Directory Replication Basics for Windows 2000

This article describes new terms and design considerations, and provides a simple example, for configuring sites in your organization.

Windows 2000 Server introduces a new concept of replication topology by using sites, site links, and site-link bridges. The site configuration (or physical structure) is really a model of the physical network. Because Windows 2000 is not aware of the physical network (routed entities, and so on), you must create a site configuration that reflects the physical network.

Similarly, the domain, or logical structure, is defined separately from the site structure. Although the domain, site, and physical structures are defined and configured independently from each other, they have interdependencies that affect replication.

Description of a Site

A site is a collection of one or more subnets that are defined by the administrator. When you define subnets, they should be "well-connected" with high-bandwidth local area network (LAN) connections.

Sites can contain multiple domains, and a domain can span more than one site. If a domain spans more than one site, it must replicate by using the Internet Protocol (IP) inter-site transport. You can use the Simple Mail Transfer Protocol (SMTP) inter-site transport only for global catalog replication and replication of non-domain naming contexts, such as the configuration and schema.

You define and administer a site in the "Active Directory Sites and Services Manager" snap-in. When you install a domain controller as the first domain controller in a forest, a new site is created by default. You can also create other sites.

Description of a Connection

A connection object is a unidirectional replication connection from one domain controller to another that is created by the Active Directory replication topology generator (KCC) or the administrator. To achieve bidirectional replication, first define two unidirectional connection objects.

The KCC periodically creates connections to maintain directory connectivity without manual intervention. However, you can manually create connections. If you create a connection that is identical to the one that the KCC would create, the KCC does not create an additional connection and does not delete any manual connections.

A connection object exists under the NTDS settings object of the server that is the destination of the replication traffic. Replication is always pull-based. A connection object is between two specific servers. Connection objects can be intra-site or inter-site, depending on whether the two ends are in the same site or different sites. A connection object does not restrict the partitions that can be replicated between the two servers. The directory replicates all partitions that are common between the two servers. To illustrate, if a global catalog server (GC1) has two inbound connections from GC2 and GC3, GC1 replicates all partitions in the organization from both global catalog (GC) servers, even if this action appears redundant.

Description of a Site Link

A site link is an object that typically represents two sites that are connected physically by a wide area network (WAN) link. Although the site link may contain more than two sites, this article discusses the simplest case--a link that represents two sites.

The site link allows the administrator to assign the cost and transport for replication. This procedure defines parameters for replication. The cost is an arbitrary value that is selected by the administrator to reflect the speed and reliability of the physical connection between the sites. When you lower the cost value on the link, the priority is increased. Site links have a replication interval and a schedule that are independent of the cost. The cost is used by the KCC to prefer one site link path over another.

If a site link has more than two sites, all of the sites in the site link are considered connected in a NxN fully connected star topology.

The KCC uses site links to decide which sites to link with connections. Without site links, the KCC has no information about the sites that are reachable on the network and does not know the relative costs of the WAN links between the sites. You should add at least enough site links so that every site is transitively linked to every other site. When you do this, a directory object that is added or modified on a particular domain controller in a particular site eventually makes its way to all of the domain controllers in all of the sites.

Description of a Site-Link Bridge

A site-link bridge is a collection of two or more site links that provides a structure to build transitive links between sites and evaluate the least-cost path. For example, you may have three sites, A, B, and C, and you may create the following site links: Note that the costs are in parentheses ().

If site B is unavailable (if every domain controller in the site is unavailable), site A cannot replicate to site C because there is no site-A-to-site-C link. To resolve this problem, either create a site link from site A to site C with some cost, or create a site-link bridge that consists of links between site A and site B, and between site B and site C. The bridge infers a transitive link between site A and site C with a cost of 7.

In this example, it is as easy to create a link between site A and site C as it is to create a site-link bridge. If you have a more complex network with many sites, the site-link bridge is easier to administer because you do not need to create many links between all sites. Additionally, if the network connectivity between site A and site B is improved so that the cost of the site link is reduced, you need only to update the cost of a single site link (the site link between site A and site B) rather than multiple site links (the site link between site A and site B, and the site link between site A and site C) when you have site link bridging enabled.

Site-link bridges are only significant when you enable the Bridge all sites links option. When you enable this option, bridges are ignored and all site links are considered to be in one large bridge. The is the default behavior in Windows 2000.

A bridge allows site links that share a common site to route through that site and produce a transitive path that is the sum of the individual site links. In the example in this section, when automatic site link bridging is turned off, and there is a bridge (from site A to site B, and from site B to site C), the KCC can deduce a routed, transitive path from site A to site C with a cost of 7. Note that site B is considered only for IP routing. It does not matter to the KCC if site B has a copy of the given domain whose topology it is trying to calculate.

Bridging can be useful to constrain the KCC to take certain paths through the site-link topology.

How the Domain Structure Affects Site Replication

There are rules that govern the relationship between domains and sites. The basic rules for sites are:

1. A domain may exist at one or more sites.
2. A site may contain domain controllers for one or more domains.
3. A site-link bridge can provide replication for domains in three or more sites only if the domains have connectivity through at least one common site.
4. One site-link bridge in an organization is usually sufficient unless the network is not fully routed (for example, if the site has virtual private network (VPN) connections).
5. The site-link bridge creates transitive links. Therefore, if site A has a link to site B and site B has a link to site C, the bridge infers a transitive site link between site A and site C with a cost of AB+BC.

The following configuration demonstrates a sample network:

• Sites: New York (NY), Los Angeles (LA), and Atlanta (ATL)
• Domains: EXEC and ENG (note that the EXEC domain exists only at site LA)
• Physical network: ATL-LA=T1; LA-NY=T1; NY-ATL=128 KB
• Site links: The NY-LA cost is 2 and the ATL-LA cost is 2 (because the NY-ATL link is slow, you may not want to create a site link between these two sites)
• The site-link bridge connects site links NY-LA and LA-ATL

    NY-----(2)--+-----LA 
  EXEC          +      EXEC
  ENG          SLB    / 
                +    / 
                +   / 
                +  / 
                + / 
                 / 
               ATL
                EXEC
                ENG
  						

Note the following information about this example:

• Because of the first rule, both the EXEC and ENG domains exist at more than one site.
• Because of the second rule, site ATL and site NY contain more than one domain.
• Because of the third rule, if there is no site-link bridge, domain ENG is not replicated because there is no site common to site ATL and site NY in the replication topology that contains domain ENG. For this to work, there must be at least one domain controller at site LA for domain ENG.
• Because there is a site-link bridge for links between site NY and site LA, and between site LA and site ATL, there is a transitive or inferred link between site NY and site ATL with a cost of 4. This means that if site LA becomes unavailable, site NY and site ATL can replicate.

Advanced Topics

Certain advanced topics that relate to site replication are not discussed in this article. These topics include site-link scheduling, bridgehead server design, how to use IP or SMTP transports, and how replication works in relation to the three naming contexts (configuration, schema, and domains). In addition, the Windows 2000 Server Distributed Systems Guide that is included with the Microsoft Windows 2000 Server Resource Kit, provides more detail in chapter 6, "Active Directory Replication."