We've had a long, ongoing problem with a child domain of our forest root. The primary DC is a Windows 2003 server, and I added a Windows 2008 (not R2) server to this domain in order to add resilience, and to prep the domain for a full DC upgrade to 2008.
I added the DC OK, but it's never completed initial replication with the 2003 DC due to an A/D problem in the local domain, always complaining about '8333 Directory object not found'. I've spent countless hours researching this, but have never managed to fix it, so the new DC has just sat there, happily replicating with the root, but never completing replication with its peer DC.
There are plenty of event log errors similar to:
The local domain controller failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send the change requests to the domain controller at the following network address.
Directory partition:
DC=mydomain,DC=DC=co,DC=uk
Network address:
cb55f4f3-ce92-45d5-a59d-c4b24ebc22e2._msdcs.mydomain.co.uk
Extended request code:
0
Additional Data
Error value:
8333 Directory object not found.
and if I run repadmin /replsum on the 2008 DC, I get the following:
Source DSA        largest delta   fails/total   %%   error
2003DC            18m:07s         1 / 9         11   (8333) Directory object not found.
Destination DSA   largest delta   fails/total   %%   error
2008DC            19m:11s         1 / 11        9    (8333) Directory object not found.
Interestingly, I think I might now be on to something, because if I run this:
dcdiag /test:ridmanager /v
I get this output <snip>
Starting test: RidManager
* Available RID Pool for the Domain is 2602 to 1073741823
* 2003DC.mydomain.co.uk is the RID Master
* DsBind with RID Master was successful
Warning: attribute rIdSetReferences missing from
CN=2008DC,OU=Domain Controllers,DC=mydomain,DC=co,DC=uk
Could not get Rid set Reference :failed with 8481: Win32 Error 8481
So, I check in ADSIEdit, and sure enough, from the 2008DC there is no 'CN=RID Set' rID Class record when browsing the 2008DC in OU=Domain Controllers. I don't know why, but the obvious solution is now to add this manually, but I can't. If you try to modify the server's rIDSetReferences parameter to add the necessary value, you get the error 'the attribute cannot be modified because it is owned by the system'! After a search, I find there are workarounds to allow this, but neither works for me. Setting the 'Allow System Only Change' registry value doesn't make any difference, and setting the schemaUpgradeInProgress value in LDP just causes an Invalid permission error (yes, I'm connected to the SM with root privileges).
So, I think I might be onto the problem, but I can't get this record in to try and fix it. Is there anything I can do?
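A read-only way to run the rIDSetReferences check described in this post against every domain controller account in the domain at once, instead of browsing each one in ADSI Edit. This is an added example, not part of the original post; the function name Get-DcRidSetStatus and its -Server parameter are hypothetical, and it assumes PowerShell 2.0 or later on a domain-joined machine.

```powershell
# Added example, not from the original post. Read-only: it queries AD and changes nothing.
# Get-DcRidSetStatus and -Server are hypothetical names chosen for this sketch.
function Get-DcRidSetStatus {
    param([string]$Server)   # optional: DC to query; default is any DC of the current domain

    $prefix = if ($Server) { "LDAP://$Server/" } else { "LDAP://" }
    $domainDn = [string]([ADSI]"${prefix}RootDSE").defaultNamingContext

    $dcs = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"$prefix$domainDn")
    # userAccountControl bit 0x2000 (8192) is SERVER_TRUST_ACCOUNT: a domain controller account
    $dcs.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
    $dcs.PropertiesToLoad.AddRange([string[]]("dNSHostName", "rIDSetReferences"))

    foreach ($dc in $dcs.FindAll()) {
        $row = New-Object PSObject -Property @{
            DC = [string]$dc.Properties["dnshostname"][0]
            Status = "rIDSetReferences missing"; RidSet = $null
            PoolStart = $null; PoolEnd = $null; NextRid = $null
        }
        $ref = $dc.Properties["ridsetreferences"]
        if ($ref.Count -gt 0) {
            $row.RidSet = [string]$ref[0]
            try {
                # Base-scope search so the Integer8 pool value comes back as Int64
                $rs = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"$prefix$($ref[0])")
                $rs.SearchScope = "Base"
                $rs.PropertiesToLoad.AddRange([string[]]("rIDAllocationPool", "rIDNextRID"))
                $set = $rs.FindOne()
                # rIDAllocationPool packs the pool: low dword = first RID, high dword = last RID
                $bytes = [BitConverter]::GetBytes([int64]$set.Properties["ridallocationpool"][0])
                $row.PoolStart = [BitConverter]::ToUInt32($bytes, 0)
                $row.PoolEnd = [BitConverter]::ToUInt32($bytes, 4)
                $row.NextRid = $set.Properties["ridnextrid"][0]
                $row.Status = "OK"
            } catch {
                $row.Status = "RID Set unreadable: $($_.Exception.Message)"
            }
        }
        $row | Select-Object DC, Status, RidSet, PoolStart, PoolEnd, NextRid
    }
}

Get-DcRidSetStatus | Format-Table -AutoSize
```

Running it once with -Server set to each DC in turn shows whether the two replicas disagree about which accounts carry a RID Set reference.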