Replication Diagnostics Tool is the only facility that allows an administrator to view and manage Active Directory replication topology and events from the command prompt or batch files. This tool, coupled with DsaStat.exe, helps to troubleshoot Active Directory consistency problems at a forest-wide level.
The Windows .NET version of RepAdmin provides about a dozen new operations (in contrast with Windows 2000 version) as well as a few new parameters to previously available operations (some of which are discussed below).
We will consider some of the most frequently used options of this tool. Some of these options may seem to be too complicated. However, if you understand the Active Directory replication model well, you will quickly learn how to use the tool in the most effective way.
To use RepAdmin, you should be logged on to the network as a domain administrator. Furthermore, some operations can only be performed on a domain controller rather than on a client computer.
Essentially, the Windows 2000 and Windows .NET versions of RepAdmin work in a similar way and slightly differ in their screen output messages as well as in their usage of some parameters.
Normally, the Knowledge Consistency Checker (KCC) periodically verifies and automatically rebuilds the replication topology. You might want to forcibly start this process after some topology changes (e.g., after deleting connections). Take a look at the example:
C:\>repadmin /kcc netdc1.net.dom Consistency check on netdc1.net.dom successful.
The first and one of the most important steps for managing replication is to enumerate partners (neighbors) that have connections to the specified DC and to determine the replication topology for each naming context. (This information is used with many other of RepAdmin's parameters.) The following example was obtained for a forest that consists of two domains and two sites. The root domain net.dom is located in the NET-Site and contains two DCs (NETDC1 and NETDC3A). The child domain subdom.net.dom is located in the Remote-Site and has a single DC (NETDC2). Let's see what kind of information RepAdmin displays for the specified DC. (In-line comments are in bold brackets.)
C:\>repadmin /showreps netdc1.net.dom NET-Site /NETDC1 DC Options: IS_GC [The specified DC is a Global Catalog server] Site Options: (none) DC object GUID: 02c2b1f6-e9b6-4e64-91f6-3a54b087bacc [By using this GUID, you can bind to the DSA object named CN=NTDS Settings, CN=NETDC1, CN=Servers, CN=NET-site, CN=Sites, CN=Configuration, DC=net, DC=dom.] DC invocationID: 02c2b1f6-e9b6-4e64-91f6-3a54b087bacc ====INBOUND NEIGHBORS=================== DC=net,DC=dom [The Domain partition is only replicated among DCs that serve the same domain.] NET-Site\NETDC3A via RPC DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1 Last attempt @ 2002-06-02 18:13:57 was successful. [The last replication time and the result of this operation is displayed for each connection.] CN=Configuration,DC=net,DC=dom [The Configuration and Schema partitions are replicated among all DCs in the forest.] Remote-Site\NETDC2 via RPC DC object GUID: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c Last attempt @ 2002-06-02 16:58:51 was successful. NET-Site\NETDC3A via RPC DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1 Last attempt @ 2002-06-02 17:57:40 was successful. CN=Schema,CN=Configuration,DC=net,DC=dom Remote-Site\NETDC2 via RPC DC object GUID: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c Last attempt @ 2002-06-02 16:58:51 was successful. NET-Site\NETDC3A via RPC DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1 Last attempt @ 2002-06-02 17:57:40 was successful. DC=App-Part,DC=net,DC=dom [The application directory partition is only replicated among specifically assigned DCs.] NET-Site\NETDC3A via RPC DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1 Last attempt @ 2002-06-02 17:57:40 was successful. DC=subdom,DC=net,DC=dom [This domain partition is also partially replicated to this DC, since it is a GC server.] Remote-Site\NETDC2 via RPC DC object GUID: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c Last attempt @ 2002-06-02 16:58:51 was successful.
To see outbound partners, add the /repsto parameter (or/all) to the previous command. RepAdmin will append the following lines to the output:
====OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS======== DC=net, DC=dom NET-Site\NETDC3A via RPC DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1 CN=Configuration,DC=net,DC=dom NET-Site\NETDC3A via RPC DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1 CN=Schema,CN=Configuration,DC=net,DC=dom NET-Site\NETDC3A via RPC DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1 DC=App-Part,DC=net,DC=dom NET-Site\NETDC3A via RPC DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1
In fact, the NETDC1 and NETDC2 domain controllers are connected by the IP transport (since these DCs are related to the different sites). However, both IP and RPC transports are displayed as "via RPC". The /showconn operation (see below) displays more detailed information.
