Force Active Directory replication

June 23, 2020
The script forces replication in the domain of the object on which the script is executed. You can use the script to force replication of important changes in your AD domain. For example, if you need certain properties of user accounts to be up-to-date on all DCs, you can create a Business Rule that runs the script after updating them.

The script can be used only in Business Rules, Custom Commands or Scheduled Tasks.
Security-sensitive changes, such as user password change or account lock-outs, are replicated immediately by default. There is no need to force replication of such events. For details, see Understanding Urgent Replication.
Caution: The script can cause high replication traffic between your AD domain controllers. Use great caution when deciding to force replication changes.

The script uses the credentials of the user specified in the Run As section of the Run a program or PowerShell script action that runs the script to initiate replication. Make sure that this user has sufficient permissions to connect to the DCs used by Adaxes via PowerShell remoting and to force AD replication.
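Because the scripts below generate replication traffic and depend on the Run As account having remoting and replication rights, it helps to check both before forcing anything. The following is an added example and is not part of the Adaxes script repository: it verifies that the Run As account can open a remoting session to the DC that Adaxes uses, then reports the inbound replication neighbours of every DC in the domain (source server, partition, last successful sync, failure count) without changing anything. It reuses the $Context object from the scripts on this page; the $staleMinutes threshold is an assumed value.

```powershell
# Added example (not from the Adaxes script repository): read-only pre-flight check
# run before forcing replication. $Context is the Adaxes script context used by the
# scripts on this page; $staleMinutes is an assumed threshold for flagging stale neighbours.
$staleMinutes = 60 # TODO: modify me

# Get the DC that Adaxes uses for the domain
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerFQDN = $rootDSE.Get("dnsHostName")

# Get credentials of the Run As account
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PSCredential($Context.RunAs.UserName, $password)

# 1. Confirm that PowerShell remoting works with the Run As account before doing anything else
try
{
    $whoAmI = Invoke-Command -ComputerName $domainControllerFQDN -Credential $credential -ErrorAction Stop -ScriptBlock {
        [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    }
    $Context.LogMessage("Remoting to $domainControllerFQDN succeeded as $whoAmI", "Information")
}
catch
{
    $Context.LogMessage("Remoting to $domainControllerFQDN failed: $($_.Exception.Message)", "Error")
    return
}

# 2. Report inbound replication neighbour state for every DC (read-only, no sync is triggered)
$report = Invoke-Command -ComputerName $domainControllerFQDN -ArgumentList $staleMinutes -Credential $credential -ErrorAction Stop -ScriptBlock {
    param($staleMinutes)

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $threshold = (Get-Date).AddMinutes(-$staleMinutes)

    foreach ($dc in $domain.DomainControllers)
    {
        foreach ($neighbor in $dc.GetAllReplicationNeighbors())
        {
            $state = "OK"
            if ($neighbor.ConsecutiveFailureCount -gt 0)
            {
                $state = "FAILING ($($neighbor.LastSyncMessage))"
            }
            elseif ($neighbor.LastSuccessfulSync -lt $threshold)
            {
                $state = "STALE"
            }
            "$($dc.Name) <- $($neighbor.SourceServer) [$($neighbor.PartitionName)]: last success $($neighbor.LastSuccessfulSync), $state"
        }
    }
}

foreach ($line in $report)
{
    $Context.LogMessage($line, "Information")
}
```

Neighbours reported as FAILING point to a connectivity or permission problem that forcing replication will not fix; neighbours reported as OK for the partition you care about usually do not need a forced sync at all, which keeps the replication traffic the caution above warns about to a minimum.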

Synchronize with all domain controllers

Parameter:

  • $allPartitions - when set to $True, the script forces replication of all Active Directory partitions. When set to $False, only the default partition will be replicated.
PowerShell
# Get the DC that Adaxes uses for the domain
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerFQDN = $rootDSE.Get("dnsHostName")

# Get credentials
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)

# Invoke command
$result = Invoke-Command -ComputerName $domainControllerFQDN -Credential $credential -ErrorAction Stop -ScriptBlock {
    $allPartitions = $True # TODO: modify me
    
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    
    foreach ($dc in $domain.DomainControllers)
    {
        $partitions = @()
        if ($allPartitions) 
        {
            $partitions += $dc.Partitions
        }
        else
        {
            $partitions += ([ADSI]"").distinguishedName
        }
        
        foreach ($partition in $partitions)
        {
            "$($dc.Name) - Syncing replicas from all servers for partition '$partition'"
            $dc.SyncReplicaFromAllServers($partition, 'CrossSite')
        }
    }
}

if (-not [System.String]::IsNullOrEmpty($result))
{
    # Write each line returned by the remote script block to the Adaxes log
    $result | % {$Context.LogMessage($_, "Information")}
}

Synchronize with specific domain controllers only

Parameters:

  • $allPartitions - when set to $True, the script forces replication of all Active Directory partitions. When set to $False, only the default partition will be replicated.
  • $domainControllers - specifies the fully qualified names of the domain controllers with which the synchronization will be performed.
PowerShell
# Get the DC that Adaxes uses for the domain
$domainName = $Context.GetObjectDomain("%distinguishedName%")
$rootDSE = $Context.BindToObject("Adaxes://$domainName/rootDSE")
$domainControllerFQDN = $rootDSE.Get("dnsHostName")

# Get credentials
$password = ConvertTo-SecureString -AsPlainText -Force -String $Context.RunAs.Password
$credential = New-Object System.Management.Automation.PsCredential($Context.RunAs.UserName, $password)

# Invoke command
$result = Invoke-Command -ComputerName $domainControllerFQDN -ArgumentList $domainControllerFQDN -Credential $credential -ErrorAction Stop -ScriptBlock {
    param($domainControllerFQDN)
    $allPartitions = $True # TODO: modify me
    $domainControllers = @("mydc1.domain.com", "mydc2.domain.com") # TODO: modify me
    
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers)
    {
        if ($domainControllerFQDN -eq $dc.Name -or $domainControllers -notcontains $dc.Name)
        {
            continue
        }
        
        $partitions = @()
        if ($allPartitions) 
        {
            $partitions += $dc.Partitions
        }
        else
        {
            $partitions += ([ADSI]"").distinguishedName
        }
        
        foreach ($partition in $partitions)
        {
            "$($dc.Name) - Syncing replicas from all servers for partition '$partition'"
            $dc.SyncReplicaFromServer($partition, $domainControllerFQDN)
        }
    }
}

if (-not [System.String]::IsNullOrEmpty($result))
{
    # Write each line returned by the remote script block to the Adaxes log
    $result | % {$Context.LogMessage($_, "Information")}
}
