DFS Replication

Gregory H Hall May 13, 2014 at 3:27 UTC [DataGuys is an IT service provider.]: DFS-R only works for file sets that are pretty much static. Otherwise I use Branch Office Cache to get speed.

BEFORE enabling DFS-R sync with robocopy

Follow this guide: https://technet.microsoft.com/en-us/library/dn495044(v=ws.11).aspx
e.g.:
robocopy.exe "\\dimsrv01\c$\fserver" "C:\fserver" /e /b /copyall /r:6 /w:5 /MT:64 /xd DfsrPrivate /tee /log:c:\preseed-dfs.tmp.log

ΣΗΜΑΝΤΙΚΟ: το /e ΔΕΝ ΣΒΗΝΕΙ ΕΞΤΡΑ ΑΡΧΕΙΑ ΑΠΟ ΤΟ destination ενώ το /mir σβήνει

After robocopy check a few random files — you should get the same hash:

dfsrdiag filehash /path:"c:\fserver\x\y\z"
dfsrdiag filehash /path:"\\dimsrv01\c$\fserver\x\y\z"

Tips for normal operation

Viewing backlog using Powershell

(more tips at DFS Replication in Windows Server 2012 R2: If You Only Knew the Power of the Dark Shell)

echo "Queued Kalamata -> Meg/poli" ; Get-DfsrBacklog -GroupName RGfserver  -FolderName * -SourceComputerName dimsrv02 -DestinationComputerName dimsrv01 -verbose | ft FullPathName ; echo "Queued Meg/poli -> Kalamata" ; Get-DfsrBacklog -GroupName RGfserver  -FolderName * -SourceComputerName dimsrv01 -DestinationComputerName dimsrv02 -verbose | ft FullPathName

Queued Kalamata -> Meg/poli
VERBOSE: No backlog for the replicated folder named "fserver"

Queued Meg/poli -> Kalamata
VERBOSE: The replicated folder has a backlog of files. Replicated folder: "fserver". Count: 1

FullPathName
------------
C:\fserver\accounting\DIMITRIOS\ΛΟΓΙΣΤΗΡΙΟ\ΠΑΡΟΥΣΙΕΣ ΔΕΗ\2017\IOYLIOS\10-7-2017.xlsx

To easily find out the largest replication deltas in your domain/forest

REPADMIN /REPLSUM * /BYSRC /BYDEST /SORT:ERROR

To force syncing right now

repadmin /syncall DIMSRV01 /edjQSA; repadmin /syncall DIMSRV02 /edjQSA

When to increase the staging quota

During normal operation, if the event that indicates the staging quota (event ID 4208 in the DFS Replication event log) is over its configured size and is logged multiple times in an hour, increase the staging quota by 20 percent.

Troubleshoot replication

from https://blogs.technet.microsoft.com/askds/2009/07/01/getting-over-replmon/ :

By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon is doing. Except that you did it in one step, not many. And with the benefit of seeing immediate results on how the operations are proceeding. If I am running it on the DC itself, I don’t even have to specify the server name.

What about the situation I showed earlier where one of the DCs was offline for maintenance? In this case I am going to have Repadmin synchronize just the Domain partition, pushing across site boundaries:

Repadmin /syncall /Pe dc_name naming_context

With Repadmin we get a much more specific error:

Those are legitimate errors that are documented and can be researched.

Status Checking

Replmon had the option to generate a status report text file. It could tell you which servers were configured to replicate with each other, if they had any errors, and so on. It was pretty useful actually, and one of the main reasons people liked the tool.

Repadmin.exe offers similar functionality within a few of its command line options. For example, we can get a summary report:

Repadmin /replsummary *

Several DCs have been taken offline. Repadmin shows the correct error of 58 – that the other DCs are not available and cannot tell you their status.

You can also use more verbose commands with Repadmin to see details about which DCs are or are not replicating:

Repadmin /showrepl *

If you want to generate a ‘repadmin status report’ that generates a bunch of useful status information, give this simple batch file a try:

