roy
Security Engineer @ Palantir

Sep 6, 2021, 8 tweets

A hat tip to repadmin.exe (thread🧵).

Commonly used for a quick view of replication health with “repadmin /replsum”, which inspects the repsFrom multi-valued attribute stored at the root of each directory partition on each DC and bubbles up the summary 🪄 (#ActiveDirectory)

If your output from replsum is more interesting than the example above and you want to take a closer look at replication health, "showrepl" is the way. If you want to quickly see ALL partitions from ALL domain controllers in an easy view: “repadmin /showrepl * /csv > allrepl.csv”.
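One way to triage that CSV in PowerShell, as an added example that is not part of the original thread: it lists every replication link that has failures or whose last success is older than a threshold. The sample rows are constructed, and the `yyyy-MM-dd HH:mm:ss` timestamp format and the 6-hour threshold are assumptions to adjust for your environment.

```powershell
# Constructed sample in the column layout of "repadmin /showrepl * /csv".
# On a live system use:  $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,DC1,"DC=mydomain,DC=com",SiteB,DC2,RPC,0,0,2021-09-06 09:58:12,0
showrepl_INFO,SiteA,DC1,"CN=Configuration,DC=mydomain,DC=com",SiteB,DC3,RPC,14,2021-09-06 09:45:01,2021-09-05 22:10:40,1722
showrepl_INFO,SiteB,DC2,"DC=mydomain,DC=com",SiteA,DC1,RPC,0,0,2021-09-06 09:59:30,0
showrepl_INFO,SiteB,DC3,"DC=mydomain,DC=com",SiteA,DC1,RPC,3,2021-09-06 09:50:17,2021-09-06 08:02:55,8524
'@
$rows = $sample | ConvertFrom-Csv

$now    = [datetime]'2021-09-06 10:00:00'   # fixed for the sample; use Get-Date live
$maxAge = New-TimeSpan -Hours 6             # assumed staleness threshold
$fmt    = 'yyyy-MM-dd HH:mm:ss'             # assumed timestamp format
$inv    = [cultureinfo]::InvariantCulture
$style  = [System.Globalization.DateTimeStyles]::None

# Rows not marked showrepl_INFO (e.g. a DC that could not be queried) are
# surfaced separately instead of being parsed as replication links.
$rows | Where-Object { $_.showrepl_COLUMNS -ne 'showrepl_INFO' } |
    ForEach-Object { Write-Warning "Non-INFO row for '$($_.'Destination DSA')'" }

$report = foreach ($r in ($rows | Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' })) {
    $failures = [int]$r.'Number of Failures'
    $parsed   = [datetime]::MinValue
    $hasOk    = [datetime]::TryParseExact($r.'Last Success Time', $fmt, $inv, $style, [ref]$parsed)
    # A link is stale if it never succeeded or last succeeded too long ago.
    $stale    = (-not $hasOk) -or (($now - $parsed) -gt $maxAge)

    if ($failures -gt 0 -or $stale) {
        [pscustomobject]@{
            Destination = $r.'Destination DSA'
            Source      = $r.'Source DSA'
            Partition   = $r.'Naming Context'
            Failures    = $failures
            LastStatus  = $r.'Last Failure Status'
            LastSuccess = if ($hasOk) { $parsed } else { $null }
            Stale       = $stale
        }
    }
}

# Worst links first; the sample yields DC3->DC1 (14 failures, stale)
# followed by DC1->DC3 (3 failures, not stale).
$report | Sort-Object Failures -Descending | Format-Table -AutoSize
```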

Maybe one domain controller stands out as a troublemaker or victim and we want to quickly see who it is replicating with and the status for each partition? “repadmin /showrepl dc1”.

(While not only repadmin.exe related, it's useful to remember that the "DSA Object GUIDs" are registered in the _msdcs DNS zone. So if you see a DSA GUID in an error message or log, you can map it to a DC name easily via nslookup, ping or by inspecting the DNS zone to investigate.)

You might need to verify the list of the domain controllers in your forest to double check that you have the full replication picture while you’re digging into a replication problem: “repadmin /viewlist *”.

In a larger environment you could have a hunch that topology design choices are preventing full convergence. Some DCs are getting the change, others aren't. Where did this DC get an attribute change from? “repadmin /showobjmeta dc1 "CN=Chad Duffey,CN=Users,DC=mydomain,DC=com"”.

What if you think DCs from different sites are behaving differently WRT replication? “repadmin.exe /siteoptions dc1”. (In the example, we find the setting is old & no longer required. We make adjustments: “repadmin /siteoptions -IS_REDUNDANT_SERVER_TOPOLOGY_ENABLED dc1”.)

To check that your Active Directory backups are “supported” system state backups, usable in a full forest recovery/disaster: “repadmin /showbackup”. Only backup products that call the standard/supported AD backup API will update the timestamp on the partition with the backup time.
