Microsoft KB Archive/285836

= Replicating from New Domain Controller to Existing One Returns 'Access Denied'; Log Shows Error 16650 =

Article ID: 285836

Article Last Modified on 2/28/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



This article was previously published under Q285836



SYMPTOMS
When you use Dcpromo.exe to create a new domain controller replica in a forest consisting of a single domain and one existing domain controller, you may receive an &quot;Access Denied&quot; error message when you use Dssite.msc to replicate from the new domain controller to the existing one. In addition, the new domain controller's Directory Service log may record Error 16650.



CAUSE
This behavior can occur when the existing domain controller was previously a Microsoft Windows NT Server 4.0-based primary domain controller (PDC) that was upgraded to be a Windows 2000-based domain controller. In this situation, the &quot;Access this computer from the network&quot; user right is granted only to the following groups:


 * Administrators
 * Backup Operators
 * Domain Users

However, it should also be granted to the Enterprise Admins group.



RESOLUTION
To resolve this behavior, grant the Enterprise Admins group the user right &quot;Access this computer from the network&quot;, and then refresh the security policy. Follow these steps:


 * 1) In Active Directory Users and Computers, click the Domain Controllers object.
 * 2) Right-click the domain controller name, and then click Properties.
 * 3) In the domain controller's Properties dialog box, click the Group Policy tab.
 * 4) Click Default Domain Controllers Policy, and then click Edit.
 * 5) Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policy\User Rights Assignment, and then double-click Access this computer from the network.
 * 6) Add the Enterprise Admins group to the list of groups to be granted this user right.
 * 7) To refresh the security policy, type the following at a command prompt and then press ENTER:

SECEDIT.EXE /refreshpolicy MACHINE_POLICY /ENFORCE

Keywords: kbprb KB285836

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.