Active Directory is a distributed, multimaster replicated database. Every domain controller hosts a full replica of the directory information for its own domain. In Windows 2000 and Windows Server 2003 environments, domain controllers hold a read/write copy of the Active Directory database, so changes can be made to the database on any domain controller in the environment. Replication is the process that ensures that changes made to the replica on one domain controller are transferred to the replicas on the remaining domain controllers. When an object in Active Directory is created, deleted, moved, or changed, Active Directory replication is triggered. In Windows 2000 and Windows Server 2003 environments, the types of Active Directory replication are:
- Intrasite replication: Intrasite replication takes place between domain controllers within the same site. This makes intrasite replication an uncomplicated process. Intrasite replication uses the Remote Procedure Call (RPC) protocol to convey replication data over fast, reliable network connections. Replication data within a site is not compressed.
- Intersite replication: Intersite replication takes place between sites. It can use either RPC over IP or SMTP to convey replication data. Intersite replication has to be manually configured. It occurs between two domain controllers, one in each site, that are called bridgeheads or bridgehead servers. With intersite replication, packets are compressed to conserve bandwidth.
The data that Active Directory replicates is organized into partitions:
- Configuration partition data: Objects stored in the configuration partition relate to the domain structure and replication topology, and are replicated to every domain controller in every domain of the forest.
- Domain partition data: All objects that are stored in a domain exist in the domain partition. Domain partition data is replicated to the domain controllers within that domain.
- Schema partition data: Schema partition data includes information on the objects that can be created in Active Directory and is replicated to every domain controller in the forest.
- Application partition data: A new feature introduced in Windows Server 2003 is the application partition. Applications and services store data in the application partition.
You can use the Active Directory Sites and Services console to configure intersite replication. Configuring intersite replication typically involves:
- Renaming the Default-First-Site-Name object
- Creating site objects and subnet objects
- Creating site link objects
- Configuring site link attributes: site link cost, site link replication frequency, site link replication availability
- Specifying or designating a preferred bridgehead server (BS)
- Creating site link bridges
- Manually creating connection objects
IP replication is typically selected for a site link when a reliable connection exists between domain controllers in different sites. SMTP replication is normally selected when connections are unreliable and slow.
To create a site link:
1. Open the Active Directory Sites and Services console.
2. Open the Sites folder, and then open the Inter-Site Transports folder.
3. Right-click either the IP folder or the SMTP folder, and choose New Site Link from the shortcut menu.
4. The New Object-Site Link dialog box opens.
5. In the Name field, enter a name for the new site link.
6. In the Sites Not In This Site Link box, select the sites to connect. Click Add.
7. Click OK.
To designate a preferred bridgehead server:
1. Open the Active Directory Sites and Services console.
2. In the console tree, expand the Sites folder, expand the site in which you want to create the bridgehead server, and then expand the Servers folder.
3. Right-click the particular server, and select Properties from the shortcut menu.
4. When the Properties dialog box of the server opens, in the Transports available for inter-site transfer section, select the protocol for which the server is to be a bridgehead server. Click Add.
5. Click OK.
The tools available for monitoring and troubleshooting Active Directory replication are:
- Active Directory Replication Monitor (Replmon.exe)
- Replication Diagnostics Tool (Repadmin.exe)
- The Dsastat.exe command-line tool
You can also configure Active Directory event logging.
A few common methods that you can use to monitor or troubleshoot Active Directory replication are summarized below:
- Verify network connectivity in your environment: When Active Directory replication has stopped, verify your existing network connections. For replication to occur, your domain controllers have to be connected by capable LAN links. Using high-speed links typically improves replication performance.
- Verify site links: For domain controllers in different sites to exchange Active Directory information, you have to configure the appropriate site links. When replication is not occurring between sites, verify that a site link object links the current site to a site that is connected to the remainder of the sites in the network.
- Verify the replication topology: You can use the Active Directory Sites and Services console to check that your replication topology is reliable and consistent. Errors are displayed in a dialog box in the console.
- Manually verify that Active Directory information has been synchronized: You should regularly verify that information is synchronized between domain controllers within domains. When replication errors are encountered, check the Directory Service event log in Event Viewer. Active Directory replication errors are written to the Directory Service event log.
There may be instances when Active Directory replication is quite slow. A few methods of correcting this problem are summarized below:
- Having no site link bridge can result in Active Directory information taking quite a while to be replicated between domain controllers. You can create a site link bridge, or you can bridge all site links. This is typically necessary when there are only site links in your network, but no site link bridges.
- If the configured frequency of intersite replication is set too low, you may experience large delays between when changes are made on one domain controller and when they are replicated to a domain controller in a different site. To fix this problem, consider changing the replication frequency setting.
- When your existing network resources are unable to cope with the quantity of traffic generated by Active Directory replication, consider the following:
  - If realistic, modify the replication frequency setting
  - If feasible, configure additional resources for Active Directory replication
  - Create site links
  - Create site link bridges
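To make the interaction between site link cost, replication frequency and site link bridging concrete, here is an added Python model. It is not part of the original article and calls no Windows API: site names, costs and intervals are constructed sample values, and the delay arithmetic (link intervals add up hop by hop when links are not bridged; a single end-to-end connection limited by the largest interval on the path when they are) is a simplification assumed for illustration rather than an exact statement of KCC behaviour.

```python
"""Simplified model of intersite replication routing across site links.

Added example: not part of the original article. Site names, costs and
replication intervals are constructed sample values.
"""
import heapq
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteLink:
    name: str
    sites: frozenset        # sites joined by this link
    cost: int               # site link cost attribute; lower is preferred
    interval_minutes: int   # site link replication frequency attribute


def lowest_cost_path(links, src, dst):
    """Dijkstra over the site graph; each site link is an edge weighted by cost.

    Returns (total_cost, [SiteLink, ...]) or None when dst is unreachable.
    """
    adjacency = {}
    for link in links:
        for a in link.sites:
            for b in link.sites:
                if a != b:
                    adjacency.setdefault(a, []).append((b, link))
    tie = itertools.count()                  # keeps heap entries comparable
    heap = [(0, next(tie), src, [])]
    visited = set()
    while heap:
        cost, _, site, path = heapq.heappop(heap)
        if site in visited:
            continue
        visited.add(site)
        if site == dst:
            return cost, path
        for nxt, link in adjacency.get(site, []):
            if nxt not in visited:
                heapq.heappush(heap, (cost + link.cost, next(tie), nxt, path + [link]))
    return None


def worst_case_delay(path, bridged):
    """Assumed worst-case minutes for a change to cross the path.

    Unbridged (no site link bridge, 'bridge all site links' off): each hop is a
    separate replication cycle through the intermediate site's domain
    controllers, so the link intervals add up.
    Bridged: one end-to-end connection is possible; this model assumes its
    interval is the largest interval on the path. Both are simplifications.
    """
    intervals = [link.interval_minutes for link in path]
    return max(intervals) if bridged else sum(intervals)


def replication_estimate(links, src, dst, bridged):
    """Return (cost, link names, worst-case delay in minutes) or None."""
    found = lowest_cost_path(links, src, dst)
    if found is None:
        return None
    cost, path = found
    return cost, [link.name for link in path], worst_case_delay(path, bridged)


def with_interval(links, link_name, interval_minutes):
    """Return a copy of links with one link's replication interval changed."""
    return [SiteLink(l.name, l.sites, l.cost, interval_minutes) if l.name == link_name else l
            for l in links]


# Constructed sample topology: a chain HQ - Branch - Remote with no direct
# HQ-Remote site link, both links left at the default 180-minute interval.
SAMPLE_LINKS = [
    SiteLink("HQ-Branch", frozenset({"HQ", "Branch"}), cost=100, interval_minutes=180),
    SiteLink("Branch-Remote", frozenset({"Branch", "Remote"}), cost=100, interval_minutes=180),
]

if __name__ == "__main__":
    for bridged in (False, True):
        label = "bridged" if bridged else "unbridged"
        print(label, replication_estimate(SAMPLE_LINKS, "HQ", "Remote", bridged))
    faster = with_interval(SAMPLE_LINKS, "Branch-Remote", 30)
    print("after lowering the Branch-Remote interval:",
          replication_estimate(faster, "HQ", "Remote", False))
```

Running it shows the two remedies from the list above side by side: bridging the links halves the worst-case delay on the sample chain, and lowering one link's replication interval shortens the unbridged delay without touching the topology.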
How to use Replication Monitor to monitor/troubleshoot Active Directory replication
Replication Monitor (Replmon.exe) can be used to:
- View the replication topology and replication information in a highly useful graphical format
- Determine whether domain controllers are replicating Active Directory information correctly
- Determine the status of Active Directory replication
- Manually force replication between domain controllers
The information displayed in the main Replication Monitor window is listed below:
- Naming contexts: All the naming contexts that a server contains are displayed here.
- Replication partners: Each naming context shows the inbound replication partners for that particular naming context.
- Server icons: Server icons enable you to determine information at a glance.
- Log entries: The replication log entries for the connection are displayed in the right pane.
Once you have specified a domain controller for monitoring, you can set view options to suit your needs. To specify view options, open Replication Monitor, and select Options from the View menu. The options that can be selected on the General tab are:
- Show Retired Replication Partners
- Show Transitive Replication Partners and Extended Data
- Notify When Replication Fails After This Number Of Attempts
- Log Files: Settings under Log Files are used to change the default location for the log files.
- Enable Debug Logging: This setting relates to debugging Replmon.
The Replmon replica synchronization options that can be selected are listed below. These options can be configured by right-clicking a monitored server object, and then selecting Synchronize Each Directory Partition with All Servers. The synchronization options that you can select are:
- Disable Transitive Replication: Select this option if you want to troubleshoot a failed replication process to a particular domain controller and you want to manually start the replication process.
- Push Mode: When enabled, replication runs in push mode and the DRA no longer pulls updates.
- Cross Site Boundaries: When enabled, you can start intersite replication, for RPC connections only.
How to use the Replication Diagnostics Tool to monitor/troubleshoot Active Directory replication
The Replication Diagnostics Tool (Repadmin) is a command-line interface that can be quite useful when troubleshooting Active Directory replication. Through Repadmin, you can perform the following:
- Determine the status/validity of Active Directory information on each domain controller
- Force replication between domain controllers
- Manually create the replication topology
The online help shows the syntax for the options and switches of Repadmin; run repadmin /? to display it. To determine the status of the KCC for replication, run repadmin /kcc. To determine the result of the last replication process performed, run repadmin /showreps. If you are running Windows Server 2003, Repadmin offers a few additional functions; to view these, run repadmin /experthelp.
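Checking the result of the last replication attempt for every inbound partner is the step most often automated. The Python script below is an added example, not part of the original article and not a Microsoft tool: it parses saved repadmin /showrepl output and lists the partners whose last attempt failed or that report consecutive failures. The regular expressions assume the usual text layout of repadmin /showrepl (naming context at column 0, partner lines indented beneath it); the embedded sample output is constructed for illustration with placeholder GUIDs, and if your version of the tool formats lines differently the patterns will need adjusting.

```python
"""List failing inbound replication partners from saved 'repadmin /showrepl' output.

Added example: not part of the original article and not a Microsoft tool.
SAMPLE_SHOWREPL is constructed output with placeholder GUIDs.
"""
import re
import sys
from dataclasses import dataclass

NC_RE = re.compile(r"^(?:DC|CN)=")                  # naming context header at column 0
PARTNER_RE = re.compile(r"^\s{2,6}(\S+) via (\w+)$")  # e.g. "    Site\DC via RPC"
SUCCESS_RE = re.compile(r"^\s+Last attempt @ (.+?) was successful\.$")
FAILED_RE = re.compile(r"^\s+Last attempt @ (.+?) failed, result (\d+) \((0x[0-9a-fA-F]+)\):$")
CONSEC_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.$")
LAST_SUCCESS_RE = re.compile(r"^\s+Last success @ (.+?)\.?$")


@dataclass
class InboundNeighbor:
    naming_context: str
    partner: str
    transport: str
    last_attempt: str = ""
    succeeded: bool = True
    result_code: int = 0
    consecutive_failures: int = 0
    last_success: str = ""
    message: str = ""


def parse_showrepl(text):
    """Return one InboundNeighbor per partner listed under each naming context."""
    neighbors, naming_context, current = [], None, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if NC_RE.match(line):
            naming_context, current = line, None
            continue
        m = PARTNER_RE.match(line)
        if m and naming_context is not None:
            current = InboundNeighbor(naming_context, m.group(1), m.group(2))
            neighbors.append(current)
            continue
        if current is None:
            continue
        if m := SUCCESS_RE.match(line):
            current.last_attempt, current.succeeded = m.group(1), True
        elif m := FAILED_RE.match(line):
            current.last_attempt, current.succeeded = m.group(1), False
            current.result_code = int(m.group(2))
        elif m := CONSEC_RE.match(line):
            current.consecutive_failures = int(m.group(1))
        elif m := LAST_SUCCESS_RE.match(line):
            current.last_success = m.group(1)
        elif not current.succeeded and not current.message and not line.lstrip().startswith("DSA"):
            current.message = line.strip()   # error text printed after a failed attempt
    return neighbors


def failing_partners(neighbors):
    """Partners whose most recent attempt failed or that report consecutive failures."""
    return [n for n in neighbors if not n.succeeded or n.consecutive_failures > 0]


# Constructed sample output (placeholder GUIDs); DC3 in Branch-Site is unreachable.
SAMPLE_SHOWREPL = r"""Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 00000000-0000-0000-0000-000000000001

==== INBOUND NEIGHBORS ======================================

DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ 2024-01-15 09:12:03 was successful.
    Branch-Site\DC3 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000003
        Last attempt @ 2024-01-15 09:10:41 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        8 consecutive failure(s).
        Last success @ 2024-01-14 21:05:17.

CN=Configuration,DC=example,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 00000000-0000-0000-0000-000000000002
        Last attempt @ 2024-01-15 09:12:05 was successful.
"""

if __name__ == "__main__":
    # Usage: repadmin /showrepl > showrepl.txt, then run this script with the file as argument.
    # Redirected console output may use the OEM code page; adjust the encoding if needed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_SHOWREPL
    for n in failing_partners(parse_showrepl(text)):
        print(f"{n.naming_context}: {n.partner} via {n.transport} -> result {n.result_code}, "
              f"{n.consecutive_failures} consecutive failure(s), "
              f"last success {n.last_success or 'unknown'}: {n.message}")
```

On the sample output only DC3 is reported, with the Win32 result code, the consecutive failure count and the last successful replication time, which is the information you would carry to the Directory Service event log on that domain controller.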
Active Directory event logging can be configured for the following categories:
- Directory access
- Internal configuration
- Internal processing
- Intersite messaging
- KCC
- MAPI events
- Replication events
- Security events
You can set one of the following logging levels for an event:
The Dsastat.exe command-line options are:
- /loglevel:option, indicates the type of logging. A value of Info, Trace or Debug can be specified.
- /output:option, indicates how results are displayed. A value of Screen, File, or both can be specified.
- /s:servername[portnumber][;servername[portnumber];], for defining the server names that are to be included in the comparison by Dsastat.exe.
- /t:option, for setting whether a statistics comparison or a full-content comparison should be performed. True performs a statistics comparison; False performs a full-content comparison.
- /sort:option, for setting whether sorted queries should be performed. True performs sorted queries; False specifies that sorted queries should not be performed.
- /p:pagesize, for specifying the number of entries that should be returned per page. The default is 64; any value from 1 to 999 can be specified.
- /scope:option, for setting what the search should include. Values that can be set are Base, Onelevel, and Sub-tree.
- /b:searchpath, for specifying the distinguished name of the base search path.
- /filter:ldapfilter, for specifying the LDAP filter that should be used.
- /gcattrs:option[;option;...], for indicating which attributes should be returned. Values that can be set are all, LDAPattributes, ObjectClass, and auto.
- /u:username, for setting the username that should be used for the search.
- /pwd:password, the password associated with the above username.