I was doing some maintenance work on one of the many different environments I help maintain today when I noticed that Active Directory replication failed to one of the Domain Controllers in the domain.
When performing a repadmin /showrepl I saw the following:
C:\WINDOWS\system32>repadmin /replsummary
Replication Summary Start Time: 2023-06-28 09:41:07
Beginning data collection for replication summary, this may take awhile:
.....
Source DSA largest delta fails/total %% error
ServerDC01 >60 days 5 / 5 100 (2148074274) The target principal name is incorrect.
ServerDC02 02m:15s 0 / 5 0
Destination DSA largest delta fails/total %% error
ServerDC01 02m:15s 0 / 5 0
ServerDC02 >60 days 5 / 5 100 (2148074274) The target principal name is incorrect.I then proceeded to RDP into the server ServerDC02 to examine the Windows Event Log. From experience, I suspected finding traces of what was going on in the log Applications and Service Logs -> Directory Service.
Here I could see several errors pertaining to the KDC (Knowledge Consistency Checker), both warnings and errors. Event IDs logged were 1308, 1311, 1566 and 1865. Taking a closer look, the useful information needed was found in Event ID 1311:
The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
Directory partition:
CN=Configuration,DC=contoso,DC=com
There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
Having worked with Windows Servers and Active Directory for quite some time, I quickly suspected that replication had failed for quite some time, causing the inconsistency. I had also seen similar issues quite a few years ago, so I decided to force a new replication from the Domain Controller having the FSMO role (Flexible Single Master Operation) in the domain to the Domain Controller that was having issues.
This requires you to stop the KDC service on the failing Domain Controller and reset its Machine Account Password.
To do this, I had to perform the following actions:
- Stop and disable the KDC service on the Domain Controller having issues, ServerDC02
Stop-Service KDCSet-Service KDC -StartupType DisabledRestart-Computer
- Once the server came back online, RDP in and open CMD with Administrative Privileges
- Issue the command
netdom resetpwd /s:ServerDC01.contoso.com /ud:contoso\adDomainAdminAccount /pd:*- Use the server address to the working domain controller for
/s: - Use a valid Domain Admin account for
/ud: - Using * for
/pd:will ensure CMD prompts for the account password
- Use the server address to the working domain controller for
- The command should return
The machine account password for the local machine has been successfully reset. - Go to the working Domain Controller and open CMD with administrative privileges
- Issue the command
repadmin /replicate <destination_dc> <source_dc> "DC=contoso,DC=com"- Replace
<destination_dc>with the full address for the faulty Domain Controller, in this caseServerDC02.contoso.com - Replace
<source_dc>with the full address for the working Domain Controller, in this caseServerDC01.contoso.com
- Replace
- The command should return
Sync from ServerDC01.contoso.com to ServerDC02.contoso.com completed successfully - Head back to ServerDC02
- Start the KDC service
Set-Service KDC -StartupType AutoStart-Service KDC
- Wait until replication starts and completes
Replication can take a while to complete, depending on both the number of objects found in your Active Directory, as well as the latency between the two Domain Controllers.
Once completed, you should see the following from repadmin.
C:\WINDOWS\system32>repadmin /replsummary
Replication Summary Start Time: 2023-06-28 09:56:59
Beginning data collection for replication summary, this may take awhile:
.....
Source DSA largest delta fails/total %% error
ServerDC01 10m:41s 0 / 5 0
ServerDC02 03m:07s 0 / 5 0
Destination DSA largest delta fails/total %% error
ServerDC01 03m:07s 0 / 5 0
ServerDC02 10m:41s 0 / 5 0
Hope you found this guide useful.