@echo off echo. echo Gathering Report for DCLIST = %1 echo. Echo Report for DCLIST = %1 > replreport.txt echo. >> replreport.txt echo. >> replreport.txt echo Gathering Verbose Replication and Connections echo Verbose Replication and Connections >> replreport.txt echo. >> replreport.txt repadmin /showrepl %1 /all >> replreport.txt echo. >> replreport.txt echo Gathering Bridgeheads echo Bridgeheads >> replreport.txt echo. >> replreport.txt repadmin /bridgeheads %1 /verbose >> replreport.txt echo. >> replreport.txt echo Gathering ISTG echo ISTG >> replreport.txt echo. >> replreport.txt repadmin /istg %1 >> replreport.txt echo. >> replreport.txt echo Gathering DRS Calls echo Outbound DRS Calls >> replreport.txt echo. >> replreport.txt repadmin /showoutcalls %1 >> replreport.txt echo. >> replreport.txt echo Gathering Queue echo Queue >> replreport.txt echo. >> replreport.txt repadmin /queue %1 >> replreport.txt echo. >> replreport.txt echo Gathering KCC Failures echo KCC Failures >> replreport.txt echo. >> replreport.txt repadmin /failcache %1 >> replreport.txt echo. >> replreport.txt echo Gathering Trusts echo Trusts >> replreport.txt echo. >> replreport.txt repadmin /showtrust %1 >> replreport.txt echo. >> replreport.txt echo Gathering Replication Flags echo Replication Flags >> replreport.txt echo. >> replreport.txt repadmin /bind %1 >> replreport.txt echo. >> replreport.txt echo Done.

Copy and paste into notepad, save as a CMD file and run it with a server name, a partial server name with wildcards, or an asterisk. It supports whatever Repadmin supports.

So to get data from one server, like with Replmon:

Replreport.cmd server1

Or to get data from all DC’s (which Replmon cannot do):

Replreport.cmd *

Or to get data from all servers that have names starting with “SANFRAN“:

Replreport.cmd sanfran*

It will output to a text file called replreport.txt. Anything Repadmin can do, you can do in this batch file.

More More More

Repadmin can do even more for monitoring. Such as:

Tell you the last time your DCs were backed up, by reading the DSASignature attribute from all servers:

Repadmin /showbackup *

Or output all replication summary information from all DCs to a CSV format that you can open in a spreadsheet or database. Here I’ve brought my DCs back online and replicated any pending changes. Then I get a replication report:

Repadmin /showrepl * /csv

Or you can see what your replication backlog is currently in the queue, like here:

Repadmin /queue *

Or you can see which changes have not yet replicated from a server, as well as what changes have replicated since the last time the command was run, with /showchanges:

repadmin /showchanges destination_DC source_DSA_GUID domain_DN

(69) add CN=Ned Pyle,CN=Users,DC=adatum,DC=com
1> parentGUID: a90a9633-2682-4896-be86-21220cf24f0c
1> objectGUID: e8f0e0a2-69aa-4e4e-9f74-3db79ad6f3b7
4> objectClass: top; person; organizationalPerson; user
1> sn: Pyle
1> givenName: Ned
1> instanceType: 0x4 = ( WRITE )
1> whenCreated: 6/21/2009 9:05:32 AM Pacific Daylight Time
1> displayName: Ned Pyle
1> nTSecurityDescriptor: O:DAG:DAD:AI
1> name: Ned Pyle
1> userAccountControl: 0x10200 = ( NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD )
1> codePage: 0
1> countryCode: 0
1> pwdLastSet: 6/21/2009 9:05:32 AM Pacific Daylight Time
1> primaryGroupID: 513 = ( GROUP_RID_USERS )
1> objectSid: S-1-5-21-3776065869-1984782319-1196103478-1107
1> accountExpires: (never)
1> sAMAccountName: nedpyle
1> sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT )
1> userPrincipalName: nedpyle@adatum.com
1> objectCategory: <GUID=4ed8da23575bed48b12cd36061257c14>;CN=Person,CN=Schema,CN=Configuration,DC=adatum,DC=com

Neat right? That’s a user I created while the other DC was offline, in the list of pending changes. I snipped out another long list of changes that were also pending. Pretty useful to see if a DC that has not been replicating for a while is worth spending time trying to fix or is better off demoting.

Other Repadmin capabilities

Repadmin has plenty of other secrets you can use for monitoring, administering, and troubleshooting – most of which Replmon cannot do:

• Replicate a single specific object
• View and modify RODC password policies as well as trigger password caching
• Create, modify, and delete replication topology
• Remove lingering objects
• Manipulate Global Catalog partitions
• Set replication registry values
• Export data to Excel-ready text
• Way more cool stuff…

Need to see all the help?

Basic help – Repadmin /?

