In this tutorial, you will learn how to use the repadmin tool to check Active Directory Replication.
Repadmin is the ultimate replication diagnostic tool.
In addition to checking the health of your domain controllers, it can also be used to force replication and pinpoint errors.
Active Directory replication is a critical service that keeps changes synchronized with other domain controllers in the forest.
Problems with replication can cause authentication failures and issues accessing network resources (files, printers, applications).
Below I’ll show you the step by step process with plenty of examples and the results.
Let’s do this.
How to install Repadmin
Repadmin was introduced in 2003 with the Windows Server 2003 support tools.
Microsoft started to include the repadmin command in Windows Server 2008 and up. It is also included on any computer that has the Remote Server Administration Tools (RSAT) installed.
Repadmin Examples
To use repadmin you need to run the command prompt as an administrator. Simply right-click cmd and choose Run as administrator.
Example 1: Display the repadmin help menu
Use the following command to see the help menu. It displays all the command line options. There are many options and you will probably not use most of them. In the examples below I will go over the most common and useful ones.
repadmin /?
Results displayed
C:\Users\rallen>repadmin /?
Usage: repadmin [/u:{domain\user}] [/pw:{password|*}] [/retry[:][:]] [/csv]
Use these commands to see the help:
  /? Displays a list of commands available for use in repadmin and their description.
  /help Same as /?
  /?: Displays the list of possible arguments , appropriate syntaxes and examples for the specified command .
  /help: Same as /?:
  /experthelp Displays a list of commands for use by advanced users only.
  /listhelp Displays the variations of syntax available for the DSA_NAME, DSA_LIST, NCNAME and OBJ_LIST strings.
  /oldhelp Displays a list of deprecated commands that still work but are no longer supported by Microsoft.
Supported commands (use /? for detailed help):
  /kcc Forces the KCC on targeted domain controller(s) to immediately recalculate its inbound replication topology.
  /prp This command allows an admin to view or modify the password replication policy for RODCs.
  /queue Displays inbound replication requests that the DC needs to issue to become consistent with its source replication partners.
  /replicate Triggers the immediate replication of the specified directory partition to the destination domain controller from the source DC.
  /replsingleobj Replicates a single object between any two domain controllers that have common directory partitions.
  /replsummary The replsummary operation quickly and concisely summarizes the replication state and relative health of a forest.
  /rodcpwdrepl Triggers replication of passwords for the specified user(s) from the source (Hub DC) to one or more Read Only DC's.
  /showattr Displays the attributes of an object.
  /showobjmeta Displays the replication metadata for a specified object stored in Active Directory, such as attribute ID, version number, originating and local Update Sequence Number (USN), and originating server's GUID and Date and Time stamp.
  /showrepl Displays the replication status when specified domain controller last attempted to inbound replicate Active Directory partitions.
  /showutdvec displays the highest committed Update Sequence Number (USN) that the targeted DC's copy of Active Directory shows as committed for itself and its transitive partners.
  /syncall Synchronizes a specified domain controller with all replication partners.
Supported additional parameters:
  /u: Specifies the domain and user name separated by a backslash {domain\user} that has permissions to perform operations in Active Directory. UPN logons not supported.
  /pw: Specifies the password for the user name entered with the /u parameter.
  /retry This parameter will cause repadmin to repeat its attempt to bind to the target dc should the first attempt fail with one of the following error status:
    1722 / 0x6ba : "The RPC Server is unavailable"
    1753 / 0x6d9 : "There are no more endpoints available from the endpoint mapper"
  /csv Used with /showrepl to output results in comma separated value format. See /csvhelp
Example 2: Summarize the replication status and view the overall health
The first command you should use is replsummary. It quickly shows the overall replication health, including the percentage of replication attempts that have failed and the largest replication deltas.
repadmin /replsummary
Results displayed
C:\WINDOWS\system32>repadmin /replsummary
Replication Summary Start Time: 2018-03-13 04:44:54
Beginning data collection for replication summary, this may take awhile:
  .....
Source DSA          largest delta    fails/total %%   error
 DC1                      52m:48s    0 /   5    0
 DC2                      52m:46s    0 /   5    0
Destination DSA     largest delta    fails/total %%   error
 DC1                      52m:46s    0 /   5    0
 DC2                      52m:48s    0 /   5    0
Example 3: Show replication partner and status
Next, use the following command to see the replication partner as well as the replication status. This helps you understand the role of each domain controller in the replication process.
In addition, this command displays the GUID of each object that was replicated and its result. This is helpful to identify what objects are failing to replicate.
repadmin /showrepl
Results displayed
C:\Users\rallen>repadmin /showrepl
Repadmin: running command /showrepl against full DC dc1.ad.activedirectorypro.com
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72
==== INBOUND NEIGHBORS ======================================
DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.
CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.
CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.
DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.
DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.
Example 4: Show replication partner for a specific domain controller
If you want to see the replication status for a specific domain controller, use this command.
Replace <ServerName> with the name of your domain controller.
repadmin /showrepl <ServerName>
Results displayed
C:\WINDOWS\system32>repadmin /showrepl dc2
Default-First-Site-Name\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
DSA invocationID: 2eb95693-bfa7-4f3f-b52c-139737aa883f
==== INBOUND NEIGHBORS ======================================
DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 04:21:02 was successful.
CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 03:52:07 was successful.
CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 03:52:07 was successful.
DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 03:52:07 was successful.
DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 03:52:07 was successful.
Example 5: Show only Replication Errors
The showrepl command can output a lot of information. If you want to see only the errors, use this command. In this example DC2 is down, and you can see the results are all errors from DC2.
C:\WINDOWS\system32>repadmin /showrepl /errorsonly
Repadmin: running command /showrepl against full DC dc1.ad.activedirectorypro.com
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72
==== INBOUND NEIGHBORS ======================================
DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.
CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.
CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.
DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.
DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.
Source: Default-First-Site-Name\DC2
******* 1 CONSECUTIVE FAILURES since 2018-03-14 07:52:08
Last error: 8524 (0x214c):
    The DSA operation is unable to proceed because of a DNS lookup failure.
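A scripted version of the errors-only check, as an added example that is not part of the original article: it parses the CSV form of /showrepl (the /csv switch listed in the help output above) and flags replication links that report failures or whose last success is older than a threshold. The function name, the 24-hour threshold, the Detail column and the sample rows are assumptions made for illustration; on a live system, pass it the output of repadmin /showrepl * /csv instead of the sample.

```powershell
# Added example, not from the original article. Rows below are constructed
# sample data in the column layout of "repadmin /showrepl * /csv".
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=ad,DC=activedirectorypro,DC=com",Default-First-Site-Name,DC2,RPC,1,2018-03-15 04:19:38,2018-03-14 07:52:08,8524
showrepl_INFO,Default-First-Site-Name,DC2,"DC=ad,DC=activedirectorypro,DC=com",Default-First-Site-Name,DC1,RPC,0,0,2018-03-15 03:52:07,0
showrepl_INFO,Default-First-Site-Name,DC2,"CN=Configuration,DC=ad,DC=activedirectorypro,DC=com",Default-First-Site-Name,DC1,RPC,0,0,2018-03-12 03:52:07,0
'@

function Get-ReplLinkHealth {
    param(
        [Parameter(Mandatory)] [string[]] $CsvLine,  # lines of /showrepl /csv output
        [datetime] $Now = (Get-Date),
        [int] $MaxAgeHours = 24                      # assumed threshold, tune per environment
    )
    $culture = [cultureinfo]::InvariantCulture
    $style   = [System.Globalization.DateTimeStyles]::None
    $rows    = $CsvLine | Where-Object { $_.Trim() } | ConvertFrom-Csv

    foreach ($row in $rows) {
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            # Assumption: any non-INFO row means repadmin could not collect data
            # for a DC. Surface it instead of silently dropping it.
            [pscustomobject]@{
                Destination = $null; Source = $null; NamingContext = $null
                Failures = $null; LastStatus = 'collection error'
                LastSuccess = $null; Healthy = $false
                Detail = ($row.PSObject.Properties.Value -join ' ')
            }
            continue
        }

        # "0" or any unparsable value means there is no recorded success.
        $lastSuccess = $null
        $parsed = [datetime]::MinValue
        if ([datetime]::TryParseExact($row.'Last Success Time', 'yyyy-MM-dd HH:mm:ss',
                $culture, $style, [ref] $parsed)) {
            $lastSuccess = $parsed
        }

        $failures = [int] $row.'Number of Failures'
        $fresh    = $lastSuccess -and (($Now - $lastSuccess).TotalHours -le $MaxAgeHours)

        [pscustomobject]@{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Failures      = $failures
            LastStatus    = $row.'Last Failure Status'
            LastSuccess   = $lastSuccess
            Healthy       = ($failures -eq 0) -and $fresh
            Detail        = $null
        }
    }
}

# Fixed clock so the constructed sample always gives the same result.
$now = [datetime] '2018-03-15 05:00:00'
Get-ReplLinkHealth -CsvLine ($sampleCsv -split '\r?\n') -Now $now |
    Where-Object { -not $_.Healthy } |
    Format-Table Destination, Source, NamingContext, Failures, LastStatus, LastSuccess
```

With the sample rows, the first link is flagged for its failure count and the third for a last success older than 24 hours even though it reports no failures.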
Example 6: Show replication Queue
It is normal to see items in the queue. In a small environment it will often be at zero because few replications occur. If you notice items sitting in the queue that never clear out, you have a problem.
Use this command to view the replication queue:
Repadmin /Queue
Results displayed
C:\Users\rallen>repadmin /queue
Repadmin: running command /queue against full DC dc1.ad.activedirectorypro.com
Queue contains 0 items.
Example 7: How to Force Active Directory Replication
Use the following command if you want to force replication between domain controllers. Run it on the DC that you wish to update. For example, if DC1 is out of sync, I would run this on DC1.
This does a pull replication, which means it pulls updates from DC2 to DC1.
repadmin /syncall dc1 /Aed
If you want to push replication, use the /P switch. For example, if you make changes on DC1 and want to replicate those to other DCs, use this command.
repadmin /syncall dc1 /APed
Results displayed
C:\WINDOWS\system32>repadmin /syncall dc1 /Aed
Syncing all NC's held on dc1.
Syncing partition: DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
Syncing partition: DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
Syncing partition: CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
Syncing partition: CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
Syncing partition: DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.
Example 8: Export results to text file
Sometimes these commands can display a lot of information. You can export the output of any of the examples above to a text file, which makes it a little easier to review at a later time or save for documentation.
Just add > c:\destination folder\filename.txt to the end of any of the commands.
Here are a few examples:
repadmin /replsummary > c:\it\replsummary.txt
repadmin /showrepl > c:\it\showrepl.txt
More examples
Find the last time your DC was backed up
Repadmin /showbackup *
Displays calls that have not yet been answered
repadmin /showoutcalls *
List the Topology information
repadmin /bridgeheads * /verbose
Inter Site Topology Generator Report
repadmin /istg * /verbose
Conclusion
As a system administrator, it is important that you know how to troubleshoot and verify replication is working correctly. Repadmin is a simple yet powerful tool that you should know how to use.
I hope you found this guide useful. If you have any questions leave a comment below. If you liked this article, check out: How to Use NSLookup to Check DNS Records.
Good evening sir,
I am Reddy from Bangalore, India.
In my company we have Windows Server 2008 Small Business Edition 2011.
Now we are trying to add Windows Server 2016 as an additional domain controller, but while checking for prerequisites it is showing (“The File replication service is deprecated to continue replicating the SYSVOL folder. You should migrate to DFS Replication by using the DFSRMIG command. if you continue to use FRS for SYSVOL replication in this domain you might not be able to add domain controllers running future version of windows server”) warning message.
Even after migrating from FRS to DFSR, the same warning message is still appearing.
After that we also proceeded with joining; now SYSVOL and Netlogon are not shared, and there is an error in the Group Policy Management Console saying Active Directory is not accessible.
Please help us sir.
Good Stuff here. Thanks for providing
No problem
Very helpful for Level 2 Administrators. Thank you for the valuable updates.
No problem 🙂
Why is there capital D in repadmin /syncall command? Shouldn’t it be small d.
Microsoft list of flags for this command doesn’t have D, only d.
/d Identifies servers by distinguished name in messages.
Your examples show GUIDs for server names, not distinguished names.
You are correct. I have updated it. Thank you
@Robert Allen
I tried dcdiag /fix before posting here, but no errors were found. Thanks for your answer.
Hey man, great article. I don’t know if someone could help me, but if someone has any idea.
I will post some results about my DC. Let me try to explain. It has been around 3 months since we migrated an old DC MS 2016 to a new DC 2019. Everything was working fine during these 3 or 4 months, but now I’m getting some Event IDs; some of them I got solved, but this one is causing a headache for us. Probably my colleague forgot to demote the old DC and turned it on in the network; I did it later when I cleaned the metadata in AD and demoted it. After that I did an update on the new DC; the server asked to update, OK, I did. Now, I don’t know if it is my DNS server on 2019 that is causing the problem or my other, separate DNS filter, nxfilter, with which we have made some tests and nothing helped.
What I found registered for the old DC on the DNS server, I’ve removed. I used the ADSIEdit tool to find something else, but no success. The error I get: when some workstations try to access my file server by IP address (\\IP), a message pops up on screen with ErrorCode 0x80004005, and believe me, I have tried everything I could and searched for. If I change the Preferred DNS Server on my file server to their own IP address, workstations can get access through IP. Using the name it’s okay, no problem with mapping etc. I already disabled the firewall as a way to test.
Now the output of dcdiag
Iniciando teste: Replications
* Replications Check
DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL has 2 cursors.
DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL has 2 cursors.
CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL has 2 cursors.
CN=Configuration,DC=DC=DOMAIN,DC=LOCAL has 2 cursors.
DC=DOMAIN,DC=LOCAL has 2 cursors.
* Replication Latency Check
DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=DOMAIN,DC=LOCAL
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DOMAIN,DC=LOCAL
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
……………………. DC2-0 passou no teste Replications
Although everything looks okay, could this error be related to DNS LOCAL or the migration, even though no error or metadata is appearing?
Sorry I didn’t understand all of that.
1. Check DNS with this command:
dcdiag /test:dns /v
2. There is also the dcdiag /fix command which MS says is “Make safe repairs”. I’ve used it to fix domain controller DNS records. Here is an article that uses this command. https://www.techwalla.com/articles/how-to-fix-active-directory-dns-problems
Excellent that’s very helpful. Many Thanks….
Thank you very much for sharing.
Paul
Excellent explanation and command.
Thanks Mohd
Excellent!
Hi,
Would you please explain how Active Directory replication happens site to site and domain controller to domain controller, step by step?
This is a great article. I use this constantly. I do have a question: in order to run the repadmin command, what access rights need to be granted? I want one of my team to action this task but I do not wish to give the user full Domain Admin. Kind regards
Great, very useful!
Thank you
WOW, So easy as very useful knowledge for troubleshooting replication errors
Useful article!
That was very useful, indeed. Thank you!
Nice article!! Thanks a lot.
Very useful stuff …
Great. Thank you very much for sharing useful information.
No problem
Great article..Thanks for sharing
Thanks Hani