You receive an “access is denied” error message on a domain controller when you try to replicate the Active Directory directory service

When you attempt to replicate the Active Directory directory service, the error “access is denied” appears on a domain controller. This article can assist in fixing the issue.

Symptoms

When you try to replicate the Active Directory directory service to a domain controller that is running Microsoft Windows Server 2003 with Service Pack 1 (SP1) or an x64-based version of Microsoft Windows Server 2003, you receive the following error message on the destination domain controller:

access is denied

Cause

This problem occurs when the value of the RestrictRemoteClients registry entry is 2.

Windows Server 2003 SP1 and x64-based versions of Windows Server 2003 read remote procedure call (RPC) settings from this entry. If the entry has a value of 2, RPC traffic must be authenticated. Therefore, Active Directory replication does not succeed. Other RPC services on the domain controller may also be affected.

Resolution

To resolve this problem, enable port 135 on Windows Firewall, and then use one of the following methods:

  • Set the value of the RestrictRemoteClients registry entry to 0 or 1.
  • Disable the Restrictions for Unauthenticated RPC Clients Group Policy object.

By default, port 135 is blocked in Windows Server 2003 SP1 and in x64-based versions of Windows Server 2003. To do this, follow these steps:

  1. Click Start, click Run, type firewall.cpl, and then click OK.
  2. Click the Exceptions tab, and then click Add Port.
  3. In the Name box, type a name for the port. For example, type TCP 135.
  4. In the Port number box, type 135.
  5. Click TCP, and then click OK. The new port appears on the Exceptions tab.
  6. Click to select the check box next to the new port, and then click OK.
  7. Click Start, click Run, type regedit, and then click OK.
  8. Use one of the following methods:
  • Set the value of the RestrictRemoteClients registry entry to 0 or 1. To do this, follow these steps:
    1. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
    2. In the right pane, click the RestrictRemoteClients entry.
      If this entry does not exist, follow these steps:
      • On the Edit menu, point to New, and then click DWORD Value.
      • Type RestrictRemoteClients, and then press ENTER.
    3. On the Edit menu, click Modify.
    4. In the Value data box, type 0 or 1, and then click OK.
    5. Quit Registry Editor.
  • Use Group Policy Object Editor to disable the Restrictions for Unauthenticated RPC Clients Group Policy object. To do this, follow these steps:
    1. Click Start, click Run, type gpedit.msc, and then click OK.
    2. In the console tree, double-click Computer Configuration, double-click Administrative Templates, double-click System, and then click Remote Procedure Call.
    3. Double-click Restrictions for Unauthenticated RPC clients, click Disable, and then click OK.
    4. Quit Group Policy Object Editor.
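
The same steps can be scripted. The following PowerShell sketch is an added example, not part of the original article: it reads the RestrictRemoteClients entry from the subkey named above and, only when the value is 2, opens TCP 135 and sets the entry to 1. The function names are hypothetical, and the `netsh firewall` line assumes the legacy Windows Firewall context of this OS generation.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Registry subkey and entry name are taken from the article; function names are hypothetical.
$RpcPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc'
$ValueName    = 'RestrictRemoteClients'

function Get-RpcRestriction {
    # Returns the current DWORD, or $null when the subkey or the entry does not exist.
    if (-not (Test-Path $RpcPolicyKey)) { return $null }
    $item = Get-ItemProperty -Path $RpcPolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

function Set-RpcRestriction {
    param([int]$Value = 1)
    # The article's resolution allows only 0 or 1; reject anything else.
    if ($Value -ne 0 -and $Value -ne 1) {
        throw "RestrictRemoteClients must be 0 or 1 for this fix; got $Value."
    }
    if (-not (Test-Path $RpcPolicyKey)) {
        New-Item -Path $RpcPolicyKey -Force | Out-Null
    }
    # -Force creates the entry if it is missing or overwrites the existing value.
    New-ItemProperty -Path $RpcPolicyKey -Name $ValueName `
        -PropertyType DWord -Value $Value -Force | Out-Null
}

$current = Get-RpcRestriction
if ($null -eq $current) {
    Write-Output 'RestrictRemoteClients is not set under the policy subkey; no change made.'
}
elseif ($current -eq 2) {
    Write-Output 'RestrictRemoteClients = 2 (the cause named in the article); applying the fix.'
    # Steps 1-6: add the TCP 135 exception (legacy netsh firewall context, an assumption here).
    netsh firewall add portopening TCP 135 "TCP 135"
    # Steps 7-8, first method: set the entry to 1.
    Set-RpcRestriction -Value 1
    Write-Output ("RestrictRemoteClients is now {0}." -f (Get-RpcRestriction))
}
else {
    Write-Output "RestrictRemoteClients = $current; no change needed."
}
```

Because the entry lives under the Policies subkey, a domain Group Policy object that configures Restrictions for Unauthenticated RPC clients rewrites it at the next policy refresh, so in that case change the policy itself rather than the local value.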

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the “Applies to” section.

Vipan Kumar

He is an Active Directory Engineer who has been working in the IT industry for more than 10 years. He is a dedicated and enthusiastic information technology expert who is always ready to resolve any technical problem. If you need any further help on the subject, feel free to contact us at admin@windowstechno.com. Please subscribe to our Facebook page and website for the latest articles: https://www.facebook.com/windowstechno