Tag Archives: AD replication

Active Directory Replication Status Review Using PowerShell

Data Replication is crucial for healthy Active Directory Environment. There are different ways to check status of replication. In this article I am going to explain how you can check status of domain replication using PowerShell.

For a given domain controller we can find its inbound replication partners using, 

Get-ADReplicationPartnerMetadata -Target REBEL-SRV01.rebeladmin.com

Above command provide detail description for the given domain controller including last successful replication, replication partition, server etc. 

We can list down all the inbound replication partners for given domain using, 

Get-ADReplicationPartnerMetadata -Target "rebeladmin.com" -Scope Domain

In above command the scope is defined as the domain. this can change to forest and get list of inbound partners in the forest. The output is for default partition.  If needed the partition can change using – Partition to Configuration or Schema partition. It will list down the relevant inbound partners for given partition. 

Associated replication failures for a site, forest, domain, domain controller can find using Get-ADReplicationFailure cmdlet. 

Get-ADReplicationFailure -Target REBEL-SRV01.rebeladmin.com

Above command will list down the replication failures for the given domain controller. 

Replication failures for domain can find out using, 

Get-ADReplicationFailure -Target rebeladmin.com -Scope Domain

Replication failures for forest can find out using, 

Get-ADReplicationFailure -Target rebeladmin.com -Scope Forest

Replication failures for site can find out using, 

Get-ADReplicationFailure -Target LondonSite -Scope Site

In command, LondonSite can replace using relevant site name. 

Using both Get-ADReplicationPartnerMetadata and Get-ADReplicationFailure, following PowerShell script can provide report against specified domain controller. 

## Active Directory Domain Controller Replication Status##

$domaincontroller = Read-Host 'What is your Domain Controller?'

## Define Objects ##

$report = New-Object PSObject -Property @{

ReplicationPartners = $null

LastReplication = $null

FailureCount = $null

FailureType = $null

FirstFailure = $null

}

## Replication Partners ##

$report.ReplicationPartners = (Get-ADReplicationPartnerMetadata -Target $domaincontroller).Partner

$report.LastReplication = (Get-ADReplicationPartnerMetadata -Target $domaincontroller).LastReplicationSuccess

## Replication Failures ##

$report.FailureCount  = (Get-ADReplicationFailure -Target $domaincontroller).FailureCount

$report.FailureType = (Get-ADReplicationFailure -Target $domaincontroller).FailureType

$report.FirstFailure = (Get-ADReplicationFailure -Target $domaincontroller).FirstFailureTime

## Format Output ##

$report | select ReplicationPartners,LastReplication,FirstFailure,FailureCount,FailureType | Out-GridView

In this command, it will give option for engineer to specify the Domain Controller name. 

$domaincontroller = Read-Host 'What is your Domain Controller?'

Then its creates some object and map those to result of the PowerShell command outputs. Last but not least it provides a report to display a report including, 

Replication Partner (ReplicationPartners)

Last Successful Replication (LastReplication)

AD Replication Failure Count (FailureCount)

AD Replication Failure Type (FailureType)

AD Replication Failure First Recorded Time (FirstFailure)

repower1

Further to Active Directory replication topologies, there are two types of replications.

1) Intra-Site – Replications between domain controllers in same Active Directory Site

2) Inter-Site – Replication between domain controllers in different Active Directory Site

We can review AD replication site objects using Get-ADReplicationSite cmdlet. 

Get-ADReplicationSite -Filter *

Above command returns all the AD replication sites in the AD forest. 

repower2

We can review AD replication site links on the AD forest using, 

Get-ADReplicationSiteLink -Filter *

In site links, most important information is to know the site cost and replication schedule. It allows ro understand the replication topology and expected delays on replications. 

Get-ADReplicationSiteLink -Filter {SitesIncluded -eq "CanadaSite"} | Format-Table Name,Cost,ReplicationFrequencyInMinutes -A

Above command list all the replication sites link included CanadaSite AD site along with the site link name, link cost, replication frequency. 

A site link bridge can use to bundle two or more site links and enables transitivity between site links.

Site link bridge information can retrieve using, 

Get-ADReplicationSiteLinkBridge -Filter *

Active Directory sites may use multiple IP address segments for its operations. It is important to associate those with the AD site configuration so domain controllers know which computer related to which site. 

