Solved

Active Directory Replication question

Posted on 2013-01-22
Last Modified: 2013-01-22
Every now and then I'll run a repadmin /showreps to see how our replication is doing on our DCs. This last time I did it, I got this error at the end of the log.

DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

Every one of my DCs that had Windows 2008 Server installed had this, whereas my Windows 2003 DCs didn't. I also ran a repadmin /replsummary and got this:

Source DSA          largest delta    fails/total %%   error
 ENG-DC1                   21m:22s    0 /  18    0
 ENG-DC2                   14m:54s    0 /  17    0
 ENG-DCA                   14m:54s    0 /  18    0
 RTC-ENG-DCA               21m:22s    0 /  17    0

Destination DSA     largest delta    fails/total %%   error
 ENG-DC1                   13m:40s    0 /  19    0
 ENG-DC2                   13m:28s    0 /  15    0
 ENG-DCA                   02m:23s    0 /  19    0
 RTC-ENG-DCA               29m:54s    0 /  15    0

The other three DCs had similar results of no fails or errors in their /replsummary log.
 
I did some googling on the "Replication access was denied" message and it sent me down the path to verify if my USN numbers matched up to see if I had a USN rollback. I've attached a screen capture of my 4 domain controllers and how they matched up with each other. I compared them all against the DC in the middle, and highlighted in red the discrepancies.

USN discrepancies between DCs
I'm at a loss for what to do at this point, the summary showed no errors, but clearly there's a discrepancy between the domain controllers on the USN numbers.

We have about 10 users added and close to that number disabled or removed every day, I have backups for each DC, but I don't know which ones I should restore or if I should restore at all. The other option that was stated if I had a rollback occur was to demote then re-promote all my DCs.

Any suggestions down which path I should go?
0
Question by:labops
7 Comments
 
LVL 16

Expert Comment

by:Chris H
ID: 38806316
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 38806353
What events are you seeing in your log?  Did you see this article?

http://support.microsoft.com/kb/2022387

Are these DCs in the same site or different sites?  The largest delta denotes the longest replication gap amongst all replication links for a particular domain controller.  If they are in different sites that is not horrible, and no fails is a good thing.

Thanks

Mike
0
 
LVL 2

Author Comment

by:labops
ID: 38806408
Hi Mike,

They are indeed in different sites, I just didn't know if the size of the delta was something to be concerned with. I'll look through the link you provided to do some more testing.
0

 
LVL 57

Expert Comment

by:Mike Kline
ID: 38806419
Also look at the repadmin whitepaper:

http://www.microsoft.com/en-us/download/details.aspx?id=9028

Notice their deltas in the screenshots.

Thanks

Mike
0
 
LVL 2

Author Comment

by:labops
ID: 38806445
Mike,

Using your link, I started down the path of checking with dcdiag, I got some errors pointing to the same problem, so I searched for that string in google. The result that I got on the first try said "run your command prompt with elevated privileges and try again"

I did and didn't get a single error.

This is me smacking my forehead, how many times has not running the cmd prompt in elevated mode bit me.

Thanks for getting me on the right track.
0
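The check this thread arrives at, as an added example that is not from any of the posters: before treating status 8453 as a replication fault, confirm the shell is elevated, and separately look at the fails column of /replsummary. The function names are hypothetical, and the sample lines are copied from the output quoted in the question.

```powershell
function Test-IsElevated {
    # Under UAC a non-elevated shell holds the Administrators group as
    # deny-only, so IsInRole returns $false even for a domain admin.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ReplTriage {
    param([string[]]$Lines)
    # Status 8453 means the query for replication info was refused.
    $denied  = @($Lines | Where-Object { $_ -match 'failed with status 8453' }).Count
    $failing = @()
    foreach ($l in $Lines) {
        # /replsummary row: " ENG-DC1   21m:22s    0 /  18    0"
        if ($l -match '^\s*(\S+)\s+\S+\s+(\d+)\s*/\s*(\d+)\s+\d+') {
            # A DC appears in both the source and destination tables; list it once.
            if ([int]$Matches[2] -gt 0 -and $failing -notcontains $Matches[1]) {
                $failing += $Matches[1]
            }
        }
    }
    New-Object PSObject -Property @{ AccessDeniedCount = $denied; FailingDCs = $failing }
}

# Sample input: lines taken from the output quoted in the question.
$sample = @(
    'DsReplicaGetInfo() failed with status 8453 (0x2105):',
    '    Replication access was denied.',
    'Source DSA          largest delta    fails/total %%   error',
    ' ENG-DC1                   21m:22s    0 /  18    0',
    ' RTC-ENG-DCA               21m:22s    0 /  17    0'
)

$t = Get-ReplTriage -Lines $sample
if ($t.AccessDeniedCount -gt 0 -and -not (Test-IsElevated)) {
    'Status 8453 from a non-elevated shell: re-run repadmin elevated before investigating further.'
} elseif ($t.FailingDCs.Count -gt 0) {
    "Replication failures reported for: $($t.FailingDCs -join ', ')"
} else {
    'No failed replication links in the supplied output.'
}
```

To use it on live data, replace `$sample` with the captured output of `repadmin /showreps` and `repadmin /replsummary` from the same session.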
 
LVL 2

Author Comment

by:labops
ID: 38806765
I've requested that this question be closed as follows:

Accepted answer: 500 points for mkline71's comment #a38806353
Assisted answer: 0 points for labops's comment #a38806445

for the following reason:

Always remember to run your cmd in elevated privileges.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38806759
excellent, glad you are good to go...clean replication :)
0
