Репликация Active Directory
Repadmin: How to Check Active Directory Replication
Example 2: Summarize the replication status and view the overall health
The first command you should use is replsummary. This command will quickly show you the overall replication health. This command will show you the percentage of replication attempts that have failed as well as the largest replication deltas.
repadmin /replsummary
Results displayed
:\WINDOWS\system32>repadmin /replsummary Replication Summary Start Time: 2018-03-13 04:44:54 Beginning data collection for replication summary, this may take awhile: ..... Source DSA largest delta fails/total %% error DC1 52m:48s 0 / 5 0 DC2 52m:46s 0 / 5 0 Destination DSA largest delta fails/total %% error DC1 52m:46s 0 / 5 0 DC2 52m:48s 0 / 5 0
Example 3: Show replication partner and status
Next, use the following command to see the replication partner as well as the replication status. This helps you understand the role of each domain controller in the replication process.
In addition, this command displays the GUID of each object that was replicated and its result. This is helpful to identify what objects are failing to replicate.
repadmin /showrepl
Results displayed
C:\Users\rallen>repadmin /showrepl
Repadmin: running command /showrepl against full DC dc1.ad.activedirectorypro.com
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72
==== INBOUND NEIGHBORS ======================================
DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.
CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.
CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.
DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.
DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.
Example 4: Show replication partner for a specific domain controller
If you want to see the replication status for a specific domain controller use this command.
replace <ServerName> with the name of your domain controller.
repadmin /showrepl <ServerName>
Results displayed
C:\WINDOWS\system32>repadmin /showrepl dc2
Default-First-Site-Name\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
DSA invocationID: 2eb95693-bfa7-4f3f-b52c-139737aa883f
==== INBOUND NEIGHBORS ======================================
DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 04:21:02 was successful.
CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 03:52:07 was successful.
CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 03:52:07 was successful.
DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 03:52:07 was successful.
DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 03:52:07 was successful.
Example 5: Show only Replication Errors
The showrepl command can output a lot of information. If you want to see only the errors use this command. In this example, DC2 is down, you can see the results are all errors from DC2.
C:\WINDOWS\system32>repadmin /showrepl /errorsonly
Repadmin: running command /showrepl against full DC dc1.ad.activedirectorypro.com
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72
==== INBOUND NEIGHBORS ======================================
DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.
CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.
CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.
DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.
DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.
Source: Default-First-Site-Name\DC2
******* 1 CONSECUTIVE FAILURES since 2018-03-14 07:52:08
Last error: 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
Example 6: Show replication Queue
It is normal to see items in the queue. If you have a small environment it will often be at zero because there are few replications that occur. If you notice items sitting in the queue and they never clear out, you have a problem.
Use this command to view the replication queue
Repadmin /Queue
Results displayed
C:\Users\rallen>repadmin /queue Repadmin: running command /queue against full DC dc1.ad.activedirectorypro.com Queue contains 0 items.
Example 7: How to Force Active Directory Replication
Use the following command if you want to force replication between domain controllers. You will want to run this on the DC that you wish to update. For example, if DC1 is out of sync I would run this on DC1.
This will do a pull replication, which means it will pull updates from DC2 to DC1.
repadmin /syncall dc1 /Aed
If you want to push replication you will use the /P switch. For example if you make changes on DC1 and want to replicate those to other DCs use this command.
repadmin /syncall dc1 /APed
Results displayed
C:\WINDOWS\system32>repadmin /syncall dc1 /Aed
Syncing all NC's held on dc1.
Syncing partition: DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
Syncing partition: DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
Syncing partition: CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
Syncing partition: CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
Syncing partition: DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
Example 8: Export results to text file
Sometimes these commands can display a lot of information. You can export any of the examples above to a text file, this makes it a little easier to review at a later time or save for documentation.
just add > c:\destination folder\filename.txt to the end of any of the commands
Here are a few examples
repadmin /replsummary > c:\it\replsummary.txt
repadmin /showrepl > c:\it\showrepl.txt
More examples
Find the last time your DC was backed up
Repadmin /showbackup *
Displays calls that have not yet been answered
repadmin /showoutcalls *
List the Topology information
repadmin /bridgeheads * /verbose
Inter Site Topology Generator Report
repadmin /istg * /verbose
Conclusion
As a system administrator, it is important that you know how to troubleshoot and verify replication is working correctly. The repadmin is a simple yet powerful tool that you should know how to use.
I hope you found this guide useful. If you have any questions leave a comment below. If you liked this article, check out: How to Use NSLookup to Check DNS Records.