Troubleshooting replication

Updated: April 4, 2008 Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

For more detailed replication troubleshooting information than is available here, and for additional information about functionality in the version of Dcdiag.exe that is included in Windows Support Tools that ship with Windows Server 2003 with Service Pack 1 (SP1), see Troubleshooting Active Directory Replication Problems on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=60980).

What problem are you having?

• Monitoring replication.
• Replication between sites is slow.
• Received Event ID 1311 in the directory service log.
• Received Event ID 1265 with error "DNS Lookup Failure," or "RPC server is unavailable" in the directory service log. Or, received "DNS Lookup Failure" or "Target account name is incorrect" from the repadmin command.
• Received Event ID 1265 "Access denied," in directory service log. Or, received "Access denied" from the repadmin command.
• Received "Access denied" from Active Directory Sites and Services when manual replication was attempted.
• Unable to connect to a domain controller running Windows 2000 from the Active Directory Sites and Services snap-in.
• Search for new and updated information about replication. Or, your question does not match any of those listed above.

Monitoring replication.

Cause: You should monitor replication regularly to help you identify and fix problems before they grow.

Solution: Regular monitoring is the key to good replication maintenance. Repadmin.exe and dcdiag.exe (both part of the Windows Support Tools) and the directory service event log (accessible through the Event Viewer) are the primary tools for monitoring replication.

• Repadmin is a command-line tool that reports failures on a replication link between two replication partners. The following repadmin example displays the replication partners and any replication link failures for Server1 on the microsoft.com domain:

    repadmin /showrepl server1.microsoft.com


For a complete list of repadmin options, use the ? option:

    repadmin /?

• Dcdiag is a command-line tool that can check the DNS registration of a domain controller, check to see that the security descriptors (SIDs) on the naming context heads have appropriate permissions for replication, analyze the state of domain controllers in a forest or enterprise, and more. The following dcdiag example checks for any replication errors between domain controllers:

    dcdiag /test:replications

For a complete list of dcdiag options, use the ? option:

    dcdiag /?

• The directory service log reports replication errors that occur after a replication link has been established. For information about viewing the directory service log, see View an event log.

Large enterprises may also want to use the Microsoft Operations Manager for automated monitoring of large numbers of domain controllers. For more information, see Active Directory Management Pack Technical Reference for Microsoft Operations Manager 2005 on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=38341).

See also: Event Viewer; Install Windows Support Tools; Technical support options

Replication between sites is slow.

Cause: The time required to replicate directory data between domain controllers is known as the replication latency. Replication latency can vary greatly, depending on the number of domain controllers, the number of sites, the available bandwidth between sites, replication frequency, and more.

Solution: Monitoring replication regularly is a good way to determine the normal replication latency on your network. With this knowledge, you can more easily determine if a problem is occurring. For more information, see the "Monitoring Replication" troubleshooting topic above.

Review the directory service log for any recent replication errors. Also, run repadmin /showrepl and review any resulting errors.

A good site topology design is important for replication efficiency. For information about site topology design guidelines, see When to establish a single or separate sites and Designing the Site Topology on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=4724).

A number of algorithm enhancements have been made to replication in the Windows Server 2003 operating systems to improve replication efficiency and scalability. Some of these enhancements take effect in a forest set to Windows 2000 functional level, while others require the Windows Server 2003 functional level. You will gain the greatest improvement from these enhancements by upgrading your forest to Windows Server 2003 functional level. For more information about forest functionality, see Domain and forest functionality.

Adlb.exe is a tool that can help improve replication efficiency even further in forests set to the Windows Server 2003 functional level. For more information about Adlb, see the Windows Server 2003 Active Directory Branch Office Planning and Deployment Guide on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=28523).

See also: Replication overview; Replication between sites; Managing replication; Bandwidth; Checklist: Optimizing intersite replication

Received Event ID 1311 in the directory service log.

Cause: The replication configuration information in Active Directory Sites and Services does not accurately reflect the physical topology of the network. Common causes of Event ID 1311 include:

• One or more domain controllers are offline.
• One or more sites are not contained in site links.
• Site links contain all sites, but the site links are not all interconnected.
• Preferred bridgeheads defined by the administrator are offline.
• Preferred bridgehead servers defined by administrators are online but do not host the required naming contexts.
• Bridgehead servers are online but experiencing errors replicating a required naming context between Active Directory sites.

Solution: To resolve an error in the configuration of replication:

• Make sure all sites belong to at least one site link. For more information, see Add a site to a site link.
• Make sure that the combination of site links you have created allows a path between all domain controllers containing a replica of a given directory partition. For example, if a directory partition is held by domain controllers in both Site A and Site C, make sure that Site A and Site C belong to a common site link, or that an intermediary site exists that has at least one site link in common with Site A and at least one site link in common with Site B.
• Make sure that you have cleared the Bridge all site links check box in Active Directory Sites and Services if your network is not fully routed. Or, if your network is fully routed and you have cleared the Bridge all site links check box, you may need to select it again to allow full replication of a directory partition. For more information, see Enable or disable site link bridges.
• If you have manually assigned preferred bridgehead servers, make sure these servers are not offline. (It is generally recommended that you allow Active Directory to select bridgehead servers automatically.)
• Use Ping.exe and Network Monitor to verify connectivity through WAN links and across routers. For more information about Network Monitor, see Network Monitor overview.
• You can also search the Microsoft Knowledge Base on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=4441) for new and updated information about Event ID 1311.

See also: Create a site link; Add a site to a site link; Enable or disable site link bridges; Install Windows Support Tools

Received Event ID 1265 with error "DNS Lookup Failure," or "RPC server is unavailable" in the directory service log. Or, received "DNS Lookup Failure" or "Target account name is incorrect" from the repadmin command.

Cause: These messages are often the result of DNS problems.

DNS errors that are reported by the directory service log or by repadmin /showrepl mean that the destination domain controller could not resolve the GUID-based DNS name of its source replication partner. Active Directory replication depends on the following:

• Each domain controller in the forest must register its CNAME record for the name DsaGuid._msdcs.ForestName. DsaGuid is the GUID of the NTDS Settings object of the domain controller (visible in Active Directory Sites and Services as the DNS alias property of the server object's NTDS settings). This record usually belongs to the _msdcs.ForestName zone or, if that zone does not exist, the ForestName zone.
• Each advertising domain controller in the forest must register its A record in the appropriate zone for each domain in the forest. The A record must map to the current IP address of the respective domain controller.
• The records must have replicated to the DNS servers used by direct replication partners.
• Each DNS zone must have the proper delegations to the child zones.
• The IP configuration of the domain controllers must contain correct preferred and alternate DNS servers.

Solution: Do the following:

1. Verify CNAME and A records. At a command prompt, type the following:

    dcdiag /test:connectivity

2. If the CNAME and A records are missing, restart netlogon. At a command prompt, type the following:

    net start netlogon

3. Again, verify CNAME and A records, by repeating step 1.
4. If the records are still missing, verify IP configuration. Verify that the preferred and alternate DNS servers specified in the IP configuration of the source and destination domain controllers are correct.
5. If the client is configured correctly, verify that the zone is dynamic. At a command prompt, type the following:

    dcdiag /test:registerindns /dnsdomain

6. To verify that name resolution is the cause of the problem, ping the GUID-based name of the domain controller where replication failed. If it works, the next replication cycle should not return this error.
7. If the ping fails, further DNS troubleshooting is required. For more information, see Troubleshooting Domain Name System on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=62177).

See also: Nslookup; Ping; Net start; Troubleshooting DNS; Install Windows Support Tools

Received Event ID 1265 "Access denied," in directory service log. Or, received "Access denied" from the repadmin command.

Cause: This error can occur if the local domain controller failed to authenticate against its replication partner when creating the replication link or when trying to replicate over an existing link. This typically happens when the domain controller has been disconnected from the rest of the network for a long time and its computer account password is not synchronized with its computer account password stored in the directory of its replication partner.

Solution: Do the following:

1. Stop the Key Distribution Center (KDC) service using net stop KDC.
2. Purge the ticket cache on the local domain controller.
3. Reset the domain controller's account password on the primary domain controller (PDC) emulator master using netdom /resetpwd. (Netdom.exe is available in Windows Support Tools).
4. Synchronize the domain directory partition of the replication partner with the PDC emulator master.
5. Manually force replication between the replication partner and the PDC emulator master.
6. Start the KDC on the local domain controller:

    net start KDC

See also: User and computer accounts; Install Windows Support Tools

Received "Access denied" from Active Directory Sites and Services when manual replication was attempted.

Cause: Using Active Directory Sites and Services to force replication initiates replication on all common directory partitions between the replication partners. However, a user can only force manual replication for containers on which they have been assigned the Replication Synchronization permission. The replication of other directory partitions will fail, causing the "Access Denied" error.

Solution: The repadmin or replmon command-line tools from Windows Support Tools can be used to manually force the replication of a specific directory partition. Replication synchronization is a special permission. For more information about special permissions, see Set, view, change, or remove special permissions and Active Directory object permissions.

See also: Install Windows Support Tools; Force replication over a connection; Active Directory support tools

Unable to connect to a domain controller running Windows 2000 from the Active Directory Sites and Services snap-in.

Cause: You are trying to connect to a domain controller running Windows 2000 that does not have Service Pack 3 or later installed.

Solution: Upgrade domain controllers running Windows 2000 to Service Pack 3 or later.

See also: Connecting to domain controllers running Windows 2000; Managing Active Directory from MMC

Search for new and updated information about replication. Or, your question does not match any of those listed above.

Cause: New and updated information is regularly published on the Microsoft Web site.

Solution: Visit the following links for the latest information:

• Searching the Knowledge Base on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=4441)
  Search the Microsoft Knowledge Base of technical support information and self-help tools for Microsoft products.
• Microsoft Windows Server TechCenter on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=34403)
  Search for troubleshooting information, service packs, patches, and downloads for your system. View the Technical Library for the latest product information, including deployment, operations, and technical reference.
• Active Directory Collection in the Windows Server 2003 Technical Reference on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=4549)
  View detailed technical information about Active Directory replication and other technologies, including troubleshooting Active Directory replication.
• Product Support Services on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=281)
  Search FAQs by product, browse the product support newsgroups, and contact Microsoft Support.
• Windows Server Community on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=832)
  The official online community for enthusiasts of the Windows server operating systems.

See also: Technical support options; Install Windows Support Tools; Using the Windows Deployment and Resource Kits
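
The regular monitoring recommended under "Monitoring replication" can be scripted. The following is an added example, not part of the original Microsoft page: it reads saved output in the CSV layout of repadmin /showrepl * /csv (the /csv switch and the column names are assumptions not shown on this page, and the sample rows are constructed) and maps the Win32 status codes behind the error texts named above to the matching troubleshooting topic.

```python
import csv
import io

# Win32 status codes for the error texts named on this page, mapped to the
# troubleshooting topic that covers each one.
DNS_TOPIC = 'Event ID 1265: "DNS Lookup Failure" / "RPC server is unavailable"'
ACCESS_TOPIC = 'Event ID 1265: "Access denied"'
TOPIC_BY_STATUS = {
    8524: DNS_TOPIC,     # ERROR_DS_DNS_LOOKUP_FAILURE
    1722: DNS_TOPIC,     # RPC_S_SERVER_UNAVAILABLE
    1396: DNS_TOPIC,     # ERROR_WRONG_TARGET_NAME ("Target account name is incorrect")
    5: ACCESS_TOPIC,     # ERROR_ACCESS_DENIED
}

# Constructed sample rows; the column names are assumed to match the tool's CSV header.
SAMPLE_CSV = """\
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,SERVER1,"DC=example,DC=com",SiteB,SERVER2,RPC,0,0,2008-04-04 09:15:02,0
showrepl_INFO,SiteB,SERVER2,"DC=example,DC=com",SiteC,SERVER3,RPC,3,2008-04-04 08:55:10,2008-04-04 06:01:00,5
showrepl_INFO,SiteA,SERVER1,"CN=Configuration,DC=example,DC=com",SiteC,SERVER3,RPC,12,2008-04-04 09:10:41,2008-04-03 21:02:17,8524
showrepl_INFO,SiteC,SERVER3,"DC=example,DC=com",SiteA,SERVER1,RPC,1,2008-04-04 08:40:00,2008-04-04 08:00:00,1256
"""

def failing_links(csv_text):
    """Return one finding per replication link that reports failures, worst first."""
    header, findings = None, []
    for row in csv.reader(io.StringIO(csv_text)):
        if row and row[0] == "showrepl_COLUMNS":
            header = row[1:]  # take column names from the file, not a fixed order
        elif row and row[0] == "showrepl_INFO" and header:
            link = dict(zip(header, row[1:]))
            try:
                failures = int(link["Number of Failures"])
                status = int(link["Last Failure Status"])
                finding = {"destination": link["Destination DSA"], "source": link["Source DSA"],
                           "partition": link["Naming Context"], "failures": failures, "status": status,
                           "topic": TOPIC_BY_STATUS.get(status, "other: run dcdiag /test:replications")}
            except (KeyError, ValueError):
                continue  # malformed or truncated row: skip it rather than guess
            if failures > 0:
                findings.append(finding)
    return sorted(findings, key=lambda f: f["failures"], reverse=True)

if __name__ == "__main__":
    for f in failing_links(SAMPLE_CSV):
        print("{destination} <- {source} [{partition}] failures={failures} "
              "status={status}: {topic}".format(**f))
```

Links with the highest failure count are listed first, so a partner that has been failing for a long time is reviewed before a transient error.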