Managing Active Directory sites and subnets
Divide and Conquer
Configuring ISTG
If you click on a site in the snap-in, the entry NTDS Site Settings appears in the right-hand pane. Open the properties of this entry and the current ISTG is shown in the Inter-Site Topology Generator section.
At this point you can also set the Enable Universal Group Membership Caching option. Universal group memberships are stored only in the global catalog, and a DC needs them at logon to build the user's access token. If no global catalog runs at the site, enabling this option lets the DCs there cache the memberships after the first logon, so logons keep working while the link to the global catalog is down. The caveat is that the cache is refreshed on a schedule, so a change such as removal from a privileged universal group can take effect late at that site. If you have changed the replication topology, you can also have the KCC apply the change immediately instead of waiting for its next run. To do this, proceed as follows:
- Open the Active Directory Sites and Services snap-in.
- Navigate to the site in which you want to recheck the topology.
- Expand Servers and click the DC that is the site's current ISTG role owner.
- Right-click NTDS Settings and select All Tasks | Check Replication Topology from the context menu.
If you right-click a connection object under NTDS Settings, you can trigger replication from that partner immediately with the Replicate Now option. If the partner resides at a different site, however, replication does not necessarily start right away; the request waits for the next window the site link schedule allows. Before replicating data, the DC first makes sure it can connect to the partner and reports the successful connection. If the replication partner is unreachable, an error message is displayed.
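The same information and the same "Check Replication Topology" action from PowerShell, as an added example that is not part of the original article: it lists every site with its ISTG and the state of universal group membership caching, then makes the ISTG of one site re-run the KCC with repadmin /kcc. The site name is an assumption; the script needs the ActiveDirectory (RSAT) module, repadmin, and an account with rights on the Configuration partition.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module and repadmin are installed and the account may modify site settings.
Import-Module ActiveDirectory

# InterSiteTopologyGenerator holds the DN of the ISTG's NTDS Settings object:
#   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
# so the second RDN is the server name.
function Get-IstgName {
    param([string]$NtdsSettingsDn)
    if (-not $NtdsSettingsDn) { return $null }
    return (($NtdsSettingsDn -split ',')[1] -replace '^CN=', '')
}

# Overview of all sites: ISTG and universal group membership caching (UGMC)
Get-ADReplicationSite -Filter * -Properties InterSiteTopologyGenerator, UniversalGroupCachingEnabled |
    ForEach-Object {
        [pscustomobject]@{
            Site        = $_.Name
            ISTG        = Get-IstgName $_.InterSiteTopologyGenerator
            UGMCEnabled = [bool]$_.UniversalGroupCachingEnabled
        }
    } | Format-Table -AutoSize

# Equivalent of All Tasks | Check Replication Topology on the ISTG of one site:
# the KCC recalculates the topology now instead of at its next interval.
$siteName = 'Default-First-Site-Name'   # assumption: replace with your site
$site = Get-ADReplicationSite -Identity $siteName -Properties InterSiteTopologyGenerator
$istg = Get-IstgName $site.InterSiteTopologyGenerator
if (-not $istg) { throw "Site $siteName has no ISTG (is automatic inter-site topology generation disabled?)" }
repadmin /kcc $istg

# Same setting as the snap-in's "Enable Universal Group Membership Caching"
# check box, for a site that has no global catalog of its own:
# Set-ADReplicationSite -Identity $siteName -UniversalGroupCachingEnabled $true
```

The Set-ADReplicationSite line is left as a comment because it changes the site's logon behaviour; run it deliberately, and only for sites that really have no global catalog.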
Fixing Replication Errors
If you have a problem with AD replication, always run full diagnostics on the DCs. It is best to make a simple sketch of the replication connections between the DCs and record exactly which ones can no longer replicate with which. Such a sketch usually shows quickly which DC is the root cause of the problem; then you can take a closer look at it and check whether it is still working within its own site. The next step is to look at the Directory Service log in the Event Viewer. In particular, look for errors from the NTDS KCC, NTDS Replication, or NTDS General sources (on current Windows Server versions the source is ActiveDirectory_DomainService, and Knowledge Consistency Checker, Replication, or General appears as the task category).
The command line is also a convenient way to troubleshoot, whether from cmd.exe or from PowerShell: the familiar repadmin, dcdiag, and nltest tools, as well as others, are available in Active Directory for this purpose. Microsoft shows in an online example exactly what troubleshooting can look like [1]. Before you use these tools to examine replication in more detail, however, you will first want to rule out the most serious and most frequent causes of error:
- Can dcdiag find a general problem on the DC that can no longer replicate? If so, the problem may not be related to replication at all; the DC is simply malfunctioning.
- Has any software been installed on the DC that could interfere with replication, such as security software, a virus scanner, a firewall, or something else?
- Does a hardware failure on the DC prevent replication?
- Does a line, router, or firewall have a problem?
- Can the DC in question still be pinged, and does its DNS name resolve?
- Are general authentication problems between the DCs logged as access denied messages?
- Are the replication intervals between sites set so short that one replication round has not finished by the time the next one starts?
- Have any changes been made to the replication topology that could prevent replication?
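The checklist above as a script, added here as an example and not taken from the original article: it runs the name resolution, reachability, port, authentication, event log, dcdiag, and site-link interval checks against one DC and returns a single object you can paste into the sketch of the replication topology. The DC names are assumptions for contoso.int; it expects the ActiveDirectory and DnsClient modules and dcdiag on a domain-joined admin host.

```powershell
# Added example (not from the original article). $dc is the DC that no longer
# replicates, $partner a DC it is supposed to replicate with (both assumptions).
param(
    [string]$dc      = 'DC5.contoso.int',
    [string]$partner = 'DC1.contoso.int'
)
Import-Module ActiveDirectory

$result = [ordered]@{ DC = $dc }

# 1. Does the DNS name resolve, and does the host answer?
$result.DnsResolves = [bool](Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue)
$result.Pingable    = Test-Connection -ComputerName $dc -Count 2 -Quiet

# 2. Ports a replication partner needs: Kerberos 88, RPC endpoint mapper 135,
#    LDAP 389, SMB 445 (SYSVOL). A firewall or a dead line shows up as a failed port.
foreach ($port in 88, 135, 389, 445) {
    $result["Tcp$port"] = (Test-NetConnection -ComputerName $dc -Port $port `
                           -WarningAction SilentlyContinue).TcpTestSucceeded
}

# 3. Authenticated LDAP bind to the DC and to its partner: an access denied
#    here points at authentication trouble, not at the replication topology.
foreach ($target in $dc, $partner) {
    try   { $null = Get-ADRootDSE -Server $target -ErrorAction Stop; $result["Bind_$target"] = $true }
    catch { $result["Bind_$target"] = "FAILED: $($_.Exception.Message)" }
}

# 4. Directory Service log: critical, error and warning events of the last 24 hours.
#    On current Windows Server the source is ActiveDirectory_DomainService and
#    "Knowledge Consistency Checker" / "Replication" is the task category.
$events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Directory Service'
    Level     = 1, 2, 3
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue
$result.DSEventsLast24h = @($events).Count
$events |
    Select-Object TimeCreated, Id, TaskDisplayName,
                  @{ n = 'Message'; e = { ($_.Message -split '\r?\n')[0] } } -First 10 |
    Format-Table -AutoSize

# 5. Is the DC itself healthy? dcdiag /q prints only failures, so zero lines is good.
$result.DcdiagFailureLines = @(dcdiag "/s:$dc" /q 2>&1).Count

# 6. Site-link intervals: a frequency shorter than a full replication cycle
#    over the link means the rounds overlap.
Get-ADReplicationSiteLink -Filter * |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Format-Table -AutoSize

[pscustomobject]$result
```

Read the result top down: a DC that neither resolves nor answers on port 135 or 389 is a network or host problem and no amount of repadmin will fix it; a successful bind to the partner but a failed bind to the DC itself is the access denied case from the list.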
The most important tool for checking replication in Active Directory is repadmin. To display all inbound replication partnerships of a DC, with the result of the last attempt and any error that might show you why replication fails, enter:
repadmin /showrepl
(older documentation spells this command /showreps). To display only the partnerships with errors, redirect the output to a file, or write the replication status of every DC in the forest to a CSV file, use:
repadmin /showrepl /errorsonly
repadmin /showrepl > c:\repl.txt
repadmin /showrepl * /csv > reps.csv
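The CSV output is the most useful of the three when there are many DCs, because it can be turned into objects. The following function, added here as an example rather than taken from the original article, runs repadmin /showrepl * /csv, keeps only the partnerships with failures and sorts them by the oldest last success. It assumes repadmin is on the path and the account can query every DC.

```powershell
# Added example (not from the original article).
function Get-ReplFailure {
    # Columns of repadmin /showrepl /csv: showrepl_COLUMNS, Destination DSA Site,
    # Destination DSA, Naming Context, Source DSA Site, Source DSA, Transport Type,
    # Number of Failures, Last Failure Time, Last Success Time, Last Failure Status
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv

    # DCs that repadmin could not query at all come back as rows tagged
    # showrepl_ERROR in the first column; they are usually the root cause.
    $rows | Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_ERROR' } |
        ForEach-Object { Write-Warning ('Could not query: ' + ($_.PSObject.Properties.Value -join ' ')) }

    $rows |
        Where-Object { $_.showrepl_COLUMNS -ne 'showrepl_ERROR' -and [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      @{ n = 'Failures'; e = { [int]$_.'Number of Failures' } },
                      'Last Success Time', 'Last Failure Time', 'Last Failure Status' |
        Sort-Object 'Last Success Time'
}

# On screen: the same pairs "repadmin /showrepl /errorsonly" would print, but sortable
Get-ReplFailure | Format-Table -AutoSize

# On disk: only the failing pairs, for the sketch of who cannot talk to whom
Get-ReplFailure | Export-Csv -Path .\repl-failures.csv -NoTypeInformation
```

The Last Failure Status column carries the Win32 error number of the last attempt, which is what you look up next: 1722 is the RPC server being unavailable (network or firewall), 5 is access denied (authentication between the DCs), 8606 and 8614 are lingering-object and tombstone-lifetime problems that the steps below do not fix and that need the DC cleaned up or demoted.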
If a replication connection no longer works, you need the DSA object GUID of each DC involved. Run repadmin /showrepl against a DC: the header of its output contains a line DSA object GUID: followed by the value. You need this GUID to add a connection with the repadmin /add command. The domain name for the example here is contoso.int, and the (illustrative) server GUIDs for the two DCs are:
DC1 GUID = e8b4bce7-13d4-46bb-b521-8a8ccfe4ac06
DC5 GUID = d48b4bce7-13d4-444bb-b521-7a8ccfe4ac06
In the Active Directory Sites and Services snap-in, delete the existing connection objects under the NTDS Settings of the broken DC, then create a new inbound connection on the broken DC (the destination, first GUID-based name) from a working DC (the source, second GUID-based name) with the command:
repadmin /add "cn=configuration,dc=contoso,dc=int" e8b4bce7-13d4-46bb-b521-8a8ccfe4ac06._msdcs.contoso.int d48b4bce7-13d4-444bb-b521-7a8ccfe4ac06._msdcs.contoso.int
In your environment, of course, you use your own server GUIDs and domain name; the rest of the input is identical. The GUID-based names have the form <DSA GUID>._msdcs.<forest root domain>. If you see error 8441 (distinguished name already exists) at this point, a connection object of that name already exists, for example because the KCC has regenerated it in the meantime, and you can continue. Now trigger full replication through the connection you created, naming the destination DC and the GUID of the source DC (not the destination's own GUID):
repadmin /sync cn=configuration,dc=contoso,dc=int DC1 d48b4bce7-13d4-444bb-b521-7a8ccfe4ac06 /force /full
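Reading the GUIDs by hand is where the typos happen, so here is the procedure automated, as an added example that is not part of the original article: it extracts the DSA object GUID from repadmin /showrepl, builds the GUID-based names, adds the connection and pulls the partition. It uses repadmin /replicate, the current spelling of the /sync ... /full call above. Forest name, naming context and DC names are assumptions for contoso.int.

```powershell
# Added example (not from the original article). Assumes repadmin on the path
# and an account allowed to create connection objects in the Configuration NC.
function Get-DsaGuid {
    param([Parameter(Mandatory)][string]$Dc)
    # The header of "repadmin /showrepl <dc>" contains the line
    # "DSA object GUID: e8b4bce7-13d4-46bb-b521-8a8ccfe4ac06"
    $text = (repadmin /showrepl $Dc) -join "`n"
    $m = [regex]::Match($text, 'DSA object GUID:\s*([0-9a-fA-F-]{36})')
    if (-not $m.Success) { throw "No DSA object GUID found in repadmin output for $Dc" }
    return $m.Groups[1].Value
}

$forest  = 'contoso.int'                        # assumption: forest root domain
$nc      = 'cn=configuration,dc=contoso,dc=int' # assumption: partition to repair
$broken  = 'DC1'                                # assumption: destination, no longer replicates
$healthy = 'DC5'                                # assumption: source, still replicates

$brokenGuid  = Get-DsaGuid -Dc $broken
$healthyGuid = Get-DsaGuid -Dc $healthy

# repadmin addresses DCs by GUID-based DNS name: <DSA GUID>._msdcs.<forest root>
$dest = "$brokenGuid._msdcs.$forest"
$src  = "$healthyGuid._msdcs.$forest"

# Inbound connection on $broken that pulls from $healthy (/add <NC> <dest> <src>).
# Error 8441 here means a connection object of that name already exists: continue.
repadmin /add $nc $dest $src

# Pull the whole partition over the new connection (/replicate <dest> <src> <NC>)
repadmin /replicate $broken $healthy $nc /full

# Verify: $healthy must now appear as a source with a successful last attempt
repadmin /showrepl $broken
```

A connection object is an object in the Configuration partition, so the account running this needs rights there, which in practice means Domain Admins of the forest root or Enterprise Admins; do not give helpdesk accounts that right just to make this script runnable.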
Afterward, check in the snap-in that the KCC has again generated connection objects automatically between the failed machine and the working DC. The command repadmin /replsummary /bydest is useful for displaying errors grouped by replication destination. To show the errors grouped by replication source instead, use the command:
repadmin /replsummary /bysrc
Together, the two views give a picture of which inbound and outbound replication actions are not working properly. To check whether replication requests are backing up on a DC because its partners cannot be reached, use:
repadmin /queue
If replication is working, the queue is worked off and stays near zero.
Testing Replication with PowerShell
You can also discover the replication status in PowerShell:
Get-ADReplicationUpToDatenessVectorTable * | Sort Partner,Server |ft Partner,Server,UsnFilter
The asterisk in place of <name of server> shows the table for all servers.
To view the individual sites and the domain controllers with their site assignment, enter:
Get-ADReplicationSite -Filter * | ft Name
Get-ADDomainController -Filter * | ft HostName, Site
The Get-ADReplicationFailure cmdlet lets you check for replication failures in PowerShell. It expects the -Target parameter with the name of the domain controller to be checked:
Get-ADReplicationFailure -Target dc01
If you want to check multiple domain controllers, pass their names as a comma-separated list. The command
Get-ADReplicationFailure -Target "joos.int" -Scope Forest
takes a complete AD forest as the target.
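A forest-wide report built on these cmdlets, added here as an example and not taken from the original article: it lists every recorded failure per destination DC and, separately, every partnership whose last success is older than a threshold, which catches links that are silently stale even though no error is recorded. The forest name is read from Get-ADForest; the 24-hour threshold is an assumption.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module.
Import-Module ActiveDirectory
$forest = (Get-ADForest).RootDomain
$maxAge = [timespan]::FromHours(24)   # assumption: set to longer than your slowest site link schedule

# Failures per destination DC: which partner, which error, since when
Get-ADReplicationFailure -Target $forest -Scope Forest |
    Sort-Object Server, FirstFailureTime |
    Format-Table Server, Partner, FailureType, FailureCount, LastError, FirstFailureTime -AutoSize

# Partnerships that have not succeeded within $maxAge, with or without errors
$cutoff = (Get-Date) - $maxAge
Get-ADReplicationPartnerMetadata -Target $forest -Scope Forest |
    Where-Object { $_.LastReplicationSuccess -lt $cutoff } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  LastReplicationResult, ConsecutiveReplicationFailures |
    Sort-Object LastReplicationSuccess |
    Format-Table -AutoSize
```

The second list is the one to watch from a security standpoint: a DC that has not received the domain partition for days still authenticates users with stale group memberships and password hashes, so a disabled account or a revoked privilege is not yet in effect at that site.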