Last night I came across a problem with AD that I have never seen before. Normally, Active Directory Domain Services is an extremely robust application that keeps working even when best practices are not followed or it is misconfigured. However, I promoted a new domain controller and was surprised to see that it was not able to replicate with any other DCs.
Everything appeared to be configured properly. This seemed like the millionth domain controller I’ve created throughout my career, so I was accustomed to the process.
When clicking “Check Replication Topology” within Sites and Services, I received this error:
The active Directory property cannot be found in the cache
The problem was caused by a missing CNAME record in the _msdcs.<domain name>.<tld> forward lookup zone:
When a domain controller registers its name with another DNS server, it needs to create a CNAME record in this zone, which is then used by other domain controllers to locate replication partners. This is what the zone looks like normally:
There should be a CNAME record for each domain controller, mapping the DSA GUID to the FQDN of the domain controller. The newly promoted domain controller did not automatically create this CNAME record. After manually creating it, and waiting a little while, I was able to replicate all partitions throughout the domain.
To create this record, first obtain the DSA GUID. Open a cmd prompt on the problematic domain controller and type in:
Then open DNS on another (working) domain controller and create a CNAME record in the _msdcs.<domain name>.<tld> forward lookup zone.
Also verify that the new domain controller is listed as a name server for the zone.
Just wait a little while, and then try to replicate all partitions.
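As an added example (not from the original post), the following PowerShell script audits the DSA GUID CNAME record of every domain controller in the _msdcs zone and, with -Repair, creates any missing record the same way the post does by hand. It assumes the RSAT ActiveDirectory, DnsClient and DnsServer modules are installed, that the account has write rights on the zone, and that the DC CNAMEs live under _msdcs.<forest root domain>.

```powershell
# Added example, not code from the original post. Audits and optionally repairs
# the <DSA GUID>._msdcs.<forest root> CNAME records the post describes.
# Assumptions: ActiveDirectory, DnsClient and DnsServer modules are present;
# the caller may write to the zone; names are discovered at run time.
param(
    [switch]$Repair,             # create missing records instead of only reporting
    [string]$DnsServer = $null   # DNS server to query/write; defaults to the PDC emulator
)
Import-Module ActiveDirectory

$forest = Get-ADForest
$zone   = "_msdcs.$($forest.RootDomain)"   # DC CNAMEs for the whole forest live here
if (-not $DnsServer) { $DnsServer = (Get-ADDomain).PDCEmulator }

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    # The DSA GUID is the objectGUID of the DC's NTDS Settings object,
    # not the InvocationId that Get-ADDomainController also exposes.
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
    $name = $ntds.objectGUID.Guid
    $fqdn = "$name.$zone"

    $answer = Resolve-DnsName -Name $fqdn -Type CNAME -Server $DnsServer -ErrorAction SilentlyContinue
    $target = ($answer | Where-Object QueryType -eq 'CNAME').NameHost

    $status = if (-not $target) { 'Missing' }
              elseif ($target.TrimEnd('.') -ine $dc.HostName) { 'WrongTarget' }
              else { 'OK' }

    if ($status -eq 'Missing' -and $Repair) {
        # Same record the post creates manually: <DSA GUID> -> <DC FQDN>
        Add-DnsServerResourceRecordCName -ZoneName $zone -Name $name `
            -HostNameAlias $dc.HostName -ComputerName $DnsServer
        $status = 'Created'
    }

    [pscustomobject]@{ DC = $dc.HostName; DsaGuid = $name; Target = $target; Status = $status }
}

$results | Format-Table -AutoSize

# The post also says to verify the new DC is listed as a name server for the zone.
$ns = (Resolve-DnsName -Name $zone -Type NS -Server $DnsServer).NameHost | ForEach-Object { $_.TrimEnd('.') }
$results | Where-Object { $ns -notcontains $_.DC } |
    ForEach-Object { Write-Warning "$($_.DC) is not listed as an NS for $zone" }
```

Run it once without -Repair to see which DCs report Missing or WrongTarget, then with -Repair on a DC that holds a writable copy of the zone.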