Synchronizing Active Directory Domain Controllers

Although a domain needs only one domain controller, a single domain controller is a single point of failure. Adding domain controllers to a domain increases its availability. The Active Directory directory service uses two-way, multi-master replication to keep the domain controllers of a domain consistent: every domain controller holds a writable copy of the directory data, and changes made on any one of them are replicated to the others so that all of them hold the same information.

The information stored in Active Directory on every domain controller (whether or not it is a global catalog server) is partitioned into three categories: domain, schema, and configuration data. Each of these categories is in a separate directory partition (also called a naming context). The directory partitions are the units of replication. The domain data partition contains all of the objects in the directory for the domain. Data in each domain is replicated to every domain controller in the domain, but not beyond.

If the domain controller is a global catalog server, it also contains a fourth category of information: a partial replica of the domain data directory partition for all domains. This partial replica contains a subset of the properties for all objects in all domains. (A partial replica is read-only; a complete replica is read/write.)

By default, the partial set of attributes stored in the global catalog includes those attributes most frequently used in search operations, because one of the primary functions of the global catalog is to support clients querying the directory. Using global catalogs to perform partial domain replication instead of doing full domain replication reduces WAN traffic.

The following figure shows replication within a site. Three domain controllers (one of which is a global catalog) replicate schema data and configuration data, as well as all directory objects (with a complete set of attributes for each object).

Replication of data between domain controllers

Active Directory attempts to establish a topology that allows at least two connections to every domain controller so that if a domain controller becomes unavailable, directory information can still reach all online domain controllers through the other connection. Active Directory also automatically evaluates and adjusts for changes in the state of the network. For example, when a domain controller is added to a site, the replication topology is adjusted to incorporate the new addition efficiently.
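The following PowerShell script is an added example, not part of the original documentation: it checks the redundancy described above by listing each domain controller's inbound replication partners across the domain, configuration, and schema partitions, and warns about any domain controller with fewer than two distinct partners or with links that are failing. It assumes the ActiveDirectory module (installed with RSAT), a domain-joined machine, and an account allowed to read replication metadata; the threshold of two partners is taken from the text above.

```powershell
# Added example (not from the original documentation): verify that every
# domain controller has at least two inbound replication partners and that
# none of its replication links is failing.
# Assumes the ActiveDirectory module (RSAT) and rights to read replication metadata.
Import-Module ActiveDirectory

$minimumPartners = 2   # from the text: "at least two connections to every domain controller"

foreach ($dc in Get-ADDomainController -Filter *) {
    # Inbound replication metadata for all partitions hosted by this DC
    $metadata = Get-ADReplicationPartnerMetadata -Target $dc.HostName `
                    -PartnerType Inbound -Partition * -ErrorAction SilentlyContinue

    if (-not $metadata) {
        Write-Warning ("{0}: no replication metadata returned (DC unreachable or access denied)" -f $dc.HostName)
        continue
    }

    # Partner holds the DN of the partner's NTDS Settings object; count distinct partners
    $partners = @($metadata | Select-Object -ExpandProperty Partner -Unique)
    $failing  = @($metadata | Where-Object { $_.ConsecutiveReplicationFailures -gt 0 })

    [pscustomobject]@{
        DomainController = $dc.HostName
        Site             = $dc.Site
        IsGlobalCatalog  = $dc.IsGlobalCatalog
        InboundPartners  = $partners.Count
        FailingLinks     = $failing.Count
        LastSuccess      = ($metadata | Measure-Object -Property LastReplicationSuccess -Maximum).Maximum
    }

    if ($partners.Count -lt $minimumPartners) {
        Write-Warning ("{0} has only {1} inbound replication partner(s)" -f $dc.HostName, $partners.Count)
    }
    foreach ($link in $failing) {
        Write-Warning ("{0} <- {1} [{2}]: {3} consecutive failure(s), last result {4}" -f
            $dc.HostName, $link.Partner, $link.Partition,
            $link.ConsecutiveReplicationFailures, $link.LastReplicationResult)
    }
}
```

A domain with only two domain controllers can never satisfy the two-partner threshold, so the warning is expected there; the failing-link report is the part worth acting on in any topology, because a link that keeps failing leaves the destination domain controller with stale directory data (including security principals and group memberships) until it is repaired.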

Replication Between Sites

You can also use Active Directory to optimize both server-to-server and client-to-server traffic over WAN links. Having multiple sites can provide redundancy in the event of a geographical disaster. Best practices for setting up multiple sites include the following:

  • Set up a site in every geographic area that requires fast access to the latest Active Directory information.
  • Place at least one domain controller at every site and make at least one domain controller in each site a global catalog. Sites that do not have their own domain controllers and at least one global catalog are dependent on other sites for directory information and are less efficient.
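The following script is an added example, not part of the original documentation: it checks the second best practice above by reporting, for every site in the forest, how many domain controllers and global catalogs of the current domain it contains, and marks sites that have none. It assumes the ActiveDirectory module (RSAT) and read access to the configuration partition; because Get-ADDomainController -Filter * returns only the current domain's domain controllers, run it once per domain (or pass -Server for another domain) in a multi-domain forest.

```powershell
# Added example (not from the original documentation): report sites that lack a
# domain controller or a global catalog of the current domain.
# Assumes the ActiveDirectory module (RSAT); covers the current domain only.
Import-Module ActiveDirectory

# Group the current domain's DCs by the site they belong to
$dcsBySite = Get-ADDomainController -Filter * | Group-Object -Property Site

foreach ($site in Get-ADReplicationSite -Filter *) {
    # DCs located in this site (empty array when the site has none)
    $dcs = @($dcsBySite | Where-Object { $_.Name -eq $site.Name } | ForEach-Object { $_.Group })
    $gcs = @($dcs | Where-Object { $_.IsGlobalCatalog })

    if ($dcs.Count -eq 0) {
        $status = 'NO DC: site depends on other sites for directory information'
    }
    elseif ($gcs.Count -eq 0) {
        $status = 'NO GC: forest-wide lookups must leave the site'
    }
    else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Site              = $site.Name
        DomainControllers = $dcs.Count
        GlobalCatalogs    = $gcs.Count
        Status            = $status
    }
}
```

Sites flagged NO DC or NO GC are the ones the text describes as dependent on other sites: clients there must cross a WAN link for logon and directory lookups, which both slows them down and means a WAN outage takes the directory away from that site entirely.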

For information about securing replication across WAN links, see "Security Between Replication Partners" in the Windows 2000 Server Resource Kit Online Books.

See Also

Securing Your Site

Copyright © 2005 Microsoft Corporation.
All rights reserved.