EPFL > VPSI > IT > EXAPP - Information site: WinAD (Windows Active Directory)
"Replication Access Was Denied"
 

SYMPTOMS

After you promote a Windows 2000 Server computer to act as a domain controller, you may experience the following issues:
  • The computer account for the new domain controller does not appear in the Domain Controllers container when you open that container from another domain controller. However, it may be listed in the Domain Controllers container when you view it using the new domain controller's own Active Directory Users and Computers snap-in.
  • When you right-click My Computer, click Properties, and then click the Network Identification tab, the following text is not displayed:
    Note: The identification of the computer cannot be changed because:
    - The computer is a domain controller.

  • If you run the Repadmin.exe utility (that is available in the Windows 2000 Support Tools) with the /showreps switch, you receive the following output:
    ==== INBOUND NEIGHBORS ======================================

    CN=Schema,CN=Configuration,DC=example,DC=com
       Site-Name\Server1 via RPC
           objectGuid: 0d519219-b957-4a80-9d39-ec4d51e2181e
           Last attempt @ <date> <time> failed, result 8453:
               Replication access was denied.
           Last success @ <date> <time>.
           63 consecutive failure(s).

    CN=Configuration,DC=example,DC=com
       Site-Name\Server1 via RPC
           objectGuid: 0d519219-b957-4a80-9d39-ec4d51e2181e
           Last attempt @ <date> <time> failed, result 8453:
               Replication access was denied.
           Last success @ <date> <time>.
           64 consecutive failure(s).

    DC=example,DC=com
       Site-Name\Server1 via RPC
           objectGuid: 0d519219-b957-4a80-9d39-ec4d51e2181e
           Last attempt @ <date> <time> failed, result 8453:
               Replication access was denied.
           Last success @ <date> <time>.
           64 consecutive failure(s).

  • If you run the Active Directory Replication Monitor utility (Replmon.exe) (that is available in the Windows 2000 Support Tools), you receive the following output:
    Domain Controller Name:      Server2
       Directory Partition:      CN=Schema,CN=Configuration,DC=example,DC=com
       Replication Partner:      Site-Name\Server1
       Failure Code:             8453
       Failure Reason:           Replication access was denied.

    Domain Controller Name:      Server2
       Directory Partition:      CN=Configuration,DC=example,DC=com
       Replication Partner:      Site-Name\Server1
       Failure Code:             8453
       Failure Reason:           Replication access was denied.

    Domain Controller Name:      Server2
       Directory Partition:      DC=example,DC=com
       Replication Partner:      Site-Name\Server1
       Failure Code:             8453
       Failure Reason:           Replication access was denied.

  • If you run the DCdiag.exe utility (that is available in the Windows 2000 Support Tools), you receive a "Replication access was denied" message.
  • If you run the Netdiag.exe utility, you receive the following output:
    Trust relationship test. . . . . . : Failed
      Test to ensure DomainSid of domain 'EXAMPLE' is correct.
      [FATAL] Secure channel to domain 'EXAMPLE' is broken. [ERROR_NO_TRUST_SAM_ACCOUNT]

CAUSE

These issues may occur if the computer account is not updated correctly during the domain controller promotion procedure (Dcpromo).

RESOLUTION

To resolve this issue, follow these steps.

Step 1: Move the Computer Account to the Domain Controllers Container

  1. On a domain controller that is in the "healthy" part of the domain (not the domain controller with which you experience the issue), start the Active Directory Users and Computers snap-in.
  2. Expand the domain container, and then click the container in which the computer account with which you experience the issue appears.
  3. Right-click the computer account, and then click Move.
  4. In the Container to move object to list, click Domain Controllers, and then click OK.
  5. Click the Domain Controllers container to verify that the computer object is displayed.
  6. Quit the Active Directory Users and Computers snap-in.

Step 2: Verify the userAccountControl Property

WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
  1. On a domain controller that is in the "healthy" part of the domain (not the domain controller with which you experience the issue), install the Windows 2000 Support Tools if they have not already been installed. For additional information about how to install the Windows 2000 Support Tools, click the article number below to view the article in the Microsoft Knowledge Base:
    301423 How to Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer

  2. Start the ADSI Edit snap-in. To do so, click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
  3. Expand Domain NC [server.example.com] (where server is the name of the domain controller and example.com is the name of the domain).
  4. Expand DC=example,DC=com.
  5. Expand OU=Domain Controllers, right-click CN=ServerName (where ServerName is the domain controller with which you experience the issues that are described in the "Symptoms" section of this article), and then click Properties.
  6. Click the Attributes tab (if it is not already selected).
  7. In the Select which properties to view list, click Both, and then click userAccountControl in the Select a property to view list.
  8. If the Value(s) box does not contain 532480, type 532480 in the Edit Attribute box, and then click Set. The value 532480 (0x82000) is the combination of the SERVER_TRUST_ACCOUNT bit (0x2000, 8192) and the TRUSTED_FOR_DELEGATION bit (0x80000, 524288); a member server that was never correctly promoted typically still carries WORKSTATION_TRUST_ACCOUNT (0x1000, 4096) instead. Because SERVER_TRUST_ACCOUNT is what gives an account domain-controller standing, set it only on an object that really is a domain controller (it sits under OU=Domain Controllers and has an NTDS Settings object under its server object in the Sites container).
  9. Click Apply, click OK, and then quit the ADSI Edit snap-in.

Step 3: Reset the Secure Channel Password

  1. On the domain controller with which you experience the issue, install the Windows 2000 Support Tools if they have not already been installed.
  2. Click Start, click Run, type cmd, and then click OK.
  3. Change to the folder that contains the Nltest.exe utility. By default, this folder is C:\Program Files\Support Tools.
  4. Run the following command, where example.com is the name of your domain:
    nltest /sc_change_pwd:example.com

  5. Quit the command prompt, and then restart the server.
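The three steps above amount to two checks that can be scripted before anything is changed: which partitions report 8453, and whether the suspect computer object carries the userAccountControl bits a domain controller needs. The following is an added example, not part of the original article or of the Windows 2000 Support Tools; it uses only the Python standard library. The repadmin text it parses is a constructed, abridged copy of the Symptoms output above with one healthy partner (Server3, with an invented objectGuid) added so that the filter has something to leave out, and the userAccountControl flag names and values are the Microsoft-documented constants. The function names are the example's own.

```python
"""Triage helpers for the "Replication access was denied" (8453) case.

Two offline checks that mirror the article's procedure:
  parse_showreps()   picks the per-partition failure state out of
                     `repadmin /showreps` text
  check_dc_uac()     decodes a computer object's userAccountControl and
                     reports which bits a DC account must (not) carry
SAMPLE_SHOWREPS is a constructed, abridged copy of the article's Symptoms
output with one healthy partner added (Server3's objectGuid is invented).
"""
import re

# userAccountControl bits (Microsoft-documented constants); only the ones
# the check cares about are listed.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",   # an ordinary member server
    0x2000: "SERVER_TRUST_ACCOUNT",        # a domain controller
    0x80000: "TRUSTED_FOR_DELEGATION",     # unconstrained delegation, normal on a DC
}
DC_REQUIRED = (0x2000, 0x80000)            # 0x82000 == 532480, the value in Step 2
DC_FORBIDDEN = (0x0002, 0x1000)
ERROR_DS_DRA_ACCESS_DENIED = 8453          # "Replication access was denied"

_PARTITION = re.compile(r"^(?:CN|DC)=\S+$")          # naming context, column 0
_PARTNER = re.compile(r"^(\S+) via (?:RPC|IP|SMTP)$")  # "Site\Server via RPC"
_RESULT = re.compile(r"failed, result (\d+)")
_FAILURES = re.compile(r"(\d+) consecutive failure")


def parse_showreps(text):
    """Return {partition: [neighbour, ...]}; each neighbour is a dict with
    keys partner, result (0 when the last attempt succeeded) and failures."""
    neighbours = {}
    partition = current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _PARTITION.match(line):
            partition = line
            neighbours.setdefault(partition, [])
            current = None
            continue
        m = _PARTNER.match(line)
        if m and partition is not None:
            current = {"partner": m.group(1), "result": 0, "failures": 0}
            neighbours[partition].append(current)
            continue
        if current is None:
            continue
        m = _RESULT.search(line)
        if m:
            current["result"] = int(m.group(1))
        m = _FAILURES.search(line)
        if m:
            current["failures"] = int(m.group(1))
    return neighbours


def access_denied_partitions(neighbours):
    """Partitions with at least one inbound partner failing with 8453."""
    return sorted(p for p, ns in neighbours.items()
                  if any(n["result"] == ERROR_DS_DRA_ACCESS_DENIED for n in ns))


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [UAC_FLAGS[bit] for bit in sorted(UAC_FLAGS) if value & bit]


def check_dc_uac(value):
    """Compare a computer object's userAccountControl with what a DC needs.

    Act on the result only for an object that really is a DC (under
    OU=Domain Controllers, with an NTDS Settings object): SERVER_TRUST_ACCOUNT
    is the bit that gives an account domain-controller standing."""
    missing = [UAC_FLAGS[b] for b in DC_REQUIRED if not value & b]
    unexpected = [UAC_FLAGS[b] for b in DC_FORBIDDEN if value & b]
    return {"value": value, "flags": decode_uac(value),
            "missing": missing, "unexpected": unexpected,
            "is_dc_account": not missing and not unexpected}


SAMPLE_SHOWREPS = r"""
==== INBOUND NEIGHBORS ======================================

CN=Schema,CN=Configuration,DC=example,DC=com
   Site-Name\Server1 via RPC
       objectGuid: 0d519219-b957-4a80-9d39-ec4d51e2181e
       Last attempt @ <date> <time> failed, result 8453:
           Replication access was denied.
       Last success @ <date> <time>.
       63 consecutive failure(s).

CN=Configuration,DC=example,DC=com
   Site-Name\Server1 via RPC
       objectGuid: 0d519219-b957-4a80-9d39-ec4d51e2181e
       Last attempt @ <date> <time> failed, result 8453:
           Replication access was denied.
       Last success @ <date> <time>.
       64 consecutive failure(s).

DC=example,DC=com
   Site-Name\Server1 via RPC
       objectGuid: 0d519219-b957-4a80-9d39-ec4d51e2181e
       Last attempt @ <date> <time> failed, result 8453:
           Replication access was denied.
       Last success @ <date> <time>.
       64 consecutive failure(s).
   Site-Name\Server3 via RPC
       objectGuid: 00000000-0000-0000-0000-000000000000
       Last attempt @ <date> <time> was successful.
"""

if __name__ == "__main__":
    reps = parse_showreps(SAMPLE_SHOWREPS)
    for p in access_denied_partitions(reps):
        print("8453 on", p, [n for n in reps[p] if n["result"] == 8453])
    for uac in (4096, 532480):
        print(uac, check_dc_uac(uac))
```

On a live system, feed `repadmin /showreps` output into parse_showreps and the object's userAccountControl into check_dc_uac (on a current domain controller that attribute is returned by `Get-ADComputer <name> -Properties userAccountControl`). A result of 4096 on an object in OU=Domain Controllers is the signature of the failed promotion described in the Cause section; a result of 532480 on an object that is not a DC is a finding in its own right, since write access to userAccountControl on computer objects is what that bit turns into domain-controller privileges.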

MORE INFORMATION

For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
156684 How to Use NLTEST to Force a New Secure Channel
232072 Initiating Replication Between Active Directory Direct Replication Partners
229896 Using Repadmin.exe to Troubleshoot Active Directory Replication
301423 How to Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer

Article No. 57, 03.06.2003, by Alain Gremaud
URL of this article: http://winad.epfl.ch/?article=57

© 2017 VPSI - EXAPP - TC