Wednesday 28 September 2016

Active Directory Sites and Services with Replication

Replication is a very important feature of Active Directory: it copies directory data from one DC to another DC. This keeps a remote site up if there is a network or server issue between branches. Once you are done implementing the primary and secondary DC, you will see in Sites and Services a Default-First-Site-Name, where both DCs are added automatically. From the Sites and Services console you can create and manage the branches of your organization; it also helps the admin troubleshoot and keep an inventory of which DC belongs to which location.
The primary DC automatically replicates its data to the secondary using this mechanism. The data gets replicated not only within the same physical location but to remote locations too. This is configured from the Sites and Services console.
For a better understanding you can refer to these images, which I took in my lab.

The first figure was taken on the Windows 2003 root DC (which is the primary domain controller) and the second on the 2012 AD server (which is the child domain controller). After configuring Sites and Services I can see that all of it is updated and replicated to the child as well as to the additional domain controller.
I had created two other sites in my lab to explain more about replication. A new site can be created from the root DC by right-clicking and choosing New, and there you give it a name as per best practice. If you have also created IP subnets, the second screen will ask you to map the site to a specific subnet and IP; I had not created any, so by default it maps to DEFAULTIPSITELINK.

In the image above you can see that on ROOTDC two connections to the other two DCs were added automatically for replication. This can be done manually, but right after finishing the AD Sites and Services setup, replication connections are added automatically based on bandwidth and the site link objects; the component responsible for this is the KCC (Knowledge Consistency Checker). By default, the KCC reviews and modifies the Active Directory replication topology every 15 minutes to ensure that data is kept up to date, either directly or transitively, by creating and deleting connection objects as needed. The KCC recognizes changes that occur in the environment and ensures that domain controllers are not orphaned in the replication topology.
The 15-minute interval can be changed through the "Repl topology update period (secs)" entry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters:
Value: Number of seconds between KCC topology updates
Default: 900 seconds (15 minutes)
Data type: REG_DWORD
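As an added example (not part of the original post), this PowerShell function reads the KCC interval from the registry key above on one or more DCs and reports whether the default of 900 seconds is in effect. A missing value means the default applies; a non-default value is worth knowing about when replication convergence looks slower or faster than expected. Remote DC names are placeholders, and querying a remote DC assumes WinRM is enabled on it.

```powershell
# Added example: audit the KCC topology update interval on one or more DCs.
# Key and value name are the ones named in the post; 900 seconds is the default.
function Get-KccTopologyInterval {
    param(
        # Defaults to the local machine; pass DC names to query remotely (placeholders).
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $regValue = 'Repl topology update period (secs)'
    $default  = 900

    # Reads the value and returns $null when it has never been set.
    $reader = {
        param($p, $v)
        $item = Get-ItemProperty -Path $p -Name $v -ErrorAction SilentlyContinue
        if ($null -ne $item) { [int]$item.$v } else { $null }
    }

    foreach ($dc in $ComputerName) {
        if ($dc -eq $env:COMPUTERNAME) {
            $seconds = & $reader $regPath $regValue
        } else {
            # Remote query; requires WinRM on the target DC.
            $seconds = Invoke-Command -ComputerName $dc -ScriptBlock $reader -ArgumentList $regPath, $regValue
        }

        $effective = if ($null -eq $seconds) { $default } else { $seconds }
        $source    = if ($null -eq $seconds) { 'default (value not set)' } else { 'registry' }

        [pscustomobject]@{
            DomainController = $dc
            IntervalSeconds  = $effective
            IntervalMinutes  = [math]::Round($effective / 60, 1)
            Source           = $source
            IsDefault        = ($effective -eq $default)
        }
    }
}

# Local check; for several DCs: Get-KccTopologyInterval -ComputerName ROOTDC, CHILDDC
Get-KccTopologyInterval | Format-Table -AutoSize
```

Rows with IsDefault = False are the ones to compare against your change records; the interval only affects how often the KCC recomputes the topology, not how often data itself replicates across a site link.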

Tools to check replication:
In 2003, to check replication status and troubleshoot, you need to install the Support Tools from the ISO (under the Support folder). All tools are installed in Program Files under the Support Tools folder; there you get repadmin and replmon, which give you a better understanding of replication.
In 2012, to check replication status you run this command:
repadmin /showrepl <servername> /u:<domainname>\<username> /pw:*
and there is a command which helps you understand the replication topology of the forest in much more depth:
repadmin /showrepl * /csv >showrepl.csv

In 2008 there is a tool, AD Replication Monitor, from which you can check and schedule replication checks for the forest; it gives you excellent data with exact details and error codes, which helps admins troubleshoot.
The CSV command above gives you output with the details below; now imagine what that data is. I can get all the details of domain hostname, site name, replication status and failure reason, and for an architect it's very useful for understanding and designing the AD network.
There is another tool from MS, Active Directory Topology Diagrammer, which gives you a clear picture of your current environment. Once you run this tool on your environment it takes more than 30 minutes (depending on your environment), and you can save the result as XPS, PDF or image.


Here are some common event IDs generated during replication issues:
Event ID 1388: Inbound replication of lingering objects
Event ID 1988: Inbound replication of the directory partition of the lingering object has been blocked on the destination domain controller
Event ID 8606: Insufficient attributes were given to create an object
Event ID 8456 or 8457: The source | destination server is currently rejecting replication requests
Error ID 8453: Replication access was denied
Event ID 1722: The RPC server is unavailable
Event IDs 1388 and 2042: Replication lingering object problems
Event IDs 1925, 2087, 2088: Replication DNS lookup problems
Event ID 1925: Replication connectivity problems
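The CSV output from repadmin /showrepl * /csv and the error list above fit together: the "Last Failure Status" column carries the same numeric codes (8453, 8456, 8457, 1722) that the list explains. The following PowerShell is an added example, not from the original post, that turns that CSV into objects and flags failing partners. The sample CSV is constructed in the column layout repadmin writes (the column names are assumed to match what your version produces; check the first line of your own output), and the DC and site names in it are made up.

```powershell
# Added example: summarise repadmin /showrepl /csv output and name known failure codes.
# Constructed sample in repadmin's CSV layout; DC/site names are placeholders.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,ROOTDC,"DC=lab,DC=local",Default-First-Site-Name,DC3,RPC,0,0,2016-09-28 09:45:12,0
showrepl_INFO,Default-First-Site-Name,ROOTDC,"DC=child,DC=lab,DC=local",Branch-Site,CHILDDC,RPC,3,2016-09-28 09:30:02,2016-09-27 22:10:44,8453
showrepl_INFO,Branch-Site,CHILDDC,"CN=Configuration,DC=lab,DC=local",Default-First-Site-Name,ROOTDC,RPC,1,2016-09-28 09:50:07,2016-09-28 09:35:00,1722
'@

# Codes and descriptions taken from the event/error list in this post.
$knownCodes = @{
    8453 = 'Replication access was denied'
    8456 = 'The source server is currently rejecting replication requests'
    8457 = 'The destination server is currently rejecting replication requests'
    1722 = 'The RPC server is unavailable'
}

function Get-ReplicationSummary {
    param(
        # Raw CSV text; defaults to the constructed sample.
        # Live use: Get-ReplicationSummary -CsvText (repadmin /showrepl * /csv | Out-String)
        [string]$CsvText = $sampleCsv
    )
    $rows = $CsvText -split "`r?`n" | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($r in $rows) {
        $failures = [int]$r.'Number of Failures'
        $status   = [int]$r.'Last Failure Status'
        if ($failures -eq 0)                     { $meaning = 'OK' }
        elseif ($knownCodes.ContainsKey($status)) { $meaning = $knownCodes[$status] }
        else                                      { $meaning = "error $status (not in the list above)" }

        [pscustomobject]@{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            SourceSite    = $r.'Source DSA Site'
            NamingContext = $r.'Naming Context'
            Failures      = $failures
            LastSuccess   = $r.'Last Success Time'
            Status        = $status
            Meaning       = $meaning
        }
    }
}

# Failing inbound links, worst first.
Get-ReplicationSummary | Where-Object Failures -gt 0 |
    Sort-Object Failures -Descending |
    Format-Table Destination, Source, SourceSite, Failures, Status, Meaning -AutoSize

# How many failing links point at each source DC; one DC with many rows is the place to start.
Get-ReplicationSummary | Where-Object Failures -gt 0 |
    Group-Object Source | Select-Object Name, Count
```

Keeping the Last Success Time column in the output matters: a partner with failures but a recent success is a transient problem, while one whose last success is days old is heading towards the lingering-object events (1388, 1988, 2042) once the tombstone lifetime is exceeded.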
  
There are lots of these in AD; I will be updating as and when I receive them. I am sure once you start digging into AD replication you will find lots of things, and it's very interesting, but sometimes it bores me because of the headache :). At that time I just leave it.
Another option here is IP and Subnet, which is for placing a DC within its IP range, postal code or region. It is not restricted to networking; it is created only to understand and manage which DC belongs to which site/network/subnet.

Ports required for AD replication:
Service        UDP    TCP
LDAP           389    389
LDAP                  636
LDAP                  3268
Kerberos       88     88
DNS            53     53
SMB over IP    445    445
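As an added example (not from the original post), this PowerShell function checks that the TCP ports from the table above are reachable on a replication partner from the machine you run it on. Test-NetConnection (Windows 8.1 / Server 2012 R2 and later) tests TCP only, so the UDP entries in the table are not covered by it. The DC name used in the usage line is a placeholder.

```powershell
# Added example: verify the TCP ports listed in the post's table against one DC.
function Test-ReplicationPorts {
    param(
        [Parameter(Mandatory)] [string]$DomainController   # placeholder name when called below
    )

    # Service names and TCP ports exactly as listed in the table above;
    # keys are made unique because the table lists LDAP three times.
    $ports = [ordered]@{
        'LDAP'        = 389
        'LDAP (636)'  = 636
        'LDAP (3268)' = 3268
        'Kerberos'    = 88
        'DNS'         = 53
        'SMB over IP' = 445
    }

    foreach ($entry in $ports.GetEnumerator()) {
        # TCP connect test only; UDP 389/88/53/445 from the table are not checked here.
        $result = Test-NetConnection -ComputerName $DomainController -Port $entry.Value -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $DomainController
            Service          = $entry.Key
            TcpPort          = $entry.Value
            Reachable        = $result.TcpTestSucceeded
            RemoteAddress    = $result.RemoteAddress
        }
    }
}

Test-ReplicationPorts -DomainController 'CHILDDC' | Format-Table -AutoSize
```

A row with Reachable = False is a firewall or stopped-service problem on the path between the two DCs; fix that before reading the replication error codes, since 1722 (RPC server unavailable) is what you will see when these ports are blocked.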

From here you can see or change which server is working as a Global Catalog.

Here it shows the connections from and to which replication is happening.

Here it shows the number of updated objects. The USN (update sequence number) refers to what the starting object was and what the latest one is.

The two images above, with a single site and with multiple replication sites, will raise lots of questions about AD scenarios. Start brainstorming and raise questions about what, how and what-if. Let me know if you have any question; we are here to assist you. I will be updating the next document on what happens if there is a difference in policy and objects between all the domain controllers. It's a very interesting activity. I love this.


Don't let your zeal to learn and earn go to sleep.