Inter-site change notification

[ - or: How to minimize change convergence time between sites ]

In one of my previous postings, What is urgent replication and when is it used?, I explained what urgent replication is and how Active Directory notifies its neighbours when changes are made to the database. Today I'll add to that and explain how the whole concept behaves in multi-site environments, and what you can do to minimize the time it takes for changes to propagate throughout the domain.

As mentioned in the previous posting, there is a short delay between the actual object change and the notification to the source DC's replication partners. The partners receive the notification and start requesting (pulling) the delta from the notifying DC. You may know, or already have experienced, that inter-site replication works differently: it sticks to a schedule. When the schedule allows, the bridgehead DCs request changes from their partner in the neighbouring site and replicate everything that has changed since the last scheduled replication. This makes sense over slow or unreliable links where bandwidth and availability can be an issue: changes are held back until the right time comes to replicate them as a batch.

The picture above shows an example environment with four AD sites and seven domain controllers. A change made on DC1 takes 15 seconds before DC2 is notified about it. Then there is a wait until the scheduled inter-site replication kicks in and DC3 learns about the change. Another 15 seconds pass until DC3 notifies DC4. Based on the schedule, there is again a delay between DC4 and DC5, since that is once more inter-site replication. You can carry this scenario on to its end.

The bottom line is that changes tend to converge rather slowly across a multi-site topology. That might not be what you want, especially if you are editing a user attribute on DC1 that an application talking to DC7 queries right away. Password changes are a special case: they are still pushed to the PDC emulator immediately, so that a failed authentication attempt on any DC can be re-checked with the PDC emulator to make sure the password has not simply been changed without the change having replicated yet.

Wouldn't it be nice if inter-site replication behaved the same way intra-site replication does? Just notify the partner in the neighbouring site that changes have been made, and let it pull them? Luckily, the DS team implemented exactly that option; it is just not enabled by default, nor easy to get at, but you can define per site link whether inter-site change notification is enabled or not. Before we get to how to enable it, here are some things to think about first:

* Is the site link in question "fast" enough to handle directory replication right away? "Fast" does not just mean latency here but also the bandwidth available at any given time; other services on the wire may share the same link.
* Are there utilization peaks on the line that push it close to 100% utilization, so that replication would take too long?
* How much replication traffic is the site generating?
* How often do object changes occur? Is the site link able to service larger updates (schema updates, mass object creation or editing)?

So, now that you have thought about enabling the feature, it's time to show you the hows and the wheres. There is no check box for this in Active Directory Sites and Services; you have to edit the siteLink object directly, e.g. with ADSIEdit. On Server 2003 you get it from the Support Tools; on Server 2008 it is already installed. Once opened, connect to the Configuration naming context and navigate to:

CN=<the site link in question>,CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=tld. Double-click the object and browse to the "options" attribute. The attribute is a bit mask, and bit 0 (value 1) controls inter-site change notification. If the attribute is "<Not set>", set it to 1; otherwise OR the existing value with 1 (do not just add 1: if bit 0 is already set, adding 1 flips a different bit). To disable the feature, clear bit 0 again and leave the other bits (2 = two-way sync, 4 = disable compression) as they were.


(sorry for the German screenshot. There was no other machine around :-)
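As an added example that is not from the original post, here is the same change done with the ActiveDirectory PowerShell module (Server 2008 R2 and later) instead of ADSIEdit, with a read-back so you can verify the bit afterwards. The site link name 'Site1-Site2' is a placeholder; the function and variable names are my own and not part of any Microsoft tool.

```powershell
# Added example, not code from the original post.
# Assumes the ActiveDirectory module (RSAT / Server 2008 R2+) and a site link
# named 'Site1-Site2' (hypothetical) under the IP inter-site transport.
Import-Module ActiveDirectory

# Bit values of the siteLink 'options' attribute
$USE_NOTIFY          = 0x1   # inter-site change notification (the bit this post is about)
$TWOWAY_SYNC         = 0x2
$DISABLE_COMPRESSION = 0x4

function Get-SiteLinkObject {
    param([Parameter(Mandatory)][string]$Name)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $base = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
    $link = Get-ADObject -SearchBase $base -SearchScope OneLevel `
        -LDAPFilter "(&(objectClass=siteLink)(cn=$Name))" -Properties options
    if (-not $link) { throw "siteLink '$Name' not found under $base" }
    return $link
}

function Set-SiteLinkChangeNotification {
    param([Parameter(Mandatory)][string]$Name, [switch]$Disable)
    $link = Get-SiteLinkObject -Name $Name
    # '<Not set>' comes back as $null; [int]$null is 0
    $old = [int]($link.options)
    # OR / AND-NOT rather than +1 / -1, so other bits are never corrupted
    if ($Disable) { $new = $old -band (-bnot $USE_NOTIFY) }
    else          { $new = $old -bor  $USE_NOTIFY }
    if ($new -ne $old) {
        if ($new -eq 0) {
            Set-ADObject -Identity $link.DistinguishedName -Clear 'options'
        } else {
            Set-ADObject -Identity $link.DistinguishedName -Replace @{ options = $new }
        }
    }
    [pscustomobject]@{
        SiteLink           = $Name
        OldOptions         = $old
        NewOptions         = $new
        ChangeNotification = (($new -band $USE_NOTIFY) -ne 0)
        TwoWaySync         = (($new -band $TWOWAY_SYNC) -ne 0)
        CompressionOff     = (($new -band $DISABLE_COMPRESSION) -ne 0)
    }
}

# Enable, then read the attribute back the way comment 5 below suggests
Set-SiteLinkChangeNotification -Name 'Site1-Site2'
(Get-SiteLinkObject -Name 'Site1-Site2').options
```

Two caveats when you verify. First, the siteLink object lives in the Configuration partition, so the change itself still travels to the other site on the old schedule, and the KCC (which runs every 15 minutes, or immediately with `repadmin /kcc` on each bridgehead) has to recreate the connection objects before the partners start notifying each other; an "it still waits for the interval" symptom right after the change is usually just that. Second, the parent transport object CN=IP has its own options attribute with a different meaning: its bit 0 is the "Ignore schedules" check box in Sites and Services, which is the distinction the comments below sort out, so do not set the bit on the wrong object.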

5 Comments so far

  1. Bo on September 19th, 2010

    hi Florian,

nice to meet you, I just have a question about AD replication. I have seen your blog: http://www.frickelsoft.net/blog/?p=145.

    in the last paragraph, see below

    As an (probably easier) alternative, you might want to check that setting in “Active Directory Sites and Services” in the Properties of the “IP” node under “Inter-Site Transports”. There’s the “Ignore Schedule” checkbox that controls this setting.

I think if we select "Ignore Schedule", we just ignore the schedule of the site link; it's not change notification, am I right?
    thanks very much!

    -Bo

  2. florian on September 20th, 2010

    Ha, good question, Bo.

    I’ll have to look into this again. If I remember correctly, the “ignore schedule” setting would set the very same bit in AD that the options attribute in CN= ,CN=IP,CN=Inter-Site Transport,CN=Sites,CN=Configuration,DC=domain,DC=tld would. But I’ll look into it again.

    Thanks for asking!
    Florian

  3. florian on September 20th, 2010

    Bo,

thanks for writing. It turns out you are correct. The "Ignore schedule" check box indeed triggers something different than the inter-site change notification. The funny thing is that I didn't have that last paragraph in the article when I first published it. Later I found the "Ignore schedule" information and added it (obviously wrong!) as additional information.

    It turns out they’re not the same. While setting the first bit in the “options” bitmask of the siteLink object enables inter-site change notification between sites, the “Ignore schedules” checkbox, when selected, disables schedules on the siteLink — the link is then available at all times.

    Thanks for the hint.
    Florian

  4. Florian's too on May 12th, 2011

    Hi Florian,

My AD is: 2 sites, 1 DC in each site (win2k8r2)
I followed your tutorial about enabling change notification for inter-site replication.
But when I add an OU or create a user, it fails to replicate until the replication interval is reached (in my case 15 min).
I checked many things but can't find what is missing.
Do you have an idea where I should start investigating?

    Thanks in advance,

    Florian D.

  5. florian on May 21st, 2011

    Florian,

I'd check on the siteLink object whether it has the correct options set. When you look at the object, what does the "options" attribute look like?

    If you weren’t able to resolve the issue – may I suggest you try the Technet Forums (http://social.technet.microsoft.com/Forums/en-US/winserverDS), ActiveDir Mailing List (http://activedir.org) or the adgpo mailing list (http://www.myitforum.com/lists.asp)?