access denied during replication

[Mike]

Hello,

I am working on a project to install Win2003 Server on a few Win2000
advanced servers, and has required me to begin to take my primary
Win2000 server out of the mix slowly.

After demoting a Win2000 DC in an environment with now 2 AD DCs
remaining replication doesn't occur between those 2 any longer. I
cannot force it, and get a consistent error of "Access is Denied".
Using ntdsutil I can see that DC2 and DC3 think they are the schema
master and domain naming master. This is what has led me to try to
force replication. I have tried turning the KDC service off on one of
the servers, but that did not help.

I must have had some permissions problem when demoting DC1 and this
may have not propogated the demotion to all DCs properly. I was logged
on as 'me' an admin account, but missing schema rights I believe
(now). The administrator account has been altered (by employees before
me that left in a bad way), and therefore I suspect that possibly it
is not correct either.

Any tips or information would be greatly appreciated.

Thanks

mike

 

[Tim Hines [MSFT]]

The following links should help
http://www.microsoft.com/technet/pr...de/part1/adogd12.mspx#XSLTsection124121120120
http://www.microsoft.com/technet/pr...addeploy/addch11.mspx#XSLTsection125121120120

--
--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Mike]

I have worked down various paths over the weekend and today tried
following the instructions contained in those links, but consistantly
get stuck with an error of:

repadmin /add bbdomain bbbackup.bbdomain.bootbarn.com
bbpostal.bbdomain.bootbarn.com /u:bbdomain\administrator /pw:*
DsReplicaAdd failed with status 8440 (0x20f8):
The naming context specified for this replication operation is
invalid.

Is there a simple syntax wrong here or something else that should jump
out at me in order to continue?

Thanks

 

[Mike]

hello,

When I try to run the repadmin /add I get the following error. Any thoughts?

repadmin /add bbdomain bbbackup.bbdomain.bootb
arn.com bbpostal.bbdomain.bootbarn.com /u:bbdomain\administrator /pw:novation
DsReplicaAdd failed with status 8440 (0x20f8):
The naming context specified for this replication operation is invalid.

Thanks

 

[Mike]

Tim,

When I run the /sync command, in the directions, I get the following
error, which is consistent.

C:\>repadmin /sync DC=bbdomain,DC=bootbarn,DC=com bbbackup
(***GUID***)
DsReplicaSync failed with status 5 (0x5):
Access is denied.

Mike

 

[Tim Hines [MSFT]]

The first link had a series of steps that you should try. One of the main
steps was step 6 when you reset the secure channel password. The steps are
listed in the following article
http://support.microsoft.com/default.aspx?scid=kb;en-us;288167 .

--
--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Mike]

Tim,

Thanks for your help. I was able to complete most of the steps
eventually, but still had access denied errors. The 2 remaining DCs
(DC2 & DC3) both believed themselves to be the schema and domain
naming masters and the only way around that was to blow one of them
away. So my solution was:

shutdown DC3
On DC2 use ntdsutil to remove all of DC3 from DC2s AD
Clean out the DNS on DC2 of all references to DC3
Boot DC3 connected to just a hub not on the LAN
dcpromo using the /forceremoval switch
Then pointed DC3s DNS to DC2
rebooted DC3 and joined to the domain as a file server
tested OK with a quick review of the event logs
dcpromo (promoted) DC3 as a member DC. again.
tested replication, everything functioning.

Thanks for your help, and hope this helps someone else.

mike