Repadmin: How to Check Active Directory Replication

by Robert Allen

In this tutorial, you will learn how to use the repadmin tool to check Active Directory Replication.

Repadmin is the ultimate replication diagnostic tool.

In addition to checking the health of your domain controllers, it can also be used to force replication and pinpoint errors.

Active Directory replication is a critical service that keeps changes synchronized with other domain controllers in the forest.

Problems with replication can cause authentication failures and issues accessing network resources (files, printers, applications).

Below I’ll show you the step by step process with plenty of examples and the results.

Let’s do this.

How to install Repadmin

Repadmin was introduced in 2003 with the Windows Server 2003 support tools.

Microsoft started to include the repadmin command in Windows server 2008 and up. It is also included on any computer that has the Remote Server Administration Tools (RSAT) installed.

Repadmin Examples

To use repadmin you need to run the command prompt as an administrator. Simply right click cmd and choose to run as administrator

Example 1: Display the repadmin help menu

Use the following command to see the help menu, this will display all the command line options. There are many options and you will probably not use most of them. In the examples below I will go over the most common and useful command line options.

repadmin /?

Results displayed

    C:\Users\rallen>repadmin /?
Usage: repadmin   [/u:{domain\user}] [/pw:{password|*}]
                             [/retry[:][:]]
                             [/csv]

Use these commands to see the help:

/?          Displays a list of commands available for use in repadmin and their
            description.
/help       Same as /?
/?:    Displays the list of possible arguments , appropriate
            syntaxes and examples for the specified command .
/help: Same as /?:
/experthelp Displays a list of commands for use by advanced users only.
/listhelp   Displays the variations of syntax available for the DSA_NAME,
            DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp    Displays a list of deprecated commands that still work but
            are no longer supported by Microsoft.


Supported  commands (use /? for detailed help):
     /kcc    Forces the KCC on targeted domain controller(s) to immediately
             recalculate its inbound replication topology.

     /prp    This command allows an admin to view or modify the
             password replication policy for RODCs.

     /queue  Displays inbound replication requests that the  DC needs to issue
             to become consistent with its source replication partners.

     /replicate  Triggers the immediate replication of the specified directory
             partition to the destination domain controller from the source DC.

     /replsingleobj Replicates a single object between any two domain
             controllers that have common directory partitions.

     /replsummary The replsummary operation quickly and concisely summarizes
             the replication state and relative health of a forest.

     /rodcpwdrepl Triggers replication of passwords for the specified user(s)
             from the source (Hub DC) to one or more Read Only DC's.

     /showattr Displays the attributes of an object.

     /showobjmeta Displays the replication metadata for a specified object
             stored in Active Directory, such as attribute ID, version
             number, originating and local Update Sequence Number (USN), and
             originating server's GUID and Date and Time stamp.

     /showrepl Displays the replication status when specified domain controller
             last attempted to inbound replicate Active Directory partitions.

     /showutdvec displays the highest committed Update Sequence Number (USN)
             that the targeted DC's copy of Active Directory shows as
             committed for itself and its transitive partners.

     /syncall Synchronizes a specified domain controller with all replication
              partners.

Supported additional parameters:

     /u:    Specifies the domain and user name separated by a backslash
            {domain\user} that has permissions to perform operations in
            Active Directory. UPN logons not supported.

     /pw:   Specifies the password for the user name entered with the /u
            parameter.

     /retry This parameter will cause repadmin to repeat its attempt to bind
            to the target dc should the first attempt fail with one of the
            following error status:

            1722 / 0x6ba : "The RPC Server is unavailable"
            1753 / 0x6d9 : "There are no more endpoints available from the
                            endpoint mapper"

     /csv   Used with /showrepl to output results in comma separated
            value format. See /csvhelp

Example 2: Summarize the replication status and view the overall health

The first command you should use is replsummary. This command will quickly show you the overall replication health. This command will show you the percentage of replication attempts that have failed as well as the largest replication deltas.

repadmin /replsummary

Results displayed

:\WINDOWS\system32>repadmin /replsummary
Replication Summary Start Time: 2018-03-13 04:44:54

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 DC1                       52m:48s    0 /   5    0
 DC2                       52m:46s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 DC1                       52m:46s    0 /   5    0
 DC2                       52m:48s    0 /   5    0

Example 3:  Show replication partner and status

Next, use the following command to see the replication partner as well as the replication status. This helps you understand the role of each domain controller in the replication process.

