How-to: Troubleshoot Active Directory Replication
July 13 2010
Initial checklist
- Check Directory Service Event Log for error and warning events and follow up accordingly
- Rule out the obvious problems
- Check event logs for any errors
- Network connectivity
- Name resolution – DNS errors are the most common reason for failed replication
- Replication topology
- Replication/database overload: can the server process the inbound replication traffic in time?
- Kerberos and time stamps: DC clocks more than 5 minutes apart (the default tolerance) break Kerberos authentication between DCs, and replication fails with it
Network Connectivity
- Use ping and tracert to check connectivity
- Use telnet <serverip> 389 to confirm LDAP connectivity (the port is open if you do NOT get a "connection failed" message; a blank screen means the TCP handshake completed). Replication also needs the RPC endpoint mapper (TCP 135) and the dynamic RPC ports, so an open 389 alone does not prove the DC is reachable for replication
Name resolution
- Use ping and nslookup to check that names resolve to the correct addresses
- Clear the DNS resolver cache on the server(s) and client (ipconfig /flushdns)
- Examine DNS records for accuracy (including PTR records, the _msdcs SRV records and the DSA-GUID CNAME records that replication partners use to find each other)
DNSLint (http://support.microsoft.com/kb/321046)
- To get general DNS information = dnslint /d <domain.name> /s <dnsipaddress>
- To determine whether DNS is causing an Active Directory replication problem among domain controllers in an Active Directory forest = dnslint /ad <dcipaddress> /s <dnsipaddress>
- To determine whether a particular Active Directory domain controller can resolve all of the DNS records needed to successfully synchronize partition replicas among domain controllers in an Active Directory forest = dnslint /ad /s localhost
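The connectivity and name-resolution checks above, scripted so they run against every DC in the forest at once. This is an added example, not part of the original post or of DNSLint. It assumes the RSAT ActiveDirectory module, Windows 8 / Server 2012 or later (for Test-NetConnection and Resolve-DnsName), and a hypothetical script name of Test-DcDns.ps1; the -DnsServer parameter is an assumption that lets you point the DNS queries at one specific server, as dnslint /s does.

```powershell
# Added example (not from the original post). Run the ping / LDAP-port / DNS checks
# for every DC in the forest and emit one result object per DC.
# Assumes: RSAT ActiveDirectory module; Windows 8 / Server 2012+; optional -DnsServer
# (hypothetical parameter) to force the lookups through a particular DNS server.
param([string]$DnsServer)

Import-Module ActiveDirectory
$forest = Get-ADForest
$dns = @{}
if ($DnsServer) { $dns['Server'] = $DnsServer }   # splatted into every Resolve-DnsName call

$dcs = $forest.Domains | ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

foreach ($dc in $dcs) {
    $r = [ordered]@{ DC = $dc.HostName; Site = $dc.Site }

    # Network connectivity: ICMP first, then the LDAP port. An open 389 only proves
    # the host is up; RPC (TCP 135 + dynamic ports) is what replication itself uses.
    $r.Ping    = Test-Connection -ComputerName $dc.HostName -Count 2 -Quiet
    $r.Ldap389 = (Test-NetConnection -ComputerName $dc.HostName -Port 389 `
                      -WarningAction SilentlyContinue).TcpTestSucceeded

    # Name resolution: the A record must match the DC's own address and the PTR must point back.
    $a = Resolve-DnsName $dc.HostName -Type A -ErrorAction SilentlyContinue @dns
    $r.ARecordOk = [bool]($a | Where-Object { $_.IPAddress -eq $dc.IPv4Address })
    $ptr = Resolve-DnsName $dc.IPv4Address -Type PTR -ErrorAction SilentlyContinue @dns
    $r.PtrOk = [bool]($ptr | Where-Object { $_.NameHost -ieq $dc.HostName })

    # Replication partners locate this DC through the CNAME <NTDS Settings objectGUID>._msdcs.<forest root>.
    # A missing or stale one is the classic cause of "DNS lookup failure" replication errors.
    $guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID -Server $dc.HostName).objectGUID
    $cname = Resolve-DnsName "$guid._msdcs.$($forest.RootDomain)" -Type CNAME -ErrorAction SilentlyContinue @dns
    $r.DsaCnameOk = [bool]($cname | Where-Object { $_.NameHost -ieq $dc.HostName })

    # The DC locator SRV record for the DC's own domain should list it as a target.
    $srv = Resolve-DnsName "_ldap._tcp.dc._msdcs.$($dc.Domain)" -Type SRV -ErrorAction SilentlyContinue @dns
    $r.SrvOk = [bool]($srv | Where-Object { $_.NameTarget -ieq $dc.HostName })

    [pscustomobject]$r
}
```

Run it once against each DNS server the DCs actually use (.\Test-DcDns.ps1 -DnsServer 10.0.0.1 | Format-Table) and compare the tables: a DC whose DsaCnameOk or SrvOk column is false on one server but true on another has a DNS replication or zone-scavenging problem rather than an AD replication problem.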
Continue to check event logs for errors
Replication Topology
- Review replication topology/site replication setup (sites and services… NTDS Setting)
- Use repadmin (repadmin /showrepl, repadmin /replsummary) or replmon to test replication; both ship in the Windows Server 2003 Support Tools, and repadmin is built in from Windows Server 2008 (replmon is not)
- Use dcdiag to test replication
- For full tests = dcdiag
- For just DC replication = dcdiag /test:replications
- Test SYSVOL (NTFRS) replication
- Add a simple text file to the SYSVOL share on one DC (%systemroot%\SYSVOL\sysvol\mydomain.com, shared as \\<dc>\SYSVOL\mydomain.com; the NETLOGON share is the scripts subfolder of that directory) and check whether it appears on the other DCs; remove it afterwards so it does not replicate around forever
- Can also use the FRSDiag.exe tool if needed
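The replication-topology and SYSVOL steps above, scripted: read repadmin's CSV output for failing inbound links, run dcdiag's replication test against each DC, then drop a canary file into SYSVOL on one DC and wait for it to show up on the rest. This is an added example, not part of the original post or of the Support Tools. It assumes the RSAT ActiveDirectory module, repadmin.exe and dcdiag.exe on the path, an account that can write to SYSVOL (Domain Admins), and a 15-minute wait (a hypothetical value; intra-site replication completes in seconds, inter-site follows the site-link schedule, so set it to match your topology).

```powershell
# Added example (not from the original post). Assumes: RSAT ActiveDirectory module,
# repadmin.exe / dcdiag.exe on the path, write access to SYSVOL, and a 15-minute
# timeout (hypothetical; raise it for slow inter-site links).
Import-Module ActiveDirectory
$domain = Get-ADDomain
$dcs    = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)

# 1. Inbound replication status for every DC, one row per partner and partition.
#    The column names are repadmin's own CSV header.
$rows   = repadmin /showrepl * /csv | ConvertFrom-Csv
$failed = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if ($failed) {
    "repadmin: links with failures"
    $failed | Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                            'Number of Failures', 'Last Success Time', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    "repadmin: no inbound replication failures reported"
}

# 2. dcdiag's replication test, one DC at a time. dcdiag prints
#    "<dc> passed test Replications" or "<dc> failed test Replications".
foreach ($dc in $dcs) {
    $target = "/s:$($dc.HostName)"
    $out = dcdiag /test:replications $target
    if ($out -match 'failed test Replications') { "dcdiag: $($dc.HostName) FAILED test Replications" }
    else                                         { "dcdiag: $($dc.HostName) passed test Replications" }
}

# 3. SYSVOL canary: write a uniquely named file on one DC, poll the others for it.
$source   = $dcs[0]
$name     = "replcheck-$(Get-Date -Format yyyyMMddHHmmss).txt"
$path     = "\\$($source.HostName)\SYSVOL\$($domain.DNSRoot)\$name"
"canary written $(Get-Date -Format o) on $($source.HostName)" | Set-Content -Path $path

$deadline = (Get-Date).AddMinutes(15)
$pending  = @($dcs | Where-Object { $_.HostName -ne $source.HostName })
while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30
    $pending = @($pending | Where-Object {
        -not (Test-Path "\\$($_.HostName)\SYSVOL\$($domain.DNSRoot)\$name")
    })
}
if ($pending.Count -gt 0) {
    "SYSVOL: canary NOT replicated to: $(($pending | ForEach-Object { $_.HostName }) -join ', ')"
} else {
    "SYSVOL: canary replicated to all $($dcs.Count) DCs"
}
Remove-Item -Path $path   # the deletion replicates too, so SYSVOL is left clean
```

If repadmin reports failures but dcdiag passes, check the "Last Failure Status" column: status 8524 is the DNS-lookup failure that the DNSLint and CNAME checks earlier on this page are meant to catch, and a DC that fails the SYSVOL canary while repadmin is clean has a file-replication (FRS) problem rather than a directory-replication one, which is where FRSDiag.exe comes in.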