Required FSMO Roles to Bring up Domain Controller
I have an unusual situation. Our network team is moving to a new vendor for our WAN circuits and this change which has left our network split. I have 10 domain controllers which can't talk to the other seven domain controllers. This situation
will last about another 2 months.
I have been asked to bring up an RODC domain controller in a location which can't connect to the DC which hosts the FSMO roles, but has communication with seven domain controllers.
Is this possible? What FSMO roles are required to bring up a DC?
Thanks
LRL
In a worse case scenario, replication may fail between domain controllers when a WAN link is re-established:
http://pmeijden.wordpress.com/2011/01/12/domain-replication-has-exceeded-the-tombstone-lifetime/
"This can also happen when your network isn’t working properly or when replication error’s have occurred for to long without anyone noticing them. In large environments it’s possible that a complete site has been disconnected due to unavailable WAN
connections. [...]
The reason why the domain controllers will not continue the replication is because they are protected for so called Lingering Objects. For example, one or more objects that are deleted from Active Directory on all other domain controllers might remain on
the disconnected domain controller. Such objects are called Lingering Objects. Because the domain controller is offline during the entire time that the tombstone is alive, the domain controller never receives replication of the tombstone and therefor doesn’t
know that the object has been deleted."
If your tombstone lifetime is still 60 days (the original default), that is about 2 months.
You can check like this:
http://technet.microsoft.com/en-us/library/cc784932(v=ws.10).aspx
If it is 180 days (new default - I won't go into the details of how and when this changed), you may avoid the worse case scenario. But you still might have problems.
Two months... how much time has already passed?
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.
Similar Messages
-
Hardware Requirements for a Windows Server 2012 Domain Controller.
Hi,
I have a secondary office with 10 users with a domain controller that has reached its end of life. We like to upgrade the current hardware to serve as a domain controller and potentially as an onsite file server that will sync with head office during
off peak business hours.
Any recommendations for a low cost yet reliable hardware for the above solution ?Hi,
Thanks for your post.
I think you need to meet the requirement for upgrading to windows server 2012r2.
http://technet.microsoft.com/en-us/library/hh994618.aspx#BKMK_SysReqs
And you could refer to the following article about windows server 2012r2 domain controller configuration
Building Your First Domain Controller on 2012 R2
http://social.technet.microsoft.com/wiki/contents/articles/22622.building-your-first-domain-controller-on-2012-r2.aspx
Regards.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
New Domain controller, DNS client settings before FSMO transfer
I recently promoted a new domain controller. It is the fourth domain controller and third in the site. I plan to decommission the other two domain controllers in the site leaving just the new one. Right now the new domain controller points
its tcp\ip client to the other other domain controller\DNS servers as primary and itself at the bottom. The other domain controllers point to themselves as primary and the newest domain controller on the bottom of the list. Clients on the network
use the original domain controllers as DNS from DHCP first and then the new domain controller DNS. Is it okay to transfer all the FSMO roles to the new domain controller or should I make all the DNS clients point to it first?Hi,
It is possible to first change your FSMO roles and after this is done then point your DNS clients to the new DC. This should not be a problem.
some interesting information about assigning your FSMO Roles: http://www.windowsdevcenter.com/pub/a/windows/2004/06/15/fsmo.html
Hope this helps you out. -
Exchange server-Removing a Domain Controller from the forest
Hi Guys,
I need some help on removing a faulty domain controller from the AD forest. Here is the scenario:
1. The FSMO roles have been seized to a new domain controller already.
2. The old one is non-functional and is down for ever.
I know the steps would be doing a meta-data cleanup And then remove some of the DNS entries related to the old server. But the real issue is:
> I have Exchange 2013 running in one of the machines configured in the Forest, which was migrated from the old Domain controller. I then set Exchange listening to the new domain controller.
So, my doubt is, if I delete the old domain controller and do a metadata cleanup, would it have any effect on the exchange server? The Exchange machine acts as an additional domain controller as well. Its a production environment and any
change that affects Exchange would cause a big loss. Looking forward for your valuable suggestions..
Regards,
NashHi Ed,
I don't have issues with the AD on the Exchange server. Eventhough it is configured as an AD, Exchange is pointed to the main working domain controller, which is a different machine. I just want to remove the traces of an old domain controller from which
I transferred the FSMO roles to the new domain controller. The old domain controller is completely down and hence I can't do a conventional 'dcpromo' on it. So just planning to do a 'metadata clean up' for removing the non-working DC from the forest.
So, In essence, I just want to know that, if I do a metadata cleanup, would it affect the Exchange server in any way?
Regards,
Nash -
Potential Downtime or Damage to Exchange if I remove a second domain controller??
We have a single instance of Exchange 2010 with all roles (minus lync, communications, etc..) on a Server 2008 Standard server.
We also have a primary domain controller and a second domain controller that offers DNS and would be used in case of disaster to the primary controller.
I've noticed in the past that if the secondary domain controller is down for maintenance that the Exchange server starts having problems. A major example of this would be last year the virtual instance of the second domain controller failed and when we rebooted
the exchange server, it lost its association with the domain even though the primary domain controller was readily accessible.
We are in a spot now that we no longer need the secondary domain controller and want to decommission it. I obviously want that to go as smoothly as possible. Is there anything I should do to prevent any unwanted damages to the exchange environment?
Jonathan StraderIt doesn't seem that anyone has responded to this. The short answer is turning off the secondary server will NOT have an effect on the exchange server. HOWEVER, that is the short answer.
It WILL have an effect if:
1) the secondary server is the ONLY DNS server and the exchange server is using the secondary server for DNS queries.
2) The FSMO Roles are on the secondary server
3) The Secondary server is the only global catalog.
I know this is a lot to take in.. but it really isn't that hard. FSMO Roles and global catalog are just a piece of active directory that keeps track of users, rights, settings, that sort of thing. You need to make sure that you seize the FSMO
roles on the first domain controller.
One command you can do on the first server to check fsmo roles is:
netdom query fsmo
On a side note. This is what you can do as well to see if the secondary server has any effect on exchange. Ready? Turn off the secondary server and see if anything bad happens (People don't get their emails..) if something stops working
after you turn off the second server then turn it back again. Everything should be back to normal.
Jerry Suner -
Can you have the same Certificate Authority exist on both boxes while I work to get the 2012 up and running fully? Will it impact the users in any way or cause problems?
> Can you have the same Certificate Authority exist on both boxes while I work to get the 2012 up and running fully?
no. You have to uninstall CA role before you uninstall Domain Controller role from existing server.
this is why it is not recommended to keep CA role on domain controllers.
