Windows Server: Troubleshooting Active Directory and DNS Replication

Summary: This article provides information about troubleshooting Active Directory and DNS replication.


Instructions


Table of Contents:

1. Find the Flexible Single Master Operations (FSMO) role holders
2. Narrow down the problem
3. Visually inspect DNS
4. Visually inspect sites and services
5. Use event IDs to narrow troubleshooting
6. Other tools


Issue 1. Find the Flexible Single Master Operations (FSMO) role holders:

Begin by finding the domain controllers (DCs) in the organization. Focus on the health of your forest root and work your way out.

Find the FSMO role holders by opening an elevated command prompt and typing:

netdom query fsmo

This returns a list of the DCs holding each role:

[Image: output of netdom query fsmo]


Issue 2. Narrow down the problem:

To narrow down the problem, you must be systematic. Use the following tools to test the various DCs: their connection to the root domain or role holder, their ability to resolve names to IP addresses, the open ports between them, and their replication results.

Try to pinpoint a specific server that does not communicate and determine whether the source or the destination server is the cause. Event logs and replication results are the quickest ways to gain additional information.

  • dcdiag /v /c /d /e /s:<DCname> > c:\dcdiag.txt (replace <DCname> with a DC to start from)
  • ipconfig /all (from all DCs and DNS servers)
  • repadmin /showrepl (from each DC)
  • repadmin /replsum
  • dcdiag /test:dns /s:<DCname> /dnsbasic
  • repadmin /syncall /aped
  • Ping each DC by name and verify that the name resolves to the correct IP address.
  • Use nslookup to test DNS resolution from different DCs.
  • Use tracert to test the routes between servers.
  • repadmin /bind <servername> - can the DCs bind to each other?
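As an added example that is not part of the Dell article, the following PowerShell sweep runs the checks in this list against every DC at once: DNS resolution compared with the address AD holds for the DC, ping, the ports replication depends on, and the repadmin replication summary. It assumes the ActiveDirectory and DnsClient modules are installed and that it runs from an elevated prompt on a domain-joined machine; the port list (135, 389, 445) is an assumption chosen for this example.

```powershell
# Added example, not from the Dell article. Assumes the ActiveDirectory and
# DnsClient modules, repadmin.exe on the path, and an elevated, domain-joined session.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * -ErrorAction Stop

$results = foreach ($dc in $dcs) {
    $name = $dc.HostName

    # Does DNS resolve the DC to the address AD believes it has? (the "ping each DC by name" check)
    $resolved = (Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue).IPAddress
    $dnsOk    = $resolved -contains $dc.IPv4Address

    # Reachability, then the ports replication needs: RPC endpoint mapper, LDAP, SMB (assumed set)
    $pingOk = Test-Connection -ComputerName $name -Count 1 -Quiet
    $ports  = foreach ($p in 135, 389, 445) {
        (Test-NetConnection -ComputerName $name -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        DC               = $name
        Site             = $dc.Site
        ADAddress        = $dc.IPv4Address
        DNSAddress       = ($resolved -join ',')
        DNSMatches       = $dnsOk
        Ping             = $pingOk
        Ports135_389_445 = ($ports -join '/')
    }
}
$results | Format-Table -AutoSize

# Replication status for every DC, parsed from repadmin's CSV output.
# Any row with failures names the source/destination pair to investigate first.
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv
$repl | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Status', 'Last Success Time' |
    Format-Table -AutoSize
```

A DC whose DNSMatches is False or whose ports fail while Ping succeeds is usually the one to look at first; the repadmin table then tells you whether it is failing as a source or as a destination.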

 

Issue 3. Visually inspect DNS:


Open the DNS console by going to Start -> Administrative Tools -> DNS. Click the DNS server in the left pane.

Review the forward lookup zones and all other zones related to the forest and domain partitions.

Guidance is available from Microsoft TechNet: Troubleshooting DNS.

 

Some things to look for in the DNS console include:

  • Start of authority (SOA) properties that list name servers that no longer exist.
  • Records that have incorrect IP addresses.
  • Stale records that have not been deleted.
  • "(Same as parent folder)" host records that do not point at the DCs.
  • Find the start of authority (SOA) and name server (NS) records in the domain forward lookup zone (see image below).
    • Right-click each and select Properties.
    • Verify that the name servers and other information are correct.
  • Look in the _msdcs folder.
  • Are there missing entries?

[Image: _msdcs folder contents]

You can find more information about the DNS infrastructure on the Microsoft TechNet DNS Server page.
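As an added example that is not part of the Dell article, this PowerShell script performs the same inspection from the command line: it compares the NS records, the "(same as parent folder)" A records, the _ldap._tcp.dc._msdcs SRV records and each DC's GUID CNAME in _msdcs against the DC list held in AD, so stale or missing entries are listed rather than spotted by eye. It assumes the ActiveDirectory and DnsClient modules on a domain-joined machine.

```powershell
# Added example, not from the Dell article. Assumes the ActiveDirectory and
# DnsClient modules on a domain-joined machine.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot
$forest  = (Get-ADDomain).Forest
$dcs     = Get-ADDomainController -Filter *
$dcNames = $dcs.HostName | ForEach-Object { $_.ToLower() }
$dcIps   = $dcs.IPv4Address

# 1. NS records on the domain zone: every entry should be a real, current DC.
$ns = Resolve-DnsName -Name $domain -Type NS -ErrorAction Stop |
      Where-Object { $_.Type -eq 'NS' } |
      ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() }
"NS records pointing at servers that are not current DCs:"
$ns | Where-Object { $dcNames -notcontains $_ }

# 2. "(same as parent folder)" A records on the domain name should all be DC addresses.
$apex = (Resolve-DnsName -Name $domain -Type A -ErrorAction Stop).IPAddress
"Domain A records that are not a DC address:"
$apex | Where-Object { $dcIps -notcontains $_ }

# 3. _msdcs: the LDAP SRV record must list every DC, and nothing that is not a DC.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
"DCs missing from _ldap._tcp.dc._msdcs.$domain (missing entries):"
$dcNames | Where-Object { $srv -notcontains $_ }
"SRV targets that are not current DCs (stale entries):"
$srv | Where-Object { $dcNames -notcontains $_ }

# 4. Replication partners locate each other through <DSA GUID>._msdcs.<forest>;
#    a DC whose CNAME is missing cannot be reached by its partners.
foreach ($dc in $dcs) {
    $guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID).objectGUID
    $cname = "$guid._msdcs.$forest"
    $ok    = [bool](Resolve-DnsName -Name $cname -Type CNAME -ErrorAction SilentlyContinue)
    "{0,-40} {1}" -f $dc.HostName, $(if ($ok) { 'CNAME resolves' } else { "CNAME MISSING: $cname" })
}
```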


Issue 4. Visually inspect sites and services:

 

The Active Directory Sites and Services console contains several items that can help in troubleshooting replication failures. Open and inspect every folder and look for the following:

  • Verify that subnets have been created and assigned to the correct sites.
  • Ensure that each site object contains the correct servers.
  • Inspect the NTDS Settings objects to verify the replication connections.
  • Verify that the server names referenced by those connections still exist.
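The same four checks from PowerShell, as an added example that is not part of the Dell article: subnets with no site, the DCs each site holds, and connection objects whose source or destination server is no longer a current DC. It assumes the ActiveDirectory module; the DN parsing relies on the standard "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,..." layout of NTDS Settings objects.

```powershell
# Added example, not from the Dell article. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$dcs     = Get-ADDomainController -Filter *
$dcShort = $dcs.Name | ForEach-Object { $_.ToLower() }   # short server names, e.g. DC1

# Subnets: a subnet with no site means clients and DCs in it are not matched to a site.
"Subnets without a site:"
Get-ADReplicationSubnet -Filter * -Properties Site |
    Where-Object { -not $_.Site } | Select-Object -ExpandProperty Name

# Sites: which DCs each site holds; an empty site or a DC in the wrong site stands out here.
"DCs per site:"
$dcs | Group-Object Site |
    Select-Object Name, @{ n = 'DCs'; e = { $_.Group.HostName -join ', ' } } |
    Format-Table -AutoSize

# NTDS connection objects: both ends must still be real DCs. A server that was taken
# offline without demotion leaves connections pointing at a name that no longer answers.
"Connection objects whose source or destination is not a current DC:"
Get-ADReplicationConnection -Filter * | ForEach-Object {
    # DN layout: CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,...
    $src = (($_.ReplicateFromDirectoryServer -split ',')[1] -replace '^CN=').ToLower()
    $dst = (($_.ReplicateToDirectoryServer   -split ',')[1] -replace '^CN=').ToLower()
    if ($dcShort -notcontains $src -or $dcShort -notcontains $dst) {
        [pscustomobject]@{ Connection = $_.Name; From = $src; To = $dst }
    }
} | Format-Table -AutoSize
```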

 

Issue 5. Use event IDs to narrow troubleshooting:

 
AD-related errors are recorded in the Event Viewer console.
The fastest way to open it is to go to Start -> Run and type eventvwr.msc.
Relevant event logs include the System, DNS, Directory Service, and File Replication Service logs.
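As an added example that is not part of the Dell article, this PowerShell script collects the critical, error and warning events from those logs on every DC for the last 24 hours and groups them by DC, log and event ID, so the IDs to look up are ranked by how often they fire. It assumes the ActiveDirectory module and remote Event Log (RPC) access to each DC; the 24-hour window and the extra DFS Replication log (which replaces File Replication Service on domains whose SYSVOL uses DFSR) are assumptions of this example.

```powershell
# Added example, not from the Dell article. Assumes the ActiveDirectory module and
# that the account running it can read event logs remotely on each DC.
Import-Module ActiveDirectory

$logs  = 'System', 'DNS Server', 'Directory Service', 'File Replication Service', 'DFS Replication'
$since = (Get-Date).AddHours(-24)   # assumed window

$events = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    foreach ($log in $logs) {
        # Level 1 = Critical, 2 = Error, 3 = Warning. A log that does not exist on a DC
        # (or has no matching events) is skipped rather than reported as an error.
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = $log; Level = 1, 2, 3; StartTime = $since
        } | Select-Object @{ n = 'DC'; e = { $dc } }, LogName, TimeCreated, Id, LevelDisplayName,
                          ProviderName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
    }
}

# Which IDs are firing, where, and how often: the starting point for looking each one up.
$events | Group-Object DC, LogName, Id | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Example'; e = { $_.Group[0].Message } } |
    Format-Table -AutoSize -Wrap

# Directory Service events in time order, across all DCs, to line up a failure on the
# destination with what the source DC logged at the same moment.
$events | Where-Object LogName -eq 'Directory Service' | Sort-Object TimeCreated |
    Format-Table DC, TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap
```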

Use the following articles to help determine the next steps, based on errors found in the logs:


 

Issue 6. Other tools:

 

Nltest is a useful command-line tool that can return many kinds of information about an AD domain, including which DC a client is using and the state of its secure channel.
The metadata cleanup process removes AD references to DCs that were taken offline without being properly demoted.
Lingering objects are AD objects that have been deleted from one DC but remain on another because replication failed for longer than the tombstone lifetime.
Removing these objects is a necessary step in restoring proper replication.

 

Affected Products

Microsoft Windows Server 2016, Microsoft Windows Server 2019, Microsoft Windows Server 2022, Microsoft Windows Server 2025

Article Properties
Article Number: 000178954
Article Type: How To
Last Modified: 06 Jun 2025
Version:  8