Tools You Can Use to Maintain Active Directory's Health
In Part 2 of this series, I began discussing the Replication Diagnostic Tool. In this article, I'll discuss this tool in greater detail. I'll then go on to discuss some other tools that you can use to keep your Active Directory healthy.
The Replication Diagnostic Tool
As I discussed in Part 2, the Replication Diagnostic Tool is a command-line tool that can be used to spot replication problems such as an offline server or a LAN or WAN link that's unavailable. This tool can also be used to establish a replication topology. However, you should never create your own replication topology unless you have a good reason for doing so and know exactly what you're doing, because creating a custom replication topology interferes with the replication topology that Windows creates automatically. Under normal circumstances, the Knowledge Consistency Checker (KCC) automatically manages the replication topology. Incorrectly using this tool interferes with Windows' built-in ability to manage replication and can even cause replication to stop completely. With that said, I'll begin discussing how to use the tool for diagnostic purposes.
The Replication Diagnostic Tool relies on an executable file called REPADMIN.EXE. If you enter the command REPADMIN /?, you'll find that the syntax of this command can be a bit tedious. However, as you'll see later, using the Replication Diagnostic Tool isn't as complicated as it might first appear.
Basically, like many other command-line tools, the Replication Diagnostic Tool only requires you to follow the name of the executable file with a command and the arguments that the command requires. You can also supplement the command and arguments with the domain, username, and password of the user who should be executing the command. However, you have to add this information only if you're currently logged in as a user who has insufficient privileges to execute the command.
If you're building a batch file or you simply don't want the password to appear on screen, you can use an asterisk (*) in place of the password; doing so will make the tool ask for the password when the command is executed. You can see how to add a user name and password to the command in this example:
REPADMIN /command <arguments> /U:domain\username /pw:*
Forcing the KCC to Run
Now that you understand the basic syntax of the command, let's look at how to use some of the Replication Diagnostic Tool's more common functions. I mentioned earlier that the KCC is normally responsible for managing the network's replication topology. You can use the REPADMIN command to force the KCC to run. To do so, enter the following command:
REPADMIN /KCC <server name>
Viewing the Current Replication Topology
The Replication Diagnostic Tool can also be used to view the current replication topology. Essentially, this means viewing all of a server's replication partners, as long as those partners can be reached. Because this tool doesn't display any replication partners that are unreachable, a partner that is missing from the output points to a communications problem. To display the replication partners for a given server, enter the following command:
REPADMIN /SHOWREPS <server name>
You can also append a directory context to the command in the form of DC=POSEY. When you execute this command, you'll see results similar to the following. In real life, you'd also see a summary of the replication partners, but I've cut off that part in the interest of saving space:
C:\>repadmin /showreps cartman
DSA Options : IS_GC
objectGuid : 6d50c320-84f2-4197-bc98-5b51f9a93f9b
==== INBOUND NEIGHBORS ======================================
==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
Finally, you can use the Replication Diagnostic Tool to force replication between two servers. The syntax for doing so can be a little tricky; so, unless you need to build this ability into a batch file or you're just a command-line junkie, you're usually better off forcing replication through another method, such as using the Active Directory Sites and Services console.
To understand the syntax for forcing replication, notice that when I ran the REPADMIN /SHOWREPS command, one of the returned pieces of information was the objectGuid. You'll need to know the objectGuid of the source server in order to force replication. Here's the syntax for forcing replication:
REPADMIN /SYNC <directory partition DN> <Destination server name> <source server objectGuid>
To get a feel for how this command works, suppose that I want to replicate between a server named CARTMAN and a server named BEAVIS. To do so, I can use a command like the following:
REPADMIN /SYNC DC=Posey,DC=COM Beavis 6d50c320-84f2-4197-bc98-5b51f9a93f9b
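The two tasks above, reading the REPADMIN /SHOWREPS output to spot partners that are missing or failing, and building a REPADMIN /SYNC line from a partner's objectGuid, lend themselves to a small script. The following is an added example, not code from the article or from Microsoft's tools. The article only shows the header lines of the output, so the neighbor layout the parser expects (a partition DN at column 0, then an indented "<site>\<server> via RPC" line with "DSA object GUID:" and "Last attempt" lines under it) is an assumption based on the usual repadmin format, and the sample text, the partner names BEAVIS/KENNY/STAN, the GUIDs, timestamps and error code are all constructed:

```python
"""Check `repadmin /showreps` output for replication problems and build /sync commands.

Added example, not from the article. The neighbor layout assumed below
(partition DN at column 0, indented "site\\server via RPC" lines, then
"DSA object GUID:" / "Last attempt" lines) follows the usual repadmin
format; the sample text is constructed, not captured from a real domain.
"""
import re
from dataclasses import dataclass

# Constructed sample modelled on the article's `repadmin /showreps cartman` run.
# Partner names, site, GUIDs, timestamps and the 1722 error are made up.
SAMPLE_OUTPUT = """\
Default-First-Site-Name\\CARTMAN
DSA Options : IS_GC
objectGuid : 6d50c320-84f2-4197-bc98-5b51f9a93f9b

==== INBOUND NEIGHBORS ======================================

DC=Posey,DC=COM
    Default-First-Site-Name\\BEAVIS via RPC
        DSA object GUID: 11111111-2222-3333-4444-555555555555
        Last attempt @ 2003-03-01 09:15:02 was successful.
    Default-First-Site-Name\\KENNY via RPC
        DSA object GUID: aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
        Last attempt @ 2003-03-01 09:20:11 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2003-02-28 23:40:05.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============
"""

GUID = r"([0-9a-fA-F-]{36})"


@dataclass
class Neighbor:
    partition: str      # directory partition DN the neighbor replicates
    server: str         # partner DSA name, upper-cased
    guid: str = ""      # partner's DSA object GUID (the /sync source GUID)
    ok: bool = True     # last attempt succeeded
    failures: int = 0   # consecutive failure count reported by repadmin
    error: str = ""     # error text for a failed attempt


def parse_showreps(text):
    """Return (local objectGuid, list of inbound Neighbor records)."""
    local_guid, neighbors, partition, current, in_inbound = None, [], None, None, False
    for line in text.splitlines():
        stripped = line.strip()
        m = re.match(r"objectGuid\s*:\s*" + GUID, stripped)
        if m:
            local_guid = m.group(1)
            continue
        if stripped.startswith("==== INBOUND NEIGHBORS"):
            in_inbound = True
            continue
        if stripped.startswith("==== OUTBOUND NEIGHBORS"):
            break  # only inbound partners are checked here
        if not in_inbound or not stripped:
            continue
        if not line.startswith(" ") and stripped.startswith("DC="):
            partition = stripped  # partition DN at column 0
            continue
        m = re.match(r"(\S+)\\(\S+) via (\w+)", stripped)
        if m:
            current = Neighbor(partition=partition, server=m.group(2).upper())
            neighbors.append(current)
            continue
        if current is None:
            continue
        m = re.match(r"DSA object GUID:\s*" + GUID, stripped)
        if m:
            current.guid = m.group(1)
        elif stripped.startswith("Last attempt") and "failed" in stripped:
            current.ok = False
            current.error = stripped.split("failed,", 1)[1].strip()
        else:
            m = re.match(r"(\d+) consecutive failure", stripped)
            if m:
                current.failures = int(m.group(1))
            elif not current.ok and current.error.endswith(":"):
                current.error += " " + stripped  # error message on the next line
    return local_guid, neighbors


def check_health(text, expected_partners):
    """List partners that never appear (unreachable) or whose last attempt failed."""
    _, neighbors = parse_showreps(text)
    seen = {n.server for n in neighbors}
    problems = [f"{p.upper()}: not listed as a replication partner"
                for p in expected_partners if p.upper() not in seen]
    problems += [f"{n.server}: last attempt failed ({n.failures} consecutive): {n.error}"
                 for n in neighbors if not n.ok]
    return problems


def sync_commands(text, destination):
    """Build one `repadmin /sync <partition> <destination> <source GUID>` line per partner."""
    _, neighbors = parse_showreps(text)
    return [f"repadmin /sync {n.partition} {destination} {n.guid}" for n in neighbors if n.guid]


if __name__ == "__main__":
    for problem in check_health(SAMPLE_OUTPUT, ["beavis", "kenny", "stan"]):
        print("PROBLEM:", problem)
    for cmd in sync_commands(SAMPLE_OUTPUT, "CARTMAN"):
        print(cmd)
```

On a live domain controller you would feed the script the captured text of repadmin /showreps (the script runs nothing itself) and keep the expected-partner list in step with what the KCC has generated, so that a partner dropping out of the output is reported rather than silently going unnoticed.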
Active Directory Diagnostic Tool
Now that you're familiar with the functionality of the Replication Diagnostic Tool, let's look at another tool that you can use to keep your Active Directory healthy. The Active Directory Diagnostic Tool is a command-line utility that you can use to detect differences between naming contexts on domain controllers. You can use this tool to compare two replicas' directory trees. You can either compare replicas within the same domain, or you can compare a replica within any domain to the global catalog.
The Active Directory Diagnostic Tool isn't quite as complicated to use as the Replication Diagnostic Tool. To use this tool, simply enter its executable file name (DSASTAT.EXE) followed by the arguments you want to use. You can view the full syntax by entering the command DSASTAT /?.
As you can see, using the Active Directory Diagnostic Tool is a great way to make sure that your Active Directory remains consistent across your entire enterprise. In Part 4, I'll introduce you to some other tools that you can use to keep your Active Directory healthy.
Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.