
Configuring and Troubleshooting Active Directory Replication


An Overview of Active Directory Replication

Active Directory is a distributed, multimaster replicated database. Every domain controller hosts a full replica of the domain information for its own domain. Domain controllers in Windows 2000 and Windows Server 2003 environments hold a read/write copy of the Active Directory database, so changes can be made to the database on any domain controller in the environment. Replication is the process that ensures that changes made to a replica on one domain controller are transferred to the replicas on the remaining domain controllers. Whenever an object in Active Directory is created, deleted, moved, or changed, Active Directory replication is triggered.
In Windows 2000 and Windows Server 2003 environments, the types of Active Directory replication that can be defined are:
  • Intrasite Replication: Intrasite replication takes place between domain controllers within the same site. This makes intrasite replication an uncomplicated process. Intrasite replication utilizes the Remote Procedure Call (RPC) protocol to convey replication data over fast, reliable network connections. Replication data within a site is not compressed.
  • Intersite Replication: Intersite replication takes place between sites. Intersite replication can utilize either RPC over IP or SMTP to convey replication data. Intersite replication has to be manually configured. Intersite replication occurs between two domain controllers that are called bridgeheads or bridgehead servers. With intersite replication, packets are compressed to conserve bandwidth.
The information replicated in Active Directory is summarized below:
  • Configuration partition data: Objects stored in the configuration partition describe the domain structure and the replication topology, and are replicated to every domain controller in every domain of the forest.
  • Domain partition data: All objects that are stored in a domain exist in the domain partition. Domain partition data is replicated to the domain controllers within a domain.
  • Schema partition data: Schema partition data describe the objects that can be created in Active Directory and are replicated to every domain controller in the forest.
  • Application partition data: A new feature introduced in Windows Server 2003 is the application partition. Applications and services store data in the application partition.
You can use the Active Directory Sites and Services console to configure intersite replication. Configuring intersite replication typically involves:
  • Renaming the Default-First-Site-Name object
  • Creating site objects and subnet objects
  • Creating site link objects
  • Configuring site link attributes: Site link cost, site link replication frequency, site link replication availability
  • Specifying or designating a preferred bridgehead server (BS)
  • Creating site link bridges
  • Manually creating connection objects

How to rename the Default-First-Site-Name Site (first site object)

It is a good idea to rename the default site object to something that has meaning in your organization. To do this,
  1. Open the Active Directory Sites and Services console.
  2. Right-click Default-First-Site-Name, and select Rename from the shortcut menu.
  3. Proceed to set a meaningful name for the site.

How to create a new site object

  1. Open the Active Directory Sites and Services console.
  2. Right-click the Sites folder and select New Site from the shortcut menu.
  3. When the New Object – Site dialog box opens, enter a name for the site in the Name box.
  4. You can accept DefaultIPSiteLink in the Link Name box.
  5. Click OK.

How to create a new subnet object

  1. Open the Active Directory Sites and Services console.
  2. Right-click the Subnets folder, and select New Subnet from the shortcut menu.
  3. When the New Object – Subnet dialog box opens, in the first section of the dialog box, specify the subnet address and the number of bits in the subnet mask.
  4. In the Select a site object for this subnet section, specify the site object with which this subnet is associated.
  5. Click OK.

How to create a site link

When you create a site link you can specify the transport protocol for replicating data over site links as either IP or SMTP.
  • IP replication is typically selected for a site link when a reliable connection exists between domain controllers in different sites.
  • SMTP replication is normally selected when connections are unreliable and slow.
To create a site link,
  1. Open the Active Directory Sites and Services console.
  2. Open the Sites folder, and then open the Inter-Site Transports folder.
  3. Right-click either the IP folder or the SMTP folder, and choose New Site Link from the shortcut menu.
  4. The New Object-Site Link dialog box opens.
  5. In the Name field, enter a name for the new site link.
  6. In the Sites Not In This Site Link box, select the sites to connect. Click Add.
  7. Click OK.

How to configure site link attributes or properties

Configuring site link attributes involves specifying site link costs, the site link replication frequency, and setting site link replication availability. When you set the site link cost, you are basically defining the cost of the network connection proportionate to the speed of the link. Lower costs are utilized for fast links, while higher costs are associated with slower links. The site link replication frequency can be a number ranging from 15 minutes to 10,080 minutes. Setting site link replication availability involves specifying when a site link is available for replication.
To configure site link attributes,
  1. Open the Active Directory Sites and Services console.
  2. Open the Sites folder, and then open the Inter-Site Transports folder.
  3. Open the IP folder or SMTP folder which contains the site link that you want to configure site link attributes for.
  4. Right-click the particular site link and then select Properties from the shortcut menu.
  5. In the Description box in the General tab of the Properties dialog box for the site, you can enter a description for the site link.
  6. In the Cost box, you can change the default cost for the site link, and assign a cost to the link. The default cost setting is 100.
  7. In the Replicate Every box, you can change the default replication interval. This is basically the number of minutes between replications. The default setting is 180 minutes. The shortest replication interval that can be set is 15 minutes, and the longest interval that can be specified is 10,080 minutes.
  8. Click the Change Schedule button to configure when the site link is available for replication.
  9. When the Schedule dialog box for the site link opens, you can set when the site link is available for replication, or when it is not available for replication.
  10. Click OK to save configuration changes you made in the Schedule dialog box.
  11. Click OK to save changes in the Properties dialog box of the site.

How to configure replication to disregard/ignore schedules

  1. Open the Active Directory Sites and Services console.
  2. Open the Sites folder, and then open the Inter-Site Transports folder.
  3. Right-click the IP folder or SMTP folder and choose Properties from the shortcut menu.
  4. When the Properties dialog box of the folder which you selected opens, click the Ignore Schedules checkbox.
  5. Click OK.

How to add a site to an existing site link

  1. Open the Active Directory Sites and Services console.
  2. Open the Sites folder, and then open the Inter-Site Transports folder.
  3. Open the IP folder or SMTP folder that contains the site link to which the site should be added.
  4. Right-click the particular site link and then select Properties from the shortcut menu.
  5. Use the Sites Not In This Site Link box to select the site that should be added to the site link. Click Add.
  6. Click OK.

How to rename an existing site link

  1. Open the Active Directory Sites and Services console.
  2. Open the Sites folder, and then open the Inter-Site Transports folder.
  3. Open the IP folder or SMTP folder that contains the site link that you want to rename.
  4. Right-click the particular site link and then select Rename from the shortcut menu.
  5. Proceed to set a new name for the site link.

How to designate a preferred bridgehead server (BS)

The Knowledge Consistency Checker (KCC) may select a bridgehead server that is not the best-placed domain controller in a site. In such cases, to improve performance, you can manually designate one or more preferred bridgehead servers.
To designate a preferred BS,
  1. Open the Active Directory Sites and Services console.
  2. In the console tree, expand the Sites folder, expand the site in which you want to create the bridgehead server, and then expand the Servers folder.
  3. Right-click on the particular server, and select Properties from the shortcut menu.
  4. When the Properties dialog box of the server opens, in the Transports available for inter-site transfer section, select the protocol for which the server is to be a bridgehead server. Click Add.
  5. Click OK.

How to disable transitive site links, or automatic bridging

Because site link transitivity is enabled by default, you would typically need to disable it if you want to create site link bridges.
  1. Open the Active Directory Sites and Services console.
  2. Open the Sites folder, and then open the Inter-Site Transports folder.
  3. Right-click either the IP folder or SMTP folder and choose Properties from the shortcut menu.
  4. On the General tab, uncheck the Bridge All Site Links checkbox to disable site link transitivity.
  5. Click OK.

How to create a site link bridge

  1. Open the Active Directory Sites and Services console.
  2. Open the Sites folder, and then open the Inter-Site Transports folder.
  3. Right-click either the IP folder or SMTP folder and choose New Site Link Bridge from the shortcut menu.
  4. The New Object-Site Link Bridge dialog box opens.
  5. Enter a name for the new site link bridge in the Name field.
  6. Use the Site links not in this bridge box to select two or more sites to connect. Click Add.
  7. Click OK.
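The intersite configuration steps above (rename the default site, create a site and subnets, create an IP site link with its cost and interval, restrict its schedule, designate a preferred bridgehead, turn off automatic bridging and create a site link bridge) as an added PowerShell example; this is not code from the original post, it assumes the ActiveDirectory module of Windows Server 2012 or later (these cmdlets do not exist on Windows 2000/2003), and every site, subnet, link and server name in it is a constructed placeholder.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module
# (Windows Server 2012 or later) and Enterprise Admins rights; all names are placeholders.
Import-Module ActiveDirectory
$configNc      = (Get-ADRootDSE).configurationNamingContext
$ipTransportDn = "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNc"

# 1. Rename Default-First-Site-Name to something meaningful.
$default = Get-ADReplicationSite -Identity 'Default-First-Site-Name' -ErrorAction SilentlyContinue
if ($default) { Rename-ADObject -Identity $default.DistinguishedName -NewName 'HQ-London' }

# 2. Sites and the subnets that map DC and client addresses to them.
New-ADReplicationSite -Name 'Branch-Leeds'
New-ADReplicationSite -Name 'Branch-Manchester'
New-ADReplicationSubnet -Name '10.10.0.0/16' -Site 'HQ-London'
New-ADReplicationSubnet -Name '10.20.0.0/24' -Site 'Branch-Leeds'
New-ADReplicationSubnet -Name '10.30.0.0/24' -Site 'Branch-Manchester'

# 3. IP site links. Lower cost wins when several paths exist (post default 100); the interval is
#    15..10080 minutes (post default 180). IP is chosen because SMTP cannot carry the domain partition.
New-ADReplicationSiteLink -Name 'HQ-Leeds' -SitesIncluded 'HQ-London', 'Branch-Leeds' `
    -InterSiteTransportProtocol IP -Cost 50 -ReplicationFrequencyInMinutes 30
New-ADReplicationSiteLink -Name 'Leeds-Manchester' -SitesIncluded 'Branch-Leeds', 'Branch-Manchester' `
    -InterSiteTransportProtocol IP -Cost 100 -ReplicationFrequencyInMinutes 60

# 4. Availability schedule (the Change Schedule button): replicate only outside 08:00-18:00.
#    RawSchedule is [day 0..6, hour 0..23, quarter-hour 0..3]; $true means the link is available.
$raw = New-Object 'bool[,,]' 7, 24, 4
for ($d = 0; $d -lt 7; $d++) {
    for ($h = 0; $h -lt 24; $h++) {
        $open = ($h -lt 8) -or ($h -ge 18)
        for ($q = 0; $q -lt 4; $q++) { $raw[$d, $h, $q] = $open }
    }
}
$schedule = New-Object System.DirectoryServices.ActiveDirectory.ActiveDirectorySchedule
$schedule.RawSchedule = $raw
Set-ADReplicationSiteLink -Identity 'HQ-Leeds' -ReplicationSchedule $schedule

# 5. Preferred bridgehead for IP: the server object's bridgeheadTransportList names the transport.
#    Pick a well-connected DC; if every preferred bridgehead in a site is down, intersite replication stalls.
$server = Get-ADObject -Filter "objectClass -eq 'server' -and Name -eq 'DC1'" -SearchBase "CN=Sites,$configNc"
Set-ADObject -Identity $server -Add @{ bridgeheadTransportList = $ipTransportDn }

# 6. Untick "Bridge all site links" (bit 0x2 of the IP transport's options attribute), so only
#    explicit site link bridges are transitive, then create one bridge over the two links.
$transport = Get-ADObject -Identity $ipTransportDn -Properties options
$options   = [int]($transport.options) -bor 0x2
Set-ADObject -Identity $ipTransportDn -Replace @{ options = $options }
New-ADReplicationSiteLinkBridge -Name 'HQ-Leeds-Manchester' `
    -SiteLinksIncluded 'HQ-Leeds', 'Leeds-Manchester' -InterSiteTransportProtocol IP
```

Run it once from an elevated session on a domain controller; rerunning it fails on the New-* calls because the objects already exist.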

How to manually create and configure a connection object

Connection objects in Active Directory are automatically created by the KCC. You can, however, manually create connection objects to customize the topology of the network, or to decrease the number of hops from one domain controller to another particular domain controller. When connection objects are created by the KCC, they are automatically removed by the KCC when the replication topology changes. Connection objects that are manually created are not removed when the replication topology changes; you have to remove these connection objects manually.
To manually create and configure connection objects,
  1. Open the Active Directory Sites and Services console.
  2. In the console tree, expand the Sites folder, expand the site in which you want to create the connection object, and then expand the Servers folder.
  3. Select the particular server that you want to enable the connection for.
  4. Right-click NTDS Settings and select New Active Directory Connection from the shortcut menu.
  5. When the Find Domain Controllers dialog box opens, choose the domain controller. Click OK.
  6. When the New Object-Connection dialog box opens, enter a name for the connection object. Click OK.
  7. Proceed to right-click the connection that you have just created in the details pane and select Properties from the shortcut menu.
  8. When the Properties dialog box of the connection object opens, in the Description field, provide a description for the new connection object.
  9. In the Transport drop down list, verify that RPC is specified as the transport protocol.
  10. If you want to modify the default schedule for intrasite replication, click the Change Schedule button.
  11. When the Schedule dialog box for the connection object opens, set the appropriate replication frequency and click OK.
  12. Click OK to save changes made in the Properties dialog box of the connection object.

How to manually force immediate replication

  1. Open the Active Directory Sites and Services console.
  2. In the console tree, expand the Sites folder, expand the site that Active Directory has to replicate to and then expand the name of the server to use for replication.
  3. Click NTDS Settings to display the inbound connection objects of the server in the right pane.
  4. Right-click the server that you want to replicate from and click Replicate Now from the shortcut menu.

Troubleshooting Active Directory Replication

Although domain controllers generally automatically manage the replication process, there are instances when incorrect configuration settings or troublesome network connections can prevent Active Directory information from being replicated between domain controllers. There are quite a few mechanisms that can be used to monitor and troubleshoot the Active Directory replication process.
The tools available are:
  • Active Directory Replication Monitor (Replmon.exe).
  • Replication Diagnostics Tool (Repadmin.exe).
  • The Dsastat.exe command-line tool.
  • You can also configure Active Directory event logging.
A few common methods that you can use to monitor or troubleshoot Active Directory replication are summarized below:
  • Verify network connectivity in your environment: When Active Directory replication has stopped, verify your existing network connections. For replication to occur, your domain controllers have to be connected by working network links. Using high speed links typically improves replication performance.
  • Verify site links: In order for domain controllers in different sites to exchange Active Directory data or information, you have to configure the appropriate site links. When replication is not occurring between sites, verify that a site link object does link the current site to a site which is connected to the remainder of the sites of the network.
  • Verify the replication topology: You can use the Active Directory Sites and Services console to check that your replication topology is reliable and consistent. Errors are displayed in a dialog box in the console.
  • Manually verify that Active Directory information has been synchronized: You should verify on a regular basis that information is synchronized between domain controllers within domains.
  • When replication errors are encountered, check the Directory Service event log in Event Viewer. Active Directory replication errors are written to the Directory Service event log.
There may be instances when Active Directory replication is quite slow. A few methods of correcting this problem are summarized below:
  • Having no site link bridge can result in Active Directory information taking quite a while to be replicated between domain controllers. You can create a site link bridge or you can bridge all sites. This is typically necessary when there are only site links in your network, but no site link bridges.
  • If the intersite replication frequency is set too low (that is, the replication interval is too long), you may experience large delays between when changes are made on one domain controller and when they are replicated to a domain controller in a different site. To fix this problem, consider changing the replication frequency setting.
  • When your existing network resources are unable to cope with the quantity of traffic being generated by Active Directory replication consider the following:
    • If realistic, modify the setting of the replication frequency.
    • If feasible, configure additional resources for Active Directory replication.
    • Create site links.
    • Create site link bridges.

How to use Active Directory Replication Monitor to monitor/troubleshoot replication

Replication Monitor (Replmon) is a graphical management tool included in the Windows Support Tools. In order to open and use Replmon, the Windows Support Tools must be installed on the computer you run it from. The computer can be a domain controller, member server, member workstation or stand-alone computer. Replication Monitor can be used to perform the following activities:
  • View the replication topology or replication information in a highly useful graphical format.
  • Determine whether domain controllers are replicating Active Directory information correctly.
  • Determine the status of Active Directory replication.
  • Manually force replication between domain controllers.
The information displayed in the main Replication Monitor window is listed below:
  • Naming contexts: All the naming contexts that a server contains are displayed here.
  • Replication partners: Each naming context shows the inbound replication partners for that particular naming context.
  • Server icons: Server icons enable you to determine information at a glance.
  • Log entries: The replication log entries for the connection are displayed in the right pane.
Once you have specified a domain controller for monitoring, you can set view options to suit your needs. To specify view options, open Replication Monitor, and select Options from the View menu. The options that can be selected on the General tab are:
  • Show Retired Replication Partners.
  • Show Transitive Replication Partners and Extended Data.
  • Notify When Replication Fails After This Number Of Attempts.
  • Log Files: Settings under Log Files are used to change the default location for the log files.
  • Enable Debug Logging: This setting relates to debugging Replmon.
The Replmon replica synchronization options that can be selected are listed below. These options can be configured by right-clicking a monitored server object, and then selecting Synchronize Each Directory Partition with All Servers. The synchronization options that you can select are:
  • Disable Transitive Replication: This option can be selected if you want to troubleshoot a failed replication process to a particular domain controller, and you want to manually start the replication process.
  • Push Mode: When enabled, replication runs in push mode and the Directory Replication Agent (DRA) no longer pulls updates.
  • Cross Site Boundaries: When enabled, you can start intersite replication for RPC connections only.

How to start Replication Monitor

Remember that you first have to install Replication Monitor.
  1. Click Start, Windows Support Tools, Command Prompt and enter replmon.exe.
  2. When the Replication Monitor opens, in the console tree, right-click Monitored Servers and select Add Monitored Server from the shortcut menu.
  3. The Add Monitored Server Wizard now starts.
  4. Select the Add The Server Explicitly By Name option. Click Next.
  5. In the Add Server To Monitor page, use the Enter The Name Of The Server To Monitor Explicitly box to specify the name of the server that should be monitored.
  6. Click Finish.
  7. The server that you specified for monitoring is now displayed in the console tree.

How to synchronize the Active Directory directory partition

Domain controllers that are indicated for a directory partition are regarded as source servers. Source servers can be a Direct Replication Partner, a Transitive Replication Partner or a Bridge Head Connection.
To synchronize the directory partition,
  1. Open Replication Monitor.
  2. Right-click the direct replication partner and then choose Synchronize Replica from the shortcut menu.
  3. Replication Monitor now starts the replication process and reports on the status of replication as well.

How to use the Replication Diagnostics Tool to monitor/troubleshoot Active Directory replication

The Replication Diagnostics Tool (Repadmin) is a command-line interface that can be quite useful when troubleshooting Active Directory replication. Through Repadmin, you can perform the following:
  • View the replication topology.
  • View replication metadata.
  • Determine the status/validity of Active Directory information on each domain controller.
  • Force replication between domain controllers.
  • Manually create the replication topology.
The online help shows the syntax for the options and switches of Repadmin. Run repadmin /? for online help. If you want to determine the status of the KCC for replication, run repadmin /kcc. If you want to determine what the replication result was for the last replication process performed, run repadmin /showreps. If you are running Windows Server 2003, Repadmin offers a few additional functions that can be performed. To view these, run repadmin /experthelp.
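An added PowerShell example, not code from the original post, that parses the CSV form of the replication status report Repadmin produces (repadmin /showrepl /csv, the same report the post calls /showreps; the /csv switch needs Windows Server 2003 SP1 or later) and lists every inbound partner that has accumulated failures or has not replicated successfully within a given window, then forces replication for one partner the way Replicate Now does. The CSV rows embedded below are constructed sample data with placeholder DC names, and the four status descriptions are the standard Win32/DS error codes.

```powershell
# Added example (not from the original post). Parses: repadmin /showrepl * /csv
# Column names are the ones repadmin writes in its CSV header.
$KnownStatus = @{
    1722 = 'The RPC server is unavailable (firewall, DNS or RPC endpoint problem)'
    1256 = 'The remote system is not available'
    8453 = 'Replication access was denied'
    8524 = 'DNS lookup failure for the source DSA'
}

function Get-ReplicationProblem {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,   # lines from repadmin /showrepl * /csv
        [int]$MaxHoursSinceSuccess = 24,
        [datetime]$Now = (Get-Date)                  # injectable so fixed sample data is testable
    )
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        # showrepl_ERROR rows mean the destination DC itself could not be queried at all.
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            [pscustomobject]@{ Destination = $row.'Destination DSA'; Source = '(DC not reachable)'
                               Partition = ''; Failures = $null; HoursSinceSuccess = $null
                               Reason = "$($row.showrepl_COLUMNS): check RPC/DNS to this DC" }
            continue
        }
        $failures = [int]$row.'Number of Failures'
        $lastOk   = [datetime]::MinValue
        $hours    = $null
        if ([datetime]::TryParse($row.'Last Success Time', [ref]$lastOk)) {
            $hours = [math]::Round(($Now - $lastOk).TotalHours, 1)
        }
        $stale = ($null -eq $hours) -or ($hours -gt $MaxHoursSinceSuccess)
        if ($failures -eq 0 -and -not $stale) { continue }   # healthy partner, nothing to report
        $code = [int]$row.'Last Failure Status'
        [pscustomobject]@{
            Destination       = "$($row.'Destination DSA Site')\$($row.'Destination DSA')"
            Source            = "$($row.'Source DSA Site')\$($row.'Source DSA')"
            Partition         = $row.'Naming Context'
            Failures          = $failures
            HoursSinceSuccess = $hours
            Reason            = if ($KnownStatus[$code]) { "$code $($KnownStatus[$code])" }
                                elseif ($code) { "status $code" } else { 'no recent success' }
        }
    }
}

function Invoke-ForcedReplication {
    # Equivalent of Replicate Now: pull one naming context from Source into Destination.
    param([Parameter(Mandatory)][string]$Destination,
          [Parameter(Mandatory)][string]$Source,
          [Parameter(Mandatory)][string]$NamingContext)
    repadmin /replicate $Destination $Source $NamingContext
}

# Constructed sample in the layout repadmin emits (placeholder names, DC=example,DC=test).
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status'
    'showrepl_INFO,HQ-London,DC1,"DC=example,DC=test",HQ-London,DC2,RPC,0,0,2024-03-01 10:15:22,0'
    'showrepl_INFO,HQ-London,DC1,"DC=example,DC=test",Branch-Leeds,DC3,RPC,12,2024-03-01 09:50:10,2024-02-20 23:01:40,1722'
)
# Only the DC3 partner is reported: 12 failures, status 1722, last success over nine days old.
Get-ReplicationProblem -CsvLines $sample -Now '2024-03-01 12:00:00' | Format-Table -AutoSize

# Live use on a domain controller:
# Get-ReplicationProblem -CsvLines (repadmin /showrepl * /csv) | Format-Table -AutoSize
# Invoke-ForcedReplication -Destination DC1 -Source DC3 -NamingContext 'DC=example,DC=test'
```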

How to configure Active Directory event logging

You can also configure Active Directory event logging. A few key events that can be specified for event logging are listed below:
  • Directory access.
  • Internal configuration.
  • Internal processing.
  • Intersite messaging.
  • KCC.
  • MAPI events.
  • Replication events.
  • Security events.
You can set one of the following logging levels for an event:
  • 0 – None
  • 1 – Minimal
  • 2 – Basic
  • 3 – Extensive
  • 4 – Verbose
  • 5 – Internal

How to enable Active Directory event logging

  1. Click Start, Run and enter regedit in the Run dialog box. Click OK.
  2. This opens the Registry Editor.
  3. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics registry key.
  4. The entries that are displayed in the right pane are the types of events that can be logged. The default logging level for each entry is 0 – None.
  5. Open the entry for each type of event that you want to log by double-clicking it.
  6. In the Value data box of each entry, enter the logging level.
  7. Click OK.
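The registry procedure above as an added PowerShell example (not code from the original post): it reads and sets the NTDS\Diagnostics logging levels with the 0 to 5 range enforced and the entry name checked against the key, then pulls the newest warnings and errors from the Directory Service log, which is where the troubleshooting section says replication errors are written. It assumes '5 Replication Events' is the value name shown in the key on a domain controller; any other entry name should be read from the key itself, as step 4 describes.

```powershell
# Added example (not from the original post). Run elevated on a domain controller.
$NtdsDiag  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$LevelName = @{ 0 = 'None'; 1 = 'Minimal'; 2 = 'Basic'; 3 = 'Extensive'; 4 = 'Verbose'; 5 = 'Internal' }

function Get-NtdsDiagnosticLevel {
    # One object per event type, with the numeric level and its meaning.
    $key = Get-Item -Path $NtdsDiag
    foreach ($name in $key.GetValueNames()) {
        $level = [int]$key.GetValue($name)
        [pscustomobject]@{ Entry = $name; Level = $level; Meaning = $LevelName[$level] }
    }
}

function Set-NtdsDiagnosticLevel {
    param(
        [Parameter(Mandatory)][string]$Entry,
        [Parameter(Mandatory)][ValidateRange(0, 5)][int]$Level
    )
    # Only touch entries that already exist: a misspelt name would silently create an unused value.
    $known = (Get-Item -Path $NtdsDiag).GetValueNames()
    if ($known -notcontains $Entry) {
        throw "Unknown diagnostics entry '$Entry'. Entries present: $($known -join ', ')"
    }
    if ($Level -ge 4) {
        Write-Warning "Level $Level ($($LevelName[$Level])) can flood the Directory Service log; set it back to 0 when done."
    }
    Set-ItemProperty -Path $NtdsDiag -Name $Entry -Value $Level -Type DWord
    Get-NtdsDiagnosticLevel | Where-Object Entry -eq $Entry     # read back to confirm the change
}

function Get-DirectoryServiceProblem {
    # Newest Critical (1), Error (2) and Warning (3) events from the Directory Service log.
    param([int]$Newest = 25)
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Level = 1, 2, 3 } -MaxEvents $Newest |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line of the message only
}

# Usage: raise replication event logging to Extensive, then look at what the DC reports.
Set-NtdsDiagnosticLevel -Entry '5 Replication Events' -Level 3
Get-DirectoryServiceProblem | Format-Table -AutoSize
```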

How to use Dsastat.exe to monitor/troubleshoot Active Directory replication

You can use Dsastat.exe to compare the attributes of replicated objects and to determine differences between directory partitions hosted by domain controllers. Dsastat.exe uses statistics such as objects per server, and megabytes per server to determine what the differences are in Active Directory information between domain controllers.
The syntax for Dsastat is:
dsastat [/loglevel:option] [/output:option] [/s:servername[portnumber][;servername[portnumber];…]] [/t:option] [/sort:option] [/p:entrynumber] [/scope:option] [/b:searchpath] [/filter:ldapfilter] [/gcattrs:option[;option;...]] [/u:username] [/pwd:password] [/d:domain]
  • /loglevel:option, indicates the type of logging. A value of Info, Trace or Debug can be specified.
  • /output:option, indicates how results will be displayed. A value of Screen, File or both of these can be specified.
  • /s:servername[portnumber][;servername[portnumber];…], for defining the server names that are to be included in the comparison by Dsastat.exe.
  • /t:option, for setting whether a statistics comparison or a full-content comparison should be performed. Values that can be set are True for statistics comparison, and False for full-content comparison.
  • /sort:option, for setting whether sorted queries should be performed or not. Values are True for sorted queries to be performed, and False for specifying that sorted queries should not be performed.
  • /p:pagesize, for specifying the number of entries that should be returned on a page. With a default value of 64, you can specify any value from 1 – 999.
  • /scope:option, for setting what the search should include. Values that can be set are Base, Onelevel, Sub-tree.
  • /b:searchpath, for specifying the distinguished name of the base search path.
  • /filter:ldapfilter, for specifying the LDAP filter that should be used.
  • /gcattrs:option[;option;...], for indicating what attributes should be returned. Values that can be set are all, LDAPattributes, ObjectClass, auto.
  • /u:username, for setting the username that should be used for the search.
  • /pwd:password, the password associated with the above username.
  • /d:domain, the domain that should be used to validate the username/password.
Cheers :)
Jagadeesh
