icedcool
asked on
Expert active directory admins only
I started getting errors that nothing could access the active directory. I tried opening Domain security policy and it says that configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. I tried adding a computer to the domain, and it says "Logon Failure: target name is incorrect". The dns server also can't access the active directory according to the errors generated. The dns server is pointing to the dc,and nslookup is registering everything fine. I tried reseting a machine through the active directory gui and now I cant log onto the users that were associated with the domain on the comp. I can use the Active directory gui, but have to get access back to the active directory. Bigbox (the server) is a DC also.
Any help is apreciated.
Dcdiag:
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine bigbox, is a DC.
* Connecting to directory service on server bigbox.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\BI
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... BIGBOX passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\BI
Starting test: Replications
* Replications Check
* Replication Latency Check
* Replication Site Latency Check
......................... BIGBOX passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=offic
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=offic
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=office
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=office,DC=gastonia,DC=w
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... BIGBOX passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=offic
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=offic
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Analyzing the alive system replication topology for CN=Configuration,DC=office
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Analyzing the alive system replication topology for DC=office,DC=gastonia,DC=w
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
......................... BIGBOX passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC BIGBOX.
* Security Permissions Check for
DC=ForestDnsZones,DC=offic
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=offic
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=office
(Configuration,Version 2)
* Security Permissions Check for
DC=office,DC=gastonia,DC=w
(Domain,Version 2)
......................... BIGBOX passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\BIGBOX\netlogon
Verified share \\BIGBOX\sysvol
......................... BIGBOX passed test NetLogons
Starting test: Advertising
The DC BIGBOX is advertising itself as a DC and having a DS.
The DC BIGBOX is advertising as an LDAP server
The DC BIGBOX is advertising as having a writeable directory
The DC BIGBOX is advertising as a Key Distribution Center
The DC BIGBOX is advertising as a time server
The DS BIGBOX is advertising as a GC.
......................... BIGBOX passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=BIGBOX,CN=Serv
Role Domain Owner = CN=NTDS Settings,CN=BIGBOX,CN=Serv
Role PDC Owner = CN=NTDS Settings,CN=BIGBOX,CN=Serv
Role Rid Owner = CN=NTDS Settings,CN=BIGBOX,CN=Serv
Role Infrastructure Update Owner = CN=NTDS Settings,CN=BIGBOX,CN=Serv
......................... BIGBOX passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 1610 to 1073741823
* bigbox.office.gastonia.wat
* DsBind with RID Master was successful
* rIDAllocationPool is 1110 to 1609
* rIDPreviousAllocationPool is 1110 to 1609
* rIDNextRID: 1153
......................... BIGBOX passed test RidManager
Starting test: MachineAccount
Checking machine account for DC BIGBOX on DC BIGBOX.
The account BIGBOX is not a DC account. It cannot replicate.
Warning: Attribute userAccountControl of BIGBOX is: 0x81000 = ( UF_WORKSTATION_TRUST_ACCOU
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
* SPN found :LDAP/bigbox.office.gaston
* SPN found :LDAP/bigbox.office.gaston
* SPN found :LDAP/BIGBOX
* SPN found :LDAP/bigbox.office.gaston
* SPN found :LDAP/ace3522f-ef35-454f-9
* SPN found :E3514235-4B06-11D1-AB04-0
* SPN found :HOST/bigbox.office.gaston
* SPN found :HOST/bigbox.office.gaston
* SPN found :HOST/BIGBOX
* SPN found :HOST/bigbox.office.gaston
* SPN found :GC/bigbox.office.gastonia
......................... BIGBOX failed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... BIGBOX passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... BIGBOX passed test OutboundSecureChannels
Starting test: ObjectsReplicated
BIGBOX is in domain DC=office,DC=gastonia,DC=w
Checking for CN=BIGBOX,OU=Domain Controllers,DC=office,DC=g
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=BIGBOX,CN=Serv
Object is up-to-date on all servers.
