Active Directory Replication Strategy

Active Directory Replication Strategy
Explain how replication should be configured, implemented, maintained, and monitored in an Active Directory infrastructure.
Active Directory implements a replication topology that takes advantage of the network speeds within sites, which are ideally configured to be equivalent to local area network (LAN) connectivity. The replication topology also minimizes the use of potentially slow or expensive wide area network (WAN) links between sites. When you create a site object in Active Directory, you associate one or more Internet Protocol (IP) subnets with the site. Each domain controller in a forest is associated with an Active Directory site. A client workstation is associated with a site according to its IP address; that is, each IP address maps to one subnet, which in turn maps to one site. Active Directory uses sites to: 1. Optimize replication for speed and bandwidth consumption between domain controllers. 2. Locate the closest domain controller for client logon, services, and directory searches. 3. Direct a Distributed File System (DFS) client to the server that is hosting the requested data within the site. 4. Replicate the system volume (SYSVOL), a collection of folders in the file system that exists on each domain controller in a domain and is required for implementation of Group Policy.
And when it comes to monitoring my replication in active directory I would use the following command: dcdiag /test:replications, which will allow me to find issues in my replication.
Explain the factors that go into the decision for what data is being replicated, how often that is done, and how to ensure that it is functioning properly. When you decide which replication scope to choose, consider that the broader the replication scope, the greater the network traffic caused by replication. For example, if you decide to have AD DS integrated DNS zone data replicated to all DNS servers in the forest, this will produce greater network traffic than replicating the DNS zone data to all DNS servers in a single AD DS domain in that forest. Active Directory permits you to schedule replication so that you can control the amount of bandwidth consumed. This is important because bandwidth affects the efficiency of replication. The frequency of replication is a trade-off between bandwidth consumption and maintaining the AD DS database in an up-to-date condition. It would be best to do most replication after business hours.
Inbound or outbound replication failure causes Active Directory objects that represent the replication topology, replication schedule, domain controllers, users, computers, passwords, security groups, group memberships, and Group Policy to be inconsistent between domain controllers. Directory inconsistency and replication failure cause either operational failures or inconsistent results, depending on the domain controller that is contacted for the operation, and can prevent the application of Group Policy and access control permissions. Active Directory Domain Services (AD DS) depends on network connectivity, name resolution, authentication and authorization, the directory database, the replication topology, and the replication engine. When the root cause of a replication problem is not immediately obvious, determining the cause among the many possible causes requires systematic elimination of probable causes.

Detail three errors that can arise from Active Directory Replication and how they can be diagnosed as well as prevented.
Replication error 8606 insufficient attributes were given to create an object;
Diagnostic: DCDIAG reports that Active Directory Replications test failed with error status code (8614): "Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime."
System time on the destination DC moved, or "jumped," tombstone lifetime one or more number of days in the future since the last successful replication. This gives the appearance to the replication engine that the destination DC failed to inbound-replicate a directory partition for tombstone lifetime elapsed number of days.
Prevent: Check for nondefault values of tombstone lifetime, Check for DCs that failed inbound replication for TSL number of days, Check for time jumps.
Replication error 5 Access is denied;
Diagnostic: Antivirus software that uses a mini-firewall network adapter filter driver on the source or destination DC has been known to cause this issue. Some network adapters have a "Large Send Offload" feature that has been known to cause this issue.
Prevent: to prevent and fix this issue I would run DCDIAG on the destination DC, also DCDAIG /TEST:CheckSecurityErro and NETDIAG.

Replication error 1753 there are no more endpoints available from the endpoint mapper;
Diagnostic: error 1753 means that the RPC client (destination DC) was able to contact the RPC Server (source DC) over port 135 but the EPM on the RPC Server (source DC) was unable to locate the RPC application of interest and returned server side error 1753. The presence of the 1753 error indicates that the RPC client (destination DC) received the server side error response from the RPC Server (AD replication source DC) over the network.
