Tag Archives: AD replication

Step-by-Step guide to force replication for an AD Object (PowerShell Guide)

Once object is added to a domain controller, it needs to replicate to all other domain controllers. otherwise users will face issues on login, using AD integrated application and services etc. The replication is depending on many different facts such as replication schedule, intra site connectivity. However sometime it is required to force the replication between domain controllers for fast results. Following script can use to replicate a object from one DC to another forcefully. 

## Replicate Object to From Domain Controller to Another ##

$myobject = Read-Host 'What is your AD Object Includes?'

$sourcedc = Read-Host 'What is the Source DC ?'

$destinationdc = Read-Host 'What is the Destination DC ?'

$passobject = (Get-ADObject -Filter {Name -Like $myobject})

Sync-ADObject -object $passobject -source $sourcedc -destination $destinationdc

Write-Host "Given Object Replicated to" $destinationdc

Above script will ask for few questions, 

1) Name of Object – This no need to be DN. All need is text included in object Name field

2) Source DC – Hostname of Source DC

3) Destination DC – Hostname of Destination DC

Once relevance info provided, the object will be replicated forcefully. 

frep1

This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

How Active Directory Replication Works?

Active Directory Infrastructure is depending on healthy replication. Every domain controller in the network should aware of every change which has made. When domain controller triggers a sync, it passes the data through the physical network to the destination.

In active directory environment, there are mainly two types of replications.

1) Intra-Site Replication 

2) Inter-Site Replication

Intra-Site Replication

As the name confirms, this covers the replication happens with in a site. By default, (according to Microsoft) any domain controller will aware of any directory update within 15 seconds. Within site despite the number of domain controllers, any directory update will be replicate in less than one minute. 

rep1

Within the site, the replication connections are performing in ring topology. Which mean an any give domain controller have two replication links (of cause if there is minimum of three domain controllers). this architecture will prevent domain controllers having endless replication loops. As example if there are 5 domain controllers and if all are connected to each other with one-to-one connection each domain controller will have 4 connection and when there is an update in one of the domain controller it will need to advertise it to 4 domain controllers. then the first one to receive update will advertise to its 4 connected domain controllers and its go on and on. It will be too much replication processes to advertise, listen and sort out the conflicts. But in ring topology, despite the number of domain controllers in the site, any given domain controller only need to advertise or listen to two domain controllers in any given time. This replication topology is no need to configure manually and active directory will automatically determine the connections it need to make. When number of domain controllers grow, the replication time can grow as well as its in ring topology. But to avoid the latency active directory will create additional connections. This is also determined automatically and we do not need to worry about these replication connections. 

Inter-Site Replication

If active directory infrastructure contains more than one site, a change happens in one site need to replicate over to other sites. This is called as inter-site replication and its topology is different from the intra-site replication. Replication with in site is always benefited from the high-speed links. But when it comes to between sites bandwidth, latency and reliability comes to considerations. In previous section, we discussed about site-links, site costs and replication schedules when we can use to control the inter-site replication. 

rep2

When it comes to inter-site, the replication will happen via site links. The replication with in each site still uses the ring topology. In above example let’s assume an object been added to REBEL-DC-02 in London Site. Now based on the topology it will be advertise to REBEL-DC-03 too. But apart from been domain controller, this particular domain controller is bridgehead server as well. So, it is this server’s responsibility to advertise the updates it received in to the bridge server in Canada Site which is REBEL-DC-04. Once it receives the update it will advertise to other domain controllers in the site. The replication between sites still need to obey the rules which is applied to control the replication. Active Directory domain services automatically selects the bridgehead server for a site. But if need we can decide what should act as bridgehead server for site. 

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Troubleshooting Active Directory Replication Issues (PowerShell Guide)

There are certain windows cmdlets and utilities which we can use for replication issues troubleshooting purpose. Among those, Repadmin.exe is most commonly used Microsoft utility. This is available in servers which have AD DS or AD LDS role installed. It is also part of Remote Server Administration Tools (RSAT). This utility recommended to run as Domain Administrator or Enterprise Administrator. However, it is also possible to delegate permission only to review and manage replication. 

Let’s see it’s in action 

repadmin /replsummary /bydest

above command summarizes the replication status for all domain controllers based on the replication destination. This parameter does not display the source domain controller.

repadmin /replsummary /bysrc

above command summarizes the replication status for all domain controllers based on the replication source. This parameter does not display the destination domain controller.

repadmin /showrepl REBEL-SRV01.therebeladmin.com 

above command shows the replication partners for REBEL-SRV01.therebeladmin.com and the status of last sync attempt. 

repadmin /showrepl /errorsonly 

above command will list down the replication partners which have replication errors (last sync attempt failed) 

we also can view results in CSV format.

repadmin /showrepl /csv

tr1

repadmin /syncall REBEL-SRV01 dc=therebeladmin,dc=com

above command initiates domain directory partition synchronization with all replication partners of REBEL-SRV01. 

It will also indicate if there were any issues by doing it.

tr2

repadmin /queue

above command shows if there are any unprocessed inbound replications requests. If system keep que requests it can be due to high number of AD changes, System resource issue or too many replication partners. 

repadmin /showchanges REBELNET-PDC01 d3f89917-5fff-40a8-scc2-b148b60d9309 dc=therebeladmin,dc=com

above command list down the changes which are not replicated between server REBELNET-PDC01 and REBEL-SRV01. In here REBEL-SRV01 is the source server and it is listed with object GUID. 

tr3

repadmin /replicate REBEL-SRV01 REBELNET-PDC01 dc=therebeladmin,dc=com

above command initiate immediate directory partition replication from REBELNET-PDC01 to REBEL-SRV01.

Apart from the repadmin, there are certain PowerShell cmdlets which we can use to troubleshoot replication issues. Get-ADReplicationFailure cmdlet is one of those which can collect data about replication failures. 

Get-ADReplicationFailure -Target REBEL-SRV01

Above command will collect information about replication failures associated with REBEL-SRV01. 

This also can do with multiple servers. 

Get-ADReplicationFailure -Target REBEL-SRV01,REBELNET-PDC01

Further we can target all the domain controllers in the domain.

Get-ADReplicationFailure -Target "therebeladmin.com" -Scope Domain

Or even entire forest

Get-ADReplicationFailure -Target " therebeladmin.com" -Scope Forest

Get-ADReplicationConnection cmdlet can list down replication partner details for the given domain controller. 

Get-ADReplicationConnection -Filter *

Above command will list down all replication connection for the domain controller you logged in. 

tr4

We also can filter the replication connections based on the attributes. 

Get-ADReplicationConnection -Filter {ReplicateToDirectoryServer -eq "REBEL-SRV01"}

Above command will list down the replication connections with destination server as REBEL-SRV01.

We also can force sync object between domain controllers. 

Sync-ADObject -object “adam” -source REBEL-SRV01 -destination REBELNET-PDC01

Above command will sync user object adam from REBEL-SRV01 to REBELNET-PDC01

This marks the end of this blog post. Hope this was useful. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.

Non-Authoritative and Authoritative SYSVOL Restore (DFS Replication)

Healthy SYSVOL replication is key for every active directory infrastructure. when there is SYSVOL replication issues you may notice,

1. Users and systems are not applying their group policy settings properly. 

2. New group policies not applying to certain users and systems. 

3. Group policy object counts is different between domain controllers (inside SYSVOL folders)

4. Log on scripts are not processing correctly

Also, same time if you look in to event viewer you may able to find events such as,

Event Id

Event Description

2213

The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.

Recovery Steps

1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.

2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:

wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid=”xxxxxxxx″ call ResumeReplication

5002

The DFS Replication service encountered an error communicating with partner <FQDN> for replication group Domain System Volume.

5008

The DFS Replication service failed to communicate with partner <FQDN> for replication group Home-Replication. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.

5014

The DFS Replication service is stopping communication with partner <FQDN> for replication group Domain System Volume due to an error. The service will retry the connection periodically.

Some of these errors can be fixed with simple server reboot or running commands describe in the error ( ex – event 2213 description) but if its keep continuing we need to do Non-Authoritative or Authoritative SYSVOL restore.

Non-Authoritative Restore 

If it’s only one or few domain controller (less than 50%) which have replication issues in a given time, we can issue a non-authoritative replication. In that scenario, system will replicate the SYSVOL from the PDC. 

Authoritative Restore

If more than 50% of domain controllers have SYSVOL replication issues, it possible that entire SYSVOL got corrupted. In such scenario, we need to go for Authoritative Restore. In this process, first we need to restore SYSVOL from backup to PDC and then replicate over or force all the domain controllers to update their SYSVOL copy from the copy in PDC. 

SYSVOL can replicate using FRS too. This is deprecated after windows server 2008, but if you migrated from older Active Directory environment you may still have FRS for SYSVOL replication. It also supports for Non-Authoritative and Authoritative restore but in this demo, I am going to talk only about SYSVOL with DFS replication. 

Non-Authoritative DFS Replication 

In order to perform a non-authoritative replication,

1) Backup the existing SYSVOL – This can be done by copying the SYSVOL folder from the domain controller which have DFS replication issues in to a secure location. 

2) Log in to Domain Controller as Domain Admin/Enterprise Admin

3) Launch ADSIEDIT.MSC tool and connect to Default Naming Context

sys1

4) Brows to DC=domain,DC=local > OU=Domain Controllers > CN=(DC NAME) > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription

5) Change value of attribute msDFSR-Enabled = FALSE

sys2

6) Force the AD replication using,

repadmin /syncall /AdP

7) Run following to install the DFS management tools using (unless this is already installed), 

Add-WindowsFeature RSAT-DFS-Mgmt-Con

8) Run following command to update the DFRS global state,

dfsrdiag PollAD

9) Search for the event 4114 to confirm SYSVOL replication is disabled. 

Get-EventLog -Log "DFS Replication" | where {$_.eventID -eq 4114} | fl

10) Change the attribute value back to msDFSR-Enabled=TRUE (step 5)

11) Force the AD replication as in step 6

12) Update DFRS global state running command in step 8

13) Search for events 4614 and 4604 to confirm successful non-authoritative synchronization. 

sys3

All these commands should run from domain controllers set as non-authoritative. 

Authoritative DFS Replication 

In order to perform to initiate authoritative DFS Replication,

1) Log in to PDC FSMO role holder as Domain Administrator or Enterprise Administrator

2) Stop DFS Replication Service (This is recommended to do in all the Domain Controllers)

3) Launch ADSIEDIT.MSC tool and connect to Default Naming Context

4) Brows to DC=domain,DC=local > OU=Domain Controllers > CN=(DC NAME) > CN=DFSR-LocalSettings > Domain System Volume > SYSVOL Subscription

5) Update the given attributes values as following, 

msDFSR-Enabled=FALSE

msDFSR-options=1

sys4

6) Modify following attribute on ALL other domain controller.

msDFSR-Enabled=FALSE

7) Force the AD replication using,

repadmin /syncall /AdP

8) Start DFS replication service in PDC

9) Search for the event 4114 to verify SYSVOL replication is disabled.

10) Change following value which were set on the step 5,

msDFSR-Enabled=TRUE

11) Force the AD replication using,

repadmin /syncall /AdP

12) Run following command to update the DFRS global state,

dfsrdiag PollAD

13) Search for the event 4602 and verify the successful SYSVOL replication. 

14) Start DFS service on all other Domain Controllers

15) Search for the event 4114 to verify SYSVOL replication is disabled.

16) Change following value which were set on the step6. This need to be done on ALL domain controllers. 

msDFSR-Enabled=TRUE

17) Run following command to update the DFRS global state,

dfsrdiag PollAD

18) Search for events 4614 and 4604 to confirm successful authoritative synchronization. 

Please note you do not need to run Authoritative DFS Replication for every DFS replication issue. It should be the last option.

Hope this was useful and if you have any questions feel free to contact me on rebeladm@live.com 

The Active Directory Replication Status Tool (ADREPLSTATUS)

Healthy Active directory replication is important for active directory infrastructure. REPADMIN is command line utility which can use to check the AD replication status. I wrote an article before about common replication errors and how to use these command line utilities for troubleshooting. If you till not read it you can find it in here.

The Active Directory Replication Status Tool (ADREPLSTATUS) is a small but handy tool Microsoft published which can use to analyze the replication status of active directory environment. The output is similar to output of command REPADMIN /SHOWREPL * /CSV but with few enhancements.

Specific capabilities for this tool include:

    • Expose Active Directory replication errors occurring in a domain or forest
    • Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
    • Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
    • Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis

System Requirement

Domain membership requirements:

    • Must be joined to the Active Directory domain or forest you intend to monitor
.NET Framework requirements:
    • .NET Framework 4.0 (you may be prompted to install .NET Framework 3.5.1 first on Windows Server 2008)

Required User Credentials:

    • Target forest/domain user account

Other Requirements:

ADREPLSTATUS will not work when the following security setting is enabled on the operating system:
    • System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms

The tool can be download from https://www.microsoft.com/en-gb/download/details.aspx?id=30005

Installation

It is very straight forward. All need to do is double click on the file.

Once install, double click on the icon to run the application.

status1

status2

Once tool is loaded, you can check the replication on entire forest or specific domains.

status3

After you specify the replication boundaries, click on refresh replication status button. It will discover the current configuration and replication status.

status4

status5

status6

If you required you can export the data to xps or csv format.

status7

hope this info helps. If you have any questions feel free to contact me on rebeladm@live.com

Active Directory Replication

In an infrastructure setup, it may have many domain controllers. Some may even in different sites. But in order to keep the consistency in network it’s important to have proper replication between these domain controllers. It is important to plan and optimize the replication process. For example let’s assume you have a remote site which is connect via 256kb link with head office. According to setup site have sales team and the AD sync is not crucial during the day to day work. So if we just leave it to trigger sync with default schedule it will just use large portion of the link just for this AD sync traffic. So when you place your AD servers in network make sure you also plan for the optimization in replication process.

AD replication between sites built based on the active directory knowledge consistency checker (KCC). Replication process is works differently based on the fact that traffic is passing within the site or between sites. Within site the replication will be fast and occurs more frequent.

When optimizing the replication process you can mainly use 3 factors.

Site Cost – This represent the bandwidth between sites.

Schedule – This represent how often replication should happen. For ex- If the site is just need 1 time replication for day for its operations no point doing it in every 2 hours’ time.

Interval – By default replication happens in every 180 minutes

It is always recommended to create sites where domain controller is placed. For example if the office A is in different city, we can create it as different site in the network. But if the bandwidth is not matters you still can keep it as one site.

If you use different sites, the replications happens via site link. Once you create site links it goes to inter-site transport container and it confirms the connectivity between each sites. The site links can reuse for sites which have same connectivity and availability.

To check the replication we can use 2 command line tools. Apart from that event viewer also can use to identify replication issues.

1)    repadmin /showrepl
2)    dcdiag /test:replications

In following I list down the main replication errors and solution for them.

Slow replication – most common replication error. To fix it you need to review event viewer entries. Also you need to review the AD topology, such as how sites are linked and how those site links are optimized.

Access is denied error – to fix it you need to follow

1)    stop the KDC service – net stop kdc
2)    purge ticket cache in DC
3)    reset domain controller’s account password
4)    sync replication partner’s domain directory partition with the PDC emulator
5)    force replication
6)    start the KDC service

DNS lookup failure / RPC service unavailable – to fix this error follow following steps

1)    Run dcdiag /test:connectivity to verify DNS CNAME and A records
2)    Check the IP configuration and ping domain controller
3)    Restart netlogon service

Site and site link errors – check if the sites and site links connectivity is ok.

Manual replication access denied –   verify the replication synchronization permissions. Use repadmin or replmon tools to force replication.

This is the end of article and if any questions feel free to ask me on rebeladm@live.com