Troubleshooting replication

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

For more detailed replication troubleshooting information than is available here, and for additional information about functionality in the version of Dcdiag.exe that is included in Windows Support Tools that ship with Windows Server 2003 with Service Pack 1 (SP1), see Troubleshooting Active Directory Replication Problems on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=60980).

What problem are you having?

  • Monitoring replication.

  • Replication between sites is slow.

  • Received Event ID 1311 in the directory service log.

  • Received Event ID 1265 with error "DNS Lookup Failure," or "RPC server is unavailable" in the directory service log. Or, received "DNS Lookup Failure" or "Target account name is incorrect" from the repadmin command.

  • Received Event ID 1265 "Access denied," in directory service log. Or, received "Access denied" from the repadmin command.

  • Received "Access denied" from Active Directory Sites and Services when manual replication was attempted.

  • Unable to connect to a domain controller running Windows 2000 from the Active Directory Sites and Services snap-in.

  • Search for new and updated information about replication. Or, your question does not match any of those listed above.

Monitoring replication.
  • Cause:  You should monitor replication regularly to help you identify and fix problems before they grow.

  • Solution:  Regular monitoring is the key to good replication maintenance. Repadmin.exe and dcdiag.exe (both part of the Windows Support Tools) and the directory service event log (accessible through the Event Viewer) are the primary tools for monitoring replication.

    Repadmin is a command-line tool that reports the replication partners of a domain controller and any failures on the replication link to each partner. The following repadmin example displays the replication partners and any replication link failures for Server1 in the microsoft.com domain:

    repadmin /showrepl server1.microsoft.com

    For a complete list of repadmin options, use the ? option:

    repadmin /?

    Dcdiag is a command-line tool that can check the DNS registration of a domain controller, check that the security descriptors on the naming context heads grant the permissions replication requires, analyze the state of domain controllers in a forest or enterprise, and more. The following dcdiag example checks for replication errors between domain controllers:

    dcdiag /test:replications

    For a complete list of dcdiag options, use the ? option:

    dcdiag /?

    The directory service log reports replication errors that occur after a replication link has been established. For information about viewing the directory service log, see View an event log.

    Large enterprises may also want to use the Microsoft Operations Manager for automated monitoring of large numbers of domain controllers. For more information, see Active Directory Management Pack Technical Reference for Microsoft Operations Manager 2005 on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=38341).
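    Regular monitoring means reading repadmin /showrepl output from many domain controllers, so it helps to parse it rather than eyeball it. The following Python script is an added example, not part of the original page or of the Windows Support Tools: it parses a constructed sample of repadmin /showrepl output (the server names, sites and GUIDs are placeholders), extracts every failing inbound link with its Win32 result code, error text and consecutive-failure count, and maps the codes that this page discusses (5, 1396, 1722, 8524) to the troubleshooting topic that applies.

```python
import re
from dataclasses import dataclass

# Constructed sample of "repadmin /showrepl" output in the Windows Server 2003
# format. Server, site, partition and GUID values are placeholders, not real data.
SAMPLE_SHOWREPL = """\
Default-First-Site-Name\\SERVER1
DSA Options: IS_GC
objectGuid: 4e1c8b2a-0f7d-4b6e-9d3a-1c2b3d4e5f60
DSA invocationID: 7a2c0c4e-2a11-4e2a-bd2f-5b6c7d8e9f01

==== INBOUND NEIGHBORS ======================================

DC=microsoft,DC=com
    Default-First-Site-Name\\SERVER2 via RPC
        DSA object GUID: 8d5f3a1b-6c7e-4d2f-a9b0-c1d2e3f4a5b6
        Last attempt @ 2006-03-01 10:00:12 was successful.

CN=Configuration,DC=microsoft,DC=com
    Default-First-Site-Name\\SERVER2 via RPC
        DSA object GUID: 8d5f3a1b-6c7e-4d2f-a9b0-c1d2e3f4a5b6
        Last attempt @ 2006-03-01 10:00:13 failed, result 1722 (0x6ba):
            The RPC server is unavailable.
        3 consecutive failure(s).
        Last success @ 2006-02-28 21:15:00.

CN=Schema,CN=Configuration,DC=microsoft,DC=com
    Branch-Site\\SERVER3 via RPC
        DSA object GUID: 0b1c2d3e-4f50-4617-8293-a4b5c6d7e8f9
        Last attempt @ 2006-03-01 10:00:14 failed, result 8524 (0x214c):
            The DSA operation is unable to proceed because of a DNS lookup failure.
        12 consecutive failure(s).
        Last success @ 2006-02-27 03:00:00.
"""

# Win32 result codes that correspond to the troubleshooting topics on this page.
TOPIC_FOR_RESULT = {
    5:    "Access denied (see the Event ID 1265 Access denied topic)",
    1396: "Target account name is incorrect (see the DNS lookup failure topic)",
    1722: "RPC server is unavailable (see the DNS lookup failure topic)",
    8524: "DNS lookup failure (see the DNS lookup failure topic)",
}

@dataclass
class LinkFailure:
    partition: str
    partner: str
    result: int
    message: str = ""
    consecutive: int = 0

    def topic(self):
        return TOPIC_FOR_RESULT.get(self.result, "Unlisted result code; search the Knowledge Base")

FAILED_RE = re.compile(r"Last attempt @ \S+ \S+ failed, result (\d+) \(0x[0-9a-fA-F]+\):")
CONSEC_RE = re.compile(r"(\d+) consecutive failure\(s\)\.")

def parse_showrepl(text):
    """Return one LinkFailure per failing inbound link in repadmin /showrepl output."""
    failures = []
    partition = partner = None
    pending = None          # failure whose error text / failure count is still to come
    in_inbound = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("==== "):                     # section header
            in_inbound = line.startswith("==== INBOUND NEIGHBORS")
            continue
        if not in_inbound or not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        stripped = line.strip()
        if indent == 0:                                  # naming context header
            partition, partner, pending = stripped, None, None
        elif indent == 4 and " via " in stripped:        # "Site\Server via RPC"
            partner, pending = stripped.split(" via ")[0], None
        elif indent == 8:
            m = FAILED_RE.match(stripped)
            if m:
                pending = LinkFailure(partition, partner, int(m.group(1)))
                failures.append(pending)
                continue
            m = CONSEC_RE.match(stripped)
            if m and pending is not None:
                pending.consecutive = int(m.group(1))
        elif indent == 12 and pending is not None and not pending.message:
            pending.message = stripped                   # error text under the failed attempt
    return failures

def report(failures):
    """One line per failing link, the link with the most consecutive failures first."""
    lines = []
    for f in sorted(failures, key=lambda f: f.consecutive, reverse=True):
        lines.append(f"{f.partner} -> {f.partition}: result {f.result} "
                     f"({f.message}), {f.consecutive} consecutive failure(s); {f.topic()}")
    return lines

if __name__ == "__main__":
    for line in report(parse_showrepl(SAMPLE_SHOWREPL)):
        print(line)
```

    To use it against live data, redirect repadmin /showrepl on each domain controller to a file and feed the file contents to parse_showrepl; sorting by consecutive failures puts links that have been broken longest at the top, which is usually where the tombstone-lifetime risk is.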

See also:  Event Viewer; Install Windows Support Tools; Technical support options

Replication between sites is slow.
  • Cause:  The time required to replicate directory data between domain controllers is known as the replication latency. Replication latency can vary greatly, depending on the number of domain controllers, the number of sites, the available bandwidth between sites, replication frequency, and more.

  • Solution:

    • Monitoring replication regularly is a good way to determine the normal replication latency on your network. With this knowledge, you can more easily determine if a problem is occurring. For more information, see the "Monitoring Replication" troubleshooting topic above.

    • Review the directory service log for any recent replication errors. Also, run repadmin /showrepl and review any resulting errors.

    • A good site topology design is important for replication efficiency. For information about site topology design guidelines, see When to establish a single or separate sites and Designing the Site Topology on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=4724).

    • A number of algorithm enhancements have been made to replication in the Windows Server 2003 operating systems to improve replication efficiency and scalability. Some of these enhancements take effect in a forest set to Windows 2000 functional level, while others require the Windows Server 2003 functional level. You will gain the greatest improvement from these enhancements by upgrading your forest to Windows Server 2003 functional level. Adlb.exe is a tool that can help improve replication efficiency even further in forests set to the Windows Server 2003 functional level. For more information about Adlb, see the Windows Server 2003 Active Directory Branch Office Planning and Deployment Guide on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=28523). For more information about forest functionality, see Domain and forest functionality.

See also:  Replication overview; Replication between sites; Managing replication; Bandwidth; Checklist: Optimizing intersite replication

Received Event ID 1311 in the directory service log.
  • Cause:  The replication configuration information in Active Directory Sites and Services does not accurately reflect the physical topology of the network.

    Common causes of Event ID 1311 include:

    • One or more domain controllers are offline.

    • Bridgehead servers are online but experiencing errors replicating a required naming context between Active Directory sites.

    • Preferred bridgehead servers defined by administrators are online but do not host the required naming contexts.

    • One or more sites are not contained in site links.

    • Site links contain all sites, but the site links are not all interconnected.

    • Preferred bridgeheads defined by the administrator are offline.

  • Solution:   To resolve an error in the configuration of replication:

    • Make sure all sites belong to at least one site link. For more information, see Add a site to a site link.

    • Make sure that the combination of site links you have created allows a path between all domain controllers containing a replica of a given directory partition. For example, if a directory partition is held by domain controllers in both Site A and Site C, make sure that Site A and Site C belong to a common site link, or that an intermediary site exists that has at least one site link in common with Site A and at least one site link in common with Site C.

    • Make sure that you have cleared the Bridge all site links check box in Active Directory Sites and Services if your network is not fully routed. Or, if your network is fully routed and you have cleared the Bridge all site links check box, you may need to select it again to allow full replication of a directory partition. For more information, see Enable or disable site link bridges.

    • If you have manually assigned preferred bridgehead servers, make sure these servers are not offline. (It is generally recommended that you allow Active Directory to select bridgehead servers automatically.)

    • Use Ping.exe and Network Monitor to verify connectivity through WAN links and across routers. For more information about Network Monitor, see Network Monitor overview.

    • You can also search the Microsoft Knowledge Base on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=4441) for new and updated information about Event ID 1311.
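    The first three checks above (every site in a site link, a site-link path between all replica holders, and the effect of the Bridge all site links setting) can be run against an export of your site topology before the KCC logs Event ID 1311. The following Python script is an added example, not part of the original page: it models a constructed four-site topology (site and partition names are placeholders) and reports sites in no site link and pairs of replica-holding sites with no path between them, once with site links treated as transitive (Bridge all site links selected) and once without. It models only site-link membership, not link cost, schedule or bridgehead availability, so it is a topology sanity check rather than a reproduction of the KCC.

```python
from collections import deque

# Constructed topology (placeholders, not from the page): four sites, two
# site links, and two directory partitions with the sites that hold replicas.
SITES = {"Site-A", "Site-B", "Site-C", "Site-D"}
SITE_LINKS = {
    "A-B": {"Site-A", "Site-B"},
    "B-C": {"Site-B", "Site-C"},
}
PARTITION_SITES = {
    "DC=microsoft,DC=com": {"Site-A", "Site-C"},
    "DC=child,DC=microsoft,DC=com": {"Site-C", "Site-D"},
}

def sites_without_link(sites, site_links):
    """Sites that belong to no site link at all (the first check in the list above)."""
    linked = set().union(*site_links.values()) if site_links else set()
    return sorted(sites - linked)

def reachable_sites(start, site_links, bridge_all_site_links=True):
    """Sites to which replication can be routed from `start`.
    With Bridge all site links selected, site links are transitive, so this is a
    graph search over shared site-link membership. With it cleared (and no manual
    site link bridges), only sites that share a site link with `start` are reachable."""
    seen = {start}
    queue = deque([start])
    while queue:
        site = queue.popleft()
        for members in site_links.values():
            if site not in members:
                continue
            for other in members - seen:
                seen.add(other)
                if bridge_all_site_links:
                    queue.append(other)
    return seen

def disconnected_pairs(holders, site_links, bridge_all_site_links=True):
    """Pairs of replica-holding sites with no replication path between them."""
    holders = sorted(holders)
    pairs = []
    for i, a in enumerate(holders):
        reach = reachable_sites(a, site_links, bridge_all_site_links)
        for b in holders[i + 1:]:
            if b not in reach:
                pairs.append((a, b))
    return pairs

def unreachable_partitions(partition_sites, site_links, bridge_all_site_links=True):
    """Map each partition to its disconnected site pairs; healthy partitions are omitted."""
    result = {}
    for partition, holders in partition_sites.items():
        pairs = disconnected_pairs(holders, site_links, bridge_all_site_links)
        if pairs:
            result[partition] = pairs
    return result

if __name__ == "__main__":
    print("Sites in no site link:", sites_without_link(SITES, SITE_LINKS))
    for bridged in (True, False):
        print(f"Bridge all site links = {bridged}:",
              unreachable_partitions(PARTITION_SITES, SITE_LINKS, bridged))
```

    In the constructed topology, Site-D is in no site link, so the child domain partition can never reach it; and with Bridge all site links cleared, Site-A and Site-C lose their path through Site-B as well, which is exactly the case the third check above describes.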

See also:  Create a site link; Add a site to a site link; Enable or disable site link bridges; Install Windows Support Tools

Received Event ID 1265 with error "DNS Lookup Failure," or "RPC server is unavailable" in the directory service log. Or, received "DNS Lookup Failure" or "Target account name is incorrect" from the repadmin command.
  • Cause:  These messages are often the result of DNS problems. Active Directory replication depends on the following:

    • Each domain controller in the forest must register its CNAME record for the name DsaGuid._msdcs.ForestName. DsaGuid is the GUID of the NTDS Settings object of the domain controller (visible in Active Directory Sites and Services as the DNS alias property of the server object's NTDS settings). This record usually belongs to the _msdcs.ForestName zone or, if that zone does not exist, the ForestName zone.

    • Each advertising domain controller in the forest must register its A record in the appropriate zone for each domain in the forest.

    • The A record must map to the current IP address of the respective domain controller.

    • The records must have replicated to the DNS servers used by direct replication partners.

    • Each DNS zone must have the proper delegations to the child zones.

    • The IP configuration of the domain controllers must contain correct preferred and alternate DNS servers.

    DNS errors that are reported by the directory service log or by repadmin /showrepl mean that the destination domain controller could not resolve the GUID-based DNS name of its source replication partner.

  • Solution:  Do the following:

  1. Verify the CNAME and A records. At a command prompt, type the following:

    dcdiag /test:connectivity

  2. If the CNAME and A records are missing, restart the Net Logon service, which re-registers the domain controller's DNS records. At a command prompt, type the following:

    net stop netlogon
    net start netlogon

  3. Verify the CNAME and A records again by repeating step 1.

  4. If the records are still missing, verify the IP configuration. Verify that the preferred and alternate DNS servers specified in the IP configuration of the source and destination domain controllers are correct (ipconfig /all displays the current settings).

  5. If the DNS client settings are correct, verify that the zone accepts dynamic updates. At a command prompt, type the following, where DomainName is the DNS name of the domain controller's domain:

    dcdiag /test:registerindns /dnsdomain:DomainName

  6. To confirm that name resolution is the cause of the problem, ping the GUID-based name (DsaGuid._msdcs.ForestName) of the source domain controller for the failed replication link. If the name resolves, the next replication cycle should not return this error.

  7. If the ping fails, further DNS troubleshooting is required. For more information, see Troubleshooting Domain Name System on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=62177).

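    The dependency list above reduces to a fixed chain per replication partner: the GUID-based CNAME must exist, it must point to a host that has an A record, and that A record must hold the partner's current address. The following Python script is an added example, not part of the original page or of Dcdiag: it walks that chain for a set of constructed partners against a constructed zone (GUIDs, host names and addresses are placeholders) and classifies each partner as ok, missing-cname, missing-a or stale-a, which tells you which step of the procedure above to start from. The zone_lookup helper stands in for a real resolver; in production replace it with a function that queries the DNS servers the destination domain controller actually uses.

```python
# Checks the DNS dependencies for replication partners:
#   DsaGuid._msdcs.ForestName  --CNAME-->  host  --A-->  current IP address
# The zone contents and partner list below are constructed placeholders.

def expected_cname(dsa_guid, forest_name):
    """Name every domain controller must register: DsaGuid._msdcs.ForestName."""
    return f"{dsa_guid.lower()}._msdcs.{forest_name.rstrip('.').lower()}"

CONSTRUCTED_ZONE = {
    # server2: registered correctly
    ("a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d._msdcs.microsoft.com", "CNAME"): "server2.microsoft.com",
    ("server2.microsoft.com", "A"): "10.1.2.20",
    # server3: CNAME present, but the A record still holds an old address
    ("0b1c2d3e-4f50-4617-8293-a4b5c6d7e8f9._msdcs.microsoft.com", "CNAME"): "server3.microsoft.com",
    ("server3.microsoft.com", "A"): "10.1.3.5",
    # server4: CNAME present, A record never registered
    ("5e6f7a8b-9c0d-4e1f-a2b3-c4d5e6f7a8b9._msdcs.microsoft.com", "CNAME"): "server4.microsoft.com",
    # server5: no CNAME at all (Net Logon has not registered it)
}

def zone_lookup(zone):
    """Return a lookup(name, rtype) function backed by a dict (offline stand-in
    for a real resolver such as nslookup output or dnspython)."""
    def lookup(name, rtype):
        return zone.get((name.lower(), rtype))
    return lookup

def check_partner_dns(dsa_guid, forest_name, expected_ip, lookup):
    """Return (status, detail); status is 'ok', 'missing-cname', 'missing-a' or 'stale-a'."""
    name = expected_cname(dsa_guid, forest_name)
    host = lookup(name, "CNAME")
    if host is None:
        return "missing-cname", name                  # start at step 2 (restart Net Logon)
    ip = lookup(host, "A")
    if ip is None:
        return "missing-a", host                      # A record not registered or not replicated
    if ip != expected_ip:
        return "stale-a", f"{host} resolves to {ip}, expected {expected_ip}"
    return "ok", f"{name} -> {host} -> {ip}"

# Constructed partner list: (DSA GUID from NTDS Settings, current IP of that partner).
PARTNERS = [
    ("A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D", "10.1.2.20"),
    ("0b1c2d3e-4f50-4617-8293-a4b5c6d7e8f9", "10.1.3.50"),
    ("5e6f7a8b-9c0d-4e1f-a2b3-c4d5e6f7a8b9", "10.1.4.40"),
    ("ffffffff-0000-4000-8000-000000000005", "10.1.5.50"),
]

def check_all(partners, forest_name, lookup):
    """Map each partner's DSA GUID (lower case) to its status."""
    return {guid.lower(): check_partner_dns(guid, forest_name, ip, lookup)[0]
            for guid, ip in partners}

if __name__ == "__main__":
    lookup = zone_lookup(CONSTRUCTED_ZONE)
    for guid, ip in PARTNERS:
        status, detail = check_partner_dns(guid, "microsoft.com", ip, lookup)
        print(f"{status:14} {detail}")
```

    A stale-a result is the case the third dependency above warns about: the name resolves, so ping by name succeeds, but to the wrong host, which surfaces as "RPC server is unavailable" or "Target account name is incorrect" rather than as a lookup failure.
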
See also:  Nslookup; Ping; Troubleshooting DNS; Install Windows Support Tools

Received Event ID 1265 "Access denied," in directory service log. Or, received "Access denied" from the repadmin command.
  • Cause:  This error can occur if the local domain controller failed to authenticate against its replication partner when creating the replication link or when trying to replicate over an existing link. This typically happens when the domain controller has been disconnected from the rest of the network for a long time and its computer account password is not synchronized with its computer account password stored in the directory of its replication partner.

  • Solution:  Do the following:

  1. Stop the Kerberos Key Distribution Center (KDC) service on the local domain controller. At a command prompt, type the following:

    net stop KDC

  2. Purge the Kerberos ticket cache on the local domain controller (for example, with klist purge; Klist.exe is available in the Windows Server 2003 Resource Kit Tools), so that no tickets obtained under the old computer account password are reused.

  3. Reset the domain controller's computer account password on the primary domain controller (PDC) emulator master. At a command prompt on the local domain controller, type the following, where PDCEmulator is the name of the PDC emulator master and the account supplied is a domain administrator account (Netdom.exe is available in Windows Support Tools; /passwordd:* prompts for the password):

    netdom resetpwd /server:PDCEmulator /userd:DomainName\AdministratorAccount /passwordd:*

  4. Synchronize the domain directory partition of the replication partner with the PDC emulator master.

  5. Manually force replication between the replication partner and the PDC emulator master, for example with repadmin /replicate or by forcing replication over the connection in Active Directory Sites and Services.

  6. Start the KDC service on the local domain controller:

    net start KDC

See also:  User and computer accounts; Net start; Install Windows Support Tools

Received "Access denied" from Active Directory Sites and Services when manual replication was attempted.
  • Cause:  Using Active Directory Sites and Services to force replication initiates replication on all common directory partitions between the replication partners. However, a user can only force manual replication for containers on which they have been assigned the Replication Synchronization permission. The replication of other directory partitions will fail, causing the "Access Denied" error.

  • Solution:   The repadmin or replmon command-line tools from Windows Support Tools can be used to manually force the replication of a specific directory partition, so that only a partition on which you hold the Replication Synchronization permission is replicated. For example, repadmin /replicate DestinationDC SourceDC DirectoryPartition replicates one directory partition from a named source to a named destination.

    Replication synchronization is a special permission. For more information about special permissions, see Set, view, change, or remove special permissions and Active Directory object permissions.

See also:  Install Windows Support Tools; Force replication over a connection; Active Directory support tools

Unable to connect to a domain controller running Windows 2000 from the Active Directory Sites and Services snap-in.
  • Cause:  You are trying to connect to a domain controller running Windows 2000 that does not have Service Pack 3 or later installed.

  • Solution:  Upgrade domain controllers running Windows 2000 to Service Pack 3 or later.

See also: Connecting to domain controllers running Windows 2000; Managing Active Directory from MMC

Search for new and updated information about replication. Or, your question does not match any of those listed above.

See also:  Technical support options; Install Windows Support Tools; Using the Windows Deployment and Resource Kits