Physical Structure  «Prev 

Active Directory Multi-Master Replication

Advantages of Multi-Master Replication

This module introduces a major feature of Active Directory: multimaster replication. Active Directory was one of the first LDAP-based directories to offer multimaster replication.
Most directories replicate data from a single master server to subordinate servers. This is how replication worked in Windows NT 4.0, for example. Obviously, there are several potential problems with a single-master replication scheme, including the single point of failure for updates, geographic distance from the master to clients performing the updates, and less efficient replication due to updates having a single originating location.
To get the benefit of multimaster replication, you must first create a site topology that describes the network and helps define how domain controllers should replicate with each other. In large environments, building and maintaining a site topology can require a significant amount of work.
This module looks at the basics of how sites and replication work in Active Directory. Later, I will describe the physical infrastructure of a network layout using sites. The Knowledge Consistency Checker (KCC) sets up and manages the replication connections and provide details on how to effectively design and tailor sites, site links, and replication in Active Directory.

Ad  Windows Group Policy
Changes can be made on any domain controller in the domain
Changes can be made on any domain controller in the domain

Updates within the same site are received immediately by the local domain controllers
Updates within the same site are received immediately by the local domain controllers

Updates within the same site are received immediately by the local domain controllers
Updates within the same site are received immediately by the local domain controllers

Placing Operations Masters

One of the big reasons why Active Directory was such a huge improvement over earlier versions of Windows like NT 4.0 is that Active Directory allows for multi-master replication. This means that each DC has a read-write copy of the Active Directory database, and you can make changes from any domain controller in the domain. But some types of changes are sensitive enough that you really don’t want them being performed from multiple locations, so you have five Flexible Single Master Operations (FSMO) roles available in Active Directory.
They are called "Single Master" because only one DC can hold the role (and perform the associated task) at any given time. They are "flexible" because you can transfer the role to different servers as your domain grows and changes, and a single server can hold more than one of the FSMO roles. In each Active Directory forest, you have two FSMO roles that are unique for the entire forest:
  1. Schema Master controls any changes made to the Active Directory schema.
  2. Domain Naming Master controls the addition or removal of any new domains in a forest.

There are three other FSMO roles that are unique to a single domain. So if you have a single domain forest, you will have a total of five FSMO roles: one of each forest-wide FSMO role, and one of each domain-wide role. But if you have a forest that contains two domains, you’ll have eight FSMO roles: one of each forest-wide FSMO, and two of each domain-wide role. The three domain-wide FSMO roles are as follows:
  1. PDC Emulator controls replication with NT 4.0 backup domain controllers and processes password changes for any non-AD-aware clients.
  2. Relative Identifier (RID) Master hands out unique RIDs to each domain controller so that each DC can create new objects that each have a unique Globally Unique Identifier, or GUID.
  3. Infrastructure Master keeps a list of any users in a remote domain that are members of groups within the domain.

(FSMO) Flexible Single Master Operations

All five FSMO roles are automatically installed on the first DC created in a forest, and the domain-wide FSMOs get placed on the first DC installed in any new domain. You should place the FSMO roles on servers that are reliable and highly available, especially the PDC Emulator and RID Master. Some recommendations for FSMO placement include the following:
  1. Place the RID Master and PDC Emulator roles on the same DC.
  2. The Schema Master and Domain Naming Master should be installed on a single server that is well secured and tightly controlled. Because you won’t be performing tasks that require these roles as frequently as the three domain-wide FSMOs, your largest concern should be restricting access to the server.
  3. Place the Domain Naming Master on a server that is configured as a Global Catalog server.
  4. If you have more than one domain in your forest, the Infrastructure Master should be placed on a server that is not functioning as a Global Catalog server so that the FSMO role can replicate changes to the other domain controllers properly.
    The exception to this is if every DC in your forest is a GC, at which point the Infrastructure Master becomes unnecessary.