We use cookies to improve your experience.
By your continued use of this site you accept such use.
For more details please see our privacy policy and cookies policy.

Script Repository

Force Active Directory replication

January 14, 2022 Views: 6388

The script forces replication in the domain of the object the script is executed for. You can use the script in a business rule, custom command or scheduled task.

Security-sensitive changes, such as user password change or account lock-outs, are replicated immediately by default. There is no need to force replication of such events. For details, see Understanding Urgent Replication.
Caution: The script can cause high replication traffic between your AD domain controllers.

IMPORTANT: The script uses credentials of the account specified in the Run As section of the Run a program or PowerShell script action. Make sure that the user has sufficient permissions to connect to DCs used by Adaxes via PowerShell remoting and force AD replication.

Synchronize with all domain controllers

In the script, set the $allPartitions variable to $True to force replication of all Active Directory partitions. When set to $False, only the default partition will be replicated.

Edit Remove
PowerShell
# Get the DC that Adaxes uses for the domain
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerFQDN = $rootDSE.Get("dnsHostName")

# Get credentials
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)

# Invoke command
$result = Invoke-Command -ComputerName $domainControllerFQDN -Credential $credential -ErrorAction Stop -ScriptBlock {
    $allPartitions = $True # TODO: modify me
    
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    
    foreach ($dc in $domain.DomainControllers)
    {
        $partitions = @()
        if ($allPartitions) 
        {
            $partitions += $dc.Partitions
        }
        else
        {
            $partitions += ([ADSI]"").distinguishedName
        }
        
        foreach ($partition in $partitions)
        {
            "$($dc.Name) - Syncing replicas from all servers for partition '$partition'"
            $dc.SyncReplicaFromAllServers($partition, 'CrossSite')
        }
    }
}

if (-not [System.String]::IsNullOrEmpty($result))
{
    $result | %% {$Context.LogMessage($_, "Information")}
}

Synchronize with specific domain controllers only

Parameters:

  • $allPartitions - when set to $True, the script forces replication of all Active Directory partitions. When set to $False, only the default partition will be replicated.
  • $domainControllers - specifies the domain controllers for which the synchronization will be performed.
Edit Remove
PowerShell
# Get the DC that Adaxes uses for the domain
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerFQDN = $rootDSE.Get("dnsHostName")

# Get credentials
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)

# Invoke command
$result = Invoke-Command -ComputerName $domainControllerFQDN -ArgumentList $domainControllerFQDN -Credential $credential -ErrorAction Stop -ScriptBlock {
    param($domainControllerFQDN)
    $allPartitions = $True # TODO: modify me
    $domainControllers = @("mydc1.domain.com", "mydc2.domain.com") # TODO: modify me
    
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers)
    {
        if ($domainControllerFQDN -eq $dc.Name -or $domainControllers -notcontains $dc.Name)
        {
            continue
        }
        
        $partitions = @()
        if ($allPartitions) 
        {
            $partitions += $dc.Partitions
        }
        else
        {
            $partitions += ([ADSI]"").distinguishedName
        }
        
        foreach ($partition in $partitions)
        {
            "$($dc.Name) - Syncing replicas from all servers for partition '$partition'"
            $dc.SyncReplicaFromServer($partition, $domainControllerFQDN)
        }
    }
}

if (-not [System.String]::IsNullOrEmpty($result))
{
    $result | %% {$Context.LogMessage($_, "Information")}
}
Comments 2
avatar
Easton Straus Feb 04, 2024
Hello,

I have added the first script to sync with all domain controllers and I left all partions to true. But when I run it, I get the following errors in the execution log. is the script still correct:

Cannot bind argument to parameter 'String' because it is null. Stack trace: at <ScriptBlock>, <No file>: line 7
Exception calling ".ctor" with "2" argument(s): "Cannot process argument because the value of argument "userName" is not valid. Change the value of the "userName" argument and run the operation again." Stack trace: at <ScriptBlock>, <No file>: line 8
Cannot process argument transformation on parameter 'Credential'. A command that prompts the user failed because the host program or the command type does not support user interaction. The host was attempting to request confirmation with the following message: Enter your credentials. Stack trace: at <ScriptBlock>, <No file>: line 11
avatar
Support Feb 05, 2024
Hello Easton,

The script uses the credentials specified in the Run as section of the Run a program or PowerShell script action. According to the errors, you did not specify the credentials. Mae sure to do that as described in the instructions to the scripts in the beginning of the article.
Leave a comment
Loading...

Got questions?

Support Questions & Answers