How to check Active Directory Replication - Explained


How to Check Active Directory Replication

Active Directory replication is the mechanism by which domain controllers share and update directory data across the forest. It ensures that any change made on one domain controller is propagated to all other domain controllers and that the database is kept up to date, so that all the controllers store the same set of information and remain in sync with each other. Replication in Active Directory is independent of the forest, tree or domain structure.

For instance, when the address of an employee is modified, it has to be updated across all the domain controllers in an organization. This is to ensure that the correct and updated information is available everywhere within an organization. This way, anyone who tries to access an employee’s contact information would be provided with the updated and latest information.

While Windows NT offered single-master replication, which followed a master-slave approach, later versions of Windows Server offer multi-master replication. The single-master replication model consists of only one Primary Domain Controller (PDC) and multiple Backup Domain Controllers (BDCs). Only the Primary Domain Controller has write access, while the Backup Domain Controllers have read access only. The main shortcoming of this model is that no changes can be made to the database while the Primary Domain Controller (PDC) is unavailable. In the multi-master approach, however, all the domain controllers act as masters and are given both read and write access. This makes replication more synchronous and easier to manage.

Types of Active Directory Replication

Replication in Active Directory can be broadly classified into two types. They are discussed as follows.

Intra-site Replication

Intra-site replication takes place between domain controllers within the same site. This process is quite simple and occurs by default in less than a minute. Replication within a site is performed by means of a ring topology. It need not be configured manually and occurs automatically within the site.

Inter-site Replication

In inter-site replication, changes made to a domain controller in one site are propagated to the domain controllers in other sites. This type of replication takes place by means of site links, and it also utilizes the ring topology. Here, replication occurs between two domain controllers called bridgeheads; at least one domain controller within a site is assigned the bridgehead role. In contrast to intra-site replication, it has to be configured and does not occur automatically.

How to check Active Directory Replication?

Problems in replication between domain controllers can lead to issues such as authentication failures and failure to access network resources. This in turn can lead to disruptions in the functioning of the organization. To overcome these problems, replication between domain controllers must be monitored regularly. Active Directory replication can be monitored using tools such as Repadmin, Active Directory Replication Status Tool and using Windows PowerShell.
Checking Active Directory replication using Repadmin

Repadmin is a command-line tool used for checking the replication status, diagnosing replication failures and troubleshooting replication errors. Windows Server 2003 and later versions of Windows Server have Repadmin.exe built in. It is also available as part of the Remote Server Administration Tools (RSAT). It can be run as a Domain Administrator or Enterprise Administrator.

Using Repadmin to check Active Directory Replication

Repadmin can be used by following the steps given below.

1. Open the Start menu and right-click Command Prompt.
2. Click Run as administrator. This opens an elevated command prompt.
3. Run the ntdsutil command from the elevated command prompt.

This opens Repadmin.exe and allows it to be used. Repadmin can check the replication status, view the replication topology, create the replication topology and force replication between domain controllers, among other functions. The commands for some basic operations using Repadmin are given below.

repadmin /replsummary

This command is used to perform one of the most basic functions of Repadmin, which is to provide the replication status within the Active Directory forest. It also displays the number of replication attempts with respect to the failures. It identifies the domain controllers that have failed replication (both inbound and outbound) and summarizes the results.
repadmin /showrepl

This command is used to obtain detailed information regarding the replication attempts. It also gives an overview of the replication topology. It helps identify the specific domain controller that has failed to replicate while troubleshooting. This command can also be modified to show the replication partners for a specific domain controller. This can be done by specifying the hostname of the domain controller after the repadmin /showrepl command like: repadmin /showrepl DOMCON3. Similarly, this command can also be modified to display only the errors using: repadmin /showrepl /errorsonly.
repadmin /queue

This command can be used to obtain the queue status of the domain controller. It displays the inbound replication requests that have to be issued by the domain controller. The number of items in the queue is also displayed. A replication problem is indicated if the queue is very long. Using this command lets us know if there is a replication problem or if the required replication has just been queued up.
repadmin /replicate

This command is used to force the immediate replication of a directory or schema partition from a source domain controller to a destination domain controller. It can be used to check the replication success after the suspected fault conditions are removed. In addition to this, it can also be used to check the replication status between two domain controllers.
repadmin /syncall

This command is used for synchronizing a specific domain controller with all of its replication partners. The following syntax is used for the purpose.
repadmin /syncall <DSA> [<Naming Context>] [<flags>]
Here, DSA is used to specify the host name of the domain controller and the Naming Context is used to specify the distinguished name of the directory partition. The flags can be used to perform specific actions. Examples of some of the flags that can be used are:

/a – Aborts if a server is unavailable.
/A – Synchronizes all the naming contexts on the home server.
/d – Identifies the servers by the distinguished names.
/e – Synchronizes domain controllers across all sites.
/h – Displays help.
/i – Iterates indefinitely.
/I – Runs the repadmin /showrepl command.
/s – Does not synchronize.

In addition to these, several other flags can be used for specific purposes.
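The commands above are usually run by hand, but the value of repadmin /replsummary for a defender comes from running it on a schedule and alerting on non-zero failure counts. The following PowerShell script is an added example, not code from the original article: it parses the per-DSA rows of repadmin /replsummary output and returns a non-zero exit status when any source or destination DSA reports failed attempts. The sample output embedded in it is constructed to match the shape of real output; the DC names and the error text in it are not real, and the live mode assumes repadmin.exe is on the path and the caller has the rights described above.

```powershell
# Added example (not from the original article): parse "repadmin /replsummary"
# output and flag any DSA whose fails/total count is non-zero, so the check can
# run from a scheduled task or monitoring agent. The sample below is CONSTRUCTED;
# the DC names and error text are placeholders, not real values.

function ConvertFrom-ReplSummary {
    param([Parameter(Mandatory)][string[]]$Lines)

    # Each per-DSA row looks like (constructed):
    #   DC1     15m:22s    0 /   5    0
    #   DC2     58m:10s    2 /   5   40  (8453) Replication access was denied.
    $rowPattern = '^\s*(?<dsa>\S+)\s+(?<delta>\S+)\s+(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)\s*(?<error>.*)$'
    $section = $null
    foreach ($line in $Lines) {
        # The "Source DSA" / "Destination DSA" header lines start a new table.
        if ($line -match '^(Source|Destination) DSA') { $section = $Matches[1]; continue }
        if ($section -and $line -match $rowPattern) {
            [pscustomobject]@{
                Direction    = $section
                Dsa          = $Matches.dsa
                LargestDelta = $Matches.delta
                Fails        = [int]$Matches.fails
                Total        = [int]$Matches.total
                Error        = $Matches.error.Trim()
            }
        }
    }
}

function Test-ReplSummary {
    param([string[]]$Lines)
    if (-not $Lines) {
        # Live mode: requires repadmin.exe (Windows Server / RSAT) and DC rights.
        $Lines = & repadmin.exe /replsummary 2>&1 | ForEach-Object { "$_" }
    }
    $rows    = ConvertFrom-ReplSummary -Lines $Lines
    $failing = @($rows | Where-Object { $_.Fails -gt 0 })
    foreach ($r in $failing) {
        Write-Warning ("{0} DSA {1}: {2}/{3} attempts failed, largest delta {4} {5}" -f $r.Direction, $r.Dsa, $r.Fails, $r.Total, $r.LargestDelta, $r.Error)
    }
    # 1 when any DSA reports failures, 0 otherwise; usable as a process exit code.
    return [int]($failing.Count -gt 0)
}

# Constructed sample, shaped like repadmin /replsummary output (not real data).
$sample = @'
Replication Summary Start Time: 2024-01-01 10:00:00

Beginning data collection for replication summary, this may take awhile:
  ....

Source DSA          largest delta    fails/total %%   error
 DC1                      15m:22s    0 /   5    0
 DC2                      58m:10s    2 /   5   40  (8453) Replication access was denied.

Destination DSA     largest delta    fails/total %%   error
 DC1                      58m:10s    2 /   5   40  (8453) Replication access was denied.
 DC2                      15m:22s    0 /   5    0
'@ -split "`r?`n"

# Offline run against the constructed sample; omit -Lines to run repadmin live.
$status = Test-ReplSummary -Lines $sample
exit $status
```

Feeding the constructed sample through Test-ReplSummary surfaces DC2 as a failing source DSA and DC1 as the matching failing destination, which is the pairing a practitioner then drills into with repadmin /showrepl DC2 /errorsonly. The same split-on-header, match-per-row approach works for the /showrepl output, since its per-partner blocks are also line oriented.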

Checking Active Directory replication using PowerShell

Besides Repadmin, Windows PowerShell can also be used to perform several operations related to replication.

Get-ADReplicationUpToDatenessVectorTable DC1

This command is used to view the replication status information. It displays a replication report using the up-to-dateness vector table. This table is maintained by every domain controller and tracks the highest USN received from each domain controller in the forest. Several variants of this command can be used for specific purposes.

Another cmdlet is used to obtain the replication metadata of a specific object in Active Directory.

Another cmdlet can be considered the PowerShell counterpart of the repadmin /queue command. It is used to get the inbound replication queue details.

Another cmdlet can be used to replicate specific objects between two domain controllers that have partitions in common. They need not be direct replication partners.

Another cmdlet can be used to obtain a collection of data that describes a replication failure. It returns all the failures for a specific domain controller.

The repadmin.exe tool provides a convenient way to check and resolve the replication problems that occur in Active Directory from the command line. The same functions can also be performed using Windows PowerShell commands.
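The operations described in this section map onto the replication cmdlets of the ActiveDirectory module that ships with RSAT. The script below is an added example and is not code from the original article: it uses Get-ADReplicationFailure (failures per domain controller), Get-ADReplicationQueueOperation (the /queue counterpart), Get-ADReplicationUpToDatenessVectorTable, Get-ADReplicationAttributeMetadata (per-object metadata) and Sync-ADObject (replicate a single object between two DCs) to build a health report. The DC names DC1 and DC2, the object DN and the queue-depth threshold are placeholders chosen for the example.

```powershell
# Added example (not from the original article): a replication health check built
# on the ActiveDirectory module's replication cmdlets. DC1, DC2, the object DN and
# the threshold below are placeholders, not values from the article.
Import-Module ActiveDirectory

function Get-ReplicationHealthReport {
    param(
        # Maximum inbound queue depth tolerated before a DC is flagged (placeholder value).
        [int]$MaxQueueDepth = 50
    )
    # All domain controllers of the current domain, by host name.
    $dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
    foreach ($dc in $dcs) {
        # Every recorded inbound replication failure for this DC (cf. repadmin /showrepl /errorsonly).
        $failures = @(Get-ADReplicationFailure -Target $dc -Scope Server -ErrorAction SilentlyContinue)
        # Pending inbound replication operations (cf. repadmin /queue).
        $queue = @(Get-ADReplicationQueueOperation -Server $dc -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Server        = $dc
            FailureCount  = $failures.Count
            OldestFailure = ($failures | Sort-Object FirstFailureTime | Select-Object -First 1).FirstFailureTime
            LastError     = ($failures | Select-Object -First 1).LastError
            QueueDepth    = $queue.Count
            Healthy       = ($failures.Count -eq 0 -and $queue.Count -le $MaxQueueDepth)
        }
    }
}

# 1. Domain-wide summary with unhealthy DCs sorted to the top.
Get-ReplicationHealthReport | Sort-Object Healthy | Format-Table -AutoSize

# 2. Up-to-dateness vector for one DC: the highest USN seen from each partner and
#    when replication from that partner last succeeded. A stale LastReplicationSuccess
#    identifies the partner that is no longer replicating in.
Get-ADReplicationUpToDatenessVectorTable -Target 'DC1' |
    Select-Object Partner, Partition, UsnFilter, LastReplicationSuccess |
    Sort-Object LastReplicationSuccess

# 3. Attribute-level metadata for one object: which DC originated the last change to
#    each attribute and when. Useful when a change is visible on one DC but not another.
$objectDn = 'CN=Example User,OU=Staff,DC=example,DC=local'   # placeholder DN
Get-ADReplicationAttributeMetadata -Object $objectDn -Server 'DC1' |
    Select-Object AttributeName, Version, LastOriginatingChangeTime, LastOriginatingChangeDirectoryServerIdentity |
    Sort-Object LastOriginatingChangeTime -Descending

# 4. Once the fault is cleared, replicate just this object from DC1 to DC2 and re-run
#    step 3 against DC2. The two DCs need a partition in common, not a direct link.
Sync-ADObject -Object $objectDn -Source 'DC1' -Destination 'DC2'
```

Get-ReplicationHealthReport is the part worth scheduling: it emits one object per domain controller, so its output can be exported or compared run to run, and a DC whose FailureCount grows or whose OldestFailure keeps receding is the one to investigate first. Steps 2 to 4 are the interactive follow-up for a single DC and object once the summary has pointed at them.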
