Howto: Delegate “replicate now” without “Replication Access was denied”

We were asked by a customer how to delegate the “replicate now” function of Active Directory Sites and Services to a dedicated group. They had already tried the Active Directory “Delegation of Control” wizard, but it did not work; they always received the message:

The following error occurred during the attempt to synchronize naming context domain.tld from Domain Controller DC1 to Domain Controller DC2: Replication access was denied. This operation will not continue.

So we worked out which right a delegated group needs in order to use that function:

  1. Open ADSI Edit.
  2. Connect to the following five partitions:
    DC=ForestDnsZones,DC=domain,DC=tld
    DC=DomainDnsZones,DC=domain,DC=tld
    CN=Schema,CN=Configuration,DC=domain,DC=tld
    CN=Configuration,DC=domain,DC=tld
    DC=domain,DC=tld
    (We used an account that was Domain Admin, Enterprise Admin and Schema Admin.)
  3. In each of these partitions, right-click the root object and open Properties.
  4. On the Security tab, click Advanced, click Add, type in the group that should receive the delegated right and click OK.
  5. Ensure that “Apply to” is set to “This object and all descendant objects”.
  6. Find “Replication synchronization” in the permission list below and check its Allow box.
  7. Click OK twice.

You are done once you have done this in all five partitions. Note that “Replication synchronization” is the only right the group needs for “replicate now”. Do not grant “Replicating Directory Changes” or “Replicating Directory Changes All” to make the error go away: those rights let the group pull every attribute, including password hashes, out of the directory (the DCSync technique), which is far more than replication triggering requires.
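The same delegation as a script, added here as an example and not part of the original post. It assumes the RSAT ActiveDirectory PowerShell module, an account that can write the ACLs of every partition (the post used Domain, Enterprise and Schema Admin), and a placeholder group name DL-ReplicateNow. Instead of typing the five partitions by hand it reads the naming contexts from rootDSE, so it also covers forests with more application partitions than the five listed above, and it verifies the ACE after writing it.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory
# module; the group name below is a placeholder.
Import-Module ActiveDirectory

$GroupName = 'DL-ReplicateNow'   # assumption: replace with the group to delegate to
$RootDse   = Get-ADRootDSE

# Resolve the "Replication synchronization" extended right from the schema
# (controlAccessRight object DS-Replication-Synchronize) rather than trusting a
# hard-coded GUID, then cross-check it against the well-known value.
$ReplSync = Get-ADObject -SearchBase $RootDse.configurationNamingContext `
    -LDAPFilter '(&(objectClass=controlAccessRight)(name=DS-Replication-Synchronize))' `
    -Properties rightsGuid, displayName
$ReplSyncGuid = [guid]$ReplSync.rightsGuid
if ($ReplSyncGuid -ne [guid]'1131f6ab-9c07-11d1-f79f-00c04fc2dcd2') {
    throw "Unexpected rightsGuid for DS-Replication-Synchronize: $ReplSyncGuid"
}

$GroupSid = (Get-ADGroup -Identity $GroupName).SID

function Grant-ReplSync {
    param([string]$NamingContext)
    # The ActiveDirectory module exposes every naming context under the AD: drive.
    $path = "AD:\$NamingContext"
    $acl  = Get-Acl -Path $path
    # Allow ExtendedRight for exactly this one control access right, inherited
    # to all descendants ("This object and all descendant objects" in the GUI).
    # Deliberately NOT DS-Replication-Get-Changes / -Get-Changes-All: those
    # would allow DCSync-style extraction of password hashes.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $GroupSid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ReplSyncGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Test-ReplSync {
    param([string]$NamingContext)
    # Returns $true when an Allow ACE for the group on this extended right exists.
    $acl  = Get-Acl -Path "AD:\$NamingContext"
    $hits = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $ReplSyncGuid -and
        (($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $GroupSid
    })
    return ($hits.Count -gt 0)
}

# rootDSE namingContexts lists every partition this DC holds: the domain,
# Configuration, Schema and the DomainDnsZones/ForestDnsZones application
# partitions (the five from the post), plus any additional ones.
foreach ($nc in $RootDse.namingContexts) {
    Grant-ReplSync -NamingContext $nc
    if (Test-ReplSync -NamingContext $nc) {
        Write-Host "Replication synchronization granted to $GroupName on $nc"
    } else {
        Write-Warning "ACE not found on $nc after Set-Acl; check permissions on that partition"
    }
}
```

Run it once on a DC (or a machine with RSAT) as the privileged account; the Test-ReplSync loop is also a quick way to audit later which partitions still carry the delegation. The equivalent one-off command per partition with the built-in tool is `dsacls "DC=domain,DC=tld" /I:T /G "domain\DL-ReplicateNow:CA;Replication Synchronization"`, where /I:T corresponds to “This object and all descendant objects”.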