RepAdmin Advanced Commands

Usage: repadmin <cmd> <args> [/u:{domain\user}] [/pw:{password|*}]
                             [/retry[:<retries>][:<delay>]]
                             [/csv]

Use these commands to see the help:

/?          Displays a list of commands available for use in repadmin and their
            description.
/help       Same as /?
/?:<cmd>    Displays the list of possible arguments <args>, appropriate
            syntaxes and examples for the specified command <cmd>.
/help:<cmd> Same as /?:<cmd>
/experthelp Displays a list of commands for use by advanced users only.
/listhelp   Displays the variations of syntax available for the DSA_NAME,
            DSA_LIST, NCNAME and OBJ_LIST strings.
/oldhelp    Displays a list of deprecated commands that still work but
            are no longer supported by Microsoft.

     



Supported <cmd> commands (use /?<cmd> for detailed help):

     /kcc    Forces the KCC on targeted domain controller(s) to immediately
             recalculate its inbound replication topology.

     /prp    This command allows an admin to view or modify the
             password replication policy for RODCs.

     /queue  Displays inbound replication requests that the DC needs to issue
             to become consistent with its source replication partners.

     /replicate  Triggers the immediate replication of the specified directory
             partition to the destination domain controller from the source DC.

     /replsingleobj Replicates a single object between any two domain
             controllers that have common directory partitions.

     /replsummary The replsummary operation quickly and concisely summarizes
             the replication state and relative health of a forest.

     /rodcpwdrepl Triggers replication of passwords for the specified user(s)
             from the source (Hub DC) to one or more Read Only DC's.

     /showattr Displays the attributes of an object.

     /showobjmeta Displays the replication metadata for a specified object
             stored in Active Directory, such as attribute ID, version
             number, originating and local Update Sequence Number (USN), and
             originating server's GUID and Date and Time stamp.

     /showrepl Displays the replication status when specified domain controller
             last attempted to inbound replicate Active Directory partitions.

     /showutdvec displays the highest committed Update Sequence Number (USN)
             that the targeted DC's copy of Active Directory shows as
             committed for itself and its transitive partners.

     /syncall Synchronizes a specified domain controller with all replication
             partners.



Supported additional parameters:

     /u:    Specifies the domain and user name separated by a backslash
            {domain\user} that has permissions to perform operations in
            Active Directory. UPN logons not supported.

     /pw:   Specifies the password for the user name entered with the /u
            parameter.

     /retry This parameter will cause repadmin to repeat its attempt to bind
            to the target dc should the first attempt fail with one of the
            following error status:

            1722 / 0x6ba : "The RPC Server is unavailable"
            1753 / 0x6d9 : "There are no more endpoints available from the
                            endpoint mapper"

     /csv   Used with /showrepl to output results in comma separated
            value format. See /csvhelp





Note: Most commands take their parameters in the order of "Destination or
      Target DSA_LIST", then a "Source DSA_NAME" if required, and finally the
      NC or Object DN if required.

    <DSA_NAME> (or <DSA_LIST>) is a Directory Service Agent binding
        string. For Active Directory Domain Services, this is simply a network
        label (such as a DNS, NetBios, or IP address) of a Domain Controller.
        For Active Directory Lightweight Directory Services, this must be a
        network label of the AD LDS server followed by a colon and the LDAP
        port of the AD LDS instance
            Examples (AD DS):  dc-01
                               dc-01.microsoft.com
            Examples (AD LDS): ad-am-01:2000
                               ad-am-01.microsoft.com:2000

      <Naming Context> is the Distinguished Name of the root of the NC
            Example: DC=My-Domain,DC=Microsoft,DC=Com

Note: Text (Naming Context names, server names, etc) with International or
      Unicode characters will only display correctly if appropriate fonts and
      language support are loaded.

WARNING:
Some of these commands have the potential to break your Active Directory Domain Services installation,
and should be used only under the expert guidance of Microsoft PSS.

Expert Help

     /add The add command will create a RepsFrom attribute on the destination
          domain controller for the specified naming context and initiate a
          replication request. During a normal replication cycle, the
          destination domain controller will request updates from the source
          domain controller.

     /addrepsto This will create Reps-To attribute on the domain controller for
          the specified naming context. Ordinarily there is no requirement to
          perform this command as the KCC will automatically create the RepsTo
          attributes on destination DSA's from other DSA's Reps-From entries.

     /bind Connects to and displays the replication features for a domain
          controller.

     /bridgeheads Lists the domain controllers acting as bridgehead servers
          for a specified site.

