Over the years I’ve come across a number of different environments, many of them running Active Directory in very different states. Replication is an important part of ensuring that your AD environment is healthy and highly available to service end users. I’ve compiled some notes around Active Directory replication commands and gathering information.
First, give the server a quick look over: make sure it has plenty of free disk space wherever the Active Directory NTDS database lives, and have a quick look in the Event Viewer for anything out of the ordinary. This usually reveals the issue and you can start to troubleshoot and fix it. Otherwise, we can use the tools below to dig deeper into the AD environment.
repadmin
A quick way I check that replication is going okay is the replsummary command, which gives an output of each replication relationship for each domain controller along with the delta size, last change time and any errors.
repadmin /replsummary
You can also pipe the replication relationships and summary to a CSV, which is a good way to dig into the environment and get an understanding of how everything fits together.
repadmin /showrepl * /csv > rep.csv
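As an added example (not part of the original post), the following PowerShell reads the rep.csv produced above and flags every replication link that has recorded failures or whose last successful sync is older than a threshold, so you can spot the broken partner without reading the whole file. The file path and the 24-hour threshold are assumptions of this example; the column names are the ones repadmin writes in its CSV output.

```powershell
# Added example: triage the output of "repadmin /showrepl * /csv".
# Assumptions: rep.csv is in the current directory (or repadmin is on the PATH),
# and 24 hours without a successful sync counts as stale.
param(
    [string]$CsvPath     = '.\rep.csv',   # produced by: repadmin /showrepl * /csv > rep.csv
    [int]   $MaxAgeHours = 24             # links older than this are reported as stale
)

# Use the saved file if present; otherwise query repadmin directly.
if (Test-Path $CsvPath) {
    $links = Import-Csv -Path $CsvPath
} else {
    $links = repadmin /showrepl * /csv | ConvertFrom-Csv
}

$now = Get-Date
$report = foreach ($link in $links) {
    $failures = 0
    [void][int]::TryParse($link.'Number of Failures', [ref]$failures)

    # "Last Success Time" is a date string; an empty or unparsable value means never synced.
    $lastOk = $null
    try { $lastOk = [datetime]$link.'Last Success Time' } catch { }
    $ageHours = if ($lastOk) { [math]::Round(($now - $lastOk).TotalHours, 1) } else { $null }
    $stale    = (-not $lastOk) -or ($ageHours -gt $MaxAgeHours)

    if ($failures -gt 0 -or $stale) {
        [pscustomobject]@{
            Destination   = $link.'Destination DSA'
            Source        = $link.'Source DSA'
            NamingContext = $link.'Naming Context'
            Failures      = $failures
            LastSuccess   = $link.'Last Success Time'
            AgeHours      = $ageHours
            LastStatus    = $link.'Last Failure Status'
        }
    }
}

if ($report) {
    $report | Sort-Object Failures -Descending | Format-Table -AutoSize
    exit 1   # non-zero exit so a scheduled task or monitor can alert on it
} else {
    "All $($links.Count) replication links healthy (no failures, all synced within $MaxAgeHours h)."
}
```

Run it from an elevated prompt on a domain controller or a host with RSAT installed; a partner that keeps appearing with a growing Failures count is the one to investigate with dcdiag next.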

To force Active Directory replication, we can issue the command repadmin /syncall /AeD on the domain controller whose copy of the Active Directory database we want to update. For example, if DC02 is out of sync, we run the command on DC02.
- A = All Partitions
- e = Enterprise (Cross Site)
- D = Identify servers by distinguished name in messages.
To replicate a single naming context between two specific domain controllers, use repadmin /replicate, which takes the destination DC first, then the source DC, then the naming context:
repadmin /replicate DC01-PRD.stg.local DC02-PRD.stg.local DC=Prod,DC=stg,DC=local /selsecrets
By default this is a pull replication, which is how AD normally works. If you want to do a push replication instead, use the following command:
repadmin /syncall /APeD
You want a push replication if you make changes on a DC and want those changes replicated out to all other DCs. For example, if you make a change on DC1 and want every other DC to get that change immediately, run repadmin /syncall /APeD on DC1.
For the full repadmin syntax, please see this link on Microsoft.
dcdiag
dcdiag is another simple tool you can use to quickly run a number of tests across your Active Directory. I generally run this as part of an audit and pipe the output to a text file for review later.
dcdiag > dcdiag.txt
This tests things like DNS, Group Policy, AD DS services, replication and reachability of services across the Active Directory environment, and is a quick way to get a snapshot of overall health.
nltest
nltest is another tool you can use to analyse the local machine and its connectivity to Active Directory. Most of these commands require a domain name, in this case stg.local; replace it with your own AD namespace. We can do a secure channel test to ensure a client has connectivity to a domain controller (and see which domain controller it is using):
nltest /sc_query:stg.local
We can also identify domain controllers via DNS:
nltest /dnsgetdc:stg.local
And we can also reset the secure channel if the machine complains that the trust relationship between this workstation and the primary domain has failed. Hint: there is also a cool PowerShell command for this.
nltest /sc_reset:stg.local
All of these tools are quite powerful, but knowing just a few of these commands will get you a long way in understanding what the issue is or could be.