1
00:00:00,940 --> 00:00:04,430
Let's look at configuring and managing AD DS replication.

2
00:00:04,430 --> 00:00:07,170
First, we recall that in Windows Server,

3
00:00:07,170 --> 00:00:12,410
a domain controller is a specialized host that contains the Active Directory

4
00:00:12,410 --> 00:00:17,830
database. And I had mentioned that AD DS consists of a number of partitions, and

5
00:00:17,830 --> 00:00:22,680
these partitions are scoped differently in terms of the replication partners.

6
00:00:22,680 --> 00:00:26,310
The configuration partition is forest-wide,

7
00:00:26,310 --> 00:00:30,280
so this partition is going to contain references to the overall

8
00:00:30,280 --> 00:00:33,480
structure of the forest. You may have just a single forest,

9
00:00:33,480 --> 00:00:35,580
single domain, or within your forest,

10
00:00:35,580 --> 00:00:38,640
you may have a domain tree or multiple domain trees.

11
00:00:38,640 --> 00:00:41,070
All of that metadata is in the configuration

12
00:00:41,070 --> 00:00:42,850
partition, and hopefully it makes sense.

13
00:00:42,850 --> 00:00:45,960
You want that to replicate to all domain controllers

14
00:00:45,960 --> 00:00:48,040
across all domains in the forest.

15
00:00:48,040 --> 00:00:51,460
The schema partition is also forest-wide. This tracks all

16
00:00:51,460 --> 00:00:53,200
of the objects and their attributes.

17
00:00:53,200 --> 00:00:53,530
Again,

18
00:00:53,530 --> 00:00:57,430
this is critical. If you extend the Active Directory schema in your forest,

19
00:00:57,430 --> 00:01:01,880
you want all DCs across all domains in that forest to be aware of that update

20
00:01:01,880 --> 00:01:06,420
as soon as possible. Within each domain, we have the domain partition, and

21
00:01:06,420 --> 00:01:11,280
this partition is domain-specific. It contains all of your domain user, group,

22
00:01:11,280 --> 00:01:13,460
and organizational unit information.

23
00:01:13,460 --> 00:01:18,710
And so this isn't as necessary to have in all domains. It's just each domain,

24
00:01:18,710 --> 00:01:23,030
this is its working partition. Then we have the application partition.

25
00:01:23,030 --> 00:01:25,800
This is going to be used for two different purposes.

26
00:01:25,800 --> 00:01:29,700
One, administrators can create their own custom application

27
00:01:29,700 --> 00:01:33,400
directory partitions where you can have line-of-business data and

28
00:01:33,400 --> 00:01:37,120
then control the domain controller scope, in other words, within a

29
00:01:37,120 --> 00:01:41,980
domain or across the entire forest, on how you want to spread that

30
00:01:41,980 --> 00:01:43,600
application partition data.

31
00:01:43,600 --> 00:01:46,530
Now, when you're doing Active Directory-integrated DNS,

32
00:01:46,530 --> 00:01:50,620
which I certainly hope you are, the AD integration happens by means

33
00:01:50,620 --> 00:01:53,570
of two special-purpose application partitions.

34
00:01:53,570 --> 00:01:57,860
There's ForestDnsZones that replicates your DNS forest-wide and

35
00:01:57,860 --> 00:02:02,100
DomainDnsZones, and you can control the scope. Again, in a forest where

36
00:02:02,100 --> 00:02:06,200
you're just using the default trust relationships among domain trees

37
00:02:06,200 --> 00:02:08,300
and within parent and child domains,

38
00:02:08,300 --> 00:02:11,560
it would make sense that you would replicate those zones forest-wide,

39
00:02:11,560 --> 00:02:13,780
but you can control that as an administrator.

40
00:02:13,780 --> 00:02:16,640
There's the two partitions, as you can see on the slide.

41
00:02:16,640 --> 00:02:20,590
Now let's look at some fun facts with Active Directory replication.

