Domain Controller Auto-Enrollment Issue
I recently noticed one of our domain controllers is not auto enrolling its Domain Controller certificate with our AD CS server.
We have 2 DC's and one auto-enrolls just fine and the other one doesn't. The one that auto-enrolls fine is a Server 2008 R2 domain controller and the one that doesn't is a Server 2012 R2 domain controller (the schema has been updated to accommodate this
domain controller). The CA is on the Server 2008 R2 DC (I noticed this issue as I am planning on migrating off the CA from the DC to its own dedicated DC).
I see three errors in the event log:
Event ID 6: Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.
Event ID 13: Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from DC
FQDN\CA Name (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).
Event ID 82: Certificate enrollment for Local system failed in authentication to all urls for enrollment server associated with policy id: {61B8511A-9BFE-46A8-90D5-FB1709DADB2D} (The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)).
Failed to enroll for template: DomainController
In a packet capture, I am seeing this error: Expert Info (Note/Response): Fault: nca_s_fault_access_denied
I did notice the "Certificate Service DCOM Access" group had no members, so I added the Authenticated Users group into it (I have a newly stood up development domain and notice Authenticated Users was in this group by default). Still not having
any success. I tried stopping the CA service and starting it up after this group change and had no success either. I haven't rebooted any of the servers yet...didn't think I needed too.
I tried the "certutil -config - -ping" command and it found the proper CA and once I selected it, I was able to connect to the CA just fine and says its alive.
Not to sure where to look at from here as I am out of ideas.
Ok I got this working, but not sure what finally kicked it in.
I followed this article first: http://support.microsoft.com/kb/947237 After performing what that article mentions, I still had the same errors. It only mentions Vista, so didn't think it applied. Not entirely sure what the certutil
-setreg SetupStatus -SETUP_DCOM_SECURITY_UPDATED_FLAG does. I think it added permissions to my DCOM COM Security for Access and Launch/Activation permissions?
Initially testing this, it failed with the same errors. After a few minutes, I tried again to see if the packet capture was showing the same authentication error, and it finally succeeded.
Similar Messages
-
Auto enrollment issue - in AD user object certificate is missing
In our environment , we are publishing User certificate and SMIME certificate through auto enrollment, both are been pushed through same Group policy. We identified that few of the user (around 200+ users) AD object is not having SMIME certificate
but user certificate is available . In the Issuing CA and users local store we can able to find the certificate . We revoked 2 or 3 user certificate and when the user next logging in , the certificate has been successfully generated, we dont know what is causing
the issue. Please help on this.
We have checked the group policy its applying properly.
We have checked few of the user machine and found that the error Eventid # 6 has been generated every 8 hours once. (Automatic server enrollment failed. the specified server can not perform the requested operation)
The working users and affected users all are part of same OU.Dear All,
Thanks for your inputs. We found solution on this. we assume issue with attribute modification conflicts
We are having two different issuing CA in our environment and both are in same site, in the site is having 4 domain controller.
- We ran the network monitor in both the Issuing CA's and found the communication between Issuing CA and domain controllers for each user certificate (success and failure also)
- we can able to see there is difference between both the certificate generation is less than 8 seconds
- The first (SMIME) certificate has been published in the AD object through Domain controller A and second certificate is reaching Domain controller B for publish the second (USER) certificate in few seconds.
- When replication is happening between Domain controller A and Domain controller B, the highest version value is winning
- We ran the command repadmin /showobjmeta "users distinguish name" for success user and failure user
- found success users certificate version is 2 and failure user certificate version is 1.
Solution: We are planning to make single Issuing CA for both certificate enrollment.
Not sure what are the impacts on this -
Anyconnect SCEP Auto-enrollment Issue
Hello Everyone,
I have been trying to configure cisco`s any connect client with SCEP Auto-enrollment with no success. I followed all the steps necessary to complete the configuration but still no success. What happens to me is, enrollment happens fine, certificate is downloaded according to what it should be but when I try to use it to authenticate and connect to my VPN it seems the certificate is not valid and not forwarded to the ASA, every time I reconnect the Anyconnect enrolls me to a new certificate, which means that if I repeat the process a 1000 times I`ll most likely have 1000 new certificates. Being trying for a while now and nothing seems to work with it. Can anyone tell me anything that could help me?
I am using windows 2k12 with NDES module installed, the certificate template being used is a custom IPSEC Offline request template, the asa sends the enrollment request according to what it should be and the enrollment happens fine, the problem is that I cannot match the certificate for some reason.
Anyone that can help me?Scep-proxy was not integrated into the ASA until 8.4
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_certs.html#wp1318578
If you want to do legacy scep, this should work. Your Anyconnect version is ok, but we always suggest the latest in the 3.0/3.1 line for the most up-to-date bug fixes. -
Domain Controller password changing issues
Hello!
Having a strange issue where certain users cannot change their password once they expire and it will just prompt that the password does not meet the complexity requirements (when it does).
Also there seems to be a higher than usual amount of call regarding AD account that have become locked.
We have multiple DC's at different main sites, we have a mix of 2003 and 2012 DC's so I'm thinking this could be a Kerberos issues between the 2003 & 2012 ? We are currently in the process of migrating systems off the 2003 and point them at the 2012 but we have a lot and it will take some time.
The event logs don't show anything obviously and also DC DIAG on the 2012 servers comes back as being healthy.
Many Thanks for any suggestions!
This topic first appeared in the Spiceworks CommunityHello!
Having a strange issue where certain users cannot change their password once they expire and it will just prompt that the password does not meet the complexity requirements (when it does).
Also there seems to be a higher than usual amount of call regarding AD account that have become locked.
We have multiple DC's at different main sites, we have a mix of 2003 and 2012 DC's so I'm thinking this could be a Kerberos issues between the 2003 & 2012 ? We are currently in the process of migrating systems off the 2003 and point them at the 2012 but we have a lot and it will take some time.
