Tag Archive: replication


How to Troubleshoot Active Directory Replication Issues

The previous article (https://itworldjd.wordpress.com/2018/04/02/troubleshooting-ad-replications/) explained the methodology for troubleshooting AD replication.

This second article takes a deep dive into REPADMIN.exe, the best-known out-of-the-box AD utility.

Running this utility as a Domain Administrator or Enterprise Administrator is recommended.

repadmin /replsummary /bydest

The above command summarizes the replication status for all domain controllers, grouped by replication destination. With this parameter the source domain controller is not displayed.

repadmin /replsummary /bysrc

The above command summarizes the replication status for all domain controllers, grouped by replication source. With this parameter the destination domain controller is not displayed.

repadmin /showrepl serverdc1.mydomain.com

The above command shows the replication partners of serverdc1.mydomain.com and the status of the last sync attempt.

repadmin /showrepl /errorsonly

The above command lists only the replication partners that have replication errors (the last sync attempt failed).

We can also view the results in CSV format.

repadmin /showrepl /csv
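The CSV form is the easiest one to filter in a script. The following is an added example, not part of the original article: it parses showrepl CSV and reports links that have failures or whose last successful sync is older than a threshold. The sample rows are constructed, and the timestamp format, the 24-hour threshold and the function name Get-ReplicationProblem are assumptions.

```powershell
# Constructed sample of showrepl CSV output (not taken from a real forest).
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,SERVERDC1,"DC=mydomain,DC=com",Default-First-Site-Name,SERVERPDC1,RPC,0,0,2018-04-02 09:15:02,0
showrepl_INFO,Default-First-Site-Name,SERVERPDC1,"DC=mydomain,DC=com",Default-First-Site-Name,SERVERDC1,RPC,14,2018-04-02 09:10:41,2018-03-30 22:01:17,1722
'@

# Hypothetical helper: returns one object per replication link that needs attention.
function Get-ReplicationProblem {
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        [datetime] $Now = (Get-Date),
        [int] $MaxAgeHours = 24   # assumed staleness threshold; tune to the site topology
    )
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $reasons = @()
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            # Rows of any other type are not interpreted here, only surfaced.
            $reasons += "row type $($row.showrepl_COLUMNS): review manually"
        } else {
            if ([int]$row.'Number of Failures' -gt 0) {
                $reasons += "$($row.'Number of Failures') consecutive failures, last status $($row.'Last Failure Status')"
            }
            $last = [datetime]::MinValue
            if (-not [datetime]::TryParse($row.'Last Success Time', [ref]$last)) {
                $reasons += 'no recorded successful sync'
            } elseif (($Now - $last).TotalHours -gt $MaxAgeHours) {
                $reasons += ('last success {0:N0} h ago' -f ($Now - $last).TotalHours)
            }
        }
        if ($reasons) {
            [pscustomobject]@{
                Destination = $row.'Destination DSA'
                Source      = $row.'Source DSA'
                Partition   = $row.'Naming Context'
                Problem     = $reasons -join '; '
            }
        }
    }
}

# Fixed -Now so the constructed sample gives the same result on every run.
Get-ReplicationProblem -CsvText $sampleCsv -Now ([datetime]'2018-04-02 10:00:00') |
    Format-Table -AutoSize -Wrap
```

On a domain controller, pass the live output instead of the sample: `-CsvText ((repadmin /showrepl /csv) -join "`n")`. A link that stays stale delays password changes, account disablement and group membership changes on the lagging DC, so it is worth alerting on.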

repadmin /syncall serverdc1 dc=mydomain,dc=com

The above command initiates synchronization of the domain directory partition with all replication partners of serverdc1.

It also reports any issues encountered while doing so.

repadmin /queue

The above command shows whether there are any unprocessed inbound replication requests. If the system keeps queuing requests, it can be due to a high number of AD changes, a system resource issue, or too many replication partners.

repadmin /showchanges serverpdc1 e4f89917-5fff-40a8-scc2-b148b60d9359 dc=mydomain,dc=com

The above command lists the changes that have not been replicated between serverpdc1 and serverdc1. Here serverdc1 is the source server, and it is specified by its object GUID.
  
repadmin /replicate serverdc1 serverpdc1 dc=mydomain,dc=com

The above command initiates immediate replication of the directory partition from serverpdc1 to serverdc1.

Apart from repadmin, there are PowerShell cmdlets that we can use to troubleshoot replication issues. Get-ADReplicationFailure is one of them; it collects data about replication failures.

Get-ADReplicationFailure -Target serverdc1

The above command collects information about replication failures associated with serverdc1.
This can also be done for multiple servers.

Get-ADReplicationFailure -Target serverdc1,serverpdc1

Further, we can target all the domain controllers in the domain.

Get-ADReplicationFailure -Target "mydomain.com" -Scope Domain

Or even the entire forest:

Get-ADReplicationFailure -Target "mydomain.com" -Scope Forest

The Get-ADReplicationConnection cmdlet lists replication partner details for a given domain controller.

Get-ADReplicationConnection -Filter *

The above command lists all replication connections for the domain controller you are logged in to.

We can also filter the replication connections based on their attributes.

Get-ADReplicationConnection -Filter {ReplicateToDirectoryServer -eq "serverdc1"}

The above command lists the replication connections that have serverdc1 as the destination server.
We can also force an object to sync between domain controllers.

Sync-ADObject -object "foo" -source serverdc1 -destination serverpdc1

The above command syncs the user object foo from serverdc1 to serverpdc1.


Symptom:

You configure a logon script with a Group Policy object. In a multiple domain controller environment, this change requires that Active Directory and the Sysvol replicate this change to all the domain controllers. Before both Active Directory and Sysvol are fully replicated, a user logs on to the system and is authenticated by a domain controller that is not fully replicated, and the user experiences unexpected behavior.

Possible Causes:

  • In a multiple domain controller environment, changes to Active Directory have not yet completed replication.
  • In a multiple domain controller environment, changes to the Sysvol have not yet completed replication.

Diagnostic Tests:

Open Event Viewer (EventVwr) and look for traces of FRS or DFS-R errors (the dcdiag utility can also be used).

Run Netdiag.exe to check client network configuration and that DNS is configured and working correctly.

If the user has a roaming user profile, verify that he or she correctly receives the roaming user profile at logon.

Run Gpresult.exe to see if any Group Policy Settings are applied. If no Group Policy settings are applied, see “No Group Policy Objects Are Applied” later in this chapter.

To check the status of Active Directory and Sysvol replication on each server:

  1. Run Gpotool.exe to check the number of unique Group Policy objects available on the network, and the status of each of these Group Policy objects on each domain controller. The status output from Gpotool.exe indicates all necessary information to diagnose if Active Directory and Sysvol are synchronized for each domain controller that you can connect to.
  2. If you find that Sysvol is not synchronized between two domain controllers, place any text file on the Sysvol of one of the domain controllers. Confirm that it is replicated to the other domain controllers. If this fails, check the network connectivity between the domain controllers.
  3. If Active Directory is not synchronized between domain controllers, run Active Directory Replication Monitor (Replmon.exe), which can provide additional information about the state of Active Directory synchronization, and provide assistance in resolving the problem.
  4. If you are considering SCOM, install the DFS Management pack to monitor DFS replication status.
  5. If you are using Win 2008 R2 based DFS-R, consider the DFSRDIAG.exe utility to monitor replication status: http://blogs.technet.com/b/filecab/archive/2009/05/28/dfsrdiag-exe-replicationstate-what-s-dfsr-up-to.aspx
  6. You can also use dcdiag /test:frsevent (W2k3 DCs) and dcdiag /test:dfsrevent (W2k8R2 or greater) to test whether there are any operation errors.
  7. On a W2k3 based DC: check whether a fixed FRS port is set in the registry (HKLM\system\currentcontrolset\services\NTFRS\parameters) on all DCs and whether the values are identical.
  8. On a W2k8R2 or greater based DC: check whether a fixed DFSR port is set on all DCs (use DFSRDiag dumpmachinecfg to identify the static port) and whether the values are identical.
  9. DFSRDiag, the most useful commands: http://www.monbloginfo.com/2011/03/02/dfsr-les-commandes-les-plus-utiles/
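The comparison in step 1 comes down to version numbers: each GPO has a versionNumber attribute in Active Directory and a Version= line in GPT.ini on Sysvol, and the two should match on every domain controller. The following is an added example, not part of the original article, that runs this check over constructed per-DC data; the GUID is a placeholder and the names Split-GpoVersion and Test-GpoVersionSync are hypothetical.

```powershell
# Constructed per-DC data: the GPO's versionNumber as read from each DC's copy of
# Active Directory, and the text of GPT.ini from the same DC's Sysvol share.
$gpoGuid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real GPO
$perDc = @(
    [pscustomobject]@{ DC = 'serverdc1';  AdVersion = 196613; GptIni = "[General]`r`nVersion=196613`r`n" }
    [pscustomobject]@{ DC = 'serverpdc1'; AdVersion = 196613; GptIni = "[General]`r`nVersion=196612`r`n" }
)

function Split-GpoVersion([int] $Version) {
    # High 16 bits: user-settings revision. Low 16 bits: computer-settings revision.
    '{0}/{1}' -f (($Version -shr 16) -band 0xFFFF), ($Version -band 0xFFFF)
}

function Test-GpoVersionSync {
    param([Parameter(Mandatory)] [object[]] $Record)
    # The highest AD version seen on any DC is taken as the current one.
    $newestAd = [int]($Record | Measure-Object -Property AdVersion -Maximum).Maximum
    foreach ($r in $Record) {
        $sysvol = $null
        if ($r.GptIni -match '(?im)^\s*Version\s*=\s*(\d+)\s*$') { $sysvol = [int]$Matches[1] }

        if ($null -eq $sysvol) {
            $state = 'GPT.ini missing or unreadable'
        } elseif ($sysvol -ne $r.AdVersion) {
            $state = 'Sysvol and AD differ on this DC'
        } elseif ($r.AdVersion -ne $newestAd) {
            $state = 'AD copy is behind other DCs'
        } else {
            $state = 'in sync'
        }
        [pscustomobject]@{
            DC             = $r.DC
            AdUserComputer = Split-GpoVersion $r.AdVersion
            SysvolUserComp = if ($null -ne $sysvol) { Split-GpoVersion $sysvol } else { 'n/a' }
            State          = $state
        }
    }
}

"GPO $gpoGuid"
Test-GpoVersionSync -Record $perDc | Format-Table -AutoSize
```

In the constructed data serverpdc1 still holds the older computer-settings revision in Sysvol, which is the state in which a user authenticated by that DC would receive the previous logon script.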

DFS Replication dirty shutdown recovery process. Related system event log entries, e.g. Event ID 2212, refer to the same event as “unexpected shutdown”.

Sometimes the database and the file system can get out of sync, for example after an abrupt power loss on the server or if the DFSR service was stopped abnormally for any reason. Another example is when the volume hosting a replicated folder loses power, gets disconnected, or is forced to dismount. These exception conditions result in an unexpected shutdown of the DFSR database, as any of them can cause inconsistencies between the database and the file system. DFSR is designed to recover automatically from these situations starting with Windows Server 2008, and this behavior continued through Windows Server 2008 R2.

Technet blog: http://blogs.technet.com/b/filecab/archive/2012/07/23/understanding-dfsr-dirty-unexpected-shutdown-recovery.aspx

Article: http://support.microsoft.com/kb/2846759