USNs troubleshooting with REPADMIN

el_malick Member Posts: 7

I'm trying to understand how I can troubleshoot replication, by using the commands below on DC1 (with DC1, and next DC2, as parameters).

repadmin /showutdvec DC1 "DC=CONTOSO,DC=COM"
repadmin /showutdvec DC2 "DC=CONTOSO,DC=COM"

Result: For the two commands above, the USN displayed on the first line is not the same for the two commands, but the USN returned on the second line is always the same.
Question 1: Are the results of the two commands not supposed to be the same if replication is going fine?

repadmin /showrepl /verbose DC1 "DC=CONTOSO,DC=COM"

repadmin /showrepl /verbose DC2 "DC=CONTOSO,DC=COM"

Result: The /verbose option does show two kinds of USNs (OU and PU).
Question 2: How is the result of /showrepl /verbose related to the result of /showutdvec?
Thanks in advance for any helpful practical documentation.


  • gespenstern Member Posts: 1,243
    It's not clear which DC you get in your output on which line. Hard to tell what "first line" or "second line" is.

    If in your output you get DC names and their respective USNs, why would the USN on the first line be different when you run this command on two DCs while the USN on the second line is the same in both cases? Not knowing your infrastructure, I'd suggest the following speculation.

    Actually, in a working environment USNs on DCs change all the time. If you launch the same command on the same DC, the USN for this DC most likely will be different because some changes have happened while the command was running and you retyped it or brought it up from the history and pressed the "enter" button. But since every DC has a full replica of the whole AD (while in the same domain), it also has a replica of all other DC objects in AD along with all their USN numbers. So when you are querying a certain DC, it gives you its own impression of where everybody stands. It could be not exactly up to date, especially for DCs located in a different site, as site-2-site replication is slower than intrasite replication.

    For example, if you query two DCs in the same site they may and most likely will show you the same USN for a remote DC from a different site. But if you at the same point in time do query this remote DC it will show you a slightly higher USN for itself, while slightly lower USNs for your two local DCs. Makes sense?

    So I'd say that on the second line you get a remote (or defunct) DC while on the first line you have local DCs. Also please check the timestamp of the last change (same line of the output of the same command, after the USN) -- if it is seriously older than your inter-site replication schedule and period then you may have a replication issue.
  • el_malick Member Posts: 7
    Hi gespenstern,

    I think you're quickly going deeper than what I'm trying to understand for my 70-640 and 70-646 certifications.

    Let me ask you some basic questions. If I am logged on to DC1 and I run repadmin /showutdvec DC2 "DC=CONTOSO,DC=COM", that command is supposed to tell:

    - The exact last USN that has been generated by DC1.
    - The supposed last USN that has been generated by DC2.

    1) Is what I am saying right?
    2) How do I know the exact last USN generated by a DC when I'm logged on to the DC?
    3) How are the USNs displayed by /showutdvec related to the USNs displayed by /showrepl?
  • gespenstern Member Posts: 1,243
    1) Yes, according to my understanding; let me check the manuals to confirm that.
    2) By running repadmin against the DC in question and reading its USN value, or by reading the highestCommittedUSN attribute of the rootDSE object of a DC using ldp or another tool. It should not matter where you are logged in at the moment, because you always run repadmin against a particular DC and therefore read this DC's impression of the directory state.
    3) Yeah, sorry, forgot to answer this one the first time. The difference is that the first one shows you the up-to-dateness vector USN and the second shows you the high-watermark USN (and just in case, there are tons of different types of USNs; we are talking here about usnChanged for the most part). The difference is simple: the first one is the highest USN that came from a particular DC with the last replicated object/attribute from it; the second one is the highest USN that came from a DIRECT replication partner during the last replication REGARDING objects/attributes in a particular directory partition (i.e. domain, configuration, schema, DNS zones, ADAM/ADLDS). It takes into account replication paths that were built by the KCC or built manually by domain admins, as in a large enough environment, as opposed to a lab, it usually happens that not every DC talks to every other DC, but there are direct and transitive replication partners instead.
  • el_malick Member Posts: 7
    So far, one interesting result about my question number 2).

    I did run the PowerShell cmdlet "Get-ADRootDSE" on my two domain controllers. On each of the DCs, the highestCommittedUSN value is the same. Running "repadmin /showutdvec" on one of the domain controllers, it does display a value equal to highestCommittedUSN. In conclusion, it seems that highestCommittedUSN on rootDSE does keep the exact last USN of only one of the domain controllers.
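An added example, not part of the thread: gespenstern's first reply describes each DC's /showutdvec output as that DC's own impression of where every DC stands, and names the timestamp as the thing to check. The Python sketch below parses /showutdvec output captured from two DCs and compares each DC's entry for its partner with the partner's entry for itself. The sample output, site names, capture time and the 15-minute interval are constructed, and it assumes each DC's output includes a line for itself.

```python
import re
from datetime import datetime, timedelta

# Constructed sample output in the "Site\DC @ USN n @ Time ..." layout of
# repadmin /showutdvec; site names, DC names, USNs and times are made up.
SAMPLE = {
    "DC1": r"""Caching GUIDs.
..
HQ\DC1      @ USN     24622 @ Time 2011-03-01 10:15:32
Branch\DC2  @ USN     16480 @ Time 2011-03-01 09:58:10
""",
    "DC2": r"""Caching GUIDs.
..
HQ\DC1      @ USN     24601 @ Time 2011-03-01 10:01:44
Branch\DC2  @ USN     16512 @ Time 2011-03-01 10:15:40
""",
}
LINE = re.compile(r"^\s*(?:[^\\]+\\)?(?P<dc>\S+)\s+@ USN\s+(?P<usn>\d+)"
                  r"\s+@ Time\s+(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

def parse_utdvec(text):
    """Return {originating DC: (usn, time)} from one DC's /showutdvec output."""
    vec = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:  # header lines such as "Caching GUIDs." do not match
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            vec[m["dc"].upper()] = (int(m["usn"]), ts)
    return vec

def compare_views(outputs, now, max_age):
    """Compare each DC's entry for another DC with that DC's entry for itself."""
    views = {dc.upper(): parse_utdvec(text) for dc, text in outputs.items()}
    rows = []
    for observer, vec in views.items():
        for origin, (usn, ts) in vec.items():
            own = views.get(origin, {}).get(origin)
            if origin == observer or own is None:
                continue  # no self-reported reference value for this origin
            rows.append({"observer": observer, "origin": origin,
                         "usn_lag": own[0] - usn,       # a small lag is normal
                         "stale": now - ts > max_age})  # old timestamp is the warning sign
    return rows

if __name__ == "__main__":
    # Assumed capture time and a 15-minute replication interval.
    for row in compare_views(SAMPLE, datetime(2011, 3, 1, 10, 16), timedelta(minutes=15)):
        print(row)
```

A nonzero `usn_lag` on its own only reflects changes made since the last replication cycle; the `stale` flag is the one to investigate.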