Microsoft KB Archive/262795

= &quot;Replication Access was denied&quot; error message when attempting to synchronize domain controllers =

Article ID: 262795

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q262795





SYMPTOMS
When you use the Active Directory Sites and Services snap-in from a child domain to force replication from a parent domain or another child domain at the same level, you may receive the following error message:

The following error occurred during the attempt to synchronize the Domain Controllers: Replication Access was denied



CAUSE
By default, administrators of child domains can only force replication within their own domain. Administrative permissions do not flow down; they need to be assigned. When a child domain is created, the Enterprise Admin global group is added to the built-in Administrators group of the child domain. This allows the administrator of the parent domain to administer and force replication from either the parent domain or the child domain. Administrators of child domains can only force replication within their own domain unless they are granted administrative permissions over the parent domain or another child domain.



RESOLUTION
To resolve this issue, give the administrator in the child domain permissions to the parent and/or child domain from which you want to force replication.

Note The following steps use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in from the domain on which you want to grant administrative permissions.
 * 1) Expand the domain.com node within the snap-in.
 * 2) Click the Built-in folder.
 * 3) On the right-hand pane of the snap-in, right-click the Administrators group, and then click Properties.
 * 4) On the Members tab, click Add.
 * 5) In the Select Users, Contacts, Computers, or Groups dialog box, in the Look in box, click the domain that contains the administrator to whom you want to grant permissions.
 * 6) Click the Administrator account, click Add, and then click OK.

Repeat these steps for each domain that you want to assign administrative permissions to.



STATUS
This behavior is by design.



MORE INFORMATION
Keep in mind that parent domains are able to manage all of their child domains but you need to perform the steps described in this article for any child domains that want to manage the parent domain or other child domains on the same level.

Additional query words: replicate now force

Keywords: kbacl kbactivedirectoryrepl kbenv kberrmsg kbprb kbsecconfiged KB262795

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.