Get-ADReplicationSubnet -Filter * | Format-Table Name,Site -A

Above command will list down all the Subnets in the forest in a table with subnet name and AD site.

repower3

Bridgehead servers are operating as the primary communication point to handle replication data which comes in and go out from AD site. 

We can list down all the preferred bridgehead servers in a domain using, 

$BHservers = ([adsi]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=rebeladmin,DC=com").bridgeheadServerListBL

$BHservers | Out-GridView

In above command the attribute value bridgeheadServerListBL retrieve via ADSI connection. 

We can list down all of these findings using on script. 

## Script to gather information about Replication Topology ##

## Define Objects ##

$replreport = New-Object PSObject -Property @{

Domain = $null

}

## Find Domain Information ##

$replreport.Domain = (Get-ADDomain).DNSroot

## List down the AD sites in the Domain ##

$a = (Get-ADReplicationSite -Filter *)

Write-Host "########" $replreport.Domain "Domain AD Sites" "########"

$a | Format-Table Description,Name -AutoSize

## List down Replication Site link Information ##

$b = (Get-ADReplicationSiteLink -Filter *)

Write-Host "########" $replreport.Domain "Domain AD Replication SiteLink Information" "########"

$b | Format-Table Name,Cost,ReplicationFrequencyInMinutes -AutoSize

## List down SiteLink Bridge Information ##

$c = (Get-ADReplicationSiteLinkBridge -Filter *)

Write-Host "########" $replreport.Domain "Domain AD SiteLink Bridge Information" "########"

$c | select Name,SiteLinksIncluded | Format-List

## List down Subnet Information ##

$d = (Get-ADReplicationSubnet -Filter * | select Name,Site)

Write-Host "########" $replreport.Domain "Domain Subnet Information" "########"

$d | Format-Table Name,Site -AutoSize

## List down Prefered BridgeHead Servers ##

$e = ([adsi]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=rebeladmin,DC=com").bridgeheadServerListBL

Write-Host "########" $replreport.Domain "Domain Prefered BridgeHead Servers" "########"

$e

## End of the Script ##

The only thing we need to change is the ADSI connection with relevant domain DN. 

$e = ([adsi]"LDAP://CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=rebeladmin,DC=com")

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Manage Active Directory Permissions with Delegate Control method

In one of my previous post I explained how we can manage AD administration privileges using ACLs. If you didn’t read it yet you can find it using http://www.rebeladmin.com/2018/02/step-step-guide-manage-active-directory-permissions-using-object-acls/

This Delegate Control method also works similar to ACLs, but its simplified the process as its uses,

Delegation of Control Wizard which can use to apply delegated permissions. 

Allows to use predefined tasks and assign permission to those

The Wizard contain following predefined tasks which can use to assign permissions. 

Create, delete, and manage user accounts

Reset user passwords and force password change at next logon

Read all user information

Create, delete and manage groups

Modify the membership of a group

Manage Group Policy links

Generate Resultant Set of Policy (Planning)

Generate Resultant Set of Policy (Logging)

Create, delete, and manage inetOrgPerson accounts

Reset inetOrgPerson passwords and force password change at next logon

Read all inetOrgPerson information

This also allows to create custom task to delegate permissions, if it’s not covered from the common task list. 

Similar to ACLs, Permissions can apply in,

1) Site – Delegated permission will valid for all the objects under the given Active Directory Site. 

2) Domain – Delegated permission will valid for all the objects under the given Active Directory Domain. 

3) OU – Delegated permission will valid for all the objects under the given Active Directory OU.

As an example, I have a security group called Second Line Engineers and Scott is a member of it. I like to allow members of this group to reset password for objects in OU=Users,OU=Europe,DC=rebeladmin,DC and nothing else. 

1) Log in to Domain Controller as Domain Admin/Enterprise Admin

2) Review Group Membership Using 

Get-ADGroupMember “Second Line Engineers”

dele1

3) Go to ADUC, right click on the Europe OU, then from list click on “Delegate Control

4) This will open new wizard, in initial page click Next to proceed. 

