Re: replication access denied
- From: M W <Matheesha@ugh!spam.gmail.company>
- Date: Wed, 20 Jun 2007 22:14:00 +0000 (UTC)
Hello kfchangmailcom@xxxxxxxxxxxxxxxxxxxxxxxxx,
You are going to have to read the document and the appendices ;-) Both are big and you will learn tons.
'DS-Replication-Manage-Topology' is an extended right which you can see in the Configuration naming context. Assuming your forest root domain is called dc=domain,dc=com then it looks something like CN=Extended-Rights,CN=Configuration,DC=DOMAIN,DC=COM. The displayname is Manage Replication Topology. This is the "English name" of the right that's granted.
You could do this through dsacls at the command line or using the GUI wizard too. For example the above right listed in 2 a. would be done as
dsacls "CN=Configuration,DC=Domain,DC=COM" /G "DOMAIN\ReplicationAdmins:CA;Manage Replication Topology"
Note that syntax is case sensitive. Especially the ldap displayname of extended-right.
Incidentally, I mentioned in the previous post that the perms are defined on the connection object. That's incorrect. It's actually defined on the objects as defined in that whitepaper. Some of these permissions will be inherited by objects such as connection objects.
Best thing to do would be to set up a little lab (like in a VM based environment) and play with it.
HTH
M@
Hi,
I've checked the setup for the credentials to pull the replication
from child DC to parent DC on the child DC that the Enterprise Admin.
of parent domain has been already delegated.
Second, I read the section titled "Implementing the Replication
Management Admins Role" but I don't understand how to do it.
Especially, I could not find the object called
'DS-Replication-Manage-Topology' in the parent DC. Please advise.
"MW" wrote:
On Jun 20, 7:52 am, k_f_c...@xxxxxxxxx
<kfchangmail...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,
I've set up the parent domain and the child domain correspondingly,
and I met the error of 'replication access denied' when I pressed
the 'replicate now' button on the child DC to replicate AD stuff
from child DC to parent DC, however, it doesn't happen when I do
the same thing on the parent DC.
--
Raymond
I believe it depends on the credentials you used to initiate the pull
replication. If you used the enterprise admin credentials, then I
wouldn't expect you to see that error. But assuming you were logged
on using the child domain's admin account and tried to pull updates
from the child to the parent you will get an access denied.
To initiate replication you need the relevant permissions defined on
the connection object. There are some control access rights that have
to be defined. The required permissions are defined in AD Delegation
best practices whitepaper and its appendices available here
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en.
Check the section titled "Implementing the Replication Management
Admins Role"
HTH
M@
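
The lookup and grant described in the reply at the top of this message, as an added PowerShell example that is not part of the original thread: it locates the DS-Replication-Manage-Topology object under CN=Extended-Rights, reads its display name, grants it with dsacls using the CA (control access) permission, and confirms the resulting ACE. DOMAIN\ReplicationAdmins is the placeholder group name from the post; the script assumes it runs in a lab under an account allowed to modify the ACL on the Configuration partition.

```powershell
# Added example, not from the original thread.
# Assumption: DOMAIN\ReplicationAdmins is a placeholder; substitute your own group.
$Trustee = 'DOMAIN\ReplicationAdmins'

# Resolve the Configuration naming context from RootDSE instead of hard-coding it.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = [string]$rootDse.configurationNamingContext

# Extended rights are controlAccessRight objects directly under CN=Extended-Rights.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = [ADSI]"LDAP://CN=Extended-Rights,$configNC"
$searcher.SearchScope = 'OneLevel'
$searcher.Filter      = '(&(objectClass=controlAccessRight)(cn=DS-Replication-Manage-Topology))'
[void]$searcher.PropertiesToLoad.AddRange([string[]]('cn', 'displayName', 'rightsGuid'))

$right = $searcher.FindOne()
if (-not $right) {
    throw "DS-Replication-Manage-Topology not found under CN=Extended-Rights,$configNC"
}

# Result property names are returned in lower case.
$displayName = [string]$right.Properties['displayname'][0]
$rightsGuid  = [string]$right.Properties['rightsguid'][0]
Write-Output "Found extended right '$displayName' (rightsGuid $rightsGuid)"

# Grant the control access right (CA) by its display name on the Configuration NC.
& dsacls.exe $configNC /G "${Trustee}:CA;$displayName"
if ($LASTEXITCODE -ne 0) {
    throw "dsacls grant failed with exit code $LASTEXITCODE"
}

# Verify: dump the ACL and keep only lines naming both the right and the trustee.
$aces = & dsacls.exe $configNC |
    Select-String -SimpleMatch $displayName |
    Where-Object { $_.Line -like "*$Trustee*" }

if (-not $aces) {
    throw "No ACE for $Trustee with '$displayName' found after the grant"
}
$aces | ForEach-Object { $_.Line.Trim() }
```

Reading the display name from the directory rather than typing it avoids the case and spelling mismatches the reply warns about.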