Help on selecting DCs – Repadmin /listhelp

Advanced command help – Repadmin /experthelp

Help and examples for every parameter- Repadmin /?:Your specific parameter here

Troubleshooting #2

see also this blog post with a lot of tips: http://calienfj.blogspot.gr/2014/06/windows-2012-dfs-replication-and.html

Basic troubleshooting

Step0a) Check for generic domain problems
Run dcdiag IN BOTH SERVERS and check for anything that hasn't PASSED
dcdiag
Step 0b) Run repadmin /showrepl
repadmin /showrepl

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DIMSRV02
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 8a621083-6491-4717-8fc3-560828ccce7b
DSA invocationID: 98eeedbd-26a7-43b3-b19b-d5f400ac5d8d

==== INBOUND NEIGHBORS ======================================

DC=dimopoulos,DC=local
    Default-First-Site-Name\DIMSRV01 via RPC
        DSA object GUID: 97429870-812d-4d79-ad25-b99b6fdd32dc
        Last attempt @ 2017-06-18 18:02:49 was 

successful .

CN=Configuration,DC=dimopoulos,DC=local
Default-First-Site-Name\DIMSRV01 via RPC
DSA object GUID: 97429870-812d-4d79-ad25-b99b6fdd32dc
Last attempt @ 2017-06-18 17:49:54 was successful .

CN=Schema,CN=Configuration,DC=dimopoulos,DC=local
Default-First-Site-Name\DIMSRV01 via RPC
DSA object GUID: 97429870-812d-4d79-ad25-b99b6fdd32dc
Last attempt @ 2017-06-18 17:49:54 was successful .

DC=DomainDnsZones,DC=dimopoulos,DC=local
Default-First-Site-Name\DIMSRV01 via RPCrepadmin /syncall PDC03 /APed
DSA object GUID: 97429870-812d-4d79-ad25-b99b6fdd32dc
Last attempt @ 2017-06-18 17:49:54 was successful .

DC=ForestDnsZones,DC=dimopoulos,DC=local
Default-First-Site-Name\DIMSRV01 via RPC
DSA object GUID: 97429870-812d-4d79-ad25-b99b6fdd32dc
Last attempt @ 2017-06-18 17:49:54 was successful .

step 0c) Test for DNS problems
Note that the /E flag results in all DNS servers to be tested (e.g. both primary and secondary DCs)
DCDIAG /TEST:DNS /V /E /F:c:\dns-test-log.temp.txt
notepad c:\dns-test-log.temp.txt

:: take a good look at the results

Step 0d) Check if you can find the DC for the domain.
NLTEST /DSGETDC:dimopoulos

The command completed successfully

Step1) findout from which DC we get the DFS configuration:
WMIC /namespace:\\root\microsoftdfs path DfsrReplicationGroupConfig get LastChangeSource

LastChangeSource
DIMSRV02.dimopoulos.local

Step 2) replicate the AD config from the other DC
:: This probably(2) replicates everything from DIMSRV01 but there is a long GUI procedure as well that surely does
repadmin /syncall DIMSRV01 /edjQSA [haven't tested this]

:: Following command forces syncing like this: dimsrv02 <---- dimsrv01 [I THINK THIS WORKED] after running it I show the replication settings for fserver appear in DFS Manager
repadmin /replicate /force dimsrv02 dimsrv01 "DC=dimopoulos,DC=local"

Sync from dimsrv01 to dimsrv02 completed successfully.

The command to force replication to start
dfsrdiag syncnow /partner:dimsrv02 /RGName:fserver /Time:60
:: Time:60 means srepadmin /syncall PDC03 /APedyncnow will replicate for 60mins then it's back to normal mode

dfsrdiag syncnow /partner:dimsrv01 /RGName:"Domain System Volume" /Time:60

Operation Succeeded

Other Tests

Get a A.D. Replication Summaryy

repadmin /replsummary
--OR MAYBE BETTER--
REPADMIN /REPLSUM * /BYSRC /BYDEST /SORT:ERROR

Replication Summary Start Time: 2017-06-18 20:12:11
Beginning data collection for replication summary, this may take awhile:

Source DSA          largest delta    fails/total %%   error
 DIMSRV01                  04m:32s    0 /   5    0
 DIMSRV02                  04m:26s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 DIMSRV01                  04m:26s    0 /   5    0
 DIMSRV02                  04m:32s    0 /   5    0

IF ALL ELSE FAILS -- completely erase DFSR state [VERY LOW LEVEL]

1. Stop and disable the DFSR service on <ServerA> server
2. psexec -i -s cmd.exe
3. (in the new cmd.exe) rmdir "c:\System Volume Information\DFSR" /s
   (if it fails create an empty folder named c:\emptyfolder.tmp and run robocopy c:\emptyfolder.tmp "c:\System Volume Information\DFSR" /MIR)
   

8. Enable and re-start the DFSR service on <ServerA> server

Other Links

DFSR best practice for bulk security changes?

[from: https://community.spiceworks.com/topic/489809-dfsr-best-practice-for-bulk-security-changes]

Stop DFS

Do exactly what you said and set the permissions the same on each side. When I say the same I mean Exactly the same.

