Active Directory
Author: Jackson Chen
Instant Replication between Active Directory Sites with PowerShell
function Replicate-AllDomainController {
    # Ask every DC in the domain to sync all naming contexts (/A) from all of its partners,
    # including partners in other sites (/e)
    (Get-ADDomainController -Filter *).Name |
        ForEach-Object { repadmin /syncall $_ (Get-ADDomain).DistinguishedName /e /A | Out-Null }
    Start-Sleep -Seconds 10
    # Show when each partner last replicated successfully
    Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain |
        Select-Object Server, LastReplicationSuccess
}
Active Directory replication
https://activedirectorypro.com/repadmin-how-to-check-active-directory-replication/
Connection object
A connection object is an Active Directory object that represents a replication connection from a source domain controller to a destination domain controller. A domain controller is a member of a single site and is represented in the site by a server object in Active Directory Domain Services (AD DS). Each server object has a child NTDS Settings object that represents the replicating domain controller in the site.
The connection object is a child of the NTDS Settings object on the destination server. For replication to occur between two domain controllers, the server object of one must have a connection object that represents inbound replication from the other. All replication connections for a domain controller are stored as connection objects under the NTDS Settings object. The connection object identifies the replication source server, contains a replication schedule, and specifies a replication transport.
The Knowledge Consistency Checker (KCC) creates connection objects automatically, but they can also be created manually. Connection objects created by the KCC appear in the Active Directory Sites and Services snap-in as (automatically generated) and are considered adequate under normal operating conditions. Connection objects created by an administrator are manually created connection objects. A manually created connection object is identified by the name assigned by the administrator when it was created. When you modify an (automatically generated) connection object, you convert it into an administratively modified connection object and the object appears in the form of a GUID. The KCC does not make changes to manual or modified connection objects.
Components of AD replication
Knowledge Consistency Checker (KCC)
A process that runs on each DC and is responsible for creating replication topologies.
Directory System Agent (DSA)
A directory service component that runs as Ntdsa.dll on each DC.
Extensible Storage Engine (ESE)
Responsible for managing directory database records, which may contain one or more columns.
Remote Procedure Call (RPC)
A communication protocol that lets developers run code on a local or remote system without writing separate code for remote execution of processes.
Intersite Topology Generator (ISTG)
Responsible for managing the intersite inbound replication connection objects for a specific site.
There is one ISTG server on each site.
KCC
The KCC is a built-in process that runs on all domain controllers and generates replication topology for the Active Directory forest. The KCC creates separate replication topologies depending on whether replication is occurring within a site (intrasite) or between sites (intersite). The KCC also dynamically adjusts the topology to accommodate the addition of new domain controllers, the removal of existing domain controllers, the movement of domain controllers to and from sites, changing costs and schedules, and domain controllers that are temporarily unavailable or in an error state.
By default, this calculation occurs every 15 minutes.
# To force KCC to calculate replication topology
repadmin /kcc
Global catalog server
A global catalog server is a domain controller that stores information about all objects in the forest, so that applications can search AD DS without referring to specific domain controllers that store the requested data. Like all domain controllers, a global catalog server stores full, writable replicas of the schema and configuration directory partitions and a full, writable replica of the domain directory partition for the domain that it is hosting. In addition, a global catalog server stores a partial, read-only replica of every other domain in the forest. Partial, read-only domain replicas contain every object in the domain but only a subset of the attributes (those attributes that are most commonly used for searching the object).
AD DS Troubleshooting
Repadmin.exe and Dcdiag.exe are available on all domain controllers that run Windows Server 2012 R2 or later versions.
# Tools
repadmin.exe
dcdiag.exe
Another useful technology is Event Tracing for Windows (ETW). You can use ETW to troubleshoot LDAP communications among the domain controllers.
Event Tracing for Windows (ETW)
Configure Reliability and Performance Monitor
Windows Server includes the Windows Reliability and Performance Monitor, which is a Microsoft Management Console (MMC) snap-in that combines the functionality of previous stand-alone tools, including Performance Logs and Alerts and System Monitor. This snap-in provides a graphical user interface (GUI) for customizing Data Collector Sets and Event Trace Sessions.
Reliability and Performance Monitor also includes Reliability Monitor, an MMC snap-in that tracks changes to the system and compares them to changes in system stability, providing a graphical view of their relationship.
Set logging levels
If the information that you receive in the Directory Service log in Event Viewer is not sufficient for troubleshooting, raise the logging levels by using the appropriate registry entry.
# Registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
Note: default value 0, maximum 5
By default, the logging levels for all entries are set to 0, which provides the minimum amount of information. The highest logging level is 5. Increasing the level for an entry causes additional events to be logged in the Directory Service event log.
repadmin
Some useful command options. By default, LDAP is the communication method for repadmin. To force RPC, use /rpc.
# Connects to and displays the replication features for a directory server (dsa)
repadmin /bind <dsa>
# Displays a list of failed replication links that are detected by the Knowledge Consistency Checker (KCC)
repadmin /failcache <dsa>
# Displays the amount of time between replications, by using the ISTG Keep Alive time stamp
repadmin /latency [dsa] [/verbose]
# Displays tasks that are waiting in the replication queue
repadmin /queue
# Summarize the replication state and relative health of an Active Directory forest
repadmin /replsummary
# Check the replication status
repadmin /showrepl
# Synchronizes a specified directory server with all replication partners
repadmin /syncall <dsa> <naming context>
Note:
By default, if no directory partition is provided in the NamingContext parameter,
the command performs its operations on the configuration directory partition
repadmin /syncall # Synchronize replication between replication partners
# Export showrepl output to csv file
repadmin /showrepl <DC_NAME> /csv > Repl.csv
Note:
Open Repl.csv, and then delete or hide column A and both RPC and SMTP columns.
# Force the KCC to recalculate the topology
repadmin /kcc # By default, the KCC recalculates the topology every 15 minutes
# Force replication
repadmin /replicate
How to Force Active Directory Replication
You will want to run this on the DC that you wish to update.
# Pull replication - pulls updates from the other DCs to the named DC
repadmin /syncall <out-of-sync-dc-name> /AeD
Example:
repadmin /syncall dc1 /AeD
# Push replication - pushes updates from the named DC to the other DCs (P = push)
repadmin /syncall <source-dc> /APed
Example:
repadmin /syncall dc01 /Ape # push the updates from dc01 to all other DCs
# How to force replication
repadmin /syncall /Adep # command
# Using PowerShell
(Get-ADDomainController -Filter *).Name |
    ForEach-Object { repadmin /syncall $_ (Get-ADDomain).DistinguishedName /AdeP }
# Verify replication status after force replication
Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain | Select-Object Server, LastReplicationSuccess
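An added example (not from the original notes) that turns the verification step above into a health check: it lists inbound and outbound partners whose last successful replication is older than a threshold or whose last result was an error, alongside the KCC failure cache (the PowerShell view of repadmin /failcache). It assumes the ActiveDirectory module and rights to query every DC in the domain; the 60-minute threshold is an assumed default.

```powershell
# Added example, not part of the original notes.
# Assumes the ActiveDirectory module and rights to query every DC in the domain.
function Get-StaleReplicationPartner {
    param(
        # Threshold is an assumption; tune it to your site link replication schedule
        [int]$MaxAgeMinutes = 60
    )
    $cutoff = (Get-Date).AddMinutes(-$MaxAgeMinutes)

    # One row per (destination DC, partner, naming context), inbound and outbound
    $meta = Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain -PartnerType Both

    # Flag partners that have not replicated recently or whose last attempt returned an error
    $stale = $meta |
        Where-Object { $_.LastReplicationSuccess -lt $cutoff -or $_.LastReplicationResult -ne 0 } |
        Select-Object Server, Partner, Partition, LastReplicationAttempt,
                      LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures

    # The failure cache the KCC keeps for each DC (same data as repadmin /failcache)
    $failures = Get-ADReplicationFailure -Target "$env:userdnsdomain" -Scope Domain |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

    [pscustomobject]@{
        CheckedAt = Get-Date
        Partners  = @($meta).Count
        Stale     = @($stale)
        Failures  = @($failures)
    }
}

$report = Get-StaleReplicationPartner -MaxAgeMinutes 60
"Partners checked: $($report.Partners)"
$report.Stale    | Format-Table -AutoSize
$report.Failures | Format-Table -AutoSize
```

An empty Stale list and an empty Failures list after a forced sync is the result you want; anything else points at the DC pair and partition to investigate with repadmin /showrepl.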
dcdiag
The DCDiag tool can be used to analyze a single or multiple DCs simultaneously within your AD forest or enterprise.
# Verify options
dcdiag /?
/s <DC name>
Run DCDiag test against the specified remote Domain Controller.
/u <domain\username>
use the credentials to connect to a remote DC.
/p <password>
use along with /u to specify the password of the user.
/a
Perform DCDiag tests against all DCs within a site.
/e
Tests all the servers in the enterprise. Overrides /a
/q
(quiet) Display only error messages.
/c
(comprehensive) tests against the DC including DNS.
/v
(verbose) display extended information.
/f
(filename) Save the results to the specified filename
Example: dcdiag.exe /s:dc01 /v /f:c:\temp\dcdiag_dc01.txt
# Run dcdiag on a remote DC
dcdiag.exe /s:<remote-dc-name>
Example: dcdiag.exe /s:dc01 /v # verbose
# Test DNS and run various diagnostics
dcdiag /test:DNS
Example: dcdiag /s:<dc-name> /test:DNS
Note:
By default, /test:DNS runs all of the DNS sub-tests below (/DNSAll)
/DNSBasic
The basic DNS test includes network connectivity, DNS client, zones, and service availability.
/DnsForwarders
Performs the basic test and checks the configuration of DNS forwarders.
/DnsDelegation
Basic and DNS delegation test.
/DnsDynamicUpdate
Runs the basic test and checks whether dynamic DNS updates are enabled in AD.
/DnsRecordRegistration
Performs the /DNSBasic test and checks the registration of resource records (A, CNAME, and SRV).
/DnsResolve<Internet Name>
Performs the basic DNS tests and attempts to resolve the <Internet name>
/DnsResolveExtName <internet name>
To test DNS resolution for external names.
/DNSAll
Perform all above tests, except the /DnsResolveExtName
Active Directory DFS Replication
How to troubleshoot missing SYSVOL and Netlogon shares
https://support.microsoft.com/en-us/topic/c4dc6648-ff6e-a8e1-7ae2-d3d465b2d875
Symptoms
You may encounter a situation in which SYSVOL and Netlogon shares are not shared on a domain controller. The following additional symptoms or conditions may also apply:
- The SYSVOL folder is empty.
- The affected domain controller was recently promoted.
- The environment contains domain controllers running versions of Windows earlier than Windows Server 2012 R2.
- DFS Replication is used to replicate the SYSVOL Share replicated folder.
- An upstream domain controller's DFS Replication service is in an error state
Cause
Domain controllers without SYSVOL shared cannot replicate inbound because of upstream (source) domain controllers being in an error state. Frequently (but not limited to), the upstream servers have stopped replication because of a dirty shutdown (event ID 2213).
# Step 1 - Evaluate the state of DFS Replication on all domain controllers
net share # verify "SYSVOL" and "NETLOGON" shares exist
# Use net view command
For /f %i IN ('dsquery server -o rdn') do @echo %i && @(net view \\%i | find "SYSVOL") & echo
# To check DFS Replication's state on domain controllers, query WMI
For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state
Note: State value
0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error
Example command:
wmic /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo get replicationgroupname,replicatedfoldername,state
If any domain controllers do not report the "SYSVOL Share" replicated folder as being in a state "4" (normal), check the event log of those domain controller(s) to evaluate their condition. Review each domain controller for recent errors or warnings in the DFS Replication event log, such as the warning event ID 2213, which indicates that DFS Replication is currently paused.
Check the Content Freshness configuration
Determine whether DFS Replication triggered content freshness protection on the affected domain controllers. Content Freshness is enabled on Windows Server 2012 (and later versions) domain controllers by default, but may also be manually enabled on Windows Server 2008 and 2008 R2 servers.
If content freshness is enabled, the MaxOfflineTimeInDays setting is 60; if it is disabled, MaxOfflineTimeInDays is 0. To check MaxOfflineTimeInDays, run the following command.
wmic.exe /node:%computername% /namespace:\\root\microsoftdfs path DfsrMachineConfig get MaxOfflineTimeInDays
To query all domain controllers in the domain, run the following command
For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path DfsrMachineConfig get MaxOfflineTimeInDays
For each domain controller enabled for content freshness, evaluate if DFS Replication has logged an event ID 4012 that indicates replication of the folder has stopped because replication has failed for longer than the MaxOfflineTimeInDays parameter.
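An added example (not from the original notes) that runs the Step 1 state query and the content freshness check above from PowerShell against every DC, using the same root\microsoftdfs classes the wmic commands use, and flags any DC whose SYSVOL Share folder is not in state 4. It assumes the ActiveDirectory module and CIM (WinRM) access to each DC.

```powershell
# Added example, not part of the original notes.
# Assumes the ActiveDirectory module and CIM/WinRM access to every DC.
$StateName = @{
    0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
    3 = 'Auto Recovery';  4 = 'Normal';      5 = 'In Error'
}

function Get-SysvolDfsrState {
    foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
        try {
            # Same class and filter as the wmic query: the SYSVOL Share replicated folder
            $folder = Get-CimInstance -ComputerName $dc -Namespace 'root\microsoftdfs' `
                -ClassName DfsrReplicatedFolderInfo `
                -Filter "ReplicatedFolderName='SYSVOL Share'" -ErrorAction Stop
            if (-not $folder) { throw "no 'SYSVOL Share' replicated folder reported" }

            # MaxOfflineTimeInDays: 60 = content freshness enabled, 0 = disabled
            $cfg = Get-CimInstance -ComputerName $dc -Namespace 'root\microsoftdfs' `
                -ClassName DfsrMachineConfig -ErrorAction Stop

            [pscustomobject]@{
                DC                   = $dc
                ReplicationGroup     = $folder.ReplicationGroupName
                State                = $folder.State
                StateName            = $StateName[[int]$folder.State]
                MaxOfflineTimeInDays = $cfg.MaxOfflineTimeInDays
                ContentFreshness     = ($cfg.MaxOfflineTimeInDays -gt 0)
                # Anything other than state 4 means: review the DFS Replication event log (2213, 4012)
                NeedsReview          = ($folder.State -ne 4)
            }
        }
        catch {
            # Unreachable DC or query failure: report it instead of silently skipping the DC
            [pscustomobject]@{
                DC = $dc; ReplicationGroup = $null; State = $null
                StateName = "Query failed: $($_.Exception.Message)"
                MaxOfflineTimeInDays = $null; ContentFreshness = $null; NeedsReview = $true
            }
        }
    }
}

Get-SysvolDfsrState | Format-Table -AutoSize
```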
# Step 2 - Prepare the domain controllers that are in an error state
Backup SYSVOL folder
Perform a backup of SYSVOL data (if present) on each domain controller. Backups may be a simple file copy of the SYSVOL contents to a safe location or, it may be a backup that uses backup software.
Depending on the situation, policy files could be moved to "PreExisting" or "Conflict and Deleted." "PreExisting" and "Conflict and Deleted" contents will be purged if initial synchronization is performed multiple times on a server. Back up data in these locations to avoid data loss.
For environments that have three or more domain controllers
# Important:
If all domain controllers have logged the 4012 event and their "state" is "5," then follow the instructions in article 2218556 to completely initialize SYSVOL. This is the only situation in which to set a DFS Replication server as authoritative. Make sure that the domain controller configured as authoritative has the most up-to-date copy of all SYSVOL contents.
If one or more domain controllers are blocking replication because of content freshness, they each must be non-authoritatively recovered. To do this, follow these steps:
- Backup all SYSVOL contents of the domain controller(s). Typically, policy edits are performed on the PDC Emulator, but this is not guaranteed. Any data present on the recovered domain controller(s) not matching the partners will go into the "PreExisting" or "Conflict and Deleted" folder, or both.
- Next, set the domain controller(s) as nonauthoritative by disabling the membership as described in article 2218556. You must be aware of the replication topology, and you must "fan out" from a healthy domain controller by selecting direct partners of it, then recovering further downstream domain controllers, and so on. Event ID 4144 will be logged to confirm the membership is disabled. Make sure all domain controllers requiring recovery log this event. It may be necessary to force Active Directory replication and then run the dfsrdiag pollad command on each domain controller to detect the disabled membership quickly.
# Force active directory replication (DFS-R replication)
dfsrdiag pollad
- Enable the membership and wait for the 4614 and 4604 events to report completion of the initial synchronization. Restore any required files from backup or from "PreExisting" and "Conflict and Deleted" as necessary.
PsExec to run command under system context
# How to copy SYSVOL
PsExec.exe -i -s cmd.exe # opens a cmd.exe window running as SYSTEM
Then run the following command in the newly opened cmd.exe
robocopy \\dc1\C$\Sysvol C:\Windows\SYSVOL /copyall /mir /b /r:0 /xd "DfsrPrivate" /xf "DfsrPrivate"
Note:
a. It will copy SYSVOL from dc1 to the current dc c:\Windows\SYSVOL
b. Command run in the cmd.exe will be run under system context
Manually set the SysvolReady registry flag to 1 so the DC can advertise itself as a domain controller
If the SysvolReady flag has a value of 0, set it to 1
# How to set SysvolReady to 1
1. Click Start, click Run, type regedit, and then click OK.
2. Locate the following subkey in Registry Editor:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
3. In the details pane, right-click the SysvolReady flag, and then click Modify.
4. In the Value data box, type 1, and then click OK.
How to force authoritative and non-authoritative synchronization for DFSR-replicated sysvol replication
- In the ADSIEDIT.MSC tool, modify the following distinguished name (DN) value and attribute on each of the domain controllers (DCs) that you want to make non-authoritative:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
- Force Active Directory replication throughout the domain.
- Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
dfsrdiag pollad
- You'll see Event ID 4114 in the DFSR event log indicating sysvol replication is no longer being replicated.
- On the same DN from Step 1, set msDFSR-Enabled=TRUE.
- Force Active Directory replication throughout the domain.
- Run the following command from an elevated command prompt on the same servers that you set as non-authoritative:
dfsrdiag pollad
- You'll see Event ID 4614 and 4604 in the DFSR event log indicating sysvol replication has been initialized. That domain controller has now done a D2 of sysvol replication.
How to perform an authoritative synchronization of DFSR-replicated sysvol replication (like D4 for FRS)
- Set the DFS Replication service Startup Type to Manual, and stop the service on all domain controllers in the domain.
- In the ADSIEDIT.MSC tool, modify the following DN and two attributes on the domain controller you want to make authoritative (preferably the PDC Emulator, which is usually the most up-to-date for sysvol replication contents):
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
msDFSR-options=1
- Modify the following DN and single attribute on all other domain controllers in that domain:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=FALSE
- Force Active Directory replication throughout the domain and validate its success on all DCs.
- Start the DFSR service on the domain controller that was set as authoritative in Step 2.
- You'll see Event ID 4114 in the DFSR event log indicating sysvol replication is no longer being replicated.
- On the same DN from Step 1, set msDFSR-Enabled=TRUE.
- Force Active Directory replication throughout the domain and validate its success on all DCs.
- Run the following command from an elevated command prompt on the same server that you set as authoritative:
DFSRDIAG POLLAD
- You'll see Event ID 4602 in the DFSR event log indicating sysvol replication has been initialized. That domain controller has now done a D4 of sysvol replication.
- Start the DFSR service on the other non-authoritative DCs. You'll see Event ID 4114 in the DFSR event log indicating sysvol replication is no longer being replicated on each of them.
- Modify the following DN and single attribute on all other domain controllers in that domain:
CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>
msDFSR-Enabled=TRUE
- Run the following command from an elevated command prompt on all non-authoritative DCs (that is, all but the formerly authoritative one):
DFSRDIAG POLLAD
- Return the DFSR service to its original Startup Type (Automatic) on all DCs.
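An added example (not from the original notes) for the ADSIEDIT steps in the two procedures above: it builds the SYSVOL Subscription DN for a named DC the same way each time and sets msDFSR-Enabled (and msDFSR-Options=1 only for the one DC being made authoritative) with Set-ADObject, then reads the attributes back. It assumes the ActiveDirectory module, Domain Admin rights, and DC computer objects under OU=Domain Controllers; it only flips the attributes, so the ordering, replication and dfsrdiag pollad steps above still apply.

```powershell
# Added example, not part of the original notes.
# Assumes the ActiveDirectory module, Domain Admin rights, and DC computer objects
# located under OU=Domain Controllers in the current domain.
function Set-SysvolDfsrSubscription {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$ServerName,
        [Parameter(Mandatory)][bool]$Enabled,
        # Only for the single DC being made authoritative (sets msDFSR-Options=1)
        [switch]$Authoritative
    )
    $domainDn = (Get-ADDomain).DistinguishedName
    # Same DN as the ADSIEDIT step: CN=SYSVOL Subscription,...,CN=<server>,OU=Domain Controllers,<domain>
    $dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings," +
          "CN=$ServerName,OU=Domain Controllers,$domainDn"

    $replace = @{ 'msDFSR-Enabled' = $Enabled }
    if ($Authoritative) { $replace['msDFSR-Options'] = 1 }
    $desc = ($replace.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '

    # -WhatIf / -Confirm work through ShouldProcess, so the DN can be checked before any write
    if ($PSCmdlet.ShouldProcess($dn, "Set $desc")) {
        Set-ADObject -Identity $dn -Replace $replace
    }

    # Read back what is now stored, to confirm before forcing AD replication
    Get-ADObject -Identity $dn -Properties 'msDFSR-Enabled', 'msDFSR-Options' |
        Select-Object DistinguishedName, 'msDFSR-Enabled', 'msDFSR-Options'
}

# Non-authoritative recovery of one DC (server name is a placeholder):
# disable, force AD replication, dfsrdiag pollad, wait for event 4114, then re-enable.
Set-SysvolDfsrSubscription -ServerName 'DC02' -Enabled $false -WhatIf
# Set-SysvolDfsrSubscription -ServerName 'DC02' -Enabled $true
```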
If setting the authoritative flag on one DC, you must non-authoritatively synchronize all other DCs in the domain. Otherwise you'll see conflicts on DCs, originating from any DCs where you did not set auth/non-auth and restarted the DFSR service. For example, if all logon scripts were accidentally deleted and a manual copy of them was placed back on the PDC Emulator role holder, making that server authoritative and all other servers non-authoritative would guarantee success and prevent conflicts.
If making any DC authoritative, the PDC Emulator as authoritative is preferable, since its sysvol replication contents are most up to date.
The use of the authoritative flag is only necessary if you need to force synchronization of all DCs. If only repairing one DC, make it non-authoritative and don't touch other servers.
This article is designed with a 2-DC environment in mind, for simplicity of description. If you have more than one affected DC, expand the steps to include ALL of them. It also assumes you have the ability to restore data that was previously deleted, overwritten, damaged, and so on, if it is a disaster recovery scenario on all DCs in the domain.
How to verify and set domain controller as authentication DC
# Run the following command in elevated command prompt
# Show which domain controller the client is currently using for authentication
Nltest /dsgetdc:<domain-name>
# Set to required domain controller
Nltest /Server:<client-computer-name> /SC_RESET:<domain-name>\<DC-name>
How to update MSRTCSIP-primaryuseraddress attribute
Import-Module ActiveDirectory
# Users in the OU that have no msRTCSIP-OriginatorSID yet
$Users = Get-ADUser -SearchBase 'OU=Test,OU=Accounts,DC=contoso,DC=com' -Filter * `
        -Properties 'msRTCSIP-OriginatorSID', UserPrincipalName |
    Where-Object { $null -eq $_.'msRTCSIP-OriginatorSID' } |
    Select-Object SamAccountName, DistinguishedName, ObjectSid, UserPrincipalName
ForEach ($user in $Users) {
    $UserUPN = $user.UserPrincipalName
    Try {
        # Set-ADUser $user.SamAccountName -Replace @{'msRTCSIP-PrimaryUserAddress' = "$login@lab.local"}
        # Set msRTCSIP-PrimaryUserAddress to the user's UPN
        Set-ADUser $user.SamAccountName -Replace @{'msRTCSIP-PrimaryUserAddress' = "$UserUPN"} -ErrorAction Stop
    }
    Catch {
        Write-Host "Failed to update msRTCSIP-PrimaryUserAddress for $($user.SamAccountName): $($_.Exception.Message)"
    }
}
How to clean up
Get-ADuser -Properties msRTCSIP-PrimaryUserAddress,msRTCSIP-DeploymentLocator,msRTCSIP-PrimaryHomeServer,msRTCSIP-UserEnabled -Filter {msRTCSIP-DeploymentLocator -eq "SRV:" -and msRTCSIP-UserEnabled -notlike '*' -and msRTCSIP-PrimaryHomeServer -notlike '*' -and MSRTCSIP-primaryuseraddress -notlike "*"} | Set-ADUser -Clear MSRTCSIP-primaryuseraddress
Active Directory and BIND DNS
Using Active Directory and BIND9 with No Dynamic Updates (DDNS)
Using Linux BIND DNS Servers for Active Directory Domains
Linux and BIND9 as a DNS Secondary for Active Directory
https://vswitchzero.com/2021/02/24/linux-and-bind9-as-a-dns-secondary-for-active-directory/
Export-DnsServerZone
Export-DnsServerZone -Name "western.contoso.com" -FileName "exportedcontoso.com"