What causes AD Replication Failure between DCs?

Network — site link RPC/445/389 blocked or latent • DNS misconfiguration on the source or destination DC • Replication error 8453 — access denied (machine account, replication permissions) • Lingering objects after a long-disconnected DC is reconnected • Tombstone-lifetime exceeded — DC offline >180 days • DC removed by deleting the VM or powering off hardware without running dcpromo /forceremoval or Uninstall-ADDSDomainController • AD metadata cleanup not performed after forced or failed demotion • DC experienced catastrophic failure and could not be demoted gracefully • Server reinstalled without removing its AD role, leaving original computer object and NTDS Settings in place

How do I resolve AD Replication Failure between DCs?

Identify and resolve the underlying cause (network / DNS / permissions) • Force replication: repadmin /syncall /AeD • Remove any lingering objects • Verify with /replsummary cleanly returns zero errors • Document and monitor going forward • If the dead DC held FSMO roles, seize them first: ntdsutil → roles → connections → connect to server → quit → seize ; or PowerShell: Move-ADDirectoryServerOperationMasterRole -Identity ' ' -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force • Remove NTDS Settings object: Active Directory Sites and Services → expand site → Servers → right-click old DC → Delete (removes replication agreements and KCC topology entry) • Remove DC computer object: ADUC → Domain Controllers OU → right-click old DC computer object → Delete • Alternative CLI metadata cleanup: ntdsutil → metadata cleanup → connections → connect to server → quit → select operation target → list/select domain, site, server → quit → remove selected server • Clean up DNS: delete A and PTR records for old DC in DNS Manager; remove SRV records under _msdcs, _tcp, _udp subzones; run ipconfig /flushdns on remaining DCs • Remove any empty site objects or orphaned site link entries in AD Sites and Services if the old DC was the sole DC in a site

How do I prevent AD Replication Failure between DCs?

Replication monitoring with alerting (RMM check or scheduled dcdiag) • Site link cost / schedule sanity-checked annually • Strict replication consistency enabled (default on modern AD) • DC-to-DC firewall paths documented • Always demote gracefully via Server Manager or Uninstall-ADDSDomainController — triggers automatic metadata cleanup and DNS deregistration • If graceful demotion is impossible, perform metadata cleanup on a surviving DC immediately — before tombstone lifetime (default 180 days) expires • Enable AD Recycle Bin: Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'yourdomain.com' — allows recovery of accidentally deleted AD objects • Document all DCs with their FSMO role assignments, Global Catalog status, and site assignments so decommissioning can be planned against a known baseline

P2 · Active Directory

AD Replication Failure between DCs

Domain controllers are not replicating, or a decommissioned DC has left stale metadata in Active Directory. Changes made on one DC do not appear on others; stale DC objects cause replication errors, DNS pollution, and KCC failures. If left unresolved, the directory diverges and tombstone lifetime becomes a hard deadline.

Indicators

repadmin /replsummary shows non-zero failures
Event IDs 1722, 1925, 1311, 8606, 2042 on the failing DC
User created on one DC cannot log in if they hit a different DC
Group Policy changes not propagating to certain sites
Replication errors referencing a DC name that no longer exists on the network
DNS SRV records for _ldap._tcp and _kerberos._tcp still referencing the decommissioned DC
repadmin /showrepl shows persistent errors for a DC with no network presence
dcdiag /test:replications reports failures for a removed DC

Likely causes

Network — site link RPC/445/389 blocked or latent
DNS misconfiguration on the source or destination DC
Replication error 8453 — access denied (machine account, replication permissions)
Lingering objects after a long-disconnected DC is reconnected
Tombstone-lifetime exceeded — DC offline >180 days
DC removed by deleting the VM or powering off hardware without running dcpromo /forceremoval or Uninstall-ADDSDomainController
AD metadata cleanup not performed after forced or failed demotion
DC experienced catastrophic failure and could not be demoted gracefully
Server reinstalled without removing its AD role, leaving original computer object and NTDS Settings in place

Diagnostic steps

repadmin /showrepl <dc> /errorsonly — surface the actual error code first

Identifies specific replication errors and error codes per DC partner
repadmin /replsummary — total view across the domain

Provides a domain-wide summary of replication success and failure counts
dcdiag /test:replications /test:dns /test:advertising on each DC

