Migrated to DFSR from FRS. At each step, servers reached consistent state. However, after moving to 'Eliminated' state, dfsrmig /getglobalstate shows:
The following domain controllers have not reached Global State 'Eliminated'
Server1 ('Redirected') - Read-only DC
Server2 ('Redirected') - Read-only DC
repadmin /showrepl gives me (8453) Replication access was denied on both RODCs.
Servers are all Server 2012 R2
Something here may help.
https://support.microsoft.com/en-us/help/2022387/active-directory-replication-error-8453-replication-access-was-denied
--please don't forget to Accept as answer if the reply is helpful--
I have looked over that article. I checked the permissions it suggests in ADSIEdit and they were already set correctly.
I think my problem is with krbtgt_##### account on RODC. On the writable DCs I get constant Event ID 1168 from the RODCs. On the RODCs we get Event 1084 which refers to krbtgt_##### and shows it in a 'Deleted' container. I don't know why it would be deleted unless it gets deleted during the migration.
I noticed after the fact that with RODCs you should run dfsrmig /CreateGlobalObjects during the migration to create objects that RODCs need. The guide I was following during migration did not mention this. I wonder if that is where things went south. Is /createglobalobjects something that can be run after we've reached the 'Eliminated' state or has that ship sailed?
You could also try on the RODC **Repadmin /SyncAll /AeD**, or another option is to demote, reboot, and promote them again.
--please don't forget to Accept as answer if the reply is helpful--
Hi,
What is the current status of the migration? If there are any updates, you are welcome to share them here.
Before the demote, reboot, promote action, here are the following steps for your reference:
Migration stalls at the Eliminating state on a RODC
If AD DS replication takes a long time, RODCs may stall at the Eliminating transition state. This can occur because RODCs must wait for the PDC emulator to modify Active Directory objects on their behalf, taking additional time.
If you notice that migration stalls at the Eliminating transition state, use the following steps to manually delete the AD DS objects for FRS.
To manually delete the Active Directory objects for FRS
Follow the steps in the “Check whether Active Directory objects for FRS still exist” section of Verifying the State of SYSVOL Migration (https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd639789(v=ws.10)) to check if the Active Directory objects for FRS replication were removed for the read-only domain controller.
At a command prompt, type dfsrmig /DeleteRoNtfrsMember domain_controller_name to manually delete any remaining AD DS objects for FRS.
Following link for your reference: Troubleshooting SYSVOL Migration Issues
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd639976(v=ws.10)
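A read-only way to script the "do the FRS objects still exist" check for every RODC, together with a check of the krbtgt_##### link raised earlier in the thread. This is an added example, not from any poster or from the Microsoft articles. It assumes the ActiveDirectory PowerShell module, the default FRS SYSVOL replica set location, and that each nTFRSMember object is named after its DC; the helper name Test-ADObjectExists is made up for this sketch.

```powershell
# Added example: read-only diagnostics, changes nothing in the directory.
Import-Module ActiveDirectory

function Test-ADObjectExists {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    try {
        Get-ADObject -Identity $DistinguishedName -ErrorAction Stop | Out-Null
        return $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $false   # only "not found" counts as absent; access errors still surface
    }
}

$domainDN = (Get-ADDomain).DistinguishedName
# Assumption: default location of the FRS SYSVOL replica set.
$frsSet = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDN"

$report = foreach ($rodc in Get-ADDomainController -Filter 'IsReadOnly -eq $true') {
    $computerDN = $rodc.ComputerObjectDN
    # msDS-KrbTgtLink on the RODC computer object points at its krbtgt_##### account.
    $computer = Get-ADComputer -Identity $computerDN -Properties 'msDS-KrbTgtLink'
    $krbtgtDN = $computer.'msDS-KrbTgtLink'

    [pscustomobject]@{
        RODC                 = $rodc.Name
        # $true in the next two columns means FRS objects are still present.
        FrsSubscriptionsLeft = Test-ADObjectExists "CN=NTFRS Subscriptions,$computerDN"
        FrsMemberLeft        = Test-ADObjectExists "CN=$($rodc.Name),$frsSet"   # assumes member CN = DC name
        DfsrLocalSettings    = Test-ADObjectExists "CN=DFSR-LocalSettings,$computerDN"
        KrbtgtLink           = if ($krbtgtDN) { $krbtgtDN } else { '<missing>' }
        KrbtgtLinkResolves   = [bool]($krbtgtDN -and (Test-ADObjectExists $krbtgtDN))
    }
}
$report | Format-Table -AutoSize

# Deleted krbtgt_* accounts (needs rights to read the Deleted Objects container).
Get-ADObject -IncludeDeletedObjects -Properties sAMAccountName, whenChanged, lastKnownParent `
    -Filter 'isDeleted -eq $true -and sAMAccountName -like "krbtgt_*"' |
    Select-Object sAMAccountName, whenChanged, lastKnownParent, DistinguishedName
```

Run it against a writable DC. An RODC row with FRS objects still present matches the stalled state described above, while a missing or unresolvable krbtgt link points at the account problem reported in Event 1084.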
Tried all of the following:
dfsrmig /DeleteRoNtfrsMember server_name
This command ran successfully but did not remove the old FRS objects.
repadmin /syncall /AeD
This command was successful on all but the last section: DC=domain,DC=local
For that section it failed with error 8453: Replication access was denied
Verified that the Enterprise Read-only Domain Controllers group had the correct permissions and then ran
repadmin /kcc rodc_server_name
Re-ran repadmin /syncall /AeD
It still failed on the same section