Report and Edit AD Site Links From PowerShell (Turbo Your AD Replication)

AD Replication in TRON terms

“The Grid. A digital frontier. I tried to picture clusters of information as they moved through the computer. What did they look like? Ships, motorcycles? Were the circuits like freeways? I kept dreaming of a world I thought I'd never see. And then, one day... I got in!” (Kevin Flynn, Tron Legacy)

Imagine Kevin Flynn as an AD admin. He would speak of AD replication, sites, and site links in terms of virtual vehicles. We could imagine high speed intra-site replication as light cycles and long-haul WAN link replication as a solar sailer. Back in Kevin’s day link speeds were nowhere near the bandwidth we have now.

Back then

Some of us implemented Active Directory shortly after release in the year 2000. Back then we had truly slow links. While those still exist in pockets today, most of our bandwidth has been seriously upgraded. Microsoft’s replication best practices have been upgraded as well.  Here is a somewhat dated article guiding you to “calculate a relative cost factor by dividing 1024 by the log of the available bandwidth as measured in Kbps”. Really? Some folks took this very seriously. Others of us didn’t like math and used round numbers like 100 for site link costs. And that is what we prefer in the field today. Link speeds for AD are really more about available bandwidth than total bandwidth anyway.

Fast forward to today

Active Directory site links have three key attributes governing efficiency: schedule, cost, and interval. They also have a feature called “change notification” that is not exposed in the GUI. The table below summarizes defaults versus today’s recommended practices:

  Default Recommendation
Schedule 24 x 7 24 x 7
Cost 100 100 *
Interval 180 minutes 15 minutes
Change Notification Disabled Enabled *

* Tweaked as appropriate.

Many companies have upgraded bandwidth without updating AD replication topology. If it has been a while since you reviewed your AD site link topology, then today is the day. For starters, you can download the recently-updated Microsoft Active Directory Topology Diagrammer. This free tool will draw a Visio diagram of your sites and links. I use this all of the time as an audit tool to make sure that the site topology actually implemented matches the intended design.

Enter PowerShell

Next you can use the PowerShell one-liner below to create a quick report of your site links and relevant settings (after typing Import-Module ActiveDirectory):

Get-ADObject -Filter 'objectClass -eq "siteLink"' -Searchbase (Get-ADRootDSE).ConfigurationNamingContext -Property Options, Cost, ReplInterval, SiteList, Schedule | Select-Object Name, @{Name="SiteCount";Expression={$_.SiteList.Count}}, Cost, ReplInterval, @{Name="Schedule";Expression={If($_.Schedule){If(($_.Schedule -Join " ").Contains("240")){"NonDefault"}Else{"24x7"}}Else{"24x7"}}}, Options | Format-Table * -AutoSize

Author’s note: This one-liner got a little out of hand, because I had to account for the Schedule attribute either being blank (24x7) or non-blank (custom). However, if you set the schedule back to 24x7 after it was custom, then you have a non-blank value indicating 24x7. A quick way to distinguish the two non-blank values is that the number 240 will be present in the data if replication has been disabled for any block on the schedule.

Sample report output:

Name SiteCount Cost ReplInterval Schedule Options
---- --------- ---- ------------ -------- -------
Hub-Branch1 2 100 15 24x7
Hub-Branch2 2 100 15 24x7 5
Hub-Branch3 2 150 45 NonDefault
Hub-DR 2 50 15 24x7 1

As you look at the output do you find any oddball costs? Are any intervals over 15 minutes? Is the Options attribute blank or 1? Are any site counts not equal to 2? Are any schedules non-default? Any surprises? It may be time to turbo your site link settings from solar sailer to light cycle.

Here is what I would check for in this output:

Name Is there a consistent naming convention? Suggestion: “HubName-SpokeName”.
SiteCount We recommend that most site links should only contain two sites. Consider splitting multi-site-links into individual two-site links. It won’t hurt anything to have more than two in a link, but that should be the exception. If you see a SiteCount of 1, then that is likely an orphaned site link that can be deleted.
Cost Use round numbers like 50, 100, 150, 200 for costs to make the math easier at a glance. Use the default site link cost of 100 for most links, and then tweak it down to 50 between hub sites and up to 150 for those really slow links.
ReplInterval 180 is the default. 15 is the recommendation. Contrary to popular opinion you actually want to use lower intervals on slow links for several reasons. The amount of data transfer is the same, and long intervals cause a larger bandwidth spike. If a replication cycle fails, then a short interval means that the site won’t have to wait so long for the next retry.
Schedule These days I rarely find companies using custom schedules. Consider using the 24x7 schedule unless you have a compelling network justification.
Options This value will likely be either blank or "1" or "5". If it is blank, then change notification is not enabled. If "1" or an odd number then it is enabled. Consider using change notification if you have plenty of available bandwidth for the sitelink.

