e2e: How to troubleshoot common Active Directory replication errors

Summary
This article contains information and links to help you troubleshoot Active Directory Replication errors. It is intended to provide Active Directory administrators with a method to diagnose replication failures and to determine where those failures are occurring.
What to try
To troubleshoot specific errors, refer to the following table.

| Replication error code | Cause | Related Knowledge Base article |
|---|---|---|
| 8464 | This issue occurs because partial attribute set (PAS) synchronization is triggered when an attribute is added to the PAS. | 3001248 |
| 8477 | This code is informational and represents a regular Active Directory replication operation. It indicates that replication is currently in progress from the source and has not yet been applied to the destination domain controller's database replica. | 2758780 |
| 8418 | Attempts to replicate Active Directory when schema information is not consistent between the domain controller partners that are involved result in a "Schema Mismatch" error status. This symptom manifests itself in several ways. The underlying cause of the error may vary. | 2734946 |
| 1908 | This error has two primary causes: • The destination domain controller can't contact a key distribution center (KDC). • The computer is experiencing Kerberos-related errors. | 2712026 |
| 8333 | This error has multiple causes. They include the following: • Database corruption, with additional associated errors that are logged in the event log of the source domain controller • Lingering objects that have associated errors logged • Conflict objects • A third-party process | 2703708 |
| 8589 | This error most commonly occurs on a domain controller after a replication partner has Active Directory forcibly removed and then is re-promoted before end-to-end replication can complete. This error can also occur when you rename a domain controller and the serverReference attribute is not updated. | 2703028 |
| 1818 | The issue occurs when the destination domain controller that is performing incoming replication does not receive replication changes within the number of seconds that is specified in the RPC Replication Timeout registry key. | 2694215 |
| 8446 | This error can occur when the Active Directory replication engine cannot allocate memory to run Active Directory replication. | 2693500 |
| 8240 | This error indicates that the specific object could not be found in the directory. This error may be encountered in the following situations: • During AD replication • Reported 8240 in 1126 Event (NTDS) | 2680976 |
| 8451 | Status 8451: "The replication operation encountered a database error" has multiple causes. Refer to the related Knowledge Base article in the third column. | 2645996 |
| 1256 | This error is logged because of a connectivity failure. | 2200187 |
| 1396 | Known causes of this error include the following: • The service principal name (SPN) does not exist on the global catalog that is searched by the Kerberos Key Distribution Center (KDC) on behalf of the client that is trying to authenticate by using the Kerberos protocol. • The user or service account that should contain the SPN that is being looked up does not exist on the global catalog that is searched by the KDC on behalf of the destination domain controller that is trying to replicate. • The destination domain controller lacks a Local Security Authority (LSA) secret for the source domain controller's domain. • The SPN that is being looked up exists on the account of a different computer than the source domain controller. | 2183411 |
| 1722 | Remote Procedure Call (RPC) is an intermediate layer between the network transport and the application protocol. RPC itself has no special insight into failures. However, it tries to map lower-layer protocol failures into an error at the RPC layer. | 2102154 |
| -2146893022 | This error code is not returned by Active Directory. However, it may be returned by lower-layer components. These include RPC, the Kerberos protocol, Secure Sockets Layer (SSL), LSA, and NT LAN Manager (NTLM). The code is returned for various reasons. | 2090913 |
| 1753 | Specific causes of this error include the following: • The server app never started. • The server app started. However, there was a failure during initialization that prevented the server app from registering with the RPC Endpoint Mapper. • The server app started but later died. • The server app manually unregistered its endpoints. (This resembled the previous cause, but its occurrence was intentional. You are unlikely to receive this error for this reason. However, we include it for completeness.) • The RPC client (that is, the destination domain controller) contacted a different RPC server than the intended one because of a name-to-IP mapping error in DNS, WINS, or the host / lmhosts file. | 2089874 |
| 8606 | Error 8606 is logged when the following conditions are true: • A source domain controller sends an update to an object (instead of sending an originating object create request) that was already created, deleted, and then reclaimed by garbage collection from a destination domain controller's copy of Active Directory. • The destination domain controller was configured to run in strict replication consistency. | 2028495 |
| 1127 | Error 8606 is logged when the following conditions are true: • A source domain controller sends an update to an object (instead of sending an originating object create request) that was already created, deleted, and then reclaimed by garbage collection from a destination domain controller's copy of Active Directory. • The destination domain controller was configured to run in strict replication consistency. | 2025726 |
| 8452 | This error most frequently occurs when the replication topology in a domain controller that is starting replication differs from the replication topology that is defined in the destination domain controller's copy of Active Directory. | 2023704 |
| 8456 or 8457 | Incoming or outgoing replication was automatically disabled by the operating system because of multiple root causes. | 2023007 |
| 8453 | This "Replication Access was denied" error has multiple causes. | 2022387 |
| 8524 | This is a catch-all error for all possible DNS failures that affect Active Directory on post-Windows Server 2003 SP1-based domain controllers. | 2021446 |
| 8614 | Causes of this error (and for NTDS Replication Event 2042) include the following: • The destination domain controller that is logging the 8614 error did not inbound-replicate a directory partition from one or more source domain controllers for Tombstone lifetime number of days. • System time on the destination domain controller moved, or "jumped," Tombstone lifetime one or more days into the future after the last successful replication. | 2020053 |
| 8545 | This Active Directory replication error is logged when the source domain controller tries to send changes for a recently migrated object when the destination domain controller has the object present in a different partition. | 2009819 |
| 5 | This Active Directory replication error has multiple causes. | 2002013 |

More information
Microsoft Developer Network (MSDN): Troubleshooting Active Directory Replication Problems

Microsoft TechNet: Troubleshooting Active Directory Replication Problems

Microsoft Knowledge Base: 2498185 How to diagnose Active Directory replication failures
Properties

Article ID: 3108513 - Last review: 11/11/2015 19:39:00 - Revision: 2.0

Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard

  • kbexpertiseadvanced KB3108513