In the process of migrating DCs to new hardware. I have 2 Windows 2008R2 DCs on older servers, 1 2012R2 VM DC on Hyper-V, and 1 Windows 2012R2 DC on a new server. All was working well for several weeks. Four days ago, after a network outage on the new DC, I started getting replication errors. I noticed DNS on the new server was not populating and the server was in the wrong time zone (we don't use DST). I corrected the time zone, reset that machine's password using netdom resetpwd, and rebooted. DNS is now working but replication is not. Ran DCDiag and everything passes except for:
From GoodDC02 to BadDC3
Naming Context: DC=ourdomain,DC=com
The replication generated an error (8453):
Replication access was denied.
The failure occurred at 2018-11-13 09:46:03.
The last success occurred at 2018-11-09 09:59:37.
98 failures have occurred since the last success.
The machine account for the destination BadDC3
is not configured properly.
Check the userAccountControl field.
Kerberos Error.
The machine account is not present, or does not match on the
destination, source or KDC servers.
Verify domain partition of KDC is in sync with rest of enterprise.
The tool repadmin/syncall can be used for this purpose.
REPLICATION LATENCY WARNING
ERROR: Expected notification link is missing.
Source GoodDC02
Replication of new changes along this path will be delayed.
This problem should self-correct on the next periodic sync.
I can ping between all DCs using IP address, name, or GUID. When I run repadmin /showreps, all the other DCs are replicating but BadDC3 shows "KCC could not add this Replica Link due to error" and "error 8453 Access was denied". I followed the ADSI Edit articles and BadDC3 has delegation, DNS is set the same as the other DCs, and userAccountControl shows 0x82000 (Server_Trust_Anchor|Trusted_For_Delegation) on all servers. In AD Sites and Services I see 2 connectors between each domain controller: GoodDC01 connected to GoodDC03 and BadDC3, GoodDC02 connected to GoodDC03 and BadDC3, GoodDC03 connected to GoodDC01 and GoodDC02, except for BadDC3, which is connected to GoodDC01, GoodDC02, and GoodDC03. After two days I do not know what to look for.
Thoughts?
eburch@lasertel.com
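The checks the post walks through by hand (userAccountControl bits on each DC, repadmin failure status, the machine-account secure channel) can be gathered in one pass. The script below is an added example, not code from the original post: it assumes the RSAT ActiveDirectory module and repadmin.exe are available, that the caller can query AD, and that PowerShell remoting is enabled on the DCs for the secure-channel test. The DC name GoodDC02 in the usage line is taken from the post; everything else is illustrative.

```powershell
# Added diagnostic example (not from the original post). Assumes the ActiveDirectory
# module, repadmin.exe, AD query rights and PowerShell remoting to each DC.
Import-Module ActiveDirectory

# userAccountControl bits every writable domain controller computer object must carry.
$SERVER_TRUST_ACCOUNT   = 0x2000
$TRUSTED_FOR_DELEGATION = 0x80000
$RequiredDcUac          = $SERVER_TRUST_ACCOUNT -bor $TRUSTED_FOR_DELEGATION   # 0x82000

function Test-DcUserAccountControl {
    # One row per DC: its UAC value in hex and which required bits (if any) are absent.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $uac = [int](Get-ADComputer -Identity $dc.ComputerObjectDN -Properties userAccountControl).userAccountControl
        $missing = @()
        if (-not ($uac -band $SERVER_TRUST_ACCOUNT))   { $missing += 'SERVER_TRUST_ACCOUNT' }
        if (-not ($uac -band $TRUSTED_FOR_DELEGATION)) { $missing += 'TRUSTED_FOR_DELEGATION' }
        [pscustomobject]@{
            DC      = $dc.HostName
            UAC     = '0x{0:X}' -f $uac
            Ok      = ($missing.Count -eq 0)
            Missing = ($missing -join ', ')
        }
    }
}

function Get-FailingReplicationLink {
    # repadmin's CSV mode yields one row per (destination, source, naming context);
    # keep only rows with failures and translate the Win32 status code to its text.
    repadmin /showrepl * /csv | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        ForEach-Object {
            $code = [int]$_.'Last Failure Status'
            [pscustomobject]@{
                Destination = $_.'Destination DSA'
                Source      = $_.'Source DSA'
                NamingCtx   = $_.'Naming Context'
                Failures    = [int]$_.'Number of Failures'
                LastSuccess = $_.'Last Success Time'
                Status      = $code
                Message     = ([ComponentModel.Win32Exception]$code).Message   # 8453 -> "Replication access was denied."
            }
        }
}

function Test-DcSecureChannel {
    # Runs Test-ComputerSecureChannel on each DC against a chosen partner; a stale or
    # mismatched machine-account password on the destination surfaces here before it
    # shows up as Kerberos / 8453 replication failures.
    param([string]$PartnerDc)
    foreach ($dc in Get-ADDomainController -Filter *) {
        $ok = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
            param($p) Test-ComputerSecureChannel -Server $p
        } -ArgumentList $PartnerDc -ErrorAction SilentlyContinue
        [pscustomobject]@{ DC = $dc.HostName; SecureChannelTo = $PartnerDc; Ok = [bool]$ok }
    }
}

Test-DcUserAccountControl   | Format-Table -AutoSize
Get-FailingReplicationLink  | Format-Table -AutoSize
Test-DcSecureChannel -PartnerDc 'GoodDC02' | Format-Table -AutoSize
```

Run it from any DC as a domain admin. A DC whose Ok column is False in the first table has lost a required bit and will fail Kerberos authentication as a replication partner; a False in the third table points at the destination's own machine-account password or secure channel rather than at the replication topology, which is the distinction the 8453 message leaves open.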