Sites Container Hierarchy in Active Directory

On This Page

Active Directory Sites and Services Overview
Replication of information
Replication goals and strategies
Replication options
Planning replication between sites
Managing site links
Site link bridges
Replication period
Change notification
Urgent replication
Forced replication between two servers
Changing the default replication time for the Active Directory Connector

Active Directory Sites and Services Overview

Active Directory Sites and Services is the administrative tool that authorized administrators use to view and manage the hierarchy of objects that are used by the KCC to effect the replication topology. The hierarchy is displayed as the contents of the Sites container, which is a child of the Configuration container. The distinguished name of the Sites container is cn=Sites,cn=Configuration,dc=<ForestRootDomain>. The Configuration container is the topmost object in the configuration directory partition and the Sites container is the topmost object in the hierarchy of objects that are used to manage and implement Active Directory replication. The Sites container hierarchy contains the following objects:

  • The Sites container, which contains an object for each site in the forest. In addition to site objects, Sites also contains the Subnets container, which contains subnet definitions in the form of subnet objects. Each subnet object has a siteObject attribute that links it to a site object.

  • Site objects, each of which contains two child objects:

    • The NTDS Site Settings object, which stores directory properties common to all domain controllers in the site, including the schedule for replication within the site.

    • The Servers container, which stores a server object for each domain controller in the site.

  • Server objects, each of which contains an NTDS Settings object.

  • NTDS Settings object, which represents an instantiation of Active Directory on that server. (When Active Directory is removed from a server, its NTDS Settings object is deleted from Active Directory, but its server object remains.) For a specific server object, the NTDS Settings object contains the individual connection objects that represent the inbound connections from other domain controllers in the forest that are currently available to send changes to this domain controller.

  • Connection objects, each of which represents a unidirectional replication agreement between two specific domain controllers, where the destination domain controller is the server object that is the parent object of the NTDS Settings object that stores the connection. Connection objects are created automatically by the KCC; they can also be created manually.

The figure below shows the expanded Sites container. The NTDS Settings object for one server is selected, and the related connection objects are displayed in the details pane. The From Server column displays the name of the domain controllers from which the selected domain controller receives replication (the names of its current replication partners).

[Figure: the expanded Sites container, with one server's NTDS Settings object selected and its connection objects listed in the details pane]

Active Directory Sites and Services can only be used from a computer that has access to a Windows 2000 domain. Active Directory Sites and Services is installed on all Windows 2000 domain controllers. To use Active Directory Sites and Services on a computer that is not a domain controller, such as one running Windows 2000 Professional, install the Windows 2000 Administration Tools.

Replication of information

Replication provides information availability, fault tolerance, load balancing, and performance benefits for the directory. Active Directory uses multimaster replication, enabling authorized administrators to update the directory at any domain controller, rather than at a single, primary domain controller. The multimaster model has the benefit of greater fault tolerance, since, with multiple domain controllers, replication continues, even if any single domain controller stops working.

Although users may not realize it, due to multimaster replication, they are updating a single copy of the directory. After directory information has been created or modified at a domain controller, the new or changed information is sent to all other domain controllers in the domain, so their directory information is current.

Domain controllers need the latest directory information, but to be efficient, they must limit their updates only to times when there is new or changed directory information. Indiscriminately exchanging directory information among domain controllers can quickly overwhelm any network. Active Directory has been designed to replicate only changed directory information.

With multimaster replication, there is always the potential for the exact same directory change to occur at more than one domain controller. Active Directory has also been designed to track and mediate conflicting changes to the directory, resolving conflicts automatically in nearly all cases.

Deploying multiple domain controllers in one domain provides fault tolerance and load balancing. If one domain controller within a domain slows, stops, or fails, other domain controllers within the same domain can provide necessary directory access, since they contain the same directory data.

Replication goals and strategies

Users and services should be able to access directory information at any time from any computer in the forest. To make this possible, additions, modifications, and deletions of directory data must be relayed to other domain controllers.

For example, if an account's password is changed in an organization's Seattle office, the new password must be valid when the user logs on with the same account at the Sydney office. This is made possible by replicating the directory changes to other domain controllers, including that in the Sydney office.

Directory information must be widely distributed, but this must be balanced with the need to optimize network performance. If directory updates are constantly distributed to all other domain controllers in the domain, they will consume network resources. Although authorized administrators can manually add or configure connections or force replication over a particular connection, replication should normally be automatically optimized by the Active Directory knowledge consistency checker based on information provided to Active Directory Sites and Services about the deployment.

Windows 2000 uses sites and replication change control to optimize replication:

  • By occasionally re-evaluating which connections are used, Active Directory uses the most efficient network connections.

  • Active Directory uses multiple routes to replicate changes, providing fault tolerance.

  • Replication costs are minimized by only replicating changed information.

Replication between sites

Network connections are represented by site links. By creating site links and configuring their replication availability, cost, and replication frequency, authorized administrators provide the Active Directory knowledge consistency checker with information about what Connection objects to create to replicate directory data. Active Directory uses site links as indicators for where it should create Connection objects, and Connection objects use the actual network connections to exchange directory information. Without site links, Connection objects that use network connections to connect sites will not be created, and domain controllers will be isolated within their sites: unable to send or receive directory updates to or from other domain controllers outside of their own site. To avoid this, create site links to connect multiple sites.

When authorized administrators create a site, they may want to create more links to enable specific connections between sites and customize existing site links connecting the sites. Overlapping site links can be linked together into site link bridges, or all site links can be bridged, maximizing available site link connectivity. Such a site link configuration maximizes replication of directory information.

Creating site link bridges or bridging all site links maximizes replication, but errors will occur if there are domain controllers in a single site link or in bridged site links that span a firewall. Because all domain controllers in a site link or site link bridge attempt to send directory updates to other domain controllers in their site or site link, they may send updates to domain controllers that are on the opposite side of a firewall. If this occurs, those attempts will fail unless the sender is also the firewall proxy server. Therefore, if there are domain controllers on different sides of a firewall and the firewall is configured in such a way that allows packet transmission between specific computers only, do not place them all in one site, even if they are well-connected. Instead, add all domain controllers that are on the same side of a firewall to a site link and establish the firewall proxy as the preferred bridgehead server for the site link. By doing so, the firewall will not block replication. Site links are not automatically generated.

After the first Domain Controller is installed, all other Domain Controllers are automatically added to the same site as the original Domain Controller, unless one of the three following conditions is met:

  • An alternative default site is provided using Active Directory Sites and Services.

  • At the time the Domain Controller is installed, its IP address falls within the subnet previously specified in an alternate site. The domain controller is then added to this alternate site.

  • A Domain Controller has already been moved from another site to the site to which the new Domain Controller is being added. In this case, the new Domain Controller is added to the site that contains the previously moved Domain Controller.

    Note: In general, a Domain Controller can be installed into a site that has existing Domain Controllers. The exception to this rule is the first Domain Controller installed, which automatically creates the Default-First-Site site. A first Domain Controller cannot be created in any site but Default-First-Site, but a Domain Controller can be created in a site that has a previously existing Domain Controller and then moved to another site. Therefore, after the first Domain Controller has been installed, creating Default-First-Site, other Domain Controllers can be created in this site and then moved to alternative sites.

Active Directory automatically creates connections (Connection objects) within a site, but connections between sites are not automatically generated unless the site is in a site link and the site contains a domain controller. Connection objects are required for replication.

Note: It is possible to change information (like the description) about connection objects that were automatically created by the knowledge consistency checker; however, the next time the connection object is automatically created, any changes made to that object will be lost.

If network connections are available, Active Directory Sites and Services should be used to add site links that correspond to the network connections.

Replication options

Replication characteristics are broadly determined by the protocols supported and the configuration of the site links.

Replication protocols

Directory information can be exchanged using different network protocols such as IP or SMTP.

Note: SMTP is not part of the Evaluated Configuration.

  • SMTP replication. SMTP replication is only used for replication over site links (inter-site), and not for replication within a site (intra-site). Because SMTP is asynchronous, it typically ignores all schedules. Therefore, do not configure site link replication availability on SMTP site links unless the following is true:

    • The site links use scheduled connections.

    • The SMTP queue is not on a schedule.

    • Information is being exchanged directly from one server to another, and not through intermediaries as is the case, for example, on a network Ethernet backbone.

    If the network's SMTP connections meet these conditions, synchronize the SMTP site link replication schedule with the times the network's SMTP connections are available.

    If SMTP is used over site links, an enterprise certification authority must be installed and configured. The certification authority (CA) signs SMTP messages that are exchanged between domain controllers, ensuring the authenticity of directory updates. SMTP replication uses 56-bit encryption.

  • IP replication. IP replication uses remote procedure calls (RPC) for replication over site links (inter-site) and within a site (intra-site). By default, inter-site IP replication does adhere to replication schedules, although Active Directory replication may be configured to ignore schedules. IP replication does not require a CA.

Site link attributes

Authorized administrators should provide availability, cost, and frequency information for all site links as part of the process of providing Active Directory with information about available inter-site connections.

  • Replication availability. Configure site link replication availability to designate when a site link will be available for replication.

  • Cost. Configure site link cost to assign a value for the cost of each available connection used for inter-site replication.

    If there are multiple redundant network connections, establish site links for each connection, and then assign costs to these site links that reflect their relative bandwidth. For example, if there is a high speed T-1 line and a dial-up network connection in case the T-1 line is unavailable, configure a lower cost for the T-1 line and a higher cost for the dial-up network connection. Active Directory always chooses the connection on a per-cost basis, so the cheaper connection will be used as long as it is available. Cost does not correspond to a specific unit of measure such as minutes, but is evaluated in comparison to other costs. The cost of a site link only has meaning as it relates to other site links.

    A client should always find a domain controller in its site. If a site does not contain a domain controller, the site link costs for that domain are evaluated by all replication processes. The domain controllers in the closest site are then used to service the site containing that domain.

    The cost of a site link bridge is the sum of the costs of all links included in the bridge. For example, if a site link bridge contains two site links, one with a cost of three and another with a cost of four, the cost of the site link bridge is seven.

  • Replication frequency. Configure site link replication frequency for site links by providing an integer value that tells Active Directory how many minutes it should wait before using a connection to check for replication updates. The replication interval must be at least 15 and no more than 10,080 minutes (equal to one week). A site link must be available for any replication to occur, so if a site link is scheduled as unavailable when the number of minutes between replication updates has passed, no replication will occur.

Replication over a virtual private network

To enable a steady flow of updated directory information, domain controllers should have a connection constantly available. Such a connection may not be available (for example, at smaller branch offices), in which case directory updates can be exchanged through a virtual private network (VPN) established through an Internet Service Provider (ISP). If such a VPN is used to connect to another site, all replication should occur between the domain controllers in the two sites at once, so the connection can be closed when it is no longer needed. This is called reciprocal replication.

When using reciprocal replication between a branch office site's domain controller and a main office site's domain controller, after a VPN is established through an ISP, the branch site domain controller that initiated the connection requests all directory updates from the main site domain controller. After the branch site domain controller receives all updates, it sends a change notification to the main site domain controller, causing the main site domain controller to request all updates, which the branch site domain controller then sends. Since all directory information is current, the ISP connection is closed. Replication does not take place when the connection is not available. This maximizes the efficiency of directory information exchange, while minimizing connection time and eliminating timeout errors that would occur if the main site domain controller tried to request changes from the branch site domain controller when the connection was not available.

Planning replication between sites

Replication within sites requires little or no planning because it is fully automatic. However, when there are multiple sites, the following steps can be used to plan how replication occurs between them:

  1. Identify sites that are well connected through backbones, and create low-cost site links between these sites.

  2. Identify sites that are all connected to each other with a comparable transport, and create medium-cost site links between them. Examples include full mesh links (remote sites that are connected over telecommunication links), frame relay cloud links (a point-to-point system that uses a private virtual circuit), and metropolitan area network (MAN) links with T1 connections.

  3. Identify remaining WAN links.

  4. Create a site link for each pair of sites that cross a WAN link.

  5. Create a schedule that meets user needs.

    Avoid scheduling replication during periods of heavy network use. Site links must have windows of time in common that are available for routing.

Connection objects are created automatically by the KCC for replication both within a site and between sites. For connection objects to be created between two sites, however, a link that connects the two sites must be manually created. These links, implemented through site link objects in Active Directory, identify the transport protocol and scheduling required to replicate between two sites. Administrators use Active Directory Sites and Services to create the site links, and the KCC creates the connections accordingly when it generates the intersite topology.

Site link objects can be created in two transport-specific containers within the Inter-Site Transports container in Active Directory Sites and Services. By creating the link in one or the other container, the link is associated with the respective replication transport. The Inter-Site Transports container is a child of the Sites container, and it also has child containers:

  • The IP container, which contains site link objects that use RPC over IP synchronous replication transport.

  • The SMTP container, which contains site link objects that use SMTP over IP asynchronous replication transport.

When the KCC configures the connection objects for replication between sites, it takes the settings on the site link object into account to create the best connection. For example, one of the site link settings is the cost of the connection. When it has a choice, the KCC chooses a remote site whose link has the lowest cost when it forms connections.

For IP transport, a typical site link connects only two sites and corresponds to an actual WAN link. An IP site link connecting more than two sites might correspond to an ATM backbone that connects, for example, more than two clusters of buildings on a large campus or connects several offices in a large metropolitan area that are connected by leased lines and IP routers.

A site can be connected to other sites by any number of site link objects. Each site in a multi-site directory must be connected by at least one site link. Otherwise, it cannot replicate with domain controllers in any other site, so the directory is disconnected. Therefore, if there is more than one site in the forest, at least one site link must be configured.

The figure below shows two sites that are connected by one site link. A single domain has domain controllers in both sites. When topology generation occurs, connection objects between bridgehead servers in the site are created by the KCC and replication occurs according to the settings on the site link.

[Figure: two sites connected by one site link]

The figure below shows three sites connected by two site links. By default, site links are transitive. Therefore, replication messages can flow from the Atlanta site, through the Seattle site, and on to the Milan site. In this scenario, because the Seattle site contains a full replica of reskit.com, there is no need for direct replication between Milan and Atlanta; all replication between them is transitive through the Seattle site.

[Figure: three sites (Atlanta, Seattle, Milan) connected by two site links]

Site link settings

In Active Directory Sites and Services, the General tab in the Site Link Properties dialog box contains the following options for configuring site links to control the replication topology:

  • A list of two or more sites to be connected.

  • A schedule that determines during what time periods the link is available for replication. For example, authorized administrators might schedule a site link for a dial-up line to be available during off-hours (when telephone rates are low) and unavailable during high-cost regular business hours.

    Note: Scheduling information is ignored by site links that use SMTP transports; the mail is stockpiled and then exchanged at the times that are configured for the mail infrastructure.

  • Cost, a single numeric cost factor associated with communication over the link. Higher cost numbers represent more expensive messages. For example, sites that are connected by low-speed or dial-up connections would have high-cost site links between them. Sites that are well connected through backbone lines would have low-cost site links. Where multiple routes or transports exist between two sites, the least expensive route and transport are used.

  • Period, an interval in minutes that determines how often replication can occur (default is 180 minutes, or 3 hours). The minimum period is 15 minutes.

The site link settings let authorized administrators control replication topology and timing independently:

  • Topology is controlled by setting the costs on site links. In a common scenario, the cost might be set to cost = 1 for site links that are part of the backbone network, and cost = 100 for site links that correspond to slow connections to branch offices. Setting costs in this way ensures that a branch office replicates with a domain controller in a site that is part of the backbone, never directly with a second branch office. These cost numbers have no influence on the replication period.

  • The replication period can be controlled by setting an interval in minutes on site links.

  • Link availability is controlled by setting a schedule on site links. Use the default (100 percent available) schedule on most links, but block replication traffic during peak business hours on links to certain branches. By blocking replication, priority is given to other traffic, but the replication latency is also increased.
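The following is an added example, not part of the original guide, that puts the site link attributes and settings described above (interval bounds, the SMTP transport's requirements, and the effect of an availability schedule on replication latency) into a small model. The record layout, the helper names and the business-hours schedule are constructed for the example; the replication timing model follows the page's stated rule literally and is an assumption, not a description of the KCC's exact scheduler.

```python
"""Checks and a timing model for the site link settings described on this page."""

WEEK_MINUTES = 7 * 24 * 60          # one week, also the maximum replication interval
MIN_INTERVAL, MAX_INTERVAL = 15, 10_080


def audit_site_link(link):
    """Return a list of findings for one site link record (constructed schema).

    `link` keys: name, transport ("IP" or "SMTP"), sites (list), cost (int),
    interval (minutes), schedule (None for the default always-available
    schedule, otherwise a callable), enterprise_ca (bool)."""
    findings = []
    if len(link["sites"]) < 2:
        findings.append("a site link must connect two or more sites")
    if not MIN_INTERVAL <= link["interval"] <= MAX_INTERVAL:
        findings.append(f"replication interval {link['interval']} is outside "
                        f"{MIN_INTERVAL}..{MAX_INTERVAL} minutes")
    if link["transport"] == "SMTP":
        # The CA signs the replication mail; without it the updates are unauthenticated.
        if not link.get("enterprise_ca", False):
            findings.append("SMTP site links require an enterprise CA")
        # Scheduling information is ignored on SMTP links, so a schedule here is a misconfiguration.
        if link.get("schedule") is not None:
            findings.append("the availability schedule is ignored on SMTP site links")
    return findings


def replication_times(interval, available):
    """Minutes from Monday 00:00 at which replication occurs over one week.

    Assumed model of the page's rule: replication is attempted every `interval`
    minutes and takes place only if `available(minute)` says the link is open at
    that moment; an attempt that falls in a blocked window is skipped."""
    return [t for t in range(0, WEEK_MINUTES, interval) if available(t)]


def worst_latency(times):
    """Longest gap in minutes between successive replications, wrapping around
    the week: the replication latency that a blocked schedule adds."""
    if not times:
        return None
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    gaps.append(times[0] + WEEK_MINUTES - times[-1])
    return max(gaps)


def always_available(minute):
    """The default 100 percent available schedule."""
    return True


def block_business_hours(minute):
    """Constructed schedule: link unavailable 08:00-18:00, Monday to Friday."""
    weekday, minute_of_day = divmod(minute, 24 * 60)
    return not (weekday < 5 and 8 * 60 <= minute_of_day < 18 * 60)


if __name__ == "__main__":
    # Constructed records, not from any real forest.
    bad_smtp = {"name": "HQ-Branch-SMTP", "transport": "SMTP", "sites": ["HQ", "Branch"],
                "cost": 100, "interval": 10, "schedule": block_business_hours}
    print(audit_site_link(bad_smtp))
    default_times = replication_times(180, always_available)
    blocked_times = replication_times(180, block_business_hours)
    print("default schedule worst latency:", worst_latency(default_times))   # 180
    print("business hours blocked worst latency:", worst_latency(blocked_times))  # 720
```

The blocked schedule drops three of the eight daily attempts on weekdays, so the latency between the 06:00 and 18:00 replications is four times the configured interval.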

Creating a site link between two or more sites is a way to influence replication topology. By creating a site link, authorized administrators can provide Active Directory with information about what connections are available, which ones are preferred, and how much bandwidth is available. Active Directory uses this information to choose times and connections for replication that will afford the best performance.

Warning: If a site link is created that uses SMTP, there must be an enterprise certification authority (Enterprise CA) available and SMTP must be installed on all domain controllers that will use the site link.

To create a site link:

  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, right-click the inter-site transport protocol for the site link to use, and then click New Site Link.

  3. In Name, type the name to be given to the link.

  4. Click two or more sites to connect, and then click Add.

  5. Configure the site link's cost, schedule, and replication frequency.

To add a site to a site link:

  1. Open Active Directory Sites and Services. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, click the inter-site transport folder that contains the site link to which the site is being added.

  3. In the details pane, right-click the site link to which the site is to be added, and then click Properties.

  4. Click the site to add to this site link, and then click Add.

To delete a site link:

  1. Open Active Directory Sites and Services. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, click the inter-site transport folder that contains the site link to delete.

  3. In the details pane, right-click the site link to delete, and then click Delete.

Cost factor

Assign cost values to site links to favor inexpensive connections over expensive connections. The costs of providing bandwidth are a factor that is to be taken into account when defining site boundaries; it is recommended that these costs be defined on a sitewide basis. Cost is usually based not only on the total bandwidth of the link but also on the availability, latency, and monetary cost of the link.

For example, a 128-kilobits per second (Kbps) permanent link might be assigned a lower cost than a dial-up 128-Kbps dual ISDN link, because the dial-up ISDN link adds replication latency while the link is being established or torn down. Furthermore, in this example, the permanent link might have a fixed monthly cost, whereas the ISDN line is charged according to actual usage. Because the company is paying up-front for the permanent link, the administrator might assign it a lower cost than the ISDN line. The ISDN connections in this example only add extra monetary cost to the already paid-for permanent line.

The table below shows the speeds for different types of networks; these network speeds can be used to estimate cost.

Network Type                        Speed
Very slow                           56 Kbps
Slow (typical in Europe)            64 Kbps
ISDN                                64 Kbps or 128 Kbps
Frame relay                         Variable rate, commonly between 56 Kbps and 1.5 megabits per second (Mbps)
T1                                  1.5 Mbps
T3                                  45 Mbps
Asynchronous Transfer Mode (ATM)    Variable rate, commonly between 155 Mbps and 622 Mbps
Gigabit Ethernet                    1 gigabit per second (Gbps)

Before assigning any costs, define a model for the WAN. On the basis of the cost plus other factors (availability and replication latency), a set of costs can be established that can be implemented throughout the forest. Where a cost is assigned, it must always mean the same thing in any other place where the same cost is assigned. The following table shows an example of the cost breakdown in a forest for a network where a high speed has a lower cost.

Network Type          Cost Value
T1 to backbone        1
56-kilobit link       500
Branch office         1,000
International link    5,000

The Cost setting on a site link provides a relative value for the cost of communication between all sites that are part of the link. (By default, site link settings are transitive between the sites that they connect.) For example, if an IP site link object XYZ is created that connects the sites X, Y, and Z with cost 5, it is established that an IP message can be sent between all pairs of sites (X to Y, X to Z, Y to X, Y to Z, Z to X, Z to Y) with cost 5.

Note: By default, all site links are transitive; that is, all site links for a specific transport implicitly belong to a single site link bridge for that transport. If the IP network is not fully routed, the transitive site link feature can be turned off for the IP transport, in which case all IP site links are considered nontransitive and site link bridges can be configured.

The KCC determines the least-cost path from each site to every other site for each directory partition. The KCC then reviews the comparison of multiple paths to and from every destination and computes the spanning tree of the least-cost path.

To configure site link cost

  1. Open Active Directory Sites and Services. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, click the inter-site transport folder that contains the type of link to be configured.

  3. In the details pane, right-click the site link whose cost is to be set, and then click Properties.

  4. In Cost, enter a value for the cost of replication.

Note: Because cost is determined by the sum of the costs of the constituent links that make up a site link bridge, costs cannot be applied to site link bridges. Costs can only be applied to site links.

A site link bridge object represents a set of site links, all of whose sites can communicate through some transport. A site link bridge usually corresponds to a router (or a set of routers) in an IP network.

Note: If no bridgehead server that is capable of the site link bridge transport is available in two linked sites, a route is not available.

By default, all site links created are bridged ("transitive"); all site links for a specific transport implicitly belong to a single site link bridge for that transport. Therefore, in the common case of a fully routed IP network, site link bridges do not need to be configured. The figure below shows a case where three sites are connected by two site links and the site link bridge allows connections to be created between the two sites that are not connected by an explicit site link.

[Figure: three sites connected by two site links, with the site link bridge providing a route between the two sites that have no explicit site link]

If the IP network is not fully routed, the Bridge all site links for IP transport (on the General tab in the IP transport object property sheet or SMTP transport object property sheet) can be turned off. In this case, all IP site links are considered nontransitive, and site link bridges can be configured to model the actual routing behavior of the network.

A site link bridge object can be created for a specific transport by specifying two or more site links for the specified transport.

To understand what a site link bridge means, consider the following example:

  • Site link SM connects the Seattle site and the Milan site over IP with cost 4.

  • Site link SA connects the Seattle site and the Atlanta site over IP with cost 3.

  • There is no site link between the Milan site and the Atlanta site.

  • Site link bridge SM-SA connects site link SM and site link SA.

  • In this simple example, the site link bridge SM-SA implies that an IP message can be sent from the Milan site to the Atlanta site with cost 4+3 = 7.

Each site link in a bridge must have at least one site in common with another site link in the bridge. Otherwise, the bridge cannot compute the cost from sites in one link to the sites in other links of the bridge. For example, if there are four sites (W, X, Y, and Z), a site link WX that connects W and X, and a site link YZ that connects Y and Z, a site link bridge that connects WX and YZ serves no purpose.

Separate site link bridges, even for the same transport, are independent. To illustrate this independence, the following objects are added to the Milan-Seattle-Atlanta example:

  • Site link DA connects the Detroit site and the Atlanta site over IP with cost 2.

  • Site link bridge DA-SA connects site link DA and site link SA.

The presence of this additional bridge means that an IP message can be sent from the Seattle site to the Detroit site with cost 2 + 3 = 5. However, it does not imply that an IP message can be sent from the Detroit site to the Milan site with cost 2 + 3 + 4 = 9. In almost all cases, use a single site link bridge to model the entire IP network.
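As an added example (not the guide's own code), the following model works through the cost rules above: the Seattle/Milan/Atlanta/Detroit links and bridges, the rule that bridge cost is the sum of link costs, the independence of separate bridges, the W-X / Y-Z bridge that serves no purpose, and the effect of Bridge all site links. It generalizes slightly: a site link may connect more than two sites (the X-Y-Z case), and the least-cost path is found with Dijkstra's algorithm, which stands in for the KCC's comparison of paths. Names and data are constructed.

```python
"""Model of site link and site link bridge cost evaluation (constructed data)."""
import heapq
from collections import defaultdict

# Constructed site links: name -> (sites connected by the link, cost).
SITE_LINKS = {
    "SM": (("Seattle", "Milan"), 4),
    "SA": (("Seattle", "Atlanta"), 3),
    "DA": (("Detroit", "Atlanta"), 2),
}

# Explicit site link bridges, evaluated only when "Bridge all site links" is off.
SITE_LINK_BRIDGES = {
    "SM-SA": {"SM", "SA"},
    "DA-SA": {"DA", "SA"},
}


def bridge_is_connected(site_links, link_names):
    """True if every site link in the bridge shares at least one site with
    another link in the bridge; otherwise the bridge cannot compute a cost
    between its links (the W-X / Y-Z case)."""
    names = list(link_names)
    if len(names) < 2:
        return True
    for name in names:
        sites = set(site_links[name][0])
        others = (set(site_links[other][0]) for other in names if other != name)
        if not any(sites & other_sites for other_sites in others):
            return False
    return True


def bridge_graph(site_links, link_names):
    """Undirected weighted graph over the sites of one bridge. A link with N
    sites yields an edge of the link's cost between every pair of its sites;
    the cheapest edge wins if two links join the same pair."""
    graph = defaultdict(dict)
    for name in link_names:
        sites, cost = site_links[name]
        for a in sites:
            for b in sites:
                if a != b:
                    graph[a][b] = min(cost, graph[a].get(b, cost))
    return graph


def least_cost_paths(graph, source):
    """Dijkstra: least-cost path from source to every site reachable in graph."""
    dist = {source: 0}
    queue = [(0, source)]
    while queue:
        d, u = heapq.heappop(queue)
        if d > dist[u]:
            continue
        for v, w in graph[u].items():
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(queue, (nd, v))
    return dist


def site_cost(src, dst, site_links=SITE_LINKS, bridges=SITE_LINK_BRIDGES,
              bridge_all=False):
    """Least cost of a route between two sites, or None if no route exists.

    With bridge_all=True every link of the transport belongs to one implicit
    bridge. Otherwise each configured bridge is evaluated on its own, and a
    link that is in no bridge still routes directly between its own sites."""
    if bridge_all:
        domains = [set(site_links)]
    else:
        domains = [set(links) for links in bridges.values()]
        domains += [{name} for name in site_links]
    best = None
    for links in domains:
        dist = least_cost_paths(bridge_graph(site_links, links), src)
        if dst in dist and (best is None or dist[dst] < best):
            best = dist[dst]
    return best


if __name__ == "__main__":
    print("Milan -> Atlanta via SM-SA:", site_cost("Milan", "Atlanta"))            # 7
    print("Seattle -> Detroit via DA-SA:", site_cost("Seattle", "Detroit"))        # 5
    print("Detroit -> Milan, separate bridges:", site_cost("Detroit", "Milan"))    # None
    print("Detroit -> Milan, bridge all:",
          site_cost("Detroit", "Milan", bridge_all=True))                           # 9
```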

To create a site link bridge

  1. Open Active Directory Sites and Services. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, right-click the inter-site transport folder for which a new site link bridge is to be created, and then click New Site Link Bridge.

  3. In Name, type a name for the site link bridge.

  4. Click two or more site links to be bridged, and then click Add.

Note:

If Bridge all site links is enabled, this procedure is redundant and will have no effect.

Creating a site link between two or more sites is a way to influence replication topology. A site link gives Active Directory information about which connections are available, which ones are preferred, and how much bandwidth is available. Active Directory uses this information to choose times and connections for replication that will afford the best performance.

To bridge all site links

  1. Open Active Directory Sites and Services. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. Double-click the Sites folder, and then double-click the Inter-Site Transports folder.

  3. Right-click the appropriate inter-site transport folder (such as IP or SMTP), and then click Properties.

  4. Select the Bridge all site links check box.

Note: If bridging all site links creates connections between sites that span firewalls, replication errors will occur if the firewall only allows packets to travel between specific domain controllers.

To delete a site link bridge

  1. Open Active Directory Sites and Services. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, click the inter-site transport folder that contains the site link bridge to delete.

  3. In the details pane, right-click the site link bridge to delete, and then click Delete.

Replication period

For each site link object, a value can be specified for the replication period, which determines how often replication occurs over the site link during the time that the schedule allows. For example, if the schedule allows replication between 02:00 hours and 04:00 hours, and the replication period is set for 30 minutes, replication can occur up to four times during the scheduled time.

The default replication period is 180 minutes, or 3 hours. When the KCC creates a connection between a domain controller in one site and a domain controller in another site, the replication period of the connection is the maximum period along the minimum-cost path of site link objects from one end of the connection to the other.

The schedule determines the time intervals during which the site link is available, and the replication period determines how often replication can occur during those intervals. The interaction of these factors determines the replication latency. For sites where the maximum replication period within the site is 15 minutes, the worst-case, end-to-end replication latency from a source domain controller to a destination domain controller in a remote site is the sum of the replication period settings for the connections between the source and destination sites, plus 15 minutes for each site in the path (including the source and destination sites). This sum assumes that the RPC transport is used between sites and that the required physical connections are available.

Interaction of schedule and replication period

When multiple site links are required to complete replication for all sites, the replication periods on each link combine to affect the entire length of the connection between sites. In addition, when schedules on each link do not coincide, replication can occur only during the window of opportunity where the schedules intersect.

Suppose that site A and site B have site link AB, and site B and site C have site link BC. When a domain controller in site A replicates with a domain controller in site C, it can do so only as often as the maximum period set for site link AB and site link BC allow. The table below shows the site link settings that determine how often and during what times replication can occur between domain controllers in site A, site B, and site C.

  Site Link    Replication Period    Schedule
  AB           30 minutes            12:00 hours to 04:00 hours
  BC           60 minutes            01:00 hours to 05:00 hours

Given the settings in Table 6.4, a domain controller in site A can replicate with a domain controller in site B according to the AB site link schedule and period, which is once every 30 minutes between the hours of 12:00 and 04:00. However, assuming that there is no site link AC, a domain controller in site A can replicate with a domain controller in site C once every 60 minutes, which is the greater of the two replication periods, and between the hours of 01:00 and 04:00, which is where the schedules on the two site links intersect.
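The period and schedule rules above, worked through as an added Python example that is not part of the original documentation: it combines the AB and BC links from the table, applies the 15-minute rounding rule that the Replicate every setting uses, and evaluates the worst-case latency formula. The function names and the 15-minute intra-site period are assumptions of this example.

```python
# Added example (not from the original documentation): how replication period
# and schedule combine across the site links on a path. Schedules are 24-hour
# windows given as (start_hour, end_hour) and may wrap past midnight, as the
# AB link's 12:00-to-04:00 window does; minutes of the day are used internally.

MINUTES_PER_DAY = 24 * 60
INTRA_SITE_PERIOD = 15  # assumed worst-case period within a site, as in the text


def _window_minutes(start_hour, end_hour):
    """Minutes of the day during which a schedule allows replication."""
    start, end = start_hour * 60, end_hour * 60
    if end <= start:  # window wraps past midnight
        end += MINUTES_PER_DAY
    return {m % MINUTES_PER_DAY for m in range(start, end)}


def normalize_period(minutes):
    """'Replicate every' rule: nearest multiple of 15, clamped to 15..10080."""
    return min(max(15 * round(minutes / 15), 15), 10080)


def effective_replication(path_links):
    """Combine the site links on a path.

    path_links: list of (period_minutes, (start_hour, end_hour)).
    Returns (period, available_minutes, max_replications_per_window): the
    period is the maximum along the path and availability is the intersection
    of all schedules, as described above.
    """
    period = max(normalize_period(p) for p, _ in path_links)
    available = None
    for _, (start, end) in path_links:
        window = _window_minutes(start, end)
        available = window if available is None else available & window
    return period, len(available), len(available) // period


def worst_case_latency(path_links, sites_in_path):
    """Sum of connection periods plus 15 minutes per site in the path, endpoints included."""
    return (sum(normalize_period(p) for p, _ in path_links)
            + INTRA_SITE_PERIOD * sites_in_path)


# Constructed from the table above.
AB = (30, (12, 4))  # every 30 minutes, 12:00 hours to 04:00 hours
BC = (60, (1, 5))   # every 60 minutes, 01:00 hours to 05:00 hours

if __name__ == "__main__":
    print(effective_replication([AB]))      # (30, 960, 32)
    print(effective_replication([AB, BC]))  # (60, 180, 3): 01:00-04:00, once per hour
    print(worst_case_latency([AB, BC], 3))  # 30 + 60 + 3 * 15 = 135 minutes
```

The single-link case with a 02:00-to-04:00 window and a 30-minute period reproduces the "up to four times" figure given earlier in this section.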

To configure site link replication availability

  1. Open Active Directory Sites and Services. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, click the inter-site transport folder that contains the site link whose schedule is to be adjusted.

  3. In the details pane, right-click the site link whose schedule is to be adjusted, and then click Properties.

  4. Click Change Schedule.

  5. Select the block of time to schedule, and then click the desired frequency of replication for that block of time: None, Once per Hour, Twice per Hour, or Four times per Hour.

    Note: Because SMTP is asynchronous, it typically ignores all schedules. Therefore, do not configure site link replication availability on SMTP site links unless the site links use scheduled connections, or the SMTP queue is not on a schedule, and information is being exchanged directly from one server to another, and not through intermediaries as is the case, for example, on a network Ethernet backbone.

To configure site link replication frequency

  1. Open Active Directory Sites and Services. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, click the inter-site transport containing the site link to configure.

  3. In the details pane, right-click the site link whose replication frequency to set, and then click Properties.

  4. In Replicate every, enter the number of minutes between replications.

    Note: The Replicate every value will be processed as the nearest multiple of 15, ranging from a minimum of 15 to a maximum of 10,080 minutes (one week).

To ignore schedules

  1. Open Active Directory Sites and Services. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, right-click the inter-site transport protocol that contains the site link schedules to ignore, and then click Properties.

  3. Select the Ignore schedules check box.

Change notification

Change notification is a mechanism by which a domain controller notifies a replication partner that it has changes. Replication within a site occurs as a response to changes; as changes occur on one domain controller, it notifies its replication partner, which prompts the partner to request the changes. When a domain controller performs an update to an attribute, it sends notification to its replication partner within a specified time following the change.

Change notification within a site

For changes that occur within a site, there is a "holdback timer" that determines the interval between the time a change is made and the time that the source server notifies its replication partners. This interval serves to stagger network traffic caused by replication. When a domain controller makes a change (originating or replicated) to a directory partition, it starts the timer; when the timer expires, the domain controller notifies all of its replication partners (for that directory partition and within the site) that it has changes. If a partner is not engaged in requesting changes from another partner, it sends its change request to the notifying server.

The default value for the holdback timer is 300 seconds, or 5 minutes. To change the default registry setting, set a new value in the Replicator notify pause after modify (secs) entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

Note: Very small values for this timer generate redundant notifications, which can decrease performance.

A domain controller does not notify all of its replication partners at one time. By delaying between notifications, the domain controller spreads out the load of responding to replication requests from its partners. The default delay between notifications is 30 seconds.

To change the default delay, set a new value in the Replicator notify pause between DSAs (secs) entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

Warning: Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that Windows 2000 be reinstalled. There are programs available in Control Panel or Microsoft Management Console (MMC) for performing most administrative tasks. These programs provide safeguards that prevent users from entering conflicting settings or settings that are likely to degrade performance or damage the system. Registry editors bypass the standard safeguards that are provided by these administrative tools. Modifying the registry is recommended only when no administrative tool is available. Before making changes to the registry, it is recommended that any valuable data on the computer be backed up.

Urgent replication

Urgent replication is implemented by immediately notifying replication partners over RPC/IP that changes have occurred on a source domain controller. Urgent replication uses regular change notification between destination and source domain controller pairs that otherwise use change notification, but notification is sent immediately in response to urgent events instead of waiting the default period of five minutes. Therefore, if change notification is enabled on a site link, urgent replication is possible between sites for events that trigger it.

Events that trigger urgent replication

Urgent Active Directory replication is always triggered by certain events on all domain controllers within the same site. When change notification is enabled between sites, these triggering events also replicate immediately between sites.

Immediate replication between Windows 2000–based domain controllers in the same site is prompted by the following:

  • Assigning an account lockout, which prohibits a user from logging on after a certain number of failed attempts.

  • Changing a Local Security Authority (LSA) secret, which is a secure form in which private data is stored by the LSA.

  • Change in the relative identifier (known as a "RID") master role owner, which is the single domain controller in a domain that assigns relative identifiers to all domain controllers in that domain.

Urgent replication of account lockout changes

Account lockout is a security feature that sets a limit on the number of failed authentication attempts that are allowed before the account is locked out from a further attempt to log on, in addition to a time limit for how long the lockout is in effect.

In Windows 2000, account lockout is urgently replicated to the primary domain controller (PDC) emulator role owner and is then urgently replicated to the following:

  • Domain controllers in the same domain that are located in the same site as the PDC emulator.

  • Domain controllers in the same domain that are located in the same site as the domain controller that handled the account lockout.

  • Domain controllers in the same domain that are located in sites that have been configured to allow change notification between sites (and, therefore, urgent replication) with the site that contains the PDC emulator or with the site where the account lockout was handled. These sites include any site that is included in the same site link as the site that contains the PDC emulator or in the same site link as the site that contains the domain controller that handled the account lockout.

In addition, when authentication fails at a domain controller other than the PDC emulator, the authentication is retried at the PDC emulator. For this reason, the PDC emulator locks the account before the domain controller that handled the failed-password attempt if the bad-password-attempt threshold is reached.

Managing urgent replication

The following guidelines can be useful when deciding whether to enable change notification between sites relative to achieving urgent replication.

  • For urgent replication everywhere, put all domain controllers for the specific domain in a single site (this option might not be realistic).

  • For urgent replication everywhere while retaining the benefits of site affinity, use multiple sites and enable change notification on all site links.

  • By default, a user lockout prompts urgent replication at the site that contains the domain controller that handled the authentication and the site that contains the PDC emulator role owner.

Forced replication between two servers

A connection object can be used to force replication from the inbound server. In Active Directory Sites and Services, right-click a connection object, and then click Replicate Now.

Replication of password changes

Password changes are replicated differently than normal (non-urgent) replication and urgent replication. Changes to security account passwords present a replication latency problem wherein a user's password is changed on domain controller A and the user subsequently attempts to log on, being authenticated by domain controller B. If the password has not replicated from A to B, the attempt to log on fails. Active Directory replication remedies this situation by forwarding password changes immediately to a single domain controller in the domain, the PDC emulator.

In Windows 2000, when a user password is changed at a specific domain controller, that domain controller attempts to update the respective replica at the domain controller that holds the PDC emulator role. Update of the PDC emulator occurs immediately, without respect to schedules between sites on site links. The updated password is propagated to other domain controllers by normal replication within a site. When the user logs on to a domain and is authenticated by a domain controller that does not have the updated password, the domain controller refers to the PDC emulator to check the credentials of the user name and password rather than denying authentication based on a nonvalid password. Therefore, the user can log on successfully even when the authenticating domain controller has not yet received the updated password.

If the update at the PDC emulator fails for any reason, the password change is replicated non-urgently by normal replication.

Note: A domain controller can be set to not contact the PDC emulator if the PDC emulator role owner is not in the current site. If the AvoidPdcOnWan entry in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters is set to 1, the password change reaches the PDC emulator non-urgently through normal replication.

To manually add or configure connections

  1. Open Active Directory Sites and Services. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, click the domain controller for which a connection is to be manually added or configured.

  3. Right-click NTDS Settings, and then click New Active Directory Connection.

  4. In the Find Domain Controllers dialog box, click the domain controller to include in the Connection object.

  5. In the New Object-Connection dialog box, enter a name for the new Connection object.

To force replication over a connection

  1. Open Active Directory Sites and Services. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.

  2. In the console tree, double-click the domain controller for the site containing the connection over which directory information is to be replicated.

  3. In the console tree, click NTDS Settings.

  4. In the details pane, right-click the connection over which directory information is to be replicated, and then click Replicate Now.

Changing the default replication time for the Active Directory Connector

Replication is scheduled in an Active Directory Connector (ADC) connection agreement; if the Always setting is selected, replication occurs every five minutes. For replication to occur more frequently, add a parameter to the ADC by modifying the Windows registry.

Warning: Using Registry Editor incorrectly can cause serious problems that may require reinstallation of the operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved.

To add a parameter to the ADC that causes replication to occur more frequently:

  1. Start Registry Editor (Regedt32.exe).

  2. Locate the following key in the registry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSADC\Parameters

  3. On the Edit menu, click Add Value, and then add the following registry value:

    Value Name: Sync Sleep Delay (secs)

    Data Type: REG_DWORD

    Value: 5

  4. Quit Registry Editor.