"Access Denied' issues with new Windows Server 2008 R2 domain controller

I have a single domain with 3 domain controllers (all Server 2003).  We added a new Server 2008 server to the domain and promoted it to a Domain Controller and everything seemed to go well with no errors.  We transferred all FSMO roles to the new server.

After a couple of days -- we noticed that replication wasn't happening completely between the original servers and the new one.  Also, there is nothing in the SYSVOL folder on this server.
-DNS is setup and running on the 2008 server but fails when testing recursive queries.  
-When we try to do a 'replicate now' from AD Sites and Services - we get 'Access Denied' error
-DCDIAG commands show "<servername> directory binding error - Access Denied" also we get an error "DsBindwithSpnEx failed with error 5".
-Repadmin /showrepl commands results in "DsBindwithCred to localhost failed with status 5.

What is causing this and how can we get this DC fully functioning?  
Thanks.
sepparkerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Manjunath SulladTechnical ConsultantCommented:
1.     Check the time skew between domain controllers

2.     Ensure the Kerberos Key Distribution Center (KDC) service is started.

3.     Ensure the Trust computer for delegation check box is selected on the General tab of the domain controller Properties dialog box in Active Directory Users and Computers.

4.     Using Adsiedit or Ldp (both included in the Windows Support Tools), confirm that the userAccountControl attribute is set to 532480. To check this, perform the following steps

 
1)    Type adsiedit.msc from Start, and then click Run.

2)    Expand the Domain NC container.

3)    Expand the object below, i.e. DC=Contoso, DC=COM

4)    Expand OU=Domain Controllers

5)    Right-click CN=<domain_controller>, and select Properties

6)    Under Select a property to view, select userAccountControl and verify the value is 532480


There might be issue with local disk, Please perform chkdisk, also verify local group policy file has not been corrupted or not.

Regards,
Manjunath S
1
SandeshdubeySenior Server EngineerCommented:
For sysvol replication you need to perfrom non authorative restore of sysvol(d2) on new DC where sysvol data is missing.Refer below link:http://support.microsoft.com/kb/290762

Ensure correct dns setting on DCs as this http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

You are getting access denied ensure you are using domain admin account to force the replication.If still issue persist reset the secure channel of DC and checks.http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/.

First fix replication issue then perform non authorative restore of sysvol.
0
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

Life1430Commented:
silly but mandatory ..have you opened command prompt in Run As "administrator"
0
sepparkerAuthor Commented:
Thanks for the responses.  Thanks especially to WyoComputers as the first link provided was the solution:

http://blogs.technet.com/b/askds/archive/2011/04/08/restrictions-for-unauthenticated-rpc-clients-the-group-policy-that-punches-your-domain-in-the-face.aspx

I disabled those RPC policies on the DC and rebooted and it immediately began replicating and communicating.

DNS still fails to do recursive queries --so that is still an issue but our big issue is resolved.  Thanks.
0
sepparkerAuthor Commented:
Thanks.  The first link resolved our main issue.  I disabled the two RPC policies that were set in the local policy of the server and after a reboot it began replicating.  Sweet!
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.