Server 2012R2 AD access and replication problems

Occasional Contributor

I have a Server 2012R2 which has several symptoms related to AD access and replication.  Here are some examples and some related event log descriptions:

GPMC cannot connect to the AD.

DFRS replication fails - Error: 1726 (The remote procedure call failed.)

SMB outbound connections sometimes fail - The Kerberos client received a KRB_AP_ERR_MODIFIED error from the target server.

Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology.

DNS - The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly.


The server is a 2012R2 Hyper-V guest, it was hosted on a Fujitsu server 2012R2.  It has been moved (VHD only) to a Dell server 2016 host, with a new vNIC and Hyper-V switch.  The problems described show no change both before and after the move.  The SYSVOL share seems to be normal.  The Windows firewall has been disabled.  SFC /SCANNOW and DISM healthchecks and restores have been completed.


Some help would be appreciated!



11 Replies

You can run;

Dcdiag /v /c /d /e /s:DCName >c:\dcdiag.log

(please replace DCName with your domain controller's netbios name)

ipconfig /all > C:\dc1.txt

then put files up on OneDrive and share a link.





The most immediate problem appears to be connectivity with LGNAD2 If this domain controller has been forcefully removed or no longer available then you can seize roles (if needed)

and perform cleanup.




I agree that the most immediate problem appears to be connectivity with LGNAD2, however LGNAD2 is in a AD site with no local issues, LGNAD4 was added to the same site very recently with no problems.  I am unable to add another DC to the problem site alongside LGNAD1.


For comparison I have added dcdiag2.txt and dc2.txt to the same OneDrive share.


Thanks again,



There may be routing issues between the two networks.

Dave, your diagnosis has been similar to mine and I have also suspected a routing problem between the sites but extended pings look good, SMB file transfers are normal for the cross site shares which are available, and we are keeping routing as a potential cause.

However I do not understand how a site connection issue would affect AD operation within the one LGNAD1 site, GPMC will not load since it cannot connect and I cannot add a second DC.

Best Response confirmed by Bob Smith (Occasional Contributor)

The dcdiag you ran from LGNAD1 is totally unaware of the new DC (LGNAD4) you added in other network plus it cannot connect to LGNAD2. I don't know how long ago this might have happened. Seems there is some blocking going on. One method would be to use PortQryUI tool to check domains and trusts ports.

tool does not install anything, just extract and run it. I'd try between two on the network so you know what to expect, then run from LGNAD1 --> LGNAD2 and LGNAD2-->LGNAD1




Thanks, The portqryui tool is new to me and the results are in the OneDrive already shared.


Running the tool at the AD1 site locally gave what looked like good results to LDAP queries, TCP port 389, UDP port 389, TCP port 636, and TCP port 3268; NETBIOS UDP port 137 but no others.  The inter site tests looked to be completely failing.


The inter site tests looked to be completely failing.

I'd agree. I'd get in touch with your inter-site network support group.





Dave, an MTU adjustment was required on the VPN appliances and replication is looking much better.


Thanks for your help!




Glad to hear.