ADDUSERS Add or list users to/from a CSV file
ARP Address Resolution Protocol
ASSOC Change file extension associations
ASSOCIAT One step file association
AT Schedule a command to run at a later time
ATTRIB Change file attributes

BOOTCFG Edit Windows boot settings
BROWSTAT Get domain, browser and PDC info

CACLS Change file permissions

CALL Call one batch program from another
CD Change Directory – move to a specific Folder
CHANGE Change Terminal Server Session properties
CHKDSK Check Disk – check and repair disk problems
CHKNTFS Check the NTFS file system
CHOICE Accept keyboard input to a batch file
CIPHER Encrypt or Decrypt files/folders
CleanMgr Automated cleanup of Temp files, recycle bin
CLEARMEM Clear memory leaks
CLIP Copy STDIN to the Windows clipboard.
CLS Clear the screen
CLUSTER Windows Clustering
CMD Start a new CMD shell
COLOR Change colors of the CMD window
COMP Compare the contents of two files or sets of files
COMPACT Compress files or folders on an NTFS partition
COMPRESS Compress individual files on an NTFS partition
CON2PRT Connect or disconnect a Printer
CONVERT Convert a FAT drive to NTFS.
COPY Copy one or more files to another location
CSVDE Import or Export Active Directory data

DATE Display or set the date
Dcomcnfg DCOM Configuration Utility
DEFRAG Defragment hard drive
DEL Delete one or more files
DELPROF Delete NT user profiles
DELTREE Delete a folder and all subfolders
DevCon Device Manager Command Line Utility
DIR Display a list of files and folders
DIRUSE Display disk usage
DISKCOMP Compare the contents of two floppy disks
DISKCOPY Copy the contents of one floppy disk to another
DNSSTAT DNS Statistics
DOSKEY Edit command line, recall commands, and create macros
DSADD Add user (computer, group..) to active directory
DSQUERY List items in active directory
DSMOD Modify user (computer, group..) in active directory

ECHO Display message on screen
ENDLOCAL End localisation of environment changes in a batch file
ERASE Delete one or more files
EXIT Quit the CMD shell
EXPAND Uncompress files
EXTRACT Uncompress CAB files

FC Compare two files
FDISK Disk Format and partition
FIND Search for a text string in a file
FINDSTR Search for strings in files
FOR /F Loop command: against a set of files
FOR /F Loop command: against the results of another command
FOR Loop command: all options Files, Directory, List
FORFILES Batch process multiple files
FORMAT Format a disk
FREEDISK Check free disk space (in bytes)
FSUTIL File and Volume utilities
FTP File Transfer Protocol
FTYPE Display or modify file types used in file extension associations

GLOBAL Display membership of global groups
GOTO Direct a batch program to jump to a labelled line

HELP Online Help
HFNETCHK Network Security Hotfix Checker

IF Conditionally perform a command
IFMEMBER Is the current user in an NT Workgroup
IPCONFIG Configure IP

KILL Remove a program from memory

LABEL Edit a disk label
LOCAL Display membership of local groups
LOGEVENT Write text to the NT event viewer.
LOGOFF Log a user off
LOGTIME Log the date and time in a file

MAPISEND Send email from the command line
MEM Display memory usage
MD Create new folders
MODE Configure a system device
MORE Display output, one screen at a time
MOUNTVOL Manage a volume mount point
MOVE Move files from one folder to another
MOVEUSER Move a user from one domain to another
MSG Send a message
MSIEXEC Microsoft Windows Installer
MSINFO Windows NT diagnostics
MSTSC Terminal Server Connection (Remote Desktop Protocol)
MUNGE Find and Replace text within file(s)
MV Copy in-use files

NET Manage network resources
NETDOM Domain Manager
NETSH Configure network protocols
NETSVC Command-line Service Controller
NBTSTAT Display networking statistics (NetBIOS over TCP/IP)
NETSTAT Display networking statistics (TCP/IP)
NOW Display the current Date and Time
NSLOOKUP Name server lookup
NTBACKUP Backup folders to tape
NTRIGHTS Edit user account rights

PATH Display or set a search path for executable files
PATHPING Trace route plus network latency and packet loss
PAUSE Suspend processing of a batch file and display a message
PERMS Show permissions for a user
PERFMON Performance Monitor
PING Test a network connection
POPD Restore the previous value of the current directory saved by PUSHD
PORTQRY Display the status of ports and services
PRINT Print a text file
PRNCNFG Display, configure or rename a printer
PRNMNGR Add, delete, list printers set the default printer
PROMPT Change the command prompt
PsExec Execute process remotely
PsFile Show files opened remotely
PsGetSid Display the SID of a computer or a user
PsInfo List information about a system
PsKill Kill processes by name or process ID
PsList List detailed information about processes
PsLoggedOn Who’s logged on (locally or via resource sharing)
PsLogList Event log records
PsPasswd Change account password
PsService View and control services
PsShutdown Shutdown or reboot a computer
PsSuspend Suspend processes
PUSHD Save and then change the current directory

QGREP Search file(s) for lines that match a given pattern.

RASDIAL Manage RAS connections
RASPHONE Manage RAS connections
RECOVER Recover a damaged file from a defective disk.
REG Read, Set or Delete registry keys and values
REGEDIT Import or export registry settings
REGSVR32 Register or unregister a DLL
REGINI Change Registry Permissions
REM Record comments (remarks) in a batch file
REN Rename a file or files.
REPLACE Replace or update one file with another
RD Delete folder(s)
RDISK Create a Recovery Disk
RMTSHARE Share a folder or a printer
ROBOCOPY Robust File and Folder Copy
ROUTE Manipulate network routing tables
RUNAS Execute a program under a different user account
RUNDLL32 Run a DLL command (add/remove print connections)

SC Service Control
SCHTASKS Create or Edit Scheduled Tasks
SCLIST Display NT Services
ScriptIt Control GUI applications
SET Display, set, or remove environment variables
SETLOCAL Control the visibility of environment variables
SETX Set environment variables permanently
SHARE List or edit a file share or print share
SHIFT Shift the position of replaceable parameters in a batch file
SHORTCUT Create a windows shortcut (.LNK file)
SHOWGRPS List the NT Workgroups a user has joined
SHOWMBRS List the Users who are members of a Workgroup
SHUTDOWN Shutdown the computer
SLEEP Wait for x seconds
SOON Schedule a command to run in the near future
SORT Sort input
START Start a separate window to run a specified program or command
SU Switch User
SUBINACL Edit file and folder Permissions, Ownership and Domain
SUBST Associate a path with a drive letter
SYSTEMINFO List system configuration