     /checkprop Compares the properties of specified domain controllers to
          determine if they are up to date with each other.

     /delete The delete command will remove a RepsFrom attribute on the
          destination domain controller for the specified naming context.

     /delrepsto Delrepsto deletes the Reps-To attribute on the domain controller
          for the specified naming context.

     /dnslookup Allows the lookup of an IP address.

     /dsaguid Returns a server name when given a GUID.

     /failcache Displays a list of replication failures that (KCC) is aware of.

     /istg Returns the computer name of the Intersite Topology Generator
          (ISTG) server for a specified site.

     /latency Displays the amount of time between replications, using the
          ISTG Keep Alive time stamp.

     /mod  The mod command will modify the RepsFrom attribute on the
          destination domain controller for the specified naming context and
          initiate a replication request. During a normal replication cycle,
          the destination domain controller will request updates from the
          source domain controller.

     /notifyopt used to view / change the notification timing settings of a
          specified directory partition.

     /options Modifies the ntdssettings object of the domain controller targeted
          by the "[DC]" parameter.

     /querysites Uses routing information to determine the cost of a route
          from a specified site to another specified site or sites.

     /rebuildgc Rehosts all the GC partitions.

     /regkey    Enables and disables the values for two registry keys located
          under HKLM\system\ccs\services\ntds\parameters :

          "Strict Replication Consistency"

          "Allow Replication With Divergent and Corrupt Partner"

     /rehost Instructs a global catalog to drop its copy of a read-only
          domain partition, then perform a full sync of that partition from a
          domain controller that contains a writable copy of that partition.

     /removelingeringobjects   Removes lingering objects - an object stored
          in Active Directory that has seen, deleted and garbage collected by
          a reference DC but continues to incorrectly exist on direct or
          transitive replication partners DC's that have not inbound
          replicated knowledge of the objects deletion within tombstone
          lifetime number of days.

     /removesources Removes all replication links for a given naming context.

     /replauthmode Modifies or displays the replication authentication mode
          in use by an ADAM configuration set.

     /setattr Sets / modifies the value of an attribute.

     /showbackup  Displays the date, time and domain controller that last backed up each
          writable directory partition in the forest by reading the DSASignature
          attribute on the root of the NC head of each directory partition.

     /showcert Displays the certificates (used with Simple Mail Transfer
          Protocol (SMTP)-based replication) that are loaded on a specified
          domain controller.

     /showchanges Can be used to determine which changes have not yet been
          replicated between two replication partners or track statistics
          for changes which have replicated between them.

     /showconn Displays the connection objects for a specified domain controller.
          The default is local site

     /showctx Displays a list of computers that have opened sessions with a
          specified domain controller.

     /showism displays inter-site messaging routes calculated by the
          Inter-site Messaging Service.

     /showmsg Displays the error message string for a given error number
          or the event text for a given Directory Services Event.

     /showncsig This command displays a list of the removed application
          partition GUIDs.

     /showoutcalls A list of the entries in the DS Bind cache.

     /showproxy Lists cross-domain move proxy objects. When an object is moved
          from one domain to another, a marker remains in the original domain.
          This marker is called a proxy.

     /showscp dumps service connection points on a GC.

     /showsig Displays the retired invocation IDs on a domain controller.
          A domain controller changes its invocation ID when it is restored
          or when it rehosts an application partition.

     /showtime Converts a directory service time value to string format for
          both the local and the Universal Time, Coordinated (UTC) time
          zones.

     /showtrust Lists all Active Directory domains that are trusted by a
          specified Active Directory domain.

     /showvalue Displays the values of the type, last modified time,
          originating domain controller, and distinguished name of a specified
          object.

     /siteoptions used to modify the options attribute of an NTDS Site Settings Object.

     /testhook Internal use only

     /unhost Remove a specific read-only partition from a GC

     /updrepsto This will update the Reps-To attribute on the domain controller
          for the specified naming context. More specifically it updates the
          network address used by the source DSA to contact the destination DSA.

     /viewlist Displays a list of domain controllers.

     /writespn Used to add a new SPN or to delete or modify an existing SPN.

nbrflagoptions:

        SYNC_ON_STARTUP DO_SCHEDULED_SYNCS TWO_WAY_SYNC
        NEVER_SYNCED IGNORE_CHANGE_NOTIFICATIONS DISABLE_SCHEDULED_SYNC
        COMPRESS_CHANGES NO_CHANGE_NOTIFICATIONS

 
