Sunday, September 13, 2020

YouTube Active Directory Video



Here is the English script of our YouTube video - Active Directory part 1. We also have a German video.



Before we come to some of the recent changes in Active Directory, we want to make a short review of the existing Active Directory replication procedure.
There were two design decisions on which Active Directory was built.
As a consequence of those two design decisions we get most of the Active Directory structure we have today.
The first design decision was to have a multi-master architecture.
Why? Because of the high-availability problems we had with the single-master approach of the old primary domain controller, or PDC: every write had to go to the one PDC, and if it was down, nothing could be changed.
Did that design goal work?
 


Well, almost. As you know there are still five FSMO (Flexible Single Master Operation) roles: two for the forest and three for each domain. And one of them, the PDC Emulator, carries its name for backward compatibility with the old NT 4 domain controllers, so they almost got there. If you think that means the PDC Emulator is not used any more, we will come back to this in Part 4 when we deal with the complexity of cloning a virtual machine.
And the second design goal?
This was an interesting one: they did not want to be dependent on time synchronization. Now, to be clear, they do have a time stamp and they send it with the replication between the domain controllers, but they wanted to avoid a situation where the controllers getting out of time sync could lead to an update being missed. This could happen if they were completely dependent on the time stamp.
Let us take an example. Imagine we make a change on DC1, make a different change to the same object on DC2 and then change it again on DC1.


Let us see how it would work if the times were synchronized between the servers and we used only a time stamp.
An update comes to DC1, which passes it on to DC2; the time stamp says 1 second past midnight.
An update comes to DC2, which writes it in its database; the stamp says 1 and a half seconds past midnight.
Now another update comes to DC1, which passes it to DC2; the time stamp says 2 seconds past midnight, and everything works fine.
But imagine if DC2 was one and a half seconds ahead? What could happen?


An update comes to DC1, which passes it on to DC2; the time stamp says 1 second past midnight.
An update comes to DC2, which writes it in its database; the stamp says not 1 and a half seconds past midnight but 3 seconds, because DC2's clock is ahead.
Now the next update comes to DC1, gets sent on to DC2 and gets rejected, because DC2 says: I have already seen a change with a later time stamp. DC1 and DC2 now hold different values for the same attribute.
Now let us be clear: Active Directory does use a stamp, but the stamp is not the sole means of resolving conflicts. The stamp carries a version number which is compared before the time stamp, and deciding which changes a partner still needs does not rely on the stamp at all; the situation we just saw is prevented by the update sequence numbers and the up-to-dateness vector, which we will see later in the course, in part 3.
However, clock drift between domain controllers is not so common these days. Why? Because the domain controllers authenticate with each other using Kerberos. How far can the servers be out of sync and Kerberos will still work? The default maximum tolerance is five minutes. Any more than that and Kerberos rejects the authentication, because outside that window it can no longer tell a fresh request from a replayed one. So the design decision may not seem so useful any more, but it is important for us to remember that this is the way it is built.
So what do they use instead of a time stamp? They use a USN, an Update Sequence Number. It is not a Universal Sequence Number, although I sometimes see it documented that way: it is local to each domain controller.
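To make the time-stamp problem concrete, here is an added toy model of the three updates above (this is illustration code written for this page, not code from the video and not how Active Directory is implemented). Two domain controllers decide whether to accept a replicated write either purely by time stamp, or, as the real AD stamp does, by a per-attribute version number first and the time stamp only as a tiebreaker. The clock values, attribute values and the `skew_seconds` parameter are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Write:
    value: str
    version: int   # per-attribute version counter, part of the real AD stamp
    stamp: float   # originating time stamp, seconds past midnight (constructed)


@dataclass
class DC:
    name: str
    skew_seconds: float = 0.0          # how far this DC's clock runs ahead
    attr: Optional[Write] = None       # the one attribute we track
    log: list = field(default_factory=list)

    def now(self, true_time: float) -> float:
        return true_time + self.skew_seconds

    def originate(self, value: str, true_time: float) -> Write:
        """Originating write: always applied locally, bumps the version."""
        version = self.attr.version + 1 if self.attr else 1
        self.attr = Write(value, version, self.now(true_time))
        return self.attr

    def receive(self, w: Write, mode: str) -> bool:
        """Apply a replicated write only if it wins against the current value."""
        cur = self.attr
        if cur is None:
            wins = True
        elif mode == "timestamp_only":
            wins = w.stamp > cur.stamp
        elif mode == "version_first":
            # version decides; the time stamp only breaks a version tie
            wins = (w.version, w.stamp) > (cur.version, cur.stamp)
        else:
            raise ValueError(mode)
        self.log.append(f"{self.name} {'accepted' if wins else 'rejected'} {w.value}")
        if wins:
            self.attr = w
        return wins


def run_sequential(mode: str, dc2_skew: float):
    """The video's scenario: DC1 writes, DC2 writes, DC1 writes again,
    each write replicated before the next one happens.
    Returns (value on DC1, value on DC2, was the third write accepted)."""
    dc1, dc2 = DC("DC1"), DC("DC2", dc2_skew)
    dc2.receive(dc1.originate("A", 1.0), mode)   # 1.0 s past midnight on DC1
    dc1.receive(dc2.originate("B", 1.5), mode)   # 1.5 s true time, DC2 adds its skew
    accepted = dc2.receive(dc1.originate("C", 2.0), mode)
    return dc1.attr.value, dc2.attr.value, accepted


def run_concurrent(mode: str, dc2_skew: float):
    """A real conflict: both DCs write before seeing the other's write.
    Returns the value each DC ends up with after the exchange."""
    dc1, dc2 = DC("DC1"), DC("DC2", dc2_skew)
    dc2.receive(dc1.originate("A", 1.0), mode)
    w_dc2 = dc2.originate("B", 1.5)
    w_dc1 = dc1.originate("C", 2.0)
    dc1.receive(w_dc2, mode)
    dc2.receive(w_dc1, mode)
    return dc1.attr.value, dc2.attr.value


if __name__ == "__main__":
    print("timestamp only, clocks in sync :", run_sequential("timestamp_only", 0.0))
    print("timestamp only, DC2 1.5 s ahead:", run_sequential("timestamp_only", 1.5))
    print("version first, DC2 1.5 s ahead :", run_sequential("version_first", 1.5))
    print("concurrent writes, version first:", run_concurrent("version_first", 1.5))
```

With time stamps alone and DC2 running 1.5 s ahead, the third write is rejected and the two controllers diverge (DC1 keeps C, DC2 keeps B). With the version compared first, the third write carries version 3 and is accepted regardless of the clocks. In the genuinely concurrent case the versions tie and the skewed time stamp may pick the "older" write, but both controllers still converge on the same value, which is the property replication actually needs.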
So here we have a domain controller, DC1.
Let us say we have a change to make to AD on this server.


We call this an originating update.
DC1 uses the next USN when the change is committed. Let us say the USN was 4710; it is now 4711.
It sends this change to the other domain controllers.
DC2 gets the change and updates its database.
Its own USN is 1745; it changes it to 1746 and writes the update.
Which USN does it use?
Both. It writes both the originating USN (4711, from DC1) and its own local USN (1746).
Now what happens if DC2 goes offline and misses some changes, if it dozes off for a while?
Bit like Grandpa dozing off in an action movie.
Perhaps there is a network problem, perhaps the server is down.
But in the meantime there are changes to the Active Directory.
Now the Active Directory server comes up again, but it has missed some changes.
What does Grandpa say when he wakes up?
“What have I missed?”
And can you tell him exactly what he has missed?
No, you don't know when he dozed off.
So here we see that DC2 has missed a number of updates.
Now DC2 comes online; how does it know what it has missed?
It has a high-watermark: for each replication partner, DC2 stores the highest USN from that partner it has already processed, so it can send a request for all changes after this. In our example the high-watermark for DC1 is 4711, so DC2 asks DC1 for everything with a USN higher than 4711, and nobody needs to know when DC2 dozed off.
  

DC2 does not really store the name of the partner server; it keys the high-watermark on the partner's Invocation ID, the identifier of that domain controller's database instance.
Now this is just a sample, so we will stop here before getting into the Invocation ID. If you would like to continue this series, or you have technical considerations, please contact me at the address on the slide.
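The originating USN, local USN and high-watermark mechanism described above, as an added simulation for this page (not code from the video, and not how Active Directory is implemented). Each toy DC keeps its own USN counter, a database of objects, and one high-watermark per replication partner keyed by that partner's invocation ID; DC2 then "dozes off", misses three changes, and catches up by asking DC1 for everything above its stored high-watermark. The invocation IDs, object names and values are constructed.

```python
from dataclasses import dataclass


@dataclass
class Entry:
    value: str
    originating_dc: str   # invocation ID of the DC where the write originated
    originating_usn: int  # USN that originating DC assigned to the write
    local_usn: int        # USN this DC assigned when it wrote the change


class DC:
    def __init__(self, invocation_id: str, start_usn: int):
        self.invocation_id = invocation_id
        self.usn = start_usn
        self.db: dict[str, Entry] = {}
        # partner invocation ID -> highest partner local USN already applied
        self.high_watermark: dict[str, int] = {}
        self.online = True

    def next_usn(self) -> int:
        self.usn += 1
        return self.usn

    def originate(self, obj: str, value: str) -> int:
        """Originating update: the local USN is also the originating USN."""
        usn = self.next_usn()
        self.db[obj] = Entry(value, self.invocation_id, usn, usn)
        return usn

    def changes_since(self, usn: int):
        """Everything this DC wrote with a local USN above the given one."""
        items = [(o, e) for o, e in self.db.items() if e.local_usn > usn]
        return sorted(items, key=lambda oe: oe[1].local_usn)

    def pull_from(self, partner: "DC") -> int:
        """'What have I missed?': fetch the partner's changes above the stored
        high-watermark and apply them with fresh local USNs."""
        if not self.online:
            return 0
        hwm = self.high_watermark.get(partner.invocation_id, 0)
        applied = 0
        for obj, e in partner.changes_since(hwm):
            hwm = e.local_usn
            if e.originating_dc == self.invocation_id:
                continue  # our own originating write coming back; skip it
            self.db[obj] = Entry(e.value, e.originating_dc,
                                 e.originating_usn, self.next_usn())
            applied += 1
        self.high_watermark[partner.invocation_id] = hwm
        return applied


def scenario() -> dict:
    dc1 = DC("inv-dc1", 4710)
    dc2 = DC("inv-dc2", 1745)
    dc1.originate("cn=alice", "phone=100")          # DC1 USN 4710 -> 4711
    dc2.pull_from(dc1)                              # DC2 writes it as 1746
    alice = dc2.db["cn=alice"]
    dc2.online = False                              # Grandpa dozes off
    dc1.originate("cn=bob", "phone=200")            # 4712
    dc1.originate("cn=alice", "phone=101")          # 4713
    dc1.originate("cn=carol", "phone=300")          # 4714
    while_offline = dc2.pull_from(dc1)              # nothing happens
    dc2.online = True
    caught_up = dc2.pull_from(dc1)                  # all changes after 4711
    echoed = dc1.pull_from(dc2)                     # DC1 sees nothing new
    return {
        "first_usns": (alice.originating_usn, alice.local_usn),
        "while_offline": while_offline,
        "caught_up": caught_up,
        "hwm_for_dc1": dc2.high_watermark["inv-dc1"],
        "echoed_back": echoed,
        "dc2_values": {o: e.value for o, e in dc2.db.items()},
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(k, v)
```

After catching up, DC2's high-watermark for DC1 is 4714 and its copy of cn=alice carries originating USN 4713 from DC1 but a local USN of its own; nobody had to know when DC2 went offline. The toy only skips its own writes when they come back from a partner; real Active Directory additionally uses the up-to-dateness vector so that a change already received via a third controller is not applied twice.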
  

References:
https://blogs.msdn.microsoft.com/richpec/2011/10/06/the-authoritative-restore-explained/ (Invocation ID)