|
|
|
|
DOMAIN SYNCHRONIZATION AND REPLICATION In the previous section, it was discovered that log on scripts are executed only on the domain controller processing the log on request. If the log on script resides on a server other than the server validating the log on request, it is not executed. The replication service provides a mechanism for copying these log on scripts [and other directories and files] to each backup domain controller in the network. Periodically, the NT Server PDC synchronizes the domain account database to each BDC in the network. It sends only the changes to each BDC (this limits traffic). Synchronization is necessary in order to keep the domain accounts database consistent across the domain, remembering of course, that BDC’s can validate log on requests by users. If any change is made to the domain accounts database [like adding or modifying a user] it will take a finite time for the BDC’s in the domain to be updated with the altered account information. If the user attempts to log on during this time before the changes are replicated, and this request is validated by a BDC, then the user will not be granted the correct rights or privileges because the BDC is using an outdated domain accounts database. The registry entry which controls the frequency of the automatic synchronization for the domain accounts database is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\Pulse and is set to 300 seconds (5 minutes) by default. If you change the value of this parameter, you must restart the netlogon service for the changes to take effect.
With the introduction of NT Server v3.5, the parameter HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\ReplicationGovernor (which as a range of 0-100, with a default of 100), defines the percentage in both size of the data transferred and the frequency of the data transfer. When set to 100, a default of 128Kbytes is used; when set to 50, a buffer size of 64Kbytes is used and the BDC will have an outstanding synchronization only 50% of the time. Setting the value too low will increase the time duration between synchronization. This parameter is set on each BDC [the PDC and BDC must be running NT 3.5 or greater]. Reducing the size of the parameter increases the time between calls, and reduces the buffer size used during each call. This essentially frees up the WAN link for use by other services, preventing the synchronization from consuming the entire WAN bandwidth. For larger networks, it is desirable to install the BDC on site where the PDC is located. This installs the domain accounts database onto the BDC. The BDC is then shipped to the destination site, and connected back into the network. This ensures that the entire domain accounts database is not transferred across the WAN link when the BDC is installed. A typical scenario of using BDC’s is as follows, where a company has a number of branch offices located geographically, each connected via low speed WAN links. The PDC is located in head office, and each regional site is equipped with a BDC. This ensures that domain log on requests are processed locally, and not sent across the WAN link for validation. Providing a BDC at each regional office ensures users can still log on to the domain even if the WAN link or PDC goes down.
\<winnt_root>\system32\repl\import by default. Files to be exported to other computers [Domain Controllers, NT Servers or Windows NT Workstation] are exported from the directory \<winnt_root>\system32\repl\export This has special permissions already assigned, and administrators should place exported data and files under this share point. Remember that domain log on scripts reside under the import directory, so if you want these to be replicated to BDC’s within the domain, the log on scripts should be copied to the export directory. Replication is recommended where only one copy of the file needs to be maintained, and where the data [usually log on scripts or mandatory profiles] need to be available on each domain controller in the network that validates log on requests. It is also handy for such this as phone lists and address books. A file that is deleted under the export directory will not be deleted on the imported computers.
The export computer provides the files and directories which will be replicated to other computers. These must be Windows NT Server computers. The import computers receive the replicated files and store this information under the REPL$ share point. These can be Windows NT Domain Controllers, Windows NT Servers, or Windows NT Workstation based computers.
If the export directory resides on an NTFS partition, the REPLICATOR GROUP on the export server should be given FULL CONTROL to the exported directory tree.
If the import computer is in the export servers domain, or a trusting domain, then use the domain account created earlier for replication.
In the diagram below, the Administrator has selected the PDC as the export computer, to bring up the properties associated with the export computer. The replication tab controls how replication is handled by this computer.
When the administrator clicks on the replication tab, the Directory Replication dialog box appears. In the diagram below, the administrator has clicked on the Manage button to specify the directories to be exported or locked.
In addition, the status of any replication or replicated directories is available, showing when the last replication occurred and whether it is up to date. This status information is handy for troubleshooting replication problems.
Salam Saif Said AL-Riyami Sultanate
of Oman |
|
|
Domain Synchronization across a WAN link
