


How To Check Replication Between Domain Controllers

Domain Controller Health Check Guide

Keep an eye on Active Directory (AD) health with commands that are built into Windows Server.

Domain Controller Health Check

Active Directory is coordinated by domain controllers. These controllers are essential to the smooth running of your AD implementations. Therefore, it is important to know how to check on their statuses.

A health check for Active Directory domain controllers can be performed with native Microsoft tools that cost nothing. However, there are some skills you need to acquire in order to carry out the check. We will show you how.

Repadmin

The first tool that you need in order to check up on your domain controllers is called repadmin. This is a command that is built into Windows Server, so you don't need to download or install any software in order to use it.

All of the domains in a forest need to be coordinated through replication. The repadmin utility lets you check on how that process is faring by accessing a summary report from repadmin. This is available through the command repadmin /replsummary.

In the output of the summary, you will be able to see that all of your domain controllers are replicating properly. The largest replication delta means the longest time gap that occurred between replications for that domain controller. You can also see in the output if any replication activities failed.

You can get more detail of the replication activity of each domain controller with the command repadmin /showrepl. To limit the output to just the information for one domain controller, put its label at the end of the showrepl option, such as repadmin /showrepl DC1. The showrepl option will display the neighbors (replication partners) that update the domain controller.

You can home in on the replication errors if any were reported in the summary output by specifying the /errorsonly option, e.g. repadmin /showrepl /errorsonly.

If one of your domain controllers is out of date, you can command an immediate replication run with the option repadmin /syncall. Name the domain controller that needs to be updated in the repadmin command. This command should be run on the server that hosts the AD domain. For example, to update domain controller DC2 immediately, you would use repadmin /syncall dc2. There is a long list of options that can be added to the end of this command. To see them all, enter repadmin /syncall /?.

To see the full list of repadmin commands, type repadmin /?.
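The replication checks described above can be turned into a repeatable report. The following is an added example, not part of the original guide: it assumes the CSV form of the showrepl report (repadmin /showrepl * /csv), and the sample rows, the function name Get-ReplicationProblem and the 12-hour staleness limit are constructed for illustration.

```powershell
# Constructed sample in the column layout printed by `repadmin /showrepl * /csv`.
# On a domain controller, use instead:  $csv = repadmin /showrepl * /csv
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=example,DC=test",HQ,DC2,RPC,0,0,2024-05-01 10:15:02,0
showrepl_INFO,HQ,DC1,"DC=example,DC=test",Branch,DC3,RPC,14,2024-05-01 10:01:44,2024-04-30 21:12:09,1722
showrepl_INFO,HQ,DC2,"CN=Configuration,DC=example,DC=test",HQ,DC1,RPC,0,0,2024-04-30 08:00:00,0
'@ -split "`r?`n"

function Get-ReplicationProblem {
    param(
        [string[]]$CsvLines,
        [datetime]$Now = (Get-Date),
        [int]$MaxAgeHours = 12    # assumed staleness limit; tune to your schedule
    )
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $reason = $null
        $lastOk = $row.'Last Success Time' -as [datetime]   # "0" (never) becomes $null
        if ($row.showrepl_COLUMNS -ne 'showrepl_INFO') {
            $reason = "row type $($row.showrepl_COLUMNS)"    # not a normal link row
        } elseif ([int]$row.'Number of Failures' -gt 0) {
            $reason = "$($row.'Number of Failures') failures, status $($row.'Last Failure Status')"
        } elseif (-not $lastOk) {
            $reason = 'no successful replication recorded'
        } elseif (($Now - $lastOk).TotalHours -gt $MaxAgeHours) {
            $reason = "last success more than $MaxAgeHours hours ago"
        }
        if ($reason) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                LastSuccess   = $lastOk
                Reason        = $reason
            }
        }
    }
}

# Fixed -Now so the constructed sample always yields the same two problem links.
Get-ReplicationProblem -CsvLines $csv -Now ([datetime]'2024-05-01 10:30:00') |
    Format-Table -AutoSize
```

Links that have quietly stopped replicating show no failure count, which is why the age of the last success is checked separately from the failure column.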

Services check in PowerShell

Access PowerShell to see that the Active Directory Domain services are running properly. These are the six services to look at:

  • DNS server
  • DFS replication
  • Intersite messaging
  • Kerberos key distribution
  • Active Directory Domain Services
  • NetLogon

In order to check that these services are all running, use the following two lines:

          $Services='DNS','DFS Replication','Intersite Messaging','Kerberos Key Distribution Center','NetLogon','Active Directory Domain Services'
          ForEach ($Service in $Services) {Get-Service $Service | Select-Object Name, Status}

Although this is a complicated request to write, the output is very straightforward: you should just get a report that each of these services is running.

DCDiag (dcdiag.exe)

A key tool that you need in order to keep tabs on your AD domain controllers is called DCDiag, or dcdiag.exe. This also covers issues around replication. As well as this, it can check on DNS servers and other essential services. The command is bundled in with the Remote Server Administration Tools (RSAT) and it is also included with the AD DS role.

DCDiag is able to run 30 different tests on your Active Directory domain controllers and their supporting services. Among these tests are:

  • Initial tests to verify the availability of key services and to ensure that they are contactable. These tests must be performed before all others and they can't be left out. They check on the DNS server, that the domain controller can be contacted over the network, that the domain controller allows binding to an LDAP instance, and to the AD RPC interface.
  • Advertising tests that check on the ability of other devices to locate the domain controller, which means that the controller is correctly notifying all other devices of its presence. The details of the response to this test are important – not just that there is a response – because it includes flags that indicate which services the domain controller can locate. These services are an LDAP server, the Write or Read-Only status, the time server, whether the DC is a global catalog and whether it is ready to respond, and the Key Distribution Center (KDC).
  • Cross-reference objects test to see if the application partition's cross-reference objects have the correct domain name.
  • Cross-reference validation gets the naming contexts in the DC and checks them.
  • Security services check to test that there is at least one reachable KDC per domain, that the Knowledge Consistency Checker (KCC) is working, that the GC's computer object has replicated to other domain controllers, that it also has an account within the Active Directory setup that marks it as a domain controller and has the correct flags set. It also checks on the likelihood of fragmentation of Kerberos packets.
  • DC connectivity tests examine whether all domain controllers can communicate with their partner DCs.
  • File Replication Service tests look in the Event log for any error warnings related to the FRS that occurred over the last 24 hours. This is for Windows Server versions before 2008.
  • Distributed File Service Replication tests examine DFSR Event log warnings over the last 24 hours to verify that the replication system is working correctly. This is for Windows Server 2008 and later.
  • Registry key validation is carried out to ensure that the domain controller's Netlogon SysvolReady value in the registry is properly set. This test contributes to the FRS and DFSR tests that are outlined above.
  • Account validation makes sure that the user accounts that require access to the domain controller's NetLogon and Sysvol values in order to function can actually get access. Other account-related tests include a verification that the account of the domain controller can access Active Directory and that it is marked as a Domain Controller account, that all flags on the account are correct and that it has the correct server reference. These account tests also offer repair options in the commands that run the checks.
  • Object replication verification checks a small number of objects and attributes on several domain controllers to ensure that they have been replicated. The test will also show the last update date and time of each value on each instance. Note that this replication is for the data within the domain controller.
  • Replication checks return data on recent replication attempts, showing statuses and times of each event. It particularly focuses on whether any replication took more than 12 hours and whether any domain controller has replication disabled.
  • RID Master tests see whether the RID Master role holder can be located and contacted and has valid RID pool values.
  • Services tests look at the statuses of all vital services for AD, such as DNS, FRS/DFSR, and KDC.
  • Event log tests ensure that Windows Event logs related to Active Directory are being preserved. These print all related log messages from the last hour.
  • Replication topology checks look at whether inter and intra-site replication is possible for a specific domain controller by exploring the settings of all upstream and downstream replication partners.

It is possible to see all of the test categories available in dcdiag.exe by issuing the command dcdiag /h.

How to run DCDiag tests

The dcdiag.exe program makes operating tests very easy. You don't need to issue a command for each test. Instead, one short dcdiag.exe request launches a group of tests. Some guides tell you that you have to name the dcdiag program in full in order to run it, typing dcdiag.exe. However, this is not necessary – typing dcdiag is enough.

There are two formats to running the command depending on whether you want to query the domain controller that is resident on the host on which you run the command or on a DC that is hosted on a remote server. If you want to test a remote domain controller, you put its name immediately after the command with the /s: switch; if you are examining the local domain controller, you leave that bit out.

It is also possible to specify a username and password for a remote domain controller account. The label for the account name is /u: and for the password is /p:. So, an example of a command to test a remote domain controller could be:

          dcdiag /s:DC01 /u:Administrator /p:ComPlex1PssWd7        

To run tests on a local domain controller, you would just need to type in

          dcdiag        

The good news is that this one command runs a battery of tests. There is a list of individual test names that you can run individually.

DCDiag options

DCDiag options go after the command and an optional identifier for a remote domain controller. You can get a list of them by entering dcdiag /? or dcdiag /h. Here is the list:

  • /a Test all domain controllers on this site.
  • /e Test all domain controllers for this enterprise.
  • /q Quiet mode. Only show error messages.
  • /v Verbose mode. Display detailed information on each test.
  • /c Comprehensive mode. Run all tests except DCPromo, RegisterInDNS, Topology, CutoffServers, and OutboundSecureChannels.
  • /i Ignore superfluous error messages.
  • /fix Fix the Service Principal Name (only for the MachineAccount test).
  • /f: <filename> Send all output to the named file.
  • /test: <testname> Perform only the named test.
  • /skip: <testname> Skip the named test from the series.
  • /ReplSource: <SourceDomainController> Test the relationship between the subject DC and the named DC.

It isn't necessary to add any options to the command; DCDiag can be run alone, without any further keywords, just the command name itself.

Running specific tests with DCDiag (dcdiag.exe)

The straightforward dcdiag command runs a battery of tests. It is possible to just run one of these tests or a category of tests. For example, DNS-related tests are all grouped under the test name DNS. To run these tests on a local server, you just need to enter:

          dcdiag /test:DNS        

This command will run a suite of tests:

  • DnsBasic Basic tests, such as connectivity, DNS client configuration, service availability, and zone existence.
  • DnsForwarders Checks the configuration of forwarders plus the DnsBasic tests.
  • DnsDelegation Checks for proper delegations plus the DnsBasic tests.
  • DnsDynamicUpdate Checks whether a dynamic update is enabled in the Active Directory zone plus the DnsBasic tests.
  • DnsRecordRegistration Checks if the address (A), canonical name (CNAME), and well-known service (SRV) resource records are registered, creating an inventory report. Also performs the DnsBasic tests.
  • DnsResolveExtName [/DnsInternetName:<InternetName>] Tests the DNS records by resolving Microsoft.com. If the optional DnsInternetName is specified, this will be resolved instead. Also runs the DnsBasic tests.
  • DnsAll Performs all tests, except for DnsResolveExtName.

As well as running a group of tests, the /test option can launch individual tests. So, in the DNS option above, the user could also choose to just run the DnsBasic package with the command:

          dcdiag /test:DnsBasic        

DCDiag (dcdiag.exe) is a very useful tool but be aware that some tests can take a long time to run. Especially if you use the /e option to test the entire system, don't expect to see a report straight away. Those administrating the system for a large company with many inter-connected sites that share an AD structure should launch the command and then go to lunch while waiting for a response.
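Because a full dcdiag run produces a long report, it helps to reduce it to the tests that failed. The following is an added example, not part of the original guide: it assumes English-language dcdiag output, and the sample text, the DC name DC01 and the function name Get-DcDiagResult are constructed for illustration.

```powershell
# Constructed sample of English-language dcdiag output for a DC named DC01.
# On a live system, use instead:  $out = dcdiag /s:DC01
$out = @'
   Testing server: Default-First-Site-Name\DC01
      Starting test: Advertising
         ......................... DC01 passed test Advertising
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.
         ......................... DC01 failed test DFSREvent
      Starting test: Services
         ......................... DC01 passed test Services
      Starting test: Replications
         ......................... DC01 failed test Replications
'@ -split "`r?`n"

function Get-DcDiagResult {
    param([string[]]$Lines)
    $detail = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*Starting test:\s*(\S+)') {
            $detail = @()                       # new test: reset collected detail
        } elseif ($line -match '^\s*\.{5,}\s+(?<Target>\S+)\s+(?<Result>passed|failed)\s+test\s+(?<Test>\S+)') {
            # Verdict line: emit one object per test, with any text printed before it
            [pscustomobject]@{
                Target = $Matches.Target
                Test   = $Matches.Test
                Passed = $Matches.Result -eq 'passed'
                Detail = ($detail -join ' ').Trim()
            }
        } elseif ($line.Trim()) {
            $detail += $line.Trim()             # free text printed by the test
        }
    }
}

$results = Get-DcDiagResult -Lines $out
# Show only the failures (DFSREvent and Replications in the constructed sample).
$results | Where-Object { -not $_.Passed } | Format-List Target, Test, Detail
```

The resulting objects can be exported or compared between runs, so a test that starts failing on one domain controller stands out.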

Summary

By using Repadmin, a PowerShell services check, and DCDiag, you can get a very good view of your AD structure. However, despite the great services of these free utilities, you will still be using manual methods to maintain a complicated IT system.

Active Directory is vital for effective system security but it can be difficult to visualize and manage. Consider an automated tool instead. You should check out ManageEngine ADManager Plus and the SolarWinds Active Directory Monitoring tool for some good automated AD management tools.


Source: https://www.comparitech.com/net-admin/domain-controller-health-check-guide/

Posted by: gutierrezexcepromarry.blogspot.com
