Active Directory Replication Overview

August 29, 2021

Active Directory replication transfers and updates Active Directory objects from one domain controller (DC) to another.

To understand AD replication, we are going to discuss the connection object, the KCC, subnets, sites, site links, site link bridges, the global catalog and universal group membership caching.

Connection Object is an Active Directory object that represents a replication connection from a source domain controller to a destination domain controller.

The Knowledge Consistency Checker (KCC) generates connection objects so that replication happens both within a site (intrasite replication) and between different sites (intersite replication) in the AD infrastructure.
Intrasite replication refers to replication between domain controllers in the same site.
Intersite replication refers to replication between DCs belonging to different sites.

A subnet is a segment of a TCP/IP network to which a set of logical IP addresses is assigned. Subnet objects, mapped to sites in the AD site configuration, let computers identify their physical proximity on the network.

Sites are Active Directory objects that represent one or more TCP/IP subnets. Site information allows administrators to configure Active Directory access and replication to optimize usage of the physical network.

Site links are Active Directory objects that represent logical paths that the KCC uses to establish a connection for Active Directory replication. A site link object represents a set of sites that can communicate at uniform cost through a specified intersite transport.

Site link bridge is an Active Directory object that represents a set of site links, all of whose sites can communicate by using a common transport. Site link bridges enable domain controllers that are not directly connected by means of a communication link to replicate with each other.

Global Catalog server is a domain controller that stores information about all objects in the forest, so that applications can search AD DS without referring to specific domain controllers that store the requested data. Like all domain controllers, a global catalog server stores full, writable replicas of the schema and configuration directory partitions and a full, writable replica of the domain directory partition for the domain that it is hosting.

In addition, a global catalog server stores a partial, read-only replica of every other domain in the forest. Partial, read-only domain replicas contain every object in the domain but only a subset of the attributes.

Universal Group Membership Caching allows a domain controller to cache universal group membership information for users. Enabling universal group membership caching eliminates the need for a global catalog server at every site in a domain, which minimizes network bandwidth usage because a domain controller does not need to replicate all of the objects located in the forest. It also reduces logon times because the authenticating domain controllers do not always need to access a global catalog to obtain universal group membership information.

Default replication interval: intersite 180 min (it can be set as low as 15 min), intrasite 15 sec.
Replication over the KCC-built connections is pull-based and driven by three mechanisms: the update sequence number, change notification and polling.

Update Sequence Number (USN): whenever a change occurs (add, delete, modify, etc.), the USN value increases. Each DC keeps track of the USNs of its replication partners. If a DC sees that the USN on a replication partner has changed, it asks that partner for the changes (replication) and the change is replicated. Each DC has an overall USN, and so does each object in the directory.
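The pull mechanism described above, as an added example that is not part of the original page: a toy PowerShell simulation of two DCs in which the destination remembers the highest USN it has already received from each partner (a high-watermark) and pulls only the objects whose uSNChanged is above it. The DC names, object DNs and the simplified bookkeeping are constructed for illustration; real AD also keeps an up-to-dateness vector and replicates per attribute, which this model leaves out.

```powershell
# Added example (not from the original page): USN-driven pull replication, simplified.
# DC names, DNs and the bookkeeping are constructed; real AD is more elaborate.

function New-Dc {
    param([string]$Name)
    # Each DC has its own USN counter, a table of objects (DN -> attributes plus
    # the local uSNChanged), and one high-watermark per partner: the highest
    # partner USN whose changes it has already applied.
    [pscustomobject]@{
        Name          = $Name
        Usn           = 0
        Objects       = @{}
        HighWatermark = @{}
    }
}

function Set-DcObject {
    param($Dc, [string]$Dn, [hashtable]$Attributes)
    # Every originating write consumes one USN and stamps it on the object.
    $Dc.Usn++
    $Dc.Objects[$Dn] = @{ Attributes = $Attributes; UsnChanged = $Dc.Usn }
}

function Get-ChangesSince {
    param($Source, [long]$Watermark)
    # The source answers a pull request with every object changed after the
    # watermark the destination last saw, in USN order.
    $Source.Objects.GetEnumerator() |
        Where-Object { $_.Value.UsnChanged -gt $Watermark } |
        Sort-Object { $_.Value.UsnChanged } |
        ForEach-Object {
            [pscustomobject]@{ Dn = $_.Key; Attributes = $_.Value.Attributes; UsnChanged = $_.Value.UsnChanged }
        }
}

function Invoke-PullReplication {
    param($Destination, $Source)
    # The destination compares the partner's current USN with its high-watermark;
    # if the partner has not moved since the last cycle there is nothing to pull.
    $last = 0
    if ($Destination.HighWatermark.ContainsKey($Source.Name)) { $last = $Destination.HighWatermark[$Source.Name] }
    if ($Source.Usn -le $last) { return 0 }

    $changes = @(Get-ChangesSince -Source $Source -Watermark $last)
    foreach ($c in $changes) {
        # Applying a replicated change still consumes a local USN on the
        # destination, but the watermark tracks the source's USN, not the local one.
        $Destination.Usn++
        $Destination.Objects[$c.Dn] = @{ Attributes = $c.Attributes; UsnChanged = $Destination.Usn }
    }
    $Destination.HighWatermark[$Source.Name] = $Source.Usn
    return $changes.Count
}

# Constructed scenario: two originating writes on DC1, then DC2 pulls three times.
$dc1 = New-Dc -Name 'DC1'
$dc2 = New-Dc -Name 'DC2'
Set-DcObject -Dc $dc1 -Dn 'CN=alice,OU=Users,DC=lab,DC=com' -Attributes @{ title = 'Analyst' }
Set-DcObject -Dc $dc1 -Dn 'CN=bob,OU=Users,DC=lab,DC=com'   -Attributes @{ title = 'Engineer' }

$first  = Invoke-PullReplication -Destination $dc2 -Source $dc1   # first pull after the writes
$second = Invoke-PullReplication -Destination $dc2 -Source $dc1   # immediate second pull
Set-DcObject -Dc $dc1 -Dn 'CN=alice,OU=Users,DC=lab,DC=com' -Attributes @{ title = 'Senior Analyst' }
$third  = Invoke-PullReplication -Destination $dc2 -Source $dc1   # pull after one modify

'{0} pulled {1}, then {2}, then {3} change(s) from {4}; watermark for {4} is now {5}' -f `
    $dc2.Name, $first, $second, $third, $dc1.Name, $dc2.HighWatermark[$dc1.Name]
```

The point to notice is the second pull: the partner's USN has not changed, so nothing is requested, and the third pull carries only the one modified object rather than the whole directory. That is why a partner whose USN keeps advancing while the destination's watermark for it stays put is the signature of a broken inbound connection.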


Get an AD replication summary:
Repadmin /replsum

The following command reports the status for each source domain controller from which the destination has an inbound connection object. The status report is categorized by directory partition:
Repadmin /showrepl
Repadmin /showrepl <DC_NAME> /csv >replication-status.csv
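What to do with the CSV that the command above produces, as an added example that is not part of the original page: a PowerShell script that reads a repadmin /showrepl /csv export and classifies every inbound connection as OK, STALE or FAILING. The CSV text is constructed; its header follows the column layout repadmin /showrepl /csv emits (assumed here, so compare it with a real export), with a showrepl_COLUMNS / showrepl_INFO marker in the first column. The function and parameter names are my own.

```powershell
# Added example (not from the original page): triage a repadmin /showrepl /csv export.
# The CSV below is constructed; column names are assumed to match repadmin's layout.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=lab,DC=com",HQ,DC02,RPC,0,0,2021-08-29 10:15:02,0
showrepl_INFO,HQ,DC01,"CN=Configuration,DC=lab,DC=com",HQ,DC02,RPC,0,0,2021-08-29 10:15:03,0
showrepl_INFO,HQ,DC01,"DC=lab,DC=com",Branch,DC03,RPC,12,2021-08-29 11:40:17,2021-08-27 09:02:44,1722
showrepl_INFO,HQ,DC01,"CN=Schema,CN=Configuration,DC=lab,DC=com",Branch,DC03,RPC,0,0,2021-08-26 08:00:00,0
'@

function ConvertTo-RepadminTime {
    param([string]$Text)
    # repadmin writes 0 for an event that has never happened.
    if ($Text -eq '0') { return [datetime]::MinValue }
    return [datetime]::ParseExact($Text, 'yyyy-MM-dd HH:mm:ss', $null)
}

function Get-ReplicationHealth {
    param(
        [string]$CsvText,
        [datetime]$Now,
        [int]$StaleHours = 24
    )
    $rows = $CsvText | ConvertFrom-Csv
    foreach ($r in $rows) {
        $failures = [int]$r.'Number of Failures'
        $lastOk   = ConvertTo-RepadminTime $r.'Last Success Time'
        $ageHours = [math]::Round(($Now - $lastOk).TotalHours, 1)

        # Any failure count deserves a look; a partner with no recorded failure
        # that has not succeeded within the stale window is a problem too.
        $state = 'OK'
        if ($failures -gt 0) { $state = 'FAILING' }
        elseif ($ageHours -gt $StaleHours) { $state = 'STALE' }

        [pscustomobject]@{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            SourceSite    = $r.'Source DSA Site'
            NamingContext = $r.'Naming Context'
            Failures      = $failures
            LastStatus    = [int]$r.'Last Failure Status'
            HoursSinceOk  = $ageHours
            State         = $state
        }
    }
}

# Constructed "now" so the sample dates stay meaningful. Against a real export,
# drop -Now (pass Get-Date) and read the file with: Get-Content .\replication-status.csv -Raw
$asOf   = [datetime]::ParseExact('2021-08-29 12:00:00', 'yyyy-MM-dd HH:mm:ss', $null)
$health = Get-ReplicationHealth -CsvText $sampleCsv -Now $asOf
$health | Sort-Object State, Source | Format-Table -AutoSize

# Group unhealthy connections by source DC: one partner failing across several
# naming contexts usually means that DC is unreachable, not that the partitions are broken.
$health | Where-Object State -ne 'OK' | Group-Object Source |
    ForEach-Object { '{0}: {1} partition(s) not healthy' -f $_.Name, $_.Count }
```

The Last Failure Status column is the Win32 error code of the most recent failure; pairing it with the source site tells you quickly whether the problem is one intersite link (a single bridgehead or transport) or a DC that stopped replicating altogether.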

Each site has one bridgehead server, which replicates the AD changes to the bridgehead server of another site.
Repadmin /bridgeheads

Force the KCC on each targeted domain controller to immediately recalculate the inbound replication topology:
Repadmin /kcc

The following command replicates the AD changes for a naming context from a source domain controller to a specific destination domain controller:
Repadmin /replicate dest-dc01 source-dc01 DC=lab,DC=com

The following command synchronizes the AD changes across all domain controllers:
Repadmin /SyncAll /apad

To test for replication problems (including DNS-related ones):
Dcdiag /test:replications

