Run the repadmin /showrepl command to view the replication status. For an overall summary of replication health, use repadmin /replsummary.
Why checking domain controller replication status matters
AD replication ensures all domain controllers have up-to-date directory information. If domain controllers fall out of sync, authentication and authorization can fail, leading to security risks and service outages. Regular AD health checks help prevent these issues.
How to check domain controller synchronization using repadmin
Repadmin, part of the Remote Server Administration Tools (RSAT) for Windows, is a powerful command-line tool that helps diagnose and troubleshoot AD replication issues. To install repadmin on Windows 10/11:
- Open Settings > Apps > Optional Features.
- Click Add a feature.
- Search for RSAT: Active Directory Tools and install.
- Use Command Prompt or PowerShell to run repadmin.
Key repadmin commands:
| Command | Purpose |
|---|---|
| repadmin /showrepl | Shows detailed replication status per domain controller. |
| repadmin /syncall | Forces replication between domain controllers. |
| repadmin /replsummary | Provides a summary of replication health. |
| repadmin /queue | Lists inbound replication requests. |
| repadmin /kcc | Triggers the Knowledge Consistency Checker. |
| repadmin /replicate | Initiates replication of a directory partition. |
Repadmin commands and outputs to check if domain controllers are in sync
Step 1: Check replication health
Run the repadmin /replsummary command to get a brief summary of the replication status across the forest or domain, including counts of successes and failures:
repadmin /replsummary
Step 2: Check the inbound replication queue
Run the repadmin /queue command to view the replication queue of a specified domain controller. The queue shows the inbound replication operations that are waiting to be processed by that domain controller.
repadmin /queue
Step 3: Check the replication status
Run the repadmin /showrepl command to view inbound replication status and details about the last replication attempt for each naming context.
repadmin /showrepl
Step 4: Synchronize replication between replication partners
Run the repadmin /syncall command to force synchronization between replication partners for a domain controller.
repadmin /syncall
Step 5: Force the KCC to recalculate the topology
Run the repadmin /kcc command to force the Knowledge Consistency Checker (KCC) on the target domain controller to recalculate its replication topology immediately.
repadmin /kcc
Step 6: Force replication
Run the repadmin /replicate command to manually force replication of a specified naming context from a source domain controller to a destination domain controller.
repadmin /replicate <DestinationDC> <SourceDC> <NamingContext>
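An added example (not from the original page or from ManageEngine) that automates the checks in Steps 1 to 3: it parses the CSV form of repadmin /showrepl and reports only the replication links that have failures or a stale last success. The sample rows, the DC and site names, the function name, and the 24-hour threshold are constructed assumptions.

```powershell
# Constructed sample in the column layout of "repadmin /showrepl * /csv".
# DC names, sites, and timestamps are hypothetical.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=example,DC=com",HQ,DC2,RPC,0,0,2024-05-01 10:02:11,0
showrepl_INFO,HQ,DC1,"DC=example,DC=com",Branch,DC3,RPC,14,2024-05-01 09:58:40,2024-04-29 21:15:03,1722
showrepl_INFO,Branch,DC3,"CN=Configuration,DC=example,DC=com",HQ,DC1,RPC,0,0,2024-05-01 07:45:00,0
'@

function Get-ReplicationLinkIssue {
    param(
        [Parameter(Mandatory)] [string] $CsvText,
        [datetime] $Now = (Get-Date),
        [int] $MaxAgeHours = 24   # assumed threshold; align it with your site-link schedule
    )
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $reasons = @()
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            # Rows not marked showrepl_INFO are not link records; surface them for manual review.
            $reasons += "unexpected row type '$($row.showrepl_COLUMNS)'"
        } else {
            if ([int]$row.'Number of Failures' -gt 0) {
                $reasons += "failures=$($row.'Number of Failures') status=$($row.'Last Failure Status')"
            }
            $lastOk = [datetime]::MinValue
            $parsed = [datetime]::TryParseExact($row.'Last Success Time', 'yyyy-MM-dd HH:mm:ss',
                [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$lastOk)
            if (-not $parsed) {
                $reasons += 'no recorded success'
            } elseif (($Now - $lastOk).TotalHours -gt $MaxAgeHours) {
                $reasons += ('last success {0:N0}h ago' -f ($Now - $lastOk).TotalHours)
            }
        }
        if ($reasons) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Reason        = $reasons -join '; '
            }
        }
    }
}

# Offline run against the constructed sample, with a fixed clock so the result is repeatable.
Get-ReplicationLinkIssue -CsvText $sampleCsv -Now ([datetime]'2024-05-01 12:00:00') | Format-Table -AutoSize

# Live use on a machine with RSAT installed:
# Get-ReplicationLinkIssue -CsvText (repadmin /showrepl * /csv | Out-String)
```

Scheduling the live form and alerting on any returned row gives a basic early warning for domain controllers drifting out of sync.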
How to use PowerShell to check domain controller replication
PowerShell offers cmdlets to check AD replication. The following cmdlets provide detailed information about replication status, failures, and queued replication operations.
- Get-ADReplicationPartnerMetadata
Retrieves information about the replication partners for a specified domain controller, including the status and last replication attempt.
Get-ADReplicationPartnerMetadata -Target "DC1"
- Get-ADReplicationFailure
Shows recent replication failures for the specified domain controller.
Get-ADReplicationFailure -Target "DC1"
- Get-ADReplicationQueueOperation
Displays any replication operations currently queued on the target domain controller.
Get-ADReplicationQueueOperation -Target "DC1"
Troubleshooting common replication issues
| Issue | Symptoms | Troubleshooting steps |
|---|---|---|
| Replication latency | Changes not appearing on other domain controllers | Use repadmin /replsummary and check network connectivity. |
| Replication failures | Event log errors, errors in showrepl | Verify DNS, time sync, and check firewall ports. |
| Stale or lingering objects | Objects deleted on one domain controller still exist | Use repadmin /removelingeringobjects. |
| KCC topology problems | Replication partners not correct | Run repadmin /kcc on the affected domain controller. |
How ADAudit Plus provides visibility into AD replication
ManageEngine ADAudit Plus offers comprehensive AD replication auditing with exclusive reports that provide:
- Visual dashboards showing replication status
- Alerts for replication failures and delays
- Detailed logs of replication events
- Reports for analyzing replication traffic and timing
Customizable reports to track replica sync history:
Intuitive charts highlighting replication failures:
Limitations of using native methods to check AD replication
Native tools like repadmin and Event Viewer are commonly used to monitor AD replication, but they have several drawbacks.
- Manual and time-intensive: They require manual execution and interpretation, making real-time monitoring and proactive issue detection difficult, especially for non-experts.
- No centralized view or alerts: Admins must check each domain controller individually. There’s no unified dashboard or built-in alerting, which can delay response to critical issues.
- Limited scalability and tracking: Native tools don’t scale well in large or multi-site environments. Historical tracking is minimal, with no built-in reporting or data retention.
To overcome these challenges, a change auditing tool like ADAudit Plus that offers real-time dashboards, automated alerts, and historical insights makes AD replication monitoring simpler, faster, and more reliable.
A one-stop solution for all your IT auditing, compliance, and security needs
ADAudit Plus provides capabilities like change auditing, logon monitoring, file tracking, compliance reporting, attack surface analysis, response automation, and backup and recovery for diverse IT systems.
Frequently asked questions
To diagnose replication errors, run the Active Directory Replication Status Tool available on domain controllers, or use repadmin /showrepl. To view only replication errors, run repadmin /showrepl /errorsonly.
To force replication between two domain controllers, run the following command on the domain controller you want to update:
repadmin /syncall <DC-name> /AeD
If you want to make changes on one domain controller and replicate those changes to other domain controllers, use:
repadmin /syncall <DC-name> /APeD
- Intra-site replication: With the exception of critical directory updates that are replicated immediately, the source domain controller updates changes to its closest replication partner every 15 seconds.
- Inter-site replication: By default, the replication interval is 180 minutes, but it can be configured to run as frequently as every 15 minutes.
To change the default replication time, open the Active Directory Sites and Services snap-in > go to the Inter-Site Transport container > select the IP container > choose the site link you want to modify > enter your desired value next to Replicate every > save your changes.
