When a user change does not appear on other domain controllers, the right question is not just “how do I force sync?” but “what exactly needs to replicate, from which DC, and is replication actually healthy?” Active Directory replication depends on DNS resolution, RPC/network connectivity, authentication and authorization, time accuracy, replication topology, and the AD DS database engine. Forcing replication can move data faster, but it does not remove the underlying cause if one of those dependencies is broken.
This runbook is for on-premises AD DS replication between domain controllers. If your problem is only that an object is not reaching Microsoft Entra ID, use Microsoft Entra Connect tools such as Invoke-ADSyncSingleObjectSync or Start-ADSyncSyncCycle instead of repadmin, because that is a different sync path entirely.
What to use, in one line
Use repadmin /replsingleobj or Sync-ADObject when one urgent user object must be pushed now. Use repadmin /replicate when you need to replicate one naming context from one source DC to one destination DC. Use repadmin /syncall when you need to force a broader replication pass from a DC to all of its partners. Validate with repadmin /replsummary, repadmin /showrepl, repadmin /queue, and PowerShell replication cmdlets. (Microsoft Learn)
Before you force replication
Run commands from an elevated prompt on a domain controller or a management host with RSAT. Repadmin requires administrative credentials on the target DCs; by default, Domain Admins in the domain have sufficient permissions. Also, Microsoft’s guidance is that Repadmin is primarily a monitoring and troubleshooting tool, and incorrect use can adversely affect replication operations and topology decisions.
First confirm which DC has the newest copy of the user object. Do not assume it is always the PDC emulator. AD is multi-master; the source should be the DC that actually holds the latest originating metadata for that object. repadmin /showobjmeta is the cleanest way to prove that. (Microsoft Learn)
Use these commands on the suspected source DC and one affected destination DC:
repadmin /showobjmeta DC01 "CN=Jane Doe,OU=Users,DC=contoso,DC=com"
repadmin /showobjmeta DC05 "CN=Jane Doe,OU=Users,DC=contoso,DC=com"
Compare the attribute version, originating server, and timestamp. The DC with the latest originating metadata is the one you want to replicate from. repadmin /showobjmeta is specifically designed to show object replication metadata so you can determine whether replication occurred and which DC originated a given change.
Step 1: Check whether the problem is isolated or systemic
Start with a fast health snapshot before forcing anything:
repadmin /replsummary
repadmin /showrepl *
repadmin /queue *
/replsummary is the forest-wide summary view for inbound and outbound failures. /showrepl shows the last inbound replication attempt per naming context and partner for the targeted DCs. /queue shows pending inbound replication requests; if the queue keeps growing on an online DC, Microsoft notes that common causes include too many partners, high change volume, or insufficient CPU/network bandwidth.
For a PowerShell view that is easier to filter:
Get-ADReplicationPartnerMetadata -Target * -Scope Server |
Where-Object {$_.LastReplicationResult -ne 0} |
Format-Table Server,Partner,LastReplicationAttempt,LastReplicationResult -Auto
Get-ADReplicationFailure -Scope Site -Target "Default-First-Site-Name" |
Format-Table Server,Partner,FirstFailureTime,FailureCount,LastError -Auto
Microsoft’s current Windows Server guidance highlights Get-ADReplicationPartnerMetadata and Get-ADReplicationFailure as structured alternatives to parsing Repadmin text output.
Step 2: Force the smallest useful scope first
For user synchronization problems, the shallow answer is “run repadmin /syncall.” The better operational answer is to start with the smallest scope that fixes the issue. That reduces unnecessary WAN traffic and avoids masking the real fault. Microsoft explicitly documents both object-level and naming-context-level force options, not just whole-domain pushes.
Option A: Force a single user object
If exactly one user is stale and you already know the good source DC, replicate only that object.
repadmin /replsingleobj DC05 DC01 "CN=Jane Doe,OU=Users,DC=contoso,DC=com"
Or with PowerShell:
Sync-ADObject -Object "CN=Jane Doe,OU=Users,DC=contoso,DC=com" -Source DC01 -Destination DC05
repadmin /replsingleobj replicates a single object between DCs that share the naming context, and Microsoft’s current PowerShell guidance describes Sync-ADObject as the analogous object-level replication cmdlet. This is usually the best choice when one restored, renamed, enabled, or corrected user must appear immediately on another DC without forcing unrelated changes.
Option B: Force one naming context from one source to one destination
If the problem affects more than one object in the same partition, replicate the naming context explicitly:
repadmin /replicate DC05 DC01 "DC=contoso,DC=com"
Use this when you want one destination DC to pull a specific partition from one known-good source. Microsoft documents /replicate as an immediate naming-context replication test after suspected faults are removed.
