
Repadmin diagnoses Active Directory replication issues in Windows

Repadmin troubleshoots Active Directory replication issues, but it also includes some commands that Windows administrators might not recognize.

Repadmin has been a mainstay in the Windows toolbox since Windows 2000 was introduced, and it’s perhaps the most robust tool for troubleshooting Active Directory replication issues, such as fixing lingering objects. As a staple in Microsoft’s Windows Support Tools, Repadmin is available in many of the more recent versions of Windows Server, including:

  • Windows 2000 -- located in Windows Support Tools on the server CD
  • Windows 2003 -- located in Windows Support Tools on the server CD, but can also be downloaded with the Windows 2003 SP 2 Support Tools
  • Windows 2008, 2008 R2 -- located in Remote Server Administration Tools (RSAT)
  • Alternatively, Repadmin.exe can be copied to a server directly instead of installing the Support Tools.

As a command-line tool Repadmin is equipped with several operations that Active Directory admins use on a regular basis. Here are some of the more common options and how to use them:

  • /Showrepl -- Shows the current replication status and error description for each naming context that the domain controller (DC) is replicating, and can be run remotely to see the status of any DC. The /csv switch formats the whole output as a CSV table, so errors can be spotted across a large number of DCs. An asterisk (*) in the DCList parameter runs the command against all DCs. For example:

            Repadmin /showrepl * /csv > replication.txt

  • /ReplSum (Replication Summary) -- Provides an end-to-end summary of inbound and outbound replication on every DC in the forest. It’s handy for getting a quick replication health check without wading through a lot of data. For example:

            Repadmin /replsum /bysrc /bydest /sort:delta

  • /regkey -- Configures the StrictReplicationConsistency registry key: -strict sets loose consistency and +strict sets strict consistency. All domain controllers should have this key set to strict to protect against lingering objects. To set strict behavior on all DCs, use the following command:

            Repadmin /regkey * company.com +strict

  • /showobjmeta -- Dumps all the attributes for a given object. These attributes show useful data, including when the object was created and on which DC. Version numbers for attributes are also shown to help determine if an attribute change has replicated. To track an object creation use the following command:

         C:\>repadmin /showobjmeta * "CN=HP-DC3,OU=Domain Controllers OU,DC=company,DC=com"

    In the output, there is a section for the command running on each DC. If the attributes are listed, the object has been replicated. But if an error occurs, such as DsReplicaGetInfo() failed with status 8333, then the object has not yet been replicated to that DC.
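The /showrepl /csv output described above is most useful once it is filtered. The following PowerShell script is an added example, not code from the article or from Microsoft: it runs `repadmin /showrepl * /csv`, parses the CSV with `ConvertFrom-Csv`, and lists only the replication partners that report failures. It assumes repadmin.exe is on the PATH and the account can query every DC; the `-SampleData` switch substitutes constructed rows in the column layout repadmin emits, so the parsing can be tried offline.

```powershell
# Added example (not from the article): summarise failing replication links
# from "repadmin /showrepl * /csv". Assumes repadmin.exe is on the PATH and
# the caller can query every DC; -SampleData uses constructed rows instead.

function Get-ReplicationFailure {
    param(
        [switch]$SampleData
    )

    if ($SampleData) {
        # Constructed sample rows in the column layout repadmin /showrepl /csv produces.
        $csvText = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=company,DC=com",Default-First-Site-Name,DC2,RPC,0,0,2010-01-05 09:12:01,0
showrepl_INFO,Default-First-Site-Name,DC1,"CN=Configuration,DC=company,DC=com",Branch,DC3,RPC,14,2010-01-05 08:40:13,2009-12-20 11:02:55,8606
'@
        $rows = $csvText | ConvertFrom-Csv
    }
    else {
        # repadmin writes one CSV header line followed by one row per partner/partition.
        $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    }

    # Keep only links with at least one failure and project the fields an admin
    # acts on: who is not replicating from whom, for which partition, and since when.
    $rows |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            [pscustomobject]@{
                Destination   = $_.'Destination DSA'
                Source        = $_.'Source DSA'
                NamingContext = $_.'Naming Context'
                Failures      = [int]$_.'Number of Failures'
                LastSuccess   = $_.'Last Success Time'
                LastStatus    = $_.'Last Failure Status'
            }
        }
}

# Offline run against the constructed rows; drop -SampleData to query the forest.
Get-ReplicationFailure -SampleData | Format-Table -AutoSize
```

Sorting the result by `LastSuccess` surfaces the links that have gone longest without a successful replication, which is usually where lingering objects come from.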

Repadmin options you might not know about
Although Repadmin is a well-known tool for troubleshooting replication issues, there are some commands that admins might not be as familiar with that can assist with more complex problems between domain controllers in Active Directory.

  • /replicate -- Replicates a naming context from one domain controller to one or more DCs, and is run as follows:

/replicate <Dest_DC_LIST> <Source DC_NAME> <Naming Context> [/force] [/async] [/full] [/addref] [/readonly]

The example below replicates the configuration naming context from Wtec-DC2 to Wtec-DC4. Note that the naming context is specified in distinguished name (DN) format:

     C:\Users\olseng>repadmin /replicate wtec-dc4 Wtec-dc2 cn=configuration,dc=wtec,dc=adapps,dc=hp,dc=com

     Sync from Wtec-dc2 to wtec-dc4 completed successfully.

  • /showcert -- Checks whether the Domain Controller Certificate is stored on the DC. Here’s an example of how to use /showcert:

            C:\Users\olseng>repadmin /showcert wtec-dc4

            Checking for 'Domain Controller' certificate in store
            '\\wtec-dc4\MY'...A Domain Controller Certificate was found
            with Computer Object GUID .
                   Domain Controller Certificate V2 is present.

Expert help commands in Repadmin
Some of the more powerful Repadmin commands fall under the expert help section and are intended for advanced users. To list them, run Repadmin /experthelp.

For instance, /rebuildgc DCName is used to rebuild a global catalog (GC). It essentially disables the GC partitions, builds temporary replication links to each of the domain naming contexts in the forest and replicates them back. It then cleans up all the temporary links and rebuilds the topology. On the downside, this operation is slow and can cause a heavy network hit in a large environment.

Another command that uses the expert help feature in Repadmin is: /add <Naming Context> <Dest DC> <Source DC> [/asyncrep] [/syncdisable]

It’s most useful when dcpromo doesn’t work due to a replication failure. For instance, if there is only one-way replication after using dcpromo, or if the SYSVOL and NETLOGON shares don’t show up after dcpromo reboots the machine, this command can be used to build a low-level replication link. However, the syntax isn’t spelled out in the help feature: admins must use each server’s DNS CNAME record (the GUID-based record under _msdcs) as the DestDC and SourceDC arguments. Just copy/paste the names from the DNS management snap-in for the respective servers and enter the naming context in DN format.

Note: The “good DC” is listed as the destination DC (first on the command list) and the “bad DC” (the one that won’t replicate) is listed as the source DC.

In the example below, dcpromo fails on the DC beginning with f3632fb7. The other DC in the command is any other good DC (preferably in the same site/subnet).

C:\Users\olseng>repadmin /add "dc=wtec,dc=adapps,dc=hp,dc=com" f303e249-f90e-45f8-b165-1d5552013489._msdcs.wtec.adapps.hp.com f3632fb7-1baa-4034-b765-d9b509fb36e2._msdcs.wtec.adapps.hp.com

Remember, this command only works if something is broken. Executing it on a perfectly good DC will produce an error message because a naming context cannot be added to a DC where it already exists.

The options attribute is another handy tool in Repadmin. Running Repadmin /options * lists the options set on all domain controllers in an AD forest. A single DC can be specified as well by removing the asterisk from the command. The syntax for the options attribute is as follows:

options [DC] [{+|-}IS_GC] [{+|-}DISABLE_INBOUND_REPL] [{+|-}DISABLE_OUTBOUND_REPL] [{+|-}DISABLE_NTDSCONN_XLATE]

And the parameters within this attribute include:

      • IS_GC -- Indicates that the DC is a global catalog. Absence of this option means it is not a GC.
      • DISABLE_INBOUND_REPL -- Disables inbound replication.
      • DISABLE_OUTBOUND_REPL -- Disables outbound replication.
      • DISABLE_NTDSCONN_XLATE -- Disables connections.

The following examples demonstrate different ways to use the options attribute:

Repadmin /options <DC> -- Lists the options set on the named DC (for example, repadmin /options wtec-dc2). With an asterisk in place of the DC name it reports every DC in the forest. For example:

C:\Users\olseng>repadmin /options *

repadmin running command /options against server WTEC-DC4.Wtec.adapps.hp.com

Current DC Options: IS_GC

Repadmin /options <DC> +IS_GC -- Turns a DC into a global catalog. Likewise, -IS_GC turns a global catalog back into an ordinary DC.

Note: Other options attributes disable inbound and outbound replication, which are handy for troubleshooting or for doing an authoritative restore to prevent premature replication. However, it’s important to track which options are enabled to avoid any issues.
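Because a DISABLE_INBOUND_REPL or DISABLE_OUTBOUND_REPL flag left behind after a restore silently stops a DC from converging, it is worth checking the options attribute across the forest on a schedule. The following PowerShell script is an added example, not code from the article or from Microsoft: it parses the text that `repadmin /options *` prints (the "running command /options against ..." and "Current DC Options:" lines shown above) and flags any DC with replication disabled. It assumes repadmin.exe is on the PATH and the caller can query every DC; the sample lines at the end are constructed in the layout the article shows, so the parser can be exercised offline.

```powershell
# Added example (not from the article): flag DCs whose options attribute
# disables replication. Assumes repadmin.exe is on the PATH; -RawOutput lets
# constructed lines be supplied instead of running the command.

function Get-DcOptionReport {
    param(
        [string[]]$RawOutput = (repadmin /options *)
    )

    # Flags that stop a DC from converging; IS_GC alone is normal.
    $blockingFlags = 'DISABLE_INBOUND_REPL', 'DISABLE_OUTBOUND_REPL', 'DISABLE_NTDSCONN_XLATE'
    $server = $null

    foreach ($line in $RawOutput) {
        # Older repadmin says "against server X", newer builds say "against full DC X".
        if ($line -match 'running command /options against (?:server|full DC) (\S+)') {
            $server = $Matches[1]
        }
        elseif ($line -match '^Current DC Options:\s*(.*)$') {
            # The flag list is space separated; an empty list means no options set.
            $options  = @($Matches[1].Trim() -split '\s+' | Where-Object { $_ })
            $blocking = @($options | Where-Object { $blockingFlags -contains $_ })
            $alert    = if ($blocking.Count -gt 0) { "replication disabled: $($blocking -join ', ')" } else { '' }

            [pscustomobject]@{
                DC      = $server
                IsGC    = ($options -contains 'IS_GC')
                Options = ($options -join ' ')
                Alert   = $alert
            }
        }
    }
}

# Constructed sample output in the layout shown in the article, for an offline run.
$sample = @(
    'repadmin running command /options against server WTEC-DC4.Wtec.adapps.hp.com',
    'Current DC Options: IS_GC',
    'repadmin running command /options against server WTEC-DC2.Wtec.adapps.hp.com',
    'Current DC Options: IS_GC DISABLE_OUTBOUND_REPL'
)
Get-DcOptionReport -RawOutput $sample | Format-Table -AutoSize
```

Run `Get-DcOptionReport` without `-RawOutput` to query the live forest; any row with a non-empty Alert column is a DC that was deliberately fenced off and should be reviewed before it drifts too far from its partners.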

Repadmin /SiteOptions -- Lets admins see which site-level settings are enabled and toggle them. For example, to enable universal group membership caching for a site, use the [{+|-}IS_GROUP_CACHING_ENABLED] parameter.

Repadmin /RemoveLingeringObjects -- Removes lingering objects from domain controllers in Windows 2003, 2008 and 2008 R2 forests. It’s also useful for Active Directory disaster recovery and runs as follows:

/removelingeringobjects <Dest_DC_LIST> <Source DC GUID> <Naming Context> [/ADVISORY_MODE]

The Dest_DC_List is a list of domain controllers that might have lingering objects. Note that you can insert “GC” for the DC list to operate on all GCs. The Source DC GUID is the GUID of a DC that is considered good. If the primary DC is free of lingering object errors it can be used. For example:

Repadmin /RemoveLingeringObjects GC: bf3bdb32-aed6-4a26-b6ce-107ae19c1a27 dc=emea,dc=company,dc=com

Remember, this command is not a fool-proof fix and doesn’t always do the job. For the best results, make sure the StrictReplication regkey is enabled on all DCs to prevent lingering objects from returning. It’s also important to run this command on all naming contexts when working with multiple domain forests, and keep checking for lingering object-related events in the event log to make sure they are gone.
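The two follow-up checks recommended above (strict replication consistency on every DC, and watching the event log for lingering-object events) can be scripted. The following PowerShell is an added example, not code from the article or from Microsoft. It reads the registry value that `repadmin /regkey * +strict` sets, `Strict Replication Consistency` under `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters`, on every DC, and then collects Directory Service events 1388 (a lingering object was replicated in, loose mode) and 1988 (a lingering object was blocked, strict mode). It assumes the ActiveDirectory RSAT module, WinRM access to each DC, and an account allowed to read the Directory Service log; the DC list defaults to `Get-ADDomainController -Filter *`.

```powershell
# Added example (not from the article): verify StrictReplicationConsistency on
# every DC and gather lingering-object events. Assumes the ActiveDirectory RSAT
# module, WinRM access to each DC and read access to the Directory Service log.

Import-Module ActiveDirectory

function Get-AllDomainController {
    Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
}

function Test-StrictReplication {
    param(
        [string[]]$DomainController = (Get-AllDomainController)
    )
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    foreach ($dc in $DomainController) {
        $value = Invoke-Command -ComputerName $dc -ArgumentList $key -ScriptBlock {
            param($k)
            (Get-ItemProperty -Path $k -ErrorAction SilentlyContinue).'Strict Replication Consistency'
        }
        # A missing value or 0 means loose consistency: lingering objects can
        # replicate back in. 1 is the strict setting the article recommends.
        [pscustomobject]@{
            DC     = $dc
            Strict = ($value -eq 1)
            Fix    = if ($value -eq 1) { '' } else { "repadmin /regkey $dc +strict" }
        }
    }
}

function Get-LingeringObjectEvent {
    param(
        [string[]]$DomainController = (Get-AllDomainController),
        [int]$Days = 7
    )
    foreach ($dc in $DomainController) {
        # 1388 = lingering object replicated in (loose mode)
        # 1988 = lingering object blocked by strict consistency
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName   = 'Directory Service'
            Id        = 1388, 1988
            StartTime = (Get-Date).AddDays(-$Days)
        } | Select-Object MachineName, TimeCreated, Id,
              @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
    }
}

# Usage: report DCs still in loose mode, then list recent lingering-object events.
Test-StrictReplication | Where-Object { -not $_.Strict } | Format-Table -AutoSize
Get-LingeringObjectEvent -Days 7 | Format-Table -AutoSize
```

If `Get-LingeringObjectEvent` keeps returning 1988 events after a cleanup, the source DC named in the event message is the one that still holds the lingering object and needs `/removelingeringobjects` run against it for that naming context.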

These are just some of the commands admins can use when working with Repadmin, and they are best learned by trying them in a lab environment. There are several other resources that discuss the ins and outs of Repadmin as well. Start by reading the ExpertHelp output to learn several other commands that were not covered here. You’ll be glad you did.


ABOUT THE AUTHOR
Gary Olsen is a Solution Architect in Hewlett-Packard’s Technology Services organization and lives in Roswell, GA. Gary has worked in the IT industry since 1981 and holds an MS in Computer Aided Manufacturing from Brigham Young University. Gary has authored numerous technical articles for TechTarget, Redmond Magazine and TechNet magazine, and has presented numerous times at the HP Technology Forum. Gary is a Microsoft MVP for Directory Services and is the founder and president of the Atlanta Active Directory Users Group.
