
Active Directory User Replication

Posted on 2009-05-08
Last Modified: 2013-12-23
Hi All,

I need to know how to replicate users from my kindertons.local domain to my kindertons-winsford.local domain.

As you can see in the attached JPG I have my two sites and the two subnets. Just need to know how to replicate from one to the other.
AD-layout.jpg
Question by:marc_butler
LVL 27

Expert Comment

by:bluntTony
ID: 24335244
Why would you want to replicate users between two domains? The users can only exist in the one domain.

You could migrate the users over if you want to move them from one to the other, but you wouldn't want to replicate them.

What is it you are trying to achieve?

Author Comment

by:marc_butler
ID: 24335271
Hi,

The Winsford server is a disaster recovery server. So if we had a fire or whatever at the main office the data and all user settings are ready to go at Winsford.

I don't want to migrate them as no-one hopefully will ever be using the server at Winsford.
LVL 57

Expert Comment

by:Mike Kline
ID: 24335360
You need to set up another domain controller for kindertons.local; all the AD data will then replicate to it and you will have it as a backup. That second DC can be a physical box or a virtual box. Like Tony mentioned, you replicate within the same domain (domain partition or naming context).
 
Thanks
Mike

Author Comment

by:marc_butler
ID: 24335413
So let me get this right.

I set up another PC with the same computer name (i.e. EXCHANGE) and set up another DC called kindertons.local at the Winsford office, with a different IP range and DNS set to the main office DC. And then what?

Run DCPROMO and setup a completely new domain called kindertons.local, install MS Exchange, SQL.

Then how do I tie the two domains together since they both have the same name?

Marc
LVL 57

Expert Comment

by:Mike Kline
ID: 24335464
The second domain controller would have a different computer name. It could be at the Winsford office or even at the same office. Yes, during dcpromo you would set it to point to the main/first DC for DNS.
It would still be in the same domain. All the data in AD will replicate to the second DC; both DCs will have a writable copy of AD.
Are these domains in the same forest or different forests? You can tie domains together by establishing trusts, but trusts are not for replicating AD info.
Do you only have 1 domain controller for each domain right now?
Thanks
Mike

Author Comment

by:marc_butler
ID: 24335616
Hi Mike,

In the Main Office I have one DC with one domain, but it has three servers as listed below:

ComputerName      Type
EXCHANGE          Domain Controller
GFI-SERVER        DC Member Server
KINDERTON-TS01    DC Member Server

Winsford doesn't need a domain so I can remove kindertons-winsford.local.

Marc
LVL 27

Expert Comment

by:bluntTony
ID: 24335721
Mike is correct - From what you have said, you don't need another domain - you want another DC in the same domain, but on a different site (the DR site). This DC can sit there replicating to the schedule you define and is there as a backup.

I have an identical setup where I've installed a domain controller in a remote site, set the replication schedule to once every couple of hours. It just sits there. It's not being used, other than being a backup DC to build from should a comet hit our main office and we need to rebuild at the DR site.

In fact having another domain just for this purpose is just complicating matters.

LVL 57

Expert Comment

by:Mike Kline
ID: 24335725
Ok,  so you definitely need a second DC (any domain should always have at least 2 DCs in case of disaster of the first DC)
On a side note generally it is not a good idea to have exchange and a DC on the same box but for now you need to get a second DC.
Any member server can be another DC.  Not sure what each of those member servers do but you can promote one of them or build a new box as your additional DC.
That new DC should also be a global catalog server.  If anyone tells you that is not a good idea see the first bullet point in the blog below
http://adisfun.blogspot.com/2009/04/lessons-learned-from-eric-fleischman.html
Thanks
Mike

Author Comment

by:marc_butler
ID: 24335844
OK Gents,

I will remove the kindertons-winsford.local domain on Monday. And setup the DC again. Are you OK if I leave the question open?

Marc
LVL 27

Expert Comment

by:bluntTony
ID: 24335983
No problems. Let us know how you get on on Monday.

If you need help configuring AD Sites and Services for the new DC/Site, let us know...
LVL 57

Expert Comment

by:Mike Kline
ID: 24336131
Yeah that is fine, for now get the DC up make sure everything is working there.  Then move on to the other domain.
Talk to you on Monday
Thanks
Mike

Author Comment

by:marc_butler
ID: 24352861
Good Morning Tony/Mike,

I'm having problems demoting the Winsford DC. Attached is the error. I know I need to run NTDSUtil to move the FSMO role, but I don't know what I'm doing.

Can you help please.

Marc
Demote-error.JPG
LVL 57

Expert Comment

by:Mike Kline
ID: 24355982
From http://support.microsoft.com/?kbid=249256#6#6

To troubleshoot this error: Use the Nltest /dsgetdc: /pdc /force /avoidself command to determine if the correct PDC is returned. If there is a connection object and not a replication link reported by the REPLMON or REPADMIN commands, the problem might be related to the KCC. Run the following commands on the PDC, and then submit the output to Microsoft PSS for more troubleshooting:

nltest /DBFLAG:0x2000FFFF

-and-

nltest /DSGETDC: /GC

Run the nltest /dsgetdc: /gc /force command to determine if you can contact a global catalog server (GC). Check the "password last changed" parameter on both the PDC and the server(s) with which you experience the problem.

Is this the last DC in exchange.kindertons.local that you are trying to demote?
Thanks
Mike
 
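The two nltest locator calls Mike quotes from the KB article are easier to act on when something turns them into a pass/fail per role. The following is an added example, not code from the thread or from KB 249256: it wraps nltest /dsgetdc and reads back the DC that answered and the flags it advertises. It assumes nltest.exe (Windows Support Tools) is on the PATH, PowerShell 2.0 or later, and that you substitute your own domain for the one at the bottom.

```powershell
# Added example (not from the thread): pass/fail wrapper around "nltest /dsgetdc".
# Assumes nltest.exe from the Windows Support Tools is on the PATH.

function Get-DcLocatorResult {
    param(
        [string]$Domain,
        [string[]]$Flags = @()          # e.g. '/pdc', '/gc', '/force', '/avoidself'
    )
    $argList = @("/dsgetdc:$Domain") + $Flags
    $out = & nltest.exe $argList 2>&1 | Out-String
    $r = @{ Domain = $Domain; Succeeded = $false; DC = $null; Flags = @(); Raw = $out }
    # On success nltest prints "DC: \\name" and a "Flags: PDC GC DS LDAP ..." line;
    # on failure it prints "Getting DC name failed: Status = 1355 ... ERROR_NO_SUCH_DOMAIN".
    if ($out -match '(?m)^\s*DC:\s*\\\\(\S+)')  { $r.DC    = $matches[1] }
    if ($out -match '(?m)^\s*Flags:\s*(.+)$')    { $r.Flags = @($matches[1].Trim() -split '\s+') }
    $r.Succeeded = [bool]($out -match 'The command completed successfully')
    New-Object PSObject -Property $r
}

function Test-DcLocator {
    param([string]$Domain)
    # Each check names the locator flags to request and the flag that must come back
    # in the answer; /force bypasses the locator cache, /avoidself matters when you run
    # this on a DC and want to see whether *another* DC answers.
    $checks = @(
        @{ Name = 'PDC emulator';   Flags = @('/pdc', '/force', '/avoidself'); Need = 'PDC' },
        @{ Name = 'Global catalog'; Flags = @('/gc',  '/force');               Need = 'GC'  },
        @{ Name = 'Writable DC';    Flags = @('/writable', '/force');          Need = 'WRITABLE' }
    )
    foreach ($c in $checks) {
        $res = Get-DcLocatorResult -Domain $Domain -Flags $c.Flags
        $ok  = $res.Succeeded -and ($res.Flags -contains $c.Need)
        $status = if ($ok) { 'OK  ' } else { 'FAIL' }
        '{0} {1,-16} DC={2} Flags={3}' -f $status, $c.Name, $res.DC, ($res.Flags -join ' ')
        if (-not $ok) { $res.Raw }   # show nltest's own text when something is wrong
    }
}

# Domain name taken from the thread; the check is meant to be run on the DC you
# are trying to demote, where a FAIL on the PDC line is exactly what the
# dcpromo error was complaining about.
Test-DcLocator -Domain 'kindertons-winsford.local'
```

A FAIL on the PDC line when the box you are sitting at is the only DC of that domain means /avoidself has nothing else to find, which is the last-DC situation Mike asks about in his next line; in that case the fix is the forced removal route, not more locator troubleshooting.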

Author Comment

by:marc_butler
ID: 24356029
Hi Mike,

Yes this is the last server in the kindertons-winsford.local domain. I need to join it to kindertons.local to setup my site replication.

Marc

Author Comment

by:marc_butler
ID: 24356074
Hi Mike,

If I can Nltest /dsgetdc: /pdc /force /avoidself from a command prompt it says nltest file not found.
LVL 57

Expert Comment

by:Mike Kline
ID: 24356199
Did you install the support tools from the server CD? It is part of that; you can download the support tools here
http://www.petri.co.il/download_windows_2003_support_tools.htm
Thanks
Mike
 

Author Comment

by:marc_butler
ID: 24356284
Hi Mike,

I've installed the support tools from the CD. Still no joy I'm afraid.
Untitled-1.jpg

Author Comment

by:marc_butler
ID: 24358505
Hi Mike,

Got nltest working. Attached is the result.
Untitled-1.jpg

Author Comment

by:marc_butler
ID: 24361861
Hi Mike,

Can you have a look over this question and answers to see if you can think of anything. http://www.experts-exchange.com/Networking/Windows_Networking/NT/Q_24398346.html

Marc
LVL 27

Expert Comment

by:bluntTony
ID: 24362374
Maybe Mike has a better way round this, but as you've had a failed demotion, one option would be to go down the forced removal/metadata cleanup route (as mentioned in the post you linked).

1. Run dcpromo /forceremoval on the DC. This will blow AD from the system regardless of errors.
2. Seize any remaining FSMOs that the server held (schema or domain naming masters - the others are domain wide) - http://www.petri.co.il/seizing_fsmo_roles.htm. If your main domain already held these then you don't need to worry about this.
3. This will leave your remaining AD in a non-normal state. You'll need to perform a metadata cleanup of the old DC on one of your remaining DCs: http://www.petri.co.il/delete_failed_dcs_from_ad.htm
4. Then you need to remove the domain information left, to remove the actual domain: http://windowsitpro.com/article/articleid/13415/how-do-i-remove-a-nonexistent-domain-from-active-directory.html

After this, you should have successfully removed the domain.

It is like a sledgehammer to crack a nut, but could be the quickest way to achieve what you want.
 

Author Comment

by:marc_butler
ID: 24362445
Hi Tony,

I have performed the above before, but it left some indexes/references to the old domain in terminal services on my main DC (exchange.kindertons.local).

I know this sounds stupid, but how do I know where the (kindertons-winsford.local) FSMO is held? Plus I don't really feel comfortable playing around in the metadata due to the existing domain being live with our business network.

Marc

Author Comment

by:marc_butler
ID: 24362460
Hi Tony,

I have run dcpromo /forceremoval and it says that the DC is running the RID master role. Should I seize this first?

Marc
LVL 27

Expert Comment

by:bluntTony
ID: 24362505
The RID master role is a domain wide FSMO, i.e. your existing domain also has a RID master. So this wouldn't affect your production domain. You don't need to seize it.

The two forest wide roles are Schema (find this by looking in the Schema management mmc snap in) and domain naming master (right click the top node in AD Domains and trusts, operations master).

These are the two you should be concerned with. Unless you actually moved these roles they will still sit in your production domain anyway (providing this was the first domain set up)

Author Comment

by:marc_butler
ID: 24362573
Hi Tony,

I don't seem to have a schema management snap-in, but here is the operations master info from the DC I want to demote.

Can I run a command from the prompt to launch the schema snap-in?

Marc
Operations-Manager.jpg

Author Comment

by:marc_butler
ID: 24362610
Hi Tony,

Here is the Schema from the DC.
Schema-Manager.jpg
LVL 27

Expert Comment

by:bluntTony
ID: 24362926
exchange.kindertons.local is a DC in your current production domain right? That's good - you don't need to transfer or seize the roles.

Running a forced removal will remove AD from the DC in your test domain, regardless of whether it's able to communicate with DCs in the other domain. Now, if it isn't (which it looks like this is the case), then your production domain will 'think' this DC/Domain still exists. That's why you will have to perform a metadata cleanup.

FYI - to enable the schema snap-in, you need to register a DLL - from a cmd prompt, type 'regsvr32 schmmgmt.dll' - sorry - forgot about that :0)

Author Comment

by:marc_butler
ID: 24363033
Hi Tony,

I will give it a go. But could you help me with the metadata cleanup after?

Marc
LVL 27

Expert Comment

by:bluntTony
ID: 24363234
No problems.

One thing - just read your other post fully. Am I right in assuming that the two domains are separate trees in the same forest?

Author Comment

by:marc_butler
ID: 24363301
Yes Tony,

the kindertons-winsford.local is a tree off of kindertons.local.

Marc

Author Comment

by:marc_butler
ID: 24364020
Hi Tony,

I have demoted the DC now, next I need to clean the metadata. So is this the command line I should be using from my main DC (exchange.kindertons.local)? This DC is running Windows 2003 Ent Server R2 SP1.

Command Prompt:          ntdsutil
ntdsutil Prompt:         metadata cleanup
metadata cleanup Prompt: remove selected server cn=kinderton-s01,cn=Servers,cn=WINSFORD,cn=Sites,cn=Configuration,dc=kindertons,dc=local

Marc
LVL 27

Expert Comment

by:bluntTony
ID: 24364036
That's fine. The basic steps for a metadata cleanup of the DC are:

Follow all of the steps in point 3 above (the metadata cleanup one) to remove the DC. Carry this task out on a DC in the production domain. During the process, you connect to an operational server in your main domain (you will be editing the AD database held by this DC - it can be the same one you're sitting at), then follow the steps to select the server you wish to remove. You need to give the domain, site and then the server. Be sure to use the list commands to make sure you've selected the correct objects.

This will remove any trace of this DC in the copy of AD held by the server you connected to. This deletion will then replicate around to the other DCs.

After this is done, there will be remaining metadata relating to the kindertons-winsford.local domain itself, rather than the DC. You will need to remove this also. The steps are similar and are detailed in the next link I posted.

LVL 27

Expert Comment

by:bluntTony
ID: 24364135
I think our messages just crossed.

Not quite. You need to 'target' the server for removal by narrowing down where it is by selecting the domain and site it resides in. From the command prompt on a DC...

ntdsutil
metadata cleanup
connections
connect to server exchange.kindertons.local   -- (this is the server you'll be making changes on, not removing)
quit
select operation target
list domains                                  -- you'll get a numbered list of domains
select domain <number>
list sites                                    -- you'll get a numbered list of sites
select site <number>
list servers in site                          -- you'll get a list of servers in the domain/site you targeted
select server <number>
quit
remove selected server

You'll then get a warning window pop up to ask you to confirm the deletion. I'm sure I don't need to remind you that this change is permanent, so make sure you've selected correctly!!
 
LVL 27

Expert Comment

by:bluntTony
ID: 24364234
Forgot, after that, you'll need to type quit twice to exit.

Also follow the remaining steps in the article I posted to check that objects in AD Sites and Services / AD Users and Computers have been removed. If not, you'll need to remove them.
 
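After Tony's forced-removal list (steps 1-4) and the ntdsutil walkthrough above, what a practitioner wants next is a way to see what is still left behind before touching the production domain any further. The following is an added example, not code from the thread or from the linked articles: it queries the configuration partition and the domain's System container directly through System.DirectoryServices, which is present on Windows Server 2003 without any extra module. It assumes it is run on a DC in kindertons.local as a domain admin, and the old DC name, old domain DN and NetBIOS name (kinderton-s01, kindertons-winsford.local, WINSFORD) are taken from the thread and are the values you would edit.

```powershell
# Added example (not from the thread): list leftovers of a removed domain controller
# and of the domain/tree it belonged to. Read-only; it deletes nothing.
# Assumes: run on a DC of the surviving forest root domain as a domain admin.

$OldDcName   = 'kinderton-s01'                       # name of the DC that was force-removed
$OldDomainNc = 'DC=kindertons-winsford,DC=local'     # naming context of the removed tree
$OldNetbios  = 'WINSFORD'                            # its NetBIOS name, as seen in the logon box
$OldDnsName  = 'kindertons-winsford.local'

# The configuration partition is forest-wide and rooted at the forest root domain,
# which is why "dc=kindertons-winsford.local" is the wrong suffix for these objects.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$domainNc = [string]$rootDse.defaultNamingContext

function Find-AdObjects {
    param([string]$SearchBase, [string]$Filter)
    # Returns the distinguished names of every object under $SearchBase matching $Filter.
    $ds = New-Object System.DirectoryServices.DirectorySearcher
    $ds.SearchRoot = [ADSI]"LDAP://$SearchBase"
    $ds.Filter     = $Filter
    $ds.PageSize   = 500
    [void]$ds.PropertiesToLoad.Add('distinguishedName')
    foreach ($hit in $ds.FindAll()) { $hit.Properties['distinguishedname'][0] }
}

$leftovers = @{}

# 1. Server / NTDS Settings objects for the demoted DC: this is what "remove selected
#    server" deletes. Anything here means the ntdsutil step did not complete.
$leftovers['Server objects under CN=Sites'] =
    Find-AdObjects "CN=Sites,$configNc" "(&(objectClass=server)(cn=$OldDcName))"

# 2. The cross-ref in CN=Partitions that still advertises the old naming context.
#    This is the "remove the actual domain" part of Tony's step 4.
$leftovers['Cross-ref for old domain'] =
    Find-AdObjects "CN=Partitions,$configNc" "(&(objectClass=crossRef)(nCName=$OldDomainNc))"

# 3. Trust objects in the production domain that still point at the old tree. These
#    are what keeps the old domain in the logon drop-down and in Terminal Services Manager.
$leftovers['Trust objects in CN=System'] =
    Find-AdObjects "CN=System,$domainNc" "(&(objectClass=trustedDomain)(|(flatName=$OldNetbios)(trustPartner=$OldDnsName)))"

foreach ($k in $leftovers.Keys) {
    $found = @($leftovers[$k])
    if ($found.Count -eq 0) { "[OK]   $k : none" }
    else {
        "[LEFT] $k :"
        $found | ForEach-Object { "         $_" }
    }
}
```

If the trust check reports an object, remove the trust from AD Domains and Trusts on the kindertons.local side (the other side no longer exists, so only one end needs removing); the command-line equivalent from the Support Tools is netdom trust kindertons.local /d:kindertons-winsford.local /remove /force. If the cross-ref is still there, that is the step in the windowsitpro article Tony linked, not something to delete with a generic LDAP editor until you have confirmed the naming context has no DCs left.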

Author Comment

by:marc_butler
ID: 24364331
Hi Tony,

This is the error I got first time around, before I removed it all manually. I must be doing something wrong.

Please see JPG.
metadata-cleanup.jpg
LVL 27

Expert Comment

by:bluntTony
ID: 24364451
You need to follow the steps I have posted above.

Author Comment

by:marc_butler
ID: 24364865
Hi Tony,

OK, I've done that and all has gone OK. But I'm still left with a WINSFORD domain in the terminal services manager. This is not a biggie, but if you happen to click on it by accident the server reboots.

As you can imagine could cause some problems.

Marc

Author Comment

by:marc_butler
ID: 24364930
Hi Tony,

Also, if I log my PC off and try to log in again, the WINSFORD domain is in the domain drop-down list, along with KINDERTONS.

Marc

Author Comment

by:marc_butler
ID: 24365282
Hi Tony,

I've sorted it, I needed to remove the trust from kindertons.local.

I'm now setting the old DC up again, so we can try what this post was originally about.

http://www.experts-exchange.com/Networking/Windows_Networking/NT/Q_24392009.html#a24335413

Marc

Author Comment

by:marc_butler
ID: 24366147
Hi Tony,

The DC is all ready to go with dcpromo. Let me get this correct.

I want to create a mirror of exchange.kindertons.co.uk. The new DC Full Computer Name is exchange-02.

I run dcpromo and select DC for new Domain or additional DC for existing Domain?

Marc
LVL 27

Expert Comment

by:bluntTony
ID: 24366258
Sorry Marc - been in a meeting - damn work :0)

You need to run dcpromo on the new machine - additional domain controller in an existing domain - your production domain. Ensure DNS is pointing to one of the existing DCs.
LVL 57

Expert Comment

by:Mike Kline
ID: 24366261
additional DC for existing domain. You don't want to create a new domain.
Good work on this question Tony!!
 
Thanks
Mike
 
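Both experts give the same answer: additional domain controller in an existing domain, with DNS on the new box pointed at an existing DC. The following is an added example, not code from the thread: it does that promotion with a dcpromo answer file instead of clicking through the wizard, after first proving that the new server can actually find a DC for kindertons.local. It assumes Windows Server 2003 dcpromo, nltest.exe from the Support Tools on the PATH, that the WINSFORD site already exists in AD Sites and Services (the thread's DN shows it does), and that the two password placeholders are replaced before running. Server and domain names follow the thread.

```powershell
# Added example (not from the thread): unattended "additional DC in an existing
# domain" promotion. Run elevated on the new server (exchange-02).

$DomainName = 'kindertons.local'
$SourceDc   = 'exchange.kindertons.local'   # existing DC to replicate the initial copy from
$SiteName   = 'WINSFORD'                    # must already exist in AD Sites and Services
$AnswerFile = 'C:\dcpromo-replica.txt'

# 1. Preflight: which DNS servers is this box using, and can the DC locator find the domain?
#    Tony's "ensure DNS is pointing to one of the existing DCs" is exactly what fails here
#    if the new server still points at an ISP resolver.
$dnsServers = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
              ForEach-Object { $_.DNSServerSearchOrder }
"DNS servers in use: $($dnsServers -join ', ')"
$locator = & nltest.exe "/dsgetdc:$DomainName" /force 2>&1 | Out-String
if ($locator -notmatch 'The command completed successfully') {
    throw "Cannot locate a DC for $DomainName from this server. Fix DNS first.`n$locator"
}

# 2. Write the answer file. ReplicaOrNewDomain=Replica is the "additional domain
#    controller for an existing domain" choice; SafeModeAdminPassword is the Directory
#    Services Restore Mode password, which you need for any offline repair, so record it.
@"
[DCINSTALL]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=$DomainName
ReplicationSourceDC=$SourceDc
SiteName=$SiteName
UserName=administrator
UserDomain=$DomainName
Password=<domain admin password>
SafeModeAdminPassword=<DSRM password>
DatabasePath=$env:SystemRoot\NTDS
LogPath=$env:SystemRoot\NTDS
SYSVOLPath=$env:SystemRoot\SYSVOL
RebootOnSuccess=Yes
"@ | Set-Content -Path $AnswerFile -Encoding ASCII

# 3. Promote. The file holds a domain admin password in clear text: dcpromo blanks the
#    password fields once it has read them, but delete the file yourself afterwards.
& dcpromo.exe "/answer:$AnswerFile"
```

Mike's later point about making the new DC a global catalog is a separate tick box (NTDS Settings, Global Catalog) in AD Sites and Services once the promotion and first full replication have finished; with a single-domain forest there is no reason not to set it.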

Author Comment

by:marc_butler
ID: 24366332
Hi Tony/Mike,

Now this is going to sound stupid. But if exchange.kindertons.co.uk goes bang, and the new DC is set to get its AD info from it, what happens?

Next step is to setup some form of file replication if that is possible though site to site rep?

Marc
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 24366354
Once the new DC is promoted then exchange and exchange02 will both hold full writable copies of AD.
So if it goes bang now you have a backup :)
Now if it goes bang in the middle of the dcpromo...well lets hope that doesn't happen.
Thanks
Mike

Author Comment

by:marc_butler
ID: 24366367
Also I need the new DC to have services like DNS, DHCP, Terminal Services, File Server and be an Application Server.

Is there anyway of getting all the settings from exchange.kindertons.local?

Marc
LVL 27

Assisted Solution

by:bluntTony
bluntTony earned 250 total points
ID: 24366572
Basically the two DCs hold exact replicas of each other. The information in the DB will replicate according to the schedule you set in AD Sites and Services. It's called multimaster replication: they're both 'masters' rather than a primary and a secondary. You make a change on either DC, and that change will replicate to the other.

If one goes bang, from an AD point of view you're OK as the other one holds a complete backup.

For your purposes of having a DR site set up, this setup is good. However, from a continuation point of view (i.e. your main DC goes bang and users still need to log in) it's not so great, as all authentication traffic etc. would have to go over the WAN link to talk to the other DC.

So then you're thinking about maybe making one of the member servers in the main site also a domain controller for this eventuality. That way users wouldn't notice that one server had gone down and your WAN remains untouched.

With regard to your last post, DNS is (or should be) replicated as part of the AD database, so you're good there. Check in the properties of your DNS zone that it's Active Directory Integrated.

DHCP would be a separate setup to the existing DC, as the DR site is a separate site/subnet to the main site. Probably best to just configure it from scratch on the new server. It's then ready and waiting for requests should you start adding machines down there.

With regard to Files/Application/Terminal Services - the DR strategy you take could be one of many different approaches. Taking images of application servers with hardware-independent imaging software could be the way for you. When your office gets hit by a comet, you can restore the server to a different box in the DR site. However this is a very big subject and one I'm actually trying to get my head around at the moment where I am.

Hope this helps a little bit at least :0)
 
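Tony's answer rests on two things that are worth verifying rather than assuming once exchange-02 is up: that inbound replication on each DC is actually succeeding across the WAN link, and that the DNS zones are Active Directory-integrated so they come along with the directory instead of living in a zone file on EXCHANGE alone. The following is an added example, not code from the thread: it parses repadmin /showrepl on each DC and reads zone storage through the MicrosoftDNS WMI provider. It assumes repadmin.exe (Windows Support Tools) on the PATH, the DNS Server role on both boxes, rights to query WMI on them, and PowerShell 2.0 or later; the server names follow the thread.

```powershell
# Added example (not from the thread): replication and DNS-storage check for the
# two DCs. Read-only.

$Dcs = @('exchange.kindertons.local', 'exchange-02.kindertons.local')

function Get-ReplicationStatus {
    param([string]$Dc)
    # repadmin /showrepl prints, per inbound link: the partition DN at column 0, then
    # "    <site>\<partner> via RPC", then "Last attempt @ <time> was successful." or
    # "Last attempt @ <time> failed, result <n> (0x..):". Reduce that to one row per link.
    $text = & repadmin.exe /showrepl $Dc 2>&1 | Out-String
    $partition = $null; $partner = $null; $rows = @()
    foreach ($line in ($text -split "`r?`n")) {
        if ($line -match '^(DC=|CN=)')                  { $partition = $line.Trim(); continue }
        if ($line -match '^\s+(\S+\\\S+) via (\S+)')     { $partner = $matches[1]; continue }
        if ($line -match 'Last attempt @ (.+?) (was successful|failed, result (\d+))') {
            $errCode = $matches[3]
            $rows += New-Object PSObject -Property @{
                Dc = $Dc; Partition = $partition; Partner = $partner; When = $matches[1]
                Ok = ($matches[2] -eq 'was successful')
                Error = $(if ($errCode) { [int]$errCode } else { 0 })
            }
        }
    }
    $rows
}

function Get-DnsZoneStorage {
    param([string]$Server)
    # MicrosoftDNS_Zone.DsIntegrated is the "Active Directory Integrated" tick box from
    # the zone properties dialog. The server's cache pseudo-zone is skipped by name.
    Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
        Where-Object { $_.Name -notlike '..*' } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Server = $Server; Zone = $_.Name
                DsIntegrated = [bool]$_.DsIntegrated; ZoneType = $_.ZoneType
            }
        }
}

foreach ($dc in $Dcs) {
    "== Inbound replication on $dc =="
    $links = @(Get-ReplicationStatus -Dc $dc)
    if ($links.Count -eq 0) { "  no inbound links reported (repadmin failed or DC unreachable)" }
    foreach ($l in $links) {
        $flag = if ($l.Ok) { 'OK  ' } else { "FAIL($($l.Error))" }
        '  {0} {1,-42} from {2} at {3}' -f $flag, $l.Partition, $l.Partner, $l.When
    }
    "== DNS zones on $dc =="
    foreach ($z in Get-DnsZoneStorage -Server $dc) {
        $flag = if ($z.DsIntegrated) { 'AD-integrated' } else { 'FILE-BACKED  <- change in zone properties' }
        '  {0,-35} {1}' -f $z.Zone, $flag
    }
}
```

Expect the Configuration and Schema partitions as well as DC=kindertons,DC=local on each DC, plus DomainDnsZones/ForestDnsZones if the zones are stored in application partitions; a link that shows FAIL(1722) or FAIL(8524) is the WAN or DNS problem Tony warns about, and a zone listed as FILE-BACKED will not exist at Winsford after a fire no matter how healthy replication is. Secondary and stub zones also show as FILE-BACKED, which is correct for them.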

Author Comment

by:marc_butler
ID: 24382875
Thank you Tony and Mike for all your assistance.

I seem to have it up and running now.

Marc

Author Closing Comment

by:marc_butler
ID: 31579384
Thank you guys