5) In next page, Click on Add button and add the Second Line Engineers group to it. Then click Next to proceed.

dele2

6) From the task to delegate window select Delegate the following common tasks option and from list select Reset user passwords and force password change at next logon. In this page, we can select multiple tasks. If none of those works, we still can create custom task to delegate. Once completes the selection, click next to proceed. 

dele3

7) This completes the wizard and click on Finish to complete. 

8) Now it’s time for testing. I log in to Windows 10 computer which has RSAT tools installed as user Scott. 

According to permissions, I should be able to reset password of an object under OU=Users,OU=Europe,DC=rebeladmin,DC

Set-ADAccountPassword -Identity dfrancis

This allows to change the password successfully. 

dele4

However, it should not allow to delete any objects. we can test it using,

Remove-ADUser -Identity "CN=Dishan Francis,OU=Users,OU=Europe,DC=rebeladmin,DC=com"

And as expected, it returns access denied error. 

dele5

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Step-by-Step guide to force replication for an AD Object (PowerShell Guide)

Once object is added to a domain controller, it needs to replicate to all other domain controllers. otherwise users will face issues on login, using AD integrated application and services etc. The replication is depending on many different facts such as replication schedule, intra site connectivity. However sometime it is required to force the replication between domain controllers for fast results. Following script can use to replicate a object from one DC to another forcefully. 

## Replicate Object to From Domain Controller to Another ##

$myobject = Read-Host 'What is your AD Object Includes?'

$sourcedc = Read-Host 'What is the Source DC ?'

$destinationdc = Read-Host 'What is the Destination DC ?'

$passobject = (Get-ADObject -Filter {Name -Like $myobject})

Sync-ADObject -object $passobject -source $sourcedc -destination $destinationdc

Write-Host "Given Object Replicated to" $destinationdc

Above script will ask for few questions, 

1) Name of Object – This no need to be DN. All need is text included in object Name field

2) Source DC – Hostname of Source DC

3) Destination DC – Hostname of Destination DC

Once relevance info provided, the object will be replicated forcefully. 

frep1

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

How Active Directory Replication Works?

Active Directory Infrastructure is depending on healthy replication. Every domain controller in the network should aware of every change which has made. When domain controller triggers a sync, it passes the data through the physical network to the destination.

In active directory environment, there are mainly two types of replications.

1) Intra-Site Replication 

2) Inter-Site Replication

Intra-Site Replication

As the name confirms, this covers the replication happens with in a site. By default, (according to Microsoft) any domain controller will aware of any directory update within 15 seconds. Within site despite the number of domain controllers, any directory update will be replicate in less than one minute. 

rep1

Within the site, the replication connections are performing in ring topology. Which mean an any give domain controller have two replication links (of cause if there is minimum of three domain controllers). this architecture will prevent domain controllers having endless replication loops. As example if there are 5 domain controllers and if all are connected to each other with one-to-one connection each domain controller will have 4 connection and when there is an update in one of the domain controller it will need to advertise it to 4 domain controllers. then the first one to receive update will advertise to its 4 connected domain controllers and its go on and on. It will be too much replication processes to advertise, listen and sort out the conflicts. But in ring topology, despite the number of domain controllers in the site, any given domain controller only need to advertise or listen to two domain controllers in any given time. This replication topology is no need to configure manually and active directory will automatically determine the connections it need to make. When number of domain controllers grow, the replication time can grow as well as its in ring topology. But to avoid the latency active directory will create additional connections. This is also determined automatically and we do not need to worry about these replication connections. 

Inter-Site Replication

If active directory infrastructure contains more than one site, a change happens in one site need to replicate over to other sites. This is called as inter-site replication and its topology is different from the intra-site replication. Replication with in site is always benefited from the high-speed links. But when it comes to between sites bandwidth, latency and reliability comes to considerations. In previous section, we discussed about site-links, site costs and replication schedules when we can use to control the inter-site replication. 

