Active Directory Replication


Basic Troubleshooting Steps (Single AD Domain in a Single AD Forest)

Most Active Directory replication problems are caused by one of the following:

  • DNS registration / resolution problems
  • Blocked or filtered Active Directory replication ports
  • Tombstoned Domain Controllers

This article describes the essential troubleshooting steps to follow for these problems when you have a single domain in a single AD forest:

DNS registration / resolution issues:

For DNS registration / resolution problems, start with the following troubleshooting steps:

  • Make sure that your domain DNS zone domain.com is set to accept dynamic updates (it is recommended to set dynamic updates to Secure only).
  • Make sure that your _msdcs.domain.com zone is set to accept dynamic updates (it is recommended to set dynamic updates to Secure only).
  • Make sure that your domain controllers are not multi-homed (each Domain Controller should have only one NIC enabled and only one IP address in use).
  • Make sure that public DNS servers are configured as forwarders on the DNS server, not in the IP settings of the Domain Controllers.

Use the following for the configuration of the IP settings of Domain Controllers:

Scenario: A single domain with a single Domain Controller
How to proceed: Make the Domain Controller point to:
  • Its private IP address as primary DNS server
  • 127.0.0.1 as secondary DNS server

Scenario: A single domain with two Domain Controllers
How to proceed: Make each Domain Controller point to:
  • The private IP address of the other Domain Controller as primary DNS server
  • Its own private IP address as secondary DNS server
  • 127.0.0.1 as third DNS server
(Both Domain Controllers should be DNS servers for this to apply.)

Scenario: A single domain with more than two Domain Controllers
How to proceed: My recommendation is to proceed as follows:
  • Choose a healthy DC / DNS server
  • Make the other Domain Controllers point to the private IP address of the chosen Domain Controller as primary DNS server
  • For each DC/DNS server except the chosen one, make it point to its own private IP address as secondary DNS server
  • For each DC/DNS server except the chosen one, make it point to 127.0.0.1 as third DNS server
  • You can make the chosen Domain Controller point to its private IP address as primary DNS server and 127.0.0.1 as secondary one (after the AD replication issue is resolved, I recommend making it point to another Domain Controller as primary DNS server)

Once done, run ipconfig /registerdns and then restart the Netlogon service on each DC you have.
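The following PowerShell script is an added example, not part of the original article: run on a DC in the two-DC scenario, it audits the checks above (multi-homing, public resolvers in the NIC settings, DNS server order) and leaves the remediation commands commented out. The partner address in $OtherDcIp is an assumed value.

```powershell
# Added example: read-only audit of a DC's NIC and DNS client settings.
# Run in an elevated PowerShell session on the DC itself (Windows Server 2012 or later).
$OtherDcIp = '10.0.0.11'   # assumed value: the other DC's private IP address

$adapters = @(Get-NetAdapter | Where-Object Status -eq 'Up')
$ipv4     = @(Get-NetIPAddress -AddressFamily IPv4 |
              Where-Object { $_.InterfaceIndex -in $adapters.ifIndex -and $_.IPAddress -ne '127.0.0.1' })

# Check 1: the DC must not be multi-homed (one NIC enabled, one IPv4 address)
if ($adapters.Count -gt 1 -or $ipv4.Count -gt 1) {
    Write-Warning "Multi-homed DC: $($adapters.Count) active NIC(s), $($ipv4.Count) IPv4 address(es)"
}
$myIp = $ipv4[0].IPAddress

# Check 2: the NIC's DNS list must contain only DCs and 127.0.0.1, never public resolvers
$dns = @((Get-DnsClientServerAddress -InterfaceIndex $adapters[0].ifIndex -AddressFamily IPv4).ServerAddresses)
$publicLike = $dns | Where-Object {
    $_ -notmatch '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.)'   # RFC 1918 ranges and loopback
}
if ($publicLike) {
    Write-Warning "Public DNS server(s) in NIC settings: $($publicLike -join ', ') (move them to forwarders)"
    "Current forwarders: $((Get-DnsServerForwarder).IPAddress -join ', ')"
}

# Check 3: order for the two-DC scenario is other DC, then self, then loopback
$expected = @($OtherDcIp, $myIp, '127.0.0.1')
if (Compare-Object $dns $expected -SyncWindow 0) {
    Write-Warning "DNS order is [$($dns -join ', ')]; expected [$($expected -join ', ')]"
    # Remediation (uncomment once reviewed): set the order, re-register the DC's records, restart Netlogon
    # Set-DnsClientServerAddress -InterfaceIndex $adapters[0].ifIndex -ServerAddresses $expected
    # Register-DnsClient
    # Restart-Service Netlogon
} else {
    'DNS client order matches the recommendation.'
}
```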


Blocked or Filtered Active Directory replication ports:

The following Active Directory ports should be open in both directions (inbound and outbound) between domain controllers: http://technet.microsoft.com/en-us/library/bb727063.aspx

PortQryUI and PortQry v2 are very useful tools that query ports and report whether they are listening, filtered or not listening.

To download PortQryUI: http://www.microsoft.com/en-us/download/details.aspx?id=24009 

To download PortQry V2: http://www.microsoft.com/en-gb/download/details.aspx?id=17148 
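As an added example (not from the original article), this PowerShell snippet checks the static TCP ports from the Microsoft port list above against a partner DC; $PartnerDc is an assumed name. UDP ports and the dynamic RPC range are left to PortQry, which can enumerate the endpoint mapper.

```powershell
# Added example: quick TCP reachability check of AD replication ports towards a partner DC.
$PartnerDc = 'DC02.domain.com'   # assumed name of the replication partner

# Static TCP ports from the Microsoft list. UDP (53, 88, 123, 389) and the dynamic RPC
# range 49152-65535 are not tested here; use "portqry -n $PartnerDc -e 135" for those.
$ports = @{
    53   = 'DNS'
    88   = 'Kerberos'
    135  = 'RPC endpoint mapper'
    389  = 'LDAP'
    445  = 'SMB (SYSVOL / Netlogon share)'
    464  = 'Kerberos password change'
    636  = 'LDAP over SSL'
    3268 = 'Global Catalog'
    3269 = 'Global Catalog over SSL'
}

$results = foreach ($port in ($ports.Keys | Sort-Object)) {
    $t = Test-NetConnection -ComputerName $PartnerDc -Port $port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port    = $port
        Service = $ports[$port]
        State   = if ($t.TcpTestSucceeded) { 'LISTENING' } else { 'FILTERED or NOT LISTENING' }
    }
}
$results | Format-Table -AutoSize

# Any port that is not LISTENING between two DCs points at a firewall or security product
# in the path, or a stopped service on the partner; PortQry distinguishes the two cases.
```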

In some situations, security software installed on Domain Controllers may be the cause of communication issues. If you suspect this is the root of your AD replication issue, you can temporarily disable it for troubleshooting. If the security software turns out to be the cause, check whether your security policies can be adjusted and contact the vendor's technical support for assistance if required.

Virus scanning recommendations for Enterprise computers that are running currently supported versions of Windows: http://support.microsoft.com/kb/822158

Tombstoned Domain Controllers:

A Domain Controller becomes tombstoned if it exceeds your forest tombstone lifetime period without replicating with other Domain Controllers.

Determine the tombstone lifetime for the forest: http://technet.microsoft.com/en-us/library/cc784932(v=ws.10).aspx

This condition can be identified by running dcdiag and repadmin commands. Details are in the following Microsoft KB.

Troubleshooting AD Replication error 8614: “The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime”: http://support.microsoft.com/kb/2020053
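The following PowerShell is an added example, not code from the original article: it reads the forest tombstone lifetime and compares it with each partner's last successful replication, the same data repadmin /showrepl reports. It needs the ActiveDirectory module (RSAT); $Dc is an assumed name.

```powershell
# Added example: read-only check for partners that have exceeded the tombstone lifetime.
Import-Module ActiveDirectory
$Dc = 'DC01.domain.com'   # assumed name of the DC under investigation

# The tombstone lifetime is stored on the Directory Service object in the configuration
# partition; when the attribute is not set, Windows applies the default of 60 days.
$configNc = (Get-ADRootDSE -Server $Dc).configurationNamingContext
$dsObj    = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                -Server $Dc -Properties tombstoneLifetime
$tsl      = if ($dsObj.tombstoneLifetime) { $dsObj.tombstoneLifetime } else { 60 }
"Forest tombstone lifetime: $tsl days"

# Inbound and outbound partner metadata for every partition this DC hosts
Get-ADReplicationPartnerMetadata -Target $Dc -PartnerType Both |
    ForEach-Object {
        $age = (Get-Date) - $_.LastReplicationSuccess
        [pscustomobject]@{
            Partition  = $_.Partition
            # Partner is the DN of the partner's NTDS Settings object; the second RDN is the server name
            Partner    = (($_.Partner -split ',')[1] -replace '^CN=')
            DaysSince  = [math]::Round($age.TotalDays, 1)
            LastResult = $_.LastReplicationResult   # 8614 = exceeded tombstone lifetime
            Tombstoned = $age.TotalDays -gt $tsl
        }
    } | Format-Table -AutoSize
```

A row with Tombstoned set to True (or LastResult 8614) is the condition the KB above describes; dcdiag /test:replications on the same DC should report the matching error.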

If you have a tombstoned Domain Controller, you need to proceed as follows:

——————————————————

If your Active Directory replication is fine but you notice SYSVOL/Netlogon replication failures, you can do a non-authoritative restore of SYSVOL on the faulty Domain Controller:
