Powershell: AD replication
Repadmin monitors the replication in your Active Directory Forest, you can read this AskDs post about this tool. The command line “repadmin /replsum” helps you retrieve the global forest replication status. The data retrieved for a given Domain Controller is:
- Largest Delta: longest time since he successfully replicated all the Naming Contexts with his replication partners.
- Number of failed replications that occured for all the Naming Contexts (aka Directory Partitions) with his replication partners.
The purpose of the powershell script is to analyse DC’s inbound replication thanks to the command line “repadmin /replsum /bydest”. If there are RODCs in your domain they do not show up if you use the /bysrc switch. You can read this post if you need to know more about running the repadmin /replsum command in a domain with RODCs.
If for a given DC the “largest delta” exceeds a given threshold (in minutes), or there are replication failures, we will read on the RootDSE object the msDS-ReplAllInboundNeighbors attribute. With that information we will retrieve which replication partners and “Naming Contexts” that are having trouble to replicate. You can retrieve the same type of information with the “replsum /showrepl %dc_name% /csv” command line, but the data stored in the msDS-ReplAllInboundNeighbors attribute is in XML format, which easy and convenient to manipulate with Powershell.
You can already find on the Technodrone blog a script that does quiet the same thing, it uses the “replsum /showrepl * /csv command. My script will use a different method (msDS-ReplAllInboundNeighbors) and the display of the results is slightly different.
First we will parse the results of the “repadmin /replsum /bydest” by using regular expressions:
We need to retrieve the following values: “Destination DSA”, “largest delta” and “fails” which is a number with one or two digits. We will parse this information thanks to this regular expression:
[regex]$regex = '\s+(?\S+)\s+(?\S+)\s+(?\d{1,2}\s)' |
If a DC is offline an error is displayed at the last line of the command result, the regular expression we will use to parse the result is:
[regex]$regex2 = '\s+(?\d{1,2}\S+)\s\-\s+(?\S+)' |
We will use the $matches variable in order to parse our results with the regular expressions mentioned previously. For a detailed example of this method you can read this article that explains how to parse the results of the “route print” command line, or this one which deals with the “netstat” command line.
In our case we will use the following powershell code:
$repadmin = repadmin /replsum /bydest $repadmin | ForEach-Object { if ( $_ -match $regex ) { $process = "" | Select-Object DC, Delta, fail $process.dc = $matches.dc $process.Delta = $matches.Delta $process.fail = [int]($matches.fail) $process } Elseif ( $_ -match $regex2 ) { $process2 = "" | Select-Object DC,fail $process2.fail = $matches.fail $process2.DC = $matches.DC $process2 } } |
The New-Timespan cmdlet will help us parse the “largest delta” data ($process.Delta = XXd:XXh:XXm:XXs) in order to convert it in minutes. If the result ($DeltaMinutes.Minutes) exceeds a given treshold or there is at least one replication error ($process.fail) then we will retrieve the DC’s msDS-ReplAllInboundNeighbors XML metadata attribute on the RootDSE object.
In order to analyse the data of the ms-DS-Repl-AttributeMetaData attribute we will use the same method as decribed by this Active Directory Powershell blog post. In order to read the msDS-ReplAllInboundNeighbors attribute on every DC’s RootDSE object you need Active Directory Web Services (shipped with Windows 2008R2) on every Domain Controller.
Here is the result when you launch the repl-status.ps1 script, the treshold for the $DeltaMinutes.Minutes value is 20 minutes, you can change this by editing the $LargestDeltaTreshold variable:
Just click on the button bellow to download the repl-status.ps1 script:
This post is also available in: French
