Server 2019 Domain Controller Replication – Unlucky Timing

Posted on Posted in Active Directory, Powershell, Windows Server

Take a domain running multiple versions of Windows domain controllers across multiple AD sites and replicating just fine, add Server 2019 as a DC to the mix, and what do you get? Say it with me now “DCs mostly replicating just fine but KCC re-evaluated connections and one DC is now spamming event 1645 and 1925 every 15 minutes!”

To be fair, it is not exactly a 2019 specific issue but most likely a timing issue if KCC has updated links in the configuration partition prior to the domain partition update and leaves one of the replication partners on an island since it is unaware of the new DC’s service principal name.  However, that Microsoft article left out an important detail – which DC should you run setspn -A on?  The source or destination DC?

Welp, let’s  pinpoint the problem by finding which domain controller is missing the Directory Replication Service principal name of the partner DC:

Look for a blank DRSguid value in the table output, correlate back to the SourceServer column, connect to that domain controller and then if repadmin /showrepl is returning KCC errors run:

After 20 minutes run repadmin /showrepl from the DC that was unable to reach it’s partner and you should see that everything is back in order.