Replication

Applies To: Operations Manager 2007, Windows Server 2012

Replication of data is a key aspect of any Active Directory installation. Replication Monitoring ensures that replication is occurring correctly in your environment. The following four specific aspects of replication are monitored:

  • Replication Provider. This aspect continually monitors and verifies that all of the replication links for a domain controller are working properly. The health of each replication link is checked by using Windows Management Instrumentation (WMI) to determine the status of the link.

  • Replication Partner Count. This aspect ensures that every domain controller has an acceptable number of partners with which to replicate. If a domain controller has either too many or too few partners, the health of the domain controller will be considered to be degraded.

  • Replication Latency Monitoring. This aspect ensures that changes made to the Active Directory installation are replicated throughout the environment in a timely manner. The replication latency monitoring mechanism injects changes into the directory at a regular interval, and then watches to see that those changes reach every domain controller monitored by the Active Directory Management Pack (ADMP) within a specified amount of time.

  • Operations Master Consistency. Although operations master verification is performed elsewhere, replication monitoring verifies that all replication partners for a given domain controller agree on the owner of each operations master role. This check is a critical part of replication because replication partners need to agree on the ownership of each operations master role.

Replication is the mechanism by which domain controllers in a domain exchange changes to the directory. This mechanism is essential to the operation of the Active Directory deployment in a forest. The topic of replication is both deep and wide, and a full view of every aspect of replication is beyond the scope of what the Active Directory Management Pack (ADMP) attempts to monitor. For the purpose of this management pack, you should strive to monitor the critical aspects of replication to give information technology (IT) administrators an overall assessment of replication for their environment.

Note

This section discusses the monitoring of replication for the purposes of providing alerts when replication issues are detected. If you are interested in configuring replication performance monitoring that allows for trend reporting, see Collecting Replication Performance Data in the Optional Configuration section of this guide.

The following four specific aspects of replication are monitored:

  • Replication Provider – This aspect uses Windows Management Instrumentation (WMI) to indicate whether replication links between a domain controller and its replication partners are healthy or unhealthy.

  • Replication Partner Count – This aspect validates that a particular domain controller does not have too many or too few replication partners.

  • Replication Latency – This aspect validates that updates to the directory are propagated to other domain controllers within a reasonable timeframe.

  • Operations Master Consistency Check – This aspect validates that all of the replication partners for a particular domain controller agree on the various Operations Master role holders.

These four aspects of replication are monitored to provide an overall view of the replication mechanism of the Active Directory environment. Sometimes, it will be appropriate to utilize a tool that is more specialized in monitoring replication. For example, if the Replication Provider verification fails, the guidance might be to use the Replprov tool to gather more detailed information about the failure.

Replication Provider

The replication paths of data between domain controllers are represented by replication links. These links are logical entities (represented as objects in the directory) that the domain controller references when it needs to replicate. The health of the replication links is essential to determining the health of replication. The ADMP determines the health status of these links by using WMI, specifically by examining the MSAD_ReplNeighbor object. Information about this object can be found in MSAD_ReplNeighbor Class (https://go.microsoft.com/fwlink/?LinkId=122796). The replication provider check specifically monitors the following aspects of the MSAD_ReplNeighbor object:

  • ModifiedNumConsecutiveSyncFailures is less than 2

  • The TimeOfLastSyncSuccess is less than 14 days old

Replication Partner Count

With replication as one of the cornerstones of the Active Directory environment, it is essential that the domain controllers in the forest are all able to replicate with each other, and that excessive connections are not created between domain controllers. Excessive connections can degrade the performance of the forest, while a lack of connectivity can create replication site islands. A replication site island occurs when a single domain controller, or a group of domain controllers in a particular site, does not have any connections to domain controllers in another site. The domain controllers in a replication site island are unable to propagate their own changes to the other domain controllers in the domain and forest.

The replication partner count specifically validates the following three cases are true:

  • A domain controller always has at least one outbound connection. Because replication connections are always recorded as inbound connections on the destination domain controller, outbound connections are not recorded separately. This means that the replication partner count mechanism validates that a minimum number of connections exist by checking all of the other domain controllers in the domain to see whether any of them has an inbound connection from the domain controller in question.

    Note

    A domain containing a single domain controller is considered a lone domain controller, and the replication partner count check will be ignored.

  • A domain controller has at least one connection to another site. When sites are created, they must have a way to replicate changes to domain controllers in other sites. By default, when a site is created beyond the initial Default-First-Site-Name site, the Enterprise Administrator needs to create a site link to connect the two sites. A site always needs at least one intersite connection to another site.

    Note

    If the domain or forest contains only a single site, the replication site island check will be ignored.

  • A domain controller does not have more than a specified number of connections. When a domain controller has too many connections, the performance of the directory can become degraded. The replication partner count validation mechanism checks that a domain controller does not have too many connections. The specific threshold is made a parameter to the script, so that it can be overridden and customized for a particular environment.
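The following PowerShell script is an added example, not the ADMP's own monitoring script. It reproduces the Replication Provider check (both MSAD_ReplNeighbor thresholds) and the three Replication Partner Count cases for every domain controller in the current domain. It assumes the ActiveDirectory module, WMI access to each domain controller, and the sample partner threshold `$MaxPartners`; the ADMP exposes that threshold as an override parameter rather than a constant.

```powershell
# Added example (not the ADMP's own script): evaluates the Replication Provider and
# Replication Partner Count checks for every DC in the current domain.
# Assumes the ActiveDirectory module, WMI (DCOM) access to each DC, and the sample
# partner threshold below; the ADMP exposes that threshold as an override parameter.
Import-Module ActiveDirectory

$MaxFailures = 2                         # ModifiedNumConsecutiveSyncFailures must stay below 2
$MaxSyncAge  = [TimeSpan]::FromDays(14)  # TimeOfLastSyncSuccess must be under 14 days old
$MaxPartners = 10                        # sample value for the "specified number of connections"

$dcs = @(Get-ADDomainController -Filter *)

# Every MSAD_ReplNeighbor instance is one *inbound* link: "this DC pulls from Source".
$links = foreach ($dc in $dcs) {
    Get-WmiObject -ComputerName $dc.HostName -Namespace 'root\MicrosoftActiveDirectory' `
                  -Class MSAD_ReplNeighbor -ErrorAction SilentlyContinue |
    ForEach-Object {
        # A link that has never synced has no TimeOfLastSyncSuccess; treat it as infinitely old.
        $last = if ($_.TimeOfLastSyncSuccess) {
                    [System.Management.ManagementDateTimeConverter]::ToDateTime($_.TimeOfLastSyncSuccess)
                } else { [datetime]::MinValue }
        [pscustomobject]@{
            Dc          = $dc.Name
            DcSite      = $dc.Site
            Partition   = $_.NamingContextDN
            Source      = $_.SourceDsaCN
            SourceSite  = $_.SourceDsaSite
            Failures    = [int]$_.ModifiedNumConsecutiveSyncFailures
            LastSuccess = $last
        }
    }
}

# --- Replication Provider: a link is unhealthy when either threshold is crossed.
$now = Get-Date
foreach ($l in $links) {
    if ($l.Failures -ge $MaxFailures -or ($now - $l.LastSuccess) -gt $MaxSyncAge) {
        Write-Warning ('{0} <- {1} [{2}]: {3} consecutive failures, last success {4:u}' -f
                       $l.Dc, $l.Source, $l.Partition, $l.Failures, $l.LastSuccess)
    }
}

# --- Replication Partner Count. Links are recorded only as inbound, so a DC's outbound
#     partners are discovered from the inbound lists of all the *other* DCs.
$multiSite = @($dcs.Site | Sort-Object -Unique).Count -gt 1
if ($dcs.Count -gt 1) {                  # a lone DC is skipped, as the note above says
    foreach ($dc in $dcs) {
        $inbound   = @($links | Where-Object { $_.Dc -eq $dc.Name }     | Select-Object -ExpandProperty Source -Unique)
        $outbound  = @($links | Where-Object { $_.Source -eq $dc.Name } | Select-Object -ExpandProperty Dc -Unique)
        $crossSite = @($links | Where-Object { $_.Dc -eq $dc.Name -and $_.SourceSite -ne $dc.Site })

        if ($outbound.Count -lt 1) {
            Write-Warning "$($dc.Name): no other DC in the domain replicates from it"
        }
        if ($multiSite -and $crossSite.Count -lt 1) {   # single-site domains skip this case
            Write-Warning "$($dc.Name): no replication partner in another site (possible replication site island)"
        }
        if ($inbound.Count -gt $MaxPartners) {
            Write-Warning "$($dc.Name): $($inbound.Count) inbound partners exceeds the threshold of $MaxPartners"
        }
    }
}
```

Because MSAD_ReplNeighbor only describes inbound links, the "at least one outbound connection" case can only be answered by querying every other domain controller, which is exactly why the script collects all links first and then derives outbound partners from the other domain controllers' inbound lists.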

Replication Latency

The purpose of replication latency monitoring is to ensure that changes are being properly replicated across the forest. An Active Directory deployment comprises domain controllers, all of which (excluding read-only domain controllers (RODCs)) are able to modify the collective directory. When a change is recorded, it will be replicated to neighboring domain controllers within a given time interval.

Replication latency monitoring in this management pack is done by injecting a change into the directory and determining how long it takes for that change to reach every other domain controller in the forest. This value can vary from domain controller to domain controller. The maximum determined time that it takes a change to replicate across the forest is known as the convergence latency.

Latency monitoring is done on a per-naming context basis. On a typical domain controller, there will be three predefined naming contexts in the directory:

  • The Domain Naming Context, which exists for each domain

  • The Configuration Naming Context, which exists for each forest

  • The Schema Naming Context, which exists for each forest

In addition, on a domain controller that is acting as a Domain Name System (DNS) server, there will be two more partitions:

  • The Domain DNS Zones Naming Context

  • The Forest DNS Zones Naming Context

Each partition is monitored separately from the others. This is because some customers might configure certain partitions to not be replicated, and the management pack needs to be flexible enough to handle this. You need to be able to ensure that each partition is being correctly replicated.

How and when replication occurs between domain controllers is heavily dependent on the site location of the domain controller. Replication can be divided into two categories:

  • Replication between domain controllers that are within the same site (known as intrasite replication)

  • Replication between domain controllers that are in different sites (known as intersite replication)

When a change is made on a domain controller, the replication partners of that domain controller need to receive a copy of that change. Because domain controllers belonging to the same site are considered to be well connected, changes are proactively pulled by other domain controllers in the same site almost as soon as the changes are made. For domain controllers belonging to a separate site, the assumption is made that these domain controllers are not as well connected, so changes are requested only on a scheduled interval. This way, changes from the previous x minutes are batched together and transferred at the same time.

Because the replication intervals for intersite and intrasite replication are different, the management pack needs to monitor each type of replication separately. For this reason, a separate intersite replication latency threshold and intrasite replication latency threshold are used.

Container Creation

When the ADMP is deployed for the first time, the latency objects container (OpsMgrLatencyMonitors) does not yet exist. Before monitoring can begin, the container needs to be created, which can occur in two different ways:

  • If the container does not exist, the replication monitoring script attempts to create the container. If the System Center Operations Manager 2007 Action Account does not have appropriate permissions to create the OpsMgrLatencyMonitors container, the creation will fail and an event will be logged.

    Note

    For information about the Action Account, see Account Information for Operations Manager 2007 (https://go.microsoft.com/fwlink/?LinkID=165736).

  • The administrator can use ADSI Edit to manually create the latency objects container.

For situations in which the administrator creates an Action Account, or another user account specifically for the latency monitoring mechanism, the account that is used may not have the permissions required to create the container automatically. For this reason, you may require an enterprise administrator to manually create the container, as described in the following section.

To configure the OpsMgrLatencyMonitors container

  1. To perform this procedure, you must be a member of the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.

    Important

    Ensure that the OpsMgrLatencyMonitors container is created only once—on one domain controller—and that it will replicate to the other domains in the forest.

  2. In ADSI Edit, right-click the ADSI Edit object in the navigation pane, and then click Connect To.

  3. In the Connection Settings dialog box under Connection Point, ensure that Select a well known Naming Context is selected, and then click Configuration in the drop-down menu.

  4. In the Computer section, select the domain controller on which you want to complete the configuration, and then click OK.

  5. In the navigation pane, expand the Configuration object. An object with CN=Configuration followed by the LDAP path of the forest appears.

  6. If you do not see the OpsMgrLatencyMonitors container immediately below the CN=Configuration object in the navigation pane, create the container:

    1. Right-click the CN=Configuration object, click New, and then click Object.

    2. In the Create Object dialog box, select the container class, and then click Next.

    3. In Value, type OpsMgrLatencyMonitors, and then click Next. Click Finish.

  7. In the navigation pane of ADSI Edit, right-click CN=OpsMgrLatencyMonitors, and then click Properties.

  8. Click the Security tab, click Advanced, and then click Add.

  9. Use the Select Users, Computers, Service Accounts, or Groups dialog box to locate the Action Account, and then click OK.

  10. In the Permissions Entry for OpsMgrLatencyMonitors dialog box, ensure that Apply to reads This object and all descendant objects.

  11. In Permissions, select the Allow box that corresponds to the Create container objects permission.

  12. Click the Properties tab, and then set Apply to so that it reads All descendant objects.

  13. In Permissions, select the Allow box that corresponds to Read all properties.

  14. Select the Allow box that corresponds to Write adminDescription, and then click OK three times to close the open dialog boxes.
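The script below is an added example, not part of the ADMP guide; it performs the same procedure with PowerShell so that the result can be repeated and reviewed. It creates the OpsMgrLatencyMonitors container once (skipping creation if it already exists, as the Important note requires), then grants the Action Account the three permission entries from steps 10 through 14. It assumes the ActiveDirectory module, an Enterprise Admins session, and the constructed sample values `$Server` and `$ActionAccount`; the schemaIDGUIDs for the container class and the adminDescription attribute are read from the schema rather than hard-coded.

```powershell
# Added example (not from the ADMP guide): the ADSI Edit procedure above, done in PowerShell.
# Run once, as an Enterprise Admin, against one DC; the object and its ACL replicate from there.
# $Server and $ActionAccount are constructed sample values; replace them with your own.
Import-Module ActiveDirectory

$Server        = 'dc01.contoso.com'            # the single DC on which the container is created
$ActionAccount = 'CONTOSO\svc-opsmgr-action'   # the Operations Manager Action Account

$rootDse     = Get-ADRootDSE -Server $Server
$configNC    = $rootDse.configurationNamingContext
$schemaNC    = $rootDse.schemaNamingContext
$containerDN = "CN=OpsMgrLatencyMonitors,$configNC"

# Steps 5-6: create the container only if it does not already exist (it must exist exactly once).
$existing = Get-ADObject -Server $Server -SearchBase $configNC -SearchScope OneLevel `
                         -Filter 'name -eq "OpsMgrLatencyMonitors"'
if (-not $existing) {
    New-ADObject -Server $Server -Type container -Name 'OpsMgrLatencyMonitors' -Path $configNC
}

# Object-specific ACEs refer to the schemaIDGUID of a class or attribute; look them up.
function Get-SchemaIdGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -Server $Server -SearchBase $schemaNC `
                        -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$containerClassGuid = Get-SchemaIdGuid 'container'
$adminDescGuid      = Get-SchemaIdGuid 'adminDescription'

$sid = (New-Object System.Security.Principal.NTAccount($ActionAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# A dedicated AD provider drive bound to $Server, so Get-Acl/Set-Acl talk to the same DC.
New-PSDrive -Name OpsMgrAD -PSProvider ActiveDirectory -Server $Server -Root '' | Out-Null
$acl = Get-Acl -Path "OpsMgrAD:\$containerDN"

$Allow       = [System.Security.AccessControl.AccessControlType]::Allow
$Inherit     = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$Rights      = [System.DirectoryServices.ActiveDirectoryRights]

# Steps 10-11: Create container objects, applied to this object and all descendant objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Rights::CreateChild, $Allow, $containerClassGuid, $Inherit::All)))

# Steps 12-13: Read all properties, applied to all descendant objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Rights::ReadProperty, $Allow, $Inherit::Descendents)))

# Step 14: Write adminDescription (that attribute only), applied to all descendant objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $Rights::WriteProperty, $Allow, $adminDescGuid, $Inherit::Descendents)))

Set-Acl -Path "OpsMgrAD:\$containerDN" -AclObject $acl
Remove-PSDrive -Name OpsMgrAD
```

Granting only CreateChild for the container class and WriteProperty for adminDescription keeps the Action Account's rights in the Configuration partition to the minimum the latency objects need, which is the least-privilege outcome the dialog-box procedure is aiming for; the explicit `Descendents` inheritance on the read and write entries mirrors the "All descendant objects" setting in steps 12 and 14.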

Latency Detection

After change injection has been performed, the container will be scanned for existing objects. Each object represents a domain controller that is participating in replication latency monitoring.

The process begins by querying the local domain controller by using the Lightweight Directory Access Protocol (LDAP) for a list of all the objects located in the latency objects container, where the containers that are queried are determined by the naming context monitoring parameters for the workflow. The list is then iterated over, taking each object one at a time.
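The following script is an added example, not the ADMP's own workflow; it ties together the Replication Latency section (change injection, per-partition monitoring, separate intrasite and intersite thresholds) and the Latency Detection description above for a single partition, the Configuration naming context. Each domain controller owns one marker object under OpsMgrLatencyMonitors, stamps it with the current UTC time on its local replica, and then reads every other domain controller's marker from that same local replica to see how old the latest stamp is. It assumes the ActiveDirectory module, that it runs on a domain controller, that the container and the permissions from the preceding procedure exist, and the two sample threshold values.

```powershell
# Added example (not the ADMP's own workflow): one round of change injection followed by
# latency detection for the Configuration naming context, run on a domain controller.
# Assumes the ActiveDirectory module, the OpsMgrLatencyMonitors container with the
# permissions from the procedure above, and the two sample thresholds below.
Import-Module ActiveDirectory

$IntrasiteThreshold = [TimeSpan]::FromMinutes(15)   # sample value; an ADMP override parameter
$IntersiteThreshold = [TimeSpan]::FromMinutes(90)   # sample value; an ADMP override parameter

$local       = Get-ADDomainController -Identity $env:COMPUTERNAME
$server      = $local.HostName
$configNC    = (Get-ADRootDSE -Server $server).configurationNamingContext
$containerDN = "CN=OpsMgrLatencyMonitors,$configNC"

# Site of every DC in the forest, so each remote marker can be classed as intra- or intersite.
$siteOf = @{}
foreach ($domain in (Get-ADForest).Domains) {
    Get-ADDomainController -Filter * -Server $domain | ForEach-Object { $siteOf[$_.Name] = $_.Site }
}

# --- Change injection. Each DC owns one marker object named after itself and stamps it with
#     the current UTC time on the *local* replica. RODCs cannot originate changes, so they
#     only take part in detection.
if (-not $local.IsReadOnly) {
    $marker = Get-ADObject -Server $server -SearchBase $containerDN -SearchScope OneLevel `
                           -Filter "name -eq '$($local.Name)'"
    if (-not $marker) {
        $marker = New-ADObject -Server $server -Type container -Name $local.Name `
                               -Path $containerDN -PassThru
    }
    $stamp = (Get-Date).ToUniversalTime().ToString('o')   # ISO 8601 round-trip format
    Set-ADObject -Server $server -Identity $marker -Replace @{ adminDescription = $stamp }
}

# --- Latency detection. List the markers as the local replica sees them and measure how old
#     each remote DC's last stamp is. A stamp older than the applicable threshold means that
#     DC's most recent injected change has not converged here in time.
$now     = (Get-Date).ToUniversalTime()
$culture = [System.Globalization.CultureInfo]::InvariantCulture
Get-ADObject -Server $server -SearchBase $containerDN -SearchScope OneLevel `
             -Filter 'objectClass -eq "container"' -Properties adminDescription |
Where-Object { $_.Name -ne $local.Name -and $_.adminDescription } |
ForEach-Object {
    $remoteSite = $siteOf[$_.Name]
    $sameSite   = ($remoteSite -eq $local.Site)
    $threshold  = if ($sameSite) { $IntrasiteThreshold } else { $IntersiteThreshold }
    $written    = [datetime]::ParseExact($_.adminDescription, 'o', $culture, 'RoundtripKind')
    $age        = $now - $written.ToUniversalTime()
    [pscustomobject]@{
        RemoteDc  = $_.Name
        Scope     = if ($sameSite) { 'intrasite' } else { 'intersite' }
        StampAge  = $age
        Threshold = $threshold
        Status    = if ($age -gt $threshold) { 'LATE' } else { 'OK' }
    }
} | Format-Table -AutoSize
```

The measured age of a remote stamp includes the time since that domain controller last injected, so each threshold must be larger than the injection interval plus the expected replication delay; otherwise a healthy but infrequently injecting partner is reported as late. Monitoring the Domain, Schema, and DNS application partitions separately, as the page describes, amounts to repeating the same injection and detection against a container in each of those naming contexts.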

Operations Master Consistency Check

Replication monitoring verifies that all replication partners for a given domain controller agree on the owner of each operations master role. This check is a critical part of replication because replication partners need to agree on the ownership of each operations master role.
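The script below is an added example, not the ADMP's own check. It asks each inbound replication partner of a domain controller for its own view of the five operations master role holders and reports any partner that disagrees with the monitored domain controller. It assumes the ActiveDirectory module, that every partner can be queried directly, and the constructed sample name `dc01.contoso.com`.

```powershell
# Added example (not from the ADMP): compares the operations master role holders as seen by
# a DC with the view held by each of its inbound replication partners.
# Assumes the ActiveDirectory module; 'dc01.contoso.com' is a constructed sample name.
Import-Module ActiveDirectory

function Get-OperationsMasterView([string]$Server) {
    # Forest-level roles come from Get-ADForest, domain-level roles from Get-ADDomain,
    # both as recorded in the directory replica on $Server.
    $f = Get-ADForest -Server $Server
    $d = Get-ADDomain -Server $Server
    [pscustomobject]@{
        Server               = $Server
        Domain               = $d.DNSRoot
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Test-OperationsMasterConsistency([string]$Target) {
    $reference = Get-OperationsMasterView -Server $Target
    $partners  = Get-ADReplicationPartnerMetadata -Target $Target -PartnerType Inbound |
                 Select-Object -ExpandProperty PartnerAddress -Unique
    $findings  = @()
    foreach ($partner in $partners) {
        try   { $view = Get-OperationsMasterView -Server $partner }
        catch { Write-Warning "$partner could not be queried: $_"; continue }

        # Partners in another domain (Configuration/Schema partners) legitimately report
        # different domain-level roles, so those are compared only within the same domain.
        $roles = @('SchemaMaster', 'DomainNamingMaster')
        if ($view.Domain -eq $reference.Domain) {
            $roles += 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'
        }
        foreach ($role in $roles) {
            if ($view.$role -ne $reference.$role) {
                $findings += [pscustomobject]@{
                    Partner     = $partner
                    Role        = $role
                    PartnerSays = $view.$role
                    TargetSays  = $reference.$role
                }
            }
        }
    }
    return $findings    # empty when every partner agrees with $Target
}

Test-OperationsMasterConsistency -Target 'dc01.contoso.com' | Format-Table -AutoSize
```

A non-empty result is the condition the consistency check alerts on: a partner that still believes a different server holds a role has not received the role transfer or seizure, and until it does, role-dependent operations routed through that partner can go to the wrong server.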

Configuration

To perform the procedures in this section, you must be a member of the Operations Manager Administrators group in the Operations console. For more information, see Account Information for Operations Manager 2007 (https://go.microsoft.com/fwlink/?LinkId=165736).

To change the maximum number of replication partners

  1. Open the Operations console, and then click Authoring.

  2. Expand Management Pack Objects, and then click Monitors.

  3. In the Monitors pane, expand Active Directory Domain Controller Server 2000 Computer Role.

  4. Expand Entity Health, and then expand Configuration.

  5. Right-click AD Replication Partner Count Monitor, click Overrides, click Override the Monitor, and then click For all objects of class: Active Directory Domain Controller Server 2000 Computer.

  6. To change the warning threshold, select the Override box that corresponds to the Number Connections Warning Threshold in the Parameter Name column.

  7. In the Override Value column, enter the number of connections that you want to set as the new warning threshold.

  8. To change the error threshold, select the Override box that corresponds to Number Connections Error Threshold.

  9. In the Override Value column, enter the number of connections that you want to set as the new error threshold.

  10. In Select destination management pack, select the management pack that you created for ADMP Customizations, as described in Create a New Management Pack for Customizations. If you have not yet created a management pack for your overrides, you can click New to create a management pack now. Click OK.

  11. Repeat steps 5 through 10 for the following monitors:

    • Active Directory Domain Controller Server 2003 Computer Role

    • Active Directory Domain Controller Server 2008 Computer Role