Purpose :
In some cases (lingering objects, corruption), an Active Directory partition needs to be rehosted. This technique allows you to "re-host" a partition on an Active Directory domain controller without dumping all the other read-only partitions (as you would by simply un-checking the Global Catalog option). It saves time and replication traffic, and reduces the impact on your domain controller in cases where you believe you have invalid data hosted on a particular server (http://blogs.msdn.com/b/canberrapfe/archive/2012/04/14/un-hosting-amp-re-hosting-active-directory-partitions.aspx)
I have written this script to automate the rehosting task of an Active Directory partition in a complex forest/site infrastructure. The first step before using this script is to build a configuration file with the domain controllers that need a rehost. To be clear, I will use the following example :
In that structure, all the domain controllers forest-wide are Global Catalogs. Each domain belongs to a specific Active Directory site. I need to rehost the partition "dc=child2,dc=root,dc=com".
The domain controllers of the domain child2.root.com have a valid copy of the partition. For the rehost, I will use one of the child2.root.com domain controllers as the valid source. For this example, the valid source will be :
This is the list of the domain controllers that need a rehosting of the partition “dc=child2,dc=root,dc=com” :
  • server1.root.com
  • server2.root.com
  • server3.root.com
  • server1.child1.root.com
  • server2.child1.root.com
  • server3.child1.root.com
  • server1.sub1.child1.root.com
  • server2.sub1.child1.root.com
  • server3.sub1.child1.root.com
  • server1.sub2.child1.root.com
  • server2.sub2.child1.root.com
  • server3.sub2.child1.root.com
  • server1.sub3.child1.root.com
  • server2.sub3.child1.root.com
  • server3.sub3.child1.root.com

To avoid any impact on production, at least one Global Catalog always remains available in each domain/site. These are the configuration files and the schedule plan for the rehost :

  • Day 1 : rehost the first root.com domain controller
    • conf1-1.txt :
    • Execute the following command :
.\script.ps1 conf1-1.txt
  • Day 1 : when the rehost of the first root.com domain controller is successful, launch the rehost script for the remaining root.com domain controllers
    • conf1-2.txt :
    • Execute the following command :
.\script.ps1 conf1-2.txt
  • Day 2 : rehost the first child1.root.com domain controller
    • conf2-1.txt :
    • Execute the following command :
.\script.ps1 conf2-1.txt
  • Day 2 : when the rehost of the first child1.root.com domain controller is successful, launch the rehost script for the remaining child1.root.com domain controllers
    • conf2-2.txt :
    • Execute the following command :
.\script.ps1 conf2-2.txt
  • Day 3 : rehost the first domain controller of the domains sub1, sub2 and sub3
    • conf3-1.txt :
    • Execute the following command :
.\script.ps1 conf3-1.txt
  • Day 3 : when the rehost of the first domain controllers is successful, launch the rehost script for the remaining domain controllers
    • conf3-2.txt :
    • Execute the following command :
.\script.ps1 conf3-2.txt
Every time you execute the script, a log file is created. The script performs the following steps :

  • test if the source and destination servers are reachable on the network
  • test if the remote registry is available on the destination server
  • a registry key and value are created to unregister the Global Catalog of the destination server from DNS (gc._msdcs zone). This step avoids errors if a user tries to reach that Global Catalog during the rehost task
  • the script will pause for 30 minutes to let the DNS synchronize on all other domain controllers
  • unhost the partition on the destination server
  • check if the unhost task is successful by checking the event id 1660 on the destination server
  • rehost the partition on the destination server using the valid one located on the source server
  • wait for the user's reply : you have to check the generated log files and validate that the rehost is successful. If you need to restart the rehost, press "r" and then Enter to restart the task. Otherwise, just press Enter
  • the registry key and value are removed to register back the server in the DNS

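As an added example (this is not the author's script.ps1, which is not reproduced on this page), here is a Windows PowerShell 5.1 script that implements the nine steps above. It assumes RSAT (repadmin.exe) on the host it runs from, WinRM enabled on the destination domain controllers, a configuration file with one destination DC FQDN per line, and that the partition DN and the valid source DC are passed as parameters. The GC de-registration uses the standard Netlogon DnsAvoidRegisterRecords value with the Gc, GcIpAddress and GenericGc mnemonics; the 1660 check polls the Directory Service event log.

```powershell
# Added example, not the author's script.ps1. Assumptions: Windows PowerShell 5.1
# on a host with RSAT (repadmin.exe), WinRM enabled on the destination DCs, and a
# config file with one destination DC FQDN per line ('#' lines are ignored).
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $ConfigFile,
    [Parameter(Mandatory)] [string] $Partition,   # e.g. dc=child2,dc=root,dc=com
    [Parameter(Mandatory)] [string] $SourceDC,    # DC that holds a known-good copy
    [int] $DnsSettleMinutes = 30,                 # the 30-minute DNS convergence wait
    [int] $UnhostTimeoutMinutes = 60              # how long to wait for event 1660
)

$Log = Join-Path $PSScriptRoot ('rehost-{0}.log' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
function Write-Log([string] $Message) {
    ('[{0}] : {1}' -f (Get-Date), $Message) | Tee-Object -FilePath $Log -Append
}

# Netlogon mnemonics that stop a DC from registering its GC records (gc._msdcs zone)
$NetlogonKey = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$GcMnemonics = [string[]] @('Gc', 'GcIpAddress', 'GenericGc')

function Test-RemoteRegistry([string] $Server) {
    try {
        [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server).Close()
        return $true
    } catch { return $false }
}

function Set-GcDnsRegistration([string] $Server, [bool] $Enabled) {
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    $key  = $base.OpenSubKey($NetlogonKey, $true)
    if ($Enabled) {
        $key.DeleteValue('DnsAvoidRegisterRecords', $false)   # no error if already absent
    } else {
        $key.SetValue('DnsAvoidRegisterRecords', $GcMnemonics,
                      [Microsoft.Win32.RegistryValueKind]::MultiString)
    }
    $key.Close(); $base.Close()
    # Netlogon reads the value at start-up, so restart it to (de)register the records now
    Invoke-Command -ComputerName $Server -ScriptBlock { Restart-Service -Name Netlogon }
}

function Wait-UnhostEvent([string] $Server, [datetime] $Since, [int] $TimeoutMinutes) {
    # Event 1660 in the Directory Service log signals that the partition removal finished
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -MaxEvents 1 `
              -FilterHashtable @{ LogName = 'Directory Service'; Id = 1660; StartTime = $Since }
        if ($ev) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

$Targets = Get-Content $ConfigFile | ForEach-Object { $_.Trim() } |
           Where-Object { $_ -and -not $_.StartsWith('#') }

:nextDc foreach ($dc in $Targets) {
    # Step 1: both ends must answer on the network before touching anything
    foreach ($node in @($SourceDC, $dc)) {
        if (-not (Test-Connection -ComputerName $node -Count 2 -Quiet)) {
            Write-Log "$node is not reachable, skipping $dc"; continue nextDc
        }
    }
    # Step 2: the registry change below needs the remote registry
    if (-not (Test-RemoteRegistry $dc)) { Write-Log "Remote registry unavailable on $dc, skipping"; continue }

    # Steps 3-4: pull the GC records out of DNS and let the change converge
    Set-GcDnsRegistration -Server $dc -Enabled $false
    Write-Log "GC DNS records of $dc withdrawn, waiting $DnsSettleMinutes minutes for DNS to converge"
    Start-Sleep -Seconds ($DnsSettleMinutes * 60)

    # Steps 5-8: unhost, verify with event 1660, rehost, then let the operator decide
    do {
        $started = Get-Date
        Write-Log "Unhosting the partition $Partition on the server $dc"
        & repadmin.exe /unhost $dc $Partition 2>&1 | Tee-Object -FilePath $Log -Append
        if (Wait-UnhostEvent -Server $dc -Since $started -TimeoutMinutes $UnhostTimeoutMinutes) {
            Write-Log "Event 1660 found on $dc, unhost completed"
        } else {
            Write-Log "Event 1660 not found on $dc within $UnhostTimeoutMinutes minutes, check the DC before continuing"
        }
        Write-Log "Rehosting the partition $Partition on the server $dc using the valid source $SourceDC"
        & repadmin.exe /rehost $dc $Partition $SourceDC 2>&1 | Tee-Object -FilePath $Log -Append
        $answer = Read-Host "Check $Log, then press 'r' and Enter to restart the rehost of $dc, or Enter to continue"
    } while ($answer -eq 'r')

    # Step 9: put the DC back into the gc._msdcs zone
    Set-GcDnsRegistration -Server $dc -Enabled $true
    Write-Log "GC DNS registration of $dc restored"
}
```

Usage follows the page's own pattern, with the two extra parameters this example needs: .\rehost.ps1 -ConfigFile conf1-1.txt -Partition 'dc=child2,dc=root,dc=com' -SourceDC server1.child2.root.com. The labelled foreach with continue nextDc is what makes step 1 skip a whole destination rather than just one of the two reachability tests, and the 1660 poll is bounded so a stuck unhost is logged instead of blocking the run forever.
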
The rehost task is successful if you find the following message in the log file :

[mardi 20 août 2013 07:46:18] : Rehosting the partition dc=child2,dc=root,dc=com on the server server2.sub1.child1.root.com using the valid source server1.sub1.child1.root.com…
New DSA Options: IS_GC DISABLE_NTDSCONN_XLATE
Removal of partition dc=child2,dc=root,dc=com is in progress…
Replication link from source:(null) to dest:server2.sub1.child1.root.com deleted.
Full sync of partition dc=child2,dc=root,dc=com is in progress. Please be patient.
This step may take many hours on a large partition.
You can monitor the progress of the full sync using repadmin /showreps /v in another window.
One-way replication from source:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._msdcs. to dest:server2.sub1.child1.root.com established.
New DSA Options: IS_GC
==== INBOUND NEIGHBORS ======================================
dc=child2,dc=root,dc=com
    SUB1-SITE\SERVER1 via RPC
        DSA object GUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
        Address: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx._msdcs.
        DSA invocationID: yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy
        SYNC_ON_STARTUP DO_SCHEDULED_SYNCS
        USNs: 123456789/OU, 123456789/PU
        Last attempt @ 2013-08-20 07:49:56 was successful.

IMPORTANT : If you have slow site links, you will probably receive AD replication error 1818 during the full sync. To resolve it, please follow this procedure on the destination domain controller.

Script :
