Blog Post

Microsoft Entra Blog
5 MIN READ

Get the Lowdown on your Replication

Alex Simons (AZURE)'s avatar
Sep 07, 2018
First published on CloudBlogs on Jun, 23 2006

There are other utilities out in the wild that can be used to give a comprehensive test of AD replication, but few are as definitive as REPADMIN /SHOWREPL command in the CSV format.

I'm willing to bet there are some folks who just read that statement and are thinking that it sounds pretty silly.    I promise you'll be believers after using this tool, particularly those folks out there who are new to the environment they administer or that may work as consultants and so get confronted by new environments all the time.

Here’s the skinny on this from REPADMIN help:

/showrepl [DC_LIST [Source DC object GUID]] [Naming Context] [/verbose]

[/nocache] [/repsto] [/conn] [/all] [/errorsonly] [/intersite]

And here's a synopsis of what this command puts at your fingertips:

·         replication status (programmatic error code) for a naming context(s)

·         last success and failure times

·         number of last success and failures

·         network transport used for the replication (nearly always RPC)

·         source and destination DCs

·         source and destination AD sites

The above doesn’t sound like much until you put it into practice.  Let’s talk about doing that.

REPADMIN /SHOWREPL * /CSV >resultfile.csv

The above command will run on all DCs in the forest and gathers the latest replication status codes for all naming contexts (NCs) present.  I probably don’t need to say this, but in case I do:  NCs are the containers such as your default Configuration and Schema partition, as well as every domain partition in your forest.  In my test case we have the Thatsnotright, the Wackiness, and the Silliness domains adding to the default partitions of Config and Schema.  The above command will get the replication status for all of these, on every DC.

Key points to keep in mind around this are:

-not every DC will have a copy of every NC; only Global Catalogs will

-Not every site may host a DC for every domain; it just depends on what was deployed there

-This command does not indicate whether a hosted NC is read only (such as in the case of a GC hosting it) or writable (a domain partition).

-This command does not indicate OS version.  You could add or get that separately, but that’s important stuff to know in lingering object and other scenarios.

-This command does not display whether a DC is set for strict or loose replication consistency

-The number zero (0) indicates success, no failure present.

So, once you run the command above you need to open and use the file.  Here are the steps to do that using Microsoft Excel:

  1. Start Microsoft Excel, and then open the Showrepl.csv file.
  2. Select the A + RPC and SMTPcolumns, and then, on the Edit menu, click Delete.
  3. Select the row that is immediately under the column headers. On the Windows menu, click Freeze Pane.

  4. Select the complete spread sheet. On the Data menu, point to Filter, and then click Auto-Filter.

  5. On the heading of the Last Success column, click the down arrow, and then click Sort Ascending.

  6. On the heading of the source DC column, click the down arrow, and then click Custom.

  7. In the Custom AutoFilter dialog box, select the operand does not contain and type del in the box to the right of the operand. This prevents the display of deleted domain controllers in the results.

  8. On the heading of the Last Failure column, click the down arrow, and then click Custom. In the Custom AutoFilter dialog box, select the operand does not equal, and then type 0 in the box to the right of the operand.

  9. Resolve the replication failures that are displayed.

So now you have a selectable spreadsheet which details your AD replication status as of the moment the report was completed.    You can select a single error code, or do a filter for multiple (such as 1722 and 1753).  The ways you can reselect this data are infinite, so it is very customizable for any environment, problem and need.

The selected data below is an example of a selection of all DC which show the 8606 error in a test environment:

Destination DC Site

Destination DC

Naming Context

Source DC Site

Source DC

Transport Type

Number of Failures

Last Failure Time

Last Success Time

Last Failure Status

DALLAS

DC111

DC=thatsnotright,DC=wackiness,DC=silliness,DC=org

DALLAS

DC045

RPC

189

4/20/2006 22:06

(never)

8606

DALLAS

DC089

DC=thatsnotright,DC=wackiness,DC=silliness,DC=org

DALLAS

DC030

RPC

3172

4/20/2006 22:06

4/20/2006 4:22

8606

DALLAS

DC122

DC=thatsnotright,DC=wackiness,DC=silliness,DC=org

DALLAS

DC112

RPC

3909

4/20/2006 22:07

4/20/2006 4:22

8606

CHICAGO

DC070

DC=thatsnotright,DC=wackiness,DC=silliness,DC=org

CHICAGO

DC345

RPC

216

4/20/2006 22:03

4/20/2006 4:27

8606

CHICAGO

DC070

DC=thatsnotright,DC=wackiness,DC=silliness,DC=org

CHICAGO

DC220

RPC

1859

4/20/2006 22:07

4/20/2006 4:31

8606

DALLAS

DC110

DC=thatsnotright,DC=wackiness,DC=silliness,DC=org

DALLAS

DC245

RPC

3175

4/20/2006 22:07

4/20/2006 4:21

8606

DALLAS

DC183

DC=thatsnotright,DC=wackiness,DC=silliness,DC=org

DALLAS

DC045

RPC

216

4/20/2006 22:06

4/20/2006 4:14

8606

DALLAS

DC090

DC=thatsnotright,DC=wackiness,DC=silliness,DC=org

DALLAS

DC067

RPC

215

4/20/2006 22:05

4/20/2006 4:15

8606

DALLAS

DC090

DC=thatsnotright,DC=wackiness,DC=silliness,DC=org

DALLAS

DC093

RPC

806

4/20/2006 22:07

(never)

8606

CHICAGO

DC056

DC=thatsnotright,DC=wackiness,DC=silliness,DC=org

CHICAGO

DC114

RPC

216

4/20/2006 22:03

4/20/2006 4:27

8606

CHICAGO

DC075

DC=thatsnotright,DC=wackiness,DC=silliness,DC=org

CHICAGO

DC556

RPC

1862

4/20/2006 22:07

4/20/2006 4:31

8606

So, you’re probably saying to yourself “Self, how do I tell what this error number really means?”.  Good question, O Reader.  These error codes are the programmatic error codes from winerr.h, they are not the same as what you will see in a fully fleshed out event in the event log.  As a result, they are lacking in every detail since this code is used to trigger (ultimately) that event to appear in the event log.

But there’s a way to see the comment associated with that error code, and thereby get a better understanding or more info on it.  That is the ERR.EXE tool which can be downloaded from this link:

Err.exe

http://www.microsoft.com/downloads/details.aspx?familyid=be596899-7bb8-4208-b7fc-09e02a13696c&displaylang=en

This is command line tool which can take the Windows (not just DS, all Windows error codes) error number as an argument and provide the comment for it.  Here’s the example for our “Last Failure Status” above.

C: > Err.exe 8606

# for decimal 8606 / hex 0x219e :

ERROR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT                   winerror.h

# Insufficient attributes were given to create an object.

# This object may not exist because it may have been deleted

# and already garbage collected.

# 1 matches found for "8606"

So, we’ve have a pretty good overview of a REPADMIN.EXE technique that can save some time and ease some general “is this domain replicating or what?” questions.  I’m still deciding on the next post (slated for about a week or so from now) so if anyone has a special request just let me know.

Published Sep 07, 2018
Version 1.0
No CommentsBe the first to comment