Solved

Active Directory Replication question

Posted on 2013-01-22
8
1,457 Views
Last Modified: 2013-01-22
Every now and then I'll run a repadmin /showreps to see how our replication is doing on our DCs. This last time I did it, I got this error at the end of the log.

DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
    Replication access was denied.

Every one of my dc's that had windows 2008 server installed had this, whereas my windows 2003 dc's didn't. I also ran a repadmin /replsummary and got this

Source DSA          largest delta    fails/total %%   error
 ENG-DC1                   21m:22s    0 /  18    0
 ENG-DC2                   14m:54s    0 /  17    0
 ENG-DCA                   14m:54s    0 /  18    0
 RTC-ENG-DCA               21m:22s    0 /  17    0

Destination DSA     largest delta    fails/total %%   error
 ENG-DC1                   13m:40s    0 /  19    0
 ENG-DC2                   13m:28s    0 /  15    0
 ENG-DCA                   02m:23s    0 /  19    0
 RTC-ENG-DCA               29m:54s    0 /  15    0

The other three DC's had similar results of no fails or errors in their /replsummary log.
 
I did some googling on the "Replication access was denied" message and it sent me down the path to verify if my USN numbers matched up to see if I had a USN rollback. I've attached a screen capture of my 4 domain controllers and how they matched up with each other. I compared them all against the DC in the middle, and highlighted in red the discrepancies.

USN discrepancies between DCs
I'm at a loss for what to do at this point, the summary showed no errors, but clearly there's a discrepancy between the domain controllers on the USN numbers.

We have about 10 users added and close to that number disabled or removed every day, I have backups for each DC, but I don't know which ones I should restore or if I should restore at all. The other option that was stated if I had a rollback occur was to demote then re-promote all my DCs.

Any suggestions down which path I should go?
0
Comment
Question by:labops
  • 3
  • 3
8 Comments
 
LVL 16

Expert Comment

by:choward16980
ID: 38806316
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 38806353
What events are you seeing in your log?  Did you see this article

http://support.microsoft.com/kb/2022387

Are these DCs in the same site or different site?  The largest delta denotes the longest replication gap amongst all replication links for a particular domain controller.   If they are in different sites that is not horrible and no fails is a good thing

Thanks

Mike
0
 
LVL 2

Author Comment

by:labops
ID: 38806408
Hi Mike,

They are indeed in different sites, I just didn't know if the size of the delta was something to be concerned with. I'll look through the link you provided to do some more testing.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 38806419
also look at the repadmin whitepaper

http://www.microsoft.com/en-us/download/details.aspx?id=9028

notice their deltas in the screenshots.

Thanks

Mike
0
 
LVL 2

Author Comment

by:labops
ID: 38806445
Mike,

Using your link, I started down the path of checking with dcdiag, I got some errors pointing to the same problem, so I searched for that string in google. The result that I got on the first try said "run your command prompt with elevated privileges and try again"

I did and didn't get a single error.

This is me smacking my forehead, how many times has not running the cmd prompt in elevated mode bit me.

Thanks for getting me on the right track.
0
 
LVL 2

Author Comment

by:labops
ID: 38806765
I've requested that this question be closed as follows:

Accepted answer: 500 points for mkline71's comment #a38806353
Assisted answer: 0 points for labops's comment #a38806445

for the following reason:

Always remember to run your cmd in elevated privileges.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 38806759
excellent, glad you are good to go...clean replication :)
0

Featured Post

Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

You might have come across a situation when you have Exchange 2013 server in two different sites (Production and DR). After adding the Database copy in ECP console it displays Database copy status unknown for the DR exchange server. Issue is strange…
In this article, I am going to show you how to simulate a multi-site Lab environment on a single Hyper-V host. I use this method successfully in my own lab to simulate three fully routed global AD Sites on a Windows 10 Hyper-V host.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now