......................... BIGBOX passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... BIGBOX passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... BIGBOX passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... BIGBOX passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 04/26/2006 17:05:45
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/bigbox.office.gastoni
target name used was
LDAP/ace3522f-ef35-454f-90
This indicates that the password used to encrypt
the kerberos service ticket is different than
that on the target server. Commonly, this is due
to identically named machine accounts in the
target realm (OFFICE.GASTONIA.WATERSTON
the client realm. Please contact your system
administrator.
......................... BIGBOX failed test systemlog
Starting test: VerifyReplicas
For the partition
(DC=ForestDnsZones,DC=offi
encountered the following error retrieving the cross-ref's
(CN=bb371fd5-2ed4-444f-858
information:
LDAP Error 0x2095 (8341).
For the partition
(DC=DomainDnsZones,DC=offi
encountered the following error retrieving the cross-ref's
(CN=40e3ad6a-2636-4f76-b33
information:
LDAP Error 0x2095 (8341).
......................... BIGBOX failed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=BIGBOX,OU=Domain Controllers,DC=office,DC=g
and backlink on
CN=BIGBOX,CN=Servers,CN=De
are correct.
The system object reference (frsComputerReferenceBL)
CN=BIGBOX,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=offic
and backlink on
CN=BIGBOX,OU=Domain Controllers,DC=office,DC=g
are correct.
The system object reference (serverReferenceBL)
CN=BIGBOX,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=offic
and backlink on
CN=NTDS Settings,CN=BIGBOX,CN=Serv
are correct.
......................... BIGBOX passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
Can't determine the age of the cross-ref
CN=40e3ad6a-2636-4f76-b33f
for the partition
DC=DomainDnsZones,DC=offic
following errors relating to this cross-ref/partition may disappear
after replication coalesces. Please ensure that replication is
working from the Domain Naming FSMO to this DC, and retry this test to
see if errors continue.
Can't determine the age of the cross-ref
CN=bb371fd5-2ed4-444f-8589
for the partition
DC=ForestDnsZones,DC=offic
following errors relating to this cross-ref/partition may disappear
after replication coalesces. Please ensure that replication is
working from the Domain Naming FSMO to this DC, and retry this test to
see if errors continue.
Can't determine the age of the cross-ref
CN=Enterprise Configuration,CN=Partition
for the partition
CN=Configuration,DC=office
following errors relating to this cross-ref/partition may disappear
after replication coalesces. Please ensure that replication is
working from the Domain Naming FSMO to this DC, and retry this test to
see if errors continue.
Can't determine the age of the cross-ref
CN=Enterprise Schema,CN=Partitions,CN=Co
for the partition
CN=Schema,CN=Configuration
so following errors relating to this cross-ref/partition may disappear
after replication coalesces. Please ensure that replication is
working from the Domain Naming FSMO to this DC, and retry this test to
see if errors continue.
Can't determine the age of the cross-ref
CN=OFFICE,CN=Partitions,CN
for the partition DC=office,DC=gastonia,DC=w
following errors relating to this cross-ref/partition may disappear
after replication coalesces. Please ensure that replication is
working from the Domain Naming FSMO to this DC, and retry this test to
see if errors continue.
......................... BIGBOX failed test VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC BIGBOX for domain office.gastonia.waterstone
Checking machine account for DC BIGBOX on DC BIGBOX.
The account BIGBOX is not a DC account. It cannot replicate.
Warning: Attribute userAccountControl of BIGBOX is: 0x81000 = ( UF_WORKSTATION_TRUST_ACCOU
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
* SPN found :LDAP/bigbox.office.gaston
* SPN found :LDAP/bigbox.office.gaston
* SPN found :LDAP/BIGBOX
* SPN found :LDAP/bigbox.office.gaston
* SPN found :LDAP/ace3522f-ef35-454f-9
* SPN found :E3514235-4B06-11D1-AB04-0
* SPN found :HOST/bigbox.office.gaston
* SPN found :HOST/bigbox.office.gaston
* SPN found :HOST/BIGBOX
* SPN found :HOST/bigbox.office.gaston
* SPN found :GC/bigbox.office.gastonia
Unable to verify the machine account (CN=BIGBOX,OU=Domain Controllers,DC=office,DC=g
[BIGBOX] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... BIGBOX passed test CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
For the partition
(DC=ForestDnsZones,DC=offi
encountered the following error retrieving the cross-ref's
(CN=bb371fd5-2ed4-444f-858
information:
LDAP Error 0x2095 (8341).
......................... ForestDnsZones failed test CrossRefValidation
Starting test: CheckSDRefDom
For the partition
(DC=ForestDnsZones,DC=offi
encountered the following error retrieving the cross-ref's
(CN=bb371fd5-2ed4-444f-858
information:
LDAP Error 0x2095 (8341).
......................... ForestDnsZones failed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
For the partition
(DC=DomainDnsZones,DC=offi
encountered the following error retrieving the cross-ref's
(CN=40e3ad6a-2636-4f76-b33
information:
LDAP Error 0x2095 (8341).
......................... DomainDnsZones failed test CrossRefValidation
Starting test: CheckSDRefDom
For the partition
(DC=DomainDnsZones,DC=offi
encountered the following error retrieving the cross-ref's
(CN=40e3ad6a-2636-4f76-b33
information:
LDAP Error 0x2095 (8341).
......................... DomainDnsZones failed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
For the partition
(CN=Schema,CN=Configuratio
we encountered the following error retrieving the cross-ref's
(CN=Enterprise Schema,CN=Partitions,CN=Co
information:
LDAP Error 0x2095 (8341).
......................... Schema failed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
For the partition
(CN=Configuration,DC=offic
encountered the following error retrieving the cross-ref's
(CN=Enterprise Configuration,CN=Partition
information:
LDAP Error 0x2095 (8341).
......................... Configuration failed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : office
Starting test: CrossRefValidation
For the partition (DC=office,DC=gastonia,DC=
encountered the following error retrieving the cross-ref's
(CN=OFFICE,CN=Partitions,C
information:
LDAP Error 0x2095 (8341).
......................... office failed test CrossRefValidation
Starting test: CheckSDRefDom
......................... office passed test CheckSDRefDom
Running enterprise tests on : office.gastonia.waterstone
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... office.gastonia.waterstone
Starting test: FsmoCheck
GC Name: \\bigbox.office.gastonia.w
Locator Flags: 0xe00003fd
PDC Name: \\bigbox.office.gastonia.w
Locator Flags: 0xe00003fd
Time Server Name: \\bigbox.office.gastonia.w
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\bigbox.office.gastonia.w
Locator Flags: 0xe00003fd
KDC Name: \\bigbox.office.gastonia.w
Locator Flags: 0xe00003fd
......................... office.gastonia.waterstone
Starting test: DNS
Test results for domain controllers:
DC: bigbox.office.gastonia.wat
Domain: office.gastonia.waterstone
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Standard Edition (Service Pack level: 1.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000009] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:11:43:F1:42:38
IP address is static
IP address: 192.168.1.1
DNS servers:
192.168.1.1 (<name unavailable>) [Valid]
Adapter [00000010] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:11:43:F1:42:39
IP address is static
IP address: x.x.x.x
DNS servers:
192.168.1.1 (<name unavailable>) [Valid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found (primary)
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
66.255.85.8 (<name unavailable>) [Valid]
66.255.85.9 (<name unavailable>) [Valid]
TEST: Delegations (Del)
No delegations were found in this zone on this DNS server
TEST: Dynamic update (Dyn)
Warning: Dynamic update is enabled on the zone but not secure office.gastonia.waterstone
Test record _dcdiag_test_record added successfully in zone office.gastonia.waterstone
Test record _dcdiag_test_record deleted successfully in zone office.gastonia.waterstone
