Replication error 8453 (0x2105)

    Question

  • Hi folks,

    I know this error has already been posted a few times here, and I went through all the posts and tried a few suggestions but I am still stuck.

    We have 2 domain controllers. They worked fine until they lost the replication functionality this week. We noticed the issue the last time we created user accounts: They were not replicated to the secondary DC. Strangely though, when we tried to create them manually on the second DC, an error message was saying that they were already there, but we can't see them in the users list.

    I checked the DFS replication log and found errors (http://pastebin.com/fgEQtM4v), but I don't think the root cause is there.

    I checked the system log and found a Kerberos error (http://pastebin.com/mmFuMbAc):

    "The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server cr-amz-dc$. The target name used was DNS/dc.company.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using."

    I suspect a Kerberos issue here which prevents the controllers from replicating. It's the first time I am troubleshooting an ADDS replication issue and I am not quite sure what to do with that error message.

    I checked my SPN settings on the primary domain controller (http://pastebin.com/wNiTgbe7) and on the secondary domain controller (pasting here because pastebin isn't working):

    setspn -L DC2

    Registered ServicePrincipalNames for CN=DC2,OU=Domain Controllers,DC=company,DC=local:

            NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/DC2.company.local

            TERMSRV/DC2.company.local

            TERMSRV/DC2

            Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC2.company.local

            DNS/DC2.company.local

            GC/DC2.company.local/company.local

            HOST/DC2.company.local/company.local

            HOST/DC2.company.local/company

            ldap/3967f85a-8781-498c-b86e-134fa02165a5._msdcs.company.local

            ldap/DC2.company.local/company

            ldap/DC2

            ldap/DC2.company.local

            ldap/DC2.company.local/ForestDnsZones.company.local

            ldap/DC2.company.local/DomainDnsZones.company.local

            ldap/DC2.company.local/company.local

            E3514235-4B06-11D1-AB04-00C04FC2DCD2/3967f85a-8781-498c-b86e-134fa02165a5/company.local

            HOST/DC2

            HOST/DC2.company.local

    ==========================================================================================

    I've tried to run repadmin to get more information:

    repadmin /kcc

    Repadmin: running command /kcc against full DC localhost
    Default-First-Site-Name
    Current Site Options: (none)
    DsReplicaConsistencyCheck() failed with status 8453 (0x2105):
        Replication access was denied.

    repadmin /showrep


    Repadmin: running command /showrepl against full DC localhost

    Default-First-Site-Name\DC2

    DSA Options: IS_GC 

    Site Options: (none)

    DSA object GUID: 3967f85a-8781-498c-b86e-134fa02165a5

    DSA invocationID: 76cb87a2-fe9d-438e-8d39-5dc34a635ba0



    ==== INBOUND NEIGHBORS ======================================



    DC=company,DC=local

        Default-First-Site-Name\DC via RPC

            DSA object GUID: e1a3dcb1-4e5f-469d-9c32-b4ef0845b376

            Last attempt @ 2012-05-17 14:48:42 failed, result -2146893022 (0x80090322):

                The target principal name is incorrect.

            4554 consecutive failure(s).

            Last success @ 2012-04-18 17:06:42.



    CN=Configuration,DC=company,DC=local

        Default-First-Site-Name\DC via RPC

            DSA object GUID: e1a3dcb1-4e5f-469d-9c32-b4ef0845b376

            Last attempt @ 2012-05-17 14:46:33 failed, result -2146893022 (0x80090322):

                The target principal name is incorrect.

            698 consecutive failure(s).

            Last success @ 2012-04-18 15:54:12.



    CN=Schema,CN=Configuration,DC=company,DC=local

        Default-First-Site-Name\DC via RPC

            DSA object GUID: e1a3dcb1-4e5f-469d-9c32-b4ef0845b376

            Last attempt @ 2012-05-17 14:46:33 failed, result -2146893022 (0x80090322):

                The target principal name is incorrect.

            692 consecutive failure(s).

            Last success @ 2012-04-18 15:54:12.



    DC=DomainDnsZones,DC=company,DC=local

        Default-First-Site-Name\DC via RPC

            DSA object GUID: e1a3dcb1-4e5f-469d-9c32-b4ef0845b376

            Last attempt @ 2012-05-17 14:46:33 failed, result 1256 (0x4e8):

                The remote system is not available. For information about network troubleshooting, see Windows Help.

            3429 consecutive failure(s).

            Last success @ 2012-04-18 17:07:01.

    DC=ForestDnsZones,DC=company,DC=local

        Default-First-Site-Name\DC via RPC

            DSA object GUID: e1a3dcb1-4e5f-469d-9c32-b4ef0845b376

            Last attempt @ 2012-05-17 14:46:33 failed, result 1256 (0x4e8):

                The remote system is not available. For information about network troubleshooting, see Windows Help.

            693 consecutive failure(s).

            Last success @ 2012-04-18 17:06:58.

    DsReplicaGetInfo() failed with status 8453 (0x2105):

        Replication access was denied.

    DsReplicaGetInfo() failed with status 8453 (0x2105):

        Replication access was denied.

    ===========================

    Any help would be greatly appreciated

    Cheers

    Thursday, May 17, 2012 1:52 PM
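The Kerberos event in the post names the condition to look for: an SPN such as DNS/dc.company.local registered on an account other than the one the target DC actually runs under. The script below is an added example, not part of the original post or of any Microsoft tool; it assumes the ActiveDirectory PowerShell module (RSAT) and a domain account that can read every object's servicePrincipalName. It goes a little beyond the single SPN in the event: it reports every SPN held by more than one account in the domain, then checks that each DC's DNS/, ldap/ and HOST/ SPNs sit only on that DC's computer object.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module and read access to servicePrincipalName on all domain objects.
Import-Module ActiveDirectory

# Every object that carries at least one SPN (computers, users, MSAs).
$objects = Get-ADObject -LDAPFilter '(servicePrincipalName=*)' `
                        -Properties servicePrincipalName

# SPN -> list of distinguished names. SPN matching is case-insensitive,
# so normalise the key before grouping.
$bySpn = @{}
foreach ($obj in $objects) {
    foreach ($spn in $obj.servicePrincipalName) {
        $key = $spn.ToLowerInvariant()
        if (-not $bySpn.ContainsKey($key)) { $bySpn[$key] = @() }
        $bySpn[$key] += $obj.DistinguishedName
    }
}

# 1) An SPN on two accounts means the KDC may encrypt the service ticket
#    with the wrong account's key; the service then reports
#    KRB_AP_ERR_MODIFIED exactly as in the event above.
$dupes = $bySpn.GetEnumerator() | Where-Object { $_.Value.Count -gt 1 }
if ($dupes) {
    Write-Host 'Duplicate SPNs:' -ForegroundColor Yellow
    $dupes | ForEach-Object { "{0}`n    {1}" -f $_.Key, ($_.Value -join "`n    ") }
} else {
    Write-Host 'No duplicate SPNs in the domain.'
}

# 2) For each DC, the SPNs a replication partner uses (DNS/, ldap/, HOST/
#    on the DC's FQDN) must exist and must be on the DC's own computer
#    object and nowhere else. GC/ is skipped: it carries the forest name.
foreach ($dc in Get-ADDomainController -Filter *) {
    $fqdn = $dc.HostName.ToLowerInvariant()
    $own  = $dc.ComputerObjectDN
    foreach ($svc in 'dns', 'ldap', 'host') {
        $key     = "$svc/$fqdn"
        $holders = $bySpn[$key]
        if (-not $holders) {
            "MISSING   $key (expected on $own)"
        } elseif (@($holders | Where-Object { $_ -ne $own }).Count -gt 0) {
            "MISPLACED $key is held by: $($holders -join ', ')"
        }
    }
}
```

Run it from either DC; a MISSING or MISPLACED line for the partner's DNS/ or ldap/ SPN is the registration mismatch the event text describes, and the duplicate list tells you which account also holds it.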
