Dealing with Active Directory replication issues can feel like navigating a maze, especially when you’re trying to ensure everything is in sync across your domains. If you’ve ever found yourself troubleshooting Active Directory replication errors or just want a proactive way to keep your AD environment healthy, you’re in the right spot. RepAdmin is your go-to command-line tool for this, and we’re going to break down exactly how to use it to your advantage.
Let’s dive in and get your AD replication running smoother than ever!
Prerequisites
Basic understanding of Active Directory concepts
Access to a Windows Server with Active Directory Domain Services installed
Administrative privileges on a domain controller
This tutorial includes the following domain controllers
- Domain Controller: DC01.pscenter.local
- Additional Domain Controller: DC02.pscenter.local
All the commands are executed from DC01.
Why is RepAdmin Important for AD Health?
Active Directory replication is the process by which changes made on one domain controller are propagated to all other domain controllers in the same domain or forest. If replication fails, it can lead to a host of problems, including inconsistent user account information, authentication failures, and problems accessing resources. RepAdmin is crucial because it provides a clear and direct way to monitor this vital process, helping you keep your AD environment stable and reliable. Without healthy replication, your Active Directory simply won’t function as expected.
Active Directory detects object changes via the USN value. You can read more about it here: Using Repadmin To Detect Active Directory Replication Changes
How to Access RepAdmin
Accessing RepAdmin is straightforward, as it’s a built-in tool. You’ll typically use it from a command prompt or PowerShell window on a Windows Server that has the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) roles installed.
To open the command prompt or PowerShell with administrative privileges:
- Navigate to the Start menu.
- Type cmd or powershell.
- Right-click on the result and select “Run as administrator.”
Once you have an elevated command prompt or PowerShell window open, you can start running RepAdmin commands directly. For instance, you can type repadmin /? to see the command’s built-in help, which is a great way to explore its capabilities.
Understanding Key RepAdmin Commands
RepAdmin offers a variety of commands, each serving a specific purpose in diagnosing replication. Focusing on the most common ones will give you a solid foundation for managing your AD replication health.
How to Check Replication Status With /ReplSummary
The /replsummary switch is one of the most frequently used RepAdmin commands. It provides a high-level overview of replication status across all domain controllers in your environment. This command is your first port of call when you want a quick check on how well replication is performing.
To run it, simply open an elevated command prompt or PowerShell and type:
> repAdmin /replSummary
Replication Summary Start Time: 2025-12-28 16:52:16
Beginning data collection for replication summary, this may take awhile:
......
Source DSA largest delta fails/total %% error
DC01 55m:40s 0 / 10 0
DC02 56m:48s 0 / 10 0
Destination DSA largest delta fails/total %% error
DC01 56m:49s 0 / 10 0
DC02 02m:50s 0 / 10 0
This command will output a table showing each domain controller, its replication partners, the last replication attempt, and whether it was successful or if there were failures.
- Source DSA (Directory System Agent): The name of the Domain Controller that is sending (outbound) the replication updates.
- Largest Delta: The longest period of time that any single replication link connected to this DC has remained unused.
- Normal: Values under 60 minutes are typical
- Warning: If this exceeds your environment’s typical polling interval (often 1 or 2 hours), it may indicate a lag
- Critical: If it reaches days or weeks, the DC may be tombstoned or disconnected
- Fails / Total: The number of failed replication attempts compared to the total number of attempts
- %% (Percentage): The failure rate represented as a percentage (Fails / Total * 100). In a healthy environment, this should always be 0.
- Error: Displays the specific Win32 error code (e.g., 1722 for “The RPC server is unavailable”) if replication fails. A value of 0 indicates no errors occurred during the last attempt.
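The thresholds above can be applied automatically. The following is an added example, not part of the original post: it parses /replsummary text and flags rows by failure count and largest delta. The function names, the 120-minute warning default, and the DC03 row are assumptions made for illustration.

```powershell
# Constructed sample: the /replsummary rows shown above plus a hypothetical
# failing DC03 row, so the script runs without a domain controller.
$sample = @'
Source DSA          largest delta    fails/total %%   error
 DC01                      55m:40s    0 /  10    0
 DC02                      56m:48s    0 /  10    0
 DC03              02d.04h:10m:05s   10 /  10  100  (1722) The RPC server is unavailable.
Destination DSA     largest delta    fails/total %%   error
 DC01                      56m:49s    0 /  10    0
 DC02                      02m:50s    0 /  10    0
'@ -split '\r?\n'

function ConvertTo-DeltaTimeSpan([string]$Delta) {
    # Deltas look like 02m:50s, 01h:05m:10s or 02d.04h:10m:05s
    $part = @{ d = 0; h = 0; m = 0; s = 0 }
    foreach ($hit in [regex]::Matches($Delta, '(\d+)([dhms])')) {
        $part[$hit.Groups[2].Value] = [int]$hit.Groups[1].Value
    }
    New-TimeSpan -Days $part.d -Hours $part.h -Minutes $part.m -Seconds $part.s
}

function Get-ReplSummaryRow([string[]]$Lines, [int]$WarnMinutes = 120) {
    $role = $null   # 'Source' or 'Destination', taken from the section header
    foreach ($line in $Lines) {
        if ($line -match '^\s*(Source|Destination) DSA') { $role = $Matches[1]; continue }
        if ($role -and $line -match '^\s*(\S+)\s+(\S+)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$') {
            $dc = $Matches[1]; $fails = [int]$Matches[3]; $total = [int]$Matches[4]; $err = $Matches[6].Trim()
            $delta = ConvertTo-DeltaTimeSpan $Matches[2]
            $status = 'OK'
            if ($fails -gt 0) {
                $status = 'Failing'      # fails/total should always be 0
            } elseif ($delta.TotalDays -ge 1) {
                $status = 'Critical'     # delta has reached days
            } elseif ($delta.TotalMinutes -gt $WarnMinutes) {
                $status = 'Warning'      # beyond the assumed polling interval
            }
            [pscustomobject]@{
                Role = $role; DC = $dc; LargestDelta = $delta
                Fails = $fails; Total = $total; Error = $err; Status = $status
            }
        }
    }
}

# Live use on a DC: Get-ReplSummaryRow (repadmin /replsummary)
Get-ReplSummaryRow $sample | Where-Object Status -ne 'OK' | Format-Table Role, DC, LargestDelta, Fails, Error, Status
```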
How To View Replication Partners With /showrepl
While /replsummary gives you an overview, /showrepl provides more granular details about the replication partners for a specific domain controller. This is useful when you need to dive deeper into a particular server’s replication connections, along with their replication status.
To see the replication partners for your current domain controller, use:
> repAdmin /showRepl DC01
Repadmin: running command /showRepl against full DC localhost
HQ\DC01
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 2f2eb440-4c71-4246-a3f9-361b3f8ee9a5
DSA invocationID: 2f2eb440-4c71-4246-a3f9-361b3f8ee9a5
==== INBOUND NEIGHBORS ======================================
DC=pscenter,DC=local
HQ\DC02 via RPC
DSA object GUID: 6e470d2a-ec4b-443b-b9dd-da5cad6a8e14
Last attempt @ 2025-12-28 16:46:39 was successful.
<Output Trimmed>
- HQ\DC01: This is the site name \ server name of the server the command runs against. It can be any server if you set the <DCName>.
- DSA Options: Information about the Directory Service; here, it shows this is a Global Catalog server.
- DSA object GUID: This is the unique identifier for the local server’s “NTDS Settings” object in Active Directory.
- HQ\DC02 via RPC: The server that replication is performed from and the protocol used.
- DSA object GUID: The remote server GUID, which in this example is DC02.
- Last attempt: The last time the server attempted to replicate, along with the replication result.
If you want to check the replication partners for a different domain controller, you can specify its name:
repAdmin /showRepl <DCName>
What Is The Purpose of /SyncAll
The /syncall command is used to force replication between domain controllers. While you typically want replication to occur automatically, there are times when you might need to manually trigger it, especially after making significant changes or resolving a replication issue.
Forcing replication unnecessarily can sometimes put a strain on network resources.
To synchronize all naming contexts on the local domain controller with its partners, you can run:
repadmin /syncall
You can also specify a specific domain controller to sync with:
repadmin /syncall <DCName>
Be aware that /syncall can behave differently depending on the parameters you use. For instance, /syncall /Adeu synchronizes the domain, forcing replication in both directions and recursively.
The /SyncAll parameter accepts some additional flags that you can use:
/a – Stop the run if any server can’t be reached.
/A – Sync all naming contexts (partitions) hosted on the target DC.
/d – Show servers as distinguished names (DNs) in messages/output.
/e – Include all sites (enterprise-wide). Without it, it stays within the current site.
/h – Show help.
/i – Keep repeating (loop) until you cancel it.
/I (capital i) – Don’t sync; instead run repadmin /showrepl along the path to report status.
/j – Sync adjacent partners only (direct neighbors).
/p – Pause after each message so you can interrupt/abort.
/P – Push changes outward from the specified DC to its partners.
/q – Quiet mode (less chatter; suppress callback messages).
/Q – Very quiet mode (show fatal errors only).
/s – Don’t synchronize (effectively a “no-op” mode; mainly used with other switches).
/S – Skip the initial “are you responding?” server check and just try the sync.
Here are three common repadmin /syncall examples:
- Quick “sync everything on this DC”:
repadmin /syncall /A /d
- Full enterprise sync (all sites) with minimal noise:
repadmin /syncall /A /e /q
- Push changes outward from a “hub” DC:
repadmin /syncall /A /e /P /q
Manually Triggering the Knowledge Consistency Checker (KCC)
The Knowledge Consistency Checker (KCC) is a core Active Directory process that automatically constructs and maintains the replication topology between domain controllers based on site definitions, site links, and available partners, ensuring efficient and resilient intra- and inter-site replication.
Administrators often use repadmin /kcc <DCList> (optionally with /async) to troubleshoot replication topology problems or to verify that optimal replication connection objects are created without waiting for the automated KCC cycle.
> repAdmin /kcc dc01
HQ
Current Site Options: (none)
Consistency check on dc01 successful.
Important Notes for KCC
- repadmin /kcc does not replicate data; it only recalculates the topology.
- Actual replication still occurs via normal schedules or commands, such as /syncall.
- The KCC creates inbound connection objects only.
- In multi-site environments, both intra-site and inter-site topologies may be recalculated depending on the changes.
Tracing AD Object Changes via Replication Metadata
To analyze changes made to specific Active Directory object attributes, including how many times an attribute has been modified and which DC originated the change, you can use the /showobjmeta parameter.
The repadmin /showobjmeta command displays detailed replication metadata for an object, such as:
- Originating Domain Controller
- Attribute version numbers
- Originating and local USNs
- Timestamps associated with each modification.
The command syntax is: repadmin /showobjmeta <DCName> "<Object DN>"
Inspecting Attribute Replication Metadata
The following example demonstrates how to inspect replication metadata for a user object named DemoUser1, and shows how to track changes to the telephonenumber attribute.
Let’s start by modifying the user telephonenumber attribute on the DC01 server, and wait for the replication to finish or run Repadmin /syncall. Confirm that the changes are replicated successfully.
Now run the following command:
repadmin /showobjmeta DC02 "CN=DemoUser1,OU=1Demo,DC=pscenter,DC=local"

This command queries the specified domain controller, which is DC02, and returns replication metadata for each attribute on the object. The output includes information such as attribute versions, originating domain controllers, USNs, and timestamps, allowing administrators to determine where and when each attribute was last modified.
When reviewing the output of repadmin /showobjmeta, the most relevant fields are:
- Attribute
The specific object attribute (for example, telephoneNumber).
- Ver (Version)
Indicates the number of times the attribute has been modified. Each successful write increments the version number. As you can see, it’s 1, as this is the first time a change has occurred to this attribute.
- Originating DSA
The domain controller where the last modification originated, which is DC01.
- Org.USN (Originating USN)
The USN assigned by the originating domain controller at the time of the write.
- Loc.USN (Local USN)
The USN assigned when the change was applied on the domain controller where the command is executed.
- Org.Time/Date
The timestamp of the originating write operation.
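To turn these fields into something you can filter and sort, the following added example (not from the original post) parses /showobjmeta text into objects and marks attributes whose last write originated on a different DC than the one queried. The function name, the sample rows, and the yyyy-MM-dd timestamp format (taken from the /showrepl output earlier on this page) are assumptions.

```powershell
# Constructed sample of /showobjmeta output as returned by DC02; values are illustrative.
$sample = @'
Loc.USN    Originating DSA   Org.USN  Org.Time/Date        Ver Attribute
=======    ===============  ========  =============        === =========
  20512            HQ\DC02     20512  2025-12-20 10:15:02    1 objectClass
  20512            HQ\DC02     20512  2025-12-20 10:15:02    1 cn
  24410            HQ\DC02     24410  2025-12-22 09:03:47    3 description
  28731            HQ\DC01     41877  2025-12-28 16:40:11    1 telephoneNumber
'@ -split '\r?\n'

function Get-ObjMetaRow([string[]]$Lines, [string]$QueriedDsa) {
    # Loc.USN, Originating DSA, Org.USN, timestamp, Ver, Attribute
    $row = '^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s*$'
    foreach ($line in $Lines) {
        if ($line -match $row) {   # header and separator lines do not match
            [pscustomobject]@{
                Attribute      = $Matches[6]
                Version        = [int]$Matches[5]
                OriginatingDsa = $Matches[2]
                OrgUsn         = [long]$Matches[3]
                LocUsn         = [long]$Matches[1]
                OrgTime        = [datetime]::ParseExact($Matches[4], 'yyyy-MM-dd HH:mm:ss',
                                     [cultureinfo]::InvariantCulture)
                # True when the last write arrived through replication from another DC
                ReplicatedIn   = $Matches[2] -ne $QueriedDsa
            }
        }
    }
}

# Live use on a DC:
#   Get-ObjMetaRow (repadmin /showobjmeta DC02 "CN=DemoUser1,OU=1Demo,DC=pscenter,DC=local") 'HQ\DC02'
Get-ObjMetaRow $sample 'HQ\DC02' |
    Where-Object { $_.ReplicatedIn -or $_.Version -gt 1 } |
    Sort-Object OrgTime -Descending |
    Format-Table Attribute, Version, OriginatingDsa, OrgUsn, LocUsn, OrgTime, ReplicatedIn
```

With the sample data, telephoneNumber is listed as written on HQ\DC01 and replicated in to DC02, matching the walkthrough above.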
Conclusion
Verifying and troubleshooting Active Directory replication is a core responsibility for system administrators. Repadmin is a simple yet powerful tool that provides deep insight into replication behavior and object-level changes.