Win 2003 AD Replication Schedule - 15 minutes min??

[K Berrien]

Here is the scenario. We've got 2 new servers running 2003 which will
run our new AD domain (running nt 4 now).

Server 1 is for authentication, DC root, SUS, SAV, DNS.
Server 2 is file services, member DC (our "BDC"), secondary DNS. (The
idea is to split the load, and Server 2 can pick up all services if
server 1 fails - this machine has more beefy redudancy features).

Ok, so I join Server 2 to the AD Domain, configure DNS, etc. Now I
realise that AD appears to only replicate at min. 15 minute intervals.
This is a problem. Create a user on Server 1, and you have to wait 15
mins to apply rights to their home directory? (or manually use
site/subnets to 'replicate now' which didn't work anyways). Or,
create user on Server 2, but the user won't be able to authenticate
for 15 minutes?

Is there something crucially wrong with our design here, ie, your file
server can not be a domain server or is there an instantaneous
replication method I'm not aware of. These servers will live on the
same switch, so it's not like there is worry over the transfers, but I
certainly should not have to replicate sysvol constantly.

And what mechanism ensures that clients authenticate through a
specific machine?

 

[Matjaz Ladava [MVP]]

Default intrasite replication is 5 between two DC's not 15 minutes + few
seconds delay. Topology generator will create a site topology (bidirectional
ring), so that no more than three hops are between DC's. In large site with
more DC's (7 or more) there is a replication latency of 15 min. If there are
more than 7 DC's within a site, the topology generator creates a shortcut
links between DC's so that 3 hops limit is maintained.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com

 

[K Berrien]

Well, even five minutes would be a bit annoying. Where is that set?
According to the site utility 15 is min. Also, even so, I did not get
five minute replication, nor 15. Twice I rebooted the server to
somehow force (selecting replicate now didn't work) replication, which
worked.

According to log entries, replication is working as far as I can tell.

 

[Matjaz Ladava [MVP]]

5 minutes is built in the KCC, and I don't think there is a way to change
that. Use Replication monitor from support tools to get more info on your
replication.

--
Regards

Matjaz Ladava, MCSE (NT4 & 2000), Windows MVP
(e-mail address removed)
http://ladava.com

 

[Joe Richards [MVP]]

Actually with Windows 2003 intrasite has been reduced considerably and via registry change you can modify it on Windows
2000. Windows 2003 has (if I recall correctly) a 15 second hold back now instead of a 5 minute holdback.

Between sites, the replication scheduling of 15 minutes is still the minimum unless change notification is enabled. At
the time that is enabled the question comes up as to whether or not the two sites should be actually one site. Reasons
why you wouldn't want to would be segregation of used domain controller resources for specific clients in a specific
subnet or you still want compression of the replication traffic with the understanding that enabling change
notifications will really cut down on how much compression really occurs.

--
Joe Richards
www.joeware.net

 

[K Berrien]

Ok, all in all, good information. Anyone got some concrete actions I
can take? I'd love to have instantaneous updates - but to replicate
the entire AD constantly doesn't seem quite right. I don't know if
replication is a blanket copy of the AD, or a selective updating of
changed records. I suspect it's selective, else there would be risk
of writing over changes made on different DC's.

Both DC's are within the same site(on the same switch), and I've
modified the replication schedules to be every day at 15 min (lowest I
could set) increments using IP.

Use Replication monitor from support tools to get more info on your
replication.

I assume you mean the 2003 resource kit? This perhaps would be a good
start to SEE whats going on.

5 minutes is built in the KCC

KCC? Your talking to an ole NT 4 guy. I've used 2k in a non-AD role
but these AD portions are somewhat new. Unfortunately, my initial
testing this summer did not include replication... so I'm not familiar
with the term kcc.

Actually with Windows 2003 intrasite has been reduced considerably and via registry change you can modify it on Windows
2000. Windows 2003 has (if I recall correctly) a 15 second hold back now instead of a 5 minute holdback.

Anyone remember that registry location in Win 2k?


I guess I have the following questions at this point:

1. I assume it's possible my replication (at whatever interval) ISN'T
working correctly. How should I test this, etc.

2. Is it possible to obtain near instantaneous updating so I can see
changes between boxes when doing work, like adding users, applying
rights for that user on the 2nd box all within one sitting - or will I
always have to get a coffee and wait?

a. If my file server WAS a member server (and not a DC - say I
add another DC for redundancy only) would I still
have delays?

3. I've been doing a lot of research since the summer in prep for this
project, but don't remember anything good on replication scenarios.
Any suggestions of stuff on the web?

4. Back to an origional question I had. XP clients will find the DC
via DNS, but what will make them use one DC over another? The idea
was (based on recommendations) the auth server would handle that and
other services, leaving the file server to share files, etc... but the
file server could at as both during a failure.

