How to Verify Active Directory Replication Between Domain Controllers Before Decommissioning

When preparing to decommission a domain controller (DC) in a multi-DC environment, verifying proper replication between the remaining DCs is critical. The scenario involves:

  • 3 DCs across different networks
  • Ping connectivity exists between target DCs
  • repadmin /showrepl only shows replication with the DC to be removed
  • Network configuration concerns about replication paths

Here are several techniques to thoroughly test replication:

# 1. Check replication partners
repadmin /replsummary dc1 dc2

# 2. Force replication and verify
repadmin /syncall /A /e

# 3. Check connection objects
repadmin /showconn dc1
repadmin /showconn dc2

For more detailed verification, use these PowerShell commands:

# Get replication status for all partitions
Get-ADReplicationPartnerMetadata -Target "dc1.domain.com" -Scope Server |
  Select-Object Server, Partner, Partition, LastReplicationSuccess

# List replication failures reported by every DC in the forest
# (Test-ADReplicationConnection / Test-ADReplicationHealth are not cmdlets in the ActiveDirectory module)
Get-ADReplicationFailure -Target "domain.com" -Scope Forest

# Show replication work still queued on a DC (a growing queue means the link is not keeping up)
Get-ADReplicationQueueOperation -Server "dc1.domain.com"

Before decommissioning, ensure proper topology with:

repadmin /kcc dc1
repadmin /kcc dc2
repadmin /showrepl dc1 /v
repadmin /showrepl dc2 /v

Then run an end-to-end replication test:

  1. Create a test OU: New-ADOrganizationalUnit -Name "ReplTestOU"
  2. Modify an existing object (e.g., add a description)
  3. Force replication: repadmin /replicate dc2 dc1 "DC=domain,DC=com"
  4. Verify the changes appear on both DCs
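The decision the whole procedure leads up to is whether any remaining DC would lose its only working inbound source once the retiring DC is gone. The following PowerShell is an added example, not code from the original post: it classifies every inbound link in the output of repadmin /showrepl * /csv per (destination DC, naming context) and flags partitions that only the retiring DC still feeds. DC1, DC2, DC3, the site names and domain.com are assumptions, and the sample CSV is constructed to mirror the situation in the question (DC1 and DC2 each get the domain partition only from DC3).

```powershell
# Added example: audit inbound replication coverage from "repadmin /showrepl * /csv"
# before demoting a DC. Names (DC1/DC2/DC3, SiteA..C, domain.com) are assumptions.

function Get-ReplicationCoverage {
    param(
        # Lines of "repadmin /showrepl * /csv" output (live, or captured to a file earlier)
        [Parameter(Mandatory)][string[]]$CsvLines,
        # Name of the DC that is about to be demoted
        [Parameter(Mandatory)][string]$RetiringDC
    )
    # The retiring DC's own inbound links do not matter once it is gone
    $links = $CsvLines | ConvertFrom-Csv |
        Where-Object { $_.'Destination DSA' -ne $RetiringDC }

    # One result per (destination DC, naming context); the group is that DC's inbound sources for the NC
    $links | Group-Object 'Destination DSA', 'Naming Context' | ForEach-Object {
        $group   = $_.Group
        $healthy = @($group   | Where-Object { [int]$_.'Number of Failures' -eq 0 })
        $others  = @($healthy | Where-Object { $_.'Source DSA' -ne $RetiringDC })
        if ($others.Count -gt 0)      { $state = 'OK' }      # a surviving source is healthy
        elseif ($healthy.Count -gt 0) { $state = 'AtRisk' }  # only the retiring DC feeds this NC
        else                          { $state = 'Broken' }  # no healthy inbound link at all
        [PSCustomObject]@{
            DestinationDC  = $group[0].'Destination DSA'
            NamingContext  = $group[0].'Naming Context'
            HealthySources = ($healthy | ForEach-Object { $_.'Source DSA' }) -join ','
            State          = $state
        }
    }
}

# Constructed sample in the shape of "repadmin /showrepl * /csv" (not real output).
# DC3 is being retired; DC1's link from DC2 for the domain NC is failing (status 1722),
# and DC2 has no source for the domain NC other than DC3.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,DC1,"DC=domain,DC=com",SiteB,DC3,RPC,0,0,2024-01-10 09:00:00,0
showrepl_INFO,SiteA,DC1,"DC=domain,DC=com",SiteC,DC2,RPC,4,2024-01-10 08:55:00,2024-01-08 10:00:00,1722
showrepl_INFO,SiteA,DC1,"CN=Configuration,DC=domain,DC=com",SiteC,DC2,RPC,0,0,2024-01-10 09:00:00,0
showrepl_INFO,SiteC,DC2,"DC=domain,DC=com",SiteB,DC3,RPC,0,0,2024-01-10 09:00:00,0
showrepl_INFO,SiteC,DC2,"CN=Configuration,DC=domain,DC=com",SiteA,DC1,RPC,0,0,2024-01-10 09:00:00,0
showrepl_INFO,SiteB,DC3,"DC=domain,DC=com",SiteA,DC1,RPC,0,0,2024-01-10 09:00:00,0
'@

$rows = Get-ReplicationCoverage -CsvLines ($sampleCsv -split "`r?`n") -RetiringDC 'DC3'
$rows | Sort-Object State, DestinationDC | Format-Table -AutoSize

# Against a live forest, feed repadmin's output straight in:
# Get-ReplicationCoverage -CsvLines (repadmin /showrepl * /csv) -RetiringDC 'DC3' |
#     Where-Object State -ne 'OK'
```

In the sample, both DC1 and DC2 come out AtRisk for DC=domain,DC=com (DC1's other source, DC2, has failures; DC2 has no other source at all) while the Configuration partition is OK on both, which is exactly the "showrepl only shows the DC I want to remove" symptom made explicit per partition. Anything not OK should be fixed, and repadmin /kcc rerun, before the demotion; a partition left Broken after the retiring DC is gone means that DC stops receiving password changes, group membership changes and account lockouts for it.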

Ensure these ports are open between DCs:

  • TCP/UDP 53 (DNS)
  • TCP/UDP 88 (Kerberos)
  • TCP/UDP 389 (LDAP)
  • TCP 636 (LDAPS)
  • TCP/UDP 445 (SMB)
  • TCP 3268/3269 (GC)

Run this comprehensive check:

dcdiag /test:replications /v /e
dcdiag /test:kccevent /v /e
dcdiag /test:knowsofroleholders /v /e

When planning to decommission a domain controller (DC) in a multi-DC environment, verifying replication health between the remaining DCs is critical. The scenario you described - where repadmin /showrepl only shows replication with the DC you want to remove - indicates a potential replication topology issue.

Use these repadmin commands (they run from a PowerShell or cmd prompt on a DC) to check replication status between specific DCs:

# Check replication summary for all DCs
repadmin /replsummary

# Force replication and verify between specific DCs
repadmin /syncall /A /e /q

# Show replication partners for a specific DC
repadmin /showrepl DC2 | findstr "DC1"

For deeper analysis, use these techniques:

# Check connection objects
Get-ADReplicationConnection -Filter * | 
  Where-Object {($_.ReplicateFromDirectoryServer -like "*DC1*") -and 
                ($_.ReplicateToDirectoryServer -like "*DC2*")}

# Verify replication metadata
repadmin /showobjmeta DC1 "CN=Configuration,DC=domain,DC=com"

# Check DNS SRV records crucial for replication
nslookup -type=SRV _ldap._tcp.dc._msdcs.domain.com

Even if ping works, replication requires specific ports:

# Test required ports (sample PowerShell function)
# TCP probes only: 123 (NTP) is UDP, so it always shows "closed" here. 135 is the RPC
# endpoint mapper; the dynamic RPC ports it hands out (49152-65535 by default) are what
# replication actually uses, so a clean result here does not by itself prove RPC is open.
function Test-ADReplicationPorts {
    param($DC)
    $ports = 389,636,3268,3269,88,445,464,135,139,53,42,123,5722,9389
    foreach ($port in $ports) {
        try {
            $socket = New-Object System.Net.Sockets.TcpClient($DC, $port)
            "$port open" | Write-Output
            $socket.Close()
        } catch {
            # inside catch, $_ is the error record, so the port number is kept in $port
            "$port closed or filtered" | Write-Output
        }
    }
}

To actively test replication between the two DCs:

# Force replication of a specific partition
repadmin /replicate DC2 DC1 "DC=domain,DC=com"

# Create a test object and track its replication
$testOU = New-ADOrganizationalUnit -Name "ReplicationTest_$(Get-Date -Format yyyyMMddHHmmss)" -Path "DC=domain,DC=com" -PassThru
repadmin /showobjmeta DC1 $testOU.DistinguishedName
repadmin /showobjmeta DC2 $testOU.DistinguishedName

If replication isn't working between the two DCs:

  1. Check firewall rules between the DCs (Kerberos, LDAP, RPC ports)
  2. Verify DNS resolution in both directions
  3. Check if the sites and services configuration is correct
  4. Ensure the DCs are in the same AD site if they should replicate directly
  5. Verify time synchronization between DCs
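Steps 2 to 5 of that list can be checked for one pair of DCs in a single pass. The script below is an added example and not part of the original post: it resolves each DC forward and reverse, confirms the partner is registered in the site-specific and domain-wide _ldap._tcp SRV records, compares site membership, and measures clock offset with w32tm. It queries the live environment (ActiveDirectory and DnsClient modules, w32tm.exe), and dc1.domain.com / dc2.domain.com are assumed names. Step 1 (firewall) is covered by the port-test function earlier in this answer.

```powershell
# Added example: readiness check for one DC pair (DNS both ways, SRV records,
# site membership, clock offset). Host and domain names are assumptions.
Import-Module ActiveDirectory

function Test-DcPairReadiness {
    param(
        [Parameter(Mandatory)][string]$SourceDC,  # FQDN of the DC that must replicate from $TargetDC
        [Parameter(Mandatory)][string]$TargetDC   # FQDN of its intended partner
    )
    $results = New-Object 'System.Collections.Generic.List[object]'
    function Add-Result($Check, $Passed, $Detail) {
        $results.Add([PSCustomObject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
    }

    # 2. Forward lookup, then the reverse lookup of that address must name the same host
    foreach ($dc in @($SourceDC, $TargetDC)) {
        try {
            $a  = Resolve-DnsName -Name $dc -Type A -ErrorAction Stop | Where-Object Type -eq 'A'
            $ip = ($a | Select-Object -First 1).IPAddress
            if (-not $ip) { throw "no A record for $dc" }
            Add-Result "Forward DNS $dc" $true $ip
            $ptr   = Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop
            $hosts = @($ptr | ForEach-Object { $_.NameHost.TrimEnd('.') })
            Add-Result "Reverse DNS $ip" ($hosts -contains $dc) ($hosts -join ',')
        } catch {
            Add-Result "DNS $dc" $false $_.Exception.Message
        }
    }

    # 3/4. Site membership: same site means direct intra-site replication; different
    # sites are fine only if a site link joins them (Passed = same site)
    $src = Get-ADDomainController -Identity $SourceDC
    $dst = Get-ADDomainController -Identity $TargetDC
    Add-Result 'Same AD site' ($src.Site -eq $dst.Site) "$($src.Site) / $($dst.Site)"

    # SRV records by which the KCC and clients locate $TargetDC, site-specific and domain-wide
    $srvNames = @(
        "_ldap._tcp.$($dst.Site)._sites.dc._msdcs.$($dst.Domain)",
        "_ldap._tcp.dc._msdcs.$($dst.Domain)"
    )
    foreach ($name in $srvNames) {
        $targets = @(Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
                     Where-Object Type -eq 'SRV' | ForEach-Object { $_.NameTarget.TrimEnd('.') })
        Add-Result "SRV $name lists $TargetDC" ($targets -contains $TargetDC) ($targets -join ',')
    }

    # 5. Clock offset of each DC relative to this machine; Kerberos allows 5 minutes by default
    foreach ($dc in @($SourceDC, $TargetDC)) {
        $lines   = & w32tm /stripchart /computer:$dc /samples:3 /dataonly 2>&1 | ForEach-Object { "$_" }
        $offsets = @($lines | ForEach-Object { if ($_ -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } })
        $worst   = $offsets | ForEach-Object { [math]::Abs($_) } | Sort-Object -Descending | Select-Object -First 1
        Add-Result "Clock offset $dc" (($offsets.Count -gt 0) -and ($worst -lt 300)) "$worst s (max of $($offsets.Count) samples)"
    }

    $results
}

Test-DcPairReadiness -SourceDC 'dc1.domain.com' -TargetDC 'dc2.domain.com' | Format-Table -AutoSize
```

Run it from a machine that can reach both DCs (ideally the source DC itself, so the clock offset is measured from the replication partner's point of view). A failed reverse lookup or a missing SRV entry points at DNS registration rather than at replication itself; a different-site result is not a fault on its own, but then Get-ADReplicationSiteLink should show a link connecting the two sites.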

Here's a PowerShell script to monitor replication health:

$DCs = "DC1","DC2"
$report = foreach ($DC in $DCs) {
    # /csv yields one row per inbound link. (/errorsonly still prints the DSA header lines,
    # so comparing its raw output against $null would report "Error" even on a healthy DC.)
    $links  = repadmin /showrepl $DC /csv | ConvertFrom-Csv
    $failed = @($links | Where-Object { [int]$_.'Number of Failures' -gt 0 })
    if ($LASTEXITCODE -ne 0 -or -not $links) {
        [PSCustomObject]@{
            DC      = $DC
            Status  = "Unreachable"
            Details = "repadmin returned no link data (exit code $LASTEXITCODE)"
        }
    } elseif ($failed.Count -gt 0) {
        $detail = ($failed | ForEach-Object { "$($_.'Source DSA') $($_.'Naming Context'): status $($_.'Last Failure Status')" }) -join "; "
        [PSCustomObject]@{
            DC      = $DC
            Status  = "Error"
            Details = $detail
        }
    } else {
        [PSCustomObject]@{
            DC      = $DC
            Status  = "Healthy"
            Details = "No replication errors"
        }
    }
}
$report | Export-Csv -Path "C:\ADReplicationReport_$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation