Active Directory replication error 8464: Synchronization attempt failed...

Symptoms
This article describes the symptoms, cause and resolution for resolving issues where Active Directory replication fails with error 8464:

Synchronization attempt failed because the destination DC is currently waiting to synchronize new partial attributes from source. This condition is normal if a recent schema change modified the partial attribute set. The destination partial attribute set is not a subset of source partial attribute set.

Additionally, event ID 1704 that resembles the following is logged:

Log Name: Directory Service
Event ID: 1704
Event Source: ActiveDirectory_DomainService / NTDS Replication
Task Category: Global Catalog
Event Text:
The global catalog initiated replication of a member of the partial attribute set for the following directory partition from the following domain controller.
Directory partition:
DC=treeroot,DC=fabrikam,DC=com
Domain controller:
xxxxxxxxxx._msdcs.root.contoso.com 

This is a special replication cycle due to the addition of one or more attributes to the partial attribute set.


Note It is perfectly typical to see Active Directory replication status 8464 after you extend the schema or after you add new attributes to the partial attribute set (PAS). This is a message that states replication is delayed temporarily. Active Directory replication status 8464 goes away after the PAS finishes the update process.
Cause
This issue occurs because PAS synchronization is triggered when an attribute is added to the PAS.
For the details, see the "More Information" section.
Resolution
As this is an ordinary part of PAS synchronization, resolution steps are usually not needed. See the More Information" section for troubleshooting steps if this replication status persists in the environment for more than a week. 

More information

The details of the cause for status 8464

The Schema definition for an attribute is stored in the Schema partition as an attributeSchema object. Checking the Replicate this attribute to the Global Catalog check box sets the isMemberOfPartialAttributeSet attribute to TRUE on the attributeSchema object. Any attributeSchema object that has this attribute set to TRUE will cause the corresponding attribute to be included in the Partial Attribute Set.

When PAS synchronization occurs (that results from PAS extension), there is a specialized task in the replication task queue. The DRS_SYNC_PAS flag identifies this specialized task.

An un-optimized Active Directory topology or Active Directory replication failures may result in a significant delay in the PAS update process. It is typical to see Active Directory replication status 8464 during the PAS update process.

How to check Active Directory replication status 8464

The Repadmin commands and other tools that provide an Active Directory replication status report state that a replication attempt is delayed with status 8464.
The following is the Repadmin commands and other tools that typically cite the 8464 status, including but are not limited to:The following isa sample output from "Repadmin /showrepl" that shows incoming replication from DC2 to DC1 being delayed:
Domain\DC2 DSA Options: IS_GC  Site Options: (none) DSA object GUID: <GUID> DSA invocationID: <ID>…DC=child,DC=root,DC=contoso,DC=com    Domain\DC1 via RPC DSA object GUID: <GUID> Last attempt @ 2014-08-28 04:50:44 was delayed for a normal reason, result 8464 (0x2110)
The following is the verbose output of the Repadmin /showrepl command:
Domain\TRDC1 via RPC         DSA object GUID: <GUID>         Address: xxxxxxxxxx._msdcs.root.contoso.com         DSA invocationID: <ID>         SYNC_ON_STARTUP DO_SCHEDULED_SYNCS PARTIAL_ATTRIBUTE_SET         USNs: 0/OU, 234943/PU         Last attempt @ <Date & Time> was delayed for a normal reason, result 8464 (0x2110):     Synchronization attempt failed because the destination DC is currently waiting to synchronize new partial attributes from source. This condition is normal if a recent schema change modified the partial attribute set. The destination partial attribute set is not a subset of source partial attribute set.         Last success @ <Date & Time>.

How to determine the destination domain controller

Note These steps require an understanding of the environment's Active Directory replication topology, correlation of replication status data and temporary modification of Active Directory replication interval or connections.
  1. Identify one destination domain controller for one partition logged Active Directory replication status 8464. Use this domain controller and partition for these steps (do not jump around between partitions and domain controllers).

    Note This step makes you to focus on updating the bridgehead servers and hub-site domain controller first.
  2. Collect the following data. Check replication status results for the destination domain controller and source domain controller. Run the following commands to export the results:
    1. Compare the current PAS synchronization state among all global catalog servers. Run the following command to export the result to a pas_domain.txt file:
      repadmin /showattr gc: <Partition_DN> /gc /atts:partialattributeset >pas_domain.txt
    2. Check replication status results for the destination and source domain controllers. Run the following commands to export the results:
      Repadmin /showrepl <DestinationDC> /verbose >repl_destDC.txt
      Repadmin /showrepl <SourceDC> /verbose >repl_sourceDC.txt
      Repadmin /showrepl * /csv >showrepl.csv

    3. List of all attributes in the PAS. This is useful for determining the current count. Run the following command to export the result to a pas.txt file:
      repadmin /showattr fsmo_schema: ncobj:schema: /filter:"(ismemberofpartialattributeset=TRUE)" /subtree /atts:dn >pas.txt
    4. Check event ID 1704 and 1702 as they indicate the PAS synchronization is complete in the Directory Service event log.
  3. Analyse the data based on the destination domain controller with outdated PAS or source domain controller with outdated PAS.
    • If the destination domain controller does not have the updated PAS, do the following:
      1. Determine whether any source partners have the updated value.
      2. Update destination and any source domain controllers that are out of date to clear the status 8464.
      3. Manually start replication with source domain controllers that are up to date. Or, create and replicate source domain controllers if connections do not exist.
      4. When the destination domain controller is updated, status 8464 will be logged for any source domain controllers that are not updated.
    • If the destination domain controller has the updated PAS, but the source domain controller does not, the status 8464 will not clear until the source is updated. Or, you can update the source domain controller by manually starting replication with a domain controller that is up-to-date.

Pas_domain.txt instructions

The value of interest in the output is listed after the v1.cAttrs = text. This numeric value displays how many attributes are included in the PAS. Compare these values among each global catalog (GC) for each partition. If all GCs display the same value, all GCs are in-sync (they either all have the updated PAS, or they all do not). If all values are the same, compare them with the values from output in other partitions or the dump schema, and count the list of attributes in the PAS.

The following is a sample log, where DC1 has not updated the partial attribute set for the CHILD partition. Also DC2 has completed the PAS update process. No data is logged for ChildDC1, because the partialattributeset attribute has no data due to ChildDC1 containing a full copy of the Child domain partition.
Repadmin: running command /showattr against full DC DC1.root.contoso.comDN: DC=child,DC=root,DC=contoso,DC=com    1> partialAttributeSet: { dwVersion = 1; dwFlag = 0; V1.cAttrs = 196, V1.rgPartialAttr =  0, 3, 4, 6, 7, 8, 9…Repadmin: running command /showattr against full DC ChildDC1.child.root.contoso.comDN: DC=child,DC=root,DC=contoso,DC=comRepadmin: running command /showattr against full DC DC2.root.contoso.comDN: DC=child,DC=root,DC=contoso,DC=com    1> partialAttributeSet: { dwVersion = 1; dwFlag = 0; V1.cAttrs = 203, V1.rgPartialAttr =  0, 3, 4, 6, 7, 8, 9…

Pas.txt Instructions

Identify the list of attributes in the PAS

To see a list of the attributes in the PAS, use repadmin or another tool to query the Schema partition for all attributes where the ismemberofpartialattributeset value is set to TRUE:
repadmin /showattr fsmo_schema: ncobj:schema: /filter:"(ismemberofpartialattributeset=TRUE)" /subtree /atts:dn >pas.txt
Make sure that the word TRUE is in all uppercase text.

You can also use LDIFDE to achieve this data together with the count:
Ldifde -f pas.txt -d "cn=schema,cn=configuration,dc=forestRootDN…" -r "(ismemberofpartialattributeset=TRUE)"…196 entries exported

Identify the count of attributes in the PAS

To achieve a count of the attributes from the repadmin output, follow these steps:
  1. Open the text file in Notepad.
  2. Delete any blank lines at the beginning and end of the file.
  3. Delete the line at the top of the file that begins with "Repadmin: running command /showatt…."
  4. Put your pointer on the last line of text in the file, then press the Ctrl + G keyboard shortcut to open up the Go To Line dialog box. The line number in this window represents the count for attributes in the partial attribute set.

Directory Service event log

Enable diagnostic logging for global catalog events in order to view additional detail about the partial attribute set update cycle. After enabling replication event verbosity, view the Directory Services event log.

To enable diagnostic logging for global catalog events, follow these steps:
  1. Open Regedit.
  2. Locate and then click the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
  3. Configure event logging for global catalog:
    1. On the right side of Registry Editor, double-click the 18 Global Catalog entry.
    2. Type 3 in the Value data box, and then click OK.
  4. Close Regedit.
View the following events in the Directory Service event log:

Log Name: Directory Service
Event ID: 1704
Event Source: ActiveDirectory_DomainService / NTDS Replication
Task Category: Global Catalog
Event Text: The global catalog initiated replication of a member of the partial attribute set for the following directory partition from the following domain controller.

Directory partition:
DC=treeroot,DC=fabrikam,DC=com
Domain controller:
xxxxxxxxxx._msdcs.root.contoso.com 

This is a special replication cycle due to the addition of one or more attributes to the partial attribute set.


Event ID: 1702
Event Source: ActiveDirectory_DomainService / NTDS Replication
Task Category: Global Catalog
Event Text: The global catalog completed synchronization of the partial attribute set for the following directory partition from the following domain controller.

Directory partition:
DC=treeroot,DC=fabrikam,DC=com
Domain controller:
xxxxxxxxxxx (TRDC1.treeroot.fabrikam.com) 

This is a special replication cycle due to the addition of one or more attributes to the partial attribute set.

Replication status cycle in partial attribute synchronization

The Active Directory replication status 8464 message is logged when the destination domain controller is waiting to synchronize the updated PAS from the source domain controller.

