Wednesday, July 13, 2011

Windows 2003 support tools

Replmon


What is Replmon.exe?
Replmon is the first tool you should use when troubleshooting Active Directory replication issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to diagnose than using its command line counterparts.

Symptoms of Replication Faults


  • Failure to extend the schema – The Active Directory schema has to be extended for many reasons. Two of the most common are:
    • When installing an Exchange 200x server (by running setup.exe /forestprep and /domainprep)
    • When adding a 2003 Domain Controller to a Windows 2000 Active Directory network (by running adprep /forestprep and /domainprep).
If there is a replication issue with any of the domain controllers on the Schema partition, the Schema will not allow any extension.
  • Failure to DCPromo a new Domain Controller – When installing a new Domain Controller, the wizard waits until Active Directory is fully synchronised before continuing. Replication issues would cause this to hang at this point. (Although it can be forced to wait until later, this would only put off the problem).
  • Installation of Active Directory aware software – Software that creates a new user account per network or writes to the Active Directory could fail or produce ambiguous errors when replication issues exist on the network.
  • Any recent warnings or errors in the File Replication Service log in Event Viewer
  • Any recent NTDS Replication Errors in the Directory Service log in Event Viewer
How to Use Replmon

To use Replmon, log on to a Domain Controller, select Start|Run, type Replmon, and click OK. The Replmon main window appears.



Right click on the Monitored Servers icon and select Add Monitored Server...

Select the Search the directory for the server to add radio button.

Ensure the correct domain populates in the drop-down list, and click Next.



Select an appropriate server from the list of Domain Controllers…
  • If you know you are experiencing issues with a particular domain controller, choose that server.
  • If you are checking general replication, or are not sure where the fault lies, choose the Forest Root.
  • On larger networks, you will need to choose more than one server depending on the replication topology. (For information on viewing the replication topology, see Appendix A.)
…and click Finish.

If your Active Directory contains only Windows 2000 domain controllers, you will see three Directory partitions.



If your Active Directory Forest Root is Windows 2003 you will see five Directory partitions.



By expanding the + on each directory partition you will be able to see each of the server’s replication partners. Selecting one on the left shows the last replication attempt in the right hand pane.



If there are any replication issues, the partitions on the domain controller that the server cannot replicate with will show a red x.



Highlighting one of the problem replication partner servers will then show more verbose error messages in the logs pane explaining why it could not replicate.



Troubleshooting Replication Issues

Step 1: Check validity of replication partners
Perhaps an obvious step, but there can be replication issues when there are servers present in the replication topology that are no longer connected to the network. Look for replication agreements with non-existent servers, servers that have been forcibly removed from the domain or are simply turned off.

Step 2: Force replication
The last scheduled replication attempt could have failed for unaccountable reasons, but the failure cause may no longer be an issue. Get an accurate current understanding of the situation by right clicking on the replication partner server in each of the partitions and selecting “Synchronise with this Replication Partner”.



Then refresh the Tree view by pressing F5. Re-check the replication status in the right hand logs pane.

Step 3: General IP checks
Doesn’t matter if you’ve done them, do them all again now! From a command prompt:
  • Can you ping the IP address of the destination server? e.g. Ping 192.168.3.201
    If not: The issue will either be hardware (cable, switch, NIC, check all physical connections) or incorrect configuration of a server’s (either destination or host server) IP details. Check the NIC’s IP address and Subnet Mask.
  • Can you ping the NetBIOS name of the destination server? e.g. Ping Replicadc1
    If not: The issue will be a name resolution issue. Check there is an A host entry in the domain’s Forward Lookup zone. Check the NIC IP properties and ensure the Forest Root IP is entered as the Preferred DNS Server.
  • Can you ping the FQDN of the destination server? e.g. Ping Replicadc1.RMTDS.Internal
    If not: The issue will be a DNS issue. Check as above, also check the NIC’s IP Advanced Properties and ensure the correct DNS Suffix is being used. Open the DNS admin console and ensure there is a populated Forward Lookup zone for the domain.
  • Can you reverse lookup the IP of the destination server? e.g. Ping -a 192.168.3.201
    If not: You have a reverse lookup zone issue. Open the DNS admin console and check for the existence of a Reverse Lookup zone per Class C IP range. e.g.

    10.0.0.x Subnet
    10.0.1.x Subnet

    Check there is a valid PTR record for each of the Domain Controllers in the relevant Reverse lookup zone.
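
The four checks above can be scripted so that the first failing check points at the likely cause. This is an added example, not part of the original post: the function names are assumptions, the host name and address are the ones used in the examples above, and the name checks compare the resolved address with the expected IP, which is slightly stricter than a plain ping by name.

```python
import socket
import subprocess
import sys

def ping(target):
    """True if the system ping exits 0 for a single echo request."""
    count = "-n" if sys.platform.startswith("win") else "-c"
    return subprocess.run(["ping", count, "1", target],
                          capture_output=True).returncode == 0

def resolve(name):
    """Forward lookup: IPv4 address for name, or None."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def reverse(ip):
    """Reverse (PTR) lookup: host name for ip, or None."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def diagnose(ip, short_name, fqdn, ping=ping, resolve=resolve, reverse=reverse):
    """Run the four Step 3 checks in order; return (check, ok, hint) tuples."""
    ptr = (reverse(ip) or "").lower().rstrip(".")
    checks = [
        ("ping IP", ping(ip), "hardware, or IP address / subnet mask"),
        ("short name", resolve(short_name) == ip, "A record, Preferred DNS Server"),
        ("FQDN", resolve(fqdn) == ip, "DNS suffix, Forward Lookup zone"),
        ("reverse lookup", ptr == fqdn.lower(), "Reverse Lookup zone, PTR record"),
    ]
    return [(name, ok, "" if ok else hint) for name, ok, hint in checks]

def first_failure(results):
    """Name of the first failing check, or None when every check passes."""
    return next((name for name, ok, _ in results if not ok), None)

# Constructed sample data: A records exist, the PTR record is missing.
SAMPLE_A = {"replicadc1": "192.168.3.201", "replicadc1.rmtds.internal": "192.168.3.201"}
SAMPLE_PTR = {}

def sample_run(a=SAMPLE_A, ptr=SAMPLE_PTR):
    """Run diagnose() against the constructed tables instead of the network."""
    return diagnose("192.168.3.201", "Replicadc1", "Replicadc1.RMTDS.Internal",
                    ping=lambda t: True,
                    resolve=lambda n: a.get(n.lower()),
                    reverse=lambda i: ptr.get(i))
```

Calling diagnose() with only the three host arguments runs the checks against the live network; sample_run() uses the constructed tables.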
Appendix A – Other Replmon functions

By right clicking the server you have selected to view Replication agreements from, you will see a range of options. A few of them are detailed below.



Update Status – This will recheck the replication status of the server. The time of the updated status is logged and displayed in the right hand pane.

Check Replication Topology – This will cause the Knowledge Consistency Checker (KCC) to recalculate the replication topology for the server.

Synchronize Each Directory Partition with All Servers – This will start immediate replication for all of the server’s directory partitions with each replication partner.

Generate Status Report – Creates and saves a verbose status report in the form of a log file.

Show Domain Controllers in Domain – This will show a list of all known Domain Controllers.

Show Replication Topologies – This will show a graphical view of the replication topology. Click View on the menu and select Connection Objects only. Then right click each server, and select Show Intra/Inter-site connections.

Show Group Policy Object Status – shows a list of all the Domain’s Group Policies and their respective AD and Sysvol version numbers.



Unlike other Windows Server 2003 tools where you can practice on just one Domain Controller, with Replmon you need two Domain Controllers to see any action. In fact, the more Domain Controllers you add, the more you appreciate the clever ways in which replication functions. Best of all, if you have a multi-domain forest, then you can trace the differences between domain and forest topologies. Theory says that all domain controllers in the forest share the same schema; with Replmon you can actually see the one Schema ring containing every domain controller. Contrast the Schema ring with the domain ring, which has a separate ring topology for each domain.
My advice is to begin by right clicking the ServerName object and, from the resulting drop-down menu, selecting 'Show Replication Topologies'. As well as viewing how all the domain controllers are linked, this example shows the value of right-clicking on any object that you meet. At first it seems as though there is nothing to see, but if you click on the View Menu, Connection Objects only, then all Domain Controllers appear.

Hmm.... still no sign of the replication links. Let us try another right click, and select 'Show Intra-Site Connections'. At this point I pay attention to detail. I remember that Intra means within, whereas Inter is like Inter-City and means between. What you should now see is topology links between all the Domain Controllers. Incidentally, the word 'Site' reminds us that to begin with, we are investigating just the Default-First-Site; in a production network there may be multiple sites.

If you have 5 or more servers in the ring, you may consider right clicking and adding extra links to speed up replication; this is particularly true for Windows 2000 networks, where latency is much longer than in Windows Server 2003.
You can use ReplMon to do the following:
  • See when a replication partner fails.
  • View the history of successful and failed replication changes for troubleshooting purposes.
  • View the properties of directory replication partners.
  • Create your own applications or scripts written in Microsoft Visual Basic Scripting Edition (VBScript) to extract specific data from Active Directory.
  • View a snapshot of the performance counters on the computer, and the registry configuration of the server.
  • Generate status reports that include direct and transitive replication partners, and detail a record of changes.
  • Find all direct and transitive replication partners on the network.
  • Display replication topology.
  • Poll replication partners and generate individual histories of successful and failed replication events.
  • Force replication.
  • Trigger the Knowledge Consistency Checker (KCC) to recalculate the replication topology.
  • Display changes that have not yet replicated from a given replication partner.
  • Display a list of the trust relationships maintained by the domain controller being monitored.
  • Display the metadata of an Active Directory object's attributes.
  • Monitor replication status of domain controllers from multiple forests.

ReplMon Examples:

Example 1: Generate a status report for a server
In this example, you use ReplMon to create a log file that records replication events for an individual server. This data is used to troubleshoot possible replication errors in the forest or domain.
To create the log file
  1. In ReplMon, select the server in the Monitored Servers section of the window.
  2. On the Action menu, select Server, and then click Generate Status Report. The Save As dialog box appears.
  3. In the Save As dialog box, type a name for the log file to generate, (optionally) select a new path for the file, and then click Save.

    The Report Options dialog box appears.
  4. In the Report Options dialog box, select the type of information to be logged.
  5. To save the log file and return to ReplMon, click OK.
Notes
  • If a log file is given the same name as an existing log file, ReplMon replaces the existing log file without a warning. To avoid this, incorporate the current date in your naming scheme.
  • To set the default path, on the View menu, select Options, and then use the General tab of the Options dialog box.
Example 2: Display the replication topology for a server
In this example, you use ReplMon to display replication partners of a server, which graphically represents the replication topology.
To display replication partners
  1. In ReplMon, select the server in the Monitored Servers section of the window.
  2. On the Action menu, select Server, and then click Show Replication Topologies.

    The View Replication Topology window appears.
  3. In the View Replication Topology window, on the View menu, click Replication Topologies.
  4. In ReplMon on the Options menu, click Report.
Example 3: Display pending replication changes
Each domain controller keeps a record of the last changes received from other domain controllers by using the Update Sequence Number (USN) of the replication partner. In this example changes have occurred on the replication partner and the Active Directory replication process has not propagated those changes to the monitored server. You can use ReplMon to show what objects have changed and therefore need to be replicated to the monitored server. This is done on a per-directory partition basis.
To show what objects have changed
  1. In ReplMon, expand a server to display the list of directory partitions.
  2. Expand and select the replication partner within the directory partition for which you want to view unreplicated changes. Only objects that have changed within the directory partition are displayed.
  3. On the Action menu, click Replication Partner, and then select Check Current USN and Unreplicated Objects.

    A separate window opens. Detected changes are displayed and can be saved to a text file. If no changes are detected, a message box informs you of the current USN on the replication partner and that all changes have replicated to the monitored server.
Example 4: Synchronize directory partitions
In this example, you use ReplMon to force a replication event between two directory partitions. By default, directory partitions on servers periodically synchronize with each other. Manual synchronization is necessary only if the network or a server is down for an extended period of time.
To manually synchronize two directory partitions
  1. In the Monitored Servers pane of ReplMon, select the server that needs to be brought up to date.
  2. Expand a directory partition.

    A list of replication partners for that directory partition appears.
  3. Select the directory partition that needs to be synchronized.
  4. On the Action menu, click Synchronize with this Replication Partner.
  5. In the dialog box that appears, select any additional parameters for synchronization, then click OK to continue with the synchronization.
Notes
  • This method works only with direct replication partners.
  • This method synchronizes only one directory partition at a time. To synchronize all directory partitions at once, on the Action menu, click Server, and then click Synchronize Each Directory Partition with All Servers.