If you would like to be notified when Robert Shimonski releases Active Directory
Troubleshooting Part 1, please sign up to our Real-time article update newsletter.
Monitoring and Troubleshooting Active Directory Replication
Replication is the process of maintaining a duplicate copy of the same data on the same or a different platform or system. When using a directory service such as Active Directory, every domain controller carries a copy of the directory database, so that whenever a client needs to contact a domain controller there is always a local copy available and requests do not have to be sent over the wide area network (WAN). Replication for Active Directory operates within the directory service component of the security subsystem. This component is called Ntdsa.dll and is accessed through the Lightweight Directory Access Protocol (LDAP). Ntdsa.dll runs as a part of the Local Security Authority (LSA), which runs as Lsass.exe. Updates are transported over Internet Protocol (IP) by the remote procedure call (RPC) protocol. The Simple Mail Transfer Protocol (SMTP) is also available, although it is far more common to see RPC over IP used.
In Active Directory, replication ensures that a copy of the directory database is stored and updated on every participating domain controller on your network. In a perfect world, each copy of the database is identical and all domain controllers are synchronized. When you install Active Directory, even if all the default settings are chosen, replication from domain controller to domain controller is automatic and practically transparent. For the most part, domain controllers handle the replication process without advanced configuration and, most of the time, without a problem.
In figure 1, you can see a common network (two sites connected via a WAN link) with a domain controller in each location. The benefit of having a domain controller local to the PCs on each network segment is twofold: requests made of the domain controller stay local to the PCs that need its services, which speeds them up, and if the WAN link drops, the local PCs can still find a local domain controller to use. Keeping traffic off the wide area network (WAN) and containing it to the local area network (LAN) is the best design practice you can implement.
Figure 1: A Common Wide Area Network (WAN)
As a systems administrator, you should remember that Active Directory performance still needs to be monitored and analyzed. The health and performance of Active Directory depend on a smooth replication process. If you are having problems with replication, you will know not only from the errors logged in your Event Viewer, but from poor performance as well. You cannot stop every problem from occurring, but after reading this article you should be better equipped to handle issues and keep your network optimized for the traffic traversing it.
Consider a common problem such as a failed network link. In figure 2, you see that the
main wide area network link has been broken.
Figure 2: A Failed Network Link
ISPs and telecom service providers occasionally have problems, and service can be interrupted. This stops the communication between domain controllers and therefore severs the replication process, which prevents the synchronization of information between domain controllers and can lead to corruption and other problems.
A good way to make sure this doesn't happen is to set up a backup link (such as the ISDN link shown in figure 2). ISDN (Integrated Services Digital Network) is a digital WAN technology used to connect sites; today it is most commonly used for disaster recovery, but it still has a place in the marketplace. You don't have to limit yourself to any one technology for backup links: a fractional or full T1, a DSL line, or any other technology that gives you redundant links will do. The goal is to keep your domain controllers in constant communication with each other so that the Active Directory database stays synchronized and healthy.
A common symptom of replication problems is that information is not updated on some or all domain controllers. For example, a systems administrator creates a user account on one domain controller, but the change is not propagated to the other domain controllers. In most environments this is a potentially serious problem, because it affects network security and can prevent authorized users from accessing the resources they require. You can take several steps to troubleshoot Active Directory replication; each is discussed in the following sections.
Firewalls are used to restrict the types of traffic that can pass between networks. Their main use is to increase security by preventing unauthorized users from transferring information. In some cases a company firewall may block the kinds of network access that must be available for Active Directory replication to occur. For example, if a router or firewall prevents data from being transferred using SMTP, replication that uses that protocol will fail. The following table lists the protocols and ports that Active Directory uses:
Protocol                Port
LDAP                    udp 389, tcp 389
LDAP (SSL)              udp 636, tcp 636
Kerberos                udp 88, tcp 88
DNS                     udp 53, tcp 53
SMB over IP             udp 445, tcp 445
Global Catalog Server   tcp 3269, tcp 3268
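The following PowerShell script is an added example and is not part of the original article. It probes a remote domain controller on the TCP ports from the table above (plus TCP 135, the RPC endpoint mapper that RPC-over-IP replication depends on, which the table does not list) and reports which ones answer from the machine you run it on. The domain controller name is a placeholder. UDP ports are not probed, because a TCP connect test says nothing about them.

```powershell
# Added example, not from the article. Probe the replication-related TCP ports
# from the table above against one remote domain controller and report which
# ones are reachable from this machine. Run it from a DC (or a host in the same
# site) that is supposed to replicate with $RemoteDC.
$RemoteDC = 'DC2.corp.example'   # placeholder: the partner DC you expect to reach

# TCP ports only. UDP services (Kerberos, DNS, LDAP) cannot be verified with a
# connect test, so they are left out rather than reported as false results.
$Ports = @(
    @{ Name = 'RPC endpoint mapper';  Port = 135  }   # not in the table; RPC-over-IP replication starts here
    @{ Name = 'LDAP';                 Port = 389  }
    @{ Name = 'LDAP (SSL)';           Port = 636  }
    @{ Name = 'Kerberos';             Port = 88   }
    @{ Name = 'DNS';                  Port = 53   }
    @{ Name = 'SMB over IP';          Port = 445  }
    @{ Name = 'Global Catalog';       Port = 3268 }
    @{ Name = 'Global Catalog (SSL)'; Port = 3269 }
)

$results = $Ports | ForEach-Object {
    # Test-NetConnection (Windows 8 / Server 2012 and later) sets TcpTestSucceeded
    # to $true only if a TCP handshake completed on that port.
    $probe = Test-NetConnection -ComputerName $RemoteDC -Port $_.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Protocol  = $_.Name
        Port      = $_.Port
        Reachable = $probe.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Anything that did not answer is a firewall or routing question before it is an AD question.
$blocked = @($results | Where-Object { -not $_.Reachable })
if ($blocked.Count -gt 0) {
    $list = ($blocked | ForEach-Object { "$($_.Protocol)/tcp $($_.Port)" }) -join ', '
    Write-Warning "Not reachable on ${RemoteDC}: $list. Check the firewall and router rules on the path between the sites before troubleshooting Active Directory itself."
} else {
    "All probed ports on $RemoteDC are reachable from $env:COMPUTERNAME."
}
```

RPC-over-IP replication also uses a dynamic port that the endpoint mapper hands out after the connection to TCP 135, so a clean result here rules out the well-known ports only; the dynamic range (or the fixed port you configured for it) must be open as well.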
Whenever an error in the replication configuration occurs, the computer writes events to
the Directory Service and File Replication Service (FRS) event logs. By using the Event
Viewer administrative tool, you can quickly and easily view the details associated with
any problems in replication. For example, if one domain controller is not able to
communicate with another to transfer changes, a log entry is created.
Note:
The link at the end of the article covers the explanation of these specific errors and more.
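As an added example (not from the article), the following PowerShell pulls the error and warning events of the last 24 hours from the Directory Service and File Replication Service logs mentioned above and summarises them by event ID, so the noisiest problem stands out first. On domain controllers whose SYSVOL is replicated by DFSR rather than FRS, the counterpart log is named DFS Replication, so that name is included too; a log that does not exist on the machine is skipped.

```powershell
# Added example, not from the article. List recent errors and warnings from the
# event logs to which replication problems are written, grouped by event ID.
$Since = (Get-Date).AddHours(-24)

# 'File Replication Service' is the FRS log the article refers to; 'DFS Replication'
# is its counterpart on DCs that use DFSR for SYSVOL.
$Logs = 'Directory Service', 'File Replication Service', 'DFS Replication'

$events = foreach ($log in $Logs) {
    # Level 2 = Error, 3 = Warning. Get-WinEvent emits a non-terminating error when a
    # log has no matching events or does not exist; -ErrorAction SilentlyContinue hides that.
    Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2, 3; StartTime = $Since } -ErrorAction SilentlyContinue
}

if (-not $events) {
    "No errors or warnings in the replication-related logs since $Since."
    return
}

# One line per distinct event ID: how often it fired, when it last fired, and the
# first line of its message, which is usually enough to recognise the condition.
$events |
    Group-Object LogName, Id |
    Sort-Object Count -Descending |
    ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            Log      = $latest.LogName
            EventId  = $latest.Id
            Count    = $_.Count
            LastSeen = $latest.TimeCreated
            Level    = $latest.LevelDisplayName
            Summary  = ($latest.Message -split "`r?`n")[0]
        }
    } |
    Format-Table -AutoSize -Wrap
```

Run it on the domain controller itself, or add -ComputerName to each Get-WinEvent call to read the logs of a remote DC over the network.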
It is important to periodically verify that objects have been synchronized between domain
controllers. This process might be as simple as logging on to a different domain
controller and looking at the objects within a specific OU. This manual check, although it
might be tedious, can prevent inconsistencies in the information stored on domain
controllers, which, over time, can become an administration and security nightmare.
You can verify the Active Directory topology using the Active Directory Sites and
Services tool.
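The manual check described above (log on to another domain controller and compare the objects in an OU) can be scripted. The following PowerShell is an added example, not the article's own, and assumes the ActiveDirectory module from RSAT is available; the domain controller names and the OU are placeholders. It lists objects that exist on one DC but not the other, compares a few replicated attributes on objects that exist on both, and then asks each DC for its own record of inbound replication from its partners. The whenChanged attribute is set locally by each DC and is not replicated, so it is deliberately not used for the comparison.

```powershell
# Added example, not from the article. Compare one OU as seen from two domain
# controllers and report differences that point at stalled replication.
Import-Module ActiveDirectory   # RSAT / AD PowerShell module required

$DC1   = 'DC1.corp.example'                  # placeholder
$DC2   = 'DC2.corp.example'                  # placeholder
$OU    = 'OU=Staff,DC=corp,DC=example'       # placeholder
$Attrs = 'description', 'displayName', 'userAccountControl'   # replicated attributes to compare
# whenChanged is stamped locally by each DC and is NOT replicated, so it is not compared here.

function Get-OuSnapshot {
    param([string]$Server, [string]$SearchBase, [string[]]$Properties)
    # Hashtable keyed by objectGUID, which is identical on every DC for the same object.
    $snap = @{}
    Get-ADObject -Server $Server -SearchBase $SearchBase -Filter * -Properties $Properties |
        ForEach-Object { $snap[$_.ObjectGUID.ToString()] = $_ }
    $snap
}

$a = Get-OuSnapshot -Server $DC1 -SearchBase $OU -Properties $Attrs
$b = Get-OuSnapshot -Server $DC2 -SearchBase $OU -Properties $Attrs

# 1. Objects that exist on one DC only, e.g. an account created on DC1 that never reached DC2.
$onlyOnDC1 = @($a.Keys | Where-Object { -not $b.ContainsKey($_) } | ForEach-Object { $a[$_].DistinguishedName })
$onlyOnDC2 = @($b.Keys | Where-Object { -not $a.ContainsKey($_) } | ForEach-Object { $b[$_].DistinguishedName })
"Objects on $DC1 but not on ${DC2}: $($onlyOnDC1.Count)"; $onlyOnDC1
"Objects on $DC2 but not on ${DC1}: $($onlyOnDC2.Count)"; $onlyOnDC2

# 2. Objects on both DCs whose replicated attributes differ (an update still in flight,
#    or one that never arrived).
$differs = foreach ($guid in $a.Keys) {
    if (-not $b.ContainsKey($guid)) { continue }
    foreach ($attr in $Attrs) {
        $v1 = "$($a[$guid].$attr)"; $v2 = "$($b[$guid].$attr)"
        if ($v1 -ne $v2) {
            [pscustomobject]@{ Object = $a[$guid].DistinguishedName; Attribute = $attr; OnDC1 = $v1; OnDC2 = $v2 }
        }
    }
}
"Attribute differences: $(@($differs).Count)"
$differs | Format-Table -AutoSize -Wrap

# 3. Each DC's own record of inbound replication: last success, last result code,
#    and how many attempts in a row have failed. A non-zero failure count explains
#    the differences found above.
foreach ($dc in $DC1, $DC2) {
    Get-ADReplicationPartnerMetadata -Target $dc |
        Select-Object @{ Name = 'Server'; Expression = { $dc } }, Partner,
                      LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
        Format-Table -AutoSize
}
```

A small number of attribute differences immediately after a change is normal replication latency; the same differences still present after the intersite replication interval has elapsed, or a growing ConsecutiveReplicationFailures count, is the symptom the article describes.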
Besides ensuring that replication always continues, you should also learn how to monitor it. There are several ways to monitor the behavior of Active Directory replication and troubleshoot the process if problems occur. In the next article we will look at the Replication Monitor, and Part III of this series will cover the System Monitor.
Summary
In this article we covered the basics of replication: how it works, how to verify and troubleshoot it, and what you can do to ensure that your Active Directory topology is healthy. Stay tuned for more to come!
Using Tracert
http://www.windowsnetworking.com/articles_tutorials/Using-Tracert.html
Using Pathping
http://www.windowsnetworking.com/articles_tutorials/Using-Pathping.html
MSDN on RPC
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnanchor/html/rpcank.asp
Using Repadmin
http://support.microsoft.com/?kbid=249256
http://support.microsoft.com/kb/229896/EN-US/