Active Directory Domain Services (AD DS) handles replication between sites, or intersite replication, differently than replication within sites because bandwidth between sites is usually limited. The Active Directory Knowledge Consistency Checker (KCC) builds the intersite replication topology using a least-cost spanning tree design. Intersite replication is optimized for bandwidth efficiency. Directory updates between sites occur automatically based on a configurable schedule. Directory updates that are replicated between sites are compressed to preserve bandwidth.
Building the intersite replication topology
AD DS uses information that you provide (through the Active Directory Sites and Services snap-in) about your sites and site links to build the most efficient intersite replication topology automatically. The directory stores the replication topology as connection objects, which the system creates automatically to form the replication topology both within sites and between sites. Connection objects identify replication partners for both intrasite replication and intersite replication. These objects always represent one-way, inbound replication to the server that contains the object. The intersite replication topology is updated regularly to respond to any changes that occur in the network. You do not have to create or manage connection objects. However, you can control the timing of intersite replication through the information that you provide when you configure site link objects.
You can use Active Directory Sites and Services to administer the replication of directory data among all the sites in an Active Directory Lightweight Directory Services (AD LDS) configuration set.
Determining when intersite replication occurs
AD DS preserves bandwidth between sites by minimizing the frequency of replication and by making it possible for you to schedule the availability of site links for replication. By default, intersite replication across each site link occurs every 180 minutes (3 hours). You can adjust this frequency to match your specific needs. Be aware that increasing this frequency increases the amount of bandwidth that replication uses. In addition to scheduling the frequency of replication, you can also schedule the availability of site links for replication. By default, a site link is available to carry replication traffic 24 hours a day, 7 days a week. You can limit this schedule to specific days of the week and times of day. For example, you can schedule intersite replication so that it occurs only after normal business hours, five days a week.
If you have multiple site links configured so that there is more than one route between two sites, you can configure the cost of replication on the site link to identify a preference for one route over the other. For more information about how cost affects intersite replication routes, see How Active Directory Replication Topology Works (
Using replication transports
The default transport for AD DS replication within sites is Remote Procedure Call (RPC) over IP. RPC over IP is also used for intersite replication. The IP container in Active Directory Sites and Services contains objects that represent site links that use RPC over IP to package and transfer replication data between sites. To keep data secure while it is in transit between sites, RPC over IP replication uses both authentication (with the Kerberos version 5 (V5) authentication protocol) and data encryption.
When a direct or reliable IP connection is not available, you can configure replication between sites to use Simple Mail Transfer Protocol (SMTP). However, SMTP replication functionality is limited to nondomain replication (schema, configuration, and global catalog updates). It also requires an enterprise certification authority (CA) when you use it over site links. In Windows Server 2008 R2, the SMTP component of Intersite Messaging is optional. You must add it before you can use SMTP for replication. For more information about SMTP replication, see How Active Directory Replication Topology Works (
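As an added example (not part of the original article), the following PowerShell uses the ActiveDirectory module to apply the settings described above to one IP site link and then to audit every site link for the defaults that matter for bandwidth and exposure: the 180-minute interval, the 24x7 availability schedule, and the SMTP transport. The site names HQ and Branch, the link name HQ-Branch, and the cost and interval values are assumptions for illustration.

```powershell
# Added example: requires RSAT / the ActiveDirectory module and rights to edit the
# Configuration partition. Site and link names below are assumed, not from the article.
Import-Module ActiveDirectory

# Build a schedule that opens the link only on weekdays outside business hours:
# 18:00 through 05:45 the next morning. ActiveDirectorySchedule uses HourOfDay /
# MinuteOfHour enums in 15-minute slots; the end slot is inclusive, so
# 'TwentyThree','FortyFive' covers the final quarter of the day.
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$weekdays = [System.DayOfWeek[]]('Monday','Tuesday','Wednesday','Thursday','Friday')
$schedule.SetSchedule($weekdays, 'Eighteen', 'Zero', 'TwentyThree', 'FortyFive')
$schedule.SetSchedule($weekdays, 'Zero', 'Zero', 'Five', 'FortyFive')

# Apply interval, cost and availability window to the assumed link HQ-Branch.
# Lowering the interval below the 180-minute default trades bandwidth for latency;
# a lower cost than a parallel link makes the KCC prefer this route.
Set-ADReplicationSiteLink -Identity 'HQ-Branch' `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 60 `
    -ReplicationSchedule $schedule

# Audit all site links. A null ReplicationSchedule means the attribute was never
# set, i.e. the link is available 24x7. RawSchedule is a bool[7,24,4] array
# (day, hour, quarter-hour); PowerShell's foreach enumerates it element by element.
Get-ADReplicationSiteLink -Filter * `
    -Properties Cost, ReplicationFrequencyInMinutes, ReplicationSchedule, InterSiteTransportProtocol |
  ForEach-Object {
    $open = 0
    foreach ($slot in $_.ReplicationSchedule.RawSchedule) { if ($slot) { $open++ } }
    [pscustomobject]@{
        Name          = $_.Name
        Transport     = $_.InterSiteTransportProtocol   # SMTP = nondomain replication only
        Cost          = $_.Cost
        IntervalMin   = $_.ReplicationFrequencyInMinutes
        OpenSlots     = "$open/672"                     # 672 = 7 days x 24 hours x 4
        AlwaysOpen    = ($null -eq $_.ReplicationSchedule -or $open -eq 672)
        BelowDefault  = ($_.ReplicationFrequencyInMinutes -lt 180)
    }
  } | Format-Table -AutoSize
```

Run the audit first, before any Set call, to see which links still carry the defaults described in this article.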
Intersite replication through a firewall or a virtual private network (VPN) requires some special considerations. For more information, see Active Directory in Networks Segmented by Firewalls (