
Configuring and Troubleshooting Active Directory Replication
An Overview of Active Directory Replication
Active Directory is a distributed, multimaster replicated database. Every domain controller
hosts a full replica of the directory information for its own domain. Domain controllers in
Windows 2000 and Windows Server 2003 environments hold a read/write copy of the
Active Directory database, so changes can be made to the Active Directory database on
any domain controller within the Active Directory environment. Replication is the process
that ensures that changes made to a replica on one domain controller are transferred to the
replicas on the remaining domain controllers. Whenever an object in Active Directory is
created, deleted, moved, or changed, Active Directory replication is triggered.

In Windows 2000 and Windows Server 2003 environments, the types of Active Directory
replication that can be defined are:

• Intrasite Replication: Intrasite replication takes place between domain controllers
within the same site. This makes intrasite replication an uncomplicated process.
Intrasite replication utilizes the Remote Procedure Call (RPC) protocol to convey
replication data over fast, reliable network connections. Replication data within a
site is not compressed.
• Intersite Replication: Intersite replication takes place between sites. Intersite
replication can utilize either RPC over IP or SMTP to convey replication data.
Intersite replication has to be manually configured. Intersite replication occurs
between two domain controllers that are called bridgeheads or bridgehead servers.
With intersite replication, packets are compressed to conserve bandwidth.

The information replicated in Active Directory is summarized below:

• Configuration partition data: Objects stored in the configuration partition relate to
the domain structure and replication topology, and are replicated to every domain
controller in every domain of the forest.
• Domain partition data: All objects that are stored in a domain exist in the domain
partition. Domain partition data is replicated only to the domain controllers within
that domain.
• Schema partition data: Schema partition data describes the objects that can be
created in Active Directory and is replicated to every domain controller in the
forest.
• Application partition data: A new feature introduced in Windows Server 2003 is
the application partition. Applications and services store data in the application
partition.
You can use the Active Directory Sites and Services console to configure intersite
replication. Configuring intersite replication typically involves:

• Renaming the Default-First-Site-Name object
• Creating site objects and subnet objects
• Creating site link objects
• Configuring site link attributes: Site link cost, site link replication frequency, site
link replication availability
• Specifying or designating a preferred bridgehead server (BS).
• Creating site link bridges
• Manually creating connection objects

How to rename the Default-First-Site-Name site (first site object)

You should rename the default site object to something that has meaning in your
organization. To do this,

1. Open the Active Directory Sites and Services console.
2. Right-click Default-First-Site-Name, and select Rename from the shortcut menu.
3. Enter a meaningful name for the site.

How to create a new site object

1. Open the Active Directory Sites and Services console.
2. Right-click the Sites folder and select New Site from the shortcut menu.
3. When the New Object – Site dialog box opens, enter a name for the site in the
Name box.
4. You can accept DefaultIPSiteLink in the Link Name box.
5. Click OK.

How to create a new subnet object

1. Open the Active Directory Sites and Services console.
2. Right-click the Subnets folder, and select New Subnet from the shortcut menu.
3. When the New Object – Subnet dialog box opens, in the first section of the
dialog box, specify the subnet address and the number of bits in the subnet mask.
4. In the Select a site object for this subnet section, specify the site object with which
this particular subnet is associated.
5. Click OK.

How to create a site link

When you create a site link, you specify the transport protocol for replicating data
over the site link as either IP or SMTP.

• IP replication is typically selected for a site link when a reliable connection exists
between domain controllers in different sites.
• SMTP replication is normally selected when connections are unreliable and slow.

To create a site link,

1. Open the Active Directory Sites and Services console.
2. Open the Sites folder, and then open the Inter-Site Transports folder.
3. Right-click either the IP folder or the SMTP folder, and choose New Site Link
from the shortcut menu.
4. The New Object – Site Link dialog box opens.
5. In the Name field, enter a name for the new site link.
6. In the Sites Not In This Site Link box, select the sites to connect. Click Add.
7. Click OK.

How to configure site link attributes or properties

Configuring site link attributes involves specifying the site link cost, the site link
replication frequency, and the site link replication availability. When you set the site link
cost, you are defining the cost of the network connection in proportion to the speed of the
link: lower costs are assigned to fast links, while higher costs are associated with slower
links. The site link replication frequency can be any number of minutes from 15 minutes to
10,080 minutes. Setting site link replication availability involves specifying when a site
link is available for replication.

To configure site link attributes,

1. Open the Active Directory Sites and Services console.
2. Open the Sites folder, and then open the Inter-Site Transports folder.
3. Open the IP folder or SMTP folder that contains the site link whose attributes you
want to configure.
4. Right-click the particular site link and then select Properties from the shortcut
menu.
5. In the Description box on the General tab of the Properties dialog box for the site
link, you can enter a description for the site link.
6. In the Cost box, you can change the default cost of the site link. The default cost
setting is 100.
7. In the Replicate Every box, you can change the default replication interval, which
is the number of minutes between replications. The default setting is 180 minutes.
The shortest replication interval that can be set is 15 minutes, and the longest
interval that can be specified is 10,080 minutes.
8. Click the Change Schedule button to configure when the site link is available for
replication.
9. When the Schedule dialog box for the site link opens, you can set when the site
link is available for replication, and when it is not.
10. Click OK to save the configuration changes you made in the Schedule dialog box.
11. Click OK to save the changes in the Properties dialog box of the site link.

How to configure replication to ignore schedules

1. Open the Active Directory Sites and Services console.
2. Open the Sites folder, and then open the Inter-Site Transports folder.
3. Right-click the IP folder or SMTP folder and choose Properties from the shortcut
menu.
4. When the Properties dialog box of the folder which you selected opens, click the
Ignore Schedules checkbox.
5. Click OK.

How to add a site to an existing site link

1. Open the Active Directory Sites and Services console.
2. Open the Sites folder, and then open the Inter-Site Transports folder.
3. Open the IP folder or SMTP folder that contains the site link to which the site
should be added.
4. Right-click the particular site link and then select Properties from the shortcut
menu.
5. Use the Sites Not In This Site Link box to select the site that should be added to
the site link. Click Add.
6. Click OK.

How to rename an existing site link

1. Open the Active Directory Sites and Services console.
2. Open the Sites folder, and then open the Inter-Site Transports folder.
3. Open the IP folder or SMTP folder that contains the site link that you want to
rename.
4. Right-click the particular site link and then select Rename from the shortcut
menu.
5. Proceed to set a new name for the site link.

How to designate a preferred bridgehead server (BS)

The Knowledge Consistency Checker (KCC) may not designate the most suitable domain
controller in a site as the bridgehead server. In such cases, to improve performance, you
can manually designate one or more preferred bridgehead servers.

To designate a preferred BS,

1. Open the Active Directory Sites and Services console.
2. In the console tree, expand the Sites folder, expand the site in which you want to
create the bridgehead server, and then expand the Servers folder.
3. Right-click on the particular server, and select Properties from the shortcut menu.
4. When the Properties dialog box of the server opens, in the Transports available
for inter-site transfer section, select the protocol for which the server is to be a
bridgehead server. Click Add.
5. Click OK.

How to disable transitive site links, or automatic bridging

Because site link transitivity is enabled by default, you typically need to disable it if
you want to create site link bridges of your own.

1. Open the Active Directory Sites and Services console.
2. Open the Sites folder, and then open the Inter-Site Transports folder.
3. Right-click either the IP folder or SMTP folder and choose Properties from the
shortcut menu.
4. On the General tab, uncheck the Bridge All Site Links checkbox to disable site
link transitivity.
5. Click OK.

How to create a site link bridge

1. Open the Active Directory Sites and Services console.
2. Open the Sites folder, and then open the Inter-Site Transports folder.
3. Right-click either the IP folder or SMTP folder and choose New Site Link Bridge
from the shortcut menu.
4. The New Object-Site Link Bridge dialog box opens.
5. Enter a name for the new site link bridge in the Name field.
6. Use the Site links not in this bridge box to select two or more sites to connect.
Click Add
7. Click OK

How to manually create and configure a connection object

Connection objects in Active Directory are created automatically by the KCC. You can,
however, manually create connection objects to customize the replication topology, or to
decrease the number of hops from one domain controller to another particular domain
controller. Connection objects created by the KCC are removed automatically by the KCC
when the replication topology changes. Connection objects that are created manually are
not removed when the replication topology changes; you have to remove them manually.

To manually create and configure connection objects,

1. Open the Active Directory Sites and Services console.
2. In the console tree, expand the Sites folder, expand the site in which you want to
create the connection object, and then expand the Servers folder.
3. Select the particular server that you want to enable the connection for.
4. Right-click NTDS Settings and select New Active Directory Connection from the
shortcut menu.
5. When the Find Domain Controllers dialog box opens, choose the domain
controller. Click OK
6. When the New Object-Connection dialog box opens, enter a name for the
connection object. Click OK
7. Proceed to right-click the connection that you have just created in the details pane
and select Properties from the shortcut menu.
8. When the Properties dialog box of the connection object opens, in the Description
field, provide a description for the new connection object.
9. In the Transport drop down list, verify that RPC is specified as the transport
protocol.
10. If you want to modify the default schedule for intrasite replication, click the
Change Schedule button.
11. When the Schedule dialog box for the connection object opens, set the appropriate
replication frequency and Click OK.
12. Click OK to save changes made in the Properties dialog box of the connection
object.

How to manually force immediate replication

1. Open the Active Directory Sites and Services console.
2. In the console tree, expand the Sites folder, expand the site that Active Directory
has to replicate to and then expand the name of the server to use for replication.
3. Click NTDS Settings to display the inbound connection objects of the server in
the right pane.
4. Right-click the server that you want to replicate from and click Replicate Now
from the shortcut menu.

Troubleshooting Active Directory Replication

Although domain controllers generally manage the replication process automatically,
there are instances when incorrect configuration settings or unreliable network
connections prevent Active Directory information from being replicated between
domain controllers. There are quite a few mechanisms that can be used to monitor and
troubleshoot the Active Directory replication process.
The tools available are:

• Active Directory Replication Monitor (Replmon.exe)
• Replication Diagnostics Tool (Repadmin.exe)
• The Dsastat.exe command-line tool
• Active Directory event logging, which you can configure on each domain controller

A few common methods that you can use to monitor or troubleshoot Active Directory
replication are summarized below:

• Verify network connectivity in your environment: When Active Directory
replication has stopped, verify your existing network connections. For replication
to occur, your domain controllers have to be connected by working LAN links.
Using high speed links typically improves replication performance.
• Verify site links: In order for domain controllers in different sites to exchange
Active Directory data or information, you have to configure the appropriate site
links. When replication is not occurring between sites, verify that a site link object
does link the current site to a site which is connected to the remainder of the sites
of the network.
• Verify the replication topology: You can use the Active Directory Sites and
Services console to check that your replication topology is complete and
consistent. Errors are displayed in a dialog box in the console.
• Manually verify that Active Directory information has been synchronized: You
should regularly verify that information is synchronized between the domain
controllers within each domain.
• When replication errors are encountered, check the Directory Service event log in
Event Viewer. Active Directory replication errors are written to the Directory
Service event log.

There may be instances when Active Directory replication is quite slow. A few methods
of correcting this problem are summarized below:

• Having no site link bridge can result in Active Directory information taking quite
a while to be replicated between domain controllers. You can create a site link
bridge or you can bridge all site links. This is typically necessary when there are
only site links in your network, but no site link bridges.
• If the configured frequency of intersite replication is too low, you may experience
long delays between when changes are made on one domain controller and when
they are replicated to a domain controller in a different site. To fix this problem,
consider changing the replication frequency setting.
• When your existing network resources are unable to cope with the quantity of
traffic being generated by Active Directory replication, consider the following:
    o If realistic, modify the replication frequency setting
    o If feasible, configure additional resources for Active Directory replication
    o Create site links
    o Create site link bridges
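The site link settings described under "How to configure site link attributes" and the slow-replication checks above can be audited from a script instead of clicking through every link. The following is an added example, not code from the original article: it reads the IP inter-site transport with the built-in [ADSI] accelerator and reports each site link's cost, replication interval and member sites, flagging links that connect fewer than two sites or replicate less often than the 180-minute default, and warns when automatic bridging is off and no site link bridge exists. The bit values for the transport's `options` attribute (0x1 ignore schedules, 0x2 bridges required) are taken from MS-ADTS and are an assumption of this example.

```powershell
# Added example: audit IP site links for the causes of slow intersite replication
# named in the text. Requires a domain-joined machine with read access to the
# Configuration partition; no extra modules are needed.

$rootDse   = [ADSI]"LDAP://RootDSE"
$configNC  = $rootDse.configurationNamingContext.Value
$transport = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# 'options' on the transport container (bit values assumed from MS-ADTS):
#   0x1 = ignore schedules, 0x2 = bridges required ("Bridge all site links" unchecked)
$options         = [int]$transport.Properties['options'].Value
$ignoreSchedules = ($options -band 1) -ne 0
$bridgesRequired = ($options -band 2) -ne 0

$links   = @()
$bridges = 0
foreach ($child in $transport.Children) {
    switch ($child.SchemaClassName) {
        'siteLinkBridge' { $bridges++ }
        'siteLink' {
            # siteList holds the DNs of the member sites; keep only the CN.
            $sites = @($child.Properties['siteList'] |
                       ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' })
            $interval = [int]$child.Properties['replInterval'].Value   # minutes
            $issues = @()
            if ($sites.Count -lt 2) { $issues += 'connects fewer than two sites' }
            if ($interval -gt 180)  { $issues += "interval $interval min exceeds the 180 min default" }
            $links += New-Object PSObject -Property @{
                Name     = $child.Properties['name'].Value
                Cost     = [int]$child.Properties['cost'].Value
                Interval = $interval
                Sites    = ($sites -join ', ')
                Issues   = ($issues -join '; ')
            }
        }
    }
}

"IP transport: ignore schedules = $ignoreSchedules; bridges required = $bridgesRequired; site link bridges = $bridges"
if ($bridgesRequired -and $bridges -eq 0 -and $links.Count -gt 1) {
    Write-Warning 'Bridge all site links is off and no site link bridge exists: sites on different links will not replicate transitively.'
}
$links | Sort-Object Cost | Format-Table Name, Cost, Interval, Sites, Issues -AutoSize
```

Run it from a domain-joined machine; SMTP links can be audited the same way by changing `CN=IP` to `CN=SMTP`.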

How to use Active Directory Replication Monitor to monitor/troubleshoot replication

Replication Monitor (Replmon) is a graphical management tool included in the Windows
Support Tools. In order to open and use Replmon, it must first be installed on the
computer from which it is run. The computer can be a domain controller, member server,
member workstation or stand-alone computer. Replication Monitor can be used to perform
the following activities:

• View the replication topology or replication information in a highly useful
graphical format.
• Determine whether domain controllers are replicating Active Directory
information correctly.
• Determine the status of Active Directory replication
• Manually force replication between domain controllers

The information displayed in the main Replication Monitor window is listed below:

• Naming contexts: All the naming contexts that a server contains are displayed
here.
• Replication partners: Each naming context shows the inbound replication partners
for that particular naming context.
• Server icons: Server icons enable you to determine information at a glance.
• Log entries: The replication log entries for the connection are displayed in the
right pane.

Once you have specified a domain controller for monitoring, you can set view options to
suit your needs. To specify view options, open Replication Monitor, and select Options
from the View menu. The options that can be selected on the General tab are:

• Show Retired Replication Partners
• Show Transitive Replication Partners and Extended Data
• Notify When Replication Fails After This Number Of Attempts
• Log Files: Settings under Log Files are used to change the default location for the
log files.
• Enable Debug Logging: This setting relates to debugging Replmon.

The Replmon replica synchronization options that can be selected are listed below. These
options can be configured by right-clicking a monitored server object, and then selecting
Synchronize Each Directory Partition with All Servers. The synchronization options that
you can select are:
• Disable Transitive Replication: This option can be selected if you want to
troubleshoot a failed replication process to a particular domain controller, and you
want to manually start the replication process.
• Push Mode: When enabled, push mode is enabled for replication and the DRA is
no longer enabled to pull updates.
• Cross Site Boundaries: When enabled, you can start intersite replication for RPC
connections only.

How to start Replication Monitor

Remember that you first have to install Replication Monitor.

1. Click Start, Windows Support Tools, Command Prompt and enter replmon.exe.
2. When the Replication Monitor opens, in the console tree, right-click Monitored
Servers and select Add Monitored Server from the shortcut menu.
3. The Add Monitored Server Wizard now starts.
4. Select the Add The Server Explicitly By Name option. Click Next.
5. In the Add Server To Monitor page, use the Enter The Name Of The Server To
Monitor Explicitly box to specify the name of the server that should be monitored.
6. Click Finish.
7. The server that you specified for monitoring is now displayed in the console tree.

How to synchronize an Active Directory directory partition

Domain controllers that are indicated for a directory partition are regarded as source
servers. Source servers can be a Direct Replication Partner, a Transitive Replication
Partner or a Bridge Head Connection.
To synchronize the directory partition,

1. Open Replication Monitor.
2. Right-click the direct replication partner and then choose Synchronize Replica
from the shortcut menu.
3. Replication Monitor now starts the replication process and reports on the status of
replication as well.

How to use the Replication Diagnostics Tool to monitor/troubleshoot Active Directory replication

The Replication Diagnostics Tool (Repadmin) is a command-line interface that can be
quite useful when troubleshooting Active Directory replication. Through Repadmin, you
can perform the following:

• View the replication topology
• View replication metadata
• Determine the status/validity of Active Directory information on each domain
controller
• Force replication between domain controllers
• Manually create the replication topology

The online help shows the syntax for the options and switches of Repadmin. Run repadmin /?
for online help. If you want to determine the status of the KCC for replication, run
repadmin /kcc. If you want to determine the result of the last replication attempt with each
partner, run repadmin /showreps. If you are running Windows Server 2003, Repadmin offers
a few additional functions. To view these, run repadmin /experthelp.
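The repadmin /showreps report is plain text, so on a domain controller with several naming contexts and partners the failed links are easy to miss. The following added example, which is not part of the original article, parses that report into a table of inbound partners per naming context and flags those whose last attempt failed, with the Win32 result code and consecutive failure count. A constructed sample of the report is embedded so the parser can be exercised offline; set `$useSample` to `$false` to run repadmin on a real domain controller. The sample's server names, GUIDs and timestamps are invented.

```powershell
# Added example: turn "repadmin /showreps" output into a partner status table.
$useSample = $true
$sample = @'
Default-First-Site-Name\DC1
DSA Options: IS_GC

==== INBOUND NEIGHBORS ======================================

DC=corp,DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 11111111-2222-3333-4444-555555555555
        Last attempt @ 2005-03-07 10:21:01 was successful.

CN=Configuration,DC=corp,DC=example,DC=com
    Branch-Site\DC3 via RPC
        DSA object GUID: 66666666-7777-8888-9999-000000000000
        Last attempt @ 2005-03-07 10:21:01 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        23 consecutive failure(s).
        Last success @ 2005-03-06 09:00:00.
'@

# Constructed sample above; on a real DC the same parser reads repadmin directly.
$lines = if ($useSample) { $sample -split "`r?`n" } else { & repadmin /showreps }

$results   = @()
$context   = $null   # naming context currently being listed
$partner   = $null   # "Site\Server" of the inbound partner
$transport = $null   # RPC or SMTP
foreach ($line in $lines) {
    switch -regex ($line) {
        '^(DC=|CN=)'                 { $context = $line.Trim() }
        '^\s+(\S+) via (\w+)\s*$'    { $partner = $matches[1]; $transport = $matches[2] }
        '^\s+Last attempt @ (.+?) was successful' {
            $results += New-Object PSObject -Property @{
                Context = $context; Partner = $partner; Transport = $transport
                LastAttempt = $matches[1]; Status = 'OK'; Result = 0; Failures = 0 }
        }
        '^\s+Last attempt @ (.+?) failed, result (\d+)' {
            $results += New-Object PSObject -Property @{
                Context = $context; Partner = $partner; Transport = $transport
                LastAttempt = $matches[1]; Status = 'FAILED'
                Result = [int]$matches[2]; Failures = 0 }
        }
        # The failure count line follows the failed attempt it belongs to.
        '^\s+(\d+) consecutive failure' { $results[-1].Failures = [int]$matches[1] }
    }
}

$failed = @($results | Where-Object { $_.Status -eq 'FAILED' })
$results | Format-Table Context, Partner, Transport, Status, Result, Failures, LastAttempt -AutoSize
"$($results.Count) inbound partner link(s), $($failed.Count) failing"
```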

How to configure Active Directory event logging

You can also configure Active Directory event logging. A few key events that can be
specified for event logging are listed below:

• Directory access
• Internal configuration
• Internal processing
• Intersite messaging
• KCC
• MAPI events
• Replication events
• Security events

You can set one of the following logging levels for an event:

• 0 – None, 1 – Minimal, 2 – Basic, 3 – Extensive, 4 – Verbose, 5 – Internal

How to enable Active Directory event logging

1. Click Start, Run and enter regedit in the Run dialog box. Click OK.
2. This opens the Registry Editor.
3. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
registry key.
4. The entries that are displayed in the right pane are the types of events that can be
logged. The default logging level for each entry is 0 – None.
5. Open the entry for each type of event that you want to log by double-clicking it.
6. In the Value data box of each entry, enter the logging level.
7. Click OK.
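The same change can be made and verified from PowerShell. This added example, not code from the original article, sets one category under the NTDS\Diagnostics key to a level in the 0 – 5 range described above and then lists every category with its current level and meaning. The category is selected by a substring of the registry value name (default 'Replication'), so the exact numbered value name need not be typed; the script refuses to act if the substring matches more or fewer than one value.

```powershell
# Added example: change one NTDS diagnostic logging level and show all levels.
# Run elevated on the domain controller whose Directory Service logging you are
# troubleshooting. Levels 4 and 5 produce very large log volumes; set the
# category back to 0 when you are done.
param(
    [string]$Category = 'Replication',     # substring of the value name to change
    [ValidateRange(0, 5)][int]$Level = 3   # 0 None .. 3 Extensive .. 5 Internal
)

$key        = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$levelNames = @('None', 'Minimal', 'Basic', 'Extensive', 'Verbose', 'Internal')

function Get-NtdsDiagnosticLevels {
    # Every value under the key is one event category holding a DWORD level.
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [int]$item.GetValue($name)
        $meaning = if ($value -ge 0 -and $value -le 5) { $levelNames[$value] } else { 'out of range' }
        New-Object PSObject -Property @{ Category = $name; Level = $value; Meaning = $meaning }
    }
}

$targets = @(Get-NtdsDiagnosticLevels | Where-Object { $_.Category -like "*$Category*" })
if ($targets.Count -ne 1) {
    $names = ($targets | ForEach-Object { $_.Category }) -join ', '
    throw "Expected exactly one category matching '$Category', found $($targets.Count): $names"
}
$target = $targets[0]
"Changing '$($target.Category)' from $($target.Level) ($($target.Meaning)) to $Level ($($levelNames[$Level]))"
Set-ItemProperty -Path $key -Name $target.Category -Value $Level -Type DWord

# Re-read the key so the table reflects what is actually stored.
Get-NtdsDiagnosticLevels | Sort-Object Category | Format-Table Category, Level, Meaning -AutoSize
```

New events appear in the Directory Service log in Event Viewer shortly after the change; no restart of the domain controller is required.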
How to use Dsastat.exe to monitor/troubleshoot Active Directory replication

You can use Dsastat.exe to compare the attributes of replicated objects and to determine
differences between directory partitions hosted by domain controllers. Dsastat.exe uses
statistics such as objects per server and megabytes per server to determine the
differences in Active Directory information between domain controllers.

The syntax for Dsastat is:

dsastat [/loglevel:option] [/output:option] [/s:servername[portnumber]
[;servername[portnumber];…]] [/t:option] [/sort:option] [/p:entrynumber] [/scope:option]
[/b:searchpath] [/filter:ldapfilter] [/gcattrs:option[;option;...]] [/u:username]
[/pwd:password] [/d:domain]

• /loglevel:option, indicates the type of logging. A value of Info, Trace or Debug
can be specified.
• /output:option, indicates how results will be displayed. A value of Screen, File or
both of these can be specified.
• /s:servername[portnumber][;servername[portnumber];…], defines the server
names that are to be included in the comparison by Dsastat.exe.
• /t:option, sets whether a statistics comparison or a full-content comparison
should be performed. Values that can be set are True for statistics comparison,
and False for full-content comparison.
• /sort:option, sets whether sorted queries should be performed. Values are True
for sorted queries to be performed, and False for specifying that sorted queries
should not be performed.
• /p:pagesize, specifies the number of entries that should be returned on a
page. The default value is 64; you can specify any value from 1 – 999.
• /scope:option, sets what the search should include. Values that can be set
are Base, Onelevel, Sub-tree.
• /b:searchpath, specifies the distinguished name of the base search path.
• /filter:ldapfilter, specifies the LDAP filter that should be used.
• /gcattrs:option[;option;...], indicates which attributes should be returned.
Values that can be set are all, LDAPattributes, ObjectClass, auto.
• /u:username, sets the username that should be used for the search.
• /pwd:password, the password associated with the above username.
• /d:domain, the domain that should be used to validate the username/password.
