Windows 2000 SID filtering prevents the replication of schema naming contexts and of configuration naming contexts (840691)


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server

SYMPTOMS

After you perform an in-place upgrade of a Microsoft Windows NT 4.0 domain and join it to an existing Microsoft Windows 2000 forest as a child domain, replication by the Active Directory directory service of the schema naming context and of the configuration naming context may not be completed successfully. Additionally, the following events may be logged on domain controllers in the upgraded domain: 
Event Type:	Warning
Event Source:	NTDS General
Event Category:	Replication 
Event ID:	1080
Description:
Replication warning: Couldn't notify directory DC_Oject_GUID._msdcs.contoso.com with changes to partition Child_Domain_Domain_Name.
Event Type:	Warning
Event Source:	NTDS Replication
Event Category:	Replication 
Event ID:	1061
Description:
Internal error: The directory replication agent (DRA) call returned error 8453 (ERROR_DS_DRA_ACCESS_DENIED).
If you use the repadmin.exe /showreps command to troubleshoot the problem, the following information is returned: 
Naming Context: CN=Schema,CN=Configuration,DC=contoso,DC=net
Source: <Inbound DC>
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=contoso,DC=net
Source: <Inbound DC>
******* WARNING: KCC could not add this REPLICA LINK due to error.
The following corresponding DS event is recorded on the parent-domain domain controller: 
Event Type:	Warning
Event Source:	NTDS Replication
Event Category:	Replication 
Event ID:	1061
Description:
Internal error: The directory replication agent (DRA) call returned error 8453.
Note The parent-domain domain controller is the source of the replication attempt.

CAUSE

This issue may occur if all the following conditions are true:
  • An external trust for a Windows NT 4.0 domain is created in the Windows 2000 Active Directory forest.
  • In the Windows 2000 Active Directory forest, security identifier (SID) filtering is enabled for this external trust.
  • The Windows NT domain is upgraded through an in-place upgrade.
  • The upgraded domain joins the existing Windows 2000 Active Directory forest as a child domain.
  • The flag for SID filtering is retained, even though the external trust is changed to internal.

RESOLUTION

To resolve this issue, use Netdom.exe to disable SID filtering for the child domain on the parent domain. To do this, type the following command at a command prompt:

netdom trust parentDom /D:ChildDom /UD:ChildDom\Administrator /PD: adminpwd /UO:ParentDom\Administrator /PO:adminpwd /filtersids:no

MORE INFORMATION

This issue does not occur with Microsoft Windows Server 2003 parent-domain domain controllers, because Windows Server 2003 includes additional checking for trust attributes.

REFERENCES

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

229896 Using Repadmin.exe to troubleshoot Active Directory replication

Modification Type:MinorLast Reviewed:12/21/2004
Keywords:kbwinservsetup kbActiveDirectoryRepl kbActiveDirectory kbprb KB840691 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.