Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Repadmin /syncall generates a 8453 (0x2105) Error and Fails on replication

Posted on 2008-10-10
7
Medium Priority
?
28,995 Views
Last Modified: 2012-08-14
I created a brand new Windows 2008 Enterprise Domain in a VM Environment with all the latest patches. After promoting the Second DC - I started noticing that servers that were joining the domain would not appear in Users and Computers.  I checked the following:

1. TimeSync with NTP (There was a time issue but it is now resolved - all are sync'ing with nist.gov)
2. DNS has valid entries in the domain in the _msdcs folder
3. Ran repadmin to trouble shoot and saw the following:
 for /syncall run -
CALLBACK MESSAGE: The following replication is in progress:
    From: 26a54e69-1984-4e95-9491-f423da334a8d._msdcs.lss.company.com
    To  : 6068dd17-a0fb-4a57-819a-01d8022ddb55._msdcs.lss.company.com
CALLBACK MESSAGE: Error issuing replication: 8453 (0x2105):
    Replication access was denied.
    From: 26a54e69-1984-4e95-9491-f423da334a8d._msdcs.lss.company.com
    To  : 6068dd17-a0fb-4a57-819a-01d8022ddb55._msdcs.lss.company.com
CALLBACK MESSAGE: SyncAll Finished.

SyncAll reported the following errors:
Error issuing replication: 8453 (0x2105):
    Replication access was denied.
    From: 26a54e69-1984-4e95-9491-f423da334a8d._msdcs.lss.company.com
    To  : 6068dd17-a0fb-4a57-819a-01d8022ddb55._msdcs.lss.company.com

for a /showreps -

C:\Users\swalsh>repadmin /showreps
Default-First-Site-Name\AVAMAR252
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 6068dd17-a0fb-4a57-819a-01d8022ddb55
DSA invocationID: 6068dd17-a0fb-4a57-819a-01d8022ddb55

==== INBOUND NEIGHBORS ======================================

DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 15:04:00 was successful.

CN=Configuration,DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 14:56:54 was successful.

CN=Schema,CN=Configuration,DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 14:56:54 was successful.

DC=DomainDnsZones,DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 14:56:54 was successful.

DC=ForestDnsZones,DC=lss,DC=company,DC=com
    Default-First-Site-Name\AVAMAR253 via RPC
        DSA object GUID: 26a54e69-1984-4e95-9491-f423da334a8d
        Last attempt @ 2008-10-10 14:56:54 was successful.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

There is also an 4013 error in DNS that I don't know how to fix and there is no info on Microsoft's site that I have found:
Event Type:      Warning
Event Source:      DNS
Event Category:      None
Event ID:      4013
Date:            10/10/2008
Time:            2:27:14 PM
User:            N/A
Computer:      AVAMAR252.lss.company.com
Description:
The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I am unsure if these are interrelated. Any guidance greatly appreciated.

- Steve
0
Comment
Question by:walsh_stephen
7 Comments
 
LVL 12

Accepted Solution

by:
Gideon7 earned 2000 total points
ID: 22690097
The 4013 error is a deadlock problem that is often seen when booting a new DC for the first time that has integrated DNS zones.  DNS is waiting on AD, which is waiting on DNS, which is waiting on AD, which is waiting on DNS, etc.  A chicken-and-egg problem.  For details see http://utools.com/help/dns.asp#integrated.  The solution is to be patient and wait 30-90 minutes.  Eventually AD will recognize the deadlock and proceed anyway without DNS.  Then DNS will come up.

The 2nd DC is somehow confused.  You mentioned possible clock problems.  The shared secret may have timed out, or was not negotiated correctly.  Once DNS is unblocked, I suggest demoting and repromoting the second DC (via DCPROMO.EXE).  This will ensure that the shared secret is correct.  It will probably be faster for you to just demote/promote, rather than to spend hours trying to figure out the original problem.
0
 
LVL 12

Assisted Solution

by:Gideon7
Gideon7 earned 2000 total points
ID: 22690121
Use DCPROMO /FORCEREMOVAL.  Then remove the 2nd DC's metadata from the main DC, per http://support.microsoft.com/kb/332199.  Finally promote again.
0
 

Author Comment

by:walsh_stephen
ID: 22690193
So I need to wait the 60-90m before doing the DCPROMO /forceremoval ? How do I know DNS is unblocked ?
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 12

Assisted Solution

by:Gideon7
Gideon7 earned 2000 total points
ID: 22690597
Look at the event logs for DNS and Directory Services.
0
 

Author Closing Comment

by:walsh_stephen
ID: 31505153
Still had randon SID Corruption across the DC's. Ended up rebuilding but this was great info in triage. Thanks
0
 

Expert Comment

by:cntboys
ID: 33510067
This happens when you do a repadmin /syncall without an enterprise account.
0
 
LVL 3

Expert Comment

by:Akulsh
ID: 36299132
You must be Enterprise Admin to force replication to remote domains and subdomains.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For anyone that has accidentally used newSID with Server 2008 R2 (like I did) and hasn't been able to get the server running again because you were unlucky (as I was) and had no backups - I was able to get things working by doing a Registry Hive rec…
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question