Rep Admin

Monitoring and troubleshooting Active
Directory replication using Repadmin

Microsoft Corporation
Originally Published: September 2008
Update Published: March 2010
Abstract
his document describes ho! to use "epadmin#e$e to monitor% diagnose% and troubleshoot the
most common replication problems that organi&ations might e$perience in their 'cti(e )irectory*
en(ironments# 'll the information in this document applies to computers running the Microsoft*
+indo!s* 2000 Ser(er% +indo!s Ser(er* 200,% +indo!s Ser(er* 2008% and +indo!s
Ser(er* 2008 "2 operation systems#
-nformation in this document% including U". and other -nternet +eb site references% is sub/ect to
change !ithout notice# Unless other!ise noted% the e$ample companies% organi&ations% products%
domain names% e0mail addresses% logos% people% places% and e(ents depicted herein are fictitious%
and no association !ith any real company% organi&ation% product% domain name% e0mail address%
logo% person% place% or e(ent is intended or should be inferred# Complying !ith all applicable
copyright la!s is the responsibility of the user# +ithout limiting the rights under copyright% no part
of this document may be reproduced% stored in% or introduced into a retrie(al system% or
transmitted in any form or by any means 1electronic% mechanical% photocopying% recording% or
other!ise2% or for any purpose% !ithout the e$press !ritten permission of Microsoft Corporation#
Microsoft may ha(e patents% patent applications% trademar3s% copyrights% or other intellectual
property rights co(ering sub/ect matter in this document# 4$cept as e$pressly pro(ided in any
!ritten license agreement from Microsoft% the furnishing of this document does not gi(e you any
license to these patents% trademar3s% copyrights% or other intellectual property#
5 2010 Microsoft Corporation# 'll rights reser(ed#
'cti(e )irectory% Microsoft% +indo!s% and +indo!s Ser(er are either registered trademar3s or
trademar3s of Microsoft Corporation in the United States and6or other countries#
he names of actual companies and products mentioned herein may be the trademar3s of their
respecti(e o!ners#
Contents
Monitoring and troubleshooting 'cti(e )irectory replication using "epadmin#################################1
'bstract#################################################################################################################################### 1
Contents########################################################################################################################################## ,
Monitoring and roubleshooting 'cti(e )irectory "eplication Using "epadmin##############################7
Publication and re(ision history################################################################################################### 7
"epadmin -ntroduction and echnology O(er(ie!########################################################################## 7
'cti(e )irectory replication dependencies#################################################################################10
8lossary of replication terms##################################################################################################### 11
8lossary of other replication0related terms################################################################################ 1,
"epadmin "e9uirements% Synta$% and Parameter )escriptions###################################################1:
System re9uirements################################################################################################################# 1:
;ile re9uirements####################################################################################################################### 1:
"epadmin command0line options############################################################################################## 1<
Synta$#################################################################################################################################### 1<
Parameters############################################################################################################################# 1<
"epadmin subcommands########################################################################################################## 1=
"epadmin 6listhelp##################################################################################################################### 22
CS> format################################################################################################################################ 2:
"epadmin Usage Scenarios######################################################################################################### 2?
Monitor ;orest0+ide "eplication################################################################################################### 2<
Synta$#################################################################################################################################### 2<
Simple usage of repadmin 6replsummary############################################################################### 2=
@o! to interpret the output##################################################################################################### 28
@o! to ma3e more sense of some of the fields######################################################################27
Common factors that influence the largest delta field#############################################################27
+here do "4P')M-A 6"4P.SUMM'"B read replication status informationC######################,0
+ild card and other parameter usage#################################################################################### ,0
"eplsummary reporting failures ############################################################################################# ,1
)isplay "eplication Partners and Status of a )omain Controller##################################################,2
Synta$######################################################################################################################################## ,2
Sho! replication partners and replication status#######################################################################,,
Using repadmin 6sho!repl to display detailed and precise information######################################,?
@igh0!atermar3 (alue################################################################################################################ ,<
Sho!ing outbound neighbors#################################################################################################### ,<
Some of the repadmin 6sho!repl 4rror Messages and their root cause####################################,=
Ao inbound neighbors############################################################################################################ ,8
'cti(e )irectory replication has been preempted###################################################################,7
.ast attempt D ne(er !as successful#################################################################################### ,7
'ccess denied######################################################################################################################## :0
"eplication .atency####################################################################################################################### :0
Synta$######################################################################################################################################## :1
@o! to interpret the data########################################################################################################### :1
@o! to interpret the data########################################################################################################### :,
)isplay the latency only for the domain partition#######################################################################:,
>ie! "eplication Metadata of an Ob/ect####################################################################################### ::
Synta$######################################################################################################################################## ::
4$ample 1: Metadata of a group ob/ect##################################################################################### :?
4$ample 2: Comparing replication metadata of a user ob/ect bet!een t!o domain controllers :?
)isplay the 'ttributes of a Specific Ob/ect##################################################################################### :<
Synta$######################################################################################################################################## :=
4$ample: )isplay select attributes############################################################################################# :8
@o! Up to )ate 're My )omain ControllersC###############################################################################:8
Synta$######################################################################################################################################## :8
4$ample: Chec3ing replication latency on the E"'AC@, domain controller#############################:7
4$ample: Comparing ho! up0to0date other domain controllers in the enterprise are !ith respect
to the OriginatingUSA############################################################################################################ ?0
4$ample: ;urther in(estigation from the perspecti(e of the E"'AC@2 domain controller#########?0
Can - .oo3 at My Connection Ob/ects and Schedule )etailsC######################################################?1
Synta$######################################################################################################################################## ?1
4$ample: Simple usage of 6sho!conn####################################################################################### ?1
;ine0uning Change Aotification >alues####################################################################################### ?,
Synta$######################################################################################################################################## ??
4$ample 1: )isplaying the default notification delay on the ;orest)nsFones partition##############??
4$ample 2: Changing the defaults to ,006,0 on the ;orest)nsFones#######################################?<
;orcing "eplication####################################################################################################################### ?<
"eplicate a single ob/ect bet!een t!o domain controllers#########################################################?<
Synta$#################################################################################################################################### ?=
4$ample: "eplicate a single ob/ect bet!een all the branch domain controllers by using !ild
card character##################################################################################################################### ?=
;orce a replication e(ent bet!een t!o partners########################################################################?=
Synta$1 ################################################################################################################################# ?8
Synta$2 ################################################################################################################################# ?8
4$ample: replicate in domain partition bet!een t!o specific partners####################################?7
;orce a replication e(ent !ith all partners################################################################################# <0
Synta$#################################################################################################################################### <0
4$ample 1: Synchroni&ing Configuration Partition !ithin the site###########################################<1
4$ample 2: Crossing site boundaries and other features#######################################################<2
Geeping rac3 of Changes hat @a(e Occurred O(er a Period of ime#######################################<,
Synta$1###################################################################################################################################### <,
Synta$2###################################################################################################################################### <,
4$ample: Compare changes occurred to configuration partition o(er a period of time##############<?
@o! to interpret the data########################################################################################################### <?
)isplay changes not replicated bet!een t!o partners###############################################################<?
4$ample: )isplay pending replication changes 1config partition2 bet!een t!o replication
partners############################################################################################################################### <?
4$ample: Usage of a filter###################################################################################################### <<
4$ample: listing only the summary as opposed to indi(idual changes###################################<<
Usage of "epadmin +hen roubleshooting 4(ent -) 1,11##########################################################<=
)etermine if site lin3 bridging is turned on#################################################################################<7
)etect preferred bridgeheads#################################################################################################### =0
>erify inter0site cost matri$ and orphaned sites######################################################################### =1
Synta$#################################################################################################################################### =1
4$ample: )isplay inter0site cost matri$################################################################################### =2
@o! to interpret the data######################################################################################################## =2
"epadmin 6failcache################################################################################################################## =,
Synta$#################################################################################################################################### =,
4$ample: )isplay replication failures that GCC is a!are of####################################################=:
4$ample: Output !hen there are no failures########################################################################## =?
"epadmin 6GCC######################################################################################################################### =?
Synta$#################################################################################################################################### =?
4$ample 1: "unning the GCC on the local domain controller#################################################=<
4$ample 2: "unning the GCC against the -S8 of the @UE site############################################=<
4$ample ,: "unning the GCC against all the global catalog ser(ers in the forest##################=<
4$ample :: "unning the GCC against all the domain controllers in the E"'AC@2 site#########==
"epadmin 6-S8######################################################################################################################## ==
Synta$#################################################################################################################################### ==
4$ample: )isplay -S8s in my en(ironment########################################################################## ==
"epadmin 69uerysites################################################################################################################ =8
Synta$#################################################################################################################################### =8
4$ample 1: )isplay cost bet!een E"'AC@1 and @UE#########################################################=8
4$ample 2: )isplay cost bet!een E"'AC@1 and E"'AC@2################################################=8
4$ample ,: )isplay cost bet!een E"'AC@1 and Eranch2###################################################=8
"epadmin 69ueue###################################################################################################################### =7
Synta$ ################################################################################################################################### =7
4$ample: )isplay the 9ueue length against the local domain controller#################################=7
4$ample: Hueue contains one item######################################################################################## 80
"epadmin 6bridgeheads############################################################################################################# 80
Synta$#################################################################################################################################### 80
4$ample 1: "epadmin 6bridgeheads rootdns ########################################################################80
4$ample 2: "epadmin 6bridgeheads rootdns 6(erbose###########################################################81
@o! to interpret the data######################################################################################################## 81
"epadmin 6sho!msg################################################################################################################# 8,
Synta$#################################################################################################################################### 8,
4$ample: )isplay the error message for the !in,2error 1=22 and )S e(ent -) 1:0:############8,
"epadmin 6(ie!list##################################################################################################################### 8,
Synta$#################################################################################################################################### 8,
4$ample 1: )isplay all the )CIs in the forest########################################################################## 8:
4$ample 2: )isplay all the 8roup Policy ob/ects in the domain directory partition for the
domain of the domain controller that repadmin is running against######################################8:
Open sessions !ith the domain controller#################################################################################8:
Synta$#################################################################################################################################### 8:
4$ample: Sho! open sessions !ith a )S'############################################################################8?
Subcommands Aot Co(ered Under the Pre(ious Scenarios#########################################################8?
)isplay replication features######################################################################################################## 8?
Synta$#################################################################################################################################### 8?
4$ample: )isplay replication features on the local domain controller% !hich is running
+indo!s Ser(er 200,######################################################################################################### 8<
Ser(er ob/ect 8U-) 1)S' 8U-)2 J )atabase 8U-)##################################################################8<
Synta$#################################################################################################################################### 8<
4$ample: )isplay the domain controller name !hen gi(en a 8U-)#######################################8=
Certificates loaded on a domain controller#################################################################################8=
Synta$#################################################################################################################################### 8=
"etired 'pplication partition 8U-)s 1signature2######################################################################### 88
Synta$#################################################################################################################################### 88
4$ample: )isplay the recently retired ;orest)nsFone application directory partition on the
local domain controller######################################################################################################## 88
Unans!ered replication calls##################################################################################################### 88
Synta$#################################################################################################################################### 88
4$ample: @ub domain controller !aiting for the re9uest to be ans!ered from a spo3e domain
controller############################################################################################################################# 87
sho!pro$y################################################################################################################################# 87
Synta$1################################################################################################################################## 87
Synta$2################################################################################################################################## 87
"etired )atabase 8U-)s 1signature2######################################################################################### 70
Synta$#################################################################################################################################### 70
4$ample 1: Simple usage of no retired signatures#################################################################70
4$ample 2: Simple usage of retired signature########################################################################71
Con(ert directory ser(ice time to readable time#########################################################################71
Synta$#################################################################################################################################### 71
4$ample 1: Usage !ith directory ser(ice time format#############################################################71
4$ample 2: Current system time############################################################################################ 71
'cti(e )irectory domains trusted by domain controller##############################################################72
Synta$#################################################################################################################################### 72
4$ample: )isplay 'cti(e )irectory domains that are trusted by the domain of the local domain
controller############################################################################################################################# 72
.in3ed )istinguished Aame (alues############################################################################################ 72
Synta$#################################################################################################################################### 72
4$ample: )isplay members of the )omain 'dmins group######################################################7,
Oldhelp########################################################################################################################################## 7,
sync########################################################################################################################################### 7,
Synta$#################################################################################################################################### 7:
propchec3################################################################################################################################## 7:
Synta$#################################################################################################################################### 7?
getchanges################################################################################################################################ 7?
Synta$1################################################################################################################################## 7?
Synta$2################################################################################################################################## 7?
sho!reps################################################################################################################################### 7=
Synta$#################################################################################################################################### 7=
sho!(ector################################################################################################################################ 7=
Synta$#################################################################################################################################### 7=
sho!meta################################################################################################################################## 78
Synta$#################################################################################################################################### 78
'dminister Pass!ords and Pass!ord "eplication Policy for "ead0Only )omain Controllers !ith
"epadmin#e$e########################################################################################################################### 77
repadmin 6prp############################################################################################################################ 77
Synta$#################################################################################################################################### 77
Operations############################################################################################################################## 77
'dd################################################################################################################################### 100
Synta$############################################################################################################################ 101
'dditional parameters#################################################################################################### 101
)elete############################################################################################################################### 101
Synta$############################################################################################################################ 101
Mo(e################################################################################################################################# 102
Synta$############################################################################################################################ 102
>ie!################################################################################################################################## 10,
Synta$############################################################################################################################ 10,
'dditional parameters#################################################################################################### 10,
4$ample 1: >ie! the P"P of an "O)C################################################################################10:
4$ample 2: >ie! accounts that an "O)C has authenticated ##############################################10:
4$ample ,: Clear the list of authenticated accounts#############################################################10:
4$ample :: Configure the P"P############################################################################################# 10?
4$ample ?: Mo(e accounts that an "O)C has authenticated to the 'llo!ed "O)C Pass!ord
"eplication Policy 8roup################################################################################################### 10?
4$ample <: >ie! accounts !ith cached pass!ords on an "O)C########################################10?
repadmin 6rodcp!drepl############################################################################################################ 10<
Synta$################################################################################################################################## 10<
4$ample############################################################################################################################### 10=
"epadmin for 4$perts################################################################################################################# 10=
'dd% Modify% or )elete replication lin3s#################################################################################### 10=
Synta$################################################################################################################################## 10=
'dd% Modify% or )elete outbound replication partners##############################################################107
Synta$################################################################################################################################### 110
@osting and unhosting read0only partitions##############################################################################111
Synta$################################################################################################################################### 111
)etecting and remo(ing lingering ob/ects################################################################################ 112
Strict and loose replication consistency################################################################################ 11,
Synta$################################################################################################################################### 11?
'd(anced domain controller options######################################################################################## 11?
Synta$################################################################################################################################### 11<
'd(anced site options############################################################################################################## 11=
Synta$################################################################################################################################### 11=
Miscellaneous########################################################################################################################## 117
Monitoring and Troubleshooting Active
Directory Replication Using Repadmin
his document describes ho! to use the "epadmin#e$e tool to monitor% diagnose% and
troubleshoot common replication problems in your 'cti(e )irectory* en(ironment# 'll the
information in this document applies to computers running the Microsoft* +indo!s* 2000 Ser(er
and +indo!s Ser(er* 200, operation systems# his document includes the follo!ing topics:
"epadmin -ntroduction and echnology O(er(ie!
"epadmin "e9uirements% Synta$% and Parameter )escriptions
"epadmin Usage Scenarios
"epadmin for 4$perts
o obtain a copy of this guide in #doc file format% see roubleshooting replication !ith repadmin on
the Microsoft )o!nload Center 1http:66go#microsoft#com6f!lin36C.in3-)K1270202#
Publication and revision history
he follo!ing table summari&es the re(ision history for this guide% including its original publication
on Microsoft echAet#
)ate "e(ision
Lune 2008 Original publication on echAet#
March 2010 Updated !ith ne! commands for managing
read0only domain controllers in +indo!s
Ser(er 2008 and +indo!s Ser(er 2008 "2# ;or
more information% see 'dminister Pass!ords
and Pass!ord "eplication Policy for "ead0Only
)omain Controllers !ith "epadmin#e$e#
Repadmin Introduction and Technology
Overview
"epadmin#e$e is a command line tool that is designed to assist administrators in diagnosing%
monitoring% and troubleshooting 'cti(e )irectory replication problems#
7
Active Directory replication dependencies
'cti(e )irectory replication has the follo!ing dependencies:
Routable IP inrastructure! he replication topology depends on a routable -P
infrastructure from !hich you can map -P subnet address ranges to site ob/ects# his
mapping generates the information that client !or3stations use to communicate !ith domain
controllers that are close byM!hen there is a choiceMrather than !ith domain controllers
that are located across !ide area net!or3 1+'A2 lin3s#
D"#! he )omain Aame System 1)AS2 that resol(es )AS names to -P addresses#
'cti(e )irectory re9uires that )AS is properly designed and deployed so that domain
controllers can correctly resol(e the )AS names of replication partners#
Remote procedure call $RPC%! 'cti(e )irectory replication re9uires -P connecti(ity and
the remote procedure call 1"PC2 to transfer updates bet!een replication partners#
&erberos version ' $('% authentication! he authentication protocol for both
authentication and encryption that is re9uired for all 'cti(e )irectory "PC replication#
)ightweight Directory #ervices Protocol $)DAP%! he primary access protocol for
'cti(e )irectory# "eplication of an entire replica of an 'cti(e )irectory domain% as occurs
!hen 'cti(e )irectory is installed on an additional domain controller in an e$isting domain%
uses .)'P communication rather than "PC#
"et)ogon! Aet.ogon dynamically registers the globally uni9ue identifier 18U-)2 CA'M4
in )AS that a domain controller uses to resol(e its partnerIs host name and -P address for
'cti(e )irectory replication#
Intersite Messaging! -ntersite Messaging is re9uired for Simple Mail ransfer Protocol
1SMP2 intersite replication and for site co(erage calculations# -f the forest functional le(el is
+indo!s 2000% -ntersite Messaging is also re9uired for intersite topology generation#
Replication Topology and Dependent Technologies
10
*lossary o replication terms
he follo!ing table lists terms that are commonly used in discussions about 'cti(e )irectory
replication#
erm )efinition
'cti(e )irectory replication 'cti(e )irectory is a distributed directory
ser(ice% in !hich not all ob/ects in the directory
are stored on e(ery domain controller# -n
addition% all domain controllers in a domain can
be updated directly% not /ust one primary domain
controller# 'cti(e )irectory replication is the
means by !hich changes that are made on one
domain controller are synchroni&ed !ith all
other appropriate domain controllers in the
domain or forest that store copies of the same
information# )ata integrity is maintained by
trac3ing changes on each domain controller and
updating other domain controllers in a
systematic !ay# "eplication uses a connection
topology that is created automatically to ma3e
optimal use of beneficial net!or3 connections#
'cti(e )irectory replication topology "eplication topology is the current set of
'cti(e )irectory connections by !hich domain
controllers in a forest communicate o(er local
area net!or3s 1.'As2 and +'As to
synchroni&e the directory partition replicas that
the domain controllers ha(e in common#
"eplication topology generation is usually
dynamic# -t adapts to the net!or3 conditions
and a(ailability of domain controllers# 's a
result of ho! much !e rely and depend on
directory ser(ices today% it is (ery important to
ensure that a directory replication topology is
fine0tuned to maintain and deli(er the e$pected
le(el of performance#
'cti(e )irectory sites ' site is a part of the net!or3 !ith high
band!idth connecti(ity# Ey definition% it is a
collection of !ell0connected computers% based
on -P subnets# Bou can use the 'cti(e )irectory
Sites and Ser(ices snap0in to administer sites#
11
Eecause sites control ho! replication occurs%
changes that you ma3e !ith this snap0in affect
ho! efficiently domain controllers !ithin a
domain 1but separated by great distances2 !ill
coalesce#
Gno!ledge Consistency Chec3er 1GCC2 ' part of the -S8 role in 'cti(e directory# he
GCC chec3s and% as an option% re0creates
topology information for the 'cti(e )irectory
domain#
-ntersite opology 8enerator 1-S82 his is a role that one domain controller in an
'cti(e )irectory site must perform#he -S8
designates one or more bridgehead ser(ers to
perform replication bet!een sites#
Multimaster replication 4(ery domain controller can recei(e originating
updates to data for !hich it is authoritati(e%
rather than ha(ing a single domain controller
that recei(es all original updates 1also 3no!n as
single0master replication% such as Microsoft
+indo!s A* :#0 replication2#
Pull replication )omain controllers re9uest 1pull2 changes
rather than send 1push2 changes that might not
be necessary#
Store0and0for!ard replication 4ach domain controller communicates !ith a
subset of domain controllers to transfer
replication changes% rather than one domain
controller being responsible for communicating
!ith e(ery other domain controller that re9uires
the change#
@igh !ater mar3 @igh !ater mar3 is a (alue that the destination
domain controller maintains to 3eep trac3 of the
most recent changes that it has recei(ed from a
specific source domain controller for an ob/ect
in a specific partition# @igh !ater mar3 pre(ents
irrele(ant ob/ects from being considered by the
source domain controller !ith respect to a
single destination#
Up0to0dateness (ector he up0to0dateness (ector is a (alue that the
destination domain controller maintains for
trac3ing the originating updates that are
recei(ed from all source domain controllers#
12
+hen a destination domain controller re9uests
changes for a directory partition% it pro(ides its
up0to0dateness (ector to the source domain
controller# he source domain controller then
uses this (alue to reduce the set of attributes
that it sends to the destination domain
controller#
*lossary o other replication+related terms
he follo!ing table lists terms that are related to other technologies that depend on
'cti(e )irectory replication topology#
erm )efinition
;ile "eplication Ser(ice 1;"S2 he replication ser(ice in +indo!s 2000 Ser(er
and +indo!s Ser(er 200, that is used to
replicate the SBS>O. shared folder#
"eplica set he collection of ser(ers that are all replicating
a gi(en set of directories is called a replica set#
+ith an appropriate topology design and
sufficient net!or3 support% a +indo!s 2000 or
+indo!s Ser(er 200, ;"S replica set can span
thousands of computers# -t is also possible for a
single computer to be a member of multiple
replica sets#
opology opology defines the set of connections that are
used to send updates bet!een members of a
replica set# he topology definition includes both
the connections and the properties of those
connections% such as the schedule% enabled
and disabled flags% and so on#
)isconnected operation ;"S can operate e(en if some or all member
computers are disconnected from each other for
periods of time# Changes can be accepted by
any computer% and changes are replicated to
other member computers !hen connecti(ity is
reestablished#
'uthenticated "PC !ith encryption o pro(ide secure communications% ;"S uses
the Gerberos authentication protocol for
authenticated "PC to encrypt and tamper0proof
1,
the data that is sent bet!een replication
partners#
Repadmin Re,uirements- #ynta.- and
Parameter Descriptions
Bou can use the repadmin command to perform replication tas3s and to manage and modify the
replication topology% force replication e(ents% and display replication metadata and up0to0dateness
(ectors# his topic co(ers:
System re9uirements
;ile re9uirements
"epadmin command0line options
"epadmin subcommands
"epadmin 6listhelp
CS> format
#ystem re,uirements
he follo!ing are the system re9uirements for repadmin:
+indo!s NP Professional% +indo!s >ista*% +indo!s Ser(er 200,% or
+indo!s Ser(er 2008
'dministrator rights on the domain controller:
"e9uired replication rights can be delegated
Some commands do not re9uire 'dministrator rights
/ile re,uirements
"epadmin#e$e is included in the +indo!s Ser(er 200, Ser(ice Pac3 1 1SP12 Support tools# Bou
must install the Support tools before you can use them# ;or more information about ho! to install
the Support tools% see +indo!s Ser(er 200, SP1 Support ools in the Microsoft Gno!ledge Ease
1http:66go#microsoft#com6f!lin36C.in3-)K::,212#
o obtain the Support tools if you do not ha(e the +indo!s Ser(er 200, operating system disc%
see +indo!s Ser(er 200, SP1 ,20bit Support ools on the Microsoft )o!nload Center
1http:66go#microsoft#com6f!lin36C.in3-)K=0==?2#
Pre(ious (ersions of repadmin ha(e similar functionality% but they ha(e some limitations
regarding the !or3stations that they can be run on and !hich functions they can perform# he
follo!ing table lists the (ersions of repadmin% !hich operating systems they can be run on% and
!hich domain controllers they can target#
1:
>ersion Client operating system arget operating system -mportant feature sets
+indo!s 2000 +indo!s 2000 and
later
'll 'cti(e )irectory
(ersions
6sync
6propchec3
6sho!reps
6sho!(ector
6sho!meta
+indo!s Ser(er 20
0,
+indo!s NP Professio
nal and
+indo!s Ser(er 200,
(ersions
6notifyopt
6replsummary
6replicate
6replsingleob/
6
remo(elingeringob/ect
s
6rehost and 6unhost
6sho!msg
6sho!attr
6syncall
6(ie!list
DC_LIST
+indo!s Ser(er 20
0, !ith SP 1
nal and
+indo!s Ser(er 200,
(ersions
"ehost re9uires
+indo!s 2000 Ser(er S
P: and later
"emo(e lingering
ob/ects re9uires
+indo!s Ser(er 200,
6sho!bac3up
6rehost bug fi$
6reg3ey
'cti(e )irectory
'pplication Mode
1')'M2
nal and
+indo!s Ser(er 200,
(ersions
6setattr
6listhelp
)eprecated subcommands 1from
+indo!s 2000 Ser(er2
49ui(alent or impro(ed subcommands in
+indo!s Ser(er 200,
6sync
6propchec3
6sho!reps
6repl or 6replicate
6sho!changes
6sho!repl
1?
