• Status: Solved

"Access Denied" issues with new Windows Server 2008 R2 domain controller

I have a single domain with 3 domain controllers (all Server 2003).  We added a new Server 2008 server to the domain and promoted it to a Domain Controller and everything seemed to go well with no errors.  We transferred all FSMO roles to the new server.

After a couple of days, we noticed that replication wasn't happening completely between the original servers and the new one. Also, there is nothing in the SYSVOL folder on this server.
- DNS is set up and running on the 2008 server but fails when testing recursive queries.
- When we try to do a 'replicate now' from AD Sites and Services, we get an 'Access Denied' error.
- DCDIAG commands show "<servername> directory binding error - Access Denied"; we also get the error "DsBindwithSpnEx failed with error 5".
- Repadmin /showrepl results in "DsBindwithCred to localhost failed with status 5".

What is causing this and how can we get this DC fully functioning?
1 Solution
Manjunath Sullad (Technical Consultant) commented:
1.     Check the time skew between domain controllers

2.     Ensure the Kerberos Key Distribution Center (KDC) service is started.

3.     Ensure the Trust computer for delegation check box is selected on the General tab of the domain controller Properties dialog box in Active Directory Users and Computers.

4.     Using Adsiedit or Ldp (both included in the Windows Support Tools), confirm that the userAccountControl attribute is set to 532480. To check this, perform the following steps:

1)    Type adsiedit.msc from Start, and then click Run.

2)    Expand the Domain NC container.

3)    Expand the object below, i.e. DC=Contoso, DC=COM

4)    Expand OU=Domain Controllers

5)    Right-click CN=<domain_controller>, and select Properties

6)    Under Select a property to view, select userAccountControl and verify the value is 532480

There might be an issue with the local disk. Please perform chkdsk, and also verify that the local group policy file has not been corrupted.

Manjunath S
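One way to check the three conditions in this answer (time skew, KDC service, userAccountControl) from an elevated PowerShell prompt on the new DC. This is an added example and not code from the thread; it assumes the ActiveDirectory module is available, and DC01 is a placeholder name for a healthy existing DC to compare clocks against.

```powershell
# Added example: verifies the answer's checks on a DC. $PeerDc is a placeholder.
param(
    [string]$NewDc  = $env:COMPUTERNAME,
    [string]$PeerDc = 'DC01'   # placeholder: a known-good existing DC
)
Import-Module ActiveDirectory

# 1. Time skew against a peer DC (Kerberos tolerates 5 minutes by default).
#    /dataonly prints one line per sample, e.g. "12:00:01, +00.0123456s".
$line = w32tm /stripchart /computer:$PeerDc /samples:1 /dataonly | Select-Object -Last 1
if ($line -match '([+-]\d+\.\d+)s') {
    $skew = [math]::Abs([double]$Matches[1])
    $verdict = if ($skew -gt 300) { 'EXCEEDS 5 min Kerberos tolerance' } else { 'OK' }
    "Clock offset vs ${PeerDc}: $skew s ($verdict)"
}

# 2. KDC service state on the new DC.
$kdc = Get-Service -Name Kdc -ComputerName $NewDc
"Kdc service on ${NewDc}: $($kdc.Status)"

# 3. userAccountControl: 532480 = 0x82000, i.e. the two bits a DC account must carry.
$flags = @{
    SERVER_TRUST_ACCOUNT   = 0x2000    # 8192   - marks the account as a DC
    TRUSTED_FOR_DELEGATION = 0x80000   # 524288 - "Trust computer for delegation" checkbox
}
$expected = 0
$flags.Values | ForEach-Object { $expected = $expected -bor $_ }   # 0x82000 = 532480

$uac = (Get-ADComputer -Identity $NewDc -Properties userAccountControl).userAccountControl
"userAccountControl on ${NewDc}: $uac (0x{0:X})" -f $uac
foreach ($f in $flags.GetEnumerator()) {
    $state = if (($uac -band $f.Value) -ne 0) { 'set' } else { 'MISSING' }
    "  {0,-24} {1}" -f $f.Key, $state
}
if ($uac -ne $expected) {
    Write-Warning "Expected $expected (532480); the DC account has extra or missing bits."
}
```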
Sandeshdubey (Senior Server Engineer) commented:
For SYSVOL replication you need to perform a non-authoritative restore of SYSVOL (D2) on the new DC where the SYSVOL data is missing. Refer to the link below: http://support.microsoft.com/kb/290762

Ensure correct DNS settings on the DCs, as described here: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

Since you are getting access denied, ensure you are using a domain admin account to force the replication. If the issue still persists, reset the secure channel of the DC and check again: http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/

First fix the replication issue, then perform the non-authoritative restore of SYSVOL.
Sarang Tinguria (Sr Engineer) commented:
Silly but mandatory: have you opened the command prompt with Run As "administrator"?
sepparker (Author) commented:
Thanks for the responses.  Thanks especially to WyoComputers as the first link provided was the solution:

I disabled those RPC policies on the DC and rebooted and it immediately began replicating and communicating.

DNS still fails to do recursive queries, so that is still an issue, but our big issue is resolved.  Thanks.
sepparker (Author) commented:
Thanks.  The first link resolved our main issue.  I disabled the two RPC policies that were set in the local policy of the server and after a reboot it began replicating.  Sweet!