Repadmin: How to Check Active Directory Replication

In this tutorial, you will learn how to use the repadmin tool to check Active Directory Replication.

Repadmin is the ultimate replication diagnostic tool.

In addition to checking the health of your domain controllers, it can also be used to force replication and pin point errors.

Active Directory replication is a critical service that keeps changes synchronized with other domain controllers in the forest.

Problems with replication can cause authentication failures and issues accessing network resources (files, printers, applications).

Below I’ll show you the step by step process with plenty of examples and the results.

Let’s do this.

Repadmin was introduced in 2003 with the Windows Server 2003 support tools.

Microsoft started to include the repadmin command in Windows server 2008 and up. It is also included on any computer that has the Remote Server Administration Tools (RSAT) installed.

To use repadmin you need to run the command prompt as an administrator. Simply right click cmd and choose to run as administrator

Use the following command to see the help menu, this will display all the command line options. There are many options and you will probably not use most of them. In the examples below I will go over the most common and useful command line options.

repadmin /?

Results displayed

    C:\Users\rallen>repadmin /?
[/retry[:][:]]
[/csv]

Use these commands to see the help:

/?          Displays a list of commands available for use in repadmin and their
description.
/help       Same as /?
/?:    Displays the list of possible arguments , appropriate
syntaxes and examples for the specified command .
/help: Same as /?:
/experthelp Displays a list of commands for use by advanced users only.
/listhelp   Displays the variations of syntax available for the DSA_NAME,
DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp    Displays a list of deprecated commands that still work but
are no longer supported by Microsoft.

Supported  commands (use /? for detailed help):
/kcc    Forces the KCC on targeted domain controller(s) to immediately
recalculate its inbound replication topology.

/prp    This command allows an admin to view or modify the

/queue  Displays inbound replication requests that the  DC needs to issue
to become consistent with its source replication partners.

/replicate  Triggers the immediate replication of the specified directory
partition to the destination domain controller from the source DC.

/replsingleobj Replicates a single object between any two domain
controllers that have common directory partitions.

/replsummary The replsummary operation quickly and concisely summarizes
the replication state and relative health of a forest.

/rodcpwdrepl Triggers replication of passwords for the specified user(s)
from the source (Hub DC) to one or more Read Only DC's.

/showattr Displays the attributes of an object.

/showobjmeta Displays the replication metadata for a specified object
stored in Active Directory, such as attribute ID, version
number, originating and local Update Sequence Number (USN), and
originating server's GUID and Date and Time stamp.

/showrepl Displays the replication status when specified domain controller
last attempted to inbound replicate Active Directory partitions.

/showutdvec displays the highest committed Update Sequence Number (USN)
that the targeted DC's copy of Active Directory shows as
committed for itself and its transitive partners.

/syncall Synchronizes a specified domain controller with all replication
partners.

/u:    Specifies the domain and user name separated by a backslash
{domain\user} that has permissions to perform operations in
Active Directory. UPN logons not supported.

/pw:   Specifies the password for the user name entered with the /u
parameter.

/retry This parameter will cause repadmin to repeat its attempt to bind
to the target dc should the first attempt fail with one of the
following error status:

1722 / 0x6ba : "The RPC Server is unavailable"
1753 / 0x6d9 : "There are no more endpoints available from the
endpoint mapper"

/csv   Used with /showrepl to output results in comma separated
value format. See /csvhelp


Example 2: Summarize the replication status and view overall health

The first command you should use is replsummary. This command will quickly show you the overall replication health. This command will show you the percentage of replication attempts that have failed as well as the largest replication deltas.

repadmin /replsummary

Results displayed

:\WINDOWS\system32>repadmin /replsummary
Replication Summary Start Time: 2018-03-13 04:44:54

Beginning data collection for replication summary, this may take awhile:
.....

Source DSA          largest delta    fails/total %%   error
DC1                       52m:48s    0 /   5    0
DC2                       52m:46s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
DC1                       52m:46s    0 /   5    0
DC2                       52m:48s    0 /   5    0


Example 3:  Show replication partner and status

Next, use the following command to see the replication partner as well as the replication status. This helps you understand the role of each domain controller in the replication process.

In addition, this command displays the GUID of each object that was replicated and it’s result. This is helpful to identify what objects are failing to replicate.

repadmin /showrepl

Results displayed

C:\Users\rallen>repadmin /showrepl

Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72

==== INBOUND NEIGHBORS ======================================

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-13 03:52:08 was successful.


Example 4: Show replication partner for a specific domain controller

If you want to see the replication status for a specific domain controller use this command.

replace <ServerName> with the name of your domain controller.

repadmin /showrepl <ServerName>

Results displayed

C:\WINDOWS\system32>repadmin /showrepl dc2
Default-First-Site-Name\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
DSA invocationID: 2eb95693-bfa7-4f3f-b52c-139737aa883f

==== INBOUND NEIGHBORS ======================================

Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 04:21:02 was successful.

Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 03:52:07 was successful.

Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 03:52:07 was successful.

Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 03:52:07 was successful.

Default-First-Site-Name\DC1 via RPC
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
Last attempt @ 2018-03-14 03:52:07 was successful.

Example 5: Show only Replication Errors

The showrepl command can output a lot of information. If you want to see only the errors use this command. In this example, DC2 is down, you can see the results are all errors from DC2.

C:\WINDOWS\system32>repadmin /showrepl /errorsonly

Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72

==== INBOUND NEIGHBORS ======================================

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.

Default-First-Site-Name\DC2 via RPC
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.
1 consecutive failure(s).
Last success @ 2018-03-14 07:52:08.