6sho!(ector
6sho!meta
6sho!utd(ec
6sho!ob/meta
Repadmin command+line options
"epadmin is e$ecuted at the command prompt% and it contains se(eral subcommands% !hich are
described in detail in the follo!ing section#
#ynta.
repadmin <subcommand> [<dsa>] [/u: <UserName>] [/pw: {<Password> | *}] [/rpc] [/ldap]
[/homeserver: <dsaname>]
Parameters
Parameter )escription
OsubcommandP One of the repadmin subcommands that is
described in the subcommands section#
O)saP )irectory System 'gent 1)S'2 represents the
domain controller to be targeted by the
repadmin subcommand#
Aot all repadmin subcommands re9uire the
dsa parameter
ype repadmin 0listhelp at the command line
for additional information about the dsa
parameter#
6u:OUserAameP Specifies the account name to use for binding
to the directory# Ey default% 0u uses the account
name !ith !hich the user is currently logged
on# Bou can use any of the follo!ing formats to
specify an account name:
account name 1for e$ample% Eob2
domainQaccount name 1for e$ample%
contosoQEob2
user principal name 1UPA2 1for
e$ample% EobDcontoso#com2
6p! ROPass!ordP S TU Specifies the pass!ord to use for
authentication# -f you type 1% you are prompted
for a pass!ord#
1<
6rpc ;orces repadmin to communicate by using a
remote procedure call 1"PC2 session#
6ldap ;orces repadmin to communicate by using a
.ight!eight )irectory 'ccess Protocol 1.)'P2
session# -f .)'P communication fails%
repadmin attempts to communicate by using
"PC# .)'P is the default communication
method for repadmin#
6homeser(er:OdsanameP ;orces repadmin to run against a specific
domain controller% !hich is determined by the
forest membership of the directory ser(er that is
represented by <dsaname>#
Bou can specify <dsaname> in the follo!ing
formats:
<Computername>% <Dnsname>% <Dsaguid>%
T% #% Vsite:<site>W% VfsmoXdnm:W% or
VfsmoXschema:W#
Repadmin subcommands
Subcommand Synta$ and description
bind repadmin 6bind YdsaZ
Connects to and displays the replication features for a
directory ser(er#
bridgeheads repadmin 6bridgeheads YdsaZ
.ists the directory ser(ers that act as bridgehead
ser(ers for a specified site#
chec3prop repadmin 6chec3prop YdsaZ Naming Context
OriginatingDCInvocationID OriginatingUSN
Compares the properties of specified directory ser(ers
to determine if they are up to date !ith each other# he
source directory ser(er contains the original
information that must be chec3ed# he data on the
destination directory ser(er is compared to the data on
the source directory ser(er#
dsaguid repadmin 6dsaguid YdsaZ YGUIDZ
"eturns a ser(er name !hen gi(en a globally uni9ue
identifier 18U-)2#
1=
failcache repadmin 6failcache YdsaZ
)isplays a list of failed replication lin3s that are
detected by the Gno!ledge Consistency Chec3er
1GCC2#
istg repadmin 6istg YdsaZ Y6(erboseZ
"eturns the computer name of the -ntersite opology
8enerator 1-S82 ser(er for a specified site#
3cc repadmin 63cc YdsaZ Y6asyncZ
;orces GCC to calculate replication topology for a
specified directory ser(er# Ey default% this calculation
occurs e(ery 1? minutes#
latency repadmin 6latency YdsaZ Y6(erboseZ
)isplays the amount of time bet!een replications% by
using the -S8 Geep 'li(e time stamp# he -S8 Geep
'li(e time stamp is not used in forests that are set to
the +indo!s Ser(er 200, forest functional le(el#
-nstead% in those en(ironments% use repadmin
0showutdvec 0latency#
notifyopt repadmin 6notifyopt YdsaZ Naming Context Y6first:VaueZ
Y6subs:VaueZ
)isplays or sets the notification timing settings for
replication of a specified directory partition#
9ueue repadmin 69ueue YdsaZ
)isplays tas3s that are !aiting in the replication 9ueue#
prp "epadmin 6prp YoperationZ !ODC Yadditiona
argumentsZ
)isplays or modified the Pass!ord "eplication Policy
for a read0only domain controller 1"O)C2#
his command is a(ailable only for (ersions of
"epadmin that are included in +indo!s Ser(er 2008%
+indo!s Ser(er 2008 "2% or "emote Ser(er
'dministration ools#
he operation can be view% add% delete% or move# ;or
view% add% and delete% !ODC can be either
!ODC_Name or 1# ;or move% !ODC must be
!ODC_name#
9uerysites repadmin 69uerysites "romSite!DN ToSite#!DN
YToSite$!DN###Z
18
Uses routing information to determine the cost of a
route from a specified site to another specified site or
sites# he ,uerysites parameter does not allo! the
use of alternate credentials# he relati(e distinguished
names that are used in this command are case
sensiti(e#
replicate Synta$ 1
repadmin 6replicate destination_dsa source_dsa
Y6forceZ Y6asyncZ Y6fullZ Y6addrefZ
Synta$ 2
repadmin 6replicate destination_dsa Y6forceZ Y6asyncZ
Y6fullZ Y6addrefZ 6allsources
Starts a replication e(ent for the specified directory
partition bet!een the source and destination directory
ser(ers# Bou can determine the source 8U-) !hen you
(ie! the replication partners by using showrepl#
replsingleob/ repadmin 6replsingleob/ect dsa DsaSourceGUID
O%&ectDN
"eplicates a single ob/ect bet!een any t!o directory
ser(ers that ha(e partitions in common# he t!o
directory ser(ers do not ha(e a replication agreement#
Bou can sho! replication agreements by using the
repadmin 0showrepl command#
replsummary repadmin 6replsummary YdsaZ Y6bysrcZ Y6bydestZ
Y6errorsonlyZY6sort:RdeltaSpartnersSfailuresSerrorSpercentUZ
Summari&es the replication state and relati(e health of
an 'cti(e )irectory forest#
rodcp!drepl repadmin 6rodcp!drepl YDS'_istZ (u% DC User# DN
YUser$ DN User) DNZ
riggers replication of pass!ords for the specified
users from the source (u% DC to one or more "O)Cs#
his command is a(ailable only for (ersions of
"epadmin that are included in +indo!s Ser(er 2008%
+indo!s Ser(er 2008 "2% or "emote Ser(er
'dministration ools#
sho!attr repadmin 6sho!attr dsa YO*+_LISTZ
YO*+_LIST_O,TIONSZ Y6attrS6attrs: attri%ute attri%ute ###Z
Y6all(aluesZ Y6longZ Y6nolongblobZ Y6nolongblobZ
Y6nolongfriendlyZ Y6dumpallblobZ
17
he 0showattr operation displays the attributes and
contents of an ob/ect#
sho!cert repadmin 6sho!cert dsa
)isplays the certificates 1used !ith Simple Mail
ransfer Protocol 1SMP2[based replication2 that are
loaded on a specified directory ser(er#
sho!changes Synta$ 1
repadmin 6sho!changes source_dsa Naming Context
Y6coo3ie: "ieZ Y6atts: attri%ute#%attri%ute$%###Z
Synta$ 2
repadmin 6sho!changes dest_dsa
SourcedsaO%&ectGUID Naming Context Y6(erboseZ
Y6statisticsZ Y6noincrementalZ Y6ob/ectsecurityZ
Y6ancestorsZ Y6atts: attri%ute#%attri%ute$%###Z Y6filter: dap
-iterZ
)isplays changes from a specified directory partition or
changes to a specified ob/ect# \Synta$ 1\ sa(es
changes to a directory partition# -f this information is
sa(ed to a file% you can run the getchanges operation
again for comparison# \Synta$ 2\ lists changes to a
specified ob/ect# ;or this command to run properly% the
account under !hich the command is run must
possess the replication get changes right on the
specified directory partition#
sho!conn repadmin 6sho!conn YdsaZ YServer!DN S ContainerDN
S dsa_GUIDZ Y6;rom:Server!DNZ Y6intersiteZ
)isplays the connection ob/ects for a specified
directory ser(er# he default is local site#
sho!ct$ repadmin 6sho!ct$ YdsaZ Y6nocacheZ
)isplays a list of computers that ha(e opened sessions
!ith a specified directory ser(er#
sho!ism repadmin 6sho!ism YTransportDNZ Y6(erboseZ
Hueries the -ntersite Messaging Ser(ice 1-SM2 for site
routes# his operation cannot be e$ecuted remotely#
sho!msg repadmin 6sho!msg R.in)$/rror S DS/ventID S
NTDS0SGU
)isplays the error message for a gi(en error number#
sho!ncsig repadmin 6sho!ncsig YdsaZ
20
4ach directory ser(er maintains a directory partition
signature list# his command displays a list of the
remo(ed application partition 8U-)s# Bou can
configure an application directory partition to be held or
not held on a particular directory ser(er by using
ntdsutil 1for 'cti(e )irectory2#
sho!ob/meta repadmin 6sho!ob/meta YdsaZ O%&ectDN Y6nocacheZ
Y6lin3edZ
)isplays the replication metadata for a specified ob/ect
that is stored in the directory% including attribute -)%
(ersion number% originating and local update se9uence
number 1USA2% and originating ser(er]s 8U-) and )ate
and ime stamp# +hen you compare the replication
metadata for the same ob/ect on different directory
ser(ers% you can determine !hether replication has
occurred#
sho!outcalls repadmin 6sho!outcalls YdsaZ
)isplays calls that ha(e been made by the specified
directory ser(er to other directory ser(ers but not yet
ans!ered#
sho!pro$y Synta$ 1
repadmin 6sho!pro$y YdsaZ YNaming ContextZ
YmatchstringZ
Synta$ 2
repadmin 6sho!pro$y YdsaZ YO%&ectDNZ
YmatchstringZ 6mo(edob/ect
.ists cross0domain mo(e pro$y ob/ects# +hen an
ob/ect is mo(ed from one domain to another% a mar3er
remains in the original domain# his mar3er is called a
pro$y#
sho!repl repadmin 6sho!repl YdsaZ YSourceDCO%&ectGUIDZ
YNaming ContextZ Y6(erboseZ Y6nocacheZ Y6repstoZ
Y6connZ Y6cs(Z Y6allZ Y6errorsonlyZ Y6intersiteZ
)isplays replication information# -nbound replica lin3s
are displayed by default# Outbound lin3s can also be
sho!n% as !ell as connections corresponding to those
lin3s# he command also displays errors that
correspond to replica lin3s that cannot be created by
GCC# his helps an administrator build a (isual
representation of the replication topology and see the
21
role of each directory ser(er in the replication process#
sho!cig repadmin 6sho!sig YdsaZ
)isplays the retired in(ocation -)s on a directory
ser(er# ' directory ser(er changes its in(ocation -)
!hen it is restored or !hen it rehosts an application
partition#
sho!time repadmin 6sho!time YDSTimeVaueZ
Con(erts a directory ser(ice time (alue to string format
for both the local and the UC time &ones#
sho!trust repadmin 6sho!trust YdsaZ
.ists all 'cti(e )irectory domains that are trusted by a
specified 'cti(e )irectory domain#
sho!utd(ec repadmin 6sho!utd(ec dsa Naming Context Y6nocacheZ
Y6latencyZ
)isplays the highest USA for the specified directory
ser(er# his information sho!s ho! up to date a replica
is !ith its replication partners#
sho!(alue repadmin 6sho!(alue YdsaZ O%&ectDN Y'ttri%uteNameZ
YVaueDNZ Y6nocacheZ
)isplays the (alues of the type% last modified time%
originating directory ser(er% and distinguished name of
a specified ob/ect#
syncall repadmin 6syncall dsa YNaming ContextZ Y"agsZ
Synchroni&es a specified directory ser(er !ith all
replication partners# his command contains se(eral
subcommands% !hich are described in the usage
scenarios#
Ey default% if no directory partition is pro(ided in the
NamingContext parameter% the command performs its
operations on the configuration directory partition#
(ie!list repadmin 6(ie!list YdsaZ YO*+_LISTZ
)isplays a list of directory ser(ers#
oldhelp )isplays a list of the operations that ha(e been
deprecated in this (ersion of repadmin#
Repadmin 0listhelp
22
'rguments >alues )escription
)CX.-S VTW 'll domain controllers in the
enterprise
)CXAame See under )CXA'M4 argument
Part0ser(erXnameT +ould pic3
\partXser(erXnameXdcX01\ and
\partXser(erXnameXdcX02\ but
not ser(er
\partXser(erXdiffXname\#
Site:site_name 'll domain controllers in the
specified site#
8c: 'll global catalog ser(ers in the
enterprise#
;smoX-smo_t1pe:-smo_dn See under ;SMOXBP4
;SMOXBP4 ypes of operations master 1also
3no!n as fle$ible single master
operations or ;SMO2 role holders
re9uire different base
distinguished names or relati(e
distinguished names#
;smoXdnm: 4nterprise0!ide ;SMO^ does not
ta3e any distinguished name 1also
3no!n as )A2#
;smoXschema: 4nterprise0!ide ;SMO^ does not
ta3e any distinguished name#
;smoXpdc: )omain0specific ;SMO^ ta3es the
distinguished name of the domain
that the user specifies#
;smoXrid: )omain0specific ;SMO^ ta3es the
;smoXim: )omain0specific ;SMO^ ta3es the
;smoXistg: Site0specific 9uasi0;SMO^ ta3es
the relati(e distinguished name of
the site#
2,
)CXA'M4
V#W ells repadmin to try to pic3 a
domain controller for you#
Ser(erXdns Specifies a ser(er by )AS#
)cXdsaXguid Specifies a specific ser(er by its
)irectory System 'gent 1)S'2
8U-)#
Ser(erXob/Xrdn Specifies a ser(er by its ser(er
ob/ect relati(e distinguished name
1usually the same as its AetEios
name2#
)saXdn Specifies a ser(er by the
distinguished name of its )S'
ob/ect#
OELX.-S
Acob/:ACXA'M4 Specifies the use of the
distinguished name of AC @ead
that is specified in ACXA'M4#
)saob/: Specifies the use of the
distinguished name of the )S'
that repadmin is connected to#
ACXA'M4 Config: Configuration directory partition#
Schema: Schema directory partition#
)omain: )omain directory partition for the
domain of the domain controller
that repadmin is running against#
OELX.-S OP-OAS R6onele(el S 6subtreeU 6filter:
Rdap_-iterU
+ith these options% you can use
the showattr and viewlist
commands to co(er a list of
ob/ects% instead of /ust a single
ob/ect#
C#( ormat
he output that repadmin 0showrepl returns can be difficult to na(igate !hen you are
troubleshooting replication errors or (ie!ing replication topology in a large enterprise# here is a
ne! feature 10C#(2 that you can use to force 0showrepl output to print in a tightly constrained
2:
comma0separated0(alue 1CS>2 format for programmatic manipulation or 9uic3 import and
correlation in 4$cel#
he CS> format is also an effecti(e !ay to e$change repadmin outputs because it is not prone
to user errors#
o generate output as a #cs( 1comma0delimited2 file% perform the follo!ing steps:
1# Open a command prompt% type the follo!ing command% and then press 4A4":
repadmin /showrepl <!"N#$%> /csv > &epl'csv
2# Open "epl#cs(% and then delete or hide column A and both RPC and #MTP columns#
,# Select ro! 2# Clic3 (iew% and then clic3 /ree3e Panes#
:# @ighlight the column heading ro!# Clic3 Data% point to /ilter% and then clic3 Auto/ilter#
?# Clic3 the drop0do!n arro! to display replication status based on your situation#
/igure 2!4!5
Repadmin Usage #cenarios
his section includes e$planations and e$amples for the follo!ing usage scenarios:
Monitor ;orest0+ide "eplication
)isplay "eplication Partners and Status of a )omain Controller
"eplication .atency
>ie! "eplication Metadata of an Ob/ect
)isplay the 'ttributes of a Specific Ob/ect
@o! Up to )ate 're My )omain ControllersC
Can - .oo3 at My Connection Ob/ects and Schedule )etailsC
;ine0uning Change Aotification >alues
;orcing "eplication
Geeping rac3 of Changes hat @a(e Occurred O(er a Period of ime
Usage of "epadmin +hen roubleshooting 4(ent -) 1,11
2?
