
Monitoring and troubleshooting Active Directory replication using Repadmin

Microsoft Corporation

Originally Published: September 2008

Update Published: March 2010

Abstract

This document describes how to use Repadmin.exe to monitor, diagnose, and troubleshoot the most common replication problems that organizations might experience in their Active Directory® environments. All the information in this document applies to computers running the Microsoft® Windows® 2000 Server, Windows Server® 2003, Windows Server® 2008, and Windows Server® 2008 R2 operating systems.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2010 Microsoft Corporation. All rights reserved.

Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Monitoring and Troubleshooting Active Directory Replication Using Repadmin
    Publication and revision history
Repadmin Introduction and Technology Overview
    Active Directory replication dependencies
    Glossary of replication terms
    Glossary of other replication-related terms
Repadmin Requirements, Syntax, and Parameter Descriptions
    System requirements
    File requirements
    Repadmin command-line options
        Syntax
        Parameters
    Repadmin subcommands
    Repadmin /listhelp
    CSV format
Repadmin Usage Scenarios
Monitor Forest-Wide Replication
    Syntax
    Simple usage of repadmin /replsummary
    How to interpret the output
    How to make more sense of some of the fields
    Common factors that influence the largest delta field
    Where do REPADMIN /REPLSUMMARY read replication status information?
    Wild card and other parameter usage
    Replsummary reporting failures
Display Replication Partners and Status of a Domain Controller
    Syntax
    Show replication partners and replication status
    Using repadmin /showrepl to display detailed and precise information
    High-watermark value
    Showing outbound neighbors
    Some of the repadmin /showrepl Error Messages and their root cause
        No inbound neighbors
        Active Directory replication has been preempted
        Last attempt @ never was successful
        Access denied
Replication Latency
    Syntax
    How to interpret the data
    How to interpret the data
    Display the latency only for the domain partition
View Replication Metadata of an Object
    Syntax
    Example 1: Metadata of a group object
    Example 2: Comparing replication metadata of a user object between two domain controllers
Display the Attributes of a Specific Object
    Syntax
    Example: Display select attributes
How Up to Date Are My Domain Controllers?
    Syntax
    Example: Checking replication latency on the BRANCH3 domain controller
    Example: Comparing how up-to-date other domain controllers in the enterprise are with respect to the OriginatingUSN
    Example: Further investigation from the perspective of the BRANCH2 domain controller
Can I Look at My Connection Objects and Schedule Details?
    Syntax
    Example: Simple usage of /showconn
Fine-Tuning Change Notification Values
    Syntax
    Example 1: Displaying the default notification delay on the ForestDnsZones partition
    Example 2: Changing the defaults to 300/30 on the ForestDnsZones
Forcing Replication
    Replicate a single object between two domain controllers
        Syntax
        Example: Replicate a single object between all the branch domain controllers by using wild card character
    Force a replication event between two partners
        Syntax1
        Syntax2
        Example: replicate in domain partition between two specific partners
    Force a replication event with all partners
        Syntax
        Example 1: Synchronizing Configuration Partition within the site
        Example 2: Crossing site boundaries and other features
Keeping Track of Changes That Have Occurred Over a Period of Time
    Syntax1
    Syntax2
    Example: Compare changes occurred to configuration partition over a period of time
    How to interpret the data
    Display changes not replicated between two partners
        Example: Display pending replication changes (config partition) between two replication partners
        Example: Usage of a filter
        Example: listing only the summary as opposed to individual changes
Usage of Repadmin When Troubleshooting Event ID 1311
    Determine if site link bridging is turned on
    Detect preferred bridgeheads
    Verify inter-site cost matrix and orphaned sites
        Syntax
        Example: Display inter-site cost matrix
        How to interpret the data
    Repadmin /failcache
        Syntax
        Example: Display replication failures that KCC is aware of
        Example: Output when there are no failures
    Repadmin /KCC
        Syntax
        Example 1: Running the KCC on the local domain controller
        Example 2: Running the KCC against the ISTG of the HUB site
        Example 3: Running the KCC against all the global catalog servers in the forest
        Example 4: Running the KCC against all the domain controllers in the BRANCH2 site
    Repadmin /ISTG
        Syntax
        Example: Display ISTGs in my environment
    Repadmin /querysites
        Syntax
        Example 1: Display cost between BRANCH1 and HUB
        Example 2: Display cost between BRANCH1 and BRANCH2
        Example 3: Display cost between BRANCH1 and Branch2
    Repadmin /queue
        Syntax
        Example: Display the queue length against the local domain controller
        Example: Queue contains one item
    Repadmin /bridgeheads
        Syntax
        Example 1: Repadmin /bridgeheads rootdns
        Example 2: Repadmin /bridgeheads rootdns /verbose
        How to interpret the data
    Repadmin /showmsg
        Syntax
        Example: Display the error message for the win32error 1722 and DS event ID 1404
    Repadmin /viewlist
        Syntax
        Example 1: Display all the DCs in the forest
        Example 2: Display all the Group Policy objects in the domain directory partition for the domain of the domain controller that repadmin is running against
    Open sessions with the domain controller
        Syntax
        Example: Show open sessions with a DSA
Subcommands Not Covered Under the Previous Scenarios
    Display replication features
        Syntax
        Example: Display replication features on the local domain controller, which is running Windows Server 2003
    Server object GUID (DSA GUID) & Database GUID
        Syntax
        Example: Display the domain controller name when given a GUID
    Certificates loaded on a domain controller
        Syntax
    Retired Application partition GUIDs (signature)
        Syntax
        Example: Display the recently retired ForestDnsZone application directory partition on the local domain controller
    Unanswered replication calls
        Syntax
        Example: Hub domain controller waiting for the request to be answered from a spoke domain controller
    showproxy
        Syntax1
        Syntax2
    Retired Database GUIDs (signature)
        Syntax
        Example 1: Simple usage of no retired signatures
        Example 2: Simple usage of retired signature
    Convert directory service time to readable time
        Syntax
        Example 1: Usage with directory service time format
        Example 2: Current system time
    Active Directory domains trusted by domain controller
        Syntax
        Example: Display Active Directory domains that are trusted by the domain of the local domain controller
    Linked Distinguished Name values
        Syntax
        Example: Display members of the Domain Admins group
Oldhelp
    sync
        Syntax
    propcheck
        Syntax
    getchanges
        Syntax1
        Syntax2
    showreps
        Syntax
    showvector
        Syntax
    showmeta
        Syntax
Administer Passwords and Password Replication Policy for Read-Only Domain Controllers with Repadmin.exe
    repadmin /prp
        Syntax
        Operations
            Add
                Syntax
                Additional parameters
            Delete
                Syntax
                Additional parameters
            Move
                Syntax
                Additional parameters
            View
                Syntax
                Additional parameters
        Example 1: View the PRP of an RODC
        Example 2: View accounts that an RODC has authenticated
        Example 3: Clear the list of authenticated accounts
        Example 4: Configure the PRP
        Example 5: Move accounts that an RODC has authenticated to the Allowed RODC Password Replication Policy Group
        Example 6: View accounts with cached passwords on an RODC
    repadmin /rodcpwdrepl
        Syntax
        Example
Repadmin for Experts
    Add, Modify, or Delete replication links
        Syntax
    Add, Modify, or Delete outbound replication partners
        Syntax
    Hosting and unhosting read-only partitions
        Syntax
    Detecting and removing lingering objects
        Strict and loose replication consistency
            Syntax
    Advanced domain controller options
        Syntax
    Advanced site options
        Syntax
    Miscellaneous

Monitoring and Troubleshooting Active Directory Replication Using Repadmin

This document describes how to use the Repadmin.exe tool to monitor, diagnose, and troubleshoot common replication problems in your Active Directory® environment. All the information in this document applies to computers running the Microsoft® Windows® 2000 Server and Windows Server® 2003 operating systems. This document includes the following topics:

Repadmin Introduction and Technology Overview

Repadmin Requirements, Syntax, and Parameter Descriptions

Repadmin Usage Scenarios

Repadmin for Experts

To obtain a copy of this guide in .doc file format, see Troubleshooting replication with repadmin on the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkID=129020).

Publication and revision history

The following table summarizes the revision history for this guide, including its original publication on Microsoft TechNet.

Date         Revision
June 2008    Original publication on TechNet.
March 2010   Updated with new commands for managing read-only domain controllers in Windows Server 2008 and Windows Server 2008 R2. For more information, see Administer Passwords and Password Replication Policy for Read-Only Domain Controllers with Repadmin.exe.

Repadmin Introduction and Technology Overview

Repadmin.exe is a command-line tool that is designed to assist administrators in diagnosing, monitoring, and troubleshooting Active Directory replication problems.


Active Directory replication dependencies

Active Directory replication has the following dependencies:

Routable IP infrastructure. The replication topology depends on a routable IP infrastructure from which you can map IP subnet address ranges to site objects. This mapping generates the information that client workstations use to communicate with domain controllers that are close by—when there is a choice—rather than with domain controllers that are located across wide area network (WAN) links.

DNS. The Domain Name System (DNS) that resolves DNS names to IP addresses. Active Directory requires that DNS is properly designed and deployed so that domain controllers can correctly resolve the DNS names of replication partners.

Remote procedure call (RPC). Active Directory replication requires IP connectivity and the remote procedure call (RPC) to transfer updates between replication partners.

Kerberos version 5 (V5) authentication. The protocol that provides both the authentication and the encryption that are required for all Active Directory RPC replication.

Lightweight Directory Access Protocol (LDAP). The primary access protocol for Active Directory. Replication of an entire replica of an Active Directory domain, as occurs when Active Directory is installed on an additional domain controller in an existing domain, uses LDAP communication rather than RPC.

NetLogon. NetLogon dynamically registers the globally unique identifier (GUID) CNAME in DNS that a domain controller uses to resolve its partner’s host name and IP address for Active Directory replication.

Intersite Messaging. Intersite Messaging is required for Simple Mail Transfer Protocol (SMTP) intersite replication and for site coverage calculations. If the forest functional level is Windows 2000, Intersite Messaging is also required for intersite topology generation.


Replication Topology and Dependent Technologies

Glossary of replication terms

The following table lists terms that are commonly used in discussions about Active Directory replication.

Term Definition

Active Directory replication Active Directory is a distributed directory service, in which not all objects in the directory are stored on every domain controller. In addition, all domain controllers in a domain can be updated directly, not just one primary domain controller. Active Directory replication is the means by which changes that are made on one domain controller are synchronized with all other appropriate domain controllers in the domain or forest that store copies of the same information. Data integrity is maintained by tracking changes on each domain controller and updating other domain controllers in a systematic way. Replication uses a connection topology that is created automatically to make optimal use of beneficial network connections.

Active Directory replication topology Replication topology is the current set of Active Directory connections by which domain controllers in a forest communicate over local area networks (LANs) and WANs to synchronize the directory partition replicas that the domain controllers have in common. Replication topology generation is usually dynamic; it adapts to network conditions and to the availability of domain controllers. Because so much now depends on directory services, it is very important to ensure that the replication topology is fine-tuned to maintain and deliver the expected level of performance.

Active Directory sites A site is a part of the network with high bandwidth connectivity. By definition, it is a collection of well-connected computers, based on IP subnets. You can use the Active Directory Sites and Services snap-in to administer sites. Because sites control how replication occurs, changes that you make with this snap-in affect how efficiently domain controllers within a domain (but separated by great distances) will coalesce.

Knowledge Consistency Checker (KCC) A part of the ISTG role in Active Directory. The KCC checks and, as an option, re-creates topology information for the Active Directory domain.

Intersite Topology Generator (ISTG) This is a role that one domain controller in an Active Directory site must perform. The ISTG designates one or more bridgehead servers to perform replication between sites.

Multimaster replication Every domain controller can receive originating updates to data for which it is authoritative, rather than having a single domain controller that receives all original updates (also known as single-master replication, such as Microsoft Windows NT® 4.0 replication).

Pull replication Domain controllers request (pull) changes rather than send (push) changes that might not be necessary.


Store-and-forward replication Each domain controller communicates with a subset of domain controllers to transfer replication changes, rather than one domain controller being responsible for communicating with every other domain controller that requires the change.

High water mark High water mark is a value that the destination domain controller maintains to keep track of the most recent changes that it has received from a specific source domain controller for an object in a specific partition. High water mark prevents irrelevant objects from being considered by the source domain controller with respect to a single destination.

Up-to-dateness vector The up-to-dateness vector is a value that the destination domain controller maintains for tracking the originating updates that are received from all source domain controllers. When a destination domain controller requests changes for a directory partition, it provides its up-to-dateness vector to the source domain controller. The source domain controller then uses this value to reduce the set of attributes that it sends to the destination domain controller.
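To make the high water mark and the up-to-dateness vector concrete, here is a small Python model of the two filters a source domain controller applies when a destination pulls changes from it. This is an added illustration, not code from this Microsoft document or from Active Directory itself: the object records are a simplified stand-in for the real replication metadata, and the DC names, invocation IDs and USNs are constructed.

```python
"""Model of the two filters a source domain controller applies when a
destination pulls changes: the high water mark (kept per source, filters
whole objects by source-local USN) and the up-to-dateness vector (kept per
originating DC, filters individual attribute values by originating USN).

Added illustration, not code from the Microsoft document; the records are
simplified stand-ins for real replication metadata and the DC names,
invocation IDs and USNs are constructed."""

from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class AttrMeta:
    """Replication metadata kept for one attribute value (simplified)."""
    value: str
    originating_dsa: str   # invocation ID of the DC where the write originated
    originating_usn: int   # USN that DC assigned to the originating write


@dataclass
class SourceObject:
    dn: str
    usn_changed: int       # source-local USN of the object's most recent change
    attrs: dict[str, AttrMeta] = field(default_factory=dict)


def changes_to_send(source_objects, high_water_mark, utd_vector):
    """Return {dn: {attribute: value}} that the source sends to one destination.

    high_water_mark: the highest source-local USN the destination has already
        received from this source; objects at or below it are not considered.
    utd_vector: {invocation_id: highest originating USN the destination has
        already received from that DC by any path}; attribute values the
        destination already holds are dropped (propagation dampening).
    """
    to_send = {}
    for obj in sorted(source_objects, key=lambda o: o.usn_changed):
        if obj.usn_changed <= high_water_mark:
            continue   # destination already saw this object's changes from this source
        attrs = {}
        for name, meta in obj.attrs.items():
            already_has = utd_vector.get(meta.originating_dsa, 0)
            if meta.originating_usn > already_has:
                attrs[name] = meta.value
        if attrs:
            to_send[obj.dn] = attrs
    return to_send


def demo():
    """Source DC1 answers a pull request from DC2, using the constructed state below."""
    source = [
        SourceObject("CN=Bob,DC=contoso,DC=com", usn_changed=90,
                     attrs={"description": AttrMeta("old", "dc1-invid", 90)}),
        SourceObject("CN=Alice,DC=contoso,DC=com", usn_changed=105,
                     attrs={"description": AttrMeta("on call", "dc1-invid", 105),
                            # this value originated on DC2 itself and reached DC1 by replication
                            "title": AttrMeta("engineer", "dc2-invid", 40)}),
        SourceObject("CN=Carol,DC=contoso,DC=com", usn_changed=110,
                     attrs={"department": AttrMeta("finance", "dc3-invid", 12)}),
    ]
    # DC2's bookkeeping for source DC1: high water mark 100; its UTD vector says
    # it already holds everything up to USN 100 from DC1, 45 from itself, 10 from DC3.
    hwm = 100
    utd = {"dc1-invid": 100, "dc2-invid": 45, "dc3-invid": 10}
    return changes_to_send(source, hwm, utd)


if __name__ == "__main__":
    for dn, attrs in demo().items():
        print(dn, attrs)
```

Running the model shows Bob dropped by the high water mark, Alice's title dropped by the up-to-dateness vector because DC2 originated that write itself, and only Alice's description and Carol's department actually crossing the wire.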

Glossary of other replication-related terms

The following table lists terms that are related to other technologies that depend on Active Directory replication topology.

Term Definition

File Replication Service (FRS) The replication service in Windows 2000 Server and Windows Server 2003 that is used to replicate the SYSVOL shared folder.

Replica set The collection of servers that are all replicating a given set of directories is called a replica set. With an appropriate topology design and sufficient network support, a Windows 2000 or Windows Server 2003 FRS replica set can span thousands of computers. It is also possible for a single computer to be a member of multiple replica sets.

Topology Topology defines the set of connections that are used to send updates between members of a replica set. The topology definition includes both the connections and the properties of those connections, such as the schedule, enabled and disabled flags, and so on.

Disconnected operation FRS can operate even if some or all member computers are disconnected from each other for periods of time. Changes can be accepted by any computer, and changes are replicated to other member computers when connectivity is reestablished.

Authenticated RPC with encryption To provide secure communications, FRS uses the Kerberos authentication protocol for authenticated RPC to encrypt and tamper-proof the data that is sent between replication partners.

Repadmin Requirements, Syntax, and Parameter Descriptions

You can use the repadmin command to perform replication tasks and to manage and modify the replication topology, force replication events, and display replication metadata and up-to-dateness vectors. This topic covers:

System requirements

File requirements

Repadmin command-line options

Repadmin subcommands

Repadmin /listhelp

CSV format

System requirements

The following are the system requirements for repadmin:


Windows XP Professional, Windows Vista®, Windows Server 2003, or Windows Server 2008

Administrator rights on the domain controller:

Required replication rights can be delegated

Some commands do not require Administrator rights

File requirements

Repadmin.exe is included in the Windows Server 2003 Service Pack 1 (SP1) Support tools. You must install the Support tools before you can use them. For more information about how to install the Support tools, see Windows Server 2003 SP1 Support Tools in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=44321).

To obtain the Support tools if you do not have the Windows Server 2003 operating system disc, see Windows Server 2003 SP1 32-bit Support Tools on the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkID=70775).

Previous versions of repadmin have similar functionality, but they have some limitations regarding the workstations that they can be run on and which functions they can perform. The following table lists the versions of repadmin, which operating systems they can be run on, and which domain controllers they can target.

Version | Client operating system | Target operating system | Important feature sets

Windows 2000 | Windows 2000 and later | All Active Directory versions | /sync, /propcheck, /showreps, /showvector, /showmeta

Windows Server 2003 | Windows XP Professional and Windows Server 2003 | All Active Directory versions | /notifyopt, /replsummary, /replicate, /replsingleobj, /removelingeringobjects, /rehost and /unhost, /showmsg, /showattr, /syncall, /viewlist, DC_LIST

Windows Server 2003 with SP1 | Windows XP Professional and Windows Server 2003 | All Active Directory versions (rehost requires Windows 2000 Server SP4 and later; remove lingering objects requires Windows Server 2003) | /showbackup, /rehost bug fix, /regkey

Active Directory Application Mode (ADAM) | Windows XP Professional and Windows Server 2003 | All Active Directory versions | /setattr, /listhelp

Deprecated subcommands (from Windows 2000 Server) | Equivalent or improved subcommands in Windows Server 2003

/sync | /repl or /replicate

/propcheck | /showchanges

/showreps | /showrepl

/showvector | /showutdvec

/showmeta | /showobjmeta

Repadmin command-line options

Repadmin is executed at the command prompt, and it contains several subcommands, which are described in detail in the following section.

Syntax

repadmin <subcommand> [<dsa>] [/u:<UserName>] [/pw:{<Password> | *}] [/rpc] [/ldap] [/homeserver:<dsaname>]

Parameters

Parameter Description

<subcommand> One of the repadmin subcommands that is described in the subcommands section.

<Dsa> Directory System Agent (DSA) represents the domain controller to be targeted by the repadmin subcommand.

Not all repadmin subcommands require the dsa parameter.

Type repadmin /listhelp at the command line for additional information about the dsa parameter.

/u:<UserName> Specifies the account name to use for binding to the directory. By default, /u uses the account name with which the user is currently logged on. You can use any of the following formats to specify an account name:

account name (for example, Bob)

domain\account name (for example, contoso\Bob)

user principal name (UPN) (for example, Bob@contoso.com)

/pw:{<Password> | *} Specifies the password to use for authentication. If you type *, you are prompted for a password.

/rpc Forces repadmin to communicate by using a remote procedure call (RPC) session.

/ldap Forces repadmin to communicate by using a Lightweight Directory Access Protocol (LDAP) session. If LDAP communication fails, repadmin attempts to communicate by using RPC. LDAP is the default communication method for repadmin.

/homeserver:<dsaname> Forces repadmin to run against a specific domain controller, which is determined by the forest membership of the directory server that is represented by <dsaname>.

You can specify <dsaname> in the following formats:

<Computername>, <Dnsname>, <Dsaguid>, *, ., “site:<site>”, “fsmo_dnm:”, or “fsmo_schema:”.


Repadmin subcommands

Subcommand Syntax and description

bind repadmin /bind [dsa]

Connects to and displays the replication features for a directory server.

bridgeheads repadmin /bridgeheads [dsa]

Lists the directory servers that act as bridgehead servers for a specified site.

checkprop repadmin /checkprop [dsa] Naming Context OriginatingDCInvocationID OriginatingUSN

Compares the properties of specified directory servers to determine if they are up to date with each other. The source directory server contains the original information that must be checked. The data on the destination directory server is compared to the data on the source directory server.

dsaguid repadmin /dsaguid [dsa] [GUID]

Returns a server name when given a globally unique identifier (GUID).

failcache repadmin /failcache [dsa]

Displays a list of failed replication links that are detected by the Knowledge Consistency Checker (KCC).

istg repadmin /istg [dsa] [/verbose]

Returns the computer name of the Intersite Topology Generator (ISTG) server for a specified site.

kcc repadmin /kcc [dsa] [/async]

Forces KCC to calculate replication topology for a specified directory server. By default, this calculation occurs every 15 minutes.

latency repadmin /latency [dsa] [/verbose]

Displays the amount of time between replications, by using the ISTG Keep Alive time stamp. The ISTG Keep Alive time stamp is not used in forests that are set to the Windows Server 2003 forest functional level. Instead, in those environments, use repadmin /showutdvec /latency.

notifyopt repadmin /notifyopt [dsa] Naming Context [/first:Value] [/subs:Value]

Displays or sets the notification timing settings for replication of a specified directory partition.

queue repadmin /queue [dsa]

Displays tasks that are waiting in the replication queue.

prp repadmin /prp [operation] RODC [additional arguments]

Displays or modifies the Password Replication Policy for a read-only domain controller (RODC).

This command is available only for versions of Repadmin that are included in Windows Server 2008, Windows Server 2008 R2, or Remote Server Administration Tools.

The operation can be view, add, delete, or move. For view, add, and delete, RODC can be either RODC_Name or *. For move, RODC must be RODC_name.

querysites repadmin /querysites FromSiteRDN ToSite1RDN [ToSite2RDN...]

Uses routing information to determine the cost of a route from a specified site to another specified site or sites. The querysites parameter does not allow the use of alternate credentials. The relative distinguished names that are used in this command are case sensitive.

replicate Syntax 1

repadmin /replicate destination_dsa source_dsa [/force] [/async] [/full] [/addref]

Syntax 2

repadmin /replicate destination_dsa [/force] [/async] [/full] [/addref] /allsources

Starts a replication event for the specified directory partition between the source and destination directory servers. You can determine the source GUID when you view the replication partners by using showrepl.


replsingleobj repadmin /replsingleobj dsa DsaSourceGUID ObjectDN

Replicates a single object between any two directory servers that have partitions in common. The two directory servers do not need to have a replication agreement. You can show replication agreements by using the repadmin /showrepl command.

replsummary repadmin /replsummary [dsa] [/bysrc] [/bydest] [/errorsonly] [/sort:{delta|partners|failures|error|percent}]

Summarizes the replication state and relative health of an Active Directory forest.

rodcpwdrepl repadmin /rodcpwdrepl [DSA_list] Hub DC User1 DN [User2 DN User3 DN]

Triggers replication of passwords for the specified users from the source Hub DC to one or more RODCs.

This command is available only for versions of Repadmin that are included in Windows Server 2008, Windows Server 2008 R2, or Remote Server Administration Tools.

showattr repadmin /showattr dsa [OBJ_LIST] [OBJ_LIST_OPTIONS] [/attr|/attrs: attribute attribute ...] [/allvalues] [/long] [/nolongblob] [/nolongfriendly] [/dumpallblob]

The /showattr operation displays the attributes and contents of an object.

showcert repadmin /showcert dsa

Displays the certificates (used with Simple Mail Transfer Protocol (SMTP)–based replication) that are loaded on a specified directory server.

showchanges Syntax 1

repadmin /showchanges source_dsa Naming Context [/cookie: File] [/atts: attribute1,attribute2,...]

Syntax 2

repadmin /showchanges dest_dsa SourcedsaObjectGUID Naming Context [/verbose] [/statistics] [/noincremental] [/objectsecurity] [/ancestors] [/atts: attribute1,attribute2,...] [/filter: ldap filter]


Displays changes from a specified directory partition or changes to a specified object. "Syntax 1" saves changes to a directory partition. If this information is saved to a file, you can run the getchanges operation again for comparison. "Syntax 2" lists changes to a specified object. For this command to run properly, the account under which the command is run must possess the replication get changes right on the specified directory partition.

showconn repadmin /showconn [dsa] [ServerRDN | ContainerDN | dsa_GUID] [/From:ServerRDN] [/intersite]

Displays the connection objects for a specified directory server. The default is local site.

showctx repadmin /showctx [dsa] [/nocache]

Displays a list of computers that have opened sessions with a specified directory server.

showism repadmin /showism [TransportDN] [/verbose]

Queries the Intersite Messaging Service (ISM) for site routes. This operation cannot be executed remotely.

showmsg repadmin /showmsg {Win32Error | DSEventID | NTDSMSG}

Displays the error message for a given error number.

showncsig repadmin /showncsig [dsa]

Each directory server maintains a directory partition signature list. This command displays a list of the removed application partition GUIDs. You can configure an application directory partition to be held or not held on a particular directory server by using ntdsutil (for Active Directory).

showobjmeta repadmin /showobjmeta [dsa] ObjectDN [/nocache] [/linked]

Displays the replication metadata for a specified object that is stored in the directory, including attribute ID, version number, originating and local update sequence number (USN), and originating server's GUID and Date and Time stamp. When you compare the replication metadata for the same object on different directory servers, you can determine whether replication has occurred.


showoutcalls repadmin /showoutcalls [dsa]

Displays calls that have been made by the specified directory server to other directory servers but not yet answered.

showproxy Syntax 1

repadmin /showproxy [dsa] [Naming Context] [matchstring]

Syntax 2

repadmin /showproxy [dsa] [ObjectDN] [matchstring] /movedobject

Lists cross-domain move proxy objects. When an object is moved from one domain to another, a marker remains in the original domain. This marker is called a proxy.

showrepl repadmin /showrepl [dsa] [SourceDCObjectGUID] [Naming Context] [/verbose] [/nocache] [/repsto] [/conn] [/csv] [/all] [/errorsonly] [/intersite]

Displays replication information. Inbound replica links are displayed by default. Outbound links can also be shown, as well as connections corresponding to those links. The command also displays errors that correspond to replica links that cannot be created by KCC. This helps an administrator build a visual representation of the replication topology and see the role of each directory server in the replication process.

showsig repadmin /showsig [dsa]

Displays the retired invocation IDs on a directory server. A directory server changes its invocation ID when it is restored or when it rehosts an application partition.

showtime repadmin /showtime [DSTimeValue]

Converts a directory service time value to string format for both the local and the UTC time zones.

showtrust repadmin /showtrust [dsa]

Lists all Active Directory domains that are trusted by a specified Active Directory domain.

showutdvec repadmin /showutdvec dsa Naming Context [/nocache] [/latency]


Displays the highest USN for the specified directory server. This information shows how up to date a replica is with its replication partners.

showvalue repadmin /showvalue [dsa] ObjectDN [AttributeName] [ValueDN] [/nocache]

Displays the values of the type, last modified time, originating directory server, and distinguished name of a specified object.

syncall repadmin /syncall dsa [Naming Context] [Flags]

Synchronizes a specified directory server with all replication partners. This command contains several subcommands, which are described in the usage scenarios.

By default, if no directory partition is provided in the NamingContext parameter, the command performs its operations on the configuration directory partition.

viewlist repadmin /viewlist [dsa] [OBJ_LIST]

Displays a list of directory servers.

oldhelp Displays a list of the operations that have been deprecated in this version of repadmin.

Repadmin /listhelp

Arguments Values Description

DC_LIST “*” All domain controllers in the enterprise

DC_Name See under DC_NAME argument

Part-server_name* Would pick "part_server_name_dc_01" and "part_server_name_dc_02" but not server "part_server_diff_name".

Site:site_name All domain controllers in the specified site.

Gc: All global catalog servers in the enterprise.


Fsmo_fsmo_type:fsmo_dn See under FSMO_TYPE

FSMO_TYPE Types of operations master (also known as flexible single master operations or FSMO) role holders require different base distinguished names or relative distinguished names.

Fsmo_dnm: Enterprise-wide FSMO; does not take any distinguished name (also known as DN).

Fsmo_schema: Enterprise-wide FSMO; does not take any distinguished name.

Fsmo_pdc: Domain-specific FSMO; takes the distinguished name of the domain that the user specifies.

Fsmo_rid: Domain-specific FSMO; takes the distinguished name of the domain that the user specifies.

Fsmo_im: Domain-specific FSMO; takes the distinguished name of the domain that the user specifies.

Fsmo_istg: Site-specific quasi-FSMO; takes the relative distinguished name of the site.

DC_NAME

“.” Tells repadmin to try to pick a domain controller for you.

Server_dns Specifies a server by DNS.

Dc_dsa_guid Specifies a specific server by its Directory System Agent (DSA) GUID.

Server_obj_rdn Specifies a server by its server object relative distinguished name (usually the same as its NetBios name).

Dsa_dn Specifies a server by the distinguished name of its DSA object.

OBJ_LIST

Ncobj:NC_NAME Specifies the use of the distinguished name of NC Head that is specified in NC_NAME.

Dsaobj: Specifies the use of the distinguished name of the DSA that repadmin is connected to.

NC_NAME Config: Configuration directory partition.

Schema: Schema directory partition.

Domain: Domain directory partition for the domain of the domain controller that repadmin is running against.

OBJ_LIST OPTIONS {/onelevel | /subtree} /filter:{ldap_filter}

With these options, you can use the showattr and viewlist commands to cover a list of objects, instead of just a single object.

CSV format

The output that repadmin /showrepl returns can be difficult to navigate when you are troubleshooting replication errors or viewing replication topology in a large enterprise. There is a new feature (/CSV) that you can use to force /showrepl output to print in a tightly constrained comma-separated-value (CSV) format for programmatic manipulation or quick import and correlation in Excel.

The CSV format is also an effective way to exchange repadmin outputs because it is not prone to user errors.

To generate output as a .csv (comma-delimited) file, perform the following steps:

1. Open a command prompt, type the following command, and then press ENTER:

repadmin /showrepl <DC_NAME> /csv > Repl.csv

2. Open Repl.csv, and then delete or hide column A and both RPC and SMTP columns.

3. Select row 2. Click View, and then click Freeze Panes.

4. Highlight the column heading row. Click Data, point to Filter, and then click AutoFilter.

5. Click the drop-down arrow to display replication status based on your situation.


Figure 2.4.1

Repadmin Usage Scenarios

This section includes explanations and examples for the following usage scenarios:

Monitor Forest-Wide Replication

Display Replication Partners and Status of a Domain Controller

Replication Latency

View Replication Metadata of an Object

Display the Attributes of a Specific Object

How Up to Date Are My Domain Controllers?

Can I Look at My Connection Objects and Schedule Details?

Fine-Tuning Change Notification Values

Forcing Replication

Keeping Track of Changes That Have Occurred Over a Period of Time

Usage of Repadmin When Troubleshooting Event ID 1311

Subcommands Not Covered Under the Previous Scenarios

Oldhelp

Monitor Forest-Wide Replication

Maintaining the health of enterprise-wide directory replication is very important so that the users, services, machines, and applications that rely on it can operate successfully. The Windows Server 2003 version of repadmin has enhanced functionality that makes it easier to monitor forest-wide directory replication, and it is compatible with Windows 2000 domains.

Repadmin /replsummary summarizes the replication state and relative health of an Active Directory forest by inventorying and contacting every domain controller in the forest and collecting information such as replication deltas and replication failures. It also identifies any domain controllers that could not be contacted and reports the failure reason (for an example, see Figure 3.1.4).

Syntax

repadmin /replsummary <DC_LIST> [/bysrc] [/bydest] [/errorsonly] [/sort:{delta | partners | failures | error | percent}]

Parameters Definition

<DC_LIST> Specifies the host name of a domain controller, or a space-separated list of domain controllers, that the summary is taken from. For details about <DC_LIST>, see repadmin /listhelp.

/bysrc Shows the output of repadmin /replsummary, from the perspective of the replication source (outbound domain controller), in the form of a table. This means that a given source directory server is "pulled on" by multiple client domain controllers. The table is sorted in order of the source domain controllers that are having the most problems, across all the clients in the configuration set. This parameter does not display the destination domain controller.

/bydest Shows the output of repadmin /replsummary, from the perspective of the replication destination, in the form of a table. This means that a given replication destination (inbound domain controller) is pulling the changes from one or more replication source(s). The table shows the inbound domain controllers and what problems they are having with their partners. The table is sorted in order of the inbound domain controllers that are having the most problem with inbound replication, across all the possible partners in the configuration set. This parameter does not display the source domain controller.

/errorsonly Shows only the domain controllers where the partner error is not zero.

/sort:{delta | partners | failures | error | percent} Sorts the replsummary table by the specified column heading.

The /bysrc and /bydest parameters may be specified at the same time. If they are specified at the same time, repadmin displays the /bysrc table first and the /bydest table next. If both /bysrc and /bydest are absent, repadmin picks the better of the two and displays the one with the fewest partner errors.

Simple usage of repadmin /replsummary

Figure 3.1.1

How to interpret the output

The output of repadmin /replsummary is organized by destination and source domain controllers. You should focus on the destination domain controllers first, because the replication model is pull-based. Replication between domain controllers does not use a "push" mechanism. If the replication is within a site, a domain controller (DC1) notifies another domain controller (DC2) that it has updates, and then DC2 pulls the updates from DC1. If the replication is between sites, a domain controller requests updates at a scheduled time and, if updates are available, the domain controller pulls the updates from a domain controller in the other site.

Fields of interest | Definition | Notes

….. | Each dot after the first three represents a domain controller, with not more than 50 dots per line. So, if you have two lines full of dots, it indicates 97 domain controllers (100-3). | In figure 3.1.1, there are nine dots, which relates to six domain controllers (9-3).

Destination DC | Replication destination. A single destination might be pulling data from one or more sources. | In figure 3.1.1, we are focusing on ROOTDC01.

Source DC | Replication source. Multiple destinations might be pulling from a single source. | In figure 3.1.1, we do not yet know the source domain controller.

Largest delta | Denotes the longest replication gap amongst all replication links for a particular domain controller. | In figure 3.1.1, the largest delta is 45m:47s.

Total | Replica links for a particular domain controller (one for each naming context on each domain controller). Please note that this is not the connection objects or replication partners per domain controller. | In figure 3.1.1, we have seven replication links.

Fails | Total number of replica links failing to replicate for one reason or the other. This will never be greater than the Total field. | No failures in our example.

Percentage | Percentage of failures in relation to the total replica links on the domain controller. |

How to make more sense of some of the fields

We ran repadmin /showrepl against ROOTDC01 to get detailed replication status. Always focus on inbound neighbors because replication is inbound.

In Figure 3.1.1, replsummary was taken at 22:36:30. If you look at the schema naming context replication time in Figure 3.1.2, 21:49:44, the difference is 45m:47s, which corresponds to the largest delta.

Interestingly, 45 minutes is relatively high in our example because our partners belong to the same site. The reason is that the default periodic replication frequency within a site is once per hour, and because the schema naming context had no changes, it was replicated only by periodic replication, at 21:49:44, whereas the other partitions replicated in response to change notifications from their partners.

We also see seven replica links, one for each naming context on each domain controller.
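The following Python script ties the CSV format section earlier in this topic to the replsummary fields just described. It is an added example, not part of the Microsoft document and not repadmin's own code: it parses the file that repadmin /showrepl <DC_NAME> /csv writes and derives, per destination domain controller, the largest delta, total replica links, fails and percentage. The column names follow the header that the /csv output carries; the sample rows, DC names, sites, times and error codes are constructed. A link whose Last Success Time is not a timestamp (the never-replicated case) makes the largest delta read "unknown", as the text above describes for replsummary.

```python
"""Parse the output of `repadmin /showrepl <DC_LIST> /csv` and derive the
per-destination figures that repadmin /replsummary prints (largest delta,
total replica links, fails, percentage).

Added example; this is not code from the Microsoft document or from
repadmin itself. The column names are the ones the /csv header carries; the
sample rows, DC names, sites, times and error codes below are constructed."""

import csv
import io
from datetime import datetime, timedelta

# Constructed sample of /showrepl /csv output. Column A (showrepl_COLUMNS) is
# the one the document tells you to hide in Excel; it is kept here so that the
# parser runs on unmodified output.
SAMPLE_CSV = '''\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,ROOTDC01,"CN=Schema,CN=Configuration,DC=contoso,DC=com",Default-First-Site-Name,ROOTDC02,RPC,0,0,2008-06-01 21:50:43,0
showrepl_INFO,Default-First-Site-Name,ROOTDC01,"CN=Configuration,DC=contoso,DC=com",Default-First-Site-Name,ROOTDC02,RPC,0,0,2008-06-01 22:31:02,0
showrepl_INFO,Default-First-Site-Name,ROOTDC01,"DC=contoso,DC=com",Default-First-Site-Name,ROOTDC02,RPC,0,0,2008-06-01 22:35:10,0
showrepl_INFO,Branch,BRANCH-HUB-BH,"DC=contoso,DC=com",Branch,BRANCH2,RPC,3,2008-06-01 22:30:00,2008-06-01 20:00:00,1722
showrepl_INFO,Branch,BRANCH-HUB-BH,"CN=Configuration,DC=contoso,DC=com",Branch,BRANCH2,RPC,3,2008-06-01 22:30:00,0,1722
'''

TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_showrepl_csv(text):
    """Return one dict per replica link (rows tagged showrepl_INFO in column A)."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if row.get("showrepl_COLUMNS") == "showrepl_INFO"]


def parse_time(value):
    """Timestamp from the CSV, or None when the link has never replicated
    (a 0 or blank there is what /replsummary reports as 'unknown')."""
    try:
        return datetime.strptime(value.strip(), TIME_FORMAT)
    except (ValueError, AttributeError):
        return None


def format_delta(delta):
    """Render a timedelta the way replsummary does (e.g. 45m:47s); 'unknown' for None."""
    if delta is None:
        return "unknown"
    seconds = int(delta.total_seconds())
    hours, rest = divmod(seconds, 3600)
    minutes, secs = divmod(rest, 60)
    if hours:
        return f"{hours}h:{minutes:02d}m:{secs:02d}s"
    return f"{minutes}m:{secs:02d}s"


def replsummary_bydest(rows, now):
    """Per-destination table in the spirit of repadmin /replsummary /bydest.

    now: when the summary is taken; each link's delta is measured from its
    Last Success Time up to this instant. A destination with any link that has
    never succeeded gets largest_delta None ('unknown')."""
    table = {}
    for row in rows:
        entry = table.setdefault(row["Destination DSA"], {
            "total": 0, "fails": 0, "largest_delta": timedelta(0),
            "errors": set(), "sources": set()})
        entry["total"] += 1                      # one link per naming context per source
        entry["sources"].add(row["Source DSA"])
        if int(row["Number of Failures"]) > 0:
            entry["fails"] += 1
            entry["errors"].add(int(row["Last Failure Status"]))
        last_success = parse_time(row["Last Success Time"])
        if last_success is None:
            entry["largest_delta"] = None
        elif entry["largest_delta"] is not None:
            entry["largest_delta"] = max(entry["largest_delta"], now - last_success)
    for entry in table.values():
        entry["percent"] = round(100 * entry["fails"] / entry["total"])
    return table


def demo():
    """Summarize the constructed sample as if taken at 22:36:30, the time in Figure 3.1.1."""
    rows = parse_showrepl_csv(SAMPLE_CSV)
    return replsummary_bydest(rows, datetime(2008, 6, 1, 22, 36, 30))


if __name__ == "__main__":
    for dest, e in demo().items():
        print(f"{dest:15} largest delta {format_delta(e['largest_delta']):>10} "
              f"fails/total {e['fails']}/{e['total']} ({e['percent']}%) "
              f"errors {sorted(e['errors']) or '-'}")
```

Run as-is, the script summarizes the embedded sample: ROOTDC01 shows three healthy links with a largest delta of 45m:47s, and BRANCH-HUB-BH shows two failing links with error 1722 and an unknown largest delta. To use it on real data, read the Repl.csv produced by the repadmin /showrepl <DC_NAME> /csv > Repl.csv step into the text passed to parse_showrepl_csv and pass the capture time as now.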

Figure 3.1.2

Common factors that influence the largest delta field

Periodic intrasite replication frequency.

Intersite replication schedule and frequency.

Redundant replication paths with staggered replication schedules.

Intrasite and intersite change notifications; first and subsequent replication notification delay values.

Where does repadmin /replsummary read replication status information from?

Similar to /showrepl, repadmin /replsummary gathers this information from the repsFrom and repsTo multivalued attributes stored at the root of each directory partition replica (also known as a naming context) held on the domain controller. These attributes are local to the domain controller and are not replicated.

The repsFrom attribute contains configuration and persistent state information associated with inbound replication from each source replica of that directory partition.

The repsTo attribute contains the outbound change notification partners. Typically, this list would be your intrasite partners.

Wildcard and other parameter usage

The following example uses a wildcard character to show the replication summary for all of the domain controllers in the forest that have a name that begins with ‘ROOT’.

Figure 3.1.3

If there are no inbound partners for a given domain controller, none would be listed under the Destination DC list. Similarly, if there are no outbound partners for a given domain controller, none would be listed under the Source DC list.

It is therefore important to tally the total number of domain controllers in the forest and compare it against the Destination DC and Source DC lists to get an accurate view. Repadmin /viewlist * should list all the domain controllers in the forest.

At the time of writing, the total number of replication links reported in the replsummary output is limited to 999.

If the replication destination has never replicated from the source, the largest delta is reported as unknown.

Replsummary reporting failures

The following example reports a replication failure and a domain controller that could not be reached, with the error codes and reasons.


Figure 3.1.4

C:\>net helpmsg 58

The specified server cannot perform the returned operation.

C:\>net helpmsg 1722

The RPC server is unavailable.

In our example, the following occurred:

BRANCH2 could not be reached, hence error 58.

The “RPC server is unavailable” error reported by BRANCH-HUB-BH correlates with this finding: the BRANCH2 domain controller is either down or not reachable because of a communication link problem.

We also used /homeserver:rootdns to demonstrate that you sometimes have to specify a server (/homeserver:<domain controller name>), for example when you are not running the command on a domain controller.

Display Replication Partners and Status of a Domain Controller

When troubleshooting replication errors, it is helpful to know which domain controllers are the replication partners of a specific domain controller and the status of replication with each of those partners.

Repadmin /showrepl displays the replication partners (RepsFrom and RepsTo) for each naming context held on the specified domain controller. By enumerating each RepsFrom and each RepsTo for each domain controller, you can visualize the replication topology for each naming context.

It also indicates whether the domain controller is also a global catalog server. Inbound replica links are displayed by default. Outbound links can also be shown, as well as connections that correspond to those links. The command also displays errors that correspond to replica links that cannot be created by the Knowledge Consistency Checker (KCC). This helps the administrator build a visual representation of the replication topology and see the role of each directory server in the replication process.

Syntax

Repadmin /showrepl <DC_LIST> <SourceDCObjectGUID> [NamingContext] [/verbose] [/nocache] [/repsto] [/conn] [/csv] [/all] [/errorsonly] [/intersite]

Parameters and definitions

<DC_LIST>: Specifies the host name of a domain controller or a list of domain controllers separated by a space that the object will be replicated to. See above for detailed syntax. For details about <DC_LIST>, see repadmin /listhelp.

SourceDCObjectGUID: Specifies the unique hexadecimal number that identifies the object whose replication events will be listed.

NamingContext: Specifies the distinguished name of the directory partition.

/verbose: Lists detailed information.

/nocache: Specifies that globally unique identifiers (GUIDs) are left in hexadecimal form. By default, GUIDs are translated into strings.

/repsto: Lists the directory servers that pull replication information from the specified directory partition. To see the outbound neighbors, specify /repsto or /all.

/conn: Displays the connection objects that are associated with each link.

/csv: Displays the output of the repadmin /showrepl operation in Comma Separated Variable (CSV) format for viewing and analysis in Microsoft Excel. Repadmin supports redirection of screen output to a file.

/all: Displays all replication partners.

/errorsonly: Shows a partnership only if it has an error associated with it.

/intersite: Shows a partnership only if the source server belongs to a different site than the server on which the command is being run.

Show replication partners and replication status

The following example uses the showrepl operation of repadmin to display the replication status of ROOTDNS in relation to its partners. In our example, no problems are reported because replication is running properly. There is a lot of information to be gathered from this output; the comments next to each line explain what each means.

Figure 3.2.1

C:\>repadmin /showrepl rootdns

HUB\ROOTDNS (Site name and domain controller name)

DC Options: IS_GC (DC Options)

Site Options: (none) (Site options)

DC object GUID: 076cd5dd-e25e-4897-acd2-7c8691621522 (GUID of NTDS settings)

DC invocationID: 076cd5dd-e25e-4897-acd2-7c8691621522 (Database signature)

==== INBOUND NEIGHBORS =========================================================

DC=contoso,DC=com (Naming Context)

HUB\ROOTDC01 via RPC (Replication link)

DC object GUID: 2a92f776-6c0f-4cb4-a111-f5dcd447af6c (GUID of replication partner)

Last attempt @ 2005-01-05 01:04:34 was successful. (Status of last replication)

CN=Configuration,DC=contoso,DC=com (Naming Context)

HUB\ROOTDC01 via RPC (Replication link)

DC object GUID: 2a92f776-6c0f-4cb4-a111-f5dcd447af6c (GUID of replication partner)

Last attempt @ 2005-01-05 01:01:31 was successful. (Status of last replication)

HUB\BRANCH-HUB-BH via RPC (Replication link)

DC object GUID: 9090b7ce-53a6-4a44-91bf-b50ed232be53

Last attempt @ 2005-01-05 01:01:44 was successful.

CN=Schema,CN=Configuration,DC=contoso,DC=com (Naming Context)

HUB\BRANCH-HUB-BH via RPC (Replication link)

DC object GUID: 9090b7ce-53a6-4a44-91bf-b50ed232be53

Last attempt @ 2005-01-05 00:53:34 was successful.

HUB\ROOTDC01 via RPC (Replication link)

DC object GUID: 2a92f776-6c0f-4cb4-a111-f5dcd447af6c

Last attempt @ 2005-01-05 00:53:34 was successful.

In the output under INBOUND NEIGHBORS, repadmin.exe shows the Lightweight Directory Access Protocol (LDAP) distinguished name of each directory partition for which inbound directory replication has been attempted, the site and name of the source domain controller, and whether it succeeded or not, as follows:

Last attempt @ YYYY-MM-DD HH:MM.SS was successful.

Last attempt @ [Never] was successful.

If repadmin.exe reports any of the following conditions, further investigation is required:

The last successful inter-site replication was prior to the last scheduled replication.

The last intra-site replication was longer than one hour ago.

Replication was never successful.
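The checks listed above can be applied mechanically to saved /showrepl output. The following Python script is an added example, not part of the Microsoft document: it parses a constructed sample modelled on Figure 3.2.1 (the BRANCH1 and BRANCH3 links, their GUIDs and the evaluation time are invented) and flags links that failed, never replicated, or are intrasite and idle for more than an hour.

```python
"""Parse repadmin /showrepl text output and flag inbound links that need investigation."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample in the layout of Figure 3.2.1. The ROOTDC01 and BRANCH-HUB-BH
# GUIDs come from the figure; the BRANCH1 and BRANCH3 links (and their GUIDs) are
# invented to exercise the failure and never-replicated cases.
SAMPLE_SHOWREPL = """\
HUB\\ROOTDNS
DC Options: IS_GC
Site Options: (none)
DC object GUID: 076cd5dd-e25e-4897-acd2-7c8691621522
DC invocationID: 076cd5dd-e25e-4897-acd2-7c8691621522

==== INBOUND NEIGHBORS ======================================

DC=contoso,DC=com
    HUB\\ROOTDC01 via RPC
        DC object GUID: 2a92f776-6c0f-4cb4-a111-f5dcd447af6c
        Last attempt @ 2005-01-05 01:04:34 was successful.
    HUB\\BRANCH-HUB-BH via RPC
        DC object GUID: 9090b7ce-53a6-4a44-91bf-b50ed232be53
        Last attempt @ 2005-01-04 23:40:00 was successful.

CN=Configuration,DC=contoso,DC=com
    BRANCH1\\BRANCH1 via RPC
        DC object GUID: 11111111-2222-3333-4444-555555555555
        Last attempt @ 2005-01-05 00:58:10 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
    BRANCH3\\BRANCH3 via RPC
        DC object GUID: 66666666-7777-8888-9999-000000000000
        Last attempt @ [Never] was successful.
"""
REPORT_TIME = datetime(2005, 1, 5, 1, 10, 0)   # constructed "now" for the sample

LOCAL_RE = re.compile(r"^([^\s\\]+)\\(\S+)\s*$")              # SITE\DCNAME header line
NEIGHBOR_RE = re.compile(r"^\s+([^\s\\]+)\\(\S+) via (\S+)")  # indented SITE\SOURCE via RPC
ATTEMPT_RE = re.compile(r"Last attempt @ (\[Never\]|\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
                        r"(?:was successful|failed, result (\d+))")


@dataclass
class Link:
    naming_context: str
    site: str
    source: str
    last_attempt: Optional[datetime] = None   # None when repadmin prints [Never]
    succeeded: bool = False
    error: Optional[int] = None               # Win32 result code on failure


def parse_showrepl(text):
    """Return the local DC's site name and one Link per inbound neighbor."""
    local_site, nc, current, links = None, None, None, []
    for line in text.splitlines():
        if local_site is None:                 # skip banner lines until SITE\DC appears
            m = LOCAL_RE.match(line)
            if m:
                local_site = m.group(1)
            continue
        if line.startswith(("DC=", "CN=")):    # unindented DN starts a naming context
            nc = line.strip()
            continue
        m = NEIGHBOR_RE.match(line)
        if m and nc:
            current = Link(nc, m.group(1), m.group(2))
            links.append(current)
            continue
        m = ATTEMPT_RE.search(line)
        if m and current:
            when, code = m.groups()
            current.last_attempt = (None if when == "[Never]"
                                    else datetime.strptime(when, "%Y-%m-%d %H:%M:%S"))
            current.succeeded = code is None
            current.error = int(code) if code else None
    return local_site, links


def flag_links(local_site, links, now, intrasite_max=timedelta(hours=1)):
    """Apply the conditions from the text: failed attempt, never successful, and an
    intrasite link idle for more than an hour. The intersite schedule check needs
    site-link data that /showrepl does not print, so it is not evaluated here."""
    findings = []
    for link in links:
        where = (link.naming_context, f"{link.site}\\{link.source}")
        if not link.succeeded and link.error is not None:
            findings.append((*where, f"last attempt failed, result {link.error}"))
        elif link.last_attempt is None:        # [Never], or no attempt line at all
            findings.append((*where, "replication has never been successful"))
        elif link.site == local_site and now - link.last_attempt > intrasite_max:
            findings.append((*where, f"intrasite link last replicated {now - link.last_attempt} ago"))
    return findings


if __name__ == "__main__":
    for hit in flag_links(*parse_showrepl(SAMPLE_SHOWREPL), REPORT_TIME):
        print(*hit)
```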

DC Object GUID is a reference point used in the Active Directory and Domain Name System (DNS) to locate a domain controller primarily for the purposes of replication. This GUID is automatically generated for each domain controller, is unique when created, and will not be duplicated.

DC invocationID – Active Directory database has its own GUID, which the Directory System Agent (DSA) uses to identify the database instance (version of the database). The database GUID is stored in the invocationId attribute on the nTDSDSA object. Although the DSA GUID never changes for the lifetime of the domain controller, the Active Directory database GUID (also known as the invocation ID or database signature) is changed during the Active Directory restore process to ensure the consistency of the replication process. In Windows Server 2003, it changes when application directory partitions are removed or added to the domain controller.

Using repadmin /showrepl to display detailed and precise information

The following showrepl output is returned by combining <Naming Context> and /verbose.

Figure 3.2.2

For two domain controllers to engage in replication, they have to first resolve each other’s GUID CNAME to a host name and the host name to an IP address, such as the following:

Figure 3.2.3

2a92f776-6c0f-4cb4-a111-f5dcd447af6c._msdcs.contoso.com is the GUID CNAME registration in DNS.

Figure 3.2.4

High-watermark value

The high-watermark value is not required for any administrative task. However, it can help you deduce the state of progress on that replication link. You can see the high-watermark in the output of the repadmin /showrepl /verbose command in Figure 3.2.2. Look for lines that begin with USNs:. The high-watermark USN is the number that is followed by /OU.

The object update (OU) USN saves the position when in the middle of a replication cycle. It stays the same as the property update (PU) when replication is not occurring, and increases during a replication cycle. At the end of the cycle, the final USN replicated becomes the PU value and the OU is left to match. Thus, the OU indicates progress within a cycle, and the PU indicates the last update seen at the conclusion of a successful cycle. A PU of zero means that the link has never completed a successful cycle, as is the case when performing its first synchronization on a new domain controller connection. If the OU and PU are not equal, a replication cycle is in progress.

The following table lists nbrflagoptions, flags that define the expected replication actions with the partner.

Nbrflagoptions and meaning

WRITEABLE: The local copy of the naming context is writable.

SYNC_ON_STARTUP: Replication of this naming context from this source is attempted when the destination server is booted. This normally applies only to intrasite neighbors.

DO_SCHEDULED_SYNCS: Perform replication on a schedule. This flag is normally set unless the schedule for this naming context/source is "never," that is, the empty schedule.

Showing outbound neighbors

By default, repadmin /showrepl does not display outbound neighbors, as with previous versions. The /repsto parameter provides this feature, as shown in Figure 3.2.5.

Figure 3.2.5

Some of the repadmin /showrepl Error Messages and their root cause

The following table lists some repadmin /showrepl errors and their root cause. The sections after the table explain some errors in more detail.

Repadmin error and root cause

No Inbound neighbors: If no items appear in the “Inbound Neighbors” section of the output generated by the repadmin /showrepl command, the domain controller could not establish replication links with another domain controller.

Access denied: A replication link exists between two domain controllers, but replication cannot be properly performed.

Last attempt at <date - time> failed with the “Target account name is incorrect.”: This problem can be related to connectivity, DNS, or authentication issues. If it is a DNS error, the local domain controller could not resolve the GUID-based DNS name of its replication partner.

No more end point: This can be caused because no more end-points are available to establish the TCP session with the replication partner. This error can also result when the replication partner can be contacted, but its RPC interface is not registered. This usually indicates that the domain controller’s DNS name is registered but with the wrong IP address.

LDAP Error 49: The domain controller computer account might not be synchronized with the Key Distribution Center (KDC).

Cannot open LDAP connection to local host: The administration tool could not contact Active Directory.

Active Directory replication has been Pre-empted: An inbound replication in progress was interrupted by a higher priority replication request, such as a request generated manually by using the repadmin /syncall command.

Replication posted, waiting: The domain controller posted a replication request and is waiting for an answer. Replication is in progress from this source.

Last attempt @ never was successful: The KCC successfully created the replication link between the local domain controller and its replication partner, but because of the schedule or possible bridgehead overload, replication has not occurred. A large backlog of inbound replication must be performed on this domain controller.

No inbound neighbors

A “no inbound neighbor” error appears in the repadmin /showrepl command output when one or more of the following conditions exist:

No connection object exists to indicate which domain controller(s) this domain controller should replicate from. These connection objects are typically created by the KCC. However, in some environments, administrators have turned off the part of the KCC (intersite) that creates connection objects for inbound replication from domain controllers in other sites, relying on manual connections instead.

One or more connection objects exist, but the domain controller cannot contact the source domain controller to create the replication links. In this case, the KCC logs events each time it runs (by default, every 15 minutes) detailing the error that occurred when it attempted to add the replication links.

Existing replication links have been inadvertently deleted between KCC executions.

Repadmin in this scenario can be used only to diagnose. The following table explains subcommand usage that can help you diagnose the problems leading to this situation.

Subcommand and description

Repadmin /showrepl: Verify replication status.

Repadmin /showconn: Verify whether a valid connection object exists between the source and destination.

Repadmin /failcache: Resolve the underlying connection translation problems. For more information about using Repadmin /failcache, see Repadmin /failcache.

Repadmin /KCC: Ensure that a connection object (automatic or manual) has been created properly between the domain controller and its replication partner, and then force the KCC to run so that the connection object is translated to an appropriate replication link.

Active Directory replication has been preempted

When Active Directory replication has been preempted, an inbound replication in progress was interrupted by a higher priority replication request. An example of a higher priority replication request is a request generated manually by using the repadmin /sync command.

Repadmin in this scenario can be used only to diagnose. The following table explains subcommand usage that can help you diagnose the problems leading to this situation.

Subcommand and description

Repadmin /showrepl: Verify replication status.

Repadmin /queue: Check how many inbound synchronizations are in the queue.

Last attempt @ never was successful

The “Last attempt @ never was successful” error typically indicates that the KCC successfully created the replication link between the local domain controller and its replication partner, but because of the schedule or possible bridgehead overload, replication has not occurred.

Repadmin in this scenario may be used for both diagnosis and resolution. The following table explains subcommand usage that can help you diagnose or solve the problems.

Subcommand and description

Repadmin /showrepl: Verify replication status.

Repadmin /queue: Check how many inbound synchronizations are in the queue.

Repadmin /sync: Synchronize replication from a source domain controller.

Access denied

This error indicates that the local domain controller failed to authenticate against its replication partner when creating the replication link or when trying to replicate over an existing link. This typically happens when the domain controller has been disconnected from the rest of the network for a long time and its computer account password is no longer synchronized with the computer account password stored in the Active Directory of its replication partner.

Replication Latency

There are two mechanisms, each specific to the underlying operating system functionality, to measure replication latencies. Repadmin can be used in both environments as shown in the following table.

Windows 2000 functionality

/latency provides a replication latency report by measuring how recently the Intersite Topology Generator (ISTG) attribute has changed.

Note that this report ceases to give meaningful results when the forest functional level is Windows Server 2003, because the interSiteTopologyGenerator attribute on the NTDS Site Settings object is not updated at that functional level.

Latency is shown for the configuration naming context only.

Windows Server 2003 functionality

/showutdvec provides a replication latency report by leveraging a new field stored in the Up-To-Dateness (UTD) vector, the “last successful replication timestamp.” This timestamp records the last time the corresponding domain controller completed a successful replication cycle with its partner. The replication cycle may have occurred directly (direct replication partner) or indirectly (transitive replication partner).

Because this data is recorded on all domain controllers that host the partition, it is possible to identify non-replicating domain controllers from any domain controller in the forest that shares a partition with them.

Syntax

The following command displays the amount of time between replications on a site-by-site basis from the perspective of the servers listed in <DC_LIST>, using the ISTG Keep Alive time stamp.

The ISTG Keep Alive time stamp is the mechanism used in Windows 2000 to determine whether a new ISTG is required for the site. Prior to Windows Server 2003, every ISTG records a time stamp every 30 minutes to indicate that it is alive. After this is replicated within the site, all of the domain controllers in the site know whether the ISTG is down or not by checking this attribute, which is stored in Active Directory.

repadmin /latency <DC_LIST>

Figure 3.3.1

How to interpret the data

In this example, the forest has only four sites.

Field and explanation

Origination site: This column has a row for each site in the forest.

Ver: Version number of the site-specific interSiteTopologyGenerator attribute.

Time Local Update: Local time when the remote ISTG attribute change was replicated in.

Time Orig. Update: Time when the ISTG attribute was changed on the originating server.

Latency: Difference between Time Orig. Update and Time Local Update.

Since Last: Difference between the tool execution time and Time Local Update.

Examining the UTD vector from time to time on one bridgehead server is another good way to ensure that replication is healthy. The UTD vector shows the last time that a domain controller received updates from each replication partner for a particular naming context. The UTD vector is transitive, in that one domain controller does not have to talk directly to another domain controller to receive an update from it.

repadmin /showutdvec <DC_LIST> <NamingContext> [/nocache][/latency]

Parameters and definitions

<DC_LIST>: Specifies the host name of a domain controller or a list of domain controllers separated by a space that the object will be replicated to. For details about DC_LIST, see repadmin /listhelp.

<NamingContext>: Specifies the distinguished name of the directory partition.

/nocache: Specifies that globally unique identifiers (GUIDs) are left in hexadecimal form. By default, GUIDs are translated into strings.

/latency: Sorts the information by the time required to complete the replication. By default, the information is sorted by Update Sequence Number (USN).

Figure 3.3.2

How to interpret the data

In Figure 3.3.2, there are four sites, two domains and six domain controllers in the forest.

The output is a list of dates and times indicating the last time that inbound replication of the configuration container occurred from each domain controller. If an excessive amount of time has passed since replication last took place, it could indicate a problem and is reason for concern.

The entries are listed by domain controller and the /latency parameter sorts the output by date/time.

As shown in the example, GUIDs are occasionally displayed instead of a domain controller’s name. It is safe to ignore the GUID entries: they are a result of InvocationID changes or of domain controllers being demoted or rebuilt, and they do not affect the health of the topology.

HUB\ROOTDNS will always report the current date and time and the highest committed USN. The reason is that a domain controller does not keep itself in its own UTDVEC and always builds its entry on the fly based on the current state.

Latency from the perspective of ROOTDNS is the difference between its current date/time and that of each other partner (direct or transitive) for the given naming context. For example, the latency between ROOTDNS and BRANCH1 is 00:24:17.

Display the latency only for the domain partition

Figure 3.3.3

In this example, we are only interested in the domain naming context latency. Both domain controllers are running Windows Server 2003 and reside in the same site; hence the latency is less than a minute. Note also that only the domain's own domain controllers are displayed, not the whole forest, because of the scope of the naming context.

While it is important to measure replication latencies, it is equally important to understand that intersite replication depends on many factors such as:

Site link schedules and intervals

Availability of bridgehead servers and their load

Whether change notifications are enabled

LAN/WAN infrastructure

View Replication Metadata of an Object

The /showobjmeta operation displays the replication metadata for a specified object stored in Active Directory, such as attribute ID, version number, originating and local Update Sequence Number (USN), and the originating server's globally unique identifier (GUID) and date and time stamp. By comparing the replication metadata for the same object on different domain controllers, an administrator can determine whether replication has occurred.

Syntax

repadmin /showobjmeta <DC_LIST> <ObjectDN> [/nocache] [/linked]

Parameters and definitions

<DC_LIST>: Specifies the host name of a domain controller or a list of domain controllers separated by a space that the object will be replicated to. For details about DC_LIST, see repadmin /listhelp.

<ObjectDN>: Specifies the distinguished name of the object.

/nocache: Specifies that GUIDs are left in hexadecimal form. By default, GUIDs are translated into strings.

/linked: Displays metadata associated with, but not stored with, the specified object.

Example 1: Metadata of a group object

In this example, we are viewing the metadata of a group object (Domain Admins), and therefore the forward links (members) are listed as well.

Figure 3.4.1

Example 2: Comparing replication metadata of a user object between two domain controllers

A domain administrator has restricted user Lee’s logon hours. Lee claims he can still log on during the restricted hours from BRANCH3, but not from the other branch offices. The domain administrator can easily determine whether this is related to Active Directory replication latency by comparing the replication metadata of Lee’s account.

Figure 3.4.2

Figure 3.4.2 is the metadata of Lee from the HUB domain controller (where the change was made) and Figure 3.4.3 is the metadata from the BRANCH3 domain controller. The attribute logonHours has been highlighted for clarity.

BRANCH-HUB-BH has version 2, last Orig. time/date is 2005-01-06 01:19:59 and Orig.USN as 20654.

BRANCH3 is still on version 1, last Orig. time/date is 2005-01-06 00:52:03 and Orig.USN as 20578 and hence the logon succeeds in BRANCH3 because that domain controller has not yet replicated the update.

Figure 3.4.3
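The comparison described in Example 2 can be scripted once the two /showobjmeta outputs are saved. The following Python script is an added example, not part of the Microsoft document: the two samples are constructed in the column layout of Figures 3.4.2 and 3.4.3, with the logonHours rows carrying the version, Org.USN and Org.Time/Date values quoted in the text and all other rows and Loc.USN values invented.

```python
"""Compare repadmin /showobjmeta output for one object as seen by two domain controllers."""
import re
from datetime import datetime

# One metadata row: Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s*$")

# Constructed samples in the layout of Figures 3.4.2 and 3.4.3. The logonHours rows
# carry the version, Org.USN and Org.Time/Date quoted in the text; the other rows
# and all Loc.USN values are invented filler.
HUB_META = """\
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  20578                       HUB\\BRANCH-HUB-BH     20578 2005-01-06 00:52:03    1 objectClass
  20578                       HUB\\BRANCH-HUB-BH     20578 2005-01-06 00:52:03    1 sAMAccountName
  20654                       HUB\\BRANCH-HUB-BH     20654 2005-01-06 01:19:59    2 logonHours
"""
BRANCH3_META = """\
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  30012                       HUB\\BRANCH-HUB-BH     20578 2005-01-06 00:52:03    1 objectClass
  30012                       HUB\\BRANCH-HUB-BH     20578 2005-01-06 00:52:03    1 sAMAccountName
  30012                       HUB\\BRANCH-HUB-BH     20578 2005-01-06 00:52:03    1 logonHours
"""


def parse_showobjmeta(text):
    """Return {attribute: metadata dict}; header and ruler lines do not match ROW_RE."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            loc_usn, dsa, org_usn, stamp, ver, attr = m.groups()
            rows[attr] = {
                "loc_usn": int(loc_usn), "dsa": dsa, "org_usn": int(org_usn),
                "org_time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                "version": int(ver),
            }
    return rows


def compare_metadata(source, destination):
    """Attributes on which the destination DC lags the source DC.

    Returns (attribute, source_version, destination_version, lag), where lag is the
    difference between the two originating write times, or None when the destination
    has no row for the attribute at all. A lower version on the destination means the
    originating write has not replicated there yet, which is exactly the logonHours
    situation in Example 2."""
    lagging = []
    for attr, src in source.items():
        dst = destination.get(attr)
        if dst is None:
            lagging.append((attr, src["version"], None, None))
        elif dst["version"] < src["version"]:
            lagging.append((attr, src["version"], dst["version"],
                            src["org_time"] - dst["org_time"]))
    return lagging


if __name__ == "__main__":
    report = compare_metadata(parse_showobjmeta(HUB_META), parse_showobjmeta(BRANCH3_META))
    for attr, sv, dv, lag in report:
        print(f"{attr}: source version {sv}, destination version {dv}, writes {lag} apart")
```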

Display the Attributes of a Specific Object

The /showattr operation displays the attributes and contents of an object.

Syntax

repadmin /showattr <DC_LIST> <OBJ_LIST> <OBJ_LIST_OPTIONS> [/atts:<att1>,<att2>,...] [/allvalues] [/long] [/dumpallblob]

Parameters and definitions

<DC_LIST>: Specifies the host name of a domain controller or a list of domain controllers separated by a space that the object will be replicated to. For details about DC_LIST, see repadmin /listhelp.

<OBJ_LIST>: This parameter takes a distinguished name or a special keyword that expands into a distinguished name. The keywords are as follows:

Ncobj:config: Distinguished name of the Configuration partition of the domain controller

Ncobj:schema: Distinguished name of the Schema partition of the domain controller

Ncobj:domain: Distinguished name of the Domain partition of the domain controller

Dsaobj: NTDS settings object of the directory server

<OBJ_LIST_OPTIONS>: This parameter is required to perform a generic Lightweight Directory Access Protocol (LDAP) search from the command line. It requires a BaseDN, with the ability to use a search modifier option. The valid search modifier options are as follows:

/filter:<ldap_filter>

/base /subtree /onelevel

/atts:<att1>,<att2>,...: Returns only the attributes that are specified. Separate each listed attribute with a comma.

/allvalues: For an attribute, the tool displays only 20 values unless this flag is specified, in which case it shows all values.

/long: Displays one value per line.

/dumpallblob: Dumps the BLOB in a default byte-by-byte format if there is no friendly formatted interpretation available for it.

A BLOB in this context means an attribute that is not a simple type, like a string or an integer. A BLOB is a complex structured type that is stored as binary bytes. To make sense of the BLOB, a program must interpret it and format it. A friendly BLOB is a BLOB that the program knows about and can format in an understandable way. The program has a list of BLOBs that it understands.

Example: Display select attributes

Note how the naming context is specified as ncobj:domain:

Figure 3.5.1

How Up to Date Are My Domain Controllers?

Checkprop compares properties of specified domain controllers to determine whether they are up to date with each other. The source domain controller contains the original information that needs to be checked. The destination domain controller data is compared to the source domain controller data.

Syntax

repadmin /checkprop <DC_LIST> <NamingContext> <OriginatingDCInvocationID> <OriginatingUSN>

Parameters and definitions

<DC_LIST>: Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

<NamingContext>: Specifies the distinguished name of the directory partition on the source domain controller.

<OriginatingDCInvocationID>: Specifies the unique hexadecimal number that identifies an object on a source domain controller. The InvocationID can be retrieved by using the /showrepl operation.

<OriginatingUSN>: Specifies the Update Sequence Number (USN) for the object on the source domain controller. The USN is for the object whose InvocationID is already listed.

Example: Checking replication latency on the BRANCH3 domain controller

The latency output reveals that the highest OriginatingUSN that BRANCH3 knows of for its HUB site bridgehead server, BRANCH-HUB-BH, is 137844. It is also apparent that the last successful replication attempt with this HUB site bridgehead server was just under 5 minutes ago.

Figure 3.6.1

Example: Comparing how up-to-date other domain controllers in the enterprise are with respect to the OriginatingUSN

In Figure 3.6.2, note that the BRANCH2 domain controller is not up to date with the rest of the domain controllers.

Figure 3.6.2

Example: Further investigation from the perspective of the BRANCH2 domain controller

Latency was calculated for BRANCH2, which revealed that it is not aware of the latest OriginatingUSN from BRANCH-HUB-BH; in fact it is behind by approximately 20 minutes. Because the latency in this example is just under 20 minutes (the replication interval being 30 minutes), it is expected to catch up during the next replication cycle.

Figure 3.6.3

Can I Look at My Connection Objects and Schedule Details?

Every domain controller that is also a member of the SYSVOL replica set must have at least one inbound connection. Otherwise, Active Directory and File Replication Service (FRS) would not replicate inbound. The /showconn subcommand is very useful to verify this, especially:

When you don’t have access to the graphical user interface (GUI)

or

When you find it cumbersome to connect directly to the various domain controllers from the user interface (UI) to look at the Active Directory topology from the perspective of each domain controller.

The /showconn subcommand displays the connection objects for a specified domain controller. The default is the local site.

Syntax

repadmin /showconn <DC_LIST> {<ServerRDN> | <ContainerDN> | <DC_GUID>} [/From:<ServerRDN>] [/intersite]

Parameters and definitions

<DC_LIST>: Specifies the host name of a domain controller from which to read the configuration, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

<ServerRDN>: Specifies the relative distinguished name of a server.

<ContainerDN>: Specifies the distinguished name of a container.

<DC_GUID>: Specifies the unique hexadecimal number that identifies the domain controller. The globally unique identifier (GUID) can be retrieved by using the /showreps operation.

/intersite: Displays only those connection objects that are between sites.

Example: Simple usage of /showconn

Figure 3.7.1 shows a simple example of output returned by /showconn.

C:\>repadmin /showconn branch1

Base DN: CN=BRANCH1,CN=Sites,CN=Configuration,DC=contoso,DC=com

===== KCC CONNECTION OBJECTS =================================

Connection --

Connection name : ed5e0d25-bec3-4556-9f18-f24cf4ea3a57

Server DNS name : BRANCH1.research.contoso.com

Server DN name : CN=NTDS Settings,CN=BRANCH1,CN=Servers,CN=BRANCH1,CN=Sites,CN=Configuration,DC=contoso,DC=com

Source: HUB\BRANCH-HUB-BH

No Failures.

TransportType: IP

options: isGenerated overrideNotifyDefault

ReplicatesNC: DC=DomainDnsZones,DC=research,DC=contoso,DC=com

Reason: IntersiteTopology

Replica link has been added.

ReplicatesNC: DC=ForestDnsZones,DC=contoso,DC=com

Reason: IntersiteTopology

Replica link has been added.

ReplicatesNC: CN=Configuration,DC=contoso,DC=com

Reason: IntersiteTopology

Replica link has been added.

ReplicatesNC: DC=research,DC=contoso,DC=com

Reason: IntersiteTopology

Replica link has been added.

1 connections found.

In the example in Figure 3.7.1, there is only one connection object for the BRANCH1 site, and it was created automatically (options: isGenerated). Depending on the number of connection objects, we may have to qualify the query further to list only what we are interested in, as in the following cases:

Figure 3.7.2

repadmin /showconn BRANCH1 CN=HUB,CN=Sites,CN=Configuration,DC=contoso,DC=com /intersite /v

Here repadmin contacts the BRANCH1 DC and lists all the incoming intersite connections for the HUB site with verbose details.

Figure 3.7.3

repadmin /showconn BRANCH-HUB-BH BRANCH-HUB-BH /from:BRANCH3

Here repadmin contacts the BRANCH-HUB-BH DC, which is also located in the HUB site, and displays just the connection object from the BRANCH3 DC to BRANCH-HUB-BH.

With the verbose switch, showconn provides you much more information such as the following:

Connection replication schedule

Partition Replication Schedule Loading

Figure 3.7.4 Connection replication schedule

day: 0123456789ab0123456789ab

Sun: ffffffffffffffffffffffff

Mon: ffffffffffffffffffffffff

Tue: ffffffffffffffffffffffff

Wed: ffffffffffffffffffffffff

Thu: ffffffffffffffffffffffff

Fri: ffffffffffffffffffffffff

Sat: ffffffffffffffffffffffff

Each digit above represents one hour of the day as a 4-bit value written as a hexadecimal digit. Each bit represents 15 minutes of that hour.

So if the value is “1”, one bit is set in binary (0001) and we replicate once per hour, in which case the output will be:

111111111111111111111111

If the value is five (0101 in binary), we replicate twice per hour, for example:

555555555555555555555555

Finally, if it is F (1111), we replicate four times per hour:

FFFFFFFFFFFFFFFFFFFFFFFF

So in our example we replicate four times per hour for the entire week.
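The decoding rules above can be turned into a small parser for the schedule block printed by /showconn /v. The following Python script is an added example, not part of the Microsoft document: it reads a constructed schedule in the layout of Figure 3.7.4 (business-hours weekdays, a full Wednesday, empty weekend), counts replication opportunities per hour, day and week, and also decodes the all-f schedule of Figure 3.7.4 itself. The mapping of individual bits to quarter hours is an assumption the document does not state.

```python
"""Decode the hexadecimal weekly replication schedule printed by repadmin /showconn /v."""

DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")

# Constructed sample in the layout of Figure 3.7.4: one hex digit per hour
# (the header counts 00-11 then 12-23), one row per day of the week.
SAMPLE_SCHEDULE = """\
day: 0123456789ab0123456789ab
Sun: 000000000000000000000000
Mon: 000000001111111111000000
Tue: 000000005555555555000000
Wed: ffffffffffffffffffffffff
Thu: 000000001111111111000000
Fri: 000000001111111111000000
Sat: 000000000000000000000000
"""

# The schedule shown in Figure 3.7.4 itself: every hour of every day set to f.
FIGURE_3_7_4 = "day: 0123456789ab0123456789ab\n" + "\n".join(f"{d}: " + "f" * 24 for d in DAYS)


def parse_schedule(text):
    """Return {day: [24 ints]}; each int is the 4-bit value for that hour."""
    schedule = {}
    for line in text.splitlines():
        day, sep, digits = line.partition(":")
        if sep and day.strip() in DAYS:           # the "day:" header row is skipped
            digits = digits.strip()
            if len(digits) != 24:
                raise ValueError(f"{day}: expected 24 hex digits, got {len(digits)}")
            schedule[day.strip()] = [int(d, 16) for d in digits]
    if set(schedule) != set(DAYS):
        raise ValueError("schedule must contain all seven days")
    return schedule


def replications_per_hour(value):
    """Each set bit is one 15-minute slot, so the popcount is replications per hour."""
    return bin(value & 0xF).count("1")


def quarter_hours(value):
    """Minutes past the hour with replication enabled. Assumption, not stated in
    the document: bit 0 is :00, bit 1 is :15, bit 2 is :30, bit 3 is :45."""
    return [q * 15 for q in range(4) if (value >> q) & 1]


def active_window(hours):
    """(first, last) hour with any replication enabled, or None for an empty day."""
    active = [h for h, v in enumerate(hours) if v]
    return (active[0], active[-1]) if active else None


def weekly_summary(schedule):
    """Per-day replication opportunities and the weekly total."""
    per_day = {day: sum(replications_per_hour(v) for v in schedule[day]) for day in DAYS}
    return per_day, sum(per_day.values())


if __name__ == "__main__":
    schedule = parse_schedule(SAMPLE_SCHEDULE)
    per_day, total = weekly_summary(schedule)
    for day in DAYS:
        print(f"{day}: {per_day[day]:3d} replications, active hours {active_window(schedule[day])}")
    print("weekly total:", total)
    print("Figure 3.7.4 weekly total:", weekly_summary(parse_schedule(FIGURE_3_7_4))[1])
```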

54
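As an added example that is not part of the Microsoft document, the following PowerShell function decodes the per-day schedule rows that repadmin /showconn /v prints into the actual 15-minute replication windows, so that you can see at a glance how often, and at what times, a connection is allowed to replicate. It assumes (the page does not say) that within each hour's hex digit bit 0x1 is the :00 slot, 0x2 is :15, 0x4 is :30 and 0x8 is :45; the function name is hypothetical and the sample rows are constructed.

```powershell
# Added example: decode repadmin /showconn /v schedule rows into replication windows.
# Assumption (not stated on the page): in each hour's hex digit, bit 0x1 = :00 slot,
# 0x2 = :15, 0x4 = :30, 0x8 = :45. The function name is hypothetical.

function ConvertFrom-ReplSchedule {
    param(
        [Parameter(Mandatory)][string]$Day,        # e.g. 'Mon'
        [Parameter(Mandatory)][string]$Schedule    # 24 hex digits, one per hour (0-23)
    )
    if ($Schedule -notmatch '^[0-9a-fA-F]{24}$') {
        throw "Expected 24 hex digits for $Day, got '$Schedule'"
    }
    $windows = foreach ($hour in 0..23) {
        $digit = [Convert]::ToInt32($Schedule.Substring($hour, 1), 16)
        foreach ($quarter in 0..3) {
            # One bit per 15-minute slot; a set bit means the connection may replicate then.
            if ($digit -band (1 -shl $quarter)) {
                '{0:D2}:{1:D2}' -f $hour, ($quarter * 15)
            }
        }
    }
    [pscustomobject]@{
        Day     = $Day
        Count   = @($windows).Count          # replication windows per day (0..96)
        Windows = @($windows)                # 'HH:MM' start of each window
    }
}

# Constructed sample in the exact layout that /showconn /v prints.
$sample = @'
day: 0123456789ab0123456789ab
Sun: 111111111111111111111111
Mon: 555555555555555555555555
Tue: ffffffffffffffffffffffff
Wed: 000000000000000000000000
'@

foreach ($line in $sample -split "`r?`n") {
    if ($line -match '^(Sun|Mon|Tue|Wed|Thu|Fri|Sat):\s*([0-9a-fA-F]{24})$') {
        $day   = ConvertFrom-ReplSchedule -Day $Matches[1] -Schedule $Matches[2]
        $first = if ($day.Count -gt 0) { ($day.Windows | Select-Object -First 4) -join ', ' } else { 'never' }
        '{0}: {1} windows per day; first windows: {2}' -f $day.Day, $day.Count, $first
    }
}
```

The all-zero Wednesday row is the case to look for when a partner silently falls behind: the connection exists and is healthy, but its schedule never opens on that day.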

Fine-Tuning Change Notification Values

Replication within a site occurs in response to change notifications from other domain controllers in the site. Replication across sites occurs according to the site link schedule and replication interval; it is also possible to enable change notification across sites.

When a change occurs on a domain controller, two configurable intervals determine the delay between the following events:

Notification to the first partner.

Notification to each subsequent partner.

These two intervals serve to:

Stagger the network traffic caused by replication.

Spread out the load on the source domain controller of responding to replication requests from its partners.

The following table lists the default notification delays (delay before notifying the first partner, then the delay between each subsequent partner), by operating system and forest functional level:

Windows 2000, forest functional level Windows 2000: first partner 300 seconds, subsequent partners 30 seconds.

Windows Server 2003 (upgraded from Windows 2000), forest functional level Windows 2000: first partner 300 seconds, subsequent partners 30 seconds. Note: if you changed the default values on Windows 2000, the values that you set are retained after you upgrade to Windows Server 2003.

Windows Server 2003 (clean install), forest functional level Windows 2000: first partner 15 seconds, subsequent partners 3 seconds.

Windows Server 2003 (either upgraded from Windows 2000 or a clean install), forest functional level Windows Server 2003: first partner 15 seconds, subsequent partners 3 seconds.

The following table lists where the notification delay values are stored for each operating system.

Windows 2000 Server: registry values under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, named "Replicator notify pause after modify (secs)" and "Replicator notify pause between DSAs (secs)" (DSA: Directory System Agent).

Windows Server 2003: the msDS-Replication-Notify-First-DSA-Delay and msDS-Replication-Notify-Subsequent-DSA-Delay attributes on the cross-reference object for each directory partition (in the Partitions container of the configuration partition).

Repadmin /notifyopt can be used to view or change the notification timing settings of a specified directory partition in Windows Server 2003.

Syntax: repadmin /notifyopt <DC_LIST> <NamingContext> [/first:<Value>] [/subs:<Value>]

Parameter Definition

<DC_List> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

<NamingContext> Specifies the distinguished name of the directory partition on the source domain controller.

/first The number of seconds after a change is made before the domain controller notifies its first replication partner that there is a change.

/subs Once the first replication partner has been notified of a change, the number of seconds to wait before notifying each subsequent replication partner.

Example 1: Displaying the default notification delay on the ForestDnsZones partition (figure 3.8.1)

Example 2: Changing the defaults to 300/30 on the ForestDnsZones partition (figure 3.8.2)

To make this change, you have to run /notifyopt against the domain naming master, because the cross-reference objects that hold these attributes are writable only there. See the highlighted text in figure 3.8.2.

Forcing Replication

Sometimes it becomes necessary to forcefully replicate objects or entire partitions between domain controllers that may or may not have replication agreements with each other.

Note: These are very powerful subcommands and should be used sparingly. They do not follow the replication agreements that are in place, and they have the potential to cause a replication storm and break Active Directory if not used properly.

Replicate a single object between two domain controllers

The repadmin /replsingleobj command replicates a single object between any two domain controllers that host a partition in common. The two domain controllers do not require a replication agreement between them. Existing replication agreements can be displayed by using the repadmin /showrepl command.

Syntax: repadmin /replsingleobj <DC_LIST> <Source DSA_Name> <ObjectDN>

Parameter Definition

<DC_LIST> Specifies the host name of a domain controller or a list of domain controllers separated by a space that the object will be replicated to. For details about <DC_LIST>, see repadmin /listhelp

<Source DSA_Name> Specifies the source domain controller. You can specify a host name or the objectGUID (DSA GUID) of the source domain controller's NTDS Settings object, which you can retrieve by using the /showrepl operation.

<ObjectDN> Specifies the distinguished name of the object.

Example: Replicate a single object to all the branch domain controllers by using a wildcard character (figure 3.9.1.1)

Force a replication event between two partners

The repadmin /replicate command starts a replication event for the specified directory partition between the source and destination domain controllers. The source domain controller's universally unique identifier (UUID) can be found in the replication partner list displayed by the /showrepl operation.

The repadmin /replicate command will not work if the partners do not have the specified partition in common or do not have a replication agreement between them.

Syntax 1: repadmin /replicate <Destination_DC_LIST> <Source_DC_NAME> <Naming Context> [/force] [/async] [/full] [/addref] [/readonly]

Syntax 2: repadmin /replicate <Destination_DC_LIST> <Naming Context> [/allsources] [/force] [/async] [/full] [/addref] [/readonly]

Parameter Definition

<Destination_DC_LIST> Specifies the host name of the destination domain controller (Directory System Agent) with which you want to replicate. For details about <DC_LIST>, see repadmin /listhelp.

<Source_DC_NAME> Specifies the host name of the source domain controller with which you want to replicate. This parameter accepts a globally unique identifier (GUID), GUID-based Domain Name System (DNS) name, or the name of a server object.

<Naming Context> Specifies the distinguished name of the directory partition.

/force This parameter is used to override the Disable Replication option on a server.

/async Specifies that the replication will be asynchronous. This means that repadmin starts the replication event, but it does not expect an immediate response from the destination domain controller. Use this parameter when there are slow links between domain controllers.

/full Forces a full replication of all objects in the partition from the source domain controller to the destination, instead of only the changes since the last successful replication.

/addref Directs the source to check whether it has a notification entry (repsTo) for this destination. If the source does not have a notification entry for this destination, one is added.

/allsources A given destination can have multiple sources for the same naming context. Directs the destination to sync with all of its sources instead of just one. This parameter is used with syntax 2 and cannot be combined with <Source_DC_NAME>.

/readonly This parameter is ignored by the /replicate operation.

Example: Replicate the domain partition between two specific partners

In the example in figure 3.9.2.1, we are attempting to replicate the domain partition between two specific partners, but the source domain controller is rejecting replication requests because the administrator has disabled outbound replication on it, for valid reasons.

Figure 3.9.2.1

In the next example, we run repadmin /showrepl against the source domain controller (BRANCH-HUB-BH) to read the domain controller options. Figure 3.9.2.2 highlights that outbound replication is currently disabled (DISABLE_OUTBOUND_REPL).

Figure 3.9.2.2

We could work around this by using the /force switch, as seen in figure 3.9.2.3. However, use caution when forcing replication. The /force switch is dangerous because it overrides precautions that an enterprise administrator has implemented to address specific business needs. For example, in a large forest with hundreds of sites connected across unreliable WAN links, using the /force switch to replicate changes across the forest might cause a replication storm (depending on the changes) that the WAN cannot handle.

Figure 3.9.2.3

Force a replication event with all partners

The repadmin /syncall command synchronizes a specified domain controller with all of its replication partners.

Syntax: repadmin /syncall <DC> [<NamingContext>] [<Flags>]

Parameter Definition

<DC> Specifies the host name of the domain controller to synchronize with all replication partners.

<NamingContext> Specifies the distinguished name of the directory partition.

<Flags> Performs specific actions during the replication.

The following table lists the flags that you can use with repadmin /syncall.

Flag Description

/a Abort if any server is unavailable.

/A Sync all naming contexts which are held on the home server.

/d Identify servers by distinguished name in messages.

/e Enterprise, cross sites

/h Print this help screen.

/i Iterate indefinitely.

/l Perform showreps on each server pair in path instead of synchronizing.

/j Synchronize adjacent servers only.

/p Pause for possible user abort after every message.

/P Push changes outward from home server.

/q Run in quiet mode, suppress call back messages.

/Q Run in very quiet mode, report fatal errors only.

/s Do not synchronize.

/S Skip initial server response check.

Important: Use this command and the above flags cautiously, or you can damage the replication system. This command does not follow replication agreements, nor does it honor replication restrictions such as DISABLE_INBOUND_REPL or DISABLE_OUTBOUND_REPL.

Example 1: Synchronizing the configuration partition within the site (figure 3.9.3.1)

There are two callback messages for each partner in figure 3.9.3.1. One reports progress and the other reports either success or failure (with an explanation). Also notice that the domain controllers are denoted by the GUID-based CNAMEs that are used for replication.

Example 2: Crossing site boundaries and other features

By default, repadmin /syncall does not cross site boundaries, as depicted in figure 3.9.3.2. BRANCH-HUB-BH has no replication partner in its own site for the dc=research,dc=contoso,dc=com domain partition, so nothing is synchronized. In this case, use /e.

Figure 3.9.3.2

In figure 3.9.3.3, we are using three additional flags. The /d flag translates the GUID-based CNAME to the distinguished name of the domain controller. The /e flag is used to cross site boundaries. The /a flag is used to abort if any domain controller is unavailable. In this example, the BRANCH2 domain controller was not reachable and therefore the process was aborted.

Figure 3.9.3.3

In figure 3.9.3.4, repadmin /syncall did succeed because the problem with the BRANCH2 domain controller was fixed. Also notice that we omitted the /d switch so that the GUID names are not translated.

Figure 3.9.3.4

Keeping Track of Changes That Have Occurred Over a Period of Time

There are several occasions where we would be interested in finding out the number of changes that are either pending replication or that have occurred to a specified directory partition over a period of time.

For example:

You may want to get statistics of all the changes that have occurred to a domain partition over a period of one day or one week so that you can use this data to either support or calculate intersite replication bandwidth requirements.

This will help with troubleshooting replication issues and reviewing changes that have not replicated between two partners.

The repadmin /showchanges command has two syntaxes that can be helpful in these situations.

Syntax 1: repadmin /showchanges <SourceDC> <NamingContext> [/cookie:<File>] [/atts:<attribute>,<attribute>,...]

Syntax 2: repadmin /showchanges <DestDC> <SourceDCObjectGUID> <NamingContext> [/verbose] [/statistics] [/noincremental] [/objectsecurity] [/ancestors] [/atts:<attribute1>,<attribute2>,...] [/filter:<ldap filter>]

Parameter Description

<DestDC> Specifies the host name of the destination domain controller (syntax 2). Its up-to-dateness vector is compared with the source to determine which changes are still outstanding.

<SourceDC> Specifies the host name of the domain controller that hosts the directory partition whose changes you want to view.

<NamingContext> Specifies the distinguished name of the directory partition.

/cookie: <File> Specifies a name for the file to which list changes are saved.

/atts: <attribute>,<attribute>,... Returns only the attributes specified. Separate each listed attribute with a comma.

<SourceDCObjectGUID> Specifies the objectGUID (DSA GUID) of the source domain controller whose outstanding changes are to be listed. The objectGUID can be retrieved by using the /showrepl operation.

/verbose Lists detailed information.

/statistics Displays a summary of information about changes instead of a list of individual changes.

/noincremental Returns changes in value change format, which lists the current values of attributes as well as the attribute values that have been added or deleted. If not specified, changes are returned in attribute change format, which shows only the current value of each attribute.

/objectsecurity Overrides the need for the Replicating Directory Changes (DS-Replication-Get-Changes) right on the directory partition. By default, this right is necessary to run /showchanges. With this switch, only changes to objects that the currently logged-on user has permission to view are displayed.

/ancestors Returns changes in Update Sequence Number (USN) order.

/filter: <ldap filter> Returns only those changes that meet the filter requirements.

Syntax 1 can be used to compare changes that occurred to a specified directory partition over a period of time.

The idea is to:

1. Create a cookie file that records the replication state of the partition so that it can be used for later comparisons. The first time you use the /cookie option, it may take a long time (depending on the size of the partition) to create the file, because every object is enumerated. It is important to note that the cookie stores only replication metadata (the point up to which changes from each domain controller have been seen), not the changed objects themselves.

2. Later, when you present this cookie file to a domain controller, repadmin updates the cookie file and returns only the changes that occurred since the cookie was last updated.

Example: Compare changes that occurred to the configuration partition over a period of time (figure 3.10.1)

How to interpret the data

Before running /showchanges, a cookie file was created by using the following command:

repadmin /showchanges . cn=configuration,dc=contoso,dc=com /cookie:config

Some time later, repadmin /showchanges was run again with the same cookie against another domain controller, which not only displayed the changes but also updated the cookie file named config.

Three objects have changed. In our example, all the changes pertain to Intersite Topology Generators (ISTGs). Because the forest functional level is Windows 2000, the ISTG keep-alive stamp is still updated every 30 minutes.

You could further apply filters to just target the partitions and objects of your interest.

Display changes not replicated between two partners

Syntax 2, shown earlier, is used here to display pending replication changes between partners.

Example: Display pending replication changes (configuration partition) between two replication partners

In this example (figure 3.10.1.1), we ran repadmin /showchanges to compare the destination's up-to-dateness vector with the source and determined that there are two outstanding changes for the configuration partition.

Figure 3.10.1.1

Example: Usage of a filter

In the following example (figure 3.10.1.2), we applied a filter (/filter:"(objectclass=sitelink)") so that only changes to siteLink objects since the last successful replication are returned.

Figure 3.10.1.2

Example: Listing only the summary as opposed to individual changes

In the following example (figure 3.10.1.3), the same changes are listed as a summary obtained with the /statistics switch.

Figure 3.10.1.3

Usage of Repadmin When Troubleshooting Event ID 1311

This topic is not a general guide to troubleshooting events with Event ID 1311. Instead, it shows the various uses of repadmin while troubleshooting 1311 in Windows 2000 domains, based on Microsoft Knowledge Base (KB) article 307593, How to Troubleshoot Event ID 1311 Messages on a Windows 2000 Professional Domain (http://go.microsoft.com/fwlink/?LinkId=121799). Some or all of the repadmin subcommands used here may be used in Windows Server 2003 environments as well.

The RESOLUTION section of the KB article has the following action plan. This topic examines how to apply the various repadmin subcommands to each step. All of the repadmin subcommands listed here have associated examples either in this section or elsewhere in this document.

Resolution step from the KB article: Determine if the event ID 1311 messages are site-specific or forest-wide.

Action plan by using repadmin: To determine the scope of event ID 1311 messages:

1. First, find all the Inter-Site Topology Generators (ISTGs) in the forest. To determine the ISTGs, use repadmin /istg.

2. Then, examine the Directory Service event logs of all the ISTG domain controllers in the forest.

Resolution step: Determine if site link bridging is turned on and if the network is fully routed.

Action plan: To determine this, use repadmin /showattr (see Determine if site link bridging is turned on).

Resolution step: Verify that all of the sites are defined in site links. Every site defined in Active Directory must reside in a site link.

Action plan: The repadmin /showism command (see Verify inter-site cost matrix and orphaned sites) is useful for locating improperly configured sites.

Resolution step: Detect and remove preferred bridgeheads.

Action plan: To search for preferred bridgehead servers, use repadmin /showattr (see Detect preferred bridgeheads).

Resolution step: Resolve Active Directory replication failures in the forest.

Action plan: When you want to discover and troubleshoot replication failures, the following repadmin subcommands can be useful:

repadmin /replsummary (Monitor Forest-Wide Replication)

repadmin /showrepl (Display Replication Partners and Status of a Domain Controller)

repadmin /failcache

repadmin /removelingeringobjects (Windows Server 2003 only)

repadmin /kcc

Resolution step: Determine if source servers are overloaded. A domain controller that is overloaded with a large number of direct replication partners, or a replication schedule that is overly aggressive, can create a backlog in which some partners never receive changes from a hub domain controller.

Action plan: The following subcommands can be useful in this situation:

repadmin /showrepl (Display Replication Partners and Status of a Domain Controller)

repadmin /queue

repadmin /showctx (Open sessions with the domain controller)

Resolution step: Determine if site links are disjointed. "Disjoint site links" is an Active Directory configuration in which the topology is broken into two or more parts, so that some sites do not replicate because the site definitions and site link definitions are incorrect. Disjoint site links are the most difficult improper configuration to troubleshoot.

Action plan: The following subcommands may be useful in this situation:

repadmin /querysites

repadmin /showconn (Can I Look at My Connection Objects and Schedule Details?)

repadmin /kcc

repadmin /showrepl (Display Replication Partners and Status of a Domain Controller)

Resolution step: Delete connections if the KCC is in "Keep Connection Mode."

Action plan: If the Knowledge Consistency Checker (KCC) builds a different path around a site-to-site connection failure but retries the failing connection every 15 minutes because it is in "connection keeping mode," delete all broken connections and let the KCC rebuild them. Then wait two times the longest replication schedule in the forest before checking again.

Determine if site link bridging is turned on

Site link bridging is enabled in Active Directory if the following conditions are true:

The Bridge all site links check box is selected for the IP protocol and the SMTP protocol in the Active Directory Sites and Services snap-in.

The Options attribute for the IP protocol and the SMTP protocol is NULL or set to zero (0) for the following distinguished name (DN) paths:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=root domain of forest

CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=root domain of forest


Figure 3.11.1

There are two values that we could set from the graphical user interface (GUI): Ignore Schedules and Bridge all site links. In our example (figure 3.11.1), the IP transport has Bridge all site links enabled and SMTP transport has both values selected.

The following table lists the values that the options attribute can take. The attribute is a bit mask: bit 0x1 means Ignore schedules, and bit 0x2 means that site links are not bridged (Bridge all site links cleared).

Option value Description

0x0 Only Bridge all site links is selected (the default).

0x1 Both values are selected.

0x2 Neither value is selected.

0x3 Only Ignore schedules is selected.

Detect preferred bridgeheads

Preferred bridgeheads are configured when the following condition is true:

bridgeheadTransportList attribute is set to either one of the following values or both values:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=<root domain of forest>

CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=<root domain of forest>

By using repadmin /showattr, we are setting the base at configuration partition and applying a filter for server ObjectClass and looking for all of the domain controllers that have this value set to use either IP or SMTP transports.

If the search returns any results, note the name of server in the distinguished name path in which the bridgeheadTransportList attribute is populated.


Figure 3.11.2

In the example in figure 3.11.2, ROOTDC01 is selected as a preferred Bridgehead for IP transport in site HUB.

Verify inter-site cost matrix and orphaned sites

Repadmin /showism displays the intersite routes calculated by the Intersite Messaging (ISM) service and is very useful for locating improperly configured sites.

As the KCC runs through the steps of analyzing intersite site links and connections, it queries the ISM service to retrieve data about the site link configuration and make routing decisions.

To display the cost and frequency configuration of replication between sites, use the following command:

Syntax: repadmin /showism [<TransportDN>] [/verbose]

Parameter Description

<TransportDN> Specifies the distinguished name of the inter-site transport to display, for example CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com. If it is omitted, both the IP and the SMTP transport are displayed.

/verbose Lists detailed information.

Note: The repadmin /showism command cannot be executed against a remote domain controller; run it locally on the domain controller.

Example: Display inter-site cost matrix (figure 3.11.3)

How to interpret the data

Showism was run against the IP transport, hence the output is specific to IP. If a transport is not specified, the output contains both IP and SMTP details.

The numbers in an entry appear in the following order:

Cost: Replication interval: Options

There are four key pieces of information:

Text regarding the status of bridgehead servers.

Total cost between two sites. The cost value indicates the preference for a network link for replicating directory information between sites.

Frequency of replication in minutes between the two sites.

Options for each replication link.

In the example in figure 3.11.3, we have five sites and Bridge all site links is enabled, which means that site link transitivity is on. Therefore, if we see any "-1:0:0" entries for one or more covered Active Directory sites, we must ensure that the affected sites are listed in a site link. In this example, site BRANCH4 is not included in any site link and is therefore disconnected from the rest of the sites. Event 1311 will certainly occur here because of this configuration problem.

Fields of interest and their definitions:

"0:0:0" Each site's row contains one "0:0:0" entry, which refers to the site itself.

"200:30:1" An entry that contains positive numbers for the cost and the replication interval (for example, "200:30:1" or "100:15:1") indicates that the route between the two sites is good. Specifically, in our example for site BRANCH1:

Site(0) CN=BRANCH1,CN=Sites,CN=Configuration,DC=contoso,DC=com

0:0:0, 200:30:1, 200:30:1, -1:0:0, 100:15:1

200 is the cost to replicate from site(1), which is BRANCH2. It is an aggregate cost across two hops (100 + 100), because no direct site link between the two sites exists.

30 is the replication interval, in minutes, that applies to the route between the two branches.

1 is the option on the site link; it denotes that change notification is enabled across the site link.

And so on for the rest of the sites.

"-1:0:0" A "-1:0:0" entry indicates that there is no route to the site. This occurs if one or more of the following conditions are true:

The site is not included in any site link.

The site does not host any domain controllers (this is known as an "uncovered" site).

The replication transport is not used. For example, if SMTP replication is not configured, the entries in the SMTP portion of the /showism matrix all appear as "-1:0:0".

If site link bridging is enabled and the repadmin /showism command returns a site with a full complement of "-1:0:0" entries and one "0:0:0" entry, that site is orphaned, unless the site is uncovered (no domain controllers reside in that site).

If site link bridging is disabled, "-1:0:0" entries are less meaningful. In that case, you must manually determine whether each site is included in a site link. To do so, write down the list of sites and site links, and map each site to a site link.
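As an added example that is not part of the Microsoft document, the following PowerShell script builds a cost matrix in the same "cost:interval:options" layout that repadmin /showism prints, starting from site-link definitions, and flags any site that has no route to anything (the orphaned-site pattern described above). It goes beyond the page's single example by computing the transitive routes itself: the script assumes (the page does not say) that a route's cost is the sum of the link costs along the cheapest path, its interval is the largest interval on that path, its options are the OR of the link options, and that siteLink option bit 0x1 means change notification is enabled. The sites, site links and the function name are constructed for the example; BRANCH4 is deliberately left out of every site link to reproduce the misconfiguration in figure 3.11.3.

```powershell
# Added example: build a repadmin /showism style cost matrix from site-link
# definitions and flag orphaned sites. Assumptions (not from the page): route cost
# is the sum of link costs on the cheapest path, route interval is the largest
# interval on that path, route options are the OR of the link options, and siteLink
# option bit 0x1 means change notification is enabled. Sites and links are constructed.

$sites = 'BRANCH1', 'BRANCH2', 'BRANCH3', 'BRANCH4', 'HUB'

$siteLinks = @(
    @{ Name = 'HUB-BRANCH1'; Sites = @('HUB', 'BRANCH1'); Cost = 100; Interval = 15; Options = 1 }
    @{ Name = 'HUB-BRANCH2'; Sites = @('HUB', 'BRANCH2'); Cost = 100; Interval = 30; Options = 1 }
    @{ Name = 'HUB-BRANCH3'; Sites = @('HUB', 'BRANCH3'); Cost = 100; Interval = 30; Options = 1 }
    # BRANCH4 is deliberately absent from every site link (the misconfiguration in figure 3.11.3).
)

function Get-SiteRouteTable {
    # Dijkstra over site links. Returns a hashtable: site name -> @{Cost; Interval; Options}.
    # Cost -1 means "no route" and renders as "-1:0:0", exactly like /showism.
    param([string]$From, [string[]]$AllSites, [object[]]$Links)

    $best = @{}
    foreach ($s in $AllSites) { $best[$s] = @{ Cost = -1; Interval = 0; Options = 0 } }
    $best[$From] = @{ Cost = 0; Interval = 0; Options = 0 }
    $settled = @{}

    while ($true) {
        # Pick the cheapest reachable site that is not settled yet.
        $current = $null
        foreach ($s in $AllSites) {
            if ($settled[$s] -or $best[$s].Cost -lt 0) { continue }
            if ($null -eq $current -or $best[$s].Cost -lt $best[$current].Cost) { $current = $s }
        }
        if ($null -eq $current) { break }
        $settled[$current] = $true

        # Relax every site that shares a site link with the current site.
        foreach ($link in $Links) {
            if ($link.Sites -notcontains $current) { continue }
            foreach ($next in $link.Sites) {
                if ($next -eq $current) { continue }
                $cost = $best[$current].Cost + $link.Cost
                if ($best[$next].Cost -lt 0 -or $cost -lt $best[$next].Cost) {
                    $best[$next] = @{
                        Cost     = $cost
                        Interval = [Math]::Max($best[$current].Interval, $link.Interval)
                        Options  = $best[$current].Options -bor $link.Options
                    }
                }
            }
        }
    }
    return $best
}

$index = 0
foreach ($from in $sites) {
    $route     = Get-SiteRouteTable -From $from -AllSites $sites -Links $siteLinks
    $entries   = foreach ($to in $sites) { '{0}:{1}:{2}' -f $route[$to].Cost, $route[$to].Interval, $route[$to].Options }
    $reachable = @($sites | Where-Object { $_ -ne $from -and $route[$_].Cost -ge 0 }).Count
    # A row that is all "-1:0:0" apart from its own "0:0:0" is the orphaned-site signature.
    $verdict   = if ($reachable -eq 0) { '   <-- orphaned: in no site link, expect event 1311' } else { '' }
    'Site({0}) CN={1},CN=Sites,CN=Configuration,DC=contoso,DC=com' -f $index, $from
    '  ' + ($entries -join ', ') + $verdict
    $index++
}
```

With these constructed links the BRANCH1 row comes out as 0:0:0, 200:30:1, 200:30:1, -1:0:0, 100:15:1, the same shape as the row discussed above, and the BRANCH4 row is flagged because every entry except its own is -1:0:0. To use it against a real forest, replace the constructed $siteLinks with the siteLink objects from CN=IP,CN=Inter-Site Transports and compare the result with the live repadmin /showism output; a difference points at a link the KCC sees but you did not expect.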

Repadmin /failcache

Repadmin /failcache displays the list of replication failures that the KCC is aware of. Run this command from the console of each ISTG domain controller in the forest to discover replication failures for the bridgeheads in that ISTG's site.

Syntax: repadmin /failcache <DC_LIST>

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

Example: Display replication failures that the KCC is aware of

The example in figure 3.11.4.1 shows sample output from the repadmin /failcache command.

Figure 3.11.4.1

The output from the repadmin /failcache command is divided into the two sections explained in the following table.

KCC Link Failures Lists errors for existing connection links. The ISTG domain controller imports the /showrepl ("repsFrom") data of every bridgehead server in its site. However, the ISTG domain controller does not list errors. The link failure cache is emptied at the beginning of every KCC run and refilled during the course of that run.

KCC Connection Failures Lists unsuccessful attempts to build connection objects between domain controllers ("reps from" or "reps to"). When you run the repadmin /failcache command from the ISTG domain controller, it lists entries that are imported from the bridgeheads in the site. At the beginning of each KCC run, the KCC examines each entry in the connection failure cache and tries to DsBind to the failing server. If the bind succeeds, the entry is removed.

In the example in figure 3.11.4.1, the failures are a result of some topology changes from the past and would continue to exist due to the value of the replTopologyStayOfExecution attribute, which determines how long domain controller metadata is retained in Active Directory after a domain controller has been removed.

Example: Output when there are no failures

When there are no failures, the output appears as it does in figure 3.11.4.2.

Figure 3.11.4.2

The repadmin /failcache output differs from repadmin /showrepl in one notable way: repadmin /showrepl shows the naming context that is failing, whereas repadmin /failcache does not.

Repadmin /KCC

Repadmin /kcc forces the KCC to recalculate the replication topology on a specified domain controller. By default, this recalculation occurs every 15 minutes.

Syntax: repadmin /kcc <DC_LIST> [/async]

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

/async Specifies that the KCC run is asynchronous: repadmin starts the KCC on the domain controller but does not wait for it to finish.

Example 1: Running the KCC on the local domain controller (figure 3.11.5.1)

Example 2: Running the KCC against the ISTG of the HUB site (figure 3.11.5.2)

Example 3: Running the KCC against all the global catalog servers in the forest (figure 3.11.5.3)

Example 4: Running the KCC against all the domain controllers in the BRANCH2 site (figure 3.11.5.4)

Repadmin /ISTG

Repadmin /istg returns the server name of the ISTG for a specified site.

Syntax: repadmin /istg <DC_LIST> [/verbose]

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

/verbose Lists detailed information.

Example: Display the ISTGs in my environment (figure 3.11.6)

In the example in figure 3.11.6, the ISTGs are listed from the perspective of the local domain controller from which the command was run. It is important to note that this information may be different from the perspective of each domain controller, depending on the forest-wide Active Directory convergence time and replication status.

Repadmin /querysites

Repadmin /querysites uses the routing information to determine the cost of a route from a specified site to one or more other sites.

Syntax: repadmin /querysites <FromSiteRDN> <ToSite1RDN> [<ToSite2RDN> ...]

Parameter Description

<FromSiteRDN> Specifies the relative distinguished name of the site from which the cost is calculated.

<ToSite1RDN> Specifies the relative distinguished name of the site to which the cost is calculated.

Example 1: Display the cost between BRANCH1 and HUB (figure 3.11.7.1)

Example 2: Display the cost between BRANCH1 and BRANCH2

Due to site link transitivity, the cost from BRANCH1 to BRANCH2 is aggregated by adding the cost from BRANCH1 to HUB (100) to the cost from HUB to BRANCH2 (100).

Figure 3.11.7.2

Example 3: Display the cost between BRANCH1 and Branch2

Note that the relative distinguished name of the site is case sensitive, which is why this attempt fails with an error.

Figure 3.11.7.3

Notes: The relative distinguished name of the site is case sensitive. The repadmin /querysites command does not allow the use of alternate credentials.

Repadmin /queue

Repadmin /queue displays the replication tasks that are waiting in the replication queue of a domain controller.

Syntax: repadmin /queue <DC_LIST>

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

Example: Display the queue length on the local domain controller

Under normal circumstances this list should be empty. When troubleshooting a domain controller that is overloaded by replication requests, run the command outside the replication window; a queue that is still populated then is the backlog you are looking for.

Figure 3.11.8.1

Example: Queue contains one item (figure 3.11.8.2)

Repadmin /bridgeheads

Repadmin /bridgeheads lists the bridgehead servers for a specified site.

Syntax: repadmin /bridgeheads [<DC_LIST>] [/verbose]

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

/verbose Lists detailed information.

For clarity:

The following examples show bridgeheads only for the HUB site.

The examples show the normal and the verbose mode, to help compare them.

The status "The RPC server is unavailable" is abbreviated as RPC, and the status "The operation completed successfully" is abbreviated as Success.

Example 1: repadmin /bridgeheads rootdns

Bridgeheads for site HUB (rootdns.contoso.com):

Source Site Local Bridge Trns Fail. Time # Status

=========== ============ ==== ============== === ======

BRANCH2 BRANCH-HUB-BH IP 2005-02-14 14:18:52 3 RPC.

Configuration research

BRANCH1 BRANCH-HUB-BH IP (never) 0 Success.


Configuration ForestDnsZones DomainDnsZones research

BRANCH3 BRANCH-HUB-BH IP (never) 0 Success.

Configuration DomainDnsZones ForestDnsZones research

Example 2: Repadmin /bridgeheads rootdns /verbose

Bridgeheads for site HUB (rootdns.contoso.com):
Source Site   Local Bridge    Trns  Fail. Time            #   Status
===========   ============    ====  ==============       ===  ======
BRANCH2       BRANCH-HUB-BH   IP    2005-02-14 14:18:52    3  RPC.
    Naming Context   Attempt Time         Success Time         #Fail  Last Result
    ==============   ============         ============         =====  ===========
    Configuration    2005-02-14 14:51:41  2005-02-14 14:18:51      3  RPC.
    research         2005-02-14 14:53:15  2005-02-14 14:18:52      2  RPC.

Source Site   Local Bridge    Trns  Fail. Time            #   Status
===========   ============    ====  ==============       ===  ======
BRANCH1       BRANCH-HUB-BH   IP    (never)                0  Success
    Naming Context   Attempt Time         Success Time         #Fail  Last Result
    ==============   ============         ============         =====  ===========
    Configuration    2005-02-14 14:51:41  2005-02-14 14:51:41      0  Success.
    ForestDnsZones   2005-02-14 14:52:37  2005-02-14 14:52:37      0  Success.
    DomainDnsZones   2005-02-14 14:53:15  2005-02-14 14:53:15      0  Success.
    research         2005-02-14 14:52:37  2005-02-14 14:52:37      0  Success.

Source Site   Local Bridge    Trns  Fail. Time            #   Status
===========   ============    ====  ==============       ===  ======
BRANCH3       BRANCH-HUB-BH   IP    (never)                0  Success.
    Naming Context   Attempt Time         Success Time         #Fail  Last Result
    ==============   ============         ============         =====  ===========
    Configuration    2005-02-14 14:51:42  2005-02-14 14:51:42      0  Success.
    DomainDnsZones   2005-02-14 14:53:15  2005-02-14 14:53:15      0  Success.
    ForestDnsZones   2005-02-14 14:52:37  2005-02-14 14:52:37      0  Success.
    research         2005-02-14 14:53:15  2005-02-14 14:53:15      0  Success.

How to interpret the data

Repadmin /bridgeheads is run remotely against a domain controller in the HUB site, and the output is the topology from the perspective of ROOTDNS. In these examples, we see that the local bridgehead server BRANCH-HUB-BH is having replication problems with the remote bridgehead server in the BRANCH2 site.

Fields of interest Explanation

Source Site Source site from which the local bridgehead pulls data (inbound). Remember that replication is always inbound.

Local Bridge Local bridgehead server for the site for which the tool is displaying results. In the example in figure 3.11.9.2, BRANCH-HUB-BH is the bridgehead server of the HUB site.

Trns Transport. In the example in figure 3.11.9.2, the transport is IP.

Fail time This is the last successful replication time.

# Number of failures since the last successful replication time.

Status Replication status.

Naming Context Directory partition. Remember Bridgeheads are partition specific.

Attempt time Last replication attempt time with the remote bridgehead.

Success time Last successful replication time with the remote bridgehead.

#Fail Number of attempts since the failure per partition.

Last result Latest replication status.

Replication is performed for each partition. Sometimes, however, the Schema partition is not listed in the previous example as a naming context (partition), and so no bridgeheads are listed for it. This is not a limitation of the tool; it has to do with how information is stored in the connection object that is queried to determine the bridgehead. If you see the Configuration partition in the output, it is implied that Schema is also included, because the KCC calculates the Configuration and Schema partitions to have the same replication topology.
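The interpretation above is easier to apply in bulk when the bridgehead table is parsed into records and the failing rows are picked out. The following Python script is an added example (not part of the Microsoft document) that parses both the normal and the /verbose output shown in Examples 1 and 2; the sample text is the page's own output re-typed with single spaces between columns, and the parser assumes that spacing carries no meaning.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input: the outputs of Examples 1 and 2 above, re-typed
# with single spaces between columns (column alignment is assumed irrelevant).
NORMAL_OUTPUT = """\
Bridgeheads for site HUB (rootdns.contoso.com):
Source Site Local Bridge Trns Fail. Time # Status
=========== ============ ==== ============== === ======
BRANCH2 BRANCH-HUB-BH IP 2005-02-14 14:18:52 3 RPC.
  Configuration research
BRANCH1 BRANCH-HUB-BH IP (never) 0 Success.
  Configuration ForestDnsZones DomainDnsZones research
BRANCH3 BRANCH-HUB-BH IP (never) 0 Success.
  Configuration DomainDnsZones ForestDnsZones research
"""

VERBOSE_OUTPUT = """\
Bridgeheads for site HUB (rootdns.contoso.com):
Source Site Local Bridge Trns Fail. Time # Status
=========== ============ ==== ============== === ======
BRANCH2 BRANCH-HUB-BH IP 2005-02-14 14:18:52 3 RPC.
  Naming Context Attempt Time Success Time #Fail Last Result
  ============== ============ ============ ===== ===========
  Configuration 2005-02-14 14:51:41 2005-02-14 14:18:51 3 RPC.
  research 2005-02-14 14:53:15 2005-02-14 14:18:52 2 RPC.
Source Site Local Bridge Trns Fail. Time # Status
=========== ============ ==== ============== === ======
BRANCH1 BRANCH-HUB-BH IP (never) 0 Success
  Naming Context Attempt Time Success Time #Fail Last Result
  ============== ============ ============ ===== ===========
  Configuration 2005-02-14 14:51:41 2005-02-14 14:51:41 0 Success.
  research 2005-02-14 14:52:37 2005-02-14 14:52:37 0 Success.
"""

DATE = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"
# One bridgehead row: source site, local bridgehead, transport, fail time, #, status.
ROW_RE = re.compile(
    r"^(?P<source>\S+)\s+(?P<bridge>\S+)\s+(?P<trns>\S+)\s+"
    r"(?P<failtime>\(never\)|" + DATE + r")\s+(?P<count>\d+)\s+(?P<status>.+?)\.?$"
)
# One per-partition row of /verbose mode: NC, attempt time, success time, #fail, result.
NC_RE = re.compile(
    r"^(?P<nc>\S+)\s+" + DATE + r"\s+" + DATE + r"\s+(?P<fails>\d+)\s+(?P<result>.+?)\.?$"
)
SKIP_PREFIXES = ("Source Site", "Naming Context", "=")


@dataclass
class Bridgehead:
    site: str
    source_site: str
    local_bridge: str
    transport: str
    fail_time: Optional[str]  # None when the tool printed "(never)"
    failures: int
    status: str
    naming_contexts: List[str] = field(default_factory=list)
    nc_status: List[Tuple[str, int, str]] = field(default_factory=list)  # verbose only


def parse_bridgeheads(text: str) -> List[Bridgehead]:
    """Parse repadmin /bridgeheads output (normal or /verbose) into records."""
    site, rows = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = re.match(r"^Bridgeheads for site (\S+) \(", line)
        if m:
            site = m.group(1)
            continue
        # Try the verbose per-partition pattern first: its two date columns
        # would otherwise also satisfy the looser bridgehead-row pattern.
        m = NC_RE.match(line)
        if m and rows:
            rows[-1].naming_contexts.append(m.group("nc"))
            rows[-1].nc_status.append((m.group("nc"), int(m.group("fails")), m.group("result")))
            continue
        m = ROW_RE.match(line)
        if m:
            ft = m.group("failtime")
            rows.append(Bridgehead(site, m.group("source"), m.group("bridge"), m.group("trns"),
                                   None if ft == "(never)" else ft,
                                   int(m.group("count")), m.group("status")))
        elif rows:
            # Normal mode: the line under a row lists the partitions it replicates.
            rows[-1].naming_contexts.extend(line.split())
    return rows


def failing_bridgeheads(rows: List[Bridgehead]) -> List[Bridgehead]:
    """Rows worth alerting on: a non-zero failure count or a status other than Success."""
    return [r for r in rows if r.failures > 0 or r.status != "Success"]
```

Running failing_bridgeheads over either sample yields only the BRANCH2 row, which is the bridgehead the interpretation above singles out; in verbose mode the nc_status list shows which partitions are behind.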

Repadmin /showmsg

Repadmin /showmsg displays the error message for a given error number.

Syntax

repadmin /showmsg {<Win32Error> | <DSEventID> /NTDSMSG}

Parameter Description

<Win32Error> Returns a short description of the given Win32 error code.

<DSEventID> /NTDSMSG Returns the actual event log text for the specified event ID.

Example: Display the error message for the Win32 error 1722 and DS event ID 1404

Figure 3.11.10

Repadmin /viewlist

By default, this subcommand is used to display a list of domain controllers. It can also be used to form a Lightweight Directory Access Protocol (LDAP) query that lists only selected objects in the directory.

Syntax

repadmin /viewlist <DC_LIST> <OBJ_LIST>

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

<OBJ_LIST> This parameter takes a distinguished name (DN) or a special keyword that expands into a DN. The keywords are:

Ncobj:config: This keyword is the Configuration directory partition for the forest.

Ncobj:schema: This keyword is the Schema directory partition for the forest.

Ncobj:domain: This keyword is the domain partition DN of the home server.

Dsaobj: This keyword is the NTDS settings object of the home server.

Example 1: Display all the DCs in the forest

Figure 3.11.11.1

Example 2: Display all the Group Policy objects in the domain directory partition for the domain of the domain controller that repadmin is running against

Figure 3.11.11.2

Note the usage of OBJ_LIST and OBJ_LIST OPTIONS. For details please refer to repadmin /listhelp.


Open sessions with the domain controller

The repadmin /showctx command displays a list of computers that have opened sessions with a specified domain controller.

Syntax

repadmin /showctx <DC_LIST> [/nocache]

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

/nocache Specifies that globally unique identifiers (GUIDs) are left in hexadecimal form. By default, GUIDs are translated into strings.

Example: Show open sessions with a DSA

Figure 3.11.12

Subcommands Not Covered Under the Previous Scenarios

This topic covers additional subcommands that you can use with repadmin.

Display replication features

The repadmin /bind command connects to a domain controller and displays the replication features for a directory partition on that domain controller.


Syntax

repadmin /bind <DC_LIST>

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

Example: Display replication features on the local domain controller, which is running Windows Server 2003

Note that LINKED_VALUE_REPLICATION is set to NO because the forest functional level is set to Windows 2000 instead of Windows Server 2003.

Figure 3.12.1

Server object GUID (DSA GUID) and Database GUID

The repadmin /dsaguid command returns a server name when given a globally unique identifier (GUID).


Syntax

repadmin /dsaguid <DC_LIST> <GUID>

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

<GUID> Specifies the unique hexadecimal number that identifies the domain controller. The globally unique identifier (GUID) can be retrieved by using the showreps operation.

Example: Display the domain controller name when given a GUID

Note the use of “.” here for <DC_LIST>.

Figure 3.12.2

Please refer to repadmin /showrepl for a detailed explanation and difference between DSA GUID and Database GUID.

Certificates loaded on a domain controller

The repadmin /showcert command displays the server certificates loaded on a specified domain controller.

Syntax

repadmin /showcert <DC_LIST>

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

Retired application partition GUIDs (signature)

Each domain controller has a naming context signature list. The repadmin /showncsig command displays a list of the removed application directory partition GUIDs. An application directory partition can be configured to be held or not held on a particular domain controller by using ntdsutil.

Syntax

repadmin /showncsig <DC_LIST>

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

Example: Display the recently retired ForestDnsZones application directory partition on the local domain controller

Figure 3.12.4

The following information is displayed in figure 3.12.4:

Partition name

InvocationID at the time of removal

Highest update sequence number (USN) at the time of removal

Date of removal


Unanswered replication calls

The repadmin /showoutcalls command displays calls made by the specified domain controller to other domain controllers that have not yet been answered.

Syntax

repadmin /showoutcalls <DC_LIST>

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

Example: Hub domain controller waiting for a request to be answered by a spoke domain controller

Figure 3.12.5

showproxy

Lists cross-domain move proxy objects. When an object is moved to another domain, a marker is left in the old domain indicating that the object used to be there. This marker is called the proxy.

Syntax 1

repadmin /showproxy <DC_LIST> <NamingContext> [matchstring]

Syntax 2

repadmin /showproxy <DC_LIST> <ObjectDN> [matchstring] /movedobject

Parameter Description


<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

<NamingContext> Specifies the distinguished name of the directory partition on the source domain controller.

matchstring Specifies the distinguished name of the object.

<ObjectDN> Specifies a filter for the output. Type a string of characters that must be present in the distinguished name in order to display the object.

/movedobject Displays a history of information from the original domain on a moved object after it has reached the new domain.

Retired database GUIDs (signature)

The repadmin /showsig command displays the retired InvocationIDs on a domain controller. A domain controller changes its InvocationID when it is restored or when it re-hosts an application partition.

Syntax

repadmin /showsig <DC_LIST>

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers separated by a space. For details about <DC_LIST>, see repadmin /listhelp.


Example 1: Simple usage with no retired signatures

Figure 3.12.7.1

Example 2: Simple usage with a retired signature

Figure 3.12.7.2

Convert directory service time to readable time

The repadmin /showtime command converts a directory service time value to string format for both the local and the Coordinated Universal Time (UTC) time zones.

Syntax

repadmin /showtime <DSTimeValue>

Parameter Description

<DSTimeValue> Specifies the time value that needs to be converted.

With parameters omitted, repadmin /showtime displays the current system time in both the directory service format and string format.

Example 1: Usage with directory service time format

Figure 3.12.8.1

Example 2: Current system time

Figure 3.12.8.2

Active Directory domains trusted by a domain controller

The repadmin /showtrust command lists all Active Directory domains (in the same forest) that are trusted by the specified domain controller’s domain.

Syntax

repadmin /showtrust <DC_LIST>

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers, separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

Example: Display Active Directory domains that are trusted by the domain of the local domain controller

Figure 3.12.9


Linked distinguished name values

The repadmin /showvalue command is used to list only linked distinguished name values. Linked distinguished name values can also be obtained by the repadmin /showobjmeta subcommand with the /linked switch.

Syntax

repadmin /showvalue <DC_LIST> <ObjectDN> <AttributeName> <ValueDN> [/nocache]

Parameter Description

<DC_LIST> Specifies the host name of a domain controller, or a list of domain controllers, separated by a space. For details about <DC_LIST>, see repadmin /listhelp.

<ObjectDN> Specifies the distinguished name of the object.

<AttributeName> Specifies a single attribute whose value you want to display.

<ValueDN> Specifies the distinguished name of the attribute that is displayed.

/nocache Specifies that GUIDs are left in hexadecimal form. By default, GUIDs are translated into strings.

Example: Display members of the Domain Admins group

Note that showvalue lists values only for forward links. Backward links (such as memberOf) are not obtained.

Figure 3.12.10


Oldhelp

Oldhelp displays a list of the operations that have been deprecated in the Windows Server 2003 version of repadmin.

sync

Starts a replication event for the specified directory partition between the source and destination domain controllers. The source universally unique identifier (UUID) can be determined when viewing the replication partners by using the showreps operation.

Syntax

repadmin /sync <NamingContext> <DestDC> <SourceDCUUID> [/force] [/async] [/full] [/addref] [/allsources]

Parameter Description

<NamingContext> Specifies the distinguished name of the directory partition.

<DestDC> Specifies the host name of the domain controller (Directory Server Agent) with which you want to replicate.

<SourceDCUUID> Specifies the unique hexadecimal number that identifies the object whose changes will be listed. The objectGUID can be retrieved by using the showreps operation.

/force Overrides the normal replication schedule.

/async Specifies that the replication will be asynchronous. This means that repadmin starts the replication event, but it does not expect an immediate response from the destination domain controller. Use this parameter when there are slow links between domain controllers.

/full Forces a full replication of all objects from the destination domain controller.

/addref Directs the source to check for a notification entry on the source. If the source does not have a notification entry for this destination, one is added.

/allsources A given destination can have multiple sources for the same naming context. Directs the destination to sync with all sources instead of just one.

propcheck

Compares properties of specified domain controllers to determine if they are up-to-date with each other. The source domain controller contains the original information that needs to be checked. The destination domain controller data will be compared to the source domain controller data.

Syntax

repadmin /propcheck <NamingContext> <OriginatingDCInvocationID> <OriginatingUSN> <DestDC>

Parameter Description

<NamingContext> Specifies the distinguished name of the directory partition on the source domain controller.

<OriginatingDCInvocationID> Specifies the unique hexadecimal number that identifies an object on a source domain controller. The InvocationID can be retrieved by using the showreps operation.

<OriginatingUSN> Specifies the update sequence number (USN) for the object on the source domain controller. The USN is for the object whose InvocationID is already listed.

<DestDC> Specifies the host name of the destination domain controller from which to enumerate the host domain controllers.

getchanges

Displays changes from a specified directory partition or changes to a specified object. Syntax 1 saves changes to a directory partition. If this information is saved to a file, the getchanges operation can be run again for comparison. Syntax 2 lists changes to a specified object.


Syntax 1

repadmin /getchanges <NamingContext> <SourceDC> [/cookie: <File>] [/atts: <attribute1>,<attribute2>,...]

Syntax 2

repadmin /getchanges <NamingContext> <DestDC> <SourceDCObjectGUID> [/verbose] [/statistics] [/noincremental] [/objectsecurity] [/ancestors] [/atts: <attribute1>,<attribute2>,...] [/filter: <ldap filter>]

Parameter Description

<NamingContext> Specifies the distinguished name of the directory partition.

<SourceDC> Specifies the host name of the domain controller that hosts the directory partition whose changes you want to view.

/cookie: <File> Specifies a name for the file to which the listed changes are saved.

/atts: <attribute1>,<attribute2> Returns only the attributes specified. Separate each listed attribute with a comma.

<DestDC> Specifies the host name of the destination domain controller from which to enumerate the host domain controllers.

<SourceDCObjectGUID> Specifies the unique hexadecimal number that identifies the object whose changes will be listed. The objectGUID can be retrieved by using the showreps operation.

/verbose Lists detailed information.

/statistics Displays a summary of information about changes instead of a list of individual changes.

/noincremental Returns changes in value change format, which lists current values for attributes as well as what attributes have been added or deleted. If not specified, changes are returned in attribute change format, which shows only the current value of the attribute.

/objectsecurity Overrides the need for the Get Changes right to the directory partition. By default this right is needed to run the /getchanges parameter. However, only changes that the currently logged on user has the rights to view are displayed.

/filter: <ldap filter> Returns only those changes that meet the filter requirements.

/ancestors Returns changes in USN order.

The information from Syntax1 can be saved to a file for later comparison.

showreps

Displays the replication partners for each directory partition on the specified domain controller. Helps the administrator build a visual representation of the replication topology and see the role of each domain controller in the replication process.

Syntax

repadmin /showreps <NamingContext> <DC> <SourceDCObjectGUID> [/verbose] [/nocache] [/repsto] [/conn] [/all]

Parameter Description

<NamingContext> Specifies the distinguished name of the directory partition.

<DC> Specifies the host name of the domain controller.

<SourceDCObjectGUID> Specifies the unique hexadecimal number that identifies the object whose replication events will be listed.

/verbose Lists detailed information.

/nocache Specifies that globally unique identifier (GUIDs) are left in hexadecimal form. By default, GUIDs are translated into strings.

/repsto Lists the domain controllers that pull replication information from the specified directory partition.

/conn Displays the connection objects associated with each link.


/all Displays all replication partners.

showvector

Displays the highest USN for the specified domain controller. This information shows how up-to-date a replica is with its replication partners.

Syntax

repadmin /showvector <NamingContext> <DC> [/nocache] [/latency]

Parameter Description

<NamingContext> Specifies the distinguished name of the directory partition.

<DC> Specifies the host name of the domain controller.

/nocache Specifies that GUIDs are left in hexadecimal form. By default, GUIDs are translated into strings.

/latency Sorts the information by the time required to complete the replication. By default the information is sorted by USN.

showmeta

Displays the replication metadata for a specified object stored in Active Directory, such as attribute ID, version number, originating and local update sequence number (USN), originating server's GUID, and date and time stamp. By comparing the replication metadata for the same object on different domain controllers, an administrator can determine whether replication has taken place.

Syntax

repadmin /showmeta <ObjectDN> <DC> [/nocache] [/linked]

Parameter Description

<ObjectDN> Specifies the distinguished name of the object.

<DC> Specifies the host name of the domain controller that hosts the object.

/nocache Specifies that GUIDs are left in hexadecimal form. By default, GUIDs are translated into strings.

/linked Displays metadata associated with, but not stored with the specified object.

Administer Passwords and Password Replication Policy for Read-Only Domain Controllers with Repadmin.exe

This topic describes the following commands that were added to Repadmin.exe in Windows Server 2008 to manage passwords and Password Replication Policy (PRP) for read-only domain controllers (RODCs). RODCs are available in Windows Server 2008 and Windows Server 2008 R2.

Repadmin.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS) server role or the Active Directory Lightweight Directory Services (AD LDS) server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (http://go.microsoft.com/fwlink/?LinkID=177813).

In Windows Server 2008 and Windows Server 2008 R2, you must run command-line-based tools from an elevated command prompt. To open an elevated Command Prompt using the credentials of a Domain Admin, click Start. In Start Search, type runas /user:<domainName>\<domainAdminUser> cmd, and then press ENTER. Replace <domainName> with the domain name, and replace <domainAdminUser> with the name of a user account that is a member of the Domain Admins group in that domain.

repadmin /prp

repadmin /rodcpwdrepl

For more information about managing passwords and the PRP for RODCs, see Administering the Password Replication Policy (http://go.microsoft.com/fwlink/?LinkId=185778).

repadmin /prp

You can use this command to view or modify the PRP for an RODC. The PRP determines which account passwords are allowed to be cached on an RODC and which accounts are denied from being cached.


Syntax

Repadmin /prp [operation] RODC [additional arguments]

Operations

The repadmin /prp command can perform the following operations:

Add

Delete

Move

View

Additional arguments are available for each operation.

Add

Adds the specified security principal to the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (This attribute is also known as the Allowed List.)

You cannot use repadmin /prp commands to add an account to the Deny List or remove an account from the Deny List. To configure the Deny List, you can use the Active Directory Users and Computers snap-in or you can create a script. For example, if you want to deny members of the group RODC2Admins from caching passwords on RODC2, which is located in the Branch2 organizational unit (OU) of hq.cpandl.com, you can use the following script:

'The following items specify to Clear, Update, Append, or Delete a property of an Active Directory object
Const ADS_PROPERTY_CLEAR = 1
Const ADS_PROPERTY_UPDATE = 2
Const ADS_PROPERTY_APPEND = 3
Const ADS_PROPERTY_DELETE = 4

'The setting for ATT determines which list will be modified
'msDS-AuthenticatedToAccountlist is for the authenticated to or Auth2 list
'msDS-RevealedList is for the password revealed or cached list
'msDS-RevealOnDemandGroup is for the allowed to authenticate list
'msDS-NeverRevealGroup is for the denied from authenticating list
Const ATT = "msDS-NeverRevealGroup"

'PRPObj defines the object that needs to be modified in the PRP list
PRPObj = "CN=RODC2Admins,OU=Branch2,DC=hq,DC=cpandl,DC=com"

'RODCObj defines the RODC for which the PRP should be modified
RODCObj = "LDAP://CN=RODC2,OU=Domain Controllers,DC=hq,DC=cpandl,DC=com"

'Sets the object to modify based on the LDAP path set in RODCObj
Set objComputer = GetObject(RODCObj)

'Implements the change, which, depending on the word after ADS_PROPERTY_, is a CLEAR, UPDATE, APPEND, or DELETE operation
objComputer.PutEx ADS_PROPERTY_APPEND, ATT, Array(PRPObj)
objComputer.SetInfo

'Confirms that the modification has taken place (this is optional)
wscript.echo "Modified list attributes for object " & PRPObj

'Closes the script
wscript.quit(0)

Syntax

repadmin /prp add <RODC> allow <PRINCIPAL>

Additional parameters

Parameter Definition

<RODC> Specifies the host name of the RODC. You can specify the single-label host name or the fully qualified domain name (FQDN). In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<PRINCIPAL> Specifies the name of the security principal that you want to add to the Allowed List.


Delete

Deletes one or more specified security principals from the msDS-AuthenticatedToAccountList attribute or from the msDS-RevealOnDemandGroup attribute that is associated with the RODC. (The msDS-AuthenticatedToAccountList attribute is also known as the Authenticated To List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)

Syntax

repadmin /prp delete <RODC> allow {<PRINCIPAL>|/all}

repadmin /prp delete <RODC> auth2 /all

Additional parameters

Parameter Definition

<RODC> Specifies the host name of the RODC. You can specify the single-label host name or the FQDN. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<PRINCIPAL> Specifies the name of the security principal that you want to delete from the Allowed List. Specify /all to have the operation delete all security principals.

/all Specifies all security principals. You cannot delete only one security principal from the msDS-AuthenticatedToAccountList attribute.

Move

Moves all the security principals from the msDS-AuthenticatedToAccountList attribute to the specified group. If the group does not exist, this command creates the group. If necessary, this command also adds the group to the msDS-RevealOnDemandGroup attribute of the RODC. (The msDS-AuthenticatedToAccountList attribute is also known as the Authenticated To List, and the msDS-RevealOnDemandGroup attribute is also known as the Allowed List.)

Syntax

repadmin /prp move <RODC> <Group> [/noauth2cleanup] [/users_only | /comps_only]

Additional parameters

Parameter Definition

<RODC> Specifies the host name of the RODC. For this operation, you can specify the single-label host name or the FQDN.

<Group> Specifies the name of the security group to which you want to move the security principals. If the security group does not exist, this command creates the security group in the built-in Users container. You can specify the name of the security group but not the distinguished name.

/noauth2cleanup Retains the list of security principals in the msDS-AuthenticatedToAccountList attribute after the Move operation is complete. By default, the msDS-AuthenticatedToAccountList attribute is cleared.

/users_only Moves only user accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.

/comps_only Moves only computer accounts from the msDS-AuthenticatedToAccountList attribute to the specified group. The group is then added to the msDS-RevealOnDemandGroup attribute.

View

Displays the security principals in the specified list or displays the current PRP setting (allowed or denied) for a specified user.

Syntax

repadmin /prp view <RODC> {<List_Name>|<User>}

Additional parameters

Parameter Definition

<RODC> Specifies the host name of the RODC. You can specify the single-label host name or the FQDN. In addition, you can use an asterisk (*) as a wildcard character to specify multiple RODCs in one domain.

<List_Name> Specifies all the security principals that are in the list that you want to view. The valid list names are as follows:

auth2: The list of security principals that the RODC has authenticated.

reveal: The list of security principals for which the RODC has cached passwords.

allow: The list of security principals in the msDS-RevealOnDemandGroup attribute. The RODC can cache passwords for this list of security principals only.

deny: The list of security principals in the msDS-NeverRevealGroup attribute. The RODC cannot cache passwords for any security principals in this list.

<User> Specifies the effective PRP setting (allowed or denied) for the specified user. You can specify the user name only or the distinguished name.

Example 1: View the PRP of an RODC

The following examples show how to view the accounts that are configured in the PRP that applies to an RODC with the host name RODC2 in the domain hq.cpandl.com.

To view the accounts that are allowed to have their passwords cached on the RODC, use the following command:

repadmin /prp view rodc2.hq.cpandl.com allow

To view the accounts that are denied from having their passwords cached on the RODC (also known as the Deny list), use the following command:

repadmin /prp view rodc2.hq.cpandl.com deny

Example 2: View accounts that an RODC has authenticated

To review the list of authenticated accounts for RODC2 in the hq.cpandl.com domain, use the following command:

repadmin /prp view rodc2.hq.cpandl.com auth2


Example 3: Clear the list of authenticated accounts

Note that this command does not actually remove account passwords from an RODC. It only deletes the list of those accounts.

There is no mechanism to erase passwords after they are cached on an RODC. If you want to clear a password that is stored on an RODC, reset the password in the hub site. This way, the password that is cached in the branch will no longer be valid for accessing any resources in the hub site or other branches. In the branch that contains the RODC on which the password may have been compromised, the password will still be valid for authentication purposes until the next replication cycle, at which time its value that is stored on the RODC will be changed to Null. The new password will be cached only after the user authenticates with it—or the new password is prepopulated on the RODC—and if the PRP has not been changed.

To clear the list of authenticated accounts for RODC2, use the following command:

repadmin /prp delete rodc2 auth2 /all

Example 4: Configure the PRP

To add an account named RODC2users from a top-level OU named West in the domain hq.cpandl.com to the Allowed List (or to remove it from the Allowed List) for an RODC computer with a host name of RODC2, use one of the following commands:

To find the Lightweight Directory Access Protocol (LDAP) distinguished name of a directory object from the command line, you can use the dsquery command. For example, if you want to find the distinguished name of a group that has “RODC” as part of its name from a computer in the local domain, you can run the command dsquery group –name *RODC*. The asterisks around “RODC” indicate that any number of characters can come before or after the letters RODC. If instead you want to find the distinguished name of a computer or user, substitute either the word computer or the word user (respectively) for the word group in the command. For more information about dsquery command syntax, see Dsquery (http://go.microsoft.com/fwlink/?LinkId=120196).

To allow the account RODC2users to be cached on RODC2, use the following command:

repadmin /prp add rodc2.hq.cpandl.com allow cn=RODC2users,ou=west,dc=hq,dc=cpandl,dc=com

To remove the account from the Allowed List, use the following command:

repadmin /prp delete rodc2.hq.cpandl.com allow cn=RODC2users,ou=west,dc=hq,dc=cpandl,dc=com

Example 5: Move accounts that an RODC has authenticated to the Allowed RODC Password Replication Policy Group

To move the current list of only the users from RODC2 to the Allowed List, use the following command:

Repadmin /prp move rodc2 /users_only


You cannot selectively move entries from the Auth2 list to the Allowed List by using the repadmin /prp move command. However, when you have created an appropriate group, you can use Active Directory Users and Computers, Dsadd, and similar tools to add users or computers to that group.

Example 6: View accounts with cached passwords on an RODC

To see the accounts with cached passwords on an RODC with the host name RODC2 in the domain contoso.com, use the following command:

repadmin /prp view rodc2.contoso.com reveal

If you have a large number of accounts cached, the repadmin /prp view <hostname> reveal command might return only a subset of the accounts. For more information, see Repadmin /PRP might return only a subset of accounts (http://go.microsoft.com/fwlink/?LinkId=185775).

repadmin /rodcpwdrepl

Triggers replication of passwords for the specified users from the source (hub site domain controllers) to one or more RODCs.

For each destination RODC, the ability to cache the user’s password is evaluated before the operation succeeds. In other words, the specified user must be in the Allowed RODC Password Replication Group and not be a member of the Denied RODC Password Replication Group for the destination RODC. You can specify passwords for multiple users, but if a user’s password is not allowed to be cached for a destination RODC, the request for that specific user and destination RODC will fail.

Syntax

Repadmin /rodcpwdrepl <hostnameRODC> <hostnameWDC> <User1LdapPath> <Computer1LdapPath> <UserNLdapPath> <ComputerNLdapPath>

Parameters Definitions

<hostnameRODC> The host name or FQDN of the target RODC whose password cache you want to prepopulate. If you are running the command from outside the target domain, use the FQDN.

<hostnameWDC> The host name or FQDN of the writable domain controller that is the replication partner of the RODC. If you are running the command from outside the target domain, use the FQDN.

<User1LdapPath> The LDAP distinguished name of a user account whose password you want to prepopulate.

<Computer1LdapPath> The LDAP distinguished name of a computer account whose password you want to prepopulate. You must also add the computer accounts of the users, or the users will not be able to log on.

<UserNLdapPath> The LDAP distinguished name of another user account whose password you want to prepopulate.

<ComputerNLdapPath> The LDAP distinguished name of another computer account whose password you want to prepopulate. You must also add the computer accounts of the users, or the users will not be able to log on.

Example

The following command prepopulates the password cache for an RODC named RODC2 in the domain hq.cpandl.com, using the writable domain controller named WS2008A to transfer the passwords for the user account of Mike Danseglio (MikeDan) and his computer named MDVista1. The MikeDan account is in a top-level OU named B1 Users, and the MDVista1 account is in the default Computers container.

repadmin /rodcpwdrepl rodc2.hq.cpandl.com ws2008a.hq.cpandl.com "cn=mikedan,ou=b1 users,dc=hq,dc=cpandl,DC=com" cn=mdvista1,cn=Computers,dc=hq,dc=cpandl,dc=com

Repadmin for Experts

The previous topics in this guide have looked at how an administrator can use repadmin to view the replication topology (sometimes referred to as Reps-From and Reps-To) as seen from the perspective of each domain controller, monitor forest-wide replication, diagnose replication problems, and perform miscellaneous tasks.

The following sections cover advanced operations only. These commands have the potential to break your Active Directory installation, and they should be used only under the expert guidance of a Microsoft Customer Support Services representative or engineer.

Add, Modify, or Delete replication links

During normal operation, the Knowledge Consistency Checker (KCC) automatically manages the replication topology for each naming context held on domain controllers.

Although in normal practice this should not be necessary, repadmin can be used to manually create the replication topology. By default this topology is temporary and lasts only until the next time the KCC runs. These steps should therefore be used only while troubleshooting Active Directory replication issues.

During the normal course of operations, there is no requirement for manual creation of the replication topology. Incorrect use of this tool may adversely impact the replication topology.

Syntax

Repadmin /add <Naming Context> <Dest DC> <Source DC> [/asyncrep] [/syncdisable] [/dsadn:<Source DC DN>] [/transportdn:<Transport DN>] [/mail] [/async] [/readonly]

Repadmin /mod <Naming Context> <Dest DC> <Source GUID> [/readonly] [/srcdsaaddr:<dns address>] [/transportdn:<Transport DN>] [+nbrflagoption] [-nbrflagoption]

Repadmin /delete <Naming Context> <Dest DC> [<Source DC Address>] [/localonly] [/nosource] [/async]

The following table lists the purpose for each of the subcommands.

Subcommand Purpose

add The add command will create a RepsFrom attribute on the destination domain controller for the specified naming context and initiate a replication request. During a normal replication cycle, the destination domain controller will request updates from the source domain controller.

mod The mod command will modify the RepsFrom attribute on the destination domain controller for the specified naming context and initiate a replication request. During a normal replication cycle, the destination domain controller will request updates from the source domain controller.

delete The delete command will remove a RepsFrom attribute on the destination domain controller for the specified naming context.

The following table lists the parameters that can be used with the subcommands.

Parameter Description

<Naming Context> Specifies the distinguished name of the directory partition.

<Dest DC> Domain controller to which the link is created.

<Source DC> Domain controller from which to source the partition.

asyncrep Queue the replication event, but do not wait for the replication to complete before you return control to the user.

syncdisable Add the RepsFrom attribute but do not participate in the replication cycle. To perform replication between the destination and source domain controllers, repadmin /sync /force must be used.

/dsadn:<Source DC DN>

transportdn The distinguished name of the Inter Site Message transport, only used for mail-based replication.

mail Specifies that the replication is mail-based and therefore requires the /transportdn option.

async Queue the add/delete operation without interrupting the current replication cycle and return control to the user.

readonly Specify that the partition is read-only.

/srcdsaaddr:<dns address>

nbrflagoption One of the neighbor flags listed in the nbrflagoptions table under Miscellaneous at the end of this guide.

localonly Do not delete the corresponding RepsTo attribute on the source Directory System Agent (DSA).

nosource When you remove a read-only naming context such as the global catalog, the associated data stored in the directory is removed in blocks of 500 objects. This allows the /delete command to be re-executed without having to specify the Source DSA to remove the remaining objects.

When you create temporary replication links between replication partners, the process could fail if the KCC starts while you are performing the procedure. The KCC will delete any replication links for which no corresponding connection object exists.

Because these commands can take a very long time to complete, as they trigger the replication of the corresponding naming context, it is important to ensure that the KCC does not disturb the process. This is where you would use +DISABLE_NTDSCONN_XLATE, which effectively disables the capability of the KCC to translate connection objects into replication links.

Add, Modify, or Delete outbound replication partners

Similar to inbound replication (Reps-From) partners, outbound replication (Reps-To) partners are instantiated from connection objects by a process called “Connection Translation.”

Both the Reps-From and Reps-To attributes are kept per partition, and they are not replicated. Reps-To is only needed when the destination requires the source to notify it that there is a change in the partition at the source and that the destination should synchronize. Because Reps-To attributes are used for notification, if the destination has a Reps-From marked NO_NOTIFY, then the source will not have a Reps-To.

Depending on the underlying operating system, sometimes you might see outbound partners lingering. While Windows Server 2003 takes care of this, Windows 2000 would need some help cleaning out lingering outbound partners.

Syntax

Repadmin /addrepsto <Naming Context> <DC> <Reps-To DC> <Reps-To DC GUID>

Repadmin /updrepsto <Naming Context> <DC> <Reps-To DC> <Reps-To DC GUID>

Repadmin /delrepsto <Naming Context> <DC> <Reps-To DC> <Reps-To DC GUID>

The following table lists the purpose for each of the subcommands.

Subcommand Purpose

addrepsto This will create a Reps-To attribute on the domain controller for the specified naming context. Ordinarily there is no requirement to perform this command as the KCC will automatically create the Reps-To attributes on destination DSAs based on other DSAs Reps-From entries.

updrepsto This will update the Reps-To attribute on the domain controller for the specified naming context. More specifically, it updates the network address used by the source DSA to contact the destination DSA.

delrepsto Delrepsto deletes the Reps-To attribute on the domain controller for the specified naming context.

The following table lists the parameters that can be used with the subcommands.

Parameter Description

<Naming Context> Specifies the distinguished name of the directory partition.

<DC> The domain controller on which the Reps-To attribute is modified.

<Reps-To DC> Outbound replication partner.

<Reps-To DC GUID> DSA globally unique identifier (GUID) of outbound replication partner.

Hosting and unhosting read-only partitions

Hosting and unhosting global catalog partitions is convenient, especially when you want to ensure a faster global catalog removal process. As noted in the following table, these subcommands will also facilitate removal of lingering objects from Active Directory.

Global catalog removal process In Windows 2000 versions earlier than Service Pack 4 (SP4), when the IS_GC bit is turned off, the KCC deletes the read-only objects at a rate of only 500 for each time the KCC runs, which allows a maximum of 2000 object removals for each hour. This presents some challenges in large environments. In order to make the global catalog removal faster, you could potentially remove one partition at a time by using the unhost subcommand.

Lingering Objects A lingering object is an object that is present on one replica, but on another replica it has been deleted and removed from the directory by the garbage collection process.

When a lingering object exists only in one or more read-only naming contexts (global catalog), it is all the more difficult to delete the object. Clearing the IS_GC bit may not always be appropriate, because it removes all read-only naming contexts from the global catalog server.

Unhosting and rehosting a read-only naming context is therefore sometimes considered to be a good solution, especially because you could specify the source to be a good replica that does not contain lingering objects.

Syntax

Repadmin /rehost <DC_LIST> <Naming Context> <Good Source DC Address> [/application]

Repadmin /unhost <DC_LIST> <Naming Context>

Repadmin /removesources <DC_LIST> <Naming Context>

The following table lists the purpose for each of the subcommands.

Subcommand Purpose

rehost Add a specific read-only partition to a global catalog server.

unhost Remove a specific read-only partition from a global catalog server.

removesources Removes all replication links for a given naming context. This does not delete the connection objects, so the KCC will build new links on its regular cycle as required.

The following table lists the parameters that can be used with the subcommands.

Parameter Description

<DC_LIST> Specifies the host name of a domain controller or a list of domain controllers separated by a space that the object will be replicated to. For details about <DC_LIST>, see repadmin /listhelp.

<Naming Context> Specifies the distinguished name of the directory partition.

<Good Source DC Address> Specify the source domain controller.

/application Application directory partition

Detecting and removing lingering objects

There are multiple methods available to detect or remove lingering objects from Active Directory, depending on the operating system version that the domain controller is running. Repadmin can be used to detect or remove lingering objects from a directory partition when the source and destination domain controllers are running Windows Server 2003, and therefore the scope here is limited to the following:

Introduction to lingering objects

Repadmin usage in Windows Server 2003

A lingering object is an object that is present on one replica, but on another replica it has been deleted and removed from the directory by the garbage collection process.

This condition can occur for a variety of reasons including:

Prolonged misconfigurations (such as those that cause event ID 1311 messages)

Prolonged errors in name resolution, authentication or the replication engine that block inbound replication.

Bringing a domain controller online after it has been offline for a period greater than the tombstone lifetime (TSL).

Advancing system time or reducing TSL values in an attempt to accelerate garbage collection before end-to-end replication has taken place for all naming contexts in the forest.

Symptoms that you may have lingering objects:

Active Directory replication is prevented from occurring.

A user account that no longer exists still appears in the Global Address list for E-mail clients.

A universal group that no longer exists still appears in a user’s access token.

E-mail messages cannot be delivered due to duplicate e-mail address on two different user objects.

Regardless of the reason, a deleted object can remain on a domain controller in either of the following circumstances:

A domain controller goes offline immediately prior to the deletion of an object on another domain controller, and remains offline for a period that exceeds the tombstone lifetime.

A domain controller goes offline immediately following the deletion of an object on another domain controller but prior to receiving replication of the tombstone, and remains offline for a period that exceeds the tombstone lifetime.

What to do with a lingering object?

Determining what to do with a lingering object depends on whether or not it was intended.

Action Explanation

Unintended Use repadmin to delete the lingering object on a domain controller that is running Windows Server 2003.

Intended Change the replication consistency on the inbound domain controller (DC). The object will be reanimated on this DC. See “Strict and loose replication consistency” below.

Strict and loose replication consistency

If the attributes of a lingering object never change, the object is never considered for replication. However, if an attribute changes, the attribute is considered for outbound replication. The problem with an attribute update for a lingering object is that the receiving domain controller does not hold the object for the attribute being replicated. An update cannot be performed because the entire object does not exist on the receiving domain controller. What happens next depends on the replication consistency set on the domain controller.

Replication consistency Explanation

Loose When replication consistency is set to loose, the receiving domain controller detects that it does not have the object for the attribute that is being replicated. The inbound partner requests the entire object from the outbound partner, and reanimates the object on its copy of the directory. The same process repeats on all domain controllers that do not have a copy of the object. This mechanism can be used to cause lingering objects to “reanimate” across the entire forest. If a lingering object is discovered and its presence is intended, then perform any update to the object. As long as replication consistency is set to loose on all domain controllers, the object will be reanimated as it replicates around the forest. “Loose replication consistency” is the default for Windows 2000 domain controllers, with the exception of domain controllers that have the MS01-044 security rollup package installed. For more information about the MS01-044 security rollup package, see article 297860 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122508).

Strict The default behavior for domain controllers that run Windows Server 2003 (and domain controllers that are upgraded from Windows NT 4.0) is to block inbound replication for each naming context when a domain controller receives an update to an object that it does not have. Replication is halted in the naming context for the object until the lingering object is removed or the replication mode is set to “loose.”

Storage for Consistency Setting

The setting for replication consistency is in the registry on each domain controller.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Entry name: Strict Replication Consistency

Data type: REG_DWORD

Values: 1 for enabled; 0 for disabled

Default: 1 (enabled)

There was a post-SP2 hotfix (also included in the security rollup package from November 2001) that used a different registry value. A setting of 0 will not recreate the missing object (strict), and a setting of 1 will create the missing object. This value is only needed with the November version of the hotfix.

Value Name: Correct Missing Objects

Data type: REG_DWORD

Value data: 1
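Because a single domain controller left in loose mode is enough for a lingering object to reanimate forest-wide, the setting is worth checking on every DC rather than one. The following PowerShell is an added example, not code from the Microsoft guide: it interprets the two registry values described above (the current Strict Replication Consistency value and the legacy Correct Missing Objects value from the post-SP2 hotfix) and can read them from each DC over PowerShell remoting, which is assumed to be enabled; the sample calls at the end use constructed values.

```powershell
# Added example, not from the Microsoft guide. Registry path as documented in the guide.
$NtdsParametersPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function ConvertTo-ConsistencyMode {
    # Pure interpretation step, so it can be exercised without a domain controller.
    # $Strict: "Strict Replication Consistency" (1 = strict, 0 = loose, $null = absent).
    # $CorrectMissing: legacy "Correct Missing Objects" from the November 2001 hotfix
    #   (0 = do not recreate, i.e. strict; 1 = recreate missing objects, i.e. loose).
    param($Strict, $CorrectMissing)
    $mode = if ($null -ne $Strict) {
        if ([int]$Strict -eq 1) { 'Strict' } else { 'Loose' }
    } elseif ($null -ne $CorrectMissing) {
        if ([int]$CorrectMissing -eq 1) { 'Loose' } else { 'Strict' }
    } else {
        # Neither value present; the guide lists 1 (strict) as the default.
        'Absent (guide default: strict)'
    }
    [pscustomobject]@{
        StrictReplicationConsistency = $Strict
        CorrectMissingObjects        = $CorrectMissing
        Mode                         = $mode
        # Loose mode lets a lingering object reanimate on this DC on its next update.
        AllowsReanimation            = ($mode -eq 'Loose')
    }
}

function Get-DCConsistencyMode {
    # Reads both values on each DC via PowerShell remoting (needs WinRM and admin rights).
    param([Parameter(Mandatory)][string[]]$DomainController)
    foreach ($dc in $DomainController) {
        $values = Invoke-Command -ComputerName $dc -ScriptBlock {
            $p = Get-ItemProperty -Path $using:NtdsParametersPath -ErrorAction Stop
            [pscustomobject]@{
                Strict         = $p.'Strict Replication Consistency'
                CorrectMissing = $p.'Correct Missing Objects'
            }
        }
        $result = ConvertTo-ConsistencyMode -Strict $values.Strict -CorrectMissing $values.CorrectMissing
        $result | Add-Member -NotePropertyName DomainController -NotePropertyValue $dc -PassThru
    }
}

# Offline demonstration with constructed value combinations.
ConvertTo-ConsistencyMode -Strict 1     -CorrectMissing $null   # Strict
ConvertTo-ConsistencyMode -Strict 0     -CorrectMissing $null   # Loose
ConvertTo-ConsistencyMode -Strict $null -CorrectMissing 1       # Loose (legacy hotfix value only)
ConvertTo-ConsistencyMode -Strict $null -CorrectMissing $null   # Absent (guide default: strict)

# Live use (ActiveDirectory module present):
#   Get-DCConsistencyMode -DomainController (Get-ADDomainController -Filter *).HostName |
#       Where-Object AllowsReanimation
```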

The repadmin /removelingeringobjects command does the following:

Designates an up-to-date domain controller as the authority.

Compares the Active Directory database objects on the authoritative server with the objects that are on the suspected domain controller that contains the lingering objects.

With /advisory_mode, the subcommand logs the potential deletions to the Directory Service log.

Without /advisory_mode, the subcommand removes the lingering objects.

Syntax

Repadmin /removelingeringobjects <Dest_DC_LIST> <Source DC GUID> <NC> [/ADVISORY_MODE]

Parameter Description

<Dest_DC_LIST> The domain controller that is suspected to have lingering objects.

<Source DC GUID> Source domain controller GUID used to compare with the suspected domain controller.

<NC> Specifies the distinguished name of the directory partition.

/ADVISORY_MODE Read-only mode.

During lingering object removal, Event ID 1937 is logged to the Directory Service log. This information includes the source domain controller, the objects that are removed, and a total count of all the objects that are removed.
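In practice the advisory-mode check is run against every suspect DC for every naming context, and the Event ID 1937 entries are reviewed before anything is deleted. The following PowerShell is an added example, not code from the Microsoft guide: it resolves the source DC's DSA GUID from its NTDS Settings object, builds one repadmin /removelingeringobjects call per destination and naming context (in /ADVISORY_MODE unless -Remove is given), and runs them. The DC names dc3 and dc4 and the all-zero GUID in the offline demonstration are placeholders; the live path assumes the ActiveDirectory module and repadmin.exe on the PATH.

```powershell
# Added example, not from the Microsoft guide.
function Get-DsaGuid {
    # The <Source DC GUID> repadmin expects is the objectGUID of the DC's NTDS Settings object.
    param([Parameter(Mandatory)][string]$DomainController)
    $dc = Get-ADDomainController -Identity $DomainController
    (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID.Guid
}

function New-LingeringObjectCheck {
    # Pure command-building step: one repadmin invocation per (destination, naming context).
    param(
        [Parameter(Mandatory)][string[]]$Destination,
        [Parameter(Mandatory)][string]$SourceGuid,
        [Parameter(Mandatory)][string[]]$NamingContext,
        [switch]$Remove    # without -Remove the sweep stays read-only (/ADVISORY_MODE)
    )
    foreach ($dest in $Destination) {
        foreach ($nc in $NamingContext) {
            $argList = @('/removelingeringobjects', $dest, $SourceGuid, $nc)
            if (-not $Remove) { $argList += '/ADVISORY_MODE' }
            [pscustomobject]@{
                Destination   = $dest
                NamingContext = $nc
                Arguments     = $argList
                CommandLine   = 'repadmin ' + ($argList -join ' ')
            }
        }
    }
}

function Invoke-LingeringObjectCheck {
    # Runs the prepared checks; the findings themselves land in the Directory Service
    # log of each destination (Event ID 1937), so the output here is mainly for errors.
    param([Parameter(Mandatory)][object[]]$Check)
    foreach ($c in $Check) {
        $output = & repadmin.exe $c.Arguments 2>&1
        [pscustomobject]@{
            Destination   = $c.Destination
            NamingContext = $c.NamingContext
            ExitCode      = $LASTEXITCODE    # non-zero when the call itself failed
            Output        = ($output -join "`n")
        }
    }
}

# Offline demonstration with constructed values (placeholder GUID, hypothetical DC names).
$checks = New-LingeringObjectCheck `
    -Destination   'dc3.hq.cpandl.com', 'dc4.hq.cpandl.com' `
    -SourceGuid    '00000000-0000-0000-0000-000000000000' `
    -NamingContext 'DC=hq,DC=cpandl,DC=com', 'CN=Configuration,DC=hq,DC=cpandl,DC=com'
$checks | Select-Object CommandLine    # four advisory-mode command lines, nothing executed

# Live use (ActiveDirectory module, Domain Admin rights, repadmin.exe on PATH):
#   $guid = Get-DsaGuid -DomainController ws2008a.hq.cpandl.com
#   $ncs  = (Get-ADRootDSE).namingContexts
#   Invoke-LingeringObjectCheck -Check (New-LingeringObjectCheck -Destination dc3.hq.cpandl.com -SourceGuid $guid -NamingContext $ncs)
```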

Advanced domain controller options

By using the options subcommand, you can change the options attribute stored on the NTDS Settings object. The options attribute determines the following behaviors on a domain controller:

Global catalog installation and removal

Enable or disable inbound or outbound replication

Disable connection translation

Note that disabling inbound or outbound replication is specific to the domain controller where you target the operation. So this does not disable intrasite or intersite replication. It just disables Active Directory replication for that domain controller. If the domain controller happens to be the bridgehead server and the Intersite Topology Generator (ISTG) is disabled, then effectively intersite replication to and from that site is disabled.

Syntax

Repadmin /options <DC> [{+|-} IS_GC] [{+|-} DISABLE_INBOUND_REPL] [{+|-} DISABLE_OUTBOUND_REPL] [{+|-} DISABLE_NTDSCONN_XLATE]

+|- turns on or off the associated parameter.

Parameter Description

<DC> Domain controller

IS_GC DSA is a global catalog server.

DISABLE_INBOUND_REPL Disables inbound replication.

DISABLE_OUTBOUND_REPL Disables outbound replication.

DISABLE_NTDSCONN_XLATE Turns off the capability of the KCC to translate connection objects to replication links.

The following table lists the possible values for the options attribute.

Value Description

1 Global catalog server

2 Disable inbound replication

3 2 + 1

4 Disable outbound replication

5 4 + 1

6 4 + 2

7 4 + 2 + 1

8 Disable connection translation
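Because these bits stay set until someone clears them, the options value of every NTDS Settings object is worth auditing. The following PowerShell is an added example, not code from the Microsoft guide: it decodes the attribute using the bit values in the table above and flags domain controllers whose inbound or outbound replication or connection translation is disabled. The site name Hub and the DC name DC3 in the constructed sample are hypothetical, and the live query in the comment assumes the ActiveDirectory module.

```powershell
# Added example, not from the Microsoft guide. Bit values are the ones the guide's
# options table documents for the NTDS Settings object.
$NtdsOptionFlags = [ordered]@{
    IS_GC                  = 1
    DISABLE_INBOUND_REPL   = 2
    DISABLE_OUTBOUND_REPL  = 4
    DISABLE_NTDSCONN_XLATE = 8
}

function ConvertFrom-NtdsOptions {
    # Decodes one options value into flag names and reports bits outside the documented four.
    param([Parameter(Mandatory)][int]$Options)
    $names = foreach ($f in $NtdsOptionFlags.GetEnumerator()) {
        if (($Options -band $f.Value) -ne 0) { $f.Key }
    }
    [pscustomobject]@{
        Options     = $Options
        Flags       = @($names)
        UnknownBits = ($Options -band (-bnot 0xF))
        # Bits 2, 4 and 8 stop the DC replicating or stop the KCC maintaining its links;
        # the guide says they should only be set under support guidance, so flag them.
        Suspicious  = (($Options -band 14) -ne 0)
    }
}

function Get-NtdsOptionReport {
    # $Dsa: objects with DistinguishedName and options, as Get-ADObject returns them.
    param([Parameter(Mandatory)][object[]]$Dsa)
    foreach ($d in $Dsa) {
        $decoded = ConvertFrom-NtdsOptions -Options ([int]$d.options)
        # DN layout: CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,...
        $parts = $d.DistinguishedName -split ','
        [pscustomobject]@{
            DomainController = ($parts[1] -replace '^CN=', '')
            Site             = ($parts[3] -replace '^CN=', '')
            Options          = $decoded.Options
            Flags            = ($decoded.Flags -join '|')
            UnknownBits      = $decoded.UnknownBits
            Suspicious       = $decoded.Suspicious
        }
    }
}

# Live use (ActiveDirectory module, connected forest):
#   $cfg = (Get-ADRootDSE).configurationNamingContext
#   $dsa = Get-ADObject -SearchBase "CN=Sites,$cfg" -LDAPFilter '(objectClass=nTDSDSA)' -Properties options
#   Get-NtdsOptionReport -Dsa $dsa | Where-Object Suspicious | Format-Table -AutoSize

# Constructed sample standing in for the Get-ADObject result (site "Hub" and DC3 are hypothetical).
$sample = @(
    [pscustomobject]@{ DistinguishedName = 'CN=NTDS Settings,CN=WS2008A,CN=Servers,CN=Hub,CN=Sites,CN=Configuration,DC=hq,DC=cpandl,DC=com'; options = 1 }
    [pscustomobject]@{ DistinguishedName = 'CN=NTDS Settings,CN=DC3,CN=Servers,CN=Hub,CN=Sites,CN=Configuration,DC=hq,DC=cpandl,DC=com'; options = 13 }
)
# DC3 (13 = 8 + 4 + 1) decodes to IS_GC|DISABLE_OUTBOUND_REPL|DISABLE_NTDSCONN_XLATE and is flagged.
Get-NtdsOptionReport -Dsa $sample | Format-Table -AutoSize
```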

The following table lists the purpose for the possible procedures using the options attribute.

Procedure Purpose

Disable Outbound Replication Use this procedure to disable Active Directory replication from a domain controller. The domain controller continues to receive inbound replication.

Repadmin /options <ServerName> +disable_outbound_repl where <ServerName> is the name of the domain controller on which you want to disable outbound replication. The tool reports the current options (the options that were in effect prior to pressing ENTER) and the new options (all options that are in effect after pressing ENTER).

Disable inbound Replication Similar to the above step you could disable inbound replication to a server as well.

repadmin /options <ServerName> +disable_inbound_repl

Disable the ability of the KCC to translate connection objects When creating temporary replication links between replication partners, the process could fail if the KCC starts while you perform the procedure. The KCC will delete any replication links for which no corresponding connection object exists.

Advanced site options

By using the siteoptions subcommand, you can change the options attribute stored on the NTDS Site Settings object.

Syntax

Repadmin /siteoptions <DC> /site:<Site> [{+|-} IS_AUTO_TOPOLOGY_DISABLED] [{+|-} IS_TOPL_CLEANUP_DISABLED] [{+|-} IS_TOPL_MIN_HOPS_DISABLED] [{+|-} IS_TOPL_DETECT_STALE_DISABLED] [{+|-} IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED] [{+|-} IS_GROUP_CACHING_ENABLED] [{+|-} FORCE_KCC_WHISTLER_BEHAVIOR] [{+|-} FORCE_KCC_W2K_ELECTION] [{+|-} IS_RAND_BH_SELECTION_DISABLED] [{+|-} IS_SCHEDULE_HASHING_ENABLED] [{+|-} IS_REDUNDANT_SERVER_TOPOLOGY_ENABLED]

Parameter Description

<DC> Domain controller

site: <Site> Site name where the domain controller resides

IS_AUTO_TOPOLOGY_DISABLED Disables the automatic generation of intra-site topology.

IS_TOPL_CLEANUP_DISABLED Disables the cleanup of unneeded connection objects and replication links.

IS_TOPL_MIN_HOPS_DISABLED Disables the KCC rule that all intrasite replication partners should be no more than three hops from any other partner.

IS_TOPL_DETECT_STALE_DISABLED Disables the detection by the KCC of failing replication links and the behavior of the KCC to route around failing links. Use this with the KCC Branch Office mode.

IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED Disables the automatic generation of the intersite topology. Commonly used for creating manual connections, either by hand or with MKDSX.

IS_GROUP_CACHING_ENABLED Enables group caching for use with “no-GC logon.” This setting is also exposed in the UI of Active Directory Sites and Services.

FORCE_KCC_WHISTLER_BEHAVIOR Forces the KCC to operate using the new spanning tree algorithm. It’s not recommended to manually change this setting. The recommended alternative is to raise the forest functional level to Windows Server 2003.

FORCE_KCC_W2K_ELECTION Forces the Windows 2000 domain controller ISTG election logic. The default is for any Windows Server 2003 domain controller to assume the ISTG role.

IS_RAND_BH_SELECTION_DISABLED Disables the new random bridgehead selection behavior. Reverts to Windows 2000 KCC behavior of using a single bridgehead server.

IS_SCHEDULE_HASHING_ENABLED Creates a random schedule on each new connection object based on a hashed value. Helps to balance the load on bridgehead servers.

IS_REDUNDANT_SERVER_TOPOLOGY_ENABLED Creates two inbound connection objects from different domain controllers in a hub site. Reduces impact on FRS (vvjoin) during failover.

Miscellaneous

The following table lists the nbrflagoptions.

Parameter Definition

SYNC_ON_STARTUP Replication of this naming context from this source is attempted when the destination server is booted. This normally only applies to intra-site neighbors.

DO_SCHEDULED_SYNCS Perform replication on a schedule. This flag is normally set unless the schedule for this naming context and source is "never", that is, the empty schedule.

WRITEABLE The local copy of the naming context is writable.

TWO_WAY_SYNC If set, indicates that when inbound replication is complete, the destination server must tell the source server to synchronize in the reverse direction. This feature is used in dial-up scenarios where only one of the two servers can initiate a dial-up connection. For example, this option would be used in a corporate headquarters and branch office, where the branch office connects to the corporate headquarters over the Internet by means of a dial-up ISP connection.

NEVER_SYNCED Synchronization has never been successfully completed from this source.

IGNORE_CHANGE_NOTIFICATIONS This neighbor is set to disable notification-based synchronizations. Within a site, domain controllers synchronize with each other based on notifications when changes occur. This setting prevents this neighbor from performing synchronizations that are triggered by notifications. The neighbor will still do synchronizations based on its schedule, or in response to manually requested synchronizations.

DISABLE_SCHEDULED_SYNC This neighbor is set to not perform synchronizations based on its schedule. The only way this neighbor will perform synchronizations is in response to change notifications or to manually requested synchronizations.

COMPRESS_CHANGES Changes received from this source are to be compressed. This is normally set if, and only if, the source server is in a different site.

NO_CHANGE_NOTIFICATIONS No change notifications should be received from this source. Normally set if, and only if, the source server is in a different site.