Jaa


An "Access denied" or other security error has caused replication problems

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Replication problems that have security causes can be tested and diagnosed by using the version of Dcdiag.exe that is included with Windows Support Tools in Windows Server 2003 Service Pack 1 (SP1).

Cause

A replication destination domain controller cannot contact its source replication partner to get Active Directory updates as a result of one or more security errors occurring on the connection between the two domain controllers.

Solution

Run the replication security error diagnostic test that is available in the version of Dcdiag in Windows Support Tools that is included in Windows Server 2003 SP1.

Test a Domain Controller for Replication Security Errors

You can test any or all domain controllers in your forest for security errors.

Requirements

  • Administrative credentials: To complete this procedure, you must be a member of the Domain Admins group to test a domain controller in your domain or a member of the Enterprise Admins group to test a domain controller in another domain.

  • Tool: Dcdiag.exe (Windows Support Tools) in Windows Server 2003 SP1

  • Operating system:

    • Although you can run the enhanced version of Dcdiag on computers running Windows XP Professional and Windows Server 2003 with no service pack installed, to run the new replication security test (/test:CheckSecurityError), you must run Dcdiag on a domain controller running Windows Server 2003 with SP1.

    • You can run the new Dcdiag replication security tests against domain controllers that are running the following operating systems:

      Windows 2000 Server with Service Pack 3 (SP3)

      Windows 2000 Server with Service Pack 4 (SP4)

      Windows Server 2003

      Windows Server 2003 with SP1

To test a domain controller for replication security errors

  1. At a command prompt, type the following command, and then press ENTER:

    **dcdiag /test:CheckSecurityError /s:**DomainControllerName

    where DomainControllerName is the Domain Name System (DNS) name, network basic input/output system (NetBIOS) name, or distinguished name of the domain controller on which you want to test.

    If you do not use the /s: switch, the test is run against the local domain controller. You can also test all domain controllers in the forest by using /e: instead of /s:.

  2. Copy the report into Notepad or an equivalent text editor

  3. Scroll to the Summary table near the bottom of the Dcdiag log file.

  4. Note the names of all domain controllers that reported “Warn” or “Fail” status in the Summary table.

  5. Find the detailed breakout section for the problem domain controller by searching on the string “DC: DomainControllerName”.

  6. Make the required configuration changes on the domain controllers.

    Rerun Dcdiag /test:CheckSecurityError with the /e: or /s: switch to validate the configuration changes.

Test the Connection Between Two Domain Controllers for Replication Security Errors

You can test the connection between two domain controllers in your forest for replication security errors. The domain controller that represents the source of the inbound connection does not have to be an existing source to run this test; that is, a connection object from that domain controller does not have to exist on the destination domain controller. The test is useful in the following scenarios:

  • A connection exists between a source and a destination, and you receive a security error.

  • A connection should be created automatically by the Knowledge Consistency Checker (KCC) and you want to test why the connection does not exist.

  • You are trying to create a connection between two domain controllers and you receive a security error.

  • You want to determine whether a connection could be created if you wanted to add one on this destination from the specified source.

Requirements

  • Administrative credentials: To complete this procedure, you must be a member of the Domain Admins group to test the connection between domain controllers in your domain or a member of the Enterprise Admins group to test the connection between domain controllers in different domains.

  • Tool: Dcdiag.exe (Windows Support Tools) included in Windows Server 2003 SP1

  • Operating system:

    • Although you can run the enhanced version of Dcdiag on computers that are running Windows XP Professional and Windows Server 2003 with no service pack installed, to run the new replication security test (/test:CheckSecurityError), you must run Dcdiag on a domain controller running Windows Server 2003 with SP1.

    • You can run the new Dcdiag replication security tests against domain controllers running the following operating systems:

      Windows 2000 Server with SP3

      Windows 2000 Server with SP4

      Windows Server 2003

      Windows Server 2003 with SP1

To test the connection between two domain controllers for replication security errors

  1. At a command prompt, type the following command, and then press ENTER:

    **dcdiag /test:CheckSecurityError /ReplSource:**SourceDomainControllerName

    where SourceDomainControllerName is the DNS name, NetBIOS name, or distinguished name of the real or potential "from" server that is represented by a real or potential connection object that you want to test. This command tests the connection between the domain controller on which you run the command and the source domain controller.

  2. Copy the report into Notepad or an equivalent text editor.

  3. Scroll to the Summary table near the bottom of the Dcdiag log file.

  4. Note the names of all domain controllers that reported “Warn” or “Fail” status in the Summary table

  5. Find the detailed breakout section for the problem domain controller by searching on the string “DC: DomainControllerName”.

  6. Make the required configuration changes on the domain controllers.

  7. Rerun **Dcdiag /test:CheckSecurityError /ReplSource:**SourceDomainControllerName to validate configuration changes.