JSI Tip 8282. When you attempt to change the replication scope of an Active Directory integrated DNS zone in Windows Server 2003, you receive 'The replication scope could not be set'?

Jerold Schulman

July 21, 2004


The complete message you receive when you attempt to change the replication scope is similar to:

The replication scope could not be set.
There was a server failure.

This behavior occurs if the built-in Administrators group does NOT have the SeSecurityPrivilege (Manage auditing and security log) user right.

To resolve this problem:

01. Open the Active Directory Users and Computers snap-in.

02. Right-click the Domain Controllers container and press Properties.

03. Select the Group Policy tab.

04. Press Edit. If GPMC is installed, press Open, right-click the Default Domain Controllers Policy and press Edit.

05. Expand Computer Configuration / Windows Settings / Security Settings / Local Policies / User Rights Assignment.

06. Double-click Manage auditing and security log.

07. Press Add User or Group.

08. Press Browse and press Advanced.

09. Press Find Now.

10. Select Administrators and press OK until you exit the Group Policy Object Editor.

11. Press Exit on the File menu.

12. Press OK.

13. Close the Active Directory Users and Computers snap-in.

You may now change the replication scope of the Active Directory integrated DNS zone.
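To confirm on the domain controller that the right is actually in effect before retrying, the following added example (not part of the original tip) exports the effective user rights with `secedit` and checks whether the built-in Administrators group holds SeSecurityPrivilege. It assumes PowerShell is available on the server and is run elevated; the function names and the temporary file name are hypothetical.

```powershell
# Added example. Run from an elevated prompt on the domain controller.
$AdminsSid = 'S-1-5-32-544'         # well-known SID of BUILTIN\Administrators
$Right     = 'SeSecurityPrivilege'  # "Manage auditing and security log"

function Get-UserRightHolders {
    param([string[]]$InfLines, [string]$RightName)
    # Export lines look like: SeSecurityPrivilege = *S-1-5-32-544,*S-1-5-21-...
    $pattern = '^\s*' + [regex]::Escape($RightName) + '\s*=\s*(.*)$'
    foreach ($line in $InfLines) {
        if ($line -match $pattern) {
            return @($Matches[1] -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') } |
                Where-Object { $_ })
        }
    }
    return @()  # right not listed in the export: no account holds it
}

function Test-AdminsHoldRight {
    param([string[]]$InfLines, [string]$RightName = $Right)
    foreach ($holder in (Get-UserRightHolders $InfLines $RightName)) {
        if ($holder -eq $AdminsSid) { return $true }
        # Entries secedit could not write as a SID appear as account names.
        try {
            $acct = New-Object System.Security.Principal.NTAccount($holder)
            $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
            if ($sid.Value -eq $AdminsSid) { return $true }
        } catch { }  # not a resolvable account name: ignore this entry
    }
    return $false
}

# Export only the user rights area of the effective security policy.
$cfg = Join-Path $env:TEMP 'user-rights-export.inf'  # hypothetical file name
try {
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = Get-Content -Path $cfg
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

if (Test-AdminsHoldRight -InfLines $lines) {
    "OK: Administrators hold $Right on $env:COMPUTERNAME"
} else {
    "MISSING: Administrators do not hold $Right on $env:COMPUTERNAME"
}
```

A "MISSING" result after completing the steps above means the Default Domain Controllers Policy change has not yet been applied to this domain controller.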

NOTE: You could use NTRights.exe to do this in batch:

What are the free Windows Server 2003 Resource Kit tools?

What are the free Windows 2000 Resource Kit tools?
