Getting Over Replmon

Getting Over Replmon

  • Comments 11
  • Likes

Ned here again. The AD Replication Monitor utility (Replmon.exe) was introduced with the Windows Server 2000 Support Tools many years ago as a GUI mechanism for performing certain DC admin tasks. With the release of Window Server 2008 Replmon was not included and we stopped making add-on Support Tools. Every few weeks someone asks me ‘where do I download the Windows Server 2008 version of Replmon? Nowhere. It’s done. Buried. Gone. Kaput. If you want it, you must run the old Windows Server 2003 version. Today I will talk about moving on with its supported replacement, Repadmin.exe.

Background

Replmon grew out of the need for a more useful tool than the AD Sites and Services snap-in (dssites.msc). DS Sites offered only a basic view of the topology, and had very limited options for forcing replication or seeing errors in the topology.

image

On the other hand, Replmon exposed more information and had a deeper view into the AD partitioning structure. It was designed not by the Windows Product Group but rather by an engineer in PSS. Like all Support Tools, it was not truly supported but instead provided ‘AS IS’.

image

Replmon gave an administrator the ability to quickly force replication, get basic status reports, and see information about the environmental configuration.

image

It was also written in a graphical format rather than a command-line interface. When Active Directory was first released 10 years ago, most tools were given more attention in their GUI rather than command-line versions. Customers were already overwhelmed with the radical changes of AD over NT and having a GUI was a highly desirable feature for a complex and not well-understood product like Active Directory.

That was then.

Now AD is as ubiquitous as Windows in most customer environments. Windows administrators are much more comfortable with the command-line, and that’s great – because repadmin.exe is now equal or superior to Replmon. Don’t believe me? Let’s compare.

Moving On with Repadmin Syncall

The most common operation with Replmon was to have it ”push” AD replication outbound from a given DC where someone had made a change and wanted it to propagate quickly to all partners. I put ”push” in quotes because AD replication is always pull-based; there is no such thing as push. What Replmon was actually doing was contacting the partner DCs and telling them to replicate inbound immediately. To do this you would:

1. Start Replmon.

2. Type in (or search for) the DC.

3. Right click the DC or partition and choose Synchronize to force replication.

4. Select if you wanted to pull or push, cross AD sites or not, and disable transitivity or not.

image

image

Then you waited for it to finish. There were no immediate results to view, and you weren’t always going to see useful messages when something was shown at all. The only progress was a small status bar:

image

And you might also see:

image

If there was a problem you would get an error, but it could be misleading. For example, here is the error you get when forcing replication of the Domain partition and one of the DCs is offline for maintenance:

image

image

Now contrast this with the Repadmin.exe steps for the same server, doing a push replication of all partitions:

1. Run:

Repadmin /syncall DC_name /APed

2. There is no step 2, we’re done. :-)

By running a repadmin /syncall with the /A(ll partitions) P(ush) e(nterprise, cross sites) d(istinguished names) parameters, you have duplicated exactly what Replmon is doing. Except that you did it in one step, not many. And with the benefit of seeing immediate results on how the operations are proceeding. If I am running it on the DC itself, I don’t even have to specify the server name.

image

What about the situation I showed earlier where one of the DCs was offline for maintenance? In this case I am going to have Repadmin synchronize just the Domain partition, pushing across site boundaries:

Repadmin /syncall /Pe dc_name naming_context

With Repadmin we get a much more specific error:

image

Those are legitimate errors that are documented and can be researched.

Status Checking

Replmon had the option to generate a status report text file. It could tell you which servers were configured to replicate with each other, if they had any errors, and so on. It was pretty useful actually, and one of the main reasons people liked the tool.

Repadmin.exe offers similar functionality within a few of its command line options. For example, we can get a summary report:

Repadmin /replsummary *

image

Several DCs have been taken offline. Repadmin shows the correct error of 58 – that the other DCs are not available and cannot tell you their status.

