After you upgrade to Windows 2000 and promote your domain controllers, replication may fail?
When you run DCDIAG /test:Replications on a domain controller, your output is similar to:
Testing server: <DomainName>\<ServerName1>
Starting test: Replications
* Replications Check
\[Replications Check,<ServerName1>\] A recent replication attempt failed:
From <ServerName2> to <ServerName1>
Naming Context: CN=Schema,CN=Configuration,DC=<DomainName>,DC=com
The replication generated an error (5):
Access is denied.
The failure occurred at 2002-03-27 13:54.10.
The last success occurred at 2002-03-26 23:19.51.
7 failures have occurred since the last success.
You will probably receive other error messages as a result of this failure.
It is likely that the computer account for a domain controller does NOT have the right to access the computer from the network. If you removed the Everyone group from the Access this computer from the network right prior to the upgrade, you will experience this failure because the Windows 2000 domain controller computer account does NOT receive the Authenticated Users group SID.
If you haven't upgraded yet, use User Manager for Domains to grant the Everyone group the Access this computer from the network right, prior to upgrading.
If you have already upgraded and are experiencing this failure:
1. Open the Active Directory Users and Computers snap-in.
2. Right-click the Domain Controllers container and press Properties.
3. Press Group Policy / Default Domain Controllers Policy / Edit.
4. Navigate to Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.
5. Double-click Access this computer from the network
6. Add the ENTERPRISE DOMAIN CONTROLLERS group.
NOTE: You could have added the Everyone group, or any other group that contains domain controller computer accounts. DO NOT add the Domain Controllers global group as it can NOT contain domain controllers from other domains in your forest.
NOTE: See Windows 2000 Group Policy refresh.