Vadims Podāns, aka PowerShell CryptoGuy
My weblog: en-us.sysadmins.lv
PowerShell PKI Module: pspki.codeplex.com
PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
Check out new: SSL Certificate Verifier
Check out new:
PowerShell File Checksum Integrity Verifier tool. -
Hi,
I have Windows Server 2008 Enterprise and have
2 Domain Controllers in my Company:
Primary Domain Controller (PDC)
Additional Domain Controller (ADC)
My (PDC) was down due to Hardware failure, but somehow I got a chance to get it up and transferred
(5) FSMO Roles from (PDC) to (ADC).
Now my (PDC) is rectified and UP with same configurations and settings. (I did not install new OS or Domain Controller in existing PDC Server).
Finally I want it to move back the (FSMO Roles) from
(ADC) to (PDC) to get UP and operational my (PDC) as Primary.
(Before Disaster my PDC had 5 FSMO Roles).
Here I want to know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
In case if Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
Example like (FSMO Roles Distribution between both Servers) should be……. ???
Primary Domain Controller (PDC) Should contains:????
Schema Master
Domain Naming Master
Additional Domain Controller (ADC) Should contains:????
RID
PDC Emulator
Infrastructure Master
Please let me know the best practice and Microsoft best recommended procedure for the placement of “FSMO Roles.
I will be waiting for your valuable comments.
Regards,
Muhammad DaudHere I want to know the best practice
and Microsoft best recommended procedure for the placement of “FSMO Roles both on (PDC) and (ADC)” ?
There is a good article I would like to share with you:http://oreilly.com/pub/a/windows/2004/06/15/fsmo.html
For me, I do not really see a need to have FSMO roles on multiple servers in your case. I would recommend making it simple and have a single DC holding all the FSMO roles.
In case if
Primary (DC) fails then automatically other Additional (DC) should take care without any problem in live environment.
No. This is not true. Each FSMO role is unique and if a DC fails, FSMO roles will not be automatically transferred.
There is two approaches that can be followed when an FSMO roles holder is down:
If the DC can be recovered quickly then I would recommend taking no action
If the DC will be down for a long time or cannot be recovered then I would recommend that you size FSMO roles and do a metadata cleanup
Attention! For (2) the old FSMO holder should never be up and online again if the FSMO roles were sized. Otherwise, your AD may be facing huge impacts and side effects.
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Get Active Directory User Last Logon
Create an Active Directory test domain similar to the production one
Management of test accounts in an Active Directory production domain - Part I
Management of test accounts in an Active Directory production domain - Part II
Management of test accounts in an Active Directory production domain - Part III
Reset Active Directory user password -
Domain Controller require ADC to sync before DC come online
Hi,
I have an urgent query that my domain controller I think might not working properly. The reason for this if I restart my DC and ADC and when try to open Active Directory console it gives error until the ADC comes online completely. I don't know why DC is
doing such behavior that depend on ADC. The all FSMO roles are on DC and ADC is only DNS and GC.
Kindly suggest what is the cause of this issue.
Please helpHello,
What is the error message says ? what is the error you see in event viewer ?
Thanks
Dishan M. Francis
MVP – Directory Services
Dishan M. Francis www.rebeladmin.com -
Remove Domain Controller role from Exchange 2010 Server
Hi team,
There is a client with Domain Controller (2008 R2) running together with Exchange Server 2010 SP3. However there were some huge problems with Exchange and DC therefore since the best practice is to keep those roles seperately, they are in need of doing so.
Can someone please suggest me the best approach? The server they use right now is with 16GB therefore whatever done, Exchange should be on that machine and DC on the other 6GB.
Option 01.
Both Exchange and DC are together
Install new Exchange on a temporary Server and move everything make that Exchange server the only working primary
Remove exchange from the DC server
Promote new Additional DC and promote it with FSMO and make primary
Demote the old DC from the 16GB server
Install Exchange again on the 16GB server and move everything from the temporary server
Or Option 02
Add new additionall Domain Controller server and make it primary with GC and FSMO
Run dcpromo to demote the old Domain controller role from where the Exchange Server too is installed
Once DC role is removed from the exchange server, set up DNS and perform a restart, so Exchange will identify the new GC and domain controller
Live happily ever after
Thank You,
Cheers!!Adding/Removing the DC-Role while Exchange is installed, is not supported so forget about your Option 2.
Here's what I would do:
1. Install a new GC/DC (move FSMO etc)
2. Install a new temporary server for Exchange and move everthing over
3. Decomission the old Exchange Server
4. Demote the old Domain Controller
5. Install Exchange on a newly freshly installed OS and move everything over from your temp server
Martina Miskovic -
so we currently have three domain controllers set up, two of them on 2012r2 and one of them on 2008r2. prior to any of these domain controllers being added to the domain there was only one, running on 2003r2. the 2003r2 server was up and running when the
first 2012r2 was added and that's when running 'dcdiag /e /c /v' would yield an issue with "_ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local" in the DNS portion of the diagnostics, specifically:
TEST: Records registration (RReg)
Network Adapter [00000010] Microsoft Hyper-V Network Adapter:
Error:
Missing SRV record at DNS server 192.168.22.4:
_ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local
after adding the second 2012r2 to the domain, this issue is still there... adding the 2008r2 server to the domain and running BPA it gives the following:
Title:
This domain controller must register a DNS SRV resource record, which is required for replication to function correctly
Severity:
Error
Date:
7/3/2014 11:24:48 AM
Category:
Configuration
Issue:
The "DcByGuid" DNS service (SRV) resource record that advertises this server as an available domain controller in the domain and ensures correct replication is not registered. All domain controllers (but not RODCs) in the domain must register this record.
Impact:
Other member computers and domain controllers in the domain or forest will not be able to locate this domain controller. This domain controller will not be able to provide a full suite of services.
Resolution:
Ensure that "DcByGuid" is not configured in the "DnsAvoidRegisteredRecords" list, either through Group Policy or through the registry. Restart the Netlogon service. Verify that the DNS service (SRV) resource record "_ldap._tcp.9a5f3c17-e7ac-48f7-ab42-bf1ea621a6f5.domains._msdcs.cmedia.local", pointing to the local domain controller "CM-DC4-NY01.cmedia.local", is registered in DNS.
More information about this best practice and detailed resolution procedures: http://go.microsoft.com/fwlink/?LinkId=126968
I've tried scanning and then re-scanning every single entry in DNS Manager and do not see any reference to this specific GUID mentioned, nor do I see any other domain controllers referenced that should not be in there. The two 2012r2 and the 2008r2 domain
controllers are the only ones listed in DNS Manager... the 2003r2 mentioned earlier failed and was removed.Just to chime in, I noticed that you said you have one 2008 R2 DC, and two 2012 DCs.
