Error 1311 active directory

Обновлено 02.01.2021

Добрый день! Уважаемые читатели и гости одного из крупнейших IT блогов рунета Pyatilistnik.org. В прошлый раз мы с вами освежили в памяти комбинации горячих клавиш Windows 10. В сегодняшней статье я хочу потраблшутить с активным каталогом, а именно мы рассмотрим как устраняется и в чем причины ошибки с кодом ID 1311 при репликации Active Directory. Данная ошибка может появляться каждые 15 минут. Давайте ее исправим и на будущее научимся ее диагностировать сходу.

Описание ошибки 1311

У меня есть два домена Active Directory, корневой root и дочерний child, все в рамках одного дерева и леса. В какой-то момент в логах Windows на контроллерах домена я обнаружил ошибку:

Данная ошибка появляется каждые 15 минут.

Причины ошибки 1311

Одна из самых печально известных ошибок репликации — это событие с кодом 1311, оно может быть вызвано рядом причины:

• Один или несколько контроллеров домена недоступны по сети или один или несколько контроллеров домена находятся в автономном режиме.
• Один или несколько сайтов не могут взаимодействовать друг с другом из сетевых ошибок, например один или несколько сайтов не содержатся в ссылке на сайт.
• Ссылки сайта содержат все сайты, но ссылки сайта не связаны между собой. Это условие известно как несвязанные ссылки на сайте.
• Контроллеры домена-плацдарма подключены, но возникают ошибки при попытке репликации необходимого раздела каталога между сайтами Active Directory.
• Предпочтительные серверы-плацдармы, определенные администратором, подключены к сети, но на них не размещен необходимый раздел каталога. Наиболее распространенная неправильная конфигурация — это определение серверов не глобального каталога в качестве серверов-плацдармов.
• Предпочтительные плацдармы правильно определены администратором, но в настоящее время они отключены.
• Сервер-плацдарм перегружен, поскольку сервер не производительный, слишком много сайтов филиалов пытаются реплицировать изменения с одного и того же контроллера домена-концентратора, или расписание репликации на сайтах слишком частое.
• Средство проверки согласованности знаний (KCC) создало альтернативный путь для обхода межсайтового соединения, но продолжает повторять попытку сбойного соединения каждые 15 минут.
• Мост включен в сайтах и службах Active Directory, но сеть не позволяет подключаться к сети между любыми двумя контроллерами домена в лесу.
• Предпочитаемый сервер-плацдарм настроен и отключен
• Ошибка разрешения DNS-имени
• Ошибка 1311 может быть просто результатом другой, более серьезной проблемы и исчезнет, ​​когда эта проблема будет решена.

Диагностика и устранение ошибки 1311

KCC — это специальный процесс, который выполняется абсолютно на всех контроллерах домена и создает топологию репликации для Active Directory леса. KCC создает отдельные топологии репликации в зависимости от того, выполняется ли репликация на сайте (внутрисайтовая) или между сайтами (межсайтовой). KCC также динамически корректирует топологию, чтобы она соответствовала добавлению новых контроллеров домена, удалению существующих контроллеров домена, перемещению контроллеров домена на сайты, изменяющимся затратам и расписаниям, а также к контроллерам домена, временно недоступен или находится в состоянии ошибки.

Если вы подробно еще раз посмотрите ошибку 1311, то там нет точного упоминания какой именно контроллер домена является проблемным. Для этого мы с вами можем воспользоваться уже знакомой утилитой Repadmin по проверке репликации Active Directory. Выполните команду:

Несмотря на то, что 1311 может не отображаться здесь, для него характерно сопряжение с событием «1722 Сервер RPC недоступен (The RPC server is unavailable)» (что в основном означает отсутствие физической связи). Тут же я вижу, что контроллер недоступен более 60 дней.

так же полезно будет выполнить команду, которая покажет подробную топологию по сайтам:

Вот вам пример, когда отсутствует связь с контроллером домена «The remote system is not available. For information about network troubleshooting».

Элементарно проверить сетевую доступность нужного контроллера домена можно с помощью утилит командной строки ping и tracert. Убедитесь, что у вас правильные настройки ip адреса на недоступном контроллере, правильные маршруты, нет блокировок на уровне брандмауэра, разрешены порты Active Directory.

Если по сети контроллер отвечает, то нужно убедиться, что существует адекватное подключение к сайту. Выполните следующую процедуру на каждом контроллере домена, на котором размещен раздел, для которого KCC сообщает, что путь репликации не может быть вычислен. Начните с контроллера домена, который сообщает об этой проблеме. Для выполнения этой процедуры у вас должно быть членство в группе «Администраторы домена» или вам должны быть делегированы соответствующие полномочия. Чтобы убедиться, что контроллеры домена, на которых размещен указанный раздел каталога, доступны откройте командную строку в режиме администратора и введите:

Эта команда проверяет, доступны ли контроллеры домена и правильно ли они зарегистрированы на серверах системы доменных имен (DNS). Устраните все проблемы, обнаруженные при запуске этого теста.

Более подробную диагностическую информацию можно получить из команды представленной ниже, единственное необходимо в рамках леса иметь права администратора предприятия.

Если вы видите ошибки в топологии сайтов, то вы можете проверить вот такие вещи:

• Настройте предпочтительный сервер-плацдарм. В Windows 2003 и выше все контроллеры домена рандомизируются в качестве серверов-плацдармов вместо того, чтобы иметь один единственный, как требуется для Windows 2000. При установке этого значения один контроллер домена становится сервером-плацдармом — и, если вы установите только один, и он будет не доступен, то проверка согласованности знаний (KCC) не найдет других партнеров? Просто скажи нет на этом. Если у вас есть какие-либо из них, отмените их, сняв флажок в оснастке «Сайты и службы».

• Убедитесь, что все сайты определены в ссылках сайта — это может показаться очевидным, но вы будете удивлены, насколько часто это проблема. В одном случае администратор сообщил, что один регион, содержащий несколько сайтов AD, вообще не реплицировался. После проверки я обнаружил, что на сайте хаба в этом регионе не было ссылок на сайты, определенные для какого-либо сайта. Я был поражен, что они не обнаружили это раньше, так как не было никакой репликации на любой другой DC вообще.

Осиротевшие объекты

Однажды один сервер глобального каталога был понижен в должности, но нетерпеливый администратор хотел ускорить очистку Active Directory, поэтому он сократил значение времени tombstonelifetime и затем принудительно запустил сборку мусора. К сожалению, он сделал это до того, как удаление сервера глобального каталога (GC) было отреплицировано на все DC и GC в лесу. Я получал ошибку 1311 вместе с множеством других, заявляющих, что Active Directory пытается реплицировать объект, у которого нет родителя, но он не идентифицирует родителя. В итоге я включал подробное ведение журнала и наконец определил GUID проблемного объекта. Используя инструмент LDP.exe, я смог удалить этот объект и остановить события 1311.

Ошибки DNS

Поскольку репликация AD зависит от разрешения имен DNS, чтобы найти контроллеры домена для репликации, в случае поломки DNS может привести к возникновению событий 1311. Здесь полезно то, что если виновником является DNS, то в событии 1311 фраза «Ошибка поиска DNS» будет включена в описание. Если вы видите эту фразу, то у вас абсолютно точно есть проблема с DNS, которую нужно исправить. Я никогда не видел, чтобы эта ошибка оказалась ложной. Обратите внимание, что это не обязательно будет регистрировать событие в журнале DNS, и вы увидите это и в других событиях. Помните, что отсутствие значительных ошибок в журнале событий DNS не означает, что DNS исправен.

Если вернуться конкретно к моему случаю, то у меня контроллер домена отсутствовал уже более 60 дней, и очень глупо его включать, так как это приведет к другим проблемам. Проще такой контроллер домена удалить и по необходимости развернуть новый. Даже если контроллер домена недоступен его можно корректно удалить.

Так же не забывайте проверить, что у вас контроллер удалился с сайта, и если он был в нем один, то лучше удалить сам сайт, если он не используется. Убедитесь, что теперь команды репликации не показывают ошибок 1722 или 1311. На этом у меня все с вами был Иван Семин, автор и создатель IT портала Pyatilistnik.org.

