Event ID - 1964

Event Id	1964
Source	Microsoft-Windows-ActiveDirectory_DomainService
Description	The local directory service has denied a replication attempt on the following directory partition. The following directory service requested to replicate one or more objects from an unauthorized directory partition and the attempt failed. directory service: %1 Directory partition: %2 This might pose a security risk.
Event Information	According to Microsoft : Cause : This event is logged when the local directory service has denied a replication attempt on the following directory partition. Resolution : Ensure that the SPNs are correct If the domain controller that is identified in the message is not a legitimate domain controller for the domain, determine why the domain controller that is reporting this issue is attempting to communicate with that computer. This situation can occur when a domain controller or domain is renamed. Also, this could occur if a domain controller was removed, but its metadata was not properly cleaned up from the database. To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority. Perform the following tasks on the domain controllers that host the partition that cannot be replicated: Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. Run the command setspn -l hostname, where hostname is the actual host name of the domain controller. This command displays the SPNs that the domain controller has registered. Ensure that the domain name in each SPN listing is correct. If the SPNs are not correct, run the command repadmin /syncall domainname, where domainname is the name of the domain of the domain controller. Wait 15 minutes, and then run the setspn -l hostname command again and review the registered SPNs. If the SPNs not corrected automatically after the domain has fully replicated, correct the SPNs manually. Verify : Perform the following procedure using the domain controller from which you want to verify that Active Directory replication is functioning properly. To perform this procedure, you must have membership in Domain Admins, or you must have been delegated the appropriate authority. To verify that Active Directory replication is functioning properly: Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue. Run the command repadmin /showrepl.This command displays the status reports on all outbound replication links for the domain controller. Active Directory replication is functioning properly on that domain controller if all status messages report that the last replication attempt was successful. If there are any indications of failure or error in the status report following the last replication attempt, Active Directory replication on the domain controller is not functioning properly. If the repadmin command reports that replication was delayed for a normal reason, wait and try repadmin again in a few minutes.
Reference Links	Event ID 1964 from Source Microsoft-Windows-ActiveDirectory_DomainService

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught