# Repadmin: How to Check Active Directory Replication

In this tutorial, you will learn how to use the repadmin tool to check Active Directory Replication.

Repadmin is the ultimate replication diagnostic tool.

In addition to checking the health of your domain controllers, it can also be used to force replication and pin point errors.

Active Directory replication is a critical service that keeps changes synchronized with other domain controllers in the forest.

Problems with replication can cause authentication failures and issues accessing network resources (files, printers, applications).

Below I’ll show you the step by step process with plenty of examples and the results.

Let’s do this.

Repadmin was introduced in 2003 with the Windows Server 2003 support tools.

Microsoft started to include the repadmin command in Windows server 2008 and up. It is also included on any computer that has the Remote Server Administration Tools (RSAT) installed.

To use repadmin you need to run the command prompt as an administrator. Simply right click cmd and choose to run as administrator

Use the following command to see the help menu, this will display all the command line options. There are many options and you will probably not use most of them. In the examples below I will go over the most common and useful command line options.

repadmin /?

Results displayed

    C:\Users\rallen>repadmin /?
[/retry[:][:]]
[/csv]

Use these commands to see the help:

/?          Displays a list of commands available for use in repadmin and their
description.
/help       Same as /?
/?:    Displays the list of possible arguments , appropriate
syntaxes and examples for the specified command .
/help: Same as /?:
/experthelp Displays a list of commands for use by advanced users only.
/listhelp   Displays the variations of syntax available for the DSA_NAME,
DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp    Displays a list of deprecated commands that still work but
are no longer supported by Microsoft.

Supported  commands (use /? for detailed help):
/kcc    Forces the KCC on targeted domain controller(s) to immediately
recalculate its inbound replication topology.

/prp    This command allows an admin to view or modify the

/queue  Displays inbound replication requests that the  DC needs to issue
to become consistent with its source replication partners.

/replicate  Triggers the immediate replication of the specified directory
partition to the destination domain controller from the source DC.

/replsingleobj Replicates a single object between any two domain
controllers that have common directory partitions.

/replsummary The replsummary operation quickly and concisely summarizes
the replication state and relative health of a forest.

/rodcpwdrepl Triggers replication of passwords for the specified user(s)
from the source (Hub DC) to one or more Read Only DC's.

/showattr Displays the attributes of an object.

/showobjmeta Displays the replication metadata for a specified object
stored in Active Directory, such as attribute ID, version
number, originating and local Update Sequence Number (USN), and
originating server's GUID and Date and Time stamp.

/showrepl Displays the replication status when specified domain controller
last attempted to inbound replicate Active Directory partitions.

/showutdvec displays the highest committed Update Sequence Number (USN)
that the targeted DC's copy of Active Directory shows as
committed for itself and its transitive partners.

/syncall Synchronizes a specified domain controller with all replication
partners.

/u:    Specifies the domain and user name separated by a backslash
{domain\user} that has permissions to perform operations in
Active Directory. UPN logons not supported.

/pw:   Specifies the password for the user name entered with the /u
parameter.

/retry This parameter will cause repadmin to repeat its attempt to bind
to the target dc should the first attempt fail with one of the
following error status:

1722 / 0x6ba : "The RPC Server is unavailable"
1753 / 0x6d9 : "There are no more endpoints available from the
endpoint mapper"

/csv   Used with /showrepl to output results in comma separated
value format. See /csvhelp


### Example 2: Summarize the replication status and view overall health

The first command you should use is replsummary. This command will quickly show you the overall replication health. This command will show you the percentage of replication attempts that have failed as well as the largest replication deltas.

repadmin /replsummary

Results displayed

:\WINDOWS\system32>repadmin /replsummary
Replication Summary Start Time: 2018-03-13 04:44:54

Beginning data collection for replication summary, this may take awhile:
.....

Source DSA          largest delta    fails/total %%   error
DC1                       52m:48s    0 /   5    0
DC2                       52m:46s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
DC1                       52m:46s    0 /   5    0
DC2                       52m:48s    0 /   5    0


### Example 3:  Show replication partner and status

Next, use the following command to see the replication partner as well as the replication status. This helps you understand the role of each domain controller in the replication process.

