AD Replication

KratosDefense
I’ve been having issues with AD replication on my win 2008 r2 DC. It’s taking around 3 hours for it to replicate to a DC on the west coast. I’ve tried numerous troubleshooting steps. I THINK DNS is ok. The eventlogs are clean.
I found the following Microsoft article explaining the ports needed for AD replication:
I noticed the only ports that don’t seem to be open are the following:
RPC endpoint mapper  135/UDP
RPC dynamic assignment  1024-65535/tcp
WINS replication  42/tcp, 42/udp

Could the above closed ports be causing the delay ?

This is the only event error I’m getting:
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          10/16/2010 12:59:11 PM
Event ID:      2087
Task Category: DS RPC Client
Level:         Error
Keywords:      Classic
User:          ANONYMOUS LOGON
Active Directory Domain Services could not resolve the following DNS host name of the source domain controller to an IP address. This error prevents additions, deletions and changes in Active Directory Domain Services from replicating between one or more domain controllers in the forest. Security groups, group policy, users and computers and their passwords will be inconsistent between domain controllers until this error is resolved, potentially affecting logon authentication and access to network resources.
Source domain controller:
Failing DNS host name:
NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur.  To log all individual failure events, set the following diagnostics registry value to 1:
Registry Path:
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action:
 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498.
 2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\<source DC name>" or "ping <source DC name>".
 3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on 
  dcdiag /test:dns
 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows:
  dcdiag /test:dns
 5) For further analysis of DNS error failures see KB 824449:
Additional Data
Error value:
 11004 The requested name is valid, but no data of the requested type was found.

Event Xml:
<Event xmlns="">
    <Provider Name="Microsoft-Windows-ActiveDirectory_DomainService" Guid="{0e8478c5-3605-4e8c-8497-1e730c959516}" EventSourceName="NTDS Replication" />
    <EventID Qualifiers="49152">2087</EventID>
    <TimeCreated SystemTime="2010-10-16T16:59:11.079812100Z" />
    <Correlation />
    <Execution ProcessID="492" ThreadID="2256" />
    <Channel>Directory Service</Channel>
    <Security UserID="S-1-5-7" />
    <Data>The requested name is valid, but no data of the requested type was found.</Data>
    <Data>22 DS RPC Client</Data>
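The user-action steps in the 2087 event text can be scripted from the destination DC. The following is an added example, not code from the question or from Microsoft's KB text: it looks up the source DC's DSA GUID CNAME under _msdcs (the record a replication partner resolves first, which is where error 11004 "no data of the requested type" usually comes from), follows it to the A record, and then checks whether the fixed ports (RPC endpoint mapper 135 and LDAP 389) answer. It assumes the ActiveDirectory and DnsClient PowerShell modules (RSAT on Windows 8 / Server 2012 or later); the source DC name SOURCEDC is a placeholder.

```powershell
# Added example: script the DNS and port checks suggested by event 2087.
# Assumes RSAT ActiveDirectory + DnsClient modules; 'SOURCEDC' is a placeholder.
Import-Module ActiveDirectory

function Test-ReplicationSource {
    param(
        [Parameter(Mandatory)][string]$SourceDc,   # e.g. 'SOURCEDC' (placeholder)
        [int[]]$Ports = @(135, 389)                # RPC endpoint mapper, LDAP
    )
    $result = [ordered]@{ SourceDc = $SourceDc }

    # A replication partner is located through the DSA GUID CNAME
    # (<objectGUID of the NTDS Settings object>._msdcs.<forest root>),
    # not through the plain host name, so test that record first.
    $dc     = Get-ADDomainController -Identity $SourceDc
    $ntds   = Get-ADObject -Identity $dc.NTDSSettingsObjectDN
    $forest = (Get-ADForest).RootDomain
    $cname  = "$($ntds.ObjectGUID)._msdcs.$forest"
    $result.DsaCname = $cname

    try {
        # CNAME -> host name the source DC registered for itself.
        $target = (Resolve-DnsName -Name $cname -Type CNAME -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1).NameHost
        $result.CnameTarget = $target
        # Host name -> A record.
        $ip = (Resolve-DnsName -Name $target -Type A -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
        $result.ARecord = $ip
    } catch {
        # A missing CNAME or A record is the DNS-side cause of event 2087.
        $result.DnsError = $_.Exception.Message
        return [pscustomobject]$result
    }

    # TCP reachability of the fixed ports. The dynamic RPC range cannot be
    # probed this way, since the port is handed out per connection by the
    # endpoint mapper on 135.
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $async  = $client.BeginConnect($ip, $port, $null, $null)
        $open   = $false
        if ($async.AsyncWaitHandle.WaitOne(3000)) {
            try { $client.EndConnect($async); $open = $true } catch { $open = $false }
        }
        $client.Close()
        $result["Port$port"] = $open
    }
    [pscustomobject]$result
}

# Usage, run on the destination DC that logged the 2087 event:
# Test-ReplicationSource -SourceDc 'SOURCEDC' | Format-List
```

If the DSA CNAME fails to resolve while the host name itself does, the source DC's Netlogon has not registered (or the destination's DNS server is not receiving) the _msdcs records, which is the case the event's steps 3 and 4 (dcdiag /test:dns on both sides) are meant to expose; a closed port 135 shows up as Port135 = False with DNS otherwise clean.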

If it's in a different site, check your settings; 3 hours sounds like the default of a site link.
Adam Brown, Senior Systems Admin (Top Expert 2010)
The default replication time frame is actually 5 minutes, so three hours is very much too long. has information on how you can change/check the settings on each DC. If there isn't a lot of bandwidth between sites, it may have been configured with a longer interval. You can actually force replication to occur to help in your troubleshooting (info here: ).

With all that said, having the RPC ports closed (particularly the endpoint mapper port) can cause this to fail. You very obviously don't want to open *all* of ports 1024-65535 since that will be like having no firewall at all. However, explains how to shrink this down to just a few ports. Make that change on the domain controllers in both sites (just pick any range of ports, but more than just 1 or 2. Try 20 or so), open the firewall for those ports and port 135. You won't need the WINS replication port unless you're using WINS for name resolution instead of DNS (in which case...STOP THAT! :D)
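As an added example (not code from the question or from Adam Brown's answer), the following PowerShell covers the checks and changes discussed in this thread: it lists every site link with its replication interval (a site link defaults to 180 minutes between cross-site cycles, which is why "3 hours" and the 120-minute value found later both point at the site link), shows the per-partner replication state, reports and optionally applies the narrowed RPC dynamic range plus a matching firewall rule, and forces a replication cycle. It assumes the RSAT ActiveDirectory module and repadmin.exe on the path; the registry location for the RPC range is the HKLM\SOFTWARE\Microsoft\Rpc\Internet key, and the 15-minute interval, the 5000-5019 range and the rule name are illustrative values.

```powershell
# Added example: site link intervals, partner health, RPC range restriction,
# and a forced sync. Assumes RSAT ActiveDirectory module + repadmin.exe.
Import-Module ActiveDirectory

# Every site link and its interval. Site links default to 180 minutes; anything
# above the intra-site cadence you expect is the first thing to look at.
function Get-SiteLinkIntervals {
    Get-ADReplicationSiteLink -Filter * -Properties ReplicationFrequencyInMinutes, Cost, SitesIncluded |
        Select-Object Name, ReplicationFrequencyInMinutes, Cost,
            @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
}

# Lower the interval on a site link (15 minutes is the minimum AD accepts).
function Set-SiteLinkInterval {
    param([string]$Name = 'DEFAULTIPSITELINK', [int]$Minutes = 15)   # illustrative values
    Set-ADReplicationSiteLink -Identity $Name -ReplicationFrequencyInMinutes $Minutes
}

# Last success/result per partner and partition; a stale LastReplicationSuccess
# with result 0 means "slow by schedule", a non-zero result means "broken".
function Get-ReplicationHealth {
    param([string]$Dc = $env:COMPUTERNAME)
    Get-ADReplicationPartnerMetadata -Target $Dc -Scope Server |
        Select-Object Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}

# Current state of the RPC dynamic-range restriction (assumed registry location).
function Get-RpcPortRestriction {
    $key = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $key)) { return 'RPC dynamic range not restricted (full ephemeral range in use)' }
    Get-ItemProperty -Path $key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
}

# Restrict RPC to a small block (about 20 ports, as the answer suggests) and open
# that block plus 135 inbound. Apply on the DCs in both sites; requires a reboot.
function Set-RpcPortRestriction {
    param([int]$Start = 5000, [int]$Count = 20)   # illustrative range
    $key   = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    $range = "$Start-$($Start + $Count - 1)"
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name Ports -PropertyType MultiString -Value @($range) -Force | Out-Null
    New-ItemProperty -Path $key -Name PortsInternetAvailable -PropertyType String -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $key -Name UseInternetPorts -PropertyType String -Value 'Y' -Force | Out-Null
    netsh advfirewall firewall add rule name="AD RPC $range" dir=in action=allow protocol=TCP localport="135,$range" | Out-Null
    "RPC dynamic range set to $range; reboot this DC so the RPC runtime picks it up."
}

# Force a cycle instead of waiting for the schedule, then summarise the result.
# /A all partitions, /d show DNs, /e include cross-site partners, /P push.
function Invoke-ForcedReplication {
    repadmin /syncall /AdeP
    repadmin /replsummary
}

# Usage:
# Get-SiteLinkIntervals | Format-Table -AutoSize
# Get-ReplicationHealth | Format-Table -AutoSize
# Get-RpcPortRestriction
# Set-SiteLinkInterval -Name 'DEFAULTIPSITELINK' -Minutes 15   # then Invoke-ForcedReplication
```

Run Get-SiteLinkIntervals first: a 120- or 180-minute interval on the link between the two sites explains a multi-hour lag by itself, with no port or DNS fault involved, and forcing a sync that completes cleanly confirms the path is open and only the schedule is slow.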


It was the default sitelink. Someone set it to 120 min replication time. Fixed. Thanks
