In this article we will review the subject area “Configure Active Directory Replication” from the Microsoft 70-640 certification exam objective.

In this series, we will move through the content blueprint of the Microsoft Windows Active Directory Configuration (70-640) exam objectives with an eye toward preparing you to pass this Microsoft Certified Technology Specialist (MCTS) exam.

Microsoft Exam 70-640 – Configure Active Directory Replication Domain 2, Subobjective 4

Microsoft Exam 70-640 – Configure Active Directory Replication/ Domain 2, Subobjective 4

The screenshot above shows the relevant section from the 70-640 exam blueprint on configuring Active Directory Domain Services (AD DS) sites.

In the previous subobjective, we learned all about how subnets, sites, and site links mirror the physical infrastructure of your Active Directory domain or forest. We now know that whereas domain controllers that exist within a site replicate AD changes pretty much at-will, the purpose of the site link is to allow the domain administrator to schedule and prioritize replication traffic. After all, it is presumed that the network links between sites is slower and/or more unreliable than connectivity within a site.

In this subobjective we delve more "under the hood" in how Active Directory replication works.

Before you register to take the 70-640 exam, please ensure that you are very comfortable with all technologies and procedures that are referenced in this subobjective:

  • DFSR
  • One-way replication
  • Bridgehead server
  • Replication scheduling
  • Configuring replication protocols
  • Forcing intersite replication


First of all, remember that Distributed File System (DFS) is Microsoft's set of services that allow for the aggregation and replication of a several Server Message Block (SMB) shared folders into a virtual "tree" structure.

DFSR is the successor to the File Replication Service (FRS); FRS is the protocol that was used prior to Windows Server 2008 R2 to handle DFS replication. The coolest thing about DFSR is that it supports incremental replication; thus, only changed bits in the DFS link folders is replicated between partner servers.

NOTE: Remote Differential Compression (RDC) is the specific name of the technology that allows for incremental updates for DFS; RDC also provides for data compression.

Relevant Links:

One-way replication ^

The term "one-way replication" is a fancy term that is used to describe Active Directory replication with Read-Only Domain Controllers (RODCs). Recall that a RODC (also called a "branch office" DC) possesses a read-only copy of the Active Directory database. Thus, AD replication changes flow from a "normal," read/write domain controller within a site or from another site to the RODC, but not the other way around. Thus, replication is one-way by design.

NOTE: Remember that the business case for RODCs is that they are optimized for branch offices without a full-time IT staff. The idea is that the boxes are more difficult to hack and mess up because AD is read-only.

Relevant Links:

Bridgehead server ^

The Knowledge Consistency Checker (KCC) is an Active Directory component that is present on every domain controller and automatically (or "automagically," depending upon your perspective) determines an optimal replication topology between domain controller within a site or between sites.

In the Active Directory multi-master replication model, any DC within a site can act as a bridgehead server. A bridgehead server is the actual DC that sends or receives AD updates across a site link. The selection of a bridgehead server is done automatically by the aforementioned replication components. Specifically, one DC within each site (selected internally by Active Directory and not necessarily the bridgehead server) holds what is called the Inter-Site Topology Generator (ISTG) role. The ISTG role reviews the inter-site topology and creates inbound replication connection objects for local bridgehead servers.

NOTE: An administrator can force a particular DC to hold the ISTG role. Please see Microsoft TechNet for details on how this is accomplished.

There are occasions when as an administrator you may need or want to specify a particular DC to serve as the preferred bridgehead server within a site. To do this, adjust the properties of the chosen domain controller in the Active Directory Sites and Services console.

Designating a preferred bridgehead server

Designating a preferred bridgehead server

You can also use the repadmin command-line tool to force the KCC or the ISTG processes to run on a particular domain controller.

Relevant Links:

Replication scheduling ^

By default, an Active Directory site link is configured to trigger a replication event every 180 minutes, or 3 hours. However, administrators have the ability to easily determine the times and days in which a site link is allowed to open up.

Scheduling replication frequency and cost

Scheduling replication frequency and cost

Do you see the "cost" field in the above screenshot? Site link costs are arbitrary and administrator-assigned, with lower values denoting higher-priority routes. The DC holding the ISTG role within a site uses site link costs to determine the best replication paths between sites. You should note that site link costs are cumulative.

Relevant Links:

Configuring replication protocols ^

The default replication transport protocol used in Active Directory replication is Remote Procedure Call (RPC) over Internet Protocol (IP). If we are speaking of replicating the Active Directory database (that is to say, the domain directory partition), then IP is our only choice. The upside to the RPC-over-IP transport is its security (using Kerberos V5 and data encryption) and its speed. Its chief downside is that the transport is synchronous (the DCs exchanging updates must be online simultaneously).

The other transport option is Simple Mail Transfer Protocol (SMTP)--yes, the industry-standard e-mail transport protocol. What's cool about SMTP replication transport is that it is highly secure (you actually need a certificate authority infrastructure in place to create and deploy the appropriate digital certificates) and that it is asynchronous. Thus, SMTP replication transport is optimized for sites that have intermittent and/or very slow connectivity.

The primary downfall of the SMTP replication transport is that it can be used only for inter-domain replication. The reason for this is that SMTP replication cannot replicate the domain directory partition, only schema, configuration, and global catalog updates. Bummer!

Relevant Links:

Forcing intersite replication ^

Due to a variety of factors (slow network connections, etc.), an administrator may need to force replication between domain controllers on a manual basis. This task can be accomplished either by using the Active Directory Sites and Services console or by using the repadmin command-line utility.

NOTE: The administrator must be a member of the Enterprise Admins forest group or the Domain Admins group in the forest root domain in order to force Active Directory replication.

Relevant Links:

Conclusion ^

I hope that you find this approach to 70-640 exam preparation to be beneficial. Please feel free to leave your questions, comments, and exam experiences (no brain dumps, please) in the comments portion of this post.

In the next post  in this series I will provide a sample practice question for the “Configure Active Directory Replication” subobjective.

1 Comment
  1. Ahmad 10 years ago

    Thank you,
    i found this article helpful in my studies for the exam.

Leave a reply to Ahmad Click here to cancel the reply

Please enclose code in pre tags

Your email address will not be published.


© 4sysops 2006 - 2022


Please ask IT administration questions in the forums. Any other messages are welcome.


Log in with your credentials


Forgot your details?

Create Account