AnkitPatel-2440 asked DaisyZhou-MSFT commented

1203 The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.

While promoting the 2016 domain controller, the promotion showed success and the server restarted. After the restart, when I logged in and checked the dcpromo logs, they showed "Active Directory Domain Services will attempt to synchronize the schema before attempting to synchronize the following directory partition DC=xyz,DC=com". The FSMO role holder is still a 2012 R2 server with FFL and DFL at 2008 R2, and all 2012 R2 domain controllers have migrated to DFSR state Eliminated. Kindly let me know if anyone has come across such a scenario.

Tags: windows-server, windows-active-directory, windows-server-migration

Hello @AnkitPatel-2440,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou


Hello @AnkitPatel-2440,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou

DSPatrick answered AnkitPatel-2440 commented

Something here may help.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/schema-mismatch-error-ad-installation-wizard-dcpromo

--please don't forget to Accept as answer if the reply is helpful--

Thanks Patrick - Url helped a lot

I think I found the issue but still not clear which commands to run.

One of the objects on the 2012 R2 server is showing an ACL error: error 1450 "The security descriptor propagation task could not calculate a new security descriptor for the following object."
Object:
CN=Tom,OU=test,DC=abc,DC=com

So I need help to reset the ACL for this user. Which command should I use?

dsacls "CN=Tom,OU=test,DC=abc,DC=com" /S /T

Should I use both switches, /S and /T, or will /S alone reset the ACL?

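Added example (editor's note, not code from any post in this thread): before running dsacls against the object named in the 1450/1203 events, save its current security descriptor so the reset can be reverted, then reset it and show which explicit ACEs changed. Per the dsacls documentation, /S restores the object to the schema default for its object class, and /T extends that to the subtree below the object and is only valid together with /S; a single user object therefore only needs /S. Assumptions: the ActiveDirectory RSAT module is installed, the script runs as a Domain Admin, the DN is the one from the thread, and `$backupDir` is a location of your choosing.

```powershell
# Added example, not code from the original thread: back up the security
# descriptor of the object named in the 1450/1203 events, reset it with dsacls,
# and show what changed. Assumes the ActiveDirectory module (RSAT) is installed,
# you are a Domain Admin, and $dn / $backupDir are the values you want.
Import-Module ActiveDirectory

$dn        = 'CN=Tom,OU=test,DC=abc,DC=com'    # DN from the thread
$backupDir = Join-Path $env:TEMP 'acl-backup'   # assumed backup location
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

# Explicit (non-inherited) ACEs as sortable strings. Inherited entries are
# recomputed by the security descriptor propagator after a reset, so they are
# left out of the before/after comparison.
function Get-ExplicitAceSummary ([string]$DistinguishedName) {
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            '{0}|{1}|{2}|{3}' -f $_.IdentityReference, $_.AccessControlType,
                                 $_.ActiveDirectoryRights, $_.ObjectType
        } | Sort-Object
}

# 1. Save the full descriptor as SDDL so the reset can be reverted if needed.
$before = Get-Acl -Path "AD:\$dn"
$before.Sddl | Set-Content -Path (Join-Path $backupDir 'Tom.before.sddl')
$beforeAces = @(Get-ExplicitAceSummary $dn)

# 2. Reset the object to the schema default for its class.
#    /S on its own is what a single leaf object such as a user needs; /T extends
#    the reset to the subtree below the object and is only valid together with /S.
dsacls $dn /S
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# 3. Re-read and diff the explicit ACEs.
$afterAces = @(Get-ExplicitAceSummary $dn)
$diff = Compare-Object -ReferenceObject $beforeAces -DifferenceObject $afterAces
if ($diff) {
    Write-Host "Explicit ACEs changed ('<=' removed, '=>' added):"
    $diff | Format-Table InputObject, SideIndicator -AutoSize
} else {
    Write-Host 'No explicit ACE changed; the object already matched the schema default.'
}

# 4. Push the change to every partner so the new DC retries the object.
repadmin /syncall /AdeP
```

To revert, load the saved SDDL into the object's ACL with `SetSecurityDescriptorSddlForm` and write it back with `Set-Acl -Path "AD:\$dn"`. Run the reset on the DC that logged event 1450 (the PDC in this thread), since that is the copy of the object the new DC is failing to pull.
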
DaisyZhou-MSFT answered AnkitPatel-2440 commented

Hello @AnkitPatel-2440,

Thank you for posting here.

Based on the description "The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.", do you know the error message occurs between which two DCs (source DC and target DC)?


We can check AD replication status in the AD forest by running commands below on PDC.

repadmin /showrepl >c:\repsum1.txt

repadmin /replsum >c:\repsum2.txt

repadmin /showrepl /csv >c:\repsum.csv

If there is no error message in any of the results, it means AD replication works fine.


Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

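Added example (editor's note, not code from any post in this thread): rather than reading the three repadmin text files by hand, parse `repadmin /showrepl * /csv` into objects and list only the partner links that report failures, then pull the failures the directory itself recorded with `Get-ADReplicationFailure`. Assumes repadmin.exe and the ActiveDirectory RSAT module are available and the script runs with rights to query every DC.

```powershell
# Added example, not code from the original thread: summarise forest-wide AD
# replication health from repadmin's CSV output. Assumes repadmin.exe and the
# ActiveDirectory module are installed and you can query every DC.
Import-Module ActiveDirectory

# Every inbound link on every DC, one object per row. The column names used
# below are the documented headers of "repadmin /showrepl /csv".
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

# A link with a non-zero failure count is not replicating.
$failing = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }

if (-not $failing) {
    Write-Host 'All inbound replication links report 0 failures.'
} else {
    $failing |
        Sort-Object 'Destination DSA', 'Source DSA' |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Status', 'Last Success Time' |
        Format-Table -AutoSize
}

# The same failures as recorded by the directory service, newest first. This
# is the data "repadmin /replsum" summarises, but with the source/target pair
# and the Win32 error code in separate fields.
Get-ADReplicationFailure -Scope Forest |
    Sort-Object FirstFailureTime -Descending |
    Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError |
    Format-Table -AutoSize
```

For the problem in this thread, the 'Last Failure Status' column (and `LastError` from the second command) is the field to read: a schema mismatch surfaces there as status 8418, which is the error that DSPatrick's second link below is about. The 'Destination DSA' and 'Source DSA' columns of that row answer Daisy's question about which two DCs are involved.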

Hi Daisy,

On my PDC (2012 R2) I can see error event ID 1450: "The security descriptor propagation task could not calculate a new security descriptor for the following object."
Object:
CN=Tom,OU=test,DC=abc,DC=com

I think if I can clear this error from my existing 2012R2 servers then the initial synchronization on new 2016 domain controllers will be fine.

Another thing which I observed is that the output of the command dfsrmig /getmigrationstate shows pending for new 2016 domain controller.

I had already reached the Eliminated state for all 2012 R2 DCs, but after promoting the 2016 DC it is showing DFSR state "Start" for the 2016 server.

Regards,
Ankit

AnkitPatel-2440 answered

Hi Patrick/Daisy,

I have gone through the URL - https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/schema-mismatch-error-ad-installation-wizard-dcpromo

I have DC1 and DC2 running on 2012 R2. I promoted a new 2016 DC and everything went fine; after promotion the server restarted, and when I logged in and checked dcpromo.log it said Warning NTDS replication / Replication : 1203
The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.
object:
CN=Tom,OU=test,DC=abc,DC=com.

I also saw event ID 1450 on my PDC for the same object

I didn't see any error while promoting my new 2016 DC. But on my new 2016 DC I see the below events.
Directory service Error event ID 1791 and Warning event ID 1203 referencing the same object.
DNS server Warning event ID 4013

I found the same issue description from this URL - https://blog.markdepalma.com/?p=59

Above URL is asking to reset ACL.

Kindly suggest can I go ahead with this approach.

Regards,
Ankit

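Added example (editor's note, not code from any post in this thread): the events listed in this post live on different DCs (1450 on the source PDC, 1203/1791 on the new 2016 DC, DNS 4013 on the new DC because the directory has not finished its initial sync), so it helps to collect them from every DC into one table and group them by the object DN they name. Assumptions: the ActiveDirectory RSAT module is installed, remote event log access to each DC works, the `$hours` window suits your case, and the object DN appears on its own line inside the 1203/1450 message text (as it does in the messages quoted in this thread).

```powershell
# Added example, not code from the original thread: collect the Directory
# Service events 1203, 1450 and 1791 plus DNS Server event 4013 from every DC
# and group them by the object they name. Assumes the ActiveDirectory module,
# remote event log access to each DC, and that $hours is adjusted as needed.
Import-Module ActiveDirectory

$hours = 24                                   # assumed look-back window
$since = (Get-Date).AddHours(-$hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

$filters = @(
    @{ LogName = 'Directory Service'; Id = 1203, 1450, 1791; StartTime = $since },
    @{ LogName = 'DNS Server';        Id = 4013;             StartTime = $since }
)

$hits = foreach ($dc in $dcs) {
    foreach ($f in $filters) {
        # Get-WinEvent raises an error when nothing matches, which is the normal
        # result on a healthy DC, so that case is silenced.
        Get-WinEvent -ComputerName $dc -FilterHashtable $f -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lines = $_.Message -split "`r?`n"
                [pscustomobject]@{
                    DC      = $dc
                    Time    = $_.TimeCreated
                    Log     = $_.LogName
                    EventId = $_.Id
                    # Assumption: for 1203/1450 the object DN is on its own line.
                    Object  = ($lines | Where-Object { $_.Trim() -match '^(CN|OU|DC)=' } |
                               Select-Object -First 1).Trim()
                    Summary = $lines[0]
                }
            }
    }
}

# Everything in one timeline, across all DCs.
$hits | Sort-Object Time | Format-Table DC, Time, EventId, Object, Summary -AutoSize -Wrap

# Objects that show up as 1450 on the source DC and 1203 on the new DC are the
# ones whose security descriptor has to be fixed before the initial sync can
# complete (and before DNS 4013 stops repeating on the new DC).
$hits |
    Where-Object { $_.EventId -in 1203, 1450 -and $_.Object } |
    Group-Object Object |
    Select-Object Name, Count,
                  @{ n = 'EventIds'; e = { ($_.Group.EventId | Sort-Object -Unique) -join ',' } },
                  @{ n = 'DCs';      e = { ($_.Group.DC      | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

If the grouped list shows more than one object, each needs the same treatment as CN=Tom; if it shows only CN=Tom, resetting that one descriptor on the PDC and forcing replication is enough to let the new DC finish its initial synchronization.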
DSPatrick answered

Might work through this one.
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/replication-error-8418


--please don't forget to Accept as answer if the reply is helpful--