Subcommands Aot Co(ered Under the Pre(ious Scenarios
Oldhelp
Monitor /orest+6ide Replication
Maintaining the health of enterprise0!ide directory replication is (ery important so that the users%
ser(ices% machines% and applications that rely on it can operate successfully# he
+indo!s Ser(er 200, (ersion of repadmin has enhanced functionality that ma3es it easier to
monitor forest0!ide directory replication and it is compatible !ith +indo!s 2000 domains#
Repadmin 0replsummary summari&es the replication state and relati(e health of an
'cti(e )irectory forest by in(entorying and contacting e(ery domain controller in the forest%
collecting information such as replication deltas and replication failures#
-t !ill also identify any domain controllers that could not be contacted and !ould report the failure
reason 1for an e$ample% see ;igure ,#1#:2#
#ynta.
&epadmin /replsummar( <!")*+,> [/b(src] [/b(des-] [/errorsonl(] [/sor-:{del-a | par-ners
| .ailures | error | percen-}]
Parameters )efinition
<DC_LIST> Specifies the host name of a domain controller
or a list of domain controllers separated by a
space that the ob/ect !ill be replicated to# ;or
details about <DC_LIST>% see repadmin
0listhelp#
0bysrc Sho!s the output of repadmin 0replsummary%
from the perspecti(e of the replication source
1outbound domain controller2% in the form of a
table# his means that a gi(en source directory
ser(er is \pulled on\ by multiple client domain
controllers# he table is sorted in order of the
source domain controllers that are ha(ing the
most problems% across all the clients in the
configuration set# his parameter does not
display the destination domain controller#
0bydest Sho!s the output of repadmin 0replsummary%
from the perspecti(e of the replication
destination% in the form of a table# his means
that a gi(en replication destination 1inbound
domain controller2 is pulling the changes from
2<
one or more replication source1s2# he table
sho!s the inbound domain controllers and !hat
problems they are ha(ing !ith their partners#
he table is sorted in order of the inbound
domain controllers that are ha(ing the most
problem !ith inbound replication% across all the
possible partners in the configuration set# his
parameter does not display the source domain
controller#
0errorsonly Sho!s only the domain controllers !here the
partner error is not &ero#
0sort78delta 9 partners 9 ailures 9 error 9
percent:
Sorts the replsummary table by the specified
column heading#
he 0bysrc and 0bydest parameters may be specified at the same time# -f they are
specified at the same time% repadmin displays the 0bysrc table first and the 0bydest table
ne$t# -f the parameters 0bysrc and 0bydest are both absent% repadmin pic3s the best one
and displays the one !ith the least number of partner errors#
#imple usage o repadmin 0replsummary
/igure ;!5!5
"otes
2=
<ow to interpret the output
he output of repadmin 0replsummary is organi&ed by destination and source domain
controllers# Bou should focus on the destination domain controllers first% because the replication
model is pull0based# "eplication bet!een domain controllers does not use a \push\ mechanism# -f
the replication is !ithin a site% a domain controller 1)C12 notifies another domain controller 1)C22
that it has updates% and then the )C2 pulls the updates from )C1# -f the replication is bet!een
sites% a domain controller re9uests updates at a scheduled time and if updates are a(ailable% the
domain controller pulls the updates from a domain controller in the other site#
;ields of interest )efinition
_## 4ach dot after the first three represents a
domain controller% !ith not more than ?0 dots
per line# So% if you ha(e t!o lines full of dots% it
indicates 7= domain controllers 11000,2#
-n figure ,#1#1% there are nine dots% !hich
relates to si$ domain controllers 170,2#
)estination )C "eplication destination# ' single destination
might be pulling data from one or more sources#
-n figure ,#1#1% !e are focusing on "OO)C01#
Source )C "eplication source# Multiple destinations might
be pulling from a single source#
-n figure ,#1#1% !e do not yet 3no! the source
domain controller#
.argest delta )enotes the longest replication gap amongst all
replication lin3s for a particular domain
controller#
-n figure ,#1#1% the largest delta is :?m::=s#
otal "eplica lin3s for a particular domain controller
1one for each naming conte$t on each domain
controller2# Please note that this is not the
connection ob/ects or replication partners per
domain controller#
-n figure ,#1#1% !e ha(e se(en replication lin3s#
;ails otal number of replica lin3s failing to replicate
for one reason or the other# his !ill ne(er be
greater than the otal field#
Ao failures in our e$ample#
Percentage Percentage of failures in relation to the total
replica lin3s on the domain controller#
28
<ow to ma=e more sense o some o the ields
+e ran repadmin 0showrepl against "OO)C01 to get detailed replication status# 'l!ays focus
on inbound neighbors because replication is inbound#
-f you notice ;igure ,#1#1% the time replsummary ta3en !as 22:,<:,0# Ao!% if you loo3 at the
schema naming conte$t replication time% 21::7::: from figure ,#1#2% the difference is :?m::=s%
!hich relates to the largest delta#
-nterestingly% :? minutes is relati(ely high in our e$ample because our partners belong to
the same site# his is because the default periodic replication fre9uency is once per hour
!ithin a site and because the schema naming conte$t did not ha(e any changes% periodic
replication too3 place only at 21::7::: as opposed to other partitions that replicated in
response to change notifications from its partners#
+e also see se(en replica lin3s% one for each naming conte$t on each domain controller#
/igure ;!5!2
Common actors that inluence the largest delta ield
Periodic intrasite replication fre9uency#
-ntersite replication schedule and fre9uency#
27
"edundant replication paths !ith staggered replication schedules#
-ntrasite and intersite change notifications^ first and subse9uent replication notification
delay (alues#
6here do R>PADMI" 0R>P)#UMMAR? read replication status
inormation@
Similar to 0showrepl% Repadmin 0replsummary gathers this information from the Reps+
rom and Repsto multivalued attributes stored at the root of each directory partition replica
1also 3no!n as naming conte$ts2 stored on the domain controller# -t is local to the domain
controller and not replicated#
he Repsrom attribute contains configuration and persistent state information
associated !ith inbound replication from each source replica of that directory partition#
he Repsto attribute contains outbound change notification partners# ypically this list
!ould be your intrasite partners#
6ild card and other parameter usage
he follo!ing e$ample uses a !ildcard character to sho! the replication summary for all of the
domain controllers in the forest that ha(e a name that begins !ith `"OOI#
/igure ;!5!;
-f there are no inbound partners for a gi(en domain controller% none !ould be listed under
the )estination )C list# Similarly% if there are no outbound partners for a gi(en domain
controller% none !ould be listed under the Source )C list#
So it is important to tally the total number of domain controllers in the forest and compare
that against the )estination )C and Source )C lists to achie(e an accurate (ie!# Repadmin
0viewlist 1 should list all the domain controllers in the forest#
Important
,0
't this time of !riting% the total number of replication lin3s that !ould be reported in the
replsummary output is limited to 777#
-f the replication destination has ne(er replicated from the source% the largest delta !ould
report as un=nown#
Replsummary reporting ailures
he follo!ing e$ample reports replication failure and a domain controller that could not be
reached% !ith the error codes and reasons#
/igure ;!5!4
!:/>ne- helpms0 12
,he speci.ied server canno- per.orm -he re-urned opera-ion'
!:/>ne- helpms0 3455
,he &P! server is unavailable'
-n our e$ample% the follo!ing occurred:
+e could not reach E"'AC@2 and hence the error ?8#
V"PC ser(er is una(ailableW being reported by E"'AC@0@UE0E@ co0relates to the abo(e
finding# -t could mean that E"'AC@2 domain controller is either do!n or not reachable due
to communication lin3 problem#
+e also used 0homeserver7rootdns to demonstrate that sometimes you ha(e to specify
a ser(er 16homeser(er:Odomain controller nameP2 if you are not running the command from a
domain controller#
,1
Display Replication Partners and #tatus o a
Domain Controller
+hen troubleshooting replication errors% it is helpful to 3no! !ho are the replication partners of a
specific domain controller and the status of replication !ith each of those partners#
Repadmin 0showrepl displays the replication partners 1Reps/rom and RepsTo2 for each
naming conte$t that is held on the specified domain controller# Ey enumerating each Reps/rom
and each RepsTo for each domain controller% you can (isuali&e the replication topology for each
naming conte$t#
-t also indicates !hether the domain controller is also a global catalog ser(er# -nbound replica
lin3s are displayed by default# Outbound lin3s can also be sho!n% as !ell as connections that
correspond to those lin3s# he command also displays errors that correspond to replica lin3s that
cannot be created by the Gno!ledge Consistency Chec3er 1GCC2# his helps the administrator
build a (isual representation of the replication topology and see the role of each directory ser(er
in the replication process#
#ynta.
&epadmin /showrepl <!")*+,> <+ource!6b7ec-8U*> [Namin0!on-e9-] [/verbose] [/nocache]
[/reps-o] [/conn] [/csv] [/all] [/errorsonl(] [/in-ersi-e]
space that the ob/ect !ill be replicated to# See
abo(e for detailed synta$# ;or details about
<DC_LIST>% see repadmin 0listhelp#
SourceDCO%&ectGUID Specifies the uni9ue he$adecimal number that
identifies the ob/ect !hose replication e(ents
!ill be listed#
"amingConte.t Specifies the distinguished name of the
directory partition#
0verbose .ists detailed information#
0nocache Specifies that globally uni9ue identifiers
18U-)s2 are left in he$adecimal form# Ey
default% 8U-)s are translated into strings#
0repsto .ists the directory ser(ers that pull replication
information from the specified directory
partition# o see the outbound neighbors%
,2
specify 0repsto or 0all#
0conn )isplays the connection ob/ects that are
associated !ith each lin3#
0csv )isplays the output of the repadmin 0showrepl
operation in a Comma Separated >ariable
1CS>2 format for (ie!ing and analysis in
Microsoft 4$cel# "epadmin supports redirection
of screen output to a file#
0all )isplays all replication partners#
0errorsonly Only sho!s the partnership if it has an error
associated !ith it#
0intersite Only sho!s this partnership if the source ser(er
belongs to a different site than the site of the
ser(er on !hich the command is being run#
#how replication partners and replication status
he follo!ing e$ample uses the showrepl operation of repadmin to display the replication status
of "OO)AS in relation to its partners# -n our e$ample% there are no problems reported because
replication is running properly# here is lot of information one could gather from this output and
please read the comments ne$t to each line e$plaining !hat it means#
;igure ,#2#1
!:/>repadmin /showrepl roo-dns
:U;/&66,N+ <+i-e name and domain con-roller name=
! 6p-ions: *+"8! <! 6p-ions=
+i-e 6p-ions: <none= <+i-e op-ions=
! ob7ec- 8U*: >4?cd1dd@e51e@A2B4@acd5@4c2?B3?53155 <8U* o. N,+ se--in0s=
! invoca-ion*: >4?cd1dd@e51e@A2B4@acd5@4c2?B3?53155 <a-abase si0na-ure=
CCCC *N;6UN N%*8:;6&+ CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
!Ccon-osoD!Ccom <Namin0 !on-e9-=
:U;/&66,!>3 via &P! <&eplica-ion linE=
! ob7ec- 8U*: 5aB5.44?@?c>.@AcbA@a333@.1dcdAA4a.?c <8U* o. replica-ion par-ner=
)as- a--emp- F 5>>1@>3@>1 >3:>A:GA was success.ul' <+-a-us o. las- replica-ion=
,,
!NC!on.i0ura-ionD!Ccon-osoD!Ccom <Namin0 !on-e9-=
! ob7ec- 8U*: 5aB5.44?@?c>.@AcbA@a333@.1dcdAA4a.?c <8U* o. replica-ion par-ner=
)as- a--emp- F 5>>1@>3@>1 >3:>3:G3 was success.ul' <+-a-us o. las- replica-ion=
:U;/;&#N!:@:U;@;: via &P! <&eplica-ion linE=
! ob7ec- 8U*: B>B>b4ce@1Ga?@AaAA@B3b.@b1>ed5G5be1G
)as- a--emp- F 5>>1@>3@>1 >3:>3:AA was success.ul'
!NC+chemaD!NC!on.i0ura-ionD!Ccon-osoD!Ccom <Namin0 !on-e9-=
:U;/;&#N!:@:U;@;: via &P! <&eplica-ion linE=
! ob7ec- 8U*: B>B>b4ce@1Ga?@AaAA@B3b.@b1>ed5G5be1G
)as- a--emp- F 5>>1@>3@>1 >>:1G:GA was success.ul'
! ob7ec- 8U*: 5aB5.44?@?c>.@AcbA@a333@.1dcdAA4a.?c
)as- a--emp- F 5>>1@>3@>1 >>:1G:GA was success.ul'
-n the output under -AEOUA) A4-8@EO"S% repadmin#e$e sho!s the .ight!eight )irectory
'ccess Protocol 1.)'P2 distinguished name of each directory partition for !hich inbound
directory replication has been attempted% the site and name of the source domain controller% and
!hether it succeeded or not% as follo!s:
.ast attempt D BBBB0MM0)) @@:MM#SS !as successful#
.ast attempt D YAe(erZ !as successful#
-f repadmin#e$e reports any of the follo!ing conditions% further in(estigation is re9uired:
he last successful inter0site replication !as prior to the last scheduled replication#
he last intra0site replication !as longer than one hour ago#
"eplication !as ne(er successful#
)C Ob/ect 8U-) is a reference point used in the 'cti(e )irectory and )omain Aame System
1)AS2 to locate a domain controller primarily for the purposes of replication# his 8U-) is
automatically generated for each domain controller% is uni9ue !hen created% and !ill not be
duplicated#
)C in(ocation-) [ 'cti(e )irectory database has its o!n 8U-)% !hich the )irectory System
'gent 1)S'2 uses to identify the database instance 1(ersion of the database2# he database
8U-) is stored in the invocationId attribute on the n)S)S' ob/ect# 'lthough the )S' 8U-)
ne(er changes for the lifetime of the domain controller% the 'cti(e )irectory database 8U-) 1also
3no!n as the in(ocation -) or database signature2 is changed during the 'cti(e )irectory restore
process to ensure the consistency of the replication process# -n +indo!s Ser(er 200,% it changes
!hen application directory partitions are remo(ed or added to the domain controller#
,:
Using repadmin 0showrepl to display detailed and
precise inormation
he follo!ing showrepl output is returned by combining <Naming Context> and 0verbose#
/igure ;!2!2
;or t!o domain controllers to engage in replication% they ha(e to first resol(e each otherIs 8U-)
CA'M4 to a host name and the host name to an -P address% such as the follo!ing:
/igure ;!2!;
2aA2BBC+CcD+4cb4+a555+'dcd44BaCc!Emsdcs!contoso!com is the 8U-) C"AM>
registration in )AS#
/igure ;!2!4
,?
<igh+watermar= value
he high0!atermar3 (alue is not re9uired for any administrati(e tas3# @o!e(er% it can help you
deduce the state of progress on that replication lin3# Bou can see the high0!atermar3 in the
output of the repadmin 0showrepl 0verbose command in ;igure ,#2#2# .oo3 for lines that begin
!ith USAs:# he high0!atermar3 USA is the number that is follo!ed by 0OU#
he ob/ect update 1OU2 USA sa(es the position !hen in the middle of a replication cycle# -t stays
the same as the property update 1PU2 !hen replication is not occurring% and increases during a
replication cycle# 't the end of the cycle% the final USA replicated becomes the PU (alue and the
OU is left to match# hus% the OU indicates progress !ithin a cycle% and the PU indicates the last
update seen at the conclusion of a successful cycle# ' PU of &ero means that the lin3 has ne(er
completed a successful cycle% as is the case !hen performing its first synchroni&ation on a ne!
domain controller connection# -f the OU and PU are not e9ual% it means a replication cycle is in
progress#
he follo!ing table lists nbrlagoptions% !hich are flags that define e$pected replication actions
!ith its partner#
Abrflagoptions Meaning
+"-4'E.4 he local copy of the naming conte$t is !ritable#
SBACXOAXS'"UP "eplication of this naming conte$t from this
source is attempted !hen the destination ser(er
is booted# his normally only applies to intrasite
neighbors#
)OXSC@4)U.4)XSBACS Perform replication on a schedule# his flag is
normally set unless the schedule for this
naming conte$t6source is \ne(er%\ that is% the
empty schedule#
#howing outbound neighbors
Ey default% repadmin 0showrepl does not display outbound neighbors% as !ith pre(ious (ersions#
he 0repsto parameter pro(ides this feature% as sho!n in ;igure ,#2#?#
,<
/igure ;!2!'
#ome o the repadmin 0showrepl >rror Messages
and their root cause
he follo!ing table lists some repadmin 0showrepl errors and their root cause# he ne$t sections
after the table e$plain some errors in more detail#
"epadmin error "oot cause
Ao -nbound neighbors -f no items appear in the V-nbound AeighborsW
section of the output generated by the
repadmin 0showrepl command% the domain
controller could not establish replication lin3s
!ith another domain controller#
'ccess denied ' replication lin3 e$ists bet!een t!o domain
controllers% but replication cannot be properly
performed#
.ast attempt at Odate 0 timeP failed !ith the
Varget account name is incorrect#W
his problem can be related to connecti(ity%
)AS% or authentication issues#
-f it is a )AS error% the local domain controller
could not resol(e the 8U-)[based )AS name
of its replication partner#
Ao more end point his can be caused because no more end0
,=
points are a(ailable to establish the CP
session !ith the replication partner#
his error can also result !hen the replication
partner can be contacted% but its "PC interface
is not registered# his usually indicates that the
domain controllerIs )AS name is registered but
!ith the !rong -P address#
.)'P 4rror :7 he domain controller computer account might
not be synchroni&ed !ith the Gey )istribution
Center 1G)C2#
Cannot open .)'P connection to local host# he administration tool could not contact
'cti(e )irectory#
'cti(e )irectory replication has been Pre0
empted
'n inbound replication in progress !as
interrupted by a higher priority replication
re9uest% such as a re9uest generated manually
by using the repadmin 0syncall command#
"eplication posted% !aiting# he domain controller posted a replication
re9uest and is !aiting for an ans!er#
"eplication is in progress from this source#
.ast attempt D ne(er !as successful he GCC successfully created the replication
lin3 bet!een the local domain controller and its
replication partner% but because of the schedule
or possible bridgehead o(erload% replication has
not occurred#
' large bac3log of inbound replication must be
performed on this domain controller#
"o inbound neighbors
' Vno inbound neighborW error appears in the repadmin 0showrepl command output !hen one or
more of the follo!ing conditions e$ists:
Ao connection ob/ect e$ists to indicate !hich domain controller1s2 this domain controller
should replicate from# hese connection ob/ects are typically created by the GCC# @o!e(er%
in some en(ironments% administrators ha(e turned off the part of GCC 1-ntersite2 that creates
connection ob/ects for inbound replication from domain controllers in other sites% relying on
manual connections instead#
One or more connection ob/ects e$ist% but the domain controller cannot contact the
source domain controller to create the replication lin3s# -n this case% the GCC logs e(ents
each time it runs 1by default% e(ery 1? minutes2 detailing the error that occurred !hen it
attempted to add the replication lin3s#
,8
4$isting replication lin3s has been inad(ertently deleted in bet!een GCC e$ecutions#
"epadmin in this scenario could be used only to diagnose# he follo!ing table e$plains
subcommand usage that can help you diagnose the problems leading to this situation#
Subcommand )escription
Repadmin 0showrepl >erify replication status#
Repadmin 0showconn >erify !hether a (alid connection ob/ect e$ists
bet!een the source and destination#
Repadmin 0ailcache "esol(e the underlying connection translation
problems# ;or more information about using
Repadmin 0ailcache% see "epadmin
6failcache#
Repadmin 0&CC 4nsure that a connection ob/ect 1'utomatic or
Manual2 has been created properly bet!een the
domain controller and its replication partner#
'nd then force the GCC to run so that the
connection ob/ect is translated to an appropriate
replication lin3#
Active Directory replication has been preempted
+hen 'cti(e )irectory replication has been preempted% an inbound replication in progress !as
interrupted by a higher priority replication re9uest# 'n e$ample of a higher priority replication
re9uest is a re9uest generated manually by using the repadmin 0sync command#
"epadmin in this scenario could be used only to diagnose# he follo!ing table e$plains
subcommand usage that can help you diagnose the problems leading to this situation#
Repadmin 0,ueue Chec3 ho! many inbound synchroni&ations are
in the 9ueue#
)ast attempt F never was successul
.ast attempt D ne(er !as successful error typically indicates that GCC successfully created the
replication lin3 bet!een the local domain controller and its replication partner% but because of the
schedule or possible bridgehead o(erload% replication has not occurred#
"epadmin in this scenario may be used for both diagnosis and resolution# he follo!ing table
e$plains subcommand usage that can help you diagnose or sol(e the problems#
,7
Repadmin 0,ueue Chec3 ho! many inbound synchroni&ations are
in the 9ueue#
Repadmin 0sync Synchroni&e replication from a source domain
controller#
Access denied
his error indicates that the local domain controller failed to authenticate against its replication
partner !hen creating the replication lin3 or !hen trying to replicate o(er an e$isting lin3# his
typically happens !hen the domain controller has been disconnected from the rest of the net!or3
for a long time and its computer account pass!ord is not synchroni&ed !ith the computer account
pass!ord that is stored in the 'cti(e )irectory of its replication partner#
Replication )atency
here are t!o mechanisms each specific to the underlying operating system functionality to
measure replication latencies# "epadmin could be used against both en(ironments based on the
follo!ing table#
+indo!s 2000 functionality +indo!s Ser(er 200, functionality
0latency pro(ides you replication latency report
by measuring ho! recently the -ntersite
opology 8enerator 1-S82 attribute has
changed#
0showutdvec pro(ides you replication latency
report by le(eraging a ne! field stored in the
Up0o0)ateness 1U)2 (ector [ Vlast successful
replication timestamp#W
Aote that this report ceases to gi(e meaningful
results !hen the forest functional le(el is
+indo!s Ser(er 200, because the
inter#iteTopology*enerator on the "TD#
site settings obGect is not updated at that
functional le(el#
0showutdvec pro(ides you replication latency
report by le(eraging a ne! field stored in the
U) (ector [ Vlast successful replication
timestamp#W
his timestamp records the last time the
corresponding domain controller completed a
successful replication cycle !ith its partner# he
replication cycle may ha(e occurred directly
1direct replication partner2 or indirectly
1transiti(e replication partner2#
.atency is sho!n for configuration naming
conte$t only#
Eecause this data is recorded on all domain
controllers that host the partition% it is possible
:0
to identify non0replicating domain controllers
from any domain controller in the forest that has
a common partition bet!een them#
#ynta.
