Initiating Replication Between AD Direct Replication Partners

Guest

I have a need to allow level one and two support to replicate dc's, what
(specific) rights are necessary to run the Repadmin.exe tool from the Windows
2000 Support Tools suite?
 
Cary Shultz [A.D. MVP]

Chadwic,

I might be a bit off on this but you usually need to be a member of the
Enterprise Admins to do this. What is it that needs to be done by the level
one and level two Tech Support people that they need to replicate Domain
Controllers? This is normally handled by AD itself. In Intrasite
Replication it is usually every 15 minutes ( with some things being a bit
less ) and in Intersite Replication it is every three hours.

HTH,

Cary
 
Glenn L

There are ACLs you must grant, and one optional one.
You must grant these ACLs on the domain object in each domain.
Required:
replicate directory changes
replicate directory changes all
replication synchronization

optional:
monitor active directory replication

It's been a while since I validated this, but I think this is all that is
required.
 
ptwilliams

I'm wondering if that'll work. By default, the inter-site connection
objects generated by the KCCs/ ISTG replicate not just the domain partition,
but also the enterprise partitions and GC if applicable. I don't know if
this will work without granting permissions to those partitions as well...


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
 
Glenn L

Good point...yes, I forgot to consider those partitions.
These three ACLs must be set on the configuration object and the schema
object.
ADSIEDIT.MSC will get you access to these objects.
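Before handing the rights discussed above to a support group, it is worth knowing who already holds them on each of the three partitions. The PowerShell below is an added example, not code from the thread; it assumes the ActiveDirectory module (and therefore the AD: drive) is available on the machine it runs from. It reads the naming-context DNs from the rootDSE, pulls the security descriptor of the domain, configuration and schema heads, and lists every ACE that carries one of the replication extended rights or the blanket "all extended rights" ObjectType. The GUIDs are the rightsGuid values of the corresponding controlAccessRight objects in the schema. Note that "Replicating Directory Changes All" is the right a DC uses to pull secret attributes from its partners, so in normal practice only domain controllers should show up holding it.

```powershell
# Added example (not from the thread): report which principals hold the
# replication extended rights on every naming context in this forest.
Import-Module ActiveDirectory

# rightsGuid values of the replication controlAccessRight objects.
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'       # "Replicating Directory Changes"
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'   # "Replicating Directory Changes All"
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Synchronize'       # "Replication Synchronization"
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Manage-Topology'   # "Manage Replication Topology"
    'f98340fb-7c5b-4cdb-ba25-ec7c6cd6c0e3' = 'DS-Replication-Monitor-Topology'  # "Monitor Active Directory Replication"
}

function Get-ReplicationRightHolders {
    param([string[]]$NamingContexts)

    foreach ($dn in $NamingContexts) {
        # Get-Acl on the AD: drive returns an ActiveDirectorySecurity object
        $acl = Get-Acl -Path ("AD:\" + $dn)

        foreach ($ace in $acl.Access) {
            # Extended rights are ExtendedRight ACEs; ObjectType is the
            # rightsGuid, and an empty GUID means "every extended right".
            $isExtended = ($ace.ActiveDirectoryRights -band
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
            if (-not $isExtended) { continue }

            $guid = $ace.ObjectType.ToString()
            if ($guid -eq [guid]::Empty.ToString()) {
                $name = 'ALL extended rights'
            } else {
                $name = $ReplicationRights[$guid]
            }
            if (-not $name) { continue }   # some other extended right; not of interest here

            [pscustomobject]@{
                Partition = $dn
                Identity  = $ace.IdentityReference.Value
                Right     = $name
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

# The three partitions the thread talks about, discovered from the rootDSE
# rather than typed in by hand.
$rootDse = Get-ADRootDSE
$partitions = @(
    $rootDse.defaultNamingContext,
    $rootDse.configurationNamingContext,
    $rootDse.schemaNamingContext
)

Get-ReplicationRightHolders -NamingContexts $partitions |
    Sort-Object Partition, Identity, Right |
    Format-Table -AutoSize
```

Run it once before granting anything and keep the output; running it again afterwards shows exactly which ACEs the change added, and a periodic run will catch any principal that later acquires these rights on the configuration or schema heads without going through change control.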
 
Guest

Adding the 'Replication Synchronization' permission (along with Read
permission) on the AD container allowed the required group(s) to synch using
the 'repadmin.exe' utility. I have not dealt with AD enough to fully grasp
what is involved with which partitions are being synchronized
(domain/enterprise), so it looks like I have some reading to do.

Thanks to Cary, Glenn and Paul for your help and quick responses.

-chadwic
 
ptwilliams

By default, in Win2000, there are three partitions (or naming contexts in
LDAP-speak). Two are enterprise-wide and are thus considered enterprise
partitions; these are the configuration (sites, subnets, etc.) and schema
(base definitions). The third is the domain-specific domain partition (user
objects, etc.).

The Distributed Systems Guide (2000 RK) covers this, as does the **AWESOME**
Inside Active Directory by Kouti and Seitsonen.

Good luck, it's interesting reading.

Also, looking at things via ADSIEdit or LDP will help you better understand
the depths of the directory...


--

Paul Williams

http://www.msresource.net
http://forums.msresource.net
 
Cary Shultz [A.D. MVP]

Chadwic,

Paul pretty much laid it out for you.

I will expound on this a little bit more so that you have a more clear idea
of what is going on here. There are three Naming Contexts - or Partitions -
in Active Directory: The Schema, the Configuration and the Domain. The
Schema and the Configuration NCs are replicated to each and every Domain
Controller in the entire Forest. So, if you had two Domain Controllers for
three different domains ( nkdsolutions.com, northamerica.nkdsolutions.com
and europe.nkdsolutions.com ) then each of the six Domain Controllers would
get this. Now, for the Domain NC things look a little bit different.
Only the Domain Controllers for each domain get this information. So, the
two Domain Controllers in the nkdsolutions.com domain and only the two
Domain Controllers in the nkdsolutions.com domain would replicate this
specific Domain NC between themselves. Same goes for the two Domain
Controllers in the northamerica.nkdsolutions.com domain and for the two
Domain Controllers in the europe.nkdsolutions.com domain.

BTW, the LDAP-speak for each would be as follows:

Schema Partition: CN=schema,CN=configuration,DC=nkdsolutions,DC=com
Configuration NC: CN=configuration,DC=nkdsolutions,DC=com
Domain Partition: DC=nkdsolutions,DC=com

Domain Partition: DC=northamerica,DC=nkdsolutions,DC=com

Domain Partition: DC=europe,DC=nkdsolutions,DC=com


It is also very important to understand that Active Directory Replication
comes in two flavors: Intrasite and Intersite. Intrasite Replication is the
replication that happens between the DCs in the same Site while Intersite
Replication is the replication that happens between the DCs in different
Sites. Please note that in Intersite Replication the replication between
DCs in different Sites goes through what is called a Bridgehead Server.
Also, please understand that this topology is created by the KCC ( Knowledge
Consistency Checker ) and its sidekick the ISTG. You can turn this off and
create the topology yourself if you so choose. You can also let it do some
things and then manually create other connection objects. Or you can let it
do it all.

An extremely important concept is that AD replication - regardless of
'flavor' - is based on an incoming connection object. So, if there is
replication between DC01 and DC02 then there are actually two connection
objects required: one from DC01 to DC02 and one from DC02 to DC01.

Do yourself a big favor and install the Support Tools on a Domain Controller
( in the lab so that you can play and mess things up without losing your
job! ) and play around with both of the tools that Paul mentioned: ADSIEdit
and LDP. They will make things a whole lot more clear!

HTH,

Cary
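The point above that replication is driven by incoming connection objects is easy to see once you know where they live. The script below is an added example, not code from the thread, and assumes the ActiveDirectory module is available. Each nTDSConnection object sits under the NTDS Settings of the destination DC in the configuration NC (CN=Sites,...), and its fromServer attribute names the NTDS Settings object of the source DC, so a pair of DCs that replicate both ways really does have two objects, one under each. The script walks every connection, reads destination and source from the DN layout, tags each as intrasite or intersite by comparing the site names, and uses bit 0 of the options attribute (NTDSCONN_OPT_IS_GENERATED) to tell KCC-generated connections from manually created ones. It assumes no DC or site name contains an escaped comma, since it splits DNs on commas.

```powershell
# Added example (not from the thread): list every inbound connection object
# in the forest, with its source, destination, scope and origin (KCC or manual).
Import-Module ActiveDirectory

function Get-InboundConnections {
    $configNC = (Get-ADRootDSE).configurationNamingContext

    # All nTDSConnection objects live somewhere under CN=Sites in the config NC.
    $conns = Get-ADObject -SearchBase "CN=Sites,$configNC" `
                          -LDAPFilter '(objectClass=nTDSConnection)' `
                          -Properties fromServer, options, whenCreated

    foreach ($c in $conns) {
        # DN layout of a connection object (destination side):
        #   CN=<conn>,CN=NTDS Settings,CN=<DestDC>,CN=Servers,CN=<DestSite>,CN=Sites,...
        $parts    = $c.DistinguishedName -split ','
        $destDc   = $parts[2] -replace '^CN='
        $destSite = $parts[4] -replace '^CN='

        # fromServer is the DN of the source DC's NTDS Settings object:
        #   CN=NTDS Settings,CN=<SrcDC>,CN=Servers,CN=<SrcSite>,CN=Sites,...
        $src     = $c.fromServer -split ','
        $srcDc   = $src[1] -replace '^CN='
        $srcSite = $src[3] -replace '^CN='

        [pscustomobject]@{
            Destination  = $destDc
            DestSite     = $destSite
            Source       = $srcDc
            SourceSite   = $srcSite
            Scope        = if ($srcSite -eq $destSite) { 'Intrasite' } else { 'Intersite' }
            # options bit 0 (0x1) = NTDSCONN_OPT_IS_GENERATED, i.e. created by the KCC
            KccGenerated = [bool]($c.options -band 1)
            Created      = $c.whenCreated
        }
    }
}

Get-InboundConnections |
    Sort-Object Destination, Source |
    Format-Table -AutoSize
```

Compare the output with what `repadmin /showconn` reports for a given DC: the two should agree, and any connection whose KccGenerated column is False is one somebody created by hand, which is the kind of object worth a second look when a replication topology does something unexpected.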
 
