Active Directory: Replication

Hi Friends,

Welcome back!

In the previous post I discussed Active Directory and the files associated with it. In this post I want to tell you about the magic behind Active Directory replication.

What is meant by Replication?

Replication is the process of making a replica (a copy) of something; a replica is a copy. Using the replication process we can copy the Active Directory database from one site to another site. This process is initiated when we create an additional domain controller for an existing domain. That means we are creating a backup/secondary copy of the original domain controller to make sure it is available in the case of failures.

How does replication happen in Windows Server?

Once a replica of Active Directory has been implemented, every change made to the Primary copy is replicated to the Secondary. When you implement a replica for the first time, all the objects from the Primary Domain Controller are copied over to the Secondary Domain Controller; at this point both DCs are in sync. When a new object is created in or deleted from the Primary DC, the same change is copied to the Secondary DC immediately. Remember, in Windows 2003/2008 the Secondary DC is always a read-only copy. If the Primary DC fails, we can change the Secondary DC to a read/write copy. While the Secondary DC is acting as a read-only copy, it does not allow us to create or delete objects; it only updates its information from the Primary DC. It was implemented this way to avoid conflicts between objects. Every object has a property called the USN (Update Sequence Number), and based on this attribute the Secondary DC identifies whether updates are available. For example, if the USN of a user object is 124 on the Primary DC and 123 on the Secondary DC, the Secondary DC requests the updated information from the Primary DC. In this way both DCs stay in sync all the time, and if one DC goes down, we still have up-to-date information on the other.

If you create the replica in the same location as the Primary, there is no issue at all in the replication process, but if you create the replica in a branch office location there may be problems associated with the design. You can manage inter-site (between sites) and intra-site (same site) replication using AD Sites and Services. A site is a collection of computers working together in the same IP subnet. Replication is controlled by the Site Link objects created between the sites; we can schedule the replication process and the replication interval using the Site Link properties. The Site Links are "automatically generated" by the ISTG (Intra Site Topology Generator). The KCC (Knowledge Consistency Checker) is the part of the ISTG which generates Site Link objects for inter-site replication. If for any reason the automatically generated site links are not working, we can create them manually using the repadmin /kcc command.

If you have multiple domain controllers (multiple copies) in each site, the replication process consumes a large amount of bandwidth. To avoid this, every site should have only one domain controller acting as the replication partner; it is called the Bridgehead server. This bridgehead server in turn sends the updates to the other DCs located in its site. In the image, the server in Russia acts as the bridgehead for the server in Germany (think of it as Russia's second server).

By right-clicking a site link and selecting "Replicate Now", you can initiate replication between domain controllers in the same site or in different sites.
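One way to watch the USN-driven sync and the site-link interval described above from the defender's side, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module is installed and that the caller has rights to query every DC.

```powershell
# Added example, not code from the original post: audit inbound replication
# health across all DCs from a management host. Assumes the RSAT
# ActiveDirectory module is installed and the caller can query every DC.
Import-Module ActiveDirectory
function Get-StaleReplicationPartner {
    param(
        # Flag a partner link whose last successful pull is older than this.
        # Set it above the longest site-link interval to avoid false alarms.
        [int]$MaxAgeMinutes = 180
    )
    $cutoff = (Get-Date).AddMinutes(-$MaxAgeMinutes)
    foreach ($dc in Get-ADDomainController -Filter *) {
        # One row per (partition, inbound partner) for this DC.
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName `
                    -Scope Server -ErrorAction SilentlyContinue
        if (-not $meta) {
            # A DC that cannot be queried cannot be trusted as an up-to-date copy.
            [pscustomobject]@{ Server = $dc.HostName; Site = $dc.Site
                Partner = '<unreachable>'; Partition = ''; LastSuccess = $null
                Failures = $null; Status = 'DC unreachable' }
            continue
        }
        foreach ($m in $meta) {
            $issues = @()
            if ($m.LastReplicationResult -ne 0) {
                $issues += "last attempt failed (error $($m.LastReplicationResult))"
            }
            if ($m.ConsecutiveReplicationFailures -gt 0) {
                $issues += "$($m.ConsecutiveReplicationFailures) consecutive failures"
            }
            if ($m.LastReplicationSuccess -lt $cutoff) {
                $issues += "no successful pull since $($m.LastReplicationSuccess)"
            }
            if ($issues.Count -eq 0) { continue }   # healthy link, nothing to report
            [pscustomobject]@{ Server = $m.Server; Site = $dc.Site
                Partner = $m.Partner; Partition = $m.Partition
                LastSuccess = $m.LastReplicationSuccess
                Failures = $m.ConsecutiveReplicationFailures
                Status = ($issues -join '; ') }
        }
    }
}
# Site links set the inter-site interval the post describes; list them first so
# MaxAgeMinutes can be chosen above the largest ReplicationFrequencyInMinutes.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { $_.SitesIncluded -join ', ' } } | Format-Table -AutoSize
Get-StaleReplicationPartner -MaxAgeMinutes 180 | Format-Table -AutoSize
```

A link that shows up with a non-zero result or a stale LastSuccess means that partner is not receiving the USN-driven updates the post describes, so the copy on that DC should not be relied on until replication is repaired.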



Thanks for visiting my blog. I will keep posting some interesting topics. Subscribe Now.


  1. I believe there is no difference between a DC and an ADC; both contain a write copy of AD. Both can also handle FSMO roles (if transferred from DC to ADC). It is just for identification. Functionality-wise there is no difference.

    Then how come you said the Additional Domain Controller is not a read/write domain controller?

  2. ISTG stands for Inter-Site Topology Generator

  3. You have not mentioned anything about FRS, the folders (sysvol, netlogon, ntds) which get replicated.

  4. RODC, introduced in 2008, is a read-only domain controller. Windows 2003 has the DC and ADC functionality.


