Insane AD replication problem

    Question

  • We've recently deployed a 2012 R2 RODC to a branch office. Connectivity to the home site is over IPSEC VPN, and the tunnel is working perfectly. Internal DC replication is working fine too. The big problem is sporadic replication between the main site DCs and the RODC. Sometimes it works for brief periods, then it stops. Always, every time, the error is '1722 RPC server not available'. There are no drops on the VPN at all to account for this. When it does replicate, it works ok, then it just stops again. Even more strangely, one of the main office DCs replicates fine with the RODC - it's never had a problem.

    Things I've ruled out:

    Firewalls
    DNS (SRV and _msdcs records are fine)
    Network issues (inc. routing)
    Remote office power issues

    If the problem was continuous, it might be easier to troubleshoot, but it's not. It might work for a couple of hours, then fail for the next 12. Ping times between sites are a consistent 40ms. All DCs are patched and have been rebooted to clear any potential issues. Even when it won't replicate, ping works, DNS is fine etc. In fact, of the 6 local DCs at the main site, 4 have replication links to the RODC. Of those four, two replicate ok, two fail randomly.

    If you do a repadmin /showreps on the RODC though, it thinks everything is replicating fine. No errors at all for INBOUND Neighbors, so the RODC is replicating ok. The DS event log on the local DCs just continually reports DirectoryServices event ID 1308 - "The KCC has detected that successive attempts to replicate with the following directory service have failed".

    dcdiag just reports the same 'RPC server unavailable' error. repadmin /replsum shows a 40% failure rate replicating to the RODC.

    So, this problem is crazy mad, with no logical explanation. Can anyone assist?

    Monday, December 12, 2016 5:50 PM
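Because the failures described above come and go over hours, a single repadmin or dcdiag snapshot rarely catches the moment of failure. The following PowerShell script is an added example, not code from the original thread or from Microsoft; it polls on a timer and writes two timestamped CSVs, one with what the directory reports about replication to the RODC (the same data repadmin /showrepl /errorsonly gives, including the 1722 result code) and one with whether the RODC's RPC endpoint mapper on TCP 135 answers from the machine running the probe. It assumes the RSAT ActiveDirectory module is installed, and the DC names, the optional static replication port and the log paths are hypothetical placeholders to replace.

```powershell
# Added example (not from the original post): correlate AD replication failures
# to an RODC with RPC reachability over time, for intermittent 1722 errors.
# Assumptions: RSAT ActiveDirectory module present; run from a hub-site machine
# (ideally once on a hub DC that fails and once on one that works, for comparison).
# All hostnames below are hypothetical placeholders.

Import-Module ActiveDirectory

$Rodc          = 'BRANCH-RODC01'                                   # hypothetical RODC
$HubDcs        = 'HUB-DC01', 'HUB-DC02', 'HUB-DC03', 'HUB-DC04'    # hypothetical hub DCs with links to the RODC
$StaticRpcPort = 0          # set if NTDS on the RODC is pinned to a fixed replication port; 0 = not configured
$ReplLog       = "$env:TEMP\rodc-repl-failures.csv"
$RpcLog        = "$env:TEMP\rodc-rpc-probe.csv"

function Get-RodcReplicationFailures {
    # Replication failures as each server reports them (Get-ADReplicationFailure is the
    # cmdlet equivalent of repadmin /showrepl /errorsonly). LastError 1722 is
    # "RPC server unavailable", the code the question keeps seeing.
    param([string[]]$Servers, [string]$Rodc)
    foreach ($srv in $Servers) {
        Get-ADReplicationFailure -Target $srv -Scope Server -ErrorAction SilentlyContinue |
            Where-Object { $_.Partner -like "*$Rodc*" -or $_.Server -like "*$Rodc*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Time             = Get-Date -Format 's'
                    Server           = $_.Server
                    Partner          = $_.Partner
                    FailureType      = $_.FailureType
                    FailureCount     = $_.FailureCount
                    FirstFailureTime = $_.FirstFailureTime
                    LastError        = $_.LastError
                }
            }
    }
}

function Test-RodcRpcReachability {
    # TCP 135 is the RPC endpoint mapper. After the mapper answers, replication
    # moves to a port in the dynamic RPC range (or to a static port if one was
    # configured), so a VPN or firewall that passes 135 but drops the second
    # connection still produces 1722. Test the static port too when it is known.
    param([string]$Target, [int]$StaticPort = 0)
    $epm = Test-NetConnection -ComputerName $Target -Port 135 -WarningAction SilentlyContinue
    $row = [pscustomobject]@{
        Time       = Get-Date -Format 's'
        Target     = $Target
        Ping       = $epm.PingSucceeded
        RttMs      = if ($epm.PingSucceeded) { $epm.PingReplyDetails.RoundtripTime } else { $null }
        Epm135     = $epm.TcpTestSucceeded
        StaticPort = $null
    }
    if ($StaticPort -gt 0) {
        $row.StaticPort = (Test-NetConnection -ComputerName $Target -Port $StaticPort `
                               -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    $row
}

function Get-KccFailureEvents {
    # The Directory Service 1308 events the question mentions, pulled from each hub DC
    # so their timestamps can be lined up against the probe rows.
    param([string[]]$Servers, [int]$Hours = 24)
    foreach ($srv in $Servers) {
        Get-WinEvent -ComputerName $srv -FilterHashtable @{
            LogName = 'Directory Service'; Id = 1308; StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue | Select-Object MachineName, TimeCreated, Id
    }
}

# Poll every 5 minutes for 12 hours (the outage length mentioned in the question).
$IntervalMinutes = 5
$Passes          = [int](12 * 60 / $IntervalMinutes)
for ($i = 0; $i -lt $Passes; $i++) {
    Test-RodcRpcReachability -Target $Rodc -StaticPort $StaticRpcPort |
        Export-Csv -Path $RpcLog -Append -NoTypeInformation
    Get-RodcReplicationFailures -Servers ($HubDcs + $Rodc) -Rodc $Rodc |
        Export-Csv -Path $ReplLog -Append -NoTypeInformation
    Start-Sleep -Seconds ($IntervalMinutes * 60)
}

# Afterwards: rows where Epm135 is False alongside LastError 1722 point at the
# mapper itself being unreachable; 1722 with Epm135 True points at the follow-on
# dynamic-port connection being dropped somewhere between the hub DC and the RODC.
Get-KccFailureEvents -Servers $HubDcs -Hours 12 | Sort-Object TimeCreated | Format-Table -AutoSize
```

Run the probe on one of the two hub DCs that fails and, in parallel, on the one that has never failed; since both reach the same RODC over the same tunnel, a difference in the Epm135 or StaticPort columns between the two logs narrows the fault to the path from the failing DCs rather than to the RODC or the VPN as a whole. If the 1722 rows line up with a reachable endpoint mapper, the next thing to check is whether the dynamic RPC range (49152-65535 on Server 2008 and later by default) is allowed end to end, or whether pinning replication to a static port and allowing only that port makes the failures disappear.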

All replies

  • Hi

     Also, you should discover the possible reasons. I just recommend that you start with firewall rules: first configure full permission, then enable rules one by one and verify. If you couldn't find any error on the FW, then analyse the network connectivity. These will show you the way, I think.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Monday, December 12, 2016 6:59 PM