You receive an “access is denied” error message on a domain controller when you try to replicate the Active Directory directory service
When you attempt to replicate the Active Directory directory service, the error “access is denied” appears on a domain controller. This article can assist in fixing the issue.
Symptoms
When you try to replicate the Active Directory directory service to a domain controller that is running Microsoft Windows Server 2003 with Service Pack 1 (SP1) or an x64-based version of Microsoft Windows Server 2003, you receive the following error message on the destination domain controller:
access is denied
Cause
This problem occurs when the value of the RestrictRemoteClients registry entry is 2.
Windows Server 2003 SP1 and x64-based versions of Windows Server 2003 read remote procedure call (RPC) settings from this entry. If the entry has a value of 2, RPC traffic must be authenticated. Therefore, Active Directory replication does not succeed. Other RPC services on the domain controller may also be affected.
Resolution
To resolve this problem, enable port 135 on Windows Firewall, and then use one of the following methods:
- Set the value of the RestrictRemoteClients registry entry to 0 or 1.
- Disable the Restrictions for Unauthenticated RPC Clients Group Policy object.
To do this, follow these steps.
By default, port 135 is blocked in Windows Server 2003 SP1 and in x64-based versions of Windows Server 2003.
- Click Start, click Run, type firewall.cpl, and then click OK.
- Click the Exceptions tab, and then click Add Port.
- In the Name box, type a name for the port.For example, type TCP 135.
- In the Port number box, type 135.
- Click TCP, and then click OK.The new port appears on the Exceptions tab.
- Click to select the check box next to the new port, and then click OK.
- Click Start, click Run, type regedit, and then click OK.
- Use one of the following methods:
- Set the value of the RestrictRemoteClients registry entry to 0 or 1. To do this, follow these steps:
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc
- In the right pane, click the RestrictRemoteClients entry.
If this entry does not exist, follow these steps:
-
On the Edit menu, point to New, and then click DWORD Value.
-
Type RestrictRemoteClients , and then press ENTER.
-
- On the Edit menu, click Modify.
- In the Value data box, type 0 or 1, and then click OK.
- Quit Registry Editor.
- Locate and then click the following registry subkey:
- Use Group Policy Object Editor to disable the Restrictions for Unauthenticated RPC Clients Group Policy object. To do this, follow these steps:
- Click Start, click Run, type gpedit.msc, and then click OK.
- In the console tree, double-click Computer Configuration, double-click Administrative Templates, double-click System, and then click Remote Procedure Call.
- Double-click Restrictions for Unauthenticated RPC clients, click Disable, and then click OK.
- Quit Group Policy Object Editor.
Status
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the “Applies to” section.