{"id":832,"date":"2012-07-25T23:46:42","date_gmt":"2012-07-25T23:46:42","guid":{"rendered":"http:\/\/microsoftgeek.com\/?p=832"},"modified":"2012-07-25T23:46:42","modified_gmt":"2012-07-25T23:46:42","slug":"active-directory-troubleshooting-basics","status":"publish","type":"post","link":"https:\/\/microsoftgeek.com\/?p=832","title":{"rendered":"Active Directory Troubleshooting Basics"},"content":{"rendered":"<p>In this article we will cover ways to monitor and troubleshoot common problems with Active Directory. Listing every way to troubleshoot Active Directory could easily fill a three-volume book set, so this series covers the most common issues and their solutions. Whether you are already a pro or just a beginner, these tips should serve you well. This first article covers replication traffic and how to monitor and troubleshoot it, with tips and tools.<\/p>\n<h2>Monitoring and Troubleshooting Active Directory Replication<\/h2>\n<p>Replication is the process of keeping duplicate copies of the same data on different systems in step with each other. In a directory service such as Active Directory, every domain controller carries a copy of the directory database, so a client always has a nearby domain controller to contact and its requests do not have to cross the wide area network (WAN). Active Directory replication runs inside the directory service component of the security subsystem, Ntdsa.dll, which is accessed through the Lightweight Directory Access Protocol (LDAP). Ntdsa.dll runs as part of the Local Security Authority (LSA), the Lsass.exe process. Updates between domain controllers are transported over Internet Protocol (IP) by the remote procedure call (RPC) protocol; this replication traffic is authenticated with Kerberos between the domain controllers\u2019 computer accounts and encrypted at the RPC layer, so directory contents do not cross the wire in the clear. 
The Simple Mail Transfer Protocol (SMTP) can also be used as a transport, but only for inter-site replication of the schema, configuration and global catalog partitions, never the domain partition, so RPC over IP is what you will almost always see.<\/p>\n<p>With Active Directory, a copy of the directory database is stored and kept up to date on every participating domain controller on your network. In a perfect world every copy is identical and all domain controllers are synchronized. When you install Active Directory, even with all the default settings, replication from domain controller to domain controller is automatic and practically transparent; most of the time domain controllers handle it without advanced configuration and without a problem.<\/p>\n<p>In figure 1 you can see a common network (two sites connected via a WAN link) with a domain controller in each location. The benefit of having a domain controller local to the PCs on each network segment is twofold: requests to the domain controller stay local, which speeds them up, and if the WAN link drops the local PCs can still find a domain controller to use. 
Keeping traffic off the wide area network (WAN) and contained on the local area network (LAN) is the best design practice you can implement.<\/p>\n<blockquote dir=\"ltr\"><p><img decoding=\"async\" src=\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0021135008938343.JPG\" border=\"0\" alt=\"\" hspace=\"0\" align=\"bottom\" \/><br \/>\n<strong>Figure 1:<\/strong> A Common Wide Area Network (WAN)<\/p><\/blockquote>\n<p>As a systems administrator you should still monitor and analyze Active Directory performance. The health and performance of Active Directory depend on a smooth replication process. If replication is having problems you will know not only from the errors logged in Event Viewer but from poor performance as well. You cannot stop every problem from occurring, but after reading this article you should be better equipped to handle issues and keep your network optimized for the traffic traversing it.<\/p>\n<p>Consider a common problem such as a failed network link. In figure 2 you see that the main wide area network link has been broken.<\/p>\n<blockquote dir=\"ltr\"><p><img decoding=\"async\" src=\"http:\/\/www.windowsnetworking.com\/img\/upl\/image0031135008938343.JPG\" border=\"0\" alt=\"\" hspace=\"0\" align=\"bottom\" \/><br \/>\n<strong>Figure 2:<\/strong> A Failed Network Link<\/p><\/blockquote>\n<p>ISPs and telecom service providers occasionally have problems and service can be interrupted. This stops the communication between domain controllers and therefore severs the replication process, which prevents the synchronization of information between them and, if the outage lasts longer than the tombstone lifetime, can leave lingering objects that need manual cleanup.<\/p>\n<p>A good way to make sure this doesn\u2019t happen is to set up a backup link (such as ISDN, as seen in figure 2). 
ISDN (Integrated Services Digital Network) is a digital WAN technology used to connect sites. Today it is more commonly used for disaster recovery, but it still has a place in the marketplace. You don\u2019t have to limit yourself to any one technology for a backup link: a fractional or full T1, a DSL line, or any other technology that gives you redundant links will do. The goal is to keep your domain controllers in constant communication with each other so that the Active Directory database stays synchronized and healthy. A common symptom of replication problems is information that is not updated on some or all domain controllers. For example, a systems administrator creates a user account on one domain controller, but the change is not propagated to the others. In most environments this is a potentially serious problem because it affects network security (an account you disable on one domain controller can keep logging on through the others until the change replicates) and can prevent authorized users from accessing the resources they require. You can take several steps to troubleshoot Active Directory replication; each is discussed in the following sections.<\/p>\n<h2>Verifying Network Connectivity<\/h2>\n<p>For replication to work properly in a distributed environment you must have network connectivity. Ideally all domain controllers would be connected by high-speed, redundant LAN or WAN links, but this is rarely the case in larger deployments, and many companies rely on slow WAN links with no backup path. Always make sure your network topology is documented and tested to ensure that it is connected. There are many tools you can use to verify connectivity, such as ping and tracert, which ship with just about every operating system that runs TCP\/IP. Keep in mind that both rely on ICMP, which firewalls often filter: a failed ping does not prove that replication traffic is blocked, and a successful ping does not prove that the TCP ports replication needs are open.<\/p>\n<p>In real world deployments, dial-up and slow connections are common. 
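<\/p>\n<p>Ping proves only that ICMP gets through. The PowerShell script below is an added example rather than code from the original article: run on one domain controller, it resolves the partner\u2019s replication CNAME (the DSA GUID record under _msdcs by which replication partners are located), probes the fixed TCP ports listed in the port table later in this article, and finishes with repadmin \/bind, which exercises the endpoint mapper and the dynamic RPC port together. It assumes Windows Server 2012 R2 or later with the ActiveDirectory and NetTCPIP modules; the partner name DC02.corp.example.com is a placeholder.<\/p>\n<pre>
```powershell
# Added example, not part of the original article.
# Checks that this domain controller can locate and reach one replication partner.
# Assumes Windows Server 2012 R2 or later (ActiveDirectory + NetTCPIP modules) and
# that repadmin.exe is present, which it is on every domain controller.
param(
    [string]$Partner = 'DC02.corp.example.com'   # assumed partner DC name; replace with yours
)
Import-Module ActiveDirectory

# 1. Name resolution. A partner is located through the CNAME DSAGUID._msdcs.FORESTROOT,
#    which points at the partner host record, so resolve that rather than only the host name.
$forest  = (Get-ADForest).RootDomain
$dc      = Get-ADDomainController -Identity $Partner
$dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
$cname   = '{0}._msdcs.{1}' -f $dsaGuid, $forest
$dns     = Resolve-DnsName -Name $cname -ErrorAction SilentlyContinue
if (-not $dns) {
    Write-Warning ('Cannot resolve {0}; fix DNS before looking at anything else' -f $cname)
} else {
    $addrs = ($dns | Where-Object Type -eq 'A').IPAddress -join ', '
    Write-Host ('{0} resolves to {1}' -f $cname, $addrs)
}

# 2. Fixed ports. Test-NetConnection probes TCP only; Kerberos, LDAP and DNS also use UDP
#    on the same port numbers, which a TCP probe cannot confirm.
$ports = [ordered]@{
    'RPC endpoint mapper' = 135
    'DNS'                 = 53
    'Kerberos'            = 88
    'LDAP'                = 389
    'LDAP over SSL'       = 636
    'SMB'                 = 445
    'Global catalog'      = 3268
    'Global catalog SSL'  = 3269
}
$results = foreach ($name in $ports.Keys) {
    $open = Test-NetConnection -ComputerName $Partner -Port $ports[$name] -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Service = $name; Port = $ports[$name]; Open = $open }
}
$results | Format-Table -AutoSize

# 3. The replication endpoint itself is a dynamic high port handed out by the endpoint mapper
#    (49152-65535 by default on Server 2008 and later), so a fixed-port probe cannot cover it.
#    repadmin /bind walks the whole RPC path, endpoint mapper plus dynamic port, and is the definitive test.
$bind = repadmin /bind $Partner
if ($LASTEXITCODE -eq 0) { Write-Host ('repadmin /bind {0}: OK' -f $Partner) }
else { Write-Warning ('repadmin /bind {0} failed: {1}' -f $Partner, ($bind -join ' ')) }
```
<\/pre>\n<p>If step 1 fails, stop there: the partner can be perfectly reachable and replication will still not start, because the requesting domain controller never finds out which host to talk to. If the fixed ports are open but repadmin \/bind fails, the dynamic range is the first thing to check on the firewall.<\/p>\n<p>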
If you have verified that your replication topology is set up properly, confirm that your servers are able to communicate over the network. Problems such as a failed dial-up connection attempt can prevent important Active Directory information from being replicated. The links section at the end of this article covers how to use ping and other ICMP-based troubleshooting tools.<\/p>\n<h2>Verifying Router and Firewall Configurations<\/h2>\n<p>When building a secure network, controls are usually placed on network devices to filter the traffic flowing from place to place. The most commonly used control is a firewall; a router or any other device with a firewall feature set, or some other form of access control that restricts which hosts can talk to each other, can also be used. A firewall is usually dedicated to protecting the perimeter and is designed for that job. Do not assume that a firewall removes the risk of being attacked; it only reduces it.<\/p>\n<p>Firewalls restrict the types of traffic that can pass between networks. Their main purpose is to increase security by preventing unauthorized hosts from transferring information, but in some cases a company firewall blocks the very traffic that Active Directory replication needs. For example, if a router or firewall blocks SMTP, replication that uses that transport will fail; if it blocks the RPC endpoint mapper or the dynamic RPC port range, RPC replication fails in the same way.<\/p>\n<h2>Network Ports Used by Active Directory Replication<\/h2>\n<p>RPC replication uses dynamic port mapping by default. To find the replication endpoint, the RPC client on the requesting domain controller contacts the RPC endpoint mapper on the partner at the well-known port TCP 135, and the endpoint mapper replies with the high port on which the directory service is listening. That port is allocated from the dynamic range, which is TCP 49152 to 65535 on Windows Server 2008 and later (1025 to 5000 on earlier versions). If your firewalls cannot open the whole range, you can pin replication to a single port by setting the REG_DWORD value TCP\/IP Port under HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters on each domain controller and opening only that port. 
Because the endpoint mapper hands out the port, a client never needs to know in advance which port replication will use; it just works, as long as the firewall permits the range. Other ports are also used between domain controllers and by the clients that depend on them. They are as follows:<\/p>\n<blockquote dir=\"ltr\">\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td width=\"211\" valign=\"top\">Protocol<\/td>\n<td width=\"379\" valign=\"top\">Port<\/td>\n<\/tr>\n<tr>\n<td width=\"211\" valign=\"top\">RPC endpoint mapper<\/td>\n<td width=\"379\" valign=\"top\">tcp 135<\/td>\n<\/tr>\n<tr>\n<td width=\"211\" valign=\"top\">RPC replication endpoint (dynamic)<\/td>\n<td width=\"379\" valign=\"top\">tcp 49152 to 65535 (Server 2008 and later)<br \/>\ntcp 1025 to 5000 (earlier versions)<\/td>\n<\/tr>\n<tr>\n<td width=\"211\" valign=\"top\">LDAP<\/td>\n<td width=\"379\" valign=\"top\">udp 389<br \/>\ntcp 389<\/td>\n<\/tr>\n<tr>\n<td width=\"211\" valign=\"top\">LDAP (SSL)<\/td>\n<td width=\"379\" valign=\"top\">tcp 636<\/td>\n<\/tr>\n<tr>\n<td width=\"211\" valign=\"top\">Kerberos<\/td>\n<td width=\"379\" valign=\"top\">udp 88<br \/>\ntcp 88<\/td>\n<\/tr>\n<tr>\n<td width=\"211\" valign=\"top\">DNS<\/td>\n<td width=\"379\" valign=\"top\">udp 53<br \/>\ntcp 53<\/td>\n<\/tr>\n<tr>\n<td width=\"211\" valign=\"top\">SMB over IP<\/td>\n<td width=\"379\" valign=\"top\">tcp 445<\/td>\n<\/tr>\n<tr>\n<td width=\"211\" valign=\"top\">Global Catalog Server<\/td>\n<td width=\"379\" valign=\"top\">tcp 3268<br \/>\ntcp 3269 (SSL)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/blockquote>\n<h2>Examining the Event Logs<\/h2>\n<p>Errors, when they occur, show up in the Event Viewer logs. At the end of this article I have placed a link to the Microsoft website explaining how to use Event Viewer. Event Viewer can be very helpful when trying to locate and resolve a replication problem, because many errors are reported there for your review.<\/p>\n<p>Whenever a replication error occurs, the domain controller writes events to the Directory Service event log. SYSVOL is replicated separately, by the File Replication Service (FRS) or, on newer domains, DFS Replication, and those services write to their own event logs, so keep the two apart when diagnosing a problem. Using the Event Viewer administrative tool you can quickly and easily view the details associated with any replication problem. 
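<\/p>\n<p>The following PowerShell is an added example, not part of the original article: it queries the Directory Service log on a list of domain controllers for the replication event IDs discussed in this article (plus two other common ones, 1925 and 2042) and summarizes them per domain controller and event ID. The domain controller names are placeholders, and the caller is assumed to have rights to read the logs remotely.<\/p>\n<pre>
```powershell
# Added example, not part of the original article.
# Pulls recent replication events from the Directory Service log of each listed DC.
# Assumes the caller can read event logs on the DCs remotely (Event Log Readers or admin rights).
$DCs  = 'DC01', 'DC02'          # assumed DC names; replace with yours
$days = 7
# 1311 and 1265 are the IDs discussed in this article; 1925 (failed to establish a replication
# link) and 2042 (too long since last replication) are two other common replication events.
$ids  = 1311, 1265, 1925, 2042

$events = foreach ($dc in $DCs) {
    $filter = @{ LogName = 'Directory Service'; Id = $ids; StartTime = (Get-Date).AddDays(-$days) }
    # Get-WinEvent raises an error rather than returning nothing when no event matches,
    # hence SilentlyContinue; a DC that cannot be reached is also skipped silently here.
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                DC      = $dc
                Time    = $_.TimeCreated
                Id      = $_.Id
                Summary = ($_.Message -split [Environment]::NewLine)[0]   # first line of the message
            }
        }
}

if (-not $events) {
    'No replication events with IDs {0} in the last {1} days' -f ($ids -join ','), $days
} else {
    $events | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
    # A per-DC, per-ID count is usually the quickest way to see which link is the problem.
    $events | Group-Object DC, Id | Select-Object Count, Name | Format-Table -AutoSize
}
```
<\/pre>\n<p>Run it from a management host rather than from a domain controller whose own connectivity is in doubt, and widen the list of IDs once you know which ones your environment produces; the filter hashtable is the only thing that needs to change.<\/p>\n<p>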
For example, if one domain controller is not able to communicate with another to transfer changes, a log entry is created.<\/p>\n<p>You may receive events such as:<\/p>\n<ul type=\"disc\">\n<li>Event ID 1311 in the Directory Service log<\/li>\n<li>Event ID 1265 with the error &#8220;DNS Lookup Failure&#8221; or &#8220;RPC server is unavailable&#8221; in the Directory Service log, or &#8220;DNS Lookup Failure&#8221; or &#8220;Target account name is incorrect&#8221; reported by the repadmin command<\/li>\n<li>Event ID 1265 with &#8220;Access denied&#8221; in the Directory Service log, or &#8220;Access denied&#8221; reported by the repadmin command<\/li>\n<\/ul>\n<p>&#8220;Access denied&#8221; and &#8220;Target account name is incorrect&#8221; point at the authentication between the two domain controllers rather than at the link: replication RPC is authenticated with Kerberos using the domain controllers\u2019 computer accounts, so check clock skew between the two machines, DNS records that resolve the partner name to the wrong host, and the partner\u2019s secure channel before you suspect the network itself.<\/p>\n<blockquote dir=\"ltr\"><p><strong>Note:<\/strong><br \/>\nThe link at the end of the article explains these specific errors and more.<\/p><\/blockquote>\n<h2>Verifying Site Links<\/h2>\n<p>Before domain controllers in different sites can communicate with each other, the sites must be connected by site links. If replication between sites is not occurring properly, verify that the proper site links are in place. You can do this with the Replication Diagnostics tool (Repadmin.exe): repadmin \/showrepl displays inbound connections and the result of the last replication attempt on each, and repadmin \/queue displays the pending replication queue. The tool is available through the link at the end of this article.<\/p>\n<h2>Verifying That Information Is Synchronized<\/h2>\n<p>It is easy to forget to perform manual checks on the replication of Active Directory information. One reason is that every domain controller has its own read\/write copy of the Active Directory database, so if connectivity does not exist you will not see a failure when creating new objects; the change simply stays on the one domain controller.<\/p>\n<p>It is important to periodically verify that objects have been synchronized between domain controllers. 
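<\/p>\n<p>One way to do this without eyeballing OUs, added here as an example and not taken from the original article, is to pick one object you control, change an attribute on one domain controller, and then compare the replication metadata for that attribute on every domain controller in the domain: a copy that has not received the change shows an older version number. The object DN and attribute below are placeholders; the script assumes the ActiveDirectory module of Windows Server 2012 or later.<\/p>\n<pre>
```powershell
# Added example, not part of the original article.
# Compares the replication metadata of one object on every DC in the domain, so a change that
# has not replicated shows up as a version mismatch instead of having to be found by eye.
# Assumes the ActiveDirectory module (Server 2012 or later) and an object you control.
$Identity = 'CN=repl-canary,OU=Monitoring,DC=corp,DC=example,DC=com'   # assumed canary object
$Attr     = 'description'   # attribute you change on one DC to test, e.g. set it to the current time

$rows = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $md = Get-ADReplicationAttributeMetadata -Object $Identity -Server $dc -Properties $Attr -ErrorAction Stop
        [pscustomobject]@{
            DC                = $dc
            Reachable         = $true
            Version           = $md.Version
            LastOriginating   = $md.LastOriginatingChangeTime
            OriginatingServer = $md.LastOriginatingChangeDirectoryServerIdentity
        }
    } catch {
        # A DC that cannot be queried is reported, not skipped; hiding it would hide the problem you are hunting.
        [pscustomobject]@{ DC = $dc; Reachable = $false; Version = $null; LastOriginating = $null; OriginatingServer = $null }
    }
}
$rows | Format-Table -AutoSize

$versions = @($rows | Where-Object Reachable | Select-Object -ExpandProperty Version -Unique)
if ($versions.Count -gt 1) {
    Write-Warning ('{0} on {1} has not converged: versions {2}' -f $Attr, $Identity, ($versions -join ', '))
} elseif ($rows | Where-Object { -not $_.Reachable }) {
    Write-Warning 'Some domain controllers could not be queried; their state is unknown'
} else {
    Write-Host ('{0} is at version {1} on all {2} domain controllers' -f $Attr, $versions[0], $rows.Count)
}
```
<\/pre>\n<p>Because the metadata records which domain controller originated each change and when, the same output also tells you where an unexpected modification came from, which makes a canary object useful for spotting changes that nobody admits to making, not only stalled replication.<\/p>\n<p>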
This process might be as simple as logging on to a different domain controller and looking at the objects within a specific OU. This manual check, although tedious, can catch inconsistencies in the information stored on domain controllers that would otherwise grow over time into an administration and security nightmare.<\/p>\n<h2>Verifying Authentication Scenarios<\/h2>\n<p>A common configuration issue is clients being forced to authenticate across slow network connections. The primary symptom is users complaining about how long it takes to log on to Active Directory (especially during periods of high authentication volume, such as the beginning of the workday). Usually you can alleviate this problem by adding domain controllers or reconfiguring the site topology. A good way to test is to walk through the possible scenarios for the clients you support, such as \u201ca client in Domain A is trying to authenticate using a domain controller in Domain B, which is located across a very slow WAN connection\u201d; doing so helps pinpoint potential problem areas.<\/p>\n<h2>Verifying the Replication Topology<\/h2>\n<p>The Active Directory Sites and Services tool lets you verify that a replication topology is logically consistent. Right-click the NTDS Settings object under a server object and choose All Tasks =&gt; Check Replication Topology; this runs the Knowledge Consistency Checker (KCC) on that domain controller, and if any errors are present a dialog box alerts you to the problem.<\/p>\n<p>Besides ensuring that replication keeps running, you should also monitor it. There are several ways to monitor the behavior of Active Directory replication and troubleshoot the process if problems occur. 
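<\/p>\n<p>The PowerShell below is an added example rather than code from the original article. It combines three of the checks described above: the inbound replication status of every domain controller in the domain (the same data repadmin \/showrepl reports), the site links that are supposed to join the sites, and the connection objects the Knowledge Consistency Checker actually built. It assumes the ActiveDirectory module of Windows Server 2012 or later and domain administrator rights; the equivalent repadmin switches are noted in the comments for domain controllers where the module is unavailable.<\/p>\n<pre>
```powershell
# Added example, not part of the original article.
# Three checks in one pass: inbound replication status of every DC in the domain, the site links
# that are supposed to join the sites, and the connection objects the KCC actually built.
# Assumes the ActiveDirectory module (Server 2012 or later) and domain admin rights.
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

# Helper: turn an NTDS Settings DN (CN=NTDS Settings,CN=DC02,CN=Servers,...) into the server name.
function Get-ServerNameFromNtdsDn([string]$Dn) { ($Dn -split ',')[1] -replace '^CN=' }

# 1. Inbound partner status. A non-zero ConsecutiveReplicationFailures, or a LastReplicationSuccess
#    approaching the tombstone lifetime, is the condition the event IDs above warn about.
#    repadmin equivalent: repadmin /showrepl * /csv (pipe through ConvertFrom-Csv), or repadmin /replsummary.
Get-ADReplicationPartnerMetadata -Target $domain -Scope Domain -PartnerType Inbound |
    Select-Object Server,
                  @{ n = 'Partner'; e = { Get-ServerNameFromNtdsDn $_.Partner } },
                  Partition, LastReplicationSuccess, ConsecutiveReplicationFailures, LastReplicationResult |
    Sort-Object ConsecutiveReplicationFailures -Descending |
    Format-Table -AutoSize

# 2. Site links: which sites each link joins, its cost and its schedule. A site that appears in no
#    link, or only in a link with an unexpected cost, is a usual cause of event 1311.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
                  @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize

# 3. Connection objects, the result of the KCC topology calculation (what Sites and Services shows
#    under NTDS Settings). Manually created connections (AutoGenerated = False) deserve a second look,
#    because the KCC will not repair them when the topology changes.
Get-ADReplicationConnection -Filter * |
    Select-Object @{ n = 'From'; e = { Get-ServerNameFromNtdsDn $_.ReplicateFromDirectoryServer } },
                  @{ n = 'To';   e = { Get-ServerNameFromNtdsDn $_.ReplicateToDirectoryServer } },
                  AutoGenerated |
    Sort-Object To |
    Format-Table -AutoSize

# Pending inbound work on the local DC, for completeness: repadmin /queue
```
<\/pre>\n<p>Read the three tables together: a partner with mounting failures, a site missing from every site link, and a domain controller with no inbound connection object are three views of the same broken topology, and the first table tells you which domain controller\u2019s Directory Service log to open next.<\/p>\n<p>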
In our next article we will look at the Replication Monitor, and part III of this series will cover System Monitor.<\/p>\n<h2>Summary<\/h2>\n<p>In this article we covered the basics of replication: how it works, how to verify and troubleshoot it, and what you can do to ensure that your Active Directory topology is healthy.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this article we will cover ways to monitor and troubleshoot common problems with Active Directory. Although listing ways to troubleshoot Active Directory could easily span into a 3 volume book set, we will cover the most common issues and solutions here within these articles. Whether you are already a pro, or just a beginner [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42],"tags":[],"class_list":["post-832","post","type-post","status-publish","format-standard","hentry","category-ad"],"_links":{"self":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/832","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=832"}],"version-history":[{"count":1,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/832\/revisions"}],"predecessor-version":[{"id":833,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=\/wp\/v2\/posts\/832\/revisions\/833"}],"wp:attachment":[{"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=832"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href
":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=832"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microsoftgeek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=832"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}