AD Replication using Repadmin & Powershell cmdlets

August 17, 2021 | Active Directory

The Repadmin tool

Repadmin.exe is a command-line tool that is available once you have installed the Active Directory role; otherwise, you have to install the Remote Server Administration Tools (RSAT). Its output is plain text, so customizing the format of the output can get time-consuming.

In the example that follows, Repadmin requests the inbound replication information from a domain controller named DC2012. The /csv switch produces the output in CSV format, and /Errorsonly shows only the connections with errors.

repadmin /showrepl DC2012 "DC=test,DC=local" /csv /Errorsonly

Figure : Get the replication info using Repadmin

Figure : Repadmin outputs info as a string

If you plan to work with the output in PowerShell, you can pipe it to the ConvertFrom-Csv cmdlet to turn each row into an object. You can then filter and format the information as shown below.

repadmin /showrepl DC2012 "DC=test,DC=local" /csv | ConvertFrom-Csv | ? { $_.'Number of Failures' -ne 0 } | select 'Source DSA','Destination DSA','Last Failure Time'

Figure : Conversion of Repadmin data into objects

PowerShell replication cmdlets

Microsoft added a number of PowerShell cmdlets in Windows Server 2012 that allow you to check the Active Directory replication status. The cmdlets belong to the Active Directory PowerShell module; on a Windows workstation, the RSAT tools give you that module.

Unlike Repadmin, the PowerShell cmdlets produce objects rather than text. An object has a rich set of properties and methods that you can reuse within your scripts and pipe to other cmdlets, which simplifies automation and reporting tasks.

Why cmdlets

The ability to present the output as an object is the main advantage of PowerShell replication cmdlets compared to the Repadmin tool.

The following example demonstrates how useful object output is when troubleshooting issues.

Get-ADReplicationPartnerMetadata -Target DC2012 -Partition domain | Select Server,@{n="Partner";e={(Resolve-DnsName $_.PartnerAddress).NameHost}},LastReplicationAttempt

Figure : Get the last replication info using cmdlets

Get-ADReplicationPartnerMetadata -Target DC2012 -Partition "DC=test,DC=local" | gm

Figure : Cmdlet outputs as objects

Compared to the solution with Repadmin plus ConvertFrom-Csv, the PowerShell cmdlets return objects with more properties.

repadmin /showrepl DC2012 "DC=test,DC=local" /csv | ConvertFrom-Csv | gm | Group-Object -Property MemberType

Figure : Return the property count from both

The major advantage of working with an object with many properties is that you can easily extract the information you need by piping the object to additional PowerShell commands.

The example below shows three cmdlets connected by a pipeline. The first cmdlet returns the replication partner metadata; Select-Object then exposes the partner address as a ComputerName property, and that result is passed to Test-Connection to check whether the corresponding computers are online.

Get-ADReplicationPartnerMetadata -Target DC2012 -Scope Server | Select @{N="ComputerName";e={$_.PartnerAddress}} | Test-Connection

Figure : Using the pipeline with the PowerShell replication cmdlets

Another advantage of the PowerShell cmdlets is that it is easy to understand what a particular command is supposed to do. Compare the following two commands, which both return the replication metadata, and you will see what I mean.

Get-ADReplicationPartnerMetadata -Target DC2012 -Partition Schema

repadmin /showrepl DC2012 "DC=test,DC=local"

PowerShell replication cmdlet examples

Below you will find a few examples of how you can use the PowerShell replication cmdlets.

Get-ADReplicationPartnerMetadata

This returns the replication partner metadata for a designated server or set of servers within the forest; by default only inbound partners are listed.

Get-ADReplicationPartnerMetadata -Target DC2012 -Partition Schema -PartnerType Both | select Server,@{n="Partner";e={(Resolve-DnsName $_.PartnerAddress).NameHost}},Partition,LastReplicationResult,PartnerType | ft

Figure : Get both the incoming and outgoing partners’ replication info

Get-ADReplicationFailure

This queries the failed replication details for a designated server based on the input target and scope.

The figure below shows that there is currently no replication issue from ADC2012 to DC2012, but that the connection did fail on 09/25/2019 at 12:01 AM. Note that FirstFailureTime is not the most recent failure time: any number of retry attempts might have happened between that first failure and the point where replication succeeded again. The number of failed retries is stored in the FailureCount property, but only while the connection is still in a failed state; once it has recovered, the value is 0.

Get-ADReplicationFailure -Target ADC2012 | select Server,Partner,FirstFailureTime,FailureCount,FailureType

Figure : Get the failed replication details
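As an added example (not code from the original post), the following functions combine Get-ADReplicationPartnerMetadata and Get-ADReplicationFailure into a domain-wide inbound replication health report that flags partners whose last attempt failed or whose last success is older than a threshold. The function names, the use of -Scope Domain with the domain DNS name as target, and the 60-minute threshold are my assumptions.

```powershell
# Added example, not part of the original post: domain-wide inbound replication health report.
# Assumes the RSAT ActiveDirectory module is installed and the caller may read replication
# metadata on every DC; the 60-minute staleness threshold is an arbitrary choice.
Import-Module ActiveDirectory

function Get-ReplicationHealthReport {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,   # -Scope Domain takes the domain DNS name
        [int]$StaleAfterMinutes = 60
    )
    $now = Get-Date
    $partners = Get-ADReplicationPartnerMetadata -Target $Domain -Scope Domain -PartnerType Inbound
    foreach ($p in $partners) {
        # PartnerAddress is the partner's GUID-based CNAME; resolve it to a host name as the post does
        $partnerHost = (Resolve-DnsName $p.PartnerAddress -ErrorAction SilentlyContinue).NameHost
        if (-not $partnerHost) { $partnerHost = $p.PartnerAddress }

        # A partner that has never succeeded has no LastReplicationSuccess; treat it as maximally stale
        $ageMinutes = if ($p.LastReplicationSuccess) {
            [int]($now - $p.LastReplicationSuccess).TotalMinutes
        } else { [int]::MaxValue }

        $status = if ($p.LastReplicationResult -ne 0) { 'FAILING' }       # last attempt returned an error code
                  elseif ($ageMinutes -gt $StaleAfterMinutes) { 'STALE' }  # no success within the threshold
                  else { 'OK' }

        [pscustomobject]@{
            Server              = $p.Server
            Partner             = $partnerHost
            Partition           = $p.Partition
            LastResult          = $p.LastReplicationResult      # 0 means success
            ConsecutiveFailures = $p.ConsecutiveReplicationFailures
            MinutesSinceSuccess = $ageMinutes
            Status              = $status
        }
    }
}

function Get-OpenReplicationFailures {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    # FailureCount is non-zero only while a link is still failing, as the post explains
    Get-ADReplicationFailure -Target $Domain -Scope Domain |
        Select-Object Server, Partner, FirstFailureTime, FailureCount, FailureType, LastError
}

# Usage: list everything that is not healthy, then the open failures with their error codes
Get-ReplicationHealthReport | Where-Object Status -ne 'OK' | Format-Table -AutoSize
Get-OpenReplicationFailures | Format-Table -AutoSize
```

Running the report on a schedule and alerting on any FAILING or STALE row is a cheap way to notice replication breakage before it shows up as inconsistent group membership or stale password changes.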

Get-ADReplicationConnection

This returns a specific Active Directory replication connection object, or a set of connection objects that match a specified filter.

The first command lists all connection objects in the AD forest using the Filter parameter, while the second lists the details of a specific connection object using the Identity parameter.

Get-ADReplicationConnection -Properties * -Filter * | select Name,AutoGenerated,InterSiteTransportProtocol,schedule,fromServer | ft

Figure : Get all the connections from the forest using the filter parameter

Get-ADReplicationConnection -Identity "ADC2012->WIN-H5A3L7FJOB4" -Properties * | select Name,AutoGenerated,InterSiteTransportProtocol,schedule,fromServer | ft

Figure : Get the specific connection using the identity parameter

Get-ADReplicationAttributeMetadata

This cmdlet queries the replication metadata for an object from a specified directory server. The output shows the what, when, and where of a particular object's modification within your AD, but not who modified it. If auditing is enabled, the metadata timestamp helps you find the modifier in the security log.

Get-ADReplicationAttributeMetadata "DC=Win8,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local" -Server DC2012 -IncludeDeletedObjects -ShowAllLinkedValues | Where-Object { $_.attributename -eq "dnsTombstoned" }

The command displays the metadata of a deleted record named Win8 in the zone test.local. This object was deleted on 09/29/2019 from the server DC2012.

If you want to know who deleted this record, look for event ID 4662 in the Security log around that timestamp. Note that you have to enable DNS auditing for these events to be written to the Security log.

Figure : Get replication metadata for a deleted DNS record

Figure : Get the modifier details from the security log using a metadata timestamp
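As an added example (not code from the original post), this function automates the correlation just described: it reads the dnsTombstoned metadata of a DNS record, takes the originating DC and change time from it, and searches that DC's Security log for 4662 events on the same object. The function and parameter names are mine, and I assume LastOriginatingChangeDirectoryServerIdentity is returned as a host name that Get-WinEvent can reach.

```powershell
# Added example, not part of the original post: correlate the replication metadata of a
# tombstoned DNS record with Security event 4662 on the DC that originated the change.
# Assumes the RSAT ActiveDirectory module, DNS auditing enabled as the post describes (so 4662
# is written), and rights to read the remote Security log. Function and parameter names are mine.
Import-Module ActiveDirectory

function Find-DnsRecordModifier {
    param(
        [Parameter(Mandatory)][string]$RecordDN,   # DN of the dnsNode object, as in the post
        [string]$Server = 'DC2012',
        [int]$WindowSeconds = 120                   # search +/- this many seconds around the change
    )
    # 1. Replication metadata tells us WHEN dnsTombstoned last changed and on WHICH DC.
    $meta = Get-ADReplicationAttributeMetadata -Object $RecordDN -Server $Server -IncludeDeletedObjects |
            Where-Object { $_.AttributeName -eq 'dnsTombstoned' }
    if (-not $meta) { Write-Warning "No dnsTombstoned metadata for $RecordDN"; return }
    $changeTime = $meta.LastOriginatingChangeTime
    $originDc   = $meta.LastOriginatingChangeDirectoryServerIdentity
    # Assumption: the identity is normally a host name; if it comes back as an NTDS Settings DN, fall back.
    if ($originDc -like 'CN=*') { $originDc = $Server }
    # 2. Event 4662 usually names the object by GUID rather than DN, so fetch the GUID for matching.
    $guid = (Get-ADObject -Identity $RecordDN -Server $Server -IncludeDeletedObjects).ObjectGUID.ToString()
    # 3. Pull 4662 events from the originating DC inside the time window.
    $events = Get-WinEvent -ComputerName $originDc -FilterHashtable @{
        LogName = 'Security'; Id = 4662
        StartTime = $changeTime.AddSeconds(-$WindowSeconds)
        EndTime   = $changeTime.AddSeconds($WindowSeconds)
    } -ErrorAction SilentlyContinue
    # 4. Parse each event's EventData and keep the ones that touched our object.
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.ObjectName -like "*$guid*" -or $data.ObjectName -like "*$RecordDN*") {
            [pscustomobject]@{
                EventTime     = $e.TimeCreated
                Account       = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                ObjectName    = $data.ObjectName
                OriginatingDC = $originDc
                MetadataTime  = $changeTime
            }
        }
    }
}

# Usage, with the DN from the post's example:
Find-DnsRecordModifier -RecordDN 'DC=Win8,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local'
```

If nothing comes back, widen WindowSeconds or check that the zone carries a SACL for the operation, since 4662 is only generated for objects that have one.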

Get-ADReplicationSite, SiteLink, Subnet, SitelinkBridge

These cmdlets query a single site component or a set of them based on a specified filter. You can query the cost and replication frequency of a site link, which helps you understand the replication topology and the expected replication delays.

Figure : Example of subnet and sitelink cmdlets

PowerShell equivalents for Repadmin commands

The following table lists a few replication functions that are available in both tools, with the Repadmin (or dsquery) command and its PowerShell equivalent.

Task                                                       Repadmin / dsquery         PowerShell
Get replication partner status                             repadmin /showrepl         Get-ADReplicationPartnerMetadata
Get inbound replication queue details                      repadmin /queue            Get-ADReplicationQueueOperation
Replicate a specific AD object between domain controllers  repadmin /replsingleobj    Sync-ADObject
Get replication metadata of an AD object                   repadmin /showobjmeta      Get-ADReplicationAttributeMetadata
Show the highest committed USN                             repadmin /showutdvec       Get-ADReplicationUpToDatenessVectorTable
Display ISTG details                                       repadmin /istg *           Get-ADReplicationSite -Filter * | Select InterSiteTopologyGenerator
List all the subnets in the forest                         dsquery subnet             Get-ADReplicationSubnet
List the AD sites in the domain                            dsquery site               Get-ADReplicationSite

Why Repadmin still matters

The PowerShell replication cmdlets cannot completely replace Repadmin, because some powerful Repadmin functions are still not available in PowerShell. Notably, these are the commands that force replication of all directory partitions after a change. Another important task you currently can't do with PowerShell is asking the KCC to rebuild the replication topology so that any missing connections are created.

Below are a few examples of Repadmin tasks you can't perform with PowerShell.

The following command forces and pushes all the replication changes.

repadmin /syncall /Aped
repadmin /syncall /Aed

[A = all partitions, P = push, e = enterprise (cross-site), d = distinguished names]

The next command forces the domain-naming context changes from ADC2012 to DC2012.

repadmin /replicate DC2012 ADC2012 "DC=test,DC=local" /force

And this last command creates the missing replication connection object for each domain controller in a specified site.

repadmin /kcc Site:Default-First-Site-Name

Conclusion

The main advantage of the PowerShell replication cmdlets is that you work with rich objects that simplify many automation tasks. However, because PowerShell still lacks a few features of Repadmin, the AD admin has to keep this utility in the toolbox for a while.
