Solved

Verify Replication After Forestprep and Domain Prep

Posted on 2010-11-24
Last Modified: 2012-05-10
I'm asking the same question as previously asked in the link below but I'm upgrading from Windows 2003 to a 2008 domain. Could you please detail the steps to verify replication from a Windows 2003 domain to a Windows 2008 domain.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21636190.html

One other question: I noticed that my Windows2003 domain is actually in Windows2000 native mode. I'm aware that I can't be in Windows2000 mixed mode and upgrade my domain to 2008. Can I jump from Windows2000 native to a 2008 domain upgrade or do I need to raise the domain functional level to Windows2003 and let that replicate through our entire domain?

Thank you

Question by:richeyd
 
LVL 21

Expert Comment

by:snusgubben
To verify replication between all DCs: "repadmin /replsum"

DFL 2000 native supports 2008 DCs. More about the levels here: http://www.petri.co.il/understanding-windows-server-2008-active-directory-domain-and-forest-functional-levels.htm
0
 

Author Comment

by:richeyd
Snusgubben,
Thank you!

How exactly will the repadmin command above show me that the forestprep configurations have completely and successfully replicated across our domain?

All of our domain controllers have been Windows 2003 DC servers. We just raised our domain functionality today from Win2000 to Win2003. I would have thought that our forest functionality would also have raised but it stayed at Win2000. See below. This concerns me. Do you have an explanation for this? I would assume that we will need our forest functionality raised to Win2003 before our forestprep and domainprep upgrade.

1> domainFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );  

many thanks in advance
0
 
LVL 21

Expert Comment

by:snusgubben
The "Domain Functional Level" and "Forest Functional Level" are two different tasks that have to be done to raise them.

You raise the DFL on all domains in the forest to i.e. 2003. When that is done you can raise the FFL to 2003. You have to raise the FFL from the "Active Directory Domains and Trusts" mmc.

The "repadmin /replsum" command reports back the replication status in your forest (all DCs). When you raise i.e. the level to 2003 you can see in the output:

Fails: Should always be 0

Delta (time elapsed since last replication): Should be less than or equal to the replication frequency on the site links, default 180 minutes (if you have multiple sites).
0
 

Author Comment

by:richeyd
Okay, that's helpful.

So it was correct to raise the DFL first before the FFL?
I believe I should raise the FFL on the DC that is the PDC role owner?

I will test using the repadmin /replsum command.

Thanks!
0
 
LVL 21

Expert Comment

by:snusgubben
You are correct. The FFL level cannot be raised before the DFL is raised.

(In 2008, raising the FFL will automatically raise the 2003 DFL to 2008 DFL).
0
 

Author Comment

by:richeyd
Snusgubben,
1. Could you please help me to understand this repadmin output between our San Francisco and Boston DC's using the command repadmin /replsum * /bysrc /bydest /sort:delta - See below

2. When running the above repadmin command am I essentially forcing replication and monitoring the progress? Does this table show the replication results between sf-dc2 and sf-dc1? and then the replication results between bos-dc1 and bos-dc2? How exactly should I be reading the results/graph below? How will this command help me monitor replication progress after doing my forestprep before initiating domainprep?

3. Once we run ADPREP /forestprep, will our forest functionality automatically change to WIN2003? Or should we do this now manually before running ADPREP /forest prep? Again, all of our domain controllers are windows 2003 and we have no win2000 dc's in our domain/forest.

Thanks!

C:\>repadmin /replsum * /bysrc /bydest /sort:delta
Replication Summary Start Time: 2010-11-28 14:34:02

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %     %  error
 SF-DC2                    47m:44s    0 /  10    0
 BOS-DC1                   43m:42s    0 /   5    0
 BOS-DC2                   39m:15s    0 /  10    0
 SF-DC1                    39m:14s    0 /   5    0


Destination DC      largest delta  fails/total  %     %  error
 SF-DC1                    47m:45s    0 /   5    0
 BOS-DC2                   43m:42s    0 /  10    0
 SF-DC2                    39m:17s    0 /  10    0
 BOS-DC1                   35m:09s    0 /   5    0
0
 

Author Comment

by:richeyd
To be more clear: 3. Once we run ADPREP /forestprep 2008, will our forest functionality automatically change to WIN2003? Or should we raise the FFL manually before running ADPREP /forest prep 2008? Again, all of our domain controllers are windows 2003 and we have no win2000 dc's in our domain/forest.

I realize we may not need to raise the FFL to run adprep /forest prep 2008 but I think that would be a best practice considering all of our DC's are Win2003.

Thanks

0
 
LVL 21

Expert Comment

by:snusgubben
1. Don't know how many details you want?!

....... (7 dots). 3 dots are always "wait, I'm processing dots" so it finds 4 DC's in your forest. (7 - 3 = 4)

Largest delta = longest replication gap amongst all replication links for a particular DC

Fails/total:

as long as you have 0 fails, you are in good health.
"Total" indicates replica links for a particular DC (one for each NC on each domain controller).
If you wanna dive deeper to see each NC replication status, "repadmin /showrepl". If you have "fails" you would use this command to investigate further.

Normally you would focus on "/bydest" since replication is based on pull.

2.

It's not forcing a replication. It is just a view of the status.

08:00: Let's say you run adprep at this time
08:05: it completes
08:06: you run repadmin /replsum. Take a note of the delta time.

Wait for i.e. 15 minutes. Run repadmin again. If the delta time has decreased on all DCs, you would know that the changes have been replicated.

Largest delta should never be larger than 1h:30m

3. Adprep will not change the FFL. It will just prepare the forest so that it can be raised.


0
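The health rules from the answer above (0 fails, largest delta under 1h:30m, read the /bydest view), applied to the text output of repadmin /replsum. This is an added example, not part of the original thread; it assumes PowerShell 3.0 or later, the delta formats listed in the comment, and one constructed row (LAB-DC9) that is not from the poster's environment.

```powershell
# Added example: flag unhealthy rows in "repadmin /replsum" text output.
function Get-ReplSummary {
    param(
        [string[]]$Lines,
        [int]$MaxDeltaMinutes = 90   # "never larger than 1h:30m" per the answer
    )
    # Row layout: <DC> <largest delta> <fails> / <total> ...
    # Delta forms assumed: 47m:44s, 02h:10m:05s, 1d.02h:10m:05s
    $row = '^\s*(\S+)\s+(?:(\d+)d\.)?(?:(\d+)h:)?(\d+)m:(\d+)s\s+(\d+)\s*/\s*(\d+)'
    $view = $null
    foreach ($line in $Lines) {
        if     ($line -match '^\s*Source\s')      { $view = 'Source' }
        elseif ($line -match '^\s*Destination\s') { $view = 'Destination' }
        elseif ($view -and $line -match $row) {
            # Groups that did not match are absent from $Matches and cast to 0.
            $minutes = ([int]$Matches[2] * 1440) + ([int]$Matches[3] * 60) +
                       [int]$Matches[4] + ([int]$Matches[5] / 60)
            $fails = [int]$Matches[6]
            [pscustomobject]@{
                View         = $view
                DC           = $Matches[1]
                DeltaMinutes = [math]::Round($minutes, 1)
                Fails        = $fails
                Links        = [int]$Matches[7]
                Healthy      = ($fails -eq 0) -and ($minutes -le $MaxDeltaMinutes)
            }
        }
    }
}

# Destination rows from the question, plus one constructed unhealthy row (LAB-DC9).
$sample = @'
Destination DC      largest delta  fails/total  %     %  error
 SF-DC1                    47m:45s    0 /   5    0
 BOS-DC2                   43m:42s    0 /  10    0
 SF-DC2                    39m:17s    0 /  10    0
 BOS-DC1                   35m:09s    0 /   5    0
 LAB-DC9               02h:10m:05s    1 /   5   20
'@ -split '\r?\n'

Get-ReplSummary -Lines $sample | Format-Table -AutoSize

# Live use on a machine with repadmin installed:
# Get-ReplSummary -Lines (repadmin /replsum * /bysrc /bydest /sort:delta) |
#     Where-Object { $_.View -eq 'Destination' -and -not $_.Healthy }
```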
 

Author Comment

by:richeyd
When we upgrade our domain Wednesday morning, is it not possible to just look at certain features that the forestprep process will install on each particular DC to verify replication? If the delta's return to their same value as they were before the upgrade, does that verify that replication completed and was successful? Seems like there should be an easier and more clear way to do this.

I'm assuming the ldp.exe tool would not be helpful in this instance.

Thanks for your help.
0
 
LVL 21

Expert Comment

by:snusgubben
"Largest Delta" can't return the same value. It's a counter that goes tick, tack and resets to 0m:0s if all NC's replicate at the same time.

Since your replication is running smoothly you will not have any problems with this task.

I would:

1. take a SS of cmd showing the largest delta
2. prep the forest and wait 15 minutes.
3. re-run repadmin /replsum. If largest delta has decreased -> job done (prepping the forest)
4. If largest delta has increased, wait some more.

You can go into regedit and see the forest level, or use tools like LDP, but then you'll need to know every change adprep does.
0
 
LVL 21

Expert Comment

by:snusgubben
forestprep extends the schema, so you run the extension on the Schema master.

If you want to see more detailed when the schema naming context was updated on a DC:

From the schema master DC:

repadmin /showrepl <source DC X>

Look at inbound neighbors: CN=schema... -> Last attempt
0
 

Author Comment

by:richeyd
Just to be on the safe side, I think I will upgrade the forest on Wednesday and then wait two days and upgrade the domain on Friday to make sure replication has finished. Is it at all a problem to wait a few days between forest prep and domain prep? Thanks
0
 

Author Comment

by:richeyd
I have no windows2000 dc's in our forest or domain. Do I need to run adprep / domainprep /gpprep?
0
 
LVL 21

Expert Comment

by:snusgubben
Is it at all a problem to wait a few days between forest prep and domain prep?
Not at all

Do I need to run adprep / domainprep /gpprep?
Yes
0
 

Author Comment

by:richeyd
Interesting. So I run gpprep after domainprep, correct? I'm assuming I should wait for the domainprep process to replicate as well. Is this a command that replicates domain policies? I thought it was just for windows2000 DC's. Thanks
0
 
LVL 21

Expert Comment

by:snusgubben
My fault. /gpprep is only for when you're upgrading Win 2000 domains, which is not your case.

"adprep /rodcprep" is optional, but you need to run it before introducing RODC.

0
 

Author Comment

by:richeyd
In what circumstance would you want a read only dc? If you have a dc that you want to read/replicate or otherwise be functional but don't want the ability to create or edit any objects?
0
 

Author Comment

by:richeyd
Are you sure about gpprep? I noticed this statement in the technet link below. Could you please verify.
Thank you

"If the updated adprep /domainprep command has already been run, the adprep /domainprep /gpprep command adds only the inheritable access control entries (ACEs) on GPOs in the SYSVOL shared resource."

http://technet.microsoft.com/en-us/library/cc783495(WS.10).aspx
0
 

Author Comment

by:richeyd
Also, I'm doing this for an Exchange 2010 installation. Is there any advantage for me to migrate my 4 domain controllers to 08R2 and then raise the domain level? That would be some extra work that I would want to avoid if possible but there may be advantages to doing so.

Thanks
0
 
LVL 21

Expert Comment

by:snusgubben
In what circumstance would you want a read only dc?

i.e. you got a site without IT personnel or you can't store the DC in a secure room.

If you ran GPPREP when you added 2003 DC's, you don't need to run it. It wouldn't hurt to run it once more (as you can run the gpprep as many times as you want)

2008R2 has its own adprep (three schema extensions from 2008 RTM). If you have the choice I would without doubt go directly to R2.
 
0
 

Author Comment

by:richeyd
I want to run domainprep tomorrow. Can I run domainprep /gpprep immediately following the regular domainprep or is it best to wait for replication to finish the domainprep settings?

With regard to Win08 r2. I would need to DCpromo all of my domain controllers and transfer services to them. You recommend that because of what?

Thanks!
0
 
LVL 21

Expert Comment

by:snusgubben
I did this task on a 2003 forest with two 2003 domains yesterday. Here's what I did.

Verified replication: repadmin /replsum -> Ok

Ran adprep 32-bit on the schema master:

adprep32 /forestprep

Checked the forest level on all DC's:

adsiedit > Schema > Properties on "CN=Schema,CN=Configuration,DC=domain,DC=com"
Checked "objectVersion" value. Should be "47" if it has replicated.

The other domain DC's had a value of "30".

Ran "repadmin /syncall /A /P /e" on the PDC of the other domain.

Check the objectVersion. All had "47".

Ran: "adprep32 /domainprep" on the Infrastructure Master.

Waited 5 minutes:

Ran: "adprep32 /domainprep /gpprep"

Waited a couple of minutes.

Ran: "adprep32 /rodcprep"



0
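The objectVersion check from the post above, scripted across every DC in the forest instead of opening ADSI Edit on each one. This is an added example, not part of the original thread; it assumes a domain-joined Windows machine with PowerShell 3.0 or later and network access to each DC, and it uses 47 as the expected value because that is the value the post gives.

```powershell
# Added example: confirm the schema version written by forestprep on every DC.
# 47 is the value the post checks for (Windows Server 2008 R2 schema);
# a Windows Server 2008 forestprep gives 44, and Windows Server 2003 is 30.
$ExpectedVersion = 47

function Get-SchemaVersion {
    param([string]$Server)
    try {
        # Bind to this specific DC so we read its local replica, not any DC.
        $rootDse = [ADSI]"LDAP://$Server/RootDSE"
        $schema  = [ADSI]"LDAP://$Server/$($rootDse.schemaNamingContext)"
        $value   = "$($schema.objectVersion)"
        if ($value) { [int]$value } else { $null }
    } catch {
        $null   # DC unreachable or bind failed
    }
}

# Enumerate every DC in every domain of the current forest.
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$dcs = foreach ($domain in $forest.Domains) {
    foreach ($dc in $domain.DomainControllers) { $dc.Name }
}

$results = foreach ($dc in $dcs) {
    $version = Get-SchemaVersion -Server $dc
    [pscustomobject]@{
        DC            = $dc
        ObjectVersion = $version
        Replicated    = ($version -eq $ExpectedVersion)
    }
}
$results | Sort-Object Replicated, DC | Format-Table -AutoSize

$pending = @($results | Where-Object { -not $_.Replicated })
if ($pending.Count -gt 0) {
    Write-Warning "$($pending.Count) DC(s) do not show objectVersion $ExpectedVersion yet; hold off on domainprep."
} else {
    "All $(@($results).Count) DCs report objectVersion $ExpectedVersion."
}
```

A DC that shows a blank ObjectVersion could not be read at all, which is a different problem from one that still shows the old value.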
 
LVL 21

Accepted Solution

by:
snusgubben earned 500 total points
With regard to Win08 r2.

You can still have 2003 DCs, but you can raise the forest until those are replaced with R2 DCs.
0