To obtain more details, add the /verbose parameter to a command. Verbose mode displays additional information; for example:
... CN=Schema,CN=Configuration,DC=net,DC=dom Remote-Site\NETDC2 via RPC DC object GUID: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c Address: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c._msdcs.net.dom DC invocationID: a2043786-1d80-4ea7-b759-c5884ad6085f DO_SCHEDULED_SYNCS WRITEABLE COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS USNs: 148919/OU, 148919/PU Last attempt @ 2002-06-02 16:58:51 was successful. NET-Site\NETDC3A via RPC DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1 Address: a10bc624-6d04-44e7-adf9-5ef4282efbb1._msdcs.net.dom DC invocationID: 15eaa260-364d-469c-b2aa-1fe3c74059df SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE USNs: 79723 /OU, 79723 /PU Last attempt @ 2002-06-02 18:57:37 was successful. ...
Look at the highlighted flags from this output. You can conclude the following from them:
Both inter- and intra-site replications are scheduled (but these are different schedules!)
Inter-site replication is compressed.
There is no change notification between DCs related to different sites (this is the default option).
DCs in the same site are synchronized upon their startup.
To display the most comprehensive information on connections that have been established for a DC, use the /showconn operation. You can specify:
The DNS name of the DC that will serve as the source of information
The GUID (or the NetBIOS name) of the DC you are interested in
(Without the second parameter, you will get all connections for the site where the specified DC is located.) For example, the NETDC1 domain controller from the sample configuration has two inbound connections:
C:\>repadmin /showconn netdc1.net.dom NETDC1 Base DN: CN=NETDC1,CN=Servers,CN=NET- Site,CN=Sites,CN=Configuration,DC=net,DC=dom ====KCC CONNECTION OBJECTS================ Connection --- [I.] Connection name : fcaa1598-8958-40ce-8be7-f585832d086b Server DNS name : netdc1.net.dom Server DN name : CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET- Site,CN=Sites,CN=Configuration,DC=net, DC=dom Source: NET-Site\NETDC3A [From DC...] No Failures. TransportType: intrasite RPC options: isGenerated  ReplicatesNC: CN=Schema,CN=Configuration,DC=net,DC=dom Reason: RingTopology Replica link has been added.  ReplicatesNC: DC=App-Part,DC=net,DC=dom Reason: RingTopology Replica link has been added.  ReplicatesNC: CN=Configuration,DC=net,DC=dom Reason: RingTopology Replica link has been added.  ReplicatesNC: DC=net, DC=dom Reason: RingTopology Replica link has been added. Connection - [II.] Connection name : 8d7bc72b-335c-41c2-82f3-270ce2724c6c Server DNS name : netdc1.net.dom Server DN name : CN=NTDS Settings,CN=NETDC1,CN=Servers,CN=NET- Site,CN=Sites,CN=Configuration,DC=net, DC=dom Source: Remote-Site\NETDC2 [From DC...] No Failures. TransportType: IP options: isGenerated  ReplicatesNC: CN=Configuration,DC=net,DC=dom Replica link has been added.  ReplicatesNC: DC=subdom,DC=net,DC=dom Replica link has been added. 2 connections found.
Notice that two different transport types — one for intra-site (intrasite RPC) and one for inter-site replication (IP) — are displayed.
The command shown will display all fault connections (that have not been replicated over a period of time) and the possible cause of failure.
By using RepAdmin, you can initiate replication events very flexibly. For a domain controller, the following replication scenarios are available:
One directory partition is replicated from another DC.
One directory partition is replicated from all neighbors.
All directory partitions are replicated from all neighbors.
A cross-site replication of a directory partition.
Replication that will be switched from pull mode to push mode.
Let us consider them in detail.
To perform the most atomic replication operation, you must specify:
A directory context (in Windows .NET, you can also specify a single directory object; see below)
The DNS name of the target (destination) server
The GUID of the source server (from which the changes are copied)
For example, to replicate the domain partition between two DCs, use a command similar to:
C:\>repadmin /sync DC=net,DC=dom netdc1.net.dom a10bc624-6d04-44e7-adf9- 5ef4282efbb1 Sync from a10bc624-6d04-44e7-adf9-5ef4282efbb1 to netdc1.net.dom completed successfully.