I also noticed in the ipconfig /all that all DCs are pointint to themselves for DNS. We usually like to see them point to a partner, then itslelf as the second entry, w hether loopback or by its own IP.
Based on that, what I suggest to level the playing field by choosing the WIndows 2008 R2 DC as the first DNS on all DCs and only administer DNS using that DC. The reason I chose that is because of the least common denominator is what we rather use so we
don't invoke any new features in the newer 2012 DNS console that 2008 R2 may not understand. After that's done, on each DC run (and you can use a PowerShell window to run this):
Rename the system32\config\netlogon.dns and netlogon.dnb files by suffixing ".old" to the file.
ipconfig /registerdns
net stop netlogon
net start netlogon
Then re-run the dcdiag /e /c /v.
Post your results, please.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
I thought the DNS entries were supposed to be the other way around? point to themselves first and a partner as secondary? regardless, as requested, I've changed it to what you've prescribed where they point to the 2008r2 server as the primary with themselves
as the secondary. I've also followed the steps to what seems like refreshing the DNS? on each of the DCs. Here's the output from dcdiag /e /c /v
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine CM-DC1-NY01, is a Directory Server.
Home Server = CM-DC1-NY01
* Connecting to directory service on server CM-DC1-NY01.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=cmedia,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory
=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmedia
,DC=local
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=cmedia,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=nt
DSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=cmedia,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=CM-DC3-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=cmedia,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=CM-DC4-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites
,CN=Configuration,DC=cmedia,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 3 DC(s). Testing 3 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\CM-DC1-NY01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... CM-DC1-NY01 passed test Connectivity
Testing server: Default-First-Site-Name\CM-DC3-NY01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... CM-DC3-NY01 passed test Connectivity
Testing server: Default-First-Site-Name\CM-DC4-NY01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
......................... CM-DC4-NY01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\CM-DC1-NY01
Starting test: Advertising
The DC CM-DC1-NY01 is advertising itself as a DC and having a DS.
The DC CM-DC1-NY01 is advertising as an LDAP server
The DC CM-DC1-NY01 is advertising as having a writeable directory
The DC CM-DC1-NY01 is advertising as a Key Distribution Center
The DC CM-DC1-NY01 is advertising as a time server
The DS CM-DC1-NY01 is advertising as a GC.
......................... CM-DC1-NY01 passed test Advertising
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC CM-DC1-NY01 for domain cmedia.local in site Default-First-Site-Name
Checking machine account for DC CM-DC1-NY01 on DC CM-DC1-NY01.
* SPN found :LDAP/CM-DC1-NY01.cmedia.local/cmedia.local
* SPN found :LDAP/CM-DC1-NY01.cmedia.local
* SPN found :LDAP/CM-DC1-NY01
* SPN found :LDAP/CM-DC1-NY01.cmedia.local/cmedia
* SPN found :LDAP/a29d12f1-2869-44bf-8e43-adf7ddf33865._msdcs.cmedia.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a29d12f1-2869-44bf-8e43-adf7ddf33865/cmedia.local
* SPN found :HOST/CM-DC1-NY01.cmedia.local/cmedia.local
* SPN found :HOST/CM-DC1-NY01.cmedia.local
* SPN found :HOST/CM-DC1-NY01
* SPN found :GC/CM-DC1-NY01.cmedia.local/cmedia.local
[CM-DC1-NY01] No security related replication errors were found on this DC! To target the connection to a
specific source DC use /ReplSource:<DC>.
......................... CM-DC1-NY01 passed test CheckSecurityError
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CM-DC1-NY01 passed test CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
......................... CM-DC1-NY01 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
Skip the test because the server is running FRS.
......................... CM-DC1-NY01 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CM-DC1-NY01 passed test SysVolCheck
Starting test: FrsSysVol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CM-DC1-NY01 passed test FrsSysVol
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... CM-DC1-NY01 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=cmedia,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=cmedia,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=cmedia,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=cmedia,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=cmedia,DC=local
......................... CM-DC1-NY01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC CM-DC1-NY01 on DC CM-DC1-NY01.
* SPN found :LDAP/CM-DC1-NY01.cmedia.local/cmedia.local
* SPN found :LDAP/CM-DC1-NY01.cmedia.local
* SPN found :LDAP/CM-DC1-NY01
* SPN found :LDAP/CM-DC1-NY01.cmedia.local/cmedia
* SPN found :LDAP/a29d12f1-2869-44bf-8e43-adf7ddf33865._msdcs.cmedia.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a29d12f1-2869-44bf-8e43-adf7ddf33865/cmedia.local
* SPN found :HOST/CM-DC1-NY01.cmedia.local/cmedia.local
* SPN found :HOST/CM-DC1-NY01.cmedia.local
* SPN found :HOST/CM-DC1-NY01
* SPN found :HOST/CM-DC1-NY01.cmedia.local/cmedia
* SPN found :GC/CM-DC1-NY01.cmedia.local/cmedia.local
......................... CM-DC1-NY01 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC CM-DC1-NY01.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=cmedia,DC=local
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=cmedia,DC=local
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=cmedia,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=cmedia,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=cmedia,DC=local
(Domain,Version 3)
......................... CM-DC1-NY01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\CM-DC1-NY01\netlogon
Verified share \\CM-DC1-NY01\sysvol
......................... CM-DC1-NY01 passed test NetLogons
Starting test: ObjectsReplicated
CM-DC1-NY01 is in domain DC=cmedia,DC=local
Checking for CN=CM-DC1-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
n 3 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
n,DC=cmedia,DC=local in domain CN=Configuration,DC=cmedia,DC=local on 3 servers
Object is up-to-date on all servers.
......................... CM-DC1-NY01 passed test ObjectsReplicated
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test because /testdomain: was not entered
......................... CM-DC1-NY01 passed test OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... CM-DC1-NY01 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 16109 to 1073741823
* CM-DC1-NY01.cmedia.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4609 to 5108
* rIDPreviousAllocationPool is 4609 to 5108
* rIDNextRID: 4629
......................... CM-DC1-NY01 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... CM-DC1-NY01 passed test Services
Starting test: SystemLog
* The System Event log test
A warning event occurred. EventID: 0x0000002F
Time Generated: 07/08/2014 13:19:14
Event String:
Time Provider NtpClient: No valid response has been received from manually configured peer 0.ca.pool.ntp.org
after 8 attempts to contact it. This peer will be discarded as a time source and NtpClient will attempt to discover a n
ew peer with this DNS name. The error was: The peer is unreachable.
