Windows Server 2003 : Active Directory - Understanding Directory Replication (part 3) - Spanning Trees and Site Links

9/18/2012 7:21:42 PM

6. Managing Replication Using REPADMIN

Replication Administrator, or REPADMIN, is a command-line utility that can control a lot of aspects and behaviors of Active Directory replication. In case you're wondering why you've never seen the utility, REPADMIN is part of the Windows Server 2003 Resource Kit Tools—not the standard kit—and you can find it on the distribution CD within the SUPPTOOLS.MSI installer file in the \SUPPORT\TOOLS folder.

6.1. Running the KCC

The KCC detects the network environment and adjusts the structure of replication partners among domain controllers. It does this by default every 15 minutes, but if you want it to update earlier, you can trigger the KCC manually from the command line by running repadmin /kcc.

6.2. Viewing up-to-date vectors

On production machines, you can view the up-to-date vectors on a particular machine using REPADMIN. From a command line, run repadmin /showutdvec servername <LDAP-naming-context>. To fill in the latter part of the command, take the DNS name of your domain, split it at the dots, put "DC=" in front of each part, and join the parts with commas. For example, for a domain whose naming context is DC=jonathanhassell,DC=com, my REPADMIN command looking at a machine named SERVER1 would be:

    repadmin /showutdvec server1 dc=jonathanhassell,dc=com

A sample result looks like the following:

    Caching GUIDs.
    Default-First-Site-Name\SERVER3 @ USN 8404 @ Time 2004-06-10 12:24:30
    Default-First-Site-Name\SERVER2 @ USN 8038 @ Time 2004-06-10 11:12:57
    Default-First-Site-Name\SERVER1 @ USN 9374 @ Time 2004-06-10 12:27:23

Of course, the numbers after the USN constitute the up-to-date vector for each listed domain controller.
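As an added example that is not part of the original article, the following Python parses /showutdvec output in the format shown above and compares the vectors reported by two domain controllers, so you can see which originating DC's changes the second machine has not yet received. The two output blocks are constructed samples, not captures from a real forest.

```python
import re
from datetime import datetime

# Constructed sample: what SERVER1 reports for the naming context.
UTDVEC_SERVER1 = """\
Caching GUIDs.
Default-First-Site-Name\\SERVER3 @ USN 8404 @ Time 2004-06-10 12:24:30
Default-First-Site-Name\\SERVER2 @ USN 8038 @ Time 2004-06-10 11:12:57
Default-First-Site-Name\\SERVER1 @ USN 9374 @ Time 2004-06-10 12:27:23
"""

# Constructed sample: what SERVER2 reports. It is behind on SERVER1's changes.
UTDVEC_SERVER2 = """\
Caching GUIDs.
Default-First-Site-Name\\SERVER3 @ USN 8404 @ Time 2004-06-10 12:24:30
Default-First-Site-Name\\SERVER2 @ USN 8051 @ Time 2004-06-10 12:30:02
Default-First-Site-Name\\SERVER1 @ USN 9102 @ Time 2004-06-10 12:01:45
"""

# One vector line: <site>\<dc> @ USN <n> @ Time <date> <time>
LINE_RE = re.compile(
    r"^(?P<site>[^\\]+)\\(?P<dc>\S+) @ USN (?P<usn>\d+) @ Time (?P<time>\S+ \S+)$"
)


def parse_utdvec(text):
    """Return {dc_name: (usn, timestamp)} from repadmin /showutdvec output."""
    vec = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips "Caching GUIDs." and any other chatter
        stamp = datetime.strptime(m.group("time"), "%Y-%m-%d %H:%M:%S")
        vec[m.group("dc")] = (int(m.group("usn")), stamp)
    return vec


def replication_lag(local, remote):
    """For each originating DC, how many USNs remote is behind local (0 if caught up).

    A persistent non-zero lag for one originating DC is the thing to investigate:
    it means the remote partner is not receiving that DC's changes.
    """
    lag = {}
    for dc, (usn, _) in local.items():
        remote_usn = remote.get(dc, (0, None))[0]
        lag[dc] = max(0, usn - remote_usn)
    return lag
```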

6.3. Viewing replication partners

REPADMIN gives you a way to view replication partners outside of the GUI method discussed earlier in this section. Use the command repadmin /showrepl servername <LDAP-naming-context> to do so. For example:

    repadmin /showrepl server1 dc=jonathanhassell,dc=com

6.4. Viewing highest USNs

By simply adding the /verbose switch to the command to view replication partners, you can see what the current server thinks is the highest USN for each partner. For example:

    repadmin /showrepl /verbose server1 dc=jonathanhassell,dc=com

For each replication partner, the number before the /OU indicator is the highest USN from that particular partner that the current server has encountered.

6.5. Pressing the "Big Red Button"

If you want to replicate now, not later, you can use one of two options with REPADMIN. To force replication between any two domain controllers, use the command repadmin /replicate targetcomputer sourcecomputer <LDAP-naming-context>. For example, to force replication from SERVER3 to SERVER2, issue this command:

    repadmin /replicate server2 server3 dc=jonathanhassell,dc=com

To initiate replication with all partners, use repadmin /syncall servername <LDAP-naming-context>. So, if I wanted to force replication among all of SERVER2's partners in the domain, I'd use the following command:

    repadmin /syncall server2 dc=jonathanhassell,dc=com

7. Among Sites: Spanning Trees and Site Links

Although Active Directory uses loops and meshes to create and manage replication topologies within a particular site, using that many links across an expensive WAN connection can cost you dearly as well as take a lot of time. For that reason, when Active Directory replicates between sites, it uses a minimal spanning tree—in other words, a tree with as few branches as possible to span the link between multiple sites.

Let's use an example environment, with two servers in a site called MAIN (representing the headquarters in Charlotte) and a single domain controller in another site, called WEST (located in San Francisco). Recall that the KCC facility creates replication topologies within sites automatically—you, the administrator, do not have to intervene. Replication between sites isn't as simple; Active Directory needs to know several things about your individual sites before it can figure out how to replicate traffic among them.

7.1. Site links

By creating site links, you give Active Directory three key pieces of information it needs to know before it can determine the most efficient way to force replication traffic across your sites:

  • Which connection, if there are more than one, to use for replication to the destination site

  • The persistency of that connection

  • How the replication should take place—either using RPC in real time, or through SMTP

Let's discuss the third bit of information first: Active Directory will allow you to create links over IP (using RPC calls) or via SMTP for less reliable or less secure connections. Unfortunately, SMTP-based site links are extremely limited in functionality. For one, SMTP links will only transfer updates to the forest schema naming context and configuration naming context; they will not replicate domain naming context updates across sites. Also, you need a secure mail server, hardened against outside interception using encryption and certificates, to transfer even that bit of information. For these reasons, the vast majority of site links you create will be IP-based links.

Returning to our example, let's create a site link between MAIN and WEST. To do so, follow these steps:

  1. Open Active Directory Sites and Services.

  2. Expand the MAIN node in the left pane, and then expand the Inter-Site Transports folder.

  3. Right-click IP, and select Site Link from the New menu.

  4. The screen in Figure 3 appears.

  5. Enter a friendly name for the site link in the Name box.

  6. Choose the sites you want to include in this link. A link must include two or more sites, and you can shift sites back and forth using the Add and Remove buttons in the middle of the screen. For our purposes, make sure MAIN and WEST are in the box labeled Sites in this site link. Click OK.

To further configure the site link, right-click the new link in the IP folder of the left pane of Active Directory Sites and Services. Choose Properties, and the screen in Figure 4 will appear.

This screen contains three critical items. First, the Cost field allows you to determine a cost quotient—in essence, an index of the expense of using a connection—for each site link you create. If you have more than one site link, Active Directory will choose the lowest-cost link to perform the replication. Unfortunately, Microsoft doesn't give you much guidance on how to arrive at your cost quotient figure; I recommend taking into account the base link cost, rates for prime and overnight periods, traffic limits, and link availability. Second, the Replicate every box allows you to specify how often Active Directory will attempt to initiate replication over this specific site link. You can set the shortest replication interval to 15 minutes, and there is no functional maximum value (although all Active Directory sites must replicate at least once every 60 days). Click the Change Schedule button to see the screen depicted in Figure 5.

Figure 3. Configuring a new site link

Use the mouse to select the hours during which the link will not be available; Active Directory will use this information and not even attempt replication during that time period. Click OK to exit that dialog box, and then click OK to finish configuring the link.

Once you have specified the information for the site link, the inter-site counterpart of the KCC, called the Inter-Site Topology Generator (ISTG), will begin developing the minimal spanning tree needed to pass replication traffic among sites.
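To illustrate the lowest-cost selection described in this section, here is an added example (not code from the article) that takes a table of site links with their Cost values and keeps the cheapest set of links that still connects every site without a loop, which is what a minimal spanning tree is. The sites EAST and SOUTH and all the cost figures are constructed; the code models only the cost rule from the text, not every rule the real ISTG applies.

```python
# Constructed site-link table: (cost, site_a, site_b). The MAIN/WEST link is the
# one from the text; the other three links and all costs are hypothetical.
SITE_LINKS = [
    (100, "MAIN", "WEST"),
    (50, "MAIN", "EAST"),
    (200, "WEST", "EAST"),   # redundant, expensive path between two spokes
    (150, "EAST", "SOUTH"),
]


def _find(parent, site):
    """Find the representative of the connected group containing site."""
    while parent[site] != site:
        parent[site] = parent[parent[site]]  # path compression
        site = parent[site]
    return site


def least_cost_tree(links):
    """Kruskal's algorithm over site links: walk links cheapest first and keep a link
    only if it joins two sites that are not yet connected. Returns the kept links."""
    parent = {}
    for _, a, b in links:
        parent.setdefault(a, a)
        parent.setdefault(b, b)
    chosen = []
    for cost, a, b in sorted(links):
        ra, rb = _find(parent, a), _find(parent, b)
        if ra != rb:           # different groups: this link is the cheapest bridge
            parent[ra] = rb
            chosen.append((cost, a, b))
    return chosen


def unused_links(links):
    """Links that exist but carry no replication traffic under the cost rule."""
    return sorted(set(links) - set(least_cost_tree(links)))


def total_cost(links):
    """Sum of the Cost values on the links the tree actually uses."""
    return sum(cost for cost, _, _ in least_cost_tree(links))
```

Raising the cost of the MAIN/WEST link above 200 would make the WEST/EAST link the chosen path to WEST instead, which is the lever an administrator pulls when one WAN circuit should be preferred over another.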

And that's a basic but thorough treatment of Active Directory replication.

Figure 4. Setting the properties of a site link

Figure 5. Changing the schedule for a site link