Repadmin. Repadmin.exe, a command-line tool that you'll find on the Win2K Server CD-ROM, will probably be the hammer in your replication toolbelt. This tool's commands can reveal replication's inner workings and help you troubleshoot and repair problems. To view all your Repadmin command-line options, type
repadmin /?
One particularly helpful use of Repadmin is to show a DC's replication partners. To do so, type
repadmin /showreps <server DNS name>
Figure 3 shows the results of running this command against a DC called testdc01. You can see that testdc01 has inbound connection objects from testdc02 for the Schema, Configuration, and testdomain.com NCs. Figure 3 also shows that the most recent attempts to replicate each of these NCs occurred on June 3 at various times and that each attempt was successful. The bottom half of the screen shows the outbound replication neighbors to which testdc01 will send replication notifications when it has directory data to replicate.
You can also use Repadmin to view detailed information about a particular object in AD. Suppose you want to see an object's local USN and the source of the most recent update to the object's properties. To do so, you can use Repadmin to reveal that object's metadata:
repadmin /showmeta <objectDN> <server DNS name>
For example, to show the metadata for the administrator account in testdomain.com, you would type
repadmin /showmeta "CN=administrator,OU=users,dc=testdomain,dc=com" testdc01.testdomain.com
Figure 4 shows the results of this query. In the far-right column, you can see each of the attributes that make up the Administrator user. In the far-left column, you can see each attribute's local USN. Notice that the nTSecurityDe and adminCount attributes have a higher local USN than the other attributes do. This higher number indicates that these attributes' values have changed more recently than the others.
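The following is an added example, not part of the original article: a small Python parser for saved repadmin /showmeta output that lists the attributes whose local USN is above the object's baseline, newest first, together with the DC on which each change originated. The column layout is an assumption and the sample rows are constructed for illustration; they are not copied from Figure 4.

```python
import re

# Constructed sample in the column layout repadmin /showmeta prints (layout assumed;
# values invented for illustration, not copied from the article's Figure 4).
SAMPLE = """\
Loc.USN                  Originating DSA   Org.USN  Org.Time/Date        Ver Attribute
=======                  ===============  ========= =============        === =========
   1410      Default-First-Site\\TESTDC01      1410 2000-05-20 09:12:44    1 objectClass
   1410      Default-First-Site\\TESTDC01      1410 2000-05-20 09:12:44    1 cn
   1410      Default-First-Site\\TESTDC01      1410 2000-05-20 09:12:44    1 sAMAccountName
   5873      Default-First-Site\\TESTDC02      4102 2000-06-03 14:31:07    3 nTSecurityDescriptor
   5874      Default-First-Site\\TESTDC02      4103 2000-06-03 14:31:07    2 adminCount
"""

# One attribute row: local USN, originating DSA, originating USN, timestamp, version, name.
ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>\S.*?)\s+(?P<org_usn>\d+)\s+"
    r"(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)

def parse_showmeta(text):
    """Return one dict per attribute row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            row = m.groupdict()
            for key in ("loc_usn", "org_usn", "ver"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def changed_since_baseline(rows):
    """Rows whose local USN exceeds the object's lowest local USN, newest first."""
    if not rows:
        return []
    baseline = min(r["loc_usn"] for r in rows)
    later = [r for r in rows if r["loc_usn"] > baseline]
    return sorted(later, key=lambda r: r["loc_usn"], reverse=True)

if __name__ == "__main__":
    for r in changed_since_baseline(parse_showmeta(SAMPLE)):
        print(f'{r["attr"]:<22} locUSN={r["loc_usn"]} ver={r["ver"]} '
              f'originated on {r["dsa"]} at {r["when"]}')
```

Comparing the same report across saved captures over time shows when security-relevant attributes such as the security descriptor changed and which DC the write came from.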
Group Policy Verification. Gpotool.exe, a command-line resource kit tool, can help you troubleshoot the replication of Group Policy Objects (GPOs) between DCs. For more information about GPO replication, see the sidebar "Win2K's File Replication Service."
Directory Service Agent Statistics. Dsastat.exe, a command-line tool included on the Win2K Server CD-ROM, compares and reports differences between directory NCs on DCs. This tool is handy when replication appears to be working but you see different views of directory data on different DCs. Such an occurrence might mean that the database is corrupted. Dsastat provides high-level data-consistency information by comparing directory statistics such as objects per server, bytes per server, and bytes per object between two DCs.
Patience Is a Virtue
Even in the smallest environments, AD requires attention and expertise. If you take the time to understand how replication works, you'll have a significant advantage when you need to address AD problems. If you work for a large company that has many sites, the best troubleshooting advice I can give you is this: Be patient. Remember that AD operates in a multimaster fashion. When you make a change on one DC, that change might take hours to propagate to the other DCs in the forest. When you focus on a problem, try to make one change at a time, document that change, and give AD enough time to replicate and respond to the modification.