Repadmin Tool: Checking Active Directory Replication Status

To keep your Active Directory domain in a healthy state, you should periodically check the replication between domain controllers using the repadmin and dcdiag tools (we looked at using the dcdiag utility in a previous post). Active Directory replication is fully automated, and with proper planning and configuration of the AD architecture, sites, and replication schedules, it requires almost no manual replication management by the system administrator. Indeed, in small AD domains with several DCs (2-5), there are usually almost no problems with replication. But in large infrastructures with tens or hundreds of domain controllers, the domain administrator often has to intervene in the replication process and correct errors.

The repadmin command line tool can be used to monitor replication, track replication failures between domain controllers, and force data replication.

The repadmin utility in Windows Server 2003 was included in the Support Tools package, which needed to be downloaded and installed manually. In Windows Server 2008 R2 and higher, the repadmin tool is automatically installed on the domain controller when you install the ADDS (Active Directory Domain Services) role.

You can install repadmin on desktop Windows versions (Windows 10/8.1/7). To do this, install RSAT and enable the AD DS and AD LDS Tools option.

To use repadmin, open a command prompt as administrator. You can list the full syntax of the command by typing:

repadmin /?

Usage: repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password|*}]




As you can see, the command has quite a few options. Let’s try to study some useful examples of using repadmin.

To quickly check the health of replication between domain controllers, the following command is usually used:

Repadmin /replsummary


In this example, there are only 2 domain controllers in the AD domain, and there are currently no replication errors between them. Each server acts as both a Source DSA and a Destination DSA.

To check the remaining number of AD directory objects in the replication queue, run:

Repadmin /Queue


Queue contains 0 items.

Using the command Repadmin /Showrepl, you can display the replication status for the current DC. It displays the time of the last attempt to replicate Active Directory partitions. If you suspect that a particular domain controller is not receiving replication updates, run this command for it.
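The /showrepl output can also be emitted as CSV (repadmin /showrepl * /csv) and filtered instead of read by eye. The following is an added example, not part of the original article: it flags replication links that report failures or whose last success is older than a threshold. The sample rows, DC names, the Get-ReplicationProblem function name and the 24-hour threshold are constructed for illustration, and the column headers and timestamp format are assumed to match the /csv output.

```powershell
# Constructed sample in the shape of `repadmin /showrepl * /csv` output.
# DC names, sites and timestamps are made up; column headers are the assumed
# /csv layout. For live data use:  $csv = repadmin /showrepl * /csv
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=theitbros,DC=com",HQ,DC02,RPC,0,0,2024-05-01 09:58:11,0
showrepl_INFO,HQ,DC02,"DC=theitbros,DC=com",HQ,DC01,RPC,3,2024-05-01 09:45:02,2024-04-30 22:14:37,1722
showrepl_INFO,HQ,DC02,"CN=Configuration,DC=theitbros,DC=com",HQ,DC01,RPC,0,0,2024-04-28 03:10:00,0
'@ -split "`r?`n"

function Get-ReplicationProblem {
    param(
        [string[]]$CsvLine,
        [datetime]$Now = (Get-Date),
        [int]$MaxAgeHours = 24          # hypothetical staleness threshold
    )
    $inv = [cultureinfo]::InvariantCulture
    $none = [System.Globalization.DateTimeStyles]::None
    foreach ($row in ($CsvLine | ConvertFrom-Csv)) {
        $failures = [int]$row.'Number of Failures'
        $lastOk = [datetime]::MinValue
        # Assumed timestamp format; a value such as "0" means no success recorded
        $parsed = [datetime]::TryParseExact($row.'Last Success Time',
            'yyyy-MM-dd HH:mm:ss', $inv, $none, [ref]$lastOk)
        $reason = @()
        if ($failures -gt 0) {
            $reason += "failures=$failures status=$($row.'Last Failure Status')"
        }
        if (-not $parsed) {
            $reason += 'no successful replication recorded'
        } elseif (($Now - $lastOk).TotalHours -gt $MaxAgeHours) {
            $reason += 'last success {0:N1}h ago' -f ($Now - $lastOk).TotalHours
        }
        if ($reason.Count -gt 0) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Problem       = $reason -join '; '
            }
        }
    }
}

# Fixed "now" so the constructed sample gives the same result on every run
Get-ReplicationProblem -CsvLine $csv -Now ([datetime]'2024-05-01 10:00:00') |
    Format-Table -AutoSize
```

With the constructed sample, the healthy DC02 to DC01 link is skipped, and the two DC01 to DC02 links are reported: one for its failure count and one because its last success is more than 24 hours old.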


Tip. To display detailed information in any command, use the parameter /verbose.

The basic availability of the LDAP directory on a specific DC can be checked with the command:

repadmin /bind

You can force the specified domain controller to replicate with all of its replication partners using the command:

Repadmin /syncall

It is not recommended to run this command in large Active Directory domains, since you can cause a heavy load on the network.

To start replicating all Active Directory partitions across the entire forest, run the command:

Repadmin /syncall /AeS

When using this command, high load on communication channels is also possible.

The Repadmin /kcc command tells the KCC (Knowledge Consistency Checker) on the specified DC to immediately recalculate the incoming replication topology (it runs automatically every 15 minutes).

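The Repadmin /replicate command allows you to replicate a specific directory partition from the source DC to the target. The command takes the destination DC, the source DC, and the naming context of the partition. For example (replace the placeholders with the names of your domain controllers):

repadmin /replicate <DestinationDC> <SourceDC> dc=theitbros,dc=com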
