Run Repadmin First
Before looking at individual event IDs, get the full picture:
# Overall replication summary — shows failures at a glance
repadmin /replsummary
# Show all replication partners and last successful replication time
repadmin /showrepl
# Show replication queue (backlog of changes waiting)
repadmin /queue
# Export failures to CSV for review
repadmin /showrepl * /csv > repl-report.csv
The replsummary output tells you which DC is failing, which partner, how long it's been failing, and the error code. Start there before reading event logs.
Event 1864 — Replication Latency
Event 1864 fires when a DC has not replicated in 8+ days. After 60 days, tombstone lifetime can expire and manual intervention is required.
# Check when a DC last replicated
repadmin /showrepl DC01 /verbose
# Check tombstone lifetime for your forest. The attribute lives on the Directory Service object
# under the Configuration NC, not on the Configuration NC head itself; an empty result means
# the forest is using the built-in default.
(Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)" `
    -Properties tombstoneLifetime).tombstoneLifetime
# After resolving the underlying error, force sync
repadmin /syncall /AdeP
Error 8606 — Lingering Objects
An object was deleted on one DC but another DC that was offline missed the deletion and still holds a copy. When replication resumes, the DCs disagree about whether the object exists.
# Detect lingering objects — advisory mode first (no changes)
# The source argument is the reference DC's DSA object GUID (shown as "DSA object GUID" in
# repadmin /showrepl DC01 output), not its host name; <DC01-DSA-GUID> is a placeholder for it
repadmin /removelingeringobjects DC02 <DC01-DSA-GUID> "DC=corp,DC=local" /advisory_mode
Review the output, then remove for real:
# Same DSA object GUID placeholder as above; one run per partition the DCs share
repadmin /removelingeringobjects DC02 <DC01-DSA-GUID> "DC=corp,DC=local"
repadmin /removelingeringobjects DC02 <DC01-DSA-GUID> "CN=Configuration,DC=corp,DC=local"
repadmin /removelingeringobjects DC02 <DC01-DSA-GUID> "CN=Schema,CN=Configuration,DC=corp,DC=local"
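The per-partition commands above can be driven from a script. The following function is an added example, not part of the original page: it looks up the reference DC's DSA object GUID (which repadmin expects instead of a host name), enumerates every naming context the reference DC holds from its rootDSE, and runs the advisory-mode check for each one. It assumes the ActiveDirectory RSAT module and repadmin.exe are available, and that the advisory run reports each object it would have removed as event 1946 in the destination DC's Directory Service log; the function name and parameters are my own.

```powershell
function Invoke-LingeringObjectScan {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $DestinationDC,   # DC suspected of holding lingering objects
        [Parameter(Mandatory)] [string] $ReferenceDC,     # up-to-date DC to compare against
        [switch] $Remove                                   # default is advisory mode (no changes)
    )

    # repadmin wants the reference DC's DSA object GUID: the objectGUID of its NTDS Settings object
    $ntdsDn  = (Get-ADDomainController -Identity $ReferenceDC).NTDSSettingsObjectDN
    $dsaGuid = (Get-ADObject -Identity $ntdsDn).ObjectGUID.ToString()

    # Every partition the reference DC holds (domain, Configuration, Schema, application NCs)
    $partitions = (Get-ADRootDSE -Server $ReferenceDC).namingContexts
    $mode = if ($Remove) { 'remove lingering objects' } else { 'advisory-mode scan' }

    foreach ($nc in $partitions) {
        $repArgs = @('/removelingeringobjects', $DestinationDC, $dsaGuid, $nc)
        if (-not $Remove) { $repArgs += '/advisory_mode' }

        # -WhatIf prints the intended command instead of running it
        if (-not $PSCmdlet.ShouldProcess("$DestinationDC : $nc", $mode)) { continue }

        $started = Get-Date
        $output  = & repadmin.exe @repArgs 2>&1

        # Assumption: advisory mode logs one event 1946 per object it would have removed in the
        # destination DC's Directory Service log; the console output only carries status text.
        $detected = @(Get-WinEvent -ComputerName $DestinationDC -FilterHashtable @{
                          LogName = 'Directory Service'; Id = 1946; StartTime = $started
                      } -ErrorAction SilentlyContinue)

        [pscustomobject]@{
            NamingContext   = $nc
            Mode            = $mode
            ExitCode        = $LASTEXITCODE
            ObjectsReported = $detected.Count
            Status          = ($output | Select-Object -Last 1)
        }
    }
}

# Advisory pass first; add -Remove only after reviewing the reported objects
Invoke-LingeringObjectScan -DestinationDC DC02 -ReferenceDC DC01 | Format-Table -AutoSize
```

Running it with `-WhatIf` shows the exact repadmin invocations without touching either DC, which is a convenient way to confirm the GUID and partition list before the advisory run.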
Error 1722 — RPC Server Unavailable
RPC 1722 means the source DC is unreachable or RPC ports are blocked. This is almost always a firewall or network issue.
# Test RPC connectivity
Test-NetConnection -ComputerName DC01 -Port 135
# Start of dynamic port range; a dynamic port only answers if a service currently holds it
Test-NetConnection -ComputerName DC01 -Port 49152
AD replication uses port 135 plus dynamic ports 49152–65535. To pin replication to a specific port:
# Set a static RPC port for AD replication (the firewall must allow this port as well)
reg add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters /v "TCP/IP Port" /t REG_DWORD /d 50000 /f
# The value is read when AD DS (NTDS) starts, so restart that service or reboot;
# restarting Netlogon does not apply it. /y accepts stopping NTDS's dependent services,
# which then need to be started again.
net stop NTDS /y && net start NTDS
Get-Service NTDS, KDC, DNS, DFSR | Where-Object Status -ne Running | Start-Service
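To check the RPC path end to end rather than one port at a time, the function below is an added example (not code from the original page). It tests the endpoint mapper, then asks the source DC which port AD DS is actually listening on: the static "TCP/IP Port" value if one is set, otherwise the dynamic-range ports held by lsass.exe, which hosts AD DS. It assumes WinRM access to the source DC for Invoke-Command; the dynamic range bounds are the Windows defaults quoted above and the function name is my own.

```powershell
function Test-ADReplicationRpcPath {
    param(
        [Parameter(Mandatory)] [string] $SourceDC,
        [int] $DynamicPortStart = 49152,   # Windows default dynamic range (assumed, not read from the DC)
        [int] $DynamicPortEnd   = 65535
    )
    $results = New-Object System.Collections.Generic.List[object]

    function Add-Result([string] $Check, [int] $Port) {
        $t = Test-NetConnection -ComputerName $SourceDC -Port $Port -WarningAction SilentlyContinue
        $results.Add([pscustomobject]@{ Check = $Check; Port = $Port; Reachable = $t.TcpTestSucceeded })
    }

    # 1. Endpoint mapper: every replication RPC call starts with a lookup on 135
    Add-Result 'Endpoint mapper' 135

    # 2. Ask the source DC what it is listening on. AD DS runs inside lsass.exe; a static
    #    "TCP/IP Port" value pins it, otherwise it takes a port from the dynamic range.
    $remote = Invoke-Command -ComputerName $SourceDC -ScriptBlock {
        $static = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                       -Name 'TCP/IP Port' -ErrorAction SilentlyContinue).'TCP/IP Port'
        $lsass  = (Get-Process -Name lsass).Id
        $listen = Get-NetTCPConnection -State Listen -OwningProcess $lsass |
                      Select-Object -ExpandProperty LocalPort -Unique
        [pscustomobject]@{ StaticPort = $static; ListeningPorts = @($listen) }
    }

    if ($remote.StaticPort) {
        Add-Result 'Static NTDS port (TCP/IP Port)' $remote.StaticPort
    }

    # lsass also listens on LDAP/Kerberos ports; only the dynamic-range ones are RPC endpoints
    # (these cover AD DS plus the other lsass-hosted RPC interfaces, all of which a partner DC needs)
    $rpcPorts = $remote.ListeningPorts | Where-Object { $_ -ge $DynamicPortStart -and $_ -le $DynamicPortEnd }
    foreach ($p in $rpcPorts) { Add-Result 'Dynamic RPC port held by lsass' $p }

    $results
}

Test-ADReplicationRpcPath -SourceDC DC01 | Format-Table -AutoSize
```

A row with `Reachable` false on port 135 points at the network or firewall; 135 reachable but the listening port blocked is the classic symptom of a firewall that allows the endpoint mapper but not the dynamic range, which is exactly what pinning a static port is meant to simplify.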
Error 8524 — DNS Lookup Failed
The source DC can't be resolved by name. Replication requires DCs to find each other via DNS SRV records.
# Verify the source DC resolves
Resolve-DnsName DC01.corp.local
# Check _msdcs zone exists
Get-DnsServerZone | Where-Object {$_.ZoneName -like "*msdcs*"}
# Re-register DC DNS records
ipconfig /registerdns
net stop netlogon && net start netlogon
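Replication does not locate a partner by its host name directly: the destination DC resolves the CNAME `<DSA object GUID>._msdcs.<forest root>`, which must point at the partner's host record. The function below is an added example, not part of the original page, that checks that chain for a given source DC along with the `_ldap._tcp.dc._msdcs` SRV records. It assumes the ActiveDirectory RSAT module; the function name and parameters are my own.

```powershell
function Test-ADReplicationDns {
    param(
        [Parameter(Mandatory)] [string] $SourceDC,
        [string] $DnsServer                     # optional: query a specific DNS server instead of the client's
    )
    $forest  = (Get-ADForest).RootDomain
    $dc      = Get-ADDomainController -Identity $SourceDC
    $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID.ToString()

    $common = @{ ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $common.Server = $DnsServer }

    # 1. The GUID CNAME in the forest-root _msdcs zone: this is the record replication uses
    $cnameName = "$dsaGuid._msdcs.$forest"
    $cname     = Resolve-DnsName -Name $cnameName -Type CNAME @common

    # 2. The host record the CNAME points to
    $hostRec = if ($cname) { Resolve-DnsName -Name $cname.NameHost -Type A @common }

    # 3. SRV records advertising DCs for the forest; the source DC should be among the targets
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$forest" -Type SRV @common

    [pscustomobject]@{
        SourceDC      = $dc.HostName
        DsaGuidCname  = $cnameName
        CnameTarget   = if ($cname) { $cname.NameHost } else { '<not found>' }
        HostResolves  = [bool]$hostRec
        HostAddresses = ($hostRec | ForEach-Object IPAddress) -join ', '
        SrvAdvertised = [bool]($srv | Where-Object { $_.NameTarget -ieq $dc.HostName })
    }
}

Test-ADReplicationDns -SourceDC DC01 | Format-List
```

If `CnameTarget` is `<not found>` while the host record resolves, the partner's A record is fine but its GUID CNAME is missing from `_msdcs`, which is the case `ipconfig /registerdns` plus a Netlogon restart on the source DC repairs.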
Error 1753 — Endpoint Mapper Failed
RPC port 135 is reachable but the service being called is not registered. Usually caused by AD DS not fully starting.
# Check if AD services are healthy on the source DC
Get-Service NTDS, ADWS, Netlogon, DNS, KDC | Select Name, Status
# Restart the AD DS service if it's stopped or degraded. Stopping NTDS also stops the services
# that depend on it (KDC among them); /y accepts that, so start them again afterwards
net stop NTDS /y && net start NTDS
Get-Service NTDS, ADWS, Netlogon, DNS, KDC | Where-Object Status -ne Running | Start-Service
Force Replication After Fixing
# Force replication of a specific partition
repadmin /replicate DC02 DC01 "DC=corp,DC=local"
# Force sync of all partitions across all DCs
repadmin /syncall /AdeP
# Verify it worked (findstr treats each space-separated word as a separate search term;
# "|" is not an alternation operator for findstr)
repadmin /showrepl | findstr /i "error fail attempt"
Run repadmin /replsummary again after forcing. The failure count and last error time should reset. If they don't, the underlying issue isn't fully resolved.
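The "start with the full picture" advice at the top, the tombstone-lifetime check under event 1864, and the before/after verification here all rest on the same data: the CSV that `repadmin /showrepl * /csv` produces. The script below is an added example, not code from the original page. It turns that CSV into objects, computes how long each partner has gone without a success against the tombstone lifetime, and compares a before and after snapshot so that a forced sync can be confirmed per partner and partition. The column names are those repadmin writes in its header row; `$SampleShowReplCsv` is constructed data, not a real capture, so the functions can be tried without a domain, and all function names are my own.

```powershell
# Constructed sample of repadmin /showrepl * /csv output (not real data); the header row is the one repadmin writes
$SampleShowReplCsv = @(
  'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status'
  'showrepl_INFO,Default-First-Site-Name,DC02,"DC=corp,DC=local",Default-First-Site-Name,DC01,RPC,0,0,2024-05-01 09:15:02,0'
  'showrepl_INFO,Default-First-Site-Name,DC02,"CN=Configuration,DC=corp,DC=local",Default-First-Site-Name,DC01,RPC,12,2024-05-01 09:20:00,2024-02-10 03:00:00,1722'
  'showrepl_INFO,Branch,DC03,"DC=corp,DC=local",Default-First-Site-Name,DC01,RPC,3,2024-05-01 09:21:00,2024-04-29 22:00:00,8524'
)

function Get-ADTombstoneLifetimeDays {
    # The attribute lives on the Directory Service object under the Configuration NC
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    $ds.tombstoneLifetime   # $null when unset: the forest then uses the built-in default
}

function Get-ADReplicationStatus {
    param(
        [string[]] $CsvLines,                  # repadmin /showrepl * /csv output; omit to run repadmin now
        [int] $TombstoneLifetimeDays = 60,     # pass (Get-ADTombstoneLifetimeDays) for the forest's real value
        [datetime] $Now = (Get-Date)
    )
    if (-not $CsvLines) { $CsvLines = & repadmin.exe /showrepl * /csv }

    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $lastOk = $null
        try { $lastOk = [datetime]$row.'Last Success Time' } catch { }   # "(never)" or blank stays $null
        $age = if ($lastOk) { [math]::Floor(($Now - $lastOk).TotalDays) } else { $null }
        [pscustomobject]@{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Failures      = [int]$row.'Number of Failures'
            LastError     = $row.'Last Failure Status'
            DaysSinceOk   = $age
            PastTombstone = ($null -ne $age -and $age -gt $TombstoneLifetimeDays)
        }
    }
}

function Compare-ADReplicationStatus {
    # Did forcing replication actually clear the failures? Match before/after rows per partner and partition
    param([object[]] $Before, [object[]] $After)
    foreach ($b in $Before) {
        $a = $After | Where-Object {
            $_.Destination -eq $b.Destination -and $_.Source -eq $b.Source -and $_.NamingContext -eq $b.NamingContext
        } | Select-Object -First 1
        [pscustomobject]@{
            Destination    = $b.Destination
            Source         = $b.Source
            NamingContext  = $b.NamingContext
            FailuresBefore = $b.Failures
            FailuresAfter  = if ($a) { $a.Failures } else { $null }
            Resolved       = [bool]($a -and $a.Failures -eq 0)
        }
    }
}

# Offline demo on the constructed sample: the Configuration partition on DC02 shows 81 days
# without a success, past the 60-day figure, while DC03 is only a day behind
Get-ADReplicationStatus -CsvLines $SampleShowReplCsv -Now ([datetime]'2024-05-01 12:00:00') | Format-Table -AutoSize
```

Against a live forest the pattern is `$before = Get-ADReplicationStatus -TombstoneLifetimeDays (Get-ADTombstoneLifetimeDays)`, then the fix and `repadmin /syncall /AdeP`, then `$after = Get-ADReplicationStatus` and `Compare-ADReplicationStatus $before $after`. A row that stays unresolved after the forced sync identifies exactly which partner and partition still has the underlying problem, which is more precise than eyeballing the replsummary counts.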