rsillars
asked on
Schema cache error after upgrading domain from Windows 2000 to Windows 2003 R2
Hi Everyone,
For some time now we have had a dual authentication system setup which has modified the schema. Recently we started installing 2003 R2 domain controllers into our domain (2000 native mode). As soon as the 2003 r2 servers are promoted they start getting the following messages every 5 minutes in the Directory Service event log. The 2000 servers have no errors.
Event Type: Information
Event Source: NTDS General
Event Category: DS Schema
Event ID: 1464
Date: 1/05/2006
Time: 2:44:29 p.m.
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: CHEWBACCA
Description:
While searching for an index, Active Directory detected that a new index is needed for the following attribute.
Attribute:
defender-tokenType
New index name:
INDEX_LP_5B490001_1409
A new index will be automatically created.
Additional Data
Error value:
-1404 JET_errIndexNotFound, No such index
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: NTDS General
Event Category: DS Schema
Event ID: 1136
Date: 1/05/2006
Time: 2:44:30 p.m.
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: CHEWBACCA
Description:
Active Directory failed to create an index for the following attribute.
Attribute identifier:
1531510785
Attribute name:
defender-tokenType
A schema cache update will occur 5 minutes after the logging of this event and will attempt to create an index for the attribute.
Additional Data
Error value:
-1403 JET_errIndexDuplicate, Index is already defined
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Does anyone have any suggestions?
Thanks,
Roger
ASKER
Hi Jay Jay,
The schema modification is only run once, the first time the application is installed or upgraded if new features are added. The supplier provides a tool that does this for you. The supplier and Microsoft have both set up test networks and get the error message once, but AD sorts itself out and then is happy. Unfortunately this isn't the case in our production environment.
Yes the forestprep worked. The only problem I had was that I had to run it twice as the dcprep tool on the first CDROM isn't the one you use when installing 2003r2 domain controllers. I ran it again from the second CD and it worked perfectly.
Thanks,
Roger
Hmm, I haven't dealt with anything that touches the schema itself besides Windows, so I will tread lightly :)
Does dcdiag throw any errors?
It appears this new attribute isn't allowing itself to be indexed. I think there is a setting on the attribute itself that should be set to allow indexing. You might want to contact the vendor to discuss where this is set.
ASKER
Netman66, how do I go about checking if that attribute doesn't allow indexing? The thing that has got me is that the 2000 DCs are fine and that the first message says that a new index is needed and the second message fails creating it because it already exists.
Regarding the DCDIAG errors, I get the following. The first log is from one of the troubled 2003 r2 servers, it is complaining about "kccevent". The second log is from a 2000 DC and it is happy with the "kccevent" but something looks up with the sysvol. I ran DCDIAG on a couple of domain controllers of each OS and they all get the same results.
Sorry for the long post...
__________________________
Windows 2003 R2 domain controller DCDIAG log:
__________________________
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Christchurch\VADER
Starting test: Connectivity
......................... VADER passed test Connectivity
Doing primary tests
Testing server: Christchurch\VADER
Starting test: Replications
......................... VADER passed test Replications
Starting test: NCSecDesc
......................... VADER passed test NCSecDesc
Starting test: NetLogons
......................... VADER passed test NetLogons
Starting test: Advertising
......................... VADER passed test Advertising
Starting test: KnowsOfRoleHolders
......................... VADER passed test KnowsOfRoleHolders
Starting test: RidManager
......................... VADER passed test RidManager
Starting test: MachineAccount
......................... VADER passed test MachineAccount
Starting test: Services
......................... VADER passed test Services
Starting test: ObjectsReplicated
......................... VADER passed test ObjectsReplicated
Starting test: frssysvol
......................... VADER passed test frssysvol
Starting test: frsevent
......................... VADER passed test frsevent
Starting test: kccevent
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/01/2006 13:28:14
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/01/2006 13:28:14
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/01/2006 13:33:15
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/01/2006 13:33:15
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/01/2006 13:38:17
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/01/2006 13:38:18
(Event String could not be retrieved)
......................... VADER failed test kccevent
Starting test: systemlog
......................... VADER passed test systemlog
Starting test: VerifyReferences
......................... VADER passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : duncot
Starting test: CrossRefValidation
......................... duncot passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... duncot passed test CheckSDRefDom
Running enterprise tests on : duncot.net
Starting test: Intersite
......................... duncot.net passed test Intersite
Starting test: FsmoCheck
......................... duncot.net passed test FsmoCheck
__________________________
Windows 2000 domain controller DCDIAG log:
__________________________
DC Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial non skippeable tests
Testing server: Christchurch\CHEWIE
Starting test: Connectivity
......................... CHEWIE passed test Connectivity
Doing primary tests
Testing server: Christchurch\CHEWIE
Starting test: Replications
......................... CHEWIE passed test Replications
Starting test: NCSecDesc
......................... CHEWIE passed test NCSecDesc
Starting test: NetLogons
......................... CHEWIE passed test NetLogons
Starting test: Advertising
......................... CHEWIE passed test Advertising
Starting test: KnowsOfRoleHolders
......................... CHEWIE passed test KnowsOfRoleHolders
Starting test: RidManager
......................... CHEWIE passed test RidManager
Starting test: MachineAccount
......................... CHEWIE passed test MachineAccount
Starting test: Services
......................... CHEWIE passed test Services
Starting test: ObjectsReplicated
......................... CHEWIE passed test ObjectsReplicated
Starting test: frssysvol
There are errors after the SYSVOL has been shared.
The SYSVOL can prevent the AD from starting.
......................... CHEWIE passed test frssysvol
Starting test: kccevent
......................... CHEWIE passed test kccevent
Starting test: systemlog
......................... CHEWIE passed test systemlog
Running enterprise tests on : duncot.net
Starting test: Intersite
......................... duncot.net passed test Intersite
Starting test: FsmoCheck
......................... duncot.net passed test FsmoCheck
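Added example, not part of the original thread: a Python sketch that parses the kccevent section of the VADER dcdiag log above, decodes each 32-bit EventID with the standard Windows event identifier layout (severity in the top two bits, event code in the low 16 bits), and measures the spacing between bursts of events. The sample text is copied from the log in this post; the function names are illustrative assumptions.

```python
import re
from datetime import datetime

# Sample input: the kccevent lines from the VADER dcdiag log quoted in this thread.
DCDIAG_SAMPLE = """\
Starting test: kccevent
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/01/2006 13:28:14
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/01/2006 13:28:14
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/01/2006 13:33:15
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/01/2006 13:33:15
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/01/2006 13:38:17
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/01/2006 13:38:18
(Event String could not be retrieved)
......................... VADER failed test kccevent
"""

SEVERITY = {0: "success", 1: "informational", 2: "warning", 3: "error"}

EVENT = re.compile(
    r"EventID:\s*0x([0-9A-Fa-f]{8})\s+Time Generated:\s*"
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})"
)


def decode_event_id(raw):
    """Split a 32-bit event identifier into its standard fields."""
    return {
        "severity": SEVERITY[(raw >> 30) & 0x3],
        "customer": bool((raw >> 29) & 0x1),
        "facility": (raw >> 16) & 0xFFF,
        "code": raw & 0xFFFF,  # the number Event Viewer shows as "Event ID"
    }


def parse_dcdiag_events(text):
    """Return (timestamp, decoded id) pairs, oldest first."""
    events = []
    for raw_hex, stamp in EVENT.findall(text):
        # Day/month order does not matter for the interval calculation.
        when = datetime.strptime(stamp, "%m/%d/%Y %H:%M:%S")
        events.append((when, decode_event_id(int(raw_hex, 16))))
    return sorted(events, key=lambda e: e[0])


def burst_intervals(events, gap_seconds=5):
    """Group events logged within gap_seconds of each other into one burst
    and return the seconds between the starts of consecutive bursts."""
    starts, last = [], None
    for when, _ in events:
        if last is None or (when - last).total_seconds() > gap_seconds:
            starts.append(when)
        last = when
    return [int((b - a).total_seconds()) for a, b in zip(starts, starts[1:])]


def looks_like_schema_index_retry(events, period=300, tolerance=15):
    """True when every event is error 1136 and bursts recur about every
    5 minutes, the retry delay that event 1136 itself announces."""
    gaps = burst_intervals(events)
    only_1136 = all(
        e["code"] == 1136 and e["severity"] == "error" for _, e in events
    )
    return bool(gaps) and only_1136 and all(
        abs(g - period) <= tolerance for g in gaps
    )


if __name__ == "__main__":
    evts = parse_dcdiag_events(DCDIAG_SAMPLE)
    print(decode_event_id(0xC0000470))
    print(burst_intervals(evts), looks_like_schema_index_retry(evts))
```

On this log the decoded code is 1136, the same event ID as the index-creation error in the first post, recurring at roughly 5-minute intervals.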
Which DC holds the FSMO roles?
If you have not yet made one of the R2 servers a Global Catalog, you probably should.
Run the following command on CHEWIE and output to text file to post here:
repadmin /showobjmeta CHEWIE CN=object,CN=Schema,CN=Configuration,DC=duncot,DC=net > C:\chewie.txt
Replace CN=object with the name of your new attribute in the Schema as found in ADSIEdit.msc>Schema.
Run the same command again from VADER (don't forget to replace object with the attribute name):
repadmin /showobjmeta VADER CN=object,CN=Schema,CN=Configuration,DC=duncot,DC=net > C:\vader.txt
Post the outputs here.
ASKER
CHEWIE (Windows 2000) used to be the FSMO role holder and is currently a GC
VADER (Windows 2003r2) now holds all FSMO roles and is also a GC
The syntax of the command for 2000 is slightly different but hopefully this provides what you are after:
__________________________
VADER log - Windows 2003r2 domain controller (and FSMO role holder)
__________________________
17 entries.
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 objectClass
6355 Christchurch\VADER 6355 2006-04-14 14:10:25 1 cn
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 instanceType
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 whenCreated
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 attributeID
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 attributeSyntax
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 isSingleValued
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 showInAdvancedViewOnly
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 adminDisplayName
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 oMSyntax
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 nTSecurityDescriptor
80787 Christchurch\VADER 80787 2006-04-27 08:15:36 3 searchFlags
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 lDAPDisplayName
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 name
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 schemaIDGUID
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 isMemberOfPartialAttributeSet
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 objectCategory
0 entries.
Type Attribute Last Mod Time Originating DC Loc.USN Org.USN Ver
======= ============ ============= ================= ======= ======= ===
Distinguished Name
=============================
__________________________
CHEWIE log - Windows 2000 domain controller
__________________________
17 entries.
Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute
======= =============== ======= ============= === =========
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 objectClass
1199003 Christchurch\CHEWIE 1199003 2005-04-02 16:28.33 1 cn
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 instanceType
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 whenCreated
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 attributeID
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 attributeSyntax
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 isSingleValued
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 showInAdvancedViewOnly
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 adminDisplayName
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 oMSyntax
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 nTSecurityDescriptor
13336970 Christchurch\VADER 80787 2006-04-27 08:15.36 3 searchFlags
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 lDAPDisplayName
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 name
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 schemaIDGUID
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 isMemberOfPartialAttributeSet
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 objectCategory
ASKER
Hi Netman66,
Is the following line from the CHEWIE server OK? I am not sure why it has VADER in there as I ran it on the CHEWIE server and pointed the repadmin command against itself (repadmin /showmeta CN=defender-tokenType,CN=Schema,CN=Configuration,DC=duncot,DC=net CHEWIE >c:\chewie.txt)
13336970 Christchurch\VADER 80787 2006-04-27 08:15.36 3 searchFlags
I assume this is because it is the FSMO role holder, perhaps schema master?
Thanks,
Roger
Ok, well the object is consistent on both servers and appears to have been created properly.
Now, let's look at the SYSVOL issue - if you compare SYSVOL on both VADER and CHEWIE are they consistent?
Did you ever have other servers that were DCs that no longer exist? Are there any Journal Wrap errors on any DC?
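Added example, not part of the original thread: one way to do the comparison requested earlier mechanically, parsing the repadmin metadata tables from two DCs and comparing each attribute's replicated stamp (originating DC, originating USN, originating time, version) while ignoring the local USN, which differs per DC. The rows are an excerpt of the output posted above with the GUID spacing repaired; the function and category names are illustrative assumptions, and the parser assumes originating DC names contain no spaces.

```python
import re
from typing import Dict, NamedTuple

# Excerpts of the two tables posted in this thread (GUID spacing repaired).
VADER_SAMPLE = r"""
17 entries.
Loc.USN Originating DC Org.USN Org.Time/Date Ver Attribute
======= =============== ========= ============= === =========
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 objectClass
6355 Christchurch\VADER 6355 2006-04-14 14:10:25 1 cn
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 attributeID
80787 Christchurch\VADER 80787 2006-04-27 08:15:36 3 searchFlags
6355 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28:02 1 lDAPDisplayName
"""

CHEWIE_SAMPLE = r"""
17 entries.
Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute
======= =============== ======= ============= === =========
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 objectClass
1199003 Christchurch\CHEWIE 1199003 2005-04-02 16:28.33 1 cn
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 attributeID
13336970 Christchurch\VADER 80787 2006-04-27 08:15.36 3 searchFlags
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02 1 lDAPDisplayName
"""


class Stamp(NamedTuple):
    local_usn: int    # per-DC value, never expected to match
    originator: str   # DC (or its GUID) that made the change
    org_usn: int
    org_time: str
    version: int


ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d{4}-\d{2}-\d{2})\s+"
    r"(\d{2}:\d{2}[:.]\d{2})\s+(\d+)\s+(\S+)\s*$"
)


def parse_showobjmeta(text: str) -> Dict[str, Stamp]:
    """Map attribute name -> Stamp; headers and separators are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        loc, dsa, org, date, time, ver, attr = m.groups()
        # The 2000 tool prints 16:28.02 where the 2003 tool prints 16:28:02.
        when = f"{date} {time.replace('.', ':')}"
        rows[attr] = Stamp(int(loc), dsa, int(org), when, int(ver))
    return rows


def compare(a_name: str, a: Dict[str, Stamp],
            b_name: str, b: Dict[str, Stamp]) -> Dict[str, str]:
    """Classify every attribute seen on either DC."""
    report = {}
    for attr in sorted(set(a) | set(b)):
        sa, sb = a.get(attr), b.get(attr)
        if sa is None or sb is None:
            report[attr] = "missing on " + (a_name if sa is None else b_name)
        elif sa[1:] == sb[1:]:            # everything except the local USN
            report[attr] = "same"
        elif (sa.originator.endswith("\\" + a_name)
              and sb.originator.endswith("\\" + b_name)):
            report[attr] = "self-originated on each DC"
        elif sa.version != sb.version:
            report[attr] = "version mismatch"
        else:
            report[attr] = "stamp mismatch"
    return report


def demo() -> Dict[str, str]:
    return compare("VADER", parse_showobjmeta(VADER_SAMPLE),
                   "CHEWIE", parse_showobjmeta(CHEWIE_SAMPLE))


if __name__ == "__main__":
    for attr, verdict in demo().items():
        print(f"{attr:20} {verdict}")
```

On the excerpt, searchFlags carries the same stamp on both DCs (version 3, originated on VADER at USN 80787); cn is the only row that differs, with each DC listing itself as the originator.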
That line is ok. It points back to the Schema and the USN numbers match.
The following 2 articles discuss this problem:
http://support.microsoft.com/default.aspx?scid=kb;en-us;307323
http://support.microsoft.com/kb/307219/EN-US/
...however, what's puzzling is that you are experiencing this now. Was the 2000 server at (at least) SP3 before you ran ADPREP and/or made the Schema changes that your product did?
Something tells me you may need to re-run the setup or contact the vendor to figure out how to reapply the Schema changes - perhaps 2003 is not supported by this app? Just theorizing.
ASKER
I did a windiff on the two directories and they are identical, no issues there.
Regarding DCs that no longer exist - this is a bit more complicated.
- There used to be a server called VADER which was a 2000 DC
- This server was demoted to a member server, all details were replicated to all other DCs
- This server was then removed from the domain, again nothing was done until all replication was done
- A new server was created called VADER, this is the Windows 2003r2 server
- The new VADER was promoted to a DC
No Journal Wrap errors from what I can find.
All Windows 2000 servers are SP4 and have been for longer than the Schema changes were made.
I have re-run the schema update but my suspicion is that since it is already in the schema then it doesn't do anything.
Both the supplier and Microsoft have set up test networks. They appear to get the error once and then get the following:
Attribute:
defender-tokenType
New index name:
INDEX_LP_331F0001_0809
A new index will be automatically created.
Additional Data
Error value:
-1404 JET_errIndexNotFound, No such index
This makes sense but we get "-1403 JET_errIndexDuplicate, Index is already defined".
We're not getting any other errors, we are getting a few warning messages regarding FRS and a couple of other DCs. I will do some research on these before posting anything.
Do you have any suggestions on what to try next?
My thought process was this:
Create a DC in VMWARE
Remove from the network & take a copy
In this VM seize all the FSMO roles & remove other DCs
See what happens with the errors
Try upgrading domain to 2003 Native mode
Try renaming the stuff in the Schema (am I correct in thinking you can't delete stuff?) & then reinstall and see what happens.
... any other suggestions would be good
That's going to be a lot of work - and I'm not sure you will be able to repro the problem - however, it will be the same Schema so you might.
It seems that the Jet engine is seeing a duplicate index and the NTFRS engine thinks it needs to re-index. I'm really unsure as to why this is happening.
It might be that the old VADER was not removed completely from AD before reusing the name. Besides demoting it, you need to remove it from AD Sites and Services - this doesn't seem to happen on its own when you demote a server. This may explain the KCC errors - although the name is the same, the SIDs for the object are not.
How hard would it be to stand up another server (YODA - hehe...!) and transfer the roles and make it a GC then demote and remove VADER completely - from AD S&S and do a MetaData cleanup the next morning. If the errors stop, then you can surmise that the old servername was a lingering object that the new server was somehow colliding with.
I think (if it was me), I would do just that. Stand up YODA, transfer the roles, make it a GC and install DNS and let it replicate in the zones. Demote VADER and do the metadata cleanup the next AM. Let it run for a day or two then rebuild and redeploy the server hardware that VADER was on.
Here's how to do the Metadata cleanup:
http://support.microsoft.com/kb/216498/en-us
What are your thoughts?
ASKER
It's not that much work as we already have a server in a VMware session so all I have to do is shut it down, copy the files to another machine, start it up with host-only networking and I have a standalone DC. Virtual servers are fantastic!
Do you think we are talking about two separate issues?
We can't use YODA but I can use CHEWBACCA as it is already a 2003r2 DC. Then I should be able to demote VADER with few issues. I have to be careful as VADER is our main file & print server. In fact if I transfer the roles to CHEWBACCA now, then I don't have to seize them when I take a copy of it. It is already a DC & DNS server so we should be sweet.
Before I do all this I'm going to give MOM a go with the AD and DNS packs. It may pick up some stuff I have missed.
I really appreciate your help!
No problem. We need to rule out the fact that VADER is what is causing this problem - it's possible the old object for VADER was never cleaned out of AD completely before you used the name again. This would explain the KCC errors. It *might* also explain the Schema problem if it is somehow interfering with complete convergence.
ASKER
Thanks for all your help. It will take me a few days to give these things a go.
It looks fairly benign, but it won't hurt to get to the bottom of things.
As long as the application works, then you have some experiment time.
ASKER
Hi. We tracked down that if we set the searchflags to 0 in the Schema it deletes the cache and the errors disappear. It has some limitations with the app we are using but it should be OK. I am still not happy about it though as I really don't think it should be doing this.
I moved all the FSMO roles over to CHEWBACCA and demoted VADER. I then deleted the details of VADER from sites and services. I ended up having to promote VADER again afterwards due to some other issues with DNS (AD integrated).
I am still getting those KCCEVENT messages when I run DCDIAG. Any ideas on what to do next?
Thanks,
Roger
How about another complete set of logs:
DCDIAG /V > C:\DCDIAG.TXT
Post the contents of DCDIAG.TXT.
Also, post the Event Log entries for the KCC event - make sure you tell me what server you are getting them from.
ASKER
This is interesting...
I ran the DCDIAG and everything was fine so I thought I would give setting the searchFlags back to 3. I got the same errors again. I then ran the DCDIAG and got the KCCEVENT errors. Below DCDIAG is from CHEWBACCA (FSMO role holder and 2003r2).
I also noted that when I set the first searchFlag to 3 on CHEWBACCA the second DC (VADER) noted the errors in the event log. However CHEWBACCA didn't display anything until I set the second searchFlag to 3 and then it started seeing the same errors as VADER.
It appears the issues are related after all. There are no event log errors other than the original schema cache error.
I have set the searchFlags back to 0 and after about 10 minutes the kccevent messages start disappearing.
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine chewbacca, is a DC.
* Connecting to directory service on server chewbacca.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 8 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Christchurch\CHEWBACCA
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... CHEWBACCA passed test Connectivity
Doing primary tests
Testing server: Christchurch\CHEWBACCA
Starting test: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=duncot,DC=net
Latency information for 18 entries in the vector were ignored.
17 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 1 had no latency information (Win2K DC).
CN=Configuration,DC=duncot,DC=net
Latency information for 18 entries in the vector were ignored.
17 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 1 had no latency information (Win2K DC).
DC=duncot,DC=net
Latency information for 18 entries in the vector were ignored.
17 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 1 had no latency information (Win2K DC).
DC=ForestDnsZones,DC=duncot,DC=net
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=duncot,DC=net
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... CHEWBACCA passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC CHEWBACCA.
* Security Permissions Check for
DC=ForestDnsZones,DC=duncot,DC=net
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=duncot,DC=net
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=duncot,DC=net
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=duncot,DC=net
(Configuration,Version 2)
* Security Permissions Check for
DC=duncot,DC=net
(Domain,Version 2)
......................... CHEWBACCA passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\CHEWBACCA\netlogon
Verified share \\CHEWBACCA\sysvol
......................... CHEWBACCA passed test NetLogons
Starting test: Advertising
The DC CHEWBACCA is advertising itself as a DC and having a DS.
The DC CHEWBACCA is advertising as an LDAP server
The DC CHEWBACCA is advertising as having a writeable directory
The DC CHEWBACCA is advertising as a Key Distribution Center
The DC CHEWBACCA is advertising as a time server
......................... CHEWBACCA passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
Role Domain Owner = CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
Role PDC Owner = CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
Role Rid Owner = CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
......................... CHEWBACCA passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 15331 to 1073741823
* chewbacca.duncot.net is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 14331 to 14830
* rIDPreviousAllocationPool is 14331 to 14830
* rIDNextRID: 14333
......................... CHEWBACCA passed test RidManager
Starting test: MachineAccount
Checking machine account for DC CHEWBACCA on DC CHEWBACCA.
* SPN found :LDAP/chewbacca.duncot.net/duncot.net
* SPN found :LDAP/chewbacca.duncot.net
* SPN found :LDAP/CHEWBACCA
* SPN found :LDAP/chewbacca.duncot.net/DUNCOT
* SPN found :LDAP/100d6db6-bc50-4497-a7ad-9ddfa5f5812e._msdcs.duncot.net
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/100d6db6-bc50-4497-a7ad-9ddfa5f5812e/duncot.net
* SPN found :HOST/chewbacca.duncot.net/duncot.net
* SPN found :HOST/chewbacca.duncot.net
* SPN found :HOST/CHEWBACCA
* SPN found :HOST/chewbacca.duncot.net/DUNCOT
* SPN found :GC/chewbacca.duncot.net/duncot.net
......................... CHEWBACCA passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... CHEWBACCA passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
CHEWBACCA is in domain DC=duncot,DC=net
Checking for CN=CHEWBACCA,OU=Domain Controllers,DC=duncot,DC=net in domain DC=duncot,DC=net on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net in domain CN=Configuration,DC=duncot,DC=net on 1 servers
Object is up-to-date on all servers.
......................... CHEWBACCA passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CHEWBACCA passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... CHEWBACCA passed test frsevent
Starting test: kccevent
* The KCC Event log test
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/09/2006 10:15:27
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/09/2006 10:15:30
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/09/2006 10:15:30
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/09/2006 10:16:04
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/09/2006 10:16:27
(Event String could not be retrieved)
......................... CHEWBACCA failed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... CHEWBACCA passed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=CHEWBACCA,OU=Domain Controllers,DC=duncot,DC=net and backlink on
CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
are correct.
The system object reference (frsComputerReferenceBL)
CN=CHEWBACCA,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=duncot,DC=net
and backlink on CN=CHEWBACCA,OU=Domain Controllers,DC=duncot,DC=net
are correct.
The system object reference (serverReferenceBL)
CN=CHEWBACCA,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=duncot,DC=net
and backlink on
CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
are correct.
......................... CHEWBACCA passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : duncot
Starting test: CrossRefValidation
......................... duncot passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... duncot passed test CheckSDRefDom
Running enterprise tests on : duncot.net
Starting test: Intersite
Skipping site Christchurch, this site is outside the scope provided by
the command line arguments provided.
Skipping site Sydney, this site is outside the scope provided by the
command line arguments provided.
Skipping site Wellington, this site is outside the scope provided by
the command line arguments provided.
Skipping site Auckland, this site is outside the scope provided by the
command line arguments provided.
Skipping site Nelson, this site is outside the scope provided by the
command line arguments provided.
......................... duncot.net passed test Intersite
Starting test: FsmoCheck
GC Name: \\chewie.duncot.net
Locator Flags: 0xe00003fc
PDC Name: \\chewbacca.duncot.net
Locator Flags: 0xe00001f9
Time Server Name: \\chewbacca.duncot.net
Locator Flags: 0xe00001f9
Preferred Time Server Name: \\chewie.duncot.net
Locator Flags: 0xe00003fc
KDC Name: \\chewbacca.duncot.net
Locator Flags: 0xe00001f9
......................... duncot.net passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
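An added example, not part of the original post: the script below parses DCDIAG text such as the output above, decodes each `EventID` into severity and event code, and decodes a `searchFlags` value into its index bits. The low 16 bits of 0xC0000470 are 0x470 = 1136, the same Event ID 1136 index-creation error quoted in the question, which fits the asker's observation that the kccevent failures and the schema errors are related. The sample is a trimmed excerpt of the posted output, and all function names are hypothetical.

```python
import re

# Trimmed excerpt of the DCDIAG output posted in this thread (sample input).
DCDIAG_SAMPLE = """\
Starting test: frsevent
* The File Replication Service Event log test
......................... CHEWBACCA passed test frsevent
Starting test: kccevent
* The KCC Event log test
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/09/2006 10:15:27
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000470
Time Generated: 05/09/2006 10:15:30
(Event String could not be retrieved)
......................... CHEWBACCA failed test kccevent
Starting test: systemlog
......................... CHEWBACCA passed test systemlog
"""

# Top two bits of a 32-bit Windows event identifier.
SEVERITY = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}

# searchFlags bits on an attributeSchema object.
SEARCH_FLAG_BITS = {
    0x01: "attribute index",
    0x02: "container (per-parent) index",
    0x04: "ANR set member",
    0x08: "preserve on tombstone",
    0x10: "copy with object",
    0x20: "tuple index",
    0x40: "subtree index (VLV)",
    0x80: "confidential",
}

RESULT_RE = re.compile(r"^\.{5,}\s+(\S+) (passed|failed) test (\S+)")
EVENT_RE = re.compile(r"EventID:\s*(0x[0-9A-Fa-f]+)")
TIME_RE = re.compile(r"Time Generated:\s*(.+)")


def decode_event_id(raw):
    """Split a hex event identifier into severity, facility and 16-bit code."""
    value = int(raw, 16)
    return {
        "severity": SEVERITY[(value >> 30) & 0x3],
        "facility": (value >> 16) & 0x0FFF,
        "event_id": value & 0xFFFF,  # the number Event Viewer shows
    }


def decode_search_flags(value):
    """Return the names of the searchFlags bits set in value."""
    return [name for bit, name in sorted(SEARCH_FLAG_BITS.items()) if value & bit]


def summarize_dcdiag(text):
    """Return one record per test: subject, result and decoded events."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Starting test:"):
            current = {"test": line.split(":", 1)[1].strip(),
                       "subject": None, "result": None, "events": []}
            records.append(current)
            continue
        if current is None:
            continue
        m = RESULT_RE.match(line)
        if m and m.group(3) == current["test"]:
            current["subject"], current["result"] = m.group(1), m.group(2)
            continue
        m = EVENT_RE.search(line)
        if m:
            current["events"].append(decode_event_id(m.group(1)))
            continue
        m = TIME_RE.search(line)
        if m and current["events"]:
            current["events"][-1]["time"] = m.group(1).strip()
    return records


if __name__ == "__main__":
    for rec in summarize_dcdiag(DCDIAG_SAMPLE):
        if rec["result"] == "failed":
            ids = sorted({e["event_id"] for e in rec["events"]})
            print(rec["subject"], rec["test"], "failed, event IDs:", ids)
    print("searchFlags 3 =", decode_search_flags(3))
```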
Those KCC errors look a lot like time issues. Are you certain these servers are within 5 minutes of each other and in the correct time zones with Daylight Savings time setting set properly?
ASKER
Yes, the times on all DCs are within seconds of each other. The KCC errors have disappeared now that the searchFlags are set to 0.
Should I bother looking at this if our APP is OK?
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
The extension was added to the domain when it was 2000.
Thanks for all your help, I really appreciate your effort and time.
OK, this makes more sense - the schema was extended before the upgrade to 2003. When Forestprep was run it relays a csv file for the schema updates. Since your update is non-standard, it never made the version transition to 3.0.
My bet is you'll see errors in the adprep log file that were ignored.
What do you have running that mods the schema?
Did all the forestprep tools work originally for R2 - no errors?
Cheers!