Okay, okay, I realise that I may be labouring the point somewhat. I’ve already written two blog entries (here and here) about UAC in Windows Server 2008 and this is the third and (probably) last.
When you check DC replication using the repadmin /showreps command from a privileged command window you might see something like this:
SITE1\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 0f28ec82-687f-4a16-81fb-bc7dc6b67fa9
DSA invocationID: 498ceb24-0a84-40a9-b8cb-63b1ff9a8ed1
==== INBOUND NEIGHBORS ======================================
DC=MYCO,DC=COM
SITE0\DC2 via RPC
DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
Last attempt @ 2009-02-04 13:48:49 was successful.
CN=Configuration,DC=MYCO,DC=COM
SITE0\DC2 via RPC
DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
Last attempt @ 2009-02-04 13:48:49 was successful.
CN=Schema,CN=Configuration,DC=MYCO,DC=COM
SITE0\DC2 via RPC
DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
Last attempt @ 2009-02-04 13:48:49 was successful.
DC=ForestDnsZones,DC=MYCO,DC=COM
SITE0\DC2 via RPC
DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
Last attempt @ 2009-02-04 13:48:49 was successful.
DC=DomainDnsZones,DC=MYCO,DC=COM
SITE0\DC2 via RPC
DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
Last attempt @ 2009-02-04 13:48:49 was successful.
However, when you run the same command from an unprivileged command window, you might see the error shown below.
SITE1\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 0f28ec82-687f-4a16-81fb-bc7dc6b67fa9
DSA invocationID: 498ceb24-0a84-40a9-b8cb-63b1ff9a8ed1
==== INBOUND NEIGHBORS ======================================
DC=MYCO,DC=COM
SITE0\DC2 via RPC
DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
Last attempt @ 2009-02-04 13:48:49 was successful.
CN=Configuration,DC=MYCO,DC=COM
SITE0\DC2 via RPC
DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
Last attempt @ 2009-02-04 13:48:49 was successful.
CN=Schema,CN=Configuration,DC=MYCO,DC=COM
SITE0\DC2 via RPC
DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
Last attempt @ 2009-02-04 13:48:49 was successful.
DC=ForestDnsZones,DC=MYCO,DC=COM
SITE0\DC2 via RPC
DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
Last attempt @ 2009-02-04 13:48:49 was successful.
DC=DomainDnsZones,DC=MYCO,DC=COM
SITE0\DC2 via RPC
DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
Last attempt @ 2009-02-04 13:48:49 was successful.
DsReplicaGetInfo() failed with status 8453 (0x2105):
Replication access was denied.
DsReplicaGetInfo() failed with status 8453 (0x2105):
Replication access was denied.
Note that the information returned is identical. The only difference is that you see the errors at the end when running in an unprivileged window. I believe the errors relate to a missing “Monitor Replication Topology” extended right at the root of each of the directory naming contexts (partitions).
As with other UAC annoyances, the errors can potentially be confusing. I guess the moral of the story with Windows Server 2008 is to always be aware of when you need to run commands with full privileges. In my case it clearly takes some getting used to. 🙂
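An added example, not part of the original post: a Python parser for captured repadmin /showreps text that separates the per-partition results from the trailing DsReplicaGetInfo() errors, so a monitoring script can tell a denied query (status 8453) from a real replication failure. The sample text is constructed from the output above; the function names and verdict labels are assumptions.

```python
import re

# Constructed sample, shortened from the unprivileged output shown in the post.
SAMPLE = """\
SITE1\\DC1
DSA Options: IS_GC
Site Options: (none)
==== INBOUND NEIGHBORS ======================================
DC=MYCO,DC=COM
SITE0\\DC2 via RPC
DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
Last attempt @ 2009-02-04 13:48:49 was successful.
CN=Configuration,DC=MYCO,DC=COM
SITE0\\DC2 via RPC
DSA object GUID: 04f70cfc-c73d-4e3c-9c8f-42c3ad146bb2
Last attempt @ 2009-02-04 13:48:49 was successful.
DsReplicaGetInfo() failed with status 8453 (0x2105):
Replication access was denied.
"""

NC_RE = re.compile(r"^(?:DC|CN)=.+$")                      # naming context line
OK_RE = re.compile(r"^Last attempt @ \S+ \S+ was successful\.$")
API_ERR_RE = re.compile(r"^(\w+)\(\) failed with status (\d+) \(0x[0-9a-fA-F]+\):$")
ACCESS_DENIED = 8453                                       # "Replication access was denied."

def summarise(text):
    """Return ({naming context: [True/False per attempt]}, [(api, status)])."""
    partitions, api_errors, current = {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if NC_RE.match(line):
            current = line
            partitions.setdefault(current, [])
        elif current and line.startswith("Last attempt @"):
            # Any attempt line that is not the success form counts as a failure.
            partitions[current].append(bool(OK_RE.match(line)))
        elif (m := API_ERR_RE.match(line)):
            api_errors.append((m.group(1), int(m.group(2))))
    return partitions, api_errors

def verdict(text):
    """Classify the run; the labels are hypothetical, chosen for this example."""
    partitions, api_errors = summarise(text)
    if any(False in results for results in partitions.values()):
        return "replication-problem"
    if any(code == ACCESS_DENIED for _, code in api_errors):
        return "healthy-but-query-denied"   # rerun from an elevated prompt
    return "tool-error" if api_errors else "healthy"
```
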
Excellent tips! UAC in the ‘real world’ of a production MS enterprise can be tricky and, as you point out, complicated by obscure and unobvious errors/indications.
I had a case where running LDP w/out elevation returned odd query results but elevation ‘fixed’ the issue.
Thanx for the tip. Was pulling my hair off here… damn UAC 😐
Excellent, the information was very helpful
Hi
I was facing the same issues, but I am continuously facing the same issues while performing the replication. My org structure:
Site 1 : Site1\Administrator
Site 2 : Site2\Administrator (Child DC)
Server : Windows Server 2008R2, Windows Server 2012R2
When I am trying to perform replication
Site1 to Site2 it's working, but when I am doing it from
Site2 to Site1 it's giving Access denied Error issuing replication: 8453 (0x2105)
Reason: Permission issue
1. You must belong to Enterprise Admin
2. Perform replication using Run as Admin