Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
How replication works
To keep directory data on all domain controllers consistent and up to date, Active Directory replicates directory changes on a regular basis. Replication occurs over standard network protocols, uses change tracking information to prevent unnecessary replication, and uses linked value replication to improve efficiency.
Transferring replication data
Active Directory uses remote procedure call (RPC) over Internet Protocol (IP) to transfer replication data between domain controllers. RPC over IP is used for both intersite and intrasite replication. To keep data secure while in transit, RPC over IP replication uses both authentication (using the Kerberos V5 authentication protocol) and data encryption.
When a direct or reliable IP connection is not available, replication between sites can be configured to use the Simple Mail Transfer Protocol (SMTP). However, SMTP replication functionality is limited, and requires an enterprise certification authority (CA). SMTP can only be used to replicate the configuration, schema and application directory partitions, and does not support the replication of domain directory partitions. For more information, see "Active Directory Replication" at the Microsoft Windows Resource Kits Web site [ http://go.microsoft.com/fwlink/?LinkId=4556 ].
Preventing unnecessary replication
Once a domain controller has processed a directory change from another domain controller successfully, it should not try to replicate those changes back to the domain controller that sent the change. In addition, a domain controller should avoid sending updates to another domain controller if the target domain controller has already received that same update from a different replication partner. To prevent such unnecessary replication, Active Directory uses change tracking information stored in the directory. For information about change tracking, see "Active Directory Replication" at the Microsoft Windows Resource Kits Web site [ http://go.microsoft.com/fwlink/?LinkId=4556 ].
Resolving conflicting changes
It is possible for two different users to make changes to the same object property and to have these changes applied at two different domain controllers in the same domain before either change has replicated. In such a case, both changes are replicated as new changes, creating a conflict. To resolve this conflict, domain controllers that receive the conflicting changes examine the attribute data contained within the changes, each of which holds a version and a timestamp. Domain controllers accept the change with the higher version and discard the other change. If the versions are identical, domain controllers accept the change with the more recent timestamp.
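The per-attribute resolution rule above, as an added illustration (this is example code, not Microsoft's implementation): each write carries a version and a timestamp, the higher version wins, and a newer timestamp breaks a version tie. The final tiebreaker on equal version and timestamp is not described on this page; comparing originating DSA invocation IDs is an assumption made here so that every domain controller converges on the same value, and the DC names, invocation IDs and attribute values are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from uuid import UUID


@dataclass(frozen=True)
class AttributeChange:
    """Per-attribute replication metadata carried with a replicated write."""
    attribute: str
    value: str
    version: int           # bumped by every originating write to this attribute
    timestamp: datetime    # time of the originating write (UTC)
    originating_dsa: UUID  # invocation ID of the DC where the write originated


def resolve_conflict(current: AttributeChange, incoming: AttributeChange) -> AttributeChange:
    """Return the change a receiving DC keeps: higher version wins, then newer timestamp."""
    if current.attribute != incoming.attribute:
        raise ValueError("conflict resolution is per attribute")
    if incoming.version != current.version:
        return incoming if incoming.version > current.version else current
    if incoming.timestamp != current.timestamp:
        return incoming if incoming.timestamp > current.timestamp else current
    # Equal version and timestamp is not covered on this page. Assumption: the
    # higher originating DSA invocation ID wins, so every DC picks the same value.
    return incoming if incoming.originating_dsa.int > current.originating_dsa.int else current


def apply_changes(changes):
    """Apply replicated changes to a DC in arrival order; return the surviving value per attribute."""
    store = {}
    for change in changes:
        held = store.get(change.attribute)
        store[change.attribute] = change if held is None else resolve_conflict(held, change)
    return {name: c.value for name, c in store.items()}


# Constructed scenario: two administrators edit the same user's description on two
# DCs (DC1 and DC2) before either change replicates; both writes bump version 1 -> 2.
DC1 = UUID("11111111-1111-1111-1111-111111111111")  # made-up invocation IDs
DC2 = UUID("22222222-2222-2222-2222-222222222222")
T0 = datetime(2005, 1, 21, 10, 0, 0, tzinfo=timezone.utc)
CHANGE_FROM_DC1 = AttributeChange("description", "Sales, Building A", 2, T0, DC1)
CHANGE_FROM_DC2 = AttributeChange("description", "Sales, Building B", 2, T0.replace(second=5), DC2)

if __name__ == "__main__":
    # Whatever order a third DC receives the two writes in, the later write survives.
    print(apply_changes([CHANGE_FROM_DC1, CHANGE_FROM_DC2]))
    print(apply_changes([CHANGE_FROM_DC2, CHANGE_FROM_DC1]))
```

Because the rule depends only on the metadata and not on arrival order, every DC that receives both writes ends up with the same value, which is what makes the resolution deterministic forest-wide.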
Improving replication efficiency
Introduced in the Windows Server 2003 family, linked value replication allows individual values of a multivalued attribute to be replicated separately. In Windows 2000, when a change was made to a member of a group (one example of a multivalued attribute with linked values) the entire group had to be replicated. With linked value replication, only the group member that has changed is replicated, and not the entire group. To enable linked value replication, you must raise the forest functional level to Windows Server 2003. For more information about forest functional levels, see Domain and forest functionality [ http://technet.microsoft.com/en-us/library/cc738670(WS.10).aspx ]. For more information about multivalued attributes, see Schema [ http://technet.microsoft.com/en-us/library/cc756876(WS.10).aspx ].
For more information about how replication works, see "Active Directory Replication" at the Microsoft Windows Resource Kits Web site [