The event logs don't show anything obviously and also DC DIAG on the 2012 servers comes back as being healthy.
Many Thanks for any suggestions!
This topic first appeared in the Spiceworks Community -
I have racked my brain and done everything that I know to do for about two weeks now. I am setting up a new system at our fire department and I am having the worst luck with getting the workstations to login to the domain controller with roaming
profiles. It keeps telling me that the roaming profile could not be loaded because of a slow connection. These are workstations that are connected directly to the switch that the DC is connected to. I have tried multiple connections regarding
the layout (DC into the router, router into the switch). The router is a Cisco RV220W. I have two VLANS, one for public and one for private domain. The Private VLAN has DHCP turned off since I am providing it through the DC. I currently
have a connection from the Private VLAN going to the unmanaged switch that the workstations and server are plugged into.
The server is a Dell PowerEdge R420 that has 6 NIC ports (1 dual port and 1 quad port). I have a virtual switch setup on Hyper-V for an external port (let's say Card 2 Port 3) that is assigned to the WS 2012R2 Domain Controller. The DC can see
the internet fine and the workstations can connect to the shared folders on the server. I can retrieve files by just using the computer name or FQDN. The DC is also running DNS and DHCP. The DNS has the _msdcs setup from when I installed
the active directory role. I have attempted to assign static IP addresses to the workstations:
IP: 10.0.0.80
Subnet: 255.255.255.0
IPV4 Gateway: 10.0.0.1
IPV4 DNS: 10.0.0.12
I've attempted "append the specific DNS suffix", I've "registered the connection in DNS", I've used "use this connections suffix in DNS registration".
The server is assigned:
IP: 10.0.0.12
Subnet: 255.255.255.0
IPV4 Gateway: 10.0.0.1
IPV4 DNS: 10.0.0.12
The DNS entries have forwarders that forward to my ISP DNS servers for lookup
I've enabled and disabled DHCP, I've installed a new VM just to create another DC to make sure that I didn't goof up when I created it.
I've lost my patience with this project and am sinking fast. Can someone please offer some advice as to what I've done wrong? I've created this exact scenario at work many times but, I've never done it with Windows Server 2012. Is this
possibly something to do with the Dell PowerEdge server (Generation 12) with the SR-IOV? I am going to attempt to work on it some more tomorrow when I get over there. I think there may be an issue with the SR-IOV not being enabled on the machine
through the Dell Bios. Would the SR-IOV really cause the workstations to report a slow connection? When I login at the domain controller the roaming profiles and folder redirection work fine so, I know the GPO settings are correct. I don't
have "ignore slow connections" or any of those GPO's set. I need to get it working the correct way so, I didn't want to fool the server when there is another underlying problem. Any help that someone can offer, I am more than willing
to listen. If you need more information, please ask.
Thanks,
JaySo, I've managed to research this some more since Thursday and I've come to the conclusion that Hyper-V does a horrible job of supporting Qualcomm NIC cards. That's the only thing I can conclude as far as where the issue is originating. I've read many
post and walkthroughs but nothing that has helped. The issue wasn't with any settings in the domain controller. The issue was that there really is a slow connection originating at the domain controller that is a VM and has network connectivity through the
virtual switch from Hyper-V. So, next question is, how do I get the DC to have better connectivity through the NIC that Hyper-V won't give it? If hyper-v would allow passthrough, this would be so much simpler. VM-ware is looking really good at this point.
Im disappointed in MS right now. -
Hi
I accidentally removed one of our domain controller's hyper-v image (DC-02) from the hyper-v manager and to bring it back online launched a new virtual machine using the same virtual hard drive. This brought back the domain controller machine and I set the
original IP address to the same assuming that everything would just working fine.
Sadly, that wasn't the case as when I tried to open the group policy manager on that machine I started getting "Access is denied" error. I was then presented with an option to open the group policy manager with the first available DC which I did
and was able to open it with showing the same machine as the baseline domain controller under the status tab (DC-01 is actually the baseline DC). I then clicked Detect now and noticed it was showing 1 DC under replication in progress with problems in GPO version.
I then did the same thing on the primary DC (DC-01) and even there it was showing this only (images attached).
So I started exploring over the internet going through various articles but couldn't find a solution which I could apply without worrying about corrupting something somewhere. I also went to the SYSVOL folder on both the DC's to check the version number
in GPT.ini files which are mentioned below:
\\CC-DC01\sysvol\cloudchowk.lab\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
[General]
Version=3
\\CC-DC01\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[General]
Version=5439513
\\cc-dc02\SYSVOL\cloudchowk.lab\Policies\{6AC1786C-016F-11D2-945F-00C04fB984F9}
[General]
Version=3
\\cc-dc02\SYSVOL\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
[General]
Version=5308439
Could anyone please help me sort this out? I am no system admin and whatever knowledge I have of setting up DC, AD etc is from following one article or the other over the internet.
Regards
Sajat JainHi
Apologies for responding late. I followed through all the points mentioned by Frank and even did a non-authoritative restore synchronization but still no luck.
I am attaching the output from the dcdiag /q and the from the event viewer after doing to non-authoritative restore synchronization.
