When monitoring Active Directory replication, you notice an update or updates has not arrived as expected. Replication status is reported in repadmin /showrepl output. When replication is successful the Last Failure Status will be 0 (zero). However, when replication fails the Last Failure Status will be a number other than 0 (zero).
Active Directory replication problems can have several different sources. For example, Domain Name System (DNS) problems, networking issues, or security problems can all cause Active Directory replication to fail. Inbound or outbound replication failure causes Active Directory objects that represent the replication topology, replication schedule, domain controllers, users, computers, passwords, security groups, group memberships, and Group Policy to be inconsistent between domain controllers. Directory inconsistency causes either operational failures or inconsistent results, depending on the domain controller that is contacted for the operation. Active Directory Domain Services (AD DS) depends on network connectivity, name resolution, authentication and authorization, the directory database, the replication topology, and the replication engine. When the root cause of a replication problem is not immediately obvious, determining the cause among the many possible causes requires systematic elimination of probable causes.
This article is intended to supply Active Directory administrators with a method to diagnose replication failures and determine where the failures are occurring, from which source servers to which destinations, what the failure status is, how long the failure has been occurring, and for which naming context the failure is happening.
A good first step in tracking down the cause of Active Directory replication failures is to get a list of the replication errors encountered. This is a very simple procedure using repadmin /showrepl with the /csv option. For every domain controller in the forest, the spreadsheet shows the source replication partner, the time that replication last occurred, and the time that the last replication failure occurred for each naming context (directory partition). By using Autofilter in Excel, you can view the replication health for working domain controllers only, failing domain controllers only, or domain controllers that are the least or most current, and you can see the replication partners that are replicating successfully.
To generate a forest-wide replication status spreadsheet for domain controllers:
Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue.
At the command prompt, type the following command, and then press ENTER
repadmin /showrepl * /csv >showrepl.csv
Open Microsoft Excel.
Click the Office button (File menu for versions prior to Excel 2010), click Open, navigate to showrepl.csv, and then click Open.
Hide or delete column A and column G, as follows:
To hide a column, right click the column header then click Hide
To delete a column, right click the column header then click Delete
Select a column that you want to hide or delete.
Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row.
Select the entire spreadsheet. On the Data tab, click Filter.
In the Last Success Time column, click the down arrow, point to Text Filters, and then click Customer Filter.
In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter.
In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate deleted domain controllers from the view.
Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0.
Resolve replication failures.
For detailed Active Directory Replication troubleshooting guidance, see the following Technet articles:
Microsoft KB 2020053: How to troubleshoot Active Directory operations that fail with error 8614: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime"
Microsoft KB 2028495: How to troubleshoot Active Directory operations that fail with error 8606: "Insufficient attributes were given to create an object"
Microsoft KB 2023007: How to troubleshoot Active Directory operations that fail with error 8456 or 8457: "The source | destination server is currently rejecting replication requests"
Active Directory Replication failure /showrepl repadmin
Windows Server 2008 Enterprise without Hyper-V, Windows Server 2008 Foundation, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Datacenter without Hyper-V, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Enterprise without Hyper-V, Windows Server 2008 R2 for Itanium-Based Systems, Windows Server 2008 R2 Foundation, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Standard without Hyper-V, Windows Server 2008 Service Pack 2, Windows Server 2008 Standard, Windows Server 2008 Standard without Hyper-V