Symptom & Impact
Domain controllers on Windows Server 2025 show AD replication failures with RPC unavailable errors (1722), often visible in repadmin and Event Viewer. Password changes, group membership updates, and GPO changes fail to converge between sites. Left unresolved, this causes authentication drift and policy inconsistency across production workloads.
Environment & Reproduction
This appears in multi-DC forests after firewall changes, subnet updates, or DNS misregistration. Reproduction is straightforward in a lab by blocking TCP 135 and dynamic RPC high ports between two DCs. Replication attempts then fail while basic ping still succeeds.
repadmin /replsummary
repadmin /showrepl
Get-NetFirewallProfile
Resolve-DnsName dc02.corp.local
Root Cause Analysis
Primary causes include blocked RPC endpoint mapper traffic, stale DNS records, broken secure channel metadata, or time skew affecting Kerberos. Windows Server 2025 AD replication still depends on accurate DNS and RPC negotiation. If either dependency is degraded, KCC cannot maintain healthy replication topology.
Quick Triage
Confirm DNS resolution, RPC reachability, and replication status in under five minutes. Validate that source and destination DCs register correct A and SRV records. Check Directory Service and System logs for correlated errors.
Test-NetConnection dc02.corp.local -Port 135
repadmin /replsummary
dcdiag /test:dns /v
Get-WinEvent -LogName 'Directory Service' -MaxEvents 30
Step-by-Step Diagnosis
Start with repadmin output to isolate failing naming contexts and partners. Validate DNS records, then test RPC ports and firewall rules between site pairs. Finally verify AD site/subnet mappings and Kerberos time offset.
repadmin /showrepl * /csv
Get-ADReplicationFailure -Target * -Scope Forest
Get-DnsServerResourceRecord -ZoneName corp.local -RRType A | ? {$_.HostName -like 'dc*'}
w32tm /monitor
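The Quick Triage and Step-by-Step checks above, combined into one read-only PowerShell pass; this is an added example, not a script from the original article. It resolves each DC's A record, tests the RPC endpoint mapper on TCP 135, reads the DC's own replication partner metadata for result 1722, counts the companion Directory Service events named later in this article, and measures clock offset against the default 5-minute Kerberos tolerance. The DC names, the 24-hour event window and the RSAT modules on the admin workstation are assumptions.

```powershell
# Added example (not from the original article). Read-only triage, run from an
# admin workstation with RSAT (ActiveDirectory, DnsClient, NetTCPIP modules).
# Assumed DC names; adjust for your forest.
$Partners = @('dc01.corp.local', 'dc02.corp.local')

function Test-DcReplicationDependencies {
    param([string[]]$ComputerName, [int]$EventHours = 24, [int]$MaxSkewSeconds = 300)

    foreach ($dc in $ComputerName) {
        # DNS: without a resolvable A record the KCC cannot locate the partner at all.
        $aRecord = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.QueryType -eq 'A' }

        # RPC endpoint mapper: a blocked TCP 135 is the classic source of error 1722.
        $epm = Test-NetConnection -ComputerName $dc -Port 135 -WarningAction SilentlyContinue

        # Replication metadata as the DC itself sees it; result 1722 = RPC server unavailable.
        $meta = @(Get-ADReplicationPartnerMetadata -Target $dc -ErrorAction SilentlyContinue)
        $rpcDown = @($meta | Where-Object { $_.LastReplicationResult -eq 1722 })
        $worst = ($meta | Measure-Object ConsecutiveReplicationFailures -Maximum).Maximum

        # Companion events from the article: 1311 (KCC topology), 1865 (site unreachable),
        # 2042 (replication gap exceeded tombstone lifetime), within the assumed window.
        $events = @(Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Directory Service'; Id = 1311, 1865, 2042
            StartTime = (Get-Date).AddHours(-$EventHours) })

        # Time skew: Kerberos rejects tickets outside the default 5-minute tolerance.
        # /dataonly prints lines like "14:03:12, +00.0004721s"; take the signed offset.
        $strip = w32tm /stripchart /computer:$dc /samples:1 /dataonly 2>$null
        $skew = if (($strip -join ' ') -match '([+-]\d+\.\d+)s') { [double]$Matches[1] } else { $null }

        [pscustomobject]@{
            DC                     = $dc
            DnsA                   = if ($aRecord) { $aRecord.IPAddress -join ',' } else { 'MISSING' }
            Rpc135Open             = [bool]$epm.TcpTestSucceeded
            PartnersReporting1722  = $rpcDown.Count
            MaxConsecutiveFailures = $worst
            AdEventsInWindow       = $events.Count
            ClockSkewSeconds       = $skew
            KerberosSkewOk         = ($null -ne $skew) -and ([math]::Abs($skew) -lt $MaxSkewSeconds)
        }
    }
}

Test-DcReplicationDependencies -ComputerName $Partners | Format-Table -AutoSize
```

A row with DnsA = MISSING or Rpc135Open = False points at the DNS/RPC dependencies the Root Cause section lists; a row that passes both but still reports 1722 suggests the dynamic RPC range rather than the endpoint mapper is blocked.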
Solution — Primary Fix
Restore DNS correctness and allow RPC endpoint mapper traffic plus the dynamic RPC ports between domain controllers. Force DNS registration and trigger replication from known healthy partners. Re-run dcdiag and repadmin before closing the incident.
ipconfig /registerdns
Set-NetFirewallRule -DisplayGroup 'Remote Service Management' -Enabled True
repadmin /syncall /AdeP
repadmin /replsummary
Solution — Alternative Approaches
If network controls cannot be relaxed immediately, use temporary site-link cost tuning and controlled replication windows. For persistent security constraints, define explicit RPC static port ranges and firewall allowlists. Ensure these controls are documented and monitored.
Verification & Acceptance Criteria
Acceptance requires zero consecutive replication failures for each naming context and no fresh 1722 errors for at least one replication interval. AD object updates created on one DC must appear on peer DCs quickly. Monitoring should show stabilized queue depth.
repadmin /replsummary
repadmin /queue
Get-WinEvent -LogName 'Directory Service' -MaxEvents 20 | ? {$_.Id -in 1311,1865,2042}
Rollback Plan
If a firewall or RPC range change causes side effects, restore prior rules from backup policy export. Revert temporary site-link edits and restart AD-related services only if required in maintenance windows. Keep a snapshot of before/after rule sets.
netsh advfirewall export C:\Temp\fw_after.wfw
# import the prior backup if needed
# netsh advfirewall import C:\Temp\fw_before.wfw
Prevention & Hardening
Baseline DNS health checks, RPC port validation, and replication SLA alarms in monitoring. Enforce change controls for firewall and subnet updates with AD dependency review. Schedule weekly repadmin and dcdiag reports with exception routing.
Related Errors & Cross-Refs
Common companion errors include Event ID 1311, 1865, and Kerberos KDC reachability issues. You may also see SYSVOL lag, Group Policy processing failures, and delayed account lockout propagation. Address DNS/RPC dependencies first before deeper AD recovery actions.
References & Further Reading
Microsoft Learn AD replication troubleshooting guidance, repadmin reference documentation, and DNS best practices for domain controllers should be part of runbooks. Include internal network policy documents that define allowed AD service ports and site-to-site controls.