I have had the same problem but with Windows 2000 Server, not NT. Replication to another server went south in June. I followed Windows Knowledge Base to correct the problem but now the only way my domain can receive scripts and policies is through the BDC, which also has 2000 Server. If that one goes down I am going to be up the creek without a paddle. I believe this one is an OS problem but why all of a sudden when it has been working for 3 years?
DNA_Splitter
1 Message
0
September 8th, 2000 13:00
=====
In Windows NT 4.0, a new feature was introduced to restrict remote users from
accessing a computer's registry unless the administrator of that computer
explicitly grants the remote user access by setting the permission on a new
registry key. This can prevent directory replication.
When the replication interval passes, the import computer reads the registry of
the export server to determine replication parameters. By default, only the
Administrators group has permission to remotely access the registry. If no other
groups or users were specified in the access control list, or if the registry
path is not specified as an allowed path, the account used for replication is
denied access and replication fails.
WORKAROUND
==========
For Directory Replication to work properly, an explicit user account must be
used. Using the System account will fail. For more information on how to create
an explicit user account for Directory Replication, see the following article in
the Microsoft Knowledge Base:
Q132522 Quick Directory Replication Troubleshooting Tip
WARNING: Using Registry Editor incorrectly can cause serious problems that may
require you to reinstall Windows. Microsoft cannot guarantee that problems
resulting from the incorrect use of Registry Editor can be solved. Use Registry
Editor at your own risk.
For information about how to edit the registry, view the "Changing Keys And
Values" online Help topic in Registry Editor (Regedit.exe) or the "Add and
Delete Information in the Registry" and "Edit Registry Data" online Help topics
in Regedt32.exe. Note that you should back up the registry before you edit it.
1. Start the Windows NT Registry Editor (Regedt32.exe) on the export server.
2. Go to the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
\SecurePipeServers\winreg\AllowedPaths
NOTE: The above registry key is one path; it has been wrapped for readability.
3. Double-click the Machine:REG_MULTI_SZ value and add the following string
under that last entry:
System\CurrentControlSet\Services\Replicator
4. Restart the computer.
Windows NT 4.0 SP3 updates the AllowedPaths key.
For additional information about the purpose and function of the winreg and
AllowedPaths keys, please see the following article in the Microsoft Knowledge
Base:
Q143474 Information Available to Anonymous Logon Users
STATUS
======
Microsoft has confirmed this to be a problem in Windows NT version 4.0. We are
researching this problem and will post new information here in the Microsoft
Knowledge Base as it becomes available.
======================================================================
Keywords : kbnetwork ntdomain kbbug4.00 ntgeneral NTSrvWkst
Version : WinNT:4.0
Platform : winnt
Hardware : ALPHA PPC x86
Issue type : kbbug
=============================================================================
Copyright Microsoft Corporation 1999.
sburkett
2 Posts
0
September 28th, 2004 17:00
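
The check and change from steps 1 to 4 of the KB article quoted above, as an added PowerShell example that is not part of the original posts or of Microsoft's article. It assumes a Windows host with PowerShell and an elevated session on the export server (the article itself uses Regedt32.exe); the `-Apply` switch and the backup file name are choices made for this example.

```powershell
# Added example: audit, and optionally apply, the AllowedPaths entry from the KB steps.
# Assumption: run elevated on the export server, on a Windows version that has PowerShell.
param([switch]$Apply)

$winreg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
$allowed = Join-Path $winreg 'AllowedPaths'
$needed  = 'System\CurrentControlSet\Services\Replicator'

# The ACL on the winreg key decides which accounts may open the registry remotely.
# Review it before widening anything: by default only Administrators is expected here.
(Get-Acl -Path $winreg).Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType |
    Format-Table -AutoSize

# The Machine REG_MULTI_SZ value holds the allowed paths edited in step 3.
$current = @((Get-ItemProperty -Path $allowed -Name Machine -ErrorAction Stop).Machine)
Write-Output 'Current allowed paths:'
$current | ForEach-Object { "  $_" }

if ($current -contains $needed) {
    # -contains compares strings case-insensitively, like registry paths
    Write-Output "Already present: $needed"
}
elseif ($Apply) {
    # Back up the key first, as the article advises before any registry edit.
    $backup = Join-Path $env:TEMP 'AllowedPaths-backup.reg'
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths' $backup /y |
        Out-Null

    # Append after the last existing entry; existing entries are kept unchanged.
    Set-ItemProperty -Path $allowed -Name Machine -Value ($current + $needed) -Type MultiString
    Write-Output "Added: $needed (backup: $backup). Restart the computer, per step 4."
}
else {
    Write-Output "Missing: $needed (re-run with -Apply to add it)"
}
```

Run without `-Apply` first: the output shows both the accounts granted remote registry access and every path already listed as allowed, so the change adds only the Replicator path and nothing broader.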