Replication Does Not Work When the Error "Replication Access Was Denied" Is Logged (297716)

The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server

This article was previously published under Q297716

SYMPTOMS

The following errors may be logged in the Directory Services log:
Event Type: Warning
Event Source: NTDS General
Event Category: Global Catalog
Event ID: 1655
Description: The attempt to communicate with global catalog \\gc.domain.com failed with the following status:

Replication access was denied.

The operation in progress might be unable to continue. The directory service will use the locator to try find an available global catalog server for the next operation that requires one.

-or-

Event Type: Warning
Event Source: NTDS KCC Event
Category: Knowledge Consistency Checker
Event ID: 1265
Description: The attempt to establish a replication link with parameters
Partition: DC=domain,DC=com
Source DSA DN: CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
Source DSA Address: 7b7fa657-1925-457a-9e8c-ae167e40b669._msdcs.domain.com
Inter-site Transport (if any): CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=com
failed with the following status:

Replication access was denied.

CAUSE

This behavior occurs because the Kerberos tickets that the affected domain controller issues to itself are not valid on the other domain controllers in the domain.

RESOLUTION

To resolve this behavior:
  1. Set the Startup type for the Kerberos Key Distribution Center service on the affected domain controller to Disabled.
  2. Restart the affected domain controller.
  3. Log on to the domain controller, and then force the replication with its replication partners by using the Active Directory Sites and Services snap-in.
  4. Check the replication status by typing the following command line from a command prompt:

    repadmin /showreps

    Repadmin is available in Windows 2000 Support Tools.
  5. If replication is now successful, set the Startup type for the Kerberos Key Distribution Center service on the affected domain controller back to Automatic.
  6. Restart the Kerberos Key Distribution Center service.
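The following script is an added example and is not part of the original article; it carries out the six steps above from PowerShell on a current Windows Server domain controller. It assumes the service name Kdc, that repadmin.exe is installed, and that it is run elevated on the affected domain controller. Because step 2 reboots the machine, the script is run twice: once to disable the KDC and reboot, and once with -Restore after logging back on. Step 3 is performed with repadmin /syncall instead of the Sites and Services snap-in; that substitution is the author of this example's choice, not the article's.

```powershell
# Added example, not from the KB article. Assumes: elevated session on the affected
# DC, service name 'Kdc', repadmin.exe present. Run once without -Restore (steps 1-2),
# then again with -Restore after the reboot (steps 3-6).
param([switch]$Restore)

if (-not $Restore) {
    # Step 1: disable the local KDC so this DC must obtain tickets from a peer KDC
    Set-Service -Name 'Kdc' -StartupType Disabled
    Write-Host "Kdc startup type set to Disabled; restarting the computer (step 2)."
    # Step 2: restart the affected domain controller
    Restart-Computer -Force
    return
}

# Step 3: force replication with all partners (substitute for 'Replicate Now' in
# the snap-in). /A = all partitions, /e = include partners in other sites, /q = quiet
repadmin /syncall /A /e /q | Out-Null

# Step 4: inspect replication status; repadmin reports the failing links with
# the text "Replication access was denied." (result 8453)
$report = repadmin /showreps
$denied = $report | Select-String -SimpleMatch 'access was denied'

if ($denied) {
    Write-Warning "Replication still reports access denied on these lines:"
    $denied | ForEach-Object { Write-Warning $_.Line }
    Write-Warning "Leaving the Kdc service disabled until replication succeeds."
    exit 1
}

# Steps 5-6: replication succeeded, return the KDC to Automatic and start it
Set-Service -Name 'Kdc' -StartupType Automatic
Start-Service -Name 'Kdc'
Write-Host "Replication succeeded; Kdc service set to Automatic and started."
```

Newer versions of repadmin document the status command as /showrepl but still accept /showreps. Leaving the KDC disabled when the access-denied text is still present is deliberate: re-enabling it before replication has succeeded would simply return the domain controller to issuing tickets built on a stale computer account password.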

MORE INFORMATION

Because every Windows 2000 domain controller is a Kerberos Key Distribution Center (KDC), domain controllers request Kerberos tickets from themselves. If a domain controller is not in synchronization with the rest of the domain, the computer account password (which is critical to the Kerberos ticket) for the domain controller may not be the same on the affected domain controller as it is on the other domain controllers in the domain. Disabling the Kerberos KDC service on the affected domain controller and then restarting the computer forces the domain controller to request Kerberos tickets from another KDC; those tickets are valid for authentication and allow replication to occur.

After replication has completed successfully, you can restart the local Kerberos KDC service on the domain controller.

You may also experience the behavior described in the Symptoms section of this article due to the absence of the "Everyone" group and "Authenticated Users" from the "Access this computer from the network" portion of the "Domain controller security policy". If this is the case, perform the following steps to resolve this behavior:
  1. Click Start, point to Programs, click Administrative Tools, and then click Active Directory Users and Computers.
  2. Right-click the Domain Controllers OU, and then click Properties.
  3. Click the Group Policy tab, click to highlight Domain Controller Security Policy, and then click Edit.
  4. Click the plus sign (+) to expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Security Policy, and then click to highlight User Rights Assignments.
  5. Click the Access This Computer From The Network policy, add the "Everyone" and "Authenticated Users" groups, and then close the snap-in.
  6. To refresh this policy, run the following command from the command line:

    secedit /refreshpolicy machine_policy /enforce
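The following script is an added example and is not part of the original article. It verifies on a current Windows Server domain controller whether "Access this computer from the network" (the SeNetworkLogonRight privilege in secedit's INF format) is granted to Everyone (SID S-1-1-0) and Authenticated Users (SID S-1-5-11), then refreshes computer policy. It assumes an elevated session on the domain controller; gpupdate is used in place of the Windows 2000 secedit /refreshpolicy command shown above, since later Windows versions replaced that command.

```powershell
# Added example, not from the KB article. Assumes an elevated session on a
# current Windows Server DC. Exports the effective user-rights assignments and
# checks SeNetworkLogonRight for Everyone and Authenticated Users.
$cfg = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported INF contains one line of the form (SIDs are prefixed with '*'):
#   SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-9,*S-1-5-32-544
$line = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
Remove-Item $cfg -ErrorAction SilentlyContinue

$granted = @()
if ($line) {
    $granted = ($line -split '=', 2)[1].Trim() -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') }
}

# Well-known SIDs for the two groups the article says must be present
$required = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users' }
$missing  = $required.Keys | Where-Object { $granted -notcontains $_ }

if ($missing) {
    foreach ($sid in $missing) {
        Write-Warning ("'{0}' ({1}) is not granted SeNetworkLogonRight" -f $required[$sid], $sid)
    }
    Write-Warning "Add the missing groups in the Domain Controller Security Policy (step 5), then refresh policy."
} else {
    Write-Host "SeNetworkLogonRight already grants Everyone and Authenticated Users."
}

# Step 6 on current Windows versions: refresh computer policy immediately
gpupdate /target:computer /force | Out-Null
```

Reading the exported INF rather than the GPO itself reports what is in effect on the domain controller after all policies are applied, which is what matters for the replication partner attempting the network logon. A domain controller that is missing the right in its effective policy is the condition the Symptoms section describes, even when the Domain Controller Security Policy has been edited but not yet refreshed.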


Modification Type: Minor
Last Reviewed: 1/27/2006
Keywords:kbenv kberrmsg kbprb KB297716