Summary

For AIP2016R2SP1 or later, backup in multiple domain controller environments is supported.
If you have multiple domain controllers configured with Windows Server 2016, running “authoritative restore” may cause the database not to be replicated to other domain controllers.

When this occurs, the following error is output on the domain controller of the replication destination.

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 1481
Task Category: Internal Processing

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 1084
Task Category: Replication

Log Name: Directory Service
Source: Microsoft-Windows-ActiveDirectory_DomainService
Event ID: 2108
Task Category: Replication

Cause

It is based on Windows Server 2016 specifications.

Please see below for the details.
https://support.microsoft.com/en-us/help/4046675/ad-replication-fails-with-error-8409-after-you-restore-or-undelete-ad

Resolution

If this error occurs, you need to wait at the most 6 hours.

More information

How to check the time to start replication.
e.g. 06/05/2018 10:12:27 Restart the replication destination domain controller.
       06/05/2018 11:13    Perform “authoritative restore” on FSMO domain controller.

06/05/2018 10:12:27    Kernel-General    12
The operating system started at system time 2018-06-05T01:12:27.489258900Z.

06/05/2018 10:12:41    ActiveDirectory_DomainService    2406    Internal Configuration
This Active Directory Domain Services server is disabling support for the “Recycle Bin Feature” optional feature.

—–> Pause replication.

06/05/2018 16:11:11    ActiveDirectory_DomainService    1084    Replication
Internal event: Active Directory Domain Services could not update the following object with changes received from the following source directory service.
This is because an error occurred during the application of the changes to Active Directory Domain Services on the directory service.
 
Additional Data
Error value:
8409 A database error has occurred.

06/05/2018 16:11:11    ActiveDirectory_DomainService    1360    Replication
Internal event: The ReplicaSync operation completed with the following status.
Status:
8409

—–> 06/05/2018 11:13  After that, although replication is being done, Error 8409 has occurred, and replication has not been done.

—– Elapsed 6 hours —–
06/05/2018 16:12:42    ActiveDirectory_DomainService    2405    Internal Configuration
This Active Directory Domain Services server does not support the “Recycle Bin Feature” optional feature.

—–> Pause replication is finished and replication does start.

06/05/2018 16:16:15    ActiveDirectory_DomainService    1360    Replication
Internal event: The ReplicaSync operation completed with the following status.
Status:
0

06/05/2018 16:16:15    ActiveDirectory_DomainService    1060    Replication
Internal event: The directory replication agent request was successfully completed.

—–> Replication completed event.

In this way, replication is performed when 6 hours has elapsed after destination domain controller started.
It is not the elapsed time since performing “authoritative restore”.

Target Products

– ActiveImage Protector 2016R2SP1 or later