How to optimize Active Directory replication in a large network

Article translations Article translations
Article ID: 244368 - View products that this article applies to.
This article was previously published under Q244368
Notice
This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.
Expand all | Collapse all

On This Page

SUMMARY

This article describes how to optimize Active Directory replication in large network configurations.

MORE INFORMATION

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
The Knowledge Consistency Checker (KCC) dynamically adjusts the data replication topology of your network when domain controllers are added to or removed from the network, when a domain controller is unavailable, or when the data replication schedules are changed.

The tasks of the KCC are:
  • Based on the network topology described by Active Directory objects, the KCC creates connection objects which are used to define inbound and outbound replication to domain controllers:

    • For sources within the same site, inbound to the domain controller on which the KCC is running.
    • For sources in different sites, inbound to the site in which the KCC is running, if the domain controller on which the KCC is running is the elected interSiteTopologyGenerator for its site.
  • Convert the KCC-defined and administrator-defined Microsoft Windows NT Directory Service Connection (ntdsConnection) objects into a configuration understood by the Directory Service (DS) replication engine.
By default, each of these tasks is executed every 15 minutes. For more information about the KCC, please see the Active Directory Replication chapter in the Windows 2000 Resource Kit.

Example

In some large site configurations containing many sites, many domains, or many routes betweens sites, the inter-site KCC executes slowly, consuming too much Central Processing Unit (CPU) time and memory resources.

If D is the number of domains in your network, S is the number of sites in your network, and
(1 + D) * S^2 <= 100,000
then you can safely ignore the rest of this article.

The following table lists the execution times and memory consumption figures for an inter-site KCC running in a variety of hub-and-spoke configurations with no performance tuning applied. Each site contains a domain controller for a single domain and a global catalog. Domains are equally dispersed across the sites. Automatic site-link bridging is enabled. Measurements were made on an Intel Pentium III Xeon at 500MHz with 1 gigabyte (GB) of Random Access Memory (RAM). Memory usage includes database caching. Memory consumption will be lower on computers with less physical memory.

Collapse this tableExpand this table
Location# Sites# DomainsTime Elapsed (h:m:s)Memory Usage in K
Satellite12510:00:1211748
Hub12510:00:2112256
Satellite25010:00:4145660
Hub25010:01:0544820
Satellite50010:02:56173216
Hub50010:04:34174752
Satellite100010:15:23685596
Hub100010:17:34688568
Satellite100010:15:54685604
Hub100010:17:51689668
Satellite125100:00:5958520
Hub125100:01:1958536
Satellite250100:04:00228304
Hub250100:04:47227508
Satellite500100:21:32815916
Satellite500100:19:41823808
Hub500100:21:18828484
Satellite125500:04:49266088
Hub125500:05:54264024
Satellite250500:20:19831924
Hub250500:22:49841536
The formula for the execution time is:
(1 + num domains) * num sites ^ 2 * 0.0000075 minutes
You can determine how long the KCC runs in your existing configuration using the Active Directory Sites and Services snap-in:
  1. Determine which domain controller in the site is the current inter-site topology generator by viewing the properties of the NTDS Site Settings object.
  2. Time the execution of the KCC on that domain controller:

    1. Right-click NTDS Settings.
    2. Click Check Replication Topology.
Also, you can monitor the execution time of the KCC on an on-going basis by using Registry Editor to view the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Diagnostics
Change the "1 Knowledge Consistency Checker" value to a value of 3 or greater.

With this value set to 3 or greater, the KCC will log events 1009 and 1013 to signify the beginning and end of the check.

Recommendations

If your configuration does not satisfy the above criteria, then use the appropriate method:

Reduce Use of Site-Link Bridges in Your Site Configuration

This option works well in typical hub and spoke configurations by reducing the number of potential routes between sites.

Automatic site-link bridging indicates the entire network is fully Internet Protocol (IP) routed. In this situation, any computer in a given site can communicate over IP with any computer in any other site. Automatic site-link bridging is enabled for both the IP and Simple Mail Transport Protocol (SMTP) inter-site transports by default. Disabling this feature requires that you add explicit site-link bridge objects where needed. Site-link bridges are necessary only if a particular site contains a domain controller of a domain that is not present in any adjacent site, but another domain controller of that domain does occur in other sites in the forest. An adjacent site is defined to be any site included in any site link containing the site in question. Most configurations do not require the use of site-link bridges, because any site holding a domain controller of a given domain that occurs in more than one site is almost always adjacent to at least one other site containing a domain controller of the same domain.

