
How to resolve Active Directory replication issues



Case

This article provides the most common troubleshooting steps for resolving Active Directory replication issues. These instructions are primarily intended for Active Directory Domain Services (running on either on-premises or cloud-based virtual machines), but some of them may also apply to PaaS-based directory services.

Solution

To resolve Active Directory replication issues, carry out the steps below.

  1. Run the following replication check commands on all domain controllers.
    dcdiag /e /q /v /f:C:\Scripts\dcdiag.txt
    repadmin /showrepl
    repadmin /replsummary
    netdom query fsmo
  2. Check the Administrative, System and Application event logs on all domain controllers.
  3. Create or edit a test AD object on each domain controller and verify whether it replicates to all other domain controllers.
  4. Check DNS replication among the AD DC servers.
  5. Run the following PowerShell cmdlets on all domain controllers and on at least one domain-joined machine:
    1. Test-ComputerSecureChannel
    2. Test-ComputerSecureChannel -Server "DCName.fabrikam.com", where DCName is the hostname of a functional domain controller.
  6. Set the KDC service startup type to Manual, restart the computer, then run the following command.
  7. Test-ComputerSecureChannel -Repair
  8. Set the KDC service startup type back to Automatic and restart the computer in question.
  9. If the above does not work, stop the KDC service, run "Test-ComputerSecureChannel -Repair", then start the KDC service and re-check replication.
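The following script is an added example, not part of the original article: it automates the read-only checks from steps 1, 2 and 5 across every domain controller and prints one summary row per DC. It assumes the ActiveDirectory RSAT module is installed, the caller can query the DCs and read their event logs remotely, and WinRM is enabled on the DCs for the secure-channel test; the C:\Scripts output path is taken from step 1.

```powershell
# Added example: read-only AD replication health sweep over all domain controllers.
# Assumptions: ActiveDirectory module present, remote event-log and WinRM access to the DCs.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$pdc = (Get-ADDomain).PDCEmulator   # functional DC used for the secure-channel test (step 5)

$report = foreach ($dc in $dcs) {
    # Inbound replication failures recorded on this DC (the data repadmin /showrepl exposes)
    $failures = Get-ADReplicationFailure -Target $dc -ErrorAction SilentlyContinue

    # Partner links whose last successful inbound sync is older than two hours
    $partners = Get-ADReplicationPartnerMetadata -Target $dc -ErrorAction SilentlyContinue
    $stale = $partners | Where-Object { $_.LastReplicationSuccess -lt (Get-Date).AddHours(-2) }

    # Critical/Error events from the System, Application and Directory Service logs, last 24 h (step 2)
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'System', 'Application', 'Directory Service'
        Level     = 1, 2
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue

    # Secure channel from this DC to the PDC emulator (step 5, second cmdlet)
    $secureChannel = Invoke-Command -ComputerName $dc -ScriptBlock {
        param($Server) Test-ComputerSecureChannel -Server $Server
    } -ArgumentList $pdc -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DC                 = $dc
        ReplFailures       = @($failures).Count
        StalePartnerLinks  = @($stale).Count
        ErrorEvents24h     = @($events).Count
        SecureChannelToPDC = $secureChannel
    }
}

$report | Format-Table -AutoSize

# Keep the raw tool output from step 1 for comparison with later runs
$null = New-Item -ItemType Directory -Path C:\Scripts -Force
dcdiag /e /q /v /f:C:\Scripts\dcdiag.txt
repadmin /replsummary | Out-File C:\Scripts\replsummary.txt
netdom query fsmo | Out-File C:\Scripts\fsmo.txt
```

Any DC showing a non-zero ReplFailures or StalePartnerLinks count, or a SecureChannelToPDC value other than True, is the one to examine first with the remaining steps.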

If none of the above actions resolves the issue, carry out the steps below:

  1. Click Start, point to Programs, click Administrative Tools, and then click Services. Double-click KDC, set the startup type to Disabled, and then restart the computer.
  2. Run the command netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password, where server_name is the working AD DC holding the FSMO roles.
  3. Restart the domain controller in question again.
  4. Once it is back up, re-enable and restart the KDC service and re-check replication.
  5. As a last resort, try to replicate the DCs manually as described at https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/replication-error-2146893022.
  6. Also carefully review and try the approaches discussed in the articles listed in the References section below.

References

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/target-principal-name-is-incorrect-when-replicating-data

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/replication-error-2146893022#resolution

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc742152(v=ws.11)

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/use-netdom-reset-domain-controller-password

https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/klist