TIA, Kevin

 

[Joe Richards [MVP]]

Ok when you say in the same site do you mean in the same site logically and physically? I.E. What is your site topology
configured like in AD? If you mucking with the site link schedule timing is changing things then they are configured to
be in different logical sites. This wouldn't be right if they are on the same physical switch.

Are these machines W2K DC's upgraded or are they Native W2K3? If native, you don't need the reg entries. If W2K upgrades
then you want to look at the following two entries:

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ntds\parameters
Replicator notify pause after modify (secs) REG_DWORD 0x12c
Replicator notify pause between DSAs (secs) REG_DWORD 0x1e

The values are hex number of seconds for holdback and notify pause.


For your bulleted questions

1. REPADMIN /SHOWREPS run against each DC.

2. Near instantaneous will be difficult, AD is specifically a multimaster loosely consistent system. If everything is in
the same site and there are a small number of DC's (say enough to keep the ring to 3 hops or less) your latency should
be less than a minute for a change unless things are really hosed. You can force a member machine to use a specific DC
or you can look at a member machine and ascertain what DC it is using and target that for the changes.

a. You really shouldn't run apps and f&p serving on DC's.

3. Check out Notes from the field from MSPress. A lot of replication details but they are W2K specific.

4. XP will choose the most logical based on the siting info and the DNS priority/weighting on the SRV records. If all of
that is equal it will be based on whether or not your DNS is roundrobin-ing the result sets. If it isn't your machines
will consistently use the same DC, if it is, you will loop through your DC's.





--
Joe Richards
www.joeware.net

--

Ok, all in all, good information. Anyone got some concrete actions I
can take? I'd love to have instantaneous updates - but to replicate
the entire AD constantly doesn't seem quite right. I don't know if
replication is a blanket copy of the AD, or a selective updating of
changed records. I suspect it's selective, else there would be risk
of writing over changes made on different DC's.

Both DC's are within the same site(on the same switch), and I've
modified the replication schedules to be every day at 15 min (lowest I
could set) increments using IP.

Use Replication monitor from support tools to get more info on your
replication.

I assume you mean the 2003 resource kit? This perhaps would be a good
start to SEE whats going on.

5 minutes is built in the KCC

KCC? Your talking to an ole NT 4 guy. I've used 2k in a non-AD role
but these AD portions are somewhat new. Unfortunately, my initial
testing this summer did not include replication... so I'm not familiar
with the term kcc.

Actually with Windows 2003 intrasite has been reduced considerably and via registry change you can modify it on Windows
2000. Windows 2003 has (if I recall correctly) a 15 second hold back now instead of a 5 minute holdback.

Anyone remember that registry location in Win 2k?


I guess I have the following questions at this point:

1. I assume it's possible my replication (at whatever interval) ISN'T
working correctly. How should I test this, etc.

2. Is it possible to obtain near instantaneous updating so I can see
changes between boxes when doing work, like adding users, applying
rights for that user on the 2nd box all within one sitting - or will I
always have to get a coffee and wait?

a. If my file server WAS a member server (and not a DC - say I
add another DC for redundancy only) would I still
have delays?

3. I've been doing a lot of research since the summer in prep for this
project, but don't remember anything good on replication scenarios.
Any suggestions of stuff on the web?

4. Back to an origional question I had. XP clients will find the DC
via DNS, but what will make them use one DC over another? The idea
was (based on recommendations) the auth server would handle that and
other services, leaving the file server to share files, etc... but the
file server could at as both during a failure.

TIA, Kevin

 

[K Berrien]

Ok when you say in the same site do you mean in the same site logically and physically? I.E. What is your site topology
configured like in AD? If you mucking with the site link schedule timing is changing things then they are configured to
be in different logical sites. This wouldn't be right if they are on the same physical switch.

Both machines are in the same site physically. Within AD Sites &
Services they are configured within the same site.

Are these machines W2K DC's upgraded or are they Native W2K3? If native, you don't need the reg entries. If W2K upgrades
then you want to look at the following two entries:

These are native W2K3.

1. REPADMIN /SHOWREPS run against each DC.

Thanks, will check.

2. Near instantaneous will be difficult, AD is specifically a multimaster loosely consistent system. If everything is in
the same site and there are a small number of DC's (say enough to keep the ring to 3 hops or less) your latency should
be less than a minute for a change unless things are really hosed. You can force a member machine to use a specific DC
or you can look at a member machine and ascertain what DC it is using and target that for the changes.

Less than a minute would probably be sufficient. Even if the user was
created on the file serving machine, and their home dir was created
there also (which it has to) the entire user change/create process
could be done instantly on THAT machine. By the time the user logged
in (if less than 1 minute until replication) to the auth machine we'd
be golden.

a. You really shouldn't run apps and f&p serving on DC's.

Yes, this is true. As you certainly know, we all can't afford (much
less the strapped Municipality I work for) to split all our services
amoung servers as Microsoft recommends. Having a replication partner
at min. is a big improvement on our NT4 system.