Open DFS management and raise the Staging Quotas on all the DFS roots to a nice high level. I like at least 32GB when I make bulk changes.

Start DFS-R and restart DFS

Use the Spiceworks plugin to monitor DFS progress.

">http://community.spiceworks.com/scripts/show/1536-dfs-monitor-with-history'>http://community.spiceworks.com/scripts/show/1536-dfs-monitor-with-history

Πως μετέφερα το DFSR από έναν δίσκο σε έναν άλλο και από έναν server σε έναν άλλο

# PHASE 1 Move DFSR synced folder from one drive to another
###################################################################################################

# Deleted DFSR settings related to C:\fserver
#---------------------------------------------

PS C:\Users\Administrator> Remove-DfsrMember -GroupName "RG01" -ComputerName DIMSRV01

   This operation will remove the computer and all of its memberships and connections. Computer: DIMSRV01 Replication
   group: "RG01"
   Are you sure you want to remove this computer from its replication group and all of its memberships and connections?
   [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y

PS C:\Users\Administrator> Remove-DfsReplicatedFolder -GroupName "RG01" -FolderName "RFfserver"

   This operation will remove the replicated folder "RFfserver" and its memberships.
   Are you sure you want to remove this replicated folder and its memberships?
   [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
   PS C:\Users\Administrator> Remove-DfsReplicationGroup -GroupName "RG01"

   This operation will remove the replication group "RG01" and the subscriptions members have to this replication group.
   Are you sure you want to remove this replication group?
   [Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): y
   PS C:\Users\Administrator> Update-DfsrConfigurationFromAD ?ComputerName DIMSRV01 -verbose
   VERBOSE: Performing the operation "Update-DfsrConfigurationFromAD" on target "DIMSRV01".
   VERBOSE: Successfully updated the DFSR Active Directory Domain Service configuration on the computer named DIMSRV01

# Recreated DFSR for K:\fserver
#---------------------------------------------

New-DfsReplicationGroup -GroupName "RGfserver"
New-DfsReplicatedFolder -GroupName "RGfserver" -FolderName "RFfserver"
Add-DfsrMember -GroupName "RGfserver" -ComputerName DIMSRV01
Set-DfsrMembership -GroupName "RGfserver" -FolderName "RFfserver" -ContentPath "K:\fserver" -ComputerName DIMSRV01 -PrimaryMember $True
Update-DfsrConfigurationFromAD –ComputerName DIMSRV01 -verbose



# PHASE 2 use robocopy for fast syncing and then start normal DFSR replication
###################################################################################################


# export DFS-R db
New-Item -Path "K:\Dfsrclone" -Type Directory 
Export-DfsrClone -Volume K: -Path "K:\Dfsrclone"

# monitor (it'll take time)
Get-WinEvent "Dfs replication" MaxEvents 4 | fl 

# pressed with robocopy (initial fast sync)
robocopy K:\fserver \\DIMSRV02\k$\fserver   /E /B /COPYALL /R:6 /W:5 /MT:64 /XD DfsrPrivate /LOG+:K:\preseed.log

# copy exported DFSR db
Robocopy.exe "K:\Dfsrclone" \\DIMSRV02\k$\Dfsrclone /B

# test a few files
Get-DfsrFileHash '\\DIMSRV01\K$\fserver\it-public\*'
Get-DfsrFileHash '\\DIMSRV01\K$\fserver\it-public\drivers\*'
...

# establish normal DFSR replication
Add-DfsrMember -GroupName "RGfserver" -ComputerName DIMSRV02 
Add-DfsrConnection -GroupName "RGfserver" -SourceComputerName DIMSRV01 -DestinationComputerName DIMSRV02 
Set-DfsrMembership -GroupName "RGfserver" -FolderName "RFfserver" -ComputerName DIMSRV02 -ContentPath "K:\RGfserver"  
Update-DfsrConfigurationFromAD DIMSRV01,DIMSRV02

#undo BY DELETING CONNECTION K:\RGfserver on DIMSRV02
#4010

Add-DfsrMember -GroupName "RGfserver" -ComputerName DIMSRV02 
Add-DfsrConnection -GroupName "RGfserver" -SourceComputerName DIMSRV01 -DestinationComputerName DIMSRV02 
Set-DfsrMembership -GroupName "RGfserver" -FolderName "RFfserver" -ComputerName DIMSRV02 -ContentPath "K:\fserver"  

# Wait for the DFSR informational event 4104
#............................................
Get-WinEvent "Dfs replication" -MaxEvents 3 | fl