Understanding Active Directory replication (2023)

If you’ve worked much with Windows 2000, you know just how important Active Directory can be. Active Directory stores everything from network security information to basic contact information for network users. As with any database of such importance, Active Directory is subject to constant updates. Normally, rapid database updates aren’t a problem. What makes Active Directory updates so special is that unlike a conventional database, Active Directory isn’t stored in a single location. Instead, it’s distributed across all of your domain controllers. Therefore, Windows 2000 must be able to keep track of any database changes, regardless of which server the change was made on. The process by which Windows keeps track of these changes is called replication. In this Daily Drill Down, I’ll discuss the concepts involved in Active Directory replication.

The multimaster model
If you’ve done much networking with Windows NT, you’re probably at least vaguely familiar with the concept of replication. As with Windows 2000, Windows NT offers the possibility of having multiple domain controllers in each domain. However, Windows NT uses a much simpler replication model than Windows 2000 does. In Windows NT, any changes to the Security Accounts Manager (SAM) database can occur only on the primary domain controller. Therefore, when an administrator makes a change to an account, the change is always applied directly to the primary domain controller, regardless of how many domain controllers actually exist on the system.

Keep in mind that in Windows NT, each domain controller maintains a copy of the SAM database. This copy allows any domain controller to authenticate users. Because each domain controller contains an independent copy of the SAM database, the copy must be updated to match changes that occur to the primary domain controller’s copy.

To avoid overwhelming the backup domain controllers, which may already be busy with other tasks, the primary domain controller doesn’t automatically push the database modifications onto the backup domain controllers. Instead, the primary domain controller simply alerts each backup domain controller to the fact that a change has occurred. When the backup domain controllers have some idle time, they each contact the primary domain controller and request that the changes be replicated to them.

Windows 2000, on the other hand, uses a much more complicated replication model called multimaster replication. In multimaster replication, any time an administrator makes a change to Active Directory, the change can be applied directly to any domain controller. Remember that in Windows 2000, there’s no such thing as a primary domain controller or a backup domain controller. Instead, a server is either a domain controller or a non-domain controller. As such, all domain controllers in Windows 2000 are treated equally.

Given the variety of types of information that Active Directory can store, it’s easy to see just how fast changes to Active Directory can accumulate across multiple domain controllers in a large organization. It’s therefore necessary for Windows to frequently synchronize the domain controllers through the replication process.

Windows 2000 accomplishes this task in a method similar to the one used by Windows NT, with the obvious exceptions I’ve already discussed. When an administrator makes a change that affects a domain controller’s copy of Active Directory, the domain controller sends a notice to the other domain controllers about the change. The other domain controllers may then request a copy of the changes when they have idle time. Because several domain controllers may be replicating changes at any given time, each Active Directory change is time-stamped. This allows Windows 2000 to know which change should take precedence in the event that contradictory changes are made within a replication cycle.
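The precedence rule just described can be observed directly: every replicated attribute carries its own metadata (a version counter, the time the write originated, and the domain controller it originated on), and comparing that metadata on two domain controllers tells you whether a change has converged. The following is an added example, not code from the original article (which predates these cmdlets); it assumes the RSAT ActiveDirectory module available on Windows Server 2012 and later, and the user name and domain controller names are placeholders. The command-line equivalent is repadmin /showobjmeta.

```powershell
# Added example, not part of the original article: read the per-attribute
# replication metadata that decides which of two conflicting writes wins,
# and compare it on two domain controllers to confirm a change has converged.
# Assumes the RSAT ActiveDirectory module; $User and the DC names are placeholders.
Import-Module ActiveDirectory

function Get-AttributeOrigin {
    param(
        [string]$Identity,                  # sAMAccountName of the user to inspect
        [string]$Server,                    # domain controller to query
        [string[]]$Attribute = @('description', 'userAccountControl', 'pwdLastSet')
    )
    $dn = (Get-ADUser -Identity $Identity -Server $Server).DistinguishedName
    # Every attribute carries a version counter, the time the write originated
    # and the DC where it originated. On a conflict the higher version wins;
    # only when versions tie does the later originating timestamp decide.
    Get-ADReplicationAttributeMetadata -Object $dn -Server $Server |
        Where-Object { $_.AttributeName -in $Attribute } |
        Select-Object @{ n = 'Server'; e = { $Server } }, AttributeName, Version,
                      LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity
}

$User = 'jdoe'                                      # placeholder account
$Dcs  = 'DC01.corp.example', 'DC02.corp.example'    # placeholder DCs

$rows = foreach ($dc in $Dcs) { Get-AttributeOrigin -Identity $User -Server $dc }
$rows | Sort-Object AttributeName, Server | Format-Table -AutoSize

# A version that differs between the two DCs means the change has not yet
# replicated (or replication is failing); identical versions mean both DCs
# hold the same write, whichever DC originated it.
$rows | Group-Object AttributeName | ForEach-Object {
    $versions = $_.Group.Version | Sort-Object -Unique
    if ($versions.Count -gt 1) {
        "{0}: versions {1} differ between DCs - not yet converged" -f $_.Name, ($versions -join ',')
    }
}
```

The originating-server column is also what you reach for during an investigation: it names the domain controller on which a suspicious change (a password reset, a userAccountControl flip) was actually written, which the replicated copy on every other DC does not reveal by itself.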

As you can imagine, the Active Directory replication process can cause considerable network traffic when large numbers of domain controllers exist within an organization. In a large organization, dozens of domain controllers could potentially be replicating hundreds of Active Directory changes at any given time. This can cause some serious congestion problems, especially on networks that are already bogged down with excessive traffic. Replication-related network traffic can also cause problems by bogging down wide area network (WAN) links. Fortunately, Windows 2000 provides an Active Directory structure that you can use to reduce the replication-related network traffic. This structure is called a site.

Intersite Active Directory replication
If your background consists primarily of working on Windows NT Servers, the concept of sites may be new to you. You’re probably familiar with sites only if you’ve used Exchange Server. Even so, sites created by Exchange Server are somewhat different from sites created by Windows 2000.

So what’s a site? To put it simply, a site is a collection of domain controllers. Typically, these domain controllers service a common group of users. To understand why dividing a network into sites is effective, you must first understand something about the nature of Active Directory.

As you probably already know, Active Directory is divided into all sorts of structures, such as domains, trees, and forests. All of these structures fall under the organization’s root level. This means that every domain controller in every level of the organization must share Active Directory information to some extent.

For example, consider an organization that contains two domains. Even if those two domains have almost nothing to do with each other, they share a common Active Directory and must therefore replicate Active Directory updates between themselves on a regular basis.

Earlier I explained how the Active Directory replication process works. In that explanation, any Active Directory changes were replicated across the entire organization on an as-needed basis. If a change was made to a domain controller, the domain controller saw the need to replicate the change to every other domain controller in the entire organization just as soon as the other domain controllers became available.

Given the examples and explanations I’ve presented so far, you might assume that if two domains or other organizational structures don’t have anything to do with each other, then there’s really no need to replicate updates between them. Nothing could be further from the truth. Your domain controllers must replicate changes with one another to maintain Active Directory’s consistency and integrity. However, just because you have to replicate Active Directory updates between unrelated organizational structures, it doesn’t mean that the replication has to occur immediately. The advantage to creating sites is that you can replicate Active Directory changes between the sites on a scheduled basis rather than on an as-needed basis.

Scheduling replication can greatly reduce network traffic and can relieve a tremendous burden from WAN links. I mentioned earlier that sites were nothing more than a collection of domain controllers that serve a common group of users. The idea is that users within these groups need to know about Active Directory updates that are directly related to them more quickly than they would need to know about Active Directory updates that relate to a different office, department, or company.

Sites are very flexible. I mentioned that a site is a collection of domain controllers that serve a common group of users, so you may have assumed that a site exists at the same level as a domain. However, this simply isn’t true. You can have multiple sites within a single domain, or you can make each domain an individual site. Other than some general guidelines, no firm rules exist governing how sites should be implemented.

When should I implement sites?
In spite of Windows 2000’s loose control over how you implement sites, some situations are much more appropriate for implementing sites than others. One situation in which you’d almost always want to implement a site would be the case of a domain spread across a WAN link. Suppose for a moment that you work for a company that has two local offices connected by a WAN link. Now imagine that the idiot from whom you inherited the network got the bright idea to use a single domain to cover both buildings. You could greatly improve the network’s efficiency by setting up each building as an individual site.

The first step you’d take in such an arrangement would be to make sure that each building has at least one domain controller. Remember that sites require domain controllers. Even if you weren’t dividing the network into sites, it would still be a good idea to have at least one domain controller in each building so that users in each building could authenticate locally. After all, you don’t want to congest your WAN link with authentication traffic.

Now, consider the reason for and the results of separating the two buildings into individual sites. There’s a good chance that the users in each building work more closely with one another than they do with users in the other office. Therefore, an Active Directory change in building A would more likely affect the users in building A than the users in building B. Because of this, you’d want to make sure that Active Directory updates within each building continue to be replicated on an as-needed basis. You still have to replicate the changes over to the other building, but doing so isn’t as time sensitive as replicating the update within the original building. Therefore, you can update the other building on a scheduled basis.

You can allow Active Directory updates to accumulate for several hours before replicating them to the other building. This means your WAN link will receive only the occasional burst of strategically timed replication traffic rather than the constant bombardment of traffic it would otherwise be subjected to.

I recommend timing the intersite replications to correspond with low periods of network traffic, such as during lunch or after people start going home for the day. Of course, if an important update is made to Active Directory, the administrator can always force an immediate replication.
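The two-building arrangement described above, worked through in PowerShell as an added example (this is not code from the original article, which predates these cmdlets): it creates a site per building, maps each building’s subnet to its site so that clients and domain controllers in that range are associated with it, moves the second building’s domain controller into its site, and creates a site link whose schedule opens only over lunch and after hours. The site, subnet and server names are placeholders; the cmdlets are the ActiveDirectory module shipped with RSAT on Windows Server 2012 and later.

```powershell
# Added example, not part of the original article: split one domain into two
# sites joined by a scheduled site link. All names below are placeholders.
Import-Module ActiveDirectory

$SiteA = 'BuildingA'; $SubnetA = '10.1.0.0/16'   # placeholder site and subnet
$SiteB = 'BuildingB'; $SubnetB = '10.2.0.0/16'   # placeholder site and subnet
$DcB   = 'DC02'                                  # placeholder: the DC in building B

# 1. Create the sites and associate each building's address range with its site.
New-ADReplicationSite -Name $SiteA
New-ADReplicationSite -Name $SiteB
New-ADReplicationSubnet -Name $SubnetA -Site $SiteA
New-ADReplicationSubnet -Name $SubnetB -Site $SiteB

# 2. Move building B's domain controller out of the site it was promoted into.
Move-ADDirectoryServer -Identity $DcB -Site $SiteB

# 3. Build the intersite schedule: start with every slot closed, then open
#    12:00-13:00 (lunch) and 19:00-23:00 (after hours) on every day of the week.
$sched = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$sched.ResetSchedule()
$H = [System.DirectoryServices.ActiveDirectory.HourOfDay]
$M = [System.DirectoryServices.ActiveDirectory.MinuteOfHour]
$sched.SetDailySchedule($H::Twelve,   $M::Zero, $H::Thirteen,    $M::Zero)
$sched.SetDailySchedule($H::Nineteen, $M::Zero, $H::TwentyThree, $M::Zero)

# 4. Create the site link. The frequency is how often the bridgeheads poll
#    while the schedule window is open (180 minutes is the default); the cost
#    matters only once there is more than one route between sites.
New-ADReplicationSiteLink -Name "$SiteA-$SiteB" `
    -SitesIncluded $SiteA, $SiteB `
    -InterSiteTransportProtocol IP `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 180 `
    -ReplicationSchedule $sched

# 5. Verify what was written, then let the local KCC rebuild connection objects
#    now rather than waiting for its next pass.
Get-ADReplicationSiteLink -Identity "$SiteA-$SiteB" -Properties ReplicationFrequencyInMinutes, ReplicationSchedule
repadmin /kcc
```

Within each site the domain controllers keep replicating on an as-needed basis exactly as before; only the traffic crossing the site link is held to the schedule. Leave the subnet definitions accurate: a domain controller or client whose address falls in no defined subnet is not associated with a site, so it does not get the local-authentication benefit the article describes.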

Now, suppose your entire company shares a single building. It’s still possible (and often a good idea) to implement sites, even though no WAN link is present. You can create a separate site for each department. Doing so can drastically cut down on the replication-related network traffic in your organization.

How do sites work?
Now that you know what a site is, let’s take a brief look at how sites work. As you’ve probably already figured out, the domain controllers that exist within a site continue to replicate with one another on an as-needed basis. Only one domain controller in each site is responsible for replicating changes with other sites, however. This domain controller is known as the bridgehead server.

Replication occurs on an as-needed basis among the domain controllers within each site. When it comes time for sites to replicate with one another, each site’s bridgehead server forwards all of the changes that have occurred since the last replication cycle to the remote site’s bridgehead server. When the bridgehead server in the remote site receives the changes, it replicates those changes to the other domain controllers within the site.

Conclusion
In this Daily Drill Down, I explained the process by which Active Directory changes are replicated between domain controllers. I also discussed why it’s sometimes necessary to reduce replication-related network traffic by dividing Active Directory into multiple sites.

The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

FAQs

How many types of replication are there in Active Directory? ›

In an Active Directory environment, there are mainly two types of replication: intrasite and intersite. As the name confirms, intrasite replication covers the replication that happens within a site. By default (according to Microsoft), any domain controller will be aware of any directory update within 15 seconds.

How do I replicate users in Active Directory? ›

Solution
  1. Open the Active Directory Sites and Services snap-in.
  2. Browse to the NTDS Setting object for the domain controller you want to replicate to.
  3. In the right pane, right-click on the connection object to the domain controller you want to replicate from and select Replicate Now.

What is inbound and outbound replication in Active Directory? ›

Inbound replication is the incoming data transfer from a replication partner to a DC, and outbound replication is the data transfer from a DC to its replication partner.

Why is replication important in AD? ›

Replication in AD DS is a critical function that is necessary to fulfill the functionality of a multimaster environment. The ability to make changes on any DC in a forest and then have those changes replicate to the other DCs is key.

What are the 3 main components of an Active Directory? ›

The Active Directory structure is composed of three main components: domains, trees, and forests. Several objects, like users or devices that use the same AD database, can be grouped into a single domain.

What are the 4 components of Active Directory? ›

The key components include domain, tree, forest, organizational unit, and site. As you read through each structural component description, consider that domains, trees, forest, and sites are not only integral with Active Directory but also integral with DNS.

How often does AD replication occur? ›

The default replication interval is 180 minutes, or 3 hours. The minimum interval is 15 minutes.

How do you check for replication issues in AD? ›

Use either of the following methods to view replication errors:
  1. Download and run the Microsoft Support and Recovery Assistant tool, or run the AD Status Replication Tool on the DCs.
  2. Read the replication status in the repadmin /showrepl output. Repadmin is part of the Remote Server Administration Tools (RSAT).

Can we create 2 users with the same name in the Active Directory? ›

The sAMAccountName must be unique (among all objects, including users, computers, and groups) in the domain. In addition, the Relative Distinguished Name (the value of the cn attribute) must be unique in the parent OU or container.

What is replication in LDAP? ›

LDAP Sync replication is an object-based replication mechanism. When any attribute value in a replicated object is changed on the provider, each consumer fetches and processes the complete changed object, including both the changed and unchanged attribute values during replication.

How do I replicate DNS between domain controllers? ›

  1. Start the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in.
  2. Expand the Sites branch to show the sites.
  3. Expand the site that contains the DCs. ...
  4. Expand the servers.
  5. Select the server you want to replicate to, and expand the server.
  6. Double-click NTDS Settings for the server.

How do I force replication between all domain controllers? ›

To ensure complete domain controller replication, the fastest solution is to use the RepAdmin command. The RepAdmin command is part of the AD DS Tools that are available via RSAT. So if you're working from a domain controller, the AD DS Tools are already installed.
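The following added example (not code from the original article or from any of the FAQ sources) ties together the "How do sites work?" section, the "How do you check for replication issues in AD?" entry and this one: it lists each site’s bridgehead servers, reads the inbound replication status of every domain controller in the forest, forces a forest-wide push with repadmin only if something is failing or stale, and re-checks. It assumes RSAT (the ActiveDirectory module plus repadmin.exe) and an account that can query every domain controller over RPC; the staleness tolerance is an assumption you should set to match your site-link schedule.

```powershell
# Added example, not part of the original page: bridgeheads, inbound health,
# conditional forced sync, re-check. Assumes RSAT and rights on every DC.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    # One row per inbound partnership per partition, for every DC in the forest.
    # LastReplicationResult 0 means the most recent attempt succeeded.
    $forest = (Get-ADForest).Name
    Get-ADReplicationPartnerMetadata -Target $forest -Scope Forest |
        Select-Object Server, Partner, Partition, LastReplicationAttempt,
                      LastReplicationSuccess, LastReplicationResult,
                      ConsecutiveReplicationFailures
}

function Get-StalePartnerships {
    # Assumption: a partnership with no success inside $MaxAgeHours is suspect.
    # Intersite links are expected to lag by their schedule, so size this accordingly.
    param([int]$MaxAgeHours = 6)
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    Get-ReplicationHealth | Where-Object {
        $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt $cutoff
    }
}

# 1. Which domain controller speaks for each site across the site links?
repadmin /bridgeheads

# 2. Failures currently recorded, with the Win32 error code of the last attempt.
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
    Format-Table Server, Partner, FailureCount, FirstFailureTime, LastError -AutoSize

# 3. Force a sync only when something is actually wrong, then re-check.
$stale = Get-StalePartnerships
if ($stale) {
    $stale | Format-Table -AutoSize
    # Push all partitions (/A) from this DC to every partner, crossing site
    # boundaries (/e), identifying servers by DN (/d), pushing rather than
    # pulling (/P). This is "Replicate Now" from Sites and Services applied to
    # every connection at once, so it ignores the intersite schedule.
    repadmin /syncall /AdeP
    Start-Sleep -Seconds 60
    Get-StalePartnerships | Format-Table -AutoSize
} else {
    'All inbound partnerships report success within the tolerance window.'
}
```

Forcing a forest-wide sync sends all pending changes over the WAN links immediately, which is exactly the burst the site schedule exists to avoid, so the script only does it when the health check finds a problem. A partnership that keeps failing after a forced sync usually points at the causes the FAQ lists further down (name resolution, connectivity, or authentication between the two bridgeheads) rather than at the schedule.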

What is AD replication and how it works? ›

Active Directory replication is the method of transferring and updating Active Directory objects from one DC to another DC. The connections between DCs are built based on their locations within a forest and site.

What happens if Active Directory replication fails? ›

Inbound or outbound replication failure causes Active Directory objects that represent the replication topology, replication schedule, domain controllers, users, computers, passwords, security groups, group memberships, and Group Policy to be inconsistent between domain controllers.

What is the purpose of a replication? ›

DNA replication is the process by which a double-stranded DNA molecule is copied to produce two identical DNA molecules. Replication is an essential process because, whenever a cell divides, the two new daughter cells must contain the same genetic information, or DNA, as the parent cell.

What are the 5 roles of Active Directory? ›

Currently in Windows there are five FSMO roles:
  • Schema master.
  • Domain naming master.
  • RID master.
  • PDC emulator.
  • Infrastructure master.
1 Dec 2021

What is difference between AD and LDAP? ›

Both AD and LDAP have different functions. LDAP is a protocol. Active Directory is a directory server. LDAP is a cross-platform open standard, but Active Directory is Microsoft's proprietary software meant for Windows users and applications.

What are the 4 most important benefits of Active Directory? ›

Advantages and Benefits of Active Directory

Centralized resources and security administration. Single logon for access to global resources. Simplified resource location.

What is the sysvol? ›

The term SYSVOL refers to a set of files and folders that reside on the local hard disk of each domain controller in a domain and that are replicated by the File Replication service (FRS). Network clients access the contents of the SYSVOL tree by using the following shared folders: NETLOGON.

What are the basics of Active Directory? ›

The following topics are core concepts of Active Directory Domain Services:
  • Attributes.
  • Containers and Leaves.
  • Object Names and Identities.
  • Naming Contexts and Directory Partitions.
  • Domain Trees.
  • Forests.
  • Active Directory Servers and Dynamic DNS.
  • Replication and Data Integrity.
23 Aug 2019

What is Active Directory in a nutshell? ›

Active Directory (AD) is a database and set of services that connect users with the network resources they need to get their work done. The database (or directory) contains critical information about your environment, including what users and computers there are and who's allowed to do what.

What are the two types of replications? ›

Replication, replication, replication. At least two key types of replication exist: direct and conceptual.

How long should AD replication take? ›

First, the local AD environment must replicate the changes, be picked up by the Connector, and sent to the cloud. This typically takes about 5-15 minutes.

What causes AD replication errors? ›

Two of the more common causes include a loss of network connectivity or a DNS configuration error. Replication errors can also occur as a result of authentication errors or a situation when the domain controller lacks the hardware resources to keep pace with the current demand.

How can I tell if Active Directory is healthy? ›

How to check the health of your Active Directory
  1. Make sure that domain controllers are in sync and that replication is ongoing. ...
  2. Make sure that all the dependency services are running properly. ...
  3. Use the Domain Controller Diagnostic tool (DCDiag) to check various aspects of a domain controller. ...
  4. Detect unsecure LDAP binds.

How do I know if DFS is replicating? ›

Get-DfsrState:

This command shows you the current replication state of DFS-R in regard to its DFS replication group partners.

What are the replication conflicts? ›

Conflicts occur when the same data is modified at two separate servers, for example, at a Publisher and Subscriber, or at two different Subscribers. Replication automatically resolves conflicts using the conflict resolver you selected when the article was created.

How many accounts can Active Directory have? ›

You can only assign one user account per computer, and each account can be used with multiple services on the computer.

Can a directory have 2 owners? ›

No, this is not possible. Each file (and so also directories) can only have one user and one group.

How many main types of users are there in Active Directory? ›

Active Directory has two forms of common security principals: user accounts and computer accounts. These accounts represent a physical entity that is either a person or a computer. A user account also can be used as a dedicated service account for some applications.

What is the difference between synchronization and replication? ›

To put it very bluntly: Replication implies strongly that there are two or more copies of (all) the data. Synchronization implies that two or more copies of data are being kept up-to-date, but not necessarily that each copy contains all of the data (although this is typically the case for database syncing).

What is the difference between run and replication? ›

Repeat and replicate measurements are both multiple response measurements taken at the same combination of factor settings; but repeat measurements are taken during the same experimental run or consecutive runs, while replicate measurements are taken during identical but different experimental runs, which are often ...

What is difference between mirroring and replication? ›

Mirroring is the copying of data or a database to a different location, while replication is the creation of data and database objects to increase distribution actions.

Can I run 2 domain controllers on the same network? ›

Actually, in a larger environment, at least two domain controllers at each physical site should be DNS servers. This provides redundancy in the event that one DC goes offline unexpectedly. Note that domain-joined machines must be configured to use multiple DNS servers in order to take advantage of this.

Can 2 servers have same DNS? ›

Yes, this is possible. Sites like google, IBM and Microsoft use many, many machines to service requests. Of course your shared hosting provider may or may not support this for you. Allowing multiple machines to participate in the domain is handled by DNS and needs to be setup on your DNS Server.

How do I replicate data from one server to another? ›

In Windows Admin Center, navigate to Server Manager, and then select one of the servers. Navigate to Roles & Features. Select Features > Storage Replica, and then click Install. Repeat on the other server.

How do I know if my domain controller is primary or secondary? ›

To check which server is the PDC, start MMC with the Active Directory Users and Computers snap-in.
  1. Right click on the domain.
  2. Click Operations Masters.
  3. All three tabs (RID, PDC, Infrastructure) should show the same server as the Operations Master.
27 Apr 2012
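The same answer from PowerShell, covering all five FSMO roles listed under "What are the 5 roles of Active Directory?" as well as the PDC emulator asked about here. This is an added example, not code from the original page; it assumes the RSAT ActiveDirectory module, and the final check is an added sanity test that every role holder still resolves to a domain controller in the forest.

```powershell
# Added example, not part of the original page: list the FSMO role holders
# and warn if a role points at a server that is no longer a domain controller.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    # The two forest-wide roles are properties of the forest object; the three
    # per-domain roles are properties of the domain object.
    [pscustomobject]@{ Role = 'Schema master';         Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Role = 'Domain naming master';  Holder = $forest.DomainNamingMaster }
    [pscustomobject]@{ Role = 'RID master';            Holder = $domain.RIDMaster }
    [pscustomobject]@{ Role = 'PDC emulator';          Holder = $domain.PDCEmulator }
    [pscustomobject]@{ Role = 'Infrastructure master'; Holder = $domain.InfrastructureMaster }
}

$holders = Get-FsmoHolders
$holders | Format-Table -AutoSize
# Command-line equivalent: netdom query fsmo

# Sanity check: every holder should be a domain controller that still exists
# somewhere in the forest. A stale holder (a DC that was removed without the
# role being seized) is a common cause of odd replication and logon symptoms.
$allDcs = (Get-ADForest).Domains | ForEach-Object {
    (Get-ADDomainController -Filter * -Server $_).HostName
}
$holders | Where-Object { $_.Holder -notin $allDcs } | ForEach-Object {
    "WARNING: {0} is held by {1}, which is not a domain controller in this forest" -f $_.Role, $_.Holder
}
```

Note that the three tabs in the Users and Computers dialog show only the domain-level roles; the schema and domain naming masters are forest-level and are visible in the Schema and Domains and Trusts snap-ins respectively, which is why the script reads them from Get-ADForest.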

What is replication with example? ›

It is a molecular process taking place in dividing cells by which the DNA creates a copy of itself. Another use of the word “replication” in biology is about carrying out a similar procedure. The repetition of a laboratory procedure is an example in this regard.

What is the purpose of DFS replication? ›

DFS Replication is a role service in Windows Server that enables you to efficiently replicate folders (including those referred to by a DFS namespace path) across multiple servers and sites.

What ports are required for Active Directory replication? ›

The ports given below are used for Active Directory replication.
  • TCP port 135: RPC (Remote Procedure Call)
  • TCP/UDP port 389: LDAP
  • TCP/UDP port 636: LDAP over SSL
  • TCP port 3268: Global Catalog LDAP
  • TCP port 3269: Global Catalog LDAP over SSL
  • TCP/UDP port 53: DNS
  • TCP/UDP port 88: Kerberos
  • TCP port 445: SMB
23 Feb 2022
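A quick way to confirm that the fixed ports in the list above are reachable from one domain controller to its partners, as an added example (not code from the original page). It assumes Windows 8 / Server 2012 or later for Test-NetConnection, and the partner names are placeholders. Two caveats the list itself does not state: only the TCP side of each port can be probed with a connect test, and RPC-based replication negotiates a dynamic high port after the TCP 135 endpoint-mapper exchange, so a clean result here proves the fixed ports are open but not that the dynamic range is.

```powershell
# Added example, not part of the original page: TCP reachability of the
# replication ports listed above, from this host to each partner DC.
$Partners = 'DC01.corp.example', 'DC02.corp.example'   # placeholder partner DCs

# Fixed TCP ports from the list above (the UDP variants cannot be probed this way)
$Ports = @{
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog LDAP'
    3269 = 'Global Catalog LDAP over SSL'
    53   = 'DNS'
    88   = 'Kerberos'
    445  = 'SMB'
}

function Test-ReplicationPorts {
    param([string[]]$ComputerName, [hashtable]$PortMap)
    foreach ($dc in $ComputerName) {
        foreach ($port in ($PortMap.Keys | Sort-Object)) {
            # -WarningAction hides the per-port "TCP connect failed" noise;
            # the result object still carries the outcome.
            $r = Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue
            [pscustomobject]@{
                Partner = $dc
                Port    = $port
                Service = $PortMap[$port]
                Open    = $r.TcpTestSucceeded
            }
        }
    }
}

$results = Test-ReplicationPorts -ComputerName $Partners -PortMap $Ports
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Open } | ForEach-Object {
    "BLOCKED: {0}:{1} ({2})" -f $_.Partner, $_.Port, $_.Service
}
```

Run it from each bridgehead toward the bridgehead in the other site; a firewall between sites that passes LDAP and Kerberos but not RPC is a classic reason for intrasite replication to be fine while the site link never catches up.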

Why is DFS not replicating? ›

The DFS Replication service stopped replication on volume C:. This failure can occur because the disk is full, the disk is failing, or a quota limit has been reached. This can also occur if the DFS Replication service encountered errors while attempting to stage files for a replicated folder on this volume.

Does DFS replication require Active Directory? ›

DFS Replication relies on Active Directory® Domain Services for configuration. It will only work in a domain.

What is the process of replication? ›

Replication occurs in three major steps: the opening of the double helix and separation of the DNA strands, the priming of the template strand, and the assembly of the new DNA segment. During separation, the two strands of the DNA double helix uncoil at a specific location called the origin.

Why should we replicate data? ›

The goal of data replication is business continuity – to ensure that data is readily available for the multiple users (and use cases) who require it. For example, data can be copied from on-premises systems to cloud-based environments to support near real-time analytics.

What are different types of replication types? ›

Transactional replication and merge replication provide options for these types of applications.

What are different types of replicates? ›

There are two primary types of replicates: technical and biological.

What are the different types of replication explain? ›

Types of Replication:

Snapshot replication sends the entire data set to the subscriber. Transactional replication only sends modifications to the data. Merge replication items are modified at both the publisher and subscribers. Heterogeneous replication allows access to other database products.

What are the 3 models of replication? ›

There were three models for how organisms might replicate their DNA: semi-conservative, conservative, and dispersive.

Why is there 3 replications? ›

The main reason to keep the replication factor at 3 is that if a particular data node goes down, the blocks in it won't be accessible, but with a replication factor of 3 its copies are stored on different data nodes, so even if the 2nd data node also goes down, that data will still be highly available ...

What does 3 replicates mean? ›

verb. To make three copies of. adjective. Having three copies; triple; threefold. Supplement.

What is the difference between replication and duplicate? ›

Duplicate may be used as a noun, verb or adjective. Related words are duplicates, duplicated, duplicating, duplication. The word duplicate is derived from the Latin word duplicare, which means to double. Replicate means to reproduce something, to construct a copy of something, to make a facsimile.

What is the role of replications? ›

The purpose of replication is to advance theory by confronting existing understanding with new evidence. Ironically, the value of replication may be strongest when existing understanding is weakest. Theory advances in fits and starts with conceptual leaps, unexpected observations, and a patchwork of evidence.

What are the two primary reasons for replicating data? ›

Two primary reasons for replication: reliability and performance. Increasing reliability:
  • If a replica crashes, the system can continue working by switching to other replicas.
  • Avoid corrupted data: can protect against a single, failing write operation.

What is replication in simple words? ›

Copy, reproduction; the action or process of reproducing or duplicating, as in "replication of DNA" or "viral replication".

What is replication strategy? ›

A replication strategy determines the nodes where replicas are placed. The total number of replicas across the cluster is referred to as the replication factor. A replication factor of 1 means that there is only one copy of each row in the cluster. If the node containing the row goes down, the row cannot be retrieved.

What is the difference between replication and redundancy? ›

Redundancy increases reliability while replication ensures consistency. Replication does not necessarily ensure consistency.

Article information

Author: Prof. An Powlowski

Last Updated: 02/15/2023