In addition, this command displays the GUID of each object that was replicated and its result. This is helpful to identify what objects are failing to replicate.

repadmin /showrepl

Results displayed

C:\Users\rallen>repadmin /showrepl

Repadmin: running command /showrepl against full DC dc1.ad.activedirectorypro.com
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.

CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.

CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.

DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.

DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.

Example 4: Show replication partner for a specific domain controller

If you want to see the replication status for a specific domain controller use this command.

replace <ServerName> with the name of your domain controller.

repadmin /showrepl <ServerName>

Results displayed

C:\WINDOWS\system32>repadmin /showrepl dc2
Default-First-Site-Name\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
DSA invocationID: 2eb95693-bfa7-4f3f-b52c-139737aa883f

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 04:21:02 was successful.

CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 03:52:07 was successful.

CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 03:52:07 was successful.

DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 03:52:07 was successful.

DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 03:52:07 was successful.

Example 5: Show only Replication Errors

The showrepl command can output a lot of information. If you want to see only the errors use this command. In this example, DC2 is down, you can see the results are all errors from DC2.

C:\WINDOWS\system32>repadmin /showrepl /errorsonly

Repadmin: running command /showrepl against full DC dc1.ad.activedirectorypro.com
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.

CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.

CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.

DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.

DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.

Source: Default-First-Site-Name\DC2
******* 1 CONSECUTIVE FAILURES since 2018-03-14 07:52:08
Last error: 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.

Example 6: Show replication Queue

It is normal to see items in the queue. If you have a small environment it will often be at zero because there are few replications that occur. If you notice items sitting in the queue and they never clear out, you have a problem.

Use this command to view the replication queue

Repadmin /Queue

Results displayed

C:\Users\rallen>repadmin /queue

Repadmin: running command /queue against full DC dc1.ad.activedirectorypro.com
Queue contains 0 items.

Example 7: How to Force Active Directory Replication

Use the following command if you want to force replication between domain controllers. You will want to run this on the DC that you wish to update. For example, if DC1 is out of sync I would run this on DC1.

This will do a pull replication, which means it will pull updates from DC2 to DC1.

repadmin /syncall dc1 /Aed

If you want to push replication you will use the /P switch. For example if you make changes on DC1 and want to replicate those to other DCs use this command.

repadmin /syncall dc1 /APed

Results displayed

C:\WINDOWS\system32>repadmin /syncall dc1 /Aed
Syncing all NC's held on dc1.
Syncing partition: DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Syncing partition: DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Syncing partition: CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Syncing partition: CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Syncing partition: DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Example 8: Export results to text file

Sometimes these commands can display a lot of information. You can export any of the examples above to a text file, this makes it a little easier to review at a later time or save for documentation.

just add > c:\destination folder\filename.txt to the end of any of the commands

Here are a few examples

repadmin /replsummary > c:\it\replsummary.txt
repadmin /showrepl > c:\it\showrepl.txt

More examples

Find the last time your DC was backed up

Repadmin /showbackup *

Displays calls that have not yet been answered

repadmin /showoutcalls *

List the Topology information

repadmin /bridgeheads * /verbose

Inter Site Topology Generator Report

repadmin /istg * /verbose

Conclusion

As a system administrator, it is important that you know how to troubleshoot and verify replication is working correctly. The repadmin is a simple yet powerful tool that you should know how to use.

