• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 527

Active Directory Replication

Hello,

I am trying to figure out how to give a specific group that I created in AD rights to replicate in Active Directory Sites and Services. The group is not a member of Domain Admins or administrators of any sort. I have delegated specific permissions to this group to be able to do most administration but not have full access. The only thing I can't figure out is how to allow them to replicate. I have already given this group full permissions in the security access list for every Active Directory object and also in Sites and Services. They seem to have the same permissions as Domain Admins but just can't replicate. Please help. Thanks.
Asked: PonyboyCurtis00
1 Solution
 
Jay_Jay70 commented:
Hi PonyboyCurtis00,

What's the error that you get? You may need to add them to the Schema Admins group.
 
PonyboyCurtis00 (Author) commented:
The error is "The following error occurred during the attempt to synchronize naming context (domain name) from domain controller (domain controller name) to domain controller (domain controller name). Replication access was denied. The operation will not continue."

I was thinking of trying to add them to the Schema Admins group, but I need to make sure that they will not have administrator privileges and be able to change permissions in AD.
 
Kini pradeep commented:
Never add any members to the Schema Admins group; they would be able to modify the schema by registering schmmgmt.dll.

Do you get "replication access denied" when logged in as administrator?
Also, are all the DCs in the same domain, or do you have other domains and child domains in the forest?
 
PonyboyCurtis00 (Author) commented:
No, I don't get "replication access denied" when logging on as administrator. I am trying to have tiered levels of administration where some groups can do most administrative tasks without being an administrator. Everything else works except replication.
 
Kini pradeep commented:
This is what I would do.

Step 1.

Create a domain local security group, say "replication admins group". This group has to force replication among DCs, so it has to have permissions on the domain NC, configuration and schema partitions of the domain. I would open adsiedit, expand the domain NC, right-click Dc=test,dc=com and go to its properties, Security, and under Advanced I would add this group: "select this object and all child objects". Give permissions on Read All Properties, Replicating Directory Changes, Replicating Directory Changes All and Replication Synchronization. Do the same on the schema and configuration partitions.

Step 2.

Open dssite.msc, right-click the site and select Delegate. Add the user, select "only the following objects in the folder", select only connection objects, and give read and write, which would select a few more properties.
Once this is done the users of this group should be able to replicate.

It also gave me "access denied" on DomainDnsZones and ForestDnsZones.
Right-click adsiedit, select Connect, connect to dc=domaindnszones,dc=test,dc=com and follow step 1.
You should be able to achieve it.
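The delegation above (Step 1 plus the DomainDnsZones/ForestDnsZones fix), scripted as an added example that is not from the thread: it grants the three replication control rights to a group on every partition head and then lists who holds them, which is the check a defender wants because Replicating Directory Changes All lets the holder read password hashes (the "DCSync" right), so the group must be treated as Tier 0. The group name "Replication Admins" is an assumption; the GUIDs are the well-known controlAccessRight values, and the AD: drive comes from the RSAT ActiveDirectory module.

```powershell
# Added example, not the thread's own steps. Assumed group: 'Replication Admins'.
# Run as a Domain/Enterprise Admin on a host with the ActiveDirectory module.
Import-Module ActiveDirectory

# Well-known extended-right GUIDs (controlAccessRight rightsGuid values).
$ReplRights = @{
    'DS-Replication-Get-Changes'     = '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'DS-Replication-Get-Changes-All' = '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # exposes secrets
    'DS-Replication-Synchronize'     = '1131f6ab-9c07-11d1-f79f-00c04fc2dcd2'
}
$RightName = @{}
$ReplRights.GetEnumerator() | ForEach-Object { $RightName[$_.Value] = $_.Key }

$rootDse = Get-ADRootDSE
# Domain, Configuration, Schema, plus the two DNS application partitions from the thread.
$Partitions = @(
    $rootDse.defaultNamingContext
    $rootDse.configurationNamingContext
    $rootDse.schemaNamingContext
    "DC=DomainDnsZones,$($rootDse.defaultNamingContext)"
    "DC=ForestDnsZones,$($rootDse.rootDomainNamingContext)"
)

function Grant-ReplicationRights {
    param([string]$GroupName, [string[]]$NamingContexts)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    foreach ($nc in $NamingContexts) {
        $acl = Get-Acl -Path "AD:\$nc"
        foreach ($guid in $ReplRights.Values) {
            # Replication rights are checked on the partition head, so no inheritance is needed.
            $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
                [System.Security.AccessControl.AccessControlType]::Allow,
                [guid]$guid,
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
            $acl.AddAccessRule($ace)
        }
        Set-Acl -Path "AD:\$nc" -AclObject $acl
    }
}

function Get-ReplicationRightHolders {
    # Defender check: every principal that may pull replication data from this partition.
    param([string]$NamingContext)
    (Get-Acl -Path "AD:\$NamingContext").Access |
        Where-Object { $RightName.ContainsKey($_.ObjectType.ToString()) } |
        Select-Object IdentityReference, AccessControlType, IsInherited,
            @{ Name = 'Right'; Expression = { $RightName[$_.ObjectType.ToString()] } }
}

Grant-ReplicationRights -GroupName 'Replication Admins' -NamingContexts $Partitions
$Partitions | ForEach-Object { Get-ReplicationRightHolders -NamingContext $_ } | Format-Table -AutoSize
```

Step 2 of the thread (the dssite.msc delegation on connection objects) is not automated here. Auditing "Directory Service Access" so that 4662 events carry these GUIDs makes any later use of the rights visible in the security log.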
 
Jay_Jay70 commented:
I am well aware of what the Schema Admins group does.

Very interested if your solution works; I wasn't aware you could delegate in S&S.
 
Kini pradeep commented:
Did it work?
 
ccovell commented:
I've tried to implement the same solution, only I cannot modify the permissions of the Schema in ADSI. No group or user has full control over the Schema, so I cannot add myself to the access list despite being an Enterprise Admin. Does the solution require the replication group to be given the three replication permissions on the Schema to work, or will the Configuration and Domain be sufficient?