Kick in the turbo

In order to convert your replication Solar Sailer into a Light Cycle you should do two things:

  1. Drop all site link intervals to 15 minutes.
  2. Enable change notification on all site links.

If you have any intervals over 15 minutes can you really justify them? If not, I would recommend dropping them to the minimum value of 15 minutes. Enabling change notification treats an INTER-site replication connection like an INTRA-site connection. Replication between sites with change notification is almost instant. For example, if your site topology is three hops long, then you can take your AD convergence time from a maximum of 45 minutes down to less than 2 minutes. Then when the helpdesk resets a password or updates a group membership the user doesn’t have to wait 30 minutes for replication! Enable change notification on any links that have good available bandwidth, especially between your hub sites.

Where do I enable change notification?

Like I said earlier you will not find a checkbox for change notification in the site link GUI. Normally you have to navigate through ADSIEDIT or use the Attribute Editor tab in 2008. Site links are stored in the Configuration partition of the AD database here:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com

Here you will find a list of siteLink class objects. Look at the properties of a site link and you will see an attribute called options. 99.9% of the time this attribute is empty. To really understand what this attribute does you can read the Active Directory Technical Specification (available in HTML or PDF). It is defined here:  7.1.1.2.2.3.3 Site Link Object. You will find that the options attribute is a bit switch with three settings:

  • UN (NTDSSITELINK_OPT_USE_NOTIFY, 0x00000001): If present, enables replication notifications … between DCs in different sites in the siteList.
  • TS (NTDSSITELINK_OPT_TWOWAY_SYNC, 0x00000002): If present, forces a replication cycle in the opposite direction at the end of a replication cycle between DCs in different sites in the siteList.
  • DC (NTDSSITELINK_OPT_DISABLE_COMPRESSION, 0x00000004): If present, disables compression of the implemented server-to-server replication protocol response messages sent between DCs in different sites in the siteList.

To enable change notification we set the options attribute to 1. If there is already a value assigned, then we make it an odd number by adding 1 to it, representing the first bit. This setting takes effect after the next KCC run (within 15 minutes, no reboots or service restarts required). A better recommendation is to set options to 5 (1 + 4); this enabled change notification and disables compression of the traffic. This is better, because the compression activity burns CPU cycles on the bridgeheads. By disabling the compression we reduce the load on the DCs.

Now your DC changes notify the DC bridgehead in the next site on the intrasite notification schedule (15 seconds/3 seconds) instead of waiting 15 minutes. How cool is that!

Author's note: Use care when enabling change notification, especially in large environments. If the bridgeheads in the hub sites have too many connections with change notification it could cause performance issues. Consider limiting change notification to hub-hub and hub-DR site links in those cases.

Afterall this is a PowerShell blog, so let’s get to the good part. I’ve taken you down this long-winded path for a big finish with another one-liner. This code uses the power of the pipeline to send a GET into a SET. We can use PowerShell to set the cost, interval, and change notification (or any combination of those attributes) of all site links at once.

Get-ADObject -Filter 'objectClass -eq "siteLink"' -SearchBase (Get-ADRootDSE).ConfigurationNamingContext | Set-ADObject -Replace @{Cost=100;ReplInterval=15;Options=5}

The above line of PowerShell will set all site links to cost of 100, interval of 15, and enable change notification. If you don’t want all of those attributes set, simply remove the attributes and values you don’t want from the end of the line. For example, this version would only change the interval to 15 minutes on all site links:

Get-ADObject -Filter 'objectClass -eq "siteLink"' -SearchBase (Get-ADRootDSE).ConfigurationNamingContext | Set-ADObject -Replace @{ReplInterval=15}

If you want to narrow the impact, then edit the Filter switch to grab a single site link or match a wildcard on the name. Like this:

Get-ADObject -Filter 'objectClass -eq "siteLink" –and name –like "*foo*"' -SearchBase (Get-ADRootDSE).ConfigurationNamingContext | Set-ADObject -Replace @{Options=5}

This one-liner will reset all site link schedules to 24x7:

Get-ADObject -Filter 'objectClass -eq "siteLink" –and schedule -like "*"' -SearchBase (Get-ADRootDSE).ConfigurationNamingContext | Set-ADObject -Clear Schedule

After running these updates go back and use the one-liner at the beginning of the article to validate your changes.

Conclusion

Hopefully this post has inspired you to revisit your replication topology and site links. You've got the bandwidth. Why not leverage it? Now go take your light cycle for a victory lap.

.end of line

# ><>

Site_Link_One_Liners.p-s-1.txt