Get a Handle on AD Internals

Use Repadmin to diagnose Active Directory problems

With luck, you'll never have to worry about Active Directory's (AD's) innards—every domain controller (DC) will replicate smoothly to every other DC. But should AD ever act oddly, you'll need tools to help diagnose the problem. The Microsoft Windows 2000 Server Resource Kit includes one such tool: repadmin.exe.

Repadmin can determine which machines a given DC replicates with. In domains of six or fewer DCs, the DCs form a bidirectional ring for replication, so every DC in the ring has a partner to its "left" and its "right." (More than six DCs leads to a more complex mesh structure.) To identify those partner DCs, type

repadmin /showreps <DCname>

where DCname is the DNS name of the DC whose partners you want to know. You'll get some fairly lengthy output—Figure 1 shows an excerpt.

Figure 1's DSA Options line tells you that this server is a Global Catalog (GC) server. The objectGuid line identifies the DC by its globally unique ID (GUID) rather than its DNS name. (If you ever need to find a DNS name from a DC's GUID, open the Forward Lookup Zones folder in the Microsoft Management Console—MMC—DNS snap-in. In the folder for your AD domain, open the _msdcs folder. For each DC in the domain, you'll see a record that contains the DC's GUID and DNS name.) Repadmin also documents the most recent replication attempts. Figure 1 shows that the DC successfully replicated to both its partners the last time that it tried.

The complete output also includes basic forest information. The configuration naming context lists the domains, sites, and DCs in the forest. Naming context is Lightweight Directory Access Protocol (LDAP) terminology for "information that AD needs to replicate." Repadmin also provides the schema naming context—a list of the fields in the AD database. Finally, Repadmin lists the domain naming context—the actual user and machine accounts and any other information that AD stores.

By default, Repadmin reports on your DC's replication partners for all three naming contexts. To limit output to a specific domain's domain naming context, include the LDAP terminology for that naming context in the command

repadmin /showreps <naming-context> <DCname>

To build the naming context, prefix each dot-separated piece of the domain's DNS name with dc= and separate the pieces with commas. So, to find out about the DC's replication partners for the uptown.acme.com domain, you'd type

repadmin /showreps dc=uptown,dc=acme,dc=com
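The naming-context rule above, as an added example that is not part of the original column: a Python helper that validates a DNS name before converting it, converts a naming context back to a DNS name, and builds the repadmin argument list as a list rather than a shell string. The function names and the DC name dc1.uptown.acme.com are assumptions made for illustration, and the helper assumes domain and DC names use only letters, digits, and hyphens.

```python
import re

# One DNS label: letters, digits, hyphen; 1-63 chars; no leading/trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def _labels(dns_name):
    """Split a DNS name into validated labels (one trailing root dot is allowed)."""
    name = dns_name.strip()
    if name.endswith("."):
        name = name[:-1]
    if not name or len(name) > 253:
        raise ValueError("empty or over-long DNS name: %r" % dns_name)
    labels = name.split(".")
    for label in labels:
        # Rejects spaces, commas, '=' and anything else that would change
        # the meaning of the naming context or add a command-line argument.
        if not _LABEL.fullmatch(label):
            raise ValueError("invalid DNS label %r in %r" % (label, dns_name))
    return labels


def naming_context(domain_dns_name):
    """uptown.acme.com -> dc=uptown,dc=acme,dc=com"""
    return ",".join("dc=" + label for label in _labels(domain_dns_name))


def dns_name(context):
    """dc=uptown,dc=acme,dc=com -> uptown.acme.com (dc/DC both accepted)."""
    labels = []
    for rdn in context.split(","):
        attr, sep, value = rdn.strip().partition("=")
        value = value.strip()
        if sep != "=" or attr.strip().lower() != "dc" or not _LABEL.fullmatch(value):
            raise ValueError("not a valid dc= component: %r" % rdn)
        labels.append(value)
    return ".".join(labels)


def showreps_argv(domain_dns_name, dc_dns_name):
    """Argument list for: repadmin /showreps <naming-context> <DCname>"""
    dc = ".".join(_labels(dc_dns_name))
    return ["repadmin", "/showreps", naming_context(domain_dns_name), dc]


if __name__ == "__main__":
    # Constructed sample names, not taken from a real forest.
    print(" ".join(showreps_argv("uptown.acme.com", "dc1.uptown.acme.com")))
```

Passing the returned list to a process launcher without a shell keeps each validated value as exactly one argument.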

I'll explore Repadmin further in upcoming columns.
