Re: dcdiag show access denied when run on the child dc




It is a permissions thing. In this case, nothing to worry about. If I'm not mistaken, an admin can only do that for the NCs in his own domain.

Admins in the forest root have permissions all over the place (through the Enterprise Admins group) and will not experience the problem.

If I'm not mistaken, you need the "Monitor Active Directory Replication" right to do that for a certain NC.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"study" <study@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:15F92C38-7DFE-42FD-B623-F4076A669160@xxxxxxxxxxxxxxxx
Hello
I have setup 2 2003 domains, one parent (DC is the domain controller) and
child (DC2 is the domain controller).
When dcdiag is run on the child domain's DC, there are numerous access
denied errors when it's testing the parent domain's dc but when run on the
parent domain's DC, I don't see those errors.
1. I'm assuming it's because the domain admin in the child domain who runs
dcdiag on the child domain's dc doesn't have necessary privileges for the
parent domain?
2. Between parent and child domains, what are they replicating with each
other if only the parent domain's DC is the GC? I thought the active
directory is replicated between the dcs in the same domain only...


C:\Program Files\Support Tools>dcdiag /a

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\DC
Starting test: Connectivity
......................... DC passed test Connectivity

Testing server: Default-First-Site-Name\DC2
Starting test: Connectivity
......................... DC2 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\DC
Starting test: Replications
[Replications Check,DC] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
Replication access was denied..
......................... DC failed test Replications
Starting test: NCSecDesc
......................... DC passed test NCSecDesc
Starting test: NetLogons
[DC] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... DC failed test NetLogons
Starting test: Advertising
......................... DC passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DC passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DC passed test RidManager
Starting test: MachineAccount
......................... DC passed test MachineAccount
Starting test: Services
Could not open Service Control Manager on [DC]:failed with 5: Access is denied.
......................... DC failed test Services
Starting test: ObjectsReplicated
......................... DC passed test ObjectsReplicated
Starting test: frssysvol
......................... DC failed test frssysvol
Starting test: frsevent
Error 5 opening FRS eventlog \\DC:File Replication Service:
Access is denied.
......................... DC failed test frsevent
Starting test: kccevent
Error 5 opening FRS eventlog \\DC:Directory Service:
Access is denied.
Failed to enumerate event log records, error Access is denied.
......................... DC failed test kccevent
Starting test: systemlog
Error 5 opening FRS eventlog \\DC:System:
Access is denied.
Failed to enumerate event log records, error Access is denied.
......................... DC failed test systemlog
Starting test: VerifyReferences
......................... DC passed test VerifyReferences

Testing server: Default-First-Site-Name\DC2
Starting test: Replications
......................... DC2 passed test Replications
Starting test: NCSecDesc
......................... DC2 passed test NCSecDesc
Starting test: NetLogons
......................... DC2 passed test NetLogons
Starting test: Advertising
......................... DC2 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... DC2 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... DC2 passed test RidManager
Starting test: MachineAccount
......................... DC2 passed test MachineAccount
Starting test: Services
......................... DC2 passed test Services
Starting test: ObjectsReplicated
......................... DC2 passed test ObjectsReplicated
Starting test: frssysvol
......................... DC2 passed test frssysvol
Starting test: frsevent
......................... DC2 passed test frsevent
Starting test: kccevent
......................... DC2 passed test kccevent
Starting test: systemlog
An Error Event occured. EventID: 0x00000010
Time Generated: 05/19/2008 08:27:23
(Event String could not be retrieved)
......................... DC2 failed test systemlog
Starting test: VerifyReferences
......................... DC2 passed test VerifyReferences
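
An added example, not part of the original posts: a small triage of dcdiag output that separates failed tests whose detail lines report an access or permission denial (the cross-domain rights issue discussed above) from failed tests that need a real look. The function name `triage`, the match patterns, and the condensed sample are assumptions made for this illustration.

```python
import re

# Constructed sample: a condensed excerpt of the dcdiag output quoted above,
# including one console-wrapped message ("Access is" / "denied.").
SAMPLE = """\
Testing server: Default-First-Site-Name\\DC
Starting test: Replications
[Replications Check,DC] DsReplicaGetInfoW(PENDING_OPS) failed with error 8453,
Replication access was denied..
......................... DC failed test Replications
Starting test: NCSecDesc
......................... DC passed test NCSecDesc
Starting test: Services
Could not open Service Control Manager on [DC]:failed with 5: Access is
denied.
......................... DC failed test Services
Starting test: frssysvol
......................... DC failed test frssysvol
Testing server: Default-First-Site-Name\\DC2
Starting test: systemlog
An Error Event occured. EventID: 0x00000010
......................... DC2 failed test systemlog
"""

# Assumed wording for permission failures, taken from the messages on this page.
DENIED = re.compile(r"access (?:is|was) denied|does not have permission", re.I)
# Result line: dots, then "<server> passed|failed test <name>".
RESULT = re.compile(r"^\.+\s+(\S+) (passed|failed) test (\S+)")

def triage(text):
    """Map each failed (server, test) to 'permission' or 'investigate'."""
    findings, detail = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Starting test:"):
            detail = []          # detail lines belong to the test that follows
            continue
        m = RESULT.match(line)
        if not m:
            detail.append(line)  # message line for the current test
            continue
        server, outcome, test = m.groups()
        if outcome == "failed":
            # Join lines so a message wrapped by the console still matches.
            denied = DENIED.search(" ".join(detail))
            findings[(server, test)] = "permission" if denied else "investigate"
        detail = []
    return findings
```

A failed test with no denial text in its detail, such as frssysvol on DC or systemlog on DC2 in the sample, is deliberately left as `investigate` rather than assumed to be a rights issue.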


