Advanced Active Directory Replication and Topology Management Using Windows PowerShell (Level 200)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains the new AD DS replication and topology management cmdlets in more detail and provides additional examples. For an introduction, see Introduction to Active Directory Replication and Topology Management Using Windows PowerShell (Level 100).

  1. Introduction

  2. Replication and Metadata

  3. Get-ADReplicationAttributeMetadata

  4. Get-ADReplicationPartnerMetadata

  5. Get-ADReplicationFailure

  6. Get-ADReplicationQueueOperation and Get-ADReplicationUpToDatenessVectorTable

  7. Sync-ADObject

  8. Topology

Introduction

Windows Server 2012 extends the Active Directory module for Windows PowerShell with twenty-five new cmdlets to manage replication and forest topology. Prior to this, you were forced to use the generic *-ADObject nouns or call .NET functions.

Like all Active Directory Windows PowerShell cmdlets, this new functionality requires installing the Active Directory Management Gateway Service on at least one domain controller (and preferably, all domain controllers).

The following table lists the new replication and topology cmdlets added to the Active Directory Windows PowerShell module.

Cmdlet                                       Explanation
-------------------------------------------  -----------------------------------------------------------------
Get-ADReplicationAttributeMetadata           Returns attribute replication metadata for an object
Get-ADReplicationConnection                  Returns domain controller connection object details
Get-ADReplicationFailure                     Returns the most recent replication failure for a domain controller
Get-ADReplicationPartnerMetadata             Returns the replication configuration of a domain controller
Get-ADReplicationQueueOperation              Returns the current replication queue backlog
Get-ADReplicationSite                        Returns site information
Get-ADReplicationSiteLink                    Returns site link information
Get-ADReplicationSiteLinkBridge              Returns site link bridge information
Get-ADReplicationSubnet                      Returns AD subnet information
Get-ADReplicationUpToDatenessVectorTable     Returns the UTD vector for a domain controller
Get-ADTrust                                  Returns information about an inter-domain or inter-forest trust
New-ADReplicationSite                        Creates a new site
New-ADReplicationSiteLink                    Creates a new site link
New-ADReplicationSiteLinkBridge              Creates a new site link bridge
New-ADReplicationSubnet                      Creates a new AD subnet
Remove-ADReplicationSite                     Deletes a site
Remove-ADReplicationSiteLink                 Deletes a site link
Remove-ADReplicationSiteLinkBridge           Deletes a site link bridge
Remove-ADReplicationSubnet                   Deletes an AD subnet
Set-ADReplicationConnection                  Modifies a connection
Set-ADReplicationSite                        Modifies a site
Set-ADReplicationSiteLink                    Modifies a site link
Set-ADReplicationSiteLinkBridge              Modifies a site link bridge
Set-ADReplicationSubnet                      Modifies an AD subnet
Sync-ADObject                                Forces replication of a single object

Most of these cmdlets have their basis in Repadmin.exe. Other cmdlets (not listed) handle features like Dynamic Access Control and Group Managed Service Accounts.

For a complete list of all Active Directory Windows PowerShell cmdlets, run:

Get-Command -Module ActiveDirectory

For a complete list of all Active Directory Windows PowerShell cmdlet arguments, reference the help. For example:

Get-Help New-ADReplicationSite

Use the Update-Help cmdlet to download and install the help files.

Replication and Metadata

Repadmin.exe validates the health and consistency of Active Directory replication. Repadmin.exe offers simple data manipulation options (some arguments support CSV output, for example), but automation generally required parsing text file outputs. The Active Directory module for Windows PowerShell is the first attempt at offering an option that allows real control over the returned data; prior to this, you had to create scripts or use third-party tools.

Additionally, the following cmdlets implement a new parameter set of Target, Scope, and EnumerationServer:

  • Get-ADReplicationFailure

  • Get-ADReplicationPartnerMetadata

  • Get-ADReplicationUpToDatenessVectorTable

The Target argument accepts a comma-separated list of strings that identify the target servers, sites, domains, or forests specified by the Scope argument. An asterisk (*) is also permissible and means all servers within the specified scope. If no scope is specified, it implies all servers in the current user's forest. The Scope argument specifies the breadth of the search. Acceptable values are Server, Site, Domain, and Forest. The EnumerationServer argument specifies the server that enumerates the list of domain controllers specified by Target and Scope. It operates the same as the Server argument and requires that the specified server run the Active Directory Web Service.

To introduce the new cmdlets, here are some sample scenarios showing capabilities that repadmin.exe does not have; armed with these illustrations, the administrative possibilities become obvious. Review the cmdlet help for specific usage requirements.

Get-ADReplicationAttributeMetadata

This cmdlet is similar to repadmin.exe /showobjmeta. It returns replication metadata, such as when an attribute changed, the originating domain controller, the version and USN information, and the attribute data. This cmdlet is useful for auditing where and when a change occurred.

Unlike Repadmin, Windows PowerShell gives flexible search and output control. For example, you can output the metadata of the Domain Admins object, ordered as a readable list:

Get-ADReplicationAttributeMetadata -object "cn=domain admins,cn=users,dc=corp,dc=contoso,dc=com" -server dc1.corp.contoso.com -showalllinkedvalues | format-list


Alternatively, you can arrange the data to look like repadmin, in a table:

Get-ADReplicationAttributeMetadata -object "cn=domain admins,cn=users,dc=corp,dc=contoso,dc=com" -server dc1.corp.contoso.com -showalllinkedvalues | format-table -wrap


Alternatively, you can get metadata for an entire class of objects by pipelining the Get-ADObject cmdlet with a filter, such as all groups, and then combine that with a specific date. The pipeline is a channel used between multiple cmdlets to pass data. To see all groups modified in some fashion on January 13th, 2012:

get-adobject -filter 'objectclass -eq "group"' | Get-ADReplicationAttributeMetadata -server dc1.corp.contoso.com | where-object {$_.lastoriginatingchangetime -like "*1/13/2012*" -and $_.attributename -eq "name"} | format-table object


For more information about Windows PowerShell operations with pipelines, see Piping and the Pipeline in Windows PowerShell.

Alternatively, to find every group that has Tony Wang as a member, and when each group was last modified:

get-adobject -filter 'objectclass -eq "group"' | Get-ADReplicationAttributeMetadata -server dc1.corp.contoso.com -showalllinkedvalues | where-object {$_.attributevalue -like "*tony wang*"} | format-table object,LastOriginatingChangeTime,version -auto


Alternatively, to find all objects in the domain that were authoritatively restored from a system state backup, based on their artificially high version number:

get-adobject -filter 'objectclass -like "*"' | Get-ADReplicationAttributeMetadata -server dc1.corp.contoso.com | where-object {$_.version -gt 100000 -and $_.attributename -eq "name"} | format-table object,LastOriginatingChangeTime


Alternatively, send all user metadata to a CSV file for later examination in Microsoft Excel:

get-adobject -filter 'objectclass -eq "user"' | Get-ADReplicationAttributeMetadata -server dc1.corp.contoso.com -showalllinkedvalues | export-csv allgroupmetadata.csv
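The auditing use of this cmdlet, as an added example that is not part of the original page: a function that reports every change to the member attribute of a privileged group, with the originating domain controller and time of each change. It assumes the ActiveDirectory module is loaded; the group DN and server name are placeholders for your own environment, and the way removed links are detected (a non-empty LastOriginatingDeleteTime) is an assumption about the cmdlet's output.

```powershell
# Added example (not from the original page): membership change history for one group.
function Get-GroupMembershipHistory {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][string]$Server,
        [datetime]$Since = (Get-Date).AddDays(-30)
    )
    # -ShowAllLinkedValues is required to get per-value metadata for linked
    # attributes such as member; without it only the attribute itself is listed.
    Get-ADReplicationAttributeMetadata -Object $GroupDN -Server $Server -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' -and $_.LastOriginatingChangeTime -ge $Since } |
        ForEach-Object {
            # Assumption: a linked value that has been removed carries a deletion time;
            # a value still present has none (or DateTime.MinValue).
            $removed = ($null -ne $_.LastOriginatingDeleteTime) -and
                       ($_.LastOriginatingDeleteTime -gt [datetime]::MinValue)
            $action  = if ($removed) { 'Removed' } else { 'Added' }
            [pscustomobject]@{
                When     = $_.LastOriginatingChangeTime
                Action   = $action
                Member   = $_.AttributeValue
                OriginDC = $_.LastOriginatingChangeDirectoryServerIdentity
                Version  = $_.Version
            }
        } | Sort-Object When -Descending
}

# Placeholder group DN and server; replace with your own.
Get-GroupMembershipHistory -GroupDN 'cn=domain admins,cn=users,dc=corp,dc=contoso,dc=com' `
                           -Server dc1.corp.contoso.com | Format-Table -AutoSize
```

Because the metadata names the originating DC, an unexpected OriginDC for a privileged group change is a useful lead when reconciling the result against your change records.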

Get-ADReplicationPartnerMetadata

This cmdlet returns information about the configuration and state of replication for a domain controller, allowing you to monitor, inventory, or troubleshoot. Unlike Repadmin.exe, using Windows PowerShell means you see only the data that is important to you, in the format you want.

For example, the readable replication state of a single domain controller:

Get-ADReplicationPartnerMetadata -target dc1.corp.contoso.com


Alternatively, the last time a domain controller replicated inbound, and from which partners, in table format:

Get-ADReplicationPartnerMetadata -target dc1.corp.contoso.com | format-table lastreplicationattempt,lastreplicationresult,partner -auto


Alternatively, contact all domain controllers in the forest and display any whose last attempted replication failed for any reason:

Get-ADReplicationPartnerMetadata -target * -scope server | where {$_.lastreplicationresult -ne "0"} | ft server,lastreplicationattempt,lastreplicationresult,partner -auto


Get-ADReplicationFailure

This cmdlet returns information about recent errors in replication. It is analogous to Repadmin.exe /showreplsum, but again with much more control, thanks to Windows PowerShell.

For example, you can return a domain controller's most recent failures and the partners it failed to contact:

Get-ADReplicationFailure dc1.corp.contoso.com


Alternatively, return a table view for all servers in a specific AD logical site, ordered for easier viewing and containing only the most critical data:

Get-ADReplicationFailure -scope site -target default-first-site-name | format-table server,firstfailuretime,failurecount,lasterror,partner -auto


Get-ADReplicationQueueOperation and Get-ADReplicationUpToDatenessVectorTable

Both of these cmdlets return further aspects of domain controller "up-to-dateness", which includes pending replication and version vector information.
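Both cmdlets used together, as an added example that is not part of the original page: the queue backlog on every domain controller, plus a comparison of the up-to-dateness vectors so that a DC whose knowledge of a partner's USN lags well behind its peers stands out. It assumes the ActiveDirectory module is loaded, that every DC's AD Web Service is reachable, and that the UTD rows expose Server, Partition, Partner, PartnerInvocationId, UsnFilter and LastReplicationSuccess; the USN threshold is a constructed value.

```powershell
# Added example (not from the original page): replication backlog and UTD lag report.
function Get-ReplicationBacklog {
    param([string]$Target = '*', [string]$Scope = 'Forest', [long]$UsnThreshold = 1000)

    # 1. Pending inbound operations per DC (the queue that Repadmin /queue shows).
    #    Get-ADDomainController is per domain, so walk every domain in the forest.
    $dcs = (Get-ADForest).Domains |
        ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
        Select-Object -ExpandProperty HostName
    $queue = foreach ($dc in $dcs) {
        try {
            $ops = @(Get-ADReplicationQueueOperation -Server $dc -ErrorAction Stop)
            $oldest = ($ops | Sort-Object EnqueueTime | Select-Object -First 1).EnqueueTime
            [pscustomobject]@{ Server = $dc; PendingOps = $ops.Count; OldestEnqueued = $oldest }
        } catch {
            # An unreachable DC is itself a finding, so keep it in the report.
            [pscustomobject]@{ Server = $dc; PendingOps = 'unreachable'; OldestEnqueued = $null }
        }
    }

    # 2. UTD vector comparison. Each DC records, per partition and per source
    #    invocation id, the highest USN it has received from that source. For every
    #    (partition, source) pair, take the highest USN any DC knows and flag DCs
    #    that are more than $UsnThreshold behind it.
    $utd = Get-ADReplicationUpToDatenessVectorTable -Target $Target -Scope $Scope
    $lag = $utd | Group-Object Partition, PartnerInvocationId | ForEach-Object {
        $best = ($_.Group | Measure-Object -Property UsnFilter -Maximum).Maximum
        foreach ($row in $_.Group) {
            $behind = $best - $row.UsnFilter
            if ($behind -gt $UsnThreshold) {
                [pscustomobject]@{
                    Server      = $row.Server
                    Partition   = $row.Partition
                    Partner     = $row.Partner
                    UsnBehind   = $behind
                    LastSuccess = $row.LastReplicationSuccess
                }
            }
        }
    }
    [pscustomobject]@{ Queue = $queue; Lag = @($lag | Sort-Object UsnBehind -Descending) }
}

$report = Get-ReplicationBacklog
$report.Queue | Format-Table -AutoSize
$report.Lag   | Format-Table -AutoSize
```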

Sync-ADObject

This cmdlet is analogous to running Repadmin.exe /replsingleobject. It is very useful when you make changes that require out-of-band replication, especially to fix an issue.

For example, if someone deleted the CEO's user account and then restored it with the Active Directory Recycle Bin, you probably want it replicated to all domain controllers immediately. You also probably want to do this without forcing replication of all the other object changes; after all, that is why you have a replication schedule: to avoid overloading WAN links.

Get-ADDomainController -filter * | foreach {Sync-ADObject -object "cn=tony wang,cn=users,dc=corp,dc=contoso,dc=com" -source dc1 -destination $_.hostname}


Topology

While Repadmin.exe is good at returning information about replication topology such as sites, site links, site link bridges, and connections, it does not have a comprehensive set of arguments for making changes. In fact, there has never been a scriptable, in-box Windows utility designed specifically for administrators to create and modify AD DS topology. As Active Directory has matured in millions of customer environments, the need to bulk modify Active Directory logical information has become apparent.

For example, after a rapid expansion of new branch offices, combined with the consolidation of others, you might have a hundred site changes to make based on physical locations, network changes, and new capacity requirements. Rather than using Dssites.msc and Adsiedit.msc to make the changes, you can automate them. This is especially compelling when you start with a spreadsheet of data provided by your network and facilities teams.

The Get-ADReplication* cmdlets return information about replication topology and are useful for pipelining into the Set-ADReplication* cmdlets in bulk. Get cmdlets do not change data; they only show data or create Windows PowerShell session objects that can be pipelined to the Set-ADReplication* cmdlets. The New and Remove cmdlets are useful for creating or removing Active Directory topology objects.

For example, you can create new sites from a CSV file:

import-csv -path C:\newsites.csv | new-adreplicationsite
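The spreadsheet-driven bulk change described above, carried one step further as an added example that is not part of the original page: sites and their subnets are created from one CSV export and each subnet is assigned to its site, with -WhatIf available so the batch can be reviewed before it touches the Configuration partition. The CSV columns and the sample rows are constructed for this example, and the ActiveDirectory module is assumed to be loaded.

```powershell
# Added example (not from the original page): create sites and subnets from a CSV.
# Constructed sample data; a real run would use Get-Content on the exported file.
$csv = @'
Site,Subnet,Location
chicago,10.10.0.0/16,"Chicago HQ"
waukegan,10.20.0.0/24,"Waukegan branch"
waukegan,10.20.1.0/24,"Waukegan branch"
'@

function Import-TopologyFromCsv {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$CsvText)

    $rows = $CsvText | ConvertFrom-Csv

    # Sites first, so that subnets have something to bind to. Skip sites that exist,
    # so the import is safe to re-run after a partial failure.
    foreach ($site in ($rows.Site | Sort-Object -Unique)) {
        if (Get-ADReplicationSite -Filter "Name -eq '$site'") { continue }
        if ($PSCmdlet.ShouldProcess($site, 'New-ADReplicationSite')) {
            New-ADReplicationSite -Name $site
        }
    }

    # Then subnets, each assigned to its site (and labelled with the location).
    foreach ($row in $rows) {
        if (Get-ADReplicationSubnet -Filter "Name -eq '$($row.Subnet)'") { continue }
        if ($PSCmdlet.ShouldProcess($row.Subnet, "New-ADReplicationSubnet (site $($row.Site))")) {
            New-ADReplicationSubnet -Name $row.Subnet -Site $row.Site -Location $row.Location
        }
    }
}

# Dry run: prints what would be created without changing the directory.
Import-TopologyFromCsv -CsvText $csv -WhatIf
# Remove -WhatIf to apply the changes.
```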


Alternatively, create a new site link between two existing sites with a custom replication interval and site cost:

new-adreplicationsitelink -name "chicago<-->waukegan" -sitesincluded chicago,waukegan -cost 50 -replicationfrequencyinminutes 15


Alternatively, find every site link in the forest and replace its Options attribute with the flag that enables inter-site change notification, in order to replicate at maximum speed with compression. The options attribute is not returned by default, so it must be requested explicitly, and the pipeline variable $_ is only valid inside a script block, so the Set-ADObject call is wrapped in ForEach-Object:

get-adreplicationsitelink -filter * -properties options | foreach-object { set-adobject -identity $_ -replace @{options=($_.options -bor 1)} }


Important

Set -bor 5 to disable compression on those site links as well.

Alternatively, find all sites missing subnet assignments, in order to reconcile the list with the actual subnets of those locations:

get-adreplicationsite -filter * -property subnets | where-object { -not $_.subnets } | format-table name


See Also

Introduction to Active Directory Replication and Topology Management Using Windows PowerShell (Level 100)