Fixing Replication Security Problems

Applies To: Windows Server 2008

This section describes the security problems that you might experience when Active Directory replication is enabled. When security problems cause replication to fail, event log messages and Repadmin messages contain error codes that identify the problems.

The Dcdiag.exe tool reports on the overall health of replication with respect to Active Directory Domain Services (AD DS). Dcdiag detects common causes of "Access denied" events, "Account unknown" events, and similar events. The Dcdiag security test was introduced in Windows Server 2003 with Service Pack 1 (SP1). It is not available in earlier versions of Windows Server.

The error codes that Dcdiag detects are described in the following table. Error codes that are marked with an asterisk (*) are not always caused by a security problem.

Error code   Description
             Access is denied.
             A required privilege is not held by the client.
             Logon failure: unknown user name or bad password.
             Logon failure: The target account name is incorrect.
             Could not find the domain controller for this domain.
             Mutual authentication failed. The server's password is out of date at the domain controller.
             There is a time and/or date difference between the client and server.
             The remote procedure call (RPC) server is unavailable.
             The specified username is invalid.
             Replication access was denied.
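The following PowerShell script is an added example and is not part of the original page or of the Dcdiag and Repadmin tools themselves. It runs the Dcdiag security test (available from Windows Server 2003 SP1 onward) and Repadmin against a domain controller, then flags any output line whose text matches one of the error descriptions in the table above, so an administrator can see at a glance which failures are likely to have a security cause. The domain controller names in the parameters are assumed placeholders.

```powershell
# Added example (not from the original page). Runs the Dcdiag security test and
# Repadmin against a domain controller and flags output lines whose text matches
# the error descriptions listed in the table above.
# $TargetDC and $SourceDC are assumed placeholder names; replace them with your own.
param(
    [string]$TargetDC = 'DC1.contoso.example',   # assumed: DC that reports the replication failures
    [string]$SourceDC = 'DC2.contoso.example'    # assumed: the replication partner it pulls from
)

# Error descriptions from the table on this page. A match means the failure is
# likely (though, for some codes, not always) caused by a security problem.
$SecurityErrorText = @(
    'Access is denied',
    'A required privilege is not held by the client',
    'Logon failure: unknown user name or bad password',
    'Logon failure: The target account name is incorrect',
    'Could not find the domain controller for this domain',
    "The server's password is out of date at the domain controller",
    'time and/or date difference between the client and server',
    'The remote procedure call (RPC) server is unavailable',
    'The specified username is invalid',
    'Replication access was denied'
)

# The Dcdiag security test. /s names the DC to test; /ReplSource names the
# replication partner whose secure channel and SPNs should also be checked.
$dcdiagOutput = & dcdiag.exe /test:CheckSecurityError /s:$TargetDC /ReplSource:$SourceDC 2>&1

# Repadmin with /errorsonly lists only the inbound replication links that are failing.
$repadminOutput = & repadmin.exe /showrepl $TargetDC /errorsonly 2>&1

# Scan every output line once and record the first matching description.
$findings = foreach ($line in @($dcdiagOutput) + @($repadminOutput)) {
    $lineText = $line.ToString().Trim()
    foreach ($text in $SecurityErrorText) {
        if ($lineText -match [regex]::Escape($text)) {
            [pscustomobject]@{ Indicator = $text; Line = $lineText }
            break
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    "No lines matching the security-related replication errors listed on this page were found."
}
```

Run the script from an elevated prompt on a machine with the AD DS administration tools installed. Matching on the description text rather than the numeric code keeps the script usable when a message is logged with its text but without its code; treat each match as a pointer to the corresponding diagnosis procedure, not as proof of a security cause, since some of these errors can also arise from name resolution or connectivity problems.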

Use the procedures in "An 'Access denied' or other security error has caused replication problems" to diagnose and fix replication security problems.