1203 The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.

Question

1203 The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.

Ankit Patel 6

While promoting 2016 domain controller promotion showed success and server restarted. After restart when i logged in and checked dcpromo logs showed Active Directory Domain services will attempt to synchronize the schema before attempting to synchronize the following directory partition DC=xyz, DC=com. FSMO role holder is still a 2012 R2 server with FFL and DFL at 2008R2 and all 2012R2 domain controller has migrated to dfsrstate eliminated. kindly let me know if anyone has come across such scenario.

Anonymous

2021-03-17T03:44:16.923+00:00

Hello @Ankit Patel ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou
Anonymous

2021-03-29T05:53:14.92+00:00

Hello @Ankit Patel ,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.

Best Regards,
Daisy Zhou

4 answers

Your answer

Anonymous

2021-03-17T03:44:16.923+00:00

Hello @Ankit Patel ,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou
Anonymous

2021-03-29T05:53:14.92+00:00

Hello @Ankit Patel ,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.

Best Regards,
Daisy Zhou

Answer 1

Hi Patrick/Daisy,

I have gone through the uRL - https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/schema-mismatch-error-ad-installation-wizard-dcpromo

I have DC1 and DC2 running on 2012R2 - I promoted a new DC 2016 and everything went fine after promotion server restarted and when I logged in and checked dcpromo.log said Warning NTDS replication / Replication : 1203
The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.
object:
CN=Tom,OU=test,DC=abc,DC=com.

I also saw event ID 1450 on my PDC for the same object

I didnt see any error while promoting my new 2016 DC. But on my new 2016 DC I see the below events.
Directory service Error event ID 1791 and Warning event ID 1203 referencing the same object.
DNS server Warning event ID 4013

I found the same issue description from this URL - https://blog.markdepalma.com/?p=59

Above URL is asking to reset ACL.

Kindly suggest can I go ahead with this approach.

Regards,
Ankit

Marian MATEI 1 Reputation point

2022-05-29T08:24:06.337+00:00

For Event ID 4013:
Change the "DNS" service startup type from "Automatic" to "Automatic (Delayed Start)":
sc config DNS start= delayed-auto
Bronyrafon 6 Reputation points

2023-08-12T09:40:38.68+00:00

Spot on!!

Answer 2

Anonymous

Something here may help.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/schema-mismatch-error-ad-installation-wizard-dcpromo

--please don't forget to Accept as answer if the reply is helpful--

Ankit Patel 6 Reputation points

2021-03-11T07:02:54.897+00:00

Thanks Patrick - Url helped a lot

I think I found the issue but still not clear which commands to run.

One of the object on 2012 R2 server is showing ACl error. error 1450 The security descriptor propagation task could not calculate a new security descriptor for the following object.
Object:
CN=Tom,OU=test,DC=abc,DC=com

So need help to reset the acl for this user. Which command to use.

dsacls "CN=Tom,OU=test,DC=abc,DC=com" /S /T

Should I use both the switch /s and /T or only /S will reset the ACL.

Answer 3

Anonymous

Hello @Ankit Patel ,

Thank you for posting here.

Based on the description "The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.", do you know the error message occurs between which two DCs (source DC and target DC)?

We can check AD replication status in the AD forest by running commands below on PDC.

repadmin /showrepl >c:\repsum1.txt

repadmin /replsum >c:\repsum2.txt

repadmin /showrepl /csv >c:\repsum.csv

If there is no any error message in all the result, it means AD replication works fine.

Hope the information above is helpful.

Should you have any question or concern, please feel free to let us know.

Best Regards,
Daisy Zhou

Ankit Patel 6 Reputation points

2021-03-11T07:09:47.113+00:00

Hi Daisy,

on my PDC (2012R2) I can see error event ID 1450. The security descriptor propagation task could not calculate a new security descriptor for the following object.
Object:
CN=Tom,OU=test,DC=abc,DC=com

I think if I can clear this error from my existing 2012R2 servers then the initial synchronization on new 2016 domain controllers will be fine.

Another thing which I observed is that the output of the command dfsrmig /getmigrationstate shows pending for new 2016 domain controller.

I had already reached eliminated state for all 2012 R2 DC but after promoting 2016 DC is showing in dfsr state "start" for 2016 server.

Regards,
Ankit

Answer 4

Anonymous

Might work through this one.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/replication-error-8418

--please don't forget to Accept as answer if the reply is helpful--

Share via

1203 The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.

4 answers

Your answer