DCDIAG /Q
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... CC-DC03 failed test DFSREvent
Unable to connect to the NETLOGON share! (\\CC-DC03\netlogon)
[CC-DC03] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... CC-DC03 failed test NetLogons
An error event occurred. EventID: 0x0000164A
Time Generated: 01/18/2015 17:52:17
Event String:
The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\cloudchowk.lab\SCRIPTS. The following error occurred:
An error event occurred. EventID: 0x0000164A
Time Generated: 01/18/2015 17:54:12
Event String:
The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\cloudchowk.lab\SCRIPTS. The following error occurred:
An error event occurred. EventID: 0x00000422
Time Generated: 01/18/2015 17:54:41
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 01/18/2015 17:55:42
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 01/18/2015 17:59:41
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 01/18/2015 18:04:42
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x0000164A
Time Generated: 01/18/2015 18:05:10
Event String:
The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\cloudchowk.lab\SCRIPTS. The following error occurred:
An error event occurred. EventID: 0x00000422
Time Generated: 01/18/2015 18:09:42
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 01/18/2015 18:14:42
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 01/18/2015 18:19:43
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
An error event occurred. EventID: 0x00000422
Time Generated: 01/18/2015 18:24:43
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\cloudchowk.lab\sysvol\cloudchowk.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
......................... CC-DC03 failed test SystemLog
EVENT VIEWER LOGS
The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner CC-DC01.cloudchowk.lab. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: 4689406D-D6D8-49E0-8079-2B1D4AE61BC6
Replication Group Name: Domain System Volume
Replication Group ID: 6B162096-2EFA-4D4C-BF13-62CC5B112B97
Member ID: 566943F9-D2FB-4304-823D-10DC972F831A
Read-Only: 0
Should I just start over again by removing DC03 and setting up another DC?
Regards
Sajat Jain -
Sorry if my attempt to be thorough in my description may result in excessive and unnecessary information.
I'm running into some problems with a single server running WS 2012 R2 as a domain controller (AD and DNS) and I’m trying to figure out what the cause is.
The network has ~10 computers on it connected through a cable business gateway (running DHCP) which feeds 2 switches and a wireless router acting as a switch. (I also turned on remote services, but the end users aren’t using that until I get certificates
setup.)
For 6+ months everyone had access to the shared files and databases on each workstation without issue.
In the last month users would occasionally have to re-enter their credentials to get access to shared server folders despite being on a domain account already.
Last week one of the computers intermittently cannot gain access to the shared folders– entering the correct credentials just results in the credentials being requested again and again: There’s an error icon at the bottom saying that “there are currently
no logon servers available to service the logon request”. While access is rejected I’m still able to ping the DC both via its name and IPV4 address.
(Pinging via its name results in an IPv6 address in the response.)
Other network connectivity appears intact (able to browse the web, perform network discovery.)
Things that ‘seem’ to allow access on this computer until the next failure:
Entering a different domain username and password into the windows credentials request has allowed access a couple of times.
Disconnecting and reconnecting the network cable allowed the original username to be used to log on (at least once.)
After removing it from and then rejoining it to the domain (a few hours ago) it experienced the problem once more. Also, logging on with domain credentials created a TEMP user folder instead of the folder with the domain username.
Looking at the event logs, I notice there are quite a few warnings and errors reported regarding DC access on many of the computers; maybe this is normal?
Most Problematic Computer:
Event ID 8016: System failed to register host A or AAAA resource records. (With an unknown Ipv6 and the server’s ipv4 address in the DNS server list.)
Event ID 131: NtpClient unable to set a domain peer to use as a time source because of DNS resolution error on ‘Server.domain.local’
‘No such host is known.”
Event ID 5719: NETLOGON. This computer was not able to setup a secure session with a domain controller in the domain due …..: there are currently no logon servers available to service the logon request.
And then pairs of: Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy. & Event 1054:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
Event 1030: The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation
at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
On the server I’ve run DCDIAG and DCDIAG /test:DNS and those all appeared to pass.
Ipconfig/all from the server:
Connection-specific DNS Suffix
Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
Physical Address. . . . . . . . . : FC-4D-D4-F2-A1-83
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:b155:a0b0:892d:9ed5(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::b155:a0b0:892d:9ed5%13(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%13
10.1.10.1
DHCPv6 IAID . . . . . . . . . . . : 234638804
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3F-7D-B9-68-05-CA-24-31-C4
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ipconfig/all from the problematic computer:
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix
. : wp.comcast.net
Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 6150
Physical Address. . . . . . . . . : 40-25-C2-63-C2-B8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Prefe
rred)
Temporary IPv6 Address. . . . . . : 2601:8:a182:1100:283e:f9e8:4841:6c50(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::8f5:1606:d0a8:6b25%3(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, March 10, 2015 9:19:02 AM
Lease Expires . . . . . . . . . . : Tuesday, March 17, 2015 1:23:15 PM
Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
10.1.10.1
DHCP Server . . . . . . . . . . . : 10.1.10.1
DHCPv6 IAID . . . . . . . . . . . : 54535618
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-15-6B-AA-F0-DE-F1-9C-07-D4
DNS Servers . . . . . . . . . . . : 2001:558:feed::1
2001:558:feed::2
10.1.10.42
NetBIOS over Tcpip. . . . . . . . : Enabled
Any thoughts? I was assuming it was a Domain Controller/DNS error, but I don't know where to check next. Could a failing piece of hardware be the culprit?
Thanks,
-JTHi,
According to the error you have posted.
A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.
Most of the time this is caused by network issues or name resolution (DNS/WINS) issues, you could refer to:
Netlogon 5719 and the Disappearing Domain [Controller]
http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx
Did you refer to this KB article?
Event ID 5719 is logged when you start a Domain Member
http://support.microsoft.com/kb/938449
Regards.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Can I move a Virtual Domain Controller from one host(Win Server 2008 R2) to another (Win Server 2012 R2) ? Are there any issues?
I also had this error: "Setup cannot continue. Your computer will now restart, and your previous version of Windows will be restored."
trying to do a in-place upgrade of a Domain Controller Windows 2008 R2 to Windows 2012 R2.
The problem was the separated System Reserved Partition. After I removed using this instructions:
http://jacobackerman.blogspot.com/2012/12/how-to-remove-system-reserved-partition.html
The upgrade ran ok, and now have my DC as Windows 2012 R2.
Hope that helps!. -
Domain Controller cannot access \\domain\netlogon causing Auth issues
Hi everyone, I have been spent all day trying to figure out what is going on here, I have a Domain controller (only DC in the environment) that is acting funny
I first noticed when I was attempting to RDP into a server in my domain I was getting "access denied" (but I could log in as a local admin). So when I looked at the Domain Controller, I ran a DCDiag DNS test and got some an AUTH error, but am not
able to figure out how to fix this.
Another thing I notice is when I am signed into the domain Controller (GP2010-a), I cannot browse to
\\contoso.com\netlogon or any similar share.
Here is the kicker, other servers on this domain, server3, server4, server5 etc... THEY CAN access
\\contoso.com\netlogon It is ONLY the Domain controller and Server2 that CANNOT access this share. The other servers also allow me to RDP into them fine, it is only 1 server that is affected by this strange behavior.
I have checked for no IP conflicts and as far as I can tell all the DNS records are correct.
Regarding the DYNAMIC ip warning, we have a reservation that assigns the IP
thanks for any input here as i'm really stuck,
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = GP2010-A
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\GP2010-A
Starting test: Connectivity
......................... GP2010-A passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\GP2010-A
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... GP2010-A passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : contoso
Running enterprise tests on : contoso.com
Starting test: DNS
Test results for domain controllers:
DC: GP2010-A.contoso.com
Domain: contoso.com
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
TEST: Basic (Basc)
Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
(can be a misconfiguration)
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:1::803f:235
DNS server: 2001:500:2::c (c.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2::c
DNS server: 2001:500:2d::d (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2d::d
DNS server: 2001:500:2f::f (f.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:2f::f
DNS server: 2001:500:3::42 (l.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:3::42
DNS server: 2001:500:84::b (b.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:500:84::b
DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:ba3e::2:30
DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:503:c27::2:30
DNS server: 2001:7fd::1 (k.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fd::1
DNS server: 2001:7fe::53 (i.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:7fe::53
DNS server: 2001:dc3::35 (m.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 2001:dc3::35
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
Domain: contoso.com
GP2010-A FAIL WARN PASS PASS PASS PASS n/a
......................... contoso.com failed test DNSHi,
TEST: Basic (Basc)
Warning: Adapter 00:0D:3A:00:0D:01 has dynamic IP address
(can be a misconfiguration)
Do you have any NIC conifgured to get dynamic IP on your DC which is having issue? If yes, please disable that NIC. Also, please provide me the result of the below
1) On your DC which is having issue, run "ipconfig /all"
2) Repadmin /showrepl
Thanks,
Umesh.S.K
Thanks, there is only 1 nic card. It is getting a dhcp address because this is an AZURE Hyper-v machine and I have set an IP reservation for it. I have no way to hardcode the IP because it gets shut off/on all the time
C:\Users\Administrator>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\GP2010-A
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 007c755c-f56c-4e51-a211-fd4431f63927
DSA invocationID: 007c755c-f56c-4e51-a211-fd4431f63927 -
Problematic issues in installing backup domain controller on Virtual Machine
Hello,<o:p></o:p>
I have a physical domain controller - windows Server 2012 R2 Standard installed
in my domain environment and this is a first root domain controller.
I have also Hyper-V Server 2012 R2 installed and joined in that domain.
Now I want to install an additional (Backup) domain controller as a virtual
machine hosted on Hyper-V Server. So while promoting VM as a DC all actions and
steps go well but the problem arise when I press the install button at the end
of the promotion - installation gets stuck in the process of writing some
configuration files on first DC and also in the process of replication. Unfortunately
VM does not promote as a DC and it goes to restart.
The error event log with - NETLOGON source is logged on the virtual machine as
well.
Do you have some suggestions with this issue, or experience how to resolve this..
Thanks a lot in advance,
GMG
<o:p></o:p>Now I want to install an additional (Backup) domain controller
There is no backup DC. All DCs are RW except RODCs.
I would recommend first checking the health status of the existing DC using
dcdiag command. Also, please check the IP settings in use: Please make sure that the existing DC has its primary IP address in use and that public DNS servers are set as forwarders and not in IP settings of the DC. For the new DC, please make sure
that it points to the existing DC as primary DNS server and once promoted you can see the recommendations here to update the configuration: http://social.technet.microsoft.com/wiki/contents/articles/18513.active-directory-replication-issues-basic-troubleshooting-steps-single-ad-domain-in-a-single-ad-forest.aspx
Please also disable temporary all security software in use on the DCs and make sure that needed ports for AD replication and authentication are not blocked or filtered between the DCs.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password -
Issue with Installing Oracle 10g R2 on a Windows 2008 Domain Controller
I'm assigned a evaluation task for my company. The task invoke to install oracle in my Domain Controller Server.
I got "ORA-12560: TNS:protocol adapter error" when I installed ORACLE 10g R2 for Win2K8 on my Windows 2008 (a Domain Controller Server). It happened in the create predefined database period.
I tried to google and noted that there are some RUMOS say "We cannot deploy ORACLE on a Domain Controller, It's impossible"
Is this true? Please, Please advise!
Thansk,This is a link to a same issue
Creating instance oracle 10.2.0.4 on Windows 2008 32bit -
so we currently have three domain controllers set up, two of them on 2012r2 and one of them on 2008r2. prior to any of these domain controllers being added to the domain there was only one, running on 2003r2. the 2003r2 server was up and running when the
first 2012r2 was added and that's when running 'dcdiag /e /c /v' would yield an issue with "_ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local" in the DNS portion of the diagnostics, specifically:
TEST: Records registration (RReg)
Network Adapter [00000010] Microsoft Hyper-V Network Adapter:
Error:
Missing SRV record at DNS server 192.168.22.4:
_ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local
after adding the second 2012r2 to the domain, this issue is still there... adding the 2008r2 server to the domain and running BPA it gives the following:
Title:
This domain controller must register a DNS SRV resource record, which is required for replication to function correctly
Severity:
Error
Date:
7/3/2014 11:24:48 AM
Category:
Configuration
Issue:
The "DcByGuid" DNS service (SRV) resource record that advertises this server as an available domain controller in the domain and ensures correct replication is not registered. All domain controllers (but not RODCs) in the domain must register this record.
