When two domain controllers stop syncing, the effects ripple across your network. Logins can fail. Password changes might not reflect everywhere. New accounts may not appear as expected. For businesses, these problems can quickly turn into costly downtime or security risks.
Many IT professionals face this headache at some point, and the reasons behind it are not always obvious.
This guide explains why two domain controllers might not sync, how to diagnose the root cause, and what you can do to fix the issue. Even if you’re not a seasoned Active Directory expert, you will learn clear steps, practical examples, and helpful tips to restore synchronization.
Let’s dig in and get your Active Directory environment healthy again.
Understanding Domain Controller Synchronization
A domain controller is a server that authenticates users and computers and enforces permissions within a Windows domain. It holds a writable copy of the Active Directory database (a read-only domain controller holds a read-only one). When you have more than one domain controller, each must stay in sync: a change made on one controller should automatically appear on the others.
Synchronization happens through a process called replication. There are two main types:
- Intra-site replication: Between controllers in the same physical location.
- Inter-site replication: Between controllers in different sites or offices.
If replication stops, your domain controllers work with different versions of data. This can lead to failed logins, missing accounts, or incorrect group memberships.
Common Symptoms Of Domain Controllers Not Syncing
How do you know if two domain controllers are not syncing? Here are some clear signs:
- Password changes on one controller do not work on another.
- New users or groups created on one DC are missing on others.
- Directory Service event log errors related to replication, such as Event IDs 1311 and 1865 (the KCC cannot build a complete topology) or 2042 (a partner has not replicated within the tombstone lifetime).
- Time differences between domain controllers, causing Kerberos errors.
- Active Directory Sites and Services shows “last attempt failed” messages.
- SYSVOL content (group policy templates, logon scripts) differs between controllers.
- Account lockouts or policy changes not applying everywhere.
These symptoms often appear together. Paying attention to them can help you spot synchronization problems early.
How Active Directory Replication Works
Active Directory uses a multi-master replication model: changes can be made on any writable domain controller and flow to the others. The Knowledge Consistency Checker (KCC) on each DC builds the replication topology (the connection objects that define who pulls from whom); the directory replication service then moves changes over those connections.
Replication uses Remote Procedure Call (RPC) over TCP/IP. Older versions also allowed SMTP between sites, but only for the schema, configuration and application partitions (never the domain partition), and current releases no longer support it. Each DC keeps its own Update Sequence Number (USN) counter and stamps every change it writes with it. A partner remembers the highest USN it has already received from each source (the high-watermark) and an up-to-dateness vector of what it has seen from every DC, so it requests only new changes and does not apply the same change twice.
Within a site, replication is driven by change notification: a DC tells its partners about a change roughly 15 seconds after writing it, and a scheduled pass runs hourly regardless. Between sites the site link schedule applies, every 180 minutes by default. If a DC has not replicated with a partner for longer than the tombstone lifetime (60 days in forests created before Windows Server 2003 SP1, 180 days in forests created since), its partners refuse to replicate with it and log Event 2042, because it may hold lingering objects that were deleted and garbage-collected everywhere else.
Top Causes Of Domain Controllers Not Syncing
Many things can break synchronization. Here are the most common causes, explained clearly:
1. Network Connectivity Issues
If controllers cannot reach each other, replication fails. This might be due to:
- Firewall rules blocking ports. TCP 135 is only the RPC endpoint mapper; the replication call itself lands on a dynamically assigned port (49152–65535 on Windows Server 2008 and later, 1025–5000 on older versions), and a firewall that allows 135 but not that range breaks replication while pings still succeed.
- VPN or WAN outages between sites
- Incorrect IP addressing
A simple ping test can help, but ICMP is often permitted where RPC is not, so a successful ping proves little; test the actual ports.
2. DNS Problems
Active Directory depends heavily on DNS. If DNS is misconfigured:
- Controllers cannot find each other.
- Replication partners are missing.
Check that all domain controllers point to the correct DNS servers and that required SRV records exist.
3. Time Synchronization Errors
Kerberos authentication requires that all computers have closely matched time. Replication is Kerberos-authenticated RPC, so if two controllers are more than 5 minutes apart (the default maximum tolerance), authentication between them fails and replication fails with it.
4. Replication Topology Errors
The KCC builds the replication paths. If the topology is broken (for example, a bridgehead server is down), some controllers may not have a path to replicate.
5. USN Rollback
If a controller is restored from an old backup image or reverted to a virtual machine snapshot, its USN counter goes backwards while its invocation ID stays the same. Partners believe they already hold every change up to the old high-watermark, so changes the rolled-back DC makes from then on are silently never replicated. This is a USN rollback. When the DC detects it (Event ID 2095) it pauses replication and Netlogon to contain the damage. Windows Server 2012 and later DCs on hypervisors that expose a VM-Generation ID detect a snapshot revert and reset their invocation ID safely; anything else must be treated as a rollback.
6. Lingering Objects
If one controller misses deletions for longer than the tombstone lifetime (60 or 180 days, as above), it still holds objects that every other DC has deleted and garbage-collected. These are lingering objects, and a partner with strict replication consistency enabled refuses to accept them (Event ID 1988).
7. Disk Space Or Database Issues
If the volume holding the NTDS database or its logs runs out of space, or the database becomes corrupted, replication halts. Look for Event ID 1084 and its companion 2108 (which lists repair steps) in the Directory Service log, and for error 8451 (the replication operation encountered a database error) in repadmin output.
8. Incorrect Site Links Or Site Configurations
If sites and subnets are not set up correctly, controllers may try to replicate with the wrong partners or fail to replicate at all.
9. FRS or DFSR Replication Failures
The SYSVOL folder, which holds group policy templates and logon scripts, is replicated separately from the directory database by either the File Replication Service (FRS) or DFS Replication (DFSR). FRS has been removed from Windows Server 2019 and later, so any domain still using it must migrate. If SYSVOL replication fails, group policy stops syncing even when the directory database replicates fine.
10. Permissions Or Access Denied Errors
Replication is performed by the DC computer accounts, which need the Replicating Directory Changes and Replicating Directory Changes All control rights on each partition (granted by default to the Domain Controllers and Enterprise Domain Controllers groups and to Administrators). Stripping or tightening those defaults blocks replication. The opposite mistake matters more for security: granting these rights to any other account lets it pull every password hash from the domain (the DCSync technique), so audit who holds them rather than adding grants to "fix" an error.
Diagnosing The Problem
Troubleshooting two domain controllers not syncing requires a systematic approach. Here’s a step-by-step guide:
Step 1: Check Event Logs
Open Event Viewer on both domain controllers. Look for replication errors in the Directory Service log, and for SYSVOL in the File Replication Service or DFS Replication log, whichever engine the domain uses. Note the Event IDs and error descriptions.
Step 2: Use Repadmin Tool
Repadmin is a command-line tool that checks and manages replication. Useful commands include:
- `repadmin /replsummary` – Summarizes overall replication health.
- `repadmin /showrepl` – Shows last replication attempts and errors.
- `repadmin /syncall` – Forces synchronization (by default only the domain partition, pulling from the named DC's partners; switches extend it to all partitions and all sites).
Example output (abridged):

```text
C:\> repadmin /replsummary

Source DSA          largest delta    fails/total %%   error
 DC1                      00m:20s    0 /   5    0
 DC2                      12h:30m    5 /   5  100  (8452) The naming context is in the process of being removed or is not replicated from the specified server.
```
If you see long deltas (over an hour for partners in the same site) or high failure rates, that controller is not syncing. Error 8452 in particular usually means the destination still has a connection for a partition the source no longer hosts, typically stale metadata left behind by a demoted DC.
Step 3: Test Network Connectivity
- Use `ping <other DC>` to test basic connectivity; ICMP is often allowed where RPC is not, so a reply proves only that the host is up.
- Use `telnet <other DC> 135` to check that the RPC endpoint mapper answers (the Telnet client is not installed by default on Windows Server; any TCP port tester will do). Port 135 is only the first hop: the replication call itself uses a dynamic port above 49152, which must be open as well.
- Try `nslookup` to verify that each DC resolves the other's name.
Step 4: Check Dns Health
Run `dcdiag /test:DNS` to test DNS setup. Make sure all domain controllers register the right SRV records.
Step 5: Confirm Time Synchronization
On each controller, run `w32tm /query /status` and compare the offsets against the PDC emulator. All domain controllers should be within seconds of each other, well inside the 5-minute Kerberos limit; an offset measured in minutes is already a problem.
Step 6: Review Site And Services Configuration
In Active Directory Sites and Services, check that each controller is in the correct site and subnet. Check site links for proper configuration.
Step 7: Check FRS/DFSR Status
For Sysvol, run:
- `ntfrsutl ds` (FRS) or
- `dfsrdiag ReplicationState` (DFSR)
Look for errors or backlog.
Step 8: Inspect Usn And Database Health
Run `ntdsutil` to check database integrity (the integrity check requires Active Directory Domain Services to be stopped, or the DC booted into Directory Services Restore Mode) and confirm that the volume holding the database and logs has free space. Watch for warnings about old backups or restores.
Step 9: Review Security Permissions
Ensure that the Replicating Directory Changes control rights have not been removed from the default groups, and that no extra accounts have been granted them. Avoid manual changes to the default AD security groups and to the permissions on partition heads.
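The checks in steps 1 through 5 can be run in one pass. The following PowerShell script is an added example, not code from the original article; it assumes the ActiveDirectory RSAT module, PowerShell remoting to every DC, and an account that can read replication metadata and event logs on all of them (Domain Admins or equivalent).

```powershell
# Added example (not from the original article): one triage pass over every DC.
# Assumes the ActiveDirectory module, remoting to each DC, and Domain Admin rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter * | Sort-Object HostName

# 1. Partner metadata: one row per (destination, partner, partition). A non-zero
#    ConsecutiveReplicationFailures or a stale LastReplicationSuccess is the
#    "last attempt failed" that Sites and Services shows.
$meta = foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction SilentlyContinue
}
$meta | Where-Object { $_.ConsecutiveReplicationFailures -gt 0 -or
                       $_.LastReplicationSuccess -lt (Get-Date).AddHours(-1) } |
    Select-Object Server, Partner, Partition, LastReplicationSuccess,
                  ConsecutiveReplicationFailures, LastReplicationResult |
    Format-Table -AutoSize

# 2. Failures with their Win32 error code (8452, 1722, 1908, -2146893022 ...),
#    which is what you search for next.
Get-ADReplicationFailure -Target $domain.DNSRoot -Scope Domain |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize

# 3. Directory Service events that name the usual causes: 1311/1865 (KCC
#    topology), 1925 (replication link failed), 1988 (lingering object refused),
#    2042 (past tombstone lifetime), 2095/2103 (USN rollback).
$ids = 1311, 1865, 1925, 1988, 2042, 2095, 2103
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc.HostName -MaxEvents 20 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = $ids } |
        Select-Object @{ n = 'DC'; e = { $dc.HostName } }, TimeCreated, Id, LevelDisplayName |
        Format-Table -AutoSize
}

# 4. Port reachability from each DC to each other DC. 135 is only the RPC
#    endpoint mapper; the replication call lands on a dynamic port (49152-65535
#    on Server 2008 and later) that this loop cannot predict, so an open 135
#    does not prove the firewall is right.
$ports = 53, 88, 135, 389, 445, 464, 636, 3268, 3269
foreach ($src in $dcs) {
    foreach ($dst in $dcs | Where-Object HostName -ne $src.HostName) {
        Invoke-Command -ComputerName $src.HostName -ArgumentList $dst.HostName, $ports -ScriptBlock {
            param($h, $plist)
            foreach ($p in $plist) {
                $ok = (Test-NetConnection -ComputerName $h -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
                if (-not $ok) { "BLOCKED  $env:COMPUTERNAME -> ${h}:$p" }
            }
        }
    }
}

# 5. DNS as each DC sees it: which resolvers it uses (no public ones allowed)
#    and whether it can find the DC locator SRV records for the whole domain.
foreach ($dc in $dcs) {
    Invoke-Command -ComputerName $dc.HostName -ArgumentList $domain.DNSRoot -ScriptBlock {
        param($zone)
        $resolvers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
                      Where-Object ServerAddresses).ServerAddresses -join ', '
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$zone" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object Type -eq 'SRV'
        "{0}: resolvers [{1}]  DC SRV targets [{2}]" -f $env:COMPUTERNAME, $resolvers,
            (($srv.NameTarget | Sort-Object -Unique) -join ', ')
    }
}

# 6. Clock skew between all DCs. Kerberos tolerates 5 minutes and replication is
#    Kerberos-authenticated RPC, so a skewed DC fails here before anywhere else.
$list = $dcs.HostName -join ','
w32tm /monitor "/computers:$list"
```

Read the sections in order: metadata and failure codes tell you which pair and partition is broken, the events tell you why the DC thinks it is broken, and the port, DNS and time checks tell you whether the cause is outside Active Directory.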
Fixing Domain Controller Synchronization Issues
Once you identify the cause, use these solutions tailored to each problem.
Network And Connectivity Fixes
- Adjust firewall rules to allow the necessary ports between DCs: TCP 135 plus the dynamic RPC range (49152–65535), 88 (Kerberos), 53 (DNS), 389/636 (LDAP/LDAPS), 445 (SMB, for SYSVOL), 3268/3269 (Global Catalog) and UDP 123 (NTP).
- Repair VPN or WAN connections.
- Fix IP address or subnet mask errors.
DNS Solutions
- Ensure all domain controllers use only internal DNS servers.
- Remove any external DNS entries from controller network settings.
- Re-register DNS by running `ipconfig /registerdns` on each controller. That refreshes only the host A/AAAA records; the SRV records belong to Netlogon, so restart the Netlogon service as well to re-register them.
Time Sync Corrections
- Set the PDC emulator of the forest root domain to sync with an external time source (or with the hypervisor host, but not both).
- Make all other domain controllers follow the domain hierarchy, which ends at that PDC emulator.
- Use `w32tm /config` to set source.
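The three steps above, as an added PowerShell example that is not part of the original article. It assumes the ActiveDirectory module on each DC and uses two public NTP pool names as placeholders for your own time sources; run it once on every DC as Administrator.

```powershell
# Added example (not from the original article): configure time the way the
# domain hierarchy expects. Run once on each DC as Administrator. The NTP pool
# names are placeholders for your organisation's sources.
Import-Module ActiveDirectory
$pdce = (Get-ADDomain -Identity (Get-ADForest).RootDomain).PDCEmulator
$me   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

if ($me -ieq $pdce) {
    # Forest root PDCe: the only DC that talks to the outside. 0x8 = client mode
    # (ask, never serve the peer); two or more sources let w32time spot a bad one.
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" `
        /syncfromflags:manual /reliable:yes /update
} else {
    # Every other DC follows the domain hierarchy, which ends at the PDCe.
    w32tm /config /syncfromflags:domhier /update
}
Restart-Service w32time
w32tm /resync /rediscover

# Verify: /source should name an NTP server on the PDCe and a DC elsewhere;
# /monitor lists every DC's offset from the PDCe, which must stay far inside
# the 5-minute Kerberos window (seconds, not minutes, is normal).
w32tm /query /source
w32tm /query /status
$list = (Get-ADDomainController -Filter *).HostName -join ','
w32tm /monitor "/computers:$list"
```

On a virtualized PDC emulator, disable the hypervisor's time synchronization integration (or point the PDCe at the host and nothing else); two competing roots produce exactly the drift this section is trying to remove.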
Topology And Site Adjustments
- In Sites and Services, ensure each controller is in the right site.
- Edit site links to connect all sites.
- Force KCC to rebuild topology using `repadmin /kcc`.
Handling USN Rollbacks
If you suspect a USN rollback:
- Do not try to force replication. Forcibly demote the affected domain controller (or restore it from a system state backup taken before the rollback, if you have one).
- Clean up its metadata using `ntdsutil` so the remaining controllers stop trying to replicate with it.
- Re-promote it as a new domain controller.
Dealing With Lingering Objects
Use `repadmin /removelingeringobjects` to clean up outdated objects, comparing the stale DC against a known-good source for each partition. Run it in advisory mode first, which only reports in the Directory Service log what it would delete, review that list, and take a system state backup before the real run.
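The two checks for a DC that was reverted to a snapshot or has been out of replication too long, covering both the USN rollback and lingering object sections above, as an added PowerShell example that is not from the original article. `DC2.corp.example.com` (the suspect) and `DC1.corp.example.com` (a healthy partner) are placeholders; the script assumes the ActiveDirectory module, remoting to the suspect DC, and repadmin on the machine running it.

```powershell
# Added example (not from the original article). $bad is the suspect DC, $good
# a known-healthy partner in the same domain; both names are placeholders.
Import-Module ActiveDirectory
$bad  = 'DC2.corp.example.com'
$good = 'DC1.corp.example.com'

# --- USN rollback -----------------------------------------------------------
# When NTDS detects a rollback it logs Event 2095, pauses Netlogon and sets the
# "DSA Not Writable" registry value to 4 so the DC cannot hand out stale data.
$state = Invoke-Command -ComputerName $bad -ScriptBlock {
    $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DsaNotWritable = $p.'DSA Not Writable'
        RollbackEvents = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2095, 2103 } `
                               -MaxEvents 5 -ErrorAction SilentlyContinue).Count
        NetlogonState  = (Get-Service Netlogon).Status
    }
}
$state
if ($state.DsaNotWritable -eq 4 -or $state.RollbackEvents -gt 0) {
    Write-Warning "$bad is in USN rollback. Do not force replication. Demote, clean metadata, re-promote:"
    Write-Warning '  on the bad DC:  Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole -Force'
    Write-Warning '  on a good DC:   ntdsutil "metadata cleanup" "remove selected server CN=DC2,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com" q q'
    return
}

# --- Lingering objects ------------------------------------------------------
# repadmin wants the *DSA object GUID* of the clean source (not its invocation
# ID) and a partition DN. Advisory mode only logs what it would delete
# (Directory Service events 1938, 1946 per object, 1942 at the end).
$srcGuid = (Get-ADObject -Identity (Get-ADDomainController -Identity $good).NTDSSettingsObjectDN).ObjectGUID
$ncs = (Get-ADRootDSE -Server $bad).namingContexts   # partitions the suspect DC holds

foreach ($nc in $ncs) {
    repadmin /removelingeringobjects $bad $srcGuid $nc /advisory_mode
}
# After reviewing the 1946 events, repeat without /advisory_mode to delete:
# foreach ($nc in $ncs) { repadmin /removelingeringobjects $bad $srcGuid $nc }
```

The demotion and metadata cleanup are left as printed instructions rather than executed, because the script cannot know whether the suspect DC holds FSMO roles or is the last DC in its site; check both before running them.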
Database And Disk Space Repairs
- Free up disk space on the NTDS partition.
- Run `ntdsutil` for integrity checks.
- If corrupted, consider restoring from backup.
Fixing FRS/DFSR Issues
- For FRS, restart the File Replication Service and check for missing or morphed SYSVOL folders (folders renamed with an `_NTFRS_` suffix after a name collision).
- For DFSR, use `dfsrdiag` to check health and backlog.
- If SYSVOL is not shared on a DC, reinitialize replication on that DC non-authoritatively so it discards its copy and pulls a fresh one from a healthy partner.
Permissions Resets
- Restore default permissions using the `dsacls` command.
- Avoid manual changes to system containers or replication permissions. Treat any account other than the built-in DC groups and Administrators holding replication rights as a finding to investigate, not as a fix to apply.
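An audit of who actually holds the replication control rights on the domain partition, as an added PowerShell example (not from the original article) covering the permissions points in this section and in cause 10 above. It assumes the ActiveDirectory module, which provides the `AD:` drive, and read access to the partition's security descriptor. The extended-right GUIDs are the fixed schema values and are the same in every forest.

```powershell
# Added example (not from the original article): list every principal holding a
# replication control right, or a blanket grant that includes one, on the
# domain partition. Assumes the ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory
$domain = Get-ADDomain

# Extended-right GUIDs fixed by the AD schema in every forest
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}
$extRight = [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$genAll   = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericAll

function Get-ReplicationRightHolders ([string]$PartitionDn) {
    (Get-Acl -Path "AD:\$PartitionDn").Access |
        Where-Object { $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            $guid = $_.ObjectType.Guid
            $mask = [int]$_.ActiveDirectoryRights
            if ($replRights.ContainsKey($guid)) {
                $right = $replRights[$guid]                        # one specific replication right
            } elseif ($_.ObjectType -eq [guid]::Empty -and (($mask -band ($extRight -bor $genAll)) -ne 0)) {
                $right = 'ALL extended rights (includes replication)'  # blanket grant, e.g. GenericAll
            } else { return }
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Right     = $right
                Inherited = $_.IsInherited
            }
        } | Sort-Object Identity, Right
}

# Defaults. Enterprise Admins appears as ROOTDOMAIN\Enterprise Admins in child
# domains, hence the wildcard. Anything else needs a named owner (a hybrid
# identity sync account, for example) or it is a DCSync backdoor.
$expected = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
    'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
    'NT AUTHORITY\ENTERPRISE READ-ONLY DOMAIN CONTROLLERS',
    "$($domain.NetBIOSName)\Domain Controllers",
    "$($domain.NetBIOSName)\Read-only Domain Controllers",
    "$($domain.NetBIOSName)\Domain Admins",
    '*\Enterprise Admins'
)

$holders = Get-ReplicationRightHolders -PartitionDn $domain.DistinguishedName
$holders | Format-Table -AutoSize
foreach ($h in $holders) {
    $known = $expected | Where-Object { $h.Identity -like $_ }
    if (-not $known) { Write-Warning "Unexpected replication right: $($h.Identity) -> $($h.Right)" }
}
```

If the default groups are missing from the output, replication between DCs will fail and `dsacls` is the right tool to put them back; if extra identities appear, the replication problem you came for is the lesser concern.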
Practical Examples
Let’s walk through two common scenarios with step-by-step fixes.
Example 1: DNS Misconfiguration
A company has two domain controllers: DC1 (main office), DC2 (branch office). Replication stops after a network change. Passwords changed in the branch office do not work in the main office.
Diagnosis:
- On DC2, `ipconfig /all` shows it uses a public DNS server (8.8.8.8).
- `dcdiag /test:DNS` shows missing SRV records.
Fix:
- Change DC2’s DNS to point to DC1 first and itself second, with no external server.
- Run `ipconfig /registerdns` and `net stop netlogon && net start netlogon` on DC2.
- Run `dcdiag /test:DNS` again to confirm SRV records are present.
- Run `repadmin /syncall` to force synchronization, then `repadmin /replsummary` to confirm the deltas drop.
Result: Replication resumes, and password changes sync as expected.
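The fix from this scenario, together with the DNS solutions listed earlier, as an added PowerShell example that is not part of the original article. It is meant to run on DC2 as Administrator; `10.0.0.10` stands in for DC1's address and the single-NIC assumption is marked in the code.

```powershell
# Added example (not from the original article): repair a DC that was pointed at
# a public resolver. Run on DC2 as Administrator. $dc1Ip is a placeholder.
Import-Module ActiveDirectory
$dc1Ip = '10.0.0.10'

# Never use an external resolver on a DC. A partner DC first, itself second.
# Assumes one active NIC; on a multi-homed DC pick the interface explicitly.
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses $dc1Ip, '127.0.0.1'

# Re-register. ipconfig covers the host A/AAAA records only; the SRV records
# are Netlogon's job, so ask it directly instead of waiting for its timer.
ipconfig /registerdns
nltest /dsregdns

# Verify before forcing replication: dcdiag for the DNS test, then the DC
# locator records as resolved through the new settings.
dcdiag /test:DNS /v "/s:$env:COMPUTERNAME"
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$((Get-ADDomain).DNSRoot)" -Type SRV |
    Where-Object Type -eq 'SRV' | Select-Object NameTarget, Port

# Pull every partition from every partner, across sites (/A all NCs, /e all
# sites, /P push as well, /d identify servers by DN), then check the summary.
repadmin /syncall /AdeP
repadmin /replsummary
```

If `repadmin /replsummary` still shows the old deltas after this, the DNS change was not the only fault; go back to the port and time checks before forcing replication again.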
Example 2: FRS/DFSR Issue
After a failed update, group policy changes are not applied across all computers.
Diagnosis:
- On DC1, Event Viewer shows FRS errors.
- The Sysvol folder is not shared on DC2.
Fix:
- Restart the File Replication Service on both controllers.
- If the problem persists, use `ntfrsutl ds` to confirm that FRS sees the SYSVOL replica set and its partners correctly.
- Reinitialize FRS on DC2 with a non-authoritative restore by setting the BurFlags registry value to D2 on DC2. D4, the authoritative flag, belongs on one DC only and only when every copy is bad. On a domain that has migrated SYSVOL to DFSR the equivalent is toggling the msDFSR-Enabled attribute on DC2's SYSVOL Subscription object.
Result: SYSVOL shares are restored, and group policies sync.
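The non-authoritative SYSVOL reinitialization from this example and from the FRS/DFSR fixes above, for both engines, as an added PowerShell example that is not from the original article. Run it on the affected DC as Administrator; `DC1` is a placeholder for the partner assumed to hold a good copy, and the DFSR path follows the procedure Microsoft documents in KB 2218556.

```powershell
# Added example (not from the original article): reinitialise SYSVOL on a DC
# whose copy is stale or unshared. Run on the affected DC as Administrator.
# DC1 is a placeholder for a partner with a good copy. Both paths are
# non-authoritative: this DC discards its copy and pulls a fresh one.
Import-Module ActiveDirectory
$badDc = $env:COMPUTERNAME

# Which engine owns SYSVOL? 'Eliminated' means DFSR only; any other state means
# FRS is still involved (and FRS no longer exists on Server 2019 and later).
dfsrmig /getglobalstate

# ---- FRS: non-authoritative restore via BurFlags ---------------------------
# D2 = discard and pull from a partner. D4 (authoritative) belongs on exactly
# one DC and only when every copy is bad. reg.exe is used because the key
# name contains a slash, which the PowerShell registry provider reads as a
# path separator.
if (Get-Service NtFrs -ErrorAction SilentlyContinue) {
    Stop-Service NtFrs
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" `
        /v BurFlags /t REG_DWORD /d 0xD2 /f
    Start-Service NtFrs
    # Done when the File Replication Service log shows 13516 ("SYSVOL is ready")
}

# ---- DFSR: non-authoritative restore via msDFSR-Enabled --------------------
# DFSR has no BurFlags equivalent; disabling and re-enabling the subscription
# makes the service treat this member as new.
$sub = Get-ADObject -Filter { objectClass -eq 'msDFSR-Subscription' } `
           -SearchBase (Get-ADComputer $badDc).DistinguishedName -Properties 'msDFSR-Enabled' |
       Where-Object Name -eq 'SYSVOL Subscription'
if ($sub) {
    Set-ADObject $sub -Replace @{ 'msDFSR-Enabled' = $false }
    repadmin /syncall /AdP        # get the change to every DC
    dfsrdiag pollad               # make DFSR re-read its AD configuration now
    Read-Host 'Wait for DFS Replication event 4114 (SYSVOL replication disabled), then press Enter'
    Set-ADObject $sub -Replace @{ 'msDFSR-Enabled' = $true }
    repadmin /syncall /AdP
    dfsrdiag pollad
    # Then 4614 (initial sync started) and 4604 (SYSVOL initialised); only
    # after 4604 does Netlogon share SYSVOL and NETLOGON again.
}

# Confirm the shares are back and check the backlog against the good DC.
net share
dfsrdiag backlog /rgname:"Domain System Volume" /rfname:"SYSVOL Share" /smem:DC1 "/rmem:$badDc"
```

Do not run the authoritative variant (BurFlags D4, or msDFSR-Options=1 on DFSR) on the bad DC: that would push its stale SYSVOL over the good copies on every other controller.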
Comparing Replication Tools
Active Directory offers several tools for managing and checking replication. Here’s a quick comparison:
| Tool | Purpose | Common Commands | Best For |
|---|---|---|---|
| Repadmin | Replication status, force sync, cleanup | /replsummary, /showrepl, /syncall | Admins troubleshooting sync issues |
| DCDiag | Health checks, DNS, connectivity | /test:DNS, /e | Quick overall health checks |
| NTDSUtil | Database maintenance, metadata cleanup | Files, metadata cleanup | Advanced repairs, after failed restores |

Preventing Future Synchronization Problems
Fixing the current issue is only part of the solution. To avoid future headaches, follow these best practices:
- Monitor replication regularly with automated tools.
- Document network changes and update controller settings accordingly.
- Keep DNS healthy and avoid external DNS entries on domain controllers.
- Maintain time synchronization across all devices.
- Never revert a domain controller to a virtual machine snapshot or an old image. Restore from an AD-aware system state backup instead, and rely on snapshots only on hypervisors that expose a VM-Generation ID.
- Train IT staff to recognize early signs of replication failure.
- Test group policies and logins after major changes.
Data Loss Risks: Understanding The Impact
When domain controllers do not sync, data loss is a real risk. Consider these scenarios:
- A user is deleted on DC1, but DC2 never gets the update. The account survives on DC2 as a lingering object and can still be used to log on against that DC.
- Password resets may not apply, leaving users locked out or insecure.
- Group policy changes may not reach all computers, exposing gaps in security.
If you suspect data loss, use the Active Directory Recycle Bin to recover deleted objects. It must already have been enabled before the deletion (enabling it afterwards does not help), and objects stay recoverable only for the deleted object lifetime, which defaults to the tombstone lifetime. Act fast.
Real-world Statistics
According to a 2022 survey of IT professionals:
- 67% have experienced at least one domain controller replication issue in the past year.
- 29% report user lockouts as the first sign.
- 18% had to rebuild at least one domain controller due to corruption.
Unplanned downtime from replication failures averages 6 hours, leading to lost productivity and increased help desk calls.
Advanced Troubleshooting: Non-obvious Insights
While many guides focus on basic checks, here are two advanced tips often missed by beginners:
1. Check for Duplicate SIDs
Sometimes, copying a promoted domain controller as a plain VM clone produces two DCs that share the same invocation ID, DSA GUID and database, which replication cannot tell apart. Running `sysprep` on a domain controller is not supported; sysprep the base image before promotion, and clone an existing DC only with the supported DC cloning procedure (Windows Server 2012 or later on a hypervisor that provides a VM-Generation ID, with a DCCloneConfig.xml).
2. Monitor Intersite Replication Intervals
Inter-site replication defaults to every 180 minutes; 15 minutes is the minimum. For critical environments, lowering the interval on the site link, or enabling change notification on the link so that inter-site partners replicate within seconds of a change as intra-site partners do, improves consistency, especially after major changes.
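The site and site link checks from the topology fixes earlier, plus the interval and change notification tuning described here, as an added PowerShell example that is not from the original article. It assumes the ActiveDirectory module and an account allowed to edit the Sites container (Enterprise Admins by default); `DEFAULTIPSITELINK` is a placeholder for the link you want to tune. The subnet matching helpers are this example's own, not an AD cmdlet.

```powershell
# Added example (not from the original article): check the topology inputs that
# most often go wrong, then tune one site link. 'DEFAULTIPSITELINK' is a
# placeholder. Needs the ActiveDirectory module and rights on CN=Sites.
Import-Module ActiveDirectory

function ConvertTo-IPv4Int ([string]$Address) {
    $b = ([ipaddress]$Address).GetAddressBytes()   # network byte order
    [Array]::Reverse($b)
    [BitConverter]::ToUInt32($b, 0)                # host-order integer
}
function Test-InSubnet ([string]$Address, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $mask = [uint32]((([uint64]0xFFFFFFFF) -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    ((ConvertTo-IPv4Int $Address) -band $mask) -eq ((ConvertTo-IPv4Int $net) -band $mask)
}

# 1. A DC whose address is in no subnet, or in a subnet mapped to another site,
#    gets the wrong replication partners (and sends clients to the wrong DC).
$subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
           Where-Object Name -match '^\d+\.\d+\.\d+\.\d+/\d+$'   # IPv4 subnets only here
foreach ($dc in Get-ADDomainController -Filter *) {
    if (-not $dc.IPv4Address) { continue }
    $hit = $subnets | Where-Object { Test-InSubnet $dc.IPv4Address $_.Name } |
           Sort-Object { [int]($_.Name -split '/')[1] } -Descending | Select-Object -First 1
    $subnetSite = if ($hit) { ($hit.Site -split ',')[0] -replace '^CN=' } else { '(no matching subnet)' }
    $flag = if ($subnetSite -ne $dc.Site) { '  <-- MISMATCH' } else { '' }
    "{0,-28} {1,-15} site={2,-14} subnet->site={3}{4}" -f $dc.HostName, $dc.IPv4Address, $dc.Site, $subnetSite, $flag
}

# 2. Site links: interval and whether change notification (options bit 0x1) is on.
Get-ADReplicationSiteLink -Filter * -Properties options |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes,
        @{ n = 'Notify'; e = { ([int]$_.options -band 1) -ne 0 } },
        @{ n = 'Sites';  e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ',' } } |
    Format-Table -AutoSize

# 3. Drop the 180-minute default to the 15-minute floor and turn on notification,
#    preserving any other option bits already set on the link.
$link = Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' -Properties options
Set-ADReplicationSiteLink -Identity $link -ReplicationFrequencyInMinutes 15 `
    -Replace @{ options = ([int]$link.options -bor 1) }

# 4. Rebuild connection objects now instead of waiting for the KCC's next pass,
#    then list any partner that is still failing.
repadmin /kcc *
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Status' |
    Format-Table -AutoSize
```

Change notification removes the schedule but not the cost of the WAN link: every change is sent as it happens, so enable it only on links that can carry that traffic, and leave the schedule in place on the rest.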
Example Replication Failure And Recovery Timeline
To illustrate the process, here’s a simplified timeline for a recovery scenario:
| Time | Event | Action Taken |
|---|---|---|
| 10:00 AM | Admins notice missing user accounts | Check replication status with repadmin |
| 10:30 AM | Replication errors found in event logs | Test network connectivity, DNS health |
| 11:00 AM | DNS misconfiguration found on DC2 | Update DNS settings, re-register |
| 11:15 AM | Force replication with repadmin | Accounts appear on both DCs |
| 11:30 AM | Monitor for errors, confirm resolution | Issue closed |
Frequently Asked Questions
Why Do I See “Last Attempt Failed” In Active Directory Sites And Services?
This message means the last replication attempt between two domain controllers did not complete successfully. Common causes include network outages, DNS issues, or security restrictions. Check event logs on both controllers for more details.
Can I Force Two Domain Controllers To Sync Immediately?
Yes. Run `repadmin /syncall` on the controller that is behind; it asks each of that controller's partners for outstanding changes. If the underlying issue is not fixed (network, DNS or time), the command fails with the same error the scheduled replication did, or works once and the problem returns.
What Ports Must Be Open For Domain Controller Replication?
At a minimum, ensure the following are open between controllers (TCP unless noted):
- 135 (RPC endpoint mapper) plus the dynamic RPC range 49152–65535 (1025–5000 on servers older than Windows Server 2008); replication itself runs on a port from that range
- 88 (Kerberos, TCP and UDP)
- 53 (DNS, TCP and UDP)
- 389 (LDAP) and 636 (LDAPS)
- 445 (SMB, for SYSVOL)
- 3268 (Global Catalog) and 3269 (Global Catalog SSL)
- 123 UDP (NTP)
For the full list, refer to Microsoft's documentation on Active Directory port requirements.
What Is A Lingering Object And Why Is It A Problem?
A lingering object is an Active Directory object that remains on a domain controller after it was deleted on another controller. This happens when replication is broken for a long time. Lingering objects can cause authentication problems, security risks, and further replication failures.
How Can I Check If My Domain Controllers Are Healthy?
Use `dcdiag` for a quick health check, and `repadmin /replsummary` to see if all controllers are replicating properly. Also, check event logs and monitor for errors related to DNS, time sync, and FRS/DFSR.
Solving domain controller synchronization issues is critical for a stable and secure IT environment. With the steps and insights in this guide, you’re equipped to identify, fix, and prevent these problems—keeping your users productive and your data safe.
