The continuous monitoring of the health of all your critical IT systems is an essential requirement to help prevent system downtime and mitigate the damage associated with workplace server disruptions.
Monitoring the replication status of the Active Directory (AD) environment ensures that AD performance is optimized, and any errors are identified and fixed as soon as possible.
In this article, we will explain how to check AD replication status using the native methods of Repadmin and PowerShell and then take a look at a more straightforward way to do this using the Lepide Data Security Platform dashboard.
What is Active Directory Replication?
The information stored in Active Directory is constantly being modified or updated. When information is updated on one domain controller (DC) of the AD network, all the other DCs in the network need to receive the new information. This is done in Active Directory through a process called replication.
The replication process ensures that all the controllers store the same set of information and are in sync with each other. Replication in Active Directory is independent of the forest, tree or domain structure.
Before Windows Server 2000, Windows NT followed a master-slave approach by employing a single, writable Primary Domain Controller (PDC) and multiple associated, read-only Backup Domain Controllers (BDCs). The main shortcoming of this model was that no changes could be made to the database if the PDC was unavailable. In the multi-master approach, by contrast, all the domain controllers act as masters and have both read and write access. This makes replication more synchronous and easier to manage.
Types of Active Directory Replication
Active Directory replication can be classified into two types and these are discussed as follows:
1. Intra-site Replication: As the name suggests, intra-site replication takes place between domain controllers within the same site. This process is quite straightforward and, regardless of the number of domain controllers, any directory update will be replicated in less than a minute. This replication is performed within a site by means of the ring topology and does not need to be configured manually, as it occurs automatically within the site.
2. Inter-site Replication: If the Active Directory infrastructure contains more than one site, a change made on a domain controller in one site needs to be replicated to domain controllers in the other sites. This is known as inter-site replication. This type of replication takes place by means of site links and also utilizes the ring topology, but it is different from intra-site replication. Inter-site replication occurs between two domain controllers called bridgeheads. At least one domain controller within each site is assigned the role of bridgehead. In contrast to intra-site replication, inter-site replication must be configured and does not occur automatically.
Methods to check Active Directory Replication
If there are problems in replication between domain controllers, this can lead to issues such as authentication failures and the failure to access network resources. This can then lead to disruptions in the functioning of the organization. To overcome these problems, replication between domain controllers must be monitored regularly. This can be achieved by using tools such as Repadmin, the Active Directory Replication Status Tool or by using Windows PowerShell.
Using Repadmin to check Active Directory Replication
Repadmin is a command line tool that is used for checking the replication status, diagnosing replication failures and troubleshooting replication errors. Windows Server 2003 and later versions of Windows Server have Repadmin.exe built in and it can be run as a Domain Administrator or Enterprise Administrator.
The repadmin.exe tool provides a convenient way to check and resolve the replication problems that occur in Active Directory. The same functions can also be performed using Windows PowerShell commands, which are explained later in this guide.
Repadmin can be used by following the steps below:
- From the Start menu, right-click on Command Prompt
- Click on Run as Administrator. This opens an elevated command prompt
- Run the ntdsutil command from the elevated command prompt
This will open Repadmin.exe. Among other functions, this can be used to check the replication status, view the replication topology, create replication topology and force replication between domain controllers.
The commands for some basic operations using Repadmin are given as follows:
repadmin /replsummary
This command is used to provide the replication status within the Active Directory forest. It also displays the number of failed replication attempts relative to the total number of attempts. It identifies the domain controllers that have failed replication (both inbound and outbound) and summarizes the results.
repadmin /showrepl
This command is used to obtain detailed information regarding the replication attempts. It also gives an overview of the replication topology. It helps identify the specific domain controller that has failed to replicate while troubleshooting. This command can also be modified to show the replication partners for a specific domain controller. This can be done by specifying the hostname of the domain controller after the repadmin /showrepl command. For example, repadmin /showrepl DC02.
This command can also be modified to display only the errors using: repadmin /showrepl /errorsonly.
repadmin /queue
This command can be used to get the queue status of the domain controller. It displays the inbound replication requests that must be issued by the domain controller. The number of items in the queue is also displayed. A replication problem is indicated if the queue is very long. Using this command will highlight if there is a problem with replication or if the required replication has just been queued.
repadmin /replicate
This command is used to force the immediate replication of a directory or schema partition from a source domain controller to a destination domain controller. It can be used to check the replication success after any suspected fault conditions are removed. As well as this, it can also be used to check the replication status between two domain controllers.
repadmin /syncall
This command is for synchronizing a specific domain controller with all its replication partners. The following syntax is used:
repadmin /syncall DSA [Naming Context] [flags]
Here, DSA is used to specify the host name of the domain controller and the Naming Context is used to specify the distinguished name of the directory partition. The flags can be used to perform specific actions. Examples of some of the flags that can be used are:
- /a – Aborts if a server is unavailable.
- /A – Synchronizes all the naming contexts on the home server.
- /d – Identifies the servers by the distinguished names.
- /e – Synchronizes domain controllers across all sites.
- /h – Displays help.
- /i – Iterates indefinitely.
- /I – Runs the repadmin /showrepl command
- /s – Does not synchronize.
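To turn the repadmin output described above into something a monitoring job can act on, the following added example (not code from the article or from Lepide) parses repadmin /showrepl * /csv and flags every replication link that has recorded failures or whose last success is older than a threshold. It assumes it runs as a Domain Admin on a machine with repadmin.exe; the 24-hour threshold, the site and DC names and the sample rows are constructed for illustration.

```powershell
# Added example (not from the article or Lepide): turn 'repadmin /showrepl * /csv'
# into objects and flag every link that has failures or a stale last success.
# Assumed: run as a Domain Admin where repadmin.exe is available; the 24-hour
# threshold and the sample rows below are constructed for illustration.
function Get-ReplicationProblem {
    param(
        [string[]]$CsvText,        # lines from: repadmin /showrepl * /csv
        [int]$MaxAgeHours = 24     # assumed threshold for calling a link stale
    )
    $now = Get-Date
    # Column names are the header repadmin prints in /csv mode.
    foreach ($link in ($CsvText | ConvertFrom-Csv)) {
        $failures = [int]$link.'Number of Failures'
        $lastOk   = [datetime]::MinValue
        $parsed   = [datetime]::TryParse($link.'Last Success Time', [ref]$lastOk)
        $stale    = (-not $parsed) -or (($now - $lastOk).TotalHours -gt $MaxAgeHours)
        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination = $link.'Destination DSA'
                Source      = $link.'Source DSA'
                Partition   = $link.'Naming Context'
                Failures    = $failures
                LastSuccess = $link.'Last Success Time'
                LastStatus  = $link.'Last Failure Status'  # Win32 error code, 0 = none
            }
        }
    }
}

# Constructed sample: one healthy link (succeeded 5 minutes ago) and one that
# has failed 5 times and last succeeded 6 days ago. 8524 is the DNS lookup
# failure code; the site and DC names are made up.
$recent = (Get-Date).AddMinutes(-5).ToString('yyyy-MM-dd HH:mm:ss')
$old    = (Get-Date).AddDays(-6).ToString('yyyy-MM-dd HH:mm:ss')
$sample = @"
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",HQ,DC02,RPC,0,0,$recent,0
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",Branch,DC03,RPC,5,$recent,$old,8524
"@ -split '\r?\n'

$problems = Get-ReplicationProblem -CsvText $sample
# Live use on a DC: $problems = Get-ReplicationProblem -CsvText (repadmin /showrepl * /csv)
if ($problems) { $problems | Format-Table -AutoSize } else { 'All replication links healthy' }
```

On the sample only the DC02 -> DC01 link is reported, which is the behaviour to expect from the live command once a partner has been unreachable for longer than the threshold.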
Checking Active Directory Replication using PowerShell
Windows PowerShell can also be used to perform several operations associated with replication and these are as follows:
Get-ADReplicationUpToDatenessVectorTable DC01
This is used to view the replication status information. It displays a replication report using the up-to-dateness vector table. This is maintained by every domain controller and helps keep track of the highest USN from each domain controller in the forest. There are several modifications of this command that can be used for specific purposes.
Get-ADReplicationPartnerMetadata
This command is used to obtain the replication metadata of a specific object in Active Directory.
Get-ADReplicationQueueOperation
This is the PowerShell equivalent of the repadmin /queue command. It is used to get the inbound replication queue details.
Sync-ADObject
This command can be used to replicate specific objects between two domain controllers that have partitions in common. However, they need not be direct replication partners.
Get-ADReplicationFailure
This can be used to obtain a collection of data that describes replication failures. It returns all the failures recorded for a specific domain controller.
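The up-to-dateness vector mentioned under Get-ADReplicationUpToDatenessVectorTable can also be used to measure how far behind each domain controller is. The following added example (not code from the article or from Lepide) compares the vectors of all DCs: for each originating DC, the highest USN that any DC reports for it is the reference, and a DC reporting a lower USN has not yet received that DC's latest changes. It assumes the objects carry the cmdlet's Server, Partner, PartnerInvocationId and UsnFilter properties; the sample rows are constructed.

```powershell
# Added example (not from the article or Lepide): measure replication lag from
# the up-to-dateness vectors Get-ADReplicationUpToDatenessVectorTable returns.
# For each originating DC (identified by its invocation ID) the highest USN any
# DC reports is the reference; a DC reporting a lower USN has not yet received
# that DC's latest changes. Assumed: objects carry the cmdlet's Server, Partner,
# PartnerInvocationId and UsnFilter properties; the sample rows are constructed.
function Get-ReplicationLag {
    param([object[]]$Vectors)
    # Reference per originating DC: the largest USN seen by anyone.
    $latest = @{}
    foreach ($v in $Vectors) {
        $id = $v.PartnerInvocationId
        if (-not $latest.ContainsKey($id) -or $v.UsnFilter -gt $latest[$id]) {
            $latest[$id] = $v.UsnFilter
        }
    }
    foreach ($v in $Vectors) {
        $lag = $latest[$v.PartnerInvocationId] - $v.UsnFilter
        [pscustomobject]@{
            Server    = $v.Server      # DC whose vector this entry came from
            Partner   = $v.Partner     # DC that originated the changes
            UsnSeen   = $v.UsnFilter
            UsnLatest = $latest[$v.PartnerInvocationId]
            LagUsn    = $lag
            Converged = ($lag -eq 0)
        }
    }
}

# Constructed sample: three DCs; DC03 has not yet received 320 USNs worth of
# changes that originated on DC01, while every other pair is converged.
$idDC01 = [guid]::NewGuid(); $idDC02 = [guid]::NewGuid()
$sample = @(
    [pscustomobject]@{ Server='DC01'; Partner='DC02'; PartnerInvocationId=$idDC02; UsnFilter=31000 }
    [pscustomobject]@{ Server='DC02'; Partner='DC01'; PartnerInvocationId=$idDC01; UsnFilter=50120 }
    [pscustomobject]@{ Server='DC03'; Partner='DC01'; PartnerInvocationId=$idDC01; UsnFilter=49800 }
    [pscustomobject]@{ Server='DC03'; Partner='DC02'; PartnerInvocationId=$idDC02; UsnFilter=31000 }
)

# Live use: $vectors = Get-ADDomainController -Filter * |
#   ForEach-Object { Get-ADReplicationUpToDatenessVectorTable -Target $_.HostName }
Get-ReplicationLag -Vectors $sample | Where-Object { -not $_.Converged } | Format-Table -AutoSize
```

A lag of a few hundred USNs right after a burst of changes is normal and should clear within the replication interval; a lag that persists across several checks, or keeps growing, points to a failed link worth inspecting with Get-ADReplicationFailure. Pass -Partition to the cmdlet to check partitions other than the default naming context.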
How Lepide Helps with AD Health Monitoring
An alternative, more straightforward method of checking Active Directory replication status is to use the Health Monitoring dashboard within the Lepide Data Security Platform.
The Active Directory Health Check is an integrated feature of the Lepide Solution. It provides a simple and powerful means of keeping track of important elements of your Active Directory to ensure the continuity and health of the AD environment. It provides continuous monitoring and real-time alerts for NT Directory services, DNS Servers, Disk space, CPU, and memory along with service and replication activity.
To display the Lepide dashboard, click the Health Monitoring icon.
The example below shows the Health Monitoring dashboard including replication status:
The twelve elements which are monitored on the Health Monitoring dashboard are:
- Server Availability
- CPU and Memory Usage
- Active Directory Services
- ESENT Database Performance
- Active Directory Web Services
- DFSR Replicated Folders
- Replication Status
- LDAP Status
- Address Book Status
- Directory Service Status
- NTDS Performance Counters
- DNS Performance Counters