Q

How USNs and Invocation IDs ensure the latest Active Directory state

Active Directory sync is a delicate game -- any change could throw things off. USNs and Invocation IDs can help keep track of Active Directory state.

How do you ensure domain controllers maintain the latest Active Directory state?

Active Directory (AD) is not a static entity, but rather a dynamic data set -- residing on a domain controller within the data center -- which both enforces established rules and tracks the current state of users and systems throughout the network domain. Windows-based networks can accommodate more than one domain controller. Multiple domain controllers may be essential for larger, more complicated or physically segregated networks....

And changes in any domain controller instance are ultimately replicated to the other domain controllers within the network. It's a process known as multi-master replication.

However, there is a serious synchronization problem when changes can occur on any domain controller. AD relies on several elements to track changes and to ensure timely synchronization. The two most important elements are update sequence numbers (USNs) and Invocation IDs.

A USN is a 64-bit number that increments every time a change takes place on the domain controller (such as object creation, modification or deletion). The USN never decreases and is always unique, so domain controllers will never use the same USN at the same time. Unique USNs are better than a time stamp because it's almost impossible to keep clocks synchronized or account for latencies between network segments. Once the originating USN is incremented, the changes are replicated to other domain controllers, which will also increment corresponding USNs by the same amount.

Once AD changes are ready to be replicated, it's important to identify all of the domain controllers that must be updated. This uses two elements: globally unique identifiers (GUIDs), which are basically the static "name" of each domain controller, and an Invocation ID, which basically details the current "state" of any AD updates. For example, when a domain controller is restored, the Invocation ID is reset, so the other domain controllers will be sure to send any changes to the restored domain controller since the backup was taken. This is an important wrinkle. If the domain controller is restored improperly, the Invocation ID may not be reset to update the domain controller to match other domain controllers -- resulting in major AD replication problems for the enterprise.

There are other elements involved in AD replication that are used to determine the changes that are needed and that prevent unneeded replication that might consume vital network bandwidth (or even runaway replication cycles), but USNs and Invocation IDs are the most common data elements used to coordinate AD replication between domain controllers.

This was first published in August 2014

Dig deeper on Microsoft Active Directory Design and Administration

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close