8453 Replication access was denied

Hi,

I have two 2008 R2 DC's at Headquaters and one 2008 R2 RODC (with DNS, File (DFS),  Print, DHCP) at our branch office.

After the installing the RODC we are having constant DS erros (1699, 2883) on the writable DC's (not RODC). Still things seem to work OK.

1. EventID 1699

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          21.5.2013 11:39:27
Event ID:      1699
Task Category: Replication
Level:         Error
Keywords:      Classic
User:          DOMAINNAME\RODC-SERVERNAME$
Computer:      DC-SERVERNAME.domainname.com
Description:
This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.
 
Directory partition:
DC=Temp-Sync,DC=domainname.com,cn=MicrosoftDNS,DC=DomainDnsZones,DC=domainname,DC=com
Network address:
f0de69f4-486f-4599-8ca6-9338495981cf._msdcs.domainname.com
Extended request code:
6
 
Additional Data
Error value:
8453 Replication access was denied.

===

2. EventID 2883

Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          21.5.2013 11:39:27
Event ID:      2883
Task Category: Replication
Level:         Error
Keywords:      Classic
User:          DOMAINNAME\RODC-SERVERNAME$
Computer:      DC-ServerName.domainname.com
Description:
The following directory service made a replication request to replicate attributes in filtered set that has been denied by the local directory service. The requesting directory service does not have access to replicate attributes in the filtered set.
 
Requesting directory service:
f0de69f4-486f-4599-8ca6-9338495981cf (RODC-SERVERNAME.domainname.com)
Directory partition:
DC=DomainDnsZones,DC=domainname,DC=com
 
User Action
If the requesting directory service should get attributes in filtered list, verify that the security descriptor on this directory partition has the correct configuration for the Replication Get Changes In Filtered Set access right.  You may also get this message when the attributes in filtered set are different between source and destination DCs because of recent schema change. This message will cease when the schema is in sync between the destination and source DCs.

DCDIAG

I have run dcdiag.exe but the failing test seems to just refer to the event logs with the above error messages:

- Starting test: DFSREvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... DC-SERVERNAME failed test DFSREvent

-  ......................... DC-SERVERNAME failed test KccEvent

Any idea how to fix this?

Regards

lakend