The following command replicates one directory object only, which allows you to avoid excessive network traffic:
C:\>repadmin /replsingleobj netdc1.net.dom a10bc624-6d04-44e7-adf9- 5ef4282efbb1 OU=Staff,DC=net,DC=dom
You must wait until the operation is completed, or you can start the operation asynchronically and check the replication queue to see whether the operation has completed. To trigger a full replication of a directory context, you can, for example, use the following command:
C:\>repadmin /sync DC=net,DC=dom netdc1.net.dom a10bc624-6d04-44e7-adf9- 5ef4282efbb1 /full /async Successfully enqueued sync from a10bc624-6d04-44e7-adf9-5ef4282efbb1 to netdc1.net.dom.
Then, to monitor the operation, use the command
Here is a sample output:
Queue contains 1 items. Current task began executing at 2002-06-02 20:01:05. Task has been executing for 0 minutes, 7 seconds.  Enqueued 2002-06-02 20:01:05 at priority 250 SYNC FROM SOURCE NC DC=net,DC=dom DC NET-Site\NETDC3A DC object GUID a10bc624-6d04-44e7-adf9-5ef4282effbb1 DC transport addr a10bc624-6d04-44e7-adf9- 5ef4282efbb1._msdcs.net.dom ASYNCHRONOUS_OPERATION WRITEABLE FULL
The /syncall parameter can be used to synchronize a directory partition between a DC and all its partners. The /A parameter available on Windows .NET-based DCs, can initiate replication of all partitions stored on a DC.
Sometimes, a command fails. Take a look, for example, at the following output produced by a command:
C:\>repadmin /syncall netdc1.net.dom DC=net,DC=dom Syncing partition: DC=net,DC=dom CALLBACK MESSAGE: Error contacting server a10bc624-6d04-44e7-adf9- 5ef4282efbb1._msdcs.net.dom (network error): 1722 (0x6ba) : The RPC server is unavailable. CALLBACK MESSAGE: SyncAll Finished. SyncAll reported the following errors: Error contacting server a10bc624-6d04-44e7-adf9- 5ef4282efbb1._msdcs.net.dom (network error) : 1722 (0x6ba) : The RPC server is unavailable.
(To see a name which corresponds to the GUID shown, use repadmin /showreps.)
In Windows 2000, only an error code is displayed. You can get a text description of a message by running RepAdmin with the /showmsg parameter and specifying the error code.
When the command runs successfully, it reports all partners' names:
C:\>repadmin /syncall netdc1.net.dom DC=net,DC=dom Syncing partition: DC=net,DC=dom CALLBACK MESSAGE: The following replication is in progress: From: a10bc624-6d04-44e7-adf9-5ef4282efbb1._msdcs.net.dom To : 02c2b1f6-e9b6-4e64-91f6-3a54b087bacc._msdcs.net.dom CALLBACK MESSAGE: The following replication completed successfully: From: a10bc624-6d04-44e7-adf9-5ef4282efbb1._msdcs.net.dom To : 02c2b1f6-e9b6-4e64-91f6-3a54b087bacc._msdcs.net.dom CALLBACK MESSAGE: SyncAll Finished. SyncAll terminated with no errors.
If you do not specify a naming context in the repadmin /syncall command, the Configuration partition is only replicated.
Use the repadmin /syncall /h command to see help information for additional parameters (flags), some of which are especially important:
/A — replicates all naming contexts stored on the DC. (A new option in the Windows .NET version of RepAdmin.) For example, the following command synchronizes all partitions on NETDC1 DC with all their replicas:
repadmin /syncall netdc1.net.dom /A
/d — changes representation of DCs in output messages, for example, instead of:
you will see
CN=NTDS Settings,CN=NETDC3A,CN=Servers,CN=NET-Site,CN=Sites, CN=Configuration,DC=net,DC=dom
/e — enables cross-site replication. You can see the difference if, for example, you try to synchronize the Configuration partition by using a command with this parameter, and then without it.
/P — reverses the direction of replication. When this parameter is used, the changes are propagated from the specified server to all partners (vice versa by default).
