How to troubleshoot Active Directory replication error 5 "Access is denied" in Windows Server

This article describes the symptoms, cause, and resolution of situations in which Active Directory replication fails with error 5: Access is denied.

Symptoms

You may encounter one or more of the following symptoms when Active Directory replications fail with error 5.

Symptom 1

The Dcdiag.exe command-line tool reports that the Active Directory replication test fails with error status code (5). The report resembles the following:

Testing server: Site_Name\Destination_DC_Name
Starting test: Replications
* Replications Check
[Replications Check,Destination_DC_Name] A recent replication attempt failed:
From Source_DC to Destination_DC
Naming Context: Directory_Partition_DN_Path
The replication generated an error (5):
Access is denied.
The failure occurred at DateTime.
The last success occurred at DateTime.
Number failures have occurred since the last success.

Symptom 2

When you run the DCDIAG /test:CheckSecurityError command, the Dcdiag.exe command-line tool reports that the DsBindWithSpnEx function fails with error 5.

Symptom 3

The REPADMIN.exe command-line tool reports that the last replication attempt failed with status 5.

The REPADMIN commands that frequently cite the 5 status include but are not limited to the following:
  • REPADMIN /KCC
  • REPADMIN /REPLICATE
  • REPADMIN /REPLSUM
  • REPADMIN /SHOWREPL
  • REPADMIN /SHOWREPS
  • REPADMIN /SYNCALL
Sample output from the REPADMIN /SHOWREPL command follows. This output shows incoming replication from DC_2_Name to DC_1_Name failing with the "Access is denied" error.

Site_Name\DC_1_Name
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: GUID
DSA invocationID: invocationID

==== INBOUND NEIGHBORS======================================
DC=DomainName,DC=com
Site_Name\DC_2_Name via RPC
DSA object GUID: GUID
Last attempt @ DateTime failed, result 5(0x5):
Access is denied.
<#> consecutive failure(s).
Last success @ DateTime.

Symptom 4

NTDS KCC, NTDS General, or Microsoft-Windows-ActiveDirectory_DomainService events with the 5 status are logged in the Directory Service log in Event Viewer.

The following table summarizes Active Directory events that frequently cite the 5 status.

Event ID | Source       | Event string
1655     | NTDS General | Active Directory tried to communicate with the following global catalog and the attempts were unsuccessful.
1925     | NTDS KCC     | The attempt to establish a replication link for the following writable directory partition failed.
1926     | NTDS KCC     | The attempt to establish a replication link to a read-only directory partition with the following parameters failed.

Symptom 5

When you right-click the connection object from a source domain controller in Active Directory Sites and Services and then select Replicate Now, the process fails, and you receive the following error:

Replicate Now

The following error occurred during the attempt to synchronize naming context %directory partition name% from Domain Controller Source DC to Domain Controller Destination DC:
Access is denied.

The operation will not continue.

[Screen shot of the Replicate Now error dialog; its text is shown above.]


Workaround

Use the generic DCDIAG command-line tool to run multiple tests. Run DCDIAG /TEST:CheckSecurityError to perform the security-specific tests, which include an SPN registration check. This test is not part of the default DCDIAG run and must be named explicitly. Use these tests to troubleshoot Active Directory replication that fails with error 5 or error 8453.

To work around this issue, follow these steps:
  1. At a command prompt on the destination domain controller, run DCDIAG.
  2. Run DCDIAG /TEST:CheckSecurityError.
  3. Run NETDIAG. (NETDIAG is part of the Windows 2000 Server and Windows Server 2003 Support Tools and is not available on Windows Server 2008 or later.)
  4. Resolve any faults that DCDIAG and NETDIAG identify.
  5. Retry the previously failing replication operation.
If replication continues to fail, see the "Causes and solutions" section.
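The following PowerShell script is an added example, not part of the original article. It runs the workaround steps above on the destination domain controller and filters the DCDIAG, REPADMIN and Directory Service event log output for the status 5 results, so that the evidence for each symptom lands in one folder. It assumes an elevated prompt on the destination DC as a domain administrator; the DC names are hypothetical, and dcdiag.exe, repadmin.exe (and netdiag.exe on Windows Server 2003) are on the path.

```powershell
# Added example (not from the original KB article): collect the workaround diagnostics on the
# destination DC and pull out the "Access is denied" (5) results.
# Assumptions: elevated PowerShell on the destination DC as a domain admin; $SourceDC is a
# hypothetical partner name; dcdiag.exe / repadmin.exe (and netdiag.exe on 2003) are on the path.
param(
    [string]$DestDC   = $env:COMPUTERNAME,
    [string]$SourceDC = 'DC02',                        # hypothetical inbound replication partner
    [string]$OutDir   = "$env:TEMP\ad-repl-error5"
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1: generic DCDIAG run. /v keeps the per-test detail, /f writes the report to a file.
dcdiag /s:$DestDC /v /f:"$OutDir\dcdiag.txt" | Out-Null

# Step 2: CheckSecurityError is not in the default test set and has to be named explicitly.
# /ReplSource aims the Kerberos, SPN and time checks at the partner whose replication fails.
dcdiag /s:$DestDC /test:CheckSecurityError /ReplSource:$SourceDC /v /f:"$OutDir\dcdiag-security.txt" | Out-Null

# Step 3: NETDIAG exists only in the Windows 2000/2003 Support Tools; skip it where absent.
if (Get-Command netdiag.exe -ErrorAction SilentlyContinue) {
    netdiag /v | Out-File "$OutDir\netdiag.txt"
}

# Symptom 3 in structured form: /csv replaces the free-text output with one row per partner.
$repl = repadmin /showrepl $DestDC /csv | ConvertFrom-Csv
$accessDenied = $repl | Where-Object { [int]$_.'Last Failure Status' -in 5, 8453 }
$accessDenied |
    Select-Object 'Source DSA', 'Naming Context', 'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
    Format-Table -AutoSize

# Symptom 4: the KCC/General events from the table above that carry the status 5 text.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1655, 1925, 1926 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Access is denied' } |
    Select-Object TimeCreated, Id, ProviderName |
    Format-Table -AutoSize

# Symptoms 1 and 2: the lines in both DCDIAG reports that name the failure.
Select-String -Path "$OutDir\dcdiag*.txt" -Pattern 'error \(5\)|Access is denied|DsBindWithSpnEx' |
    Select-Object Filename, LineNumber, Line
```

The REPADMIN filter also keeps status 8453 rows, because the same partners often alternate between the two "access denied" results; the "More Information" section explains how the two differ.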


Causes and solutions

The following causes may result in error 5. Some of them have solutions.

Cause 1: The RestrictRemoteClients setting in the registry has a value of 2
Cause 2: The CrashOnAuditFail setting in the registry of the destination domain controller has a value of 2
Cause 3: Invalid trust
Cause 4: Excessive time skew
Cause 5: There is an invalid secure channel or password mismatch on the source or destination domain controller
Cause 6: The "Access this computer from the network" user right is not granted to the user who triggers replication
Cause 7: There is an SMB signing mismatch between the source and destination domain controllers
Cause 8: UDP-formatted Kerberos packet fragmentation
Cause 9: Network adapters have the Large Send Offload feature enabled
Cause 10: Invalid Kerberos realm
Cause 11: There is a LAN Manager Compatibility (LM Compatibility) mismatch between the source and destination domain controllers
Cause 12: Service principal names are either not registered or not present because of simple replication latency or a replication failure
Cause 13: Antivirus software uses a mini-firewall network adapter filter driver on the source or destination domain controller
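The following PowerShell script is an added example, not part of the original article. It reads the settings behind the configuration-side causes above (1, 2, 7, 8, 9, 11 and 12) from both replication partners and measures the clock offset for Cause 4, then reports which cause each out-of-range value points to. The trust, secure channel, user right, Kerberos realm and antivirus causes (3, 5, 6, 10, 13) still have to be checked by hand. It assumes an elevated prompt on the destination DC as a domain administrator, PowerShell remoting (WinRM) enabled on both DCs, hypothetical DC names, setspn.exe present (built in on Windows Server 2008 and later), and Windows Server 2012 or later for Get-NetAdapterAdvancedProperty, which is skipped silently elsewhere.

```powershell
# Added example (not from the original KB article): audit both replication partners for the
# configuration-side causes of error 5 (Causes 1, 2, 4, 7, 8, 9, 11, 12).
# Assumptions: elevated prompt on the destination DC as a domain admin; WinRM enabled on both
# DCs; hypothetical DC names; setspn.exe present; Get-NetAdapterAdvancedProperty on 2012+ only.
param(
    [string]$SourceDC = 'DC02.contoso.com',   # hypothetical source (inbound partner)
    [string]$DestDC   = 'DC01.contoso.com'    # hypothetical destination (this DC)
)

function Get-Err5Settings {
    # Runs on each DC through Invoke-Command and returns raw values; the caller judges them.
    function Get-RegValue ($Path, $Name) {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [pscustomobject]@{
        Computer              = $env:COMPUTERNAME
        OsMajor               = [Environment]::OSVersion.Version.Major
        RestrictRemoteClients = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc' 'RestrictRemoteClients'
        CrashOnAuditFail      = Get-RegValue $lsa 'CrashOnAuditFail'
        LmCompatibilityLevel  = Get-RegValue $lsa 'LmCompatibilityLevel'
        KerberosMaxPacketSize = Get-RegValue "$lsa\Kerberos\Parameters" 'MaxPacketSize'   # 1 forces Kerberos over TCP
        SmbServerRequireSign  = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'RequireSecuritySignature'
        SmbClientEnableSign   = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'EnableSecuritySignature'
        LsoEnabledAdapters    = @(Get-NetAdapterAdvancedProperty -RegistryKeyword '*LsoV2IPv4', '*LsoV2IPv6' -ErrorAction SilentlyContinue |
                                  Where-Object { "$($_.RegistryValue)" -eq '1' } |
                                  ForEach-Object { "$($_.Name) $($_.RegistryKeyword)" })
        # The directory replication SPN class is the well-known GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2.
        ReplicationSpns       = @(setspn -L $env:COMPUTERNAME | Where-Object { $_ -match 'E3514235-4B06-11D1-AB04-00C04FC2DCD2/' })
    }
}

$settings = Invoke-Command -ComputerName $SourceDC, $DestDC -ScriptBlock ${function:Get-Err5Settings}
$src = $settings | Where-Object PSComputerName -eq $SourceDC
$dst = $settings | Where-Object PSComputerName -eq $DestDC
$settings | Format-List Computer, RestrictRemoteClients, CrashOnAuditFail, LmCompatibilityLevel,
                        KerberosMaxPacketSize, SmbServerRequireSign, SmbClientEnableSign, LsoEnabledAdapters, ReplicationSpns

$findings = @()
foreach ($s in $settings) {
    if ($s.RestrictRemoteClients -eq 2) { $findings += "$($s.Computer): RestrictRemoteClients=2 (Cause 1)" }
    if ($s.CrashOnAuditFail -eq 2)      { $findings += "$($s.Computer): CrashOnAuditFail=2, the DC has locked itself down after an audit failure (Cause 2)" }
    if ($s.LsoEnabledAdapters.Count)    { $findings += "$($s.Computer): Large Send Offload enabled on $($s.LsoEnabledAdapters -join ', ') (Cause 9)" }
    if ($s.ReplicationSpns.Count -eq 0) { $findings += "$($s.Computer): no E3514235-... replication SPN registered on the computer account (Cause 12)" }
    # Windows Server 2008 and later use TCP for Kerberos by default; the UDP fragmentation cause applies to 2003 and earlier.
    if ($s.OsMajor -lt 6 -and $s.KerberosMaxPacketSize -ne 1) { $findings += "$($s.Computer): Kerberos MaxPacketSize is not 1, UDP fragmentation possible (Cause 8)" }
}
if ($src -and $dst) {
    if ($src.LmCompatibilityLevel -ne $dst.LmCompatibilityLevel) {
        $findings += "LmCompatibilityLevel differs: $SourceDC=$($src.LmCompatibilityLevel), $DestDC=$($dst.LmCompatibilityLevel) (Cause 11)"
    }
    if (($src.SmbServerRequireSign -eq 1 -and $dst.SmbClientEnableSign -eq 0) -or
        ($dst.SmbServerRequireSign -eq 1 -and $src.SmbClientEnableSign -eq 0)) {
        $findings += "SMB signing is required by one DC but disabled on the other's client side (Cause 7)"
    }
}

# Cause 4: offset of this DC's clock from the source. Kerberos tolerates 5 minutes by default.
$offsets = w32tm /stripchart /computer:$SourceDC /samples:3 /dataonly |
           ForEach-Object { if ($_ -match ',\s*([+-]?\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) } }
$skew = ($offsets | Measure-Object -Maximum).Maximum
if ($skew -gt 300) { $findings += "Clock skew of $skew s against $SourceDC exceeds the 5-minute Kerberos tolerance (Cause 4)" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host "No configuration-side cause found; check Causes 3, 5, 6, 10 and 13 manually." }
```

The script only reports; it changes nothing. Treat a CrashOnAuditFail value of 2 with care, because the DC set it itself after failing to write the Security log, and clearing it without archiving that log loses the audit trail that explains the lockdown.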

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

Active Directory operations such as those described in the "Symptoms" section can also fail with error 8453, which carries the following, similar error string:
Replication access was denied.

The following situations can cause Active Directory operations to fail with error 8453. However, these situations do not cause failures with error 5.
  • Naming context (NC) head is not permissioned with the Replicating Directory Changes permission.
  • The security principal starting replication is not a member of a group that is granted the Replicating Directory Changes permission.
  • Flags are missing in the UserAccountControl attribute. These include the SERVER_TRUST_ACCOUNT flag and the TRUSTED_FOR_DELEGATION flag.
  • The read-only domain controller (RODC) is joined in the domain without the ADPREP /RODCPREP command running first.

Sample output from DCDIAG /TEST:CheckSecurityError


Properties

Article ID: 3073945 - Last Review: Aug 20, 2015 - Revision: 1

Applies to: Windows Server 2012 R2 Standard, Windows Server 2012 Standard, Windows Server 2008 R2 Standard, Windows Server 2008 Standard, Microsoft Windows Server 2003 R2 Standard x64 Edition, Microsoft Windows Server 2003 R2 Standard Edition (32-bit x86), Microsoft Windows Server 2003, Standard x64 Edition, Microsoft Windows Server 2003, Standard Edition (32-bit x86), Microsoft Windows 2000 Server
