Active Directory Diagnostics, Troubleshooting, and Recovery

Domain Controller Issues

Among the most important features of Windows 2000 are that all domain controllers in the same domain are peers of one another and that any domain controller can make directory updates.

However, given the way in which directory updates are replicated from one domain controller to another, it is possible that difficulties can arise. For example, if the necessary domain controllers are not connected by a replication topology, the appropriate domain controllers do not receive directory updates when replication occurs.

Also, in order for the (Domain Controller) Locator to find a domain controller, it must have accurate information so that it can properly locate the resource. If a domain controller is incorrectly advertised, the Locator is not going to find it.


Note

In addition to the DNS and NetBIOS broadcast being used to find servers, each server must be "advertising" a role in order for the locator to return that server as a candidate. You can use the Nltest tool to show what roles are being advertised. Furthermore, a server does not advertise itself in some roles until it has finished initializing. Thus, if a server is stuck or having problems starting, it might be excluded from the list of available servers, making the other servers more heavily loaded. If a server runs out of disk space, it stops advertising itself as an LDAP server.

Also be aware that FRS might prevent a computer from advertising.

This section discusses diagnostic tools and gives examples of possible domain controller consistency problems, along with suggested solutions.

Event Viewer

In Event Viewer, there is a separate directory service log for all the directory events that are written to it. For example, domain controller consistency problems might be manifested in events such as Internal Processing, Inter-Site Messaging, Service Control, and Internal Configuration.

For information about the replication schedule of directory partitions, use Event Viewer, and increase the Replication Events logging level to level 2. You can adjust the logging level in the registry by changing the value of entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics subkey.


Note

You should check the event log first and not raise the logging level until you understand the problem and what you are looking for.

It is not recommended that you set the diagnostic level of Replication Events higher than 2. The user can be inundated with detail, especially for replication events.

For more information about adjusting Active Directory log levels, see "Advanced Troubleshooting" later in this chapter. Do not modify the registry until you have read this section.

Using Dcdiag to Diagnose Domain Controller Issues

The Domain Controller Diagnostic tool (Dcdiag) analyzes the state of domain controllers in a forest or enterprise and reports any problems. The tool is designed to be an end-user reporting program that encapsulates the detailed knowledge of how to identify abnormal behavior in the computer. The area of focus of this tool is domain controller functions and interactions across an entire enterprise.

Dcdiag consists of a framework for running tests, and a series of tests to verify different functional areas of Active Directory. The framework selects which domain controllers are tested according to scope directives given by the user, such as enterprise, site, or single server. The user can also select domain controllers holding a directory partition.

It is recommended that only severe errors be reported, and that they be reported in a way that informs the user of the consequences of the problem, and also suggests a course of action for the user. In the default mode, minimum output is displayed — successful confirmation of each test. In the verbose mode, the collected data for each test displays.


Note

Note that Dcdiag is intended to perform a fully automatic analysis with little user intervention. It is essentially a read-only tool that does not affect the state of the enterprise. Although it allows specific tests to be run individually, it is not intended as a general toolbox of commands to perform specific tasks.

Use the Dcdiag tool to diagnose domain controller status for the following:

Connectivity

To test for domain controller connectivity, use the Dcdiag tool to do the following:

Replication

To test for domain controller replication consistency, use the Dcdiag tool to do the following:

Topology Integrity

To test for domain controller topology integrity, use the Dcdiag tool to verify that all servers holding a specific directory partition are connected by the replication topology.

Directory Partition Head Permissions

Use the Dcdiag tool to test the security descriptors on the directory partition heads, such as the Schema, Domain, or Configuration directory partitions, for the proper permissions.

User Permissions

To ensure that users have the necessary permissions, use the Dcdiag tool to do the following:

Locator Functionality

To ensure that the Domain Controller Locator is properly functioning, use the Dcdiag tool to do the following:

Inter-site Health

To ensure consistency of domain controllers among sites, use the Dcdiag tool to do the following:

For more information about Inter-site Topology Generator, bridgeheads, and bridgehead failovers, see "Active Directory Replication" in this book.

Trust Verification

To check for trust verification, the recommended method is to use the Netdom tool. However, the Dcdiag tool can also be used to check explicit trust relationships. A trust verification runs between two domains and enumerates all of the domain controllers in each domain. You can optionally scope this verification by site or by domain controller. You can check trust establishment, the secure channel setup, and ticket validity between each pair of domain controllers. By default, errors are flagged. In verbose mode, all of the successes are printed as well.


Note

The Dcdiag tool only checks explicit trust relationships; it does not check Kerberos v5 trust relationships. To check the Kerberos v5 trust relationships, you would use the Netdom tool. For more information on the Netdom tool and how to check the Kerberos v5 trust relationships, see "Join and Authentication Issues" later in this chapter.

If the trust relationship fails between every pair of domain controllers, there is a very high probability that the problem is with the trust relationship. In this case, use the Nltest tool to further isolate the failure (for example, use the /sc_query and /sc_reset switches) and the Net Logon log to further investigate the problem.


Note

The problem can usually be resolved by recreating the trust relationship through the Active Directory Domains and Trusts console.

If only a few pairs of domain controllers are experiencing the trust relationship problem and other pairs are not, it could be a replication or name resolution–related problem. In this case, check whether the trusted domain objects (in the System container) are up-to-date on all domain controllers.

For more information about trusted domain objects, see "Active Directory Logical Structure" in this book.

For each server that has a broken secure channel, the server's name is printed out along with a Win32 error message indicating the reason why the secure channel is not working. For each error, the next step is to examine the domain controller that is having the trouble — most likely the error is network connectivity based.

Following is an example of a secure channel failure while running the Dcdiag tool.

F:> dcdiag /v /s:dc5 /test:outboundsecurechannels /testdomain:washington /nositerestriction

DC Diagnosis


Performing initial setup:

   * Connecting to directory service on server dc5.

   * Collecting site info.

   * Identifying all servers.

   * Found 20 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial non skippeable tests


   Testing server: Building1\DC5

      Starting test: Connectivity

         * Active Directory LDAP Services Check

         * Active Directory RPC Services Check

         ......................... DC5passed test Connectivity


Doing primary tests


   Testing server: Building1\DC5

      Test omitted by user request: Replications

      Test omitted by user request: Topology

      Test omitted by user request: NCSecDesc

      Test omitted by user request: NetLogons

      Test omitted by user request: LocatorGetDc

      Test omitted by user request: RidManager

      Test omitted by user request: MachineAccount

      Test omitted by user request: Services

      Starting test: OutboundSecureChannels

         * Secure channel from [DC-08] to [\\RED-DC-11.washington.corp.micros

oft.com] is working properly.

         * [DC-08] has downlevel trust object for [washington]

         * [DC-08] has uplevel trust object for [washington]

         * Secure channel from [DC-07] to [\\RED-DC-01.washington.corp.micros

oft.com] is working properly.

         * [DC-07] has downlevel trust object for [washington]

         * [DC-07] has uplevel trust object for [washington]

         * Secure channel from [NTDSDCB] to [\\RED-DC-08.washington.reskit.com.

com] is working properly.

         * [NTDSDCB] has downlevel trust object for [washington]

         * [NTDSDCB] has uplevel trust object for [washington]

         [NTDSDC] LDAP connection failed with error 58,

         The specified server cannot perform the requested operation..

         [NTDSDC] LDAP bind failed with error 31. A device attached to the system is not functioning.

* Secure channel from [DC5] to [\\RED-DC-12.washington.reskit.com.

com] is working properly.

         * [DC5] has downlevel trust object for [washington]

         * [DC5] has uplevel trust object for [washington]

         * Secure channel from [DC1] to [\\RED-DC-03.washington.reskit.com.

com] is working properly.

         * [DC1] has downlevel trust object for [washington]

         * [DC1] has uplevel trust object for [washington]

         * Secure channel from [DC9] to [\\RED-DC-07.washington.reskit.com.

com] is working properly.

         * [DC9] has downlevel trust object for [washington]

         * [DC9] has uplevel trust object for [washington]

         * Secure channel from [DCG] to [\\RED-DC-08.washington.reskit.com.

com] is working properly.

         * [DCG] has downlevel trust object for [washington]

         * [DCG] has uplevel trust object for [washington]

         * Secure channel from [DC2] to [\\RED-DC-06.washington.reskit.com.

com] is working properly.

         * [DC2] has downlevel trust object for [washington]

         * [DC2] has uplevel trust object for [washington]

         ......................... NTDSDC failed test OutboundSecureChannels

      Test omitted by user request: ObjectsReplicated


   Running enterprise tests on : reskit.com

      Test omitted by user request: Intersite

      Test omitted by user request: RolesHeld


In this example, NTDSDC is down.

For a specific secure channel problem, you might see the following:

* Secure channel from [DC5] to washington is working because "The RPC server is unavailable."


In this case, it is recommended that the administrator run diagnostics on [DC5] to see whether it is having network problems.

Diagnose Replication Latencies

The checks are as follows:

Replication of Trust Objects

This option checks the following:

File Replication Service

Verify that File Replication service (FRS) has started successfully on all servers. If FRS has not started, it delays the Net Logon service from advertising that domain controller.

Critical Services Check

Verifies that critical services are running on each domain controller. The services that are checked include: File Replication service, Intersite Messaging Service, Kerberos v5 Key Distribution Center Service, Server Service, Workstation Service, Remote Procedure Call Locator Service, Windows Time Service, Distributed Link Tracking Client Service, Distributed Link Tracking Server Service and the Net Logon service.

Sample output of Dcdiag.exe running all the previous tests in verbose mode:

C:\DS TOOLS>dcdiag /s:SERVER1 /c /v


DC Diagnosis


Performing initial setup:

   * Connecting to directory service on server SERVER1.

   * Collecting site info.

   * Identifying all servers.

   * Found 1 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial non skippeable tests


   Testing server: Default-First-Site-Name\SERVER1

      Starting test: Connectivity

         * Active Directory LDAP Services Check

         * Active Directory RPC Services Check

         ......................... SERVER1 passed test Connectivity


Doing primary tests


   Testing server: Default-First-Site-Name\SERVER1

      Starting test: Replications

         * Replications Check

         ......................... SERVER1 passed test Replications

      Starting test: Topology

         * Configuration Topology Integrity Check

         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=f

oobar,DC=com.

         * Performing upstream (of target) analysis.

         * Performing downstream (of target) analysis.

         * Analyzing the connection topology for CN=Configuration,DC=reskit,DC=c

om.

         * Performing upstream (of target) analysis.

         * Performing downstream (of target) analysis.

         * Analyzing the connection topology for DC=reskit,DC=com.

         * Performing upstream (of target) analysis.

         * Performing downstream (of target) analysis.

         ......................... SERVER1 passed test Topology

      Starting test: CutoffServers

         * Configuration Topology Aliveness Check

         * Analyzing the alive system replication topology for CN=Schema,CN=Conf

iguration,DC=reskit,DC=com.

         * Performing upstream (of target) analysis.

         * Performing downstream (of target) analysis.

         * Analyzing the alive system replication topology for CN=Configuration,

DC=reskit,DC=com.

         * Performing upstream (of target) analysis.

         * Performing downstream (of target) analysis.

         * Analyzing the alive system replication topology for DC=reskit,DC=com.


         * Performing upstream (of target) analysis.

         * Performing downstream (of target) analysis.

         ......................... SERVER1 passed test CutoffServers

      Starting test: NCSecDesc

         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=reskit,DC=com

         * Security Permissions Check for

           CN=Configuration,DC=reskit,DC=com

         * Security Permissions Check for

           DC=reskit,DC=com

         ......................... SERVER1 passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check

         ......................... SERVER1 passed test NetLogons

      Starting test: LocatorGetDc

         Role Schema Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-F

irst-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com

         Role Domain Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-F

irst-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com

         Role PDC Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-Firs

t-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com

         Role Rid Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-Firs

t-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com

         Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERVER1,CN=Serve

rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com

         ......................... SERVER1 failed test LocatorGetDc

      Starting test: RidManager

         * Available RID Pool for the Domain is 1603 to 1073741823

         * SERVER1.reskit.com is the RID Master

         * DsBind with RID Master was successful

         * rIDAllocationPool is 1103 to 1602

         * rIDNextRID: 1106

         * rIDPreviousAllocationPool is 1103 to 1602

         ......................... SERVER1 passed test RidManager

      Starting test: MachineAccount

         * SPN found :LDAP/SERVER1.reskit.com/reskit.com

         * SPN found :LDAP/SERVER1.reskit.com

         * SPN found :LDAP/SERVER1

         * SPN found :LDAP/SERVER1.reskit.com/RESKIT1

         * SPN found :LDAP/6cbd730e-b9ce-4154-8367-45a8b469097b._msdcs.reskit.co

m

         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/6cbd730e-b9ce-4154-83

67-45a8b469097b/reskit.com

         * SPN found :HOST/SERVER1.reskit.com/reskit.com

         * SPN found :HOST/SERVER1.reskit.com

         * SPN found :HOST/SERVER1

         * SPN found :HOST/SERVER1.reskit.com/RESKIT1

         * SPN found :GC/SERVER1.reskit.com/reskit.com

         ......................... SERVER1 passed test MachineAccount

      Starting test: Services

         * Checking Service: Dnscache

         * Checking Service: NtFrs

         * Checking Service: IsmServ

         * Checking Service: kdc

         * Checking Service: SamSs

         * Checking Service: LanmanServer

         * Checking Service: LanmanWorkstation

         * Checking Service: RpcSs

         * Checking Service: RPCLOCATOR

         * Checking Service: w32time

         * Checking Service: TrkWks

         * Checking Service: TrkSvr

         * Checking Service: NETLOGON

         * Checking Service: Dnscache

         * Checking Service: NtFrs

         ......................... SERVER1 passed test Services

      Starting test: OutboundSecureChannels

         ** Did not run test because /testdomain: was not entered         ......

................... SERVER1 passed test OutboundSecureChannels

      Starting test: ObjectsReplicated

         SERVER1 is in domain DC=reskit,DC=com

         Checking for CN=SERVER1,OU=Domain Controllers,DC=reskit,DC=com in domai

n DC=reskit,DC=com on 1 servers

            Object is up-to-date on all servers.

         Checking for CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Si

te-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com in domain CN=Configuration,DC

=reskit,DC=com on 1 servers

            Object is up-to-date on all servers.

         ......................... SERVER1 passed test ObjectsReplicated

      Starting test: frssysvol

         * The File Replication Service Event log test

         The SYSVOL has been shared, and the AD is no longer

         prevented from starting by the File Replication Service.

         ......................... SERVER1 passed test frssysvol


   Running enterprise tests on : reskit.com

      Starting test: Intersite

         ......................... reskit.com passed test Intersite

      Starting test: RolesHeld

         GC Name: \\SERVER1.reskit.com

         Locator Flags: 0xe00001fd

         PDC Name: \\SERVER1.reskit.com

         Locator Flags: 0xe00001fd

         Time Server Name: \\SERVER1.reskit.com

         Locator Flags: 0xe00001fd

         Preferred Time Server Name: \\SERVER1.reskit.com

         Locator Flags: 0xe00001fd

         KDC Name: \\SERVER1.reskit.com

         Locator Flags: 0xe00001fd

         ......................... reskit.com passed test RolesHeld
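
An added example (not part of the original chapter or of Dcdiag): a Python parser that reduces a verbose Dcdiag transcript to the results that need follow-up. It keeps the name printed on the result line separate from the server under test (NTDSDC versus DC5 in the first transcript) and flags a test that reports "passed" without having run, as OutboundSecureChannels does above when /testdomain: is omitted. The sample text is constructed from lines of the transcripts on this page, and all function and class names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines abbreviated from the two Dcdiag transcripts above,
# keeping their quirks ("DC5passed", a result line wrapped by the console,
# a test that "passed" without running).
SAMPLE = r"""
   Testing server: Building1\DC5
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         ......................... DC5passed test Connectivity
      Test omitted by user request: Replications
      Starting test: OutboundSecureChannels
         [NTDSDC] LDAP connection failed with error 58,
         The specified server cannot perform the requested operation..
         [NTDSDC] LDAP bind failed with error 31. A device attached to the system is not functioning.
         ......................... NTDSDC failed test OutboundSecureChannels
   Testing server: Default-First-Site-Name\SERVER1
      Starting test: LocatorGetDc
         ......................... SERVER1 failed test LocatorGetDc
      Starting test: OutboundSecureChannels
         ** Did not run test because /testdomain: was not entered         ......
................... SERVER1 passed test OutboundSecureChannels
   Running enterprise tests on : reskit.com
      Starting test: Intersite
         ......................... reskit.com passed test Intersite
"""

TARGET_RE = re.compile(r"^\s*(?:Testing server:|Running enterprise tests on\s*:)\s*(\S+)")
START_RE = re.compile(r"^\s*Starting test:\s*(\w+)")
SKIP_RE = re.compile(r"^\s*Test omitted by user request:\s*(\w+)")
# Result line: a run of dots, the name being reported on, then the verdict.
RESULT_RE = re.compile(r"\.{5,}\s*(\S+?)\s*(passed|failed) test (\w+)")
ERROR_RE = re.compile(r"failed with error (\d+)")


@dataclass
class DcdiagResult:
    target: str            # server (Site\Name) or enterprise the test ran against
    test: str
    status: str            # passed | failed | skipped | incomplete
    reported_by: str = ""  # name printed on the result line
    errors: list = field(default_factory=list)  # Win32 codes seen inside the test
    ran: bool = True       # False if skipped or "Did not run test"


def parse_dcdiag(text):
    """Parse a Dcdiag transcript into a list of DcdiagResult records."""
    results, target, current = [], None, None

    def close(status):
        nonlocal current
        current.status = status
        results.append(current)
        current = None

    for line in text.splitlines():
        if m := TARGET_RE.match(line):
            target = m.group(1)
        elif m := SKIP_RE.match(line):
            results.append(DcdiagResult(target, m.group(1), "skipped", ran=False))
        elif m := START_RE.match(line):
            if current is not None:      # previous test never printed a verdict
                close("incomplete")
            current = DcdiagResult(target, m.group(1), "pending")
        elif current is not None:
            if "Did not run test" in line:
                current.ran = False
            current.errors += [int(code) for code in ERROR_RE.findall(line)]
            if m := RESULT_RE.search(line):
                current.reported_by = m.group(1)
                close(m.group(2))
    if current is not None:              # transcript was cut off mid-test
        close("incomplete")
    return results


def findings(results):
    """Return (target, test, reason) for every result that needs follow-up."""
    out = []
    for r in results:
        if r.status == "failed":
            out.append((r.target, r.test,
                        f"failed on {r.reported_by}, Win32 errors {r.errors}"))
        elif r.status == "passed" and not r.ran:
            out.append((r.target, r.test, "reported as passed but did not run"))
        elif r.status == "incomplete":
            out.append((r.target, r.test, "no verdict in transcript"))
    return out


if __name__ == "__main__":
    for item in findings(parse_dcdiag(SAMPLE)):
        print(item)
```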

Using Ntdsutil to Manage Domain Controller Consistency

Ntdsutil is a command-line tool that provides directory service management. It maintains the Active Directory store, manages and controls Flexible Single Master Operations masters, and purges metadata left behind by abandoned domain controllers (which are removed from the network without being uninstalled). For more information about using Ntdsutil, see "Active Directory Diagnostic Tool (Ntdsutil.exe)" in this book.

By using Ntdsutil, you can diagnose and troubleshoot the following domain controller consistency-related issues:


Note

Netdom can also remove orphaned domains. For more information about removing an orphaned domain controller, see "Active Directory Installation and Removal" later in this chapter.

Identifying Windows 2000 Domain Controller Roles

There might be instances when you need to identify which domain controller holds the primary domain controller operations master role in a domain so that clients that are running earlier versions of Windows NT can be authenticated.


Note

Clients running earlier versions of Windows NT can be authenticated at any domain controller. Unavailability of the PDC emulator prevents these clients from joining computers to the domain or changing their user password among other options.

Also, you might need to identify which domain controllers are Global Catalog servers so that you can verify that LDAP Search requests can be satisfied in the forest. Use the following methods to identify Windows 2000 domain controllers:

nltest /dsgetdc:reskit /pdc

DC: \\NTDSDC4

Address: \\172.23.92.85

Dom Guid: ca21b03b-6dd3-11d1-8a7d-b8dfb156871f

Dom Name: RESKIT

Forest Name: reskit.reskit.com.

Dc Site Name: Red-Bldg26

Our Site Name: Red-Bldg26

Flags: PDC DS KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE 0x8

The command completed successfully


E:\>nltest /dsgetdc:server1.reskit.com /gc

DC: \\FE-DC-02.fareast.reskit.com.com

Address: \\172.23.4.194

Dom Guid: 0502fd7a-2b1e-11d3-a5ec-00805f9f21f5

Dom Name: fareast.reskit.com.com

Forest Name: reskit.com.com

Dc Site Name: Default-First-Site-Name

Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
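
The Locator Flags value in the Dcdiag RolesHeld output (0xe00001fd) is a bitmask of the same roles that Nltest prints by name. The following added example, which is not part of the original chapter, decodes it with the DS_*_FLAG bit values documented for DsGetDcName and checks an Nltest Flags line for roles that are not being advertised. The helper names are this example's own, and the sample lines are copied from the outputs on this page.

```python
import re

# Bit values of the DS_*_FLAG constants returned by DsGetDcName, keyed by the
# labels Nltest prints in the outputs on this page, in ascending bit order.
# Bits outside this table are reported as raw hex rather than guessed at.
FLAG_BITS = {
    "PDC": 0x00000001,         # DS_PDC_FLAG
    "GC": 0x00000004,          # DS_GC_FLAG
    "LDAP": 0x00000008,        # DS_LDAP_FLAG
    "DS": 0x00000010,          # DS_DS_FLAG
    "KDC": 0x00000020,         # DS_KDC_FLAG
    "TIMESERV": 0x00000040,    # DS_TIMESERV_FLAG
    "CLOSE_SITE": 0x00000080,  # DS_CLOSEST_FLAG
    "WRITABLE": 0x00000100,    # DS_WRITABLE_FLAG
    "DNS_DC": 0x20000000,      # DS_DNS_CONTROLLER_FLAG
    "DNS_DOMAIN": 0x40000000,  # DS_DNS_DOMAIN_FLAG
    "DNS_FOREST": 0x80000000,  # DS_DNS_FOREST_FLAG
}
KNOWN_MASK = sum(FLAG_BITS.values())  # bits are distinct, so sum equals OR

# Sample inputs copied from the transcripts on this page.
NLTEST_PDC_FLAGS = "Flags: PDC DS KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE 0x8"
ROLES_HELD = r"""
      Starting test: RolesHeld
         GC Name: \\SERVER1.reskit.com
         Locator Flags: 0xe00001fd
         PDC Name: \\SERVER1.reskit.com
         Locator Flags: 0xe00001fd
"""

ROLE_RE = re.compile(r"^\s*(.+?) Name:\s*(\S+)\s*$")
FLAGS_RE = re.compile(r"^\s*Locator Flags:\s*(0x[0-9a-fA-F]+)")


def decode_flags(mask):
    """Return (labels set in mask, leftover bits that have no label here)."""
    names = [name for name, bit in FLAG_BITS.items() if mask & bit]
    return names, mask & ~KNOWN_MASK


def encode_nltest_flags(line):
    """Turn an Nltest 'Flags:' line into a bitmask; bare hex tokens are raw bits."""
    mask = 0
    for token in line.split(":", 1)[1].split():
        if token.lower().startswith("0x"):
            mask |= int(token, 16)
        elif token in FLAG_BITS:
            mask |= FLAG_BITS[token]
        else:
            raise ValueError(f"unrecognised flag label {token!r}")
    return mask


def parse_roles_held(text):
    """Map each role in a Dcdiag RolesHeld block to (server, flags bitmask)."""
    roles, pending = {}, None
    for line in text.splitlines():
        if m := ROLE_RE.match(line):
            pending = (m.group(1), m.group(2))
        elif (m := FLAGS_RE.match(line)) and pending:
            roles[pending[0]] = (pending[1], int(m.group(1), 16))
            pending = None
    return roles


def missing_flags(mask, expected):
    """Labels from `expected` that the domain controller is not advertising."""
    return sorted(name for name in expected if not mask & FLAG_BITS[name])


if __name__ == "__main__":
    pdc_mask = encode_nltest_flags(NLTEST_PDC_FLAGS)
    print(hex(pdc_mask), decode_flags(pdc_mask))
    # The bare 0x8 on that line is the LDAP bit; GC is absent, so this domain
    # controller is not advertising as a Global Catalog.
    print("missing:", missing_flags(pdc_mask, {"GC", "LDAP"}))
    for role, (server, mask) in parse_roles_held(ROLES_HELD).items():
        print(role, server, decode_flags(mask))
```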


Advertising as a Global Catalog Server

A domain controller does not advertise itself as a global catalog until it has replicated in the required domains. The following standards apply for Global Catalog promotion:


Note

The fact that this box is checked does not necessarily imply that the computer has successfully become a Global Catalog and is advertising itself.

There are four ways to determine if a computer is advertising as a Global Catalog:


Note

During dcpromo, after a certain point, the user has the option to finish replication later. If this is selected and the computer is rebooted, the system does not advertise until the first full synchronization of the domain has occurred. Whether the computer considers itself synchronized can be tested by using the RootDSE attribute isSynchronized. This can be examined using Ldp.exe.

Using Dsastat to Detect Directory Partition Differences

If you want to examine the differences amongst a user-defined scope of objects on two different domain controllers, use the Dsastat tool.

The Dsastat command-line tool compares and detects differences between directory partitions on domain controllers. It retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class. Then, it compares the attributes of replicated objects. It can be used to compare two directory trees across replicas within the same domain or, in the case of a Global Catalog, across different domains. You can use this to monitor replication status at a much higher level than monitoring detailed transactions.


Note

The Dcdiag tool contains an option called "check objects" that analyzes and confirms that all copies of a server's computer account objects and a server's DSA objects are consistent. In general, if replication is up-to-date, all copies are consistent and there is no need to detect differences among all the copies. This is only needed if you suspect database corruption. If you have different views of your data, the most likely reason is replication failure. The Dcdiag "replication" test tells you about any replication failures.

For example, to perform a comparison of all users in the Sales organizational unit in the Reskit.com domain, with those in another directory partition, specify the following:

dsastat -s:reskitS1;reskitS2 -b:OU=Sales,DC=Reskit,DC=com -gcattrs:all -sort:true -t:false -p:16 -filter:"(&(objectclass=user)(!objectClass=computer))"


In this example, you can determine whether both domain controllers agree on the contents of the OU=Sales,DC=Reskit,DC=com subtree. It detects objects that exist in one and not the other (for example, if a creation or deletion has not replicated) as well as differences in the values on objects that do exist on both.

This example specifies a base search path at a subtree of the domain. In this case, the organizational unit name is "Sales." The filter specifies that the comparison is concerned only with user objects, not computer objects.


Note

Because computer objects are derived from user objects in the class hierarchy, a search filter specifying "objectclass = user" returns both user and computer objects.

Also, using the Dsastat tool, you can specify the target domain controllers and additional operational parameters from the command line or from an initialization file. The Dsastat tool determines whether domain controllers in a domain have a consistent and accurate image of their own domain. In the case of Global Catalogs, it checks whether the Global Catalog server has an image that is consistent with the domain controllers in other domains. It complements the other replication-monitoring tools, Repadmin and Replmon, by ensuring that domain controllers are up to date with one another.

Determining if Domain Controllers are Up To Date

If you see the error "DS paths have a different object count in them" in the Directory Service log of Event Viewer, use Dsastat, Repadmin, and Replmon to diagnose and resolve the problems.

For example:

LDAP::<DCName>.reskit.com/CN=Packages,CN=Class Store,CN={EF06ECF2-A8C9-11D2-B575-0008C7457B4E},CN=Policies,CN=System, DC=reskit,DC=microsoft,DC=com


For DCName=ntdsdc4 there are 77 objects in the tree, while for DCName=RESKIT-DC-08 there are 78 objects. The missing object is CN={7cc10d6e-463f-4a65-8d4d-56d85fc823c1}


Resolution to the problem:

The object was created by dc1 about 4 P.M.:

C:\>repadmin /showmeta "CN=7cc10d6e-463f-4a65-8d4d-56d85fc823c1,CN=Packages,CN=Class Store,CN=User,CN={EF06ECF2-A8C9-11D

2-B575-0008C7457B4E},CN=Policies,CN=System,DC=reskit,DC=microsoft,DC=com" reskit-dc-08


29 entries.


Loc.USN                      Originating DSA Org.USN       Org.Time/Date  Ver Attribute

=======                      =============== =======       =============  === =========

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 objectClass

12950240               Bldg\RESKIT-DC-0812950240 1999-06-18 16:14.59    1 cn

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 instanceType

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 whenCreated

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 showInAdvancedViewOnly

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 nTSecurityDescriptor

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 name

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 msiScriptPath

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 cOMClassID

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 cOMProgID

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 localeID

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 computerArchitecture

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 revision

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 packageType

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 packageName

12950240                   Bldg\DC1 7612100 1999-06-18 16:01.02    2 packageFlags

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 versionNumberHi

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 versionNumberLo

12950240                   Bldg\DC1 7612100 1999-06-18 16:01.02    3 lastUpdateSequence

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 msiFileList

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 categories

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 url

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 objectCategory

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 upgradeProductCode

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 canUpgradeScript

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 fileExtPriority

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 productCode

12950240                   Bldg\DC1 7612100 1999-06-18 16:01.02    2 msiScriptName

12950240                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 installUiLevel


Taking into consideration the latencies in reskit.microsoft.com (computers being restarted, upgrades, new software installation, and so on), it might take more than an hour for a change to replicate.

The following example shows that the change has finally replicated:

C:\>repadmin /showmeta "CN=7cc10d6e-463f-4a65-8d4d-56d85fc823c1,CN=Packages,CN=Class Store,CN=User,CN={EF06ECF2-

2-B575-0008C7457B4E},CN=Policies,CN=System,DC=reskit,DC=microsoft,DC=com" ntdsdc4


29 entries.


Loc.USN                      Originating DSA Org.USN       Org.Time/Date  Ver Attribute

=======                      =============== =======       =============  === =========

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 objectClass

7597742                   Bldg\DC4 7597742 1999-06-18 16:17.19    1 cn

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 instanceType

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 whenCreated

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 showInAdvancedViewOnly

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 nTSecurityDescriptor

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 name

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 msiScriptPath

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 cOMClassID

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 cOMProgID

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 localeID

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 computerArchitecture

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 revision

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 packageType

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 packageName

7597742                   Bldg\DC1 7612100 1999-06-18 16:01.02    2 packageFlags

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 versionNumberHi

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 versionNumberLo

7597742                   Bldg\DC1 7612100 1999-06-18 16:01.02    3 lastUpdateSequence

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 msiFileList

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 categories

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 url

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 objectCategory

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 upgradeProductCode

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 canUpgradeScript

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 fileExtPriority

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 productCode

7597742                   Bldg\DC1 7612100 1999-06-18 16:01.02    2 msiScriptName

7597742                   Bldg\DC1 7611643 1999-06-18 15:58.37    1 installUiLevel


For monitoring replication, use the tools Repadmin, Replmon, and Dsastat in the /Support directory on the Windows 2000 operating system CD.

© 1985-2000 Microsoft Corporation. All rights reserved.