If a replication partner is not available, or a network connection doesn't work, the scheduled replications periodically fail. The following command allows you to see the statistics on failed replications:
C:\>repadmin /failcache netdc1.net.dom ====KCC CONNECTION FAILURES=========== (none) ====KCC LINK FAILURES=========== NET-Site\NETDC3A DC object GUID: a10bc624-6d04-44e7-adf9-5ef4282efbb1 No Failures. Remote-Site\NETDC2 DC object GUID: 8c19c6f6-1821-4ca7-97b5-c23307c5c49c 2 consecutive failures since 2002-06-02 19:57:37. Last error: 1722 (0x6ba): The RPC server is unavailable.
RepAdmin has a few options that can be used for monitoring the actual state of domain controllers. You can easily determine whether changes have been made on a DC, and whether directory partitions have been synchronized on different DCs.
Suppose we want to determine whether the domain partition (DC=net, DC=dom) is synchronized on two domain controllers — NETDC1 and NETDC4. We need to first find the highest USN on the first DC. Use the following command:
C:\>repadmin /showvector DC=net,DC=dom netdc1.net.dom NET-Site\NETDC1 @ USN 11785 @ Time 2002-06-07 17:11:21 NET-Site\NETDC4 @ USN 18241 @ Time 2002-06-07 17:09:41
Then we must check the value known to the second DC. We should specify: the invocationID of the first DC (see description of the /showreps operation above), the USN found, and the DNS name of either DC:
C:\>repadmin /propcheck DC=net,DC=dom b202a2a9-2e6b-4c9f-9e99- ac00b873e5c2 11785 netdc1.net.dom NET-Site\NETDC1: yes (USN 11785) NET-Site\NETDC4: ** NO! ** (USN 11767) [11767 < 11785]
As you can see, the second DC holds an older USN. If we run the command again after replicating changes from NETDC1 to NETDC4, the result should be the following:
C:\>repadmin /propcheck DC=net,DC=dom b202a2a9-2e6b-4c9f-9e99- ac00b873e5c2 11785 netdc1.net.dom NET-Site\NETDC1: yes (USN 11785) NET-Site\NETDC4: yes (USN 11785)
By viewing replication metadata for a directory object, you can check the consistency between different replicas if you compare attribute versions and USN numbers on different domain controllers. Furthermore, you can see which DC (it is considered to be the originating DC) the attributes were last changed on. The following example shows metadata for an OU object. (The output has been compressed horizontally to fit the page.)
C:\>repadmin /showmeta OU=Staff,DC=net,DC=dom netdc1.net.dom 13 entries. Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute ======= ============== ======= ============= ============= 11826 NET-Site\NETDC1 11826 2002-06-07 17:24:38 1 gPOptions 11826 NET-Site\NETDC1 11826 2002-06-07 17:24:38 1 gPLink 11767 NET-Site\NETDC1 11767 2002-06-07 17:09:11 1 objectCategory 11893 NET-Site\NETDC1 11893 2002-06-07 17:33:59 4 name 11907 NET-Site\NETDC1 11907 2002-06-07 17:34:49 3 nTSecurityDescriptor 11767 NET-Site\NETDC1 11767 2002-06-07 17:09:11 1 whenCreated 11767 NET-Site\NETDC1 11767 2002-06-07 17:09:11 1 instanceType 11817 NET-Site\NETDC4 18306 2002-06-07 17:24:17 2 description 11893 NET-Site\NETDC1 11893 2002-06-07 17:33:59 4 ou 11923 NET-Site\NETDC4 18389 2002-06-07 17:40:59 2 street 11923 NET-Site\NETDC4 18389 2002-06-07 17:40:59 2 st 11923 NET-Site\NETDC4 18389 2002-06-07 17:40:59 2 1 11767 NET-Site\NETDC1 11767 2002-06-07 17:09:11 1 objectClass
This output is easier to analyze when compared to the metadata information produced by the Ldp.exe tool (see Fig. 12.17 in Chapter 12, "Manipulating Active Directory Objects"). As you can see, the attribute names are displayed here in text format.
If an authoritative restore is performed on a DC, the attribute version numbers will have large values, since by default these numbers increased by a minimum of 100,000 for each "standard" restore operation (i.e., if the verinc parameter is not used).
It is possible to register all of the changes that have been made on a domain controller from a specific time point. The following command analyzes the current state of the domain partition and writes the result to a file:
C:\>repadmin /getchanges DC=net,DC=dom netdc1.net.dom /cookie:log1.txt Using empty cookie (full sync). ==== SOURCE DC: netdc1.net.dom ==== Objects returned: 100 (0) add DC=net, DC=dom ... Objects returned: ... ... New cookie written to file log1.txt (132 bytes)
The command produces a very large screen output; therefore, you might prefer to add the /statistics parameter to this command.
