Microsoft Knowledge Base Archive

Notice

Home users: This article is only intended for technical support agents and IT professionals. If you're looking for help with a problem, please ask the Microsoft Community.

↑ Back to the top

Diagnosis

A replication destination domain controller cannot contact its source replication partner to get Active Directory updates as a result of one or more security errors occurring on the connection between the two domain controllers.

↑ Back to the top

Resolution

Run the replication security error diagnostic test in Dcdiag.

↑ Back to the top

Test a domain controller for replication security errors

You can test any or all domain controllers in your forest for security errors.

Requirements

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
Tool: Dcdiag.exe
Operating system: The replication security test that is used in this procedure is available in versions of Dcdiag that are included with the following operating systems:
- Windows Server 2003 with Service Pack 1 (SP1)
- Windows Server 2003 with Service Pack 2 (SP2)
- Windows Server 2003 R2
- Windows Server 2008
Although you can run the enhanced version of Dcdiag from computers running Windows XP Professional and Windows Server 2003 with no service pack installed, you cannot run the replication security test (/test:CheckSecurityError) from these computers.
Target operating systems:

You can run the Dcdiag replication security tests against domain controllers that are running the following operating systems:
- Windows 2000 Server with Service Pack 3 (SP3)
- Windows 2000 Server with Service Pack 4 (SP4)
- Windows Server 2003
- Windows Server 2003 with Service Pack 1 (SP1)
- Windows Server 2003 R2
- Windows Server 2008

↑ Back to the top

To test a domain controller for replication security errors

Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue.
At the command prompt, type the following command, and then press ENTER:
```
dcdiag /test:CheckSecurityError /s:<DomainControllerName>
```
where <DomainControllerName> is the Domain Name System (DNS) name, network basic input/output system (NetBIOS) name, or distinguished name of the domain controller on which you want to test.

If you do not use the /s: switch, the test is run against the local domain controller. You can also test all domain controllers in the forest by using /e: instead of /s:.
Copy the report into Notepad or an equivalent text editor
Scroll to the Summary table near the bottom of the Dcdiag log file.
Note the names of all domain controllers that reported “Warn” or “Fail” status in the Summary table.
Find the detailed breakout section for the problem domain controller by searching for the string “DC: <DomainControllerName>”.
Make the required configuration changes on the domain controllers.

Rerun Dcdiag /test:CheckSecurityError with the /e: or /s: switch to validate the configuration changes.

↑ Back to the top

Test the connection between two domain controllers for replication security errors

You can test the connection between two domain controllers in your forest for replication security errors. The domain controller that represents the source of the inbound connection does not have to be an existing source to run this test. That is, a connection object from that domain controller does not have to exist on the destination domain controller. This test is useful in the following scenarios:

A connection exists between a source and a destination, and you receive a security error.
A connection should be created automatically by the Knowledge Consistency Checker (KCC), and you want to test why the connection does not exist.
You are trying to create a connection between two domain controllers, and you receive a security error.
You want to determine whether a connection can be created if you want to add one on this destination from the specified source.

Requirements

Membership in Domain Admins, or equivalent, is the minimum required to test the connection between domain controllers in your domain. Membership in Enterprise Admins, or equivalent, is the minimum required to test the connection between domain controllers in different domains. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).
Tool: Dcdiag.exe
Operating system: The replication security test that is used in this procedure is available in versions of Dcdiag that are included with the following operating systems:
- Windows Server 2003 with SP1
- Windows Server 2003 with SP2
- Windows Server 2003 R2
- Windows Server 2008
Although you can run the enhanced version of Dcdiag from computers running Windows XP Professional and Windows Server 2003 with no service pack installed, you cannot run the replication security test (/test:CheckSecurityError) from these computers.
Target operating systems: You can run the Dcdiag replication security tests against domain controllers that are running the following operating systems:
- Windows 2000 Server with SP3
- Windows 2000 Server with SP4
- Windows Server 2003
- Windows Server 2003 with SP1
- Windows Server 2003 R2
- Windows Server 2008

↑ Back to the top

To test the connection between two domain controllers for replication security errors

Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue.

At the command prompt, type the following command, and then press ENTER:

dcdiag /test:CheckSecurityError /ReplSource:<SourceDomainControllerName>

Parameter	Description
/test:CheckSecurityError	Locates security errors or errors that are possibly related to security problems, and performs initial diagnosis of the problem. This command tests the connection between the domain controller on which you run the command and the source replication partner that you specify in <SourceDomainControllerName>.
/ReplSource	Targets a specified replication source domain controller
<SourceDomainControllerName>	The DNS name, NetBIOS name, or distinguished name of the real or potential source ("from") server that is represented by a real or potential connection object that you want to test

Copy the report into Notepad or an equivalent text editor.
Scroll to the Summary table near the bottom of the Dcdiag log file.
Note the names of all domain controllers that reported “Warn” or “Fail” status in the Summary table
Find the detailed breakout section for the problem domain controller by searching for the string “DC: <DomainControllerName>”.
Make the required configuration changes on the domain controllers.
Rerun dcdiag /test:CheckSecurityError /ReplSource:<SourceDomainControllerName> to validate configuration changes.

↑ Back to the top

Article ID	:	4469657
Revision	:	2
Created on	:	12/6/2018
Published on	:	12/6/2018
Exists online	:	False
Views	:	371

Microsoft KB Archive Search

Active Directory Replication Error An "Access denied" or other security error has caused replication problems

Notice

Diagnosis

Resolution

Test a domain controller for replication security errors

To test a domain controller for replication security errors

Test the connection between two domain controllers for replication security errors

To test the connection between two domain controllers for replication security errors

Applies to: