
Fixing Replication Security Problems

Bill Mathers|Last Updated: 2/10/2017
5 Contributors

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This section provides a description of security problems that you might experience when Active Directory replication is enabled. When security problems cause replication to fail, various event log messages and Repadmin messages contain error codes that identify the problems.

The Dcdiag.exe tool reports on the overall health of replication with respect to Active Directory Domain Services (AD DS). Dcdiag detects common causes of "Access denied" events, "Account unknown" events, and similar events. The Dcdiag security test was introduced in Windows Server 2003 with Service Pack 1 (SP1). It is not available in earlier versions of Windows Server.

The error codes that Dcdiag detects are described in the following table. Error codes that are marked with an asterisk (*) are not always caused by a security problem.

| Error code | Description |
|---|---|
| 5 | Access is denied. |
| 1314 | A required privilege is not held by the client. |
| 1326 | Logon failure: unknown user name or bad password. |
| 1396 | Logon failure: The target account name is incorrect. |
| 1908 | Could not find the domain controller for this domain. |
| 1397 | Mutual authentication failed. The server's password is out of date at the domain controller. |
| 1398 | There is a time and/or date difference between the client and server. |
| 1722 | The remote procedure call (RPC) server is unavailable. |
| 2202 | The specified username is invalid. |
| 8453 | Replication access was denied. |

To diagnose and fix replication security problems, use the procedures in the topic: An "Access denied" or other security error has caused replication problems.
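
As an added example (not part of the original Microsoft page), the following PowerShell sketch picks out replication links whose last failure status is one of the codes in the table above and prints the matching Dcdiag security test command for each failing pair. The sample CSV is constructed, with hypothetical names DC01 to DC04 and example.test; it assumes the column layout of `repadmin /showrepl * /csv`, and the function name `Get-ReplSecurityFailure` is hypothetical.

```powershell
# Error codes from the table above: the codes the Dcdiag security test detects.
$SecurityCodes = @{
    5    = 'Access is denied.'
    1314 = 'A required privilege is not held by the client.'
    1326 = 'Logon failure: unknown user name or bad password.'
    1396 = 'Logon failure: The target account name is incorrect.'
    1908 = 'Could not find the domain controller for this domain.'
    1397 = 'Mutual authentication failed. The server''s password is out of date at the domain controller.'
    1398 = 'There is a time and/or date difference between the client and server.'
    1722 = 'The remote procedure call (RPC) server is unavailable.'
    2202 = 'The specified username is invalid.'
    8453 = 'Replication access was denied.'
}

# Constructed sample in the column layout of "repadmin /showrepl * /csv".
# On a domain-joined admin host, use instead:  $csv = repadmin /showrepl * /csv
$csv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,SiteA,DC01,"DC=example,DC=test",SiteA,DC02,RPC,0,0,2017-02-10 09:00:00,0
showrepl_INFO,SiteA,DC01,"DC=example,DC=test",SiteB,DC03,RPC,12,2017-02-10 09:05:00,2017-02-09 21:00:00,8453
showrepl_INFO,SiteA,DC02,"DC=example,DC=test",SiteB,DC03,RPC,3,2017-02-10 09:06:00,2017-02-10 07:00:00,1398
showrepl_INFO,SiteB,DC03,"DC=example,DC=test",SiteA,DC04,RPC,7,2017-02-10 09:07:00,2017-02-08 11:00:00,1256
'@

function Get-ReplSecurityFailure {
    param([Parameter(Mandatory)] $Csv)
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $code = [int]$row.'Last Failure Status'
        # Skip healthy links (status 0) and failures outside the Dcdiag security set.
        if ($code -eq 0 -or -not $SecurityCodes.ContainsKey($code)) { continue }
        [pscustomobject]@{
            Destination = $row.'Destination DSA'
            Source      = $row.'Source DSA'
            Failures    = [int]$row.'Number of Failures'
            Code        = $code
            Description = $SecurityCodes[$code]
            # Follow-up: run the Dcdiag security test against the failing pair.
            NextStep    = "dcdiag /test:CheckSecurityError /s:$($row.'Destination DSA') /ReplSource:$($row.'Source DSA')"
        }
    }
}

Get-ReplSecurityFailure -Csv $csv | Sort-Object Failures -Descending | Format-List
```

With the constructed sample, the 8453 and 1398 links are reported and the 1256 link is skipped because that code is not in the table. A match is a starting point for the Dcdiag test rather than proof of a security cause, since the page notes that some of these codes are not always caused by a security problem.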