Most AD administrators use the repadmin (introduced in Windows Server 2003) and replmon (must be copied from Support Tool for WS2003) console tools to monitor and control Active Directory replication. In Windows Server 2012, Microsoft added a number of PowerShell cmdlets to manage and check replication status in the Active Directory forest. In this article we’ll look at the most useful PoSh cmdlets that an AD administrator can use to control replication between domain controllers.
The cmdlets for managing and monitoring AD replication are part of the Active Directory Module for Windows PowerShell. You can enable it on the desktop Windows editions after RSAT installation. To import the module into a PowerShell session, run this command:
Import-Module ActiveDirectory
You can display the full list of replication-related cmdlets in the ActiveDirectory module as follows:
get-command -module activedirectory -name *ADReplicat*
To collect information about replication failures for a specific domain controller, use the Get-ADReplicationFailure cmdlet:
Get-ADReplicationFailure -Target DC1
If there are no errors, the cmdlet will return nothing. Otherwise, you will see the list of failed objects and the causes of replication errors.
You can query multiple DCs at once:
Get-ADReplicationFailure -Target DC1,DC2
In this case, you can see that there was a connection problem (link failure) with the domain controller dc2 on February 22, but there are no errors at the moment.
To quickly get the replication status for all DCs in the specified site:
Get-ADReplicationFailure -scope site -target Madrid | FT Server, LastError, Partner -Auto
Or for all domain controllers in the domain or in the forest (-Scope Forest):
Get-ADReplicationFailure -Target "woshub.com" -Scope Domain
The Get-ADReplicationConnection cmdlet is used to display information about the replication partners for the current domain controller.
Get-ADReplicationConnection -Filter *
If you want to display the replication connections for a specific DC, run this command:
Get-ADReplicationConnection -Filter {ReplicateToDirectoryServer -eq "DC2"}
To force synchronization of a specific object between domain controllers, use the Sync-ADObject cmdlet. For example, let’s consider the case when an AD object has been deleted, moved to the AD Recycle Bin and then restored. After the object has been restored, you can force replication of the recovered object to all domain controllers using the Sync-ADObject cmdlet:
Get-ADDomainController -filter * | foreach {Sync-ADObject -Object "cn=John Silvia,cn=Users,dc=woshub,dc=com" -source DC1 -Destination $_.hostname}
The Get-ADReplicationPartnerMetadata cmdlet returns replication metadata for the links between DCs and their replication partners. For example, to get the time of the last replication attempt with a partner and the time of the last successful replication for all DCs, enter the following command:
Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain | Select-Object Server, LastReplicationAttempt, LastReplicationSuccess, Partner
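The following is an added example, not part of the original article: a filter that takes Get-ADReplicationPartnerMetadata output and reports only the links that are failing or have not replicated recently, which is the window in which a disabled account or a password reset may not yet be known to every DC. The function name Get-StaleReplicationLink, the 180-minute threshold and the sample objects are assumptions constructed for illustration.

```powershell
# Added example (not from the original article): flag failing or stale replication links.
function Get-StaleReplicationLink {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-ADReplicationPartnerMetadata output
        [Parameter(Mandatory, ValueFromPipeline)] [object]$Metadata,
        # Assumed threshold; tune it to your site link replication interval
        [int]$MaxAgeMinutes = 180,
        [datetime]$Now = (Get-Date)
    )
    process {
        $last = $Metadata.LastReplicationSuccess
        $age  = if ($last) { [int](($Now - $last).TotalMinutes) } else { $null }
        $reasons = @()
        if ($Metadata.LastReplicationResult -ne 0) {
            $reasons += "LastResult=$($Metadata.LastReplicationResult)"
        }
        if ($Metadata.ConsecutiveReplicationFailures -gt 0) {
            $reasons += "Failures=$($Metadata.ConsecutiveReplicationFailures)"
        }
        if ($null -eq $age) { $reasons += 'NeverSucceeded' }
        elseif ($age -gt $MaxAgeMinutes) { $reasons += "Stale=${age}min" }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Server              = $Metadata.Server
                Partner             = $Metadata.Partner
                MinutesSinceSuccess = $age
                Reason              = $reasons -join '; '
            }
        }
    }
}

# Constructed sample data so the filter can be tried without a domain
$now = [datetime]'2024-01-10T12:00:00'
$sample = @(
    [pscustomobject]@{ Server = 'DC1'; Partner = 'DC2'; LastReplicationResult = 0
        ConsecutiveReplicationFailures = 0; LastReplicationSuccess = $now.AddMinutes(-12) }
    [pscustomobject]@{ Server = 'DC2'; Partner = 'DC1'; LastReplicationResult = 0
        ConsecutiveReplicationFailures = 0; LastReplicationSuccess = $now.AddHours(-9) }
    [pscustomobject]@{ Server = 'DC3'; Partner = 'DC1'; LastReplicationResult = 1722
        ConsecutiveReplicationFailures = 4; LastReplicationSuccess = $now.AddDays(-2) }
)
$sample | Get-StaleReplicationLink -Now $now | Format-Table -AutoSize

# Against a live domain, feed it the command shown above:
# Get-ADReplicationPartnerMetadata -Target "$env:userdnsdomain" -Scope Domain | Get-StaleReplicationLink
```

With the sample data, the DC1 link is omitted as healthy, DC2 is reported as stale (540 minutes) and DC3 is reported with its last result code, failure count and staleness.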
You can get the replication status of a certain object:
Get-ADReplicationAttributeMetadata -Object "CN=Maggie Skosana,OU=Users,DC=woshub,DC=com" -Server DC1
Using the Get-ADReplicationQueueOperation cmdlet, you can get the list of pending replication operations on a specific server.
The Get-ADReplicationUpToDatenessVectorTable cmdlet returns the list of USN values for replication partners:
Get-ADReplicationUpToDatenessVectorTable * | ft Partner,Server,UsnFilter
Thus, PowerShell is a powerful and convenient tool for replication monitoring and troubleshooting in the AD forest, which can be a 100% substitute for repadmin in Active Directory replication management tasks. You can use PowerShell along with the dcdiag and repadmin tools to check the health of your Active Directory domain.