Background
The environment has just been built using Windows Server 2016: a single forest with the root domain ad.corp.com and the child domain org.corp.com. Each domain has two domain controllers:
ad.corp.com: RDC01, RDC02
org.corp.com: SDC01, SDC02 (not built yet)
The forest and domain functional levels are all set to Windows 2008 R2.
Issues:
On SDC01, which has just been promoted, log in as Domain Admin, then run the following command:
Repadmin /syncall /d
The result returned the following error:
SyncAll reported the following errors:
Error issuing replication: 8453 (0x2105):
Replication access was denied.
From: CN=NTDS Settings,CN=RDC02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=corp,DC=com
To : CN=NTDS Settings,CN=RDC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ad,DC=corp,DC=com
Checks done so far:
1. Except for that error, Active Directory seems to be working fine. Object creation and deletion are replicated to all DCs.
2. Ran DCDiag on each DC and all DCs are clear. No errors detected.
3. The same Repadmin command was executed on the other 2 DCs and neither returned an error.
4. Executed Repadmin /replsummary and Repadmin /showrepl on EACH DC; no error is reported.
5. Installed the Microsoft Active Directory Replication Status Tool on EACH DC; no error is detected.
6. On the same DC, SDC01, if I log in using an account which is a member of "Enterprise Admins", then no error is returned when executing the command Repadmin /syncall /d.
It is clear to me that the root cause is that the sub-domain administrator doesn't have some permission set properly. I have even tried to uninstall the org.ad.corp.com domain and re-promote it again using all default values (except the functional level, which is set to Windows 2008 R2), but still the same issue.
Any suggestions?
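One way to narrow down which permission is missing is to list who holds the replication control access rights on the partitions the failing /syncall touches (the root domain NC and the Configuration NC from the error above) and check whether the child domain's admin group appears. This is an added example, not code from the original post; it assumes the RSAT ActiveDirectory module is installed on the DC and that the child domain's NetBIOS name is ORG.

```powershell
# Added example: audit which principals hold the replication extended rights
# on a naming context. Assumes the RSAT ActiveDirectory module (AD: drive).
Import-Module ActiveDirectory

# Well-known rightsGuid values of the replication control access rights.
$replRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Synchronize'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Manage-Topology'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
}

function Get-ReplicationRightHolders {
    param([Parameter(Mandatory)][string]$PartitionDN)
    # Read the security descriptor of the NC head object via the AD: drive.
    $acl = Get-Acl -Path "AD:\$PartitionDN"
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        $isExtended = ($ace.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($isExtended -and $replRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Partition = $PartitionDN
                Identity  = $ace.IdentityReference.Value
                Right     = $replRights[$guid]
                Type      = $ace.AccessControlType   # Allow or Deny
            }
        }
    }
}

# Partitions named in the post's error: root domain NC and the Configuration NC.
$partitions = 'DC=ad,DC=corp,DC=com', 'CN=Configuration,DC=ad,DC=corp,DC=com'
$holders = $partitions | ForEach-Object { Get-ReplicationRightHolders -PartitionDN $_ }
$holders | Sort-Object Partition, Identity, Right | Format-Table -AutoSize

# Does the child domain's Domain Admins group hold any of these rights?
$childAdmins = 'ORG\Domain Admins'   # assumed NetBIOS name of org.corp.com
if (-not ($holders | Where-Object { $_.Identity -eq $childAdmins })) {
    Write-Warning "$childAdmins holds no replication rights on the listed partitions"
}
```

Compare the output against the groups the working Enterprise Admins account belongs to; a Deny entry or a missing Allow for the child domain's group on either partition explains the 8453 only for that account.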