Wednesday, July 2, 2008

Replication is not working receiving “Access Denied”

One of our domain controllers in our DMZ start not replication and we start getting "Access Denied" message on the problem domain controller. After increasing the diagnostic login on the problem domain controller with following key, we found out the problem and the quick fix.

  • CurrentControlSet
  • Services
  • NTDS
  • Diagnostics.

We identified the NTP source was statically defined on the problem domain controller. To see the NTP setting issue following command from CMD,

  • net time /querysntp

Kerberos security is essentially dependent upon all computers being sync-- five minutes by default in an Active Directory domain. This is not only true/valid for the user authentication but also true for AD replication service. This was the initial problem we had, the problem DC was behind 7 minutes to the PDC, and it was configured to sync with external time source, for unknown reason. (I did not do it, believe me). To see the current setting we issues following command from CMD

  • net time /querysntp
  • net time /setsntp:server,server,etc

Issuing net time /setsntp and empty no server name, reset the problem DC time to begin to sync with PDC, and after rebooting the problems DC, deleting all replication objects and clicking on "Check Replication topology" re-establish the connections and replication start happening.

Well, I lost a lunch to Paul Yu (Microsoft) for troubleshooting the problem, and LaRosa, Enrique. I also have to admit having Jason Weaver around is feels like to have insurance, since one would never know when the deathly accident would occurs.


Oz ozugurlu

MVP (Exchange)


MCSE 2003, M+, S+, MCDST

Security+, Project +, Server +


No comments: