S 2.409 Planning of partitioning and replication in the directory service
Initiation responsibility: IT Security Officer, Head of IT
Implementation responsibility: Head of IT, Administrator
A scalable directory service offers you the ability to divide parts of the directory database into partitions and distribute them across different directory service servers. This reduces the average access time, since under certain circumstances search queries only need to span a specific partition rather than the entire directory tree. In addition, partitioning increases reliability: if one server fails, only the partitions located on that server are affected, not the entire directory database. Furthermore, partitioning allows the data to be distributed among correspondingly secure servers according to a previously defined classification scheme.
When planning the partitions, it is necessary to take the partition rules defined by the directory service into account. In turn, partitions can contain sub-partitions, which need to be created according to the rules specified.
In addition to the mechanism of partitioning the directory tree, directory services also offer you the ability to replicate parts of the directory tree on other directory service servers. In directory service terminology, the replicated areas are referred to as replicas or reproductions. When planning a replication mechanism, it is especially necessary to perform an analysis of the network traffic to be expected in order to determine the bandwidth requirements for the communication connections or to design the topology of the replicas based on prescribed network parameters.
When planning the partitions, the following aspects should be taken into consideration:
- Consideration of the protection requirements: The information to be stored in the directory should be classified according to its protection requirements. The objects should then be distributed among correspondingly secure servers based on this classification. It must be ensured in this case that objects containing information requiring protection such as cryptographic keys are moved to adequately protected servers.
- Required availability of the directory service: A sufficient number of replicas of the directory data must be created on the directory service servers to improve load distribution.
- Distribution of the administrative tasks: So that the separation of the data storage is accompanied by a division of administrative roles, the administrative tasks should be distributed between individual partitions.
- Directory service rules for partitioning: The rules for the partitioning of the directory service must be specified and complied with. The most important rules in this case include the following:
  - Every partition must start hierarchically with a single container object.
  - The partition must contain a connected sub-tree of the directory service tree.
  - The various partitions must not overlap anywhere.
  - The name of the partition must be the Fully Qualified Distinguished Name (FQDN) of the root object of the partition.
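One way to check a partition plan against the partitioning rules and the protection-requirement criterion listed above, as an added example that is not part of the original safeguard text. The DNs, server names, numeric protection levels and the `parent` and `check_plan` helpers are assumptions made for illustration.

```python
# Added example; DNs, servers and protection levels are constructed sample data.
def parent(dn):
    """Parent DN. Assumes RDNs contain no escaped commas."""
    return dn.split(",", 1)[1] if "," in dn else None

def check_plan(objects, partitions, placement, server_level):
    """objects: dn -> (is_container, required protection level)
    partitions: partition name -> set of member DNs
    placement: partition name -> servers holding the partition or a replica
    server_level: server -> protection level the server provides
    Returns the sorted list of violations (empty if the plan is consistent)."""
    errors, owner = [], {}
    for name, members in partitions.items():
        # A connected subtree has exactly one member whose parent lies outside it.
        tops = sorted(dn for dn in members if parent(dn) not in members)
        if len(tops) != 1:
            errors.append(f"{name}: not a single connected subtree, tops={tops}")
        else:
            if not objects[tops[0]][0]:
                errors.append(f"{name}: root {tops[0]} is not a container object")
            if name != tops[0]:
                errors.append(f"{name}: name differs from root DN {tops[0]}")
        for dn in sorted(members):
            if dn in owner:  # partitions must not overlap
                errors.append(f"{dn}: in both {owner[dn]} and {name}")
            owner[dn] = name
            for srv in placement.get(name, []):
                if server_level[srv] < objects[dn][1]:
                    errors.append(f"{dn}: needs level {objects[dn][1]}, {srv} offers {server_level[srv]}")
    return sorted(errors)

ROOT, STAFF, KEYS = "o=example", "ou=staff,o=example", "ou=keys,o=example"
ALICE, CA_KEY = "cn=alice,ou=staff,o=example", "cn=ca-key,ou=keys,o=example"
OBJECTS = {ROOT: (True, 1), STAFF: (True, 1), ALICE: (False, 1),
           KEYS: (True, 3), CA_KEY: (False, 3)}
SERVER_LEVEL = {"ds1": 1, "ds2": 3}
GOOD_PARTITIONS = {ROOT: {ROOT, STAFF, ALICE}, KEYS: {KEYS, CA_KEY}}
GOOD_PLACEMENT = {ROOT: ["ds1", "ds2"], KEYS: ["ds2"]}
# Constructed faulty plan: a gap in the subtree, an overlap, a wrong name, a weak server.
BAD_PARTITIONS = {ROOT: {ROOT, ALICE}, STAFF: {STAFF, ALICE}, "keys": {KEYS, CA_KEY}}
BAD_PLACEMENT = {"keys": ["ds1"]}

if __name__ == "__main__":
    for problem in check_plan(OBJECTS, BAD_PARTITIONS, BAD_PLACEMENT, SERVER_LEVEL):
        print(problem)
```
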
The following points must be taken into account when planning replication:
- The specifications regarding the number of replications to be generated must be derived from the availability and reliability requirements placed on the directory service.
- The load distribution planning is based on the required system performance.
- It must be decided whether additional security can be gained by defining filters for replications.
The additional security provided lies primarily in the ability to separate the data storage according to the data classification specified in advance. This allows you to implement the basic principle of only allowing a directory service server to store the data that it actually "needs" (and/or which the users or applications accessing the data actually need).
The performance of the system can suffer when replication is configured incorrectly. If the data searched for is not available or cannot be found on a directory service server because it is being hidden by corresponding filter rules, then the search for the data will continue in the background (provided that this is permitted). Therefore, a filter rule configuration that does not meet the actual needs may then have adverse effects on the performance of the system.
The exact contexts of the servers containing partitions or replications must be taken into account. If the structure is too flat, then it will be necessary to expend greater effort internally for replication. Furthermore, individual servers not available at a given time will result in corresponding status messages on all other directory service servers contained in this replication.
Review questions:
- Were the availability and the protection requirements of the directory service taken into account while partitioning?
- Is there enough bandwidth available to generate the replications in a timely manner?