rep2

When it comes to inter-site, the replication will happen via site links. The replication with in each site still uses the ring topology. In above example let’s assume an object been added to REBEL-DC-02 in London Site. Now based on the topology it will be advertise to REBEL-DC-03 too. But apart from been domain controller, this particular domain controller is bridgehead server as well. So, it is this server’s responsibility to advertise the updates it received in to the bridge server in Canada Site which is REBEL-DC-04. Once it receives the update it will advertise to other domain controllers in the site. The replication between sites still need to obey the rules which is applied to control the replication. Active Directory domain services automatically selects the bridgehead server for a site. But if need we can decide what should act as bridgehead server for site. 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Troubleshooting Active Directory Replication Issues (PowerShell Guide)

There are certain windows cmdlets and utilities which we can use for replication issues troubleshooting purpose. Among those, Repadmin.exe is most commonly used Microsoft utility. This is available in servers which have AD DS or AD LDS role installed. It is also part of Remote Server Administration Tools (RSAT). This utility recommended to run as Domain Administrator or Enterprise Administrator. However, it is also possible to delegate permission only to review and manage replication. 

Let’s see it’s in action 

repadmin /replsummary /bydest

above command summarizes the replication status for all domain controllers based on the replication destination. This parameter does not display the source domain controller.

repadmin /replsummary /bysrc

above command summarizes the replication status for all domain controllers based on the replication source. This parameter does not display the destination domain controller.

repadmin /showrepl REBEL-SRV01.therebeladmin.com 

above command shows the replication partners for REBEL-SRV01.therebeladmin.com and the status of last sync attempt. 

repadmin /showrepl /errorsonly 

above command will list down the replication partners which have replication errors (last sync attempt failed) 

we also can view results in CSV format.

repadmin /showrepl /csv

tr1

repadmin /syncall REBEL-SRV01 dc=therebeladmin,dc=com

above command initiates domain directory partition synchronization with all replication partners of REBEL-SRV01. 

It will also indicate if there were any issues by doing it.

tr2

repadmin /queue

above command shows if there are any unprocessed inbound replications requests. If system keep que requests it can be due to high number of AD changes, System resource issue or too many replication partners. 

repadmin /showchanges REBELNET-PDC01 d3f89917-5fff-40a8-scc2-b148b60d9309 dc=therebeladmin,dc=com

above command list down the changes which are not replicated between server REBELNET-PDC01 and REBEL-SRV01. In here REBEL-SRV01 is the source server and it is listed with object GUID. 

tr3

repadmin /replicate REBEL-SRV01 REBELNET-PDC01 dc=therebeladmin,dc=com

above command initiate immediate directory partition replication from REBELNET-PDC01 to REBEL-SRV01.

Apart from the repadmin, there are certain PowerShell cmdlets which we can use to troubleshoot replication issues. Get-ADReplicationFailure cmdlet is one of those which can collect data about replication failures. 

Get-ADReplicationFailure -Target REBEL-SRV01

Above command will collect information about replication failures associated with REBEL-SRV01. 

This also can do with multiple servers. 

Get-ADReplicationFailure -Target REBEL-SRV01,REBELNET-PDC01

Further we can target all the domain controllers in the domain.

Get-ADReplicationFailure -Target "therebeladmin.com" -Scope Domain

Or even entire forest

Get-ADReplicationFailure -Target " therebeladmin.com" -Scope Forest

Get-ADReplicationConnection cmdlet can list down replication partner details for the given domain controller. 

Get-ADReplicationConnection -Filter *

Above command will list down all replication connection for the domain controller you logged in. 

tr4

We also can filter the replication connections based on the attributes. 

Get-ADReplicationConnection -Filter {ReplicateToDirectoryServer -eq "REBEL-SRV01"}

Above command will list down the replication connections with destination server as REBEL-SRV01.

We also can force sync object between domain controllers. 

Sync-ADObject -object “adam” -source REBEL-SRV01 -destination REBELNET-PDC01

Above command will sync user object adam from REBEL-SRV01 to REBELNET-PDC01

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Non-Authoritative and Authoritative SYSVOL Restore (DFS Replication)

Healthy SYSVOL replication is key for every active directory infrastructure. when there is SYSVOL replication issues you may notice,

1. Users and systems are not applying their group policy settings properly. 

2. New group policies not applying to certain users and systems. 

3. Group policy object counts is different between domain controllers (inside SYSVOL folders)

4. Log on scripts are not processing correctly

Also, same time if you look in to event viewer you may able to find events such as,

Event Id

Event Description

2213

The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.

