Active Directory replication troubleshooting

blog.payperitem.com, April 3, 2025
🔍 Step 1: Identify the Replication Issue
  1. Check replication status. Run the following on any DC to list every inbound replication link with its last result:
     repadmin /showrepl
     Look for non-zero failure counts and the error codes in the output; the common ones are 1722 (RPC server is unavailable), 8453 (replication access was denied), 8606 (insufficient attributes, i.e. lingering objects) and 8614 (time since last replication exceeds the tombstone lifetime).
  2. Force replication and check for errors:
     repadmin /syncall /AdeP
     • /A – all partitions (naming contexts) held by the DC
     • /d – identify servers by distinguished name instead of GUID in the messages
     • /e – enterprise-wide, i.e. across site links, not just the local site
     • /P – push changes outward from this DC instead of pulling them in
  3. Check the AD event logs. Open Event Viewer (eventvwr.msc) and review:
     • Directory Service log: Event IDs 1865 and 1311 (the KCC cannot build a complete replication topology), 2042 (a partner has not replicated for longer than the tombstone lifetime) and 1988 (a lingering object was detected on a partner)
     • DNS Server log, if name resolution is suspect
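The same three checks, collected across all domain controllers in one pass, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module is installed and the session runs as a domain admin; the repadmin CSV column names are the ones repadmin /showrepl /csv emits.

```powershell
# Added example (not from the original post): forest-wide replication health in one pass.
# Assumes the ActiveDirectory RSAT module and a domain admin session.
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

# Every inbound link of every DC: last success, last result code, consecutive failures
$links = Get-ADReplicationPartnerMetadata -Target $dcs -Scope Server -Partition * -ErrorAction SilentlyContinue
$links |
    Select-Object Server, Partner, Partition, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Sort-Object ConsecutiveReplicationFailures -Descending |
    Format-Table -AutoSize

# Links the DC itself has flagged as failing, with the Win32 error that last occurred
Get-ADReplicationFailure -Target $dcs -Scope Server -ErrorAction SilentlyContinue |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# repadmin /showrepl can emit CSV, which is easier to filter than the text report;
# "Last Failure Status" carries the same error codes (1722, 8453, 8606, 8614, ...) as the text output.
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv
$repl | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
    Format-Table -AutoSize

# Links that last succeeded more than a day ago are a problem even when no error is recorded yet
$links | Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddDays(-1) } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess |
    Format-Table -AutoSize
```

Run it from a DC or an admin workstation with RSAT; the CSV filter is the quickest way to find which link is failing when a large forest makes the text output of repadmin /showrepl hard to read.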

⚠️ Step 2: Common Causes and Fixes

1️⃣ Network Connectivity Issues

  • Verify DCs can reach each other on the RPC endpoint mapper:
    Test-NetConnection <DC-IP> -Port 135
    A successful test on 135 only proves the endpoint mapper answers; replication then moves to a dynamically assigned RPC port, so check the firewall rule for the dynamic range as well.
  • Use ping, tracert, or pathping to check for latency and packet loss between sites.
  • Ensure firewalls between DCs allow:
    • RPC endpoint mapper (TCP 135) and the RPC dynamic range (TCP 49152-65535 by default on Server 2008 and later)
    • LDAP (TCP/UDP 389), LDAPS (TCP 636) and Global Catalog (TCP 3268/3269)
    • Kerberos (TCP/UDP 88)
    • SMB (TCP 445), used for SYSVOL
    • DNS (TCP/UDP 53)

2️⃣ DNS Misconfiguration

  • Validate DNS from the DC's own point of view (forwarders, delegations, dynamic update and SRV record registration):
    dcdiag /test:dns /v
  • All DCs should point their DNS client at internal DNS servers (another DC first, itself second), never at an external resolver such as Google DNS 8.8.8.8: an external resolver cannot answer the _msdcs SRV queries that replication and Kerberos depend on.
  • Check the domain and _msdcs zones for stale or missing SRV and CNAME (DSA GUID) records with nslookup or dnscmd. Netlogon re-registers a DC's records when it is restarted or when you run nltest /dsregdns on that DC.

3️⃣ Time Sync Issues

  • Replication authenticates with Kerberos, and Kerberos rejects tickets when clocks differ by more than the allowed skew (5 minutes by default), so check every DC:
    w32tm /query /status
    w32tm /monitor
    The second command lists every DC in the domain with its offset from the local clock.
  • Ensure all DCs sync with a valid source. Non-PDC DCs and members follow the domain hierarchy; the PDC Emulator of the forest root domain should sync with a reliable external NTP source. If w32tm /query /source on the PDC reports "Local CMOS Clock" or "Free-running System Clock", it is not synchronised with anything.
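Causes 1 to 3 can be checked against every DC at once before touching replication itself. The following is an added example, not code from the original post; it assumes the ActiveDirectory and DnsClient RSAT modules, PowerShell remoting to the DCs, and a domain admin session. Port numbers are the ones listed above plus LDAPS and Global Catalog.

```powershell
# Added example (not from the original post): pre-flight checks for causes 1-3 against every DC in the domain.
# Assumes the ActiveDirectory and DnsClient RSAT modules, PowerShell remoting to the DCs, and a domain admin session.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter * | Sort-Object HostName
$dcIps  = $dcs.IPv4Address

# --- 1. Network: fixed ports every DC must accept from its partners.
# Replication also uses a dynamically assigned RPC port (TCP 49152-65535 by default) that a single
# probe cannot verify; confirm the firewall rule for that range separately.
$ports  = 135, 389, 636, 3268, 88, 445, 53
$closed = foreach ($dc in $dcs) {
    foreach ($port in $ports) {
        $open = Test-NetConnection -ComputerName $dc.HostName -Port $port -InformationLevel Quiet -WarningAction SilentlyContinue
        if (-not $open) { [pscustomobject]@{ DC = $dc.HostName; Port = $port } }
    }
}
"Closed ports between this host and the DCs:"; $closed | Format-Table -AutoSize

# --- 2. DNS: each DC must have its LDAP SRV record in _msdcs, and each DC's own DNS client must
# point at internal DNS servers (never an external resolver such as 8.8.8.8).
$srv          = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV
$registered   = $srv | Where-Object NameTarget | ForEach-Object { $_.NameTarget.TrimEnd('.') }
$unregistered = $dcs | Where-Object { $registered -notcontains $_.HostName }
"DCs with no _ldap._tcp.dc._msdcs SRV record:"; $unregistered | Select-Object HostName

$dnsClients = Invoke-Command -ComputerName $dcs.HostName -ScriptBlock {
    Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses }
}
$external = $dnsClients | Where-Object {
    $_.ServerAddresses | Where-Object { $_ -ne '127.0.0.1' -and $dcIps -notcontains $_ }
}
"DCs whose DNS client points outside the domain:"
$external | Select-Object PSComputerName, InterfaceAlias, ServerAddresses | Format-Table -AutoSize

# --- 3. Time: the PDC Emulator heads the hierarchy; "Local CMOS Clock" as its source means it is free-running.
# w32tm /monitor then shows every DC's offset from the local clock; Kerberos tolerates 5 minutes by default.
$pdc = (Get-ADDomain).PDCEmulator
w32tm /query /source "/computer:$pdc"
w32tm /monitor "/computers:$($dcs.HostName -join ',')" /nowarn
```

Remote reads of the DNS client configuration need WinRM enabled on the DCs (it is by default on Server 2012 and later); the port loop and the SRV lookup work from any domain-joined host.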

4️⃣ USN Rollback, Lingering Objects and DCs Past the Tombstone Lifetime

  • These are three different conditions, and repadmin reports them differently:
    • USN rollback: a DC was rolled back to an earlier state by an unsupported method (a VM snapshot, a disk image, a restore that does not reset the invocation ID). The DC logs Directory Service event 2095, sets the "DSA Not Writable" value under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, and stops replicating. The fix is to demote and re-promote it (or restore it with a supported method), not to force replication.
    • Lingering objects: a DC that was offline longer than the tombstone lifetime comes back holding objects the rest of the forest has already deleted and garbage-collected. Event 1988 on a partner and error 8606 in repadmin are the symptoms.
    • Past tombstone lifetime: a DC that has not replicated with a partner within the tombstone lifetime is refused by that partner with error 8614 and event 2042.
  • Check for lingering objects in advisory mode first; it only logs what would be removed (event 1942 gives the count, 1946 one event per object):
    repadmin /removelingeringobjects <DC_to_clean> <reference_DC_DSA_GUID> <NamingContext> /advisory_mode
    The first argument is the DC that holds the lingering objects; the GUID is the DSA object GUID (shown by repadmin /showrepl) of a known-good DC that hosts the same partition. Rerun without /advisory_mode to delete them.
  • The tombstone lifetime defaults to 60 days in forests created before Windows Server 2003 SP1 and 180 days in forests created since; the value lives in the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition, and an unset attribute means 60. A DC that exceeded it should be forcibly demoted and re-promoted rather than reconnected.
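The distinction matters because the remedies are different, so the following added example (not code from the original post) classifies each DC before anything is removed. It assumes the ActiveDirectory RSAT module, PowerShell remoting and remote event log access to the DCs, and a domain admin session; $referenceDc is an assumed name for the DC whose object set you trust.

```powershell
# Added example (not from the original post): tell USN rollback, expired tombstone lifetime and
# lingering objects apart, and run the lingering-object check in advisory mode only.
# Assumes the ActiveDirectory RSAT module, PowerShell remoting and remote event log access to the DCs.
Import-Module ActiveDirectory
$referenceDc = 'DC01'   # assumption: a DC known to hold the correct object set for every partition

$rootDse   = Get-ADRootDSE
$dsService = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$tsl = (Get-ADObject -Identity $dsService -Properties tombstoneLifetime).tombstoneLifetime
if (-not $tsl) { $tsl = 60 }   # attribute absent = forest created before 2003 SP1 = 60 days
"Tombstone lifetime: $tsl days"

$dcs = Get-ADDomainController -Filter *
foreach ($dc in $dcs) {
    # USN rollback: NTDS writes "DSA Not Writable" = 4 and logs Directory Service event 2095
    $flag = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue).'DSA Not Writable'
    }
    $ev2095 = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($flag -eq 4 -or $ev2095) {
        Write-Warning "$($dc.HostName): USN rollback (DSA Not Writable=$flag). Demote and re-promote; do not force replication."
    }

    # Past tombstone lifetime: an inbound link with no success inside the TSL is refused with 8614
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction SilentlyContinue |
        Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddDays(-$tsl) } |
        ForEach-Object { Write-Warning "$($dc.HostName) from $($_.Partner) [$($_.Partition)]: no success since $($_.LastReplicationSuccess)" }
}

# Lingering objects, advisory mode: nothing is deleted, the target DC logs 1942 (summary) and 1946 (per object).
# First argument = DC to clean, second = NTDS Settings objectGUID of the reference DC, third = partition.
$ref     = Get-ADDomainController -Identity $referenceDc
$refGuid = (Get-ADObject -Identity $ref.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
$partitions = $rootDse.defaultNamingContext, $rootDse.configurationNamingContext
foreach ($dc in $dcs | Where-Object { $_.HostName -ne $ref.HostName }) {
    foreach ($nc in $partitions) {
        repadmin /removelingeringobjects $dc.HostName $refGuid $nc /advisory_mode
    }
    Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{ LogName = 'Directory Service'; Id = 1942 } -MaxEvents 2 -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeCreated, Message | Format-List
}
# Only when the 1942 events list objects: rerun the same repadmin command without /advisory_mode.
```

The advisory run is cheap and safe; the destructive run should be done per partition and per DC, checking the 1942 summary each time, because removing objects from the wrong side (the reference DC) cannot be undone without a restore.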

5️⃣ Global Catalog (GC) & FSMO Role Issues

  • Check which DCs are Global Catalogs (every site should have at least one):
    Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
    Get-ADDomainController -Filter * | Select-Object HostName, Site, IsGlobalCatalog
  • Check the FSMO role holders:
    netdom query fsmo
    • If a role holder is permanently offline, seize the role with ntdsutil (roles, connections, connect to server <DC>, quit, seize <role>) or with Move-ADDirectoryServerOperationMasterRole -Force. Seize only when the old holder will never return: if it comes back online holding the same role, the RID master in particular will hand out overlapping RID pools, and the old machine must be rebuilt rather than reconnected.
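An inventory of GC servers and FSMO holders that also checks whether each holder still answers LDAP, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module; $newHolder is an assumed name used only in the seize command it prints.

```powershell
# Added example (not from the original post): GC and FSMO inventory with a reachability check per role holder.
# Assumes the ActiveDirectory RSAT module and a domain admin session.
Import-Module ActiveDirectory

# Global Catalog status per DC; a site without a GC forces cross-site lookups for logons and UPN resolution
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly, OperationMasterRoles |
    Format-Table -AutoSize

# FSMO holders: two forest-wide roles, three per domain
$forest = Get-ADForest
$domain = Get-ADDomain
$roles  = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$status = foreach ($role in $roles.Keys) {
    $holder = $roles[$role]
    # Probe LDAP rather than ping: a holder that answers ping but not LDAP is just as unusable
    $ldapUp = Test-NetConnection -ComputerName $holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]@{ Role = $role; Holder = $holder; LdapReachable = $ldapUp }
}
$status | Format-Table -AutoSize

# Seizing is irreversible for the old holder, so this only prints the command for roles whose holder is down.
# Move-ADDirectoryServerOperationMasterRole -Force is the PowerShell equivalent of ntdsutil's "seize".
$newHolder = 'DC02'   # assumption: the healthy DC that should take over
foreach ($r in ($status | Where-Object { -not $_.LdapReachable })) {
    "Role $($r.Role) on $($r.Holder) is unreachable. To seize it onto $newHolder run:"
    "  Move-ADDirectoryServerOperationMasterRole -Identity $newHolder -OperationMasterRole $($r.Role) -Force"
}
```

Note that the Infrastructure Master should not sit on a GC unless every DC in the domain is a GC; the first table shows both facts side by side so that misplacement is visible before you move a role.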

🔄 Step 3: Force Replication & Reset Services

  1. Restart Active Directory Domain Services. On Server 2008 and later AD DS is a restartable service, so from an elevated command prompt:
     net stop ntds /y && net start ntds
     Stopping NTDS also stops the services that depend on it (Kerberos Key Distribution Center, DNS Server, DFS Replication, Intersite Messaging), and net start ntds does not bring them back, so start them again afterwards (net start kdc, net start dns, net start dfsr, net start ismserv). When the only symptom is missing DNS records, restarting Netlogon alone is enough, because it re-registers the DC's records on start:
     net stop netlogon && net start netlogon
     The && operator works in cmd.exe and PowerShell 7; in Windows PowerShell 5.1 use ; instead.
  2. Manually trigger replication of one partition from a specific source to a specific destination:
     repadmin /replicate <DestinationDC> <SourceDC> DC=Domain,DC=com
     Add /force to ignore the replication schedule. To sync every partition with every partner at once, use repadmin /syncall <DC> /AdeP.
  3. Rebuild SYSVOL and NETLOGON when policies or scripts are missing on one DC. Do not delete the Policies folder and restart DFSR: DFSR detects files removed while it was stopped as deletions and replicates them to every other DC, which removes Group Policy for the whole domain. Use the supported DFSR non-authoritative restore instead:
     • In ADSI Edit, under the affected DC's computer object, open CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings and set msDFSR-Enabled to FALSE.
     • Force AD replication (repadmin /syncall /AdeP), run dfsrdiag pollad on the affected DC, and wait for event 4114 in its DFS Replication log.
     • Set msDFSR-Enabled back to TRUE, replicate again, run dfsrdiag pollad again, and wait for events 4614 (initial sync started) and 4604 (SYSVOL initialised and shared). DFSR moves the old local content to DfsrPrivate\PreExisting rather than deleting it.
     If every DC has a bad SYSVOL, do an authoritative restore instead (msDFSR-Options = 1 on the one DC with good content, non-authoritative on all others). Domains still using FRS use the BurFlags D2/D4 registry procedure for the same purpose.
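The non-authoritative SYSVOL restore scripted end to end for a single DC, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module, PowerShell remoting and remote event log access to the DC, and at least one other DC with a good SYSVOL; $dcName is an assumed name.

```powershell
# Added example (not from the original post): DFSR non-authoritative SYSVOL restore ("D2") for one DC.
# Assumes the ActiveDirectory RSAT module, PowerShell remoting and remote event log access to the DC,
# and that another DC holds a good copy of SYSVOL. $dcName is an assumption.
Import-Module ActiveDirectory
$dcName = 'DC02'
$dc = Get-ADDomainController -Identity $dcName
$subscription = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"

function Wait-DfsrEvent {
    # Poll the DC's DFS Replication log until one of the given event IDs appears after $Since
    param([string]$Computer, [int[]]$Id, [datetime]$Since, [int]$TimeoutMinutes = 20)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-WinEvent -ComputerName $Computer -FilterHashtable @{ LogName = 'DFS Replication'; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue
        if ($ev) { return ($ev | Select-Object -First 1) }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFSR event $($Id -join '/') on $Computer"
}

$start = Get-Date

# 1. Take this DC's SYSVOL out of the replication group and push that change to every DC
Set-ADObject -Identity $subscription -Replace @{ 'msDFSR-Enabled' = $false } -Server $dc.HostName
repadmin /syncall /AdeP | Out-Null
Invoke-Command -ComputerName $dc.HostName -ScriptBlock { dfsrdiag pollad } | Out-Null
$null = Wait-DfsrEvent -Computer $dc.HostName -Id 4114 -Since $start   # 4114: replicated folder disabled
"SYSVOL replication disabled on $($dc.HostName)"

# 2. Put it back. DFSR now runs an initial sync from an upstream DC and moves the old local content
#    to DfsrPrivate\PreExisting instead of deleting it, so nothing of the local copy is lost.
Set-ADObject -Identity $subscription -Replace @{ 'msDFSR-Enabled' = $true } -Server $dc.HostName
repadmin /syncall /AdeP | Out-Null
Invoke-Command -ComputerName $dc.HostName -ScriptBlock { dfsrdiag pollad } | Out-Null
$null = Wait-DfsrEvent -Computer $dc.HostName -Id 4614 -Since $start   # 4614: initial sync started
$null = Wait-DfsrEvent -Computer $dc.HostName -Id 4604 -Since $start   # 4604: SYSVOL initialised and shared
"SYSVOL rebuilt on $($dc.HostName)"

# 3. Verify the shares are back; then compare Policies against a known-good DC before trusting it
Get-SmbShare -CimSession $dc.HostName -Name SYSVOL, NETLOGON | Select-Object PSComputerName, Name, Path
```

The msDFSR-Enabled toggle is written with -Server pointing at the affected DC so the change is visible to its local DFSR immediately after dfsrdiag pollad; the repadmin /syncall calls make sure every other DC sees it too, otherwise a partner could still try to pull from the disabled member.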

🛠 Step 4: Escalation & Recovery

  • If a DC is beyond repair, force-demote it. dcpromo /forceremoval exists only up to Server 2008 R2; on Server 2012 and later run, on the DC itself:
    Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole -LocalAdministratorPassword (Read-Host -AsSecureString) -Force
    A forced removal tells the rest of the forest nothing, so clean its metadata from a healthy DC afterwards:
    ntdsutil "metadata cleanup" "remove selected server CN=<DC>,CN=Servers,CN=<Site>,CN=Sites,CN=Configuration,DC=Domain,DC=com" quit quit
    On Server 2008 and later, deleting the DC's computer object in Active Directory Users and Computers or its NTDS Settings object in Active Directory Sites and Services performs the same cleanup. Then remove its DNS records and any connection objects that still name it as a source, and seize any FSMO roles it held.
  • For large-scale failures (several DCs lost, or a schema or configuration change that must be undone), restore from a recent system state backup. Use an authoritative restore (ntdsutil authoritative restore) only for the objects that must win over what the rest of the forest holds.
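The removal and the cleanup that follows it, as an added example that is not part of the original post. It assumes the ADDSDeployment module on the broken DC, the ActiveDirectory and DnsServer RSAT modules on a healthy DC, and a domain admin session; $deadDc, $site and $healthyDc are assumed names.

```powershell
# Added example (not from the original post): forced demotion on Server 2012+, then the cleanup
# ntdsutil does and the leftovers it does not touch (connection objects, FSMO roles, DNS records).
# $deadDc, $site and $healthyDc are assumptions.
$deadDc    = 'DC03'
$site      = 'Default-First-Site-Name'
$healthyDc = 'DC01'

# --- On the broken DC (run there, uncommented). -ForceRemoval skips the cooperative demotion,
# so nothing about its departure is written to the forest; everything below repairs that.
# Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole -Force `
#     -LocalAdministratorPassword (Read-Host 'New local admin password' -AsSecureString)

# --- On a healthy DC: remove the server and NTDS Settings objects from the configuration partition
Import-Module ActiveDirectory
$configDn = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$deadDc,CN=Servers,CN=$site,CN=Sites,$configDn"
ntdsutil "metadata cleanup" "remove selected server $serverDn" quit quit

# Connection objects on the surviving DCs that still name the dead server as their source
Get-ADObject -SearchBase $configDn -LDAPFilter "(&(objectClass=nTDSConnection)(fromServer=CN=NTDS Settings,$serverDn))" |
    Remove-ADObject -Confirm:$false

# Seize any FSMO role the directory still attributes to the dead DC
$domain = Get-ADDomain
$forest = Get-ADForest
$held = @()
if ($domain.PDCEmulator -like "$deadDc.*")          { $held += 'PDCEmulator' }
if ($domain.RIDMaster -like "$deadDc.*")            { $held += 'RIDMaster' }
if ($domain.InfrastructureMaster -like "$deadDc.*") { $held += 'InfrastructureMaster' }
if ($forest.SchemaMaster -like "$deadDc.*")         { $held += 'SchemaMaster' }
if ($forest.DomainNamingMaster -like "$deadDc.*")   { $held += 'DomainNamingMaster' }
if ($held) {
    Move-ADDirectoryServerOperationMasterRole -Identity $healthyDc -OperationMasterRole $held -Force -Confirm:$false
}

# SRV records that point at the dead DC live in both the domain zone and _msdcs; ntdsutil leaves them behind,
# and clients that pick them keep trying a DC that no longer exists
$domainName = $domain.DNSRoot
foreach ($zone in $domainName, "_msdcs.$domainName") {
    Get-DnsServerResourceRecord -ComputerName $healthyDc -ZoneName $zone -RRType Srv -ErrorAction SilentlyContinue |
        Where-Object { $_.RecordData.DomainName -like "$deadDc.*" } |
        Remove-DnsServerResourceRecord -ComputerName $healthyDc -ZoneName $zone -Force
}
```

After the cleanup, run repadmin /showrepl on a surviving DC: the dead server must no longer appear as a partner anywhere, and the KCC will recreate connection objects between the remaining DCs within its next run (15 minutes by default).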

🚀 Final Verification

Run a comprehensive test against every DC in the enterprise:

  dcdiag /c /v /e

Then confirm that repadmin /showrepl (or the shorter repadmin /replsummary) reports zero failures for every partner, that events 1988, 2042 and 2095 have stopped appearing in the Directory Service log, and that a test object created on one DC shows up on the others within the replication interval.
