Field Guide

Restore Active Directory replication health with `repadmin`, DNS checks, and site-path validation.

Use this guide when AD replication is failing, inconsistent across sites, or slowly diverging. The recovery path follows the dependency model Microsoft documents: network, DNS, authentication, topology, and directory service health.

Replication failures rarely stand alone.

Replication errors are usually the downstream symptom of unresolved DNS, broken transport, failed authentication, stale metadata, or topology mismatch. Treat `repadmin` output as the beginning of the investigation, not the end; that is what restores stability faster.

Validate the chain before forcing replication.

  • Run `repadmin /showrepl` and identify which naming contexts and partners actually fail.
  • Confirm forward and reverse DNS for each partner DC, including site-specific paths.
  • Verify required ports and whether any firewall or network path changed recently.
  • Check secure channel, Kerberos, and clock source alignment if auth-related errors appear.
  • Review lingering metadata, demotions, or rebuilt DC history before broad repair actions.

Recover the directory without making it dirtier.

  • Identify whether the failure is isolated to one partner, one site, or one naming context.
  • Fix DNS and transport reachability before retrying replication.
  • Verify time source and authentication path if errors indicate access or trust failure.
  • Re-run replication tests after each dependency fix instead of stacking blind changes.
  • Only move into metadata cleanup or rebuild procedures once the dependency picture is clear.
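The following PowerShell script is an added example, not part of this guide, that carries out the first two bullets of the validation chain above and the isolation step of the recovery list: it parses `repadmin /showrepl * /csv`, groups the failing links by destination, naming context and source site, then checks forward and reverse DNS and TCP reachability for each failing source DC before any replication is forced. It assumes it is run on a domain controller with domain-admin rights; the port list is an assumed common subset of AD ports (dynamic RPC ports are not covered).

```powershell
# Added example (not from the guide): parse `repadmin /showrepl * /csv`, list failing
# partners per naming context, then validate DNS and TCP reachability for each source DC.
# Assumptions: run as a domain admin on a DC; the port list is a common subset of AD
# ports, not a complete transport check (dynamic RPC ports are not covered).
$AdPorts = 88, 135, 389, 445, 636, 3268   # Kerberos, RPC endpoint mapper, LDAP, SMB, LDAPS, GC

# repadmin /showrepl /csv prints one row per (destination DC, naming context, source DC)
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

# Keep only links with recorded failures, shown so isolation (one partner, one site,
# one naming context) is visible at a glance before any repair action is taken.
$failing = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }
if (-not $failing) { Write-Host 'No replication failures reported.'; return }

$failing |
  Select-Object 'Destination DSA', 'Naming Context', 'Source DSA Site', 'Source DSA',
                'Number of Failures', 'Last Success Time', 'Last Failure Status' |
  Format-Table -AutoSize

foreach ($src in ($failing | Select-Object -ExpandProperty 'Source DSA' -Unique)) {
    Write-Host "`n== Dependency checks for $src =="
    # Forward DNS: repadmin reports the short DC name; it resolves via the DNS suffix list
    $fwd = Resolve-DnsName -Name $src -Type A -ErrorAction SilentlyContinue
    if (-not $fwd) { Write-Warning "Forward DNS failed for $src"; continue }
    $ip = ($fwd | Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
    Write-Host "Forward DNS: $src -> $ip"

    # Reverse DNS: the PTR record should map the address back to the same host
    $rev = Resolve-DnsName -Name $ip -Type PTR -ErrorAction SilentlyContinue
    if ($rev) { Write-Host "Reverse DNS: $ip -> $($rev.NameHost)" }
    else      { Write-Warning "No PTR record for $ip" }

    # Transport: test the common AD ports before retrying replication
    foreach ($p in $AdPorts) {
        $ok = (Test-NetConnection -ComputerName $src -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
        Write-Host ("  TCP {0,-5} {1}" -f $p, $(if ($ok) { 'open' } else { 'BLOCKED/unreachable' }))
    }
}

# Authentication and time dependencies from the local DC's point of view
Write-Host "`nSecure channel to domain: $(Test-ComputerSecureChannel)"
Write-Host "Time source: $(w32tm /query /source)"
```

The script is read-only: it reports the dependency picture and leaves `repadmin /syncall` or metadata cleanup for after the DNS, transport and authentication findings have been fixed and re-tested.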