In Windows 2008, we use repadmin.exe to troubleshoot Active Directory replication. Repadmin lets you dig deep into replication, down to the level of the replication metadata and the up-to-dateness vector. You can also specify Password Replication Policies (PRPs) for Read-only Domain Controllers, enable or disable replication for a given Domain Controller, and manually configure a replication topology.
Let’s run our first command:
repadmin.exe /replsummary
The /replsummary command identifies Domain Controllers that are failing replication (inbound or outbound) and summarizes the results in a report. This report can be the basis of your Active Directory replication troubleshooting actions.
If one of your Domain Controllers is failing replication, you can use repadmin.exe to force synchronization immediately by running the following command:
repadmin.exe /syncall DCName dc=domain,dc=tld
Where DCName is the name of the replication-incapable Domain Controller, and the domain and top-level domain name (tld) specify the Active Directory Naming Context to synchronize.
Of course, when you have a serious Active Directory replication problem, trying to force replication like this will only show more errors, pointing you in the direction of targeting specific Domain Controllers and/or objects.
Another repadmin.exe command of particular use is the one that stops or starts inbound or outbound replication immediately for a specific Domain Controller. This is useful in scenarios where you want to make changes to a Domain Controller, but don’t want them replicated to other Domain Controllers. The commands are easy:
repadmin /options DCName +DISABLE_OUTBOUND_REPL
repadmin /options DCName -DISABLE_OUTBOUND_REPL
repadmin /options DCName +DISABLE_INBOUND_REPL
repadmin /options DCName -DISABLE_INBOUND_REPL
Of course, many Microsoft schema updates and preparations have checks for disabled inbound and/or outbound replication. Thus, you can’t always use the above commands in these scenarios.
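A Domain Controller left with replication disabled after maintenance silently stops receiving or sending changes, so it is worth checking every DC once the work is done. The PowerShell below is an added example, not code from the original post: it parses the output of repadmin /options and flags DCs where replication is still off. The DC names and sample output are constructed, and the "Current DSA Options:" line format is an assumption about what repadmin prints.

```powershell
# Added example: find DCs whose replication is still switched off.
# Assumption: "repadmin /options <DC>" prints a line "Current DSA Options: <flags>".
function Get-ReplicationOptionState {
    param(
        [Parameter(Mandatory=$true)] [string] $DCName,
        [Parameter(Mandatory=$true)] [AllowEmptyString()] [string[]] $OptionsOutput
    )
    $flags = $null
    foreach ($line in $OptionsOutput) {
        if ($line -match '^\s*Current DSA Options:\s*(.*)$') {
            # Split the flag list on whitespace and drop empty tokens
            $flags = @($Matches[1] -split '\s+' | Where-Object { $_ })
            break
        }
    }
    New-Object PSObject -Property @{
        DC               = $DCName
        # Parsed is False when no options line came back (e.g. DC unreachable)
        Parsed           = ($null -ne $flags)
        InboundDisabled  = ($flags -contains 'DISABLE_INBOUND_REPL')
        OutboundDisabled = ($flags -contains 'DISABLE_OUTBOUND_REPL')
    }
}

# Constructed sample output for three hypothetical DCs (not from a real domain).
$samples = @{
    'DC01' = @('Current DSA Options: IS_GC')
    'DC02' = @('Current DSA Options: IS_GC DISABLE_OUTBOUND_REPL')
    'DC03' = @('')   # no options line returned
}

$report = foreach ($dc in ($samples.Keys | Sort-Object)) {
    # Live use: pass the output of "repadmin /options $dc" instead of $samples[$dc]
    Get-ReplicationOptionState -DCName $dc -OptionsOutput $samples[$dc]
}

# List only DCs that need attention: replication disabled or state unknown
$report |
    Where-Object { -not $_.Parsed -or $_.InboundDisabled -or $_.OutboundDisabled } |
    Select-Object DC, Parsed, InboundDisabled, OutboundDisabled |
    Format-Table -AutoSize
```

A DC reported with Parsed set to False should be treated as unknown rather than healthy, since no options line was available to inspect.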
And this gem: checking whether the domain and forest of an Active Directory infrastructure were successfully prepared for Windows Server 2003, and whether the changes have been replicated to all Domain Controllers:
repadmin /showobjmeta * "CN=Windows2003Update,CN=ForestUpdates,CN=Configuration,DC=domain,DC=tld"
repadmin /showobjmeta * "CN=Windows2003Update,CN=DomainUpdates,CN=System,DC=domain,DC=tld"
Any Domain Controller that does not report having the object has not yet replicated the Active Directory preparation. Until the object has replicated to all Domain Controllers, it would be ill-advised to continue and promote the first Windows Server 2008 Domain Controller.