Repadmin：如何检查 Active Directory 复制

在本教程中，您将学习如何使用repadmin工具来检查Active Directory复制。

Repadmin 是终极复制诊断工具。

除了检查域控制器的运行状况之外，它还可以用于强制复制和查明错误。

Active Directory 复制是一项关键服务，它使更改与林中的其他域控制器保持同步。

复制问题可能会导致身份验证失败以及访问网络资源（文件、打印机、应用程序）时出现问题。

下面我将通过大量示例和结果向您展示逐步过程。

我们开工吧。

如何安装 Repadmin

Repadmin 于 2003 年随 Windows Server 2003 支持工具一起推出。

Microsoft 开始在 Windows Server 2008 及更高版本中包含 repadmin 命令。它还包含在任何安装了远程服务器管理工具 (RSAT) 的计算机上。

Repadmin 示例

要使用repadmin，您需要以管理员身份运行命令提示符。只需右键单击cmd并选择以管理员身份运行

示例1：显示repadmin帮助菜单

使用以下命令查看帮助菜单，这将显示所有命令行选项。有很多选项，但您可能不会使用其中的大多数。在下面的示例中，我将介绍最常见和最有用的命令行选项。

repadmin /?

显示结果

    C:\Users\rallen>repadmin /?
Usage: repadmin   [/u:{domain\user}] [/pw:{password|*}]
                             [/retry[:][:]]
                             [/csv]

Use these commands to see the help:

/?          Displays a list of commands available for use in repadmin and their
            description.
/help       Same as /?
/?:    Displays the list of possible arguments , appropriate
            syntaxes and examples for the specified command .
/help: Same as /?:
/experthelp Displays a list of commands for use by advanced users only.
/listhelp   Displays the variations of syntax available for the DSA_NAME,
            DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp    Displays a list of deprecated commands that still work but
            are no longer supported by Microsoft.


Supported  commands (use /? for detailed help):
     /kcc    Forces the KCC on targeted domain controller(s) to immediately
             recalculate its inbound replication topology.

     /prp    This command allows an admin to view or modify the
             password replication policy for RODCs.

     /queue  Displays inbound replication requests that the  DC needs to issue
             to become consistent with its source replication partners.

     /replicate  Triggers the immediate replication of the specified directory
             partition to the destination domain controller from the source DC.

     /replsingleobj Replicates a single object between any two domain
             controllers that have common directory partitions.

     /replsummary The replsummary operation quickly and concisely summarizes
             the replication state and relative health of a forest.

     /rodcpwdrepl Triggers replication of passwords for the specified user(s)
             from the source (Hub DC) to one or more Read Only DC's.

     /showattr Displays the attributes of an object.

     /showobjmeta Displays the replication metadata for a specified object
             stored in Active Directory, such as attribute ID, version
             number, originating and local Update Sequence Number (USN), and
             originating server's GUID and Date and Time stamp.

     /showrepl Displays the replication status when specified domain controller
             last attempted to inbound replicate Active Directory partitions.

     /showutdvec displays the highest committed Update Sequence Number (USN)
             that the targeted DC's copy of Active Directory shows as
             committed for itself and its transitive partners.

     /syncall Synchronizes a specified domain controller with all replication
              partners.

Supported additional parameters:

     /u:    Specifies the domain and user name separated by a backslash
            {domain\user} that has permissions to perform operations in
            Active Directory. UPN logons not supported.

     /pw:   Specifies the password for the user name entered with the /u
            parameter.

     /retry This parameter will cause repadmin to repeat its attempt to bind
            to the target dc should the first attempt fail with one of the
            following error status:

            1722 / 0x6ba : "The RPC Server is unavailable"
            1753 / 0x6d9 : "There are no more endpoints available from the
                            endpoint mapper"

     /csv   Used with /showrepl to output results in comma separated
            value format. See /csvhelp

示例2：总结复制状态并查看整体运行状况

您应该使用的第一个命令是 replsummary。此命令将快速显示整体复制运行状况。此命令将显示失败的复制尝试的百分比以及最大的复制增量。

repadmin /replsummary

显示结果

:\WINDOWS\system32>repadmin /replsummary
Replication Summary Start Time: 2018-03-13 04:44:54

Beginning data collection for replication summary, this may take awhile:
  .....


Source DSA          largest delta    fails/total %%   error
 DC1                       52m:48s    0 /   5    0
 DC2                       52m:46s    0 /   5    0


Destination DSA     largest delta    fails/total %%   error
 DC1                       52m:46s    0 /   5    0
 DC2                       52m:48s    0 /   5    0

示例 3：显示复制合作伙伴和状态

接下来，使用以下命令查看复制伙伴以及复制状态。这有助于您了解每个域控制器在复制过程中的角色。

此外，此命令还显示已复制的每个对象的 GUID 及其结果。这有助于识别哪些对象无法复制。

repadmin /showrepl

显示结果

C:\Users\rallen>repadmin /showrepl

Repadmin: running command /showrepl against full DC dc1.ad.activedirectorypro.com
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.

CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.

CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.

DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.

DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-13 03:52:08 was successful.

示例 4：显示特定域控制器的复制伙伴

如果您想查看特定域控制器的复制状态，请使用此命令。

将 替换为您的域控制器的名称。

repadmin /showrepl <ServerName>

显示结果

C:\WINDOWS\system32>repadmin /showrepl dc2
Default-First-Site-Name\DC2
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
DSA invocationID: 2eb95693-bfa7-4f3f-b52c-139737aa883f

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 04:21:02 was successful.

CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 03:52:07 was successful.

CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 03:52:07 was successful.

DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 03:52:07 was successful.

DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC1 via RPC
        DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
        Last attempt @ 2018-03-14 03:52:07 was successful.

示例 5：仅显示复制错误

showrepl 命令可以输出很多信息。如果您只想查看错误，请使用此命令。在此示例中，DC2 已关闭，您可以看到结果都是来自 DC2 的错误。

C:\WINDOWS\system32>repadmin /showrepl /errorsonly

Repadmin: running command /showrepl against full DC dc1.ad.activedirectorypro.com
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a4d22a63-1918-492a-bcd6-7fe286941e72
DSA invocationID: a4d22a63-1918-492a-bcd6-7fe286941e72

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.

CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.

CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.

DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.

DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408
        Last attempt @ 2018-03-15 04:19:38 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        1 consecutive failure(s).
        Last success @ 2018-03-14 07:52:08.

Source: Default-First-Site-Name\DC2
******* 1 CONSECUTIVE FAILURES since 2018-03-14 07:52:08
Last error: 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.

示例 6：显示复制队列

在队列中看到项目是正常的。如果您的环境较小，则该值通常为零，因为发生的复制很少。如果您发现队列中的物品永远不会被清除，那么您就有问题了。

使用此命令查看复制队列

Repadmin /Queue

显示结果

C:\Users\rallen>repadmin /queue

Repadmin: running command /queue against full DC dc1.ad.activedirectorypro.com
Queue contains 0 items.

示例 7：如何强制 Active Directory 复制

如果要强制在域控制器之间进行复制，请使用以下命令。您将需要在要更新的 DC 上运行此命令。例如，如果 DC1 不同步，我将在 DC1 上运行它。

这将执行拉复制，这意味着它将更新从 DC2 拉到 DC1。

repadmin /syncall dc1 /Aed

如果您想推送复制，您将使用 /P 开关。例如，如果您在 DC1 上进行更改并希望将这些更改复制到其他 DC，请使用此命令。

repadmin /syncall dc1 /APed

显示结果

C:\WINDOWS\system32>repadmin /syncall dc1 /Aed
Syncing all NC's held on dc1.
Syncing partition: DC=ForestDnsZones,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Syncing partition: DC=DomainDnsZones,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Syncing partition: CN=Schema,CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Syncing partition: CN=Configuration,DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

Syncing partition: DC=ad,DC=activedirectorypro,DC=com
CALLBACK MESSAGE: The following replication is in progress:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: The following replication completed successfully:
    From: 57a1cfbc-88bb-41da-a1a6-f14f5c9df408._msdcs.ad.activedirectorypro.com
    To  : a4d22a63-1918-492a-bcd6-7fe286941e72._msdcs.ad.activedirectorypro.com
CALLBACK MESSAGE: SyncAll Finished.
SyncAll terminated with no errors.

示例 8：将结果导出到文本文件

有时这些命令可以显示很多信息。您可以将上面的任何示例导出到文本文件，这使得以后查看或保存文档变得更容易。

只需将 > c:\destinationfolder\filename.txt 添加到任何命令的末尾

这里有一些例子

repadmin /replsummary > c:\it\replsummary.txt

repadmin /showrepl > c:\it\showrepl.txt

更多示例

查找上次备份 DC 的时间

Repadmin /showbackup *

显示尚未接听的呼叫

repadmin /showoutcalls *

列出拓扑信息

repadmin /bridgeheads * /verbose

站点间拓扑生成器报告

repadmin /istg * /verbose

结论

作为系统管理员，了解如何排除故障并验证复制是否正常工作非常重要。 repadmin 是一个简单但功能强大的工具，您应该知道如何使用。

我希望您觉得本指南很有用。如果您有任何疑问，请在下面发表评论。如果您喜欢这篇文章，请查看：如何使用 NSLookup 检查 DNS 记录。