Solved

Repadmin /syncall generates a 8453 (0x2105) Error and Fails on replication

Posted on 2008-10-10
7
26,089 Views
Last Modified: 2012-08-14
I created a brand new Windows 2008 Enterprise Domain in a VM Environment with all the latest patches. After promoting the Second DC - I started noticing that servers that were joining the domain would not appear in Users and Computers.  I checked the following:

1. TimeSync with NTP (There was a time issue but it is now resolved - all are sync'ing with nist.gov)
2. DNS has valid entries in the domain in the _msdcs folder
3. Ran repadmin to trouble shoot and saw the following:
 for /syncall run -
CALLBACK MESSAGE: The following replication is in progress:
    From: 26a54e69-1984-4e95-9491-f423da334a8d._msdcs.lss.company.com
    To  : 6068dd17-a0fb-4a57-819a-01d8022ddb55._msdcs.lss.company.com
CALLBACK MESSAGE: Error issuing replication: 8453 (0x2105):
    Replication access was denied.
    From: 26a54e69-1984-4e95-9491-f423da334a8d._msdcs.lss.company.com
    To  : 6068dd17-a0fb-4a57-819a-01d8022ddb55._msdcs.lss.company.com
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error issuing replication: 8453 (0x2105):
    Replication access was denied.
    From: 26a54e69-1984-4e95-9491-f423da334a8d._msdcs.lss.company.com
    To  : 6068dd17-a0fb-4a57-819a-01d8022ddb55._msdcs.lss.company.com

for a /showreps -

C:\Users\swalsh>repadmin /showreps
Default-First-Site-Name\AVAMAR252
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 6068dd17-a0fb-4a57-819a-01d8022ddb55
DSA invocationID: 6068dd17-a0fb-4a57-819a-01d8022ddb55

==== INBOUND NEIGHBORS ======================================

DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 15:04:00 was successful.

CN=Configuration,DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 14:56:54 was successful.

CN=Schema,CN=Configuration,DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 14:56:54 was successful.

DC=DomainDnsZones,DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 14:56:54 was successful.

DC=ForestDnsZones,DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 14:56:54 was successful.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

There is also an 4013 error in DNS that I don't know how to fix and there is no info on Microsoft's site that I have found:
Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      4013
Date:            10/10/2008
Time:            2:27:14 PM
User:            N/A
Computer:      AVAMAR252.lss.company.com
Description:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I am unsure if these are interrelated. Any guidance greatly appreciated.

- Steve
0
Comment
Question by:walsh_stephen
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 12

Accepted Solution

by:
Gideon7 earned 500 total points
ID: 22690097
The 4013 error is a deadlock problem that is often seen when booting a new DC for the first time that has integrated DNS zones.  DNS is waiting on AD, which is waiting on DNS, which is waiting on AD, which is waiting on DNS, etc.  A chicken-and-egg problem.  For details see http://utools.com/help/dns.asp#integrated.  The solution is to be patient and wait 30-90 minutes.  Eventually AD will recognize the deadlock and proceed anyway without DNS.  Then DNS will come up.

The 2nd DC is somehow confused.  You mentioned possible clock problems.  The shared secret may have timed out, or was not negotiated correctly.  Once DNS is unblocked, I suggest demoting and repromoting the second DC (via DCPROMO.EXE).  This will ensure that the shared secret is correct.  It will probably be faster for you to just demote/promote, rather than to spend hours trying to figure out the original problem.
0
 
LVL 12

Assisted Solution

by:Gideon7
Gideon7 earned 500 total points
ID: 22690121
Use DCPROMO /FORCEREMOVAL.  Then remove the 2nd DC's metadata from the main DC, per http://support.microsoft.com/kb/332199.  Finally promote again.
0
 

Author Comment

by:walsh_stephen
ID: 22690193
So I need to wait the 60-90m before doing the DCPROMO /forceremoval ? How do I know DNS is unblocked ?
0
Ransomware: The New Cyber Threat & How to Stop It

This infographic explains ransomware, type of malware that blocks access to your files or your systems and holds them hostage until a ransom is paid. It also examines the different types of ransomware and explains what you can do to thwart this sinister online threat.  

 
LVL 12

Assisted Solution

by:Gideon7
Gideon7 earned 500 total points
ID: 22690597
Look at the event logs for DNS and Directory Services.
0
 

Author Closing Comment

by:walsh_stephen
ID: 31505153
Still had randon SID Corruption across the DC's. Ended up rebuilding but this was great info in triage. Thanks
0
 

Expert Comment

by:cntboys
ID: 33510067
This happens when you do a repadmin /syncall without an enterprise account.
0
 
LVL 3

Expert Comment

by:Akulsh
ID: 36299132
You must be Enterprise Admin to force replication to remote domains and subdomains.
0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…

696 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question