In addition, this command displays the GUID of each object that was replicated and it’s result. This is helpful to identify what objects are failing to replicate.

repadmin /showrepl

Results displayed

C:\Users\rallen>repadmin /showrepl

Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72

==== INBOUND NEIGHBORS ======================================

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.


### Example 4: Show replication partner for a specific domain controller

If you want to see the replication status for a specific domain controller use this command.

replace <ServerName> with the name of your domain controller.

repadmin /showrepl <ServerName>

Results displayed

C:\WINDOWS\system32>repadmin /showrepl dc2
Default-First-Site-Name\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
DSA invocationID: 2eb95693-bfa7-4f3f-b52c-139737aa883f

==== INBOUND NEIGHBORS ======================================

Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 04:21:02 was successful.

Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 03:52:07 was successful.

Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 03:52:07 was successful.

Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 03:52:07 was successful.

Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 03:52:07 was successful.

### Example 5: Show only Replication Errors

The showrepl command can output a lot of information. If you want to see only the errors use this command. In this example, DC2 is down, you can see the results are all errors from DC2.

C:\WINDOWS\system32>repadmin /showrepl /errorsonly

Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72

==== INBOUND NEIGHBORS ======================================

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.

Source: Default-First-Site-Name\DC2
******* 1 CONSECUTIVE FAILURES since 2018-03-14 07:52:08
Last error: 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.

### Example 6: Show replication Queue

It is normal to see items in the queue. If you have a small environment it will often be at zero because there are few replications that occur. If you notice items sitting in the queue and they never clear out, you have a problem.

Use this command to view the replication queue

Repadmin /Queue

Results displayed

C:\Users\rallen>repadmin /queue

Queue contains 0 items.

### Example 7: How to Force Active Directory Replication

Use the following command if you want to force replication between domain controllers. You will want to run this on the DC that you wish to update. For example, if DC1 is out of sync I would run this on DC1.

This will do a pull replication, which means it will pull updates from DC2 to DC1.

repadmin /syncall dc1 /AeD

If you want to push replication you will use the /P switch. For example if you make changes on DC1 and want to replicate those to other DCs use this command.

repadmin /syncall dc1 /APeD

Results displayed

C:\WINDOWS\system32>repadmin /syncall dc1 /AeD
Syncing all NC's held on dc1.
CALLBACK MESSAGE: The following replication is in progress:
CALLBACK MESSAGE: The following replication completed successfully:
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

CALLBACK MESSAGE: The following replication is in progress:
CALLBACK MESSAGE: The following replication completed successfully:
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

CALLBACK MESSAGE: The following replication is in progress:
CALLBACK MESSAGE: The following replication completed successfully:
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

CALLBACK MESSAGE: The following replication is in progress:
CALLBACK MESSAGE: The following replication completed successfully:
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

CALLBACK MESSAGE: The following replication is in progress:
CALLBACK MESSAGE: The following replication completed successfully:
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

### Example 8: Export results to text file

Sometimes these commands can display a lot of information. You can export any of the examples above to a text file, this makes it a little easier to review at a later time or save for documentation.

just add > c:\destination folder\filename.txt to the end of any of the commands

Here are a few examples

repadmin /replsummary > c:\it\replsummary.txt
repadmin /showrepl > c:\it\showrepl.txt

## More examples

### Find the last time your DC were backup

Repadmin /showbackup *

### Displays calls that have not yet been answered

repadmin /showoutcalls *

### List the Topology information

repadmin /bridgeheads * /verbose

### Inter Site Topology Generator Report

repadmin /istg * /verbose

## Conclusion

As a system administrator it is important that you know how to troubleshoot and verify replication is working correctly. The repadmin is a simple yet powerful tool that you should know how to use.

Recommended Tool: SolarWinds Server & Application Monitor (SAM)

This utility was designed to Monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts and much more.

What I like best about SAM is it’s easy to use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.

1. Hani Alhabshi on September 9, 2018 at 10:48 am

Great article..Thanks for sharing

• Robert Allen on September 22, 2018 at 7:16 pm

Thanks Hani