he follo!ing command displays the amount of time bet!een replications on a site by site basis
from the perspecti(e of the ser(ers listed in <DC_LIST>% using the -S8 Geep 'li(e time stamp#
he -S8 Geep 'li(e time stamp is the mechanism used in +indo!s 2000 to determine
!hether a ne! -S8 is re9uired for the site# Prior to +indo!s Ser(er 200,% all -S8s !ill
record a time stamp e(ery ,0 minutes to indicate they are ali(e# 'fter this gets replicated
!ithin the site% all of the domain controllers in the site 3no! !hether an -S8 is do!n or
not by (erifying this attribute% !hich is stored in 'cti(e )irectory#
repadmin 0latency <DC_LIST>
/igure ;!;!5
<ow to interpret the data
-n this e$ample% the forest has only four sites#
;ield 4$planation
Origination site his column has a ro! for each site in the forest
>er >ersion number for site specific
inter#iteTopology*enerator
ime .ocal Update .ocal time !hen the remote -S8 attribute
change !as replicated in#
ime Orig# Update ime !hen the -S8 attribute !as changed on
"ote
:1
the originating ser(er#
.atency )ifference bet!een the ime Orig# Update and
ime .ocal Update
Since .ast )ifference bet!een the ool e$ecution time and
ime .ocal Update
4$amining the U) (ector from time to time on one bridgehead ser(er is another good !ay to
ensure that replication is healthy# he 1U)2 (ector sho!s the last time that a domain controller
has recei(ed updates from each replication partner for a particular naming conte$t# he U)
(ector is transiti(e in that one domain controller does not ha(e to tal3 directly to another domain
controller to recei(e an update from it#
repadmin /showu-dvec <!")*+,> <Namin0!on-e9-> [/nocache][/la-enc(]
details about )CX.-S% see repadmin 0listhelp#
<NamingContext> Specifies the distinguished name of the
0nocache Specifies that globally uni9ue identifier 18U-)s2
are left in he$adecimal form# Ey default% 8U-)s
are translated into strings#
0latency Sorts the information by the time re9uired to
complete the replication# Ey default% the
information is sorted by Update Se9uence
Aumber 1USA2#
:2
/igure ;!;!2
-n ;igure ,#,#2% there are four sites% t!o domains and si$ domain controllers in the forest#
he output is a list of dates and times indicating the last time that inbound replication of
the configuration container occurred from each domain controller# -f an e$cessi(e amount of
time has passed since replication last too3 place it could indicate a problem and there is
reason to be concerned#
he entries are listed by domain controller and the 0latency parameter sorts the output by
date6time#
's gi(en in the e$ample% occasionally 8U-)Is !ill be displayed instead of a domain
controllerIs name# -t is safe to ignore the 8U-) entries as these are a result of -n(ocation-)
changes or domain controllers being demoted or rebuilt and do not affect the health of the
topology#
@UEQ"OO)AS !ill al!ays report the current date and time and the highest committed
USA# he reason is that a domain controller does not 3eep itself in its o!n U)>4C and
al!ays builds its entry on the fly based on the current state#
.atency from the perspecti(e "OO)AS is the difference bet!een its current date6time
!ith respect to other partners 1direct or transiti(e2 for the gi(en Aaming Conte$t# ;or e$ample%
latency bet!een "OO)AS and E"'AC@1 is 00:2::1=#
Display the latency only or the domain partition
/igure ;!;!;
:,
-n this e$ample% !e are only interested in the domain naming conte$t latency# Eoth the domain
controllers are running +indo!s Ser(er 200, and reside in the same site^ hence the latency is
less than a minute# 'lso please note that !e are only displaying the domain members and not the
!hole forest due to the scope of the naming conte$t#
+hile it is important to measure replication latencies% it is e9ually important to understand that
intersite replication depends on many factors such as:
Site lin3 schedules and inter(als
'(ailability of bridgehead ser(ers and their load
+hether change notifications are enabled
.'A6+'A infrastructure
(iew Replication Metadata o an ObGect
)isplays the replication metadata for a specified ob/ect stored in 'cti(e )irectory% such as
attribute -)% (ersion number% originating and local Update Se9uence Aumber 1USA2% and
originating ser(er]s globally uni9ue identifier 18U-)2 and date and time stamp# Ey comparing the
replication metadata for the same ob/ect on different domain controllers% an administrator can
determine !hether replication has occurred#
#ynta.
repadmin /showob7me-a <!")*+,> <6b7ec-N> [/nocache] [/linEed]
Parameters )efinitions
O)CX.-SP Specifies the host name of a domain controller
OOb/ect)AP Specifies the distinguished name of the ob/ect#
0nocache Specifies that 8U-)s are left in he$adecimal
form# Ey default% 8U-)s are translated into
strings#
0lin=ed )isplays metadata associated !ith% but not
stored !ith% the specified ob/ect#
::
>.ample 57 Metadata o a group obGect
-n this e$ample% !e are (ie!ing the metadata of a group ob/ect 1)omain 'dmins2 and therefore
the for!ard lin3s 1members2 are listed as !ell#
/igure ;!4!5
>.ample 27 Comparing replication metadata o a
user obGect between two domain controllers
' domain administrator has restricted user .eeIs logon hrs# .ee claims he could still log on during
restricted hours from E"'AC@, as opposed to other branch offices# he domain administrator
could easily figure !hether this is related to 'cti(e )irectory replication latencies by comparing
the replication metadata of .eeIs account#
:?
/igure ;!4!2
;igure ,#:#2 is the metadata of .ee from @UE domain controller 1!here the change !as made2
and ;igure ,#:#, is the metadata from the E"'AC@, domain controller# he attribute
logon<ours has been highlighted for clarity#
E"'AC@0@UE0E@ has (ersion 2% last Orig# time6date is 200?00100< 01:17:?7 and Orig#USA as
20<?:#
E"'AC@, is still on (ersion 1% last Orig# time6date is 200?00100< 00:?2:0, and Orig#USA as
20?=8 and hence the logon succeeds in E"'AC@, because that domain controller has not yet
replicated the update#
/igure ;!4!;
Display the Attributes o a #peciic ObGect
he 0showattr operation displays the attributes and contents of an ob/ect#
:<
#ynta.
repadmin /showa--r <!")*+,> <6;H")*+,> <6;H")*+,"6P,*6N+> [/a--s: <<a--3>>D<<a--5>>D''']
[/allvalues] [/lon0] [/dumpallblob]
<O*+_LIST> his parameter ta3es a distinguished name or a
special 3ey!ord that e$pands into a
distinguished name# he 3ey!ords are as
follo!s:
"cobG7conig7 )istinguished name of
the Configuration partition of the domain
controller
"cobG7schema7 )istinguished name of
the Schema partition of the domain
controller
"cobG7domain7 )istinguished name of
the )omain partition of the domain
controller
DsaobG7 A)S settings ob/ect of the
directory ser(er
<O*+_LIST_O,TIONS> he OELX.-SXOP-OA parameter is re9uired
to perform a generic .ight!eight )irectory
'ccess Protocol 1.)'P2 search from the
command line# he parameter re9uires a
Ease)A% !ith the ability to use a search
modifier option# he (alid search modifier
options are as follo!s:
0ilter7Odap_-iterP
0base
0subtree
0onelevel
H0atts7 <att#>%Iatt2J-!!! "eturns only the attributes that are specified#
Separate each listed attribute !ith a comma#
0allvalues ;or an attribute% the tool only displays 20 (alues
unless this flag is specified% in !hich case it
:=
sho!s all (alues#
0long )isplays one (alue per line#
0dumpallblob )umps the E.OE in a default byte0by0byte
format if there is not a friendly formatted
interpretation a(ailable for it#
' E.OE in this conte$t means an attribute that is not a simple type% li3e a string or an
integer# ' E.OE is a comple$ structured type that is stored as binary bytes# o ma3e
sense of the E.OE% a program must interpret it and format it# ' friendly E.OE is a E.OE
that the program 3no!s about and can format in an understandable !ay# he program
has a list of E.OEs that it understands#
>.ample7 Display select attributes
Please note ho! !e specify the naming conte$t as ncob/:domain:
/igure ;!'!5
<ow Up to Date Are My Domain Controllers@
Chec=prop compares properties of specified domain controllers to determine if they are up0to0
date !ith each other# he source domain controller contains the original information that needs to
be chec3ed# he destination domain controller data is compared to the source domain controller
data#
#ynta.
repadmin /checEprop <!")*+,> <Namin0!on-e9-> <6ri0ina-in0!*nvoca-ion*> <6ri0ina-in0U+N>
Parameter )efinition
<DC_LIST> Specifies the host name of a domain controller%
"ote
:8
space# ;or details about <DC_LIST>% see
repadmin 0listhelp#
directory partition on the source domain
controller#
<OriginatingDCInvocationID> Specifies the uni9ue he$adecimal number that
identifies an ob/ect on a source domain
controller# he -n(ocation-) can be retrie(ed by
using the 0showrepl operation#
<OriginatingUSN> Specifies the Update Se9uence Aumber 1USA2
for the ob/ect on the source domain controller#
he USA is for the ob/ect !hose -n(ocation-) is
already listed#
>.ample7 Chec=ing replication latency on the
KRA"C<; domain controller
.atency output re(eals that the highest OriginatingUSA that E"'AC@, has 3no!ledge of for its
@UE site bridgehead ser(er% E"'AC@0@UE0E@% is 5;BL44# -t is also apparent that the last
successful replication attempt !ith this @UE site bridgehead ser(er !as /ust less than ? minutes#
/igure ;!C!5
:7
>.ample7 Comparing how up+to+date other
domain controllers in the enterprise are with
respect to the OriginatingU#"
-n ;igure ,#<#2% note that KRA"C<2 domain controller is not up0to0date !ith the rest of the
domain controllers#
/igure ;!C!2
>.ample7 /urther investigation rom the
perspective o the KRA"C<2 domain
controller
.atency !as calculated for E"'AC@2 !hich re(ealed that it is not a!are of the latest
OriginatingUSA from E"'AC@0@UE0E@ and in fact it is behind by appro$imately 20 minutes#
Eecause the latency in this e$ample is /ust less than 20 minutes 1replication inter(al being ,0
minutes2 it is e$pected to catch up during the ne$t replication cycle#
/igure ;!C!;
?0
Can I )oo= at My Connection ObGects and
#chedule Details@
4(ery domain controller that is also a member of the SBS>O. replica set has to ha(e at least one
inbound connection# Other!ise% 'cti(e )irectory and ;ile "eplication Ser(ice 1;"S2 !ould not
replicate inbound# he 0showconn subcommand is (ery useful to (erify this especially:
+hen you donIt ha(e access to the graphical user interface 18U-2
or
+hen you find it tas30oriented to directly connect to the (arious domain controllers from
the user interface 1U-2 to loo3 at 'cti(e )irectory topology from the perspecti(e of that domain
controller#
he 0showconn subcommand displays the connection ob/ects for a specified domain
controller# he default is the local site#
#ynta.
repadmin /showconn <!")*+,> {<+erver&N> | <!on-ainerN> | <!"8U*>} [/Irom:
<+erver&N>] [/in-ersi-e]
from !here to read the configuration% or a list of
domain controllers separated by a space# ;or
0listhelp#
<Server!DN> Specifies the relati(e distinguished name of a
ser(er#
<ContainerDN> Specifies the distinguished name of a container#
<DC_GUID> Specifies the uni9ue he$adecimal number that
identifies the domain controller# he globally
uni9ue identifier 18U-)2 can be retrie(ed by
using the 0showreps operation#
0intersite )isplays only those connection ob/ects that are
bet!een sites#
>.ample7 #imple usage o 0showconn
;igure ,#=#1 sho!s a simple e$ample of output returned by 0showconn#
?1
C:\>repadmin /showconn branch1
;ase N: !NC;&#N!:3D!NC+i-esD!NC!on.i0ura-ionD!Ccon-osoD!Ccom
CCCCC J!! !6NN%!,*6N 6;H%!,+ CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
!onnec-ion @@
!onnec-ion name : ed1e>d51@becG@A11?@B.32@.5Ac.AeaGa14
+erver N+ name : ;&#N!:3'research'con-oso'com
+erver N name : !NCN,+ +e--in0sD!NC;&#N!:3D!NC+erversD!NC;&#N!:3D!NC+i-esD!NC!
on.i0ura-ionD!Ccon-osoD!Ccom
+ource: :U;/;&#N!:@:U;@;:
No Iailures'
,ranspor-,(pe: *P
options: isGenerated overrideNo-i.(e.aul-
&eplica-esN!: !ComainnsKonesD!CresearchD!Ccon-osoD!Ccom
&eason: *n-ersi-e,opolo0(
&eplica linE has been added'
&eplica-esN!: !CIores-nsKonesD!Ccon-osoD!Ccom
&eplica-esN!: !NC!on.i0ura-ionD!Ccon-osoD!Ccom
&eplica-esN!: !CresearchD!Ccon-osoD!Ccom
1 connections found.
-n the e$ample in figure ,#=#1% there is only one connection ob/ect for the E"'AC@1 site# -t is also
automatically created 1options: isgenerated2# )epending on the number of connection ob/ects% !e
may ha(e to further 9ualify our 9uery to /ust list !hat !e are interested in such as in the follo!ing
cases:
;igure ,#=#2
repadmin /showconn ;&#N!:3 !NC:U;D!NC+i-esD!NC!on.i0ura-ionD!Ccon-osoD!Ccom
/in-ersi-e /v
Here repadmin contacts BRANCH1 DC and list all the incoming intersite connections for HUB
site with verbose details.
?2
;igure ,#=#,
repadmin /showconn ;&#N!:@:U;@;: ;&#N!:@:U;@;: /.rom:;&#N!:G
Here repadmin contacts the BRANCH-HUB-BH DC which is also located in the HUB site and
displas !"st the connection ob!ect from BRANCH# DC to BRANCH-HUB-BH.
+ith the (erbose s!itch% sho!conn pro(ides you much more information such as the follo!ing:
Connection replication schedule
Partition "eplication Schedule .oading
;igure ,#=#: Connection replication schedule
da(: >35GA1?42Bab>35GA1?42Bab
+un: ........................
$on: ........................
,ue: ........................
Led: ........................
,hu: ........................
Iri: ........................
+a-: ........................
4(ery single number of the abo(e represents one hour of the day as a decimal :0bit (alue# 4ach
single bit represents 1? minutes of this hour#
So if !e ha(e V1W in decimal% then one bit is set in binary 100012 and !e replicate once per hour in
!hich case the output !ill be:
111111111111111111111111
-f the decimal (alue is fi(e 10101 in binary2 !e replicate t!ice per hour% for e$ample:
????????????????????????
;inally if it is ; 111112 !e replicate four times per hour:
;;;;;;;;;;;;;;;;;;;;;;;;
So in our e$ample !e replicate four times per hour for the entire !ee3#
/ine+Tuning Change "otiication (alues
"eplication !ithin a site occurs as a response to changes else!here in the site# "eplication
across sites occurs based on the replication schedule and inter(al# -t is also possible to enable
change notifications across sites#
+hen a change occurs on a domain controller% t!o configurable inter(als determine the delay
bet!een the follo!ing e(ents:
Aotification to the first partner#
Aotification to each subse9uent partner#
he abo(e t!o inter(als ser(e to:
?,
Stagger net!or3 traffic caused by replication#
Spreads out the load of responding to replication re9uests from its partners#
he follo!ing table lists the default notification delays:
Operating system Aotify first
partner 1sec2
Subse9uent
partner 1sec2
;orest functional le(el
+indo!s 2000 ,00 ,0 +indo!s 2000
+indo!s Ser(er 200, 1upgraded
from +indo!s 20002
"ote
-f you changed the
default (alues% then
those (alues that you set
are retained after you
upgrade from
+indo!s 2000 to
+indo!s Ser(er 200,#
,00 ,0 +indo!s 2000
+indo!s Ser(er 200, 1? , +indo!s 2000
+indo!s Ser(er 200, 1either
upgraded from +indo!s 2000 or
a clean install2
1? , +indo!s Ser(er 200,
he follo!ing table lists the storage location of notification delay (alues for each operating
system#
Operating system .ocation 'ttribute
+indo!s 2000 Ser(er @G.MQSBS4MQCSSQSer(icesQA)SQParameters "eplicator
notify pause
after modify
1secs2
"eplicator
notify pause
bet!een
)irectory
System 'gent
1)S's2 1secs2
+indo!s Ser(er 200, Cross0reference ob/ect for each directory partition
in the configuration partition#
ms)S0
"eplication0
Aotify0;irst0
?:
)S'0)elay
ms)S0
"eplication0
Aotify0
Subse9uent0
)S'0)elay
Repadmin 0notiyopt could be used to (ie! or change the notification timing settings of a
specified directory partition in +indo!s Ser(er 200,#
#ynta.
repadmin /no-i.(op- <!")*+,> <Namin0!on-e9-> [/.irs-: Malue] [/subs: Malue]
<DC_List> Specifies the host name of a domain controller%
repadmin 0listhelp!
controller#
0irst he number of seconds after a change is made
before the domain controller notifies its first
replication partner that there is a change#
0subs Once the first replication partner is notified of a
change% the subs parameter specifies the
number of seconds to !ait before notifying the
ne$t replication partner#
>.ample 57 Displaying the deault notiication
delay on the /orestDnsMones partition
/igure ;!L!5
??
