Active Directory 2008 : Configuring Replication (part 3) - Configuring Intersite Replication, Monitoring Replication

7. Configuring Intersite Replication

After you have created site links and the ISTG has generated connection objects to replicate partitions between bridgehead servers that share a site link, your work might be complete. In many environments, particularly those with straightforward network topologies, site links might be sufficient to manage intersite replication. In more complex networks, however, you can configure additional components and properties of replication.

Site Link Transitivity

By default, site links are transitive. That means, continuing the example from earlier, that if Amsterdam and Headquarters sites are linked, and Headquarters and Seattle sites are linked, then Amsterdam and Seattle are transitively linked. This means, theoretically, that the ISTG could create a connection object directly between a bridgehead in Seattle and a bridgehead in Amsterdam, again working at odds with the hub-and-spoke network topology.

You can disable site link transitivity by opening the properties of the IP transport in the Inter-Site Transports container and clearing the Bridge All Site Links option.

Site Link Bridges

A site link bridge connects two or more site links in a way that creates a transitive link. Site link bridges are necessary only when you have cleared the Bridge All Site Links option for the transport protocol. Remember that site link transitivity is enabled by default, in which case, site link bridges have no effect.

Figure 5 illustrates the use of a site link bridge in a forest in which site link transitivity has been disabled. By creating a site link bridge, AMS-HQ-SEA, that includes the HQ-AMS and HQ-SEA site links, those two site links become transitive, so a replication connection can be made between a domain controller in Amsterdam and a domain controller in Seattle.

Figure 5. A site link bridge that includes the HQ-AMS and HQ-SEA site links

Site Link Costs

Site link costs are used to manage the flow of replication traffic when there is more than one route for replication traffic. You can configure site link cost to indicate that a link is faster, more reliable, or preferred. Higher costs are used for slow links, and lower costs are used for fast links. Active Directory replicates using the connection with the lowest cost.

By default, all site links are configured with a cost of 100. To change the site link cost, open the properties of a site link and change the value in the Cost box, shown in Figure 6.

Figure 6. The properties of a site link

Returning to the example used earlier in the lesson, imagine that a site link was created between the Amsterdam and Beijing sites, as shown in Figure 7. Such a site link could be configured to allow replication between domain controllers in those two sites in the event that the links to the headquarters become unavailable. You might want to configure such a topology as part of a disaster recovery plan, for example.

With the default site link cost of 100 assigned to the AMS-PEK site link, Active Directory will replicate changes directly between Amsterdam and Beijing. If you configure the site link cost to 300, changes will replicate between Amsterdam and the Headquarters, then between the Headquarters and Beijing at a total cost of 200 rather than directly over the AMS-PEK site link at a cost of 300. This cost configuration is illustrated in Figure 7.

Figure 7. Site links

Replication Frequency

Intersite replication is based only on polling; by default, there is no notification in intersite replication, as there is with intrasite replication. Every three hours, by default, a bridgehead server polls its upstream replication partners to determine whether changes are available. This replication interval is too long for organizations that want changes to the directory to replicate more quickly.

To change the polling interval for a site link:

1. Open the site link’s properties, shown in Figure 6.

2. Change the value in the Replicate Every box.

The minimum polling interval is 15 minutes. With this setting, and using Active Directory’s default replication configuration, a change made to the directory in one site takes on average seven and a half minutes to replicate to domain controllers in another site.

Replication Schedules

By default, replication occurs 24 hours a day. However, you can restrict intersite replication to specific times by changing the schedule attributes of a site link. Open the properties of a site link and click Change Schedule. Using the Schedule For dialog box shown in Figure 8, you can select the times during which the link is available for replication. The link shown in the figure does not replicate between 8:00 A.M. and 6:00 P.M. Monday through Friday.

Figure 8. Site link schedule

You must be careful when scheduling site link availability. It is possible to schedule windows of availability that do not overlap, at which point replication will not happen. It’s generally not recommended to configure link availability. If you do not require link scheduling, you should select the Ignore Schedules option in the properties of the IP transport protocol. This option causes any schedules for site link availability to be ignored, ensuring replication 24 hours a day over all site links.

8. Monitoring Replication

After you have implemented your replication configuration, you must be able to monitor replication for ongoing support, optimization, and troubleshooting. Two tools are particularly useful for reporting and analyzing replication: the Replication Diagnostics tool (Repadmin.exe) and Directory Server Diagnosis (Dcdiag.exe). This lesson introduces you to these powerful tools.

Repadmin.exe

The Replication Diagnostics tool, Repadmin.exe, is a command-line tool that allows you to report the status of replication on each domain controller. The information produced by Repadmin.exe can help you spot a potential problem before it gets out of control and troubleshoot problems with replication in the forest. You can view levels of detail down to the replication metadata for specific objects and attributes, helping you identify where and when a problematic change was made to Active Directory. You can even use Repadmin.exe to create the replication topology and force replication between domain controllers.

Like other command-line tools, you can type repadmin /? to see the usage information for the tool. Its basic syntax is as follows:

repadmin command arguments...

Repadmin.exe supports several commands that perform specific tasks. You can learn about each command by typing repadmin /? :command. Most commands require arguments. Many commands take a DSA_LIST parameter, which is simply a network label (DNS or NetBIOS name or IP address) of a domain controller. Some of the replication monitoring tasks you can perform with Repadmin are:

• Displaying replication status To display the replication of a domain controller, type repadmin /showrepl DSA_LIST.

• Displaying connection objects for a domain controller Type repadmin /showconn DSA_LIST to show the connection objects for a domain controller.

• Displaying metadata about an object, its attributes, and replication You can learn a lot about replication by examining an object on two different domain controllers to find out which attributes have or have not replicated. Type repadmin /showobjmeta DSA_LIST Object, where DSA_LIST indicates the domain controller(s) to query. (You can use an asterisk [*] to indicate all domain controllers.) Object is a unique identifier for the object, its DN, or its GUID, for example.

You can also make changes to your replication infrastructure by using Repadmin.exe. Some of the management tasks you can perform are:

• Launching the KCC Type repadmin /kcc to force the KCC to recalculate the inbound replication topology for the server.

• Forcing replication between two partners You can use Repadmin.exe to force replication of a partition between a source and a target domain controller. Type repadmin /replicate Destination_DSA_Name Source_DSA_Name Naming_Context.

• Synchronizing a domain controller with all replication partners Type repadmin /syncall DSA /A /e to synchronize a domain controller with all its partners, including those in other sites.

Dcdiag.exe

The Directory Service Diagnosis tool, Dcdiag.exe, performs several tests and reports on the overall health of replication and security for AD DS. Run by itself, Dcdiag.exe performs summary tests and reports the results. On the other extreme, Dcdiag.exe /c performs almost every test. The output of tests can be redirected to files of various types, including XML. Type dcdiag /? for full usage information.

You can also specify one or more tests to perform by using dcdiag /test:TestName parameter. Tests that are directly related to replication include:

• FrsEvent Reports any operation errors in the file replication system (FRS).

• DFSREvent Reports any operation errors in the DFS replication (DFS-R) system.

• Intersite Checks for failures that would prevent or delay intersite replication.

• KccEvent Identifies errors in the KCC.

• Replications Checks for timely replication between domain controllers.

• Topology Checks that the replication topology is fully connected for all DSAs.

• VerifyReplicas Verifies that all application directory partitions are fully instantiated on all domain controllers hosting replicas.

Note

REPADMIN.EXE AND DCDIAG.EXE

See the Help & Support Center for more information about Repadmin.exe and Dcdiag.exe.

Practice Configuring Replication

In this practice, you manage intrasite and intersite replication in the contoso.com domain. To perform the exercises in this practice, you must have two domain controllers, SERVER01 and SERVER02, running in the domain.

EXERCISE 1 Create a Connection Object

Configure direct replication between a domain controller that will be a standby operations master and the domain controller that is currently the operations master. As a result, if the current operations master needs to be taken offline, the standby operations master is as up to date as possible with the operations master. In this exercise, you create a connection object between SERVER01 and SERVER02, where SERVER02, the standby operations master, replicates from SERVER01, the current operations master.

1. Log on to SERVER01 as Administrator.

2. Open the Active Directory Sites And Services snap-in.

3. Expand Sites, HEADQUARTERS, Servers, and SERVER02.

4. Select the NTDS Settings node under SERVER02 in the console tree.

5. Right-click NTDS Settings and click New Active Directory Domain Services Connection.

6. In the Find Active Directory Domain Controllers dialog box, select SERVER01 and click OK.

   Because the KCC has already created a connection from SERVER01 to SERVER02, a warning appears asking if you want to create another connection.

7. Click Yes.

8. In the New Object – Connection dialog box, type the name SERVER01 – OPERATIONS MASTER and click OK.

9. Right-click the new connection object in the details pane and click Properties.

10. Examine the properties of the connection object and the partitions that are replicated from SERVER01. Do not make any changes.

11. Click OK to close the Properties dialog box.

12. Because the sample domain has only two DCs, and you will move the server in a later exercise, delete the connection object by right-clicking it and clicking Delete. Confirm the deletion by clicking Yes.

EXERCISE 2 Create Site Links

In this exercise, you create site links between the branch sites and the headquarters site.

1. In the Active Directory Sites And Services snap-in, expand Inter-Site Transports.

2. Select IP.

3. Right-click DEFAULTIPSITELINK and click Rename.

4. Type HQ-BRANCHA and press Enter.

5. Double-click HQ-BRANCHA.

6. In the Sites In This Site Link list, select BRANCHB and click Remove. Click OK.

7. Right-click IP and click New Site Link.

8. Type HQ-BRANCHB in the Name box.

9. In the Sites Not In This Site Link list, select Headquarters and click Add.

10. In the Sites Not In This Site Link list, select BRANCHB and click Add.

11. Click OK.

EXERCISE 3 Designate a Preferred Bridgehead Server

You can designate a preferred bridgehead server that will handle replication to and from its site. This is useful when you want to assign the role to a domain controller in a site with greater system resources or when firewall considerations require that the role be assigned to a single, fixed system. In this exercise, you designate a preferred bridgehead server for the site.

1. Expand Headquarters, Servers, and SERVER02.

2. Right-click SERVER02 and click Properties.

3. In the Transports Available For Inter-Site Data Transfer list, select IP.

4. Click Add, and then click OK.

   It is recommended that if a site has a GC server, the domain controller acting as a GC server should be the preferred bridgehead server. When Active Directory designates a bridgehead server automatically, it selects a GC server if one is available.

   If SERVER02 is not a DNS server and a GC server, you receive a warning that the preferred bridgehead server does not include all the directory partitions in the site. You can ignore the message for this exercise.

EXERCISE 4 Configure Intersite Replication

After you have created site links and, optionally, designated bridgehead servers, you can continue to refine and control replication by configuring properties of the site link. In this exercise, you reduce the intersite replication polling frequency and increase the cost of a site link.

1. Expand Inter-Site Transports.

2. Select the IP container in the console tree.

3. Double-click the HQ-BRANCHA site link.

4. In the Replicate Every box, type 15 and click OK.

5. Double-click the HQ-BRANCHB site link.

6. In the Replicate Every box, type 15.

7. Click Change Schedule.

8. Examine the Schedule For HQ-BRANCHB dialog box. Experiment with configuring the schedule, but click Cancel when you are finished.

9. In the Cost box, type 200.

10. Click OK.