This is the Title of the Book, eMatter Edition
Copyright © 2008 O’Reilly & Associates, Inc. All rights reserved.
Chapter 5: Active Directory
Viewing highest USNs
By simply adding the /verbose switch to the command that views replication partners, you can see what the current server thinks is the highest USN for each partner. For example:
repadmin /showrepl /verbose server1,dc=com
For each replication partner, the number before the /OU indicator is the highest USN from that particular partner that the current server has encountered.
Pressing the Big Red Button
If you want to replicate now, not later, you can use one of two options with REPADMIN. To force replication between any two domain controllers, use the command repadmin /replicate targetcomputer sourcecomputer <LDAP-naming-context>. For example, to force replication from SERVER3 to SERVER2, issue this command:
repadmin /replicate server2 server3,dc=com
To initiate replication among all partners, use repadmin /syncall servername <LDAP-naming-context>. So, if I wanted to force replication among all of SERVER2’s partners in the domain, I’d use the following command:
repadmin /syncall server2 dc=jonathanhassell,dc=com
Among Sites: Spanning Trees and Site Links
Although Active Directory uses loops and meshes to create and manage replication topologies within a particular site, using that many links across an expensive WAN connection can cost you dearly as well as take a lot of time. For that reason, when Active Directory replicates between sites, it uses a minimal spanning tree—in other words, a tree with as few branches as possible to span the link between multiple
Let’s use an example environment, with two servers in a site called MAIN (representing the headquarters in Charlotte) and a single domain controller in another site, called WEST (located in San Francisco). Recall that the KCC facility creates replication topologies within sites automatically—you, the administrator, do not have to intervene. Replication between sites isn’t as simple; Active Directory needs to know several things about your individual sites before it can figure out how to replicate traffic among them.
Understanding Directory Replication
Site links
By creating site links, you give Active Directory three key pieces of information it needs to know before it can determine the most efficient way to force replication traffic across your sites:
Which connection, if there is more than one, to use for replication to the destination site
The persistency of that connection
How the replication should take place—either using RPC in real time, or through SMTP
Let’s discuss the third bit of information first: Active Directory will allow you to create links over IP (using RPC calls) or via SMTP for less reliable or less secure connections. Unfortunately, SMTP-based site links are extremely limited in functionality. For one, SMTP links will only transfer updates to the forest schema naming context and configuration naming context; they will not perform cross-site domain controller information updates. Also, you need a secure mail server, hardened against outside interception using encryption and certificates, to transfer even that bit of information. For these reasons, the vast majority of site links you create will be IP-based links.
Returning to our example, let’s create a site link between MAIN and WEST. To do so, follow these steps:
1. Open Active Directory Sites and Services.
2. Expand the MAIN node in the left pane, and then expand the Inter-Site Transports folder.
3. Right-click IP, and select Site Link from the New menu.
4. The screen in Figure 5-47 appears.
5. Enter a friendly name for the site link in the Name box.
6. Choose the sites you want to include in this link. A link must include two or more sites, and you can shift sites back and forth using the Add and Remove buttons in the middle of the screen. For our purposes, make sure MAIN and WEST are in the box labeled Sites in this site link. Click OK.
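The same MAIN-WEST site link can be created from the command line. The script below is an added example and is not part of the book: it uses the ActiveDirectory PowerShell module (available with the RSAT tools on Windows Server 2012 / Windows 8 and later, not the Windows Server 2003 tooling the book describes). The site names MAIN and WEST come from the text; the link name, cost and replication interval are assumed values to adapt to your own environment.

```powershell
# Added example, not from the book: build the MAIN-WEST IP site link with the
# ActiveDirectory module instead of the Sites and Services GUI.
# Assumes the RSAT ActiveDirectory module is installed and you have rights to
# modify the Configuration naming context (Enterprise Admins or delegated).
Import-Module ActiveDirectory

$linkName = 'MAIN-WEST'   # assumed friendly name; the GUI asks for the same thing

# Create the IP (RPC-based) site link; SMTP links are limited as the text explains.
# Cost and frequency are assumed starting values, not book-supplied numbers.
New-ADReplicationSiteLink -Name $linkName `
    -SitesIncluded 'MAIN', 'WEST' `
    -InterSiteTransportProtocol IP `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 15

# Verify the result: the link should list exactly MAIN and WEST plus the cost set above.
$link = Get-ADReplicationSiteLink -Identity $linkName `
    -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded

# SitesIncluded returns site distinguished names; trim them down to the site CN
$siteNames = $link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }

[pscustomobject]@{
    Name      = $link.Name
    Cost      = $link.Cost
    Interval  = $link.ReplicationFrequencyInMinutes
    Sites     = ($siteNames -join ', ')
}
```

Run this once from a machine with the AD module loaded; the trailing object is the same information you would check on the Properties sheet of the new link.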
To further configure the site link, right-click the new link in the IP folder of the left pane of Active Directory Sites and Services. Choose Properties, and the screen in Figure 5-48 will appear.
This screen contains three critical items. First, the Cost field allows you to determine a cost quotient—in essence, an index of the expense of using a connection—for each site link you create. If you have more than one site link, Active Directory will choose the lowest-cost link to perform the replication. Unfortunately, Microsoft doesn’t give
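To make the lowest-cost rule concrete, here is an added example (not from the book) that models how a route between two sites falls out of site-link costs. The site links, site names and costs are constructed sample data; in a real forest you would feed it the output of Get-ADReplicationSiteLink. It treats every pair of sites in one link as directly reachable at that link’s cost (which is how a multi-site link behaves) and assumes site links are bridged, which is the default, so a cheaper multi-hop route can beat a more expensive direct link.

```powershell
# Added example, not from the book: pick the cheapest route between two sites
# given a set of site links with costs. Sample data only; names and costs are
# constructed for illustration.
function Get-CheapestSitePath {
    param(
        [Parameter(Mandatory)] [hashtable[]] $SiteLinks,  # each: @{ Name; Sites = @(...); Cost }
        [Parameter(Mandatory)] [string] $From,
        [Parameter(Mandatory)] [string] $To
    )

    # Adjacency list: site -> edges to every other site that shares a link with it
    $adj = @{}
    foreach ($link in $SiteLinks) {
        foreach ($a in $link.Sites) {
            if (-not $adj.ContainsKey($a)) { $adj[$a] = @() }
            foreach ($b in $link.Sites) {
                if ($a -ne $b) {
                    $adj[$a] += @{ Site = $b; Cost = [int]$link.Cost; Link = $link.Name }
                }
            }
        }
    }

    # Dijkstra: total cost from $From to each site reached so far
    $dist = @{}
    $dist[$From] = 0
    $prev = @{}
    $visited = @{}
    while ($true) {
        # cheapest unvisited site, or nothing left to expand
        $current = $dist.Keys |
            Where-Object { -not $visited[$_] } |
            Sort-Object { $dist[$_] } |
            Select-Object -First 1
        if (-not $current -or $current -eq $To) { break }
        $visited[$current] = $true
        foreach ($edge in $adj[$current]) {
            $alt = $dist[$current] + $edge.Cost
            if (-not $dist.ContainsKey($edge.Site) -or $alt -lt $dist[$edge.Site]) {
                $dist[$edge.Site] = $alt
                $prev[$edge.Site] = @{ Site = $current; Link = $edge.Link }
            }
        }
    }
    if (-not $dist.ContainsKey($To)) { return $null }   # no chain of links reaches $To

    # Walk back from the destination to list the hops (and which link each hop used)
    $hops = @()
    $cursor = $To
    while ($cursor -ne $From) {
        $step = $prev[$cursor]
        $hops += "$($step.Site) -> $cursor via $($step.Link)"
        $cursor = $step.Site
    }
    [array]::Reverse($hops)

    [pscustomobject]@{ From = $From; To = $To; TotalCost = $dist[$To]; Hops = $hops }
}

# Constructed sample topology: a direct MAIN-WEST link on an expensive line (cost 300)
# versus two cheaper hops through an assumed hub site DALLAS (cost 100 each).
$sampleLinks = @(
    @{ Name = 'MAIN-WEST-Direct'; Sites = @('MAIN', 'WEST');   Cost = 300 },
    @{ Name = 'MAIN-DALLAS';      Sites = @('MAIN', 'DALLAS'); Cost = 100 },
    @{ Name = 'DALLAS-WEST';      Sites = @('DALLAS', 'WEST'); Cost = 100 }
)

Get-CheapestSitePath -SiteLinks $sampleLinks -From 'MAIN' -To 'WEST'
# With these numbers the two-hop route (total 200) beats the direct link (300),
# so MAIN->DALLAS->WEST is the route chosen, not the link named MAIN-WEST-Direct.
```

Raising the direct link’s cost or lowering the hub links is the same lever the Cost field on the Properties sheet gives you; the function makes the consequence visible before you change production site links.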