To keep your Active Directory in the best shape, you should periodically check the replication between domain controllers using the repadmin and dcdiag tools.
The repadmin command line tool can monitor replication, track replication failures between domain controllers, and force data replication.
Active Directory replication is fully automated; with proper planning and configuration of the AD architecture, sites, and replication schedules, it needs almost no manual intervention from system administrators.
In small AD domains with several DCs (2-5), replication is usually fine. But in large infrastructures with tens and hundreds of domain controllers, the administrator often has to intervene in the replication process and correct errors.
This post walks through repadmin examples for monitoring Active Directory replication between domain controllers. The examples use two domain controllers with the following details.
Server Name | Site | Subnet | IP Address | Operating System
---|---|---|---|---
DC-CALIFORNIA.theitbros.com | WEST-US | 10.1.3.0/24 | 10.1.3.4 | Windows Server 2019
DC-VIRGINIA.theitbros.com | EAST-US | 10.0.2.0/24 | 10.0.2.4 | Windows Server 2019
Getting the Repadmin Tool
The repadmin utility in Windows Server 2003 was included in the Support Tools package, which needed to be downloaded and installed manually. In Windows Server 2008 R2 and higher, the repadmin tool is automatically installed on the domain controller when you install the ADDS (Active Directory Domain Services) role.
Repadmin is also available on Windows desktop computers once the Remote Server Administration Tools (RSAT) are installed.
To view the repadmin command built-in help and options, run the below command in PowerShell or CMD.
repadmin /?
If you want help with specific options, you can append a colon followed by the option. For example, to view the help for the showattr option:
repadmin /?:showattr
Tip. To display detailed information in any command, append the /verbose argument.
Checking the Domain Controller Availability and Replication Features
The basic availability of the LDAP directory on a specific DC can be checked by running the repadmin /bind command. This command also shows the enabled extensions and security information.
```powershell
# Check the localhost (if the localhost is a DC)
repadmin /bind
# Check a specific DC
repadmin /bind <DC Name>
# Check all DCs
repadmin /bind *
```
Viewing the Replication Summary and Health
For an overview of replication health, the /replsummary option is the best starting point.
To quickly check the replication health between domain controllers, run the below command:
```powershell
# Summarize the replication state and relative health of a forest.
repadmin /replsummary
```
As you can see, only two domain controllers exist in this environment. According to the summary result, there are no replication errors.
Showing the Last Replication Status
The following command shows the status of the last attempted replication by a domain controller. If you suspect a domain controller is not receiving updates successfully, this command can help quickly confirm it.
```powershell
# Target the DC on the localhost
repadmin /showrepl
# Target a specific domain controller
repadmin /showrepl <DC Name>
# Target all domain controllers
repadmin /showrepl *
```
As you can see below, the command checked the replication status of the DC on the localhost because no DC name was specified. Based on the result, the replication attempts for all partitions were successful.
If you want to show only the errors, append the /errorsonly argument.
The PowerShell cmdlet equivalent of this command is Get-ADReplicationPartnerMetadata.
```powershell
# Target a specific DC
Get-ADReplicationPartnerMetadata -Target <DC Name>
```
Displaying the Replication Queue
In large deployments, you may notice that some DCs lag behind others in replication. Running the /queue command shows whether there are pending inbound replication requests on the DC.
```powershell
# Queue on the local DC
repadmin /queue
# Queue on a specific DC
repadmin /queue <DC Name>
# Queue on all DCs
repadmin /queue *
```
The equivalent PowerShell cmdlet is Get-ADReplicationQueueOperation.
```powershell
# Target the local host as the DC
Get-ADReplicationQueueOperation -Server localhost
# Target a specific DC
Get-ADReplicationQueueOperation -Server <DC Name>
# Target all DCs
(Get-ADDomainController -Filter *).HostName | `
    ForEach-Object { Get-ADReplicationQueueOperation -Server $_ }
```
This cmdlet returns nothing if the queue is empty.
Recalculating the Inbound Replication Topology
Each DC runs the Knowledge Consistency Checker (KCC) every 15 minutes by default. The KCC ensures that the DC is aware of its neighbors.
For example, run the command below to force the KCC to run on every DC in the EAST-US site.
repadmin /kcc site:EAST-US
The output shows the AD site and the consistency check result of each DC on that site.
Forcing Replication Between Two Domain Controllers
To force the replication of a specific partition between DCs, you can run the repadmin /replicate command.
repadmin /replicate <destination DC> <source DC> <partition>
For example, the command below forces the replication of the DC=theitbros,DC=com partition from the DC-VIRGINIA to DC-CALIFORNIA.
repadmin /replicate DC-CALIFORNIA DC-VIRGINIA DC=theitbros,DC=com
Forcing a Replication with All Partners
The repadmin /replicate command replicates a single directory partition between a specified source and destination DC, which is the more surgical way to force replication. If you instead want to force a specific DC to replicate with all of its replication partners, use the repadmin /syncall command.
Pull Replication
Run this command to initiate a pull replication of all partitions (naming contexts). This example uses DC-CALIFORNIA as the destination DC.
repadmin /syncall DC-CALIFORNIA /A /a /d /e
The following flags are used:
- /A — Sync all partitions (naming contexts) held by the specified server.
- /a — Abort if the server is unavailable.
- /d — Show the server’s distinguished names (DN) instead of GUID.
- /e — Enable cross-site replication.
Notice that the target or destination is the specified DC for every replication.
Push Replication
In contrast, you can force a push replication from a specific DC to all of its replication partners by appending the /P flag to the same command. The example below pushes replication data from DC-CALIFORNIA to all of its partners.
repadmin /syncall DC-CALIFORNIA /A /a /d /e /P
You’ll notice that this time, the source of the replications is the specific DC, which is DC-CALIFORNIA.
Monitoring Active Directory Replication using PowerShell
Of all the commands we’ve demonstrated, the repadmin /showrepl is the most likely candidate for monitoring automation. It shows essential information about the replication status of the server and its partners.
We’ll use this command to generate a report you can display on the screen or email.
Copy the code below and save it as Invoke-ADReplicationReport.ps1. You can also download this script from this Gist.
```powershell
[cmdletbinding()]
param (
    [parameter()]
    [string]
    $Server,
    [Parameter()]
    [hashtable]
    $EmailReport
)

# If no Server is specified, we will use the local computer.
if (-not($Server)) {
    $Server = $env:COMPUTERNAME
}

# Run repadmin /showrepl in CSV mode and reshape the columns for the report.
$replStatus = $(
    repadmin /showrepl $Server /csv | ConvertFrom-Csv | Select-Object `
        @{n = 'From'; e = { "$($_.'Source DSA Site')\$($_.'Source DSA')" } },
        @{n = 'To'; e = { "$($_.'Destination DSA Site')\$($_.'Destination DSA')" } },
        @{n = 'Partition'; e = { "$($_.'Naming Context')" } },
        @{n = 'FailureCount'; e = { "$($_.'Number of Failures')" } },
        @{n = 'LastFailureStatus'; e = { "$($_.'Last Failure Status')" } },
        @{n = 'LastFailureTime'; e = { "$($_.'Last Failure Time')" } },
        @{n = 'LastSuccessTime'; e = { "$($_.'Last Success Time')" } }
)

# Without email parameters, output the report to the screen and stop.
if (-not($EmailReport)) {
    return $replStatus
}

$head = @'
<style>
h1 { font-family: "Arial Black", arial, sans-serif; }
table { font-family: Consolas, Tahoma, arial, sans-serif; border-collapse: collapse; /* width: 100%; */ }
td, th { border: 1px solid #dddddd; text-align: left; padding: 8px; }
</style>
'@

$htmlSplat = @{
    Title      = 'Active Directory Replication Health'
    PreContent = "<H1>Active Directory Replication Health</H1><p>"
    Head       = $head
}

# Convert the report to HTML and send it with the supplied mail parameters.
Send-MailMessage @EmailReport -Body $(($replStatus | ConvertTo-Html @htmlSplat) -join "`n")
```
Display the Report on the Screen
To run this script, open PowerShell and run it without parameters.
```powershell
# Display the replication status of the local DC and its partners.
.\Invoke-ADReplicationReport.ps1

# Display the replication status of the specified DC and its partners.
.\Invoke-ADReplicationReport.ps1 -Server DC-VIRGINIA

# Display the replication status of all DCs.
.\Invoke-ADReplicationReport.ps1 -Server *
```
Send the Report as an Email
If you would rather receive the report by email, run the command below. Make sure to update the email parameters: the -EmailReport hashtable accepts the same parameters as the Send-MailMessage cmdlet.
```powershell
# Generate the replication report of all DCs and send it via email

# Define the email parameters
$emailReport = @{
    SmtpServer = 'mail.theitbros.com'
    From       = 'monitoring@theitbros.com'
    To         = 'alpha@theitbros.com'
    Subject    = 'Active Directory Replication Health'
    BodyAsHTML = $true
}

# Generate the report and send it via email
.\Invoke-ADReplicationReport.ps1 -Server * -EmailReport $emailReport
```
And you’ll receive a similar report in your mailbox.
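The report script above lists every partner, but for scheduled monitoring you usually want only the rows that need attention. The function below is an added example, not part of the original script, that parses the same repadmin /showrepl /csv columns and flags partners with a non-zero failure count or a last success older than an assumed 24-hour threshold; the CSV rows at the bottom are constructed sample data in the layout repadmin emits, not captured output.

```powershell
# Added example: evaluate repadmin /showrepl /csv rows and flag unhealthy partners.
function Test-ADReplicationCsv {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)] [string[]] $CsvLines,   # raw lines from: repadmin /showrepl <DC> /csv
        [int] $MaxHoursSinceSuccess = 24               # assumed threshold, not a repadmin default
    )
    foreach ($r in ($CsvLines | ConvertFrom-Csv)) {
        $failures = [int]$r.'Number of Failures'
        # repadmin writes 0 when a partner has never replicated successfully.
        $lastOk = $null
        if ($r.'Last Success Time' -and $r.'Last Success Time' -ne '0') {
            $lastOk = [datetime]$r.'Last Success Time'
        }
        $stale = (-not $lastOk) -or (((Get-Date) - $lastOk).TotalHours -gt $MaxHoursSinceSuccess)
        [pscustomobject]@{
            To             = "$($r.'Destination DSA Site')\$($r.'Destination DSA')"
            From           = "$($r.'Source DSA Site')\$($r.'Source DSA')"
            Partition      = $r.'Naming Context'
            Failures       = $failures
            LastSuccess    = $lastOk
            LastStatus     = $r.'Last Failure Status'
            NeedsAttention = ($failures -gt 0) -or $stale
        }
    }
}

# Constructed sample rows (not real output): the first partner is healthy, the
# second has been failing for two days with status 1722 (RPC server unavailable).
$recent = (Get-Date).AddHours(-1).ToString('yyyy-MM-dd HH:mm:ss')
$old    = (Get-Date).AddDays(-2).ToString('yyyy-MM-dd HH:mm:ss')
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    "showrepl_INFO,WEST-US,DC-CALIFORNIA,""DC=theitbros,DC=com"",EAST-US,DC-VIRGINIA,RPC,0,0,$recent,0",
    "showrepl_INFO,WEST-US,DC-CALIFORNIA,""CN=Configuration,DC=theitbros,DC=com"",EAST-US,DC-VIRGINIA,RPC,17,$recent,$old,1722"
)

# Only the Configuration partition row is reported; on a real DC replace $sample
# with: repadmin /showrepl <DC Name> /csv
Test-ADReplicationCsv -CsvLines $sample | Where-Object NeedsAttention | Format-Table -AutoSize
```

Feeding the function the output of repadmin /showrepl * /csv gives a forest-wide list of partners to investigate, which is a better trigger for an alert than the full report.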
Summary
That’s it! We’ve covered the basics of using repadmin to monitor the Active Directory replication health. We’ve learned the different options, flags, and some of their PowerShell equivalents.
We’ve also created a simple script that generates an AD replication report that can be displayed on the screen or sent via email. You can run this script as a scheduled task so that you don’t need to run it manually for monitoring.