How Active Directory Replication Topology Works
How Active Directory Replication Topology Works
How Active Directory Replication Topology Works
Topology Works
How Active Directory Replication Topology Works
In this section
Replication Transports
Related Information
Active Directory implements a replication topology that takes advantage of the network speeds within sites, which are ideally configured to be equivalent to local area network (LAN) connectivity (network speed of 10 megabits
per second [Mbps] or higher). The replication topology also minimizes the use of potentially slow or expensive wide area network (WAN) links between sites.
Note
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows
Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD
DS). The rest of this topic refers to Active Directory, but the information is also applicable to AD DS.
When you create a site object in Active Directory, you associate one or more Internet Protocol (IP) subnets with the site. Each domain controller in a forest is associated with an Active Directory site. A client workstation is
associated with a site according to its IP address; that is, each IP address maps to one subnet, which in turn maps to one site.
Active Directory uses sites to:
Optimize replication for speed and bandwidth consumption between domain controllers.
Locate the closest domain controller for client logon, services, and directory searches.
Direct a Distributed File System (DFS) client to the server that is hosting the requested data within the site.
Replicate the system volume (SYSVOL), a collection of folders in the file system that exists on each domain controller in a domain and is required for implementation of Group Policy.
The ideal environment for replication topology generation is a forest that has a forest functional level of at least Windows Server 2003. In this case, replication topology generation is faster and can accommodate more sites and
domains than occurs when the forest has a forest functional level of Windows 2000. When at least one domain controller in each site is running Windows Server 2003, more domain controllers in each site can be used to replicate
changes between sites than when all domain controllers are running Windows 2000 Server.
In addition, replication topology generation requires the following conditions:
A Domain Name System (DNS) infrastructure that manages the name resolution for domain controllers in the forest. Active Directory–integrated DNS is assumed, wherein DNS zone data is stored in Active
Directory and is replicated to all domain controllers that are DNS servers.
All physical locations that are represented as site objects in Active Directory have LAN connectivity.
IP connectivity is available between each site and all sites in the same forest that host operations master roles.
Domain controllers meet the hardware requirements for Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows
Server 2003, Datacenter Edition.
The appropriate number of domain controllers is deployed for each domain that is represented in each site.
This section covers the replication components that create the replication topology and how they work together, plus the mechanisms and rationale for routing replication traffic between domain controllers in the same site and
in different sites.
The KCC uses only RPC to communicate with the directory service. The KCC does not use Lightweight Directory Access Protocol (LDAP).
One domain controller in each site is selected as the Intersite Topology Generator (ISTG). To enable replication across site links, the ISTG automatically designates one or more servers to perform site-to-site replication. These
servers are called bridgehead servers. A bridgehead is a point where a connection leaves or enters a site.
The ISTG creates a view of the replication topology for all sites, including existing connection objects between all domain controllers that are acting as bridgehead servers. The ISTG then creates inbound connection objects for
servers in its site that it determines will act as bridgehead servers and for which connection objects do not already exist. Thus, the scope of operation for the KCC is the local server only, and the scope of operation for the ISTG is
a single site.
Each KCC has the following global knowledge about objects in the forest, which it gets by reading objects in the Sites container of the configuration directory partition and which it uses to generate a view of the replication
topology:
Sites
Servers
Site links
Detailed information about these configuration components and their functionality is provided later in this section.
The following diagram shows the KCC architecture on servers in the same forest in two sites.
KCC Architecture and Processes
The architecture and process components in the preceding diagram are described in the following table.
KCC Architecture and Process Components
Component Description
Knowledge The application running on each domain controller that communicates directly with
Consistency the Ntdsa.dll to read and write replication objects.
Checker (KCC)
Directory System The directory service component that runs as Ntdsa.dll on each domain controller,
Agent (DSA) providing the interfaces through which services and processes such as the KCC gain
access to the directory database.
Extensible Storage The directory service component that runs as Esent.dll. ESE manages the tables of
Engine (ESE) records, each with one or more columns. The tables of records comprise the directory
database.
Remote procedure The Directory Replication Service (Drsuapi) RPC protocol, used to communicate
call (RPC) replication status and topology to a domain controller. The KCC also uses this
protocol to communicate with other KCCs to request error information when building
the replication topology.
Intersite Topology The single KCC in a site that manages intersite connection objects for the site.
Generator (ISTG)
The four servers in the preceding diagram create identical views of the servers in their site and generate connection objects on the basis of the current state of Active Directory data in the configuration directory partition. In
addition to creating its view of the servers in its respective site, the KCC that operates as the ISTG in each site also creates a view of all servers in all sites in the forest. From this view, the ISTG determines the connections to create
on the bridgehead servers in its own site.
Note
A connection requires two endpoints: one for the destination domain controller and one for the source domain controller. Domain controllers creating an intrasite topology always use themselves as the
destination end point and must consider only the endpoint for the source domain controller. The ISTG, however, must identify both endpoints in order to create connection objects between two other servers.
Thus, the KCC creates two types of topologies: intrasite and intersite. Within a site, the KCC creates a ring topology by using all servers in the site. To create the intersite topology, the ISTG in each site uses a view of all
bridgehead servers in all sites in the forest. The following diagram shows a high-level generalization of the view that the KCC sees of an intrasite ring topology and the view that the ISTG sees of the intersite topology. Lines
between domain controllers within a site represent inbound and outbound connections between the servers. The lines between sites represent configured site links. Bridgehead servers are represented as BH.
KCC and ISTG Views of Intrasite and Intersite Topology
Active Directory runs as part of the LSA, which manages authentication packages and authenticates users and services.
Minimum and Maximum KCC Generation Times for Domain-Site Combinations
By default, the replication topology is managed automatically and optimizes existing connections. However, manual connections created by an administrator are not modified or optimized.
Connect Directory Partition Replicas
The total replication topology is actually composed of several underlying topologies, one for each directory partition. In the case of the schema and configuration directory partitions, a single topology is created. The underlying
topologies are merged to form the minimum number of connections that are required to replicate each directory partition between all domain controllers that store replicas. Where the connections for directory partitions are
identical between domain controllers — for example, two domain controllers store the same domain directory partition — a single connection can be used for replication of updates to the domain, schema, and configuration
directory partitions.
A separate replication topology is also created for application directory partitions. However, in the same manner as schema and configuration directory partitions, application directory partitions can use the same topology as
domain directory partitions. When application and domain directory partitions are common to the source and destination domain controllers, the KCC does not create a separate connection for the application directory partition.
A separate topology is not created for the partial replicas that are stored on global catalog servers. The connections that are needed by a global catalog server to replicate each partial replica of a domain are part of the topology
that is created for each domain.
The routes for the following directory partitions or combinations of directory partitions are aggregated to arrive at the overall topology:
Replication transport protocols determine the manner in which replication data is transferred over the network media. Your network environment and server configuration dictates the transports that you can use. For more
information about transports, see “Replication Transports” later in this section.
Control Replication Latency and Cost
Replication latency is inherent in a multimaster directory service. A period of replication latency begins when a directory update occurs on an originating domain controller and ends when replication of the change is received on
the last domain controller in the forest that requires the change. Generally, the latency that is inherent in a WAN link is relative to a combination of the speed of the connection and the available bandwidth. Replication cost is an
administrative value that can be used to indicate the latency that is associated with different replication routes between sites. A lower-cost route is preferred by the ISTG when generating the replication topology.
Site topology is the topology as represented by the physical network: the LANs and WANs that connect domain controllers in a forest. The replication topology is built to use the site topology. The site topology is represented in
Active Directory by site objects and site link objects. These objects influence Active Directory replication to achieve the best balance between replication speed and the cost of bandwidth utilization by distinguishing between
replication that occurs within a site and replication that must span sites. When the KCC creates replication connections between domain controllers to generate the replication topology, it creates more connections between
domain controllers in the same site than between domain controllers in different sites. The results are lower replication latency within a site and less replication bandwidth utilization between sites.
Within sites, replication is optimized for speed as follows:
Connections between domain controllers in the same site are always arranged in a ring, with possible additional connections to reduce latency.
Replication within a site is triggered by a change notification mechanism when an update occurs, moderated by a short, configurable delay (because groups of updates frequently occur together).
Data is sent uncompressed, and thus without the processing overhead of data compression.
Between sites, replication is optimized for minimal bandwidth usage (cost) as follows:
Store-and-forward replication makes efficient use of WAN links — each update crosses an expensive link only once.
Replication occurs at intervals that you can schedule so that use of expensive WAN links is managed.
The intersite topology is a layering of spanning trees (one intersite connection between any two sites for each directory partition) and generally does not contain redundant connections.
LAN connectivity assumes high-speed, inexpensive bandwidth that allows similar and reliable network performance, regardless of which two computers in the site are communicating. This quality of connectivity
does not indicate that all servers in the site must be on the same network segment or that hop counts between all servers must be identical. Rather, it is the measure by which you know that if a large amount of
data needs to be copied from one server to another, it does not matter which servers are involved. If you find that you are concerned about such situations, consider creating another site.
