Replication Failure - Access Denied

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I currently have a Win2K AD in native mode with 4 local DC and 2 at another
site. I have one server in the site with 4 DC that cannot replicate to the
other three and vice-versa. The error I get is that Access is Denied. I
looked at the article regarding this on Microsoft's site but there are a
couple of steps I am not sure how to check on and I have done the steps noted
and it does not resolve the issue. Can someone direct me to how to resolve
this? I even tried to demote the server with the intention to promote it and
it would not let me demote it because of the same error.

This is the article I have been working from;

http://www.microsoft.com/technet/pr...irectory/maintain/opsguide/part1/adogd12.mspx

The steps in the process that Microsoft outlines that I need help with are
as follows;

"Confirm that the Enterprise Domain Controllers group contains the "access
this computer from network" right."

There is a Domain Controllers group in AD but not an Enterprise DC group and
I cannot find that right to check on in the DC group anywhere.

The other piece that I canont find is;

Synchronize the domain naming context of the replication partner with the
PDC emulator.

How is this done? I verified that the Kerberos entries in the DNS on both
the PDC and the server in question are the same but is there more than this?

Also, this server is holding the Global Catalog role though there is another
in the domain that also has the role.

Any suggestions would be appreciated.

Thanks,
 
I currently have a Win2K AD in native mode with 4 local DC and
2 at another
site. I have one server in the site with 4 DC that cannot
replicate to the
other three and vice-versa. The error I get is that Access is
Denied. I
looked at the article regarding this on Microsoft's site but
there are a
couple of steps I am not sure how to check on and I have done
the steps noted
and it does not resolve the issue. Can someone direct me to
how to resolve
this? I even tried to demote the server with the intention to
promote it and
it would not let me demote it because of the same error.

This is the article I have been working from;

http://www.microsoft.com/technet/pr...irectory/maintain/opsguide/part1/adogd12.mspx

The steps in the process that Microsoft outlines that I need
help with are
as follows;

"Confirm that the Enterprise Domain Controllers group contains
the "access
this computer from network" right."

There is a Domain Controllers group in AD but not an
Enterprise DC group and
I cannot find that right to check on in the DC group anywhere.

The other piece that I canont find is;

Synchronize the domain naming context of the replication
partner with the
PDC emulator.

How is this done? I verified that the Kerberos entries in the
DNS on both
the PDC and the server in question are the same but is there
more than this?

Also, this server is holding the Global Catalog role though
there is another
in the domain that also has the role.

Any suggestions would be appreciated.

Thanks,
Click to expand...

what are the event ids in the logs>

what does DCDIAG /V say?
 
Hello,

You have 4 DCs in 1 site and 1 DC is not replicating with the other 3 DCs in
this same site.
From the problem, can you do start->run->\\FQDN of a good DC (preferably
PDC)-> this will be successful I believe
From a good DC, if you do start->run->\\FQDN of bad DC ->you will most
probably see access is denied
This is because AD replication is pull replication and when a good DC is
trying to pull from a bad DC, it cannot verify the credentials of the bad DC
and gives access denied. This is caused when the secure channel gets broken
between DCs.
First u should check for DNS. Are all DCs running DNS in this site? If yes,
then point the PDC emulator to itself for preferred DNS and to any other DC
that is running DNS as alternate. On the other DCs, point for preferred DNS
to the PDC and for alternate, point to themselves.
Open up DNSmgmt.msc and expand the forward lookup zone. If u have AD
integrated zone, then expand the _msdcs folder and on the right hand side u
will see the DC's Guided records.
Please copy the GUID of the problem DC and from the PDC try to do : ping
GUID_of_problem_DC._msdcs.domain_name->if this is successful then DNS is
working fine for AD replication to work fine
If this fails, then we may have to concentrate on resolving name resolution
issues
Let's assume this is successful
Then we have to reset the secure channel between this problem DC and the PDC
We can do this with netdom command.....this is available with Windows
support tools
On the problem DC, we have to run the nwtdom command
So on this DC, go to services.msc and stop the KDC service and set it to
manual
Then from the command prompt, run the following command :

netdom resetpwd /server:IP_address_of_PDC
/userd:netbios_domain_name\administrator /passwordd:* and press enter
This will ask you to type in the administrator password->please type it in
and press enter
This will give u the message : machine account password for machine has been
successfully reset
Then restart this DC where u ran the command
After it reboots, please restart the KDC service and set it to automatic
Then try doing a replication with repadmin /syncall domain_name->it should
be successful
Please e-mail me at (e-mail address removed) for any queries or
concerns.
 
Back
Top