Recipe 12.10 Enabling Strict or Loose Replication Consistency

12.10.1 Problem

You want to enable strict or loose replication consistency.

12.10.2 Solution

12.10.2.1 Using a graphical user interface
  1. Run regedit.exe from the command line or Start Run.

  2. Expand HKEY_LOCAL_MACHINE SYSTEM CurrentControlSet Services NTDS Parameters.

  3. If the Strict Replication Consistency value does not exist, right-click on Parameters and select New DWORD Value. For the name, enter Strict Replication Consistency.

  4. In the right pane, double-click on the value and enter 1 to enable strict consistency or 0 to enable loose consistency.

  5. Click OK.

12.10.2.2 Using a command-line interface

To enable strict consistency, run the following command:

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Strict[RETURN]  Replication Consistency" /t REG_DWORD /d 1

To enable loose consistency, run the following command:

> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Strict[RETURN]  Replication Consistency" /t REG_DWORD /d 0
12.10.2.3 Using VBScript
' This code enables strict or loose consistency on the specified DC. ' ------ SCRIPT CONFIGURATION ------ intEnableStrict = 1  ' 1 = strict consistency, 0 = loose consistency strDC = "<DomainControllerName>" ' ------ END CONFIGURATION --------- const HKLM = &H80000002 strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Parameters" set objReg = GetObject("winmgmts:\\" & strDC & _                        "\root\default:StdRegProv") objReg.SetDWORDValue HKLM, strNTDSReg, "Strict Replication Consistency", _                      intEnableStrict WScript.Echo "Strict Replication Consistency value set to " & _              intEnableStrict

12.10.3 Discussion

Up until Windows 2000 Service Pack (SP) 3, domain controllers followed a loose replication consistency model whereby lingering objects could get reinjected into Active Directory and replicate among all the domain controllers. A lingering object is one that was previously deleted, but got reintroduced because a domain controller did not successfully replicate for the duration of the time defined by the tombStoneLifetime attribute or was restored using a backup that was older than the tombStoneLifetime. See Introduction in Chapter 16 for more on the tombStoneLifetime attribute.

Windows 2000 SP2 and earlier domain controllers would replicate the lingering object throughout the naming context. Loose consistency has the potential to cause some security risks since an object you thought was deleted is now back in the forest again.

Some post-SP2 hotfixes and SP3 introduced strict replication consistency. Under strict replication, a domain controller will stop replicating with a destination domain controller when it determines that the source is attempting to replicate a lingering object. Event id 1084 will get logged in the Directory Service event log indicating that it couldn't replicate the lingering object. Although strict replication can halt replication, it is the preferable method and is a good check to ensure lingering objects do not infiltrate your forest. For this reason, you must monitor your domain controllers to ensure they are replicating on a regular basis and do not have any 1084 events.

12.10.4 See Also

See the Introduction in Chapter 16 for more on the tombStoneLifetime attribute, MS KB 317097 (Lingering Objects Prevent Active Directory Replication from Occurring), and MS KB 314282 (Lingering Objects May Remain After You Bring an Out-of-Date Global Catalog Server Back Online)



Active Directory Cookbook
Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
EAN: 2147483647
Year: 2006
Pages: 456

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net