Event ID 1925: Attempt to establish a replication link failed due to connectivity problem
Applies To: Windows Server 2008
The description text in event ID 1925 reports that the attempt to establish a replication link for the following writable directory partition failed, and the description text provides the distinguished name of the directory partition that the destination is attempting to replicate from the source. The error code in the event gives more specific information about the cause of the problem.
The following is an example of the event text:
Log Name: Directory Service
Date: 3/12/2008 8:14:13 AM
Event ID: 1925
Task Category: Knowledge Consistency Checker
User: ANONYMOUS LOGON
The attempt to establish a replication link for the following
writable directory partition failed.
Source domain controller:
Source domain controller address:
Intersite transport (if any):
This domain controller will be unable to replicate with the source
domain controller until this problem is corrected.
Verify if the source domain controller is accessible or network
connectivity is available.
1908 Could not find the domain controller for this domain.
When Event ID 1925 contains error 1908, "Could not find the domain controller for this domain," Active Directory replication has failed as a result of a connectivity problem between the domain controller that reported the error and the source domain controller that is named in the event text.
Use the following tests to solve this problem:
Verify WAN connectivity
Determine maximum packet size, and change it if necessary.
Verify WAN connectivity
Verify that there are no basic connectivity problems with the underlying network between the domain controllers, especially if they are separated by a wide area network (WAN) link or firewalls. For information about testing this type of problem, see article 310099 (https://go.microsoft.com/fwlink/?LinkId=69995) and article 159211 (https://go.microsoft.com/fwlink/?LinkId=69996) in the Microsoft Knowledge Base.
Determine maximum packet size
By default, the Kerberos authentication protocol in Windows 2000, Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, and Windows Server 2008 uses the User Datagram Protocol (UDP) when the data fits into packets of less than 2,000 bytes. Any data larger than this value is carried over TCP. Packets of more than 1,500 bytes are often dropped by a network device, such as a firewall.
To avoid this problem, you can determine the size of packet that your network can accommodate. Then, you can edit the registry so that the maximum number of bytes for using UDP is set to the lowest value that you receive, less 8 bytes to account for header size.
You can use the ping command to test the size of packets that the network can accommodate.
Membership in Domain Users, or equivalent, and the Log on locally right on the domain controller are the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To determine the lowest common packet size
1. From the destination domain controller, ping the source domain controller by its IP address. At a command prompt, type the following command, and then press ENTER:
   ping <IP_address> -f -l 1472
2. From the source domain controller, use the command in step 1 to ping the destination domain controller by its IP address.
3. If the ping command completes in both directions, no additional modification is required. If the ping command fails in either direction, monotonically lower the number that you use in the -l parameter until you find the lowest common packet size that works between the source and destination domain controllers.
Dcdiag.exe provides the following method to perform this test:
dcdiag /test:CheckSecurityError /s:<SourceDomainControllerName>
You can edit the registry to set the maximum size of packets to the value that you determined by the ping method, minus 8 bytes to account for header size. As an alternative, you can edit the registry so that the maximum number of bytes for using UDP is always exceeded and therefore Kerberos always uses TCP.
You can change the default value of 2,000 bytes by modifying the registry entry MaxPacketSize in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. Use the following procedure to change this registry setting.
It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.
Credentials: Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure.
To change the maximum packet size
1. Click Start, click Run, type regedit, and then click OK.
2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
3. Edit the entry MaxPacketSize or, if it does not exist in the details pane, create it, as follows:
   a. To edit the entry if it exists in the details pane: right-click MaxPacketSize, click Modify, and then, in the Value data box, type 1 to force Kerberos to use TCP, or type the value that you established to lower the maximum packet size to the appropriate value.
   b. To create the entry if it does not exist in the details pane: right-click Parameters, click New DWORD Value, type the name MaxPacketSize, and then go to step 3a to edit the entry.
You must restart the domain controller for this change to take effect.
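The following PowerShell script is an added example, not part of the original article, that automates the two procedures above: it steps the unfragmented ping size down from 1472 until a reply comes back from the peer domain controller, derives the MaxPacketSize value (lowest working size less 8 bytes), and optionally writes it to the Kerberos Parameters key. The peer address is a placeholder you supply; run it from each domain controller against the other so both directions are covered, and use -Apply only once you have the lowest value from both runs.

```powershell
# Added example (not from the original article). Probe the largest unfragmented
# ICMP payload that reaches a peer DC, then derive the Kerberos MaxPacketSize
# value the article describes. Requires Domain Admins (or equivalent) to -Apply.
param(
    [Parameter(Mandatory)][string]$PeerAddress,   # IP address of the other domain controller
    [int]$Start = 1472,                           # 1500-byte MTU minus 28 bytes of IP+ICMP header
    [int]$Step  = 8,                              # how far to lower -l on each failed attempt
    [switch]$Apply                                # write the registry value; omit for report-only
)

# Returns the largest payload size that gets a reply with the Don't Fragment bit set,
# stepping down from $Start as the article instructs, or $null if none succeeds.
function Find-LowestCommonPacketSize {
    param([string]$Address, [int]$Start, [int]$Step)
    for ($size = $Start; $size -gt 0; $size -= $Step) {
        # Same ping.exe flags as the article: -f (do not fragment), -l (payload size)
        $out = & ping.exe -n 1 -w 2000 -f -l $size $Address 2>&1 | Out-String
        if ($out -match 'TTL=') { return $size }   # an echo reply arrived at this size
    }
    return $null
}

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$size = Find-LowestCommonPacketSize -Address $PeerAddress -Start $Start -Step $Step
if ($null -eq $size) { Write-Error "No unfragmented ping to $PeerAddress succeeded"; exit 1 }

$maxPacketSize = $size - 8    # article: lowest working size less 8 bytes for header size
Write-Host "Largest unfragmented payload to ${PeerAddress}: $size bytes"
Write-Host "Suggested MaxPacketSize: $maxPacketSize (default is 2000; a value of 1 forces TCP)"

$current = (Get-ItemProperty -Path $regPath -Name MaxPacketSize -ErrorAction SilentlyContinue).MaxPacketSize
if ($null -eq $current) { $current = '<not set, default 2000>' }
Write-Host "Current MaxPacketSize: $current"

if ($Apply) {
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    Set-ItemProperty -Path $regPath -Name MaxPacketSize -Value $maxPacketSize -Type DWord
    Write-Host "MaxPacketSize set to $maxPacketSize; restart the domain controller to apply."
}
```

The script only reports until -Apply is given, so it can be run first on both domain controllers to compare the sizes each direction yields; the domain controller still needs a restart after the value is written.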