File: support/windows-server/active-directory/troubleshoot-adreplication-guidance.md
Lines changed: 24 additions & 18 deletions
@@ -27,24 +27,24 @@ Use the following checklist to troubleshoot these replication issues:
27
27
- Rule out intentional disruptions or hardware failures.
28
28
- In a scenario: A domain controller is built in a staging site. The domain controller is currently offline, and is waiting for its deployment in the final production site, a remote site such as a branch office.
29
29
30
-
When another domain controller is trying to replica with the domain controller, it reports replication errors. You can account for such replication errors.
30
+
When another domain controller is trying to replicate to the domain controller, it reports replication errors. You can account for such replication errors.
31
31
- Replication problems might be caused by hardware failure.
32
-
- Active Directory replication remote procedure calls (RPCs) occur dynamically over an available port through the RPC Endpoint Mapper (RPCSS) on port 135. Make sure that Windows Defender Firewall with Advanced Security and other firewalls are configured correctly to enable replication.
32
+
- Active Directory replication remote procedure calls (RPCs) occur dynamically over an available port through the RPC Endpoint Mapper (RPCSS) on port 135. Make sure that Windows Firewall with Advanced Security and other firewalls are configured correctly to enable replication.
33
33
34
34
After you rule out intentional disconnections and hardware failures, the replication issues might have one of the following causes:
35
35
36
-
- Network connectivity: The network connection might be unavailable, or network settings might not configured correctly.
37
-
- Name resolution:DNS misconfigurations are a common cause of replication failures.
38
-
- Replication engine: If intersite replication schedules are too short, replication queues might be too large to process in the time that is required by the outbound replication schedule. In this case, replication of some changes might be stalled indefinitely, or long enough to exceed the tombstone lifetime.
39
-
- Replication topology: Domain controllers must have intersite links in Active Directory Domain Services (AD DS) that map to real wide area network (WAN) or virtual private network (VPN) connections. If you create objects in AD DS for the replication topology that aren't supported by the actual site topology of your network, replication that requires the misconfigured topology fails.
40
-
- Authentication and authorization: Authentication and authorization problems cause "access denied" errors when a domain controller tries to connect to its replication partner.
41
-
- Directory database store: The directory database might not be able to process transactions fast enough to keep up with replication time-outs.
36
+
-**Network connectivity:** The network connection might be unavailable, or network settings might not be configured correctly.
37
+
-**Name resolution:** Domain name system (DNS) misconfigurations are a common cause of replication failures.
38
+
-**Replication engine:** If intersite replication schedules are too short, replication queues might be too large to process in the time that is required by the outbound replication schedule. In this case, replication of some changes might be stalled indefinitely, or long enough to exceed the tombstone lifetime.
39
+
-**Replication topology:** Domain controllers must have intersite links in Active Directory Domain Services (AD DS) that map to real wide area network (WAN) or virtual private network (VPN) connections. If you create objects for the replication topology in AD DS that aren't supported by the actual site topology of your network, replication that requires the misconfigured topology fails.
40
+
-**Authentication and authorization:** Authentication and authorization problems cause "access denied" errors when a domain controller tries to connect to its replication partner.
41
+
-**Directory database store:** The directory database might not be able to process transactions fast enough to keep up with replication timeouts.
42
42
43
43
## Common solutions for Active Directory replication issues
44
44
45
45
- Monitor replication health daily, or use `Repadmin` to retrieve replication status daily.
46
46
- Try to resolve any reported failure in a timely manner by using the methods that are described in the event messages and this guide. If software is causing the problem, uninstall the software before you continue to try other solutions.
47
-
- If the problem that is causing replication to fail can't be resolved by any known methods, remove AD DS from the server, and then reinstall it. For more information about reinstalling AD DS, see [Decommissioning a Domain Controller](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816644%28v=ws.10%29).
47
+
- If the problem that's causing replication to fail can't be resolved by any known methods, remove AD DS from the server, and then reinstall it. For more information about reinstalling AD DS, see [Decommissioning a Domain Controller](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc816644%28v=ws.10%29).
48
48
- If AD DS can't be removed in a typical manner while the server is connected to the network, use one of the following methods to resolve the problem:
49
49
- Force AD DS removal in Directory Services Restore Mode (DSRM), clean up server metadata, and then reinstall AD DS.
50
50
- Reinstall the operating system, and rebuild the domain controller.
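Review bot: the rewritten list at new lines 36-41 drops the space after the bullet marker (`-**Network connectivity:**`, `-**Name resolution:**`, and so on), and Markdown does not treat a `-` immediately followed by text as a list item, so these six items will render as one run-on paragraph instead of the bulleted list the old lines produced; restore `- **Network connectivity:** ...` on each of them. Two smaller points in the same hunk: at new line 30, the old "replica with" was clearly a typo for "replicate with", and the new "replicate to" narrows the sentence to one direction even though the offline staging domain controller can be on either side of the failing link, so "replicate with the domain controller" is the safer fix; and "Domain name system (DNS)" at new line 37 should be "Domain Name System (DNS)" to match the standard expansion.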
@@ -56,45 +56,51 @@ Most replication problems are identified in the event messages that are logged i
56
56
### Event ID 2042
57
57
58
58
Repadmin message:
59
-
> The time since last replication with this server has exceeded the tombstone lifetime.
60
59
61
-
A domain controller has failed inbound replication with the named source domain controller long enough for a deletion to have been tombstoned, replicated, and garbage-collected from AD DS. See [Active Directory replication Event ID 2042](active-directory-replication-event-id-2042.md).
60
+
> `The time since last replication with this server has exceeded the tombstone lifetime.`
61
+
62
+
A domain controller failed inbound replication to the named source domain controller long enough for a deletion to have been tombstoned, replicated, and garbage-collected from AD DS. See [Active Directory replication Event ID 2042](active-directory-replication-event-id-2042.md).
62
63
63
64
### Event ID 1925
64
65
65
66
Repadmin message:
66
-
> No inbound neighbors
67
67
68
-
If no items appear in the "Inbound Neighbors" section of the output that is generated by `repadmin /showrepl`, the domain controller wasn't able to establish replication links with another domain controller. See [Active Directory replication Event ID 1925](active-directory-replication-event-id-1925-dns-lookup.md).
68
+
> `No inbound neighbors`
69
+
70
+
If no items appear in the "Inbound Neighbors" section of the output that `repadmin /showrepl` generates, the domain controller wasn't able to establish replication links to another domain controller. See [Active Directory replication Event ID 1925](active-directory-replication-event-id-1925-dns-lookup.md).
69
71
70
72
### Error code 5
71
73
72
74
Repadmin message:
73
-
> Access is denied.
75
+
76
+
> `Access is denied.`
74
77
75
78
A replication link exists between two domain controllers, but replication can't be done correctly because of an authentication failure. See [Active Directory replication fails with error 5: Access is denied](replications-fail-with-error-5.md).
76
79
77
80
### Error code 49
78
81
79
82
Repadmin message:
80
-
> LDAP Error 49.
83
+
84
+
> `LDAP Error 49.`
81
85
82
86
The domain controller computer account might not be synchronized with the Key Distribution Center (KDC). Fix replication security issues.
83
87
84
88
### Event ID 1925 and event ID 2087
85
89
86
90
Repadmin message:
87
-
> Cannot open LDAP connection to local host.
91
+
92
+
> `Cannot open LDAP connection to local host.`
88
93
89
94
The administration tool couldn't contact AD DS. See the following articles:
90
95
91
96
-[Active Directory replication Event ID 1925](active-directory-replication-event-id-1925-dns-lookup.md)
92
97
-[Active Directory replication Event ID 2087](active-directory-replication-event-id-2087.md)
93
98
94
-
### Event ID 1925, event ID 2087 and event ID 2088
99
+
### Event ID 1925, Event ID 2087, and Event ID 2088
95
100
96
101
Repadmin message:
97
-
> Last attempt at \<date - time\> failed with the "Target account name is incorrect."
102
+
103
+
> `Last attempt at <date - time> failed with the "Target account name is incorrect."`
98
104
99
105
This problem can be related to connectivity, DNS, or authentication issues. If this error is a DNS error, the local domain controller couldn't resolve the globally unique identifier (GUID)-based DNS name of its replication partner. See the following articles:
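Review bot: the rewritten sentence at new line 61, "A domain controller failed inbound replication to the named source domain controller", reverses the direction: inbound replication is received from the source, so this should read "failed inbound replication from the named source domain controller" (the old "with" was imprecise but not wrong). Also, the heading at new line 99 is changed to "Event ID 1925, Event ID 2087, and Event ID 2088", but the unchanged heading at line 88, "Event ID 1925 and event ID 2087", still uses lowercase "event ID"; capitalize it in the same commit so the two headings match. Wrapping the Repadmin messages in code spans is a good change, since it also lets the escaped "\<date - time\>" placeholder at new line 103 be written plainly as "<date - time>".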