TEST: Records registration (RReg)
Network Adapter [00000009] Intel(R) PRO/1000 MT Network Connection:
Matching A record found at DNS server 192.168.1.1:
bigbox.office.gastonia.wat
Matching CNAME record found at DNS server 192.168.1.1:
ace3522f-ef35-454f-90eb-e4
Matching DC SRV record found at DNS server 192.168.1.1:
_ldap._tcp.dc._msdcs.offic
Matching GC SRV record found at DNS server 192.168.1.1:
_ldap._tcp.gc._msdcs.offic
Matching PDC SRV record found at DNS server 192.168.1.1:
_ldap._tcp.pdc._msdcs.offi
Network Adapter [00000010] Intel(R) PRO/1000 MT Network Connection:
Matching A record found at DNS server 192.168.1.1:
bigbox.office.gastonia.wat
Matching CNAME record found at DNS server 192.168.1.1:
ace3522f-ef35-454f-90eb-e4
Matching DC SRV record found at DNS server 192.168.1.1:
_ldap._tcp.dc._msdcs.offic
Matching GC SRV record found at DNS server 192.168.1.1:
_ldap._tcp.gc._msdcs.offic
Matching PDC SRV record found at DNS server 192.168.1.1:
_ldap._tcp.pdc._msdcs.offi
Summary of test results for DNS servers used by the above domain controllers:
DNS server: 192.168.1.1 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server.
Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered
DNS server: 66.255.85.8 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server.
DNS server: 66.255.85.9 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server.
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
__________________________
Domain: office.gastonia.waterstone
bigbox PASS PASS PASS PASS WARN PASS n/a
......................... office.gastonia.waterstone
Any help is apreciated.
Dcdiag:
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine bigbox, is a DC.
* Connecting to directory service on server bigbox.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\BI
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... BIGBOX passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\BI
Starting test: Replications
* Replications Check
* Replication Latency Check
* Replication Site Latency Check
......................... BIGBOX passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=offic
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=offic
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=office
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=office,DC=gastonia,DC=w
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... BIGBOX passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=offic
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=offic
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Analyzing the alive system replication topology for CN=Configuration,DC=office
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Analyzing the alive system replication topology for DC=office,DC=gastonia,DC=w
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
......................... BIGBOX passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC BIGBOX.
* Security Permissions Check for
DC=ForestDnsZones,DC=offic
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=offic
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=office
(Configuration,Version 2)
* Security Permissions Check for
DC=office,DC=gastonia,DC=w
(Domain,Version 2)
......................... BIGBOX passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\BIGBOX\netlogon
Verified share \\BIGBOX\sysvol
......................... BIGBOX passed test NetLogons
Starting test: Advertising
The DC BIGBOX is advertising itself as a DC and having a DS.
The DC BIGBOX is advertising as an LDAP server
The DC BIGBOX is advertising as having a writeable directory
The DC BIGBOX is advertising as a Key Distribution Center
The DC BIGBOX is advertising as a time server
The DS BIGBOX is advertising as a GC.
......................... BIGBOX passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=BIGBOX,CN=Serv
Role Domain Owner = CN=NTDS Settings,CN=BIGBOX,CN=Serv
Role PDC Owner = CN=NTDS Settings,CN=BIGBOX,CN=Serv
Role Rid Owner = CN=NTDS Settings,CN=BIGBOX,CN=Serv
Role Infrastructure Update Owner = CN=NTDS Settings,CN=BIGBOX,CN=Serv
......................... BIGBOX passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 1610 to 1073741823
* bigbox.office.gastonia.wat
* DsBind with RID Master was successful
* rIDAllocationPool is 1110 to 1609
* rIDPreviousAllocationPool is 1110 to 1609
* rIDNextRID: 1153
......................... BIGBOX passed test RidManager
Starting test: MachineAccount
Checking machine account for DC BIGBOX on DC BIGBOX.
