Saturday, October 1, 2016

YouTube Active Directory Video

Here is the English script of our YouTube video - Active Directory part 1. We also have a German video.

So before we come to some of recently changes in Active Directory, we want to make a short review of the existing Active Directory replication procedure.
There were two design decisions, on which Active Directory was built.
As a consequence of those two design decisions we get most of the active directory structure we got today.
The first design decision was to have a Multi-master architecture.
Why? Because of the problems we had with the single master approach with the old primary domain controller or PDC. There were high availability issues.
Did that design goal work?

Well, almost. As you know there are still five FSMO roles, Flexible Single Master Operation two for the forest and three for the domain. And one of them is just for backward compatibility, so they almost got there. And if you think that the PDC Emulator is not used any more then we will come back to this on Part 4 when we deal with the complexity of cloning a virtual machine.
And the second design goal.?
This was an interesting one, they did not want to be dependent on time synchronization. Now to be clear, they do have a time stamp and they send it with the replication between the domain controllers, but they wanted to avoid a situation where the controllers getting out of time sync could lead to an update be missed. This could happen if they were completely dependent on the time stamp.
Lets tale an example. Lets imagine  we have a change on DC1, made a different change to the same object on DC2 and then changed it again on DC1.
Let us see how it would work If the times were synchronized between the servers, and we used a time stamp.
An update would come to DC1, he would pass it on to  DC2 and the time stamp would say 1 second past midnight.
A update comes to DC2, he updates in his database, the stamp says  1 and a half seconds past midnight.
Now another update comes to DC1, he passes it to DC2, time stamp says 2 seconds past midnight, everything works fine.
But imagine if DC2 was one and a half seconds ahead? What could happen?
An update would come to DC1, he would pass it on to  DC2 and the time stamp would say 1 second past midnight.
A update comes to DC2, he updates in his database, the stamp says  not 1 and a half seconds past midnight but 3 seconds.
Now the next update comes to DC1, gets sent on to DC2 and gets rejected because DC2 says, I already  have seen a change with a later time stamp.
Now let us be clear, Active Directory does use a stamp, and it is not the sole means of reserving conflicts, the situation we just saw is prevented by a  volatility vector, we will see this later in the course in part 3)
However time changes are not so common these days. Why, because, the domain controllers authenticate with each other using Kerberos. How far can the servers be out of sync and Kerberos will still work? The default is five minutes. Any longer than that and Kerberos will think it is a replay attack and reject the authentication. So the design decision may not seem so useful any more but it is important for us to remember that this is the way it is built.
So what do they use instead of a time stamp?, they use a USN. Update Sequence Number. Not a universal SN, although I sometimes see documentation that way it is just local to the domain Server.
So here we have a Domain Server. DC1.
Let us say we have a change to make to AD on this server.
We call this originating update.
So he uses the next USN when the change is committed. Let us say the USN was 4710, it is now 4711.
He sends this change to the other Domain Controllers.
DC2 gets the change. Now he updates his database.
His own USN is 1745 he changes to 1746 and writes the update.
Which USN does he use?
Both, He writes both the originating USN and his USN.
Now what happens if DC2 went offline and missed some changes. dozes off for a while?
Bit like Grandpa dozing off in an action movie.
Perhaps there is a network problem, perhaps the server is down.
But there are changes to the active directory
Now the active directory server comes up again, but he has missed some changes.
What does Grandpa say when he wakes up?
“What have I missed?”
And can you tell him exactly he has missed?
No, you don't know when he dozed off.
So here we see that DC2 has missed a number of updates.
Now DC2 comes online, how does he know what he has missed?
There is a high water mark where the DC knows the highest number that he has received so that he can send a request for all changes after this.
DC2 does not really store the name of the server, he has an Invocation ID.
Now this is just a sample, so we will stop here before getting in to the invocation ID.  if you would like to continue this series, or you have technical considerations, please contact me on the address on the slide.