You can also use more verbose commands with Repadmin to see details about which DCs are or are not replicating:

Repadmin /showrepl *

image

If you want to generate a ‘repadmin status report’ that generates a bunch of useful status information, give this simple batch file a try:

@echo off

echo.
echo Gathering Report for DCLIST = %1
echo.
Echo Report for DCLIST = %1 > replreport.txt

echo. >> replreport.txt
echo. >> replreport.txt

echo Gathering Verbose Replication and Connections
echo Verbose Replication and Connections >> replreport.txt echo. >> replreport.txt
repadmin /showrepl %1 /all >> replreport.txt
echo. >> replreport.txt

echo Gathering Bridgeheads
echo Bridgeheads >> replreport.txt
echo. >> replreport.txt
repadmin /bridgeheads %1 /verbose >> replreport.txt
echo. >> replreport.txt

echo Gathering ISTG
echo ISTG >> replreport.txt
echo. >> replreport.txt
repadmin /istg %1 >> replreport.txt
echo. >> replreport.txt

echo Gathering DRS Calls
echo Outbound DRS Calls >> replreport.txt
echo. >> replreport.txt
repadmin /showoutcalls %1 >> replreport.txt
echo. >> replreport.txt

echo Gathering Queue
echo Queue >> replreport.txt
echo. >> replreport.txt
repadmin /queue %1 >> replreport.txt
echo. >> replreport.txt

echo Gathering KCC Failures
echo KCC Failures >> replreport.txt
echo. >> replreport.txt
repadmin /failcache %1 >> replreport.txt
echo. >> replreport.txt

echo Gathering Trusts
echo Trusts >> replreport.txt
echo. >> replreport.txt
repadmin /showtrust %1 >> replreport.txt
echo. >> replreport.txt

echo Gathering Replication Flags
echo Replication Flags >> replreport.txt
echo. >> replreport.txt
repadmin /bind %1 >> replreport.txt
echo. >> replreport.txt

echo Done.

Copy and paste into notepad, save as a CMD file and run it with a server name, a partial server name with wildcards, or an asterisk. It supports whatever Repadmin supports.

So to get data from one server, like with Replmon:

Replreport.cmd server1

Or to get data from all DC’s (which Replmon cannot do):

Replreport.cmd *

Or to get data from all servers that have names starting with “SANFRAN“:

Replreport.cmd sanfran*

It will output to a text file called replreport.txt. Anything Repadmin can do, you can do in this batch file.

More More More

Repadmin can do even more for monitoring. Such as:

Tell you the last time your DCs were backed up, by reading the DSASignature attribute from all servers:

Repadmin /showbackup *

image

Or output all replication summary information from all DCs to a CSV format that you can open in a spreadsheet or database. Here I’ve brought my DCs back online and replicated any pending changes. Then I get a replication report:

Repadmin /showrepl * /csv

image

Or you can see what your replication backlog is currently in the queue, like here:

Repadmin /queue *

image

Or you can see which changes have not yet replicated from a server, as well as what changes have replicated since the last time the command was run, with /showchanges:

repadmin /showchanges destination_DC source_DSA_GUID domain_DN

(69) add CN=Ned Pyle,CN=Users,DC=adatum,DC=com
1> parentGUID: a90a9633-2682-4896-be86-21220cf24f0c
1> objectGUID: e8f0e0a2-69aa-4e4e-9f74-3db79ad6f3b7
4> objectClass: top; person; organizationalPerson; user
1> sn: Pyle
1> givenName: Ned
1> instanceType: 0x4 = ( WRITE )
1> whenCreated: 6/21/2009 9:05:32 AM Pacific Daylight Time
1> displayName: Ned Pyle
1> nTSecurityDescriptor: O:DAG:DAD:AI
1> name: Ned Pyle
1> userAccountControl: 0x10200 = ( NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD )
1> codePage: 0
1> countryCode: 0
1> pwdLastSet: 6/21/2009 9:05:32 AM Pacific Daylight Time
1> primaryGroupID: 513 = ( GROUP_RID_USERS )
1> objectSid: S-1-5-21-3776065869-1984782319-1196103478-1107
1> accountExpires: (never)
1> sAMAccountName: nedpyle
1> sAMAccountType: 805306368 = ( NORMAL_USER_ACCOUNT )
1> userPrincipalName:
nedpyle@adatum.com
1> objectCategory: <GUID=4ed8da23575bed48b12cd36061257c14>;CN=Person,CN=Schema,CN=Configuration,DC=adatum,DC=com

Neat right? That’s a user I created while the other DC was offline, in the list of pending changes. I snipped out another long list of changes that were also pending. Pretty useful to see if a DC that has not been replicating for a while is worth spending time trying to fix or is better off demoting.

