Trying to determine how to clear a replication issue. Have a multi-domain/multi-forest configuration. Trying to stand up a new DC/GC in an existing domain and getting errors which are preventing it from completing replication of the PAS and becoming a GC. The replication problem seems to be isolated to one particular site. At the site, there are currently 2 DCs/GCs (DC1.firstdomain.contoso.com and DC2.firstdomain.contoso.com). In AD Sites and Services, I see the auto-generated connections. DC2 has one connection to DC1. DC1 has two connections: one to DC2 and another to a DC in a neighboring site (NDC1.firstdomain.contoso.com). If I choose Replicate Now on the connection between DC1 and DC2, I get the following error:
Synchronization attempt failed because the destination DC is currently waiting to synchronize new partial attributes from source. This condition is normal if a recent schema change modified the partial attribute set. The destination partial attribute set is not a subset of source partial attribute set. The operation will not continue.
There have been no schema changes to my knowledge. If I try to replicate now on the connection between DC1 and NDC1, I get the following error: The following error occurred during the attempt to synchronize naming context seconddomain.contoso.com from Domain Controller NDC1 to Domain Controller DC1: The naming context is in the process of being removed or is not replicated from the specified server. The operation will not continue.
I can ping/resolve with no issues between the two boxes. The following are items of interest during a dcdiag:
Starting test: MachineAccount
Warning: Attribute userAccountControl of DC1 is: 0x82020 = (PASSWD_NOTREQD | SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION)
Typical setting for a DC is: 0x82000 = (SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION)
This may be affecting replication?
................................DC1 passed test MachineAccount
Starting test: Replications
[Replications Check, DC1] A recent replication attempt failed:
From DC2 to DC1
Naming Context: DC=seconddomain,DC=contoso,DC=com
The replication generated an error(8464): Synchronization attempt failed because the destination DC is currently waiting to synchronize new partial attributes from source. This condition is normal if a recent schema change modified the partial attribute set. The destination partial attribute set is not a subset of source partial attribute set.
The failure occurred at 2012-11-17 08:00:00.
The last success occurred at 2012-10-09 23:00:00
1 failures have occurred since the last success.
Try synchronizing the Schema partition on all servers in the forest.
When running repadmin /showrepl, there is this entry:
Naming context: DC=seconddomain,DC=contoso,DC=com
Source: SITE1\NDC1
***Warning: KCC could not add this REPLICA LINK due to error.
In the Directory Service event log, I'm seeing event 1864: This is the replication status for the following directory partition of this directory server.
Directory partition:
DC=seconddomain,DC=contoso,DC=com
This directory server has not recently received replication information from a number of directory servers. The count of directory servers is shown, divided into the following intervals.
More than 24 hours:
32
More than a week:
32
More than one month:
32
More than two months:
0
More than a tombstone lifetime:
0
Tombstone lifetime (days):
180
Directory servers that do not replicate in a timely manner may encounter errors. They may miss password changes and be unable to authenticate. A DC that has not replicated in a tombstone lifetime may have missed the deletion of some objects, and may be automatically blocked from future replication until it is reconciled.
What started this investigation was people from the site where DC1/DC2 are located complaining that GPOs were not being applied successfully, which makes sense given the fact that there are replication issues.
Any ideas?
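
As an added example (not part of the original post), the dcdiag and event 1864 text above can be turned into a measure of how long each failing link has gone without a successful sync and how much of the 180-day tombstone lifetime remains. The function name Get-ReplicationStaleness and the abridged sample text are assumptions made for illustration.

```powershell
# Constructed sample input: abridged from the dcdiag output and event 1864 quoted in the post.
$dcdiagText = @'
[Replications Check, DC1] A recent replication attempt failed:
From DC2 to DC1
Naming Context: DC=seconddomain,DC=contoso,DC=com
The replication generated an error(8464): Synchronization attempt failed
The failure occurred at 2012-11-17 08:00:00.
The last success occurred at 2012-10-09 23:00:00
1 failures have occurred since the last success.
'@
$eventText = @'
Tombstone lifetime (days):
180
'@

# Hypothetical helper: emits one object per failed replication link found in dcdiag text.
function Get-ReplicationStaleness {
    param(
        [Parameter(Mandatory)][string]$DcdiagText,
        [Parameter(Mandatory)][string]$EventText,
        [datetime]$AsOf = (Get-Date)
    )
    # Tombstone lifetime is read from the event text rather than hard-coded.
    if ($EventText -notmatch 'Tombstone lifetime \(days\):\s*(\d+)') {
        throw 'Tombstone lifetime not found in event text.'
    }
    $tsl = [int]$Matches[1]
    # "occurr?ed" accepts either spelling of the word in pasted output.
    $pattern = '(?s)From (?<src>\S+) to (?<dst>\S+)\s+Naming Context: (?<nc>\S+)' +
               '.*?error\((?<err>\d+)\).*?last success occurr?ed at ' +
               '(?<ok>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)'
    $inv = [Globalization.CultureInfo]::InvariantCulture
    foreach ($m in [regex]::Matches($DcdiagText, $pattern)) {
        $last = [datetime]::ParseExact($m.Groups['ok'].Value, 'yyyy-MM-dd HH:mm:ss', $inv)
        $age  = ($AsOf - $last).TotalDays
        [pscustomobject]@{
            Source             = $m.Groups['src'].Value
            Destination        = $m.Groups['dst'].Value
            NamingContext      = $m.Groups['nc'].Value
            Error              = [int]$m.Groups['err'].Value
            DaysSinceSuccess   = [math]::Round($age, 1)
            DaysUntilTombstone = [math]::Round($tsl - $age, 1)
            PastTombstone      = $age -gt $tsl
        }
    }
}

# Evaluated at the failure time reported in the post so the result is reproducible.
Get-ReplicationStaleness -DcdiagText $dcdiagText -EventText $eventText -AsOf ([datetime]'2012-11-17 08:00:00')
```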