Runs targeted health checks on replication, DNS, and DC advertisement
Check connectivity DC-to-DC: portqry on 135/389/445/3268/53; firewall logs if cross-site

Rules out network or firewall blockages as the root cause
For 8606 (lingering objects): repadmin /removelingeringobjects from a known-good source

Removes lingering objects that block strict replication consistency
If a DC was offline >tombstone lifetime: do not allow it to replicate — demote and rebuild

Prevents USN rollback and directory divergence from a tombstone-exceeded DC
Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog, OperationMasterRoles, IPv4Address — enumerate registered DCs to identify stale entries

Confirms which DC objects still exist in AD and pinpoints the stale object to be removed
netdom query fsmo — identify which FSMO roles are assigned to the potentially dead DC

FSMO roles on a dead DC must be seized to a surviving DC before metadata cleanup proceeds
Get-ADObject -Filter {ObjectClass -eq 'nTDSDSA'} -SearchBase 'CN=Sites,CN=Configuration,DC=domain,DC=com' -Properties * | Select-Object DistinguishedName, Name — check for stale NTDS Settings objects

Confirms the NTDS Settings object is still present and must be removed as part of metadata cleanup
Get-DnsServerResourceRecord -ZoneName 'yourdomain.com' | Where-Object { $_.RecordData -like '*<OldDCName>*' } — enumerate stale DNS records

Identifies A, PTR, and SRV records that must be removed after the DC object is cleaned up

Resolution path

Identify and resolve the underlying cause (network / DNS / permissions)
Force replication: repadmin /syncall /AeD
Remove any lingering objects
Verify with /replsummary cleanly returns zero errors
Document and monitor going forward
If the dead DC held FSMO roles, seize them first: ntdsutil → roles → connections → connect to server <HealthyDC> → quit → seize <role>; or PowerShell: Move-ADDirectoryServerOperationMasterRole -Identity '<HealthyDC>' -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster -Force
Remove NTDS Settings object: Active Directory Sites and Services → expand site → Servers → right-click old DC → Delete (removes replication agreements and KCC topology entry)
Remove DC computer object: ADUC → Domain Controllers OU → right-click old DC computer object → Delete
Alternative CLI metadata cleanup: ntdsutil → metadata cleanup → connections → connect to server <HealthyDC> → quit → select operation target → list/select domain, site, server → quit → remove selected server
Clean up DNS: delete A and PTR records for old DC in DNS Manager; remove SRV records under _msdcs, _tcp, _udp subzones; run ipconfig /flushdns on remaining DCs
Remove any empty site objects or orphaned site link entries in AD Sites and Services if the old DC was the sole DC in a site

Prevention

Replication monitoring with alerting (RMM check or scheduled dcdiag)
Site link cost / schedule sanity-checked annually
Strict replication consistency enabled (default on modern AD)
DC-to-DC firewall paths documented
Always demote gracefully via Server Manager or Uninstall-ADDSDomainController — triggers automatic metadata cleanup and DNS deregistration
If graceful demotion is impossible, perform metadata cleanup on a surviving DC immediately — before tombstone lifetime (default 180 days) expires
Enable AD Recycle Bin: Enable-ADOptionalFeature 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'yourdomain.com' — allows recovery of accidentally deleted AD objects
Document all DCs with their FSMO role assignments, Global Catalog status, and site assignments so decommissioning can be planned against a known baseline

Tools

repadmin
dcdiag
PowerShell: Get-ADReplicationFailure, Get-ADReplicationPartnerMetadata
portqry (Microsoft connectivity checker)
Sites and Services for site link review
ntdsutil (built-in — metadata cleanup and FSMO role seizure)
netdom (built-in — FSMO role query)
DNS Manager / dnsmgmt.msc (GUI — remove stale DNS A, PTR, and SRV records)
Active Directory Sites and Services / dssite.msc (GUI — remove NTDS Settings and server objects)
Active Directory Users and Computers / dsa.msc (GUI — remove DC computer object from Domain Controllers OU)
Move-ADDirectoryServerOperationMasterRole (PowerShell RSAT — seize or transfer FSMO roles)
Get-ADDomainController (PowerShell RSAT — enumerate registered DCs)
ipconfig /flushdns (built-in — clear DNS resolver cache after record removal)

References

active-directoryreplicationrepadmindcdiaglingering-objectsmetadata-cleanupntdsutilfsmodecommissionwindows-serverdomain-controllerdnsad-ds