Link to home
Start Free TrialLog in
Avatar of richeyd
richeydFlag for United States of America

asked on

Verify Replication After Forestprep and Domain Prep

I'm asing the same question as previous asked in the link below but I'm upgrading from Windows 2003 to a 2008 domain. Could you please detail the steps to verify replication from a Windows 2003 domain to a Windows 2008 domain.

https://www.experts-exchange.com/questions/21636190/Verify-adprep-forestprep-and-adprep-domainprep-replication.html

One other question: I noticed that my Windows2003 domain is actually in Windows2000 native mode. I'm aware that I can't be in Windows2000 mixt mode and upgrade my domain to 2008. Can I jump from Windows2000 native to a 2008 domain upgrade or do I need to raise the domain functional level to Windows2003 and let that replicate through our entire domain?

Thank you

https://www.experts-exchange.com/questions/21636190/Verify-adprep-forestprep-and-adprep-domainprep-replication.html
Avatar of snusgubben
snusgubben
Flag of Norway image

To verify replication between all DCs: "repadmin /replsum"

DFL 2000 native supports 2008 DCs. More about the levels her: http://www.petri.co.il/understanding-windows-server-2008-active-directory-domain-and-forest-functional-levels.htm
Avatar of richeyd

ASKER

Snusgubben,
Thank you!

How exactly will the repadmin command above show me that the forestprep configurations have completly and successfully replicated across our domain?

All of our domain controllers have been Windows 2003 dc servers, so our We just raised our domain fuctionaliy today from Win2000 to Win2003. I would have thought that our forest fuctionality would also have raised but it stayed at Win200. See below. This concerns me. Do you have an explanation for this? I would assume that we will need our forest functionality raised to Win2003 before our foreestprep and domainprep upgrade.

1> domainFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );  

many thanks in advance
The "Domain Functional Level" and "Forest Functional Level" are two different tasks that have to be done to raise them.

You raise the DFL on all domains in the forest to i.e 2003. When that is done you can raise the FFL to 2003. You
have to raise the FFL from the "Active Directory Domains and Trusts" mmc.

The "repadmin /replsum" command report back the replication status in your forest (all DCs). When you raise i.e. the level to 2003 you can see in the output:

Fails: Should always be 0

Delta (time elapsed since last replication): Should be less or equal the replication frequency on the site links, default 180 minutes (if you have mulitple sites).
Avatar of richeyd

ASKER

Okay, that's helpful.

So it was correct to raise the DFL first before the FFL?
I believe I should raise the FFL on the DC that is the PDC role owner?

I will test using the repadmin /replsum command.

Thanks!
You are correct. The FFL level cannot be raised before the DFL is raised.

(In 2008, raising the FFL will automatically raise the 2003 DFL to 2008 DFL).
Avatar of richeyd

ASKER

Snusgubben,
1. Could you please help me to understand this repadmin output between our San Franisco and Boston DC's using the command repadmin /replsum * /bysrc /bydest /sort:delta - See below

2. When running the above repadmin command am I essentially forcing replication and monitoring the progress?  Does this table show the replication results between sf-dc2 and sf-dc1? and then the replication results between bos-dc1 and bos-dc2? How exactly should I be reading the results/graph below? How will this command help me monitor replication progress after doing my forestprep before initiating domainprep?

3. Once we run ADPREP /forestprep, will our forest functionality automatically change to WIN2003? Or should we do this now manually before running ADPREP /forest prep? Again, all of our domain controllers are windows 2003 and we have no win2000 dc's in our domain/forrest.

Thanks!

C:\>repadmin /replsum * /bysrc /bydest /sort:delta
Replication Summary Start Time: 2010-11-28 14:34:02

Beginning data collection for replication summary, this may take awhile:
  .......


Source DC           largest delta  fails/total  %     %  error
 SF-DC2                    47m:44s    0 /      10             0
 BOS-DC1                   43m:42s    0 /     5              0
 BOS-DC2                   39m:15s    0 /     10            0
 SF-DC1                    39m:14s    0 /       5              0


Destination DC    largest delta    fails/total  %    %  error
 SF-DC1                    47m:45s    0 /   5               0
 BOS-DC2                   43m:42s    0 /  10            0
 SF-DC2                    39m:17s    0 /  10              0
 BOS-DC1                   35m:09s    0 /   5             0
Avatar of richeyd

ASKER

To be more clear: 3. Once we run ADPREP /forestprep 2008, will our forest functionality automatically change to WIN2003? Or should we reise the FFL manually before running ADPREP /forest prep 2008? Again, all of our domain controllers are windows 2003 and we have no win2000 dc's in our domain/forrest.

I realize we may not need to raise the FFL to run adprep /forest prep 2008 but I think that would be a best practive considering all of our DC's are Win2003.

Thanks

1. Don't know how many details you want?!

....... (7 dots). 3 dots are always "wait, I'm processing dots" so it finds 4 DC's in your forest. (7 - 3 = 4)

Largest delta = longest replication gap amongst all replication links for a particular DC

Fails/total:

as long as you have 0 fails, you are in good health.
"Total" indicates replica links for a particular DC (one for each NC on each domain controller).
If you wanna dive deeper to see each NC replication status, "repadmin /showrepl". If you have "fails" you would use this command to investigate further.

