Microsoft included ReplMon in the first set of Windows Support Tools and it survives in the latest version for Windows Server 2003. But with so many tools developed over the past seven years, it's easy to forget how powerful ReplMon still is. This article will take a close look at how ReplMon can help diagnose a host of AD replication issues.
Getting started with ReplMon
Replication Monitor is a Windows Support Tools component that can be initiated by simply entering ReplMon from Start-Run or the command window. Initially it's empty, so you have to add monitored servers. From the Edit menu on the tool bar, select "Add monitored server," then add the domain controllers you want to view. Figure 1 shows several DCs added and expanded.
Under each server you'll see a list of naming contexts (configuration, schema, domain, forestdnszones, etc.) hosted on that DC, along with the name of the replication partner. Clicking on any of these partitions will display the replication details in the right pane. This is the information you'd get from the `repadmin /showrepl` command, except that you get a lot more information from other servers quickly.
To get the most out of ReplMon, you should enable additional logging. Go to View – Options to get the dialog shown in Figure 2. These options are pretty self-explanatory, but I recommend enabling at least "Show Transitive Replication Partners and Extended Data." Then click the Status Logging tab (Figure 3) and check "Group Policy Objects" and "Display Changed Attributes when Replication Occurs." These settings provide additional information in the left pane for monitored servers about GPO replication success or failure, and identify the object that was replicated and the update sequence number (USN).
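The per-partition data that `repadmin /showrepl` reports can also be collected for every DC in one pass with `repadmin /showrepl * /csv` and filtered down to the links that are failing. The following Python is an added example, not part of the original article; the sample input is constructed, the DC, site and domain names are hypothetical, and the column headers are assumed to match the header row repadmin writes.

```python
import csv
import io
from collections import Counter

# Constructed sample in the layout of `repadmin /showrepl * /csv`;
# DC, site and domain names are hypothetical.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=corp,DC=example",HQ,DC02,RPC,0,0,2005-03-01 10:15:02,0
showrepl_INFO,HQ,DC01,"CN=Configuration,DC=corp,DC=example",Branch,DC03,RPC,14,2005-03-01 10:01:44,2005-02-27 22:46:10,1722
showrepl_INFO,HQ,DC02,"DC=corp,DC=example",Branch,DC03,RPC,9,2005-03-01 10:02:05,2005-02-28 01:12:40,1722
showrepl_INFO,Branch,DC03,"DC=corp,DC=example",HQ,DC01,RPC,3,2005-03-01 09:58:12,2005-03-01 08:43:30,8524
"""

# Two Win32 status codes that often accompany replication failures.
STATUS_TEXT = {"1722": "RPC server is unavailable",
               "8524": "DNS lookup failure"}


def failing_links(csv_text):
    """Return inbound replication links that report failures, worst first."""
    links = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["showrepl_COLUMNS"] != "showrepl_INFO":
            continue  # only data rows describe a replication link
        failures = int(row["Number of Failures"] or 0)
        status = (row["Last Failure Status"] or "0").strip()
        if failures == 0 and status == "0":
            continue  # healthy link
        links.append({
            "dest": row["Destination DSA"],
            "source": row["Source DSA"],
            "nc": row["Naming Context"],
            "failures": failures,
            "status": status,
            "reason": STATUS_TEXT.get(status, "code not in STATUS_TEXT"),
            "last_success": row["Last Success Time"],
        })
    return sorted(links, key=lambda link: link["failures"], reverse=True)


def failures_by_source(links):
    """Count failing links per source DC; one bad source can explain many."""
    return Counter(link["source"] for link in links)


if __name__ == "__main__":
    for link in failing_links(SAMPLE_CSV):
        print("{dest} <- {source} [{nc}] failures={failures} "
              "status={status} ({reason}) last ok {last_success}".format(**link))
```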
In terms of troubleshooting with ReplMon, here are my favorite selections:
Go to Action-Domain-Search domain controllers for replication errors. On the ensuing screen, select the Run Search button to find all replication errors on all DCs in the domain (Figure 4). You can then save this to a text file. It's a great way to collect all replication errors in the domain in one spot rather than having to examine many event logs.
There are also some powerful server options. Right click a DC icon and a list of actions will be shown (Figure 5). Most are obvious and the results can be saved as text files.
Under a DC in the left pane, select one of the partitions and the associated replication partner. You can force replication between the two by selecting Action – Replication Partner – Synchronize with this replication partner. It is much faster than going to the Sites and Services snap-in.
Go under Action – Replication Partner – Check current USN and unreplicated objects. This will show the replication queue for a given partition/replication partner and show objects that have not yet replicated.
At the end of the list shown in Figure 5, there is a Properties option where there are some more cool features:
Synchronize each directory partition (for this DC) with all servers. This includes the option to "push" replication to other DCs. No other tool does this.
Show Replication Topologies -- Careful! This only shows intra-site replication topology (pretty useless).
Show Group Policy Object Status -- This shows all GPOs in the domain, the GUID, the AD and Sysvol versions. It's similar to a mini GPOTool output.
Show Attribute Meta-Data for Active Directory Object -- This displays attributes for a given object (originating server, version, last write time and so on). It is very similar to the `repadmin /showobjmeta` command, but with a very cool feature. Click on one attribute and hit the compare button. It shows you that attribute on all DCs in the domain (or forest) -- much easier than doing that with the repadmin command. And, of course, you can save it to a text file.
You can see DCs in the domain and global catalog servers in the enterprise.
FSMO Roles -- As shown in Figure 6, this tab lists all FSMO role holders, but notice the query button. NTDSUtil and various MMCs (and even Netdom) will list FSMOs, but ReplMon will query them to see if they are responsive.
Inbound Replication Connections -- This offers details about each replication connection: GUID, reasons for the connection, replication partner, etc.
Finally, to eliminate the need to manually connect to the domain controllers each time you use ReplMon, go to File-Save Monitored List As. You can save the list of DCs in the tool to a text file (*.ini). You can also edit the file to add additional DCs. Then you can select File-Open Script and select the .ini file you saved to load the DCs.
While all of these features are great, I've left the best for last -- the Status Report. Right click on the DC icon and select Generate Status Report. Keep the default options and provide a file name. This status report is a dump of all data related to replication. It evaluates DNS, replication objects, connections and so forth. You can then take the status report and construct the replication topology -- site names, DC names, site link information, as well as replication-related errors and significant events. It serves as a very nice one-stop shopping list for troubleshooting Active Directory replication failure.
Yes, there are a lot of sophisticated tools out there, but don't forget ReplMon. It is still a very powerful tool for monitoring and troubleshooting all aspects of Active Directory replication.
Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers. Gary is a Microsoft MVP for Directory Services and formerly for Windows File Systems.