Our Windows domain has 3 DCs. One of the DCs is replicating changes made on the other DCs but not replicating out any changes made on itself.
We have no idea which has the most up-to-date AD so we want to compare the other 2 with the 1 that isn't working.
Is it possible to export the properties on every object (OU, CN, User, Group etc.) so that I can compare them? Maybe to an xml file?
Maybe there is a PowerShell or vbScript that will do this?
It sounds like your plan is to determine what DC has the latest changes, and then make them on another DC?
No no no no no.
This will backfire. AD doesn't replicate by what changes are consistent with each other, it replicates by latest serial number. What you need to do is fix replication. Depending on your version of Windows (you didn't tell us; it would be helpful), you can use REPLMON or REPADMIN to determine what is failing, and probably why. Edit- cheekaleak is correct: DCDIAG is also useful for finding replication and other errors in your DCs.
Run dcdiag on the server that isn't replicating changes made on it, and check its File Replication Services log for errors. That should help point you in the direction of how to fix replication.
The symptom is a classic indicator of lingering objects. If Strict Replication is enabled on a domain controller, and it detects a lingering object from a replication neighbor, it blocks inbound changes from that neighbor until the offending object is removed.
Strict Replication is set by default in new Windows Server 2003 SP1 domains and later.
When a lingering object is detected, an event id 1988 or 1388 is recorded in the Directory Service event log. If the domain/forest is small (at most a few domain controllers and less than 50,000 objects), you may use repadmin to remove lingering objects. Using repadmin for this purpose is not feasible on large AD implementations.
The following command will compare the specified partition on all domain controllers when * is substituted for ServerName, and log any offending lingering objects for removal:
If you are satisfied with the report, run the command without the advisory_mode switch to perform the action.
Troubleshooting Active Directory Replication Problems
http://technet.microsoft.com/en-us/library/cc738415%28v=ws.10%29.aspx
Event ID 1388 or 1988: A lingering object is detected
http://technet.microsoft.com/en-us/library/cc949134%28v=ws.10%29.aspx
Use Repadmin to remove lingering objects
http://technet.microsoft.com/en-us/library/cc949134%28v=ws.10%29.aspx#BKMK_RemoveLingeringObjects
A similar tool is GCChk from JoeWare, although I haven't used it:
http://www.joeware.net/freetools/tools/gcchk/index.htm
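A read-only way to gather the evidence the answers above point to, as an added example that is not part of the original posts: it looks for event IDs 1388 and 1988 in each DC's Directory Service log and lists the replication links that repadmin reports as failing. The DC names are placeholders, and it assumes repadmin is installed and the session has rights to read the remote event logs.

```powershell
# Added example. DC names are placeholders (assumption); replace with your own.
$DomainControllers = 'DC1', 'DC2', 'DC3'

# 1. Lingering-object events (1388 / 1988) in each DC's Directory Service log.
$lingering = foreach ($dc in $DomainControllers) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Directory Service'
            Id      = 1388, 1988
        } | Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Id
    }
    catch {
        # Get-WinEvent raises an error when nothing matches; that is the healthy case.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "Could not read the event log on ${dc}: $($_.Exception.Message)"
        }
    }
}

# 2. Replication links that repadmin reports as failing, from every DC's view.
#    -as [int] yields $null for blank or non-numeric cells, so those rows are skipped.
$failing = repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { ($_.'Number of Failures' -as [int]) -gt 0 }

"Lingering-object events per DC:"
$lingering | Group-Object DC, Id | Select-Object Name, Count | Format-Table -AutoSize

"Failing links by source DC (a DC whose changes never leave appears as the source):"
$failing | Sort-Object 'Source DSA' |
    Format-Table 'Source DSA', 'Destination DSA', 'Naming Context',
                 'Number of Failures', 'Last Failure Status', 'Last Success Time' -AutoSize
```

Nothing here modifies the directory; it only reads event logs and replication status, so it can be run before deciding on any cleanup.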