Active Directory Replication Tools and Settings

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

In this section

  • Active Directory Replication Tools

  • Active Directory Replication Registry Entries

  • Active Directory Replication Group Policy Settings

  • Active Directory Replication WMI Classes

  • Network Ports Used by Active Directory Replication

  • Related Information

Active Directory Replication Tools

The following tools are associated with Active Directory replication.

Note

In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and later, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information also applies to AD DS.

Dssite.msc: Active Directory Sites and Services

Category

Active Directory Administrative Tools Microsoft Management Console (MMC) snap-in. This tool is installed automatically when you install Active Directory, and is available on the Start menu under Programs\Administrative Tools. This tool also ships with the Administration Tools Pack (Adminpak.msi).

Version compatibility

Active Directory Sites and Services provides a view into the Sites container of the configuration directory partition. Use Active Directory Sites and Services to manage Active Directory replication topology. The following objects and their properties can be managed by using this tool:

  • Sites container: Add new sites.

  • Site objects: Add new servers to a site.

  • NTDS Site Settings object: For each site, view the connection object schedule and enable Universal group membership caching.

  • Server object: View the NTDS Settings object and designate the server as a bridgehead server.

  • NTDS Settings object: View inbound connections for the server. View the connection object schedule and change the source server for the connection.

  • Inter-Site Transports container: Manage IP and SMTP site links.

  • Site link objects: Manage the site link properties for a set of sites.

  • Subnets container: Add, remove, and configure subnets with IP addresses. Associate subnets with sites.

Repadmin.exe: Repadmin

Category

Command-line tool.

Version compatibility

Repadmin is used to view the replication information on domain controllers. You can determine the last successful replication of all directory partitions, identify inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and generally manage Active Directory replication topology. You can use Repadmin to force replication of an entire directory partition or of a single object. You can also list domain controllers in a site.

Repadmin can also target a set of domain controllers with a single command, for example all domain controllers in a site or domain, or all domain controllers that are global catalog servers.

Repadmin also includes the RemoveLingeringObjects command, which removes objects that are outdated, that is, objects that no longer exist in the replica of the same directory partition on the source domain controller. The command can be run in advisory mode, which only logs the objects that would be removed; run it that way first and review the log before removing anything.

For more information about removing lingering objects, see "Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)" in the Windows Server 2003 Operations Guide at https://go.microsoft.com/fwlink/?LinkId=44131. For more information about Repadmin, see Repadmin Overview.
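The following PowerShell is an added example, not code from the original page or from Microsoft: it wraps the Repadmin workflow described above. It reads the replication status of every domain controller from repadmin /showrepl * /csv, flags inbound partners that report failures or whose last successful replication is older than a threshold (partners that approach the tombstone lifetime are the ones that can introduce lingering objects), and runs RemoveLingeringObjects in advisory mode against a suspect domain controller. The function names, the $DaysThreshold value, and the use of the ActiveDirectory module to look up the source server's NTDS Settings GUID are this example's own choices.

```powershell
# Added example (not from the original page): audit inbound replication partners
# with Repadmin and scan a suspect domain controller for lingering objects in
# advisory mode. Assumes the ActiveDirectory module (RSAT) and Repadmin.exe are
# available and that the caller is a Domain Admin.
Import-Module ActiveDirectory

function Get-StaleReplicationPartner {
    # Flags (destination, partition, source) triples that report failures or
    # whose last success is older than $DaysThreshold. The threshold is an
    # assumption; the hard limit is the forest's tombstone lifetime (60 or 180 days).
    param([int]$DaysThreshold = 30)

    # /csv emits one row per destination DC, naming context and source DC.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)
        $lastSuccess = $null
        try { $lastSuccess = [datetime]$row.'Last Success Time' } catch { }
        $stale = (-not $lastSuccess) -or (((Get-Date) - $lastSuccess).TotalDays -gt $DaysThreshold)
        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Failures      = $failures
                LastSuccess   = $lastSuccess
                LastStatus    = $row.'Last Failure Status'
            }
        }
    }
}

function Invoke-LingeringObjectScan {
    param(
        [Parameter(Mandatory)][string]$DestinationDc,  # DC suspected of holding lingering objects
        [Parameter(Mandatory)][string]$SourceDc,       # partner whose replica is treated as authoritative
        [Parameter(Mandatory)][string]$NamingContext,  # e.g. 'DC=corp,DC=example,DC=com'
        [switch]$Remove                                # omit to stay in advisory (log-only) mode
    )
    # RemoveLingeringObjects identifies the source by the objectGUID of its
    # NTDS Settings object rather than by host name.
    $ntdsDn     = (Get-ADDomainController -Identity $SourceDc).NTDSSettingsObjectDN
    $sourceGuid = (Get-ADObject -Identity $ntdsDn -Properties objectGUID).objectGUID
    $repArgs = @('/removelingeringobjects', $DestinationDc, "$sourceGuid", $NamingContext)
    if (-not $Remove) { $repArgs += '/advisory_mode' }
    & repadmin @repArgs
    # The lingering-object events this page refers to (1388, 1988, 2042) land in
    # the destination DC's Directory Service log; surface the most recent ones.
    Get-WinEvent -ComputerName $DestinationDc -MaxEvents 20 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 1388, 1988, 2042 }
}

# Usage:
# Get-StaleReplicationPartner | Format-Table -AutoSize
# Invoke-LingeringObjectScan -DestinationDc DC02 -SourceDc DC01 -NamingContext 'DC=corp,DC=example,DC=com'
# Invoke-LingeringObjectScan ... -Remove   # only after reviewing the advisory-mode log
```

Repadmin reports replication state as seen by each destination domain controller, so a partner that appears healthy from one side can still be stale from another; run the audit from a machine that can reach every domain controller, or against an explicit list instead of *.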

Ntdsutil.exe: Ntdsutil

Category

Command-line tool.

Version compatibility

Ntdsutil.exe provides management capabilities for Active Directory. You can use Ntdsutil.exe to perform Active Directory database maintenance, manage and control single-master operations, and remove replication metadata left behind by domain controllers that are removed from the network without uninstalling Active Directory. The version of Ntdsutil that is included with Windows Server 2003 SP1 removes File Replication service (FRS) metadata in addition to Active Directory replication metadata. You can also use Ntdsutil to create application directory partitions and perform authoritative restore operations. This tool is intended for use by experienced administrators.

Active Directory Replication Registry Entries

The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

The following registry settings cannot be modified by using Group Policy or other Windows tools.

NTDS Parameters Registry Settings

The following registry entries are associated with Active Directory replication.

Replicator notify pause after modify (secs)

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Version

Windows 2000 Server.

Default value

Windows 2000 Server: 300 seconds.

The delay, in seconds, between an originating update on a domain controller and the first change notification that it sends to a replication partner. On domain controllers running Windows Server 2003 or later, the initial notification delay is stored in the msDS-Replication-Notify-First-DSA-Delay attribute of the cross-reference object for each directory partition (under CN=Partitions in the Configuration container) instead of in the registry. The default in Windows Server 2003 and later is reduced to 15 seconds when the forest functional level is Windows Server 2003 or higher.

Replicator notify pause between DSAs (secs)

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Version

Windows 2000 Server.

Default value

Windows 2000 Server: 30 seconds

The delay, in seconds, before each subsequent change notification is sent to the next replication partner. On domain controllers running Windows Server 2003 or later, the subsequent notification delay is stored in the msDS-Replication-Notify-Subsequent-DSA-Delay attribute of the cross-reference object for each directory partition in the Configuration container. The default in Windows Server 2003 and later is reduced to 3 seconds when the forest functional level is Windows Server 2003 or higher.
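As an added example (not part of the original page), the following PowerShell reports the effective notification delays for each directory partition by reading the cross-reference attributes named above, and separately reads the legacy registry values so that leftovers from a Windows 2000 Server era can be spotted. The function names are this example's own; the rule that an unset attribute means the built-in default applies, chosen by forest functional level, is the page's own description of the defaults.

```powershell
# Added example (not from the original page): show where each partition's
# change-notification delay comes from. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ReplicationNotifyDelay {
    # On Windows Server 2003 and later the delays live on the crossRef objects
    # under CN=Partitions. An unset attribute means the built-in default is used:
    # 15 s / 3 s at Windows Server 2003 forest functional level or higher,
    # otherwise the Windows 2000 values of 300 s / 30 s.
    $rootDse    = Get-ADRootDSE
    $forestMode = "$((Get-ADForest).ForestMode)"
    $newDefaults = @('Windows2000Forest', 'Windows2003InterimForest') -notcontains $forestMode

    $partitions = Get-ADObject -SearchBase "CN=Partitions,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=crossRef)' `
        -Properties nCName, 'msDS-Replication-Notify-First-DSA-Delay', 'msDS-Replication-Notify-Subsequent-DSA-Delay'

    foreach ($p in $partitions) {
        $first      = $p.'msDS-Replication-Notify-First-DSA-Delay'
        $subsequent = $p.'msDS-Replication-Notify-Subsequent-DSA-Delay'
        $firstEffective      = if ($null -ne $first)      { $first }      elseif ($newDefaults) { 15 } else { 300 }
        $subsequentEffective = if ($null -ne $subsequent) { $subsequent } elseif ($newDefaults) { 3 }  else { 30 }
        [pscustomobject]@{
            Partition          = $p.nCName
            FirstDelaySec      = $firstEffective
            SubsequentDelaySec = $subsequentEffective
            ExplicitlySet      = ($null -ne $first) -or ($null -ne $subsequent)
        }
    }
}

function Get-LegacyNotifyRegistryValue {
    # Windows 2000 Server read these delays from the registry. On later versions
    # the crossRef attributes are the supported place to set them, so a value
    # here is worth noting during a review.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $props = Get-ItemProperty -Path $key
    [pscustomobject]@{
        NotifyPauseAfterModify = $props.'Replicator notify pause after modify (secs)'
        NotifyPauseBetweenDSAs = $props.'Replicator notify pause between DSAs (secs)'
    }
}

# Usage:
# Get-ReplicationNotifyDelay | Format-Table -AutoSize
# Get-LegacyNotifyRegistryValue
```

Lowering these delays below the defaults increases notification traffic on every originating write; if a partition shows ExplicitlySet with values well below 15 and 3 seconds, confirm that the change was intentional.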

RPC Replication Timeout (mins)

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

Windows 2000 Server: 45 minutes; Windows Server 2003 and higher server operating systems: 5 minutes.

The number of minutes that an RPC replication call is allowed to run before the RPC times out. The domain controller must be restarted before the change takes effect.

Strict replication consistency

Registry path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server with SP3.

Default value

Windows 2000 Server with SP3: off (0); Windows Server 2003 and higher server operating systems: on (1)

Determines how a domain controller treats inbound replication of outdated objects (lingering objects) from a partner that has not replicated in longer than a tombstone lifetime. If the destination domain controller has strict replication consistency enabled, inbound replication from that source is blocked for the affected partition until the lingering objects are removed. If strict replication consistency is disabled, the outdated object is replicated in full and is reintroduced into the directory, from where it can replicate to other domain controllers. Domain controllers upgraded from Windows 2000 Server keep the value they already had rather than receiving the newer default, so verify the value on each domain controller instead of assuming it.
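The following PowerShell is an added example, not code from the original page: it audits every domain controller in the domain for the Strict Replication Consistency value described above and, for any that are not set to 1, enables it with repadmin /regkey. The function names are this example's own; reading the value through Invoke-Command assumes PowerShell remoting is enabled on the domain controllers.

```powershell
# Added example (not from the original page): verify and enforce strict
# replication consistency across the domain. Requires the ActiveDirectory
# module, PowerShell remoting to the DCs, and Repadmin.exe.
Import-Module ActiveDirectory

function Get-StrictReplicationConsistency {
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        $value = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
            (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                -Name 'Strict Replication Consistency' -ErrorAction SilentlyContinue
            ).'Strict Replication Consistency'
        }
        [pscustomobject]@{
            DomainController = $dc
            Strict           = $value          # $null = value not present, 0 = loose, 1 = strict
            Compliant        = ($value -eq 1)  # treat "not present" as non-compliant
        }
    }
}

function Enable-StrictReplicationConsistency {
    param([Parameter(Mandatory)][string[]]$DomainController)
    foreach ($dc in $DomainController) {
        # repadmin /regkey writes the NTDS registry value on the remote DC;
        # "+strict" sets Strict Replication Consistency to 1.
        repadmin /regkey $dc +strict
    }
}

# Usage:
# $audit = Get-StrictReplicationConsistency
# $audit | Format-Table -AutoSize
# Enable-StrictReplicationConsistency -DomainController ($audit | Where-Object { -not $_.Compliant }).DomainController
```

A domain controller that reports $null is the interesting case: on a forest that was upgraded from Windows 2000 Server, an absent value leaves the domain controller in loose consistency, so it should be set explicitly rather than left to the default.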

Replicator intra site packet size (objects)

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.

The maximum number of objects per packet for RPC replication within a site.

Replicator intra site packet size (bytes)

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

1/100th the size of RAM, with a minimum of 1 megabyte (MB) and a maximum of 10 MB.

The maximum size of objects per packet for RPC replication within a site.

Replicator inter site packet size (objects)

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.

The maximum number of objects per packet for RPC replication between sites.

Replicator inter site packet size (bytes)

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

1/100th the size of RAM, with a minimum of 1 MB and a maximum of 10 MB.

The maximum size of objects per packet for RPC replication between sites.

Replicator async inter site packet size (objects)

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.

Default value

1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.

The maximum number of objects per packet for SMTP replication between sites.

Replicator async inter site packet size (bytes)

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

1 MB.

The maximum size of objects per packet for SMTP replication between sites.

Replicator compression algorithm

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003.

Default value

3 (the Windows Server 2003 compression algorithm). To use the Windows 2000 Server compression algorithm, change the value to 2.

Determines the compression algorithm that is used for intersite replication over site links on which compression is enabled.

Repl topology update delay (secs)

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

300 seconds.

Number of seconds to wait between the time Active Directory starts and the KCC performs the first topology check.

To find more information about Repl topology update delay (secs), see “Registry Reference” in Tools and Settings Collection.

Repl topology update period (secs)

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.

Default value

900 seconds.

Interval between KCC replication topology checks.

To find more information about Repl topology update period (secs), see “Registry Reference” in Tools and Settings Collection.

IntersiteFailuresAllowed

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

1.

Number of failed replication attempts prior to excluding nonresponding servers from the intersite topology.

MaxFailureTimeForIntersiteLink (sec)

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

7200 seconds (2 hours).

Time in seconds that must elapse prior to excluding nonresponding servers from the intersite topology.

NonCriticalLinkFailuresAllowed

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

1.

Number of failed replication attempts prior to excluding nonresponding servers from the intrasite topology.

MaxFailureTimeForNonCriticalLink (sec)

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.

Default value

43200 seconds (12 hours).

Time in seconds that must elapse prior to excluding nonresponding servers from the intrasite topology.

CriticalLinkFailuresAllowed

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

0.

Number of failed replication attempts prior to excluding nonresponding servers for immediate neighbor connections within a site.

MaxFailureTimeForCriticalLink (sec)

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

7200 seconds (2 hours).

Time in seconds that must elapse prior to excluding nonresponding servers for immediate neighbor connections within a site.

TCP/IP Port

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value

Not set. The directory service listens on a port that is assigned dynamically from the RPC ephemeral range.

When set, the fixed TCP port on which the directory service's RPC interface listens, used instead of a dynamically assigned port. Setting a fixed port does not remove the dependency on the RPC endpoint mapper: replication partners still contact port 135 to discover the port, so firewall rules must allow port 135 as well as the fixed port. The domain controller must be restarted before the change takes effect.

Backup Latency Threshold (days)

Registry path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version

Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 with SP1.

Default value

Half the value of the tombstone lifetime of the forest.

When the value is reached, logs event ID 2089 in the Directory Service event log, warning administrators and monitoring applications to make sure that domain controllers are backed up before the tombstone lifetime expires.

Active Directory Replication Group Policy Settings

The following table lists and describes the Group Policy settings that are associated with Active Directory replication updates.

Group Policy Settings Associated with Active Directory Replication

Account Lockout Policy:

  • Account lockout duration

  • Account lockout threshold

  • Reset account lockout counter after

Changes to these settings in the Domain Security Policy trigger urgent replication.

Password Policy:

  • Enforce password history

  • Maximum password age

  • Minimum password age

  • Minimum password length

  • Password must meet complexity requirements

  • Store passwords using reversible encryption

Changes to these settings in the Domain Security Policy trigger urgent replication.

Contact PDC on logon failure

Account lockouts and domain password changes are forwarded urgently to the primary domain controller (PDC) emulator so that it always holds the latest value. If Contact PDC on logon failure is disabled, password changes are no longer forwarded immediately and reach the PDC emulator through normal, non-urgent replication, and a logon that fails at another domain controller is no longer retried against the PDC emulator.

To find more information about these Group Policy settings, see “Group Policy Settings Reference” in Tools and Settings Collection.

Active Directory Replication WMI Classes

The following table lists and describes the WMI classes that are associated with Active Directory replication. These classes are shipped with Windows Server 2003 or later server operating systems, but are also compatible with Windows 2000 Server.

WMI Classes Associated with Active Directory Replication

All of the following classes are in the \\root\MicrosoftActiveDirectory namespace and are compatible with Windows 2000 Server, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2.

  • MSAD_DomainController

  • MSAD_NamingContext

  • MSAD_ReplNeighbor

  • MSAD_ReplCursor

  • MSAD_ReplPendingOp

For more information about these WMI classes, see the WMI SDK documentation on MSDN.
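As an added example (not code from the original page), the following PowerShell queries the MSAD_ReplNeighbor class on a domain controller and reports each inbound partner with its consecutive failure count and last successful sync, converting the DMTF datetime strings that WMI returns into .NET DateTime values. The function name, the $MaxAgeHours threshold, and the interpretation of LastSyncResult as a Win32 error code are this example's own.

```powershell
# Added example (not from the original page): inbound replication health from
# the MSAD_ReplNeighbor WMI class in \\root\MicrosoftActiveDirectory.
function Get-ReplNeighborHealth {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,  # destination DC to query
        [int]$MaxAgeHours = 24                      # assumed threshold for "too old"
    )
    $neighbors = Get-WmiObject -Namespace 'root\MicrosoftActiveDirectory' `
        -Class MSAD_ReplNeighbor -ComputerName $ComputerName

    foreach ($n in $neighbors) {
        # WMI returns DMTF datetimes (yyyymmddHHMMSS.ffffff+zzz); convert to DateTime.
        $lastSuccess = $null
        if ($n.TimeOfLastSyncSuccess) {
            $lastSuccess = [System.Management.ManagementDateTimeConverter]::ToDateTime($n.TimeOfLastSyncSuccess)
        }
        $ageHours = if ($lastSuccess) { ((Get-Date) - $lastSuccess).TotalHours } else { [double]::PositiveInfinity }
        [pscustomobject]@{
            Destination         = $ComputerName
            Partition           = $n.NamingContextDN
            Source              = $n.SourceDsaCN
            SourceSite          = $n.SourceDsaSite
            ConsecutiveFailures = $n.NumConsecutiveSyncFailures
            LastResult          = $n.LastSyncResult   # Win32 error; 0 = success, 8606 = lingering object under strict consistency
            LastSuccess         = $lastSuccess
            Unhealthy           = ($n.NumConsecutiveSyncFailures -gt 0) -or ($ageHours -gt $MaxAgeHours)
        }
    }
}

# Usage:
# Get-ReplNeighborHealth -ComputerName DC01 | Where-Object Unhealthy | Format-Table -AutoSize
```

Because the class is queried per destination domain controller, loop it over the output of Get-ADDomainController -Filter * to get a forest-wide view; a LastResult of 8606 on an otherwise reachable partner is the signature of strict replication consistency doing its job and should be followed by a lingering object scan rather than by disabling strict consistency.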

Network Ports Used by Active Directory Replication

By default, RPC-based replication uses dynamic port mapping. When a domain controller initiates replication, the RPC run time on that client contacts the RPC endpoint mapper on the partner server at its well-known port (TCP port 135) and asks which port the directory service's replication interface is listening on. This lookup happens whether the replication port is dynamic (the default) or fixed with the TCP/IP Port registry value, so the client never needs to be preconfigured with the replication port; it only needs to reach port 135 and whatever port the endpoint mapper returns.

Note

  • An endpoint comprises the protocol, local address, and port address.

In addition to the endpoint mapper on port 135 and the RPC port that it returns, the ports that are required for replication are listed in the following table. When the replication port is left dynamic, it is assigned from the ephemeral range: TCP 1025 through 5000 on Windows 2000 Server and Windows Server 2003, and TCP 49152 through 65535 on Windows Server 2008 and later.

Port Assignments for Active Directory Replication

Service name             UDP    TCP
LDAP                     389    389
LDAP                            636 (Secure Sockets Layer [SSL])
LDAP                            3268 (global catalog)
Kerberos                 88     88
DNS                      53     53
SMB over IP              445    445

Replication of the SYSVOL share within a domain also requires the File Replication service (FRS), or DFS Replication where SYSVOL has been migrated to it on Windows Server 2008 and later; both use a dynamic RPC port discovered through the endpoint mapper in the same way.
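The following PowerShell is an added example, not code from the original page: it checks that the fixed ports in the table above are reachable on a domain controller and reports whether that domain controller uses a fixed replication port (the TCP/IP Port registry value) or the dynamic range it will hand out through the endpoint mapper. The function names and the port list are taken from the table; Test-NetConnection only exercises TCP, so the UDP entries are not verified by it, and reading the remote registry assumes PowerShell remoting is enabled.

```powershell
# Added example (not from the original page): reachability of the fixed
# replication ports and the DC's RPC port configuration. Test-NetConnection
# needs Windows 8.1 / Windows Server 2012 R2 or later on the machine running it.
function Test-DcReplicationPorts {
    param([Parameter(Mandatory)][string]$DomainController)
    # TCP ports from the page's table plus the endpoint mapper (135).
    $tcpPorts = [ordered]@{
        'RPC endpoint mapper'   = 135
        'LDAP'                  = 389
        'LDAP over SSL'         = 636
        'Global catalog (LDAP)' = 3268
        'Kerberos'              = 88
        'DNS'                   = 53
        'SMB over IP'           = 445
    }
    foreach ($entry in $tcpPorts.GetEnumerator()) {
        $r = Test-NetConnection -ComputerName $DomainController -Port $entry.Value -WarningAction SilentlyContinue
        [pscustomobject]@{ Service = $entry.Key; Port = $entry.Value; TcpOpen = $r.TcpTestSucceeded }
    }
}

function Get-DcRpcPortConfiguration {
    # A fixed replication port is set via "TCP/IP Port" under NTDS\Parameters;
    # otherwise the listener takes a port from the dynamic range shown by netsh,
    # and partners learn it from the endpoint mapper on 135 either way.
    param([string]$ComputerName = $env:COMPUTERNAME)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $fixed = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                    -Name 'TCP/IP Port' -ErrorAction SilentlyContinue).'TCP/IP Port'
        [pscustomobject]@{
            ComputerName         = $env:COMPUTERNAME
            FixedReplicationPort = $fixed                      # $null = dynamic (default)
            DynamicPortRange     = (netsh int ipv4 show dynamicport tcp) -join ' '
        }
    }
}

# Usage:
# Test-DcReplicationPorts -DomainController DC01 | Format-Table -AutoSize
# Get-DcRpcPortConfiguration -ComputerName DC01
```

When a firewall sits between sites, the check worth adding to the port list is the fixed replication port reported by Get-DcRpcPortConfiguration, or the whole dynamic range if no fixed port is set; a rule set that opens only the ports in the table will pass the endpoint mapper lookup and then fail on the port it returns.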

Related Information

The following resources contain additional information that is relevant to this section.