Hello. Jim here again to elucidate on the wonderment of change notification as it relates to Active Directory replication within and between sites. As you know, Active Directory replication between domain controllers within the same site (intrasite) happens instantaneously. Active Directory replication between sites (intersite) occurs every 180 minutes (3 hours) by default. You can adjust this frequency to match your specific needs BUT it can be no faster than fifteen minutes when configured via the AD Sites and Services snap-in.
Back in the old days when remote sites were connected by a string and two soup cans, it was necessary in most cases to carefully consider configuring your replication intervals and times so as not to flood the pipe (or string in the reference above) with replication traffic and bring your WAN to a grinding halt. With dial up connections between sites it was even more important. It remains an important consideration today if your site is a ship at sea and your only connectivity is a satellite link that could be obscured by a cloud of space debris.
Now in the days of wicked fast fiber links and MPLS VPN Connectivity, change notification may be enabled between site links that can span geographic locations. This will make Active Directory replication instantaneous between the separate sites as if the replication partners were in the same site. Although this is well documented on TechNet and I hate regurgitating existing content, here is how you would configure change notification on a site link:
- Open ADSIEdit.msc.
- In ADSI Edit, expand the Configuration container.
- Expand Sites, navigate to the Inter-Site Transports container, and select CN=IP.
  Note: You cannot enable change notification for SMTP links.
- Right-click the site link object for the sites where you want to enable change notification (e.g. CN=DEFAULTSITELINK) and click Properties.
- In the Attribute Editor tab, double click on Options.
- If the Value(s) box shows <not set>, type 1.
There is one caveat however. Change notification will fail with manual connection objects. If your connection objects are not created by the KCC the change notification setting is meaningless. If it's a manual connection object, it will NOT inherit the Options bit from the Site Link. Enjoy your 15 minute replication latency.
Why would you want to keep connection objects you created manually, anyway? Why don't you just let the KCC do its thing and be happy? Maybe you have a Site Link costing configuration that you would rather not change. Perhaps you are at the mercy of your networking team and the routing of your network and you must keep these manual connections. If, for whatever reason you must keep the manually created replication partners, be of good cheer. You can still enjoy the thrill of change notification.
Change Notification on a manually created replication partner is configured by doing the following:
- Open ADSIEDIT.msc.
- In ADSI Edit, expand the Configuration container.
- Navigate to the following location:
  \Sites\SiteName\Server\NTDS settings\connection object that was manually created
- Right-click on the manually created connection object name.
- In the Attribute Editor tab, double click on Options.
- If the value is 0 then set it to 8.
If the value is anything other than zero, you must do some binary math. Relax; this is going to be fun.
On the Site Link object, it's the 1st bit that controls change notification. On the Connection object, however, it's the 4th bit. The 4th bit (decimal value 8) is shown in the table below, represented in binary (You remember binary don't you???)

| Binary Bit    | 8th | 7th | 6th | 5th | 4th | 3rd | 2nd | 1st |
|---------------|-----|-----|-----|-----|-----|-----|-----|-----|
| Decimal Value | 128 | 64  | 32  | 16  | 8   | 4   | 2   | 1   |
NOTE: The values represented by each bit in the Options attribute are documented in the Active Directory Technical Specification. Fair warning! I'm only including that information for the curious. I STRONGLY recommend against setting any of the options NOT discussed specifically in existing documentation or blogs in your production environment.
Remember what I said earlier? If it's a manual connection object, it will NOT inherit the Options value from the Site Link object. You're going to have to enable change notifications directly on the manually created connection object.
Take the value of the Options attribute, let's say it is 16.
Open Calc.exe in Programmer mode, and paste the contents of your options attribute.
Click on Bin, and count over to the 4th bit starting from the right.
That's the bit that controls change notification on your manually created replication partner. In this example (16 is 10000 in binary) it is zero (0), so change notifications are disabled.
Convert back to decimal and add 8 to it.
Click on Bin, again.
The bit that controls change notification on the manually created replication partner is now 1 (24 is 11000 in binary). You would then change the Options value in ADSIEDIT from 16 to 24.
Click on Ok to commit the change.
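The same bit math as a reusable script, added here as an example and not code from the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses only the bit values the post gives (1 for a site link, 8 for a connection object). Unlike adding 8 on the calculator, a bitwise OR cannot flip the wrong bit when the value already has notification enabled.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module (RSAT).
# Bit values are the ones the post gives: 1st bit (1) on a siteLink object,
# 4th bit (8) on a manually created nTDSConnection object.
$SiteLinkNotifyBit   = 1
$ConnectionNotifyBit = 8

function Test-NotifyBit {
    # $true when the notification bit is already set in an Options value.
    param([int]$Options, [int]$Bit)
    return (($Options -band $Bit) -ne 0)
}

function Add-NotifyBit {
    # Options with the bit set. -bor is idempotent: a value that already has
    # the bit (24, for example) comes back unchanged, whereas blindly adding
    # 8 to 24 would give 32 and set the wrong bit.
    param([int]$Options, [int]$Bit)
    return ($Options -bor $Bit)
}

# Self-check against the post's worked example (16 becomes 24) and the
# already-enabled case; the script stops here if the math is wrong.
if ((Add-NotifyBit -Options 16 -Bit $ConnectionNotifyBit) -ne 24) { throw 'bit math error' }
if ((Add-NotifyBit -Options 24 -Bit $ConnectionNotifyBit) -ne 24) { throw 'bit math error' }
if (-not (Test-NotifyBit -Options 9 -Bit $SiteLinkNotifyBit))    { throw 'bit math error' }

# Report every connection object in the forest with its current Options value
# and what it would become. A missing attribute (ADSIEdit's <not set>) casts to 0.
$configNC = (Get-ADRootDSE).configurationNamingContext
Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=nTDSConnection)' -Properties options |
    ForEach-Object {
        $current = [int]$_.options
        [pscustomobject]@{
            Connection = $_.DistinguishedName
            Options    = $current
            NotifyOn   = Test-NotifyBit -Options $current -Bit $ConnectionNotifyBit
            NewOptions = Add-NotifyBit  -Options $current -Bit $ConnectionNotifyBit
        }
    } | Format-Table -AutoSize

# To enable notification on one manually created connection object, put its
# distinguished name in $dn (placeholder below). -WhatIf previews the write;
# drop it to commit the change.
# $dn = '<DN of the manually created connection object>'
# $current = [int](Get-ADObject -Identity $dn -Properties options).options
# Set-ADObject -Identity $dn -Replace @{ options = (Add-NotifyBit -Options $current -Bit $ConnectionNotifyBit) } -WhatIf
```

The report lists KCC-generated connection objects too; only apply the write step to the manually created ones, since the KCC-generated ones take the setting from the site link.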
Congratulations! You have now configured change notification on your manually created connection object. This sequence of events must be repeated for each manually created connection object that you want to include in the excitement and instantaneous gratification of change notification. Keep in mind that in the event something (or many things) gets deleted from a domain controller, you no longer have that window of intersite latency to stop inbound replication on a downstream partner and do an authoritative restore. Plan the configuration of change notifications accordingly. Make sure you take regular backups, and test them occasionally!
And when you speak of me, speak well…
Jim "changes aren't permanent, but change is" Tierney