AD replication question (around metadata)

  • Last Post 11 September 2015
kbatlive posted this 03 September 2015

Had a question from someone about who modified an OU (looks like the OU was renamed). Usually, I'd use repadmin /showmeta on the DN of the object and it would tell me which DC it was changed on and when, so we could go look in the logs and find who made the change. However, in this case, I'm getting inconsistent results, which conflicts with my knowledge of AD and replication. I'm using repadmin /showmeta to get to some of the details, shown below (partially, from just 3 DCs). What I'm seeing in the output is that the attribute "ou" has an Org.Time/Date that is different on some DCs that I query, but on some DCs it is the same. DCDIAG is not showing any issues on the DCs I've checked and repadmin /replsummary is not showing any AD replication issues across the forest. At first I thought it was an attribute that doesn't replicate (like 'lastlogon', although the schema shows 'isMemberOfPartialAttributeSet' is true for 'ou' but not 'lastlogon'). And the version shown in the repadmin /metadata output is interesting: we did an authoritative AD restore many years ago, hence the "ver" is 100,000 higher, but why isn't it higher on 'ou' and 'objectClass' (objectClass I could kind of understand, as the class didn't change)? Could that be part of the problem? Thanks in advance!
Ken

C:\>dsquery * -scope base "OU=X,OU=Y,DC=A,DC=B" -attr whencreated whenchanged -s differentdcname
  whencreated            whenchanged
  06/11/2001 04:29:53    08/29/2013 18:29:35

Note: the above 'whenchanged' is different on different DCs; here is a sample from some DCs (most DCs are showing the 'whenchanged' to be 1/24/12). My basic (perhaps incorrect) understanding of 'whenchanged' is that it is when the AD object replicated onto that DC?

  whencreated            whenchanged
  06/11/2001 04:29:53    11/11/2013 19:58:04

  whencreated            whenchanged
  06/11/2001 04:29:53    01/24/2012 14:28:44

  whencreated            whenchanged
  06/11/2001 04:29:53    10/28/2013 22:02:36

This is the partial output (last few columns) of the repadmin /showmeta command below from a couple of DCs. Note that output #1 is different than #2 and #3 for the "ou" attribute. (The lines below read much better with a fixed-width font like Courier!)

repadmin /showmeta "OU=X,OU=Y,DC=A,DC=B" dcname

Output #1:

Org.USN  Org.Time/Date        Ver    Attribute
=======  =============        ===    =========
 2092255 2001-06-10 23:29:53      1 objectClass
   26130 2013-11-11 13:58:04      1 ou
11061101 2002-12-10 13:10:26 100001 description
11061101 2002-12-10 13:10:26 100001 instanceType
11061101 2002-12-10 13:10:26 100001 whenCreated
11061101 2002-12-10 13:10:26 100000 isDeleted
12257082 2011-02-23 09:03:59 100005 nTSecurityDescriptor
11061101 2002-12-10 13:10:26 100007 name
11061101 2002-12-10 13:10:26 100001 managedBy
11061101 2002-12-10 13:10:26 100001 objectCategory
17384992 2012-01-24 08:06:18 100111 gPLink
 8086948 2010-08-09 11:31:53 100007 gPOptions

Output #2:

Org.USN  Org.Time/Date        Ver    Attribute
=======  =============        ===    =========
 2092255 2001-06-10 23:29:53      1 objectClass
   25347 2009-07-30 11:59:34      1 ou
11061101 2002-12-10 13:10:26 100001 description
11061101 2002-12-10 13:10:26 100001 instanceType
11061101 2002-12-10 13:10:26 100001 whenCreated
11061101 2002-12-10 13:10:26 100000 isDeleted
12257082 2011-02-23 09:03:59 100005 nTSecurityDescriptor
11061101 2002-12-10 13:10:26 100007 name
11061101 2002-12-10 13:10:26 100001 managedBy
11061101 2002-12-10 13:10:26 100001 objectCategory
17384992 2012-01-24 08:06:18 100111 gPLink
 8086948 2010-08-09 11:31:53 100007 gPOptions

Output #3:

Org.USN  Org.Time/Date        Ver    Attribute
=======  =============        ===    =========
 2092255 2001-06-10 23:29:53      1 objectClass
   25347 2009-07-30 12:02:44      1 ou
11061101 2002-12-10 13:10:26 100001 description
11061101 2002-12-10 13:10:26 100001 instanceType
11061101 2002-12-10 13:10:26 100001 whenCreated
11061101 2002-12-10 13:10:26 100000 isDeleted
12257082 2011-02-23 09:03:59 100005 nTSecurityDescriptor
11061101 2002-12-10 13:10:26 100007 name
11061101 2002-12-10 13:10:26 100001 managedBy
11061101 2002-12-10 13:10:26 100001 objectCategory
17384992 2012-01-24 08:06:18 100111 gPLink
 8086948 2010-08-09 11:31:53 100007 gPOptions

GuyTe posted this 10 September 2015

Naming attributes (cn/ou/dc) are a bit special. Here is an example:

C:\>repadmin /showobjmeta F04D01DC01 "CN=krbtgt,CN=Users,DC=f04d01,DC=lab" | findstr cn
  12320        Default-First-Site-Name\F04D01DC01     12320 2015-05-17 08:01:23    1 cn

This is the first DC in the domain and the metadata is related to the creation of the object in the database.

C:\>repadmin /showobjmeta F04D01DC02 "CN=krbtgt,CN=Users,DC=f04d01,DC=lab" | findstr cn
   8043      08ff8b03-5504-4db9-86dc-6ea65fbe6b85      8043 2015-05-17 08:53:37    1 cn

This is the second DC in the domain and the metadata is of the time the DC replicated the object in (the object was created in the local dit).

The invocationId is not resolved because the DC had its invocationId changed (was restored from backup):

C:\>repadmin /showutdvec localhost DC=f04d01,DC=lab
Caching GUIDs.
..
Default-First-Site-Name\F04D01DC02 (retired) @ USN     28675 @ Time 2015-07-15 09:30:32
Default-First-Site-Name\F04D01DC02   @ USN    427700 @ Time 2015-09-10 04:45:48
Default-First-Site-Name\F04D01DC01   @ USN    233773 @ Time 2015-09-10 04:42:51
Default-First-Site-Name\F04D01DC03   @ USN    291313 @ Time 2015-09-10 04:50:52

C:\>repadmin /showutdvec localhost DC=f04d01,DC=lab /nocache
08ff8b03-5504-4db9-86dc-6ea65fbe6b85 @ USN     28675 @ Time 2015-07-15 09:30:32
4dad688a-9e90-4902-9866-a5de6d5b1aec @ USN    427700 @ Time 2015-09-10 04:45:48
68e6b1ca-2158-4193-b9e4-6b389c020608 @ USN    233773 @ Time 2015-09-10 04:42:51
b2e1caa2-ff9b-44da-a3f4-8dfcf8237d70 @ USN    291313 @ Time 2015-09-10 04:50:58

C:\>repadmin /showobjmeta F04D01DC03 "CN=krbtgt,CN=Users,DC=f04d01,DC=lab" | findstr cn
   8078        Default-First-Site-Name\F04D01DC03      8078 2015-05-25 12:02:06    1 cn

This is the 3rd DC in the domain and the metadata is of the time the DC was DCPROMO-ed.

Bottom line, the metadata on the naming attribute will have the DC itself (or one of the previous invocationIds the DC owned) and the time will be the time when the object was created in the dit.

whenChanged of an object is calculated (derived from whenChanged of the list of the attributes), and because you have the naming attributes having different metadata, it might vary on different DCs.

 

Cheers,

Guy
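As an added example that is not part of the original thread (neither poster supplied code), the Python script below automates the comparison both posts above do by eye. It parses the fixed-width rows that repadmin prints, either the full /showobjmeta form with Loc.USN and Originating DSA or the trailing four columns as pasted in the question, reports which attributes carry different originating metadata on different DCs, and treats only the RDN attribute of the object's DN (ou here, cn for krbtgt) as expected to differ, following Guy's explanation that each DC stamps it when the object is created in its own DIT. The replicated `name` attribute, which changes when an object is renamed, is used as the record of where and when the last rename originated. The labels DC1..DC3 and the trimmed row set are constructed from the three outputs in the question; the thread itself names no DCs.

```python
"""Compare repadmin replication metadata for one AD object across several DCs.

Added example, not code from the original thread. Parses the fixed-width rows
that `repadmin /showobjmeta` (or the older `/showmeta`) prints and separates
the RDN attribute (ou/cn/dc), which every DC stamps locally, from attributes
whose originating metadata replicates and therefore must agree on all DCs.
"""
import re
from datetime import datetime

# One metadata row, in either of two shapes:
#   Loc.USN  Originating DSA   Org.USN  Org.Time/Date        Ver  Attribute   (full)
#                              Org.USN  Org.Time/Date        Ver  Attribute   (last four columns)
ROW = re.compile(
    r"^(?:\s*(\d+)\s+(\S+)\s+)?"                 # optional Loc.USN + Originating DSA
    r"\s*(\d+)\s+"                               # Org.USN
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"  # Org.Time/Date
    r"(\d+)\s+"                                  # Ver
    r"(\S+)\s*$"                                 # Attribute
)

# Constructed sample: the three partial outputs from the question, trimmed to a
# few rows and given hypothetical labels DC1..DC3 (the thread names no DCs).
_ROWS_COMMON = """\
 2092255 2001-06-10 23:29:53      1 objectClass
11061101 2002-12-10 13:10:26 100001 description
11061101 2002-12-10 13:10:26 100007 name
17384992 2012-01-24 08:06:18 100111 gPLink
 8086948 2010-08-09 11:31:53 100007 gPOptions
6 entries.
"""
_HEADER = "Org.USN  Org.Time/Date        Ver    Attribute\n=======  =============        ===    =========\n"
SAMPLE = {
    "DC1": _HEADER + "   26130 2013-11-11 13:58:04      1 ou\n" + _ROWS_COMMON,
    "DC2": _HEADER + "   25347 2009-07-30 11:59:34      1 ou\n" + _ROWS_COMMON,
    "DC3": _HEADER + "   25347 2009-07-30 12:02:44      1 ou\n" + _ROWS_COMMON,
}


def parse_showmeta(text):
    """Return {attribute: {"usn", "time", "ver", "dsa"}} for one DC's output.

    Header, ruler, blank and 'N entries.' lines do not match ROW and are skipped.
    'dsa' is None when the pasted output lacks the Originating DSA column.
    """
    meta = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _loc_usn, dsa, usn, ts, ver, attr = m.groups()
        meta[attr] = {
            "usn": int(usn),
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "ver": int(ver),
            "dsa": dsa,
        }
    return meta


def rdn_attribute(dn):
    """Attribute type of the leading RDN: 'ou' for 'OU=X,OU=Y,DC=A,DC=B'."""
    return dn.split(",", 1)[0].split("=", 1)[0].strip().lower()


def compare_dcs(outputs, dn):
    """outputs: {dc_label: repadmin text}. Returns (divergent, suspicious).

    divergent:  {attr: {dc: (org_usn, org_time, ver) or None}} for attributes
                whose originating stamp differs between DCs or is missing on some.
    suspicious: divergent minus the RDN attribute, i.e. what would point at a
                real replication problem rather than the expected local stamp.
    """
    parsed = {dc: parse_showmeta(text) for dc, text in outputs.items()}
    attrs = set().union(*(m.keys() for m in parsed.values()))
    divergent = {}
    for attr in sorted(attrs):
        stamps = {
            dc: (m[attr]["usn"], m[attr]["time"], m[attr]["ver"]) if attr in m else None
            for dc, m in parsed.items()
        }
        if len(set(stamps.values())) > 1:
            divergent[attr] = stamps
    rdn = rdn_attribute(dn)
    suspicious = {a: s for a, s in divergent.items() if a.lower() != rdn}
    return divergent, suspicious


def rename_evidence(outputs):
    """(dsa, time, ver) of the last originating change to `name`, the replicated
    RDN value that changes on rename, if every DC agrees; None if they do not
    (in which case that disagreement is itself the finding)."""
    stamps = set()
    for text in outputs.values():
        m = parse_showmeta(text).get("name")
        if m is None:
            return None
        stamps.add((m["dsa"], m["time"], m["ver"]))
    return stamps.pop() if len(stamps) == 1 else None


if __name__ == "__main__":
    divergent, suspicious = compare_dcs(SAMPLE, "OU=X,OU=Y,DC=A,DC=B")
    for attr, stamps in divergent.items():
        print(f"{attr}: originating metadata differs across DCs")
        for dc, stamp in stamps.items():
            print(f"  {dc}: {stamp}")
    print("attributes pointing at a real replication problem:", sorted(suspicious) or "none")
    print("last originating change of `name`:", rename_evidence(SAMPLE))
```

Collect the outputs by running repadmin against each DC from one admin host: repadmin prints Org.Time/Date in the local time zone of the machine it runs on, so outputs gathered from hosts in different zones would look divergent when they are not. On the thread's data the script lists only `ou` as divergent and an empty `suspicious` set, which is the healthy state Guy describes; any other attribute landing in `suspicious` is the one to chase with dcdiag and /replsummary.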


kbatlive posted this 11 September 2015

Thank you. So that is normal for those attributes. I'll have to re-read this after a little more tea when I am fully awake... I've read it twice and it is slowly sinking in! :)