Impact:
Other member computers and domain controllers in the domain or forest will not be able to locate this domain controller. This domain controller will not be able to provide a full suite of services.
Resolution:
Ensure that "DcByGuid" is not configured in the "DnsAvoidRegisteredRecords" list, either through Group Policy or through the registry. Restart the Netlogon service. Verify that the DNS service (SRV) resource record "_ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local", pointing to the local domain controller "CM-DC4-NY01.cmedia.local", is registered in DNS.
More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=126968
I've tried scanning and then re-scanning every single entry in DNS Manager and do not see any reference to this specific GUID mentioned, nor do I see any other domain controllers referenced that should not be in there. The two 2012r2 and the 2008r2 domain
controllers are the only ones listed in DNS Manager... the 2003r2 mentioned earlier failed and was removed.Just to chime in, I noticed that you said you have one 2008 R2 DC, and two 2012 DCs.
I also noticed in the ipconfig /all that all DCs are pointint to themselves for DNS. We usually like to see them point to a partner, then itslelf as the second entry, w hether loopback or by its own IP.
Based on that, what I suggest to level the playing field by choosing the WIndows 2008 R2 DC as the first DNS on all DCs and only administer DNS using that DC. The reason I chose that is because of the least common denominator is what we rather use so we
don't invoke any new features in the newer 2012 DNS console that 2008 R2 may not understand. After that's done, on each DC run (and you can use a PowerShell window to run this):
Rename the system32\config\netlogon.dns and netlogon.dnb files by suffixing ".old" to the file.
ipconfig /registerdns
net stop netlogon
net start netlogon
Then re-run the dcdiag /e /c /v.
Post your results, please.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
I thought the DNS entries were supposed to be the other way around? point to themselves first and a partner as secondary? regardless, as requested, I've changed it to what you've prescribed where they point to the 2008r2 server as the primary with themselves
as the secondary. I've also followed the steps to what seems like refreshing the DNS? on each of the DCs. Here's the output from dcdiag /e /c /v
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine CM-DC1-NY01, is a Directory Server.
Home Server = CM-DC1-NY01
* Connecting to directory service on server CM-DC1-NY01.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=cmedia,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory
=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmedia
,DC=local
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=cmedia,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=nt
DSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=cmedia,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=CM-DC3-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=cmedia,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=CM-DC4-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=cmedia,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 3 DC(s). Testing 3 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\CM-DC1-NY01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... CM-DC1-NY01 passed test Connectivity
Testing server: Default-First-Site-Name\CM-DC3-NY01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... CM-DC3-NY01 passed test Connectivity
Testing server: Default-First-Site-Name\CM-DC4-NY01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... CM-DC4-NY01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\CM-DC1-NY01
Starting test: Advertising
The DC CM-DC1-NY01 is advertising itself as a DC and having a DS.
The DC CM-DC1-NY01 is advertising as an LDAP server
The DC CM-DC1-NY01 is advertising as having a writeable directory
The DC CM-DC1-NY01 is advertising as a Key Distribution Center
The DC CM-DC1-NY01 is advertising as a time server
The DS CM-DC1-NY01 is advertising as a GC.
......................... CM-DC1-NY01 passed test Advertising
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC CM-DC1-NY01 for domain cmedia.local in site Default-First-Site-Name
Checking machine account for DC CM-DC1-NY01 on DC CM-DC1-NY01.
* SPN found :LDAP/CM-DC1-NY01.cmedia.local/cmedia.local
* SPN found :LDAP/CM-DC1-NY01.cmedia.local
* SPN found :LDAP/CM-DC1-NY01
* SPN found :LDAP/CM-DC1-NY01.cmedia.local/cmedia
* SPN found :LDAP/a29d12f1-2869-44bf-8e43-adf7ddf33865._msdcs.cmedia.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a29d12f1-2869-44bf-8e43-adf7ddf33865/cmedia.local
* SPN found :HOST/CM-DC1-NY01.cmedia.local/cmedia.local
* SPN found :HOST/CM-DC1-NY01.cmedia.local
* SPN found :HOST/CM-DC1-NY01
* SPN found :GC/CM-DC1-NY01.cmedia.local/cmedia.local
[CM-DC1-NY01] No security related replication errors were found on this DC! To target the connection to a
specific source DC use /ReplSource:<DC>.
......................... CM-DC1-NY01 passed test CheckSecurityError
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CM-DC1-NY01 passed test CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
......................... CM-DC1-NY01 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
Skip the test because the server is running FRS.
......................... CM-DC1-NY01 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CM-DC1-NY01 passed test SysVolCheck
Starting test: FrsSysVol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CM-DC1-NY01 passed test FrsSysVol
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... CM-DC1-NY01 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=cmedia,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=cmedia,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=cmedia,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=cmedia,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=cmedia,DC=local
......................... CM-DC1-NY01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC CM-DC1-NY01 on DC CM-DC1-NY01.
* SPN found :LDAP/CM-DC1-NY01.cmedia.local/cmedia.local
* SPN found :LDAP/CM-DC1-NY01.cmedia.local
* SPN found :LDAP/CM-DC1-NY01
* SPN found :LDAP/CM-DC1-NY01.cmedia.local/cmedia
* SPN found :LDAP/a29d12f1-2869-44bf-8e43-adf7ddf33865._msdcs.cmedia.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a29d12f1-2869-44bf-8e43-adf7ddf33865/cmedia.local
* SPN found :HOST/CM-DC1-NY01.cmedia.local/cmedia.local
* SPN found :HOST/CM-DC1-NY01.cmedia.local
* SPN found :HOST/CM-DC1-NY01
* SPN found :HOST/CM-DC1-NY01.cmedia.local/cmedia
* SPN found :GC/CM-DC1-NY01.cmedia.local/cmedia.local
......................... CM-DC1-NY01 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC CM-DC1-NY01.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=cmedia,DC=local
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=cmedia,DC=local
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=cmedia,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=cmedia,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=cmedia,DC=local
(Domain,Version 3)
......................... CM-DC1-NY01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\CM-DC1-NY01\netlogon
Verified share \\CM-DC1-NY01\sysvol
......................... CM-DC1-NY01 passed test NetLogons
Starting test: ObjectsReplicated
CM-DC1-NY01 is in domain DC=cmedia,DC=local
Checking for CN=CM-DC1-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
n 3 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
n,DC=cmedia,DC=local in domain CN=Configuration,DC=cmedia,DC=local on 3 servers
Object is up-to-date on all servers.