Recovery Steps

1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.

2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:

wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid=”xxxxxxxx″ call ResumeReplication

5002

The DFS Replication service encountered an error communicating with partner <FQDN> for replication group Domain System Volume.

5008

The DFS Replication service failed to communicate with partner <FQDN> for replication group Home-Replication. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.

5014

The DFS Replication service is stopping communication with partner <FQDN> for replication group Domain System Volume due to an error. The service will retry the connection periodically.

Some of these errors can be fixed with simple server reboot or running commands describe in the error ( ex – event 2213 description) but if its keep continuing we need to do Non-Authoritative or Authoritative SYSVOL restore.

Non-Authoritative Restore 

If it’s only one or few domain controller (less than 50%) which have replication issues in a given time, we can issue a non-authoritative replication. In that scenario, system will replicate the SYSVOL from the PDC. 

Authoritative Restore

If more than 50% of domain controllers have SYSVOL replication issues, it possible that entire SYSVOL got corrupted. In such scenario, we need to go for Authoritative Restore. In this process, first we need to restore SYSVOL from backup to PDC and then replicate over or force all the domain controllers to update their SYSVOL copy from the copy in PDC. 

SYSVOL can replicate using FRS too. This is deprecated after windows server 2008, but if you migrated from older Active Directory environment you may still have FRS for SYSVOL replication. It also supports for Non-Authoritative and Authoritative restore but in this demo, I am going to talk only about SYSVOL with DFS replication. 

Non-Authoritative DFS Replication 

In order to perform a non-authoritative replication,

1) Backup the existing SYSVOL – This can be done by copying the SYSVOL folder from the domain controller which have DFS replication issues in to a secure location. 

2) Log in to Domain Controller as Domain Admin/Enterprise Admin

3) Launch ADSIEDIT.MSC tool and connect to Default Naming Context

sys1

4) Brows to DC=domain,DC=local > OU=Domain Controllers > CN=(DC NAME) > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription

5) Change value of attribute msDFSR-Enabled = FALSE

sys2

6) Force the AD replication using,

repadmin /syncall /AdP

7) Run following to install the DFS management tools using (unless this is already installed), 

Add-WindowsFeature RSAT-DFS-Mgmt-Con

8) Run following command to update the DFRS global state,

dfsrdiag PollAD

9) Search for the event 4114 to confirm SYSVOL replication is disabled. 

Get-EventLog -Log "DFS Replication" | where {$_.eventID -eq 4114} | fl

10) Change the attribute value back to msDFSR-Enabled=TRUE (step 5)

11) Force the AD replication as in step 6

12) Update DFRS global state running command in step 8

13) Search for events 4614 and 4604 to confirm successful non-authoritative synchronization. 

sys3

All these commands should run from domain controllers set as non-authoritative. 

Authoritative DFS Replication 

In order to perform to initiate authoritative DFS Replication,

1) Log in to PDC FSMO role holder as Domain Administrator or Enterprise Administrator

2) Stop DFS Replication Service (This is recommended to do in all the Domain Controllers)

3) Launch ADSIEDIT.MSC tool and connect to Default Naming Context

4) Brows to DC=domain,DC=local > OU=Domain Controllers > CN=(DC NAME) > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription

5) Update the given attributes values as following, 

msDFSR-Enabled=FALSE

msDFSR-options=1

sys4

6) Modify following attribute on ALL other domain controller.

msDFSR-Enabled=FALSE

7) Force the AD replication using,

repadmin /syncall /AdP

8) Start DFS replication service in PDC

9) Search for the event 4114 to verify SYSVOL replication is disabled.

10) Change following value which were set on the step 5,

msDFSR-Enabled=TRUE

11) Force the AD replication using,

repadmin /syncall /AdP

12) Run following command to update the DFRS global state,

dfsrdiag PollAD

13) Search for the event 4602 and verify the successful SYSVOL replication. 

14) Start DFS service on all other Domain Controllers

15) Search for the event 4114 to verify SYSVOL replication is disabled.

16) Change following value which were set on the step6. This need to be done on ALL domain controllers. 

msDFSR-Enabled=TRUE

17) Run following command to update the DFRS global state,

dfsrdiag PollAD

18) Search for events 4614 and 4604 to confirm successful authoritative synchronization. 