Дополнительно

• https://docs.microsoft.com/ru-ru/windows-server/identity/ad-ds/get-started/replication/active-directory-replication-concepts
• https://social.technet.microsoft.com/wiki/contents/articles/1375.event-id-1311-microsoft-windows-activedirectory-domainservice.aspx

Event ID 1311 — Microsoft-Windows-ActiveDirectory_DomainService

Error 1311 active directory

Добрый день! Уважаемые читатели и гости одного из крупнейших IT блогов рунета Pyatilistnik.org. В прошлый раз мы с вами освежили в памяти комбинации горячих клавиш Windows 10. В сегодняшней статье я хочу потраблшутить с активным каталогом, а именно мы рассмотрим как устраняется и в чем причины ошибки с кодом ID 1311 при репликации Active Directory. Данная ошибка может появляться каждые 15 минут. Давайте ее исправим и на будущее научимся ее диагностировать сходу.

Описание ошибки 1311

У меня есть два домена Active Directory, корневой root и дочерний child, все в рамках одного дерева и леса. В какой-то момент в логах Windows на контроллерах домена я обнаружил ошибку:

Directory partition:
DC=child,DC=pyatilistnik,DC=org

There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.

User Action
Perform one of the following actions:
— Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
— Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.

If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.

Данная ошибка появляется каждые 15 минут.

Причины ошибки 1311

Одна из самых печально известных ошибок репликации — это событие с кодом 1311, оно может быть вызвано рядом причины:

• Один или несколько контроллеров домена недоступны по сети или один или несколько контроллеров домена находятся в автономном режиме.
• Один или несколько сайтов не могут взаимодействовать друг с другом из сетевых ошибок, например один или несколько сайтов не содержатся в ссылке на сайт.
• Ссылки сайта содержат все сайты, но ссылки сайта не связаны между собой. Это условие известно как несвязанные ссылки на сайте.
• Контроллеры домена-плацдарма подключены, но возникают ошибки при попытке репликации необходимого раздела каталога между сайтами Active Directory.
• Предпочтительные серверы-плацдармы, определенные администратором, подключены к сети, но на них не размещен необходимый раздел каталога. Наиболее распространенная неправильная конфигурация — это определение серверов не глобального каталога в качестве серверов-плацдармов.
• Предпочтительные плацдармы правильно определены администратором, но в настоящее время они отключены.
• Сервер-плацдарм перегружен, поскольку сервер не производительный, слишком много сайтов филиалов пытаются реплицировать изменения с одного и того же контроллера домена-концентратора, или расписание репликации на сайтах слишком частое.
• Средство проверки согласованности знаний (KCC) создало альтернативный путь для обхода межсайтового соединения, но продолжает повторять попытку сбойного соединения каждые 15 минут.
• Мост включен в сайтах и службах Active Directory, но сеть не позволяет подключаться к сети между любыми двумя контроллерами домена в лесу.
• Предпочитаемый сервер-плацдарм настроен и отключен
• Ошибка разрешения DNS-имени
• Ошибка 1311 может быть просто результатом другой, более серьезной проблемы и исчезнет, ​​когда эта проблема будет решена.

Диагностика и устранение ошибки 1311

KCC — это специальный процесс, который выполняется абсолютно на всех контроллерах домена и создает топологию репликации для Active Directory леса. KCC создает отдельные топологии репликации в зависимости от того, выполняется ли репликация на сайте (внутрисайтовая) или между сайтами (межсайтовой). KCC также динамически корректирует топологию, чтобы она соответствовала добавлению новых контроллеров домена, удалению существующих контроллеров домена, перемещению контроллеров домена на сайты, изменяющимся затратам и расписаниям, а также к контроллерам домена, временно недоступен или находится в состоянии ошибки.

Если вы подробно еще раз посмотрите ошибку 1311, то там нет точного упоминания какой именно контроллер домена является проблемным. Для этого мы с вами можем воспользоваться уже знакомой утилитой Repadmin по проверке репликации Active Directory. Выполните команду:

Несмотря на то, что 1311 может не отображаться здесь, для него характерно сопряжение с событием «1722 Сервер RPC недоступен (The RPC server is unavailable)» (что в основном означает отсутствие физической связи). Тут же я вижу, что контроллер недоступен более 60 дней.

так же полезно будет выполнить команду, которая покажет подробную топологию по сайтам:

Вот вам пример, когда отсутствует связь с контроллером домена «The remote system is not available. For information about network troubleshooting».

Элементарно проверить сетевую доступность нужного контроллера домена можно с помощью утилит командной строки ping и tracert. Убедитесь, что у вас правильные настройки ip адреса на недоступном контроллере, правильные маршруты, нет блокировок на уровне брандмауэра, разрешены порты Active Directory.

Если по сети контроллер отвечает, то нужно убедиться, что существует адекватное подключение к сайту. Выполните следующую процедуру на каждом контроллере домена, на котором размещен раздел, для которого KCC сообщает, что путь репликации не может быть вычислен. Начните с контроллера домена, который сообщает об этой проблеме. Для выполнения этой процедуры у вас должно быть членство в группе «Администраторы домена» или вам должны быть делегированы соответствующие полномочия. Чтобы убедиться, что контроллеры домена, на которых размещен указанный раздел каталога, доступны откройте командную строку в режиме администратора и введите:

Эта команда проверяет, доступны ли контроллеры домена и правильно ли они зарегистрированы на серверах системы доменных имен (DNS). Устраните все проблемы, обнаруженные при запуске этого теста.

Более подробную диагностическую информацию можно получить из команды представленной ниже, единственное необходимо в рамках леса иметь права администратора предприятия.

Если вы видите ошибки в топологии сайтов, то вы можете проверить вот такие вещи:

• Настройте предпочтительный сервер-плацдарм. В Windows 2003 и выше все контроллеры домена рандомизируются в качестве серверов-плацдармов вместо того, чтобы иметь один единственный, как требуется для Windows 2000. При установке этого значения один контроллер домена становится сервером-плацдармом — и, если вы установите только один, и он будет не доступен, то проверка согласованности знаний (KCC) не найдет других партнеров? Просто скажи нет на этом. Если у вас есть какие-либо из них, отмените их, сняв флажок в оснастке «Сайты и службы».

• Убедитесь, что все сайты определены в ссылках сайта — это может показаться очевидным, но вы будете удивлены, насколько часто это проблема. В одном случае администратор сообщил, что один регион, содержащий несколько сайтов AD, вообще не реплицировался. После проверки я обнаружил, что на сайте хаба в этом регионе не было ссылок на сайты, определенные для какого-либо сайта. Я был поражен, что они не обнаружили это раньше, так как не было никакой репликации на любой другой DC вообще.

Осиротевшие объекты

Однажды один сервер глобального каталога был понижен в должности, но нетерпеливый администратор хотел ускорить очистку Active Directory, поэтому он сократил значение времени tombstonelifetime и затем принудительно запустил сборку мусора. К сожалению, он сделал это до того, как удаление сервера глобального каталога (GC) было отреплицировано на все DC и GC в лесу. Я получал ошибку 1311 вместе с множеством других, заявляющих, что Active Directory пытается реплицировать объект, у которого нет родителя, но он не идентифицирует родителя. В итоге я включал подробное ведение журнала и наконец определил GUID проблемного объекта. Используя инструмент LDP.exe, я смог удалить этот объект и остановить события 1311.

Ошибки DNS

Поскольку репликация AD зависит от разрешения имен DNS, чтобы найти контроллеры домена для репликации, в случае поломки DNS может привести к возникновению событий 1311. Здесь полезно то, что если виновником является DNS, то в событии 1311 фраза «Ошибка поиска DNS» будет включена в описание. Если вы видите эту фразу, то у вас абсолютно точно есть проблема с DNS, которую нужно исправить. Я никогда не видел, чтобы эта ошибка оказалась ложной. Обратите внимание, что это не обязательно будет регистрировать событие в журнале DNS, и вы увидите это и в других событиях. Помните, что отсутствие значительных ошибок в журнале событий DNS не означает, что DNS исправен.

Если вернуться конкретно к моему случаю, то у меня контроллер домена отсутствовал уже более 60 дней, и очень глупо его включать, так как это приведет к другим проблемам. Проще такой контроллер домена удалить и по необходимости развернуть новый. Даже если контроллер домена недоступен его можно корректно удалить.

Источник

How to troubleshoot Event ID 1311 messages on a Windows domain

This article describes how to troubleshoot event ID 1311 messages in the Directory Service event log on a Windows domain.

Applies to: В Windows Server 2016, Windows Server 2019, Windows Server 2012 R2
Original KB number: В 307593

Symptoms

The Knowledge Consistency Checker (KCC) constructs and maintains the replication topology for Active Directory. To do this, the KCC examines the sum of all naming contexts that reside in the forest and all administrator-defined constraints for site, site link, and link cost.

If an Active Directory domain, a schema, a configuration, an application partition, or the global catalog naming contexts can’t be replicated between domain controllers or sites, an event ID 1311 message similar to the following is logged in the Directory Service event log:

Event Type: Error
Event Source: NTDS KCC
Event Category: Knowledge Consistency Checker
Event ID: 1311
Date: MM/DD/YYYY
Time: HH:MM:SS AM|PM
User: N/A
Computer:
Description:
The Directory Service consistency checker has determined that either (a) there is not enough physical connectivity published via the Active Directory Sites and Services Manager to create a spanning tree connecting all the sites containing the Partition CN=

,DC= ,DC=com, or (b) replication cannot be performed with one or more critical servers in order for changes to propagate across all sites (most often because of the servers being unreachable).

Cause

This behavior occurs if one or more of the following conditions are true:

Site link bridging is enabled on a network that doesn’t support physical network connectivity between two domain controllers in different sites that are connected by a KCC link.

One or more sites aren’t contained in site links.

Site links contain all sites, but the site links aren’t interconnected. This condition is known as disjoint site links.

One or more domain controllers are offline.

Bridgehead domain controllers are online, but errors occur when they try to replicate a required naming context between Active Directory sites.

Administrator-defined preferred bridgeheads are online, but they don’t host the required naming contexts.

Preferred bridgeheads are defined correctly by the administrator, but they’re currently offline.

The bridgehead server is overloaded either because the server is undersized, too many branch sites are trying to replicate changes from the same hub domain controller, or the site link schedules are too frequent.

KCC has built a different path around a site-to-site connection failure, but it retries the failing connection every 15 minutes because it is in connection keeping mode.

The common causes of event ID 1311 messages fall into two categories: improper logical configuration and infrastructure failure. Event ID 1311 messages are logged when an improper logical configuration or a replication error occurs.

Improper logical configuration

A logical configuration is improperly configured when information in the Configuration naming context (NC) (visible in the Sites and Services snap-in) doesn’t match the physical topology of the network that hosts the Active Directory forest. For example, a site may not be properly defined, sites that are missing from site links may be included, site links may not be interconnected, or incorrect bridgeheads may be selected by the administrator.

An infrastructure failure occurs because of one of more of the following events:

• A wide area network (WAN) link fails.
• A domain controller that hosts a necessary naming context is offline.
• A replication failure occurs for one or more naming contexts.
• The inbound partner for the replication has disabled outbound replication.

Resolution

To troubleshoot event ID 1311 messages, use the following methods.

Determine if the event ID 1311 messages are site-specific or forest-wide.

Determine if site link bridging is turned on and if the network is fully routed.

Verify that all sites are defined in site links.

Detect and remove preferred bridgeheads.

Resolve Active Directory replication failures in the forest.

Determine if source servers are overloaded.

Determine if site links are disjointed.

Delete connections if KCC is in «Connection Keeping» mode.

Determine if the Event ID 1311 messages are site-specific or forest-wide

Determine if event ID 1311 messages are logged on all inter-site topology generator (ISTG) domain controllers in the forest or only on site-specific ISTG domain controllers. To locate ISTG domain controllers, use the Ldp.exe tool to search for the following attributes:

• Base DN: CN=Sites,CN=Configuration,DC=RootDomainName,DC=Com
• Filter: (cn=NTDS Site Settings)
• Scope: Subtree
• Attributes: interSiteTopologyGenerator

To determine the scope of the event, use one of the following methods:

Examine the Directory Service event logs of an appropriate number of ISTG domain controllers in the forest.

Use the Eventcombmt.exe tool (available from Microsoft Product Support Services) to search for event ID 1311 messages on an appropriate number of ISTG domain controllers in the forest.

Determine if site link bridging is turned on and if the network is fully routed

When you enable site link bridging in the Active Directory Sites and Services snap-in, you must make sure that any site defined in Active Directory has a fully routed network connection to any other site that is defined by the administrator. If KCC builds a connection link between two unconnected sites in which site link bridging is enabled, event ID 1311 messages may be logged.

Site link bridging is enabled in Active Directory if the following conditions are true:

The Bridge all site links check box is selected for the IP protocol and the SMTP protocol in the Active Directory Sites and Services snap-in.

The Options attribute for the IP protocol and the SMTP protocol is NULL or set to 0 (zero) for the following Domain Name (DN) paths:

• CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC= root domain of forest
• CN=SMTP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC= root domain of forest

To determine if a fully routed network connection exists between two sites, contact your NOS administrator, network administrator, or Active Directory architect.

If site link bridging is enabled in a non-routed environment, either make the network fully routed, or disable site link bridging and then create the site links and site link bridges that you must use. Wait for two times the longest replication interval in the forest. If event ID 1311 messages continue to be logged or if site link bridging is enabled in a fully routed network, continue to the «Verify That All Sites Are Defined in Site Links» method.

By default, site link bridging is turned on. Additionally, the best practice guidelines recommend that you keep site link bridging turned on.

The following diagram uses plus signs (+) and minus signs (-) to illustrate physical network connections between Active Directory sites. Site AZ is listed in site link WEST and site GA is listed in site link EAST, but sites AZ and GA don’t have fully routed network connections to sites WA and NY in an Active Directory configuration where site link bridging is enabled.

Verify that all sites are defined in site links

Every site defined in Active Directory must be hosted or reside in a site link. For example if sites WA, CA, AZ, NY, IL, and GA are defined, and site links WEST, EAST and WANY are defined, event ID 1311 messages are logged if any one site (for example, AZ or GA) isn’t listed in a site link where the sites are physically connected. Sites are orphaned when sites in a deleted site link aren’t added to an appropriate existing site link.

Because sites AZ and GA are not listed in any site links, they are orphaned and the KCC does not consider them when it constructs the replication topology for Active Directory.

The repadmin /showism command is useful for locating improperly configured sites. Output from the repadmin /showism command appears similar to the following example from a forest named corp:

==== TRANSPORT CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=com CONNECTIVITY INFORMATION FOR 3 SITES: ====
0, 1, 2
( 0) CN=US-NC,CN=Sites,CN=Configuration,DC=corp,DC=com 0:0:0, 100:15:0, 200:15:0
( 1) CN=US-TX,CN=Sites,CN=Configuration,DC=corp,DC=com 100:15:0, 0:0:0, 100:15:0
( 2) CN=US-WA,CN=Sites,CN=Configuration,DC=corp,DC=com 200:15:0, 100:15:0, 0:0:0

Unlike other arguments for the repadmin command, you cannot run the repadmin /showism command from a remote computer. You must run the repadmin /showism command from the console of the domain controller that you want to examine (in most cases, this is the ISTG domain controller).

For each site that is configured for IP-based replication or for SMTP-based replication (not shown), the repadmin /showism command returns a site matrix that represents the connections to all the sites in the forest. Each entry in the site matrix contains three numbers delimited by colons (:) that represent the cost, replication interval, and options for each replication link to another site in the Active Directory forest. The numbers in an entry appear in the following order:
Cost : Replication interval : Options

The Cost value indicates the preference for a network link for replicating directory information between sites. The administrator uses the Active Directory Sites and Services snap-in to define the Cost value for each site link.

The Replication interval value indicates the replication frequency of the link in minutes.

The Options value indicates the options for the site link, including site link notification.

When you troubleshoot event ID 1311 messages, you can ignore the Options value.

In the example from the corp.com forest, site link bridging is enabled, and the forest contains three Active Directory sites:

• Site 0: US-NC, an uncovered site that uses the TX NC link to connect to Site 1 (US-TX).
• Site 1: US-TX, which hosts two domain controllers.
• Site 2: US-WA, a covered site that uses the TX WA link to connect to Site 1 (US-TX).

Each site matrix contains one 0:0:0 entry that refers to itself. An entry that contains positive numbers for the cost value and replication interval value (for example, 200:15:0 or 100:15:0) indicates that the site connection is good. A -1:0:0 entry indicates that the site connection isn’t working. Which occurs if one or more of the following conditions is true:

• The replication protocol isn’t used. For example, if SMTP replication isn’t configured, the entries in the SMTP portion of the /SHOWISM matrix all appear as -1:0:0.
• The site doesn’t host any domain controllers (this is known as an uncovered site).
• The site isn’t included in a site link.

If site link bridging is enabled and the repadmin /showism command returns -1:0:0 entries for one or more covered Active Directory sites, make sure that the affected sites are listed in a site link.

A site with a full complement of -1:0:0 entries and one 0:0:0 entry is orphaned unless the site is uncovered (no domain controllers reside in that site). When you troubleshoot event ID 1311 messages, record the names of all orphaned sites, but don’t record the names of uncovered sites.

If site link bridging is disabled, -1:0:0 entries are less meaningful. If it’s the case, you must manually determine if each site is included in a site link. To do so, write down the list of sites and site links, and manually map each site to a site link.

The repadmin /showism command always returns -1:0:0 entries for an uncovered site.

In the following repadmin /showism example, site link bridging is enabled in the corp.com forest, and site link TX WA was deleted. Site 2 (US-WA) is orphaned from all other sites in the forest and must be added to an appropriate site link.

==== TRANSPORT CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=com CONNECTIVITY INFORMATION FOR 3 SITES: ====
0, 1, 2 ( 0) CN=US-NC,CN=Sites,CN=Configuration,DC=corp,DC=com 0:0:0, 100:15:0, -1:0:0
( 1) CN=US-TX,CN=Sites,CN=Configuration,DC=corp,DC=com 100:15:0, 0:0:0, -1:0:0
( 2) CN=US-WA,CN=Sites,CN=Configuration,DC=corp,DC=com -1:0:0, -1:0:0, 0:0:0

Detect and remove preferred bridgeheads

Because correct bridgehead selection is difficult in multi-domain forests, and because Windows 2000 has good fail-over logic in case a KCC-selected bridgehead goes offline, Microsoft strongly recommends that you don’t define preferred bridgehead servers.

To search for preferred bridgehead servers:

Use the Ldp.exe command-line tool to do an LDAP search for the following criteria:
DN Path: cn=sites,cn=configuration,dc=
ObjectClass: server
Attributes: bridgeheadTransportList

Use the FINDSTR command against an LDIFDE export file from the CN=Sites,CN=Configuration container:
LDIFDE CN=SITES,CN=CONFIGURATION,DC= SITEDUMP.LDF
FINDSTR /i «bridgeheadTransportList» SITEDUMP.LDF

If the search returns any results, note the name of server in the Domain Name path in which the bridgeheadTransportList attribute is populated.

If you find any preferred bridgehead servers, use the Site and Services snap-in to remove them, and then wait two times the maximum replication interval in the forest. If event ID 1311 messages continue to be logged, continue to the next method.

Resolve Active Directory replication failures in the forest

Active Directory replication requires the transitive replication of all naming contexts in the forest to all domain controllers that replicate a common partition.

Resolve replication failures for online domain controllers as quickly as possible, especially those that host one-of-a-kind naming contexts in a forest (for example, the only domain controller for a particular domain in the forest). As a last resort, if you can’t make a domain controller replicate, remove it from the forest.

If a domain controller is offline for fewer days than the tombstone lifetime number (by default 60), bring the domain controller online and force it to replicate, or as a last resort, remove it from the forest.

If a domain controller is offline or does not replicate inbound changes for more days than the tombstone lifetime number, do not resuscitate it. Instead, immediately remove it from the forest.

For more information about the TombstoneLifetime value, click the following article numbers to view the articles in the Microsoft Knowledge Base:

• 216993 Useful shelf life of a system-state backup of Active Directory
• 314282 Lingering objects may remain after you bring an out-of-date Global Catalog server back online

When you want to discover and troubleshoot replication failures, the following tools can be useful:

repadmin /failcache : Run this command from the console of each ISTG domain controller in the forest to discover replication failures for bridgeheads in the site for that ISTG.

You can also run this command remotely against other ISTG domain controllers in the forest.

repadmin /showreps : Run this command from the console of each ISTG domain controller in the forest to analyze replication of specific domain controllers that are exposed by the repadmin /failcache command.

dcdiag /test:intersite /e /q : This command tests inter-site connectivity for bridgehead domain controllers in the forest. The result set is limited to domain controllers that experience errors with the /q switch.

dcdiag /test:connectivity /e /q : This command tests name resolution and ldap / rpc connectivity to all domain controllers in the forest. The result set is limited to domain controllers that experience errors with the /q switch.

Examine the Directory Service Event log on ISTG domain controllers and Bridgehead servers, using the following settings for the NTDS Diagnostic levels:

• One Knowledge Consistency Checker: 3
• Five Replication Events: 3
• Internal Processing: 1

The repadmin /failcache command lists replication failures that KCC knows about. The output from the repadmin /failcache command is divided into two sections:

The KCC Link Failures cache lists errors for existing connection links. The ISTG domain controller imports showreps (repsfroms) data for every bridgehead server in its site. However, the ISTG domain controller does not list errors. The link failure cache is emptied at the beginning of every KCC run and refilled during the course of the current run.

The KCC Connection Failures cache lists unsuccessful attempts to build connection objects between domain controllers (reps from or reps to). When you run the repadmin /failcache command from the ISTG domain controller, it lists entries that are imported from bridgeheads in the site. At the beginning of each KCC run, the KCC examines each entry in the connection failure cache and tries to DsBind to the failing server. If the bind succeeds, the entry is removed.

The repadmin /failcache command differs from the repadmin /showreps command in two ways:

• The repadmin /showreps command shows the naming context that is failing. The repadmin /failcache command doesn’t.
• Data from the repadmin /failcache command isn’t replicated between domain controllers.

The following example shows sample output from the repadmin /failcache command.

==== KCC LINK FAILURES > ==================================
USA-WA-24C-24-DC03 DC object GUID: 134244cd-26be-4944-82a7-ac3eb74fc02f No Failures. USA-WA-24B-24-DC02 DC object GUID: 21b050d6-33b5-424d-aa9b-060fe209233d No Failures. USA-WA-24Z-24-DC-05 DC object GUID: bfb3b008-3849-4e5d-81d8-53dbb76d587a No Failures.

Determine if source servers are overloaded

A domain controller that is overloaded with a large number of direct replication partners or a replication schedule that is overly aggressive can create a backlog in which some partners never receive changes from a hub domain controller. In the output from the repadmin /showreps command, partner domain controllers of overloaded source domain controllers appear with the at never status.

To resolve this issue, resize hardware, reconfigure site links and reconfigure site link or connection schedules as necessary to reduce the load on overloaded domain controllers.

Determine if site links are disjointed

Disjoint site links is an Active Directory configuration in which the topology is broken into two parts or in which some sites don’t replicate because site definitions and site link definitions are incorrect. For example, the following diagram shows a configuration in which Sitelink_ABC contains sites A, B, and C and Sitelink_DEF contains sites D, E, and F, but no site link connects any of the sites in Sitelink_ABC to any of the sites in Sitelink_DEF. To resolve the disjoint site links condition, a new site link must connect at least one site in Sitelink_ABC with at least one site in Sitelink_DEF (for example, a new site link between site A and site D).

The following diagram shows another possible a disjoint site links configuration. In this case, a new site link must join any site in Sitelink_ABDC with at least one site in Sitelink_FG (for example, a new site link between site A and site F) to resolve the disjoint site links condition.

Disjoint site links are the most difficult improper configuration to troubleshoot. Look for disjoint site links only after you rule out all other known causes. Use a pencil and paper to graph site topology and locate orphaned sites.

Delete connections if KCC is in Keep Connection mode

If KCC builds a different path around a site-to-site connection failure, but it retries the failing connection every 15 minutes because it is in connection keeping mode, delete all broken connections and let KCC rebuild them. Wait two times the longest replication schedule in the forest.

Terminology and concepts

Bridgehead server: Any domain controller in an Active Directory site that replicates an Active Directory partition (for example, schema, configuration, domain, application partition, or global catalog) to a domain controller in another Active Directory site.

A bridgehead is selected for each unique directory partition, domain, or application partition in an Active Directory site, so a site that hosts three different domains has three in-site bridgehead servers.

Domain controllers replicate all naming contexts that are held in common with their direct replication partners, so a domain controller in the «corp.com» domain replicates CN=SCHEMA and CN=CONFIGURATION in addition to the «corp.com» domain naming context with its inter-site bridgehead partner.

Inter-site topology generator (ISTG): For each Active Directory site, a single server, known as the ISTG, is nominated to build the inter-site replication topology.

Uncovered Site: An Active Directory site defined in the Sites and Services snap-in that does not currently contain any Windows 2000 domain controllers. An uncovered site may be waiting for its domain controller to arrive from a staging site. Additionally, a site may be defined as uncovered to provide site preference for client operations.

Truncated output from the REPADMIN /SHOWISM command

In some environments, the repadmin /showism command from build 2195 of Windows quits prematurely during execution and its output is truncated because of an internal error. For example, the top portion of this successful /SHOWISM output from a domain controller in the corp.com domain indicates that 128 sites are defined (0-127).

==== TRANSPORT CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=corp,DC=com

CONNECTIVITY INFORMATION FOR 128 SITES: ====
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13,

14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28,

29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43,

44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58,

59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73,

74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88,

89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103,

104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118,

119, 120, 121, 122, 123, 124, 125, 126, 127

In the following example, the repadmin /showism output stops in the middle of the line for site 115, CN=HeadQuarters.

All DCs in site CN=Headquarters,CN=Sites,CN=Configuration,DC=corp,DC=com (with trans & hosting NC) are bridgehead candidates. (115) CN=headquarters,CN=Sites,CN=Configuration,DC=corp,DC=com -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0,

-1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0,

-1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0,

-1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0,

-1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0, -1:0:0,

Источник

description	ms.assetid	title	author	ms.author	manager	ms.date	ms.topic
Learn more about: Troubleshooting Active Directory Replication Problems	b11f7a65-ec7b-4c11-8dc4-d7cabb54cd94	Troubleshooting Active Directory Replication Problems	iainfoulds	daveba	daveba	05/31/2017	article

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Try our Virtual Agent — It can help you quickly identify and fix common Active Directory replication issues

Active Directory replication problems can have several different sources. For example, Domain Name System (DNS) problems, networking issues, or security problems can all cause Active Directory replication to fail.

The rest of this topic explains tools and a general methodology to fix Active Directory replication errors. The following subtopics cover symptoms, causes, and how to resolve specific replication errors:

Introduction and resources for troubleshooting Active Directory replication

Inbound or outbound replication failure causes Active Directory objects that represent the replication topology, replication schedule, domain controllers, users, computers, passwords, security groups, group memberships, and Group Policy to be inconsistent between domain controllers. Directory inconsistency and replication failure cause either operational failures or inconsistent results, depending on the domain controller that is contacted for the operation, and can prevent the application of Group Policy and access control permissions. Active Directory Domain Services (AD DS) depends on network connectivity, name resolution, authentication and authorization, the directory database, the replication topology, and the replication engine. When the root cause of a replication problem is not immediately obvious, determining the cause among the many possible causes requires systematic elimination of probable causes.

For a UI-based tool to help monitor replication and diagnose errors, download and run the Microsoft Support and Recovery Assistant tool, or use the Active Directory Replication Status Tool if you only want to analyze the replication status.

For a comprehensive document that describes how you can use the Repadmin tool to troubleshoot Active Directory replication is available; see Monitoring and Troubleshooting Active Directory Replication Using Repadmin.

For information about how Active Directory replication works, see the following technical references:

• Active Directory Replication Model Technical Reference
• Active Director Replication Topology Technical Reference

Event and tool solution recommendations

Ideally, the red (Error) and yellow (Warning) events in the Directory Service event log suggest the specific constraint that is causing replication failure on the source or destination domain controller. If the event message suggests steps for a solution, try the steps that are described in the event. The Repadmin tool and other diagnostic tools also provide information that can help you resolve replication failures.

For detailed information about using Repadmin for troubleshooting replication problems, see Monitoring and Troubleshooting Active Directory Replication Using Repadmin.

Ruling out intentional disruptions or hardware failures

Sometimes replication errors occur because of intentional disruptions. For example, when you troubleshoot Active Directory replication problems, rule out intentional disconnections and hardware failures or upgrades first.

Intentional disconnections

If replication errors are reported by a domain controller that is attempting replication with a domain controller that has been built in a staging site and is currently offline awaiting its deployment in the final production site (a remote site, such as a branch office), you can account for those replication errors. To avoid separating a domain controller from the replication topology for extended periods, which causes continuous errors until the domain controller is reconnected, consider adding such computers initially as member servers and using the install from media (IFM) method to install Active Directory Domain Services (AD DS). You can use the Ntdsutil command-line tool to create installation media that you can store on removable media (CD, DVD, or other media) and ship to the destination site. Then, you can use the installation media to install AD DS on the domain controllers at the site, without the use of replication.

Hardware failures or upgrades</title>

If replication problems occur as a result of hardware failure (for example, failure of a motherboard, disk subsystem, or hard drive), notify the server owner so that the hardware problem can be resolved.

Periodic hardware upgrades can also cause domain controllers to be out of service. Ensure that your server owners have a good system of communicating such outages in advance.

Firewall configuration

By default, Active Directory replication remote procedure calls (RPCs) occur dynamically over an available port through the RPC Endpoint Mapper (RPCSS) on port 135. Make sure that Windows Firewall with Advanced Security and other firewalls are configured properly to allow for replication. For information about specifying the port for Active Directory replication and port settings, see article 224196 in the Microsoft Knowledge Base.

For information about the ports that Active Directory replication uses, see Active Directory Replication Tools and Settings.

For information about managing Active Directory replication over firewalls, see Active Directory Replication over Firewalls.

Responding to failure of an outdated server running Windows 2000 Server

If a domain controller running Windows 2000 Server has failed for longer than the number of days in the tombstone lifetime, the solution is always the same:

1. Move the server from the corporate network to a private network.
2. Either forcefully remove Active Directory or reinstall the operating system.
3. Remove the server metadata from Active Directory so that the server object cannot be revived.

You can use a script to clean up server metadata on most Windows operating systems. For information about using this script, see Remove Active Directory Domain Controller Metadata.

By default, NTDS Settings objects that are deleted are revived automatically for a period of 14 days. Therefore, if you do not remove server metadata (use Ntdsutil or the script mentioned previously to perform metadata cleanup), the server metadata is reinstated in the directory, which prompts replication attempts to occur. In this case, errors will be logged persistently as a result of the inability to replicate with the missing domain controller.

Root causes

If you rule out intentional disconnections, hardware failures, and outdated Windows 2000 domain controllers, the remainder of replication problems almost always have one of the following root causes:

• Network connectivity: The network connection might be unavailable, or network settings are not configured properly.
• Name resolution: DNS misconfigurations are a common cause of replication failures.
• Authentication and authorization: Authentication and authorization problems cause «Access denied» errors when a domain controller tries to connect to its replication partner.
• Directory database (store): The directory database might not be able to process transactions fast enough to keep up with replication time-outs.
• Replication engine: If intersite replication schedules are too short, replication queues might be too large to process in the time that is required by the outbound replication schedule. In this case, replication of some changes can be stalled indefinitely potentially, long enough to exceed the tombstone lifetime.
• Replication topology: Domain controllers must have intersite links in AD DS that map to real wide area network (WAN) or virtual private network (VPN) connections. If you create objects in AD DS for the replication topology that are not supported by the actual site topology of your network, replication that requires the misconfigured topology fails.

General approach to fixing problems

Use the following general approach to fixing replication problems:

1. Monitor replication health daily, or use Repadmin.exe to retrieve replication status daily.

2. Attempt to resolve any reported failure in a timely manner by using the methods that are described in event messages and this guide. If software might be causing the problem, uninstall the software before you continue with other solutions.

3. If the problem that is causing replication to fail cannot be resolved by any known methods, remove AD DS from the server and then reinstall AD DS. For more information about reinstalling AD DS, see Decommissioning a Domain Controller.

4. If AD DS cannot be removed normally while the server is connected to the network, use one of the following methods to resolve the problem:

   • Force AD DS removal in Directory Services Restore Mode (DSRM), clean up server metadata, and then reinstall AD DS.
   • Reinstall the operating system, and rebuild the domain controller.

For more information about forcing removal of AD DS, see Forcing the Removal of a Domain Controller.

Using Repadmin to retrieve replication status</title>

Replication status is an important way for you to evaluate the status of the directory service. If replication is working without errors, you know the domain controllers that are online. You also know that the following systems and services are working:

• DNS infrastructure
• Kerberos authentication protocol
• Windows Time service (W32time)
• Remote procedure call (RPC)
• Network connectivity

Use Repadmin to monitor replication status daily by running a command that assesses the replication status of all the domain controllers in your forest. The procedure generates a .csv file that you can open in Microsoft Excel and filter for replication failures.

You can use the following procedure to retrieve the replication status of all domain controllers in the forest.

Requirements

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

Tools:

• Repadmin.exe
• Excel (Microsoft Office)

To generate a repadmin /showrepl spreadsheet for domain controllers

1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue.

2. At the command prompt, type the following command, and then press ENTER: repadmin /showrepl * /csv > showrepl.csv

3. Open Excel.

4. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.

5. Hide or delete column A as well as the Transport Type column, as follows:

6. Select a column that you want to hide or delete.

   • To hide the column, right-click the column, and then click Hide.
   • To delete the column, right-click the selected column, and then click Delete.

7. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row.

8. Select the entire spreadsheet. On the Data tab, click Filter.

9. In the Last Success Time column, click the down arrow, and then click Sort Ascending.

10. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter.

11. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers.

12. Repeat step 11 for the Last Failure Time column, but use the value does not equal, and then type the value 0.

13. Resolve replication failures.

For every domain controller in the forest, the spreadsheet shows the source replication partner, the time that replication last occurred, and the time that the last replication failure occurred for each naming context (directory partition). By using Autofilter in Excel, you can view the replication health for working domain controllers only, failing domain controllers only, or domain controllers that are the least or most current, and you can see the replication partners that are replicating successfully.

Replication problems and resolutions

Replication problems are reported in event messages and in various error messages that occur when an application or service attempts an operation. Ideally, these messages are collected by your monitoring application or when you retrieve replication status.

Most replication problems are identified in the event messages that are logged in the Directory Service event log. Replication problems might also be identified in the form of error messages in the output of the repadmin /showrepl command.

repadmin /showrepl error messages that indicate replication problems

To identify Active Directory replication problems, use the repadmin /showrepl command, as described in the previous section. The following table shows error messages that this command generates, along with the root causes of the errors and links to topics that provide solutions for the errors.

Repadmin error	Root Cause	Solution
The time since last replication with this server has exceeded the tombstone lifetime.	A domain controller has failed inbound replication with the named source domain controller long enough for a deletion to have been tombstoned, replicated, and garbage-collected from AD DS.	Event ID 2042: It has been too long since this machine replicated
No inbound neighbors.	If no items appear in the «Inbound Neighbors» section of the output that is generated by repadmin /showrepl, the domain controller was not able to establish replication links with another domain controller.	Fixing Replication Connectivity Problems (Event ID 1925)
Access is denied.	A replication link exists between two domain controllers, but replication cannot be performed properly as a result of an authentication failure.	Fixing Replication Security Problems
Last attempt at <date — time> failed with the «Target account name is incorrect.»	This problem can be related to connectivity, DNS, or authentication issues. If this is a DNS error, the local domain controller could not resolve the globally unique identifier (GUID)-based DNS name of its replication partner.	Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088) Fixing Replication Security Problems Fixing Replication Connectivity Problems (Event ID 1925)
LDAP Error 49.	The domain controller computer account might not be synchronized with the Key Distribution Center (KDC).	Fixing Replication Security Problems
Cannot open LDAP connection to local host	The administration tool could not contact AD DS.	Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
Active Directory replication has been preempted.	The progress of inbound replication was interrupted by a higher-priority replication request, such as a request that was generated manually with the repadmin /sync command.	Wait for replication to complete. This informational message indicates normal operation.
Replication posted, waiting.	The domain controller posted a replication request and is waiting for an answer. Replication is in progress from this source.	Wait for replication to complete. This informational message indicates normal operation.

The following table lists common events that might indicate problems with Active Directory replication, along with root causes of the problems and links to topics that provide solutions for the problems.

Event ID and source	Root cause	Solution
1311 NTDS KCC	The replication configuration information in AD DS does not accurately reflect the physical topology of the network.	Fixing Replication Topology Problems (Event ID 1311)
1388 NTDS Replication	Strict replication consistency is not in effect, and a lingering object has been replicated to the domain controller.	Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
1925 NTDS KCC	The attempt to establish a replication link for a writable directory partition failed. This event can have different causes, depending on the error.	Fixing Replication Connectivity Problems (Event ID 1925) Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
1988 NTDS Replication	The local domain controller has attempted to replicate an object from a source domain controller that is not present on the local domain controller because it may have been deleted and already garbage-collected. Replication does not proceed for this directory partition with this partner until the situation is resolved.	Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
2042 NTDS Replication	Replication has not occurred with this partner for a tombstone lifetime, and replication cannot proceed.	Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
2087 NTDS Replication	AD DS could not resolve the DNS host name of the source domain controller to an IP address, and replication failed.	Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
2088 NTDS Replication	AD DS could not resolve the DNS host name of the source domain controller to an IP address, but replication succeeded.	Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
5805 Net Logon	A machine account failed to authenticate, which is usually caused by either multiple instances of the same computer name or the computer name not replicating to every domain controller.	Fixing Replication Security Problems

For more information about replication concepts, see Active Directory Replication Technologies.

Next steps

For more information, including support articles specific to error codes see the support article: How to troubleshoot common Active Directory replication errors

Disclaimer

I am writing this blog  and others to explain how things work and some ways deployment and operational tasks can be handled. In other words, these postings are for demonstration purposes only. Since I am not familiar with your organization or environment I do not know if these steps are applicable to your environment or are even safe to perform in your environment. It is recommended that you contact Microsoft Support prior to making changes in your environment to ensure that these steps are applicable to your environment, and are safe to perform in your environment. By writing this blog I am in no way recommending that you perform these steps in your own environment. If you choose to follow the steps outlined in this or other blog postings on this site, you are assuming the risk for your actions.

1.1                 Repadmin.exe

Repadmin is a tool for checking replication status and troubleshooting replication issue.  Below is a table highlighting commonly used syntax of the repadmin tool.

Syntax	Usage
Repadmin /replsummary	The replsummary operation quickly and concisely summarizes the replication state and relative health of a forest.
Repadmin /replsummary /bysrc /bydest /sort: delta	The replsummary operation quickly and concisely summarizes the replication state and relative health of a forest.
Repadmin /showrepl <DC Name>	Displays the replication partners for each directory partition on the specified domain controller. Helps the administrator build a visual representation of the replication topology and see the role of each domain controller in the replication process.
Repadmin /showutdvec	Displays the highest Update Sequence Number (USN) for the specified domain controller. This information shows how up-to-date a replica is with its replication partners.
Repadmin /showobjmeta <DC> <DN of object>	Displays the replication metadata for a specified object stored in Active Directory, such as attribute ID, version number, originating and local Update Sequence Number (USN), and originating server’s GUID and Date and Time stamp. By comparing the replication metadata for the same object on different domain controllers, an administrator can determine whether replication has taken place.
Repadmin /showconn	Displays the connection objects for a specified domain controller. Default is local site.
Repadmin /replsingleobj <DC List> <Source DSA Name> <Object DN>	Replicates a single object between any two domain controllers that have partitions in common. The two domain controllers do not have a replication agreement. Replication agreements can be shown by using the Repadmin /showrepl command.
Repadmin /replicate <Destination_DC_List> <Naming Context>	Starts a replication event for the specified directory partition between the source and destination domain controllers. The source UUID can be determined when viewing the replication partners by using the Repadmin showrepl operation.
Repadmin /syncall <DC>	Synchronizes a specified domain controller with all replication partners.
Repadmin /queue	Displays tasks waiting in the replication queue.
Repadmin /showmsg <Error>	Displays the error message for a given error number.
Repadmin /viewlist <DC_List>	Displays a list of domain controllers.
Repadmin /showctx <DC_List>	Displays a list of computers that have opened sessions with a specified domain controller.
Repadmin /showcert	Displays the server certificates loaded on a specified domain controller.
Repadmin /removelingeringobjects <Dest_DC_List> <Source DC GUID> <NC> [/ADVISORY_MODE]	Uses an authoritative domain controller to compare the directory of a domain controller (destination) that is suspected of having lingering objects against the directory of a domain controller (source) that is designated as a reference source for up-to-date values for the domain of the destination. When the advisory mode parameter is used, this command provides a list of found lingering objects. When the advisory mode parameter is not used, this command removes lingering objects from the destination domain controller.

Additional information on Repadmin.exe is available here: https://technet.microsoft.com/en-us/library/cc736571(v=ws.10).aspx

1.2                 Repadmin /replsummary

As seen in the screenshot below repadmin /replsummary will give statistics for replication with replication partners.  The output also lists any errors that were encountered with replication. This is useful for getting an overview of any replication issues the DC is having.

You can also sort the output.  In the example below, the output is sorted by the largest delta since last replication.

1.3                 Repadmin /showrepl

As seen below repadmin /showrepl shows the replication status with all of the DCs replication partners and is sorted by the Naming Context that is being replicated.

One trick that can be used to get a more manageable output is to use repadmin to send its output to a CSV and the use PowerShell to convert the CSV to a GridView.  The command to do this is repadmin /showrepl * /csv | ConvertFrom-CSV | Out-GridView

The resulting output is in a manageable GUI.

In GridView you can sort and filter.  Below is an example of filtering on Number of Failures, so that I can easily see what failed.

1.4                 Repadmin /showutdvec

Replications changes are tracked through incrementing numbers called USNs.  There are times where you will want to know what knowledge each DC has about other DCs current state.  The up-to-dateness vector is the knowledge that a DC as about the current state of other DCs.  This information can be useful when trying to troubleshoot replication issues such as USN Rollback.  USN Rollback is when a DC is restored from an unsupported method such as a snapshot.  In that case the up-to-dateness vector would be much larger than the actual USN of the DC. Since, there is going to be some delay in replication you will notice some differences but the numbers should be relatively close.  For example, if you compare the up-to-dateness vector for DC01 across DCs you will notice the following: for itself DC01 has USN of 17347, DC02 has a USN of 17346 for DC01, and DC03 has a USN of 17346 for DC01.  So, we can see the numbers are relatively close and that DC01 potentially has one change that it needs to replicate to DC02 and DC03.

1.5                 Repadmin /showobjmeta

The /showobjmeta switch shows detailed information for attributes of an object.  It is most commonly used when comparing the output of the command from 2 DCs to see if they are in sync and the current status of the attributes.  Differences can be used to identify replication problems.

1.6                 Repadmin /syncall

Repadmin /syncall is used to force replication between domain controllers.  You can easily view options for the /syncall switch with the following command: repadmin /syncall /?

A normal use of repadmin /syncall is with the /AeP switch

1.7                 Repadmin /showmsg

The /showmsg switch is used to convert an error message you may receive as the result of a repadmin command and converts it to human readable text.

1.8                 Repadmin /viewlist

Repadmin /viewlist is used to get a list of domain controllers.

1.9                 PowerShell

PowerShell is an object oriented scripting language that allows enterprises to automate IT tasks.

Below is a conversion table that shows the PowerShell command that can be used in place of the Repadmin command.  So, why would you choose to use PowerShell?  The output of PowerShell commands are objects those objects can be filtered with properties, piped through other PowerShell commands and manipulated to many useful things including great control in how the data is presented to the user.

Command	PowerShell Cmdlet
Repadmin /FailCache	Get-ADReplicationFailure
Repadmin /Queue	Get-ADReplicationQueueOperation
Repadmin /ReplSingleObj	Sync-ADObject
Repadmin /ShowConn	Get-ADReplicationConnection
Repadmin /ShowObjMeta	Get-ADReplicationAttributeMetadata
Repadmin /ReplSummary	Get-ADReplicationPartnerMetadata
Repadmin /Showutdvec	Get-ADReplicationUpToDatenessVectorTable
Repadmin /SiteOptions	Set-ADReplicationSite
Repadmin /ShowAttr	Get-ADObject
Repadmin /Set Attr	Set-ADObject

Get-ADReplicationParnerMetadata is very similar to running repadmin /showrepl.  Without passing the output through another cmdlet the formatting is a bit different then to what you get with repadmin.

However, the advantage is that the output of the command are objects.  You can constrain your views to certain properties.

The other advantage is that you can pass objects through other cmdlets.  As seen here I am passing the output of Get-ADReplicationPartnerMetadata through Output-GridView.

Once in GridView you have the ability to sort and filter the data.

Here is another example of the usefulness of using PowerShell over repadmin.  In this example I take the output of Get-ADReplicationPartnerMetadata then passing it through Select-Object so that we can then limit what objects are presented in GridView.

Here we see the output of that command.

1.10             Replication Errors

Here is a list of replication errors you may come across in either the Directory Services event log or while running repadmin.

Event ID	Replication Error	Issue
1388		Lingering Objects
1988		Lingering Objects
2042		Lingering Objects
1925		DNS Lookup Issues or Connectivity Problems
2087		DNS Lookup Issues
2088		DNS Lookup Issues
1311		Replication Topology Issues
	8614	Tombstone lifetime exceeded
	8524	DNS Lookup failure
	8456	Server is currently rejecting replication requests
	8457	Server is currently rejecting replication requests
	8453	Access was denied
	8452	The naming context is in the process of being removed or is not replicated from the specified server
	5	Access is denied
	-21468930222	The target principal name is incorrect
	1753	There are no more endpoints available from the endpoint mapper
	1722	The RPC server is unavailable
	1396	Logon Failure The Target account name is incorrect
	1256	The remote system is not available
	1127	While accessing the hard disk, a disk operation failed even afer retries
	8451	The replication operation encountered a database error
	8606	Insufficient attributes were given to create an object

2              Troubleshooting Steps for Common Replication Issues

2.1                 Troubleshooting -21468930222  (The target principal name is incorrect)

On the DC that is the cause of the error, perform the following steps:

Step 1: Open Services.msc

Step 2: Configure KDC Service for Manual

Step 3: Stop the Service

Step 4: Restart the Domain Controller

Step 5: Open PowerShell as an Administrator

Step 6: Run: $cred = Get-Credential

Step 7: Enter Credentials and click OK

Step 8: Run, Reset-ComputerMachinePassword –Server <ServerName> -Credential $cred

Step 9: Restart the server

Step 10: Set the KDC service to Automatic, Start the service and click OK.

2.2                 Troubleshoot Replication Error 8606, Event ID 1388, and Event ID 1988

These issues are caused by lingering objects.  Lingering objects can be caused when a domain controller is taken offline for an extended period of time, does not replicate for longer than the tombstone lifetime, or is restored from a backup that is older than the tombstone lifetime. 

When an object is deleted it is put in a tombstone state.  After the tombstone lifetime passes (typically 180 days), DC run garbage collection and those tombstone objects are deleted.  If a DC was offline for the entire TSL and then were brought back online they may have objects that have since been deleted, tombstoned, and garbage collected.  Any objects that were deleted will still exist on that DC.  These objects go unnoticed until a change is made to that object then the DC attempts to replicate that object, and at that point that is where it is either re-introduced into the environment or if strict replication consistency is enabled, blocked. 

2.2.1   How to Determine TSL

Run the following command: dsquery * “cn=directory service,cn=windows nt,cn=services,cn=configuration,<Forest DN>” –scope base –attr tombstonelifetime

2.2.2   How to Remove Lingering Objects

2.2.2.1          Repadmin /removelingeringobjects

One way to remove lingering objects is to user repadmin with the /removelingeringobjects switch.  First you must identify a clean source of the partition.  The syntax of the command is repadmin /removelingeringobjects <Dest DC Name> <Source DC Guid> <Naming Context>.  So, in other words you need to identify the source DCs guid and the Naming Context you want to clean.  The naming context will be available in the Event 1388 or 1988 you receive in the event long.  Once you find a clean source you can obtain the guid by opening DNS Manager and opening up the _msdcs Zone and obtaining the CName record for the DC in question.

Below is an example of running the repadmin /removelingeringobjects command

You will receive an Event 1937 when the removal of lingering objects begins.

You will then receive an Event 1939 when removal completes.

2.2.2.2          Repadmin /rehost

An alternative to using repadmin /removelingeringobjects command is to unhost the partition so that the domain controller no longer has that partition and then rehosting the entire partition with a good source.

The repadmin syntax for unhosting the partition is repadmin /unhost <DC Name> <Partition Name>

You will receive an event an event 1658 when the removal begins.

You will receive an event 1660 when the removal completes

The syntax for rehosting the partition is: repadmin /rehost <Dest DC Name> <Partition> <Source DC Name>

2.3                 Troubleshooting Event ID 2042

Review event log for any 1988 or 1388 errors.  If found use the previous section to remove the lingering objects from the domain controller. 

Option 1: Re-hosting the partition that has not replicated

If the partition is a GC partition consider unhosting and rehosting the partition. Instructions for unhosting and rehosting are in the previous section called Repadmin /rehost

Option 2: Removing and then re-adding the domain controller to Active Directory

Another option is removing the DC from Active Directory and Re-promoting the Domain Controller

Step 1: Run Import-Module ADDSDeployment

Step 2: Run: Uninstall-ADDSDomainController –DemoteOperationMasterRole:$true –Force:$true

Step 3: Enter and confirm the new local password

Step 4:  Next you will need to run the Install –ADDSDomainController cmdlet.  Below is a sample that you can use.  You will need to modify the template to meet the requirements of your environment. 

Install-ADDSDomainController –NoGlobalCatalog:$false –CreateDnsDelegation:$false –CriticalReplicationOnly:$false –DatabasePath “C:WindowsNTDS” –DomianName “fabrikam.com” –InstallDNS:$true –LogPath “C:WindowsNTDS” –ReBootOnCompletion:$false –ReplicationSourceDC “DC01.fabrikam.com” –SiteName “Default-First-Site-Name” –SysvolPath “C:WindowsSYSVOL” –Force:$true

Option 3: Enabling Replication with Divergent and Corrupt Partner

Due to the risk of adding lingering objects to Active Directory the final consideration should be enabling the following setting: Allow Replication With Divergent and Corrupt Partner. 

Step 1: To enable this setting run the following command on the domain controller:

repadmin /regkey <hostname> +allowDivergent

Step 2: Let replication complete

Step 3: Disable the setting with the following command: repadmin /regkey <hostname> -allowDivergent

2.4                 Troubleshooting Event ID 1311

Event 1311 is caused when there is not complete connectivity between domain controllers. There are a number of reasons there may not be complete connectivity. 

2.4.1   ISTG

The Inter-Site Topology Generator (ITSG) is responsible for building the replication topology.  So to determine what the scope of the connectivity issues it is important to identify the ISTGs that are logging 1311. 

To find the ISTGs in your environment you need to use ldp.exe

Below are the steps for locating the ISTGs:

Step 1: Launch ldp.exe

Step 2: When LDP opens, select Connection and then Connect…

Step 3: In the Connect dialog box, enter the name of a Domain Controller for the Server you want to connect to and then click OK

Step 4: Click on Connection and then click Bind…

Step 5: In the Bind dialog box, click OK

Step 6: Select the Browse menu and then select Search

Step 7: In the search enter the following:

Base DN: CN=Sites,CN=Configuration,<DN of Forest Root> (example: CN=Sites,CN=Configuration,DC=fabrikam,DC=com)

Filter: (CN=NTDS Site Settings)

Scope: Subtree

Attributes: Append the following to the attributes that are already listed: ;interSiteTopologyGenerator

Step 8: Click Run

Step 9: For each site you will then need to look for interSiteTopologyGenerator to determine the ITSG for each site.

2.4.2   BASL

By default, Bridge All Site Links (BASL) is enabled in Active Directory.  If your environment is not fully routed, then you will want to disable BASL.  By fully routed we mean each site can contact every other site.  If BASL is configured on a network which is not fully routed, the KCC will generate site bridges that cannot actually be reached. To determine if BASL is enabled launch Active Directory Sites and Services (dssite.msc). 

Expand Sites, then Inter-site Transports.

Right-click on IP and select Properties from the context menu

If Bridge all site links is enabled, there will be a check box next to it.  To disable BASL, uncheck the checkbox and click OK.

2.4.3   Site Link Bridges

If you disable BASL you can still bridge site links.  You would do that if you wanted two spoke sites to communicate directly if they could not communicate with the hub site.  In a hub and spoke configuration the cost of crossing to site links (bridging a site link) will typically be a higher then just connecting directly to the hub site.  So, ordinarily you would not have to worry about the Site Link Bridge being used instead of a direct site link.  That being said, there are not a whole lot of scenarios where you would need to create Site Link bridges.

The following steps will allow you to bridge two site links.

Step 1: Open the Active Directory Sites and Services MMC.

Step 2: Expand Sites and then expand Inter-site Transports

Step 3: Select New Site Link Bridge… from the context menu

Add at least two sites to the Site Link Bridge, give it a Name, and click OK

And the Site Link Bridge has been completed.

2.4.4   Verify that all Sites are in a Site Link

Step 1: Run the following command in a PowerShell Console: Get-ADObject –LDAPFilter ‘(objectClass=site)’ –SearchBase (Get-ADRootDSE).ConfigurationNamingContext –Property Name | Format-Table Name

Step 2: In another PowerShell Console run: Get-ADObject –LDAPFilter ‘(objectClass=sitelink)’ –SearchBase (Get-ADRootDSE).ConfigurationNamingContext –Property Name, Cost, Description, Sitelist | Format-List Name, Sitelist

Step 3: Verify that each site that was listed in Step 1 exists in one of the site lists returned in Step 2

If not all sites are contained in a site link that you need to determine what site link that site needs to be added to or if a new site link needs to be created.

And that is all I have for replication troubleshooting for today.

-Chris

Event ID 1311: Replication configuration does not reflect the physical network

Updated: May 1, 2010

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

KB ID 0000126 

Problem

Event ID 1311

Solution

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition: CN=Configuration,DC=domainname,DC=co,DC=uk

There is insufficient site connectivity information in Active Directory Sites and Services for the KCC to create a spanning tree replication topology.

Or, one or more domain controllers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible domain controllers.

Two possible causes, either you have VPN’s connecting all the sites and there is an MTU problem OR there is a dead domain controller that the other domain controllers cannot see.

1. Install Security Update for Windows Server 2003 (KB913446)

2. Added the following DWORD values under HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTCPIPParameters:

Value name: EnablePMTUBHDetect Value: 1

Value name: MTU Value: 1360

4. Open Active Directory Sites and Services – expand everything and make sure there are no domain controllers listed that no longer exist, either as servers or displayed on a replication link.

Related Articles, References, Credits, or External Links

NA

При возникновении этой ошибки в процессе диагностики отказа репликации можно делать вывод о нарушении в работе сети или о неправильных параметрах сети. Если для ускорения работы Active Directory используются сайты, их топология обычно повторяет топологию подключений в глобальной сети.

Если топология подключений через глобальную сеть меняется, необходимо перенастроить связи между сайтами и, возможно, серверы-плацдармы, чтобы они соответствовали новой топологии физической сети. При возникновении такой проблемы необходимо проверить следующие условия.

• Один или несколько контроллеров домена недоступны.
• Один или несколько сайтов находятся за пределами связей между сайтами.
• Предпочтительный сервер-плацдарм настроен неправильно.
• Предпочтительный сервер-плацдарм недоступен.

Для решения этой проблемы необходимо убедиться, что сайты, связи между сайтами и подсети настроены в соответствии с рекомендациями компании Microsoft. Если это так, то можно воспользоваться утилитами ping и pathping для определения проблемы в сети или на одном из маршрутизаторов.

Если настроены предпочтительные серверы-плацдармы, убедитесь, что они доступны. Если сеть не поддерживает полную маршрутизацию, убедитесь, что флажок Установить мост для всех связей сайтов (Bridge all site links) сброшен (этот флажок находится в диалоговом окне Свойства (Properties) связи между сайтами).

После создания связей между сайтами необходимо убедиться в соответствии между связями и топологией сетевых подключений предприятия. Это необходимо, так как домены в разных сайтах должны иметь возможность репликации. Все сайты должны принадлежать как минимум одной связи между сайтами.

Все несоседние сайты должны иметь как минимум одну общую связь. Например, если организация имеет три филиала: в Нью-Йорке, Чикаго и Лос Анджелесе, можно настроить две связи между сайтами: между Нью-Йорком и Чикаго, а также между Чикаго и Лос Анджелесом.

Пока обе связи между сайтами остаются открытыми достаточно долго (не блокируются расписанием) для репликации данных из Нью-Йорка в Лос Анджелес, в конфигурации связей между сайтами не должно возникать проблем.