Changes that are made to security groups or to distribution groups are not replicated to destination domain controllers when you use link value replication in a Windows Server 2003 environment
- Changes to a security group or distribution group that exists on the source domain controller are not replicated to the destination domain controllers. You experience this symptom whether the group membership change is made by an administrator or by a program.
- When you run the repadmin /showreps command, you receive a message that states that a Windows Server 2008-based or Windows Server 2003-based destination domain controller cannot replicate inbound changes to a directory partition from one or more source domain controllers. In this situation, you also receive a Win32 error 8451.
Note: Win32 error 8451 corresponds to the ERROR_DS_DRA_DB_ERROR error and to the following description: "The replication operation encountered a database error." The affected Windows Server 2008-based or Windows Server 2003-based destination domain controller may not replicate inbound changes that are made to read-only partitions from global catalogs or from domain controllers that host writable directory partitions.
- Windows Server 2008-based and Windows Server 2003-based destination domain controllers log the following event in the Directory Service log:
Event Type: Warning
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1173
User: NT AUTHORITY\ANONYMOUS LOGON
Description: Internal event: Active Directory has encountered the following exception and associated parameters. Exception: e0010004 Parameter: 0
Additional Data Error value: -1603 Internal ID: 2050344
- NTDS general event 1173 indicates a generic replication failure.
- The additional data error value “-1603” maps to a “currently not on a record” jet error and to the symbolic name “errNoCurrentRecord.”
- Exception “e0010004” corresponds to error DSA_DB_EXCEPTION.
- Internal ID 2050344 corresponds to a function in the database layer code of NTDS. This number depends on the operating system, on the service pack, and on the patching revisions.
- Windows Server 2008-based and Windows Server 2003-based destination domain controllers log Directory Service event 1692, as follows. Note: This event is logged only when you enable diagnostic logging by setting the value of the 5 Replication Events registry entry to 1 or greater.
Log Name: Directory Service
Date: MM/DD/YYYY HH:MM:SS AM|PM
Event ID: 1692
Task Category: Replication
User: ANONYMOUS LOGON
Computer: Destination DC
Internal event: Active Directory Domain Services cannot apply an incoming attribute value change during replication because the following object is not present in the local Active Directory Domain Services database.
Object GUID:object GUID of the group modified on the source DC
Attribute value:DN path of user whose membership is being modified
For more information about NTDS diagnostic logging, click the following article number to view the article in the Microsoft Knowledge Base: 314980 How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server
Specifically, this issue may occur if the following conditions are true:
- Membership changes that are made to lingering security or distribution groups on source domain controllers are outbound-replicated by using link value replication (LVR) to destination domain controllers that do not have an instance of the group that is being modified. A group becomes a lingering object when it is deleted in the forest, the tombstone for the deletion is garbage-collected after the tombstone lifetime expires, and a domain controller that never received the deletion (for example, one that was disconnected from replication for longer than the tombstone lifetime) still holds a live copy. A membership change that is made to that copy references an object GUID that the destination domain controller cannot find in its local database, which surfaces as the Jet error -1603 and Win32 error 8451 that are described above.
- The forest functional level is set to Windows Server 2003 Interim mode or a later version.
- The lingering security or distribution groups reside in either read-only or writable partitions on Windows Server 2003-based or Windows Server 2008-based source domain controllers, and inbound replication of the affected partition stops between the source and destination domain controllers.
- Run the following repadmin command on the primary domain controller (PDC), or on any domain controller or administrative workstation that has repadmin installed, to create a .csv file that lists the replication status of every destination domain controller:
repadmin /showrepl * /csv >showrepl.csv
- Open the .csv file in Microsoft Excel, and then identify the destination domain controllers that have failed inbound replication and that show Win32 error 8451 in the Last Failure Status column.
- On the domain controllers that log the "Win32 error 8451" error message, make sure that diagnostic logging for the 5 Replication Events registry entry is set to a value of 1. To do this, follow these steps:
- Click Start, and then click Run.
- In the Open box, type regedit, and then click OK.
- Locate and then click the following registry key:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
- In the details pane, double-click 5 Replication Events, type 1 in the Value data box, and then click OK.
- Close Registry Editor.
- On the destination domain controllers, verify that Directory Service event 1692 is logged in the Directory Service log. Each event records the object GUID of the group whose member attribute (or another LVR-replicated linked attribute) was changed on the source domain controller, together with the DN of the member value being added or removed. Because the destination domain controller does not hold an object with that GUID, these GUIDs identify the lingering groups.
- Remove the lingering objects by using the repadmin /removelingeringobjects command on the Windows Server 2008-based or Windows Server 2003-based domain controllers that still hold them, using a domain controller that does not hold the lingering group as the reference. Run the command with the /advisory_mode switch first to confirm which objects would be removed before you remove them.
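The following PowerShell script is an added example that walks through the steps above; it is not Microsoft's code and is not part of KB 958838. It assumes that repadmin.exe is installed where the script runs, that WinRM is enabled on the destination domain controllers, that the account is a domain administrator, and that the CSV columns are the ones repadmin /showrepl /csv emits (Destination DSA, Source DSA, Naming Context, Number of Failures, Last Failure Status). $ReferenceDc is a placeholder for a domain controller that does not hold the lingering group.

```powershell
# Added example for KB 958838 (not Microsoft's code): triage Win32 error 8451 / event 1692
# from PowerShell. Assumptions: repadmin.exe is installed locally, WinRM is enabled on the
# destination DCs, the account is a domain administrator, and the CSV column names are the
# ones repadmin /showrepl /csv emits. $ReferenceDc is a placeholder.
#Requires -RunAsAdministrator

$CsvPath     = Join-Path $env:TEMP 'showrepl.csv'
$ReferenceDc = 'DC01.contoso.com'   # placeholder: a DC that does NOT hold the lingering group

# Step 1: inbound replication status of every DC in the forest, as a CSV.
repadmin /showrepl * /csv | Out-File -FilePath $CsvPath -Encoding ascii
$rows = Import-Csv -Path $CsvPath

# Step 2: partner pairs whose last inbound failure is Win32 error 8451 (ERROR_DS_DRA_DB_ERROR).
$failing = $rows |
    Where-Object { [int]$_.'Number of Failures' -gt 0 -and [int]$_.'Last Failure Status' -eq 8451 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context', 'Last Failure Time' -Unique
$failing | Format-Table -AutoSize

# Step 3: set "5 Replication Events" to 1 on each failing destination DC so that event 1692 is logged.
$destinations = $failing.'Destination DSA' | Sort-Object -Unique
foreach ($dc in $destinations) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
            -Name '5 Replication Events' -Value 1 -Type DWord
    }
}

# Step 4: after the next inbound replication attempt, harvest the object GUIDs that event 1692
# reports as absent from the destination. Those GUIDs identify the lingering groups.
$guidPattern = '[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}'
$lingering = foreach ($dc in $destinations) {
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Directory Service'; Id = 1692 }
    foreach ($e in $events) {
        if ($e.Message -match "Object GUID:\s*($guidPattern)") {
            [pscustomobject]@{
                DestinationDC = $dc
                ObjectGuid    = $Matches[1]
                Logged        = $e.TimeCreated
            }
        }
    }
}
$lingering | Sort-Object ObjectGuid -Unique | Format-Table -AutoSize

# Step 5: build the cleanup commands. repadmin /removelingeringobjects takes the DC to clean,
# the DSA object GUID of a DC that holds a correct copy of the partition, and the naming context.
# /advisory_mode only reports what would be removed; drop it once the report looks right.
$refGuid = (repadmin /showrepl $ReferenceDc |
    Select-String -Pattern 'DSA object GUID:\s*(\S+)' | Select-Object -First 1).Matches[0].Groups[1].Value
foreach ($pair in $failing) {
    # The group lingers on the DC that still holds it: the source DSA of the failing link.
    "repadmin /removelingeringobjects $($pair.'Source DSA') $refGuid `"$($pair.'Naming Context')`" /advisory_mode"
}
```

Step 5 prints the commands instead of running them so that the advisory-mode report can be reviewed on each domain controller before anything is deleted; the DSA object GUID must belong to a domain controller whose copy of the partition is known to be clean, otherwise the comparison has nothing authoritative to check against.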
Disabling strict replication consistency in the registry of Windows Server 2008-based or Windows Server 2003-based destination domain controllers does not resume replication, and it would also allow lingering objects to be re-replicated into the forest. You must not set the value of the Strict Replication Consistency registry entry to 0 to unblock replication of directory partitions.
Do not force replication of directory partitions on source domain controllers by using the repadmin /sync command or an equivalent command together with the /force switch.
Article ID: 958838 - Last Review: 12/04/2008 00:35:30 - Revision: 1.0