The Repadmin tool
Repadmin.exe is a command-line tool that is installed together with the Active Directory Domain Services role; on a workstation you have to install the Remote Server Administration Tools (RSAT) to get it. Its output is plain text, so customizing the format of the output can get time consuming.
In the example that follows, Repadmin pulls the inbound replication status of the domain partition from a domain controller named DC2012. The /csv switch returns the output in CSV format, and /Errorsonly shows only the connections that have errors.
repadmin /showrepl DC2012 "DC=test,DC=local" /csv /Errorsonly
If you plan to work with the output in PowerShell, you can pipe the output to the ConvertFrom-Csv cmdlet to create objects. Then you can format the information as shown below.
repadmin /showrepl DC2012 "DC=test,DC=local" /csv | ConvertFrom-Csv | ? { $_.'Number of Failures' -ne 0} | select 'Source DSA','Destination DSA','Last Failure Time'
PowerShell replication cmdlets
Microsoft added a number of PowerShell cmdlets in Windows Server 2012 that allow you to check the Active Directory replication status. The cmdlets belong to the Active Directory PowerShell module; on a Windows workstation you get them by installing RSAT.
Unlike Repadmin, the PowerShell cmdlets create objects rather than text as output. An object has a rich set of properties and methods you can reuse effectively within your scripts and can pipe to another cmdlet. With this, you simplify your automation and reporting tasks.
Why cmdlets
The ability to present the output as an object is the main advantage of PowerShell replication cmdlets compared to the Repadmin tool.
The following example demonstrates nicely how useful the output is as an object for troubleshooting issues.
Get-ADReplicationPartnerMetadata -Target DC2012 -Partition domain | Select Server,@{n="Partner";e={(Resolve-DnsName $_.PartnerAddress).NameHost}},LastReplicationAttempt
Compared to the solution with Repadmin plus ConvertFrom-Csv, the PowerShell cmdlets return objects with more properties.
The major advantage of working with an object with many properties is that you can easily extract the information you need by piping the object to additional PowerShell commands.
The example below shows three cmdlets connected by a pipeline. The first pipe extracts replication details such as the computer name. We then pass the result to Test-Connection to check whether corresponding computers are online.
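The pipeline described above, as an added example that is not part of the original article. It takes the partner list from Get-ADReplicationPartnerMetadata, resolves the GUID-based partner address to a host name, and then tests each host. It goes one step further than a plain ping: ICMP is often blocked between sites while LDAP is not, so it also checks TCP port 389. DC2012, the domain partition, and the availability of Test-NetConnection (Windows 8.1/Server 2012 R2 or later) are assumptions.

```powershell
# Added example (not from the original article): check whether every replication
# partner of DC2012 for the domain partition is reachable. DC2012 is an assumption.
Get-ADReplicationPartnerMetadata -Target DC2012 -Partition Domain -PartnerType Both |
    Select-Object -ExpandProperty PartnerAddress |        # GUID-based DNS name of each partner
    ForEach-Object { (Resolve-DnsName $_).NameHost } |    # follow the CNAME to the real host name
    Sort-Object -Unique |                                 # a partner can appear inbound and outbound
    ForEach-Object {
        [pscustomobject]@{
            Partner = $_
            Ping    = Test-Connection -ComputerName $_ -Count 1 -Quiet
            Ldap389 = Test-NetConnection -ComputerName $_ -Port 389 -InformationLevel Quiet
        }
    } |
    Format-Table -AutoSize
```

A partner that answers on 389 but not to ping is a firewall rule, not a replication problem; a partner that answers neither is worth looking at before you read any replication metadata at all.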
Another advantage of the PowerShell cmdlets is that it is easy to understand what a particular command is supposed to do. If you compare the following commands that both return the replication metadata, you will understand what I mean.
Get-ADReplicationPartnerMetadata -Target DC2012 -Partition Schema
repadmin /showrepl DC2012 "DC=test,DC=local"
PowerShell replication cmdlet examples
Below you will find a few examples of how you can use the PowerShell replication cmdlets.
Get-ADReplicationPartnerMetadata
This gets the replication partners for a designated server or set of servers within the forest. By default only inbound partners are returned; -PartnerType Both, as in the example, includes the outbound partners as well.
Get-ADReplicationPartnerMetadata -Target DC2012 -Partition Schema -PartnerType Both | select Server,@{n="Partner";e={(Resolve-DnsName $_.PartnerAddress).NameHost}},Partition,LastReplicationResult,PartnerType | ft
Get-ADReplicationFailure
This queries the failed replication details for a designated server based on the input target and scope.
The output shows that there currently is no replication issue from ADC2012 to DC2012, but that the connection failed on 09/25/2019 at 12:01 AM. Note that FirstFailureTime is not the most recent failure time; any number of retries may have happened between that first failure and the point at which replication succeeded again. The number of failed retries is kept in the FailureCount property, but only while the connection is still in a failed state; once replication succeeds, the value is 0.
Get-ADReplicationFailure -Target ADC2012 | select Server,Partner,FirstFailureTime,FailureCount,FailureType
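Because the cmdlet returns objects, the same query scales from one DC to the whole forest with a single parameter change. The following is an added example, not code from the original article, that runs the check forest-wide and flags links that have been failing for longer than a threshold. The forest name test.local and the 24-hour threshold are assumptions.

```powershell
# Added example (not part of the original article): forest-wide replication failure
# report suitable for a scheduled task. test.local and the threshold are assumptions.
$threshold = (Get-Date).AddHours(-24)

$failures = Get-ADReplicationFailure -Target test.local -Scope Forest |
    Where-Object { $_.FailureCount -gt 0 } |          # only links that are failing right now
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError,
        @{ n = 'HoursFailing'; e = { [math]::Round(((Get-Date) - $_.FirstFailureTime).TotalHours, 1) } }

$failures | Sort-Object HoursFailing -Descending | Format-Table -AutoSize

# Links failing longer than the threshold deserve an alert; a partner that stays
# unreachable past the tombstone lifetime will no longer be able to replicate at all.
$stale = @($failures | Where-Object { $_.FirstFailureTime -lt $threshold })
if ($stale.Count -gt 0) {
    Write-Warning ("{0} replication link(s) have been failing for more than 24 hours" -f $stale.Count)
}
```

LastError is the raw Win32/DS error code; 8524 (the DSA operation is unable to proceed because of a DNS lookup failure) and 1722 (the RPC server is unavailable) are the ones you will see most often, and both point at name resolution or firewalls rather than at the directory itself.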
Get-ADReplicationConnection
This returns a specific Active Directory replication connection or a set of AD replication connection objects based on a specified filter.
The first command lists all the connection objects within the AD forest using the Filter parameter, while the second one lists the details of a specific connection object using the Identity parameter.
Get-ADReplicationConnection -Properties * -Filter * | select Name,AutoGenerated,InterSiteTransportProtocol,schedule,fromServer | ft
Get-ADReplicationConnection -Identity "ADC2012->WIN-H5A3L7FJOB4" -Properties * | select Name,AutoGenerated,InterSiteTransportProtocol,schedule,fromServer | ft
Get-ADReplicationAttributeMetadata
This cmdlet queries the replication metadata for an object from a specified directory server. The output shows the what, when, and where of a particular object's modification within your AD, but it does not say who modified the object. To identify the user, you need auditing enabled, as shown below.
Get-ADReplicationAttributeMetadata "DC=Win8,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local" -Server DC2012 -IncludeDeletedObjects -ShowAllLinkedValues | Where-Object { $_.attributename -eq "dnsTombstoned" }
The command displays the metadata of a deleted record named Win8 from the zone test.local. The record was tombstoned (dnsTombstoned set) on 09/29/2019, and the change originated on the server DC2012.
If you want to know who deleted this record, look for security event 4662 in the Security log of that domain controller. Note that 4662 is only written if you have enabled auditing of directory service access for the DNS objects.
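The lookup described above, as an added example that is not part of the original article. It reads event 4662 from the DC's Security log, extracts the named EventData fields from the event XML rather than parsing the message text, and keeps only the events that refer to the record. It assumes "Audit Directory Service Access" is enabled and the DNS zone carries a SACL that covers the record; DC2012 and the DN are taken from the article.

```powershell
# Added example (not part of the original article): who touched the DNS record?
# DC2012 and the DN come from the article; auditing of the DNS objects is assumed.
$dn = 'DC=Win8,DC=test.local,CN=MicrosoftDNS,DC=DomainDnsZones,DC=test,DC=local'

# 4662 may record the object by GUID instead of DN, so resolve the GUID as well.
# The record still exists as a tombstoned dnsNode object, so a normal lookup works.
$guid = (Get-ADObject -Identity $dn -Server DC2012).ObjectGUID.ToString()

Get-WinEvent -ComputerName DC2012 -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4662
    StartTime = (Get-Date).AddDays(-7)     # 4662 is noisy; narrow the window
} | ForEach-Object {
    # Map each <Data Name="..."> element of the event to a hashtable entry
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        User       = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        ObjectName = $data.ObjectName
        AccessMask = $data.AccessMask      # 0x20 = write property, 0x10000 = delete
        Properties = $data.Properties      # schema GUIDs of the attributes touched
    }
} | Where-Object { $_.ObjectName -like "*$dn" -or $_.ObjectName -like "*$guid*" } |
    Sort-Object Time | Format-Table -AutoSize
```

Deleting a record through the DNS console does not delete the dnsNode object; it writes dnsTombstoned, so the matching event carries a write-property access mask (0x20), not a delete. Run the query against the DC named in LastOriginatingChangeDirectoryServerIdentity, because that is the only one that logged the change.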
Get-ADReplicationSite, SiteLink, Subnet, SitelinkBridge
These cmdlets query a single site component of the respective type or a set of them based on a filter. You can read the cost and replication frequency of each site link, which allows you to understand the replication topology and the expected replication delays.
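The following is an added example, not code from the original article, that pulls the three things you need to reason about inter-site convergence: site link cost and interval, subnet-to-site mapping, and the ISTG of each site. No site or subnet names are assumed; it reports whatever the forest contains.

```powershell
# Added example (not part of the original article): summarize the inter-site topology.
# Cost drives the spanning tree the ISTG builds; the interval (minutes) times the
# number of hops between two sites bounds the expected replication delay.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded, options |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } },
        @{ n = 'ChangeNotification'; e = { [bool]($_.options -band 1) } } |   # options bit 0x1 = USE_NOTIFY
    Sort-Object Cost | Format-Table -AutoSize

# Which site each subnet belongs to; a subnet with no site makes clients pick a random DC.
Get-ADReplicationSubnet -Filter * |
    Select-Object Name,
        @{ n = 'Site'; e = { if ($_.Site) { ($_.Site -split ',')[0] -replace '^CN=' } else { '(none)' } } } |
    Sort-Object Site, Name | Format-Table -AutoSize

# Which DC generates the inter-site topology in each site
Get-ADReplicationSite -Filter * |
    Select-Object Name, @{ n = 'ISTG'; e = { ($_.InterSiteTopologyGenerator -split ',')[0] -replace '^CN=' } } |
    Format-Table -AutoSize
```

A site link whose ChangeNotification column is true replicates on change rather than on the interval, so its frequency value no longer tells you the delay; that is worth knowing before you blame a 180-minute interval for a change that arrived in seconds.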
PowerShell equivalents for Repadmin commands
The following table lists a few replication tasks with the corresponding Repadmin (or dsquery) command and its PowerShell equivalent.
| Task | Repadmin / dsquery | PowerShell |
|---|---|---|
| Get replication partner status | repadmin /showrepl | Get-ADReplicationPartnerMetadata |
| Get inbound replication queue details | repadmin /queue | Get-ADReplicationQueueOperation |
| Replicate a specific AD object between domain controllers | repadmin /replsingleobj | Sync-ADObject |
| Get replication metadata of an AD object | repadmin /showobjmeta | Get-ADReplicationAttributeMetadata |
| Show the up-to-dateness vector (highest committed USN per partner) | repadmin /showutdvec | Get-ADReplicationUpToDatenessVectorTable |
| Display ISTG details | repadmin /istg * | Get-ADReplicationSite -Filter * \| Select InterSiteTopologyGenerator |
| List all the subnets in the forest | dsquery subnet | Get-ADReplicationSubnet |
| List the AD sites in the forest | dsquery site | Get-ADReplicationSite |
Why Repadmin still matters
The PowerShell replication cmdlets cannot completely replace Repadmin because some powerful Repadmin functions are still not available in PowerShell. Notably, these are the commands that force replication of all directory partitions after a change has been made. Another important task you currently can't do with PowerShell is making the KCC recompute the replication topology and create any missing connection objects.
Below are some examples that show a few Repadmin tasks you can't process in PowerShell.
The following command forces replication of all partitions and pushes the changes outward from the domain controller it runs against.
repadmin /syncall /APed (or) repadmin /syncall /Aed
The flags mean: /A all partitions, /P push the changes outward (without it the DC only pulls), /e enterprise, i.e., across sites, /d identify servers by distinguished name. The flags are case-sensitive: a lowercase /p pauses for user input, so /Aped would stop and wait instead of pushing.
The next command forces the domain-naming context changes from ADC2012 to DC2012.
repadmin /replicate DC2012 ADC2012 "DC=test,DC=local" /force
And this last command creates the missing replication connection object for each domain controller in a specified site.
repadmin /kcc Site:Default-First-Site-Name
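Because the two tools complement each other, the practical pattern is to call Repadmin from PowerShell for the part it alone can do and then verify the outcome with the cmdlets. The following is an added example, not code from the original article; DC2012, the domain partition test.local, and the 30-second settle time are assumptions.

```powershell
# Added example (not part of the original article): force a push with repadmin,
# then verify with the replication cmdlets. DC2012 and test.local are assumptions.
$out = repadmin /syncall DC2012 "DC=test,DC=local" /APed 2>&1   # /A all NCs, /P push, /e cross-site, /d DNs
if ($LASTEXITCODE -ne 0) {
    Write-Warning "repadmin /syncall returned $LASTEXITCODE"
}
$out | Write-Verbose -Verbose                                   # keep the text output for the record

# Give the push a moment to land, then look for any partner that did not replicate cleanly.
Start-Sleep -Seconds 30
$problems = Get-ADReplicationPartnerMetadata -Target DC2012 -Partition Domain -PartnerType Both |
    Select-Object Server, PartnerType,
        @{ n = 'Partner'; e = { (Resolve-DnsName $_.PartnerAddress).NameHost } },
        LastReplicationAttempt, LastReplicationSuccess, LastReplicationResult |
    Where-Object { $_.LastReplicationResult -ne 0 -or $_.LastReplicationSuccess -lt (Get-Date).AddMinutes(-5) }

if ($problems) { $problems | Format-Table -AutoSize } else { 'All partners replicated successfully.' }
```

LastReplicationResult is 0 on success; a non-zero value is the same Win32 error code that repadmin prints in its text output, so the two views agree even though one is text and the other an object.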
Conclusion
The main advantage of the PowerShell replication cmdlets is that you work with rich objects, which simplifies many automation tasks. However, because PowerShell still lacks a few features of Repadmin, the AD admin has to keep this utility in the toolbox for a while.
Great article. Is there a way to replicate AD Integrated DNS Zones using PowerShell? For example inside a script you create a DNS A record and you want that to immediately replicated to all the other DNS of the forest or domain
DNS resides inside the NTDS.dit file, which means DNS data also gets replicated when AD replication happens.
Thanks!
Great post Mr Krishna. The PowerShell Equivalents for Repadmin commands table in the end is very useful for admins who want to move away from legacy tool to PowerShell. Excellent writeup.
I was able to use this info to retrieve data not even present in our Varonis, so double awesome. Very good writeup!