Repadmin helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems.
You can use Repadmin to view the replication topology, as seen from the perspective of each domain controller. In addition, you can use Repadmin to manually create the replication topology, to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors (UTDVECs). You can also use Repadmin to monitor the relative health of an Active Directory Domain Services (AD DS) forest.
Important: During the normal course of operations, there is no need to create the replication topology manually. Incorrect use of Repadmin can adversely impact the replication topology. The primary use of Repadmin is to monitor replication so that you can identify problems, such as offline servers or an unavailable local area network (LAN) or wide area network (WAN) connection.
You must run the repadmin command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
Repadmin also requires administrative credentials on each domain controller that is targeted by the command. Members of the Domain Admins group have sufficient permissions to run repadmin on domain controllers in that domain. Members of the Enterprise Admins group are, by default, granted membership in the Domain Admins group in each domain in the forest.
You can also delegate the specific permissions that are required to view and manage replication status.
Syntax
repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password | *}] [/retry[:<retries>][:<delay>]] [/csv]
Help commands
Repadmin provides different Help menus for different types of information and for different levels of experience among administrators. The following table shows the commands that you can run for different Help menus in Repadmin.
| Command | Description |
|---|---|
| /? | Displays and describes commands that are available. |
| /help | Same as /? |
| /?:<cmd> | Displays possible arguments <args>, appropriate syntaxes, and examples for the specified command <cmd>. |
| /help:<cmd> | Same as /?:<cmd> |
| /experthelp | Displays commands that are available for advanced users only. |
| /listhelp | Displays the variations of syntax that are available for the DSA_NAME, DSA_LIST, NCNAME and OBJ_LIST strings. |
| /oldhelp | Displays help for commands in the Windows 2000 Server and Windows Server 2003 versions of Repadmin.exe. |
Commands
| Parameter | Description |
|---|---|
| | Forces the Knowledge Consistency Checker (KCC) on targeted domain controllers to immediately recalculate the inbound replication topology. |
| | Specifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs). |
| | Displays inbound replication requests that the domain controller must issue to become consistent with its source replication partners. |
| | Triggers the immediate replication of the specified directory partition to a destination domain controller from a source domain controller. |
| | Replicates a single object between any two domain controllers that have common directory partitions. |
| | Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report. |
| | Triggers replication of passwords for the specified users from the source domain controller to one or more read-only domain controllers. (The source domain controller is typically a hub site domain controller.) |
| | Displays the attributes of an object. |
| | Displays the replication metadata for a specified object that is stored in AD DS, such as attribute ID, version number, originating and local update sequence numbers (USNs), globally unique identifier (GUID) of the originating server, and date and time stamp. |
| | Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions. |
| | Displays the highest, committed USN that AD DS, on the targeted domain controller, shows as committed for itself and its transitive partners. |
| | Synchronizes a specified domain controller with all replication partners. |
Additional parameters
| Parameter | Description |
|---|---|
| u | Specifies the domain and user name with permission to perform operations in AD DS. (The domain and user name are separated by a backslash, for example, domain\user.) This parameter does not support using a User Principal Name (UPN) to log on to a domain. |
| pw | Specifies the password for the user name that you enter with the /u parameter. |
| Retry | Causes Repadmin to retry its attempt to bind to the target domain controller, if the first attempt fails with one of the following errors: |
| csv | Displays the results of the /showrepl parameter in a comma-separated-value (CSV) format. |
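
The /csv form of /showrepl is the one to feed into monitoring. The following is an added example, not part of the original documentation: it filters /showrepl CSV rows down to the replication links that are currently failing. The column names, the sample rows and the function name Get-ReplFailure are assumptions made for this example; the sample data is constructed so the block runs offline.

```powershell
# Constructed sample in the shape of "repadmin /showrepl * /csv" output.
# Column names and status codes are assumptions, not values from this page.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC-01,"DC=Contoso,DC=Com",HQ,DC-02,RPC,0,0,2024-05-01 10:15:02,0
showrepl_INFO,HQ,DC-01,"DC=Contoso,DC=Com",Branch,DC-03,RPC,14,2024-05-01 10:01:44,2024-04-29 22:40:10,1722
showrepl_INFO,Branch,DC-03,"CN=Configuration,DC=Contoso,DC=Com",HQ,DC-01,RPC,3,2024-05-01 09:58:12,2024-05-01 08:10:00,8524
'@

# Hypothetical helper: returns one object per inbound link whose failure
# count exceeds the tolerated threshold, worst link first.
function Get-ReplFailure {
    param(
        [string[]] $CsvLine,
        [int] $MaxFailures = 0
    )
    $CsvLine |
        Where-Object { $_ } |      # drop blank lines before CSV parsing
        ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt $MaxFailures } |
        ForEach-Object {
            [pscustomobject]@{
                Destination   = $_.'Destination DSA'
                Source        = $_.'Source DSA'
                NamingContext = $_.'Naming Context'
                Failures      = [int]$_.'Number of Failures'
                LastSuccess   = $_.'Last Success Time'
                LastStatus    = $_.'Last Failure Status'
            }
        } |
        Sort-Object -Property Failures -Descending
}

# Offline run against the constructed sample.
Get-ReplFailure -CsvLine ($sampleCsv -split "`r?`n") | Format-Table -AutoSize

# Live use from an elevated prompt on a domain-joined host:
# Get-ReplFailure -CsvLine (repadmin /showrepl * /csv)
```

A link that keeps failing means account disablements, password resets and group membership changes made on one domain controller are not reaching the other, so long-lived entries in this output are worth alerting on.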
The DSA_LIST parameter
This section explains the syntax of the DSA_LIST parameter.
Note: The DSA_LIST parameter is the same as the DC_LIST parameter in the Windows Server 2003 version of Repadmin.exe.
Syntax
{<dc_name dc_name…> | * | <partial_server_name>* | site:<site_name> | gc: | fsmo_<type>:[<name> | <site_name>]}
Parameters
| Parameter | Definition |
|---|---|
| <dc_name dc_name…> | Specifies the single-label host name of a domain controller or a list of domain controllers that are separated in the list by single spaces. The repadmin command targets only the domain controllers that you specify. |
| * | Specifies that the repadmin command will target all domain controllers in the forest of the computer that you are running Repadmin.exe on. Improper use of this standard wildcard character can cause a significant increase in network traffic. |
| <partial_server_name> | Uses wildcard characters to return partial matches. For example, if you append an asterisk (*) when you specify the partial domain controller name "Contoso-DC-*", the command returns Contoso-DC-01, Contoso-DC-02, Contoso-DC-03, and so on. This parameter works best when you use a common prefix for domain controllers in the domain. You cannot use a wildcard character at the beginning of the partial server name. |
| site:<site_name> | Returns all domain controllers in the Active Directory site that you specify in this parameter. |
| gc | Queries all global catalog servers in the enterprise. |
| fsmo_<type> | Specifies a group of domain controllers to query by operations master role. (The operations master role is also known as flexible single master operations or FSMO.) Valid operations master roles are listed in the following table. |
Valid operations master roles
| Operations master role | Description |
|---|---|
| fsmo_pdc:[<name>] | Runs Repadmin.exe against the primary domain controller (PDC) emulator operations master. The <name> parameter takes a naming context. |
| fsmo_rid:[<name>] | Runs Repadmin.exe against the relative ID (RID) operations master. The <name> parameter takes a naming context. |
| fsmo_im:[<name>] | Runs Repadmin.exe against the infrastructure operations master. The <name> parameter takes a naming context. |
| fsmo_istg:[<site_name>] | Runs Repadmin.exe against the Intersite Topology Generator (ISTG). The <site_name> parameter takes a site distinguished name. |
| fsmo_dnm: | Runs Repadmin.exe against the domain naming operations master. |
| fsmo_schema: | Runs Repadmin.exe against the schema operations master. |
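
When Repadmin is called from scripts or scheduled jobs, it helps to check the DSA_LIST value before it reaches the command line, both to catch malformed selectors and to make a forest-wide `*` an explicit decision. The following is an added example, not part of the original documentation: it classifies a single DSA_LIST token against the forms in the two tables above. The function names, result fields and sample tokens are made up for this example, and "Documented" only reflects what this page lists.

```powershell
# Hypothetical helper that builds one result row.
function New-DsaResult([string]$Token, [string]$Kind, [bool]$Documented, [string]$Note) {
    [pscustomobject]@{ Token = $Token; Kind = $Kind; Documented = $Documented; Note = $Note }
}

function Test-DsaListToken {
    param([Parameter(Mandatory)] [string] $Token)

    # Roles from the "Valid operations master roles" table; the value records
    # whether the table shows an argument after the colon.
    $fsmoTakesArg = @{ pdc = $true; rid = $true; im = $true; istg = $true; dnm = $false; schema = $false }

    switch -Regex ($Token) {
        '^\*$'        { return New-DsaResult $Token 'AllDCs' $true 'every DC in the forest; can raise network traffic' }
        '^\*'         { return New-DsaResult $Token 'Invalid' $false 'wildcard cannot start a partial server name' }
        '^site:(.+)$' { return New-DsaResult $Token 'Site' $true "all DCs in site '$($Matches[1])'" }
        '^gc:$'       { return New-DsaResult $Token 'GlobalCatalogs' $true 'all global catalog servers' }
        '^fsmo_([a-z]+):(.*)$' {
            $role = $Matches[1]; $value = $Matches[2]
            if (-not $fsmoTakesArg.ContainsKey($role)) {
                return New-DsaResult $Token 'Invalid' $false "unknown operations master role '$role'"
            }
            if ($value -and -not $fsmoTakesArg[$role]) {
                return New-DsaResult $Token 'Invalid' $false "fsmo_${role}: is listed without an argument"
            }
            return New-DsaResult $Token "Fsmo:$role" $true 'operations master role holder'
        }
        '^[^*:\s]+\*$' { return New-DsaResult $Token 'PartialName' $true 'prefix match on DC names' }
        '^[^*:\s]+$'   { return New-DsaResult $Token 'DcName' $true 'single domain controller' }
        default        { return New-DsaResult $Token 'Invalid' $false 'not a form listed in the DSA_LIST table' }
    }
}

# Constructed tokens: each documented form plus three malformed ones.
$tokens = 'Contoso-DC-01', '*', 'Contoso-DC-*', '*-DC-01', 'site:Branch', 'gc:',
          'fsmo_pdc:DC=Contoso,DC=Com', 'fsmo_schema:DC=Contoso,DC=Com', 'fsmo_xyz:'
$tokens | ForEach-Object { Test-DsaListToken -Token $_ } | Format-Table -AutoSize
```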
Remarks
- Repadmin syntax uses the following terminology:
  - Naming context: The distinguished name of a directory partition in an AD DS forest. Naming contexts include the three Read/Write naming contexts (domain, schema, and configuration) and the optional read-only naming contexts that are present on domain controllers that are global catalog servers. A naming context can also be an application directory partition. You specify a naming context as a distinguished name, which indicates its hierarchical relationship to the forest root domain, for example, DC=MyDomain,DC=Contoso,DC=Com.
  - Globally unique identifier (GUID): The 128-bit number that is used to uniquely identify objects that are stored in the directory, for example, fa1a9e6e-2e14-11d2-aa9b-bbfc0a30094c. The GUID is sometimes referred to in syntax as a universally unique identifier (UUID). For the purposes of Repadmin, these two terms are synonymous.
  - Distinguished name: An X.500 distinguished name, for example, CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Contoso,DC=Com.
- In the Repadmin examples that are included in each command topic, the domain controller object GUID and the domain controller Invocation ID that are returned by some commands, such as the /showrepl command, initially show identical hexadecimal values (until system state is restored). However, these two values identify different objects. The domain controller object GUID is a unique identifier for the NTDS Settings object on the domain controller. The value of the domain controller object GUID does not change unless you remove AD DS from the domain controller, and then reinstall it. The domain controller Invocation ID identifies the directory database on the domain controller. This value changes when you restore a domain controller from a backup. When you first install a domain controller, the values for these two identifiers are the same; however, whenever you restore a domain controller from a backup, the Invocation ID value changes.
- Most Repadmin commands take their parameters in the following order:
  - "Destination or Target DSA_LIST"
  - "Source DSA_NAME", if required
  - <Naming Context> or Object distinguished name, if required

  repadmin /showrepl <DSA_LIST> <Source_DSA_NAME> <Naming Context>
  dc-01 dc-01.contoso.com localhost
  ad-am-01:2000 ad-am-01.contoso.com:2000
  DC=My-Domain,DC=Contoso,DC=Com
- Text with international or Unicode characters displays correctly if you install appropriate fonts and language support on the computer from which you run Repadmin. Examples of such text are naming context names and server names.