How To Use Repadmin for Active Directory Troubleshooting



Article source: https://redmondmag.com/articles/2014/08/08/repadmin-for-ad-troubleshooting.aspx


Most of the time Active Directory replication seems to work pretty well. When the replication process does break down, however, troubleshooting the problem can sometimes be surprisingly difficult. Thankfully, the Windows operating system includes a command line tool called Repadmin that you can use to diagnose (and in some cases repair) Active Directory replication.


The Repadmin tool has been a part of the Windows Server operating system since at least Windows Server 2003, and is alive and well in Windows Server 2012 R2. To use the Repadmin tool, you must open an elevated Command Prompt window. This can be done in Windows Server 2012 and Windows Server 2012 R2 by right-clicking on the Start button and then choosing the Command Prompt (Admin) option from the shortcut menu.

The way that you would use Repadmin depends on exactly what it is that you are trying to accomplish. For the purposes of this article, I will show you the basics. The techniques that I am about to describe assume that you are running Repadmin directly on a domain controller and that you are logged in as a domain administrator.

The first command that you probably want to run is:

Repadmin /replsummary

You can see an example of this command in Figure 1.

Figure 1. The Repadmin /replsummary command provides an Active Directory replication summary.


As you can see in the figure above, this command provides you with a summary view of the current replication health. So let's take a look at this summary in a bit more detail.

As you look at the figure, you will notice that it is divided into two main sections -- Source DSA and Destination DSA. You will also notice that the same servers are listed in both sections. The reason for this is that Active Directory uses a multi-master domain model. In other words, Active Directory updates can be written to any domain controller (with read-only domain controllers being the notable exception). Those updates are then replicated to the other domain controllers in the domain. This is the reason why you see the same domain controllers listed as both source and destination DSAs. If my domain contained any read-only domain controllers, they would only be listed in the Destination DSA section.


Of course, the replication summary report does more than just list your domain controllers. It also lists the largest replication deltas. You can also see the total number of replications that have recently been attempted, as well as how many of those attempts failed. You can even see the percentage of attempts that resulted in an error.

Obviously the summary is a good starting place, but you might be wondering what other types of information we can see. Here's another interesting command to take a look at:

Repadmin /Queue

The Repadmin /queue command shows you how many items are in the queue waiting to be replicated.

Figure 2. An empty queue list.

If you look at Figure 2, you can see that there are currently no items in my queue. It's actually normal to see some items in the queue. The only reason why my queue is showing zero items is because I work in a small shop with infrequent Active Directory updates. So if you see items in your queue, it does not necessarily indicate a problem. It's only a problem if those items sit in the queue indefinitely or if the queue length increases indefinitely.


OK, so there is nothing in my Active Directory queue right now, but if you look back at Figure 1, you will recall that there were five recent replication operations that completed successfully. What if I wanted to know more about those five objects? Well, in that type of situation, I could use the following command:

Repadmin /Showrepl

As you can see in Figure 3, this command displays the GUID of each object that was initially replicated, as well as the replication result. This is useful because you may find that there is a single object for which replication is failing.

Figure 3. You can see the results of attempted replication operations by using the Repadmin /showrepl command.
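The replication results that Repadmin /showrepl reports can also be filtered by script instead of read by eye. The following PowerShell is an added example, not code from the original article: it relies on repadmin's /csv output option for /showrepl and its column headers, which the article does not cover, and the function name, the 24-hour staleness threshold and the sample rows (DC1, DC2, contoso.example) are assumptions made for illustration.

```powershell
# Added example. The rows in $sampleCsv are constructed; DC1, DC2 and
# contoso.example are placeholder names, not values from the article.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=contoso,DC=example",Default-First-Site-Name,DC2,RPC,0,0,2014-08-08 10:15:02,0
showrepl_INFO,Default-First-Site-Name,DC1,"CN=Configuration,DC=contoso,DC=example",Default-First-Site-Name,DC2,RPC,3,2014-08-08 10:14:47,2014-08-07 22:01:13,1722
'@

# Hypothetical helper: returns one object per inbound link that has recorded
# failures or whose last successful replication is older than the threshold.
function Get-FailingReplLink {
    param(
        [string[]] $CsvLine,            # lines of "repadmin /showrepl ... /csv" output
        [int]      $MaxAgeHours = 24,   # assumed staleness threshold
        [datetime] $Now = (Get-Date)
    )
    $CsvLine | ConvertFrom-Csv |
        Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' } |   # data rows only
        ForEach-Object {
            $failures = [int]$_.'Number of Failures'
            $lastOk   = [datetime]::MinValue
            $parsed   = [datetime]::TryParse($_.'Last Success Time', [ref]$lastOk)
            # Stale: no parseable success time, or last success older than the threshold.
            $stale    = (-not $parsed) -or (($Now - $lastOk).TotalHours -gt $MaxAgeHours)
            if ($failures -gt 0 -or $stale) {
                [pscustomobject]@{
                    Destination   = $_.'Destination DSA'
                    Source        = $_.'Source DSA'
                    NamingContext = $_.'Naming Context'
                    Failures      = $failures
                    LastSuccess   = $_.'Last Success Time'
                    LastStatus    = $_.'Last Failure Status'
                }
            }
        }
}

# Offline run against the constructed sample (clock pinned to the sample's date).
Get-FailingReplLink -CsvLine ($sampleCsv -split '\r?\n') -Now '2014-08-08 11:00' |
    Format-Table -AutoSize

# Live run from an elevated prompt on a domain controller:
# Get-FailingReplLink -CsvLine (repadmin /showrepl * /csv)
```

Against the constructed sample, only the Configuration partition link is returned, because it is the only row with a nonzero failure count.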


So what can you do if you suspect that there may be a problem with Active Directory replication? Well, the Repadmin command supports about a dozen different switches that you can use to correct a wide variety of problems. The first thing that I would recommend doing, however, is running the Repadmin /replicate command. This command manually initiates the replication process. If that does not fix your problem, then I recommend checking out the TechNet documentation for Repadmin. The documentation explains how to use some of Repadmin's more advanced troubleshooting and repair functions.