......................... CM-DC1-NY01 passed test ObjectsReplicated
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test because /testdomain: was not entered
......................... CM-DC1-NY01 passed test OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... CM-DC1-NY01 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 16109 to 1073741823
* CM-DC1-NY01.cmedia.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4609 to 5108
* rIDPreviousAllocationPool is 4609 to 5108
* rIDNextRID: 4629
......................... CM-DC1-NY01 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... CM-DC1-NY01 passed test Services
Starting test: SystemLog
* The System Event log test
A warning event occurred. EventID: 0x0000002F
Time Generated: 07/08/2014 13:19:14
Event String:
Time Provider NtpClient: No valid response has been received from manually configured peer 0.ca.pool.ntp.org
after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a n
ew peer with this DNS name. The error was: The peer is unreachable.
Found no errors in "System" Event log in the last 60 minutes.
......................... CM-DC1-NY01 passed test SystemLog
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CM-DC1-NY01 passed test Topology
Starting test: VerifyEnterpriseReferences
......................... CM-DC1-NY01 passed test VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference) CN=CM-DC1-NY01,OU=Domain Controllers,DC=cmedia,DC=local
and backlink on
CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmedia,DC=local are
correct.
The system object reference (serverReferenceBL)
CN=CM-DC1-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
C=local
and backlink on
CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chiefmed
ia,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=CM-DC1-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
C=local
and backlink on CN=CM-DC1-NY01,OU=Domain Controllers,DC=cmedia,DC=local are correct.
......................... CM-DC1-NY01 passed test VerifyReferences
Starting test: VerifyReplicas
......................... CM-DC1-NY01 passed test VerifyReplicas
Testing server: Default-First-Site-Name\CM-DC3-NY01
Starting test: Advertising
The DC CM-DC3-NY01 is advertising itself as a DC and having a DS.
The DC CM-DC3-NY01 is advertising as an LDAP server
The DC CM-DC3-NY01 is advertising as having a writeable directory
The DC CM-DC3-NY01 is advertising as a Key Distribution Center
The DC CM-DC3-NY01 is advertising as a time server
The DS CM-DC3-NY01 is advertising as a GC.
......................... CM-DC3-NY01 passed test Advertising
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC CM-DC1-NY01 for domain cmedia.local in site Default-First-Site-Name
Checking machine account for DC CM-DC3-NY01 on DC CM-DC1-NY01.
* SPN found :LDAP/CM-DC3-NY01.cmedia.local/cmedia.local
* SPN found :LDAP/CM-DC3-NY01.cmedia.local
* SPN found :LDAP/CM-DC3-NY01
* SPN found :LDAP/CM-DC3-NY01.cmedia.local/cmedia
* SPN found :LDAP/5e9d1971-39ca-484c-922d-411c2364c96e._msdcs.cmedia.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5e9d1971-39ca-484c-922d-411c2364c96e/cmedia.local
* SPN found :HOST/CM-DC3-NY01.cmedia.local/cmedia.local
* SPN found :HOST/CM-DC3-NY01.cmedia.local
* SPN found :HOST/CM-DC3-NY01
* SPN found :HOST/CM-DC3-NY01.cmedia.local/cmedia
* SPN found :GC/CM-DC3-NY01.cmedia.local/cmedia.local
Checking for CN=CM-DC3-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
n 2 servers
Object is up-to-date on all servers.
[CM-DC3-NY01] No security related replication errors were found on this DC! To target the connection to a
specific source DC use /ReplSource:<DC>.
......................... CM-DC3-NY01 passed test CheckSecurityError
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CM-DC3-NY01 passed test CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
......................... CM-DC3-NY01 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
Skip the test because the server is running FRS.
......................... CM-DC3-NY01 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CM-DC3-NY01 passed test SysVolCheck
Starting test: FrsSysVol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CM-DC3-NY01 passed test FrsSysVol
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... CM-DC3-NY01 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=cmedia,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=cmedia,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=cmedia,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=cmedia,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=cmedia,DC=local
......................... CM-DC3-NY01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC CM-DC3-NY01 on DC CM-DC3-NY01.
* SPN found :LDAP/CM-DC3-NY01.cmedia.local/cmedia.local
* SPN found :LDAP/CM-DC3-NY01.cmedia.local
* SPN found :LDAP/CM-DC3-NY01
* SPN found :LDAP/CM-DC3-NY01.cmedia.local/cmedia
* SPN found :LDAP/5e9d1971-39ca-484c-922d-411c2364c96e._msdcs.cmedia.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5e9d1971-39ca-484c-922d-411c2364c96e/cmedia.local
* SPN found :HOST/CM-DC3-NY01.cmedia.local/cmedia.local
* SPN found :HOST/CM-DC3-NY01.cmedia.local
* SPN found :HOST/CM-DC3-NY01
* SPN found :HOST/CM-DC3-NY01.cmedia.local/cmedia
* SPN found :GC/CM-DC3-NY01.cmedia.local/cmedia.local
......................... CM-DC3-NY01 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC CM-DC3-NY01.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=cmedia,DC=local
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=cmedia,DC=local
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=cmedia,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=cmedia,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=cmedia,DC=local
(Domain,Version 3)
......................... CM-DC3-NY01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\CM-DC3-NY01\netlogon
Verified share \\CM-DC3-NY01\sysvol
......................... CM-DC3-NY01 passed test NetLogons
Starting test: ObjectsReplicated
CM-DC3-NY01 is in domain DC=cmedia,DC=local
Checking for CN=CM-DC3-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
n 3 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CM-DC3-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
n,DC=cmedia,DC=local in domain CN=Configuration,DC=cmedia,DC=local on 3 servers
Object is up-to-date on all servers.
