Active Directory: Repadmin Tool
Introduction
Active Directory (AD) was one of the first LDAP-based directories to adopt and implement a multi-master replication model. In a multi-master replication model there is no single "master" or sole writable Domain Controller in the domain. Instead, all Domain Controllers are writable except Read-Only Domain Controllers (RODCs).
While the multi-master replication model is extremely popular and useful, it also increases complexity, because AD objects can be created, deleted or modified on any Domain Controller (excluding RODCs). This makes Active Directory replication complex and difficult to troubleshoot.
In this article, we will discuss how we can leverage the built-in Repadmin tool to view and troubleshoot replication issues.
The Repadmin tool
Microsoft offers a useful built-in tool called Repadmin, which can be considered the all-purpose tool for AD replication.
With Repadmin we can do many things, including the following:
- Capture replication summary status of an entire forest
- Capture replication status for each naming context (partition) across all Domain Controllers in a forest
- View replication partners of a Domain Controller
- Initiate replication event between two replication partners
- Check the replication queue status
- View connection objects for a Domain Controller
- View highest Update Sequence Number on a Domain Controller
- View unreplicated changes between two Domain Controllers
Capture replication summary status of an entire forest
The repadmin /replsummary command shows a summary of AD replication for the entire forest.
It is one of the commands most frequently used by AD administrators, and probably the fastest and easiest way to get the overall status of AD replication across the entire forest.
We recommend using this command with the following switches:
repadmin /replsummary /bysrc /bydest /sort:delta
This ensures that both the Source DSA and Destination DSA tables appear in the output, sorted by the largest delta value. We will discuss the delta value in the next section.
Using a PowerShell script, we can schedule this command to run on a daily basis, with the result stored in a date-wise subfolder. Click here to download the PowerShell script.
We strongly recommend monitoring the replication summary report on a daily basis and, if possible, twice a day. By capturing and monitoring this report daily, many issues can be identified and mitigated proactively.
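The scheduled capture described above, written out as an added PowerShell example (this is not the article's downloadable script). The report root C:\ReplReports, the 90-day retention and the script path in the schtasks comment are assumed values.

```powershell
# Added example (not the article's downloadable script): capture the forest
# replication summary into a date-wise subfolder so reports can be reviewed
# daily and compared over time. Report root and retention are assumed values.
param(
    [string]$ReportRoot    = 'C:\ReplReports',   # assumed root folder
    [int]   $RetentionDays = 90                  # assumed retention period
)

# One subfolder per day, e.g. C:\ReplReports\2024-05-01
$dayFolder = Join-Path $ReportRoot (Get-Date -Format 'yyyy-MM-dd')
New-Item -ItemType Directory -Path $dayFolder -Force | Out-Null

# Time-stamped file name so a twice-daily run keeps both reports
$reportFile = Join-Path $dayFolder ('replsummary_{0}.txt' -f (Get-Date -Format 'HHmm'))

# The switches recommended above: source and destination DSA tables, largest delta first
$output = & repadmin.exe /replsummary /bysrc /bydest /sort:delta 2>&1 | ForEach-Object { "$_" }
$output | Out-File -FilePath $reportFile -Encoding utf8

# Summary rows look like "DC1   00m:05s   0 /   5   0" followed by optional error text.
# Flag any row whose fails count (the number before the slash) is greater than zero,
# so a scheduled run can alert instead of relying on someone opening the file.
$failing = foreach ($line in $output) {
    if ($line -match '^\s*(\S+)\s+.+?\s+(\d+)\s*/\s*(\d+)\s+\d+' -and [int]$Matches[2] -gt 0) {
        '{0}: {1} of {2} replica links failing' -f $Matches[1], $Matches[2], $Matches[3]
    }
}

if ($failing) {
    Write-Warning ("Replication failures found, see {0}`n{1}" -f $reportFile, ($failing -join "`n"))
} else {
    Write-Host "No replication failures reported; saved $reportFile"
}

# Prune day folders older than the retention period
Get-ChildItem -Path $ReportRoot -Directory |
    Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$RetentionDays) } |
    Remove-Item -Recurse -Force

# To run this daily at 06:00 as a scheduled task (script path is assumed):
#   schtasks /Create /SC DAILY /ST 06:00 /TN "AD ReplSummary" /TR "powershell.exe -NoProfile -File C:\Scripts\Get-ReplSummary.ps1"
```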
Understanding the output of this command
a) In the above diagram, each dot after the first three represents a domain controller. There are 7 dots in this diagram, so there are a total of 4 domain controllers in the forest.
b) Largest delta denotes the longest replication gap amongst all replication links for a particular domain controller.
c) Total is the number of replica links for a particular domain controller (one for each naming context on each domain controller). Please note that this is not the number of connection objects or replication partners per domain controller.
d) Fail is the total number of replica links failing to replicate for one reason or the other. This will never be greater than the Total field.
e) Percentage is the percentage of failures in relation to the total replica links on the domain controller.
When we look at the above diagram, we will notice that it is divided into two main sections: Source DSA and Destination DSA. We will also notice that the same servers are listed in both sections. The reason for this is that Active Directory uses a multi-master domain model. In other words, Active Directory updates can be written to any domain controller (except RODCs). Those updates are then replicated to the other domain controllers in the domain. This is why we see the same domain controllers listed as both source and destination DSAs. If our domain contained any read-only domain controllers, they would be listed only in the Destination DSA section.
Capture replication status for each naming context (partition) across all Domain Controllers in a forest
Repadmin /showrepl * /csv > <CSV file Path>
This command captures the replication status for each Naming Context for all Domain Controllers in an entire forest. The "*" represents all Domain Controllers in a forest. The result will be exported to a CSV file.
Example: Repadmin /showrepl * /csv > c:\replication\replication.csv
For every domain controller in the forest, the spreadsheet shows the source replication partner, the time that replication last occurred, and the time that the last replication failure occurred for each naming context (directory partition).
If all values in the "Last Failure Time" column are equal to zero (0), there is no error in any directory partition replication on any Domain Controller. We can filter out the zero values to see only the links with errors.
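The CSV export and filtering described above, as an added PowerShell example (not the article's code). It uses the file path from the article's example and the column names that repadmin /showrepl /csv emits.

```powershell
# Added example (not from the article): export the forest-wide showrepl CSV and keep
# only the rows whose "Last Failure Time" is not zero, i.e. links that have failed.
$csvPath = 'C:\replication\replication.csv'   # path used in the article's example
New-Item -ItemType Directory -Path (Split-Path $csvPath) -Force | Out-Null

# '*' = every DC in the forest; /csv writes one row per destination DSA, naming context and source DSA
& repadmin.exe /showrepl '*' /csv | Out-File -FilePath $csvPath -Encoding utf8

$rows = Import-Csv -Path $csvPath

# A "Last Failure Time" of 0 means the link has no recorded failure
$failures = $rows | Where-Object { $_.'Last Failure Time' -ne '0' }

if (-not $failures) {
    Write-Host ("All {0} replica links healthy; no failures recorded." -f $rows.Count)
    return
}

# Worst links first, then a per-destination roll-up so one unreachable source
# that affects every partition shows up as a single problem partner
$failures |
    Sort-Object { [int]$_.'Number of Failures' } -Descending |
    Select-Object 'Destination DSA', 'Naming Context', 'Source DSA',
                  'Number of Failures', 'Last Success Time', 'Last Failure Time', 'Last Failure Status' |
    Format-Table -AutoSize

$failures |
    Group-Object 'Destination DSA' |
    Select-Object @{Name = 'Destination DSA'; Expression = { $_.Name }},
                  @{Name = 'Failing links';   Expression = { $_.Count }},
                  @{Name = 'Sources';         Expression = { ($_.Group.'Source DSA' | Sort-Object -Unique) -join ', ' }} |
    Format-Table -AutoSize
```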
View replication partners of a Domain Controller
The repadmin /showrepl command displays the replication partners of a Domain Controller.
This command is also used to find the objectGUID and InvocationID for a server for use with other operations.
No parameters are required for the showrepl operation.
Understanding the output of the above command
The command displays all inbound replication partners per naming context. In the above diagram, the command displays replication partners for all 6 naming contexts (or NTDS partitions). In this case, for each naming context, replication partners are DC1 and DC2.
a) DC=subhro, DC=com : This is the naming context for the domain naming context, which is only replicated with all domain controllers within a single domain (and not across any other domains in the forest).
Note: the Domain Naming context is represented by the domains distinguish name.
b) CN=Configuration,DC=subhro,DC=com : This is the naming context for the configuration naming context, which is replicated to every domain controllers in the forest.
c) CN=Schema,CN=Configuration,DC=subhro,DC=com : This is the naming context for the schema naming context, which is replicated to every domain controllers in the forest. However, please note that schema is writable only by the domain controller which holds the “Schema Master” role.
Note: Schema NC is a sub-container of the configuration NC.
d) DC=DomainDnsZones,DC=subhro,DC=com : This is the application directory partition for the Domain DNS zones.
e) DC=ForestDnsZones,DC=subhro,DC=com : This is the application directory partition for the Forest DNS zones.
Initiate replication event between two replication partners
The repadmin /replicate command is used to initiate replication between two Domain Controllers that are direct replication partners of each other.
Syntax: repadmin /replicate <Dest_DSA_List> <Source_DSA_Name>
Please note: We do not recommend using the /force option unless required, as it will force replication to a DC even if that DC's database is corrupted or a USN rollback has occurred.
In the below example, we have initiated a replication from DC1 to DC.
View Replication Metadata for an object
The repadmin /showobjmeta command is used to view the replication metadata of an AD object. This is another useful command, which can be used to track changes to an AD object and identify when a change happened, what changed and on which Domain Controller.
Syntax: repadmin /showobjmeta <DCname> "Object's DN"
Example: repadmin /showobjmeta DC "CN=subhro,CN=users,DC=subhro,DC=com"
For more details on replication metadata, please refer to this article.
Check the replication queue status
The repadmin /queue command shows how many items are in the queue waiting to be replicated.
Understanding the output of this command
If we look at the above diagram, we can see that there are currently no items in our queue. In a small environment where replication is very quick, we may not see any items in the queue. However, in a large and dynamic environment with a huge number of domain controllers in multiple sites and very frequent AD updates, we should normally see some items in the queue.
View connection objects for a Domain Controller
repadmin /showconn shows the connection objects for a server.
Understanding the output of this command
A connection object is an Active Directory object that represents a logical connection from one domain controller to another. A connection object specifies which domain controllers replicate with which domain controllers, how often, and which naming contexts are involved.
For example, when we open the “Active Directory Sites and Services” console, and click on the “NTDS Settings” under DC, we observe that there are two inbound connection objects:
1) An inbound connection object from DC2. This connection object's ID is:
subhro.com/Configuration/Sites/Default-First-Site-Name/Servers/DC/NTDS Settings/23f23c7c-7deb-4282-a9f2-5625ad0c1e32
2) An inbound connection object from DC1. This connection object's ID is:
subhro.com/Configuration/Sites/Default-First-Site-Name/Servers/DC/NTDS Settings/e61f3b65-6e14-4c20-b037-37d49db3cce1
The diagram below shows all connection objects between the four domain controllers in our environment. There are 8 connection objects in total.
Now, when we run the command repadmin /showconn, it displays all 8 connection objects with detailed information about each of them.
The figure below shows a partial screenshot of the command output; two connection objects are displayed in this diagram.
View highest Update Sequence Number on a Domain Controller
repadmin /showutdvec shows the highest USNs for a specified directory partition on each replication partner.
Understanding the output of this command
In the above diagram, we can see the High Watermark Vector table (HWVT) for the domain, configuration and schema partitions of two domain controllers, DC1 and DC2, which are direct replication partners of the Domain Controller DC.subhro.com.
For example, the first command, repadmin /showutdvec dc "dc=subhro,dc=com", shows the highest USNs of all DCs for the domain partition (naming context).
View unreplicated changes between two Domain Controllers
repadmin /showchanges is used for two purposes:
- It shows the un-replicated changes between two servers.
- It creates a file to determine what changes have occurred over a period of time for a particular naming context (partition).
Purpose 1: View the un-replicated changes between two servers.
Parameters:
a) objectGuid of the directory partition on the source server (which we can get from the repadmin /showrepl command)
b) Name of the directory partition.
In the above example, DC.subhro.com is the source server and dc1.subhro.com is the destination server. So we need to include the destination server, DSA object GUID of source server, and the partition (in this case domain partition) for which we want to know the unreplicated changes.
Understanding the output of this command
- When we executed the command for the first time, there were no unreplicated changes between DC and DC1, so "No Changes" was shown in the output.
- However, when we then created a new user (user25) on DC and immediately ran the command again, we got the output below.
This indicates that the creation of “user25” is yet to be replicated from DC to DC1.
Summary
Repadmin is the built-in tool provided by Microsoft to monitor replication status and troubleshoot replication-related issues. In this article, we have discussed some of the most important and commonly used commands of the Repadmin tool.