"Access Denied" issues with new Windows Server 2008 R2 domain controller

sepparker asked:
I have a single domain with 3 domain controllers (all Server 2003).  We added a new Server 2008 server to the domain and promoted it to a Domain Controller and everything seemed to go well with no errors.  We transferred all FSMO roles to the new server.

After a couple of days -- we noticed that replication wasn't happening completely between the original servers and the new one.  Also, there is nothing in the SYSVOL folder on this server.
- DNS is set up and running on the 2008 server but fails when testing recursive queries.
- When we try to do a 'replicate now' from AD Sites and Services, we get an 'Access Denied' error.
- DCDIAG commands show "<servername> directory binding error - Access Denied"; we also get the error "DsBindwithSpnEx failed with error 5".
- Repadmin /showrepl commands result in "DsBindwithCred to localhost failed with status 5".

What is causing this and how can we get this DC fully functioning?  
Manjunath Sullad, Technical Consultant:

1. Check the time skew between domain controllers.

2. Ensure the Kerberos Key Distribution Center (KDC) service is started.

3. Ensure the "Trust computer for delegation" check box is selected on the General tab of the domain controller's Properties dialog box in Active Directory Users and Computers.

4. Using Adsiedit or Ldp (both included in the Windows Support Tools), confirm that the userAccountControl attribute is set to 532480. To check this, perform the following steps:

1) Type adsiedit.msc from Start, and then click Run.

2) Expand the Domain NC container.

3) Expand the object below it, i.e. DC=Contoso, DC=COM.

4) Expand OU=Domain Controllers.

5) Right-click CN=<domain_controller>, and select Properties.

6) Under "Select a property to view", select userAccountControl and verify the value is 532480.

There might be an issue with the local disk. Please run chkdsk, and also verify that the local group policy file has not been corrupted.

Manjunath S
Sandesh Dubey, Technical Lead:

For SYSVOL replication you need to perform a non-authoritative restore of SYSVOL (D2) on the new DC where the SYSVOL data is missing. Refer to this link: http://support.microsoft.com/kb/290762

Ensure correct DNS settings on the DCs as described here: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

If you are getting access denied, ensure you are using a domain admin account to force the replication. If the issue still persists, reset the secure channel of the DC and check again: http://sandeshdubey.wordpress.com/2011/10/02/secure-channel-between-the-dcs-broken/

First fix the replication issue, then perform the non-authoritative restore of SYSVOL.

Top Expert 2012

Silly but mandatory: have you opened the command prompt with Run As "administrator"?


Thanks for the responses.  Thanks especially to WyoComputers as the first link provided was the solution:


I disabled those RPC policies on the DC and rebooted and it immediately began replicating and communicating.

DNS still fails to do recursive queries, so that is still an issue, but our big issue is resolved. Thanks.


Thanks.  The first link resolved our main issue.  I disabled the two RPC policies that were set in the local policy of the server and after a reboot it began replicating.  Sweet!
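As an added example (not code from this thread or from any of the posters), a PowerShell script that automates Manjunath's checklist above and the RPC-policy review the asker describes: it enumerates every DC from AD, verifies userAccountControl is 532480, measures clock skew, confirms the KDC service is running, and reads the RPC policy values under the Policies registry key. The value names RestrictRemoteClients and EnableAuthEpResolution are my assumption about which "RPC policies" the thread means; the thread itself does not name them. It assumes an elevated prompt on a domain-joined host, run as a domain admin.

```powershell
# Added example: run the thread's checks against every DC in the domain.
$root = [ADSI]"LDAP://RootDSE"
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]("LDAP://" + $root.defaultNamingContext)
# 8192 = SERVER_TRUST_ACCOUNT; the bitwise-AND matching rule selects every DC
$searcher.Filter = "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))"
[void]$searcher.PropertiesToLoad.AddRange(@("dNSHostName", "userAccountControl"))

foreach ($dc in $searcher.FindAll()) {
    $name = [string]$dc.Properties["dnshostname"][0]
    $uac  = [int]$dc.Properties["useraccountcontrol"][0]
    Write-Host "== $name =="

    # 1. 532480 = 8192 (SERVER_TRUST_ACCOUNT) + 524288 (TRUSTED_FOR_DELEGATION),
    #    i.e. a DC with "Trust computer for delegation" ticked.
    if ($uac -ne 532480) { Write-Warning "userAccountControl is $uac, expected 532480" }
    else { Write-Host "userAccountControl OK (532480)" }

    # 2. Clock skew: Kerberos tolerates 5 minutes by default.
    try {
        $os = Get-WmiObject Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
        $remoteNow = $os.ConvertToDateTime($os.LocalDateTime)
        $skew = [math]::Abs(($remoteNow - (Get-Date)).TotalSeconds)
        if ($skew -gt 300) { Write-Warning ("clock skew {0:N0}s vs this host" -f $skew) }
        else { Write-Host ("clock skew {0:N0}s OK" -f $skew) }
    } catch { Write-Warning "could not query time via WMI: $_" }

    # 3. The KDC service must be running on every DC.
    $kdc = Get-Service -Name kdc -ComputerName $name -ErrorAction SilentlyContinue
    if ($kdc -and $kdc.Status -eq "Running") { Write-Host "KDC running" }
    else { Write-Warning "KDC service not running or not reachable" }

    # 4. RPC hardening policy values (assumed to be the "RPC policies" the thread
    #    mentions). Any value present here was pushed by policy and is worth
    #    reviewing on a DC that reports Access Denied on DsBind.
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey("LocalMachine", $name)
        $rpc  = $hklm.OpenSubKey("SOFTWARE\Policies\Microsoft\Windows NT\Rpc")
        if ($rpc) {
            foreach ($v in "RestrictRemoteClients", "EnableAuthEpResolution") {
                $val = $rpc.GetValue($v)
                if ($val -ne $null) { Write-Warning "RPC policy $v = $val is set" }
            }
        } else { Write-Host "no RPC policy key present" }
    } catch { Write-Warning "could not read remote registry: $_" }
}
```

The remote registry read needs the Remote Registry service on the target DC; a warning there means the check could not run, not that the policy is absent.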
