controllers can communicate properly, the following conditions must be true:

  • Domain controller service (SRV) resource records must be registered with the Domain Name System (DNS) server.
  • Domain controllers must be able to query and locate the service (SRV) resource records of other domain controllers from the DNS server.
  • Domain controllers must be able to establish remote procedure call (RPC) communications with one another.
  • Replication partners must be online, accessible, and advertising.
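The four conditions above can be checked from an administrative workstation. The following script is an added example, not part of the original documentation; it assumes the DnsClient and NetTCPIP PowerShell modules (Windows Server 2012 or later) and dcdiag.exe are available, and `corp.example.com` is a placeholder for your own domain.

```powershell
# Added example: verify the partner-discovery preconditions for one domain.
param(
    [string]$DomainDnsName = 'corp.example.com'   # placeholder, replace with your domain
)

$results = @()

# 1. Domain controller SRV records must be registered in DNS.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainDnsName" -Type SRV -ErrorAction SilentlyContinue
if (-not $srv) {
    $results += [pscustomobject]@{ Check = 'SRV registration'; Target = $DomainDnsName; Passed = $false }
    $results | Format-Table -AutoSize
    return
}
$results += [pscustomobject]@{ Check = 'SRV registration'; Target = $DomainDnsName; Passed = $true }
$dcs = $srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget -Unique

foreach ($dc in $dcs) {
    # 2. The SRV target returned by the locator must itself resolve to an address.
    $a = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'SRV target resolves'; Target = $dc; Passed = [bool]$a }

    # 3. The RPC endpoint mapper (TCP 135) must be reachable. Replication itself uses a
    #    dynamically assigned RPC port that is negotiated through the endpoint mapper, so this
    #    check covers only the first hop of RPC connectivity.
    $rpc = Test-NetConnection -ComputerName $dc -Port 135 -WarningAction SilentlyContinue
    $results += [pscustomobject]@{ Check = 'RPC endpoint mapper'; Target = $dc; Passed = $rpc.TcpTestSucceeded }

    # 4. The partner must be online and advertising itself as a domain controller.
    #    dcdiag's Advertising test reports "... passed test Advertising" on success.
    $adv = & dcdiag.exe /test:Advertising /s:$dc 2>&1
    $results += [pscustomobject]@{ Check = 'Advertising'; Target = $dc; Passed = [bool]($adv -match 'passed test Advertising') }
}

$results | Format-Table -AutoSize
```

A failed row points at the condition to investigate first; a DC that resolves and answers on port 135 but fails the Advertising test is typically up but not yet ready to serve as a replication partner.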

KCC Initialization

The Knowledge Consistency Checker (KCC) is a process that runs on each domain controller. The KCC creates and maintains the replication topology between domain controllers.

KCC Replication Path Computation

The Knowledge Consistency Checker (KCC) is a component of Active Directory Domain Services (AD DS) that is responsible for generating the replication topology between domain controllers. Generating an efficient and fault-tolerant replication topology is an integral part of achieving data consistency between domain controllers.

Replication Change List Creation

Each domain controller periodically generates a list of changes that were made to the Active Directory database. These changes represent the information that must be replicated to other domain controllers to keep the database consistent. If the change list cannot be generated, changes cannot be communicated to other domain controllers and the database will not be consistent.

Replication Changes

The replication process in Active Directory Domain Services (AD DS) ensures that domain controllers are able to maintain a consistent and updated Active Directory database. Because the Active Directory database holds essential information about user, group, and computer accounts, as well as other resources and services and the network configuration, keeping this information consistent on all the domain controllers is important. Failure of the Active Directory replication process can result in the following problems:

  • Failure of applications that rely on consistent Active Directory information to function properly
  • Logon rejections
  • Password change failures
  • Network service failures
  • Incorrect or outdated information retrieval

For more information, see How Active Directory Replication Topology Works (https://go.microsoft.com/fwlink/?LinkID=93526).

Schema Attribute Definition Replication

The schema is the Active Directory component that defines all the objects and attributes that the directory service uses to store data. To ensure data integrity on directory objects, it is imperative that attribute definitions are replicated. Replication between domain controllers requires that the schema be consistent. If the schema is not consistent, replication failures occur for all domain controllers with inconsistent schema versions.

SPN Generation

The client and the server verify their respective identities before replication occurs. This verification process is known as mutual authentication. The client verifies (that is, authenticates) the server's service by composing a Service Principal Name (SPN) using known data or data that is retrieved from sources other than the service itself.

When a domain controller sends change notifications to its replication-partner domain controllers in the domain, the domain controller keeps a list of domain controllers in the repsTo attribute for the directory partition object. The Knowledge Consistency Checker (KCC) typically removes domain controllers from this list if they do not replicate for more than 24 hours. The removal process occurs at set intervals as one of the last steps in KCC processing.