A key nuance: /replicate is not a generic “copy anything from anywhere” command. If the source DC is not an actual replication partner for that naming context, you can hit error 8452. Microsoft’s troubleshooting guidance calls this out directly.
Option C: Force replication throughout the domain or forest
If the issue is broader and you need a push from the DC that has the good data out to all partners, use syncall:
repadmin /syncall DC01 /A /e /P /d
A commonly used switch set here is /A /e /P /d, meaning all naming contexts held on the home server, across sites, push outward, and show distinguished names in the output. repadmin /syncall synchronizes the chosen DC with its replication partners; the broader Repadmin documentation also lists syncall as the command for synchronizing a specified DC with all replication partners.
Do not add quiet switches until you have seen one clean run. For troubleshooting, visible output is useful because syncall will print partner and partition failures inline. Microsoft’s own replication error articles show syncall surfacing errors such as 8418, 1127, and similar replication failures directly in command output.
Step 3: Validate success immediately
After the force operation, validate at three levels: forest summary, partner status, and the user object itself.
Start with summary and partner status:
repadmin /replsummary
repadmin /showrepl DC05
repadmin /queue DC05
You want to see failures clear from /replsummary, recent successful inbound attempts in /showrepl, and a queue that is draining rather than accumulating. /showrepl is the direct view of the last inbound replication attempt by naming context and source partner. /queue is the pending inbound work list.
Then validate the actual user on the destination DC:
repadmin /showobjmeta DC05 "CN=Jane Doe,OU=Users,DC=contoso,DC=com"
If the metadata version, originating server, and timestamp now match the source DC, the user object replication succeeded. That is more reliable than checking only whether a command returned without error.
You can also validate DNS health when replication symptoms point to stale lookups or unreachable partners:
dcdiag /test:dns /e /v
dcdiag /test:dns /s:DC01 /DnsRecordRegistration
Microsoft’s DNS replication troubleshooting guidance recommends dcdiag /test:dns to verify DNS basics, record registration, and dynamic update behavior because broken DC locator records and _msdcs lookups can block replication altogether.
Step 4: If the force fails, branch by the error family
If repadmin still fails, do not keep hammering syncall. Read the failure code and branch.
DNS and name resolution issues. Event ID 2087 indicates the destination DC could not resolve the source DC correctly in DNS. Microsoft’s guidance is to test DNS with DCDiag, verify _msdcs CNAME and host record registration, and re-register records if needed using Netlogon restart and ipconfig /registerdns.
RPC or network path issues. Microsoft lists network connectivity and the ports/protocols used by AD DS replication as a core dependency. If you see RPC server unavailable or endpoint mapper problems, fix connectivity first; force replication will not bypass a broken transport path.
Access denied / permissions issues. Error 8453 can mean the user triggering ad-hoc replication lacks the necessary permission set, even when scheduled replication permissions are intact. Microsoft explicitly includes repadmin /replicate and repadmin /syncall in this category.
Wrong source or missing connection relationship. Error 8452 commonly appears when /replicate is aimed at a source that is not an actual partner for that naming context on the destination. In that case, either target the correct partner or let topology and connection objects be corrected first.
Topology issues. If connection objects are missing or stale, Repadmin includes a kcc command to force the Knowledge Consistency Checker to recalculate inbound topology. Use that to refresh topology logic before retrying manual replication.
Step 5: A practical run order for user sync incidents
For a real incident where a newly created or updated user is missing on some DCs, use this sequence:
- Find the correct source DC with
repadmin /showobjmeta. - Check scope with
repadmin /replsummaryandrepadmin /showrepl *. - If it is one urgent user, use
repadmin /replsingleobjorSync-ADObject. - If multiple objects in one partition are stale, use
repadmin /replicate <dest> <src> "<NC>". - If multiple DCs are behind and the source is known-good, use
repadmin /syncall <source> /A /e /P /d. - Recheck
/replsummary,/showrepl,/queue, and then confirm the user object metadata on a destination DC.
That sequence is safer than jumping straight to a forest-wide push because it proves origin, limits blast radius, and validates the actual object rather than trusting a single success message.
About the Active Directory Replication Status Tool
The Active Directory Replication Status Tool (ADREPLSTATUS) is now mainly historical context. Microsoft states that as of June 2, 2023, it is no longer available for download, and the Learn article is kept for historical purposes. For current operations, use Repadmin, DCDiag, and the AD PowerShell replication cmdlets.
Bottom line
For user synchronization issues, the best default is not “force the whole forest.” The best default is: identify the authoritative source DC, replicate the smallest necessary scope, and then verify success with partner status plus object metadata. Use syncall when the problem is broad, but use replsingleobj or Sync-ADObject when the incident is only one user. That is the fastest path that also preserves diagnostic clarity.