3. Check out Notes from the field from MSPress. A lot of replication details but they are W2K specific.
Thanks...

4. XP will choose the most logical based on the siting info and the DNS priority/weighting on the SRV records. If all of
that is equal it will be based on whether or not your DNS is roundrobin-ing the result sets. If it isn't your machines
will consistently use the same DC, if it is, you will loop through your DC's.

Server 2, the file server is running secondary DNS for server 1, the
auth server (as the service purists cringe) so that should tell you
how the configuration is in brief. Either by being secondary (and
generated from the primary dns), the SRV records with either be
identical? and clients will round-robin, or they carry a lighter
weight priority number than the primaries and clients will "prefer"
the auth server.

Thanks for the continuing advice gentlemen. I'm starting to get a
game plan for Monday so I can move on and meet my next weekend
deadline for server configuration. While this isn't a show stopper, I
don't want to move forward without having to backtrack because this
issue require some adjustments.

Kevin

 

[Joe Richards [MVP]]

Ok simply verify that they think they are in the same sites by doing nltest /dsgetsite on both of them.

You should have subminute replication with 2 DC's. In fact you should probably have convergence in under 30 seconds
unless you have some weird issues like DNS problems or network dropouts.

I don't say you shouldn't mix DCs and other things because MS recommends it. I say it for security and stability
reasons. There are many times where to get replication going again you have to reboot a server. If it isn't burdened
with an application or F&P this is an easy thing to accomplish. From a security standpoint, the more you run on a DC,
the more stuff can be compromised to get access to your core security structure.

As for the DNS and service purists comment.. See paragraph above. However MS actually tells you to run DNS on DC's as
that is fine. I am again of the opinion, the more crap on DCs the better the chance of being compromised.

As for how your DNS is actually working, I would say do multiple nslookups against the server and see if it is
roundrobining the results. One other point I forgot before. Once a client picks a specific DC, it will tend to use that
one until there is a problem or you force a rediscovery - nltest /dsgetdc:domain /force

By default, MS sets priority and weight the same for all DC's, you would have to modify the registry on specific
machines if you wanted something else.

 

[K Berrien]

Ok, sounds good. Looks as if I need to watch and test replication as
there is likely a problem there.

Kevin

 

[K Berrien]

Ok, I checked my DC's and replication IS WORKING, but confirmed at 15
minute intervals.

I found an article in 2003 help - Set a notification delay and gave
that a try. I appeared to be what I need to adjust.

using ntdsutil

set nc replicate notification delay <DirectoryPartition> <delaysec>
<additional delaysec for remaining dc's>

So I did:

set nc replicate notification delay DC=mydomain,DC=org 30 60

it takes the command....

And I'm still at 15 minutes. Any thoughts, am I barking up the wrong
tree, addressing my DirectoryPartion wrongly?

 

[Joe Richards [MVP]]

Please post nltest /dsgetsite for both DC's.

 

[K Berrien]

nltest /dsgetsite for both DC's gives me

WHS

which is the site name both reside in.

 

[Joe Richards [MVP]]

Yeah that is the same site. The replication should all be intrasite which should be quick, what are the values (or do
they even exist) of

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ntds\parameters
Replicator notify pause after modify (secs) REG_DWORD 0x12c
Replicator notify pause between DSAs (secs) REG_DWORD 0x1e


How do you know it takes 15 minutes for replication?



--
Joe Richards
www.joeware.net

--

nltest /dsgetsite for both DC's gives me

WHS

which is the site name both reside in.

 

[K Berrien]

I've made changes to one DC (add OU, user, etc...) and checked the
other DC to find it doesn't replicate for around that period, I've
also used REPADMIN /SHOWREPS which gives you the actual times of
replication.

I'll check those reg. entries today.

 

[K Berrien]

Ok, checked those reg keys out, and I don't have them on either DC.
Here is some more info, perhaps that might have some bearing.

1. The site WHS has 3 subnets attached. Both DC's are however on the
same subnet. I guess I could try making a fictious site, with one
subnet and moving them both into that.

2. I origionally had 1 DC in the site WHS, and one in the Default
site, and I moved that DC into WHS soon after I promoted the second
box to DC. They have been in the same site all this week. I guess I
could move a DC in/out of the WHS site, perhaps something wasn't
updated the first time?

 

[K Berrien]

Gave a try of making a new site (our datacenter) and moving the DC's
into them, and the 1 subnet. I still get 15 minute (inter-site)
replication time.

 

[Joe Richards [MVP]]

Intersite is between sites, if they are both in the same site it should be intrasite replication.

Out of curiosity, if you bump your site link replication timing up to 3 hours or so, what happens?

--
Joe Richards
www.joeware.net

 

[K Berrien]

Good question, and your right, "intra", bloody prefixes! Making the
changeover and going live today. If I get a chance, I'll adjust and
time it.

 

[K Berrien]

I changed the replication times, with no effect, still 15 mins.