Other Repadmin capabilities

Repadmin has plenty of other secrets you can use for monitoring, administering, and troubleshooting – most of which Replmon cannot do:

  • Replicate a single specific object
  • View and modify RODC password policies as well as trigger password caching
  • Create, modify, and delete replication topology
  • Remove lingering objects
  • Manipulate Global Catalog partitions
  • Set replication registry values
  • Export data to Excel-ready text
  • Way more cool stuff…

Need to see all the help?

Basic help - Repadmin /?

Help on selecting DCs - Repadmin /listhelp

Advanced command help - Repadmin /experthelp

Help and examples for every parameter- Repadmin /?:Your specific parameter here

Wrapping it up

Repadmin may not be as pretty as Replmon or Dssites.msc, but it is far more powerful than both of those utilities combined. Being an AD administrator brings a lot of responsibility – you are accountable for identity management, authentication, authorization, and general network availability for your entire company. You owe it to yourself to learn and use AD’s most powerful tools, even if they don’t support a mouse.

Update July 2 2009: One of our readers also points out that we have an excellent whitepaper on using Repadmin to troubleshoot problems.

Grab it here: http://www.microsoft.com/downloads/details.aspx?familyid=c6054092-ee1e-4b57-b175-5aabde591c5f&displaylang=en

(Nice one, Mike!)

- Ned ‘Cursor’ Pyle

  • On-topic: Preaching to the converted, here. I've loved replmon since early Server 2003 (when it got some more options with bite), once I wrapped my head around the various commands.

    Off-topic: As much as I enjoy reading your articles, I'd be lieing if I didn't confess that part of the attraction is seeing what new middle name you've come up with per article! And although you're stretching my memory this time around, I think we still got that pilot here in Aus.

    I may work with directory services, but clearly, simple things amuse this mind!

    Cheers,

    Lain

  • :-D

    Thanks very much Lain.

    - Ned

  • Another good article Ned, repadmin should definitely be in everyone's toolkit.

    Not sure if you or members of your team were involved in the reapadmin whitepaper published last fall but it was one of my top 5 all-time white papers from Microsoft.

    http://www.microsoft.com/downloads/details.aspx?familyid=c6054092-ee1e-4b57-b175-5aabde591c5f&displaylang=en

    Have a safe and happy July 4th weekend...no DFSR entries this Saturday :)

    Talk to you later

    Mike

  • Oh snap, I forgot to link that! Thanks for the great catch Mike, I'm updating the article now.

    - Ned

  • Hello Ned,

    first, thank you very much for this article, nice job.

    I have a question and I can't find any reasonable solution anywhere, maybe you will know.

    Replmon has a perfect feature - it's able to show you FSMO holders. I can't find it in repadmin. The only solution I found is this:

    repadmin /showrepl fsmo_type:dc=domain,dc=com

    fsmo_type could be fsmo_schema, fsmo_dnm, fsmo_im, fsmo_pdc, fsmo_rid

    Is there any better solution for this? Thank you very much for answer and great articles.

    Igor

  • Beyond what you found already in repadmin.exe, the tool I've always used over teh years is NETDOM.EXE:

    netdom query fsmo

    Schema master               srv1.contoso.com

    Domain naming master        srv3.contoso.com

    PDC                         srv2.contoso.com

    RID pool manager            srv3.contoso.com

    Infrastructure master       srv3.contoso.com

  • Thank you very much for answer Ned ... I know netdom.exe utility, I just thought that repadmin.exe has similar parameter for FSMO roles

    Thank you again, igor

  • The only thing missing is the fact that Replmon will email when there are replication failures and SCOM's management packs don't allow you to put in an override for ignoring replication failures from a specific DC (due to a lag site/etc.).  That tool needed an update anyway... I guess I'll write something in C# to imitate the functions of replmon but mine won't require outlook to be installed.