Active Directory Replication Time Intervals
What are the replication time intervals for Active Directory?
It seems there are always many questions about when Active Directory replicates the various pieces of the infrastructure. I have put together a quick summary below of the most important areas of Active Directory replication and when each of these components is replicated. Hopefully this gives a clear and concise view of replication in Active Directory.
(Image courtesy of Microsoft TechNet)
Intrasite Replication
- When a directory change is made, the source DC waits 15 seconds before it sends the update notification to its closest replication partner.
- If there is more than one replication partner, the notifications go out in 3-second increments to the subsequent replication partners.
- After receiving notification of the change, the partner domain controller sends a directory update request to the source domain controller, and the source DC responds with a replication operation. The 3-second skew prevents the source DC from being overloaded by many replication partners requesting at once.
- There are exceptions to the 15-second delay where replication occurs immediately. This is known as urgent replication, and it applies to critical directory updates: account lockouts and changes to the account lockout policy, the domain password policy, the password on a domain controller account, or user passwords.
Windows 2000 (Yes, it is still out there)
- The default delay for intrasite replication with Windows 2000 DCs is 5 minutes.
Intersite Replication
- By default, intersite replication occurs between sites every 180 minutes (3 hours).
- The lowest interval that intersite replication can be adjusted to is 15 minutes.
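As an added example (not part of the original post), the following PowerShell audits the two intersite numbers above against a live forest: it reports each site link's configured interval relative to the 180-minute default and the 15-minute floor, and then lists replication partners of a given DC whose last successful replication is older than the default interval. It uses the RSAT ActiveDirectory module; the DC name DC01.corp.example is a hypothetical placeholder.

```powershell
# Added example, not from the original post. Requires the RSAT ActiveDirectory module
# and a domain-joined session with rights to read replication metadata.
Import-Module ActiveDirectory

$DefaultIntervalMinutes = 180   # default intersite interval described in the post
$MinimumIntervalMinutes = 15    # lowest value the interval can be set to

function Get-SiteLinkIntervalReport {
    # Reports every site link with its configured replication interval and a note
    # on how it compares to the default and the minimum.
    Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes |
        ForEach-Object {
            $interval = $_.ReplicationFrequencyInMinutes
            if ($interval -lt $MinimumIntervalMinutes) {
                $note = 'below the 15-minute floor; AD will treat it as 15'
            } elseif ($interval -eq $DefaultIntervalMinutes) {
                $note = 'default (180 minutes)'
            } else {
                $note = 'custom interval'
            }
            [pscustomobject]@{
                SiteLink        = $_.Name
                Sites           = ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', '
                IntervalMinutes = $interval
                Note            = $note
            }
        }
}

function Get-StaleReplicationPartners {
    # Lists partners of $DomainController whose last successful replication is older
    # than the default intersite interval plus a small allowance for the schedule itself.
    param(
        [string]$DomainController = 'DC01.corp.example',   # hypothetical placeholder
        [int]$AllowanceMinutes = 30
    )
    $threshold = (Get-Date).AddMinutes(-($DefaultIntervalMinutes + $AllowanceMinutes))
    Get-ADReplicationPartnerMetadata -Target $DomainController -Scope Server -Partition * |
        Where-Object { $_.LastReplicationSuccess -lt $threshold -or $_.ConsecutiveReplicationFailures -gt 0 } |
        Select-Object Partition,
                      @{ n = 'Partner'; e = { ($_.Partner -split ',')[1] -replace '^CN=' } },
                      LastReplicationSuccess,
                      LastReplicationResult,
                      ConsecutiveReplicationFailures
}

Get-SiteLinkIntervalReport | Format-Table -AutoSize
Get-StaleReplicationPartners | Format-Table -AutoSize
```

The partner check deliberately uses the 180-minute default as its yardstick; if you have shortened a site link toward the 15-minute minimum, pass a smaller allowance or compare against that link's own interval from the first report.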
Group Policy replication interval
- Changes to Group Policy settings might not be immediately available, as they first have to replicate to the domain controller the client uses.
- Clients have a 90-minute refresh period (randomized by up to approximately 30 minutes).
- Components of a GPO are stored both in AD and in the SYSVOL folder of domain controllers.
- You can manually trigger a GPO refresh with the gpupdate command on Windows XP and later, or with secedit in Windows 2000 environments.
SYSVOL & FRS/DFS
- SYSVOL replication is state based, meaning replication happens as soon as anything changes in the SYSVOL folders. Before Windows 2008 this is handled by the File Replication Service (FRS); starting with the Windows 2008 domain functional level you can use DFS Replication (DFSR) to replicate SYSVOL contents.
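Because a GPO lives partly in AD (replicated by AD replication) and partly in SYSVOL (replicated by FRS or DFSR), the two halves can briefly disagree on a given DC, and different DCs can hold different versions while replication is in flight. The following PowerShell, added here as an example and not taken from the original post, makes both conditions visible: one function flags GPOs whose AD and SYSVOL version numbers differ on a DC, and the other compares the AD version of every GPO across a list of DCs. It uses the GroupPolicy RSAT module; the DC names are hypothetical placeholders.

```powershell
# Added example, not from the original post. Requires the GroupPolicy RSAT module.
Import-Module GroupPolicy

function Get-GpoVersionMismatch {
    # On a single DC, report GPOs whose AD (DSVersion) and SYSVOL (SysvolVersion)
    # version numbers disagree for either the User or the Computer half.
    param([string]$Server)   # DC to query; omit to use the default DC

    $params = @{ All = $true }
    if ($Server) { $params.Server = $Server }

    foreach ($gpo in Get-GPO @params) {
        $userOk     = $gpo.User.DSVersion     -eq $gpo.User.SysvolVersion
        $computerOk = $gpo.Computer.DSVersion -eq $gpo.Computer.SysvolVersion
        if (-not ($userOk -and $computerOk)) {
            [pscustomobject]@{
                DC             = $Server
                Name           = $gpo.DisplayName
                Id             = $gpo.Id
                UserAD         = $gpo.User.DSVersion
                UserSysvol     = $gpo.User.SysvolVersion
                ComputerAD     = $gpo.Computer.DSVersion
                ComputerSysvol = $gpo.Computer.SysvolVersion
                Modified       = $gpo.ModificationTime
            }
        }
    }
}

function Compare-GpoAcrossDomainControllers {
    # Read every GPO from each DC and report those whose AD-side version differs
    # between DCs, which is what a client sees as "my change isn't there yet".
    param([string[]]$DomainController = @('DC01.corp.example', 'DC02.corp.example'))  # hypothetical

    $byGpo = @{}
    foreach ($dc in $DomainController) {
        foreach ($gpo in Get-GPO -All -Server $dc) {
            if (-not $byGpo.ContainsKey($gpo.Id)) { $byGpo[$gpo.Id] = @{} }
            # Combine both halves so a change to either side counts as a difference.
            $byGpo[$gpo.Id][$dc] = "{0}/{1}" -f $gpo.Computer.DSVersion, $gpo.User.DSVersion
        }
    }
    foreach ($id in $byGpo.Keys) {
        $versions = $byGpo[$id].Values | Sort-Object -Unique
        if ($versions.Count -gt 1) {
            [pscustomobject]@{
                Id       = $id
                Versions = ($byGpo[$id].GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
            }
        }
    }
}

Get-GpoVersionMismatch -Server 'DC01.corp.example' | Format-Table -AutoSize
Compare-GpoAcrossDomainControllers | Format-Table -AutoSize
```

A mismatch between AD and SYSVOL versions on one DC points at FRS/DFSR lag (or a stalled SYSVOL replica), while a version that differs between DCs with matching AD and SYSVOL halves on each points at AD replication still catching up; both clear on their own once replication completes, so only a persistent difference warrants investigation.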
DNS Replication in Active Directory
- If DNS zones are AD-integrated, they are updated using AD replication. Any new DNS record created in an AD-integrated zone is replicated immediately with AD intrasite replication.
- The DNS record will not appear immediately, however, even though the AD database is up to date.
- The DNS server does not query the AD database directly; instead, every 180 seconds it reloads the zone from the latest AD database values.
- You can check your dwDsPollingInterval value with the command dnscmd /info
- To force DNS polling, use the command dnscmd /zoneupdatefromds yourzonenamehere
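The gap described above, a record already present in a DC's copy of AD but not yet loaded by that DC's DNS server, can be observed directly. The PowerShell below is an added example, not code from the original post: it reads the directory polling interval (the same value dnscmd /info reports as DsPollingInterval), then compares an AD-integrated zone's dnsNode object in AD with what the DNS service on the same DC actually answers. It uses the ActiveDirectory and DnsServer RSAT modules; the zone corp.example, the record name newhost, the server name DC01.corp.example and the assumption that the zone lives in the DomainDnsZones partition are all hypothetical.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory and
# DnsServer RSAT modules and read access to the DNS partition in AD.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DnsDsPollingInterval {
    # Seconds between the DNS service's reloads of AD-integrated zones from AD.
    # The post's default is 180; dnscmd <server> /info shows the same value.
    param([string]$DnsServer)
    (Get-DnsServerDsSetting -ComputerName $DnsServer).PollingInterval
}

function Test-AdIntegratedRecord {
    # Compare the record as stored in AD on $DnsServer with what its DNS service returns.
    param(
        [string]$Zone,        # e.g. corp.example (hypothetical)
        [string]$Name,        # host label, e.g. newhost (hypothetical)
        [string]$DnsServer,   # DC that also runs DNS, e.g. DC01.corp.example (hypothetical)
        # Partition holding the zone. DomainDnsZones is the usual default for domain-wide
        # zones; legacy zones use CN=System,<domain DN> instead.
        [string]$PartitionDN = "DC=DomainDnsZones,$((Get-ADDomain).DistinguishedName)"
    )

    # AD-integrated zones are stored as DC=<zone>,CN=MicrosoftDNS,<partition>,
    # with one dnsNode object per record name.
    $zoneDN = "DC=$Zone,CN=MicrosoftDNS,$PartitionDN"
    $node = Get-ADObject -Server $DnsServer -SearchBase $zoneDN `
                -LDAPFilter "(&(objectClass=dnsNode)(dc=$Name))" -ErrorAction SilentlyContinue

    # Ask the DNS service on the same DC, bypassing any client-side cache.
    $answer = Resolve-DnsName -Name "$Name.$Zone" -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue

    $inAd  = [bool]$node
    $inDns = [bool]$answer
    $poll  = Get-DnsDsPollingInterval -DnsServer $DnsServer

    $status = if ($inAd -and -not $inDns) {
        "In AD on $DnsServer but not yet loaded by its DNS service; wait up to $poll seconds " +
        "or run: dnscmd $DnsServer /zoneupdatefromds $Zone"
    } elseif (-not $inAd -and -not $inDns) {
        "Not in AD on $DnsServer yet; AD replication has not delivered it to this DC"
    } elseif (-not $inAd -and $inDns) {
        "Served by DNS but missing from AD on this DC (stale zone copy or a deletion in flight)"
    } else {
        'Consistent: present in AD and served by DNS'
    }

    [pscustomobject]@{
        Record             = "$Name.$Zone"
        Server             = $DnsServer
        InAD               = $inAd
        InDNS              = $inDns
        PollingIntervalSec = $poll
        Status             = $status
    }
}

Test-AdIntegratedRecord -Zone 'corp.example' -Name 'newhost' -DnsServer 'DC01.corp.example' | Format-List
```

Running the check against each DC in turn separates the two delays the post describes: a record missing from AD on a DC is still in AD replication, while a record present in AD but absent from DNS on the same DC is simply waiting for the next poll, which the dnscmd /zoneupdatefromds command shortens to now.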