Event ID 1977 — Replication Changes

Applies To: Windows Server 2008 R2

The replication process in Active Directory Domain Services (AD DS) ensures that domain controllers are able to maintain a consistent and updated Active Directory database. Because the Active Directory database holds essential information about user, group, and computer accounts, as well as other resources and services and the network configuration, keeping this information consistent on all the domain controllers is important. Failure of the Active Directory replication process can result in the following problems:

  • Failure of applications that rely on consistent Active Directory information to function properly
  • Logon rejections
  • Password change failures
  • Network service failures
  • Incorrect or outdated information retrieval

For more information, see How Active Directory Replication Topology Works (https://go.microsoft.com/fwlink/?LinkID=93526).

Event Details

Product: Windows Operating System
ID: 1977
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_DRA_REPLICATION_ALL_ACCESS_DENIED_DC
Message: The following directory service made a replication request for a writable directory partition that has been denied by the local directory service. The requesting directory service does not have access to a writable copy of this directory partition.

Requesting directory service:
%2
Directory partition:
%1

User Action
If the requesting directory service must have a writable copy of this partition, verify that the security descriptor on this directory partition has the correct configuration for the Replication Get Changes All access right. You may also get this message during the transition period after a child partition has been removed. This message will cease when knowledge of the child partition removal has replicated throughout the forest.

Resolve

Ensure that the security descriptors are set correctly on the directory partition

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To ensure that the security descriptor is set correctly on the directory partition:

  1. On any domain controller in the domain, open ADSI Edit. To open ADSI Edit, click Start. In Start Search, type ADSIEdit.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  2. If the directory partition from the error message does not appear, in the console tree, right-click ADSI Edit, and then click Connect to. In Connection Point, type the Lightweight Directory Access Protocol (LDAP) path of the partition from the error message into Select or type a Distinguished Name or Naming Context (for example, DC=cpandl,DC=com), and then click OK.

  3. In the console tree, expand the object that represents the naming context of the partition from the error message. You should see another object with the LDAP path (for example, DC=cpandl,DC=com) that was identified in the event message text.

  4. Right-click the object that has the name of the LDAP path from the event message text, and then click Properties.

  5. On the Security tab, in the Group or user names box, click Enterprise Read-only Domain Controllers. If the Enterprise Read-only Domain Controllers group, or any other group that is mentioned in the following steps, does not appear in the Group or user names box, click Add. Type the name of the group, and then click OK.

  6. In Permissions for Enterprise Read-only Domain Controllers, ensure that the Allow check box is selected for the permission Replicating directory changes. If you are configuring permissions on the Schema partition, also ensure that the Allow check box is selected for the permissions Replicating Directory Changes In and Replicating directory changes all.

  7. In Group or user names, click ENTERPRISE DOMAIN CONTROLLERS.

  8. In Permissions for ENTERPRISE DOMAIN CONTROLLERS, ensure that the Allow check box is selected for the following permissions: Replicating directory changes, Replicating Directory Changes In, Replicating directory changes all, and Replication synchronization.

    If you are configuring a domain partition, proceed with the next step. If you are not configuring a domain partition, you may skip the next two steps.

  9. In the Group or user names box, click Domain Controllers.

  10. In Permissions for Domain Controllers, ensure that the Allow check box is selected for the permission Replicating directory changes all.

  11. Click OK.

  12. Close ADSI Edit.

Note: In ADSI Edit, the permission "Replicating Directory Changes All" may be missing the final letter of the word "All." The permission shown as Replicating Directory Changes In should read Replicating Directory Changes In Filtered Set, as it appears correctly in other interfaces.
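The ADSI Edit steps above can be checked from a script as well. The following PowerShell is an added example and is not part of the Microsoft article: it reads the security descriptor of one partition and reports whether the Allow entries that steps 5 through 10 expect are present, then lists any other principal that holds Replicating Directory Changes All on that partition so it can be reviewed. It assumes the RSAT ActiveDirectory module (which provides the AD: drive used by Get-Acl) and a Domain Admins session; the default partition name is the page's own DC=cpandl,DC=com placeholder, and the -DomainPartition switch is an assumed parameter that tells the script steps 9 and 10 apply.

```powershell
# Added example, not from the Microsoft article: audit the replication
# control access rights on one directory partition against the ACEs that
# steps 5-10 of the ADSI Edit procedure expect.
# Assumptions: RSAT ActiveDirectory module is installed (AD: drive), and the
# script runs as a member of Domain Admins. Pass the DN reported in the
# event's "Directory partition" field (%1) as -PartitionDN.
param(
    [string]$PartitionDN = 'DC=cpandl,DC=com',   # placeholder DN from the article
    [switch]$DomainPartition                      # set for a domain partition (steps 9-10)
)
Import-Module ActiveDirectory -ErrorAction Stop

# rightsGuid values of the replication controlAccessRight objects in the
# Extended-Rights container; Get-Acl exposes them as the ACE ObjectType.
$ReplRight = @{
    'Replicating Directory Changes'                 = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All'             = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes In Filtered Set' = [guid]'89e95b76-444d-4c62-991a-0facbeda640c'
    'Replication Synchronization'                   = [guid]'1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'
}

# Expected holders per the procedure: step 6 (ERODC), step 8 (Enterprise DCs),
# and step 10 (Domain Controllers) only when the target is a domain partition.
$Expected = @(
    @{ Principal = 'Enterprise Read-only Domain Controllers'; Rights = @('Replicating Directory Changes') },
    @{ Principal = 'ENTERPRISE DOMAIN CONTROLLERS';           Rights = @($ReplRight.Keys) }
)
if ($DomainPartition) {
    $Expected += @{ Principal = 'Domain Controllers'; Rights = @('Replicating Directory Changes All') }
}

# An ACE grants an extended right when it is an Allow entry carrying the
# ExtendedRight bit and its ObjectType is either that right's GUID or the
# empty GUID (which covers every extended right, as a GenericAll entry does).
function Test-AceGrantsRight {
    param($Ace, [guid]$RightGuid)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $ext = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    if (($Ace.ActiveDirectoryRights -band $ext) -eq 0) { return $false }
    return ($Ace.ObjectType -eq $RightGuid -or $Ace.ObjectType -eq [guid]::Empty)
}

$acl = Get-Acl -Path "AD:\$PartitionDN"

# One row per expected (principal, right) pair. IdentityReference is usually
# "DOMAIN\Group" or "NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS", so match on
# the account name after the backslash; an unresolved SID will show as missing.
$report = foreach ($e in $Expected) {
    foreach ($name in $e.Rights) {
        $pattern = '\\' + [regex]::Escape($e.Principal) + '$'
        $held = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -match $pattern -and
            (Test-AceGrantsRight -Ace $_ -RightGuid $ReplRight[$name])
        }).Count -gt 0
        New-Object PSObject -Property @{ Principal = $e.Principal; Right = $name; Present = $held }
    }
}
$report | Format-Table Principal, Right, Present -AutoSize

# Review list: any principal outside the expected set that holds Replicating
# Directory Changes All can replicate the partition's full contents, so
# surface those entries (inherited ones included) for an administrator to check.
$expectedNames = $Expected | ForEach-Object { $_.Principal }
$acl.Access | Where-Object {
    (Test-AceGrantsRight -Ace $_ -RightGuid $ReplRight['Replicating Directory Changes All']) -and
    ($expectedNames -notcontains ($_.IdentityReference.Value -replace '^.*\\'))
} | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Run it once with the partition DN from the event and, for a domain partition, with -DomainPartition; a False in the Present column points at the step in the procedure that still needs to be applied, while the second table is the list to reconcile against your change records before anything is removed.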

Verify

Perform the following tasks using the domain controller from which you want to verify that Active Directory replication is functioning properly.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To verify that Active Directory replication is functioning properly:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Run the command repadmin /showrepl. This command displays the status reports on all replication links for the domain controller. Active Directory replication is functioning properly on this domain controller if all status messages report that the last replication attempt was successful.

If there are any indications of failure or error in the status report following the last replication attempt, Active Directory replication on the domain controller is not functioning properly. If the repadmin command reports that replication was delayed for a normal reason, wait and try repadmin again in a few minutes.
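Reading the status of every link by eye is error-prone on a domain controller with many partners, so here is an added PowerShell example (not from the Microsoft article) that turns repadmin /showrepl output into objects and filters to the links that report failures. It assumes that repadmin /showrepl /csv emits one row per replication link with the column names used below (the header row begins with showrepl_COLUMNS); the sample rows are constructed so the function can be exercised offline, and the live command is shown at the end.

```powershell
# Added example, not from the Microsoft article: parse repadmin /showrepl /csv
# and report the replication links whose last attempt did not succeed.
# Assumption: the CSV columns are named as in the constructed header below;
# if your repadmin build names them differently, adjust the property names.
function Get-ReplLinkStatus {
    param([string[]]$CsvLines)
    $CsvLines | ConvertFrom-Csv | ForEach-Object {
        $failures = [int]$_.'Number of Failures'
        New-Object PSObject -Property @{
            Partition   = $_.'Naming Context'
            Source      = $_.'Source DSA'
            Failures    = $failures
            LastSuccess = $_.'Last Success Time'
            LastStatus  = $_.'Last Failure Status'
            Healthy     = ($failures -eq 0)
        }
    }
}

# Constructed sample in repadmin's CSV layout: one healthy link and one link
# whose last status is 8453 (ERROR_DS_DRA_ACCESS_DENIED), the status a denied
# replication request such as the one behind Event ID 1977 produces.
$sample = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status',
    'showrepl_INFO,Default-First-Site-Name,DC1,"DC=cpandl,DC=com",Default-First-Site-Name,DC2,RPC,0,0,2009-01-01 10:00:00,0',
    'showrepl_INFO,Default-First-Site-Name,DC1,"CN=Schema,CN=Configuration,DC=cpandl,DC=com",Default-First-Site-Name,DC2,RPC,3,2009-01-01 10:05:00,2009-01-01 09:00:00,8453'
)

# Offline run against the constructed rows: prints only the failing schema link.
Get-ReplLinkStatus -CsvLines $sample |
    Where-Object { -not $_.Healthy } |
    Format-Table Partition, Source, Failures, LastSuccess, LastStatus -AutoSize

# Live run on the domain controller being verified (step 2 above). An empty
# result means every link reported a successful last attempt.
# Get-ReplLinkStatus -CsvLines (repadmin /showrepl /csv) | Where-Object { -not $_.Healthy }
```

If the live run shows a link with a non-zero Last Failure Status, that is the same condition the text describes as "indications of failure or error in the status report"; when the status is a transient delay, rerun after a few minutes before treating it as a fault.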
