Active Directory uses replication to keep data consistent between your domain controllers. When you create, delete or modify a domain controller, the change is replicated to the other domain controllers in the domain.
Active Directory replication troubleshooting can be tricky because there can be several potential reasons behind a replication failure. Two of the more common causes include a loss of network connectivity or a DNS configuration error. Replication errors can also occur as a result of authentication errors or a situation when the domain controller lacks the hardware resources to keep pace with the current demand. This is by no means a comprehensive list, but rather a rundown of some of the issues that commonly cause Active Directory replication failures.
Check the basics first
When starting the Active Directory replication troubleshooting process, it’s best to check the simple things first. Make sure that the domain controllers are powered on, functioning and able to communicate with one another across the network. It’s also important to make sure your firewalls are configured to allow Remote Procedure Call (RPC) traffic on port 135.
Similarly, take the time to review any recent changes to your network. This might include DNS configuration adjustments, modifications to the network topology or Dynamic Host Configuration Protocol alterations.
In addition, there are several system services that need to be running on your domain controllers for Active Directory replication to work properly. You should use the service control manager or PowerShell’s Get-Service cmdlet to verify the DNS infrastructure, Kerberos authentication protocol, Windows time service (W32time), RPC and network connectivity services are running.
Make sure your domain controller clocks are all in sync. The Active Directory depends on the Kerberos protocol, which is sensitive to clock skew. If the domain controller clocks fall out of sync by more than a few minutes, it will cause Kerberos to stop working, which can cause a variety of problems.
Begin Active Directory replication troubleshooting with DCDiag
Windows provides several native tools to help you figure out why you are experiencing problems with Active Directory replication. One of the first tools to try is DCDiag.
DCDiag is a general-purpose Active Directory diagnostic tool that is not specifically designed for troubleshooting Active Directory replication failures, but it is a great tool to start with. The reason for this is many times Active Directory replication issues are a symptom of a deeper problem. If your Active Directory is suffering from troubles that extend beyond simple replication problems, then the DCDiag tool can help pinpoint those issues.
To use the DCDiag tool, open an elevated command prompt window on a domain controller experiencing replication problems. Next, enter the DCDiag command. When you do, Windows will run a series of tests designed to assess the health of various Active Directory components. You can see an example of this in Figure 1.
If the DCDiag tool does not detect any problems, then you might consider running it on each domain controller within the domain. Occasionally, you may find that the tool returns very different results depending where it runs.
Try the Active Directory Replication Status tool
Once you have verified the overall health of your Active Directory environment, you should run the Active Directory Replication Status tool, provided by Microsoft at this link.
This tool, which you can see in Figure 2, discovers your Active Directory environment and provides information about the state of replication on the domain controllers.
To start, use the workspace on the left side of the tool to select either your forest or a specific domain within the forest. After your selection, click the Refresh Replication Status button. When you do, the tool collects information from your domain controllers and displays the results. The Environment Discovery tab, which you can see in the previous figure, will display the Active Directory nodes and the status of each. Similarly, the Replication Status Collection Details tab, shown in Figure 3, displays where replication is succeeding and where it is failing.
Get additional details from the Replication Status Admin tool
The Replication Status Admin tool, often referred to as RepAdmin, is one of the most widely used tools for troubleshooting Active Directory replication problems. When you run this tool on a domain controller and use the /showrepl switch, it will show all the inbound replication partner domain controllers, as well as the status of the most recent replication attempt from each. You can see what this looks like in Figure 4.
For the purposes of this article, we ran the RepAdmin tool on a domain controller in a small Active Directory domain. In larger environments, it may be helpful to export the information to a CSV file rather than display it on screen. That way, you can sort and filter the information as needed. To create a CSV file, use this command:
RepAdmin /Showrepl * /CSV > showrepl.csv
One last bit of advice
The tools and techniques discussed in this article should help get you started with your Active Directory replication troubleshooting method. However, if you are pressed for time and need a quick resolution, you can forcibly remove the malfunctioning domain controller from the domain and then add it back in. This will almost always either resolve the issue or yield additional clues as to why the problem is happening.