Event ID - 2883

Event Id: 2883
Source: Microsoft-Windows-ActiveDirectory_DomainService
Description: The following directory service made a replication request to replicate attributes in filtered set that has been denied by the local directory service. The requesting directory service does not have access to replicate attributes in the filtered set.
Requesting directory service: %2
Directory partition: %1
User Action: If the requesting directory service should get attributes in filtered list, verify that the security descriptor on this directory partition has the correct configuration for the Replication Get Changes In Filtered Set access right. You may also get this message when the attributes in filtered set are different between source and destination DCs because of recent schema change. This message will cease when the schema is in sync between the destination and source DCs.
Event Information: According to Microsoft:
Cause :
This event is logged when the following directory service made a replication request to replicate attributes in filtered set that has been denied by the local directory service.
Resolution :
Initiate directory replication or disable the schema class or attribute
To perform these procedures, you must have membership in Domain Admins, or you must have been delegated the appropriate authority. Perform all steps on the computer that is logging the event to be resolved.
To initiate directory replication:
  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Run the command repadmin /syncall hostname cn=schema,cn=configuration,dc=ldappath /user:domain\user /pw:password. Substitute the appropriate Lightweight Directory Access Protocol (LDAP) path, domain name, user name, and password for ldappath, domain, user, and password, respectively. The LDAP path should reflect the name components of your domain.
Caution : You can use the /e switch with repadmin to make replication traverse all site links. However, this may cause undesired replication traffic during peak hours. Therefore, you may want to wait for the regular replication cycle or, possibly, enable change notification on the site links.
If there is still an attribute conflict after replication has completed, you may have to disable the conflicting class or attribute.
To disable a conflicting schema class or attribute:
  1. Note the name of a conflicting schema object that appears in the event text.
  2. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  3. Right-click ADSI Edit, and then click Connect to.
  4. In Select a well known Naming Context, click Schema. The default action of the tool is to connect to the local domain. If you want to connect to another domain or server, you can do that under Computer in the Connection Settings dialog box.
  5. Click OK.
  6. In the console tree, expand Schema.
  7. Click the object name CN=Schema.
  8. In the middle pane, a three-column list of schema attribute and class names, class identifiers, and distinguished names appears. Right-click the class or attribute that is named in the Event Viewer event text in the Name column, and then click Properties.
  9. In the class or attribute properties box, on the Attribute Editor tab, click the isDefunct attribute, and then click Edit.
  10. Click True, and then click OK.
  11. Click OK.
  12. Close ADSI Edit.
Verify :
Perform the following procedure using the domain controller from which you want to verify that Active Directory replication is functioning properly.
To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority.
To verify that Active Directory replication is functioning properly:
  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Run the command repadmin /showrepl. This command reports the replication status of each partition.
  3. Review the section of the output that begins with CN=Schema,CN=Configuration. The last line of this section of the report indicates whether replication was successful or not. If this line of the report indicates success, the schema is replicating properly.
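
The verification step above can also be scripted. The following PowerShell is an added example, not part of the original Microsoft procedure: it parses the CSV form of the same report (repadmin /showrepl /csv) and returns one row per inbound replication link for the schema partition. The function name Get-SchemaReplStatus, the host and domain names in the sample, and the sample rows themselves are constructed for illustration; the column names are assumed to match the header that repadmin emits.

```powershell
# Added example: summarize schema-partition replication from `repadmin /showrepl /csv`.
function Get-SchemaReplStatus {
    param(
        # Lines of `repadmin /showrepl /csv` output, header line first.
        [Parameter(Mandatory)] [string[]] $CsvLines
    )
    $CsvLines | ConvertFrom-Csv |
        # Keep only the partition the procedure asks you to review.
        Where-Object { $_.'Naming Context' -like 'CN=Schema,CN=Configuration,*' } |
        ForEach-Object {
            [pscustomobject]@{
                Destination = $_.'Destination DSA'
                Source      = $_.'Source DSA'
                Failures    = [int]$_.'Number of Failures'
                LastSuccess = $_.'Last Success Time'
                LastStatus  = [int]$_.'Last Failure Status'
                # Treated as healthy here when no consecutive failures are recorded.
                Healthy     = ([int]$_.'Number of Failures' -eq 0)
            }
        }
}

# Constructed sample input (not real output); DC01/DC02/DC03 and example.com are placeholders.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Site-A,DC01,"CN=Schema,CN=Configuration,DC=example,DC=com",Site-A,DC02,RPC,0,0,2024-01-15 10:02:11,0
showrepl_INFO,Site-A,DC01,"CN=Schema,CN=Configuration,DC=example,DC=com",Site-B,DC03,RPC,4,2024-01-15 09:47:30,2024-01-14 22:10:05,8453
showrepl_INFO,Site-A,DC01,"DC=example,DC=com",Site-A,DC02,RPC,0,0,2024-01-15 10:02:12,0
'@ -split '\r?\n'

$links = Get-SchemaReplStatus -CsvLines $sample
$links | Format-Table -AutoSize

# Links that still need attention after the sync described in the Resolution section.
$links | Where-Object { -not $_.Healthy } |
    ForEach-Object { "Schema replication from $($_.Source) to $($_.Destination) failing: status $($_.LastStatus), $($_.Failures) failures" }

# Against a live domain controller (elevated prompt, same rights as the procedure):
#   Get-SchemaReplStatus -CsvLines (repadmin /showrepl /csv)
```

If every row for CN=Schema,CN=Configuration is reported as healthy and event 2883 is no longer logged, the schema is in sync between source and destination.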
Reference Links: Event ID 2883 from Source Microsoft-Windows-ActiveDirectory_DomainService