The account BIGBOX is not a DC account. It cannot replicate.
Warning: Attribute userAccountControl of BIGBOX is: 0x81000 = ( UF_WORKSTATION_TRUST_ACCOU
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
* SPN found :LDAP/bigbox.office.gaston
* SPN found :LDAP/bigbox.office.gaston
* SPN found :LDAP/BIGBOX
* SPN found :LDAP/bigbox.office.gaston
* SPN found :LDAP/ace3522f-ef35-454f-9
* SPN found :E3514235-4B06-11D1-AB04-0
* SPN found :HOST/bigbox.office.gaston
* SPN found :HOST/bigbox.office.gaston
* SPN found :HOST/BIGBOX
* SPN found :HOST/bigbox.office.gaston
* SPN found :GC/bigbox.office.gastonia
......................... BIGBOX failed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... BIGBOX passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... BIGBOX passed test OutboundSecureChannels
Starting test: ObjectsReplicated
BIGBOX is in domain DC=office,DC=gastonia,DC=w
Checking for CN=BIGBOX,OU=Domain Controllers,DC=office,DC=g
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=BIGBOX,CN=Serv
Object is up-to-date on all servers.
......................... BIGBOX passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... BIGBOX passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... BIGBOX passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... BIGBOX passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 04/26/2006 17:05:45
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/bigbox.office.gastoni
target name used was
LDAP/ace3522f-ef35-454f-90
This indicates that the password used to encrypt
the kerberos service ticket is different than
that on the target server. Commonly, this is due
to identically named machine accounts in the
target realm (OFFICE.GASTONIA.WATERSTON
the client realm. Please contact your system
administrator.
......................... BIGBOX failed test systemlog
Starting test: VerifyReplicas
For the partition
(DC=ForestDnsZones,DC=offi
encountered the following error retrieving the cross-ref's
(CN=bb371fd5-2ed4-444f-858
information:
LDAP Error 0x2095 (8341).
For the partition
(DC=DomainDnsZones,DC=offi
encountered the following error retrieving the cross-ref's
(CN=40e3ad6a-2636-4f76-b33
information:
LDAP Error 0x2095 (8341).
......................... BIGBOX failed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=BIGBOX,OU=Domain Controllers,DC=office,DC=g
and backlink on
CN=BIGBOX,CN=Servers,CN=De
are correct.
The system object reference (frsComputerReferenceBL)
CN=BIGBOX,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=offic
and backlink on
CN=BIGBOX,OU=Domain Controllers,DC=office,DC=g
are correct.
The system object reference (serverReferenceBL)
CN=BIGBOX,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=offic
and backlink on
CN=NTDS Settings,CN=BIGBOX,CN=Serv
are correct.
......................... BIGBOX passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
Can't determine the age of the cross-ref
CN=40e3ad6a-2636-4f76-b33f
for the partition
DC=DomainDnsZones,DC=offic
following errors relating to this cross-ref/partition may disappear
after replication coalesces. Please ensure that replication is
working from the Domain Naming FSMO to this DC, and retry this test to
see if errors continue.
Can't determine the age of the cross-ref
CN=bb371fd5-2ed4-444f-8589
for the partition
DC=ForestDnsZones,DC=offic
following errors relating to this cross-ref/partition may disappear
after replication coalesces. Please ensure that replication is
working from the Domain Naming FSMO to this DC, and retry this test to
see if errors continue.
Can't determine the age of the cross-ref
CN=Enterprise Configuration,CN=Partition
for the partition
CN=Configuration,DC=office
following errors relating to this cross-ref/partition may disappear
after replication coalesces. Please ensure that replication is
working from the Domain Naming FSMO to this DC, and retry this test to
see if errors continue.
Can't determine the age of the cross-ref
CN=Enterprise Schema,CN=Partitions,CN=Co
for the partition
CN=Schema,CN=Configuration
so following errors relating to this cross-ref/partition may disappear
after replication coalesces. Please ensure that replication is
working from the Domain Naming FSMO to this DC, and retry this test to
see if errors continue.
