Fixing Replication Security Problems

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

When security problems cause replication to fail, various event log messages and Repadmin messages contain error codes that identify the problems.

The version of Dcdiag.exe that is included with Windows Support Tools in Windows Server 2003 Service Pack 1 (SP1) provides new functionality that reports on the overall health of replication with respect to Active Directory. Dcdiag is modified to detect common causes of "Access denied" events, "Account unknown" events, and similar events.

The error codes that Dcdiag detects are described in the following table. Error codes that are marked with an asterisk (*) are not always caused by a security problem.

Error code Description


Access is denied.


A required privilege is not held by the client.


Logon failure: unknown user name or bad password.


Logon failure: The target account name is incorrect.


Could not find the domain controller for this domain.


Mutual authentication failed. The server's password is out of date at the domain controller.


There is a time and/or date difference between the client and server.


The remote procedure call (RPC) server is unavailable.


The specified username is invalid.


Replication access was denied.

Use the procedures in "An 'Access denied' or other security error has caused replication problems" to diagnose and fix replication security problems.