We've looked at repadmin in a previous entry, but as a quick recap, repadmin has two main switches for reviewing replication status. Both report from the point of view of the local DC you run the command on: they show any errors replicating into that DC.

Here are some examples of good and bad results for each form of the command. In addition to the repadmin tool, the Directory Services event log can provide insight into replication issues.

These examples both show unhealthy replication. Using the above tools, you may find that there are replication issues affecting one or more DCs in the environment. The first troubleshooting step is to identify which DCs are affected and in which direction replication is failing between them.
Direction matters because replication is always a pull operation: the destination DC initiates the request and pulls changes from the source. Since DC02 is initiating the replication operation, most troubleshooting would be done on that server. Looking at the first failure example from the previous section, DC5 is attempting to receive changes from DC4 but is unable to.

RepAdmin still exists in newer versions of the Windows operating system such as Windows Server. It provides various options that you can use to check replication status in an Active Directory site, in a domain, and forest-wide.

Here are some useful examples of the RepAdmin tool. The command contacts all domain controllers in the Active Directory forest and collects a summary of Active Directory replication.

This is the quickest way to check whether there are any errors in Active Directory replication. When you run the command, it shows a summary of replication as seen in the screenshot below.

You can see that a total of five replication attempts were made and all of them failed. Starting with Windows Server , Microsoft also provides PowerShell cmdlets to check Active Directory replication status and troubleshoot replication issues.
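As an added example (not code from the original page), the following script uses the Get-ADReplicationFailure cmdlet from the ActiveDirectory module to collect inbound replication failures from every DC in the forest and list the longest-failing links first. It assumes RSAT is installed and the caller can query all DCs.

```powershell
# Added example: forest-wide inbound replication failure report.
# Assumes the ActiveDirectory (RSAT) module and rights to query every DC.
Import-Module ActiveDirectory

# Enumerate all DCs in every domain of the forest.
$dcs = (Get-ADForest).Domains |
    ForEach-Object { Get-ADDomainController -Filter * -Server $_ }

$failures = foreach ($dc in $dcs) {
    try {
        # Replication is a pull: each record is $dc (destination) failing
        # to pull from Partner (source), with the last Win32 error code.
        Get-ADReplicationFailure -Target $dc.HostName -ErrorAction Stop
    } catch {
        # A DC that cannot be queried at all is itself a finding.
        [pscustomobject]@{
            Server           = $dc.HostName
            Partner          = '(unreachable)'
            FailureType      = 'QueryFailed'
            FailureCount     = $null
            FirstFailureTime = $null
            LastError        = $null
            Note             = $_.Exception.Message
        }
    }
}

if (-not $failures) {
    'No inbound replication failures reported by any DC.'
    return
}

# Oldest FirstFailureTime first: links failing the longest are the ones
# closest to exceeding tombstone lifetime and causing lingering objects.
$failures |
    Sort-Object FirstFailureTime |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime,
        @{ n = 'LastErrorHex'; e = { if ($_.LastError) { '0x{0:X8}' -f $_.LastError } } } |
    Format-Table -AutoSize
```

The hex form of LastError is what the Directory Service event log and most support articles key on, so it is the value to search for next.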
There are several PowerShell replication cmdlets available, but the one that helps you identify any issues with replication is Get-ADReplicationFailure.

You can use the NetDiag trust relationship test to check for broken trusts. For example, suppose you have a multi-domain forest that contains a root domain Contoso.COM, a child domain B.COM, a grandchild domain C.COM, and a tree domain in the same forest, Fabrikam.COM. If replication is failing between domain controllers in the grandchild domain C.COM and the tree domain Fabrikam.COM, you should verify trust health between C.COM and B.COM, between B.COM and Contoso.COM, and then finally between Contoso.COM and Fabrikam.COM. If a shortcut trust exists between the destination and source domains, you do not have to validate the whole trust path chain. Instead, you should validate the shortcut trust between the destination and source domain.
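The trust path chain described above can be derived mechanically rather than by hand. The following added example (not from the original page) walks each domain up to the forest root, joins the two walks at the first shared domain, and emits a netdom trust /verify command per hop. The $parentOf map is constructed to mirror the forest in the text; in a real forest you would populate it from (Get-ADDomain -Identity <name>).ParentDomain.

```powershell
# Added example: derive the chain of parent/child and tree-root trusts to
# validate between a destination and a source domain.
# Constructed parent map mirroring the forest described in the text.
$parentOf = @{
    'Contoso.COM'  = $null          # forest root
    'B.COM'        = 'Contoso.COM'  # child of the root
    'C.COM'        = 'B.COM'        # grandchild
    'Fabrikam.COM' = $null          # tree root in the same forest
}
$forestRoot = 'Contoso.COM'

function Get-PathToRoot([string]$Domain) {
    # Walk parent links upward. A tree root has no parent but is joined to
    # the forest root by its tree-root trust, so it hops there next.
    $path = @()
    while ($Domain) {
        $path += $Domain
        $Domain = if ($parentOf[$Domain]) { $parentOf[$Domain] }
                  elseif ($Domain -ne $forestRoot) { $forestRoot }
                  else { $null }
    }
    $path
}

function Get-TrustValidationChain([string]$Destination, [string]$Source, [string[]]$ShortcutTrusts = @()) {
    # A shortcut trust between the two endpoints replaces the whole chain.
    if ($ShortcutTrusts -contains "$Destination|$Source" -or $ShortcutTrusts -contains "$Source|$Destination") {
        return [pscustomobject]@{ Trusting = $Destination; Trusted = $Source }
    }
    $up   = @(Get-PathToRoot $Destination)   # e.g. C.COM, B.COM, Contoso.COM
    $down = @(Get-PathToRoot $Source)        # e.g. Fabrikam.COM, Contoso.COM
    $join = $up | Where-Object { $down -contains $_ } | Select-Object -First 1
    $i = [array]::IndexOf($up, $join)
    $j = [array]::IndexOf($down, $join)
    $chain = @($up[0..$i])
    if ($j -gt 0) { $chain += @($down[($j - 1)..0]) }   # descend toward the source
    for ($k = 0; $k -lt $chain.Count - 1; $k++) {
        [pscustomobject]@{ Trusting = $chain[$k]; Trusted = $chain[$k + 1] }
    }
}

# C.COM -> B.COM -> Contoso.COM -> Fabrikam.COM, one verify command per hop.
Get-TrustValidationChain -Destination 'C.COM' -Source 'Fabrikam.COM' |
    ForEach-Object { "netdom trust $($_.Trusting) /d:$($_.Trusted) /verify" }
```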
Check for recent password changes to the trust by running the following command. Verify that the destination domain controller is transitively inbound-replicating the writable domain directory partition where trust password changes take effect. Commands to reset trusts from the root domain PDC are as follows.

Kerberos policy settings in the default domain policy allow for a five-minute difference in system time (this is the default value) between KDC domain controllers and Kerberos target servers, to prevent replay attacks.

Some documentation states that the system time of the client and that of the Kerberos target must be within five minutes of one another.

Other documentation states that, in the context of Kerberos authentication, the time that matters is the delta between the KDC that is used by the caller and the time on the Kerberos target. Also, Kerberos does not care whether the system time on the relevant domain controllers matches the current time. It cares only that the relative time difference between the KDC and the target domain controller is within the maximum time skew that Kerberos policy allows.

The default tolerance is five minutes or less. In the context of Active Directory operations, the target server is the source domain controller that is contacted by the destination domain controller. Therefore, you have to consider time accuracy on all other domain controllers relative to the source domain controller. This includes time on the destination domain controller itself.

You can use the following two commands to check time accuracy. This sample shows excessive time skew on Windows Server based and Windows Server R2-based domain controllers. Look for events that resemble the following:

"The time at the Primary Domain Controller is different than the time at the Backup Domain Controller or member server by too large an amount."

This indicates excessive time skew.
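As an added example (not from the original page), the script below measures each DC's clock offset relative to the PDC emulator over WinRM and flags any DC whose skew exceeds the five-minute Kerberos default discussed above. It assumes the ActiveDirectory module and WinRM access to every DC; the 300-second threshold is the default the page describes, adjust it if your Kerberos policy differs.

```powershell
# Added example: flag DCs whose clock skew from the PDC emulator exceeds the
# Kerberos MaxTolerance default (5 minutes). Assumes RSAT and WinRM access.
Import-Module ActiveDirectory
$maxSkewSeconds = 300   # Kerberos default "maximum tolerance for computer clock synchronization"

$pdc = (Get-ADDomain).PDCEmulator
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

function Get-ClockOffsetSeconds([string]$Computer) {
    # Offset of $Computer's clock from this machine's clock. Sampling local
    # time before and after the call and using the midpoint removes most of
    # the round-trip latency, which is far below the tolerance being checked.
    $t0 = [DateTime]::UtcNow
    $remote = Invoke-Command -ComputerName $Computer -ScriptBlock { [DateTime]::UtcNow } -ErrorAction Stop
    $t1 = [DateTime]::UtcNow
    $mid = $t0.AddTicks([long](($t1 - $t0).Ticks / 2))
    [math]::Round(($remote - $mid).TotalSeconds, 2)
}

# Measure every DC against the same local reference, then subtract the PDC's
# offset so the local clock cancels out: skew = (dc - local) - (pdc - local).
$pdcOffset = Get-ClockOffsetSeconds $pdc

$report = foreach ($dc in $dcs) {
    try {
        $skew = (Get-ClockOffsetSeconds $dc) - $pdcOffset
        [pscustomobject]@{
            DC                       = $dc
            SkewFromPdcSeconds       = $skew
            ExceedsKerberosTolerance = ([math]::Abs($skew) -gt $maxSkewSeconds)
            Error                    = $null
        }
    } catch {
        [pscustomobject]@{
            DC                       = $dc
            SkewFromPdcSeconds       = $null
            ExceedsKerberosTolerance = $null
            Error                    = $_.Exception.Message
        }
    }
}

# Largest skew first; any row with ExceedsKerberosTolerance = True will fail
# Kerberos authentication for replication with the PDC and likely its peers.
$report |
    Sort-Object { [math]::Abs([double]$_.SkewFromPdcSeconds) } -Descending |
    Format-Table -AutoSize
```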
Make sure that likely KDCs and the source domain controller (if these are in the same domain) inbound-replicate knowledge of the destination domain controller's new password. Restart the destination domain controller to update Kerberos tickets and retry the replication operation. See How to use Netdom.

In a default installation of Windows, the default domain controllers policy is linked to the Domain Controllers organizational unit (OU). That policy grants the "Access this computer from the network" user right to the following security groups. The security groups in the table are granted the "Access this computer from the network" user right in the default domain controllers policy. The default domain controllers policy is linked to the Domain Controllers OU or to alternative OUs that host domain controller computer accounts.

Most replication problems are identified in the event messages that are logged in the Directory Service event log. Ideally, these messages are collected by your monitoring application or when you retrieve replication status. The following table shows error messages that the command generates, along with the root causes of the errors and links to topics that provide solutions for them.

The following table lists common events that might indicate problems with Active Directory replication, along with root causes of the problems and links to topics that provide solutions. For more information about replication concepts, see Active Directory Replication Technologies. For more information, including support articles specific to error codes, see the support article: How to troubleshoot common Active Directory replication errors.
A domain controller has failed inbound replication with the named source domain controller long enough for a deletion to have been tombstoned, replicated, and garbage-collected from AD DS.
A replication link exists between two domain controllers, but replication cannot be performed properly as a result of an authentication failure. This problem can be related to connectivity, DNS, or authentication issues. The domain controller posted a replication request and is waiting for an answer.