MICROSOFT REPLICATION ISSUE

After you promote a Windows 2000 Server computer to act as a domain controller, you may experience the following issues:

The computer account for the new domain controller does appear in the Domain Controllers container when you open that container from another domain controller. However, it may be listed in the Domain Controllers container when you viewed it using its own Active Directory Users and Computers snap-in.

When you right-click My Computer, click Properties, and then click the Network Identification tab, the following text is not displayed: Note: The identification of the computer cannot be changed because: - The computer is a domain controller.

If you run the Repadmin.exe utility (that is available in the Windows 2000 Support Tools) with the /showreps switch, you receive the following output:

==== INBOUND NEIGHBORS ====================================== CN=Schema,CN=Configuration,DC=example,DC=com CN=Configuration,DC=example,DC=com Site-Name\Server1 via RPC 63 consecutive failure(s). Last success @ <date> <time>. Replication access was denied. Last attempt @ <date> <time> failed, result 8453: objectGuid: 0d519219-b957-4a80-9d39-ec4d51e2181e Site-Name\Server1 via RPC

 DC=example,DC=com 64 consecutive failure(s). Last success @ <date> <time>. Replication access was denied. Last attempt @ <date> <time> failed, result 8453: objectGuid: 0d519219-b957-4a80-9d39-ec4d51e2181e Site-Name\Server1 via RPC 64 consecutive failure(s). Last success @ <date> <time>. Replication access was denied. Last attempt @ <date> <time> failed, result 8453: objectGuid: 0d519219-b957-4a80-9d39-ec4d51e2181e

If you run the Active Directory Replication Monitor utility (Replmon.exe) (that is available in the Windows 2000 Support Tools), you receive the following output:

Domain Controller Name: Failure Code: Replication Partner: Directory Partition:

Server2

CN=Schema,CN=Configuration,DC=example,DC=com

Site-Name\Server1

8453

Failure Reason:

Replication access was denied.

Domain Controller Name: Domain Controller Name: Failure Reason: Failure Code: Replication Partner: Directory Partition: Failure Reason: Failure Code: Replication Partner: Directory Partition:

Server2

CN=Configuration,DC=example,DC=com

Site-Name\Server1

8453

Replication access was denied.

Server2

DC=mvlp,DC=local

Site-Name\Server1

8453

Replication access was denied.

If you run the DCdiag.exe utility (that is available in the Windows 2000 Support Tools), you receive a "Replication access was denied" message. If you run the Netdiag.exe utility, you receive the following output:

Trust relationship test. . . . . . : Failed

Test to ensure DomainSid of domain 'EXAMPLE' is correct.

[FATAL] Secure channel to domain 'EXAMPLE' is broken.

[ERROR_NO_TRUST_SAM_ACCOUNT]

Back to the top CAUSE

These issues may occur if the computer account is not updated correctly during the domain controller promotion procedure (Dcpromo). Back to the top RESOLUTION

To resolve this issue, follow these steps. Back to the top

Step 1: Move the Computer Account to the Domain Controllers Container

1. On a domain controller that is in the "healthy" part of the domain (not the domain controller with which you experience the issue), start the Active Directory Users and Computers snap-in. 2. Expand the domain container, and then click the container in which the computer account with which you experience the issue appears. 3. 4. 5. 6. Right-click the computer account, and then click Move. In the Container to move object to list, click Domain Controllers, and then click OK. Click the Domain Controllers container to verify that the computer object is displayed. Quit the Active Directory Computers and Users snap-in.

Back to the top

Step 2: Verify the userAccountControl Property

WARNING: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Exchange 2000 Server, or both. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk. 1. On a domain controller that is in the "healthy" part of the domain (not the domain controller with which you experience the issue), install the Windows 2000 Support Tools if they have not already been installed. For additional information about how to install the Windows 2000 Support Tools, click the article number below to view the article in the Microsoft Knowledge Base:

301423 How to Install the Windows 2000 Support Tools to a Windows 2000 Server-Based Computer 2. Start the ADSI Edit snap-in. To do so, click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit. 3. Expand Domain NC [server.example.com] (where server is the name of the domain controller and example.com is the name of the domain. 4. 5. Expand DC=example,DC=com. Expand OU=Domain Controllers, right-click CN=ServerName (where ServerName is the domain controller with which you experience the issues that are described in the "Symptoms" section of this article), and then click Properties. 6. 7. Click the Attributes tab (if it is not already selected). In the Select which properties to view list, click Both, and then click userAccountControl in the Select a property to view list. 8. 9. If the Value(s) box does not contain 532480, type 532480 in the Edit Attribute box, and then click Set. Click Apply, click OK, and then quit the ADSI Edit snap-in.

Back to the top

Step 3: Reset the Secure Channel Password

1. On the domain controller with which you experience the issue, install the Windows 2000 Support Tools if they have not already been installed. 2. 3. Click Start, click Run, type cmd, and then click OK. Change to the folder that contains the Nltest.exe utility. By default, this folder is C:\Program Files\Support Tools. 4. Run the following command, where example.com is the name of your domain: nltest /sc_change_pwd:example.com 5. Quit the command prompt, and then restart the server.