How to Troubleshoot AD Replication Issues on Windows Server 2025
Active Directory replication is the mechanism by which changes made on one domain controller propagate to all others in the environment. When replication breaks down, domain controllers diverge—objects created, modified, or deleted on one DC may not appear on others, causing authentication failures, Group Policy inconsistencies, and account lockout issues. Windows Server 2025 retains the mature replication troubleshooting toolkit built into earlier versions while benefiting from improved event logging and enhanced dcdiag output. This tutorial provides a systematic, step-by-step approach to diagnosing and resolving the most common AD replication failures.
Prerequisites
- Windows Server 2025 domain controllers with the AD DS role
- Domain Admin or Enterprise Admin credentials
- Access to the DNS server hosting AD-integrated zones
- RSAT AD tools installed (Active Directory Users and Computers, Sites and Services)
- Network access between all domain controllers (TCP 135, 49152–65535 for RPC, UDP/TCP 389, 636, 3268, 88)
Step 1: Establish a Baseline with repadmin /replsummary
Before diving into individual errors, get an overview of replication health across all domain controllers. repadmin /replsummary provides a concise table showing which DCs are experiencing the largest replication delays and failure counts.
# Run from any DC or management workstation with RSAT
repadmin /replsummary
# Target a specific DC
repadmin /replsummary dc01.contoso.com
# Show replication status for all DCs in the forest
repadmin /replsummary *
# Identify rows carrying an error code, e.g. "(1722) The RPC server is unavailable."
repadmin /replsummary | Select-String -Pattern '\(\d+\)'
The output groups DCs by source and destination, showing consecutive failures and the time of the last successful replication. Any DC showing failures greater than 0 or a last success timestamp older than your replication interval requires investigation.
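The following is an added example, not part of the original article: it turns the text table that repadmin /replsummary prints into objects and applies exactly the two rules above (any failure count above 0, or a largest delta older than your replication interval). The function names, the parsing regex and the sample output are constructed for this illustration; the delta formats it understands are the ones repadmin emits (for example 12m:05s, 01h:03m:12s, 03d.02h:15m:00s, >60 days, unknown).

```powershell
# Added example: parse "repadmin /replsummary" output into objects and flag rows that
# need attention. The sample below is constructed; for live data call
#   ConvertFrom-ReplSummary -Lines (repadmin /replsummary) -MaxAge (New-TimeSpan -Hours 1)
function ConvertTo-ReplDelta {
    param([string]$Text)
    # "largest delta" looks like "12m:05s", "01h:03m:12s" or "03d.02h:15m:00s".
    # ">60 days" and "unknown" cannot be measured; return $null so the caller treats them as stale.
    if ($Text -match '^>' -or $Text -match 'unknown') { return $null }
    $d = 0; $h = 0; $m = 0; $s = 0
    if ($Text -match '(\d+)d') { $d = [int]$Matches[1] }
    if ($Text -match '(\d+)h') { $h = [int]$Matches[1] }
    if ($Text -match '(\d+)m') { $m = [int]$Matches[1] }
    if ($Text -match '(\d+)s') { $s = [int]$Matches[1] }
    New-TimeSpan -Days $d -Hours $h -Minutes $m -Seconds $s
}

function ConvertFrom-ReplSummary {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # Flag anything whose last success is older than this (use your site link interval)
        [timespan]$MaxAge = (New-TimeSpan -Hours 1)
    )
    $section = $null
    # Row layout: "<DSA>  <largest delta>  <fails> / <total>  <pct>  [(<code>) <message>]"
    $row = '^\s*(?<dsa>\S+)\s+(?<delta>.+?)\s+(?<fails>\d+)\s*/\s*(?<total>\d+)\s+(?<pct>\d+)\s*(?<err>.*)$'
    foreach ($line in $Lines) {
        if ($line -match '^(Source|Destination) DSA') { $section = $Matches[1]; continue }
        if (-not $section -or $line -notmatch $row) { continue }
        $f = $Matches                       # keep a copy; later -match calls replace $Matches
        $delta = ConvertTo-ReplDelta $f.delta
        [pscustomobject]@{
            Role           = $section
            DSA            = $f.dsa
            LargestDelta   = $f.delta
            Fails          = [int]$f.fails
            Total          = [int]$f.total
            Error          = $f.err.Trim()
            NeedsAttention = ([int]$f.fails -gt 0) -or ($null -eq $delta) -or ($delta -gt $MaxAge)
        }
    }
}

# Constructed sample output (not captured from a real forest)
$sample = @'
Replication Summary Start Time: 2025-01-15 09:00:00

Source DSA          largest delta    fails/total %%   error
 DC01                     12m:05s    0 /   5    0
 DC02                 >60 days         5 /   5  100  (1722) The RPC server is unavailable.
 DC03                 01h:42m:10s      0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 DC01                     12m:05s    0 /   5    0
 DC02                 >60 days         5 /   5  100  (1722) The RPC server is unavailable.
'@ -split "`r?`n"

# DC02 (failures, unmeasurable delta) and DC03 (delta above one hour) are flagged; DC01 is not
ConvertFrom-ReplSummary -Lines $sample | Where-Object NeedsAttention | Format-Table -AutoSize
```

Because the output is objects rather than text, the same call can feed a scheduled task that raises an alert only on rows where NeedsAttention is true.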
Step 2: Deep Replication Diagnostics with dcdiag
dcdiag performs a comprehensive health check. The /test:replications flag targets the replication engine specifically, while /v increases verbosity to expose the underlying error codes.
# Run full replication test with verbose output
dcdiag /test:replications /v
# Target a specific DC
dcdiag /s:dc02.contoso.com /test:replications /v
# Save the verbose replication test output to a file for later review (path is quoted so the
# embedded $(...) timestamp expands correctly)
dcdiag /test:replications /v "/f:C:\Logs\dcdiag-$(Get-Date -Format yyyyMMdd-HHmm).txt"
# Check DNS registration which is a prerequisite for replication
dcdiag /test:dns /v /DnsDynamicUpdate
# Run connectivity tests, then the SYSVOL checks (frssysvol applies only where SYSVOL still
# uses FRS; DFSR-migrated domains use /test:dfsrevent instead)
dcdiag /test:connectivity /v
dcdiag /test:frssysvol /v
dcdiag /test:sysvolcheck /v
Pay attention to the specific error codes reported. The three most common codes—1722, 8453, and 1908—each point to different root causes and require different remediation paths.
Step 3: Diagnosing Error 1722 — RPC Server Unavailable
Error 1722 (ERROR_RPC_S_SERVER_UNAVAILABLE) means the destination DC cannot establish an RPC connection to the source DC. This is typically a network, firewall, or name resolution issue rather than an AD problem itself.
# Verify basic connectivity
Test-NetConnection -ComputerName dc01.contoso.com -Port 135
Test-NetConnection -ComputerName dc01.contoso.com -Port 389
Test-NetConnection -ComputerName dc01.contoso.com -Port 3268
# Use portqry to test RPC endpoint mapper and dynamic ports
# (portqry.exe must be downloaded separately or use built-in equivalent)
portqry -n dc01.contoso.com -e 135 -p TCP
# Check that the RPC service is running on the source DC
Invoke-Command -ComputerName dc01.contoso.com -ScriptBlock {
Get-Service RpcSs, RpcEptMapper | Select-Object Name, Status, StartType
}
# Test RPC endpoint mapping explicitly (rpcdump ships in the Windows Resource Kit; /s selects the server)
rpcdump /s dc01.contoso.com 2>&1 | Select-String "ncacn_ip_tcp"
# Verify Windows Firewall is not blocking RPC dynamic ports
Invoke-Command -ComputerName dc01.contoso.com -ScriptBlock {
Get-NetFirewallRule -DisplayName "*Remote Procedure Call*" |
Select-Object DisplayName, Enabled, Direction, Action
}
If firewall rules are correct but RPC still fails, check that the Kerberos authentication infrastructure is healthy—RPC uses Kerberos for secure channel establishment. Also verify that DNS resolves the source DC hostname to the correct IP.
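As an added example (not code from the original article), the checks in this step can be combined into a single function run from the destination DC. It verifies name resolution, the fixed ports listed in the prerequisites, the RPC services on the source, and then the point the individual commands above cannot reach: the dynamic port that lsass (which hosts NTDS) is actually listening on, discovered over WinRM and then tested from the destination. The function name is an assumption, the hostnames are the article's placeholders, and WinRM (TCP 5985) must be open for the remote step to work.

```powershell
# Added example: 1722 pre-checks as one function, run from the destination DC.
# Ports are the fixed ones from the prerequisites; the dynamic RPC port is discovered on the source.
function Test-DcReplicationPath {
    param(
        [Parameter(Mandatory)][string]$SourceDc,
        [int[]]$FixedPorts = @(135, 88, 389, 636, 3268)
    )
    # 1. Name resolution: the FQDN must resolve, and to the address you expect
    $a = Resolve-DnsName -Name $SourceDc -Type A -ErrorAction SilentlyContinue |
         Where-Object { $_.Type -eq 'A' }
    [pscustomobject]@{
        Check  = 'DNS A record'
        Detail = $(if ($a) { $a.IPAddress -join ',' } else { 'not resolved' })
        Pass   = [bool]$a
    }
    # 2. Fixed ports (endpoint mapper, Kerberos, LDAP/LDAPS, global catalog)
    foreach ($p in $FixedPorts) {
        $t = Test-NetConnection -ComputerName $SourceDc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP $p"; Detail = $(if ($t.TcpTestSucceeded) { 'open' } else { 'blocked or closed' }); Pass = $t.TcpTestSucceeded }
    }
    # 3. RPC services on the source, plus the dynamic port(s) lsass listens on (NTDS runs inside lsass)
    $remote = Invoke-Command -ComputerName $SourceDc -ErrorAction SilentlyContinue -ScriptBlock {
        $lsass = (Get-Process -Name lsass).Id
        [pscustomobject]@{
            RpcRunning = (Get-Service RpcSs, RpcEptMapper | Where-Object Status -ne 'Running').Count -eq 0
            NtdsPorts  = Get-NetTCPConnection -State Listen -OwningProcess $lsass |
                         Where-Object { $_.LocalPort -ge 49152 } |
                         Select-Object -ExpandProperty LocalPort -Unique
        }
    }
    if (-not $remote) {
        [pscustomobject]@{ Check = 'WinRM to source'; Detail = 'Invoke-Command failed'; Pass = $false }
        return
    }
    [pscustomobject]@{ Check = 'RpcSs/RpcEptMapper running'; Detail = $remote.RpcRunning; Pass = $remote.RpcRunning }
    # 4. Test the discovered dynamic ports: the endpoint mapper hands these to the destination DC,
    #    so a firewall that allows 135 but not this range still produces error 1722
    foreach ($p in $remote.NtdsPorts) {
        $t = Test-NetConnection -ComputerName $SourceDc -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{ Check = "TCP $p (dynamic RPC)"; Detail = $(if ($t.TcpTestSucceeded) { 'open' } else { 'blocked' }); Pass = $t.TcpTestSucceeded }
    }
}

Test-DcReplicationPath -SourceDc dc01.contoso.com | Format-Table -AutoSize
```

A row that fails only in the dynamic-port section is the classic 1722 signature: the endpoint mapper answers on 135, but the port it hands back is filtered somewhere between the two DCs.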
Step 4: Diagnosing Error 8453 — Replication Access Denied
Error 8453 indicates a permissions problem. The destination DC’s computer account does not have sufficient rights to pull replication data from the source. This commonly occurs after domain functional level changes, incorrect delegation, or when a DC is demoted and re-promoted incorrectly.
# Verify the DC computer account exists and is enabled
Get-ADComputer -Identity "DC01" -Properties * |
Select-Object Name, Enabled, DistinguishedName, msDS-RevealedDSAs
# Check that the replication extended rights exist on the domain NC head. DCs normally hold
# them through the Domain Controllers / Enterprise Domain Controllers groups, not directly.
#   Replicating Directory Changes     = 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2
#   Replicating Directory Changes All = 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2
$domainDN   = (Get-ADDomain).DistinguishedName
$replRights = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2', '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.ObjectType.ToString() -in $replRights } |
    Select-Object IdentityReference, AccessControlType, ObjectType
# Same check with dsacls (it takes the DN itself, not an AD: drive path)
dsacls $domainDN | Select-String "Replicating Directory Changes"
# Verify the DC computer account is still a member of Domain Controllers
$dc = "DC01$"
Get-ADPrincipalGroupMembership -Identity (Get-ADComputer $dc) | Select-Object Name
# If the right is missing, grant it explicitly ("CA;" marks a control access right)
dsacls $domainDN /G "$((Get-ADDomain).NetBIOSName)\${dc}:CA;Replicating Directory Changes"
# Check msDS-ReplAttributeMetaData for the DC object (each value is an XML fragment)
Get-ADComputer -Identity "DC01" -Properties msDS-ReplAttributeMetaData |
    Select-Object -ExpandProperty "msDS-ReplAttributeMetaData" |
    ForEach-Object { ([xml]$_).DS_REPL_ATTR_META_DATA } |
    Select-Object pszAttributeName, dwVersion, ftimeLastOriginatingChange
# Verify the affected DC's secure channel against a healthy partner
Test-ComputerSecureChannel -Server dc01.contoso.com -Verbose
# Reset the DC's machine password: Reset-ComputerMachinePassword is for member machines and
# refuses to run on a DC, so run netdom on the affected DC with its KDC stopped, then restart KDC
Stop-Service kdc
netdom resetpwd /server:dc01.contoso.com /userd:CONTOSO\Administrator /passwordd:*
Start-Service kdc
Step 5: Diagnosing Error 1908 — KDC Not Found
Error 1908 means the Kerberos Key Distribution Center (KDC) could not be located. AD replication relies on Kerberos for authentication, so a missing or unreachable KDC blocks all replication. This usually points to a DNS issue where the DC cannot find SRV records for the KDC.
# Verify Kerberos SRV records exist in DNS
nslookup -type=SRV _kerberos._tcp.contoso.com
nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com
# Use Resolve-DnsName for PowerShell-friendly output
Resolve-DnsName -Name "_kerberos._tcp.contoso.com" -Type SRV -Server 10.0.0.10
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.contoso.com" -Type SRV -Server 10.0.0.10
# Check the Netlogon service is running (it registers SRV records)
Get-Service Netlogon | Select-Object Status
# Force re-registration of DNS records
nltest /dsregdns
ipconfig /registerdns
# Verify KDC service on the PDC emulator
$PDC = (Get-ADDomain).PDCEmulator
Invoke-Command -ComputerName $PDC -ScriptBlock { Get-Service kdc | Select-Object Status }
# Test Kerberos ticket acquisition: purge the cache, request a TGT, then list what was issued
klist purge
klist get krbtgt/contoso.com
klist tickets
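The lookups above check two records on one DNS server. The following is an added example, not part of the original article, that audits the full set of SRV records Netlogon registers (the per-DC records every writable DC must publish, plus the role-based PDC and GC records) on each DNS server, and reports which DCs are absent from the per-DC records. The function name is an assumption; the domain, forest and DNS server address are the article's placeholders.

```powershell
# Added example: audit DC SRV registrations across DNS servers and report missing DCs.
function Test-DcSrvRecords {
    param(
        [Parameter(Mandatory)][string]$DomainDns,                 # e.g. contoso.com
        [string]$ForestDns = $DomainDns,                          # forest root, for GC records
        [string[]]$DnsServers = @('10.0.0.10'),
        [string[]]$ExpectedDcs = (Get-ADDomainController -Filter * -Server $DomainDns).HostName
    )
    # Registered by Netlogon on every writable DC in the domain
    $perDc = @(
        "_ldap._tcp.dc._msdcs.$DomainDns",
        "_kerberos._tcp.dc._msdcs.$DomainDns",
        "_kerberos._tcp.$DomainDns",
        "_kpasswd._tcp.$DomainDns",
        "_ldap._tcp.$DomainDns"
    )
    # Role-specific: only the PDC emulator / global catalogs appear here, so their targets are
    # shown but not compared against every DC
    $roleBased = @(
        "_ldap._tcp.pdc._msdcs.$DomainDns",
        "_gc._tcp.$ForestDns",
        "_ldap._tcp.gc._msdcs.$ForestDns"
    )
    foreach ($srv in $DnsServers) {
        foreach ($name in ($perDc + $roleBased)) {
            # Resolve-DnsName also returns the glue A records; keep only the SRV answers
            $answers = Resolve-DnsName -Name $name -Type SRV -Server $srv -ErrorAction SilentlyContinue |
                       Where-Object { $_.Type -eq 'SRV' }
            $targets = @($answers.NameTarget | ForEach-Object { $_.TrimEnd('.').ToLower() } | Sort-Object -Unique)
            $missing = if ($name -in $perDc) {
                @($ExpectedDcs | Where-Object { $_.ToLower() -notin $targets })
            } else { @() }
            [pscustomobject]@{
                DnsServer  = $srv
                Record     = $name
                Present    = [bool]$answers
                Targets    = $targets -join ','
                MissingDcs = $missing -join ','
            }
        }
    }
}

# Show only problems: records that do not exist at all, or per-DC records missing a DC
Test-DcSrvRecords -DomainDns contoso.com -DnsServers 10.0.0.10 |
    Where-Object { -not $_.Present -or $_.MissingDcs } | Format-Table -AutoSize
```

A DC that is listed under MissingDcs for _kerberos._tcp.dc._msdcs but not for _ldap._tcp.dc._msdcs usually points at a partial registration, which is where nltest /dsregdns on that DC comes in.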
Step 6: Using repadmin for Detailed Replication Analysis
The repadmin toolset provides granular per-partition, per-DC replication state information that is essential for pinpointing where in the replication topology a break has occurred.
# Show full replication partners and status for all partitions
repadmin /showrepl dc01.contoso.com
# Show replication status for all DCs in one view and save it as CSV
repadmin /showrepl * /csv | Out-File -Encoding utf8 C:\Logs\repl-status.csv
# Show Up-to-Dateness Vector — how current each DC's knowledge is
repadmin /showutdvec dc01.contoso.com dc=contoso,dc=com
# Force immediate replication of all partitions from all partners
repadmin /syncall /AdeP
# Force replication of a specific partition from a specific source
repadmin /replicate dc02.contoso.com dc01.contoso.com "DC=contoso,DC=com"
# Show replication metadata for a specific object (useful for tracking propagation)
repadmin /showobjmeta dc01.contoso.com "CN=JohnSmith,OU=Users,DC=contoso,DC=com"
# Show the current value of a specific attribute as this DC holds it (pair with /showobjmeta for version numbers)
repadmin /showattr dc01.contoso.com "DC=contoso,DC=com" /atts:objectVersion
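As an added example (not from the original article), the /csv form of /showrepl is the easiest input for triage: each row is one destination/source/partition link with its failure count and last failure status. The function below keeps the failing links, maps the three error codes this tutorial covers (1722, 8453, 1908) to the step that handles them, and summarizes by code. The column names are the ones repadmin emits in its showrepl_COLUMNS header; the function name, the mapping table and the sample CSV rows are constructed.

```powershell
# Added example: triage "repadmin /showrepl * /csv" by failure code. The CSV below is
# constructed; for live data call  Get-ReplFailureTriage -CsvLines (repadmin /showrepl * /csv)
$ErrorGuide = @{
    1722 = 'Step 3: RPC server unavailable (network, firewall, name resolution)'
    8453 = 'Step 4: replication access denied (permissions, secure channel)'
    1908 = 'Step 5: KDC not found (DNS SRV records, Kerberos)'
}

function Get-ReplFailureTriage {
    param([Parameter(Mandatory)][string[]]$CsvLines)
    $CsvLines | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            $code = [int]$_.'Last Failure Status'
            [pscustomobject]@{
                Destination = $_.'Destination DSA'
                Source      = $_.'Source DSA'
                Partition   = $_.'Naming Context'
                Failures    = [int]$_.'Number of Failures'
                LastSuccess = $_.'Last Success Time'
                Code        = $code
                NextStep    = $(if ($ErrorGuide.ContainsKey($code)) { $ErrorGuide[$code] }
                               else { "unlisted code; decode with: net helpmsg $code" })
            }
        } | Sort-Object Code, Destination, Partition
}

# Constructed sample in the /csv layout (showrepl_COLUMNS header, one showrepl_INFO row per link)
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC02,"DC=contoso,DC=com",Default-First-Site-Name,DC01,RPC,14,2025-01-15 08:55:10,2025-01-14 22:10:03,1722
showrepl_INFO,Default-First-Site-Name,DC02,"CN=Configuration,DC=contoso,DC=com",Default-First-Site-Name,DC01,RPC,14,2025-01-15 08:55:10,2025-01-14 22:10:03,1722
showrepl_INFO,Default-First-Site-Name,DC03,"DC=contoso,DC=com",Default-First-Site-Name,DC01,RPC,2,2025-01-15 08:50:00,2025-01-15 07:00:00,8453
showrepl_INFO,Default-First-Site-Name,DC01,"DC=contoso,DC=com",Default-First-Site-Name,DC02,RPC,0,0,2025-01-15 08:58:00,0
'@ -split "`r?`n"

$triage = Get-ReplFailureTriage -CsvLines $sampleCsv
$triage | Format-Table -AutoSize
# One line per failure code: how many links it affects and which step to open first
$triage | Group-Object Code |
    ForEach-Object { "{0}: {1} failing link(s) -> {2}" -f $_.Name, $_.Count, $_.Group[0].NextStep }
```

Grouping by code before working link by link matters because one root cause (a firewall change, a broken secure channel) typically shows up as the same status on every partition of the affected pair.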
Step 7: Detecting and Removing Lingering Objects
Lingering objects occur when a DC that was offline longer than the tombstone lifetime is brought back online. It contains objects that were deleted on other DCs but still exist locally, causing replication inconsistencies. Windows Server 2025 retains the repadmin /removelingeringobjects command for remediation.
# Check the tombstone lifetime (default 180 days in modern forests)
$configDN = (Get-ADRootDSE).configurationNamingContext
$ts = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configDN" `
-Properties tombstoneLifetime
$ts.tombstoneLifetime
# Detect lingering objects in advisory mode (no removal, just detection).
# The source argument is the DSA GUID of a reference DC you trust to hold current state,
# not its hostname; take it from the objectGUID of that DC's NTDS Settings object
$refDC   = Get-ADDomainController -Identity dc-reference.contoso.com
$refGuid = (Get-ADObject -Identity $refDC.NTDSSettingsObjectDN).ObjectGUID
repadmin /removelingeringobjects dc-stale.contoso.com $refGuid "DC=contoso,DC=com" /advisory_mode
# Remove lingering objects after confirming they exist (Directory Service event 1946 is logged per object found)
repadmin /removelingeringobjects dc-stale.contoso.com $refGuid "DC=contoso,DC=com"
# Check for lingering objects in the Configuration partition
repadmin /removelingeringobjects dc-stale.contoso.com $refGuid "CN=Configuration,DC=contoso,DC=com" /advisory_mode
# Enable strict replication consistency to prevent future propagation
repadmin /regkey dc-stale.contoso.com +strict_replication_consistency
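The following is an added example, not part of the original article: it runs the advisory-mode check against every naming context the stale DC hosts (domain, configuration, schema and application partitions such as DomainDnsZones), resolves the reference DC's DSA GUID itself, and counts the hits from the stale DC's Directory Service log, where advisory mode logs event 1946 per lingering object and 1942 with the total. The function name is an assumption and the hostnames are the article's placeholders; the -Remove switch is the only thing that changes the directory, so run without it first.

```powershell
# Added example: advisory-mode lingering-object scan across all naming contexts of a stale DC.
function Invoke-LingeringObjectScan {
    param(
        [Parameter(Mandatory)][string]$StaleDc,
        [Parameter(Mandatory)][string]$ReferenceDc,
        [switch]$Remove      # omit for advisory mode; add only after reviewing the advisory results
    )
    # /removelingeringobjects wants the reference DC's DSA GUID (objectGUID of its NTDS Settings object)
    $refGuid = (Get-ADObject -Identity (Get-ADDomainController -Identity $ReferenceDc).NTDSSettingsObjectDN).ObjectGUID
    # Every partition the stale DC holds, as the stale DC itself reports them
    $ncs = (Get-ADRootDSE -Server $StaleDc).namingContexts
    foreach ($nc in $ncs) {
        $started = Get-Date
        $cmdArgs = @('/removelingeringobjects', $StaleDc, "$refGuid", $nc)
        if (-not $Remove) { $cmdArgs += '/advisory_mode' }
        $output = & repadmin @cmdArgs 2>&1
        # Count this pass only: events written since the command started
        $events = Get-WinEvent -ComputerName $StaleDc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Directory Service'; Id = 1942, 1946; StartTime = $started
        }
        [pscustomobject]@{
            NamingContext  = $nc
            Mode           = $(if ($Remove) { 'remove' } else { 'advisory' })
            RepadminResult = ($output | Select-Object -Last 1)
            LingeringFound = @($events | Where-Object Id -eq 1946).Count
        }
    }
}

# First pass: detection only. Re-run with -Remove for the partitions that report a non-zero count.
Invoke-LingeringObjectScan -StaleDc dc-stale.contoso.com -ReferenceDc dc-reference.contoso.com |
    Format-Table -AutoSize
```

The event query is filtered by the command's start time, so the clocks of the machine running the scan and the stale DC need to be in sync (Kerberos already requires this) for the counts to be attributed to the right partition.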
Step 8: Detecting USN Rollback
USN rollback happens when a DC is restored from a snapshot or backup without using a VSS-aware restore procedure. The DC presents an old Update Sequence Number (USN), causing other DCs to stop accepting its updates. Windows Server 2025 with VM-GenerationID support prevents this automatically in virtualized environments, but physical DCs and legacy hypervisors remain vulnerable.
# Check for USN rollback indicators in the Directory Service event log
Get-WinEvent -LogName "Directory Service" -MaxEvents 500 |
    Where-Object { $_.Id -in @(2095, 2103) } |
    Format-Table TimeCreated, Id, Message -AutoSize
# View the highest committed USN per invocation ID as this DC knows it
repadmin /showutdvec dc01.contoso.com dc=contoso,dc=com
# Check if VM-GenerationID protection is active (virtualized DCs): a hypervisor that exposes a
# generation ID populates msDS-GenerationId on the DC's computer object
Get-ADComputer -Identity "DC01" -Properties msDS-GenerationId |
    Select-Object Name, @{ n = 'VMGenerationIdPresent'; e = { $null -ne $_.'msDS-GenerationId' } }
# Registry markers: "DSA Database Epoch" is compared with the database at startup, and
# "Dsa Not Writable" = 4 means the DC has already detected USN rollback and paused replication
Invoke-Command -ComputerName dc01.contoso.com -ScriptBlock {
    Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" |
        Select-Object "DSA Database Epoch", "Dsa Not Writable"
}
# If USN rollback is confirmed, the DC must be demoted and re-promoted.
# -Force only suppresses the confirmation prompt; -ForceRemoval is the forced demotion and should
# be used only when the DC is unrecoverable (it then needs ntdsutil metadata cleanup afterwards)
Uninstall-ADDSDomainController `
    -DemoteOperationMasterRole `
    -LastDomainControllerInDomain:$false `
    -LocalAdministratorPassword (Read-Host -AsSecureString "New local Administrator password") `
    -Credential (Get-Credential) `
    -Force
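As an added example (not from the original article), the indicators in this step can be swept across every DC in the domain in one pass: the two event IDs named above, the Dsa Not Writable registry value that NTDS sets to 4 when it detects rollback, and the DISABLE_INBOUND_REPL / DISABLE_OUTBOUND_REPL flags that repadmin /options reports once a DC has quarantined itself. The function name and the Suspect rule are assumptions; WinRM must be reachable on each DC for the registry read.

```powershell
# Added example: sweep all DCs for USN rollback indicators and return one row per DC.
function Test-UsnRollback {
    param([string[]]$DomainControllers = (Get-ADDomainController -Filter *).HostName)
    foreach ($dc in $DomainControllers) {
        # 1. Events: 2095 (rollback detected by a partner) and 2103 (unsupported restore detected locally)
        $events = Get-WinEvent -ComputerName $dc -MaxEvents 5 -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Directory Service'; Id = 2095, 2103
        }
        # 2. Registry marker written by NTDS when it detects rollback (value 4)
        $notWritable = Invoke-Command -ComputerName $dc -ErrorAction SilentlyContinue -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue).'Dsa Not Writable'
        }
        # 3. A DC that detected rollback disables replication in both directions
        $options     = (& repadmin /options $dc 2>&1) -join ' '
        $inboundOff  = $options -match 'DISABLE_INBOUND_REPL'
        $outboundOff = $options -match 'DISABLE_OUTBOUND_REPL'
        [pscustomobject]@{
            DC               = $dc
            RollbackEvents   = @($events).Count
            DsaNotWritable   = $notWritable
            InboundDisabled  = $inboundOff
            OutboundDisabled = $outboundOff
            # Any single indicator is enough to pull the DC out of service for a closer look
            Suspect          = (@($events).Count -gt 0) -or ($notWritable -eq 4) -or ($inboundOff -and $outboundOff)
        }
    }
}

Test-UsnRollback | Format-Table -AutoSize
```

A DC with both replication directions disabled but no 2095/2103 event in its recent log is still worth treating as suspect: the events may have rolled out of a busy log while the registry and repadmin flags persist until the DC is demoted.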
Conclusion
Active Directory replication troubleshooting on Windows Server 2025 is a methodical process that begins with a high-level summary (repadmin /replsummary), moves into targeted diagnostics (dcdiag /test:replications /v), and then addresses specific error conditions using the right tools for each failure code. Error 1722 points to RPC and network stack issues, 8453 to permissions and secure channel problems, and 1908 to KDC and DNS SRV record failures. Lingering objects and USN rollback require their own detection and remediation procedures. By working through these steps systematically—verifying DNS, connectivity, service health, permissions, and replication metadata—you can restore a healthy replication topology in the shortest possible time and build operational runbooks to prevent recurrence.