Force replication throughout the Forest

So there are a million posts already on how to force Active Directory replication, I know that. Mine has a little twist though, so keep reading. Forcing AD replication is not something you need to do often. If you find yourself doing it daily, there is probably room for improvement in your replication topology. However, in a test environment it can be very useful to make sure a change gets everywhere quickly, or to refresh replication after the VMs were asleep for a long time.

So how to force replication? You need a tool called repadmin, and it comes with the AD management tools. Any DC or machine with RSAT for AD will have it. This tool is the Swiss army knife or replication and it has a million options. The one we need is:

repadmin /syncall <DC> /A /e

This will force inbound replication on that DC for all partitions it hosts (Domain, GC, schema, DNS, etc), and for all its replication partners even when these are in another site. The trick is to repeat this for all DCs in the forest, and here is one way to do it:

[ System . DirectoryServices . ActiveDirectory . Forest ]:: GetCurrentForest (). Sites | Sort-Object - Property @ { Expression ={$_. Servers . Count }} - Descending | ForEach-Object { $_. Servers } | Foreach-Object { repadmin / syncall $_. name / A / e }

First, we list all sites in the current forest. These sites are then sorted by the number of DCs that they contain. In other words, the sites with the most DCs get replicated first. The effect is that replication is forced from the hub sites outwards, which is generally exactly what you want. Then, for each site we get all DCs, and for each DC we call repadmin.

A number of conditions must be met for this to work. You must have sufficient permissions to trigger replication, you must have RPC and LDAP access to each DC (no firewalls), and you need the AD tools locally installed. There is no dependency on Active Directory Web Services. Also, keep in mind that this triggers AD replication only. Replication of SYSVOL (either FRS or DFSR mode) is completely out of this.

Here is an example of my lab starting up. The quick way to verify AD replication is again using the Swiss army knife (repadmin /replsum) and this is what it looks like just after all VMs came online:

It's a mess. Most VMs were turned off for 18 days, and have currently trouble finding other DCs. This will resolve itself over time, but the whole point of the exercise was exactly to avoid this wait. So, I executed the PowerShell code above (not shown), and 2 minutes later it looks like this:

Much better; everything in sync and ready to go. Put this in your toolbox, and before you go: bonus points if you can explain why my count of Destination DSA is higher than Source DSA.