Re: [ActiveDir] slow replication partner / site link config

2004-02-08 Thread Graham Turner
Joe, thanks for the post reply.

first about the dns registrations - will put this right on Mon AM - i have
misread the article (Authentication Topology, authored by Gil Fitzpatrick)
used as reference for this technique

- the article quotes to add all mnemonics except DcByGuid - this was
subsequently corrected to DSAcName

am just wondering whether this error would be sufficient to cause the
observed behaviour - my suspicion is not and that my admin of the site link
configuration is not correct.

to answer directly your qu 1

it is set currently to a value of 1440 (1 day) - the value being required
as no. of minutes - the intended interval is 5 days and this is a step to
test the modification of replication interval

if i read your 2nd qu correctly you are checking to see if this change to the
site configuration has reached the slow replication partner - to check
this i set the focus of AD sites and services to the slow replication
partner which does in fact have the revised correct value of 1440

i thought that the KCC (which runs by default every 15 mins on win2k)
would run on the slow replication partner to enumerate its replication
schedule - and no further administrative action needs to be taken ???

 this appears not the case but then i guess we need to put the
DnsAvoidRegisterRecords config right first to get any sort of normal
behaviour - will advise subsequent to this change

this begs the question of how would an admin view the net replication
schedule of a particular server to enumerate the time when next it will
replicate - I guess it could be inferred from a previous replication time
(as in repadmin) and the site link configuration (which just defines an
interval)  - it just seems to me that a view of the actual replication
schedule would be helpful ?

GT

- Original Message -
From: joe [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Sunday, February 08, 2004 1:26 AM
Subject: RE: [ActiveDir] slow replication partner / site link config


 Howdy Graham.

 This is something that is near to my heart right now as I am working out a
 similar thing for our DR utilizing some virtualization software - we are
 testing virtual server for this.

 Let me pop a couple of the questions here...

 The question regarding the DNSAvoidRegisterRecords seeming to be an
 additional unneeded step. The point behind this should be to remove the
 records from the generic zones of the domain (and forest if this is a GC).
 Even though you are in a specific site there are cases where these DCs
 could still be hit by clients. Those cases being a machine that isn't in a
 defined subnet (I recommend a high level definition even up to being an
 8 bit definition to direct these to a known site like a hub) or when the
 normally correct DC isn't responding properly to requests.

 I don't think that DSACName is the record you want to stop publishing
 though. The clients don't use that record to my knowledge. That is used by
 other DCs to find the DC for replication purposes. That is one you would
 want to be registered unless something is registering it otherwise on your
 behalf. Without that record in DNS, DCs won't be able to connect to that DC
 to pull changes.

 I believe the records you want to prevent getting published are:

 LdapIpAddress
 Ldap
 DcByGuid
 Kdc
 Dc
 Rfc1510Kdc
 Rfc1510UdpKdc
 Rfc1510Kpwd
 Rfc1510UdpKpwd

 If it is a GC the following as well

 Gc
 GcIpAddress
 GenericGc


 That list may be more extensive than is needed but seems to catch all of
 the non-site specific records, if you have machines in the same site you
 may even want to kill the site specific ones.



 The second part of your post indicates that the server isn't replicating
 on the extended frequency you have set. The questions I have around this
 are

 1. What is the frequency you have set?

 2. Do you see it listed as a change notification partner on any of the DCs
 in the Enterprise when looking at the partners via repadmin? Or do you see
 it listing any DCs as change notification partners for it?

 I have been successful at setting longer replication periods up to almost
 a week long (Greater than that and it seems to ignore the schedule).


  joe






RE: [ActiveDir] slow replication partner / site link config

2004-02-08 Thread joe
Great on the DNS registrations. I have got to sit down and read that entire
Gil article... 

The second question is to check to see if the site link info did replicate
and if everything is cool [1] with the connection objects. You didn't
indicate what this normal frequency is that it is replicating at so I am
wondering if it had indeed gotten that change to the server and that the
replication wasn't in a change notification setting right now. 

I have seen in the past people who have moved server objects between sites
and the connection objects maintained information that made them replicate
incorrectly. Most recently I saw a person with a site that had a server in
it that was replicating on an intersite schedule even though it was in the
same site as the other DCs. The solution was to delete all connection
objects involving it. Possibly there was some value in the connection
objects that could have been updated but I didn't dig into it closely enough
and haven't had time since to try and duplicate.

Obviously another thing to check is to make sure that the site link isn't
enabled for change notification.

  joe


[1] - Cool being a technical term in this use. :)

 


Re: [ActiveDir] slow replication partner / site link config

2004-02-08 Thread Graham Turner
Joe, what's this working on a sunday afternoon ??!!

does not setting the focus of AD sites and services to the remote server not
verify that the site link has replicated ??

all other site links have default interval of 180 mins so i know it to be
different

change notification on the site link being enabled on it sounds
interesting - is this exposed via any GUI (repadmin) or otherwise ? or do we
need to look at the directory directly ?

is it typical for a server moved between sites to retain its previous
site affiliation subsequent to moves - not too sure what the administrator
did precisely in the move ?

all i can tell is that the AD sites and services / netdiag thinks that it is
in the right site

GT






RE: [ActiveDir] slow replication partner / site link config

2004-02-08 Thread joe
Ah this isn't work. This is non-work work. If working I wouldn't have time
to respond. :o)


So yes, I am non-work working on Sunday. 


Yes setting the focus to that DC should verify that the site link update
replicated. 

A quick check to see all of your default intervals that aren't set at 180
minutes quickly would be to do 

adfind -h servername -config -f "(&(objectcategory=sitelink)(!(replinterval=180)))" replinterval


Do that against a known good server and on the one that you have segregated.
That just double-checks what you saw in the GUI.

Now when people run that many end up finding site links that were configured
to something else and are like WTF, how did that get set... Don't lose your
focus for this problem first. :o)


Ok so now you have verified that the link is set properly. What is the
replication frequency you are seeing? You can figure this out by looking at
the repadmin /showreps command occasionally and checking last replication.
If you want to actually see the replication work that is queued at any given
second you can also use adqueueloop like this

adqueueloop -h servername -delay 1000 -top

That will show everything [1] that is coming through the queue. 

I agree knowing when the next scheduled replication will take place would be
nice. I don't think that is exposed anywhere for us though. 

Oh yeah, adfind and adqueueloop are both on the free win32 tools page of
www.joeware.net. 



   joe


[1] Everything that is in the queue when the call goes out that is. If you
get quick requests that take less than a second to complete they can slip
through without being seen and you will know this is happening based on
queue number. If you see that happening you can kill the delay parameter and
it will run as fast as it can though things can still slip through.
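
Added example (not part of the original thread and not joeware code): the two checks discussed in this message and the previous one, done offline over saved query output. It compares each site link's replInterval as seen by a known-good DC and by the segregated DC, and tests the siteLink options attribute for the change-notification bit (0x1). The sample text is constructed and assumed to follow adfind's default "dn:" / ">attr: value" layout; the link name HUB-LAG and the domain example.com are hypothetical.

```python
# Added example: compare siteLink settings as seen by two DCs.
# Sample text is constructed; the "dn:" / ">attr: value" layout is assumed
# to match adfind's default output. HUB-LAG and example.com are hypothetical.

USE_NOTIFY = 0x1      # siteLink "options" bit: change notification on the link
ONE_WEEK = 10080      # minutes; the thread reports longer intervals being ignored
WANTED = {"replinterval": "replInterval", "options": "options"}

BASE = "CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=example,DC=com"

HUB_DC_OUTPUT = f"""\
dn:CN=DEFAULTIPSITELINK,{BASE}
>replInterval: 180

dn:CN=HUB-LAG,{BASE}
>replInterval: 1440
>options: 1
"""

LAG_DC_OUTPUT = f"""\
dn:CN=DEFAULTIPSITELINK,{BASE}
>replInterval: 180

dn:CN=HUB-LAG,{BASE}
>replInterval: 180
"""


def parse_site_links(text):
    """Return {link name: {"replInterval": int or None, "options": int}}."""
    links, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("dn:"):
            rdn = line[3:].strip().split(",", 1)[0]        # e.g. "CN=HUB-LAG"
            current = links.setdefault(rdn.split("=", 1)[1],
                                       {"replInterval": None, "options": 0})
        elif line.startswith(">") and current is not None:
            name, _, value = line[1:].partition(":")
            key = WANTED.get(name.strip().lower())
            if key:
                current[key] = int(value)
    return links


def review(reference, suspect):
    """Check the suspect DC's copy of each site link against a known-good DC."""
    findings = []
    for name, ref in sorted(reference.items()):
        seen = suspect.get(name)
        if seen is None:
            findings.append(f"{name}: not present on suspect DC")
            continue
        if seen["replInterval"] != ref["replInterval"]:
            findings.append(f"{name}: replInterval is {ref['replInterval']} on the "
                            f"reference DC but {seen['replInterval']} on the suspect DC")
        if (ref["options"] | seen["options"]) & USE_NOTIFY:
            findings.append(f"{name}: change notification is enabled on the link")
        if (ref["replInterval"] or 0) > ONE_WEEK:
            findings.append(f"{name}: replInterval exceeds one week")
    return findings


if __name__ == "__main__":
    for finding in review(parse_site_links(HUB_DC_OUTPUT),
                          parse_site_links(LAG_DC_OUTPUT)):
        print(finding)
```

An absent options attribute is treated as 0 (no flags set), and an absent replInterval is reported as None rather than guessed.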


 


[ActiveDir] slow replication partner / site link config

2004-02-05 Thread Graham Turner
a server has been joined to the AD infrastructure and promoted to DC for the
specific purpose of recovery of AD objects.

the intention is to configure the replication topology following what seems
to be termed as lazy replication partner model.

to this end the following tasks have been completed;

it is connected to a subnet on which there are no other AD hosts
a site / subnet has been defined
site link linking it to a hub site defined

netdiag confirms its site membership

the server has been reconfigured with the following registry value -
DNSAvoidRegisterRecords with the data of DSACname -

this change is made with the intention of preventing it authenticating any
logon requests - this would seem to be an additional step given that site
membership should dictate no clients discover it

once the server is fully replicant, the site link has been configured with
an extended value of the number of hours but yet the slow server is still
replicating on the normal frequency

it would seem that the replication topology has not learnt the
configuration of the site link to the slow replication site/server.

qu - is this by design and if so do we need to force a refresh of the
replication topology - is this what repadmin /kcc does ?

GT





List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/