Event ID: 1864 Source: NTDS Replication

This is the replication status for the following directory partition on the local domain controller.

Directory partition: CN=Schema,CN=Configuration,DC=uu,DC=local

The local domain controller has not recently received replication information from a number of domain controllers. The count of domain controllers is shown, divided into the following intervals.

More than 24 hours: <value>
More than a week: <value>
More than one month: <value>
More than two months: <value>
More than a tombstone lifetime: <value>
Tombstone lifetime (days): 60

Domain controllers that do not replicate in a timely manner may encounter errors. It may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.

To identify the domain controllers by name, install the support tools included on the installation CD and run dcdiag.exe. You can also use the support tool repadmin.exe to display the replication latencies of the domain controllers in the forest. The command is "repadmin /showvector /latency <partition-dn>".
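For triaging these events in bulk, the following is an added example (not part of the original page or of any Microsoft tool) that parses the Event ID 1864 description into per-interval counts and ranks it. The function name, the severity labels, the sample counts and the `Directory Service` log name in the closing comment are assumptions.

```powershell
# Added example; function name, severity labels and sample counts are assumptions.
function ConvertFrom-Event1864Message {
    param([Parameter(Mandatory)][string]$Message)
    # Interval labels as they appear in the event description.
    $labels = [ordered]@{
        'More than 24 hours'             = 'Over24Hours'
        'More than a week'               = 'OverOneWeek'
        'More than one month'            = 'OverOneMonth'
        'More than two months'           = 'OverTwoMonths'
        'More than a tombstone lifetime' = 'OverTombstone'
    }
    $result = [ordered]@{ Partition = $null; TombstoneDays = $null }
    if ($Message -match '(?m)^\s*Directory partition:\s*(\S.*?)\s*$') {
        $result['Partition'] = $Matches[1]
    }
    if ($Message -match '(?m)^\s*Tombstone lifetime \(days\):\s*(\d+)') {
        $result['TombstoneDays'] = [int]$Matches[1]
    }
    foreach ($label in $labels.Keys) {
        $pattern = '(?m)^\s*' + [regex]::Escape($label) + ':\s*(\d+)'
        $count = $null   # stays $null when the line is missing or not numeric
        if ($Message -match $pattern) { $count = [int]$Matches[1] }
        $result[$labels[$label]] = $count
    }
    # A DC past the tombstone lifetime may have missed deletions and can be
    # blocked from replication, so that bucket outranks the shorter ones.
    $late = @($labels.Values | Where-Object { $result[$_] -gt 0 })
    $result['Severity'] = 'OK'
    if ($late.Count -gt 0) { $result['Severity'] = 'Warning' }
    if ($result['OverTombstone'] -gt 0) { $result['Severity'] = 'Critical' }
    [pscustomobject]$result
}

# Constructed sample: the page's event text with made-up counts in place of <value>.
$sample = @'
Directory partition: CN=Schema,CN=Configuration,DC=uu,DC=local

More than 24 hours: 2
More than a week: 1
More than one month: 1
More than two months: 1
More than a tombstone lifetime: 1
Tombstone lifetime (days): 60
'@
ConvertFrom-Event1864Message -Message $sample

# On a domain controller (log name assumed to be 'Directory Service'):
# Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1864 } |
#     ForEach-Object { ConvertFrom-Event1864Message -Message $_.Message }
```

The event reports only counts, so the domain controllers themselves still have to be named with dcdiag.exe or repadmin.exe as the event text describes.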
I found the non-replicating items by using the tool "ADFIND". See EV100064 for more information.
In our case, AD replication was not working between 2 DCs in one site. After a lot of troubleshooting, the issue got resolved by installing the update in ME948496. This update turns off default SNP features that were changed with SP2.
See this link to "It has been too long since this machine replicated" for instructions on how to re-initiate NTDS replication after the tombstone time period has passed.
See ME899148 if you have installed Service Pack 1 for Windows Server 2003.
From a newsgroup post: "This error can occur if the DC has been offline for more than 60 days, has not replicated with another DC for more than 60 days or if the time on your servers is not set correctly. This server has therefore passed the tombstone lifetime of 60 days and will need to be reinstalled. You should try running dcpromo with the /forceremoval switch and then do a metadata cleanup on AD to remove all traces of that DC. Once this is done, it can be re-promoted if desired. See ME216993 for details on the Active Directory backup useful life.
See ME332199 for details on running the “dcpromo /forceremoval” command.
See ME216498 for details on how to remove data in Active Directory after an unsuccessful domain controller demotion".
