Enabling Strict or Loose Replication Consistency

Problem

You want to enable strict or loose replication consistency.

Solution

Using a graphical user interface
  1. Run regedit.exe from the command line or Start Run.

  2. Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

  3. If the Strict Replication Consistency value does not exist, right-click on Parameters and select New DWORD Value. For the name, enter Strict Replication Consistency.

  4. In the right pane, double-click on the value and enter 1 to enable strict consistency or 0 to enable loose consistency.

  5. Click OK.

Using a command-line interface

To enable strict consistency, run the following command:

	> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Strict Replication Consistency" /t REG_DWORD /d 1

To enable loose consistency, run the following command:

	> reg add HKLM\System\CurrentControlSet\Services\NTDS\Parameters /v "Strict Replication Consistency" /t REG_DWORD /d 0

Using VBScript

	' This code enables strict or loose consistency on the specified DC.
	' ------ SCRIPT CONFIGURATION -----
	intEnableStrict = 1 ' 1 = strict consistency, 0 = loose consistency
	strDC = "<DomainControllerName>"
	' ------ END CONFIGURATION --------

	' HKEY_LOCAL_MACHINE hive constant used by the WMI StdRegProv class
	const HKLM = &H80000002
	strNTDSReg = "SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
	' Bind to the WMI registry provider on the target DC
	set objReg = GetObject("winmgmts:\\" & strDC & _
	                       "\root\default:StdRegProv")
	' Create or overwrite the REG_DWORD value under the NTDS Parameters key
	objReg.SetDWORDValue HKLM, strNTDSReg, "Strict Replication Consistency", _
	                     intEnableStrict
	WScript.Echo "Strict Replication Consistency value set to " & _
	             intEnableStrict

Discussion

Up until Windows 2000 Service Pack 3, domain controllers followed a loose replication consistency model whereby lingering objects could get reinjected into Active Directory and replicate among all the domain controllers. A lingering object is one that was previously deleted, but got reintroduced because a domain controller did not successfully replicate for the duration of the time defined by the tombStoneLifetime attribute, or because the object was restored using a backup that was older than the tombStoneLifetime. See the "Introduction" of Chapter 17 for more on the tombStoneLifetime attribute. Windows 2000 SP2 and earlier domain controllers would replicate the lingering object throughout the naming context. Loose consistency thus has the potential to cause some security risks since an object you thought was deleted is now back in the forest again.

Some post-SP2 hotfixes and SP3 introduced strict replication consistency. Under strict replication, a destination domain controller stops inbound replication from a source domain controller when it determines that the source is attempting to replicate a lingering object. Event ID 1084 is logged in the Directory Service event log, indicating that the lingering object could not be replicated. Although strict replication can halt replication, it is the preferable method and is a good check to ensure lingering objects do not infiltrate your forest. For this reason, you must monitor your domain controllers to ensure they are replicating on a regular basis and that they do not have any 1084 events.
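The monitoring the paragraph above calls for can be scripted. The following PowerShell is an added example, not part of the cookbook recipe: it reads the Strict Replication Consistency value on every DC in the domain and counts recent Event ID 1084 entries in the Directory Service log. It assumes the ActiveDirectory module is installed, WinRM is reachable on each DC, and the account running it has administrative rights there; the seven-day lookback is an arbitrary choice.

```powershell
# Added example (not from the cookbook): audit replication consistency mode and
# lingering-object (Event ID 1084) activity across all domain controllers.
# Assumes: ActiveDirectory module, WinRM access to each DC, DC admin rights.
Import-Module ActiveDirectory

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Strict Replication Consistency'
$lookback  = (Get-Date).AddDays(-7)   # assumed window for 1084 event search

$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ArgumentList $regPath, $valueName, $lookback -ScriptBlock {
    param($regPath, $valueName, $lookback)

    # A missing value means the DC is running with its build's default behaviour
    $value = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
    $mode = if ($null -eq $value) { 'NotSet' }
            elseif ($value -eq 1)  { 'Strict' }
            else                   { 'Loose' }

    # Event ID 1084 in the Directory Service log = replication of a lingering object was refused
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1084; StartTime = $lookback
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC          = $env:COMPUTERNAME
        Consistency = $mode
        Events1084  = @($events).Count
    }
}

$report | Sort-Object DC | Format-Table DC, Consistency, Events1084 -AutoSize

# Anything not strict, or with recent 1084 events, needs an administrator's attention
$report | Where-Object { $_.Consistency -ne 'Strict' -or $_.Events1084 -gt 0 } |
    ForEach-Object { Write-Warning "$($_.DC): consistency=$($_.Consistency), 1084 events=$($_.Events1084)" }
```

A DC reporting 1084 events has refused replication from a source holding lingering objects; that source is the one to clean up, and the affected DCs should be checked to confirm replication has resumed.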

See Also

The "Introduction" of Chapter 17 for more on the tombStoneLifetime attribute, MS KB 317097 (Lingering Objects Prevent Active Directory Replication from Occurring), and MS KB 314282 (Lingering Objects May Remain After You Bring an Out-of-Date Global Catalog Server Back Online)