What is Multi-Master support in Directory and Resource Administrator and how does it work? (NETIQKB221)

  • 7700221
  • 02-Feb-2007
  • 19-Jun-2007

Resolution

Goal

What is Multi-Master support in Directory and Resource Administrator and how does it work?

What is the purpose of the DRA Multi-Master model?

Fact

Directory and Resource Administrator 6.x
Directory and Resource Administrator 7.x
Directory and Resource Administrator 8.x

Fix

Multi-Master support allows multiple Directory and Resource Administrator (DRA) servers to share the same set of security data (ActiveViews, Policies, Roles, etc.). This support also allows multiple DRA servers to manage the same domains. The primary benefits of Multi-Master support are the ability to minimize traffic across constrained communication links, the ability for a set of DRA servers to share the same security data, and real-time fault tolerance.

ADDITIONAL QUESTIONS AND ANSWERS

Where does DRA store its security data?
DRA stores its security data (ActiveViews, Policies, Roles, etc.) in a secured area of the Administration server registry.

How are changes made to DRA security data?
When making changes to DRA security data, the DRA Admin must connect to the DRA Primary server. When making changes to user accounts, groups, contacts, etc., an Assistant Admin can connect to any DRA server (either Primary or Secondary) that is managing the domain containing the objects to be managed.

How do the DRA servers share security data?
There are two types of DRA servers - Primary and Secondary. The Primary server is where any changes to ActiveViews, Policies, Roles, etc. are made. The Primary DRA server replicates security data changes to all Secondary servers on a regularly scheduled basis. The default is every four hours, but this can be set to any interval between 30 minutes and 12 hours. In DRA 7.0 and prior, security data changes are applied immediately when a Secondary DRA server receives an update. Beginning in DRA 7.0 SP1, the changes can be applied based on a per-server schedule. The DRA server remains fully functional during the update process. If the DRA server is not running when the update arrives, the changes will be applied the next time the DRA server starts. In DRA 7.5 and earlier versions, any automation policy and trigger scripts must be replicated manually from the Primary server to the Secondary server(s). Beginning in DRA 8.0, this information can be replicated to all Secondary DRA servers by means of the File Replication feature.

What happens if the DRA Primary server attempts to replicate security data to a Secondary DRA server, but the Secondary server is not running?
If the Secondary server is not running when the update arrives, the changes will be applied the next time the Secondary server starts. If the computer on which the Secondary DRA server is located is not available, the Primary server will retry replication at the next regularly scheduled replication time.

What is a Multi-Master set?
A Multi-Master set (MMS) consists of one Primary DRA server plus some number of Secondary servers that share the same DRA security data to manage the same set of domains and member servers/workstations.

How many Secondary servers can exist in an MMS?
There are no built-in restrictions on the number of Secondary servers that can exist in an MMS.

Can Secondary servers be on different replication schedules?
Yes.

Does a forced replication send the data to all Secondary servers?
No, you select the Secondary servers for a forced (full) replication.

How much data is sent to each Secondary server during replication?
This will vary depending on the number of ActiveViews, Assistant Admins, etc., defined and the number of rules. However, a default (as shipped) configuration results in roughly 320 Kbytes (about 260 Kbytes of data, 60 Kbytes of network overhead) being transferred from the Primary to each Secondary server during a forced refresh. A scheduled refresh will usually be somewhat less because only those areas of the data that have changed are replicated. Therefore, a scheduled replication of an 'as-shipped' configuration can range from about 10 Kbytes to about 320 Kbytes. By default, this replication occurs every four hours.

Which Windows 2000/2003 domain controller will DRA use to update AD?
When a DRA server starts, it will use the 'Preferred' domain controller specified at the bottom of the General tab for each managed domain. DRA will read from this DC and will write AD changes to this DC. This behavior differs from DRA 6.x, where the DRA server dealt exclusively with the managed domain's PDC emulator; if the PDC emulator was unavailable, DRA could not function.

How does the DRA client find the appropriate DRA server?
The DRA client finds the appropriate DRA server by querying the DRA agents that run on every DC in a managed domain.

  1. The DRA client queries AD to determine the closest DC.
  2. The DRA client queries the DRA agent on the closest DC to determine the appropriate DRA server. Each DRA agent contains a list of DRA servers managing the domain in which the specific DRA agent resides. If the DRA agent is not running on the closest DC, the Assistant Admin is prompted to provide the name of the DRA server.
  3. If a DRA server is in the same AD site as the Assistant Admin's computer, the DRA agent tells the client to connect to that DRA server.
    NOTE: Because Windows NT does not have sites, this step is performed only for clients in Windows 2000 domains.
  4. If the DRA agent doesn't find a DRA server by using the steps above, the DRA agent will tell the client to connect to the first DRA server in the list of DRA servers that manages the target domain.

In addition to the above steps, the Assistant Admin can specify the DRA server to which he wants to connect.
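The server-discovery order described above, modelled as an added example (not NetIQ code): the topology, class and function names are assumptions chosen only to show the decision order, including the prompt when no agent runs on the closest DC and the skipped site check for NT domains.

```python
"""Model of the DRA client's server-discovery order (steps 1-4 plus the
manual override). Added illustration, not NetIQ code; names are assumed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DomainController:
    name: str
    site: Optional[str]            # None models a Windows NT 4 domain (no sites)
    agent_running: bool
    # The DRA agent's own list of (server, AD site) managing this DC's domain,
    # in the order the agent holds them (constructed data here).
    dra_servers: list = field(default_factory=list)


def closest_dc(dcs: list, client_site: Optional[str]) -> DomainController:
    """Stand-in for the AD query in step 1: prefer a DC in the client's site."""
    for dc in dcs:
        if client_site is not None and dc.site == client_site:
            return dc
    return dcs[0]


def select_dra_server(dcs, client_site, manual_choice=None):
    """Return (server_name, reason); server_name is None when the user is prompted."""
    if manual_choice:                      # Assistant Admin named a server
        return manual_choice, "specified by Assistant Admin"
    dc = closest_dc(dcs, client_site)      # step 1
    if not dc.agent_running:               # step 2: no agent -> prompt the user
        return None, f"no DRA agent on closest DC {dc.name}; prompt for server"
    if client_site is not None:            # step 3: skipped for NT domains (no sites)
        for server, site in dc.dra_servers:
            if site == client_site:
                return server, "same AD site as client"
    if not dc.dra_servers:
        return None, f"agent on {dc.name} lists no DRA server for this domain"
    return dc.dra_servers[0][0], "first server in the agent's list"   # step 4


# Constructed sample topology: two sites, one DC each, two DRA servers.
SAMPLE_DCS = [
    DomainController("DC-LONDON", "London", True,
                     [("DRA-NY", "NewYork"), ("DRA-LON", "London")]),
    DomainController("DC-NY", "NewYork", False),
]

if __name__ == "__main__":
    print(select_dra_server(SAMPLE_DCS, "London"))
    print(select_dra_server(SAMPLE_DCS, None))   # NT-style domain: no site step
```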

How does Multi-Master work in a Windows NT 4 domain?
Only the PDC can accept changes in Windows NT 4 domains. As a result, each DRA server configured to manage a Windows NT 4 domain will communicate with the PDC for all read and write operations. Otherwise, DRA Multi-Master capabilities are the same for both Windows NT and Windows 2000 domains.

Because all changes must be made to the PDC, what value does Multi-Master offer in a Windows NT environment?
Although changes to domain objects must be made to the PDC, DRA also manages resources on servers and workstations, and ExA manages Exchange mailboxes. When DRA is used to manage distributed resources and Exchange environments, using multiple DRA servers can minimize the amount of traffic that traverses constrained communication links. As in Windows 2000 domains, Multi-Master also provides real-time DRA fault tolerance.

During synchronization, does the DRA Primary server send a complete refresh of the security data or only the changes since the last replication?
A scheduled replication/synchronization will usually transfer less than a forced (full) replication because only those areas of the data that have changed are replicated. Therefore, a scheduled replication of an 'as-shipped' configuration can range from about 10 Kbytes to about 320 Kbytes.

During synchronization, does the DRA Primary server also update the domain cache on the secondary servers?
No. The replication/synchronization of DRA security data and the refresh of the domain cache on a server are independent operations.

Which protocols does replication/synchronization use?
The replication uses standard Win32 file APIs to transfer the data and standard DCOM to tell the Secondary servers to process the replicated data. These tasks are performed using the protocols that the customer has enabled on his network.


Additional Information

Formerly known as NETIQKB221