Found no errors in "System" Event log in the last 60 minutes.
......................... CM-DC1-NY01 passed test SystemLog
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CM-DC1-NY01 passed test Topology
Starting test: VerifyEnterpriseReferences
......................... CM-DC1-NY01 passed test VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference) CN=CM-DC1-NY01,OU=Domain Controllers,DC=cmedia,DC=local
and backlink on
CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmedia,DC=local are
correct.
The system object reference (serverReferenceBL)
CN=CM-DC1-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
C=local
and backlink on
CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chiefmed
ia,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=CM-DC1-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
C=local
and backlink on CN=CM-DC1-NY01,OU=Domain Controllers,DC=cmedia,DC=local are correct.
......................... CM-DC1-NY01 passed test VerifyReferences
Starting test: VerifyReplicas
......................... CM-DC1-NY01 passed test VerifyReplicas
Testing server: Default-First-Site-Name\CM-DC3-NY01
Starting test: Advertising
The DC CM-DC3-NY01 is advertising itself as a DC and having a DS.
The DC CM-DC3-NY01 is advertising as an LDAP server
The DC CM-DC3-NY01 is advertising as having a writeable directory
The DC CM-DC3-NY01 is advertising as a Key Distribution Center
The DC CM-DC3-NY01 is advertising as a time server
The DS CM-DC3-NY01 is advertising as a GC.
......................... CM-DC3-NY01 passed test Advertising
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC CM-DC1-NY01 for domain cmedia.local in site Default-First-Site-Name
Checking machine account for DC CM-DC3-NY01 on DC CM-DC1-NY01.
* SPN found :LDAP/CM-DC3-NY01.cmedia.local/cmedia.local
* SPN found :LDAP/CM-DC3-NY01.cmedia.local
* SPN found :LDAP/CM-DC3-NY01
* SPN found :LDAP/CM-DC3-NY01.cmedia.local/cmedia
* SPN found :LDAP/5e9d1971-39ca-484c-922d-411c2364c96e._msdcs.cmedia.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5e9d1971-39ca-484c-922d-411c2364c96e/cmedia.local
* SPN found :HOST/CM-DC3-NY01.cmedia.local/cmedia.local
* SPN found :HOST/CM-DC3-NY01.cmedia.local
* SPN found :HOST/CM-DC3-NY01
* SPN found :HOST/CM-DC3-NY01.cmedia.local/cmedia
* SPN found :GC/CM-DC3-NY01.cmedia.local/cmedia.local
Checking for CN=CM-DC3-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
n 2 servers
Object is up-to-date on all servers.
[CM-DC3-NY01] No security related replication errors were found on this DC! To target the connection to a
specific source DC use /ReplSource:<DC>.
......................... CM-DC3-NY01 passed test CheckSecurityError
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CM-DC3-NY01 passed test CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
......................... CM-DC3-NY01 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
Skip the test because the server is running FRS.
......................... CM-DC3-NY01 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CM-DC3-NY01 passed test SysVolCheck
Starting test: FrsSysVol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CM-DC3-NY01 passed test FrsSysVol
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... CM-DC3-NY01 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=cmedia,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=cmedia,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=cmedia,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=cmedia,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=cmedia,DC=local
......................... CM-DC3-NY01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC CM-DC3-NY01 on DC CM-DC3-NY01.
* SPN found :LDAP/CM-DC3-NY01.cmedia.local/cmedia.local
* SPN found :LDAP/CM-DC3-NY01.cmedia.local
* SPN found :LDAP/CM-DC3-NY01
* SPN found :LDAP/CM-DC3-NY01.cmedia.local/cmedia
* SPN found :LDAP/5e9d1971-39ca-484c-922d-411c2364c96e._msdcs.cmedia.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/5e9d1971-39ca-484c-922d-411c2364c96e/cmedia.local
* SPN found :HOST/CM-DC3-NY01.cmedia.local/cmedia.local
* SPN found :HOST/CM-DC3-NY01.cmedia.local
* SPN found :HOST/CM-DC3-NY01
* SPN found :HOST/CM-DC3-NY01.cmedia.local/cmedia
* SPN found :GC/CM-DC3-NY01.cmedia.local/cmedia.local
......................... CM-DC3-NY01 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC CM-DC3-NY01.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=cmedia,DC=local
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=cmedia,DC=local
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=cmedia,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=cmedia,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=cmedia,DC=local
(Domain,Version 3)
......................... CM-DC3-NY01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\CM-DC3-NY01\netlogon
Verified share \\CM-DC3-NY01\sysvol
......................... CM-DC3-NY01 passed test NetLogons
Starting test: ObjectsReplicated
CM-DC3-NY01 is in domain DC=cmedia,DC=local
Checking for CN=CM-DC3-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
n 3 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CM-DC3-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
n,DC=cmedia,DC=local in domain CN=Configuration,DC=cmedia,DC=local on 3 servers
Object is up-to-date on all servers.
......................... CM-DC3-NY01 passed test ObjectsReplicated
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test because /testdomain: was not entered
......................... CM-DC3-NY01 passed test OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... CM-DC3-NY01 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 16109 to 1073741823
* CM-DC1-NY01.cmedia.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 15109 to 15608
* rIDPreviousAllocationPool is 15109 to 15608
* rIDNextRID: 15110
......................... CM-DC3-NY01 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... CM-DC3-NY01 passed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... CM-DC3-NY01 passed test SystemLog
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CM-DC3-NY01 passed test Topology
Starting test: VerifyEnterpriseReferences
......................... CM-DC3-NY01 passed test VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference) CN=CM-DC3-NY01,OU=Domain Controllers,DC=cmedia,DC=local
and backlink on
CN=CM-DC3-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmedia,DC=local are
correct.
The system object reference (serverReferenceBL)
CN=CM-DC3-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
C=local
and backlink on
CN=NTDS Settings,CN=CM-DC3-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chiefmed
ia,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=CM-DC3-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
C=local
and backlink on CN=CM-DC3-NY01,OU=Domain Controllers,DC=cmedia,DC=local are correct.
......................... CM-DC3-NY01 passed test VerifyReferences
Starting test: VerifyReplicas
......................... CM-DC3-NY01 passed test VerifyReplicas
Testing server: Default-First-Site-Name\CM-DC4-NY01
Starting test: Advertising
The DC CM-DC4-NY01 is advertising itself as a DC and having a DS.
