Troubleshooting Active Directory replication issues

Active Directory is the core subsystem for applications that require authentication and authorization services. About 90 percent of organizations are using Active Directory to provide an identity management system. Active Directory replication ensures that changes to any objects such as user or security group or group policy are replicated to all the domain controllers in an active directory domain. There are two types of replication in Active Directory; changes that need to be replicated to all the domain controllers of a domain and changes that need to be replicated to all domain controllers in an Active Directory forest. You need to ensure that Active Directory replication is working as expected. You can run various tools provided by Microsoft to check replication status. In this article, we will explain how you can check Active Directory replication status and troubleshoot replication issues, if any.

Using RepAdmin tool

RepAdmin tool has been in use for several years. It still exists with the newer version of Windows operating system such as Windows Server 2016. RepAdmin provides various options that you can use to check the status replication in an Active Directory site, in a domain, and forest-wide replication status. Here are some useful examples of the RepAdmin tool:

The most common parameter that Active Directory admins use with the RepAdmin tool is the “ReplSummary” parameter as shown in the command below:

RepAdmin /ReplSummary

The command contacts all domain controllers in the Active Directory forest and collects a summary of Active Directory replication. This is the quickest way to check if there are any errors in the Active Directory replication. When you run the command, it shows a summary of replication as seen in the screenshot below:

Active Directory Replication

 

As you can see in the screenshot, the RepAdmin command shows the error “The RPC Server is unavailable” for one of the domain controllers. You can see a total of five replication attempts were made and those failed. The “RPC Server is unavailable” error indicates issues with the DNS configuration on the domain controller or the domain controller is not able to reach its replication partner.

In case you would like to see how many items are in the replication queue on a domain controller, run the RepAdmin /Queue command. The command will display “0” if there are no pending replication operations on the local domain controller.

Starting with Windows Server 2012, Microsoft provides PowerShell cmdlets to check Active Directory replication status and troubleshoot any replication issues. There are several PowerShell replication cmdlets available, but the one that helps you identify any issues with the replication is Get-ADReplicationFailure. As the name suggests, Get-ADReplicationFailure checks replication status for a specific or all domain controllers and then displays any errors that have been encountered in the Active Directory. For example, to get the replication status for a particular domain controller, total failure counts, last error that was reported, and the replication partner it failed to replicate with, execute this command from a PowerShell prompt:

Get-ADReplicationFailure TGAD1.TechGenix.coma

While the above command checks replication status for a particular command, the command below checks replication status for all domain controllers in a specific Active Directory site:

Get-ADReplicationFailure –Scope SITE –Target London | Format-Table Server, FirstFailureTime, FailureCount, LastError, Partner -Auto

The PowerShell command above checks all domain controllers in the “London” Active Directory site and shows the last date and time of the first failure and other details such as total failures, last error number, etc. In case you need to convert an error number into a descriptive text, run NET HELPMSG <Error Number>.

A better insight into Active Directory replication

We provided a few examples of using RepAdmin to check Active Directory replication status and troubleshoot any replication issues that turn up. We also explained how you can use Get-ADReplicationFailure PowerShell cmdlet to quickly identify any Active Directory replication issues. Though there are other ways to check replication status and troubleshoot replication issues, running the commands explained in this article should you give you an insight of Active Directory replication.

Photo credit: Shutterstock

Leave a Comment

Your email address will not be published.

Scroll to Top