AD Synchronization/Replication issue between 2 sites running Windows Server 2008 R2

active-directory windows-server-2008-r2

  • We have an AD forest with a root domain (Main office, HQ) & 4 child domains.
  • One of the child domains has two sites.
  • AD services are running on Windows Server 2008 R2.
  • AD services in all sites were migrated from Windows Server 2003, so on all AD servers the actual name of the SYSVOL shared folder is SYSVOL_DFSR and Netlogon is shared using the same folder. The NTDS DB is present in the NTDS folder.

In the child domain that has 2 sites, one site is newly created and an ADC (Windows Server 2008 R2) is installed on that server.

Now, while promoting the DC in the new site, I created SYSVOL as SYSVOL instead of the normal SYSVOL_DFSR present in all other sites.

On the 1st day I got a few errors on the client systems regarding a domain trust relationship issue, and once we restarted the client workstations we have not received any errors again.

The problem is that AD synchronization is not working properly: whenever I create an account or change the security of any user/group in one site, it is not reflected immediately on the other site's domain controllers (same child domain) and takes 5-15 minutes to synchronize.

What are the steps to verify proper ADC installation and to troubleshoot site to site AD replication?

Additionally, I have manually added a connection to the child domain's PDC Emulator located in the other site. The ADC has automatically created a connection with the root domain. In AD Sites and Services my enterprise admin has created sites and subnets for my sites, but he later created a site-to-site bridge (not a link) between these 2 sites via the root domain located in the main office (HQ).

Best Answer

AD replication honors the Replication Interval set on the Site Link between two sites, which can have a minimum interval of 15 minutes. But you can enable Change Notification for site links.

To do this:

  1. Open ADSIEdit.msc.

  2. In ADSI Edit, expand the Configuration container.

  3. Expand Sites, navigate to the Inter-Site Transports container, and select CN=IP. Note: You cannot enable change notification for SMTP links.

  4. Right-click the site link object for the sites where you want to enable change notification, e.g CN=DEFAULTSITELINK, click Properties.

  5. In the Attribute Editor tab, double click on options.

    a. If the Value(s) box shows <not set>, type 1

    b. If the Value(s) box contains a value, you must derive the new value by using a Boolean BITWISE-OR calculation on the old value, as follows: old_value BITWISE-OR 1. For example, if the value in the Value(s) box is 2, calculate 0010 OR 0001 to equal 0011. Type the integer value of the result in the Edit Attribute box; for this example, the value is 3.

  6. Click OK.

More info is here: https://blogs.technet.microsoft.com/qzaidi/2010/09/23/enable-change-notifications-between-sites-how-and-why/

You can find VBScript to enable Change Notification here: https://gallery.technet.microsoft.com/scriptcenter/390b54d2-cd49-4f46-92e0-c22ff6f25f1c
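The same edit the answer walks through in ADSI Edit (OR the USE_NOTIFY bit into the site link's `options` attribute, treating `<not set>` as 0) can be scripted with the ActiveDirectory PowerShell module that ships with RSAT / Windows Server 2008 R2. The block below is an added example, not code from the answer or from the linked TechNet script; the site link name `DEFAULTIPSITELINK` is the built-in default and is only an assumption, so replace it with the CN of the IP site link between your two sites. It must run as Enterprise Admin, since site links live in the Configuration partition.

```powershell
# Added example (not from the original answer): enable change notification on an
# IP site link by BITWISE-ORing 0x1 into its "options" attribute, the same step the
# answer performs by hand in ADSI Edit. Run as Enterprise Admin on a 2008 R2 DC or
# a workstation with RSAT. $siteLinkName is an assumption; use your own link's CN.
Import-Module ActiveDirectory

$siteLinkName = 'DEFAULTIPSITELINK'   # assumption: replace with your site link's CN

# Site links live in the Configuration partition under Inter-Site Transports\IP.
# Building the DN under CN=IP also enforces the answer's note: SMTP links cannot
# use change notification, so an SMTP link is never touched here.
$configNC = (Get-ADRootDSE).configurationNamingContext
$linkDN   = "CN=$siteLinkName,CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"

$link = Get-ADObject -Identity $linkDN -Properties options, replInterval

# Flag bits of the site link "options" attribute (NTDSSITELINK_OPT_*):
$USE_NOTIFY = 0x1   # replicate on change instead of waiting for the schedule
# 0x2 = TWOWAY_SYNC, 0x4 = DISABLE_COMPRESSION; BITWISE-OR keeps them intact.

# An attribute that ADSI Edit shows as <not set> comes back as $null; treat it as 0.
$oldValue = if ($null -eq $link.options) { 0 } else { [int]$link.options }

if (($oldValue -band $USE_NOTIFY) -ne 0) {
    Write-Host "Change notification already enabled on $siteLinkName (options=$oldValue)."
} else {
    $newValue = $oldValue -bor $USE_NOTIFY     # e.g. 2 -bor 1 = 3, as in the answer
    Set-ADObject -Identity $linkDN -Replace @{ options = $newValue }
    Write-Host "Set options on $siteLinkName from $oldValue to $newValue."
}

# Read the object back: options should now have bit 0x1 set, and replInterval is
# the schedule (in minutes) that still applies whenever notification does not fire.
$link = Get-ADObject -Identity $linkDN -Properties options, replInterval
"{0}: options={1} replInterval={2} minutes" -f $siteLinkName, $link.options, $link.replInterval

# The flag takes effect once the KCC has rebuilt the inter-site connection objects.
# Force a KCC run on the local DC, then check inbound replication status and errors.
repadmin /kcc
repadmin /showrepl
```

Run it once from a DC in either site and wait for the KCC to run on the bridgehead in the other site (or run `repadmin /kcc` there as well); `repadmin /showrepl` on the new ADC should then list its inbound partners with a recent "Last attempt" and no error, and a change made in one site should appear in the other within seconds rather than at the next scheduled interval.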
