Active Directory Replication Issues – Basic Troubleshooting Steps (Single AD Domain in a Single AD Forest)
Most Active Directory replication issues are caused by one of the following:
- DNS registration / resolution issues
- Blocked or Filtered Active Directory replication ports
- Tombstoned Domain Controllers
This article describes basic troubleshooting steps for these issues when you have a single domain in a single AD forest:
DNS registration / resolution issues:
For DNS registration / resolution issues, start with the following troubleshooting steps:
- Make sure that your domain DNS zone domain.com is set to accept dynamic updates (It is recommended to have dynamic updates set to secure only)
- Make sure that your _msdcs.domain.com is set to accept dynamic updates (It is recommended to have dynamic updates set to secure only)
- Make sure that your domain controllers are not multi-homed (Each Domain Controller should have a single NIC card enabled and only one IP address in use)
- Make sure that public DNS servers are neither configured as forwarders nor listed in the IP settings of Domain Controllers
- Use the following for the configuration of IP settings of Domain Controllers:
| Scenario | How to proceed |
| --- | --- |
| A single Domain with a single Domain Controller | Make the Domain Controller point to: |
| A single Domain with two Domain Controllers | Make each Domain Controller point to: |
| A single Domain with more than two Domain Controllers | My recommendation is to proceed like the following: |
Once done, run ipconfig /registerdns and then restart netlogon service on each DC you have.
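The following PowerShell script is an added example, not code from the article, that audits the DNS prerequisites above on every DC of the domain (dynamic update mode on both zones, multi-homing, public resolvers as forwarders or in NIC settings) and then re-registers records and restarts Netlogon. It assumes the ActiveDirectory and DnsServer RSAT modules, PowerShell remoting to the DCs and Domain Admin rights; the public resolver list is a constructed sample.

```powershell
# Added example (not from the article): audit the DNS prerequisites on every DC of a
# single-domain forest, then re-register records and restart Netlogon.
# Assumptions: ActiveDirectory and DnsServer modules present, PowerShell remoting
# enabled on the DCs, run as Domain Admin. $publicDns is a constructed sample list.
Import-Module ActiveDirectory
Import-Module DnsServer

$domainFqdn = (Get-ADDomain).DNSRoot
$zones      = @($domainFqdn, "_msdcs.$domainFqdn")
$publicDns  = @('8.8.8.8', '8.8.4.4', '1.1.1.1', '9.9.9.9')   # constructed sample of public resolvers
$dcs        = Get-ADDomainController -Filter * | Sort-Object HostName

foreach ($dc in $dcs) {
    $dcName = $dc.HostName
    Write-Host "=== $dcName ==="

    # 1) Both the domain zone and _msdcs must accept dynamic updates; Secure only is recommended.
    foreach ($zoneName in $zones) {
        $zone = Get-DnsServerZone -Name $zoneName -ComputerName $dcName -ErrorAction SilentlyContinue
        if (-not $zone) { Write-Warning "  $dcName does not host zone $zoneName"; continue }
        switch ($zone.DynamicUpdate) {
            'Secure'             { Write-Host    "  $zoneName : dynamic update = Secure (OK)" }
            'NonsecureAndSecure' { Write-Warning "  $zoneName : nonsecure updates allowed, change to Secure" }
            default              { Write-Warning "  $zoneName : dynamic updates disabled ($($zone.DynamicUpdate))" }
        }
    }

    # 2) Multi-homing: one enabled NIC and one usable IPv4 address per DC.
    #    Loopback and APIPA (169.254.x.x) addresses are ignored.
    $ipInfo = Invoke-Command -ComputerName $dcName -ScriptBlock {
        [pscustomobject]@{
            UpAdapters = @(Get-NetAdapter | Where-Object Status -eq 'Up').Count
            Addresses  = @(Get-NetIPAddress -AddressFamily IPv4 |
                           Where-Object { $_.IPAddress -notmatch '^(127\.|169\.254\.)' } |
                           Select-Object -ExpandProperty IPAddress)
            DnsClient  = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
                           Select-Object -ExpandProperty ServerAddresses)
        }
    }
    if ($ipInfo.UpAdapters -gt 1 -or $ipInfo.Addresses.Count -gt 1) {
        Write-Warning "  multi-homed: $($ipInfo.UpAdapters) active NICs, addresses $($ipInfo.Addresses -join ', ')"
    }

    # 3) Public resolvers must appear neither as DNS server forwarders nor in the NIC DNS settings.
    $forwarders = @((Get-DnsServerForwarder -ComputerName $dcName).IPAddress |
                    ForEach-Object { $_.IPAddressToString })
    $badFwd = $forwarders        | Where-Object { $_ -in $publicDns }
    $badNic = $ipInfo.DnsClient  | Where-Object { $_ -in $publicDns }
    if ($badFwd) { Write-Warning "  public DNS used as forwarder: $($badFwd -join ', ')" }
    if ($badNic) { Write-Warning "  public DNS in NIC settings: $($badNic -join ', ')" }
}

# 4) Once the settings are corrected, re-register DNS records and restart Netlogon on
#    each DC; Netlogon re-registers the DC's SRV records when it starts.
foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        ipconfig /registerdns | Out-Null
        Restart-Service -Name Netlogon
    }
}
```

Run it from a management host or a DC and fix any warning before the re-registration step; the `_msdcs` zone is forest-wide and may legitimately be hosted on a subset of DCs, so a "does not host zone" warning on that zone is only a problem if no DC hosts it.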
Blocked or Filtered Active Directory replication ports:
The following Active Directory ports should be opened in both directions (incoming and outgoing) between domain controllers: http://technet.microsoft.com/en-us/library/bb727063.aspx
PortQryUI and PortQry v2 are useful tools for querying ports to see whether they are listening, filtered or not listening.
To download PortQryUI: http://www.microsoft.com/en-us/download/details.aspx?id=24009
To download PortQry V2: http://www.microsoft.com/en-gb/download/details.aspx?id=17148
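As an added example that is not part of the article, the following PowerShell function tests TCP reachability of the usual AD replication ports from every DC to every other DC and reports the closed ones. It assumes the ActiveDirectory module, PowerShell remoting and Windows Server 2012 or later on the DCs (for Test-NetConnection). The port list is an assumption based on the commonly documented set and should be checked against the TechNet table linked above; Test-NetConnection only tests TCP, so UDP (53, 88, 389) and the dynamic RPC range still need PortQry.

```powershell
# Added example (not from the article): TCP port reachability between all DCs.
# Assumptions: ActiveDirectory module, PowerShell remoting, Test-NetConnection available
# on each DC. $portList is the commonly documented AD port set (verify against the
# linked TechNet article); UDP and the dynamic RPC range are not covered here.
Import-Module ActiveDirectory

$portList = @(
    @{ Port = 53;   Service = 'DNS (TCP)' }
    @{ Port = 88;   Service = 'Kerberos (TCP)' }
    @{ Port = 135;  Service = 'RPC endpoint mapper' }
    @{ Port = 389;  Service = 'LDAP' }
    @{ Port = 445;  Service = 'SMB (SYSVOL)' }
    @{ Port = 464;  Service = 'Kerberos password change' }
    @{ Port = 636;  Service = 'LDAPS' }
    @{ Port = 3268; Service = 'Global Catalog' }
    @{ Port = 3269; Service = 'Global Catalog over SSL' }
) | ForEach-Object { [pscustomobject]$_ }

function Test-DcReplicationPorts {
    param([string[]]$DcNames, [object[]]$Ports)

    foreach ($source in $DcNames) {
        $targets = @($DcNames | Where-Object { $_ -ne $source })
        if ($targets.Count -eq 0) { continue }

        # Run the probe on the source DC so the test reflects that DC's own path
        # (firewall rules, routing, host-based security software).
        Invoke-Command -ComputerName $source -ArgumentList (,$targets), (,$Ports) -ScriptBlock {
            param($targets, $ports)
            foreach ($target in $targets) {
                foreach ($p in $ports) {
                    $tnc = Test-NetConnection -ComputerName $target -Port $p.Port -WarningAction SilentlyContinue
                    [pscustomobject]@{
                        Source  = $env:COMPUTERNAME
                        Target  = $target
                        Port    = $p.Port
                        Service = $p.Service
                        TcpOpen = $tnc.TcpTestSucceeded
                    }
                }
            }
        }
    }
}

$dcNames = @((Get-ADDomainController -Filter *).HostName)
$results = Test-DcReplicationPorts -DcNames $dcNames -Ports $portList

$closed = $results | Where-Object { -not $_.TcpOpen }
if ($closed) {
    Write-Warning "Blocked or filtered ports found:"
    $closed | Sort-Object Source, Target, Port | Format-Table Source, Target, Port, Service -AutoSize
} else {
    Write-Host "All tested TCP ports are reachable between DCs."
}
# Port 135 open but replication still failing usually points at the dynamic RPC range
# (49152-65535 on Windows Server 2008 and later) being filtered; check that range with PortQry.
```

The `(,$targets)` syntax keeps each array as a single argument when it crosses the remoting boundary; without it PowerShell would unroll the array into separate parameters.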
In some situations, security software installed on Domain Controllers may be the cause of communication issues. If you suspect this is behind your AD replication issue, you can temporarily disable it for troubleshooting. If security software turns out to be the cause, check whether your security policies can be adjusted and contact the vendor's technical support if required.
Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows: http://support.microsoft.com/kb/822158
Tombstoned Domain Controllers:
A Domain Controller becomes tombstoned if it exceeds the forest tombstone lifetime without replicating with other Domain Controllers.
Determine the tombstone lifetime for the forest: http://technet.microsoft.com/en-us/library/cc784932(v=ws.10).aspx
This condition can be identified by running dcdiag and repadmin commands. Details are in the following Microsoft KB.
Troubleshooting AD Replication error 8614: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime": http://support.microsoft.com/kb/2020053
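The following PowerShell is an added example, not the article's or Microsoft's code, that reads the forest tombstone lifetime from the configuration partition and then parses `repadmin /showrepl * /csv` to flag inbound partners whose last successful replication is older than that lifetime, or whose last failure status is 8614. It assumes the ActiveDirectory module and repadmin.exe (both available on a DC or with RSAT), run as Domain Admin; the CSV column names are those repadmin emits in English.

```powershell
# Added example (not from the article): find replication partners at or beyond the
# tombstone lifetime. Assumptions: ActiveDirectory module, repadmin.exe on the path,
# English repadmin CSV column names, run as Domain Admin from a DC or RSAT host.
Import-Module ActiveDirectory

function Get-ForestTombstoneLifetime {
    # The value lives on CN=Directory Service in the configuration naming context.
    # If the attribute is not set, the forest uses the legacy default of 60 days.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" `
                             -Properties tombstoneLifetime
    if ($dsObject.tombstoneLifetime) { [int]$dsObject.tombstoneLifetime } else { 60 }
}

function Find-StaleReplicationPartners {
    param([int]$TombstoneLifetimeDays)

    $cutoff = (Get-Date).AddDays(-$TombstoneLifetimeDays)
    # repadmin /showrepl * /csv: one row per (destination DC, naming context, source DC).
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv

    foreach ($row in $rows) {
        $lastSuccess = $null
        $parsed = [datetime]::MinValue
        if ([datetime]::TryParse($row.'Last Success Time', [ref]$parsed)) { $lastSuccess = $parsed }

        # No successful replication on record, or the last one is older than the lifetime.
        $stale = ($null -eq $lastSuccess) -or ($lastSuccess -lt $cutoff)
        # 8614 is the error the KB above describes: partner exceeded the tombstone lifetime.
        $tombstoneError = $row.'Last Failure Status' -match '8614'

        if ($stale -or $tombstoneError) {
            [pscustomobject]@{
                Destination   = $row.'Destination DSA'
                Source        = $row.'Source DSA'
                NamingContext = $row.'Naming Context'
                LastSuccess   = $lastSuccess
                Failures      = $row.'Number of Failures'
                LastStatus    = $row.'Last Failure Status'
            }
        }
    }
}

$tsl = Get-ForestTombstoneLifetime
Write-Host "Forest tombstone lifetime: $tsl days"

$findings = @(Find-StaleReplicationPartners -TombstoneLifetimeDays $tsl)
if ($findings.Count -eq 0) {
    Write-Host "No partner has exceeded the tombstone lifetime."
} else {
    Write-Warning "Partners at or beyond the tombstone lifetime (candidates for forced demotion and metadata cleanup):"
    $findings | Sort-Object Destination, Source | Format-Table -AutoSize
}
```

A partner that shows up only because it has never replicated successfully (for example a DC promoted minutes ago) is not tombstoned; confirm with `dcdiag /test:replications` on the destination DC before acting on the list.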
If you have a tombstoned Domain Controller, proceed as follows:
- Force the demotion of the Domain Controller using dcpromo /forceremoval command (You can also re-install it or just decommission it)
- Seize FSMO roles that this Domain Controller was holding to another Domain Controller (You can use netdom query fsmo command to get the list of FSMO holders): http://support.microsoft.com/kb/255504
- Do metadata cleanup of the faulty Domain Controller references: http://technet.microsoft.com/en-us/library/cc736378(v=ws.10).aspx
If your Active Directory replication is fine but you notice SYSVOL/netlogon replication failures, you can do a non-authoritative restore of SYSVOL on the faulty Domain Controller:
- Using the BurFlags registry key to reinitialize File Replication Service replica sets: http://support.microsoft.com/kb/290762
- How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS): http://support.microsoft.com/kb/2218556
If all of your Domain Controllers are faulty, you need to proceed by rebuilding the SYSVOL tree and its content in your domain.
How to rebuild the SYSVOL tree and its content in a domain: http://support.microsoft.com/kb/315457
See Also
- Central Management of DNS Configuration Compliance and Updates
- How to manage your DC/DNS servers with dynamic IPs in Windows Azure