When you create subnet objects in Active Directory, you associate them with site objects so that IP addresses can be localized according to sites. During the process of domain controller location, subnet information is used to
find a domain controller in the same site as, or the site closest to, the client computer. The Net Logon service on a domain controller is able to identify the site of a client by mapping the client’s IP address to a subnet object in
Active Directory. Likewise, when a domain controller is installed, its server object is created in the site that contains the subnet that maps to its IP address.
You can use Active Directory Sites and Services to define subnets, and then create a site and associate the subnets with the site. By default, only members of the Enterprise Admins group have the right to create new sites,
although this right can be delegated.
In a default Active Directory installation, there is no default subnet object, so potentially a computer can be in the forest but have an IP subnet that is not contained in any site. For private networks, you can specify the network
addresses that are provided by the Internet Assigned Numbers Authority (IANA). By definition, that range covers all of the subnets for the organization. However, where several class B or class C addresses are assigned, there
would necessarily be multiple subnet objects that all mapped to the same default site.
To accommodate this situation, use the following subnets:
Note
The Active Directory Sites and Services MMC snap-in neither checks nor enforces IP address mapping when you move a server object to a different site. You must manually change the IP address on the domain
controller to ensure proper mapping of the IP address to a subnet in the appropriate site.
Server Objects
Server objects (class server) represent server computers, including domain controllers, in the configuration directory partition. When you install Active Directory, the installation process creates a server object in the Servers
container within the site to which the IP address of the domain controller maps. There is one server object for each domain controller in the site.
A server object is distinct from the computer object that represents the computer as a security principal. These objects are in separate directory partitions and have separate globally unique identifiers (GUIDs). The computer
object represents the domain controller in the domain directory partition; the server object represents the domain controller in the configuration directory partition. The server object contains a reference to the associated
computer object.
The server object for the first domain controller in the forest is created in the Default-First-Site-Name site. When you install Active Directory on subsequent servers, if no other sites are defined, server objects are created in
Default-First-Site-Name. If other sites have been defined and subnet objects have been associated with these sites, server objects are created as follows:
If additional sites have been defined in Active Directory and the IP address of the installation computer matches an existing subnet in a defined site, the domain controller is added to that site.
If additional sites have been defined in Active Directory and the new domain controller's IP address does not match an existing subnet in one of the defined sites, the new domain controller's server object is
created in the site of the source domain controller from which the new domain controller receives its initial replication.
When Active Directory is removed from a server, its NTDS Settings object is deleted from Active Directory, but its server object remains because the server object might contain objects other than NTDS Settings. For example,
when Microsoft Operations Manager or Message Queuing is running on a domain controller, these applications create child objects beneath the server object.
NTDS Settings Objects
The NTDS Settings object (class nTDSDSA) represents an instantiation of Active Directory on that server and distinguishes a domain controller from other types of servers in the site or from decommissioned domain controllers.
For a specific server object, the NTDS Settings object contains the individual connection objects that represent the inbound connections from other domain controllers in the forest that are currently available to send changes to
this domain controller.
Note
The hasMasterNCs multivalued attribute (where “NC” stands for “naming context,” a synonym for “directory partition”) of an NTDS Settings object contains the distinguished names for the set of writable (non-global-catalog)
directory partitions that are located on that domain controller, as follows:
DC=Configuration,DC=ForestRootDomainName
DC=Schema,DC=Configuration,DC=ForestRootDomainName
DC=DomainName,DC=ForestRootDomainName
The msDSHasMasterNCs attribute is new attribute introduced in Windows Server 2003, and this attribute of the NTDS Settings object contains values for the above-named directory partitions as well as any application directory
partitions that are stored by the domain controller. Therefore, on domain controllers that are DNS servers and use Active Directory–integrated DNS zones, the following values appear in addition to the default directory partitions:
Applications that need to retrieve the list of all directory partitions that are hosted by a domain controller can be updated or written to use the msDSHasMasterNCs attribute. Applications that need to retrieve only domain
directory partitions can continue to use thehasMasterNCs attribute.
For more information about these attributes, see Active Directory in the Microsoft Platform SDK on MSDN.
Connection Objects
A connection object (class nTDSConnection) defines a one-way, inbound route from one domain controller (the source) to the domain controller that stores the connection object (the destination). The KCC uses information in
cross-reference objects to create the appropriate connection objects, which enable domain controllers that store the same directory partitions to replicate with each other. The KCC creates connections for every server object in
the Sites container that has an NTDS Settings object.
The connection object is a child of the replication destination’s NTDS Settings object, and the connection object references the replication source domain controller in the fromServer attribute on the connection object — that is,
it represents the inbound half of a connection. The connection object contains a replication schedule and specifies a replication transport. The connection object schedule is derived from the site link schedule for intersite
connections. For more information about intersite connection schedules, see “Connection Object Schedule” later in this section.
A connection is unidirectional; a bidirectional replication connection is represented as two inbound connection objects. The KCC creates one connection object under the NTDS Settings object of each server that is used as an
endpoint for the connection.
Connection objects are created in two ways:
Manually by a directory administrator by using Active Directory Sites and Services, ADSI Edit, or scripts.
Intersite connection objects are created by the KCC that has the role of intersite topology generator (ISTG) in the site. One domain controller in each site has this role, and the ISTG role owners in all sites use the same algorithm
to collectively generate the intersite replication topology.
Ownership of Connection Objects
Connections that are created automatically by the KCC are “owned” by the KCC. If you create a new connection manually, the connection is not owned by the KCC. If a connection object is not owned by the KCC, the KCC does
not modify it or delete it.
Note
One exception to this modification rule is that the KCC automatically changes the transport type of an administrator-owned connection if the transportType attribute is set incorrectly (see “Transport Type”
later in this section).
However, if you modify a connection object that is owned by the KCC (for example, you change the connection object schedule), the ownership of the connection depends on the application that you use to make the change:
If you use an LDAP editor such as Ldp.exe or Adsiedit.msc to change a connection object property, the KCC reverses the change the next time it runs.
If you use Active Directory Sites and Services to change a connection object property, the object is changed from automatic to manual and the KCC no longer owns it. The UI indicates the ownership status of
each connection object.
In most Active Directory deployments, manual connection objects are not needed.
If you create a connection object, it remains until you delete it, but the KCC will automatically delete duplicate KCC-owned objects if they exist and will continue to create needed connections. Ownership of a connection object
does not affect security access to the object; it determines only whether the KCC can modify or delete the object.
Note
If you create a new connection object that duplicates one that the KCC has already created, your duplicate object is created and the KCC-created object is deleted by the KCC the next time it runs.
Interruption of the service of key domain controllers, such as the primary domain controller (PDC) emulator, global catalog servers, or bridgehead servers.
Domain controllers that are too busy to replicate in a timely manner (too few domain controllers).
For problems such as these, creating a manual connection does not improve replication latency. Adjusting the scheduling and costs that are assigned to the site link is the best way to influence intersite topology.
Site Link Objects
For a connection object to be created on a destination domain controller in one site that specifies a source domain controller in another site, you must manually create a site link object (class siteLink) that connects the two sites.
Site link objects identify the transport protocol and scheduling required to replicate between two or more sites. You can use Active Directory Sites and Services to create the site links. The KCC uses the information stored in the
properties of these site links to create the intersite topology connections.
A site link is associated with a network transport by creating the site link object in the appropriate transport container (either IP or SMTP). All intersite domain replication must use IP site links. The Simple Mail Transfer Protocol
(SMTP) transport can be used for replication between sites that contain domain controllers that do not host any common domain directory partition replicas.
Site Link Properties
A site link specifies the following:
Two or more sites that are permitted to replicate with each other.
An administrator-defined cost value associated with that replication path. The cost value controls the route that replication takes, and thus the remote sites that are used as sources of replication information.
An interval that determines how frequently replication occurs over this site link during the times when the schedule allows replication.
For more information about site link properties, see “Site Link Settings and Their Effects on Intersite Replication” later in this section.
Default Site Link
When you install Active Directory on the first domain controller in the forest, an object named DEFAULTIPSITELINK is created in the Sites container (in the IP container within the Inter-Site Transports container). This site link
contains only one site, Default-First-Site-Name.
Site Link Bridging
By default, site links for the same IP transport that have sites in common are bridged, which enables the KCC to treat the set of associated site links as a single route. If you categorically do not want the KCC to consider some
routes, or if your network is not fully routed, you can disable automatic bridging of all site links. When this bridging is disabled, you can create site link bridge objects and manually add site links to a bridge. For more information
about using site link bridges, see “Bridging Site Links Manually” later in this section.
NTDS Site Settings Object
NTDS Site Settings objects (class nTDSSiteSettings) identify site-wide settings in Active Directory. There is one NTDS Site Settings object per site in the Sites container. NTDS Site Settings attributes control the following features
and conditions:
The identity of the ISTG role owner for the site. The KCC on this domain controller is responsible for identifying bridgehead servers. For more information about this role, see “Automated Intersite Topology
Generation” later in this section.
Whether domain controllers in the site cache membership of universal groups and the site in which to find a global catalog server for creating the cache.
The default schedule that applies to connection objects. For more information about this schedule, see “Connection Object Schedule” later in this section.
