Event ID 2883 — Schema Attribute Definition Replication

Applies To: Windows Server 2008

The schema is the Active Directory component that defines all the objects and attributes that the directory service uses to store data. To ensure data integrity on directory objects, it is imperative that attribute definitions are replicated. Replication between domain controllers requires that the schema be consistent. If the schema is not consistent, replication failures occur for all domain controllers with inconsistent schema versions.

Event Details

Product: Windows Operating System
ID: 2883
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_DRA_REPLICATION_GET_FILTERED_SET_ACCESS_DENIED_DC
Message: The following directory service made a replication request to replicate attributes in filtered set that has been denied by the local directory service. The requesting directory service does not have access to replicate attributes in the filtered set.

Requesting directory service:
%2
Directory partition:
%1

User Action
If the requesting directory service should get attributes in filtered list, verify that the security descriptor on this directory partition has the correct configuration for the Replication Get Changes In Filtered Set access right. You may also get this message when the attributes in filtered set are different between source and destination DCs because of recent schema change. This message will cease when the schema is in sync between the destination and source DCs.
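
The following PowerShell is an added example, not part of the original article or of Microsoft's tooling. It reads the security descriptor on a directory partition head and lists every access control entry that grants or denies the Replication Get Changes In Filtered Set control access right, so the result can be compared with the requesting directory service named in the event. The function name and the DC=contoso,DC=com default are placeholders.

```powershell
# Added example: audit who holds "Replication Get Changes In Filtered Set"
# on a directory partition. Run from a domain-joined host with read access
# to the partition's security descriptor.

# rightsGuid of the DS-Replication-Get-Changes-In-Filtered-Set control access right.
$FilteredSetRight = [Guid]'89e95b76-444d-4c62-991a-0facbeda640c'
# An extended-right ACE with an empty ObjectType applies to every extended right.
$AllExtendedRights = [Guid]::Empty

function Get-FilteredSetReplicationAce {   # hypothetical helper name
    param(
        # Distinguished name of the partition shown in the event text (%1).
        [string]$PartitionDN = 'DC=contoso,DC=com'   # placeholder value
    )

    $entry = [ADSI]"LDAP://$PartitionDN"
    # Explicit and inherited ACEs, with trustees resolved to account names.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.NTAccount])

    $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    foreach ($rule in $rules) {
        # GenericAll also contains the ExtendedRight bit, so it is caught here too.
        $hasExtended = ($rule.ActiveDirectoryRights -band $extended) -ne 0
        $matchesRight = ($rule.ObjectType -eq $FilteredSetRight) -or
                        ($rule.ObjectType -eq $AllExtendedRights)
        if ($hasExtended -and $matchesRight) {
            $rule | Select-Object IdentityReference, AccessControlType,
                ActiveDirectoryRights, ObjectType, IsInherited
        }
    }
}

# Deny entries are listed as well, because a Deny ACE overrides an Allow.
Get-FilteredSetReplicationAce -PartitionDN 'DC=contoso,DC=com' |
    Sort-Object AccessControlType, IdentityReference |
    Format-Table -AutoSize
```

An entry whose ObjectType is all zeros grants every extended right on the partition, including this one, and is worth reviewing for that reason alone.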

Resolve

Initiate directory replication or disable the schema class or attribute

To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority. Perform all steps on the computer that is logging the event to be resolved.

To initiate directory replication:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Run the command repadmin /syncall hostname cn=schema,cn=configuration,dc=ldappath /user:domain\user /pw:password. Substitute the appropriate Lightweight Directory Access Protocol (LDAP) path, domain name, user name, and password for ldappath, domain, user, and password, respectively. The LDAP path should reflect the name components of your domain. For example, if the domain name is contoso.com, the LDAP path is DC=contoso,DC=com.

Caution: You can use the /e switch with repadmin to make replication traverse all site links. However, this may cause undesired replication traffic during peak hours. Therefore, you may want to wait for the regular replication cycle or, possibly, enable change notification on the site links. For more information about enabling change notification on site links, see Enable Change Notification on a Site Link (https://go.microsoft.com/fwlink/?LinkId=104918).

If there is still an attribute conflict after replication has completed, you may have to disable the conflicting class or attribute.

To disable a conflicting schema class or attribute:

  1. Note the name of a conflicting schema object that appears in the event text.
  2. Open ADSI Edit. To open ADSI Edit, click Start. In Start Search, type ADSIEdit.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. Right-click ADSI Edit, and then click Connect to.
  4. In Select a well known Naming Context, click Schema. The default action of the tool is to connect to the local domain. If you want to connect to another domain or server, you can do that under Computer in the Connection Settings dialog box. Click OK.
  5. In the console tree, expand Schema.
  6. Click the object name CN=Schema.
  7. In the middle pane, a three-column list of schema attribute and class names, class identifiers, and distinguished names appears. Right-click the class or attribute that is named in the Event Viewer event text in the Name column, and then click Properties.
  8. In the class or attribute properties box, on the Attribute Editor tab, click the isDefunct attribute, and then click Edit.
  9. Click True, and then click OK twice.
  10. Close ADSI Edit.

For more information about disabling schema classes and attributes, see Disabling Existing Classes and Attributes (https://go.microsoft.com/fwlink/?LinkId=96256).

Verify

Perform the following tasks using the domain controller from which you want to verify that Active Directory replication is functioning properly.

To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.

To verify that schema attribute definitions are replicating properly:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Run the command repadmin /showrepl. This command reports the replication status of each partition.
  3. Review the section of the output that begins with CN=Schema,CN=Configuration. The last line of this section of the report indicates whether replication was successful or not. If this line of the report indicates success, the schema is replicating properly.
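
The check in steps 2 and 3 can also be scripted. The following PowerShell is an added example, not part of the original article: it parses the CSV form of the repadmin /showrepl report and keeps only the schema partition rows, flagging any inbound link with recorded failures. The sample rows are constructed, the function name is hypothetical, and the column names are an assumption about the /csv output that should be confirmed against your own domain controller.

```powershell
# Added example: summarize schema partition replication from `repadmin /showrepl /csv`.

# Constructed sample rows (not captured from a real domain controller).
$SampleCsv = @(
    'showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status'
    'showrepl_INFO,"Site-A","DC01","CN=Schema,CN=Configuration,DC=contoso,DC=com","Site-A","DC02","RPC",0,0,"2009-01-12 10:15:02",0'
    'showrepl_INFO,"Site-A","DC01","CN=Schema,CN=Configuration,DC=contoso,DC=com","Site-B","DC03","RPC",4,"2009-01-12 09:58:40","2009-01-11 22:03:11",8453'
    'showrepl_INFO,"Site-A","DC01","DC=contoso,DC=com","Site-A","DC02","RPC",0,0,"2009-01-12 10:15:05",0'
)

function Get-SchemaReplicationStatus {   # hypothetical helper name
    param(
        # Lines of CSV text as produced by `repadmin /showrepl /csv`.
        [string[]]$CsvLines
    )

    $CsvLines | ConvertFrom-Csv |
        # Keep only the section the procedure asks you to review.
        Where-Object { $_.'Naming Context' -like 'CN=Schema,CN=Configuration,*' } |
        Select-Object 'Destination DSA', 'Source DSA', 'Last Success Time',
            @{ Name = 'Failures';   Expression = { [int]$_.'Number of Failures' } },
            @{ Name = 'LastStatus'; Expression = { [int]$_.'Last Failure Status' } },
            @{ Name = 'Healthy';    Expression = {
                ([int]$_.'Number of Failures' -eq 0) -and
                ([int]$_.'Last Failure Status' -eq 0) } }
}

# Offline run against the constructed sample:
Get-SchemaReplicationStatus -CsvLines $SampleCsv | Format-Table -AutoSize

# Live run on the domain controller being verified:
# Get-SchemaReplicationStatus -CsvLines (repadmin /showrepl /csv) |
#     Where-Object { -not $_.Healthy }
```

In the constructed sample, the link from DC03 carries status 8453 (replication access was denied), the kind of row to follow up on when Event ID 2883 is being logged.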
