Server Object GUID (DSA GUID) and Server Database GUID (Invocation ID)


The server object that represents a domain controller in the Sites container of the configuration directory partition has a globally unique identifier (GUID) that identifies it to the replication system as a domain controller. This GUID, called the DSA (Directory System Agent) GUID, is used in USNs to track originating updates. It is also used by domain controllers to locate replication partners. The DSA GUID is the GUID of the NTDS Settings object (class nTDSDSA), which is a child object of the server object. Its value is stored in the objectGUID attribute of the NTDS Settings object.

The DSA GUID is created when Active Directory is initially installed on the domain controller and destroyed only if Active Directory is removed from the domain controller. The DSA GUID ensures that the DSA remains recognizable when a domain controller is renamed. The DSA GUID is not affected by the Active Directory restore process.

The Active Directory database has its own GUID, which the DSA uses to identify the database instance (version of the database). The database GUID is stored in the invocationId attribute on the NTDS Settings object. Unlike the DSA GUID, which never changes for the lifetime of the domain controller, the invocation ID is changed during an Active Directory restore process to ensure replication consistency. For more information about replication following a restore process, see “Active Directory Replication on a Restored Domain Controller” later in this section.

On domain controllers that are running Windows Server 2003, the invocation ID also changes when an application directory partition is removed from or added to the domain controller.
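The distinction above can be turned into a drift check. This is an added example, not part of the original notes: it compares two snapshots of the NTDS Settings values, keyed on the DSA GUID, and reports renames, invocation ID changes, and DSA GUIDs that appeared or disappeared. The function name Compare-DsaSnapshot, the server names and all GUIDs are hypothetical.

```powershell
# Constructed snapshots: every server name and GUID below is made up for illustration.
# On a live forest the values come from each NTDS Settings object (objectGUID, invocationId).
$baseline = @(
    [pscustomobject]@{ Server = 'DC1'; DsaGuid = '11111111-1111-4111-8111-111111111111'; InvocationId = 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa' }
    [pscustomobject]@{ Server = 'DC2'; DsaGuid = '22222222-2222-4222-8222-222222222222'; InvocationId = 'bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb' }
    [pscustomobject]@{ Server = 'DC3'; DsaGuid = '33333333-3333-4333-8333-333333333333'; InvocationId = 'cccccccc-cccc-4ccc-8ccc-cccccccccccc' }
)
$current = @(
    [pscustomobject]@{ Server = 'DC1';    DsaGuid = '11111111-1111-4111-8111-111111111111'; InvocationId = 'aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa' }
    [pscustomobject]@{ Server = 'DC2';    DsaGuid = '22222222-2222-4222-8222-222222222222'; InvocationId = 'dddddddd-dddd-4ddd-8ddd-dddddddddddd' }
    [pscustomobject]@{ Server = 'DC3-HQ'; DsaGuid = '33333333-3333-4333-8333-333333333333'; InvocationId = 'cccccccc-cccc-4ccc-8ccc-cccccccccccc' }
    [pscustomobject]@{ Server = 'DC4';    DsaGuid = '44444444-4444-4444-8444-444444444444'; InvocationId = 'eeeeeeee-eeee-4eee-8eee-eeeeeeeeeeee' }
)

function Compare-DsaSnapshot {
    param([Parameter(Mandatory)][object[]]$Baseline, [Parameter(Mandatory)][object[]]$Current)
    # Small helper that shapes one finding row.
    $finding = { param($dc, $kind, $detail)
        [pscustomobject]@{ Server = $dc.Server; DsaGuid = $dc.DsaGuid; Finding = $kind; Detail = $detail } }
    # Key on the DSA GUID: it survives renames and restores, unlike the name or invocation ID.
    # (@{} hashtables compare string keys case-insensitively, so GUID casing does not matter.)
    $old = @{}; $seen = @{}
    foreach ($b in $Baseline) { $old[$b.DsaGuid] = $b }
    foreach ($c in $Current) {
        $seen[$c.DsaGuid] = $true
        if (-not $old.ContainsKey($c.DsaGuid)) {
            & $finding $c 'NewDsa' 'DSA GUID not in baseline'   # Active Directory installed on a new DC
            continue
        }
        $b = $old[$c.DsaGuid]
        if ($b.Server -ne $c.Server) { & $finding $c 'Renamed' "was $($b.Server)" }
        if ($b.InvocationId -ne $c.InvocationId) {
            # Expected after a restore; worth an alert when no restore was planned.
            & $finding $c 'InvocationIdChanged' "was $($b.InvocationId)"
        }
    }
    foreach ($key in $old.Keys) {
        if (-not $seen.ContainsKey($key)) {
            & $finding $old[$key] 'DsaRemoved' 'DSA GUID no longer present'
        }
    }
}

Compare-DsaSnapshot -Baseline $baseline -Current $current | Format-Table -AutoSize
```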

Determining Changes to Replicate: Update Sequence Numbers

A source domain controller uses USNs to determine what changes have already been received by a destination domain controller that is requesting changes. The destination domain controller uses USNs to determine what changes it needs to request.

The current USN is a 64-bit counter that is maintained by each Active Directory domain controller as the highestCommittedUsn attribute on the rootDSE object. At the start of each update transaction (originating or replicated), the domain controller increments its current USN and associates this new value with the update request.

https://social.technet.microsoft.com/Forums/en-US/46e32fb9-eb6b-4957-a8d7-65601db04d79/repadmin-showutdvec-objects?forum=winserverDS

Nltest command


Command : nltest

Switch name : /DSGETDC:

nltest /dsgetdc:test.com /pdc

nltest /dsgetdc:test.com /kdc

nltest /dsgetdc:test.com /force

nltest /dsgetdc:test.com /TIMESERV

nltest /dsgetdc:test.com /GTIMESERV

nltest /dsgetdc:test.com /dns

Repadmin /showrepl


The repadmin /showrepl command helps you understand the replication topology and replication failures. It reports status for each source domain controller from which the destination has an inbound connection object. The status report is categorized by directory partition.

Replication status is shown only for inbound connections.

repadmin /showrepl

repadmin /showrepl /v

Displays additional information about the source partners from which the destination domain controller performs inbound replication. The information includes fully qualified CNAME, invocation ID, replication flags, and update sequence number (USN) values for originating update and replicated updates.

repadmin /showrepl /conn

Appends a KCC CONNECTION OBJECTS section to the Repadmin output that lists all connections and why they were created.

repadmin /showrepl /conn /intersite

Displays the replication status for connections from domain controllers in remote sites from which the domain controller that is listed in the DSA_LIST parameter performs inbound replication.

repadmin /showrepl /errorsonly

Displays replication status only for source domain controllers with which the destination domain controller encounters replication errors.

repadmin /showconn dc1.test.com

Displays the connection objects for the server.

dcdiag /test:replications

Runs the replication test using dcdiag.

repadmin /showsig server1.microsoft.com

Displays the replication signature for a server.

Repadmin /Queue

Shows how many items are in the queue waiting to be replicated.

PS C:\> repadmin /showvector "cn=schema,cn=configuration,dc=mi,dc=com"
Caching GUIDs.
..
Default-First-Site-Name\MIDC @ USN 561645 @ Time 2019-05-15 16:14:02
Default-First-Site-Name\CHNADC @ USN 127053 @ Time 2019-05-06 13:19:35
PS C:\> repadmin /showvector "dc=mi,dc=com"
Caching GUIDs.
..
Default-First-Site-Name\MIDC @ USN 561645 @ Time 2019-05-15 16:14:04
Default-First-Site-Name\CHNADC @ USN 127053 @ Time 2019-05-06 13:19:35
PS C:\> repadmin /showvector "cn=configuration,dc=mi,dc=com"
Caching GUIDs.
..
Default-First-Site-Name\MIDC @ USN 561645 @ Time 2019-05-15 16:14:08
Default-First-Site-Name\CHNADC @ USN 127053 @ Time 2019-05-06 13:19:35
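In the output above, CHNADC's entry is about nine days older than MIDC's in every partition. The following added example (not part of the original notes) parses /showvector output and flags entries that trail the newest one. The function names ConvertFrom-ShowVector and Find-StaleVectorEntry and the one-day threshold are assumptions.

```powershell
# Output of the "dc=mi,dc=com" run shown above, embedded so the script runs offline.
$showVector = @'
Caching GUIDs.
..
Default-First-Site-Name\MIDC @ USN 561645 @ Time 2019-05-15 16:14:04
Default-First-Site-Name\CHNADC @ USN 127053 @ Time 2019-05-06 13:19:35
'@

function ConvertFrom-ShowVector {
    # Turns "Site\Server @ USN n @ Time yyyy-MM-dd HH:mm:ss" lines into objects;
    # banner lines such as "Caching GUIDs." do not match and are skipped.
    param([Parameter(Mandatory)][string]$Text)
    $pattern = '^(?<Site>[^\\]+)\\(?<Server>.+?)\s+@ USN\s+(?<Usn>\d+)\s+@ Time\s+' +
               '(?<Time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$'
    foreach ($line in ($Text -split '\r?\n')) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Site   = $Matches['Site']
                Server = $Matches['Server']
                Usn    = [long]$Matches['Usn']
                Time   = [datetime]::ParseExact($Matches['Time'],
                             'yyyy-MM-dd HH:mm:ss', [cultureinfo]::InvariantCulture)
            }
        }
    }
}

function Find-StaleVectorEntry {
    # Flags entries whose timestamp trails the newest entry by more than MaxLag.
    param(
        [Parameter(Mandatory)][object[]]$Entry,
        [timespan]$MaxLag = [timespan]::FromDays(1)   # assumed threshold, tune per environment
    )
    $newest = ($Entry | Sort-Object -Property Time -Descending | Select-Object -First 1).Time
    foreach ($e in $Entry) {
        $lag = $newest - $e.Time
        if ($lag -gt $MaxLag) {
            [pscustomobject]@{
                Server  = $e.Server
                Usn     = $e.Usn
                Time    = $e.Time
                LagDays = [math]::Round($lag.TotalDays, 1)
            }
        }
    }
}

$entries = @(ConvertFrom-ShowVector -Text $showVector)
Find-StaleVectorEntry -Entry $entries | Format-Table -AutoSize
```

To check a live domain controller, pipe the command's output in as one string, for example `ConvertFrom-ShowVector -Text ((repadmin /showvector "dc=mi,dc=com") -join "`n")`.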

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc742066%28v%3dws.11%29

https://social.technet.microsoft.com/wiki/contents/articles/50788.active-directory-repadmin-tool.aspx

https://jorgequestforknowledge.wordpress.com/2006/12/09/dsa-guids-and-invocation-ids/

https://premglitz.wordpress.com/2013/12/19/repadmin-examples/

The Authoritative Restore Explained

 

active directory dependent services


Monitoring Windows DFS


DFSDIAG /TestDCs

DFSDiag /TestDCs /Domain:test.com

DFSDIAG /TestSites

Creating a propagation report

Trust tools


NETDOM: Used to establish or break trust types.

netdom trust /?

NETDIAG: The output of this tool can give basic status on trust relationships.

NLTEST: Can be used to verify a trust relationship.

DFS commands


DFS sync between two nodes (PowerShell):

Sync-DfsReplicationGroup -GroupName "college-Repl" -SourceComputerName "node-1" -DestinationComputerName "node-2" -DurationInMinutes 5

DFS sync with one node:

dfsrdiag syncnow /partner:node-2 /RGName:college-Repl /Time:1

To find the DFS backlog:

dfsrdiag backlog /rgname:college-Repl /rfname:college /sendingmember:node-1 /receivingmember:node-2

DFS replication status:

dfsrdiag replicationstate
