Having an adequate toolkit for troubleshooting Active Directory (AD) replication is important. I recommend that you go to the Windows Server 2003 Service Pack 1 32-bit Support Tools Web site (http://www.microsoft.com/downloads/details.aspx?familyid=6ec50b78-8be1-4e81-b3be-4e7ac4f0912d&displaylang=en) and create a basic toolkit that contains the following Windows Server Support Tools. (Third-party vendors such as NetPro Computing and Quest Software also offer utilities that simplify the process of AD troubleshooting, including replication troubleshooting.)

  • Event Viewer: This tool might seem obvious, but I’ve seen several systems administrators skip right past the log when they’re having replication problems. Use the directory service log, the system log, and the DNS log if DNS is installed on your domain controller (DC). Event messages are considerably more helpful in Windows Server 2003 than in previous OSs, although the built-in links to Microsoft help are useful only occasionally.
  • DCDiag (http://technet2.microsoft.com/windowsserver/f/?en/library/f7396ad6-0baa-4e66-8d18-17f83c5e4e6c1033.mspx): You can often use this powerful testing program without any parameters. Use the /test:testname switch to specify individual tests. I recommend that you read about and understand all the available tests. Some important options and tests include the following:

      • /S:server—Specifies a remote DC to test.
      • /A—Tests all DCs in a site.
      • /E—Tests all DCs in the forest.
      • /test:DNS—This comprehensive set of seven DNS tests is new for Windows 2003 SP1. (For more information, see http://technet2.microsoft.com/windowsserver/en/library/5237db58-a1e8-40cd-ae8a-7f52848a90f21033.mspx?mfr=true.)
      • /CheckSecurityError—Detects security configurations that can cause replication to fail.

  • Repadmin (http://technet2.microsoft.com/windowsserver/f/?en/library/24d8a2dd-2596-46cb-9b0f-179f977d434a1033.mspx): Repadmin is like the kitchen sink of replication utilities—if you’ve heard of a new way to manage or troubleshoot replication, odds are that Microsoft has added the method to this tool. (Note that the /experthelp option displays 2_ pages of syntax.) You can use this tool immediately to help resolve replication problems, but mastery takes time and requires a solid understanding of the replication process. Some important Repadmin commands to know include the following:

      • /Showrepl—Shows the inbound replication partners for a DC for all directory partitions. The /RepsTo option shows you the DC’s outbound neighbors.
      • /ReplSummary—Shows the replication health of the entire forest.
      • /KCC—Forces the Knowledge Consistency Checker (KCC) to recalculate the replication topology, which is useful when you need the KCC to account for DC changes more quickly than it normally does.
      • /Queue—Shows tasks waiting in the replication queue.
      • /ShowObjMeta—Shows which DC originated updates to the attributes of an object you specify.
      • /Replicate—Forces replication of a naming context (directory partition).
      • /OldHelp—Lists old (deprecated) commands.
      • /ExpertHelp—Lists advanced commands.
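
A triage pass built on the Repadmin and DCDiag switches listed above, as an added example that is not part of the original article: it parses Repadmin's /Showrepl output in CSV form and lists the replication links that report failures. The /csv switch and the * wildcard are Repadmin options the article does not mention; the DC names, domain, and sample rows are constructed.

```powershell
# Constructed sample in the column layout of "repadmin /showrepl * /csv".
# On a DC (or a host with the Support Tools) use instead:
#   $lines = repadmin /showrepl * /csv
$lines = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=example,DC=test",HQ,DC02,RPC,0,0,2024-01-10 09:15:02,0
showrepl_INFO,HQ,DC01,"DC=example,DC=test",Branch,DC03,RPC,14,2024-01-10 09:14:40,2024-01-09 21:02:11,1722
showrepl_INFO,Branch,DC03,"CN=Configuration,DC=example,DC=test",HQ,DC01,RPC,3,2024-01-10 09:10:05,2024-01-10 06:00:41,8453
'@ -split '\r?\n'

function Get-FailingReplicationLink {
    # Returns one object per inbound link whose failure counter is above zero,
    # worst link first. Each object keeps every CSV column as a property.
    param([Parameter(Mandatory)][string[]]$CsvLines)
    $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Sort-Object { [int]$_.'Number of Failures' } -Descending
}

$failing = @(Get-FailingReplicationLink -CsvLines $lines)

# Summary: who cannot pull from whom, for which partition, and the last
# Win32 status code (1722 = RPC server unavailable, 8453 = access denied).
$failing | Format-Table 'Destination DSA', 'Source DSA', 'Naming Context',
    'Number of Failures', 'Last Success Time', 'Last Failure Status' -AutoSize

# Print (do not run) the follow-up commands for each affected destination DC,
# using only switches described in the article.
$failing | ForEach-Object { $_.'Destination DSA' } | Sort-Object -Unique |
    ForEach-Object {
        "dcdiag /s:$_ /test:DNS"
        "repadmin /showrepl $_"
        "repadmin /queue $_"
    }
```

The Last Failure Status value is the Win32 error code for the most recent failed attempt, so it is the first thing to look up alongside the directory service log on the destination DC.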

Sean writes about cloud identity, Microsoft hybrid identity, and whatever else he finds interesting at his blog on Enterprise Identity and on Twitter at @shorinsean.