
Replication

Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com


  1. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com | Replication

  2. Active Directory Replication Intro

  3. Central Database • LDAP – Lightweight Directory Access Protocol • the query interface to the directory database, playing a role similar to SQL for a relational database • TCP 389, LDAPS (SSL) TCP 636, GC TCP 3268, GC over SSL TCP 3269 • Windows NT 4.0 SAM • SMB/CIFS TCP 445 (or NetBIOS) • password resets, SAM queries • Kerberos • UDP/TCP 88

  4. Design Considerations • Distributed system • DCs disconnected for very long times • several months • Multimaster replication • with some FSMO roles

  5. Design Considerations • Example: Caribbean cruises, DC/IS/Exchange on board with tens of workstations and users, some staff hired during the journey. No or poor satellite connectivity only. DCs synced after the ship is berthed at the main office. • Challenge: must work independently for long periods. Different, independent cruise liners/DCs can accommodate changes to user accounts, e-mail addresses and Exchange settings. Cannot afford to lose any one of them.

  6. Database • Microsoft JET engine • JET Blue (ESE, Extensible Storage Engine) • common with Microsoft Exchange • used by DHCP, WINS, COM+, WMI, CA, CS, RDS Broker • %WINDIR%\NTDS\NTDS.DIT • ESENTUTL • opened exclusively by LSASS.EXE while AD DS is running

  7. Installed services (diagram): LSASS hosts three listeners on top of NTDS.DIT • TCP 445 SMB + named pipes → Security Accounts Manager • UDP/TCP 88 Kerberos → Kerberos Key Distribution Center • UDP/TCP 389 LDAP → Active Directory Domain Services

  8. Installed services (diagram, client view): an NT 4.0 client talks to LSASS with NTLM pass-through and SAM calls over TCP 445 SMB + named pipes ("Connect to Domain"); a Windows 2000+ client uses the KDC over UDP/TCP 88 and the LDAP/ADSI client over UDP/TCP 389 against NTDS

  9. Restartable AD DS • Windows Server 2008 • Active Directory Domain Services service • LSASS.EXE • can log on as the DS Restore Mode Admin while the service is stopped • HKLM\System\CurrentControlSet\Control\LSA • DsrmAdminLogonBehavior = 1 • 0 (default) = DSRM admin can log on only when booted into Directory Services Restore Mode, 1 = also while the AD DS service is stopped, 2 = always, even with AD DS running • any DC set to 2 should be reviewed, because the DSRM password then becomes a standing local administrator credential
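The value meanings above make DsrmAdminLogonBehavior worth auditing on every DC. The following is an added example, not code from the deck: it reads the value remotely from each DC and flags the ones set to 2. It assumes the RSAT ActiveDirectory module on the workstation and WinRM access to the DCs.

```powershell
# Added example (not from the original deck): audit DsrmAdminLogonBehavior on all DCs.
# Assumes the RSAT ActiveDirectory module and WinRM (Invoke-Command) access to the DCs.
Import-Module ActiveDirectory

function Get-DsrmLogonBehavior {
    param([Parameter(Mandatory)][string[]]$DomainController)

    $path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $item  = Get-ItemProperty -Path $using:path -Name DsrmAdminLogonBehavior -ErrorAction SilentlyContinue
        # A missing value behaves like 0 (DSRM admin usable only in DSRM itself)
        $value = if ($null -eq $item) { 0 } else { [int]$item.DsrmAdminLogonBehavior }
        $meaning = switch ($value) {
            0       { 'DSRM admin logs on only when booted into DSRM (default)' }
            1       { 'DSRM admin can also log on while the AD DS service is stopped' }
            2       { 'DSRM admin can ALWAYS log on, even with AD DS running: review' }
            default { "Unexpected value $value" }
        }
        [pscustomobject]@{
            DC      = $env:COMPUTERNAME
            Value   = $value
            Meaning = $meaning
        }
    }
}

# Enumerate every DC in the current domain and print the worst offenders first
$dcs = (Get-ADDomainController -Filter *).HostName
Get-DsrmLogonBehavior -DomainController $dcs |
    Sort-Object Value -Descending |
    Format-Table DC, Value, Meaning -AutoSize
```

Run it from an account that can use WinRM on the DCs; a DC that is unreachable produces an Invoke-Command error for that host and the rest of the table is still printed.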

  10. DNS Best Practice (diagram): DC1 and DC2 each run both AD DS and DNS, so the directory and the DNS zone it depends on live together on every DC

  11. Active Directory Replication Logical Structure

  12. Logical Structure • Partitions • separate "subdatabases" • replication domains • RootDSE (root DSA-specific entry, one per DC, not replicated) • Schema • Configuration • Domain • can contain user accounts • Application • cannot contain security principals such as user accounts • Global Catalogue

  13. Replication domains (diagram): six DCs, RootDSE1–RootDSE6. Every DC has its own RootDSE and replicas of Schema and Config; Domain A is replicated among RootDSE1–3 and Domain B among RootDSE4–6; the application partitions App1 and App2 exist only on the DCs chosen to host them (App1 on several DCs across both domains, App2 on a single one)

  14.–15. Global Catalogue (diagram series): users helen@idtt.com (MBX1, Dublin), judith@idtt.com (MBX2, Paris), kamil@idtt.com (MBX1, London) and ian@idtt.com (MBX3, Prague) are spread across sites; an Exchange hub receiving SMTP mail must find out which mailbox store holds each recipient. Without a GC the hub sees only the data of the DC it queries; with a GC in its site it resolves all four addresses and their mailbox stores from that single partial replica of every domain

  16. Global Catalogue (DC data)

  17. Global Catalogue (GC data)

  18.–20. GC and Logon (diagram series): sites Paris (DC3, DC4 = GC), Prague (DC1) and London (DC2, server SRV). User Kamil (SID #1) is a member of universal groups U C, U D and U E (Judith is in U E as well), global group G B and domain local groups DL A and DL E. When Kamil logs on in London, the authenticating DC holds only the global and domain local memberships and asks the GC (DC4 in Paris) for the universal group SIDs; the resulting ticket carries Kamil SID #1, U D SID #2, U E SID #3, G B SID #4 and DL E SID #5

  21. Active Directory Replication Attribute Notes

  22. Attribute Types • string, integer, datetime, boolean, binary • DN reference • multivalue • up to 5000 items • linked multivalue • unlimited, requires 2003 Forest Level • backlink • memberOf • computed (constructed) • primaryGroupToken, tokenGroups • lastLogonTimestamp is stored, not constructed, but is maintained by the DC itself • write-only attributes • unicodePwd

  23. Group membership (diagram): the group Sales carries the forward link member = CN=Kamil,OU=London,DC=...; CN=Judith,OU=Paris,DC=...; CN=Victor,OU=London,DC=...; CN=Stan,OU=London,DC=... On Judith's object the backlink memberOf = CN=Sales,OU=Groups,DC=...; CN=IS Access,OU=Groups,DC=... is computed from those forward links; it is not written or replicated on its own

  24. (Not)replicated attributes • Not replicated (DC-local) • logonCount • badPwdCount • badPasswordTime • lastLogon • lastLogoff • Replicated • pwdLastSet • lockoutTime • lastLogonTimestamp (since 2003)

  25. Logon timestamps (2003 DFL) (diagram): the client authenticates at one DC at 11:38; the three DCs hold lastLogon = 9:00, 11:38 and none respectively, because lastLogon is DC-local, while all three hold the same replicated lastLogonTimestamp = 11:00

  26. lastLogonTimestamp • Requires 2003 domain level • Updated only once per 14-random(5) days • set on the domain NC head, e.g. DC=idtt,DC=local • msDS-LogonTimeSyncInterval (days) • 1+ – minimum, without randomization • 5+ – randomization starts • 14 – the default • ...

  27.–28. Password changes (diagram series): the client changes its password at a DC; that DC immediately replicates the new password hash to the PDC, and the change reaches the other DCs by normal replication. pwdLastSet travels with the hash, so the pwdLastSet value on each DC and on the PDC shows how current that DC's copy of the password is

  29.–32. Authentication failures (diagram series): while every DC and the PDC still hold pwd1, logon with pwd1 succeeds at any DC. After the password is changed to pwd2 at one DC, the PDC has pwd2 immediately but another DC may still hold pwd1; a client presenting pwd2 to that DC fails locally, so the DC forwards the attempt to the PDC, which holds the newest password and accepts it. Because every failed attempt is retried at the PDC, badPwdCount adds up there (PDC 7 against 2, 3 and 2 on the individual DCs), the PDC is the one that reaches the lockout threshold, and the resulting lockoutTime is replicated to the other DCs
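Slides 24, 26 and 29–32 together say that lastLogon, badPwdCount and badPasswordTime must be read from every DC, that lastLogonTimestamp may lag by up to msDS-LogonTimeSyncInterval days, and that the PDC holds the authoritative bad-password count. This added example (not code from the deck) collects those attributes for one user from every DC and from the domain head. It assumes the RSAT ActiveDirectory module, LDAP reachability to all DCs, and a placeholder user name "kamil".

```powershell
# Added example (not from the original deck). Assumes the RSAT ActiveDirectory module and
# LDAP access to every DC; the user "kamil" is a placeholder.
Import-Module ActiveDirectory

function ConvertFrom-FileTime([Int64]$Value) {
    # AD stores these timestamps as 64-bit FILETIME; 0 means "never"
    if ($Value) { [DateTime]::FromFileTime($Value) }
}

function Get-PerDcLogonState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $domain = Get-ADDomain
    $pdc    = $domain.PDCEmulator
    # Slide 26: the domain-wide refresh interval (days) for lastLogonTimestamp
    $sync = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'msDS-LogonTimeSyncInterval').'msDS-LogonTimeSyncInterval'
    if ($null -eq $sync) { $sync = 14 }   # default when the attribute was never set

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc `
                   -Properties lastLogon, lastLogonTimestamp, badPwdCount, badPasswordTime, lockoutTime, pwdLastSet
        } catch {
            Write-Warning "$dc unreachable: $($_.Exception.Message)"
            continue
        }
        [pscustomobject]@{
            DC                 = $dc
            IsPDC              = ($dc -eq $pdc)
            lastLogon          = ConvertFrom-FileTime $u.lastLogon           # DC-local
            badPwdCount        = $u.badPwdCount                              # DC-local
            badPasswordTime    = ConvertFrom-FileTime $u.badPasswordTime     # DC-local
            lastLogonTimestamp = ConvertFrom-FileTime $u.lastLogonTimestamp  # replicated, up to $sync days stale
            lockoutTime        = ConvertFrom-FileTime $u.lockoutTime         # replicated
            pwdLastSet         = ConvertFrom-FileTime $u.pwdLastSet          # replicated
            SyncIntervalDays   = $sync
        }
    }
}

$rows = Get-PerDcLogonState -SamAccountName 'kamil'
$rows | Format-Table -AutoSize

# The real last logon is the newest lastLogon seen on any DC
$newest = ($rows | Where-Object lastLogon | Sort-Object lastLogon -Descending | Select-Object -First 1).lastLogon
"Newest lastLogon on any DC: $newest"
# Every failed attempt is retried at the PDC, so its badPwdCount is the one that drives lockout
"badPwdCount on the PDC: $(($rows | Where-Object IsPDC).badPwdCount)"
```

Reading only the DC the workstation happens to be bound to gives a lastLogon that may be hours or months old and a badPwdCount that is only that DC's share; the per-DC table makes both visible at once.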

  33. Security Principals • Users • login, password, SID + SID history • Computers • user + computer attributes • Service Accounts • computer + specific attributes • Groups • login, SID + SID history

  34. Computer Password Age

  35. Active Directory Replication Topology

  36. Intrasite Replication Topology (diagram): DC1–DC4 connected by the KCC into a bidirectional ring

  37. Originating Updates and Notifications (diagram): after an originating update on DC1 the first partner is notified after 15 s, each further partner 3 s later (DC4, then DC2, then DC3)

  38. Notification and Replication (diagram): DC1 → DC2 "I have got some changes" (notification), then DC2 → DC1 "Give me your replica" (the partner pulls the changes); both are RPC calls over a dynamically assigned TCP port, Kerberos authenticated

  39. Intrasite Replication – 3 Hops max. (diagram): with seven DCs (DC1–DC7) in one site the KCC adds connections across the ring so that no DC is more than three hops away from any other

  40.–42. Intersite Replication (diagram series): two sites, DC1–DC4 and DC5–DC7. Inside each site changes spread by the 15 s/3 s notifications; across the site link they move only on the schedule. Without bridgeheads individual DCs in each site hold the intersite connections; with a bridgehead one DC per site carries all intersite traffic and hands the changes on inside its site with the usual notifications

  43. Intrasite Replication • Uses notifications by default (originating/received) • 300/30 sec on Windows 2000 • 15/3 sec on Windows 2003 • Also occurs every hour as scheduled • nTDSSiteSettings • At this frequency the KCC detects unavailable partners • HKLM\System\CurrentControlSet\Services\NTDS\Parameters • Replicator notify pause after modify (secs) • Replicator notify pause between DSAs (secs)

  44. Intrasite Replication (diagram): DC1 sends a notification to DC2 15 s after the change; DC2 downloads the changes over a dynamic TCP port; independently of notifications DC2 also downloads changes on the hourly schedule

  45. Intersite Replication (diagram): no notification; DC2 downloads changes from DC1 over a dynamic TCP port only when the site link schedule opens

  46. Intersite Replication • Does not use notifications by default • siteLink: options = USE_NOTIFY (1) • Compression used • siteLink: options = DISABLE_COMPRESSION (4) • Bridge all site links
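The options bits above (USE_NOTIFY = 1, DISABLE_COMPRESSION = 4) live on each siteLink object. This added example (not from the deck) decodes them for every site link and changes the notification bit without disturbing the others. It assumes the RSAT ActiveDirectory module with the Server 2012+ replication cmdlets; the link name 'London-Paris' is a placeholder.

```powershell
# Added example (not from the original deck): decode and change siteLink options bits.
# Assumes the RSAT ActiveDirectory module (Get-ADReplicationSiteLink, Set-ADObject).
Import-Module ActiveDirectory

$USE_NOTIFY          = 1   # slide 46: intersite change notification on
$DISABLE_COMPRESSION = 4   # slide 46: intersite compression off

function Get-SiteLinkReplicationOptions {
    Get-ADReplicationSiteLink -Filter * -Properties options | ForEach-Object {
        $opt = [int]($_.options)   # attribute absent -> $null -> 0
        [pscustomobject]@{
            Name        = $_.Name
            Cost        = $_.Cost
            IntervalMin = $_.ReplicationFrequencyInMinutes
            Notify      = [bool]($opt -band $USE_NOTIFY)
            Compress    = -not [bool]($opt -band $DISABLE_COMPRESSION)
            RawOptions  = $opt
            DN          = $_.DistinguishedName
        }
    }
}

function Set-SiteLinkNotification {
    param(
        [Parameter(Mandatory)][string]$Name,
        [switch]$Disable
    )
    $link = Get-ADReplicationSiteLink -Identity $Name -Properties options
    $old  = [int]($link.options)
    # Touch only the USE_NOTIFY bit; keep DISABLE_COMPRESSION and anything else as it was
    $new  = if ($Disable) { $old -band (-bnot $USE_NOTIFY) } else { $old -bor $USE_NOTIFY }
    if ($new -ne $old) {
        Set-ADObject -Identity $link.DistinguishedName -Replace @{ options = $new }
    }
    [pscustomobject]@{ Name = $Name; OldOptions = $old; NewOptions = $new }
}

Get-SiteLinkReplicationOptions | Format-Table -AutoSize
# Set-SiteLinkNotification -Name 'London-Paris'            # placeholder link name: turn notification on
# Set-SiteLinkNotification -Name 'London-Paris' -Disable   # and back off
```

Enabling notification on a site link also makes the urgent replication events of slide 48 cross that link, so it is a deliberate trade of WAN traffic for faster propagation of lockouts and policy changes.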

  47. Static TCP for Replication • HKLM\System\CurrentControlSet\Services • NTDS\Parameters • TCP/IP Port = DWORD • Replication • Netlogon\Parameters • DCTcpipPort = DWORD • LSASS (Pass-through) • NTFRS\Parameters • RPC TCP/IP Port Assignment = DWORD • DFSRDIAG StaticRPC /port:xxx /Member:dc1 • the chosen ports must also be opened on the firewalls between DCs
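Slides 43 and 47 name five registry values under the NTDS, Netlogon and NTFRS service keys. This added example (not from the deck) reads all of them from every DC in one pass, so that a DC with a pinned or tuned value stands out, and shows how the two static RPC ports are set. It assumes the RSAT ActiveDirectory module and WinRM access to the DCs; dc1 and the ports 5000/5001 are placeholders.

```powershell
# Added example (not from the original deck): audit and set the NTDS/Netlogon/NTFRS
# replication registry values from slides 43 and 47. Assumes WinRM access to the DCs.
Import-Module ActiveDirectory

function Get-DcReplicationRegistry {
    param([Parameter(Mandatory)][string[]]$DomainController)

    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $nl   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        $frs  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters'
        function rv($path, $name) {
            # $null when the value is absent, i.e. the built-in default applies
            (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            DC                     = $env:COMPUTERNAME
            NotifyPauseAfterModify = rv $ntds 'Replicator notify pause after modify (secs)'  # default 15 on 2003+
            NotifyPauseBetweenDSAs = rv $ntds 'Replicator notify pause between DSAs (secs)'  # default 3 on 2003+
            NtdsRpcPort            = rv $ntds 'TCP/IP Port'                                  # $null = dynamic port
            NetlogonRpcPort        = rv $nl   'DCTcpipPort'                                  # $null = dynamic port
            FrsRpcPort             = rv $frs  'RPC TCP/IP Port Assignment'                   # $null = dynamic port
        }
    }
}

function Set-DcStaticReplicationPorts {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [Parameter(Mandatory)][int]$NtdsPort,
        [Parameter(Mandatory)][int]$NetlogonPort
    )
    Invoke-Command -ComputerName $DomainController -ArgumentList $NtdsPort, $NetlogonPort -ScriptBlock {
        param($NtdsPort, $NetlogonPort)
        $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        $nl   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
        # -Force overwrites an existing value; both services read it only at start-up,
        # so AD DS and Netlogon (or the DC) must be restarted before it takes effect
        New-ItemProperty -Path $ntds -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort -Force | Out-Null
        New-ItemProperty -Path $nl   -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null
    }
}

Get-DcReplicationRegistry -DomainController (Get-ADDomainController -Filter *).HostName | Format-Table -AutoSize
# Set-DcStaticReplicationPorts -DomainController 'dc1' -NtdsPort 5000 -NetlogonPort 5001   # placeholder host and ports
```

The two ports must be distinct from each other and from anything else bound on the DC, and the firewall rules between the sites have to admit them before the services are restarted, otherwise replication stops instead of becoming easier to filter.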

  48. Urgent Replication (Notification) • Intrasite only • intersite also if notification enabled • Do not wait for delay (15/3 sec) • In the case of • account lockout • password and lockout policy • RID FSMO owner change • DC password or trust account password change

  49. Immediate Replication (Notification) • Password changes • from DCs to PDC • Regardless of site boundaries • PDC downloads only the single user object • all changed attributes but only single object • From DC/PDC further with normal replication
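Slides 27, 28 and 49 describe the password hash being pushed to the PDC at once while the other DCs wait for normal replication. One way to watch this from the outside is the per-attribute replication metadata of pwdLastSet, which records the version, the originating DC and the originating time on every replica. This added example (not code from the deck) collects that metadata from every DC for one user; it assumes the RSAT ActiveDirectory module with Get-ADReplicationAttributeMetadata and a placeholder user "kamil".

```powershell
# Added example (not from the original deck): compare pwdLastSet replication metadata
# across DCs after a password change. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-PasswordReplicationState {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $pdc = (Get-ADDomain).PDCEmulator
    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName

    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            # Metadata is read from the replica on $dc, not from a central source
            $m = Get-ADReplicationAttributeMetadata -Object $dn -Server $dc -Properties pwdLastSet
        } catch {
            Write-Warning "$dc unreachable: $($_.Exception.Message)"
            continue
        }
        [pscustomobject]@{
            DC         = $dc
            IsPDC      = ($dc -eq $pdc)
            Version    = $m.Version                                     # bumps by 1 per originating change
            OriginDC   = $m.LastOriginatingChangeDirectoryServerIdentity  # DC where the password was changed
            OriginTime = $m.LastOriginatingChangeTime
            LocalUsn   = $m.LocalChangeUsn
        }
    }
}

$state = Get-PasswordReplicationState -SamAccountName 'kamil'
$state | Format-Table -AutoSize

# Immediately after a change on a non-PDC DC, the originating DC and the PDC show the new
# Version first (slide 49); the remaining DCs catch up by normal replication.
$pdcVersion = ($state | Where-Object IsPDC).Version
$lagging    = $state | Where-Object { $_.Version -lt $pdcVersion }
if ($lagging) { "Still on the old password version: $($lagging.DC -join ', ')" } else { 'All DCs are at the PDC version' }
```

Because the PDC is the replica that is updated out of band, its Version is the reference; any DC that is more than a few minutes behind it inside the same site is worth a look at its inbound replication, while a lag across a site link is simply the schedule.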

  50. Example Replication Traffic • Atomic replication of a single object with a one-byte attribute change • Notification + replication • intersite, compressed • Overall 7536 B • 30 packets, ~10 round trips • 50 ms round trip means ~500 ms transfer time • i.e. ~120 kbps of bandwidth during the transfer • Useful data ~80 B
