Updated: April 4, 2008

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server
2003 with SP2

For more detailed replication troubleshooting information than is available here, and for additional information
about functionality in the version of Dcdiag.exe that is included in Windows Support Tools that ship with
Windows Server 2003 with Service Pack 1 (SP1), see Troubleshooting Active Directory Replication Problems on the
Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=60980).

What problem are you having?

• Monitoring replication.

• Replication between sites is slow.

• Received Event ID 1311 in the directory service log.

• Received Event ID 1265 with error "DNS Lookup Failure," or "RPC server is unavailable" in the directory
service log. Or, received "DNS Lookup Failure" or "Target account name is incorrect" from the repadmin
command.

• Received Event ID 1265 "Access denied," in directory service log. Or, received "Access denied" from the
repadmin command.

• Received "Access denied" from Active Directory Sites and Services when manual replication was
attempted.

• Unable to connect to a domain controller running Windows 2000 from the Active Directory Sites and
Services snap-in.

• Search for new and updated information about replication. Or, your question does not match any of those
listed above.

Monitoring replication.

Cause: You should monitor replication regularly to help you identify and fix problems before they grow.

Solution: Regular monitoring is the key to good replication maintenance. Repadmin.exe and dcdiag.exe
(both part of the Windows Support Tools) and the directory service event log (accessible through the
Event Viewer) are the primary tools for monitoring replication.

Repadmin is a command-line tool that reports failures on a replication link between two replication
partners. The following repadmin example displays the replication partners and any replication link
failures for Server1 on the microsoft.com domain:

 
   p    
For a complete list of repadmin options, use the  option:

 


Dcdiag is a command-line tool that can check the DNS registration of a domain controller, check to see
that the security descriptors (SIDs) on the naming context heads have appropriate permissions for
replication, analyze the state of domain controllers in a forest or enterprise, and more. The following
dcdiag example checks for any replication errors between domain controllers:

      




For a complete list of dcdiag options, use the  option:

  

The directory service log reports replication errors that occur after a replication link has been established.
For information about viewing the directory service log, see View an event log.

Large enterprises may also want to use the Microsoft Operations Manager for automated monitoring of
large numbers of domain controllers. For more information, see Active Directory Management Pack
Technical Reference for Microsoft Operations Manager 2005 on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=38341).
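
As an added example (not part of the original page), the following PowerShell sketch triages the CSV form of the repadmin replication summary and maps each failing link to the troubleshooting topic on this page that covers it. The sample rows, site names and domain controller names are constructed; the status codes 5, 1722 and 8524 are the standard Win32 codes for access denied, RPC server unavailable and DNS lookup failure.

```powershell
# Constructed sample of `repadmin /showrepl * /csv` output (hypothetical names).
# Against a live forest use instead:  $csv = repadmin /showrepl * /csv
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC1,"DC=example,DC=com",Branch,DC2,RPC,0,0,2008-04-04 09:15:02,0
showrepl_INFO,HQ,DC1,"DC=example,DC=com",Branch,DC3,RPC,12,2008-04-04 09:10:44,2008-04-01 02:00:13,8524
showrepl_INFO,Branch,DC2,"CN=Configuration,DC=example,DC=com",HQ,DC1,RPC,3,2008-04-04 08:55:30,2008-04-03 23:41:09,1722
showrepl_INFO,Branch,DC3,"DC=example,DC=com",HQ,DC1,RPC,40,2008-04-04 09:12:51,2008-03-20 11:02:37,5
'@

# Win32 status codes mapped to the troubleshooting topics on this page.
$topics = @{
    '5'    = 'Access denied (Event ID 1265 "Access denied" topic)'
    '1722' = 'RPC server is unavailable (Event ID 1265 DNS/RPC topic)'
    '8524' = 'DNS lookup failure (Event ID 1265 DNS/RPC topic)'
}

function Get-ReplicationFailure {
    param([string[]]$CsvText)
    # Accept either one multi-line string or an array of output lines.
    ($CsvText -split '\r?\n') | Where-Object { $_ } | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            $code = $_.'Last Failure Status'
            $hint = 'Other: check the directory service log'
            if ($topics.ContainsKey($code)) { $hint = $topics[$code] }
            [pscustomobject]@{
                Destination = $_.'Destination DSA'
                Source      = $_.'Source DSA'
                Partition   = $_.'Naming Context'
                Failures    = [int]$_.'Number of Failures'
                LastSuccess = $_.'Last Success Time'
                Status      = $code
                Topic       = $hint
            }
        } | Sort-Object Failures -Descending
}

# Healthy links (zero failures) are dropped; the worst link is listed first.
Get-ReplicationFailure $csv | Format-List
```

Running this on a schedule and comparing the LastSuccess values over time also gives the baseline replication latency that the next topic relies on.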

See also: Event Viewer; Install Windows Support Tools; Technical support options

Replication between sites is slow.

Cause: The time required to replicate directory data between domain controllers is known as the
replication latency. Replication latency can vary greatly, depending on the number of domain controllers,
the number of sites, the available bandwidth between sites, replication frequency, and more.

Solution:

• Monitoring replication regularly is a good way to determine the normal replication latency on your
network. With this knowledge, you can more easily determine if a problem is occurring. For more
information, see the "Monitoring Replication" troubleshooting topic above.

• Review the directory service log for any recent replication errors. Also, run  
   and
review any resulting errors.

• A good site topology design is important for replication efficiency. For information about site topology
design guidelines, see When to establish a single or separate sites and Designing the Site Topology on
the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=4724).

• A number of algorithm enhancements have been made to replication in the Windows Server 2003
operating systems to improve replication efficiency and scalability. Some of these enhancements take
effect in a forest set to Windows 2000 functional level, while others require the Windows Server 2003
functional level. You will gain the greatest improvement from these enhancements by upgrading your
forest to Windows Server 2003 functional level. Adlb.exe is a tool that can help improve replication
efficiency even further in forests set to the Windows Server 2003 functional level. For more information
about Adlb, see the Windows Server 2003 Active Directory Branch Office Planning and Deployment
Guide on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=28523). For more information
about forest functionality, see Domain and forest functionality.

See also: Replication overview; Replication between sites; Managing replication; Bandwidth; Checklist: Optimizing
intersite replication

Received Event ID 1311 in the directory service log.

Cause: The replication configuration information in Active Directory Sites and Services does not
accurately reflect the physical topology of the network.

Common causes of Event ID 1311 include:

• One or more domain controllers are offline.

• Bridgehead servers are online but experiencing errors replicating a required naming context between
Active Directory sites.

• Preferred bridgehead servers defined by administrators are online but do not host the required naming
contexts.

• One or more sites are not contained in site links.

• Site links contain all sites, but the site links are not all interconnected.

• Preferred bridgeheads defined by the administrator are offline.

Solution: To resolve an error in the configuration of replication:

• Make sure all sites belong to at least one site link. For more information, see Add a site to a site link.

• Make sure that the combination of site links you have created allows a path between all domain
controllers containing a replica of a given directory partition. For example, if a directory partition is held
by domain controllers in both Site A and Site C, make sure that Site A and Site C belong to a common
site link, or that an intermediary site exists that has at least one site link in common with Site A and at
least one site link in common with Site B.

• Make sure that you have cleared the A      


 check box in Active Directory Sites and
Services if your network is not fully routed. Or, if your network is fully routed and you have cleared the
A      
 check box, you may need to select it again to allow full replication of a directory
partition. For more information, see Enable or disable site link bridges.

• If you have manually assigned preferred bridgehead servers, make sure these servers are not offline.
(It is generally recommended that you allow Active Directory to select bridgehead servers
automatically.)

• Use Ping.exe and Network Monitor to verify connectivity through WAN links and across routers. For
more information about Network Monitor, see Network Monitor overview.

• You can also search the Microsoft Knowledge Base on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=4441) for new and updated information about Event ID 1311.
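
The first two checks in the list above amount to a graph connectivity test over sites and site links. The following PowerShell sketch is an added example, not code from the original page; the site and link names are constructed, and it assumes site links are transitive (a path through an intermediary site counts), which matches the intermediary-site case described above.

```powershell
# Constructed topology (hypothetical names): every site in the forest and the
# sites that each site link contains.
$sites = 'SiteA', 'SiteB', 'SiteC', 'SiteD', 'SiteE', 'SiteF'
$siteLinks = @{
    LinkAB = @('SiteA', 'SiteB')
    LinkBC = @('SiteB', 'SiteC')   # SiteB is the intermediary between A and C
    LinkDE = @('SiteD', 'SiteE')   # no link in common with A, B or C
}                                  # SiteF belongs to no site link at all

function Get-SiteIsland {
    param([string[]]$Sites, [hashtable]$SiteLinks)
    # Adjacency list: two sites are neighbours when they share a site link.
    $adj = @{}
    foreach ($s in $Sites) { $adj[$s] = @() }
    foreach ($members in $SiteLinks.Values) {
        foreach ($a in $members) {
            if (-not $adj.ContainsKey($a)) { $adj[$a] = @() }
            $adj[$a] += @($members | Where-Object { $_ -ne $a })
        }
    }
    # Breadth-first search from every unvisited site yields one island each.
    $seen = @{}
    foreach ($start in ($adj.Keys | Sort-Object)) {
        if ($seen.ContainsKey($start)) { continue }
        $seen[$start] = $true
        $queue = New-Object System.Collections.Queue
        $queue.Enqueue($start)
        $island = @()
        while ($queue.Count -gt 0) {
            $cur = $queue.Dequeue()
            $island += $cur
            foreach ($n in $adj[$cur]) {
                if (-not $seen.ContainsKey($n)) { $seen[$n] = $true; $queue.Enqueue($n) }
            }
        }
        [pscustomobject]@{
            Sites          = ($island | Sort-Object) -join ', '
            SharesSiteLink = ($adj[$start].Count -gt 0)
        }
    }
}

# More than one island means some sites have no replication path to the rest.
$islands = @(Get-SiteIsland -Sites $sites -SiteLinks $siteLinks)
$islands | Format-Table -AutoSize
if ($islands.Count -gt 1) { "Topology is split into $($islands.Count) islands" }
```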

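See also: Create a site link; Add a site to a site link; Enable or disable site link bridges; Install Windows Support
Tools

Received Event ID 1265 with error "DNS Lookup Failure," or "RPC server is unavailable" in the directory
service log. Or, received "DNS Lookup Failure" or "Target account name is incorrect" from the repadmin
command.

Cause: These messages are often the result of DNS problems. Active Directory replication depends on
the following: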

• Each domain controller in the forest must register its CNAME record for the name
p._msdcs.
 p  . DsaGuid is the GUID of the NTDS Settings object of the domain
controller (visible in Active Directory Sites and Services as the %!   property of the server
object's NTDS settings). This record usually belongs to the _msdcs.
 p  zone or, if that zone
does not exist, the
 p  zone.

• Each advertising domain controller in the forest must register its A record in the appropriate zone for
each domain in the forest.

• The A record must map to the current IP address of the respective domain controller.

• The records must have replicated to the DNS servers used by direct replication partners.

• Each DNS zone must have the proper delegations to the child zones.

• The IP configuration of the domain controllers must contain correct preferred and alternate DNS
servers.

DNS errors that are reported by the directory service log or by  
   mean that the
destination domain controller could not resolve the GUID-based DNS name of its source replication
partner.

Solution: Do the following:

1. Verify CNAME and A records. At a command prompt, type the following:

  

  

2. If the CNAME and A records are missing, restart netlogon. At a command prompt, type the following:


  
 

3. Again, verify CNAME and A records, by repeating step 1.

4. If the records are still missing, verify IP configuration. Verify that the preferred and alternate DNS servers
specified in the IP configuration of the source and destination domain controllers are correct.

5. If the client is configured correctly, verify that the zone is dynamic. At a command prompt, type the
following:

    



 


6. To verify that name resolution is the cause of the problem, ping the GUID-based name of the domain
controller where replication failed. If it works, the next replication cycle should not return this error.

7. If the ping fails, further DNS troubleshooting is required. For more information, see Troubleshooting
Domain Name System on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=62177).
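
The record checks in steps 1, 3 and 6 can be scripted from the destination domain controller. The following PowerShell sketch is an added example, not code from the original page; the function and parameter names are hypothetical, the GUID, forest name, host name and address in the sample call are constructed, and resolution goes through the .NET resolver, so it uses the DNS servers configured on the machine where it runs.

```powershell
# Resolve a name to its addresses; any resolver error counts as "no record".
function Resolve-Address([string]$Name) {
    try   { [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString } }
    catch { }
}

function Test-DcDnsRecord {
    param(
        [Parameter(Mandatory = $true)][guid]$DsaGuid,       # GUID of the DC's NTDS Settings object
        [Parameter(Mandatory = $true)][string]$ForestRoot,  # DNS name of the forest root domain
        [Parameter(Mandatory = $true)][string]$DcFqdn,      # host name of the source DC
        [string]$CurrentAddress                             # address the DC really has, if known
    )
    # GUID-based name that a destination DC looks up to find its source partner.
    $guidName = '{0}._msdcs.{1}' -f $DsaGuid, $ForestRoot
    $viaGuid  = @(Resolve-Address $guidName)   # follows the CNAME to its addresses
    $viaHost  = @(Resolve-Address $DcFqdn)     # the DC's own A record

    # A missing record corresponds to steps 2 to 5 of the procedure above.
    if ($viaHost.Count -eq 0) {
        $status = 'A record not found'
    }
    elseif ($viaGuid.Count -eq 0) {
        $status = 'GUID-based CNAME not found'
    }
    elseif (@($viaGuid | Where-Object { $viaHost -contains $_ }).Count -eq 0) {
        $status = 'CNAME resolves to a different host than the A record'
    }
    elseif ($CurrentAddress -and ($viaHost -notcontains $CurrentAddress)) {
        $status = 'A record is stale: it does not map to the current IP address'
    }
    else { $status = 'OK' }

    [pscustomobject]@{ GuidName = $guidName; ViaGuid = $viaGuid -join ', '
                       ViaHost  = $viaHost -join ', '; Status = $status }
}

# Constructed values; substitute a real DsaGuid, forest root and DC name.
Test-DcDnsRecord -DsaGuid '11111111-2222-3333-4444-555555555555' `
    -ForestRoot 'example.com' -DcFqdn 'dc1.example.com' -CurrentAddress '192.0.2.10'
```

Run it on each replication partner in turn, because a record can be present on one DNS server and not yet replicated to the server another partner uses.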

See also: Nslookup; Ping; Troubleshooting DNS; Install Windows Support Tools

Received Event ID 1265 "Access denied," in directory service log. Or, received "Access denied" from the
repadmin command.

Cause: This error can occur if the local domain controller failed to authenticate against its replication
partner when creating the replication link or when trying to replicate over an existing link. This typically
happens when the domain controller has been disconnected from the rest of the network for a long time
and its computer account password is not synchronized with its computer account password stored in the
directory of its replication partner.

Solution: Do the following:

1. Stop the Key Distribution Center (KDC) service using


  ,[.

2. Purge the ticket cache on the local domain controller.

3. Reset the domain controller's account password on the primary domain controller (PDC) emulator master
using
   . (Netdom.exe is available in Windows Support Tools).

4. Synchronize the domain directory partition of the replication partner with the PDC emulator master.

5. Manually force replication between the replication partner and the PDC emulator master.

6. Start the KDC on the local domain controller:


   ,[

See also: User and computer accounts; Net start; Install Windows Support Tools

Received "Access denied" from Active Directory Sites and Services when manual replication was
attempted.

Cause: Using Active Directory Sites and Services to force replication initiates replication on all common
directory partitions between the replication partners. However, a user can only force manual replication
for containers on which they have been assigned the Replication Synchronization permission. The
replication of other directory partitions will fail, causing the "Access Denied" error.

Solution: The  
or  
command-line tools from Windows Support Tools can be used to
manually force the replication of a specific directory partition.

Replication synchronization is a special permission. For more information about special permissions, see
Set, view, change, or remove special permissions and Active Directory object permissions.

See also: Install Windows Support Tools; Force replication over a connection; Active Directory support tools

Unable to connect to a domain controller running Windows 2000 from the Active Directory Sites and
Services snap-in.

Cause: You are trying to connect to a domain controller running Windows 2000 that does not have
Service Pack 3 or later installed.

Solution: Upgrade domain controllers running Windows 2000 to Service Pack 3 or later.

See also: Connecting to domain controllers running Windows 2000; Managing Active Directory from MMC

Search for new and updated information about replication. Or, your question does not match any of those
listed above.

Cause: New and updated information is regularly published on the Microsoft Web site.

Solution: Visit the following links for the latest information:

• Searching the Knowledge Base on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=4441)

Search the Microsoft Knowledge Base of technical support information and self-help tools for Microsoft
products.

• Product Support Services on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=281)

Search FAQs by product, browse the product support newsgroups, and contact Microsoft Support.

• Active Directory Collection in the Windows Server 2003 Technical Reference on the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=4549)

View detailed technical information about Active Directory replication and other technologies, including
troubleshooting Active Directory replication.

• Microsoft Windows Server TechCenter on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=34403)

Search for troubleshooting information, service packs, patches, and downloads for your system. View
the Technical Library for the latest product information, including deployment, operations, and
technical reference.

• Windows Server Community on the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=832)

The official online community for enthusiasts of the Windows server operating systems.

See also: Technical support options; Install Windows Support Tools; Using the Windows Deployment and
Resource Kits
