Forcing a replication sounds like fixing a problem that shouldn't be there... But let's give it a try. Maybe we can find another way of solving your problem.

First of all, you want to be in charge of the decision of choosing the DC on which the computer account is created. This can be done by using netdom v2. This tool contains a join command that you can use to create a computer account on any specified DC. It uses the NetJoinDomain API, which is used in conjunction with multiple-master replication on Windows 2000 DCs, to create security principals on any DC. When you create the computer account on a DC in the same site as the client workstation for which the account is created, you reduce or eliminate replication latency delays that might prevent users from logging on to the domain immediately.

Then, you want to be in charge of the decision of choosing the DC the newly created computer account will contact when logging on. The server on which the account is created seems to be different from the server that is contacted the first time. The first time a machine boots it will contact a random DC by querying DNS for a DC that hosts its domain. No site-specific information is contained in this query because the client doesn't know (yet) what site it is in. So a "random" DC is returned from DNS. I'm wondering what will happen if this DC has not received the newly created computer account yet. However, you can force a client to start looking in a specific site by telling it which site it belongs to (defining the parameter dynamicsite or something like that in the registry of the client).

Using netdom to force an account to be created on a specific DC and "prompting" the sitename to the client might help in your case. It might not work for mobile clients, but it could reduce your problem.

Cheers!
John

-----Original Message-----
From: FDiskThePC [mailto:[EMAIL PROTECTED]
Sent: Wednesday 5 November 2003 5:16
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Forcing Replication from a Source DC

Thanks for your lengthy response, Joe. I appreciate it. I actually knew that all AD replication was pull replication.
But replmon does have a "push mode" which basically sends out a change notification to the DC's partners so that they will immediately come pull its changes. What's cool is that unless you disable transitive replication with "push mode", the direct partners of the original DC will in turn send out change notifications to their partners as well. In essence, all DCs get the change from the source DC. And this is exactly what I want to do, but using something other than replmon.

Why do I need to force replication like this? Good question. I wish I knew, and I've hit the list on this before, but didn't get many responses. Basically we'll add a computer to the domain and upon reboot, get the classic "the computer account in its primary domain is missing". I know it sounds like the computer account isn't being created on a DC in the local site, but a few times I verified that it is. Sync'ing the domain like I describe immediately fixes the problem. It sounds like I may want to call MS PSS if other folks have not seen this issue.

-Rick

--- Joe <[EMAIL PROTECTED]> wrote:
> Right off the bat.... (am I saying that too much lately)?
>
> Ah who cares, right off the bat, you will not push changes. Windows doesn't use push replication. All Windows Replication is pull based whether it is WINS or AD or whatever. The DC who wants the changes pulls the changes from the other DC. When you look at connection agreements between DCs, the connection agreement is a subobject of the DC that will do the pulling and is pointing at the DC it will pull from. Additionally there has to be a direct connection defined between the DCs you want replication to occur through, you won't simply push it to some replica there isn't a connection to.
>
> There is a single thread on every DC that will go out to its connection partners and PULL the changes from them. On the sending side there are 25 threads by default that the pulling DC can connect to and pull from.
> How do you know what to type to get a DC to PULL from one of its partners?
>
> Ex:
>
> C:\>repadmin /showreps fntxx101
> BXXXX\FNTXX101
> DSA Options : (none)
> objectGuid : 99765f71-4dad-496f-a996-a5d0af0232c6
> invocationID: 69a2f2fc-c3c2-412b-81bf-2f8d12abf436
>
> ==== INBOUND NEIGHBORS ======================================
>
> DC=xxx,DC=xxx,DC=com
>     A-NADC\FMCXX104 via RPC
>         objectGuid: d01e1848-e701-41ed-b7df-abdea09475ba
>         Last attempt @ 2003-11-04 18:38.56 was successful.
>
> CN=Schema,CN=Configuration,DC=xxx,DC=com
>     A-NADC\FMCXX104 via RPC
>         objectGuid: d01e1848-e701-41ed-b7df-abdea09475ba
>         Last attempt @ 2003-11-04 18:38.55 was successful.
>
> CN=Configuration,DC=xxx,DC=com
>     A-NADC\FMCXX104 via RPC
>         objectGuid: d01e1848-e701-41ed-b7df-abdea09475ba
>         Last attempt @ 2003-11-04 18:38.54 was successful.
>
> ==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
>
> Doing that repadmin I know that my DC fntxx101 has a pull replication connection object with fmcxx104. Note there is NO GUARANTEE that there is a reciprocal connection object on fmcxx104 but there PROBABLY is.
>
> I now know that if I want to sync fntxx101 with fmcxx104's current state for the default partition I would type
>
> repadmin /sync dc=xxx,dc=xxx,dc=com fntxx101 d01e1848-e701-41ed-b7df-abdea09475ba /force
>
> I took the partition name from the repadmin for the <Naming Context> parameter.
> I took the server name that is pulling as the <Dest DSA>
> I took the objectguid of the server I want to pull from as the <Source DSA UUID>
>
> Assuming I have a matching agreement going the other way I could use
>
> repadmin /sync dc=xxx,dc=xxx,dc=com fmcxx104 99765f71-4dad-496f-a996-a5d0af0232c6 /force
>
> If the connection object is missing between two servers you will get the error message
>
> DsReplicaSync failed with status 8452 (0x2104):
> The naming context is in the process of being removed or is not replicated from the specified server.
> If you want to pull from all partners for a specific context, use syncall
>
> repadmin /syncall DomainControllerName dc=domain,dc=com
>
> If you want all partitions from all direct connected partners you would do
>
> repadmin /syncall DomainControllerName
>
> I am curious about the undocumented command you mention. That is interesting, I will dig into it when I get time as the implications are rather large as it would have to force replications through the entire domain and possibly forest if it was a GC.
>
> Hope this helps.
>
> May I ask why you need to force replication like this? It is so ungodly rare that we have to force replication that I am not even sure if my team other than myself even knows how to do it through repadmin like this.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of FDiskThePC
> Sent: Tuesday, November 04, 2003 12:36 PM
> To: [EMAIL PROTECTED]
>
> Okay, guys, I've done quite a bit of research here, but I need some help. I don't know about you guys, but I find it frustrating that AD has been out for over three years and so much of this stuff is still undocumented! Argh!
>
> First problem was delegating the right for remote admins to synchronize the domain. For those out there that may still be searching, you need to delegate the "Replication Synchronization" right to your Domain Naming Context (NC) and any other NCs (Schema, Config, etc.) that you may have. Note that if you do not delegate this right to every NC, AD Sites & Services will still fail because a "Replicate Now" tries to sync every NC behind the scenes - there is no way with this tool to sync a particular NC. Note that ADSIEdit will probably be needed to make the delegation.
>
> Okay, second problem that I still need an answer to.
>
> I need a way to force replication from one source DC to all my other DCs. Ah!
> Use replmon you say choosing "Push Mode" and "Cross Site Boundaries". That works great, actually, but not for my remote admins. Come to find out, replmon doesn't work unless the remote admin is also given the "Replicating Directory Changes" and "Manage Replication Topology" permission. And I am not about to do that.
>
> I've also looked at repadmin. It appears that some changes have been made to this command in W2K3, but I'd like to do this in a W2K setting. Unfortunately, the W2K tool requires that you use actual GUIDs, but the more important thing is that I can't figure out how to push changes rather than pull! I did come across one undocumented switch with repadmin. Using repadmin /p /e /d server1.company.com forces server1 to pull any and all
> === message truncated ===

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
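As an added example (not part of the thread, and not repadmin's own code), a small Python parser for the `repadmin /showreps` text quoted above that applies Joe's recipe: take the naming context, the pulling DSA and the source objectGuid from the INBOUND NEIGHBORS section and emit the matching `repadmin /sync ... /force` lines, while flagging inbound links whose last attempt failed so they can be looked at before a sync is forced. The sample output is constructed from the thread's placeholder names and GUIDs; the failed attempt line and its result code are invented for the example.

```python
import re
# Constructed sample modelled on the showreps output quoted above; the failed line is made up.
SAMPLE_SHOWREPS = """\
BXXXX\\FNTXX101
objectGuid : 99765f71-4dad-496f-a996-a5d0af0232c6
==== INBOUND NEIGHBORS ======================================

DC=xxx,DC=xxx,DC=com
    A-NADC\\FMCXX104 via RPC
        objectGuid: d01e1848-e701-41ed-b7df-abdea09475ba
        Last attempt @ 2003-11-04 18:38.56 was successful.

CN=Configuration,DC=xxx,DC=com
    A-NADC\\FMCXX104 via RPC
        objectGuid: d01e1848-e701-41ed-b7df-abdea09475ba
        Last attempt @ 2003-11-04 18:40.02 failed, result 8453 (0x2105):
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
"""
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def parse_inbound(text):
    """Map each naming context to its inbound partners as (partner, objectGuid, last_attempt_ok)."""
    inbound, active, nc, partner, guid = {}, False, None, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("==== INBOUND"):
            active = True
        elif s.startswith("==== OUTBOUND"):
            break
        elif not active or not s:
            continue                             # header lines before INBOUND are skipped
        elif s.startswith(("DC=", "CN=")):       # naming context header
            nc = s
            inbound.setdefault(nc, [])
        elif " via " in s:                       # "SITE\DSA via RPC"
            partner = s.split(" via ")[0]
        elif s.lower().startswith("objectguid"):
            guid = GUID_RE.search(s).group(0)
        elif s.startswith("Last attempt"):
            inbound[nc].append((partner, guid, "was successful" in s))
    return inbound

def sync_commands(dest_dsa, text):
    """One line per NC, as Joe builds it: repadmin /sync <NC> <Dest DSA> <Source DSA UUID> /force."""
    return [f"repadmin /sync {nc} {dest_dsa} {guid} /force"
            for nc, partners in parse_inbound(text).items() for _p, guid, _ok in partners]

def failed_partners(text):
    """Inbound links whose last pull failed; check these before forcing a sync."""
    return [(nc, p) for nc, partners in parse_inbound(text).items() for p, _g, ok in partners if not ok]
```

Run against saved output of `repadmin /showreps <dc>` on the DC that should do the pulling; the emitted lines are the ones to review, not to run blindly.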
