Replication error 8453: Replication access was denied

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains the symptoms and causes of Active Directory replication error 8453, "Replication access was denied", and how to resolve it.
Symptoms

1. The DCDIAG Replications test (DCDIAG /TEST:Replications) reports that the tested DC "failed test Replications" with status 8453: Replication access was denied.

    Starting test: Replications
       [Replications Check,<destination DC>] A recent replication attempt failed:
          From <source DC> to <destination DC>
          Naming Context: <DN path of failing directory partition>
          The replication generated an error (8453):
          Replication access was denied.
          The failure occurred at <date> <time>.
          The last success occurred at <date> <time>.
          <#> failures have occurred since the last success.
          The machine account for the destination <destination DC> is not configured properly.
          Check the userAccountControl field.
          Kerberos Error.
          The machine account is not present, or does not match on the destination, source or KDC servers.
          Verify domain partition of KDC is in sync with rest of enterprise.
          The tool repadmin /syncall can be used for this purpose.
    ......................... <DC tested by DCDIAG> failed test Replications

2. The DCDIAG NCSecDesc test (DCDIAG /TEST:NCSecDesc) reports that the tested DC "failed test NCSecDesc" and that one or more permissions are missing on the NC head of one or more directory partitions on that DC:

    Starting test: NCSecDesc
       Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
          Replicating Directory Changes
          Replication Synchronization
          Manage Replication Topology
          Replicating Directory Changes In Filtered Set
       access rights for the naming context:
       DC=contoso,DC=com
       Error CONTOSO\Domain Controllers doesn't have
          Replicating Directory Changes All
       access rights for the naming context:
       DC=contoso,DC=com
       Error CONTOSO\Enterprise Read-only Domain Controllers doesn't have
          Replicating Directory Changes
       access rights for the naming context:
       DC=contoso,DC=com
    ......................... CONTOSO-DC2 failed test NCSecDesc

   The list of missing access rights required for each security group can vary depending on your environment.

3. The DCDIAG MachineAccount test (DCDIAG /TEST:MachineAccount) reports that the tested DC "failed test MachineAccount" because the userAccountControl attribute on the DC's computer account is missing the SERVER_TRUST_ACCOUNT or TRUSTED_FOR_DELEGATION flag:

    Starting test: MachineAccount
       The account CONTOSO-DC2 is not trusted for delegation. It cannot replicate.
       The account CONTOSO-DC2 is not a DC account. It cannot replicate.
       Warning: Attribute userAccountControl of CONTOSO-DC2 is: 0x288 = ( HOMEDIR_REQUIRED | ENCRYPTED_TEXT_PASSWORD_ALLOWED | NORMAL_ACCOUNT )
       Typical setting for a DC is 0x82000 = ( SERVER_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION )
       This may be affecting replication?
    ......................... CONTOSO-DC2 failed test MachineAccount

4. The DCDIAG KccEvent test cites the hexadecimal equivalent of Microsoft-Windows-ActiveDirectory_DomainService event 2896 (0xB50 hex = 2896 decimal). This event may be logged every 60 seconds on the infrastructure master domain controller.

    Starting test: KccEvent
       * The KCC Event log test
       An error event occurred. EventID: 0xC0000B50
          Time Generated: 06/25/2010 07:45:07
          Event String: A client made a DirSync LDAP request for a directory partition. Access was denied due to the following error.
          Directory partition: <DN path of directory partition>
          Error value: 8453 Replication access was denied.
          User Action
          The client may not have access for this request. If the client requires it, they should be assigned the control access right "Replicating Directory Changes" on the directory partition in question.

5. REPADMIN.EXE reports that a replication attempt failed with status 8453. REPADMIN commands that commonly cite the 8453 status include, but are not limited to:

   REPADMIN /KCC
   REPADMIN /REHOST
   REPADMIN /REPLICATE
   REPADMIN /REPLSUM
   REPADMIN /SHOWREPL
   REPADMIN /SHOWREPS
   REPADMIN /SHOWUTDVEC
   REPADMIN /SYNCALL

   Sample output from "REPADMIN /SHOWREPS" depicting inbound replication from CONTOSO-DC2 to CONTOSO-DC1 failing with "Replication access was denied":

    Default-First-Site-Name\CONTOSO-DC1
    DSA Options: IS_GC
    Site Options: (none)
    DSA object GUID: b6dc8589-7e00-4a5d-b688-045aef63ec01
    DSA invocationID: b6dc8589-7e00-4a5d-b688-045aef63ec01

    ==== INBOUND NEIGHBORS ======================================

    DC=contoso,DC=com
        Default-First-Site-Name\CONTOSO-DC2 via RPC
            DSA object GUID: 74fbe06c-932c-46b5-831b-af9e31f496b2
            Last attempt @ <date> <time> failed, result 8453 (0x2105):
                Replication access was denied.
            <#> consecutive failure(s).
            Last success @ <date> <time>.

6. The "Replicate now" command in Active Directory Sites and Services returns "Replication access was denied". Right-clicking the connection object from a source DC and choosing "Replicate now" fails with the following on-screen error:

   Dialog title text: Replicate Now
   Dialog message text: The following error occurred during the attempt to synchronize naming context <%directory partition name%> from Domain Controller <Source DC> to Domain Controller <Destination DC>: Replication access was denied. The operation will not continue.
   Buttons in dialog: OK

7. NTDS KCC, NTDS General or Microsoft-Windows-ActiveDirectory_DomainService events with the 8453 status are logged in the Directory Service event log. Active Directory events that commonly cite the 8453 status include, but are not limited to:
   Event ID | Event Source | Event String
   1699 | Microsoft-Windows-ActiveDirectory_DomainService | This directory service failed to retrieve the changes requested for the following directory partition. As a result, it was unable to send change requests to the directory service at the following network address.
   2896 | Microsoft-Windows-ActiveDirectory_DomainService | A client made a DirSync LDAP request for a directory partition. Access was denied due to the following error.
   1655 | NTDS General | Active Directory attempted to communicate with the following global catalog and the attempts were unsuccessful.
   1265 | NTDS KCC | The attempt to establish a replication link with parameters Partition: <partition DN path> Source DSA DN: <DN of source DC NTDS Settings object> Source DSA Address: <source DC's fully qualified CNAME> Inter-site Transport (if any): <DN path> failed with the following status:
   1925 | NTDS KCC | The attempt to establish a replication link for the following writable directory partition failed.
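Before working through the causes below, it helps to see every link in the forest that is currently failing with 8453 in one view rather than reading DCDIAG output DC by DC. The following PowerShell is an added example, not code from the original article: it parses the CSV output of REPADMIN /SHOWREPL and filters on the last failure status. It assumes the column headers that repadmin's /CSV switch emits ("Destination DSA", "Source DSA", "Naming Context", "Number of Failures", "Last Failure Time", "Last Success Time", "Last Failure Status") and that the caller can query every DC (run from a DC or a machine with RSAT).

```powershell
# Added example, not from the original article: list every inbound replication
# link whose last failure status is 8453 ("Replication access was denied"),
# using the CSV output of REPADMIN /SHOWREPL.
function Get-ReplicationAccessDenied {
    param(
        # '*' = every DC in the forest; alternatively a DC name or site:<SiteName>
        [string] $Scope  = '*',
        [int]    $Status = 8453
    )

    repadmin /showrepl $Scope /csv |
        ConvertFrom-Csv |
        Where-Object { $_.'Last Failure Status' -eq "$Status" } |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Success Time' |
        Sort-Object 'Destination DSA', 'Naming Context', 'Source DSA'
}

$failing = Get-ReplicationAccessDenied
$failing | Format-Table -AutoSize

# A rough pointer to the cause, following the distinction the article draws:
# every partition from a given source failing at one destination points at that
# destination's computer account (userAccountControl); a single partition
# failing points at the DACL on that partition's NC head.
$failing | Group-Object 'Destination DSA' |
    ForEach-Object { '{0}: {1} inbound link(s) denied' -f $_.Name, $_.Count }
```

Run it again after each fix; a link that has replicated successfully shows "Last Failure Status" 0 and drops out of the list.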
Causes

Status 8453, "Replication access was denied", has multiple root causes, including:

- The userAccountControl attribute on the destination domain controller's computer account is missing the SERVER_TRUST_ACCOUNT or TRUSTED_FOR_DELEGATION flag.
- The default permissions do not exist on one or more directory partitions to allow scheduled replication to occur in the operating system's security context.
- The default or custom permissions do not exist on one or more directory partitions to allow users to trigger ad-hoc or immediate replication using DSSITE.MSC -> "Replicate now", "repadmin /replicate", "repadmin /syncall" or similar commands.
- The permissions needed to trigger ad-hoc replication are correctly defined on the relevant directory partitions, but the user is NOT a member of any security group that has been granted the Replicating Directory Changes permission.
- The user triggering ad-hoc replication IS a member of the required security groups AND those groups have been granted the Replicating Directory Changes permission, but membership in the group that grants it has been removed from the user's security token by the User Account Control split user access token feature introduced in Windows Vista and Windows Server 2008 (http://technet.microsoft.com/library/cc772207(WS.10).aspx). Do not confuse the User Account Control split-token security feature with the userAccountControl attribute defined on DC role computer accounts stored in Active Directory.
- RODCPREP has not been run in domains currently hosting read-only domain controllers.
- DCs running new operating system versions have been added to an existing forest where Office Communications Server has been installed.

Active Directory errors and events like those cited in the Symptoms section can also fail with error 5: "Access is denied". Applying the resolution steps for error 5 WILL NOT resolve replication failures on computers that are currently failing replication with status 8453, and vice versa. Common root causes for Active Directory operations failing with error 5 include:

- Excessive time skew
- Fragmentation of UDP-formatted Kerberos packets by intermediate devices on the network
- Missing "Access this computer from the network" rights
- Broken secure channels or intradomain trusts
- CrashOnAuditFail = 2 in the registry
Resolutions

Perform a health check with DCDIAG and DCDIAG /test:CheckSecurityError

- Run DCDIAG on the "destination DC" reporting the 8453 error or event.
- Run DCDIAG on the "source DC" that the DC reporting the 8453 error or event is pulling from.
- Run DCDIAG /test:CheckSecurityError on the "destination DC" reporting the 8453 error or event.
- Run DCDIAG /test:CheckSecurityError on the "source DC" that the DC reporting the 8453 error or event is pulling from.

Fix invalid userAccountControl

The userAccountControl attribute is a bitmask that defines the capabilities and the state of a user or computer account. More information on userAccountControl flags can be found in MSKB 305144 (http://support.microsoft.com/kb/305144) and MSDN (http://msdn.microsoft.com/library/ms680832(VS.85).aspx). The typical userAccountControl value for a writable ("full") domain controller computer account is 532480 decimal (0x82000 hex). The value on a domain controller computer account may vary, but it must contain the SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION flags shown in the table below:

   Property flag | Hex value | Decimal value
   SERVER_TRUST_ACCOUNT | 0x2000 | 8192
   TRUSTED_FOR_DELEGATION | 0x80000 | 524288
   Typical userAccountControl value for a writable DC | 0x82000 | 532480

The typical userAccountControl value for a read-only domain controller computer account is 83890176 decimal (0x5001000 hex):

   Property flag | Hex value | Decimal value
   WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096
   TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION | 0x1000000 | 16777216
   PARTIAL_SECRETS_ACCOUNT | 0x4000000 | 67108864
   Typical userAccountControl value for an RODC | 0x5001000 | 83890176
The userAccountControl attribute on the destination DC is missing the SERVER_TRUST_ACCOUNT flag

If the DCDIAG MachineAccount test fails with "failed test MachineAccount" AND the userAccountControl attribute on the tested DC is missing the SERVER_TRUST_ACCOUNT flag, add the missing flag in the tested DC's copy of Active Directory.

To add the SERVER_TRUST_ACCOUNT flag to the userAccountControl attribute:

1. Start ADSIEDIT.MSC on the console of the DC that DCDIAG reports as missing SERVER_TRUST_ACCOUNT.
2. Right-click ADSI Edit in the top left pane of ADSIEDIT.MSC and choose Connect to.... In the Connection Settings dialog:
   - Click Select a well known Naming Context and choose Default naming context (that is, the computer account's domain partition).
   - Click Default (Domain or server that you are logged on to).
   - Click OK.
3. In the domain naming context, locate and then right-click the domain controller computer account and choose Properties.
4. Double-click the userAccountControl attribute and record its decimal value.
5. Start the Windows calculator in Scientific mode (Windows 2000 or Windows Server 2003) or Programmer mode (Windows Server 2008 and later) and enter the decimal userAccountControl value.
6. Convert the decimal value to its hexadecimal equivalent.
7. Add 0x2000 (the SERVER_TRUST_ACCOUNT bit from the table above) to the existing value and press "=". Do not add 0x80000 here; that is the TRUSTED_FOR_DELEGATION bit, which has its own procedure.
8. Convert the new userAccountControl value back to its decimal equivalent.
9. Type the new decimal value from the Windows calculator into the userAccountControl attribute in ADSIEDIT.MSC. Click OK twice to save.
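The calculator steps above, and the Delegation-tab procedure for TRUSTED_FOR_DELEGATION that follows, both come down to setting one bit in userAccountControl on the DC's own copy of the directory. The following PowerShell is an added example, not code from the original article: it reports which of the two DC bits are clear and, only with -Repair, ORs the missing bits into the attribute. It assumes the ActiveDirectory module (RSAT) is available, that the DC name resolves for the -Server parameter, and that the caller has rights to write the attribute. SERVER_TRUST_ACCOUNT is what makes the KDC and the replication engine treat an account as a domain controller, so set it only on a genuine writable DC account (an RODC uses WORKSTATION_TRUST_ACCOUNT and PARTIAL_SECRETS_ACCOUNT instead, as the RODC table above shows); granting it to any other account is a privilege escalation, not a fix.

```powershell
# Added example, not from the original article: check a writable DC's computer
# account for the SERVER_TRUST_ACCOUNT and TRUSTED_FOR_DELEGATION bits and, on
# request, OR the missing bits into userAccountControl on that DC's own copy of
# the directory (the copy DCDIAG examined).
#Requires -Modules ActiveDirectory

# Bit values from the table above (ADS_USER_FLAG_ENUM). Writable DCs only.
$DcFlags = [ordered]@{
    SERVER_TRUST_ACCOUNT   = 0x2000
    TRUSTED_FOR_DELEGATION = 0x80000
}

function Repair-DcUserAccountControl {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Computer name of the DC without the trailing '$', e.g. CONTOSO-DC2
        [Parameter(Mandatory)] [string] $DcName,
        # Without -Repair the function only reports.
        [switch] $Repair
    )

    # Query the DC itself so we see the same value DCDIAG reported there.
    $dc  = Get-ADComputer -Identity $DcName -Properties userAccountControl -Server $DcName
    $uac = [int]$dc.userAccountControl

    # Flags whose bit is clear in the current value.
    $missing = @($DcFlags.GetEnumerator() | Where-Object { ($uac -band $_.Value) -eq 0 })

    if ($missing.Count -eq 0) {
        Write-Host ("{0}: userAccountControl 0x{1:X} ({1}) already has both DC flags." -f $DcName, $uac)
        return
    }

    $new = $uac
    foreach ($flag in $missing) { $new = $new -bor $flag.Value }
    Write-Host ("{0}: missing {1}; 0x{2:X} ({2}) -> 0x{3:X} ({3})" -f
        $DcName, ($missing.Name -join ', '), $uac, $new)

    if ($Repair -and $PSCmdlet.ShouldProcess($dc.DistinguishedName,
            "Set userAccountControl to 0x$($new.ToString('X'))")) {
        # The same attribute write ADSIEDIT performs in the manual procedure.
        Set-ADComputer -Identity $dc -Replace @{ userAccountControl = $new } -Server $DcName
    }
}

# Report only:
Repair-DcUserAccountControl -DcName 'CONTOSO-DC2'
# Preview the write, then drop -WhatIf to apply it:
Repair-DcUserAccountControl -DcName 'CONTOSO-DC2' -Repair -WhatIf
```

Re-run DCDIAG /TEST:MachineAccount on the DC afterwards; the "Typical setting for a DC is 0x82000" warning should no longer appear.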
The userAccountControl attribute on the destination DC is missing the TRUSTED_FOR_DELEGATION flag

If the DCDIAG MachineAccount test fails with "failed test MachineAccount" AND the userAccountControl attribute on the tested DC is missing the TRUSTED_FOR_DELEGATION flag, add the missing flag in the tested DC's copy of Active Directory.

To add the TRUSTED_FOR_DELEGATION flag to the userAccountControl attribute:

1. Start Active Directory Users and Computers (DSA.MSC) on the console of the DC tested by DCDIAG.
2. Right-click the DC computer account, and then click Properties.
3. Click the Delegation tab.
4. Click Trust this computer for delegation to any service (Kerberos only), and click OK.

Fix invalid default security descriptors

Active Directory operations take place in the security context of the account that initiated the operation. Default permissions on Active Directory partitions allow:

- Members of the Enterprise Admins group to initiate ad-hoc replication between any DCs in any domain in the same forest.
- Members of the Built-in Administrators group to initiate ad-hoc replication between domain controllers in the same domain.
- Domain controllers in the same forest to initiate replication using either change notification or the replication schedule.

Default permissions on Active Directory partitions do not allow the following, and by design these operations will fail until the default permissions or group memberships are modified:

- Members of the Built-in Administrators group in one domain cannot initiate ad-hoc replication to DCs in that domain from DCs in different domains.
- Users that are NOT members of the Built-in Administrators group cannot initiate ad-hoc replication from any other DC in the same domain or forest.

Permissions are defined at the top of each directory partition (called a naming context or "NC" head) and inherited throughout the partition tree. Verify that explicit groups (groups the user is a direct member of) and implicit groups (groups the explicit groups are nested in) have the required permissions, and that Deny permissions assigned to implicit or explicit groups are not overriding the required permissions. More information about default directory partition security is available in Default Security of the Configuration Directory Partition (http://technet.microsoft.com/library/cc961739.aspx).

Verify that the default permissions exist at the top of each directory partition that is failing with the "Replication access was denied" error:

- If ad-hoc replication is failing between DCs in different domains, or between DCs in the same domain for non-domain administrators, see the "Grant non-domain admins permissions..." section below.
- If ad-hoc replication is failing for a member of the Enterprise Admins group, focus on the NC head permissions granted to the Enterprise Admins group.
- If ad-hoc replication is failing for members of a Domain Admins group, focus on the permissions granted to the Built-in Administrators security group.
- If scheduled replication initiated by domain controllers in a forest is failing with 8453, focus on the permissions for the Enterprise Domain Controllers and Enterprise Read-Only Domain Controllers security groups.
- If scheduled replication initiated by a read-only domain controller (RODC) is failing with error 8453, verify that the Enterprise Read-only Domain Controllers security group has been granted the required access on the NC head of each directory partition.

The table below shows the default permissions defined on the schema, configuration, domain and DNS application partitions by operating system version:
   DACL required on each directory partition | Windows 2000 | Windows Server 2003 | Windows Server 2008 and later
   Manage Replication Topology | X | X | X
   Replicating Directory Changes | X | X | X
   Replication Synchronization | X | X | X
   Replicating Directory Changes All | | X | X
   Replicating Directory Changes In Filtered Set | | | X
The DCDIAG NcSecDesc test may report false-positive errors when run in environments with mixed operating system versions, as documented in MSKB 829306 (http://support.microsoft.com/kb/829306).

The DSACLS command can be used to dump the permissions on a given directory partition using the syntax "DSACLS <DN path of directory partition>":

    C:\>dsacls dc=contoso,dc=com

The command can be targeted at a remote domain controller using the syntax:

    C:\>dsacls \\contoso-dc2\dc=contoso,dc=com

Be wary of "DENY" permissions on NC heads removing the permissions of groups that the failing user is a direct or nested member of.

Add required permissions that are missing

Use the Active Directory ACL editor in ADSIEDIT.MSC to add the missing DACLs. ACLs can be "restored" to their default settings using the "DSACLS <DN path of directory partition> /S /T" command. Note that /S resets the object's security descriptor to the schema default for its object class and /T applies that to the whole subtree, so any custom delegation in that partition is discarded; keep the current DSACLS output before running it.

Grant non-domain admins permissions to replicate between DCs in the same domain, or non-enterprise administrators to replicate between DCs in different domains

Default permissions on Active Directory partitions do not allow the following, and these operations will fail until the permissions on the directory partitions are modified:

- Members of the Built-in Administrators group in one domain cannot initiate ad-hoc replication from DCs in different domains.
- Users that are NOT members of the built-in Domain Admins group cannot initiate ad-hoc replication between DCs in the same domain or in different domains.

There are two solutions to this problem:

- Add users to existing groups that have already been granted the required permissions to replicate directory partitions (Domain Admins for replication in the same domain, or Enterprise Admins to trigger ad-hoc replication between different domains).
- Or create your own group, grant that group the required permissions on the directory partitions throughout the forest, and then add users to that group. MSKB 303972 (http://support.microsoft.com/kb/303972) describes the process of creating a security group, adding the required members to it, and then granting the group the required DACLs on Active Directory partitions. Grant the security group in question the same permissions listed in the table of the "Fix invalid default security descriptors" section of this article.

Related content:

- MSKB 303305 (http://support.microsoft.com/kb/303305): "Access Denied" Error Message When You Use the Active Directory Sites and Services Tool
- Best Practices for Delegating Active Directory Administration (http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=21678)

Verify group membership in the required security groups

Once the right security groups have been granted the required permissions on the directory partitions, the last remaining task is to verify that the users initiating replication have effective membership, direct or nested, in the security groups that were granted the replication permissions.

1. Log on with the user account for which ad-hoc replication is failing with "Replication access was denied".
2. From a CMD prompt, type "WHOAMI /ALL" and verify membership in the security groups that have been granted the Replicating Directory Changes permission on the relevant directory partitions.
3. If the user was added to the permissioned group after the user's last logon, log on again and retry "WHOAMI /ALL".
4. If "WHOAMI /ALL" still does not show membership in the expected security groups, launch an elevated CMD prompt (right-click Command Prompt and click Run as administrator) on the local machine and run "WHOAMI /ALL" from inside it. If the group membership differs between the output of the elevated and non-elevated prompts, refer to MSKB 976063 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;976063).
5. Verify that the expected nested group memberships exist. If a user obtains the permission to perform ad-hoc replication by being a member of a group that is in turn a member of a group directly granted replication permissions, verify the nested group membership chain. For example, Microsoft CSS has seen ad-hoc AD replication fail because the Domain Admins and Enterprise Admins groups had been removed from the Built-in Administrators group.

RODC replication

If computer-initiated replication is failing on RODCs, verify that you have run ADPREP /RODCPREP as specified in MSKB 967482 (http://support.microsoft.com/kb/967482) AND that the Enterprise Read-only Domain Controllers group has been granted the Replicating Directory Changes right on each NC head.

Office Communications Server

If you notice AD operations failing with 8453 "Replication access was denied" in an existing forest running either Office Communications Server 2005 or Office Communications Server 2007 immediately after the promotion of, or upgrade to, Windows Server 2008 or Windows Server 2008 R2 domain controllers, see these MSKB articles:

- 982020 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;982020): Office Communications Server 2007 R2, OCS 2007 or LCS 2005 does not work correctly after you upgrade to Windows Server 2008 R2
- 982021 (http://support.microsoft.com/default.aspx?scid=kb;EN-US;982021): Supportability is available for Office Communications Server 2007 R2 member server role on a Windows Server 2008 R2 operating system
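The DSACLS dump and the WHOAMI /ALL check above are two halves of one question: which principals hold the replication control-access rights on the NC head, and is the failing account in one of them through its actual token. The following PowerShell is an added example, not code from the original article, that answers both in one pass. It reads the NC head ACL through the AD: drive of the ActiveDirectory module, matches ExtendedRight ACEs against the rightsGuid values of the five control-access rights in the table above (those GUIDs are the schema-defined values, not assumptions; the partition DN is the article's contoso example), and compares the principals to the groups in the caller's current token, which is exactly the set WHOAMI /ALL prints and is subject to the same UAC split-token filtering when the prompt is not elevated. One caveat a practitioner should keep in mind when adding principals per the "Grant non-domain admins permissions" section: Replicating Directory Changes All lets its holder pull secret attributes, including password hashes, for every account in the domain (the DCSync technique), so any custom group granted it is a domain-admin-equivalent and its membership should be audited like one.

```powershell
# Added example, not from the original article: list which principals hold the
# replication control-access rights on an NC head, flag Deny ACEs, and check
# whether the caller's token (direct or nested groups) receives those rights.
#Requires -Modules ActiveDirectory
Import-Module ActiveDirectory   # also mounts the AD: drive used by Get-Acl

# rightsGuid of each control-access right named in the DACL table above.
$ReplRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2' = 'Replication Synchronization'
    '1131f6ac-9c07-11d1-f79f-00c04fc2dcd2' = 'Manage Replication Topology'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

function Get-NcReplicationAces {
    param([Parameter(Mandatory)][string] $PartitionDn)   # e.g. 'DC=contoso,DC=com'

    $acl = Get-Acl -Path "AD:\$PartitionDn"
    foreach ($ace in $acl.Access) {
        # Control-access rights travel as ExtendedRight ACEs (GenericAll includes
        # that bit); an all-zero ObjectType means "every extended right".
        $extended = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
        if (($ace.ActiveDirectoryRights -band $extended) -eq 0) { continue }

        $guid = $ace.ObjectType.ToString()
        if     ($guid -eq [guid]::Empty.ToString()) { $names = $ReplRights.Values }
        elseif ($ReplRights.ContainsKey($guid))     { $names = @($ReplRights[$guid]) }
        else                                        { continue }

        foreach ($name in $names) {
            [pscustomobject]@{
                Partition = $PartitionDn
                Principal = $ace.IdentityReference.Value   # DOMAIN\Group form, as DSACLS prints
                Right     = $name
                Type      = $ace.AccessControlType         # Allow or Deny
            }
        }
    }
}

function Test-CallerReplicationRights {
    param([Parameter(Mandatory)][string] $PartitionDn)

    $aces = Get-NcReplicationAces -PartitionDn $PartitionDn

    # Groups in the caller's current token: the same list WHOAMI /ALL shows, nested
    # groups included and UAC-filtered groups absent when not elevated.
    $id    = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $token = @($id.Name) + @($id.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    })

    foreach ($right in $ReplRights.Values) {
        $allow = @($aces | Where-Object { $_.Right -eq $right -and $_.Type -eq 'Allow' -and $token -contains $_.Principal })
        $deny  = @($aces | Where-Object { $_.Right -eq $right -and $_.Type -eq 'Deny'  -and $token -contains $_.Principal })
        [pscustomobject]@{
            Right     = $right
            Effective = ($allow.Count -gt 0) -and ($deny.Count -eq 0)
            Via       = ($allow.Principal -join ', ')
            DeniedVia = ($deny.Principal  -join ', ')
        }
    }
}

# Who holds replication rights on the domain NC head? Compare against the DACL table.
Get-NcReplicationAces -PartitionDn 'DC=contoso,DC=com' |
    Sort-Object Right, Principal | Format-Table -AutoSize

# Does the account running this get them through its token? Run once from a normal
# prompt and once elevated; a difference points at the UAC split token (MSKB 976063).
Test-CallerReplicationRights -PartitionDn 'DC=contoso,DC=com' | Format-Table -AutoSize
```

Run the first call on each partition that DCDIAG or REPADMIN names as failing; a right that the table marks with X for your OS version but that no expected group holds, or that a Deny ACE covers, is the DACL to repair in ADSIEDIT.MSC.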
See also: Troubleshooting Active Directory operations that fail with error 8453: "Replication access was denied." (http://support.microsoft.com/kb/2022387)