The DC CM-DC4-NY01 is advertising as an LDAP server
The DC CM-DC4-NY01 is advertising as having a writeable directory
The DC CM-DC4-NY01 is advertising as a Key Distribution Center
The DC CM-DC4-NY01 is advertising as a time server
The DS CM-DC4-NY01 is advertising as a GC.
......................... CM-DC4-NY01 passed test Advertising
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC CM-DC1-NY01 for domain cmedia.local in site Default-First-Site-Name
Checking machine account for DC CM-DC4-NY01 on DC CM-DC1-NY01.
* SPN found :LDAP/CM-DC4-NY01.cmedia.local/cmedia.local
* SPN found :LDAP/CM-DC4-NY01.cmedia.local
* SPN found :LDAP/CM-DC4-NY01
* SPN found :LDAP/CM-DC4-NY01.cmedia.local/cmedia
* SPN found :LDAP/37830012-1f10-43c9-a0ff-2a0e8a912187._msdcs.cmedia.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/37830012-1f10-43c9-a0ff-2a0e8a912187/cmedia.local
* SPN found :HOST/CM-DC4-NY01.cmedia.local/cmedia.local
* SPN found :HOST/CM-DC4-NY01.cmedia.local
* SPN found :HOST/CM-DC4-NY01
* SPN found :HOST/CM-DC4-NY01.cmedia.local/cmedia
* SPN found :GC/CM-DC4-NY01.cmedia.local/cmedia.local
Checking for CN=CM-DC4-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
n 2 servers
Object is up-to-date on all servers.
[CM-DC4-NY01] No security related replication errors were found on this DC! To target the connection to a
specific source DC use /ReplSource:<DC>.
......................... CM-DC4-NY01 passed test CheckSecurityError
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CM-DC4-NY01 passed test CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
......................... CM-DC4-NY01 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
Skip the test because the server is running FRS.
......................... CM-DC4-NY01 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CM-DC4-NY01 passed test SysVolCheck
Starting test: FrsSysVol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CM-DC4-NY01 passed test FrsSysVol
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... CM-DC4-NY01 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=cmedia,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=cmedia,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=cmedia,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=cmedia,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CM-DC1-NY01,CN=Servers,CN=Default-First-Site-Name,CN
=Sites,CN=Configuration,DC=cmedia,DC=local
......................... CM-DC4-NY01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC CM-DC4-NY01 on DC CM-DC4-NY01.
* SPN found :LDAP/CM-DC4-NY01.cmedia.local/cmedia.local
* SPN found :LDAP/CM-DC4-NY01.cmedia.local
* SPN found :LDAP/CM-DC4-NY01
* SPN found :LDAP/CM-DC4-NY01.cmedia.local/cmedia
* SPN found :LDAP/37830012-1f10-43c9-a0ff-2a0e8a912187._msdcs.cmedia.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/37830012-1f10-43c9-a0ff-2a0e8a912187/cmedia.local
* SPN found :HOST/CM-DC4-NY01.cmedia.local/cmedia.local
* SPN found :HOST/CM-DC4-NY01.cmedia.local
* SPN found :HOST/CM-DC4-NY01
* SPN found :HOST/CM-DC4-NY01.cmedia.local/cmedia
* SPN found :GC/CM-DC4-NY01.cmedia.local/cmedia.local
......................... CM-DC4-NY01 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC CM-DC4-NY01.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=cmedia,DC=local
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=cmedia,DC=local
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=cmedia,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=cmedia,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=cmedia,DC=local
(Domain,Version 3)
......................... CM-DC4-NY01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\CM-DC4-NY01\netlogon
Verified share \\CM-DC4-NY01\sysvol
......................... CM-DC4-NY01 passed test NetLogons
Starting test: ObjectsReplicated
CM-DC4-NY01 is in domain DC=cmedia,DC=local
Checking for CN=CM-DC4-NY01,OU=Domain Controllers,DC=cmedia,DC=local in domain DC=cmedia,DC=local o
n 3 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CM-DC4-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuratio
n,DC=cmedia,DC=local in domain CN=Configuration,DC=cmedia,DC=local on 3 servers
Object is up-to-date on all servers.
......................... CM-DC4-NY01 passed test ObjectsReplicated
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test because /testdomain: was not entered
......................... CM-DC4-NY01 passed test OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=cmedia,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's
no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... CM-DC4-NY01 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 16109 to 1073741823
* CM-DC1-NY01.cmedia.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 15609 to 16108
* rIDPreviousAllocationPool is 15609 to 16108
* rIDNextRID: 15609
......................... CM-DC4-NY01 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... CM-DC4-NY01 passed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... CM-DC4-NY01 passed test SystemLog
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=cmedia,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CM-DC4-NY01 passed test Topology
Starting test: VerifyEnterpriseReferences
......................... CM-DC4-NY01 passed test VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference) CN=CM-DC4-NY01,OU=Domain Controllers,DC=cmedia,DC=local
and backlink on
CN=CM-DC4-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=cmedia,DC=local are
correct.
The system object reference (serverReferenceBL)
CN=CM-DC4-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
C=local
and backlink on
CN=NTDS Settings,CN=CM-DC4-NY01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=chiefmed
ia,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=CM-DC4-NY01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=cmedia,D
C=local
and backlink on CN=CM-DC4-NY01,OU=Domain Controllers,DC=cmedia,DC=local are correct.
......................... CM-DC4-NY01 passed test VerifyReferences
Starting test: VerifyReplicas
......................... CM-DC4-NY01 passed test VerifyReplicas -
Domain controller environment do we required CAL's license ?
Domain controller environment do we required CAL's license?
Do I need any licensing to connect workstations to a domain?
Where we have License for the AD Server (2008 /2012 ) and there License of client os (windows 7/ windows 8 ) still we required the CAL's license DC ?
I have a server running Windows Server 2012. I want to turn this into a domain controller. In order to connect my workstations to my serverHi,
on this link:
http://www.microsoft.com/licensing/about-licensing/windowsserver2012-r2.aspx#tab=4 we have the following:
Client Access Licenses (CALs) are required for each user or device accessed. The Windows Server 2012 related CALs provide entitlement to access and use Windows 2012 R2 functionality.
on th emultiplexing link:
http://www.microsoft.com/licensing/about-licensing/briefs/multiplexing.aspx you can download th ePDF data who is mentioned that:
"Multiplexing does not reduce the number of Microsoft licenses required. Users are required to have the appropriate licenses, regardless of their
direct or indirect connection to the product. Any user or device that accesses the server, files, or data or content provided by the server that is made available through an automated process requires a CAL."
thanks
diramoh -
Sorry if my attempt to be thorough in my description may result in excessive and unnecessary information.
