Healthy replication in an AD forest is crucial. Here's how to check the replication status, discover errors, and resolve common AD replication problems.

Problems with replication can lead to authentication problems and problems with accessing resources on the network. AD object updates are replicated between DCs to ensure all partitions are synchronized. In large companies, having multiple domains and multiple sites is common. Replication must occur within the local site as well as the additional sites to keep domain and forest data the same between all DCs.

I'll show you how to identify AD replication problems. I'll also show you how to troubleshoot and resolve four of the most common AD replication errors:

Error 2. The target principal name is incorrect
Error 1. Could not find the domain controller
Error 8. Insufficient attributes were given to create an object
Error 8. Replication access was denied

Along the way, you'll learn how to analyze replication metadata using tools such as the AD Replication Status Tool, the built-in command-line utility RepAdmin.exe, and Windows PowerShell.

For this discussion, I'll use the Contoso forest shown in Figure 1. Table 1 contains the roles, IP addresses, and DNS client settings for the machines in that forest.

Table 1: Machine Roles and Settings (Machine; Roles; IP Address; DNS Client Settings)

DC1: DC in the forest root domain, DNS, GC server, all Flexible Single Master Operation (FSMO) roles.
DC2: DC in the forest root domain, DNS, GC server.
ChildDC1: DC in a child domain in the forest, DNS, GC server, domain-wide FSMO roles.
ChildDC2: RODC in the child domain in the forest, DNS, GC server, MinShell. 19. 2. 1. 68.
TRDC1: DC in a tree root domain in the forest, DNS, GC server, domain-wide FSMO roles.
Win8Client: Windows 8.

Identifying AD Replication Problems

To identify the AD replication problems, you can run the AD Replication Status Tool from your administration workstation in the forest's root domain. For this example, you'd open this tool from the Win8Client machine, then click the Refresh Replication Status button to ensure you're communicating properly with all the DCs. On the Discovery Missing Domain Controllers tab of the tool's Configuration/Scope Settings page, you can see two DCs are missing, as Figure 2 shows. On the Replication Status Collection Details tab, you can see the replication status of the DCs that aren't missing, as shown in Figure 3.

By going to the Replication Status Viewer page, you can see any replication errors that are occurring. As you can see in Figure 4, there are quite a few replication errors occurring in the Contoso forest. Note that out of the five DCs, two of them can't see the other DCs, which means replication isn't going to occur on the DCs that can't be seen. Therefore, users connecting to the child DCs aren't going to have the most up-to-date information, which can lead to problems.

Because there are replication errors, it's helpful to use RepAdmin.exe to get a forest-wide replication health report.
To create the file, you can run the following command from Cmd:

    Repadmin /showrepl * /csv > ShowRepl.csv

Because there are problems with two of the DCs, you'll see two occurrences of LDAP error 8. Server Down Win. Err 5. We'll deal with those errors later on. For now, open ShowRepl.csv in Excel and follow these steps:

1. From the Home menu, click Format as table and choose one of the styles.
2. While holding down the Ctrl key, click both column A (showrepl_COLUMNS) and column G (Transport Type). Right-click somewhere in those columns and select Hide.
3. Reduce the width of the remaining columns if needed so that column K (Last Failure Status) is visible.
4. For column I (Last Failure Time), click the down arrow and deselect 0.
5. Look at the date in column J (Last Success Time). This is the last time that replication was successful.
6. Look at the errors in column K (Last Failure Status). These errors will be the same as what you saw in the AD Replication Status Tool.

You can also run the RepAdmin.exe tool from PowerShell. To do so, follow these steps:

1. Go to a PowerShell prompt and run the command:

    Repadmin /showrepl * /csv | ConvertFrom-Csv | Out-GridView

2. In the grid window that appears, select Add Criteria, select Last Failure Status, and press Add.
3. Select the blue underlined word contains in the filter and select does not equal.
4. As shown in Figure 5, type a 0 in the box so that it filters out everything with a 0 (success) and shows only the errors.

Now that you know how to check the replication status and discover any errors, let's look at how to troubleshoot and resolve the four most common errors.

Troubleshooting and Resolving AD Replication Error 2.

Let's start with resolving error 2. DC2 is failing to replicate to DC1. From DC1, run the following Repadmin command to check the replication status of DC2:

    Repadmin /showrepl dc2

Figure 6 shows the results, which indicate that replication is failing because DC2's target principal name is incorrect.
However, error descriptions like this can be misleading, so you need to dig deeper. First, you should determine whether there's basic LDAP connectivity between the machines. To check this, run the following command from DC2:

    Repadmin /bind DC1

As Figure 6 shows, you're getting an LDAP error. Next, try to initiate AD replication from DC2 to DC1:

    Repadmin /replicate dc.

Once again, you see the same principal name error, as shown in Figure 6. If you open the Event Viewer on DC2, you'll see Event 4, as shown in Figure 7. The highlighted text in the event indicates the reason for the error. What this means is that DC1's computer account password is different than the password stored in AD for DC1 on the Key Distribution Center (KDC), which, in this case, is running on DC2. So, the next task is to determine whether DC1's computer account password matches what is stored on DC2. From a command prompt on DC1, run the following two commands:

    Repadmin /showobjmeta dc.
    Repadmin /showobjmeta dc.

Afterward, open the dc. dBCSPwd, UnicodePWD, NtPwdHistory, PwdLastSet, and lmPwdHistory. In this case, the dc. So, comparing these two files reveals that DC2 has old password information for DC1. The Kerberos operation failed because DC1 was unable to decrypt the service ticket presented by DC2.

The KDC running on DC2 can't be used for Kerberos with DC1 because DC2 has the old password information. To resolve this problem, you must force DC2 to use the KDC on DC1 so the replication will complete. To do so, you first need to stop the KDC service on DC2:

    Net stop kdc

Then, you need to initiate replication of the Root partition:

    Repadmin /replicate dc.

Next, you should run the two Repadmin /showobjmeta commands again to verify the versions are the same. If all is well, you can restart the KDC service:

    Net start kdc

Troubleshooting and Resolving AD Replication Error 1.

Now that the 2. AD replication error 1.
DC1, DC2, and TRDC1 failed to replicate from ChildDC1. To troubleshoot this problem, you can use Nltest. Netlogon.log file to determine the cause of error 1. First, enable verbose logging on DC1 by running the command:

    Nltest /dbflag:2.

Now that logging is enabled, you need to initiate replication on the DCs so that any errors are logged. It's helpful to run three commands to reproduce the errors. First, run the following command on DC1:

    Repadmin /replicate dc.

As you can see in Figure 8, the results indicate that replication is failing because the domain's DC couldn't be found. Second, from DC1, try to locate the KDC in the child domain:

    Nltest /dsgetdc:child /kdc

The results in Figure 8 indicate that there's no such domain. Third, because you can't find the KDC, try to reach any DC in the child domain using the command:

    Nltest /dsgetdc:child
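
Returning to the RepAdmin.exe CSV report described earlier: the following is an added example, not part of the original article, that applies the same "Last Failure Status does not equal 0" filter in a script and also reports how long each failing link has gone without a successful replication. The sample rows are constructed. The column names not mentioned in the article (Destination DSA, Source DSA, Naming Context, Number of Failures) and the timestamp format are assumptions about the CSV layout.

```powershell
# Added example. The rows below are constructed sample data, not real output.
# Column names other than Transport Type, Last Failure Time, Last Success Time
# and Last Failure Status, and the timestamp format, are assumptions.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,DC1,"DC=example,DC=test",SiteA,DC2,RPC,14,2024-01-10 08:15:02,2024-01-08 02:00:41,1722
showrepl_INFO,SiteA,DC2,"DC=example,DC=test",SiteA,DC1,RPC,0,0,2024-01-10 08:00:12,0
showrepl_INFO,SiteA,DC1,"CN=Configuration,DC=example,DC=test",SiteB,CHILDDC1,RPC,3,2024-01-10 07:45:30,2024-01-09 23:10:05,5
showrepl_INFO,SiteB,CHILDDC1,"CN=Configuration,DC=example,DC=test",SiteA,DC1,RPC,0,0,2024-01-10 08:05:44,0
'@

function Get-ReplicationFailure {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [datetime] $Now = (Get-Date)
    )
    foreach ($row in $Rows) {
        # Same filter as the grid view: keep only rows whose status is not 0.
        if ($row.'Last Failure Status' -eq '0') { continue }

        # A link that has never replicated may not carry a parseable timestamp.
        $lastOk = [datetime]::MinValue
        $parsed = [datetime]::TryParseExact(
            $row.'Last Success Time', 'yyyy-MM-dd HH:mm:ss',
            [cultureinfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::None, [ref]$lastOk)

        [pscustomobject]@{
            Source        = $row.'Source DSA'
            Destination   = $row.'Destination DSA'
            NamingContext = $row.'Naming Context'
            Failures      = [int]$row.'Number of Failures'
            Status        = [int]$row.'Last Failure Status'
            HoursStale    = if ($parsed) {
                [math]::Round(($Now - $lastOk).TotalHours, 1)
            } else { $null }
        }
    }
}

$rows = $sample | ConvertFrom-Csv
# Against a live forest, replace the line above with:
#   $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
Get-ReplicationFailure -Rows $rows |
    Sort-Object HoursStale -Descending |
    Format-Table -AutoSize
```

Sorting by HoursStale puts the links that have been out of sync longest at the top, which is usually where troubleshooting should start.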