Wednesday, March 26, 2014

Faster Active Directory Replication - Decrease Intersite Replication Interval to Seconds

Enable Fast Domain Controller Replication

Active Directory Intersite Replication Interval Enable Faster AD and DNS updates

Enable Faster Active Directory AD and DNS Replication Updates Between Sites 

Although for newer administrators making changes to Active Directory can be a nerve-rattling proposition, this change to speed up Active Directory replication can only be made this way: the standard GUI Microsoft Management Consoles cannot do it. The best the administrative consoles allow is to reduce replication between domain controllers to a 15-minute interval. These large time values date from version 1 of Active Directory, when inter-site connections were much lower in bandwidth, most commonly frame-relay or 56k circuits. Since then, inter-site connections and Internet speeds have increased tremendously, so faster domain controller replication is possible even over WAN links.

Fast Intersite Replication Interval - Speed up DC Replication, Updates are in Seconds 

To enable faster intersite replication, to nearly the speed of intra-site or LAN replication, use ADSI Edit.

Start ADSI Edit and go to Configuration > Sites > Inter-Site Transports > IP.

Note that this setting cannot be enabled for SMTP intersite links.
Unless it has been renamed, right-click the default intersite link and choose Properties. Scroll down to the options attribute and double-click it. Its value is <not set> by default unless the option has been previously modified; change it to 1. Click OK twice to save and close the properties window.
Force a replication using Sites and Services so this setting gets pushed/pulled to the other domain controllers.

Faster AD DNS Replication Updates Between Sites and Domain Controllers. 

Test by creating a test account in AD. I use names like 123, 1234, 111, etc., so the test account sorts to the top of the list in Active Directory Users and Computers. Check your other domain controller or controllers for the new account: it will appear in 15 seconds or less. I was seeing an average delay of about 2 seconds for the test account to appear. Delete the account from the other domain controller and watch it get removed in less than 15 seconds on the original domain controller you were working from.
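As an added example that is not part of the original post, the same change made from PowerShell with the RSAT ActiveDirectory module instead of ADSI Edit, followed by the read-back check you would use to confirm it replicated. It assumes the site link still has its default name DEFAULTIPSITELINK and that the session runs as a member of Enterprise Admins; it goes slightly beyond the post by OR-ing the bit into the options attribute rather than overwriting it with 1, so any other flags already set on the link are preserved.

```powershell
# Added example (not the original post's procedure): enable change notification on the
# default IP site link from PowerShell instead of ADSI Edit.
# Assumptions: RSAT ActiveDirectory module installed, link not renamed, run as Enterprise Admin.
Import-Module ActiveDirectory

$linkName = 'DEFAULTIPSITELINK'          # assumption: the link has not been renamed
$configNC = (Get-ADRootDSE).configurationNamingContext
$linkDN   = "CN=$linkName,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

# The siteLink 'options' attribute is a bitmask. Bit 0x1 is USE_NOTIFY (replicate on
# change notification instead of waiting for the schedule); 0x2 and 0x4 carry other
# flags (two-way sync, disable compression) that this script leaves untouched.
$USE_NOTIFY = 0x1

$link = Get-ADObject -Identity $linkDN -Properties options
# "<not set>" in ADSI Edit comes back as $null here; treat it as 0
$current = if ($null -eq $link.options) { 0 } else { [int]$link.options }
Write-Host "Current options on ${linkName}: $current"

if (($current -band $USE_NOTIFY) -eq 0) {
    # OR the bit in rather than writing a literal 1, so any flag set earlier survives
    $new = $current -bor $USE_NOTIFY
    Set-ADObject -Identity $linkDN -Replace @{ options = $new }
    Write-Host "options set to $new (USE_NOTIFY enabled)"
} else {
    Write-Host "USE_NOTIFY is already enabled"
}

# Push the change to every DC (all partitions, cross-site, push mode), as the post
# does with a forced replication in Sites and Services
repadmin /syncall /AdeP | Out-Null

# Read the attribute back from each DC: the bit should now be set everywhere
foreach ($dc in Get-ADDomainController -Filter *) {
    $remote = Get-ADObject -Identity $linkDN -Properties options -Server $dc.HostName
    $seen   = if ($null -eq $remote.options) { 0 } else { [int]$remote.options }
    $state  = if ($seen -band $USE_NOTIFY) { 'USE_NOTIFY on' } else { 'USE_NOTIFY OFF' }
    Write-Host ("{0,-30} options={1} {2}" -f $dc.HostName, $seen, $state)
}

# Overall inbound replication health per DC, to pair with the test-account check above
repadmin /replsummary
```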

7 comments:

Anonymous said...

Absolutely worked for me. This made replication between domain controllers instant, like on the LAN. I had a domain controller at a customer's office and another domain controller in a cloud configuration. The local office network and the cloud network were interconnected with a VPN. There were no replication errors but we wanted to properly configure sites so that local logins were handled by the local domain controller and any logins that occurred on the cloud side were handled by the domain controller on that network in the cloud. This would speed up logins for both cloud access and for local access. We created the two sites and added the domain controller for each into the appropriate site but replication was not as fast as when both servers were in the same site. This ADSI edit fixed the problem with no repercussions.
Thank you.

Anonymous said...

Thanks. This method to speed up domain controller replication worked.

Anonymous said...

Hi, this worked for me. I used ADSI Edit as described in this post and in the image. Changed the not set option to 1. Right after that the domain controllers were replicating between AD sites as fast as they do on the local network LAN. A quick test of fast AD replication is to just create a simple text file in the NETLOGON folder of one of the domain controllers; nearly instantly it can be seen in the NETLOGON folder of the other domain controllers.
This setting made AD replication go faster between sites.

Remote-Tech said...

We have many clients for which we have installed Active Directory servers and whom we support. Many of our clients have multiple sites. Although I could understand the reason for having a time gap between Active Directory server updates, the need for a faster method exists. The large delay was inherited from the legacy networks. Legacy networks were much slower. The long wait times were developed, designed and implemented because networks at the time were much slower than they are today. Bandwidth was not bountiful and throughput was very low. With higher bandwidth, such delays in AD replication are not necessary, and it would be best if an option easily accessible from within Active Directory Sites and Services, from which replication protocols can be configured along with the Active Directory domain topology, could be changed to be as low as a minute or less. The option to enable replication using the notification option, although it requires the ADSI Edit MMC console, works well. The screenshot is perfect to enable anyone who views this post to know exactly where to go in the Active Directory Sites and Services structure and properties to make the change and enable notify.

Anonymous said...

Used this solution for a client that had two offices with domain controllers at each office. When creating new users or updating or changing passwords, the default site-to-site replication speed was not optimal for these changes to be realized immediately from the opposite end of the two-office connection. We needed more real-time replication. This setting decreased the time for replicating between domain controllers down to nearly local area network speeds. It worked great. Thank you for posting this information.
I could not believe how easy it was to implement, and although using Microsoft ADSI Edit can be daunting, it was easily accomplished. The administrators could have remoted into the remote domain controllers to create or modify accounts. More often they would remote into their local domain controller using Remote Desktop Connection. Because they each were more familiar with their own network environment, this became the pattern and culture at this office. The administrators remoted into their own local domain controllers. Even after remote controlling the domain controller and entering the modified data or properties for the user or other resource on the network, the changes would not be seen quickly on the other site's server.

Remote-Tech said...

Once again I used this solution for speeding up domain controller replication. It worked nicely this second time. No issues making the changes using ADSI Edit, and the settings took effect immediately. No rebooting was required.

Tech support said...

This helped speed up replication between domain controllers 100 percent. I thought the fastest domain controller replication possible was 15 minutes as that is the lowest number available in Sites and Services control. This setting helped speed up replication between domain controllers to the point it is indistinguishable from local area network speeds. There is no delay in replication. Replication between our domain controllers between sites is much faster now.