Consider the following scenario. In a Windows Server 2003 environment, you raise the forest functional level to Windows Server 2003 or to a later version of Windows so that group membership changes on LVR-enabled attributes are replicated by using link value replication (LVR). In this scenario, you may experience the following symptoms:
Changes to the security group or distribution group that exists on the source domain controller are not replicated to the destination domain controllers. You experience this symptom when the group membership change is initiated either by an administrator or by a program.
When you run the repadmin /showreps command, you receive a message that states that a Windows Server 2008-based or Windows Server 2003-based destination domain controller cannot replicate inbound changes to a directory partition from one or more source domain controllers. The message also reports Win32 error 8451.
Note Win32 error 8451 corresponds to the "ERROR_DS_DRA_DB_ERROR" error and to the following description:
The replication operation encountered a database error.
The affected Windows Server 2008-based or Windows Server 2003-based destination domain controller may not replicate inbound changes that are made to read-only partitions from global catalogs or from domain controllers that are hosting writable directory partitions.
Windows Server 2008-based and Windows Server 2003-based destination domain controllers log the following event in the Directory Service log:
Event Type: Warning
Event Source: NTDS General
Event Category: Internal Processing
Event ID: 1173
User: NT AUTHORITY\ANONYMOUS LOGON
Description:
Internal event: Active Directory has encountered the following exception and associated parameters.
Exception: e0010004
Parameter: 0
Additional Data
Error value: -1603
Internal ID: 2050344
NTDS general event 1173 indicates a generic replication failure.
The additional data error value "-1603" maps to a "currently not on a record" Jet error and to the symbolic name "errNoCurrentRecord."
Exception “e0010004” corresponds to error DSA_DB_EXCEPTION.
Internal ID 2050344 corresponds to a function in the database layer code of NTDS. This number depends on the operating system, on the service pack, and on the patching revisions.
Windows Server 2008-based and Windows Server 2003-based destination domain controllers log the Directory Service event 1692, as follows:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Date: MM/DD/YYYY HH:MM:SS AM|PM
Event ID: 1692
Task Category: Replication
Level: Information
Keywords: Classic
User: ANONYMOUS LOGON
Computer: Destination DC
Description:
Internal event: Active Directory Domain Services cannot apply an incoming attribute value change during replication because the following object is not present in the local Active Directory Domain Services database.
Object GUID: object GUID of the group modified on the source DC
Attribute: member
Attribute value: DN path of user whose membership is being modified
Note This event is logged when you enable diagnostic logging and set the value for the 5 Replication Events registry entry to 1 or greater.
For more information about NTDS diagnostic logging, click the following article number to view the article in the Microsoft Knowledge Base:
314980 How to configure Active Directory diagnostic event logging in Windows Server 2003 and in Windows 2000 Server
These symptoms may occur when changes are made to any LVR-replicated object class that has forward links. (These changes to the LVR-replicated object class are in addition to the changes that are made to security and distribution groups.)
This issue occurs if Windows Server 2008-based or Windows Server 2003-based destination domain controllers stop inbound replication when they receive LVR updates of objects that do not exist in their local copies of Active Directory.
Specifically, this issue may occur if the following conditions are true:
Membership changes that are made to lingering security or distribution groups on source domain controllers are outbound-replicated by using link value replication (LVR) to destination domain controllers that do not have an instance of the group that is being modified. For example, this issue may occur when the group was deleted and its tombstone has already expired and been removed from the local copy of Active Directory.
The forest functional level is set to Windows Server 2003 Interim mode or a later version.
The lingering security or distribution groups reside on either read-only or writable partitions of Windows Server 2003-based or Windows Server 2008-based source domain controllers, and replication stops between the source and destination domain controllers.
Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up and restore the registry in Windows
To resolve this issue, follow these steps:
Run the following repadmin command on the primary domain controller (PDC) to create a .csv file that contains the list of destination domain controllers:
repadmin /showrepl * /csv >showrepl.csv
Open the .csv file in Microsoft Excel, and then identify replication failures on destination domain controllers that have failed the incoming replication process and that display Win32 error 8451.
On the domain controllers that log the "Win32 error 8451" error message, make sure that the 5 Replication Events diagnostic logging registry entry is set to a value of 1. To do this, follow these steps:
Open Registry Editor, and then locate the NTDS diagnostics key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
In the details pane, double-click 5 Replication Events, type 1 in the Value data box, and then click OK.
Close Registry Editor.
On the destination domain controllers, verify that Directory Service event 1692 is logged in the Directory Service log. The event displays changes to the "member" attribute of the security group or to other LVR-replicated attributes, together with the lingering object GUIDs.
Remove the lingering objects from the Windows Server 2008-based or Windows Server 2003-based destination domain controllers by using the repadmin /removelingeringobjects command.
For more information about the Repadmin /removelingeringobjects command, click the following article number to view the article in the Microsoft Knowledge Base:
870695 Outdated Active Directory objects generate event ID 1988 in Windows Server 2003
Disabling strict replication consistency functionality in the registry of Windows Server 2008-based or Windows Server 2003-based destination domain controllers does not resume replication. You must not set the value of the Strict Replication Consistency registry entry to 0 to unblock replication of directory partitions.
Do not force replication of directory partitions on source domain controllers by using the repadmin /sync command or an equivalent command together with the /force switch.
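The following PowerShell script walks the resolution steps above end to end. It is an added example, not part of the Knowledge Base article and not a Microsoft-supplied script. It assumes that showrepl.csv was produced by repadmin /showrepl * /csv and that the CSV column names ("Last Failure Status", "Destination DSA", and so on) are the ones that repadmin emits; that the diagnostic entry lives under the standard NTDS Diagnostics key; and that Get-WinEvent is available (Windows Server 2008 with PowerShell 2.0; on Windows Server 2003 substitute Get-EventLog). The sample CSV rows, the contoso.com naming context and the reference DSA GUID placeholder are constructed for the dry run.

```powershell
# Added example (not from the KB article). Triage repadmin output for Win32 error 8451,
# enable "5 Replication Events" logging, collect event 1692 object GUIDs, and print the
# repadmin /removelingeringobjects command in advisory mode for administrator review.

$csvPath = 'C:\temp\showrepl.csv'   # produced by: repadmin /showrepl * /csv >showrepl.csv
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Constructed sample in the repadmin CSV layout (column names assumed to match repadmin).
# Used only when the real file is absent so the script can be dry-run offline.
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC02,"DC=contoso,DC=com",Default-First-Site-Name,DC01,RPC,14,2009-03-02 08:15:10,2009-02-27 23:40:02,8451
showrepl_INFO,Default-First-Site-Name,DC03,"DC=contoso,DC=com",Default-First-Site-Name,DC01,RPC,0,0,2009-03-02 08:20:44,0
showrepl_INFO,Branch,DC04,"DC=contoso,DC=com",Default-First-Site-Name,DC01,RPC,3,2009-03-02 08:10:00,2009-03-01 12:00:00,1722
'@
if (-not (Test-Path $csvPath)) {
    $csvPath = Join-Path $env:TEMP 'showrepl-sample.csv'
    $sampleCsv | Set-Content -Path $csvPath
}

# Step 2: keep only partner pairs whose last failure is 8451 (ERROR_DS_DRA_DB_ERROR).
# Other codes (1722 in the sample is an RPC failure) are different problems.
function Get-Dra8451Failures {
    param([string]$Path)
    Import-Csv -Path $Path |
        Where-Object { $_.'Last Failure Status' -eq '8451' } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time'
}

# Step 3: on the affected destination DC, set "5 Replication Events" (REG_DWORD) to 1
# so that event 1692 names the object that is missing locally. Run on that DC.
function Enable-ReplicationEventLogging {
    param([string]$Key = $diagKey, [int]$Level = 1)
    if (Test-Path $Key) {
        Set-ItemProperty -Path $Key -Name '5 Replication Events' -Value $Level -Type DWord
    }
    else {
        Write-Warning "NTDS Diagnostics key not found; is this computer a domain controller?"
    }
}

# Step 4: read event 1692 and pull the "Object GUID:" and "Attribute:" tokens from the
# message text (format taken from the event description quoted in the article).
function Get-MissingObjectGuids {
    param([int]$MaxEvents = 200)
    $filter = @{ LogName = 'Directory Service'; Id = 1692 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $g = [regex]::Match($_.Message, 'Object GUID:\s*([0-9a-fA-F-]{36})')
            if ($g.Success) {
                $a = [regex]::Match($_.Message, 'Attribute:\s*(\S+)')
                $attr = ''
                if ($a.Success) { $attr = $a.Groups[1].Value }
                New-Object PSObject -Property @{
                    Time       = $_.TimeCreated
                    ObjectGuid = $g.Groups[1].Value
                    Attribute  = $attr
                }
            }
        } | Sort-Object ObjectGuid -Unique
}

# Step 5: build the cleanup command for each affected pair. The first argument is the DC
# whose database is to be checked (the destination DC, per the article), the second is
# the DSA object GUID of a DC known to be up to date (placeholder here), the third is
# the partition. /advisory_mode only reports; rerun without it after reviewing the list.
function Get-RemoveLingeringObjectsCommands {
    param($Failures, [string]$ReferenceDsaGuid = '<ReferenceDcDsaGuid>')
    foreach ($f in $Failures) {
        'repadmin /removelingeringobjects {0} {1} "{2}" /advisory_mode' -f `
            $f.'Destination DSA', $ReferenceDsaGuid, $f.'Naming Context'
    }
}

$failures = Get-Dra8451Failures -Path $csvPath
$failures | Format-Table -AutoSize
Get-RemoveLingeringObjectsCommands -Failures $failures

# Per the article: do not set Strict Replication Consistency to 0 and do not use
# repadmin /sync ... /force to push the partition; neither unblocks this condition.
```

Run the script on the PDC for the CSV triage, then call Enable-ReplicationEventLogging and Get-MissingObjectGuids on each destination DC listed in the output. The GUIDs returned by Get-MissingObjectGuids should be confirmed to exist on the source DC and be absent on the destination before the advisory-mode command is rerun without /advisory_mode.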