I hope you found this guide useful. If you have any questions leave a comment below. If you liked this article, check out: How to Use NSLookup to Check DNS Records.

The Ultimate Active Directory Toolkit

Learn More

28 thoughts on “Repadmin: How to Check Active Directory Replication”

  1. good evening sir,
    i am Reddy from Bangalore, India
    in my company we have windows server 2008 Small business edition 2011.
    now we are trying to add Windows server 2016 as Additional Domain controller but while checking for prerequisites it is showing (“The File replication service is depricated to continue replicating the SYSVOL folder. You should migrate to DFS Replication by using the DFSRMIG command. if you continue to use FRS for SYSVOL replication in this domain you might not be able to add domain controllers running future version of windows server”) warning message.

    even after migrating from FRS to DFSR still appearing same warning message.

    after that also we have proceeded for joining, now SYSVol and Netlogon are not shared and error in Group Policy management console saying Active directory not accessible.

    please help us sir

    Reply
  2. Why is there capital D in repadmin /syncall command? Shouldn’t it be small d.

    Microsoft list of flags for this command doesn’t have D, only d.

    /d Identifies servers by distinguished name in messages.

    Your examples show GUIDs for server names, not distinguished names.

    Reply
  3. Hey man, great article. i don’t know if someone could help me, but if someone have any idea.

    I will post some results about my DC. Let me try to explain. there’re around 3 months that we have migrated an old DC MS 2016 to a new DC 2019. Everything was working fine during this 3 or 4 months, but now I’m getting some Event ID that some of them, I get it solved. But this one, is causing a headache for us. Probability, my collegue forget to demote old DC and turned him on in the network, I did it later when I cleaned metadata on AD and demote him. After that I did an update in the new DC, the server asked to update, ok I did. Now, I don’t know if is my DNS Server on 2019 that is causing problem or it is my other DNS Filter nxfilter separeted, which is we have made some tests and nothing help.

    What I have found of register of old DC on DNS Server, I’ve removed. I used the ADSIEdit tool to find something else, but no succces the error I got in the screen when some workstations try to access my File Server by IP address \\IP pull up a message on screen ErrorCode 0x80004005 and believe me, I have tried everything I could and searched for. If I change the Preferred DNS Server on my server file to their own IP address, workstation can get access through IP. Using the name, it’s okay, no problem with mapping etc. I already desable Firewall as a way to test.

    Now the output of dcdiag

    Iniciando teste: Replications

    * Replications Check
    DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL has 2 cursors.
    DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL has 2 cursors.
    CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL has 2 cursors.
    CN=Configuration,DC=DC=DOMAIN,DC=LOCAL has 2 cursors.
    DC=DOMAIN,DC=LOCAL has 2 cursors.
    * Replication Latency Check
    DC=ForestDnsZones,DC=DOMAIN,DC=LOCAL
    Latency information for 1 entries in the vector were ignored.
    1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
    DC=DomainDnsZones,DC=DOMAIN,DC=LOCAL
    Latency information for 1 entries in the vector were ignored.
    1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
    CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
    Latency information for 1 entries in the vector were ignored.
    1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
    CN=Configuration,DC=DOMAIN,DC=LOCAL
    Latency information for 1 entries in the vector were ignored.
    1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
    DC=DOMAIN,DC=LOCAL
    Latency information for 1 entries in the vector were ignored.
    1 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc. 0 had no latency information (Win2K DC).
    ……………………. DC2-0 passou no teste Replications

    Despite everything looks okay, could be this error is related with DNS LOCAL, migration even not appearing any error or metadate?

    Reply
  4. Hi,
    Would you please explain how to Active Directory replication happen site to site and Domain controller to Domain Controller step by step.

    Reply
  5. This is a great article. I sue this constantly. I do have a question, in order to run the repadmin command, what access rights need to be granted? I want one of my team to action this task but I do not wish to give the user full Domain Admin. Kind regards

    Reply

Leave a Comment