Active Directory issues and fixes

Fixing Active Directory Replication Failures

From fixing time sync drama and lingering AD ghosts to dealing with firewall blockades and stale Knowledge Consistency Checker (KCC) caches, this guide has all the tips you need.

  • Replication topology misfit
  • Time sync drama
  • Lingering objects or ghosts of AD
  • DNS records playing hide and seek
  • Burdened Bridgehead servers

1. Replication topology misfit

Error message: Event ID 1311: "The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition."

Issue

The configuration of how data is replicated between different servers is incorrect.

Fix A:

Open Command Prompt as an administrator and run "repadmin /showrepl" to identify replication failures.

Fix B:

Use Active Directory Sites and Services to review site links and bridgehead servers.

How to do it

  • Open Active Directory Sites and Services
  • Navigate to Sites > Inter-Site Transports > IP
  • Ensure site links and bridgehead servers are configured correctly.

Fix C:

If the topology is a mess, run the KCC with "repadmin /kcc" in Command Prompt to fix it.

How to do it

To verify the result, run "dcdiag /test:replications".
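The following PowerShell is an added example, not code from the original guide: a scripted counterpart to "repadmin /showrepl" that reports every replication link with consecutive failures or with no success inside a chosen window, using the Get-ADReplicationPartnerMetadata cmdlet from the ActiveDirectory module. It assumes RSAT (the ActiveDirectory module) is installed and the account can read replication metadata from every DC; the 24-hour staleness window is a value chosen for this example.

```powershell
# Added example, not part of the original guide: a scripted counterpart to
# "repadmin /showrepl" that lists replication links with consecutive failures
# or no success within a chosen window.
# Assumes the ActiveDirectory PowerShell module (RSAT) and read access to the
# domain controllers' replication metadata.
Import-Module ActiveDirectory

# Constructed threshold for this example: a link silent for more than a day is stale.
$MaxAge = New-TimeSpan -Hours 24

function Get-PartnerName {
    # Partner is the DN of the partner's NTDS Settings object:
    # "CN=NTDS Settings,CN=DC02,CN=Servers,CN=<site>,..." -> "DC02"
    param([string]$PartnerDN)
    ($PartnerDN -split ',')[1] -replace '^CN=', ''
}

function Get-ReplicationProblems {
    $findings = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $links = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Both -ErrorAction Stop
        } catch {
            # A DC that cannot be queried at all is a finding in its own right.
            [pscustomobject]@{
                Server = $dc.HostName; Partner = '-'; Partition = '-'
                Failures = -1; LastSuccess = $null
                LastResult = "query failed: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($l in $links) {
            # Never-successful links have no LastReplicationSuccess at all.
            $stale = (-not $l.LastReplicationSuccess) -or
                     (((Get-Date) - $l.LastReplicationSuccess) -gt $MaxAge)
            if ($l.ConsecutiveReplicationFailures -gt 0 -or $stale) {
                [pscustomobject]@{
                    Server      = $l.Server
                    Partner     = Get-PartnerName $l.Partner
                    Partition   = $l.Partition
                    Failures    = $l.ConsecutiveReplicationFailures
                    LastSuccess = $l.LastReplicationSuccess
                    LastResult  = $l.LastReplicationResult   # Win32 error code, 0 = success
                }
            }
        }
    }
    $findings
}

Get-ReplicationProblems | Sort-Object Server, Partner | Format-Table -AutoSize
```

An empty table means every DC answered and every link has replicated successfully inside the window; a row with Failures of -1 means the DC itself could not be reached, which is usually the more urgent finding.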

2. Time sync drama

Error message: Event ID 29/50: "The time service has not synchronized the system time for XXXX seconds"

Issue

Your computer's system clock has not been able to synchronize with a reliable time source (such as a domain controller or an internet time server) for the stated number of seconds.

Fix A:

Check time synchronization.

How to do it

  • Open the Command Prompt as an administrator.
  • Run the command "w32tm /query /status"
  • Force sync on all domain controllers using "w32tm /config /syncfromflags:domhier /update", then restart the time service with "net stop w32time && net start w32time"

Fix B:

Remember: AD hates tardiness. Keep the time gap under five minutes (check it with "net time /domain"), or it throws a fit.
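The following PowerShell is an added example, not code from the original guide: it measures every DC's clock offset from this machine with "w32tm /stripchart", converts that into each DC's skew relative to the PDC emulator, and flags anything beyond the five-minute tolerance the guide mentions. It assumes the ActiveDirectory module, that NTP (UDP/123) to each DC is reachable from the machine running it, and the 300-second threshold is the Kerberos default rather than a value read from your environment.

```powershell
# Added example, not part of the original guide: report each DC's clock skew
# relative to the PDC emulator and flag anything over the Kerberos tolerance.
# Assumes the ActiveDirectory module and that UDP/123 to each DC is reachable.
Import-Module ActiveDirectory

$ToleranceSeconds = 300   # Kerberos default MaxClockSkew: five minutes

function Get-ClockOffsetSeconds {
    # Offset of $Computer's clock from this machine's clock, averaged over a few samples.
    # "w32tm /stripchart /dataonly" prints one "HH:mm:ss, +00.1234567s" line per sample
    # (or "HH:mm:ss, error: 0x..." when the host does not answer).
    param([string]$Computer)
    $lines = w32tm /stripchart /computer:$Computer /samples:3 /dataonly 2>&1
    $samples = foreach ($line in $lines) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $samples) { return $null }   # unreachable or NTP blocked
    ($samples | Measure-Object -Average).Average
}

function Get-DomainClockSkew {
    $pdc = (Get-ADDomain).PDCEmulator
    $pdcOffset = Get-ClockOffsetSeconds -Computer $pdc
    if ($null -eq $pdcOffset) { throw "Cannot query time on PDC emulator $pdc" }

    foreach ($dc in Get-ADDomainController -Filter *) {
        $offset = Get-ClockOffsetSeconds -Computer $dc.HostName
        if ($null -eq $offset) {
            [pscustomobject]@{ DC = $dc.HostName; SkewFromPDC = $null; Status = 'unreachable' }
            continue
        }
        # Both offsets are measured against this machine, so their difference
        # is the DC's skew from the PDC emulator, independent of the local clock.
        $skew = [math]::Round($offset - $pdcOffset, 3)
        [pscustomobject]@{
            DC          = $dc.HostName
            SkewFromPDC = $skew
            Status      = if ([math]::Abs($skew) -gt $ToleranceSeconds) { 'OUT OF TOLERANCE' } else { 'ok' }
        }
    }
}

Get-DomainClockSkew | Format-Table -AutoSize
```

The PDC emulator is the top of the domain time hierarchy, so it is the reference here; it should itself be configured against an external source rather than "domhier", which the other DCs follow.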

3. Lingering objects or ghosts of AD

Error message: Event ID 1988: "Active Directory Replication encountered the existence of objects in the following partition that are not present on the replication source."

Issue

A deleted object is haunting your DC. This usually occurs when a DC is disconnected during the deletion process.

Fix A:

Use "repadmin /removelingeringobjects" to exorcize those ghosts.

How to do it

  • Open the Command Prompt as an administrator
  • Use the following command to clean up lingering objects: "repadmin /removelingeringobjects <DestinationDC> <SourceDCGUID> <DirectoryPartition>"

Replace:

  1. <DestinationDC>: The affected domain controller (the one holding the lingering objects).
  2. <SourceDCGUID>: The DSA object GUID of a clean source domain controller (shown as "DSA object GUID" in the output of "repadmin /showrepl").
  3. <DirectoryPartition>: The distinguished name of the partition (for example DC=domain,DC=com).

Fix B:

To prevent future haunting, ensure proper tombstone lifetime settings in AD.

How to do it

Run the following PowerShell command to verify tombstone lifetime:

"Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com" -Properties tombstoneLifetime"

If needed, modify it using: "Set-ADObject -Identity "<DN>" -Replace @{tombstoneLifetime=<Days>}", where <DN> is the distinguished name of the Directory Service object from the command above.
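The following PowerShell is an added example, not code from the original guide, and covers both fixes of this section: it reports the forest's tombstone lifetime (and the default that applies when the attribute is unset) and then runs "repadmin /removelingeringobjects" in its advisory mode against every DC, using the PDC emulator as the reference source, so that nothing is deleted and the results are only logged to each DC's Directory Service event log. It assumes the ActiveDirectory module, that repadmin is on the path, and that the PDC emulator is a clean reference DC (choose another if it is not).

```powershell
# Added example, not part of the original guide: tombstone-lifetime report plus
# an advisory-mode lingering-object sweep using the PDC emulator as reference.
# Assumes the ActiveDirectory module and repadmin.exe on the path.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeReport {
    $rootDse  = Get-ADRootDSE
    $dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
    $tsl = (Get-ADObject -Identity $dsObject -Properties tombstoneLifetime).tombstoneLifetime
    # The attribute is absent on forests created before Windows Server 2003 SP1,
    # in which case the 60-day default is in force.
    [pscustomobject]@{
        Object               = $dsObject
        TombstoneLifetimeDays = if ($tsl) { $tsl } else { 60 }
        ExplicitlySet        = [bool]$tsl
    }
}

function Test-LingeringObjects {
    $rootDse = Get-ADRootDSE
    $refDc   = Get-ADDomainController -Identity (Get-ADDomain).PDCEmulator
    # repadmin wants the reference DC's DSA object GUID, not its host name.
    $refGuid = (Get-ADObject -Identity $refDc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID

    # Domain and configuration partitions; add application partitions as needed.
    $partitions = @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext)

    foreach ($dc in Get-ADDomainController -Filter * | Where-Object HostName -ne $refDc.HostName) {
        foreach ($nc in $partitions) {
            # /advisory_mode compares and reports only; remove the flag to actually delete.
            $out = repadmin /removelingeringobjects $dc.HostName $refGuid $nc /advisory_mode 2>&1
            [pscustomobject]@{
                DC        = $dc.HostName
                Reference = $refDc.HostName
                Partition = $nc
                Result    = ($out | Select-Object -Last 1)   # final line carries the status
            }
        }
    }
}

Get-TombstoneLifetimeReport | Format-List
Test-LingeringObjects | Format-Table -AutoSize
```

Review the Directory Service event log on each destination DC after the advisory run; only once the objects it lists are confirmed to be genuine leftovers should the command be repeated without "/advisory_mode".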

4. DNS records playing hide and seek

Error message: Event ID 4015: "The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly."

Issue

The DNS record of a specific computer or a service is not being replicated across all domain controllers.

Fix A:

Verify SRV records using "nslookup" or "dcdiag /test:dns".

How to do it

Run the following to check DNS records: "nslookup -type=srv _ldap._tcp.dc._msdcs.domain.com" (substituting your own domain name), then "dcdiag /test:dns".
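The following PowerShell is an added example, not code from the original guide: it queries the _ldap._tcp.dc._msdcs SRV record on each DC's own DNS server and compares the advertised hosts with the DCs Active Directory knows about, so a DC whose Netlogon registration is missing, or a DNS server that has not yet replicated the record, is reported by name. It assumes the ActiveDirectory and DnsClient modules (Windows 8 / Server 2012 or later) and that each DC runs the DNS server role.

```powershell
# Added example, not part of the original guide: compare the DCs advertised in
# the _ldap._tcp.dc._msdcs SRV record, as served by each DC's DNS, with the DCs
# known to AD. Assumes the ActiveDirectory and DnsClient modules and that every
# DC hosts DNS.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$srvName = "_ldap._tcp.dc._msdcs.$domain"

function Get-AdvertisedDCs {
    # Hosts named by the SRV record as served by a specific DNS server.
    # Resolve-DnsName also returns the A records from the additional section,
    # so keep only the SRV answers.
    param([string]$DnsServer)
    $records = Resolve-DnsName -Name $srvName -Type SRV -Server $DnsServer -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    @($records | ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() } | Sort-Object -Unique)
}

function Test-DcSrvRecords {
    $expected = @(Get-ADDomainController -Filter * | ForEach-Object { $_.HostName.ToLower() } | Sort-Object -Unique)

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $advertised = Get-AdvertisedDCs -DnsServer $dc.IPv4Address
        } catch {
            [pscustomobject]@{ DnsServer = $dc.HostName; Advertised = 0; MissingDCs = "query failed: $($_.Exception.Message)" }
            continue
        }
        $missing = $expected | Where-Object { $advertised -notcontains $_ }
        [pscustomobject]@{
            DnsServer  = $dc.HostName
            Advertised = $advertised.Count
            MissingDCs = if ($missing) { $missing -join ', ' } else { 'none' }
        }
    }
}

Test-DcSrvRecords | Format-Table -AutoSize
```

A DC that is missing from every DNS server's answer points at registration (Fix B or C on that DC); a DC missing from only some servers points at DNS zone replication between them.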

Fix B:

Reregister DNS records

How to do it

Open the Command Prompt as an administrator and run the following command: "ipconfig /registerdns".

Fix C:

Restart the Netlogon service to trigger automatic DNS updates.

How to do it

Open the Command Prompt as an administrator and run the following command: "net stop netlogon && net start netlogon".

5. Burdened Bridgehead servers

Error message: Event ID 1566: "All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable."

Issue

The DC cannot synchronize data with other DCs, usually because of a connectivity or network-topology issue that prevents it from reaching any replication partner.

Fix A:

Review bridgehead server assignments in Active Directory Sites and Services.

How to do it

  • Open Active Directory Sites and Services
  • Navigate to Sites > Site Name > Servers > NTDS Settings
  • Check which servers are designated as bridgehead servers.

Fix B:

Distribute the load by assigning additional bridgehead servers.

How to do it

  • Add more servers if needed.
  • Right-click on a server in "NTDS Settings" and select Properties.
  • Enable it as a preferred bridgehead server for the required transport.

A happy bridgehead means smoother replication traffic. Monitor performance using tools like "repadmin /showrepl".
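The following PowerShell is an added example, not code from the original guide: for each site it lists which servers are designated preferred bridgeheads for the IP transport (the bridgeheadTransportList attribute that Fix B sets through the GUI) and how many inbound inter-site connection objects each server actually carries, so an overloaded bridgehead, or one the KCC chose that nobody intended, stands out. It assumes the ActiveDirectory module and reads only the configuration partition.

```powershell
# Added example, not part of the original guide: per-site bridgehead report,
# combining the administrator-designated preferred bridgeheads with the
# inter-site connection objects the KCC actually created.
# Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$sitesDN     = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
$ipTransport = "CN=IP,CN=Inter-Site Transports,$sitesDN"

function Get-ServerFromDN {
    # "...,CN=DC01,CN=Servers,CN=SiteA,CN=Sites,..." -> "DC01"
    param([string]$DN)
    if ($DN -match 'CN=([^,]+),CN=Servers,') { $Matches[1] }
}

function Get-SiteFromDN {
    # "...,CN=Servers,CN=SiteA,CN=Sites,..." -> "SiteA"
    param([string]$DN)
    if ($DN -match 'CN=Servers,CN=([^,]+),CN=Sites,') { $Matches[1] }
}

function Get-BridgeheadReport {
    # Server objects whose bridgeheadTransportList names the IP transport are
    # the "preferred bridgehead servers" configured in Sites and Services.
    $preferred = Get-ADObject -SearchBase $sitesDN `
        -LDAPFilter "(&(objectClass=server)(bridgeheadTransportList=$ipTransport))" |
        Select-Object -ExpandProperty Name

    # Every nTDSConnection object is an inbound link; fromServer is the source's
    # NTDS Settings DN. When the source sits in another site, the destination
    # server is acting as a bridgehead for that traffic.
    $connections = Get-ADObject -SearchBase $sitesDN -LDAPFilter '(objectClass=nTDSConnection)' -Properties fromServer
    $interSite = foreach ($c in $connections) {
        $destSite = Get-SiteFromDN $c.DistinguishedName
        $srcSite  = Get-SiteFromDN $c.fromServer
        if ($destSite -and $srcSite -and $destSite -ne $srcSite) {
            [pscustomobject]@{ Site = $destSite; Server = Get-ServerFromDN $c.DistinguishedName }
        }
    }

    $interSite | Group-Object Site, Server | ForEach-Object {
        $site, $server = $_.Values
        [pscustomobject]@{
            Site                  = $site
            Bridgehead            = $server
            InboundInterSiteLinks = $_.Count
            PreferredBridgehead   = [bool]($preferred -contains $server)
        }
    } | Sort-Object Site, @{ Expression = 'InboundInterSiteLinks'; Descending = $true }
}

Get-BridgeheadReport | Format-Table -AutoSize
```

A site whose single bridgehead carries every inter-site link is the "burdened" case this section describes; a server carrying inter-site links with PreferredBridgehead false means the KCC picked it because no preferred bridgehead for that transport was reachable, which is worth checking against the Event ID 1566 message above.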