LCS 2005 User Replicator FAQ

FAQ:

1. What does User Replicator do?

User Replicator is responsible for keeping the LCS 2005 user database (MSDE for SE; SQL Server for an EE pool) synchronized with Active Directory. Any time an LCS-enabled user object is created or modified in Active Directory, User Replicator is responsible for propagating the change to the LCS 2005 user database. To do this, User Replicator uses the Active Directory DirSync control to track incremental changes. DirSync allows User Replicator to ask Active Directory for all changes that have occurred since the last time it asked. In that way, User Replicator only needs to store something that marks the last time it asked, and Active Directory will return the changes that have occurred since then.

2. What is the difference between LCS 2003 ADC (Active Directory Connector) and LCS 2005 User Replicator (UR)?

ADC and UR are essentially the same component with some superficial differences. ADC ran in its own process; UR runs inside the rtcsrv.exe process. UR is made to work in a distributed environment, such that only one EE server will actually perform UR's job when there are multiple EE servers to choose from. (See question 3.) UR also has minor changes in processing logic for the updates received from Active Directory.

3. Where does User Replicator run?

There must be one active User Replicator for every pool in LCS 2005. For LCS 2005 SE, this means that every home server has a User Replicator running on it. For LCS 2005 EE, this means that one of the working EE servers runs User Replicator. The way to tell which front end is running User Replicator is to run dbanalyze.exe against the backend (see the deployment guide for details).

Task Name                Fqdn
-----------------        -------
Endpoint Expiration      server01.contoso.com
Subscription Expiration  server02.contoso.com
User Replication         server03.contoso.com
Nightly Maintenance      server04.contoso.com
 
It is useful to know which front end is running the User Replicator because any errors the User Replicator encounters will be logged as events on the front end that owns the task. Note that the assignment may change as EE servers come and go.

4. What is the polling frequency for User Replicator? Is it configurable?

The default polling frequency for User Replicator is 60 seconds. This means that every 60 seconds, User Replicator will ask Active Directory for any changes that have happened to user objects in the last 60 seconds. This frequency is configurable. Generally speaking, configuring this value to be something other than the default is not necessary since the network overhead of the LDAP traffic that User Replicator causes is so low. However, in some cases, such as when User Replicator is synchronizing across a very slow or bandwidth-sensitive link, it may make sense for administrators to change this interval. This interval is a per-pool value and can be set through WMI (the ReplicationCycleInterval attribute of the MSFT_SIPUserReplicatorSetting WMI class).

Here are the steps for changing this using the wbemtest.exe tool:

  1. Click Start, click Run, and then type wbemtest.exe
  2. In the Windows Management Instrumentation (WMI) Tester dialog box, click Connect.
  3. In the Namespace box, type: root\cimv2
  4. Click Connect.
  5. Click Enum Instances
  6. In the Enter Superclass name box, type: MSFT_SIPUserReplicatorSetting
  7. Click OK
  8. In the Query Result dialog box, double-click the resulting instance
  9. In the Object editor for MSFT_SIPUserReplicatorSetting dialog box, under Update type, select the radio button: Update only
  10. In the Object editor for MSFT_SIPUserReplicatorSetting dialog box, select ReplicationCycleInterval from the Properties list and click Edit Property
  11. In the Property Editor dialog box, under Value, select Not Null and enter the value: 30  
  12. Click Save Property
  13. In the Object editor for MSFT_SIPUserReplicatorSetting dialog box, click Save Object
  14. Click Exit to exit from Windows Management Instrumentation (WMI) Tester dialog box
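
The same change can be scripted, which also lets you record the old value and confirm the stored one. This is an added example, not part of the original FAQ; the script name and the MAX_SECONDS bound are choices made for the example, and it assumes ReplicationCycleInterval holds a whole number of seconds, as the steps above suggest.

```vbscript
' Added example, not from the original FAQ.
' Usage (script name is hypothetical): cscript //nologo SetUrInterval.vbs 30
Option Explicit

Const wbemChangeFlagUpdateOnly = 1   ' same effect as "Update only" in wbemtest
Const MAX_SECONDS = 86400            ' sanity bound chosen for this example only

Dim arg, newInterval, objWbem, objSetting, found

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript SetUrInterval.vbs <seconds>"
    WScript.Quit 1
End If

' Accept only a positive whole number so a typo cannot be written to WMI.
arg = WScript.Arguments(0)
newInterval = 0
If IsNumeric(arg) Then
    If CDbl(arg) = Int(CDbl(arg)) And CDbl(arg) >= 1 And CDbl(arg) <= MAX_SECONDS Then
        newInterval = CLng(arg)
    End If
End If
If newInterval = 0 Then
    WScript.Echo "Interval must be a whole number of seconds between 1 and " & MAX_SECONDS
    WScript.Quit 1
End If

Set objWbem = CreateObject("WbemScripting.SWbemLocator").ConnectServer(".", "root\cimv2")

found = False
For Each objSetting In objWbem.ExecQuery("select * from MSFT_SIPUserReplicatorSetting")
    found = True
    WScript.Echo "Old ReplicationCycleInterval: " & objSetting.ReplicationCycleInterval
    objSetting.ReplicationCycleInterval = newInterval
    objSetting.Put_ wbemChangeFlagUpdateOnly
Next
If Not found Then
    WScript.Echo "No MSFT_SIPUserReplicatorSetting instance found on this server."
    WScript.Quit 2
End If

' Re-read from WMI to confirm what was actually stored.
For Each objSetting In objWbem.ExecQuery("select * from MSFT_SIPUserReplicatorSetting")
    WScript.Echo "New ReplicationCycleInterval: " & objSetting.ReplicationCycleInterval
Next
```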

5. What is the 'initial cycle' referred to by some User Replicator events?

User Replicator deals with incremental changes, meaning it asks Active Directory to give it a list of changes since the last time it asked. If User Replicator has never asked Active Directory for changes before, then it performs the 'initial cycle.' In this case, User Replicator synchronizes every LCS 2005 enabled user or contact object in Active Directory from scratch. After the initial cycle is complete, User Replicator will continue to ask for incremental changes from Active Directory every minute.

6. How often does the 'initial cycle' occur?

The initial cycle is only performed the first time User Replicator connects to a domain, and is noted in the event logs by start and stop events. LCS 2005 also has a means to resynchronize every domain by restarting the initial cycle for those domains (the RegenerateCookiesNow attribute of the MSFT_SIPUserReplicatorSetting WMI class). This is provided only as a disaster recovery measure, for the case where a large number of user objects had errors that prevented them from working correctly, and fixing those errors did not modify each user object and cause them all to be resynchronized. In general, the 'initial cycle' will only happen once over the lifetime of the product.

7. Can I control which DCs User Replicator connects to in order to perform synchronization?

You cannot directly control which DCs User Replicator connects to. However, User Replicator uses the Windows API DsGetDcName to find DCs to connect to. DsGetDcName is sensitive to DC affinity, so you can indirectly control User Replicator's choice of DC through the use of DC affinity.

8. What is the performance impact of User Replicator? Do I need to add more DCs to my domain?

Generally speaking, the performance impact of User Replicator is negligible. After the initial cycle completes (a one-time cost that places a moderate load on the DC CPU), the network cost is less than 1 kilobyte/minute and the CPU cost on the DC itself is negligible.

9. How long does the initial replication cycle typically take?

There are a number of variables that affect the length of the initial cycle, chief among them the number of users being synchronized, the speed of the machine running User Replicator, and the speed of the backend. Assuming minimum-spec hardware or better and no serious network latency/bandwidth issues, an initial cycle with 100,000 users will take about 30 minutes. Subsequent cycles will be incremental changes only and will thus take much less time to complete.

10. What are the configuration parameters for UR?

WMI Class                         Setting
--------------------------------  ------------------
MSFT_SIPESGlobalRegistrarSetting  UserDomainList
MSFT_SIPUserReplicatorSetting     CycleInterval
MSFT_SIPUserReplicatorSetting     RegenerateCookies*

*RegenerateCookies is more like a one-time method call than a setting.

It is possible to configure these parameters using wbemtest or WMI scripts. See FAQ question 4 for sample wbemtest steps and Troubleshooting question 1 for a sample WMI script.

Troubleshooting:

1. I see User Replicator connecting to all of the domains in the forest. Why? Is it possible to configure User Replicator so that it only connects to the domains that have SIP users in them?

By default, User Replicator operates in a zero-configuration mode in which it attempts to synchronize all domains in the forest that it has been deployed in. For forests with one or two domains in which both domains have LCS 2005 enabled user objects, this mode is fine. However, if the forest has many domains and only one domain has LCS 2005 enabled user objects, this can result in a lot of superfluous events being logged by User Replicator because it won't have access to those domains. In that case, administrators can set up a list of the only domains that User Replicator will pull from. This list is set via WMI (the UserDomainList attribute of the MSFT_SIPESGlobalRegistrarSetting WMI class).

Below is a sample WMI script that can be used to modify this setting:

Dim ObjGlobalSetting
Dim objWbem
Dim DomainList

' DomainList has a list of domains that tells UR which domains to sync.
' In this sample we are setting it up to sync domains domain1.fabrikam.com and domain2.fabrikam.com

DomainList = Array("DC=domain1,DC=fabrikam,DC=com", "DC=domain2,DC=fabrikam,DC=com")

Set objWbem = CreateObject("WbemScripting.SWbemLocator").ConnectServer(".", "root\cimv2")

For Each ObjGlobalSetting In objWbem.ExecQuery("select * from MSFT_SIPESGlobalRegistrarSetting")
    ObjGlobalSetting.UserDomainList = DomainList
    ' 1 = wbemChangeFlagUpdateOnly: update the existing instance, never create one
    ObjGlobalSetting.Put_ 1
Next

Below is a sample WMI script that can be used to view this setting:

Dim ObjGlobalSetting
Dim objWbem
Dim DomainList
Dim domain
Dim i

Set objWbem = CreateObject("WbemScripting.SWbemLocator").ConnectServer(".", "root\cimv2")
For Each ObjGlobalSetting In objWbem.ExecQuery("select * from MSFT_SIPESGlobalRegistrarSetting")
    DomainList = ObjGlobalSetting.UserDomainList
Next

WScript.Echo "Verifying the value set for MSFT_SIPESGlobalRegistrarSetting::UserDomainList"
WScript.Echo "------------------------------------------------------------------------"

' UserDomainList is not an array when no list has been set, so check before looping
If IsArray(DomainList) Then
    i = 1
    For Each domain In DomainList
        WScript.Echo "Domain " & i & ": " & domain
        i = i + 1
    Next
Else
    WScript.Echo "UserDomainList is not set."
End If

2. I enabled a user for SIP, but I still do not see the entry in the database (or see it in n minutes). Why?
3. When the client logs in, REGISTER gets back a 404 “User not found” error. Why?

a) By default, User Replicator polls for changes once a minute. If this polling interval has been changed, then changes will not show up for at least the polling time. Additionally, DC replication latency can affect how long it takes before User Replicator "sees" Active Directory changes. For example, if it takes 30 minutes for changes to replicate from DC A to DC B, User Replicator is connected to DC B to perform replication, and user object changes are made on DC A, then regardless of the polling interval used for User Replicator, it will take at least 30 minutes for User Replicator to "see" the changes made on DC A. If none of the above seems like it could be an issue, then the next step is to look for event logs from User Replicator indicating a problem. If User Replicator encounters errors while synchronizing a user, it will log detailed event logs describing the problem.

b) I waited for a while but did not see any errors or warnings in the event log.  See 4) Testing Permissions

4. I see a User Replicator event talking about an unrecognized error while processing users from a domain. How do I fix this problem?

First, determine if the domain listed in the event is one that you care about. Since User Replicator defaults to a mode in which it queries all domains for LCS 2005 enabled users, the listed domain may not be one in which you expect or desire User Replicator to find LCS 2005 enabled users. If you do not care about the domain in question, then either ignore the event when it occurs, or specify a list of domains User Replicator should poll and leave this domain out. Otherwise, this is a valid domain that User Replicator is trying to pull users from and encountered an error. If the event text does not give enough information to pinpoint the problem, the first thing to examine is permissions. User Replicator requires the ability to read this set of attributes on a given user object:

objectSid
telephoneNumber
mail
displayName
isDeleted
msRTCSIP-OriginatorSid
msRTCSIP-PrimaryUserAddress
msRTCSIP-PrimaryHomeServer
msRTCSIP-UserEnabled
msRTCSIP-FederationEnabled
msRTCSIP-InternetAccessEnabled
msRTCSIP-ArchivingEnabled

The account User Replicator runs under (a member of the RTCHSDomainServices group) should have been given read permissions to all the user objects in the domain in question as a part of enabling that domain for LCS 2005. However, since Active Directory permissions are configurable, it is possible to break the permissions User Replicator requires.

Testing Permissions:

A good way to test this is to run an Active Directory browsing tool (ldp.exe or adsiedit.msc, for example) under the same account that rtcsrv.exe runs under, using the runas command. Use the tool to browse to the user/contact object DN in question. You should be able to see all msRTCSIP-* attributes if they are set. Whatever error/permission issue the tool encounters is the same error that User Replicator would have encountered. If you resolve the errors encountered by the tool, you will likely resolve the errors with User Replicator. The problem is usually the result of some permission setup specific to the customer. If Active Directory is in lock-down mode or inheritance is disabled, see the “Deployment Guide” for details on adding the extra permissions required.
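
The same check can be scripted so that it covers exactly the attribute list above and can be repeated after each permission change. This is an added example, not part of the original FAQ; the script name is hypothetical. It must be run from a command prompt started with runas under the account that rtcsrv.exe uses, and it cannot tell an unset attribute from one the account is not allowed to read, so compare its output with what an administrator account sees for the same object.

```vbscript
' Added example, not from the original FAQ.
' Usage (script name is hypothetical), from a prompt opened with runas as the
' rtcsrv.exe account:  cscript //nologo CheckUrAttrs.vbs "<user or contact DN>"
Option Explicit

Const E_ADS_PROPERTY_NOT_FOUND = &H8000500D   ' attribute not in the ADSI cache

Dim attrs, attr, userDN, objUser, value

' The attributes User Replicator must be able to read, as listed in this FAQ.
attrs = Array("objectSid", "telephoneNumber", "mail", "displayName", "isDeleted", _
    "msRTCSIP-OriginatorSid", "msRTCSIP-PrimaryUserAddress", _
    "msRTCSIP-PrimaryHomeServer", "msRTCSIP-UserEnabled", _
    "msRTCSIP-FederationEnabled", "msRTCSIP-InternetAccessEnabled", _
    "msRTCSIP-ArchivingEnabled")

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript CheckUrAttrs.vbs ""<user or contact DN>"""
    WScript.Quit 1
End If
userDN = WScript.Arguments(0)

On Error Resume Next

' Bind with the credentials of the account running this script.
Set objUser = GetObject("LDAP://" & userDN)
If Err.Number <> 0 Then
    WScript.Echo "Bind failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 2
End If

' Ask the DC for exactly these attributes; only readable, set ones come back.
objUser.GetInfoEx attrs, 0
If Err.Number <> 0 Then
    WScript.Echo "Attribute fetch failed: 0x" & Hex(Err.Number) & " " & Err.Description
    WScript.Quit 2
End If

For Each attr In attrs
    Err.Clear
    value = objUser.Get(attr)
    If Err.Number = 0 Then
        WScript.Echo "readable                         " & attr
    ElseIf Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        WScript.Echo "not returned (unset or no read)  " & attr
    Else
        WScript.Echo "error 0x" & Hex(Err.Number) & "                 " & attr
    End If
Next
```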

5. I tried to change a user’s URI to be xxx@xxx.com, but the user cannot log in with that URI. How do I figure out the problem?

There are several possible reasons that the user can't log in, and a replication issue is just one of them. In all these cases, User Replicator will log a warning event if it cannot assign a URI to a specific user. The usual cause of this is that some other valid user already has that URI assigned to them. The solution is to either delete one of the offending users from Active Directory if they aren't supposed to exist, or rename one of them such that their URIs aren't the same.