Directory Services Utility (DsaStat.exe) (ST)

This tool is the same as it is in Windows 2000 systems; it allows an administrator to compare full directory replicas stored on different domain controllers, or compare a domain partition with the partial replica stored in Global Catalog. The comparison can be purely statistical or on a per-attribute content basis.

The administrator can test either an entire directory partition or only a subtree. By default, all objects are compared, but it is possible to use an LDAP filter and select only the necessary types of objects. Moreover, you can test all attributes, only selected attributes, or the attributes replicated to Global Catalog. Thus, DsaStat can serve as an instrument for verifying replication between domain controllers and the actual information stored on a DC.

Tip 

In the Windows 2000 environment, use the servers' DNS rather than NetBIOS names, and the tool will run faster.

Tip 

The tool may require quite a lot of time to run, and it is difficult to interrupt it. Besides, it produces significant network traffic. Therefore, if you plan to use it, do so carefully.

General Statistical Comparison

Let us first see how DsaStat compares directory replicas and produces statistical data. In this mode, the tool only counts the directory objects and displays totals. In the following example, the Configuration partition is verified on DCs from different domains. (It might be necessary to specify a domain administrator's credentials.) If the -b parameter is omitted, all applicable partitions are compared.

    C:\>dsastat -s:netdc1.net.dom;netdc2.subdom.net.dom -b:CN=Configuration,DC=net,DC=dom
    Stat-Only mode.
    Unsorted mode.
    Opening connections...
            netdc1.net.dom...success.
    Connecting to netdc1.net.dom...
    reading...
     **> ntMixedDomain = 0     [0 --- native mode]
    reading...
     **> Options = 1           [1 --- Global Catalog server]
    Setting server as [netdc1.net.dom] as server to read Config Info...
            netdc2.subdom.net.dom...success.
    Connecting to netdc2.subdom.net.dom...
    reading...
     **> ntMixedDomain = 1            [1 --- mixed mode]
    reading...
     **> Options = 0                  [0 --- "normal" server]
    [If options have not been defined, you will see the following line:
    LocalException <0>: Cannot get Options <2>.]
    Generation Domain List on server netdc1.net.dom...
    > Searching server for GC attribute partial set on property attributeId.
    > Searching server for GC attribute partial set on property ldapDisplayName.
    Retrieving statistics...
    [The command can be cancelled only from this point and afterwards:]
    Paged result search...
    Paged result search...
      50 entries processed (7 msg queued, 0 obj stored, 0 obj deleted)...
    ...
    2650 entries processed (7 msg queued, 0 obj stored, 0 obj deleted)...
    ...(Terminated query to netdc1.net.dom. <No result present in message>)
    ...(Terminated query to netdc2.subdom.net.dom. <No result present in message>)
    2700 entries processed (6 msg queued, 0 obj stored, 0 obj deleted)...
    ...
    2950 entries processed (6 msg queued, 0 obj stored, 0 obj deleted)...
                          -=>>|*** DSA Diagnostics ***|<<=-
    Objects per server:
    Obj /Svr                      netdc1.net.dom  netdc2.subdom.net.dom  Total
    configuration                              1                      1      2
    container                                 61                     61    122
    controlAccessRight                        58                     58    116
    crossRef                                   6                      6     12
    crossRefContainer                          1                      1      2
    dSUISettings                              24                     24     48
    displaySpecifier                        1296                   1296   2592
    foreignSecurityPrincipal                  16                     16     32
    interSiteTransport                         2                      2      4
    interSiteTransportContainer                1                      1      2
    licensingSiteSettings                      1                      1      2
    lostAndFound                               1                      1      2
    mSMQEnterpriseSettings                     1                      1      2
    msPKI-Enterprise-Oid                       1                      1      2
    nTDSConnection                             4                      4      8
    nTDSDSA                                    2                      2      4
    nTDSService                                1                      1      2
    nTDSSiteSettings                           1                      1      2
    physicalLocation                           1                      1      2
    queryPolicy                                1                      1      2
    rRASAdministrationDictionary               1                      1      2
    server                                     2                      2      4
    serversContainer                           1                      1      2
    site                                       1                      1      2
    siteLink                                   1                      1      2
    sitesContainer                             1                      1      2
    subnetContainer                            1                      1      2
    ---                                     1489                   1489   2978
                              . . . . . . . . . . . . . .
    Bytes per object:
    configuration                      828
    container                        18992
    controlAccessRight               23564
    crossRef                          1952
    crossRefContainer                  322
    dSUISettings                      8400
    displaySpecifier                469344
    foreignSecurityPrincipal          6056
    interSiteTransport                 596
    interSiteTransportContainer        408
    licensingSiteSettings              436
    lostAndFound                       334
    mSMQEnterpriseSettings             350
    msPKI-Enterprise-Oid               304
    nTDSConnection                    1628
    nTDSDSA                            660
    nTDSService                        324
    nTDSSiteSettings                   396
    physicalLocation                   420
    queryPolicy                        336
    rRASAdministrationDictionary       398
    server                             594
    serverContainer                    304
    site                               258
    siteLink                           312
    sitesContainer                     288
    subnetContainer                    300
                              . . . . . . . . . . . . . .
    Bytes per server:
    netdc1.net.dom                  269052
    netdc2.subdom.net.dom           269052
                              . . . . . . . . . . . . . .
    Checking for missing replies...
            No missing replies! INFO: Server sizes are equal.
    *** Identical Directory Information Trees ***
    PASS
          -=>>PASS <<=-
    closing connections...
            netdc1.net.dom; netdc2.subdom.net.dom;

As you can see, the number of objects of each type is displayed, along with the total size of objects of a specific type.

Analyzing Differences between Partitions

Basically, there are three types of inconsistencies between directory replicas that DsaStat can detect. Let us consider these types in the examples given below. In each case, we will compare the results of statistical and full-content comparisons of an OU object's replicas. For compactness, only the most interesting lines from DsaStat's screen output are shown.

Different Attribute Values of the Same Object

If the values of one or more attributes of the same object are different on specified domain controllers, statistical comparison (similar to the one shown above) only counts total sizes and produces the following result:

    Checking for missing replies...
            No missing replies!INFO: Server sizes are not equal (min= ..., max=...).
    *** Identical Directory Information Trees ***
    PASS
          -=>> PASS <<=

You can only conclude from such an output that the replicas differ, and nothing more.

The following command performs a full-content comparison (notice that the -t:FALSE parameter is used). It identifies both the directory object that has been changed but not yet replicated (a GPO) and the name of the attribute that differs (versionNumber):

    C:\>dsastat -s:netdc1.net.dom;netdc4.net.dom -b:DC=net,DC=dom -t:FALSE
    Unsorted mode.
    ...
    FAIL Value [0] of Attr[versionNumber] did not compare on dn
    [<GUID=7a8d66e928d2d94c93dd5ca95c7d5ac4>; CN={64C49D93-BBB7-410E-B999-837B5B90422B}, CN=Policies, CN=System, DC=net, DC=dom]
                          Servers [netdc1.net.dom] ~ [netdc4.net.dom]
    FAIL FAIL[1]: mismatch with current DIT image
    ...
                        -=>> |*** DSA Diagnostics ***|<<=-
    ...
    Checking for missing replies...
            No missing replies!INFO: Server sizes are equal.
    *** Different Directory Information Trees. 1 errors (see above). ***
    FAIL
          -=>> FAIL <<=-
    closing connections...
            netdc1.net.dom; netdc4.net.dom;

In this case, a GPO named {64C49D93-BBB7-410E-B999-837B5B90422B} has been changed on a domain controller.

Thus, you can see both the number of errors and their location. The sizes of the compared trees on the specified servers may or may not be equal, depending on the changes made to the directory objects.

Different Number of Defined Attributes of the Same Object

If the replicas of the same object have different numbers of attributes, the statistical comparison, again, reports only that the replicas' sizes are not equal. Let us look at the results produced by a full-content comparison.

    C:\>dsastat -s:netdc1.net.dom;netdc4.net.dom -b:DC=net,DC=dom -t:FALSE
    Unsorted mode.
    Opening connections...
    ...
    ...(Terminated query to netdc1.net.dom. <No result present in message>)
    ...(Terminated query to netdc4.net.dom. <No result present in message>)
    FAIL AttrCount mismatch : Attrcount[17]@Server[netdc1.net.dom] !=
    Attrcount[16]@Server[netdc4.net.dom]
    for Dn
    '<GUID=74c87b3d85df0945bab5d2ccd5e31381>;<SID=010500000000000515000000dcf4dc3ba837d66516c0ea3255040000>;CN=John Smith,OU=Staff,DC=net,DC=dom'
    ********** Dumping Attribute List **********
    ---------------> Server [netdc1.net.dom] <--------------
    Attr[0] = cn
    Attr[1] = description
    Attr[2] = displayName
    Attr[3] = givenName
    Attr[4] = name
    Attr[5] = nTSecurityDescriptor
    Attr[6] = objectCategory
    Attr[7] = objectClass
    Attr[8] = objectSid
    Attr[9] = primaryGroupID
    Attr[10] = replPropertyMetaData
    Attr[11] = sAMAccountName
    Attr[12] = sAMAccountType
    Attr[13] = sn
    Attr[14] = userAccountControl
    Attr[15] = userPrincipalName
    Attr[16] = whenCreated
    ----------------> Server [netdc4.net.dom] <---------------
    Attr[0] = cn
    Attr[1] = displayName
    Attr[2] = givenName
    Attr[3] = name
    Attr[4] = nTSecurityDescriptor
    Attr[5] = objectCategory
    Attr[6] = objectClass
    Attr[7] = objectSid
    Attr[8] = primaryGroupID
    Attr[9] = replPropertyMetaData
    Attr[10] = sAMAccountName
    Attr[11] = sAMAccountType
    Attr[12] = sn
    Attr[13] = userAccountControl
    Attr[14] = userPrincipalName
    Attr[15] = whenCreated
    FAIL FAIL[1]: mismatch with current DIT image
                        -=>>|*** DSA Diagnostics ***|<<=-
    Objects per server:
    ...
    Bytes per object:
    ...
    Checking for missing replies...
            No missing replies!INFO: Server sizes are not equal (min=43841, max=43830).
    *** Different Directory Information Trees. 1 errors (see above). ***
    FAIL
          -=>> FAIL <<=-
    closing connections...
            netdc1.net.dom; netdc4.net.dom;

As you can see, the tool displays the number of attributes for each object replica, shows the DN of the object, and then lists the attributes for each replica. The missing attribute can be easily found.

Different Number of Objects

In the following example, a user, Mark, and a computer, Comp1, have been deleted from the Staff OU on one domain controller, and the changes have not yet been replicated to another DC. In this case, both statistical and full-content comparisons report that the test has failed, and that there has been a "Server total object count mismatch". A full-content test, however, displays specific information about the error: the type and name of the missing object. Look at the following sample output:

    C:\>dsastat -s:netdc1.net.dom;netdc4.net.dom -b:OU=Staff,DC=net,DC=dom -t:FALSE
    Unsorted mode.
    ...
                         -=>>|*** DSA Diagnostics ***|<<=-
    Objects per server:
    Obj /Svr                netdc1.net.dom  netdc4.net.dom  Total
    computer                             1               2      3
    group                                2               2      4
    organizationalUnit                   1               1      2
    user                                 4               5      9
    volume                               1               1      2
    ---                                  9              11     20
    FAIL Server total object count mismatch
    ...
    Checking for missing replies...
    Fail [2]: missing 1 replies for
    '<GUID=65d29dba5ad79e4e947c4a85bdb2c774>;<SID=010500000000000515000000dcf4dc3ba837d66516c0ea3264040000>;CN=Comp1,OU=Staff,DC=net,DC=dom'
    Fail [3] : missing 1 replies for
    '<GUID=f8c1c9cf1e919a469821b7ceb67608e2>;<SID=010500000000000515000000dcf4dc3ba837d66516c0ea3266040000>;CN=Mark,OU=Staff,DC=net,DC=dom'
    INFO: Server sizes are not equal (min=1838, max=2227).
    *** Different Directory Information Trees. 3 errors (see above). ***
    FAIL
          -=>> FAIL <<=-
    closing connections...
            netdc1.net.dom; netdc4.net.dom;
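
When DsaStat output is saved to a file, the attribute dump and the "Objects per server" table can be compared automatically instead of by eye. The following is an added example, not code from the book: it assumes output laid out as in the listings above with a single AttrCount dump, uses a constructed and shortened sample, and the function names are hypothetical.

```python
import re

# Constructed sample: shortened DsaStat full-content output modelled on the listings above.
SAMPLE = """\
FAIL AttrCount mismatch : Attrcount[3]@Server[netdc1.net.dom] != Attrcount[2]@Server[netdc4.net.dom]
---------------> Server [netdc1.net.dom] <--------------
Attr[0] = cn
Attr[1] = description
Attr[2] = name
----------------> Server [netdc4.net.dom] <---------------
Attr[0] = cn
Attr[1] = name
Objects per server:
Obj /Svr        netdc1.net.dom  netdc4.net.dom Total
computer                     1       2       3
group                        2       2       4
user                         4       5       9
---                          7       9      16
FAIL Server total object count mismatch
"""

def attr_diff(text):
    """Map each server to the attributes it holds that another replica lacks."""
    lists, server = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*-+>\s*Server \[(.+?)\]\s*<-+", line)
        attr = re.match(r"\s*Attr\[\d+\]\s*=\s*(\S+)", line)
        if head:
            server = head.group(1)
            lists[server] = set()
        elif attr and server:
            lists[server].add(attr.group(1))
    common = set.intersection(*lists.values()) if lists else set()
    return {s: sorted(a - common) for s, a in lists.items()}

def count_mismatches(text):
    """Return {objectClass: [count per server]} for classes whose counts differ."""
    out, in_table = {}, False
    for line in text.splitlines():
        row = re.match(r"\s*([A-Za-z][\w-]*)\s+((?:\d+\s+)+)\d+\s*$", line)
        if line.strip().startswith("Obj /Svr"):
            in_table = True
        elif line.strip().startswith("---"):
            in_table = False  # the totals row closes the table
        elif in_table and row:
            counts = [int(n) for n in row.group(2).split()]  # Total column excluded
            if len(set(counts)) > 1:
                out[row.group(1)] = counts
    return out
```

An object class reported by `count_mismatches` or an attribute reported by `attr_diff` may only reflect replication latency, so a repeated run after the next replication cycle shows whether the difference persists.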



Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
EAN: 2147483647
Year: 2002
Pages: 154