Can't determine the age of the cross-ref
CN=OFFICE,CN=Partitions,CN
for the partition DC=office,DC=gastonia,DC=w
following errors relating to this cross-ref/partition may disappear
after replication coalesces. Please ensure that replication is
working from the Domain Naming FSMO to this DC, and retry this test to
see if errors continue.
......................... BIGBOX failed test VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC BIGBOX for domain office.gastonia.waterstone
Checking machine account for DC BIGBOX on DC BIGBOX.
The account BIGBOX is not a DC account. It cannot replicate.
Warning: Attribute userAccountControl of BIGBOX is: 0x81000 = ( UF_WORKSTATION_TRUST_ACCOU
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
* SPN found :LDAP/bigbox.office.gaston
* SPN found :LDAP/bigbox.office.gaston
* SPN found :LDAP/BIGBOX
* SPN found :LDAP/bigbox.office.gaston
* SPN found :LDAP/ace3522f-ef35-454f-9
* SPN found :E3514235-4B06-11D1-AB04-0
* SPN found :HOST/bigbox.office.gaston
* SPN found :HOST/bigbox.office.gaston
* SPN found :HOST/BIGBOX
* SPN found :HOST/bigbox.office.gaston
* SPN found :GC/bigbox.office.gastonia
Unable to verify the machine account (CN=BIGBOX,OU=Domain Controllers,DC=office,DC=g
[BIGBOX] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... BIGBOX passed test CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
For the partition
(DC=ForestDnsZones,DC=offi
encountered the following error retrieving the cross-ref's
(CN=bb371fd5-2ed4-444f-858
information:
LDAP Error 0x2095 (8341).
......................... ForestDnsZones failed test CrossRefValidation
Starting test: CheckSDRefDom
For the partition
(DC=ForestDnsZones,DC=offi
encountered the following error retrieving the cross-ref's
(CN=bb371fd5-2ed4-444f-858
information:
LDAP Error 0x2095 (8341).
......................... ForestDnsZones failed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
For the partition
(DC=DomainDnsZones,DC=offi
encountered the following error retrieving the cross-ref's
(CN=40e3ad6a-2636-4f76-b33
information:
LDAP Error 0x2095 (8341).
......................... DomainDnsZones failed test CrossRefValidation
Starting test: CheckSDRefDom
For the partition
(DC=DomainDnsZones,DC=offi
encountered the following error retrieving the cross-ref's
(CN=40e3ad6a-2636-4f76-b33
information:
LDAP Error 0x2095 (8341).
......................... DomainDnsZones failed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
For the partition
(CN=Schema,CN=Configuratio
we encountered the following error retrieving the cross-ref's
(CN=Enterprise Schema,CN=Partitions,CN=Co
information:
LDAP Error 0x2095 (8341).
......................... Schema failed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
For the partition
(CN=Configuration,DC=offic
encountered the following error retrieving the cross-ref's
(CN=Enterprise Configuration,CN=Partition
information:
LDAP Error 0x2095 (8341).
......................... Configuration failed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : office
Starting test: CrossRefValidation
For the partition (DC=office,DC=gastonia,DC=
encountered the following error retrieving the cross-ref's
(CN=OFFICE,CN=Partitions,C
information:
LDAP Error 0x2095 (8341).
......................... office failed test CrossRefValidation
Starting test: CheckSDRefDom
......................... office passed test CheckSDRefDom
Running enterprise tests on : office.gastonia.waterstone
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope
provided by the command line arguments provided.