Note
o To allow for the possibility of network failure, which might cause one or more notifications to be missed, a default schedule of once per hour is applied to replication within a site. You do not
need to manage this schedule.
Cross-Reference Objects
Cross-reference objects (class crossRef) store the location of directory partitions in the Partitions container (CN=Partitions,CN=Configuration,DC=ForestRootDomainName). The contents of the Partitions container are not visible
by using Active Directory Sites and Services, but can be viewed by using Adsiedit.msc to view the Configuration directory partition.
Active Directory replication uses cross-reference objects to locate the domain controllers that store each directory partition. A cross-reference object is created during Active Directory installation to identify each new directory
partition that is added to the forest. Cross-reference objects store the identity (nCName, the distinguished name of the directory partition where “NC” stands for “naming context,” a synonym for “directory partition”) and
location (dNSRoot, the DNS domain where servers that store the particular directory partition can be reached) of each directory partition.
Note
Starting in Windows Server 2003 Active Directory, a special attribute of the cross-reference object, msDS-NC-Replica-Locations, identifies application directory partitions to the replication system. For more
information about how application directory partitions are replicated, see “Topology Generation Phases” later in this section.
Replication Transports
Replication transports provide the wire protocols that are required for data transfer. There are three levels of connectivity for replication of Active Directory information:
Replication between sites can use either RPC over IP or SMTP over IP.
Replication between sites over SMTP is supported for only domain controllers of different domains. Domain controllers of the same domain must replicate by using the RPC over IP transport. Therefore,
replication between sites over SMTP is supported for only schema, configuration, and global catalog replication, which means that domains can span sites only when point-to-point, synchronous RPC is
available between sites.
The Inter-Site Transports container provides the means for mapping site links to the transport that the link uses. When you create a site link object, you create it in either the IP container (which associates the site link with the
RPC over IP transport) or the SMTP container (which associates the site link with the SMTP transport).
For the IP transport, a typical site link connects only two sites and corresponds to an actual WAN link. An IP site link connecting more than two sites might correspond to an asynchronous transfer mode (ATM) backbone that
connects, for example, more than two clusters of buildings on a large campus or connects several offices in a large metropolitan area that are connected by leased lines and IP routers.
Synchronous and Asynchronous Communication
The RPC intersite and intrasite transport (RCP over IP within sites and between sites) and the SMTP intersite transport (SMTP over IP between sites only) correspond to synchronous and asynchronous communication methods,
respectively. Synchronous communication favors fast, available connections, while asynchronous communication is better suited for slow or intermittent connections.
Synchronous Replication Over IP
The IP transport (RPC over IP) provides synchronous inbound replication. In the context of Active Directory replication, synchronous communication implies that after the destination domain controller sends the request for data,
it waits for the source domain controller to receive the request, construct the reply, and send the reply before it requests changes from any other domain controllers; that is, inbound replication is sequential. Thus in synchronous
transmission, the reply is received within a short time. The IP transport is appropriate for linking sites in fully routed networks.
Asynchronous Replication Over SMTP
The SMTP transport (SMTP over IP) provides asynchronous replication. In asynchronous replication, the destination domain controller does not wait for the reply and it can have multiple asynchronous requests outstanding at any
particular time. Thus in asynchronous transmission, the reply is not necessarily received within a short time. Asynchronous transport is appropriate for linking sites in networks that are not fully routed and have particularly slow
WAN links.
Note
Although asynchronous replication can send multiple replication requests in parallel, the received replication packets are queued on the destination domain controller and the changes applied for only one
partner and directory partition at a time.
Replication Queue
Suppose a domain controller has five inbound replication connections. As the domain controller formulates change requests, either by a schedule being reached or from a notification, it adds a work item for each request to the
end of the queue of pending synchronization requests. Each pending synchronization request represents one <source domain controller, directory partition> pair, such as “synchronize the schema directory partition from DC1,”
or “delete the ApplicationX directory partition.”
When a work item has been received into the queue, notification and polling intervals do not apply — the domain controller processes the item (begins synchronizing from that source) as soon as the item reaches the front of
the queue, and continues until either the destination is fully synchronized with the source domain controller, an error occurs, or the synchronization is pre-empted by a higher-priority operation.
SMTP Intersite Replication
When sites are on opposite ends of a WAN link (or the Internet), it is not always desirable — or even possible — to perform synchronous, RPC-based directory replication. In some cases, the only method of communication
between two sites is e-mail. When connectivity is intermittent or when end-to-end IP connectivity is not available (an intermediate site does not support RPC/IP replication), replication must be possible across asynchronous,
store-and-forward transports such as SMTP.
In addition, where bandwidth is limited, it can be disadvantageous to force an entire replication cycle of request for changes and transfer of changes between two domain controllers to complete before another can begin (that
is, to use synchronous replication). With SMTP, several cycles can be processing simultaneously so that each cycle is being processed to some degree most of the time, as opposed to receiving no attention for prolonged periods,
which can result in RPC time-outs.
For intersite replication, SMTP replication substitutes mail messaging for the RPC transport. The message syntax is the same as for RPC-based replication. There is no change notification for SMTP–based replication, and
scheduling information for the site link object is used as follows:
By default, SMTP replication ignores the Replication Available and Replication Not Available settings on the site link schedule in Active Directory Sites and Services (the information that indicates when these
sites are connected). Replication occurs according to the messaging system schedule.
Within the scope of the messaging system schedule, SMTP replication uses the replication interval that is set on the SMTP site link to indicate how often the server requests changes. The interval (Replicate
every ____ minutes) is set in 15-minute increments on theGeneral tab in site link Properties in Active Directory Sites and Services.
The underlying SMTP messaging system is responsible for message routing between SMTP servers.
SMTP Replication and Intersite Messaging
Intersite Messaging is a component that is enabled when Active Directory is installed. Intersite Messaging allows for multiple transports to be used as add-ins to the Intersite Messaging architecture. Intersite Messaging enables
messaging communication that can use SMTP servers other than those that are dedicated to processing e-mail applications.
When the forest has a functional level of at least Windows 2000, Intersite Messaging also provides services to the KCC in the form of querying the available replication paths. In addition, Net Logon queries the connectivity data
in Intersite Messaging when calculating site coverage. By default, Intersite Messaging rebuilds its database once a day, or when required by a site link change.
When the forest has a functional level of at least Windows Server 2003, the KCC does not use Intersite Messaging for calculating the topology. However, regardless of forest functional level, Intersite Messaging is still required for
SMTP replication, DFS, universal group membership caching, and Net Logon automatic site coverage calculations. Therefore, if any of these features are in use, do not stop Intersite Messaging.
For more information about site coverage and how automatic site coverage is calculated, see “How DNS Support for Active Directory Works.” For more information about DFS, see “DFS Technical Reference.”
Requirements for SMTP Replication
The KCC does not create connections that use SMTP until the following requirements are met:
An enterprise certification authority (CA) is installed and configured on your network. The CA signs and encrypts SMTP messages that are exchanged between domain controllers, ensuring the authenticity of
directory updates. Specifically, a domain controller certificate must be present on the replicating domain controllers. The replication request message, which contains no directory data, is not encrypted. The
replication reply message, which does contain directory data, is encrypted using a key length of 128 bits.
You are not attempting to replicate writable replicas of the same domain (although replication of global catalog partial replicas is supported).
You must also determine if mail routing is necessary. If the two replicating domain controllers have direct IP connectivity and can send mail to each other, no further configuration is required. However, if the two domain
controllers must go through mail gateways to deliver mail to each other, you must configure the domain controller to use the mail gateway.
Note
RPC is required for replicating the domain to a new domain controller and for installing certificates. If RPC is not available to the remote site, the domain must be replicated and certificates must be installed
over RPC in a hub site and the domain controller then shipped to the remote site.
For replication between sites, data that is replicated through either transport is compressed.
Active Directory can respond with only a fixed (maximum) number of changes per change request, based on the size of the replication packet. The size of the replication packet is configurable. For information
about configuring the replication packet size, see “Replication Packet Size” later in this section.
Active Directory can apply a single set of changes at a time for a specific directory partition and replication partner.
The response data (changes) are transported in one or many frames, based on the total number of changed or new values.
TCP transports the data portion by using the same algorithm for both SMTP and RPC.
Point-to-point synchronous RPC replication is available between sites to allow the flexibility of having domains that span multiple sites. RPC is best used between sites that are connected by WAN links because it involves lower
latency. SMTP is best used between sites where RPC over IP is not possible. For example, SMTP can be used by companies that have a network backbone that is not based on TCP/IP, such as companies that use an X.400
backbone.
Active Directory replication uses both transports to implement a request-response mechanism. Active Directory issues requests for changes and replies to requests for changes. RPC maps these requests into RPC requests and
RPC replies. SMTP, on the other hand, actually uses long-lived TCP connections (or X.400-based message transfer agents in non-TCP/IP networks) to deliver streams of mail in each direction. Thus, RPC transport expects a
response to any request immediately and can have a maximum of one active inbound RPC connection to a directory partition replica at a time. The SMTP transport expects much longer delays between a request and a response.
