Basic Active Directory replication troubleshooting using PowerShell

Almost all roles and features that ship with Windows include PowerShell modules. The Active Directory PowerShell module provides the cmdlets needed to manage Active Directory and its components, including Active Directory replication. With the replication cmdlets you can modify replication connection objects as well as troubleshoot Active Directory replication issues. This article provides some basic information on how to troubleshoot Active Directory replication using PowerShell cmdlets.

Starting with Windows Server 2012, Microsoft provides Active Directory replication PowerShell cmdlets that can be used to troubleshoot replication issues. In earlier versions of Windows you had to use the Repadmin command-line utility, because those versions did not ship PowerShell cmdlets for Active Directory replication. There are five basic PowerShell cmdlets for troubleshooting Active Directory replication: Get-ADReplicationFailure, Get-ADReplicationAttributeMetadata, Get-ADReplicationPartnerMetadata, Get-ADReplicationQueueOperation, and Get-ADReplicationUpToDatenessVectorTable. Let's look at some examples of using these cmdlets.

Checking Active Directory replication status throughout a forest

You can use a single PowerShell command to check replication status throughout the Active Directory forest. By executing Get-ADReplicationPartnerMetadata with the parameters shown below, you get a complete view of replication across the forest:

Get-ADReplicationPartnerMetadata -Target * -Scope Server | Where-Object {$_.LastReplicationResult -ne "0"} | Format-Table Server, LastReplicationAttempt, LastReplicationResult, Partner, Site

In the above command, "*" is passed to the -Target parameter so that every domain controller is queried, and the condition ($_.LastReplicationResult -ne "0") returns only the domain controllers whose last replication attempt failed. The output shows the domain controller name, the time of the last replication attempt, the LastReplicationResult value, the partner with which replication failed, and the site of the domain controller.
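The one-liner above only catches links whose last attempt returned an error. A partner that has not replicated successfully for a long time but whose last attempt happened to succeed, or that has not been attempted at all, will not show up, even though it is just as much of a risk (lingering objects, stale group membership on the DC that authenticates users). The following script is an added example and is not code from the original article: it builds on Get-ADReplicationPartnerMetadata to classify every inbound link in the forest as Failed, Stale or OK. It assumes the ActiveDirectory module is installed and that the caller can query every DC; the 24-hour staleness threshold is an assumed default.

```powershell
# Added example, not code from the original article: a forest-wide replication
# health report built on Get-ADReplicationPartnerMetadata. Assumes the
# ActiveDirectory module is installed and the caller can query every DC.
Import-Module ActiveDirectory

function Get-ReplicationHealthReport {
    param(
        # Partners whose last successful replication is older than this are
        # flagged as Stale even when the last attempt did not return an error.
        # The threshold is an assumption; tune it to your topology and schedules.
        [int]$StaleHours = 24,

        # Return only Failed and Stale rows.
        [switch]$ProblemsOnly
    )

    $cutoff = (Get-Date).AddHours(-$StaleHours)

    # -Target '*' with -Scope Server enumerates every DC in the forest. Each
    # returned object describes one inbound partner/partition pair of that DC.
    $rows = Get-ADReplicationPartnerMetadata -Target '*' -Scope Server -ErrorAction SilentlyContinue |
        ForEach-Object {
            $status = if ($_.LastReplicationResult -ne 0) {
                'Failed'
            } elseif ($_.LastReplicationSuccess -lt $cutoff) {
                'Stale'
            } else {
                'OK'
            }

            [pscustomobject]@{
                Status                         = $status
                Server                         = $_.Server
                Partner                        = $_.Partner
                Partition                      = $_.Partition
                LastReplicationAttempt         = $_.LastReplicationAttempt
                LastReplicationSuccess         = $_.LastReplicationSuccess
                LastReplicationResult          = $_.LastReplicationResult
                ConsecutiveReplicationFailures = $_.ConsecutiveReplicationFailures
            }
        }

    if ($ProblemsOnly) {
        $rows = $rows | Where-Object { $_.Status -ne 'OK' }
    }

    # Worst problems first: failures, then stale links, ordered by how long
    # the partner has gone without a successful replication.
    $rows | Sort-Object @{ Expression = { switch ($_.Status) { 'Failed' { 0 } 'Stale' { 1 } default { 2 } } } },
                        LastReplicationSuccess
}

# Usage: the links that need attention, then a count of links per DC and status.
Get-ReplicationHealthReport -ProblemsOnly | Format-Table -AutoSize
Get-ReplicationHealthReport | Group-Object Server, Status | Select-Object Name, Count
```

The -ErrorAction SilentlyContinue keeps the report running when one DC is unreachable; an unreachable DC still surfaces indirectly, because every partner that pulls from it will show up as Failed or Stale.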

Checking domain controllers for replication failures

As the name suggests, the Get-ADReplicationFailure cmdlet quickly shows whether there are any replication errors on an Active Directory domain controller. For example, the command below checks for replication failures on a specific domain controller:

Get-ADReplicationFailure TGDC1.TechGenix.com

The above command shows any replication errors on the TGDC1.TechGenix.com domain controller, including failure counts, the last error, and the replication partners with which replication failed. You can also define the scope of the replication check with the -Scope parameter, as in the command below:

Get-ADReplicationFailure -Scope Site -Target Seattle | Format-Table Server, FirstFailureTime, FailureCount, LastError, Partner -AutoSize

The above command shows the replication status of the Seattle site. To export the output to a file, pipe the results to Export-Csv. Export-Csv must receive the objects themselves rather than Format-Table output (Format-Table emits formatting records, which produce an unusable CSV), so pick the columns with Select-Object instead, as shown in the command below:

Get-ADReplicationFailure -Scope Site -Target Seattle | Select-Object Server, FirstFailureTime, FailureCount, LastError, Partner | Export-Csv C:\Temp\ReplStatusSeattleSite.CSV -NoTypeInformation
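Per-DC and per-site views are useful when you already know where the problem is. When you do not, it helps to pull failures for the whole forest in one call and group them by error code, since one root cause (a blocked port, a broken secure channel, DNS) usually shows up as the same LastError on many links. The script below is an added example and not code from the original article; it assumes the forest name TechGenix.Local (taken from the article's domain partition) and an assumed output path.

```powershell
# Added example, not code from the original article: summarise replication
# failures across the whole forest by error code and export the raw rows to
# CSV. The forest name TechGenix.Local and the CSV path are assumptions.
Import-Module ActiveDirectory

function Get-ReplicationFailureSummary {
    param(
        [string]$Forest  = 'TechGenix.Local',
        [string]$CsvPath = 'C:\Temp\ReplFailures.csv'
    )

    # -Scope Forest collects Get-ADReplicationFailure from every DC in one call.
    $failures = Get-ADReplicationFailure -Scope Forest -Target $Forest -ErrorAction SilentlyContinue

    # Export-Csv must receive objects, not Format-Table output, so select the
    # properties first; -NoTypeInformation keeps the type header out of the file.
    $failures |
        Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
        Export-Csv -Path $CsvPath -NoTypeInformation

    # One row per error code: which DCs report it, how many partners are
    # affected, and how long the oldest failure has persisted. LastError is a
    # Win32 error code; resolve it with "net helpmsg <code>" or "certutil -error <code>".
    $failures | Group-Object LastError | ForEach-Object {
        [pscustomobject]@{
            LastError     = $_.Name
            Servers       = ($_.Group.Server  | Sort-Object -Unique) -join ', '
            Partners      = @($_.Group.Partner | Sort-Object -Unique).Count
            TotalFailures = ($_.Group | Measure-Object FailureCount -Sum).Sum
            OldestFailure = ($_.Group.FirstFailureTime | Sort-Object | Select-Object -First 1)
        }
    } | Sort-Object TotalFailures -Descending
}

# Usage: the error code with the most failures and the oldest FirstFailureTime
# is normally the one to chase first.
Get-ReplicationFailureSummary | Format-Table -AutoSize
```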

Collecting domain controller metadata information for troubleshooting

If you are troubleshooting a specific domain controller for replication issues, Get-ADReplicationPartnerMetadata shows metadata about replication on that domain controller, including LastChangeUSN, the date and time of the last replication attempt, and the date and time of the last successful replication with each partner. The command below shows this metadata for the TGDC1.TechGenix.com domain controller.

Get-ADReplicationPartnerMetadata -Target TGDC1.TechGenix.com

Checking domain controller USN

When troubleshooting replication issues, check the update sequence number (USN) on each domain controller to see how up to date it is with its replication partners. For example, when you modify an object on the local domain controller, the USN for that object is incremented by one, and that USN must be replicated to the partner domain controller. Let's say you want to see the highest USN for the domain partition (TechGenix.Local) on two domain controllers to confirm that both hold the up-to-date copy of the partition.

Get-ADReplicationUpToDatenessVectorTable -Target TGDC1 -Scope Server
Get-ADReplicationUpToDatenessVectorTable -Target TGDC2 -Scope Server

The above commands list the USNs for the domain partition on TGDC1 and TGDC2; the USNs should match if both domain controllers hold a current copy of the domain partition.
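Comparing the two outputs by eye gets tedious quickly, because each DC's up-to-dateness vector has one row per originating DC in the forest. The script below is an added example and not code from the original article: it reads the vector of two DCs for one partition, matches the rows by the originating partner's invocation ID, and reports each partner where the highest applied USN differs. The DC names TGDC1 and TGDC2 and the partition DC=TechGenix,DC=Local are taken from the article; everything else is assumed.

```powershell
# Added example, not code from the original article: compare the up-to-dateness
# vectors of two DCs for one partition and report every originating partner
# whose highest applied USN differs. DC and partition names are assumed from
# the article (TGDC1, TGDC2, DC=TechGenix,DC=Local).
Import-Module ActiveDirectory

function Compare-DcUpToDatenessVector {
    param(
        [Parameter(Mandatory)][string]$ReferenceDc,
        [Parameter(Mandatory)][string]$DifferenceDc,
        [string]$Partition = 'DC=TechGenix,DC=Local'
    )

    # Each vector row means "this DC has applied every change originated by
    # <Partner> up to USN <UsnFilter>". Rows are keyed by the originating DC's
    # invocation ID, which stays stable across renames and DNS changes.
    function Read-Vector([string]$Dc) {
        $table = @{}
        Get-ADReplicationUpToDatenessVectorTable -Target $Dc -Scope Server -Partition $Partition |
            ForEach-Object { $table[$_.PartnerInvocationId.ToString()] = $_ }
        $table
    }

    $ref  = Read-Vector $ReferenceDc
    $diff = Read-Vector $DifferenceDc

    foreach ($id in (@($ref.Keys) + @($diff.Keys) | Sort-Object -Unique)) {
        $r = $ref[$id]
        $d = $diff[$id]
        $refUsn  = if ($r) { $r.UsnFilter } else { $null }
        $diffUsn = if ($d) { $d.UsnFilter } else { $null }

        [pscustomobject]@{
            Partner       = if ($r) { $r.Partner } else { $d.Partner }
            Partition     = $Partition
            ReferenceUsn  = $refUsn
            DifferenceUsn = $diffUsn
            # A partner missing from one vector, or two different USNs, both mean
            # the two DCs have not converged on that partner's changes.
            InSync        = ($null -ne $refUsn -and $refUsn -eq $diffUsn)
            Lag           = if ($null -ne $refUsn -and $null -ne $diffUsn) { [math]::Abs($refUsn - $diffUsn) } else { $null }
        }
    }
}

# Usage: only the rows that are out of sync are worth a second look.
Compare-DcUpToDatenessVector -ReferenceDc TGDC1 -DifferenceDc TGDC2 |
    Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

A small lag on a busy originating DC is normal between replication cycles; a lag that keeps growing, or a partner present in one vector and absent from the other, is the sign that one of the two DCs is not receiving that partner's changes.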

If a specific domain controller has been unable to send or receive replication changes for a long time, first verify that it has no pending replication operations by running the command below:

Get-ADReplicationQueueOperation -Target TGDC1.TechGenix.com

After you have fixed the replication issues on the domain controller in question, you can run the same command to check the state of pending replication changes. Once the problem is fixed, the queue should be empty.

If you need to check the replication status of a specific Active Directory object, say a user account, use the Get-ADReplicationAttributeMetadata cmdlet as shown below. The -Server parameter is required and names the domain controller whose copy of the metadata is read:

Get-ADReplicationAttributeMetadata -Object "CN=TestUser1,CN=Users,DC=TechGenix,DC=Local" -Server TGDC1.TechGenix.com -ShowAllLinkedValues
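Attribute metadata answers two questions that matter both when troubleshooting and when investigating an unexpected change: has this object's state converged on every DC, and which DC originated the last write to each value. The script below is an added example and not code from the original article: it reads the metadata of one object from several DCs, compares the per-attribute version numbers, and reports the originating DC and time of the most recent change. The object and DC names in the usage line are assumed, built from the article's TechGenix domain.

```powershell
# Added example, not code from the original article: check how one object's
# attributes have replicated by comparing their metadata across several DCs,
# and show which DC originated the last change to each value. The object and
# DC names used below are assumptions based on the article's domain.
Import-Module ActiveDirectory

function Compare-ObjectAttributeMetadata {
    param(
        [Parameter(Mandatory)][string]$Identity,   # DN, GUID or SID of the object
        [Parameter(Mandatory)][string[]]$Server,   # two or more DCs to compare
        [string[]]$Attribute                       # optional: limit to these attributes
    )

    # Read the metadata from each DC. -Server is mandatory for this cmdlet;
    # -ShowAllLinkedValues yields one row per linked value (e.g. each group member).
    $byServer = @{}
    foreach ($dc in $Server) {
        $byServer[$dc] = @{}
        Get-ADReplicationAttributeMetadata -Object $Identity -Server $dc -ShowAllLinkedValues |
            Where-Object { -not $Attribute -or $Attribute -contains $_.AttributeName } |
            ForEach-Object {
                # Key on name and value so that linked values do not collide.
                $byServer[$dc]['{0}|{1}' -f $_.AttributeName, $_.AttributeValue] = $_
            }
    }

    $keys = $byServer.Values | ForEach-Object { $_.Keys } | Sort-Object -Unique
    foreach ($k in $keys) {
        $rows = foreach ($dc in $Server) { if ($byServer[$dc].ContainsKey($k)) { $byServer[$dc][$k] } }
        # One version per DC, in -Server order; 'missing' means that DC has not
        # received the value at all.
        $versions = foreach ($dc in $Server) {
            if ($byServer[$dc].ContainsKey($k)) { [string]$byServer[$dc][$k].Version } else { 'missing' }
        }
        # The newest row tells you where and when the last originating write happened.
        $latest = $rows | Sort-Object LastOriginatingChangeTime -Descending | Select-Object -First 1

        [pscustomobject]@{
            Attribute      = $latest.AttributeName
            Value          = $latest.AttributeValue
            Versions       = ($versions -join ' / ')
            InSync         = (@($versions | Sort-Object -Unique).Count -eq 1)
            LastChangedOn  = $latest.LastOriginatingChangeDirectoryServerIdentity
            LastChangedAt  = $latest.LastOriginatingChangeTime
            OriginatingUsn = $latest.LastOriginatingChangeUsn
        }
    }
}

# Usage: has the membership of a sensitive group converged on both DCs, and
# which DC last wrote each member? (assumed group and DC names)
Compare-ObjectAttributeMetadata -Identity 'CN=Domain Admins,CN=Users,DC=TechGenix,DC=Local' `
    -Server TGDC1.TechGenix.com, TGDC2.TechGenix.com -Attribute member |
    Format-Table -AutoSize
```

Rows with InSync set to false are the ones still in transit (or stuck, if the partner checks above show failures). LastChangedOn is also the place to start when a change was not expected: it tells you on which DC the write was made, so you know whose security log to look at.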

Active Directory replication troubleshooting made easy

With these useful PowerShell commands, you can make the sometimes laborious process of troubleshooting Active Directory replication issues a lot easier. And with the Get-ADReplicationUpToDatenessVectorTable, you can check if two or more domain controllers have the updated copy of the domain partition.
