Event ID 1925: Attempt to establish a replication link failed due to connectivity problem

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The description text in event ID 1925 reports that the attempt to establish a replication link for a writable directory partition failed, and it provides the distinguished name of the directory partition that the destination domain controller is attempting to replicate from the source. The error code in the event gives more specific information about the cause of the problem.

An example of the event text is as follows:

Event Type: Warning
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1925
Date: 3/24/2005
Time: 9:15:46 AM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: DC3
Description:
The attempt to establish a replication link for the following
writable directory partition failed.

Directory partition:
CN=Configuration,DC=contoso,DC=com
Source domain controller:
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
Source domain controller address:
f8786828-ecf5-4b7d-ad12-8ab60178f7cd._msdcs.contoso.com
Intersite transport (if any):
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com
This domain controller will be unable to replicate with the source
domain controller until this problem is corrected.

User Action
Verify if the source domain controller is accessible or network
connectivity is available.

Additional Data
Error value:
1908 Could not find the domain controller for this domain.

Cause

When event ID 1925 contains error 1908, "Could not find the domain controller for this domain," Active Directory replication has failed as a result of a connectivity problem between the domain controller that reported the error and the source domain controller that is named in the event text.
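The fields of the event description (partition, source domain controller, its DNS address and the error value) are what a triage script needs. The following PowerShell is an added example, not part of the Microsoft article: it parses the description text into those fields and flags error 1908 as a connectivity case. The sample description is constructed from the event shown above; the Get-Event1925 helper reads live events from the Directory Service log and is an assumption about where the event is recorded.

```powershell
# Added example (not from the Microsoft article): parse the description text of
# event ID 1925 into its fields so the partition, source DC and error value can
# be pulled out for triage. The sample text is constructed from the article's event.

$SampleDescription = @"
The attempt to establish a replication link for the following
writable directory partition failed.

Directory partition:
CN=Configuration,DC=contoso,DC=com
Source domain controller:
CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=contoso,DC=com
Source domain controller address:
f8786828-ecf5-4b7d-ad12-8ab60178f7cd._msdcs.contoso.com
Intersite transport (if any):
CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=contoso,DC=com
This domain controller will be unable to replicate with the source
domain controller until this problem is corrected.

User Action
Verify if the source domain controller is accessible or network
connectivity is available.

Additional Data
Error value:
1908 Could not find the domain controller for this domain.
"@

function ConvertFrom-Event1925Description {
    param([Parameter(Mandatory=$true)][string]$Description)

    # Each labelled field is a line ending in ':' whose value is on the next line.
    $lines = $Description -split "`r?`n" | ForEach-Object { $_.Trim() }
    $fields = @{}
    for ($i = 0; $i -lt $lines.Count - 1; $i++) {
        if ($lines[$i] -match '^(?<label>[^:]+):$') {
            $fields[$Matches.label] = $lines[$i + 1]
        }
    }

    # "Error value:" is followed by "<code> <text>".
    $errorCode = $null; $errorText = $null
    if ($fields['Error value'] -match '^(?<code>\d+)\s+(?<text>.+)$') {
        $errorCode = [int]$Matches.code
        $errorText = $Matches.text
    }

    # Pull the source DC's short name out of its NTDS Settings distinguished name.
    $sourceDn = $fields['Source domain controller']
    $sourceName = $null
    if ($sourceDn -match 'CN=NTDS Settings,CN=(?<dc>[^,]+),') { $sourceName = $Matches.dc }

    [pscustomobject]@{
        Partition          = $fields['Directory partition']
        SourceDC           = $sourceName
        SourceDN           = $sourceDn
        SourceAddress      = $fields['Source domain controller address']
        IntersiteTransport = $fields['Intersite transport (if any)']
        ErrorCode          = $errorCode
        ErrorText          = $errorText
        IsConnectivity     = ($errorCode -eq 1908)   # the case this article covers
    }
}

# Assumed helper: read recent 1925 events from the Directory Service log on the
# destination DC and parse each one (Get-EventLog is a Windows PowerShell cmdlet).
function Get-Event1925 {
    param([int]$Newest = 50)
    Get-EventLog -LogName 'Directory Service' -Newest $Newest |
        Where-Object { $_.EventID -eq 1925 } |
        ForEach-Object {
            ConvertFrom-Event1925Description -Description $_.Message |
                Add-Member -MemberType NoteProperty -Name TimeGenerated -Value $_.TimeGenerated -PassThru
        }
}

# Demonstration on the constructed sample; on a DC, call Get-Event1925 instead.
ConvertFrom-Event1925Description -Description $SampleDescription | Format-List
```

On the sample, the parser returns Partition CN=Configuration,DC=contoso,DC=com, SourceDC DC1, ErrorCode 1908 and IsConnectivity True; any other error code in the same event means a different troubleshooting path than the one described here.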

Solution

Use the following tests to solve this problem:

  • Verify wide area network (WAN) connectivity.

  • Determine the maximum packet size, and change it if necessary.

  • Force replication, and capture replication traffic in Network Monitor.

  • Analyze network traces to see if any traffic is not reaching the source domain controller.

Verify WAN Connectivity

Verify that there are no basic connectivity problems with the underlying network between the domain controllers, especially if they are separated by a WAN link or firewalls. For information about testing this type of problem, see article 310099, Description of the Portquery.exe command-line utility, on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=69995), and see article 159211, Diagnoses and treatment of black hole routers, on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=69996).

Determine Maximum Packet Size

By default, the Kerberos authentication protocol in Windows 2000, Windows XP, and Windows Server 2003 uses the User Datagram Protocol (UDP) when the data fits in packets of less than 2,000 bytes. Any data above this value is carried over TCP. Packets of more than 1,500 bytes are often dropped by a device such as a firewall on the network.

To avoid this problem, you can determine the size of packet that your network can accommodate. Then, you can edit the registry so that the maximum number of bytes for using UDP is set to the lowest value that you receive, less 8 bytes to account for header size.

Use the ping command to test the size of packets that the network can accommodate.

Requirements

  • Administrative credentials: To complete this procedure, you must be a member of the Domain Users group and have the Log on locally right on the domain controller.

  • Tool: PING

To determine the lowest common packet size

  1. From the destination domain controller, ping the source domain controller by its Internet Protocol (IP) address. At a command prompt, type the following command, and then press ENTER:

    ping IP_address -f -l 1472

  2. From the source domain controller, use the command in step 1 to ping the destination domain controller by its IP address.

  3. If the ping command completes in both directions, no additional modification is required.

  4. If the ping command fails in either direction, progressively lower the number that you use in the -l parameter until you find the lowest common packet size that works between the source and destination domain controllers.

Note

The version of Dcdiag that is included with Windows Server 2003 SP1 Support Tools provides the following method to perform this test: dcdiag /test:CheckSecurityError /s:SourceDomainControllerName
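The following PowerShell is an added example, not part of the Microsoft article, that automates the ping test above. It runs the same ping -f -l probe but, instead of lowering the size step by step, binary-searches for the largest payload that crosses the path unfragmented, and then applies the article's rule of subtracting 8 bytes to get the MaxPacketSize value. The function names, the 548-byte floor, the timeout values and the simulated probe at the end are assumptions; run it from each domain controller against the other and keep the lower of the two results.

```powershell
# Added example (not from the Microsoft article). Finds the largest ICMP payload
# that reaches $TargetIP without fragmentation, using the article's
# "ping <ip> -f -l <size>" probe with a binary search instead of manual lowering.

function Test-UnfragmentedPing {
    param(
        [Parameter(Mandatory=$true)][string]$TargetIP,
        [Parameter(Mandatory=$true)][int]$PayloadSize
    )
    # A real reply prints "Reply from <ip>: bytes=<n> time=..."; a fragmentation
    # failure prints "Packet needs to be fragmented but DF set." (no "bytes=").
    $output = ping.exe $TargetIP -f -l $PayloadSize -n 2 -w 1000 2>&1 | Out-String
    return [bool]($output -match 'bytes=\d+\s+time')
}

function Find-LargestUnfragmentedPayload {
    param(
        [Parameter(Mandatory=$true)][string]$TargetIP,
        [int]$Maximum = 1472,   # the article's starting value: 1472 + 28 header bytes = 1500
        [int]$Minimum = 548,    # assumed floor; anything smaller points at basic connectivity
        # Probe is injectable so the search can be dry-run without a network.
        [scriptblock]$Probe = { param($ip, $size) Test-UnfragmentedPing -TargetIP $ip -PayloadSize $size }
    )
    if (-not (& $Probe $TargetIP $Minimum)) {
        throw "No unfragmented reply even at $Minimum bytes; verify WAN connectivity first."
    }
    if (& $Probe $TargetIP $Maximum) { return $Maximum }   # no modification needed

    # Invariant: $low succeeds, $high fails; narrow until they are adjacent.
    $low = $Minimum; $high = $Maximum
    while (($high - $low) -gt 1) {
        $mid = [int][math]::Floor(($low + $high) / 2)
        if (& $Probe $TargetIP $mid) { $low = $mid } else { $high = $mid }
    }
    return $low
}

function Get-RecommendedMaxPacketSize {
    param([Parameter(Mandatory=$true)][int]$LargestPayload)
    # The article's rule: the measured value, less 8 bytes to account for header size.
    return $LargestPayload - 8
}

# Constructed dry run (no network): simulate a path that passes at most 1372 bytes.
$simulatedProbe = { param($ip, $size) $size -le 1372 }
$largest = Find-LargestUnfragmentedPayload -TargetIP '192.0.2.10' -Probe $simulatedProbe
"Largest unfragmented payload: $largest bytes; suggested MaxPacketSize: $(Get-RecommendedMaxPacketSize $largest)"

# Real run from the destination DC against the source DC (and then the reverse):
# $largest = Find-LargestUnfragmentedPayload -TargetIP '<source DC IP address>'
```

With the simulated probe the search converges on 1372 and suggests a MaxPacketSize of 1364; against a real path the result is only meaningful once both directions have been measured, exactly as steps 1 and 2 require.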

You can edit the registry to set the maximum size of packets to the value that you determined by the PING method, less 8 bytes to account for header size. As an alternative, you can edit the registry so that the maximum number of bytes for using UDP is always exceeded and Kerberos always uses TCP.

You can change the default value of 2,000 bytes by modifying the registry entry MaxPacketSize in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters. Use the following procedure to change this registry setting.

Warning

It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

Requirements

  • Administrative credentials: To complete this procedure, you must be a member of the Domain Admins group in the domain of the domain controller.

  • Tool: Regedit.exe

To change the maximum packet size

  1. Click Start, click Run, type regedit, and then click OK.

  2. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.

  3. Edit or, if it does not exist in the details pane, create the entry MaxPacketSize as follows:

    • To edit the entry if it exists in the details pane:

      Right-click MaxPacketSize, click Modify, and then, in the Value data box, type 1 to force Kerberos to use TCP, or type the value that you established by the PING method to lower the maximum UDP packet size to the appropriate value.

    • To create the entry if it does not exist in the details pane:

      Right-click Parameters, click New DWORD Value, type the name MaxPacketSize, and then edit the entry as described in the preceding bullet.

  4. Click OK.

  5. You must restart the domain controller for this change to take effect.

For information about importing an Administrative Template into Group Policy so that this value can be set for all the Windows 2000-based, Windows Server 2003-based, or Windows XP-based computers in the enterprise, see article 244474, "How to force Kerberos to use TCP instead of UDP in Windows Server 2003, in Windows XP, and in Windows 2000," on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=69997).
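The registry procedure above can also be done, and checked first, from PowerShell. The following is an added example, not part of the Microsoft article: it reads the current MaxPacketSize (absent means the 2,000-byte default), writes it as a DWORD value with -WhatIf support so the change can be previewed, and reminds you that the domain controller must be restarted. The function names are assumptions; the key path and the meaning of the value 1 (force TCP) come from the article.

```powershell
# Added example (not from the Microsoft article): read and set the Kerberos
# MaxPacketSize value from PowerShell instead of Regedit. Run as a member of
# Domain Admins on the domain controller; a restart is still required.

$KerberosParameters = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'

function Get-KerberosMaxPacketSize {
    # Returns $null when the value is absent, meaning the 2,000-byte default applies.
    if (-not (Test-Path $KerberosParameters)) { return $null }
    $item = Get-ItemProperty -Path $KerberosParameters -Name MaxPacketSize -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.MaxPacketSize
}

function Set-KerberosMaxPacketSize {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param(
        # 1 forces Kerberos to use TCP for every request; a larger value is the
        # UDP ceiling in bytes (the measured packet size from the PING test, less 8).
        [Parameter(Mandatory=$true)][ValidateRange(1, 65535)][int]$Value
    )
    if (-not (Test-Path $KerberosParameters)) {
        New-Item -Path $KerberosParameters -Force | Out-Null
    }
    $current = Get-KerberosMaxPacketSize
    $currentText = if ($null -eq $current) { 'default (2,000)' } else { "$current" }
    if ($PSCmdlet.ShouldProcess("$KerberosParameters\MaxPacketSize", "Set DWORD to $Value (currently $currentText)")) {
        # New-ItemProperty -Force creates or overwrites the value and fixes its type as DWORD,
        # which is what the "New DWORD Value" step in Regedit produces.
        New-ItemProperty -Path $KerberosParameters -Name MaxPacketSize -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Warning 'MaxPacketSize changed; restart the domain controller for this change to take effect.'
    }
    return Get-KerberosMaxPacketSize
}

# Usage:
#   Get-KerberosMaxPacketSize                            # current setting, $null = default
#   Set-KerberosMaxPacketSize -Value 1 -WhatIf           # preview forcing Kerberos onto TCP
#   Set-KerberosMaxPacketSize -Value <measured size - 8> # apply a measured UDP ceiling
```

Because the value is read back after writing, a mismatch between the requested and returned value indicates the write did not take (for example, insufficient rights), which is easier to catch here than in Regedit.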

Capture Network Traces During Replication

Use Network Monitor to capture simultaneous traces on both the source and the destination domain controller while attempting to replicate. Capture all traffic to and from each domain controller, and set the capture buffer to a sufficiently large value. You must select the addresses of the domain controllers from the address database and add them to the capture filter. Start the capture, and then start replication between the two domain controllers. Look for Kerberos fragmentation, out-of-order packets, latency, or network traffic that originates on one side of the connection and does not arrive at the other side.

For information about installing Network Monitor, see Network Monitor on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=42987).

Create an Address Database

To use address pairs in a capture filter, you must first build an address database. After the database is created, you can use the addresses that are listed in the database to specify address pairs in a capture filter.

Requirements

  • Administrative credentials: To complete this procedure, you must be a member of the Domain Admins group in the forest root domain or the Enterprise Admins group.

  • Tool: Network Monitor

To create an address database

  1. Open Network Monitor.

  2. If you are prompted, select the local network from which you want to capture data by default.

  3. On the Capture menu, click Start.

  4. On the Capture menu, click Stop and View.

  5. On the Display menu, click Find All Names.

  6. In the Find All Names dialog box, click OK. All addresses are added to the address database.

  7. On the Windows menu, click the local connection.

You can use the names in the address database to specify address pairs in the capture filter.

Capture Network Frames

To capture frames that are sent from a specific computer on your network to your computer or that are sent from your computer to a specific computer on your network, specify one or more address pairs in a capture filter. You can monitor up to four address pairs simultaneously.

An address pair consists of:

  • The addresses of the two computers between which you want to monitor traffic.

  • Arrows that specify the traffic direction that you want to monitor.

  • The INCLUDE or EXCLUDE keywords, which indicate how Network Monitor should respond to a frame that meets a filter's specifications.

Requirements

  • Administrative credentials: To complete this procedure, you must be a member of the Domain Admins group in the forest root domain or the Enterprise Admins Group in the forest.

  • Tool: Network Monitor

To capture network frames

  1. Open Network Monitor.

  2. If you are prompted, select the local network from which you want to capture data by default.

  3. On the Capture menu, click Buffer Settings.

  4. In the Capture Buffer Settings dialog box, set the buffer and frame size as appropriate, and then click OK.

  5. On the Capture menu, click Filter.

  6. In the Capture Filter dialog box, double-click Address Pairs.

  7. In the Address Expressions dialog box, select an address in Station 1 and an address in Station 2 for the computers whose traffic you want to capture.

  8. In the Direction box, select one of the symbols:

    <--> to monitor the traffic that passes in either direction between the addresses that you have selected.

    --> or <-- to monitor only the traffic that passes in one direction between the computers.

  9. Click OK twice.

  10. On the Capture menu, click Start.

Force Replication

When you have Network Monitor started to capture traffic between the two domain controllers, use the following procedure to force synchronization between the computers so that you can capture the replication traffic in Network Monitor.

Requirements

  • Credentials: To complete this procedure, you must be a member of the Domain Admins group in the forest root domain or the Enterprise Admins group in the forest.

  • Tools: Active Directory Sites and Services (Administrative Tools)

To synchronize replication from a source domain controller

  1. Open Active Directory Sites and Services.

  2. Double-click the Sites container, double-click the site of the domain controller to which you want to synchronize replication, double-click the Servers container, double-click the server object of the domain controller, and then click NTDS Settings.

  3. In the From Server column in the details pane, locate the connection object that shows the name of the source domain controller.

  4. Right-click the appropriate connection object, and then click Replicate Now.

  5. Click OK.

Analyze the traces from both domain controllers to see if there is any traffic that is not getting to the other domain controller. For information about using Network Monitor, see Network Monitor overview on the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=41936).