After some time elapses, you can re-run the command:
C:\>repadmin /getchanges DC=net,DC=dom netdc1.net.dom /cookie:log1.txt Using cookie from file log1.txt (132 bytes) ==== SOURCE DC: netdc1.net.dom ==== Objects returned: 3 (0) modify CN=Backup Operators,CN=Builtin,DC=net,DC=dom 1> objectGUID: c997318b-324a-4fa4-b29d-2b045904e093 1> member: CN=John Smith, OU=Staff,DC=net,DC=dom 1> instanceType: 4 (1) delete OU=Marketing\0ADEL:d43d3ee7-861b-4ea1-8b8b- 0b51c0db3de1,CN=Deleted Objects,DC=net,DC=dom 1> parentGUID: eebc28cc-c7b3-4d6f-bd5e-13aef642e30a 1> objectGUID: d43d3ee7-861b-4ea1-8b8b-0b51c0db3de1 1> instanceType: 4 1> isDeleted: TRUE 1> name: Marketing DEL:d43d3ee7-861b-4ea1-8b8b-0b51c0db3de1 1> lastKnownParent: OU=Staff,DC=net,DC=dom (2) modify CN=John Smith, OU=Staff, DC=net, DC=dom 1> objectGUID: 50e649bc-69f8-4313-87a6-765e4a335bdd 1> description: A test user 1> instanceType: 4 New cookie written to file log1.txt (132 bytes)
As you can see, two objects have been modified, and one object has been deleted. The time stamp is renewed, and only new changes will be registered from that moment.
The same information will be displayed if you run a comparison command:
C:\>repadmin /getchanges DC=net,DC=dom netdc4.net.dom b202a2a9-2e6b- 4c9f-9e99-ac00b873e5c2
Notice that the command contains the domain partition name, the DNS name of a replication partner (in that case, this is a "reference" DC), and the GUID of a tested domain controller (netdc1.net.dom). This command displays changes made on NETDC1 before the replication will be performed and two directory replicas will be synchronized. In comparison to the previous command (with a cookie file), the last command will display the same result (the changes made) repeatedly unless the synchronization of replicas will be carried out. You can choose either command that is the most appropriate for your conditions.
A command that compares the partition replicas stored on different servers must contain the DNS name of a "reference" server and the GUID of a "source" (tested) server. All changes made in the source server will be registered. Actually, this command performs the same job as the DsaStat tool does. The output shown below was obtained at the time when a great number of user objects on the NETDC1 domain controller were being removed.
C:\>repadmin /getchanges DC=net,DC=dom netdc4.net.dom b202a2a9-2e6b- 4c9f-9e99-ac00b873e5c2 /statistics Building starting position from destination server netdc4.net.dom Source Neighbor: DC=net, DC=dom NET-Site\NETDC1 via RPC DC object GUID: b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2 Address: b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2._msdcs.net.dom DC invocationID: b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2 SYNC_ON_STARTUP DO_SCHEDULED_SYNCS WRITEABLE USNs: 12769 /OU, 12769 /PU Last attempt @ 2002-06-07 19:11:29 was successful. Destination's up-to-date vector: 6a0cdbee-e064-449f-8c09-3f3c45b54fd6 @ USN 20291 b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2 @ USN 12771 ==== SOURCE DC: b202a2a9-2e6b-4c9f-9e99-ac00b873e5c2._msdcs.net.dom ==== ******** Cumulative packet totals *********** Packets: 1 Objects: 100 Object Additions: 0 Object Modifications:0 Object Deletions: 100 Object Moves: 0 Attributes: 600 Values: 600 Dn-valued Attributes:100 MaxDnVals on any attr:1 ObjectDn with maxattr:C Attrname with maxattr:1 #dnvals 1-250 251-500 501-750 751-1000 1000+ add 0 0 0 0 0 mod 100 0 0 0 0 ****************************************** ... Packets: 2 ... Packets: 3 ... **********Grand total********************* Packets: 3 Objects: 230 Object Additions: 0 Object Modifications: 0 Object Deletions: 230 Object Moves: 0 Attributes: 1380 Values: 1380 Dn-valued Attributes: 230 MaxDnVals on any attr:1 ObjectDn with maxattr:C Attrname with maxattr:1 #dnvals 1-250 251-500 501-750 751-1000 1000+ add 0 0 0 0 0 mod 230 0 0 0 0 ******************************************
If both replicas are synchronized, the command reports
and all totals are equal to zero.
