
Active Directory Replication Tools and Settings: Active Directory


http://technet.microsoft.com/en-in/library/cc739941(d=printer,v=ws.10).aspx

Active Directory Replication Tools and Settings


Updated: November 19, 2014
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server
2008 R2, Windows Server 2012, Windows Server 2012 R2



In this section

Active Directory Replication Tools
Active Directory Replication Registry Entries
Active Directory Replication Group Policy Settings
Active Directory Replication WMI Classes
Network Ports Used by Active Directory Replication
Related Information

Active Directory Replication Tools


The following tools are associated with Active Directory replication.
Note
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the
directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to AD
DS.

Dssite.msc: Active Directory Sites and Services

Category
Active Directory Administrative Tools Microsoft Management Console (MMC) snap-in. This tool is installed automatically when you install Active Directory, and is
available on the Start menu under Programs\Administrative Tools. This tool also ships with the Administration Tools Pack (Adminpak.msi).

Version compatibility
Active Directory Sites and Services provides a view into the Sites container of the configuration directory partition. Use Active Directory Sites and Services to manage
Active Directory replication topology. The following objects and their properties can be managed by using this tool:

Sites container: Add new sites.
Site objects: Add new servers to a site.
NTDS Site Settings object: For each site, view the connection object schedule and enable Universal group membership caching.
Server object: View the NTDS Settings object and designate the server as a bridgehead server.
NTDS Settings object: View inbound connections for the server. View the connection object schedule and change the source server for the connection.
Inter-Site Transports container: Manage IP and SMTP site links.
Site link objects: Manage the site link properties for a set of sites.
Subnets container: Add, remove, and configure subnets with IP addresses. Associate subnets with sites.

Repadmin.exe: Repadmin

Category
Command-line tool.

1/11/2015 1:53 PM


Version compatibility
Repadmin is used to view the replication information on domain controllers. You can determine the last successful replication of all directory partitions, identify
inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and generally manage Active Directory replication
topology. You can use Repadmin to force replication of an entire directory partition or of a single object. You can also list domain controllers in a site.
Repadmin is extended to enable commands to target sets of domain controllers. For example, you can target all domain controllers in a site or domain, or all domain
controllers that are global catalog servers.
Repadmin also includes the RemoveLingeringObjects command, which removes objects that are outdated (do not exist in a replica of the same directory partition
on the source domain controller).
For more information about removing lingering objects, see "Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)" in the Windows Server 2003
Operations Guide at http://go.microsoft.com/fwlink/?LinkId=44131. For more information about Repadmin, see Repadmin Overview.

Ntdsutil.exe: Ntdsutil

Category
Command-line tool.

Version compatibility
Ntdsutil.exe provides management capabilities for Active Directory. You can use Ntdsutil.exe to perform Active Directory database maintenance, manage and control
single-master operations, and remove replication metadata left behind by domain controllers that are removed from the network without uninstalling Active
Directory. The version of Ntdsutil that is included with Windows Server 2003 SP1 removes File Replication service (FRS) metadata in addition to Active Directory
replication metadata. You can also use Ntdsutil to create application directory partitions and perform authoritative restore operations. This tool is intended for use by
experienced administrators.

Active Directory Replication Registry Entries


The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not
directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are
applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools,
such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.
The following registry settings cannot be modified by using Group Policy or other Windows tools.

NTDS Parameters Registry Settings


The following registry entries are associated with Active Directory replication.

Replicator notify pause after modify (secs)

Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Version
Windows 2000 Server.

Default value
Windows 2000 Server: 300 seconds.
The value for the delay between an originating update on a domain controller and the first change notification. On domain controllers running Windows Server 2003
or higher, the value for initial change notification delay is stored in the msDSReplicationNotifyFirstDSADelay attribute on the cross-reference object for each
directory partition in the Configuration container. The default value in Windows Server 2003 and higher operating systems is decreased to 15 seconds when the forest
functional level is Windows Server 2003 or higher.

Replicator notify pause between DSAs (secs)

Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Version
Windows 2000 Server.

Default value
Windows 2000 Server: 30 seconds
The value for the delay before each subsequent change notification. On domain controllers running Windows Server 2003, the value for subsequent notification delay
is stored in the msDSReplicationNotifySubsequentDSADelay attribute on the cross-reference object for each directory partition in the Configuration container. The
default value in Windows Server 2003 is decreased to 3 seconds when the forest functional level is Windows Server 2003.

RPC Replication Timeout (mins)


Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value
Windows 2000 Server: 45 minutes; Windows Server 2003 and higher server operating systems: 5 minutes.
The number of minutes between initiation of Active Directory replication and the RPC timeout. The domain controller must be restarted before the change takes
effect.

Strict replication consistency

Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server with SP3.

Default value
Windows 2000 Server with SP3: off (0); Windows Server 2003 and higher server operating systems: on (1)
The value that determines the treatment of replication of outdated objects that exist on reconnected domain controllers that have not replicated in longer than a
tombstone lifetime. If the destination domain controller has strict replication consistency enabled, inbound replication of an outdated object is blocked. If the
destination domain controller has strict replication disabled, inbound replication of the full object occurs.

Replicator intra site packet size (objects)

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value
1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.
The maximum number of objects per packet for RPC replication within a site.

Replicator intra site packet size (bytes)

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value
1/100th the size of RAM, with a minimum of 1 megabyte (MB) and a maximum of 10 MB.
The maximum size of objects per packet for RPC replication within a site.

Replicator inter site packet size (objects)

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.

Default value
1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.
The maximum number of objects per packet for RPC replication between sites.

Replicator inter site packet size (bytes)


Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value
1/100th the size of RAM, with a minimum of 1 MB and a maximum of 10 MB.
The maximum size of objects per packet for RPC replication between sites.

Replicator async inter site packet size (objects)

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.

Default value
1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.
The maximum number of objects per packet for SMTP replication between sites.

Replicator async inter site packet size (bytes)

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value
1 MB.
The maximum size of objects per packet for SMTP replication between sites.

Replicator compression algorithm

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003.

Default value
For Windows 2000 Server compression, change the value to 2.
Determines the compression algorithm that is used on a site link.

Repl topology update delay (secs)

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value
300 seconds.
Number of seconds to wait between the time Active Directory starts and the KCC performs the first topology check.
To find more information about Repl topology update delay (secs), see Registry Reference in Tools and Settings Collection.

Repl topology update period (secs)

Registry path


HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.

Default value
900 seconds.
Interval between KCC replication topology checks.
To find more information about Repl topology update period (secs), see Registry Reference in Tools and Settings Collection.

IntersiteFailuresAllowed

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value
1.
Number of failed replication attempts prior to excluding nonresponding servers from the intersite topology.

MaxFailureTimeForIntersiteLink (sec)

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value
7200 seconds (2 hours).
Time in seconds that must elapse prior to excluding nonresponding servers from the intersite topology.

NonCriticalLinkFailuresAllowed

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value
1.
Number of failed replication attempts prior to excluding nonresponding servers from the intrasite topology.

MaxFailureTimeForNonCriticalLink (sec)

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.

Default value
43200 seconds (12 hours).
Time in seconds that must elapse prior to excluding nonresponding servers from the intrasite topology.

CriticalLinkFailuresAllowed

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters


Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value
0.
Number of failed replication attempts prior to excluding nonresponding servers for immediate neighbor connections within a site.

MaxFailureTimeForCriticalLink (sec)

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value
7200 seconds (2 hours).
Time in seconds that must elapse prior to excluding nonresponding servers for immediate neighbor connections within a site.

TCP/IP Port

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.

Default value
135.
TCP port that the directory service uses instead of using dynamic port 135. The domain controller must be restarted before the change takes effect.

Backup Latency Threshold (days)

Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 with SP1.

Default value
Half the value of the tombstone lifetime of the forest.
When the value is reached, logs event ID 2089 in the Directory Service event log, warning administrators and monitoring applications to make sure that domain
controllers are backed up before the tombstone lifetime expires.
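
For verifying that the required settings are applied, the following PowerShell script reads the NTDS\Parameters key and reports entries whose values differ from the Windows Server 2003 and later defaults listed above. It is an added example, not part of the original Microsoft topic; the function names and the sample data are hypothetical, and treating an absent value as "default in effect" is an assumption.

```powershell
# Added example: audit HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
# against the defaults this page lists for Windows Server 2003 and later.
$NtdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

# Value names and defaults are copied from the registry entries above.
$Defaults = @{
    'Strict replication consistency'         = 1
    'RPC Replication Timeout (mins)'         = 5
    'Repl topology update delay (secs)'      = 300
    'Repl topology update period (secs)'     = 900
    'IntersiteFailuresAllowed'               = 1
    'MaxFailureTimeForIntersiteLink (sec)'   = 7200
    'NonCriticalLinkFailuresAllowed'         = 1
    'MaxFailureTimeForNonCriticalLink (sec)' = 43200
    'CriticalLinkFailuresAllowed'            = 0
    'MaxFailureTimeForCriticalLink (sec)'    = 7200
}

# Hypothetical helper: copy every value under the key into a hashtable.
function Get-NtdsParameters {
    $key = Get-Item -LiteralPath $NtdsKey -ErrorAction Stop
    $values = @{}
    foreach ($name in $key.GetValueNames()) { $values[$name] = $key.GetValue($name) }
    return $values
}

# Hypothetical helper: one result row per documented entry.
function Compare-NtdsParameters {
    param([Parameter(Mandatory = $true)][hashtable]$Current)
    foreach ($name in ($Defaults.Keys | Sort-Object)) {
        if (-not $Current.ContainsKey($name)) {
            $state = 'NotSet'      # assumption: the built-in default applies
        } elseif ([int64]$Current[$name] -eq $Defaults[$name]) {
            $state = 'Default'
        } else {
            $state = 'Changed'     # e.g. strict replication consistency turned off
        }
        New-Object psobject -Property @{
            Name = $name; Documented = $Defaults[$name]; Actual = $Current[$name]; State = $state
        }
    }
    # A 'TCP/IP Port' value changes what firewalls between domain controllers must allow.
    if ($Current.ContainsKey('TCP/IP Port')) {
        New-Object psobject -Property @{
            Name = 'TCP/IP Port'; Documented = 135; Actual = $Current['TCP/IP Port']; State = 'Review'
        }
    }
}

if (Test-Path -LiteralPath $NtdsKey) {
    $observed = Get-NtdsParameters
} else {
    # Constructed sample so the script also runs off a domain controller.
    $observed = @{ 'Strict replication consistency' = 0; 'TCP/IP Port' = 50000 }
}
Compare-NtdsParameters -Current $observed |
    Where-Object { $_.State -ne 'NotSet' } |
    Format-Table Name, Documented, Actual, State -AutoSize
```

The script only reads the registry. A `Changed` row for Strict replication consistency means the destination domain controller accepts inbound replication of outdated objects, as described in that entry.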

Active Directory Replication Group Policy Settings


The following table lists and describes the Group Policy settings that are associated with Active Directory replication updates.
Group Policy Settings Associated with Active Directory Replication

Group Policy Setting: Account Lockout Policy (Account lockout duration; Account lockout threshold; Reset account lockout counter after)
Description: Changes to these settings in the Domain Security Policy trigger urgent replication.

Group Policy Setting: Password Policy (Enforce password history; Maximum password age; Minimum password age; Minimum password length; Password must meet complexity requirements; Store passwords using reversible encryption)
Description: Changes to these settings in the Domain Security Policy trigger urgent replication.

Group Policy Setting: Contact PDC on logon failure
Description: Account lockout and domain password changes rely on contacting the primary domain controller (PDC) emulator urgently to update the PDC emulator with the change. If Contact PDC on logon failure is disabled, replication of password changes to the PDC emulator occurs non-urgently.

To find more information about these Group Policy settings, see Group Policy Settings Reference in Tools and Settings Collection.

Active Directory Replication WMI Classes


The following table lists and describes the WMI classes that are associated with Active Directory replication. These classes are shipped with Windows Server 2003 or
later server operating systems, but are also compatible with Windows 2000 Server.
WMI Classes Associated with Active Directory Replication

Class Name: MSAD_DomainController
Namespace: \\root\MicrosoftActiveDirectory
Version Compatibility: Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server

Class Name: MSAD_NamingContext
Namespace: \\root\MicrosoftActiveDirectory
Version Compatibility: Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server

Class Name: MSAD_ReplNeighbor
Namespace: \\root\MicrosoftActiveDirectory
Version Compatibility: Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server

Class Name: MSAD_ReplCursor
Namespace: \\root\MicrosoftActiveDirectory
Version Compatibility: Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server

Class Name: MSAD_ReplPendingOp
Namespace: \\root\MicrosoftActiveDirectory
Version Compatibility: Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server

For more information about these WMI classes, see the WMI SDK documentation on MSDN.

Network Ports Used by Active Directory Replication


By default, RPC-based replication uses dynamic port mapping. When connecting to an RPC endpoint during Active Directory replication, the RPC run time on the
client contacts the RPC endpoint mapper on the server at a well-known port (port 135). The server queries the RPC endpoint mapper on this port to determine what
port has been assigned for Active Directory replication on the server. This query occurs whether the port assignment is dynamic (the default) or fixed. The client never
needs to know which port to use for Active Directory replication.
Note

An endpoint comprises the protocol, local address, and port address.

In addition to the dynamic port 135, other ports that are required for replication to occur are listed in the following table.
Port Assignments for Active Directory Replication

Service Name    UDP    TCP
LDAP            389    389
LDAP            -      636 (Secure Sockets Layer [SSL])
LDAP            -      3268 (global catalog)
Kerberos        88     88
DNS             53     53
SMB over IP     445    445

Replication within a domain also requires FRS using a dynamic RPC port.

Related Information
The following resources contain additional information that is relevant to this section.

How the Active Directory Replication Model Works


How Active Directory Replication Topology Works

Community Additions

Typo!
Reapdmin.exe:
But this was the first one I have spotted, so texts here are basically written very carefully. =)
jyrkiar
9/2/2009

2015 Microsoft
