This week i’ve set up the first Windows 2012 R2 domain controller at a customer. All worked good and looked fine. But when i had to create two new user accounts i found out that these two accounts weren’t replicated to the new domain controller, i’ve just set up a day erlier, nor to another domain controller in another site. I discovered also that the NTDS settings and replication topology wasn’t complete. The new domain controller had not a single connection to active directory domain services. The customer has two sites which are connected over a leased line. Both sites have their domain controllers. Those new user accounts i’ve created on an existing Windows 2008 R2 domain controller.
After nearly two days of testing and troubleshooting the problem seems to be solved. All domain controllers are replicating and talking with each other domain controllers. When i create a user account it will show up instantly on all other domain controllers. Also the replication topology is now looking good. KCC generated the missing topology now automatically, which wasn’t the case directly after the new domain controller was on duty.
I want to provide you some information about this issue and how i solved it. Probably it will help you solving your Active Directory replication issues. And if not i hope it will be at least something you can check if this patricular thing is ok and help you with troubleshooting.
Since we know Active Directory, we know also that its replication works automatically between the domain controllers. The lowest value of this replication schedule is 15 minutes. You can’t get lower. If there aren’t that many frequent changes, or the active directory site is not large (probably with only one site) then this value should work for you.
But what if your active directory environment is larger? What if you have more than one site, on different locations, with different networks? Or what if you’ve got some remotedesktop services running in your main site and some users working with them in a branch office? What about the “i forgot my password” cases?
Well, there is a solution for you. We can tune-up the Active Directory Inter-Site Replication. The inter-site replication works also automatically, and you can also schedule the replication only for 15 minutes. But there are some settings we can tweak to get the domain controllers pulling the changes made recently. Let me show you how to do that.
First open “Active Directory Sites and Services” on your primary domain controller (that’s the icon with the blue “building”).
Personally i think it’s a good approach to expand first all the items in the tree, so you can make sure you don’t miss any hidden item in this tree.
Let’s start now with the tuning operation. Expand “Sites” and “Inter-Site Transports” (if you haven’t already). Click on the IP folder.
Now right-click (or double-click) on your site link on the right hand side. If you did not rename it it’s just the DEFAULTIPSITELINK. Then click “Properties”. Then click on the “Attribute Editor” tab.
The attribute we should edit is called “options”. You can search for but you won’t find it. All attributes which haven’t actually a value set are hidden. To unhide it click on “Filter” and click “Show only attributes that have values”. The checkmark disappears and now you should find the “options” attribute in the list.
We now have to change this attribute to a specific value which allows us to tweak the inter-site replication.
You can use any combination of these. If your options attribute already has a value you need to perform a BITWISE OR operation on the existing value. If the value is 4, convert that to binary (100), perform an OR operation with binary 1, the result should be binary 101, which you convert to decimal (5) and enter as the value of the options attribute.
Now we have set this option (in my case i’ve set it to 1). That should look like that:
But there’s more. At least in my production site there wasn’t an instant replication after changing the options attribute in the inter-site link, i had to dig a little deeper.
So i searched in every site, site link and server on this active directory infrastructure for this setting and changed it to 1 everywhere. It was some clicking, but it helped.
And don’t forget these naughty bits in the NTDS settings:
Change notification will fail with manual connection objects. That is, if your connection objects are not created by the KCC (Knowledge Consistency Checker).
Conclusion for Inter-Site Replication
It was some clicking and also testing. But after changing the options attribute on every piece the result was a nearly instant replication. I created an active directory user object and it was replicated instantly to any other domain controller. Also with changes and deletion there weren’t any problems or issues. This tip with tweaking inter-site replication should help you if you don’t want to wait for 15 minutes. But think about the bandwith. Yes, bandwith. If you’ve got many changes and thus resulting some heavy active directory traffic you should keep an eye on the bandwith. This tweaking works fine for site links with 20MBit/s and more. If your branch office is connected with less bandwith (like widely used 2 or 5Mbit connections), you should probably let this setting unchanged and work with these 15 minutes instead.