The Windows .NET version of RepAdmin offers a number of new operations that are especially useful in large multi-site forests. Among them are the following:
repadmin /bridgeheads — lists the bridgehead servers for sites.
repadmin /istg — lists servers that perform the role of the Inter-site Topology Generator (ISTG) in sites.
repadmin /querysites — displays the cost of the link between specified sites.
repadmin /latency — displays replication latency between sites; this information allows an administrator to quickly find sites that have not replicated with their partners over a long period of time.
Each Directory System Agent (DSA) is represented in Active Directory by an object of the nTDSDSA class named CN=NTDS Settings that belongs to the appropriate server object in the Configuration partition. (You can view the attributes of DSA objects with the ADSI Edit snap-in.) DSA objects have the options attribute, which significantly affects their state and behavior. An administrator can set the value of this attribute by using RepAdmin with an undocumented parameter /options. Let us discuss a few examples.
The following command detects that the specified domain controller is a Global Catalog server:
C:\>repadmin /options netdc1.net.dom Current DC Options: IS_GC
The options attribute is equal to 1 in this case. You can set the IS_GC flag to promote a DC to GC server. Usually, this operation is performed with the Active Directory Sites and Services snap-in.
The following two parameters allow you to "isolate" a DC from its replication partners for troubleshooting or some other purpose. The next example shows that replication from the specified DC (outbound replication) is disabled:
C:\>repadmin /options netdc4.net.dom Current DC Options: DISABLE_OUTBOUND_REPL
The options attribute is equal to 4 (hex) in this case (if the DC is not a GC server!).
The state of inbound replication (from partners to a specified DC) is determined by the DISABLE_INBOUND_REPL flag. (This flag corresponds to an options attribute value equal to 2.) You can set both flags and totally disable replication for the DC.
To set a flag, specify it with a "+" (plus) sign. To clear a flag, use "-" (minus). For example, the following command clears the flag and re-enables outbound replication from the DC:
C:\>repadmin /options netdc4.net.dom -DISABLE_OUTBOUND_REPL Current DC Options: DISABLE_OUTBOUND_REPL New DC Options: (none)
Every "disable replication" operation is registered in the Directory Service log (Event ID 1113, 1114, 1115, and 1116). Look at the following two examples:
Event Type: Warning Event Source: NTDS General Event Category: Replication Event ID: 1115 ... Computer: NETDC1 Description: Outbound replication has been disabled by the user.
When replication is enabled, an informational event is also registered:
Event Type: Information Event Source: NTDS General Event Category: Replication Event ID: 1116 ... Computer: NETDC1 Description: Outbound replication has been enabled by the user.
RepAdmin can convert time values stored in Active Directory into a readable format. (See also NLtest description at the beginning of this chapter.) Let us convert the same value 126679218485309520. Enter repadmin /showtime at the command prompt, and paste the value in. Erase the seven rightmost digits and press <Enter>. The result should be the following:
C:\>repadmin /showtime 12667921848 12667921848 =0x2f31125b8 = 02-06-07 11:10.48 UTC = 2002-06-07 15:10:48 local
You may notice that both UTC and local time are displayed.
In Windows .NET, you can obtain the same result easier — use the W32tm command:
C:\>w32tm /ntte 126679218485309520 146619 11:10:48.5309520 --- 6 /7 /2002 3:10:48 PM (local time)
RepAdmin.exe has an option that will help you when you write and debug ADSI scripts and application and analyze event logs, as well as in many other cases. You can use this utility rather than searching the documentation for information on each error. The utility provides many more options than the net helpmsg command does. RepAdmin.exe can display error text for both Win32 error codes (including errors for ADSI 2.5) and generic COM error codes.
You can specify an error code in either form: as a long integer (e.g., -2147016684) or a hexadecimal value (e.g., 0x80072014; the 0x prefix is mandatory, do not forget to add this prefix if you have copied an error's code from the Event Viewer). Short integers, such as 8453, are also acceptable. Here is an example of how to use this parameter:
C:\repadmin /showmsg 0x80072014 -2147016684 = 0x80072014 = "The requested operation did not satisfy one or more constraints associated with the class of the object."