I'm running into some problems with a single server running WS 2012 R2 as a domain controller (AD and DNS) and I’m trying to figure out what the cause is.
The network has ~10 computers on it connected through a cable business gateway (running DHCP) which feeds 2 switches and a wireless router acting as a switch. (I also turned on remote services, but the end users aren’t using that until I get certificates
setup.)
For 6+ months everyone had access to the shared files and databases on each workstation without issue.
In the last month users would occasionally have to re-enter their credentials to get access to shared server folders despite being on a domain account already.
Last week one of the computers intermittently cannot gain access to the shared folders– entering the correct credentials just results in the credentials being requested again and again: There’s an error icon at the bottom saying that “there are currently
no logon servers available to service the logon request”. While access is rejected I’m still able to ping the DC both via its name and IPV4 address.
(Pinging via its name results in an IPv6 address in the response.)
Other network connectivity appears intact (able to browse the web, perform network discovery.)
Things that ‘seem’ to allow access on this computer until the next failure:
Entering a different domain username and password into the windows credentials request has allowed access a couple of times.
Disconnecting and reconnecting the network cable allowed the original username to be used to log on (at least once.)
After removing it from and then rejoining it to the domain (a few hours ago) it experienced the problem once more. Also, logging on with domain credentials created a TEMP user folder instead of the folder with the domain username.
Looking at the event logs, I notice there are quite a few warnings and errors reported regarding DC access on many of the computers; maybe this is normal?
Most Problematic Computer:
Event ID 8016: System failed to register host A or AAAA resource records. (With an unknown Ipv6 and the server’s ipv4 address in the DNS server list.)
Event ID 131: NtpClient unable to set a domain peer to use as a time source because of DNS resolution error on ‘Server.domain.local’
‘No such host is known.”
Event ID 5719: NETLOGON. This computer was not able to setup a secure session with a domain controller in the domain due …..: there are currently no logon servers available to service the logon request.
And then pairs of: Event 1500: The Group Policy settings for the computer were processed successfully. There were no changes detected since the last successful processing of Group Policy. & Event 1054:
The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
Event 1030: The processing of Group Policy failed. Windows attempted to retrieve new Group Policy settings for this user or computer. Look in the details tab for error code and description. Windows will automatically retry this operation
at the next refresh cycle. Computers joined to the domain must have proper name resolution and network connectivity to a domain controller for discovery of new Group Policy objects and settings. An event will be logged when Group Policy is successful.
On the server I’ve run DCDIAG and DCDIAG /test:DNS and those all appeared to pass.
Ipconfig/all from the server:
Connection-specific DNS Suffix
Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
Physical Address. . . . . . . . . : FC-4D-D4-F2-A1-83
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:b155:a0b0:892d:9ed5(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::b155:a0b0:892d:9ed5%13(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.10.42(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%13
10.1.10.1
DHCPv6 IAID . . . . . . . . . . . : 234638804
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-3F-7D-B9-68-05-CA-24-31-C4
DNS Servers . . . . . . . . . . . : ::1
127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Ipconfig/all from the problematic computer:
Wireless LAN adapter Wi-Fi:
Connection-specific DNS Suffix
. : wp.comcast.net
Description . . . . . . . . . . . : Intel(R) Centrino(R) Wireless-N 6150
Physical Address. . . . . . . . . : 40-25-C2-63-C2-B8
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:8:a182:1100:8f5:1606:d0a8:6b25(Prefe
rred)
Temporary IPv6 Address. . . . . . : 2601:8:a182:1100:283e:f9e8:4841:6c50(Pref
erred)
Link-local IPv6 Address . . . . . : fe80::8f5:1606:d0a8:6b25%3(Preferred)
IPv4 Address. . . . . . . . . . . : 10.1.10.31(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Tuesday, March 10, 2015 9:19:02 AM
Lease Expires . . . . . . . . . . : Tuesday, March 17, 2015 1:23:15 PM
Default Gateway . . . . . . . . . : fe80::abd:43ff:fe9a:ab47%3
10.1.10.1
DHCP Server . . . . . . . . . . . : 10.1.10.1
DHCPv6 IAID . . . . . . . . . . . : 54535618
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-15-6B-AA-F0-DE-F1-9C-07-D4
DNS Servers . . . . . . . . . . . : 2001:558:feed::1
2001:558:feed::2
10.1.10.42
NetBIOS over Tcpip. . . . . . . . : Enabled
Any thoughts? I was assuming it was a Domain Controller/DNS error, but I don't know where to check next. Could a failing piece of hardware be the culprit?
Thanks,
-JTHi,
According to the error you have posted.
A Netlogon 5719 event indicates that the client component of Netlogon was unable to locate a DC for the domain it was trying to perform an operation against.
Most of the time this is caused by network issues or name resolution (DNS/WINS) issues, you could refer to:
Netlogon 5719 and the Disappearing Domain [Controller]
http://blogs.technet.com/b/instan/archive/2008/09/18/netlogon-5719-and-the-disappearing-domain.aspx
Did you refer to this KB article?
Event ID 5719 is logged when you start a Domain Member
http://support.microsoft.com/kb/938449
Regards.
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
I apologize in advance for the rambling novella, but I tried to include as many details ahead of time as I could.
I guess like most issues, this one's been evolving for a while, it started out with us trying to add a new member
to a replication group that's on a subnet without connectivity to the FSMO roles holder. I'll try to describe the
layout as best as I can up front.
The AD only has one domain & both the forest & domain are at 2008R2 function level. We've got two sites defined in
Sites & Services, Site A is an off-site datacenter with one associated subnet & Site B with 6 associated subnets, A-F.
The two sites are connected by a WAN link from a cable provider. Subnets E & F at Site B have no connectivity to Site A
across that WAN, only what's available through the front side of the datacenter through the public Internet. The network
engineering group involved refuses to route that WAN traffic to those two subnets & we've got no recourse against that
decision; so I'm trying to find a way to accomplish this without that if possible.
The FSMO roles holder is located at Site A. I know that I can define a Site C, add Subnets E & F to that site, & then
configure an SMTP site link between Sites A & C, but that only handles AD replication, correct? That still wouldn't allow me, for example,
to enumerate DFS namespaces from subnets E & F, or to add a fileserver on either of those subnets as a member to an existing
DFS replication group, right? Also, root scalability is enabled on all the namespace shares.
Is there a way to accomplish both of these things without transferring the FSMO roles from the original DC at Site A to, say,
the bridgehead DC at Site B?
