Windows Server How-To

How To Use Repadmin for Active Directory Troubleshooting

The Windows Server tool Repadmin can be your best friend when trying to pinpoint and fix Active Directory issues.

Most of the time, Active Directory replication seems to work pretty well. When the replication process does break down, however, troubleshooting the problem can sometimes be surprisingly difficult. Thankfully, the Windows operating system includes a command-line tool called Repadmin that you can use to diagnose (and in some cases repair) Active Directory replication.

The Repadmin tool has been a part of the Windows Server operating system since at least Windows Server 2003, and is alive and well in Windows Server 2012 R2. To use the Repadmin tool, you must open an elevated Command Prompt window. This can be done in Windows Server 2012 and Windows Server 2012 R2 by right-clicking on the Start button and then choosing the Command Prompt (Admin) option from the shortcut menu.

The way that you would use Repadmin depends on exactly what it is that you are trying to accomplish. For the purposes of this article, I will show you the basics. The techniques that I am about to describe assume that you are running Repadmin directly on a domain controller and that you are logged in as a domain administrator.

The first command that you probably want to run is:

Repadmin /replsummary

You can see an example of this command in Figure 1.

Figure 1. The Repadmin /Replsummary command provides an Active Directory replication summary.

As you can see in the figure above, this command provides you with a summary view of the current replication health. So let's take a look at this summary in a bit more detail.

As you look at the figure, you will notice that it is divided into two main sections -- Source DSA and Destination DSA. You will also notice that the same servers are listed in both sections. The reason for this is that Active Directory uses a multi-master domain model. In other words, Active Directory updates can be written to any domain controller (with read-only domain controllers being the notable exception). Those updates are then replicated to the other domain controllers in the domain. This is the reason why you see the same domain controllers listed as both source and destination DSAs. If my domain contained any read-only domain controllers, they would only be listed in the Destination DSA section.

Of course the replication summary report does more than just list your domain controllers. It also lists the largest replication deltas. You can also see the total number of replications that have recently been attempted, as well as how many of those attempts failed. You can even see the percentage of attempts that resulted in an error.

Obviously the summary is a good starting place, but you might be wondering what other types of information we can see. Here's another interesting command to take a look at:

Repadmin /Queue

The Repadmin /queue command shows you how many items are in the queue waiting to be replicated.

Figure 2. An empty queue list.

If you look at Figure 2, you can see that there are currently no items in my queue. It's actually normal to see some items in the queue. The only reason why my queue is showing zero items is because I work in a small shop with infrequent Active Directory updates. So if you see items in your queue, it does not necessarily indicate a problem. It's only a problem if those items sit in the queue indefinitely or if the queue length increases indefinitely.

OK, so there is nothing in my Active Directory queue right now, but if you look back at Figure 1, you will recall that there were five recent replication operations that completed successfully. What if I wanted to know more about those five objects? Well, in that type of situation, I could use the following command:

Repadmin /Showrepl

As you can see in Figure 3, this command displays the GUID of each object that was initially replicated, as well as the replication result. This is useful because you may find that there is a single object for which replication is failing.

Figure 3. You can see the results of attempted replication operations by using the Repadmin /showrepl command.
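
An added example (not from the original article): a PowerShell function that parses the CSV form of this report, `repadmin /showrepl * /csv`, and lists only the replication links that have failures or a stale last success. The sample rows, host names and 24-hour threshold are constructed for illustration, and the column names and timestamp format are assumed to match what your version of Repadmin prints.

```powershell
# Constructed sample in the column layout of: repadmin /showrepl * /csv
# (site, server and domain names below are made up for illustration).
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=example,DC=test",HQ,DC2,RPC,0,0,2015-03-02 10:15:42,0
showrepl_INFO,HQ,DC1,"CN=Configuration,DC=example,DC=test",HQ,DC2,RPC,0,0,2015-03-02 10:15:41,0
showrepl_INFO,HQ,DC2,"DC=example,DC=test",Branch,DC3,RPC,14,2015-03-02 10:01:07,2015-02-27 22:48:13,1722
'@

function Get-ReplicationProblem {
    param(
        [Parameter(Mandatory = $true)] [string[]] $CsvText,
        [datetime] $Now = (Get-Date),
        [int] $MaxAgeHours = 24   # assumed threshold; tune to your replication schedule
    )
    $style   = [System.Globalization.DateTimeStyles]::None
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    $CsvText | ConvertFrom-Csv |
        Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' } |
        ForEach-Object {
            # A value that does not parse (for example "0") means no recorded success.
            $last   = [datetime]::MinValue
            $parsed = [datetime]::TryParseExact($_.'Last Success Time',
                'yyyy-MM-dd HH:mm:ss', $culture, $style, [ref]$last)
            $failures = [int]$_.'Number of Failures'
            $ageHours = if ($parsed) { [math]::Round(($Now - $last).TotalHours, 1) } else { $null }
            # Report a link if it has failures, never succeeded, or last succeeded too long ago.
            if ($failures -gt 0 -or -not $parsed -or $ageHours -gt $MaxAgeHours) {
                [pscustomobject]@{
                    Destination   = $_.'Destination DSA'
                    Source        = $_.'Source DSA'
                    NamingContext = $_.'Naming Context'
                    Failures      = $failures
                    LastStatus    = $_.'Last Failure Status'
                    HoursSinceOk  = $ageHours
                }
            }
        }
}

# Run against the sample with a fixed clock so the result is repeatable.
Get-ReplicationProblem -CsvText $sampleCsv -Now ([datetime]'2015-03-02 10:30:00') |
    Format-Table -AutoSize

# On a domain controller, feed it live output instead:
#   Get-ReplicationProblem -CsvText (repadmin /showrepl * /csv)
```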

So what can you do if you suspect that there may be a problem with Active Directory replication? Well, the Repadmin command supports about a dozen different switches that you can use to correct a wide variety of problems. The first thing that I would recommend doing, however, is running the Repadmin /replicate command. This command manually initiates the replication process. If that does not fix your problem, then I recommend checking out the TechNet documentation for Repadmin. The documentation explains how to use some of Repadmin's more advanced troubleshooting and repair functions.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.
