Active Directory Best Practices


Replication
Chapter 13: Troubleshooting Active Directory Replication

Verifying Replication

You may want to verify that objects have been completely replicated throughout the domain before you attempt to run applications or perform administrative management of the domain controllers. In order to do so, you can use the dsastat.exe utility from the Support Tools. This utility will allow you to compare the contents of the Active Directory database so that you can determine whether replication has completed. In its most basic form, you can issue the command and specify only the domain controllers you want to compare, separated by semicolons such as:

    Dsastat -s:domaincontroller1;domaincontroller2

When issuing the command in the zygort.lcl domain for the domain controllers rosebud and milquetoast, the command line would appear as:

    dsastat -s:rosebud;milquetoast

The utility will attempt to make LDAP connections to each of the domain controllers and query the partition information. It will compare both directory databases and return whether or not they are identical. Figure 13.4 shows the response that is returned if the databases are identical, and Figure 13.5 shows the response when replication has not completed.

[Figure 13.4: Response from dsastat.exe if replication has completed]
[Figure 13.5: Response from dsastat.exe if replication has not completed]

Note: The dsastat.exe utility can also be used to verify that specific portions of the Active Directory structure are synchronized. For more information on the switches available for use with dsastat.exe, enter dsastat /? at the command prompt.

Other tools are available that can also provide information about your Active Directory directory service and tell you whether or not the replicas are up-to-date. The first is the command-line tool repadmin, which can be found in the Support Tools. If you are more comfortable using the GUI-based tools, the ReplMon utility is available to perform the same functions. The final tool we will discuss is the DCDiag utility.

Using RepAdmin

The RepAdmin utility can assist you when you are trying to determine the cause of replication problems. Some of its more popular options include checking the status of the Knowledge Consistency Checker (KCC), viewing the replication partners for domain controllers, and viewing which domain controllers have not replicated. If you want to view the KCC status, you can enter the command:

    repadmin /kcc

If you want to view the replication status of the last replication attempt from a domain controller's replication partners, you can enter the command:

    repadmin /showreps

Windows 2000 and Windows Server 2003 will both use the /showreps option, but the RepAdmin utility that is included with Windows Server 2003 Support Tools can also use the /showrepl switch to do the same thing. Windows Server 2003 also uses the /replsummary switch, sometimes abbreviated as /replsum, to allow you to view the failures and replicated objects. You should see a minimum of three connections per domain controller, one connection for each of the directory partitions. If the /showreps or /showrepl options do not show any connections to other domain controllers, you should run the KCC by using the ReplMon utility. If you are working within a Windows Server 2003 environment, you can open Active Directory Sites and Services, right-click the NTDS Settings object, and select All Tasks > Check Replication Topology. If you still receive errors because the KCC did not create the appropriate connection objects, manually create a connection object between the domain controllers.

Note: If you use the Check Replication Topology option on the domain controller that is the Intersite Topology Generator, you will recalculate the intersite and intrasite replication topology. If you run it from any other domain controller, you will recalculate the intrasite topology.

You can force synchronization for any of the partitions with the repadmin tool by using the /sync switch. This will force replication for a specific partition from a replication partner that you use in the command. If you want to force replication between all domain controllers, you can use the option /syncall. By default, the Active Directory replication is pull replication, meaning that the domain controller will request the data from its partners. You can change that behavior by using the /P switch, which forces the domain controller to push its objects to its partner domain controllers. The command looks like this:

    repadmin /syncall domain_controller_FQDN directory_partition /P

Using ReplMon

ReplMon is the graphical utility
that will allow you to view the connections between domain controllers and troubleshoot issues
with Active Directory replication. It will also allow you to view the Update Sequence Number
(USN) of the replication partners and the last successful replication time. As seen in Figure 13.6,
you can add the domain controllers that you want to monitor within the contents pane of the utility
and perform tests on them. Beneath the domain controller, all of the directory partitions are listed.
When you expand the partition, you will be shown the replication partner and the replication results
for the last replication attempt for that partitio
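
The per-partner checks described under Using RepAdmin (failed attempts, and at least one connection for each of the three directory partitions) can be scripted against the CSV form of repadmin /showrepl. The PowerShell below is an added example, not from the book; the sample rows, the function name Get-ReplicationFinding and the 60-minute staleness threshold are assumptions made for illustration.

```powershell
# Added example. Sample rows are constructed; the column names are those
# emitted by: repadmin /showrepl * /csv
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,ROSEBUD,"DC=zygort,DC=lcl",Default-First-Site-Name,MILQUETOAST,RPC,0,0,2004-07-14 17:05:11,0
showrepl_INFO,Default-First-Site-Name,ROSEBUD,"CN=Configuration,DC=zygort,DC=lcl",Default-First-Site-Name,MILQUETOAST,RPC,0,0,2004-07-14 17:05:11,0
showrepl_INFO,Default-First-Site-Name,ROSEBUD,"CN=Schema,CN=Configuration,DC=zygort,DC=lcl",Default-First-Site-Name,MILQUETOAST,RPC,0,0,2004-07-14 17:05:12,0
showrepl_INFO,Default-First-Site-Name,MILQUETOAST,"DC=zygort,DC=lcl",Default-First-Site-Name,ROSEBUD,RPC,4,2004-07-14 17:10:02,2004-07-14 13:02:40,1722
showrepl_INFO,Default-First-Site-Name,MILQUETOAST,"CN=Configuration,DC=zygort,DC=lcl",Default-First-Site-Name,ROSEBUD,RPC,0,0,2004-07-14 17:05:30,0
'@

function Get-ReplicationFinding {
    param(
        [Parameter(Mandatory)] [string[]] $CsvText,
        [datetime] $Now = (Get-Date),
        [int] $MaxAgeMinutes = 60,       # assumption: tune to your replication schedule
        [int] $ExpectedPartitions = 3    # one connection per directory partition
    )
    # Rows not marked showrepl_INFO are skipped in this example
    $links = @($CsvText | ConvertFrom-Csv |
        Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' })
    foreach ($l in $links) {
        $last = [datetime]::MinValue
        $parsed = [datetime]::TryParseExact($l.'Last Success Time', 'yyyy-MM-dd HH:mm:ss',
            [cultureinfo]::InvariantCulture, [Globalization.DateTimeStyles]::None, [ref]$last)
        $problem = if ([int]$l.'Number of Failures' -gt 0) {
            "failing, last status $($l.'Last Failure Status')"
        } elseif (-not $parsed) { 'no successful replication recorded' }
        elseif (($Now - $last).TotalMinutes -gt $MaxAgeMinutes) { 'stale' }
        if ($problem) {
            [pscustomobject]@{ Destination = $l.'Destination DSA'; Source = $l.'Source DSA'
                               Partition = $l.'Naming Context'; Problem = $problem }
        }
    }
    # Destinations with inbound connections for fewer partitions than expected
    $links | Group-Object 'Destination DSA' | ForEach-Object {
        $n = @($_.Group.'Naming Context' | Sort-Object -Unique).Count
        if ($n -lt $ExpectedPartitions) {
            [pscustomobject]@{ Destination = $_.Name; Source = '-'; Partition = '-'
                Problem = "only $n of $ExpectedPartitions partitions have an inbound connection" }
        }
    }
}

# Fixed clock keeps the constructed sample reproducible. Live use:
#   Get-ReplicationFinding -CsvText (repadmin /showrepl * /csv)
Get-ReplicationFinding -CsvText $sampleCsv -Now ([datetime]'2004-07-14 17:15:00') |
    Format-Table -AutoSize
```

On the constructed sample this reports two findings for MILQUETOAST: the failing domain-partition link from ROSEBUD, and a missing inbound connection for the schema partition.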
