PASSED: server / ad_replication_failure

AD Replication Failure Between Domain Controllers

Active Directory replication between the two domain controllers fails due to a lingering object conflict. Users at the branch office (authenticating against DC-02) see stale group memberships and GPOs, and password changes made on DC-01 are not replicating to DC-02.

Pattern: ACTIVE_DIRECTORY
Severity: CRITICAL
Confidence: 90%
Remediation: Remote Hands

Test Results

Metric               | Expected         | Actual           | Result
Pattern Recognition  | ACTIVE_DIRECTORY | ACTIVE_DIRECTORY |
Severity Assessment  | CRITICAL         | CRITICAL         |
Incident Correlation | Yes              | 22 linked        |
Cascade Escalation   | N/A              | No               |
Remediation          | Remote Hands — Corax contacts on-site support via call, email, or API

Scenario Conditions

Two-DC environment: DC-01 (HQ) and DC-02 (Branch). AD replication over VPN. Lingering object detected in CN=Configuration partition. Replication blocked for 48 hours. Strict replication consistency enabled.

Injected Error Messages (2)

1. AD replication failure — DC-01 to DC-02 replication halted, Event ID 2042: lingering object detected, repadmin /showrepl showing 'replication access was denied' error 8453, CN=Configuration partition last successful replication: 48 hours ago
2. Active Directory replication blocked on DC-02 — Event ID 1988: lingering objects found in directory partition, strict replication consistency preventing inbound replication, branch users seeing stale group memberships and password sync failure

Neural Engine Root Cause Analysis

The primary domain controller DC-01 is experiencing Active Directory replication failure due to lingering objects (Event ID 2042) and access denied errors (8453). Lingering objects are tombstoned AD objects that should have been garbage collected but remain in the database, causing replication conflicts. The access denied error suggests authentication/authorization issues between domain controllers, possibly due to Kerberos ticket problems, time synchronization issues, or corrupted trust relationships. This has cascaded to affect 12 other systems dependent on AD services.

Remediation Plan

1. Verify time synchronization between DC-01 and DC-02 using 'w32tm /query /status'
2. Check DNS resolution and network connectivity between DCs
3. Run 'repadmin /removelingeringobjects' to clean lingering objects from both DCs
4. Reset secure channel between DCs using 'netdom resetpwd'
5. Force replication sync with 'repadmin /syncall /AdeP'
6. Monitor Event Logs for replication success
7. If issues persist, perform authoritative restore or metadata cleanup of failed DC

Tested: 2026-03-30 | Monitors: 2 | Incidents: 2 | Test ID: cmncjidsc01quobqe56uq2ve5