Chapter 1 Preparing for the Exchange Installation

RID master: One RID master role exists in each domain in the forest and is responsible for issuing blocks of relative identifiers (RIDs) to other domain controllers in the domain. This block of RIDs is known as the RID pool. When a domain controller runs low on RIDs in its RID pool, it makes a request to the RID master for another block of RIDs for its usage. Each object that exists within a domain has a unique security identifier (SID). This SID is composed of two parts: a domain RID (common throughout the domain) and a unique RID from the RID pool. These are combined to create a globally unique (within the forest) SID for that object. When the pool of RIDs has been exhausted on a domain controller, it will be unable to create new objects in the domain. Exchange Server 2007 creates several security principals during its installation and thus requires the usage of some RIDs from the RID pool of a domain controller.
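As an added illustration (not code from the book), the following Python splits a domain account SID into its domain identifier and RID, decodes a domain controller's rIDAllocationPool attribute into the block bounds the RID master issued, and attributes a SID to the DC that created it. The DC names and pool values are constructed; the 64-bit packing of rIDAllocationPool (low 32 bits = first RID, high 32 bits = last RID) and the sequential consumption of a block are stated assumptions.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample data (not from the page): two domain controllers and the RID
# blocks the RID master issued to each, as stored in the DC's rIDAllocationPool.
# Assumed packing: low 32 bits = first RID of the block, high 32 bits = last RID.
def pack_pool(first_rid: int, last_rid: int) -> int:
    return (last_rid << 32) | first_rid

SAMPLE_POOLS = {
    "DC01": pack_pool(1100, 1599),
    "DC02": pack_pool(1600, 2099),
}

# Domain account SIDs: S-1-5-21-<three 32-bit sub-authorities>-<RID>.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid: str) -> Tuple[str, int]:
    """Split a domain account SID into (domain identifier, RID)."""
    m = SID_RE.match(sid)
    if m is None:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))

def decode_pool(pool: int) -> Tuple[int, int]:
    """Unpack a rIDAllocationPool value into (first_rid, last_rid)."""
    return pool & 0xFFFFFFFF, pool >> 32

def issuing_dc(sid: str, pools: Dict[str, int]) -> Optional[str]:
    """Return the DC whose RID block contains this SID's RID, or None when the
    RID lies outside every known block (a well-known RID such as 500, or a
    block this map does not know about)."""
    _, rid = split_sid(sid)
    for dc, pool in pools.items():
        first_rid, last_rid = decode_pool(pool)
        if first_rid <= rid <= last_rid:
            return dc
    return None

def block_consumed(pool: int, highest_rid_seen: int) -> float:
    """Estimate the fraction of a DC's block already used from the highest RID
    observed in it (assumes the DC hands out RIDs from the block in order)."""
    first_rid, last_rid = decode_pool(pool)
    if not first_rid <= highest_rid_seen <= last_rid:
        raise ValueError("RID is not inside this block")
    return (highest_rid_seen - first_rid + 1) / (last_rid - first_rid + 1)
```

A block nearing 100% consumption on a DC that cannot reach the RID master is the exhaustion case the text describes, after which that DC can no longer create new security principals.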
Replication

Although I've mentioned replication in Active Directory several times, I have not yet properly discussed it. I'll remedy that situation now before moving into the next section of this chapter.

Replication is the process by which all domain controllers in a domain or forest pass changes to other domain controllers and thus update their copies of the specific Active Directory partitions they hold as they themselves receive replication updates from other domain controllers. Because changes occur almost constantly across multiple domain controllers within a forest, the replication used for Active Directory is referred to as loosely consistent, meaning that not every domain controller in the forest with a certain partition will have the same information at any time. However, over time, convergence occurs as all domain controllers receive and pass replication updates and the partitions that they hold become closer to matching exactly. In a production environment with multiple domain controllers, complete convergence is almost impossible to achieve, but that rarely poses a problem. Administrators with the appropriate permissions can always manually trigger replication to be performed between domain controllers, so important changes can be forced to replicate if normal replication schedules are not appropriate at the time, which is typically a problem only when dealing with intersite replication.

Given that Active Directory uses sites to map the Active Directory network to that of the physical network, replication thus occurs differently between sites (intersite replication) than it does between domain controllers in the same site (intrasite replication). Intersite replication is designed to have the minimum possible impact on the typically slower wide area network (WAN) links that commonly separate the physical locations that Active Directory sites represent. As such, the replication traffic is highly compressed and also occurs on a schedule that is configured on the site link object that is created to logically connect two Active Directory sites. Thus, changes made on a domain controller in Site A will not be sent to a domain controller in Site B until the next scheduled replication time based on the replication interval and allowable replication times that were configured. Conversely, intrasite replication occurs almost immediately after a change has been made to some bit of Active Directory information. The domain controller that the change is made on will wait 15 seconds (to account for any additional changes) and then will begin replicating its changes to