11.23.2.2 Using a command-line interface

> repadmin /showconn [<DomainControllerName>]

11.23.2.3 Using VBScript

' This code lists the connection objects for a server
' SCRIPT CONFIGURATION
strServer = "<ServerName>" ' e.g. dc01
strSite = "<SiteName>" ' e.g. MySite1
' END CONFIGURATION

set objRootDSE = GetObject("LDAP://RootDSE")
set objNTDSCont = GetObject("LDAP://cn=NTDS Settings,cn=" & strServer & _
                            ",cn=servers,cn=" & strSite & ",cn=sites," & _
                            objRootDSE.Get("configurationNamingContext") )
objNTDSCont.Filter = Array("ntdsConnection")

WScript.Echo "Connection objects for " & strSite & "\" & strServer
for each objConn in objNTDSCont
   ' Bit 1 of options is set on connections generated by the KCC;
   ' testing only that bit keeps other option bits from being read as AUTO
   if (objConn.Get("options") And 1) = 0 then
      Wscript.Echo " " & objConn.Get("cn") & " (MANUAL)"
   else
      Wscript.Echo " " & objConn.Get("cn") & " (AUTO)"
   end if
next

Another option for programmatically getting the connection objects for a server is to use the GetDSAConnections method from the IADsTools interface.

11.23.3 Discussion

Connection objects are used to replicate inbound changes to a domain controller. By viewing the connection objects for a server you can see what domain controllers it receives updates from. Connection objects are created automatically by the KCC, but can be created manually if necessary.

11.23.4 See Also

Recipe 11.22 for creating a connection object

Recipe 11.24 Load-Balancing Connection Objects

11.24.1 Problem

You want to evenly distribute connection objects between bridgehead servers in a site.

11.24.2 Solution

11.24.2.1 Using a command-line interface

To see what changes the command would make, run it without the /commit option. To actually make the changes in Active Directory, use the /commit option:

> adlb /server:<DomainControllerName> -site:<SiteName> [/commit] [/verbose]

This command is available in the Windows Server 2003 Resource Kit.

11.24.3 Discussion

Bridgeheads can become overloaded or end up with too many connection objects in relation to other bridgeheads in the domain.
The Active Directory Load Balancing (ADLB) tool allows you to balance the load of connection objects among bridgehead servers within a site. The Windows Server 2003 algorithms are much better than those in Windows 2000 for load balancing connection objects across servers, but that process happens only when new connection objects are added. You can use the adlb tool to load balance the connection objects more efficiently at any time.

I recommend viewing the changes adlb would make first before using the /commit option. It is always good to do a sanity check to ensure adlb doesn't mess up your replication topology.

Recipe 11.25 Finding the ISTG for a Site

11.25.1 Problem

You want to find the Inter-Site Topology Generator (ISTG) for a site.

11.25.2 Solution

11.25.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. Click on the site you are interested in.
3. In the right pane, double-click on the NTDS Site Settings object.
4. The ISTG will be displayed under Inter-Site Topology Generator if one is present.

11.25.2.2 Using a command-line interface

> repadmin /istg <DomainControllerName>

This command is available only with the Windows Server 2003 version of repadmin.

11.25.2.3 Using VBScript

' This code finds the ISTG for the specified site.
' SCRIPT CONFIGURATION
strSiteName = "<SiteName>" ' e.g. Raleigh
' END CONFIGURATION

set objRootDSE = GetObject("LDAP://RootDSE")
set objSiteSettings = GetObject("LDAP://cn=NTDS Site Settings,cn=" & _
                                strSiteName & ",cn=sites," & _
                                objRootDSE.Get("ConfigurationNamingContext"))
' Get raises an error when the attribute is not set; continue so the
' empty-string test below can report that no ISTG was found
on error resume next
strISTGDN = objSiteSettings.Get("interSiteTopologyGenerator")
if (strISTGDN <> "") then
   set objNTDSSettings = GetObject("LDAP://" & strISTGDN)
   set objServer = GetObject( objNTDSSettings.Parent )
   WScript.Echo "ISTG for site " & strSiteName & " is " & _
                objServer.Get("dnsHostName")
else
   WScript.Echo "No ISTG found for site " & strSiteName
end if

11.25.3 Discussion

One domain controller in every site is picked as the ISTG for that site. While each domain controller is responsible for creating its own intra-site connection objects, the ISTG for a site is responsible for creating the inter-site connection objects for the bridgehead servers in the site.

The current ISTG for a site is stored in the interSiteTopologyGenerator attribute of the site's NTDS Site Settings object. The distinguished name of the ISTG's NTDS Settings object is stored in the interSiteTopologyGenerator attribute.

Disabling inter-site topology generation is synonymous with disabling the KCC for a site. See Recipe 11.29 for more information on disabling the KCC.

11.25.4 See Also

Recipe 11.26 for moving the ISTG, MS KB 224815 (The Role of the Inter-Site Topology Generator in Active Directory Replication), and MS KB 224599 (Determining the Inter-Site Topology Generator (ISTG) of a Site in the Active Directory)

Recipe 11.26 Transferring the ISTG to Another Server

11.26.1 Problem

You want to move the ISTG for a site to another domain controller. This happens automatically if you take the current ISTG offline, but you may want to transfer the role to a server that is more optimal in your environment.

11.26.2 Solution

11.26.2.1 Using a graphical user interface

1. Open ADSI Edit.
2. Connect to the Configuration Naming Context (CNC) if it is not already displayed in the left pane.
3. In the left pane, browse the Configuration NC → Sites.
4. Click on the site you want to transfer the ISTG for.
5. In the right pane, double-click CN=NTDS Site Settings.
6. Modify the interSiteTopologyGenerator attribute to contain the distinguished name of the NTDS Settings object of the domain controller you want to transfer the ISTG role to.
7. Click OK.

11.26.2.2 Using VBScript

' This code forces a new ISTG in a site.
' SCRIPT CONFIGURATION
' Name of site to transfer ISTG in
strSiteName = "<SiteName>" ' e.g. Raleigh
' Site the new ISTG server is in
strNewISTGSite = "<ISTGSiteName>" ' e.g. Raleigh
' Common name of server object for new ISTG
strNewISTGName = "<DomainControllerName>" ' e.g. dc01
' END CONFIGURATION

set objRootDSE = GetObject("LDAP://RootDSE")
set objSiteSettings = GetObject("LDAP://cn=NTDS Site Settings,cn=" & _
                                strSiteName & ",cn=sites," & _
                                objRootDSE.Get("ConfigurationNamingContext"))
strCurrentISTG = objSiteSettings.Get("interSiteTopologyGenerator")
objSiteSettings.Put "interSiteTopologyGenerator", _
                    "cn=NTDS Settings,cn=" & strNewISTGName & _
                    ",cn=servers,cn=" & strNewISTGSite & ",cn=sites," & _
                    objRootDSE.Get("ConfigurationNamingContext")
objSiteSettings.SetInfo
WScript.Echo "ISTG for " & strSiteName & " changed from:"
WScript.Echo " " & strCurrentISTG
WScript.Echo "To"
WScript.Echo " " & objSiteSettings.Get("interSiteTopologyGenerator")

11.26.3 Discussion

The current ISTG for a site is stored in the interSiteTopologyGenerator attribute of the site's NTDS Site Settings object. The distinguished name of the ISTG's NTDS Settings object is stored in that attribute.

Domain controllers communicate their presence as the ISTG by writing to the interSiteTopologyGenerator attribute at a set interval. If you want another domain controller to assume the role of the ISTG, you need to write the distinguished name of that domain controller's NTDS Settings object to the interSiteTopologyGenerator attribute of the NTDS Site Settings object for the site.
Two registry settings govern the ISTG registration process, both of which are stored under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters key. The interval (in minutes) in which the current ISTG should write to the interSiteTopologyGenerator attribute to inform the other DCs in the site that it is still the ISTG is stored in the KCC site generator renewal interval (minutes) value. The default is 30 minutes. The other value is named KCC site generator fail-over (minutes) and contains the time in minutes that each domain controller in the site should wait for the interSiteTopologyGenerator attribute to be written to before attempting to register itself as the ISTG. The default is 60 minutes.

11.26.4 See Also

MS KB 224815 (The Role of the Inter-Site Topology Generator in Active Directory Replication)

Recipe 11.27 Triggering the KCC

11.27.1 Problem

You want to trigger the KCC.

11.27.2 Solution

11.27.2.1 Using a graphical user interface

1. Open the Active Directory Sites and Services snap-in.
2. In the left pane, browse to the NTDS Settings object for the server you want to trigger the KCC for.
3. Right-click on NTDS Settings, select All Tasks, and Check Replication Topology.
4. Click OK.

11.27.2.2 Using a command-line interface

> repadmin /kcc <DomainControllerName>

11.27.2.3 Using VBScript

' This code triggers the KCC on a DC.
' SCRIPT CONFIGURATION
strDC = "<DomainControllerName>" ' e.g. dc01
' END CONFIGURATION

set objIadsTools = CreateObject("IADsTools.DCFunctions")
intRes = objIadsTools.TriggerKCC(Cstr(strDC),0)
if intRes = -1 then
   Wscript.Echo objIadsTools.LastErrorText
else
   Wscript.Echo "KCC successfully triggered"
end if

11.27.3 Discussion

The KCC runs every 15 minutes by default on all domain controllers to generate the intra-site topology connections. The KCC that runs on the server that is selected as the ISTG generates inter-site topology connections to other sites from the bridgehead servers in its site.
In some situations, such as when you create new site, siteLink, or subnet objects, you may want to run the KCC immediately so that any new connections between domain controllers get created.

11.27.4 See Also

Recipe 11.28 for determining if the KCC is completing successfully, iadstools.doc (installed with the Support Tools) for more information on IADsTools, and MS KB 224815 (The Role of the Inter-Site Topology Generator in Active Directory Replication)

Recipe 11.28 Determining if the KCC Is Completing Successfully

11.28.1 Problem

You want to determine if the KCC is completing successfully.

11.28.2 Solution

11.28.2.1 Using a graphical user interface

1. Open the Event Viewer of the target domain controller.
2. Click on the Directory Service log.
3. In the right pane, click on the Source heading to sort by that column.
4. Scroll down to view any events with Source: NTDS KCC.

11.28.2.2 Using a command-line interface

The following command will display any KCC errors found in the Directory Service log:

> dcdiag /v /test:kccevent /s:<DomainControllerName>

11.28.3 Discussion

The only way to debug issues with the KCC is by looking for NTDS KCC events in the Directory Service event log. If you suspect a problem or perhaps are seeing errors, you can increase the amount of logging in the event log by enabling diagnostics logging for the KCC. When the KCC diagnostics logging is enabled, each KCC exception logs a lot of information to the event log that may help you pinpoint the problem. See Recipe 15.2 for more information on enabling diagnostics logging.

Recipe 11.29 Disabling the KCC for a Site

11.29.1 Problem

You want to disable the KCC for a site and generate your own replication connections between domain controllers.

11.29.2 Solution

11.29.2.1 Using a graphical user interface

1. Open ADSI Edit.
2. Connect to the Configuration Naming Context if it is not already displayed.
3. In the left pane, browse the Configuration Naming Context → Sites.
4. Click on the site you want to disable the KCC for.
5. In the right pane, double-click CN=NTDS Site Settings.
6. Modify the options attribute. To disable only intra-site topology generation, enable the 00001 bit (decimal 1). To disable inter-site topology generation, enable the 10000 bit (decimal 16). To disable both, enable the 10001 bits (decimal 17).
7. Click OK.

11.29.2.2 Using a command-line interface

You can disable the KCC for <SiteName> by using the ldifde utility and an LDIF file that contains the following:

dn: cn=NTDS Site Settings,cn=<SiteName>,cn=sites,cn=configuration,<ForestRootDN>
changetype: modify
replace: options
options: <OptionsValue>
-

If the LDIF file were named disable_kcc.ldf, you would run the following command:

> ldifde -v -i -f disable_kcc.ldf

11.29.2.3 Using VBScript

' This code disables the KCC for a site.
' CalcBit is not defined in this listing; see Recipe 4.12 on setting bit flags.
' SCRIPT CONFIGURATION
strSiteName = "<SiteName>" ' e.g. Default-First-Site-Name
boolDisableIntra = TRUE ' set to TRUE/FALSE to disable/enable intra-site
boolDisableInter = TRUE ' set to TRUE/FALSE to disable/enable inter-site
' END CONFIGURATION

strAttr = "options"
set objRootDSE = GetObject("LDAP://RootDSE")
set objObject = GetObject("LDAP://cn=NTDS Site Settings,cn=" _
                          & strSiteName & ",cn=sites," & _
                          objRootDSE.Get("configurationNamingContext") )

' Intra-site flag (bit value 1)
intBitsOrig = objObject.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, 1, boolDisableIntra)
WScript.Echo "Checking the KCC Intra-site generation flag:"
if intBitsOrig <> intBitsCalc then
   objObject.Put strAttr, intBitsCalc
   objObject.SetInfo
   WScript.Echo " Changed " & strAttr & " from " & _
                intBitsOrig & " to " & intBitsCalc
else
   WScript.Echo " Did not need to change " & strAttr & _
                " (" & intBitsOrig & ")"
end if

' Inter-site flag (bit value 16); re-read the attribute so the first change is kept
intBitsOrig = objObject.Get(strAttr)
intBitsCalc = CalcBit(intBitsOrig, 16, boolDisableInter)
WScript.Echo "Checking the KCC Inter-site generation flag:"
if intBitsOrig <> intBitsCalc then
   objObject.Put strAttr, intBitsCalc
   objObject.SetInfo
   WScript.Echo " Changed " & strAttr & " from " & intBitsOrig & _
                " to " & intBitsCalc
else
   WScript.Echo " Did not need to change " & strAttr & " (" & _
                intBitsOrig & ")"
end if

11.29.3 Discussion

In some cases, you may want to disable the KCC from generating the intra-site topology connections, inter-site topology connections, or both. The connection objects the KCC dynamically creates determine how domain controllers replicate with each other. Disabling the KCC was sometimes necessary with Windows 2000 due to scalability issues with the KCC and very large topologies. In Windows Server 2003, the KCC has been greatly improved and, hopefully, you will not need to disable the KCC. I recommend against disabling the KCC unless you have really good reasons because you will have to pay close attention to any domain controller or site topology changes and manually adjust the connection objects accordingly.

Disabling the KCC can only be done at the site level. You have to modify the NTDS Site Settings object of the site for which you want to disable the KCC. The options attribute (a bit flag) on this object determines whether the KCC runs. If the 00001 bit is enabled, intra-site topology generation is disabled; if the 10000 bit is enabled (16 in decimal), inter-site topology generation is disabled. See Recipe 4.12 for more on the proper way to set bit flags.

11.29.4 See Also

Recipe 4.12 for more on setting bit flags, Recipe 11.22 for creating a connection object manually, MS KB 242780 (How to Disable the Knowledge Consistency Checker From Automatically Creating Replication Topology), and MS KB 245610 (HOW TO: Disable the Knowledge Consistency Checker Inter-Site Topology Generation for All Sites)

Recipe 11.30 Changing the Interval at Which the KCC Runs

11.30.1 Problem

You want to change the interval at which the KCC runs.

11.30.2 Solution

11.30.2.1 Using a graphical user interface

1. Run regedit.exe from the command line or Start → Run.
2. Expand HKEY_LOCAL_MACHINE → SYSTEM → CurrentControlSet → Services → NTDS → Parameters.
3. Right-click on Parameters and select New → DWORD Value.
4. Enter the following for the name: Repl topology update period (secs).
5. Double-click on the new value and under Value data enter the KCC interval in number of seconds (900 is the default).
6. Click OK.

11.30.2.2 Using a command-line interface

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Repl topology update period (secs)" /t REG_DWORD /d <NumSecs>

11.30.2.3 Using VBScript

' This code changes the interval in which the KCC runs.
' SCRIPT CONFIGURATION
intNumSecs = <NumSecs> ' Number of seconds between intervals
                       ' 900 is default
' END CONFIGURATION

strNetlogonReg = "SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
const HKLM = &H80000002
Set objReg = GetObject("winmgmts:root\default:StdRegProv")
objReg.SetDWORDValue HKLM, strNetlogonReg, _
                     "Repl topology update period (secs)", _
                     intNumSecs
WScript.Echo "KCC interval set to " & intNumSecs

11.30.3 Discussion

By default, the KCC checks its connections every 15 minutes and makes changes as necessary. You can modify this interval by simply modifying the registry. This was necessary with many Windows 2000 implementations that had large topologies. In that case, the KCC may have taken longer than 15 minutes to run or monopolized the CPU. Changing the KCC to run every hour instead of 15 minutes would help ensure it would complete. With Windows Server 2003, Microsoft made significant improvements to the scalability of the KCC and I recommend running the KCC at the default interval.

There is another related registry setting you should also be aware of. By default, the KCC waits 5 minutes after Active Directory starts up before it runs. You can change this delay by creating a REG_DWORD value called Repl topology update delay (secs) under the HKLM\System\CurrentControlSet\Services\NTDS\Parameters\ key.
The data for the value should be the number of seconds to wait after startup before the KCC starts. The default is 300, which is 5 minutes.

11.30.4 See Also

MS KB 271988 (Replication Topology Updates)
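
Recipe 11.29's LDIF uses replace: options, which overwrites the whole attribute, so <OptionsValue> should be computed from the site's current value rather than typed in as 1, 16 or 17. The following PowerShell is an added example, not code from the original text: it decodes the two KCC bits, finds sites where the KCC is disabled, and emits change records that clear only those bits. The function names, site names, options values and forest DN are all constructed for illustration.

```powershell
# Added example: function names and sample data are hypothetical. Bit values are from Recipe 11.29.
$KccIntraDisabled = 1     # 00001
$KccInterDisabled = 16    # 10000
$KccMask = $KccIntraDisabled -bor $KccInterDisabled

function Get-KccOptionState {
    # Decode an options value into the two KCC flags and whatever else is set.
    param([int]$Options)
    [pscustomobject]@{
        IntraSiteDisabled = [bool]($Options -band $KccIntraDisabled)
        InterSiteDisabled = [bool]($Options -band $KccInterDisabled)
        OtherBits         = $Options -band (-bnot $KccMask)
    }
}

function Get-KccOptionValue {
    # Set or clear only the two KCC bits; every other bit is carried over.
    param([int]$Options, [bool]$DisableIntra, [bool]$DisableInter)
    $value = $Options -band (-bnot $KccMask)
    if ($DisableIntra) { $value = $value -bor $KccIntraDisabled }
    if ($DisableInter) { $value = $value -bor $KccInterDisabled }
    $value
}

function New-KccOptionsLdif {
    # One ldifde change record in the format shown in Recipe 11.29.
    param([string]$SiteName, [string]$ForestRootDN, [int]$OptionsValue)
    @(
        "dn: cn=NTDS Site Settings,cn=$SiteName,cn=sites,cn=configuration,$ForestRootDN"
        'changetype: modify'
        'replace: options'
        "options: $OptionsValue"
        '-'
        ''
    ) -join "`r`n"
}

# Constructed sample input: options values as read from each site's NTDS Site Settings.
$forestRootDN = 'dc=example,dc=com'
$sites = @(
    [pscustomobject]@{ Name = 'Raleigh'; Options = 0 }
    [pscustomobject]@{ Name = 'Branch1'; Options = 17 }
    [pscustomobject]@{ Name = 'Branch2'; Options = 20 }   # inter-site bit plus unrelated bit 4
)
# Report the current KCC state of every site.
foreach ($site in $sites) {
    $state = Get-KccOptionState -Options $site.Options
    '{0}: options={1} intra-disabled={2} inter-disabled={3} other-bits={4}' -f $site.Name, $site.Options, $state.IntraSiteDisabled, $state.InterSiteDisabled, $state.OtherBits
}
# Emit a change record for each site where a KCC flag is set, re-enabling both.
foreach ($site in $sites) {
    $target = Get-KccOptionValue -Options $site.Options -DisableIntra $false -DisableInter $false
    if ($target -ne $site.Options) { New-KccOptionsLdif -SiteName $site.Name -ForestRootDN $forestRootDN -OptionsValue $target }
}
```

Review the emitted records before importing them with ldifde as shown in Recipe 11.29; passing $true for either switch produces the records that disable the corresponding topology generation instead.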