After migration from FRS to DFSR, RODCs have not reached consistent state.

asked 2020-08-31T18:05:21.107+00:00
Adam Saunders 1 Reputation point

Migrated to DFSR from FRS. At each step, servers reached consistent state. However, after moving to 'Eliminated' state, dfsrmig /getglobalstate shows:

The following domain controllers have not reached Global State 'Eliminated'

Server1 ('Redirected') - Read-only DC
Server2 ('Redirected') - Read-only DC

repadmin /showrepl gives me (8453) Replication access was denied on both RODCs.

Servers are all Server 2012 R2

Windows Server 2012
Windows Server 2012
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
1,121 questions
{count} votes

6 answers

Sort by: Most helpful
  1. answered 2020-08-31T18:24:24.937+00:00
    Dave Patrick 328.6K Reputation points Microsoft MVP

    Something here may help.
    https://support.microsoft.com/en-us/help/2022387/active-directory-replication-error-8453-replication-access-was-denied

    --please don't forget to Accept as answer if the reply is helpful--

    No comments

  2. answered 2020-08-31T22:06:16.797+00:00
    Adam Saunders 1 Reputation point

    I have looked over that article. I checked the permissions it suggests in ADSIEdit and they were already set correctly.

    I think my problem is with krbtgt_##### account on RODC. On the writable DCs I get constant Event ID 1168 from the RODCs. On the RODCs we get Event 1084 which refers to krbtgt_##### and shows it in a 'Deleted' container. I don't know why it would be deleted unless it gets deleted during the migration.

    I noticed after the fact that with RODCs you should run dfsrmig /CreateGlobalObjects during the migration to create objects that RODCs need. The guide I was following during migration did not mention this. I wonder if that is where things went south. Is /createglobalobjects something that can be run after we've reached the 'Eliminated' state or has that ship sailed?

    No comments

  3. answered 2020-08-31T22:28:44.41+00:00
    Dave Patrick 328.6K Reputation points Microsoft MVP

    You could also try on the RODC ** Repadmin /SyncAll /AeD** or another option is to demote, reboot, promo them again.

    --please don't forget to Accept as answer if the reply is helpful--

    No comments

  4. answered 2020-09-01T05:39:29.13+00:00
    Fan Fan 15,041 Reputation points

    Hi,
    How is the current status of the migration?If there are any updates , welcome to share here.
    Before the demote, reboot, promo action , the following steps for your reference:

    Migration stalls at the Eliminating state on a RODC
    If AD DS replication takes a long time, RODCs may stall at the Eliminating transition state. This can occur because RODCs must wait for the PDC emulator to modify Active Directory objects on their behalf, taking additional time.

    If you notice that migration stalls at the Eliminating transition state, use the following steps to manually delete the AD DS objects for FRS.

    To manually delete the Active Directory objects for FRS

    Follow the steps in the “Check whether Active Directory objects for FRS still exist” section of Verifying the State of SYSVOL Migration(https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd639789(v=ws.10)) to check if the Active Directory objects for FRS replication were removed for the read-only domain controller.

    At a command prompt, type dfsrmig /DeleteRoNtfrsMember domain_controller_name to manually delete any remaining AD DS objects for FRS.

    Following link for your reference:Troubleshooting SYSVOL Migration Issues
    https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd639976(v=ws.10)


  5. answered 2020-09-15T19:32:51.517+00:00
    Adam Saunders 1 Reputation point

    Tried all of the following:

    dfsrmig /DeleteRoNtfrsMember server_name
    This command ran successfully but did not remove the old FRS objects.

    repadmin /syncall /AeD
    This command was successful on all but the last section: DC=domain,DC=local
    For that section it failed with error 8453: Replication access was denied

    Verified that the Enterprise Read-only Domain Controllers group had the correct permissions and then ran

    repadmin /kcc rodc_server_name

    Re-ran repadmin /syncall /AeD
    It still failed on the same section

    No comments