This Solution describes how the ARS Administration Service replicates with Active Directory (AD) using the DirSync Application Programming Interface (API), how it selects and validates the domain controller it uses for DirSync, and how that behaviour can be configured.
Note: Attached is a MS Word version of this article.
· The ARS Administration Service selects a DirSync domain controller (DC) on startup. Every operation, whether requested by a client or by the service's own internal logic, is forwarded to this DC. An ARS administrative user can direct ARS operations to a different DC with the Operational DC command in the ARS Snap-in or, in the Web Interface, with the "Change Operational DC" button on the Admin site (see below for how the DirSync DC itself is chosen and configured in the ARS MMC; refer to the ARS documentation for further details and instructions).
· Every 10 minutes the ARS Administration Service validates that the selected DirSync DC is still available. If the DC is found to be unavailable, the service selects another DC. Until that happens, every ARS session that does not specify an Operational DC receives an error when it attempts any operation in AD, so the managed domain can be unavailable for management for up to 10 minutes (the polling interval).
* How often does ARS receive DirSync notifications from the DC?
Answer: This is a configurable parameter (set via the registry). Out of the box it is every 2 seconds.
Changing domain controller (DirSync Server):
· If there is a domain controller in the same site as the ARS Administration Service and that DC becomes unavailable for some reason (for example, because it was restarted), the ARS Administration Service selects a DC from another site. Once the DC in its home site is available again, the ARS Service switches back to a DC in its home site.
· If there are multiple domain controllers in the same site as the ARS Administration Service, the service does not switch at random from one DC to another every 10 minutes. When a DC other than the current one is identified as the nearest DC, the ARS Service switches to the newly discovered DC only if that DC is in the home site and the current DC is located in another site; the service never switches between two available DCs in the same site.
· When the ARS Service switches to another DC, it does not reload the domain cache. Microsoft implemented the DirSync API in such a way that a client can switch to another DC and continue receiving and making changes in AD.
How the ARS Administration Service selects a DC:
· By default, the ARS Administration Service selects the nearest available domain controller within a managed domain. This behaviour can be configured per service and per domain. To configure it, use the "DirSync Servers" tab, either on the Managed Domain object property sheet (Configuration | Server Configuration | Managed Domains node in ARS) or on the service configuration object property sheet (Configuration | Server Configuration | Administration Services node: right-click the appropriate service and choose "Properties"). If you choose the "Only specified domain controller" option (select the service and click "Change") and that DC becomes unavailable, the ARS Service will not switch to another DC and the domain will be unavailable for management until that DC returns.
· To select a DC, the ARS Service calls the standard API function DsGetDcName, which locates the nearest DC for the domain. Depending on the DirSync DC settings described above, the call asks for the "nearest" domain controller either from a particular site or from any site within the domain. According to Microsoft, this function is backed by the Net Logon service, which collects and caches domain controller information, including the time required to reach each DC (ping time), and returns the most "optimal" DC to the caller, in this case the ARS Service.
For more information regarding DsGetDcName, please refer to the Microsoft documentation for that function.
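The following PowerShell is an added example, not code from the ARS product or its documentation. It calls DsGetDcName through P/Invoke so you can see, from the host running the ARS Administration Service, which DC the Net Logon locator returns for a domain, either from any site (the default ARS behaviour) or restricted to one named site. The domain and site names in the usage lines are placeholders; the flag values are the documented DsGetDC.h constants.

```powershell
# Added example, not from the ARS documentation or product: call DsGetDcName
# directly to see which DC the Net Logon locator hands back for a domain,
# either from any site (the default ARS behaviour) or from one named site.
$locatorSrc = @"
using System;
using System.Runtime.InteropServices;
public static class DcLocator
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct DOMAIN_CONTROLLER_INFO
    {
        public string DomainControllerName;
        public string DomainControllerAddress;
        public uint   DomainControllerAddressType;
        public Guid   DomainGuid;
        public string DomainName;
        public string DnsForestName;
        public uint   Flags;
        public string DcSiteName;
        public string ClientSiteName;
    }

    // DsGetDcNameW in netapi32.dll; returns ERROR_SUCCESS (0) or a Win32 error code.
    [DllImport("netapi32.dll", CharSet = CharSet.Unicode)]
    public static extern int DsGetDcName(string computerName, string domainName,
        IntPtr domainGuid, string siteName, uint flags, out IntPtr dcInfo);

    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
"@
Add-Type -TypeDefinition $locatorSrc

function Find-NearestDc {
    # Returns the DC that DsGetDcName considers nearest for $Domain.
    # -Site restricts the search to one site, mirroring a per-site choice on the
    # "DirSync Servers" tab; without it any site in the domain qualifies.
    param(
        [Parameter(Mandatory)] [string] $Domain,
        [string] $Site,
        [switch] $ForceRediscovery
    )
    # Flag values from the DsGetDcName documentation (DsGetDC.h).
    $DS_FORCE_REDISCOVERY          = 0x00000001
    $DS_DIRECTORY_SERVICE_REQUIRED = 0x00000010
    $DS_WRITABLE_REQUIRED          = 0x00001000
    $DS_TRY_NEXTCLOSEST_SITE       = 0x00040000
    $DS_RETURN_DNS_NAME            = 0x40000000

    $flags = $DS_DIRECTORY_SERVICE_REQUIRED -bor $DS_WRITABLE_REQUIRED -bor $DS_RETURN_DNS_NAME
    if ($ForceRediscovery) { $flags = $flags -bor $DS_FORCE_REDISCOVERY }   # bypass the Net Logon cache
    $siteArg = $null
    if ($Site) { $siteArg = $Site } else { $flags = $flags -bor $DS_TRY_NEXTCLOSEST_SITE }

    $buf = [IntPtr]::Zero
    $rc = [DcLocator]::DsGetDcName($null, $Domain, [IntPtr]::Zero, $siteArg, [uint32]$flags, [ref]$buf)
    if ($rc -ne 0) { throw "DsGetDcName($Domain, site='$Site') failed with Win32 error $rc" }
    try {
        $info = [System.Runtime.InteropServices.Marshal]::PtrToStructure($buf, [type][DcLocator+DOMAIN_CONTROLLER_INFO])
        [pscustomobject]@{
            DomainController = $info.DomainControllerName.TrimStart('\')
            DcSite           = $info.DcSiteName
            ClientSite       = $info.ClientSiteName
            InHomeSite       = ($info.DcSiteName -eq $info.ClientSiteName)   # false = cross-site fallback
        }
    } finally {
        [void][DcLocator]::NetApiBufferFree($buf)
    }
}

# Usage (domain and site names are placeholders):
# Find-NearestDc -Domain 'corp.example.com'
# Find-NearestDc -Domain 'corp.example.com' -Site 'Branch-01' -ForceRediscovery
```

Run it on the domain-joined host where the ARS Administration Service runs, because the "nearest" answer depends on that host's site and on its Net Logon cache. An `InHomeSite` of `$false` shows the cross-site fallback the bullets above describe; `nltest /dsgetdc:<domain>` exercises the same locator and is a quick way to cross-check the result.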
Validation of the domain controller:
· The ARS Administration Service uses the DsBind function to check the availability of a particular DC. The ARS Service checks the returned code, and if it is anything other than ERROR_SUCCESS the DC is considered unavailable.
· In some environments DsBind returns ERROR_SUCCESS even though the DC is not actually usable for Active Directory administration. A second check using the ADsOpenObject function was therefore added to double-check the DC status; if that call returns anything other than S_OK, the DC is considered unavailable.
· DsBind is part of the Domain Controller and Replication Management functions; for more information, please refer to the Microsoft documentation for that function.
· ADsOpenObject is part of the Active Directory Service Interfaces (ADSI) library; for more information, please refer to the Microsoft documentation for that function.
In summary, to check whether the DirSync domain controller is still available the ARS Service performs two tests:
* a DsBind call against the selected DirSync DC: http://msdn2.microsoft.com/en-us/library/ms675931.aspx
* an ADSI bind (GetObject / ADsOpenObject) to the selected DirSync DC
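The following PowerShell is an added example, not code from the ARS product or its documentation. It reproduces the two availability tests described above against a named DC: a DsBind call through P/Invoke, then an ADSI bind to that DC's RootDSE using System.DirectoryServices.DirectoryEntry, which performs its bind through ADsOpenObject internally. The host names in the usage line are placeholders.

```powershell
# Added example, not from the ARS documentation or product: reproduce the two
# availability tests the article describes (DsBind, then an ADSI bind) for a DC.
$dsSrc = @"
using System;
using System.Runtime.InteropServices;
public static class NtDsApi
{
    // DsBindW / DsUnBindW in ntdsapi.dll; DsBind returns ERROR_SUCCESS (0) on success.
    [DllImport("ntdsapi.dll", CharSet = CharSet.Unicode)]
    public static extern uint DsBind(string domainControllerName, string dnsDomainName, out IntPtr hDs);
    [DllImport("ntdsapi.dll")]
    public static extern uint DsUnBind(ref IntPtr hDs);
}
"@
Add-Type -TypeDefinition $dsSrc

function Test-DirSyncDc {
    # Applies both checks to one DC and reports which one failed, if any.
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $DomainController)
    process {
        $r = [ordered]@{
            DomainController = $DomainController
            DsBind           = $null   # Win32 code returned by DsBind; 0 = ERROR_SUCCESS
            AdsiBind         = $null   # 'S_OK' or the bind exception message
            Available        = $false
        }

        # Test 1: DsBind. Any code other than ERROR_SUCCESS means the DC is unavailable.
        $h = [IntPtr]::Zero
        $r.DsBind = [NtDsApi]::DsBind($DomainController, $null, [ref]$h)
        if ($r.DsBind -ne 0) { return [pscustomobject]$r }
        [void][NtDsApi]::DsUnBind([ref]$h)

        # Test 2: ADSI bind to RootDSE on this specific DC. DsBind can succeed on a
        # DC that still cannot serve directory operations; this is what catches it.
        try {
            $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/RootDSE")
            $rootDse.RefreshCache()          # forces the actual bind, DirectoryEntry is otherwise lazy
            $r.AdsiBind  = 'S_OK'
            $r.Available = $true
        } catch {
            $r.AdsiBind = $_.Exception.Message
        }
        [pscustomobject]$r
    }
}

# Usage (host names are placeholders): check each DC of the managed domain the
# way the service would at each polling interval.
# 'dc01.corp.example.com', 'dc02.corp.example.com' | Test-DirSyncDc
```

A DC that reports `DsBind` = 0 but a non-`S_OK` `AdsiBind` is exactly the case the second check was added for; if a DC you expect ARS to be using shows that pattern, the service will have treated it as unavailable and moved on at the next polling interval.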
This solution also applies to versions of ActiveRoles Server prior to ARS 6.0.0 (e.g., 5.2.x).