AD Check Replication Latency

by Nils Kaczenski (first name @ last name dot de)
http://www.faq-o-matic.net


What this is
------------

This is a collection of three scripts that you can use to measure the replication latency in your Active Directory environment. The scripts inject a change into AD on one Domain Controller and then query a different DC to see when the change arrives there. Comparing the original change time and the reported change time on the remote DC gives you the replication latency time in seconds.
The idea for this script was developed by Florian Frommherz.


This consists of
----------------

ADRepCheckLatency-Inject.vbs:  This is the first executable script. It modifies one attribute on a specified AD object and informs you about the original change time.

ADRepCheckLatency-Detect.vbs:  This is the second executable script. It queries a specified remote DC for the modified object and checks if the modification is already there. If so, it displays the remote change time and tells you the replication latency time in seconds.

ADRepCheckLatency-Parameters.vbs:  This is not an executable script but rather a parameters file. Before you run either of the two executables, please adjust the values in this file.


How to use this
---------------

Step 1: Open the file "ADRepCheckLatency-Parameters.vbs" in a text editor (such as Notepad). Adjust the four values in the script to your environment and save the script. This is what you have to modify:
- strObject: specify an LDAP distinguished name for the AD object that you want to be changed. Use a domain object to measure domain replication latency. Use a configuration object to measure configuration replication latency. For domains, the built-in Administrator account may be a good choice as usually there are only a few attributes relevant to your organisation on this object. You can also create a new object or choose anything else.
- strAttribute: specify the attribute that you want the script to modify. Make sure it is a text-based and single-valued attribute.
- strNewValue: specify a text value that you want the script to write into the attribute. Choose something that you can easily recognize and that is different from the current value in the object. Do not use dynamic data such as the VBS "Now" function as this will cause the detection to fail.
- strLocalDC: specify the computer name of the Domain Controller that you want to perform the actual modification. This DC's change time is the basis for the latency time calculation.

Step 2: Open a CMD window using an account that has write permission to the object you want to be modified. Launch the script "ADRepCheckLatency-Inject.vbs" using cscript without any arguments. Example:
cscript C:\MyFolder\ADRepCheckLatency-Inject.vbs
Wait for the script to finish. If the script complains that the value to set is the same as the current value you can either go back to Step 1 and choose a different New Value - or you can use ADSI Edit to alter the value in the AD object.

Step 3: Wait for a reasonable time until you think that replication has occurred between the local DC and the remote DC that you want to measure. Then open a CMD window using an account that has read permission on the modified object. Launch the script "ADRepCheckLatency-Detect.vbs" with cscript and with the remote DC's computer name as an argument. Example:
cscript C:\MyFolder\ADRepCheckLatency-Detect.vbs DC007
Wait for the script to finish. If it finds that replication has not yet done its work (that is: if the value on the remote DC is different from the value on the local DC) it waits for one minute and then checks again. When replication is through, the script displays the change time of the remote DC and the replication latency time in seconds.


Checking replication latency against multiple DCs
-------------------------------------------------

The "Detect" script queries exactly one DC for the modified object. If you want to measure the replication latency time against multiple sites or DCs in your network you can simply run the Detect script (Step 3 above) multiple times. You can do this either sequentially (useful if you redirect the script output to a file) or simultaneously (in that case you need to open a separate CMD window for each instance of the script).
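
The following PowerShell script performs the same read-only check against several DCs from one window, after the Inject script has run. It is an added example and not part of the original script collection; it assumes the ActiveDirectory module (RSAT) is installed, and the DN, attribute, value and DC names are constructed placeholders.

```powershell
# Added example: read-only latency check against several DCs.
# All values below are constructed placeholders; mirror your Parameters file.
Import-Module ActiveDirectory

$ObjectDN  = 'CN=Administrator,CN=Users,DC=example,DC=com'
$Attribute = 'info'
$NewValue  = 'RepCheck-001'
$LocalDC   = 'DC001'
$RemoteDCs = 'DC007', 'DC008'

# whenChanged is not replicated: each DC stamps it with its own clock when the
# change is written locally, so the difference between two DCs is the latency.
# Clock skew between the DCs is included in the result.
$origin = Get-ADObject -Identity $ObjectDN -Server $LocalDC `
                       -Properties whenChanged, $Attribute -ErrorAction Stop
if ($origin.$Attribute -ne $NewValue) {
    throw "Value on $LocalDC is not '$NewValue'; run the Inject script first."
}

$pending = @($RemoteDCs)
$results = while ($pending.Count -gt 0) {
    foreach ($dc in @($pending)) {
        $remote = Get-ADObject -Identity $ObjectDN -Server $dc `
                               -Properties whenChanged, $Attribute -ErrorAction Stop
        if ($remote.$Attribute -eq $NewValue) {
            # Change has arrived on this DC: report it and stop polling it.
            $seconds = ($remote.whenChanged - $origin.whenChanged).TotalSeconds
            [pscustomobject]@{
                RemoteDC       = $dc
                LocalChange    = $origin.whenChanged
                RemoteChange   = $remote.whenChanged
                LatencySeconds = [math]::Round($seconds)
            }
            $pending = @($pending | Where-Object { $_ -ne $dc })
        }
    }
    # Same cadence as the Detect script: wait one minute, then check again.
    if ($pending.Count -gt 0) { Start-Sleep -Seconds 60 }
}

$results | Format-Table -AutoSize
```

The account running it needs only read permission on the object, as in Step 3.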


Support and Disclaimer
----------------------

This script collection comes "as is" and without any warranty. Use it completely at your own risk. One of the scripts does try to modify data in your AD. It is only up to you to prevent the script from changing critical data. It is mandatory to do a full AD backup before you run this script.
Nils Kaczenski will not provide any support for the script itself or for anything that may go wrong in your environment.
