Windows Server How-To

How To Use Repadmin for Active Directory Troubleshooting

The Windows Server tool Repadmin can be your best friend when trying to pinpoint and fix Active Directory issues.

Most of the time Active Directory replication seems to work pretty well. When the replication process does break down however, troubleshooting the problem can sometimes be surprisingly difficult. Thankfully, the Windows operating system includes a command line tool called Repadmin that you can use to diagnose (and in some cases repair) Active Directory replication.

The Repadmin tool has been a part of the Windows Server operating system since at least Windows Server 2003, and is alive and well in Windows Server 2012 R2. To use the Repadmin tool, you must open an elevated Command Prompt window. This can be done in Windows Server 2012 and Windows Server 2012 R2 by right clicking on the Start button and then choosing the Command Prompt (Admin) option from the shortcut menu.

The way that you would use Repadmin depends on exactly what it is that you are trying to accomplish. For the purposes of this article, I will show you the basics. The techniques that I am about to describe assume that you are running Repadmin directly on a domain controller and that you are logged in as a domain administrator.

The first command that you probably want to run is:

Repadmin /replsummary

You can see an example of this command in Figure 1.

[Click on image for larger view.]  Figure 1. The Repadmin /Replsummary command provides an active directory replication summary.

As you can see in the figure above, this command provides you with a summary view of the current replication health. So let's take a look at this summary in a bit more detail.

As you look at the figure, you will notice that it is divided into two main sections -- Source DSA and Destination DSA. You will also notice that the same servers are listed in both sections. The reason for this is that the Active Directory uses a multi master domain model. In other words, Active Directory updates can be written to any domain controller (with read-only domain controllers being the notable exception). Those updates are then replicated to the other domain controllers in the domain. This is the reason why you see the same domain controllers listed as both source and destination DSAs. If my domain contained any read only domain controllers, they would only be listed in the Destination DSA section.

Of course the replication summary report does more than just list your domain controllers. It also lists the largest replication deltas. You can also see the total number of replications that have recently been attempted, as well as how many of those attempts failed. You can even see the percentage of attempts that resulted in an error.

Obviously the summary is a good starting place, but you might be wondering what other types of information we can see.  Here's another interesting command to take a look at:

Repadmin /Queue
The Repadmin /queue command shows you how many items are in the queue waiting to be replicated.

[Click on image for larger view.]  Figure 2. An empty queue list.

If you look at Figure 2, you can see that there are currently no items in my queue. It's actually normal to see some items in the queue. The only reason why my queue is showing zero items is because I work in a small shop with infrequent Active Directory updates. So if you see items in your queue, it does not necessarily indicate a problem. It's only a problem if those items sit in the queue indefinitely or if the queue length increases indefinitely.

OK, so there is nothing in my Active Directory queue right now, but if you look back at Figure 1, you will recall that there were five recent replication operations that completed successfully. What if I wanted to know more about those five objects? Well, in that type of situation, I could use the following command:

Repadmin /Showrepl
As you can see in Figure 3, this command displays the GUID of each object that was initially replicated, as well as the replication result. This is useful because you may find that there is a single object for which replication is failing.

[Click on image for larger view.]  Figure 3. You can see the results of attempted replication operations by using the Repadmin /showrepl command.

So what can you do if you suspect that there may be a problem with Active Directory replication? Well, the Repadmin command supports about a dozen different switches that you can use to correct a wide variety of problems. The first thing that I would recommend doing however, is running the Repadmin /replicate command. This command manually initiates the replication process. If that does not fix your problem then I recommend checking out the TechNet documentation for Repadmin. The documentation explains how to use some Repadmin's more advanced troubleshooting and repair functions.

About the Author

Brien Posey is a seven time Microsoft MVP with over two decades of IT experience. As a freelance writer, Posey has written many thousands of articles and written or contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and healthcare facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. When He isn't busy writing, Brien Posey enjoys exotic travel, scuba diving, and racing his Cigarette boat. You can visit his personal Web site at: www.brienposey.com.

comments powered by Disqus

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.