"Replication Access Was Denied" Error Messages Occur After You Promote a Server to Domain Controller

After you promote a Windows 2000 Server computer to act as a domain controller, you may experience the following issues:

• The computer account for the new domain controller does appear in the Domain Controllers container when you open that container from another domain controller. However, it may be listed in the Domain Controllers container when you viewed it using its own Active Directory Users and Computers snap-in.
• When you right-click My Computer, click Properties, and then click the Network Identification tab, the following text is not displayed:
  Note: The identification of the computer cannot be changed because:
  - The computer is a domain controller.
• If you run the Repadmin.exe utility (that is available in the Windows 2000 Support Tools) with the /showreps switch, you receive the following output:

  ==== INBOUND NEIGHBORS ======================================
  
  CN=Schema,CN=Configuration,DC=example,DC=com
  
     Site-Name\Server1 via RPC
  
         objectGuid: 0d519219-b957-4a80-9d39-ec4d51e2181e
  
         Last attempt @ <date> <time> failed, result 8453:
  
             Replication access was denied.
  
         Last success @ <date> <time>.
  
         63 consecutive failure(s).
  
  
  CN=Configuration,DC=example,DC=com
  
     Site-Name\Server1 via RPC
  
         objectGuid: 0d519219-b957-4a80-9d39-ec4d51e2181e
  
         Last attempt @ <date> <time> failed, result 8453:
  
             Replication access was denied.
  
         Last success @ <date> <time>.
  
         64 consecutive failure(s).
  
  DC=example,DC=com
  
     Site-Name\Server1 via RPC
  
         objectGuid: 0d519219-b957-4a80-9d39-ec4d51e2181e
  
         Last attempt @ <date> <time> failed, result 8453:
  
             Replication access was denied.
  
         Last success @ <date> <time>.
  
         64 consecutive failure(s).
  						

• If you run the Active Directory Replication Monitor utility (Replmon.exe) (that is available in the Windows 2000 Support Tools), you receive the following output:

  Domain Controller Name:      Server2
  
     Directory Partition:      CN=Schema,CN=Configuration,DC=example,DC=com
  
     Replication Partner:      Site-Name\Server1
  
     Failure Code:             8453
  
     Failure Reason:           Replication access was denied.
  
  
  
  Domain Controller Name:      Server2
  
     Directory Partition:      CN=Configuration,DC=example,DC=com
  
     Replication Partner:      Site-Name\Server1
  
     Failure Code:             8453
  
     Failure Reason:           Replication access was denied.
  
  
  
  Domain Controller Name:      Server2
  
     Directory Partition:      DC=mvlp,DC=local
  
     Replication Partner:      Site-Name\Server1
  
     Failure Code:             8453
  
     Failure Reason:           Replication access was denied.
  						

• If you run the DCdiag.exe utility (that is available in the Windows 2000 Support Tools), you receive a "Replication access was denied" message.
• If you run the Netdiag.exe utility, you receive the following output:

  Trust relationship test. . . . . . : Failed
  
    Test to ensure DomainSid of domain 'EXAMPLE' is correct.
  
    [FATAL] Secure channel to domain 'EXAMPLE' is broken. 
  [ERROR_NO_TRUST_SAM_ACCOUNT]
  						

These issues may occur if the computer account is not updated correctly during the domain controller promotion procedure (Dcpromo).

To resolve this issue, follow these steps.

Step 1: Move the Computer Account to the Domain Controllers Container

1. On a domain controller that is in the "healthy" part of the domain (not the domain controller with which you experience the issue), start the Active Directory Users and Computers snap-in.
2. Expand the domain container, and then click the container in which the computer account with which you experience the issue appears.
3. Right-click the computer account, and then click Move.
4. In the Container to move object to list, click Domain Controllers, and then click OK.
5. Click the Domain Controllers container to verify that the computer object is displayed.
6. Quit the Active Directory Computers and Users snap-in.

Step 2: Verify the userAccountControl Property

WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

1. On a domain controller that is in the "healthy" part of the domain (not the domain controller with which you experience the issue), install the Windows 2000 Support Tools if they have not already been installed. For additional information about how to install the Windows 2000 Support Tools, click the article number below to view the article in the Microsoft Knowledge Base:
   301423  (http://support.microsoft.com/kb/301423/EN-US/ ) How to Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer
2. Start the ADSI Edit snap-in. To do so, click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
3. Expand Domain NC [server.example.com] (where server is the name of the domain controller and example.com is the name of the domain.
4. Expand DC=example,DC=com.
5. Expand OU=Domain Controllers, right-click CN=ServerName (where ServerName is the domain controller with which you experience the issues that are described in the "Symptoms" section of this article), and then click Properties.
6. Click the Attributes tab (if it is not already selected).
7. In the Select which properties to view list, click Both, and then click userAccountControl in the Select a property to view list.
8. If the Value(s) box does not contain 532480, type 532480 in the Edit Attribute box, and then click Set.
9. Click Apply, click OK, and then quit the ADSI Edit snap-in.

Step 3: Reset the Secure Channel Password

1. On the domain controller with which you experience the issue, install the Windows 2000 Support Tools if they have not already been installed.
2. Click Start, click Run, type cmd, and then click OK.
3. Change to the folder that contains the Nltest.exe utility. By default, this folder is C:\Program Files\Support Tools.
4. Run the following command, where example.com is the name of your domain:
   nltest /sc_change_pwd:example.com
5. Quit the command prompt, and then restart the server.

For additional information about related topics, click the following article numbers to view the articles in the Microsoft Knowledge Base: