Replication Issue (Maybe)?

ndalmolin_13
Hello Experts,

Following is a brief description of my Active Directory environment:
- My Active Directory has two sites, our primary site and a remote site. In each site there are two domain controllers. Our primary site has the following domain controllers: DC2 and DC4. Our secondary site has the following domain controllers: DC1 and DC2.
- DC1 and DC2 are running Windows Server 2008.
- DC3 and DC4 are running Windows Server 2008.

Over this last weekend our remote site experienced some downtime (several hours due to power issues at the site).  When power was restored and the domain controllers in the remote site were brought back online, replication was tested by creating a user account on DC 2, forcing replication using Active Directory Sites and Services and verifying the account was replicated over to DC1 and 3.  The account replicated as expected and it appeared we were good to go.

This morning I was doing some work on DC1 and wanted to force replication.  To force replication, I ran the following command with elevated rights:  repadmin /syncall /APeD.  I received the following errors:
            SyncAll reported the following errors:
            Error issuing replication: 8453 (0x2105):
                  Replication access was denied.
                  From: 1850a3f9-f6d6-4159-9e8c-7ee884e3d426._msdcs.myorg.com
                  To  : b6b357c0-4487-4448-a97a-66b4595c642d._msdcs.myorg.com
            Error issuing replication: 8453 (0x2105):
                  Replication access was denied.
                  From: b6b357c0-4487-4448-a97a-66b4595c642d._msdcs.myorg.com
                  To  : 75740dd1-3e87-4c14-8340-f1495c02ac2e._msdcs.myorg.com

I ran the same replication command on DC2 and received the following:
            SyncAll reported the following errors:
            Error issuing replication: 8453 (0x2105):
                  Replication access was denied.
                  From: 7a88d3de-9e0a-4810-819c-a79dc77e77e4._msdcs.myorg.com
                  To  : 75740dd1-3e87-4c14-8340-f1495c02ac2e._msdcs.myorg.com
            Error issuing replication: 8453 (0x2105):
                  Replication access was denied.
                  From: 75740dd1-3e87-4c14-8340-f1495c02ac2e._msdcs.myorg.com
                  To  : b6b357c0-4487-4448-a97a-66b4595c642d._msdcs.myorg.com

I ran the same replication command from DC3 and DC4 and did not receive any errors.

In researching the error, there were several posts stating to run the command from an administrative command prompt.  I was already doing that but reran the command after ensuring I was running as admin and got the same results.

I found several posts that recommended running dcdiag /q.  I ran that on both DC1 and DC2 and nothing was displayed.

I ran the following command on DC1 and DC2 and saw no errors:  repadmin /showrepl

I guess my questions are:
1. Do I really have a problem?  How can I tell?

Any help would be greatly appreciated.
Distinguished Expert 2018

Commented:
Even without the dcdiag results, my gut reaction was that "access denied" would point to an issue with the account you were attempting to run the command under. Then I read that dcdiag is coming back clean. If that's true across all servers then you are very very likely fine as far as replication. You may have an account permissions issue. But that wouldn't impact replication.
Co-Founder and Chief Architect
Top Expert 2016
Commented:
Microsoft Support has a detailed article on this:
https://support.microsoft.com/en-us/help/2022387/active-directory-replication-error-8453-replication-access-was-denied

One of the common 'gotchas' is if the time sync has drifted too far off.  Otherwise:

Run DCDIAG on the destination DC that's reporting the 8453 error or event.
Run DCDIAG on the source domain controller on which the destination domain controller is reporting that the 8453 error or event is occurring.
Run DCDIAG /test:CheckSecurityError on the destination domain controller.
Run DCDIAG /test:CheckSecurityError on the source DC.

Should help you find the source of the problem.  You may need to trust an account for delegation.

Full details are in the article referenced.
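
The DCDIAG steps above need to know which domain controllers are the source and destination of each 8453 failure. The following is an added example, not part of the thread or of Microsoft's article: it parses the SyncAll error blocks quoted in the question into failing links and lists the `dcdiag /test:CheckSecurityError` runs per DSA. The function names and the `hostnames` mapping (DSA GUID to DC name, which the thread does not give) are assumptions.

```python
import re
from collections import defaultdict
# Sample input: the SyncAll error blocks quoted in the question (DC1 run, then DC2 run).
SYNCALL_OUTPUT = """\
Error issuing replication: 8453 (0x2105):
      Replication access was denied.
      From: 1850a3f9-f6d6-4159-9e8c-7ee884e3d426._msdcs.myorg.com
      To  : b6b357c0-4487-4448-a97a-66b4595c642d._msdcs.myorg.com
Error issuing replication: 8453 (0x2105):
      Replication access was denied.
      From: b6b357c0-4487-4448-a97a-66b4595c642d._msdcs.myorg.com
      To  : 75740dd1-3e87-4c14-8340-f1495c02ac2e._msdcs.myorg.com
Error issuing replication: 8453 (0x2105):
      Replication access was denied.
      From: 7a88d3de-9e0a-4810-819c-a79dc77e77e4._msdcs.myorg.com
      To  : 75740dd1-3e87-4c14-8340-f1495c02ac2e._msdcs.myorg.com
Error issuing replication: 8453 (0x2105):
      Replication access was denied.
      From: 75740dd1-3e87-4c14-8340-f1495c02ac2e._msdcs.myorg.com
      To  : b6b357c0-4487-4448-a97a-66b4595c642d._msdcs.myorg.com
"""

# One error block: code line, message line, then the From/To DSA GUID aliases.
BLOCK_RE = re.compile(
    r"Error issuing replication:[ \t]*(\d+)[ \t]*\(0x[0-9a-f]+\):[ \t]*\r?\n"
    r"[ \t]*(.*?)[ \t]*\r?\n"
    r"[ \t]*From[ \t]*:[ \t]*([0-9a-f-]{36})\._msdcs\.\S+[ \t]*\r?\n"
    r"[ \t]*To[ \t]*:[ \t]*([0-9a-f-]{36})\._msdcs\.\S+", re.IGNORECASE)

def failing_links(text):
    """Unique (error code, source DSA GUID, destination DSA GUID) tuples, sorted."""
    return sorted({(int(code), src.lower(), dst.lower())
                   for code, _msg, src, dst in BLOCK_RE.findall(text)})

def dcdiag_plan(links, hostnames):
    """(guid, roles, command) per DSA; hostnames (GUID -> DC name) is caller-supplied."""
    roles = defaultdict(set)
    for _code, src, dst in links:
        roles[src].add("source")
        roles[dst].add("destination")
    plan = []
    for guid in sorted(roles):
        target = hostnames.get(guid, f"<DC for {guid}>")  # placeholder until resolved
        plan.append((guid, "+".join(sorted(roles[guid])), f"dcdiag /test:CheckSecurityError /s:{target}"))
    return plan

if __name__ == "__main__":
    for row in dcdiag_plan(failing_links(SYNCALL_OUTPUT), {}):
        print(*row, sep="\t")
```

Each `<guid>._msdcs.<forest>` name is a DNS alias for one domain controller, so a CNAME lookup on it gives the host name to put in `hostnames`.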
Fibertron, Technical Consultant

Commented:
Does repadmin /replsummary show any fails or is the largest delta time greater than your configured replication interval?  One last thing that I check is sysvol replication, especially after migrating to Server 2008 which is the first year that DFSR can be used in place of FRS for AD replication.  You can update a GPO or create a simple test GPO to test replication of sysvol.

Commented:
Please execute the below PowerShell script that can be downloaded from: https://gallery.technet.microsoft.com/Active-Directory-Health-3ce0e0ea

It will give you the status of which domain controllers are broken.

Follow this guide for troubleshooting the issue with replication: https://www.itprotoday.com/active-directory/identifying-and-solving-active-directory-replication-problems

Author

Commented:
Hello All,

I hope everyone had a good holiday.  I have done a repadmin /replsummary and it shows no errors.