......................... CM-DC3-NY01 passed test ObjectsReplicated
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test because /testdomain: was not entered
......................... CM-DC3-NY01 passed test OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... CM-DC3-NY01 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 16109 to 1073741823
* CM-DC1-NY01.cmedia.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 15109 to 15608
* rIDPreviousAllocationPool is 15109 to 15608
* rIDNextRID: 15110
......................... CM-DC3-NY01 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... CM-DC3-NY01 passed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... CM-DC3-NY01 passed test SystemLog
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CM-DC3-NY01 passed test Topology
Starting test: VerifyEnterpriseReferences
......................... CM-DC3-NY01 passed test VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference) CN=CM-DC3-NY01,OU=Domain Controllers,DC=cmedia,DC=local
and backlink on
CN=CM-DC3-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmedia,DC=local are
correct.
The system object reference (serverReferenceBL)
CN=CM-DC3-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
C=local
and backlink on
CN=NTDS Settings,CN=CM-DC3-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chiefmed
ia,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=CM-DC3-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
C=local
and backlink on CN=CM-DC3-NY01,OU=Domain Controllers,DC=cmedia,DC=local are correct.
......................... CM-DC3-NY01 passed test VerifyReferences
Starting test: VerifyReplicas
......................... CM-DC3-NY01 passed test VerifyReplicas
Testing server: Default-First-Site-Name\CM-DC4-NY01
Starting test: Advertising
The DC CM-DC4-NY01 is advertising itself as a DC and having a DS.
The DC CM-DC4-NY01 is advertising as an LDAP server
The DC CM-DC4-NY01 is advertising as having a writeable directory
The DC CM-DC4-NY01 is advertising as a Key Distribution Center
The DC CM-DC4-NY01 is advertising as a time server
The DS CM-DC4-NY01 is advertising as a GC.
......................... CM-DC4-NY01 passed test Advertising
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC CM-DC1-NY01 for domain cmedia.local in site Default-First-Site-Name
Checking machine account for DC CM-DC4-NY01 on DC CM-DC1-NY01.
* SPN found :LDAP/CM-DC4-NY01.cmedia.local/cmedia.local
* SPN found :LDAP/CM-DC4-NY01.cmedia.local
* SPN found :LDAP/CM-DC4-NY01
* SPN found :LDAP/CM-DC4-NY01.cmedia.local/cmedia
* SPN found :LDAP/37830012-1f10-43c9-a0ff-2a0e8a912187._msdcs.cmedia.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/37830012-1f10-43c9-a0ff-2a0e8a912187/cmedia.local
* SPN found :HOST/CM-DC4-NY01.cmedia.local/cmedia.local
* SPN found :HOST/CM-DC4-NY01.cmedia.local
* SPN found :HOST/CM-DC4-NY01
* SPN found :HOST/CM-DC4-NY01.cmedia.local/cmedia
* SPN found :GC/CM-DC4-NY01.cmedia.local/cmedia.local
Checking for CN=CM-DC4-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
n 2 servers
Object is up-to-date on all servers.
[CM-DC4-NY01] No security related replication errors were found on this DC! To target the connection to a
specific source DC use /ReplSource:<DC>.
......................... CM-DC4-NY01 passed test CheckSecurityError
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CM-DC4-NY01 passed test CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
......................... CM-DC4-NY01 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
Skip the test because the server is running FRS.
......................... CM-DC4-NY01 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CM-DC4-NY01 passed test SysVolCheck
Starting test: FrsSysVol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CM-DC4-NY01 passed test FrsSysVol
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... CM-DC4-NY01 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=cmedia,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=cmedia,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=cmedia,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=cmedia,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=cmedia,DC=local
......................... CM-DC4-NY01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC CM-DC4-NY01 on DC CM-DC4-NY01.
* SPN found :LDAP/CM-DC4-NY01.cmedia.local/cmedia.local
* SPN found :LDAP/CM-DC4-NY01.cmedia.local
* SPN found :LDAP/CM-DC4-NY01
* SPN found :LDAP/CM-DC4-NY01.cmedia.local/cmedia
* SPN found :LDAP/37830012-1f10-43c9-a0ff-2a0e8a912187._msdcs.cmedia.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/37830012-1f10-43c9-a0ff-2a0e8a912187/cmedia.local
* SPN found :HOST/CM-DC4-NY01.cmedia.local/cmedia.local
* SPN found :HOST/CM-DC4-NY01.cmedia.local
* SPN found :HOST/CM-DC4-NY01
* SPN found :HOST/CM-DC4-NY01.cmedia.local/cmedia
* SPN found :GC/CM-DC4-NY01.cmedia.local/cmedia.local
......................... CM-DC4-NY01 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC CM-DC4-NY01.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=cmedia,DC=local
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=cmedia,DC=local
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=cmedia,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=cmedia,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=cmedia,DC=local
(Domain,Version 3)
......................... CM-DC4-NY01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\CM-DC4-NY01\netlogon
Verified share \\CM-DC4-NY01\sysvol
......................... CM-DC4-NY01 passed test NetLogons
Starting test: ObjectsReplicated
CM-DC4-NY01 is in domain DC=cmedia,DC=local
Checking for CN=CM-DC4-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
n 3 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CM-DC4-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
n,DC=cmedia,DC=local in domain CN=Configuration,DC=cmedia,DC=local on 3 servers
Object is up-to-date on all servers.
......................... CM-DC4-NY01 passed test ObjectsReplicated
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test because /testdomain: was not entered
......................... CM-DC4-NY01 passed test OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... CM-DC4-NY01 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 16109 to 1073741823
* CM-DC1-NY01.cmedia.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 15609 to 16108
* rIDPreviousAllocationPool is 15609 to 16108
* rIDNextRID: 15609
......................... CM-DC4-NY01 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... CM-DC4-NY01 passed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... CM-DC4-NY01 passed test SystemLog
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CM-DC4-NY01 passed test Topology
Starting test: VerifyEnterpriseReferences
......................... CM-DC4-NY01 passed test VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference) CN=CM-DC4-NY01,OU=Domain Controllers,DC=cmedia,DC=local
and backlink on
CN=CM-DC4-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmedia,DC=local are
correct.
The system object reference (serverReferenceBL)
CN=CM-DC4-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
C=local
and backlink on
CN=NTDS Settings,CN=CM-DC4-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chiefmed
ia,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=CM-DC4-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
C=local
and backlink on CN=CM-DC4-NY01,OU=Domain Controllers,DC=cmedia,DC=local are correct.
......................... CM-DC4-NY01 passed test VerifyReferences
Starting test: VerifyReplicas
......................... CM-DC4-NY01 passed test VerifyReplicas -
Are there any known issues with a 2003 server authenticating to a 2012 domain controller
I am trying to get off of these 2003 domain controllers. But I still have a couple of 2003 servers that will be decommissioned by early next year. If I change my environment and get rid of the two 2003 dc's, and promote two 2012 dc's. Will I have any issues
with the 2003 servers authenticating? I have a very small maintenance window, and do not have time to test on my own. I was hoping someone else has tried this before, and knows the results.Hi,
I am not aware of any issues with 2012 as domain controller role. There was an issue with 2012 R2 as domain controller role related to the AES encryption for computer password, but MS issued a hotfix and a rollup (covers many other issues along).
https://support.microsoft.com/kb/910205?wa=wsignin1.0
Once you upgrade your schema to support 2012 domain controllers you can start promoting those and eliminate 2003 ones.
I have been running this in our environment and I see no issues. In fact i am using 2012 R2 DC which were problematic.
Here is another good link to upgrade from 2003 to 2012 or 2012 R2.
http://blogs.msmvps.com/mweber/2012/07/30/upgrading-an-active-directory-domain-from-windows-server-2003-or-windows-server-2003-r2-to-windows-server-2012/
Hope it helps.
Regards,
Calin -
Strange issues with domain controller/DNS server
Our domain controller/DNS server was working fine this morning. Then suddenly we stopped being able to access certain things on it. I could ping it, RDP into it, and access some files on it, but I couldn't run any applications hosted on it, accessing shared
network files was slow, and different people around the office were getting access denied errors to files and folders they had full control of in NTFS (and in shared permissions).
At first I noticed an NTP error so I registered w32tm and started the service and that got rid of the error but didn't fix anything.
Oddly, machines still had internet access.
We tried rebooting everything, restarting services, nothing has helped.
When I accessed the server directly through the console I could access everything, could connect to any machine in the office, nothing seemed to be wrong with it.
Any ideas?Is there any recent changes in your network or firewall or antivirus? Is there any change/updates performed in the AD side? I would suggest find out changes being done at the AD or Network/FIrewall level. You can run various diagnostic test within your AD
environment to find the overall health of the AD infra.
What does DCDIAG actually… do?
Active Directory Replication Status Tool Released
http://msmvps.com/blogs/ad/archive/2008/06/03/active-directory-health-checks-for-domain-controllers.aspx
Awinish Vishwakarma - MVP
My Blog: awinish.wordpress.com
Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights. -
Server 2012 Domain Controller / DNS Issue
If you did ipconfig /registerdns, I'm assuming you did ipconfig /flushdns prior to that correct? Just want to make sure...
Once you are sure you did both, go ahead and type in nslookup in the command prompt. What does it display as the current DNS server? Once you type that in, you can type in the IP address of your new DC and see what it resolves to. Please get back to us with those results when possible.We had a domain controller go down in a multi domain controller environment. We set a new one up and promoted it to the domain. Assigned it all the necessary roles and joined it to the domain. It has been 4 days since we did this and we cannot ping it by host name. We can ping it by IP address. I have forced replication, which allowed me to ping it by host name for a few hours, but then it stopped working. I have tried to change the DNS primary to a different DC, making the host a secondary DNS, that didn't fix it. I am looking for any suggestions on how to fix it. I have done a ipconfig /registerdns , restarted DNS services but still not able to ping host name of DC on a consistent basis.
Any suggestions ?
[email protected]
This topic first appeared in the Spiceworks Community
Maybe you are looking for
-
Weirdest Problem I have ever had
Ok, so this is really weird and I can't figure it out. I have a WRT54GS wireless router. I have one computer directly connected to the router with ethernet cable, an Xbox 360 connected with ethernet cable, and then one computer that connects wireless
-
I use aperature 3. For the past 2 days, I have been unable to open the aperature application. The icon does not even bounce in the dock. I keep my aperature library on a 2 tb external hard drive. I have never had this problem. Any thoughts? Than
-
Can't open files created in CS3 with CS4
When I try to open a file that was created in CS3 I get this message: Cannot open the file "OpenEnrollSample.indd". Adobe InDesign may not suport the file format, a plug-in that supports the file format may be issing, or the file may be open in anoth
-
ITS VERY URGENT MY PROJECT SUBMISSION IS NEARER
Hi any one can help me iam using java wireless toolkit i developed a program to upload a video into the server which i created buy iam getting error like " Msgjava.lang.SecurityException: Application not authorized to access the restricted API " plea
-
Finding the form number - Simple Q !
I am trying to process the form values inside a PL/SQL block on that page. I get the values and after processing I insert the values into a table. I have created a PL/SQL block.. and I am sure the block is called properly because everything is proces