Backup the Active Directory Database (System State + wbadmin)
If you only ever do one Active Directory backup, it’s the system state backup. System state pulls everything AD needs to come back from scratch — the NTDS.DIT database, SYSVOL,…
Knowledge Base
The Dojo
Tutorials, deep dives, and insights from our team of IT professionals.
repadmin /replsummary: Decode Your Active Directory Replication Health
repadmin /replsummary is the single most useful command for telling you whether AD replication is healthy. One terminal, one keystroke, two columns of numbers that immediately surface every DC that’s…
The Concept of Lingering Objects in Active Directory (Causes, Detection, Cleanup)
A lingering object is a deleted AD object that didn’t get the “you’re deleted” memo before the memo itself expired. It sits on a long-disconnected DC, pretending to still be…
How Active Directory Replication Conflicts Are Resolved (Version, Timestamp, GUID)
Multi-master replication doesn’t prevent conflicts — it tolerates them. Two admins on two DCs can simultaneously edit the same attribute, create the same object, or move and delete things at…
Understanding the AD Replication Bridgehead Server (Selection, Failover, Pitfalls)
If every DC in every site talked directly to every DC in every other site, an N-site forest with M DCs per site would have N×M×(N-1)×M long-distance connections — explosive…
KCC: How AD’s Knowledge Consistency Checker Builds the Replication Topology
You never have to tell Active Directory “DC1 should replicate with DC2.” AD figures it out itself. The component that does the figuring is the Knowledge Consistency Checker (KCC) —…
AD Replication Frequency: Intra-Site (15 sec) vs Inter-Site (180 min) Explained
AD replication runs on two clocks. Inside a site, it’s near-realtime — 15 seconds after any change. Across sites, it’s scheduled polling — default 180 minutes, minimum 15 minutes, configurable…
How a Naming Context Replicates Between Two AD Servers (The 5-Step Cycle)
Active Directory replication is always pull-based, pairwise, and per naming context. Server A pulls from Server B for the Domain NC, then pulls again for the Configuration NC, then again…
How an AD Object’s Metadata Is Modified During Replication (USN, Version, Timestamp)
An AD object isn’t just a name and some attributes — it’s the attributes plus a per-attribute change diary. That diary, called replication metadata, is what makes inter-DC replication, conflict…
Multi-Master vs Single-Master Replication in Active Directory (FSMO Explained)
Active Directory uses two replication models side-by-side. Multi-master replication is the default and covers 99% of directory data — users, groups, computers, OUs, ACLs. Single-master replication covers the five FSMO…
How Active Directory Replication Actually Works (USN, DSA GUID, HWMV, UTDV)
Active Directory replication is the engine that keeps every domain controller’s copy of the directory in agreement. It’s also where most “weird” AD problems live — lingering objects, USN rollback,…
SQL Always On Availability Groups Part 7: Manual Failover Testing
The AG is healthy and replicating (verified in Part 6). The whole point of building this is failover — so we exercise it now. Three tests in this part: Manual…