......................... office.gastonia.waterstone
Starting test: FsmoCheck
GC Name: \\bigbox.office.gastonia.w
Locator Flags: 0xe00003fd
PDC Name: \\bigbox.office.gastonia.w
Locator Flags: 0xe00003fd
Time Server Name: \\bigbox.office.gastonia.w
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\bigbox.office.gastonia.w
Locator Flags: 0xe00003fd
KDC Name: \\bigbox.office.gastonia.w
Locator Flags: 0xe00003fd
......................... office.gastonia.waterstone
Starting test: DNS
Test results for domain controllers:
DC: bigbox.office.gastonia.wat
Domain: office.gastonia.waterstone
TEST: Authentication (Auth)
Authentication test: Successfully completed
TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Standard Edition (Service Pack level: 1.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000009] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:11:43:F1:42:38
IP address is static
IP address: 192.168.1.1
DNS servers:
192.168.1.1 (<name unavailable>) [Valid]
Adapter [00000010] Intel(R) PRO/1000 MT Network Connection:
MAC address is 00:11:43:F1:42:39
IP address is static
IP address: x.x.x.x
DNS servers:
192.168.1.1 (<name unavailable>) [Valid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found (primary)
Root zone on this DC/DNS server was not found
TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
66.255.85.8 (<name unavailable>) [Valid]
66.255.85.9 (<name unavailable>) [Valid]
TEST: Delegations (Del)
No delegations were found in this zone on this DNS server
TEST: Dynamic update (Dyn)
Warning: Dynamic update is enabled on the zone but not secure office.gastonia.waterstone
Test record _dcdiag_test_record added successfully in zone office.gastonia.waterstone
Test record _dcdiag_test_record deleted successfully in zone office.gastonia.waterstone
TEST: Records registration (RReg)
Network Adapter [00000009] Intel(R) PRO/1000 MT Network Connection:
Matching A record found at DNS server 192.168.1.1:
bigbox.office.gastonia.wat
Matching CNAME record found at DNS server 192.168.1.1:
ace3522f-ef35-454f-90eb-e4
Matching DC SRV record found at DNS server 192.168.1.1:
_ldap._tcp.dc._msdcs.offic
Matching GC SRV record found at DNS server 192.168.1.1:
_ldap._tcp.gc._msdcs.offic
Matching PDC SRV record found at DNS server 192.168.1.1:
_ldap._tcp.pdc._msdcs.offi
Network Adapter [00000010] Intel(R) PRO/1000 MT Network Connection:
Matching A record found at DNS server 192.168.1.1:
bigbox.office.gastonia.wat
Matching CNAME record found at DNS server 192.168.1.1:
ace3522f-ef35-454f-90eb-e4
Matching DC SRV record found at DNS server 192.168.1.1:
_ldap._tcp.dc._msdcs.offic
Matching GC SRV record found at DNS server 192.168.1.1:
_ldap._tcp.gc._msdcs.offic
Matching PDC SRV record found at DNS server 192.168.1.1:
_ldap._tcp.pdc._msdcs.offi
Summary of test results for DNS servers used by the above domain controllers:
DNS server: 192.168.1.1 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server.
Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered
DNS server: 66.255.85.8 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server.
DNS server: 66.255.85.9 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server.
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
__________________________
Domain: office.gastonia.waterstone
bigbox PASS PASS PASS PASS WARN PASS n/a
......................... office.gastonia.waterstone
ASKER
This is the only DC. This server runs the DNS the AD and it is in the Domain controller OU. Should I go ahead with the ADSIEdit?
Yes, let me know what the value is before you change it.
ASKER
The value is 528384. I'm changing it back to 532480.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It worked!
Brilliant!
You doubted me??? :o)
Glad to assist.
NM
You doubted me??? :o)
Glad to assist.
NM
It looks like some of the Directory information is bad or missing.
Is this the only DC?
Open ADSIEdit.msc and find this entry: userAccountControl
This is an attribute on the server object. It should be under: Domain>DC=.....>OU=Domain Controllers
>right click the CN=BIGBOX and select Properties.
>scroll down to the userAccountControl
>the value should be 0x82000 (532480)
>correct it if it's wrong
>reboot.
Advise before you go into ADSIEdit.