Prevent: To prevent and fix this issue I would, verify that the Active Directory Domain Services service is running. Verify that RPC client (destination DC) connected to the intended RPC Server (source DC). Verify that the server application (Active Directory et al) has registered with the endpoint mapper on the RPC server (source DC). Verify that the startup value and service status for RPC service and RPC Locator is correct for OS version of the RPC Client (destination DC) and RPC Server (source DC). If the service is currently stopped or was not configured with default startup values, reset the default startup values, reboot the modified DC then retry the operation.
Describe and detail three tools that can aid in the replication process.
Dssite.msc: Active Directory Sites and Services * Sites container: Add new sites. * Site objects: Add new servers to a site. * NTDS Site Settings object: For each site, view the connection object schedule and enable Universal group membership caching. * Server object: View the NTDS Settings object and designate the server as a bridgehead server. * NTDS Settings object: View inbound connections for the server. View the connection object schedule and change the source server for the connection. * Inter-Site Transports container: Manage IP and SMTP site links. * Site link objects: Manage the site link properties for a set of sites. * Subnets container: Add, remove, and configure subnets with IP addresses. Associate subnets with sites.
Repadmin.exe: Repadmin
Repadmin is used to view the replication information on domain controllers. You can determine the last successful replication of all directory partitions, identify inbound and outbound replication partners, identify the current bridgehead servers, view object metadata, and generally manage Active Directory replication topology. You can use Repadmin to force replication of an entire directory partition or of a single object. You can also list domain controllers in a site.
The Active Directory Replication Status Tool (ADREPLSTATUS)
ADREPLSTATUS helps administrators identify, prioritize and resolve Active Directory replication errors on a single DC or all DCs in an Active Directory Domain or Forest. * Auto-discovery of the DCs and domains in the Active Directory forest to which the ADREPLSTATUS computer is joined * Errors only mode allows administrators to focus only on DCs reporting replication failures * Upon detection of replication errors, ADREPLSTATUS uses its tight integration with resolution content on Microsoft TechNet to display the resolution steps for the top AD Replication errors * Rich sorting and grouping of result output by clicking on any single column header (sort) or by dragging one or more column headers to the filter bar. Use one or both options to arrange output by last replication error, last replication success date, source DC naming context and last replication success date, etc.) * The ability to export replication status data so that it can be imported and viewed by source domain admins, destination domain admins or support professionals using either Microsoft Excel or ADREPLSTATUS
ADREPLSTATUs UI consists of a toolbar and Office-style ribbon to expose different features. The Replication Status Viewer tab displays the replication status for all DCs in the forest. The screenshot below shows ADREPLSTATUS highlighting a DC that has not replicated in Tombstone Lifetime number of days (identified here by the black color-coding).
List and describe some of the best practices for Active Directory Replication.
When in in a business setting it is a smart move to replicate your domain controllers. Say you have a site with let’s say seven domain controllers and you have a user that’s logging on to the network and types there password in, one of those domain controllers is going to authenticate the user, now let’s say that users logs off changes there password and then logs back in they would be then authenticated by a different one of the domain controllers. For this reason you want a replication with in a site to happen quickly. This is called Intrasite Replication (IR). With this type of replication windows active directory can use with no configuration. IR will take place 15 seconds after a change on the network is made. What this means is that when I change is made all seven domain controllers will receive the change in less than a minute. If you have 8 or more domain controllers in one site active directory can reduce the latency buy make additional connection between domain controllers. And again active directory does this automatically;
Now with Intersite Replication (IR2) this replication takes place between two different sites rather than just one site like Intrasite Replication. Say we have the original site with the seven domain controllers and we need to have a replication to another site out of state that has three domain controllers. Now as an administrator you will have to manually set up a Site Link. After that active directory will choose a domain controller from both sites, it creates 2 Bridgehead Servers (BHS) at each site. Now when a change is made at one site it will first replicate at that site and when it reaches the BHS then I will begin to replicate to the other BHS located at the other site. If the active BHS at one of the sites fail active directory will then choose another BHS automatically.