Source: Default-First-Site-Name\DC2
******* 1 CONSECUTIVE FAILURES since 2018-03-14 07:52:08
Last error: 8524 (0x214c):
The DSA operation is unable to proceed because of a DNS lookup failure.

Example 6: Show replication Queue

It is normal to see items in the queue. If you have a small environment it will often be at zero because there are few replications that occur. If you notice items sitting in the queue and they never clear out, you have a problem.

Use this command to view the replication queue

Repadmin /Queue

Results displayed

C:\Users\rallen>repadmin /queue

Queue contains 0 items.

Example 7: How to Force Active Directory Replication

Use the following command if you want to force replication between domain controllers. You will want to run this on the DC that you wish to update. For example, if DC1 is out of sync I would run this on DC1.

This will do a pull replication, which means it will pull updates from DC2 to DC1.

repadmin /syncall dc1 /AeD

If you want to push replication you will use the /P switch. For example if you make changes on DC1 and want to replicate those to other DCs use this command.

repadmin /syncall dc1 /APeD

Results displayed

C:\WINDOWS\system32>repadmin /syncall dc1 /AeD
Syncing all NC's held on dc1.
CALLBACK MESSAGE: The following replication is in progress:
CALLBACK MESSAGE: The following replication completed successfully:
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

CALLBACK MESSAGE: The following replication is in progress:
CALLBACK MESSAGE: The following replication completed successfully:
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

CALLBACK MESSAGE: The following replication is in progress:
CALLBACK MESSAGE: The following replication completed successfully:
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

CALLBACK MESSAGE: The following replication is in progress:
CALLBACK MESSAGE: The following replication completed successfully:
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

CALLBACK MESSAGE: The following replication is in progress:
CALLBACK MESSAGE: The following replication completed successfully:
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Example 8: Export results to text file

Sometimes these commands can display a lot of information. You can export any of the examples above to a text file, this makes it a little easier to review at a later time or save for documentation.

just add > c:\destination folder\filename.txt to the end of any of the commands

Here are a few examples

repadmin /replsummary > c:\it\replsummary.txt
repadmin /showrepl > c:\it\showrepl.txt

More examples

Find the last time your DC were backup

Repadmin /showbackup *

Displays calls that have not yet been answered

repadmin /showoutcalls *

List the Topology information

repadmin /bridgeheads * /verbose

Inter Site Topology Generator Report

repadmin /istg * /verbose

Conclusion

As a system administrator it is important that you know how to troubleshoot and verify replication is working correctly. The repadmin is a simple yet powerful tool that you should know how to use.

Recommended Tool: Permissions Analyzer for Active Directory

This FREE tool lets you get instant visibility into user and group permissions and allows you to quickly check user or group permissions for files, network, and folder shares.

You can analyze user permissions based on an individual user or group membership.

21 thoughts on “Repadmin: How to Check Active Directory Replication”

1. Great article..Thanks for sharing

• Thanks Hani

2. Great. thanks you very much for sharing useful information

• No problem

3. Very useful stuff …

4. Nice article!! Thanks a lot.

5. that was very useful , indeed.Thank you !

6. Useful article!

7. WOW, So easy as very useful knowledge for troubleshooting replication errors

8. Great, very useful!

9. This is a great article. I sue this constantly. I do have a question, in order to run the repadmin command, what access rights need to be granted? I want one of my team to action this task but I do not wish to give the user full Domain Admin. Kind regards

10. Hi,
Would you please explain how to Active Directory replication happen site to site and Domain controller to Domain Controller step by step.

11. Excellent!

12. Excellent explanation and command.

• Thans Mohd

13. Thank you very much for sharing.
Paul

14. Excellent that’s very helpful. Many Thanks….

15. Hey man, great article. i don’t know if someone could help me, but if someone have any idea.

I will post some results about my DC. Let me try to explain. there’re around 3 months that we have migrated an old DC MS 2016 to a new DC 2019. Everything was working fine during this 3 or 4 months, but now I’m getting some Event ID that some of them, I get it solved. But this one, is causing a headache for us. Probability, my collegue forget to demote old DC and turned him on in the network, I did it later when I cleaned metadata on AD and demote him. After that I did an update in the new DC, the server asked to update, ok I did. Now, I don’t know if is my DNS Server on 2019 that is causing problem or it is my other DNS Filter nxfilter separeted, which is we have made some tests and nothing help.

What I have found of register of old DC on DNS Server, I’ve removed. I used the ADSIEdit tool to find something else, but no succces the error I got in the screen when some workstations try to access my File Server by IP address \\IP pull up a message on screen ErrorCode 0x80004005 and believe me, I have tried everything I could and searched for. If I change the Preferred DNS Server on my server file to their own IP address, workstation can get access through IP. Using the name, it’s okay, no problem with mapping etc. I already desable Firewall as a way to test.

Now the output of dcdiag

Iniciando teste: Replications

* Replications Check
DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL has 2 cursors.
DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL has 2 cursors.
CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL has 2 cursors.
CN=Configuration,DC=DC=DOMAIN,DC=LOCAL has 2 cursors.
DC=DOMAIN,DC=LOCAL has 2 cursors.
* Replication Latency Check
DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=DOMAIN,DC=LOCAL
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DOMAIN,DC=LOCAL
Latency information for 1 entries in the vector were ignored.
1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
……………………. DC2-0 passou no teste Replications

Despite everything looks okay, could be this error is related with DNS LOCAL, migration even not appearing any error or metadate?

16. @Robert Allen

I tried to do dcdiag /fix before post here, but no error were find. Thanks for your answer.