How to compare Active Directory on 2 Domain Controllers

active-directorydomain-controller

Our Windows domain has 3 DCs. One of the DCs is replicating changes made on the other DCs but not replicating out any changes made on itself.

We have no idea which has the most up-to-date AD so we want to compare the other 2 with the 1 that isn't working.

Is it possible to export the properties on every object (OU, CN, User, Group etc.) so that I can compare them? Maybe to an xml file?

Maybe there is a PowerShell or vbScript that will do this?

Best Answer

It sounds like your plan is to determine what DC has the latest changes, and then make them on another DC?

No no no no no.

This will backfire. AD doesn't replicate by what changes are consistent with each other, it replicates by latest serial number. What you need to do is fix replication. Depending on your version of Windows (you didn't tell us; it would be helpful), you can use REPLMON or REPADMIN to determine what is failing, and probably why. Edit- cheekaleak is correct: DCDIAG is also useful for finding replication and other errors in your DCs.

Related Solutions

Ldap – Monitor Active Directory modified users/groups

You can do most of this with powershell and LDIF - the snippet below for example will produce a file called ad.txt that has a list of user objects changed or added in the last ten minutes

$DateString = (Get-Date).AddMinutes(-10).ToString("u") -Replace "-|:|\s"
$DateString = $DateString -Replace "Z", ".0Z"
$LdapFilter = """" + "(&(|(whenChanged>=" + $DateString + ")(whenCreated>=" + $DateString + "))(objectClass=user))" + """" 
$lCmd = "ldifde -f ad.txt -r " + $LdapFilter + " -l ""dn,whenCreated,whenChanged"""
Invoke-Expression $lCmd

Active directory member servers cannot locate domain controller

I'd start looking at DNS. This really smells like DNS to me.

Does it look like things are missing from the _msdcs.domain.com forward-lookup zone?

If you run a nslookup -type=SRV _kerberos._tcp.dc._msdcs.domain.com what are you getting back for output?

Sniff the traffic on either the DCs or the member servers when you're running your failing diagnostic commands and post the output here if the problem isn't glaringly obvious. The NLTEST /DCLIST:domain.com command, for example, should cause the client to emit some DNS looking for an LDAP server in its site, followed by a couple of RPC binds.

Best Answer

Related Solutions

Ldap – Monitor Active Directory modified users/groups

Active directory member servers cannot locate domain controller

Related Topic