Managing Active Directory sites and subnets

Divide and Conquer

Configuring ISTG

If you click on a site in the snap-in, the entry NTDS Site Settings appears on the right side. If you call up the properties of this entry, you will see the current ISTG in the Inter-Site Topology Generator section.

At this point you can also customize the Enable Universal Group Membership Caching option. Universal group memberships are stored in the global catalog in Active Directory. If you do not operate a global catalog at the site, this option lets the other DCs at the site cache these memberships locally. If you made changes to the routing topology, you have the option of applying them immediately. To do this, proceed as follows:

  • Open the Active Directory Sites and Services snap-in.
  • Navigate to the site from which you want to start the scan.
  • Click the current ISTG role owner of the site.
  • Right-click NTDS Settings and select All Tasks | Check Replication Topology from the context menu.

If you right-click a connection object and select Replicate Now, replication to this server starts immediately; if the target DC resides at a different site, however, replication does not start immediately but waits until the next time allowed by the schedule. Before replicating data, the DC first makes sure it can connect to the other DCs. The server indicates a successful connection. If the replication partner is unreachable, an error message is displayed.

Fixing Replication Errors

If you have a problem with AD replication, always perform full diagnostics on the DCs. It is best to make a simple sketch of the replication connections of the DCs and record exactly which ones can no longer replicate with which other DCs. A sketch like this will usually help you identify quickly which DC is the root cause of the problem. Then, you can take a closer look at it and check whether it is working within its site. The next step will be to look at the Event Viewer and the Directory Services event log. In particular, look for errors from NTDS KCC, NTDS Replication, or NTDS General.

PowerShell is also a convenient way to troubleshoot. The familiar repadmin, dcdiag, and nltest tools, as well as others, are available in Active Directory for this purpose. Microsoft shows you exactly what troubleshooting can look like in an example online [1]. Before you use tools to examine replication in more detail, however, you will first want to rule out the most serious and most frequent causes of error:

  • Can dcdiag detect a general problem on the DC that can no longer replicate? If so, the problem may not be related to replication at all; the DC may simply be malfunctioning.
  • Has any software been installed on the DC that could be interfering with replication, such as security software, a virus scanner, a firewall, or something else?
  • Does a hardware failure on the DC prevent replication?
  • Does a line, router, or firewall have a problem?
  • Can the corresponding DC still be pinged, and does the DNS name of the server resolve?
  • Are general problems with authentication between DCs logged with access denied messages?
  • Are the replication intervals between sites set to so short an interval that the previous replication has not been completed by the time the next round starts?
  • Have any changes been made to the routing topology that could prevent replication?
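The following PowerShell script is an added example, not code from the article: it automates the first of the checks above for every DC in the current domain by running dcdiag in quiet mode, testing ping and DNS resolution, and counting the last 24 hours of NTDS KCC, NTDS Replication, and NTDS General errors in the Directory Service log. It assumes the RSAT ActiveDirectory module, dcdiag.exe on the path, and rights to read event logs remotely.

```powershell
# Added example, not from the article: pre-checks for each DC before running repadmin.
# Assumes the ActiveDirectory module (RSAT), dcdiag.exe, and remote event log read rights.
Import-Module ActiveDirectory

function Test-DcPrechecks {
    param([int]$HoursBack = 24)

    $since = (Get-Date).AddHours(-$HoursBack)
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $name = $dc.HostName
        $r = [ordered]@{ DC = $name; Site = $dc.Site }

        # Does the DNS name of the server resolve, and can it be pinged?
        $r.Resolves = [bool](Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue)
        $r.Pingable = Test-Connection -ComputerName $name -Count 1 -Quiet

        # dcdiag /q prints only failures, so every non-empty output line is a failed test
        $r.DcdiagFailures = @(dcdiag /s:$name /q | Where-Object { $_.Trim() }).Count

        # Critical/error/warning events from the NTDS providers named in the article
        try {
            $events = Get-WinEvent -ComputerName $name -ErrorAction Stop -FilterHashtable @{
                LogName      = 'Directory Service'
                ProviderName = 'NTDS KCC', 'NTDS Replication', 'NTDS General'
                Level        = 1, 2, 3          # critical, error, warning
                StartTime    = $since
            }
            $r.NtdsErrors  = @($events).Count
            $r.LastNtdsMsg = ($events[0].Message -split "`n")[0]   # first line of the newest event
        } catch {
            # Get-WinEvent throws when nothing matches; treat that as zero, not as a failure
            if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') {
                $r.NtdsErrors = 0; $r.LastNtdsMsg = ''
            } else {
                $r.NtdsErrors = 'n/a'; $r.LastNtdsMsg = $_.Exception.Message   # log unreachable
            }
        }
        [pscustomobject]$r
    }
}

# Show only the DCs that fail at least one pre-check
Test-DcPrechecks | Where-Object {
    -not $_.Resolves -or -not $_.Pingable -or $_.DcdiagFailures -gt 0 -or $_.NtdsErrors -ne 0
} | Format-Table -AutoSize
```

A DC whose event log cannot be read shows NtdsErrors as n/a with the connection error, which is itself worth investigating before looking at replication.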

The most important tool for checking replication in Active Directory is repadmin. To display all the AD replication operations that have occurred, along with errors that might show you what is causing replication to fail, enter:

repadmin /showreps

You can also display only the errors, redirect the display to a file, and send the replication information to a CSV file:

repadmin /showrepl /errorsonly
repadmin /showreps >c:\repl.txt
repadmin /showreps * /csv > reps.csv

If a replication connection does not work, you need to read the server globally unique identifier (GUID) for each server with the

repadmin /showreps

command. Each server shows the directory system agent (DSA) object GUID in the output. You need this GUID to add a connection with the repadmin /add command. The domain name for the example here is contoso.int. The server GUIDs for the two DCs are:

DC1 GUID = e8b4bce7-13d4-46bb-b521-8a8ccfe4ac06
DC5 GUID = d48b4bce7-13d4-444bb-b521-7a8ccfe4ac06

In the Active Directory Sites and Services snap-in, delete all connection objects, then create a new connection from the broken DC to a working DC with the command:

repadmin /add "cn=configuration,dc=contoso,dc=int" e8b4bce7-13d4-46bb-b521-8a8ccfe4ac06._msdcs.contoso.int d48b4bce7-13d4-444bb-b521-7a8ccfe4ac06._msdcs.contoso.int

In your environment, of course, you need to use your own server GUIDs and domain name. The rest of the input is identical. During this action, you see an 8441 (distinguished name already exists) error. Now trigger full replication through the connection you created:

repadmin /sync cn=configuration,dc=contoso,dc=int DC1 e8b4bce7-13d4-46bb-b521-8a8ccfe4ac06 /force /full

After doing so, go to the snap-in and make sure you again have automatically generated connection objects from the failed machine to the working DC. The

repadmin /replsummary /bydest

command is useful for displaying errors by replication target. If you want to show the errors by replication source instead, use the command:

repadmin /replsummary /bysrc

to get a picture of which inbound and outbound replication actions are not working properly. To check whether replications are suspended on a DC because communication with other DCs is impossible, use

repadmin /queue

If replication is working, the queue should be processed and approach zero.

Testing Replication with PowerShell

You can also discover the replication status in PowerShell:

Get-ADReplicationUpToDatenessVectorTable * | Sort Partner,Server |ft Partner,Server,UsnFilter

The asterisk in place of <name of server> displays a list of all servers.

To view the individual sites and their domain controllers, enter:

Get-ADReplicationSite -Filter * | ft Name
Get-ADDomainController -Filter * | ft HostName,Site

The Get-ADReplicationFailure cmdlet lets you check for replication failures in PowerShell. It expects the -Target parameter and the name of the domain controller to be checked:

Get-ADReplicationFailure -Target dc01

If you want to check multiple domain controllers, add the names in a comma-separated list. The command

Get-ADReplicationFailure -Target "joos.int" -Scope Forest

defines a complete AD forest as the target.
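As an added example that is not part of the article, the following script extends the cmdlets above into one forest-wide replication health view: it lists the failures reported by Get-ADReplicationFailure with -Scope Forest and then builds a per-connection table from Get-ADReplicationPartnerMetadata, flagging links whose last successful replication is older than a configurable window. The function name Get-ReplicationHealth and the two-hour default are assumptions; the script needs the ActiveDirectory module and LDAP access to every DC.

```powershell
# Added example, not from the article: one replication health table for the whole forest,
# built from Get-ADReplicationPartnerMetadata and Get-ADReplicationFailure. Assumes the
# ActiveDirectory module and that every DC in the forest is reachable over LDAP.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param([int]$MaxAgeHours = 2)   # flag partners without a successful sync in this window

    $now = Get-Date
    # Get-ADDomainController -Filter * covers only one domain, so walk every domain of the forest
    $dcs = (Get-ADForest).Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

    foreach ($dc in $dcs) {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both `
                    -Partition * -ErrorAction SilentlyContinue
        foreach ($p in $meta) {
            # Partner is the DN of the partner's NTDS Settings object; pull the DC name out of it
            $partnerName = if ($p.Partner -match '^CN=NTDS Settings,CN=([^,]+)') { $Matches[1] } else { $p.Partner }
            [pscustomobject]@{
                Server      = $dc.HostName
                Site        = $dc.Site
                Direction   = $p.PartnerType
                Partner     = $partnerName
                Partition   = $p.Partition
                LastSuccess = $p.LastReplicationSuccess
                Failures    = $p.ConsecutiveReplicationFailures
                LastResult  = $p.LastReplicationResult      # 0 = success, otherwise an error code
                Stale       = (-not $p.LastReplicationSuccess) -or
                              (($now - $p.LastReplicationSuccess).TotalHours -gt $MaxAgeHours)
            }
        }
    }
}

# Forest-wide failure list, the -Scope Forest form described above
Get-ADReplicationFailure -Target (Get-ADForest).Name -Scope Forest |
    Format-Table Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError -AutoSize

# Per-connection view: only the links that are failing or stale
Get-ReplicationHealth | Where-Object { $_.Stale -or $_.LastResult -ne 0 } |
    Sort-Object Server, Partner | Format-Table -AutoSize
```

A non-zero LastResult together with a growing Failures count on a single partner points at that link; the same partner failing for every server points at the partner DC itself.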
