Article ID: 168464
Article Last Modified on 11/1/2006
APPLIES TO
- Microsoft Windows NT Workstation 4.0 Developer Edition
- Microsoft Windows NT Server 4.0 Standard Edition
This article was previously published under Q168464
IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if an issue occurs. For information on how to do this, view the "Restoring the Registry" online Help topic in Regedit.exe or the "Restoring a Registry Key" online Help topic in Regedt32.exe.
SYMPTOMS
Directory Replication fails to replicate to import servers. An export server will successfully replicate to itself, even though it may report errors.
The Windows NT Event Log on the export server records the following event:
The Windows NT Event Log on the import server may record one or both of the following events:
CAUSE
In Windows NT 4.0, a new feature was introduced to restrict remote users from accessing a computer's registry unless the administrator of that computer explicitly grants the remote user access by setting the permission on a new registry key. This can prevent directory replication.
When the replication interval passes, the import computer reads the registry of the export server to determine replication parameters. By default, only the Administrators group has permission to remotely access the registry. If no other groups or users were specified in the access control list, or if the registry path is not specified as an allowed path, the account used for replication is denied access and replication fails.
WORKAROUND
For Directory Replication to work properly, an explicit user account must be used. Using the System account will fail. For more information on how to create an explicit user account for Directory Replication, see the following article in the Microsoft Knowledge Base:
132522 Quick Directory Replication Troubleshooting Tip
WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall Windows. Microsoft cannot guarantee that issues resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys And Values" online Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" online Help topics in Regedt32.exe. Note that you should back up the registry before you edit it.
- Start the Windows NT Registry Editor (Regedt32.exe) on the export server.
Go to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control \SecurePipeServers\winreg\AllowedPaths
NOTE: The above registry key is one path; it has been wrapped for readability.Double-click the Machine:REG_MULTI_SZ value and add the following string under that last entry:
System\CurrentControlSet\Services\Replicator- Restart the computer.
An alternative solution is to give Read permission to the Replicator local group for the following key (read or write for Windows 4.0):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\SecurePipeServers\winreg\
Verify that the Replicator group has at least Read permissions to the above key.
NOTE: The above registry key is one path; it has been wrapped for readability. It may also be neccessary to delete the Tmpfile.re$ from the Import directory on each backup domain controller (BDC).
Windows NT 4.0 SP3 updates the AllowedPaths key.
For additional information about the purpose and function of the winreg and AllowedPaths keys, please see the following article in the Microsoft Knowledge Base:
143474 Information Available to Anonymous Logon Users
STATUS
Microsoft has confirmed this to be a problem in Windows NT version 4.0. We are researching this problem and will post new information here in the Microsoft Knowledge Base as it becomes available.
Keywords: kbbug kbnetwork KB168464
