• Status: Solved

Windows 2003 AD Replication not working

Hi all,
Having an issue with my AD. Situation is this... I have 3 locations: New York, New Jersey, & China. All 3 have their own DCs. NY & NJ are Win 2003's, CH is a 2008. In the AD Sites & Services I originally had all servers under the Default-First group & everything was working perfectly except that some of my people here in the US were using the China logon server, so I followed the directions to split these into 3 separate sites & that's when my replication broke.
What I did was, create the 3 separate sites, move the appropriate servers into the site where it belongs, set up the subnet for each site, & made a bulkhead DC in each site.
From there, one by one the Automatic Replication partners started to disappear so I set them up manually on all servers & did a Replicate Now. If I do a replication & watch in ReplMon I get no red x's & everything says successful.
I even created a fake batch script with different names on each of the servers to see if they will replicate & they do not. I also modified the description of a user in AD UC & that has not replicated either...
Any help would be more than appreciated with this!

Thanks.
Jon
0
Asked by: Jon DeVito
 
KenMcF Commented:
How long have they been unable to replicate?

Can you post the output of repadmin /showreps?

I would suggest you leave the replication object as automatic and not create any manual entries. But let's see the output of repadmin first.
0
 
Jon DeVito (Author) Commented:
All day today. Ok, what I did was delete the manual entries & let the auto pick them back up; that actually seemed to fix the problem for NY to NJ (even though the naming looks a little weird). CH is still having the issue though. Here is the output from the CH server:


Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>repadmin /showreps
Shanghai\WIN2008FS-CH
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: e6cde72f-7782-4317-99be-97837008b0f4
DSA invocationID: d327c9b5-d45c-4c67-88bf-61e8aab753ee

==== INBOUND NEIGHBORS ======================================

DC=DOMAIN,DC=local
    Showroom\WIN2003FS-NY via RPC
        DSA object GUID: d38e8a08-eae6-4375-bfc0-b356c0d101e5
        Last attempt @ 2010-11-24 23:59:57 was successful.
    Warehouse\WIN2003FS-NJ via RPC
        DSA object GUID: eb14377c-7bd9-4cb5-b024-31041727b677
        Last attempt @ 2010-11-25 00:00:01 was successful.

CN=Configuration,DC=DOMAIN,DC=local
    Warehouse\WIN2003FS-NJ via RPC
        DSA object GUID: eb14377c-7bd9-4cb5-b024-31041727b677
        Last attempt @ 2010-11-25 02:10:10 was successful.
    Showroom\WIN2003FS-NY via RPC
        DSA object GUID: d38e8a08-eae6-4375-bfc0-b356c0d101e5
        Last attempt @ 2010-11-25 02:10:28 was successful.

CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
    Showroom\WIN2003FS-NY via RPC
        DSA object GUID: d38e8a08-eae6-4375-bfc0-b356c0d101e5
        Last attempt @ 2010-11-25 00:00:01 was successful.
    Warehouse\WIN2003FS-NJ via RPC
        DSA object GUID: eb14377c-7bd9-4cb5-b024-31041727b677
        Last attempt @ 2010-11-25 00:00:01 was successful.

DC=DomainDnsZones,DC=DOMAIN,DC=local
    Showroom\WIN2003FS-NY via RPC
        DSA object GUID: d38e8a08-eae6-4375-bfc0-b356c0d101e5
        Last attempt @ 2010-11-25 00:00:02 was successful.
    Warehouse\WIN2003FS-NJ via RPC
        DSA object GUID: eb14377c-7bd9-4cb5-b024-31041727b677
        Last attempt @ 2010-11-25 00:00:02 was successful.

DC=ForestDnsZones,DC=DOMAIN,DC=local
    Showroom\WIN2003FS-NY via RPC
        DSA object GUID: d38e8a08-eae6-4375-bfc0-b356c0d101e5
        Last attempt @ 2010-11-25 00:00:02 was successful.
    Warehouse\WIN2003FS-NJ via RPC
        DSA object GUID: eb14377c-7bd9-4cb5-b024-31041727b677
        Last attempt @ 2010-11-25 00:00:03 was successful.


0
 
Jon DeVito (Author) Commented:
Keep in mind that they are 13hrs ahead of us so the time may be off from the US.
0
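Added example (not part of the original thread): a small Python parser for the inbound-neighbor section of `repadmin /showreps` output in the layout posted above, which flags links that failed or whose last attempt is older than a threshold. The sample text, its site/DC names and GUIDs are constructed placeholders, and the layout of the "failed" line is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout of the `repadmin /showreps` output above;
# names and GUIDs are placeholders, and the "failed" line format is assumed.
SAMPLE = """\
==== INBOUND NEIGHBORS ======================================

DC=EXAMPLE,DC=local
    SiteA\\DC-A via RPC
        DSA object GUID: 00000000-0000-0000-0000-00000000000a
        Last attempt @ 2010-11-24 23:59:57 was successful.
    SiteB\\DC-B via RPC
        DSA object GUID: 00000000-0000-0000-0000-00000000000b
        Last attempt @ 2010-11-24 18:00:01 was successful.

CN=Configuration,DC=EXAMPLE,DC=local
    SiteB\\DC-B via RPC
        DSA object GUID: 00000000-0000-0000-0000-00000000000b
        Last attempt @ 2010-11-25 00:10:10 failed, result 1722 (0x6ba):
"""

NEIGHBOR = re.compile(r"^\s+(?P<site>[^\\]+)\\(?P<dc>\S+) via (?P<transport>\S+)\s*$")
ATTEMPT = re.compile(r"^\s+Last attempt @ (?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<res>was successful|failed)")
CONTEXT = re.compile(r"^(?:DC|CN)=\S")  # naming-context headers start at column 0

def parse_showreps(text):
    """Return one dict per inbound neighbor: naming context, source DC, time, ok."""
    links, nc, cur = [], None, None
    for line in text.splitlines():
        if CONTEXT.match(line):
            nc = line.strip()
        elif (m := NEIGHBOR.match(line)) and nc:
            cur = {"nc": nc, "site": m["site"], "dc": m["dc"], "transport": m["transport"]}
        elif (m := ATTEMPT.match(line)) and cur:
            cur["last_attempt"] = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            cur["ok"] = m["res"] == "was successful"
            links.append(cur)
            cur = None
    return links

def needs_attention(links, now, max_age=timedelta(minutes=180)):
    """Links that failed, or whose last attempt is older than max_age (default: a
    180-minute site-link interval). `now` must be in the reporting DC's local
    time, because that is how repadmin prints its timestamps."""
    return [(l["nc"], l["dc"], "stale" if l["ok"] else "failed")
            for l in links if not l["ok"] or now - l["last_attempt"] > max_age]
```

A link that reports "was successful" can still be stale, so the age check matters as much as the status word when replication looks healthy but changes are not arriving.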

 
Mike Kline Commented:
Did you set up site links between the sites? (China to NY site link...just an example)

Thanks

Mike
0
 
Jon DeVito (Author) Commented:
Thanks Mike, yes I did. After deleting the manual entries & letting it pick back up, all seems to be working, but so ridiculously slow it can't be right. Previously if I added a 1kb file to the Netlogon share of one of the servers it was instantaneously transferred to the other servers (especially NJ to NY); now it's like 10 minutes or more. Any ideas why that would be all of a sudden with this setup?

Thanks.
Jon
0
 
KenMcF Commented:
What is your replication interval set to on the site link?

You could enable change notification if you need a fast response time.
0
 
Mike Kline Commented:
Previously you were using intrasite replication which can almost be thought of as "instant"  (15 seconds with a small offset in 2003)

You could decrease the replication interval or maybe even test enabling change notification for the NJ/NY site link   http://www.frickelsoft.net/blog/?p=145

Thanks

Mike
0
 
Jon DeVito (Author) Commented:
Thanks Ken, are you talking about under Inter-Site Transport / IP, for the interval? If so, it's set to 180.
How would I enable Change Notification?
0
 
Jon DeVito (Author) Commented:
Just saw your post Mike, looking at it now.

Thanks.
0
 
Mike Kline Commented:
Look at that blog link from Florian...shows you how to enable change notification.

Yes, 180/3 hours is the default.  You can lower that to 15 minutes via the GUI.

I wouldn't start by enabling change notification from the US to China.  

Thanks

Mike
0
 
KenMcF Commented:
Take a look at the link Mike posted, that has a good step by step process and explanation.
0
 
Jon DeVito (Author) Commented:
Thanks, maybe I'm looking at it wrong but it doesn't give an option for doing individual sites. From the article it's on the Transport link.
0
 
Jon DeVito (Author) Commented:
Even doing it at that level, I just deleted a 1kb file from the netlogon in NY, it's over 5 minutes & it still hasn't replicated to NJ. Do I need to restart a service or something to get the change to take effect?
0
 
KenMcF Commented:
This setting is on the site link, not the site itself.
Do you have a single site link for all sites or a separate site link for every site? Can you post a screenshot of your site links and sites?

As Mike said try to set the replication interval to 15 minutes and see if that will work for you. If it does not then you can start testing change notification.
0
 
KenMcF Commented:
Mike can correct me if I am wrong, but I do not think the sysvol supports the change notification flag since you are still using FRS.
0
 
Jon DeVito (Author) Commented:
Gotcha. Yes, I have a single site; screenshot is attached.
15 minutes is way too long for this though, I really need this to work as close to instant as I possibly can, especially NY to NJ...if the US to China & vice versa takes a few mins it's not a big deal but the sites in the US between each other are.
11-24-2010-2-17-09-PM.jpg
0
 
Jon DeVito (Author) Commented:
It replicates the netlogon faster than the interval though, it's about 5-6 minutes.
0
 
KenMcF Commented:
Just to understand this better, why do you need this to replicate that fast to the sites?
0
 
Jon DeVito (Author) Commented:
We have admins in NJ that only have access to the NJ DC, so if we fire someone (or hire) we need the changes to be immediate in NY.
0
 
Mike Kline Commented:
Right on Ken; FRS does not support the intersite change notification flag.

In your screenshot you are still using the default site link.  You could also create individual site links:

NY to NJ
NY to China

Then play/experiment with the replication intervals.  I'm guessing the link between China and NY is not as good as NJ to NY.

Thanks

Mike
0
 
Jon DeVito (Author) Commented:
That stinks. Ok, so I would not need one from nj to china doing it this way, correct? Also, the lower Cost is faster?
0
 
Jon DeVito (Author) Commented:
Correct BTW that the link to China is much slower.
0
 
Jon DeVito (Author) Commented:
Also, would I need any Site-Link Bridge?
0
 
KenMcF Commented:
It all depends on how you want your AD topology to look. It sounds like you want a hub and spoke where NY is the hub. In this scenario you would create two site links, one NY to CH and one NY to NJ.
0
 
Mike Kline Commented:
A hub-spoke design is what I'd go with (assuming NY is your HQ).

So the two site links could be NY to NJ & China to NY.

The China interval would be higher and you might even enable change notification on the NJ to NY link.

In this setup you don't have to worry about site link bridges or cost.

Thanks

Mike
0
 
Mike Kline Commented:
Quick question, are the admins in NJ domain admins?  Just wondering what you mean when you say you restrict them to the NJ DCs only.
0
 
Jon DeVito (Author) Commented:
Gotcha with the Hub & Spoke design. I think I'm doing something wrong here though, I made the change to the 2 links instead of 1 but it is still taking forever to replicate between NY & NJ. I made the change in adsi for the new site link but it didn't seem to help. Am I missing something?
11-24-2010-2-17-09-PM.jpg
2.jpg
0
 
Jon DeVito (Author) Commented:
Yes they are Domain Admins, I just give them an RDP to the server they are allowed to use.
0
 
Mike Kline Commented:
On screenshot 2 in the details/right pane there should be the site links listed; is that where you are right clicking and selecting options?

On another note the NJ DA's could access all your DCs....if they know what they are doing :)

Thanks

Mike
0
 
Jon DeVito (Author) Commented:
Yes, that's where I am right clicking, on the US link.
You are 100% correct, lol. It's less of a security thing than ease of use & speed of the servers.
0
 
Jon DeVito (Author) Commented:
If I force the replication it works instantaneously, it's gotta be something with the change notification. I saw some people saying it's only on account lockouts, so I tried that & even that didn't replicate quickly.
0
 
KenMcF Commented:
How long is the replication taking?

You can run a test using PowerShell; Brandon Shell has a really good script in a blog post to test replication.

http://bsonposh.com/archives/276
0
 
Jon DeVito (Author) Commented:
Sorry I got booted from the building for the holiday weekend. What an awesome script! I'll run it tonight & see what I get. Thanks again for the help with this whole thing!!

Jon
0
 
Jon DeVito (Author) Commented:
That script is awesome. It's actually showing me something VERY unexpected...the China site replicated very quickly, the NY site took forever! Any idea where I could start digging to figure out why?

Thanks.
Jon
0
 
Jon DeVito (Author) Commented:
I'm actually going to open that as a new question. I think you both have helped me enough to get my stuff working & answer the original question. I really appreciate all of the help!!

Thanks.
Jon
0
 
Jon DeVito (Author) Commented:
Thank you both for all of the help!
0
