JSI Tip 9147. When you attempt to replicate Active Directory to a Windows Server 2003 SP1 domain controller, you receive 'access is denied'?

When you perform the subject action, the destination domain controller receives:

access is denied

This behavior will occur if the RestrictRemoteClients Value Name at
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Rpc is set to 2. The possible settings are:

0 - RPC_RESTRICT_REMOTE_CLIENT_NONE causes the system to bypass the new RPC restriction, equivalent to the behavior of previous versions of Windows.

1 - RPC_RESTRICT_REMOTE_CLIENT_DEFAULT is the default value in Windows XP SP2, which restricts access to all RPC interfaces. All remote anonymous calls are rejected by the RPC runtime. If an interface registers a security callback and provides the RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag, that interface is exempt from this restriction.

2 - RPC_RESTRICT_REMOTE_CLIENT_HIGH is the same as 1, except that RPC_IF_ALLOW_CALLBACKS_WITH_NO_AUTH flag does NOT exempt an interface, preventing the system from receiving remote anonymous calls using RPC.

Active Directory replication fails because a 2 requires that RPC traffic be authenticated. You may also experience problems with other RPC services on this domain controller.

To workaround this difficulty:

1. Start / Run / firewall.cpl / OK.

2. Select the Exceptions tab.

3. Press Add Port.

4. Type TCP 135 into the Name box, because port 135 is block by default on Windows Server 2003 SP1.

5. Type 135 into the Port number box.

6. Press TCP and press OK.

7. Check the box next to the new port and press OK.

. 8. Open a CMD.EXE window.

9. Type one of the following commands and press Enter.

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /V RestrictRemoteClients /T REG_DWORD /F /D 0


reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Rpc" /V RestrictRemoteClients /T REG_DWORD /F /D 1

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.