Channel: Directory Services forum

RODC replicate single object DNS partition (access denied) - new


Hi,

I have exactly the same issue as the one discussed in https://social.technet.microsoft.com/Forums/office/en-US/7fe92204-b931-42e9-9ae6-21552602b092/rodc-replicate-single-object-dns-partition-access-denied?forum=winserverDS&prof=required

But I was asked to start a new topic for that, so I am writing this question:

I have a 2008 R2 RODC that is logging Event 4015 in the DNS Server logs every 3 minutes -

Event 4015 -

The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "00002105: SvcErr: DSID-03210BEB, problem 5012 (DIR_ERROR), data 0". The event data contains the error

----------------------

The writeable DC the RODC is attempting to replicate single object with has the following errors -

Event 2883 -

The following directory service made a replication request to replicate attributes in filtered set that has been denied by the local directory service. The requesting directory service does not have access to replicate attributes in the filtered set.

Requesting directory service: xxxx-xxxx-xxxx-xxxx (xxxx.DC.COM)

Directory partition: DC=DomainDnsZones,DC=DC,DC=COM

User Action

If the requesting directory service should get attributes in filtered list, verify that the security descriptor on this directory partition has the correct configuration for the Replication Get Changes In Filtered Set access right.  You may also get this message when the attributes in filtered set are different between source and destination DCs because of recent schema change. This message will cease when the schema is in sync between the destination and source DCs.

--------------------

Event 1699 -

This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.

Directory partition: DC=xxxx,DC=DC.COM,cn=MicrosoftDNS,DC=DomainDnsZones,DC=DC,DC=COM

Network address: xxxx-xxxx-xxxx-xxxx._msdcs.DC.COM

Extended request code: 6

Additional Data Error value: 8453 Replication access was denied.

------------------

No other tests I have run fail; all other aspects of replication are working, including the replication of the DNS partition and replicate single object for other partitions.

Running Repadmin /replsingleobj for a DNS object causes the same error.

I am at a loss to find what can be causing the RODC to be denied access to only replicate single object on the DNS partition.

Thank you and best regards,

Sven
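
The check that the "User Action" text of Event 2883 asks for, as an added example that is not part of the original post: it lists which principals hold the replication control access rights, including Replication Get Changes In Filtered Set, on the partition named in the event. It assumes the RSAT ActiveDirectory module is available; `Get-ReplicationAce` is a hypothetical helper name, and the partition DN is the placeholder value from the post.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl below

# rightsGuid values of the replication control access rights, plus the
# all-zero GUID, which on an ExtendedRight ACE means "all extended rights".
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
    '00000000-0000-0000-0000-000000000000' = 'All extended rights'
}

# Get-ReplicationAce is a hypothetical helper name (assumption, not a built-in cmdlet).
function Get-ReplicationAce {
    param([Parameter(Mandatory = $true)][string]$PartitionDn)

    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    # Keep only ACEs that carry the ExtendedRight bit and name one of the rights above.
    (Get-Acl -Path "AD:\$PartitionDn").Access |
        Where-Object {
            ($_.ActiveDirectoryRights -band $extended) -and
            $ReplRights.ContainsKey($_.ObjectType.ToString())
        } |
        Select-Object @{ n = 'Partition'; e = { $PartitionDn } },
                      @{ n = 'Right';     e = { $ReplRights[$_.ObjectType.ToString()] } },
                      IdentityReference, AccessControlType, IsInherited
}

# Partition DN as it appears in Event 2883 (placeholder domain from the post).
Get-ReplicationAce -PartitionDn 'DC=DomainDnsZones,DC=DC,DC=COM' |
    Sort-Object Right, IdentityReference |
    Format-Table -AutoSize
```

Running the same function against a partition where replicate single object succeeds gives a baseline to compare the DomainDnsZones output against.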

