A healthy Active Directory (AD) environment is the backbone of any Windows-based enterprise network. When Domain Controllers (DCs) stop communicating or fail to replicate changes properly, you will experience bizarre authentication issues, missing user accounts, and erratic GPO behaviors.
As a system administrator, knowing how to quickly diagnose AD health and manually force replication is a critical skill. This guide outlines the most essential CMD and PowerShell commands used to verify Active Directory status, assess replication health, and manually trigger synchronization between servers.
1. Checking AD Health using PowerShell
PowerShell provides modern, object-oriented cmdlets for interacting with Active Directory. Ensure you have the Active Directory module installed and run these commands from an elevated prompt.
a. Summarize Replication Status
To get a rapid overview of replication health across all Domain Controllers:
Get-ADReplicationSummary
This command displays the replication status between DCs, highlighting any immediate errors or failures in inbound/outbound links.
b. Detailed Partner Metadata
If you need a granular view of a specific DC’s replication partners:
Get-ADReplicationPartnerMetadata -Target "Your_DC_Name" | Format-List
This reveals exact details concerning the replication links, consecutive failure counts, and last successful sync times for a given server.
c. Identify FSMO Role Holders
Flexible Single Master Operations (FSMO) roles are five critical tasks assigned to specific DCs. To verify which server holds which role:
Get-ADDomain | Select-Object InfrastructureMaster, PDCEmulator, RIDMaster
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
If a server holding a FSMO role goes offline permanently, you will need to forcefully seize these roles to another healthy DC.
2. Checking AD Health using CMD
For legacy systems or quick checks, the native command-line executables are incredibly powerful.
a. The DCDIAG Diagnostic Tool
dcdiag is arguably the most important utility for verifying overall Domain Controller health. It runs a comprehensive suite of tests covering networking, DNS, and services.
- Open CMD as Administrator.
- Run a standard diagnostic on the local DC:
dcdiag - Run a targeted DNS test on a specific DC:
dcdiag /test:dns /s:Your_DC_Name - Output a highly detailed (verbose) report:
dcdiag /v
b. Verify Replication with Repadmin
repadmin is the definitive tool for viewing and troubleshooting replication topology.
Replication Summary:
repadmin /replsummaryProvides a high-level summary of replication state and errors across the forest.
Detailed Partner Status:
repadmin /showrepl Your_DC_NameDisplays the inbound replication partners for the specified DC and the status of each connection.
Show Errors Only:
repadmin /showrepl * /errorsonlyFilters the output to only show connections that are currently failing to replicate across all DCs in the forest.
c. Identify FSMO Roles via CMD
Alternatively to PowerShell, you can quickly query the FSMO role holders using:
netdom query fsmo
d. Test Connectivity and Site Info
To verify basic LDAP connectivity to a domain controller:
nltest /dsgetdc:Your_Domain_Name
To verify which Active Directory Site the current machine belongs to:
nltest /dsgetsite
3. How to Force Active Directory Replication
Sometimes, you make a critical change (like resetting a vital password, changing a group policy, or adding a user) on one DC, and you cannot wait the default 15 minutes for it to propagate to the rest of the network. You can manually force replication using repadmin.
a. Force Sync Between All Domain Controllers
The most common and powerful command to forcefully push and pull changes across your entire AD site/domain is:
repadmin /syncall /A /e /P /d /q
Explanation of the parameters:
/A: Performs the synchronization for All naming contexts (partitions) on the server./e: Synchronizes across all sites in the Enterprise (bypasses site boundaries)./P: Pushes changes outward from the specified DC to all partners./d: Identifies the servers by their Distinguished Name in messages./q: Quiet mode (suppresses successful messages, showing only fatal errors).
b. Force Pull from a Specific Partner
If you want a specific DC to immediately retrieve changes from another specific DC:
repadmin /replicate Destination_DC Source_DC Naming_Context
(Example: repadmin /replicate DC02 DC01 DC=corp,DC=local forces DC02 to pull the domain partition from DC01).
Conclusion
Maintaining a healthy Active Directory requires proactive monitoring. Tools like dcdiag are excellent for deep-dive health checks and DNS validation, while repadmin is your absolute best friend when diagnosing broken sync topologies. Modern PowerShell cmdlets like Get-ADReplicationSummary offer cleaner, scriptable outputs.
Whenever you experience bizarre logical errors across your network, always check DNS and AD Replication first. If the domain controllers are out of sync, forcing replication with /syncall can save you hours of phantom troubleshooting!