>.ample 27 Changing the deaults to ;DD0;D on the
/orestDnsMones
/igure ;!L!2
-n order to ma3e this change% you ha(e to run 0notiyopt against the )omain Aaming
Master# See the highlighted te$t in figure ,#8#2#
/orcing Replication
Sometimes it becomes necessary to forcefully replicate ob/ects and entire partitions bet!een
domain controllers that may or may not ha(e replication agreements
hese are (ery po!erful subcommands and should be used sparingly as they do not
follo! replication agreements that are in place and ha(e the potential to cause replication
storm and brea3 'cti(e )irectory if not used properly#
Replicate a single obGect between two domain
controllers
he repadmin 0replsingleobG command replicates a single ob/ect bet!een any t!o domain
controllers that ha(e partitions in common# he t!o domain controllers do not re9uire a replication
agreement bet!een them# "eplication agreements can be sho!n by using the repadmin
0showreps command#
"ote Important
?<
#ynta.
repadmin /replsin0leob7 <!")*+,> <+ource +#"Name> <6b7ec-N>
0listhelp
<Source DS'_Name> Specifies the name of the source domain
controller# Bou can specify a host name or the
uni9ue he$adecimal number that identifies the
source domain controller# Bou can retrie(e the
ob/ect8U-) by using the 0showreps operation#
<O%&ectDN> Specifies the distinguished name of the ob/ect#
>.ample7 Replicate a single obGect between all the branch
domain controllers by using wild card character
/igure ;!A!5!5
/orce a replication event between two partners
he repadmin 0replicate command starts a replication e(ent for the specified directory partition
bet!een the source and destination domain controllers# he source uni(ersally uni9ue identifier
?=
1UU-)2 can be determined !hen (ie!ing the replication partners by using the 0showreps
operation#
he repadmin 0replicate command !ill not !or3 if the partners do not ha(e the specified
partition in common or replication agreement bet!een them#
#ynta.5
repadmin /replica-e <es-ina-ion"!")*+,> <+ource"!"N#$%> <Namin0 !on-e9-> [/.orce]
[/as(nc] [/.ull] [/addre.] [/readonl(]
#ynta.2
repadmin /replica-e <es-ina-ion"!")*+,> <Namin0 !on-e9-> [/allsources] [/.orce]
[/as(nc] [/.ull] [/addre.] [/readonl(]
<Destination_DC_LIST> Specifies the host name of the destination
domain controller 1)irectory Ser(er 'gent2 !ith
!hich you !ant to replicate# ;or details about
<DC_LIST>% see repadmin 0listhelp!
<Source_DC_N'0/> Specifies the host name of the source domain
controller !ith !hich you !ant to replicate# his
parameter accepts a globally uni9ue identifier
18U-)2% 8U-)0based )omain Aame System
1)AS2 name% or the name of a ser(er ob/ect#
<Naming Context> Specifies the distinguished name of the
0orce his parameter is used to o(erride the )isable
"eplication option on a ser(er#
0async Specifies that the replication !ill be
asynchronous# his means that repadmin starts
the replication e(ent% but it does not e$pect an
immediate response from the destination
domain controller# Use this parameter !hen
there are slo! lin3s bet!een domain
controllers#
0ull ;orces a full replication of all ob/ects from the
destination domain controller#
0addre )irects the source to chec3 for a notification
Important
?8
entry on the source# -f the source does not ha(e
a notification entry for this destination% one is
added#
0allsources ' gi(en destination can ha(e multiple sources
for the same naming conte$t# )irects the
destination to sync !ith all sources instead of
/ust one# his parameter cannot be used !ith
<Destination_DC_LIST>#
0readonly his parameter is ignored by the 0replicate
operation#
>.ample7 replicate in domain partition between two speciic
partners
-n the e$ample in figure ,#7#2#1% !e are attempting to replicate in domain partition bet!een t!o
specific partners# Eut the source domain controller is re/ecting replication re9uests as configured
by the administrator for (alid reasons#
/igure ;EAE2E5
-n the ne$t e$ample% !e run repadmin 0showrepl against the source domain controller
1E"'AC@0@UE0E@2 to read the domain controller options# ;igure ,#7#2#2 highlights that outbound
replication is currently disabled 1)-S'E.4XOUEOUA)X"4P.2#
/igure ;!A!2!2
+e could !or3 around this by using the 0orce s!itch as seen in figure ,#7#2#,# @o!e(er% use
caution you !hen using the force replication feature# he 0orce s!itch is dangerous because it
o(errides any precautions that ha(e been implemented by an enterprise administrator to address
specific business needs# ;or e$ample% in a large forest !ith hundreds of sites connected across
?7
unreliable +'A lin3s% use of the 0orce s!itch to replicate changes across forest might cause a
replication storm 1depending on the changes2 that the +'A could not handle#
/igure ;!A!2!;
/orce a replication event with all partners
the repadmin 0syncall command synchroni&es a specified domain controller !ith all replication
partners#
#ynta.
repadmin /s(ncall <!> [<Namin0!on-e9->] [<Ila0s>]
<DC> Specifies the host name of the domain
controller to synchroni&e !ith all replication
partners#
<"ags> Performs specific actions during the replication#
he follo!ing table lists the flags that you can use !ith repadmin 0syncall#
;lag )escription
6a 'bort if any ser(er is una(ailable#
6' Sync all naming conte$ts !hich are held on the
home ser(er#
6d -dentify ser(ers by distinguished name in
messages#
6e 4nterprise% cross sites
6h Print this help screen#
6i -terate indefinitely#
<0
6l Perform sho!reps on each ser(er pair in path
instead of synchroni&ing#
6/ Synchroni&e ad/acent ser(ers only#
6p Pause for possible user abort after e(ery
message#
6P Push changes out!ard from home ser(er#
69 "un in 9uiet mode% suppress call bac3
messages#
6H "un in (ery 9uiet mode% report fatal errors only#
6s )o not synchroni&e#
6S S3ip initial ser(er response chec3#
Use this command and the abo(e flags cautiously or you can damage the replication
system because this command does not follo! replication agreements nor honor any
replication restrictions such as )-S'E.4X-AEOUA)X"4P. or
)-S'E.4XOUEOUA)X"4P.
>.ample 57 #ynchroni3ing Coniguration Partition within the site
/igure ;!A!;!5
here !ill be t!o callbac3 messages for each partner in figure ,#7#,#1# One reports the progress
and the other reports either success or failure 1!ith e$planation2# 'lso notice that domain
controllers are denoted by their 8U-) CA'M4S as used in replication#
Important
<1
>.ample 27 Crossing site boundaries and other eatures
Ey default% repadmin 0syncall does not cross site boundaries as depicted in figure ,#7#,#2#
E"'AC@0@UE0E@ does not ha(e any domain members in its o!n site for domain
dcKresearch%dcKcontoso%dcKcom# -n this case% use 0e#
/igure ;!A!;!2
-n figure ,#7#,#,% !e are using three additional flags# he 0d flag !ould translate the 8U-)
CA'M4 to the distinguished name of the domain controller# he 0e flag is used to cross site
boundaries# he 0a flag is used to abort if any domain controller is una(ailable# -n this e$ample%
the E"'AC@2 domain controller !as not reachable and therefore% the process !as aborted#
/igure ;!A!;!;
-n figure ,#7#,#:% repadmin 0syncall did succeed because the problem !ith the E"'AC@2
domain controller !as fi$ed# 'lso notice that !e omitted the 0d s!itch so that the 8U-) names are
not translated#
/igure ;!A!;!4
<2
&eeping Trac= o Changes That <ave
Occurred Over a Period o Time
here could be multiple occasions !here !e !ould be interested in finding out the number of
changes that are either pending replication or that ha(e occurred to a specified directory partition
o(er a period of time#
;or e$ample:
Bou may !ant to get statistics of all the changes that ha(e occurred to a domain partition
o(er a period of one day or one !ee3 so that you can use this data to either support or
calculate intersite replication band!idth re9uirements#
his !ill help !ith troubleshooting replication issues and re(ie!ing changes that ha(e not
replicated bet!een t!o partners#
he repadmin 0showchanges command has t!o synta$es that can helpful in these situations#
#ynta.5
repadmin /showchan0es <+ource!> <Namin0!on-e9-> [/cooEie: <Iile>] [/a--s:
<a--ribu-e>D<a--ribu-e>D''']
#ynta.2
repadmin /showchan0es <es-!> <+ource!6b7ec-8U*> <Namin0!on-e9-> [/verbose]
[/s-a-is-ics] [/noincremen-al] [/ob7ec-securi-(] [/ances-ors] [/a--s:
<a--ribu-e3>D<a--ribu-e5>D'''] [/.il-er: <ldap .il-er>]
<DestDC> Specifies the host name of the destination
domain controller from !hich to enumerate the
host domain controllers#
<SourceDC> Specifies the host name of the domain
controller that hosts the directory partition
!hose changes you !ant to (ie!#
0coo=ie7 <"ie> Specifies a name for the file to !hich list
changes are sa(ed#
0atts7 <attri%ute>%<attri%ute>%### "eturns only the attributes specified# Separate
each listed attribute !ith a comma#
<SourceDCO%&ectGUID> Specifies the uni9ue he$adecimal number that
<,
identifies the ob/ect !hose changes !ill be
listed# he ob/ect8U-) can be retrie(ed by
using the 0showreps operation#
0statistics )isplays a summary of information about
changes instead of a list of indi(idual changes#
0noincremental "eturns changes in (alue change format% !hich
lists current (alues for attributes as !ell !ith
attributes that ha(e been added or deleted# -f
not specified% changes are returned in attribute
change format% !hich sho!s only the current
(alue of the attribute#
0obGectsecurity O(errides the need for the 8etChanges right to
the directory partition# Ey default% this right is
necessary to run the *etChanges parameter#
@o!e(er% only changes that the currently
logged on user has the rights to (ie! are
displayed#
0ancestors "eturns changes in Update Se9uence Aumber
1USA2 order#
0ilter7 <dap -iter> "eturns only those changes that meet the filter
re9uirements#
Synta$ 1 can be used to compare changes that occurred to a specified directory partition o(er a
period of time#
he idea here is to:
1# Create a coo3ie file that sa(es changes to a directory partition that could be used for later
comparisons# he first time you use the coo3ie option% it may ta3e a long time 1depending on
the si&e of your partition2 to create the file# -t is important to note that !e store only metadata
about all the changes that ha(e occurred to this coo3ie file on the entire set of domain
controllers#
2# .ater on !hen you present this coo3ie file to any domain controller% it !ill update the
coo3ie file and pro(ide you !ith /ust the change deltas since the last time it !as updated#
<:
>.ample7 Compare changes occurred to
coniguration partition over a period o time
/igure ;!5D!5
Prior to running the sho!changes% a coo3ie file !as created using the follo!ing synta$:
repadmin 0showchanges ! cnNconiguration-dcNcontoso-dcNcom 0coo=ie7conig
"e ran repadmin 0showchanges after some time against another domain controller%
!hich not only displayed the changes but also updated the coo3ie file called conig#
hree ob/ects ha(e been changed# -n our e$ample% all the changes are pertaining to
-ntersite opology 8enerators 1-S8s2# Eecause the forest functional le(el is +indo!s 2000%
!e still update the -S8 Geep 'li(e stamp e(ery ,0 minutes#
Bou could further apply filters to /ust target the partitions and ob/ects of your interest#
Display changes not replicated between two
partners
Synta$ 2% sho!n earlier% is used here to display pending replication changes bet!een partners#
>.ample7 Display pending replication changes $conig partition%
between two replication partners
-n this e$ample 1figure ,#10#1#12% !e ran repadmin 0showchanges to compare the destinations
up0to0date (ector !ith the source and determined that there are t!o outstanding changes for the
configuration partition#
<?
/igure ;!5D!5!5
>.ample7 Usage o a ilter
-n the follo!ing e$ample 1figure ,#10#1#22% !e applied a filter 16filter:\1ob/ectclassKsitelin32W2 to /ust
pro(ide only changes occurred to the sitelin3 ob/ectclass since the last successful replication#
/igure ;!5D!5!2
>.ample7 listing only the summary as opposed to individual
changes
-n the follo!ing e$ample 1figure ,#10#1#,2% the pre(ious changes are listed as summary obtained
by the 0statistics s!itch#
<<
/igure ;!5D!5!;
Usage o Repadmin 6hen Troubleshooting
>vent ID 5;55
Ey all means% this topic is not about ho! to troubleshoot e(ents that ha(e 4(ent -) 1,11# -n this
topic% !e are attempting to e$pose the (arious usage of repadmin !hile troubleshooting 1,11 in
+indo!s 2000 domains based on Microsoft Gno!ledge Ease 1GE2 article ,0=?7,% @o! to
roubleshoot 4(ent -) 1,11 Messages on a +indo!s 2000 Professional )omain
1http:66go#microsoft#com6f!lin36C.in3-dK121=772# Some or all of the repadmin subcommands used
here may be used in +indo!s Ser(er 200, en(ironments as !ell#
he GE article "4SO.U-OA section has the follo!ing action plan# his topic e$amines ho! to
apply the (arious repadmin subcommands against each action plan# 'll of the repadmin
subcommands listed in this topic ha(e associated e$amples either in this section or else!here in
this document#
"esolution steps from the GE article 'ction plan by using repadmin
)etermine if the e(ent -) 1,11 messages are
site0specific or forest0!ide#
o determine the scope of e(ent -) 1,11
messages:
<=
1# ;irst% find all the -nter Site opology
8enerators 1-S82 in the forest#
2# hen% e$amine the )irectory Ser(ice
logs of all the -S8 domain controllers in
the forest#
o determine the -S8Is% use "epadmin 6-S8#
)etermine if site lin3 bridging is turned on and if
the net!or3 is fully routed#
o determine this% use repadmin 0showattr
1)etermine if site lin3 bridging is turned on2#
>erify that all of the sites are defined in site
lin3s#
4(ery site defined in 'cti(e )irectory must be
hosted or reside in a site lin3#
he repadmin 0showism command 1>erify
inter0site cost matri$ and orphaned sites2 is
useful for locating improperly configured sites#
)etect and remo(e preferred bridgeheads# o search for preferred bridgehead ser(ers use
repadmin 0showattr 1)etermine if site lin3
bridging is turned on2#
"esol(e 'cti(e )irectory replication failures in
the forest
+hen you !ant to disco(er and troubleshoot
replication failures% the follo!ing repadmin
subcommands can be useful:
repadmin 0replsummary 1Monitor
;orest0+ide "eplication2
repadmin 0showrepl 1)isplay
"eplication Partners and Status of a
)omain Controller2
"epadmin 6failcache
repadmin 0removelingeringobGects
1+indo!s Ser(er 200, only2
"epadmin 6GCC
)etermine if source ser(ers are o(erloaded# ' domain controller that is o(erloaded !ith a
large number of direct replication partners or a
replication schedule that is o(erly aggressi(e
can create a bac3log in !hich some partners
ne(er recei(e changes from a hub domain
controller# he follo!ing subcommands can be
useful in this situation:
)omain Controller2
"epadmin 69ueue
<8
repadmin 0showct. 1Open sessions
!ith the domain controller2
)etermine if site lin3s are dis/ointed# \)is/oint site lin3s\ is an 'cti(e )irectory
configuration in !hich the topology is bro3en
into t!o or more parts in !hich some sites do
not replicate because site definitions and site
lin3 definitions are incorrect# )is/oint site lin3s
are the most difficult improper configuration to
troubleshoot# he follo!ing subcommands may
be useful in this situation:
"epadmin 69uerysites
repadmin 0showconn 1Can - .oo3 at
My Connection Ob/ects and Schedule
)etailsC2
"epadmin 6GCC
)omain Controller2
)elete connections if the GCC is in \Geep
Connection Mode#\
-f the Gno!ledge Consistency Chec3er 1GCC2
builds a different path around a site0to0site
connection failure% but it retries the failing
connection e(ery 1? minutes because it is in
\connection 3eeping mode%\ delete all bro3en
connections and let the GCC rebuild them# +ait
t!o times the longest replication schedule in the
forest#
Determine i site lin= bridging is turned on
Site lin3 bridging is enabled in 'cti(e )irectory if the follo!ing conditions are true:
he Eridge all site lin3s chec3 bo$ is selected for the -P protocol and the SMP protocol
in the 'cti(e )irectory Sites and Ser(ices snap0in#
he Options attribute for the -P protocol and the SMP protocol is AU.. or set to &ero 102
for the follo!ing distinguished name 1)A2 paths:
CAK-P%CAK-nter0Site ransports%CAKSites%CAKConfiguration%)CKroot domain of forest
CAKSMP%CAK-nter0Site ransports%CAKSites%CAKConfiguration%)CKroot domain of forest
<7
/igure ;!55!5
here are t!o (alues that !e could set from the graphical user interface 18U-2: Ignore
#chedules and Kridge all site lin=s# -n our e$ample 1figure ,#11#12% the -P transport has Kridge
all site lin=s enabled and SMP transport has both (alues selected#
he follo!ing table lists the (arious (alues that the options attribute ta3e#
Option (alue )escription
0N0 Only Kridge all site lin=s is selected from the
abo(e
0N1 Eoth the (alues are selected
0N2 Aone selected
0N, Only Ignore schedules is selected
Detect preerred bridgeheads
Preferred bridgeheads are selected !hen the follo!ing condition is true:
bridgeheadTransport)ist attribute is set to either one of the follo!ing (alues or both (alues:
CAK-P%CAK-nter0Site ransports%CAKSites%CAKConfiguration%)CK<root domain o-
-orest>
CAKSMP%CAK-nter0Site ransports%CAKSites%CAKConfiguration%)CK<root domain o-
-orest>
Ey using repadmin 0showattr% !e are setting the base at configuration partition and applying a
filter for ser(er ObGectClass and loo3ing for all of the domain controllers that ha(e this (alue set
to use either -P or SMP transports#
-f the search returns any results% note the name of ser(er in the distinguished name path in !hich
the bridgeheadTransport)ist attribute is populated#
=0
/igure ;!55!2
-n the e$ample in figure ,#11#2% "OO)C01 is selected as a preferred Eridgehead for -P transport
in site @UE#
(eriy inter+site cost matri. and orphaned sites
Repadmin 0showism displays intersite messaging routes calculated by the -ntersite Messaging
Ser(ice and is (ery useful for locating improperly configured sites# his operation cannot be
e$ecuted remotely#
's the GCC runs through the progressions of analy&ing intersite site lin3s and connections% it
must 9uery the -ntersite Messaging Ser(ice 1-SM2 ser(ice to retrie(e data about the net!or3
configuration to ma3e intelligent decisions about routing changes#
o display cost and fre9uency configurations of replication bet!een sites% use the follo!ing
command:
#ynta.
repadmin /showism [<,ranspor-N>] [/verbose]
<TransportDN> Specifies !hether the mail ser(er is using
SMP or remote procedure call 1"PC2 to send
messages#
he repadmin!e.e 0showism cannot be e$ecuted against a remote domain controller#
"otes
=1
>.ample7 Display inter+site cost matri.
igure ;!55!;
Sho!ism !as used against the -P transport and hence the output is specific to -P#
-f a specific transport is not specified% the output !ill contain both -P and SMP details#
he numbers in an entry appear in the follo!ing order:
Cost: "eplication inter(al: Options
here are four 3ey pieces of information:
e$t regarding the status of bridgehead ser(ers#
otal cost bet!een t!o sites# he cost (alue indicates the preference for a net!or3
lin3 for replicating directory information bet!een sites#
;re9uency of replication in minutes bet!een the t!o sites#
Options for each replication lin3#
-n the e$ample in figure ,#11#,% !e ha(e fi(e sites and Eridge all site lin3s is enabled%
!hich means that site lin3 transiti(ity is enabled# herefore% if !e see any \01:0:0\ entries for
one or more co(ered 'cti(e )irectory sites% !e must ensure that the affected sites are listed
in a site lin3# -n this e$ample% site Eranch: is not included in any site lin3s and therefore
disconnected from rest of the sites# 4(ent 1,11 !ill certainly occur here due to this
configuration problem#
;ields of interest )efinition
\0:0:0\ 4ach site matri$ contains one \0:0:0\ entry that refers to itself#
\200:,0:1\ 'n entry that contains positi(e numbers for the cost (alue and
replication inter(al (alue 1for e$ample% \200:,0:1\ or \100:1?:1\2
indicates that the site connection is good# Specifically in our
e$ample for Site E"'AC@1
=2
Site102
CAKE"'AC@1%CAKSites%CAKConfiguration%)CKcontoso%)CKcom
0:0:0% 200:,0:1% 200:,0:1% 01:0:0% 100:1?:1
200 stands for the cost to replicate from site112 !hich is
E"'AC@2 that is an aggregate cost bet!een t!o hops 1100 a
1002 because a direct replication lin3 bet!een the t!o sites
does not e$ist#
,0 is the replication inter(al that is common bet!een the
t!o branches
1 is the option on the site lin3 !hich denotes VChange
Aotifications are enabled across the site lin3W
'nd so on the rest of the sites_
\01:0:0\ ' \01:0:0\ entry indicates that the site connection is not !or3ing#
his occurs if one or more of the follo!ing conditions are true:
Site is not included in a site lin3#
Site does not host any domain controllers 1this is 3no!n as
an \unco(ered\ site2#
"eplication protocol is not used# ;or e$ample% if SMP
replication is not configured% the entries in the SMP portion of
the 6S@O+-SM matri$ all appear as \01:0:0\#
-f site lin3 bridging is enabled and the repadmin 0showism command returns a site !ith
a full complement of \01:0:0\ entries and one \0:0:0\ entry is orphaned unless the site is
unco(ered 1no domain controllers reside in that site2#
-f site lin3 bridging is disabled% \01:0:0\ entries are less meaningful# -f this is the case% you
must manually determine if each site is included in a site lin3# o do so% !rite do!n the list of
sites and site lin3s% and manually map each site to a site lin3#
Repadmin 0ailcache
Repadmin 0ailcache displays a list of replication failures that GCC is a!are of# "un this
command from the console of each -S8 domain controller in the forest to disco(er replication
failures for bridgeheads in the site for that -S8#
#ynta.
repadmin /.ailcache <!")*+,>
"otes
=,
repadmin 0listhelp#
>.ample7 Display replication ailures that &CC is aware o
he e$ample in figure ,#11#: sho!s sample output from the repadmin 0ailcache command#
/igure ;!55!4!5
he output from the repadmin 0ailcache command is di(ided into t!o sections e$plained in the
follo!ing table#
GCC .in3 ;ailures .ists errors for e$isting connection lin3s# he
-S8 domain controller imports sho!reps
1\repsfroms\2 data for e(ery bridgehead ser(er
in its site# @o!e(er% the -S8 domain controller
does not list errors# he lin3 failure cache is
emptied at the beginning of e(ery GCC run and
refilled during the course of the current run#
GCC Connection ;ailures .ists unsuccessful attempts to build connection
ob/ects bet!een domain controllers 1\reps from\
or \reps to\2# +hen you run the repadmin
0ailcache command from the -S8 domain
controller% it lists entries that are imported from
bridgeheads in the site# 't the beginning of
=:
each GCC run% the GCC e$amines each entry in
the connection failure cache and tries to )sEind
to the failing ser(er# -f the bind succeeds% the
entry is remo(ed#
-n the e$ample in figure ,#11#:#1% the failures are a result of some topology changes from the past
and !ould continue to e$ist due to the (alue of the replTopology#tayO>.ecution attribute%
!hich determines ho! long domain controller metadata is retained in 'cti(e )irectory after a
domain controller has been remo(ed#
>.ample7 Output when there are no ailures
+hen there are no failures% the output should appears as it does in figure ,#11#:#2#
/igure ;!55!4!2
he repadmin 0ailcache command differs from the repadmin 0showrepl command in
t!o !ays:
he repadmin 0showrepl command sho!s the naming conte$t that is failing#
he repadmin 0ailcache command does not#
Repadmin 0&CC
Repadmin 0&CC forces the GCC to recalculate replication topology for a specified domain
controller# Ey default% this recalculation occurs e(ery 1? minutes#
#ynta.
repadmin /Ecc <!")*+,> [/as(nc]
"otes
=?
repadmin 0listhelp!
