Repadmin

 

Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8

Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems.

Repadmin.exe is built into Windows Server 2008 and Windows Server 2008 R2. It is available if you have the AD DS or the AD LDS server role installed. It is also available if you install the Active Directory Domain Services Tools that are part of the Remote Server Administration Tools (RSAT). For more information, see How to Administer Microsoft Windows Client and Server Computers Locally and Remotely (https://go.microsoft.com/fwlink/?LinkID=177813).

To use Repadmin.exe, you must run the ntdsutil command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

You can use Repadmin.exe to view the replication topology, as seen from the perspective of each domain controller. In addition, you can use Repadmin.exe to manually create the replication topology, to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors (UTDVECs). You can also use Repadmin.exe to monitor the relative health of an Active Directory Domain Services (AD DS) forest.

Important

During the normal course of operations, there is no need to create the replication topology manually. Incorrect use of Repadmin can adversely impact the replication topology. The primary use of Repadmin is to monitor replication so that you can identify problems, such as offline servers or an unavailable local area network (LAN) or wide area network (WAN) connection.

Repadmin also requires administrative credentials on each domain controller that is targeted by the command. Members of the Domain Admins group have the sufficient permissions to run repadmin on domain controllers in that domain. Members of the Enterprise Admins group are, by default, granted membership in the Domain Admins group in each domain in the forest.

You can also delegate the specific permissions that are required to view and manage replication status.

For more information about how to run repadmin.exe commands in different troubleshooting scenarios and how to interpret the output, see Monitoring and Troubleshooting Active Directory Replication Using Repadmin (https://go.microsoft.com/fwlink/?LinkId=197165). For more information about using repadmin.exe to remove lingering objects, see Use Repadmin to Remove Lingering Objects(https://go.microsoft.com/fwlink/?LinkId=197166).

Syntax

repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password | *}] [/retry[:<retries>][:<delay>]] [/csv]

Help commands

Repadmin provides different Help menus for different types of information and for different levels of experience among administrators. The following table shows the commands that you can run for different Help menus in Repadmin.

Command

Description

/?

Displays and describes commands that are available.

/help

Same as /?

/?:<cmd>

Displays possible arguments <args>, appropriate syntaxes, and examples for the specified command <cmd>.

/help:<cmd>

Same as /?:<cmd>

/experthelp

Displays commands that are available for advanced users only.

/listhelp

Displays the variations of syntax that are available for the DSA_NAME, DSA_LIST, NCNAME and OBJ_LIST strings.

Note

The DSA_LIST parameter is the same as the DC_LIST parameter in the Windows Server 2003 version of Repadmin.exe.

/oldhelp

Displays help for commands in the Windows 2000 Server and Windows Server 2003 versions of Repadmin.exe.

Commands

Parameter

Description

Repadmin -kcc

Forces the Knowledge Consistency Checker (KCC) on targeted domain controllers to immediately recalculate the inbound replication topology.

Repadmin -prp

Specifies the Password Replication Policy (PRP) for read-only domain controllers (RODCs).

Repadmin -queue

Displays inbound replication requests that the domain controller must issue to become consistent with its source replication partners.

Repadmin -replicate

Triggers the immediate replication of the specified directory partition to a destination domain controller from a source domain controller.

Repadmin -replsingleobj

Replicates a single object between any two domain controllers that have common directory partitions.

Repadmin -replsummary

Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.

Repadmin -rodcpwdrepl

Triggers replication of passwords for the specified users from the source domain controller to one or more read-only domain controllers. (The source domain controller is typically a hub site domain controller.)

Repadmin -showattr

Displays the attributes of an object.

Repadmin -showobjmeta

Displays the replication metadata for a specified object that is stored in AD DS, such as attribute ID, version number, originating and local update sequence numbers (USNs), globally unique identifier (GUID) of the originating server, and date and time stamp.

Repadmin -showrepl

Displays the replication status when the specified domain controller last attempted to perform inbound replication on Active Directory partitions.

Repadmin -showutdvec

Displays the highest, committed USN that AD DS, on the targeted domain controller, shows as committed for itself and its transitive partners.

Repadmin -syncall

Synchronizes a specified domain controller with all replication partners.

Additional parameters

Parameter

Description

u

Specifies the domain and user name with permission to perform operations in AD DS. (The domain and user name are separated by a backslash, for example, domain\user.) This parameter does not support using a User Principal Name (UPN) to log on to a domain.

pw

Specifies the password for the user name that you enter with the /u parameter.

Retry

Causes Repadmin to retry its attempt to bind to the target domain controller, if the first attempt fails with one of the following errors:

  • Event ID 1722 (0x6ba): "The RPC Server is unavailable"

  • Event ID 1753 (0x6d9): "There are no more endpoints available from the endpoint mapper"

csv

Displays the results of the /showrepl parameter in a comma-separated-value (CSV) format.

The DSA_LIST parameter

This section explains the syntax of the DSA_LIST parameter.

