AD on Server 2008 R2 replication problem

  • Question

  • I'm working to resolve some issues with a new group I'm working with, with Active Directory. We're about to move our DCs to new boxes (one physical, one VM). We want to make sure everything is consistent in AD before making the move.

    The problem is that we currently have 4 DCs up and running on the same domain: two originals and two newer units that were added before I came on board. DCDIAG shows no issues at all, not even warnings, other than a couple of minor issues with RPC event logs.

    I have checked replication using REPADMIN /SHOWREPS, with no problems reported. We have heard of no problems with logons, etc.

    So here's the question. Should all of my active domain controllers have the same user database? Between the four DCs the number of users varies between around 2200 users and 4300 users, some of which match up, and some of which do not. Is there something that would cause them to get out of sync and still remain operational?

    Thanks,

    Brandon

    Thursday, June 16, 2011 4:35 PM

Answers

  • Although I'm not 100% convinced that everything is okay, I think I've figured it out. After doing further queries, I've found that the server manager console, as well as MMC simply can't count. They provide estimates, and are sometimes way off.

    I had to export a list for comparison from each DC, and each file was exactly the same. After seeing this, I gradually increased the limit on the filter, and each time, it would give me a higher count, until I reached the actual number of users.

    Odd that I couldn't find any information about this anywhere online, but apparently, if you want to know how many users are on your domain (especially if you have a large number), you should use other means for counting.

    Thanks everyone for your help. Unless I find some other evidence, I'm going to assume that everything is fine, since all of the diagnostics I could run passed with flying colors.

    Brandon

    Friday, June 17, 2011 7:42 PM

All replies

  • Are all your DCs read-write? If yes, then the user database should be the same on each domain controller. If you have an RODC in place, then it is possible. Are your DCs all GCs?


    With kind regards
    Krystian Zieja
    http://www.projectnenvision.com
    Thursday, June 16, 2011 4:40 PM
  • All are read-write, yes.

    Brandon

    EDIT-
    Oops, and they're all GCs as well.
    Thursday, June 16, 2011 4:41 PM
  • Hello,

    I don't see a problem with your AD environment. Just make sure that you have at least two DC/DNS/GC servers per domain.

    If this is a single domain in your forest then I recommend that all DCs be GC servers.

    You said that you want to move DCs to other servers. Just avoid the use of P2V and images.

    You can proceed like that:

    • Promote the new servers as DC/DNS/GC servers
    • Transfer FSMO roles to these DCs
    • Demote the DCs you want to demote

    Once done, make sure that:

    • Each DC/DNS server points to its private IP address as primary DNS server and to other internal DNS servers as secondary ones
    • Each DC without DNS points to internal DNS servers as DNS servers

    Once done, run ipconfig /registerdns and restart netlogon on each DC. Also, make sure that client computers point to the correct DNS servers.

    By proceeding like that, all should be okay. 

    If you have another need to achieve, please detail it.

     

     


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Thursday, June 16, 2011 7:43 PM
  • I don't know whether you have run the basic or advanced DCDIAG test, but running DCDIAG /V /C /D /E /s:dcname >C:\dcdiag.log gives you comprehensive reports. Also take a look at the article below by Paul.

    http://blogs.dirteam.com/blogs/paulbergson/archive/2009/01/26/troubleshooting-active-directory-issues.aspx

    http://social.technet.microsoft.com/wiki/contents/articles/2285.aspx

    What does DCDIAG actually… do?

    http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx

    Note: Don't use snapshots/images/cloning of DCs; it's not recommended by MS, nor is it advisable, due to various issues it causes, like USN rollback, AD database corruption, etc.

    Things to consider when you host Active Directory domain controllers in virtual hosting environments

    http://support.microsoft.com/kb/888794

    http://blogs.technet.com/b/pfe-ireland/archive/2008/05/08/virtual-domain-controllers-and-time-synchronisation.aspx

     

    Regards  


    Awinish Vishwakarma

    Friday, June 17, 2011 4:21 AM
  • Hello,

    Normally each DC should have the exact same information.

    Please upload the following files:

    ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)


    As the output will become large, DON'T post them into the thread, please use Windows Sky Drive (skydrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards
    Meinolf Weber
    Friday, June 17, 2011 6:51 AM
  • Since you are running Windows 2008 R2, you can make use of AD Administrative Center to query objects in AD.

    http://blogs.technet.com/b/askds/archive/2011/06/16/fun-with-the-ad-administrative-center.aspx

     

    Regards


    Awinish Vishwakarma

    Saturday, June 18, 2011 6:45 AM
  • Hello,

    "Although I'm not 100% convinced that everything is okay, I think I've figured it out. After doing further queries, I've found that the server manager console, as well as MMC simply can't count"

    Where did you look for the counting? Please elaborate on this statement in detail.


    Best regards
    Meinolf Weber
    Sunday, June 19, 2011 7:56 AM
  • I apologize for the delay responding to this. The counts are those shown in the console window, i.e. 'Showing 2000 of approximately 4200 users' etc.

    If I do a query through PowerShell or some other means, everything is solid. It just seems silly that it estimates those numbers when it shouldn't take much effort to display an accurate count.

     

    Brandon

    Saturday, July 30, 2011 1:31 AM
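
The per-DC export and comparison described in the accepted answer can be scripted instead of read off the console's estimated counts. The following is an added example, not code posted by anyone in the thread; it assumes the ActiveDirectory PowerShell module is available, uses the first reachable DC as the baseline, and the function names `Get-MissingItems` and `Get-UserListPerDC` are hypothetical helpers.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-MissingItems($Reference, $Candidate) {
    # Items present in $Reference but absent from $Candidate.
    # PowerShell hashtable keys compare case-insensitively, which suits DNs.
    $seen = @{}
    foreach ($item in $Candidate) { $seen[$item] = $true }
    @($Reference | Where-Object { -not $seen.ContainsKey($_) })
}

function Get-UserListPerDC {
    # Ask each DC directly (-Server) for its own copy of the user objects.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $dns = @(Get-ADUser -Filter * -Server $dc.HostName -ErrorAction Stop |
                     ForEach-Object { $_.DistinguishedName })
            New-Object PSObject -Property @{ DC = $dc.HostName; Users = $dns; Error = $null }
        } catch {
            # An unreachable DC is reported, not silently counted as zero users.
            New-Object PSObject -Property @{ DC = $dc.HostName; Users = @(); Error = $_.Exception.Message }
        }
    }
}

$results  = @(Get-UserListPerDC)
$baseline = $results | Where-Object { -not $_.Error } | Select-Object -First 1

foreach ($r in $results) {
    if ($r.Error) { Write-Warning "$($r.DC): query failed: $($r.Error)"; continue }
    $missing = @(Get-MissingItems $baseline.Users $r.Users)   # on baseline, not on this DC
    $extra   = @(Get-MissingItems $r.Users $baseline.Users)   # on this DC, not on baseline
    "{0}: {1} users, {2} missing, {3} extra (baseline {4})" -f `
        $r.DC, $r.Users.Count, $missing.Count, $extra.Count, $baseline.DC
    $missing | ForEach-Object { "  missing: $_" }
    $extra   | ForEach-Object { "  extra:   $_" }
}
```

A difference reported immediately after accounts are created or deleted may only reflect replication latency, so rerun the comparison once replication has converged before treating it as an inconsistency.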