Active Directory Replication Tools and Settings
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
In this section
Active Directory Replication Tools
Active Directory Replication Registry Entries
Active Directory Replication Group Policy Settings
Active Directory Replication WMI Classes
Network Ports Used by Active Directory Replication
Related Information
Active Directory Replication Tools
The following tools are associated with Active Directory replication.
Note
In Windows 2000 Server and Windows Server 2003, the directory service is named Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS). The rest of this topic refers to Active Directory, but the information is also applicable to AD DS.
Dssite.msc: Active Directory Sites and Services
Category: Active Directory Administrative Tools Microsoft Management Console (MMC) snap-in. This tool is installed automatically when you install Active Directory, and is available on the Start menu under Programs\Administrative Tools. This tool also ships with the Administration Tools Pack (Adminpak.msi).
Version compatibility:
Description: Active Directory Sites and Services provides a view into the Sites container of the configuration directory partition. Use Active Directory Sites and Services to manage Active Directory replication topology. The following objects and their properties can be managed by using this tool:
Sites container: Add new sites.
Site objects: Add new servers to a site.
NTDS Site Settings object: For each site, view the connection object schedule and enable Universal group membership caching.
Server object: View the NTDS Settings object and designate the server as a bridgehead server.
NTDS Settings object: View inbound connections for the server. View the connection object schedule and change the source server for the connection.
Inter-Site Transports container: Manage IP and SMTP site links.
Site link objects: Manage the site link properties for a set of sites.
Subnets container: Add, remove, and configure subnets with IP addresses. Associate subnets with sites.
Repadmin.exe: Repadmin
Category: Command-line tool.
Version compatibility:
Description: Repadmin is used to view the replication information on domain controllers. You can determine the last successful replication of all directory partitions, identify inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and generally manage Active Directory replication topology. You can use Repadmin to force replication of an entire directory partition or of a single object. You can also list domain controllers in a site.
Repadmin is extended to enable commands to target sets of domain controllers. For example, you can target all domain controllers in a site or domain, or all domain controllers that are global catalog servers.
Repadmin also includes the RemoveLingeringObjects command, which removes lingering objects: objects that were deleted elsewhere in the forest but still exist on a domain controller that missed the deletion, so that they no longer exist in the replica of the same directory partition on the reference source domain controller. Left in place, a lingering user, group, or group membership can be replicated back into the forest and effectively reanimated.
For more information about removing lingering objects, see "Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)" in the Windows Server 2003 Operations Guide at https://go.microsoft.com/fwlink/?LinkId=44131. For more information about Repadmin, see Repadmin Overview.
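The following is an added example, not code from the original page or from the Repadmin tool itself. It parses the CSV that `repadmin /showrepl * /csv` emits and flags inbound replication links that are failing or stale; the column names are those repadmin writes, while the 24-hour staleness threshold, the hostnames, and the sample rows are assumptions constructed for the example. Stale links are a security finding as well as an availability one: a domain controller that has stopped receiving changes still authenticates users against pre-change passwords, old account states, and old group memberships.

```powershell
# Added example (not from the original page): parse `repadmin /showrepl * /csv`
# output into objects and flag inbound links that are failing or stale.

function ConvertFrom-RepadminShowReplCsv {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,  # raw lines from repadmin /showrepl /csv
        [int]$StaleHours = 24,                       # assumption: no success in 24 h counts as stale
        [int]$FailureThreshold = 1                   # assumption: any consecutive failure is reported
    )
    # repadmin tags the header row "showrepl_COLUMNS" and data rows "showrepl_INFO"
    # in the first column; drop anything else (banners, blank lines).
    $rows = $CsvLines | Where-Object { $_ -match '^showrepl_(COLUMNS|INFO),' } | ConvertFrom-Csv
    foreach ($r in $rows) {
        $lastSuccess = $null
        if ($r.'Last Success Time' -and $r.'Last Success Time' -ne '0') {
            $lastSuccess = [datetime]::Parse($r.'Last Success Time', [cultureinfo]::InvariantCulture)
        }
        $failures = [int]$r.'Number of Failures'
        $stale = ($null -eq $lastSuccess) -or ($lastSuccess -lt (Get-Date).AddHours(-$StaleHours))
        [pscustomobject]@{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            SourceSite    = $r.'Source DSA Site'
            NamingContext = $r.'Naming Context'
            Failures      = $failures
            LastSuccess   = $lastSuccess
            LastStatus    = $r.'Last Failure Status'   # Win32 error, e.g. 1722 = RPC server unavailable
            Problem       = ($failures -ge $FailureThreshold) -or $stale
        }
    }
}

# Constructed sample in the repadmin /showrepl /csv layout (not captured from a
# real forest) so the parser can be exercised offline. DC01 replicates fine from
# DC02 but has not replicated from DC03 for days.
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    'showrepl_INFO,HQ,DC01,"DC=corp,DC=example,DC=com",HQ,DC02,RPC,0,0,2014-05-21 09:15:32,0',
    'showrepl_INFO,HQ,DC01,"DC=corp,DC=example,DC=com",Branch,DC03,RPC,12,2014-05-21 08:40:02,2014-05-13 22:01:10,1722'
)

ConvertFrom-RepadminShowReplCsv -CsvLines $sample | Where-Object Problem | Format-Table -AutoSize

# Live use on a domain controller or a host with the admin tools installed:
#   ConvertFrom-RepadminShowReplCsv -CsvLines (repadmin /showrepl * /csv) | Where-Object Problem
```

Feeding the function the output of `repadmin /showrepl * /csv` targets every domain controller in the forest; the same parser works on CSV collected earlier from a jump host, which is useful when reconstructing how long a domain controller was isolated during an incident.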
Ntdsutil.exe: Ntdsutil
Category: Command-line tool.
Version compatibility:
Description: Ntdsutil.exe provides management capabilities for Active Directory. You can use Ntdsutil.exe to perform Active Directory database maintenance, manage and control single-master operations, and remove replication metadata left behind by domain controllers that are removed from the network without uninstalling Active Directory. The version of Ntdsutil that is included with Windows Server 2003 SP1 removes File Replication service (FRS) metadata in addition to Active Directory replication metadata. You can also use Ntdsutil to create application directory partitions and perform authoritative restore operations. This tool is intended for use by experienced administrators.
Active Directory Replication Registry Entries
The information here is provided as a reference for use in troubleshooting or verifying that the required settings are applied. It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.
The following registry settings cannot be modified by using Group Policy or other Windows tools.
NTDS Parameters Registry Settings
The following registry entries are associated with Active Directory replication.
Replicator notify pause after modify (secs)
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Windows 2000 Server.
Default value
Windows 2000 Server: 300 seconds.
The value for the delay between an originating update on a domain controller and the first change notification. On domain controllers running Windows Server 2003 or higher, the initial change notification delay is stored in the msDS-Replication-Notify-First-DSA-Delay attribute on the cross-reference (crossRef) object for each directory partition in CN=Partitions in the Configuration container, not in the registry. The default value in Windows Server 2003 and higher operating systems is decreased to 15 seconds when the forest functional level is Windows Server 2003 or higher.
Replicator notify pause between DSAs (secs)
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Windows 2000 Server.
Default value
Windows 2000 Server: 30 seconds
The value for the delay before each subsequent change notification. On domain controllers running Windows Server 2003 or higher, the subsequent notification delay is stored in the msDS-Replication-Notify-Subsequent-DSA-Delay attribute on the cross-reference (crossRef) object for each directory partition in CN=Partitions in the Configuration container, not in the registry. The default value in Windows Server 2003 and higher is decreased to 3 seconds when the forest functional level is Windows Server 2003 or higher.
RPC Replication Timeout (mins)
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
Windows 2000 Server: 45 minutes; Windows Server 2003 and higher server operating systems: 5 minutes.
The number of minutes between initiation of Active Directory replication and the RPC timeout. The domain controller must be restarted before the change takes effect.
Strict replication consistency
Registry path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server with SP3.
Default value
Windows 2000 Server with SP3: off (0); Windows Server 2003 and higher server operating systems: on (1)
The value that determines how a domain controller treats inbound replication of outdated objects (lingering objects) from a reconnected domain controller that has not replicated in longer than a tombstone lifetime. If the destination domain controller has strict replication consistency enabled (1), inbound replication of an outdated object is blocked and an event is logged. If the destination domain controller has strict replication consistency disabled (0), the full object is replicated in, which can reintroduce accounts, groups, or group memberships that were deleted everywhere else. Keep this value on unless you are deliberately allowing divergent replication.
Replicator intra site packet size (objects)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.
The maximum number of objects in one packet for RPC replication within a site.
Replicator intra site packet size (bytes)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
1/100th the size of RAM, with a minimum of 1 megabyte (MB) and a maximum of 10 MB.
The maximum total size, in bytes, of the objects in one packet for RPC replication within a site.
Replicator inter site packet size (objects)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.
The maximum number of objects per packet for RPC replication between sites.
Replicator inter site packet size (bytes)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
1/100th the size of RAM, with a minimum of 1 MB and a maximum of 10 MB.
The maximum total size, in bytes, of the objects in one packet for RPC replication between sites.
Replicator async inter site packet size (objects)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.
Default value
1/1,000,000th the size of RAM, with a minimum of 100 objects and a maximum of 1,000 objects.
The maximum number of objects per packet for SMTP replication between sites.
Replicator async inter site packet size (bytes)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
1 MB.
The maximum total size, in bytes, of the objects in one packet for SMTP replication between sites.
Replicator compression algorithm
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003.
Default value
3 (the Windows Server 2003 and later compression algorithm). For Windows 2000 Server compression, change the value to 2.
Determines the compression algorithm that is used for replication over a site link.
Repl topology update delay (secs)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
300 seconds.
Number of seconds to wait between the time Active Directory starts and the KCC performs the first topology check.
To find more information about Repl topology update delay (secs), see “Registry Reference” in Tools and Settings Collection.
Repl topology update period (secs)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.
Default value
900 seconds.
Interval between KCC replication topology checks.
To find more information about Repl topology update period (secs), see “Registry Reference” in Tools and Settings Collection.
IntersiteFailuresAllowed
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
1.
Number of failed replication attempts prior to excluding nonresponding servers from the intersite topology.
MaxFailureTimeForIntersiteLink (sec)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
7200 seconds (2 hours).
Time in seconds that must elapse prior to excluding nonresponding servers from the intersite topology.
NonCriticalLinkFailuresAllowed
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
1.
Number of failed replication attempts prior to excluding nonresponding servers from the intrasite topology.
MaxFailureTimeForNonCriticalLink (sec)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008, Windows Server 2008 R2, Windows Server 2003, Windows 2000 Server.
Default value
43200 seconds (12 hours).
Time in seconds that must elapse prior to excluding nonresponding servers from the intrasite topology.
CriticalLinkFailuresAllowed
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
0.
Number of failed replication attempts prior to excluding nonresponding servers for immediate neighbor connections within a site.
MaxFailureTimeForCriticalLink (sec)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
7200 seconds (2 hours).
Time in seconds that must elapse prior to excluding nonresponding servers for immediate neighbor connections within a site.
TCP/IP Port
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server.
Default value
Not set. When the value is absent, the directory service registers a dynamically assigned RPC port with the endpoint mapper.
The fixed TCP port that the directory service uses for RPC replication instead of a dynamically assigned port. Port 135 is the RPC endpoint mapper, not the replication port, and it must remain reachable even when a fixed port is configured. The domain controller must be restarted before the change takes effect.
Backup Latency Threshold (days)
Registry path
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Version
Windows Server 2008 R2, Windows Server 2008, Windows Server 2003 with SP 1
Default value
Half the value of the tombstone lifetime of the forest.
When the value is reached, logs event ID 2089 in the Directory Service event log, warning administrators and monitoring applications to make sure that domain controllers are backed up before the tombstone lifetime expires.
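The script below is an added example, not code from the original page. It audits the NTDS Parameters values described above against their documented defaults on the local domain controller, and reads the change-notification delays that Windows Server 2003 and later keep on the crossRef objects instead of in the registry. The ActiveDirectory module (RSAT) is assumed for the second function; the choice of which values to check and the "Ok" logic are the example's own.

```powershell
# Added example (not from the original page): audit NTDS replication registry
# values against the documented defaults and read the crossRef notification delays.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Test-NtdsReplicationRegistry {
    param([string]$Path = $NtdsParams)
    $p = Get-ItemProperty -Path $Path
    # Absent values mean the built-in default applies; each check states what it expects.
    $strict = $p.'Strict Replication Consistency'
    $port   = $p.'TCP/IP Port'
    $rpcTo  = $p.'RPC Replication Timeout (mins)'
    @(
        [pscustomobject]@{
            Setting  = 'Strict Replication Consistency'
            Actual   = $strict
            Expected = 1
            Ok       = ($strict -eq 1)     # 0 lets lingering objects replicate back in
        }
        [pscustomobject]@{
            Setting  = 'TCP/IP Port'
            Actual   = $port
            Expected = '(not set: dynamic RPC port)'
            Ok       = ($null -eq $port)   # a static port is legitimate; confirm firewalls allow it
        }
        [pscustomobject]@{
            Setting  = 'RPC Replication Timeout (mins)'
            Actual   = $rpcTo
            Expected = '(not set: 5 minutes on Windows Server 2003 and later)'
            Ok       = ($null -eq $rpcTo) -or ($rpcTo -ge 5)
        }
    )
}

function Get-PartitionNotifyDelay {
    # Reads msDS-Replication-Notify-First-DSA-Delay and
    # msDS-Replication-Notify-Subsequent-DSA-Delay from each crossRef under
    # CN=Partitions in the Configuration partition. Empty means the documented
    # default (15 s and 3 s at Windows Server 2003 forest functional level) applies.
    Import-Module ActiveDirectory -ErrorAction Stop
    $partitions = 'CN=Partitions,' + (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -SearchBase $partitions -LDAPFilter '(objectClass=crossRef)' `
        -Properties nCName, 'msDS-Replication-Notify-First-DSA-Delay', 'msDS-Replication-Notify-Subsequent-DSA-Delay' |
        ForEach-Object {
            [pscustomobject]@{
                Partition          = $_.nCName
                FirstDelaySec      = $_.'msDS-Replication-Notify-First-DSA-Delay'
                SubsequentDelaySec = $_.'msDS-Replication-Notify-Subsequent-DSA-Delay'
            }
        }
}

Test-NtdsReplicationRegistry | Format-Table -AutoSize
Get-PartitionNotifyDelay     | Format-Table -AutoSize
```

If the audit finds strict replication consistency turned off, Repadmin can set it on every domain controller without hand-editing registries: `repadmin /regkey * +strict`. That keeps to the page's advice of preferring a supported tool over the registry editor.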
Active Directory Replication Group Policy Settings
The following table lists and describes the Group Policy settings that are associated with Active Directory replication updates.
Group Policy Settings Associated with Active Directory Replication
Group Policy Setting | Description
---|---
Account Lockout Policy | Changes to these settings in the Domain Security Policy trigger urgent replication.
Password Policy | Changes to these settings in the Domain Security Policy trigger urgent replication.
Contact PDC on logon failure | Account lockout and domain password changes rely on contacting the primary domain controller (PDC) emulator urgently to update the PDC emulator with the change. If Contact PDC on logon failure is disabled, replication of password changes to the PDC emulator occurs non-urgently.
To find more information about these Group Policy settings, see “Group Policy Settings Reference” in Tools and Settings Collection.
Active Directory Replication WMI Classes
The following table lists and describes the WMI classes that are associated with Active Directory replication. These classes are shipped with Windows Server 2003 or later server operating systems, but are also compatible with Windows 2000 Server.
WMI Classes Associated with Active Directory Replication
Class Name | Namespace | Version Compatibility
---|---|---
MSAD_DomainController | \\root\MicrosoftActiveDirectory | Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server
MSAD_NamingContext | \\root\MicrosoftActiveDirectory | Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server
MSAD_ReplNeighbor | \\root\MicrosoftActiveDirectory | Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server
MSAD_ReplCursor | \\root\MicrosoftActiveDirectory | Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server
MSAD_ReplPendingOp | \\root\MicrosoftActiveDirectory | Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000 Server
For more information about these WMI classes, see the WMI SDK documentation on MSDN.
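As an added example that is not part of the original page, the function below reads two of the classes in the table over CIM: MSAD_ReplNeighbor for each inbound partner and MSAD_ReplPendingOp for the queue of replication operations not yet performed. The property names used (NamingContextDN, SourceDsaCN, SourceDsaSite, NumConsecutiveSyncFailures, LastSyncResult, TimeOfLastSyncSuccess on MSAD_ReplNeighbor; NamingContextDN on MSAD_ReplPendingOp) come from the published classes, not from this page, and the session, hostnames, and output shape are the example's own assumptions.

```powershell
# Added example (not from the original page): query MSAD_ReplNeighbor and
# MSAD_ReplPendingOp over CIM on one or more domain controllers.

$AdWmiNamespace = 'root\MicrosoftActiveDirectory'

function Get-DcReplicationState {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$UseDcom   # older DCs without WinRM: fall back to DCOM
    )
    $opt = if ($UseDcom) { New-CimSessionOption -Protocol Dcom } else { New-CimSessionOption -Protocol Wsman }
    foreach ($dc in $ComputerName) {
        $s = New-CimSession -ComputerName $dc -SessionOption $opt
        try {
            $neighbors = Get-CimInstance -CimSession $s -Namespace $AdWmiNamespace -ClassName MSAD_ReplNeighbor
            $pending   = Get-CimInstance -CimSession $s -Namespace $AdWmiNamespace -ClassName MSAD_ReplPendingOp
            foreach ($n in $neighbors) {
                # Queue depth for this partition: operations enqueued but not yet performed.
                $backlog = @($pending | Where-Object { $_.NamingContextDN -eq $n.NamingContextDN }).Count
                [pscustomobject]@{
                    DC            = $dc
                    NamingContext = $n.NamingContextDN
                    Source        = $n.SourceDsaCN
                    SourceSite    = $n.SourceDsaSite
                    Failures      = $n.NumConsecutiveSyncFailures
                    LastResult    = $n.LastSyncResult        # 0 = success, otherwise a Win32 error code
                    LastSuccess   = $n.TimeOfLastSyncSuccess
                    PendingOps    = $backlog
                }
            }
        }
        finally {
            Remove-CimSession -CimSession $s
        }
    }
}

# Every DC in the domain (assumes the ActiveDirectory module is available):
#   Get-DcReplicationState -ComputerName (Get-ADDomainController -Filter * | ForEach-Object HostName) |
#       Sort-Object Failures -Descending | Format-Table -AutoSize
```

Because the query needs only WMI access on the domain controller, it is a practical way to feed neighbor failures and pending-operation backlog into monitoring without installing the admin tools on the collector.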
Network Ports Used by Active Directory Replication
By default, RPC-based replication uses dynamic port mapping. When connecting to an RPC endpoint during Active Directory replication, the RPC run time on the client contacts the RPC endpoint mapper on the server at a well-known port (TCP port 135) and asks which port has been registered for the directory service's replication interface on that server. This query occurs whether the port assignment is dynamic (the default) or fixed by using the TCP/IP Port registry entry. The client therefore never needs advance knowledge of the replication port, but both port 135 and the port the endpoint mapper returns must be reachable through any firewall between the two domain controllers.
Note
- An endpoint comprises the protocol, local address, and port address.
In addition to port 135 and the RPC port it maps, other ports that are required for replication to occur are listed in the following table.
Port Assignments for Active Directory Replication
Service Name | UDP | TCP
---|---|---
LDAP | 389 | 389
LDAP | | 636 (Secure Sockets Layer [SSL])
LDAP | | 3268 (global catalog)
Kerberos | 88 | 88
DNS | 53 | 53
SMB over IP | 445 | 445
Replication within a domain also requires FRS using a dynamic RPC port.
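The function below is an added example, not code from the original page. It probes the TCP ports from the table, the endpoint mapper, and, where a domain controller has been given a static TCP/IP Port value, that port, from the host you run it on. The hostname and the static port are assumptions to be replaced; the UDP entries in the table cannot be verified this way because Test-NetConnection only performs TCP connects.

```powershell
# Added example (not from the original page): check that the TCP ports Active
# Directory replication needs are reachable on a domain controller.

function Test-AdReplicationPorts {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$StaticReplicationPort    # assumption: set only if the DC uses the TCP/IP Port registry value
    )
    # Ports from the table above plus the RPC endpoint mapper.
    $tcp = [ordered]@{
        'RPC endpoint mapper' = 135
        'LDAP'                = 389
        'LDAP over SSL'       = 636
        'Global catalog'      = 3268
        'Kerberos'            = 88
        'DNS'                 = 53
        'SMB over IP'         = 445
    }
    if ($StaticReplicationPort) { $tcp['Directory service RPC (static)'] = $StaticReplicationPort }

    foreach ($svc in $tcp.Keys) {
        $r = Test-NetConnection -ComputerName $DomainController -Port $tcp[$svc] -WarningAction SilentlyContinue
        [pscustomobject]@{
            Service = $svc
            Port    = $tcp[$svc]
            TcpOpen = $r.TcpTestSucceeded
        }
    }
    # Kerberos 88 and DNS 53 over UDP are not probed here; Test-NetConnection is TCP only.
}

# Test-AdReplicationPorts -DomainController dc01.corp.example.com
# Test-AdReplicationPorts -DomainController dc02.corp.example.com -StaticReplicationPort 50000
```

When the replication port is dynamic, only the endpoint mapper can tell you which port is in use; Microsoft's PortQry tool (`portqry -n <dc> -e 135`) lists the registered endpoints, and the FRS port mentioned above is discovered the same way.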
Related Information
The following resources contain additional information that is relevant to this section.