
= Replication Does Not Work When the Error "Replication Access Was Denied" Is Logged =

Article ID: 297716

Article Last Modified on 2/28/2007


APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server




This article was previously published under Q297716



SYMPTOMS
The following errors may be logged in the Directory Services log:

Event Type: Warning

Event Source: NTDS General

Event Category: Global Catalog

Event ID: 1655

Description: The attempt to communicate with global catalog \\gc.domain.com failed with the following status:

Replication access was denied.

The operation in progress might be unable to continue. The directory service will use the locator to try find an available global catalog server for the next operation that requires one.

-or-

Event Type: Warning

Event Source: NTDS KCC Event

Category: Knowledge Consistency Checker

Event ID: 1265

Description: The attempt to establish a replication link with parameters

Partition: DC=domain,DC=com

Source DSA DN: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com

Source DSA Address: 7b7fa657-1925-457a-9e8c-ae167e40b669._msdcs.domain.com

Inter-site Transport (if any): CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=com

failed with the following status:

Replication access was denied.



CAUSE
This behavior occurs because the Kerberos tickets in the domain controller are not valid on other domain controllers in the domain.



RESOLUTION
To resolve this behavior:

 1. Set the Startup type for the Kerberos Key Distribution Center service on the affected domain controller to Disabled.
 2. Restart the affected domain controller.
 3. Log on to the domain controller, and then force replication with its replication partners by using the Active Directory Sites and Services snap-in.
 4. Check the replication status by typing the following command at a command prompt:

    repadmin /showreps

    Repadmin is available in the Windows 2000 Support Tools.
 5. If replication is now successful, set the Startup type for the Kerberos Key Distribution Center service on the affected domain controller back to Automatic.
 6. Restart the Kerberos Key Distribution Center service.
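The check in step 4 is a manual read of `repadmin /showreps`. The following added example (not part of the original article) parses that output and lists every inbound partner whose last attempt failed with "Replication access was denied", which is the condition the article is about. The sample output is constructed to mimic repadmin's layout and is not captured from a real domain controller; the result code 8453 is the Windows error for replication access denied and is an assumption about what repadmin prints alongside the message.

```python
"""Parse `repadmin /showreps` output and flag inbound partners whose last
replication attempt failed with "Replication access was denied".
Added example; the sample below is constructed, not real repadmin output."""
import re
from dataclasses import dataclass

# Constructed sample of `repadmin /showreps` output (layout mimics repadmin;
# the DSA GUID is the one quoted in the article's event text).
SAMPLE_SHOWREPS = """\
Default-First-Site-Name\\DC02
DSA Options : IS_GC
objectGuid  : 11111111-2222-3333-4444-555555555555

==== INBOUND NEIGHBORS ======================================

DC=domain,DC=com
    Default-First-Site-Name\\DC01 via RPC
        objectGuid: 7b7fa657-1925-457a-9e8c-ae167e40b669
        Last attempt @ 2007-02-28 09:15:02 failed, result 8453:
            Replication access was denied.
        3 consecutive failure(s).
        Last success @ 2007-02-27 18:00:11.

CN=Configuration,DC=domain,DC=com
    Default-First-Site-Name\\DC01 via RPC
        objectGuid: 7b7fa657-1925-457a-9e8c-ae167e40b669
        Last attempt @ 2007-02-28 09:15:03 was successful.
"""

ACCESS_DENIED = "Replication access was denied"


@dataclass
class NeighborStatus:
    partition: str   # naming context, e.g. DC=domain,DC=com
    source: str      # site\\server of the inbound partner
    failed: bool     # True when the last attempt line says "failed"
    failures: int    # "N consecutive failure(s)" if present
    message: str     # status text printed under a failed attempt


def parse_showreps(text):
    """Walk the INBOUND NEIGHBORS section and return one NeighborStatus per partner.

    Partition lines sit at column 0, partner lines are indented 4 spaces and
    the attempt/result lines are indented 8 or more, which is what the parser
    keys on."""
    results = []
    partition = None
    current = None
    in_inbound = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("==== INBOUND NEIGHBORS"):
            in_inbound = True
            continue
        if line.startswith("===="):            # OUTBOUND or any other section
            in_inbound = False
            continue
        if not in_inbound or not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        stripped = line.strip()
        if indent == 0:
            partition = stripped
        elif indent == 4:
            current = NeighborStatus(partition, stripped.split(" via ")[0], False, 0, "")
            results.append(current)
        elif current is not None:
            if stripped.startswith("Last attempt"):
                current.failed = " failed" in stripped
            elif current.failed and indent > 8 and not current.message:
                current.message = stripped.rstrip(".")   # status text line
            else:
                m = re.match(r"(\d+) consecutive failure", stripped)
                if m:
                    current.failures = int(m.group(1))
    return results


def access_denied_partners(text):
    """Return (partition, source, consecutive failures) for every partner whose
    last attempt failed with the access-denied status."""
    return [(s.partition, s.source, s.failures)
            for s in parse_showreps(text)
            if s.failed and s.message.startswith(ACCESS_DENIED)]


if __name__ == "__main__":
    for partition, source, failures in access_denied_partners(SAMPLE_SHOWREPS):
        print(f"{partition}: {source} denied ({failures} consecutive failures)")
```

On a live server, feed the function the captured output (`repadmin /showreps > reps.txt`) instead of the constructed sample; an empty result after step 3 means the KDC workaround has taken effect and the service can be set back to Automatic.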


MORE INFORMATION
Because every Windows 2000 domain controller is a Kerberos Key Distribution Center (KDC), domain controllers request Kerberos tickets from themselves. If a domain controller is not in synchronization with the rest of the domain, the computer account password (which is critical to the Kerberos ticket) for the domain controller may not be the same on the affected domain controller as it is on the other domain controllers in the domain. Disabling the Kerberos KDC service on the affected domain controller and then restarting the computer forces the domain controller to request Kerberos tickets from another KDC; those tickets are valid for authentication and allow replication to occur.

After replication has completed successfully, you can restart the local Kerberos KDC service on the domain controller.

You may also experience the behavior described in the Symptoms section of this article if the "Everyone" and "Authenticated Users" groups are absent from the "Access this computer from the network" user right in the "Domain controller security policy". If this is the case, perform the following steps to resolve this behavior:

 1. Click Start, point to Programs, click Administrative Tools, and then click Active Directory Users and Computers.
 2. Right-click the Domain Controllers OU, and then click Properties.
 3. Click the Group Policy tab, click to highlight Domain Controller Security Policy, and then click Edit.
 4. Click the plus sign (+) to expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Security Policy, and then click to highlight User Rights Assignments.
 5. Click the Access This Computer From The Network policy, add the "Everyone" and "Authenticated Users" groups, and then close the snap-in.
 6. To refresh this policy, run the following command from the command line:

    secedit /refreshpolicy machine_policy /enforce
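Whether the two groups are present can be verified from an exported security template rather than by clicking through the snap-in. The following added example (not part of the original article) reads the `[Privilege Rights]` section of a template exported with `secedit /export /cfg <file>` and reports which of the required groups are missing from `SeNetworkLogonRight`, the internal name of the "Access this computer from the network" right. The two template texts are constructed samples, one with the weak setting and one with the corrected one; the well-known SIDs S-1-1-0 (Everyone) and S-1-5-11 (Authenticated Users) are standard Windows values.

```python
"""Check an exported security template for the "Access this computer from the
network" right (SeNetworkLogonRight).  Added example, not from the article.
Assumes a template produced by `secedit /export /cfg file.inf`; both samples
below are constructed, not captured from a real domain controller."""
import configparser

# Well-known SIDs as they appear (prefixed with '*') in the [Privilege Rights] section.
REQUIRED = {
    "S-1-1-0": "Everyone",
    "S-1-5-11": "Authenticated Users",
}

# Constructed: the weak setting, only Administrators and Account Operators.
SAMPLE_WEAK_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-548
SeInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed: the corrected setting with Everyone and Authenticated Users added.
SAMPLE_FIXED_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""


def network_logon_sids(inf_text):
    """Return the set of SIDs granted SeNetworkLogonRight in the template text."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str            # keep key case (SeNetworkLogonRight)
    cp.read_string(inf_text)
    raw = cp.get("Privilege Rights", "SeNetworkLogonRight", fallback="")
    return {tok.strip().lstrip("*") for tok in raw.split(",") if tok.strip()}


def missing_network_logon_groups(inf_text):
    """Names of required groups absent from the right, sorted for stable output."""
    present = network_logon_sids(inf_text)
    return sorted(name for sid, name in REQUIRED.items() if sid not in present)


def load_template(path):
    """Read a real exported template; secedit writes them as UTF-16 (hence the
    [Unicode] header), which is why the encoding is fixed here."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK_INF), ("fixed", SAMPLE_FIXED_INF)):
        missing = missing_network_logon_groups(text)
        print(f"{label}: missing {missing}" if missing else f"{label}: OK")
```

An empty list from `missing_network_logon_groups` means the policy already grants the right to both groups and the symptom has another cause, such as the Kerberos ticket mismatch described above.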

Keywords: kbenv kberrmsg kbprb KB297716


© Microsoft Corporation. All rights reserved.