Please note you do not need to run Authoritative DFS Replication for every DFS replication issue. It should be the last option.

Hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com 

The Active Directory Replication Status Tool (ADREPLSTATUS)

Healthy Active directory replication is important for active directory infrastructure. REPADMIN is command line utility which can use to check the AD replication status. I wrote an article before about common replication errors and how to use these command line utilities for troubleshooting. If you till not read it you can find it in here.

The Active Directory Replication Status Tool (ADREPLSTATUS) is a small but handy tool Microsoft published which can use to analyze the replication status of active directory environment. The output is similar to output of command REPADMIN /SHOWREPL * /CSV but with few enhancements.

Specific capabilities for this tool include:

    • Expose Active Directory replication errors occurring in a domain or forest
    • Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
    • Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
    • Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis

System Requirement

Domain membership requirements:

    • Must be joined to the Active Directory domain or forest you intend to monitor
.NET Framework requirements:
    • .NET Framework 4.0 (you may be prompted to install .NET Framework 3.5.1 first on Windows Server 2008)

Required User Credentials:

    • Target forest/domain user account

Other Requirements:

ADREPLSTATUS will not work when the following security setting is enabled on the operating system:
    • System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

The tool can be download from https://www.microsoft.com/en-gb/download/details.aspx?id=30005

Installation

It is very straight forward. All need to do is double click on the file.

Once install, double click on the icon to run the application.

status1

status2

Once tool is loaded, you can check the replication on entire forest or specific domains.

status3

After you specify the replication boundaries, click on refresh replication status button. It will discover the current configuration and replication status.

status4

status5

status6

If you required you can export the data to xps or csv format.

status7

hope this info helps. If you have any questions feel free to contact me on rebeladm@live.com

Active Directory Replication

In an infrastructure setup, it may have many domain controllers. Some may even in different sites. But in order to keep the consistency in network it’s important to have proper replication between these domain controllers. It is important to plan and optimize the replication process. For example let’s assume you have a remote site which is connect via 256kb link with head office. According to setup site have sales team and the AD sync is not crucial during the day to day work. So if we just leave it to trigger sync with default schedule it will just use large portion of the link just for this AD sync traffic. So when you place your AD servers in network make sure you also plan for the optimization in replication process.

AD replication between sites built based on the active directory knowledge consistency checker (KCC). Replication process is works differently based on the fact that traffic is passing within the site or between sites. Within site the replication will be fast and occurs more frequent.

When optimizing the replication process you can mainly use 3 factors.

Site Cost – This represent the bandwidth between sites.

Schedule – This represent how often replication should happen. For ex- If the site is just need 1 time replication for day for its operations no point doing it in every 2 hours’ time.

Interval – By default replication happens in every 180 minutes

It is always recommended to create sites where domain controller is placed. For example if the office A is in different city, we can create it as different site in the network. But if the bandwidth is not matters you still can keep it as one site.

If you use different sites, the replications happens via site link. Once you create site links it goes to inter-site transport container and it confirms the connectivity between each sites. The site links can reuse for sites which have same connectivity and availability.

To check the replication we can use 2 command line tools. Apart from that event viewer also can use to identify replication issues.

1)    repadmin /showrepl
2)    dcdiag /test:replications

In following I list down the main replication errors and solution for them.

Slow replication – most common replication error. To fix it you need to review event viewer entries. Also you need to review the AD topology, such as how sites are linked and how those site links are optimized.

Access is denied error – to fix it you need to follow

1)    stop the KDC service – net stop kdc
2)    purge ticket cache in DC
3)    reset domain controller’s account password
4)    sync replication partner’s domain directory partition with the PDC emulator
5)    force replication
6)    start the KDC service

DNS lookup failure / RPC service unavailable – to fix this error follow following steps

1)    Run dcdiag /test:connectivity to verify DNS CNAME and A records
2)    Check the IP configuration and ping domain controller
3)    Restart netlogon service

Site and site link errors – check if the sites and site links connectivity is ok.

Manual replication access denied –   verify the replication synchronization permissions. Use repadmin or replmon tools to force replication.

This is the end of article and if any questions feel free to ask me on rebeladm@live.com