New Server 2019 domain controllers have issues with first schema sync due to problem user accounts

D R S 88 6 Reputation points
2020-12-10T02:41:27.163+00:00

Hi,

I've added 2x new 2019 domain controllers to an existing setup consisting of a 2012 and a 2008 DC. The schema version is consistent and everything looks good minus the initial schema sync.

The schema sync appears to get held up by certain AD objects, e.g. user accounts or groups. I've been googling the error codes, which indicate that accounts with corrupt ACLs will refuse to sync with the latest schema version. I found some success by disabling inheritance then reapplying default permissions to the problem user account; once this change is synced around the environment the schema continues syncing, until it hits the next problem user account.

The event viewer only shows me 1-2 problem user accounts at a time for me to fix, then I have to wait for the next sync to see the next problem accounts.

The reoccurring event log entries are:

Warning 1203 - This warning actually tells me the problem user account at the time.

Microsoft-Windows-ActiveDirectory_DomainService 1203 The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.

Then the warning actually states the user account or group which is at fault and stopping the Schema sync.

Also Error 1791

It appears as though I have many user accounts and groups where the ACLs aren't compatible with 2019's schema (according to this article: https://blog.markdepalma.com/?p=59 ).

This article describes the issue well and the fix of resetting ACL permissions, but doing these one at a time could take weeks/months, and there's also no indication of how many accounts the schema has an issue with.

Thanks
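The post's two practical gaps are that event 1203 surfaces only one or two objects per replication pass and that nothing on the DC reports how many objects are affected in total. The following PowerShell is an added example, not code from the thread or from the linked article: it collects every 1203 event from the Directory Service log on one or more DCs, extracts the object named in each, and reports the distinct set, so the fix can be planned and tracked instead of discovered one sync at a time. It assumes the 1203 message body carries a line reading "Object:" followed on the next line by the distinguished name (the page quotes only the first sentence of the event, so that layout is an assumption), and it uses `dsacls.exe /S` (restore the class-default security descriptor) as an assumed scripted stand-in for the manual "reapply default permissions" step the poster describes. Run it as a domain admin on a DC or a machine that can read the DCs' event logs remotely.

```powershell
<#
  Added example (not from the original thread or the referenced blog).
  Enumerates the objects that event 1203 (replication blocked by schema
  mismatch) has named so far, across the given DCs, and optionally resets
  their security descriptor to the schema default with dsacls /S.
  Supports -WhatIf / -Confirm for the remediation step.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$DomainController = @($env:COMPUTERNAME),
    [int]$Days = 30,
    [switch]$ResetAcl   # opt in to remediation; default is report only
)

# Event identity as quoted in the thread: provider and ID 1203 in the
# Directory Service log.
$filter = @{
    LogName      = 'Directory Service'
    ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
    Id           = 1203
    StartTime    = (Get-Date).AddDays(-$Days)
}

$sightings = foreach ($dc in $DomainController) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # ASSUMED message layout: a line "Object:" with the DN on the
                # following line. Adjust the pattern if your events differ.
                if ($_.Message -match 'Object:\s*\r?\n\s*(?<dn>[^\r\n]+)') {
                    [pscustomobject]@{
                        DistinguishedName = $Matches.dn.Trim()
                        ReportedBy        = $dc
                        LastSeen          = $_.TimeCreated
                    }
                }
            }
    }
    catch {
        Write-Warning "Could not read the Directory Service log on ${dc}: $_"
    }
}

# Collapse repeated sightings of the same object (it is logged on every
# failed replication pass) so the count reflects distinct objects.
$problemObjects = $sightings |
    Sort-Object LastSeen -Descending |
    Group-Object DistinguishedName |
    ForEach-Object { $_.Group[0] }

"{0} distinct object(s) blocked replication with event 1203 in the last {1} day(s)" -f @($problemObjects).Count, $Days
$problemObjects | Format-Table DistinguishedName, ReportedBy, LastSeen -AutoSize

if ($ResetAcl) {
    foreach ($obj in $problemObjects) {
        # dsacls /S restores the object's security descriptor to the default
        # for its object class; the inheritance-protection flag is left as is.
        # This is an assumed equivalent of the manual "reapply defaults" fix.
        if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, 'dsacls /S (restore default security)')) {
            & dsacls.exe $obj.DistinguishedName /S
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "dsacls returned $LASTEXITCODE for $($obj.DistinguishedName)"
            }
        }
    }
}
```

Run it first without `-ResetAcl` to get the count and the list; then `-ResetAcl -WhatIf` shows exactly which objects would be touched before anything is changed. Because the event is only raised for the object currently blocking the pass, the list grows with each replication cycle, so re-running the report after each round of fixes is how you see when the backlog is exhausted.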


5 answers

  1. Anonymous
    2020-12-10T03:17:21.887+00:00

    The two prerequisites to introducing the first 2019 domain controller are that the domain functional level needs to be 2008 or higher and older SYSVOL FRS replication needs to have been migrated to DFSR.
    https://techcommunity.microsoft.com/t5/Storage-at-Microsoft/Streamlined-Migration-of-FRS-to-DFSR-SYSVOL/ba-p/425405

    I'd use dcdiag / repadmin tools to verify health correcting all errors found before starting any operations. Then stand up the new 2019, patch it fully, license it, join existing domain, add active directory domain services, promote it also making it a GC (recommended), transfer FSMO roles over (optional), transfer pdc emulator role (optional), use dcdiag / repadmin tools to again verify health, when all is good you can decommission / demote old one.

    From the issues / problems you described I suspect domain was not healthy to begin with. May want to remove the 2019 DCs, fix any /all issues, and try again.

    --please don't forget to Accept as answer if the reply is helpful--


  2. D R S 88 6 Reputation points
    2020-12-10T04:03:00.31+00:00

    Hi Patrick,
    You've actually just described the process I've already gone through.
    I now have an issue with the initial Schema sync due to some apparent problem user accounts (described above).
    There were no issues until the Schema level was raised when adding server 2019.


  3. Anonymous
    2020-12-10T04:07:17.14+00:00

    Sounds good, I'd suggest starting a case here with product support.
    https://support.serviceshub.microsoft.com/supportforbusiness

    --please don't forget to Accept as answer if the reply is helpful--


  4. Vicky Wang 2,731 Reputation points
    2020-12-15T09:34:20.243+00:00

    Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,
    Vicky


  5. Vicky Wang 2,731 Reputation points
    2020-12-17T09:37:06.253+00:00

    Hi,

    Just checking in to see if the information provided was helpful.

    Please let us know if you would like further assistance.

    Best Regards,
    Vicky

