none
Replication access denied RRS feed

  • Question

  • Hi Support,

    We have two Windows 2012 Standard DCs.

    We did not make any recent changes.

    When checked replication today we have seen the below error

    Repadmin: running command /showrepl against full DC localhost

    Default-First-Site-Name\AD1

    DSA Options: IS_GC

    Site Options: (none)

    DSA object GUID: 653b6bb0-39bc-4610-a4a7-b08248b940d6

    DSA invocationID: 86a9e6b9-5f25-47f9-9147-3d8a13a108f1



    DsBindWithCred to localhost failed with status 5 (0x5):

        Access is denied.

    The other DC, AD2 is fine. That dc is having inbound replication from the problematic DC. AD2 is the primary DC.

    Please let me know how do I troubleshoot this.

    Sunday, May 12, 2019 1:11 PM

All replies

  • If you're using older FRS you can follow along here.
    https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-servi
    or for DFSR follow along here.
    https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Sunday, May 12, 2019 1:27 PM
  • Hi,

    Thank you for posting here.

    Just checking in to check if the information Dave provided is helpful.

    Also find an official article providing resolution to "access is denied" error for your reference:

    Active Directory Replication Error 5: Access is denied

    https://support.microsoft.com/en-us/help/2002013/active-directory-replication-error-5-access-is-denied

    Please feel free to reply if there is any update.

    Best regards,

    Lavilian


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 14, 2019 7:43 AM
    Moderator
  • Hi,

    Please find the dcdiag result


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = AD1

       The GUID based DNS Name resolved to several IPs

       (fe80::e082:da8c:a05d:aa88%15, 10.100.1.2), but not all were pingable.

       Replication and other operations may fail if a non-pingable IP is chosen.

       The first pingable IP is 10.100.1.2.
       [AD1] Directory Binding Error 5:

       Access is denied.
       This may limit some of the tests that can be performed.

       * Identified AD Forest.
       Done gathering initial info.


    Doing initial required tests

       
       Testing server: Default-First-Site-Name\AD1

          Starting test: Connectivity

             ......................... AD1 passed test Connectivity



    Doing primary tests

       
       Testing server: Default-First-Site-Name\AD1

          Starting test: Advertising

             ......................... AD1 passed test Advertising

          Starting test: FrsEvent

             The event log File Replication Service on server

             AD1.test1.local could not be queried, error 0x5

             "Access is denied."

             ......................... AD1 failed test FrsEvent

          Starting test: DFSREvent

             ......................... AD1 passed test DFSREvent

          Starting test: SysVolCheck

             ......................... AD1 passed test SysVolCheck

          Starting test: KccEvent

             The event log Directory Service on server AD1.test1.local

             could not be queried, error 0x5 "Access is denied."

             ......................... AD1 failed test KccEvent

          Starting test: KnowsOfRoleHolders

             ......................... AD1 passed test KnowsOfRoleHolders

          Starting test: MachineAccount

             ......................... AD1 passed test MachineAccount

          Starting test: NCSecDesc

             ......................... AD1 passed test NCSecDesc

          Starting test: NetLogons

             ......................... AD1 passed test NetLogons

          Starting test: ObjectsReplicated

             ......................... AD1 passed test ObjectsReplicated

          Starting test: Replications

             ......................... AD1 passed test Replications

          Starting test: RidManager

             ......................... AD1 passed test RidManager

          Starting test: Services

             ......................... AD1 passed test Services

          Starting test: SystemLog

             The event log System on server AD1.test1.local could not

             be queried, error 0x5 "Access is denied."

