Active Directory replication keeps domain controllers in sync — changes made on one DC must replicate to all others. When replication fails or falls behind, you end up with inconsistent directory data: password changes not applying, objects missing on some DCs, and authentication failures. Here is how to check and troubleshoot AD replication health.
Check Replication Status with repadmin
repadmin is the primary command-line tool for AD replication. Run it on any domain controller or from a machine with the AD DS Remote Server Administration Tools (RSAT) installed:
# Show replication status for all domain controllers
repadmin /replsummary
# Show detailed replication status
repadmin /showrepl
# Show any replication failures
repadmin /showrepl * /errorsonly
The /replsummary output shows each DC and the number of replication failures. Zero failures means everything is healthy. Any non-zero value warrants investigation. The /errorsonly flag filters out successful replications so you see only what is failing.
Check Replication with PowerShell
# Import the AD module
Import-Module ActiveDirectory
# Get replication failure summary (-Target is required; with -Scope Forest give the forest root domain)
Get-ADReplicationFailure -Scope Forest -Target contoso.local | Select-Object Server, FirstFailureTime, FailureCount, LastError
# Check replication metadata for a specific object
Get-ADReplicationAttributeMetadata -Object "CN=Administrator,CN=Users,DC=contoso,DC=local" -Server DC01 | Select-Object AttributeName, LastOriginatingChangeTime, Version
Check Replication via Active Directory Sites and Services
- Open Active Directory Sites and Services from Server Manager → Tools
- Expand Sites → [your site] → Servers → [DC name] → NTDS Settings
- Right-click a connection object and select Replicate Now to trigger immediate replication
- Right-click NTDS Settings → Check Replication Topology to have KCC verify the replication links
Force Replication Across All DCs
# Force replication from all partners to this DC
repadmin /syncall /AdeP
# Force replication to a specific DC from all partners
repadmin /syncall DC01 /AdeP
The flags mean: /A all naming contexts, /d identify servers by DNS, /e enterprise (cross-site), /P push changes outward.
Check the Event Log for Replication Errors
AD replication errors appear in the Directory Service log in Event Viewer:
- Open Event Viewer → Applications and Services Logs → Directory Service
- Filter for Warning and Error level events
Common replication error events:
- Event ID 1864: replication has not occurred in over 14 days — the DC may hold lingering objects and should be investigated
- Event ID 1311: replication configuration has errors — the replication topology is inconsistent
- Event ID 2042: replication has not occurred for the tombstone lifetime — this DC is in a dangerous state
Run DCDiag for a Full Health Check
# Run full DC diagnostics including replication tests
dcdiag /test:Replications /v
# Run all tests
dcdiag /v
# Run against a remote DC
dcdiag /s:DC02 /test:Replications
dcdiag tests many aspects of DC health including DNS, Kerberos, FSMO roles, and replication. Each test returns PASSED or FAILED. Any FAILED tests should be investigated — the output includes the specific error.
Common Replication Problems and Fixes
Error 1722 — RPC server is unavailable: network connectivity or firewall issue between DCs. Check that TCP port 135 and the dynamic RPC port range (49152–65535) are open between DCs.
Error 1256 — Remote system not available: the partner DC is down or unreachable. Check the DC is online and that DNS resolves its name correctly.
Error 8606 — Insufficient attributes were given to create an object: a lingering object issue. Run repadmin /removelingeringobjects to clean up.
Time skew: if the time difference between DCs exceeds 5 minutes, Kerberos will refuse to authenticate and replication stops. Run w32tm /query /status on each DC and ensure they are all synchronising to the same NTP source.
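As an added example (not code from the original page), the following PowerShell triages the per-partner rows of repadmin /showrepl * /csv using the status codes and tombstone-lifetime warning described above. The CSV rows, the DC and site names and the fixed "now" timestamp are constructed sample data; on a live DC the here-string is replaced by the repadmin call shown in the comment.

```powershell
# Added example, not from the original page: triage the per-partner rows of
# "repadmin /showrepl * /csv". The CSV below is constructed sample data; on a DC
# replace it with:  $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
$sampleCsv = @'
"showrepl_COLUMNS","Destination DSA Site","Destination DSA","Naming Context","Source DSA Site","Source DSA","Transport Type","Number of Failures","Last Failure Time","Last Success Time","Last Failure Status"
"showrepl_INFO","Default-First-Site-Name","DC01","DC=contoso,DC=local","Default-First-Site-Name","DC02","RPC","0","0","2024-05-01 08:00:00","0"
"showrepl_INFO","Default-First-Site-Name","DC01","DC=contoso,DC=local","Branch","DC03","RPC","12","2024-05-01 07:55:00","2024-04-30 09:10:00","1722"
"showrepl_INFO","Branch","DC03","DC=contoso,DC=local","Default-First-Site-Name","DC01","RPC","40","2024-05-01 07:40:00","2024-01-10 12:00:00","8606"
'@
$rows = $sampleCsv | ConvertFrom-Csv
# Status codes discussed on this page, mapped to the usual cause and fix
$knownErrors = @{
    '1722' = 'RPC server unavailable: check TCP 135 and the dynamic RPC range between the DCs'
    '1256' = 'Remote system not available: partner DC down or DNS not resolving its name'
    '8606' = 'Insufficient attributes: lingering objects, run repadmin /removelingeringobjects'
}
function Get-ReplicationTriage {
    param(
        [object[]]$Rows,
        [datetime]$Now = (Get-Date),
        # Tombstone lifetime is 180 days in forests created on Windows Server 2003 SP1
        # or later, 60 days in older ones; set it to your forest's actual value
        [int]$TombstoneDays = 180
    )
    foreach ($r in $Rows) {
        if ($r.showrepl_COLUMNS -ne 'showrepl_INFO') { continue }   # skip non-data rows
        $failures = [int]$r.'Number of Failures'
        if ($failures -eq 0) { continue }                             # healthy partner
        $daysStale = [int][math]::Floor(($Now - [datetime]$r.'Last Success Time').TotalDays)
        $code = $r.'Last Failure Status'
        $diagnosis = if ($knownErrors.ContainsKey($code)) { $knownErrors[$code] } else { "Status $code not in table: check the Directory Service log" }
        # Half the tombstone lifetime without a success means Event ID 2042 is approaching
        $severity = if ($daysStale -ge ($TombstoneDays / 2)) { 'CRITICAL' } else { 'WARNING' }
        [pscustomobject]@{
            Destination      = $r.'Destination DSA'
            Source           = $r.'Source DSA'
            NamingContext    = $r.'Naming Context'
            Failures         = $failures
            DaysSinceSuccess = $daysStale
            ErrorCode        = $code
            Severity         = $severity
            Diagnosis        = $diagnosis
        }
    }
}
# Fixed "now" keeps the sample output reproducible; omit -Now on a live DC
Get-ReplicationTriage -Rows $rows -Now (Get-Date '2024-05-01 08:30:00') |
    Sort-Object DaysSinceSuccess -Descending | Format-Table -AutoSize
```

With the sample data the DC03 to DC01 link (status 8606, 111 days without a success) is reported as CRITICAL and the DC01 to DC03 link (status 1722, 0 days) as WARNING.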