Active Directory Diagnostics, Troubleshooting, and Recovery
Among the most important features of Windows 2000 are that all domain controllers in the same domain are peers of one another and that any domain controller can make directory updates.
However, given the way in which directory updates are replicated from one domain controller to another, it is possible that difficulties can arise. For example, if the necessary domain controllers are not connected by a replication topology, the appropriate domain controllers do not receive directory updates when replication occurs.
Also, in order for the (Domain Controller) Locator to find a domain controller, it must have accurate information so that it can properly locate the resource. If a domain controller is incorrectly advertised, the Locator is not going to find it.
Note
In addition to the DNS and NetBIOS broadcast being used to find servers, each server must be "advertising" a role in order for the locator to return that server as a candidate. You can use the Nltest tool to show what roles are being advertised. Furthermore, a server does not advertise itself in some roles until it has finished initializing. Thus, if a server is stuck or having problems starting, it might be excluded from the list of available servers, making the other servers more heavily loaded. If a server runs out of disk space, it stops advertising itself as an LDAP server.
Also be aware that FRS might prevent a computer from advertising.
This section discusses diagnostic tools and gives examples of possible domain controller consistency problems, along with suggested solutions.
In Event Viewer, there is a separate directory service log to which all the directory events are written. For example, domain controller consistency problems might be manifested in events such as Internal Processing, Inter-Site Messaging, Service Control, and Internal Configuration.
For information about the replication schedule of directory partitions, use Event Viewer, and increase the Replication Events logging level to level 2. You can adjust the logging level in the registry by changing the value of entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics subkey.
Note
You should check the event log first and not raise the logging level until you understand the problem and what you are looking for.
It is not recommended that you set the diagnostic level of Replication Events higher than 2. The user can be inundated with detail, especially for replication events.
For more information about adjusting Active Directory log levels, see "Advanced Troubleshooting" later in this chapter. Do not modify the registry until you have read this section.
The Domain Controller Diagnostic tool (Dcdiag) analyzes the state of domain controllers in a forest or enterprise and reports any problems. The tool is designed to be an end-user reporting program that encapsulates the detailed knowledge of how to identify abnormal behavior in the computer. The area of focus of this tool is domain controller functions and interactions across an entire enterprise.
Dcdiag consists of a framework for running tests, and a series of tests to verify different functional areas of Active Directory. The framework selects which domain controllers are tested according to scope directives given by the user, such as enterprise, site, or single server. The user can also select domain controllers holding a directory partition.
It is recommended that only severe errors be reported, and that they be reported in a way that informs the user of the consequences of the problem, and also suggests a course of action for the user. In the default mode, minimum output is displayed — successful confirmation of each test. In the verbose mode, the collected data for each test displays.
Note
Note that Dcdiag is intended to perform a fully automatic analysis with little user intervention. It is essentially a read-only tool that does not affect the state of the enterprise. Although it allows specific tests to be run individually, it is not intended as a general toolbox of commands to perform specific tasks.
Use the Dcdiag tool to diagnose domain controller status for the following:
To test for domain controller connectivity, use the Dcdiag tool to do the following:
To test for domain controller replication consistency, use the Dcdiag tool to do the following:
To test for domain controller topology integrity, use the Dcdiag tool to verify that all servers holding a specific directory partition are connected by the replication topology.
Use the Dcdiag tool to test the security descriptors on the directory partition heads, such as the Schema, Domain, or Configuration directory partitions, for the proper permissions.
To ensure that users have the necessary permissions, use the Dcdiag tool to do the following:
To ensure that the Domain Controller Locator is properly functioning, use the Dcdiag tool to do the following:
To ensure consistency of domain controllers among sites, use the Dcdiag tool to do the following:
For more information about Inter-site Topology Generator, bridgeheads, and bridgehead failovers, see "Active Directory Replication" in this book.
To check for trust verification, the recommended method is to use the Netdom tool. However, the Dcdiag tool can also be used to check explicit trust relationships. A trust verification runs between two domains and enumerates all of the domain controllers in each domain. You can optionally scope this verification by site or by domain controller. You can check trust establishment, the secure channel setup, and ticket validity between each pair of domain controllers. By default, errors are flagged. In verbose mode, all of the successes are printed as well.
Note
The Dcdiag tool only checks explicit trust relationships; it does not check Kerberos v5 trust relationships. To check the Kerberos v5 trust relationships, you would use the Netdom tool. For more information on the Netdom tool and how to check the Kerberos v5 trust relationships, see "Join and Authentication Issues" later in this chapter.
If the trust relationship fails between every pair of domain controllers, there is a very high probability that the problem is with the trust relationship. In this case, use the Nltest tool to further isolate the failure (for example, use the /sc_query and /sc_reset switches) and the Net Logon log to further investigate the problem.
Note
The problem can usually be resolved by recreating the trust relationship through the Active Directory Domains and Trusts console.
If only a few pairs of domain controllers are experiencing the trust relationship problem and other pairs are not, it could be a replication or name resolution–related problem. In this case, check whether the trusted domain objects (in the System container) are up-to-date on all domain controllers.
For more information about trusted domain objects, see "Active Directory Logical Structure" in this book.
For each server that has a broken secure channel, the server's name is printed out along with a Win32 error message indicating the reason why the secure channel is not working. For each error, the next step is to examine the domain controller that is having the trouble — most likely the error is network connectivity based.
Following is an example of a secure channel failure while running the Dcdiag tool.
F:> dcdiag /v /s:dc5 /test:outboundsecurechannels /testdomain:washington /nositerestriction
DC Diagnosis
Performing initial setup:
* Connecting to directory service on server dc5.
* Collecting site info.
* Identifying all servers.
* Found 20 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial non skippeable tests
Testing server: Building1\DC5
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC5passed test Connectivity
Doing primary tests
Testing server: Building1\DC5
Test omitted by user request: Replications
Test omitted by user request: Topology
Test omitted by user request: NCSecDesc
Test omitted by user request: NetLogons
Test omitted by user request: LocatorGetDc
Test omitted by user request: RidManager
Test omitted by user request: MachineAccount
Test omitted by user request: Services
Starting test: OutboundSecureChannels
* Secure channel from [DC-08] to [\\RED-DC-11.washington.corp.micros
oft.com] is working properly.
* [DC-08] has downlevel trust object for [washington]
* [DC-08] has uplevel trust object for [washington]
* Secure channel from [DC-07] to [\\RED-DC-01.washington.corp.micros
oft.com] is working properly.
* [DC-07] has downlevel trust object for [washington]
* [DC-07] has uplevel trust object for [washington]
* Secure channel from [NTDSDCB] to [\\RED-DC-08.washington.reskit.com.
com] is working properly.
* [NTDSDCB] has downlevel trust object for [washington]
* [NTDSDCB] has uplevel trust object for [washington]
[NTDSDC] LDAP connection failed with error 58,
The specified server cannot perform the requested operation..
[NTDSDC] LDAP bind failed with error 31. A device attached to the system is not functioning.
* Secure channel from [DC5] to [\\RED-DC-12.washington.reskit.com.
com] is working properly.
* [DC5] has downlevel trust object for [washington]
* [DC5] has uplevel trust object for [washington]
* Secure channel from [DC1] to [\\RED-DC-03.washington.reskit.com.
com] is working properly.
* [DC1] has downlevel trust object for [washington]
* [DC1] has uplevel trust object for [washington]
* Secure channel from [DC9] to [\\RED-DC-07.washington.reskit.com.
com] is working properly.
* [DC9] has downlevel trust object for [washington]
* [DC9] has uplevel trust object for [washington]
* Secure channel from [DCG] to [\\RED-DC-08.washington.reskit.com.
com] is working properly.
* [DCG] has downlevel trust object for [washington]
* [DCG] has uplevel trust object for [washington]
* Secure channel from [DC2] to [\\RED-DC-06.washington.reskit.com.
com] is working properly.
* [DC2] has downlevel trust object for [washington]
* [DC2] has uplevel trust object for [washington]
......................... NTDSDC failed test OutboundSecureChannels
Test omitted by user request: ObjectsReplicated
Running enterprise tests on : reskit.com
Test omitted by user request: Intersite
Test omitted by user request: RolesHeld
In this example, NTDSDC is down.
For a specific secure channel problem, you might see the following:
* Secure channel from [DC5] to washington is working because "The RPC server is unavailable."
In this case, it is recommended that the administrator run diagnostics on [DC5] to see whether it is having network problems.
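When Dcdiag is run against many domain controllers, the pass/fail lines and the per-server error lines can be pulled out of the verbose output mechanically. The following is an added example, not part of the original chapter or of Dcdiag itself; the sample text is constructed from the shape of the output on this page, and the function names are hypothetical.

```python
import re

# Constructed sample, abridged from the shape of the Dcdiag output on this page.
SAMPLE = r"""
Testing server: Building1\DC5
   Starting test: Connectivity
   ......................... DC5passed test Connectivity
   Test omitted by user request: Replications
   Starting test: OutboundSecureChannels
   * Secure channel from [DC-08] to [\\RED-DC-11.washington.reskit.com] is working properly.
   [NTDSDC] LDAP connection failed with error 58,
   The specified server cannot perform the requested operation..
   [NTDSDC] LDAP bind failed with error 31. A device attached to the system is not functioning.
   ......................... NTDSDC failed test OutboundSecureChannels
Testing server: Default-First-Site-Name\SERVER1
   Starting test: LocatorGetDc
   ......................... SERVER1 failed test LocatorGetDc
   Starting test: OutboundSecureChannels
   ** Did not run test because /testdomain: was not entered ......
   ................... SERVER1 passed test OutboundSecureChannels
"""

TESTING = re.compile(r"Testing server: \S*\\(\S+)")
START = re.compile(r"Starting test: (\S+)")
OMITTED = re.compile(r"Test omitted by user request: (\S+)")
NOT_RUN = re.compile(r"Did not run test")
DC_ERROR = re.compile(r"\[([^\]]+)\] (.+?) failed with error (\d+)")
# The name and "passed" can run together ("DC5passed"), so whitespace is optional.
RESULT = re.compile(r"\.{5,}\s*(\S+?)\s*(passed|failed) test (\S+)")


def parse_dcdiag(text):
    """Return (results, errors) parsed from Dcdiag output.

    results: (server, test, status), status is passed/failed/omitted/not-run
    errors:  (test, server, operation, win32_code) for per-server error lines
    """
    results, errors = [], []
    tested = current = None
    not_run = False
    for line in text.splitlines():
        if m := TESTING.search(line):
            tested = m.group(1)
        elif m := START.search(line):
            current, not_run = m.group(1), False
        elif m := OMITTED.search(line):
            results.append((tested, m.group(1), "omitted"))
        elif NOT_RUN.search(line):
            not_run = True          # Dcdiag still prints "passed" for this test
        elif m := DC_ERROR.search(line):
            errors.append((current, m.group(1), m.group(2), int(m.group(3))))
        elif m := RESULT.search(line):
            server, status, test = m.groups()
            if status == "passed" and not_run:
                status = "not-run"
            results.append((server, test, status))
    return results, errors


def triage(text):
    """List what an operator should look at: test outcomes first, then errors."""
    results, errors = parse_dcdiag(text)
    findings = []
    for server, test, status in results:
        if status == "failed":
            findings.append(f"{server}: test {test} failed")
        elif status == "not-run":
            findings.append(f"{server}: test {test} printed 'passed' but did not run")
    for test, server, operation, code in errors:
        findings.append(f"{server}: {operation} failed, Win32 error {code} ({test})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The "not-run" status covers the case visible in the full sample run later on this page, where OutboundSecureChannels is reported as passed even though it was skipped because /testdomain: was not entered.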
The checks are as follows:
For more information about notification links, see "Active Directory Replication" in this book.
This option checks the following:
Verify that File Replication service (FRS) has started successfully on all servers. If FRS has not started, it delays the Net Logon service from advertising that domain controller.
Verifies that critical services are running on each domain controller. The services that are checked include: File Replication service, Intersite Messaging Service, Kerberos v5 Key Distribution Center Service, Server Service, Workstation Service, Remote Procedure Call Locator Service, Windows Time Service, Distributed Link Tracking Client Service, Distributed Link Tracking Server Service and the Net Logon service.
Sample output of Dcdiag.exe running all the previous tests in verbose mode:
C:\DS TOOLS>dcdiag /s:SERVER1 /c /v
DC Diagnosis
Performing initial setup:
* Connecting to directory service on server SERVER1.
* Collecting site info.
* Identifying all servers.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial non skippeable tests
Testing server: Default-First-Site-Name\SERVER1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... SERVER1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SERVER1
Starting test: Replications
* Replications Check
......................... SERVER1 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=f
oobar,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=reskit,DC=c
om.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=reskit,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... SERVER1 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for CN=Schema,CN=Conf
iguration,DC=reskit,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,
DC=reskit,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=reskit,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... SERVER1 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=reskit,DC=com
* Security Permissions Check for
CN=Configuration,DC=reskit,DC=com
* Security Permissions Check for
DC=reskit,DC=com
......................... SERVER1 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... SERVER1 passed test NetLogons
Starting test: LocatorGetDc
Role Schema Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com
Role Domain Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com
Role PDC Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-Firs
t-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com
Role Rid Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-Firs
t-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com
Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERVER1,CN=Serve
rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com
......................... SERVER1 failed test LocatorGetDc
Starting test: RidManager
* Available RID Pool for the Domain is 1603 to 1073741823
* SERVER1.reskit.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1103 to 1602
* rIDNextRID: 1106
* rIDPreviousAllocationPool is 1103 to 1602
......................... SERVER1 passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/SERVER1.reskit.com/reskit.com
* SPN found :LDAP/SERVER1.reskit.com
* SPN found :LDAP/SERVER1
* SPN found :LDAP/SERVER1.reskit.com/RESKIT1
* SPN found :LDAP/6cbd730e-b9ce-4154-8367-45a8b469097b._msdcs.reskit.co
m
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/6cbd730e-b9ce-4154-83
67-45a8b469097b/reskit.com
* SPN found :HOST/SERVER1.reskit.com/reskit.com
* SPN found :HOST/SERVER1.reskit.com
* SPN found :HOST/SERVER1
* SPN found :HOST/SERVER1.reskit.com/RESKIT1
* SPN found :GC/SERVER1.reskit.com/reskit.com
......................... SERVER1 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: RPCLOCATOR
* Checking Service: w32time
* Checking Service: TrkWks
* Checking Service: TrkSvr
* Checking Service: NETLOGON
* Checking Service: Dnscache
* Checking Service: NtFrs
......................... SERVER1 passed test Services
Starting test: OutboundSecureChannels
** Did not run test because /testdomain: was not entered ......
................... SERVER1 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
SERVER1 is in domain DC=reskit,DC=com
Checking for CN=SERVER1,OU=Domain Controllers,DC=reskit,DC=com in domai
n DC=reskit,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Si
te-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com in domain CN=Configuration,DC
=reskit,DC=com on 1 servers
Object is up-to-date on all servers.
......................... SERVER1 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service Event log test
The SYSVOL has been shared, and the AD is no longer
prevented from starting by the File Replication Service.
......................... SERVER1 passed test frssysvol
Running enterprise tests on : reskit.com
Starting test: Intersite
......................... reskit.com passed test Intersite
Starting test: RolesHeld
GC Name: \\SERVER1.reskit.com
Locator Flags: 0xe00001fd
PDC Name: \\SERVER1.reskit.com
Locator Flags: 0xe00001fd
Time Server Name: \\SERVER1.reskit.com
Locator Flags: 0xe00001fd
Preferred Time Server Name: \\SERVER1.reskit.com
Locator Flags: 0xe00001fd
KDC Name: \\SERVER1.reskit.com
Locator Flags: 0xe00001fd
......................... reskit.com passed test RolesHeld
Ntdsutil is a command-line tool that provides directory service management. It maintains the Active Directory store, manages and controls Flexible Single Master Operations master, and purges metadata left behind by abandoned domain controllers (which are removed from the network without being uninstalled). For more information about using Ntdsutil, see "Active Directory Diagnostic Tool (Ntdsutil.exe)" in this book.
By using Ntdsutil, you can diagnose and troubleshoot the following domain controller consistency-related issues:
Note
Netdom can also remove orphaned domains. For more information about removing orphaned domain controllers, see "Active Directory Installation and Removal" later in this chapter.
View directory partitions, sites, servers, domains, and operations master roles.
There might be instances when you need to identify which domain controller holds the primary domain controller operations master role in a domain so that clients that are running earlier versions of Windows NT can be authenticated.
Note
Clients running earlier versions of Windows NT can be authenticated at any domain controller. Unavailability of the PDC emulator prevents these clients from joining computers to the domain or changing their user password among other options.
Also, you might need to identify which domain controllers are Global Catalog servers so that you can verify that LDAP Search requests can be satisfied in the forest. Use the following methods to identify Windows 2000 domain controllers:
nltest /dsgetdc:reskit /pdc
DC: \\NTDSDC4
Address: \\172.23.92.85
Dom Guid: ca21b03b-6dd3-11d1-8a7d-b8dfb156871f
Dom Name: RESKIT
Forest Name: reskit.reskit.com.
Dc Site Name: Red-Bldg26
Our Site Name: Red-Bldg26
Flags: PDC DS KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE 0x8
The command completed successfully
E:\nltest /dsgetdc:server1.reskit.com /gc
DC: \\FE-DC-02.fareast.reskit.com.com
Address: \\172.23.4.194
Dom Guid: 0502fd7a-2b1e-11d3-a5ec-00805f9f21f5
Dom Name: fareast.reskit.com.com
Forest Name: reskit.com.com
Dc Site Name: Default-First-Site-Name
Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
A domain controller does not advertise itself as a global catalog until it has replicated in the required domains. The following standards apply to Global Catalog promotion:
Note
The fact that this box is checked does not necessarily imply that the computer has successfully become a Global Catalog and is advertising itself.
There are four ways to determine if a computer is advertising as a Global Catalog:
Note
During dcpromo, after a certain point, the user has the option to finish replication later. If this is selected and the computer is rebooted, the system does not advertise until the first full synchronization of the domain has occurred. Whether the computer considers itself synchronized can be tested by using the RootDSE attribute isSynchronized. This can be examined using Ldp.exe.
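The Flags line in the Nltest outputs above and the hexadecimal "Locator Flags" value in the Dcdiag RolesHeld output are two renderings of the same bit field, so either can be used to check which roles a located domain controller actually advertises. The following is an added example, not part of the original chapter; the bit values are the DsGetDcName flag constants, the short names are the ones Nltest prints on this page, and the function names are hypothetical.

```python
import re

# Bit values are the DsGetDcName flag constants from dsgetdc.h; the short
# names are the ones Nltest prints in the outputs on this page.
LOCATOR_BITS = {
    "PDC": 0x1, "GC": 0x4, "LDAP": 0x8, "DS": 0x10, "KDC": 0x20,
    "TIMESERV": 0x40, "CLOSE_SITE": 0x80, "WRITABLE": 0x100,
    "DNS_DC": 0x20000000, "DNS_DOMAIN": 0x40000000, "DNS_FOREST": 0x80000000,
}

# Flags lines copied from the two Nltest outputs on this page.
NLTEST_PDC = "Flags: PDC DS KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE 0x8"
NLTEST_GC = "Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST"
DCDIAG_FLAGS = 0xE00001FD   # "Locator Flags" value from the RolesHeld test


def flags_from_nltest(text):
    """Fold an Nltest "Flags:" line (names plus any raw hex) into one integer."""
    match = re.search(r"^\s*Flags:\s*(.*)$", text, re.M)
    if not match:
        raise ValueError("no Flags: line found")
    value = 0
    for token in match.group(1).split():
        if token in LOCATOR_BITS:
            value |= LOCATOR_BITS[token]
        elif re.fullmatch(r"0x[0-9a-fA-F]+", token):
            value |= int(token, 16)     # bit Nltest printed without a name
        else:
            raise ValueError(f"unrecognized flag token: {token}")
    return value


def decode(flags):
    """Names of the set bits, lowest bit first; unnamed bits are kept as hex."""
    by_bit = sorted(LOCATOR_BITS.items(), key=lambda item: item[1])
    names = [name for name, bit in by_bit if flags & bit]
    leftover = flags & ~sum(LOCATOR_BITS.values())
    return names + ([hex(leftover)] if leftover else [])


def not_advertised(flags, expected):
    """Roles from `expected` that the located domain controller does not advertise."""
    return [role for role in expected if not flags & LOCATOR_BITS[role]]


if __name__ == "__main__":
    pdc_flags = flags_from_nltest(NLTEST_PDC)
    print(hex(pdc_flags), decode(pdc_flags))
    print("missing:", not_advertised(pdc_flags, ["GC", "LDAP", "KDC"]))
    print(decode(DCDIAG_FLAGS))
```

Comparing the result against the roles a server is configured to hold (for example, a server with the Global Catalog box checked) shows whether it has started advertising them.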
If you want to examine the differences amongst a user-defined scope of objects on two different domain controllers, use the Dsastat tool.
The Dsastat command-line tool compares and detects differences between directory partitions on domain controllers. It retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class. Then, it compares the attributes of replicated objects. It can be used to compare two directory trees across replicas within the same domain or, in the case of a Global Catalog, across different domains. You can use this to monitor replication status at a much higher level than monitoring detailed transactions.
Note
The Dcdiag tool contains an option called "check objects" that analyzes and confirms that all copies of a server's computer account objects and a server's DSA objects are consistent. In general, if replication is up-to-date, all copies are consistent and there is no need to detect differences among all the copies. This is only needed if you suspect database corruption. If you have different views of your data, the most likely reason is replication failure. The Dcdiag "replication" test tells you about any replication failures.
For example, to perform a comparison of all users in the Sales organizational unit in the Reskit.com domain, with those in another directory partition, specify the following:
dsastat -s:reskitS1;reskitS2 -b:OU=Sales,DC=Reskit,DC=com -gcattrs:all -sort:true -t:false -p:16 -filter:"(&(objectclass=user)(!(objectClass=computer)))"
In this example you can determine whether both domain controllers agreed on the contents of the OU=Sales,DC=Reskit,DC=com subtree. It detects objects in one and not the other (for example, if a creation or deletion has not replicated) as well as differences in the values on objects that do exist on both.
This example specifies a base search path at a subtree of the domain. In this case, the organizational unit name is "Sales." The filter specifies that the comparison is concerned only with user objects, not computer objects.
Note
Because computer objects are derived from user objects in the class hierarchy, a search filter specifying "objectclass = user" returns both user and computer objects.
Also, using the Dsastat tool, you can specify the target domain controllers and additional operational parameters from the command line or from an initialization file. The Dsastat tool determines whether domain controllers in a domain have a consistent and accurate image of their own domain. In the case of Global Catalogs, it checks whether the Global Catalog server has an image that is consistent with the domain controllers in other domains. It complements the other replication-monitoring tools, Repadmin and Replmon, by ensuring that domain controllers are up to date with one another.
If you see the error "DS paths have a different object count in them" in the Directory Service log of Event Viewer, you would use Dsastat, Repadmin, and Replmon to diagnose and resolve the problems.
For example:
LDAP::<DCName>.reskit.com/CN=Packages,CN=Class Store,CN={EF06ECF2-A8C9-11D2-B575-0008C7457B4E},CN=Policies,CN=System, DC=reskit,DC=microsoft,DC=com
For DCName=ntdsdc4 there are 77 objects in the tree while for DCName=RESKIT-DC-08 there are 78 objects. The missing object is CN={7cc10d6e-463f-4a65-8d4d-56d85fc823c1}.
Resolution to the problem:
The object was created by dc1 about 4 P.M.:
C:\>repadmin /showmeta "CN=7cc10d6e-463f-4a65-8d4d-56d85fc823c1,CN=Packages,CN=Class Store,CN=User,CN={EF06ECF2-A8C9-11D
2-B575-0008C7457B4E},CN=Policies,CN=System,DC=reskit,DC=microsoft,DC=com" reskit-dc-08
29 entries.
Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute
======= =============== ======= ============= === =========
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 objectClass
12950240 Bldg\RESKIT-DC-0812950240 1999-06-18 16:14.59 1 cn
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 instanceType
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 whenCreated
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 showInAdvancedViewOnly
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 nTSecurityDescriptor
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 name
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 msiScriptPath
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 cOMClassID
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 cOMProgID
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 localeID
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 computerArchitecture
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 revision
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 packageType
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 packageName
12950240 Bldg\DC1 7612100 1999-06-18 16:01.02 2 packageFlags
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 versionNumberHi
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 versionNumberLo
12950240 Bldg\DC1 7612100 1999-06-18 16:01.02 3 lastUpdateSequence
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 msiFileList
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 categories
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 url
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 objectCategory
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 upgradeProductCode
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 canUpgradeScript
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 fileExtPriority
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 productCode
12950240 Bldg\DC1 7612100 1999-06-18 16:01.02 2 msiScriptName
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 installUiLevel
Taking into consideration the latencies in reskit.microsoft.com (computers being restarted, upgrades, new software installation, and so on), it might take more than an hour for a change to replicate.
The following example shows that the change has finally replicated:
C:\>repadmin /showmeta "CN=7cc10d6e-463f-4a65-8d4d-56d85fc823c1,CN=Packages,CN=Class Store,CN=User,CN={EF06ECF2-
2-B575-0008C7457B4E},CN=Policies,CN=System,DC=reskit,DC=microsoft,DC=com" ntdsdc4
29 entries.
Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute
======= =============== ======= ============= === =========
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 objectClass
7597742 Bldg\DC4 7597742 1999-06-18 16:17.19 1 cn
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 instanceType
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 whenCreated
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 showInAdvancedViewOnly
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 nTSecurityDescriptor
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 name
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 msiScriptPath
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 cOMClassID
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 cOMProgID
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 localeID
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 computerArchitecture
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 revision
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 packageType
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 packageName
7597742 Bldg\DC1 7612100 1999-06-18 16:01.02 2 packageFlags
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 versionNumberHi
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 versionNumberLo
7597742 Bldg\DC1 7612100 1999-06-18 16:01.02 3 lastUpdateSequence
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 msiFileList
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 categories
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 url
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 objectCategory
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 upgradeProductCode
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 canUpgradeScript
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 fileExtPriority
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 productCode
7597742 Bldg\DC1 7612100 1999-06-18 16:01.02 2 msiScriptName
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 installUiLevel
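The two Repadmin outputs above can be compared row by row instead of by eye: Loc.USN always differs between replicas, so convergence is judged on the originating DSA, Org.USN, time, and version of each attribute. The following is an added example, not part of the original chapter; the rows are copied (abridged) from the outputs on this page, the STALE replica is constructed, and reading the self-stamped cn row as the time the replica wrote the object locally is an assumption.

```python
from collections import namedtuple
from datetime import datetime

Stamp = namedtuple("Stamp", "loc_usn dsa org_usn when ver")

# Rows copied (abridged) from the two outputs on this page.
ON_DC08 = r"""
29 entries.
Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 objectClass
12950240 Bldg\RESKIT-DC-0812950240 1999-06-18 16:14.59 1 cn
12950240 Bldg\DC1 7611643 1999-06-18 15:58.37 1 whenCreated
12950240 Bldg\DC1 7612100 1999-06-18 16:01.02 2 packageFlags
"""
ON_DC4 = r"""
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 objectClass
7597742 Bldg\DC4 7597742 1999-06-18 16:17.19 1 cn
7597742 Bldg\DC1 7611643 1999-06-18 15:58.37 1 whenCreated
7597742 Bldg\DC1 7612100 1999-06-18 16:01.02 2 packageFlags
"""
# Constructed: a replica that has the object but not the 16:01 packageFlags update.
STALE = ON_DC4.replace("7612100 1999-06-18 16:01.02 2 packageFlags",
                       "7611643 1999-06-18 15:58.37 1 packageFlags")


def parse_showmeta(text):
    """Return ({attribute: Stamp}, [unparsed rows]); assumes no spaces in DSA names."""
    rows, unparsed = {}, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].isdigit():
            continue                    # prompt, header, separator, "29 entries."
        if len(f) == 7 and f[2].isdigit():
            loc, dsa, org, day, clock, ver, attr = f
        elif len(f) == 6 and f[1].endswith(f[0]) and len(f[1]) > len(f[0]):
            # The DSA name ran into Org.USN (the cn row above). This is only
            # unambiguous when Org.USN equals Loc.USN, i.e. a local write.
            loc, fused, day, clock, ver, attr = f
            dsa, org = fused[: -len(loc)], loc
        else:
            unparsed.append(line)       # report, never silently drop
            continue
        rows[attr] = Stamp(int(loc), dsa, int(org), f"{day} {clock}", int(ver))
    return rows, unparsed


def compare_replicas(a, b):
    """Classify every attribute by the replicated part of its stamp."""
    report = {"converged": [], "diverged": [], "self_stamped": [], "missing": []}
    for attr in sorted(set(a) | set(b)):
        sa, sb = a.get(attr), b.get(attr)
        if sa is None or sb is None:
            report["missing"].append(attr)
        elif sa.org_usn == sa.loc_usn and sb.org_usn == sb.loc_usn and sa.dsa != sb.dsa:
            # Each replica originated its own write (cn in the page's outputs).
            report["self_stamped"].append(attr)
        elif sa[1:] == sb[1:]:          # ignore Loc.USN, compare the rest
            report["converged"].append(attr)
        else:
            report["diverged"].append(attr)
    return report


def arrival_delay_seconds(rows):
    """Seconds from whenCreated's originating time to the replica's own cn stamp."""
    fmt = "%Y-%m-%d %H:%M.%S"
    created = datetime.strptime(rows["whenCreated"].when, fmt)
    arrived = datetime.strptime(rows["cn"].when, fmt)
    return int((arrived - created).total_seconds())


if __name__ == "__main__":
    dc08, _ = parse_showmeta(ON_DC08)
    dc4, _ = parse_showmeta(ON_DC4)
    print(compare_replicas(dc08, dc4))
    print(arrival_delay_seconds(dc08), arrival_delay_seconds(dc4))
```

An attribute listed under "diverged" is the one to follow up with the replication tests; attributes other than cn that appear under "self_stamped" indicate that both replicas wrote the value themselves and have not yet reconciled.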
For monitoring replication, use the tools Repadmin, Replmon, and Dsastat in the /Support directory on the Windows 2000 operating system CD.