How to Check Active Directory Replication Status Health
Active Directory (AD) replication is an essential process that ensures data consistency across all domain controllers (DCs) in an organization. If replication is not functioning correctly, it leads to various issues, including authentication failures and data inconsistencies. In this article, we discuss and test how to check the replication status of our Active Directory environment using built-in tools and techniques.
Prerequisites
This tutorial includes various demos. To follow along, make sure we have the following:
- Windows PowerShell v5.1 or greater
- An Active Directory Domain.
- A domain-joined Windows 10 workstation with a logged-in user who is part of the Enterprise Admins group.
- Remote Server Administration Tools (RSAT) installed on the AD-joined machine.
Understanding AD Sites, Subnets, and Links with PowerShell
Let us start this article by understanding the terrain and inspecting our environment’s AD sites, subnets, and links using PowerShell. First, open PowerShell on a domain-joined Windows PC with the ActiveDirectory PowerShell module installed. We import the module by running the command below:
Import-Module ActiveDirectory
Active Directory Sites
The Get-AdReplicationSite cmdlet is a PowerShell command that allows us to retrieve information about your organization’s Active Directory replication sites. This command is helpful in a range of tasks, including identifying the replication topology of your domain, troubleshooting replication issues, and monitoring the health and status of our Active Directory environment.
Run the Get-ADReplicationSite cmdlet with no parameters. PowerShell returns the Active Directory site from which we executed the command.
Get-ADReplicationSite
Run Get-AdReplicationSite with the Filter parameter and an asterisk (*) to find all Active Directory sites for the entire domain.
Get-ADReplicationSite -Filter *
The Filter parameter enables us to filter sites in a variety of ways. Run Get-Help about_ActiveDirectory_Filter to learn more about creating queries for the Filter parameter.
Active Directory Site Links
The Get-ADReplicationSiteLink cmdlet is a PowerShell command that allows us to retrieve information about our organization’s Active Directory replication site links. Overall, site links establish the replication pathways between different sites in our Active Directory environment and are an essential component of the overall replication topology. Using the Get-ADReplicationSiteLink cmdlet, we retrieve and analyse information about your site links, including their names, schedules, and cost.
This command helps to troubleshoot replication issues, monitor the health and status of your Active Directory environment, and optimize your replication infrastructure’s performance. To find AD site links, follow the same steps for finding sites, but use the Get-ADReplicationSiteLink command instead. However, unlike the Get-ADReplicationSite command, the Get-ADReplicationSiteLink command requires the Filter parameter to be specified.
Get-ADReplicationSiteLink -Filter *
Active Directory Subnets
Finally, the Get-ADReplicationSubnet cmdlet is a PowerShell command that allows you to retrieve information about your organization’s Active Directory replication subnets. Replication subnets define the physical locations of domain controllers within your Active Directory environment and are essential in determining our domain’s replication topology and schedules. Using the Get-ADReplicationSubnet cmdlet, you retrieve and analyse information about your replication subnets, including their names, descriptions, and locations.
Get-ADReplicationSubnet -Filter *
The three concepts above are essential for checking AD replication. However, other commands may be vital in a specific situation. For example, run Get-Command "*ADReplication*" to return all PowerShell commands for working with AD sites.
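The three cmdlets above can be combined into a single topology check. The following is an added example, not part of the original article: the function name Get-SiteTopologyGap, the sites Branch and Lab, and the subnet values are assumptions, and the sample objects are constructed so the logic can be read without a live domain.

```powershell
# Added example: flag sites with no subnet or no site link.
# Live input comes from the cmdlets discussed above, for example:
#   Get-SiteTopologyGap -Sites (Get-ADReplicationSite -Filter *) `
#       -Subnets (Get-ADReplicationSubnet -Filter *) `
#       -SiteLinks (Get-ADReplicationSiteLink -Filter *)
function Get-SiteTopologyGap {
    param(
        [object[]] $Sites,
        [object[]] $Subnets,
        [object[]] $SiteLinks
    )
    # Every site DN that appears in at least one site link.
    $linked = @($SiteLinks | ForEach-Object { $_.SitesIncluded })

    foreach ($site in $Sites) {
        $dn = $site.DistinguishedName
        # A subnet object's Site property holds the DN of its site.
        $names = @($Subnets | Where-Object { $_.Site -eq $dn } |
                   ForEach-Object { $_.Name })
        [pscustomobject]@{
            Site       = $site.Name
            Subnets    = $names -join ', '
            NoSubnet   = ($names.Count -eq 0)
            NoSiteLink = ($linked -notcontains $dn)
        }
    }
}

# Constructed sample objects; 'Branch' and 'Lab' are hypothetical sites.
$root  = 'CN=Sites,CN=Configuration,DC=test,DC=local'
$sites = 'Default-First-Site-Name', 'Branch', 'Lab' | ForEach-Object {
    [pscustomobject]@{ Name = $_; DistinguishedName = "CN=$_,$root" }
}
$subnets = @(
    [pscustomobject]@{ Name = '10.0.0.0/24'; Site = "CN=Default-First-Site-Name,$root" }
    [pscustomobject]@{ Name = '10.0.1.0/24'; Site = "CN=Branch,$root" }
)
$links = @(
    [pscustomobject]@{
        Name          = 'DEFAULTIPSITELINK'
        SitesIncluded = @("CN=Default-First-Site-Name,$root", "CN=Branch,$root")
    }
)
Get-SiteTopologyGap -Sites $sites -Subnets $subnets -SiteLinks $links |
    Format-Table -AutoSize
```

In the constructed data, the Lab site is reported with both NoSubnet and NoSiteLink set to True, because it has no subnet assigned and is not included in any site link.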
Understanding AD Sites, Links, and Subnets via GUI
Even though this article is about PowerShell, understanding how to inspect and manage Active Directory sites via the GUI is still necessary. We will not always use PowerShell to manage AD sites.
Select Start and then type Active Directory Sites. Active Directory Sites and Services (ADDS) should now be visible in the Windows Administrative Tools program group.
When we launch Active Directory Sites and Services, there are a few interesting areas in the tool:
- The DC to which the tool is currently connected: Knowing the DC is advantageous because it may take several hours to replicate between sites when we switch.
- Inter-Site Transports: The protocols that the sites will use for replication.
- Subnets: Assign and segregate the network.
- The list of sites: We will only see Default-First-Site-Name in a default domain.
If we expand the items in AD Sites and Services, we will see the following:
- An IP transport.
- Subnets.
- The domain controllers assigned to the sites.
Monitoring Replication Status Using Repadmin
To understand how changes to user accounts, or any other AD objects, are tracked, we must first understand DC replication. What links replication to detecting changes? Update Sequence Numbers (USNs).
Understanding AD Replication Changes using USNs
Active Directory may contain millions of user accounts in a large enterprise environment. With that many accounts, tracking what’s changing daily is nearly impossible. However, we can build systems to monitor user account changes by understanding how Active Directory processes changes.
Even if we only have a single DC replicating our environment, understanding USNs is essential.
DCs always keep a backup of the Active Directory database. They keep a copy of the database by replicating it. If that’s the case, how do they know when replication takes place on a single DC? This kind of situation is where the USN comes into play.
When an Active Directory object attribute changes on a DC, the DC increments the USN value for that object. Once incremented, the change is sent to all other DCs in the domain along with the USN.
What is a USN?
Active Directory contains many objects, such as users, computers, contacts, etc. Each object has several attributes that we can change. Furthermore, each attribute is assigned a unique number known as a USN.
When Active Directory modifies an object’s attributes, it automatically increments the USN of that attribute.
How USNs and DC Replication Work
When we change an object attribute on a single DC in Active Directory, that DC sends a replication pull request. The pull request instructs the DC’s replication partners to retrieve the most recent attributes from its database. After that, the replication partners compare their copies of the attribute’s USN with that of the replication-initiating DC. If the other USN is greater, the destination DC permits the replicating DC to replicate the change.
Monitoring USN Changes with Repadmin
Now that we know how USNs get updated, let’s jump into an example of monitoring Active Directory changes with Microsoft’s replication administration (repadmin) tool. Repadmin is a tool included with Active Directory that allows us to troubleshoot replication between DCs in an Active Directory forest.
1. Log in to a Domain Controller and open PowerShell.
2. Run the following repadmin command to list all of the properties of the user1 user account along with their version numbers. The example below assumes the user1 user account is located in the Test OU of the article’s test.local Active Directory domain.
repadmin /ShowObjMeta dc01 "CN=User1,OU=Test,DC=test,DC=local"
The /ShowObjMeta parameter requires the domain controller to contact and the object’s distinguished name. The output displays the replication metadata stored in Active Directory for the specified object, such as attribute ID, version number, originating and local USN, and the originating server’s GUID and date and timestamp.
The repadmin output has a Ver column. This Version (Ver) column is an incrementing number representing how many times the attribute has changed. Together with the date, this value is the indicator for detecting where something has changed.
Take specific note of the displayName attribute. The version is 3, meaning that the attribute value has been changed.
3. Run the PowerShell command below to change the displayName attribute for the User1 user account. We do this step to simulate a change in our AD environment.
Set-ADUser User1 -DisplayName "User 1"
4. Now, rerun repadmin with the same command as in step two to see that the USNs and version have incremented and the Org. Time/Date has been updated.
repadmin /ShowObjMeta dc01 "CN=User1,OU=Test,DC=test,DC=local"
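The before-and-after comparison from steps 2 to 4 can also be done on structured objects rather than by reading repadmin output. The following is an added example, not part of the original article: it assumes snapshots taken with the Get-ADReplicationAttributeMetadata cmdlet from the ActiveDirectory module, the function names Compare-AttributeMetadata and New-Meta are hypothetical, and the USNs, timestamps and server identity in the sample data are constructed.

```powershell
# Added example: diff two snapshots of per-attribute replication metadata.
# Live snapshots come from the ActiveDirectory module, for example:
#   $before = Get-ADReplicationAttributeMetadata -Server dc01 `
#       -Object 'CN=User1,OU=Test,DC=test,DC=local'
function Compare-AttributeMetadata {
    param(
        [Parameter(Mandatory)] [object[]] $Before,
        [Parameter(Mandatory)] [object[]] $After
    )
    # Index the baseline by attribute name for constant-time lookups.
    $baseline = @{}
    foreach ($m in $Before) { $baseline[$m.AttributeName] = $m }

    foreach ($m in $After) {
        $old = $baseline[$m.AttributeName]
        # An attribute missing from the baseline counts as version 0.
        $oldVersion = if ($null -ne $old) { $old.Version } else { 0 }
        if ($m.Version -gt $oldVersion) {
            [pscustomobject]@{
                Attribute  = $m.AttributeName
                OldVersion = $oldVersion
                NewVersion = $m.Version
                OrgUsn     = $m.LastOriginatingChangeUsn
                OrgTime    = $m.LastOriginatingChangeTime
                OrgServer  = $m.LastOriginatingChangeDirectoryServerIdentity
            }
        }
    }
}

# Constructed sample snapshots (values are illustrative, not real output).
function New-Meta($Name, $Ver, $Usn, $Time) {
    [pscustomobject]@{
        AttributeName = $Name; Version = $Ver
        LastOriginatingChangeUsn  = $Usn
        LastOriginatingChangeTime = [datetime]$Time
        LastOriginatingChangeDirectoryServerIdentity = 'dc01 (constructed)'
    }
}
$before = @(
    (New-Meta 'displayName' 3 20481 '2023-03-01 09:15:00'),
    (New-Meta 'description' 1 20100 '2023-02-11 14:02:00')
)
$after = @(
    (New-Meta 'displayName' 4 20977 '2023-03-02 10:40:00'),
    (New-Meta 'description' 1 20100 '2023-02-11 14:02:00')
)
Compare-AttributeMetadata -Before $before -After $after | Format-Table -AutoSize
```

With the constructed snapshots, only displayName is reported, moving from version 3 to version 4; the unchanged description attribute is filtered out.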
How to Check Active Directory Replication Status Health Conclusion
In conclusion, checking the replication status of our Active Directory environment is an essential task for ensuring the health and stability of your network. Using the built-in tools and techniques outlined in this article, you can quickly and easily check the replication status of your domain controllers and identify any existing issues. Whether you are a network administrator or simply looking to ensure the smooth operation of your Active Directory environment, this guide provides the information you need to get started.