Active Directory Replication Error 8451
Source: SupportArticles-docs/active-directory-replication-error-8451.md (MicrosoftDocs/SupportArticles-docs, main branch; the public copy kept in sync with SupportArticles-docs-pr)
ms.date: 10/19/2020 | author: Deland-Han (ms.author: delhan) | manager: dcscontentpm | ms.reviewer: kaushika, toddmax
audience: itpro | ms.topic: troubleshooting | ms.prod: windows-server | ms.technology: windows-server-active-directory | localization_priority: medium | ms.custom: sap:active-directory-replication, csstroubleshoot
description: Provides a resolution for Active Directory Replication Error 8451, "The replication operation encountered a database error".
Active Directory Replication Error 8451: «The replication operation encountered a database error»

This article provides a resolution for Active Directory Replication Error 8451: «The replication operation encountered a database error».

Applies to:   Windows Server 2019, Windows Server 2016, Windows Server 2012 R2
Original KB number:   2645996

[!NOTE]
Home users: This article is intended only for technical support agents and IT professionals. If you’re looking for help to resolve a problem, please ask the Microsoft Community.

Symptoms

This article describes the symptoms and causes of situations in which Active Directory Domain Services (AD DS) operations fail and generate error 8451: «The replication operation encountered a database error.» This article also provides a resolution for this problem.
You might experience one or more of the following symptoms:

  • You see one or more on-screen error messages, logged events, or diagnostic output that identifies a database error. Possible formats for that error include the following.

    | Decimal code | Hexadecimal code | Text code | Error message |
    |---|---|---|---|
    | 8451 | 0x2103 | ERROR_DS_DRA_DB_ERROR | The replication operation encountered a database error. |
    | -1018 | 0xfffffc06 | JET_errReadVerifyFailure | Checksum error on a database page. |
    | -1047 | 0xfffffbe9 | JET_errInvalidBufferSize | Data buffer doesn't match column size. |
    | -1075 | 0xfffffbcd | JET_errOutOfLongValueIDs | Long-value ID counter has reached maximum value (do an offline defragmentation to reclaim free and unused LongValueIDs). |
    | -1206 | 0xfffffb4a | JET_errDatabaseCorrupted | Non-database file or corrupted db. |
    | -1414 | 0xfffffa7a | JET_errSecondaryIndexCorrupted | Secondary index is corrupt. The database must be defragmented. |
    | -1526 | 0xfffffa0a | JET_errLVCorrupted | Corruption encountered in long-value tree. |
    | -1601 | 0xfffff9bf | JET_errRecordNotFound | The key was not found. |
    | -1603 | 0xfffff9bd | JET_errNoCurrentRecord | Currency not on a record. |
  • Dcpromo.exe fails and generates error 8451.
    The user interface displays the following message:

    The operation failed because:

    Active Directory Domain Services could not replicate the directory partition
    <DN path of failing partition> from the remote Active Directory Domain Controller
    <helper DC>.<dns domain name>.<top level domain>.

    The replication operation encountered a database error.

    The Dcpromo.log file contains the following information:

    ```output
    <date> <time> [INFO] NtdsInstall for contoso.com returned 8451
    <date> <time> [INFO] DsRolepInstallDs returned 8451
    <date> <time> [ERROR] Failed to install to Directory Service (8451)
    <date> <time> [INFO] Starting service NETLOGON
    ```

  • Repadmin.exe reports that the replication attempt has failed with status 8451. Repadmin.exe commands that commonly cite the 8451 status include but are not limited to:

    • Repadmin /kcc

    • Repadmin /rehost

    • Repadmin /replicate

    • Repadmin /replsum

    • Repadmin /showrepl

    • Repadmin /showreps

    • Repadmin /showutdvec

    • Repadmin /syncall

      For detailed information about how to use Repadmin to troubleshoot replication problems, see Monitoring and Troubleshooting Active Directory Replication Using Repadmin.

      The following sample shows output from the repadmin /showreps command that indicates that inbound replication from CONTOSO-DC2 to CONTOSO-DC1 failed and generated the "The replication operation encountered a database error" message.

      ```output
      Default-First-Site-Name\CONTOSO-DC1
      DSA Options: IS_GC
      Site Options: (none)
      DSA object GUID: b6dc8589-7e00-4a5d-b688-045aef63ec01
      DSA invocationID: b6dc8589-7e00-4a5d-b688-045aef63ec01
      ==== INBOUND NEIGHBORS ======================================
      DC=contoso,DC=com
      Default-First-Site-Name\CONTOSO-DC2 via RPC
      DSA object GUID: 74fbe06c-932c-46b5-831b-af9e31f496b2
      Last attempt @ <date> <time> failed, result 8451 (0x2103):
      The replication operation encountered a database error.
      consecutive failure(s).
      Last success @ <date> <time>.
      ```

  • Event Viewer lists one or more events that cite the 8451 error. The following table lists the event sources and Event IDs of common events that cite the 8451 error (in event source + event ID order).

    | Event source | Event ID | Event message |
    |---|---|---|
    | Microsoft-Windows-ActiveDirectory_DomainService | 1039 with extended error 8451 | Internal event: Active Directory Domain Services could not process the following object. |
    | Microsoft-Windows-ActiveDirectory_DomainService | 1084 with extended error 8451 | Internal event: Active Directory could not update the following object with changes received from the following source domain controller. It is because an error occurred during the application of the changes to Active Directory on the domain controller. |
    | Microsoft-Windows-ActiveDirectory_DomainService | 1308 with extended error 8451 | The Knowledge Consistency Checker (KCC) has detected that successive attempts to replicate with the following directory service have failed. |
    | Microsoft-Windows-ActiveDirectory_DomainService | 1699 with extended error 8451 | The local domain controller failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send the change requests to the domain controller at the following network address. |
    | NTDS Replication | 2108 with extended error 8451 and secondary error value -1075, -1526, or -1414 | This event contains REPAIR PROCEDURES for the 1084 event that has previously been logged. This message indicates a specific issue with the consistency of the Active Directory database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made. Object: CN=justintu@contoso.com,OU=marketing,OU=5thWard,OU=Houston,DC=Contoso,DC=com Object GUID: 2843919c-345c-4f57-bc1a-4ed5acbcf9e2 Source domain controller: 173ee10f-4c28-4acd-a2d7-61af8d4d3010._msdcs.Contoso.com User Action: If none of these actions succeed and the replication error continues, you should demote this domain controller and promote it again. Additional Data: Primary Error value: 8451 The replication operation encountered a database error. Secondary Error value: -1075 (or -1526, or -1414) |
    | NTDS General | 1039 with extended error 8451 | Internal event: Active Directory could not process the following object. |
    | NTDS KCC | 1925 with extended error 8451 | The attempt to establish a replication link for the following writable directory partition failed. |
    | NTDS Replication | 1084 with extended error 8451 | Internal event: Active Directory could not update the following object with changes received from the following source domain controller. It is because an error occurred during the application of the changes to Active Directory on the domain controller. |
    | NTDS Replication | 1699 with extended error 8451 | The local domain controller failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send the change requests to the domain controller at the following network address. |
  • When you increase the NTDS diagnostic logging level on the domain controller, Event Viewer lists additional events that are related to the 8451 error. The following table lists the event sources and Event IDs of events that frequently accompany other events that contain the 8451 error.

    | Event source | Event ID | Event message |
    |---|---|---|
    | Internal Processing | 1481 with error -1601 | Internal error: The operation on the object failed. Additional Data: Error value: 2 000020EF: NameErr: DSID-032500E8, problem 2001 (NO_OBJECT), data -1601, best match of: " |
    | Internal Processing | 1173 with error -1075 | Internal event: Active Directory has encountered the following exception and associated parameters. Exception: e0010004 Parameter: 0 Additional Data Error value: -1075 Internal ID: 205086d |
    | Internal Processing | 1173 with error -1526 | Internal event: Active Directory has encountered the following exception and associated parameters. Exception: e0010004 Parameter: 0 Additional Data Error value: -1526 Internal ID: 205036b |
    | Internal Processing | 1173 with error -1603 | Internal event: Active Directory has encountered the following exception and associated parameters. Exception: e0010004 Parameter: 0 Additional Data Error value: -1603 Internal ID: 2050344 |
    | NTDS ISAM | 474 with error -1018 | The database page read from the file 'E:\NTDS\Data\ntds.dit' at offset 3846455296 (0x00000000e5444000) for 8192 (0x00002000) bytes failed verification due to a page checksum mismatch. The expected checksum was 323677604 (0x134aeda4) and the actual checksum was 2081515684 (0x7c1168a4). The read operation will fail with error -1018 (0xfffffc06). If this condition persists, restore the database from a previous backup. This problem is likely due to faulty hardware. Contact your hardware vendor for further assistance diagnosing the problem. |
    | NTDS ISAM | 488 | NTDS (396) NTDSA: Data inconsistency detected in table datatable of database C:\WINDOWS\NTDS\ntds.dit (4621,7905). |
  • When you run the Dcdiag.exe utility, it produces output that resembles the following:

    Starting test: Replications

    * Replications Check
    [Replications Check,<DC Name>] A recent replication attempt
    failed:
    From <source DC> to <destination DC>
    Naming Context: <DN path of failing naming context>
    The replication generated an error (8451):
    The replication operation encountered a database error

  • In Active Directory Sites and Services, when you right-click the connection object of a source DC and select Replicate now, the command fails and generates a message that resembles the following:

    The following error occurred during the attempt to synchronize naming context <%directory partition name%> from Domain Controller <Source DC> to Domain Controller <Destination DC>:
    «The replication operation encountered a database error.»
    The operation will not continue.

How to decode error codes

You can use the Microsoft Exchange Server Error Code Lookup tool (err.exe) to decode the error codes that are described in this article. Note that the Jet errors are negative 32-bit values, so err.exe shows them in two's-complement hex (for example, -1075 is 0xfffffbcd). Decoding the error codes that relate to the 8451 error and the accompanying errors produces the following information:

```console
C:\>err 8451
for decimal 8451 / hex 0x2103 :
ERROR_DS_DRA_DB_ERROR               winerror.h
The replication operation encountered a database error.
2 matches found for "8451"

C:\>err -1414
for decimal -1414 / hex 0xfffffa7a :
JET_errSecondaryIndexCorrupted            esent98.h
/Secondary index is corrupt. The database must be
defragmented
/
1 matches found for "-1414"

C:\>err -1526
for decimal -1526 / hex 0xfffffa0a :
JET_errLVCorrupted                  esent98.h
/Corruption encountered in long-value tree/
1 matches found for "-1526"

C:\>err -1603
for decimal -1603 / hex 0xfffff9bd :
JET_errNoCurrentRecord                esent98.h
/Currency not on a record/
1 matches found for "-1603"

C:\>err -1075
for decimal -1075 / hex 0xfffffbcd :
JET_errOutOfLongValueIDs               esent98.h
/Long-value ID counter has reached maximum value.
(perform offline defrag to reclaim free/unused
LongValueIDs)
/
1 matches found for "-1075"

C:\>err -1601
for decimal -1601 / hex 0xfffff9bf :
JET_errRecordNotFound                 esent98.h
/The key was not found/
1 matches found for "-1601"

C:\>err -1047
for decimal -1047 / hex 0xfffffbe9 :
JET_errInvalidBufferSize                  esent98.h
/Data buffer doesn't match column size/
1 matches found for "-1047"

C:\>err -1018
for decimal -1018 / hex 0xfffffc06 :
JET_errReadVerifyFailure                  ese.h
/Checksum error on a database page/
JET_errReadVerifyFailure                  esent98.h
/* Checksum error on a database page */
2 matches found for "-1018"

C:\>err -1206
for decimal -1206 / hex 0xfffffb4a :
JET_errDatabaseCorrupted                  esent98.h
/Non database file or corrupted db/
1 matches found for "-1206"
```

Cause

Status 8451, "The replication operation encountered a database error", has multiple root causes, including the following:

  • The Active Directory database or one of its indexes is corrupted. Possible causes of the corruption include:
    • Failing hardware:
      • Disk
      • Controller
      • Controller cache
    • Outdated drivers:
      • Controller
    • Outdated firmware:
      • Computer BIOS
      • Controller
      • Disk
    • Sudden power loss.
    • Lingering objects.
    • The long-value ID counter has reached its maximum value:
      • The ESE column types JET_coltypLongText and JET_coltypLongBinary are called long value column types. These columns hold large strings and large binary objects, which may be stored in separate B+ trees away from the primary index. When long values are stored separately from the primary record, they are internally keyed on a long value ID (LID). The counter that hands out LIDs is finite; once it is exhausted, every write of a long value fails with -1075 (JET_errOutOfLongValueIDs), and only an offline defragmentation reclaims the free and unused IDs.
    • An invalid security descriptor in the msExchSecurityDescriptor attribute.

Resolution

[!Important]
Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.

How to resolve a single occurrence of the problem

If the error occurs on only one domain controller and appears to be an isolated problem, the best and quickest resolution is to perform an offline defragmentation of the database on the affected server. For information about how to do it, see How to perform offline defragmentation of the Active Directory database.

If offline defragmentation does not correct the issue, demote and then repromote the affected domain controller. For information about how to do it, see Demoting Domain Controllers and Domains.

How to resolve a recurring problem

If the problem recurs, collect some diagnostic data.

  1. Enable NTDS diagnostic logging for Replication Events and Internal Processing at a level of 5.

    To increase NTDS diagnostic logging, change the following REG_DWORD values in the registry of the destination domain controller under the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

    Set the value of the following entries to 5:

    • Replication Events
    • Internal Processing

    [!Note]
    Level-5 logging is extremely verbose. Restore both values to the default of 0 after the problem is resolved, and filter the Directory Service event log to isolate and identify the events it produces.

  2. Review the event logs for the new events generated by the increased logging. Their error values give a definitive view of the Jet error behind the original 8451. For example, an Internal Processing Event ID 1173 with an error value of -1526 indicates corruption in the long-value tree.

  3. Based on the additional information from the increased logging, refer to the following table for a potential resolution.

    | Decimal code | Hex code | Text code | Error message | Potential resolutions |
    |---|---|---|---|---|
    | -1018 | 0xfffffc06 | JET_errReadVerifyFailure | Checksum error on a database page | Check hardware, firmware, and drivers. Restore from backup. Demote/promote. |
    | -1047 | 0xfffffbe9 | JET_errInvalidBufferSize | Data buffer doesn't match column size | 832851 Inbound Replication Fails on Domain Controllers with Event ID: 1699, Error 8451 or jet error -1601. Note: This hotfix is no longer available. |
    | -1075 | 0xfffffbcd | JET_errOutOfLongValueIDs | Long-value ID counter has reached maximum value (do offline defragmentation to reclaim free or unused LongValueIDs) | Do offline defragmentation. |
    | -1206 | 0xfffffb4a | JET_errDatabaseCorrupted | Non-database file or corrupted db | Check hardware, firmware, and drivers. Run the Esentutl /k command. Run the Ntdsutil file integrity and semantic database analysis (SDA) commands, and then do offline defragmentation. Otherwise restore from backup or demote/promote. |
    | -1414 | 0xfffffa7a | JET_errSecondaryIndexCorrupted | Secondary index is corrupt. The database must be defragmented. | Do offline defragmentation. |
    | -1526 | 0xfffffa0a | JET_errLVCorrupted | Corruption encountered in long-value tree | Check hardware, firmware, and drivers. Run the Esentutl /k command. Run the Ntdsutil file integrity and SDA commands, and then do offline defragmentation. Otherwise restore from backup or demote/promote. |
    | -1601 | 0xfffff9bf | JET_errRecordNotFound | The key was not found | Check hardware, firmware, and drivers. Run the Esentutl /k command. Run the Ntdsutil file integrity and SDA commands, and then do offline defragmentation. Otherwise restore from backup or demote/promote. |
    | -1603 | 0xfffff9bd | JET_errNoCurrentRecord | Currency not on a record | Check hardware, firmware, and drivers. Run the Esentutl /k command. Run the Ntdsutil file integrity and SDA commands, and then do offline defragmentation. Otherwise restore from backup or demote/promote. |
    | 8451 | 0x2103 | ERROR_DS_DRA_DB_ERROR | The replication operation encountered a database error | Check hardware, firmware, and drivers. Run the Esentutl /k command. Run the Ntdsutil file integrity and SDA commands, and then do offline defragmentation. Otherwise restore from backup or demote/promote. |
  4. If all these methods fail, restore the domain controller from a backup, or demote it and then repromote.
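The following PowerShell script is an added example; it is not part of the KB article. It covers both the decoding section above and steps 1 through 3 of this procedure on the destination domain controller: it raises the two NTDS diagnostic values to 5, forces one inbound sync to reproduce the failure, extracts the Jet error values from the verbose events, prints each one with the two's-complement hex that err.exe would show and the repair action from the table, and always drops logging back to 0 in a finally block. Assumptions not stated in the article: the two Diagnostics registry values are named '5 Replication Events' and '9 Internal Processing', the events are written to the 'Directory Service' log, and SOURCE-DC and DC=contoso,DC=com are placeholders you replace with the failing partner and partition.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the KB article). Run on the destination DC in an elevated session.
# Assumed registry value names and log name are noted where they are used.

$DiagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$DiagNames = @('5 Replication Events', '9 Internal Processing')   # assumed value names
$EventIds  = @(474, 488, 1173, 1481, 2108)   # NTDS ISAM, Internal Processing, NTDS Replication

# Jet error table from the article: decimal code -> symbol, recommended action.
$Stack = 'esentutl /k; ntdsutil integrity + SDA; offline defrag; else restore or demote/promote'
$JetErrors = @{
    '-1018' = @('JET_errReadVerifyFailure',       'Check hardware/firmware/drivers; restore from backup; demote/promote')
    '-1047' = @('JET_errInvalidBufferSize',       'KB 832851 (hotfix no longer available)')
    '-1075' = @('JET_errOutOfLongValueIDs',       'Offline defragmentation')
    '-1206' = @('JET_errDatabaseCorrupted',       $Stack)
    '-1414' = @('JET_errSecondaryIndexCorrupted', 'Offline defragmentation')
    '-1526' = @('JET_errLVCorrupted',             $Stack)
    '-1601' = @('JET_errRecordNotFound',          $Stack)
    '-1603' = @('JET_errNoCurrentRecord',         $Stack)
}

function Set-NtdsDiagnosticLevel([int]$Level) {
    foreach ($name in $DiagNames) {
        Set-ItemProperty -Path $DiagKey -Name $name -Value $Level -Type DWord
    }
}

function ConvertTo-Win32Hex([int]$Code) {
    # err.exe prints negative Jet codes as 32-bit two's complement: -1075 -> 0xfffffbcd
    $bytes = [BitConverter]::GetBytes($Code)
    '0x{0:x8}' -f [BitConverter]::ToUInt32($bytes, 0)
}

function Get-JetErrorsSince([datetime]$Since) {
    # Each accompanying event names the Jet code in its text, in one of these forms:
    # "Error value: -1526", "Secondary Error value: -1414", "data -1601", "error -1018 (0x...)".
    $filter = @{ LogName = 'Directory Service'; Id = $EventIds; StartTime = $Since }   # assumed log name
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if (-not $e.Message) { continue }
        foreach ($m in [regex]::Matches($e.Message, '(?:Error value|error|data):?\s+(-\d{4})\b')) {
            [pscustomobject]@{ Time = $e.TimeCreated; EventId = $e.Id; Code = [int]$m.Groups[1].Value }
        }
    }
}

$start = Get-Date
Set-NtdsDiagnosticLevel -Level 5
try {
    # Reproduce the failure once so the verbose events are written (placeholders: partner and NC).
    repadmin /replicate $env:COMPUTERNAME SOURCE-DC 'DC=contoso,DC=com' | Out-Null
    Start-Sleep -Seconds 30
    $groups = Get-JetErrorsSince -Since $start | Group-Object Code
    if (-not $groups) { Write-Warning 'No Jet error values found; inspect the Directory Service log by hand.' }
    foreach ($g in $groups) {
        $code   = [int]$g.Name
        $info   = $JetErrors["$code"]
        $symbol = if ($info) { $info[0] } else { 'not in the article table' }
        $action = if ($info) { $info[1] } else { 'decode with err.exe' }
        '{0,6} {1} {2,-32} x{3,-3} -> {4}' -f $code, (ConvertTo-Win32Hex $code), $symbol, $g.Count, $action
    }
}
finally {
    Set-NtdsDiagnosticLevel -Level 0   # level 5 is extremely verbose; never leave it on
}
```

The regex deliberately captures only four-digit negative numbers, so it picks up the Jet codes (-1018 through -1603) and ignores the positive 8451 and the "Error value: 2" that Event 1481 also carries; anything that is not in the table is reported for manual decoding with err.exe rather than guessed at.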

More information

Verify the Jet database stack from the bottom up, proceeding to the next layer only after the layer beneath it has been graded as good, in the same way that you would work up a TCP/IP stack.

| Layer | Ntdsutil command | Esentutl command |
|---|---|---|
| (1) Physical consistency | no equivalent | Esentutl /k |
| (2) Extensible Storage Engine (ESE) logical consistency | Ntdsutil: files, integrity | Esentutl /g |
| (3) Application logical consistency | Ntdsutil: semantic database analysis, then Ntdsutil: compact | no equivalent for SDA; Esentutl /d for compaction |
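The script below is an added example, not part of the article, that walks the three layers in that order with the database offline, stops at the first layer that does not pass, and only then compacts the database (the offline defragmentation the resolution section calls for). It assumes the default database path C:\Windows\NTDS\ntds.dit (check the DSA Database file value under HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters), that the NTDS service can be stopped on this domain controller, that a verified backup exists, and it uses a hypothetical scratch directory C:\NTDS-compact. The pass/fail test on ntdsutil output is a textual heuristic, since ntdsutil does not reliably signal failure through its exit code.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article). Layer-by-layer verification of ntds.dit, bottom up.
# Assumed: default DIT path, stoppable NTDS service, a verified backup, scratch dir for compaction.

$Dit     = 'C:\Windows\NTDS\ntds.dit'   # verify against 'DSA Database file' under ...\Services\NTDS\Parameters
$Scratch = 'C:\NTDS-compact'            # hypothetical scratch directory for the compacted copy

function Invoke-Layer([string]$Label, [string]$Exe, [string[]]$CmdArgs) {
    Write-Host "== $Label"
    $out = & $Exe @CmdArgs 2>&1
    $out | Out-Host
    # Heuristic pass/fail: non-zero exit code, or output that names a corruption or a Jet error.
    if ($LASTEXITCODE -ne 0 -or ($out -match '(?i)corrupt|fail|error\s*-?\d')) {
        throw "$Label did not pass. Fix this layer (hardware, restore, or demote/promote) before going higher."
    }
}

Stop-Service -Name NTDS -Force   # also stops dependants (KDC, DNS, DFSR); the DC is offline from here
try {
    # Layer 1: physical consistency (page checksums). No ntdsutil equivalent.
    Invoke-Layer 'Layer 1: esentutl /k (physical)' 'esentutl.exe' @('/k', $Dit)

    # Layer 2: ESE logical consistency. Same check as "ntdsutil files integrity".
    Invoke-Layer 'Layer 2: esentutl /g (ESE logical)' 'esentutl.exe' @('/g', $Dit)

    # Layer 3: application logical consistency. SDA has no esentutl equivalent;
    # "go" is read-only, "go fixup" would repair what it finds.
    Invoke-Layer 'Layer 3: ntdsutil semantic database analysis' 'ntdsutil.exe' `
        @('activate instance ntds', 'semantic database analysis', 'go', 'quit', 'quit')

    # All three layers passed: offline defragmentation into the scratch directory (equivalent of esentutl /d).
    New-Item -ItemType Directory -Path $Scratch -Force | Out-Null
    Invoke-Layer 'Compact (offline defragmentation)' 'ntdsutil.exe' `
        @('activate instance ntds', 'files', "compact to $Scratch", 'quit', 'quit')

    # Compaction writes a new file and leaves the original in place: verify the copy before swapping it in.
    Invoke-Layer 'Verify compacted copy' 'esentutl.exe' @('/k', (Join-Path $Scratch 'ntds.dit'))
    if ((Read-Host 'Replace ntds.dit with the compacted copy and delete the old *.log files? (y/N)') -eq 'y') {
        Copy-Item -Path (Join-Path $Scratch 'ntds.dit') -Destination $Dit -Force
        Remove-Item -Path (Join-Path (Split-Path $Dit) '*.log') -Force
    }
}
finally {
    Start-Service -Name NTDS   # dependants are not restarted automatically; start them or reboot
}
```

Keep the original ntds.dit and its log files until the domain controller has restarted cleanly and replicated inbound and outbound at least once; if the new file fails to mount, the untouched original plus the backup is the way back.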
Forum question

  • "The operation failed because: Active Directory Domain Services could not replicate the directory partition <DN path of failing partition> from the remote Active Directory Domain Controller <helper DC>.<dns domain name>.<top level domain>. The replication operation encountered a database error."

    I tried the solution given on technet.microsoft.com, like:

    Enable NTDS diagnostic logging for Replication Events and Internal Processing at a level of 5.

    To increase NTDS diagnostic logging, change the following REG_DWORD values in the registry of the destination domain controller under the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics

    Set the value of the following subkeys to 5:

    • 5 Replication Events
    • 9 Internal Processing

    Note: Level 5 logging is extremely verbose and the values of both subkeys should be set back to the default of 0 after the problem is resolved. Filtering the Directory Services event log should be performed to isolate and identify these events.

    But the problem still persists. Please give some solution for this. Thank you...

    Moved Tuesday, July 16, 2013 6:28 PM (Move to more appropriate forum)

Answers

  • I think the problem may be in Active Directory Sites and Services. I found some DCs which seemed to be zombies. I deleted the entire site and created a new site, then linked all the DCs there. Problem solved.

    Thank you...

    Marked as answer by Vivian_Wang, Tuesday, July 23, 2013 11:44 AM

Contents

  1. Troubleshoot common Active Directory replication errors
  2. Error codes
  3. Event IDs

Troubleshoot common Active Directory replication errors

This article contains information and links to help you troubleshoot Active Directory Replication errors. It is intended to provide Active Directory administrators with a method to diagnose replication failures and to determine where those failures are occurring.

Applies to:   Windows Server 2019, Windows Server 2016, Windows Server 2012 R2
Original KB number:   3108513

Home users: This article is only intended for technical support agents and IT professionals. If you’re looking for help with a problem, ask the Microsoft Community.

Error codes

To troubleshoot specific errors, refer to the following table.

Each entry gives the replication error code, its cause, and the related Knowledge Base article.

  • 8464: This issue occurs because partial attribute set (PAS) synchronization is triggered when an attribute is added to the PAS. Related article: Active Directory replication error 8464: Synchronization attempt failed
  • 8477: This code is informational and represents a regular Active Directory replication operation. It indicates that replication is currently in progress from the source and has not yet been applied to the destination domain controller's database replica. Related article: Troubleshooting AD Replication error 8477: The replication request has been posted; waiting for reply
  • 8418: Attempts to replicate Active Directory when schema information is not consistent between the domain controller partners that are involved result in a Schema Mismatch error status. This symptom manifests itself in several ways. The underlying cause of the error may vary. Related article: Troubleshooting AD Replication error 8418: The replication operation failed because of a schema mismatch between the servers involved
  • 1908: This error has two primary causes:
    • The destination domain controller can't contact a key distribution center (KDC).
    • The computer is experiencing Kerberos-related errors.
    Related article: Troubleshooting AD Replication error 1908: Could not find the domain controller for this domain
  • 8333: This error has multiple causes. They include the following:
    • Database corruption, with additional associated errors that are logged in the event log of the source domain controller
    • Lingering objects that have associated errors logged
    • Conflict objects
    • A third-party process
    Related article: Troubleshooting AD Replication error 8333: Directory Object Not Found
  • 8589: This error most commonly occurs on a domain controller after a replication partner has Active Directory forcibly removed and is then re-promoted before end-to-end replication can complete. This error can also occur when you rename a domain controller and the serverReference attribute is not updated. Related article: Troubleshooting AD Replication error 8589: The DS cannot derive a service principal name (SPN)
  • 1818: The issue occurs when the destination domain controller that is performing incoming replication does not receive replication changes within the number of seconds that is specified in the RPC Replication Timeout registry key. Related article: Troubleshooting AD Replication error 1818: The remote procedure call was cancelled
  • 8446: This error can occur when the Active Directory replication engine cannot allocate memory to run Active Directory replication. Related article: Troubleshooting AD Replication error 8446: The replication operation failed to allocate memory
  • 8240: This error indicates that the specific object could not be found in the directory. This error may be encountered in the following situations:
    • During AD replication
    • Reported as 8240 in NTDS Event 1126
    Related article: Troubleshooting AD Replication error 8240: There is no such object on the server
  • 8451: Status 8451, "The replication operation encountered a database error", has multiple causes; refer to the related article. Related article: Active Directory Replication Error 8451: The replication operation encountered a database error
  • 1256: This error is logged because of a connectivity failure. Related article: Active Directory Replication Error 1256: The remote system is not available.
  • 1396: Known causes of this error include the following:
    • The service principal name (SPN) does not exist on the global catalog that is searched by the Kerberos Key Distribution Center (KDC) on behalf of the client that is trying to authenticate by using the Kerberos protocol.
    • The user or service account that should contain the SPN that is being looked up does not exist on the global catalog that is searched by the KDC on behalf of the destination domain controller that is trying to replicate.
    • The destination domain controller lacks a Local Security Authority (LSA) secret for the source domain controller's domain.
    • The SPN that is being looked up exists on the account of a different computer than the source domain controller.
    Related article: Active Directory Replication Error 1396: Logon Failure: The target account name is incorrect.
  • 1722: Remote Procedure Call (RPC) is an intermediate layer between the network transport and the application protocol. RPC itself has no special insight into failures. However, it tries to map lower-layer protocol failures into an error at the RPC layer. Related article: Active Directory replication error 1722: The RPC server is unavailable
  • -2146893022: This error code is not returned by Active Directory. However, it may be returned by lower-layer components. These include RPC, the Kerberos protocol, Secure Sockets Layer (SSL), LSA, and NT LAN Manager (NTLM). The code is returned for various reasons. Related article: Active Directory replication error -2146893022: The target principal name is incorrect
  • 1753: Specific causes of this error include the following:
    • The server app never started.
    • The server app started. However, there was a failure during initialization that prevented the server app from registering with the RPC Endpoint Mapper.
    • The server app started but later died.
    • The server app manually unregistered its endpoints. (This resembles the previous cause, but its occurrence was intentional. You are unlikely to receive this error for this reason. However, we include it for completeness.)
    • The RPC client (that is, the destination domain controller) contacted a different RPC server than the intended one because of a name-to-IP mapping error in DNS, WINS, or the hosts / lmhosts file.
    Related article: Active Directory Replication Error 1753: There are no more endpoints available from the endpoint mapper
  • 8606: Error 8606 is logged when the following conditions are true:
    • A source domain controller sends an update to an object (instead of sending an originating object create request) that was already created, deleted, and then reclaimed by garbage collection from a destination domain controller's copy of Active Directory.
    • The destination domain controller was configured to run in strict replication consistency.
    Related article: Active Directory Replication Error 8606: Insufficient attributes were given to create an object
  • 1127: This error indicates that a disk operation on the domain controller's hard disk failed even after retries. Related article: Active Directory Replication Error 1127: While accessing the hard disk, a disk operation failed even after retries
  • 8452: This error most frequently occurs when the replication topology in a domain controller that is starting replication differs from the replication topology that is defined in the destination domain controller's copy of Active Directory. Related article: The naming context is in the process of being removed or is not replicated from the specified server
  • 8456 or 8457: Incoming or outgoing replication was automatically disabled by the operating system because of multiple root causes. Related article: KB 2023007
  • 8453: This "Replication Access was denied" error has multiple causes. Related article: Active Directory replication error 8453: Replication access was denied
  • 8524: This is a catch-all error for all possible DNS failures that affect Active Directory on post-Windows Server 2003 SP1-based domain controllers. Related article: Active Directory Replication Error 8524: The DSA operation is unable to proceed because of a DNS lookup failure
  • 8614: Causes of this error (and of NTDS Replication Event 2042) include the following:
    • The destination domain controller that is logging the 8614 error did not inbound-replicate a directory partition from one or more source domain controllers for a tombstone lifetime number of days.
    • System time on the destination domain controller moved, or jumped, a tombstone lifetime or more into the future after the last successful replication.
    Related article: Troubleshoot Active Directory replication error 8614
  • 8545: This Active Directory replication error is logged when the source domain controller tries to send changes for a recently migrated object while the destination domain controller has the object present in a different partition. Related article: Active Directory replication error 8545: Replication update could not be applied
  • 5: This Active Directory replication error has multiple causes. Related article: Active Directory replication error 5: Access is denied
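As an added example that is not part of the article, the PowerShell script below turns that table into a forest-wide triage: it runs repadmin /showrepl * /csv, keeps only the inbound links that have recorded failures, annotates each with the cause summarized above, and sorts by failure count so the worst links surface first. It assumes the /csv column names used below (the layout repadmin emits on Windows Server 2012 R2 through 2019, with a leading showrepl_COLUMNS/showrepl_INFO column); when repadmin.exe is not on the path it falls back to a constructed two-row sample so the parsing can be exercised offline.

```powershell
# Added example (not from the article). Triage of failing inbound replication links.
# Assumed: repadmin /csv column names as below; $Sample rows are constructed, not real output.

# Cause summaries from the table above, keyed by the decimal status code repadmin reports.
$CauseByCode = @{
    '5'           = 'Access is denied (multiple causes)'
    '1127'        = 'Disk operation failed even after retries'
    '1256'        = 'Connectivity failure'
    '1396'        = 'Target account name is incorrect (SPN, GC lookup, or LSA secret problem)'
    '1722'        = 'RPC server is unavailable (lower-layer failure mapped to RPC)'
    '1753'        = 'No endpoints from the endpoint mapper (server app not registered, or bad name-to-IP mapping)'
    '1818'        = 'RPC call cancelled: no changes within RPC Replication Timeout'
    '1908'        = 'Cannot contact a KDC, or Kerberos-related errors'
    '8240'        = 'No such object on the server'
    '8333'        = 'Directory object not found (DB corruption, lingering objects, conflict objects, third party)'
    '8418'        = 'Schema mismatch between partners'
    '8446'        = 'Replication engine could not allocate memory'
    '8451'        = 'Database error on the destination (see KB 2645996)'
    '8452'        = 'Naming context being removed, or not replicated from that server'
    '8453'        = 'Replication access was denied (multiple causes)'
    '8456'        = 'Incoming replication disabled by the OS'
    '8457'        = 'Outgoing replication disabled by the OS'
    '8464'        = 'Partial attribute set synchronization triggered'
    '8477'        = 'Informational: request posted, waiting for reply'
    '8524'        = 'DNS lookup failure'
    '8545'        = 'Migrated object is in a different partition on the destination'
    '8589'        = 'Cannot derive an SPN (forced removal then re-promotion, or stale serverReference)'
    '8606'        = 'Insufficient attributes: update for an already garbage-collected object under strict consistency'
    '8614'        = 'No inbound replication for longer than tombstone lifetime, or clock jumped forward'
    '-2146893022' = 'Target principal name is incorrect (returned by RPC, Kerberos, SSL, LSA or NTLM)'
}

function Get-FailingLinks([string[]]$CsvLines) {
    foreach ($r in ($CsvLines | ConvertFrom-Csv)) {
        # Keep only real link rows with a numeric, non-zero failure count.
        if ($r.'Number of Failures' -notmatch '^\d+$' -or [int]$r.'Number of Failures' -eq 0) { continue }
        $code  = $r.'Last Failure Status'
        $cause = if ($CauseByCode.ContainsKey($code)) { $CauseByCode[$code] } else { 'not in the table; decode with err.exe' }
        [pscustomobject]@{
            Destination = $r.'Destination DSA'
            Source      = $r.'Source DSA'
            NamingCtx   = $r.'Naming Context'
            Failures    = [int]$r.'Number of Failures'
            LastFailure = $r.'Last Failure Time'
            Code        = $code
            Cause       = $cause
        }
    }
}

# Constructed sample in repadmin's /csv layout: one failing link (8451), one healthy link.
$Sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,CONTOSO-DC1,"DC=contoso,DC=com",Default-First-Site-Name,CONTOSO-DC2,RPC,12,2020-10-19 08:15:03,2020-10-18 22:01:44,8451
showrepl_INFO,Default-First-Site-Name,CONTOSO-DC1,"CN=Configuration,DC=contoso,DC=com",Default-First-Site-Name,CONTOSO-DC2,RPC,0,0,2020-10-19 08:14:59,0
'@ -split "`r?`n"

$lines = if (Get-Command repadmin.exe -ErrorAction SilentlyContinue) {
    repadmin /showrepl * /csv
} else {
    Write-Warning 'repadmin.exe not found; using the constructed sample'
    $Sample
}

Get-FailingLinks -CsvLines $lines | Sort-Object Failures -Descending | Format-Table -AutoSize
```

Because the table is keyed on the decimal status exactly as repadmin prints it, the negative -2146893022 works the same way as the positive codes; anything repadmin reports that is not in the table is flagged for manual decoding rather than silently dropped.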

Event IDs

To troubleshoot specific event IDs, refer to the following table:

Troubleshooting common Active Directory replication errors

This article contains information and links to help you troubleshoot Active Directory replication errors. It is intended to give Active Directory administrators a method for diagnosing replication failures and determining where those failures occur.

Applies to: Windows Server 2019, Windows Server 2016, Windows Server 2012 R2
Original KB number: 3108513

Home users: This article is intended only for technical support agents and IT professionals. If you're looking for help to resolve a problem, please ask the Microsoft Community.

Error codes

For information about troubleshooting specific errors, see the following table.

Replication error code Cause Related KB article
8464 This problem occurs because partial attribute set (PAS) synchronization is triggered when an attribute is added to the PAS. Active Directory replication error 8464: Synchronization attempt failed
8477 This code is informational and represents a normal Active Directory replication operation. It indicates that replication is being performed from the source and has not yet been applied to the destination domain controller's database replica. Troubleshooting AD replication error 8477: The replication request has been posted; waiting for reply
8418 Attempting to replicate Active Directory when schema information is not consistent between the participating domain controller partners results in a schema mismatch error. This symptom shows up in several ways. The underlying cause of the error can vary. Troubleshooting AD replication error 8418: The replication operation failed because of a schema mismatch between the servers involved
1908 This error has two main causes:

  • The destination domain controller cannot contact a Key Distribution Center (KDC).
  • The computer is experiencing Kerberos-related errors.
Troubleshooting AD replication error 1908: Could not find the domain controller for this domain
8333 This error has several causes. Some of these factors are:

  • Database corruption, with additional related errors logged in the event log of the source domain controller
  • Lingering objects that have related errors logged
  • Conflict objects
  • A third-party process
Troubleshooting AD replication error 8333: Directory Object Not Found
8589 This error most often occurs on a domain controller after Active Directory is forcibly removed by a replication partner and the domain controller is then re-promoted before end-to-end replication completes. This error can also occur when a domain controller is renamed and the serverReference attribute is not updated. Troubleshooting AD replication error 8589: The DS cannot derive a service principal name (SPN)
1818 The problem occurs when the destination domain controller that is performing inbound replication does not receive replication changes within the number of seconds specified in the RPC replication time-out registry key. Troubleshooting AD replication error 1818: The remote procedure call was cancelled
8446 This error can occur if the Active Directory replication engine cannot allocate memory to perform Active Directory replication. Troubleshooting AD replication error 8446: The replication operation failed to allocate memory
8240 This error indicates that a specific object was not found in the directory. This error can occur in the following situations:

  • During AD replication
  • 8240 in event 1126 (NTDS)
Troubleshooting AD replication error 8240: There is no such object on the server
8451 Status 8451: The replication operation encountered a database error, for multiple causes. See the related KB article in the third column. Active Directory replication error 8451: The replication operation encountered a database error
1256 This error is logged because of a connectivity failure. Active Directory replication error 1256: The remote system is not available.
1396 Known causes of this error include:

  • The service principal name (SPN) does not exist in the global catalog that is searched by the Kerberos Key Distribution Center (KDC) on behalf of the client that is trying to authenticate by using the Kerberos protocol.
  • The user or service account that should contain the SPN being looked up does not exist in the global catalog that is searched by the KDC on behalf of the destination domain controller that is trying to replicate.
  • The destination domain controller lacks a Local Security Authority (LSA) secret for the source domain controller's domain.
  • The SPN being looked up exists on a computer account other than the source domain controller.
Active Directory replication error 1396: Logon Failure: The target account name is incorrect.
1722 Remote procedure call (RPC) is an intermediate layer between the network transport and the application protocol. RPC itself has no special knowledge of failures. However, it tries to map lower-layer protocol failures to an error at the RPC layer. Active Directory replication error 1722: The RPC server is unavailable
-2146893022 This error code is not returned by Active Directory. However, it can be returned by lower-layer components. These include RPC, the Kerberos protocol, SSL, LSA, and NT LAN Manager (NTLM). The code is returned for various reasons. Active Directory replication error -2146893022: The target principal name is incorrect
1753 Specific causes of this error include the following:

  • The server application was never started.
  • The server application started. However, an error occurred during initialization that prevented the server application from registering with the RPC endpoint mapper.
  • The server application started but was later stopped.
  • The server application manually unregistered its endpoints. (This is similar to the previous cause, but it happened intentionally. For that reason, you are unlikely to get this error. However, we include it for completeness.)
  • The RPC client (that is, the destination domain controller) is contacting an RPC server other than the intended one because of a name-to-IP-address mapping error in DNS, WINS, or the hosts or lmhosts file.
Active Directory replication error 1753: There are no more endpoints available from the endpoint mapper
8606 Error 8606 is logged when the following conditions are met:

  • A source domain controller sends an update to an object (instead of sending the original request to create the object) that has already been created, deleted, and then reclaimed by garbage collection from the destination domain controller's copy of Active Directory.
  • The destination domain controller is configured to run in strict replication consistency.
Active Directory replication error 8606: Insufficient attributes were given to create an object
1127 Error 8606 is logged when the following conditions are met:

  • A source domain controller sends an update to an object (instead of sending the original request to create the object) that has already been created, deleted, and then reclaimed by garbage collection from the destination domain controller's copy of Active Directory.
  • The destination domain controller is configured to run in strict replication consistency. (duplicate of the row above?)
Active Directory replication error 1127: While accessing the hard disk, a disk operation failed even after retries.

Issue:
———

DC1 and DC2 are two domain controllers for the domain Domain.com.

DC1 -> DC2 replication working fine but the reverse DC2 -> DC1 doesn’t seem to work. Below are the commands and event ids which generated for the replication.

============================
C:\Windows\ntds>repadmin /replicate DC2 DC1 DC=Domain,DC=com
Sync from DC1 to DC2 completed successfully.

C:\Windows\ntds>repadmin /replicate DC1 DC2 DC=Domain,DC=com
DsReplicaSync() failed with status 8451 (0x2103):
The replication operation encountered a database error.
============================

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 2108
Task Category: Replication
Level: Error
Computer: DC1.Domain.com
Description:
This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory Domain Services database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.

Object:
DC=DC1,DC=Domain.com,CN=MicrosoftDNS,CN=System,DC=barrylevin,DC=com
Object GUID:
27709216-a6eb-4e13-a614-36becd89756b
Source domain controller:
cfaf2018-03a3-441c-834e-4d86f8c8c7ba._msdcs.barrylevin.com

User Action

Please consult KB article 837932, http://support.microsoft.com/?id=837932. A subset of its repair procedures are listed here.
1. Confirm that sufficient free disk space resides on the volumes hosting the Active Directory Domain Services database then retry the operation. Confirm that the physical drives hosting the NTDS.DIT and log files do not reside on drives where NTFS compression is enabled. Also check for anti-virus software accessing these volumes.
2. It may be of benefit to force the Security Descriptor Propagator to rebuild the object container ancestry in the database. This may be done by following the instructions in KB article 251343, http://support.microsoft.com/?id=251343.
3. The problem may be related to the object’s parent on this domain controller. On the source domain controller, move the object to have a different parent.
4. If this machine is a global catalog and the error occurs in one of the read-only partitions, you should demote the machine as a global catalog using the Global Catalog checkbox in the Sites & Services user interface. If the error is occurring in an application partition, you can stop the application partition from being hosted on this replica. This may be changed using the ntdsutil.exe command.
5. Obtain the most recent ntdsutil.exe by installing the latest service pack for your operating system. Prior to booting into Directory Services Restore Mode (DSRM), verify that the DSRM password is known. Otherwise reset it prior to restarting the system.
6. In DSRM, run the NT CMD prompt, run “ntdsutil files integrity”. If corruption is found and other replicas exist, then demote replica and check your hardware. If no replicas are present, restore a system state backup and repeat this verification.
7. Perform an offline defragmentation using the “ntdsutil files compact” function.
8. The “ntdsutil semantic database analysis” should also be performed. If errors are found, they may be corrected using the “go fixup” function. Note that this should not be confused with the database maintenance function called “ESE repair”, which should not be used, since it causes data loss for Active Directory Domain Services Databases.

If none of these actions succeed and the replication error continues, you should demote this domain controller and promote it again.

Additional Data
Primary Error value:
8451 The replication operation encountered a database error.
Secondary Error value:
-1414 JET_errSecondaryIndexCorrupted, Secondary index is corrupt. The database must be defragmented

============================

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 1084
Task Category: Replication
Level: Error
Computer: DC1.Domain.com
Description:
Internal event: Active Directory Domain Services could not update the following object with changes received from the following source directory service. This is because an error occurred during the application of the changes to Active Directory Domain Services on the directory service.

Object:
DC=DC1,DC=Domain.com,CN=MicrosoftDNS,CN=System,DC=barrylevin,DC=com
Object GUID:
27709216-a6eb-4e13-a614-36becd89756b
Source directory service:
cfaf2018-03a3-441c-834e-4d86f8c8c7ba._msdcs.barrylevin.com

Synchronization of the directory service with the source directory service is blocked until this update problem is corrected.

This operation will be tried again at the next scheduled replication.

User Action
Restart the local computer if this condition appears to be related to low system resources (for example, low physical or virtual memory).

Additional Data
Error value:
8451 The replication operation encountered a database error.

============================

Cause:
———

Additional Data
Primary Error value:
8451 The replication operation encountered a database error.
Secondary Error value:
-1414 JET_errSecondaryIndexCorrupted, Secondary index is corrupt. The database must be defragmented

The details above indicate that the database on DC1 needs to be defragmented.
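The Secondary Error value is what decides the repair path, so a small triage helper is worth having. The following PowerShell is an added example, not code from the original post: it parses the Additional Data block of Directory Service events 2108 and 1084 and maps the ESE codes that appear on this page (-1414, -1206, -1018, -1808) to the step the event text points at. The sample message is a constructed copy of the 2108 event above; the Get-WinEvent line for live use is an assumption.

```powershell
# Added example, not code from the original post: triage Directory Service events 2108/1084
# by pulling the object, source DC and error values out of the message text.

# Secondary (ESE/JET) codes that appear on this page, mapped to the action the events point at.
$JetErrorGuidance = @{
    (-1414) = 'JET_errSecondaryIndexCorrupted: secondary index corrupt; run an offline defragmentation (esentutl /D or ntdsutil "files compact")'
    (-1206) = 'JET_errDatabaseCorrupted: integrity check failed; with other replicas, demote and check hardware, otherwise restore system state'
    (-1018) = 'JET_errReadVerifyFailure: page checksum error; suspect the disk path, do not repair in place'
    (-1808) = 'JET_errDiskFull: free space or point TMP/TEMP at a larger volume, then retry'
}

function ConvertFrom-NtdsReplicationEvent {
    # Returns a triage object for one event message, or $null if the message carries no
    # "Error value" block. Event 1084 has only the primary value; 2108 adds the ESE code.
    param(
        [Parameter(Mandatory)][int]$EventId,
        [Parameter(Mandatory)][string]$Message
    )
    # "<label>:" on one line, the value on the next. Trim() drops a stray \r on CRLF text.
    function Get-Field([string]$Label) {
        $m = [regex]::Match($Message, '(?m)^' + $Label + ':\s*\r?\n\s*(.+)$')
        if ($m.Success) { $m.Groups[1].Value.Trim() } else { $null }
    }
    $primaryLine = Get-Field '(?:Primary )?Error value'
    if (-not $primaryLine) { return $null }
    $secondaryLine = Get-Field 'Secondary Error value'

    # Each value line is "<code> <text>"; only the code is needed for the lookup.
    $primaryCode   = [int]($primaryLine -split '\s+', 2)[0]
    $secondaryCode = if ($secondaryLine) { [int]($secondaryLine -split '\s+', 2)[0] } else { $null }

    $guidance = if ($null -eq $secondaryCode) {
        'No ESE code in this event; wait for the matching 2108 event, which carries it'
    } elseif ($JetErrorGuidance.ContainsKey($secondaryCode)) {
        $JetErrorGuidance[$secondaryCode]
    } else {
        "ESE error $secondaryCode is not in the table on this page; look it up before acting"
    }

    [pscustomobject]@{
        EventId        = $EventId
        ObjectDN       = Get-Field 'Object'
        ObjectGuid     = Get-Field 'Object GUID'
        SourceDC       = Get-Field 'Source (?:domain controller|directory service)'
        PrimaryError   = $primaryCode
        SecondaryError = $secondaryCode
        Guidance       = $guidance
    }
}

# Constructed sample: the object and Additional Data block of the 2108 event quoted above.
$Sample2108 = @'
Object:
DC=DC1,DC=Domain.com,CN=MicrosoftDNS,CN=System,DC=barrylevin,DC=com
Object GUID:
27709216-a6eb-4e13-a614-36becd89756b
Source domain controller:
cfaf2018-03a3-441c-834e-4d86f8c8c7ba._msdcs.barrylevin.com

Additional Data
Primary Error value:
8451 The replication operation encountered a database error.
Secondary Error value:
-1414 JET_errSecondaryIndexCorrupted, Secondary index is corrupt. The database must be defragmented
'@
ConvertFrom-NtdsReplicationEvent -EventId 2108 -Message $Sample2108 | Format-List

# Live use on the DC (assumption: elevated prompt); the same function handles both IDs:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2108, 1084 } -MaxEvents 20 |
#       ForEach-Object { ConvertFrom-NtdsReplicationEvent -EventId $_.Id -Message $_.Message }
```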

Resolution:
—————-

Take a backup of the ntds.dit file under c:\windows\ntds in case anything goes wrong. If ntds.dit is not in the default location, back it up from wherever the NTDS database was placed.

Open a command prompt, navigate to c:\windows\ntds, and run the following sequence of commands.

  1. net stop ntds
  2. Run a physical consistency check with the command below. In this case it passed; if it fails, go to step 4.
    esentutl /K ntds.dit
  3. Run a logical consistency check with the command below. In this case it failed:
    esentutl /G ntds.dit

    ============================
    Checking database integrity.
    Scanning Status (% complete)

    0 10 20 30 40 50 60 70 80 90 100
    |—-|—-|—-|—-|—-|—-|—-|—-|—-|—-|
    …………………………………………
    Integrity check completed.
    Database is CORRUPTED, the last full backup of this database was on 10/25/2014 14:00:22

    Operation terminated with error -1206 (JET_errDatabaseCorrupted, Non database file or corrupted db) after 13.712 seconds.
    ============================

  4. Perform an offline defragmentation with the command below. Contact Microsoft if it fails.
    esentutl /D ntds.dit
  5. Run the logical consistency check again with the command below. This time it succeeded.
    esentutl /G ntds.dit
  6. net start ntds

Replication started working again. That's it.
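As an added example (not the post's own commands), here are the same six steps as a PowerShell script that checks each esentutl exit code, backs up the database first, runs the offline defragmentation only when a check fails, and leaves NTDS stopped rather than restarting it on a database that still fails /G. It assumes an elevated prompt, that the database path can be read from the NTDS\Parameters registry key, and a backup directory of C:\NTDS-backup.

```powershell
# Added example, not from the original post: the repair sequence above with exit-code checks.
param(
    [string]$BackupDir = 'C:\NTDS-backup',   # assumed backup location, not from the post
    [switch]$WhatIfOnly                       # report the plan without stopping anything
)
$ErrorActionPreference = 'Stop'

# The NTDS service parameters hold the real ntds.dit path (the value "ntdsutil files info"
# reports), so the script is not tied to C:\Windows\NTDS.
$dbPath = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters').'DSA Database file'
$dbDir  = Split-Path -Path $dbPath -Parent
$dbFile = Split-Path -Path $dbPath -Leaf

function Invoke-Esentutl {
    # Runs one esentutl mode (/K physical check, /G logical check, /D offline defrag) against
    # ntds.dit from the database directory and returns $true only on a zero exit code.
    param([Parameter(Mandatory)][string]$Mode)
    Push-Location -Path $dbDir
    try {
        & esentutl.exe $Mode $dbFile | Out-Host
        $ok = ($LASTEXITCODE -eq 0)
    } finally {
        Pop-Location
    }
    Write-Host ("esentutl {0} {1}: {2}" -f $Mode, $dbFile, $(if ($ok) { 'passed' } else { "failed (exit code $LASTEXITCODE)" }))
    return $ok
}

# Step 1: stop AD DS. -Force also stops the dependents (KDC, DNS Server, DFSR, Intersite
# Messaging); remember which ones were running so step 6 can bring them back.
$ntds       = Get-Service -Name NTDS
$dependents = @($ntds.DependentServices | Where-Object { $_.Status -eq 'Running' } | ForEach-Object Name)
if ($WhatIfOnly) {
    "Would stop NTDS (+ $($dependents -join ', ')), back up $dbPath to $BackupDir, then run esentutl /K, /G and /D as needed."
    return
}
Stop-Service -Name NTDS -Force

$safeToStart = $false
try {
    # Back up ntds.dit and the transaction logs before touching them (the post's first instruction).
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    Copy-Item -Path $dbPath -Destination $BackupDir
    Copy-Item -Path (Join-Path $dbDir '*.log') -Destination $BackupDir -ErrorAction SilentlyContinue

    # Steps 2 and 3: physical check, then logical check. -and short-circuits, so a failed /K
    # goes straight to the defragmentation, as the post says.
    $healthy = (Invoke-Esentutl -Mode '/K') -and (Invoke-Esentutl -Mode '/G')

    # Steps 4 and 5: only when a check failed, defragment offline and re-check.
    if (-not $healthy) {
        if (-not (Invoke-Esentutl -Mode '/D')) {
            throw "Offline defragmentation failed. Leave NTDS stopped; restore from $BackupDir or contact Microsoft."
        }
        if (-not (Invoke-Esentutl -Mode '/G')) {
            throw 'Database still fails the logical check after defragmentation; consider demoting and re-promoting this DC.'
        }
    }
    $safeToStart = $true
} catch {
    Write-Warning $_.Exception.Message
}

# Step 6: restart AD DS and its dependents, but only with a database that passed /G.
if ($safeToStart) {
    Start-Service -Name NTDS
    foreach ($name in $dependents) { Start-Service -Name $name }
    'Replication can now be retried: repadmin /replicate DC1 DC2 DC=Domain,DC=com'
} else {
    Write-Warning 'NTDS was left stopped on purpose; do not start it until the database passes esentutl /G.'
}
```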

Reference:
—————

http://support2.microsoft.com/kb/837932
http://support2.microsoft.com/kb/2645996/en-gb

One of the domain controllers in the network was failing and was reporting numerous errors with replication, active directory object updates and several other problems. The SYSVOL replication was encountering problems as well.

The event log for Active Directory Domain Services was loaded with errors. The DC was logging event IDs 467, 1173, 1084, 2108, 2042, 1925, 1645, and several others.

DC Event IDs

These logged errors included several issues. Event ID 467 clearly showed that the NTDS database was corrupt.

Event ID 467:

NTDS (584) NTDSA: Database C:\Windows\NTDS\ntds.dit: Index DRA_USN_index of table datatable is corrupted (0).

The event ID 1645 indicated that the SPN for the DC in question was not registered on the Key Distribution Center.

Event ID 1645:

Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.

Destination directory server:
60dcff58-4d57-4da6-9be1-33c4c3604d39._msdcs.domain
SPN:
E3514235-4B06-11D1-AB04-00C04FC2DCD2/60dcff58-4d57-4da6-9be1-33c4c3604d39/domain@domain

User Action
Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server’s account data to replicate to the KDC before this directory server can be authenticated.

The error 1084 showed that the server was unable to replicate AD objects.

Event ID 1084:

Internal event: Active Directory Domain Services could not update the following object with changes received from the following source directory service. This is because an error occurred during the application of the changes to Active Directory Domain Services on the directory service.

Object:
CN=%OBJNAME%,OU=%OU1%,OU=%OU2%,OU=%OU3%,DC=%DC1%,DC=%DC2%,DC=%DC3%
Object GUID:
396a9042-be32-4aa2-a6b7-255fb3f67348
Source directory service:
d33dce76-e290-4c8e-85cb-57a9f18ddcde._msdcs.domain

Synchronization of the directory service with the source directory service is blocked until this update problem is corrected.

This operation will be tried again at the next scheduled replication.

User Action
Restart the local computer if this condition appears to be related to low system resources (for example, low physical or virtual memory).

Additional Data
Error value:
8451 The replication operation encountered a database error.

Attempting to replicate the server using repadmin fails as well.

Repadmin Error

And a lengthy logged event that ultimately provided the solution. Event ID 2108 shows repair procedures that can be attempted to resolve the issues at hand.

Event ID 2108:

This event contains REPAIR PROCEDURES for the 1084 event which has previously been logged. This message indicates a specific issue with the consistency of the Active Directory Domain Services database on this replication destination. A database error occurred while applying replicated changes to the following object. The database had unexpected contents, preventing the change from being made.

Object:
CN=%OBJNAME%,OU=%OU1%,OU=%OU2%,OU=%OU3%,DC=%DC1%,DC=%DC2%,DC=%DC3%
Object GUID:
396a9042-be32-4aa2-a6b7-255fb3f67348
Source domain controller:
d33dce76-e290-4c8e-85cb-57a9f18ddcde._msdcs.domain

User Action

Please consult KB article 837932. A subset of its repair procedures are listed here.
1. Confirm that sufficient free disk space resides on the volumes hosting the Active Directory Domain Services database then retry the operation. Confirm that the physical drives hosting the NTDS.DIT and log files do not reside on drives where NTFS compression is enabled. Also check for anti-virus software accessing these volumes.
2. It may be of benefit to force the Security Descriptor Propagator to rebuild the object container ancestry in the database. This may be done by following the instructions in KB article 251343.
3. The problem may be related to the object’s parent on this domain controller. On the source domain controller, move the object to have a different parent.
4. If this machine is a global catalog and the error occurs in one of the read-only partitions, you should demote the machine as a global catalog using the Global Catalog checkbox in the Sites & Services user interface.   If the error is occurring in an application partition, you can stop the application partition from being hosted on this replica. This may be changed using the ntdsutil.exe command.
5. Obtain the most recent ntdsutil.exe by installing the latest service pack for your operating system. Prior to booting into Directory Services Restore Mode (DSRM), verify that the DSRM password is known. Otherwise reset it prior to restarting the system.
6. In DSRM, run the NT CMD prompt, run “ntdsutil files integrity”. If corruption is found and other replicas exist, then demote replica and check your hardware. If no replicas are present, restore a system state backup and repeat this verification.
7. Perform an offline defragmentation using the “ntdsutil files compact” function.
8. The “ntdsutil semantic database analysis” should also be performed. If errors are found, they may be corrected using the “go fixup” function.  Note that this should not be confused with the database maintenance function called “ESE repair”, which should not be used, since it causes data loss for Active Directory Domain Services Databases.

If none of these actions succeed and the replication error continues, you should demote this domain controller and promote it again.

Additional Data
Primary Error value:
8451 The replication operation encountered a database error.
Secondary Error value:
-1414 JET_errSecondaryIndexCorrupted, Secondary index is corrupt. The database must be defragmented

The final lines of this event showed the problem this DC was facing: the database had corrupted indexes and had to be defragmented. Step 8 was attempted first to check for errors, though none were found. The operation has to be performed while the AD DS service is not running, so the first step is to stop the service. Doing so automatically stops its dependents, which are the Kerberos KDC, DFS Replication, DNS Server and Intersite Messaging services. The semantic database analysis was then run by starting ntdsutil, activating instance NTDS, entering semantic database analysis and issuing go.

Semantic DB Analysis

With no errors being shown with the analysis, the offline defragmentation was executed and a new NTDS.dit file was generated. A full backup was taken and the current NTDS DB was replaced with the newly defragmented file.

Defrag NTDS DB

All the stopped services were restarted. Following the defragmentation, the DC recovered from all the errors and was able to resume normal operations.

Success Event IDs

The SYSVOL DFSR replication was also in an error state. Event IDs 2212, 2213 and 6804 were being logged. ID 2213 provided the solution as well to resume the DFS replication by running the following command from an elevated prompt. Take care of the notice in this Microsoft KB when resuming DFS replication.

wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="GUID" call ResumeReplication

DFS replication resumed, however, additional errors were soon logged, most notably event ID 6016.

Event ID 6016:

The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically.

Additional Information:
Object Category: msDFSR-Subscription
Object DN: CN=56c779af-e088-4cdf-a87e-afaf34c8daa2,CN=0c3e30a1-22f5-4d82-b5f1-39a610bfef89,CN=DFSR-LocalSettings,CN=DC,OU=Domain Controllers,DC=domain
Error: 5 (Access is denied.)
Domain Controller: dc.domain
Polling Cycle: 60

The DC was unable to update its configuration in ADDS due to an access denied error. ADSIEdit was launched to check the permissions settings for this configuration entry. The permissions for the computer object belonging to this domain controller were missing. Full control permissions were added back for the computer object.

ADSI DC

The DFS Replication service was restarted and the server was able to successfully resume replication.

DFSR DC Log

Isn't it great when the logged events themselves provide the needed solutions!


My Original error –

DC=DomainDnsZones,DC=<domain>,DC=co,DC=uk
Default-First-Site-Name<DC> via RPC
DSA object GUID: eecaebcb-34ce-4ea0-8966-65a6a6bd7699
Last attempt @ 2017-01-06 10:49:52 failed, result 8451 (0x2103):
The replication operation encountered a database error.
793 consecutive failure(s).
Last success @ 2016-12-30 19:48:26.

The following saved me from a demote and re-promote on Windows Server 2016 domain controllers.

  • For Windows Server 2008 and later versions
    Take one of the following actions:

    • Stop the “Active Directory Domain Services” or LDS instance.
    • Start “msconfig,” and go to the boot pane. Select the OS installation that you want to configure. Select Safe Boot in the Boot options section, and also select the Active Directory repair item. After you click OK, the tool asks you to restart. Restart the computer.
  • Log on to the administrator account by using the password that is defined for the local administrator account in the Directory Service Restore Mode SAM. For more information about how to use the offline SAM database, click the following article number to view the article in the Microsoft Knowledge Base:

    223301 Protection of the administrator account in the offline SAM

  • Click Start, point to Programs, point to Accessories, and then click Command Prompt.
  • At the command prompt, type cmd, and then press Enter.
  • NTDSUTIL uses the TEMP and TMP environment variables to create a temporary database during defragmentation. If the free space on your standard volume used is less than the size of the compacted database, you receive the following error:

    file maintenance: compact to d:\compactDB
    Initiating DEFRAGMENTATION mode...
    Source Database: D:\windows\NTDS\ntds.dit
    Target Database: d:\compactDB\ntds.dit

    Defragmentation  Status (% complete)

    0    10   20   30   40   50   60   70   80   90  100
    |----|----|----|----|----|----|----|----|----|----|
    ........................

    Operation terminated with error -1808( JET_errDiskFull, No space left on disk ).

    In the Application log, you see an event that resembles the following:

    Log Name:      Application
    Source:        ESENT
    Event ID:      482
    Task Category: General
    Level:         Error
    Keywords:      Classic
    Description: NTDS (12852) An attempt to write to the file "C:\Users\administrator\AppData\Local\Temp\tmp.edb" at offset 49315536896 (0x0000000b7b6f6000) for 0 (0x00000000) bytes failed after 0.015 seconds with system error 112 (0x00000070): "There is not enough space on the disk. ". The write operation will fail with error -1808 (0xfffff8f0). If this error persists then the file may be damaged and may need to be restored from a previous backup.

    In this case, set the environment variables TMP and TEMP to a volume that has enough free space for the task. For example, use the following settings:

    Md d:\temp

    Set tmp=d:\temp

    Set temp=d:\temp

    Note This problem can also occur during an integrity check of the database.

  • Run NTDSUTIL.

  • For Windows 2008 and later versions
    Type activate instance ntds to select the Active Directory database instance.  Use the LDS instance name if you want to compact an LDS database.
  • Type files, and then press Enter.
  • Type info, and then press Enter. This displays current information about the path and size of the Active Directory database and its log files. Note the path.
  • Establish a location that has sufficient drive space for the compacted database to be stored.
  • Type compact to drive:\directory, and then press Enter. In this command, the placeholders drive and directory represent the path of the location that you established in the previous step. Note You must specify a directory path. If the path contains any spaces, the whole path must be enclosed in quotation marks. For example, type:

    compact to "c:\new folder"

  • A new database that is named Ntds.dit or AdamNtds.dit is created in the path that you specified.
  • Type quit, and then press Enter. Type quit again to return to the command prompt.
  • If defragmentation succeeds without errors, follow the Ntdsutil.exe on-screen instructions. Delete all the log files in the log directory by typing the following command:

    del drive:\pathToLogFiles\*.log

    Copy the new Ntds.dit or AdamNtds.dit file over the old database file in the current database path that you noted in step 5.

    Note You do not have to delete the Edb.chk file.

Disclaimer

I am writing this blog and others to explain how things work and some ways deployment and operational tasks can be handled. In other words, these postings are for demonstration purposes only. Since I am not familiar with your organization or environment I do not know if these steps are applicable to your environment or are even safe to perform in your environment. It is recommended that you contact Microsoft Support prior to making changes in your environment to ensure that these steps are applicable to your environment, and are safe to perform in your environment. By writing this blog I am in no way recommending that you perform these steps in your own environment. If you choose to follow the steps outlined in this or other blog postings on this site, you are assuming the risk for your actions.

1.1 Repadmin.exe

Repadmin is a tool for checking replication status and troubleshooting replication issues. The table below highlights commonly used syntax of the repadmin tool.

Syntax Usage
Repadmin /replsummary The replsummary operation quickly and concisely summarizes the replication state and relative health of a forest.
Repadmin /replsummary /bysrc /bydest /sort:delta The same summary, listed by source and by destination domain controller and sorted by the delta since the last successful replication.
Repadmin /showrepl <DC Name> Displays the replication partners for each directory partition on the specified domain controller. Helps the administrator build a visual representation of the replication topology and see the role of each domain controller in the replication process.
Repadmin /showutdvec Displays the highest Update Sequence Number (USN) for the specified domain controller. This information shows how up-to-date a replica is with its replication partners.
Repadmin /showobjmeta <DC> <DN of object> Displays the replication metadata for a specified object stored in Active Directory, such as attribute ID, version number, originating and local Update Sequence Number (USN), and originating server’s GUID and Date and Time stamp. By comparing the replication metadata for the same object on different domain controllers, an administrator can determine whether replication has taken place.
Repadmin /showconn Displays the connection objects for a specified domain controller. Default is local site.
Repadmin /replsingleobj <DC List> <Source DSA Name> <Object DN> Replicates a single object between any two domain controllers that have partitions in common. The two domain controllers do not need to have a replication agreement. Replication agreements can be shown by using the Repadmin /showrepl command.
Repadmin /replicate <Destination_DC_List> <Source DC> <Naming Context> Starts a replication event for the specified directory partition between the source and destination domain controllers. The source DC can be given by name or by its DSA object GUID, which is shown in the replication partner list produced by the Repadmin /showrepl operation.
Repadmin /syncall <DC> Synchronizes a specified domain controller with all replication partners.
Repadmin /queue Displays tasks waiting in the replication queue.
Repadmin /showmsg <Error> Displays the error message for a given error number.
Repadmin /viewlist <DC_List> Displays a list of domain controllers.
Repadmin /showctx <DC_List> Displays a list of computers that have opened sessions with a specified domain controller.
Repadmin /showcert Displays the server certificates loaded on a specified domain controller.
Repadmin /removelingeringobjects <Dest_DC_List> <Source DC GUID> <NC> [/ADVISORY_MODE] Uses an authoritative domain controller to compare the directory of a domain controller (destination) that is suspected of having lingering objects against the directory of a domain controller (source) that is designated as a reference source for up-to-date values for the domain of the destination. When the advisory mode parameter is used, this command provides a list of found lingering objects. When the advisory mode parameter is not used, this command removes lingering objects from the destination domain controller.

Additional information on Repadmin.exe is available here: https://technet.microsoft.com/en-us/library/cc736571(v=ws.10).aspx

1.2                 Repadmin /replsummary

repadmin /replsummary gives replication statistics for each replication partner and lists any errors that were encountered. This is useful for getting an overview of any replication issues a DC is having.

You can also sort the output. For example, repadmin /replsummary /bysrc /bydest /sort:delta sorts by the largest delta since the last successful replication.

1.3                 Repadmin /showrepl

repadmin /showrepl shows the replication status with all of the DC's replication partners, grouped by the naming context being replicated.

One trick for getting a more manageable output is to have repadmin write CSV and then use PowerShell to turn that CSV into a GridView: repadmin /showrepl * /csv | ConvertFrom-Csv | Out-GridView

The result is a sortable, filterable GUI. Filtering on Number of Failures, for example, shows only the links that have failed.

1.4                 Repadmin /showutdvec

Replication changes are tracked through incrementing numbers called USNs. There are times when you will want to know what each DC knows about the current state of the other DCs. The up-to-dateness vector is exactly that knowledge: for each partner, the highest USN from that partner the DC has already received. This is useful when troubleshooting issues such as USN rollback. USN rollback happens when a DC is restored by an unsupported method such as a virtual machine snapshot; its partners' up-to-dateness vectors then record a higher USN for that DC than the DC's own current USN. Because replication is never instantaneous you will notice small differences, but the numbers should be relatively close. For example, if you compare the up-to-dateness vector for DC01 across DCs you may see: DC01 reports a USN of 17347 for itself, DC02 has a USN of 17346 for DC01, and DC03 has a USN of 17346 for DC01. The numbers are close, and DC01 potentially has one change it still needs to replicate to DC02 and DC03.

1.5                 Repadmin /showobjmeta

The /showobjmeta switch shows detailed replication metadata for the attributes of an object. It is most commonly used by comparing the output from two DCs to see whether they are in sync and what the current version of each attribute is. Differences point to replication problems.

1.6                 Repadmin /syncall

Repadmin /syncall is used to force replication between domain controllers. You can view the options for the /syncall switch with: repadmin /syncall /?

A typical invocation is repadmin /syncall <DC> /AeP, which synchronizes all partitions (A), crosses site boundaries (e), and pushes changes from the DC to its partners instead of pulling (P).

1.7                 Repadmin /showmsg

The /showmsg switch converts an error number you receive from a repadmin command (or from an event) into its human-readable text, for example repadmin /showmsg 8451.

1.8                 Repadmin /viewlist

Repadmin /viewlist is used to get a list of domain controllers.

1.9                 PowerShell

PowerShell is an object-oriented scripting language that allows enterprises to automate IT tasks.

Below is a conversion table showing the PowerShell cmdlet that can be used in place of each repadmin command. Why choose PowerShell? Its commands return objects, and those objects can be filtered on their properties, piped through other cmdlets and manipulated in many useful ways, including fine control over how the data is presented.

Repadmin command            PowerShell cmdlet
Repadmin /FailCache         Get-ADReplicationFailure
Repadmin /Queue             Get-ADReplicationQueueOperation
Repadmin /ReplSingleObj     Sync-ADObject
Repadmin /ShowConn          Get-ADReplicationConnection
Repadmin /ShowObjMeta       Get-ADReplicationAttributeMetadata
Repadmin /ReplSummary       Get-ADReplicationPartnerMetadata
Repadmin /ShowUtdVec        Get-ADReplicationUpToDatenessVectorTable
Repadmin /SiteOptions       Set-ADReplicationSite
Repadmin /ShowAttr          Get-ADObject
Repadmin /SetAttr           Set-ADObject

Get-ADReplicationPartnerMetadata is very similar to running repadmin /showrepl. Without passing the output through another cmdlet, the formatting is a bit different from what you get with repadmin.

The advantage, however, is that the output is a set of objects. You can constrain the view to the properties you care about.

The other advantage is that you can pass those objects through other cmdlets, for example piping the output of Get-ADReplicationPartnerMetadata into Out-GridView.

Once in GridView you can sort and filter the data.

A further example of the usefulness of PowerShell over repadmin: take the output of Get-ADReplicationPartnerMetadata and pass it through Select-Object to limit which properties are presented before it reaches GridView.
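As an added example (not code from the original post), the following function builds the forest-wide inbound replication report that the text describes around Get-ADReplicationPartnerMetadata and Out-GridView, but also classifies each link, flags 8451 specifically, and keeps DCs that cannot be queried in the report. It assumes the ActiveDirectory module is installed and that the caller can query replication metadata on every DC; the DC list comes from Get-ADDomainController and the 24-hour staleness threshold is an arbitrary default.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and rights to read replication metadata on every DC in the forest.
Import-Module ActiveDirectory

function Get-ReplicationHealthReport {
    param(
        # Default: every DC in the forest, by FQDN.
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName),
        # Links with no success in this many hours are reported as stale (arbitrary default).
        [int]$WarnAfterHours = 24
    )
    foreach ($dc in $DomainController) {
        try {
            $links = Get-ADReplicationPartnerMetadata -Target $dc -Scope Server -PartnerType Inbound -ErrorAction Stop
        } catch {
            # A DC that cannot be queried is a finding in itself; keep it in the report.
            [pscustomobject]@{
                Server = $dc; Partner = $null; Partition = $null; LastSuccess = $null
                Failures = $null; ResultCode = $null; Status = "QUERY FAILED: $($_.Exception.Message)"
            }
            continue
        }
        foreach ($l in $links) {
            $ageHours = if ($l.LastReplicationSuccess) {
                [math]::Round(((Get-Date) - $l.LastReplicationSuccess).TotalHours, 1)
            } else { $null }

            if ($l.LastReplicationResult -eq 8451) {
                $status = 'ERROR 8451 (database error): run an offline integrity check on the DC reporting it'
            } elseif ($l.LastReplicationResult -ne 0) {
                $status = "ERROR $($l.LastReplicationResult)"
            } elseif ($null -eq $ageHours -or $ageHours -gt $WarnAfterHours) {
                $status = "STALE (last success $ageHours h ago)"
            } else {
                $status = 'OK'
            }

            [pscustomobject]@{
                Server      = $l.Server
                # Partner is the DN of the partner's NTDS Settings object; the server name is the second RDN.
                Partner     = ($l.Partner -split ',')[1] -replace '^CN='
                Partition   = $l.Partition
                LastSuccess = $l.LastReplicationSuccess
                Failures    = $l.ConsecutiveReplicationFailures
                ResultCode  = $l.LastReplicationResult
                Status      = $status
            }
        }
    }
}

# Usage: problem rows first, then the same sort-and-filter GridView the text describes.
Get-ReplicationHealthReport |
    Sort-Object @{ Expression = { $_.Status -eq 'OK' } }, Server, Partition |
    Out-GridView -Title 'Inbound replication status (all DCs)'
```

The ResultCode column is the same number repadmin /showmsg decodes, so a row with 8451 here corresponds to the "Error issuing replication : 8451 (0x2103)" output shown later on this page.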

1.10             Replication Errors

Here is a list of replication errors you may come across, either as event IDs in the Directory Service event log or as error codes returned by repadmin.

Event ID or error code   Issue
1388                     Lingering objects
1988                     Lingering objects
2042                     Lingering objects (it has been too long since this DC replicated with the named partner)
1925                     DNS lookup issues or connectivity problems
2087                     DNS lookup issues
2088                     DNS lookup issues
1311                     Replication topology issues
8614                     Tombstone lifetime exceeded
8524                     DNS lookup failure
8456                     Server is currently rejecting replication requests
8457                     Server is currently rejecting replication requests
8453                     Access was denied
8452                     The naming context is in the process of being removed or is not replicated from the specified server
5                        Access is denied
-2146893022              The target principal name is incorrect (0x80090322, SEC_E_WRONG_PRINCIPAL)
1753                     There are no more endpoints available from the endpoint mapper
1722                     The RPC server is unavailable
1396                     Logon failure: the target account name is incorrect
1256                     The remote system is not available
1127                     While accessing the hard disk, a disk operation failed even after retries
8451                     The replication operation encountered a database error
8606                     Insufficient attributes were given to create an object

2              Troubleshooting Steps for Common Replication Issues

2.1                 Troubleshooting -2146893022 (The target principal name is incorrect)

On the DC that is the cause of the error (the one whose computer account password is out of sync with its partners), perform the following steps:

Step 1: Open Services.msc

Step 2: Set the startup type of the Kerberos Key Distribution Center (KDC) service to Manual

Step 3: Stop the service

Step 4: Restart the domain controller

Step 5: Open PowerShell as an administrator

Step 6: Run: $cred = Get-Credential

Step 7: Enter domain administrator credentials and click OK

Step 8: Run: Reset-ComputerMachinePassword -Server <HealthyDC> -Credential $cred, where <HealthyDC> is a correctly replicating domain controller other than the one you are on

Step 9: Restart the server

Step 10: Set the KDC service back to Automatic, start the service, and click OK
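As an added example (not code from the original post), here are the ten steps above as three functions, one per reboot boundary, with the checks the manual steps leave to the operator: that the -Server passed to Reset-ComputerMachinePassword is a different DC that actually answers on LDAP, that the KDC really is stopped, and that replication is rechecked afterwards. It assumes an elevated PowerShell on the affected DC; the healthy DC name is a placeholder you supply.

```powershell
# Added example, not from the original post. Run elevated on the DC that
# owns the stale machine account password; $HealthyDC is a placeholder.
function Start-KdcResetPhase1 {
    # Steps 1-4: park the KDC so this DC issues no tickets with the stale key, then reboot.
    Set-Service -Name Kdc -StartupType Manual
    Stop-Service -Name Kdc -Force
    Restart-Computer -Force
}

function Start-KdcResetPhase2 {
    param([Parameter(Mandatory)][string]$HealthyDC)   # e.g. 'DC01.fabrikam.com' (placeholder)
    # Steps 5-9. Reset-ComputerMachinePassword writes the new password to the DC named in
    # -Server, so that must be a different, healthy DC, not the broken one we are standing on.
    if (($HealthyDC -split '\.')[0] -ieq $env:COMPUTERNAME) {
        throw "-Server must be another domain controller, not $env:COMPUTERNAME"
    }
    if (-not (Test-NetConnection -ComputerName $HealthyDC -Port 389 -InformationLevel Quiet)) {
        throw "$HealthyDC is not answering on LDAP/389; pick a reachable DC"
    }
    if ((Get-Service -Name Kdc).Status -ne 'Stopped') {
        throw 'The KDC service is still running; run phase 1 first'
    }
    $cred = Get-Credential -Message 'Domain admin credentials for the machine password reset'
    Reset-ComputerMachinePassword -Server $HealthyDC -Credential $cred
    Restart-Computer -Force
}

function Start-KdcResetPhase3 {
    # Step 10, plus a check: bring the KDC back and list only the inbound links that still fail.
    Set-Service -Name Kdc -StartupType Automatic
    Start-Service -Name Kdc
    & repadmin.exe /showrepl $env:COMPUTERNAME /errorsonly
}

# Usage, one call per boot:
#   Start-KdcResetPhase1
#   Start-KdcResetPhase2 -HealthyDC 'DC01.fabrikam.com'
#   Start-KdcResetPhase3
```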

2.2                 Troubleshoot Replication Error 8606, Event ID 1388, and Event ID 1988

These issues are caused by lingering objects. Lingering objects appear when a domain controller is taken offline for an extended period, does not replicate for longer than the tombstone lifetime (TSL), or is restored from a backup that is older than the TSL.

When an object is deleted it is put into a tombstone state. After the tombstone lifetime passes (typically 180 days; 60 days in forests created with older versions of Windows Server), each DC's garbage collection removes the tombstones. If a DC was offline for the entire TSL and is then brought back online, it may still hold objects that have since been deleted, tombstoned and garbage collected everywhere else. These objects go unnoticed until a change is made to one of them and the DC attempts to replicate it; at that point the object is either re-introduced into the environment or, if strict replication consistency is enabled, replication from that DC is blocked.

2.2.1   How to Determine TSL

Run the following command: dsquery * "cn=directory service,cn=windows nt,cn=services,cn=configuration,<Forest DN>" -scope base -attr tombstonelifetime
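As an added example (not code from the original post), this PowerShell reads the same tombstoneLifetime attribute the dsquery command above does, applies the 60-day default that applies when the attribute is absent, and then lists every inbound replication link in the forest whose last success is older than the TSL, which is exactly the condition that produces lingering objects. It assumes the ActiveDirectory module; the forest name is taken from Get-ADForest.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # Same object the dsquery command reads. An absent attribute means the 60-day
    # default of forests created before Windows Server 2003 SP1.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties tombstoneLifetime
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Get-PartnersBeyondTombstoneLifetime {
    param([int]$TslDays = (Get-TombstoneLifetimeDays))
    $cutoff = (Get-Date).AddDays(-$TslDays)
    # Every inbound link in the forest whose last success predates the cutoff
    # (or that never succeeded) is a lingering-object candidate.
    Get-ADReplicationPartnerMetadata -Target (Get-ADForest).Name -Scope Forest -PartnerType Inbound |
        Where-Object { $null -eq $_.LastReplicationSuccess -or $_.LastReplicationSuccess -lt $cutoff } |
        ForEach-Object {
            [pscustomobject]@{
                Server           = $_.Server
                # Partner is the NTDS Settings DN of the partner; the server name is the second RDN.
                Partner          = ($_.Partner -split ',')[1] -replace '^CN='
                Partition        = $_.Partition
                LastSuccess      = $_.LastReplicationSuccess
                DaysSinceSuccess = if ($_.LastReplicationSuccess) { [int]((Get-Date) - $_.LastReplicationSuccess).TotalDays } else { $null }
                TslDays          = $TslDays
            }
        }
}

# Usage
"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
Get-PartnersBeyondTombstoneLifetime | Format-Table -AutoSize
```

An empty result from Get-PartnersBeyondTombstoneLifetime does not prove there are no lingering objects (a DC restored from an old backup reports a recent LastReplicationSuccess), but any row it does return is a DC that should be checked with /removelingeringobjects in advisory mode before it is allowed to replicate outbound.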

2.2.2   How to Remove Lingering Objects

2.2.2.1          Repadmin /removelingeringobjects

One way to remove lingering objects is to use repadmin with the /removelingeringobjects switch. First you must identify a clean source for the partition. The syntax is repadmin /removelingeringobjects <Dest DC Name> <Source DC GUID> <Naming Context> [/ADVISORY_MODE]. In other words, you need the source DC's DSA GUID and the naming context you want to clean. The naming context is given in the Event 1388 or 1988 you received in the event log. Once you have found a clean source you can obtain its GUID from DNS Manager: open the _msdcs zone of the forest and read the CNAME record for the DC in question, which is named <DSA GUID>._msdcs.<forest>. Run the command with /ADVISORY_MODE first; it only lists the lingering objects it would remove, which lets you confirm the source and partition are right before anything is deleted.

When run without /ADVISORY_MODE, Event 1937 is logged when the removal of lingering objects begins.

Event 1939 is logged when the removal completes.
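As an added example (not code from the original post), the following resolves the clean source's DSA GUID from its NTDS Settings object instead of reading the _msdcs CNAME by hand, runs repadmin /removelingeringobjects in advisory mode against every partition the destination holds (or only the ones you name), and then pulls the related Directory Service events. It assumes the ActiveDirectory module and that repadmin.exe is on the path; DC01 and DC02 are placeholders. The event IDs 1937 and 1939 are the ones the text gives for a real removal; 1938, 1942 and 1946 are the advisory-mode start, summary and per-object events as I know them, so confirm them against your own log.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and repadmin.exe; DC names below are placeholders.
Import-Module ActiveDirectory

function Get-DsaGuid {
    param([Parameter(Mandatory)][string]$DomainController)
    $dc = Get-ADDomainController -Identity $DomainController
    # The DSA GUID repadmin wants is the objectGUID of the DC's NTDS Settings object,
    # the same value that names its <GUID>._msdcs CNAME.
    (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID.ToString()
}

function Invoke-LingeringObjectCheck {
    param(
        [Parameter(Mandatory)][string]$DestinationDC,   # DC suspected of holding lingering objects
        [Parameter(Mandatory)][string]$SourceDC,        # clean, authoritative DC for the partition(s)
        [string[]]$Partition,                           # default: every partition the destination hosts
        [switch]$Remove                                 # without this, only /ADVISORY_MODE is used
    )
    $sourceGuid = Get-DsaGuid -DomainController $SourceDC
    if (-not $Partition) {
        $Partition = (Get-ADDomainController -Identity $DestinationDC).Partitions
    }
    foreach ($nc in $Partition) {
        $rpArgs = @('/removelingeringobjects', $DestinationDC, $sourceGuid, $nc)
        if (-not $Remove) { $rpArgs += '/ADVISORY_MODE' }
        Write-Verbose "repadmin $($rpArgs -join ' ')" -Verbose
        $out = & repadmin.exe @rpArgs 2>&1
        [pscustomobject]@{
            Partition = $nc
            Advisory  = -not $Remove
            ExitCode  = $LASTEXITCODE
            Output    = ($out -join "`n")
        }
    }
}

function Get-LingeringObjectEvents {
    param([Parameter(Mandatory)][string]$DestinationDC, [int]$LastHours = 1)
    # 1937/1939: real removal started/completed (from the text).
    # 1938/1942/1946: advisory-mode started/summary/per-object (assumed; verify in your log).
    Get-WinEvent -ComputerName $DestinationDC -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 1937, 1938, 1939, 1942, 1946
        StartTime = (Get-Date).AddHours(-$LastHours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

# Usage: advisory pass on the domain partition only, then read what it found.
Invoke-LingeringObjectCheck -DestinationDC 'DC02' -SourceDC 'DC01' -Partition 'DC=fabrikam,DC=com' |
    Format-List Partition, Advisory, ExitCode
Get-LingeringObjectEvents -DestinationDC 'DC02' | Format-Table -Wrap
# Only after reviewing the advisory output:
#   Invoke-LingeringObjectCheck -DestinationDC 'DC02' -SourceDC 'DC01' -Partition 'DC=fabrikam,DC=com' -Remove
```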

2.2.2.2          Repadmin /rehost

An alternative to repadmin /removelingeringobjects is to unhost the partition, so that the domain controller no longer holds it, and then rehost the entire partition from a good source. This applies to read-only partitions such as the partial replicas a global catalog holds; a DC's own writable domain partition cannot be unhosted.

The repadmin syntax for unhosting the partition is repadmin /unhost <DC Name> <Partition Name>

Event 1658 is logged when the removal begins.

Event 1660 is logged when the removal completes.

The syntax for rehosting the partition is: repadmin /rehost <Dest DC Name> <Partition> <Source DC Name>

2.3                 Troubleshooting Event ID 2042

Review the event log for any 1988 or 1388 events. If found, use the previous section to remove the lingering objects from the domain controller.

Option 1: Re-hosting the partition that has not replicated

If the partition is a read-only global catalog partition, consider unhosting and rehosting it. Instructions for unhosting and rehosting are in the previous section, Repadmin /rehost.

Option 2: Removing and then re-adding the domain controller to Active Directory

Another option is removing the DC from Active Directory and Re-promoting the Domain Controller

Step 1: Run: Import-Module ADDSDeployment

Step 2: Run: Uninstall-ADDSDomainController -DemoteOperationMasterRole:$true -Force:$true

Step 3: Enter and confirm the new local Administrator password when prompted

Step 4: After the demotion, run the Install-ADDSDomainController cmdlet. Below is a template; adjust the paths, domain name, site and replication source to your environment. The cmdlet has no RebootOnCompletion parameter; -NoRebootOnCompletion:$true leaves the reboot to you.

Install-ADDSDomainController -NoGlobalCatalog:$false -CreateDnsDelegation:$false -CriticalReplicationOnly:$false -DatabasePath "C:\Windows\NTDS" -DomainName "fabrikam.com" -InstallDns:$true -LogPath "C:\Windows\NTDS" -NoRebootOnCompletion:$true -ReplicationSourceDC "DC01.fabrikam.com" -SiteName "Default-First-Site-Name" -SysvolPath "C:\Windows\SYSVOL" -Force:$true

Option 3: Enabling Replication with Divergent and Corrupt Partner

Because of the risk of introducing lingering objects into Active Directory, enabling the setting Allow Replication With Divergent and Corrupt Partner should be the last resort, and it must be turned back off as soon as replication has completed.

Step 1: To enable this setting run the following command on the domain controller:

repadmin /regkey <hostname> +allowDivergent

Step 2: Let replication complete

Step 3: Disable the setting with the following command: repadmin /regkey <hostname> -allowDivergent
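As an added example (not code from the original post), the following audits the two registry values behind repadmin /regkey on every DC, so that a DC left with the divergent-partner override enabled (Step 3 above forgotten) or with strict replication consistency not enabled shows up as a finding. repadmin /regkey writes Allow Replication With Divergent and Corrupt Partner and Strict Replication Consistency under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters; the check assumes WinRM access to the DCs and the ActiveDirectory module.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# and WinRM (Invoke-Command) access to every DC.
Import-Module ActiveDirectory

function Get-NtdsConsistencySettings {
    param([string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName))
    Invoke-Command -ComputerName $DomainController -ScriptBlock {
        $p = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
        [pscustomobject]@{
            Server                       = $env:COMPUTERNAME
            # 1 = lingering objects are blocked (what you want); $null = value not present.
            StrictReplicationConsistency = $p.'Strict Replication Consistency'
            # 1 = the override from 'repadmin /regkey +allowDivergent' is still on (a finding).
            AllowDivergent               = $p.'Allow Replication With Divergent and Corrupt Partner'
        }
    } | Select-Object Server, StrictReplicationConsistency, AllowDivergent
}

function Test-NoDivergentOverride {
    # Returns $true only when no DC has the override on and every DC has strict consistency set.
    $settings  = Get-NtdsConsistencySettings
    $leftOn    = @($settings | Where-Object { $_.AllowDivergent -eq 1 })
    $strictOff = @($settings | Where-Object { $_.StrictReplicationConsistency -ne 1 })
    foreach ($s in $leftOn) {
        Write-Warning "$($s.Server): allowDivergent is still set; run: repadmin /regkey $($s.Server) -allowDivergent"
    }
    foreach ($s in $strictOff) {
        Write-Warning "$($s.Server): strict replication consistency is not enabled; run: repadmin /regkey $($s.Server) +strict"
    }
    return ($leftOn.Count -eq 0 -and $strictOff.Count -eq 0)
}

# Usage
Get-NtdsConsistencySettings | Format-Table -AutoSize
if (-not (Test-NoDivergentOverride)) { Write-Warning 'Fix the DCs listed above before trusting replication again.' }
```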

2.4                 Troubleshooting Event ID 1311

Event 1311 is logged when the KCC cannot build a complete replication topology, which usually means there is not complete connectivity between domain controllers. There are a number of reasons connectivity may be incomplete.

2.4.1   ISTG

The Inter-Site Topology Generator (ISTG) of each site is responsible for building the inter-site replication topology. To determine the scope of the connectivity issue, identify which ISTGs are logging 1311.

One way to find the ISTGs in your environment is ldp.exe.

The steps for locating the ISTGs:

Step 1: Launch ldp.exe

Step 2: When LDP opens, select Connection and then Connect…

Step 3: In the Connect dialog box, enter the name of a Domain Controller for the Server you want to connect to and then click OK

Step 4: Click on Connection and then click Bind…

Step 5: In the Bind dialog box, click OK

Step 6: Select the Browse menu and then select Search

Step 7: In the search enter the following:

Base DN: CN=Sites,CN=Configuration,<DN of Forest Root> (example: CN=Sites,CN=Configuration,DC=fabrikam,DC=com)

Filter: (CN=NTDS Site Settings)

Scope: Subtree

Attributes: Append the following to the attributes that are already listed: ;interSiteTopologyGenerator

Step 8: Click Run

Step 9: For each site, read the interSiteTopologyGenerator attribute of its NTDS Site Settings object; it holds the DN of the NTDS Settings object of that site's ISTG.

2.4.2   BASL

By default, Bridge All Site Links (BASL) is enabled in Active Directory. If your environment is not fully routed, disable BASL. Fully routed means every site can reach every other site over the network. If BASL is left on in a network that is not fully routed, the KCC assumes transitive paths between sites that cannot actually be reached and builds connections over them. To determine whether BASL is enabled, launch Active Directory Sites and Services (dssite.msc).

Expand Sites, then Inter-Site Transports.

Right-click IP and select Properties from the context menu.

If Bridge all site links is enabled, its checkbox is checked. To disable BASL, clear the checkbox and click OK.

2.4.3   Site Link Bridges

If you disable BASL you can still bridge individual site links. You would do that if you wanted two spoke sites to replicate directly when they cannot reach the hub site. In a hub-and-spoke configuration the cost of crossing two site links (the bridged path) is typically higher than the direct link to the hub, so ordinarily the bridge will not be chosen over the direct site link. That said, there are not many scenarios where you need to create site link bridges.

The following steps bridge two site links.

Step 1: Open the Active Directory Sites and Services MMC.

Step 2: Expand Sites and then expand Inter-Site Transports.

Step 3: Right-click IP and select New Site Link Bridge... from the context menu.

Step 4: Add at least two site links to the bridge, give it a name, and click OK.

The site link bridge is now in place.

2.4.4   Verify that all Sites are in a Site Link

Step 1: Run the following in a PowerShell console: Get-ADObject -LDAPFilter '(objectClass=site)' -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -Properties Name | Format-Table Name

Step 2: Then run: Get-ADObject -LDAPFilter '(objectClass=siteLink)' -SearchBase (Get-ADRootDSE).ConfigurationNamingContext -Properties Name, Cost, Description, SiteList | Format-List Name, SiteList

Step 3: Verify that each site listed in Step 1 appears in at least one of the site lists returned in Step 2.

If not all sites are contained in a site link, determine which existing site link the site should be added to, or whether a new site link needs to be created.
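As an added example (not code from the original post), the following does the ISTG lookup of section 2.4.1 and the site-link membership check of section 2.4.4 in one pass, without ldp.exe or the manual comparison in Step 3: it reads interSiteTopologyGenerator from every NTDS Site Settings object, collects the siteList of every site link, and returns one object per site with its ISTG and whether it belongs to any site link. It assumes the ActiveDirectory module.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SiteTopologySummary {
    $configNC  = (Get-ADRootDSE).configurationNamingContext
    $sitesBase = "CN=Sites,$configNC"

    # ISTG per site. The DN of an NTDS Site Settings object is
    # CN=NTDS Site Settings,CN=<site>,CN=Sites,...; the attribute value is the DN of the
    # ISTG's NTDS Settings object, CN=NTDS Settings,CN=<server>,CN=Servers,... (second RDN).
    $istg = @{}
    Get-ADObject -LDAPFilter '(cn=NTDS Site Settings)' -SearchBase $sitesBase -SearchScope Subtree -Properties interSiteTopologyGenerator |
        ForEach-Object {
            $site = ($_.DistinguishedName -split ',')[1] -replace '^CN='
            $istg[$site] = if ($_.interSiteTopologyGenerator) {
                ($_.interSiteTopologyGenerator -split ',')[1] -replace '^CN='
            } else { $null }
        }

    # Every site, and the set of sites named in at least one site link (siteList holds site DNs).
    $sites  = Get-ADObject -LDAPFilter '(objectClass=site)' -SearchBase $sitesBase -SearchScope Subtree |
                  Select-Object -ExpandProperty Name
    $linked = @{}
    Get-ADObject -LDAPFilter '(objectClass=siteLink)' -SearchBase $sitesBase -SearchScope Subtree -Properties siteList |
        ForEach-Object {
            foreach ($dn in $_.siteList) { $linked[(($dn -split ',')[0] -replace '^CN=')] = $true }
        }

    foreach ($s in $sites) {
        [pscustomobject]@{
            Site       = $s
            ISTG       = $istg[$s]             # $null: no ISTG recorded for the site
            InSiteLink = $linked.ContainsKey($s)
        }
    }
}

# Usage: anything with InSiteLink false, or no ISTG, needs attention.
Get-SiteTopologySummary | Sort-Object InSiteLink, Site | Format-Table -AutoSize
Get-SiteTopologySummary | Where-Object { -not $_.InSiteLink -or -not $_.ISTG }
```

A site with no ISTG is not necessarily broken (a site with no domain controllers has none), but a site that holds DCs and is missing from every site link is exactly the configuration that leaves the KCC unable to connect it and logging 1311.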

And that is all I have for replication troubleshooting for today.

-Chris

repadmin /syncall /AePdq
Error issuing replication : 8451 (0x2103)
The replication operation encountered a database error.

Reboot the DC and press F8 during startup to select Directory Services Restore Mode, so that the database is offline. (On VMware the boot is usually too fast to catch F8: enter the BIOS setup menu from the VM settings, then exit it and press F8 as Windows starts.) On Windows Server 2008 and later you can instead stop the NTDS service (Stop-Service NTDS) from a normal boot, since AD DS is a restartable service.

Before running any tool against the database, copy the contents of the NTDS folder (ntds.dit, the edb*.log files and edb.chk) somewhere safe; recovery rewrites both the database and the logs.

Check whether the database is corrupted. If it is, proceed with the next steps.

C:\Windows\NTDS>ESENTUTL /g C:\Windows\NTDS\ntds.dit /!10240 /8 /o
Initiating INTEGRITY mode...
Database: C:\Windows\NTDS\ntds.dit
Temp. Database: .\TEMPINTEG4820.EDB
Checking database integrity.
The database is not up-to-date. This operation may find that
this database is corrupt because data from the log files has
yet to be placed in the database.
To ensure the database is up-to-date please use the 'Recovery' operation.
Scanning Status (% complete)
          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................
Integrity check completed.
Database is CORRUPTED, the last full backup of this database was on 04/20/2019 12:31:03
Operation terminated with error -1206 (JET_errDatabaseCorrupted, Non database file or corrupted db) after 7.93 seconds.

C:\Windows\NTDS>NTDSUTIL
NTDSUTIL: active instance ntds
Error parsing Input - Invalid Syntax.
NTDSUTIL: activate instance ntds
Active instance set to "ntds".
NTDSUTIL: files
file maintenance: info
Drive Information:
C: NTFS (Fixed Drive  ) free(40.5 Gb) total(59.6 Gb)
DS Path Information:
Database   : C:\Windows\NTDS\ntds.dit - 314.1 Mb
Backup dir : C:\Windows\NTDS\dsadata.bak
Working dir: C:\Windows\NTDS
Log dir    : C:\Windows\NTDS - 80.0 Mb total
                edbtmp.log - 10.0 Mb
                edbres00002.jrs - 10.0 Mb
                edbres00001.jrs - 10.0 Mb
                edb07737.log - 10.0 Mb
                edb07736.log - 10.0 Mb
                edb07735.log - 10.0 Mb
                edb07734.log - 10.0 Mb
                edb.log - 10.0 Mb
file maintenance: Recover
Initiating RECOVERY mode...
Log files: C:\Windows\NTDS
System files: C:\Windows\NTDS
Performing soft recovery...
Database recovery is successful.
It is recommended you run semantic database analysis
to ensure semantic database consistency as well.
file maintenance: quit
NTDSUTIL: ESENTUTL /ml c:\windows\ntds\edb

C:\Windows\NTDS>ESENTUTL /ml c:\windows\ntds\edb
Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.3
Copyright (C) Microsoft Corporation. All Rights Reserved.
Initiating FILE DUMP mode...
Verifying log files...
Base name: edb
Log file: c:\windows\ntds\edb07734.log - OK
Log file: c:\windows\ntds\edb07735.log - OK
Log file: c:\windows\ntds\edb07736.log - OK
Log file: c:\windows\ntds\edb07737.log - OK
Log file: c:\windows\ntds\edb.log - OK
No damaged log files were found.
Operation completed successfully in 0.453 seconds.

C:\Windows\NTDS>ESENTUTL /g C:\Windows\NTDS\ntds.dit /!10240 /8 /o
Initiating INTEGRITY mode...
Database: C:\Windows\NTDS\ntds.dit
Temp. Database: .\TEMPINTEG3496.EDB
Checking database integrity.
Scanning Status (% complete)
          0    10   20   30   40   50   60   70   80   90  100
          |----|----|----|----|----|----|----|----|----|----|
          ...................................................
Integrity check successful.
Operation completed successfully in 20.156 seconds.

C:\Windows\NTDS>ntdsutil
ntdsutil: activate instance ntds
Active instance set to "ntds".
ntdsutil: semantic database analysis
semantic checker: go
Fixup mode is turned off
......Done.
Writing summary into log file dsdit.dmp.0
SDs scanned:           3475
Records scanned:      27034
Processing records..Done. Elapsed time 7 seconds.
semantic checker: quit
ntdsutil: quit

C:\Windows\NTDS>

If the semantic database analysis reports errors, rerun it with fixup enabled (semantic checker: go fixup) to have it correct them. Do not reach for esentutl /p (hard repair) on ntds.dit: a database that has been through a hard repair is not a supported state for a domain controller. If the integrity check still fails after soft recovery, the supported fix is to restore the DC from a backup or to demote it and re-promote it from a healthy replication partner.
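As an added example (not code from the original post), the following wraps the checks in the transcript above so they run in a fixed order with a backup taken first: verify the log files, apply them with a soft recovery, run the integrity check, then the semantic analysis, and report pass/fail by matching the same strings the tools print above. It assumes an elevated PowerShell on the DC with AD DS stopped (DSRM, or simply Stop-Service NTDS on Windows Server 2008 and later), the default C:\Windows\NTDS paths, and a backup folder on a separate volume; the D: backup path is a placeholder.

```powershell
# Added example, not from the original post. Run elevated on the DC with the
# NTDS service stopped; paths are the defaults and the backup location is a placeholder.
function Invoke-NtdsOfflineCheck {
    param(
        [string]$NtdsPath   = 'C:\Windows\NTDS',
        [string]$BackupPath = "D:\NTDS-backup-$(Get-Date -Format yyyyMMdd-HHmmss)",
        [switch]$Fixup      # run 'go fixup' instead of the read-only semantic check
    )
    if ((Get-Service -Name NTDS).Status -ne 'Stopped') {
        throw 'AD DS (NTDS) must be stopped: boot into DSRM or run Stop-Service NTDS.'
    }

    # 1. Copy the DIT, logs, reserve logs and checkpoint before any tool touches them;
    #    recovery rewrites the database and the logs.
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    Copy-Item -Path (Join-Path $NtdsPath '*') -Include 'ntds.dit', '*.log', '*.jrs', '*.chk' -Destination $BackupPath

    $dit     = Join-Path $NtdsPath 'ntds.dit'
    $logBase = Join-Path $NtdsPath 'edb'
    $out     = [ordered]@{}

    # 2. Log files first: an integrity check on a DIT with unapplied logs reports "not up-to-date".
    $out.LogCheck  = (& esentutl.exe /ml $logBase 2>&1) -join "`n"
    # 3. Soft recovery applies the logs (what 'file maintenance: recover' did in the transcript).
    $out.Recover   = (& ntdsutil.exe 'activate instance ntds' files recover quit quit 2>&1) -join "`n"
    # 4. Integrity check, same switches as in the transcript.
    $out.Integrity = (& esentutl.exe /g $dit /!10240 /8 /o 2>&1) -join "`n"
    # 5. Semantic analysis; 'go fixup' only when explicitly requested.
    $semCmd        = if ($Fixup) { 'go fixup' } else { 'go' }
    $out.Semantic  = (& ntdsutil.exe 'activate instance ntds' 'semantic database analysis' $semCmd quit quit 2>&1) -join "`n"

    [pscustomobject]@{
        Backup      = $BackupPath
        LogsOk      = $out.LogCheck  -match 'No damaged log files were found'
        RecoveryOk  = $out.Recover   -match 'Database recovery is successful'
        IntegrityOk = $out.Integrity -match 'Integrity check successful'
        Corrupted   = $out.Integrity -match 'Database is CORRUPTED'
        Raw         = $out           # full tool output for the ticket
    }
}

# Usage
$r = Invoke-NtdsOfflineCheck
$r | Format-List Backup, LogsOk, RecoveryOk, IntegrityOk, Corrupted
if ($r.Corrupted) { Write-Warning 'Still corrupted after soft recovery: restore from backup or demote and re-promote; do not use esentutl /p.' }
```

The order differs from the transcript on purpose: the first integrity check there failed partly because the logs had not been applied yet, so checking and replaying the logs before the integrity pass avoids one false alarm. The backup copy is what lets you return to the pre-recovery state if the soft recovery itself fails.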

Satheshwaran Manoharan, https://www.azure365pro.com

Specialized in Microsoft Azure and Office 365 / Microsoft Exchange; conducted numerous projects worldwide in designing, supporting, and implementing messaging and virtualization infrastructure for medium-sized and large enterprises. Further, I am a Cloud Architect and Technical Advisor for various start-ups.
