There are several Windows cmdlets and utilities we can use to troubleshoot replication issues. Among these, Repadmin.exe is the most commonly used Microsoft utility. It is available on servers that have the AD DS or AD LDS role installed, and it is also part of the Remote Server Administration Tools (RSAT). It is recommended to run this utility as a Domain Admin or Enterprise Admin; however, it is also possible to delegate permissions only to review and manage replication.
The following list contains the commands supported by repadmin:
Command | Description
repadmin /kcc | Forces the Knowledge Consistency Checker (KCC) on targeted domain controllers to immediately recalculate the inbound replication topology
repadmin /prp | This command allows an administrator to view or modify the password replication policy for
repadmin /queue | Displays inbound replication requests that the domain controller must issue to become consistent with its source replication partners
repadmin /replicate | Triggers the immediate replication of the specified directory partition to a destination domain controller from the source domain controller
repadmin /replsingleobj | Replicates a single object between any two domain controllers that have common directory partitions
repadmin /replsummary | Quickly and concisely summarizes the replication state and relative health of a forest
repadmin /rodcpwdrepl | Triggers replication of passwords for the specified users from the source domain controller to one or more RODCs
repadmin /showattr | Displays the attributes of an object
repadmin /showobjmeta | Displays the replication metadata for a specified object stored in AD, such as attribute ID, version number, originating and local update sequence numbers (USNs), and the originating server's globally unique identifier (GUID) and date and time stamp
repadmin /showrepl | Displays the replication status from when the specified domain controller last attempted inbound replication on AD partitions
repadmin /showutdvec | Displays the highest committed USN that the targeted DC's copy of AD shows as committed for itself and its transitive partners
repadmin /syncall | Synchronizes a specified domain controller with all replication partners
Let's see some of these commands in action:
repadmin /replsummary /bydest
The preceding command summarizes the replication status for all domain controllers based on the replication destination. This parameter does not display the source domain controller.
repadmin /replsummary /bysrc
The preceding command summarizes the replication status for all domain controllers based on the replication source. This parameter does not display the destination domain controller.
repadmin /showrepl REBEL-SRV01.therebeladmin.com
The preceding command shows the replication partners for REBEL-SRV01.therebeladmin.com and the status of the last sync attempt.
repadmin /showrepl /errorsonly
The preceding command will list the replication partners that have replication errors (the last sync attempt failed).
We also can view results in CSV format:
repadmin /showrepl /csv
repadmin /syncall REBEL-SRV01 dc=therebeladmin,dc=com
The preceding command initiates domain directory partition synchronization with all replication partners of REBEL-SRV01.
It will also indicate whether there were any issues during the sync.
repadmin /queue
The preceding command shows whether there are any unprocessed inbound replication requests. If requests keep accumulating in the queue, it can be due to a high number of AD changes, system resource issues, or too many replication partners.
repadmin /showchanges REBELNET-PDC01 d3f89917-5fff-40a8-scc2-b148b60d9309 dc=therebeladmin,dc=com
The preceding command lists the changes that have not yet been replicated between server REBELNET-PDC01 and REBEL-SRV01. Here, REBEL-SRV01 is the source server and it is identified by its object GUID.
repadmin /replicate REBEL-SRV01 REBELNET-PDC01 dc=therebeladmin,dc=com
The preceding command initiates immediate directory partition replication from REBELNET-PDC01 to REBEL-SRV01.
Apart from repadmin, there are several PowerShell cmdlets we can use to troubleshoot replication issues. The Get-ADReplicationFailure cmdlet is one that collects data about replication failures.
Get-ADReplicationFailure -Target REBEL-SRV01
The preceding command will collect information about replication failures associated with REBEL-SRV01.
This also can be done with multiple servers:
Get-ADReplicationFailure -Target REBEL-SRV01,REBELNET-PDC01
Further, we can target all the domain controllers in the domain:
Get-ADReplicationFailure -Target "therebeladmin.com" -Scope Domain
Or even the entire forest:
Get-ADReplicationFailure -Target "therebeladmin.com" -Scope Forest
The Get-ADReplicationConnection cmdlet can list the replication partner details for the given domain controller:
Get-ADReplicationConnection -Filter *
The preceding command will list all replication connections for the domain controller you are logged in to.
We also can filter replication connections based on attributes.
Get-ADReplicationConnection -Filter {ReplicateToDirectoryServer -eq "REBEL-SRV01"}
The preceding command will list replication connections with the destination server as REBEL-SRV01.
We also can force-sync objects between domain controllers.
Sync-ADObject -Object "adam" -Source REBEL-SRV01 -Destination REBELNET-PDC01
The preceding command will sync the user object adam from REBEL-SRV01 to REBELNET-PDC01.
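A forest-wide health check that combines the repadmin /showrepl /csv output and the Get-ADReplicationFailure query shown above, reporting only the inbound links that need attention (added example, not from the book; the forest name, the 24-hour staleness threshold and the ConvertTo-DateOrNull helper are assumptions):

```powershell
# Added example: forest-wide replication health report built from repadmin /showrepl /csv
# and Get-ADReplicationFailure. Assumes RSAT (ActiveDirectory module and repadmin.exe)
# and an account allowed to read replication metadata.
param(
    [string]$Forest     = 'therebeladmin.com',   # forest root used in the chapter
    [int]   $StaleHours = 24                      # assumption: flag links silent this long
)
Import-Module ActiveDirectory -ErrorAction Stop

function ConvertTo-DateOrNull([string]$Text) {
    # repadmin writes values such as '0' when a timestamp is unknown; treat those as $null
    $out = [datetime]::MinValue
    if ([datetime]::TryParse($Text, [ref]$out)) { return $out } else { return $null }
}

# 1. Every inbound link of every DC ('*'), parsed from repadmin's CSV output.
#    The column names are the ones repadmin emits in /csv mode.
$links  = repadmin /showrepl * /csv | ConvertFrom-Csv
$cutoff = (Get-Date).AddHours(-$StaleHours)

$linkIssues = foreach ($l in $links) {
    $lastOk   = ConvertTo-DateOrNull $l.'Last Success Time'
    $failures = 0; [void][int]::TryParse($l.'Number of Failures', [ref]$failures)
    if ($failures -gt 0 -or -not $lastOk -or $lastOk -lt $cutoff) {
        [pscustomobject]@{
            Destination = $l.'Destination DSA'
            Source      = $l.'Source DSA'
            Partition   = $l.'Naming Context'
            Failures    = $failures
            LastSuccess = $lastOk
            LastStatus  = $l.'Last Failure Status'
        }
    }
}

# 2. The same question asked through the AD module: failures each DC has recorded.
$cmdletIssues = Get-ADReplicationFailure -Target $Forest -Scope Forest |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

# 3. Report. No rows from either source is the healthy case.
if (-not $linkIssues -and -not $cmdletIssues) {
    Write-Output "No replication failures or stale links (threshold ${StaleHours}h) in $Forest."
} else {
    Write-Output '--- repadmin /showrepl /csv: failing or stale inbound links ---'
    $linkIssues   | Format-Table -AutoSize
    Write-Output '--- Get-ADReplicationFailure -Scope Forest ---'
    $cmdletIssues | Format-Table -AutoSize
}
```

A link that shows zero failures but a Last Success Time older than the threshold is the case repadmin /showrepl /errorsonly alone does not surface, which is why both conditions are checked.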
In Chapter 16, Advanced AD Management with PowerShell, I shared some scripts we can use for AD replication troubleshooting. I also explained some other PowerShell cmdlets we can use for troubleshooting and information gathering.