
Endpoint Security Evolution

I was interested in what happens behind the scenes when one Domain Controller replicates to another, so I ran a packet capture of a replication cycle and walked through the traffic.

My test environment for this packet capture is a single forest, single domain environment with two DCs, both running Windows Server 2008 R2. On one DC, I created a new OU and several groups. The following packet data is from the replication from MetcorpOrgDC01.metcorp.org to MetcorpOrgDC02.metcorp.org (the new objects were created on DC01), so DC02 makes requests of DC01 and DC01 responds to DC02.

Here are the main packets from the Active Directory replication traffic flow (minus TCP data):

The capture groups into four kinds of traffic. The explanation for each kind is given once here; the packet flow below labels each group with the kind it belongs to.

    Microsoft RPC connection: DCE/RPC is a specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol. A DCE/RPC server's endpoint mapper (EPMAP) will listen for incoming calls. A client will call this endpoint mapper and ask for a specific interface, which will be accessed on a different connection. After that, the client can request calls to the server.

    Directory Replication Service (DsReplicaSync): The DsReplicaSync function synchronizes a destination naming context (NC) with one of its sources.

    Directory Replication Service (replication cycle): When a DC receives a DsReplicaSync request, then for each DC that it replicates from (stored in the RepsFrom data structure) it performs a replication cycle, where it behaves like a client and makes DsGetNCChanges requests to that DC. So it gets up-to-date AD objects from each of the DCs which it replicates from. This function implements a change propagation mechanism.

    Windows Time (NTP): Although the Windows Time service is not an exact implementation of the Network Time Protocol (NTP), it uses the complex suite of algorithms that is defined in the NTP specifications to ensure that clocks on computers throughout a network are as accurate as possible. Ideally, all computer clocks in an AD DS domain are synchronized with the time of an authoritative computer.

Packet flow, in capture order:

    Microsoft RPC connection
        DCERPC: Request: call_id 54 Fragment: Single opnum: 2 ctx_id: 1
        DCERPC: Response: call_id 54 Fragment: Single ctx_id: 1
        DCERPC: Alter_context: call_id: 55 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context: call_id: 55 Fragment: Single accept max_xmit: 5840 max_recv: 5840
    Directory Replication Service (DsReplicaSync)
        DRSUAPI: DsGetNCChanges request
    Microsoft RPC connection
        DCERPC: Request: call_id 55 Fragment: Single opnum: 2 ctx_id: 1
        DCERPC: Response: call_id 55 Fragment: 1st ctx_id: 1
        DCERPC: Alter_context: call_id: 56 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context: call_id: 56 Fragment: Single accept max_xmit: 5840 max_recv: 5840
    Directory Replication Service (DsReplicaSync)
        DRSUAPI: DsGetNCChanges response
    Microsoft RPC connection
        DCERPC: Bind: call_id 57 Fragment: Single, 2 context items, 1st DRSUAPI 4.0
        DCERPC: Bind_ack: Call_id: 57 Fragment: Single accept max_xmit: 5840 max_recv: 5840
        DCERPC: Alter_context: call_id: 57 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context: call_id: 57 Fragment: Single accept max_xmit: 5840 max_recv: 5840
    Directory Replication Service (replication cycle)
        DRSUAPI: DsReplicaSync request
        DRSUAPI: DsReplicaSync response
    Microsoft RPC connection
        DCERPC: Bind: call_id 56 Fragment: Single, 2 context items, 1st DRSUAPI 4.0
        DCERPC: Bind_ack: Call_id: 56 Fragment: Single accept max_xmit: 5840 max_recv: 5840
        DCERPC: Alter_context: call_id: 56 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context_resp: call_id: 56 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context: call_id: 56 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context_resp: call_id: 56 Fragment: Single DRSUAPI V4.0
    Directory Replication Service (DsReplicaSync)
        DRSUAPI: DsGetNCChanges request
        DRSUAPI: DsGetNCChanges response
    Windows Time (NTP)
        NTP: NTP Version 3, Symmetric active
        NTP: NTP Version 3, server (Peer Clock Stratum, Peer Polling Interval, Peer Clock Precision, Root Delay, Root Dispersion, Reference ID, Reference Timestamp, Origin Timestamp, Receive Timestamp, Transmit Timestamp, Key ID, Message Authentication Code)
    Microsoft RPC connection
        DCERPC: Bind: call_id 58 Fragment: Single, 2 context items, 1st DRSUAPI 4.0
        DCERPC: Bind_ack: Call_id: 58 Fragment: Single accept max_xmit: 5840 max_recv: 5840
        DCERPC: Alter_context: call_id: 58 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context_resp: call_id: 58 Fragment: Single DRSUAPI V4.0
        DRSUAPI: DsReplicaSync request
        DRSUAPI: DsReplicaSync response
        DCERPC: Alter_context: call_id: 57 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context_resp: call_id: 57 Fragment: Single DRSUAPI V4.0
    Directory Replication Service (DsReplicaSync)
        DRSUAPI: DsGetNCChanges request
        DRSUAPI: DsGetNCChanges response
    Microsoft RPC connection
        DCERPC: Bind: call_id 58 Fragment: Single, 2 context items, 1st DRSUAPI 4.0
        DCERPC: Bind_ack: Call_id: 58 Fragment: Single accept max_xmit: 5840 max_recv: 5840
        DCERPC: Alter_context: call_id: 58 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context_resp: call_id: 58 Fragment: Single DRSUAPI V4.0
    Directory Replication Service (replication cycle)
        DRSUAPI: DsReplicaSync request
        DRSUAPI: DsReplicaSync response
    Microsoft RPC connection
        DCERPC: Bind: call_id 59 Fragment: Single, 2 context items, 1st DRSUAPI 4.0
        DCERPC: Bind_ack: Call_id: 59 Fragment: Single accept max_xmit: 5840 max_recv: 5840
        DCERPC: Alter_context: call_id: 59 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context_resp: call_id: 59 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context: call_id: 59 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context_resp: call_id: 59 Fragment: Single DRSUAPI V4.0
    Directory Replication Service (DsReplicaSync)
        DRSUAPI: DsGetNCChanges request
        DRSUAPI: DsGetNCChanges response
    Windows Time (NTP)
        NTP: NTP Version 3, Symmetric active
        NTP: NTP Version 3, server (Peer Clock Stratum, Peer Polling Interval, Peer Clock Precision, Root Delay, Root Dispersion, Reference ID, Reference Timestamp, Origin Timestamp, Receive Timestamp, Transmit Timestamp, Key ID, Message Authentication Code)
    Directory Replication Service (replication cycle)
        DRSUAPI: DsReplicaSync request
        DRSUAPI: DsReplicaSync response
    Microsoft RPC connection
        DCERPC: Alter_context: call_id: 60 Fragment: Single DRSUAPI V4.0
        DCERPC: Alter_context_resp: call_id: 60 Fragment: Single DRSUAPI V4.0
    Directory Replication Service (DsReplicaSync)
        DRSUAPI: DsGetNCChanges request
        DRSUAPI: DsGetNCChanges response
    Windows Time (NTP)
        NTP: NTP Version 3, Symmetric active
        NTP: NTP Version 3, server (Peer Clock Stratum, Peer Polling Interval, Peer Clock Precision, Root Delay, Root Dispersion, Reference ID, Reference Timestamp, Origin Timestamp, Receive Timestamp, Transmit Timestamp, Key ID, Message Authentication Code)
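The flow above has a fixed shape: a DCE/RPC Bind or Alter_context that selects the DRSUAPI interface, then DsReplicaSync and DsGetNCChanges calls, and only another DC should ever be the client side of a DsGetNCChanges request. As an added example (not from the original post), the following Python parses summary lines in the shape shown above, recovers the call_ids that negotiated DRSUAPI, and flags DsGetNCChanges requests from hosts outside a DC allow-list. The source/destination prefix, the addresses and the allow-list are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of the summaries on this page, prefixed with
# hypothetical addresses: DC02 (10.0.0.12) pulls from DC01 (10.0.0.11). The
# last line is a constructed request from a host that is not a DC.
SAMPLE_LINES = [
    "10.0.0.12 -> 10.0.0.11 | DCERPC: Bind: call_id 57 Fragment: Single, 2 context items, 1st DRSUAPI 4.0",
    "10.0.0.11 -> 10.0.0.12 | DCERPC: Bind_ack: Call_id: 57 Fragment: Single accept max_xmit: 5840 max_recv: 5840",
    "10.0.0.12 -> 10.0.0.11 | DCERPC: Alter_context: call_id: 57 Fragment: Single DRSUAPI V4.0",
    "10.0.0.11 -> 10.0.0.12 | DCERPC: Alter_context_resp: call_id: 57 Fragment: Single DRSUAPI V4.0",
    "10.0.0.12 -> 10.0.0.11 | DRSUAPI: DsReplicaSync request",
    "10.0.0.11 -> 10.0.0.12 | DRSUAPI: DsReplicaSync response",
    "10.0.0.12 -> 10.0.0.11 | DRSUAPI: DsGetNCChanges request",
    "10.0.0.11 -> 10.0.0.12 | DRSUAPI: DsGetNCChanges response",
    "10.0.0.55 -> 10.0.0.11 | DRSUAPI: DsGetNCChanges request",
]
KNOWN_DCS = {"10.0.0.11", "10.0.0.12"}  # constructed allow-list of DC addresses

LINE_RE = re.compile(r"^(\S+) -> (\S+) \| (DCERPC|DRSUAPI): (\w+):?\s*(.*)$")
CALL_ID_RE = re.compile(r"call_id:?\s*(\d+)", re.IGNORECASE)  # "call_id 57" or "Call_id: 57"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # DCERPC (binding/transport) or DRSUAPI (replication call)
    op: str               # Bind, Alter_context, DsReplicaSync, DsGetNCChanges, ...
    call_id: Optional[int]
    detail: str           # remainder of the summary line

def parse_summary(line: str) -> Packet:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised summary: {line!r}")
    src, dst, proto, op, detail = m.groups()
    cid = CALL_ID_RE.search(detail)
    return Packet(src, dst, proto, op, int(cid.group(1)) if cid else None, detail)

def drsuapi_call_ids(packets: List[Packet]) -> List[int]:
    """call_ids whose Bind or Alter_context selected the DRSUAPI interface."""
    return sorted({p.call_id for p in packets
                   if p.proto == "DCERPC" and p.op in ("Bind", "Alter_context")
                   and "DRSUAPI" in p.detail and p.call_id is not None})

def getncchanges_from_non_dcs(packets: List[Packet], known_dcs=KNOWN_DCS) -> List[str]:
    """Sources of DsGetNCChanges requests that are not known DCs; a replication
    pull should only ever be issued by another domain controller."""
    return [p.src for p in packets
            if p.proto == "DRSUAPI" and p.op == "DsGetNCChanges"
            and p.detail.strip() == "request" and p.src not in known_dcs]
```

Run `getncchanges_from_non_dcs([parse_summary(l) for l in SAMPLE_LINES])` to get the offending source list; on the sample it is the constructed non-DC address only.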

References:

  • Microsoft RPC connection ()
  • Directory Replication Service:
  • Directory Replication Service:
