Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Repadmin /syncall generates a 8453 (0x2105) Error and Fails on replication

Posted on 2008-10-10
7
Medium Priority
?
28,280 Views
Last Modified: 2012-08-14
I created a brand new Windows 2008 Enterprise Domain in a VM Environment with all the latest patches. After promoting the Second DC - I started noticing that servers that were joining the domain would not appear in Users and Computers.  I checked the following:

1. TimeSync with NTP (There was a time issue but it is now resolved - all are sync'ing with nist.gov)
2. DNS has valid entries in the domain in the _msdcs folder
3. Ran repadmin to trouble shoot and saw the following:
 for /syncall run -
CALLBACK MESSAGE: The following replication is in progress:
    From: 26a54e69-1984-4e95-9491-f423da334a8d._msdcs.lss.company.com
    To  : 6068dd17-a0fb-4a57-819a-01d8022ddb55._msdcs.lss.company.com
CALLBACK MESSAGE: Error issuing replication: 8453 (0x2105):
    Replication access was denied.
    From: 26a54e69-1984-4e95-9491-f423da334a8d._msdcs.lss.company.com
    To  : 6068dd17-a0fb-4a57-819a-01d8022ddb55._msdcs.lss.company.com
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error issuing replication: 8453 (0x2105):
    Replication access was denied.
    From: 26a54e69-1984-4e95-9491-f423da334a8d._msdcs.lss.company.com
    To  : 6068dd17-a0fb-4a57-819a-01d8022ddb55._msdcs.lss.company.com

for a /showreps -

C:\Users\swalsh>repadmin /showreps
Default-First-Site-Name\AVAMAR252
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 6068dd17-a0fb-4a57-819a-01d8022ddb55
DSA invocationID: 6068dd17-a0fb-4a57-819a-01d8022ddb55

==== INBOUND NEIGHBORS ======================================

DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 15:04:00 was successful.

CN=Configuration,DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 14:56:54 was successful.

CN=Schema,CN=Configuration,DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 14:56:54 was successful.

DC=DomainDnsZones,DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 14:56:54 was successful.

DC=ForestDnsZones,DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 14:56:54 was successful.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

There is also an 4013 error in DNS that I don't know how to fix and there is no info on Microsoft's site that I have found:
Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      4013
Date:            10/10/2008
Time:            2:27:14 PM
User:            N/A
Computer:      AVAMAR252.lss.company.com
Description:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I am unsure if these are interrelated. Any guidance greatly appreciated.

- Steve
0
Comment
Question by:walsh_stephen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 12

Accepted Solution

by:
Gideon7 earned 2000 total points
ID: 22690097
The 4013 error is a deadlock problem that is often seen when booting a new DC for the first time that has integrated DNS zones.  DNS is waiting on AD, which is waiting on DNS, which is waiting on AD, which is waiting on DNS, etc.  A chicken-and-egg problem.  For details see http://utools.com/help/dns.asp#integrated.  The solution is to be patient and wait 30-90 minutes.  Eventually AD will recognize the deadlock and proceed anyway without DNS.  Then DNS will come up.

The 2nd DC is somehow confused.  You mentioned possible clock problems.  The shared secret may have timed out, or was not negotiated correctly.  Once DNS is unblocked, I suggest demoting and repromoting the second DC (via DCPROMO.EXE).  This will ensure that the shared secret is correct.  It will probably be faster for you to just demote/promote, rather than to spend hours trying to figure out the original problem.
0
 
LVL 12

Assisted Solution

by:Gideon7
Gideon7 earned 2000 total points
ID: 22690121
Use DCPROMO /FORCEREMOVAL.  Then remove the 2nd DC's metadata from the main DC, per http://support.microsoft.com/kb/332199.  Finally promote again.
0
 

Author Comment

by:walsh_stephen
ID: 22690193
So I need to wait the 60-90m before doing the DCPROMO /forceremoval ? How do I know DNS is unblocked ?
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 12

Assisted Solution

by:Gideon7
Gideon7 earned 2000 total points
ID: 22690597
Look at the event logs for DNS and Directory Services.
0
 

Author Closing Comment

by:walsh_stephen
ID: 31505153
Still had randon SID Corruption across the DC's. Ended up rebuilding but this was great info in triage. Thanks
0
 

Expert Comment

by:cntboys
ID: 33510067
This happens when you do a repadmin /syncall without an enterprise account.
0
 
LVL 3

Expert Comment

by:Akulsh
ID: 36299132
You must be Enterprise Admin to force replication to remote domains and subdomains.
0

Featured Post

Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
This tutorial will walk an individual through locating and launching the BEUtility application to properly change the service account username and\or password in situation where it may be necessary or where the password has been inadvertently change…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

670 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question