TASKLIST List running applications and services
TIME Display or set the system time
TIMEOUT Delay processing of a batch file
TITLE Set the window title for a CMD.EXE session
TOUCH Change file timestamps
TRACERT Trace route to a remote host
TREE Graphical display of folder structure
TYPE Display the contents of a text file

USRSTAT List domain usernames and last login

VER Display version information
VERIFY Verify that files have been saved
VOL Display a disk label

WHERE Locate and display files in a directory tree
WHOAMI Output the current UserName and domain
WINDIFF Compare the contents of two files or sets of files
WINMSD Windows system diagnostics
WINMSDP Windows system diagnostics II
WMIC WMI Commands

XCACLS Change file permissions
XCOPY Copy files and folders

Let’s run our first command:

repadmin.exe /replsummary

This /replsummary command will identify Domain Controllers that are failing replication (inbound or outbound) and summerize the results in a report. This report can be the basis of your Active Directory replication troubleshooting actions.

If one of your Domain Controllers is failing replication we can use repadmin.exe to force synchronization immediately. We’d run the following command:

repadmin.exe /syncall DCName dc=domain,dc=tld

Where DCName is the name of the replication-incapable Domain Controller and the domain and top-level domainname (tld) specify the Active Directory Naming Context to synchronize.

Of course, when you have a serious Active Directory replication problem, trying to force replication like this will only show more errors, pointing you in the direction of targeting specific Domain Controllers and/or objects.

Another repadmin.exe command of particular use it the command to stop and/or start inbound and/or outbound replication immediately for a specific Domain Controller. This is useful in scenarios where you want to make changes to a Domain Controller, but don’t want them replicated to other Domain Controllers. The commands are easy:

repadmin /options DCName +DISABLE_OUTBOUND_REPL
repadmin /options DCName -DISABLE_OUTBOUND_REPL
repadmin /options DCName +DISABLE_INBOUND_REPL
repadmin /options DCName -DISABLE_INBOUND_REPL

Of course, many Microsoft schema updates and preparations have checks for disabled inbound and/or outbound replication. Thus, you can’t always use the above commands in these scenarios.

And this gem: Checking whether an Active Directory infrastructure successfully prepared the domain and forest for Windows Server 2003. And checking whether the changes have been replicated to all Domain Controllers:

 repadmin /showobjmeta * "CN=Windows2003Update,
 CN=ForestUpdates,CN=Configuration,DC=domain,DC=tld"

 repadmin /showobjmeta * "CN=Windows2003Update,
 CN=DomainUpdates,CN=Configuration,DC=domain,DC=tld"

Any Domain Controller, not returning it has the object, has not yet replicated the Active Directory preparation. Until you’ve replicated the object to all Domain Controllers, it would be ill-advised to continue and promote the first Windows Server 2008 Domain Controller.

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

Error Status: 0x%2. Click OK to shut down the system and reboot into Directory Services Restore Mode. Check the event log for detailed information.

8505 Only an administrator can modify the membership list of an administrative group.
8506 Cannot change the primary group ID of a domain controller account.
8507 An attempt is made to modify the base schema.
8508 Adding a new mandatory attribute to an existing class, deleting a mandatory attribute from an existing class, or adding an optional attribute to the special class Top that is not a backlink attribute (directly or through inheritance, for example, by adding or deleting an auxiliary class) is not allowed.
8509 Schema update is not allowed on this DC because the DC is not the schema FSMO Role Owner.
8510 An object of this class cannot be created under the schema container. You can only create attribute-schema and class-schema objects under the schema container.
8511 The replica/child install failed to get the objectVersion attribute on the schema container on the source DC. Either the attribute is missing on the schema container or the credentials supplied do not have permission to read it.
8512 The replica/child install failed to read the objectVersion attribute in the SCHEMA section of the file schema.ini in the system32 directory.
8513 The specified group type is invalid.
8514 Cannot nest global groups in a mixed domain if the group is security-enabled.
8515 Cannot nest local groups in a mixed domain if the group is security-enabled.
8516 A global group cannot have a local group as a member.
8517 A global group cannot have a universal group as a member.
8518 A universal group cannot have a local group as a member.
8519 A global group cannot have a cross-domain member.
8520 A local group cannot have another cross-domain local group as a member.
8521 A group with primary members cannot change to a security-disabled group.
8522 The schema cache load failed to convert the string default SD on a class-schema object.
8523 Only DSAs configured to be Global Catalog servers should be allowed to hold the Domain Naming Master FSMO role. (Applies only to Windows 2000 servers)
8524 The DSA operation is unable to proceed because of a DNS lookup failure.
8525 While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync.
8526 The Security Descriptor attribute could not be read.
8527 The object requested was not found, but an object with that key was found.
8528 The syntax of the linked attributed being added is incorrect. Forward links can only have syntax 2.5.5.1, 2.5.5.7, and 2.5.5.14, and backlinks can only have syntax 2.5.5.1.
8529 Security Account Manager needs to get the boot password.
8530 Security Account Manager needs to get the boot key from floppy disk.
8531 Directory Service cannot start.
8532 Directory Services could not start.
8533 The connection between client and server requires packet privacy or better.
8534 The source domain may not be in the same forest as destination.
8535 The destination domain must be in the forest.
8536 The operation requires that destination domain auditing be enabled.
8537 The operation couldn’t locate a DC for the source domain.
8538 The source object must be a group or user.
8539 The source object’s SID already exists in destination forest.
8540 The source and destination object must be of the same type.
8541 Security Accounts Manager initialization failed because of the following error: %1.

Error Status: 0x%2. Click OK to shut down the system and reboot into Safe Mode. Check the event log for detailed information.

