Active Directory Cookbook for Windows Server 2003 - P38

11.23.2.2 Using a command-line interface

> repadmin /showconn [<DomainControllerName>]

11.23.2.3 Using VBScript

' This code lists the connection objects for a server
' - SCRIPT CONFIGURATION -
strServer = "<ServerName>"   ' e.g. dc01
strSite   = "<SiteName>"     ' e.g. MySite1
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://RootDSE")
set objNTDSCont = GetObject("LDAP://cn=NTDS Settings,cn=" & strServer & _
                            ",cn=servers,cn=" & strSite & ",cn=sites," & _
                            objRootDSE.Get("configurationNamingContext") )
' Only enumerate the nTDSConnection children of the NTDS Settings container
objNTDSCont.Filter = Array("ntdsConnection")
WScript.Echo "Connection objects for " & strSite & "\" & strServer
for each objConn in objNTDSCont
   ' options = 0 means the connection was created by hand; the KCC sets bits on the ones it generates
   if objConn.Get("options") = 0 then
      WScript.Echo " " & objConn.Get("cn") & " (MANUAL)"
   else
      WScript.Echo " " & objConn.Get("cn") & " (AUTO)"
   end if
next

Another option for programmatically getting the connection objects for a server is to use the GetDSAConnections method from the IADsTools interface.

11.23.3 Discussion

Connection objects are used to replicate inbound changes to a domain controller. By viewing the connection objects for a server, you can see which domain controllers it receives updates from. Connection objects are created automatically by the KCC, but can be created manually if necessary.

11.23.4 See Also

Recipe 11.22 for creating a connection object.

Recipe 11.24 Load-Balancing Connection Objects

11.24.1 Problem

You want to evenly distribute connection objects between bridgehead servers in a site.

11.24.2 Solution

11.24.2.1 Using a command-line interface

To see what changes the command would make, run it without the /commit option. To actually make the changes in Active Directory, use the /commit option:

> adlb /server:<DomainControllerName> -site:<SiteName> [/commit] [/verbose]

This command is available in the Windows Server 2003 Resource Kit.

11.24.3 Discussion

Bridgeheads can become overloaded or end up with too many connection objects in relation to other bridgeheads in the domain. The Active Directory Load Balancing (ADLB) tool allows you to balance the load of connection objects among bridgehead servers within a site. The Windows Server 2003 algorithms are much better than those of Windows 2000 at load balancing connection objects across servers, but that process happens only when new connection objects are added. You can use the adlb tool to load balance the connection objects more efficiently at any time.

I recommend viewing the changes adlb would make before using the /commit option. It is always good to do a sanity check to ensure adlb doesn't mess up your replication topology.
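The inventory that Recipes 11.23 and 11.24 describe (which connection objects each server in a site receives, and how evenly they are spread over the bridgeheads), as an added PowerShell example that is not from the Cookbook. It assumes the ActiveDirectory module (RSAT) and that bit 0x1 of a connection's options attribute is the KCC's "generated" flag, which is why the Cookbook's VBScript treats options = 0 as a manual connection; the function names are mine.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the Cookbook. Read-only: it only searches the
# Configuration NC. Assumption: options bit 0x1 marks a KCC-generated
# connection; anything without that bit was created by hand.

function Get-SiteConnectionInventory {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $SiteName)

    $cfgNC     = (Get-ADRootDSE).configurationNamingContext
    $serversDN = "CN=Servers,CN=$SiteName,CN=Sites,$cfgNC"

    # Connection objects live under CN=NTDS Settings,CN=<server>,CN=Servers,<site>
    $conns = Get-ADObject -SearchBase $serversDN -SearchScope Subtree `
                          -LDAPFilter '(objectClass=nTDSConnection)' `
                          -Properties options, fromServer, transportType

    foreach ($c in $conns) {
        # Strip "CN=<conn>,CN=NTDS Settings," to get the DN of the receiving server
        # (plain DNs assumed; escaped commas inside an RDN are not handled here)
        $targetDN = $c.DistinguishedName -replace '^CN=[^,]+,CN=NTDS Settings,', ''
        # fromServer holds the DN of the source DC's NTDS Settings object
        $sourceDN = $c.fromServer -replace '^CN=NTDS Settings,', ''
        [pscustomobject]@{
            Target    = ($targetDN -split ',')[0] -replace '^CN=', ''
            Source    = ($sourceDN -split ',')[0] -replace '^CN=', ''
            Origin    = if ($c.options -band 1) { 'KCC' } else { 'Manual' }
            # transportType is only set on inter-site connections (e.g. CN=IP)
            Transport = if ($c.transportType) { ($c.transportType -split ',')[0] -replace '^CN=', '' } else { 'RPC (intra-site)' }
            Options   = $c.options
        }
    }
}

function Get-BridgeheadLoad {
    # Inbound connection count per server; a large spread between servers in
    # the same site is what adlb (Recipe 11.24) is meant to even out.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $SiteName)

    Get-SiteConnectionInventory -SiteName $SiteName |
        Group-Object Target |
        ForEach-Object {
            [pscustomobject]@{
                Server      = $_.Name
                Connections = $_.Count
                Manual      = @($_.Group | Where-Object Origin -eq 'Manual').Count
                InterSite   = @($_.Group | Where-Object Transport -ne 'RPC (intra-site)').Count
            }
        } | Sort-Object Connections -Descending
}

# Usage:
# Get-SiteConnectionInventory -SiteName 'MySite1' | Format-Table
# Get-BridgeheadLoad -SiteName 'MySite1'
```

Run Get-BridgeheadLoad before and after an adlb /commit to see what the tool actually moved; a manual connection that nobody remembers creating is also worth a look, since the KCC will not remove it.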

Recipe 11.25 Finding the ISTG for a Site

11.25.1 Problem

You want to find the Inter-Site Topology Generator (ISTG) for a site.

11.25.2 Solution

11.25.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. Click on the site you are interested in.
3. In the right pane, double-click on the NTDS Site Settings object.
4. The ISTG will be displayed under Inter-Site Topology Generator if one is present.

11.25.2.2 Using a command-line interface

> repadmin /istg <DomainControllerName>

This command is available only with the Windows Server 2003 version of repadmin.

11.25.2.3 Using VBScript

' This code finds the ISTG for the specified site
' - SCRIPT CONFIGURATION -
strSiteName = "<SiteName>"   ' e.g. Raleigh
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://RootDSE")
set objSiteSettings = GetObject("LDAP://cn=NTDS Site Settings,cn=" & _
                                strSiteName & ",cn=sites," & _
                                objRootDSE.Get("ConfigurationNamingContext"))
' Get raises an error when the attribute is not set, so suppress it and
' treat an empty result as "no ISTG"
on error resume next
strISTGDN = objSiteSettings.Get("interSiteTopologyGenerator")
on error goto 0
if (strISTGDN <> "") then
   ' The attribute holds the DN of the ISTG's NTDS Settings object; its parent is the server object
   set objNTDSSettings = GetObject("LDAP://" & strISTGDN)
   set objServer = GetObject( objNTDSSettings.Parent )
   WScript.Echo "ISTG for site " & strSiteName & " is " & _
                objServer.Get("dnsHostName")
else
   WScript.Echo "No ISTG found for site " & strSiteName
end if

11.25.3 Discussion

One domain controller in every site is picked as the ISTG for that site. While each domain controller is responsible for creating its own intra-site connection objects, the ISTG for a site is responsible for creating the inter-site connection objects for the bridgehead servers in the site.

The current ISTG for a site is stored in the interSiteTopologyGenerator attribute of the site's NTDS Site Settings object. Specifically, the distinguished name of the ISTG's NTDS Settings object is stored in that attribute.

Disabling inter-site topology generation is synonymous with disabling the KCC for a site. See Recipe 11.29 for more information on disabling the KCC.

11.25.4 See Also

Recipe 11.26 for moving the ISTG, MS KB 224815 (The Role of the Inter-Site Topology Generator in Active Directory Replication), and MS KB 224599 (Determining the Inter-Site Topology Generator (ISTG) of a Site in the Active Directory).

Recipe 11.26 Transferring the ISTG to Another Server

11.26.1 Problem

You want to move the ISTG for a site to another domain controller. This happens automatically if you take the current ISTG offline, but you may want to transfer the role to a server that is more optimal in your environment.

11.26.2 Solution

11.26.2.1 Using a graphical user interface

1. Open ADSI Edit.
2. Connect to the Configuration Naming Context if it is not already displayed in the left pane.
3. In the left pane, browse the Configuration NC → Sites.
4. Click on the site you want to transfer the ISTG for.
5. In the right pane, double-click CN=NTDS Site Settings.
6. Modify the interSiteTopologyGenerator attribute to contain the distinguished name of the NTDS Settings object of the domain controller you want to transfer the ISTG role to.
7. Click OK.

11.26.2.2 Using VBScript

' This code forces a new ISTG in a site
' - SCRIPT CONFIGURATION -
' Name of site to transfer ISTG in
strSiteName = "<SiteName>"                  ' e.g. Raleigh
' Site the new ISTG server is in
strNewISTGSite = "<ISTGSiteName>"           ' e.g. Raleigh
' Common name of server object for new ISTG
strNewISTGName = "<DomainControllerName>"   ' e.g. dc01
' - END CONFIGURATION -
set objRootDSE = GetObject("LDAP://RootDSE")
set objSiteSettings = GetObject("LDAP://cn=NTDS Site Settings,cn=" & _
                                strSiteName & ",cn=sites," & _
                                objRootDSE.Get("ConfigurationNamingContext"))
strCurrentISTG = objSiteSettings.Get("interSiteTopologyGenerator")
' Write the DN of the new ISTG's NTDS Settings object into the site settings
objSiteSettings.Put "interSiteTopologyGenerator", _
                    "cn=NTDS Settings,cn=" & strNewISTGName & _
                    ",cn=servers,cn=" & strNewISTGSite & ",cn=sites," & _
                    objRootDSE.Get("ConfigurationNamingContext")
objSiteSettings.SetInfo
WScript.Echo "ISTG for " & strSiteName & " changed from:"
WScript.Echo " " & strCurrentISTG
WScript.Echo "To"
WScript.Echo " " & objSiteSettings.Get("interSiteTopologyGenerator")

11.26.3 Discussion

The current ISTG for a site is stored in the interSiteTopologyGenerator attribute of the site's NTDS Site Settings object. Specifically, the distinguished name of the ISTG's NTDS Settings object is stored in that attribute.

Domain controllers communicate their presence as the ISTG by writing to the interSiteTopologyGenerator attribute at a set interval. If you want another domain controller to assume the role of the ISTG, you need to write the distinguished name of that domain controller's NTDS Settings object to the interSiteTopologyGenerator attribute of the NTDS Site Settings object for the site.

Two registry settings govern the ISTG registration process, both of which are stored under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters key. The interval (in minutes) at which the current ISTG should write to the interSiteTopologyGenerator attribute to inform the other DCs in the site that it is still the ISTG is stored in the KCC site generator renewal interval (minutes) value. The default is 30 minutes. The other value is named KCC site generator fail-over (minutes) and contains the time in minutes that each domain controller in the site should wait for the interSiteTopologyGenerator attribute to be written to before attempting to register itself as the ISTG. The default is 60 minutes.
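Finding the ISTG (Recipe 11.25) and transferring it (Recipe 11.26), as one added PowerShell example that is not from the Cookbook. It assumes the ActiveDirectory module (RSAT); the function names Get-SiteIstg and Move-SiteIstg are mine. It adds the check a scripted write of this attribute should have: the new NTDS Settings DN is resolved before it is written, so a typo cannot leave the site pointing at a non-existent ISTG until the fail-over timer described above expires, and -WhatIf previews the change.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the Cookbook.

function Get-SiteIstg {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $SiteName)

    $cfgNC      = (Get-ADRootDSE).configurationNamingContext
    $settingsDN = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$cfgNC"
    $settings   = Get-ADObject -Identity $settingsDN -Properties interSiteTopologyGenerator

    if (-not $settings.interSiteTopologyGenerator) {
        return [pscustomobject]@{ Site = $SiteName; IstgDN = $null; IstgHost = $null }
    }
    # The attribute holds the DN of the ISTG's NTDS Settings object; its parent is the server object
    $serverDN = $settings.interSiteTopologyGenerator -replace '^CN=NTDS Settings,', ''
    $server   = Get-ADObject -Identity $serverDN -Properties dNSHostName
    [pscustomobject]@{
        Site     = $SiteName
        IstgDN   = $settings.interSiteTopologyGenerator
        IstgHost = $server.dNSHostName
    }
}

function Move-SiteIstg {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [Parameter(Mandatory)] [string] $NewIstgServer   # common name of the server object, e.g. dc01
    )

    $cfgNC      = (Get-ADRootDSE).configurationNamingContext
    $settingsDN = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$cfgNC"
    $newNtdsDN  = "CN=NTDS Settings,CN=$NewIstgServer,CN=Servers,CN=$SiteName,CN=Sites,$cfgNC"

    # A mistyped DN would be accepted by the directory without complaint, so
    # resolve it first and refuse to write anything that does not exist.
    try { $null = Get-ADObject -Identity $newNtdsDN -ErrorAction Stop }
    catch { throw "NTDS Settings object not found, nothing written: $newNtdsDN" }

    $before = (Get-SiteIstg -SiteName $SiteName).IstgDN
    if ($before -eq $newNtdsDN) {
        Write-Verbose "$NewIstgServer is already the ISTG for $SiteName"
        return
    }
    if ($PSCmdlet.ShouldProcess($settingsDN, "Set interSiteTopologyGenerator to $newNtdsDN")) {
        Set-ADObject -Identity $settingsDN -Replace @{ interSiteTopologyGenerator = $newNtdsDN }
    }
    [pscustomobject]@{ Site = $SiteName; Before = $before; After = $newNtdsDN }
}

# Usage:
# Get-SiteIstg -SiteName 'Raleigh'
# Move-SiteIstg -SiteName 'Raleigh' -NewIstgServer 'dc01' -WhatIf   # preview only
# Move-SiteIstg -SiteName 'Raleigh' -NewIstgServer 'dc01'           # prompts, then writes
```

Because the current ISTG rewrites the attribute at the renewal interval, check Get-SiteIstg again after the transfer has replicated to the other DCs in the site to confirm the new server has taken over.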

11.26.4 See Also

MS KB 224815 (The Role of the Inter-Site Topology Generator in Active Directory Replication)

Recipe 11.27 Triggering the KCC

11.27.1 Problem

You want to trigger the KCC.

11.27.2 Solution

11.27.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. In the left pane, browse to the NTDS Settings object for the server you want to trigger the KCC for.
3. Right-click on NTDS Settings, select All Tasks, and then Check Replication Topology.
4. Click OK.

11.27.2.2 Using a command-line interface

> repadmin /kcc <DomainControllerName>

11.27.2.3 Using VBScript

' This code triggers the KCC on a DC
' - SCRIPT CONFIGURATION -
strDC = "<DomainControllerName>"   ' e.g. dc01
' - END CONFIGURATION -
' IADsTools ships with the Support Tools (see iadstools.doc)
set objIadsTools = CreateObject("IADsTools.DCFunctions")
' TriggerKCC returns -1 on failure; LastErrorText then holds the reason
intRes = objIadsTools.TriggerKCC(Cstr(strDC), 0)
if intRes = -1 then
   WScript.Echo objIadsTools.LastErrorText
else
   WScript.Echo "KCC successfully triggered"
end if

11.27.3 Discussion

The KCC runs every 15 minutes by default on all domain controllers to generate the intra-site topology connections. The KCC that runs on the server selected as the ISTG generates inter-site topology connections to other sites from the bridgehead servers in its site. In some situations, such as when you create new site, siteLink, or subnet objects, you may want to run the KCC immediately so that any new connections between domain controllers get created.

11.27.4 See Also

Recipe 11.28 for determining if the KCC is completing successfully; for more information on IADsTools, see iadstools.doc, which is installed with the Support Tools; and MS KB 224815 (The Role of the Inter-Site Topology Generator in Active Directory Replication).

Recipe 11.28 Determining if the KCC Is Completing Successfully

11.28.1 Problem

You want to determine if the KCC is completing successfully.

11.28.2 Solution

11.28.2.1 Using a graphical user interface

1. Open the Event Viewer of the target domain controller.
2. Click on the Directory Service log.
3. In the right pane, click on the Source heading to sort by that column.
4. Scroll down to view any events with Source: NTDS KCC.

11.28.2.2 Using a command-line interface

The following command will display any KCC errors found in the Directory Service log:

> dcdiag /v /test:kccevent /s:<DomainControllerName>

11.28.3 Discussion

The only way to debug issues with the KCC is by looking for NTDS KCC events in the Directory Service event log. If you suspect a problem or are seeing errors, you can increase the amount of logging in the event log by enabling diagnostics logging for the KCC. When KCC diagnostics logging is enabled, each KCC exception logs a lot of information to the event log that may help you pinpoint the problem. See Recipe 15.2 for more information on enabling diagnostics logging.
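The check that dcdiag /test:kccevent performs, done across several domain controllers at once, as an added PowerShell example that is not from the Cookbook. It assumes the log is still named 'Directory Service' (true on current Windows Server) and identifies KCC events by a 'KCC' or 'Knowledge Consistency' substring in the provider or task name, which covers both the legacy 'NTDS KCC' source the recipe names and the newer task-category naming; both filters and the function names are my assumptions. It is read-only.

```powershell
# Added example, not from the Cookbook. Assumptions: log name 'Directory
# Service'; KCC events are recognised by provider/task name substring.

function Get-KccEvent {
    [CmdletBinding()]
    param(
        [string[]] $ComputerName = $env:COMPUTERNAME,
        [int]      $Hours = 24,
        [int]      $MaxEvents = 500
    )

    $filter = @{
        LogName   = 'Directory Service'
        Level     = 1, 2, 3            # Critical, Error, Warning
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($dc in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
        } catch {
            # "No events found" also surfaces as an error; report it and move on
            Write-Warning "${dc}: $($_.Exception.Message)"
            continue
        }
        $events |
            Where-Object { $_.ProviderName -match 'KCC' -or $_.TaskDisplayName -match 'KCC|Knowledge Consistency' } |
            ForEach-Object {
                [pscustomobject]@{
                    DC      = $dc
                    Time    = $_.TimeCreated
                    Level   = $_.LevelDisplayName
                    Id      = $_.Id
                    Summary = ($_.Message -split "`r?`n")[0]   # first line of the message is the headline
                }
            }
    }
}

function Get-KccEventSummary {
    # Count per (DC, event ID). A recurring ID on one DC is a local topology
    # problem to chase; the same ID on every DC usually points at a site link
    # or bridgehead that all of them depend on.
    [CmdletBinding()]
    param([string[]] $ComputerName = $env:COMPUTERNAME, [int] $Hours = 24)

    Get-KccEvent -ComputerName $ComputerName -Hours $Hours |
        Group-Object DC, Id |
        ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                DC = $first.DC; Id = $first.Id; Count = $_.Count
                Level = $first.Level; Summary = $first.Summary
            }
        } | Sort-Object Count -Descending
}

# Usage (the DC list needs the ActiveDirectory module):
# Get-KccEventSummary -ComputerName (Get-ADDomainController -Filter * | ForEach-Object HostName) -Hours 48
```

Scheduling Get-KccEventSummary and alerting on any non-zero count gives the continuous version of this recipe; with KCC diagnostics logging turned up (Recipe 15.2) the per-ID counts will rise sharply, so raise the -MaxEvents limit accordingly.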


Recipe 11.29 Disabling the KCC for a Site

11.29.1 Problem

You want to disable the KCC for a site and generate your own replication connections between domain controllers.

11.29.2 Solution

11.29.2.1 Using a graphical user interface

1. Open ADSI Edit.
2. Connect to the Configuration Naming Context if it is not already displayed.
3. In the left pane, browse the Configuration Naming Context → Sites.
4. Click on the site you want to disable the KCC for.
5. In the right pane, double-click CN=NTDS Site Settings.
6. Modify the options attribute. To disable only intra-site topology generation, enable the 00001 bit (decimal 1). To disable inter-site topology generation, enable the 10000 bit (decimal 16). To disable both, enable the 10001 bits (decimal 17).
7. Click OK.

11.29.2.2 Using a command-line interface

You can disable the KCC for <SiteName> by using the ldifde utility and an LDIF file that contains the following:

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: options
options: <OptionsValue>
-

If the LDIF file were named disable_kcc.ldf, you would run the following command:

> ldifde -v -i -f disable_kcc.ldf

11.29.2.3 Using VBScript

' This code disables the KCC for a site
' - SCRIPT CONFIGURATION -
strSiteName = "<SiteName>"   ' e.g. Default-First-Site-Name
boolDisableIntra = TRUE      ' set to TRUE/FALSE to disable/enable intra-site
boolDisableInter = TRUE      ' set to TRUE/FALSE to disable/enable inter-site
' - END CONFIGURATION -

' Bit-flag helper from Recipe 4.12, reproduced here so this script runs on its own:
' returns intValue with intBit set (boolEnable = TRUE) or cleared (FALSE),
' leaving every other bit untouched
Function CalcBit(intValue, intBit, boolEnable)
   CalcBit = intValue
   if boolEnable = TRUE then
      CalcBit = intValue OR intBit
   else
      if (intValue AND intBit) then
         CalcBit = intValue XOR intBit
      end if
   end if
End Function

strAttr = "options"
set objRootDSE = GetObject("LDAP://RootDSE")
set objObject = GetObject("LDAP://cn=NTDS Site Settings,cn=" _
                          & strSiteName & ",cn=sites," & _
                          objRootDSE.Get("configurationNamingContext") )

' Bit 1 (00001) disables intra-site topology generation
intBitsOrig = objObject.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, 1, boolDisableIntra)
WScript.Echo "Checking the KCC Intra-site generation flag:"
if intBitsOrig <> intBitsCalc then
   objObject.Put strAttr, intBitsCalc
   objObject.SetInfo
   WScript.Echo " Changed " & strAttr & " from " & _
                intBitsOrig & " to " & intBitsCalc
else
   WScript.Echo " Did not need to change " & strAttr & _
                " (" & intBitsOrig & ")"
end if

' Bit 16 (10000) disables inter-site topology generation
intBitsOrig = objObject.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, 16, boolDisableInter)
WScript.Echo "Checking the KCC Inter-site generation flag:"
if intBitsOrig <> intBitsCalc then
   objObject.Put strAttr, intBitsCalc
   objObject.SetInfo
   WScript.Echo " Changed " & strAttr & " from " & intBitsOrig & _
                " to " & intBitsCalc
else
   WScript.Echo " Did not need to change " & strAttr & " (" & _
                intBitsOrig & ")"
end if

11.29.3 Discussion

In some cases, you may want to disable the KCC from generating the intra-site topology connections, inter-site topology connections, or both. The connection objects the KCC dynamically creates determine how domain controllers replicate with each other. Disabling the KCC was sometimes necessary with Windows 2000 due to scalability issues with the KCC and very large topologies. In Windows Server 2003, the KCC has been greatly improved and, hopefully, you will not need to disable the KCC. I recommend against disabling the KCC unless you have really good reasons, because you will have to pay close attention to any domain controller or site topology changes and manually adjust the connection objects accordingly.

Disabling the KCC can only be done at the site level. You have to modify the NTDS Site Settings object of the site for which you want to disable the KCC. The options attribute (a bit flag) on this object determines whether the KCC runs. If the 00001 bit (1 in decimal) is enabled, intra-site topology generation is disabled; if the 10000 bit (16 in decimal) is enabled, inter-site topology generation is disabled. See Recipe 4.12 for more on the proper way to set bit flags.
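Setting and clearing the two KCC bits of the options attribute the way Recipe 4.12 describes (other bits preserved, no write when nothing changes), as an added PowerShell example that is not from the Cookbook. It assumes the ActiveDirectory module (RSAT); the bit values 1 and 16 are the ones this recipe gives, and the function names are mine. Get-SiteKccState is the audit half: run it across all sites to find any where the KCC has been switched off and nobody remembers why.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the Cookbook.

$KccOptionBits = @{
    IntraSiteDisabled = 1    # 00001, from Recipe 11.29
    InterSiteDisabled = 16   # 10000, from Recipe 11.29
}

function Set-BitFlag {
    # Pure helper: returns $Value with $Bit set or cleared; every other bit is preserved.
    param([int] $Value, [int] $Bit, [bool] $Enable)
    if ($Enable) { $Value -bor $Bit } else { $Value -band (-bnot $Bit) }
}

function Get-SiteKccState {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $SiteName)
    $cfgNC   = (Get-ADRootDSE).configurationNamingContext
    $dn      = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$cfgNC"
    $options = [int](Get-ADObject -Identity $dn -Properties options).options   # unset attribute -> 0
    [pscustomobject]@{
        Site              = $SiteName
        Options           = $options
        IntraSiteDisabled = [bool]($options -band $KccOptionBits.IntraSiteDisabled)
        InterSiteDisabled = [bool]($options -band $KccOptionBits.InterSiteDisabled)
    }
}

function Set-SiteKccState {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)] [string] $SiteName,
        [bool] $DisableIntraSite,
        [bool] $DisableInterSite
    )
    $cfgNC   = (Get-ADRootDSE).configurationNamingContext
    $dn      = "CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$cfgNC"
    $current = [int](Get-ADObject -Identity $dn -Properties options).options

    # Only touch the bits the caller actually specified
    $new = $current
    if ($PSBoundParameters.ContainsKey('DisableIntraSite')) {
        $new = Set-BitFlag -Value $new -Bit $KccOptionBits.IntraSiteDisabled -Enable $DisableIntraSite
    }
    if ($PSBoundParameters.ContainsKey('DisableInterSite')) {
        $new = Set-BitFlag -Value $new -Bit $KccOptionBits.InterSiteDisabled -Enable $DisableInterSite
    }

    if ($new -eq $current) {
        Write-Verbose "options already $current on $dn; nothing to change"
    } elseif ($PSCmdlet.ShouldProcess($dn, "Change options from $current to $new")) {
        Set-ADObject -Identity $dn -Replace @{ options = $new }
    }
    Get-SiteKccState -SiteName $SiteName
}

# Usage:
# Get-ADReplicationSite -Filter * | ForEach-Object { Get-SiteKccState -SiteName $_.Name }   # audit every site
# Set-SiteKccState -SiteName 'Default-First-Site-Name' -DisableIntraSite $true -DisableInterSite $true -WhatIf
# Set-SiteKccState -SiteName 'Default-First-Site-Name' -DisableIntraSite $false -DisableInterSite $false   # re-enable
```

Writing the whole attribute as 17 (as the LDIF variant above does with a literal <OptionsValue>) would silently clear any other bit already set on the object; the bitwise form is what Recipe 4.12 means by setting bit flags properly.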

11.29.4 See Also

Recipe 4.12 for more on setting bit flags, Recipe 11.22 for creating a connection object manually, MS KB 242780 (How to Disable the Knowledge Consistency Checker From Automatically Creating Replication Topology), and MS KB 245610 (HOW TO: Disable the Knowledge Consistency Checker Inter-Site Topology Generation for All Sites).

Recipe 11.30 Changing the Interval at Which the KCC Runs

11.30.1 Problem

You want to change the interval at which the KCC runs.

11.30.2 Solution

11.30.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.
2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Parameters.
3. Right-click on Parameters and select New → DWORD Value.
4. Enter the following for the name: Repl topology update period (secs)
5. Double-click on the new value and under Value data enter the KCC interval in number of seconds (900 is the default).
6. Click OK.

11.30.2.2 Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Repl topology update period (secs)" /t REG_DWORD /d <NumSecs>

11.30.2.3 Using VBScript

' This code changes the interval at which the KCC runs
' - SCRIPT CONFIGURATION -
intNumSecs = <NumSecs>   ' Number of seconds between intervals; 900 is the default
' - END CONFIGURATION -
strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
const HKLM = &H80000002
' Write the value through the WMI registry provider as a REG_DWORD
Set objReg = GetObject("winmgmts:root\default:StdRegProv")
objReg.SetDWORDValue HKLM, strNTDSReg, _
                     "Repl topology update period (secs)", _
                     intNumSecs
WScript.Echo "KCC interval set to " & intNumSecs

11.30.3 Discussion

By default, the KCC checks its connections every 15 minutes and makes changes as necessary. You can modify this interval by simply modifying the registry. This was necessary with many Windows 2000 implementations that had large topologies. In that case, the KCC may have taken longer than 15 minutes to run or monopolized the CPU. Changing the KCC to run every hour instead of every 15 minutes would help ensure it would complete. With Windows Server 2003, Microsoft made significant improvements to the scalability of the KCC, and I recommend running the KCC at the default interval.

There is another related registry setting you should also be aware of. By default, the KCC waits 5 minutes after Active Directory starts up before it runs. You can change this delay by creating a REG_DWORD value called Repl topology update delay (secs) under the HKLM\System\CurrentControlSet\Services\NTDS\Parameters key. The data for the value should be the number of seconds to wait after startup before the KCC starts. The default is 300, which is 5 minutes.
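Auditing and setting the two KCC timing values this recipe covers, Repl topology update period (secs) (default 900) and Repl topology update delay (secs) (default 300), as an added PowerShell example that is not from the Cookbook. The audit reads every DC you name over PowerShell remoting so a non-default interval left over from a Windows 2000-era tuning stands out; the write is local to the DC the function runs on and is previewed with -WhatIf. It assumes remoting is enabled on the DCs; the function names and the upper bound on the value are mine.

```powershell
# Added example, not from the Cookbook. Assumes PowerShell remoting to the DCs.

$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$KccTimers  = @{
    'Repl topology update period (secs)' = 900   # default from Recipe 11.30
    'Repl topology update delay (secs)'  = 300   # default from Recipe 11.30
}

function Get-KccTimer {
    # Report the effective value of both timers on each DC; an absent value means the default applies.
    [CmdletBinding()]
    param([string[]] $ComputerName = $env:COMPUTERNAME)

    Invoke-Command -ComputerName $ComputerName -ArgumentList $NtdsParams, $KccTimers -ScriptBlock {
        param($path, $defaults)
        $props = Get-ItemProperty -Path $path
        foreach ($name in $defaults.Keys) {
            $set = $null -ne $props.$name
            [pscustomobject]@{
                Value      = $name
                Configured = $set
                Seconds    = if ($set) { [int]$props.$name } else { $defaults[$name] }
                Default    = $defaults[$name]
            }
        }
    } | Select-Object PSComputerName, Value, Configured, Seconds, Default
}

function Set-KccTimer {
    # Writes one timer as REG_DWORD on the local DC; run Get-KccTimer afterwards to confirm.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [ValidateSet('Repl topology update period (secs)', 'Repl topology update delay (secs)')]
        [string] $Name = 'Repl topology update period (secs)',
        # Sanity bound (my choice): no less than a second, no more than a day
        [Parameter(Mandatory)] [ValidateRange(1, 86400)] [int] $Seconds
    )
    if ($PSCmdlet.ShouldProcess("$NtdsParams\$Name", "Set REG_DWORD to $Seconds")) {
        # -Force creates the value if missing or overwrites the existing one
        New-ItemProperty -Path $NtdsParams -Name $Name -Value $Seconds -PropertyType DWord -Force | Out-Null
    }
}

# Usage:
# Get-KccTimer -ComputerName dc01, dc02 | Format-Table
# Set-KccTimer -Seconds 900 -WhatIf        # preview returning to the default interval
# Set-KccTimer -Seconds 900                # prompts, then writes
```

A Configured = True row whose Seconds differs from Default is the thing to investigate: a longer period delays topology repair after a DC or site change, and a longer startup delay leaves a freshly rebooted DC without updated connections for that much longer.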

11.30.4 See Also

MS KB 271988 (Replication Topology Updates)

Posted: 05/07/2014, 08:20