Hi,
I have 7 domain controllers across a couple physical locations.
If I randomly spot check GPO Replication Status, sometimes I get all in sync, sometimes I get none in sync, sometimes I get some in sync and some not in sync.
Some of the time the not in sync are ACL mismatch and some of the time it's a GPO Version mismatch.
Sometimes replication is very slow and other times it's very quick.
What troubleshooting can I do to show the root cause of this randomness, specifically for GPO? repadmin etc. all show good.
There are hundreds of GPOs from a previous "design"; all the printers for example are in their own GPO, instead of using one GPO with Item Level Targeting. I think the amount of GPOs is partly to blame, but not solely.
Thanks
Sounds like there could be network issues. This tool may help to visualize.
https://www.microsoft.com/en-us/download/details.aspx?id=30005
--please don't forget to upvote
and Accept as answer
if the reply is helpful--
Hi LankyDoodle-7423,
There are a multitude of potential reasons why DCs may not be syncing correctly. This article is a good starting point for diagnosing issues:
When starting the Active Directory replication troubleshooting process, it's best to check the simple things first. Make sure that the domain controllers are powered on, functioning and able to communicate with one another across the network. It's also important to make sure your firewalls are configured to allow Remote Procedure Call (RPC) traffic on port 135.
Similarly, take the time to review any recent changes to your network. This might include DNS configuration adjustments, modifications to the network topology or Dynamic Host Configuration Protocol alterations.
In addition, there are several system services that need to be running on your domain controllers for Active Directory replication to work properly. You should use the service control manager or PowerShell's Get-Service cmdlet to verify the DNS infrastructure, Kerberos authentication protocol, Windows time service (W32time), RPC and network connectivity services are running.
Make sure your domain controller clocks are all in sync. The Active Directory depends on the Kerberos protocol, which is sensitive to clock skew. If the domain controller clocks fall out of sync by more than a few minutes, it will cause Kerberos to stop working, which can cause a variety of problems.
Windows provides several native tools to help you figure out why you are experiencing problems with Active Directory replication. One of the first tools to try is DCDiag.
DCDiag is a general-purpose Active Directory diagnostic tool that is not specifically designed for troubleshooting Active Directory replication failures, but it is a great tool to start with. The reason for this is many times Active Directory replication issues are a symptom of a deeper problem. If your Active Directory is suffering from troubles that extend beyond simple replication problems, then the DCDiag tool can help pinpoint those issues.
To use the DCDiag tool, open an elevated command prompt window on a domain controller experiencing replication problems. Next, enter the DCDiag command. When you do, Windows will run a series of tests designed to assess the health of various Active Directory components. You can see an example of this in
If the DCDiag tool does not detect any problems, then you might consider running it on each domain controller within the domain. Occasionally, you may find that the tool returns very different results depending on where it runs.
---------------------------------------------------------------------------------------------------------------------------------------------------------------
--If the reply is helpful, please Upvote and Accept as answer--
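To see which domain controllers disagree, and on which side, the GPO version spot check from the question can be scripted per GPO per DC. This is an added example, not code from either answer or from a Microsoft tool; the function names and the sample records are hypothetical and constructed, and live collection assumes the ActiveDirectory RSAT module and read access to each DC's SYSVOL share.

```powershell
# Added example. Function names and the sample data are hypothetical/constructed.
function Get-GpoVersionPerDc {
    # Live collection: one record per GPO per DC, with the version stored in AD (GPC)
    # and the version in that DC's own SYSVOL copy of gpt.ini (GPT).
    Import-Module ActiveDirectory
    $domain = Get-ADDomain
    $base = "CN=Policies,CN=System,$($domain.DistinguishedName)"
    foreach ($dc in Get-ADDomainController -Filter *) {
        $gpos = Get-ADObject -Server $dc.HostName -SearchBase $base `
            -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName, versionNumber
        foreach ($gpo in $gpos) {
            $ini = "\\$($dc.HostName)\SYSVOL\$($domain.DNSRoot)\Policies\$($gpo.Name)\gpt.ini"
            $m = Select-String -Path $ini -Pattern '^Version=(\d+)' -ErrorAction SilentlyContinue |
                Select-Object -First 1
            [pscustomobject]@{
                Gpo = $gpo.displayName; Dc = $dc.HostName; AdVersion = [long]$gpo.versionNumber
                # -1 marks a gpt.ini that is missing or unreadable on this DC
                SysvolVersion = if ($m) { [long]$m.Matches[0].Groups[1].Value } else { -1 }
            }
        }
    }
}

function Find-GpoMismatch {
    # Flags DCs whose AD copy lags the newest version, or whose SYSVOL copy differs from AD.
    param([Parameter(Mandatory)][object[]]$Records)
    foreach ($g in $Records | Group-Object Gpo) {
        $newest = ($g.Group | Measure-Object -Property AdVersion -Maximum).Maximum
        foreach ($r in $g.Group) {
            $issue = if ($r.AdVersion -lt $newest) { 'AD copy behind newest DC' }
                     elseif ($r.SysvolVersion -ne $r.AdVersion) { 'SYSVOL (gpt.ini) differs from AD' }
            if ($issue) {
                [pscustomobject]@{ Gpo = $r.Gpo; Dc = $r.Dc; AdVersion = $r.AdVersion
                                   SysvolVersion = $r.SysvolVersion; Issue = $issue }
            }
        }
    }
}

# Constructed sample so the comparison runs without a domain; dc3 and dc2 are flagged.
$sample = @(
    [pscustomobject]@{ Gpo = 'Printers-Floor1'; Dc = 'dc1.example.test'; AdVersion = 7; SysvolVersion = 7 }
    [pscustomobject]@{ Gpo = 'Printers-Floor1'; Dc = 'dc3.example.test'; AdVersion = 6; SysvolVersion = 6 }
    [pscustomobject]@{ Gpo = 'Baseline';        Dc = 'dc1.example.test'; AdVersion = 12; SysvolVersion = 12 }
    [pscustomobject]@{ Gpo = 'Baseline';        Dc = 'dc2.example.test'; AdVersion = 12; SysvolVersion = 11 }
)
Find-GpoMismatch -Records $sample | Format-Table -AutoSize
# Live run: Find-GpoMismatch -Records (Get-GpoVersionPerDc) | Format-Table -AutoSize
```

Rows marked "AD copy behind newest DC" point at directory replication to that DC, while "SYSVOL (gpt.ini) differs from AD" points at SYSVOL replication on that DC. ACL mismatches are not covered by this check.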