8542 Schema information could not be included in the replication request.
8543 The replication operation could not be completed due to a schema incompatibility.
8544 The replication operation could not be completed due to a previous schema incompatibility.
8545 The replication update could not be applied because either the source or the destination has not yet received information regarding a recent cross-domain move operation.
8546 The requested domain could not be deleted because there exist domain controllers that still host this domain.
8547 The requested operation can be performed only on a global catalog server.
8548 A local group can only be a member of other local groups in the same domain.
8549 Foreign security principals cannot be members of universal groups.
8550 The attribute is not allowed to be replicated to the GC because of security reasons.
8551 The checkpoint with the PDC could not be taken because there are too many modifications being processed currently.
8552 The operation requires that source domain auditing be enabled.
8553 Security principal objects can only be created inside domain naming contexts.
8554 A Service Principal Name (SPN) could not be constructed because the provided hostname is not in the necessary format.
8555 A Filter was passed that uses constructed attributes.
8556 The unicodePwd attribute value must be enclosed in double quotes.
8557 Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
8558 For security reasons, the operation must be run on the destination DC.
8559 For security reasons, the source DC must be NT4SP4 or greater.
8560 Critical Directory Service System objects cannot be deleted during tree delete operations. The tree delete may have been partially performed.
8561 Directory Services could not start because of the following error: %1.

Error Status: 0x%2. Please click OK to shutdown the system. You can use the recovery console to diagnose the system further.

8562 Security Accounts Manager initialization failed because of the following error: %1.

Error Status: 0x%2. Please click OK to shutdown the system. You can use the recovery console to diagnose the system further.

8563 This version of Windows is too old to support the current directory forest behavior. You must upgrade the operating system on this server before it can become a domain controller in this forest.
8564 This version of Windows is too old to support the current domain behavior. You must upgrade the operating system on this server before it can become a domain controller in this domain.
8565 This version of Windows no longer supports the behavior version in use in this directory forest. You must advance the forest behavior version before this server can become a domain controller in the forest.
8566 This version of Windows no longer supports the behavior version in use in this domain. You must advance the domain behavior version before this server can become a domain controller in the domain.
8567 The version of Windows is incompatible with the behavior version of the domain or forest.
8568 The behavior version cannot be increased to the requested value because Domain Controllers still exist with versions lower than the requested value.
8569 The behavior version value cannot be increased while the domain is still in mixed domain mode. You must first change the domain to native mode before increasing the behavior version.
8570 The sort order requested is not supported.
8571 Found an object with a non unique name.
8572 The machine account was created pre-NT4. The account needs to be recreated.
8573 The database is out of version store.
8574 Unable to continue operation because multiple conflicting controls were used.
8575 Unable to find a valid security descriptor reference domain for this partition.
8576 Schema update failed: The link identifier is reserved.
8577 Schema update failed: There are no link identifiers available.
8578 An account group cannot have a universal group as a member.
8579 Rename or move operations on naming context heads or read-only objects are not allowed.
8580 Move operations on objects in the schema naming context are not allowed.
8581 A system flag has been set on the object and does not allow the object to be moved or renamed.
8582 This object is not allowed to change its grandparent container. Moves are not forbidden on this object, but are restricted to sibling containers.
8583 Unable to resolve completely, a referral to another forest is generated.
8584 The requested action is not supported on standard server.
8585 Could not access a partition of the Active Directory located on a remote server. Make sure at least one server is running for the partition in question.
8586 The directory cannot validate the proposed naming context (or partition) name because it does not hold a replica nor can it contact a replica of the naming context above the proposed naming context. Please ensure that the parent naming context is properly registered in DNS, and at least one replica of this naming context is reachable by the Domain Naming master.
8587 The thread limit for this request was exceeded.
8588 The Global catalog server is not in the closet site.
8589 The DS cannot derive a service principal name (SPN) with which to mutually authenticate the target server because the corresponding server object in the local DS database has no serverReference attribute.
8590 The Directory Service failed to enter single user mode.
8591 The Directory Service cannot parse the script because of a syntax error.
8592 The Directory Service cannot process the script because of an error.
8593 The directory service cannot perform the requested operation because the servers involved are of different replication epochs (which is usually related to a domain rename that is in progress).
8594 The directory service binding must be renegotiated due to a change in the server extensions information.
8595 Operation not allowed on a disabled cross ref.
8596 Schema update failed: No values for msDS-IntId are available.
8597 Schema update failed: Duplicate msDS-INtId. Retry the operation.
8598 Schema deletion failed: attribute is used in rDNAttID.
8599 The directory service failed to authorize the request.
8600 The Directory Service cannot process the script because it is invalid.
8601 The remote create cross reference operation failed on the Domain Naming Master FSMO. The operation’s error is in the extended data.
9001 DNS server unable to interpret format.
9002 DNS server failure.
9003 DNS name does not exist.
9004 DNS request not supported by name server.
9005 DNS operation refused.
9006 DNS name that ought not exist, does exist.
9007 DNS RR set that ought not exist, does exist.
9008 DNS RR set that ought to exist, does not exist.
9009 DNS server not authoritative for zone.
9010 DNS name in update or prereq is not in zone.
9016 DNS signature failed to verify.
9017 DNS bad key.
9018 DNS signature validity expired.
9501 No records found for given DNS query.
9502 Bad DNS packet.
9503 No DNS packet.
9504 DNS error, check rcode.
9505 Unsecured DNS packet.
9551 Invalid DNS type.
9552 Invalid IP address.
9553 Invalid property.
9554 Try DNS operation again later.
9555 Record for given name and type is not unique.
9556 DNS name does not comply with RFC specifications.
9557 DNS name is a fully-qualified DNS name.
9558 DNS name is dotted (multi-label).
9559 DNS name is a single-part name.
9560 DSN name contains an invalid character.
9561 DNS name is entirely numeric.
9562 The operation requested is not permitted on a DNS root server.
9601 DNS zone does not exist.
9602 DNS zone information not available.
9603 Invalid operation for DNS zone.
9604 Invalid DNS zone configuration.
9605 DNS zone has no start of authority (SOA) record.
9606 DNS zone has no name server (NS) record.
9607 DNS zone is locked.
9608 DNS zone creation failed.
9609 DNS zone already exists.
9610 DNS automatic zone already exists.
9611 Invalid DNS zone type.
9612 Secondary DNS zone requires master IP address.
9613 DNS zone not secondary.
9614 Need secondary IP address.
9615 WINS initialization failed.
9616 Need WINS servers.
9617 NBTSTAT initialization call failed.
9618 Invalid delete of start of authority (SOA)
9619 A conditional forwarding zone already exists for that name.
9620 This zone must be configured with one or more master DNS server IP addresses.
9621 The operation cannot be performed because this zone is shutdown.
9651 Primary DNS zone requires datafile.
9652 Invalid datafile name for DNS zone.
9653 Failed to open datafile for DNS zone.
9654 Failed to write datafile for DNS zone.
9655 Failure while reading datafile for DNS zone.
9701 DNS record does not exist.
9702 DNS record format error.
9703 Node creation failure in DNS.
9704 Unknown DNS record type.
9705 DNS record timed out.
9706 Name not in DNS zone.
9707 CNAME loop detected.
9708 Node is a CNAME DNS record.
9709 A CNAME record already exists for given name.
9710 Record only at DNS zone root.
9711 DNS record already exists.
9712 Secondary DNS zone data error.
9713 Could not create DNS cache data.
9714 DNS name does not exist.
9715 Could not create pointer (PTR) record.
9716 DNS domain was undeleted.
9717 The directory service is unavailable.
9718 DNS zone already exists in the directory service.
9719 DNS server not creating or reading the boot file for the directory service integrated DNS zone.
9751 DNS AXFR (zone transfer) complete.
9752 DNS zone transfer failed.
9753 Added local WINS server.
9801 Secure update call needs to continue update request.
9851 TCP/IP network protocol not installed.
9852 No DNS servers configured for local system.
9901 The specified directory partition does not exist.
9902 The specified directory partition already exists.
9903 The DS is not enlisted in the specified directory partition.
9904 The DS is already enlisted in the specified directory partition.
10004 A blocking operation was interrupted by a call to WSACancelBlockingCall.
10009 The file handle supplied is not valid.
10013 An attempt was made to access a socket in a way forbidden by its access permissions.
10014 The system detected an invalid pointer address in attempting to use a pointer argument in a call.
10022 An invalid argument was supplied.
10024 Too many open sockets.
10035 A non-blocking socket operation could not be completed immediately.
10036 A blocking operation is currently executing.
10037 An operation was attempted on a non-blocking socket that already had an operation in progress.
10038 An operation was attempted on something that is not a socket.
10039 A required address was omitted from an operation on a socket.
10040 A message sent on a datagram socket was larger than the internal message buffer or some other network limit, or the buffer used to receive a datagram into was smaller than the datagram itself.
10041 A protocol was specified in the socket function call that does not support the semantics of the socket type requested.
10042 An unknown, invalid, or unsupported option or level was specified in a getsockopt or setsockopt call.
10043 The requested protocol has not been configured into the system, or no implementation for it exists.
10044 The support for the specified socket type does not exist in this address family.
10045 The attempted operation is not supported for the type of object referenced.
10046 The protocol family has not been configured into the system or no implementation for it exists.
10047 An address incompatible with the requested protocol was used.
10048 Only one usage of each socket address (protocol/network address/port) is normally permitted.
10049 The requested address is not valid in its context.
10050 A socket operation encountered a dead network.
10051 A socket operation was attempted to an unreachable network.
10052 The connection has been broken due to keep-alive activity detecting a failure while the operation was in progress.
10053 An established connection was aborted by the software in your host machine.
10054 An existing connection was forcibly closed by the remote host.
10055 An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
10056 A connect request was made on an already connected socket.
10057 A request to send or receive data was disallowed because the socket is not connected and (when sending on a datagram socket using a sendto call) no address was supplied.
10058 A request to send or receive data was disallowed because the socket had already been shut down in that direction with a previous shutdown call.
10059 Too many references to some kernel object.
10060 A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
10061 No connection could be made because the target machine actively refused it.
10062 Cannot translate name.
10063 Name component or name was too long.
10064 A socket operation failed because the destination host was down.
10065 A socket operation was attempted to an unreachable host.
10066 Cannot remove a directory that is not empty.
10067 A Windows Sockets implementation may have a limit on the number of applications that may use it simultaneously.
10068 Ran out of quota.
10069 Ran out of disk quota.
10070 File handle reference is no longer available.
10071 Item is not available locally.
10091 WSAStartup cannot function at this time because the underlying system it uses to provide network services is currently unavailable.
10092 The Windows Sockets version requested is not supported.
10093 Either the application has not called WSAStartup, or WSAStartup failed.
10101 Returned by WSARecv or WSARecvFrom to indicate the remote party has initiated a graceful shutdown sequence.
10102 No more results can be returned by WSALookupServiceNext.
10103 A call to WSALookupServiceEnd was made while this call was still processing. The call has been canceled.
10104 The procedure call table is invalid.
10105 The requested service provider is invalid.
10106 The requested service provider could not be loaded or initialized.
10107 A system call that should never fail has failed.
10108 No such service is known. The service cannot be found in the specified name space.
10109 The specified class was not found.
10110 No more results can be returned by WSALookupServiceNext.
10111 A call to WSALookupServiceEnd was made while this call was still processing. The call has been canceled.
10112 A database query failed because it was actively refused.
11001 No such host is known.
11002 This is usually a temporary error during hostname resolution and means that the local server did not receive a response from an authoritative server.
11003 A non-recoverable error occurred during a database lookup.
11004 The requested name is valid and was found in the database, but it does not have the correct associated data being resolved for.
11005 At least one reserve has arrived.
11006 At least one path has arrived.
11007 There are no senders.
11008 There are no receivers.
11009 Reserve has been confirmed.
11010 Error due to lack of resources.
11011 Rejected for administrative reasons – bad credentials.
11012 Unknown or conflicting style.
11013 Problem with some part of the filterspec or providerspecific buffer in general.
11014 Problem with some part of the flowspec.
11015 General QOS error.
11016 An invalid or unrecognized service type was found in the flowspec.
11017 An invalid or inconsistent flowspec was found in the QOS structure.
11018 Invalid QOS provider-specific buffer.
11019 An invalid QOS filter style was used.
11020 An invalid QOS filter type was used.
11021 An incorrect number of QOS FILTERSPECs were specified in the FLOWDESCRIPTOR.
11022 An object with an invalid ObjectLength field was specified in the QOS provider-specific buffer.
11023 An incorrect number of flow descriptors was specified in the QOS structure.
11024 An unrecognized object was found in the QOS provider-specific buffer.
11025 An invalid policy object was found in the QOS provider-specific buffer.
11026 An invalid QOS flow descriptor was found in the flow descriptor list.
11027 An invalid or inconsistent flowspec was found in the QOS provider-specific buffer.
11028 An invalid FILTERSPEC was found in the QOS provider-specific buffer.
11029 An invalid shape discard mode object was found in the QOS provider-specific buffer.
11030 An invalid shaping rate object was found in the QOS provider-specific buffer.
11031 A reserved policy element was found in the QOS provider-specific buffer.
13000 The specified quick mode policy already exists.
13001 The specified quick mode policy was not found.
13002 The specified quick mode policy is being used.
13003 The specified main mode policy already exists.
13004 The specified main mode policy was not found.
13005 The specified main mode policy is being used.
13006 The specified main mode filter already exists.
13007 The specified main mode filter was not found.
13008 The specified transport mode filter already exists.
13009 The specified transport mode filter does not exist.
13010 The specified main mode authentication list exists.
13011 The specified main mode authentication list was not found.
13012 The specified quick mode policy is being used.
13013 The specified main mode policy was not found.
13014 The specified quick mode policy was not found.
13015 The manifest file contains one or more syntax errors.
13016 The application attempted to activate a disabled activation context.
13017 The requested lookup key was not found in any active activation context.
13018 The Main Mode filter is pending deletion.
13019 The transport filter is pending deletion.
13020 The tunnel filter is pending deletion.
13021 The Main Mode policy is pending deletion.
13022 The Main Mode authentication bundle is pending deletion.
13023 The Quick Mode policy is pending deletion.
13801 IKE authentication credentials are unacceptable.
13802 IKE security attributes are unacceptable.
13803 IKE Negotiation in progress.
13804 General processing error.
13805 Negotiation timed out.
13806 IKE failed to find valid machine certificate.
13807 IKE SA deleted by peer before establishment completed.
13808 IKE SA deleted before establishment completed.
13809 Negotiation request sat in Queue too long.
13810 Negotiation request sat in Queue too long.
13811 Negotiation request sat in Queue too long.
13812 Negotiation request sat in Queue too long.
13813 No response from peer.
13814 Negotiation took too long.
13815 Negotiation took too long.
13816 Unknown error occurred.
13817 Certificate Revocation Check failed.
13818 Invalid certificate key usage.
13819 Invalid certificate type.
13820 No private key associated with machine certificate.
13822 Failure in Diffie-Helman computation.
13824 Invalid header.
13825 No policy configured.
13826 Failed to verify signature.
13827 Failed to authenticate using Kerberos.
13828 Peer’s certificate did not have a public key.
13829 Error processing error payload.
13830 Error processing SA payload.
13831 Error processing Proposal payload.
13832 Error processing Transform payload.
13833 Error processing KE payload.
13834 Error processing ID payload.
13835 Error processing Cert payload.
13836 Error processing Certificate Request payload.
13837 Error processing Hash payload.
13838 Error processing Signature payload.
13839 Error processing Nonce payload.
13840 Error processing Notify payload.
13841 Error processing Delete Payload.
13842 Error processing VendorId payload.
13843 Invalid payload received.
13844 Soft SA loaded.
13845 Soft SA torn down.
13846 Invalid cookie received..
13847 Peer failed to send valid machine certificate.
13848 Certification Revocation check of peer’s certificate failed.
13849 New policy invalidated SAs formed with old policy.
13850 There is no available Main Mode IKE policy.
13851 Failed to enabled TCB privilege.
13852 Failed to load SECURITY.DLL.
13853 Failed to obtain security function table dispatch address from SSPI.
13854 Failed to query Kerberos package to obtain max token size.
13855 Failed to obtain Kerberos server credentials for ISAKMP/ERROR_IPSEC_IKE service. Kerberos authentication will not function. The most likely reason for this is lack of domain membership. This is normal if your computer is a member of a workgroup.
13856 Failed to determine SSPI principal name for ISAKMP/ERROR_IPSEC_IKE service (QueryCredentialsAttributes).
13857 Failed to obtain new SPI for the inbound SA from Ipsec driver. The most common cause for this is that the driver does not have the correct filter. Check your policy to verify the filters.
13858 Given filter is invalid.
13859 Memory allocation failed.
13860 Failed to add Security Association to IPSec Driver. The most common cause for this is if the IKE negotiation took too long to complete. If the problem persists, reduce the load on the faulting machine.
13861 Invalid policy.
13862 Invalid DOI.
13863 Invalid situation.
13864 Diffie-Hellman failure.
13865 Invalid Diffie-Hellman group.
13866 Error encrypting payload.
13867 Error decrypting payload.
13868 Policy match error.
13869 Unsupported ID.
13870 Hash verification failed.
13871 Invalid hash algorithm.
13872 Invalid hash size.
13873 Invalid encryption algorithm.
13874 Invalid authentication algorithm.
13875 Invalid certificate signature.
13876 Load failed.
13877 Deleted via RPC call.
13878 Temporary state created to perform reinit. This is not a real failure.
13879 The lifetime value received in the Responder Lifetime Notify is below the Windows 2000 configured minimum value. Please fix the policy on the peer machine.
13881 Key length in certificate is too small for configured security requirements.
13882 Max number of established MM SAs to peer exceeded.
13883 IKE received a policy that disables negotiation.
13884 ERROR_IPSEC_IKE_NEG_STATUS_END
14000 The requested section was not present in the activation context.
14001 This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem.
14002 The application binding data format is invalid.
14003 The referenced assembly is not installed on your system.
14004 The manifest file does not begin with the required tag and format information.
14005 The manifest file contains one or more syntax errors.
14006 The application attempted to activate a disabled activation context.
14007 The requested lookup key was not found in any active activation context.
14008 A component version required by the application conflicts with another component version already active.
14009 The type requested activation context section does not match the query API used.
14010 Lack of system resources has required isolated activation to be disabled for the current thread of execution.
14011 An attempt to set the process default activation context failed because the process default activation context was already set.
14012 The encoding group identifier specified is not recognized.
14013 The encoding requested is not recognized.
14014 The manifest contains a reference to an invalid URI.
14015 The application manifest contains a reference to a dependent assembly which is not installed.
14016 The manifest for an assembly used by the application has a reference to a dependent assembly which is not installed.
14017 The manifest contains an attribute for the assembly identity which is not valid.
14018 The manifest is missing the required default namespace specification on the assembly element.
14019 The manifest has a default namespace specified on the assembly element but its value is not “urn:schemas-microsoft-com:asm.v1″.
14020 The private manifest probe has crossed the reparse-point-associated path.
14021 Two or more components referenced directly or indirectly by the application manifest have files by the same name.
14022 Two or more components referenced directly or indirectly by the application manifest have window classes with the same name.
14023 Two or more components referenced directly or indirectly by the application manifest have the same COM server CLSIDs.
14024 Two or more components referenced directly or indirectly by the application manifest have proxies for the same COM interface IIDs.
14025 Two or more components referenced directly or indirectly by the application manifest have the same COM type library TLBIDs.
14026 Two or more components referenced directly or indirectly by the application manifest have the same COM ProgIDs.
14027 Two or more components referenced directly or indirectly by the application manifest are different versions of the same component which is not permitted.
14028 A component’s file does not match the verification information present in the component manifest.
14029 The policy manifest contains one or more syntax errors.
14030 Manifest Parse Error : A string literal was expected, but no opening quote character was found.
14031 Manifest Parse Error : Incorrect syntax was used in a comment.
14032 Manifest Parse Error : A name was started with an invalid character.
14033 Manifest Parse Error : A name contained an invalid character.
14034 Manifest Parse Error : A string literal contained an invalid character.
14035 Manifest Parse Error : Invalid syntax for an XML declaration.
14036 Manifest Parse Error : An invalid character was found in text content.
14037 Manifest Parse Error : Required white space was missing.
14038 Manifest Parse Error : The character ‘>’ was expected.
14039 Manifest Parse Error : A semi colon character was expected.
14040 Manifest Parse Error : Unbalanced parentheses.
14041 Manifest Parse Error : Internal error.
14042 Manifest Parse Error : White space is not allowed at this location.
14043 Manifest Parse Error : End of file reached in invalid state for current encoding.
14044 Manifest Parse Error : Missing parenthesis.
14045 Manifest Parse Error : A single or double closing quote character (\’ or \”) is missing.
14046 Manifest Parse Error : Multiple colons are not allowed in a name.
14047 Manifest Parse Error : Invalid character for decimal digit.
14048 Manifest Parse Error : Invalid character for hexadecimal digit.
14049 Manifest Parse Error : Invalid Unicode character value for this platform.
14050 Manifest Parse Error : Expecting white space or ‘?’.
14051 Manifest Parse Error : End tag was not expected at this location.
14052 Manifest Parse Error : The following tags were not closed: %1.
14053 Manifest Parse Error : Duplicate attribute.
14054 Manifest Parse Error : Only one top level element is allowed in an XML document.
14055 Manifest Parse Error : Invalid at the top level of the document.
14056 Manifest Parse Error : Invalid XML declaration.
14057 Manifest Parse Error : XML document must have a top level element.
14058 Manifest Parse Error : Unexpected end of file.
14059 Manifest Parse Error : Parameter entities cannot be used inside markup declarations in an internal subset.
14060 Manifest Parse Error : Element was not closed.
14061 Manifest Parse Error : End element was missing the character ‘>’.
14062 Manifest Parse Error : A string literal was not closed.
14063 Manifest Parse Error : A comment was not closed.
14064 Manifest Parse Error : A declaration was not closed.
14065 Manifest Parse Error : A CDATA section was not closed.
14066 Manifest Parse Error : The namespace prefix is not allowed to start with the reserved string “xml”.
14067 Manifest Parse Error : System does not support the specified encoding.
14068 Manifest Parse Error : Switch from current encoding to specified encoding not supported.
14069 Manifest Parse Error : The name ‘xml’ is reserved and must be lower case.
14070 Manifest Parse Error : The standalone attribute must have the value ‘yes’ or ‘no’.
14071 Manifest Parse Error : The standalone attribute cannot be used in external entities.
14072 Manifest Parse Error : Invalid version number.
14073 Manifest Parse Error : Missing equals sign between attribute and attribute value.
14074 Assembly Protection Error: Unable to recover the specified assembly.
14075 Assembly Protection Error: The public key for an assembly was too short to be allowed.
14076 Assembly Protection Error: The catalog for an assembly is not valid, or does not match the assembly’s manifest.
14077 An HRESULT could not be translated to a corresponding Win32 error code.
14078 Assembly Protection Error: The catalog for an assembly is missing.
14079 The supplied assembly identity is missing one or more attributes which must be present in this context.
14080 The supplied assembly identity has one or more attribute names that contain characters not permitted in XML names

These are some powerful policy settings that allow you to configure five settings for Application, Security, Setup, and System event logs. These categories and their policy settings are located under Computer Configuration\Policies\Administrative Templates\Windows Components\Event Log Service.

The Log File Path policy setting, when enabled, allows you to provide a specific location where the Event Log service writes its log file. You must provide a path and file name when relocating where Windows writes the log file.

Next is the Maximum Log file size policy. When enabled, this policy allows you to specify the maximum size of the event log. It supports sizes between one megabyte and two terabytes and uses one-kilobyte increments.

Figure 1 Event Log Service Policy Settings

The next two policy settings are related. The Event Logging service uses the Retain old events and Backup log automatically when full policy settings when the event log reaches the maximum file size (defaults to 20 MB or the value specified in the Maximum Log size policy setting). With the Retain Old Events policy setting enabled, the Event Logging service stops writing new events to the event log when the log file reaches or exceeds the maximum value and you lose all new events.

With this policy setting disabled, new events overwrite old events. When you enabling the Backup log automatically when full and the Retain old events policy settings, the Event Log service closes the current event log, renames it, and then creates a new log. The Backup log automatically when full policy setting works only when you enable Retain old events policy setting.

Figure 2 Maximum Log Size Policy Setting

The last setting and one that I think is the most beneficial is the Log Access setting. Enabling this setting allows you to enter a security descriptor for the log file. The security descriptor controls who can read, write, or clear the event log. You enter the security descriptor using Security Definition Description Language (SDDL), which is document on MSDN (http://msdn.microsoft.com/library/en-us/secauthz/security/security_descriptor_string_format.asp).

Finally, I should mention that these new policy settings have precedence over the older Windows Server 2003 and Windows XP security policy setting that manage Event Logs. Both settings can exist in the same Group Policy object and apply only to the respective operating systems for the policy setting

These new policy settings for the Event Logging service provide more flexibility and control from earlier versions.

Using Group Policy to control where event logs are written, how large they can grow, how they are preserved, and who can manage them are key to change control and security auditing. You can implement these policy settings in your existing Group Policy objects and they will not affect operating systems earlier than Windows Vista.

If you or a colleague happen to mistakenly delete an object in Active Directory the results can be disastrous. ADRecycleBin allows administrators to quickly find and restore deleted objects in Active Directory. If you are running Active Directory in Windows 2008 R2 native mode you can enable the Active Directory Recycle Bin. If you are running Active Directory in an earlier mode you can re-animate deleted objects.

Features

Supports Windows 2008 R2 Active Directory Recycle Bin technology
Supports Object reanimation in earlier versions of Active Directory
Review deleted objects
Restore multiple objects at the same time
An Example
Consider the following scenario. We have some users, computers and a group in an Organization Unit called Richmond Hill:

I decide to delete an object ignoring all of the prompts. First prompt:

As well as the second prompt:

To make things worse, the computer object was a very important shared PC with a ton of mission-critical applications, and without this object in Active Directory, no one can log on to this PC with their domain ID. So how do we get these deleted objects back?

Using ADRecycleBin.exe

Firstly, before you run ADRecycleBin.exe ensure that your account has the appropriate privileges to restore objects in Active Directory. You will want to run the tool in the same domain where you plan on restoring the objects. Launch ADRecycleBin.exe and click the Load Deleted Objects button:

Unless you intend on restoring other types of objects other than OUs, Users, Computer or groups, I recommend you leave the Load Filter checkboxes as the default. Then click the Load Deleted Objects button. This will load all of the deleted objects detected based on the Load Filter checkboxes:

To restore all of the objects from our Richmond Hill OU click on one of the child objects, for example, I have selected the group called: LDAP://CN=ROL-RichmondHill IT Managers\0ADEL:86249fc3-ca0e-4614-b258-65fb15ff9ab7,CN=Deleted Objects,DC=beta,DC=local. Then I right-click and select the Select All menu item:

This will check all of the siblings. Incidentally, selecting a child node will automatically check its parent. Once we have selected the objects we wish to bring back from the dead, we click the Restore Checked Objects button:

This will initiate the restore process. When this process is complete a new window will open showing us a summary of the Active Directory deleted objects that were restored:

From this window we can copy and paste the messages of importance or export the results to a csv file to let others know what was restored:

When we close the Restore Summary window the deleted objects will be enumerated again:

Our OU called Richmond Hill has now been successfully restored:

DOWNLOAD THE FREE TOOL

http://www.overall.ca/index.php?option=com_docman&task=doc_download&gid=78&Itemid=11

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

Immediately after that, John tries to authenticate and – he succeeds. He’s prompted to change his password, does so and logs successfully in. “Thanks buddy”, he ends the conversation. You scratch your head wondering how that password got replicated so fast. You’re sitting in the headquarters doing the change and John is in some branch office which has a pretty tight replication schedule and intervall – rep takes place every three hours between headquater and John’s branch. You verify that “Active Directory Users and Computers” you used to reset John’s password with is “connected” to a local headquarter-DC. You scratch your head. How’s that possible? How’s password reset getting replicated so fast to the branch DC?

The answer lies in PDC chaining. The password isn’t immediately replicated to the branch DC – the mechanism is different. Once a domain controller receives an authentication request, it checks for the credentials provided. In our scenario, the password hasn’t replicated yet to John’s branch office and as John tries the password we manually resetted it to, it fails. Smart-pants branch-DC doesn’t give up though and the next step it tries is ask the PDC emulator-FSMO-holder-DC for help. It chains the authentication request to the PDC. The PDC checks the credentials and – since it got our resetted password already, it replies to the branch-DC that the password is valid. In addition to the “pass is valid” reply to the branch DC, it actually sends the current pass in a follwing message.

Branch-DC now lets John authenticated, but provides him with the “Change password” dialog to pick a new password. After that, John is allowed to log on to his machine.

What basically happened was that branch-DC, evaluating John’s password to “not valid”, forwarded John’s auth request to the PDC which evaluated to true and responded accordingly. After that, the PDC pushes the John’s current credentials to the branch-DC so that it’s up-to-date. This “push” isn’t anything like immediate rep or urgent-rep but a special LDAP operation (Single object replication).

So — why’s branch-DC asking PDC to re-check John’s credentials? Branch-DC knows what all DCs know and that is that PDC always has the valid password* for all users. Once a password gets changed, the DC that handles the password change request pushes the new update via a special RPC call to the PDC to update the password. The PDC is the first to know about password changes and password resets. Again, this isn’t done with pure replication but with a special RPC call to the PDC.

* Exceptions are environments that don’t allow direct DC communication (e.g. a meshed network). In cases where DCs cannot reach the PDC directly – either for chaining an auth request or RPC-pushing the password – the request fails. In those cases, the passwords go along their way through normal replication. Password changes aren’t pushed directly and auth requests are evaluated as “invalid” if the PDC isn’t reachable.

The process is here in a small picture:

1) An admin in site B resets a user’s password in site B.

(2) The DC pushes the new password via an RPC call to the PDC.

(3) At the same time, the user in site C tries to authenticate using the new password. DC-C checks the password with its local database and comes to find that the password isn’t correct (the password reset hasn’t replicated to DC-C).

(4) DC-C forwards the authentication request to the PDC which knows the new password because of the RPC call. It reponds to DC-C, that the password is valid.

(5) Immediately after that, it pushes the new user password via an LDAP operation to DC-C so that DC-C’s database is updated (regarding the user’s password only!). This is not done by normal replication means – it’s a special push.

(6) DC-C allows the user to authenticate.

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

When firing the command at my box, I didn’t get any results either:

C:\Windows\system32>adfind -b “CN=Deleted

Objects,DC=intern,DC=frickelsoft,DC=net” -f”&(objectClass=user)(objectCategory=person)” objectSID

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc.intern.frickelsoft.net:389Directory: Windows Server 2003

0 Objects returned

Looking at the query, I remembered that deleted objects aren’t deleted right away but are moved to the “Deleted Objects” container, get a new name and are stripped from most of their attributes. Only a few of them are preserved. Knowing that objectClass is one of the attributes that is preserved, let’s see whether objectCategory is. For that, we need to get the “searchFlags” attribute of the schema object here. The searchFlags bitmask tells us, whether the attribute is preserved on deletion – bit #3 (decimal = as described in

http://msdn.microsoft.com/en-us/library/ms679765(VS.85).aspx and  http://www.frickelsoft.net/blog/?p=151

is the one we’re looking for:

C:\Windows\system32>adfind -sc s:objectCategory searchFlags

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc.intern.frickelsoft.net:389

Directory: Windows Server 2003

Base DN: CN=Schema,CN=Configuration,DC=intern,DC=frickelsoft,DC=net

dn:CN=Object-Category,CN=Schema,CN=Configuration,DC=intern,DC=frickelsoft,DC=net

>searchFlags: 1 [INDEX(1)]

We can see that searchFlags for “objectCategory” is 1 which resolves to “put attribute into index”.

Hmm..as we thought, not preserved — but let’s check objectClass, too:

C:\Windows\system32>adfind -sc s:objectClass searchFlags

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc.intern.frickelsoft.net:389

Directory: Windows Server 2003

Base DN: CN=Schema,CN=Configuration,DC=intern,DC=frickelsoft,DC=net

dn:CN=Object-Class,CN=Schema,CN=Configuration,DC=intern,DC=frickelsoft,DC=net

>searchFlags: 9 [INDEX(1);PRESERVE TOMBSTONE(8)]

1 Objects returned

Okay, that’s a nine which resolves to “put into index” (=1) and “preserve on deletion” (=8, so 1+8 = 9). I must admit you could have looked that one up too on MSDN:

http://msdn.microsoft.com/en-us/library/ms679011(VS.85).aspx

- objectCategory has searchFlags “1″ everywhere — but hey, we wanted to use ADfind, right? It makes sense now that we don’t get any results. We could query now for “objectClass=user” only, but that’s probably not what we want, as computers are part of the “user” objectClass, too.

So the query won’t work as we’re filtering for an attribute that isn’t there any more. So — what can we do there?

Change our search to only display objectClass=user objects and NOT objectClass=computers Unfortunately, we don’t get any results for that, as seen in the above output. Hum… what did go wrong?

Looking at the ADfind help at

http://www.joeware.net/freetools/tools/adfind/usage.htm (or /?),

we can see that we need the “-showdel” switch to make ADFind issue the “Show deleted objects” LDAP control to the server. Our query looks like this now:

C:\Windows\system32>adfind -b “CN=Deleted

Objects,DC=intern,DC=frickelsoft,DC=ne

t” -f “&(objectClass=user)(!objectClass=computer)” -showdel objectSID

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: dc.intern.frickelsoft.net:389

Directory: Windows Server 2003

dn:CN=User, Created_0111200813120�ADEL:5d0f95e6-516a-474c-9a35-c479a8d80ff8,CN

=Deleted Objects,DC=intern,DC=frickelsoft,DC=net

>objectSid: S-1-5-21-3722298651-1274886394-2888734146-1603

dn:CN=User, Created_0111200813140�ADEL:73ab9ee1-10c5-4d99-9abc-5d21ca274ef4,CN

=Deleted Objects,DC=intern,DC=frickelsoft,DC=net

>objectSid: S-1-5-21-3722298651-1274886394-2888734146-1604

dn:CN=User, Created_0111200813150�ADEL:c7393437-7868-481e-9633-7cd49c62fb36,CN

=Deleted Objects,DC=intern,DC=frickelsoft,DC=net

>objectSid: S-1-5-21-3722298651-1274886394-2888734146-1605

dn:CN=User, Created_0111200813160�ADEL:8f0fcce6-0f6e-4802-8faa-12e5ae2d48a3,CN

=Deleted Objects,DC=intern,DC=frickelsoft,DC=net

>objectSid: S-1-5-21-3722298651-1274886394-2888734146-1606

4 Objects returned

If you don’t know what ADfind is or what ADMod does, you really should check joe’s repository of cool tools at

http://www.joeware.net

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

Replication of the active directory operates within the directory service component of the security sub system.This component is called Ntdsa.dll and accessed through the LDAP protocol.Ntdsa.dll runs as a part of the Local security authority , which runs as Lsass.exe.Updates are transported by the IP over the RPC protocol.

In the above figure , you can see a common network (2 sites connected via a wan link) with a domain controller in each location

The health and maximized performance depends upon the smooth replication process .If you have problems , with replication you will not only have login problems , but also poor performance .
Now consider a common problem , with a failed network link

ISP ‘s and telecom service providers ocassionally have problems and service can be interrupted . This of course stops the communication between the domain controller’s therefore also severing the repolication process .This can prevent the synchronization of information between the domain controller’s and possibly cause the corruption or other problems .

The best thing is to provide abckup link such as ISDN , is a digital wan technology used to faciliate connections between the sites .More commonly Used today for disaster recovery,ISDN still has a place in today’s market place.

Here are the several steps to trouble shoot active directory

Verifing the Network Connectivity

Inorder to have the replication process properly the Network connectivity must be ina proper way. Although , iodeally all domain controllers would be connected by high -pass and redunat LAN and WAN links this rarely the case for larger deployments and for most companies that utilize slow WAN links that aren’t recoverable from disaster .
In real world, deployments, analog /dial up and slow connections are common ,
if you have verified that replication toplogy is set up properly ,you should communicate that servers are able to communicate properly .

Verifing the router and firewall configurations .

When building a secure network most times controls are placed on the network devices to filter the traffic going form place to place .The most coomonly tool used for controlling the traffivc is firewall.A fire wall usually dedicated to only protecting the perimeter so it is designed to do that it only minimizes the risk.
Firewalls are used to restrict the types of traffic that can be transferred over the networks.Their main use is to prevent unauthorized users from transferring the information .

Network Ports used by the Active directory Replication:

RPC replication uses dynamic port mapping as per default setting .When you need to connect an RPC end point during active directory replication ,RPC uses TCP port 135. RPC on the client contacts the RPC endpoint mapper on the server a well known port and randomly allocates high end TCP ports from 1024 to 65536 .The ports which are used by the active directory replication are .

PROTOCOL PORT

LDAP UDP 389
TCP 389

LDAP(SSL) UDP 636
TCP 636

KERBEROS UDP 88
TCP 88

DNS UDP 53
TCP 53

SMB over IP UDP 445
TCP 445

GLOBAL CATALOG SERVER TCP 3268
TCP 3269

Examining the Event logs:

Errors if they occur they show up in the event viewer. When ever there is an error in the replication service the computer writes events to the directory service and file replication service event logs. we may receive events such as

1. Event ID 1311 in the directory service log
2.Event ID 13265 with error “DNS LOOKUP FAILURE” or ” RPC SERVER UNAVAILABLE”.

Verifing the site links:

Before domain controllers in different sites can communicate each other verify the site links are connected properly. If replication doesnt occur properly verify the site links by using the rool repadmin.exe.Use this site tool for correct site links and to display inbound and outbound connections

Verifing the Replication topology:

The active directory sites and services tool allows you to verify the that a replication topology is logically constient.You can perform this task by right clicking the NTDS settings , within a server object and choosing all tasks => choose replication topology and you can verify the topology by the active directory sites and services tool.

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.

If you’d like to learn more about Active Directory, I’d recommend that you get hold of these Active Directory Training Videos. If you truly want to Learn Active Directory you won’t find better training than this.