Troubleshooting Active Directory Replication


8/8/2019 Troubleshooting Active Directory Replication

Troubleshooting replication

Updated: April 4, 2008

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

For more detailed replication troubleshooting information than is available here, and for additional information about functionality in the version of Dcdiag.exe that is included in the Windows Support Tools that ship with Windows Server 2003 with Service Pack 1 (SP1), see Troubleshooting Active Directory Replication Problems on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=60980).

What problem are you having?

• Monitoring replication.
• Replication between sites is slow.
• Received Event ID 1311 in the directory service log.
• Received Event ID 1265 with error "DNS Lookup Failure" or "RPC server is unavailable" in the directory service log. Or, received "DNS Lookup Failure" or "Target account name is incorrect" from the repadmin command.
• Received Event ID 1265 "Access denied" in the directory service log. Or, received "Access denied" from the repadmin command.
• Received "Access denied" from Active Directory Sites and Services when manual replication was attempted.
• Unable to connect to a domain controller running Windows 2000 from the Active Directory Sites and Services snap-in.
• Search for new and updated information about replication. Or, your question does not match any of those listed above.

Monitoring replication.

• Cause: You should monitor replication regularly to help you identify and fix problems before they grow.
• Solution: Regular monitoring is the key to good replication maintenance. Repadmin.exe and Dcdiag.exe (both part of the Windows Support Tools) and the directory service event log (accessible through the Event Viewer) are the primary tools for monitoring replication.

  Repadmin is a command-line tool that reports failures on a replication link between two replication partners. The following repadmin example displays the replication partners and any replication link failures for Server1 in the microsoft.com domain:

  repadmin /showrepl server1.microsoft.com


  For a complete list of repadmin options, use the ? option:

  repadmin /?

  Dcdiag is a command-line tool that can check the DNS registration of a domain controller, check to see that the security descriptors (SIDs) on the naming context heads have appropriate permissions for replication, analyze the state of domain controllers in a forest or enterprise, and more. The following dcdiag example checks for any replication errors between domain controllers:

  dcdiag /test:replications

  For a complete list of dcdiag options, use the ? option:

  dcdiag /?

  The directory service log reports replication errors that occur after a replication link has been established. For information about viewing the directory service log, see View an event log.

  Large enterprises may also want to use Microsoft Operations Manager for automated monitoring of large numbers of domain controllers. For more information, see Active Directory Management Pack Technical Reference for Microsoft Operations Manager 2005 on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=38341).

See also: Event Viewer; Install Windows Support Tools; Technical support options
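The repadmin output above is meant to be read by eye. For regular monitoring across many domain controllers it is more useful to turn it into objects and keep only the links that are failing. The following PowerShell is an added example, not part of the Microsoft article: it runs repadmin /showrepl with the /csv switch (assumed to be present in the repadmin.exe on the PATH) and filters on the "Number of Failures" column; the column names and the sample rows are taken from repadmin's CSV layout but the sample data itself is constructed.

```powershell
# Added example (not from the Microsoft article): summarise failing replication
# links by parsing repadmin's CSV output. Assumes repadmin.exe supports /csv and
# that the caller has rights to query every DC named by -Target.

function Get-ReplicationLinkFailures {
    [CmdletBinding()]
    param(
        # Destination DSA to query; '*' asks every DC in the forest.
        [string]$Target = '*',
        # CSV lines captured earlier (offline use); when omitted, repadmin is run.
        [string[]]$CsvLines
    )

    if (-not $CsvLines) {
        # One row per (destination DC, naming context, source DC) link.
        $CsvLines = & repadmin /showrepl $Target /csv
    }

    # repadmin prefixes the header row with showrepl_COLUMNS and data rows with showrepl_INFO;
    # anything else (banners, blank lines) is dropped before CSV parsing.
    $rows = $CsvLines | Where-Object { $_ -match '^showrepl_' } | ConvertFrom-Csv

    foreach ($row in $rows) {
        $failures = 0
        if ([int]::TryParse([string]$row.'Number of Failures', [ref]$failures) -and $failures -gt 0) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                Failures      = $failures
                LastSuccess   = $row.'Last Success Time'
                LastFailure   = $row.'Last Failure Time'
                Status        = $row.'Last Failure Status'
            }
        }
    }
}

# Constructed sample in repadmin's /csv layout (not captured from a real forest).
# DC1 <- DC2 is healthy; DC1 <- DC3 has failed 12 times since its last success.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=corp,DC=example",Default-First-Site-Name,DC2,RPC,0,0,2019-08-08 09:00:00,0
showrepl_INFO,Default-First-Site-Name,DC1,"DC=corp,DC=example",Branch,DC3,RPC,12,2019-08-08 09:05:00,2019-08-01 02:00:00,8524
'@

Get-ReplicationLinkFailures -CsvLines ($sample -split "`r?`n") | Format-Table -AutoSize
```

Run without -CsvLines on a domain controller (or any host with the Support Tools) to query the live forest; an empty result means no link currently reports failures, and a growing Failures count with an old LastSuccess is the signal to investigate the specific partner and partition named in the row.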

Replication between sites is slow.

• Cause: The time required to replicate directory data between domain controllers is known as the replication latency. Replication latency can vary greatly, depending on the number of domain controllers, the number of sites, the available bandwidth between sites, replication frequency, and more.
• Solution:
  • Monitoring replication regularly is a good way to determine the normal replication latency on your network. With this knowledge, you can more easily determine if a problem is occurring. For more information, see the "Monitoring Replication" troubleshooting topic above.
  • Review the directory service log for any recent replication errors. Also, run repadmin /showrepl and review any resulting errors.
  • A good site topology design is important for replication efficiency. For information about site topology design guidelines, see When to establish a single or separate sites and Designing the Site Topology on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=4724).
  • A number of algorithm enhancements have been made to replication in the Windows Server 2003 operating systems to improve replication efficiency and scalability. Some of these enhancements take effect in a forest set to the Windows 2000 functional level, while others require the Windows Server 2003 functional level. You will gain the greatest improvement from these enhancements by upgrading your forest to the Windows Server 2003 functional level. Adlb.exe is a tool that can help improve replication efficiency even further in forests set to the Windows Server 2003 functional level. For more information about Adlb, see the Windows Server 2003 Active Directory Branch Office Planning and Deployment Guide on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=28523). For more information about forest functionality, see Domain and forest functionality.

See also: Replication overview; Replication between sites; Managing replication; Bandwidth; Checklist: Optimizing intersite replication

Received Event ID 1311 in the directory service log.

• Cause: The replication configuration information in Active Directory Sites and Services does not accurately reflect the physical topology of the network.

  Common causes of Event ID 1311 include:

  • One or more domain controllers are offline.
  • Bridgehead servers are online but experiencing errors replicating a required naming context between Active Directory sites.
  • Preferred bridgehead servers defined by administrators are online but do not host the required naming contexts.
  • One or more sites are not contained in site links.
  • Site links contain all sites, but not all site links are interconnected.
  • Preferred bridgeheads defined by the administrator are offline.

• Solution: To resolve an error in the configuration of replication:
  • Make sure all sites belong to at least one site link. For more information, see Add a site to a site link.
  • Make sure that the combination of site links you have created allows a path between all domain controllers containing a replica of a given directory partition. For example, if a directory partition is held by domain controllers in both Site A and Site C, make sure that Site A and Site C belong to a common site link, or that an intermediary site exists that has at least one site link in common with Site A and at least one site link in common with Site C.
  • Make sure that you have cleared the Bridge all site links check box in Active Directory Sites and Services if your network is not fully routed. Or, if your network is fully routed and you have cleared the Bridge all site links check box, you may need to select it again to allow full replication of a directory partition. For more information, see Enable or disable site link bridges.
  • If you have manually assigned preferred bridgehead servers, make sure these servers are not offline. (It is generally recommended that you allow Active Directory to select bridgehead servers automatically.)
  • Use Ping.exe and Network Monitor to verify connectivity through WAN links and across routers. For more information about Network Monitor, see Network Monitor overview.
  • You can also search the Microsoft Knowledge Base on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=4441) for new and updated information about Event ID 1311.

See also: Create a site link; Add a site to a site link; Enable or disable site link bridges; Install Windows Support Tools
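Two of the configuration causes listed above (a site in no site link, and site links that do not connect every site to every other) can be checked from the Configuration partition without clicking through Active Directory Sites and Services. The following PowerShell is an added example, not from the Microsoft article: it reads site and siteLink objects through ADSI (no Active Directory module required), reports sites that appear in no site link, and treats each site link as connecting all of its member sites to compute whether the site links form one connected topology. The -SiteLinks and -Sites parameters let the same logic run on a constructed topology offline.

```powershell
# Added example (not from the Microsoft article): check the site-link conditions
# behind Event ID 1311. Reads CN=Sites in the Configuration partition via ADSI.

function Test-SiteLinkTopology {
    [CmdletBinding()]
    param(
        # Optional offline input: site link name -> array of member site names.
        [hashtable]$SiteLinks,
        # Optional offline input: names of all sites in the forest.
        [string[]]$Sites
    )

    if (-not $SiteLinks) {
        $rootDse  = [ADSI]'LDAP://RootDSE'
        $sitesDn  = "CN=Sites,$($rootDse.configurationNamingContext.Value)"
        $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$sitesDn")
        $searcher.PageSize = 1000

        $searcher.Filter = '(objectClass=site)'
        $Sites = @($searcher.FindAll() | ForEach-Object { $_.Properties['cn'][0] })

        # siteLink objects sit under CN=Inter-Site Transports; siteList holds member site DNs.
        $searcher.Filter = '(objectClass=siteLink)'
        $SiteLinks = @{}
        foreach ($link in $searcher.FindAll()) {
            $members = @($link.Properties['sitelist'] | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' })
            $SiteLinks[$link.Properties['cn'][0]] = $members
        }
    }

    # Condition 1: every site is a member of at least one site link.
    $inLink = @{}
    foreach ($members in $SiteLinks.Values) { foreach ($s in $members) { $inLink[$s] = $true } }
    $orphans = @($Sites | Where-Object { -not $inLink.ContainsKey($_) })

    # Condition 2: with each site link joining all of its members, all sites must end up
    # in a single connected component (this is what transitive bridging relies on).
    $adj = @{}
    foreach ($s in $Sites) { $adj[$s] = New-Object System.Collections.Generic.List[string] }
    foreach ($members in $SiteLinks.Values) {
        foreach ($a in $members) {
            foreach ($b in $members) {
                if ($a -ne $b -and $adj.ContainsKey($a)) { $adj[$a].Add($b) }
            }
        }
    }
    $seen = @{}; $components = @()
    foreach ($start in $Sites) {
        if ($seen.ContainsKey($start)) { continue }
        $queue = New-Object System.Collections.Queue
        $queue.Enqueue($start); $seen[$start] = $true
        $comp = @()
        while ($queue.Count -gt 0) {
            $cur = $queue.Dequeue(); $comp += $cur
            foreach ($n in $adj[$cur]) {
                if (-not $seen.ContainsKey($n)) { $seen[$n] = $true; $queue.Enqueue($n) }
            }
        }
        $components += ,$comp
    }

    [pscustomobject]@{
        SitesWithoutSiteLink = $orphans
        ComponentCount       = $components.Count
        Components           = $components
        TopologyConnected    = ($orphans.Count -eq 0 -and $components.Count -le 1)
    }
}

# Constructed sample topology (not a real forest): Branch2 is in no site link, and the
# DR site's only link contains no other site, so both 1311 causes are present.
$sampleLinks = @{
    'HQ-Branch1' = @('HQ', 'Branch1')
    'DR-Only'    = @('DR')
}
Test-SiteLinkTopology -SiteLinks $sampleLinks -Sites @('HQ', 'Branch1', 'Branch2', 'DR') | Format-List
```

Run with no parameters on a domain-joined host to inspect the live forest. A result with TopologyConnected set to False tells you which of the two solution steps above applies: a non-empty SitesWithoutSiteLink means a site must be added to a site link, while a ComponentCount above one with no orphans means the existing site links need a common site (or a site link bridge) to join the components.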

Received Event ID 1265 with error "DNS Lookup Failure," or "RPC server is unavailable" in the directory service log. Or, received "DNS Lookup Failure" or "Target account name is incorrect" from the repadmin command.

• Cause: These messages are often the result of DNS problems. Active Directory replication depends on the following:
  • Each domain controller in the forest must register its CNAME record for the name DsaGuid._msdcs.ForestName. DsaGuid is the GUID of the NTDS Settings object of the domain controller (visible in Active Directory Sites and Services as the DNS alias property of the server object's NTDS Settings). This record usually belongs to the _msdcs.ForestName zone or, if that zone does not exist, the ForestName zone.
  • Each advertising domain controller in the forest must register its A record in the appropriate zone for each domain in the forest.
  • The A record must map to the current IP address of the respective domain controller.
  • The records must have replicated to the DNS servers used by direct replication partners.
  • Each DNS zone must have the proper delegations to the child zones.
  • The IP configuration of the domain controllers must contain correct preferred and alternate DNS servers.

  DNS errors that are reported by the directory service log or by repadmin /showrepl mean that the destination domain controller could not resolve the GUID-based DNS name of its source replication partner.

• Solution: Do the following:
  1. Verify CNAME and A records. At a command prompt, type the following:

     dcdiag /test:connectivity

  2. If the CNAME and A records are missing, restart netlogon. At a command prompt, type the following:

     net start netlogon

  3. Again, verify CNAME and A records by repeating step 1.
  4. If the records are still missing, verify the IP configuration. Verify that the preferred and alternate DNS servers specified in the IP configuration of the source and destination domain controllers are correct.
  5. If the client is configured correctly, verify that the zone is dynamic. At a command prompt, type the following:

     dcdiag /test:registerindns /dnsdomain

  6. To verify that name resolution is the cause of the problem, ping the GUID-based name of the domain controller where replication failed. If it works, the next replication cycle should not return this error.
  7. If the ping fails, further DNS troubleshooting is required. For more information, see Troubleshooting Domain Name System on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=62177).

See also: Nslookup; Ping; Troubleshooting DNS; Install Windows Support Tools
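Steps 1, 3 and 6 above all come down to the same question: does the GUID-based name DsaGuid._msdcs.ForestName of each domain controller resolve, and does it resolve to the same address as the domain controller's own host name? The following PowerShell is an added example, not from the Microsoft article, that asks exactly that for every NTDS Settings object in the forest. It reads the objectGUID and the parent server's dNSHostName through ADSI and resolves both names with System.Net.Dns; the resolver is a parameter so the check can be exercised offline against a constructed DNS table, which is how the sample run at the bottom works (the GUIDs and names there are made up).

```powershell
# Added example (not from the Microsoft article): verify each DC's GUID-based
# CNAME against its A record. Needs only a domain-joined Windows host; no AD module.

function Test-DcGuidCname {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][guid]$DsaGuid,
        [Parameter(Mandatory)][string]$ForestDns,
        # name -> array of address strings; must throw when the name does not exist.
        [scriptblock]$Resolver = { param($n) [System.Net.Dns]::GetHostAddresses($n) | ForEach-Object { $_.IPAddressToString } }
    )
    $cname = "$DsaGuid._msdcs.$ForestDns"
    $viaCname = @(); $viaHost = @(); $problem = $null
    try { $viaCname = @(& $Resolver $cname) }    catch { $problem = "CNAME lookup failed: $($_.Exception.Message)" }
    try { $viaHost  = @(& $Resolver $HostName) } catch { $problem = "A record lookup failed: $($_.Exception.Message)" }
    # Healthy only when both names resolve and to exactly the same set of addresses.
    $same = $viaCname.Count -gt 0 -and $viaHost.Count -gt 0 -and -not (Compare-Object $viaCname $viaHost)
    [pscustomobject]@{
        DC             = $HostName
        Cname          = $cname
        CnameAddresses = $viaCname -join ','
        HostAddresses  = $viaHost -join ','
        Healthy        = [bool]($same -and -not $problem)
        Problem        = $problem
    }
}

function Test-ForestDcGuidCnames {
    # Enumerates every NTDS Settings object (one per DC) under CN=Sites and checks it.
    $rootDse   = [ADSI]'LDAP://RootDSE'
    # "DC=corp,DC=example" -> "corp.example"
    $forestDns = (($rootDse.rootDomainNamingContext.Value -split ',') -replace '^DC=') -join '.'
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Sites,$($rootDse.configurationNamingContext.Value)")
    $searcher.Filter   = '(objectClass=nTDSDSA)'
    $searcher.PageSize = 1000
    foreach ($r in $searcher.FindAll()) {
        $server = $r.GetDirectoryEntry().Parent      # CN=<server>,CN=Servers,CN=<site>,...
        Test-DcGuidCname -HostName $server.dNSHostName.Value `
                         -DsaGuid ([guid]$r.Properties['objectguid'][0]) `
                         -ForestDns $forestDns
    }
}

# Constructed DNS table for an offline run (names, GUIDs and addresses are made up).
# dc2's GUID CNAME is deliberately missing: that is the "DNS Lookup Failure" case.
$fakeDns = @{
    'dc1.corp.example'                                           = @('10.0.0.11')
    'aaaaaaaa-1111-2222-3333-444444444444._msdcs.corp.example'   = @('10.0.0.11')
    'dc2.corp.example'                                           = @('10.0.0.12')
}
$fakeResolver = { param($n) if ($fakeDns.ContainsKey($n)) { $fakeDns[$n] } else { throw "No such host is known: $n" } }

Test-DcGuidCname -HostName dc1.corp.example -DsaGuid 'aaaaaaaa-1111-2222-3333-444444444444' -ForestDns corp.example -Resolver $fakeResolver
Test-DcGuidCname -HostName dc2.corp.example -DsaGuid 'bbbbbbbb-1111-2222-3333-444444444444' -ForestDns corp.example -Resolver $fakeResolver
```

On a live forest call Test-ForestDcGuidCnames instead. A row whose CNAME resolves but to different addresses than the host name corresponds to the "A record must map to the current IP address" requirement above; a row with a CNAME lookup failure on a DC that is otherwise reachable points at the registration or zone-replication requirements, and is the case where restarting Netlogon (step 2) is the next thing to try.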

Received Event ID 1265 "Access denied," in the directory service log. Or, received "Access denied" from the repadmin command.

• Cause: This error can occur if the local domain controller failed to authenticate against its replication partner when creating the replication link or when trying to replicate over an existing link. This typically happens when the domain controller has been disconnected from the rest of the network for a long time and its computer account password is not synchronized with the computer account password stored in the directory of its replication partner.
• Solution: Do the following:
  1. Stop the Key Distribution Center (KDC) service using net stop KDC.
  2. Purge the ticket cache on the local domain controller.
  3. Reset the domain controller's account password on the primary domain controller (PDC) emulator master using netdom /resetpwd. (Netdom.exe is available in Windows Support Tools.)
  4. Synchronize the domain directory partition of the replication partner with the PDC emulator master.
  5. Manually force replication between the replication partner and the PDC emulator master.
  6. Start the KDC on the local domain controller:

     net start KDC

See also: User and computer accounts; Net start; Install Windows Support Tools
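The six steps above are usually typed one at a time on the affected domain controller. The following PowerShell is an added example, not from the Microsoft article, that runs them in order and stops at the first failing command so that the KDC is not restarted on top of a half-finished password reset. Where the article names a step but not a command, the command chosen here is an assumption: klist purge for the ticket cache in step 2, and repadmin /replicate for steps 4 and 5. The PDC emulator, partner and domain names are placeholders supplied by the caller; netdom resetpwd with /passwordd:* prompts for the administrative password rather than taking it on the command line.

```powershell
# Added example (not from the Microsoft article): the Event ID 1265 "Access denied"
# recovery as one stop-on-error script, run locally on the affected DC.
# Assumed commands: klist purge (step 2), repadmin /replicate (steps 4 and 5).

function Invoke-Step {
    param([string]$Description, [scriptblock]$Command)
    Write-Host "==> $Description"
    & $Command
    # Native tools report failure through their exit code; abort rather than continue blindly.
    if ($LASTEXITCODE -ne 0) { throw "Step failed ($Description), exit code $LASTEXITCODE" }
}

function Repair-DcReplicationAuth {
    param(
        [Parameter(Mandatory)][string]$PdcEmulator,   # placeholder, e.g. pdc.corp.example
        [Parameter(Mandatory)][string]$Partner,       # placeholder: this DC's replication partner
        [Parameter(Mandatory)][string]$DomainDn,      # placeholder, e.g. DC=corp,DC=example
        [Parameter(Mandatory)][string]$AdminAccount   # DOMAIN\user allowed to reset the DC account
    )

    # Step 1: stop the KDC so no tickets are issued with the stale machine key.
    Invoke-Step 'Stop KDC' { net stop kdc }

    # Step 2: purge the local ticket cache (klist purge is the assumed tool).
    Invoke-Step 'Purge Kerberos ticket cache' { klist purge }

    # Step 3: reset this DC's computer account password against the PDC emulator.
    Invoke-Step 'Reset DC account password on PDC emulator' {
        netdom resetpwd /server:$PdcEmulator /userd:$AdminAccount /passwordd:*
    }

    # Step 4: pull the domain partition from the PDC emulator into the replication partner,
    # so the partner holds the new password before this DC authenticates to it.
    Invoke-Step 'Synchronize partner domain partition from PDC emulator' {
        repadmin /replicate $Partner $PdcEmulator $DomainDn
    }

    # Step 5: force replication between partner and PDC emulator in the other direction
    # as well (assumed reading of the article's step 5).
    Invoke-Step 'Force replication PDC emulator <- partner' {
        repadmin /replicate $PdcEmulator $Partner $DomainDn
    }

    # Step 6: bring the KDC back on this DC.
    Invoke-Step 'Start KDC' { net start kdc }
}

# Usage on the affected DC (placeholder values):
# Repair-DcReplicationAuth -PdcEmulator pdc.corp.example -Partner dc2.corp.example `
#                          -DomainDn 'DC=corp,DC=example' -AdminAccount 'CORP\admin'
```

After the script completes, repadmin /showrepl on the affected DC should no longer report "Access denied" for the partner; if it still does, the failing step's exit code and output identify which part of the sequence to repeat.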

Received "Access denied" from Active Directory Sites and Services when manual replication was attempted.

• Cause: Using Active Directory Sites and Services to force replication initiates replication on all common directory partitions between the replication partners. However, a user can only force manual replication for containers on which they have been assigned the Replication Synchronization permission. The replication of other directory partitions will fail, causing the "Access Denied" error.
• Solution: The repadmin or replmon command-line tools from Windows Support Tools can be used to manually force the replication of a specific directory partition.

  Replication Synchronization is a special permission. For more information about special permissions, see Set, view, change, or remove special permissions and Active Directory object permissions.

See also: Install Windows Support Tools; Force replication over a connection; Active Directory support tools
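Because Replication Synchronization is an extended right rather than a standard permission, it is easy to overlook who holds it on a partition head and why a given administrator gets "Access denied" on one partition but not another. The following PowerShell is an added example, not from the Microsoft article, that lists the access control entries on a partition head which grant or deny that right. It looks the right's GUID up by display name in CN=Extended-Rights instead of hard-coding it, and treats an ExtendedRight entry with an empty object type (the shape a GenericAll grant takes) as covering the right. The filtering logic is separated from the directory access so the sample at the bottom can run offline on a constructed set of rules with a placeholder GUID.

```powershell
# Added example (not from the Microsoft article): audit who holds the
# "Replication Synchronization" extended right on a directory partition head.

function Select-ReplicationSyncRules {
    # Pure filter over ActiveDirectoryAccessRule objects; no directory access here.
    param(
        [Parameter(Mandatory)][System.Collections.IEnumerable]$Rules,
        [Parameter(Mandatory)][guid]$RightGuid
    )
    foreach ($rule in $Rules) {
        $extended = ($rule.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if (-not $extended) { continue }
        # ObjectType Guid.Empty on an ExtendedRight ACE means every extended right.
        if ($rule.ObjectType -ne [guid]::Empty -and $rule.ObjectType -ne $RightGuid) { continue }
        [pscustomobject]@{
            Identity   = $rule.IdentityReference.Value
            AccessType = $rule.AccessControlType
            Inherited  = $rule.IsInherited
            Scope      = if ($rule.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { 'Replication Synchronization' }
        }
    }
}

function Get-ReplicationSyncRightHolders {
    param([string]$PartitionDn)   # partition head; defaults to this DC's domain partition
    $rootDse = [ADSI]'LDAP://RootDSE'
    if (-not $PartitionDn) { $PartitionDn = $rootDse.defaultNamingContext.Value }

    # Resolve the right's GUID from its controlAccessRight object by display name.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Extended-Rights,$($rootDse.configurationNamingContext.Value)")
    $searcher.Filter = '(&(objectClass=controlAccessRight)(displayName=Replication Synchronization))'
    $right = $searcher.FindOne()
    if (-not $right) { throw 'Control access right "Replication Synchronization" not found' }
    $rightGuid = [guid]$right.Properties['rightsguid'][0]

    $rules = ([ADSI]"LDAP://$PartitionDn").ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    Select-ReplicationSyncRules -Rules $rules -RightGuid $rightGuid |
        Add-Member -NotePropertyName Partition -NotePropertyValue $PartitionDn -PassThru
}

# Constructed sample ACL (not read from a directory); the right's GUID is a placeholder.
$R = [System.DirectoryServices.ActiveDirectoryRights]
$Allow = [System.Security.AccessControl.AccessControlType]::Allow
$placeholderRight = [guid]'00000000-0000-0000-0000-0000000000ab'
$sampleRules = @(
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        [System.Security.Principal.NTAccount]'CORP\Domain Admins', $R::GenericAll, $Allow),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        [System.Security.Principal.NTAccount]'CORP\ReplOps', $R::ExtendedRight, $Allow, $placeholderRight),
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        [System.Security.Principal.NTAccount]'CORP\Helpdesk', $R::ExtendedRight, $Allow, [guid]'00000000-0000-0000-0000-000000000001')
)
# Expected: Domain Admins (all extended rights) and ReplOps; Helpdesk holds a different right and is omitted.
Select-ReplicationSyncRules -Rules $sampleRules -RightGuid $placeholderRight | Format-Table -AutoSize
```

On a live domain controller call Get-ReplicationSyncRightHolders with the DN of the partition that returned "Access denied" (the configuration or schema partition, for example). If the account that attempted the manual replication is not listed for that partition, that explains the error, and the repadmin approach above, which targets a single partition the account does hold the right on, is the intended workaround.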

Unable to connect to a domain controller running Windows 2000 from the Active Directory Sites and Services snap-in.

• Cause: You are trying to connect to a domain controller running Windows 2000 that does not have Service Pack 3 or later installed.
• Solution: Upgrade domain controllers running Windows 2000 to Service Pack 3 or later.

See also: Connecting to domain controllers running Windows 2000; Managing Active Directory from MMC

Search for new and updated information about replication. Or, your question does not match any of those listed above.

• Cause: New and updated information is regularly published on the Microsoft Web site.
• Solution: Visit the following links for the latest information:
  • Searching the Knowledge Base on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=4441): Search the Microsoft Knowledge Base of technical support information and self-help tools for Microsoft products.
  • Product Support Services on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=281): Search FAQs by product, browse the product support newsgroups, and contact Microsoft Support.
  • Active Directory Collection in the Windows Server 2003 Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=4549): View detailed technical information about Active Directory replication and other technologies, including troubleshooting Active Directory replication.
  • Microsoft Windows Server TechCenter on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=34403): Search for troubleshooting information, service packs, patches, and downloads for your system. View the Technical Library for the latest product information, including deployment, operations, and technical reference.
  • Windows Server Community on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=832): The official online community for enthusiasts of the Windows server operating systems.

See also: Technical support options; Install Windows Support Tools; Using the Windows Deployment and Resource Kits