AD Replication tests

Hey all,

Getting my domain ready for upgrading to 2003 and I want to make sure the
following are working correctly.

Verify the end-to-end Active Directory replication throughout the forest
Verify that the contents of the Sysvol share are consistent.

What would be the best way to check them?

Would something like ADCheck do from NetIQ? or should I use the FRSDiag tool?

This is my first time venturing into this area so I'm a little unsure of how
to test for accurate results.
Thanks
 
Adrian said:
Hey all,

Getting my domain ready for upgrading to 2003 and I want to make sure the
following are working correctly.

Verify the end-to-end Active Directory replication throughout the forest
Verify that the contents of the Sysvol share are consistent.

What would be the best way to check them?

Generally I just use DCDiag as it is quick and easy, but sometimes
ReplMon and RepAdmin are useful too.

Support tools are on the server CDRom.

Would something like ADCheck do from NetIQ? or should I use the FRSDiag
tool?

They sound like they do something similar but I usually just
use the free tools.

This is my first time venturing into this area so I'm a little unsure of
how to test for accurate results.
Thanks

DCDiag is your friend and should be run against every
DC regularly or whenever you suspect either authentication
or replication issues.
 
Thanks Herb,

ADCheck is a free tool with a little GUI, small but somewhat useful.

I ran DCDiag and it pulled up some interesting results. I'm not quite sure what
they mean though.

Under Services
Starting test: Services
.....................
Could not open IISADMIN Service on [DC01]:failed with 1060:
Win32 Error 1060
Could not open SMTPSVC Service on [DC01]:failed with 1060: Win32
Error 1060
......................... DC01 failed test Services

I don't have any IISADMIN Service or SMTPSVC Service running, or need to for
that matter. Why would it pick these up?

Then further on, it pulled up an old DC which has since been removed.

Starting test: frssysvol
* The File Replication Service Event log test
The SYSVOL has been shared, and the AD is no longer
prevented from starting by the File Replication Service.
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.

This event log message will appear once per connection, After the problem is
fixed you will see another event log message indicating that the connection
has been established.

An Warning Event occured. EventID: 0x800034C4
Time Generated: 08/30/2006 20:23:13
Event String: The File Replication Service is having trouble
enabling replication from COM0 to DC01 for c:\winnt\sysvol\domain using the
DNS name Com0.mydomain.com. FRS will keep retrying.

Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name Com0.mydomain.com from this
computer.
[2] FRS is not running on Com0.mydomain.com.
[3] The topology information in the Active Directory for this replica has
not yet replicate to all the Domain Controllers.

I've checked under Sites & Services as well as Users & Comp and the old DC doesn't
seem to exist, yet it's pulling it here for some reason.

Any ideas what's going on? Or more importantly how to fix the errors?

I will try tomorrow and do some work on finding the rogue DC which must have
a record; I'll try using the Metadata Cleanup. But for the services I'm stumped.

Just noticed I'm also getting SMTPSVC Service errors on my application
server? Definitely needs more investigating.
Thanks
 
Adrian said:
Thanks Herb,

ADCheck is a free tool with a little GUI, small but somewhat useful.

I ran DCDiag and it pulled up some interesting results. I'm not quite sure what
they mean though.

Under Services
Starting test: Services
.....................
Could not open IISADMIN Service on [DC01]:failed with 1060:
Win32 Error 1060
Could not open SMTPSVC Service on [DC01]:failed with 1060:
Win32 Error 1060
......................... DC01 failed test Services

I don't have any IISADMIN Service or SMTPSVC Service running, or need to
for that matter. Why would it pick these up?

DCs usually run the SMTP service and IISAdmin is needed
for any of the IIS services (web, ftp, smtp, pop) to run.

Not important to the direct functioning of your domain.

Then further on, it pulled up an old DC which has since been removed.

DCs that are not PROPERLY removed will show up AND
cause errors until you remove them manually. (*See NTDSutil
notes below.)

Starting test: frssysvol
* The File Replication Service Event log test
The SYSVOL has been shared, and the AD is no longer
prevented from starting by the File Replication Service.
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.

This event log message will appear once per connection, After the problem
is fixed you will see another event log message indicating that the
connection has been established.

An Warning Event occured. EventID: 0x800034C4
Time Generated: 08/30/2006 20:23:13

I've checked under Sites & Services as well as Users & Comp and the old DC
doesn't seem to exist, yet it's pulling it here for some reason.

Hopefully you (nor anyone else) didn't try to manually remove
the DC in the GUIs instead of just DCPromo it to non DC or
using NTDSUtil if that first mistake was made.

Don't try to remove an "abandoned" DC using ANY GUI tools
until you have run the NTDSUtil and read docs on what to do
next if this has been screwed up. (It's not terrible but it is much
more tedious if you do it wrong first.)

Any ideas what's going on? Or more importantly how to fix the errors?

I will try tomorrow and do some work on finding the rogue DC which must
have a record; I'll try using the Metadata Cleanup. But for the services I'm
stumped.

Just noticed I'm also getting SMTPSVC Service errors on my application
server? Definitely needs more investigating.
Thanks


--
NTDSutil metadata cleanup

Search Google for:

[ NTDSutil "metadata cleanup" remove DC Domain ]

No need to add either site:microsoft.com OR microsoft:
since the NTDSutil and other terms make it Microsoft specific
by itself.

Unless you WISH to restrict answers to the site:microsoft.com
for some reason.

[ NTDSutil "metadata cleanup" remove DC Domain site:microsoft.com ]

Key points to NOTE when doing the metadata cleanup:

You CONNECT to a WORKING DC.
You SELECT the missing/dead DC or DOMAIN

'Connect' and 'Select' are technical terms in this context.

216498 - HOW TO Remove Data in Active Directory After an
Unsuccessful Domain Controller Demotion (2000 & 2003):
http://support.microsoft.com/?id=216498
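
An added example, not part of the thread or any poster's code: a small Python triage of DCDiag text output that separates the two kinds of findings discussed above, namely Services failures with Win32 error 1060 (the service is not installed) and FRS warnings that name a replication partner missing from the list of DCs you expect. `KNOWN_DCS`, the `triage` function and the sample text (assembled from the output quoted in the thread, with wrapped lines re-joined) are assumptions.

```python
import re

# Constructed sample: DCDiag lines quoted in the thread, re-joined onto single lines.
SAMPLE = """\
Starting test: Services
Could not open IISADMIN Service on [DC01]:failed with 1060: Win32 Error 1060
Could not open SMTPSVC Service on [DC01]:failed with 1060: Win32 Error 1060
......................... DC01 failed test Services
Starting test: frssysvol
An Warning Event occured. EventID: 0x800034C4
Event String: The File Replication Service is having trouble enabling replication from COM0 to DC01 for c:\\winnt\\sysvol\\domain using the DNS name Com0.mydomain.com. FRS will keep retrying.
"""

KNOWN_DCS = {"DC01"}  # assumption: the DCs that should exist, kept by the admin

SVC = re.compile(r"Could not open (\S+) Service on \[(\S+?)\]:\s*failed with (\d+)")
FAILED = re.compile(r"\.+\s*(\S+) failed test (\S+)")
FRS = re.compile(r"enabling replication from (\S+) to (\S+) for")

def triage(text, known_dcs):
    """Return (failed_tests, findings) for one DCDiag run.

    findings are (dc, message, level) with level info / check / fix.
    """
    failed, findings = [], []
    known = {d.upper() for d in known_dcs}
    for line in text.splitlines():
        if m := SVC.search(line):
            svc, dc, code = m.groups()
            if code == "1060":  # ERROR_SERVICE_DOES_NOT_EXIST: not installed
                findings.append((dc, f"{svc} not installed (Win32 1060)", "info"))
            else:
                findings.append((dc, f"{svc} could not be opened (Win32 {code})", "check"))
        elif m := FAILED.search(line):
            failed.append((m.group(1), m.group(2)))
        elif m := FRS.search(line):
            src, dst = m.group(1).upper(), m.group(2).upper()
            for name in (src, dst):
                if name not in known:  # partner left behind by a removed DC
                    findings.append((dst, f"FRS partner {name} is not a known DC", "fix"))
    return failed, findings

if __name__ == "__main__":
    failed_tests, found = triage(SAMPLE, KNOWN_DCS)
    print("failed tests:", failed_tests)
    for dc, message, level in found:
        print(f"[{level}] {dc}: {message}")
```

Feed it the text DCDiag writes for each DC; any `fix` finding points at leftover metadata of the kind the NTDSutil procedure above is meant to remove.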
 
Herb,

I've checked this morning under DC01, NTDSutil Metadata Cleanup and the rogue
DC doesn't show up at all? It's not listed.

Unfortunately it had been removed manually. I removed it when I started here
as the original server had been simply disconnected and trashed without
having first run DCpromo. I removed it through NTDSutil as per the guide
on "http://www.petri.co.il/delete_failed_dcs_from_ad.htm". I had read the MS
docs on the matter but the guide above was easier for a first timer.

I'm not sure, however, where the rogue DC entry could be. If it isn't under
Sites and Services \ Users & Computers \ DNS and I can't see it under NTDSutil,
where is the little guy hiding!? Could it be possible it's just a stale record
that hasn't been removed?

As for the services:
I don't have IIS running on this DC at all; I checked under Windows
Components and it's not installed.
As for SMTP I'm not quite sure what to do about it.

Is it ok to leave these errors?

Thanks again for all your help!
 
Adrian said:
Herb,

I've checked this morning under DC01, NTDSutil Metadata Cleanup and the
rogue DC doesn't show up at all? It's not listed.

This is typical I believe of the case where the entries have been
(improperly) removed manually from other places (like AD Users
and Computers) without doing the NTDSUtil procedure.

Once they are not visible, NTDSUtil cannot find them and do
the job properly.

Search for articles (Google) at MS which include 'ADSIEdit' and
this whole idea, something like:

[ site:microsoft.com adsiedit ntdsutil remove dc | "domain controller" ]

You might need to modify the above search but this should get you close.

ADSIEdit is a dangerous utility unless you know what you are doing so
find the actual article and follow the steps.

Unfortunately it had been removed manually. I removed it when I started
here as the original server had been simply disconnected and trashed without
having first run DCpromo. I removed it through NTDSutil as per the
guide on "http://www.petri.co.il/delete_failed_dcs_from_ad.htm". I had read the
MS docs on the matter but the guide above was easier for a first timer.

Then it should have been gone. Unless the non-NTDSUtil stuff was done
first.

I'm not sure, however, where the rogue DC entry could be. If it isn't
under Sites and Services \ Users & Computers \ DNS and I can't see it under
NTDSutil, where is the little guy hiding!? Could it be possible it's just a stale
record that hasn't been removed?

Embedded deeper in the AD perhaps.
 
Verify the end-to-end Active Directory replication throughout the forest
see: MS-KBQ325379

To get a feeling everything is OK, you could use: GPOTOOL /CHECKACL /VERBOSE
which checks every GPO on every DC in a domain. If that is OK then you could
assume your SYSVOL is replicating OK.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
 