Re: replication access denied
- From: k_f_chan@xxxxxxxxx <kfchangmailcom@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 20 Jun 2007 21:51:00 -0700
Hi,
I've used the AD Sites and Services tool and Adsiedit.msc to check and add
the domain admins of child domain, but still got the error message and I
don't know what's the exact meaning for:
It shows 'The following error occurred during the attempt to synchronize
naming context Configuration from domain controller <source DC> to domain
controller <destination DC>. Replication access was denied'
Very strange, it happened on the child domain controller only instead of on
the parent domain controller (since both replication doing on the parent DC
is okay).
Second, both DCs also got the error from the event log that 'Source:NTDS
General'; 'Category:Global Catalog'; 'Event ID:1126'; 'User:SYSTEM', and to
describe AD was unable to establish connection with the global catalog.
Is anything wrong in the DNS settings? And are these errors related?
--
Raymond
"M W" wrote:
Hello kfchangmailcom@xxxxxxxxxxxxxxxxxxxxxxxxx,
Sorry, the command had a typo. It's
dsacls CN=Configuration,DC=Domain,DC=COM /G DOMAIN\ReplicationAdmins:CA;"Manage Replication Topology"
CA is used as we are granting a control access right (extended right). The
"Manage Replication Topology" is case sensitive and must be typed as is.
You can find the relevant value for each extended right by querying the displayname
attribute. I.e. CN=DS-Replication-Manage-Topology,CN=Extended-Rights,CN=Configuration,DC=<FOREST-ROOT>
has a displayname attribute of "Manage Replication Topology". We use quotes
in that command as there are spaces in the name.
HTH
M@
Hi,
I've checked the setup for the credentials to pull the replication
from child DC to parent DC on the child DC that the Enterprise Admin.
of parent domain has been already delegated.
Second, I read the section titled "Implementing the Replication
Management Admins Role" but I don't understand how to do it.
Especially, I could not find the object called
'DS-Replication-Manage-Topology' in the parent DC. Please advise.
"MW" wrote:
On Jun 20, 7:52 am, k_f_c...@xxxxxxxxx
<kfchangmail...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi,
I've set up the parent domain and the child domain correspondingly,
and I met the error of 'replication access denied' when I pressed
the 'replicate now' button on the child DC to replicate AD stuff
from child DC to parent DC, however, it doesn't happen when I do
the same thing on the parent DC.
--
Raymond
I believe it depends on the credentials you used to initiate the pull
replication. If you used the enterprise admin credentials, then I
wouldn't expect you to see that error. But assuming you were logged
on using the child domain's admin account and tried to pull updates
from the child to the parent you will get an access denied.
To initiate replication you need the relevant permissions defined on
the connection object. There are some control access rights that have
to be defined. The required permissions are defined in AD Delegation
best practices whitepaper and its appendices available here
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en.
Check the section titled "Implementing the Replication Management
Admins Role"
HTH
M@
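Added example, not part of the original thread: a read-only PowerShell audit that resolves the DS-Replication-* control access rights mentioned above to their display names and lists which trustees hold them on the head of the Configuration naming context. It assumes the ActiveDirectory module (RSAT) is installed and that it is run from a domain-joined machine with read access to the directory.

```powershell
# Added example: read-only check of replication control access rights.
# Assumption: ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext

# Each extended right is a controlAccessRight object under CN=Extended-Rights.
# Its rightsGuid is what appears in an ACE; displayName is what dsacls expects.
$rights = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(cn=DS-Replication-*))' `
    -Properties displayName, rightsGuid

# Index the rights by GUID so ACEs can be mapped back to a readable name.
$byGuid = @{}
foreach ($r in $rights) {
    $byGuid[[guid]$r.rightsGuid] = $r
}

# Show the cn -> displayName mapping (e.g. DS-Replication-Manage-Topology).
$rights | Sort-Object Name | Format-Table Name, displayName, rightsGuid -AutoSize

# Read the ACL on the Configuration naming context head.
$acl = Get-Acl -Path "AD:\$configNC"
$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Keep only Allow ACEs that grant one of the replication extended rights.
# Note: ACEs that grant ALL extended rights (empty ObjectType) or full
# control are not matched by this filter and should be reviewed separately.
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extendedRight) -and
        $byGuid.ContainsKey($_.ObjectType)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee     = $_.IdentityReference
            Right       = $byGuid[$_.ObjectType].Name
            DisplayName = $byGuid[$_.ObjectType].displayName
            Inherited   = $_.IsInherited
        }
    } |
    Sort-Object DisplayName, Trustee |
    Format-Table -AutoSize
```

If the account used to start the pull (or a group it belongs to) does not appear against the relevant right, that is consistent with the "Replication access was denied" error discussed in the thread.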