How to Use Repadmin to Monitor Active Directory Health

The replication of Active Directory data between your domain controllers is a critical function. If replication breaks and you don’t catch it, you’re in for a world of hurt.

Monitoring replication is something you should be doing on a regular basis. You can use either GUI tools like the Active Directory Replication Status Tool or built-in command line tools such as Repadmin.

The great thing about Repadmin is that it’s quick and easy to run and, because it’s a command line tool, it can be run programmatically as part of a monitoring system. It can also not only check domain controller replication but force it.

How to Get Repadmin

Repadmin is already available in modern Windows Server installs such as Windows Server 2008 through Windows Server 2016.

You can also access Repadmin by installing Remote Server Admin Tools (RSAT) on your workstation making it available in OS’s like Windows 10.

Using Repadmin Commands

Just like nslookup, gpresult, and dcdiag, repadmin is used by running the command inside of an elevated command prompt along with a variety of command line switches.

You can access the complete list of commands via the repadmin help menu by running:

repadmin /?

How to Show Active Directory Replication Summary

As mentioned earlier, the most basic function of repadmin is to report on the status of replication within your Active Directory forest. To do this we’ll use the replsummary function to view the number of AD replication attempts in relation to failures.

To do this, run the command:

repadmin /replsummary

Which results in:

Replication Summary Start Time: 2018-09-12 05:40:24

Beginning data collection for replication summary, this may take awhile:
  .......


Source DSA          largest delta    fails/total %%   error
 DOMCON1                   09m:28s    0 /  10    0
 DOMCON2                   09m:11s    0 /  10    0
 DOMCON3                   09m:11s    0 /  10    0
 DOMCON4                   09m:28s    0 /  10    0

How to Show Replication Partner Status

When you want to know which domain controllers your DCs are replicating with, use the showrepl command. It gives you the names of all the replication partners and tells you whether each replication was successful. That lets you zero in on the specific partner that is failing when you’re troubleshooting an unhealthy domain.

To do this, run the command:

repadmin /showrepl

Which results in:

Repadmin: running command /showrepl against full DC localhost
Servers-Production\DOMCON1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 95a2452-99dd-32jh-f9s0-85jg97iy07oy
DSA invocationID: 95a2452-99dd-32jh-f9s0-85jg97iy07oy

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=npgdom,DC=com
    Servers-Production\DOMCON2 via RPC
        DSA object GUID: 95a2452-99dd-32jh-f9s0-85jg97iy07oy
        Last attempt @ 2018-09-12 05:41:02 was successful.
    Servers-Production\DOMCON3 via RPC
        DSA object GUID: 95a2452-99dd-32jh-f9s0-85jg97iy07oy
        Last attempt @ 2018-09-12 05:41:07 was successful.

How to Show Replication Partner for Specific Domain Controller

Sometimes you just want to see the partners of a specific domain controller, especially in large forests where there can be dozens of DCs. To do this, just call out the hostname of the DC after the showrepl command like so:

repadmin /showrepl DOMCON2

Which results in:

Servers-Production\DOMCON2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 95a2452-99dd-32jh-f9s0-85jg97iy07oy
DSA invocationID: 95a2452-99dd-32jh-f9s0-85jg97iy07oy

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=npgdom,DC=com
    Servers-Production\DOMCON1 via RPC
        DSA object GUID: 95a2452-99dd-32jh-f9s0-85jg97iy07oy
        Last attempt @ 2018-09-12 05:41:37 was successful.
    Servers-Production\DOMCON3 via RPC
        DSA object GUID: 95a2452-99dd-32jh-f9s0-85jg97iy07oy
        Last attempt @ 2018-09-12 05:41:48 was successful.

How to Show AD Replication Errors

While I always advocate starting with the replsummary command, sometimes you need to progress to just looking for errors. To show only Active Directory replication errors we can append errorsonly to the showrepl command like so:

repadmin /showrepl /errorsonly

Which results in:

Repadmin: running command /showrepl against full DC localhost
Computers-Production\DOMCON1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 95a2452-99dd-32jh-f9s0-85jg97iy07oy
DSA invocationID: 95a2452-99dd-32jh-f9s0-85jg97iy07oy

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=npgdom,DC=com
    Default-First-Site-Name\DOMCON2 via RPC
        DSA object GUID: 95a2452-99dd-32jh-f9s0-85jg97iy07oy
        Last attempt @ 2018-09-12 09:34:57 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        2 consecutive failure(s).
        Last success @ 2018-09-12 09:34:57.

How to Show AD Replication Queue

In large environments with many domain controllers and lots of replication activity you’ll sometimes find replications queued up. A small number of queued replications is normal; however, you should keep an eye on a progressively increasing queue, which can signify an unhealthy domain or forest.

To see just the domain controller queue status, run the following command:

repadmin /queue

Which results in:

Repadmin: running command /queue against full DC localhost
Queue contains 0 items.

How to Force Active Directory Replication via Command Line

If you suspect you have a domain controller that is out of sync, or you just want to force AD replication to verify all is well with the world, you run the syncall command.

The syncall command is run against a specific DC and you need to define if you want to push a replication to that DC (using the AeD command) or pull a replication from it (using the APeD command).

Force AD Replication Push:

repadmin /syncall DOMCON1 /AeD

Force AD Replication Pull:

repadmin /syncall DOMCON1 /APeD

How to Export Repadmin Results to File

The easiest way to review the results of the various Repadmin commands is to export the results to a text file that you save in a central location. You can use the export command within a script that runs the various Repadmin commands at a fixed interval allowing you to schedule periodic review of the results.

To export Repadmin Results to .txt you will append your Repadmin command string with:

> c:\pathto.txt

Like so:

repadmin /replsummary > c:\replication_status\replsummary.txt
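
For the scheduled review described above, a script can flag problems instead of leaving a text file to be read by hand. The following is an added example, not code from the original article: it assumes the `/csv` switch of `repadmin /showrepl` (not shown on this page), a hypothetical function name `Get-ReplIssue`, and an arbitrary 60-minute staleness threshold, and it runs offline against a constructed sample.

```powershell
# Constructed sample of `repadmin /showrepl * /csv` output; hosts reuse the article's DOMCON names.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Servers-Production,DOMCON1,"DC=ad,DC=npgdom,DC=com",Servers-Production,DOMCON2,RPC,2,2018-09-12 09:34:57,2018-09-12 08:34:57,8524
showrepl_INFO,Servers-Production,DOMCON1,"DC=ad,DC=npgdom,DC=com",Servers-Production,DOMCON3,RPC,0,0,2018-09-12 09:41:07,0
showrepl_INFO,Servers-Production,DOMCON2,"DC=ad,DC=npgdom,DC=com",Servers-Production,DOMCON1,RPC,0,0,2018-09-12 03:10:00,0
'@

function Get-ReplIssue {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,
        [datetime]$Now = (Get-Date),
        [int]$MaxAgeMinutes = 60   # assumed threshold; tune to your replication schedule
    )
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $reasons = @()
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            # Anything other than a normal data row is surfaced rather than parsed.
            $reasons += "unexpected row type '$($row.showrepl_COLUMNS)'"
        } else {
            $failures = [int]$row.'Number of Failures'
            if ($failures -gt 0) {
                $reasons += "$failures failure(s), status $($row.'Last Failure Status')"
            }
            $lastOk = [datetime]::MinValue
            $ok = [datetime]::TryParseExact($row.'Last Success Time', 'yyyy-MM-dd HH:mm:ss',
                [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$lastOk)
            if (-not $ok) {
                $reasons += 'no recorded success'
            } elseif (($Now - $lastOk).TotalMinutes -gt $MaxAgeMinutes) {
                # Zero failures does not mean healthy: a link can simply have gone quiet.
                $reasons += "last success $([int]($Now - $lastOk).TotalMinutes) min ago"
            }
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Destination = $row.'Destination DSA'
                Source      = $row.'Source DSA'
                Partition   = $row.'Naming Context'
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Offline run against the sample, with a fixed clock so the result is repeatable.
Get-ReplIssue -CsvLines ($sampleCsv -split '\r?\n') -Now ([datetime]'2018-09-12 10:00:00') |
    Format-Table -AutoSize
# Live run where repadmin is installed: Get-ReplIssue -CsvLines (repadmin /showrepl * /csv)
```

On the sample this reports two links: DOMCON2 to DOMCON1 (failing with status 8524 and stale) and DOMCON1 to DOMCON2 (no failures recorded, but no success for several hours).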

Alternatives to Repadmin

As mentioned earlier, if you want to view replication results in a GUI you can use the AD Replication Status Tool from Microsoft.

There are also a number of remote management and monitoring (RMM) tools available that allow you to set up monitors for AD replication, such as Paessler PRTG.

If you’re the really adventurous type you can find several examples of scripts that can run Repadmin and send you CSV and HTML reports like this one.