Domain Controller Issues

Among the most important features of Windows 2000 are that all domain controllers in the same domain are peers of one another and that any domain controller can accept directory updates.

However, because directory updates are replicated from one domain controller to another, difficulties can arise. For example, if the domain controllers that hold a directory partition are not all connected by the replication topology, some of them do not receive directory updates when replication occurs.

Also, the Domain Controller Locator can find a domain controller only if the information that the domain controller publishes (its DNS records and the roles it advertises) is accurate. If a domain controller is advertised incorrectly, the Locator does not find it.

Note

In addition to DNS and NetBIOS broadcasts being used to find servers, each server must be "advertising" a role in order for the Locator to return that server as a candidate. You can use the Nltest tool to show which roles are being advertised. Furthermore, a server does not advertise itself in some roles until it has finished initializing. Thus, if a server is stuck or having problems starting, it might be excluded from the list of available servers, making the other servers more heavily loaded. If a server runs out of disk space, it stops advertising itself as an LDAP server.

Also be aware that FRS might prevent a computer from advertising: Net Logon does not advertise a domain controller until FRS has replicated and shared SYSVOL.

This section discusses diagnostic tools and gives examples of possible domain controller consistency problems, along with suggested solutions.

Event Viewer

In Event Viewer, there is a separate Directory Service log that receives all directory service events. For example, domain controller consistency problems might be manifested in events from categories such as Internal Processing, Inter-Site Messaging, Service Control, and Internal Configuration.

For information about the replication schedule of directory partitions, use Event Viewer, and increase the Replication Events logging level to level 2. You can adjust the logging level in the registry by changing the value of entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics subkey.

Note

You should check the event log first and not raise the logging level until you understand the problem and what you are looking for.

It is not recommended that you set the diagnostic level of Replication Events higher than 2. The user can be inundated with detail, especially for replication events.

For more information about adjusting Active Directory log levels, see "Advanced Troubleshooting" later in this chapter. Do not modify the registry until you have read this section.

Using Dcdiag to Diagnose Domain Controller Issues

The Domain Controller Diagnostic tool (Dcdiag) analyzes the state of domain controllers in a forest or enterprise and reports any problems. The tool is designed to be an end-user reporting program that encapsulates the detailed knowledge of how to identify abnormal behavior in the computer. The area of focus of this tool is domain controller functions and interactions across an entire enterprise.

Dcdiag consists of a framework for running tests, and a series of tests to verify different functional areas of Active Directory. The framework selects which domain controllers are tested according to scope directives given by the user, such as enterprise, site, or single server. The user can also select domain controllers holding a directory partition.

The tool is designed to report only severe errors, and to report them in a way that tells the user the consequences of the problem and suggests a course of action. In the default mode, minimum output is displayed: successful confirmation of each test. In verbose mode, the data collected for each test is displayed.

Note

Dcdiag is intended to perform a fully automatic analysis with little user intervention. It is essentially a read-only tool that does not affect the state of the enterprise. Although it allows specific tests to be run individually, it is not intended as a general toolbox of commands for performing specific tasks.

Use the Dcdiag tool to diagnose domain controller status for the following:

  • Connectivity

  • Replication

  • Topology Integrity

  • Directory Partition Head Permissions

  • User Permissions

  • Locator Functionality

  • Inter-site Health

  • Trust Verification

  • Diagnose Replication Latencies

  • Replication of Trust Objects

  • File Replication Service

  • Critical Services Check

Connectivity

To test for domain controller connectivity, use the Dcdiag tool to do the following:

  • Verify that the DNS names for the server are registered.

  • Verify that the server can be reached by means of IP at its IP address.

  • Verify that the server can be reached by means of LDAP.

  • Verify that the server can be reached by means of an RPC call.

Replication

To test for domain controller replication consistency, use the Dcdiag tool to do the following:

  • Report any replication errors on incoming replica links to this computer. Normal errors, such as those generated because the source is deleted or a new source is added, are filtered out appropriately.

  • Report if replications are late in being performed.

  • Check if replication is disabled.

Topology Integrity

To test for domain controller topology integrity, use the Dcdiag tool to verify that all servers holding a specific directory partition are connected by the replication topology.

Directory Partition Head Permissions

Use the Dcdiag tool to check that the security descriptors on the directory partition heads (the Schema, Configuration, and domain directory partitions) grant the permissions that replication requires.

User Permissions

To ensure that users have the necessary permissions, use the Dcdiag tool to do the following:

  • Check that the necessary users have the proper network logon permissions to allow replication to proceed.

  • Check for Authenticated Users.

Locator Functionality

To ensure that the Domain Controller Locator is properly functioning, use the Dcdiag tool to do the following:

  • Verify that each server is being advertised to the (Domain Controller) Locator.

  • Verify that the roles returned by the Locator for the computer match the roles that the computer is capable of holding.

  • Verify that the server recognizes and can communicate with global role holders (operations masters).

  • Verify that the Locator can find a Global Catalog server for the enterprise.

  • Verify that the Locator can find a primary domain controller for the enterprise.

Inter-site Health

To ensure consistency of domain controllers among sites, use the Dcdiag tool to do the following:

  • Identify the Inter-site Topology Generator for each site.

  • Identify bridgeheads for a site and generate a bridgehead status report to determine which ones are not functioning.

  • In the case where bridgeheads are not functioning, locate additional backup bridgeheads. Report how long it is going to be until a failed bridgehead is failed-over. Fail-over means that if a bridgehead server unexpectedly goes down, another delegated or preferred bridgehead server eventually takes the place of that bridgehead server.

  • Identify which sites are not communicating with other sites in the network topology.

For more information about Inter-site Topology Generator, bridgeheads, and bridgehead failovers, see "Active Directory Replication" in this book.

Trust Verification

To verify trusts, the recommended method is to use the Netdom tool. However, the Dcdiag tool can also be used to check explicit trust relationships. A trust verification runs between two domains and enumerates all of the domain controllers in each domain. You can optionally scope this verification by site or by domain controller. You can check trust establishment, the secure channel setup, and ticket validity between each pair of domain controllers. By default, only errors are flagged. In verbose mode, all of the successes are printed as well.

Note

The Dcdiag tool only checks explicit trust relationships; it does not check Kerberos v5 trust relationships. To check the Kerberos v5 trust relationships, use the Netdom tool. For more information about the Netdom tool and how to check the Kerberos v5 trust relationships, see "Join and Authentication Issues" later in this chapter.

If the trust relationship fails between every pair of domain controllers, there is a very high probability that the problem is with the trust relationship itself. In this case, use the Nltest tool to further isolate the failure (for example, use the /sc_query and /sc_reset switches) and the Net Logon log to investigate further.

Note

The problem can usually be resolved by re-creating the trust relationship through the Active Directory Domains and Trusts console.

If only a few pairs of domain controllers are experiencing the trust relationship problem and other pairs are not, it could be a replication or name resolution–related problem. In this case, check whether the trusted domain objects (in the System container) are up-to-date on all domain controllers.

For more information about trusted domain objects, see "Active Directory Logical Structure" in this book.

For each server that has a broken secure channel, the server's name is printed along with a Win32 error message indicating why the secure channel is not working. For each error, the next step is to examine the domain controller that is having the trouble; the error is most likely related to network connectivity.

Following is an example of a secure channel failure while running the Dcdiag tool.

F:\> dcdiag /v /s:dc5 /test:outboundsecurechannels /testdomain:washington /nositerestriction

DC Diagnosis

Performing initial setup:
   * Connecting to directory service on server dc5.
   * Collecting site info.
   * Identifying all servers.
   * Found 20 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Building1\DC5
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... DC5 passed test Connectivity

Doing primary tests

   Testing server: Building1\DC5
      Test omitted by user request: Replications
      Test omitted by user request: Topology
      Test omitted by user request: NCSecDesc
      Test omitted by user request: NetLogons
      Test omitted by user request: LocatorGetDc
      Test omitted by user request: RidManager
      Test omitted by user request: MachineAccount
      Test omitted by user request: Services
      Starting test: OutboundSecureChannels
         * Secure channel from [DC-08] to [\\RED-DC-11.washington.corp.microsoft.com] is working properly.
         * [DC-08] has downlevel trust object for [washington]
         * [DC-08] has uplevel trust object for [washington]
         * Secure channel from [DC-07] to [\\RED-DC-01.washington.corp.microsoft.com] is working properly.
         * [DC-07] has downlevel trust object for [washington]
         * [DC-07] has uplevel trust object for [washington]
         * Secure channel from [NTDSDCB] to [\\RED-DC-08.washington.reskit.com.com] is working properly.
         * [NTDSDCB] has downlevel trust object for [washington]
         * [NTDSDCB] has uplevel trust object for [washington]
         [NTDSDC] LDAP connection failed with error 58,
         The specified server cannot perform the requested operation.
         [NTDSDC] LDAP bind failed with error 31. A device attached to the system is not functioning.
         * Secure channel from [DC5] to [\\RED-DC-12.washington.reskit.com.com] is working properly.
         * [DC5] has downlevel trust object for [washington]
         * [DC5] has uplevel trust object for [washington]
         * Secure channel from [DC1] to [\\RED-DC-03.washington.reskit.com.com] is working properly.
         * [DC1] has downlevel trust object for [washington]
         * [DC1] has uplevel trust object for [washington]
         * Secure channel from [DC9] to [\\RED-DC-07.washington.reskit.com.com] is working properly.
         * [DC9] has downlevel trust object for [washington]
         * [DC9] has uplevel trust object for [washington]
         * Secure channel from [DCG] to [\\RED-DC-08.washington.reskit.com.com] is working properly.
         * [DCG] has downlevel trust object for [washington]
         * [DCG] has uplevel trust object for [washington]
         * Secure channel from [DC2] to [\\RED-DC-06.washington.reskit.com.com] is working properly.
         * [DC2] has downlevel trust object for [washington]
         * [DC2] has uplevel trust object for [washington]
         ......................... NTDSDC failed test OutboundSecureChannels
      Test omitted by user request: ObjectsReplicated

   Running enterprise tests on : reskit.com
      Test omitted by user request: Intersite
      Test omitted by user request: RolesHeld

In this example, NTDSDC is down.

For a specific secure channel problem, you might see the following:

* Secure channel from [DC5] to washington is not working because "The RPC server is unavailable."

In this case, it is recommended that the administrator run diagnostics on [DC5] to see whether it is having network problems.

Diagnose Replication Latencies

Dcdiag performs the following checks:

  • Check the status of a specific source partner for a destination. The test also checks that the source partner has a notification link back to that destination.
    For more information about notification links, see "Active Directory Replication" in this book.

  • Analyze a particular incoming replication link for the case where it reports zero failures but the time since its last success is unusually long. This means that the replication link is being delayed or preempted because of higher priority work.

  • Report if the update sequence number (USN) vector, which the destination keeps for a particular source partner, indicates that a full synchronization is in progress. This is not a failure, although it does indicate that new changes from that partner are delayed until the full synchronization process has completed.

  • Check the queue of current and pending replication activities for indications of delay. There are three specific areas to investigate:

    • First, a replication job is taking a long time when there are no higher priority tasks waiting. This is not a failure, although it could mean that the computer is not up to date. New changes from that source are delayed until the computer catches up.

    • Second, a replication job is taking a long time when there are higher priority tasks waiting. Theoretically, this can only happen until the current call completes, when the replication dispatcher causes the higher priority task to run. In practice, this can indicate either a stuck call at the server or a replication call that does not have a server-side time limit.

    • Third, look at the number of pending replication tasks. A large number means that the computer was delayed in the past, and a large number of replication requests are waiting.

Replication of Trust Objects

This option checks the following:

  • Check that the computer account object has replicated to all additional domain controllers of the domain. Verification is done by comparing the object attribute metadata of all copies of the object.

  • Verify that the DSA object has replicated to all replicas of the configuration directory partition.

File Replication Service

Verify that File Replication service (FRS) has started successfully on all servers. If FRS has not started, it delays the Net Logon service from advertising that domain controller.

Critical Services Check

Verifies that critical services are running on each domain controller. The services that are checked include: File Replication service, Intersite Messaging Service, Kerberos v5 Key Distribution Center Service, Server Service, Workstation Service, Remote Procedure Call Locator Service, Windows Time Service, Distributed Link Tracking Client Service, Distributed Link Tracking Server Service and the Net Logon service.

Sample output of Dcdiag.exe running all the previous tests in verbose mode:

C:\DS TOOLS>dcdiag /s:SERVER1 /c /v

DC Diagnosis

Performing initial setup:
   * Connecting to directory service on server SERVER1.
   * Collecting site info.
   * Identifying all servers.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Default-First-Site-Name\SERVER1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... SERVER1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\SERVER1
      Starting test: Replications
         * Replications Check
         ......................... SERVER1 passed test Replications
      Starting test: Topology
         * Configuration Topology Integrity Check
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=foobar,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Configuration,DC=reskit,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=reskit,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... SERVER1 passed test Topology
      Starting test: CutoffServers
         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=reskit,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=reskit,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=reskit,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... SERVER1 passed test CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for CN=Schema,CN=Configuration,DC=reskit,DC=com
         * Security Permissions Check for CN=Configuration,DC=reskit,DC=com
         * Security Permissions Check for DC=reskit,DC=com
         ......................... SERVER1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         ......................... SERVER1 passed test NetLogons
      Starting test: LocatorGetDc
         Role Schema Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com
         ......................... SERVER1 failed test LocatorGetDc
      Starting test: RidManager
         * Available RID Pool for the Domain is 1603 to 1073741823
         * SERVER1.reskit.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1103 to 1602
         * rIDNextRID: 1106
         * rIDPreviousAllocationPool is 1103 to 1602
         ......................... SERVER1 passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/SERVER1.reskit.com/reskit.com
         * SPN found :LDAP/SERVER1.reskit.com
         * SPN found :LDAP/SERVER1
         * SPN found :LDAP/SERVER1.reskit.com/RESKIT1
         * SPN found :LDAP/6cbd730e-b9ce-4154-8367-45a8b469097b._msdcs.reskit.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/6cbd730e-b9ce-4154-8367-45a8b469097b/reskit.com
         * SPN found :HOST/SERVER1.reskit.com/reskit.com
         * SPN found :HOST/SERVER1.reskit.com
         * SPN found :HOST/SERVER1
         * SPN found :HOST/SERVER1.reskit.com/RESKIT1
         * SPN found :GC/SERVER1.reskit.com/reskit.com
         ......................... SERVER1 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: RPCLOCATOR
         * Checking Service: w32time
         * Checking Service: TrkWks
         * Checking Service: TrkSvr
         * Checking Service: NETLOGON
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         ......................... SERVER1 passed test Services
      Starting test: OutboundSecureChannels
         ** Did not run test because /testdomain: was not entered
         ......................... SERVER1 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         SERVER1 is in domain DC=reskit,DC=com
         Checking for CN=SERVER1,OU=Domain Controllers,DC=reskit,DC=com in domain DC=reskit,DC=com on 1 servers
         Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=SERVER1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=reskit,DC=com in domain CN=Configuration,DC=reskit,DC=com on 1 servers
         Object is up-to-date on all servers.
         ......................... SERVER1 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service Event log test
         The SYSVOL has been shared, and the AD is no longer prevented from starting by the File Replication Service.
         ......................... SERVER1 passed test frssysvol

   Running enterprise tests on : reskit.com
      Starting test: Intersite
         ......................... reskit.com passed test Intersite
      Starting test: RolesHeld
         GC Name: \\SERVER1.reskit.com
         Locator Flags: 0xe00001fd
         PDC Name: \\SERVER1.reskit.com
         Locator Flags: 0xe00001fd
         Time Server Name: \\SERVER1.reskit.com
         Locator Flags: 0xe00001fd
         Preferred Time Server Name: \\SERVER1.reskit.com
         Locator Flags: 0xe00001fd
         KDC Name: \\SERVER1.reskit.com
         Locator Flags: 0xe00001fd
         ......................... reskit.com passed test RolesHeld
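Reading a long dcdiag transcript by eye is error-prone: in the trust verification run earlier in this section, the failure line names NTDSDC while the server under test is DC5, and the lines that explain the failure (the LDAP error 58 and error 31 messages) are printed several lines above the result. The following Python script is an added example, not part of the Resource Kit and not code from dcdiag; it turns both transcripts shown in this section into one record per test so that failures, the server they name and the diagnostic lines printed while the test ran can be pulled out of the output or fed to monitoring. It relies only on the line shapes visible above ("Testing server: site\server", "Running enterprise tests on : name", "Starting test: name", "Test omitted by user request: name" and the dotted result line), and the transcript it parses is a constructed, shortened copy of the first run.

```python
"""Parse dcdiag output into one record per test.

Added example, not from the Resource Kit or from dcdiag itself. It relies only
on the line shapes visible in the dcdiag transcripts in this section.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SERVER_RE = re.compile(r"^Testing server:\s+([^\\]+)\\(\S+)$")
ENTERPRISE_RE = re.compile(r"^Running enterprise tests on\s*:\s*(\S+)$")
START_RE = re.compile(r"^Starting test:\s+(\S+)$")
OMITTED_RE = re.compile(r"^Test omitted by user request:\s+(\S+)$")
RESULT_RE = re.compile(r"\.{3,}\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)$")


@dataclass
class TestResult:
    scope: str                 # server under test, or the domain for enterprise tests
    test: str                  # dcdiag test name, e.g. OutboundSecureChannels
    status: str                # "passed", "failed", "omitted" or "incomplete"
    subject: str = ""          # name dcdiag put in the result line (the DC that failed)
    detail: List[str] = field(default_factory=list)   # lines printed while the test ran


def parse_dcdiag(text: str) -> List[TestResult]:
    results: List[TestResult] = []
    scope = ""
    current: Optional[TestResult] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVER_RE.match(line)
        if m:
            scope, current = m.group(2), None
            continue
        m = ENTERPRISE_RE.match(line)
        if m:
            scope, current = m.group(1), None
            continue
        m = OMITTED_RE.match(line)
        if m:
            results.append(TestResult(scope, m.group(1), "omitted", scope))
            continue
        m = START_RE.match(line)
        if m:
            current = TestResult(scope, m.group(1), "running", scope)
            continue
        m = RESULT_RE.search(line)
        if m:
            subject, status, test = m.groups()
            if current is None or current.test != test:
                current = TestResult(scope, test, status, subject)
            current.status, current.subject = status, subject
            results.append(current)
            current = None
            continue
        if current is not None:          # diagnostic line belonging to the running test
            current.detail.append(line)
    if current is not None:              # transcript ended mid-test (truncated output)
        current.status = "incomplete"
        results.append(current)
    return results


def failures(results: List[TestResult]) -> List[TestResult]:
    return [r for r in results if r.status == "failed"]


def summarize(results: List[TestResult]) -> Dict[str, int]:
    return dict(Counter(r.status for r in results))


# Constructed, shortened copy of the trust verification transcript above.
SAMPLE = """\
DC Diagnosis

Performing initial setup:
   * Connecting to directory service on server dc5.
   * Found 20 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial non skippeable tests

   Testing server: Building1\\DC5
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... DC5 passed test Connectivity

Doing primary tests

   Testing server: Building1\\DC5
      Test omitted by user request: Replications
      Test omitted by user request: Topology
      Starting test: OutboundSecureChannels
         * Secure channel from [DC-08] to [\\\\RED-DC-11.washington.corp.microsoft.com] is working properly.
         * [DC-08] has uplevel trust object for [washington]
         [NTDSDC] LDAP connection failed with error 58,
         The specified server cannot perform the requested operation.
         [NTDSDC] LDAP bind failed with error 31. A device attached to the system is not functioning.
         ......................... NTDSDC failed test OutboundSecureChannels
      Test omitted by user request: ObjectsReplicated

   Running enterprise tests on : reskit.com
      Starting test: Intersite
         ......................... reskit.com passed test Intersite
"""

if __name__ == "__main__":
    parsed = parse_dcdiag(SAMPLE)
    print(summarize(parsed))
    for bad in failures(parsed):
        print("%s: %s failed (tested from %s)" % (bad.test, bad.subject, bad.scope))
        for line in bad.detail:
            print("   ", line)
```

Because the result line, not the "Testing server" line, names the domain controller that failed, the script keeps both: `scope` is DC5, `subject` is NTDSDC, and `detail` holds the two LDAP error lines that explain why NTDSDC is down.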

Using Ntdsutil to Manage Domain Controller Consistency

Ntdsutil is a command-line tool that provides directory service management. It maintains the Active Directory store, manages and transfers operations master (flexible single-master operations) roles, and purges the metadata left behind by abandoned domain controllers (domain controllers that were removed from the network without Active Directory being uninstalled). For more information about using Ntdsutil, see "Active Directory Diagnostic Tool (Ntdsutil.exe)" in this book.

By using Ntdsutil, you can diagnose and troubleshoot the following domain controller consistency-related issues:

  • Remove orphaned domain controllers and domains.

Note

Netdom can also remove orphaned domains. For more information about removing orphaned domain controllers, see "Active Directory Installation and Removal" later in this chapter.

  • Connect to a specific domain controller.

  • View directory partitions, sites, servers, domains, and operations master roles.

  • View and set the values for the LDAP policies supported on a server.

  • Manage operations master roles. (For more information about managing operations master roles, see "Managing Flexible Single-Master Operations" in this book.)

Identifying Windows 2000 Domain Controller Roles

There might be instances when you need to identify which domain controller holds the primary domain controller operations master role in a domain so that clients that are running earlier versions of Windows NT can be authenticated.

Note

Clients running earlier versions of Windows NT can be authenticated at any domain controller. What an unavailable PDC emulator prevents is, among other things, joining computers to the domain from those clients and changing their user passwords.

Also, you might need to identify which domain controllers are Global Catalog servers so that you can verify that LDAP Search requests can be satisfied in the forest. Use the following methods to identify Windows 2000 domain controllers:

  • The NTDS registry subkey appears in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry subkey.

  • The SYSVOL and NETLOGON shares exist. For more information about SYSVOL and NETLOGON shares, see "File Replication Service" in this book. (The SYSVOL share and its contents exist after removing Active Directory.)

  • By using the nbtstat command-line tool, you can check domain name registration. It shows that the 1C name (Domain) is registered. Type nbtstat -n at the command prompt, and note the presence of the 1C name.

  • The Net Accounts tool lists the computer role as "PRIMARY" for a domain controller and as "SERVER" for a stand-alone server. Type net accounts at the command prompt.

  • The net start command shows that the Kerberos Key Distribution Center service is running. Type net start | more at the command prompt to page through the list.

  • By using the connect to server %s command in the Ntdsutil tool, you can connect to other Windows 2000–based domain controllers. (Note that Ntdsutil functions only with Windows 2000–based domain controllers.) The computer responds to LDAP queries on port 389 (and, if it is a Global Catalog server, on port 3268).

  • The Change button on the Network Identification tab in My Computer is disabled when a Windows 2000–based server is configured as a domain controller, and a note appears indicating this fact. (Domain controllers cannot be renamed. Domain member and stand-alone computers can be renamed.)

  • To identify the domain controller that holds the primary domain controller emulator role for a domain, run the Netdiag tool and look for the "Machine is a Primary Domain Controller" entry in the output. Type netdiag /v at the command prompt. You can also use the Nltest tool to obtain the same information, as shown in the following example:

nltest /dsgetdc:reskit /pdc
           DC: \\NTDSDC4
      Address: \\172.23.92.85
     Dom Guid: ca21b03b-6dd3-11d1-8a7d-b8dfb156871f
     Dom Name: RESKIT
  Forest Name: reskit.reskit.com.
 Dc Site Name: Red-Bldg26
Our Site Name: Red-Bldg26
        Flags: PDC DS KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE 0x8
The command completed successfully

  • To identify a domain controller that is also a Global Catalog server for the forest, either examine the Global Catalog check box in the Active Directory Sites and Services console or run the Nltest tool and check whether the GC flag is returned:

E:\>nltest /dsgetdc:server1.reskit.com /gc
           DC: \\FE-DC-02.fareast.reskit.com.com
      Address: \\172.23.4.194
     Dom Guid: 0502fd7a-2b1e-11d3-a5ec-00805f9f21f5
     Dom Name: fareast.reskit.com.com
  Forest Name: reskit.com.com
 Dc Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST

  • To identify the domain-wide operations master (FSMO) role holders, open Operations Masters in the Active Directory Users and Computers console; it shows the holders of the three domain roles: PDC, RID, and Infrastructure. (The Schema and Domain Naming role holders are shown by the Active Directory Schema and Active Directory Domains and Trusts consoles, respectively, and all five appear in the LocatorGetDc output of Dcdiag above.)
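The Locator Flags value that the Dcdiag RolesHeld test prints (0xe00001fd above) and the flag words that nltest /dsgetdc prints are the same DsGetDcName bitmask in two forms; older versions of nltest print a bit they have no name for as a hex word, which is the "0x8" in the first nltest output above. The following Python script is an added example, not code from the Resource Kit, nltest or Dcdiag; it decodes one form into the other so that a script can check which roles a domain controller is actually advertising. The bit values are the DS_*_FLAG constants that DsGetDcName returns (Dsgetdc.h), the short names are the ones nltest prints, and the nltest output it parses is a copy of the one shown above for the PDC.

```python
"""Decode DsGetDcName Locator Flags (as printed by dcdiag and nltest).

Added example, not from the Resource Kit, nltest or dcdiag. Bit values are
the DS_*_FLAG constants from Dsgetdc.h; short names are the words nltest prints.
"""
from typing import Dict, List

# bit -> (nltest word, DsGetDcName constant)
DSGETDC_FLAGS: Dict[int, tuple] = {
    0x00000001: ("PDC", "DS_PDC_FLAG"),
    0x00000004: ("GC", "DS_GC_FLAG"),
    0x00000008: ("LDAP", "DS_LDAP_FLAG"),
    0x00000010: ("DS", "DS_DS_FLAG"),
    0x00000020: ("KDC", "DS_KDC_FLAG"),
    0x00000040: ("TIMESERV", "DS_TIMESERV_FLAG"),
    0x00000080: ("CLOSE_SITE", "DS_CLOSEST_FLAG"),
    0x00000100: ("WRITABLE", "DS_WRITABLE_FLAG"),
    0x00000200: ("GOOD_TIMESERV", "DS_GOOD_TIMESERV_FLAG"),
    0x20000000: ("DNS_DC", "DS_DNS_CONTROLLER_FLAG"),
    0x40000000: ("DNS_DOMAIN", "DS_DNS_DOMAIN_FLAG"),
    0x80000000: ("DNS_FOREST", "DS_DNS_FOREST_FLAG"),
}
WORD_TO_BIT = {word: bit for bit, (word, _) in DSGETDC_FLAGS.items()}


def decode_locator_flags(flags: int) -> List[str]:
    """nltest-style words for each set bit, lowest bit first; unknown bits as hex."""
    words = []
    for bit in range(32):
        value = 1 << bit
        if flags & value:
            words.append(DSGETDC_FLAGS.get(value, ("0x%x" % value, ""))[0])
    return words


def encode_locator_flags(words) -> int:
    """Inverse of decode_locator_flags; accepts nltest words and hex words like 0x8."""
    flags = 0
    for word in words:
        flags |= WORD_TO_BIT[word] if word in WORD_TO_BIT else int(word, 16)
    return flags


def parse_dsgetdc(text: str) -> dict:
    """Turn 'nltest /dsgetdc' output into a dict; Flags becomes the integer bitmask."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue                      # e.g. "The command completed successfully"
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    if "Flags" in fields:
        fields["Flags"] = encode_locator_flags(fields["Flags"].split())
    return fields


def advertised_roles(flags: int) -> Dict[str, bool]:
    """The questions the Locator checks in this section ask of a domain controller."""
    return {
        "pdc_emulator": bool(flags & 0x00000001),
        "global_catalog": bool(flags & 0x00000004),
        "ldap_server": bool(flags & 0x00000008),
        "kdc": bool(flags & 0x00000020),
        "time_server": bool(flags & 0x00000040),
        "writable": bool(flags & 0x00000100),
    }


# Copy of the nltest /dsgetdc:reskit /pdc output shown above.
NLTEST_PDC_OUTPUT = """\
DC: \\\\NTDSDC4
Address: \\\\172.23.92.85
Dom Guid: ca21b03b-6dd3-11d1-8a7d-b8dfb156871f
Dom Name: RESKIT
Forest Name: reskit.reskit.com.
Dc Site Name: Red-Bldg26
Our Site Name: Red-Bldg26
Flags: PDC DS KDC TIMESERV WRITABLE DNS_FOREST CLOSE_SITE 0x8
The command completed successfully
"""

if __name__ == "__main__":
    print("0xe00001fd ->", " ".join(decode_locator_flags(0xE00001FD)))
    info = parse_dsgetdc(NLTEST_PDC_OUTPUT)
    print(info["DC"], "advertises", advertised_roles(info["Flags"]))
```

Decoding 0xe00001fd yields PDC GC LDAP DS KDC TIMESERV CLOSE_SITE WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST, which is exactly the set of roles the RolesHeld test found SERVER1 advertising; the "0x8" in the older nltest output decodes to the LDAP flag once the table knows it.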

Advertising as a Global Catalog Server

A domain controller does not advertise itself as a Global Catalog server until it has replicated in the required domains. The following rules govern Global Catalog promotion:

  • There is a distinction between requesting that a computer become a Global Catalog server and that computer actually finishing promotion and advertising as a Global Catalog server. The server must successfully replicate in read-only copies of the domains in the enterprise before it advertises as a Global Catalog. You request that a domain controller become a Global Catalog by selecting the Global Catalog check box in the Active Directory Sites and Services console.

Note

The fact that this box is selected does not necessarily imply that the computer has successfully become a Global Catalog and is advertising itself.

There are four ways to determine if a computer is advertising as a Global Catalog:

  • Look in the Directory Service log in Event Viewer for a message indicating that the computer is advertising.

  • Use the Ldp tool to view the isGlobalCatalogReady attribute of rootDSE. When it is TRUE, the computer is a Global Catalog server and is advertising itself.

  • Use the Nltest tool to determine that the computer has the Global Catalog attribute set. If it does, then it is a Global Catalog server.

  • Verify if the Global Catalog Promotion Complete registry entry stored in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\ is set to the value 1. If it is, then the computer is advertising as a Global Catalog server.

  • If a computer has successfully advertised as a Global Catalog and is restarted, it immediately advertises itself again, even if there are additional domains in the enterprise that the Global Catalog does not hold yet. This can be referred to as a "grandfather clause": after a computer is a Global Catalog, it is not disabled even if it does not hold all the domains in its list.

  • A computer whose Global Catalog check box is selected retries periodically (every 30 minutes) to see whether it holds all of the domains. You can shorten this interval by setting the registry entry that is named in the event log message.

  • The default requirement is that the Global Catalog must hold copies of all domains that have a source in the Global Catalog's site. Thus if the Global Catalog is in site1, and there exist domain controllers for domains A, B, and C in site1, and domain controllers in domains D, E, and F in site2, then the Global Catalog must hold copies of A, B, and C before it advertises.

  • Rebooting a computer that is trying to become a Global Catalog doesn't alter the behavior. When it restarts, it continues trying to become a Global Catalog.

Note

During dcpromo, after a certain point, the user has the option to Finish Replication Later. If this option is selected and the computer is restarted, the system does not advertise until the first full synchronization of the domain has occurred. Whether the computer considers itself synchronized can be tested by reading the rootDSE attribute isSynchronized, which can be examined by using Ldp.exe.

Using Dsastat to Detect Directory Partition Differences

If you want to examine the differences among a user-defined scope of objects on two different domain controllers, use the Dsastat tool.

The Dsastat command-line tool compares and detects differences between directory partitions on domain controllers. It retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class. Then, it compares the attributes of replicated objects. It can be used to compare two directory trees across replicas within the same domain or, in the case of a Global Catalog, across different domains. You can use this to monitor replication status at a much higher level than monitoring detailed transactions.

Note

The Dcdiag tool contains an option called "check objects" that analyzes and confirms that all copies of a server's computer account object and DSA object are consistent. In general, if replication is up to date, all copies are consistent and there is no need to look for differences among all of the copies. This is only needed if you suspect database corruption. If you have different views of your data, the most likely reason is replication failure; the Dcdiag "replication" test tells you about any replication failures.

For example, to perform a comparison of all users in the Sales organizational unit in the Reskit.com domain, with those in another directory partition, specify the following:

dsastat -s:reskitS1;reskitS2 -b:OU=Sales,DC=Reskit,DC=com -gcattrs:all -sort:true -t:false -p:16 -filter:"(&(objectclass=user)(!objectClass=computer))"

In this example you can determine whether both domain controllers agree on the contents of the OU=Sales,DC=Reskit,DC=com subtree. The comparison detects objects that exist on one domain controller and not the other (for example, because a creation or deletion has not replicated), as well as differences in attribute values on objects that exist on both.

This example specifies a base search path at a subtree of the domain. In this case, the organizational unit name is "Sales." The filter specifies that the comparison is concerned only with user objects, not computer objects.

Note

Because computer objects are derived from user objects in the class hierarchy, a search filter specifying "objectclass = user" returns both user and computer objects.

Also, using the Dsastat tool, you can specify the target domain controllers and additional operational parameters from the command line or from an initialization file. The Dsastat tool determines whether domain controllers in a domain have a consistent and accurate image of their own domain. In the case of Global Catalogs, it checks whether the Global Catalog server has an image that is consistent with the domain controllers in other domains. It complements the other replication-monitoring tools, Repadmin and Replmon, by ensuring that domain controllers are up to date with one another.

Determining if Domain Controllers are Up To Date

If you see the error "DS paths have a different object count in them" in the Directory Service log of Event Viewer, use Dsastat, Repadmin, and Replmon to diagnose and resolve the problem.

For example:

LDAP::<DCName>.reskit.com/CN=Packages,CN=Class Store,CN={EF06ECF2-A8C9-11D2-B575-0008C7457B4E},CN=Policies,CN=System, DC=reskit,DC=microsoft,DC=com

For DCName=ntdsdc4 there are 77 objects in the tree while for DCName=RESKIT-DC-08 there are 78 objects. The missing object is CN={7cc10d6e-463f-4a65-8d4d-56d85fc823c1}

Resolution to the problem:

The object was created by dc1 about 4 P.M.:

C:\>repadmin /showmeta "CN=7cc10d6e-463f-4a65-8d4d-56d85fc823c1,CN=Packages,CN=Class Store,CN=User,CN={EF06ECF2-A8C9-11D2-B575-0008C7457B4E},CN=Policies,CN=System,DC=reskit,DC=microsoft,DC=com" reskit-dc-08

29 entries.

Loc.USN   Originating DSA    Org.USN   Org.Time/Date        Ver  Attribute
=======   ===============    =======   =============        ===  =========
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    objectClass
12950240  Bldg\RESKIT-DC-08  12950240  1999-06-18 16:14.59  1    cn
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    instanceType
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    whenCreated
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    showInAdvancedViewOnly
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    nTSecurityDescriptor
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    name
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    msiScriptPath
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    cOMClassID
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    cOMProgID
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    localeID
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    computerArchitecture
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    revision
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    packageType
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    packageName
12950240  Bldg\DC1           7612100   1999-06-18 16:01.02  2    packageFlags
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    versionNumberHi
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    versionNumberLo
12950240  Bldg\DC1           7612100   1999-06-18 16:01.02  3    lastUpdateSequence
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    msiFileList
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    categories
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    url
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    objectCategory
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    upgradeProductCode
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    canUpgradeScript
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    fileExtPriority
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    productCode
12950240  Bldg\DC1           7612100   1999-06-18 16:01.02  2    msiScriptName
12950240  Bldg\DC1           7611643   1999-06-18 15:58.37  1    installUiLevel

Taking into consideration the latencies in reskit.microsoft.com (computers being restarted, upgrades, new software installation, and so on), it might take more than an hour for a change to replicate.

The following example shows that the change has finally replicated:

C:\>repadmin /showmeta "CN=7cc10d6e-463f-4a65-8d4d-56d85fc823c1,CN=Packages,CN=Class Store,CN=User,CN={EF06ECF2-A8C9-11D2-B575-0008C7457B4E},CN=Policies,CN=System,DC=reskit,DC=microsoft,DC=com" ntdsdc4

29 entries.

Loc.USN  Originating DSA  Org.USN  Org.Time/Date        Ver  Attribute
=======  ===============  =======  =============        ===  =========
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    objectClass
7597742  Bldg\DC4         7597742  1999-06-18 16:17.19  1    cn
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    instanceType
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    whenCreated
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    showInAdvancedViewOnly
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    nTSecurityDescriptor
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    name
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    msiScriptPath
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    cOMClassID
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    cOMProgID
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    localeID
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    computerArchitecture
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    revision
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    packageType
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    packageName
7597742  Bldg\DC1         7612100  1999-06-18 16:01.02  2    packageFlags
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    versionNumberHi
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    versionNumberLo
7597742  Bldg\DC1         7612100  1999-06-18 16:01.02  3    lastUpdateSequence
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    msiFileList
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    categories
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    url
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    objectCategory
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    upgradeProductCode
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    canUpgradeScript
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    fileExtPriority
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    productCode
7597742  Bldg\DC1         7612100  1999-06-18 16:01.02  2    msiScriptName
7597742  Bldg\DC1         7611643  1999-06-18 15:58.37  1    installUiLevel

For monitoring replication, use the tools Repadmin, Replmon, and Dsastat in the /Support directory on the Windows 2000 operating system CD.
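The two Repadmin listings above are compared by eye; the following added example (not Resource Kit code) parses two /showmeta listings and reports attributes whose originating write differs between the replicas. The sample listings embedded in it are constructed and shortened from the format shown above, with a packageFlags change that has reached one domain controller but not the other.

```python
"""Compare two repadmin /showmeta listings attribute by attribute.

Added example, not Resource Kit code. Metadata is kept per attribute
(originating DSA, Org.USN, Ver); where two replicas disagree, the one with
the lower Ver has not yet received the latest originating write.
"""
import re
from collections import namedtuple
Meta = namedtuple("Meta", "loc_usn dsa org_usn when ver")
# Data row: Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+ \S+)\s+(\d+)\s+(\S+)\s*$")

def parse_showmeta(text):
    """Return {attribute: Meta}; header and '=====' rule lines do not match ROW."""
    meta = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            loc, dsa, org, when, ver, attr = m.groups()
            meta[attr] = Meta(int(loc), dsa, int(org), when, int(ver))
    return meta

def stale_attributes(a, b, ignore=("cn",)):
    """Return {attribute: (Ver on a, Ver on b)} for attributes whose originating
    write differs. cn is skipped by default: in the listings above each replica
    records its own DSA and local USN for the RDN although the object agrees."""
    out = {}
    for attr in sorted((set(a) | set(b)) - set(ignore)):
        ma, mb = a.get(attr), b.get(attr)
        if ma is None or mb is None or (ma.dsa, ma.org_usn, ma.ver) != (mb.dsa, mb.org_usn, mb.ver):
            out[attr] = (ma.ver if ma else None, mb.ver if mb else None)
    return out

# Constructed samples: DC1 wrote packageFlags twice; Ver 2 reached RESKIT-DC-08, not NTDSDC4 yet.
DC08 = """\
Loc.USN  Originating DSA   Org.USN  Org.Time/Date        Ver  Attribute
=======  ===============   =======  =============        ===  =========
12950240 Bldg\\DC1          7611643  1999-06-18 15:58.37  1    objectClass
12950240 Bldg\\RESKIT-DC-08 12950240 1999-06-18 16:14.59  1    cn
12950240 Bldg\\DC1          7612100  1999-06-18 16:01.02  2    packageFlags
"""
DC4 = """\
7597742  Bldg\\DC1          7611643  1999-06-18 15:58.37  1    objectClass
7597742  Bldg\\DC4          7597742  1999-06-18 16:17.19  1    cn
7597742  Bldg\\DC1          7611643  1999-06-18 15:58.37  1    packageFlags
"""

if __name__ == "__main__":
    for attr, (va, vb) in stale_attributes(parse_showmeta(DC08), parse_showmeta(DC4)).items():
        print(f"{attr}: RESKIT-DC-08 has Ver {va}, NTDSDC4 has Ver {vb}")
```

Run it against the saved output of `repadmin /showmeta <DN> <server>` from each domain controller; an empty result means the replicas hold the same originating writes for that object.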