6 TOE SUMMARY SPECIFICATION (TSS)
6.1 TOE SECURITY FUNCTIONS
6.1.6 TSF PROTECTION FUNCTION
6.1.6.4 TSF Data Replication Consistency
In general, directory data resides in more than one place on the network. Through replication, the directory service maintains replicas of directory data on multiple DCs, ensuring directory availability and performance for all users. AD uses a multi-master replication model, allowing authorized users to make directory changes at any DC, not just at a designated primary DC.
The AD service allows for specific data to be replicated within the TOE. The AD namespace includes a directory information tree structure to facilitate the management of large size installations.
Additionally, the AD includes the Global Catalog (GC), which is a partial index of select objects in the domain tree, combined with a search engine. The GC server returns the location of an object based on an object attribute provided by the user.
Tree: A tree is a set of one or more Windows Server 2008 R2 domains sharing a common schema, configuration, and GC, joined together to form a contiguous namespace. All domains in a given tree trust each other through transitive hierarchical Kerberos trust relationships. A larger tree can be constructed by joining additional domains as children to form a larger contiguous namespace. Enterprises can be a single-tree or a multi-tree. Naming within a given tree is always contiguous.
Forest: A forest is a set of one or more trees that do not form a contiguous namespace. All trees in a forest share a common schema, configuration, and GC. All trees in a forest trust each other through transitive, hierarchical Kerberos trust relationships. Unlike trees, a forest does not need a distinct name. A forest exists as a set of cross-reference objects and Kerberos trust relationships known to the member trees. Trees in a forest form a hierarchy for the purposes of Kerberos trust; the tree name at the root of the trust tree can be used to refer to a given forest.
GC server: A GC server is a DC that stores specific information about all objects in a forest. The GC stores a replica of every directory partition in the forest. It stores full replicas of the schema and configuration directory partitions, a full replica of the domain directory partition for which the DC is authoritative, and partial replicas of all other domain directory partitions in the forest.
When an “attributeSchema” object has the “isMemberOfPartialAttributeSet” attribute set to “TRUE,” the attribute is replicated from the domain directory partition to the corresponding directory partition replicas on all authoritative DCs and also to all GC servers.
Any DC within a forest potentially could be a replication partner of another. Replication partners are determined by a replication topology. A replication topology is a set of AD connections by which DCs in a forest communicate over the network to synchronize the directory partition replicas that they have in common.
The replication topology determines the replication partnerships between source and destination DCs.
As a replication source, the DC must determine the replication partners it must notify when changes occur. As a replication destination, the domain controller participates in replication either by responding to notification of changes from a source, or by requesting changes to initiate replication when it starts up or in response to a schedule.
The Knowledge Consistency Checker (KCC) is an element of AD that creates the replication topology. It creates connection objects on destination DCs that represent the inbound connection from the replication source DC. For each source DC that is represented by an inbound connection object, the KCC writes information to the “repsFrom” attribute of the directory partition object for each directory partition that the destination DC has in common with the source DC. This information is local to the destination DC and is not replicated.
A source DC keeps track of its replication partners that pull changes from it and uses the information to locate partners for change notification. This information is not provided by the KCC, but rather by the source DC itself during a replication cycle. The first time a DC receives a request for changes from a new destination, the source creates an entry for the destination in the “repsTo” attribute on the respective directory partition object.
Whenever the source has changes, it sends a notification to all replication partners that are identified in the “repsTo” value for the respective directory partition. Like the “repsFrom” data, this information is stored locally on the DC and is not replicated. When updates occur, the source DC checks the “repsTo” attribute to determine the identities of its destination replication partners. The source DC notifies them one by one that changes are available.
There are two types of TSF data replicated consistently throughout the TOE: Group Policy Objects (GPOs) and Directory Store (DS) data. GPOs are used to define configurations for groups of users and computers. GPOs store Group Policy information in two locations: a Group Policy Container (GPC) and a Group Policy Template (GPT). A GPC is a DS container that stores the properties of a GPO that has settings defined. As a DS container, the GPC is replicated throughout the domain with the rest of the DS data.
A GPT is a folder structure that stores Administrative Template-based policies, security settings, applications available for software installation, and script files. When the contents of the SYSVOL folder on a DC are added to, removed, or modified, those changes are replicated to the SYSVOL folders on all other DCs in the domain. SYSVOL content uses the same replication schedule as the DS for inter-site replication.
Along with the GPOs, all DCs contain three types of DS data: domain, schema, and configuration. In the case of the GC server a fourth category, consisting of a partial replica of domain data for all domains, is added. Each type of data is separated into distinct directory partitions that form the basic units of replication for the DS. These partitions are as follows:
Domain partition: all objects in the directory for a given domain; the data is replicated to every domain controller in that domain, but not beyond its domain.
Schema partition: all object types (with attributes) that can be created in AD; the data is common to all domains in the domain tree or enterprise, and replicated to all DCs in the enterprise.
Configuration partition: replication topology and related metadata; the data is common to all domains in the domain tree or enterprise, replicated to all DCs in the enterprise.
GC server also contains:
Domain data (partial replica) for all forest domains: a read-only partial replica of the domain directory partition for all other domains in the enterprise, containing a subset of the properties for all objects in all domains in the enterprise.
The DS is a multi-master enabled database. This means that changes can occur at any DC in the enterprise.
This introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. The DS addresses these potential conflicts in two ways.
One way is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes on all other DCs.
For specific instances when conflicts are too difficult to resolve using the "last writer wins" approach, the DS updates certain objects in a single-master fashion. In a single-master model, only one DC in the entire directory is allowed to process updates. For management flexibility, this model is extended to include multiple roles, and the ability to transfer roles to any DC in the enterprise. This extended model is referred to as Flexible Single Master Operation (FSMO). In Windows 7 and Windows Server 2008 R2 there are four FSMO roles:
Schema master: the single DC responsible for performing updates to the directory schema.
Domain naming master: the DC responsible for making changes to the forest-wide domain name space of the directory. It can also add or remove cross-references to domains in external directories.
Relative Identifier (RID) master: the single DC responsible for processing RID Pool requests for certain unique security identifiers from all DCs within a given domain. Users, computers, and groups that are stored in AD are assigned SIDs, which are unique alphanumeric strings that map to a single object in the domain. SIDs consist of a domain-wide SID concatenated with a monotonically increasing RID that is allocated by each DC in the domain. Each DC is assigned a pool of RIDs.
Infrastructure daemon: the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.
The first two FSMO roles must be unique within a forest. The last two must be unique within each domain within a forest.
DS replication is not based on time, but on Update Sequence Numbers (USNs). Each DC holds a table containing entries for its own USN and the USNs of its replication partners. During replication, the DC compares the last known USN of its replication partner (saved in the table), with the current USN that the replication partner provides. If there have been recent changes (that is, if the replication partner provides a higher USN), the data store requests all changes from the replication partner (this is known as pull replication). After receiving the data, the directory store sets the USN to the same value as that of the replication partner.
If properties on the same object are changed on different DCs, the DCs reconcile the data first by property version number, then by time stamp if the version numbers are the same, and then by comparing the buffer size of a binary memory copy operation performed on each property. If the two buffers are equal, the attributes are the same and one of them is discarded.
Note that all reconciliation operations are logged, and authorized administrators have the option of recovering and using the rejected values.
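The USN-based pull replication and the version / time stamp / buffer reconciliation order described above, shown as an added illustrative model (this is not code from the Security Target or from Windows). The DomainController, AttrValue, pull and wins names and the two-DC scenario with its time stamps are constructed for the example, and the tie-break for unequal buffers at equal version and time stamp is an assumption, since the text only states that equal buffers are discarded.

```python
from dataclasses import dataclass, field
@dataclass
class AttrValue:
    value: bytes      # the property value as stored
    version: int      # property version number, bumped on each originating write
    timestamp: float  # originating write time (constructed sample values)

@dataclass(eq=False)  # eq=False keeps each DC hashable, so it can key a dict
class DomainController:
    usn: int = 0                                     # this DC's own current USN
    store: dict = field(default_factory=dict)        # (dn, attr) -> AttrValue
    changelog: list = field(default_factory=list)    # (usn, dn, attr, AttrValue)
    partner_usn: dict = field(default_factory=dict)  # last USN seen per partner

    def write(self, dn, attr, value, timestamp):
        # Originating write: start at version 1 or bump the existing version.
        old = self.store.get((dn, attr))
        new = AttrValue(value, (old.version if old else 0) + 1, timestamp)
        self.usn += 1
        self.store[(dn, attr)] = new
        self.changelog.append((self.usn, dn, attr, new))

def wins(incoming, local):
    # Reconciliation order from the text: version, then time stamp, then buffers.
    if incoming.version != local.version:
        return incoming.version > local.version
    if incoming.timestamp != local.timestamp:
        return incoming.timestamp > local.timestamp
    # Equal buffers mean the same value: discard. ASSUMPTION: larger buffer wins.
    return incoming.value != local.value and len(incoming.value) > len(local.value)

def pull(dest, source):
    # Pull replication: take every change above the saved partner USN, then adopt it.
    last = dest.partner_usn.get(source, 0)
    for usn, dn, attr, incoming in source.changelog:
        if usn > last:
            local = dest.store.get((dn, attr))
            if local is None or wins(incoming, local):
                dest.store[(dn, attr)] = incoming
    dest.partner_usn[source] = source.usn

def demo():
    # Both DCs edit one property concurrently (both reach version 2): later time stamp wins.
    dc1, dc2 = DomainController(), DomainController()
    dc1.write("CN=alice", "description", b"sales", 100.0)
    pull(dc2, dc1)
    dc1.write("CN=alice", "description", b"marketing", 200.0)
    dc2.write("CN=alice", "description", b"support", 250.0)
    pull(dc1, dc2); pull(dc2, dc1)
    return tuple(dc.store["CN=alice", "description"].value for dc in (dc1, dc2))
```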