             ......................... AD1 failed test SystemLog

          Starting test: VerifyReferences

             ......................... AD1 passed test VerifyReferences

       
       
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation

       
       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test

             CrossRefValidation

       
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

       
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

       
       Running partition tests on : test1

          Starting test: CheckSDRefDom

             ......................... test1 passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... test1 passed test CrossRefValidation

       
       Running enterprise tests on : test1.local

          Starting test: LocatorCheck

             ......................... test1.local passed test LocatorCheck

          Starting test: Intersite

             ......................... test1.local passed test Intersite

    Tuesday, May 14, 2019 10:53 AM
  • If you need further assistance please run;
    • Dcdiag /v /c /d /e /s:DCName >c:\dcdiag.log
      (please replace DCName with your domain controller's netbios name)
    • repadmin /showrepl >C:\repl.txt
    • ipconfig /all > C:\dc1.txt
    • ipconfig /all > C:\dc2.txt


    then put unzipped text files up on OneDrive and share a link. (do not post logs in forums)

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.


    Tuesday, May 14, 2019 12:54 PM
  • Hi,

    Thank you for your reply.

    We can also see multiple access is denied error from the dcdiag result there.

    Have you checked the resolution to this error provided in the official article in my last reply?

    Best regards,

    Lavilian


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 15, 2019 9:34 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided above was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Lavilian


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 17, 2019 2:46 AM
    Moderator
  • Please check

    https://onedrive.live.com/?id=B4FD4A8B5C8ED7%21405&cid=B4FD49A8B5C8ED

    Please let me know if the link is accessible by all including the guest?


    • Edited by AadamAdmin Sunday, May 19, 2019 2:01 PM
    Sunday, May 19, 2019 2:00 PM
  • Please check

    https://onedrive.live.com/?id=B4FD4A8B5C8ED7%21405&cid=B4FD49A8B5C8ED

    Please let me know if the link is accessible by all including the guest?


    Nothing accessible at link.

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Sunday, May 19, 2019 2:06 PM
  • Please provide your mail id to give you permission to drive.
    Monday, May 20, 2019 5:40 AM
  • Please provide your mail id to give you permission to drive.

    Easier to change to anyone has the link.

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Monday, May 20, 2019 12:13 PM
  • I am using drive for the first time. I do not really understand your single line answers. Please let me know how to send you the logs.
    Monday, May 20, 2019 1:34 PM
  • Put up on OneDrive and share option Anyone with this link can view this item

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Monday, May 20, 2019 1:39 PM
  • https://1drv.ms/f/s!AteOXIua1E-5gxVx1C4XLCCtVT87

    Wednesday, May 22, 2019 6:22 AM
  • https://1drv.ms/f/s!AteOXIua1E-5gxVx1C4XLCCtVT87


    I'd remove the two invalid DNS server from alrddc02

                                           213.42.20.20
                                           195.229.241.222

    and agree, you should also work through this one.

    https://support.microsoft.com/en-us/help/2002013/active-directory-replication-error-5-access-is-denied

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Wednesday, May 22, 2019 2:06 PM
  • Hi,

    Was your issue resolved?

    If no, please reply and tell us the current situation in order for further analysis.

    Best Regards,

    Lavilian


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, May 24, 2019 3:04 AM
    Moderator
  • Hi,

    Just want to confirm the current situations.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    Lavilian


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, May 27, 2019 2:23 AM
    Moderator
  • I do not see any of the below dns

    213.42.20.20

    195.229.241.222

    I have checked both DC's

    Please let me know where exactly is this.

    Tuesday, May 28, 2019 10:03 AM
  • I do not see any of the below dns

    213.42.20.20

    195.229.241.222

    I have checked both DC's

    Please let me know where exactly is this.

    On the connection properties of alrddc02 check the DC2.txt file you put up.

     

     



    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows Server] Datacenter Management

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Tuesday, May 28, 2019 12:24 PM
  • Hi,

    If the issue is resolved, please reply and share with us the workaround.

    Please also mark Dave's replies as answers if they are helpful.

    Appreciate your understanding in advance.

    Best Regards,

    Lavilian


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 30, 2019 9:20 AM
    Moderator
  • Hi,

    Just checking in to see if the information provided above was helpful. Please let us know if you would like further assistance.

    Best Regards,

    Lavilian


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, June 4, 2019 10:07 AM
    Moderator