Mark Minasi's Reader Forum
 Looking for a particular registry key on systems

Edwardthe1st
Old Timer

USA
458 Posts
Posted - 04/11/2011 :  2:52:40 PM
I'm getting ready to enable strict replication consistency for my domain controllers and wanted an automated way of checking all the systems before and after the process is run. The script that follows does just that and while it may not be pretty (and not too efficient syntax-wise for that matter?), it works.

Any feedback is greatly appreciated.

===============================================
On Error Resume Next

Const ForReading = 1
Const ForWriting = 2
Const HKEY_LOCAL_MACHINE = &H80000002

'Text file containing names of systems to check with each host to a line.
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextFile = objFSO.OpenTextFile _
  ("c:\Scripts\Servers.txt", ForReading)

'Text file to write results to.
Set objTextFile1 = objFSO.OpenTextFile _
  ("c:\Scripts\Registry Query Results.txt", ForWriting, True)
objTextFile1.WriteLine("Script began execution at " & Now() & "!" & VBCRLF)

'Start of the work section loop.
Do Until objTextFile.AtEndOfStream
  strComputer = Trim(objTextFile.ReadLine)

  'Reset per-host state.  With On Error Resume Next, Err and dwValue otherwise
  'keep whatever the previous host left behind.
  Err.Clear
  dwValue = Null

  'Connect to the registry on client.  If the client is inaccessible, write an error to the log file.
  Set objRegistry = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
    strComputer & "\root\default:StdRegProv")

  If Err.Number <> 0 Then
    objTextFile1.WriteLine(strComputer & vbTab & "is inaccessible - unable to connect to the registry!" & vbCrLf)
  Else

    ' Get the current value of the DWord key if it exists.
    strKeyPath = "SYSTEM\CurrentControlSet\services\NTDS\Parameters"
    strValueName = "Strict Replication Consistency"
    objRegistry.GetDWORDValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName, dwValue

    'Only report on the value when the host was actually reached.
    If IsNull(dwValue) Then
      objTextFile1.WriteLine(strComputer & vbTab & "- Registry key does not exist!" & vbCrLf)
    Else
      objTextFile1.WriteLine(strComputer & vbTab & "- The registry key exists with a value of" & Space(1) & dwValue)
    End If

  End If

Loop

objTextFile1.WriteLine("Script completed execution at " & Now() & "!")
objTextFile.Close
objTextFile1.Close

Wscript.echo "Query process has finished - Review the log for results."

=====================================
Hopefully I'll be able to post a PoSh version of this script at some point

I <3 AD.

Edited by - Edwardthe1st on 04/11/2011 2:54:12 PM

wkasdo
Administrator

Netherlands
7403 Posts
Posted - 04/11/2011 :  4:12:29 PM
A different approach would be to create a custom ADM template, and apply it using a policy on OU=Domain Controllers.

Make it as simple as you can, but not simpler -- Albert Einstein

Edwardthe1st
Old Timer

USA
458 Posts

Posted - 04/11/2011 :  4:19:40 PM
Do you mean for enabling SRC? I was actually looking into a few different methods (script, repadmin * + strict, etc.). The custom ADM template would be a good idea as well.

I <3 AD.

wkasdo
Administrator

Netherlands
7403 Posts

Posted - 04/11/2011 :  4:23:33 PM
Yes, enabling strict. One benefit of GPO is that all new DC's would have it (although that can be done in other ways as well)

Make it as simple as you can, but not simpler -- Albert Einstein

Edwardthe1st
Old Timer

USA
458 Posts

Posted - 04/11/2011 :  4:29:03 PM
Hmm, taking this one step further how about Group Policy Preference then? GPP can be used to set registry keys so that should work if I define this as either a separate policy linked to the Domain Controllers OU (i.e. functional) or within the existing Default Domain Controllers Policy (i.e. monolithic). What do you think?

I <3 AD.

wkasdo
Administrator

Netherlands
7403 Posts

Posted - 04/11/2011 :  4:40:38 PM
Sure, makes perfect sense if all your DC's are on 2008 or better. Better than ADM!

Make it as simple as you can, but not simpler -- Albert Einstein

Edwardthe1st
Old Timer

USA
458 Posts

Posted - 04/11/2011 :  5:08:32 PM
The commercial forest was in-place upgraded from 2003 to Server 2008 R2, so I think GPP will be the way to go here. And as you already pointed out earlier, any additional systems that come online in the future will pick this up thanks to the policy. I did some checking after I wrote the script and while the key isn't there in the production forest, it does exist on the VMs running in the lab. The only difference is that the lab was deployed clean and pristine and not upgraded.

I <3 AD.

daemonroot
Here To Stay

Costa Rica
139 Posts

Posted - 04/11/2011 :  5:33:52 PM
Well what I did to check that out was way less fancy than your script but it also does the job.
On step one I get the list of all DCs in the forest and then using that list I go checking their Registry for the "Strict Replication Consistency" parameter.

dsquery server -forest -o rdn >>dclist.txt
for /f %a in (dclist.txt) do echo %a >>srcCheck.log && reg query \\%a\HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters | findstr /I "Consistency" >>srcCheck.log


Now with the log file provided you can create a similar batch to add the key.
One thing to mention is that in my case I always had the impression that SRC is enabled by default after 2003 SP1 but let's read further.

From http://technet.microsoft.com/en-us/library/cc738018(WS.10).aspx

Strict replication consistency enabled

The value of strict replication consistency on domain controllers that are installed into a forest defaults to enabled (1) under the following conditions:
- The forest root domain of a new forest is created by upgrading the Windows NT 4.0 primary domain controller (PDC) to Windows Server 2003 by using the Windows Server 2003 version of Winnt32.exe.
- The forest root domain of a new forest is created by installing Active Directory on a server running Windows Server 2003.

Strict replication consistency disabled

The value of strict replication consistency on domain controllers defaults to disabled (0) under the following conditions:
- A domain controller running Windows 2000 Server is upgraded to Windows Server 2003.
- A server running Windows 2000 Server is promoted into a Windows Server 2003 forest.

If you have a domain controller that is running Windows Server 2003 with SP1, you do not need to edit the registry to set strict replication consistency. Instead, you can use Repadmin to set the value for one or all domain controllers in the forest.


Now, the procedure described here can help you skip the scripting part http://blogs.technet.com/b/askds/archive/2010/02/15/strict-replication-consistency-myth-versus-reality.aspx
Gotta keep in mind that creating the mentioned container would NOT change the SRC parameters on existing DCs.

~D
http://sysadmin-cr.com/

Edited by - daemonroot on 04/11/2011 6:30:59 PM
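
The before-and-after audit discussed in this thread, as an added PowerShell example that is not part of any poster's message: it lists the forest's domain controllers and reports, per DC, whether the value is enabled, disabled, missing, or the host could not be reached. The function name Get-SrcState, the -ComputerName parameter, the output file name and the use of the .NET remote-registry API are assumptions of this example.

```powershell
# Added example, not from the thread. Assumes PowerShell 3.0+, the Remote Registry
# service running on each DC, and rights to read HKLM remotely.
param([string[]]$ComputerName)   # optional explicit host list (hypothetical parameter)

$keyPath   = 'SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'Strict Replication Consistency'

function Get-SrcState {
    param([Parameter(Mandatory = $true)][string]$Computer)

    $row  = [pscustomobject]@{ Computer = $Computer; State = 'Unreachable'; Value = $null }
    $base = $null
    $sub  = $null
    try {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
            [Microsoft.Win32.RegistryHive]::LocalMachine, $Computer)
        $sub = $base.OpenSubKey($keyPath)
        if ($null -eq $sub) {
            $row.State = 'KeyMissing'            # NTDS\Parameters key is absent
        } else {
            $value = $sub.GetValue($valueName, $null)
            $row.Value = $value
            if     ($null -eq $value) { $row.State = 'ValueMissing' }
            elseif ($value -eq 1)     { $row.State = 'Enabled' }
            elseif ($value -eq 0)     { $row.State = 'Disabled' }
            else                      { $row.State = 'Unexpected' }
        }
    } catch {
        # Connection or access failure: keep it distinct from "value missing".
        $row.State = 'Unreachable'
    } finally {
        if ($sub)  { $sub.Close() }
        if ($base) { $base.Close() }
    }
    $row
}

if (-not $ComputerName) {
    # Every DC in every domain of the current forest.
    $ComputerName = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Domains |
        ForEach-Object { $_.DomainControllers } | ForEach-Object { $_.Name }
}

$report = $ComputerName | ForEach-Object { Get-SrcState -Computer $_ }
$report | Sort-Object State, Computer | Format-Table -AutoSize
$report | Export-Csv -Path .\src-audit.csv -NoTypeInformation   # keep for the after-change comparison
```

Run it once before and once after the change and compare the two CSV files; any DC that still shows ValueMissing or Disabled did not pick up the setting.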

Edwardthe1st
Old Timer

USA
458 Posts

Posted - 04/11/2011 :  6:36:49 PM
You beat me to the punch :-) Only if the forest is newly deployed, in other words if you don't do an in-place upgrade from a previous version like I did then you need to go in and turn it on.

I <3 AD.

daemonroot
Here To Stay

Costa Rica
139 Posts

Posted - 04/12/2011 :  4:21:37 PM
Glad to help!

~D
http://sysadmin-cr.com/
Mark Minasi's Reader Forum © 2002-2011 Mark Minasi