How to Force Active Directory Replication in a Batch Script
In a healthy Active Directory environment, changes made on one Domain Controller (DC) automatically replicate to other DCs based on a schedule managed by the Knowledge Consistency Checker (KCC). However, sometimes you need a change to be replicated immediately. This is critical after urgent updates like a user password reset, a change in group membership for permissions, or the creation of a new user account that needs immediate access.
This guide will teach you how to use the powerful, built-in repadmin.exe command-line utility to force immediate AD replication from a batch script. You will learn the commands to synchronize a single DC, to replicate a specific partition, and to verify the overall health of replication afterward.
CRITICAL WARNING: Forcing replication is a high-privilege operation. You must be a member of the Domain Admins or Enterprise Admins group (or have been delegated the appropriate rights) to run these commands. This script must be run from an elevated, domain-aware command prompt.
The Core Command: repadmin.exe
The Replication Administration Tool (repadmin.exe) is the definitive command-line utility for managing and troubleshooting Active Directory replication. It is installed by default on all Domain Controllers and is available on client machines as part of the Remote Server Administration Tools (RSAT) package.
Method 1: Synchronizing a Single Domain Controller (/syncall)
The /syncall command is the most common and straightforward way to force a DC to update itself. It tells a specific DC to contact all of its replication partners and synchronize all directory partitions it holds.
Syntax: repadmin /syncall <DCNAME> /A /P /e /d
<DCNAME>: The name of the Domain Controller you want to initiate the synchronization from.
This script forces a DC named DC-01 to synchronize with all of its replication partners (with the /P switch, the changes are pushed outward from DC-01).
@ECHO OFF
REM This script must be run as a Domain Admin.
SET "TargetDC=DC-01"
ECHO Forcing synchronization for %TargetDC%...
repadmin /syncall %TargetDC% /A /P /e /d
This command will display the progress of the replication as it happens.
Method 2: Replicating a Specific Partition (/replicate)
This is a more advanced and targeted command. It is used to force replication of a specific directory partition (like the Domain or Schema partition) from a specific source DC to a specific destination DC. This is faster than /syncall if you know exactly what you need to sync.
Syntax: repadmin /replicate <Destination_DC> <Source_DC> <NamingContext>
<NamingContext>: The distinguished name of the partition (e.g., DC=corp,DC=example,DC=com).
@ECHO OFF
SET "DestDC=DC-02"
SET "SourceDC=DC-01"
SET "DomainDN=DC=corp,DC=example,DC=com"
ECHO Replicating the Domain partition from %SourceDC% to %DestDC%...
repadmin /replicate %DestDC% %SourceDC% %DomainDN%
The Essential Final Step: Checking Replication Status (/replsummary)
After forcing replication, you must verify that it completed successfully. The repadmin /replsummary command provides a high-level health report of the replication status for your entire forest.
Command: repadmin /replsummary
This command shows a summary of replication attempts, highlighting any failures. You are looking for a "fails" count and a "% error" value of 0 on every row, both in the Source DSA and the Destination DSA tables.
Replication Summary Start Time: 2023-10-27 15:30:00
Beginning data collection for replication summary, this may take awhile:
......
Source DSA largest delta fails/total %% error
DC-01 15m:20s 0 / 5 0
DC-02 10m:15s 0 / 5 0
Destination DSA largest delta fails/total %% error
DC-01 10m:15s 0 / 5 0
DC-02 15m:20s 0 / 5 0
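To turn that manual check into something a scheduled batch job can act on, here is an added example (not code from the original guide) that saves the /replsummary output to a file, parses each DSA row using the column layout shown above, and exits with code 1 when any row reports failed attempts. The temp file name and the handling of a delta column that contains a space are assumptions.

```batch
@ECHO OFF
SETLOCAL
REM Added example, not from the original guide: fail the job when
REM repadmin /replsummary reports any failed replication attempt.
REM Assumed row layout (as shown above): DSA, largest delta, fails, /, total, percent error
SET "Summary=%TEMP%\replsummary.txt"
SET "BadRows=0"

ECHO Collecting replication summary...
repadmin /replsummary > "%Summary%"
TYPE "%Summary%"

REM DSA rows are the only lines with a lone "/" token. It is normally the 4th
REM token; if the delta column itself contains a space, it shifts to the 5th.
FOR /F "usebackq tokens=1-7" %%A IN ("%Summary%") DO (
    IF "%%D"=="/" CALL :CheckRow "%%A" "%%C" "%%E"
    IF "%%E"=="/" CALL :CheckRow "%%A" "%%D" "%%F"
)

IF %BadRows% GTR 0 (
    ECHO Replication problems detected in %BadRows% summary rows. Investigate before relying on the change.
    ENDLOCAL
    EXIT /B 1
)
ECHO All replication attempts succeeded.
ENDLOCAL
EXIT /B 0

:CheckRow
REM %1 = DSA name, %2 = failed attempts, %3 = total attempts
IF NOT "%~2"=="0" (
    ECHO [FAIL] %~1: %~2 of %~3 replication attempts failed
    SET /A BadRows+=1
)
EXIT /B 0
```

Run it right after the /syncall or /replicate script so the scheduler or monitoring job sees a non-zero exit code whenever the summary is not clean.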
Key repadmin Parameters Explained
- /syncall: Tells a DC to synchronize all partitions with all of its partners.
- /A: All partitions.
- /P: Push the changes outward from the target DC.
- /e: Enterprise. Includes partners across different Active Directory sites.
- /d: Identifies servers by their distinguished names in messages.
- /replicate: Replicates a specific partition between two specific DCs.
- /replsummary: Displays a health summary of replication for the forest.
Common Pitfalls and How to Solve Them
- Permissions: This is the number one reason for failure. You will see an "Access is denied" error.
  - Solution: You must be logged in as a Domain or Enterprise Administrator and running the script from an elevated command prompt.
- Firewall Issues: Active Directory replication relies on specific RPC ports. If a network firewall between your Domain Controllers is blocking these ports, replication will fail.
  - Solution: Ensure that the necessary AD ports are open between your DCs. This often requires working with your network security team.
- Overusing the Command: Forcing replication should be the exception, not the rule. The KCC (Knowledge Consistency Checker) is designed to manage the replication topology automatically. If you find yourself needing to force replication constantly, it's a sign of an underlying problem with your AD health (e.g., network latency, misconfigured sites).
  - Solution: Use these commands for urgent changes, but rely on the automatic process for routine updates.
Practical Example: A Script to Synchronize All DCs in a Domain
This script is a powerful tool. It first gets a list of all Domain Controllers in the domain and then runs repadmin /syncall on each one, effectively triggering a domain-wide synchronization.
@ECHO OFF
SETLOCAL
REM This script must be run as a Domain Admin.
ECHO --- Forcing Domain-Wide Active Directory Synchronization ---
ECHO.
ECHO Getting a list of all Domain Controllers...
ECHO.
FOR /F "delims=" %%D IN ('dsquery server -o rdn') DO (
ECHO --- Syncing DC: %%~D ---
repadmin /syncall %%~D /A /P /e /d
ECHO.
)
ECHO --- Synchronization commands issued for all DCs. ---
ECHO.
ECHO Running replication summary to check status...
repadmin /replsummary
ENDLOCAL
dsquery server -o rdn: This command gets a clean list of all DC names in the domain.
Conclusion
The repadmin.exe command is the essential and authoritative tool for managing Active Directory replication from a script.
For effective replication management:
- Run your script as a Domain or Enterprise Administrator.
- Use repadmin /syncall <DCNAME> to force a specific DC to sync with all its partners.
- Use repadmin /replicate for a more targeted replication of a specific partition.
- Always verify the outcome with repadmin /replsummary.
- Reserve this tool for urgent changes, and let the automatic KCC process handle routine replication.