As a result, multiple inbound SMTP connections to a directory partition replica can be active at the same time, provided the requests are all for a different source domain controller or, for the same source domain controller, a
different directory partition. For more information, see “Synchronous and Asynchronous Communication” earlier in this section.
Replication Packet Size
Replication packet sizes are computed on the basis of memory size unless you have more than 1 gigabyte (GB). By default, the system limits the packet size as follows:
The packet size in bytes is 1/100th the size of RAM, with a minimum of 1 MB and a maximum of 10 MB.
The packet size in objects is 1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects. For general estimates when this entry is not set, assume an approximate packet size
of 100 objects.
There is one exception: the value of the Replicator async inter site packet size (bytes) registry entry is always 1 MB if it is not set (that is, when the default value is in effect). Many mail systems limit the amount of data that can
be sent in a mail message (2 MB to 4 MB is common), although most Windows-based mail systems can handle large 10-MB mail messages.
Overriding these memory-based values might be beneficial in advanced bandwidth management scenarios. You can edit the registry to set the maximum packet size.
Note
If you must edit the registry, use extreme caution. Registry information is provided here as a reference for use by only highly skilled directory service administrators. It is recommended that you do not directly
edit the registry unless, as in this case, there is no Group Policy or other Windows tools to accomplish the task. Modifications to the registry are not validated by the registry editor or by Windows before they
are applied, and as a result, incorrect values can be stored. Storage of incorrect values can result in unrecoverable errors in the system.
Setting the maximum packet size requires adding or modifying entries in the following registry path with the REG_DWORD data type: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters. These entries
can be used to determine the maximum number of objects per packet and maximum size of the packets. The minimum values are indicated as the lowest value in the range.
Range: >=2
Range: >=10 KB
Range: >=2
o Replicator inter site packet size (bytes)
Range: >=10 KB
Range: >=2
Range: >=10 KB
Transport Type
The transportType attribute of a connection object specifies which network transport is used when the connection is used for replication. The transport type receives its value from the distinguished name of the container in the
configuration directory partition that contains the site link over which the connection occurs, as follows:
Connection objects that use TCP/IP have the transportType value of CN=IP,CN=Inter-Site Transports,CN=IP,DC=Configuration,DC=ForestRootDomainName.
Connection objects that use SMTP/IP have the transportType value of CN=SMTP,CN=Inter-Site Transports,CN=IP,DC=Configuration,DC=ForestRootDomainName.
For intrasite connections, transportType has no value; Active Directory Sites and Services shows the transport of “RPC” for connections that are from servers in the same site.
If you move a domain controller to a different site, the connection objects from servers in the site from which it was moved remain, but the transport type is blank because it was an intrasite connection. Because the connection
has an endpoint outside of the site, the local KCC in the server’s new site does not manage the connection. When the ISTG runs, if a blank transport type is found for a connection that is from a server in a different site,
the transportType value is automatically changed to IP. The ISTG in the site determines whether to delete the connection object or to retain it, in which case the server becomes a bridgehead server in its new site.
You can identify a KCC-selected bridgehead server in Active Directory Sites and Services by viewing connection objects for the server (select the NTDS Settings object below the server object); if there are
connections from servers in a different site or sites, the server represented by the selected NTDS Settings object is a bridgehead server. If you have Windows Support Tools installed, you can see all bridgehead
servers by using the command repadmin /bridgeheads.
KCC selection of bridgehead servers guarantees bridgehead servers that are capable of replicating all directory partitions that are needed in the site, including partial global catalog partitions. By default, bridgehead servers are
selected automatically by the KCC on the domain controller that holds the ISTG role in each site. If you want to identify the domain controllers that can act as bridgehead servers, you can designate preferred bridgehead servers,
from which the ISTG selects all bridgehead servers. Alternatively, if the ISTG is not used to generate the intersite topology, you can create manual intersite connection objects on domain controllers to designate bridgehead
servers.
In sites that have at least one domain controller that is running Windows Server 2003, the ISTG can select bridgehead servers from all eligible domain controllers for each directory partition that is represented in the site. For
example, if three domain controllers in a site store replicas of the same domain and domain controllers for this domain are also located in three or more other sites, the ISTG can spread the inbound connection objects from
those sites among all three domain controllers, including those that are running Windows 2000 Server.
In Windows 2000 forests, a single bridgehead server per directory partition and per transport is designated as the bridgehead server that is responsible for intersite replication of that directory partition. Therefore, for the
preceding example, only one of the three domain controllers would be designated by the ISTG as a bridgehead server for the domain, and all four connection objects from the four other sites would be created on the single
bridgehead server. In large hub sites, a single domain controller might not be able to adequately respond to the volume of replication requests from perhaps thousands of branch sites.
For more information about how the KCC selects bridgehead servers, see “Bridgehead Server Selection” later in this section.
Compression of Replication Data
Intersite replication is compressed by default. Compressing replication data allows the data to be transferred over WAN links more quickly, thereby conserving network bandwidth. The cost of this benefit is an increase in CPU
utilization on bridgehead servers.
By default, replication data is compressed under the following conditions:
A new compression algorithm is employed by bridgehead servers that are running at least Windows Server 2003. The new algorithm improves replication speed by operating between two and ten times faster than the
Windows 2000 Server algorithm.
Windows 2000 Server Compression
The compression algorithm that is used by domain controllers that are running Windows 2000 Server achieves a compression ratio of approximately 75% to 85%. The cost of this compression in terms of CPU utilization can be as
high as 50% for intersite Active Directory replication. In some cases, the CPUs on bridgehead servers that are running Windows 2000 Server can become overwhelmed with compression requests, compounded by the need to
service outbound replication partners. In a worst case scenario, the bridgehead server becomes so overloaded that it cannot keep up with outbound replication. This scenario is usually coupled with a replication topology issue
where a domain controller has more outbound partners than necessary or the replication schedule was overly aggressive for the number of direct replication partners.
Note
If a bridgehead server has too many replication partners, the KCC logs event ID 1870 in the Directory Service log, indicating the current number of partners and the recommended number of partners for the
domain controller.
The default value is 3, which indicates that the Windows Server 2003 algorithm is in effect. By changing the value to 2, the Windows 2000 algorithm is used for compression. However, switching to the Windows 2000 algorithm is
not recommended unless both bridgehead domain controllers serve relatively few branches and have ample CPU (for example, > dual processor 850 megahertz [MHz]).
Site Link Settings and Their Effects on Intersite Replication
In Active Directory Sites and Services, the General tab of the site link Properties contains the following options for configuring site links to control the replication topology:
A single numeric cost that is associated with communication over the link. The default cost is 100, but you can assign higher cost values to represent more expensive transmission. For example, sites that are
connected by low-speed or dial-up connections would have high-cost site links between them. Sites that are well connected through backbone lines would have low-cost site links. Where multiple routes or
transports exist between two sites, the least expensive route and transport combination is used.
A schedule that determines days and hours during which replication can occur over the link (the link is available). For example, you might use the default (100 percent available) schedule on most links, but
block replication traffic during peak business hours on links to certain branches. By blocking replication, you give priority to other traffic, but you also increase replication latency.
Note
o Scheduling information is ignored by site links that use SMTP transports; the mail is stockpiled and then exchanged at the times that are configured for your mail infrastructure.
An interval in minutes that determines how often replication can occur (default is every 180 minutes, or 3 hours). The minimum interval is 15 minutes. If the interval exceeds the time allowed by the schedule,
replication occurs once at the scheduled time.
A site can be connected to other sites by any number of site links. For example, a hub site has site links to each of its branch sites. Each site that contains a domain controller in a multisite directory must be connected to at least
one other site by at least one site link; otherwise, it cannot replicate with domain controllers in any other site.
The following diagram shows two sites that are connected by a site link. Domain controllers DC1 and DC2 belong to the same domain and are acting as partner bridgehead servers. When topology generation occurs, the ISTG in
each site creates an inbound connection object on the bridgehead server in its site from the bridgehead server in the opposite site. With these objects in place, replication can occur according to the settings on the SB site link.
Connections Between Domain Controllers in Two Sites that Are Connected by a Site Link
Overlapping schedules are required for site link transitivity, even when Bridge all site links is enabled. In the example, if the site link schedules for SB and PS do not overlap, no connections are possible
between Boston and Portland.
Transitive Replication when Site Links Are Bridged, Schedules Overlap, and Replication Must Be Rerouted
In the preceding diagram, creating a third site link to connect the Boston and Portland sites is unnecessary and counterproductive because of the way that the KCC uses cost to route replication. In the configuration that is shown,
the KCC uses cost to choose either the route between Portland and Seattle or the route between Portland and Boston. If you wanted the KCC to use the route between Portland and Boston, you would create a site link between
Portland and Boston instead of the site link between Portland and Seattle.
Aggregated Site Link Cost and Routing
When site links are bridged, the cost of replication from a domain controller at one end of the bridge to a domain controller at the other end is the sum of the costs on each of the intervening site links. For this reason, if a
domain controller in an interim site stores the directory partition that is being replicated, the KCC will route replication to the domain controller in the interim site rather than to the more distant site. The domain controller in the
more distant site in turn receives replication from the interim site (store-and-forward replication). If the schedules of the two site links overlap, this replication occurs in the same period of replication latency.
The following diagram illustrates an example where two site links connecting three sites that host the same domain are bridged automatically (Bridge all site links is enabled). The aggregated cost of directly replicating between
Portland and Boston illustrates why the KCC routes replication from Portland to Seattle and from Seattle to Boston in a store-and-forward manner. Given the choice between replicating at a cost of 4 from Seattle or a cost of 7
from Boston, the ISTG in Portland chooses the lower cost and creates the connection object on DC3 from DC1 in Seattle.
Bridged Site Links Routing Replication Between Three Sites According to Cost
In the preceding diagram, if DC3 in Portland needs to replicate a directory partition that is hosted on DC2 in Boston but not by any domain controller in Seattle, or if the directory partition is hosted in Seattle but the Seattle site
cannot be reached, the ISTG creates the connection object from DC2 to DC3.
Significance of Overlapping Schedules
In the preceding diagram, to replicate the same domain that is hosted in all three sites, the Portland site replicates directly with Seattle and Seattle replicates directly with Boston, transferring Portland’s changes to Boston, and
vice versa, through store-and-forward replication. Whether the schedules overlap has the following effects:
PS and SB site link schedules have replication available during at least one common hour of the schedule:
o Replication between these two sites occurs in the same period of replication latency, being routed through Seattle.
o Replication of changes between Portland and Boston reach their destination in the next period of replication latency after reaching Seattle.
Note
If Bridge all site links is disabled, a connection is never created between Boston and Portland, regardless of schedule overlap, unless you manually create a site link bridge.
Site Link Changes and Replication Path
The path that replication takes between sites is computed from the information that is stored in the properties of the site link objects. When a change is made to a site link setting, the following events must occur before the
change takes effect:
The site link change must replicate to the ISTG of each site by using the previous replication topology.
As the path of connections is transitively figured through a set of site links, the attributes (settings) of the site link objects are combined along the path as follows:
The replication interval is the maximum of the intervals that are set for the site links along the path.
The options, if any are set, are computed by using the AND operation.
Note
o Options are the values of the options attribute on the site link object. The value of this attribute determines special behavior of the site link, such as reciprocal replication and intersite change
notification.
Thus the site link schedule is the overlap of all of the schedules of the subpaths. If none of the schedules overlap, the path is not used.
Bridging Site Links Manually
If your IP network is composed of IP segments that are not fully routed, you can disable Bridge all site links for the IP transport. In this case, all IP site links are considered nontransitive, and you can create and configure site link
bridge objects to model the actual routing behavior of your network. A site link bridge has the effect of providing routing for a disjoint network (networks that are separate and unaware of each other). When you add site links to
a site link bridge, all site links within the bridge can route transitively.
A site link bridge object represents a set of site links, all of whose sites can communicate through some transport. Site link bridges are necessary if both of the following conditions are true:
A site contains a domain controller that hosts a domain directory partition that is not hosted by a domain controller in an adjacent site (a site that is in the same site link).
That domain directory partition is hosted on a domain controller in at least one other site in the forest.
Note
Site link bridge objects are used by the KCC only when the Bridge all site links setting is disabled. Otherwise, site link bridge objects are ignored.
Site link bridges can also be used to diminish potentially high CPU overhead of generating a large transitive replication topology. In very large networks, transitive site links can be an issue because the KCC considers every
possible connection in the bridged network, and selects only one. Therefore, in a Windows 2000 forest that has a very large network or a Windows Server 2003 or higher forest that consists of an extremely large hub-and-spoke
topology, you can reduce KCC-related CPU utilization and run time by turning off Bridge all site links and creating manual site link bridges only where they are required.
Note
Turning off Bridge all site links affects the ability of DFS clients to locate DFS servers in the closest site. If the ISTG is running at least Windows Server 2003, the Bridge all site links must be enabled to
generate the intersite cost matrix that DFS requires for its site-costing functionality. If the ISTG is running at least Windows Server 2003 with Service Pack 1 (SP1), you can enable Bridge all site links and then
run the repadmin /siteoptions W2K3_BRIDGES_REQUIRED command on each site where you need to accommodate the DFS site-costing functionality. This command disables automatic site link bridging for
the KCC but allows default Intersite Messaging options to enable the site-costing calculation to occur for DFS. For more information about turning off this functionality while accommodating DFS, see "DFS Site
Costing and Windows Server 2003 SP1 Site Options" later in this section. For more information about site link cost and DFS, see “DFS Technical Reference.”
You create a site link bridge object for a specific transport by specifying two or more site links for the specified transport.
Requirements for manual site link bridges
Each site link in a manual site link bridge must have at least one site in common with another site link in the bridge. Otherwise, the bridge cannot compute the cost from sites in one link to the sites in other links of the bridge. If
bridgehead servers that are capable of the transport that is used by the site link bridge are not available in two linked sites, a route is not available.
Manual site link bridge behavior
Separate site link bridges, even for the same transport, are independent. To illustrate this independence, consider the following conditions:
Four sites have domain controllers for the same domain: Portland, Seattle, Detroit, and Boston.
Three site links are configured: Portland-Seattle (PS), Seattle-Detroit (SD), and Detroit-Boston (DB).
Two separate manual site link bridges link the outer site links PS and DB with the inner site link SD.
The presence of the PS-SD site link bridge means that an IP message can be sent transitively from the Portland site to the Detroit site with cost 4 + 3 = 7. The presence of the SD-DB site link bridge means that an IP message can
be sent transitively from Seattle to Boston at a cost of 3 + 2 = 5. However, because there is no transitivity between the PS-SB and SB-DB site link bridges, an IP message cannot be sent between Portland and Boston with cost
4 + 3 + 2 = 9, or at any cost.
In the following diagram, the two manual site link bridges means that Boston is able to replicate directly only with Detroit and Seattle, and Portland is able to replicate directly only with Seattle and Detroit.
Note
If you need direct replication between Portland and Detroit, you can create the PS-SB-DB site link bridge. By excluding the PS site link, you ensure that connections are neither created nor considered by the
KCC between Portland and Detroit.
In the diagram, connection objects are not possible between DC4 in Detroit and DC3 in Portland because two site link bridges are not transitive. For connection objects to be possible between DC3 and DC4, the site link DB must
be added to the PS-SB site link bridge. In this case, the cost of replication between DC3 and DC4 is 9.
Note
Cost is applied differently to a site link bridge than to a site link that contains more than two sites. To use the preceding example, if Seattle, Boston, and Portland are all in the same site link, the cost of
replication between any of the two sites is the same.
Bridging site links manually is generally recommended for only large branch office deployments. For more information about using manual site link bridging, see the “Windows Server 2003 Active Directory Branch Office
Deployment Guide.”
Site Link Schedule
Replication using the RPC transport between sites is scheduled. The schedule specifies one or many time periods during which replication can occur. For example, you might schedule a site link for a dial-up line to be available
during off-peak hours (when telephone rates are low) and unavailable during high-cost regular business hours. The schedule attribute of the site link object specifies the availability of the site link. The default setting is that
replication is always available.
Note
The Ignore schedules setting on the IP container is equivalent to replication being always available. If Ignore schedules is selected, replication occurs at the designated intervals but ignores any schedule.
If replication goes through multiple site links, there must be at least one common time period (overlap) during which replication is available; otherwise, the connection is treated as not available. For example, if site link AB has a
schedule of 18:00 hours to 24:00 hours and site link BC has a schedule of 17:00 hours to 20:00 hours, the resulting overlap is 18:00 hours through 20:00 hours, which is the intersection of the schedules for site link AB and site
link BC. During the time in which the schedules overlap, replication can occur from site A to site C even if a domain controller in the intermediate site B is not available. If the schedules do not overlap, replication from the
intermediate site to the distant site continues when the next replication schedule opens on the respective site link.
Note
Cost considerations also affect whether connections are created. However, if the site link schedules do not overlap, the cost is irrelevant.
Thus, when replication begins at 10:00 o’clock at night in Seattle, it is occurring in Tokyo at 3:00 o’clock in the afternoon the following day. By scheduling replication a few hours later in Seattle, you can avoid replication occurring
during working hours in Japan.
Schedule implementation
The times that you can set in the Schedule setting on the site link are in one-hour increments. For example, you can schedule replication to occur between 00:00 hours and 01:00 hours, between 01:00 hours and 02:00 hours, and
so forth. However, each block in the actual connection schedule is 15 minutes. For this reason, when you set a schedule of 01:00 hours to 02:00 hours, you can assume that replication is queued at some point between
01:00 hours and 01:14:59 hours.
Note
RPC synchronous inbound replication is serialized so that if the server is busy replicating this directory partition from another source, replication from a different source does not begin until the first
synchronization is complete. SMTP asynchronous replication is processed serially by order of arrival, with multiple replication requests queued simultaneously.
