"Replication Access was denied" error message when attempting to synchronize domain controllers

When you use the Active Directory Sites and Services snap-in from a child domain to force replication from a parent domain or another child domain at the same level, you may receive the following error message:

By default, administrators of child domains can only force replication within their own domain. Administrative permissions do not flow down; they need to be assigned. When a child domain is created, the Enterprise Admin global group is added to the built-in Administrators group of the child domain. This allows the administrator of the parent domain to administer and force replication from either the parent domain or the child domain. Administrators of child domains can only force replication within their own domain unless they are granted administrative permissions over the parent domain or another child domain.

To resolve this issue, give the administrator in the child domain permissions to the parent and/or child domain from which you want to force replication.

Note The following steps use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in from the domain on which you want to grant administrative permissions.

1. Expand the domain.com node within the snap-in.
2. Click the Built-in folder.
3. On the right-hand pane of the snap-in, right-click the Administrators group, and then click Properties.
4. On the Members tab, click Add.
5. In the Select Users, Contacts, Computers, or Groups dialog box, in the Look in box, click the domain that contains the administrator to whom you want to grant permissions.
6. Click the Administrator account, click Add, and then click OK.

Repeat these steps for each domain that you want to assign administrative permissions to.

This behavior is by design.

Keep in mind that parent domains are able to manage all of their child domains but you need to perform the steps described in this article for any child domains that want to manage the parent domain or other child domains on the same level.