If you are a system administrator responsible for an Active Directory infrastructure, then you must read this. I will tell you how to check whether your Active Directory infrastructure is fully functional.
You need to know these commands:
1. repadmin /replsummary
2. repadmin /queue
3. repadmin /showrepl
4. repadmin /syncall
5. repadmin /kcc
6. repadmin /replicate
Step 1 – Check the replication health
Use cmd: repadmin /replsummary
The “/replsummary” operation quickly summarizes replication state and relative health of a forest.
Step 2 – Check the inbound replication requests that are queued
Use cmd: repadmin /queue
This command lists elements that are remaining in the replication queue. It displays inbound replication requests that the Domain Controller needs to issue in order to become consistent with its source replication partners.
Step 3 – Check the replication status
Use cmd: repadmin /showrepl
This command displays the replication status from the last time the specified domain controller attempted inbound replication of its Active Directory partitions. It helps in working out the replication topology and locating replication failures.
Step 4 – Synchronize replication between replication partners
Use cmd: repadmin /syncall
It synchronizes the specified domain controller with its replication partners.
Step 5 – Force the KCC to recalculate the topology
Use cmd: repadmin /kcc
This command forces the Knowledge Consistency Checker (KCC) on the targeted domain controllers to immediately recalculate their inbound replication topology. It checks and creates the connections between the domain controllers. By default the KCC runs every 15 minutes to check whether a new connection has been established between domain controllers.
Step 6 – Force replication
Use cmd: repadmin /replicate
This command forces the replication of the specified directory partition to the destination domain controller from the source DC.
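The six steps above, wrapped into a single read-only health report as an added example (not code from the original article): it parses the CSV form of repadmin /showrepl, flags links with failures or no recent success, shows the pending queue on affected DCs, and prints the KCC and syncall commands rather than running them. The 24-hour staleness threshold is an assumption; the script requires repadmin.exe (RSAT or a domain controller) and an account that can query every DC.

```powershell
# Added example, not part of the original article. Assumes repadmin.exe is
# available and the caller can query all DCs. MaxHoursSinceSuccess is an
# assumed default; tune it to your replication schedule.
param([int]$MaxHoursSinceSuccess = 24)

# Steps 1 and 3: "/showrepl * /csv" emits one row per inbound partner and
# naming context for every DC in the forest, with stable column names.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$now  = Get-Date

$problems = foreach ($r in $rows) {
    $failures = 0
    [void][int]::TryParse($r.'Number of Failures', [ref]$failures)

    # repadmin prints "0" when a link has never replicated successfully.
    $lastOk = $null
    try { if ($r.'Last Success Time' -ne '0') { $lastOk = [datetime]$r.'Last Success Time' } } catch {}
    $stale = (-not $lastOk) -or (($now - $lastOk).TotalHours -gt $MaxHoursSinceSuccess)

    if ($failures -gt 0 -or $stale) {
        [pscustomobject]@{
            Destination   = $r.'Destination DSA'
            Source        = $r.'Source DSA'
            NamingContext = $r.'Naming Context'
            Failures      = $failures
            LastSuccess   = $lastOk
            LastError     = $r.'Last Failure Status'
        }
    }
}

if (-not $problems) {
    "All $($rows.Count) inbound replication links healthy (threshold: $MaxHoursSinceSuccess h)."
    return
}

$problems | Sort-Object Failures -Descending | Format-Table -AutoSize | Out-String

# Step 2: show the inbound queue on each destination DC that has a problem.
foreach ($dc in ($problems.Destination | Sort-Object -Unique)) {
    "`n== Replication queue on $dc =="
    repadmin /queue $dc | Where-Object { $_ } | Select-Object -First 1
    # Steps 5 and 6 are printed, not executed: read the failure status first.
    "Next: repadmin /kcc $dc   then   repadmin /syncall $dc"
}
```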
So, if you encounter problems with your Active Directory infrastructure, this article is a good starting point in detecting possible causes. Or you can simply contact us to help you solve your problems.
- Restoring Active Directory from a backup should be your last option for recovery.
- You should have multiple domain controllers. This will allow for a single domain controller to fail and still provide full recovery without a backup.
- DO NOT rely on multiple controllers as your only source of recovery. You should absolutely still be doing a backup of Active Directory. All domain controllers can fail, database corruption can occur, and viruses, ransomware or some other disaster could wipe out all domain controllers. In this situation, you would need to restore it from a backup. Also, backing up Active Directory is FREE, so there is no reason not to do it.
- You should enable the Active Directory Recycle Bin; this gives you the ability to restore deleted objects without the need for a backup.
- Document your Active Directory environment, backup policy, and disaster recovery plans.
- Back up Active Directory at least daily; if you have a large environment with lots of changes, consider twice-daily backups.
- Ensure you have an offsite backup of Active Directory. This will be explained more throughout this guide.
- Back up two domain controllers in each domain; one of them should hold the operations master role.
Full Backup vs. System State Backup
- Backs up all server data, including applications and the operating system;
- Includes the system state;
- Allows for bare metal recovery – this allows restoring to an entirely different piece of hardware, although it is recommended that the hardware receiving the restore have the same hardware configuration;
- If you have lots of data or third-party applications installed on your domain controller (not recommended), your backups will be considerably larger;
- The full backup option is best used for restoring the whole server to the same or different server. A full restore will allow you to easily re-install the operating system and use the backup to recover.
System State Backup
The system state backup includes only the components needed to restore Active Directory. The system state includes the following:
- SYSVOL from the domain controller – SYSVOL includes Group Policy objects, but I still recommend you back up Group Policy from the GPMC;
- Active Directory database and related files;
- DNS zones and records (only for Active Directory integrated DNS);
- System registry;
- COM+ Class Registration database;
- System startup files;
- The system state backup is best used for recovering AD only on the same server. It cannot be used to recover a corrupt server operating system. Microsoft does not support restoring a system state backup from one computer to a second computer of a different make, model, or hardware configuration.