Have you ever wondered why some Active Directory changes take longer to get to all of the domain controllers while others seem to synchronize faster? The concepts of Active Directory replication can be complex and a bit hard to calculate, but once you understand them, you will have a better grip on how to manage Active Directory objects within your enterprise.
Start by understanding replication
Replication is when the domain controllers replicate the user, group, computer, organizational unit and other objects to each other. This is essential so that every domain controller has the same information for administration of the objects and authentication of accounts.
An attribute is a property of an account, and replication between domain controllers occurs at the attribute level. This is important to know in that the size of the replication traffic is usually quite small. For example, it could be a phone number for a user.
Identify Active Directory sites
You must understand Active Directory sites to grasp replication convergence. A site is a logical configuration within Active Directory that represents a physical network. For example, if you had one network in Phoenix and a branch office in New York, you would have two Active Directory sites.
Inter-site replication occurs within a single site. When you have a single domain in a default configuration, you have a single site. Every new domain controller that is added is included in this site. Domain controllers that exist in the same site will replicate to all other domain controllers within 15 minutes. If there are only two domain controllers, they replicate to one another within 5 minutes. The replication is done with replication partners, and each domain controller has at least two partners when there are three or more domain controllers. So, when there are four domain controllers, a change on one will take 10 minutes to reach all three of the others.
Before expanding the number of sites, consider the replication within each site as well as the replication between sites. The default replication interval between two sites is 180 minutes, or 3 hours. When this replication occurs, there is a token domain controller in each site that is responsible for performing the replication to the domain controller in the other site.
Let's look at an example in which there are four domain controllers in each site, with a total of two sites. When a change is made to a domain controller in the first site, it will replicate to the other domain controllers within 10 minutes. Then, the replication must go across the sites. This could take another 3 hours. Finally, once the replication change hits the domain controller in the other site, it could take up to another 10 minutes to replicate to all of the domain controllers in the second site. So for one change to get to all domain controllers, it takes 3 hours and 20 minutes.
As you add more domain controllers per site and more sites, the replication convergence time can add up very quickly. These numbers are conservative, as I have used maximized replication intervals.
A change to one domain controller is not an instantaneous change to all other domain controllers. In fact, a single change to one could take many hours to get to all other domain controllers. If the change you made relates to security, you need to know how long the change will take to get to all domain controllers. The convergence time of replication between domain controller within the sites and between the sites determines how long this could take.
Derek Melber provides customized training for auditors, security professionals, and network administrators. His book series on auditing Windows security is available at The IIA Bookstore. Online training is also available, which coincides with the books, at http://www.auditlearning.com. Melber can be reached at firstname.lastname@example.org.