Discussion:
replication access denied
k_f_chan@gmail.com
2007-06-20 06:52:01 UTC
Hi,

I've set up the parent domain and the child domain correspondingly, and I met
the error of 'replication access denied' when I pressed the 'replicate now'
button on the child DC to replicate AD stuff from child DC to parent DC;
however, it doesn't happen when I do the same thing on the parent DC.
--
Raymond
MW
2007-06-20 08:52:18 UTC
I believe it depends on the credentials you used to initiate the pull
replication. If you used the enterprise admin credentials, then I
wouldn't expect you to see that error. But assuming you were logged on
using the child domain's admin account and tried to pull updates from
the child to the parent, you will get an access denied.

To initiate replication you need the relevant permissions defined on
the connection object. There are some control access rights that have
to be defined. The required permissions are defined in AD Delegation
best practices whitepaper and its appendices available here
http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en.
Check the section titled "Implementing the Replication Management
Admins Role"

HTH

M@
k_f_chan@gmail.com
2007-06-20 17:48:00 UTC
Hi,

I've checked the setup for the credentials to pull the replication from
child DC to parent DC on the child DC, to which the Enterprise Admin of the parent
domain has already been delegated.

Second, I read the section titled "Implementing the Replication Management
Admins Role" but I don't understand how to do it. Especially, I could not
find the object called 'DS-Replication-Manage-Topology' in the parent DC.
Please advise.
--
Raymond
M W
2007-06-20 22:14:00 UTC
Hello ***@discussions.microsoft.com,

You are going to have to read the document and the appendices ;-) Both are
big and you will learn tons.

'DS-Replication-Manage-Topology' is an extended right which you can see in
the Configuration naming context. Assuming your forest root domain is called
dc=domain,dc=com then it looks something like CN=Extended-Rights,CN=Configuration,DC=DOMAIN,DC=COM.
The displayName is Manage Replication Topology. This is the "English name"
of the right that's granted.

You could do this through dsacls at the command line or using the GUI wizard
too. For example the above right listed in 2 a. would be done as

dsacls CN=Configuration,DC=Domain,DC=COM /G DOMAIN\ReplicationAdmins:"Manage Replication Topology"

Note that syntax is case sensitive. Especially the ldap displayname of extended-right.


Incidentally, I mentioned in the previous post that the perms are defined
on the connection object. That's incorrect. They are actually defined on the objects
as defined in that whitepaper. Some of these permissions will be inherited
by objects such as connection objects.

Best thing to do would be to set up a little lab (like in a VM based environment)
and play with it.

HTH
M W
2007-06-20 22:22:28 UTC
Hello ***@discussions.microsoft.com,

Sorry, the command had a typo. It's

dsacls CN=Configuration,DC=Domain,DC=COM /G DOMAIN\ReplicationAdmins:CA;"Manage Replication Topology"

CA is used as we are granting a control access right (extended right). The
"Manage Replication Topology" is case sensitive and must be typed as is.
You can find the relevant value for each extended right by querying the displayName
attribute. I.e. CN=DS-Replication-Manage-Topology,CN=Extended-Rights,CN=Configuration,DC=<FOREST-ROOT>
has a displayName attribute of "Manage Replication Topology". We use quotes
in that command as there are spaces in the name.

HTH
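The two replies above explain where an extended right lives (a controlAccessRight object under CN=Extended-Rights in the Configuration naming context), that dsacls wants its displayName verbatim after the CA; prefix, and that the resulting permission is inherited by objects such as connection objects. The PowerShell below is an added example, not code from this thread or from Microsoft's whitepaper: it looks the right up by CN, builds the dsacls command line in the exact form shown in the thread without running it, and then reads the ACL of the Configuration NC to report which principals already hold that control access right, inherited or not, which is the check an administrator would want before and after the grant. It assumes a domain-joined Windows host with the System.DirectoryServices assembly, an account that can read the Configuration NC, and uses the thread's placeholder group name DOMAIN\ReplicationAdmins.

```powershell
# Added example (not from the thread). Assumes a domain-joined host and an account
# that can read the Configuration NC. DOMAIN\ReplicationAdmins is a placeholder.

$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = [string]$rootDse.configurationNamingContext   # e.g. CN=Configuration,DC=domain,DC=com

# Find a controlAccessRight under CN=Extended-Rights by its CN and return the
# displayName dsacls expects (case matters) plus the rightsGuid that appears in ACEs.
function Get-ExtendedRight {
    param([Parameter(Mandatory)][string]$Cn)   # e.g. DS-Replication-Manage-Topology
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNc"
    $searcher.Filter = "(&(objectClass=controlAccessRight)(cn=$Cn))"
    [void]$searcher.PropertiesToLoad.AddRange(@('displayName', 'rightsGuid'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Extended right '$Cn' not found under CN=Extended-Rights,$configNc" }
    [pscustomobject]@{
        Cn          = $Cn
        DisplayName = [string]$result.Properties['displayname'][0]
        RightsGuid  = [guid]$result.Properties['rightsguid'][0]
    }
}

# Report every Allow ACE on an object that grants the given extended right.
# An ACE whose ObjectType is the empty GUID grants *all* extended rights, so it
# is reported as well; IsInherited shows whether the ACE came down from a parent.
function Get-ExtendedRightHolders {
    param(
        [Parameter(Mandatory)][string]$ObjectDn,
        [Parameter(Mandatory)][guid]$RightsGuid
    )
    $entry = [ADSI]"LDAP://$ObjectDn"
    $rules = $entry.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $rules) {
        $isExtended  = ([int]$ace.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        $guidMatches = ($ace.ObjectType -eq $RightsGuid) -or ($ace.ObjectType -eq [guid]::Empty)
        if ($isExtended -and $guidMatches -and $ace.AccessControlType -eq 'Allow') {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Scope     = if ($ace.ObjectType -eq [guid]::Empty) { 'All extended rights' } else { 'This right only' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

$right = Get-ExtendedRight -Cn 'DS-Replication-Manage-Topology'
"Extended right $($right.Cn): displayName='$($right.DisplayName)' rightsGuid=$($right.RightsGuid)"

# The grant in the thread's own syntax: CA = control access (extended) right, and the
# displayName is passed verbatim and quoted because it contains spaces. Only printed here.
$grantCommand = "dsacls `"$configNc`" /G `"DOMAIN\ReplicationAdmins:CA;$($right.DisplayName)`""
"To grant: $grantCommand"

# Who can already manage replication topology on the Configuration NC?
Get-ExtendedRightHolders -ObjectDn $configNc -RightsGuid $right.RightsGuid | Format-Table -AutoSize
```

Run the audit function once before the dsacls grant and once after; the new ACE for DOMAIN\ReplicationAdmins should appear with Inherited = False on CN=Configuration, and running the same function against a connection object's DN (under CN=Sites) shows the same ACE arriving with Inherited = True, which is the inheritance the second reply refers to.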
k_f_chan@gmail.com
2007-06-21 04:51:00 UTC
Hi,

I've used the AD Sites and Services tool and Adsiedit.msc to check and add
the domain admins of child domain, but still got the error message and I
don't know what's the exact meaning for:

It shows 'The following error occurred during the attempt to synchronize
naming context Configuration from domain controller <source DC> to domain
controller <destination DC>. Replication access was denied'

Very strange, it happened on the child domain controller only instead of on
the parent domain controller (since both replication doing on the parent DC
is okay).

Second, both DCs also got the error from the event log that 'Source:NTDS
General'; 'Category:Global Catalog'; 'Event ID:1126'; 'User:SYSTEM', and the
description says AD was unable to establish a connection with the global catalog.

Is there anything wrong in the DNS settings? And are these errors related?
--
Raymond