Hi everyone, been over to another school in the area for the past couple of days and although we've solved a few of the issues so far, there's one that is still plaguing us and that is the replication between the two new domain controllers. They have recently been promoted, and the old Server 2003 DCs demoted, but now there are a number of things that have been left not working.

In terms of replication, we're all finding it a bit odd. If a file is created on DC1, it is replicated to DC2. If it is created on DC2, it is replicated to DC1. Same goes for deleting it. If we change the contents of a file on DC1, changes are then replicated to DC2; however, if the changes are made on DC2, they are not replicated to DC1. This is causing a massive headache as, as far as we can tell, everything looks right with the exception of the following:
Running the dcdiag command on both servers results in this appearing in the output and I assume this is the cause of the problem, but I can't see why that would be.
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set access rights for the naming context:DC=DomainDnsZones,DC=localdomain,DC=local
Now, we found this which suggests making changes to permissions in ADSIEdit for the domain's own naming context; does that mean that the DC=DomainDnsZones,DC=localdomain,DC=local is just a representation of that, or should I be looking for that specifically? We've checked the permissions in ADSIEdit as they are and the ENTERPRISE DOMAIN CONTROLLERS group has the Replicating Directory Changes In Filtered Sets access rights, so we are left somewhat confused by this.
If anyone can help point us in the right direction, I would be grateful as solving this would leave us with a much smaller list of things to do. Cheers.
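The NCSecDesc test reports per naming context, so the ACL to read is the one on the partition named in the error. The following is an added example, not part of the original post: a read-only PowerShell check for the replication rights on that object. It assumes the ActiveDirectory module (RSAT) is available and uses the naming context exactly as it appears in the dcdiag output above.

```powershell
# Added example: read-only check, changes nothing in the directory.
Import-Module ActiveDirectory

# Naming context copied from the dcdiag NCSecDesc error on this page.
$nc = 'DC=DomainDnsZones,DC=localdomain,DC=local'

# Control access right GUIDs (rightsGuid) for the replication rights.
$rights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

# Well-known SID of NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS.
$edcSid  = 'S-1-5-9'
$sidType = [System.Security.Principal.SecurityIdentifier]
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# Read the security descriptor on the head of the naming context.
$acl = Get-Acl -Path "AD:\$nc"

# Ask for rules with SID identities so no name translation is needed.
# Only ACEs that name one of the rights explicitly are matched here.
$hits = foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
    $guid = $ace.ObjectType.ToString()
    if ($ace.IdentityReference.Value -ne $edcSid) { continue }
    if (-not ($ace.ActiveDirectoryRights -band $extRight)) { continue }
    if (-not $rights.ContainsKey($guid)) { continue }

    [pscustomobject]@{
        Right     = $rights[$guid]
        Type      = $ace.AccessControlType   # Allow or Deny
        Inherited = $ace.IsInherited
    }
}

if ($hits) {
    $hits | Sort-Object Right | Format-Table -AutoSize
} else {
    Write-Output "No explicit replication-right ACE for $edcSid on $nc"
}
```

Running it on each domain controller, and again with `$nc` set to the domain's own naming context, shows which object actually carries the ACE that was seen in ADSIEdit.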
From what you're saying, the problem appears to be with DC2. If they're on the same domain, I would try demoting DC2 and then re-promoting it.
If they're on different domains (with a trust), then I suggest you re-promote your 2003 server, unless you've raised the functional level to 2008? There is little to gain from raising it from 2003 to 2008.
In theory, demoting and re-promoting DC2 should do the trick. Keep us posted.