How To Check Active Directory Replication


Overview

Let’s talk about a couple of basic troubleshooting tools for Active Directory Replication. Be sure to check out my Instagram @ach_sysadmin 

In my lab, I have 2 domain controllers, LAB-DC01 and LAB-DC02. They both belong to the achubbard.lab domain. We want to make sure they are replicating correctly. There are a couple of ways we can investigate this.

Open up a PowerShell session as an admin. You can run this from an administrative workstation; you do not need to be on a Domain Controller to perform these tasks. If you’re on Windows 10, you will need to download the RSAT toolset from Microsoft. If you’re on a server platform (in my video I use Server 2019 as my utility/admin workstation), you will need to install the RSAT tools from the Features section of Server Manager.

Tools and Commands Used

PowerShell Commands To Check Active Directory Replication

From your PowerShell window, type: repadmin /showrepl * 

This will show you the incoming replications to all source Domain Controllers in the environment. From here you can see if there are any issues related to replication, or if replication was successful.  

We can also run repadmin /replsummary, which will show you if there have been any failures.

Both of these commands can give you a quick glimpse if something is amiss. Let’s take a look at what these commands would look like if there was something broken.

Simulate Active Directory Replication Failure.

I am going to log in to my vCenter console and disconnect the NIC for LAB-DC02. Then we will re-run these commands and take a look at the results.

The NIC has been disconnected. Let’s verify we can no longer ping LAB-DC02. 

Forcing An Active Directory Replication

 
Log in to LAB-DC01 and try to force a replication so you can see what it looks like. Open up Control Panel on your LAB-DC01. Find Administrative Tools. Open Sites and Services.

Find LAB-DC01 and expand it until you see NTDS settings.  

We will force a replication from LAB-DC02 so you can see what a failure looks like. Right click on the “Automatically Generated” entry and select “Replicate Now” 

You’re going to receive an error. That is ok, that is what we want to see for this lab/demo.  

Go back over to your admin workstation. Let’s start with re-running repadmin /showrepl * (in a large environment, you could use the /errorsonly switch so you only see errors and not all replications.) 

We can see that this time, we have a failure. It shows that the RPC server is unavailable.  

Testing Replication Again

Now run the repadmin /replsummary command. This may take a couple of minutes to run depending on your environment. 

From this, you can see that replication has failed once and that LAB-DC02 appears to be the culprit.  

You can use both the repadmin /replsummary and the repadmin /showrepl commands to give you some clues to how your domain is performing. These can be used either during troubleshooting or occasionally just to make sure there are no replication issues.  
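
To run this kind of check regularly, the output of repadmin /showrepl * /csv can be parsed in PowerShell and filtered down to the links that need attention. The following is an added example, not part of the original article; the function name Get-ReplicationProblem, the 24-hour staleness threshold and the sample rows are assumptions made for illustration.

```powershell
# Added example (not from the original article). Sample rows are constructed.
function Get-ReplicationProblem {
    param(
        [Parameter(Mandatory)][string[]]$CsvLines,  # raw lines from repadmin /showrepl * /csv
        [datetime]$Now = (Get-Date),
        [int]$MaxAgeHours = 24                      # assumed staleness threshold
    )
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $lastOk = [datetime]::MinValue
        $hasOk  = [datetime]::TryParse($row.'Last Success Time', [ref]$lastOk)
        $fails  = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$fails)

        # Order matters: odd rows first, then active failures, then silent staleness.
        $reason = if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            'row is not a normal showrepl_INFO record'
        } elseif ($fails -gt 0) {
            "failing, last status $($row.'Last Failure Status')"
        } elseif (-not $hasOk -or ($Now - $lastOk).TotalHours -gt $MaxAgeHours) {
            "no success within $MaxAgeHours hours"
        } else { $null }

        if ($reason) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Failures      = $fails
                LastSuccess   = $row.'Last Success Time'
                Reason        = $reason
            }
        }
    }
}

# Constructed sample in the repadmin CSV layout: LAB-DC01 cannot pull from LAB-DC02
# (status 1722 = the RPC server is unavailable); the reverse link is healthy.
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status'
    'showrepl_INFO,Default-First-Site-Name,LAB-DC01,"DC=achubbard,DC=lab",Default-First-Site-Name,LAB-DC02,RPC,1,2021-11-23 10:45:10,2021-11-23 10:15:02,1722'
    'showrepl_INFO,Default-First-Site-Name,LAB-DC02,"DC=achubbard,DC=lab",Default-First-Site-Name,LAB-DC01,RPC,0,0,2021-11-23 10:44:51,0'
)
Get-ReplicationProblem -CsvLines $sample -Now ([datetime]'2021-11-23 11:00:00')

# Live use from the admin workstation:
# Get-ReplicationProblem -CsvLines (repadmin /showrepl * /csv)
```

With the sample data, only the LAB-DC02 to LAB-DC01 link is returned; an empty result means every link succeeded within the threshold.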

Microsoft has a GUI for this as well: the AD Replication Status Tool. You can run this on your administrative workstation too. It gives a graphical representation of the above PowerShell commands.

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/get-use-active-directory-replication-status-tool

This is what an error free environment will look like: 

This is what it will look like with an error. We shut off the NIC on the LAB-DC02 again to simulate an issue with the system. The error is highlighted in red.

Using the GUI presents the same information as the PowerShell commands, just in a different manner.

I hope this write-up and video help you out. This is just a brief summary of a couple of tools I use to start troubleshooting replication issues. If you found this video helpful, please like and subscribe below. You can also check out my new Instagram account @ach_sysadmin.

Permanent link to this article: https://achubbard.com/2021/11/23/how-to-check-active-directory-replication/
