Introduction

Connection objects in Active Directory (AD) specify how updates replicate between domain controllers or sites. These objects have a schedule attribute that specifies when replication is scheduled between the replication partners. The schedule attribute can be modified in the AD Sites and Services MMC, or using a script.



Intra-site Replication

Intra-site replication is replication of Active Directory updates between Domain Controllers (DCs) within an Active Directory site. It is assumed that there is good connectivity between DCs in a site. When an update is made to the AD database on a DC, a change notification process alerts all replication partners to request (pull) the updates. By default, there is a 15 second delay after the update before the first replication partner is notified, in case there are more updates. Then there is a 3 second delay before each subsequent replication partner is notified. If the update is considered critical, such as a password change or account lockout, the change notification is immediate.

Because the change notification results in updates being replicated within the site with little delay, scheduled replication is only needed when the change notification process fails for some reason. Scheduled replication is just a backup.

The schedule attribute of a connection object specifies when replication is allowed. The connection objects for intra-site replication are in the "NTDS Settings" container of the Server container corresponding to the Domain Controller that receives the updates. These objects are in the Site container in the Configuration partition of Active Directory. For example, the distinguished name of an intra-site connection object would be similar to:

cn=<GUID>,cn=NTDS Settings,cn=MyServerA,cn=Servers,cn=MySite,cn=Sites,cn=Configuration,dc=MyDomain,dc=com

where <GUID> is a unique GUID. The source DC for this replication, the replication partner, is specified in the fromServer attribute of the connection object. The value of the fromServer attribute will be a distinguished name similar to:

cn=NTDS Settings,cn=MyServerB,cn=Servers,cn=MySite,cn=Sites,cn=Configuration,dc=MyDomain,dc=com

This example specifies intra-site replication from MyServerB to MyServerA in site MySite.

Inter-site Replication

Inter-site replication is replication of Active Directory updates between two Active Directory sites. It is not assumed that there is good connectivity between sites. There may be slow, even intermittent, communication over the site links. By default, there is no change notification process. All replication is according to the schedule specified in the schedule attribute of the site link objects. The schedule attribute indicates when replication over the link is allowed. A typical inter-site connection object will have a distinguished name similar to:

cn=SiteA-SiteB,cn=IP,cn=Inter-Site Transports,cn=Sites,cn=Configuration,dc=MyDomain,dc=com

where "SiteA-SiteB" is the name of the connection object. In this case the inter-site replication is between SiteA and SiteB.

The Schedule Attribute

The schedule attribute of a connection object specifies when replication is scheduled. The schedule attribute is found on objects of the following classes.

  • NTDS-Connection (for intra-site connection objects)
  • NTDS-Site-Settings (default schedule for all intra-site connection objects in a site)
  • Site-Link (for inter-site connection objects)

Two other classes can have this attribute, NTFRS-Replica-Set and NTFRS-Subscriber, but these classes are obsolete. They have been replaced by DFS and DFSR classes, which have the ms-DFSR-Schedule attribute. This latter attribute is similar to the schedule attribute, but is larger.

The schedule attribute is a byte array, of data type OctetString, of 188 bytes. The first 20 bytes are a header that does not change. The remaining 168 bytes define the replication schedule, one byte for each hour in a week.

The first of the 168 hour bytes specifies replication during the first hour of Sunday, 00:00 to 00:59 am, in Coordinated Universal Time (UTC, which used to be called GMT). Only the first 4 of the 8 bits in each hour byte are used, so each byte has 16 possible values. Each of these 4 bits specifies if replication is scheduled during a particular 15 minute interval of the hour. The first bit is a "1" if replication is scheduled during the first 15 minute interval of the hour, from 0 to 14 minutes after the hour. The bit is "0" if replication is not scheduled. There are 16 possible combinations of the 4 bits, as seen in the table below.

Decimal  Hex  Binary  # / Hr.  Schedule
000      00   0000    0        nnnn
001      01   0001    1        Ynnn
002      02   0010    1        nYnn
003      03   0011    2        YYnn
004      04   0100    1        nnYn
005      05   0101    2        YnYn
006      06   0110    2        nYYn
007      07   0111    3        YYYn
008      08   1000    1        nnnY
009      09   1001    2        YnnY
010      0A   1010    2        nYnY
011      0B   1011    3        YYnY
012      0C   1100    2        nnYY
013      0D   1101    3        YnYY
014      0E   1110    3        nYYY
015      0F   1111    4        YYYY

The first bit in each binary value corresponds to the first 15 minute interval, from 0 to 14 minutes after the hour. The first bit, the least significant bit, is the far right hand bit of the binary representation of the value. The binary value "0010" (decimal 2) means that replication is scheduled during the second 15 minute interval after the hour. The schedule is shown as "nYnn" in the table. The 15 minute intervals are shown chronologically, from left to right in the last column above. "Y" means replication is scheduled, "n" means replication is not scheduled.

The 20 bytes in the header of the schedule attribute all have the value "00", except:

  • byte[0] = 188 (hex BC), the number of bytes in the array.
  • byte[8] = 001 (hex 01), the number of schedules.
  • byte[16] = 020 (hex 14), the offset to the start of the schedule.

The schedule itself is defined by the values in byte[20] through byte[187], a total of 168 bytes.

Knowledge Consistency Checker

Connection objects can be created manually by an administrator using Active Directory Sites and Services, ADSI Edit, or scripts. But more often administrators let a process called the Knowledge Consistency Checker (KCC) automatically create the objects. The KCC runs every 15 minutes on every domain controller to keep the connection objects up to date. It automatically creates connection objects for intra-site replication under the NTDS Settings object of each domain controller in the Configuration container. These enable domain controllers to replicate directory partition updates with each other.

Inter-site connection objects are created by the KCC on one domain controller in each site that has the inter-site topology generator (ISTG) role. The ISTG role owners in all sites use the same algorithm to collectively generate the inter-site replication topology.

The KCC will assign the default schedule to all connection objects owned by the KCC for intra-site replication. The default schedule is once per hour, during the first 15 minute interval. Intra-site connection objects are owned by the KCC if the options attribute of the object has the first bit of the integer value set. If an administrator assigns a schedule, this bit of the attribute should be cleared (or the value 1 changed to 0). Otherwise the KCC will assign the default schedule the next time it runs. The KCC does not update the schedule attribute of connection objects for inter-site replication. By default the schedule attribute of an inter-site connection object has no value assigned. This means replication is always available.

Active Directory Sites and Services

Connection objects and their properties can be viewed in the Active Directory Sites and Services MMC. The following image shows two intra-site connection objects in the NTDS Settings object for domain controller Nebraska.

The next image shows the properties of the connection object to replicate updates from domain controller Wisconsin to Nebraska.

Click "Change Schedule" to view and update the replication schedule of this intra-site connection object.

Notice that the GUI shows how many times per hour replication is scheduled. As will be seen later, there is actually more to the schedule than is shown here. The schedule is displayed in local time. The first replication on Sunday in the image above is scheduled during the 1:00 am hour local time. No replication is scheduled during the first hour, from 12:00 to 12:59 am.

Next, ADSI Edit is used to view the Active Directory attributes of the same connection object (with Name starting with 26a1c131).

With the schedule attribute highlighted, click the "Edit" button to view the attribute as an array of hexadecimal bytes.

Notice that the first value, for byte[0], is hex BC (188 decimal), while byte[8] is 01 and byte[16] is hex 14 (decimal 20). These bytes are part of the header of the schedule attribute. The schedule itself starts at byte[20], which has the value 01. But clearly in this example replication is not scheduled during the first hour of Sunday in local time. The AD schedule attribute uses Coordinated Universal Time (UTC). Since the time zone bias for the test lab network used for these images is 5 hours, byte[20] actually corresponds to 7:00 pm Saturday local time. The value 01 means that replication is scheduled during the first 15 minute interval after 7:00 pm Saturday. The value for 12:00 am Sunday local time is byte[25], which is 00. It is circled in red in the image. This matches what is seen above in AD Sites and Services, where the GUI has displayed the schedule in local time. No replication is scheduled during the first hour Sunday.

The value of byte[26] corresponds to the second hour Sunday morning, from 1:00 to 1:59 am local time. The value 01 means replication is scheduled between 1:00 and 1:14 am. The value 0A for byte[27] means replication is scheduled twice during the third hour, between 2:00 and 2:14 am, and again between 2:30 and 2:44 am. The AD Sites and Services GUI only shows that replication is scheduled twice during the hour. The actual schedule attribute is more specific.

Notice that the GUI shows 2 replications scheduled for both the third and the fourth hours of Sunday. But the schedule attribute reveals that byte[28], for the fourth hour of Sunday, has the value 0B. Looking at the table of possible values for the schedule attribute reveals that replication is actually scheduled 3 times during that hour, during the first, second, and fourth 15 minute intervals after 3:00 am. Again the schedule attribute shows more information than the GUI can display. The next image shows the same schedule after selecting decimal from the "Edit value as" pull down menu.
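The following PowerShell is an added example, not part of the article or its scripts. It decodes a schedule attribute value into local time the way the walkthrough above does by hand, using the byte layout described in "The Schedule Attribute" section. The 188 sample bytes are constructed to match the values read in ADSI Edit (byte[20] = 01, byte[25] = 00, byte[26] = 01, byte[27] = 0A, byte[28] = 0B) with a time zone bias of 5 hours; the function names and the DST-free default bias are assumptions.

```powershell
# Added example, not from the article: decode a schedule attribute value
# into local time. Sample bytes are constructed to match the ADSI Edit
# walkthrough above, which used a time zone bias of 5 hours.

function New-SampleSchedule {
    # Constructed 188-byte value: 20-byte header, then one byte per hour
    # of the week in UTC, starting with Sunday 00:00 UTC at byte[20].
    $Bytes = New-Object byte[] 188
    $Bytes[0]  = 0xBC   # 188, length of the array
    $Bytes[8]  = 0x01   # number of schedules
    $Bytes[16] = 0x14   # 20, offset to the start of the schedule
    for ($i = 20; $i -lt 188; $i++) { $Bytes[$i] = 0x01 }  # first interval
    $Bytes[25] = 0x00   # 12:00 am Sunday local: no replication
    $Bytes[26] = 0x01   # 1:00 am Sunday local: first interval only
    $Bytes[27] = 0x0A   # 2:00 am Sunday local: second and fourth intervals
    $Bytes[28] = 0x0B   # 3:00 am Sunday local: first, second and fourth
    return ,$Bytes
}

function ConvertFrom-Schedule {
    param(
        [Parameter(Mandatory=$true)] [byte[]]$Schedule,
        # Hours added to local time to get UTC (the Windows time zone bias).
        # Assumed default: this computer's standard offset, ignoring DST.
        [int]$BiasHours = [int](0 - [TimeZoneInfo]::Local.BaseUtcOffset.TotalHours)
    )
    # Sanity-check the fixed header before trusting the hour bytes.
    if ($Schedule.Length -ne 188 -or $Schedule[0] -ne 188 -or $Schedule[16] -ne 20) {
        throw "Not a valid schedule attribute value"
    }
    $Days = "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"
    $Masks = 1, 2, 4, 8   # bit 0 = minutes 0-14 ... bit 3 = minutes 45-59
    for ($LocalHour = 0; $LocalHour -lt 168; $LocalHour++) {
        # The attribute is indexed by UTC hour; wrap around the week.
        $UtcHour = (($LocalHour + $BiasHours) % 168 + 168) % 168
        $Value = $Schedule[20 + $UtcHour] -band 0x0F   # only low 4 bits used
        $Intervals = ""
        $Count = 0
        foreach ($Mask in $Masks) {
            if ($Value -band $Mask) { $Intervals += "Y"; $Count++ }
            else { $Intervals += "n" }
        }
        [PSCustomObject]@{
            Day       = $Days[[int][math]::Floor($LocalHour / 24)]
            Hour      = "{0:00}:00" -f ($LocalHour % 24)
            Hex       = "{0:X2}" -f $Value
            Intervals = $Intervals   # chronological, as in the table above
            Count     = $Count
        }
    }
}

$Decoded = ConvertFrom-Schedule -Schedule (New-SampleSchedule) -BiasHours 5
# First four hours of Sunday local time decode to nnnn, Ynnn, nYnY, YYnY.
$Decoded | Select-Object -First 4 | Format-Table -AutoSize
```

To decode a real object, read its schedule attribute with ADSI (it arrives as a byte array) and pass it as -Schedule; Count is what AD Sites and Services displays, Intervals is the detail the GUI cannot show.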

Inter-site connection objects are shown differently in the AD Sites and Services MMC. The properties of a typical inter-site connection object are similar to those in this image.

Click "Change Schedule" to view and update the replication schedule of this inter-site connection object.

In this case the GUI only shows the hours when replication is available. The schedule attribute is exactly the same, where you can specify replication in 15 minute intervals, but this makes less sense when the replication interval is the default 180 minutes. ADSI Edit reveals that the schedule attribute for this object has no value assigned, so this is the default schedule.

PowerShell Script to Document Replication Schedule

A PowerShell script has been developed to document the replication schedule assigned to any connection object in AD. The script takes the local time zone bias into account, so the schedule is shown in local time. The script in the TechNet Gallery is linked here.

Document Replication Schedule of Active Directory Connection Object

For intra-site connection objects, you specify the site, the destination server (ToServer), and the source server (FromServer). For inter-site connection objects you specify the Name of the connection object. You can also specify the distinguished name of any connection object. These values can be specified on the command line, or the script will prompt for values.

The script accepts the following parameters.

  • -Site: The name (RDN) of the site where the connection object for intra-site replication is located.
  • -ToServer: The NetBIOS name of the destination server in the site (intra-site replication).
  • -FromServer: The NetBIOS name of the source server in the site (intra-site replication).
  • -Name: The name (RDN) of a connection object for inter-site replication.
  • -DN: The distinguished name of a connection object (intra-site or inter-site), in quotes.

You also can use switch parameters to specify details of the output, as follows.

  • -Black: Output without using the Write-Host cmdlet, so the output can be redirected to a text file.
  • -Value: Output decimal values for each hour.
  • -Frequency: Output the number of replications scheduled in each hour.
  • -CSV: Output the schedule values in comma delimited format. Implies -Black. Output can be -Value (the default) or -Frequency.

If none of the parameters -Value, -Frequency, and -CSV are selected, the script defaults to showing in which 15 minute intervals replication is scheduled. For example, "nYnY" means replication is scheduled during the second and fourth 15 minute intervals after the hour. In addition, the script accepts the following switch parameters.

  • -Key: Outputs a table of possible schedule values each hour in decimal, hex, and binary.
  • -Help: Outputs a screen of help information for the script, documenting the parameters.

Document Other Attributes of All Connection Objects

PowerShell scripts can be used to document attributes of all connection objects. In the examples below the distinguished names and other relevant attributes are output, in comma delimited format with a header line. The output can be redirected to a CSV file.

Document All Intra-Site Connection Objects

Another relevant attribute of intra-site connection objects is the options attribute, an integer. If the first bit of the value is set (or the value is 1), the connection object is owned by the Knowledge Consistency Checker (KCC). If you modify the schedule of an intra-site connection object, you should clear the first bit of the options attribute (or change the value from 1 to 0) to prevent the KCC from replacing your schedule with the default schedule. The default schedule is defined by the schedule attribute of the NTDS-Site-Settings object in the Site container, so it applies to all intra-site connection objects in the site owned by the KCC. The distinguished name of the NTDS-Site-Settings object will be similar to:

cn=NTDS Site Settings,cn=MySite,cn=Sites,cn=Configuration,dc=MyDomain,dc=com

Unless modified, the default schedule is once an hour, every hour of the week, during the first 15 minute interval of each hour.

The following PowerShell script documents all intra-site connection objects in the Configuration partition. It documents the distinguishedName, fromServer, and options attributes, comma delimited.

# FindIntra.ps1
# PowerShell script to find all intra-site connection objects.
# The output should be redirected to a text file, with csv extension.

# Author: Richard L. Mueller
# Version 1.0 - October 19, 2018

# Determine Configuration naming context from RootDSE object.
$RootDSE = [System.DirectoryServices.DirectoryEntry]([ADSI]"LDAP://RootDSE")
$ConfigNC = $RootDSE.Get("configurationNamingContext")

# Use ADSI Searcher object to find all intra-site connection objects.
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchScope = "subtree"

# Retrieve the distinguishedName, fromServer, and options attributes.
$Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
$Searcher.PropertiesToLoad.Add("fromServer") > $Null
$Searcher.PropertiesToLoad.Add("options") > $Null

# Base of search is the Sites container in the configuration partition.
$Searcher.SearchRoot = "LDAP://cn=Sites,$ConfigNC"

# LDAP syntax filter to find the intra-site connection objects.
$Searcher.Filter = "(objectClass=NTDSConnection)"

$Connections = $Searcher.FindAll()

# Output the header line.
"DN, FromServer, options, KCC Owns"

ForEach ($Connection In $Connections)
{
    $DN = $Connection.Properties.Item("distinguishedName")
    $From = $Connection.Properties.Item("fromServer")
    $Options = $Connection.Properties.Item("options")
    # Bit 0 of options set means the KCC owns (and will reschedule) the object.
    If ($Options -band 1) {$KCC = $True}
    Else {$KCC = $False}
    # Output values comma delimited.
    # DN values quoted (because of embedded commas).
    """$DN"", ""$From"", $Options, $KCC"
}

Document All Inter-Site Connection Objects

Inter-site connection objects have three other attributes that may require an update if the schedule is modified. These are documented in the following table:

Attribute     Description                                 Allowed Values                                     Default Value
options       Enable change notification                  bit 1 set or not set (generally 1 or 0)            not set
cost          Relative cost of replication on this link   Integer                                            100
replInterval  Interval between replication cycles         Minutes in multiples of 15, between 15 and 10080   180 (3 hours)

It is recommended that change notification not be enabled on inter-site connection objects, unless the link is very reliable and fast. The cost attribute is a relative number, so the administrator can rate the links based on reliability, speed, and the actual cost of the connection. The replInterval attribute is an integer, in minutes, that specifies how often replication can occur during the times when the schedule attribute indicates that replication is allowed.

The following PowerShell script documents all inter-site connection objects in the Configuration partition. It documents the distinguishedName, cost, replInterval, and options attributes, comma delimited.

# FindInter.ps1
# PowerShell script to find all inter-site connection objects.
# The output should be redirected to a text file, with csv extension.

# Author: Richard L. Mueller
# Version 1.0 - October 19, 2018

# Determine Configuration naming context from RootDSE object.
$RootDSE = [System.DirectoryServices.DirectoryEntry]([ADSI]"LDAP://RootDSE")
$ConfigNC = $RootDSE.Get("configurationNamingContext")

# Use ADSI Searcher object to find all inter-site connection objects.
$Searcher = New-Object System.DirectoryServices.DirectorySearcher
$Searcher.SearchScope = "subtree"

# Retrieve the distinguishedName, cost, replInterval, and options attributes.
$Searcher.PropertiesToLoad.Add("distinguishedName") > $Null
$Searcher.PropertiesToLoad.Add("cost") > $Null
$Searcher.PropertiesToLoad.Add("replInterval") > $Null
$Searcher.PropertiesToLoad.Add("options") > $Null

# Base of search is the "cn=IP,cn=Inter-Site Transports,cn=Sites" container
# in the configuration partition.
$Searcher.SearchRoot = `
    "LDAP://cn=IP,cn=Inter-Site Transports,cn=Sites,$ConfigNC"

# LDAP syntax filter to find the inter-site connection objects.
$Searcher.Filter = "(objectClass=SiteLink)"

$Connections = $Searcher.FindAll()

# Output the header line.
"DN, cost, replInterval, options, Change Notification Enabled"

ForEach ($Connection In $Connections)
{
    $DN = $Connection.Properties.Item("distinguishedName")
    $Cost = $Connection.Properties.Item("cost")
    $ReplInt = $Connection.Properties.Item("replInterval")
    $Options = $Connection.Properties.Item("options")
    # Bit 0 of options set means change notification is enabled on the link.
    If ($Options -band 1) {$ChgNotification = $True}
    Else {$ChgNotification = $False}
    # Output values comma delimited.
    # DN values quoted (because of embedded commas).
    """$DN"", $Cost, $ReplInt, $Options, $ChgNotification"
}
