Sanjo900@yahoo.com
What is LDAP?
LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths are used to access AD objects and include the following:
o Distinguished names
o Relative distinguished names
Distinguished name: gives the complete path of the object, e.g. CN=Sanjo Thomas,OU=India,DC=Microsoft,DC=com
Relative distinguished name: the portion of the distinguished name that uniquely identifies the object, e.g. CN=Sanjo Thomas or OU=India
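As an added illustration (not part of the original notes), a small parser that splits a DN into its RDNs, returns the leading RDN and the parent container, and copes with a backslash-escaped comma inside a value, which a plain split on commas would break on. The DN values are the ones from the text above.

```python
"""Split an LDAP distinguished name into its relative distinguished names.

Added example, not from the original notes. Handles the string form the
notes use (CN=...,OU=...,DC=...) and a backslash-escaped comma inside a
value, which a plain split(",") would break on.
"""
from typing import List, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Return [(attribute, value), ...] ordered from the object to the root.

    A backslash escapes the next character, so "CN=Thomas\\, Sanjo" is one
    RDN, not two; the escape is kept so the pieces can be re-joined as-is.
    """
    pieces, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(ch)
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            pieces.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    pieces.append("".join(current))

    rdns = []
    for piece in pieces:
        attr, sep, value = piece.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed RDN: {piece!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def rdn(dn: str) -> str:
    """The relative distinguished name: the first component, e.g. CN=Sanjo Thomas."""
    attr, value = split_dn(dn)[0]
    return f"{attr}={value}"


def parent_dn(dn: str) -> str:
    """The container holding the object: everything after the first RDN."""
    return ",".join(f"{a}={v}" for a, v in split_dn(dn)[1:])


def domain_from_dn(dn: str) -> str:
    """Join the DC= components into the DNS-style domain name."""
    return ".".join(v for a, v in split_dn(dn) if a.upper() == "DC")


if __name__ == "__main__":
    example = "CN=Sanjo Thomas,OU=India,DC=Microsoft,DC=com"
    print(rdn(example))             # CN=Sanjo Thomas
    print(parent_dn(example))       # OU=India,DC=Microsoft,DC=com
    print(domain_from_dn(example))  # Microsoft.com
```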
A forest consists of multiple domain trees. The domain trees in a forest do not form a contiguous namespace but share a common schema and GC. The forest root domain is the first domain created in the forest. The root domains of all domain trees in the forest establish transitive trust relationships with the forest root domain. This is necessary for the purposes of establishing trust across all the domain trees in the forest. All of the Windows 2000 domains in all of the domain trees in a forest share the following traits:
o Transitive trust relationships between the domains
o Transitive trust relationships between the domain trees
o A common schema
o Common configuration information
o A common global catalog
Using both domain trees and forests provides you with the flexibility of both contiguous and noncontiguous naming conventions. This can be useful in, for example, companies with independent divisions that must each maintain their own DNS names.
When a user logs on to the network, the global catalog provides universal group membership information for the account sending the logon request to the domain controller. If there is only one domain controller in the domain, the domain controller and the global catalog are the same server. If there are multiple domain controllers in the network, the global catalog is hosted on the domain controller configured as such. If a global catalog is not available when a user initiates a network logon process, the user is only able to log on to the local computer. If the user is a member of the Domain Admins group, they are able to log on to the network even when a global catalog is not available. The global catalog is designed to respond to queries about objects anywhere in the forest with maximum speed and minimum network traffic. Because a single global catalog contains information about objects in all domains in the forest, a query about an object can be resolved by a global catalog in the domain in which the query is initiated.
Using nslookup:
>nslookup
>ls -t SRV domain
If the SRV records are properly created, they will be listed.
2. Verifying SYSVOL
If the SYSVOL folder is not properly created, data stored in SYSVOL such as scripts, GPOs, etc. will not be replicated between DCs. First verify that the following folder structure is created in SYSVOL:
Domain
Staging
Staging areas
Sysvol
Then verify that the necessary shares are created:
>net share
It should show two shares, NETLOGON and SYSVOL.
3. Verifying database and log files
Make sure that the following files are present in %systemroot%\ntds: Ntds.dit, Edb.*, Res*.log
Schema Master
The schema master is responsible for performing updates to the directory schema. This DC is the only one that can process updates to the directory schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per directory.
Domain Naming Master
The domain naming master is responsible for making changes to the forest-wide domain namespace of the directory. This DC is the only one that can add or remove a domain from the directory.
RID Master
The RID master is responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move. When a DC creates a security principal object such as a user or group, it attaches a unique SID to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain.
Each Windows 2000 DC in a domain is allocated a pool of RIDs that can be assigned to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. There is one RID master per domain in a directory.
PDC Emulator FSMO Role
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000 includes the W32Time (Windows Time) service, which is required by the Kerberos authentication protocol. All Windows 2000-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, so that a common time is used appropriately. The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their inbound time partner.
In a Windows 2000 domain, the PDC emulator role holder retains the following functions:
o Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
o Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
o Account lockout is processed on the PDC emulator.
Note that the PDC emulator role becomes unnecessary as down-level workstations, member servers, and domain controllers are all upgraded to Windows 2000, in which case the following applies:
o Windows 2000 clients (workstations and member servers) and down-level clients that have installed the distributed services client package do not perform directory writes (such as password changes) preferentially at the DC that has advertised itself as the PDC; they use any DC for the domain.
o Once backup domain controllers (BDCs) in down-level domains are upgraded to Windows 2000, the PDC emulator receives no down-level replica requests.
o Windows 2000 clients (workstations and member servers) and down-level clients that have installed the distributed services client package use Active Directory to locate network resources. They do not require the Windows NT Browser service.
Infrastructure FSMO Role
When an object in one domain is referenced by an object in another domain, the reference is represented by the GUID, the SID (for references to security principals), and the DN of the referenced object. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.
NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server.
Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are:
o Single domain forest: In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain.
o Multidomain forest where every domain controller holds the global catalog: If every domain controller in the domain also hosts the global catalog, then there are no phantoms or work for the infrastructure master to do. The infrastructure master may be placed on any domain controller in the domain.
At the forest level, the schema master and domain naming master roles should be placed on the same domain controller, as they are rarely used and should be tightly controlled. Additionally, the domain naming master FSMO should also be a global catalog server.
When you audit Active Directory events, Windows 2000 writes an event to the Security log on the domain controller. If a user tries to log on to the domain using a domain user account and the logon attempt is unsuccessful, the event is recorded on the DC and not on the computer on which the logon attempt was made, because it is the domain controller that tried to authenticate the logon attempt.
How to Configure an Audit Policy Setting for a Domain Controller
Auditing is turned off by default. To audit all DCs, enable auditing on the Domain Controllers OU. To configure an audit policy setting for a domain controller, follow these steps:
1. Start Active Directory Users and Computers.
2. Click Advanced Features on the View menu.
3. Right-click Domain Controllers, and then click Properties.
4. Click the Group Policy tab, click Default Domain Controller Policy, and then click Edit.
5. Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
6. In the right pane, right-click Audit Directory Services Access, and then click Security.
7. Click Define These Policy Settings, and then select one or both of the following check boxes:
o Success: audits successful attempts for the event category.
o Failure: audits failed attempts for the event category.
8. Right-click any other event category that you want to audit, and then click Security. Click OK.
How to Configure Auditing for Specific Active Directory Objects
You can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access you want to audit. To configure auditing for specific Active Directory objects, follow these steps:
1. Open Active Directory Users and Computers.
2. Select Advanced Features on the View menu.
3. Right-click the Active Directory object that you want to audit, and then click Properties.
4. Click the Security tab, and then click Advanced.
5. Click the Auditing tab, and then click Add.
6. Enter the name of either the user or the group whose access you want to audit.
The Printers container that you created appears in the list of directory objects.
13. On the View menu, click Advanced Features.
14. On the View menu, click Users, Groups, and Computers as containers.
15. Move the printers that you want to the Printers container.
16. Quit Active Directory Users and Computers.
Note: This procedure requires that printers are published in Active Directory.
How to replace the current primary DNS Server with a new Primary DNS Server in Windows 2000
When an existing DNS domain structure is in place, it may be necessary to replace the current primary DNS server with a new Windows 2000 DNS server. First install DNS on the new Windows 2000 server, then transfer the records.
Transfer Records from the Current DNS Server
1. Open the DNS MMC and double-click W2K-DNS (the server name) to expand it.
2. Right-click Forward Lookup Zones, click New Zone to start the wizard, and then click Next.
3. Click Standard Secondary for the zone type, click Next, type the zone name (e.g. "microsoft.edu"), and then click Next.
4. Type the IP address of the current primary DNS server (in this example, 192.168.0.2), click Add, click Next, and then click Finish.
5. Right-click Reverse Lookup Zones, click New Zone to start the wizard, click Next, click Standard Secondary for the zone type, and then click Next.
6. In the Network ID box, type 192.168.0, and then click Next.
7. Type the IP address of the current primary DNS server (in this example, 192.168.0.2), click Add, click Next, and then click Finish.
Change the Role of a DNS Server to Primary Server
After all of the records have been transferred, you must remove the old DNS server from the network and set the new DNS server as the primary DNS server. To set the DNS server as the primary DNS server:
1. Open the DNS MMC and double-click W2K-DNS (the server name) to expand it.
2. Double-click Forward Lookup Zones, right-click the Microsoft.edu zone, and then click Properties.
3. Click the General tab, click Change under Type, and then click either Standard Primary or Active Directory Integrated as the new type, depending on whether or not this computer is a domain controller (DC). Click OK.
4. Change the setting under Allow Dynamic Updates to Yes if this server is for a Windows 2000 domain.
The server is now set as a primary DNS server for the DNS domain space. It may be necessary to change the IP address of the new server to match the IP address that the old DNS server used, so that clients and secondary servers do not have to be reconfigured to point to a new IP address for the primary DNS server.
To set the Aging feature on an individual zone:
1. Right-click the zone, and then click Properties.
2. Click Aging.
3. Click to select the Scavenge Stale Resource Records check box, and then set the interval that you want the Aging feature to use.
If the Aging feature is not enabled at the server level and you attempt to enable it at the zone level, it does not work. After you select the appropriate aging periods and enable the Scavenging feature on the server, outdated records are scavenged. Additionally, you can start scavenging manually: right-click the server name in the left pane, click Scavenge Stale Resource Records, and then click Yes when asked whether you want to scavenge.
How to move Windows 2000 DNS Zones to Another Windows 2000-based Server
To move zone files from one server to another, follow these steps:
The host's "A" record is registered in DNS after you choose not to register the connection's address.
In Windows 2000, if you clear the Register this connection's address in DNS check box under Advanced TCP/IP Settings for a network interface, the server may still register an A record for the host name, with that interface's IP address, in its primary DNS suffix zone. For example, this behavior may occur with the following configuration:
o The DNS service is installed on the server.
o The DNS server zone is example.com, and the example.com zone can be updated dynamically.
o The server host name is Server1.example.com, and Server1 has two network adapters with the IP addresses 10.1.1.1 and 10.2.2.2.
If you clear the Register this connection's address in DNS check box on the network adapter that has the IP address 10.2.2.2 and then delete the host record Server1.example.com 10.2.2.2, that host record is dynamically added back to the zone later. The unwanted registration of this record can be reproduced by restarting the DNS service on the server.
This is because, when the DNS service is installed on a computer that is running Windows 2000, it listens on all of the network interfaces that are configured with TCP/IP. When DNS causes an interface to listen for DNS queries, the interface tries to register the host A record in the zone that matches its primary DNS suffix, regardless of the settings configured in the TCP/IP properties. This behavior is by design and can take place under the following circumstances:
o The DNS service is installed on the server whose configuration you are trying to change.
o The DNS zone that matches the primary DNS suffix of the server is enabled for dynamic updates.
To resolve this, remove the interface from the list of interfaces that the DNS server listens on. To do so, follow these steps:
1. Start the DNS Management Microsoft Management Console (MMC).
2. Right-click the DNS server, and then click Properties.
3. Click the Interfaces tab.
4. Under Listen on, click to select the Only the following IP addresses check box.
5. Type the IP addresses that you want the server to listen on. Include only the IP addresses of the interfaces for which you want a host A record registered in DNS.
6. Click OK, and then quit the DNS Management MMC.
Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops
The client computer does not send dynamic Domain Name System (DNS) updates to the DNS server even though the Register this connection's address in DNS option is selected. You receive the following error when forcing DNS registration:
IPCONFIG /REGISTERDNS
Windows 2000 IP Configuration
Error: The system cannot find the file specified. : Refreshing DNS names
This is because dynamic DNS registration relies on the DHCP Client service to perform dynamic updates. When you disable the DHCP Client service or set it to start manually, dynamic DNS updates cannot occur. Even if the computer has a static IP address, the DHCP Client service must be running for dynamic DNS updates to occur. To resolve this issue, configure the DHCP Client service to start automatically when the computer starts.
2. Deletion of any unnecessary log files.
3. The process launches a defragmentation thread to reclaim additional free space.
There are two ways to defragment the Active Directory database in Windows 2000:
Online defragmentation: runs as part of the garbage collection process. The only advantage of this method is that the server does not need to be taken offline for it to run. However, this method does not shrink the Active Directory database file (Ntds.dit).
Offline defragmentation: done by taking the server offline and using Ntdsutil.exe to defragment the database. This approach requires that the ADS database be started in repair mode. The advantage of this method is that the database is resized, unused space is removed, and the new size is reflected by the Ntds.dit file.
How will you remove DC Server Object (In ADS Sites and Services) which is not removed After Demotion?
After demoting a DC, the object that represents the server in the Active Directory Sites and Services Manager snap-in remains. This issue occurs because the server object is a "container" in the Active Directory and may hold child objects that represent configuration data for other services installed on your computer. Because of this, the Dcpromo utility does not automatically remove the server object.
If the server object contains any child objects named "NTDS Settings," these are objects that represent the server as a DC and should be automatically removed by the demotion process. If this does not work, these objects must be removed by using the Ntdsutil utility before you delete the server object.
After verifying that all other services with a dependency on the server object have been removed, an administrator can delete the server in Active Directory Sites and Services Manager. NOTE: This process may not finish successfully for either of the following reasons: If you receive a message that states the server is a container that contains other objects, verify that the appropriate decommissioning of services has completed before continuing.
The PDC operations master at the root of the forest becomes authoritative for the organization. This PDC can be configured to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative by using the following net time command:
net time /setsntp:server_list
To reset the local computer's time against the authoritative time server for the domain:
net time /domain:domain_name /set
net stop w32time
w32tm -once
net start w32time
SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers. Administrators can also configure an internal time server as authoritative by using the net time command. If the administrator directs the command to the operations master, it may be necessary to reboot the server for the changes to take effect.
1. Determine the DC that holds the Domain Naming Master FSMO role.
2. Verify that all servers for the specified domain have been demoted.
3. At the command prompt:
ntdsutil
metadata cleanup
connections
connect to server servername
(servername is the name of the DC holding the Domain Naming Master FSMO role.) If an error occurs, verify that the DC being used in the connection is available and that the credentials you supplied have administrative permissions on the server.
quit
The Metadata Cleanup menu is displayed.
select operation target
list domains
A list of domains in the forest is displayed, each with an associated number.
select domain number
(number is the number associated with the domain to be removed.)
quit
The Metadata Cleanup menu is displayed.
remove selected domain
You should receive confirmation that the removal was successful.
quit
You should receive confirmation that the connection disconnected successfully.
SRV Records Missing After Implementing Active Directory and Domain Name System
When you implement Active Directory and Domain Name System (DNS), SRV records may be missing in the DNS Management console or database. This behavior occurs when the following conditions exist:
o The DNS server is configured as a Dynamic Host Configuration Protocol (DHCP) client.
o The DNS zone has a name other than your Active Directory domain name.
o The zone is not enabled to allow dynamic updates.
To resolve this issue, verify that all of the following conditions exist:
o Configure your DNS server to use a static Internet Protocol (IP) address.
o Create a forward lookup zone named after your Active Directory domain.
If all of these conditions exist and you still do not see your SRV records, stop and start the Netlogon service. This action forces the DC to re-register the appropriate SRV records. Running netdiag /fix on the DC verifies that all SRV records in the Netlogon.dns file are registered on the primary DNS server.
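As an added example (not from the original notes and not the netdiag tool), the check below does in Python what the text describes: it reads the SRV lines from Netlogon.dns and reports those that the DNS server does not answer with identical data. Both the Netlogon.dns text and the DNS server's current records are constructed inline using the microsoft.edu zone, the w2k-dns server name and the 192.168.0.2 address from these notes; in practice the second set would come from querying the primary DNS server.

```python
"""Verify that the SRV records a DC writes to Netlogon.dns are published in DNS.

Added example, not from the original notes and not Microsoft's netdiag. Both
the Netlogon.dns text and the records the DNS server currently answers with
are constructed inline in zone-file syntax; in practice the second set would
come from querying the primary DNS server.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed Netlogon.dns as a DC for microsoft.edu would write it.
NETLOGON_DNS = """\
microsoft.edu. 600 IN A 192.168.0.2
_ldap._tcp.microsoft.edu. 600 IN SRV 0 100 389 w2k-dns.microsoft.edu.
_ldap._tcp.dc._msdcs.microsoft.edu. 600 IN SRV 0 100 389 w2k-dns.microsoft.edu.
_ldap._tcp.pdc._msdcs.microsoft.edu. 600 IN SRV 0 100 389 w2k-dns.microsoft.edu.
_ldap._tcp.gc._msdcs.microsoft.edu. 600 IN SRV 0 100 3268 w2k-dns.microsoft.edu.
_kerberos._tcp.microsoft.edu. 600 IN SRV 0 100 88 w2k-dns.microsoft.edu.
_kerberos._udp.microsoft.edu. 600 IN SRV 0 100 88 w2k-dns.microsoft.edu.
_kpasswd._tcp.microsoft.edu. 600 IN SRV 0 100 464 w2k-dns.microsoft.edu.
"""

# Constructed: what the primary DNS server answers today. Two records never
# made it into the zone (the GC record and kpasswd) and the PDC record still
# points at a stale target.
DNS_SERVER_HAS = """\
microsoft.edu. 600 IN A 192.168.0.2
_ldap._tcp.microsoft.edu. 600 IN SRV 0 100 389 w2k-dns.microsoft.edu.
_ldap._tcp.dc._msdcs.microsoft.edu. 600 IN SRV 0 100 389 w2k-dns.microsoft.edu.
_ldap._tcp.pdc._msdcs.microsoft.edu. 600 IN SRV 0 100 389 old-dc.microsoft.edu.
_kerberos._tcp.microsoft.edu. 600 IN SRV 0 100 88 w2k-dns.microsoft.edu.
_kerberos._udp.microsoft.edu. 600 IN SRV 0 100 88 w2k-dns.microsoft.edu.
"""

SrvData = Tuple[int, int, int, str]   # (priority, weight, port, target)


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str

    @property
    def data(self) -> SrvData:
        return (self.priority, self.weight, self.port, self.target)


def parse_srv_records(zone_text: str) -> List[SrvRecord]:
    """Pick the SRV lines out of zone-file text: name ttl IN SRV prio weight port target."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[0].startswith(";") or fields[3].upper() != "SRV":
            continue   # blank, comment, or a non-SRV record such as the A record
        name = fields[0].lower()
        prio, weight, port = (int(f) for f in fields[4:7])
        records.append(SrvRecord(name, prio, weight, port, fields[7].lower()))
    return records


def index_by_name(records: List[SrvRecord]) -> Dict[str, Set[SrvData]]:
    published: Dict[str, Set[SrvData]] = {}
    for r in records:
        published.setdefault(r.name, set()).add(r.data)
    return published


def missing_srv_records(netlogon_text: str, dns_text: str) -> List[SrvRecord]:
    """Records in Netlogon.dns that DNS does not answer with identical rdata.

    A name that resolves but with a different priority/weight/port/target
    counts as missing: clients would be sent to the wrong host.
    """
    published = index_by_name(parse_srv_records(dns_text))
    return [r for r in parse_srv_records(netlogon_text)
            if r.data not in published.get(r.name, set())]


if __name__ == "__main__":
    for r in missing_srv_records(NETLOGON_DNS, DNS_SERVER_HAS):
        print(f"missing or wrong: {r.name} -> {r.target}:{r.port}")
```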
If the DC holding the ISTG role is offline for more than 60 minutes, another DC in the site will automatically take over this role.
Temporary loss of the schema operations master will be visible only if you are trying to modify the schema or install an application that modifies the schema during installation. A DC whose schema master role has been seized must never be brought back online.
To seize the schema master role:
1. Click Start, click Run, and then type cmd.
2. At the command prompt, type ntdsutil.
3. At the ntdsutil prompt, type roles.
4. At the fsmo maintenance prompt, type connections.
5. At the server connections prompt, type connect to server, followed by the fully qualified domain name.
6. At the server connections prompt, type quit.
From a different perspective, Active Directory has three types of data:
Schema information: definitional details about the objects and attributes that one can store in AD. Replicates to all DCs. Static in nature.
Configuration information: configuration data about forests and trees. Replicates to all DCs. As static as your forest is.
Domain information: object information for a domain. Replicates to all DCs within a domain. The object portion becomes part of the GC; the attribute values replicate only within the domain.
2. EDB.LOG: the transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnn.log, where nnnn is an increasing number starting from 1.
3. EDB.CHK: the checkpoint file used to track the data not yet written to the database file. It indicates the starting point from which data is to be recovered from the log file in case of failure.
4. Res1.log and Res2.log: reserved transaction log files of 20 MB in total (10 MB each), which give the transaction log enough room to shut down if the other space is in use.
Explain GC?
By default, a GC is created automatically on the first DC in the forest. It stores a full replica of all objects in the directory for its host domain and a partial replica of all objects of every other domain in the forest. The replica is partial because it stores only some attributes for each object. The GC performs two key directory roles:
o It enables network logon by providing universal group membership information to a DC when a logon process is initiated.
o It enables finding directory information regardless of which domain in the forest actually contains the data.
When a user logs on to the network, the GC provides universal group membership information for the account sending the logon request to the DC. If a GC is not available, the user is only able to log on to the local computer unless he is in the Domain Admins group. The GC is designed to respond to queries about objects with maximum speed and minimum network traffic. Because a single GC contains information about objects in all domains in the forest, a query about an object can be resolved by a GC in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries. Active Directory defines a base set of attributes for each object in the directory. Each object and some of its attributes (such as universal group memberships) are stored in the GC. Using Active Directory Schema, you can specify additional attributes to be kept in the GC.
There can be only one schema master and one domain naming master for the entire forest.
Schema master: the schema master DC controls all updates and modifications to the schema.
Domain naming master: the domain naming master DC controls the addition or removal of domains in the forest.
DOMAIN-WIDE OPERATIONS MASTER ROLES
Every domain in the forest must have the following roles:
o Relative ID master
o Primary DC (PDC) emulator
o Infrastructure master
Each domain in the forest can have only one RID master, PDC emulator, and infrastructure master.
Relative ID master: the RID master allocates a pool of relative IDs to each DC in its domain. Whenever a DC creates a user, group, or computer object, it assigns a unique security ID to that object. The security ID consists of a domain security ID (that is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain. To move an object between domains (using Movetree.exe), you must initiate the move on the DC acting as the relative ID master of the domain that currently contains the object.
PDC emulator: for pre-W2K clients, the PDC emulator acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs. In native mode, the PDC emulator receives preferential replication of password changes performed by other DCs in the domain. If a password was recently changed, that change takes time to replicate to every DC in the domain. If a logon authentication fails at another DC due to a bad password, that DC will forward the authentication request to the PDC emulator before rejecting the logon attempt.
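The relative ID master description above and the RID master text earlier in these notes describe the same mechanism; the following is an added example (not from the original notes) that models it in Python: a RID master hands out blocks of RIDs, each DC stamps new principals with <domain SID>-<RID>, requests a fresh block when its pool runs low, and fails only when the pool is empty and the master is unreachable. The domain SID is constructed; the 500-RID block size is AD's default and the low-water mark of 50 is an assumption of the model.

```python
"""SID = domain SID + RID, and the RID pool a DC draws from.

Added example, not from the original notes. The RID master hands each DC a
block of RIDs, the DC stamps every new security principal with
<domain SID>-<RID>, and asks for a new block when its pool runs low. The
domain SID is constructed; the block size of 500 is AD's default and the
low-water mark is an assumed value for this model.
"""
from typing import List, Optional, Tuple

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed
Block = Tuple[int, int]   # (next free RID, last RID in the block)


class RidMaster:
    """The one per-domain role holder that owns the unallocated RID pool."""

    def __init__(self, block_size: int = 500, first_rid: int = 1000):
        self.block_size = block_size
        self.next_rid = first_rid            # RIDs below 1000 belong to well-known accounts
        self.online = True
        self.allocations: List[Tuple[str, int, int]] = []

    def allocate_block(self, dc_name: str) -> Block:
        if not self.online:
            raise ConnectionError("RID master unreachable")
        start, end = self.next_rid, self.next_rid + self.block_size - 1
        self.next_rid = end + 1
        self.allocations.append((dc_name, start, end))
        return start, end


class DomainController:
    """Creates security principals from its own RID pool; never mints RIDs itself."""

    def __init__(self, name: str, master: RidMaster, low_water: int = 50):
        self.name = name
        self.master = master
        self.low_water = low_water
        self.pool: Optional[Block] = None      # block currently being consumed
        self.standby: Optional[Block] = None   # next block, fetched ahead of time
        self.requests = 0                      # how often this DC asked the master

    def remaining(self) -> int:
        return 0 if self.pool is None else self.pool[1] - self.pool[0] + 1

    def _top_up(self) -> None:
        # Ask for the next block while some RIDs are still left, so a short
        # RID master outage does not stop object creation immediately.
        if self.standby is None and self.remaining() <= self.low_water:
            try:
                self.standby = self.master.allocate_block(self.name)
                self.requests += 1
            except ConnectionError:
                pass   # keep going on what is left; fail only when truly empty
        if self.remaining() == 0:
            if self.standby is None:
                raise RuntimeError(f"{self.name}: RID pool exhausted and RID master unavailable")
            self.pool, self.standby = self.standby, None

    def create_principal(self) -> str:
        """Return the SID of a newly created user, group or computer."""
        self._top_up()
        rid = self.pool[0]
        self.pool = (rid + 1, self.pool[1])
        return f"{DOMAIN_SID}-{rid}"


def create_or_none(dc: DomainController) -> Optional[str]:
    """Return the new SID, or None when the DC has no RID left to assign."""
    try:
        return dc.create_principal()
    except RuntimeError:
        return None
```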
How the Local User Accounts Are Handled When a Server Is Promoted to a DC
When a server is promoted to a DC, the server no longer uses the local SAM database to store users and groups. When the promotion is complete, the DC stores users, groups, and computer accounts in the Active Directory database. The SAM database is still present, but it is inaccessible when the server is running in normal mode; it is used when you boot into Directory Services Restore Mode or the Recovery Console. If this new DC is the first DC in a new domain, all of the local user accounts in the SAM database are migrated to Active Directory. All permissions that had been assigned to the local users, such as NTFS permissions, are retained.
Create a new REG_DWORD value named DebugLogLevel, set its data to 1, and restart the computer. 1 activates logging; 0 turns logging off. The log files are placed in the %Systemroot%\System32\Directory Synchronization\Session Logs folder and are named "Session#-#.log".
"Replication Access Was Denied" Error Message When Attempting to Synchronize DCs
When you use the Active Directory Sites and Services snap-in from a child domain to force replication from a parent domain or another child domain at the same level, you may receive the following error message:
The following error occurred during the attempt to synchronize the DCs: Replication Access was denied
Domains in Active Directory are natural security boundaries. Administrative permissions do not flow down; they need to be assigned. When a child domain is created, the Enterprise Admins global group is added to the built-in Administrators group of the child domain. This allows the administrator of the parent domain to administer and force replication from either the parent domain or the child domain, but the administrator in the child domain is only able to force replication from within his or her own domain. To resolve this issue, give the administrator in the child domain permissions to the parent domain from which you want to force replication: add the child domain administrator to the Administrators group in the parent domain.
Repeat these steps from each domain that you want to assign administrative permissions to. Keep in mind that parent domains are able to manage all of their child domains but you need to perform the steps described in this article for any child domains that want to manage the parent domain or other child domains on the same level.
RPC Error Messages Returned for Active Directory Replication When Time Is Out of Synchronization
When you are viewing the status of Active Directory replication between two DCs, the following messages may be displayed for the result of the last replication attempt:
The RPC server is unavailable.
-or-
The RPC server is too busy to complete this operation.
These error messages may be reported in the Event log through Replication Monitor. By default, W2K computers synchronize time with a time server. If the time server is not available and the time difference between DCs drifts beyond the skew allowed by Kerberos, authentication between the two DCs may not succeed and the RPC error messages can result. Synchronize time among DCs using net time:
net time \\mypdc /set /y
This synchronizes the local computer's time with the server named Mypdc. With /set the time is not only queried but also synchronized with the specified server; /y skips the confirmation prompt for changing the time on the local computer.
Active Directory orders all updates by assigning a globally unique stamp to the originating update. If there is a conflict, the ordering of stamps allows a consistent resolution. This approach is used in the following ways:
o Attribute value: the value whose update operation has the larger stamp wins.
o Add/move under a deleted container object, or deletion of a non-leaf object: after resolution at all replicas, the container object is deleted and the leaf object is made a child of the special Lost&Found container. Stamps are not involved in this resolution.
o Sibling name conflict: the object with the larger stamp keeps the RDN. The other sibling is assigned a unique RDN by the system, built from a reserved character (the asterisk), the RDN, and the object's GUID, which does not conflict with any client-assigned value.
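An added example (not from the original notes) that works the three resolution rules above through in Python. The stamp is modelled as the (version, originating time, originating DC id) tuple AD attaches to each originating write, compared lexicographically; the GUIDs and the exact rename form of a losing sibling are constructed for illustration.

```python
"""Active Directory update-conflict resolution by stamps, modelled in Python.

Added example, not from the original notes. The stamp is modelled as the
(version, originating time, originating DC id) tuple that AD attaches to an
originating write, compared lexicographically: higher version wins, then
the later write, then the larger originating DC id breaks the tie. Object
GUIDs and the rename form for a losing sibling are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

Stamp = Tuple[int, int, str]   # (version, originating_time, originating_dc)


@dataclass
class AttrValue:
    value: str
    stamp: Stamp


@dataclass
class DirObject:
    guid: str
    rdn: str
    parent: str                       # DN of the container
    rdn_stamp: Stamp = (1, 0, "")     # stamp of the write that set the RDN
    deleted: bool = False

    @property
    def dn(self) -> str:
        return f"{self.rdn},{self.parent}"


def resolve_attribute(local: AttrValue, remote: AttrValue) -> AttrValue:
    """Attribute value conflict: the update with the larger stamp wins, so every
    replica converges on the same value regardless of arrival order."""
    return remote if remote.stamp > local.stamp else local


def resolve_sibling_names(a: DirObject, b: DirObject) -> Tuple[DirObject, DirObject]:
    """Two objects created with the same RDN under the same parent on different DCs.

    Returns (keeps its RDN, renamed). The loser gets a system-assigned RDN made
    of the reserved character, the old RDN and its GUID; no client could have
    supplied that name, so the rename cannot itself collide.
    """
    winner, loser = (a, b) if a.rdn_stamp > b.rdn_stamp else (b, a)
    attr, _, value = loser.rdn.partition("=")
    loser.rdn = f"{attr}={value}*{loser.guid}"   # form constructed for this example
    return winner, loser


def resolve_deleted_parent(child: DirObject, containers: Dict[str, DirObject],
                           domain_dn: str) -> DirObject:
    """Add or move under a container that another replica has already deleted.

    Stamps are not consulted: the container stays deleted and the orphaned
    leaf is re-parented into the domain's LostAndFound container.
    """
    parent = containers.get(child.parent)
    if parent is not None and parent.deleted:
        child.parent = f"CN=LostAndFound,{domain_dn}"
    return child
```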
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
The default value data for the "Replicator notify pause after modify (secs)" DWORD value is 0x12c, which is 300 in decimal (5 minutes). To modify the notification delay between DCs, use Registry Editor to modify the value data for the "Replicator notify pause between DSAs (secs)" DWORD value in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
The default value data for the "Replicator notify pause between DSAs (secs)" DWORD value is 0x1e, which is 30 in decimal (30 seconds).
When the KCC on each DC generates the intra-site topology for the site in which it resides, the KCC creates a connection object in Active Directory only when a connection object is required for the local computer. These changes propagate to other DCs through the normal replication process. Each DC uses the same algorithm to compute the replication topology, and in a state of equilibrium between DCs, each should arrive at the same result with respect to what the replication topology should be. In the process, each DC creates its own connection objects. Connection objects for bridgehead servers for inter-site replication are created differently. The KCC on one DC in each site is responsible for reviewing the inter-site topology and creating inbound replication connection objects as necessary for bridgehead servers in the site in which it resides. This DC is known as the Inter-Site Topology Generator (ISTG). The DC holding this role is not necessarily a bridgehead server. When the ISTG determines that a connection object needs to be modified on a given bridgehead server in the site, the ISTG makes the change to its local Active Directory copy. As part of the normal intra-site replication process, these changes propagate to the bridgehead servers in the site. When