Specifically, a replication event is queued at time t + n, where t is the replication interval that is applied across the schedule and n is a pseudo-random number from 1 minute through 15 minutes. For example, if the site link
indicates that replication can occur from 02:00 hours through 07:00 hours, and the replication interval is 2 hours (120 minutes), t is 02:00 hours, 04:00 hours, and 06:00 hours. A replication event is queued on the destination
domain controller between 02:00 hours and 02:14:59 hours, and another replication event is queued between 04:00 hours and 04:14:59 hours. Assuming that the first replication event that was queued is complete, another
replication event is queued between 06:00 hours and 06:14:59 hours. If the synchronization took longer than two hours, the second synchronization would be ignored because an event is already in the queue.
Replication can extend beyond the end of the schedule. A period of replication latency that starts before the end of the schedule runs until completion, even if the period is still running when the schedule no longer allows
replication to be available.
Note
The replication queue is shared with other events, and the time at which replication takes place is approximate. Duplicate replication events are not queued for the same directory partition and transport.
The connection object schedule and interval are derived from one of two locations, depending on whether it is an intrasite or intersite connection:
Intrasite connections inherit a default schedule from the schedule attribute of the NTDS Site Settings object. By default, this schedule is always available and has an interval of one hour.
Intersite connections inherit the schedule and interval from the site link.
Although intrasite replication is prompted by changes, intrasite connection objects inherit a default schedule so that replication occurs periodically, regardless of whether change notification has been received. The connection
object schedule ensures that intrasite replication occurs if a notification message is lost, or if notification does not take place, due to network problems or a domain controller becomes unavailable. The NTDS Site Settings
schedule has a minimum replication interval of 15 minutes. This minimum replication interval is not configurable and determines the smallest interval that is possible for both intrasite and intersite replication (on a connection
object or a site link, respectively).
For intersite replication, the schedule is configured on the site link object, but the connection object schedule actually determines replication; that is, the connection object schedule for an intersite connection is derived from the
site link schedule, which is applied through the connection object schedule. Scheduled replication occurs independently of change notification.
Note
You do not need to configure the connection object schedule unless you are creating a manual intersite replication topology that does not use the KCC automatic connection objects.
The KCC uses a two-step process to compute the schedule of an intersite connection.
1. The schedules of the site links traversed by a connection are merged together.
2. This merged schedule is modified so that it is available at only certain periods. The length of those periods is equal to the maximum replication interval of the site links traversed by this connection.
By using Active Directory Sites and Services, you can manually revise the schedule on a connection object, but such an override is effective for only administrator-owned connection objects.
Replication Interval
For each site link object, you can specify a value for the replication interval (frequency), which determines how often replication occurs over the site link during the time that the schedule allows. For example, if the schedule
allows replication between 02:00 hours and 04:00 hours, and the replication interval is set for 30 minutes, replication can occur up to four times during the scheduled time.
The default replication interval is 180 minutes, or 3 hours. When the KCC creates a connection between a domain controller in one site and a domain controller in another site, the replication interval of the connection is the
maximum interval along the minimum-cost path of site link objects from one end of the connection to the other.
Interaction of Replication Schedule and Interval
When multiple site links are required to complete replication for all sites, the replication interval settings on each site link combine to affect the entire length of the connection between sites. In addition, when schedules on each
site link are not identical, replication can occur only when the schedules overlap.
Suppose that site A and site B have site link AB, and site B and site C have site link BC. When a domain controller in site A replicates with a domain controller in site C, it can do so only as often as the maximum interval that is set
for site link AB and site link BC allows. The following table shows the site link settings that determine how often and during what times replication can occur between domain controllers in site A, site B, and site C.
Replication Interval and Schedule Settings for Two Site Links
Configures appropriate replication connections (connection objects) on the basis of the existing cross-reference, server, NTDS settings, site, site link, and site link bridge objects and the current status of
replication.
Converts the connection objects that represent inbound replication to the local domain controller into the replication agreements that are actually used by the replication engine. These agreements, called
replica links, accommodate replication of a single directory partition from the source to the destination domain controller.
If you must edit the registry, use extreme caution. Registry information is provided here as a reference for use by only highly skilled directory service administrators. It is recommended that you do not directly
edit the registry unless, as in this case, there is no Group Policy or other Windows tools to accomplish the task. Modifications to the registry are not validated by the registry editor or by Windows before they
are applied, and as a result, incorrect values can be stored. Storage of incorrect values can result in unrecoverable errors in the system.
Modifying the interval between startup and the time the domain controller first checks the replication topology requires changing the Repl topology update delay (secs) entry in
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters as appropriate:
Value: Number of seconds to wait between the time Active Directory starts and the KCC runs for the first time.
Thereafter, as long as services are running, the KCC on each domain controller checks the replication topology every 15 minutes and makes changes as necessary.
Modifying the interval at which the KCC performs topology review requires changing the Repl topology update period (secs) entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters as
appropriate:
Cross-reference. Each directory partition in the forest is identified in the Partitions container by a cross-reference object. The attributes of this object are used by the replication system to locate the domain
controllers that store each directory partition.
Server. Each domain controller in the forest is identified as a server object in the Sites container.
NTDS Settings. Each server object that represents a domain controller has a child NTDS Settings object. Its presence identifies the server as having Active Directory installed. The NTDS Settings object must be
present for the server to be considered by the KCC for inclusion in the replication topology.
Site. The presence of the above objects also indicates to the KCC the site in which each domain controller is located for replication. For example, the distinguished name of the NTDS Settings object contains
the name of the site in which the server object that represents the domain controller exists.
Site link. A site link must be available between any set of sites and its schedule and cost properties evaluated for routing decisions.
Site link bridge. If they exist, site link bridge objects and properties are evaluated for routing decisions.
If the domain controller is physically located in one site but its server object is configured in a different site, the domain controller will attempt intrasite replication with a replication partner that is in the site of its server object. In
this scenario, the improper configuration of servers in sites can affect network bandwidth.
If a site object exists for a site that has no domain controllers, the KCC does not consider the site when generating the replication topology.
Topology Generation Phases
The KCC generates the replication topology in two phases:
Evaluation. During the evaluation phase, the KCC evaluates the current topology, determines whether replication failures have occurred with the existing connections, and constructs whatever new connection
objects are required to complete the replication topology.
Translation. During the translation phase, the KCC implements, or “translates,” the decisions that were made during the evaluation phase into agreements between the replication partners. During this phase,
the KCC writes to the repsFrom attribute on the local domain controller (for intrasite topology) or on all bridgehead servers in a site (for intersite topology) to identify the replication partners from which each
domain controller pulls replication. For more information about the information in the replication agreement, see “How the Active Directory Replication Model Works.”
Performing Domain
KCC Mode Scope Description
Controllers
Intrasite All Local Evaluate all servers in a site and create connection objects
server locally on this server from servers in the same site that are
adjacent to this server in the ring topology.
Intersite One domain controller Local Evaluate the servers in all sites and create connection
per site that has the site objects both locally and on other servers in the site from
ISTG role servers in different sites.
Link All Local Translate connection objects into replica links
translation server (partnerships) for each server relative to each directory
partition that it holds.
Topology Evaluation and Connection Object Generation
The KCC on a destination domain controller evaluates the topology by reading the existing connection objects. For each connection object, the KCC reads attribute values of the NTDS Settings object (class nTDSDSA) of the
source domain controller (indicated by thefromServer value on the connection object) to determine what directory partitions its destination domain controller has in common with the source domain controller.
Topology evaluation for all domain controllers
To determine the connection objects that need to be generated, the KCC uses information stored in the attributes of the NTDS Settings object that is associated with each server object, as follows:
For all directory partitions, the multivalued attribute hasMasterNCs stores the distinguished names of all directory partitions that are stored on that domain controller.
For all domain controllers, the value of the options attribute indicates whether that domain controller is configured to host the global catalog.
The hasPartialReplicaNCs attribute contains the set of partial-replica directory partitions (global catalog read-only domain partitions) that are located on the domain controller that is represented by the server
object.
The linked multivalued attribute msDS-NC-Replica-Locations on cross-reference objects stores the distinguished names of NTDS Settings objects for all domain controllers that are configured to host a replica
of the corresponding application directory partition.
Note
o When you remove Active Directory from a server that hosts an application directory partition, its corresponding entry in this multivalued attribute is automatically dropped because msDS-NC-
Replica-Locations is a linked attribute.
Application directory partition replica locations are determined by matching the values of the hasMasterNCs attribute with the values of the msDS-NC-Replica-Locations linked multivalued attribute of cross-
reference objects. The msDS-NC-Replica-Locationsattribute holds distinguished name references to the NTDS Settings objects for domain controllers that have been configured to store replicas of the
application directory partition. The msDS-NC-Replica-Locations attribute facilitates the enumeration of existingreplicas for a given application directory partition. Connection objects can then be created
between the domain controllers that hold matching replicas.
Be aware that due to replication latency, the configuration of replicas in attribute values does not guarantee the existence of the replica on a given server. For example, you can designate a domain controller as a global catalog
server by clicking the Global Catalog check box on the NTDS Settings object properties in Active Directory Sites and Services. However, until all of the partial domain directory partitions have replicated to that domain controller
and global-catalog-specific SRV records are registered in DNS, it is not a functioning global catalog server (does not advertise as a global catalog server in DNS). Similarly, observing the NTDS Settings name for a server in
the msDS-NC-Replica-Locations attribute on the cross-reference object does not indicate that the replica has necessarily been fully replicated to that server.
