Replication is controlled by the Options attribute on the NTDS Settings object as shown in the following table. The Options attribute value is found in ADSIEdit by browsing to Configuration -> Sites -> <Site Name> -> Servers - <Server Name> -> NTDS Settings.
| RepAdmin Option | NTDS Settings/Options attribute value |
| Enable Inbound and Outbound | 1 |
| Enable Inbound, Disable Outbound | 5 |
| Enable Outbound, Disable Inbound | 3 |
| Disable Inbound and Outbound | 7 |
Using RepAdmin /Options
Repadmin /options <dcname> <+/-> <DISABLE_INBOUND_REPL/DISABLE_OUTBOUND_REPL>
Here is what it looks like when you disable or enable replication via RepAdmin using the /Options switch. Note that the minus (-) character in front of the option indicates a negative disable or enable. To disable these values, use the plus (+) sign: +DISABLE_INBOUND_REPLICATION, for example.
To enable both inbound and outbound replication:
C:\>repadmin /options wtec-dc1
Current DC Options: IS_GC
To enable only outbound replication:
C:\>repadmin /options wtec-dc1 -disable_outbound_repl
Current DC Options: IS_GC DISABLE_OUTBOUND_REPL
New DC Options: IS_GC
To disable only inbound replication:
C:\>repadmin /options wtec-dc1 +disable_inbound_repl
Current DC Options: IS_GC
New DC Options: IS_GC DISABLE_INBOUND_REPL
To disable inbound and outbound replication:
C:\>repadmin /options wtec-dc1 +disable_outbound_repl +disable_inbound_repl
Current DC Options: IS_GC
New DC Options: IS_GC DISABLE_INBOUND_REPL DISABLE_OUTBOUND_REPL
repadmin /Options * is a good command that produces a quick report to determine if any other DCs have replication purposely disabled.
CAUTION: These commands remain in effect until changed. That is, if you turn on the Disable inbound repl feature, it will remain on (i.e., inbound replication is disabled) until you enable it again using the –disable_inbound_repl command).
There are several reasons why you would want to do this:
- If a report such as RepAdmin / replsum / bysrc / bydest / sort:delta shows that replication has not happened in the past 60 days (tombstone lifetime). Then you would want to disable outbound replication. Of course, if you have strict replication enabled you will be OK, but it's better to be safe than sorry in this instance. The RepAdmin command is quick and easy. Note that in this case there is really no need to disable inbound replication since the danger is in replicating outbound. Still, I suggest that you play it safe and do both until you determine the existence of lingering objects.
- If you suspect corruption or issues with a domain controller that you don't want replicated, this command is an easy way to prevent replication from that source. Remember, you can remotely execute RepAdmin. And the DCList option in RepAdmin can be used to specify a single DC, or an asterisk (*) can be used to specify all DCs.
- For Authoritative Restore: Authoritative restoration is used to move the Active Directory back in time by taking a single system state backup from an earlier date, stopping replication on a DC, then restoring the backup using NTDSUtil's Authoritative Restore feature. When it boots into normal mode and replication is enabled (using RepAdmin), this copy of the Active Directory is pushed out as authoritative and all DCs get a copy. Since you typically want to at least disable inbound replication before starting this -- and then enable it again -- it's easy to forget after the restore that you need to re-enable replication.
- Lag Sites can be another cause for replication failure. Lag sites are scheduled to replicate only once or twice per week to provide a sort of online backup for a quick authoritative restore. In case of a disaster recovery situation, such as deleting an OU, it's important to disable replication on the lag site DC(s). Some prefer to simply keep replication disabled on the lag DC(s) and manually re-enable it when they want replication. Again, it's easy to forget that it was purposely disabled.
-------------- End of Document -----------------
Tags: Active Directory, Windows Server 2000, Windows Server 2003
Published Date: 20071003
