Active Directory Replication Issues – Basic Troubleshooting Steps (Single AD Domain in a Single AD Forest)

Article
1/17/2024

Most of Active Directory Replication issues are usually caused by one of the following:

DNS registration / resolution issues
Blocked or Filtered Active Directory replication ports
Tombstoned Domain Controllers

This article describes the basic troubleshooting steps that can be followed to troubleshoot these issues when you have a single domain in a single AD forest:

DNS registration / resolution issues:

For DNS registration / resolution issues, you can start by the following troubleshooting steps:

Make sure that your domain DNS zone domain.com is set to accept dynamic updates (It is recommended to have dynamic updates set to secure only)
Make sure that your _msdcs.domain.com is set to accept dynamic updates (It is recommended to have dynamic updates set to secure only)
Make sure that your domain controllers are not multi-homed (Each Domain Controller should have a single NIC card enabled and only one IP address in use)
Make sure that public DNS servers are not set as forwarders and not in IP settings of Domain Controllers
Use the following for the configuration of IP settings of Domain Controllers:

Scenario	How to proceed
A single Domain with a single Domain Controller	Make the Domain Controller point to: Its private IP address as primary DNS server and 127.0.0.1 as secondary one
A single Domain with two Domain Controllers	Make each Domain Controller point to: The private IP address of the other Domain Controller as primary DNS server Its private IP address as secondary DNS server 127.0.0.01 as third DNS server (Both Domain Controllers should be DNS servers to have this applied)
A single Domain with more than two Domain Controllers	My recommendation is to proceed like the following: Choose a healthy DC / DNS server Make the other Domain Controllers point to the private IP address of the chosen Domain Controller as primary DNS server For each DC/DNS server except the chosen one, make it point to its private IP address as secondary DNS server For each DC/DNS server except the chosen one, make it point to its 127.0.0.1 as third DNS server You can make the chosen Domain Controller point to its private IP address as primary DNS server and 127.0.0.1 as secondary one (After solving the AD replication issue resolution, I recommend to make it point to another Domain Controller as primary DNS server)

Once done, run ipconfig /registerdns and then restart netlogon service on each DC you have.

Blocked or Filtered Active Directory replication ports:

The following Active Directory ports should be opened in both directions (incoming and outgoing) between domain controllers: http://technet.microsoft.com/en-us/library/bb727063.aspx

PortQryUI or PortQry v2 are very useful tools that helps in querying ports to see if they are listening, filtered or not listening.

To download PortQryUI: http://www.microsoft.com/en-us/download/details.aspx?id=24009

To download PortQry V2: http://www.microsoft.com/en-gb/download/details.aspx?id=17148

In some situations, security software installed on Domain Controllers may be the cause of communication issues. If you suspect that this could be the issue of your AD replication issue, you can simply disable them temporary for troubleshooting (If you find that security software is the cause of an AD replication issue, you need to check if your security policies could be adjusted and contact its vendor technical support for assistance if this is required).

Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows: http://support.microsoft.com/kb/822158

** Tombstoned Domain Controllers:**

A Domain Controller becomes tombstoned if it exceeds your forest tombstone lifetime period without replicating with other Domain Contollers.

Determine the tombstone lifetime for the forest: http://technet.microsoft.com/en-us/library/cc784932(v=ws.10).aspx

This condition can be identified by running dcdiag and repadmin commands. Details are in the following Microsoft KB.

Troubleshooting AD Replication error 8614: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime": http://support.microsoft.com/kb/2020053

If you have a tombstoned Domain Controller, you need to proceed like the following:

Force the demotion of the Domain Controller using dcpromo /forceremoval command (You can also re-install it or just decommission it)
Seize FSMO roles that this Domain Controller was holding to another Domain Controller (You can use netdom query fsmo command to get the list of FSMO holders): http://support.microsoft.com/kb/255504
Do metadata cleanup of the faulty Domain Controller references: http://technet.microsoft.com/en-us/library/cc736378(v=ws.10).aspx

If your Active Directory replication is fine but you notice that there SYSVOL/netlogon replication failures, you can do a non-authoritative restore of SYSVOL on the faulty Domain Controller:

Using the BurFlags registry key to reinitialize File Replication Service replica sets: http://support.microsoft.com/kb/290762
How to force an authoritative and non-authoritative synchronization for DFSR-replicated SYSVOL (like "D4/D2" for FRS): http://support.microsoft.com/kb/2218556

If all of your Domain Controllers are faulty, you need to proceed by rebuilding the SYSVOL tree and its content in your domain.

How to rebuild the SYSVOL tree and its content in a domain: http://support.microsoft.com/kb/315457

Share via

Active Directory Replication Issues – Basic Troubleshooting Steps (Single AD Domain in a Single AD Forest)

Additional resources