Note

The DSA_LIST parameter is the same as the DC_LIST parameter in the Windows Server 2003 version of Repadmin.exe.

Syntax

{<dc_name> | * |<partial_server_name>* | site:<site_name> |gc: |fsmo_<type>:[<name> | <site_name>]}

Parameters

Parameter

Definition

<dc_name>

Specifies the host name of a domain controller.

*

Specifies that the repadmin command will target all domain controllers in the forest of the computer that you are running Repadmin.exe on. Improper use of this standard wildcard character can cause a significant increase in network traffic.

<partial_server_name>

Uses wildcard characters to return partial matches. For example, if you append an asterisk (*) when you specify the partial domain controller name "Contoso-DC-*", the command returns Contoso-DC-01, Contoso-DC-02, Contoso-DC-03, and so on, but the command does not return Contoso-diff-name. This parameter works best when you use a common prefix for domain controllers in the domain. You cannot use a wildcard character at the beginning of the partial server name.

site:<site_name>

Returns all domain controllers in the Active Directory site that you specify in this parameter.

gc

Queries all global catalog servers in the enterprise.

fsmo_<type>

Specifies a group of domain controllers to query by operations master role. (The operations master role is also known as flexible single master operations or FSMO.). Valid operations master roles are listed in the following table.

Valid operations master roles

Operations master role

Description

fsmo_pdc:[<name>]

Runs Repadmin.exe against the primary domain controller (PDC) emulator operations master. The <name> parameter takes a naming context.

fsmo_rid:[<name>]

Runs Repadmin.exe against the relative ID (RID) operations master. The <name> parameter takes a naming context.

fsmo_im:[<name>]

Runs Repadmin.exe against the infrastructure operations master. The <name> parameter takes a naming context.

fsmo_istg:[<site_name>]

Runs Repadmin.exe against the Intersite Topology Generator (ISTG). The <site_name> parameter takes a site distinguished name.

fsmo_dnm:

Runs Repadmin.exe against the domain naming operations master.

fsmo_schema:

Runs Repadmin.exe against the schema operations master.

Remarks

  • Repadmin syntax uses the following terminology:

    • Naming context

      The distinguished name of a directory partition in an AD DS forest. Naming contexts include the three Read/Write naming contexts—domain, schema, and configuration—and the optional read-only naming contexts that are present on domain controllers that are global catalog servers. A naming context can also be an application directory partition. You specify a naming context as a distinguished name, which indicates its hierarchical relationship to the forest root domain, for example, DC=MyDomain,DC=Contoso,DC=Com.

    • Globally unique identifier (GUID)

      The 128-bit number that is used to uniquely identify objects that are stored in the directory, for example, fa1a9e6e-2e14-11d2-aa9b-bbfc0a30094c. The GUID is sometimes referred to in syntax as a universally unique identifier (UUID). For the purposes of Repadmin, these two terms are synonymous.

    • Distinguished name

      An X.500 distinguished name, for example, CN=Server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=Contoso,DC=Com.

  • In the Repadmin examples that are included in each command topic, the domain controller object GUID and the domain controller Invocation ID that are returned by some commands, such as the /showrepl command, initially show identical hexadecimal values (until system state is restored). However, these two values identify different objects. The domain controller object GUID is a unique identifier for the NTDS Settings object on the domain controller. The value of the domain controller object GUID does not change unless you remove AD DS from the domain controller, and then reinstall it. The domain controller Invocation ID identifies the directory database on the domain controller. This value changes when you restore a domain controller from a backup. When you first install a domain controller, the values for these two identifiers are the same; however, whenever you restore a domain controller from a backup, the Invocation ID value changes.

  • Most Repadmin commands take their parameters in the following order:

    1. "Destination or Target DSA_LIST"

    2. "Source DSA_NAME", if required

    3. <Naming Context> or Object distinguished name, if required

    For example:

    repadmin /showrepl <DSA_LIST> <Source_DSA_NAME> <Naming Context>
    

    <DSA_NAME> is a Directory Service Agent binding string, as is <DSA_LIST>. For AD DS, this string is a network label. For a domain controller, network labels include Domain Name System (DNS), NetBIOS, and IP address. For example:

    dc-01
    dc-01.contoso.com
    localhost
    

    For Active Directory Lightweight Directory Services (AD LDS), this string must be a network label of the AD LDS server that is followed by a colon, and then followed by the Lightweight Directory Access Protocol (LDAP) port of the AD LDS instance. For example:

    ad-am-01:2000
    ad-am-01.contoso.com:2000
    

    <Naming Context> is the distinguished name of the root of the naming context. For example:

    DC=My-Domain,DC=Contoso,DC=Com
    
  • Text with international or Unicode characters displays correctly if you install appropriate fonts and language support on the computer from which you run Repadmin. Examples of such text are naming context names and server names.

Additional references

Command-Line Syntax Key