When the infrastructure was originally setup by a former analyst, the topology was much more simple & everything was left
under the Default First Site & no sites/subnets were setup until fairly recently to resolve authentication issues on
Subnets E & F... I bring this up just to say, the FSMO roles holder has held them throughout the build out & addition of
all sorts of systems & I'm honestly not sure what, if anything, the transfer of those roles will break.
I definitely don't claim to be an expert in any of this, I'll be the first to say that I'm a work-in-progress on this AD design stuff,
I'm all for R'ing the FM, but frankly I'm dragging bottom at this point in finding the right FM. I've been digging around
on Google, forums, & TechNet for the past week or so as this has evolved, but no resolution yet.
On VMs & machines on subnets E & F when I go to DFS Management -> Namespace -> Add Namespaces to Display..., none show up
automatically & when I click Show Namespaces, after a few seconds I get "The namespaces on DOMAIN cannot be enumerated. The
specified domain either does not exist or could not be contacted". If I run a dfsutil /pktinfo, nothing shows except \sysvol
but I can access the domain-based DFS shares through Windows Explorer with the UNC path \\DOMAIN-FQDN\Share-Name then when
I run a dfsutil /pktinfo it shows all the shares that I've accessed so far.
So either I'm doing something wrong, or, for some random large, multinational company, every sunbet & fileserver one wants
to add to a DFS Namespace has to be able to contact the FSMO roles holder? Or, are those ADs broken down with a child domain
for each Site & a FSMO roles holder for that child domain is located in each site?Hi,
A DC in siteB should helpful. I still not see any article mentioned that a DFS client have to connect to PDC every time trying to access a DFS domain based namespace.
Please see following article. I pasted a part of it below:
http://technet.microsoft.com/en-us/library/cc782417(v=ws.10).aspx
Domain controllers play numerous roles in DFS:
Domain controllers store DFS metadata in Active Directory about domain-based namespaces. DFS metadata consists of information about entire namespace, including the root, root targets, links, link targets, and settings. By default,root servers
that host domain-based namespaces periodically poll the domain controller acting as the primary domain controller (PDC) emulator master to obtain an updated version of the DFS metadata and store this metadata in memory.
So Other DC needs to connect PDC for an updated metadata.
Whenever an administrator makes a change to a domain-based namespace, the
change is made on the domain controller acting as the PDC emulator master and is then replicated (via Active Directory replication) to other domain controllers in the domain.
Domain Name Referral Cache
A domain name referral contains the NetBIOS and DNS names of the local domain, all trusted domains in the forest, and domains in trusted forests. A
DFS client requests a domain name referral from a domain controller to determine the domains in which the clients can access domain-based namespaces.
Domain Controller Referral Cache
A domain controller referral contains the NetBIOS and DNS names of the domain controllers for the list of domains it has cached. A DFS client requests a domain controller referral from a domain controller (in the client’s domain)
to determine which domain controllers can provide a referral for a domain-based namespace.
Domain-based Root Referral Cache
The domain-based root referrals in this memory cache do not store targets in any particular order. The targets are sorted according to the target selection method only when requested from the client. Also, these referrals are based on DFS metadata stored
on the local domain controller, not the PDC emulator master.
Thus it seems to be acceptable to have a disconnect between sites shortly when cache is still working on siteB.
If you have any feedback on our support, please send to [email protected]. -
I apologize in advance for the rambling novella, but I tried to include as many details ahead of time as I could.
I guess like most issues, this one's been evolving for a while, it started out with us trying to add a new member
to a replication group that's on a subnet without connectivity to the FSMO roles holder. I'll try to describe the
layout as best as I can up front.
The AD only has one domain & both the forest & domain are at 2008R2 function level. We've got two sites defined in
Sites & Services, Site A is an off-site datacenter with one associated subnet & Site B with 6 associated subnets, A-F.
The two sites are connected by a WAN link from a cable provider. Subnets E & F at Site B have no connectivity to Site A
across that WAN, only what's available through the front side of the datacenter through the public Internet. The network
engineering group involved refuses to route that WAN traffic to those two subnets & we've got no recourse against that
decision; so I'm trying to find a way to accomplish this without that if possible.
The FSMO roles holder is located at Site A. I know that I can define a Site C, add Subnets E & F to that site, & then
configure an SMTP site link between Sites A & C, but that only handles AD replication, correct? That still wouldn't allow me, for example,
to enumerate DFS namespaces from subnets E & F, or to add a fileserver on either of those subnets as a member to an existing
DFS replication group, right? Also, root scalability is enabled on all the namespace shares.
Is there a way to accomplish both of these things without transferring the FSMO roles from the original DC at Site A to, say,
the bridgehead DC at Site B?
When the infrastructure was originally setup by a former analyst, the topology was much more simple & everything was left
under the Default First Site & no sites/subnets were setup until fairly recently to resolve authentication issues on
Subnets E & F... I bring this up just to say, the FSMO roles holder has held them throughout the build out & addition of
all sorts of systems & I'm honestly not sure what, if anything, the transfer of those roles will break.
I definitely don't claim to be an expert in any of this, I'll be the first to say that I'm a work-in-progress on this AD design stuff,
I'm all for R'ing the FM, but frankly I'm dragging bottom at this point in finding the right FM. I've been digging around
on Google, forums, & TechNet for the past week or so as this has evolved, but no resolution yet.
On VMs & machines on subnets E & F when I go to DFS Management -> Namespace -> Add Namespaces to Display..., none show up
automatically & when I click Show Namespaces, after a few seconds I get "The namespaces on DOMAIN cannot be enumerated. The
specified domain either does not exist or could not be contacted". If I run a dfsutil /pktinfo, nothing shows except \sysvol
but I can access the domain-based DFS shares through Windows Explorer with the UNC path \\DOMAIN-FQDN\Share-Name then when
I run a dfsutil /pktinfo it shows all the shares that I've accessed so far.
So either I'm doing something wrong, or, for some random large, multinational company, every sunbet & fileserver one wants
to add to a DFS Namespace has to be able to contact the FSMO roles holder? Or, are those ADs broken down with a child domain
for each Site & a FSMO roles holder for that child domain is located in each site?Hi Matthew,
Unfortunately a lot of the intricacies of DFS leave my head as soon as I’m done with a particular design or troubleshooting situation but from memory, having direct connectivity to the PDC emulator for a particular domain is the key to managing domain based
DFS.
