Windows Server 2016-Manage Active Directory replication tasks

Repadmin.exe can help administrators diagnose Active Directory replication issues between domain controllers running the Microsoft Windows operating system.

Repadmin.exe is built into Windows Server 2008&08r2 and later. Available if the AD DS or AD LDS server role is installed. You can also use it if you install the Active Directory Domain Services tool that is part of the Remote Server Administration tool (RSAT).

To use Repadmin.exe, you must run the Ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as Administrator.

From the perspective of each domain controller, you can use Repadmin.exe to view the replication topology. In addition, you can use Repadmin.exe to manually create replication topologies, force replication events between domain controllers, and view replication metadata and up-to-date vectors (UTDVEC). You can also use Repadmin.exe to monitor the relative health of Active Directory Domain Services (AD DS) forests.

Note: You do not need to manually create a replication topology during normal operation. Improper use of repadmin may adversely affect the replication topology. The primary purpose of repadmin is to monitor replication to identify issues such as offline servers or unavailable local area network (LAN) or wide area network (WAN) connections.

Repadmin also requires administrative credentials on each domain controller that the command targets. Members of the Domain Admins group have sufficient permissions to run repadmin on the domain controllers in the domain. By default, members of the Enterprise Admins group grant membership to Domain Admins groups in each domain in the forest. You can also delegate the specific permissions that are required to view and manage replication status.

1. View the replication status of the current domain controller: REPADMIN/SHOWREPL

2. view the Active Directory replication status for the domain controller named "major": Repadmin/showrepl major

3. View the domain controller replication queue named "Major": Repadmin/queue Major

4. View Domain Replication Status report: Repadmin/replsummary

5. Verify that replication links are successfully created between the current domain controller and other domain controllers: Repadmin/showconn

6. Force replication to be enabled between domain controllers: Repadmin/replicate major BDC Dc=azureyun,dc=local/force

7. Display the topology of the current domain controller: repadmin/siteoptions

8. Display the auto-Generate topology feature is enabled in the site. Related information: dcdiag/test:topology

Add:

For repadmin syntax:

repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password | *}] [/retry[:<retries>][:<delay>] [ /CSV]

About the repadmin command:

REPADMIN /KCC forces the Knowledge Consistency Checker (KCC) on the target domain controller to immediately recalculate the inbound replication topology. REPADMIN /PRP Specifies the password Replication policy (PRP) for a read-only domain controller (RODC). Repadmin /queue shows that the domain controller must make an inbound replication request to be consistent with its source replication partner. Repadmin /replicate triggers the specified directory partition to replicate from the source domain controller immediately to the destination domain controller. Repadmin /replsingleobj copies a single object between any two domain controllers that have a common directory partition. The repadmin /replsummary identifies the domain controller that failed inbound replication or outbound replication and summarizes the results in the report. REPADMIN /RODCPWDREPL triggers the replication of the specified user's password from the source domain controller to one or more read-only domain controllers. (The source domain controller is typically the central site domain controller.) ) Repadmin /showattr displays the properties of the object. Repadmin /showobjmeta Displays the replication metadata for the specified object stored in Ad ds, such as the attribute ID, version number, originating and local update sequence number (USN), the global Unique identifier (GUID) of the originating server, and the date and time stamp. REPADMIN /SHOWREPL The replication status is displayed when the specified domain controller last attempted inbound replication on the Active directory partition. Repadmin /showutdvec shows that Ad ds displays the highest committed USN for itself and its delivery partner on the target domain controller. Repadmin /syncall synchronizes the specified domain controller with all replication partners. /u Specifies the domain and user name with permissions to perform actions in Ad ds. (the domain and user names are delimited by backslashes, such as Domain \ user.) This parameter does not support logging on to the domain by using the user principal name (UPN). /PW Specifies the password for the user name entered with the/u parameter. /retry If the first attempt fails, and one of the following errors occurs, it causes the Repadmin retry attempt to bind to the target domain controller:/csv Displays the results of the/ SHOWREPL parameter in a comma-separated value (CSV) format. 

The Repadmin syntax uses the following terms:

Naming Context : The distinguished name of the directory partition in the AD DS forest. The naming context includes three read/write naming contexts-domains, patterns, and configurations-and optional read-only naming contexts that exist on domain controllers that are global catalog servers. A naming context can also be an application directory partition. Specifies the naming context as the distinguished name that indicates its hierarchical relationship to the forest root domain, such as DC = MYDOMAIN,DC = CONTOSO,DC = Com.

globally unique identifier (GUID): A 128-bit number that uniquely identifies an object stored in a directory, such as fa1a9e6e-2e14-11d2-aa9b-bbfc0a30094c. GUIDs are sometimes referred to as Universal unique identifiers (UUID) in syntax. For the purpose of Repadmin, these two terms are synonyms.

proprietary name : X.500 distinguished name, such as CN = SERVER1,CN = SERVERS,CN = DEFAULT-FIRST-SITE-NAME,CN = SITES,CN = CONFIGURATION,DC = Conto SO,DC = Com.

In the repadmin example contained in each command topic, some commands (such as the/SHOWREPL command) return the domain controller object GUID and the domain controller invocation ID initially display the same hexadecimal value (until System State recovery). However, these two values identify different objects. The domain controller object GUID is the NTDS setting for the unique identifier object on the domain controller. The value of the domain controller object GUID does not change unless you remove ad DS from the domain controller and then reinstall it. The domain controller invocation ID identifies the directory database on the domain controller. This value changes when you restore a domain controller from a backup. When you install the domain controller for the first time, the values of the two identifiers are the same; However, the invocation ID value changes whenever a domain controller is restored from a backup.

Most repadmin commands take their parameters in the following order:

"Target or target Dsa_list"

"Source Dsa_name", if necessary

< naming context > or object Distinguished Name (if required)

For ad DS, this string is a network label. For domain controllers, the network tags include domain Name System (DNS), NetBIOS, and IP addresses.

For Active Directory Lightweight Directory Services (AD LDS), this string must be the network label of the AD LDS server, followed by a colon, and then the Lightweight Directory Access Protocol (LDAP) port of the AD LDS instance.

< naming context > is the distinguished name of the named up-down root. If you install the appropriate font and language support on the computer that is running repadmin, text with international or Unicode characters will display correctly.

Windows Server 2016-Manage Active Directory replication tasks