jpolisher's IT-wiki

Resolution
Check the value for DSA not writable.

For each domain controller that is logging the 8456 or 8457 error, determine whether one of the three triggering events automatically disabled incoming or outgoing Active Directory Replication by reading the value for " DSA not writable" from the local registry.

When replication is automatically disabled, the operating system writes one of four possible values to DSA not writable:

Path: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
Setting: DSA not writable
Type: Reg_dword
Values:
#define DSA_WRITABLE_GEN 1
#define DSA_WRITABLE_NO_SPACE 2
#define DSA_WRITABLE_USNROLLBCK 4
#define DSA_WRITABLE_CORRUPT_UTDV 8
A value of 1 can be written only when the forest version is incompatible with the OS (for example, the W2K DC is promoted into a Windows Server 2003 forest functional level forest or the like).

A value of 2 means that the physical or virtual drive that is hosting the Active Directory database or log files lacks sufficient free disk space.

A value of 4 means that a USN rollback occurred because the Active Directory database was incorrectly rolled back in time. Operations that are known to cause a USN rollback include the following:

The booting from previously saved virtual machine snapshots of domain controller role computers on Hyper-V or VMWARE hosts.
Incorrect physical-to-virtual (P2V) conversions in forests that contain more than one domain controller.
Restoring DC role computers by using imaging products such as Ghost.
Rolling the contents of a partition that is hosting the active directory database back in time by using an advanced disk subsystem.
A value of 8 indicates that the up-to-dateness-vector is corrupted on the local DC.

Technically, DSA not writable could consist of multiple values. For example, a registry value of 10 would indicate insufficient disk space and a corrupted UTD. Typically, a single value is written to DSA not writable.