Monitoring and troubleshooting Active Directory replication using Repadmin
Microsoft Corporation
Published: September 2008


Abstract
This document describes how to use Repadmin.exe to monitor, diagnose, and troubleshoot the
most common replication problems that organizations might experience in their Active Directory®
environments. All the information in this document applies to computers running the Microsoft®
Windows® 2000 Server and Windows Server® 2003 operating systems.
Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place, or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part
of this document may be reproduced, stored in, or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2008 Microsoft Corporation. All rights reserved.
Active Directory, Microsoft, Windows, and Windows Server are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
Contents
Monitoring and Troubleshooting Active Directory Replication Using Repadmin ............................. 9

Repadmin Introduction and Technology Overview.......................................................................... 9
 Active Directory replication dependencies ................................................................................... 9
 Glossary of replication terms ...................................................................................................... 10
 Glossary of other replication-related terms ................................................................................ 12

Repadmin Requirements, Syntax, and Parameter Descriptions ................................................... 13
 System requirements ................................................................................................................. 13
 File requirements........................................................................................................................ 14
 Repadmin command-line options............................................................................................... 15
    Syntax ..................................................................................................................................... 15
    Parameters ............................................................................................................................. 15
 Repadmin subcommands .......................................................................................................... 16
 Repadmin /listhelp ...................................................................................................................... 22
 CSV format ................................................................................................................................. 24

Repadmin Usage Scenarios .......................................................................................................... 24

Monitor Forest-Wide Replication ................................................................................................... 25
   Syntax ..................................................................................................................................... 25
   Simple usage of repadmin /replsummary ............................................................................... 27
   How to interpret the output ..................................................................................................... 27
   How to make more sense of some of the fields ...................................................................... 28
   Common factors that influence the largest delta field............................................................. 29
   Where do REPADMIN /REPLSUMMARY read replication status information? ..................... 29
   Wild card and other parameter usage .................................................................................... 30
   Replsummary reporting failures .............................................................................................. 30

Display Replication Partners and Status of a Domain Controller .................................................. 31
  Syntax ........................................................................................................................................ 32
  Show replication partners and replication status ....................................................................... 33
  Using repadmin /showrepl to display detailed and precise information ..................................... 34
  High-watermark value ................................................................................................................ 35
  Showing outbound neighbors ..................................................................................................... 36
  Some of the repadmin /showrepl Error Messages and their root cause .................................... 37
    No inbound neighbors ............................................................................................................. 38
    Active Directory replication has been preempted ................................................................... 39
    Last attempt @ never was successful .................................................................................... 40
    Access denied......................................................................................................................... 40
Replication Latency ....................................................................................................................... 40
 Syntax ........................................................................................................................................ 41
 How to interpret the data ............................................................................................................ 41
 How to interpret the data ............................................................................................................ 43
 Display the latency only for the domain partition ....................................................................... 44

View Replication Metadata of an Object ....................................................................................... 44
  Syntax ........................................................................................................................................ 44
  Example 1: Metadata of a group object ..................................................................................... 45
  Example 2: Comparing replication metadata of a user object between two domain controllers 45

Display the Attributes of a Specific Object .................................................................................... 46
  Syntax ........................................................................................................................................ 47
  Example: Display select attributes ............................................................................................. 48

How Up to Date Are My Domain Controllers? ............................................................................... 48
 Syntax ........................................................................................................................................ 48
 Example: Checking replication latency on the BRANCH3 domain controller ............................ 49
 Example: Comparing how up-to-date other domain controllers in the enterprise are with respect to the OriginatingUSN ............................................ 50
 Example: Further investigation from the perspective of the BRANCH2 domain controller ........ 50

Can I Look at My Connection Objects and Schedule Details? ...................................................... 51
 Syntax ........................................................................................................................................ 51
 Example: Simple usage of /showconn ....................................................................................... 52

Fine-Tuning Change Notification Values ....................................................................................... 53
  Syntax ........................................................................................................................................ 55
  Example 1: Displaying the default notification delay on the ForestDnsZones partition ............. 56
  Example 2: Changing the defaults to 300/30 on the ForestDnsZones ...................................... 56

Forcing Replication ........................................................................................................................ 56
  Replicate a single object between two domain controllers ........................................................ 57
    Syntax ..................................................................................................................................... 57
    Example: Replicate a single object between all the branch domain controllers by using wild card character ................................................... 58
  Force a replication event between two partners ........................................................................ 58
    Syntax1 ................................................................................................................................... 58
    Syntax2 ................................................................................................................................... 58
    Example: replicate in domain partition between two specific partners ................................... 59
  Force a replication event with all partners ................................................................................. 60
    Syntax ..................................................................................................................................... 60
    Example 1: Synchronizing Configuration Partition within the site .......................................... 62
    Example 2: Crossing site boundaries and other features ....................................................... 62
Keeping Track of Changes That Have Occurred Over a Period of Time ...................................... 63
 Syntax1 ...................................................................................................................................... 64
 Syntax2 ...................................................................................................................................... 64
 Example: Compare changes occurred to configuration partition over a period of time ............. 65
 How to interpret the data ............................................................................................................ 66
 Display changes not replicated between two partners............................................................... 66
   Example: Display pending replication changes (config partition) between two replication partners ............................................................... 66
   Example: Usage of a filter ....................................................................................................... 67
   Example: listing only the summary as opposed to individual changes ................................... 67

Usage of Repadmin When Troubleshooting Event ID 1311 ......................................................... 68
 Determine if site link bridging is turned on ................................................................................. 70
 Detect preferred bridgeheads .................................................................................................... 71
 Verify inter-site cost matrix and orphaned sites ......................................................................... 72
   Syntax ..................................................................................................................................... 72
   Example: Display inter-site cost matrix ................................................................................... 73
   How to interpret the data ........................................................................................................ 73
 Repadmin /failcache ................................................................................................................... 74
   Syntax ..................................................................................................................................... 74
   Example: Display replication failures that KCC is aware of .................................................... 75
   Example: Output when there are no failures .......................................................................... 76
 Repadmin /KCC ......................................................................................................................... 76
   Syntax ..................................................................................................................................... 76
   Example 1: Running the KCC on the local domain controller ................................................ 77
   Example 2: Running the KCC against the ISTG of the HUB site ........................................... 77
   Example 3: Running the KCC against all the global catalog servers in the forest ................. 77
   Example 4: Running the KCC against all the domain controllers in the BRANCH2 site ........ 77
 Repadmin /ISTG......................................................................................................................... 78
   Syntax ..................................................................................................................................... 78
   Example: Display ISTGs in my environment .......................................................................... 78
 Repadmin /querysites ................................................................................................................ 78
   Syntax ..................................................................................................................................... 78
   Example 1: Display cost between BRANCH1 and HUB ......................................................... 79
   Example 2: Display cost between BRANCH1 and BRANCH2 ............................................... 79
   Example 3: Display cost between BRANCH1 and Branch2 ................................................... 79
 Repadmin /queue ....................................................................................................................... 80
   Syntax ..................................................................................................................................... 80
   Example: Display the queue length against the local domain controller ................................ 80
   Example: Queue contains one item ........................................................................................ 80
 Repadmin /bridgeheads ............................................................................................................. 81
   Syntax ..................................................................................................................................... 81
   Example 1: Repadmin /bridgeheads rootdns ......................................................................... 81
   Example 2: Repadmin /bridgeheads rootdns /verbose .............................................. 81
   How to interpret the data ...................................................................... 82
 Repadmin /showmsg ................................................................................ 83
   Syntax ......................................................................................... 83
   Example: Display the error message for the win32error 1722 and DS event ID 1404 ................ 84
 Repadmin /viewlist ............................................................................... 84
   Syntax ......................................................................................... 84
   Example 1: Display all the DC’s in the forest .................................................. 85
   Example 2: Display all the Group Policy objects in the domain directory partition for the domain of the domain controller that repadmin is running against ...... 85
 Open sessions with the domain controller ......................................................... 85
   Syntax ......................................................................................... 85
   Example: Show open sessions with a DSA ......................................................... 86

Subcommands Not Covered Under the Previous Scenarios ........................................................ 86
 Display replication features ........................................................................................................ 86
   Syntax ..................................................................................................................................... 86
   Example: Display replication features on the local domain controller, which is running Windows Server 2003 ..................................................... 86
 Server object GUID (DSA GUID) & Database GUID ................................................................. 87
   Syntax ..................................................................................................................................... 87
   Example: Display the domain controller name when given a GUID ....................................... 88
 Certificates loaded on a domain controller ................................................................................. 88
   Syntax ..................................................................................................................................... 88
 Retired Application partition GUIDs (signature) ......................................................................... 88
   Syntax ..................................................................................................................................... 88
   Example: Display the recently retired ForestDnsZone application directory partition on the local domain controller ............................................ 89
 Unanswered replication calls ..................................................................................................... 89
   Syntax ..................................................................................................................................... 89
   Example: Hub domain controller waiting for the request to be answered from a spoke domain controller ........................................................... 90
 showproxy .................................................................................................................................. 90
   Syntax1 ................................................................................................................................... 90
   Syntax2 ................................................................................................................................... 90
 Retired Database GUIDs (signature) ......................................................................................... 91
   Syntax ..................................................................................................................................... 91
   Example 1: Simple usage of no retired signatures ................................................................. 91
   Example 2: Simple usage of retired signature ........................................................................ 91
 Convert directory service time to readable time ......................................................................... 92
   Syntax ..................................................................................................................................... 92
   Example 1: Usage with directory service time format............................................................. 92
   Example 2: Current system time............................................................................................. 92
 Active Directory domains trusted by domain controller ............................................ 92
   Syntax ......................................................................................... 92
   Example: Display Active Directory domains that are trusted by the domain of the local domain controller ........................................................ 93
 Linked Distinguished Name values ................................................................. 93
   Syntax ......................................................................................... 93
   Example: Display members of the Domain Admins group ............................................ 94

Oldhelp .......................................................................................................................................... 94
  sync ............................................................................................................................................ 94
    Syntax ..................................................................................................................................... 94
  propcheck ................................................................................................................................... 95
    Syntax ..................................................................................................................................... 95
  getchanges ................................................................................................................................. 96
    Syntax1 ................................................................................................................................... 96
    Syntax2 ................................................................................................................................... 96
  showreps .................................................................................................................................... 97
    Syntax ..................................................................................................................................... 97
  showvector ................................................................................................................................. 98
    Syntax ..................................................................................................................................... 98
  showmeta ................................................................................................................................... 99
    Syntax ..................................................................................................................................... 99

Repadmin for Experts .................................................................................................................... 99
 Add, Modify, or Delete replication links .................................................................................... 100
   Syntax ................................................................................................................................... 100
 Add, Modify, or Delete outbound replication partners .............................................................. 102
   Syntax ................................................................................................................................... 102
 Hosting and unhosting read-only partitions .............................................................................. 103
   Syntax ................................................................................................................................... 104
 Detecting and removing lingering objects ................................................................................ 105
   Strict and loose replication consistency ................................................................................ 106
   Syntax ................................................................................................................................... 108
 Advanced domain controller options ........................................................................................ 108
   Syntax ................................................................................................................................... 108
 Advanced site options .............................................................................................................. 110
   Syntax ................................................................................................................................... 110
 Miscellaneous ........................................................................................................................... 111
Monitoring and Troubleshooting Active Directory Replication Using Repadmin
This document describes how to use the Repadmin.exe tool to monitor, diagnose, and
troubleshoot common replication problems in your Active Directory® environment. All the
information in this document applies to computers running the Microsoft® Windows® 2000 Server
and Windows Server® 2003 operating systems. This document includes the following topics:
   Repadmin Introduction and Technology Overview
   Repadmin Requirements, Syntax, and Parameter Descriptions
   Repadmin Usage Scenarios
   Repadmin for Experts



Repadmin Introduction and Technology Overview
Repadmin.exe is a command line tool that is designed to assist administrators in diagnosing,
monitoring, and troubleshooting Active Directory replication problems.


Active Directory replication dependencies
Active Directory replication has the following dependencies:
   Routable IP infrastructure. The replication topology depends on a routable IP infrastructure
     from which you can map IP subnet address ranges to site objects. This mapping generates
     the information that client workstations use to communicate with domain controllers that are
     close by—when there is a choice—rather than with domain controllers that are located across
     wide area network (WAN) links.
   DNS. The Domain Name System (DNS) that resolves DNS names to IP addresses.
     Active Directory requires that DNS is properly designed and deployed so that domain
     controllers can correctly resolve the DNS names of replication partners.
   Remote procedure call (RPC). Active Directory replication requires IP connectivity and the
     remote procedure call (RPC) to transfer updates between replication partners.
   Kerberos version 5 (V5) authentication. The authentication protocol for both authentication
     and encryption that is required for all Active Directory RPC replication.
   Lightweight Directory Access Protocol (LDAP). The primary access protocol for
     Active Directory. Replication of an entire replica of an Active Directory domain, as occurs
     when Active Directory is installed on an additional domain controller in an existing domain,
     uses LDAP communication rather than RPC.
   NetLogon. NetLogon dynamically registers the globally unique identifier (GUID) CNAME in
     DNS that a domain controller uses to resolve its partner’s host name and IP address for
     Active Directory replication.
   Intersite Messaging. Intersite Messaging is required for Simple Mail Transfer Protocol
     (SMTP) intersite replication and for site coverage calculations. If the forest functional level is
     Windows 2000, Intersite Messaging is also required for intersite topology generation.
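The following script is added here as an example and is not part of the Microsoft document. It checks, for one replication partner, the DNS, RPC, Kerberos and LDAP dependencies listed above: the DSA GUID CNAME that NetLogon registers under _msdcs, the A record behind it, and TCP reachability of the RPC endpoint mapper, Kerberos and LDAP. The DSA GUID and forest root name are placeholders the caller supplies (the DSA GUID is the "Server object GUID (DSA GUID)" covered later in this document), and the Resolve-DnsName and Test-NetConnection cmdlets are assumed to be available (Windows Server 2012 R2 or later), so the script will not run on the Windows 2000 and Windows Server 2003 systems the document covers.

```powershell
# Added example, not part of the Microsoft document. Checks the replication
# dependencies (DNS GUID CNAME, A record, RPC endpoint mapper, Kerberos, LDAP)
# for one replication partner.
#
# Assumptions (not from the document): the partner's DSA GUID and the forest
# root DNS name are supplied by the caller (the defaults below are placeholders);
# Resolve-DnsName and Test-NetConnection ship with Windows 8.1 / Windows
# Server 2012 R2 and later.

param(
    [string]$DsaGuid    = '00000000-0000-0000-0000-000000000000',   # placeholder
    [string]$ForestRoot = 'corp.example.com'                        # placeholder
)

$checks = New-Object System.Collections.Generic.List[object]

function Add-Check([string]$Name, [string]$Target, [string]$Result) {
    $checks.Add([pscustomobject]@{ Check = $Name; Target = $Target; Result = $Result })
}

# 1. DNS: NetLogon registers <DSA GUID>._msdcs.<forest root> as a CNAME that
#    points at the partner's host name. Replication partners are located
#    through this record, so it is the first thing to verify.
$guidRecord  = "$DsaGuid._msdcs.$ForestRoot"
$partnerHost = $null
try {
    $cname = Resolve-DnsName -Name $guidRecord -Type CNAME -ErrorAction Stop |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    $partnerHost = $cname.NameHost
    Add-Check 'DSA GUID CNAME' $guidRecord "OK -> $partnerHost"
} catch {
    Add-Check 'DSA GUID CNAME' $guidRecord "FAIL: $($_.Exception.Message)"
}

# 2. DNS: the host name behind the CNAME must itself resolve to an address.
if ($partnerHost) {
    try {
        $a = Resolve-DnsName -Name $partnerHost -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        Add-Check 'Partner A record' $partnerHost "OK -> $($a.IPAddress)"
    } catch {
        Add-Check 'Partner A record' $partnerHost "FAIL: $($_.Exception.Message)"
    }
}

# 3. Transport: replication needs the RPC endpoint mapper (TCP 135), Kerberos
#    (TCP 88) for authentication and encryption, and LDAP (TCP 389).
#    A successful TCP connect only proves reachability; it does not prove that
#    Kerberos authentication succeeds or that the dynamic RPC port negotiated
#    after the endpoint mapper call is open.
if ($partnerHost) {
    $ports = [ordered]@{ 'RPC endpoint mapper' = 135; 'Kerberos' = 88; 'LDAP' = 389 }
    foreach ($name in $ports.Keys) {
        $port = $ports[$name]
        $tcp  = Test-NetConnection -ComputerName $partnerHost -Port $port -WarningAction SilentlyContinue
        Add-Check "$name TCP/$port" $partnerHost $(if ($tcp.TcpTestSucceeded) { 'OK' } else { 'FAIL' })
    }
}

$checks | Format-Table -AutoSize
```

Save the script under any name you choose (the name is not prescribed by the document) and run it with the partner's DSA GUID and your forest root, for example `.\Test-ReplPartnerDeps.ps1 -DsaGuid <guid> -ForestRoot <forest>`. A FAIL on the first check points at DNS registration (NetLogon or the _msdcs zone) rather than at the transport, while failures only on the port checks point at IP routing or filtering between the sites.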

[Figure: Replication Topology and Dependent Technologies]

Glossary of replication terms
The following table lists terms that are commonly used in discussions about Active Directory
replication.


Term                                    Definition

Active Directory replication            Active Directory is a distributed directory
                                        service, in which not all objects in the directory
                                        are stored on every domain controller. In
                                        addition, all domain controllers in a domain can
                                        be updated directly, not just one primary
                                        domain controller. Active Directory replication is
                                        the means by which changes that are made on
                                        one domain controller are synchronized with all
                                        other appropriate domain controllers in the
                                        domain or forest that store copies of the same
                                        information. Data integrity is maintained by
                                        tracking changes on each domain controller
                                        and updating other domain controllers in a
                                        systematic way. Replication uses a connection
                                        topology that is created automatically to make
                                        optimal use of beneficial network connections.

Active Directory replication topology   Replication topology is the current set of
                                        Active Directory connections by which domain
                                        controllers in a forest communicate over local
                                        area networks (LANs) and WANs to
                                        synchronize the directory partition replicas that
                                        the domain controllers have in common.
                                        Replication topology generation is usually
                                        dynamic: it adapts to network conditions and
                                        to the availability of domain controllers.
                                        Because organizations depend heavily on
                                        directory services, it is important to ensure
                                        that the replication topology is tuned to
                                        maintain and deliver the expected level of
                                        performance.

Active Directory sites                  A site is a part of the network with high
                                        bandwidth connectivity. By definition, it is a
                                        collection of well-connected computers, based
                                        on IP subnets. You can use the Active Directory
                                        Sites and Services snap-in to administer sites.
                                        Because sites control how replication occurs,
                                        changes that you make with this snap-in affect
                                        how efficiently domain controllers within a
                                        domain (but separated by great distances) will
                                        coalesce.

Knowledge Consistency Checker (KCC)     A part of the ISTG role in Active Directory. The
                                        KCC checks and, as an option, re-creates
                                        topology information for the Active Directory
                                        domain.

Intersite Topology Generator (ISTG)     This is a role that one domain controller in an
                                        Active Directory site must perform. The ISTG
                                        designates one or more bridgehead servers to
                                        perform replication between sites.

Multimaster replication                 Every domain controller can receive originating
                                        updates to data for which it is authoritative,
                                        rather than having a single domain controller
                                        that receives all original updates (also known
                                        as single-master replication, such as Microsoft
                                        Windows NT® 4.0 replication).

Pull replication                                   Domain controllers request (pull) changes
                                                   rather than send (push) changes that might not
                                                   be necessary.

Store-and-forward replication                      Each domain controller communicates with a
                                                   subset of domain controllers to transfer
                                                   replication changes, rather than one domain
                                                   controller being responsible for communicating
                                                   with every other domain controller that requires
                                                   the change.

High water mark                                    High water mark is a value that the destination
                                                   domain controller maintains to keep track of the
                                                   most recent changes that it has received from a
                                                   specific source domain controller for an object
                                                   in a specific partition. High water mark prevents
                                                   irrelevant objects from being considered by the
                                                   source domain controller with respect to a
                                                   single destination.

Up-to-dateness vector                              The up-to-dateness vector is a value that the
                                                   destination domain controller maintains for
                                                   tracking the originating updates that are
                                                   received from all source domain controllers.
                                                   When a destination domain controller requests
                                                   changes for a directory partition, it provides its
                                                   up-to-dateness vector to the source domain
                                                   controller. The source domain controller then
                                                   uses this value to reduce the set of attributes
                                                   that it sends to the destination domain
                                                   controller.
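To make the high water mark and up-to-dateness vector entries above concrete, here is an added Python simulation (not from the Microsoft document) of how a source domain controller uses both values to trim what it sends to a destination. DC names, invocation IDs and USNs are constructed, and the model deliberately leaves out the per-partition scoping and attribute metadata that the real protocol carries.

```python
"""Simulation of high water mark (HWM) and up-to-dateness (UTD) vector filtering.

Added example; the three DCs, their invocation IDs and every USN are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AttrChange:
    obj: str               # object the attribute belongs to
    attr: str              # attribute that was written
    originating_dsa: str   # invocation ID of the DC where the write originated
    originating_usn: int   # USN the originating DC assigned to the write
    version: int           # attribute version number


@dataclass
class DomainController:
    invocation_id: str
    local_usn: int = 0
    # Changes as stored on this DC, in local USN order: (local_usn, AttrChange)
    changes: list = field(default_factory=list)
    # HWM: per source, the highest local USN of that source we have already pulled
    high_water_mark: dict = field(default_factory=dict)
    # UTD vector: originating invocation ID -> highest originating USN applied here
    utd_vector: dict = field(default_factory=dict)

    def originate(self, obj, attr, version):
        """A write made directly on this DC (an originating update)."""
        self.local_usn += 1
        ch = AttrChange(obj, attr, self.invocation_id, self.local_usn, version)
        self.changes.append((self.local_usn, ch))
        self.utd_vector[self.invocation_id] = self.local_usn
        return ch

    def apply(self, ch):
        """A replicated update: gets a new local USN; the UTD vector advances."""
        self.local_usn += 1
        self.changes.append((self.local_usn, ch))
        prev = self.utd_vector.get(ch.originating_dsa, 0)
        self.utd_vector[ch.originating_dsa] = max(prev, ch.originating_usn)


def get_changes(source, hwm, utd):
    """Source-side filter: skip what the destination already pulled from us (HWM)
    and what it already received from any other partner (UTD vector)."""
    sent = []
    for local_usn, ch in source.changes:
        if local_usn <= hwm:
            continue  # already pulled from this source earlier
        if ch.originating_usn <= utd.get(ch.originating_dsa, 0):
            continue  # destination already has this originating write via another path
        sent.append(ch)
    return sent, source.local_usn


def pull(dest, source):
    """Destination requests changes, presenting its HWM for this source and its UTD vector."""
    hwm = dest.high_water_mark.get(source.invocation_id, 0)
    sent, new_hwm = get_changes(source, hwm, dest.utd_vector)
    for ch in sent:
        dest.apply(ch)
    dest.high_water_mark[source.invocation_id] = new_hwm  # advances even if nothing was sent
    return sent


def scenario():
    """Store-and-forward: DC2 pulls from DC1, DC3 pulls from DC2, then DC3 pulls from DC1."""
    dc1, dc2, dc3 = (DomainController(i) for i in ("inv-dc1", "inv-dc2", "inv-dc3"))
    dc1.originate("CN=Bob,DC=contoso,DC=com", "telephoneNumber", 2)
    dc1.originate("CN=Bob,DC=contoso,DC=com", "title", 1)
    dc2.originate("CN=Alice,DC=contoso,DC=com", "title", 3)
    first = pull(dc2, dc1)    # DC2 receives both DC1 writes
    second = pull(dc3, dc2)   # DC3 receives DC2's write plus the two forwarded DC1 writes
    third = pull(dc3, dc1)    # UTD vector tells DC1 that DC3 already has USN 1 and 2: nothing sent
    dc1.originate("CN=Bob,DC=contoso,DC=com", "title", 2)
    fourth = pull(dc3, dc1)   # only the write above the HWM and UTD entry is sent
    return {"first": len(first), "second": len(second), "third": len(third),
            "fourth": len(fourth), "dc3_utd": dict(dc3.utd_vector)}


if __name__ == "__main__":
    print(scenario())
```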




Glossary of other replication-related terms
The following table lists terms that are related to other technologies that depend on
Active Directory replication topology.


Term                                               Definition

File Replication Service (FRS)                     The replication service in Windows 2000 Server
                                                   and Windows Server 2003 that is used to
                                                   replicate the SYSVOL shared folder.

Replica set                                    The collection of servers that are all replicating
                                               a given set of directories is called a replica set.
                                               With an appropriate topology design and
                                               sufficient network support, a Windows 2000 or
                                               Windows Server 2003 FRS replica set can
                                               span thousands of computers. It is also
                                               possible for a single computer to be a member
                                               of multiple replica sets.

Topology                                       Topology defines the set of connections that
                                               are used to send updates between members of
                                               a replica set. The topology definition includes
                                               both the connections and the properties of
                                               those connections, such as the schedule,
                                               enabled and disabled flags, and so on.

Disconnected operation                         FRS can operate even if some or all member
                                               computers are disconnected from each other
                                               for periods of time. Changes can be accepted
                                               by any computer, and changes are replicated to
                                               other member computers when connectivity is
                                               reestablished.

Authenticated RPC with encryption              To provide secure communications, FRS uses
                                               the Kerberos authentication protocol for
                                               authenticated RPC to encrypt and tamper-proof
                                               the data that is sent between replication
                                               partners.




Repadmin Requirements, Syntax, and Parameter Descriptions
You can use the repadmin command to perform replication tasks and to manage and modify the
replication topology, force replication events, and display replication metadata and
up-to-dateness vectors.


System requirements
The following are the system requirements for repadmin:
   Windows XP Professional, Windows Vista®, Windows Server 2003, or Windows Server 2008
   Administrator rights on the domain controller:
        Required replication rights can be delegated
        Some commands do not require Administrator rights


File requirements
Repadmin.exe is included in the Windows Server 2003 Service Pack 1 (SP1) Support tools. You
must install the Support tools before you can use them. For more information about how to install
the Support tools, see Windows Server 2003 SP1 Support Tools in the Microsoft Knowledge
Base (http://go.microsoft.com/fwlink/?LinkID=44321).
To obtain the Support tools if you do not have the Windows Server 2003 operating system disc,
see Windows Server 2003 SP1 32-bit Support Tools on the Microsoft Download Center
(http://go.microsoft.com/fwlink/?LinkID=70775).
Previous versions of repadmin have similar functionality, but they have some limitations
regarding the workstations that they can be run on and which functions they can perform. The
following table lists the versions of repadmin, which operating systems they can be run on, and
which domain controllers they can target.


Version                 Client operating system   Target operating system   Important feature sets

Windows 2000            Windows 2000 and          All Active Directory      /sync
                        later                     versions                  /propcheck
                                                                            /showreps
                                                                            /showvector
                                                                            /showmeta

Windows Server 2003     Windows XP Professional   All Active Directory      /notifyopt
                        and Windows Server 2003   versions                  /replsummary
                                                                            /replicate
                                                                            /replsingleobj
                                                                            /removelingeringobjects
                                                                            /rehost and /unhost
                                                                            /showmsg
                                                                            /showattr
                                                                            /syncall
                                                                            /viewlist
                                                                            DC_LIST

Windows Server 2003     Windows XP Professional   All Active Directory      /showbackup
with SP1                and Windows Server 2003   versions                  /rehost bug fix
                                                  Rehost requires           /regkey
                                                  Windows 2000 Server SP4
                                                  and later
                                                  Remove lingering
                                                  objects requires
                                                  Windows Server 2003

Active Directory        Windows XP Professional   All Active Directory      /setattr
Application Mode        and Windows Server 2003   versions                  /listhelp
(ADAM)



Deprecated subcommands (from                  Equivalent or improved subcommands in
Windows 2000 Server)                          Windows Server 2003

/sync                                         /repl or /replicate
/propcheck                                    /showchanges
/showreps                                     /showrepl
/showvector                                   /showutdvec
/showmeta                                     /showobjmeta




Repadmin command-line options
Repadmin is executed at the command prompt, and it contains several subcommands, which are
described in detail in the following section.


Syntax
repadmin <subcommand> [<dsa>] [/u:<UserName>] [/pw:{<Password> | *}] [/rpc] [/ldap]
[/homeserver:<dsaname>]



Parameters

Parameter               Description

<subcommand>            One of the repadmin subcommands that is
                        described in the subcommands section.

<Dsa>                   Directory System Agent (DSA) represents the
                        domain controller to be targeted by the
                        repadmin subcommand.
                        Not all repadmin subcommands require the
                        dsa parameter.
                        Type repadmin /listhelp at the command line
                        for additional information about the dsa
                        parameter.

/u:<UserName>           Specifies the account name to use for binding
                        to the directory. By default, /u uses the account
                        name with which the user is currently logged
                        on. You can use any of the following formats to
                        specify an account name:
                           account name (for example, Bob)
                           domain\account name (for example,
                             contoso\Bob)
                           user principal name (UPN) (for example,
                             Bob@contoso.com)

/pw:{<Password> | *}    Specifies the password to use for
                        authentication. If you type *, you are prompted
                        for a password.

/rpc                    Forces repadmin to communicate by using a
                        remote procedure call (RPC) session.

/ldap                   Forces repadmin to communicate by using a
                        Lightweight Directory Access Protocol (LDAP)
                        session. If LDAP communication fails,
                        repadmin attempts to communicate by using
                        RPC. LDAP is the default communication
                        method for repadmin.

/homeserver:<dsaname>   Forces repadmin to run against a specific
                        domain controller, which is determined by the
                        forest membership of the directory server that
                        is represented by <dsaname>.
                        You can specify <dsaname> in the following
                        formats:
                        <Computername>, <Dnsname>, <Dsaguid>, *,
                        ., “site:<site>”, “fsmo_dnm:”, or
                        “fsmo_schema:”.




Repadmin subcommands

Subcommand    Syntax and description

bind          repadmin /bind [dsa]
              Connects to and displays the replication features for a
              directory server.

bridgeheads   repadmin /bridgeheads [dsa]
              Lists the directory servers that act as bridgehead
              servers for a specified site.

checkprop     repadmin /checkprop [dsa] NamingContext
              OriginatingDCInvocationID OriginatingUSN
              Compares the properties of specified directory servers
              to determine if they are up to date with each other.
              The source directory server contains the original
              information that must be checked. The data on the
              destination directory server is compared to the data on
              the source directory server.

dsaguid       repadmin /dsaguid [dsa] [GUID]
              Returns a server name when given a globally unique
              identifier (GUID).

failcache     repadmin /failcache [dsa]
              Displays a list of failed replication links that are
              detected by the Knowledge Consistency Checker
              (KCC).

istg          repadmin /istg [dsa] [/verbose]
              Returns the computer name of the Intersite Topology
              Generator (ISTG) server for a specified site.

kcc           repadmin /kcc [dsa] [/async]
              Forces KCC to calculate replication topology for a
              specified directory server. By default, this calculation
              occurs every 15 minutes.

latency       repadmin /latency [dsa] [/verbose]
              Displays the amount of time between replications, by
              using the ISTG Keep Alive time stamp. The ISTG
              Keep Alive time stamp is not used in forests that are
              set to the Windows Server 2003 forest functional level.
              Instead, in those environments, use repadmin
              /showutdvec /latency.

notifyopt       repadmin /notifyopt [dsa] NamingContext [/first:Value]
                [/subs:Value]
                Displays or sets the notification timing settings for
                replication of a specified directory partition.

queue           repadmin /queue [dsa]
                Displays tasks that are waiting in the replication
                queue.

querysites      repadmin /querysites FromSiteRDN ToSite1RDN
                [ToSite2RDN...]
                Uses routing information to determine the cost of a
                route from a specified site to another specified site or
                sites. The querysites parameter does not allow the
                use of alternate credentials. The relative distinguished
                names that are used in this command are case
                sensitive.

replicate       Syntax 1
                repadmin /replicate destination_dsa source_dsa
                [/force] [/async] [/full] [/addref]
                Syntax 2
                repadmin /replicate destination_dsa [/force] [/async]
                [/full] [/addref] /allsources
                Starts a replication event for the specified directory
                partition between the source and destination directory
                servers. You can determine the source GUID when
                you view the replication partners by using showrepl.

replsingleobj   repadmin /replsingleobj dsa DsaSourceGUID ObjectDN
                Replicates a single object between any two directory
                servers that have partitions in common. The two
                directory servers do not have a replication agreement.
                You can show replication agreements by using the
                repadmin /showrepl command.

replsummary     repadmin /replsummary [dsa] [/bysrc] [/bydest]
                [/errorsonly][/sort:{delta|partners|failures|error|percent}]
                Summarizes the replication state and relative health of
                an Active Directory forest.

showattr      repadmin /showattr dsa [OBJ_LIST]
              [OBJ_LIST_OPTIONS] [/attr|/attrs:attribute1,attribute2,...]
              [/allvalues] [/long] [/nolongblob]
              [/nolongfriendly] [/dumpallblob]
              The /showattr operation displays the attributes and
              contents of an object.

showcert      repadmin /showcert dsa
              Displays the certificates (used with Simple Mail
              Transfer Protocol (SMTP)–based replication) that are
              loaded on a specified directory server.

showchanges   Syntax 1
              repadmin /showchanges source_dsa NamingContext
              [/cookie:File] [/atts:attribute1,attribute2,...]
              Syntax 2
              repadmin /showchanges
              dest_dsa SourceDsaObjectGUID NamingContext
              [/verbose] [/statistics] [/noincremental] [/objectsecurity]
              [/ancestors] [/atts:attribute1,attribute2,...]
              [/filter:ldap_filter]
              Displays changes from a specified directory partition
              or changes to a specified object. "Syntax 1" saves
              changes to a directory partition. If this information is
              saved to a file, you can run the getchanges operation
              again for comparison. "Syntax 2" lists changes to a
              specified object. For this command to run properly, the
              account under which the command is run must
              possess the replication get changes right on the
              specified directory partition.

showconn      repadmin /showconn [dsa] [ServerRDN | ContainerDN
              | dsa_GUID] [/From:ServerRDN] [/intersite]
              Displays the connection objects for a specified
              directory server. The default is local site.

showctx       repadmin /showctx [dsa] [/nocache]
              Displays a list of computers that have opened
              sessions with a specified directory server.

showism       repadmin /showism [TransportDN] [/verbose]
              Queries the Intersite Messaging Service (ISM) for site
              routes. This operation cannot be executed remotely.

showmsg       repadmin /showmsg {Win32Error | DSEventID |
              NTDSMSG}
              Displays the error message for a given error number.

showncsig      repadmin /showncsig [dsa]
               Each directory server maintains a directory partition
               signature list. This command displays a list of the
               removed application partition GUIDs. You can
               configure an application directory partition to be held
               or not held on a particular directory server by using
               ntdsutil (for Active Directory).

showobjmeta    repadmin /showobjmeta [dsa] ObjectDN [/nocache]
               [/linked]
               Displays the replication metadata for a specified object
               that is stored in the directory, including attribute ID,
               version number, originating and local update
               sequence number (USN), and originating server's
               GUID and Date and Time stamp. When you compare
               the replication metadata for the same object on
               different directory servers, you can determine whether
               replication has occurred.

showoutcalls   repadmin /showoutcalls [dsa]
               Displays calls that have been made by the specified
               directory server to other directory servers but not yet
               answered.

showproxy      Syntax 1
               repadmin /showproxy [dsa] [Naming Context]
               [matchstring]
               Syntax 2
               repadmin /showproxy [dsa] [ObjectDN] [matchstring]
               /movedobject
               Lists cross-domain move proxy objects. When an
               object is moved from one domain to another, a marker
               remains in the original domain. This marker is called a
               proxy.

showrepl       repadmin /showrepl [dsa] [SourceDCObjectGUID]
               [NamingContext] [/verbose] [/nocache] [/repsto]
               [/conn] [/csv] [/all] [/errorsonly] [/intersite]
               Displays replication information. Inbound replica links
               are displayed by default. Outbound links can also be
               shown, as well as connections corresponding to those
               links. The command also displays errors that
               correspond to replica links that cannot be created by
               the KCC. This helps an administrator build a visual
               representation of the replication topology and see the
               role of each directory server in the replication process.

showsig      repadmin /showsig [dsa]
             Displays the retired invocation IDs on a directory
             server. A directory server changes its invocation ID
             when it is restored or when it rehosts an application
             partition.

showtime     repadmin /showtime [DSTimeValue]
             Converts a directory service time value to string format
             for both the local and the UTC time zones.

showtrust    repadmin /showtrust [dsa]
             Lists all Active Directory domains that are trusted by a
             specified Active Directory domain.

showutdvec   repadmin /showutdvec dsa NamingContext [/nocache]
             [/latency]
             Displays the highest USN for the specified directory
             server. This information shows how up to date a
             replica is with its replication partners.

showvalue    repadmin /showvalue [dsa] ObjectDN [AttributeName]
             [ValueDN] [/nocache]
             Displays the values of the type, last modified time,
             originating directory server, and distinguished name of
             a specified object.

syncall      repadmin /syncall dsa [Naming Context] [Flags]
             Synchronizes a specified directory server with all
             replication partners. This command contains several
             subcommands, which are described in the usage
             scenarios.
             By default, if no directory partition is provided in the
             NamingContext parameter, the command performs its
             operations on the configuration directory partition.

viewlist     repadmin /viewlist [dsa] [OBJ_LIST]
             Displays a list of directory servers.

oldhelp      Displays a list of the operations that have been
             deprecated in this version of repadmin.



Repadmin /listhelp
Arguments    Values                   Description

DC_LIST      “*”                      All domain controllers in the
                                      enterprise

             DC_Name                  See under DC_NAME argument

             Part_server_name*        Would pick
                                      "part_server_name_dc_01" and
                                      "part_server_name_dc_02" but
                                      not server
                                      "part_server_diff_name".

             Site:site_name           All domain controllers in the
                                      specified site.

             Gc:                      All global catalog servers in the
                                      enterprise.

             Fsmo_fsmo_type:fsmo_dn   See under FSMO_TYPE

FSMO_TYPE                             Types of operations master (also
                                      known as flexible single master
                                      operations or FSMO) role holders
                                      require different base
                                      distinguished names or relative
                                      distinguished names.

             Fsmo_dnm:                Enterprise-wide FSMO; does not
                                      take any distinguished name (also
                                      known as DN).

             Fsmo_schema:             Enterprise-wide FSMO; does not
                                      take any distinguished name.

             Fsmo_pdc:                Domain-specific FSMO; takes the
                                      distinguished name of the domain
                                      that the user specifies.

             Fsmo_rid:                Domain-specific FSMO; takes the
                                      distinguished name of the domain
                                      that the user specifies.

             Fsmo_im:                 Domain-specific FSMO; takes the
                                      distinguished name of the domain
                                      that the user specifies.


                   Fsmo_istg:               Site-specific quasi-FSMO; takes
                                            the relative distinguished name of
                                            the site.

DC_NAME

                   “.”                      Tells repadmin to try to pick a
                                            domain controller for you.

                   Server_dns               Specifies a server by DNS.

                   Dc_dsa_guid              Specifies a specific server by its
                                            Directory System Agent (DSA)
                                            GUID.

                   Server_obj_rdn           Specifies a server by its server
                                            object relative distinguished name
                                            (usually the same as its NetBios
                                            name).

                   Dsa_dn                   Specifies a server by the
                                            distinguished name of its DSA
                                            object.

OBJ_LIST

                   Ncobj:NC_NAME            Specifies the use of the
                                            distinguished name of NC Head
                                            that is specified in NC_NAME.

                   Dsaobj:                  Specifies the use of the
                                            distinguished name of the DSA
                                            that repadmin is connected to.

NC_NAME            Config:                  Configuration directory partition.

                   Schema:                  Schema directory partition.

                   Domain:                  Domain directory partition for the
                                            domain of the domain controller
                                            that repadmin is running against.

OBJ_LIST OPTIONS   {/onelevel | /subtree}   With these options, you can use
                   /filter:{ldap_filter}    the showattr and viewlist
                                            commands to cover a list of
                                            objects, instead of just a single
                                            object.




CSV format
The output that repadmin /showrepl returns can be difficult to navigate when you are
troubleshooting replication errors or viewing replication topology in a large enterprise. There is a
new feature (/CSV) that you can use to force /showrepl output to print in a tightly constrained
comma-separated-value (CSV) format for programmatic manipulation or quick import and
correlation in Excel.
The CSV format is also an effective way to exchange repadmin outputs because it is not prone
to user errors.
To generate output as a .csv (comma-delimited) file, perform the following steps:
1. Open a command prompt, type the following command, and then press ENTER:
     repadmin /showrepl <DC_NAME> /csv > Repl.csv

2. Open Repl.csv, and then delete or hide column A and both RPC and SMTP columns.
3. Select row 2. Click View, and then click Freeze Panes.
4. Highlight the column heading row. Click Data, point to Filter, and then click AutoFilter.
5. Click the drop-down arrow to display replication status based on your situation.

Figure 2.4.1




Repadmin Usage Scenarios
This section includes explanations and examples for the following usage scenarios:
   • Monitor Forest-Wide Replication
   • Display Replication Partners and Status of a Domain Controller
   • Replication Latency
   • View Replication Metadata of an Object
   • Display the Attributes of a Specific Object
   • How Up to Date Are My Domain Controllers?
   • Can I Look at My Connection Objects and Schedule Details?
   • Fine-Tuning Change Notification Values
   • Forcing Replication
   • Keeping Track of Changes That Have Occurred Over a Period of Time
   • Usage of Repadmin When Troubleshooting Event ID 1311
   • Subcommands Not Covered Under the Previous Scenarios
   • Oldhelp



Monitor Forest-Wide Replication
Maintaining the health of enterprise-wide directory replication is very important so that the users,
services, machines, and applications that rely on it can operate successfully. The
Windows Server 2003 version of repadmin has enhanced functionality that makes it easier to
monitor forest-wide directory replication and it is compatible with Windows 2000 domains.
Repadmin /replsummary summarizes the replication state and relative health of an
Active Directory forest by inventorying and contacting every domain controller in the forest,
collecting information such as replication deltas and replication failures.
It also identifies any domain controllers that could not be contacted and reports the reason for
the failure (for an example, see Figure 3.1.4).


Syntax
Repadmin /replsummary <DC_LIST> [/bysrc] [/bydest] [/errorsonly] [/sort:{delta | partners | failures | error | percent}]


Parameters                                          Definition

<DC_LIST>                                           Specifies the host name of a domain controller
                                                    or a list of domain controllers separated by a
                                                    space that the object will be replicated to. For
                                                    details about <DC_LIST>, see repadmin
                                                    /listhelp.

/bysrc                                              Shows the output of repadmin /replsummary,
                                                    from the perspective of the replication source
                                                    (outbound domain controller), in the form of a
                                                    table. This means that a given source directory
                                                    server is "pulled on" by multiple client domain
                                                    controllers. The table is sorted in order of the
                                                    source domain controllers that are having the
                                                    most problems, across all the clients in the
                                                    configuration set. This parameter does not
                                                    display the destination domain controller.

/bydest                                           Shows the output of repadmin /replsummary,
                                                  from the perspective of the replication
                                                  destination, in the form of a table. This means
                                                  that a given replication destination (inbound
                                                  domain controller) is pulling the changes from
                                                  one or more replication source(s). The table
                                                  shows the inbound domain controllers and what
                                                  problems they are having with their partners.
                                                  The table is sorted in order of the inbound
                                                  domain controllers that are having the most
                                                  problem with inbound replication, across all the
                                                  possible partners in the configuration set. This
                                                  parameter does not display the source domain
                                                  controller.

/errorsonly                                       Shows only the domain controllers where the
                                                  partner error is not zero.

/sort:{delta | partners | failures | error |      Sorts the replsummary table by the specified
percent}                                          column heading.


    Note
    The /bysrc and /bydest parameters may be specified at the same time. If they are
    specified at the same time, repadmin displays the /bysrc table first and the /bydest table
    next. If the parameters /bysrc and /bydest are both absent, repadmin picks the best one
    and displays the one with the least number of partner errors.




Simple usage of repadmin /replsummary
Figure 3.1.1




How to interpret the output
The output of repadmin /replsummary is organized by destination and source domain
controllers. Focus on the destination domain controllers first, because the replication model is
pull-based: replication between domain controllers does not use a "push" mechanism. Within a
site, a domain controller (DC1) notifies another domain controller (DC2) that it has updates, and
DC2 then pulls the updates from DC1. Between sites, a domain controller requests updates at a
scheduled time and, if updates are available, pulls them from a domain controller in the other
site.


Fields of interest                                 Definition

…..                                                Each dot after the first three represents a
                                                   domain controller, with not more than 50 dots
                                                   per line. So, if you have two lines full of dots, it
                                                   indicates 97 domain controllers (100-3).
                                                   In figure 3.1.1, there are nine dots, which
                                                   relates to six domain controllers (9-3).

Destination DC                                     Replication destination. A single destination
                                                   might be pulling data from one or more
                                                   sources.
                                                   In figure 3.1.1, we are focusing on ROOTDC01.

Source DC                                          Replication source. Multiple destinations might
                                                   be pulling from a single source.
                                                   In figure 3.1.1, we do not yet know the source
                                                   domain controller.

Largest delta                                      Denotes the longest replication gap amongst all
                                                   replication links for a particular domain
                                                   controller.
                                                   In figure 3.1.1, the largest delta is 45m:47s.

Total                                              Replica links for a particular domain controller
                                                   (one for each naming context on each domain
                                                   controller). Please note that this is not the
                                                   connection objects or replication partners per
                                                   domain controller.
                                                   In figure 3.1.1, we have seven replication links.

Fails                                              Total number of replica links failing to replicate
                                                   for one reason or the other. This will never be
                                                   greater than the Total field.
                                                   No failures in our example.

Percentage                                         Percentage of failures in relation to the total
                                                   replica links on the domain controller.



How to make more sense of some of the fields
We ran repadmin /showrepl against ROOTDC01 to get detailed replication status. Always focus
on inbound neighbors, because replication is inbound (pull-based).
In Figure 3.1.1, replsummary was taken at 22:36:30. The schema naming context last
replicated at 21:49:44 (Figure 3.1.2); the difference, 45m:47s, is the largest delta.
   • A delta of 45 minutes looks relatively high in our example because the partners belong to
     the same site. The reason is that the default periodic replication frequency within a site is
     once per hour; because the schema naming context had no changes, it replicated only at the
     periodic sync at 21:49:44, whereas the other partitions replicated in response to change
     notifications from their partners.
   • We also see seven replica links, one for each naming context on each domain controller.
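The CSV format described in the previous chapter and the Total, Fails and Largest delta fields explained above can be reproduced offline from a /showrepl /csv capture. The following Python script is an added example, not part of this document or of repadmin; it assumes the column layout shown in its constructed SAMPLE_CSV (a row-type tag in column A, then the fields named in the header) and approximates replsummary's delta formatting.

```python
"""Turn repadmin /showrepl /csv output into a per-destination summary like
repadmin /replsummary /bydest (Total, Fails, %%, Largest delta).
Constructed example; the column layout is the one /showrepl /csv is assumed
to emit, with a row-type tag in column A (the column the CSV steps delete)."""
import csv
import io
from datetime import datetime
from typing import Dict, List, Optional

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample capture, not real output. The schema link for ROOTDC01 is
# 45m:47s behind REPORT_TIME, the largest-delta value shown in Figure 3.1.1.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HUB,ROOTDC01,"DC=contoso,DC=com",HUB,ROOTDNS,RPC,0,0,2005-01-05 22:30:12,0
showrepl_INFO,HUB,ROOTDC01,"CN=Configuration,DC=contoso,DC=com",HUB,ROOTDNS,RPC,0,0,2005-01-05 22:21:05,0
showrepl_INFO,HUB,ROOTDC01,"CN=Schema,CN=Configuration,DC=contoso,DC=com",HUB,ROOTDNS,RPC,0,0,2005-01-05 21:50:43,0
showrepl_INFO,HUB,BRANCH-HUB-BH,"CN=Configuration,DC=contoso,DC=com",BRANCH,BRANCH2,RPC,12,2005-01-05 22:20:00,2005-01-04 09:15:31,1722
showrepl_INFO,HUB,BRANCH-HUB-BH,"CN=Configuration,DC=contoso,DC=com",HUB,ROOTDC01,RPC,0,0,2005-01-05 22:31:44,0
"""
REPORT_TIME = datetime(2005, 1, 5, 22, 36, 30)   # when the report was taken


def _parse_time(value: str) -> Optional[datetime]:
    """repadmin writes 0 where a link has never succeeded (or never failed)."""
    try:
        return datetime.strptime(value, TIME_FMT)
    except ValueError:
        return None


def parse_showrepl_csv(text: str) -> List[dict]:
    """One dict per replica link. The csv module is used deliberately: naming
    contexts contain commas and repadmin quotes them."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if header[0] != "showrepl_COLUMNS":
        raise ValueError("not repadmin /showrepl /csv output")
    links = []
    for row in reader:
        if not row or row[0] != "showrepl_INFO":
            continue                       # skip blank lines and other row types
        rec = dict(zip(header[1:], row[1:]))
        rec["Number of Failures"] = int(rec["Number of Failures"])
        rec["Last Failure Status"] = int(rec["Last Failure Status"])
        rec["Last Success Time"] = _parse_time(rec["Last Success Time"])
        rec["Last Failure Time"] = _parse_time(rec["Last Failure Time"])
        links.append(rec)
    return links


def fmt_delta(seconds: int) -> str:
    """Render a gap roughly the way replsummary does, e.g. 45m:47s or 1d.13h:20m:59s."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    if days:
        return f"{days}d.{hours:02d}h:{minutes:02d}m:{secs:02d}s"
    if hours:
        return f"{hours:02d}h:{minutes:02d}m:{secs:02d}s"
    return f"{minutes:02d}m:{secs:02d}s"


def summarize_by_dest(links: List[dict], now: datetime) -> Dict[str, dict]:
    """Per destination DC: replica links (Total), failing links (Fails), percentage,
    and the longest gap since a successful replication (Largest delta)."""
    summary: Dict[str, dict] = {}
    for rec in links:
        s = summary.setdefault(rec["Destination DSA"],
                               {"total": 0, "fails": 0, "largest_delta": 0, "never": False})
        s["total"] += 1
        if rec["Number of Failures"] > 0:
            s["fails"] += 1
        last = rec["Last Success Time"]
        if last is None:
            s["never"] = True              # a link that never replicated: no delta to measure
        else:
            s["largest_delta"] = max(s["largest_delta"], int((now - last).total_seconds()))
    for s in summary.values():
        s["percent"] = round(100 * s["fails"] / s["total"])
    return summary


if __name__ == "__main__":
    print(f"{'Destination DC':<16}{'largest delta':>16}  fails/total  %")
    for dest, s in summarize_by_dest(parse_showrepl_csv(SAMPLE_CSV), REPORT_TIME).items():
        delta = "(never)" if s["never"] and not s["largest_delta"] else fmt_delta(s["largest_delta"])
        print(f"{dest:<16}{delta:>16}  {s['fails']:>5}/{s['total']:<5}  {s['percent']}")
```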




Figure 3.1.2




Common factors that influence the largest delta field
   • Periodic intrasite replication frequency.
   • Intersite replication schedule and frequency.
   • Redundant replication paths with staggered replication schedules.
   • Intrasite and intersite change notifications; first and subsequent replication notification delay
     values.


Where does repadmin /replsummary read replication status
information?
   • Like /showrepl, repadmin /replsummary gathers this information from the repsFrom and
     repsTo multivalued attributes stored at the root of each directory partition replica (also
     known as a naming context) held on the domain controller. This information is local to the
     domain controller and is not replicated.
   • The repsFrom attribute contains configuration and persistent state information associated
     with inbound replication from each source replica of that directory partition.
   • The repsTo attribute contains outbound change notification partners. Typically, this list
     contains your intrasite partners.


Wild card and other parameter usage
The following example uses a wildcard character to show the replication summary for all of the
domain controllers in the forest that have a name that begins with ‘ROOT’.

Figure 3.1.3




     Important


Replsummary reporting failures
The following example reports replication failure and a domain controller that could not be
reached, with the error codes and reasons.




Figure 3.1.4




C:\>net helpmsg 58

The specified server cannot perform the returned operation.

C:\>net helpmsg 1722

The RPC server is unavailable.

In our example, the following occurred:
   • We could not reach BRANCH2, hence error 58.
   • The “RPC server is unavailable” error reported by BRANCH-HUB-BH correlates with the
     finding above. It could mean that the BRANCH2 domain controller is either down or not
     reachable because of a communication link problem.
   • We also used /homeserver:rootdns to demonstrate that you sometimes have to specify a
     server (/homeserver:<domain controller name>) if you are not running the command from a
     domain controller.



Display Replication Partners and Status of a
Domain Controller
When troubleshooting replication errors, it is helpful to know which domain controllers are the
replication partners of a specific domain controller and what the status of replication with each
of those partners is.
Repadmin /showrepl displays the replication partners (RepsFrom and RepsTo) for each
naming context that is held on the specified domain controller. By enumerating each RepsFrom
and each RepsTo for each domain controller, you can visualize the replication topology for each
naming context.
The output also indicates whether the domain controller is a global catalog server. Inbound replica
links are displayed by default. Outbound links can also be shown, as well as the connection objects
that correspond to those links. The command also displays errors for replica links that the
Knowledge Consistency Checker (KCC) cannot create. This helps the administrator build a visual
representation of the replication topology and see the role of each directory server in the
replication process.


Syntax
Repadmin /showrepl <DC_LIST> <SourceDCObjectGUID> [NamingContext] [/verbose] [/nocache] [/repsto] [/conn] [/csv] [/all] [/errorsonly] [/intersite]


Parameters                                         Definition

<DC_LIST>                                          Specifies the host name of a domain controller
                                                   or a list of domain controllers separated by a
                                                   space that the object will be replicated to. See
                                                   above for detailed syntax. For details about
                                                   <DC_LIST>, see repadmin /listhelp.

SourceDCObjectGUID                                 Specifies the unique hexadecimal number that
                                                   identifies the object whose replication events
                                                   will be listed.

NamingContext                                      Specifies the distinguished name of the
                                                   directory partition.

/verbose                                           Lists detailed information.

/nocache                                           Specifies that globally unique identifiers
                                                   (GUIDs) are left in hexadecimal form. By
                                                   default, GUIDs are translated into strings.

/repsto                                            Lists the directory servers that pull replication
                                                   information from the specified directory
                                                   partition. To see the outbound neighbors,
                                                   specify /repsto or /all.

/conn                                              Displays the connection objects that are
                                                   associated with each link.

/csv                                               Displays the output of the repadmin /showrepl
                                                   operation in comma-separated values (CSV)
                                                   format for viewing and analysis in Microsoft
                                                   Excel. Repadmin supports redirection of screen
                                                   output to a file.

/all                                              Displays all replication partners.

/errorsonly                                       Only shows the partnership if it has an error
                                                  associated with it.

/intersite                                        Only shows this partnership if the source server
                                                  belongs to a different site than the site of the
                                                  server on which the command is being run.




Show replication partners and replication status
The following example uses the showrepl operation of repadmin to display the replication status
of ROOTDNS in relation to its partners. In our example, no problems are reported because
replication is running properly. There is a lot of information in this output; the comment in
parentheses next to each line explains what that line means.
Figure 3.2.1
C:\>repadmin /showrepl rootdns

HUB\ROOTDNS (Site name and domain controller name)

DC Options: IS_GC (DC Options)

Site Options: (none) (Site options)

DC object GUID: 076cd5dd-e25e-4897-acd2-7c8691621522 (GUID of NTDS settings)

DC invocationID: 076cd5dd-e25e-4897-acd2-7c8691621522 (Database signature)



==== INBOUND NEIGHBORS =========================================================



DC=contoso,DC=com (Naming Context)

HUB\ROOTDC01 via RPC (Replication link)

DC object GUID: 2a92f776-6c0f-4cb4-a111-f5dcd447af6c (GUID of replication partner)

Last attempt @ 2005-01-05 01:04:34 was successful. (Status of last replication)



CN=Configuration,DC=contoso,DC=com (Naming Context)

HUB\ROOTDC01 via RPC (Replication link)

DC object GUID: 2a92f776-6c0f-4cb4-a111-f5dcd447af6c (GUID of replication partner)

Last attempt @ 2005-01-05 01:01:31 was successful. (Status of last replication)

HUB\BRANCH-HUB-BH via RPC (Replication link)

DC object GUID: 9090b7ce-53a6-4a44-91bf-b50ed232be53

Last attempt @ 2005-01-05 01:01:44 was successful.



CN=Schema,CN=Configuration,DC=contoso,DC=com (Naming Context)

HUB\BRANCH-HUB-BH via RPC (Replication link)

DC object GUID: 9090b7ce-53a6-4a44-91bf-b50ed232be53

Last attempt @ 2005-01-05 00:53:34 was successful.

HUB\ROOTDC01 via RPC (Replication link)

DC object GUID: 2a92f776-6c0f-4cb4-a111-f5dcd447af6c

Last attempt @ 2005-01-05 00:53:34 was successful.

In the output under INBOUND NEIGHBORS, repadmin.exe shows the Lightweight Directory
Access Protocol (LDAP) distinguished name of each directory partition for which inbound
directory replication has been attempted, the site and name of the source domain controller, and
whether the attempt succeeded, as follows:
   • Last attempt @ YYYY-MM-DD HH:MM:SS was successful.
   • Last attempt @ [Never] was successful.
If repadmin.exe reports any of the following conditions, further investigation is required:
   • The last successful inter-site replication was prior to the last scheduled replication.
   • The last intra-site replication was longer than one hour ago.
   • Replication was never successful.
DC object GUID is a reference point used in Active Directory and the Domain Name System
(DNS) to locate a domain controller, primarily for the purposes of replication. This GUID is
automatically generated for each domain controller, is unique when created, and is never
duplicated.
DC invocationID: the Active Directory database has its own GUID, which the Directory System
Agent (DSA) uses to identify the database instance (version of the database). The database
GUID is stored in the invocationId attribute on the nTDSDSA object. Although the DSA GUID
never changes for the lifetime of the domain controller, the Active Directory database GUID (also
known as the invocation ID or database signature) is changed during the Active Directory restore
process to ensure the consistency of the replication process. In Windows Server 2003, it also
changes when application directory partitions are added to or removed from the domain controller.


Using repadmin /showrepl to display detailed and
precise information
The following showrepl output is returned by combining <Naming Context> and /verbose.




Figure 3.2.2




For two domain controllers to engage in replication, they have to first resolve each other’s GUID
CNAME to a host name and the host name to an IP address, such as the following:

Figure 3.2.3




2a92f776-6c0f-4cb4-a111-f5dcd447af6c._msdcs.contoso.com is the GUID CNAME
registration in DNS.

Figure 3.2.4




High-watermark value
The high-watermark value is not required for any administrative task. However, it can help you
deduce the state of progress on that replication link. You can see the high-watermark in the
output of the repadmin /showrepl /verbose command in Figure 3.2.2. Look for lines that begin
with USNs:. The high-watermark USN is the number that is followed by /OU.
The object update (OU) USN saves the position when in the middle of a replication cycle. It stays
the same as the property update (PU) when replication is not occurring, and increases during a
replication cycle. At the end of the cycle, the final USN replicated becomes the PU value and the
OU is left to match. Thus, the OU indicates progress within a cycle, and the PU indicates the last
update seen at the conclusion of a successful cycle. A PU of zero means that the link has never
completed a successful cycle, as is the case when performing its first synchronization on a new
domain controller connection. If the OU and PU are not equal, it means a replication cycle is in
progress.
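As an added example (not code from the document or from repadmin), the following Python script parses the INBOUND NEIGHBORS section of /showrepl output in the layout of Figure 3.2.1, with the USNs: line that /verbose adds, and applies the three "further investigation" conditions listed earlier together with the OU/PU interpretation above. The sample text, its timestamps and the capture time NOW are constructed; the inter-site schedule rule is not evaluated because /showrepl does not print the connection schedule.

```python
"""Audit the INBOUND NEIGHBORS section of repadmin /showrepl output (layout as in Figure 3.2.1
plus the USNs: line that /verbose adds). Constructed example, not code from the document."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

TIME_FMT = "%Y-%m-%d %H:%M:%S"
NOW = datetime(2005, 1, 5, 1, 10, 0)  # assumed time the sample output was captured
NEIGHBOR_RE = re.compile(r"^(?P<site>[^\\\s]+)\\(?P<dc>\S+) via \S+$")
USN_RE = re.compile(r"^USNs:\s*(\d+)/OU,\s*(\d+)/PU$")
ATTEMPT_RE = re.compile(r"^Last (?P<kind>attempt|success) @ (?P<when>\[Never\]|\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s*(?P<rest>.*)$")

# Constructed sample; each neighbor is set up to trigger one of the checks below.
SAMPLE = r"""==== INBOUND NEIGHBORS =====================================

DC=contoso,DC=com
    HUB\ROOTDC01 via RPC
        USNs: 36516/OU, 36516/PU
        Last attempt @ 2005-01-05 01:04:34 was successful.
    BRANCH\BRANCH2 via RPC
        USNs: 36000/OU, 36000/PU
        Last attempt @ 2005-01-05 01:03:02 failed, result 1722 (0x6ba):
        Last success @ 2005-01-04 20:12:40.

CN=Configuration,DC=contoso,DC=com
    HUB\ROOTDC01 via RPC
        USNs: 36516/OU, 36516/PU
        Last attempt @ 2005-01-04 23:50:10 was successful.
    HUB\BRANCH-HUB-BH via RPC
        USNs: 41200/OU, 40990/PU
        Last attempt @ 2005-01-05 01:01:44 was successful.

CN=Schema,CN=Configuration,DC=contoso,DC=com
    BRANCH\BRANCH2 via RPC
        USNs: 0/OU, 0/PU
        Last attempt @ [Never] was successful.
"""

@dataclass
class Neighbor:
    naming_context: str
    source_site: str
    source_dc: str
    ou_usn: int = 0                          # high-watermark: position within a cycle
    pu_usn: int = 0                          # last USN seen at the end of a successful cycle
    succeeded: bool = False                  # outcome of the last attempt
    result: int = 0                          # Win32 error code of a failed last attempt
    last_success: Optional[datetime] = None  # None means "[Never]"

def parse_inbound_neighbors(text: str) -> List[Neighbor]:
    """Line-oriented walk; indentation is ignored and unrecognised lines are skipped."""
    neighbors, nc, cur, in_section = [], "", None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("==== INBOUND NEIGHBORS"):
            in_section = True
        elif not in_section or not line:
            continue
        elif line.startswith("===="):            # another section (e.g. OUTBOUND) begins
            break
        elif line.startswith(("DC=", "CN=")):    # naming-context header
            nc = line
        elif m := NEIGHBOR_RE.match(line):       # "SITE\DC via RPC" starts a replica link
            cur = Neighbor(nc, m["site"], m["dc"])
            neighbors.append(cur)
        elif cur is None:
            continue
        elif m := USN_RE.match(line):
            cur.ou_usn, cur.pu_usn = int(m[1]), int(m[2])
        elif m := ATTEMPT_RE.match(line):
            when = None if m["when"] == "[Never]" else datetime.strptime(m["when"], TIME_FMT)
            if m["kind"] == "success":           # "Last success @" follows a failed attempt
                cur.last_success = when
            elif m["rest"].startswith("was successful"):
                cur.succeeded, cur.last_success = True, when
            else:                                # "failed, result NNNN (0x...):"
                cur.succeeded = False
                cur.result = int(re.search(r"result (\d+)", m["rest"]).group(1))
    return neighbors

def check_neighbor(n: Neighbor, now: datetime, local_site: str) -> List[str]:
    """Findings per the document's rules; an empty list means nothing to investigate."""
    findings = []
    if n.last_success is None:
        findings.append("replication was never successful")
    else:
        if not n.succeeded:
            findings.append(f"last attempt failed, result {n.result}")
        if n.source_site == local_site and now - n.last_success > timedelta(hours=1):
            findings.append("intra-site link: last success more than one hour ago")
    if n.pu_usn == 0:
        findings.append("PU is 0: link has never completed a cycle")
    elif n.ou_usn != n.pu_usn:
        findings.append("OU != PU: replication cycle in progress")
    return findings

def audit(text: str, now: datetime = NOW, local_site: str = "HUB") -> Dict[str, List[str]]:
    """Map 'naming context <- SITE\\DC' to its findings for every inbound neighbor."""
    return {f"{n.naming_context} <- {n.source_site}\\{n.source_dc}": check_neighbor(n, now, local_site)
            for n in parse_inbound_neighbors(text)}
```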
The following table lists nbrflagoptions, which are flags that describe the replication actions
expected with the partner.


Nbrflagoptions                                     Meaning

WRITEABLE                                          The local copy of the naming context is
                                                   writable.

SYNC_ON_STARTUP                                    Replication of this naming context from this
                                                   source is attempted when the destination
                                                   server is booted. This normally only applies to
                                                   intrasite neighbors.

DO_SCHEDULED_SYNCS                                 Perform replication on a schedule. This flag is
                                                   normally set unless the schedule for this
                                                   naming context/source is "never," that is, the
                                                   empty schedule.




Showing outbound neighbors
By default, repadmin /showrepl does not display outbound neighbors, as with previous versions.
The /repsto parameter provides this feature, as shown in Figure 3.2.5.




Figure 3.2.5




Some of the repadmin /showrepl Error Messages
and their root cause
The following table lists some repadmin /showrepl errors and their root cause. The next sections
after the table explain some errors in more detail.


Repadmin error                                  Root cause

No Inbound neighbors                            If no items appear in the “Inbound Neighbors”
                                                section of the output generated by the
                                                repadmin /showrepl command, the domain
                                                controller could not establish replication links
                                                with another domain controller.

Access denied                                   A replication link exists between two domain
                                                controllers, but replication cannot be properly
                                                performed.

Last attempt at <date - time> failed with the   This problem can be related to connectivity,
“Target account name is incorrect.”             DNS, or authentication issues.
                                                If it is a DNS error, the local domain controller
                                                could not resolve the GUID–based DNS name
                                                of its replication partner.


No more end point                                   This can occur because no more endpoints are
                                                    available to establish the TCP session with
                                                    the replication partner.
                                                    This error can also result when the replication
                                                    partner can be contacted, but its RPC interface
                                                    is not registered. This usually indicates that the
                                                    domain controller’s DNS name is registered but
                                                    with the wrong IP address.

LDAP Error 49                                       The domain controller computer account might
                                                    not be synchronized with the Key Distribution
                                                    Center (KDC).

Cannot open LDAP connection to local host.          The administration tool could not contact
                                                    Active Directory.

Active Directory replication has been               An inbound replication in progress was
preempted                                           interrupted by a higher priority replication
                                                    request, such as a request generated manually
                                                    by using the repadmin /syncall command.

Replication posted, waiting.                        The domain controller posted a replication
                                                    request and is waiting for an answer.
                                                    Replication is in progress from this source.

Last attempt @ never was successful                 The KCC successfully created the replication
                                                    link between the local domain controller and its
                                                    replication partner, but because of the schedule
                                                    or possible bridgehead overload, replication
                                                    has not occurred.
                                                    A large backlog of inbound replication must be
                                                    performed on this domain controller.



No inbound neighbors
A “no inbound neighbor” error appears in the repadmin /showrepl command output when one or
more of the following conditions exist:
   • No connection object exists to indicate which domain controller(s) this domain controller
     should replicate from. These connection objects are typically created by the KCC. However,
     in some environments, administrators have turned off the part of the KCC (intersite) that
     creates connection objects for inbound replication from domain controllers in other sites,
     relying on manual connections instead.
   • One or more connection objects exist, but the domain controller cannot contact the source
     domain controller to create the replication links. In this case, the KCC logs events each time it
     runs (by default, every 15 minutes) detailing the error that occurred when it attempted to add
     the replication links.
   • Existing replication links have been inadvertently deleted between KCC executions.
In this scenario, repadmin can be used only for diagnosis. The following table explains
subcommand usage that can help you diagnose the problems leading to this situation.


Subcommand                                         Description

Repadmin /showrepl                                 Verify replication status.

Repadmin /showconn                                 Verify whether a valid connection object exists
                                                   between the source and destination.

Repadmin /failcache                                Resolve the underlying connection translation
                                                   problems. For more information about using
                                                   Repadmin /failcache, see Repadmin
                                                   /failcache.

Repadmin /KCC                                      Ensure that a connection object (Automatic or
                                                   Manual) has been created properly between
                                                   the domain controller and its replication partner.
                                                   And then force the KCC to run so that the
                                                   connection object is translated to an
                                                   appropriate replication link.



Active Directory replication has been preempted
When Active Directory replication has been preempted, an inbound replication in progress was
interrupted by a higher priority replication request. An example of a higher priority replication
request is a request generated manually by using the repadmin /sync command.
In this scenario, repadmin can be used only for diagnosis. The following table explains
subcommand usage that can help you diagnose the problems leading to this situation.


Subcommand                                         Description

Repadmin /showrepl                                 Verify replication status.

Repadmin /queue                                    Check how many inbound synchronizations are
                                                   in the queue.




Last attempt @ never was successful
The “Last attempt @ never was successful” error typically indicates that the KCC successfully
created the replication link between the local domain controller and its replication partner, but
because of the schedule or possible bridgehead overload, replication has not occurred.
In this scenario, repadmin can be used for both diagnosis and resolution. The following table
explains subcommand usage that can help you diagnose or solve the problems.


Subcommand                                         Description

Repadmin /showrepl                                 Verify replication status.

Repadmin /queue                                    Check how many inbound synchronizations are
                                                   in the queue.

Repadmin /sync                                     Synchronize replication from a source domain
                                                   controller.



Access denied
This error indicates that the local domain controller failed to authenticate against its replication
partner when creating the replication link or when trying to replicate over an existing link. This
typically happens when the domain controller has been disconnected from the rest of the network
for a long time and its computer account password is not synchronized with the computer account
password that is stored in the Active Directory of its replication partner.



Replication Latency
Two mechanisms exist for measuring replication latency, each specific to the functionality of the
underlying operating system. Repadmin can be used in both environments, as the following table
shows.


Windows 2000 functionality                         Windows Server 2003 functionality

/latency provides a replication latency report     /showutdvec provides a replication latency
by measuring how recently the Intersite            report by leveraging a new field stored in the
Topology Generator (ISTG) attribute has            Up-To-Dateness (UTD) vector: "last
changed.                                           successful replication timestamp."

Note that this report ceases to give meaningful    This timestamp records the last time the
results when the forest functional level is        corresponding domain controller completed a
Windows Server 2003, because the                   successful replication cycle with its partner. The
interSiteTopologyGenerator attribute on the        replication cycle may have occurred directly
NTDS Site Settings object is not updated at that   (direct replication partner) or indirectly
functional level.                                  (transitive replication partner).

Latency is shown for the configuration naming      Because this data is recorded on all domain
context only.                                      controllers that host the partition, it is possible
                                                   to identify non-replicating domain controllers
                                                   from any domain controller in the forest that
                                                   has a common partition between them.




Syntax
The following command displays the amount of time between replications on a site-by-site basis
from the perspective of the servers listed in <DC_LIST>, using the ISTG Keep Alive time stamp.
repadmin /latency <DC_LIST>

    Note
    The ISTG Keep Alive time stamp is the mechanism used in Windows 2000 to determine
    whether a new ISTG is required for the site. Prior to Windows Server 2003, every ISTG
    records a time stamp every 30 minutes to indicate that it is alive. After this gets replicated
    within the site, all of the domain controllers in the site can tell whether the ISTG is down
    by checking this attribute, which is stored in Active Directory.

Figure 3.3.1




How to interpret the data
In this example, the forest has only four sites.



Field                                              Explanation

Origination site                                   This column has a row for each site in the
                                                   forest

Ver                                                Version number for site specific
                                                   interSiteTopologyGenerator

Time Local Update                                  Local time when the remote ISTG attribute
                                                   change was replicated in.

Time Orig. Update                                  Time when the ISTG attribute was changed on
                                                   the originating server.

Latency                                            Difference between the Time Orig. Update and
                                                   Time Local Update

Since Last                                         Difference between the Tool execution time and
                                                   Time Local Update


Examining the UTD vector from time to time on one bridgehead server is another good way to
ensure that replication is healthy. The UTD vector shows the last time that a domain controller
received updates from each replication partner for a particular naming context. The UTD
vector is transitive: one domain controller does not have to talk directly to another domain
controller to receive an update from it.
repadmin /showutdvec <DC_LIST> <NamingContext> [/nocache][/latency]


Parameters                                         Definition

<DC_LIST>                                          Specifies the host name of a domain controller
                                                   or a list of domain controllers separated by a
                                                   space that the object will be replicated to. For
                                                   details about DC_LIST, see repadmin
                                                   /listhelp.

<NamingContext>                                    Specifies the distinguished name of the
                                                   directory partition.

/nocache                                           Specifies that globally unique identifiers (GUIDs)
                                                   are left in hexadecimal form. By default, GUIDs
                                                   are translated into strings.

/latency                                           Sorts the information by the time required to
                                                   complete the replication. By default, the
                                                   information is sorted by Update Sequence
                                                   Number (USN).



Figure 3.3.2




How to interpret the data
   • In Figure 3.3.2, there are four sites, two domains and six domain controllers in the forest.
   • The output is a list of dates and times indicating the last time that inbound replication of the
     configuration container occurred from each domain controller. If an excessive amount of time
     has passed since replication last took place, it could indicate a problem and there is reason to
     be concerned.
   • The entries are listed by domain controller, and the /latency parameter sorts the output by
     date/time.
   • As the example shows, occasionally GUIDs will be displayed instead of a domain
     controller's name. It is safe to ignore the GUID entries, as these are a result of InvocationID
     changes or domain controllers being demoted or rebuilt and do not affect the health of the
     topology.
   • HUB\ROOTDNS will always report the current date and time and the highest committed USN.
     The reason is that a domain controller does not keep itself in its own UTDVEC and always
     builds its entry on the fly based on the current state.
   • Latency from the perspective of ROOTDNS is the difference between its current date/time and
     that of its other partners (direct or transitive) for the given naming context. For example, the
     latency between ROOTDNS and BRANCH1 is 00:24:17.




Display the latency only for the domain partition
Figure 3.3.3




In this example, we are interested only in the domain naming context latency. Both domain
controllers are running Windows Server 2003 and reside in the same site; hence the latency is
less than a minute. Note also that only the domain members are displayed, not the whole forest,
because of the scope of the naming context.
While it is important to measure replication latencies, it is equally important to understand that
intersite replication depends on many factors, such as:
   • Site link schedules and intervals
   • Availability of bridgehead servers and their load
   • Whether change notifications are enabled
   • LAN/WAN infrastructure



View Replication Metadata of an Object
The /showobjmeta operation displays the replication metadata for a specified object stored in
Active Directory, such as the attribute ID, version number, originating and local Update Sequence
Number (USN), and the originating server's globally unique identifier (GUID) and date and time
stamp. By comparing the replication metadata for the same object on different domain controllers,
an administrator can determine whether replication has occurred.


Syntax
repadmin /showobjmeta <DC_LIST> <ObjectDN> [/nocache] [/linked]


Parameters                                          Definitions

<DC_LIST>                                           Specifies the host name of a domain controller
                                                    or a list of domain controllers separated by a
                                                    space that the object will be replicated to. For
                                                    details about DC_LIST, see repadmin
                                                    /listhelp.

<ObjectDN>                                          Specifies the distinguished name of the object.

/nocache                                          Specifies that GUIDs are left in hexadecimal
                                                  form. By default, GUIDs are translated into
                                                  strings.

/linked                                           Displays metadata associated with, but not
                                                  stored with, the specified object.




Example 1: Metadata of a group object
In this example, we are viewing the metadata of a group object (Domain Admins) and therefore
the forward links (members) are listed as well.

Figure 3.4.1




Example 2: Comparing replication metadata of a user object between two domain controllers
A domain administrator has restricted user Lee's logon hours. Lee claims he could still log on during
restricted hours from BRANCH3, as opposed to other branch offices. The domain administrator
can easily determine whether this is related to Active Directory replication latency by comparing
the replication metadata of Lee's account.




Figure 3.4.2




Figure 3.4.2 is the metadata of Lee from the HUB domain controller (where the change was made)
and Figure 3.4.3 is the metadata from the BRANCH3 domain controller. The attribute
logonHours has been highlighted for clarity.
   • BRANCH-HUB-BH has version 2, last Orig. time/date 2005-01-06 01:19:59 and Orig.USN
     20654.
   • BRANCH3 is still on version 1, last Orig. time/date 2005-01-06 00:52:03 and Orig.USN
     20578, and hence the logon succeeds in BRANCH3 because that domain controller has not yet
     replicated the update.

Figure 3.4.3
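The comparison made by eye in Figures 3.4.2 and 3.4.3 can be scripted. The following Python script is an added example written for this document (it is not Microsoft's code and not part of Repadmin): it parses the row layout that repadmin /showobjmeta prints for the same object on two domain controllers and reports every attribute whose version or originating write differs, so the domain controller that has not yet received an update stands out. The two outputs embedded in it are constructed to mirror the logonHours scenario above; the column order (Loc.USN, Originating DSA, Org.USN, Org.Time/Date, Ver, Attribute) follows the tool's output, and the USNs other than those quoted in the text are made up.

```python
import re

# Row layout as repadmin /showobjmeta prints it:
#   Loc.USN  Originating DSA  Org.USN  Org.Time/Date  Ver  Attribute
META_ROW = re.compile(
    r"^\s*(?P<loc_usn>\d+)\s+(?P<dsa>\S+)\s+(?P<org_usn>\d+)\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<ver>\d+)\s+(?P<attr>\S+)\s*$"
)

# Constructed outputs for Lee's account from the two DCs discussed in the text (sample data, not real output).
HUB_OUTPUT = r"""
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  20501                     HUB\BRANCH-HUB-BH       20501 2005-01-05 10:02:14    1 objectClass
  20503                     HUB\BRANCH-HUB-BH       20503 2005-01-05 10:02:14    1 sAMAccountName
  20654                     HUB\BRANCH-HUB-BH       20654 2005-01-06 01:19:59    2 logonHours
3 entries.
"""
BRANCH3_OUTPUT = r"""
Loc.USN                           Originating DSA  Org.USN  Org.Time/Date        Ver Attribute
=======                           =============== ========= =============        === =========
  31877                     HUB\BRANCH-HUB-BH       20501 2005-01-05 10:02:14    1 objectClass
  31878                     HUB\BRANCH-HUB-BH       20503 2005-01-05 10:02:14    1 sAMAccountName
  31890                     HUB\BRANCH-HUB-BH       20578 2005-01-06 00:52:03    1 logonHours
3 entries.
"""


def parse_objmeta(text):
    """Return {attribute: metadata dict}; header, separator and summary lines are skipped."""
    meta = {}
    for line in text.splitlines():
        m = META_ROW.match(line)
        if m:
            meta[m.group("attr")] = {
                "ver": int(m.group("ver")),
                "org_usn": int(m.group("org_usn")),
                "org_time": m.group("time"),
                "dsa": m.group("dsa"),
            }
    return meta


def compare_objmeta(meta_a, meta_b, name_a="A", name_b="B"):
    """Attributes on which the two DCs disagree, and which side has not yet received the update.

    Version, originating USN, originating DSA and originating time travel with the attribute,
    so after a successful replication cycle they are identical on both DCs; only Loc.USN differs.
    """
    diffs = {}
    for attr in sorted(set(meta_a) | set(meta_b)):
        a, b = meta_a.get(attr), meta_b.get(attr)
        if a is None:
            diffs[attr] = f"missing on {name_a}"
        elif b is None:
            diffs[attr] = f"missing on {name_b}"
        elif a["ver"] != b["ver"]:
            behind, ahead = (name_b, name_a) if a["ver"] > b["ver"] else (name_a, name_b)
            diffs[attr] = f"{behind} behind ({ahead} has version {max(a['ver'], b['ver'])})"
        elif (a["org_usn"], a["dsa"]) != (b["org_usn"], b["dsa"]):
            diffs[attr] = "same version, different originating write: inspect both sides"
    return diffs


if __name__ == "__main__":
    hub, branch3 = parse_objmeta(HUB_OUTPUT), parse_objmeta(BRANCH3_OUTPUT)
    for attr, verdict in compare_objmeta(hub, branch3, "HUB", "BRANCH3").items():
        print(f"{attr}: {verdict}")
```

Run against real output, the script would be fed the text of `repadmin /showobjmeta HUB-DC <ObjectDN>` and `repadmin /showobjmeta BRANCH3 <ObjectDN>`; an empty result means the object is in sync on both domain controllers.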




Display the Attributes of a Specific Object
The /showattr operation displays the attributes and contents of an object.

Syntax
repadmin /showattr <DC_LIST> <OBJ_LIST> <OBJ_LIST_OPTIONS> [/atts:<att1>,<att2>,...] [/allvalues] [/long] [/dumpallblob]


Parameters                                   Definition

<DC_LIST>                                    Specifies the host name of a domain controller
                                             or a list of domain controllers separated by a
                                             space that the object will be replicated to. For
                                             details about DC_LIST, see repadmin
                                             /listhelp.

<OBJ_LIST>                                   This parameter takes a distinguished name or a
                                             special keyword that expands into a
                                             distinguished name. The keywords are as
                                             follows:
                                                • Ncobj:config: Distinguished name of the
                                                  Configuration partition of the domain
                                                  controller
                                                • Ncobj:schema: Distinguished name of the
                                                  Schema partition of the domain controller
                                                • Ncobj:domain: Distinguished name of the
                                                  Domain partition of the domain controller
                                                • Dsaobj: NTDS settings object of the
                                                  directory server

<OBJ_LIST_OPTIONS>                           The OBJ_LIST_OPTIONS parameter is required
                                             to perform a generic Lightweight Directory
                                             Access Protocol (LDAP) search from the
                                             command line. The parameter requires a
                                             BaseDN, with the ability to use a search
                                             modifier option. The valid search modifier
                                             options are as follows:
                                                • /filter:<ldap_filter>
                                                • /base
                                                • /subtree
                                                • /onelevel

[/atts:<att1>,<att2>,...]                    Returns only the attributes that are specified.
                                             Separate each listed attribute with a comma.

/allvalues                                   For an attribute, the tool displays only 20
                                             values unless this flag is specified, in which
                                             case it shows all values.

/long                                        Displays one value per line.

/dumpallblob                                 Dumps the BLOB in a default byte-by-byte
                                             format if there is not a friendly formatted
                                             interpretation available for it.


    Note
    A BLOB in this context means an attribute that is not a simple type, like a string or an
    integer. A BLOB is a complex structured type that is stored as binary bytes. To make
    sense of the BLOB, a program must interpret it and format it. A friendly BLOB is a BLOB
    that the program knows about and can format in an understandable way. The program
    has a list of BLOBs that it understands.


Example: Display select attributes
Please note how we specify the naming context as ncobj:domain:

Figure 3.5.1




How Up to Date Are My Domain Controllers?
Checkprop compares properties of specified domain controllers to determine if they are up-to-
date with each other. The source domain controller contains the original information that needs to
be checked. The destination domain controller data is compared to the source domain controller
data.


Syntax
repadmin /checkprop <DC_LIST> <NamingContext> <OriginatingDCInvocationID> <OriginatingUSN>




Parameter                                         Definition

<DC_LIST>                                         Specifies the host name of a domain controller,
                                                  or a list of domain controllers separated by a
                                                  space. For details about <DC_LIST>, see
                                                  repadmin /listhelp.

<NamingContext>                                   Specifies the distinguished name of the
                                                  directory partition on the source domain
                                                  controller.

<OriginatingDCInvocationID>                       Specifies the unique hexadecimal number that
                                                  identifies an object on a source domain
                                                  controller. The InvocationID can be retrieved by
                                                  using the /showrepl operation.

<OriginatingUSN>                                  Specifies the Update Sequence Number (USN)
                                                  for the object on the source domain controller.
                                                  The USN is for the object whose InvocationID
                                                  is already listed.




Example: Checking replication latency on the BRANCH3 domain controller
Latency output reveals that the highest OriginatingUSN that BRANCH3 has knowledge of for its
HUB site bridgehead server, BRANCH-HUB-BH, is 137844. It is also apparent that the last
successful replication attempt with this HUB site bridgehead server was just under 5 minutes ago.

Figure 3.6.1




Example: Comparing how up-to-date other domain controllers in the enterprise are with respect to the OriginatingUSN
In Figure 3.6.2, note that the BRANCH2 domain controller is not up-to-date with the rest of the
domain controllers.

Figure 3.6.2




Example: Further investigation from the perspective of the BRANCH2 domain controller
Latency was calculated for BRANCH2, which revealed that it is not aware of the latest
OriginatingUSN from BRANCH-HUB-BH and is in fact behind by approximately 20 minutes.
Because the latency in this example is just under 20 minutes (the replication interval being 30
minutes), it is expected to catch up during the next replication cycle.

Figure 3.6.3
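The latency reading described under /showutdvec earlier (the last successful replication timestamp per partner, with GUID-only entries to be ignored) and the checkprop question in this section (has a given domain controller seen OriginatingUSN n from a given source yet?) can both be answered from the UTD vector output itself. The following Python script is an added example written for this document, not Microsoft code: it parses constructed repadmin /showutdvec output from two branch domain controllers, computes each partner's latency against a fixed tool execution time, flags partners that exceed a chosen age, and lists the domain controllers that are still behind a given originating USN, which is what the BRANCH2 walk-through shows by hand. The domain controller names, USNs and timestamps are constructed sample data written in the line shape the tool prints.

```python
import re
from datetime import datetime

# Line shape of "repadmin /showutdvec <DC> <NC>" output, one entry per partner:
#   HUB\BRANCH-HUB-BH @ USN 137844 @ Time 2005-01-06 01:19:59
UTD_LINE = re.compile(
    r"^(?P<partner>\S+)\s+@\s+USN\s+(?P<usn>\d+)\s+@\s+Time\s+"
    r"(?P<time>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$"
)
# A partner shown as a bare GUID is a retired invocationID or a demoted/rebuilt DC; the text says to ignore it.
GUID_ENTRY = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Constructed sample output for one partition as seen from two branch DCs (not real tool output).
SAMPLE_OUTPUT = {
    "BRANCH3": r"""Caching GUIDs.
..
HUB\BRANCH-HUB-BH @ USN 137844 @ Time 2005-01-06 01:19:59
BRANCH1\BRANCH1 @ USN 20578 @ Time 2005-01-06 01:10:00
5c3d0f2e-1a2b-4c3d-8e9f-0123456789ab @ USN 11 @ Time 2004-12-01 09:00:00
""",
    "BRANCH2": r"""Caching GUIDs.
..
HUB\BRANCH-HUB-BH @ USN 137800 @ Time 2005-01-06 01:01:10
BRANCH1\BRANCH1 @ USN 20578 @ Time 2005-01-06 01:10:00
""",
}
NOW = datetime(2005, 1, 6, 1, 22, 0)  # constructed tool execution time


def parse_utdvec(text):
    """Return {partner: (highest_usn_seen, last_successful_replication)} for one DC's output."""
    vec = {}
    for line in text.splitlines():
        m = UTD_LINE.match(line.strip())
        if not m or GUID_ENTRY.match(m.group("partner")):
            continue  # chatter such as "Caching GUIDs." or an ignorable GUID entry
        stamp = datetime.strptime(m.group("time"), "%Y-%m-%d %H:%M:%S")
        vec[m.group("partner")] = (int(m.group("usn")), stamp)
    return vec


def latency_report(vec, now, max_age_seconds):
    """Latency = now - last successful replication timestamp, per partner.

    Returns [(partner, latency_seconds, stale)] sorted from worst to best, the way
    /showutdvec /latency orders its output; stale is True when the partner is older than max_age_seconds.
    """
    rows = []
    for partner, (_usn, stamp) in vec.items():
        age = int((now - stamp).total_seconds())
        rows.append((partner, age, age > max_age_seconds))
    return sorted(rows, key=lambda row: row[1], reverse=True)


def behind_dcs(vectors, source, originating_usn):
    """checkprop-style question: which DCs have not yet seen originating_usn from source?

    vectors maps DC name -> parsed UTD vector. A DC with no entry for source at all is
    reported with USN 0.
    """
    behind = []
    for dc in sorted(vectors):
        seen = vectors[dc].get(source, (0, None))[0]
        if seen < originating_usn:
            behind.append((dc, seen))
    return behind


if __name__ == "__main__":
    vectors = {dc: parse_utdvec(out) for dc, out in SAMPLE_OUTPUT.items()}
    for dc, vec in vectors.items():
        for partner, age, stale in latency_report(vec, NOW, 10 * 60):
            flag = " STALE" if stale else ""
            print(f"{dc}: {partner} last replicated {age // 60:02d}:{age % 60:02d} ago{flag}")
    print("behind USN 137844 from HUB\\BRANCH-HUB-BH:", behind_dcs(vectors, r"HUB\BRANCH-HUB-BH", 137844))
```

The age threshold belongs to the site link schedule in use: with the 30-minute replication interval of the example, a partner under 30 minutes old is expected to catch up on its own, while one far beyond it is the candidate for the schedule, bridgehead and change-notification checks listed earlier.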




Can I Look at My Connection Objects and Schedule Details?
Every domain controller that is also a member of the SYSVOL replica set has to have at least one
inbound connection. Otherwise, Active Directory and File Replication Service (FRS) would not
replicate inbound. The /showconn subcommand is especially useful for verifying this:
   • When you don't have access to the graphical user interface (GUI), or
   • When you find it more practical to connect directly to the various domain controllers from the
     user interface (UI) to look at the Active Directory topology from the perspective of that domain
     controller.
The /showconn subcommand displays the connection objects for a specified domain
controller. The default is the local site.


Syntax
repadmin /showconn <DC_LIST> {<ServerRDN> | <ContainerDN> | <DC_GUID>} [/From:<ServerRDN>] [/intersite]


Parameter                                          Definition

<DC_LIST>                                          Specifies the host name of a domain controller
                                                   from where to read the configuration, or a list of
                                                   domain controllers separated by a space. For
                                                   details about <DC_LIST>, see repadmin
                                                   /listhelp.

<ServerRDN>                                        Specifies the relative distinguished name of a
                                                   server.

<ContainerDN>                                      Specifies the distinguished name of a
                                                   container.

<DC_GUID>                                          Specifies the unique hexadecimal number that
                                                   identifies the domain controller. The globally
                                                   unique identifier (GUID) can be retrieved by
                                                   using the /showreps operation.

/intersite                                         Displays only those connection objects that are
                                                   between sites.




Example: Simple usage of /showconn
Figure 3.7.1 shows a simple example of output returned by /showconn.
C:\>repadmin /showconn branch1

Base DN: CN=BRANCH1,CN=Sites,CN=Configuration,DC=contoso,DC=com

=====   KCC CONNECTION OBJECTS    =================================

Connection --
     Connection name : ed5e0d25-bec3-4556-9f18-f24cf4ea3a57
     Server DNS name : BRANCH1.research.contoso.com
     Server DN    name : CN=NTDS Settings,CN=BRANCH1,CN=Servers,CN=BRANCH1,CN=Sites,CN=Configuration,DC=contoso,DC=com
           Source: HUB\BRANCH-HUB-BH
                 No Failures.
           TransportType: IP
           options:   isGenerated overrideNotifyDefault
           ReplicatesNC: DC=DomainDnsZones,DC=research,DC=contoso,DC=com
           Reason:    IntersiteTopology
                 Replica link has been added.
           ReplicatesNC: DC=ForestDnsZones,DC=contoso,DC=com
           Reason:    IntersiteTopology
                 Replica link has been added.
           ReplicatesNC: CN=Configuration,DC=contoso,DC=com
           Reason:    IntersiteTopology
                 Replica link has been added.
           ReplicatesNC: DC=research,DC=contoso,DC=com
           Reason:    IntersiteTopology
                 Replica link has been added.

1 connections found.

In the example in Figure 3.7.1, there is only one connection object for the BRANCH1 site, and it was
created automatically (options: isGenerated). Depending on the number of connection objects, we
may have to qualify the query further so that it lists only what we are interested in, as in the
following cases:
Figure 3.7.2
repadmin /showconn BRANCH1 CN=HUB,CN=Sites,CN=Configuration,DC=contoso,DC=com /intersite /v



Here repadmin contacts the BRANCH1 DC and lists all the inbound intersite connections for the HUB
site with verbose details.

Figure 3.7.3
repadmin /showconn BRANCH-HUB-BH BRANCH-HUB-BH /from:BRANCH3

Here repadmin contacts the BRANCH-HUB-BH DC which is also located in the HUB site and
displays just the connection object from BRANCH3 DC to BRANCH-HUB-BH.

With the verbose switch, showconn provides much more information, such as the following:
   • Connection replication schedule
   • Partition Replication Schedule Loading
Figure 3.7.4 Connection replication schedule
day: 0123456789ab0123456789ab
Sun: ffffffffffffffffffffffff
Mon: ffffffffffffffffffffffff
Tue: ffffffffffffffffffffffff
Wed: ffffffffffffffffffffffff
Thu: ffffffffffffffffffffffff
Fri: ffffffffffffffffffffffff
Sat: ffffffffffffffffffffffff

Each character in the rows above represents one hour of the day as a 4-bit value written as a
hexadecimal digit (the header row labels the 24 hours as 0 to 11 twice, using a and b for 10 and 11).
Each bit represents 15 minutes of that hour.
So if an hour shows "1" (0001 in binary), one bit is set and we replicate once per hour; a full day
of this looks like:
111111111111111111111111
If the value is 5 (0101 in binary), we replicate twice per hour, for example:
555555555555555555555555
Finally, if it is F (1111), we replicate four times per hour:
FFFFFFFFFFFFFFFFFFFFFFFF
So in our example we replicate four times per hour for the entire week.
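The hour-by-hour decoding explained above is simple enough to script. The following Python example was added for this document (it is not Repadmin's code): it parses a schedule block of the shape shown in Figure 3.7.4, counts the 15-minute replication slots set in every hour, totals them for the week, and lists the hours in which no replication is scheduled, which is the check an administrator wants when a site link schedule is suspected of holding replication back. The sample schedule is constructed (it mixes the 1, 5 and f patterns discussed above rather than copying the figure); the mapping of individual bits to particular quarter-hours in quarters() is an assumption, since the document states only that each bit stands for 15 minutes.

```python
# Constructed sample of the schedule block that "repadmin /showconn ... /v" prints (not the figure's data).
SAMPLE_SCHEDULE = """day: 0123456789ab0123456789ab
Sun: ffffffffffffffffffffffff
Mon: 111111111111111111111111
Tue: 555555555555555555555555
Wed: 000000000000ffffffffffff
Thu: ffffffffffffffffffffffff
Fri: ffffffffffffffffffffffff
Sat: ffffffffffffffffffffffff
"""


def parse_schedule(text):
    """Return {day: [24 ints]}: the number of 15-minute slots (set bits) in each hour's digit."""
    sched = {}
    for line in text.splitlines():
        day, sep, digits = line.strip().partition(":")
        digits = digits.strip()
        if not sep or day == "day":  # blank line, or the header row that only labels the hours
            continue
        if len(digits) != 24:
            raise ValueError(f"{day}: expected 24 hour digits, got {len(digits)}")
        sched[day] = [bin(int(d, 16)).count("1") for d in digits]
    return sched


def replications_per_week(sched):
    """Total number of scheduled replication slots across the whole week."""
    return sum(sum(hours) for hours in sched.values())


def silent_hours(sched):
    """{day: [hours with no replication slot]} for the days that have any such hour."""
    return {day: [h for h, n in enumerate(hours) if n == 0]
            for day, hours in sched.items() if 0 in hours}


def quarters(digit):
    """Minute offsets within the hour that one digit enables.

    Assumption (not stated on the page): bit 0 is :00-:15, bit 1 is :15-:30, and so on.
    """
    value = int(digit, 16)
    return [q * 15 for q in range(4) if value >> q & 1]


if __name__ == "__main__":
    sched = parse_schedule(SAMPLE_SCHEDULE)
    for day, hours in sched.items():
        print(day, " ".join(str(n) for n in hours))
    print("slots per week:", replications_per_week(sched))
    print("hours with no replication:", silent_hours(sched))
    print("quarters enabled by 5:", quarters("5"))
```

Fed the Figure 3.7.4 block instead of the sample, parse_schedule() returns 4 for every hour of every day, 672 slots per week and no silent hours, matching the text's reading of that schedule.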



Fine-Tuning Change Notification Values
Replication within a site occurs as a response to changes elsewhere in the site. Replication
across sites occurs based on the replication schedule and interval. It is also possible to enable
change notifications across sites.
When a change occurs on a domain controller, two configurable intervals determine the delay before
the following events:
   • Notification to the first partner.
   • Notification to each subsequent partner.
These two intervals serve to:
   • Stagger the network traffic caused by replication.
   • Spread out the load of responding to replication requests from partners.
The following table lists the default notification delays:


Operating system                          Notify first    Subsequent      Forest functional level
                                          partner (sec)   partner (sec)

Windows 2000                              300             30              Windows 2000

Windows Server 2003 (upgraded             300             30              Windows 2000
from Windows 2000)

Windows Server 2003                       15              3               Windows 2000

Windows Server 2003 (either               15              3               Windows Server 2003
upgraded from Windows 2000 or
a clean install)

    Note
    If you changed the default values, those values that you set are retained after you
    upgrade from Windows 2000 to Windows Server 2003.


The following table lists the storage location of notification delay values for each operating
system.


Operating system               Location                                               Attribute

Windows 2000 Server            HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters  Replicator notify pause after modify (secs)
                                                                                      Replicator notify pause between Directory
                                                                                      System Agents (DSAs) (secs)

Windows Server 2003            Cross-reference object for each directory partition    msDS-Replication-Notify-First-DSA-Delay
                               in the configuration partition.                        msDS-Replication-Notify-Subsequent-DSA-Delay


Repadmin /notifyopt can be used to view or change the notification timing settings of a
specified directory partition in Windows Server 2003.


Syntax
repadmin /notifyopt <DC_LIST> <NamingContext> [/first: Value] [/subs: Value]


Parameter                                        Definition

<DC_LIST>                                        Specifies the host name of a domain controller,
                                                 or a list of domain controllers separated by a
                                                 space. For details about <DC_LIST>, see
                                                 repadmin /listhelp.

<NamingContext>                                  Specifies the distinguished name of the
                                                 directory partition on the source domain
                                                 controller.

/first                                           The number of seconds after a change is made
                                                 before the domain controller notifies its first
                                                 replication partner that there is a change.

/subs                                            Once the first replication partner is notified of a
                                                 change, the subs parameter specifies the
                                                 number of seconds to wait before notifying the
                                                 next replication partner.




Example 1: Displaying the default notification delay on the ForestDnsZones partition
Figure 3.8.1




Example 2: Changing the defaults to 300/30 on the ForestDnsZones
Figure 3.8.2




    Note
    In order to make this change, you have to run /notifyopt against the Domain Naming
    Master. See the highlighted text in figure 3.8.2.



Forcing Replication
Sometimes it becomes necessary to forcefully replicate objects and entire partitions between
domain controllers that may or may not have replication agreements.




    Important
    These are very powerful subcommands and should be used sparingly: they do not follow the
    replication agreements that are in place and have the potential to cause a replication storm
    and break Active Directory if not used properly.


Replicate a single object between two domain controllers
The repadmin /replsingleobject command replicates a single object between any two domain
controllers that have partitions in common. The two domain controllers do not require a replication
agreement between them. Replication agreements can be shown by using the repadmin
/showreps command.


Syntax
repadmin /replsingleobject <DC_LIST> <DsaSourceGUID> <ObjectDN>


Parameter                                         Definition

<DC_LIST>                                         Specifies the host name of a domain controller
                                                  or a list of domain controllers separated by a
                                                  space that the object will be replicated to. For
                                                  details about <DC_LIST>, see repadmin
                                                  /listhelp

<DsaSourceGUID>                                   Specifies the DSA object GUID of the source
                                                  domain controller (the objectGUID of its NTDS
                                                  Settings object), not the GUID of the object
                                                  being replicated. It is shown as DSA object
                                                  GUID in the output of the /showrepl
                                                  (/showreps) operation.

<ObjectDN>                                        Specifies the distinguished name of the object.




Example: Replicate a single object between all the branch
domain controllers by using wild card character
Figure 3.9.1.1




Force a replication event between two partners
The repadmin /replicate command starts a replication event for the specified directory partition
between the source and destination domain controllers. The source universally unique identifier
(UUID) can be determined when viewing the replication partners by using the /showreps
operation.

    Important
    The repadmin /replicate command does not work if the partners do not have the specified
    partition in common or do not have a replication agreement between them.


Syntax1
repadmin /replicate <Destination_DC_LIST> <Source_DC_NAME> <Naming Context>         [/force]
[/async] [/full] [/addref] [/readonly]



Syntax2
repadmin /replicate <Destination_DC_LIST> <Naming Context> [/allsources] [/force]
[/async] [/full] [/addref] [/readonly]


Parameter                                         Definition

<Destination_DC_LIST>                             Specifies the host name of the destination
                                                  domain controller (Directory System Agent,
                                                  DSA) with which you want to replicate. For
                                                  details about <DC_LIST>, see repadmin
                                                  /listhelp.

<Source_DC_NAME>                                   Specifies the host name of the source domain
                                                   controller with which you want to replicate. This
                                                   parameter accepts a globally unique identifier
                                                   (GUID), GUID-based Domain Name System
                                                   (DNS) name, or the name of a server object.

<Naming Context>                                   Specifies the distinguished name of the
                                                   directory partition.

/force                                             Overrides the Disable Replication option
                                                   (DISABLE_INBOUND_REPL or
                                                   DISABLE_OUTBOUND_REPL) that an administrator
                                                   has set on the destination or source domain
                                                   controller.

/async                                             Specifies that the replication will be
                                                   asynchronous. This means that repadmin starts
                                                   the replication event, but it does not expect an
                                                   immediate response from the destination
                                                   domain controller. Use this parameter when
                                                   there are slow links between domain
                                                   controllers.

/full                                              Forces a full replication: every object in the
                                                   partition is sent from the source to the
                                                   destination, instead of only the changes made
                                                   since the last successful synchronization.

/addref                                            Directs the source to check for a notification
                                                   entry on the source. If the source does not
                                                   have a notification entry for this destination,
                                                   one is added.

/allsources                                        A given destination can have multiple sources
                                                   for the same naming context. Directs the
                                                   destination to sync with all sources instead of
                                                   just one. This parameter cannot be used
                                                   together with <Source_DC_NAME>; use Syntax2.

/readonly                                          This parameter is ignored by the /replicate
                                                   operation.



Example: Replicate the domain partition between two specific
partners
In the example in figure 3.9.2.1, we attempt to replicate the domain partition between two
specific partners. The request fails because the source domain controller is rejecting replication
requests, as configured by the administrator for a valid reason.
Figure 3.9.2.1




In the next example, we run repadmin /showrepl against the source domain controller
(BRANCH-HUB-BH) to read the domain controller options. Figure 3.9.2.2 highlights that outbound
replication is currently disabled (DISABLE_OUTBOUND_REPL).

Figure 3.9.2.2




We could work around this by using the /force switch, as seen in figure 3.9.2.3. However, use
caution when forcing replication. The /force switch is dangerous because it overrides a
precaution that an enterprise administrator put in place for a specific business reason. For
example, in a large forest with hundreds of sites connected across unreliable WAN links, using
/force to push changes across the forest might cause a replication storm (depending on the
changes) that the WAN cannot handle.

Figure 3.9.2.3




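Before reaching for /force, it pays to read the DSA Options line of repadmin /showrepl for both partners and to confirm that the agreement exists. The following Python script is an added example written for this page (it is not Microsoft's or repadmin's code). It parses saved /showrepl output for several domain controllers, extracts each DC's DSA object GUID (the value /replsingleobject takes as <DsaSourceGUID>), decodes the DSA options, records the last-attempt status of every inbound neighbor, and emits a /replicate command only when nothing would block it. The embedded /showrepl text is constructed in the layout repadmin prints; the DC names come from the figures above, while the GUIDs, timestamps and the 8456 result (the source server is currently rejecting replication requests) are placeholders chosen to match the scenario.

```python
import re

# Constructed sample: output of "repadmin /showrepl" for two DCs, saved one after
# the other. GUIDs and timestamps are placeholders; the layout is repadmin's.
SAMPLE_SHOWREPL = """\
HUB\\BRANCH-HUB-BH
DSA Options: IS_GC DISABLE_OUTBOUND_REPL
DSA object GUID: 0b3f1d2c-5a6e-4f70-9c81-1234567890ab
==== INBOUND NEIGHBORS ======================================
DC=research,DC=contoso,DC=com
    BRANCH2\\BRANCH2 via RPC
        DSA object GUID: 6f0c9a11-2b3c-4d5e-8f90-abcdef012345
        Last attempt @ 2008-09-01 10:02:11 was successful.
BRANCH2\\BRANCH2
DSA Options: (none)
DSA object GUID: 6f0c9a11-2b3c-4d5e-8f90-abcdef012345
==== INBOUND NEIGHBORS ======================================
DC=research,DC=contoso,DC=com
    HUB\\BRANCH-HUB-BH via RPC
        DSA object GUID: 0b3f1d2c-5a6e-4f70-9c81-1234567890ab
        Last attempt @ 2008-09-01 10:05:40 failed, result 8456 (0x2108):
            The source server is currently rejecting replication requests.
"""

DC_HEADER = re.compile(r"^([^\\\s]+)\\(\S+)$")   # "SITE\DCNAME" at column 0
FAILED = re.compile(r"failed, result (\d+)")


def parse_showrepl(text):
    """Return one record per DC: name, site, DSA GUID, DSA options, inbound neighbors."""
    dcs, dc, partition, nb = [], None, None, None
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            m = DC_HEADER.match(s)
            if m:
                dc = {"site": m.group(1), "name": m.group(2), "guid": None,
                      "options": [], "neighbors": []}
                dcs.append(dc)
                partition = nb = None
            elif dc and s.startswith("DSA Options:"):
                val = s.split(":", 1)[1].strip()
                dc["options"] = [] if val == "(none)" else val.split()
            elif dc and s.startswith("DSA object GUID:"):
                dc["guid"] = s.split(":", 1)[1].strip()
            elif dc and s[:3] in ("DC=", "CN="):
                partition = s                          # naming context header
        elif dc and indent == 4 and " via " in s:
            source, _, transport = s.partition(" via ")
            nb = {"partition": partition, "source": source.split("\\")[-1],
                  "transport": transport, "guid": None, "ok": None, "error": None}
            dc["neighbors"].append(nb)
        elif nb and indent == 8:
            if s.startswith("DSA object GUID:"):
                nb["guid"] = s.split(":", 1)[1].strip()
            elif s.startswith("Last attempt @"):
                m = FAILED.search(s)
                nb["ok"], nb["error"] = m is None, (int(m.group(1)) if m else None)
    return dcs


def dsa_guid(dcs, name):
    """The GUID to pass as <DsaSourceGUID> to /replsingleobject."""
    return next(d["guid"] for d in dcs if d["name"] == name)


def preflight_replicate(dcs, dest, source, naming_context):
    """Build the /replicate command and list every reason it would fail without /force."""
    by_name = {d["name"]: d for d in dcs}
    src, dst = by_name[source], by_name[dest]
    blockers = []
    if "DISABLE_OUTBOUND_REPL" in src["options"]:
        blockers.append(f"{source} has DISABLE_OUTBOUND_REPL set")
    if "DISABLE_INBOUND_REPL" in dst["options"]:
        blockers.append(f"{dest} has DISABLE_INBOUND_REPL set")
    if not any(n["partition"] == naming_context and n["guid"] == src["guid"]
               for n in dst["neighbors"]):
        blockers.append(f"{dest} has no inbound agreement from {source} for {naming_context}")
    return f"repadmin /replicate {dest} {source} {naming_context}", blockers


def failing_neighbors(dcs):
    """(destination, source, partition, result code) for every link whose last attempt failed."""
    return [(d["name"], n["source"], n["partition"], n["error"])
            for d in dcs for n in d["neighbors"] if n["ok"] is False]


if __name__ == "__main__":
    dcs = parse_showrepl(SAMPLE_SHOWREPL)
    nc = "DC=research,DC=contoso,DC=com"
    cmd, why = preflight_replicate(dcs, "BRANCH2", "BRANCH-HUB-BH", nc)
    print(cmd if not why else "not run: " + "; ".join(why))
    print("source DSA GUID for /replsingleobject:", dsa_guid(dcs, "BRANCH-HUB-BH"))
    for dest, src, part, err in failing_neighbors(dcs):
        print(f"{dest} <- {src} [{part}] last attempt failed, result {err}")
```

Save `repadmin /showrepl <DC>` for each partner into one file and feed it to parse_showrepl. A non-empty blockers list is the signal to go and read why the administrator disabled replication before overriding it with /force.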
Force a replication event with all partners
The repadmin /syncall command synchronizes a specified domain controller with all of its
replication partners.


Syntax
repadmin /syncall <DC> [<NamingContext>] [<Flags>]



Parameter                                         Definition

<DC>                                              Specifies the host name of the domain
                                                  controller to synchronize with all replication
                                                  partners.

<NamingContext>                                   Specifies the distinguished name of the
                                                  directory partition.

<Flags>                                           Performs specific actions during the replication.


The following table lists the flags that you can use with repadmin /syncall.


Flag                                              Description

/a                                                Abort if any server is unavailable.

/A                                                Sync all naming contexts which are held on the
                                                  home server.

/d                                                Identify servers by distinguished name in
                                                  messages.

/e                                                Enterprise: cross site boundaries.

/h                                                Print this help screen.

/i                                                Iterate indefinitely.

/l                                                Perform showreps on each server pair in path
                                                  instead of synchronizing.

/j                                                Synchronize adjacent servers only.

/p                                                Pause for possible user abort after every
                                                  message.

/P                                                Push changes outward from home server.

/q                                                Run in quiet mode, suppress call back
                                                  messages.

/Q                                                Run in very quiet mode, report fatal errors only.

/s                                                Do not synchronize.

/S                                                Skip initial server response check.


    Important
    Use this command and its flags cautiously, or you can damage the replication system: the
    command does not follow replication agreements and does not honor replication restrictions
    such as DISABLE_INBOUND_REPL or DISABLE_OUTBOUND_REPL.


Example 1: Synchronizing Configuration Partition within the site
Figure 3.9.3.1




There are two callback messages for each partner in figure 3.9.3.1. One reports progress and
the other reports success or failure (with an explanation). Also notice that domain controllers are
denoted by the GUID-based DNS names (CNAME records) that replication uses.


Example 2: Crossing site boundaries and other features
By default, repadmin /syncall does not cross site boundaries, as figure 3.9.3.2 shows.
BRANCH-HUB-BH has no partner for the domain dc=research,dc=contoso,dc=com in its own site, so
nothing is synchronized. In this case, use /e.

Figure 3.9.3.2




In figure 3.9.3.3, we use three additional flags. The /d flag translates the GUID-based name to
the distinguished name of the domain controller. The /e flag crosses site boundaries. The /a flag
aborts if any domain controller is unavailable. In this example, the BRANCH2 domain controller
was not reachable, and therefore the process was aborted.




Figure 3.9.3.3




In figure 3.9.3.4, repadmin /syncall did succeed because the problem with the BRANCH2
domain controller was fixed. Also notice that we omitted the /d switch so that the GUID names
are not translated.

Figure 3.9.3.4




Keeping Track of Changes That Have
Occurred Over a Period of Time
There are occasions when we want to know the number of changes that are pending replication,
or that have occurred on a specified directory partition over a period of time. For example:
•  You may want statistics on all the changes that occurred on a domain partition over one day
   or one week, to support or calculate intersite replication bandwidth requirements.
•  You may be troubleshooting replication and want to review changes that have not replicated
   between two partners.
The repadmin /showchanges command has two syntaxes that can be helpful in these situations.


Syntax1
repadmin /showchanges <SourceDC> <NamingContext> [/cookie:<File>]
[/atts:<attribute>,<attribute>,...]



Syntax2
repadmin /showchanges <DestDC> <SourceDCObjectGUID> <NamingContext> [/verbose]
[/statistics] [/noincremental] [/objectsecurity] [/ancestors]
[/atts:<attribute1>,<attribute2>,...] [/filter:<ldap filter>]


Parameter                                     Description

<DestDC>                                      Specifies the host name of the destination
                                              domain controller. Its up-to-dateness vector is
                                              compared with the source to find the changes
                                              that have not yet replicated to it.

<SourceDC>                                    Specifies the host name of the domain
                                              controller that hosts the directory partition
                                              whose changes you want to view.

<NamingContext>                               Specifies the distinguished name of the
                                              directory partition.

/cookie:<File>                                Specifies a name for the file to which list
                                              changes are saved.

/atts:<attribute>,<attribute>,...             Returns only the attributes specified. Separate
                                              each listed attribute with a comma.

<SourceDCObjectGUID>                          Specifies the DSA object GUID of the source
                                              domain controller (the objectGUID of its NTDS
                                              Settings object), as shown as DSA object GUID
                                              by the /showrepl (/showreps) operation.

/verbose                                      Lists detailed information.

/statistics                                   Displays a summary of information about
                                              changes instead of a list of individual changes.

/noincremental                                Returns changes in value change format, which
                                              lists current values for attributes as well as
                                              attribute values that have been added or
                                              deleted. If not specified, changes are returned
                                              in attribute change format, which shows only
                                              the current value of the attribute.

/objectsecurity                               Overrides the need for the Replicating Directory
                                              Changes control access right
                                              (DS-Replication-Get-Changes) on the directory
                                              partition. By default, that right, which is
                                              granted to domain controllers and administrators
                                              and should be held by nothing else, is required
                                              to run this operation. With /objectsecurity, only
                                              changes to objects that the currently logged-on
                                              user has permission to view are displayed.

/ancestors                                          Returns changes in Update Sequence Number
                                                    (USN) order.

/filter:<ldap filter>                               Returns only those changes that meet the filter
                                                    requirements.


Syntax 1 can be used to compare changes that occurred on a specified directory partition over a
period of time.
The idea here is to:
1. Create a cookie file that records where you are in the change history of the partition, so that
   it can be used for later comparisons. The first time you use the cookie option, it may take a
   long time (depending on the size of your partition) to create the file. It is important to note
   that the cookie stores only replication metadata, the highest originating update sequence
   number (USN) seen from each domain controller, and not the changes themselves. That is
   why the file is small and why it remains valid against any domain controller that holds the
   partition.
2. Later, when you present this cookie file to any domain controller that holds the partition, it
   updates the cookie file and shows you only the changes that have occurred since the last time
   the file was updated.


Example: Compare changes occurred to
configuration partition over a period of time
Figure 3.10.1




How to interpret the data
•  Prior to running showchanges, a cookie file was created by using the following syntax:
   repadmin /showchanges . cn=configuration,dc=contoso,dc=com /cookie:config
•  After some time, repadmin /showchanges was run again against another domain controller,
   which not only displayed the changes but also updated the cookie file called config.
•  Three objects have been changed. In our example, all the changes pertain to Intersite Topology
   Generators (ISTGs). Because the forest functional level is Windows 2000, the ISTG keep-alive
   stamp is still updated every 30 minutes.
•  You could further apply filters to target just the partitions and objects of interest.


Display changes not replicated between two
partners
Syntax 2, shown earlier, is used here to display pending replication changes between partners.


Example: Display pending replication changes (config partition)
between two replication partners
In this example (figure 3.10.1.1), we ran repadmin /showchanges to compare the destination's
up-to-dateness vector with the source and determined that two changes to the configuration
partition are outstanding.




Figure 3.10.1.1




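What the cookie holds, and why syntax 2 can compare a destination against a source without re-reading the partition, is easier to see in a small model. The following Python is an added illustration written for this page, not repadmin's or Active Directory's code. It models the cookie as an up-to-dateness vector (each originating domain controller, identified by its invocation ID, mapped to the highest originating USN already seen), implements the delta computation and cookie advance of syntax 1, the narrowing that /atts and /filter perform, a /statistics-style summary, and the destination-versus-source comparison of syntax 2. The invocation IDs, USNs, attribute names and object names are constructed placeholders.

```python
from collections import Counter

# Two originating DCs, identified by invocation ID as replication metadata does.
# These are constructed placeholders, not real identifiers.
HUB, BR1 = "inv-hub-0001", "inv-branch1-0002"
CFG = "CN=Sites,CN=Configuration,DC=contoso,DC=com"


def change(dn, attr, orig_dsa, orig_usn, object_class):
    """One change as its replication metadata records it."""
    return {"dn": dn, "attr": attr, "orig_dsa": orig_dsa,
            "orig_usn": orig_usn, "objectClass": object_class}


# Constructed change history of the configuration partition, as every DC that
# holds the partition sees it once replication has converged.
HISTORY = [
    change(f"CN=NTDS Site Settings,CN=HUB,{CFG}", "interSiteTopologyGenerator", HUB, 101, "nTDSSiteSettings"),
    change(f"CN=HUB-BRANCH1,CN=IP,CN=Inter-Site Transports,{CFG}", "cost", HUB, 102, "siteLink"),
    change(f"CN=NTDS Site Settings,CN=BRANCH1,{CFG}", "interSiteTopologyGenerator", BR1, 57, "nTDSSiteSettings"),
]
# The same history some time later: one more originating write on each DC.
LATER = HISTORY + [
    change(f"CN=NTDS Site Settings,CN=HUB,{CFG}", "interSiteTopologyGenerator", HUB, 103, "nTDSSiteSettings"),
    change(f"CN=HUB-BRANCH1,CN=IP,CN=Inter-Site Transports,{CFG}", "replInterval", BR1, 58, "siteLink"),
]


def showchanges(cookie, history, atts=None, ldap_objectclass=None):
    """Return (changes the caller has not seen, advanced cookie).

    cookie maps originating DC -> highest originating USN already seen; an empty
    dict is the first run, which returns everything (slow on a big partition).
    atts narrows the output like /atts:, ldap_objectclass like /filter:(objectClass=...).
    The cookie advances over everything scanned, filtered or not, so a later run
    with a wider filter will not resurface changes that were skipped now.
    """
    unseen = [c for c in history if c["orig_usn"] > cookie.get(c["orig_dsa"], 0)]
    new_cookie = dict(cookie)
    for c in unseen:
        new_cookie[c["orig_dsa"]] = max(new_cookie.get(c["orig_dsa"], 0), c["orig_usn"])
    shown = [c for c in unseen
             if (atts is None or c["attr"] in atts)
             and (ldap_objectclass is None or c["objectClass"].lower() == ldap_objectclass.lower())]
    return shown, new_cookie


def statistics(changes):
    """Summary in the spirit of /statistics: objects touched, changes, changes per originator."""
    return {"objects": len({c["dn"] for c in changes}), "changes": len(changes),
            "by_originator": dict(Counter(c["orig_dsa"] for c in changes))}


def pending_for_destination(dest_utd_vector, source_history):
    """Syntax 2 in miniature: source changes the destination's UTD vector does not yet cover."""
    return showchanges(dest_utd_vector, source_history)[0]


if __name__ == "__main__":
    # Run 1 creates the cookie (repadmin /showchanges . <NC> /cookie:config).
    first, cookie = showchanges({}, HISTORY)
    print("initial run:", statistics(first), "cookie:", cookie)
    # Run 2, against any DC holding the partition, shows only the deltas and advances the cookie.
    delta, cookie = showchanges(cookie, LATER, ldap_objectclass="siteLink")
    print("delta (siteLink only):", [(c["dn"], c["attr"]) for c in delta], "cookie:", cookie)
    # A destination whose vector lags the hub still lacks the hub's USN 103 change.
    print("pending at destination:", statistics(pending_for_destination({HUB: 102, BR1: 58}, LATER)))
```

The filter caveat in the docstring is the one practitioners trip over: the watermark moves past changes the filter hid, so keep separate cookie files for separate filters if you need each of them to be complete.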
Example: Usage of a filter
In the following example (figure 3.10.1.2), we applied a filter (/filter:"(objectclass=sitelink)") to
show only the changes made to objects of the siteLink class since the last successful replication.

Figure 3.10.1.2




Example: listing only the summary as opposed to individual
changes
In the following example (figure 3.10.1.3), the same changes are listed as a summary, obtained by
using the /statistics switch.

Figure 3.10.1.3




Usage of Repadmin When Troubleshooting
Event ID 1311
This topic is not a guide to troubleshooting Event ID 1311. It shows the various uses of repadmin
while troubleshooting Event ID 1311 in Windows 2000 domains, following Microsoft Knowledge
Base (KB) article 307593, How to Troubleshoot Event ID 1311 Messages on a Windows 2000
Professional Domain (http://go.microsoft.com/fwlink/?LinkId=121799). Some or all of the repadmin
subcommands used here can be used in Windows Server 2003 environments as well.
The RESOLUTION section of the KB article has the following action plan. This topic examines how
to apply the various repadmin subcommands to each step of the plan. All of the repadmin
subcommands listed in this topic have associated examples either in this section or elsewhere in
this document.


Resolution steps from the KB article             Action plan by using repadmin

Determine if the event ID 1311 messages are      To determine the scope of event ID 1311
site-specific or forest-wide.                    messages:
                                                 1. First, find all the Intersite Topology
                                                    Generators (ISTGs) in the forest.
                                                 2. Then, examine the Directory Service logs
                                                    of all the ISTG domain controllers in the
                                                    forest.
                                                 To determine the ISTGs, use repadmin /istg.

Determine if site link bridging is turned on and To determine this, use repadmin /showattr
if the network is fully routed.                  (Determine if site link bridging is turned on).

Verify that all of the sites are defined in site Every site defined in Active Directory must
links.                                           belong to a site link.
                                                 The repadmin /showism command (Verify
                                                 inter-site cost matrix and orphaned sites) is
                                                 useful for locating improperly configured sites.

Detect and remove preferred bridgeheads.         To search for preferred bridgehead servers, use
                                                 repadmin /showattr (Detect preferred
                                                 bridgeheads).

Resolve Active Directory replication failures in When you want to discover and troubleshoot
the forest.                                      replication failures, the following repadmin
                                                 subcommands can be useful:
                                                 •  repadmin /replsummary (Monitor Forest-Wide
                                                    Replication)
                                                 •  repadmin /showrepl (Display Replication
                                                    Partners and Status of a Domain Controller)
                                                 •  repadmin /failcache
                                                 •  repadmin /removelingeringobjects (Windows
                                                    Server 2003 only)
                                                 •  repadmin /kcc

Determine if source servers are overloaded.      A domain controller that is overloaded with a
                                                 large number of direct replication partners, or
                                                 that has an overly aggressive replication
                                                 schedule, can create a backlog in which some
                                                 partners never receive changes from a hub
                                                 domain controller. The following subcommands
                                                 can be useful in this situation:
                                                 •  repadmin /showrepl (Display Replication
                                                    Partners and Status of a Domain Controller)
                                                 •  repadmin /queue
                                                 •  repadmin /showctx (Open sessions with the
                                                    domain controller)

Determine if site links are disjointed.          "Disjoint site links" is an Active Directory
                                                 configuration in which the topology is broken
                                                 into two or more parts, so that some sites do
                                                 not replicate because site definitions and site
                                                 link definitions are incorrect. Disjoint site
                                                 links are the most difficult improper
                                                 configuration to troubleshoot. The following
                                                 subcommands may be useful in this situation:
                                                 •  repadmin /querysites
                                                 •  repadmin /showconn (Can I Look at My
                                                    Connection Objects and Schedule Details?)
                                                 •  repadmin /kcc
                                                 •  repadmin /showrepl (Display Replication
                                                    Partners and Status of a Domain Controller)

Delete connections if the KCC is in "Keep        If the Knowledge Consistency Checker (KCC)
Connection Mode."                                builds a different path around a site-to-site
                                                 connection failure, but keeps retrying the
                                                 failing connection every 15 minutes because it
                                                 is in "keep connection mode," delete all broken
                                                 connections and let the KCC rebuild them. Then
                                                 wait two times the longest replication schedule
                                                 in the forest.




Determine if site link bridging is turned on
Site link bridging is enabled in Active Directory if the following conditions are true:
•  The Bridge all site links check box is selected for the IP protocol and the SMTP protocol in
   the Active Directory Sites and Services snap-in.
•  The options attribute for the IP protocol and the SMTP protocol is NULL, or has the 0x2 bit
   clear (that is, it is 0, or 1 when Ignore Schedules is also selected; see the table that follows),
   for the following distinguished name (DN) paths:
   CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=<root domain of forest>
   CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=<root domain of forest>




Figure 3.11.1




There are two values that we can set from the graphical user interface (GUI): Ignore
Schedules and Bridge all site links. In our example (figure 3.11.1), the IP transport has Bridge
all site links enabled and the SMTP transport has both values selected.
The following table lists the values that the options attribute can take. Bit 0x1 means Ignore
Schedules is selected; bit 0x2 means Bridge all site links is cleared.


Option value                                        Description

0x0                                                 Only Bridge all site links is selected

0x1                                                 Both values are selected

0x2                                                 Neither value is selected

0x3                                                 Only Ignore Schedules is selected




Detect preferred bridgeheads
Preferred bridgeheads are configured when the following condition is true:
The bridgeheadTransportList attribute on a server object is set to one or both of the following
values:
•  CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=<root domain of forest>
•  CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=<root domain of forest>
By using repadmin /showattr, we set the search base at the configuration partition, apply a filter
for the server objectClass, and look for all of the domain controllers that have this attribute set to
use either the IP or the SMTP transport.
If the search returns any results, note the name of the server in the distinguished name path in
which the bridgeheadTransportList attribute is populated.




Figure 3.11.2




In the example in figure 3.11.2, ROOTDC01 is selected as a preferred Bridgehead for IP
transport in site HUB.
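
The two /showattr checks above (the options bits on the transport objects, and bridgeheadTransportList on server objects) can be read from saved output instead of by eye. The following Python is an added example written for this page, not Microsoft's code: it parses /showattr output into DN-to-attribute maps, decodes the transport options into the two Sites and Services check boxes exactly as the table above defines them (bit 0x1 Ignore Schedules, bit 0x2 Bridge all site links cleared), treats a missing attribute as NULL, and lists every server that is a preferred bridgehead. The embedded output is constructed in the "DN:" / "<n>> attribute: value" layout that repadmin /showattr prints; ROOTDC01 in site HUB is the server from figure 3.11.2, and BRANCH2 is added as a hypothetical second bridgehead for both transports.

```python
import re

# Bits of the options attribute on CN=IP / CN=SMTP,CN=Inter-Site Transports,...
IGNORE_SCHEDULES = 0x1    # "Ignore schedules" is checked
BRIDGES_REQUIRED = 0x2    # "Bridge all site links" is cleared

TRANSPORT_DN = re.compile(r"^CN=(IP|SMTP),CN=Inter-Site Transports,", re.I)
SERVER_DN = re.compile(r"^CN=([^,]+),CN=Servers,CN=([^,]+),CN=Sites,", re.I)
ATTR_LINE = re.compile(r"^\s+\d+>\s*([^:]+):\s*(.*)$")   # "    1> options: 0"

# Constructed repadmin /showattr output: the two transport objects, then server
# objects as returned with /filter:"(objectClass=server)" /atts:bridgeheadTransportList.
# Server names and sites are placeholders; the layout is repadmin's.
SAMPLE_SHOWATTR = """\
DN: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com
    1> options: 0
DN: CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com
    1> options: 1
DN: CN=ROOTDC01,CN=Servers,CN=HUB,CN=Sites,CN=Configuration,DC=contoso,DC=com
    1> bridgeheadTransportList: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com
DN: CN=BRANCH1,CN=Servers,CN=BRANCH1,CN=Sites,CN=Configuration,DC=contoso,DC=com
DN: CN=BRANCH2,CN=Servers,CN=BRANCH2,CN=Sites,CN=Configuration,DC=contoso,DC=com
    2> bridgeheadTransportList: CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com; CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com
"""


def parse_showattr(text):
    """Map each DN to {attribute: [values]}; multi-valued attributes are '; '-separated."""
    objects, dn = {}, None
    for line in text.splitlines():
        if line.startswith("DN: "):
            dn = line[4:].strip()
            objects[dn] = {}
            continue
        m = ATTR_LINE.match(line)
        if dn and m:
            objects[dn][m.group(1)] = [v.strip() for v in m.group(2).split(";") if v.strip()]
    return objects


def decode_transport_options(value):
    """Translate the options integer into the two check boxes (the table above)."""
    return {"bridge_all_site_links": not value & BRIDGES_REQUIRED,
            "ignore_schedules": bool(value & IGNORE_SCHEDULES)}


def transport_settings(objects):
    """Check-box state per transport; a missing (NULL) options attribute counts as 0."""
    out = {}
    for dn, attrs in objects.items():
        m = TRANSPORT_DN.match(dn)
        if m:
            out[m.group(1).upper()] = decode_transport_options(int(attrs.get("options", ["0"])[0]))
    return out


def preferred_bridgeheads(objects):
    """(server, site, [transports]) for every server whose bridgeheadTransportList is set."""
    found = []
    for dn, attrs in objects.items():
        m = SERVER_DN.match(dn)
        if m and attrs.get("bridgeheadTransportList"):
            transports = [t.split(",")[0][3:].upper() for t in attrs["bridgeheadTransportList"]]
            found.append((m.group(1), m.group(2), transports))
    return found


if __name__ == "__main__":
    objects = parse_showattr(SAMPLE_SHOWATTR)
    for transport, state in transport_settings(objects).items():
        print(transport, state, "" if state["bridge_all_site_links"] else "<- bridging is OFF")
    for server, site, transports in preferred_bridgeheads(objects):
        print(f"preferred bridgehead: {server} in site {site} for {', '.join(transports)}")
```

Any server returned by preferred_bridgeheads is a candidate for the "Detect and remove preferred bridgeheads" step of the action plan; a transport reported with bridge_all_site_links False needs the site-link bridges, or a fully routed network, checked next.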


Verify inter-site cost matrix and orphaned sites
Repadmin /showism displays the intersite routes calculated by the Intersite Messaging (ISM)
service and is very useful for locating improperly configured sites.
As the KCC works through its analysis of intersite site links and connections, it queries the ISM
service for data about the network configuration so that it can make intelligent routing decisions.
To display the cost and frequency configuration of replication between sites, use the following
command:


Syntax
repadmin /showism [<TransportDN>] [/verbose]


Parameter                                         Description

<TransportDN>                                     Specifies the distinguished name of the
                                                  inter-site transport object to report on:
                                                  CN=IP,CN=Inter-Site Transports,CN=Sites,
                                                  CN=Configuration,DC=<root domain of forest>
                                                  or the corresponding CN=SMTP object. If
                                                  omitted, both transports are listed.

/verbose                                          Lists detailed information.


    Note
    The repadmin.exe /showism cannot be executed against a remote domain controller.




Example: Display inter-site cost matrix
figure 3.11.3




How to interpret the data
•  Showism was run against the IP transport, so the output is specific to IP.
•  If a transport is not specified, the output contains both IP and SMTP details.
•  The numbers in an entry appear in the following order:
      Cost:Replication interval:Options
•  There are four key pieces of information:
   •  Text regarding the status of bridgehead servers.
   •  Total cost between two sites. The cost value indicates the preference for a network link
      for replicating directory information between sites (lower is preferred).
   •  Frequency of replication in minutes between the two sites.
   •  Options for each replication link.
•  In the example in figure 3.11.3, we have five sites and Bridge all site links is enabled, which
   means that site link transitivity is enabled. Therefore, if we see any "-1:0:0" entries for one or
   more covered Active Directory sites, we must ensure that the affected sites are listed in a site
   link. In this example, site Branch4 is not included in any site link and is therefore disconnected
   from the rest of the sites. Event 1311 will certainly occur here because of this configuration
   problem.


Fields of interest               Definition

"0:0:0"                          Each site matrix contains one "0:0:0" entry that refers to itself.

"200:30:1"                       An entry that contains positive numbers for the cost value and
                                 replication interval value (for example, "200:30:1" or "100:15:1")
                                 indicates that the site connection is good. Specifically, in our
                                 example for site BRANCH1:

                              Site(0)
                              CN=BRANCH1,CN=Sites,CN=Configuration,DC=contoso,DC=com
                              0:0:0, 200:30:1, 200:30:1, -1:0:0, 100:15:1

                                 200 is the cost to replicate from site(1), which is BRANCH2. It is
                                   an aggregate cost across two hops (100 + 100) because no
                                   direct replication link exists between the two sites.
                                 30 is the replication interval that is common to the two
                                   branches.
                                 1 is the option on the site link that denotes "change
                                   notifications are enabled across the site link".
                              And so on for the rest of the sites.

"-1:0:0"                      A "-1:0:0" entry indicates that the site connection is not working.
                              This occurs if one or more of the following conditions are true:
                                 The site is not included in a site link.
                                 The site does not host any domain controllers (this is known as
                                   an "uncovered" site).
                                 The replication protocol is not used. For example, if SMTP
                                   replication is not configured, the entries in the SMTP portion
                                   of the /SHOWISM matrix all appear as "-1:0:0".
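As an added example (not part of the Microsoft document), the following PowerShell decodes one row of the /showism matrix into objects using the cost:interval:options notation explained in the table above, and lists the sites that the row's site cannot reach, that is, the "-1:0:0" entries that lead to Event 1311. The site list, its order, and the matrix row are constructed sample data modelled on the BRANCH1 row shown in the text, and the function name ConvertFrom-IsmMatrixRow is this example's own.

```powershell
# Added example, not part of the Microsoft document. Decodes one row of the matrix that
# repadmin /showism prints, using the cost:interval:options notation explained above.
# The site names (whose order must match the Site(n) order of the matrix) and the row
# itself are constructed sample data modelled on the BRANCH1 row in the text.

$SiteNames = @('BRANCH1', 'BRANCH2', 'BRANCH3', 'BRANCH4', 'HUB')   # assumption: Site(0)..Site(4)
$MatrixRow = '0:0:0, 200:30:1, 200:30:1, -1:0:0, 100:15:1'           # Site(0) = BRANCH1

function ConvertFrom-IsmMatrixRow {
    param(
        [Parameter(Mandatory)][string[]]$Sites,     # site names in Site(0), Site(1), ... order
        [Parameter(Mandatory)][int]$FromIndex,      # index of the site the row belongs to
        [Parameter(Mandatory)][string]$Row          # comma-separated cost:interval:options entries
    )
    $entries = $Row -split ','
    if ($entries.Count -ne $Sites.Count) {
        throw "Row has $($entries.Count) entries but $($Sites.Count) site names were supplied"
    }
    for ($i = 0; $i -lt $entries.Count; $i++) {
        $parts = $entries[$i].Trim() -split ':'
        if ($parts.Count -ne 3) { throw "Unexpected ISM entry '$($entries[$i])'" }
        $cost     = [int]$parts[0]
        $interval = [int]$parts[1]   # replication interval in minutes
        $options  = [int]$parts[2]   # site link options; bit 1 = change notification, per the text

        $state = 'Reachable'
        if ($i -eq $FromIndex) { $state = 'Self' } elseif ($cost -lt 0) { $state = 'Unreachable' }

        [pscustomobject]@{
            FromSite     = $Sites[$FromIndex]
            ToSite       = $Sites[$i]
            Cost         = $cost
            IntervalMin  = $interval
            ChangeNotify = [bool]($options -band 1)
            Options      = $options
            State        = $state
        }
    }
}

$decoded = ConvertFrom-IsmMatrixRow -Sites $SiteNames -FromIndex 0 -Row $MatrixRow
$decoded | Format-Table -AutoSize

# Any site in the Unreachable state is one the KCC will report with Event 1311.
$unreachable = @($decoded | Where-Object { $_.State -eq 'Unreachable' })
if ($unreachable.Count -gt 0) {
    Write-Warning ('{0} has no route to: {1}' -f $SiteNames[0], ($unreachable.ToSite -join ', '))
}
```

The site-name list is the only input that has to come from outside the matrix: /showism identifies sites by index, so the order of Site(n) headings in the real output must be transcribed in that order for the ToSite column to be meaningful. Only the option bit the document describes (change notification) is decoded; the raw Options value is kept so other bits are not lost.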


    Notes


Repadmin /failcache
Repadmin /failcache displays a list of replication failures that the KCC is aware of. Run this
command from the console of each ISTG domain controller in the forest to discover replication
failures for bridgeheads in the site of that ISTG.


Syntax
repadmin /failcache <DC_LIST>


Parameter                                          Description

<DC_LIST>                                          Specifies the host name of a domain controller,
                                                   or a list of domain controllers separated by a
                                                   space. For details about <DC_LIST>, see
                                                   repadmin /listhelp.




Example: Display replication failures that KCC is aware of
The example in figure 3.11.4.1 shows sample output from the repadmin /failcache command.

Figure 3.11.4.1




The output from the repadmin /failcache command is divided into two sections explained in the
following table.


KCC Link Failures                                 Lists errors for existing connection links. The
                                                  ISTG domain controller imports showreps
                                                  ("repsfroms") data for every bridgehead server
                                                  in its site. However, the ISTG domain controller
                                                  does not list errors. The link failure cache is
                                                  emptied at the beginning of every KCC run and
                                                  refilled during the course of the current run.

KCC Connection Failures                           Lists unsuccessful attempts to build connection
                                                  objects between domain controllers ("reps
                                                  from" or "reps to"). When you run the repadmin
                                                  /failcache command from the ISTG domain
                                                  controller, it lists entries that are imported from
                                                  bridgeheads in the site. At the beginning of
                                                  each KCC run, the KCC examines each entry
                                                  in the connection failure cache and tries to
                                                  DsBind to the failing server. If the bind
                                                  succeeds, the entry is removed.


In the example in figure 3.11.4.1, the failures are a result of topology changes in the past. They
continue to be listed because of the value of the replTopologyStayOfExecution attribute,
which determines how long domain controller metadata is retained in Active Directory after a
domain controller has been removed.


Example: Output when there are no failures
When there are no failures, the output should appear as it does in figure 3.11.4.2.

Figure 3.11.4.2




    Notes
       The repadmin /failcache command differs from the repadmin /showrepl command in
         two ways:


Repadmin /KCC
Repadmin /KCC forces the KCC to recalculate replication topology for a specified domain
controller. By default, this recalculation occurs every 15 minutes.


Syntax
repadmin /kcc <DC_LIST> [/async]


Parameter                                         Description

<DC_LIST>                                         Specifies the host name of a domain controller,
                                                  or a list of domain controllers separated by a
                                                  space. For details about <DC_LIST>, see
                                                  repadmin /listhelp.

/async                                            Specifies that replication will be asynchronous.
                                                  This means that repadmin starts the replication
                                                  event, but it does not expect an immediate
                                                  response from the destination domain
                                                  controller. Use this parameter to start the KCC
                                                  and not wait for it to finish.




Example 1: Running the KCC on the local domain controller
Figure 3.11.5.1




Example 2: Running the KCC against the ISTG of the HUB site
Figure 3.11.5.2




Example 3: Running the KCC against all the global catalog
servers in the forest
Figure 3.11.5.3




Example 4: Running the KCC against all the domain controllers
in the BRANCH2 site
Figure 3.11.5.4




Repadmin /ISTG
Repadmin /ISTG returns the server name of the ISTG server for a specified site.


Syntax
repadmin /istg <DC_LIST> [/verbose]


Parameter                                         Description

<DC_LIST>                                         Specifies the host name of a domain controller,
                                                  or a list of domain controllers separated by a
                                                  space. For details about <DC_LIST>, see
                                                  repadmin /listhelp.

/verbose                                          Lists detailed information.



Example: Display ISTGs in my environment
Figure 3.11.6




In the example in figure 3.11.6, the ISTGs are listed from the perspective of the local domain
controller from which the command was run. It is important to note that this information may be
different from the perspective of each domain controller, depending on the forest-wide
Active Directory convergence time and replication status.


Repadmin /querysites
Repadmin /querysites uses routing information to determine the cost of a route from a specified
site to one or more other specified sites.


Syntax
repadmin /querysites <FromSiteRDN> <ToSite1RDN> [<ToSite2RDN> ...]


Parameter                                          Description

<FromSiteRDN>                                      Specifies the relative distinguished name of the
                                                   site from which the cost is calculated.

<ToSite1RDN>                                       Specifies the relative distinguished name of the
                                                   site to which the cost is calculated. More than
                                                   one destination site can be given.



Example 1: Display cost between BRANCH1 and HUB
Figure 3.11.7.1




Example 2: Display cost between BRANCH1 and BRANCH2
Due to site link transitivity, the cost from BRANCH1 to BRANCH2 is aggregated by adding the
cost from BRANCH1 to HUB (100) with the cost from HUB to BRANCH2 (100).

Figure 3.11.7.2




Example 3: Display cost between BRANCH1 and Branch2
Note that the relative distinguished name of the site is case sensitive, hence the error.

Figure 3.11.7.3
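As an added example (not from the Microsoft document), the PowerShell below reproduces the cost aggregation that repadmin /querysites reports in Examples 1 to 3: it runs Dijkstra's shortest-path algorithm over a constructed set of site links, treats every link as transitive (site link bridging on, the default), and compares site RDNs case-sensitively so that Branch2 is rejected the way Example 3 shows. The site names, link costs and the function name Get-SiteRouteCost are this example's own; the costs were chosen to match the 100 + 100 = 200 figure in the text, and BRANCH4 is deliberately left out of every site link to show how a "no route" result (the -1 of the /showism matrix) arises.

```powershell
# Added example, not part of the Microsoft document. Reproduces the cost aggregation that
# repadmin /querysites reports by running Dijkstra's algorithm over site links.
# Site names, link costs and the function name are constructed for this example; the
# costs match the text (BRANCH1-HUB 100, HUB-BRANCH2 100, so BRANCH1 to BRANCH2 = 200).
# Assumes site link bridging (transitivity) is enabled, which is the default.

$AllSites  = @('HUB', 'BRANCH1', 'BRANCH2', 'BRANCH3', 'BRANCH4')
$SiteLinks = @(
    @{ Name = 'HUB-BRANCH1'; Sites = @('HUB', 'BRANCH1'); Cost = 100 }
    @{ Name = 'HUB-BRANCH2'; Sites = @('HUB', 'BRANCH2'); Cost = 100 }
    @{ Name = 'HUB-BRANCH3'; Sites = @('HUB', 'BRANCH3'); Cost = 100 }
)   # BRANCH4 is in no site link: the condition that yields -1:0:0 in /showism and Event 1311

function Get-SiteRouteCost {
    param(
        [Parameter(Mandatory)][string]$FromSiteRDN,
        [Parameter(Mandatory)][string[]]$ToSiteRDN,
        [Parameter(Mandatory)][hashtable[]]$Links,
        [Parameter(Mandatory)][string[]]$Sites
    )
    # repadmin treats site RDNs as case sensitive (Example 3), so every lookup here is case
    # sensitive too: -ccontains / -ceq instead of -contains / -eq, and ordinal collections.
    foreach ($rdn in (@($FromSiteRDN) + $ToSiteRDN)) {
        if (-not ($Sites -ccontains $rdn)) { throw "Site '$rdn' not found (site RDNs are case sensitive)" }
    }
    foreach ($link in $Links) {
        foreach ($s in $link.Sites) {
            if (-not ($Sites -ccontains $s)) { throw "Site link $($link.Name) names unknown site '$s'" }
        }
    }

    $inf  = [int]::MaxValue
    $dist = [hashtable]::new([System.StringComparer]::Ordinal)
    foreach ($s in $Sites) { $dist[$s] = $inf }
    $dist[$FromSiteRDN] = 0
    $unvisited = [System.Collections.Generic.HashSet[string]]::new([string[]]$Sites, [System.StringComparer]::Ordinal)

    while ($unvisited.Count -gt 0) {
        # Take the unvisited site with the lowest tentative cost.
        $current = $null
        $best    = $inf
        foreach ($s in $unvisited) {
            if ($dist[$s] -lt $best) { $best = $dist[$s]; $current = $s }
        }
        if ($null -eq $current) { break }        # everything left has no route at all
        [void]$unvisited.Remove($current)

        # Every site link containing the current site reaches its other members at link cost.
        foreach ($link in $Links) {
            if (-not ($link.Sites -ccontains $current)) { continue }
            foreach ($n in $link.Sites) {
                if ($n -ceq $current) { continue }
                $alt = $dist[$current] + $link.Cost
                if ($alt -lt $dist[$n]) { $dist[$n] = $alt }
            }
        }
    }

    foreach ($t in $ToSiteRDN) {
        $cost = if ($dist[$t] -eq $inf) { -1 } else { $dist[$t] }   # -1 = no route, as /showism prints it
        [pscustomobject]@{ FromSite = $FromSiteRDN; ToSite = $t; Cost = $cost }
    }
}

Get-SiteRouteCost -FromSiteRDN 'BRANCH1' -ToSiteRDN 'HUB', 'BRANCH2', 'BRANCH4' -Links $SiteLinks -Sites $AllSites |
    Format-Table -AutoSize

# Example 3 above: 'Branch2' is not an exact match for 'BRANCH2', so the call fails as repadmin does.
try {
    Get-SiteRouteCost -FromSiteRDN 'BRANCH1' -ToSiteRDN 'Branch2' -Links $SiteLinks -Sites $AllSites
}
catch { Write-Warning $_.Exception.Message }
```

With these links the BRANCH1 row comes out as HUB at 100 (direct), BRANCH2 at 200 (through HUB) and BRANCH4 at -1, which is the same picture the /showism row in the earlier table gives. If site link bridging is disabled in a real forest, only sites that share a site link (or an explicit site link bridge) are reachable, and this transitive calculation no longer applies.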




    Notes


Repadmin /queue
Repadmin /queue displays tasks that are waiting in the replication queue.


Syntax
repadmin /queue <DC_LIST>


Parameter                                        Description

<DC_LIST>                                        Specifies the host name of a domain controller,
                                                 or a list of domain controllers separated by a
                                                 space. For details about <DC_LIST>, see
                                                 repadmin /listhelp.



Example: Display the queue length against the local domain
controller
Under normal circumstances this list should always be empty. When troubleshooting a domain
controller overload that is suspected to be caused by replication requests, run the command
outside of the replication window.

Figure 3.11.8.1




Example: Queue contains one item
Figure 3.11.8.2




Repadmin /bridgeheads
Repadmin /bridgeheads lists the bridgehead servers for a specified site.


Syntax
repadmin /bridgeheads [<DC_LIST>] [/verbose]


Parameter                                          Description

<DC_LIST>                                          Specifies the host name of a domain controller,
                                                   or a list of domain controllers separated by a
                                                   space. For details about <DC_LIST>, see
                                                   repadmin /listhelp.

/verbose                                           Lists detailed information.


For clarity:
   The following examples show bridgeheads only for the HUB site.
   The following examples show the normal and verbose modes to help compare them.
   The "The RPC service is unavailable" status is abbreviated as RPC.
   The "The operation completed successfully" status is abbreviated as Success.


Example 1: Repadmin /bridgeheads rootdns
Bridgeheads for site HUB (rootdns.contoso.com):

Source Site      Local Bridge    Trns          Fail. Time      #    Status
===========      ============    ====      ==============     ===   ======
BRANCH2         BRANCH-HUB-BH     IP 2005-02-14 14:18:52       3    RPC.
Configuration research
BRANCH1         BRANCH-HUB-BH     IP              (never)      0    Success.
Configuration ForestDnsZones DomainDnsZones research
BRANCH3         BRANCH-HUB-BH     IP              (never)      0    Success.
Configuration DomainDnsZones ForestDnsZones research


Example 2: Repadmin /bridgeheads rootdns /verbose
Bridgeheads for site HUB (rootdns.contoso.com):

Source Site      Local Bridge    Trns          Fail. Time     #     Status
===========      ============    ====      ==============     ===   ======
BRANCH2          BRANCH-HUB-BH    IP    2005-02-14 14:18:52    3    RPC.

Naming Context       Attempt Time          Success Time    #Fail       Last Result
==============       ============          ============    =====       ===========
Configuration    2005-02-14 14:51:41     2005-02-14 14:18:51       3    RPC.
research         2005-02-14 14:53:15     2005-02-14 14:18:52       2    RPC.

Source Site      Local Bridge    Trns         Fail. Time       #       Status
===========      ============    ====     ==============    ===        ======
BRANCH1          BRANCH-HUB-BH      IP           (never)       0       Success

Naming Context       Attempt Time          Success Time    #Fail       Last Result
==============       ============          ============    =====       ===========
Configuration    2005-02-14 14:51:41     2005-02-14 14:51:41       0    Success.
ForestDnsZones 2005-02-14 14:52:37       2005-02-14 14:52:37       0    Success.
DomainDnsZones 2005-02-14 14:53:15       2005-02-14 14:53:15       0    Success.
research         2005-02-14 14:52:37     2005-02-14 14:52:37       0    Success.

Source Site      Local Bridge    Trns         Fail. Time       #       Status
===========      ============    ====     ==============    ===        ======
BRANCH3          BRANCH-HUB-BH      IP           (never)       0        Success.

Naming Context       Attempt Time          Success Time    #Fail       Last Result
==============       ============          ============    =====       ===========
Configuration    2005-02-14 14:51:42     2005-02-14 14:51:42       0    Success.
DomainDnsZones 2005-02-14 14:53:15       2005-02-14 14:53:15       0    Success.
ForestDnsZones 2005-02-14 14:52:37       2005-02-14 14:52:37       0    Success.
research         2005-02-14 14:53:15     2005-02-14 14:53:15       0    Success.



How to interpret the data
Repadmin /bridgeheads is run remotely against a domain controller in the HUB site, and the
output is the topology from the perspective of ROOTDNS. In these examples, we see that the local
bridgehead server BRANCH-HUB-BH is having replication problems with the remote bridgehead
server in the BRANCH2 site.


Fields of interest                                Explanation

Source Site                                       Source site from which the local bridgehead
                                                  (inbound) is pulling data. Remember that
                                                  replication is always inbound.

Local Bridge                                      Local bridgehead server for the site for which
                                                  the tool is displaying results. In the example in
                                                  figure 3.11.9.2, BRANCH-HUB-BH is the
                                                  bridgehead server of the HUB site.

Trns                                              Transport. In the example in figure 3.11.9.2, the
                                                  transport is IP.

Fail time                                         This is the last successful replication time.

#                                                 Number of failures since the last successful
                                                  replication time.

Status                                            Replication status.

Naming Context                                    Directory partition. Remember that bridgeheads
                                                  are partition specific.

Attempt time                                      Last replication attempt time with the remote
                                                  bridgehead.

Success time                                      Last successful replication time with the remote
                                                  bridgehead.

#Fail                                             Number of attempts since the failure, per
                                                  partition.

Last result                                       Latest replication status.


    Note
    Replication is performed for each partition. But sometimes we do not see the Schema
    partition listed as a naming context (partition) in the previous example, and hence there
    are no bridgeheads listed for it. This is not a limitation of the tool; it has to do with how
    information is stored in the connection object that is queried to determine the bridgehead.
    If you see the Configuration partition in the output, it is implied that Schema is also
    included, because the KCC calculates the Configuration and Schema partitions to have the
    same replication topology.
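As an added example (not from the Microsoft document), the PowerShell below turns the verbose /bridgeheads text into objects and applies the reading given in the "How to interpret the data" table: a source-site row with a non-zero failure count or a status other than Success, or a partition row whose last result is not Success, marks a bridgehead pair that needs attention. The sample text is the BRANCH2 and BRANCH1 blocks of Example 2 above; the regular expressions, the object layout and the function names ConvertFrom-BridgeheadOutput and Get-FailingBridgehead are this example's own assumptions about the column layout, not a documented repadmin interface.

```powershell
# Added example, not part of the Microsoft document. Parses repadmin /bridgeheads /verbose
# text into objects and flags bridgehead pairs that are failing. The sample text is the
# BRANCH2 and BRANCH1 blocks of Example 2 above; the regular expressions and object layout
# are this example's own assumptions about the column layout, not a documented interface.

$SampleOutput = @'
Bridgeheads for site HUB (rootdns.contoso.com):
Source Site      Local Bridge    Trns          Fail. Time     #     Status
===========      ============    ====      ==============     ===   ======
BRANCH2          BRANCH-HUB-BH    IP    2005-02-14 14:18:52    3    RPC.
Naming Context       Attempt Time          Success Time    #Fail       Last Result
==============       ============          ============    =====       ===========
Configuration    2005-02-14 14:51:41     2005-02-14 14:18:51       3    RPC.
research         2005-02-14 14:53:15     2005-02-14 14:18:52       2    RPC.
Source Site      Local Bridge    Trns         Fail. Time       #       Status
===========      ============    ====     ==============    ===        ======
BRANCH1          BRANCH-HUB-BH      IP           (never)       0       Success
Naming Context       Attempt Time          Success Time    #Fail       Last Result
==============       ============          ============    =====       ===========
Configuration    2005-02-14 14:51:41     2005-02-14 14:51:41       0    Success.
ForestDnsZones 2005-02-14 14:52:37       2005-02-14 14:52:37       0    Success.
DomainDnsZones 2005-02-14 14:53:15       2005-02-14 14:53:15       0    Success.
research         2005-02-14 14:52:37     2005-02-14 14:52:37       0    Success.
'@

$TimeFormat  = 'yyyy-MM-dd HH:mm:ss'
$Culture     = [System.Globalization.CultureInfo]::InvariantCulture
$DatePattern = '\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}'
# Per-partition row: <naming context> <attempt time> <success time> <#fail> <last result>
$NcRowPattern     = '^(\S+)\s+({0})\s+({0})\s+(\d+)\s+(.+?)\.?\s*$' -f $DatePattern
# Summary row: <source site> <local bridgehead> <transport> <fail time or (never)> <#> <status>
$BridgeRowPattern = '^(\S+)\s+(\S+)\s+(\S+)\s+(\(never\)|{0})\s+(\d+)\s+(.+?)\.?\s*$' -f $DatePattern

function ConvertFrom-BridgeheadOutput {
    param([Parameter(Mandatory)][string]$Text)
    $current = $null
    foreach ($line in ($Text -split "`r?`n")) {
        # Test the partition pattern first: a partition row's two time stamps would also
        # satisfy the summary pattern (three tokens followed by a time stamp).
        if ($line -match $NcRowPattern) {
            if ($null -eq $current) { continue }   # detail row with no preceding summary row
            $current.NamingContexts.Add([pscustomobject]@{
                NamingContext = $Matches[1]
                AttemptTime   = [datetime]::ParseExact($Matches[2], $TimeFormat, $Culture)
                SuccessTime   = [datetime]::ParseExact($Matches[3], $TimeFormat, $Culture)
                Failures      = [int]$Matches[4]
                LastResult    = $Matches[5]
            })
        }
        elseif ($line -match $BridgeRowPattern) {
            if ($null -ne $current) { $current }    # emit the previous pair with its partitions
            $failTime = $null
            if ($Matches[4] -ne '(never)') { $failTime = [datetime]::ParseExact($Matches[4], $TimeFormat, $Culture) }
            $current = [pscustomobject]@{
                SourceSite     = $Matches[1]
                LocalBridge    = $Matches[2]
                Transport      = $Matches[3]
                FailTime       = $failTime
                Failures       = [int]$Matches[5]
                Status         = $Matches[6]
                NamingContexts = [System.Collections.Generic.List[object]]::new()
            }
        }
        # Header, separator and blank lines match neither pattern and are skipped.
    }
    if ($null -ne $current) { $current }
}

function Get-FailingBridgehead {
    param([Parameter(Mandatory)][object[]]$Bridgeheads)
    foreach ($bh in $Bridgeheads) {
        # A pair needs attention when the summary row shows failures or a non-Success status,
        # or when any partition has failures or a last result other than Success.
        $badNcs = @($bh.NamingContexts | Where-Object { $_.Failures -gt 0 -or $_.LastResult -ne 'Success' })
        if ($bh.Failures -gt 0 -or $bh.Status -ne 'Success' -or $badNcs.Count -gt 0) {
            [pscustomobject]@{
                SourceSite        = $bh.SourceSite
                LocalBridge       = $bh.LocalBridge
                Status            = $bh.Status
                Failures          = $bh.Failures
                FailingNCs        = ($badNcs.NamingContext -join ', ')
                OldestLastSuccess = ($badNcs.SuccessTime | Sort-Object | Select-Object -First 1)
            }
        }
    }
}

$bridgeheads = @(ConvertFrom-BridgeheadOutput -Text $SampleOutput)
$bridgeheads | Format-Table SourceSite, LocalBridge, Transport, FailTime, Failures, Status -AutoSize
Get-FailingBridgehead -Bridgeheads $bridgeheads | Format-List
```

Run against the sample, the only pair returned is BRANCH2 to BRANCH-HUB-BH, with Configuration and research as the failing partitions and the last success times in the 14:18 range, which is the problem the "How to interpret the data" paragraph describes; BRANCH1 is clean. To use it on a live forest, replace $SampleOutput with the captured text of the command shown in Example 2 (repadmin /bridgeheads rootdns /verbose | Out-String), and bear in mind that the status column carries the abbreviations listed under "For clarity", so a status check should compare against the text your version of repadmin actually prints.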


Repadmin /showmsg
Repadmin /showmsg displays the error message for a given error number.


Syntax
repadmin /showmsg {<Win32Error> | <DSEventID> /NTDSMSG}


Parameter                                         Description

<Win32Error>                                      Returns a short description of the given Win32
                                                  error code.

<DSEventID> /NTDSMSG                              Returns the actual event log text for the
                                                  specified event ID.



Example: Display the error message for Win32 error 1722 and
DS event ID 1404
Figure 3.11.10




Repadmin /viewlist
By default, this subcommand displays a list of domain controllers. It can also be used to form a
Lightweight Directory Access Protocol (LDAP) query to list objects in the directory.


Syntax
repadmin /viewlist <DC_LIST> <OBJ_LIST>


Parameter                                          Description

<DC_LIST>                                          Specifies the host name of a domain controller,
                                                   or a list of domain controllers separated by a
                                                   space. For details about <DC_LIST>, see
                                                   repadmin /listhelp.

<OBJ_LIST>                                         This parameter takes a distinguished name
                                                   (DN) or a special keyword that expands into a
                                                   DN. The keywords are:
                                                      Ncobj:config: This keyword is the
                                                        Configuration directory partition for the
                                                        forest.
                                                      Ncobj:schema: This keyword is the
                                                        Schema directory partition for the forest.
                                                      Ncobj:domain: This keyword is the
                                                        domain partition DN of the home server.
                                                      Dsaobj: This keyword is the NTDS settings
                                                        object of the home server.

Example 1: Display all the DCs in the forest
Figure 3.11.11.1




Example 2: Display all the Group Policy objects in the domain
directory partition for the domain of the domain controller that
repadmin is running against
Figure 3.11.11.2




Note the usage of OBJ_LIST and OBJ_LIST OPTIONS. For details, see repadmin /listhelp.


Open sessions with the domain controller
The repadmin /showctx command displays a list of computers that have opened sessions with a
specified domain controller.


Syntax
repadmin /showctx <DC_LIST> [/nocache]


Parameter                                     Description

<DC_LIST>                                     Specifies the host name of a domain controller,
                                              or a list of domain controllers separated by a
                                              space. For details about <DC_LIST>, see
                                              repadmin /listhelp.

/nocache                                      Specifies that globally unique identifiers
                                              (GUIDs) are left in hexadecimal form. By
                                              default, GUIDs are translated into strings.


Example: Show open sessions with a DSA
Figure 3.11.12




Subcommands Not Covered Under the
Previous Scenarios
This topic covers additional subcommands that you can use with repadmin.


Display replication features
The repadmin /bind command connects to a domain controller and displays the replication
features for a directory partition on that domain controller.


Syntax
repadmin /bind <DC_LIST>


Parameter                                       Description

<DC_LIST>                                       Specifies the host name of a domain controller,
                                                or a list of domain controllers separated by a
                                                space. For details about <DC_LIST>, see
                                                repadmin /listhelp.



Example: Display replication features on the local domain
controller, which is running Windows Server 2003
Note that the LINKED_VALUE_REPLICATION is set to NO because the forest functional level is
set to Windows 2000 instead of Windows Server 2003.




Figure 3.12.1




Server object GUID (DSA GUID) & Database GUID
The repadmin /dsaguid command returns a server name when given a globally unique identifier
(GUID).


Syntax
repadmin /dsaguid <DC_LIST> <GUID>


Parameter                                     Description

<DC_LIST>                                     Specifies the host name of a domain controller,
                                              or a list of domain controllers separated by a
                                              space. For details about <DC_LIST>, see
                                              repadmin /listhelp.

<GUID>                                        Specifies the unique hexadecimal number that
                                              identifies the domain controller. The globally
                                              unique identifier (GUID) can be retrieved by
                                              using the showreps operation.




Example: Display the domain controller name when given a
GUID
Note the use of "." here for <DC_LIST>.

Figure 3.12.2




For a detailed explanation of the difference between the DSA GUID and the Database GUID, see
repadmin /showrepl.


Certificates loaded on a domain controller
The repadmin /showcert command displays the server certificates loaded on a specified domain
controller.


Syntax
repadmin /showcert <DC_LIST>


Parameter                                          Description

<DC_LIST>                                          Specifies the host name of a domain controller,
                                                   or a list of domain controllers separated by a
                                                   space. For details about <DC_LIST>, see
                                                   repadmin /listhelp.




Retired Application partition GUIDs (signature)
Each domain controller has a naming context signature list. The repadmin /showncsig
command displays a list of the removed application directory partition GUIDs. An application
directory partition can be configured to be held or not held on a particular domain controller by
using ntdsutil.


Syntax
repadmin /showncsig <DC_LIST>




Parameter                                          Description

<DC_LIST>                                          Specifies the host name of a domain controller,
                                                   or a list of domain controllers separated by a
                                                   space. For details about <DC_LIST>, see
                                                   repadmin /listhelp.



Example: Display the recently retired ForestDnsZones application
directory partition on the local domain controller
Figure 3.12.4




The following information is displayed in figure 3.12.4:
   Partition name
   InvocationID at the time of removal
   Highest update sequence number (USN) at the time of removal
   Date of removal


Unanswered replication calls
The repadmin /showoutcalls command displays calls made by the specified domain controller to
other domain controllers that have not yet been answered.


Syntax
repadmin /showoutcalls <DC_LIST>


Parameter                                          Description

<DC_LIST>                                          Specifies the host name of a domain controller,
                                                   or a list of domain controllers separated by a
                                                   space. For details about <DC_LIST>, see
                                                   repadmin /listhelp.




Example: Hub domain controller waiting for the request to be
answered from a spoke domain controller
Figure 3.12.5




showproxy
Lists cross domain move proxy objects. When an object is moved to another domain, a marker is
left in the old domain indicating that the object used to be there. This is called the proxy.


Syntax 1
repadmin /showproxy <DC_LIST> <NamingContext> [matchstring]



Syntax 2
repadmin /showproxy <DC_LIST> <ObjectDN> [matchstring] /movedobject


Parameter                                      Description

<DC_LIST>                                      Specifies the host name of a domain controller,
                                               or a list of domain controllers separated by a
                                               space. For details about <DC_LIST>, see
                                               repadmin /listhelp.

<NamingContext>                                Specifies the distinguished name of the
                                               directory partition on the source domain
                                               controller.

<ObjectDN>                                     Specifies the distinguished name of the object.

matchstring                                    Specifies a filter for the output. Type a string of
                                               characters that must be present in the
                                               distinguished name in order to display the
                                               object.

/movedobject                                   Displays a history of information from the
                                               original domain on a moved object after it has
                                               reached the new domain.

Retired Database GUIDs (signature)
The repadmin /showsig command displays the retired InvocationIDs on a domain controller. A
domain controller changes its InvocationID on being restored or when re-hosting an application
partition.


Syntax
repadmin /showsig <DC_LIST>


Parameter                                        Description

<DC_LIST>                                        Specifies the host name of a domain controller,
                                                 or a list of domain controllers separated by a
                                                 space. For details about <DC_LIST>, see
                                                 repadmin /listhelp.



Example 1: Simple usage with no retired signatures
Figure 3.12.7.1




Example 2: Simple usage with a retired signature
Figure 3.12.7.2




Convert directory service time to readable time
The repadmin /showtime command converts a directory service time value to string format for
both the local and the Coordinated Universal Time (UTC) time zones.


Syntax
repadmin /showtime <DSTimeValue>


Parameter                                       Description

<DSTimeValue>                                   Specifies the time value that needs to be
                                                converted.


    Note
    With parameters omitted, repadmin /showtime displays the current system time in both
    the directory service format and string format.


Example 1: Usage with directory service time format
Figure 3.12.8.1




Example 2: Current system time
Figure 3.12.8.2




Active Directory domains trusted by domain
controller
The repadmin /showtrust command lists all Active Directory domains (in the same forest) that
are trusted by the specified domain controller’s domain.


Syntax
repadmin /showtrust <DC_LIST>




Parameter                                      Description

<DC_LIST>                                      Specifies the host name of a domain controller,
                                               or a list of domain controllers, separated by a
                                               space. For details about <DC_LIST>, see
                                               repadmin /listhelp.



Example: Display Active Directory domains that are trusted by
the domain of the local domain controller
Figure 3.12.9




Linked Distinguished Name values
The repadmin /showvalue command is used to list only linked distinguished name values.
Linked distinguished name values can also be obtained by the repadmin /showobjmeta
subcommand with the /linked switch.


Syntax
repadmin /showvalue <DC_LIST> <ObjectDN> <AttributeName> <ValueDN> [/nocache]


Parameter                                      Description

<DC_LIST>                                      Specifies the host name of a domain controller,
                                               or a list of domain controllers, separated by a
                                               space. For details about <DC_LIST>, see
                                               repadmin /listhelp.

<ObjectDN>                                     Specifies the distinguished name of the object.

<AttributeName>                                Specifies a single attribute whose value you
                                               want to display.

<ValueDN>                                      Specifies the distinguished name of the
                                               attribute that is displayed.

/nocache                                       Specifies that GUIDs are left in hexadecimal
                                               form. By default, GUIDs are translated into
                                               strings.



Example: Display members of the Domain Admins group
Note that showvalue lists values only for forward links. Backward links (such as memberOf) are
not returned.

Figure 3.12.10




Oldhelp
Oldhelp displays a list of the operations that have been deprecated in the Windows Server 2003
version of repadmin.


sync
Starts a replication event for the specified directory partition between the source and destination
domain controllers. The source universally unique identifier (UUID) can be determined when
viewing the replication partners by using the showreps operation.


Syntax
repadmin /sync <NamingContext> <DestDC> <SourceDCUUID> [/force] [/async] [/full]
[/addref] [/allsources]


Parameter                                          Description

<NamingContext>                                    Specifies the distinguished name of the
                                                   directory partition.

<DestDC>                                           Specifies the host name of the domain
                                                   controller (Directory Server Agent) with which
                                                   you want to replicate.

<SourceDCUUID>                                     Specifies the unique hexadecimal number that
                                                   identifies the object whose changes will be
                                                   listed. The objectGUID can be retrieved by
                                                   using the showreps operation.

/force                                             Overrides the normal replication schedule.

/async                                             Specifies that the replication will be
                                                   asynchronous. This means that repadmin starts
                                                   the replication event, but it does not expect an
                                                   immediate response from the destination
                                                   domain controller. Use this parameter when
                                                   there are slow links between domain
                                                   controllers.

/full                                              Forces a full replication of all objects from the
                                                   destination domain controller.

/addref                                            Directs the source to check for a notification
                                                   entry on the source. If the source does not
                                                   have a notification entry for this destination,
                                                   one is added.

/allsources                                        A given destination can have multiple sources
                                                   for the same naming context. Directs the
                                                   destination to sync with all sources instead of
                                                   just one.




propcheck
Compares properties of specified domain controllers to determine if they are up-to-date with each
other. The source domain controller contains the original information that needs to be checked.
The destination domain controller data will be compared to the source domain controller data.


Syntax
repadmin /propcheck <NamingContext> <OriginatingDCInvocationID> <OriginatingUSN> <DestDC>


Parameter                                        Description

<NamingContext>                                  Specifies the distinguished name of the
                                                 directory partition on the source domain
                                                 controller.


<OriginatingDCInvocationID>                       Specifies the unique hexadecimal number that
                                                  identifies an object on a source domain
                                                  controller. The InvocationID can be retrieved by
                                                  using the showreps operation.

<OriginatingUSN>                                  Specifies the update sequence number (USN)
                                                  for the object on the source domain controller.
                                                  The USN is for the object whose InvocationID
                                                  is already listed.

<DestDC>                                          Specifies the host name of the destination
                                                  domain controller from which to enumerate the
                                                  host domain controllers.




getchanges
Displays changes from a specified directory partition or changes to a specified object. Syntax 1
saves the changes to a directory partition. If this information is saved to a file, the getchanges
operation can be run again later for comparison. Syntax 2 lists changes to a specified object.


Syntax1
repadmin /getchanges <NamingContext> <SourceDC> [/cookie:<File>]
[/atts:<attribute1>,<attribute2>,...]



Syntax2
repadmin /getchanges <NamingContext> <DestDC> <SourceDCObjectGUID> [/verbose]
[/statistics] [/noincremental] [/objectsecurity] [/ancestors]
[/atts:<attribute1>,<attribute2>,...] [/filter:<ldap filter>]


Parameter                                         Description

<NamingContext>                                   Specifies the distinguished name of the
                                                  directory partition.

<SourceDC>                                        Specifies the host name of the domain
                                                  controller that hosts the directory partition
                                                  whose changes you want to view.

/cookie:<File>                                    Specifies a name for the file to which list
                                                  changes are saved.

/atts:<attribute1>,<attribute2>                   Returns only the attributes specified. Separate
                                                  each listed attribute with a comma.


<DestDC>                                           Specifies the host name of the destination
                                                   domain controller from which to enumerate the
                                                   host domain controllers.

<SourceDCObjectGUID>                               Specifies the unique hexadecimal number that
                                                   identifies the object whose changes will be
                                                   listed. The objectGUID can be retrieved by
                                                   using the showreps operation.

/verbose                                           Lists detailed information.

/statistics                                        Displays a summary of information about
                                                   changes instead of a list of individual changes.

/noincremental                                     Returns changes in value change format, which
                                                   lists current values for attributes as well as
                                                   what attributes have been added or deleted. If
                                                   not specified, changes are returned in attribute
                                                   change format, which shows only the current
                                                   value of the attribute.

/objectsecurity                                    Overrides the need for the Get Changes right to
                                                   the directory partition. By default this right is
                                                   needed to run the /getchanges parameter.
                                                   However, only changes that the currently
                                                   logged on user has the rights to view are
                                                   displayed.

/filter:<ldap filter>                              Returns only those changes that meet the filter
                                                   requirements.

/ancestors                                         Returns changes in USN order


    Note
    The information from Syntax1 can be saved to a file for later comparison.


showreps
Displays the replication partners for each directory partition on the specified domain controller.
Helps the administrator build a visual representation of the replication topology and see the role
of each domain controller in the replication process.


Syntax
repadmin /showreps <NamingContext> <DC> <SourceDCObjectGUID> [/verbose] [/nocache]
[/repsto] [/conn] [/all]


Parameter                                        Description

<NamingContext>                                  Specifies the distinguished name of the
                                                 directory partition.

<DC>                                             Specifies the host name of the domain
                                                 controller.

<SourceDCObjectGUID>                             Specifies the unique hexadecimal number that
                                                 identifies the object whose replication events
                                                 will be listed.

/verbose                                         Lists detailed information.

/nocache                                         Specifies that globally unique identifiers
                                                 (GUIDs) are left in hexadecimal form. By default,
                                                 GUIDs are translated into strings.

/repsto                                          Lists the domain controllers that pull replication
                                                 information from the specified directory
                                                 partition.

/conn                                            Displays the connection objects associated with
                                                 each link.

/all                                             Displays all replication partners.
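The sync operation above takes the source DSA object GUID that showreps reports for each inbound partner. The following added example (not part of Microsoft's document or of repadmin itself) parses a constructed showreps listing, records each inbound neighbor's naming context, DSA object GUID and last-attempt result, and builds the corresponding repadmin /sync command lines for the partners whose last attempt failed. The sample text, all names and GUIDs are made up, and the exact column layout of the report is an assumption; adjust the regular expressions if your output differs.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on Windows Server 2003 'repadmin /showreps'
# output. Site names, DC names, GUIDs and timestamps are made up, and the
# exact layout is an assumption: adjust the regular expressions if yours
# differs.
SAMPLE_SHOWREPS = """\
Default-First-Site-Name\\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 4a11d649-f9ab-4e3f-a2f6-f4aa2d3a8cf7
DSA invocationID: 0fc53ec0-7e25-4c21-9b44-8a3ce4c4cd1b

==== INBOUND NEIGHBORS ======================================

DC=contoso,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DSA object GUID: 8b2d1e6c-3f41-4d8a-9f07-2c5a6e1b7d33
        Last attempt @ 2008-09-01 10:15:02 was successful.
    Branch-Site\\DC3 via RPC
        DSA object GUID: c7e0a9f2-5d14-4b6a-8e3f-91a2b3c4d5e6
        Last attempt @ 2008-09-01 09:58:40 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        2 consecutive failure(s).
        Last success @ 2008-08-30 22:03:11.

CN=Configuration,DC=contoso,DC=com
    Default-First-Site-Name\\DC2 via RPC
        DSA object GUID: 8b2d1e6c-3f41-4d8a-9f07-2c5a6e1b7d33
        Last attempt @ 2008-09-01 10:15:03 was successful.
"""


@dataclass
class Neighbor:
    naming_context: str
    site: str
    dc: str
    transport: str
    guid: str = ""          # DSA object GUID: the <SourceDCUUID> that /sync needs
    last_attempt: str = ""
    ok: bool = False
    error: int = 0          # result code of the last failed attempt, 0 if none


PARTNER_RE = re.compile(r"^ {4}(\S+)\\(\S+) via (\S+)$")
GUID_RE = re.compile(r"^ {8}DSA object GUID: ([0-9a-f-]{36})$", re.IGNORECASE)
ATTEMPT_RE = re.compile(
    r"^ {8}Last attempt @ (\S+ \S+) (?:was successful|failed, result (\d+))")


def parse_showreps(text):
    """Return (name of the DC the report was taken from, inbound Neighbor list)."""
    local_dc, current_nc, neighbors, inbound = "", "", [], False
    for line in text.splitlines():
        if not local_dc and "\\" in line and not line.startswith(" "):
            local_dc = line.split("\\", 1)[1]      # first line is site\dc
            continue
        if line.startswith("==== INBOUND NEIGHBORS"):
            inbound = True
            continue
        if not inbound:
            continue
        if line and not line.startswith(" "):
            current_nc = line                      # naming contexts are unindented
            continue
        m = PARTNER_RE.match(line)
        if m:
            neighbors.append(Neighbor(current_nc, *m.groups()))
            continue
        m = GUID_RE.match(line)
        if m and neighbors:
            neighbors[-1].guid = m.group(1)
            continue
        m = ATTEMPT_RE.match(line)
        if m and neighbors:
            n = neighbors[-1]
            n.last_attempt = m.group(1)
            n.ok = m.group(2) is None
            n.error = int(m.group(2) or 0)
    return local_dc, neighbors


def sync_commands(local_dc, neighbors, only_failed=True):
    """Build 'repadmin /sync <NamingContext> <DestDC> <SourceDCUUID> /force'
    lines for each inbound partner (by default only those whose last
    attempt failed)."""
    return [f"repadmin /sync {n.naming_context} {local_dc} {n.guid} /force"
            for n in neighbors if n.guid and (not only_failed or not n.ok)]


if __name__ == "__main__":
    dc, partners = parse_showreps(SAMPLE_SHOWREPS)
    for n in partners:
        state = "ok" if n.ok else f"failed ({n.error})"
        print(f"{n.naming_context}: {n.site}\\{n.dc} {n.guid} {state}")
    for cmd in sync_commands(dc, partners):
        print(cmd)
```

The generated lines are printed rather than executed on purpose: review which partner and naming context you are about to force before running /sync, because a forced sync against a partner that is failing for a reason such as a lingering object will simply reproduce the failure.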




showvector
Displays the highest USN for the specified domain controller. This information shows how up-to-
date a replica is with its replication partners.


Syntax
repadmin /showvector <NamingContext> <DC> [/nocache] [/latency]


Parameter                                        Description

<NamingContext>                                  Specifies the distinguished name of the
                                                 directory partition.

<DC>                                             Specifies the host name of the domain
                                                 controller.

/nocache                                         Specifies that GUIDs are left in hexadecimal
                                                 form. By default, GUIDs are translated into
                                                 strings.


/latency                                           Sorts the information by the time required to
                                                   complete the replication. By default the
                                                   information is sorted by USN.
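The propcheck and showvector operations above both rest on the same data: each replica's up-to-dateness vector, which records the highest originating USN it has applied from every invocation ID. The following added example (not part of Microsoft's document or of repadmin) parses two constructed vectors in a simplified showvector style, answers the propcheck question (has this replica seen change USN n from invocation ID x?), lists the sources on which one replica lags another, and orders entries by time as the /latency switch does. The line layout, invocation IDs, USNs and timestamps are all made up for the example.

```python
import re
from datetime import datetime

# Constructed samples in a simplified 'repadmin /showvector /nocache
# /latency' style: one line per originating DSA, written as
# '<invocationID> @ USN <n> @ Time <timestamp>'. Layout and values are made
# up for this example.
VECTOR_DC1 = """\
0fc53ec0-7e25-4c21-9b44-8a3ce4c4cd1b @ USN 15021 @ Time 2008-09-01 10:15:02
5a6fe7a1-2b3c-4d5e-8f90-1a2b3c4d5e6f @ USN 9987 @ Time 2008-09-01 10:14:40
c1d2e3f4-a5b6-4c7d-8e9f-0a1b2c3d4e5f @ USN 4210 @ Time 2008-08-30 22:03:11
"""
VECTOR_DC2 = """\
0fc53ec0-7e25-4c21-9b44-8a3ce4c4cd1b @ USN 15021 @ Time 2008-09-01 10:15:05
5a6fe7a1-2b3c-4d5e-8f90-1a2b3c4d5e6f @ USN 10042 @ Time 2008-09-01 10:16:10
c1d2e3f4-a5b6-4c7d-8e9f-0a1b2c3d4e5f @ USN 4210 @ Time 2008-08-30 22:05:30
"""

LINE_RE = re.compile(
    r"^(\S+) @ USN (\d+) @ Time (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})$")


def parse_vector(text):
    """Return {invocationID: (highest originating USN seen, time last seen)}."""
    vector = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            vector[m.group(1).lower()] = (
                int(m.group(2)),
                datetime.strptime(m.group(3), "%Y-%m-%d %H:%M:%S"))
    return vector


def propcheck(vector, originating_invocation_id, originating_usn):
    """True if the replica owning 'vector' has already applied the change
    (invocationID, USN): the question 'repadmin /propcheck' answers. An
    invocation ID the replica has never heard from counts as USN 0."""
    seen_usn, _ = vector.get(originating_invocation_id.lower(), (0, None))
    return seen_usn >= originating_usn


def lagging_sources(dest_vector, source_vector):
    """Originating DSAs for which the destination has seen fewer changes than
    the source, mapped to how many USNs it is behind."""
    behind = {}
    for inv, (src_usn, _) in source_vector.items():
        dest_usn = dest_vector.get(inv, (0, None))[0]
        if dest_usn < src_usn:
            behind[inv] = src_usn - dest_usn
    return behind


def by_latency(vector):
    """Entries ordered by time of last contact, oldest first, instead of the
    default USN order (a simplification of what /latency reports)."""
    return sorted(vector.items(), key=lambda item: item[1][1])


if __name__ == "__main__":
    dc1, dc2 = parse_vector(VECTOR_DC1), parse_vector(VECTOR_DC2)
    print("DC1 has change 10000 from 5a6fe7a1...:",
          propcheck(dc1, "5a6fe7a1-2b3c-4d5e-8f90-1a2b3c4d5e6f", 10000))
    print("DC1 lags DC2 on:", lagging_sources(dc1, dc2))
    for inv, (usn, when) in by_latency(dc1):
        print(f"{inv} USN {usn} last seen {when:%Y-%m-%d %H:%M:%S}")
```

The oldest entry in the latency ordering is the first place to look when a replica appears stale: it names the originating DSA from which this replica has not seen anything for the longest time.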




showmeta
Displays the replication metadata for a specified object stored in Active Directory, such as the
attribute ID, version number, originating and local update sequence number (USN), originating
server's GUID, and date and time stamp. By comparing the replication metadata for the same
object on different domain controllers, an administrator can determine whether replication has
taken place.


Syntax
repadmin /showmeta <ObjectDN> <DC> [/nocache] [/linked]


Parameter                                          Description

<ObjectDN>                                         Specifies the distinguished name of the object.

<DC>                                               Specifies the host name of the domain
                                                   controller that hosts the object.

/nocache                                           Specifies that GUIDs are left in hexadecimal
                                                   form. By default, GUIDs are translated into
                                                   strings.

/linked                                            Displays metadata that is associated with, but
                                                   not stored with, the specified object.
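The comparison the showmeta description recommends, done over constructed output for the same object read from two DCs, as an added example that is not part of Microsoft's document or of repadmin. It parses the metadata rows, compares the originating DSA, originating USN and version per attribute (the local USN is per replica and is deliberately ignored), and reports which side holds the newer write or is missing the attribute altogether. The column layout, DSA names, USNs and times are made up; the "newer" decision uses version then originating time, which is the order Active Directory applies to conflicting writes, and omits the final DSA GUID tie-break.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed samples modelled on 'repadmin /showmeta' for the same object
# read from two DCs. Layout, DSA names, USNs and times are made up: DC1
# carries a newer 'description' and a 'pwdLastSet' that DC2 has not
# received yet.
META_DC1 = """\
Loc.USN  Originating DSA               Org.USN  Org.Time/Date        Ver Attribute
=======  ===============               =======  =============        === =========
   8195  Default-First-Site-Name\\DC1     8195  2008-08-01 09:00:00    1 objectClass
   8195  Default-First-Site-Name\\DC1     8195  2008-08-01 09:00:00    1 cn
  15021  Default-First-Site-Name\\DC1    15021  2008-09-01 10:15:02    3 description
  15022  Default-First-Site-Name\\DC1    15022  2008-09-01 10:15:02    2 pwdLastSet
  12001  Default-First-Site-Name\\DC2     9987  2008-08-20 14:30:00    2 userAccountControl
"""
META_DC2 = """\
Loc.USN  Originating DSA               Org.USN  Org.Time/Date        Ver Attribute
=======  ===============               =======  =============        === =========
   9001  Default-First-Site-Name\\DC1     8195  2008-08-01 09:00:00    1 objectClass
   9001  Default-First-Site-Name\\DC1     8195  2008-08-01 09:00:00    1 cn
   9800  Default-First-Site-Name\\DC1    12040  2008-08-25 16:02:11    2 description
   9987  Default-First-Site-Name\\DC2     9987  2008-08-20 14:30:00    2 userAccountControl
"""

ROW_RE = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)$")


@dataclass(frozen=True)
class Meta:
    local_usn: int
    originating_dsa: str
    originating_usn: int
    originating_time: datetime
    version: int

    def stamp(self):
        """The part of the metadata that identifies a write forest-wide.
        Loc.USN is assigned per replica and must not be compared across DCs."""
        return (self.originating_dsa, self.originating_usn, self.version)


def parse_showmeta(text):
    """Return {attribute name: Meta} for one object's showmeta listing."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            loc, dsa, org, when, ver, attr = m.groups()
            rows[attr] = Meta(int(loc), dsa, int(org),
                              datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                              int(ver))
    return rows


def compare_meta(a, b):
    """Per attribute: 'in_sync', 'a_newer', 'b_newer', 'missing_on_a' or
    'missing_on_b'. Newer is decided by version, then originating time."""
    result = {}
    for attr in list(a) + [k for k in b if k not in a]:
        ma, mb = a.get(attr), b.get(attr)
        if ma is None:
            result[attr] = "missing_on_a"
        elif mb is None:
            result[attr] = "missing_on_b"
        elif ma.stamp() == mb.stamp():
            result[attr] = "in_sync"
        else:
            ka = (ma.version, ma.originating_time)
            kb = (mb.version, mb.originating_time)
            result[attr] = "a_newer" if ka > kb else "b_newer"
    return result


if __name__ == "__main__":
    verdict = compare_meta(parse_showmeta(META_DC1), parse_showmeta(META_DC2))
    for attr, state in verdict.items():
        if state != "in_sync":
            print(f"{attr}: {state}")
```

An attribute reported as newer on one side is expected while replication is in flight; the same attribute still differing after the replication interval has elapsed, or an originating USN on one side that the other side's up-to-dateness vector already covers, is the signal that something is blocking that partner.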




Repadmin for Experts
The previous topics in this guide have looked at how an administrator can use repadmin to view
the replication topology (sometimes referred to as Reps-From and Reps-To) as seen from the
perspective of each domain controller, monitor forest-wide replication, diagnose replication
problems, and perform miscellaneous tasks.
The following sections are intended for advanced operations only. These commands have the
potential to break your Active Directory installation, and they should be used only under the
expert guidance of a Microsoft Customer Support Service representative or engineer.




Add, Modify, or Delete replication links
During normal operation, the Knowledge Consistency Checker (KCC) automatically manages the
replication topology for each naming context held on domain controllers.
Although this should not be necessary in normal practice, repadmin can be used to create the
replication topology manually. This topology is temporary by default and lasts only until the next
time the KCC runs. These steps should therefore be used only when troubleshooting issues
related to Active Directory replication.

      Note
      During the normal course of operations, there is no requirement for manual creation of
      the replication topology. Incorrect use of this tool may adversely impact the replication
      topology.


Syntax
Repadmin /add <Naming Context> <Dest DC> <Source DC> [/asyncrep] [/syncdisable]
[/dsadn:<Source DC DN>] [/transportdn:<Transport DN>] [/mail] [/async] [/readonly]

Repadmin /mod <Naming Context> <Dest DC> <Source GUID> [/readonly] [/srcdsaaddr:<dns
address>] [/transportdn:<Transport DN>] [+nbrflagoption] [-nbrflagoption]

Repadmin /delete <Naming Context> <Dest DC> [<Source DC Address>] [/localonly]
[/nosource] [/async]

The following table lists the purpose for each of the subcommands.


Subcommand                                           Purpose

add                                                  The add command will create a RepsFrom
                                                     attribute on the destination domain controller
                                                     for the specified naming context and initiate a
                                                     replication request. During a normal replication
                                                     cycle, the destination domain controller will
                                                     request updates from the source domain
                                                     controller.

mod                                                  The mod command will modify the RepsFrom
                                                     attribute on the destination domain controller
                                                     for the specified naming context and initiate a
                                                     replication request. During a normal replication
                                                     cycle, the destination domain controller will
                                                     request updates from the source domain
                                                     controller.

delete                                               The delete command will remove a RepsFrom
                                                     attribute on the destination domain controller
                                                     for the specified naming context.


The following table lists the parameters that can be used with the subcommands.


Parameter                                       Description

<Naming Context>                                Specifies the distinguished name of the
                                                directory partition.

<Dest DC>                                       Domain controller to which the link is created.

<Source DC>                                     Domain controller from which to source the
                                                partition.

/asyncrep                                       Queues the replication event, but does not wait
                                                for the replication to complete before returning
                                                control to the user.

/syncdisable                                    Adds the RepsFrom attribute but does not
                                                participate in the replication cycle. To perform
                                                replication between the destination and source
                                                domain controllers, repadmin /sync /force
                                                must be used.

/dsadn:<Source DC DN>

/transportdn:<Transport DN>                     The distinguished name of the Inter Site
                                                Messaging transport; only used for mail-based
                                                replication.

/mail                                           Specifies that the replication is mail-based and
                                                therefore requires the /transportdn option.

/async                                          Queues the add/delete operation without
                                                interrupting the current replication cycle and
                                                returns control to the user.

/readonly                                       Specifies that the partition is read-only.

/srcdsaaddr:<dns address>

+nbrflagoption | -nbrflagoption

/localonly                                      Does not delete the corresponding RepsTo
                                                attribute on the source Directory System Agent
                                                (DSA).

/nosource                                       When you remove a read-only naming context
                                                such as the global catalog, the associated data
                                                stored in the directory is removed in blocks of
                                                500 objects. This allows the /delete command
                                                to be re-executed without having to specify the
                                                Source DSA to remove the remaining objects.


When you create temporary replication links between replication partners, the process can fail if
the KCC runs while you are performing the procedure, because the KCC deletes any replication
link for which no corresponding connection object exists.
Because these commands can take a very long time to complete (they trigger replication of the
corresponding naming context), it is important to ensure that the KCC does not disturb the
process. This is where you would use +DISABLE_NTDSCONN_XLATE, which disables the KCC's
ability to translate connection objects into replication links.


Add, Modify, or Delete outbound replication
partners
Similar to inbound replication (Reps-From) partners, outbound replication (Reps-To) partners are
instantiated from connection objects by a process called “Connection Translation.”
Both Reps-From and Reps-To attributes are maintained for each partition, and they are not
replicated.
Reps-To is only needed when the destination requires the source to notify it that there is a
change in the partition at the source and that the destination should synchronize. Because
Reps-To attributes are used for notification, if the destination has a Reps-From marked
NO_NOTIFY, then the source will not have a Reps-To.
Depending on the underlying operating system, sometimes you might see outbound partners
lingering. While Windows Server 2003 takes care of this, Windows 2000 would need some help
cleaning out lingering outbound partners.


Syntax
Repadmin /addrepsto <Naming Context> <DC> <Reps-To DC> <Reps-To DC GUID>
Repadmin /updrepsto <Naming Context> <DC> <Reps-To DC> <Reps-To DC GUID>
Repadmin /delrepsto <Naming Context> <DC> <Reps-To DC> <Reps-To DC GUID>

The following table lists the purpose for each of the subcommands.


Subcommand                                        Purpose

addrepsto                                         This will create a Reps-To attribute on the
                                                  domain controller for the specified naming
                                                  context. Ordinarily there is no requirement to
                                                  perform this command, because the KCC will
                                                  automatically create the Reps-To attributes on
                                                  destination DSAs based on other DSAs'
                                                  Reps-From entries.

updrepsto                                        This will update the Reps-To attribute on the
                                                 domain controller for the specified naming
                                                 context. More specifically it updates the
                                                 network address used by the source DSA to
                                                 contact the destination DSA.

delrepsto                                        Delrepsto deletes the Reps-To attribute on the
                                                 domain controller for the specified naming
                                                 context.


The following table lists the parameters that can be used with the subcommands.


Parameter                                        Description

<Naming Context>                                 Specifies the distinguished name of the
                                                 directory partition.

<DC>                                             The domain controller on which the Reps-To
                                                 attribute is modified.

<Reps-To DC>                                     Outbound replication partner.

<Reps-To DC GUID>                                DSA globally unique identifier (GUID) of
                                                 outbound replication partner.




Hosting and unhosting read-only partitions
Hosting and unhosting global catalog partitions is convenient, especially when you want to ensure
a faster global catalog removal process. As noted in the following table, these subcommands will
also facilitate removal of lingering objects from Active Directory.


Global catalog removal process                   In Windows 2000 versions earlier than
                                                 Service Pack 4 (SP4), when the IS_GC bit is
                                                 turned off, the KCC deletes the read-only
                                                 objects at a rate of only 500 for each time the
                                                 KCC runs, which allows a maximum of 2000
                                                 object removals for each hour. This presents
                                                 some challenges in large environments. In
                                                 order to make the global catalog removal faster,
                                                 you could potentially remove one partition at a
                                                 time by using the unhost subcommand.

Lingering Objects                                A lingering object is an object that is present on
                                                 one replica, but on another replica it has been
                                                 deleted and removed from the directory by the
                                                 garbage collection process.
                                                 When a lingering object exists only in one or
                                                 more read-only naming contexts (global
                                                 catalog), it is all the more difficult to delete the
                                                 object. Clearing the IS_GC bit may not always
                                                 be appropriate, because it removes all read-only
                                                 naming contexts from the global catalog server.
                                                 Unhosting and rehosting a read-only naming
                                                 context is therefore sometimes considered to
                                                 be a good solution, especially because you
                                                 can specify as the source a good replica that
                                                 does not contain lingering objects.



Syntax
Repadmin /rehost <DC_LIST> <Naming Context> <Good Source DC Address> [/application]
Repadmin /unhost <DC_LIST> <Naming Context>
Repadmin /removesources <DC_LIST> <Naming Context>

The following table lists the purpose for each of the subcommands.


Subcommand                                       Purpose

rehost                                           Add a specific read-only partition to a global
                                                 catalog server.

unhost                                           Remove a specific read-only partition from a
                                                 global catalog server.

removesources                                    Removes all replication links for a given naming
                                                 context. This does not delete the connection
                                                 objects, so the KCC will build new links on its
                                                 regular cycle as required.


The following table lists the parameters that can be used with the subcommands.


Parameter                                        Description

<DC_LIST>                                        Specifies the host name of a domain controller,
                                                 or a list of domain controllers separated by
                                                 spaces, that the object will be replicated to. For
                                                 details about <DC_LIST>, see repadmin
                                                 /listhelp.

<Naming Context>                                     Specifies the distinguished name of the
                                                     directory partition.

<Good Source DC Address>                             Specifies the source domain controller.

/application                                         Specifies that the naming context is an
                                                     application directory partition.




Detecting and removing lingering objects
There are multiple methods that are available to detect or remove lingering objects from
Active Directory. This depends on the operating system version that the domain controller is
running. Repadmin could be used to detect or remove lingering objects from a directory partition
when the source and destination domain controllers are running Windows Server 2003 and
therefore the scope here is limited to the following:
   Introduction to lingering objects
   Repadmin usage in Windows Server 2003
A lingering object is an object that is present on one replica, but on another replica it has been
deleted and removed from the directory by the garbage collection process.
This condition can occur for a variety of reasons including:
   Prolonged misconfigurations (such as those that cause event ID 1311 messages)
   Prolonged errors in name resolution, authentication or the replication engine that block
     inbound replication.
   Bringing a domain controller online after it has been offline for a period greater than the
     tombstone lifetime (TSL).
   Advancing system time or reducing TSL values in an attempt to accelerate garbage collection
     before end-to-end replication has taken place for all naming contexts in the forest.
Symptoms that you may have lingering objects:
   Active Directory replication is prevented from occurring.
   A user account that no longer exists still appears in the Global Address list for E-mail clients.
   A universal group that no longer exists still appears in a user’s access token.
   E-mail messages cannot be delivered due to duplicate e-mail address on two different user
     objects.
Regardless of the reason, a deleted object can remain on a domain controller in either of the
following circumstances:
   A domain controller goes offline immediately prior to the deletion of an object on another
     domain controller, and remains offline for a period that exceeds the tombstone lifetime.
   A domain controller goes offline immediately following the deletion of an object on another
     domain controller but prior to receiving replication of the tombstone, and remains offline for a
     period that exceeds the tombstone lifetime.
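The two circumstances just listed can be made concrete with a small simulation. This is an added example, not part of Microsoft's document or of repadmin: it models a deletion becoming a tombstone, the tombstone being garbage-collected once it is older than the tombstone lifetime (60 days here, an assumed example value), a DC that is offline across that window, and the comparison against a known-good reference replica that lingering-object detection performs. DC names, GUIDs and DNs are constructed, and a day is the unit of time.

```python
from dataclasses import dataclass, field

# Example value only: tombstone lifetime in days. Read the real value for
# your forest (the tombstoneLifetime attribute on the Directory Service
# object) before reasoning about a production environment.
TOMBSTONE_LIFETIME = 60


@dataclass
class Replica:
    name: str
    objects: dict = field(default_factory=dict)     # objectGUID -> DN (live)
    tombstones: dict = field(default_factory=dict)  # objectGUID -> day deleted
    online: bool = True

    def delete(self, guid, day):
        """Deleting turns the object into a tombstone that replicates out."""
        self.objects.pop(guid)
        self.tombstones[guid] = day

    def garbage_collect(self, day, tsl):
        """Tombstones older than the tombstone lifetime are removed for good;
        after this, nothing on the replica remembers the deletion."""
        expired = [g for g, d in self.tombstones.items() if day - d > tsl]
        for g in expired:
            del self.tombstones[g]
        return expired


def replicate(source, dest):
    """One inbound replication cycle on dest from source; returns False when
    dest is offline and nothing happens."""
    if not dest.online:
        return False
    for guid, day in source.tombstones.items():     # deletions win over live copies
        dest.objects.pop(guid, None)
        dest.tombstones.setdefault(guid, day)
    for guid, dn in source.objects.items():
        if guid not in dest.tombstones:
            dest.objects.setdefault(guid, dn)
    return True


def lingering_objects(reference, suspect):
    """Live objects on suspect that the reference neither holds live nor
    remembers as a tombstone: the comparison made against a good reference
    replica when detecting lingering objects."""
    return sorted(g for g in suspect.objects
                  if g not in reference.objects and g not in reference.tombstones)


def scenario(offline_days, tsl=TOMBSTONE_LIFETIME):
    """DC2 drops offline on day 1, an object is deleted on DC1 on day 2, and
    DC2 comes back after 'offline_days'. Returns the lingering objects on
    DC2 after its first replication cycle back online."""
    dc1 = Replica("DC1", {"g1": "CN=alice,CN=Users,DC=contoso,DC=com",
                          "g2": "CN=bob,CN=Users,DC=contoso,DC=com"})
    dc2 = Replica("DC2")
    replicate(dc1, dc2)                 # day 0: both replicas hold alice and bob
    dc2.online = False                  # day 1: DC2 goes offline
    dc1.delete("g2", day=2)             # day 2: bob is deleted on DC1
    back_day = 1 + offline_days
    for day in range(3, back_day + 1):
        dc1.garbage_collect(day, tsl)   # daily garbage collection on DC1
    dc2.online = True
    replicate(dc1, dc2)                 # DC2's first cycle after returning
    return lingering_objects(dc1, dc2)


if __name__ == "__main__":
    print("back within TSL :", scenario(offline_days=10))
    print("back after TSL  :", scenario(offline_days=TOMBSTONE_LIFETIME + 10))
```

The point the simulation makes is that the tombstone is the only record of the deletion: while it exists, the returning DC learns about the deletion on its first cycle, and once garbage collection has removed it there is nothing left to replicate, so the stale copy survives and can only be found by comparing the suspect replica against a reference that is known to be clean.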
What to do with a lingering object?
Determining what to do with a lingering object depends on whether or not it was intended.


Action                                              Explanation

Unintended                                          Use repadmin to delete the lingering object on
                                                    a domain controller that is running Windows
                                                    Server 2003.

Intended                                            Change the replication consistency on the
                                                    inbound domain controller (DC). The object will
                                                    be re-animated on this DC. See "Strict and
                                                    loose replication consistency" below.



Strict and loose replication consistency
If the attributes of a lingering object never change, the object is never considered for replication.
However, if an attribute changes, the attribute is considered for outbound replication. The
problem with an attribute update for a lingering object is that the receiving domain controller does
not hold the object for the attribute being replicated. An update cannot be performed because the
entire object does not exist on the receiving domain controller. What happens next depends on
the replication consistency set on the domain controller.


Replication consistency                            Explanation

Loose                                              When replication consistency is set to loose, the
                                                   receiving domain controller detects that it does
                                                   not have the object for the attribute that is being
                                                   replicated. The inbound partner requests the
                                                   entire object from the outbound partner, and
                                                   reanimates the object on its copy of the
                                                   directory. The same process repeats on all
                                                   domain controllers that do not have a copy of
                                                   the object. This mechanism can be used to
                                                   cause lingering objects to "reanimate" across
                                                   the entire forest. If a lingering object is
                                                   discovered and its presence is intended, then
                                                   perform any update to the object. As long as
                                                   replication consistency is set to loose on all
                                                   domain controllers, the object will be reanimated
                                                   as it replicates around the forest. "Loose
                                                   replication consistency" is the default for
                                                   Windows 2000 domain controllers, with the
                                                   exception of domain controllers that have the
                                                   MS01-044 security rollup package installed. For
                                                   more information about the MS01-044 security
                                                   rollup package, see article 297860 in the
                                                   Microsoft Knowledge Base
                                                   (http://go.microsoft.com/fwlink/?LinkID=122508).

Strict                                               The default behavior for domain controllers that
                                                     run Windows Server 2003 (and domain
                                                     controllers that are upgraded from
                                                     Windows NT 4.0) is to block inbound replication
                                                     for each naming context when a domain
                                                     controller receives an update to an object that it
                                                     does not have. Replication is halted in the
                                                     naming context for the object until the lingering
                                                     object is removed or the replication mode is set
                                                     to “loose.”


Storage for Consistency Setting
The setting for replication consistency is in the registry on each domain controller.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Entry name: Strict Replication Consistency
Data type: REG_DWORD
Values: 1 for enabled; 0 for disabled
Default: 1 (enabled)

     Notes
        There was a post-SP2 hotfix (also included in the security rollup package from
          November 2001) that used a different registry value. A setting of 0 will not recreate the
          missing object (strict), and a setting of 1 will create the missing object. This value is only
          needed with the November version of the hotfix.
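Because a single domain controller left in loose mode is enough for a lingering object to be reanimated across the forest once one of its attributes changes, the consistency setting is worth auditing on every domain controller rather than on one. The following PowerShell script is an added example, not part of this document or of Repadmin; it reads the registry value described above from each domain controller over PowerShell remoting and reports any that is not strict. It assumes the ActiveDirectory module, WinRM access to the domain controllers, and that the function and parameter names used here are hypothetical.

```powershell
# Added example (not from this document): audit the "Strict Replication
# Consistency" registry value on every domain controller in the forest and
# report any DC that is still running in loose mode.
# Assumptions: ActiveDirectory module available, WinRM access to each DC,
# PowerShell 3.0 or later. Function and parameter names are hypothetical.

function Get-StrictReplicationConsistency {
    [CmdletBinding()]
    param(
        # Domain controllers to query; defaults to every DC in every domain of the forest.
        [string[]]$DomainController = ((Get-ADForest).Domains |
            ForEach-Object { Get-ADDomainController -Filter * -Server $_ } |
            Select-Object -ExpandProperty HostName)
    )

    # Registry location and value name exactly as documented above.
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $regValue = 'Strict Replication Consistency'

    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        param($path, $name)
        $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
        # Report a missing value as $null so it is not mistaken for 0 (loose);
        # when the value is absent the operating-system default applies.
        $raw  = if ($item) { [int]$item.$name } else { $null }
        $mode = if ($raw -eq 1) { 'Strict' }
                elseif ($raw -eq 0) { 'Loose' }
                else { 'NotSet (OS default applies)' }
        [pscustomobject]@{
            DomainController = $env:COMPUTERNAME
            RawValue         = $raw
            Mode             = $mode
        }
    } -ArgumentList $regPath, $regValue |
        Select-Object DomainController, RawValue, Mode
}

# Usage: list the domain controllers that need follow-up.
Get-StrictReplicationConsistency | Where-Object { $_.Mode -ne 'Strict' }
```

Any domain controller reported as loose or not set should be reconciled with the lingering-object procedure below before the setting is changed, because switching a DC to strict while a lingering object is still present will halt inbound replication of that naming context on it, as the table above describes.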
The repadmin /removelingeringobjects command does the following:
   Designates an up-to-date domain controller as the authority.
   Compares the Active Directory database objects on the authoritative server with the objects
     that are on the suspected domain controller that contains the lingering objects.
   With /advisory_mode, the subcommand logs the potential deletions to the Directory Service
     log.
   Without /advisory_mode, the subcommand removes the lingering objects.

Syntax
Repadmin /removelingeringobjects <Dest_DC_LIST> <Source DC GUID> <NC> [/ADVISORY_MODE]


Parameter                                          Description

<Dest_DC_LIST>                                     The domain controller that is suspected to have
                                                   lingering objects.

<Source DC GUID>                                   Source domain controller GUID used to
                                                   compare with the suspected domain controller.

<NC>                                               Specifies the distinguished name of the
                                                   directory partition.

/ADVISORY_MODE                                     Read-only mode.


     Note
     During lingering object removal, Event ID 1937 is logged to the Directory Service log.
     This information includes the source domain controller, the objects that are removed, and
     a total count of all the objects that are removed.
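The procedure above has three moving parts that are easy to get wrong by hand: the authority must be an up-to-date DC, the second argument is the authority's DSA GUID (the objectGUID of its NTDS Settings object, not of its computer account), and the advisory pass should be reviewed in the Directory Service log before anything is removed. The following PowerShell wrapper is an added example, not part of this document or of Repadmin; it resolves the GUID, runs repadmin /removelingeringobjects in advisory mode against a list of suspected DCs (or with the removal enabled when explicitly requested), and collects the Directory Service log entries afterwards. It assumes the ActiveDirectory module, repadmin.exe on the path, and remote read access to each DC's event log; the function and parameter names are hypothetical.

```powershell
# Added example (not from this document): run the lingering-object check in
# advisory mode against suspected domain controllers, using one up-to-date
# DC as the authority, and then gather what the Directory Service log recorded.
# Assumptions: ActiveDirectory module, repadmin.exe on the path, remote event
# log access. Function and parameter names are hypothetical.

function Invoke-LingeringObjectCheck {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $AuthoritativeDC,   # up-to-date DC used as the authority
        [Parameter(Mandatory)] [string[]] $SuspectDC,         # DCs suspected to hold lingering objects
        [Parameter(Mandatory)] [string]   $NamingContext,     # e.g. DC=corp,DC=example,DC=com (constructed)
        [switch] $Remove                                      # omitted: /ADVISORY_MODE (read-only)
    )

    # <Source DC GUID> is the objectGUID of the authority's NTDS Settings object.
    $ntdsDn     = (Get-ADDomainController -Identity $AuthoritativeDC).NTDSSettingsObjectDN
    $sourceGuid = (Get-ADObject -Identity $ntdsDn -Properties objectGUID).objectGUID

    foreach ($dc in $SuspectDC) {
        $cmdArgs = @('/removelingeringobjects', $dc, "$sourceGuid", $NamingContext)
        if (-not $Remove) { $cmdArgs += '/ADVISORY_MODE' }
        Write-Verbose "repadmin $($cmdArgs -join ' ')"
        $output = & repadmin.exe @cmdArgs 2>&1
        [pscustomobject]@{
            SuspectDC  = $dc
            SourceGuid = "$sourceGuid"
            Advisory   = -not $Remove
            ExitCode   = $LASTEXITCODE
            Output     = ($output | Out-String).Trim()
        }
    }
}

# Directory Service log entries written on a DC since a given time. Event ID 1937
# (listed in this document) is logged during actual removal; 1942 and 1946 are the
# advisory-mode summary and per-object events (not listed here; from Microsoft's
# lingering-object documentation).
function Get-LingeringObjectEvents {
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [datetime] $Since = (Get-Date).AddHours(-1),
        [int[]] $EventId = @(1937, 1942, 1946)
    )
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName   = 'Directory Service'
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
      Where-Object { $_.Id -in $EventId } |
      Select-Object TimeCreated, Id, Message
}

# Usage (constructed names): advisory pass first, review the log, then rerun with -Remove.
# Invoke-LingeringObjectCheck -AuthoritativeDC DC01 -SuspectDC DC02, DC03 `
#     -NamingContext 'DC=corp,DC=example,DC=com' -Verbose
# Get-LingeringObjectEvents -DomainController DC02
```

Running the advisory pass on every suspected DC before any removal keeps the operation reversible: the log shows which objects would go, and the source GUID in the output confirms that the intended DC was used as the authority.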


Advanced domain controller options
By using the options subcommand, you can change the options attribute stored on the NTDS
Settings object. The options attribute determines the following behaviors on a domain controller:
   Global catalog installation and removal
   Enable or disable inbound or outbound replication
   Disable connection translation
Note that disabling inbound or outbound replication is specific to the domain controller that you
target with the operation; it does not disable intrasite or intersite replication as a whole. It only
disables Active Directory replication for that one domain controller. However, if that domain
controller happens to be the bridgehead server for its site and the Intersite Topology Generator
(ISTG) is disabled (so that no other bridgehead is selected), then intersite replication to and from
that site is effectively disabled.


Syntax
Repadmin /options <DC> [{+|-} IS_GC] [{+|-} DISABLE_INBOUND_REPL] [{+|-} DISABLE_OUTBOUND_REPL]
[{+|-} DISABLE_NTDSCONN_XLATE]

+|- turns on or off the associated parameter.


Parameter                                          Description

<DC>                                               Domain controller

IS_GC                                              DSA is a global catalog server.

DISABLE_INBOUND_REPL                               Disables inbound replication.

DISABLE_OUTBOUND_REPL                              Disables outbound replication.

DISABLE_NTDSCONN_XLATE                             Turns off the capability of the KCC to translate
                                                   connection objects to replication links.


The following table lists the possible values for the options attribute.


Value                                                Description

1                                                    Global catalog server

2                                                    Disable inbound replication

3                                                    2+1

4                                                    Disable outbound replication

5                                                    4+1

6                                                    4+2

7                                                    4+2+1

8                                                    Disable connection translation


The following table lists the procedures that use the options attribute and the purpose of each.


Procedure                                         Purpose

Disable outbound replication                      Use this procedure to disable Active Directory
                                                  replication from a domain controller. The domain
                                                  controller continues to receive inbound replication.
                                                  repadmin /options <ServerName> +disable_outbound_repl
                                                  where <ServerName> is the name of the domain
                                                  controller on which you want to disable outbound
                                                  replication. The tool reports the current options
                                                  (the options that were in effect prior to pressing
                                                  ENTER) and the new options (all options that are
                                                  in effect after pressing ENTER).

Disable inbound replication                       Similarly, you can disable inbound replication to
                                                  a server:
                                                  repadmin /options <ServerName> +disable_inbound_repl

Disable the ability of the KCC to translate       When creating temporary replication links
connection objects                                between replication partners, the process could
                                                  fail if the KCC starts while you perform the
                                                  procedure. The KCC will delete any replication
                                                  links for which no corresponding connection
                                                  object exists.
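Repadmin /options reports one domain controller at a time, but the options attribute is stored on each NTDS Settings object in the Configuration partition, so a single LDAP query can show the state of every DC in the forest. The following PowerShell script is an added example, not part of this document or of Repadmin; it reads the attribute from all NTDS Settings objects and decodes it with the bit values in the table above, so domain controllers with inbound or outbound replication disabled, or with KCC connection translation turned off, can be spotted in one pass. It assumes the ActiveDirectory module and read access to the Configuration partition; the function names are hypothetical.

```powershell
# Added example (not from this document): read the options attribute of every
# NTDS Settings object in the forest and decode it using the bit values listed
# in this document (1 = IS_GC, 2 = DISABLE_INBOUND_REPL, 4 = DISABLE_OUTBOUND_REPL,
# 8 = DISABLE_NTDSCONN_XLATE). Assumes the ActiveDirectory module and read
# access to the Configuration partition. Function names are hypothetical.

$NtdsOptionBits = [ordered]@{
    IS_GC                  = 1
    DISABLE_INBOUND_REPL   = 2
    DISABLE_OUTBOUND_REPL  = 4
    DISABLE_NTDSCONN_XLATE = 8
}

function ConvertFrom-NtdsOptions {
    param([int]$Options)
    # Names of every flag set in the value; 5 yields IS_GC and DISABLE_OUTBOUND_REPL.
    $NtdsOptionBits.GetEnumerator() |
        Where-Object { ($Options -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-NtdsSettingsOptions {
    [CmdletBinding()]
    param([string]$Server = (Get-ADForest).RootDomain)

    $configNc = (Get-ADRootDSE -Server $Server).configurationNamingContext
    # Every DC's NTDS Settings object (class nTDSDSA) lives under CN=Sites.
    Get-ADObject -Server $Server -SearchBase "CN=Sites,$configNc" `
        -LDAPFilter '(objectClass=nTDSDSA)' -Properties options |
      ForEach-Object {
        $value = if ($null -ne $_.options) { [int]$_.options } else { 0 }
        # The DC name is the CN of the parent server object:
        # CN=NTDS Settings,CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,...
        $serverCn = ($_.DistinguishedName -split ',', 2)[1] -replace '^CN=([^,]+),.*$', '$1'
        [pscustomobject]@{
            DomainController    = $serverCn
            Options             = $value
            Flags               = (ConvertFrom-NtdsOptions $value) -join ','
            ReplicationDisabled = ($value -band 6) -ne 0   # inbound (2) or outbound (4)
        }
      }
}

# Usage: show every DC whose replication is disabled in either direction.
Get-NtdsSettingsOptions | Where-Object { $_.ReplicationDisabled }

# To clear a flag, use repadmin as described above, for example (constructed name):
#   repadmin /options DC02 -DISABLE_OUTBOUND_REPL
```

A domain controller that has replication disabled in either direction stops exchanging changes with the rest of the forest, so any such entry that was not set on purpose for maintenance should be investigated and cleared with the repadmin command shown in the table above.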




Advanced site options
By using the siteoptions subcommand, you can change the options attribute stored on the
NTDS Site Settings object.


Syntax
Repadmin /siteoptions <DC> /site:<Site> [{+|-} IS_AUTO_TOPOLOGY_DISABLED] [{+|-}
IS_TOPL_CLEANUP_DISABLED] [{+|-} IS_TOPL_MIN_HOPS_DISABLED] [{+|-}
IS_TOPL_DETECT_STALE_DISABLED] [{+|-} IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED] [{+|-}
IS_GROUP_CACHING_ENABLED] [{+|-} FORCE_KCC_WHISTLER_BEHAVIOR] [{+|-}
FORCE_KCC_W2K_ELECTION] [{+|-} IS_RAND_BH_SELECTION_DISABLED] [{+|-}
IS_SCHEDULE_HASHING_ENABLED] [{+|-} IS_REDUNDANT_SERVER_TOPOLOGY_ENABLED]


Parameter                                             Description

<DC>                                                  Domain controller

/site:<Site>                                          Site name where the domain controller
                                                      resides.

IS_AUTO_TOPOLOGY_DISABLED                             Disables the automatic generation of
                                                      intra-site topology.

IS_TOPL_CLEANUP_DISABLED                              Disables the cleanup of unneeded
                                                      connection objects and replication links.

IS_TOPL_MIN_HOPS_DISABLED                             Disables the KCC rule that all intrasite
                                                      replication partners should be no more
                                                      than three hops from any other partner.

IS_TOPL_DETECT_STALE_DISABLED                         Disables the detection by the KCC of
                                                      failing replication links and the behavior
                                                      of the KCC to route around failing links.
                                                      Use this with the KCC Branch Office
                                                      mode.

IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED                  Disables the automatic generation of the
                                                      intersite topology. Commonly used for
                                                      creating manual connections, either by
                                                      hand or with MKDSX.

IS_GROUP_CACHING_ENABLED                              Enables group caching for use with “no-
                                                      GC logon.” This setting is also exposed in
                                                      the UI of Active Directory Sites and
                                                      Services.

FORCE_KCC_WHISTLER_BEHAVIOR                           Forces the KCC to operate using the new
                                                      spanning tree algorithm. It is not
                                                      recommended to change this setting
                                                      manually. The recommended alternative is
                                                      to raise the forest functional level to
                                                      Windows Server 2003.

FORCE_KCC_W2K_ELECTION                                Forces the Windows 2000 domain
                                                      controller ISTG election logic. The default
                                                      is for any Windows Server 2003 domain
                                                      controller to assume the ISTG role.

IS_RAND_BH_SELECTION_DISABLED                         Disables the new random bridgehead
                                                      selection behavior. Reverts to the
                                                      Windows 2000 KCC behavior of using a
                                                      single bridgehead server.

IS_SCHEDULE_HASHING_ENABLED                           Creates a random schedule on each new
                                                      connection object based on a hashed value.
                                                      Helps to balance the load on bridgehead
                                                      servers.

IS_REDUNDANT_SERVER_TOPOLOGY_ENABLED                  Creates two inbound connection objects
                                                      from different domain controllers in a hub
                                                      site. Reduces the impact on FRS (vvjoin)
                                                      during failover.




Miscellaneous
The following table lists the neighbor flag (nbrflag) options.


Parameter                                   Definition

SYNC_ON_STARTUP                             Replication of this naming context from this
                                            source is attempted when the destination
                                            server is booted. This normally only applies to
                                            intra-site neighbors.

DO_SCHEDULED_SYNCS                          Perform replication on a schedule. This flag is
                                            normally set unless the schedule for this
                                            naming context and source is "never", that is,
                                            the empty schedule.

WRITEABLE                                   The local copy of the naming context is
                                            writable.

TWO_WAY_SYNC                                If set, indicates that when inbound replication is
                                            complete, the destination server must tell the
                                            source server to synchronize in the reverse
                                            direction. This feature is used in dial-up
                                            scenarios where only one of the two servers
                                            can initiate a dial-up connection. For example,
                                            this option would be used in a corporate
                                            headquarters and branch office, where the
                                            branch office connects to the corporate
                                            headquarters over the Internet by means of a
                                            dial-up ISP connection.

NEVER_SYNCED                                Synchronization has never been successfully
                                            completed from this source.

IGNORE_CHANGE_NOTIFICATIONS                 This neighbor is set to disable notification-
                                            based synchronizations. Within a site, domain
                                            controllers synchronize with each other based
                                            on notifications when changes occur. This
                                            setting prevents this neighbor from performing
                                            synchronizations that are triggered by
                                            notifications. The neighbor will still do
                                            synchronizations based on its schedule, or in
                                            response to manually requested
                                            synchronizations.

DISABLE_SCHEDULED_SYNC                      This neighbor is set to not perform
                                            synchronizations based on its schedule. The
                                            only way this neighbor will perform
                                            synchronizations is in response to change
                                            notifications or to manually requested
                                            synchronizations.

COMPRESS_CHANGES                            Changes received from this source are to be
                                            compressed. This is normally set if, and only if,
                                            the source server is in a different site.

NO_CHANGE_NOTIFICATIONS                     No change notifications should be received
                                            from this source. Normally set if, and only if, the
                                            source server is in a different site.



