Multiple SQL Servers on Multiple Domain Controllers

  • Hi All,

    We have a cookie-cutter client-server application. When a new app request comes in, I run a script which

    ---- creates a copy of the DB on multiple SQL Servers (prod, backup, off-site backup)

    ---- creates AD groups, creates logins for these on the SQL Servers.

    The problem I am encountering is this: the local Domain controller is where I create the AD Groups. The off-site SQL Server - same domain - connects to an off-site DC - as it should be. However, I can't create the logins on the off-site SQL Server until AD replicates, which is currently up to 15 minutes.

    I will not be granted domain admin, which would allow me to force replication in my script.

    Does anybody see a way that I can get around waiting the 15 minutes? It's not the end of the world, but it is a nuisance.

    This is a mixed domain (Win 2003/2008). The SQL Servers are 2008 R2.

    Any input is appreciated.

    Thanks,

    Paul

  • Create the groups and run the script from the remote SQL Server. That will create everything on the DC it talks to, which will in turn replicate eventually to all DCs. Remember, AD is a multi-master model, so as long as it's not talking to a read-only DC (which, if you need to create anything, would get bumped up the line anyway), you're fine.

    K. Brian Kelley
    @kbriankelley
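As an added illustration of the workflow Paul describes and the approach Brian suggests (not code from either of them or from any product): create the group once, against the DC that serves the SQL Server which is usually last to see it, then wait for each server's DC to show the same SID before creating the login there. Server, DC, OU and group names are placeholders; the script assumes the RSAT ActiveDirectory module and an Invoke-Sqlcmd provider (SQLPS on 2008 R2 hosts, the SqlServer module elsewhere).

```powershell
# Added example for the thread above; not from the original posts. All names below
# are placeholders. Requires the ActiveDirectory module and Invoke-Sqlcmd.
Import-Module ActiveDirectory
Import-Module SqlServer   # on SQL Server 2008 R2 hosts use: Import-Module SQLPS

$Domain    = 'EXAMPLE'                          # placeholder NetBIOS domain name
$GroupName = 'APP_Client042_Users'              # placeholder group name
$GroupOU   = 'OU=AppGroups,DC=example,DC=com'   # placeholder OU

# Each SQL Server paired with the DC it authenticates against (placeholders).
$Targets = @(
    @{ Sql = 'SQLPROD01';   Dc = 'DC-LOCAL01.example.com'  },
    @{ Sql = 'SQLBACKUP01'; Dc = 'DC-LOCAL01.example.com'  },
    @{ Sql = 'SQLDR01';     Dc = 'DC-REMOTE01.example.com' }
)

# Create the group exactly once. AD is multi-master, so the SID assigned here is
# the SID every DC will hold after replication; no second copy is ever created.
# Creating it against the off-site DC makes that site see it immediately.
$createOn = $Targets[-1].Dc
$group = New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security `
                     -Path $GroupOU -Server $createOn -PassThru
Write-Host "Created $($group.SamAccountName) with SID $($group.SID.Value) on $createOn"

# Binary form of the SID, for comparison with what SQL Server resolves.
$expectedSid = New-Object byte[] $group.SID.BinaryLength
$group.SID.GetBinaryForm($expectedSid, 0)
$expectedHex = ($expectedSid | ForEach-Object { $_.ToString('x2') }) -join ''

# Poll a specific DC until it has received the group (or the timeout passes).
function Wait-GroupOnDc {
    param([string]$Dc, [string]$Sid, [int]$TimeoutMinutes = 20)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        try {
            if (Get-ADGroup -Identity $Sid -Server $Dc -ErrorAction Stop) { return $true }
        } catch { }          # not replicated to this DC yet
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

# If replication rights were delegated (as the thread's admin eventually did),
# a push of the domain partition shortcuts the wait, e.g.:
#   repadmin /replicate DC-LOCAL01.example.com DC-REMOTE01.example.com DC=example,DC=com

$login = "$Domain\$GroupName"
foreach ($t in $Targets) {
    if (-not (Wait-GroupOnDc -Dc $t.Dc -Sid $group.SID.Value)) {
        Write-Warning "$GroupName not visible on $($t.Dc) after timeout; skipping $($t.Sql)"
        continue
    }

    # Ask the SQL Server itself to resolve the name. NULL means its DC has not
    # caught up; a different SID means the name resolved to some other object,
    # which is the case where a login must NOT be created.
    $row = Invoke-Sqlcmd -ServerInstance $t.Sql -Query "SELECT SUSER_SID(N'$login') AS Sid;"
    if ($null -eq $row.Sid -or $row.Sid -is [System.DBNull]) {
        Write-Warning "$($t.Sql) cannot resolve $login yet; skipping"
        continue
    }
    $actualHex = ($row.Sid | ForEach-Object { $_.ToString('x2') }) -join ''
    if ($actualHex -ne $expectedHex) {
        Write-Warning "$($t.Sql) resolves $login to a different SID; skipping"
        continue
    }

    # Idempotent login creation for the Windows group.
    $create = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS;
"@
    Invoke-Sqlcmd -ServerInstance $t.Sql -Query $create
    Write-Host "Login $login present on $($t.Sql)"
}
```

The SID comparison is what answers the out-of-sync question raised later in the thread: because the group is created once and only replicated, every DC ends up with the same SID, and a server whose SUSER_SID result differs from the SID New-ADGroup returned is telling you it resolved the wrong object, not a stale copy of the right one.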

  • Hey Brian,

    So if I understand you, I can create the AD groups on both DCs?

    There won't be a problem with out-of-synch SIDs after replication occurs?

    Paul

  • schleep (11/16/2011)


    Hey Brian,

    So if I understand you, I can create the AD groups on both DCs?

    There won't be a problem with out-of-synch SIDs after replication occurs?

    Paul

    If you're talking DCs in the same domain, you only need to create them once and they will replicate to all the other DCs in the domain. So instead of creating them against the local domain controller (how are you doing this... if you are actually logging on to the DC, then you have the equivalent of domain admin rights), then they will eventually replicate to all DCs. Likewise, if you create them against the DC the SQL Server is primarily talking to, it will eventually replicate the group changes to all DCs.

    By doing it against the DC the SQL Server is talking to, you're effectively reversing that replication direction, if that makes sense. So the DC which SQL talks to sees the groups immediately, allowing you to proceed, while your local DC will get the changes up to 15 minutes later.

    K. Brian Kelley
    @kbriankelley

  • Ah...but that just moves the problem from remote to local... as in the local SQL Servers won't see those groups until the replication occurs.

    I was given the rights to create AD security groups.

But repadmin /replicate can only be run by domain admins.

    Paul

  • Yay, problem solved. My domain admin found a way to grant me rights to run repadmin /replicate without making me domain admin!

    P

  • Here's a dumb question you may ask. Not sure how large your environment is, but in a lot of places with the upgrade to 2003 AD inter-site replication became significantly faster. Wonder why you guys are still at the 15 minute mark.

    K. Brian Kelley
    @kbriankelley

  • 15 minutes is the lowest possible setting, according to my admin guy: we tried for 5, but he sent me a screen shot showing the message box where it says possible values are between 15 and 10800 minutes.

  • OK, that means he has them configured as separate physical sites, which makes sense, then. That also explains why the SQL Servers are talking to their DCs. That's all per best practices, though we've combined sites when it made sense to. However, to do so you have to have enough bandwidth.

    K. Brian Kelley
    @kbriankelley