42
00:02:20,590 --> 00:02:21,380
As I mentioned,

43
00:02:21,380 --> 00:02:24,820
the Knowledge Consistency Checker is the component or process

44
00:02:24,820 --> 00:02:27,950
that dynamically builds connection objects between the sites

45
00:02:27,950 --> 00:02:29,690
that you define as an administrator.

46
00:02:29,690 --> 00:02:33,860
The default intra-site replication interval is 15 seconds.

47
00:02:33,860 --> 00:02:36,650
That means, within a site, it's assumed that all

48
00:02:36,650 --> 00:02:39,050
domain controllers have high-speed,

49
00:02:39,050 --> 00:02:43,500
low-latency connectivity, so they can update basically whenever they

50
00:02:43,500 --> 00:02:47,220
want to. Between sites, remember, the reason why you define separate

51
00:02:47,220 --> 00:02:51,500
sites is so that you can put more control, and context, and bounds on

52
00:02:51,500 --> 00:02:55,530
that replication traffic. The default inter-site replication interval

53
00:02:55,530 --> 00:02:57,840
is 180 minutes, or 3 hours.

54
00:02:57,840 --> 00:03:01,300
A site link is defined as a transitive logical connection

55
00:03:01,300 --> 00:03:03,490
between sites and their bridgehead servers.

56
00:03:03,490 --> 00:03:04,950
The idea with the site link,

57
00:03:04,950 --> 00:03:07,770
particularly the site link and connection objects that are

58
00:03:07,770 --> 00:03:11,570
built dynamically by the KCC, is that full inter-site

59
00:03:11,570 --> 00:03:13,410
connectivity is assumed. In other words,

60
00:03:13,410 --> 00:03:15,330
you have a fully routed network.

61
00:03:15,330 --> 00:03:18,460
If your network environment is not fully routed,

62
00:03:18,460 --> 00:03:23,880
you may have to go to manually creating site links and site link bridge objects.

63
00:03:23,880 --> 00:03:27,830
A site link bridge is an administrator-defined connection between domain

64
00:03:27,830 --> 00:03:30,990
controllers and sites that don't have direct connectivity.

65
00:03:30,990 --> 00:03:35,780
The old Windows Server 2003 and 2008 exams used to get into the

66
00:03:35,780 --> 00:03:38,350
weeds on site links and site link bridges.

67
00:03:38,350 --> 00:03:41,310
That shouldn't be an issue anymore with AZ-800 and

68
00:03:41,310 --> 00:03:43,490
803 because, dollars to donuts,

69
00:03:43,490 --> 00:03:47,240
you have full routing connectivity among all of your sites.

70
00:03:47,240 --> 00:03:50,380
What are some common Active Directory replication troubleshooting

71
00:03:50,380 --> 00:03:53,370
tools? Well, some that have been around since the beginning are old

72
00:03:53,370 --> 00:03:57,960
compiled command-line tools like Repadmin. This is a great Swiss Army

73
00:03:57,960 --> 00:04:00,120
knife to diagnose replication issues.

74
00:04:00,120 --> 00:04:04,260
There's also Dcdiag, which can look at replication, as well as Active

75
00:04:04,260 --> 00:04:07,630
Directory DNS, your FSMO roles, site connectivity.

76
00:04:07,630 --> 00:04:09,290
Those are great. Nowadays though,

77
00:04:09,290 --> 00:04:12,370
we're pretty much standardized on PowerShell. There are at least three

78
00:04:12,370 --> 00:04:15,400
PowerShell commands in the Active Directory module that you should be

79
00:04:15,400 --> 00:04:18,010
aware of. Get-ADReplicationConnection.

80
00:04:18,010 --> 00:04:20,520
In fact, all three of these are Gets, so you're basically

81
00:04:20,520 --> 00:04:22,960
just getting data back in a report.

82
00:04:22,960 --> 00:04:25,100
Show me the replication connection,

83
00:04:25,100 --> 00:04:27,700
show me replication failures. You can run

84
00:04:27,700 --> 00:04:31,670
Get-ADReplicationPartnerMetadata against a particular

85
00:04:31,670 --> 00:04:38,000
server to see what its replication partner is, what your bridgeheads are, this sort of stuff.