When you have multiple domain controllers then they constantly sync with each other. But how can you check if everything is synced correctly? Or if the synchronization is even running? This is where the RepAdmin tool comes in.
RepAdmin is the Active Directory replication diagnostics tool, which is installed on all domain controllers running Windows Server 2008 and newer. You can also install RepAdmin on other computers by installing the Remote Server Administration Tools (RSAT).
In this article
In this article, we are going to take a look at how to use RepAdmin and what to look for in the diagnostics results.
RepAdmin
The RepAdmin tool is primarily used to force replication between the domain controllers or to diagnose replication issues in your network. It can also be used to manually configure the replication topology of your domain, but that isn’t really recommended.
We are going to focus on the most commonly used commands:
| Command | Description |
|---|---|
| repadmin /replsummary | Show summary of failing in- & outbound connections |
| repadmin /showrepl | Shows status per naming context between two domain controllers |
| repadmin /queue | Displays inboud replication queue |
| repadmin /syncall | Synchronizes a specified domain controller |
| repadmin /syncall /AdeP | Push changes outwards to all domain controllers |
| repadmin /replicate | Displays inbound replication queue |
Replication Summary
One of the primary functions of repadmin is to monitor the replication status between the domain controllers. There are two options to do this, we can either view the status of the synchronization of all domain controllers, by using the command repadmin /replsummary, or we can view the status with the direct neighbor of the domain controller, with repadmin /showrepl.
Tip
Quickly check the health of all your Domain Controllers with this free script. View the results in the PowerShell console or export to HTML
The first step is to start with a complete overview. This will show the largest delta between the different domain controllers and if there are any errors:
repadmin /replsummary # Result Source DSA largest delta fails/total %% error LA-SRV-DC01 05m:32s 0 / 5 0 LAZYSRVLAB03 :54s 0 / 5 0 Destination DSA largest delta fails/total %% error LA-SRV-DC01 :54s 0 / 5 0 LAZYSRVLAB03 04m:37s 0 / 5 0
So what does this all mean? Let’s explain what we are looking at. You will see two tables with stats, the first one is the Source DSA. These are the stats for the outgoing replications. The latter, Destination DSA are the incoming replications.
The largest Delta is always an interesting one. It tells us the longest time a connection between two domain controllers isn’t used. Now this can go up to 60 min, which is actually pretty normal. Let me explain; within your domain, some changes are replicated within seconds, like password resets. But others, like schema changes, don’t happen that often and are only checked once per hour. The domain controllers check at least (pol) every hour for changes, so that is why the time can get up to 60 minutes.
The field total shows the number of replication links the domain controller has. Fails tells us how many of those are failed (should be zero of course) and %% is the percentage of the failed links out of the total.
When there is an error, then the error code is shown in the error field.
Zooming in on Replications
In case of errors, you will need to zoom in on the replication to view what is going wrong. To do this we can use the command repadmin /showrepl. This will show all inbound connections and their status.
repadmin /showrepl
Again, let’s explain what we are looking at:
- Name of the domain controller that the command is run against to
- IS_GC stands for Is Global Catalog
- Replication Context
- Last replication attempt
We can zoom in further by adding the parameter /all, which will also add the outbound connections and the KCC connection objects. If you have a lot of connections, which can happen when you have a lot of domain controllers, then I recommend adding the parameter /errorsonly. As the name implies, this will show only the connection that is in an error state. Making it easier to troubleshoot any issues.
Show Replication Queue
A small queue of replications is normal in large environments, but for smaller networks, the replication queue should pretty much always contain 0 items. If you have replication issues, then monitoring the queue is a good way to check if your domain is healthy or not.
To view the queue we can use the following command:
repadmin /queue # Result Repadmin: running command /queue against full DC localhost Queue contains 0 items.
Force domain controller sync with repadmin syncall
Sometimes you need to force the synchronization between the domain controllers. For example, after you have created a new user on one of your domain controllers, and need that user in Microsoft 365. Then you want the new users synced as fast as possible to the domain controller that is synced with Azure AD.
The most common way to force synchronization in a single-domain environment is to run the command below. This will push all changes from the domain controller that you run the command on, to all other domain controllers. Changes that you made on other domain controllers at the same time won’t be pulled with this command:
# Push all changes out to other domain controllers repadmin /syncall /AdeP
Good to know what AdeP stands for
- A – Synchronizes all naming contexts
- d– Identifies servers by distinguished name
- e – Across all sites in the enterprise
- P – Pushes changes outward from this domain controller
Instead of pushing the changes outwards to the other domain controllers, we can also pull the changes to the domain controller on which you are running the command. For this, we only need to remove the flag P
# Pull changes to this domain controller repadmin /sycall /Ade
Other options
There are also other ways to force replication between domain controllers. We can for example force the replication of only a specific domain controller with the command repadmin /syncall followed by the domain controller name:
repadmin /syncall la-srv-dc01
We can also, for example, replicate only a specific context (directory partition) between two domain controllers. This method is primarily used when you need to troubleshoot replication errors:
# Replicate Destion DC (DC01 from Source DC (Lab03) and the naming context (Configuration) repadmin /replicate la-srv-dc01 lazysrvlab03 CN=Configuration,DC=lazyadmin,DC=nl
Wrapping Up
Repadmin is a great tool to quickly diagnose the health of your domain or to force the replication between multiple domain controllers. Keep in mind that force replication in large domains, or between domain controllers with a slow network connection, can cause more issues than it solves. So use it with caution in these cases.
Also make sure that you check out this domain controller health report script, which you can easily schedule to run every week.
I hope you liked this article, if you have any questions, just drop a comment below.
There is a typo: repadmin /sycall /AdeP
Is: repadmin /syncall /AdeP
Thanks