Connection Translation
All KCCs process their connection objects and translate them into connection agreements, also called “replica links,” between pairs of domain controllers. At specified intervals, Active Directory replicates data from the source
domain controller to the destination for directory partitions that they have in common. These replication agreements do not appear in the administrative tools; the replication engine uses them internally to track the directory
partitions that are to be replicated from specified servers.
For each directory partition that two domain controllers have in common and that matches the full and partial characteristics of a replication source, the KCC creates (or updates) a replication agreement on the destination
domain controller. Replication agreements take the form of entries for each source domain controller in the repsFrom attribute on the topmost object of each directory partition replica. This value is stored and updated locally
on the domain controller and is not replicated. The KCC updates this attribute each time it runs.
For example, suppose a connection object is created between two domain controllers from different domains. Assuming that neither of these domain controllers is a global catalog server and neither stores an application
directory partition, the KCC identifies the only two directory partitions that the domain controllers have in common — the schema directory partition and the configuration directory partition. If a connection object links domain
controllers in the same domain, at least three directory partitions are replicated: the schema directory partition, the configuration directory partition, and the domain directory partition.
In contrast, if the connection object that is created establishes replication between two domain controllers that are global catalog servers, then in addition to the directory partitions the domain controllers have in common, a
partial replica of each additional domain directory partition in the forest is also replicated between the two domain controllers over the same connection.
For more information about replication agreements, see “How the Active Directory Replication Model Works.”
Read-only and Writable Replicas
When computing the replication topology, the KCC must consider whether a replica is writable or read-only. For each potential set of replication partners in the topology, the considerations are as follows:
In Windows 2000 forests, for any one domain directory partition, the KCC calculates two topologies: one for the writable replicas and one for the read-only replicas. This calculation allows redundant connections for read-only
replicas under certain conditions.
The improved KCC spanning tree algorithm eliminates redundancy that can occur in Windows 2000. The algorithm computes only one topology with slightly different behavior for replicating the global catalog. The KCC on a
domain controller that is not a global catalog server does not consider global catalog servers in its calculations for read-only domain replicas because it never replicates read-only data from a global catalog server.
Automated Intrasite Topology Generation
For replication within a site, a topology is generated and then optimized to minimize the number of hops to three. The means by which the three-hop minimum is achieved varies according to the number of domain controllers
that are hosted in the site as well as the presence of global catalog servers. Generally, the intrasite topology is formed in a ring. The topology becomes more complex as the number of servers increases. However, the KCC can
accommodate thousands of domain controllers in a site.
Simplified Ring Topology Generation
A simplified process for creating the topology for replication within a site begins as follows:
The KCC generates a list of all servers in the site that hold that directory partition.
For each neighboring server in the ring from which the current domain controller is to replicate, the KCC creates a connection object if one does not already exist.
This simple approach guarantees a topology that tolerates a single failure. If a domain controller is not available, it is not included in the ring that is generated by the list of servers. However, this topology, with no other
adjustments, accommodates only seven servers. Beyond this number, the ring would require more than three hops for some servers.
The simplest case scenario — seven or fewer domain controllers, all in the same domain and site — would result in the replication topology shown in the following diagram. The only directory partitions to replicate are a single
domain directory partition, the schema directory partition, and the configuration directory partition. Those topologies are generated first, and at that point, sufficient connections to replicate each directory partition have already
been created.
In the next series of diagrams, the arrows indicate one-way or two-way replication of the type of directory partitions indicated in the Legend.
Simple Ring Topology that Requires No Optimization
Because a ring topology is created for each directory partition, the topology might look different if domain controllers from a second domain were present in the site. The next diagram illustrates the topology for domain
controllers from two domains in the same site with no global catalog servers defined in the site.
Ring Topology for Two Domains in a Site that Has No Global Catalog Server
The next diagram illustrates replication between a global catalog server and three domains to which the global catalog server does not belong. When a global catalog server is added to the site in DomainA, additional
connections are required to replicate updates of the other domain directory partitions to the global catalog server. The KCC on the global catalog server creates connection objects to replicate from domain controllers for each of
the other domain directory partitions within the site, or from another global catalog server, to update the read-only partitions. Wherever a domain directory partition is replicated, the KCC also uses the connection to replicate the
schema and configuration directory partitions.
Note
Connection objects are generated independently for the configuration and schema directory partitions (one connection) and for the separate domain and application directory partitions, unless a connection
from the same source to destination domain controllers already exists for one directory partition. In that case, the same connection is used for all (duplicate connections are not created).
Intrasite Topology for Site with Four Domains and a Global Catalog Server
Given a set of nodes in a ring, create the minimum number of connections, n, that each server must have to ensure a path of no more than three hops to another server.
If the local server does not have n extra connections, the KCC does the following:
This approach approximates the minimum-hop goal of three servers. In addition, it grows well, because as the site grows in server count, old optimizing connections are still useful and are not removed. Also, every time an
additional 9 to 11 servers are added, a connection object is deleted at random; then a new one is created, ideally having one of the new servers as its source. This process ensures that, over time, the additional connections are
distributed well over the entire site.
The following diagram shows an intrasite ring topology with optimizing connections in a site that has eight domain controllers in the same domain. Without optimizing connections, the hop count from DC1 to DC2 is more than
three hops. The KCC creates optimizing connections to limit the hop count to three hops. The two one-way inbound optimizing connections accommodate all directory partitions that are replicated between the two domain
controllers.
Intrasite Topology with Optimizing Connections
Excluded Nonresponding Servers
The KCC automatically rebuilds the replication topology when it recognizes that a domain controller has failed or is unresponsive.
The criteria that the KCC uses to determine when a domain controller is not responsive depend upon whether the server computer is within the site or not. Two thresholds must be reached before a domain controller is declared
“unavailable” by the KCC:
The requesting domain controller must have made n attempts to replicate from the target domain controller.
o For replication within a site, the following distinctions are made between the two immediate neighbors (in the ring) and the optimizing connections:
For immediate neighbors, the default value of n is 0 failed attempts. Thus, as soon as an attempt fails, a new server is tried.
For optimizing connections, the default value of n is 1 failed attempt. Thus, as soon as a second failed attempt occurs, a new server is tried.
A certain amount of time must have passed since the last successful replication attempt.
o For replication within a site, a distinction is made between the two immediate neighbors (in the ring) and the optimizing connections:
You can edit the registry to modify the thresholds for excluding nonresponding servers.
Note
If you must edit the registry, use extreme caution. Registry information is provided here as a reference for use by only highly skilled directory service administrators. It is recommended that you do not directly
edit the registry unless, as in this case, there is no Group Policy or other Windows tools to accomplish the task. Modifications to the registry are not validated by the registry editor or by Windows before they
are applied, and as a result, incorrect values can be stored. Storage of incorrect values can result in unrecoverable errors in the system.
Modifying the thresholds for excluding nonresponding servers requires editing the following registry entries in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, with the data type REG_DWORD.
You can modify these values to any desired value as follows:
For replication between sites, use the following entries:
IntersiteFailuresAllowed
Default: 1
MaxFailureTimeForIntersiteLink (sec)
Value: Time that must elapse before being considered unavailable, in seconds
NonCriticalLinkFailuresAllowed
Default: 1
MaxFailureTimeForNonCriticalLink
For immediate neighbor connections within a site, use the following entries:
CriticalLinkFailuresAllowed
Default: 0
MaxFailureTimeForCriticalLink
When the original domain controller begins responding again, the KCC automatically restores the replication topology to its pre-failure condition the next time that the KCC runs.
Fully Optimized Ring Topology Generation
Taking the addition of extra connections, management of nonresponding servers, and growth-management mechanisms into account, the KCC proceeds to fully optimize intrasite topology generation. The appropriate
connection objects are created and deleted according to the available criteria.
Note
Connection objects from nonresponding servers are not deleted because the condition is expected to be transient.
Improved scalability: A new spanning tree algorithm achieves greater efficiency and scalability when the forest has a functional level of Windows Server 2003. For more information about this new algorithm, see
“Improved KCC Scalability in Windows Server 2003 Forests” later in this section.
Less network traffic: A new method of communicating the identity of the ISTG reduces the amount of network traffic that is produced by this process. For more information about this method, see “Intersite
Topology Generator” later in this section.
Multiple bridgehead servers per site and domain, and initial bridgehead server load balancing: An improved algorithm provides random selection of multiple bridgehead servers per domain and transport (the
Windows 2000 algorithm allows selection of only one). The load among bridgehead servers is balanced the first time connections are generated. For more information about bridgehead server load balancing,
see “Windows Server 2003 Multiple Bridgehead Selection” later in this section.
Location of domain directory partitions (calculate a replication topology for each domain).
With automatic site link bridging in effect, consider all implicit paths as a single path with a combined cost.
With manual site link bridging in effect, consider the implicit combined paths of only those site links included in the explicit site link bridges.
