How to Configure Active Directory Replication on Windows Server 2019

Introduction to Active Directory Replication

Active Directory is a distributed database. In a multi-domain-controller environment, changes made on one DC must propagate to all other DCs in the domain. This process is called replication. Windows Server 2019 uses two replication topologies: intrasite replication (within a site, using RPCs over TCP/IP, triggered within seconds) and intersite replication (between sites, using IP or SMTP, scheduled by administrators). Understanding and properly configuring replication ensures consistent authentication data and prevents replication failures that can lead to login problems, stale group policies, or split-brain scenarios.

Active Directory Replication Topology

Active Directory uses a multi-master replication model. The Knowledge Consistency Checker (KCC) service runs on each DC and automatically builds a bidirectional ring replication topology called a connection object graph. The KCC creates connection objects in the NTDS Settings of each DC, defining which DC is the replication partner. In large environments, the Intersite Topology Generator (ISTG) role holder builds cross-site connection objects.

Replication occurs on two planes: the AD partition namespace (NC), which includes the Domain NC, Configuration NC, Schema NC, and Application NCs, and the SYSVOL share, which replicates Group Policy files using either FRS (legacy) or DFSR (preferred and default on Server 2019 domains).

Checking Replication Status

The repadmin utility is the primary tool for monitoring and troubleshooting replication. Run repadmin /replsummary for an overview of replication health across all DCs.

repadmin /replsummary

To check the replication status from the perspective of a specific DC:

repadmin /showrepl DC01

For a concise health check across all DCs in the forest:

repadmin /replsummary /bysrc
repadmin /replsummary /bydest

Viewing Replication Partners

View the replication partners and their current connection objects for a specific DC. This shows which DCs exchange replication data and the partitions being replicated.

repadmin /showconn DC01

repadmin /showrepl DC01 /csv > C:repl_report.csv

Forcing Immediate Replication

To force immediate replication between two specific DCs, use repadmin /replicate. Specify the destination DC, source DC, and the naming context (partition) to replicate. This is useful after making urgent changes such as user account modifications or security policy updates that need to propagate immediately.

repadmin /replicate DC02 DC01 DC=yourdomain,DC=com

To force replication of all partitions from all partners on all DCs simultaneously:

repadmin /syncall /Ade

The flags mean: /A = replicate all partitions, /d = display object distinguished names in messages, /e = enterprise-wide (cross-site). This is the fastest way to force full convergence across the entire forest.

Configuring Active Directory Sites

AD Sites define replication boundaries based on network topology. Each site corresponds to a well-connected IP subnet. Open Active Directory Sites and Services to manage site topology.

dssite.msc

Create sites for each physical location, assign subnets to sites, and move domain controllers to their correct sites. Proper site configuration ensures clients authenticate against the nearest DC and replication follows the correct network paths.

# Create a new site
New-ADReplicationSite -Name "London"

# Create a subnet and assign to site
New-ADReplicationSubnet -Name "10.20.0.0/16" -Site "London"

# Move a DC to a site
Move-ADDirectoryServer -Identity DC03 -Site "London"

Configuring Site Links

Site links define how sites connect to each other for replication. A site link has three key properties: cost (lower cost = preferred path), replication interval (minimum 15 minutes), and schedule (windows when replication is allowed). Create a site link between London and the Default-First-Site-Name.

New-ADReplicationSiteLink `
    -Name "HQ-London-Link" `
    -SitesIncluded "Default-First-Site-Name","London" `
    -Cost 100 `
    -ReplicationFrequencyInMinutes 15 `
    -InterSiteTransportProtocol IP

Modify an existing site link’s cost and schedule:

Set-ADReplicationSiteLink `
    -Identity "HQ-London-Link" `
    -Cost 50 `
    -ReplicationFrequencyInMinutes 30

Diagnosing Replication Failures

Replication failures often appear as USN rollback, replication quarantine, or lingering objects. Use repadmin /showrepl to identify failed replication attempts and the error codes.

repadmin /showrepl * /errorsonly

Common replication error codes: 8606 = Insufficient attributes were given to create an object (USN rollback), 1256 = Remote computer not available, 1722 = RPC server unavailable, 1908 = Could not find DC for domain. For DNS-related failures:

dcdiag /test:replications /v

dcdiag /test:dns /v

Checking for Lingering Objects

Lingering objects occur when a DC is offline longer than the tombstone lifetime (default 180 days) and then brought back online. It has outdated objects that were deleted on other DCs. Use repadmin /removelingeringobjects to clean them up. First, run in advisory mode to see what would be removed.

repadmin /removelingeringobjects DC02 DC01 "DC=yourdomain,DC=com" /advisory_mode

After reviewing the advisory output, remove them for real:

repadmin /removelingeringobjects DC02 DC01 "DC=yourdomain,DC=com"

Monitoring SYSVOL Replication with DFSR

SYSVOL replication via DFSR has its own health commands. Check DFSR replication state using dfsrdiag and the Get-DfsReplicatedFolder cmdlet.

dfsrdiag replicationstate /member:DC01

Get-DfsReplicatedFolder -GroupName "Domain System Volume"

Get-DfsrMember | Select-Object ComputerName, State, StagingPath

Viewing Replication Metadata for an Object

Replication metadata shows the version number, originating DC, and timestamp for each attribute of an AD object. This is invaluable for tracking down where a change originated and verifying that a change has replicated everywhere.

repadmin /showobjmeta DC01 "CN=John Smith,OU=Users,DC=yourdomain,DC=com"

Conclusion

Active Directory replication is the mechanism that keeps all domain controllers in sync. On Windows Server 2019, the KCC automates most topology management, but administrators must understand site design, site links, and replication monitoring to maintain a healthy AD environment. Regular use of repadmin /replsummary and dcdiag as part of operational monitoring catches replication failures before they become login issues. Proper site design reduces unnecessary WAN traffic and ensures fast authentication for remote users.