Force Replication Between Two Domain Controllers in Active Directory
Imagine having only one door to your home. No windows, no patio door, just one door. What happens if you can’t open that door? The house, and everything in it, is useless to you.
A domain controller is like a door, in a sense. One with a bouncer at it. It’s the gateway to get inside to the things you want. Active Directory (AD) is the bouncer at the door. It checks your credentials, determines if you are allowed to go through the door, and what resources you can access once inside.
If you’re running a network of any kind and only have one domain controller, you’re living in a house with one door. If something happens to that domain controller, your whole system of servers falls apart. Always have more than one domain controller (DC).
But how do you make sure that both domain controllers have the same information? Let’s say you made a security-related change on one DC. You want to make sure that change is replicated on your other DCs immediately. Why wait 15 minutes or more for it to happen by schedule? You need to force replication of the domain controllers in Active Directory.
There are 3 ways to approach this: through the graphical user interface (GUI), through the command-line interface (CLI), or via PowerShell.
Force Replication Of Domain Controller Through GUI
Windows servers make use of GUIs a lot, which is good for novice Systems Administrators. It’s easier to learn and sometimes helps you visualize what’s really happening.
- Log in to one of your DCs and open Active Directory Sites and Services.
- Navigate to the site for which you’d like to replicate the domain controllers. Expand it by clicking the arrowhead next to the site name. Expand the Servers. Expand the DC which you’d like to replicate. Click on NTDS Settings.
- In the right pane, right-click on the server and select Replicate Now.
- Depending on how many DCs there are, this could take less than a second to a few minutes. When it is complete, you’ll see the notification “Active Directory Domain Services has replicated the connections.” Click OK to finish.
Force Replication of Domain Controllers Through CLI Command
If you’re familiar with the good old Windows CMD, then the repadmin command is for you. This is the quickest one-off way to force DC replication. If you’re not familiar, then this is a good time to learn about Windows CMD.
- Log in to one of your DCs and open the Command Prompt.
- Enter the following command, and then press the Enter key.
repadmin /syncall /AdeP
- A litany of information will scroll up the screen. If the last line reads “SyncAll terminated with no errors.” and the command prompt appears underneath it, your DCs have replicated successfully.
Force Domain Controller Replication With PowerShell
If you’re not using PowerShell in your daily life, you’re missing out. You really owe it to yourself to learn PowerShell. It will make your life easier, and if you’re a Junior Systems Administrator it will massively help take your career to the next step.
These steps can be done in the ordinary PowerShell CLI, but we’ve done it in the PowerShell ISE to better show the commands and their results. We’re going to build a script that you can save or even turn into a cmdlet that you can call from the PowerShell command line.
- Log in to one of your DCs and open PowerShell or PowerShell ISE.
- Before writing any script, save it with a descriptive name like force-DCReplication.ps1 so you can reuse it more easily. Enter the following code and run it to see how it gets the names of all your DCs.
(Get-ADDomainController -Filter *).Name
See how it returns the names of the DCs? Now you can pipe that result into the next cmdlet. A pipe is the vertical line character ( | ), which is usually found on the keyboard just above the Enter key.
- At the end of the previous command, enter the following code:
| Foreach-Object { repadmin /syncall $_ (Get-ADDomain).DistinguishedName /AdeP }
The command should look like it does in the image below. Run it. It should return a message just like the one back in the Force Replication Of Domain Controller Through GUI section above. If it ends with “SyncAll terminated with no errors.”, then it worked.
Did you see how it also uses the repadmin command?
- Let’s add another line to help you make sure that the replication really did complete. The following code will return the date and time of when each of your DCs was last replicated. This command could be used on its own at another time if you’re just curious when your DCs last replicated. Enter the code and run it.
Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain | Select-Object Server, LastReplicationSuccess
The result should resemble the image below. You’ll see at the bottom the exact date and time the replication last took place.
- To put some polish on this script, let’s make its output a little less verbose. Near the end of the first line, enter | Out-Null between the /AdeP and the closing brace. That tells it not to emit the results of that cmdlet. The end result will look like the following image.
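As an added example (not the article's own script), here is the repadmin one-liner from the CLI section and the PowerShell steps above assembled into one force-DCReplication.ps1 that pushes replication from every DC, checks each repadmin run for the "SyncAll terminated with no errors" line, and then flags any partner whose last success is older than a cutoff or whose last attempt returned an error. It assumes the ActiveDirectory module and repadmin.exe are available (RSAT or a DC), an English-locale repadmin, and a 15-minute cutoff chosen for this example.

```powershell
# force-DCReplication.ps1 (added example; assumes RSAT / a DC with repadmin.exe)
Import-Module ActiveDirectory

$domain  = Get-ADDomain
$dcs     = (Get-ADDomainController -Filter *).Name
$failed  = @()

foreach ($dc in $dcs) {
    # /A all partitions, /d identify servers by DN, /e cross-site, /P push from $dc
    $text = (& repadmin /syncall $dc $domain.DistinguishedName /AdeP | Out-String)

    # Assumption: English repadmin output. A non-zero exit code is also a failure.
    $ok = ($LASTEXITCODE -eq 0) -and ($text -match 'SyncAll terminated with no errors')
    if ($ok) {
        Write-Host "Replication pushed from $dc"
    } else {
        $failed += $dc
        Write-Warning "repadmin /syncall reported a problem on $dc"
        # Surface only the lines that explain the failure instead of the whole litany
        ($text -split "`r?`n") | Where-Object { $_ -match 'error|fail' } |
            ForEach-Object { Write-Warning "  $_" }
    }
}

# Verify with per-partner metadata rather than trusting repadmin's summary alone.
# Cutoff of 15 minutes is an assumption for this example (the default intra-site schedule
# the article mentions); tune it to your topology.
$cutoff = (Get-Date).AddMinutes(-15)
$meta   = Get-ADReplicationPartnerMetadata -Target $domain.DNSRoot -Scope Domain

$meta | Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult |
    Format-Table -AutoSize

# LastReplicationResult is 0 on success; anything else is a Win32 error code worth a look
$stale = $meta | Where-Object {
    $_.LastReplicationSuccess -lt $cutoff -or $_.LastReplicationResult -ne 0
}

if ($failed.Count -eq 0 -and -not $stale) {
    Write-Host "All $($dcs.Count) DCs replicated successfully after $cutoff"
} else {
    foreach ($s in $stale) {
        Write-Warning ("{0} <- {1}: last success {2}, result {3}" -f
            $s.Server, $s.Partner, $s.LastReplicationSuccess, $s.LastReplicationResult)
    }
    exit 1   # non-zero so a scheduled task or monitoring job can see the failure
}
```

Run it elevated on a DC (or a management host with RSAT) after making a security-relevant change; the non-zero exit lets you wire it into a scheduled task or a monitoring check instead of reading the screen.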
Keep’em Replicated
Now you know 3 ways to force replication of domain controllers in AD. You’ve also put together a reusable PowerShell script that you can call from the PowerShell command-line whenever you want. There’s no excuse for your latest DC changes to sit and wait for the next scheduled replication, whenever that may be.