Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.
View products that this article applies to.
This article describes the symptoms and cause of Active Directory replication error 8418: "The replication operation failed because of a schema mismatch between the servers involved." This article also provides general steps to fix the errror.
This problem may be caused by a true schema mismatch or by a specific issue in which the schema mismatch error occurs because of a large security descriptor (SD).
Active Directory replication fails, and you receive the following schema mismatch error messages:
repadmin /replicate server2.contoso.com server1.contoso.com dc=contoso,dc=com
DsReplicaSync() failed with status 8418 (0x20e2):
The replication operation failed because of a schema mismatch between the servers involved.
Additionally, the following events are recorded on the destination domain controller:
Event Type: Warning
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1203
Description: The local domain controller could not replicate the following object from the source domain controller at the following network address because of an Active Directory schema mismatch.
Object:
OU=DeletedOU\0ADEL:5b229c13-4691-40b4-a4c2-60828e4e430f,OU=test1,ou=test2,dc=contoso,dc=com
Network address:
server1.contoso.com
Active Directory will attempt to synchronize the schema before attempting to synchronize the following directory partition.
Directory partition: dc=contoso,dc=com
Event Type: Error
Event Source: NTDS Replication
Event Category: Replication
Event ID: 1791
Description: Replication of Naming Context dc=contoso,dc=com from source 42fd27d1-2bce-4726-92fa-8daefc91dd97 has been aborted. Replication requires consistent schema but last attempt to sync the schema had failed. It is crucial that schema replication functions properly. See previous errors for more diagnostics. If this issue persists, please contact Microsoft Product Support Services for assistance. Error 8418: The replication operation failed because of a schema mismatch between the servers involved..
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The promotion of a new domain controller may also fail. DCpromo logs information to the Dcpromo.log file at c:\windows\debug. In the event of such a failure, the DCpromo log displays an error entry that resembles the following:
11/12/2019 07:56:54 [INFO] Replicating critical domain information...
11/12/2019 07:56:54 [INFO] EVENTLOG (Warning): NTDS Replication / Replication : 1203
The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services schema mismatch.
Object:
CN=Builtin,DC=contoso,DC=com
Network address:
WIN-PD1KU9I38KK.contoso.com
Active Directory Domain Services will attempt to synchronize the schema before attempting to synchronize the following directory partition.
Directory partition:
DC=contoso,DC=com
11/12/2019 07:56:54 [INFO] EVENTLOG (Warning): NTDS Replication / Replication : 11001
The directory service could not replicate the following object from the source directory service at the following network address because of an Active Directory Domain Services Bad Inheritance ACL.
Object:
CN=Builtin,DC=contoso,DC=com
Network address:
WIN-PD1KU9I38KK.contoso.com
Directory partition:
DC=contoso,DC=com
Please check the Directory Services event log for Event ID 1450 or other ACL related events. You should decrease the ACL size by removing old or duplicate entries.
11/12/2019 07:56:54 [INFO] Error - Active Directory Domain Services could not replicate the directory partition DC=contoso,DC=lab from the remote Active Directory Domain Controller WIN-PD1KU9I38KK.contoso.lab. (8418)
11/12/2019 07:56:54 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
Internal error: An Active Directory Domain Services error has occurred.
On the source domain controller, you may find logged events from Security Descriptor Propagator that resembles the following:
Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 1450
Task Category: Internal Processing
Level: Error
Description:
The security descriptor propagation task could not calculate a new security descriptor for the following object.
Object:
CN=LargeSD_Victim,OU=Large_SD_Repro,DC=contoso,DC=com
This operation will be tried again later.
User Action
If this condition continues, attempt to view the status of this object and manually change the security descriptor.
Additional Data
Error value:
1340 The inherited access control list (ACL) or access control entry (ACE) could not be built.
Another error you may see is:
0x7a (Decimal 122) = "The data area passed to a system call is too small."
This problem occurs because the SD on the problem object has exceeded the maximum size of 65,535 bytes. This is an operating system limitation.
To fix this problem, reduce the size of the security ACL on the affected object. The error event will list the problem object. You must examine the ACLs on the object to determine which of them can be removed. Frequently, tools or scripts add duplicate Access Control Entries (ACEs).
The size also takes into consideration all inherited permissions. Depending on the object, it may be appropriate to clear any selected inherited permissions and remove inherited permissions from the object.
The SD that is written to a certain active object may be successful if it is written locally. However, even if it is successful, the SD can still exceed the system limitation of 65,535 bytes on a replicated instance of the object. Therefore, this error may first surface as a replication problem. This is true also because replication results are often monitored closely.
The error may also occur locally on the originating DC. This is especially true if the object has children because additional explicit ACEs on a child object may cause the total SD size to exceed 65,535 bytes. In these cases, you would also experience SDPROP event 1450.
For the article that discusses other scenarios in which error 8418 may happen, see Troubleshooting AD Replication error 8418: The replication operation failed because of a schema mismatch between the servers involved.