If KCC is unable to directly or transitively connect all the sites containing domain controllers of a particular domain after you disable automatic site-link bridging, the KCC will log event 1311.

Example

The Directory Service consistency checker has determined that either:
  1. There is not enough physical connectivity published by using the Active Directory Sites and Services Manager to create a spanning tree connecting all the sites in the forest.
  2. Replication cannot be performed with one or more critical servers for changes to propagate across all sites. This is most often due to the servers being unreachable.
To resolve issue A, use the Active Directory Sites and Services Manager to do one of the following:
  • Publish sufficient site connectivity information such that the computer can infer a route by which this partition can reach this site. This option is preferred.
  • Add an ntdsConnection object to a domain controller that contains the partition domain controller=europe,domain controller=mycorp,domain controller=com in this site from a domain controller that contains the same partition in another site.
To resolve issue B, examine the current event log to determine which server or servers could not be contacted by the KCC.

To disable automatic site-link bridging:
  1. Double-click the Active Directory Sites and Services snap-in.
  2. Right-click the IP transport object, and then click Properties.
  3. In the Inter-Site Transports container, click the appropriate check box to clear it, and then click OK.
There are still limits to the configurations for which the KCC can automatically calculate an inter-site topology, even when no site-link bridging is being used. The following table lists the execution times and memory consumption figures for the inter-site KCC running in a variety of hub-and-spoke configurations. Each site contains a domain controller of a single domain and a global catalog (GC). Domains are equally dispersed across the sites. Automatic site-link bridging is disabled, and no site-link bridges have been defined. Measurements were made on an Intel Pentium III Xeon at 500MHz with 1GB of RAM; execution times on Intel Pentium II 200MHz processors are about double those listed. Memory usage includes database caching. Memory consumption will be lower on computers with less physical memory.

Collapse this tableExpand this table
Location# Sites# DomainsTime Elapsed (h:m:s)Memory Usage in K
Satellite100210:01:2731380
Hub100210:04:4633352
Satellite50210:00:359980
Hub50210:01:5811540
Satellite25210:00:234072
Hub25210:00:544112
Satellite12710:00:101464
Hub12710:00:262052
Satellite1002500:39:4292160
Hub1002501:21:3085392
Satellite502500:11:3342456
Hub502500:26:2637384
Satellite252500:03:3215292
Hub252500:09:3618408
Satellite127500:01:157364
Hub127500:04:059324
Satellite1002100:09:0050752
Hub1002100:19:0460956
The formula for the execution time for satellite sites is
(1 + number of domains) * number of sites * 0.0006 minutes
where number of domains is the number of domains, and number of sites is the number of sites.

The formula for hub sites is:
(1 + number of domains) * number of sites * 0.0015 minutes

Run the Inter-site KCC Only During Off Peak Hours

This option works well when the computer has a time slot when little work is being done, and an inter-site KCC run fits within this time slot. This technique would typically be used only if the use of site-link bridging has already been reduced, and the execution time or memory usage of the KCC remains a problem during critical business hours.

The KCCs in a given site can be configured to disable only the inter-site topology calculation, maintaining their ability to respond to changing replication requirements within the site. The inter-site topology calculation can then be re-enabled at a specific time of day just long enough for a KCC in the site to run the inter-site check and can then be disabled again.

When the inter-site topology check is disabled for a particular site, that site will not respond to changes in the inter-site topology. If one or both replication partners for all inter-site connections that replicate a given domain are unavailable, no KCC automatic adaptation to a new source or destination will be done until the domain controllers come back online or the inter-site portion of the KCC is run again.

NOTE: The administrator can manually add connections while the inter-site KCC is disabled.

To evaluate whether this option is realistic in your configuration, first determine how long the KCC takes to run in your environment. Then determine if there is a block of time on one domain controller in each site to accommodate the time and memory requirements. It is not necessary for the inter-site portion of the KCC to be run in all sites at the same time.

To schedule the inter-site KCC, use the Task Scheduler component to schedule executions of "wscript /b runkcc.vbs" (the script in text form is included later in this article). For more information about Task Scheduler, refer to the Task Scheduler topic in Windows 2000 Help. Runkcc.vbs requires the support tools in the Support\Tools folder in the Windows 2000 CD-ROM to be installed on the computer on which it is run.

Disable Inter-Site KCC Entirely, Manually Configure Connections

This option works well in typical hub-spoke configurations. It is typically used only when the two previous methods are not viable options, especially in configurations with thousands of sites.

When automatic inter-site topology is disabled entirely, it becomes the responsibility of the administrator to create the necessary inter-site replication connection objects to ensure that replication data continues to flow across the forest. Typically, customers with enough sites to surpass the KCC limits employ hub-and-spoke network topologies to connect a corporate headquarters with a large number of homogeneous branch office sites. This symmetry greatly simplifies the process.

Before creating your own connection objects without the help of the KCC, there are several points to consider:
  • Server failures. Consider the case where the domain controller BR1 in a branch office site is connected to the domain controller HQ1 in the corporate hub site, and HQ1 undergoes a hardware error, power failure, or some other catastrophic event. When automatic inter-site topology is enabled, the KCC takes care of adding an additional connection to temporarily replicate from another domain controller in the corporate hub site until HQ1 returns online. Without automatic inter-site topology generation, to ensure that replication continues to occur in cases of server failures, redundant connections must be defined. Define two connections inbound to BR1, one from HQ1, and one from HQ2. If there are two domain controllers in the branch office, BR1 and BR2, then the second connection should be from HQ2 to BR2. This allows updates to be replicated from the corporate hub site in the event that one of the two branch office domain controllers fails.

    Redundant connections defined in this manner may force the same Active Directory updates to be replicated more than once unless the IP transport is being used and all connections inbound to the site have the same destination domain controller within the site. When using the SMTP transport or multiple destination domain controllers, the replication schedule should be interleaved such that the updates from one source are received, applied, and replicated within the destination site before the request to the second source is made. Extending the example above, the first connection might replicate on odd hours and the second connection replicate on even hours.
  • Global Catalog placement. If a site contains GCs, one or more of the GCs must be used for replication to and from the site. If this is not done, then GCs will not remain synchronized.
  • Domain placement. If domain controllers of a particular domain are spread out over multiple sites, one or more domain controllers of that domain must be used for replication with other domain controllers of that same domain. This ensures that domain data is replicated across all domain controllers of that domain. It is not sufficient for a domain A domain controller in site 1 to replicate solely with a domain B GC in site 2 if site 2 contains a domain controller for domain A. Because the domain B GC has only a subset of the attributes for objects in domain A, it cannot act as a conduit to replicate attributes not in this set between the domain A domain controllers.
  • Load balancing. Distribute the inbound and outbound replication load. For example, if you have 100 domain controllers in your corporate hub site and 1000 branch offices with 1 domain controller each, you do not want to configure all 1000 branch office domain controllers to replicate from the same domain controller in your hub site. Instead, load balance such that each domain controller in the corporate hub communicates with 10 branch office sites. Since only one inbound replication can occur at a time and communication with branch office sites is often over slow wide area network (WAN) links, failing to load balance will not only increase the CPU and memory load on the hub site domain controller, but this may also result in very large backlogs of data to replicate.
A single run of the KCC can also be used to initially create connections that can then be adapted by an administrator. If the inter-site KCC is not to be run periodically thereafter, then the administrator must define additional replication connections so that replication continues to function in the event of failure of the source domain controller identified by the first connection. If all existing connections fail and the inter-site KCC is not re-run, the administrator must connect directly to the target domain controller and create a connection to a domain controller that is reachable. In configurations with high volatility (when the optimal source domain controllers are occasionally unavailable for long periods of time due to network failures) it is advisable to have more than one extra connection.

