
Active Directory Replication

An infrastructure may contain many domain controllers, some of them in different sites. To keep the directory consistent across the network, proper replication between these domain controllers is essential, so the replication process needs to be planned and optimized. For example, assume you have a remote site connected to head office over a 256kb link. The site houses a sales team, and AD sync is not crucial to their day-to-day work. If replication is simply left to trigger on the default schedule, it will consume a large portion of the link just for AD sync traffic. So when you place AD servers in the network, make sure you also plan how the replication process will be optimized.

Replication between sites is built on the Active Directory Knowledge Consistency Checker (KCC). The replication process works differently depending on whether the traffic stays within a site or passes between sites. Within a site, replication is fast and occurs more frequently.

When optimizing the replication process, you mainly work with 3 factors.

Site Cost – This represents the bandwidth between sites.

Schedule – This represents how often replication should happen. For example, if a site only needs replication once a day for its operations, there is no point doing it every 2 hours.

Interval – By default, replication happens every 180 minutes.

It is always recommended to create a site wherever a domain controller is placed. For example, if office A is in a different city, we can create it as a separate site in the network. But if bandwidth is not a concern, you can still keep everything as one site.

If you use different sites, replication happens via site links. Once you create a site link, it goes into the Inter-Site Transports container and defines the connectivity between the sites. A site link can be reused for sites that have the same connectivity and availability.

To check replication, we can use 2 command line tools. Apart from those, Event Viewer can also be used to identify replication issues.

1)    repadmin /showrepl
2)    dcdiag /test:replications
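The following PowerShell script is an added example, not part of the original post. It pulls the three tuning factors (cost, interval, member sites) for every site link and then parses the CSV output of repadmin /showrepl to surface partners with replication failures. It assumes the ActiveDirectory RSAT module and repadmin.exe are available and that the account can read the Configuration partition.

```powershell
# Added example (not from the original post): review site link tuning and
# current replication health in one pass.
# Assumes: ActiveDirectory module, repadmin.exe, read access to Configuration NC.

Import-Module ActiveDirectory

# 1. Site links: cost and replication interval (minutes). Links still at the
#    well-known defaults (cost 100, interval 180) are flagged for review.
$links = Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded
foreach ($link in $links) {
    $usesDefaults = ($link.Cost -eq 100 -and $link.ReplicationFrequencyInMinutes -eq 180)
    [pscustomobject]@{
        SiteLink     = $link.Name
        Cost         = $link.Cost
        IntervalMin  = $link.ReplicationFrequencyInMinutes
        # Reduce each site DN to its CN for readability
        Sites        = ($link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
        UsesDefaults = $usesDefaults
    }
}

# 2. Replication status for every DC, parsed from repadmin's CSV output.
#    Only real data rows are kept (repadmin may repeat its header per DC).
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' }

# Report any partner/naming context with recorded failures or a non-zero last status.
$problems = $rows | Where-Object {
    [int]$_.'Number of Failures' -gt 0 -or $_.'Last Failure Status' -ne '0'
}
if ($problems) {
    $problems | Select-Object 'Source DSA', 'Destination DSA', 'Naming Context',
        'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    Write-Host 'No replication failures reported by repadmin.'
}
```

Run it from an elevated PowerShell session on a domain-joined management host; the first table shows which links are still untuned, the second which partners need the troubleshooting steps below.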

Below I list the main replication errors and the solution for each.

Slow replication – the most common replication error. To fix it, you need to review the Event Viewer entries. You also need to review the AD topology, such as how sites are linked and how those site links are optimized.

Access is denied error – to fix it, follow these steps:

1)    Stop the KDC service – net stop kdc
2)    Purge the ticket cache on the DC
3)    Reset the domain controller's account password
4)    Sync the replication partner's domain directory partition with the PDC emulator
5)    Force replication
6)    Start the KDC service

DNS lookup failure / RPC service unavailable – to fix this error, follow these steps:

1)    Run dcdiag /test:connectivity to verify the DNS CNAME and A records
2)    Check the IP configuration and ping the domain controller
3)    Restart the Netlogon service

Site and site link errors – check that the connectivity of the sites and site links is OK.

Manual replication access denied – verify the replication synchronization permissions. Use the repadmin or replmon tools to force replication.

This is the end of the article. If you have any questions, feel free to ask me at rebeladm@live.com