With no site link bridging in effect, where the site links represent hops between domain controllers in the same domain, replication flows in a store-and-forward manner through sites.
Computes a cost matrix by identifying each site pair (that is, each pair of bridgehead servers in different sites that store the directory partition) and the cost on the site link connecting each pair.
Note
o This matrix is actually computed by Intersite Messaging and used by the KCC.
By using the costs computed in the matrix, builds a spanning tree between sites that store the directory partition.
This method becomes inefficient when there are a large number of sites.
Note
CPU time and memory is not an issue in a Windows 2000 forest as long as the following criteria apply:
Note
The site option on the NTDS Site Settings object can be set on any domain controller, but it does not take effect
until replication of the change reaches the ISTG role holder for the site.
All domain controllers in the site are running Windows 2000 and one of them is upgraded to Windows Server 2003.
If at least one domain controller in a site is running Windows Server 2003, the ISTG role is assumed by a domain controller that is running Windows Server 2003.
The viability of the current ISTG is assessed by all other domain controllers in the site. The need for a new ISTG in a site is established differently, depending on the forest functional level that is in effect.
Windows 2000 functional level: At 30-minute intervals, the current ISTG notifies every other domain controller of its existence and availability by writing the interSiteTopologyGenerator attribute of the NTDS
Site Settings object for the site. The change replicates to every domain controller in the forest. The KCC on each domain controller monitors this attribute for its site to verify that it has been written. If a period
of 60 minutes elapses without a modification to the attribute, a new ISTG declares itself.
Windows Server 2003 or Windows Server 2003 interim functional level: Each domain controller maintains an up-to-dateness vector, which contains an entry for each domain controller that holds a full replica of
any directory partition that the domain controller replicates. On domain controllers that are running Windows Server 2003, this up-to-dateness vector contains a timestamp that indicates the times that it was
last contacted by its replication partners, including both direct and indirect partners (that is, every domain controller that replicates a directory partition that is stored by this domain controller). The timestamp is
recorded whether or not the local domain controller actually received any changes from the partner. Because all domain controllers store the schema and configuration directory partitions, every domain
controller is guaranteed to have the ISTG for its site among the domain controllers in its up-to-dateness vector.
This timestamp eliminates the need to receive periodic replication of the updated interSiteTopologyGenerator attribute from the current ISTG. When the timestamp indicates that the current ISTG has not
contacted the domain controller in the last 120 minutes, a new ISTG declares itself.
The Windows Server 2003 method eliminates the network traffic that is generated by periodically replicating the interSiteTopologyGenerator attribute update to every domain controller in the forest.
ISTG Eligibility
When at least one domain controller in a site is running Windows Server 2003, the eligibility for the ISTG role depends on the operating system of the domain controllers. When a new ISTG is required, each domain controller
computes a list of domain controllers in the site. All domain controllers in the site arrive at the same ordered list. Eligibility is established as follows:
If no domain controllers in the site are running Windows Server 2003, all domain controllers that are running Windows 2000 Server are eligible. The list of eligible servers is ordered by GUID.
If at least one domain controller in the site is running Windows Server 2003, all domain controllers that are running Windows Server 2003 are eligible. In this case, the entries in the list are sorted first by
operating system and then by GUID. In a site in which some domain controllers are running Windows 2000 Server, domain controllers that are running Windows Server 2003 remain at the top of the list and use
the GUID in the same manner to maintain the order.
The domain controller that is next in the list of servers after the current owner declares itself the new ISTG by writing the interSiteTopologyGenerator attribute on the NTDS Site Settings object.
If the current ISTG is temporarily disconnected from the topology, as opposed to being shut down, and a new ISTG declares itself in the interim, then two domain controllers can temporarily assume the ISTG role. When the
original ISTG resumes replication, it initially considers itself to be the current ISTG and creates inbound replication connection objects, which results in duplicate intersite connections. However, as soon as the two ISTGs replicate
with each other, the last domain controller to write the intersiteTopologyGenerator attribute continues as the single ISTG and removes the duplicate connections.
Bridgehead Server Selection
Bridgehead servers can be selected in the following ways:
Automatically by the ISTG from all domain controllers that are identified as preferred bridgehead servers, if any preferred bridgehead servers are assigned. Preferred bridgehead servers must be assigned
manually.
Manually by creating a connection object on a domain controller in one site from a domain controller in a different site.
By default, when at least one domain controller in a site is running Windows Server 2003 (regardless of forest functional level), any domain controller that hosts a domain in the site is a candidate to be an ISTG-selected
bridgehead server. If preferred bridgehead servers are selected, candidates are limited to this list. The connections from remote servers are distributed among the available candidate bridgehead servers in each site. The selection
of multiple bridgehead servers per domain and transport is new in Windows Server 2003. The ISTG uses an algorithm to evaluate the list of domain controllers in the site that can replicate each directory partition. This algorithm
is improved in Windows Server 2003 to randomly select multiple bridgehead servers per directory partition and transport. In sites containing only domain controllers that are running Windows 2000 Server, the ISTG selects only
one bridgehead server per directory partition and transport.
When bridgehead servers are selected by the ISTG, the ISTG ensures that each directory partition in the site that has a replica in any other site can be replicated to and from that site or sites. Therefore, if a single domain
controller hosts the only replica of a domain in a specific site and the domain has domain controllers in another site or sites, that domain controller must be a bridgehead server in its site. In addition, that domain controller must
be able to connect to a bridgehead server in the other site that also hosts the same domain directory partition.
Note
If a site has a global catalog server but does not contain at least one domain controller of every domain in the forest, then at least one bridgehead server must be a global catalog server.
If at least one server is designated as a preferred bridgehead server, updates to the domain directory partition hosted by that server can be replicated only from a preferred bridgehead server. If at the time of
replication no preferred bridgehead server is available for that directory partition, replication of that directory partition does not occur.
If any bridgehead servers are designated but no domain controller is designated as a preferred bridgehead server for a specific directory partition that has replicas in another site or sites, the KCC selects a
domain controller to act as the bridgehead server, if one is available that can replicate the directory partition to the other site or sites.
Assign at least two or more bridgehead servers for each of the following:
o Any domain directory partition that has a replica in any other site.
o The schema and configuration directory partitions (one bridgehead server replicates both) if no domains in the site have replicas in other sites.
If the site has a global catalog server, select the global catalog server as one of the preferred bridgehead servers.
If one or more new domain controllers are added to the hub site, the inbound connections on the existing bridgehead servers are not automatically re-balanced. The next time it runs, the ISTG considers the newly added server(s)
as follows:
If preferred bridgehead servers are not selected in the site, the ISTG considers the newly added servers as candidate bridgehead servers and creates new connections randomly if new connections are needed. It
does not remove or replace the existing connections.
If preferred bridgehead servers are selected in the site, the ISTG does not consider the newly added servers as candidate bridgehead servers unless they are designated as preferred bridgehead servers.
The initial connections remain in place until a bridgehead server becomes unavailable, at which point the KCC randomly replaces the connection on any available bridgehead server. That is, the endpoints do not change
automatically for the existing bridgehead servers. In the following diagram, two new domain controllers are added to the hub site, but the existing connections are not redistributed.
New Domain Controllers with No New Connections Created
Although the ISTG does not rebalance the load among the existing bridgehead servers in the hub site after the initial connections are created, it does consider the added domain controllers as candidate bridgehead servers
under either of the following conditions:
A new site is added that requires a bridgehead server connection to the hub site.
The following diagram illustrates the inbound connection that is possible on a new domain controller in the hub site to accommodate a failed connection on one of the existing hub site bridgehead servers. In addition, a new
branch site is added and a new inbound connection can potentially be created on the new domain controller in the hub site. However, because the selection is random, there is no guarantee that the ISTG creates the connections
on the newly added domain controllers.
Possible New Connections for Added Site and Failed Connection
Using ADLB to Balance Hub Site Bridgehead Server Load
In large hub-and-spoke topologies, you can implement the redistribution of existing bridgehead server connections by using the Active Directory Load Balancing (ADLB) tool (Adlb.exe), which is included with the “Windows
Server 2003 Active Directory Branch Office Deployment Guide.” ADLB makes it possible to dynamically redistribute the connections on bridgehead servers. This application works independently of the KCC, but uses the
connections that are created by the KCC. Connections that are manually created are not moved by ADLB. However, manual connections are factored into the load-balancing equations that ADLB uses.
The ISTG is limited to making modifications in its site, but ADLB modifies both inbound and outbound connections on eligible bridgehead servers and offers schedule staggering for outbound connections.
For more information about how bridgehead server load balancing and schedule staggering work with ADLB, see the “Windows Server 2003 Active Directory Branch Office Planning and Deployment Guide” on the Web at
http://go.microsoft.com/fwlink/?linkID=28523.
In addition to the dynamic port 135, other ports that are required for replication to occur are listed in the following table.
Port Assignments for Active Directory Replication
Restricting the directory service to using a fixed port requires editing the TCP/IP Port registry entry (REG_DWORD), located in:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Changing this registry entry on a domain controller and restarting it causes the directory service to use the TCP port named in the registry entry. For example, port 49152 is DWORD=0000c000 (hexadecimal).