Active Directory  «Prev 

Multiple Domains in Active Directory

You cannot have multiple Active Directory domains as a principal organizational unit (OU). An OU is a container for objects in a domain, and each object can only belong to one domain. If you need to manage objects from multiple domains, you can create a forest. A forest is a collection of one or more domains that share a common schema, configuration, and global catalog. You can then create OUs in the forest that contain objects from multiple domains. For example, you could create an OU called "Finance" that contains users and computers from both the "" domain and the "" domain. This would allow you to manage all of the finance-related objects in both domains from a single location.
Here are the steps on how to create a forest:
  1. Install Active Directory Domain Services (AD DS) on a server in each domain that you want to include in the forest.
  2. Promote one of the domain controllers to a forest root domain controller.
  3. In the Active Directory Users and Computers console, create a new forest.
  4. Add the other domain controllers to the forest.
  5. Create OUs in the forest to organize the objects from the different domains.

Domain Controllers maintain a Distributed Database

In a Microsoft Active Directory environment, domain controllers maintain a distributed database that provides authentication, authorization, and directory services. The process by which domain controllers within a particular domain receive, process, and propagate changes to other domain controllers is known as Active Directory Replication. The procedure relies on a multi-master replication model, allowing updates to be made on any domain controller and subsequently replicated to other domain controllers. Below are the key mechanisms and protocols involved in this process.

Multi-Master Replication Model

In a multi-master model, each domain controller holds a read-write copy of the Active Directory database, thereby allowing updates to be made locally. This model eliminates the single point of failure but introduces challenges in ensuring data consistency.

Replication Topology

  1. Intrasite Replication: Within a single site, the Knowledge Consistency Checker (KCC) creates a ring topology for replication. This ensures that each domain controller has at least two replication partners.
  2. Intersite Replication: For replication between sites, administrators can configure site links, costs, and schedules. The KCC then formulates an optimized replication topology.

Replication Protocols

  1. Remote Procedure Call (RPC) over IP: Used predominantly for intrasite replication.
  2. Simple Mail Transfer Protocol (SMTP): Generally used for intersite replication between domain controllers that host separate directory partitions.

Replication Process

  1. Update Sequence Number (USN): Each domain controller maintains a USN. When an object is modified, the USN is incremented, and the new value is associated with the modified object.
  2. High-Watermark Vector: During replication, each domain controller stores a high-watermark vector that denotes the highest USN it has received from its replication partners.
  3. Up-to-dateness Vector: Utilized to ensure that changes are not unnecessarily replicated, thereby reducing replication traffic.
  4. Change Notification: In intrasite replication, domain controllers use notification mechanisms to inform adjacent partners about changes, which triggers immediate replication. For intersite replication, a schedule dictates the frequency of replication.
  5. Conflict Resolution: Active Directory uses a "last writer wins" model. In case of simultaneous updates, the change with the higher USN takes precedence. Some attributes may also use timestamps for conflict resolution.

Initiating Replication

Replication can be manually initiated using the following tools:
  1. Active Directory Sites and Services (dssite.msc)
  2. Replication Monitor (Replmon)
  3. Command-line utilities like `repadmin`

Monitoring and Troubleshooting

Administrators should routinely monitor replication health using tools such as:
  1. Replication Performance Monitor counters
  2. Event Viewer
  3. `dcdiag` utility

In summary, Active Directory Replication in a Windows Server 2019 environment involves a sophisticated set of mechanisms working in concert to maintain data consistency and availability across domain controllers. Proper configuration, monitoring, and understanding of underlying protocols and algorithms are paramount for effective and secure replication.
Domains are units of replication. In addition, all of the domain controllers in a particular domain can receive changes and replicate those changes to all other domain controllers in the domain. Each domain in Active Directory is identified by a (DNS) Domain Name System domain name and requires one or more domain controllers. If your network requires more than one domain, you can easily create multiple domains.
One or more domains that share a common schema and global catalog are referred to as a forest. The first domain in a forest is referred to as the forest root domain. If multiple domains in the forest have contiguous DNS domain names, then the structure is referred to as a domain tree. A single domain can span multiple physical locations or sites and can contain millions of objects. Site structure and domain structure are separate and flexible. Furthermore, a single domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains.