Thursday, 6 October 2011

Collection: Windows Server 2003 (3)

Recursive vs Iterative Query.

With a recursive name query, the DNS client requires that the DNS server respond to the client with either the requested resource record or an error message stating that the record or domain name does not exist. The DNS server cannot just refer the DNS client to a different DNS server. Thus, if a DNS server does not have the requested information when it receives a recursive query, it queries other servers until it gets the information, or until the name query fails.
Recursive name queries are generally made by a DNS client to a DNS server, or by a DNS server that is configured to pass unresolved name queries to another DNS server, in the case of a DNS server configured to use a forwarder.
An iterative name query is one in which a DNS client allows the DNS server to return the best answer it can give based on its cache or zone data. If the queried DNS server does not have an exact match for the queried name, the best possible information it can return is a referral (that is, a pointer to a DNS server authoritative for a lower level of the domain namespace). The DNS client can then query the DNS server for which it obtained a referral. It continues this process until it locates a DNS server that is authoritative for the queried name, or until an error or time-out condition is met. This process is sometimes referred to as "walking the tree," and this type of query is typically initiated by a DNS server that attempts to resolve a recursive name query for a DNS client.
Figure 5.4 shows an example of iterative and recursive queries. This example assumes that none of the servers have the requested information in their caches.


Figure 5.4 Iterative and Recursive Queries
In the example shown in Figure 5.4, a client somewhere on the Internet needs the IP address of noam.reskit.com. The following events take place:
1.   The client contacts NameServer1 with a recursive query for noam.reskit.com. The server must now return either the answer or an error message.
2.   NameServer1 checks its cache and zones for the answer, but does not find it, so it contacts a server authoritative for the Internet (that is, a root server) with an iterative query for noam.reskit.com.
3.   The server at the root of the Internet does not know the answer, so it responds with a referral to a server authoritative for the .com domain.
4.   NameServer1 contacts a server authoritative for the .com domain with an iterative query for noam.reskit.com.
5.   The server authoritative for the .com domain does not know the exact answer, so it responds with a referral to a server authoritative for the reskit.com domain.
6.   NameServer1 contacts the server authoritative for the reskit.com domain with an iterative query for noam.reskit.com.
7.   The server authoritative for the reskit.com domain does know the answer. It responds with the requested IP address.
8.   NameServer1 responds to the client query with the IP address for noam.reskit.com.
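Steps 1 through 8 as an added simulation (not part of the original page): NameServer1 takes the client's recursive query and issues iterative queries from the root down, following each referral, caching the answer it finally obtains, and failing the query after a bounded number of referrals so that a circular delegation cannot keep it spinning. The zone tree, the server names and the address 192.0.2.10 are constructed.

```python
"""Simulation of the query flow in Figure 5.4: a client sends one recursive
query to NameServer1, which resolves it with iterative queries down the tree.

Added example, not from the original page. Zone data, server names and the
address 192.0.2.10 returned for noam.reskit.com are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class AuthServer:
    """Authoritative server: answers iterative queries from its own zone data
    only, with an exact answer, a referral to a child zone, or a name error."""

    def __init__(self, name: str, records: Dict[str, str],
                 delegations: Dict[str, "AuthServer"]):
        self.name = name
        self.records = records          # fqdn -> IP address
        self.delegations = delegations  # child zone -> server authoritative for it

    def iterative_query(self, qname: str) -> Tuple[str, object]:
        if qname in self.records:
            return "answer", self.records[qname]
        # Best referral: the longest delegated zone the name falls under.
        best = None
        for zone, server in self.delegations.items():
            if qname == zone or qname.endswith("." + zone):
                if best is None or len(zone) > len(best[0]):
                    best = (zone, server)
        if best is not None:
            return "referral", best[1]
        return "nxdomain", None


@dataclass
class Result:
    status: str                  # "answer", "nxdomain" or "servfail"
    address: Optional[str]
    trace: List[Tuple[str, str]] = field(default_factory=list)  # (server, reply)


class RecursiveServer:
    """NameServer1: must hand the client either the record or an error, so it
    follows referrals itself ("walking the tree") and caches what it learns."""

    def __init__(self, name: str, root: AuthServer, max_referrals: int = 8):
        self.name = name
        self.root = root
        self.max_referrals = max_referrals   # bound on referrals per query
        self.cache: Dict[str, str] = {}

    def recursive_query(self, qname: str) -> Result:
        if qname in self.cache:
            return Result("answer", self.cache[qname], [(self.name, "cache")])
        server, trace = self.root, []
        for _ in range(self.max_referrals):
            kind, data = server.iterative_query(qname)
            trace.append((server.name, kind))
            if kind == "answer":
                self.cache[qname] = data
                return Result("answer", data, trace)
            if kind == "nxdomain":
                return Result("nxdomain", None, trace)
            server = data   # referral: ask the server we were pointed at next
        # Referral bound exhausted (e.g. two zones delegating to each other):
        # report failure instead of looping forever.
        return Result("servfail", None, trace)


def build_figure_5_4() -> RecursiveServer:
    """Constructed tree from the figure: root -> .com -> reskit.com."""
    reskit = AuthServer("reskit.com-ns", {"noam.reskit.com": "192.0.2.10"}, {})
    com = AuthServer("com-ns", {}, {"reskit.com": reskit})
    root = AuthServer("root-ns", {}, {"com": com})
    return RecursiveServer("NameServer1", root)


if __name__ == "__main__":
    for step in build_figure_5_4().recursive_query("noam.reskit.com").trace:
        print("%s replied: %s" % step)
```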

Defragmenting an Active Directory Database

When the Active Directory Domain Service finishes shutting down, open a Command Prompt window, and enter the NTDSUTIL command. The command prompt will now display an NTDSUTIL prompt. Now enter the following command:
Activate Instance NTDS
At this point, NTDSUTIL will display a message stating that activate instance has been set to “NTDS”.  Now enter the Files command. This will cause NTDSUTIL to switch to the File Maintenance prompt. You should now enter the Info command. This will cause NTDSUTIL to display information about the size and location of the Active Directory database, as shown in Figure A.



Figure A. You should double check the database size against the size that you recorded earlier.

You should make sure that the information that is displayed coincides with the size that you recorded earlier. Otherwise, some corruption may exist. Assuming that everything looks good, you can launch the defragmentation process by entering the following command:

Compact to c:\Windows\NTDS\temp

The command shown above assumes that you have created a folder named Temp beneath the c:\windows\ntds folder.

The amount of time that the defragmentation process will take varies depending on the speed of your server, and on the size of the Active Directory database. You can see what a successful defragmentation looks like in Figure B.





Figure B. This is what a successful defragmentation looks like.

When the process completes, enter the Q command at the NTDSUTIL prompt to close NTDSUTIL. Next, verify that Windows has created a copy of the Active Directory database in the C:\Windows\NTDS\Temp folder. This copy is the defragmented version of the database. To use it, you must either delete or rename the original database (the one in C:\Windows\NTDS), and then copy the defragmented database from C:\Windows\NTDS\Temp to C:\Windows\NTDS. You must also either rename or delete the log files located in the C:\Windows\NTDS folder.

You can now restart Active Directory. The easiest way to do this is to start the Active Directory Domain Service that you shut down earlier. If dependent services were also shut down, it may be easier to reboot the server.

ADAM/AD LDS

Active Directory Application Mode (ADAM) is a lightweight implementation of Active Directory. ADAM is capable of running as a service on computers running Microsoft Windows Server 2003 or Windows XP Professional. ADAM shares the code base with Active Directory and provides the same functionality as Active Directory, including an identical API, but does not require the creation of domains or domain controllers.
Like Active Directory, ADAM provides a data store, which is a hierarchical datastore for storage of directory data, and a directory service with an LDAP directory service interface. Unlike Active Directory, however, multiple ADAM instances can be run on the same server, with each instance having its own and required by applications making use of the ADAM directory service.
In Windows Server 2008, ADAM has been renamed AD LDS (Active Directory Lightweight Directory Services).
Transfer FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:
1.   Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or domain controller that is located in the forest where FSMO roles are being transferred. We recommend that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and the Infrastructure master roles are being transferred.
2.   Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3.  Type roles, and then press ENTER.

Note: To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4.   Type connections, and then press ENTER.
5.   Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6.   At the server connections prompt, type q, and then press ENTER.
7.  Type transfer role, where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8.   At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Windows Server 2008 Editions

Most editions of Windows Server 2008 are available in x86-64 (64-bit) and x86 (32-bit) versions. Windows Server 2008 for Itanium-based Systems supports IA-64 processors. The IA-64 version is optimized for high workload scenarios like database servers and Line of Business (LOB) applications. As such, it is not optimized for use as a file server or media server. Microsoft has announced that Windows Server 2008 is the last 32-bit Windows server operating system. Windows Server 2008 is available in the editions listed below, similar to Windows Server 2003.
  • Windows Server 2008 Standard (x86 and x86-64)
  • Windows Server 2008 Enterprise (x86 and x86-64)
  • Windows Server 2008 Datacenter (x86 and x86-64)
  • Windows HPC Server 2008 (Codenamed "Socrates") (replacing Windows Compute Cluster Server 2003)
  • Windows Web Server 2008 (x86 and x86-64)
  • Windows Storage Server 2008 (Codenamed "Magni") (x86 and x86-64)
  • Windows Small Business Server 2008 (Codenamed "Cougar") (x86-64) for small businesses
  • Windows Essential Business Server 2008 (Codenamed "Centro") (x86-64) for medium-sized businesses 
  • Windows Server 2008 for Itanium-based Systems
  • Windows Server 2008 Foundation (Codenamed "Lima")
Server Core is available in the Web, Standard, Enterprise and Datacenter editions. It is not available in the Itanium edition. Server Core is simply an alternate installation option supported by some of the editions, and not a separate edition by itself. Each architecture has a separate installation DVD. Windows Server 2008 Standard Edition is available to students for free through Microsoft's
NTDSUTIL:
How to Start Your Computer Into Directory Services Restore Mode
  1. Restart the computer.
  2. After the BIOS information is displayed, press F8.
  3. Use the down arrow to select Directory Services Restore Mode (Windows 2000 domain controllers only), and then press ENTER.
  4. Use the up and down arrows to select your computer, and then press ENTER.
  5. Log on using your administrative logon and password.
How to Start Ntdsutil
Ntdsutil.exe is located in the Support Tools folder on the Windows 2000 CD-ROM. By default, this tool is installed in the System32 folder.
  1. Click Start, and then click Run.
  2. In the Open text box, type ntdsutil.

    Type ? at the command prompt to access the help file for the tool.
How to Move the Database
You can move the Ntds.dit data file to the new folder that is specified by the location variable. If you do so, the registry is updated so that Directory Service uses the new location when you restart the server.
  1. At the Ntdsutil command prompt, type files, and then press ENTER.
  2. At the file maintenance command prompt, type Move DB to Folder_location (where Folder_location is the location of an existing folder that you have created for this purpose), and then press ENTER.

    Verification is displayed.
  3. To exit the tool, type q at the command prompt, press ENTER, type q, and then press ENTER.
How to Move Log Files
You can move the log files to the new folder that is specified by the location variable. If you do so, the registry is updated so that Directory Service uses the new location when you restart the server.
  1. At the Ntdsutil command prompt, type files, and then press ENTER.
  2. At the file maintenance command prompt, type Move logs to Folder_location (where Folder_location is the location of an existing folder that you have created for this purpose), and then press ENTER.
  3. To exit the tool, type q at the command prompt, press ENTER, type q, and then press ENTER.
How to Recover the Database
You can use Esentutl.exe to perform a soft recovery of the database. Soft recovery scans the log files and ensures that all committed transactions that exist in the log file are also reflected in the data file. The Windows 2000 Backup program truncates the log files appropriately.

Logs are used to ensure that committed transactions are not lost if your computer fails or if it experiences unexpected power loss. Transaction data is written first to a log file, and then it is written to the data file. After you restart the computer after failure, you can rerun the log to reproduce the transactions that were committed but that were not recorded to the data file.
  1. At the Ntdsutil command prompt, type files, and then press ENTER.
  2. At the file maintenance command prompt, type recover, and then press ENTER.

    Verification is displayed.

    NOTE: It is recommended that you perform a Semantic database analysis. Refer to the "References" section of this article for resources that describe how to perform the Semantic database analysis.
  3. To exit the tool, type q at the command prompt, press ENTER, type q, and then press ENTER.
How to Repair the Database
WARNING: After you complete the procedure that is described in this section, Esentutl.exe performs a low-level repair of the data file. Use the repair command only on the advice of qualified service personnel, because this command can cause data loss. You can use this procedure to repair only the data that ESENT knows about. As a result, the repair operation may eliminate data that is key to the safe operation of Directory Service.
  1. At the Ntdsutil command prompt, type files, and then press ENTER.
  2. At the file maintenance command prompt, type repair, and then press ENTER.

    Verification is displayed.

    NOTE: It is recommended that you perform a Semantic database analysis. Refer to the "References" section of this article for resources that describe how to perform the Semantic database analysis.
  3. To exit the tool, type q at the command prompt, press ENTER, type q, and then press ENTER.
How to Set Paths
You can use the set path command to set the path for the following items:
  • Backup: Use this parameter with the set path command to set the disk-to-disk backup target to the folder that is specified by the location variable. You can configure Directory Service to perform an online disk-to-disk backup at scheduled intervals.
  • Database: Use this parameter with the set path command to update the part of the registry that identifies the location and file name of the data file. Use this command only to rebuild a domain controller that has lost its data file and that is not being restored by means of normal restoration procedures.
  • Logs: Use this parameter with the set path command to update the part of the registry that identifies the location of the log files. Use this command only if you are rebuilding a domain controller that has lost its log files and is not being restored by means of normal restoration procedures.
  • Working Directory: Use this parameter with the set path command to set the part of the registry that identifies Directory Service's working folder to the folder that is specified by the location variable.
To run the set path command:
  1. At the Ntdsutil command prompt, type files, and then press ENTER.
  2. At the file maintenance command prompt, type set path object location (where object is one of the parameters that is described in the preceding list and location is the path that you are setting for that object), and then press ENTER.

    Verification is displayed.
  3. To exit the tool, type q at the command prompt, press ENTER, type q, and then press ENTER.

Use the Netdom command

The FSMO role holders can be easily found by use of the Netdom command.
Netdom.exe is part of the Windows 2000/XP/2003 Support Tools. You must either download it separately (Download Free Windows 2000 Resource Kit Tools) or obtain the correct Support Tools pack for your operating system. The Support Tools pack can be found in the \Support\Tools folder on your installation CD (or you can download the Windows 2000 SP4 Support Tools or the Windows XP SP1 Deploy Tools).
  1. On any domain controller, click Start, click Run, type CMD in the Open box, and then click OK.
  2. In the Command Prompt window, type netdom query /domain:<domain> fsmo (where <domain> is the name of YOUR domain).
C:\WINDOWS>netdom query /domain:dpetri fsmo
Schema owner server100.dpetri.net
 
Domain role owner server100.dpetri.net
 
PDC role server100.dpetri.net
 
RID pool manager server100.dpetri.net
 
Infrastructure owner server100.dpetri.net
 
The command completed successfully.
Close the CMD window.

Method #5: Use the Replmon tool

The FSMO role holders can also be found by use of the Replmon tool.
Just like Netdom, Replmon.exe is part of the Windows 2000/XP/2003 Support Tools. Replmon can be used for a wide variety of tasks, mostly those related to AD replication. But Replmon can also provide valuable information about the AD, about any DC, and also about other objects and settings, such as GPOs and FSMO roles. Install the package before attempting to use the tool.
  1. On any domain controller, click Start, click Run, type REPLMON in the Open box, and then click OK.
  2. Right-click Monitored servers and select Add Monitored Server.
  3. In the Add Server to Monitor window, select Search the Directory for the server to add. Make sure your AD domain name is listed in the drop-down list.
  4. In the site list select your site, expand it, and click to select the server you want to query. Click Finish.
  5. Right-click the server that is now listed in the left pane, and select Properties.
  6. Click on the FSMO Roles tab and read the results.
  7. Click OK when you're done.

  • The Active Directory Replication Monitor (Replmon) enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication through a graphical interface.
  • The Replication Diagnostics Tool (Repadmin) allows you to view the replication topology as seen from the perspective of each domain controller and the replication metadata and up-to-dateness vectors. This tool can be used in troubleshooting to manually create the replication topology (although in normal practice this should not be necessary), and to force replication events between domain controllers.
  • Dsastat.exe compares and detects differences between directory partitions on domain controllers and can be used to ensure that domain controllers are up-to-date with one another. The tool retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class and compares the attributes of replicated objects.
Managing directory replication

Except for very small networks, directory data must reside in more than one place on the network to be equally useful to all users. Through replication, the Active Directory directory service maintains replicas of directory data on multiple domain controllers, ensuring directory availability and performance for all users. Active Directory relies on configuration information that you provide about sites, subnets, and site links to manage and optimize the process of replication.
Some of the most common tasks are creating sites, creating site links, and creating a subnet and associating it with a site. For more information about other tasks for managing directory replication, see Manage Sites.

To create a site

  1. Open Active Directory Sites and Services.
  2. Right-click the Sites folder, and then click New Site.
  3. In Name, type the name of the new site.
  4. Click a site link object, and then click OK.

To create a site link

  1. Open Active Directory Sites and Services.
  2. In the console tree, right-click the intersite transport protocol you want the site link to use, and then click New Site Link.

    Where?
    • Active Directory Sites and Services/Sites/Inter-Site Transports/inter-site transport protocol you want the site link to use
  3. In Name, type the name to be given to the link.
  4. Click two or more sites to connect, and then click Add.
  5. Configure the site link's cost, schedule, and replication frequency.
Caution
  • If you create a site link that uses SMTP, you must have an enterprise certification authority (Enterprise CA) available and SMTP must be installed on all domain controllers that will use the site link.

To create a subnet and associate it with a site

  1. Open Active Directory Sites and Services.
  2. In the console tree, double-click Sites.
  3. Right-click Subnets, and then click New Subnet.
  4. In Address, enter the subnet address.
  5. In Mask, enter the subnet mask that describes the range of addresses included in this site's subnet.
  6. Select a site with which to associate this subnet, and then click OK.

How to optimize Active Directory replication in a large network

The Knowledge Consistency Checker (KCC) dynamically adjusts the data replication topology of your network when domain controllers are added to or removed from the network, when a domain controller is unavailable, or when the data replication schedules are changed.

The tasks of the KCC are:
  • Based on the network topology described by Active Directory objects, the KCC creates connection objects which are used to define inbound and outbound replication to domain controllers:
    • For sources within the same site, inbound to the domain controller on which the KCC is running.
    • For sources in different sites, inbound to the site in which the KCC is running, if the domain controller on which the KCC is running is the elected interSiteTopologyGenerator for its site.
  • Convert the KCC-defined and administrator-defined Microsoft Windows NT Directory Service Connection (ntdsConnection) objects into a configuration understood by the Directory Service (DS) replication engine.
By default, each of these tasks is executed every 15 minutes.
Run the Inter-site KCC Only During Off Peak Hours
Disable Inter-Site KCC Entirely, Manually Configure Connections
Runkcc.vbs (VBScript to Trigger the One-time Run of the KCC)
Initiating Replication Using the Sites and Services Manager Snap-in
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. Expand the Sites container in the left pane. Expand the container that represents the name of the site containing the target server that needs to be synchronized with its replication partners.
  3. Expand the Servers container, and then expand the target server to display the NTDS Settings object (an object that represents settings for the domain controller).
  4. Click the NTDS Settings object. The connection objects in the right pane represent the target server's direct replication partners.
  5. Right-click a connection object in the right pane, and then click Replicate Now. Windows 2000 initiates replication of any changes from the source server (the server represented by the connection object) to the target server for all directory partitions the target server is configured to replicate from the source server.
Initiating replication Using Repadmin.exe
Repadmin.exe is a command-line tool from the Windows 2000 Resource Kit that is included in the Support Tools folder on the Windows 2000 CD-ROM.
  1. Determine the name of the target server that needs to be synchronized.
  2. At a command prompt, use Repadmin.exe to determine the target server's direct replication partners by typing the following command:
repadmin /showreps target_server_name
If the target server can be reached, it displays output similar to the following sample. In this example, DC1 and DC2 are now in the same domain, "support.microsoft.com."
Redmond\DC1
DSA Options : (none)
objectGuid : 4a11d649-f9ab-11d2-b17f-00c04f5cb503
invocationID: 45d18b0b-f9ab-11d2-98b8-0000f87a546b

==== INBOUND NEIGHBORS ======================================

CN=Schema,CN=Configuration,DC=microsoft,DC=com
Redmond\DC2 via RPC
objectGuid: d2e3badd-e07a-11d2-b573-0000f87a546b
Last attempt @ 1999-05-03 18:07.04 was successful.
CN=Configuration,DC=microsoft,DC=com
Redmond\DC2 via RPC
objectGuid: d2e3badd-e07a-11d2-b573-0000f87a546b
Last attempt @ 1999-05-03 18:07.05 was successful.
DC=support,DC=microsoft,DC=com
Redmond\DC2 via RPC
objectGuid: d2e3badd-e07a-11d2-b573-0000f87a546b
Last attempt @ 1999-05-03 18:07.09 was successful.

(Other data excluded because it does not pertain to this article.)
Under the Inbound Neighbors section of the output, the direct replication partners for each directory partition are identified along with the status of the last replication.
  3. Find the directory partition that needs synchronization and locate the source server with which the target will be synchronized. Note the objectGuid of the source server.
  4. Use Repadmin.exe to initiate replication by typing the following command:
repadmin /sync directory_partition target_server_name source_server_objectGuid
For example, to initiate replication on DC1 so that changes are replicated from DC2:
repadmin /sync dc=support,dc=microsoft,dc=com DC1 d2e3badd-e07a-11d2-b573-0000f87a546b
If successful, Repadmin.exe displays the following message:
ReplicaSync() from source: d2e3badd-e07a-11d2-b573-0000f87a546b, to dest: DC1 is successful.
Optionally, you can use the following switches on the command line:
  • /force: Overrides the normal replication schedule.
  • /async: Starts the replication event. Repadmin.exe does not wait for the replication event to finish.
  • /full: Forces a full replication of all objects from the destination DSA.
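The procedure above reads the partner's objectGuid out of the /showreps report by eye. As an added example that is not from the original article, the following parses that report, lists the direct partners for each directory partition, flags any partner whose last attempt did not succeed (worth checking before forcing a sync), and builds the exact /sync command shown above. SAMPLE_OUTPUT is the report printed above with one constructed failing neighbor (DC3) appended; the wording of a failed-attempt line is an assumption.

```python
"""Parse `repadmin /showreps` output into inbound neighbors per directory
partition, look up the source objectGuid that `repadmin /sync` needs, and
flag partners whose last replication attempt did not succeed.

Added example, not from the original article. SAMPLE_OUTPUT is the report
shown above with one constructed failing neighbor (DC3) appended; the wording
of a failed-attempt line is an assumption."""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_OUTPUT = r"""
Redmond\DC1
DSA Options : (none)
objectGuid : 4a11d649-f9ab-11d2-b17f-00c04f5cb503
invocationID: 45d18b0b-f9ab-11d2-98b8-0000f87a546b

==== INBOUND NEIGHBORS ======================================

CN=Schema,CN=Configuration,DC=microsoft,DC=com
Redmond\DC2 via RPC
objectGuid: d2e3badd-e07a-11d2-b573-0000f87a546b
Last attempt @ 1999-05-03 18:07.04 was successful.
DC=support,DC=microsoft,DC=com
Redmond\DC2 via RPC
objectGuid: d2e3badd-e07a-11d2-b573-0000f87a546b
Last attempt @ 1999-05-03 18:07.09 was successful.
DC=support,DC=microsoft,DC=com
Redmond\DC3 via RPC
objectGuid: 0f0f0f0f-0000-4000-8000-000000000003
Last attempt @ 1999-05-03 18:07.12 failed, result 1722 (0x6ba):
"""

GUID_RE = re.compile(r"^objectGuid\s*:\s*([0-9a-f-]{36})", re.IGNORECASE)
NEIGHBOR_RE = re.compile(r"^(\S+\\\S+) via (\S+)$")
ATTEMPT_RE = re.compile(r"^Last attempt @ (\S+ \S+) (was successful|failed.*)")


@dataclass
class Neighbor:
    partition: str
    source: str        # Site\DC of the replication partner
    transport: str     # RPC or SMTP
    object_guid: str   # the value `repadmin /sync` takes as the source
    last_attempt: str
    succeeded: bool


@dataclass
class ShowReps:
    dsa: str                  # Site\DC the report describes
    dsa_guid: Optional[str]
    inbound: List[Neighbor]


def parse_showreps(text: str) -> ShowReps:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rep = ShowReps(dsa=lines[0], dsa_guid=None, inbound=[])
    in_inbound, partition, pending = False, None, None
    for ln in lines[1:]:
        if ln.startswith("===="):                       # section header
            in_inbound = ln.startswith("==== INBOUND")
        elif not in_inbound:                            # DSA header block
            if (m := GUID_RE.match(ln)) and rep.dsa_guid is None:
                rep.dsa_guid = m.group(1)
        elif ln.startswith(("CN=", "DC=")):             # new partition block
            partition = ln
        elif m := NEIGHBOR_RE.match(ln):
            pending = {"partition": partition, "source": m.group(1),
                       "transport": m.group(2)}
        elif (m := GUID_RE.match(ln)) and pending is not None:
            pending["object_guid"] = m.group(1)
        elif (m := ATTEMPT_RE.match(ln)) and pending and "object_guid" in pending:
            rep.inbound.append(Neighbor(last_attempt=m.group(1),
                                        succeeded=m.group(2) == "was successful",
                                        **pending))
            pending = None
    return rep


def source_guid(report: ShowReps, partition: str, source: str) -> Optional[str]:
    """objectGuid of `source` for `partition` (DN compared case-insensitively)."""
    for n in report.inbound:
        if n.partition.lower() == partition.lower() and n.source.lower() == source.lower():
            return n.object_guid
    return None


def failed_neighbors(report: ShowReps) -> List[Neighbor]:
    """Partners whose last attempt failed: investigate these before forcing a sync."""
    return [n for n in report.inbound if not n.succeeded]


def sync_command(report: ShowReps, partition: str, source: str) -> Optional[str]:
    """The `repadmin /sync` line that pulls `partition` from `source` into the DSA."""
    guid = source_guid(report, partition, source)
    if guid is None:
        return None
    dest = report.dsa.split("\\")[-1]          # Redmond\DC1 -> DC1
    return f"repadmin /sync {partition} {dest} {guid}"
```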
Initiating Replication Using Active Directory Replication Monitor
  1. On the Windows 2000-based computer that will run the script, install the Windows 2000 Support Tools Resource Kit, which includes Active Directory Replication Monitor (Replmon.exe).
  2. Start Active Directory Replication Monitor and click Add Site/Server on the Edit menu. Use the "Add Site or Server" Wizard to add the target server to the view.
  3. Replmon.exe identifies the directory partitions and displays them as child nodes to the target server in the left pane.
  4. Find and expand the directory partition that needs to be synchronized. All domain controllers listed for a given directory partition are source servers, but direct replication partners are displayed with an icon that represents two network-connected servers. Direct replication partners can also be identified by right-clicking a server and clicking Properties. The Properties dialog box displays the source server as a Direct Replication Partner, a Transitive Replication Partner, or a BridgeHead Connection (also a direct replication connection).
  5. Right-click the direct replication partner, and then click Synchronize Replica. Replmon.exe initiates replication and reports the success or failure of the request.
NetLogon Service

The NetLogon service is very important for domain controllers. This service is started and configured to start automatically when you promote a server to a domain controller, and if it is not running a number of things fail. The functionality of the NetLogon service on domain controllers is as follows:
  • The service is responsible for creating the secure channel between domain controllers and client computers. The secure channel is created to pass the authentication packets.
  • The service registers the SRV records, CNAME and other DC records in the DNS server to advertise the availability of domain controllers in the domain.
  • The SRV records registered by the NetLogon service are stored in the C:\Windows\System32\Config\NetLogon.DNS file.
  • It re-registers the SRV records every 24 hours, depending on the version of the operating system in use.
  • It registers the SRV records for a site where there is no domain controller. This is called Site Coverage.
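Because NetLogon writes the records it registers to Netlogon.dns, that file can be checked against what a client's DC locator needs to find. As an added example that is not from the original page, the following parses a Netlogon.dns file and reports any required SRV record that is missing, that points at the wrong service port, or whose target is not this DC (ports taken from the port list later on this page: Kerberos 88, LDAP 389, Kerberos password change 464, global catalog 3268). The file contents, the domain contoso.com, the site Default-First-Site-Name and the host dc1 are constructed, and the set of records treated as required is my own minimal assumption, not an official list.

```python
"""Parse a Netlogon.dns file and check that the SRV records the DC locator
depends on are present, point at this DC, and use the expected service port.

Added example, not from the original page. SAMPLE_NETLOGON_DNS is
constructed (domain contoso.com, site Default-First-Site-Name, host dc1),
and REQUIRED_SERVICES is my own minimal assumption about which records a DC
must register, not an official list."""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_NETLOGON_DNS = """\
contoso.com. 600 IN A 10.0.0.5
_ldap._tcp.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
_ldap._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
_kerberos._tcp.contoso.com. 600 IN SRV 0 100 88 dc1.contoso.com.
_kerberos._tcp.Default-First-Site-Name._sites.contoso.com. 600 IN SRV 0 100 88 dc1.contoso.com.
_kpasswd._tcp.contoso.com. 600 IN SRV 0 100 464 dc1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com. 600 IN SRV 0 100 389 dc1.contoso.com.
_gc._tcp.contoso.com. 600 IN SRV 0 100 3268 dc1.contoso.com.
"""

# Owner-name template -> port, using the port list on this page
# (Kerberos 88, LDAP 389, Kerberos password change 464, global catalog 3268).
REQUIRED_SERVICES = {
    "_ldap._tcp.{domain}": 389,
    "_kerberos._tcp.{domain}": 88,
    "_kpasswd._tcp.{domain}": 464,
    "_ldap._tcp.{site}._sites.{domain}": 389,
    "_kerberos._tcp.{site}._sites.{domain}": 88,
    "_ldap._tcp.dc._msdcs.{domain}": 389,
}
GC_SERVICE = ("_gc._tcp.{domain}", 3268)   # expected only if the DC is a global catalog

SRV_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$",
                    re.IGNORECASE)


@dataclass
class SrvRecord:
    owner: str
    ttl: int
    priority: int
    weight: int
    port: int
    target: str


def parse_netlogon_dns(text: str) -> List[SrvRecord]:
    """Keep only SRV records; names are lower-cased with the trailing dot dropped."""
    records = []
    for line in text.splitlines():
        m = SRV_RE.match(line.strip())
        if m:
            owner, ttl, prio, weight, port, target = m.groups()
            records.append(SrvRecord(owner.rstrip(".").lower(), int(ttl), int(prio),
                                     int(weight), int(port), target.rstrip(".").lower()))
    return records


def expected_records(domain: str, site: str, is_gc: bool) -> Dict[str, int]:
    """Owner name -> port this DC should have registered (assumed minimal set)."""
    names = {k.format(domain=domain.lower(), site=site.lower()): v
             for k, v in REQUIRED_SERVICES.items()}
    if is_gc:
        names[GC_SERVICE[0].format(domain=domain.lower())] = GC_SERVICE[1]
    return names


def check_registration(records: List[SrvRecord], domain: str, site: str,
                       dc_fqdn: str, is_gc: bool) -> List[str]:
    """Findings for a DC's Netlogon.dns: a missing required record, a required
    record on the wrong port, or any record whose target is not this DC."""
    dc = dc_fqdn.lower()
    findings = []
    for owner, port in expected_records(domain, site, is_gc).items():
        hits = [r for r in records if r.owner == owner and r.target == dc]
        if not hits:
            findings.append(f"missing: {owner} -> {dc}")
        elif any(r.port != port for r in hits):
            findings.append(f"unexpected port for {owner}: "
                            f"{sorted(r.port for r in hits)} (expected {port})")
    for r in records:
        if r.target != dc:
            findings.append(f"unexpected target in {r.owner}: {r.target}")
    return findings
```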

Group Policy Processing At Client Computers

A client computer joined to a domain gathers the list of GPOs to be processed as follows:
  • The client computer starts.
  • The Winlogon service on the client computer starts. The DC Locator component calls the DsGetDcName API to find a domain controller, and a DNS query is sent to the configured DNS server.
  • The DNS server receives the DNS query and returns the list of domain controllers.
  • Winlogon selects one of the domain controllers in the list and then authenticates the client computer.
  • Winlogon now processes the GPOs to be applied to the computer.
  • It checks the location of the computer account in Active Directory and then checks the GPOs configured on the OU.
  • Winlogon checks the following permissions for the computer account.
How To Use DsQuery To Find All The Domain Controllers In The Domain or Forest?

There are many command-line tools that can be used to interact with Active Directory, such as DsMod, DsQuery and DsGet. This article explains the DsQuery command-line tool and shows how you can use it to get the list of domain controllers based upon your requirement.
To find all the domain controllers in the forest with DN and RDN:
  • DsQuery Server -o rdn -Forest
  • DsQuery Server -Forest
To find all the domain controllers in a domain:
  • DsQuery Server -domain domain_name.com
To list all the domain controllers in a domain that are also Global Catalog Servers:
  • DsQuery Server -domain domain_name.com -isgc
To list the domain controller in the forest that holds the Schema FSMO:
  • DsQuery Server -Forest -hasfsmo schema
Note: Use ">" to redirect the output to a text file. The command below stores all the domain controller names in AllDCs.txt.
  • DsQuery Server -Forest > AllDCs.txt
How To Quickly Check If Newly Created GPO Replicated To All Domain Controllers?

When you create a new GPO, that GPO must be replicated to all other domain controllers of that domain. There is a quick way to check this using GPOTool.exe:
  • gpotool.exe /gpo:GPO_Name_Here /verbose
You need to run the above command on the domain controller on which you created the GPO. If the policy has replicated to all the domain controllers, you will see a "Policy Ok" message. If it has not replicated yet, the tool lists the names of the domain controllers that have not received the GPO yet.
What Ports Are Required By Domain Controllers And Client Computers?

Active Directory communication takes place using several ports. These ports are required by both client computers and Domain Controllers. As an example, when a client computer tries to find a domain controller it always sends a DNS Query over Port 53 to find the name of the domain controller in the domain.
The following is the list of services and their ports used for Active Directory communication:
  • UDP Port 88 for Kerberos authentication
  • UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations.
  • TCP Port 139 and UDP 138 for File Replication Service between domain controllers.
  • UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
  • TCP and UDP Port 445 for File Replication Service
  • TCP and UDP Port 464 for Kerberos Password Change
  • TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
  • TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.
Opening the above ports in a firewall between client computers and domain controllers, or between domain controllers, enables Active Directory to function properly.

A Quick Tip To Check If PDC Emulator Is Working

The PDC Emulator plays an important role in Active Directory. If your PDC Emulator fails, certain domain and security functions can stop working. If any of the following occurs, you should check whether your PDC Emulator is working properly:
  • Time is not syncing: the PDC is the default time source for client computers. If client computers are not syncing their time, you should always check the PDC.
  • User accounts are not locked out: the PDC Emulator processes account lockouts immediately for the entire domain.
  • Pre-Windows 2000 computers are unable to change their passwords: it is again the PDC Emulator that processes the password changes for pre-Windows 2000 computers.
  • Windows NT BDCs are not getting updates: the PDC Emulator replicates Active Directory data to Windows NT BDCs.
How to verify PDC Emulator role in the domain?
Run the following command:
dsquery server -hasfsmo pdc
The above command will return the FQDN (Fully Qualified Domain Name) of the domain controller who is holding the PDC Emulator role.

Finding global catalog servers

How can you quickly find the global catalog servers in your domain? Two command-line tools are helpful here:
1. First, you can type repadmin.exe /options * to list the options of every domain controller; those whose output includes IS_GC are global catalog servers.
2. And second, you can type nltest /dsgetdc:corp /GC (where corp is your domain name) to ask the DC locator for a global catalog server, the same lookup clients perform through the _gc._tcp SRV records in DNS.
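As an added example covering both the PDC Emulator check and the global catalog lookup above (this is not code from the original page), the following PowerShell script uses the .NET System.DirectoryServices.ActiveDirectory classes, available on Windows Server 2003 with .NET Framework 2.0, to locate every FSMO role holder, confirm that the PDC Emulator answers LDAP, compare the local clock with it, and list the global catalogs in the forest. It runs from any domain member and hard-codes no names.

```powershell
# Added example (not from the original page). Locates the FSMO role holders,
# checks the PDC Emulator for LDAP and clock skew, and lists global catalogs.
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest
$pdc    = $domain.PdcRoleOwner

"Domain         : {0}" -f $domain.Name
"PDC Emulator   : {0} (site {1})" -f $pdc.Name, $pdc.SiteName
"RID Master     : {0}" -f $domain.RidRoleOwner.Name
"Infrastructure : {0}" -f $domain.InfrastructureRoleOwner.Name
"Schema Master  : {0}" -f $forest.SchemaRoleOwner.Name
"Domain Naming  : {0}" -f $forest.NamingRoleOwner.Name

# 1. Is the PDC Emulator actually answering LDAP? Reading its rootDSE is the
#    cheapest round trip there is and needs no special rights.
try {
    $rootDse = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($pdc.Name)/RootDSE")
    "LDAP on PDC    : OK, highestCommittedUSN {0}" -f $rootDse.Properties["highestCommittedUSN"][0]
} catch {
    "LDAP on PDC    : FAILED - {0}" -f $_.Exception.Message
}

# 2. Is this machine's clock within the 5-minute Kerberos tolerance of the PDC?
#    DomainController.CurrentTime reads the DC's rootDSE currentTime (UTC).
try {
    $skew    = [Math]::Abs(($pdc.CurrentTime - (Get-Date).ToUniversalTime()).TotalSeconds)
    $verdict = if ($skew -gt 300) { "EXCEEDS Kerberos tolerance" } else { "OK" }
    "Clock skew     : {0:N1} s - {1}" -f $skew, $verdict
} catch {
    "Clock skew     : could not read time from PDC - {0}" -f $_.Exception.Message
}

# 3. Global catalog servers in the whole forest (same answer as IS_GC in
#    repadmin /options, but for every domain at once).
"Global catalogs:"
foreach ($gc in $forest.GlobalCatalogs) {
    "  {0,-40} site {1}" -f $gc.Name, $gc.SiteName
}
```

If the FSMO lookup itself throws, the role holder recorded in the directory is unreachable or has been demoted without transferring the role, which is the case where seizing the role with ntdsutil becomes necessary.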

Identifying Unused Accounts

A company I know wanted to identify any user accounts belonging to users who had not logged on to the network for an extended period of time. After discussing several options, they came up with the following solution: use the DSQUERY user -inactive NumberOfWeeks command to list all user accounts that have not logged on to Active Directory during the specified number of weeks (the same switch works with DSQUERY computer for machine accounts).
Note that -inactive relies on the lastLogonTimestamp attribute, which exists only once the domain is at the Windows Server 2003 functional level, and which is only updated when its previous value is more than 14 days old, so a NumberOfWeeks below two is meaningless. If your domain still has Windows 2000 domain controllers and runs at the Windows 2000 mixed or native level, use DSQUERY user -stalepwd NumberOfDays instead, which keys on pwdLastSet; for computer accounts, whose passwords rotate every 30 days by default, DSQUERY computer -stalepwd 90 is a reasonable starting point. Either way, review the list before disabling anything: service accounts and accounts used only through delegation may legitimately never log on interactively.
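The following is an added example, not part of the original page. It performs the same search that DSQUERY user -inactive does, written out with a DirectorySearcher so that the attribute (lastLogonTimestamp) and the FILETIME threshold it relies on are visible, and it goes a step further by also reporting pwdLastSet and whenCreated for each hit, so newly created accounts that simply have not logged on yet can be told apart from abandoned ones. The eight-week window is an assumed value.

```powershell
# Added example (not from the original page). Same query as
# "dsquery user -inactive", done with a DirectorySearcher. $weeks is assumed.
$weeks  = 8
$cutoff = (Get-Date).AddDays(-7 * $weeks).ToFileTimeUtc()   # lastLogonTimestamp is a FILETIME (UTC)

$rootDse = [ADSI]"LDAP://RootDSE"
$base    = [ADSI]("LDAP://" + $rootDse.defaultNamingContext)
$s = New-Object System.DirectoryServices.DirectorySearcher($base)
$s.PageSize = 1000      # paged search: a large domain exceeds the 1000-entry server limit

# Enabled users (ACCOUNTDISABLE bit 0x2 clear, tested with the bitwise-AND
# matching rule) whose lastLogonTimestamp is older than the cutoff. Accounts
# with no value at all have never logged on since the attribute was introduced
# at the 2003 functional level, so they are matched separately and included.
$s.Filter = "(&(objectCategory=person)(objectClass=user)" +
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
            "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*))))"
[void]$s.PropertiesToLoad.AddRange([string[]]@("sAMAccountName", "lastLogonTimestamp",
                                              "pwdLastSet", "whenCreated", "distinguishedName"))

$results = foreach ($r in $s.FindAll()) {
    $p = $r.Properties       # property names come back lower-case
    $lastLogon = if ($p["lastlogontimestamp"].Count -gt 0) {
        [DateTime]::FromFileTimeUtc($p["lastlogontimestamp"][0])
    } else { $null }         # $null: no logon ever recorded
    $pwdSet = if ($p["pwdlastset"].Count -gt 0 -and $p["pwdlastset"][0] -gt 0) {
        [DateTime]::FromFileTimeUtc($p["pwdlastset"][0])
    } else { $null }         # $null: "user must change password at next logon"
    New-Object PSObject -Property @{
        Account     = $p["samaccountname"][0]
        LastLogon   = $lastLogon
        PasswordSet = $pwdSet
        Created     = $p["whencreated"][0]
        DN          = $p["distinguishedname"][0]
    }
}

# Accounts created inside the window with no logon yet are noise, not abandoned.
$results |
    Where-Object { $_.LastLogon -ne $null -or $_.Created -lt (Get-Date).AddDays(-7 * $weeks) } |
    Sort-Object LastLogon |
    Format-Table Account, LastLogon, PasswordSet, Created -AutoSize
```

lastLogonTimestamp is replicated, so any domain controller gives the same answer to within the 14-day update window; the unreplicated lastLogon attribute is exact but would have to be read from every domain controller and the most recent value taken.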
Repadmin vs Replmon
Ned here again. The AD Replication Monitor utility (Replmon.exe) was introduced with the Windows 2000 Support Tools many years ago as a GUI mechanism for performing certain DC admin tasks. With the release of Windows Server 2008 Replmon was not included and we stopped making add-on Support Tools. Every few weeks someone asks me "where do I download the Windows Server 2008 version of Replmon?" Nowhere. It's done. Buried. Gone. Kaput. If you want it, you must run the old Windows Server 2003 version. Today I will talk about moving on with its supported replacement, Repadmin.exe.

Background
Replmon grew out of the need for a more useful tool than the AD Sites and Services snap-in (dssites.msc). DS Sites offered only a basic view of the topology, and had very limited options for forcing replication or seeing errors in the topology.


On the other hand, Replmon exposed more information and had a deeper view into the AD partitioning structure. It was designed not by the Windows Product Group but rather by an engineer in PSS. Like all Support Tools, it was not truly supported but instead provided ‘AS IS’.


Replmon gave an administrator the ability to quickly force replication, get basic status reports, and see information about the environmental configuration.


It was also written in a graphical format rather than a command-line interface. When Active Directory was first released 10 years ago, most tools were given more attention in their GUI rather than command-line versions. Customers were already overwhelmed with the radical changes of AD over NT and having a GUI was a highly desirable feature for a complex and not well-understood product like Active Directory.
That was then.
Now AD is as ubiquitous as Windows in most customer environments. Windows administrators are much more comfortable with the command-line, and that’s great – because repadmin.exe is now equal or superior to Replmon. Don’t believe me? Let’s compare.
Moving On with Repadmin Syncall
The most common operation with Replmon was to have it "push" AD replication outbound from a given DC where someone had made a change and wanted it to propagate quickly to all partners. I put "push" in quotes because AD replication is always pull-based; there is no such thing as push. What Replmon was actually doing was contacting the partner DCs and telling them to replicate inbound immediately. To do this you would:
1. Start Replmon.
2. Type in (or search for) the DC.
3. Right click the DC or partition and choose Synchronize to force replication.
4. Select if you wanted to pull or push, cross AD sites or not, and disable transitivity or not.



Then you waited for it to finish. There were no immediate results to view, and you weren't always going to see useful messages, when anything was shown at all. The only progress indicator was a small status bar:


And you might also see:

If there was a problem you would get an error, but it could be misleading. For example, here is the error you get when forcing replication of the Domain partition while one of the DCs is offline for maintenance:


Now contrast this with the Repadmin.exe steps for the same server, doing a push replication of all partitions:
1. Run:
Repadmin /syncall DC_name /APed
2. There is no step 2, we’re done. :-)
By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon is doing. Except that you did it in one step, not many. And with the benefit of seeing immediate results on how the operations are proceeding. If I am running it on the DC itself, I don’t even have to specify the server name.


What about the situation I showed earlier where one of the DCs was offline for maintenance? In this case I am going to have Repadmin synchronize just the Domain partition, pushing across site boundaries:
Repadmin /syncall /Pe dc_name naming_context
With Repadmin we get a much more specific error:


Those are legitimate errors that are documented and can be researched.
Status Checking
Replmon had the option to generate a status report text file. It could tell you which servers were configured to replicate with each other, if they had any errors, and so on. It was pretty useful actually, and one of the main reasons people liked the tool.
Repadmin.exe offers similar functionality within a few of its command line options. For example, we can get a summary report:
Repadmin /replsummary *

Here several DCs have been taken offline. Repadmin shows the correct error, 58 (the specified server cannot perform the requested operation): the remaining DCs cannot reach them and so cannot tell you their status.
You can also use more verbose commands with Repadmin to see details about which DCs are or are not replicating:
Repadmin /showrepl *

If you want to generate a ‘repadmin status report’ that generates a bunch of useful status information, give this simple batch file a try:

@echo off
REM replreport.cmd - gather a Repadmin status report into replreport.txt.
REM Usage: replreport.cmd DC_LIST
REM   DC_LIST is a DC name, a partial name with wildcards, or * for all DCs
REM   (anything Repadmin's DC_LIST syntax accepts; see repadmin /listhelp).
if "%~1"=="" (
    echo Usage: %~nx0 DC_LIST
    exit /b 1
)
echo.
echo Gathering Report for DCLIST = %1
echo.
echo Report for DCLIST = %1 > replreport.txt
echo. >> replreport.txt
echo. >> replreport.txt
echo Gathering Verbose Replication and Connections
echo Verbose Replication and Connections >> replreport.txt
echo. >> replreport.txt
repadmin /showrepl %1 /all >> replreport.txt 2>&1
echo. >> replreport.txt
echo Gathering Bridgeheads
echo Bridgeheads >> replreport.txt
echo. >> replreport.txt
repadmin /bridgeheads %1 /verbose >> replreport.txt 2>&1
echo. >> replreport.txt
echo Gathering ISTG
echo ISTG >> replreport.txt
echo. >> replreport.txt
repadmin /istg %1 >> replreport.txt 2>&1
echo. >> replreport.txt
echo Gathering DRS Calls
echo Outbound DRS Calls >> replreport.txt
echo. >> replreport.txt
repadmin /showoutcalls %1 >> replreport.txt 2>&1
echo. >> replreport.txt
echo Gathering Queue
echo Queue >> replreport.txt
echo. >> replreport.txt
repadmin /queue %1 >> replreport.txt 2>&1
echo. >> replreport.txt
echo Gathering KCC Failures
echo KCC Failures >> replreport.txt
echo. >> replreport.txt
repadmin /failcache %1 >> replreport.txt 2>&1
echo. >> replreport.txt
echo Gathering Trusts
echo Trusts >> replreport.txt
echo. >> replreport.txt
repadmin /showtrust %1 >> replreport.txt 2>&1
echo. >> replreport.txt
echo Gathering Replication Flags
echo Replication Flags >> replreport.txt
echo. >> replreport.txt
repadmin /bind %1 >> replreport.txt 2>&1
echo. >> replreport.txt
echo Done.

Copy and paste into notepad, save as a CMD file and run it with a server name, a partial server name with wildcards, or an asterisk. It supports whatever Repadmin supports.
So to get data from one server, like with Replmon:
Replreport.cmd server1
Or to get data from all DC’s (which Replmon cannot do):
Replreport.cmd *
Or to get data from all servers that have names starting with “SANFRAN“:
Replreport.cmd sanfran*
It will output to a text file called replreport.txt. Anything Repadmin can do, you can do in this batch file.
More More More
Repadmin can do even more for monitoring. Such as:
Tell you the last time your DCs were backed up, by reading the dSASignature attribute from all servers:
Repadmin /showbackup *
Or output all replication summary information from all DCs to a CSV format that you can open in a spreadsheet or database. Here I’ve brought my DCs back online and replicated any pending changes. Then I get a replication report:
Repadmin /showrepl * /csv
Or you can see what your replication backlog is currently in the queue, like here:
Repadmin /queue *
Or you can see which changes have not yet replicated from a server, as well as what changes have replicated since the last time the command was run, with /showchanges:
repadmin /showchanges destination_DC source_DSA_GUID domain_DN
(69) add CN=Ned Pyle,CN=Users,DC=adatum,DC=com
1> parentGUID: a90a9633-2682-4896-be86-21220cf24f0c
1> objectGUID: e8f0e0a2-69aa-4e4e-9f74-3db79ad6f3b7
4> objectClass: top; person; organizationalPerson; user
1> sn: Pyle
1> givenName: Ned
1> instanceType: 0x4 = ( WRITE )
1> whenCreated: 6/21/2009 9:05:32 AM Pacific Daylight Time
1> displayName: Ned Pyle
1> nTSecurityDescriptor: O:DAG:DAD:AI
1> name: Ned Pyle
1> userAccountControl: 0x10200 = ( NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD )
1> codePage: 0
1> countryCode: 0
1> pwdLastSet: 6/21/2009 9:05:32 AM Pacific Daylight Time
1> primaryGroupID: 513 = ( GROUP_RID_USERS )
1> objectSid: S-1-5-21-3776065869-1984782319-1196103478-1107
1> accountExpires: (never)
1> sAMAccountName: nedpyle
1> sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT )
1> userPrincipalName: nedpyle@adatum.com
1> objectCategory: <GUID=4ed8da23575bed48b12cd36061257c14>;CN=Person,CN=Schema,CN=Configuration,DC=adatum,DC=com
Neat right? That’s a user I created while the other DC was offline, in the list of pending changes. I snipped out another long list of changes that were also pending. Pretty useful to see if a DC that has not been replicating for a while is worth spending time trying to fix or is better off demoting.
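The CSV output of repadmin /showrepl * /csv shown above is the form most worth automating. The following is an added example, not part of Ned's post: a PowerShell function that turns that CSV into a pass/fail report, flagging partners with failures and, separately, partners with no failures but no successful replication inside a time window (the silent case that a failure count alone misses). It needs PowerShell 2.0 or later for ConvertFrom-Csv. The three data rows are constructed in the shape repadmin emits (a showrepl_COLUMNS header row followed by showrepl_INFO rows) so the script runs offline; the server names, times and the 24-hour threshold are assumptions.

```powershell
# Added example (not from the original post). Scores "repadmin /showrepl * /csv"
# output; rows are FAILING (failure count > 0), STALE (no failures but the last
# success is older than $MaxHoursSinceSuccess), or OK.
function Get-ReplicationHealth {
    param(
        [string[]]$CsvLines,                  # lines from repadmin /showrepl * /csv
        [int]$MaxHoursSinceSuccess = 24,      # assumed threshold for "stale"
        [DateTime]$Now = (Get-Date)
    )
    $CsvLines | ConvertFrom-Csv | ForEach-Object {
        $failures = [int]$_.'Number of Failures'
        $lastOk   = $null
        if ($_.'Last Success Time' -and $_.'Last Success Time' -ne '0') {
            $lastOk = [DateTime]::Parse($_.'Last Success Time')
        }
        $hours = if ($lastOk) { ($Now - $lastOk).TotalHours } else { [double]::PositiveInfinity }
        $state = 'OK'
        if ($failures -gt 0)                       { $state = 'FAILING' }
        elseif ($hours -gt $MaxHoursSinceSuccess)  { $state = 'STALE' }
        New-Object PSObject -Property @{
            Destination   = $_.'Destination DSA'
            Source        = $_.'Source DSA'
            NamingContext = $_.'Naming Context'
            Failures      = $failures
            HoursSinceOK  = [Math]::Round($hours, 1)
            LastError     = $_.'Last Failure Status'   # Win32 error, e.g. 58 or 1722
            State         = $state
        }
    }
}

# Constructed sample in repadmin's CSV layout. For live data use:
#   $lines = repadmin /showrepl * /csv
$lines = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=adatum,DC=com",Default-First-Site-Name,DC2,RPC,0,0,2009-06-21 09:10:00,0
showrepl_INFO,Default-First-Site-Name,DC1,"DC=adatum,DC=com",SanFran,DC3,RPC,12,2009-06-21 09:12:00,2009-06-19 23:00:00,58
showrepl_INFO,SanFran,DC4,"CN=Configuration,DC=adatum,DC=com",Default-First-Site-Name,DC1,RPC,0,0,2009-06-18 02:00:00,0
'@ -split "`r?`n"

Get-ReplicationHealth -CsvLines $lines -Now ([DateTime]'2009-06-21 10:00:00') |
    Sort-Object State, Destination |
    Format-Table Destination, Source, NamingContext, Failures, HoursSinceOK, LastError, State -AutoSize
```

With the sample data DC1 from DC2 is OK, DC1 from DC3 is FAILING with error 58, and DC4 from DC1 is STALE: zero failures, but no successful inbound replication of the Configuration partition for over three days. The STALE case is the one to watch, because a DC that stops replicating without errors drifts toward the tombstone lifetime and lingering objects with nothing in /replsummary to show for it.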
Other Repadmin capabilities
Repadmin has plenty of other secrets you can use for monitoring, administering, and troubleshooting – most of which Replmon cannot do:
  • Replicate a single specific object
  • View and modify RODC password policies as well as trigger password caching
  • Create, modify, and delete replication topology
  • Remove lingering objects
  • Manipulate Global Catalog partitions
  • Set replication registry values
  • Export data to Excel-ready text
  • Way more cool stuff…
Need to see all the help?
Basic help - Repadmin /?
Help on selecting DCs - Repadmin /listhelp
Advanced command help - Repadmin /experthelp
Help and examples for every parameter - Repadmin /?:parameter (for example, Repadmin /?:syncall)
