Imagine that your house has only one door. No windows, no patio doors, just one door. What happens if you can’t open this door? The house and everything in it is useless to you.
A domain controller is, in a sense, like that door, but one with a bouncer. It is the path to what you need. Active Directory (AD) is the bouncer at the door: it validates your credentials, determines whether you are allowed to walk through, and decides which resources you can access once inside.
If you have any kind of network and only one domain controller, you live in a house with one door. If something happens to that domain controller, your entire environment falls apart. Always run more than one domain controller (DC).
But how can you ensure that both domain controllers hold the same information? Let’s say you made a security change on one DC. You want that change replicated to your other domain controllers immediately. Why wait 15 minutes or more for it to happen on schedule? You need to force replication of domain controllers in Active Directory.
There are 3 approaches to this: through the graphical user interface (GUI), through the command line interface (CLI), or through PowerShell.
Force domain controller replication through GUI
Windows servers often use a graphical interface, which is good for novice sysadmins. It’s easier to understand and sometimes helps you visualize what’s really going on.
- Log in to one of your domain controllers and open Active Directory Sites and Services.
- Go to the site whose domain controllers you want to replicate. Expand it by clicking the arrow next to the site name. Expand Servers. Expand the DC you want to replicate from. Click “NTDS Settings”.
- In the right pane, right-click the server and select Replicate Now.
- Depending on the number of domain controllers, this can take anywhere from a second to several minutes. When finished, you will see a notification: “Active Directory Domain Services replicated connections.” Click OK to finish.
Force domain controller replication through the CLI
If you are familiar with the good old Windows CMD, then the repadmin command is for you. This is the fastest one-off way to force DC replication. If you are not familiar with it, now is a good time to learn about Windows CMD.
- Log into one of your domain controllers and open a command prompt.
- Type the following command and press Enter.
repadmin /syncall /AdeP
- A lot of information will scroll up the screen. If the last line says “SyncAll completed without errors.” and the prompt returns below it, your domain controllers have replicated successfully.
Force domain controller replication with PowerShell
If you don’t use PowerShell in your day-to-day work, you are missing out. You really owe it to yourself to learn PowerShell. It will make your life easier, and if you are a junior sysadmin it will go a long way towards taking your career to the next level.
These steps can be done in a regular PowerShell command line interface, but we did it in PowerShell ISE to better display commands and their results. We’re going to create a script that can be saved or even turned into a cmdlet that can be invoked from the PowerShell command line.
- Log in to one of your domain controllers and open PowerShell or PowerShell ISE.
- Before writing any script, save it with a descriptive name such as force-DCReplication.ps1 so that you can reuse it. Enter the following code and run it to see how it gets the names of all your domain controllers.
(Get-ADDomainController -Filter *).Name
See how it returns the domain controller names? Now you can pipe this result to the next cmdlet. The pipe is the vertical bar (|) character, usually found on the keyboard just above the Enter key.
- At the end of the previous command, enter the following code:
| ForEach-Object { repadmin /syncall $_ (Get-ADDomain).DistinguishedName /AdeP }
The command should look like the image below. Run it. It should return a message similar to the one in the “Force replicating a domain controller through the GUI” section above. If it ends with “SyncAll completed without errors.”, it worked.
Notice how it also uses the repadmin command?
- Let’s add another line to help you verify that replication has actually finished. The following code will return the date and time of the last replication of each of your domain controllers. This command can be used alone at other times if you are just wondering when your domain controllers were last replicated. Enter the code and run it.
Get-ADReplicationPartnerMetadata -Target $env:USERDNSDOMAIN -Scope Domain | Select-Object Server, LastReplicationSuccess
The result should resemble the image below, showing the exact date and time of the last successful replication for each server.
- To improve this script a bit, let’s make its output less verbose. At the end of the first line, enter | Out-Null between /AdeP and the closing brace. This tells PowerShell not to output the results of that cmdlet. The end result will look like this.
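The finished force-DCReplication.ps1, assembled from the steps above, as an added example and not the article’s own script: it adds a check on repadmin’s exit code and on the LastReplicationResult property so a DC that failed to sync is reported instead of silently skipped. It assumes the ActiveDirectory module and repadmin are available on the DC where it runs.

```powershell
# force-DCReplication.ps1 (added example, not the original article's script)
# Assumes: ActiveDirectory module (RSAT) is installed and the caller may run
# repadmin against every domain controller in the current domain.
#Requires -Modules ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName
$domainFqdn = $env:USERDNSDOMAIN

# 1. Enumerate all domain controllers, as the article's first line does.
$dcs = (Get-ADDomainController -Filter *).Name
Write-Host "Forcing replication on $($dcs.Count) domain controller(s) in $domainFqdn"

# 2. repadmin /syncall per DC. /A = all partitions, /d = show names not GUIDs,
#    /e = cross-site, /P = push. Output is discarded (Out-Null) but the native
#    exit code is kept so a failing DC is reported rather than ignored.
$failed = @()
foreach ($dc in $dcs) {
    repadmin /syncall $dc $domainDn /AdeP | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "repadmin /syncall on $dc exited with code $LASTEXITCODE"
        $failed += $dc
    }
}

# 3. Verify: pull partner metadata for every DC and flag any partner link whose
#    last attempt did not succeed (LastReplicationResult is 0 on success).
$meta = Get-ADReplicationPartnerMetadata -Target $domainFqdn -Scope Domain

$meta |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult |
    Sort-Object Server |
    Format-Table -AutoSize

$stale = $meta | Where-Object { $_.LastReplicationResult -ne 0 }
if ($failed.Count -eq 0 -and -not $stale) {
    Write-Host "All partner links replicated without errors." -ForegroundColor Green
} else {
    foreach ($link in $stale) {
        Write-Warning ("{0} <- {1}: result {2}, last success {3}" -f
            $link.Server, $link.Partner, $link.LastReplicationResult,
            $link.LastReplicationSuccess)
    }
    exit 1
}
```

Run it from an elevated PowerShell session on a DC; a non-zero exit code means at least one sync or partner link needs attention.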
Keep it replicating
Now you know 3 ways to force replication of domain controllers in AD. You’ve also created a reusable PowerShell script that you can invoke from the PowerShell command line at any time. There is no excuse for your last DC changes to sit and wait for the next scheduled replication, whenever it is.