Microsoft KB Archive/840691

= Windows 2000 SID filtering prevents the replication of schema naming contexts and of configuration naming contexts =

Article ID: 840691

Article Last Modified on 10/30/2006

-

APPLIES TO


 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Server

-





SYMPTOMS
After you perform an in-place upgrade of a Microsoft Windows NT 4.0 domain and join it to an existing Microsoft Windows 2000 forest as a child domain, Active Directory replication of the schema naming context and of the configuration naming context may not complete successfully. Additionally, the following events may be logged on domain controllers in the upgraded domain:

Event Type: Warning
Event Source: NTDS General
Event Category: Replication
Event ID: 1080
Description: Replication warning: Couldn't notify directory DC_Object_GUID._msdcs.contoso.com with changes to partition Child_Domain_Domain_Name.

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1061
Description: Internal error: The directory replication agent (DRA) call returned error 8453 (ERROR_DS_DRA_ACCESS_DENIED).

If you use the repadmin.exe /showreps command to troubleshoot the problem, the following information is returned:

Naming Context: CN=Schema,CN=Configuration,DC=contoso,DC=net
Source:
 * WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=contoso,DC=net
Source:
 * WARNING: KCC could not add this REPLICA LINK due to error.

The following corresponding DS event is recorded on the parent-domain domain controller:

Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1061
Description: Internal error: The directory replication agent (DRA) call returned error 8453.

Note The parent-domain domain controller is the source of the replication attempt.



CAUSE
This issue may occur if all of the following conditions are true:
 * An external trust for a Windows NT 4.0 domain is created in the Windows 2000 Active Directory forest.
 * In the Windows 2000 Active Directory forest, security identifier (SID) filtering is enabled for this external trust.
 * The Windows NT domain is upgraded through an in-place upgrade.
 * The upgraded domain joins the existing Windows 2000 Active Directory forest as a child domain.
 * The flag for SID filtering is retained, even though the external trust is changed to internal.



RESOLUTION
To resolve this issue, use Netdom.exe on the parent domain to disable SID filtering on the trust with the child domain. To do this, type the following command at a command prompt, substituting your parent-domain name, child-domain name, and administrator passwords for ParentDom, ChildDom, and adminpwd (the parameter values must follow the colon with no space):

netdom trust ParentDom /D:ChildDom /UD:ChildDom\Administrator /PD:adminpwd /UO:ParentDom\Administrator /PO:adminpwd /filtersids:no
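As an added check that is not part of the KB article, the following PowerShell script lists the trusts of the domain it is run in, decodes the trustAttributes bits as documented in MS-ADTS, and flags any trust partner that belongs to the same forest but still carries the SID-filtering (quarantine) bit, which is the state the Cause section describes. It assumes a domain-joined host in the parent domain with PowerShell 3.0 or later; the function names and report layout are this example's own.

```powershell
# Added example, not part of KB 840691: audit the trusts of the domain you are
# logged on to for the SID-filtering (quarantine) bit being set on a trust
# whose partner is now a domain of the same forest. Run it in the parent
# domain on a domain-joined host with PowerShell 3.0 or later; it uses plain
# ADSI, so the ActiveDirectory module is not required.
# trustAttributes bit values are those documented in MS-ADTS.

$TRUST_ATTRIBUTE_QUARANTINED_DOMAIN = 0x4   # SID filtering enabled on the trust

function Get-TrustAttributeNames {
    # Decode a trustAttributes value into its flag names (MS-ADTS bit values).
    param([int]$Attributes)
    $bits = @(
        @{ Value = 0x1;  Name = 'NON_TRANSITIVE' },
        @{ Value = 0x2;  Name = 'UPLEVEL_ONLY' },
        @{ Value = 0x4;  Name = 'QUARANTINED_DOMAIN' },
        @{ Value = 0x8;  Name = 'FOREST_TRANSITIVE' },
        @{ Value = 0x10; Name = 'CROSS_ORGANIZATION' },
        @{ Value = 0x20; Name = 'WITHIN_FOREST' },
        @{ Value = 0x40; Name = 'TREAT_AS_EXTERNAL' }
    )
    $names = foreach ($b in $bits) { if ($Attributes -band $b.Value) { $b.Name } }
    return @($names)
}

function Test-StaleSidFilter {
    # $true when the trust is quarantined (SID filtering on) although the
    # partner is a domain of our own forest; that combination blocks schema and
    # configuration replication with error 8453 (ERROR_DS_DRA_ACCESS_DENIED).
    param([int]$Attributes, [bool]$PartnerInForest)
    return $PartnerInForest -and (($Attributes -band $TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) -ne 0)
}

function Get-DomainTrustReport {
    # Domain names of the current forest, used to classify each trust partner.
    # The WITHIN_FOREST bit only exists from Windows Server 2003 on, so the
    # comparison below does not rely on it.
    $forest        = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $forestDomains = @($forest.Domains | ForEach-Object { $_.Name.ToLower() })

    # trustedDomain objects live under CN=System in the domain naming context.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $systemDn = 'CN=System,' + [string]$rootDse.defaultNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$systemDn"
    $searcher.Filter     = '(objectClass=trustedDomain)'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('trustPartner', 'trustAttributes'))

    foreach ($result in $searcher.FindAll()) {
        $partner = [string]$result.Properties['trustpartner'][0]
        $attrs   = 0
        if ($result.Properties['trustattributes'].Count -gt 0) {
            $attrs = [int]$result.Properties['trustattributes'][0]
        }
        $inForest = $forestDomains -contains $partner.ToLower()
        [pscustomobject][ordered]@{
            TrustPartner    = $partner
            TrustAttributes = ('0x{0:X}' -f $attrs)
            Flags           = ((Get-TrustAttributeNames $attrs) -join ',')
            PartnerInForest = $inForest
            StaleSidFilter  = (Test-StaleSidFilter $attrs $inForest)
        }
    }
}

$report = @(Get-DomainTrustReport)
$report | Format-Table -AutoSize
foreach ($t in ($report | Where-Object { $_.StaleSidFilter })) {
    $msg = 'SID filtering is still set on the intra-forest trust to {0}; clear it with netdom trust ... /filtersids:no as in the Resolution section.' -f $t.TrustPartner
    Write-Warning $msg
}
```

Run the script before and after the netdom command to confirm that QUARANTINED_DOMAIN disappears from the child-domain trust's flags. Windows 2000 domain controllers have no PowerShell of their own, so run it from a later domain-joined management host; the ADSI queries it issues work against Windows 2000 domain controllers.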



MORE INFORMATION
This issue does not occur with Microsoft Windows Server 2003 parent-domain domain controllers, because Windows Server 2003 includes additional checking for trust attributes.

