Solved

Windows 2003 AD Replication not working

Posted on 2010-11-24
Last Modified: 2012-05-10
Hi all,
having an issue with my AD. Situation is this...I have 3 locations, New York, New Jersey, & China. All 3 have their own DC's. NY & NJ are Win 2003's, CH is a 2008. In the AD Sites & Services I originally had all servers under the Default-First group & everything was working perfectly except that some of my people here in the US were using the China logon server, so I followed the directions to split these into 3 separate sites & that's when my replication broke.
What I did was, create the 3 separate sites, move the appropriate servers into the site where it belongs, set up the subnet for each site, & made a bulkhead DC in each site.
From there, one by one the Automatic Replication partners started to disappear so I set them up manually on all servers & did a Replicate Now. If I do a replication & watch in ReplMon I get no red x's & everything says successful.
I even created a fake batch script with different names on each of the servers to see if they will replicate & they do not. I also modified the description of a user in AD UC & that has not replicated either...
Any help would be more than appreciated with this!

Thanks.
Jon
Question by:Jon DeVito
36 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 34207557
How long have they been unable to replicate?

Can you post the output of repadmin /showreps

I would suggest you leave the replication object as automatic and not create any manual entries. But let's see the output of repadmin first.
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34207661
All day today. Ok what I did was delete the manual entries & let the auto pick them back up, that actually seemed to fix the problem for NY to NJ (even though the naming looks a little weird). CH is still having the issue though. Here is the output from the CH server:


Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>repadmin /showreps
Shanghai\WIN2008FS-CH
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: e6cde72f-7782-4317-99be-97837008b0f4
DSA invocationID: d327c9b5-d45c-4c67-88bf-61e8aab753ee

==== INBOUND NEIGHBORS ======================================

DC=DOMAIN,DC=local
    Showroom\WIN2003FS-NY via RPC
        DSA object GUID: d38e8a08-eae6-4375-bfc0-b356c0d101e5
        Last attempt @ 2010-11-24 23:59:57 was successful.
    Warehouse\WIN2003FS-NJ via RPC
        DSA object GUID: eb14377c-7bd9-4cb5-b024-31041727b677
        Last attempt @ 2010-11-25 00:00:01 was successful.

CN=Configuration,DC=DOMAIN,DC=local
    Warehouse\WIN2003FS-NJ via RPC
        DSA object GUID: eb14377c-7bd9-4cb5-b024-31041727b677
        Last attempt @ 2010-11-25 02:10:10 was successful.
    Showroom\WIN2003FS-NY via RPC
        DSA object GUID: d38e8a08-eae6-4375-bfc0-b356c0d101e5
        Last attempt @ 2010-11-25 02:10:28 was successful.

CN=Schema,CN=Configuration,DC=DOMAIN,DC=local
    Showroom\WIN2003FS-NY via RPC
        DSA object GUID: d38e8a08-eae6-4375-bfc0-b356c0d101e5
        Last attempt @ 2010-11-25 00:00:01 was successful.
    Warehouse\WIN2003FS-NJ via RPC
        DSA object GUID: eb14377c-7bd9-4cb5-b024-31041727b677
        Last attempt @ 2010-11-25 00:00:01 was successful.

DC=DomainDnsZones,DC=DOMAIN,DC=local
    Showroom\WIN2003FS-NY via RPC
        DSA object GUID: d38e8a08-eae6-4375-bfc0-b356c0d101e5
        Last attempt @ 2010-11-25 00:00:02 was successful.
    Warehouse\WIN2003FS-NJ via RPC
        DSA object GUID: eb14377c-7bd9-4cb5-b024-31041727b677
        Last attempt @ 2010-11-25 00:00:02 was successful.

DC=ForestDnsZones,DC=DOMAIN,DC=local
    Showroom\WIN2003FS-NY via RPC
        DSA object GUID: d38e8a08-eae6-4375-bfc0-b356c0d101e5
        Last attempt @ 2010-11-25 00:00:02 was successful.
    Warehouse\WIN2003FS-NJ via RPC
        DSA object GUID: eb14377c-7bd9-4cb5-b024-31041727b677
        Last attempt @ 2010-11-25 00:00:03 was successful.

0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34207667
Keep in mind that they are 13hrs ahead of us so the time may be off from the US.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34207753
Did you setup site links between the sites? (China to NY site link...just an example)

Thanks

Mike
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34207817
Thanks Mike, yes I did. After deleting the manual entries & letting it pick back up all seems to be working but so ridiculously slow it can't be right. Previously if I added a 1kb file to the Netlogon share of one of the servers it was instantaneously transferred to the other servers (especially NJ to NY) now it's like 10 minutes or more. Any ideas why that would be all of a sudden with this setup?

Thanks.
Jon
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34207828
What is your replication interval set to on the site link?

You could enable change notification if you need a fast response time.
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 34207843
Previously you were using intrasite replication which can almost be thought of as "instant" (15 seconds with a small offset in 2003)

You could decrease the replication interval or maybe even test enabling change notification for the NJ/NY site link: http://www.frickelsoft.net/blog/?p=145

Thanks

Mike
0
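The two settings discussed in this thread (the site link replication interval and inter-site change notification) both live on the siteLink object in the Configuration partition. As an added example, not code from any poster or from the linked blog, this PowerShell sketch reports them for every IP site link and shows how the change-notification bit would be set; the link name 'NY-NJ' is a hypothetical placeholder, and as noted later in the thread this affects AD replication only, not FRS-replicated SYSVOL/Netlogon files.

```powershell
# Added example. Run as an account allowed to read (and, for the last
# function, write) the Configuration partition. 'NY-NJ' is a placeholder name.
$UseNotify = 0x1   # siteLink 'options' bit: change notification across the link

function Get-SiteLinkFlags([int]$Options) {
    # Decode the siteLink options bits into readable names.
    $names = @()
    if ($Options -band 0x1) { $names += 'USE_NOTIFY' }
    if ($Options -band 0x2) { $names += 'TWOWAY_SYNC' }
    if ($Options -band 0x4) { $names += 'DISABLE_COMPRESSION' }
    if ($names.Count -eq 0) { 'none' } else { $names -join ',' }
}

function Get-IPSiteLinkContainer {
    # Site links for the IP transport sit under CN=Sites in the Configuration NC.
    $configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC"
}

function Get-SiteLinkReport {
    # One row per site link: interval in minutes, cost, decoded options.
    $base = [ADSI]('LDAP://' + (Get-IPSiteLinkContainer))
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectClass=siteLink)')
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        # 'options' is unset on a default link; treat that as 0.
        $opt = if ($p['options'].Count) { [int]$p['options'][0] } else { 0 }
        New-Object PSObject -Property @{
            Name        = [string]$p['cn'][0]
            IntervalMin = [int]$p['replinterval'][0]
            Cost        = [int]$p['cost'][0]
            SiteCount   = $p['sitelist'].Count
            Flags       = Get-SiteLinkFlags $opt
        }
    }
}

function Enable-SiteLinkNotify([string]$Name) {
    # OR the bit in so any flags already set on the link are preserved.
    $link = [ADSI]("LDAP://CN=$Name," + (Get-IPSiteLinkContainer))
    $current = if ($link.options.Value) { [int]$link.options.Value } else { 0 }
    $link.Put('options', ($current -bor $UseNotify))
    $link.SetInfo()
}

Get-SiteLinkReport | Format-Table Name, IntervalMin, Cost, SiteCount, Flags -AutoSize
# Enable-SiteLinkNotify 'NY-NJ'   # uncomment after confirming the link name above
```

A link that still shows three sites and Flags 'none' in the report is the single default link described in the thread, so the option has not been applied to a dedicated NY/NJ link.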
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34207869
Thanks Ken, are you talking about under Inter-Site Transport / IP, for the interval? If so, it's set to 180.
How would I enable Change Notification?
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34207881
Just saw your post Mike, looking at it now.

Thanks.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34207885
Look at that blog link from Florian...shows you how to enable change notification.

Yes, 180/3 hours is the default.  You can lower that to 15 minutes via the GUI.

I wouldn't start by enabling change notification from the US to China.

Thanks

Mike
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34207886
Take a look at the link Mike posted, that has a good step by step process and explanation.
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34208055
Thanks, maybe I'm looking at it wrong but it doesn't give an option for doing individual sites. From the article it's on the Transport link.
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34208136
Even doing it at that level, I just deleted a 1kb file from the netlogon in NY, it's over 5 minutes & it still hasn't replicated to NJ. Do I need to restart a service or something to get the change to take effect?
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34208138
This setting is on the Site link not the site itself.
Do you have a single site link for all sites or a separate site link for every site? Can you post a screen shot of your site links and sites?

As Mike said try to set the replication interval to 15 minutes and see if that will work for you. If it does not then you can start testing change notification.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34208184
Mike can correct me if I am wrong, but I do not think the sysvol supports the change notification flag since you are still using FRS.
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34208188
Gotcha, Yes I have a single site, screen shot is attached.
15 minutes is way too long for this though, I really need this to work as close to instant as I possibly can, especially NY to NJ...if the US to China & vice versa takes a few mins it's not a big deal but the sites in the US between each other are.
11-24-2010-2-17-09-PM.jpg
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34208195
It replicates the netlogon faster than the interval though, it's about 5-6 minutes.
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34208200
Just to understand this better, Why do you need this to replicate that fast to the sites?
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34208218
We have admins in NJ that only have access to the NJ DC, so if we fire someone (or hire) we need the changes to be immediate in NY.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34208246
Right on Ken; FRS does not support the intersite change notification flag.

In your screenshot you are still using the default site link.  You could also create individual site links

NY to NJ
NY to China

Then play/experiment with the replication intervals.  I'm guessing the link between China and NY is not as good as NJ to NY.

Thanks

Mike
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34208258
That stinks. Ok, so I would not need one from nj to china doing it this way, correct? Also, the lower Cost is faster?
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34208260
Correct BTW that the link to China is much slower.
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34208266
Also, would I need any Site-Link Bridge?
0
 
LVL 27

Expert Comment

by:KenMcF
ID: 34208336
It all depends on how you want your AD topology to look. It sounds like you want a hub and spoke where NY is the hub. In this scenario you would create two site links, one NY to CH and one NY to NJ.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34208343
A hub-spoke design is what I'd go with (assuming NY is your HQ)

So the two site links could be NY to NJ & China to NY

The China interval would be higher and you might even enable change notification on the NJ to NY link.

In this setup you don't have to worry about site link bridges or cost.

Thanks

Mike
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34208356
Quick question, are the admins in NJ domain admins?  Just wondering what you mean when you say you restrict them to the NJ DCs only.
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34208400
Gotcha with the Hub & Spoke design. I think I'm doing something wrong here though, I made the change to the 2 links instead of 1 but it is still taking forever to replicate between NY & NJ. I made the change in adsi for the new site link but didn't seem to help. Am I missing something?
11-24-2010-2-17-09-PM.jpg
2.jpg
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34208407
Yes they are Domain Admins, I just give them an RDP to the server they are allowed to use.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 34208483
On screenshot 2 in the details/right pane there should be the site links listed; is that where you are right clicking and selecting options?

On another note the NJ DA's could access all your DCs....if they know what they are doing :)

Thanks

Mike
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34208512
Yes that's where I am right clicking, on the US link.
You are 100% correct, lol. It's less of a security thing than ease of use & speed of the servers.
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34208743
If I force the replication it works instantaneously, it's gotta be something with the change notification. I saw some people saying it's only on account lockouts, so I tried that & even that didn't replicate quickly.
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 250 total points
ID: 34208867
How long is the replication taking?

You can run a test using PowerShell, Brandon Shell has a really good script in a blog post to test replication.

http://bsonposh.com/archives/276
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34212894
Sorry I got booted from the building for the holiday weekend. What an awesome script! I'll run it tonight & see what I get. Thanks again for the help with this whole thing!!

Jon
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34218747
That script is awesome. It's actually showing me something VERY unexpected...the China site replicated very quickly, the NY site took forever! Any idea where I could start digging to figure out why?

Thanks.
Jon
0
 
LVL 3

Author Comment

by:Jon DeVito
ID: 34240011
I'm actually going to open that as a new question. I think you both have helped me enough to get my stuff working & answer the original question. I really appreciate all of the help!!

Thanks.
Jon
0
 
LVL 3

Author Closing Comment

by:Jon DeVito
ID: 34240039
Thank you both for all of the help!
0
