I have recently added a new site to my Active Directory domain (single forest, single domain). I have mapped subnets to the sites, and added one DC to the new site with our remaining 4 on the original site.
As part of the configuration of the new site I looked at NTDS Settings to ensure replication was configured correctly, and things look... odd.
I've compiled a list of which servers have replication configured from other servers. I've obscured the names for security reasons but, for background:
- SERVER-A is our FSMO role holder for all roles.
- SERVER-B is a virtual instance of a DC.
Both SERVER-A and SERVER-B are Windows Server 2012 Standard.
- SERVER-C is our previous FSMO role holder which has been relegated to the role of a standard DC, no FSMO roles are held by it. This DC runs Windows Server 2003.
- SERVER-D has never hosted any FSMO roles. It runs Windows Server 2008.
SERVER-A through SERVER-D all live in the same AD Site, called BHO.
- SERVER-E holds no FSMO roles but is the sole DC in a new site, called ECO. It runs Windows Server 2012 Standard.
Ultimately, SERVER-C and SERVER-D will be demoted, removed from the domain, and have their hard disks formatted. However, I am nervous to do this because it appears replication relies quite heavily on these servers at present, particularly SERVER-C!
The list below shows each server, and the "source" servers associated with it (i.e. the servers are listed, followed by the servers which appear under the NTDS Settings page in ADS+S).
SERVER-C -> SERVER-A
SERVER-C -> SERVER-B
SERVER-C -> SERVER-E
SERVER-D -> SERVER-A
SERVER-D -> SERVER-B
SERVER-A -> SERVER-C
SERVER-A -> SERVER-D
SERVER-B -> SERVER-C
SERVER-B -> SERVER-D
SERVER-E -> SERVER-A
I am unsure what this means. If I click SERVER-C, go into its NTDS Settings, and see Servers A, B and E listed, does this mean changes made on servers A, B and E will be replicated to C, or that changes on C are pushed to A, B and E?
My understanding is that C will receive changes from A, B and E which seems strange given that C is our "PDC" (for want of a better description). What I want is for C to push changes to A, B, D and E. And for each of A, B, D, and E to push their changes to C. Even more ideally, C and D would both be master copies, would replicate changes between themselves, but all other servers (A, B, E) would replicate their changes to one of C and D, before the change is then pushed out to the remaining servers.
I hope this explanation makes sense. Please could someone clarify whether I'm barking up the wrong tree and if so, whether it is safe to add the correct NTDS replication settings before removing the "incorrect" ones?
Very short answer: Unless you have really, really oddball connectivity (connections with time-limited availability, connections with excessively high bandwidth costs that warrant tuning replication traffic) you really don't need to manually adjust anything about Active Directory (AD) replication. It just works (rather well, actually).
Microsoft has background material about how AD replication works that I'd recommend you review to get details.
The basic overview of the replication model within sites (intrasite) is:
Although AD replication is pull-based, Domain Controllers (DCs) send Change Notifications to their replication partners within a site informing them when changes are available.
The replication partner verifies that it does not have newer data than what the source DC has (because, potentially, it could have already received this or a newer update from another DC).
The replication partner requests updates from the source DC if it determines that its local replicas of the object are in need of update.
Replication between sites doesn't use change notifications (by default) but, rather, at a configurable interval (as low as 15 minutes) a DC will poll its replication partner in the remote site to obtain changes. You can enable the change notification mechanism over intersite links to permit replication to occur in intervals shorter than 15 minutes.
Also, be aware that there are, at minimum, three different replication topologies in play in a single domain AD forest. Each partition of the AD database is replicated on a potentially different topology.
In Windows Server 2003 AD Forests you will also have a ForestDNSZones partition, and a DomainDNSZones partition for each domain in the forest.
The repadmin tool from the Windows Support Tools can be used to build some rudimentary visualizations of the AD replication topology.
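As an added example, not part of the question or the answer above, the PowerShell below reads the same connection objects the poster inspected in AD Sites and Services and prints them as an inbound view (what NTDS Settings shows) and an outbound view (who depends on each DC as a source), then checks what each remaining DC would be left with if one DC were demoted. It assumes the ActiveDirectory module (RSAT) and read access to the Configuration partition; the retiring server name is a placeholder.

```powershell
# Added example, not code from the original post. A connection object under a
# DC's NTDS Settings is INBOUND: that DC pulls changes from the "From Server".
Import-Module ActiveDirectory

# Every connection object in the forest. ReplicateToDirectoryServer is the DC the
# object is stored under (the puller); ReplicateFromDirectoryServer is its source.
# Both are NTDS Settings DNs, so the second RDN is the server's CN.
$conns = Get-ADReplicationConnection -Filter * | ForEach-Object {
    [pscustomobject]@{
        Puller     = ($_.ReplicateToDirectoryServer   -split ',')[1] -replace '^CN='
        PulledFrom = ($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN='
    }
}

"Inbound view (what ADS&S lists under each DC's NTDS Settings):"
$conns | Group-Object Puller | ForEach-Object {
    "{0} pulls from: {1}" -f $_.Name, (($_.Group.PulledFrom | Sort-Object) -join ', ')
}

"Outbound view (DCs that rely on each server as a replication source):"
$conns | Group-Object PulledFrom | ForEach-Object {
    "{0} is a source for: {1}" -f $_.Name, (($_.Group.Puller | Sort-Object) -join ', ')
}

# Before demoting a DC, confirm every other DC still has at least one inbound
# partner that is NOT the DC being removed. The KCC normally rebuilds the
# topology on its own, but this shows what the current connections depend on.
$retiring = 'SERVER-C'   # placeholder: the DC you intend to demote
$dcs = (Get-ADDomainController -Filter *).Name
foreach ($dc in ($dcs | Where-Object { $_ -ne $retiring })) {
    $others = $conns | Where-Object { $_.Puller -eq $dc -and $_.PulledFrom -ne $retiring }
    if (-not $others) { "WARNING: $dc has no inbound partner other than $retiring" }
}

# Live replication health, as opposed to the topology on paper.
repadmin /replsummary
```

Run it from a domain-joined admin session; the WARNING lines are the DCs whose only current inbound partner is the server you plan to remove.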