Replication Issue (Maybe)?

Hello Experts,

Following is a brief description of my Active Directory environment:
- My Active Directory has two sites, our primary site and a remote site. In each site there are two domain controllers. Our primary site has the following domain controllers: DC2 and DC4. Our secondary site has the following domain controllers: DC1 and DC2.
- DC1 and DC2 are running Windows Server 2008.
- DC3 and DC4 are running Windows Server 2008.

Over this last weekend our remote site experienced some downtime (several hours due to power issues at the site).  When power was restored and the domain controllers in the remote site were brought back online, replication was tested by creating a user account on DC 2, forcing replication using Active Directory Sites and Services and verifying the account was replicated over to DC1 and 3.  The account replicated as expected and it appeared we were good to go.

This morning I was doing some work on DC1 and wanted to force replication.  To force replication, I ran the following command with elevated rights:  repadmin /syncall /APeD.  I received the following errors:
            SyncAll reported the following errors:
            Error issuing replication: 8453 (0x2105):
                  Replication access was denied.
                  From: 1850a3f9-f6d6-4159-9e8c-7ee884e3d426._msdcs.myorg.com
                  To  : b6b357c0-4487-4448-a97a-66b4595c642d._msdcs.myorg.com
            Error issuing replication: 8453 (0x2105):
                  Replication access was denied.
                  From: b6b357c0-4487-4448-a97a-66b4595c642d._msdcs.myorg.com
                  To  : 75740dd1-3e87-4c14-8340-f1495c02ac2e._msdcs.myorg.com

I ran the same replication command on DC2 and received the following:
            SyncAll reported the following errors:
            Error issuing replication: 8453 (0x2105):
                  Replication access was denied.
                  From: 7a88d3de-9e0a-4810-819c-a79dc77e77e4._msdcs.myorg.com
                  To  : 75740dd1-3e87-4c14-8340-f1495c02ac2e._msdcs.myorg.com
            Error issuing replication: 8453 (0x2105):
                  Replication access was denied.
                  From: 75740dd1-3e87-4c14-8340-f1495c02ac2e._msdcs.myorg.com
                  To  : b6b357c0-4487-4448-a97a-66b4595c642d._msdcs.myorg.com

I ran the same replication command from DC3 and DC4 and did not receive any errors.

In researching the error, there were several posts stating to run the command from an administrative command prompt.  I was already doing that but reran the command after ensuring I was running as admin and got the same results.

I found several posts that recommended running dcdiag /q.  I ran that on both DC1 and DC2 and nothing was displayed.

I ran the following command on DC1 and DC2 and saw no errors:  repadmin /showrepl

I guess my questions are:
1. Do I really have a problem?  How can I tell?

Any help would be greatly appreciated.
ndalmolin_13 Asked:

Cliff Galiher Commented:
Even without the dcdiag results, my gut reaction was that "access denied" would point to an issue with the account you were attempting to run the command under. Then I read that dcdiag is coming back clean. If that's true across all servers then you are very very likely fine as far as replication. You may have an account permissions issue. But that wouldn't impact replication.
Dustin Saunders, Director of Operations, Commented:
Microsoft Support has a detailed article on this:
https://support.microsoft.com/en-us/help/2022387/active-directory-replication-error-8453-replication-access-was-denied

One of the common 'gotchas' is if the time sync has drifted too far off.  Otherwise:

Run DCDIAG on the destination DC that's reporting the 8453 error or event.
Run DCDIAG on the source domain controller on which the destination domain controller is reporting that the 8453 error or event is occurring.
Run DCDIAG /test:CheckSecurityError on the destination domain controller.
Run DCDIAG /test:CheckSecurityError on the source DC.

Should help you find the source of the problem.  You may need to trust an account for delegation.

Full details are in the article referenced.
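
The DCDIAG steps above, applied to the From/To pairs in the question's repadmin output, as an added example that is not part of the original thread or of the Microsoft article. `Get-SyncAllError` is a hypothetical helper name, and the sample text is constructed from the errors quoted in the question.

```powershell
# Constructed from the output quoted in the question. On a DC, use instead:
#   $lines = repadmin /syncall /APeD
$sample = @'
SyncAll reported the following errors:
Error issuing replication: 8453 (0x2105):
      Replication access was denied.
      From: 1850a3f9-f6d6-4159-9e8c-7ee884e3d426._msdcs.myorg.com
      To  : b6b357c0-4487-4448-a97a-66b4595c642d._msdcs.myorg.com
Error issuing replication: 8453 (0x2105):
      Replication access was denied.
      From: b6b357c0-4487-4448-a97a-66b4595c642d._msdcs.myorg.com
      To  : 75740dd1-3e87-4c14-8340-f1495c02ac2e._msdcs.myorg.com
'@
$lines = $sample -split "`r?`n"

# Hypothetical helper: one object per "Error issuing replication" block.
function Get-SyncAllError {
    param([string[]]$Lines)
    $code = $null; $from = $null
    foreach ($line in $Lines) {
        if ($line -match 'Error issuing replication:\s*(\d+)') {
            $code = $Matches[1]; $from = $null
        } elseif ($line -match '^\s*From\s*:\s*(\S+)') {
            $from = $Matches[1]
        } elseif (($line -match '^\s*To\s*:\s*(\S+)') -and $code -and $from) {
            New-Object PSObject -Property @{
                Code = $code; Source = $from; Destination = $Matches[1] }
            $code = $null; $from = $null
        }
    }
}

$pairs = @(Get-SyncAllError -Lines $lines | Sort-Object Source, Destination -Unique)
$pairs | Format-Table Code, Source, Destination -AutoSize

# Every DC named in a failing pair gets the CheckSecurityError test.
$aliases = @($pairs | ForEach-Object { $_.Source; $_.Destination } | Sort-Object -Unique)
foreach ($alias in $aliases) {
    # The GUID-based name is a DNS alias for the DC; resolve it when DNS is reachable.
    try   { $name = [System.Net.Dns]::GetHostEntry($alias).HostName }
    catch { $name = $alias }
    if (Get-Command dcdiag.exe -ErrorAction SilentlyContinue) {
        & dcdiag.exe "/s:$name" '/test:CheckSecurityError'
    } else {
        "dcdiag /s:$name /test:CheckSecurityError"   # not on a DC: print the command
    }
}
```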

Fibertron, Technical Consultant, Commented:
Does repadmin /replsummary show any fails or is the largest delta time greater than your configured replication interval?  One last thing that I check is sysvol replication, especially after migrating to Server 2008 which is the first year that DFSR can be used in place of FRS for AD replication.  You can update a GPO or create a simple test GPO to test replication of sysvol.
Senior IT System Engineer, Senior Systems Engineer, Commented:
Please execute the below PowerShell script that can be downloaded from: https://gallery.technet.microsoft.com/Active-Directory-Health-3ce0e0ea

It will give you the status of which domain controllers are broken.

Follow this guide for troubleshooting the issue with replication: https://www.itprotoday.com/active-directory/identifying-and-solving-active-directory-replication-problems
ndalmolin_13 (Author) Commented:
Hello All,

I hope everyone had a good holiday.  I have done a repadmin /replsummary and it shows no errors.