Have a read of this article for the differences between “Optimize for consistency” vs “Optimize for scalability”:
http://technet.microsoft.com/en-us/library/cc737400(v=ws.10).aspx
In brief, I’d say they mean:
In consistency mode the namespace servers always poll the PDCe for the latest and greatest information on the namespaces they are hosting.
In scalability mode the namespace servers should poll the closest DC for information on the namespaces they are hosting.
The key piece of information in that article about scalability mode is: “Updates are still made to the namespace object in Active Directory on the PDC emulator, but namespace servers do not discover those changes until the updated namespace object replicates
(using Active Directory replication) to the closest domain controller for each namespace server.”
I read that as saying you can have a server running DFS-N as long as it has connectivity to a DC but if you want to make changes, do them from a box that has direct connectivity to the PDCe. Then let AD replication float those changes out to your other DCs
where the remote DFS-N server will eventually pick them up. Give it a try and see how you get on.
That being said, you may want to double check that you have configured the most appropriate FSMO role placement in your environment's AD design:
http://technet.microsoft.com/en-us/library/cc754889(v=ws.10).aspx
And a DFS response probably wouldn’t be complete without an AskDS link:
http://blogs.technet.com/b/askds/archive/2012/07/24/common-dfsn-configuration-mistakes-and-oversights.aspx
These links may also help:
http://blogs.technet.com/b/filecab/archive/2012/08/26/dfs-namespace-scalability-considerations.aspx
http://blogs.technet.com/b/josebda/archive/2009/12/30/windows-server-dfs-namespaces-reference.aspx
http://blogs.technet.com/b/josebda/archive/2009/06/26/how-many-dfs-n-namespaces-servers-do-you-need.aspx
I hope this helps,
Mark -
Hi,
hummmm...
The client had 1 Server with AD and All Apps, IIS, Terminal Servers (30 device Cal), File Server, SQL2008R2 on it
Task: Install new AD server promote it to DC, bring in 2nd server, Replicate the File Server (DFSR) on these 2 servers, and demote it to standard server.
1) Old AD with name "Server" with OS-2008R2 SP1 and is a DC.
2) Brought in a new server "PrimaryAD", Installed 2008R2, done DC Promo, and added it as Additional Domain controller
3) Transferred roles from old server "Server" to "PrimaryAD"
4) Brought in a new File Server replicating server "Backup-Server"
5) Copied all the data from Server to Backup-server as DFS initial file sync with robocopy
6) here the problem started, after the copy finished, next morning the "Server" server crashed.....
7) thank god the data was backed up on Backup-server. but we didnt get the time to Demote the server "Server" and remove AD from it.
8) Since AD was replicated so "PrimaryAD" was are DC, brought 2nd Server "SecondaryDC" as additional domain controller.
9) we cleaned up the metadata and used ASIEDIT to clean the remaining stuff.
10) the "Server" server was formatted and renamed as "Primary-Server" and OS2008R2 SP1 was installed with rest of required apps
11) so now the PrimaryAD the DC, SecondaryAD the Additional Domain controller, Primary-Server the mail server and File server, the Backup-server, the replicated server.
Now configured DFS Replication from Primary-Server to Backup-server and receive following Event ID 1202
If i Configure DFS Replication as follows
PrimaryAD <<>> SecondaryAD -= Works... no errors...
PrimaryAD <<>> Backup-Server = Creates but Dosent works Event ID 5012, error The DFS Replication service failed to communicate with partner BACKUP-SERVER, Additional Information: Error: 9026 (The connection is invalid)
PrimaryAD <<>> Primary-Server = Dosent creates replication job just hangs,
on primaryad continious Eveni ID 10009, DCOM was unable to communicate with the computer "SERVER" using any of the configured protocols
......something on PrimaryAD is still trying to connect to old corrupt AD server "Server"
No errors with AD replication, SYSVOL & Netlogon shares also working fine and accessible.
DFS Diagnose report says
DNS name: backup-server.mydomain.com
Domain name: mydomain.COM
Reference domain controller: -- (HERE there is NO DOMAIN CONTROLLER mentioned)
IP address: 192.168.1.248,192.168.1.251,::1
Site: Default-First-Site-Name
Forgot to mention, gave full rights with ADSIEDIT to DFSR-LocalSettings for all server to Administrator and read permissions to "Authenticated Users"
DFSRDIAG POLLAD throws following error
c:\Dfsrdiag pollad /verbose
[INFO] Computer Name: BACKUP-SERVER
[INFO] Computer DNS: Backup-Server.mydomain.COM
[INFO] Domain Name: mydomain
[INFO] Domain DNS: mydomain.COM
[INFO] Site Name: Default-First-Site-Name
[INFO] Connected to WMI services on computer: Backup-Server.mydomain.COM
[INFO] Invoke PollDsNow() method on Backup-Server.mydomain.COM
[ERROR] PollDsNow method executed unsuccessfully. ReturnValue: 12 (0xc)
[ERROR] Failed to execute PollAD command Err: -2147217407 (0x80041001)
Can anyone point me to any direction which can lead to resolution of this ERROR and make DFS_R work..
Thanks
bikramHi,
It seems that DCPROMO did its work without complaints, still the DFSR references remained in AD. You could refer to the article below to clean up the DFS Replication object.
How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/kb/216498
In additional, please refer to the following thread to troubleshoot the issue:
DFS is not working anymore.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/953be9ef-e9e3-4885-a5c4-47fc475ba562/dfs-is-not-working-anymore?forum=winserverfiles
Regards,
Mandy
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.
Maybe you are looking for
-
Photos will not allow me to set the key picture for the album or event
Photos will not allow me to set the key picture for the album or event - it is set to grey ! Anyone else had this and found why ? new PHOTO app replacing iPhoto bugs/ Problems OTHER PROBLEMS : - no longer has a five star rating system - my keywords f
-
Missing a Formula for ignoring blank cells.
I've made a spreadsheet in Numbers 2.3 for keeping track of FIFA standings for a group. Because the scores are empty, the formulas think it's a 0. This is a problem for the draw column since it thinks that the scores are equal. Is there a function I'
-
Error while configuring application server in Jdev 11g
Hi all, I am trying make connection to application server in Jdev 11g. While testing the connection i am facing the below error. Testing JSR-160 Runtime ... failed. Cannot establish connection. Testing JSR-160 DomainRuntime ... skipped. Testing JSR-8
-
How can I set my content filtering to allow me to access all my email and applications
I got an email and tried to view the information on the link but could not due to content filtering
-
A file association problem exists, which prevents the file you're trying to download from being associated with the correct application by the operating system USING WINDOW 7 IE 11 HOW CAN I FIX???