"Replication Access Was Denied"
After you promote a Windows 2000 Server computer to act as a domain controller, you may experience the following issues:
CAUSEThese issues may occur if the computer account is not updated correctly during the domain controller promotion procedure (Dcpromo).
To resolve this issue, follow these steps.
Step 1: Move the Computer Account to the Domain Controllers Container
- On a domain controller that is in the "healthy" part of the domain (not the domain controller with which you experience the issue), start the Active Directory Users and Computers snap-in.
- Expand the domain container, and then click the container in which the computer account with which you experience the issue appears.
- Right-click the computer account, and then click Move.
- In the Container to move object to list, click Domain Controllers, and then click OK.
- Click the Domain Controllers container to verify that the computer object is displayed.
- Quit the Active Directory Computers and Users snap-in.
Step 2: Verify the userAccountControl PropertyWARNING
: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
- On a domain controller that is in the "healthy" part of the domain (not the domain controller with which you experience the issue), install the Windows 2000 Support Tools if they have not already been installed. For additional information about how to install the Windows 2000 Support Tools, click the article number below to view the article in the Microsoft Knowledge Base:
How to Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer
- Start the ADSI Edit snap-in. To do so, click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
- Expand Domain NC [server.example.com] (where server is the name of the domain controller and example.com is the name of the domain.
- Expand DC=example,DC=com.
- Expand OU=Domain Controllers, right-click CN=ServerName (where ServerName is the domain controller with which you experience the issues that are described in the "Symptoms" section of this article), and then click Properties.
- Click the Attributes tab (if it is not already selected).
- In the Select which properties to view list, click Both, and then click userAccountControl in the Select a property to view list.
- If the Value(s) box does not contain 532480, type 532480 in the Edit Attribute box, and then click Set.
- Click Apply, click OK, and then quit the ADSI Edit snap-in.
Step 3: Reset the Secure Channel Password
- On the domain controller with which you experience the issue, install the Windows 2000 Support Tools if they have not already been installed.
- Click Start, click Run, type cmd, and then click OK.
- Change to the folder that contains the Nltest.exe utility. By default, this folder is C:\Program Files\Support Tools.
- Run the following command, where example.com is the name of your domain:
- Quit the command prompt, and then restart the server.
For additional information, click the following article numbers to view the articles in the Microsoft Knowledge Base:
How to Use NLTEST to Force a New Secure Channel
Initiating Replication Between Active Directory Direct Replication Partners
Using Repadmin.exe to Troubleshoot Active Directory Replication
HOW TO: Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer
Article N° 57, du 03.06.2003, par Alain Gremaud
URL de cet article : http://winad.epfl.ch/?article=57