0async Specifies that replication !ill be asynchronous#
his means that repadmin starts the replication
e(ent% but it does not e$pect an immediate
response from the destination domain
controller# Use this parameter to start the GCC
and not !ait for it to finish#
>.ample 57 Running the &CC on the local domain controller
/igure ;!55!'!5
>.ample 27 Running the &CC against the I#T* o the <UK site
/igure ;!55!'!2
>.ample ;7 Running the &CC against all the global catalog
servers in the orest
/igure ;!55!'!;
=<
>.ample 47 Running the &CC against all the domain controllers
in the KRA"C<2 site
/igure ;!55!'!4
Repadmin 0I#T*
Repadmin 0I#T* returns the ser(er name of the -S8 ser(er for a specified site#
#ynta.
repadmin /is-0 <!")*+,> [/verbose]
Parameters )escriptions
repadmin 0listhelp#
>.ample7 Display I#T*s in my environment
/igure ;!55!C
-n the e$ample in figure ,#11#<% the -S8s are listed from the perspecti(e of the local domain
controller from !hich the command !as run# -t is important to note that this information may be
different from the perspecti(e of each domain controller% depending on the forest0!ide
'cti(e )irectory con(ergence time and replication status#
==
Repadmin 0,uerysites
Repadmin 0,uerysites use routing information to determine cost of a route from a specified site
to another specified site or sites#
#ynta.
repadmin /Nuer(si-es <Irom+i-e&N> <,o+i-e3&N> <,o+i-e5&N>''']
<"romSite!DN> Specifies the relati(e distinguished name of the
site from !hich the cost is calculated#
<ToSite#!DN> Specifies the relati(e distinguished name of the
site to !hich the cost is calculated#
>.ample 57 Display cost between KRA"C<5 and <UK
/igure ;!55!B!5
>.ample 27 Display cost between KRA"C<5 and KRA"C<2
)ue to site lin3 transiti(ity% the cost from E"'AC@1 to E"'AC@2 is aggregated by adding the
cost from E"'AC@1 to @UE 11002 !ith the cost from @UE to E"'AC@2 11002#
/igure ;!55!B!2
>.ample ;7 Display cost between KRA"C<5 and Kranch2
Aote that the relati(e distinguished name of the site is case sensiti(e and hence the error#
=8
/igure ;!55!B!;
he relati(e distinguished name of the site is case sensiti(e#
he repadmin 0,uerysites parameter does not allo! the use of alternate credentials#
Repadmin 0,ueue
Repadmin 0,ueue displays tas3s that are !aiting in the replication 9ueue#
#ynta.
repadmin /Nueue <!")*+,>
repadmin 0listhelp#
>.ample7 Display the ,ueue length against the local domain
controller
Under normal circumstances this list should al!ays be empty and the command should be run
outside of the replication !indo! !hen troubleshooting domain controller o(erload !as caused
due to replication re9uests#
/igure ;!55!L!5
"otes
=7
>.ample7 Oueue contains one item
igure ;!55!L!2
Repadmin 0bridgeheads
Repadmin 0bridgeheads lists the bridgehead ser(ers for a specified site#
#ynta.
repadmin /brid0eheads [<!")*+,>] [/verbose]
repadmin 0listhelp#
;or clarity:
he follo!ing e$ample sho!s only bridgeheads only for the @UE site#
he follo!ing e$ample sho!s the normal and (erbose modes to help compare them#
Vhe "PC ser(ice is una(ailableW status is abbre(iated as RPC!
Vhe operation completed successfullyW status is abbre(iated as status!
>.ample 57 Repadmin 0bridgeheads rootdns
;rid0eheads .or si-e :U; <roo-dns'con-oso'com=:
+ource +i-e )ocal ;rid0e ,rns Iail' ,ime O +-a-us
CCCCCCCCCCC CCCCCCCCCCCC CCCC CCCCCCCCCCCCCC CCC CCCCCC
;&#N!:5 ;&#N!:@:U;@;: *P 5>>1@>5@3A 3A:32:15 G &P!'
!on.i0ura-ion research
;&#N!:3 ;&#N!:@:U;@;: *P <never= > +uccess'
80
!on.i0ura-ion Iores-nsKones omainnsKones research
;&#N!:G ;&#N!:@:U;@;: *P <never= > +uccess'
!on.i0ura-ion omainnsKones Iores-nsKones research
>.ample 27 Repadmin 0bridgeheads rootdns 0verbose
;rid0eheads .or si-e :U; <roo-dns'con-oso'com=:
;&#N!:5 ;&#N!:@:U;@;: *P 5>>1@>5@3A 3A:32:15 G &P!'
Namin0 !on-e9- #--emp- ,ime +uccess ,ime OIail )as- &esul-
CCCCCCCCCCCCCC CCCCCCCCCCCC CCCCCCCCCCCC CCCCC CCCCCCCCCCC
!on.i0ura-ion 5>>1@>5@3A 3A:13:A3 5>>1@>5@3A 3A:32:13 G &P!'
research 5>>1@>5@3A 3A:1G:31 5>>1@>5@3A 3A:32:15 5 &P!'
;&#N!:3 ;&#N!:@:U;@;: *P <never= > +uccess
!on.i0ura-ion 5>>1@>5@3A 3A:13:A3 5>>1@>5@3A 3A:13:A3 > +uccess'
Iores-nsKones 5>>1@>5@3A 3A:15:G4 5>>1@>5@3A 3A:15:G4 > +uccess'
omainnsKones 5>>1@>5@3A 3A:1G:31 5>>1@>5@3A 3A:1G:31 > +uccess'
research 5>>1@>5@3A 3A:15:G4 5>>1@>5@3A 3A:15:G4 > +uccess'
;&#N!:G ;&#N!:@:U;@;: *P <never= > +uccess'
!on.i0ura-ion 5>>1@>5@3A 3A:13:A5 5>>1@>5@3A 3A:13:A5 > +uccess'
omainnsKones 5>>1@>5@3A 3A:1G:31 5>>1@>5@3A 3A:1G:31 > +uccess'
Iores-nsKones 5>>1@>5@3A 3A:15:G4 5>>1@>5@3A 3A:15:G4 > +uccess'
research 5>>1@>5@3A 3A:1G:31 5>>1@>5@3A 3A:1G:31 > +uccess'
Repadmin 0bridgeheads is run remotely against a domain controller in the @UE site and the
output is the perspecti(e of the topology for "OO)AS# -n these e$amples% !e are seeing local
81
bridgehead ser(er KRA"C<+<UK+K< is ha(ing replication problems !ith the remote bridgehead
ser(er in the KRA"C<2 site#
;ields of interest 4$planation
Source Site Source site from !here the local bridge head
1inbound2 is pulling data# "emember replication
is al!ays inbound#
.ocal Eridge .ocal Eridge head ser(er for the site for !hich
the tool is displaying results# -n the e$ample in
figure ,#11#7#2% E"'AC@0@UE0E@ is the
bridgehead ser(er of the @UE site#
rns -n the e$ample in figure ,#11#7#2% the transport
is -P#
;ail time his is the last successful replication time#
b Aumber of failures since the last successful
replication time#
Status "eplication status#
Aaming Conte$t )irectory partition# "emember Eridgeheads are
partition specific#
'ttempt time .ast replication attempt time !ith the remote
bridgehead#
Success time .ast successful replication time !ith the remote
bridgehead#
b;ail Aumber of attempts since the failure per
partition#
.ast result .atest replication status#
"eplication is performed for each partition# Eut sometimes !e do not see the Schema
partition listed in the pre(ious e$ample as a naming conte$t 1partition2 and hence there
are no bridgeheads listed# his is not a limitation of the tool^ it has to do !ith the ho!
information is stored in the connection ob/ect that is 9ueried to determine the bridgehead#
-f you see the configuration partition in the output% it is implied that schema is also
included because the GCC calculates the configuration and schema partitions to ha(e the
same replication topology#
"otes
82
Repadmin 0showmsg
Repadmin 0showmsg displays the error message for a gi(en error number#
#ynta.
repadmin /showms0 <LinG5%rror> | <+%ven-*> /N,+$+8}
<.in)$/rror> "eturns a short description of the gi(en +in,2
error code#
<DS/ventID> 0"TD#M#* "eturns the actual e(ent log te$t for the
specified e(ent -)#
>.ample7 Display the error message or the win;2error 5B22 and
D# event ID 54D4
/igure ;!55!5D
Repadmin 0viewlist
Ey default% this subcommand is used to displays a list of domain controllers# -t could also be used
to form an .ight!eight )irectory 'ccess Protocol 1.)'P2 9uery to list only ob/ects in the directory#
#ynta.
repadmin /viewlis- <!")*+,> <6;H")*+,>
repadmin 0listhelp#
<O*+_LIST> his parameter ta3es a distinguished name
1)A2 or a special 3ey!ord that e$pands into a
8,
)A# he 3ey!ords are:
"cobG7conig7 his 3ey!ord is the
Configuration directory partition for the
forest#
"cobG7schema7 his 3ey!ord is the
Schema directory partition for the forest#
"cobG7domain7 his 3ey!ord is the
domain partition )A of the home ser(er#
DsaobG: his 3ey!ord is the A)S
settings ob/ect of the home ser(er#
>.ample 57 Display all the DCPs in the orest
igure ;!55!55!5
>.ample 27 Display all the *roup Policy obGects in the domain
directory partition or the domain o the domain controller
that repadmin is running against
/igure ;!55!55!2
Aote the usage of OKQE)I#T and OKQE)I#T OPTIO"## ;or details please refer to repadmin
0listhelp#
Open sessions with the domain controller
he repadmin 0showct. command displays a list of computers that ha(e opened sessions !ith a
specified domain controller#
#ynta.
repadmin /showc-9 <!")*+,> [/nocache]
8:
repadmin 0listhelp#
0nocache Specifies that globally uni9ue identifiers
18U-)s2 are left in he$adecimal form# Ey
default% 8U-)s are translated into strings#
>.ample7 #how open sessions with a D#A
/igure ;!55!52
#ubcommands "ot Covered Under the
Previous #cenarios
his topic co(ers additional subcommands that you can use !ith repadmin#
Display replication eatures
he repadmin 0bind command connects to% and displays the replication features for a directory
partition on a domain controller#
#ynta.
repadmin /bind <!")*+,>
8?
repadmin 0listhelp#
>.ample7 Display replication eatures on the local domain
controller- which is running 6indows #erver 2DD;
Aote that the .-AG4)X>'.U4X"4P.-C'-OA is set to AO because the forest functional le(el is
set to +indo!s 2000 instead of +indo!s Ser(er 200,#
/igure;!52!5
#erver obGect *UID $D#A *UID% R Database *UID
he repadmin 0dsaguid command returns a ser(er name !hen gi(en a globally uni9ue identifier
18U-)2#
#ynta.
repadmin /dsa0uid <!")*+,> <8U*>
8<
repadmin 0listhelp#
<GUID> Specifies the uni9ue he$adecimal number that
identifies the domain controller# he globally
uni9ue identifier 18U-)2 can be retrie(ed by
using the showreps operation#
>.ample7 Display the domain controller name when given a
*UID
.oo3 at the usage of V#W here for <DC_LIST>#
/igure ;!52!2
Please refer to repadmin 0showrepl for a detailed e$planation and difference bet!een )S'
8U-) and )atabase 8U-)#
Certiicates loaded on a domain controller
he repadmin 0showcert command displays the ser(er certificates loaded on a specified domain
controller#
#ynta.
repadmin /showcer- <!")*+,>
repadmin 0listhelp!
8=
Retired Application partition *UIDs $signature%
4ach domain controller has a naming conte$t signature list# he repadmin 0showncsig
command displays a list of the remo(ed application directory partition 8U-)s# 'n application
directory partition can be configured to be held or not held on a particular domain controller by
using ntdsutil!
#ynta.
repadmin /showncsi0 <!")*+,>
repadmin 0listhelp!
>.ample7 Display the recently retired /orestDnsMone application
directory partition on the local domain controller
/igure ;!52!4
he follo!ing information is displayed in figure ,#12#::
Partition name
-n(ocation-) at the time of remo(al
@ighest update se9uence number 1USA2 at the time of remo(al
)ate of remo(al
Unanswered replication calls
he repadmin 0showoutcalls command displays calls that ha(e not yet been ans!ered% made
by the specified domain controller to other domain controllers#
#ynta.
repadmin /showou-calls <!")*+,>
88
repadmin 0listhelp!
>.ample7 <ub domain controller waiting or the re,uest to be
answered rom a spo=e domain controller
/igure ;!52!'
showpro.y
.ists cross domain mo(e pro$y ob/ects# +hen an ob/ect is mo(ed to another domain% a mar3er is
left in the old domain indicating that the ob/ect used to be there# his is called the pro$y#
#ynta.5
repadmin /showpro9( <!")*+,> <Namin0!on-e9-> [ma-chs-rin0]
#ynta.2
repadmin /showpro9( <!")*+,> <6b7ec-N> [ma-chs-rin0] /movedob7ec-
repadmin 0listhelp!
controller#
matchstring Specifies the distinguished name of the ob/ect#
87
<O%&ectDN> Specifies a filter for the output# ype a string of
characters that must be present in the
distinguished name in order to display the
ob/ect#
0movedobGect )isplays a history of information from the
original domain on a mo(ed ob/ect after it has
reached the ne! domain#
Retired Database *UIDs $signature%
he repadmin 0showsig command displays the retired -n(ocation-)s on a domain controller# '
domain controller changes its -n(ocation-) on being restored or !hen re0hosting an application
partition#
#ynta.
repadmin /showsi0 <!")*+,>
repadmin 0listhelp!
>.ample 57 #imple usage o no retired signatures
igure ;!52!B!5
70
>.ample 27 #imple usage o retired signature
igure ;!52!B!2
Convert directory service time to readable time
he repadmin 0showtime command con(erts a directory ser(ice time (alue to string format for
both the local and the Coordinated Uni(ersal ime 1UC2 time &ones#
#ynta.
repadmin /show-ime <+,imeMalue>
<DSTimeVaue> Specifies the time (alue that needs to be
con(erted#
+ith parameters omitted% repadmin 0showtime displays the current system time in both
the directory ser(ice format and string format#
>.ample 57 Usage with directory service time ormat
igure ;!52!L!5
>.ample 27 Current system time
/igure ;!52!L!2
"ote
71
Active Directory domains trusted by domain
controller
he repadmin 0showtrust command lists all 'cti(e )irectory domains 1in the same forest2 that
are trusted by the specified domain controllerIs domain#
#ynta.
repadmin /show-rus- <!")*+,>
or a list of domain controllers% separated by a
repadmin 0listhelp#
>.ample7 Display Active Directory domains that are trusted by
the domain o the local domain controller
/igure ;!52!A
)in=ed Distinguished "ame values
he repadmin 0showvalue command is used to list only lin3ed distinguished name (alues#
.in3ed distinguished name (alues can also be obtained by the repadmin 0showobGmeta
subcommand !ith the 0lin=ed s!itch#
#ynta.
repadmin /showvalue <!")*+,> 6b7ec-N <#--ribu-eName> <MalueN> [/nocache]
or a list of domain controllers% separated by a
space# ;or details about DCE)I#T% see
72
repadmin 0listhelp#
<'ttri%uteName> Specifies a single attribute !hose (alue you
!ant to display#
<VaueDN> Specifies the distinguished name of the attribute
that is displayed#
strings#
>.ample7 Display members o the Domain Admins group
Aote that sho!(alue lists (alue for only for!ard lin3s# Eac3!ard lin3s 1such as memberO2 are
not obtained#
/igure ;!52!5D
Oldhelp
Oldhelp displays a list of the operations that ha(e been deprecated in the +indo!s Ser(er 200,
(ersion of repadmin#
sync
Starts a replication e(ent for the specified directory partition bet!een the source and destination
domain controllers# he source uni(ersally uni9ue identifier 1UU-)2 can be determined !hen
(ie!ing the replication partners by using the sho!reps operation#
7,
#ynta.
repadmin /s(nc <Namin0!on-e9-> <es-!> <+ource!UU*> [/.orce] [/as(nc] [/.ull]
[/addre.] [/allsources]
<DestDC> Specifies the host name of the domain
controller 1)irectory Ser(er 'gent2 !ith !hich
you !ant to replicate#
<SourceDCUUID> Specifies the uni9ue he$adecimal number that
using the sho!reps operation#
0orce O(errides the normal replication schedule
0async Specifies that the replication !ill be
asynchronous# his means that repadmin starts
the replication e(ent% but it does not e$pect an
immediate response from the destination
domain controller# Use this parameter !hen
there are slo! lin3s bet!een domain
controllers#
0ull ;orces a full replication of all ob/ects from the
destination domain controller#
0addre )irects the source to chec3 for a notification
entry on the source# -f the source does not ha(e
a notification entry for this destination% one is
added#
6allsources ' gi(en destination can ha(e multiple sources
for the same naming conte$t# )irects the
destination to sync !ith all sources instead of
/ust one#
propchec=
Compares properties of specified domain controllers to determine if they are up0to0date !ith each
other# he source domain controller contains the original information that needs to be chec3ed#
he destination domain controller data !ill be compared to the source domain controller data#
7:
#ynta.
repadmin /propchecE <Namin0!on-e9-> <6ri0ina-in0!*nvoca-ion*> <6ri0ina-in0U+N> <es-!>
controller#
<OriginatingDCInvocationID> Specifies the uni9ue he$adecimal number that
identifies an ob/ect on a source domain
controller# he -n(ocation-) can be retrie(ed by
<OriginatingUSN> Specifies the update se9uence number 1USA2
for the ob/ect on the source domain controller#
he USA is for the ob/ect !hose -n(ocation-) is
already listed#
DestDC Specifies the host name of the destination
getchanges
)isplays changes from a specified directory partition or changes to a specified ob/ect# Synta$ 1
sa(es changes to a directory partition# -f this information is sa(ed to a file the getchanges
operation can be run again for comparison# Synta$ 2 lists changes to a specified ob/ect#
#ynta.5
repadmin /0e-chan0es <Namin0!on-e9-> <+ource!> [/cooEie: <Iile>] [/a--s:
<a--ribu-e3>D<a--ribu-e5>D''']
#ynta.2
repadmin /0e-chan0es <Namin0!on-e9-> <es-!> <+ource!6b7ec-8U*> [/verbose]
[/s-a-is-ics] [/noincremen-al] [/ob7ec-securi-(] [/ances-ors] [/a--s:
<a--ribu-e3>D<a--ribu-e5>D'''] [/.il-er: <ldap .il-er>]
<SourceDC> Specifies the host name of the domain
7?