As a network admin you can also choose the domain controller you want act as the BHS manually. But be warned if you decide to this manually if that BHS you choose goes down active directory will not automatically choose another one for you and replication will not take place. Once the site link is finished you can now set up some awesome options, you can set up a Schedule of when you want the Intersite to replicate you may want to set it to replicate after business hours due to network traffic. Then you can set up a Cost which sets priority for which the site links to use. The last thing to consider with a site link is Site Transport there are two options to consider with Site Transport to use for the Site Link. First you have RCP over IP or SMTP. RCP over IP support everything active directory needs which is also the common route to use. Now with SMTP it supports everything but file replication it’s impossible to use SMTP on domain level, all the log in scripts and group policy will not be replicated (and that’s a no-no). The only things SMTP can replicate are active directory changes and the schema. SMTP is only good in my opinion when you have a unreliable network because it does not require a response back confirming the transmit (asynchronous). With RCP over IP it waits for a response from the recipient and if it does not receive one then it will stop communication (synchronous). So as you can see replication is very important to the world as we know it today, when adding new users, changes in group policies like file control and changes made throughout active directory, user passwords anything, if you’re in a company you’re going to want all these things to update in every domain controller, at every site.

References
Microsoft/TechNet (2011, April 25). Verify Active Directory replication: Active Directory. Retrieved April 18, 2013, from http://technet.microsoft.com/en-us/library/cc816863(v=ws.10).aspx
Microsoft/TechNet (2012, July 12). Understanding DNS Zone Replication in Active Directory Domain Services. Retrieved April 18, 2013, from http://technet.microsoft.com/en-us/library/cc772101.aspx
Blog at WordPress.com (2011, June 22). How to Configure Active Directory Sites and Replication | Windows Management And Scripting Blog. Retrieved April 18, 2013, from http://windows-scripting.org/2011/06/22/how-to-configure-active-directory-sites-and-replication/
Itfreetraining (2012, April 15). MCITP 70-640: Active Directory Replication [Video file]. Retrieved from http://www.youtube.com/watch?v=N7yFQx0Jv54
Microsoft/TechNet (2012, December 10). Active Directory Replication Tools and Settings: Active Directory. Retrieved April 18, 2013, from http://technet.microsoft.com/en-us/library/cc739941(v=ws.10).aspx#w2k3tr_repup_tools_zpun
Microsoft/TechNet (2012, March 1). Replication error 1753 There are no more endpoints available from the endpoint mapper. Retrieved 18, 2013, from http://technet.microsoft.com/en-us/library/replication-error-1753-there-are-no-more-endpoints-available-from-the-endpoint-mapper(WS.10).aspx
Microsoft/TechNet (2012, March 1). Replication error 8456 or 8457 The source | destination server is currently rejecting replication requests. Retrieved April 18, 2013, from http://technet.microsoft.com/en-us/library/replication-error-8456-the-source-server-is-currently-rejecting-replication-requests-or-replication-error-8457-the-destination-server-is-currently-rejecting-replication-requests(WS.10).aspx
Microsoft/Technet (2012, March 1). Replication error 5 Access is denied. Retrieved April 18, 2013, from http://technet.microsoft.com/en-us/library/replication-error-5-access-is-denied(WS.10).aspx
Microsoft/Technet (2012, December 17). Troubleshooting Active Directory Replication Problems: Active Directory. Retrieved April 18, 2013, from http://technet.microsoft.com/en-us/library/cc949120(v=ws.10).aspx
Microsoft (n.d.). Troubleshooting AD Replication error 8614: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime". Retrieved April 18, 2013, from http://support.microsoft.com/kb/2020053
Pyle, N. (2012, August 23). AD Replication Status Tool is Live - Ask the Directory Services Team - Site Home - TechNet Blogs. Retrieved April 18, 2013, from http://blogs.technet.com/b/askds/archive/2012/08/23/ad-replication-status-tool-is-live.aspx