Active Directory Replication Troubleshooting Part 3 - Event ID 1265: Access Denied
In some situations Active Directory replication may fail with an "Access is denied" error, as in the event shown below:
Event ID 1265
The attempt to establish a replication link with parameters
Partition: DC=domain,DC=enterprise,DC=com
Source DSA DN: CN=NTDS Settings,CN=HubDC,CN=Servers,CN=HubSite,CN=Sites,CN=Configuration,DC=company,DC=com
Source DSA Address: 62d85225-76bf-4b46-b929-25a1bb295f51._msdcs.enterprise.com
Inter-site Transport (if any): CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=enterprise,DC=com
failed with the following status:
Access is denied.
The record data is the status code. This operation will be retried.
This error occurs when the local DC fails to authenticate to its replication partner, either when creating the replication link or when replicating over an existing one. AD replication is authenticated with Kerberos using the DCs' computer accounts, so this typically happens after the local DC has been disconnected from the rest of the network for a long time: its computer account password no longer matches the one stored in the replication partner's copy of Active Directory, and the Kerberos exchange between the two fails.
To recover from the error, carry out the following steps:
On the local DC :
· Stop the KDC service:
net stop KDC
If the KDC cannot be stopped, set its startup type to "Disabled" and reboot.
· Purge the Kerberos ticket cache:
krbtest /callpackage:purge:
Deleting tickets: (null)\(null)
If Kerbtest instead returns:
Deleting tickets: (null)\(null)
token failed: 0xc00000fe, 0x7803bbb0
then set the KDC service startup type to "Disabled", reboot the DC and re-run Kerbtest.
· Reset the computer account password against the PDC emulator by running, on the local DC (the KDC must still be stopped at this point; /passwordd:* prompts for the password):
netdom resetpwd /server:<PDC emulator name> /userd:<domain>\administrator /passwordd:*
On the replication partner:
Synchronize the domain naming context of the replication partner from the PDC emulator, so that the reset computer account password reaches the partner, by running on the replication partner:
repadmin /sync DC=domain,DC=enterprise,DC=com <hub_server> <GUID of the "NTDS Settings" object of the PDC emulator>
The GUID of the PDC emulator's "NTDS Settings" object is the value printed as "DSA object GUID" in the output of:
repadmin /showreps <name of the PDC emulator>
(/showreps is the older alias of /showrepl; both print the same header.)
If the replication partner of the local DC is not itself a replication partner of the PDC emulator, this command fails. In that case, create a replication link between the local DC's replication partner and the PDC emulator with:
repadmin /add <Domain NC> <Replication partner FQDN> <PDC Emulator FQDN> /u:<domain>\administrator /pw:*
For example:
repadmin /add DC=dom1,DC=company,DC=com HubDC.domain.enterprise.com PDC.domain.enterprise.com /u:dom1\administrator /pw:*
Creating this replication link automatically triggers replication of the domain naming context from the PDC emulator to the replication partner.
To verify that the problem is fixed, check the Directory Service event log on the local DC for the following event (a new 1265 after the reset means the password is still out of sync on the partner):
Event ID 1264:
A replication link for the partition CN=Configuration,DC=company,DC=com from server CN=NTDS Settings,CN=HUBDC,CN=Servers,CN=HubSite,CN=Sites,CN=Configuration,DC=company,DC=com has been added.
Once replication is working again, set the KDC service startup type back to "Automatic" and start it; a DC with its KDC left disabled cannot issue tickets to its clients.
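The procedure above, wrapped as a PowerShell script so each step checks its own result. This is an added example and not part of the original article; it assumes the ActiveDirectory module, netdom.exe and repadmin.exe are available on the DCs (RSAT / domain controller), and it uses the built-in klist purge (Windows 7 / Server 2008 R2 and later) in place of the krbtest tool the article uses. The function names are chosen here and are not Microsoft cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article). Run the first function on the
# local DC that logs event 1265, the second on its replication partner, then
# Test-ReplicationLinkRestored and Restore-Kdc back on the local DC.
Import-Module ActiveDirectory

# Steps on the LOCAL DC: stop the KDC, purge tickets, reset the machine password.
function Repair-LocalDcPassword {
    param(
        [Parameter(Mandatory)][string]$PdcEmulator,   # FQDN of the PDC emulator
        [Parameter(Mandatory)][string]$AdminAccount   # e.g. 'dom1\administrator'
    )
    # Stop the KDC so the DC stops using tickets it issued to itself. Disabling
    # it makes the stop stick across the reboot the article calls for if the
    # service hangs; Restore-Kdc re-enables it afterwards.
    Stop-Service -Name kdc -Force -ErrorAction Stop
    Set-Service -Name kdc -StartupType Disabled

    # Purge the Kerberos ticket cache (substitute for the article's krbtest call).
    & klist.exe purge | Out-Null

    # Reset the computer account password against the PDC emulator.
    # /passwordd:* prompts interactively for the admin password.
    & netdom.exe resetpwd /server:$PdcEmulator /userd:$AdminAccount /passwordd:*
    if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
}

# Steps on the REPLICATION PARTNER: pull the domain NC from the PDC emulator so
# the reset machine password is present when the local DC next authenticates.
function Sync-PartnerFromPdc {
    param(
        [Parameter(Mandatory)][string]$Partner,       # FQDN of the partner (e.g. HubDC)
        [Parameter(Mandatory)][string]$AdminAccount
    )
    $domain = Get-ADDomain
    $nc  = $domain.DistinguishedName                  # domain naming context
    $pdc = $domain.PDCEmulator                        # FQDN of the PDC emulator

    # The GUID repadmin /sync needs is the objectGUID of the PDC emulator's
    # "NTDS Settings" object (shown as "DSA object GUID" by repadmin /showrepl).
    $ntdsDn = (Get-ADDomainController -Identity $pdc).NTDSSettingsObjectDN
    $guid   = (Get-ADObject -Identity $ntdsDn).ObjectGUID

    & repadmin.exe /sync $nc $Partner $guid
    if ($LASTEXITCODE -ne 0) {
        # No existing link between partner and PDC emulator: add one, which
        # also triggers replication of the domain NC over the new link.
        & repadmin.exe /add $nc $Partner $pdc /u:$AdminAccount /pw:*
        if ($LASTEXITCODE -ne 0) { throw "repadmin /add failed with exit code $LASTEXITCODE" }
    }
}

# Verification on the LOCAL DC: the newest 1264/1265 event for the partition
# must be a 1264 ("replication link ... has been added").
function Test-ReplicationLinkRestored {
    param(
        [Parameter(Mandatory)][string]$Partition,     # e.g. 'DC=domain,DC=enterprise,DC=com'
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    $filter = @{ LogName = 'Directory Service'; Id = 1264, 1265; StartTime = $Since }
    $last = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Partition) } |
        Sort-Object TimeCreated | Select-Object -Last 1
    return ($null -ne $last -and $last.Id -eq 1264)
}

# Put the KDC back once replication works; a DC with the KDC disabled
# cannot issue tickets to its clients.
function Restore-Kdc {
    Set-Service -Name kdc -StartupType Automatic
    Start-Service -Name kdc
}
```

Usage follows the article's order: on the local DC, `Repair-LocalDcPassword -PdcEmulator PDC.domain.enterprise.com -AdminAccount 'dom1\administrator'`; on HubDC, `Sync-PartnerFromPdc -Partner HubDC.domain.enterprise.com -AdminAccount 'dom1\administrator'`; then back on the local DC, wait for the next replication attempt and run `Test-ReplicationLinkRestored -Partition 'DC=domain,DC=enterprise,DC=com'` before `Restore-Kdc`. If the test keeps returning $false with fresh 1265 events, the partner has not yet received the new password and the sync step needs to be repeated.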