There are other utilities out in the wild that can be used to give a comprehensive test of AD replication, but few are as definitive as REPADMIN /SHOWREPL command in the CSV format.
I'm willing to bet there are some folks who just read that statement and are thinking that it sounds pretty silly. I promise you'll be believers after using this tool, particularly those folks out there who are new to the environment they administer or that may work as consultants and so get confronted by new environments all the time.
Here’s the skinny on this from REPADMIN help:
/showrepl [DC_LIST [Source DC object GUID]] [Naming Context] [/verbose]
[/nocache] [/repsto] [/conn] [/all] [/errorsonly] [/intersite]
And here's a synopsis of what this command puts at your fingertips:
· replication status (programmatic error code) for a naming context(s)
· last success and failure times
· number of last success and failures
· network transport used for the replication (nearly always RPC)
· source and destination DCs
· source and destination AD sites
The above doesn’t sound like much until you put it into practice. Let’s talk about doing that.
REPADMIN /SHOWREPL * /CSV >resultfile.csv
The above command will run on all DCs in the forest and gathers the latest replication status codes for all naming contexts (NCs) present. I probably don’t need to say this, but in case I do: NCs are the containers such as your default Configuration and Schema partition, as well as every domain partition in your forest. In my test case we have the Thatsnotright, the Wackiness, and the Silliness domains adding to the default partitions of Config and Schema. The above command will get the replication status for all of these, on every DC.
Key points to keep in mind around this are:
-not every DC will have a copy of every NC; only Global Catalogs will
-Not every site may host a DC for every domain; it just depends on what was deployed there
-This command does not indicate whether a hosted NC is read only (such as in the case of a GC hosting it) or writable (a domain partition).
-This command does not indicate OS version. You could add or get that separately, but that’s important stuff to know in lingering object and other scenarios.
-This command does not display whether a DC is set for strict or loose replication consistency
-The number zero (0) indicates success, no failure present.
So, once you run the command above you need to open and use the file. Here are the steps to do that using Microsoft Excel:
-
Start Microsoft Excel, and then open the Showrepl.csv file.
-
Select the A + RPC and SMTPcolumns, and then, on the Edit menu, click Delete.
-
Select the row that is immediately under the column headers. On the Windows menu, click Freeze Pane.
-
Select the complete spread sheet. On the Data menu, point to Filter, and then click Auto-Filter.
-
On the heading of the Last Success column, click the down arrow, and then click Sort Ascending.
-
On the heading of the source DC column, click the down arrow, and then click Custom.
-
In the Custom AutoFilter dialog box, select the operand does not contain and type del in the box to the right of the operand. This prevents the display of deleted domain controllers in the results.
-
On the heading of the Last Failure column, click the down arrow, and then click Custom. In the Custom AutoFilter dialog box, select the operand does not equal, and then type 0 in the box to the right of the operand.
-
Resolve the replication failures that are displayed.
So now you have a selectable spreadsheet which details your AD replication status as of the moment the report was completed. You can select a single error code, or do a filter for multiple (such as 1722 and 1753). The ways you can reselect this data are infinite, so it is very customizable for any environment, problem and need.
The selected data below is an example of a selection of all DC which show the 8606 error in a test environment:
Destination DC Site
|
Destination DC
|
Naming Context
|
Source DC Site
|
Source DC
|
Transport Type
|
Number of Failures
|
Last Failure Time
|
Last Success Time
|
Last Failure Status
|
DALLAS
|
DC111
|
DC=thatsnotright,DC=wackiness,DC=silliness,DC=org
|
DALLAS
|
DC045
|
RPC
|
189
|
4/20/2006 22:06
|
(never)
|
8606
|
DALLAS
|
DC089
|
DC=thatsnotright,DC=wackiness,DC=silliness,DC=org
|
DALLAS
|
DC030
|
RPC
|
3172
|
4/20/2006 22:06
|
4/20/2006 4:22
|
8606
|
DALLAS
|
DC122
|
DC=thatsnotright,DC=wackiness,DC=silliness,DC=org
|
DALLAS
|
DC112
|
RPC
|
3909
|
4/20/2006 22:07
|
4/20/2006 4:22
|
8606
|
CHICAGO
|
DC070
|
DC=thatsnotright,DC=wackiness,DC=silliness,DC=org
|
CHICAGO
|
DC345
|
RPC
|
216
|
4/20/2006 22:03
|
4/20/2006 4:27
|
8606
|
CHICAGO
|
DC070
|
DC=thatsnotright,DC=wackiness,DC=silliness,DC=org
|
CHICAGO
|
DC220
|
RPC
|
1859
|
4/20/2006 22:07
|
4/20/2006 4:31
|
8606
|
DALLAS
|
DC110
|
DC=thatsnotright,DC=wackiness,DC=silliness,DC=org
|
DALLAS
|
DC245
|
RPC
|
3175
|
4/20/2006 22:07
|
4/20/2006 4:21
|
8606
|
DALLAS
|
DC183
|
DC=thatsnotright,DC=wackiness,DC=silliness,DC=org
|
DALLAS
|
DC045
|
RPC
|
216
|
4/20/2006 22:06
|
4/20/2006 4:14
|
8606
|
DALLAS
|
DC090
|
DC=thatsnotright,DC=wackiness,DC=silliness,DC=org
|
DALLAS
|
DC067
|
RPC
|
215
|
4/20/2006 22:05
|
4/20/2006 4:15
|
8606
|
DALLAS
|
DC090
|
DC=thatsnotright,DC=wackiness,DC=silliness,DC=org
|
DALLAS
|
DC093
|
RPC
|
806
|
4/20/2006 22:07
|
(never)
|
8606
|
CHICAGO
|
DC056
|
DC=thatsnotright,DC=wackiness,DC=silliness,DC=org
|
CHICAGO
|
DC114
|
RPC
|
216
|
4/20/2006 22:03
|
4/20/2006 4:27
|
8606
|
CHICAGO
|
DC075
|
DC=thatsnotright,DC=wackiness,DC=silliness,DC=org
|
CHICAGO
|
DC556
|
RPC
|
1862
|
4/20/2006 22:07
|
4/20/2006 4:31
|
8606
|
So, you’re probably saying to yourself “Self, how do I tell what this error number really means?”. Good question, O Reader. These error codes are the programmatic error codes from winerr.h, they are not the same as what you will see in a fully fleshed out event in the event log. As a result, they are lacking in every detail since this code is used to trigger (ultimately) that event to appear in the event log.
But there’s a way to see the comment associated with that error code, and thereby get a better understanding or more info on it. That is the ERR.EXE tool which can be downloaded from this link:
Err.exe
This is command line tool which can take the Windows (not just DS, all Windows error codes) error number as an argument and provide the comment for it. Here’s the example for our “Last Failure Status” above.
C: > Err.exe 8606
# for decimal 8606 / hex 0x219e :
ERROR_DS_INSUFFICIENT_ATTR_TO_CREATE_OBJECT winerror.h
# Insufficient attributes were given to create an object.
# This object may not exist because it may have been deleted
# and already garbage collected.
# 1 matches found for "8606"
So, we’ve have a pretty good overview of a REPADMIN.EXE technique that can save some time and ease some general “is this domain replicating or what?” questions. I’m still deciding on the next post (slated for about a week or so from now) so if anyone has a special request just let me know.