Active Directory Replication

The actual process of getting updates from one domain controller to another differs depending on whether replication takes place within a site or between sites. As discussed earlier in the series, a site is a collection of high-speed IP subnets, and the intermediary element between sites is most often a WAN link. You need to define subnets in Active Directory, or AD will assume that all domain controllers are part of the single default site, literally named Default-First-Site-Link.

Replication within a site happens on a 5-minute change notification interval. After an originating update occurs on a domain controller, it waits 5 minutes before initiating a change notification message to replication partners (separated by 30-second intervals). This gives the domain controller time to batch many changes instead of initiating replication for every change. After being notified, replication partners pull the changes. Note that replication is always pulled, not pushed. Replication between sites is a bigger topic and will be discussed in a bit.

A process called the Knowledge Consistency Checker (KCC), which runs on all domain controllers, creates the connection objects between domain controllers automatically. The KCC runs every 15 minutes and changes the topology of connection objects if necessary (for example, if a domain controller cannot be contacted). It is also possible to create connection objects between domain controllers manually, though this is not necessary. Connection objects are listed (and can be created) in Active Directory Sites and Services under the NTDS settings icon for a server. Note that the connection objects listed are those from which a given domain controller will pull replicated changes. By default, the KCC creates a topology that ensures that a domain controller is never more than 3 hops away from another domain controller. Here, a hop is a domain controller that must be traversed to get a change to another domain controller.
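The timing and hop rules above can be combined into a small model that estimates how long one change takes to reach every domain controller in a site. This is an added example, not code from the original article: the ring topology and DC names are constructed, and the model assumes that a DC receiving a replicated change holds it for the same 5 minutes before notifying onward and that the pull itself takes no time.

```python
import heapq

NOTIFY_DELAY = 300    # page: a DC waits 5 minutes before notifying partners
NOTIFY_STAGGER = 30   # page: notifications to partners are 30 seconds apart

def ring(names):
    """Constructed sample topology: every DC notifies its two ring neighbours."""
    n = len(names)
    return {names[i]: [names[(i + 1) % n], names[(i - 1) % n]] for i in range(n)}

def propagate(partners, origin):
    """Return {dc: (arrival_seconds, hops)} for one change made on origin.

    Assumptions of this model: a DC that pulls a replicated change holds it
    for NOTIFY_DELAY before notifying onward, and the pull itself takes no time.
    """
    arrival = {origin: (0, 0)}
    queue = [(0, 0, origin)]
    while queue:
        t, hops, dc = heapq.heappop(queue)
        if arrival[dc] != (t, hops):        # superseded by an earlier arrival
            continue
        for i, partner in enumerate(partners[dc]):
            notified = t + NOTIFY_DELAY + i * NOTIFY_STAGGER
            if partner not in arrival or notified < arrival[partner][0]:
                arrival[partner] = (notified, hops + 1)
                heapq.heappush(queue, (notified, hops + 1, partner))
    return arrival

def worst_case(partners, origin):
    """Return (seconds until the last DC has the change, most hops needed)."""
    arrival = propagate(partners, origin)
    return (max(t for t, _ in arrival.values()),
            max(h for _, h in arrival.values()))

if __name__ == "__main__":
    for size in (7, 8):
        names = [f"DC{i}" for i in range(1, size + 1)]
        seconds, hops = worst_case(ring(names), "DC1")
        flag = "" if hops <= 3 else "  <- exceeds the 3-hop limit"
        print(f"{size} DCs: last DC updated after {seconds}s, {hops} hops{flag}")
```

Under these assumptions a seven-DC ring converges in 990 seconds within 3 hops, while an eight-DC ring needs 4 hops, so a plain ring of that size no longer satisfies the 3-hop limit without additional connection objects.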

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.