Runkcc.vbs (VBScript to Trigger the One-time Run of the KCC)

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements. '*/ runkcc.vbs
'*/
'*/ Parameters: <none>
'*/ Purpose: When run on a domain controller, this script makes the local domain controller the Inter-Site
'*/ Topology Generator for its site, enables inter-Site topology generation temporarily if it is disabled,
'*/ runs the KCC topology generation process, and disables inter-site topology generation if it was
'*/ configured so to begin with.
'*/
'*/

On Error Resume Next

Call ExecuteKCC()

Public Sub ReportError ()

'tell the user the error
wscript.Echo "The following error occurred: (" + cstr(hex(err.number)) +") " + cstr(err.description)

End Sub

Public Sub ExecuteKCC ()

On Error Resume Next

wscript.echo "Loading functions for use by this script..."
set dll=createobject("iadstools.DCFunctions")
if err.number <> 0 then ReportError:WScript.Quit
dll.enabledebuglogging 1

'get the local box name
wscript.echo "1> Connecting to local machine..."
set localMachine=GetObject("LDAP://localhost/rootdse")
if err.number <> 0 then ReportError:Wscript.Quit
ServerName=localmachine.get("dnsHostName")
if err.number <> 0 then ReportError:WScript.Quit
wscript.echo "2> Found local machine " + ucase(ServerName)

'get the config NC
configNC=localMachine.get("configurationNamingContext")
if err.number <> 0 then ReportError:Wscript.Quit
wscript.echo "3> Configuration Naming Context is: " + configNC

'get the SiteName of this box
domaincontrollerSiteName=dll.dsgetsitename

if err.number <> 0 then ReportError:Wscript.Quit
wscript.echo "4> The site for this server is: " + domaincontrollersitename

'get the DSA DN for this box
DSAObj = localMachine.get("dsServiceName")
if err.number <> 0 then ReportError:Wscript.Quit
wscript.echo "5> The DN for this machine's DSA is: " + DSAObj

'bind to the Site Settings object in the Directory
SiteSettingsPath="LDAP://localhost/CN=NTDS Site Settings,CN="+domaincontrollerSiteName+",CN=Sites,"+configNC
set SiteSettings=GetObject(SiteSettingsPath)
if err.number <> 0 then ReportError:WScript.Quit

'make the current box the ISTG
wscript.echo "6> Making " + ucase(ServerName) + " the Inter Site Topology Generator for the " + ucase(domaincontrollerSiteName) + " site."
SiteSettings.Put "interSiteTopologyGenerator",DSAObj
SiteSettings.SetInfo
if err.number <> 0 then ReportError:Wscript.Quit

'get the current options
origOptions=SiteSettings.Get("options")
if hex(err.number) = "8000500D" then
origOptions=0
elseif err.number=0 then
'do nothing
else
ReportError:Wscript.Quit
end if
modOptions=origOptions
wscript.echo "7> Currently, the options specified for KCC operations for the ISTG in this site is set to: " + cstr(origOptions)

'enable the KCC if currently disabled, otherwise, leave it alone
if modOPtions And 16 then
mod2Options=modOptions XOr 16
wscript.echo "8> The KCC is currently disabled for inter-site topology generation. Temporarily re-enabling it. Setting options to: "+ cstr(mod2Options)
SiteSettings.Put "options", mod2Options
SiteSettings.SetInfo
if err.number <> 0 then
ReportError
wscript.echo "An error occurred during the process of modifying the options attribute. Check to make sure that it has the correct original value. This script is terminating."
Wscript.Quit
end if
else
wscript.echo "8> The KCC is currently enabled to handle inter-site topology generation. No change is necessary before triggering the KCC."
end if

'run the KCC
Result=dll.TriggerKCC(cstr(ServerName))
if err.number > 0 then ReportError
If result=0 then
wscript.echo "9> The KCC was successfully triggered on " + ucase(ServerName)
else
wscript.echo "9> The following error occurred trigerring the KCC on " + ucase(ServerName) + ": " + dll.lasterrortext
end if

'disable the KCC
wscript.echo "10> Re-writing the original options (" + cstr(origOptions) + ") to the ISTG."
SiteSettings.Put "options", origOptions
SiteSettings.SetInfo
if err.number <> 0 then ReportError:WScript.Quit

End Sub

'end script

For more information about the Windows 2000 KCC, click the following article numbers to view the articles in the Microsoft Knowledge Base:
242780 Disabling KCC from automatically creating replication topology
224815 The role of the Inter-Site Topology Generator
214745 Troubleshooting Event ID 1311: Knowledge Consistency Checker

Properties

Article ID: 244368 - Last Review: March 2, 2007 - Revision: 5.5
APPLIES TO
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
Keywords: 
kbinfo kbnetwork KB244368

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com