Active Directory replication between subdomains fails
  • Hi there, it seems I have a lack of understanding, or a real challenge here, as I can't find any hint to a conclusion. Any help and discussion appreciated:

    I have an Active Directory forest that contains a root domain (root.tld) and several subdomains (sub1.root.tld, sub2.root.tld, ...). From a networking point of view we have a star topology, i.e. every DC of a subdomain can connect to DCs of the root domain, but not to any DC in any other subdomain. AD Sites & Services represents that topology correctly, and the KCC has automatically created the correct replication connections.

    Now we have encountered a problem: the root domain DCs report replication errors (8606) for all subdomains. Looking further into the details, you can see that the partitions raising the replication error are the read-only copies of the subdomains. More specifically, each subdomain DC reports failure to replicate the domain partition of each other subdomain.

    Example: The DCs of sub1.root.tld report error 8606 for partitions sub2, sub3, sub4, .... The DCs of sub2.root.tld report the same error for sub1, sub3, sub4. Sub3.root.tld reports it for sub1, sub2, sub4, and so forth.

    Replication between root and subX always succeeds and is in sync. As 8606 says we have lingering objects in the reported replication partition, I would need to use repadmin to sync each out-of-sync partition against its writable copy, which is located in each subdomain. But as the network topology doesn't allow for that connection, I can't remove the lingering objects or relocate the read-only partition.

    Except for having the firewall reconfigured so that every DC in every domain/subdomain can contact each other, I don't have any clue how to fix the issue.

    Any ideas?

    Best regards,


    Thursday, March 23, 2017 7:43 AM