Article ID: 2498185
When monitoring Active Directory replication, you notice that one or more updates have not arrived as expected. Replication status is reported in repadmin /showrepl output. When replication succeeds, the Last Failure Status is 0 (zero). When replication fails, the Last Failure Status is a number other than 0 (zero).
Active Directory replication problems can have several different sources. For example, Domain Name System (DNS) problems, networking issues, or security problems can all cause Active Directory replication to fail. Inbound or outbound replication failure causes Active Directory objects that represent the replication topology, replication schedule, domain controllers, users, computers, passwords, security groups, group memberships, and Group Policy to be inconsistent between domain controllers. Directory inconsistency causes either operational failures or inconsistent results, depending on the domain controller that is contacted for the operation. Active Directory Domain Services (AD DS) depends on network connectivity, name resolution, authentication and authorization, the directory database, the replication topology, and the replication engine. When the root cause of a replication problem is not immediately obvious, determining the cause among the many possible causes requires systematic elimination of probable causes.
This article is intended to supply Active Directory administrators with a method to diagnose replication failures and determine where the failures are occurring, from which source servers to which destinations, what the failure status is, how long the failure has been occurring, and for which naming context the failure is happening.
A good first step in tracking down the cause of Active Directory replication failures is to get a list of the replication errors encountered. This is a very simple procedure using repadmin /showrepl with the /csv option. For every domain controller in the forest, the spreadsheet shows the source replication partner, the time that replication last occurred, and the time that the last replication failure occurred for each naming context (directory partition). By using Autofilter in Excel, you can view the replication health for working domain controllers only, failing domain controllers only, or domain controllers that are the least or most current, and you can see the replication partners that are replicating successfully.
To generate a forest-wide replication status spreadsheet for domain controllers:
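As an added illustration (not part of the Microsoft article or its procedure), the PowerShell below reduces repadmin /showrepl /csv output to the failing partnerships and reports source, destination, naming context, failure status, and days since the last success. The column names are assumed to match repadmin's CSV header, the sample rows are constructed, and Get-ReplicationFailure is a hypothetical helper name.

```powershell
# Constructed sample in the column layout assumed for `repadmin /showrepl * /csv`.
# On a live forest, replace the here-string with:  $csv = repadmin /showrepl * /csv
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,DC1,"DC=example,DC=test",SiteA,DC2,RPC,0,0,2011-02-14 09:00:12,0
showrepl_INFO,SiteA,DC1,"CN=Configuration,DC=example,DC=test",SiteB,DC3,RPC,112,2011-02-14 08:45:03,2010-07-01 03:10:44,8614
showrepl_INFO,SiteB,DC3,"DC=example,DC=test",SiteA,DC2,RPC,4,2011-02-14 08:50:30,2011-02-13 22:15:00,8456
'@

function Get-ReplicationFailure {
    param(
        [Parameter(Mandatory)] [string[]] $CsvText,
        # Reference time for "how long has this been failing"; defaults to now.
        [datetime] $Now = (Get-Date)
    )
    $CsvText | ConvertFrom-Csv |
        # Keep data rows only, and only those whose last attempt failed (status other than 0).
        Where-Object { $_.showrepl_COLUMNS -eq 'showrepl_INFO' -and [int]$_.'Last Failure Status' -ne 0 } |
        ForEach-Object {
            # A partner that has never replicated successfully has no parseable success time.
            $lastOk = [datetime]::MinValue
            $haveOk = [datetime]::TryParse($_.'Last Success Time', [ref]$lastOk)
            [pscustomobject]@{
                Source        = $_.'Source DSA'
                Destination   = $_.'Destination DSA'
                NamingContext = $_.'Naming Context'
                Status        = [int]$_.'Last Failure Status'
                Failures      = [int]$_.'Number of Failures'
                DaysFailing   = if ($haveOk) { [math]::Round(($Now - $lastOk).TotalDays, 1) } else { $null }
            }
        } |
        # Longest-failing partnerships first.
        Sort-Object DaysFailing -Descending
}

# Fixed reference time so the constructed sample gives the same result on every run.
Get-ReplicationFailure -CsvText $csv -Now '2011-02-14 12:00:00' | Format-Table -AutoSize
```

Rows with a large DaysFailing value deserve attention first, because the destination has been holding stale copies of the objects in that naming context (users, passwords, group memberships, Group Policy) for that long.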
For detailed Active Directory replication troubleshooting guidance, see the following TechNet articles:
TechNet: Troubleshooting Active Directory Replication Problems
TechNet: Monitoring and Troubleshooting Active Directory Replication Using Repadmin
Microsoft KB 2020053 (https://support.microsoft.com/kb/2020053/): How to troubleshoot Active Directory operations that fail with error 8614: "The Active Directory cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime"
Microsoft KB 2028495 (https://support.microsoft.com/kb/2028495/): How to troubleshoot Active Directory operations that fail with error 8606: "Insufficient attributes were given to create an object"
Microsoft KB 2023007 (https://support.microsoft.com/kb/2023007/): How to troubleshoot Active Directory operations that fail with error 8456 or 8457: "The source | destination server is currently rejecting replication requests"
(http://go.microsoft.com/fwlink/?LinkId=151500) for other considerations.
Article ID: 2498185 - Last Review: February 14, 2011 - Revision: 1.0