Note The domain controller that is selected for the PAS_Sync task can move to a different source domain controller on the next replication interval (from the existing set of replica partners).

New attempts to synchronize the PAS are based on the replication schedule. When a different source is selected for the PAS_Sync task, replication will proceed usually with the prior source domain controller. After the PAS is successfully updated, replication for the same partition to the domain controller that is updated will fail from domain controllers without the updated PAS. The same replication status is logged for this scenario.

When the destination domain controller has not updated the PAS, one of the following processes occur:
  • Selects one replica source to update PAS. Then, event 1704 is logged when the sync begins.
  • If source does not have the updated PAS itself, Active Directory replication status 8464 is logged, and event ID 1705 is logged if diagnostic logging is enabled.
  • If the PAS update task failed, and then a new source is selected, event ID 1706 is logged if diagnostic logging is enabled.
  • Replication from other domain controllers for the same partition proceeds as usual (status 0 is logged if there are no failures).

Example of the PAS synchronization cycle

This section is a sample of the PAS synchronization cycle. The following table is the domain controllers in the forest:
Domain ControllersDomain
DC1Root.contoso.com
DC2Root.contoso.com
ChildDC1Child.root.contoso.com
ChildDC2Child.root.contoso.com
TRDC1Treeroot.fabrikam.com
The following is the structure of the forest:
The structure of the forest
Consider the following scenario:
  • 7 new attributes are added to the PAS by using Schema extension. Therefore, the count for attributes in the PAS increases from 196 to 203.
  • This starts PAS synchronization. All GCs must now source the data for these seven attributes in each GC partition.
  • This diagram shows the update of just one partition.
  • The replication interval in this environment is 15 minutes.
  • A pre-existing condition exists that blocks replication from a DC hosting a writable copy of the partition.
In this scenario, the follow processes occur:
  1. When destination domain controller has not updated the PAS:
    1. DC1 selects DC2 for PAS_SYNC. Because DC2 also has the old PAS, Active Directory replication status 8464 is logged.
    2. TRDC1 was not selected for PAS_SYNC and it also has the old PAS, Active Directory replication status 0 (Successful) is logged.
    3. ChildDC1 holds a writable copy of the CHILD partition so that it has all attributes for this partition. However, there is a pre-existing issue that causes Active Directory replication to fail with error 8606.

  2. The destination domain controller selects a new source (TRDC1) for the PAS_SYNC task.
    1. TRDC1 also has the old PAS so replication is delayed, and status 8464 is logged.
    2. DC2 also has the old PAS. However, it is not selected for PAS_Sync on this interval, and replication is completed correctly. Therefore, status 0 is logged.
    3. Active Directory replication still fails with ChildDC1 because of an unrelated lingering objects issue exists (abandoned objects).
  3. PAS_SYNC toggles back to the other outdated replica (DC2).
    1. Meanwhile we correct the replication issue on ChildDC1.
    2. Replication is delayed from DC2, and status 8464 is logged.
    3. Replication proceeds successfully from TRDC1.
    4. Replication proceeds successfully from ChildDC1 (but it is not selected for PAS_Sync on this cycle).
  4. A suitable domain controller is finally selected for PAS_SYNC (ChildDC1).
    1. Replication proceeds as usual from DC2 and TRDC1 (these attempts are completed before PAS_Sync).
    2. Replication proceeds as usual from ChildDC1and PAS_SYNC is complete.
  5. The destination domain controller finally has the updated PAS (from the last interval).
    1. Replication from DC2 and TRDC1 are now both delayed because the source domain controllers are outdated. The same Active Directory replication status is logged for this issue.
    2. Replication is complete successfully from ChildDC1.
  6. In between the previous replication interval and the next one, DC2's copy of the partial attribute set for the CHILD domain is also updated (not pictured though).
    1. Because both the destination domain controller (DC1) and source domain controllers (DC2 and ChildDC1*) have the updated PAS, replication is completed correctly.  
      ChildDC1 has a full set of attributes for the partition (not just the PAS).
    2. Replication is delayed from TRDC1 because it still has the old PAS.
  7. In between the previous replication interval and the next one, TRDC1's copy of the partial attribute set for the CHILD domain is also updated (not pictured though).
    1. Replication is completed correctly from all partners, because the destination domain controller and sources all have the same attributes for the PAS.



Properties

Article ID: 3001248 - Last Review: 12/07/2016 22:15:00 - Revision: 4.0

Windows Server 2016 Datacenter, Windows Server 2016 Essentials, Windows Server 2016 Standard, Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation, Windows Server 2012 Datacenter, Windows Server 2012 Standard, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Foundation, Windows Server 2008 Datacenter, Windows Server 2008 Enterprise, Windows Server 2008 Standard, Windows Server 2008 Foundation

  • kberrmsg kbsurveynew kbexpertiseadvanced kbprb kbtshoot KB3001248
Feedback