This tool is unchanged from its Windows 2000 version; it allows an administrator to compare full directory replicas stored on different domain controllers, or to compare a domain partition with the partial replica stored in the Global Catalog. The comparison can be purely statistical or on a per-attribute content basis.
The administrator can test either an entire directory partition or only a subtree. By default, all objects are compared, but it is possible to use an LDAP filter and select only the required types of objects. Moreover, you can test either all attributes, only selected ones, or only the attributes replicated to the Global Catalog. Thus, DsaStat can serve as an instrument for verifying replication between domain controllers and the information actually stored on a DC.
Tip: In the Windows 2000 environment, use the servers' DNS names rather than their NetBIOS names, and the tool will run faster.
Tip: The tool may require quite a lot of time to run, and it is difficult to interrupt. Besides, it produces significant network traffic. Therefore, if you plan to use it, plan the run carefully.
Let us first see how DsaStat compares directory replicas and produces statistical data. In this mode, the tool only counts the directory objects and displays totals. In the following example, the Configuration partition is verified on DCs from different domains. (It might be necessary to specify a domain administrator's credentials.) If the -b parameter is omitted, all applicable partitions are compared.
C:\>dsastat -s:netdc1.net.dom;netdc2.subdom.net.dom -b:CN=Configuration,DC=net,DC=dom
Stat-Only mode.
Unsorted mode.
Opening connections...
netdc1.net.dom...success.
Connecting to netdc1.net.dom...
reading... **> ntMixedDomain = 0 [0 --- native mode]
reading... **> Options = 1 [1 --- Global Catalog server]
Setting server as [netdc1.net.dom] as server to read Config Info...
netdc2.subdom.net.dom...success.
Connecting to netdc2.subdom.net.dom...
reading... **> ntMixedDomain = 1 [1 --- mixed mode]
reading... **> Options = 0 [0 --- "normal" server]
[If options have not been defined, you will see the following line: LocalException <0>: Cannot get Options <2>.]
Generation Domain List on server netdc1.net.dom...
> Searching server for GC attribute partial set on property attributeId.
> Searching server for GC attribute partial set on property ldapDisplayName.
Retrieving statistics...
[The command can be cancelled only from this point and afterwards:]
Paged result search...
Paged result search...
50 entries processed (7 msg queued, 0 obj stored, 0 obj deleted)...
...
2650 entries processed (7 msg queued, 0 obj stored, 0 obj deleted)...
...(Terminated query to netdc1.net.dom. <No result present in message>)
...(Terminated query to netdc2.subdom.net.dom. <No result present in message>)
2700 entries processed (6 msg queued, 0 obj stored, 0 obj deleted)...
...
2950 entries processed (6 msg queued, 0 obj stored, 0 obj deleted)...
-=>>|*** DSA Diagnostics ***|<<=-
Objects per server:
Obj /Svr                       netdc1.net.dom   netdc2.subdom.net.dom   Total
configuration                  1                1                       2
container                      61               61                      122
controlAccessRight             58               58                      116
crossRef                       6                6                       12
crossRefContainer              1                1                       2
dSUISettings                   24               24                      48
displaySpecifier               1296             1296                    2592
foreignSecurityPrincipal       16               16                      32
interSiteTransport             2                2                       4
interSiteTransportContainer    1                1                       2
licensingSiteSettings          1                1                       2
lostAndFound                   1                1                       2
mSMQEnterpriseSettings         1                1                       2
msPKI-Enterprise-Oid           1                1                       2
nTDSConnection                 4                4                       8
nTDSDSA                        2                2                       4
nTDSService                    1                1                       2
nTDSSiteSettings               1                1                       2
physicalLocation               1                1                       2
queryPolicy                    1                1                       2
rRASAdministrationDictionary   1                1                       2
server                         2                2                       4
serversContainer               1                1                       2
site                           1                1                       2
siteLink                       1                1                       2
sitesContainer                 1                1                       2
subnetContainer                1                1                       2
---                            1489             1489                    2978
. . . . . . . . . . . . . .
Bytes per object:
configuration                  828
container                      18992
controlAccessRight             23564
crossRef                       1952
crossRefContainer              322
dSUISettings                   8400
displaySpecifier               469344
foreignSecurityPrincipal       6056
interSiteTransport             596
interSiteTransportContainer    408
licensingSiteSettings          436
lostAndFound                   334
mSMQEnterpriseSettings         350
msPKI-Enterprise-Oid           304
nTDSConnection                 1628
nTDSDSA                        660
nTDSService                    324
nTDSSiteSettings               396
physicalLocation               420
queryPolicy                    336
rRASAdministrationDictionary   398
server                         594
serverContainer                304
site                           258
siteLink                       312
sitesContainer                 288
subnetContainer                300
. . . . . . . . . . . . . .
Bytes per server:
netdc1.net.dom                 269052
netdc2.subdom.net.dom          269052
. . . . . . . . . . . . . .
Checking for missing replies...
No missing replies!
INFO: Server sizes are equal.
*** Identical Directory Information Trees ***
PASS
-=>>PASS <<=-
closing connections...
netdc1.net.dom;
netdc2.subdom.net.dom;
As you can see, the number of objects of each type is displayed, along with the total size of the objects of each type on every server.
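When a run ends with a "Server total object count mismatch", the "Objects per server" table is where the divergence shows up per object class. The following script is an added example (not the book's or the DsaStat tool's own code): it parses that table from a saved run and reports the classes whose counts differ between servers; the sample table and the server names netdc1.net.dom and netdc4.net.dom are constructed after the shape of the output shown on this page.

```python
# Constructed sample in the shape of DsaStat's "Objects per server" table,
# with counts that differ for two classes (a replica that has not yet converged).
SAMPLE_TABLE = """\
-=>>|*** DSA Diagnostics ***|<<=-
Objects per server:
Obj /Svr              netdc1.net.dom  netdc4.net.dom  Total
computer              1               2               3
group                 2               2               4
organizationalUnit    1               1               2
user                  4               5               9
volume                1               1               2
---                   9               11              20
Bytes per object:
computer              2376
"""


def parse_objects_per_server(text):
    """Return (server names, {objectClass: [count on each server]}, totals row)."""
    servers, counts, totals = None, {}, None
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("Obj /Svr"):
            servers = parts[2:-1]        # skip "Obj" "/Svr", drop trailing "Total"
        elif servers is None or len(parts) != len(servers) + 2:
            continue                     # not yet in the table, or not a count row
        elif parts[0] == "---":
            totals = [int(n) for n in parts[1:-1]]
            break                        # the totals row closes the table
        else:
            counts[parts[0]] = [int(n) for n in parts[1:-1]]
    return servers, counts, totals


def diverging_classes(servers, counts):
    """Object classes whose count differs between servers, keyed by server name."""
    return {cls: dict(zip(servers, c)) for cls, c in counts.items() if len(set(c)) > 1}


def totals_consistent(counts, totals):
    """Check the tool's '---' totals row against the sum of the rows above it."""
    return totals == [sum(col) for col in zip(*counts.values())]


if __name__ == "__main__":
    servers, counts, totals = parse_objects_per_server(SAMPLE_TABLE)
    for cls, per_server in diverging_classes(servers, counts).items():
        print(cls, per_server)
```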
Basically, there are three types of inconsistencies between directory replicas that DsaStat can detect. Let us consider these types in the examples given below. In each case, we will compare the results of the statistical and full-content comparisons of an OU object's replicas. For compactness, only the most interesting lines of DsaStat's screen output will be shown.
If the values of one or more attributes of the same object are different on specified domain controllers, statistical comparison (similar to the one shown above) only counts total sizes and produces the following result:
Checking for missing replies...
No missing replies!
INFO: Server sizes are not equal (min= ..., max=...).
*** Identical Directory Information Trees ***
PASS
-=>> PASS <<=-
You can only conclude from such an output that the replicas differ, and nothing more.
The following command performs the full-content comparison; it detects a directory object (a GPO) that has been changed but not yet replicated and names the differing attribute (versionNumber). Notice that the -t:FALSE parameter is used:
C:\>dsastat -s:netdc1.net.dom;netdc4.net.dom -b:DC=net,DC=dom -t:FALSE
Unsorted mode.
...
FAIL Value [0] of Attr[versionNumber] did not compare on dn [<GUID=7a8d66e928d2d94c93dd5ca95c7d5ac4>;CN={64C49D93-BBB7-410E-B999-837B5B90422B},CN=Policies,CN=System,DC=net,DC=dom] Servers [netdc1.net.dom] ~ [netdc4.net.dom]
FAIL
FAIL[1]: mismatch with current DIT image
...
-=>>|*** DSA Diagnostics ***|<<=-
...
Checking for missing replies...
No missing replies!
INFO: Server sizes are equal.
*** Different Directory Information Trees. 1 errors (see above). ***
FAIL
-=>> FAIL <<=-
closing connections...
netdc1.net.dom;
netdc4.net.dom;
In this case, a GPO named {64C49D93-BBB7-410E-B999-837B5B90422B} has been changed on a domain controller.
Thus, you can see both the number of errors and their location. The sizes of the compared trees on the specified servers may or may not be equal; this depends on the nature of the changes made to the directory objects.
If the replicas of the same object have different numbers of attributes, the statistical comparison, again, reports only that the replicas' sizes are not equal. Let us look at the results produced by a full-content comparison.
C:\>dsastat -s:netdc1.net.dom;netdc4.net.dom -b:DC=net,DC=dom -t:FALSE
Unsorted mode.
Opening connections...
...
...(Terminated query to netdc1.net.dom. <No result present in message>)
...(Terminated query to netdc4.net.dom. <No result present in message>)
FAIL AttrCount mismatch : Attrcount[17]@Server[netdc1.net.dom] != Attrcount[16]@Server[netdc4.net.dom] for Dn '<GUID=74c87b3d85df0945bab5d2ccd5e31381>;<SID=010500000000000515000000dcf4dc3ba837d66516c0ea3255040000>;CN=John Smith,OU=Staff,DC=net,DC=dom'
********** Dumping Attribute List **********
---------------> Server [netdc1.net.dom] <--------------
Attr[0] = cn
Attr[1] = description
Attr[2] = displayName
Attr[3] = givenName
Attr[4] = name
Attr[5] = nTSecurityDescriptor
Attr[6] = objectCategory
Attr[7] = objectClass
Attr[8] = objectSid
Attr[9] = primaryGroupID
Attr[10] = replPropertyMetaData
Attr[11] = sAMAccountName
Attr[12] = sAMAccountType
Attr[13] = sn
Attr[14] = userAccountControl
Attr[15] = userPrincipalName
Attr[16] = whenCreated
----------------> Server [netdc4.net.dom] <---------------
Attr[0] = cn
Attr[1] = displayName
Attr[2] = givenName
Attr[3] = name
Attr[4] = nTSecurityDescriptor
Attr[5] = objectCategory
Attr[6] = objectClass
Attr[7] = objectSid
Attr[8] = primaryGroupID
Attr[9] = replPropertyMetaData
Attr[10] = sAMAccountName
Attr[11] = sAMAccountType
Attr[12] = sn
Attr[13] = userAccountControl
Attr[14] = userPrincipalName
Attr[15] = whenCreated
FAIL
FAIL[1]: mismatch with current DIT image
-=>>|*** DSA Diagnostics ***|<<=-
Objects per server:
...
Bytes per object:
...
Checking for missing replies...
No missing replies!
INFO: Server sizes are not equal (min=43841, max=43830).
*** Different Directory Information Trees. 1 errors (see above). ***
FAIL
-=>> FAIL <<=-
closing connections...
netdc1.net.dom;
netdc4.net.dom;
As you can see, the tool displays the number of attributes for each object replica, shows the DN of the object, and then lists the attributes of each replica. The missing attribute can easily be found by comparing the two lists.
In the following example, a user Mark and a computer Comp1 have been deleted from the Staff OU on one domain controller, and the changes have not yet been replicated to the other DC. In this case, both the statistical and the full-content comparison report that the test has failed with a "Server total object count mismatch". The full-content test, however, displays specific information about the error: the type and name of each missing object. Look at the following sample output:
C:\>dsastat -s:netdc1.net.dom;netdc4.net.dom -b:OU=Staff,DC=net,DC=dom -t:FALSE
Unsorted mode.
...
-=>>|*** DSA Diagnostics ***|<<=-
Objects per server:
Obj /Svr              netdc1.net.dom   netdc4.net.dom   Total
computer              1                2                3
group                 2                2                4
organizationalUnit    1                1                2
user                  4                5                9
volume                1                1                2
---                   9                11               20
FAIL Server total object count mismatch
...
Checking for missing replies...
Fail [2]: missing 1 replies for '<GUID=65d29dba5ad79e4e947c4a85bdb2c774>;<SID=010500000000000515000000dcf4dc3ba837d66516c0ea3264040000>;CN=Comp1,OU=Staff,DC=net,DC=dom'
Fail [3]: missing 1 replies for '<GUID=f8c1c9cf1e919a469821b7ceb67608e2>;<SID=010500000000000515000000dcf4dc3ba837d66516c0ea3266040000>;CN=Mark,OU=Staff,DC=net,DC=dom'
INFO: Server sizes are not equal (min=1838, max=2227).
*** Different Directory Information Trees. 3 errors (see above). ***
FAIL
-=>> FAIL <<=-
closing connections...
netdc1.net.dom;
netdc4.net.dom;
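The three inconsistency types shown above (a differing attribute value, a differing attribute count, and a missing object) can be picked out of a saved full-content run automatically, which is useful when DsaStat is run on a schedule and only the findings should be reviewed. The following Python script is an added example (not the book's or the tool's own code); it classifies the FAIL lines of a -t:FALSE run, strips the <GUID=...>/<SID=...> prefixes from the DNs, and records the size verdict. The log is constructed after the shape of the output above and reuses the DNs and server names shown there.

```python
import re

# Constructed sample in the shape of DsaStat's full-content (-t:FALSE) output,
# reusing the identifiers shown in the excerpts above; one message per line.
SAMPLE_RUN = """\
Unsorted mode.
FAIL Value [0] of Attr[versionNumber] did not compare on dn [<GUID=7a8d66e928d2d94c93dd5ca95c7d5ac4>;CN={64C49D93-BBB7-410E-B999-837B5B90422B},CN=Policies,CN=System,DC=net,DC=dom] Servers [netdc1.net.dom] ~ [netdc4.net.dom]
FAIL AttrCount mismatch : Attrcount[17]@Server[netdc1.net.dom] != Attrcount[16]@Server[netdc4.net.dom] for Dn '<GUID=74c87b3d85df0945bab5d2ccd5e31381>;CN=John Smith,OU=Staff,DC=net,DC=dom'
Checking for missing replies...
Fail [2]: missing 1 replies for '<GUID=65d29dba5ad79e4e947c4a85bdb2c774>;CN=Comp1,OU=Staff,DC=net,DC=dom'
INFO: Server sizes are not equal (min=1838, max=2227).
*** Different Directory Information Trees. 3 errors (see above). ***
-=>> FAIL <<=-
"""

# One pattern per inconsistency type described in the text, plus the two summary lines.
VALUE_RE = re.compile(r"Value \[\d+\] of Attr\[([\w-]+)\] did not compare on dn \[(.*?)\] Servers \[([^\]]+)\] ~ \[([^\]]+)\]")
COUNT_RE = re.compile(r"Attrcount\[(\d+)\]@Server\[([^\]]+)\] != Attrcount\[(\d+)\]@Server\[([^\]]+)\] for Dn '(.*?)'")
MISSING_RE = re.compile(r"missing (\d+) replies for '(.*?)'")
SIZE_RE = re.compile(r"INFO: Server sizes are (equal|not equal)")
VERDICT_RE = re.compile(r"-=>>\s*(PASS|FAIL)\s*<<=-")


def plain_dn(dn):
    """Drop the <GUID=...>;<SID=...>; prefixes DsaStat puts in front of a DN."""
    return dn.split(";")[-1]


def analyze(output):
    """Classify every error line of a DsaStat run into the three inconsistency types."""
    report = {"verdict": None, "sizes_equal": None, "errors": []}
    for line in output.splitlines():
        if m := VALUE_RE.search(line):
            report["errors"].append({"kind": "attribute-value", "attribute": m.group(1),
                                     "dn": plain_dn(m.group(2)), "servers": [m.group(3), m.group(4)]})
        elif m := COUNT_RE.search(line):
            report["errors"].append({"kind": "attribute-count", "dn": plain_dn(m.group(5)),
                                     "counts": {m.group(2): int(m.group(1)), m.group(4): int(m.group(3))}})
        elif m := MISSING_RE.search(line):
            report["errors"].append({"kind": "missing-object", "dn": plain_dn(m.group(2)),
                                     "missing_replies": int(m.group(1))})
        elif m := SIZE_RE.search(line):
            report["sizes_equal"] = m.group(1) == "equal"
        elif m := VERDICT_RE.search(line):
            report["verdict"] = m.group(1)
    return report


if __name__ == "__main__":
    for err in analyze(SAMPLE_RUN)["errors"]:
        print(err["kind"], err["dn"])
```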