Active Directory Replication error 8545: The replication update could not be applied ...


Symptoms


Active Directory replication fails for one or more partitions with error 8545, “The replication update could not be applied because either the source or the destination has not yet received information regarding a recent cross-domain move operation.” 

The following error is logged in the Directory Service event log on the destination DC:


Microsoft-Windows-ActiveDirectory_DomainService Event ID 1084

Internal event: Active Directory Domain Services could not update the following object with changes received from the following source directory service. This is because an error occurred during the application of the changes to Active Directory Domain Services on the directory service.

Object:

CN=<User>,OU=Users,OU=Boulder,DC=na,DC=contoso,DC=com
Object GUID:
33555323-8e42-42dd-ab95-51693b54281f

Source directory service:
1126750c-e8ac-4355-8412-ccb287e48c23._msdcs.contoso.com

Synchronization of the directory service with the source directory service is blocked until this update problem is corrected. 
This operation will be tried again at the next scheduled replication.

User Action
Restart the local computer if this condition appears to be related to low system resources (for example, low physical or virtual memory).

Additional Data
Error value:
8545 The replication update could not be applied because either the source or the destination has not yet received information regarding a recent cross-domain move operation.
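
The object DN, object GUID and source directory service in event 1084 are the inputs for everything that follows, so it helps to pull them out of the event text mechanically. The PowerShell below is an added example, not part of the original article: ConvertFrom-Event1084 is a hypothetical helper name, and the sample message is an abridged copy of the event text above.

```powershell
# Added example: parse Directory Service event 1084 text into the fields used for
# troubleshooting error 8545. ConvertFrom-Event1084 is a hypothetical helper name.
# $sample is constructed from the event text quoted in this article (abridged).
$sample = @'
Internal event: Active Directory Domain Services could not update the following object.
Object:
CN=<User>,OU=Users,OU=Boulder,DC=na,DC=contoso,DC=com
Object GUID:
33555323-8e42-42dd-ab95-51693b54281f
Source directory service:
1126750c-e8ac-4355-8412-ccb287e48c23._msdcs.contoso.com
Error value:
8545 The replication update could not be applied.
'@

function ConvertFrom-Event1084 {
    param([Parameter(Mandatory)][string]$Message)
    # Each value follows its label, on the same line or on the next one.
    $patterns = [ordered]@{
        ObjectDN   = '(?m)^Object:\s*(\S.*?)\s*$'
        ObjectGuid = '(?m)^Object GUID:\s*([0-9a-fA-F-]{36})'
        SourceDsa  = '(?m)^Source directory service:\s*(\S+)'
        ErrorValue = '(?m)^Error value:\s*(\d+)'
    }
    $fields = [ordered]@{}
    foreach ($name in $patterns.Keys) {
        $m = [regex]::Match($Message, $patterns[$name])
        $fields[$name] = if ($m.Success) { $m.Groups[1].Value } else { $null }
    }
    # The blocked partition is the DC= tail of the DN (escaped commas need a real DN parser).
    $fields['BlockedNC'] = (($fields['ObjectDN'] -split ',') -match '^DC=') -join ','
    # The source is logged as <DSA objectGUID>._msdcs.<forest root>; keep the GUID for lookup.
    $fields['SourceDsaGuid'] = ($fields['SourceDsa'] -split '\.')[0]
    [pscustomobject]$fields
}

$evt = ConvertFrom-Event1084 -Message $sample
if ($evt.ErrorValue -eq '8545') { $evt | Format-List }

# Live use on the destination DC:
# Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1084 } |
#     ForEach-Object { ConvertFrom-Event1084 -Message $_.Message } |
#     Where-Object ErrorValue -eq '8545'
```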

Cause


The object listed in event 1084 was migrated from one domain to another domain in the same forest.  The destination DC has not learned of the object’s new location (partition).  As a result, the object is still present in the old partition on the destination DC.

The source DC does know of the object’s migration and has the object present in its new location.

 AD replication error 8545 is logged when the source DC attempts to send changes for this recently migrated object when the destination DC has the object present in a different partition than.

Resolution


As a preventative measure, consider installing MSKB 2682997 on all DCs still running Windows Server 2008 or Windows Server 2008 R2.

  1. Determine the distinguished name (DN) of the naming context (NC) / partition where the object was migrated from.  See the More Information section for more detail on this step.
  2. On the destination DC: Unhost this partition
     Repadmin /unhost DestinationDC <DNofObject’sOldLocation>
     E.g., if the destination DC is DC1 and the DN for the partition where the object was migrated from is dc=corp,dc=contoso,dc=com, the command would be:
     Repadmin /unhost DC1 dc=corp,dc=contoso,dc=com
     Note: Monitor the Directory Service event log on the DC for event ID 1660. Review the event text to ensure that it says the DC no longer hosts the CORP NC.
     Event ID 1659 indicates the status of the un-host operation. Do not re-add the partition until after you successfully sync the other partition.
  3. On the destination DC: Trigger replication with the source DC (the one that was failing)
  4. Rehost the partition from a DC that has a good read/write copy of the partition

Repadmin /add <DNofObject’sOldLocation> DestinationDC GoodSourceDC /readonly

E.g., if the destination DC is DC1, the partition you un-hosted is dc=corp,dc=contoso,dc=com, and a DC that has a read/write copy of the Corp partition is CorpDC1.corp.contoso.com, the command would be:

Repadmin /add dc=corp,dc=contoso,dc=com dc1 CorpDC1.corp.contoso.com /readonly

See the More Information section for additional detail and data collection steps for this specific scenario.

 

More Information


 

This scenario can be confusing.  Use the following table style to document all of the data points needed to resolve this issue.

Determine if it is the source or destination DC that has a copy of the object in the old location (the location where the object was migrated from).

 

Object DN

CN=JUSTINTU,OU=Users,OU=BOULDER,DC=na,DC=contoso,DC=com

ObjectGUID

33555323-8e42-42dd-ab95-51693b54281f

Parent Object DN

OU=Users,OU=BOULDER,DC=na,DC=contoso,DC=com

Old Source Domain (DN)

Which domain was the object in?

Dc=corp,dc=contoso,dc=com

Target domain (DN)

Which domain was the object migrated to?

Dc=na,dc=contoso,dc=com

Identify all DCs with object(s) (replication metadata)

Repadmin /showobjmeta * "<GUID=33555323-8e42-42dd-ab95-51693b54281f>" >JUSTINTUObjmeta.txt

 

Important:

For any DCs we fail to obtain data from:

1. Connect to each DC we didn’t get data from

2. Rerun the command and substitute the DC name in place of the asterisk

Example: repadmin /showobjmeta DC004 "<GUID=33555323-8e42-42dd-ab95-51693b54281f>" >LCTXDC004_JUSTINTUObjmeta.txt

Identify all DCs with object(s) (attribute values)

Repadmin /showattr * "<GUID=33555323-8e42-42dd-ab95-51693b54281f>" /gc >JUSTINTUattr.txt

 

Important:

For any DCs we fail to obtain data from:

1. Connect to each DC we didn’t get data from

2. Rerun the command and substitute the DC name in place of the asterisk

Example: repadmin /showattr LCTXDC004 "<GUID=33555323-8e42-42dd-ab95-51693b54281f>" /gc >LCTXDC004_JUSTINTUAttr.txt

Identify all DCs in forest

Repadmin /viewlist * >allDCs.txt

Identify the DSA_GUID for all DCs

Repadmin /showattr DCNAME NCOBJ:Config: /filter:"(Objectclass=NTDSDSA)" /atts:objectGUID /subtree >ntdsa.txt

 

The above two commands

DC in source domain without object in NA partition- name

DC in source domain without object in NA partition DSA_GUID

 

Replication status for forest

Repadmin /showrepl * /csv >showrepl.csv

 To identify current location of the object in the database

1.       Dump the database of one of the destination DCs.

2.       Open up the database dump and search for the objectGUID reported in the event 1084.

3.       Grab the DNT and PDNT and build the object hierarchy by copying the pertinent values into a table:

DNT     PDNT    RDN            ObjectGUID
61001   45020   Justintu       33555323-8e42-42dd-ab95-51693b54281f
45020   20005   LostAndFound
6931    1752    Corp
1751    20003   Contoso
1750    2       com

 

Using the database dump, we can see this object’s current location in the database on this DC is:

CN=LostAndFound,DC=Corp,DC=Contoso,DC=com

 

As you can see, the object is present in the LostAndFound container in the corp.contoso.com NC, while replication is blocked on this object for the NA.contoso.com NC.  Since this object is already present in the database (but in the wrong / old NC), we needed to remove this partition from this DC in order to get rid of the old object.
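
The DNT/PDNT walk described above can be scripted once the rows have been copied out of the dump. This PowerShell is an added example, not part of the original article: Get-DntLocation is a hypothetical helper, the rows are constructed sample data with consistent parent links, and the RdnType column is an assumption about what you record next to each RDN.

```powershell
# Added example: rebuild an object's current location from DNT/PDNT rows.
# Rows are constructed sample data; RdnType is an assumed extra column.
$rows = @'
DNT,PDNT,RdnType,RDN,ObjectGUID
61001,45020,CN,Justintu,33555323-8e42-42dd-ab95-51693b54281f
45020,6931,CN,LostAndFound,
6931,1751,DC,Corp,
1751,1750,DC,Contoso,
1750,2,DC,com,
'@ | ConvertFrom-Csv

function Get-DntLocation {
    param([object[]]$Rows, [string]$ObjectGuid, [string]$ExpectedNC)
    # Index every row by its DNT so each PDNT can be resolved to its parent row.
    $byDnt = @{}
    foreach ($r in $Rows) { $byDnt[$r.DNT] = $r }
    $node = $Rows | Where-Object { $_.ObjectGUID -eq $ObjectGuid } | Select-Object -First 1
    if (-not $node) { throw "objectGUID $ObjectGuid not found in the copied rows" }
    $parts = @()
    $seen  = @{}
    while ($node) {
        # A repeated DNT means the copied rows are wrong; stop instead of looping forever.
        if ($seen.ContainsKey($node.DNT)) { throw "PDNT chain loops at DNT $($node.DNT)" }
        $seen[$node.DNT] = $true
        $parts += '{0}={1}' -f $node.RdnType, $node.RDN
        $node = $byDnt[$node.PDNT]    # $null when the parent row was not copied (top of chain)
    }
    $nc = @($parts | Where-Object { $_ -like 'DC=*' }) -join ','
    [pscustomobject]@{
        CurrentDN  = $parts -join ','
        CurrentNC  = $nc
        InExpected = ($nc -eq $ExpectedNC)    # string -eq is case-insensitive
    }
}

# ExpectedNC is the target domain the object was migrated to.
Get-DntLocation -Rows $rows -ObjectGuid '33555323-8e42-42dd-ab95-51693b54281f' `
    -ExpectedNC 'DC=na,DC=contoso,DC=com'
```

When InExpected is False, CurrentNC is the partition that has to be un-hosted on this DC.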

Example Scenario action plan

Configuration: The object was migrated from the Corp partition to the NA partition.

The NA partition fails to replicate from NADC1.na.contoso.com to DC1.la.contoso.com with error 8545

Destination DC: DC1.la.contoso.com

Source DC: NADC1.na.contoso.com

 

1. As a preventative measure, consider installing MSKB 2682997 on all DCs still running Windows Server 2008 or Windows Server 2008 R2.

To resolve this, you will need to:

2. Unhost the Corp partition on the DC, replicate the NA partition and then re-add the CORP partition from a known good source.
  a. Unhost the partition from the GC
    i. Repadmin /options DC1.la.contoso.com +disable_ntdsconn_xlate
    ii. Repadmin /unhost DC1.la.contoso.com dc=corp,dc=contoso,dc=com
    iii. Monitor the Directory Service event log on the DC for event ID 1660. Review the event text to ensure that it says the DC no longer hosts the CORP NC.
      1. Event ID 1659 indicates the status of the un-host operation. Do not re-add the partition until after we successfully sync the NA partition.
  b. Replicate the NA partition
    i. After the partition is successfully removed from the database: Initiate replication from CORPDC.na.contoso.com
    ii. Repadmin /replicate DC1.la.contoso.com NADC1.na.contoso.com DC=na,DC=contoso,DC=com
  c. Re-add the CORP NC back to this DC by using repadmin /add
    i. Repadmin /add dc=corp,dc=contoso,dc=com DC1.la.contoso.com CorpDC1.corp.contoso.com /readonly
    ii. Repadmin /options DC1.la.contoso.com -disable_ntdsconn_xlate
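
The action plan above, scripted so that the re-add cannot run before event 1660 confirms the old partition is gone. This PowerShell is an added example, not part of the original article: the parameter defaults are the example scenario's names, and it assumes it runs elevated on the destination DC, that repadmin returns a non-zero exit code on failure, and that the event 1660 text contains the partition DN.

```powershell
# Added example (not from the original article). Defaults are the example scenario's names.
param(
    [string]$DestDC   = 'DC1.la.contoso.com',
    [string]$SourceDC = 'NADC1.na.contoso.com',
    [string]$GoodDC   = 'CorpDC1.corp.contoso.com',
    [string]$OldNC    = 'dc=corp,dc=contoso,dc=com',
    [string]$NewNC    = 'dc=na,dc=contoso,dc=com',
    [int]$TimeoutMinutes = 60,      # arbitrary; large partitions take longer to remove
    [switch]$Apply                  # without -Apply the commands are printed, not run
)

function Invoke-Repadmin {
    param([string[]]$RepArgs)
    Write-Host "repadmin $($RepArgs -join ' ')"
    if (-not $Apply) { return }
    & repadmin.exe @RepArgs
    # Assumption: repadmin signals failure with a non-zero exit code.
    if ($LASTEXITCODE -ne 0) { throw "repadmin $($RepArgs[0]) failed, exit code $LASTEXITCODE" }
}

function Wait-PartitionRemoved {
    param([datetime]$Since)
    # Assumption: the event 1660 text names the removed partition by its DN.
    $deadline = $Since.AddMinutes($TimeoutMinutes)
    do {
        $hit = Get-WinEvent -FilterHashtable @{
            LogName = 'Directory Service'; Id = 1660; StartTime = $Since
        } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match [regex]::Escape($OldNC) }
        if ($hit) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $false
}

$started = Get-Date
Invoke-Repadmin '/options', $DestDC, '+disable_ntdsconn_xlate'
Invoke-Repadmin '/unhost', $DestDC, $OldNC
if ($Apply -and -not (Wait-PartitionRemoved -Since $started)) {
    # Stop with the option still set; the old partition must not be re-added yet.
    throw "No event 1660 for $OldNC after $TimeoutMinutes minutes; stopping before re-add."
}
Invoke-Repadmin '/replicate', $DestDC, $SourceDC, $NewNC
Invoke-Repadmin '/add', $OldNC, $DestDC, $GoodDC, '/readonly'
Invoke-Repadmin '/options', $DestDC, '-disable_ntdsconn_xlate'
```

Run it once without -Apply to review the exact repadmin command lines, then again with -Apply on the destination DC.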