controller that hosts the directory partition
!hose changes you !ant to (ie!#
coo=ie7 <"ie> Specifies a name for the file to !hich list
changes are sa(ed#
atts7 <attri%ute#>%<attri%ute$> "eturns only the attributes specified# Separate
each listed attribute !ith a comma#
<DestDC> Specifies the host name of the destination
0statistics )isplays a summary of information about
changes instead of a list of indi(idual changes#
0noincremental "eturns changes in (alue change format% !hich
lists current (alues for attributes as !ell as !hat
attributes ha(e been added or deleted# -f not
specified% changes are returned in attribute
change format% !hich sho!s only the current
(alue of the attribute#
0obGectsecurity O(errides the need for the 8et Changes right to
the directory partition# Ey default this right is
needed to run the 0getchanges parameter#
@o!e(er% only changes that the currently
logged on user has the rights to (ie! are
displayed#
0ilter7 <dap -iter> "eturns only those changes that meet the filter
re9uirements#
0ancestors "eturns changes in USA order
he information from Synta$1 can be sa(ed to a file for later comparison#
"ote
7<
showreps
)isplays the replication partners for each directory partition on the specified domain controller#
@elps the administrator build a (isual representation of the replication topology and see the role
of each domain controller in the replication process#
#ynta.
repadmin /showreps <Namin0!on-e9-> <!> <+ource!6b7ec-8U*> [/verbose] [/nocache]
[/reps-o] [/conn] [/all]
DC Specifies the host name of the domain
controller#
identifies the ob/ect !hose replication e(ents
!ill be listed#
0nocache Specifies that globally uni9ue identifier 18U-)s2
are left in he$adecimal form# Ey default% 8U-)s
are translated into strings#
H0repstoS .ists the domain controllers that pull replication
information from the specified directory
partition#
0conn )isplays the connection ob/ects associated !ith
each lin3#
0all )isplays all replication partners#
showvector
)isplays the highest USA for the specified domain controller# his information sho!s ho! up0to0
date a replica is !ith its replication partners#
#ynta.
repadmin /showvec-or <Namin0!on-e9-> <!> [/nocache] [/la-enc(]
7=
controller#
strings#
0latency Sorts the information by the time re9uired to
complete the replication# Ey default the
information is sorted by USA#
showmeta
)isplays the replication metadata for a specified ob/ect stored in 'cti(e )irectory such as attribute
-)% (ersion number% originating and local Update Se9uence Aumber 1USA2% and originating
ser(er]s 8U-) and )ate and ime stamp# Ey comparing the replication metadata for the same
ob/ect on different domain controllers% an administrator can determine !hether replication has
ta3en place#
#ynta.
repadmin /showme-a <6b7ec-N> <!> [/nocache] [/linEed]
controller that hosts the ob/ect#
strings#
0lin=ed )isplays metadata associated !ith% but not
stored !ith the specified ob/ect#
78
Administer Passwords and Password
Replication Policy or Read+Only Domain
Controllers with Repadmin!e.e
his topic describes the follo!ing commands that !ere added to "epadmin#e$e in +indo!s
Ser(er 2008 to manage pass!ords and Pass!ord "eplication Policy 1P"P2 for read0only domain
controllers 1"O)Cs2# "O)Cs are a(ailable in +indo!s Ser(er 2008 and +indo!s
Ser(er 2008 "2#
"epadmin#e$e is built into +indo!s Ser(er 2008 and +indo!s Ser(er 2008 "2# -t is a(ailable if
you ha(e the 'cti(e )irectory )omain Ser(ices 1') )S2 ser(er role or the 'cti(e )irectory
.ight!eight )irectory Ser(ices 1') .)S2 ser(er role installed# -t is also a(ailable if you install the
'cti(e )irectory )omain Ser(ices ools that are part of the "emote Ser(er 'dministration ools
1"S'2# ;or more information% see @o! to 'dminister Microsoft +indo!s Client and Ser(er
Computers .ocally and "emotely 1http:66go#microsoft#com6f!lin36C.in3-)K1==81,2#
-n +indo!s Ser(er 2008 and +indo!s Ser(er 2008 "2% you must run command0line0based tools
from an ele(ated command prompt# o open an ele(ated Command Prompt using the credentials
of a )omain 'dmin% clic3 #tart# -n #tart #earch% type runas
0user7Idomain"ameJTIdomainAdminAccountUserJ cmd% and then press 4A4"# "eplace
Idomain"ameJ !ith the domain name% and replace IdomainAdminUserJ !ith the name of a
user account that is a member of the )omain 'dmins group in that domain#
repadmin 6prp
repadmin 6rodcp!drepl
;or more information about managing pass!ords and the P"P for "O)Cs% see 'dministering the
Pass!ord "eplication Policy 1http:66go#microsoft#com6f!lin36C.in3-dK18?==82#
repadmin 0prp
Bou can use this command to (ie! or modify the P"P for an "O)C# he P"P determines !hich
account pass!ords are allo!ed to be cached on an "O)C and !hich account are denied from
being cached#
#ynta.
&epadmin /prp [operation] R$DC [additional arg"ments]
Operations
he repadmin 0prp command can perform the follo!ing operations:
'dd
77
)elete
Mo(e
>ie!
'dditional arguments are a(ailable for each operation#
Add
'dds the specified security principal to the msD#+RevealOnDemand*roup attribute that is
associated !ith the "O)C# 1his attribute is also 3no!n as the 'llo!ed .ist#2
Bou cannot use repadmin 0prp commands to add an account to the )eny .ist or remo(e
an account from the )eny .ist# o configure the )eny .ist% you can use the
'cti(e )irectory Users and Computers snap0in or you can create a script# ;or e$ample% if
you !ant to deny members of the group "O)C2'dmins from caching pass!ords on
"O)C2% !hich is located in the Eranch2 organi&ational unit 1OU2 of h9#cpandl#com% you
can use the follo!ing script:
P,he .ollowin0 i-ems speci.( -o !learD Upda-eD #ppendD or ele-e a proper-( o. an #c-ive
irec-or( ob7ec-
!ons- #+"P&6P%&,Q"!)%#& C 3
!ons- #+"P&6P%&,Q"UP#,% C 5
!ons- #+"P&6P%&,Q"#PP%N C G
!ons- #+"P&6P%&,Q"%)%,% C A
!ons- #,, C Rms+@Never&eveal8roupR
P,he se--in0 .or #,, de-ermines which lis- will be modi.ied
Pms+@#u-hen-ica-ed,o#ccoun-lis- is .or -he au-hen-ica-ed -o or #u-h5 lis-
Pms+@&evealed)is- is .or -he password revealed or cached lis-
Pms+@&eveal6nemand8roup is .or -he allowed -o au-hen-ica-e lis-
Pms+@Never&eveal8roup is .or -he denied .rom au-hen-ica-in0 lis-
PP&P6b7 de.ines -he ob7ec- -ha- needs -o be modi.ied in -he P&P lis-
P&P6b7 C R!NC&6!5#dminsD6UC;ranch5D!ChND!CcpandlD!CcomR
P&6!6b7 de.ines -he &6! .or which -he P&P should be modi.ied
&6!6b7 C R)#P://!NC&6!5D6UComain !on-rollersD!ChND!CcpandlD!CcomR
P+e-s -he ob7ec- -o modi.( based on -he )#P pa-h se- in &6!6b7
"ote
100
+e- ob7!ompu-er C 8e-6b7ec-<&6!6b7=
P*mplemen-s -he chan0eD whichD dependin0 on -he word a.-er #+"P&6P%&,Q"D is a !)%#&D
UP#,%D #PP%ND or %)%,% opera-ion
ob7!ompu-er'Pu-%9 #+"P&6P%&,Q"#PP%ND #,,D #rra(<P&P6b7=
ob7!ompu-er'+e-*n.o
P!on.irms -ha- -he modi.ica-ion has -aEen place <-his is op-ional=
wscrip-'echo R$odi.ied lis- a--ribu-es .or ob7ec- R S P&P6b7
P!loses -he scrip-
wscrip-'Nui-<>=
#ynta.
repadmin /prp add <&6!> allow <P&*N!*P#)>
Additional parameters
Parameter Deinition
O"O)CP Specifies the host name of the "O)C# Bou can
specify the single0label host name or the fully
9ualified domain name 1;H)A2# -n addition% you
can use an asteris3 1T2 as a !ildcard character
to specify multiple "O)Cs in one domain#
OP"-AC-P'.P Specifies the name of the security principal that
you !ant to add to the 'llo!ed .ist#
Delete
)eletes one or more specified security principals from the msD#+AuthenticatedToAccount)ist
attribute or from the msD#+RevealOnDemand*roup attribute that is associated !ith the "O)C#
1he AuthenticatedToAccount)ist attribute is also 3no!n as the 'uthenticated to .ist% and the
msD#+RevealOnDemand*roup attribute is also 3no!n as the 'llo!ed .ist#2
#ynta.
repadmin /prp dele-e <&6!> allow {<P&*N!*P#)>|/all}
repadmin /prp dele-e <&6!> au-h5 /all
101
Parameter Deinition
specify the single0label host name or the ;H)A#
-n addition% you can use an asteris3 1T2 as a
!ildcard character to specify multiple "O)Cs in
one domain#
OP"-AC-P'.P Specifies the name of the security principal that
you !ant to delete from the 'llo!ed .ist#
Specify 0all to ha(e the operation delete all
security principals#
6all Specifies all security principals# Bou cannot
delete only one security principal from the
msD#+AuthenticatedToAccount)ist attribute#
Move
Mo(es all the security principals from the msD#+AuthenticatedToAccount)ist attribute to the
specified group# -f the group does not e$ist% this command creates the group# -f necessary% this
command also adds the group to the msD#+RevealOnDemand*roup attribute of the "O)C#
1he msD#+AuthenticatedToAccount)ist attribute is also 3no!n as the 'uthenticated o .ist%
and the msD#+RevealOnDemand*roup attribute is also 3no!n as the 'llo!ed .ist#2
#ynta.
repadmin /prp move <&6!> <8roup> [/noau-h5cleanup] [/users"onl( | /comps"onl(]
Parameter Deinition
O"O)CP Specifies the host name of the "O)C# ;or this
operation% you can specify the single0label host
name or the ;H)A#
O8roupP Specifies the name of the security group to
!hich you !ant to mo(e the security principals#
-f the security group does not e$ist% this
command creates the security group in the built0
in Users container# Bou can specify the name of
the security group but not the distinguished
name#
6noauth2cleanup "etains the list of security principals in the
msD#+AuthenticatedToAccount)ist attribute
after the Mo(e operation is complete# Ey
102
Parameter Deinition
default% the msD#+
AuthenticatedToAccount)ist attribute is
cleared#
6usersXonly Mo(es only user accounts from the msD#+
AuthenticatedToAccount)ist attribute to the
specified group# he group is then added to the
msD#+RevealOnDemand*roup attribute#
6compsXonly Mo(es only computer accounts from the msD#+
AuthenticatedToAccount)ist attribute to the
specified group# he group is then added to the
msD#+RevealOnDemand*roup attribute#
(iew
)isplays the security principals in the specified list or displays the current P"P setting 1allo!ed or
denied2 for a specified user#
#ynta.
repadmin /prp view <&6!> {<)is-"Name>|<User>}
Parameter Deinition
specify the single0label host name or the ;H)A#
-n addition% you can use an asteris3 1T2 as a
!ildcard character to specify multiple "O)Cs in
one domain#
O.istXAameP Specifies all the security principals that are in
the list that you !ant to (ie!# he (alid list
names are as follo!s:
auth2: he list of security principals that
the "O)C has authenticated#
re(eal: he list of security principals for
!hich the "O)C has cached pass!ords#
allo!: he list of security principals in
the msD#+RevealOnDemand*roup
attribute# he "O)C can cache pass!ords
for this list of security principals only#
10,
Parameter Deinition
deny: he list of security principals in
the msD#+"everReveal*roup attribute#
he "O)C cannot cache pass!ords for
any security principals in this list#
OUserP Specifies the effecti(e P"P setting 1allo!ed or
denied2 for the specified user# Bou can specify
the user name only or the distinguished name#
>.ample 57 (iew the PRP o an RODC
he follo!ing e$amples sho! ho! to (ie! the accounts that are configured in the P"P that
applies to an "O)C !ith the host name "O)C2 in the domain h9#cpandl#com#
o (ie! the accounts that are allo!ed to ha(e their pass!ords cached on the "O)C% use the
follo!ing command:
repadmin /prp view rodc5'hN'cpandl'com allow
o (ie! the accounts that are denied from ha(ing their pass!ords cached on the "O)C 1also
3no!n as the )eny list2% use the follo!ing command:
repadmin /prp view rodc5'hN'cpandl'com den(
>.ample 27 (iew accounts that an RODC has authenticated
o re(ie! the list of authenticated accounts for "O)C2 in the h9#cpandl#com domain% use the
follo!ing command:
repadmin /prp view rodc5'hN'cpandl'com au-h5
>.ample ;7 Clear the list o authenticated accounts
Aote that this command does not actually remo(e account pass!ords from an "O)C# -t only
deletes the list of those accounts#
here is no mechanism to erase pass!ords after they are cached on an "O)C# -f you !ant to
clear a pass!ord that is stored on an "O)C% reset the pass!ord in the hub site# his !ay% the
pass!ord that is cached in the branch !ill no longer be (alid for accessing any resources in the
hub site or other branches# -n the branch that contains the "O)C on !hich the pass!ord may
ha(e been compromised% the pass!ord !ill still be (alid for authentication purposes until the ne$t
replication cycle% at !hich time its (alue that is stored on the "O)C !ill be changed to Aull# he
ne! pass!ord !ill be cached only after the user authenticates !ith itMor the ne! pass!ord is
prepopulated on the "O)CMand if the P"P has not been changed#
o clear the list of authenticated accounts for "O)C2% use the follo!ing command:
repadmin /prp dele-e rodc5 au-h5 /all
10:
>.ample 47 Conigure the PRP
o add an account named "O)C2users from a top0le(el OU named +est in the domain
h9#cpandl#com to the 'llo!ed .ist 1or to remo(e it from the 'llo!ed .ist2 for an "O)C computer
!ith a hostname of "O)C2% use one of the follo!ing commands:
o find the .ight!eight )irectory 'ccess Protocol 1.)'P2 distinguished name of a
directory ob/ect from the command line% you can use the ds,uery command# ;or
e$ample% if you !ant to find the distinguished name of a group that has V"O)CW as part
of its name from a computer in the local domain% you can run the command ds,uery
group Uname 1RODC1! he asteris3s around V"O)CW indicate that any number of
characters can come before or after the letters "O)C# -f instead you !ant to find the
distinguished name of a computer or user% substitute either the !ord computer or the
!ord user 1respecti(ely2 for the !ord group in the command# ;or more information about
ds,uery command synta$% see )s9uery 1http:66go#microsoft#com6f!lin36C.in3-dK12017<2#
o allo! the account "O)C2users to be cached on "O)C2% use the follo!ing command:
repadmin /prp add rodc5'hN'cpandl'com allow cnC&6!5usersDouCwes-DdcChNDdcCcpandlDdcCcom
o remo(e the account from the 'llo!ed .ist% use the follo!ing command:
repadmin /prp dele-e rodc5'hN'cpandl'com allow
cnC&6!5usersDouCwes-DdcChNDdcCcpandlDdcCcom
>.ample '7 Move accounts that an RODC has authenticated to
the Allowed RODC Password Replication Policy *roup
o mo(e the current list of only the users from "O)C2 to the 'llo!ed .ist% use the follo!ing
command:
&epadmin /prp move rodc5 /users"onl(
Bou cannot selecti(ely mo(e entries from the 'uth2 list to the 'llo!ed .ist by using the
repadmin 0prp move command# @o!e(er% !hen you ha(e created an appropriate group%
you can use 'cti(e )irectory Users and Computers% )sadd% and similar tools to add
users or computers to that group#
>.ample C7 (iew accounts with cached passwords on an RODC
o see the accounts !ith cached pass!ords on an "O)C !ith the host name "O)C2 in the
domain contoso#com% use the follo!ing command:
repadmin /prp view rodc5'con-oso'com reveal
-f you ha(e a large number of accounts cached% the repadmin 0prp view IhostnameJ
reveal command might return only a subset of the accounts# ;or more information% see
"epadmin 6P"P might return only a subset of accounts 1http:66go#microsoft#com6f!lin36C
.in3-dK18?==?2#
"ote "ote Important
10?
repadmin 0rodcpwdrepl
riggers replication of pass!ords for the specified users from the source 1@ub site domain
controllers2 to one or more "O)Cs#
;or each destination "O)C% the ability to cache the userIs pass!ord is e(aluated before the
operation succeeds# -n other !ords% the specified user must be in the 'llo!ed "O)C Pass!ord
"eplication 8roup and not be a member of the )enied "O)C Pass!ord "eplication 8roup for
the destination "O)C# Bou can specify pass!ords for multiple users% but if a userIs pass!ord is
not allo!ed to be cached for a destination "O)C% the re9uest for that specific user and
destination "O)C !ill fail#
#ynta.
&epadmin /rodcpwdrepl <hos-name&6!> <hos-nameL!> <User3)dapPa-h> <!ompu-er3)dapPa-h>
<UserN)dapPa-h> <!ompu-erN)dapPa-h>
Parameters Deinitions
Ohostname"O)CP he host name or ;H)A of the target "O)CIs
pass!ord cache that you !ant to prepopulate# -f
you are running the command from outside the
target domain% use the ;H)A#
Ohostname+)CP he host name or ;H)A of the !ritable domain
controller that is the replication partner of the
"O)C# -f you are running the command from
outside the target domain% use the ;H)A#
OUser1.dapPathP he .)'P distinguished name of a user
account pass!ord that you !ant to prepopulate#
OComputer1.dapPathP he .)'P distinguished name of a computer
account !hose pass!ord that you !ant to
populate# Bou must add the computer accounts
of the users or they !ill not be able to log on#
OUserA.dapPathP he .)'P distinguished name of another user
account pass!ord that you !ant to populate#
OComputerA.dapPathP he .)'P distinguished name of another
computer !hose account pass!ord you !ant to
prepopulate# Bou must add the computer
accounts of the users or they !ill not be able to
log on#
10<
>.ample
he follo!ing command prepopulates the pass!ord cache for an "O)C named "O)C2 in the
domain h9#cpandl#com% using the !riteable domain controller named +S2008' to transfer the
pass!ords for a user account for Mi3e )anseglio 1Mi3e)an2 and his computer named M)>ista1#
he Mi3e)an account is in a top0le(el OU named E1 Users% and the M)>ista1 account is in the
default Computers container#
repadmin /rodcpwdrepl rodc5'hN'cpandl'com ws5>>2a'hN'cpandl'com TcnCmiEedanDouCb3
usersDdcChNDdcCcpandlD!CcomU cnCmdvis-a3DcnC!ompu-ersDdcChNDdcCcpandlDdcCcom
Repadmin or >.perts
he pre(ious topics in this guide ha(e loo3ed at ho! an administrator can use repadmin to (ie!
the replication topology 1sometimes referred to as Reps+/rom and Reps+To2 as seen from the
perspecti(e of each domain controller% monitor forest0!ide replication% diagnose replication
problems% and perform miscellaneous tas3s#
he follo!ing sections are used for ad(anced operations only# hese commands ha(e the
potential to brea3 your 'cti(e )irectory installation% and they should be used only under the
e$pert guidance of Microsoft Customer Support Ser(ice representati(e or engineer#
Add- Modiy- or Delete replication lin=s
)uring normal operation% the Gno!ledge Consistency Chec3er 1GCC2 automatically manages the
replication topology for each naming conte$t held on domain controllers#
'lthough in normal practice this should not be necessary% repadmin can be used to manually
create the replication topology# his topology !ould be temporary in nature by default and !ould
last until the ne$t time the GCC is run# So !e need to engage these steps only during
troubleshooting issues related to 'cti(e )irectory replication#
)uring the normal course of operations% there is no re9uirement for manual creation of
the replication topology# -ncorrect use of this tool may ad(ersely impact the replication
topology#
#ynta.
&epadmin /add <Namin0 !on-e9-> <es- !> <+ource !> [/as(ncrep] [/s(ncdisable]
[/dsadn:< +ource ! N>] [/-ranspor-dn:< ,ranspor- N>] [/mail] [/as(nc] [/readonl(]
&epadmin /mod <Namin0 !on-e9-> <es- !> <+ource 8U*> [/readonl(] [/srcdsaaddr:< dns
address>] [/-ranspor-dn:< ,ranspor- N>] [Vnbr.la0op-ion] [@nbr.la0op-ion]
&epadmin /dele-e <Namin0 !on-e9-> <es- !> [<+ource ! #ddress>] [/localonl(]
[/nosource] [/as(nc]
he follo!ing table lists the purpose for each of the subcommands#
"ote
10=
Subcommand Purpose
add he add command !ill create a Reps/rom
attribute on the destination domain controller for
the specified naming conte$t and initiate a
replication re9uest# )uring a normal replication
cycle% the destination domain controller !ill
re9uest updates from the source domain
controller#
mod he mod command !ill modify the Reps/rom
the specified naming conte$t and initiate a
replication re9uest# )uring a normal replication
cycle% the destination domain controller !ill
re9uest updates from the source domain
controller#
delete he delete command !ill remo(e a Reps/rom
the specified naming conte$t#
he follo!ing table lists the parameters that can be used !ith the subcommands#
<Dest DC> )omain controller to !hich the lin3 is created#
<Source DC> )omain controller from !hich to source the
partition#
asyncrep Hueue the replication e(ent% but do not !ait for
the replication to complete before you return
control to the user#
syncdisable 'dd the Reps/rom attribute but do not
participate in the replication cycle# o perform
replication bet!een the destination and source
domain controllers% repadmin 0sync 0orce
must be used#
0dsadn7O<Source DC DN>
transportdn he distinguished name of the -nter Site
Message transport% only used for mail0based
108
replication#
mail specify that the replication is mail0based%
therefore re9uires the 0transportdn option#
async Hueue the add0delete operation !ithout
interrupting the current replication cycle and
return control to the user#
readonly Specify that the partition is read0only#
0srcdsaaddr7Odns addressP
nbrlagoption
localonly )o not delete the corresponding RepsTo
attribute on the source )irectory System 'gent
1)S'2#
nosource +hen you remo(e a read0only naming conte$t
such as the global catalog% the associated data
stored in the directory is remo(ed in bloc3s of
?00 ob/ects# his allo!s the 0delete command
to be re0e$ecuted !ithout ha(ing to specify the
Source )S' to remo(e the remaining ob/ects#
+hen you create temporary replication lin3s bet!een replication partners% the process could fail if
the GCC starts !hile you are performing the procedure# he GCC !ill delete any replication lin3s
for !hich no corresponding connection ob/ect e$ists#
Eecause these commands can ta3e a (ery long time to complete as they trigger the replication of
the corresponding naming conte$t% it is important to ensure that GCC do not disturb the process#
his is !here you !ould use a)-S'E.4XA)SCOAAXN.'4 !hich effecti(ely disables
capability for the GCC to translate connection ob/ects to replication lin3s#
Add- Modiy- or Delete outbound replication
partners
Similar to inbound replication 1Reps+/rom2 partners% outbound replication 1Reps+To2 partners are
instantiated from connection ob/ects by a process called VConnection ranslation#W
Eoth Reps+/rom and Reps+To attributes are for each partition and they are not replicated#
Reps+To is only needed !hen the destination re9uires the source to notify him that there is a
change in the partition at the source% and the destination should synchroni&e# Eecause Reps+To
attributes are used for notification% if the destination has a Reps+/rom mar3ed AOXAO-;B% then
the source !ill not ha(e a Reps+To#
107
)epending on the underlying operating system% sometimes you might see outbound partners
lingering# +hile +indo!s Ser(er 200, ta3es care of this% +indo!s 2000 !ould need some help
cleaning out lingering outbound partners#
#ynta.
&epadmin /addreps-o <Namin0 !on-e9-> <!> <&eps@,o !> <&eps@,o ! 8U*> &epadmin
/updreps-o <Namin0 !on-e9-> <!> <&eps@,o !> <&eps@,o ! 8U*> &epadmin /delreps-o
<Namin0 !on-e9-> <!> <&eps@,o !> <&eps@,o ! 8U*>
Subcommand Purpose
addrepsto his !ill create a Reps+To attribute on the
domain controller for the specified naming
conte$t# Ordinarily there is no re9uirement to
perform this command as the GCC !ill
automatically create the Reps+To attributes on
destination )S's based on other )S's Reps+
/rom entries#
updrepsto his !ill update the Reps+To attribute on the
conte$t# More specifically it updates the net!or3
address used by the source )S' to contact the
destination )S'#
delrepsto )elrepsto deletes the Reps+To attribute on the
conte$t#
<DC> he domain controller on !hich the Reps+To
attribute is modified#
<!eps2To DC> Outbound replication partner#
<!eps2To DC GUID> )S' globally uni9ue identifier 18U-)2 of
outbound replication partner#
110
<osting and unhosting read+only partitions
@osting and unhosting global catalog partitions is con(enient% especially !hen you !ant to ensure
a faster global catalog remo(al process# 's noted in the follo!ing table% these subcommands !ill
also facilitate remo(al of lingering ob/ects from 'cti(e )irectory#
8lobal catalog remo(al process -n +indo!s 2000 (ersions earlier than
Ser(ice Pac3 : 1SP:2% !hen the -SX8C bit is
turned off% the GCC deletes the read0only
ob/ects at a rate of only ?00 for each time the
GCC runs% !hich allo!s a ma$imum of 2000
ob/ect remo(als for each hour# his presents
some challenges in large en(ironments# -n
order to ma3e the global catalog remo(al faster%
you could potentially remo(e one partition at a
time by using the unhost subcommand#
.ingering Ob/ects ' lingering ob/ect is an ob/ect that is present on
one replica% but on another replica it has been
deleted and remo(ed from the directory by the
garbage collection process#
+hen lingering ob/ect e$ists only in one or more
read0only naming conte$ts 1global catalog2% it
ma3es it all the more difficult to delete the
ob/ect# Clearing the -SX8C bit may not al!ays
be appropriate% because it remo(es all read0
only naming conte$ts from the global catalog
ser(er#
Unhosting and rehosting a read0only naming
conte$t is therefore sometimes considered to be
a good solution% especially because you could
specify the source to be a good replica that
does not contain lingering ob/ects#
#ynta.
&epadmin /rehos- <!")*+,> <Namin0 !on-e9-> <8ood +ource ! #ddress> [/applica-ion]
&epadmin /unhos- <!")*+,> <Namin0 !on-e9-> &epadmin /removesources <!")*+,> <Namin0
!on-e9->
Subcommand Purpose
rehost 'dd a specific read0only partition to a global
111
catalog ser(er#
unhost "emo(e a specific read0only partition from a
global catalog ser(er#
removesources "emo(es all replication lin3s for a gi(en naming
conte$t# his does not delete the connection
ob/ects% so the GCC !ill build ne! lin3s on it
regular cycle as re9uired#
0listhelp#
<Good Source DC 'ddress> Specify the source domain controller#
0application 'pplication directory partition
Detecting and removing lingering obGects
here are multiple methods that are a(ailable to detect or remo(e lingering ob/ects from
'cti(e )irectory# his depends on the operating system (ersion that the domain controller is
running# "epadmin could be used to detect or remo(e lingering ob/ects from a directory partition
!hen the source and destination domain controllers are running +indo!s Ser(er 200, and
therefore the scope here is limited to the follo!ing:
-ntroduction to lingering ob/ects
"epadmin usage in +indo!s Ser(er 200,
' lingering ob/ect is an ob/ect that is present on one replica% but on another replica it has been
deleted and remo(ed from the directory by the garbage collection process#
his condition can occur for a (ariety of reasons including:
Prolonged misconfigurations 1such as those that cause e(ent -) 1,11 messages2
Prolonged errors in name resolution% authentication or the replication engine that bloc3
inbound replication#
Eringing a domain controller online after it has been offline for a period greater than the
Tomb#tone )ietime 1S.2#
112
'd(ancing system time or reducing S. (alues in an attempt to accelerate garbage
collection before end0to0end replication has ta3en place for all naming conte$ts in the forest#
Symptoms that you may ha(e lingering ob/ects:
'cti(e )irectory replication is pre(ented from occurring#
' user account that no longer e$ists still appears in the 8lobal 'ddress list for 40mail
clients#
' uni(ersal group that no longer e$ists still appears in a userIs access to3en#
40mail messages cannot be deli(ered due to duplicate e0mail address on t!o different
user ob/ects#
"egardless of the reason% a deleted ob/ect can remain on a domain controller in either of the
follo!ing circumstances:
' domain controller goes offline immediately prior to the deletion of an ob/ect on another
domain controller% and remains offline for a period that e$ceeds the tombstone lifetime#
' domain controller goes offline immediately follo!ing the deletion of an ob/ect on
another domain controller but prior to recei(ing replication of the tombstone% and remains
offline for a period that e$ceeds the tombstone lifetime#
+hat to do !ith a lingering ob/ectC
)etermining !hat to do !ith a lingering ob/ect depends on !hether or not it !as intended#
'ction 4$planation
Unintended Use repadmin to delete the lingering ob/ect on a
domain controller that is running +indo!s
Ser(er 200,#
-ntended Change the replication consistency on the
inbound domain controller 1)C2# he ob/ect !ill
be re0animated on this )C# See strict and loose
replication consistency belo!
#trict and loose replication consistency
-f the attributes of a lingering ob/ect ne(er change% the ob/ect is ne(er considered for replication#
@o!e(er% if an attribute changes% the attribute is considered for outbound replication# he problem
!ith an attribute update for a lingering ob/ect is that the recei(ing domain controller does not hold
the ob/ect for the attribute being replicated# 'n update cannot be performed because the entire
ob/ect does not e$ist on the recei(ing domain controller# +hat happens ne$t depends on the
replication consistency set on the domain controller#
"eplication consistency 4$planation
.oose +hen replication consistency is set to loose% the
11,
recei(ing domain controller detects that it does
not ha(e the ob/ect for the attribute that is being
replicated# he inbound partner re9uests the
entire ob/ect from the outbound partner% and
reanimates the ob/ect on its copy of the
directory# he same process repeats on all
domain controllers that do not ha(e a copy of
the ob/ect# his mechanism can be used to
cause lingering ob/ects to VreanimateW across the
entire forest# -f a lingering ob/ect is disco(ered
and its presence is intended% then perform any
update to the ob/ect# 's long as replication
consistency is set to loose on all domain
controllers% the ob/ect !ill be reanimated as it
replicates around the forest# V.oose replication
consistencyW is the default for +indo!s 2000
domain controllers% !ith the e$ception of domain
controllers that ha(e the MS0100:: security
rollup pac3age installed# ;or more information
about the MS0100:: security rollup pac3age%
see article 27=8<0 in the Microsoft Gno!ledge
Ease 1http:66go#microsoft#com6f!lin36C
.in3-)K122?082#
Strict he default beha(ior for domain controllers that
run +indo!s Ser(er 200, 1and domain
controllers that are upgraded from
+indo!s A :#02 is to bloc3 inbound replication
for each naming conte$t !hen a domain
controller recei(es an update to an ob/ect that it
does not ha(e# "eplication is halted in the
naming conte$t for the ob/ect until the lingering
ob/ect is remo(ed or the replication mode is set
to Vloose#W
#torage or Consistency #etting
he setting for replication consistency is in the registry on each domain controller#
@G4BX.OC'.XM'C@-A4QSBS4MQCurrentControlSetQSer(icesQA)SQParameters
4ntry name: Strict "eplication Consistency
)ata type: "48X)+O")
>alues: 1 for enabled^ 0 for disabled
)efault: 1 1enabled2
11:
here !as a post0SP2 hotfi$ 1also included in the security rollup pac3age from
Ao(ember 20012 that used a different registry (alue# ' setting of 0 !ill not recreate the
missing ob/ect 1strict2% and a setting of 1 !ill create the missing ob/ect# his (alue is only
needed !ith the Ao(ember (ersion of the hotfi$#
>alue Aame: Correct Missing Ob/ects
)ata type: "48X)+O")
>alue data: 1
he repadmin 6remo(elingeringob/ects command does the follo!ing:
)esignates an up0to0date domain controller as the authority#
Compares the 'cti(e )irectory database ob/ects on the authoritati(e ser(er !ith the
ob/ects that are on the suspected domain controller that contains the lingering ob/ects#
+ith 0advisoryEmode% the subcommand logs the potential deletions to the )irectory
Ser(ice log#
+ithout 0advisoryEmode% the subcommand remo(es the lingering ob/ects#
#ynta.
&epadmin /removelin0erin0ob7ec-s <es-"!")*+,> <+ource ! 8U*> <N!> [/#M*+6&Q"$6%]
<Dest_DC_LIST> he domain controller that is suspected to ha(e
lingering ob/ects#
<Source DC GUID> Source domain controller 8U-) used to
compare !ith the suspected domain controller#
<NC> Specifies the distinguished name of the
0AD(I#OR?EMOD> "ead0only mode#
)uring lingering ob/ect remo(al% 4(ent -) 17,= is logged to the )irectory Ser(ice log#
his information includes the source domain controller% the ob/ects that are remo(ed% and
a total count of all the ob/ects that are remo(ed#
Advanced domain controller options
Ey using the option subcommand% !e could change the options attribute stored on the A)S
Settings Ob/ect# he options attribute determines the follo!ing beha(iors on a domain controller:
8lobal catalog installation and remo(al
4nable or disable inbound or outbound replication
"otes "ote
11?
)isable connection translation
Aote that disabling inbound or outbound replication is specific to the domain controller !here you
target the operation# So this does not disable intrasite or intersite replication# -t /ust disables
'cti(e )irectory replication for that domain controller# -f the domain controller happens to be the
bridgehead ser(er and the -ntersite opology 8enerator 1-S82 is disabled% then effecti(ely
intersite replication to and from that site is disabled#
#ynta.
&epadmin /op-ions <!> [{V|@} *+"8!] [{V|@} *+#;)%"*N;6UN"&%P)] [{V|@
*+#;)%"6U,;6UN"&%P)] [{V|@} *+#; )%"N,+!6NN"W)#,%]
aS0 turns on or off the associated parameter#
<DC> )omain controller
I#E*C )S' is a global catalog ser(er#
DI#AK)>EI"KOU"DER>P) )isables inbound replication#
DI#AK)>EOUTKOU"DER>P) )isables outbound replication#
DI#AK )>E"TD#CO""EV)AT> urns off the capability of the GCC to translate
connection ob/ects to replication lin3s#
he follo!ing table lists the possible (alues for the options attribute#
>alue )escription
1 8lobal catalog ser(er
2 )isable inbound replication
, 2 a 1
: )isable outbound replication
? : a 1
< : a 2
= : a 2 a 1
8 )isable connection translation
he follo!ing table lists the purpose for the possible procedures using the options attribute#
Procedure Purpose
11<
)isable Outbound "eplication Use this procedure to disable 'cti(e )irectory
replication from a domain controller# he
domain controller continues to recei(e inbound
replication#
Repadmin 0options <ServerName>
WdisableEoutboundErepl !here
<ServerName> is the name of the domain
controller on !hich you !ant to disable
outbound replication# he tool reports the
current options 1the options that !ere in effect
prior to pressing 4A4"2 and the ne! options
1all options that are in effect after pressing
4A4"2#
)isable inbound "eplication Similar to the abo(e step you could disable
inbound replication to a ser(er as !ell#
repadmin 0options <ServerName>
WdisableEinboundErepl
)isable the ability of the GCC to translate
connection ob/ects#
+hen creating temporary replication lin3s
bet!een replication partners% the process could
fail if the GCC starts !hile you perform the
procedure# he GCC !ill delete any replication
lin3s for !hich no corresponding connection
ob/ect e$ists#
Advanced site options
Ey using the siteoptions subcommand% !e could change the options attribute stored on the
A)S Site Settings Ob/ect#
#ynta.
&epadmin /si-eop-ions <!> /si-e:< +i-e> [{V|@}*+"#U,6",6P6)68Q"*+#;)%] [{V|@}
*+",6P)"!)%#NUP"*+#;)%] [{V|@} *+",6P)"$*N":6P+"*+#;)%] [{V|@}
*+",6P)"%,%!,"+,#)%"*+#;)%] [{V|@} *+"*N,%&"+*,%"#U,6",6P6)68Q"*+#;)%] [{V|@}
*+"8&6UP"!#!:*N8"%N#;)%] [{V|@} I6&!%"J!!"L:*+,)%&";%:#M*6&] [{V|@}
I6&!%"J!!"L5J"%)%!,*6N] [{V|@} *+"&#N";:"+%)%!,*6N"*+#;)%] [{V|@}
*+"+!:%U)%":#+:*N8"%N#;)%] [{V|@} *+"&%UN#N,"+%&M%&",6P6)68Q"%N#;)%]
<DC> )omain controller
site: OSiteP Site name !here the domain controller
11=
resides
-SX'UOXOPO.O8BX)-S'E.4) )isables the automatic generation of
intra0site topology#
-SXOP.XC.4'AUPX)-S'E.4) )isables the cleanup or unneeded
connection ob/ects and replication lin3s#
-SXOP.XM-AX@OPSX)-S'E.4) )isables the GCC rule that all intrasite
replication partners should be no more
than three hops from any other partner#
-SXOP.X)44CXS'.4X)-S'E.4) )isables the detection by the GCC of
failing replication lin3s and the beha(ior of
the GCC to route around failing lin3s# Use
this !ith the GCC Eranch Office mode#
-SX-A4"XS-4X'UOXOPO.O8BX)-S'E.4) )isables the automatic generation of the
intersite topology# Commonly used for
creating manual connections% either by
hand or !ith MG)SN#
-SX8"OUPXC'C@-A8X4A'E.4) 4nables group caching for use !ith Vno0
8C logon#W his setting is also e$posed in
the U- of 'cti(e )irectory Sites and
Ser(ices#
;O"C4XGCCX+@-S.4"XE4@'>-O" ;orces the GCC to operate using the ne!
spanning tree algorithm# -tIs not
recommended to manually change this
setting# he recommended alternati(e is
to raise the forest functional le(el to
+indo!s Ser(er 200,#
;O"C4XGCCX+2GX4.4C-OA ;orces the +indo!s 2000 domain
controller -S8 election logic# he default
is for any +indo!s Ser(er 200, domain
controller to assume the -S8 role#
-SX"'A)XE@XS4.4C-OAX)-S'E.4) )isables the ne! random bridgehead
selection beha(ior# "e(erts to
+indo!s 2000 GCC beha(ior of using a
single bridgehead ser(er#
-SXSC@4)U.4X@'S@-A8X4A'E.4) Creates a random schedule on each ne!
connection ob/ect based in hashed (alue#
@elps to balance the load on bridgehead
ser(ers#
118
-SX"4)UA)'AXS4">4"XOPO.O8BX4A'E.4) Creates t!o inbound connection ob/ects
from different domain controllers in a hub
site# "educes impact on ;"S 1((/oin2
during failo(er#
Miscellaneous
he follo!ing table lists nbrflagoptions#
SBACXOAXS'"UP "eplication of this naming conte$t from this
source is attempted !hen the destination ser(er
is booted# his normally only applies to intra0
site neighbors#
)OXSC@4)U.4)XSBACS Perform replication on a schedule# his flag is
normally set unless the schedule for this
naming conte$t and source is \ne(er\% that is%
the empty schedule#
+"-4'E.4 he local copy of the naming conte$t is
!ritable#
+OX+'BXSBAC -f set% indicates that !hen inbound replication is
complete% the destination ser(er must tell the
source ser(er to synchroni&e in the re(erse
direction# his feature is used in dial0up
scenarios !here only one of the t!o ser(ers
can initiate a dial0up connection# ;or e$ample%
this option !ould be used in a corporate
head9uarters and branch office% !here the
branch office connects to the corporate
head9uarters o(er the -nternet by means of a
dial0up -SP connection#
A4>4"XSBAC4) Synchroni&ation has ne(er been successfully
completed from this source#
-8AO"4XC@'A84XAO-;-C'-OAS his neighbor is set to disable notification0
based synchroni&ations# +ithin a site% domain
controllers synchroni&e !ith each other based
on notifications !hen changes occur# his
setting pre(ents this neighbor from performing
synchroni&ations that are triggered by
notifications# he neighbor !ill still do
117
synchroni&ations based on its schedule% or in
response to manually re9uested
synchroni&ations#
)-S'E.4XSC@4)U.4)XSBAC his neighbor is set to not perform
synchroni&ations based on its schedule# he
only !ay this neighbor !ill perform
synchroni&ations is in response to change
notifications or to manually re9uested
synchroni&ations#
COMP"4SSXC@'A84S Changes recei(ed from this source are to be
compressed# his is normally set if% and only if%
the source ser(er is in a different site#
AOXC@'A84XAO-;-C'-OAS Ao change notifications should be recei(ed
from this source# Aormally set if% and only if% the
source ser(er is in a different site#
120

Rep Admin

Hochgeladen von

Dokumentinformationen

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Rep Admin

Hochgeladen von

Copyright:

Verfügbare Formate

Monitoring and troubleshooting Active

Directory replication using Repadmin

Das könnte Ihnen auch gefallen