http://technet.microsoft.com/en-in/library/cc739941(d=printer,v=ws.10).aspx
Category
Active Directory Administrative Tools Microsoft Management Console (MMC) snap-in. This tool is installed automatically when you install Active Directory, and is
available on the Start menu under Programs\Administrative Tools. This tool also ships with the Administration Tools Pack (Adminpak.msi).
Version compatibility
Active Directory Sites and Services provides a view into the Sites container of the configuration directory partition. Use Active Directory Sites and Services to manage
Active Directory replication topology. The following objects and their properties can be managed by using this tool:
Repadmin.exe: Repadmin
Category
Command-line tool.
1/11/2015 1:53 PM
Version compatibility
Repadmin is used to view the replication information on domain controllers. You can determine the last successful replication of all directory partitions, identify
inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and generally manage Active Directory replication
topology. You can use Repadmin to force replication of an entire directory partition or of a single object. You can also list domain controllers in a site.
Repadmin is extended to enable commands to target sets of domain controllers. For example, you can target all domain controllers in a site or domain, or all domain
controllers that are global catalog servers.
Repadmin also includes the RemoveLingeringObjects command, which removes objects that are outdated (do not exist in a replica of the same directory partition
on the source domain controller).
For more information about removing lingering objects, see "Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)" in the Windows Server 2003
Operations Guide at http://go.microsoft.com/fwlink/?LinkId=44131. For more information about Repadmin, see Repadmin Overview.
Ntdsutil.exe: Ntdsutil
Category
Command-line tool.
Version compatibility
Ntdsutil.exe provides management capabilities for Active Directory. You can use Ntdsutil.exe to perform Active Directory database maintenance, manage and control
single-master operations, and remove replication metadata left behind by domain controllers that are removed from the network without uninstalling Active
Directory. The version of Ntdsutil that is included with Windows Server 2003 SP1 removes File Replication service (FRS) metadata in addition to Active Directory
replication metadata. You can also use Ntdsutil to create application directory partitions and perform authoritative restore operations. This tool is intended for use by
experienced administrators.
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Windows 2000 Server.
Default value
Windows 2000 Server: 300 seconds.
The value for the delay between an originating update on a domain controller and the first change notification. On domain controllers running Windows Server 2003
or higher, the value for initial change notification delay is stored in the msDSReplicationNotifyFirstDSADelay attribute on the cross-reference object for each
directory partition in the Configuration container. The default value in Windows Server 2003 and higher operating systems is decreased to 15 seconds when the forest
functional level is Windows Server 2003 or higher.
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Windows 2000 Server.
Default value
Windows 2000 Server: 30 seconds
The value for the delay before each subsequent change notification. On domain controllers running Windows Server 2003, the value for subsequent notification delay
is stored in the msDSReplicationNotifySubsequentDSADelay attribute on the cross-reference object for each directory partition in the Configuration container. The
default value in Windows Server 2003 is decreased to 3 seconds when the forest functional level is Windows Server 2003.
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
Windows 2000 Server: 45 minutes; Windows Server 2003 and higher server operating systems: 5 minutes.
The number of minutes between initiation of Active Directory replication and the RPC timeout. The domain controller must be restarted before the change takes
effect.
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server with SP3.
Default value
Windows 2000 Server with SP3: off (0); Windows Server 2003 and higher server operating systems: on (1)
The value that determines the treatment of replication of outdated objects that exist on reconnected domain controllers that have not replicated in longer than a
tombstone lifetime. If the destination domain controller has strict replication consistency enabled, inbound replication of an outdated object is blocked. If the
destination domain controller has strict replication disabled, inbound replication of the full object occurs.
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.
The maximum number of objects per packet for RPC replication within a site.
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
1/100th the size of RAM, with a minimum of 1 megabyte (MB) and a maximum of 10 MB.
The maximum size of objects per packet for RPC replication within a site.
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.
Default value
1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.
The maximum number of objects per packet for RPC replication between sites.
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
The maximum size of objects per packet for RPC replication between sites.
Default value
1/100th the size of RAM, with a minimum of 1 MB and a maximum of 10 MB.
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.
Default value
1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.
The maximum number of objects per packet for SMTP replication between sites.
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
1 MB.
The maximum size of objects per packet for SMTP replication between sites.
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003.
Default value
For Windows 2000 Server compression, change the value to 2.
Determines the compression algorithm that is used on a site link.
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
300 seconds.
Number of seconds to wait between the time Active Directory starts and the KCC performs the first topology check.
To find more information about Repl topology update delay (secs), see Registry Reference in Tools and Settings Collection.
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.
Default value
900 seconds.
Interval between KCC replication topology checks.
To find more information about Repl topology update period (secs), see Registry Reference in Tools and Settings Collection.
IntersiteFailuresAllowed
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
1.
Number of failed replication attempts prior to excluding nonresponding servers from the intersite topology.
MaxFailureTimeForIntersiteLink (sec)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
7200 seconds (2 hours).
Time in seconds that must elapse prior to excluding nonresponding servers from the intersite topology.
NonCriticalLinkFailuresAllowed
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
1.
Number of failed replication attempts prior to excluding nonresponding servers from the intrasite topology.
MaxFailureTimeForNonCriticalLink (sec)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.
Default value
43200 seconds (12 hours).
Time in seconds that must elapse prior to excluding nonresponding servers from the intrasite topology.
CriticalLinkFailuresAllowed
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
0.
Number of failed replication attempts prior to excluding nonresponding servers for immediate neighbor connections within a site.
MaxFailureTimeForCriticalLink (sec)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
7200 seconds (2 hours).
Time in seconds that must elapse prior to excluding nonresponding servers for immediate neighbor connections within a site.
TCP/IP Port
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
135.
TCP port that the directory service uses instead of using dynamic port 135. The domain controller must be restarted before the change takes effect.
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 with SP1.
Default value
Half the value of the tombstone lifetime of the forest.
When the value is reached, logs event ID 2089 in the Directory Service event log, warning administrators and monitoring applications to make sure that domain
controllers are backed up before the tombstone lifetime expires.
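The following audit script is an added example, not part of the original page. It reads the NTDS\Parameters key described above on each domain controller and reports the strict replication consistency setting and any configured TCP/IP Port. The host names are constructed placeholders, and the value name `Strict Replication Consistency` comes from the Windows registry, not from this page.

```powershell
# Added example: report two NTDS\Parameters values per domain controller.
# The host names below are constructed placeholders; replace them with real DCs.
$DomainControllers = @('dc01.example.test', 'dc02.example.test')
$KeyPath = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsReplicationSetting {
    param([Parameter(Mandatory)][string]$ComputerName)

    $base = $null; $key = $null
    try {
        # Needs the Remote Registry service and read access to HKLM on the DC.
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
        $key = $base.OpenSubKey($KeyPath)
        if ($null -eq $key) { throw 'NTDS\Parameters key not found' }

        # GetValue returns $null when the value is absent from the key.
        $strict = $key.GetValue('Strict Replication Consistency', $null)
        $port   = $key.GetValue('TCP/IP Port', $null)

        [pscustomobject]@{
            ComputerName      = $ComputerName
            StrictConsistency = if ($null -eq $strict) { 'not set' } else { [int]$strict }
            # 0 or an absent value is flagged so an administrator can confirm
            # that inbound replication of outdated objects is blocked.
            NeedsReview       = ($strict -ne 1)
            FixedRpcPort      = if ($null -eq $port) { 'not set' } else { [int]$port }
            Error             = $null
        }
    }
    catch {
        # Unreachable or unreadable hosts are reported rather than skipped.
        [pscustomobject]@{
            ComputerName = $ComputerName; StrictConsistency = $null
            NeedsReview  = $true; FixedRpcPort = $null
            Error        = $_.Exception.Message
        }
    }
    finally {
        if ($key)  { $key.Close() }
        if ($base) { $base.Close() }
    }
}

$DomainControllers |
    ForEach-Object { Get-NtdsReplicationSetting -ComputerName $_ } |
    Format-Table -AutoSize
```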
Description
Changes to these settings in the Domain Security Policy trigger urgent replication.
Password Policy:
Changes to these settings in the Domain Security Policy trigger urgent replication.
Account lockout and domain password changes rely on contacting the primary domain controller (PDC) emulator urgently to
update the PDC emulator with the change. If Contact PDC on logon failure is disabled, replication of password changes to the
PDC emulator occurs non-urgently.
To find more information about these Group Policy settings, see Group Policy Settings Reference in Tools and Settings Collection.
Class Name               Namespace                          Version Compatibility
MSAD_DomainController    \\root\MicrosoftActiveDirectory
MSAD_NamingContext       \\root\MicrosoftActiveDirectory
MSAD_ReplNeighbor        \\root\MicrosoftActiveDirectory
MSAD_ReplCursor          \\root\MicrosoftActiveDirectory
MSAD_ReplPendingOp       \\root\MicrosoftActiveDirectory
For more information about these WMI classes, see the WMI SDK documentation on MSDN.
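The following monitoring script is an added example, not part of the original page. It queries the MSAD_ReplNeighbor class listed above and reports replication partners that keep failing. The property names (NumConsecutiveSyncFailures, TimeOfLastSyncSuccess, LastSyncResult, SourceDsaCN, NamingContextDN) come from the WMI class definition rather than from this page, and the two thresholds reuse the IntersiteFailuresAllowed and MaxFailureTimeForIntersiteLink defaults as reporting cut-offs only.

```powershell
# Added example. The thresholds reuse defaults listed on this page as reporting
# cut-offs; the script does not reproduce the KCC's own exclusion logic.
$FailuresAllowed   = 1      # IntersiteFailuresAllowed default
$MaxFailureSeconds = 7200   # MaxFailureTimeForIntersiteLink (sec) default

function Get-FailingReplNeighbor {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $now = Get-Date
    Get-WmiObject -Namespace 'root\MicrosoftActiveDirectory' `
                  -Class 'MSAD_ReplNeighbor' `
                  -ComputerName $ComputerName -ErrorAction Stop |
        ForEach-Object {
            # WMI returns DMTF datetime strings; convert to a local DateTime.
            $lastSuccess = $null
            if ($_.TimeOfLastSyncSuccess) {
                $lastSuccess = [System.Management.ManagementDateTimeConverter]::ToDateTime(
                    $_.TimeOfLastSyncSuccess)
            }

            # A partner with no recorded success is treated as infinitely stale.
            $ageSeconds = if ($lastSuccess) {
                ($now - $lastSuccess).TotalSeconds
            } else {
                [double]::PositiveInfinity
            }

            # Report only partners with more failures than allowed AND a last
            # success older than the time threshold.
            if ($_.NumConsecutiveSyncFailures -gt $FailuresAllowed -and
                $ageSeconds -gt $MaxFailureSeconds) {
                [pscustomobject]@{
                    DestinationDC       = $ComputerName
                    SourceDC            = $_.SourceDsaCN
                    NamingContext       = $_.NamingContextDN
                    ConsecutiveFailures = $_.NumConsecutiveSyncFailures
                    LastSyncResult      = $_.LastSyncResult
                    LastSuccess         = $lastSuccess
                }
            }
        }
}

# Run against the local domain controller and list failing inbound partners.
Get-FailingReplNeighbor | Sort-Object ConsecutiveFailures -Descending |
    Format-Table -AutoSize
```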
In addition to the dynamic port 135, other ports that are required for replication to occur are listed in the following table.
Port Assignments for Active Directory Replication
Service Name     UDP    TCP
LDAP             389    389
LDAP
LDAP
Kerberos         88     88
DNS              53     53
SMB over IP      445    445
Replication within a domain also requires FRS using a dynamic RPC port.
Related Information
The following resources contain additional information that is relevant to this section.
Community Additions
Typo!
Reapdmin.exe:
But this was the first one I have spotted so texts here are basically written very carefully. =)
jyrkiar
9/2/2009
2015 Microsoft