Normally you would focus on "/bydest" since replication is based on pull.

2.

It's not forcing a replication. It is just a view of the status.

08:00: Lets say you run adprep at this time
08:05: it completes
08:06: you run repadmin /replsum. Take a note of the delta time.

Wait for i.e. 15 minutes. Run repadmin again. If the delta time has decreased on all DCs, you would know that the changes has been replicated.

Largest delta should never be larger than 1h:30m

3. Adprep will not change the FFL. It will just prepare the forest so that it can be raised.


Avatar of richeyd

ASKER

When we upgrade our domain Wednesday morning, is it not possible to just look at certain features that the forestprep process will install on each particular DC to verify replication? If the delta's returen to their same value as they were before the upgrade, does that verify that replicaiton completed and was successful? Seems like there should be an easier and more clear way to do this.

I'm assuming the ldp.exe tool woul not be helpful in this instance.

Thanks for your help.
"Largest Delta" can't return the same value. It's a counter that goes tick,tack and reset to 0m:0s if all NC's replicate at the same time.

Since your replication is running smoothly you will not have any problems with this task.

I would:

1. take a SS of cmd showing the largest delta
2. prep the forest and wait 15 minutes.
3. re-run repadmin /replsum. If largest delta has decreased -> job done (prepping the forest)
4. If largest delta has increased, wait some more.

You can go into regedit and see the forest level, or use tools like LDP, but then you'll need to know every change adprep does.
forestprep extends the schema, so you run the extension on the Schema master.

If you want to see more detailed when the schema naming context was updated on a DC:

From the schema master DC:

repadmin /showrepl <source DC X>

Look at inbound neighbors: CN=schema... -> Last attempt
Avatar of richeyd

ASKER

Just to be on the safe side, I think I will upgrade the forest on Wednesday and then wait two days and upgrade the domain on Friday to make sure replication has finished.. Is it at all a problem to wait a few days between forest prep and domain prep? Thanks
Avatar of richeyd

ASKER

I have no windows2000 dc's in our forest or domain. Do I need to run adprep / domainprep /gpprep?
Is it at all a problem to wait a few days between forest prep and domain prep?
Not at all

Do I need to run adprep / domainprep /gpprep?
Yes
Avatar of richeyd

ASKER

Interesting. So I run gpprep after domainprep, correct? I'm assuming I should wait for the domainprep process to replicate as well. Is this a command that replicates domain policies? I thought it was just for windows2000 DC's. Thanks
My fault. /gpprep are only when you're upgrading Win 2000 domains which is not in your case.

"adprep /rodcprep" is optional, but you need to run it before introducing RODC.  

Avatar of richeyd

ASKER

In what circumstance would you want an read only dc? If you have a dc that you want to read/repplicate or otherwise be functional but don't want the ability to create or edit and objects?
Avatar of richeyd

ASKER

Are you sure about gpprep? I noticed this statement in the technet link below. Could you please verify.
Thank you

"If the updated adprep /domainprep command has already been run, the adprep /domainprep /gpprep command adds only the inheritable access control entries (ACEs) on GPOs in the SYSVOL shared resource."

http://technet.microsoft.com/en-us/library/cc783495(WS.10).aspx
Avatar of richeyd

ASKER

Also, I'm doing this for an Exchange 2010 installation. Is there any advantage for me to migrate my 4 domain controllers to 08R2 and then raise the domain level? That would be some extra work that I would want to avoid if possible but there may be advantages to doing so.

Thanks
In what circumstance would you want an read only dc?

i.e. you got a site without IT-personell or you can't store the DC in a secure room.

If you ran GPPREP when you added 2003 DC's, you don't need to run it. It wouldn't hurt to run it once more (as you can run the gpprep so many times you want)

2008R2 has its own adprep (three schema extensions from 2008 RTM). If you have the choice I would without doubt go directly to R2.
 
Avatar of richeyd

ASKER

I want to run domainprep tomorrow. Can I run domainprep /gpprep immediatly following the regular domainprep or is it best to wait for replication for finish the domainprep settings?

With regard to Win08 r2. I would need to DCpromo all of my domain controllers and transfer services to them. You recommend that becuase of what?

Thanks!
I did this task on a 2003 forest with two 2003 domains yesterday. Here's what I did.

Verified replication: repadmin /replsum -> Ok

Ran adprep 32-bit on the schema master:

adprep32 /forestprep

Checked the forest level on all DC's:

adsiedit > Schema > Properties on "CN=Schema,CN=Configuration,DC=domain,DC=com
Checked "objectVersion" value. Should be "47" if it has replicated.

The other domain DC's had a value of "30".

Ran "repadmin /syncall /A /P /e" on the PDC of the other domain.

Check the objectVersion. All had "47".

Ran: "adprep32 /domainprep" on the Infrastructure Master.

Waited 5 minutes:

Ran: "adprep32 /domainprep /gpprep"

Waited couple of minutes.

Ran: "adprep32 /rodcprep"



ASKER CERTIFIED SOLUTION
Avatar of snusgubben
snusgubben
Flag of Norway image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial