Replication Diagnostics Tool (RepAdmin.exe) (ST)

Replication Diagnostics Tool is the only facility that allows an administrator to view and manage Active Directory replication topology and events from the command prompt or batch files. This tool, coupled with DsaStat.exe, helps to troubleshoot Active Directory consistency problems at a forest-wide level.

The Windows .NET version of RepAdmin provides about a dozen new operations (compared with the Windows 2000 version) as well as a few new parameters for previously available operations (some of which are discussed below).

We will consider some of the most frequently used options of this tool. Some of these options may seem to be too complicated. However, if you understand the Active Directory replication model well, you will quickly learn how to use the tool in the most effective way.

Note 

To use RepAdmin, you should be logged on to the network as a domain administrator. Furthermore, some operations can only be performed on a domain controller rather than on a client computer.

Note 

Essentially, the Windows 2000 and Windows .NET versions of RepAdmin work in a similar way; they differ slightly in their screen output messages and in their usage of some parameters.

Monitoring Replication Topology and Events

Triggering KCC

Normally, the Knowledge Consistency Checker (KCC) periodically verifies and automatically rebuilds the replication topology. You might want to forcibly start this process after some topology changes (e.g., after deleting connections). Take a look at the example:

    C:\>repadmin /kcc netdc1.net.dom
    Consistency check on netdc1.net.dom successful.

Viewing Replication Partners (/showreps)

The first and one of the most important steps for managing replication is to enumerate partners (neighbors) that have connections to the specified DC and to determine the replication topology for each naming context. (This information is used with many of RepAdmin's other parameters.) The following example was obtained for a forest that consists of two domains and two sites. The root domain net.dom is located in the NET-Site and contains two DCs (NETDC1 and NETDC3A). The child domain subdom.net.dom is located in the Remote-Site and has a single DC (NETDC2). Let's see what kind of information RepAdmin displays for the specified DC. (In-line comments are in bold brackets.)

    C:\>repadmin /showreps netdc1.net.dom
    NET-Site\NETDC1
    DC Options: IS_GC [The specified DC is a Global Catalog server]
    Site Options: (none)
    DC object GUID: 02c2b1f6-e9b6-4e64-91f6-3a54b087bacc [By using this
    GUID, you can bind to the DSA object named CN=NTDS Settings, CN=NETDC1,
    CN=Servers, CN=NET-site, CN=Sites, CN=Configuration, DC=net, DC=dom.]
    DC invocationID: 02c2b1f6-e9b6-4e64-91f6-3a54b087bacc
    ====INBOUND NEIGHBORS===================
    DC=net,DC=dom   [The Domain partition is only replicated among
    DCs that serve the same domain.]
        NET-Site\NETDC3A via RPC
            DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1
            Last attempt @ 2002-06-02 18:13:57 was successful.
            [The last replication time and the result of this operation is
            displayed for each connection.]
    CN=Configuration,DC=net,DC=dom    [The Configuration and Schema
    partitions are replicated among all DCs in the forest.]
        Remote-Site\NETDC2 via RPC
            DC object GUID: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c
            Last attempt @ 2002-06-02 16:58:51 was successful.
        NET-Site\NETDC3A via RPC
            DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1
            Last attempt @ 2002-06-02 17:57:40 was successful.
    CN=Schema,CN=Configuration,DC=net,DC=dom
        Remote-Site\NETDC2 via RPC
            DC object GUID: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c
            Last attempt @ 2002-06-02 16:58:51 was successful.
        NET-Site\NETDC3A via RPC
            DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1
            Last attempt @ 2002-06-02 17:57:40 was successful.
    DC=App-Part,DC=net,DC=dom    [The application directory partition
    is only replicated among specifically assigned DCs.]
        NET-Site\NETDC3A via RPC
            DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1
            Last attempt @ 2002-06-02 17:57:40 was successful.
    DC=subdom,DC=net,DC=dom [This domain partition is also partially
    replicated to this DC, since it is a GC server.]
        Remote-Site\NETDC2 via RPC
            DC object GUID: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c
            Last attempt @ 2002-06-02 16:58:51 was successful.

To see outbound partners, add the /repsto parameter (or /all) to the previous command. RepAdmin will append the following lines to the output:

    ====OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS========
    DC=net,DC=dom
        NET-Site\NETDC3A via RPC
            DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1
    CN=Configuration,DC=net,DC=dom
        NET-Site\NETDC3A via RPC
            DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1
    CN=Schema,CN=Configuration,DC=net,DC=dom
        NET-Site\NETDC3A via RPC
            DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1
    DC=App-Part,DC=net,DC=dom
        NET-Site\NETDC3A via RPC
            DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1

Note 

In fact, the NETDC1 and NETDC2 domain controllers are connected by the IP transport (since these DCs belong to different sites). However, both IP and RPC transports are displayed as "via RPC". The /showconn operation (see below) displays more detailed information.

To obtain more details, add the /verbose parameter to a command. Verbose mode displays additional information; for example:

    ...
    CN=Schema,CN=Configuration,DC=net,DC=dom
        Remote-Site\NETDC2 via RPC
            DC object GUID: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c
            Address: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c._msdcs.net.dom
            DC invocationID: a2043786-1d80-4ea7-b759-c5884ad6085f
            DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES
            NO_CHANGE_NOTIFICATIONS
            USNs: 148919/OU, 148919/PU
            Last attempt @ 2002-06-02 16:58:51 was successful.
        NET-Site\NETDC3A via RPC
            DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1
            Address: a10bc624-6d04-44e7-adf9-5ef4282efbb1._msdcs.net.dom
            DC invocationID: 15eaa260-364d-469c-b2aa-1fe3c74059df
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 79723/OU, 79723/PU
            Last attempt @ 2002-06-02 18:57:37 was successful.
    ...

Look at the highlighted flags from this output. You can conclude the following from them:

  • Both inter- and intra-site replications are scheduled (but these are different schedules!)

  • Inter-site replication is compressed.

  • There is no change notification between DCs related to different sites (this is the default option).

  • DCs in the same site are synchronized upon their startup.
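
The flag reading above can be automated. The following Python code is an added example, not part of the book or of RepAdmin: it parses the verbose /showreps excerpt shown above, derives the four conclusions from each neighbor's flags, and lists links whose last attempt was not successful or is older than a threshold. The function names and the one-hour threshold are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the verbose /showreps excerpt quoted in the text.
SAMPLE = r"""
CN=Schema,CN=Configuration,DC=net,DC=dom
    Remote-Site\NETDC2 via RPC
        DC object GUID: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c
        Address: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c._msdcs.net.dom
        DC invocationID: a2043786-1d80-4ea7-b759-c5884ad6085f
        DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES
        NO_CHANGE_NOTIFICATIONS
        USNs: 148919/OU, 148919/PU
        Last attempt @ 2002-06-02 16:58:51 was successful.
    NET-Site\NETDC3A via RPC
        DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1
        Address: a10bc624-6d04-44e7-adf9-5ef4282efbb1._msdcs.net.dom
        DC invocationID: 15eaa260-364d-469c-b2aa-1fe3c74059df
        SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
        USNs: 79723/OU, 79723/PU
        Last attempt @ 2002-06-02 18:57:37 was successful.
"""

NC_LINE = re.compile(r"^(?:DC|CN)=")
NEIGHBOR = re.compile(r"^(?P<site>[^\\\s]+)\\(?P<dc>\S+) via (?P<transport>\S+)$")
FLAG_LINE = re.compile(r"^[A-Z][A-Z_]+(?: [A-Z][A-Z_]+)*$")
ATTEMPT = re.compile(r"^Last attempt @ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.+)$")


def parse_showreps(text):
    """Return one dict per (naming context, inbound neighbor) pair."""
    neighbors, nc, cur = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NEIGHBOR.match(line)
        if m:
            cur = dict(m.groupdict(), nc=nc, flags=set(),
                       last_attempt=None, ok=False)
            neighbors.append(cur)
        elif NC_LINE.match(line):
            nc, cur = line, None          # a new naming context starts
        elif cur is not None and FLAG_LINE.match(line):
            cur["flags"].update(line.split())   # flags may span two lines
        elif cur is not None:
            m = ATTEMPT.match(line)
            if m:
                cur["last_attempt"] = datetime.strptime(
                    m.group(1), "%Y-%m-%d %H:%M:%S")
                # Anything other than the success text counts as a failure.
                cur["ok"] = m.group(2) == "was successful."
    return neighbors


def describe(neighbor):
    """Translate the replica-link flags into the conclusions listed above."""
    f = neighbor["flags"]
    return {
        "scheduled": "DO_SCHEDULED_SYNCS" in f,
        "compressed": "COMPRESS_CHANGES" in f,
        "change_notification": "NO_CHANGE_NOTIFICATIONS" not in f,
        "sync_on_startup": "SYNC_ON_STARTUP" in f,
    }


def stale_links(neighbors, now, max_age):
    """List (dc, naming context, reason) for failed or overdue links."""
    findings = []
    for n in neighbors:
        if not n["ok"]:
            findings.append((n["dc"], n["nc"], "last attempt not successful"))
        elif now - n["last_attempt"] > max_age:
            age = now - n["last_attempt"]
            findings.append((n["dc"], n["nc"], "no sync for %s" % age))
    return findings


if __name__ == "__main__":
    parsed = parse_showreps(SAMPLE)
    for n in parsed:
        print(n["site"], n["dc"], describe(n))
    # Assumed check time and threshold, chosen for the sample data.
    print(stale_links(parsed, datetime(2002, 6, 2, 19, 0, 0), timedelta(hours=1)))
```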

Viewing Connections with Replication Partners (/showconn)

To display the most comprehensive information on connections that have been established for a DC, use the /showconn operation. You can specify:

  • The DNS name of the DC that will serve as the source of information

  • The GUID (or the NetBIOS name) of the DC you are interested in

(Without the second parameter, you will get all connections for the site where the specified DC is located.) For example, the NETDC1 domain controller from the sample configuration has two inbound connections:

    C:\>repadmin /showconn netdc1.net.dom NETDC1
    Base DN: CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
    ====KCC CONNECTION OBJECTS================
    Connection --- [I.]
        Connection name : fcaa1598-8958-40ce-8be7-f585832d086b
        Server DNS name : netdc1.net.dom
        Server DN name : CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
            Source: NET-Site\NETDC3A    [From DC...]
                    No Failures.
            TransportType: intrasite RPC
            options: isGenerated
    [1]     ReplicatesNC: CN=Schema,CN=Configuration,DC=net,DC=dom
            Reason: RingTopology
                    Replica link has been added.
    [2]     ReplicatesNC: DC=App-Part,DC=net,DC=dom
            Reason: RingTopology
                    Replica link has been added.
    [3]     ReplicatesNC: CN=Configuration,DC=net,DC=dom
            Reason: RingTopology
                    Replica link has been added.
    [4]     ReplicatesNC: DC=net,DC=dom
            Reason: RingTopology
                    Replica link has been added.
    Connection - [II.]
        Connection name : 8d7bc72b-335c-41c2-82f3-270ce2724c6c
        Server DNS name : netdc1.net.dom
        Server DN name : CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom
            Source: Remote-Site\NETDC2    [From DC...]
                    No Failures.
            TransportType: IP
            options: isGenerated
    [1]     ReplicatesNC: CN=Configuration,DC=net,DC=dom
                    Replica link has been added.
    [2]     ReplicatesNC: DC=subdom,DC=net,DC=dom
                    Replica link has been added.
    2 connections found.

Notice that two different transport types — one for intra-site (intrasite RPC) and one for inter-site replication (IP) — are displayed.

The command shown will display all fault connections (that have not been replicated over a period of time) and the possible cause of failure.

Triggering Replication Events

By using RepAdmin, you can initiate replication events very flexibly. For a domain controller, the following replication scenarios are available:

  • One directory partition is replicated from another DC.

  • One directory partition is replicated from all neighbors.

  • All directory partitions are replicated from all neighbors.

  • A cross-site replication of a directory partition.

  • Replication that will be switched from pull mode to push mode.

Let us consider them in detail.

Replication between Two Neighbors

To perform the most atomic replication operation, you must specify:

  • A directory context (in Windows .NET, you can also specify a single directory object; see below)

  • The DNS name of the target (destination) server

  • The GUID of the source server (from which the changes are copied)

For example, to replicate the domain partition between two DCs, use a command similar to:

    C:\>repadmin /sync DC=net,DC=dom netdc1.net.dom a10bc624-6d04-44e7-adf9-5ef4282efbb1
    Sync from a10bc624-6d04-44e7-adf9-5ef4282efbb1 to netdc1.net.dom completed successfully.

The following command replicates one directory object only, which allows you to avoid excessive network traffic:

    C:\>repadmin /replsingleobj netdc1.net.dom a10bc624-6d04-44e7-adf9-5ef4282efbb1 OU=Staff,DC=net,DC=dom

You must wait until the operation is completed, or you can start the operation asynchronously and check the replication queue to see whether the operation has completed. To trigger a full replication of a directory context, you can, for example, use the following command:

    C:\>repadmin /sync DC=net,DC=dom netdc1.net.dom a10bc624-6d04-44e7-adf9-5ef4282efbb1 /full /async
    Successfully enqueued sync from a10bc624-6d04-44e7-adf9-5ef4282efbb1 to netdc1.net.dom.

Then, to monitor the operation, use the command

    C:\>repadmin /queue 

Here is a sample output:

    Queue contains 1 items.
    Current task began executing at 2002-06-02 20:01:05.
    Task has been executing for 0 minutes, 7 seconds.
    [144] Enqueued 2002-06-02 20:01:05 at priority 250
        SYNC FROM SOURCE
        NC DC=net,DC=dom
        DC NET-Site\NETDC3A
        DC object GUID a10bc624-6d04-44e7-adf9-5ef4282efbb1
        DC transport addr a10bc624-6d04-44e7-adf9-5ef4282efbb1._msdcs.net.dom
        ASYNCHRONOUS_OPERATION WRITEABLE FULL

Replication from All Partners

The /syncall parameter can be used to synchronize a directory partition between a DC and all its partners. The /A parameter, available on Windows .NET-based DCs, can initiate replication of all partitions stored on a DC.

Sometimes, a command fails. Take a look, for example, at the following output produced by a command:

    C:\>repadmin /syncall netdc1.net.dom DC=net,DC=dom
    Syncing partition: DC=net,DC=dom
    CALLBACK MESSAGE: Error contacting server a10bc624-6d04-44e7-adf9-5ef4282efbb1._msdcs.net.dom (network error): 1722 (0x6ba):
        The RPC server is unavailable.
    CALLBACK MESSAGE: SyncAll Finished.
    SyncAll reported the following errors:
    Error contacting server a10bc624-6d04-44e7-adf9-5ef4282efbb1._msdcs.net.dom (network error): 1722 (0x6ba):
        The RPC server is unavailable.

(To see a name which corresponds to the GUID shown, use repadmin /showreps.)

In Windows 2000, only an error code is displayed. You can get a text description of a message by running RepAdmin with the /showmsg parameter and specifying the error code.

When the command runs successfully, it reports all partners' names:

    C:\>repadmin /syncall netdc1.net.dom DC=net,DC=dom
    Syncing partition: DC=net,DC=dom
    CALLBACK MESSAGE: The following replication is in progress:
       From: a10bc624-6d04-44e7-adf9-5ef4282efbb1._msdcs.net.dom
       To  : 02c2b1f6-e9b6-4e64-91f6-3a54b087bacc._msdcs.net.dom
    CALLBACK MESSAGE: The following replication completed successfully:
       From: a10bc624-6d04-44e7-adf9-5ef4282efbb1._msdcs.net.dom
       To  : 02c2b1f6-e9b6-4e64-91f6-3a54b087bacc._msdcs.net.dom
    CALLBACK MESSAGE: SyncAll Finished.
    SyncAll terminated with no errors.

Attention 

If you do not specify a naming context in the repadmin /syncall command, only the Configuration partition is replicated.

Use the repadmin /syncall /h command to see help information for additional parameters (flags), some of which are especially important:

  • /A — replicates all naming contexts stored on the DC. (A new option in the Windows .NET version of RepAdmin.) For example, the following command synchronizes all partitions on NETDC1 DC with all their replicas:

        repadmin /syncall netdc1.net.dom /A

  • /d — changes representation of DCs in output messages, for example, instead of:

        a10bc624-6d04-44e7-adf9-5ef4282efbb1._msdcs.net.dom 

    you will see

        CN=NTDS Settings,CN=NETDC3A,CN=Servers,CN=NET-Site,CN=Sites,CN=Configuration,DC=net,DC=dom

  • /e — enables cross-site replication. You can see the difference if, for example, you try to synchronize the Configuration partition by using a command with this parameter, and then without it.

  • /P — reverses the direction of replication. When this parameter is used, the changes are propagated from the specified server to all partners (vice versa by default).

Failed Replications

If a replication partner is not available, or a network connection doesn't work, the scheduled replications periodically fail. The following command allows you to see the statistics on failed replications:

    C:\>repadmin /failcache netdc1.net.dom
    ====KCC CONNECTION FAILURES===========
    (none)
    ====KCC LINK FAILURES===========
        NET-Site\NETDC3A
            DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1
            No Failures.
        Remote-Site\NETDC2
            DC object GUID: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c
            2 consecutive failures since 2002-06-02 19:57:37.
            Last error: 1722 (0x6ba):
                The RPC server is unavailable.

Viewing Directory Changes

RepAdmin has a few options that can be used for monitoring the actual state of domain controllers. You can easily determine whether changes have been made on a DC, and whether directory partitions have been synchronized on different DCs.

Is a Domain Controller up to Date?

Suppose we want to determine whether the domain partition (DC=net, DC=dom) is synchronized on two domain controllers — NETDC1 and NETDC4. We need to first find the highest USN on the first DC. Use the following command:

    C:\>repadmin /showvector DC=net,DC=dom netdc1.net.dom
    NET-Site\NETDC1           @ USN     11785 @ Time 2002-06-07 17:11:21
    NET-Site\NETDC4           @ USN     18241 @ Time 2002-06-07 17:09:41

Then we must check the value known to the second DC. We should specify: the invocationID of the first DC (see description of the /showreps operation above), the USN found, and the DNS name of either DC:

    C:\>repadmin /propcheck DC=net,DC=dom b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2 11785 netdc1.net.dom
    NET-Site\NETDC1: yes (USN 11785)
    NET-Site\NETDC4: ** NO! ** (USN 11767) [11767 < 11785]

As you can see, the second DC holds an older USN. If we run the command again after replicating changes from NETDC1 to NETDC4, the result should be the following:

    C:\>repadmin /propcheck DC=net,DC=dom b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2 11785 netdc1.net.dom
    NET-Site\NETDC1: yes (USN 11785)
    NET-Site\NETDC4: yes (USN 11785)

Displaying Replication Metadata

By viewing replication metadata for a directory object, you can check the consistency between different replicas if you compare attribute versions and USN numbers on different domain controllers. Furthermore, you can see which DC (it is considered to be the originating DC) the attributes were last changed on. The following example shows metadata for an OU object. (The output has been compressed horizontally to fit the page.)

    C:\>repadmin /showmeta OU=Staff,DC=net,DC=dom netdc1.net.dom
    13 entries.
    Loc.USN  Originating DC   Org.USN  Org.Time/Date        Ver Attribute
    =======  ==============   =======  =============        =============
      11826  NET-Site\NETDC1    11826  2002-06-07 17:24:38    1 gPOptions
      11826  NET-Site\NETDC1    11826  2002-06-07 17:24:38    1 gPLink
      11767  NET-Site\NETDC1    11767  2002-06-07 17:09:11    1 objectCategory
      11893  NET-Site\NETDC1    11893  2002-06-07 17:33:59    4 name
      11907  NET-Site\NETDC1    11907  2002-06-07 17:34:49    3 nTSecurityDescriptor
      11767  NET-Site\NETDC1    11767  2002-06-07 17:09:11    1 whenCreated
      11767  NET-Site\NETDC1    11767  2002-06-07 17:09:11    1 instanceType
      11817  NET-Site\NETDC4    18306  2002-06-07 17:24:17    2 description
      11893  NET-Site\NETDC1    11893  2002-06-07 17:33:59    4 ou
      11923  NET-Site\NETDC4    18389  2002-06-07 17:40:59    2 street
      11923  NET-Site\NETDC4    18389  2002-06-07 17:40:59    2 st
      11923  NET-Site\NETDC4    18389  2002-06-07 17:40:59    2 l
      11767  NET-Site\NETDC1    11767  2002-06-07 17:09:11    1 objectClass

This output is easier to analyze when compared to the metadata information produced by the Ldp.exe tool (see Fig. 12.17 in Chapter 12, "Manipulating Active Directory Objects"). As you can see, the attribute names are displayed here in text format.

Note 

If an authoritative restore is performed on a DC, the attribute version numbers will have large values, since by default these numbers are increased by a minimum of 100,000 for each "standard" restore operation (i.e., if the verinc parameter is not used).
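
The comparison of attribute versions between replicas, and the check for restore-sized version numbers from the note above, can be done mechanically. The following Python code is an added example, not part of the book or of RepAdmin: it parses /showmeta rows from two DCs and reports attributes whose originating stamp differs, plus attributes whose version is 100,000 or more. The NETDC4 rows, the function names and the threshold parameter are constructed for the example.

```python
import re
from collections import namedtuple

Stamp = namedtuple("Stamp", "local_usn orig_dc orig_usn when version")

# One /showmeta row: Loc.USN, Originating DC, Org.USN, date+time, Ver, Attribute
ROW = re.compile(
    r"^\s*(\d+)\s+(\S+\\\S+)\s+(\d+)\s+"
    r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+)\s+(\S+)\s*$"
)

# Rows taken from the /showmeta output above (the replica on NETDC1).
NETDC1 = r"""
Loc.USN  Originating DC   Org.USN  Org.Time/Date        Ver Attribute
  11893  NET-Site\NETDC1    11893  2002-06-07 17:33:59    4 name
  11907  NET-Site\NETDC1    11907  2002-06-07 17:34:49    3 nTSecurityDescriptor
  11817  NET-Site\NETDC4    18306  2002-06-07 17:24:17    2 description
  11923  NET-Site\NETDC4    18389  2002-06-07 17:40:59    2 street
"""

# Constructed for this example: the same object as a second DC might show it.
NETDC4 = r"""
Loc.USN  Originating DC   Org.USN  Org.Time/Date        Ver Attribute
  18411  NET-Site\NETDC1    11893  2002-06-07 17:33:59    4 name
  18402  NET-Site\NETDC1    11850  2002-06-07 17:30:12    2 nTSecurityDescriptor
  18455  NET-Site\NETDC4    18455  2002-06-07 18:02:40    100002 description
  18389  NET-Site\NETDC4    18389  2002-06-07 17:40:59    2 street
"""


def parse_showmeta(text):
    """Map attribute name -> Stamp; header and separator lines are skipped."""
    meta = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            usn, dc, ousn, when, ver, attr = m.groups()
            meta[attr] = Stamp(int(usn), dc, int(ousn), when, int(ver))
    return meta


def compare_replicas(first, second):
    """Report attributes whose originating stamp differs between replicas.

    Local USNs are assigned by each DC independently, so they are ignored.
    """
    diffs = {}
    for attr in sorted(set(first) | set(second)):
        a, b = first.get(attr), second.get(attr)
        if a is None or b is None:
            diffs[attr] = "missing on %s replica" % ("first" if a is None else "second")
        elif a[1:] != b[1:]:
            if a.version == b.version:
                diffs[attr] = "same version, different originating write"
            else:
                behind = "first" if a.version < b.version else "second"
                lo, hi = sorted((a.version, b.version))
                diffs[attr] = "%s replica is behind (version %d < %d)" % (behind, lo, hi)
    return diffs


def restored_attributes(meta, step=100000):
    """Attributes whose version suggests an authoritative restore (see Note)."""
    return sorted(attr for attr, s in meta.items() if s.version >= step)


if __name__ == "__main__":
    dc1, dc4 = parse_showmeta(NETDC1), parse_showmeta(NETDC4)
    for attr, why in compare_replicas(dc1, dc4).items():
        print(attr, "->", why)
    print("restore-sized versions on second replica:", restored_attributes(dc4))
```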

Registering Changes Made on a Specific DC

It is possible to register all of the changes that have been made on a domain controller from a specific time point. The following command analyzes the current state of the domain partition and writes the result to a file:

    C:\>repadmin /getchanges DC=net,DC=dom netdc1.net.dom /cookie:log1.txt
    Using empty cookie (full sync).
    ==== SOURCE DC: netdc1.net.dom ====
    Objects returned: 100
    (0) add DC=net,DC=dom
    ...
    Objects returned: ...
    ...
    New cookie written to file log1.txt (132 bytes)

The command produces a very large screen output; therefore, you might prefer to add the /statistics parameter to this command.

After some time elapses, you can re-run the command:

    C:\>repadmin /getchanges DC=net,DC=dom netdc1.net.dom /cookie:log1.txt
    Using cookie from file log1.txt (132 bytes)
    ==== SOURCE DC: netdc1.net.dom ====
    Objects returned: 3
    (0) modify CN=Backup Operators,CN=Builtin,DC=net,DC=dom
        1> objectGUID: c997318b-324a-4fa4-b29d-2b045904e093
        1> member: CN=John Smith,OU=Staff,DC=net,DC=dom
        1> instanceType: 4
    (1) delete OU=Marketing\0ADEL:d43d3ee7-861b-4ea1-8b8b-0b51c0db3de1,CN=Deleted Objects,DC=net,DC=dom
        1> parentGUID: eebc28cc-c7b3-4d6f-bd5e-13aef642e30a
        1> objectGUID: d43d3ee7-861b-4ea1-8b8b-0b51c0db3de1
        1> instanceType: 4
        1> isDeleted: TRUE
        1> name: Marketing
    DEL:d43d3ee7-861b-4ea1-8b8b-0b51c0db3de1
        1> lastKnownParent: OU=Staff,DC=net,DC=dom
    (2) modify CN=John Smith,OU=Staff,DC=net,DC=dom
        1> objectGUID: 50e649bc-69f8-4313-87a6-765e4a335bdd
        1> description: A test user
        1> instanceType: 4
    New cookie written to file log1.txt (132 bytes)

As you can see, two objects have been modified, and one object has been deleted. The time stamp is renewed, and only new changes will be registered from that moment.
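
When /getchanges is run on a schedule with a cookie file, its output can be turned into records and summarized. The following Python code is an added example, not part of the book or of RepAdmin: it parses the second run shown above, counts operations, and extracts group membership changes and deletions. The function names are assumptions, and the sample is the page's output with the line-wrapped DN joined.

```python
import re
from collections import Counter

# Constructed sample: the second /getchanges run shown above.
SAMPLE = r"""
Using cookie from file log1.txt (132 bytes)
==== SOURCE DC: netdc1.net.dom ====
Objects returned: 3
(0) modify CN=Backup Operators,CN=Builtin,DC=net,DC=dom
    1> objectGUID: c997318b-324a-4fa4-b29d-2b045904e093
    1> member: CN=John Smith,OU=Staff,DC=net,DC=dom
    1> instanceType: 4
(1) delete OU=Marketing\0ADEL:d43d3ee7-861b-4ea1-8b8b-0b51c0db3de1,CN=Deleted Objects,DC=net,DC=dom
    1> parentGUID: eebc28cc-c7b3-4d6f-bd5e-13aef642e30a
    1> objectGUID: d43d3ee7-861b-4ea1-8b8b-0b51c0db3de1
    1> instanceType: 4
    1> isDeleted: TRUE
    1> name: Marketing
DEL:d43d3ee7-861b-4ea1-8b8b-0b51c0db3de1
    1> lastKnownParent: OU=Staff,DC=net,DC=dom
(2) modify CN=John Smith,OU=Staff,DC=net,DC=dom
    1> objectGUID: 50e649bc-69f8-4313-87a6-765e4a335bdd
    1> description: A test user
    1> instanceType: 4
New cookie written to file log1.txt (132 bytes)
"""

ENTRY = re.compile(r"^\((\d+)\) (add|modify|delete) (.+)$")
ATTR = re.compile(r"^\d+> ([\w;-]+): (.*)$")
STATUS = ("Using ", "====", "Objects returned", "New cookie", "No changes")


def parse_getchanges(text):
    """Return a list of {'op', 'dn', 'attrs'} records, one per object."""
    entries, cur, last = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            cur = {"op": m.group(2), "dn": m.group(3), "attrs": {}}
            entries.append(cur)
            last = None
            continue
        m = ATTR.match(line)
        if m and cur is not None:
            last = m.group(1)
            cur["attrs"].setdefault(last, []).append(m.group(2))
        elif line.startswith(STATUS):
            last = None                       # tool status line, not data
        elif line and cur is not None and last is not None:
            # A value with an embedded newline (the name of a deleted
            # object) continues on the next output line.
            cur["attrs"][last][-1] += "\n" + line
    return entries


def summarize(entries):
    """Count operations and pull out membership changes and deletions."""
    membership = [(e["dn"], value)
                  for e in entries
                  for value in e["attrs"].get("member", [])]
    deleted = [(e["attrs"].get("name", ["?"])[0].split("\n")[0],
                e["attrs"].get("lastKnownParent", ["?"])[0])
               for e in entries
               if e["attrs"].get("isDeleted") == ["TRUE"]]
    return {
        "ops": dict(Counter(e["op"] for e in entries)),
        "membership": membership,   # (group DN, member DN)
        "deleted": deleted,         # (original name, last known parent)
    }


if __name__ == "__main__":
    report = summarize(parse_getchanges(SAMPLE))
    print(report["ops"])
    for group, member in report["membership"]:
        print("member value on", group, ":", member)
    for name, parent in report["deleted"]:
        print("deleted:", name, "from", parent)
```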

The same information will be displayed if you run a comparison command:

    C:\>repadmin /getchanges DC=net,DC=dom netdc4.net.dom b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2

Notice that the command contains the domain partition name, the DNS name of a replication partner (in this case, a "reference" DC), and the GUID of the tested domain controller (netdc1.net.dom). This command displays the changes made on NETDC1 before replication is performed and the two directory replicas are synchronized. Unlike the previous command (with a cookie file), this command displays the same result (the changes made) repeatedly until the replicas are synchronized. You can choose whichever command is most appropriate for your conditions.

Comparing Information on Different Domain Controllers

A command that compares the partition replicas stored on different servers must contain the DNS name of a "reference" server and the GUID of a "source" (tested) server. All changes made in the source server will be registered. Actually, this command performs the same job as the DsaStat tool does. The output shown below was obtained at the time when a great number of user objects on the NETDC1 domain controller were being removed.

    C:\>repadmin /getchanges DC=net,DC=dom netdc4.net.dom b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2 /statistics
    Building starting position from destination server netdc4.net.dom
    Source Neighbor:
    DC=net,DC=dom
        NET-Site\NETDC1 via RPC
            DC object GUID: b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2
            Address: b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2._msdcs.net.dom
            DC invocationID: b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2
            SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE
            USNs: 12769/OU, 12769/PU
            Last attempt @ 2002-06-07 19:11:29 was successful.
    Destination's up-to-date vector:
    6a0cdbee-e064-449f-8c09-3f3c45b54fd6 @ USN 20291
    b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2 @ USN 12771
    ==== SOURCE DC: b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2._msdcs.net.dom ====
    ******** Cumulative packet totals ***********
    Packets:              1
    Objects:              100
    Object Additions:     0
    Object Modifications: 0
    Object Deletions:     100
    Object Moves:         0
    Attributes:           600
    Values:               600
    Dn-valued Attributes: 100
    MaxDnVals on any attr:1
    ObjectDn with maxattr:C
    Attrname with maxattr:1
    #dnvals  1-250  251-500 501-750 751-1000 1000+
    add      0      0       0       0        0
    mod      100    0       0       0        0
    ******************************************
    ...
    Packets:              2
    ...
    Packets:              3
    ...
    **********Grand total*********************
    Packets:              3
    Objects:              230
    Object Additions:     0
    Object Modifications: 0
    Object Deletions:     230
    Object Moves:         0
    Attributes:           1380
    Values:               1380
    Dn-valued Attributes: 230
    MaxDnVals on any attr:1
    ObjectDn with maxattr:C
    Attrname with maxattr:1
    #dnvals  1-250  251-500 501-750 751-1000 1000+
    add      0      0       0       0        0
    mod      230    0       0       0        0
    ******************************************

If both replicas are synchronized, the command reports

    No changes 

and all totals are equal to zero.

New "Inter-Site" Operations

The Windows .NET version of RepAdmin offers a number of new operations that are especially useful in large multi-site forests. Among them are the following:

  • repadmin /bridgeheads — lists the bridgehead servers for sites.

  • repadmin /istg — lists servers that perform the role of the Inter-site Topology Generator (ISTG) in sites.

  • repadmin /querysites — displays the cost of the link between specified sites.

  • repadmin /latency — displays replication latency between sites; this information allows an administrator to quickly find sites that have not replicated with their partners over a long period of time.

Auxiliary Options

Managing Replication Status (DSA Options)

Each Directory System Agent (DSA) is represented in Active Directory by an object of the nTDSDSA class named CN=NTDS Settings that belongs to the appropriate server object in the Configuration partition. (You can view the attributes of DSA objects with the ADSI Edit snap-in.) DSA objects have the options attribute, which significantly affects their state and behavior. An administrator can set the value of this attribute by using RepAdmin with an undocumented parameter /options. Let us discuss a few examples.

The following command detects that the specified domain controller is a Global Catalog server:

    C:\>repadmin /options netdc1.net.dom
    Current DC Options: IS_GC

The options attribute is equal to 1 in this case. You can set the IS_GC flag to promote a DC to GC server. Usually, this operation is performed with the Active Directory Sites and Services snap-in.

The following two parameters allow you to "isolate" a DC from its replication partners for troubleshooting or some other purpose. The next example shows that replication from the specified DC (outbound replication) is disabled:

    C:\>repadmin /options netdc4.net.dom
    Current DC Options: DISABLE_OUTBOUND_REPL

The options attribute is equal to 4 (hex) in this case (if the DC is not a GC server!).

The state of inbound replication (from partners to a specified DC) is determined by the DISABLE_INBOUND_REPL flag. (This flag corresponds to an options attribute value equal to 2.) You can set both flags and totally disable replication for the DC.

To set a flag, specify it with a "+" (plus) sign. To clear a flag, use "-" (minus). For example, the following command clears the flag and re-enables outbound replication from the DC:

    C:\>repadmin /options netdc4.net.dom -DISABLE_OUTBOUND_REPL
    Current DC Options: DISABLE_OUTBOUND_REPL
    New DC Options: (none)

Every "disable replication" operation is registered in the Directory Service log (Event ID 1113, 1114, 1115, and 1116). Look at the following two examples:

    Event Type: Warning
    Event Source: NTDS General
    Event Category: Replication
    Event ID: 1115
    ...
    Computer: NETDC1
    Description:
    Outbound replication has been disabled by the user.

When replication is enabled, an informational event is also registered:

    Event Type: Information
    Event Source: NTDS General
    Event Category: Replication
    Event ID: 1116
    ...
    Computer: NETDC1
    Description:
    Outbound replication has been enabled by the user.

Converting Directory Time (/showtime)

RepAdmin can convert time values stored in Active Directory into a readable format. (See also NLtest description at the beginning of this chapter.) Let us convert the same value 126679218485309520. Enter repadmin /showtime at the command prompt, and paste the value in. Erase the seven rightmost digits and press <Enter>. The result should be the following:

    C:\>repadmin /showtime 12667921848
    12667921848 = 0x2f31125b8 = 02-06-07 11:10.48 UTC = 2002-06-07 15:10:48 local

You may notice that both UTC and local time are displayed.

In Windows .NET, you can obtain the same result more easily by using the W32tm command:

    C:\>w32tm /ntte 126679218485309520
    146619 11:10:48.5309520 --- 6/7/2002 3:10:48 PM (local time)

Displaying Error Description (/showmsg)

RepAdmin.exe has an option that will help you when you write and debug ADSI scripts and applications and analyze event logs, as well as in many other cases. You can use this utility rather than searching the documentation for information on each error. The utility provides many more options than the net helpmsg command does. RepAdmin.exe can display error text for both Win32 error codes (including errors for ADSI 2.5) and generic COM error codes.

You can specify an error code in either form: as a long integer (e.g., -2147016684) or a hexadecimal value (e.g., 0x80072014; the 0x prefix is mandatory, do not forget to add this prefix if you have copied an error's code from the Event Viewer). Short integers, such as 8453, are also acceptable. Here is an example of how to use this parameter:

    C:\>repadmin /showmsg 0x80072014
    -2147016684 = 0x80072014 = "The requested operation did not satisfy one
    or more constraints associated with the class of the object."



Windows .NET Server 2003 Domains & Active Directory
ISBN: 1931769001
EAN: 2147483647
Year: 2002
Pages: 154
