  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2482
  • Last Modified:

Schema cache error after upgrading domain from Windows 2000 to Windows 2003 R2

Hi Everyone,

For some time now we have had a dual authentication system setup which has modified the schema.  Recently we started installing 2003 R2 domain controllers into our domain (2000 native mode).  As soon as the 2003 R2 servers are promoted they start getting the following messages every 5 minutes in the Directory Service event log.  The 2000 servers have no errors.

Event Type:      Information
Event Source:      NTDS General
Event Category:      DS Schema
Event ID:      1464
Date:            1/05/2006
Time:            2:44:29 p.m.
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      CHEWBACCA
Description:
While searching for an index, Active Directory detected that a new index is needed for the following attribute.
 
Attribute:
defender-tokenType
New index name:
INDEX_LP_5B490001_1409
 
A new index will be automatically created.
 
Additional Data
Error value:
-1404 JET_errIndexNotFound, No such index

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event Type:      Error
Event Source:      NTDS General
Event Category:      DS Schema
Event ID:      1136
Date:            1/05/2006
Time:            2:44:30 p.m.
User:            NT AUTHORITY\ANONYMOUS LOGON
Computer:      CHEWBACCA
Description:
Active Directory failed to create an index for the following attribute.
 
Attribute identifier:
1531510785
Attribute name:
defender-tokenType
 
A schema cache update will occur 5 minutes after the logging of this event and will attempt to create an index for the attribute.
 
Additional Data
Error value:
-1403 JET_errIndexDuplicate, Index is already defined

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Does anyone have any suggestions?

Thanks,
Roger
0
Asked by: rsillars
1 Solution
 
Jay_Jay70Commented:
Hi rsillars,

What do you have running that mods the schema?

Did all the forestprep tools work originally for R2  -  no errors?

Cheers!
0
 
rsillarsAuthor Commented:
Hi Jay Jay,

The schema modification is only run once, the first time the application is installed or upgraded if new features are added.  The supplier provides a tool that does this for you.  The supplier and Microsoft have both set up test networks and get the error message once, but AD sorts itself out and then is happy.  Unfortunately this isn't the case in our production environment.

Yes the forestprep worked.  The only problem I had was that I had to run it twice as the dcprep tool on the first CDROM isn't the one you use when installing 2003r2 domain controllers.  I ran it again from the second CD and it worked perfectly.

Thanks,
Roger
0
 
Jay_Jay70Commented:
Hmm, I haven't dealt with anything that touches the schema itself besides Windows so I will tread lightly :)

Does dcdiag throw any errors?
0

 
Netman66Commented:
It appears this new attribute isn't allowing itself to be indexed.  I think there is a setting on the attribute itself that should be set to allow indexing.  You might want to contact the vendor to discuss where this is set.

0
 
rsillarsAuthor Commented:
Netman66, how do I go about checking if that attribute doesn't allow indexing?  The thing that has got me is that the 2000 DCs are fine and that the first message says that a new index is needed and the second message fails creating it because it already exists.

Regarding the DCDIAG errors, I get the following.  The first log is from one of the troubled 2003 R2 servers, it is complaining about "kccevent".  The second log is from a 2000 DC and it is happy with the "kccevent" but something looks up with the sysvol.  I ran DCDIAG on a couple of domain controllers of each OS and they all get the same results.

Sorry for the long post...

_________________________________________________________________________________
Windows 2003 R2 domain controller DCDIAG log:
_________________________________________________________________________________
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Christchurch\VADER
      Starting test: Connectivity
         ......................... VADER passed test Connectivity

Doing primary tests
   
   Testing server: Christchurch\VADER
      Starting test: Replications
         ......................... VADER passed test Replications
      Starting test: NCSecDesc
         ......................... VADER passed test NCSecDesc
      Starting test: NetLogons
         ......................... VADER passed test NetLogons
      Starting test: Advertising
         ......................... VADER passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... VADER passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... VADER passed test RidManager
      Starting test: MachineAccount
         ......................... VADER passed test MachineAccount
      Starting test: Services
         ......................... VADER passed test Services
      Starting test: ObjectsReplicated
         ......................... VADER passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... VADER passed test frssysvol
      Starting test: frsevent
         ......................... VADER passed test frsevent
      Starting test: kccevent
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/01/2006   13:28:14
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/01/2006   13:28:14
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/01/2006   13:33:15
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/01/2006   13:33:15
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/01/2006   13:38:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/01/2006   13:38:18
            (Event String could not be retrieved)
         ......................... VADER failed test kccevent
      Starting test: systemlog
         ......................... VADER passed test systemlog
      Starting test: VerifyReferences
         ......................... VADER passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : duncot
      Starting test: CrossRefValidation
         ......................... duncot passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... duncot passed test CheckSDRefDom
   
   Running enterprise tests on : duncot.net
      Starting test: Intersite
         ......................... duncot.net passed test Intersite
      Starting test: FsmoCheck
         ......................... duncot.net passed test FsmoCheck

_________________________________________________________________________________
Windows 2000 domain controller DCDIAG log:
_________________________________________________________________________________


DC Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial non skippeable tests
   
   Testing server: Christchurch\CHEWIE
      Starting test: Connectivity
         ......................... CHEWIE passed test Connectivity

Doing primary tests
   
   Testing server: Christchurch\CHEWIE
      Starting test: Replications
         ......................... CHEWIE passed test Replications
      Starting test: NCSecDesc
         ......................... CHEWIE passed test NCSecDesc
      Starting test: NetLogons
         ......................... CHEWIE passed test NetLogons
      Starting test: Advertising
         ......................... CHEWIE passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... CHEWIE passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... CHEWIE passed test RidManager
      Starting test: MachineAccount
         ......................... CHEWIE passed test MachineAccount
      Starting test: Services
         ......................... CHEWIE passed test Services
      Starting test: ObjectsReplicated
         ......................... CHEWIE passed test ObjectsReplicated
      Starting test: frssysvol
         There are errors after the SYSVOL has been shared.
         The SYSVOL can prevent the AD from starting.
         ......................... CHEWIE passed test frssysvol
      Starting test: kccevent
         ......................... CHEWIE passed test kccevent
      Starting test: systemlog
         ......................... CHEWIE passed test systemlog
   
   Running enterprise tests on : duncot.net
      Starting test: Intersite
         ......................... duncot.net passed test Intersite
      Starting test: FsmoCheck
         ......................... duncot.net passed test FsmoCheck
0
 
Netman66Commented:
Which DC holds the FSMO roles?

If you have not yet made one of the R2 servers a Global Catalog, you probably should.


Run the following command on CHEWIE and output to text file to post here:

repadmin /showobjmeta CHEWIE CN=object,CN=Schema,CN=Configuration,DC=duncot,DC=net > C:\chewie.txt

Replace CN=object with the name of your new attribute in the Schema as found in ADSIEdit.msc>Schema.

Run the same command again from VADER (don't forget to replace object with the attribute name):

repadmin /showobjmeta VADER CN=object,CN=Schema,CN=Configuration,DC=duncot,DC=net > C:\vader.txt

Post the outputs here.

0
 
rsillarsAuthor Commented:
CHEWIE (Windows 2000) used to be the FSMO role holder and is currently a GC
VADER (Windows 2003r2) now holds all FSMO roles and is also a GC

The syntax of the command for 2000 is slightly different but hopefully this provides what you are after:

_________________________________________________________________________________
VADER log - Windows 2003r2 domain controller (and FSMO role holder)
_________________________________________________________________________________


17 entries.

Loc.USN                          Originating DC   Org.USN  Org.Time/Date        Ver Attribute
=======                          =============== ========= =============        === =========
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 objectClass
   6355                       Christchurch\VADER      6355 2006-04-14 14:10:25    1 cn
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 instanceType
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 whenCreated
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 attributeID
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 attributeSyntax
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 isSingleValued
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 showInAdvancedViewOnly
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 adminDisplayName
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 oMSyntax
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 nTSecurityDescriptor
  80787                       Christchurch\VADER     80787 2006-04-27 08:15:36    3 searchFlags
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 lDAPDisplayName
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 name
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 schemaIDGUID
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 isMemberOfPartialAttributeSet
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 objectCategory

0 entries.

Type    Attribute     Last Mod Time                             Originating DC  Loc.USN Org.USN Ver
======= ============  =============                           ================= ======= ======= ===
        Distinguished Name
        =============================

_________________________________________________________________________________
CHEWIE log - Windows 2000 domain controller
_________________________________________________________________________________

17 entries.

Loc.USN                      Originating DSA Org.USN       Org.Time/Date  Ver Attribute
=======                      =============== =======       =============  === =========
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 objectClass
1199003                  Christchurch\CHEWIE 1199003 2005-04-02 16:28.33    1 cn
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 instanceType
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 whenCreated
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 attributeID
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 attributeSyntax
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 isSingleValued
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 showInAdvancedViewOnly
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 adminDisplayName
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 oMSyntax
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 nTSecurityDescriptor
13336970                   Christchurch\VADER   80787 2006-04-27 08:15.36    3 searchFlags
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 lDAPDisplayName
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 name
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 schemaIDGUID
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 isMemberOfPartialAttributeSet
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 objectCategory
0
 
rsillarsAuthor Commented:
Hi Netman66,

Is the following line from the CHEWIE server OK?  I am not sure why it has VADER in there as I ran it on the CHEWIE server and pointed the repadmin command against itself (repadmin /showmeta CN=defender-tokenType,CN=Schema,CN=Configuration,DC=duncot,DC=net CHEWIE >c:\chewie.txt)

13336970                   Christchurch\VADER   80787 2006-04-27 08:15.36    3 searchFlags

I assume this is because it is the FSMO role holder, perhaps schema master?

Thanks,
Roger
0
 
Netman66Commented:
Ok, well the object is consistent on both servers and appears to have been created properly.

Now, let's look at the SYSVOL issue - if you compare SYSVOL on both VADER and CHEWIE are they consistent?

Did you ever have other servers that were DCs that no longer exist?  Are there any Journal Wrap errors on any DC?

0
 
Netman66Commented:
That line is ok.  It points back to the Schema and the USN numbers match.

0
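The comparison made in the replies above can be done mechanically. The following is an added example, not code from any poster: it parses both `repadmin` layouts shown in the thread (Windows 2003 R2 and Windows 2000, which differ in column widths and in the `:`/`.` before the seconds) and compares the originating stamp of each attribute. The function names are hypothetical, and the sample rows are a subset copied from the outputs posted above.

```python
import re
from typing import NamedTuple

# Rows copied from the two outputs posted in the thread (subset only).
VADER_TXT = r"""
Loc.USN                          Originating DC   Org.USN  Org.Time/Date        Ver Attribute
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 objectClass
   6355                       Christchurch\VADER      6355 2006-04-14 14:10:25    1 cn
  80787                       Christchurch\VADER     80787 2006-04-27 08:15:36    3 searchFlags
   6355     aa570d04-4b27-4d6a-a989-577e75676c0b   2826488 2005-04-02 16:28:02    1 lDAPDisplayName
"""
CHEWIE_TXT = r"""
Loc.USN                      Originating DSA Org.USN       Org.Time/Date  Ver Attribute
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 objectClass
1199003                  Christchurch\CHEWIE 1199003 2005-04-02 16:28.33    1 cn
13336970                   Christchurch\VADER   80787 2006-04-27 08:15.36    3 searchFlags
1199003 aa570d04-4b27-4d6a-a989-577e75676c0b 2826488 2005-04-02 16:28.02    1 lDAPDisplayName
"""

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

# Loc.USN, originating DC/DSA, Org.USN, date, hh:mm, seconds, version, attribute.
ROW = re.compile(
    r"^\s*(\d+)\s+(\S.*?)\s+(\d+)\s+(\d{4}-\d{2}-\d{2})\s+"
    r"(\d{2}:\d{2})[:.](\d{2})\s+(\d+)\s+(\S+)\s*$"
)


class Stamp(NamedTuple):
    local_usn: int    # specific to the DC that was queried
    originator: str   # DC name, or a GUID if repadmin could not resolve it
    orig_usn: int
    orig_time: str    # normalised to hh:mm:ss
    version: int


def parse_showobjmeta(text):
    """Return {attribute: Stamp}; headers, rulers and 'N entries.' are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        loc, dsa, org, date, hm, sec, ver, attr = m.groups()
        rows[attr] = Stamp(int(loc), dsa, int(org), f"{date} {hm}:{sec}", int(ver))
    return rows


def compare_stamps(a, b):
    """Return {attribute: reason} where the originating stamp differs.

    Loc.USN is ignored because every DC assigns its own.
    """
    diffs = {}
    for attr in sorted(set(a) | set(b)):
        x, y = a.get(attr), b.get(attr)
        if x is None or y is None:
            diffs[attr] = "present on only one DC"
        elif x[1:] != y[1:]:
            diffs[attr] = (f"{x.originator} usn={x.orig_usn} v{x.version} vs "
                           f"{y.originator} usn={y.orig_usn} v{y.version}")
    return diffs


def unresolved_originators(rows):
    """Attributes whose originator is printed as a raw GUID rather than a DC name."""
    return sorted(a for a, s in rows.items() if GUID.match(s.originator))


if __name__ == "__main__":
    vader, chewie = parse_showobjmeta(VADER_TXT), parse_showobjmeta(CHEWIE_TXT)
    for attr, why in compare_stamps(vader, chewie).items():
        print(f"{attr}: {why}")
    print("GUID originators:", unresolved_originators(vader))
```

On these rows the `searchFlags` stamp (Christchurch\VADER, USN 80787, version 3) is identical on both DCs; the only row that differs is `cn`, which each DC lists with itself as originator in the output above.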
 
Netman66Commented:
The following 2 articles discuss this problem:

http://support.microsoft.com/default.aspx?scid=kb;en-us;307323

http://support.microsoft.com/kb/307219/EN-US/

...however, what's puzzling is that you are experiencing this now.  Was the 2000 server at (at least) SP3 before you ran ADPREP and/or made the Schema changes that your product did?

Something tells me you may need to re-run the setup or contact the vendor to figure out how to reapply the Schema changes - perhaps 2003 is not supported by this app?  Just theorizing.

0
 
rsillarsAuthor Commented:
I did a windiff on the two directories and they are identical, no issues there.

Regarding DCs that no longer exist - this is a bit more complicated.
- There used to be a server called VADER which was a 2000 DC
- This server was demoted to a member server, all details were replicated to all other DCs
- This server was then removed from the domain, again nothing was done until all replication was done
- A new server was created called VADER, this is the Windows 2003r2 server
- The new VADER was promoted to a DC

No Journal Wrap errors from what I can find.

All Windows 2000 servers are SP4 and have been for longer than the Schema changes were made.

I have re-run the schema update but my suspicion is that since it is already in the schema then it doesn't do anything.

Both the supplier and Microsoft have set up test networks.  They appear to get the error once and then get the following:
Attribute:
defender-tokenType
New index name:
INDEX_LP_331F0001_0809

A new index will be automatically created.

Additional Data
Error value:
-1404 JET_errIndexNotFound, No such index

This makes sense but we get "-1403 JET_errIndexDuplicate, Index is already defined".

We're not getting any other errors, we are getting a few warning messages regarding FRS and a couple of other DCs.  I will do some research on these before posting anything.

Do you have any suggestions on what to try next?
My thought process was this:
Create a DC in VMWARE
Remove from the network & take a copy
In this VM seize all the FSMO roles & remove other DCs
See what happens with the errors
Try upgrading domain to 2003 Native mode
Try renaming the stuff in the Schema (am I correct in thinking you can't delete stuff?) & then reinstall and see what happens.
... any other suggestions would be good
0
 
Netman66Commented:
That's going to be a lot of work - and I'm not sure you will be able to repro the problem - however, it will be the same Schema so you might.

It seems that the Jet engine is seeing a duplicate index and the NTFRS engine thinks it needs to re-index.  I'm really unsure as to why this is happening.

It might be that the old VADER was not removed completely from AD before reusing the name.  Besides demoting it, you need to remove it from AD Sites and Services - this doesn't seem to happen on its own when you demote a server.  This may explain the KCC errors - although the name is the same, the SIDs for the object are not.

How hard would it be to stand up another server (YODA - hehe...!) and transfer the roles and make it a GC then demote and remove VADER completely - from AD S&S and do a MetaData cleanup the next morning.  If the errors stop, then you can surmise that the old servername was a lingering object that the new server was somehow colliding with.

I think (if it was me), I would do just that.  Stand up YODA, transfer the roles, make it a GC and install DNS and let it replicate in the zones.  Demote VADER and do the metadata cleanup the next AM.  Let it run for a day or two then rebuild and redeploy the server hardware that VADER was on.

Here's how to do the Metadata cleanup:

http://support.microsoft.com/kb/216498/en-us

What are your thoughts?



0
 
rsillarsAuthor Commented:
It's not that much work as we already have a server in a VMware session so all I have to do is shut it down, copy the files to another machine, start it up with host-only networking and I have a standalone DC.  Virtual servers are fantastic!

Do you think we are talking about two separate issues?

We can't use YODA but I can use CHEWBACCA as it is already a 2003 R2 DC.  Then I should be able to demote VADER with few issues.  I have to be careful as VADER is our main file & print server.  In fact if I transfer the roles to CHEWBACCA now, then I don't have to seize them when I take a copy of it.  It is already a DC & DNS server so we should be sweet.

Before I do all this I'm going to give MOM a go with the AD and DNS packs.  It may pick up some stuff I have missed.

I really appreciate your help!
0
 
Netman66Commented:
No problem.  We need to rule out the fact that VADER is what is causing this problem - it's possible the old object for VADER was never cleaned out of AD completely before you used the name again.  This would explain the KCC errors.  It *might* also explain the Schema problem also if it is somehow interfering with complete convergence.

0
 
rsillarsAuthor Commented:
Thanks for all your help.  It will take me a few days to give these things a go.
0
 
Netman66Commented:
It looks fairly benign, but it won't hurt to get to the bottom of things.

As long as the application works, then you have some experiment time.

0
 
rsillarsAuthor Commented:
Hi.  We tracked down that if we set the searchflags to 0 in the Schema it deletes the cache and the errors disappear.  It has some limitations with the app we are using but it should be OK.  I am still not happy about it though as I really don't think it should be doing this.

I moved all the FSMO roles over to CHEWBACCA and demoted VADER.  I then deleted the details of VADER from sites and services.  I ended up having to promote VADER again afterwards due to some other issues with DNS (AD integrated).

I am still getting those KCCEVENT messages when I run DCDIAG.  Any ideas on what to do next?

Thanks,
Roger
0
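An added example, not code from any poster, for reading the two events in the question together with the `searchFlags` values 0 and 3 that appear in this thread. It pairs event 1464 (index reported missing, -1404) with event 1136 (creation refused as duplicate, -1403) for the same attribute, and checks that the eight hex digits in the index name equal the attribute identifier from event 1136. The function names, the `---` separator and the condensed event text are constructed for the example; the flag names are those used in Microsoft's MS-ADTS specification.

```python
import re

# searchFlags bits on an attributeSchema object (names per MS-ADTS).
SEARCH_FLAG_BITS = {
    0x001: "fATTINDEX",          # index on the attribute
    0x002: "fPDNTATTINDEX",      # index per container (parent + attribute)
    0x004: "fANR",
    0x008: "fPRESERVEONDELETE",
    0x010: "fCOPY",
    0x020: "fTUPLEINDEX",
    0x040: "fSUBTREEATTINDEX",
    0x080: "fCONFIDENTIAL",
    0x100: "fNEVERVALUEAUDIT",
    0x200: "fRODCFilteredAttribute",
}

# Condensed from the two events posted in the question; '---' is a constructed separator.
EVENTS_TXT = """\
Event ID:      1464
Attribute:
defender-tokenType
New index name:
INDEX_LP_5B490001_1409
Error value:
-1404 JET_errIndexNotFound, No such index
---
Event ID:      1136
Attribute identifier:
1531510785
Attribute name:
defender-tokenType
Error value:
-1403 JET_errIndexDuplicate, Index is already defined
"""

# Only the INDEX_<letters>_<8 hex>_<4 hex> shape seen on this page is handled.
INDEX_NAME = re.compile(r"^INDEX_([A-Z]+)_([0-9A-F]{8})_([0-9A-F]{4})$")


def decode_search_flags(value):
    """Names of the bits set in a searchFlags value, lowest bit first."""
    return [name for bit, name in sorted(SEARCH_FLAG_BITS.items()) if value & bit]


def parse_index_name(name):
    """Split an index name; attr_id is the 8 hex digits read as an integer."""
    m = INDEX_NAME.match(name or "")
    if not m:
        return None
    return {"name": name, "prefix": m.group(1),
            "attr_id": int(m.group(2), 16),
            "suffix": m.group(3)}  # kept verbatim: 1409 here, 0809 in the test-network event


def _field(label, text):
    """Value after 'Label:' on the same line or on the line below it."""
    m = re.search(rf"^{re.escape(label)}:[ \t]*\n?[ \t]*(\S.*)$", text, re.M)
    return m.group(1).strip() if m else None


def parse_event(text):
    attr_id = _field("Attribute identifier", text)
    return {
        "id": int(_field("Event ID", text)),
        "attr": _field("Attribute name", text) or _field("Attribute", text),
        "attr_id": int(attr_id) if attr_id else None,
        "index": parse_index_name(_field("New index name", text)),
        "jet": int(_field("Error value", text).split()[0]),
    }


def find_index_loops(events):
    """Attributes where 1464/-1404 is followed by 1136/-1403 for the same attribute."""
    missing, loops = {}, []
    for ev in events:
        if ev["id"] == 1464 and ev["jet"] == -1404 and ev["index"]:
            missing[ev["attr"]] = ev["index"]
        elif ev["id"] == 1136 and ev["jet"] == -1403 and ev["attr"] in missing:
            idx = missing[ev["attr"]]
            loops.append({"attr": ev["attr"], "index": idx["name"],
                          "id_matches": idx["attr_id"] == ev["attr_id"]})
    return loops


def load_events(text=EVENTS_TXT):
    return [parse_event(chunk) for chunk in text.split("---") if chunk.strip()]


if __name__ == "__main__":
    print(find_index_loops(load_events()))
    print("searchFlags 3 =", decode_search_flags(3))
    print("searchFlags 0 =", decode_search_flags(0))
```

A `searchFlags` value of 3 requests both the plain and the per-container index, and 0 requests none, which matches the observation that the messages stop once the value is set to 0.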
 
Netman66Commented:
How about another complete set of logs:

DCDIAG /V > C:\DCDIAG.TXT

Post the contents of DCDIAG.TXT.

Also, post the Event Log entries for the KCC event - make sure you tell me what server you are getting them from.



0
 
rsillarsAuthor Commented:
This is interesting...

I ran the DCDIAG and everything was fine so I thought I would give setting the searchFlags back to 3.  I got the same errors again.  I then ran the DCDIAG and got the KCCEVENT errors.  Below DCDIAG is from CHEWBACCA (FSMO role holder and 2003r2).

I also noted that when I set the first searchFlag to 3 on CHEWBACCA the second DC (VADER) noted the errors in the event log.  However CHEWBACCA didn't display anything until I set the second searchFlag to 3 and then it started seeing the same errors as VADER.

It appears the issues are related after all. There are no event log errors other than the original schema cache error.

I have set the searchFlags back to 0 and after about 10 minutes the kccevent messages start disappearing.



Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine chewbacca, is a DC.
   * Connecting to directory service on server chewbacca.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 8 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Christchurch\CHEWBACCA
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... CHEWBACCA passed test Connectivity

Doing primary tests
   
   Testing server: Christchurch\CHEWBACCA
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=duncot,DC=net
               Latency information for 18 entries in the vector were ignored.
                  17 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  1 had no latency information (Win2K DC).  
            CN=Configuration,DC=duncot,DC=net
               Latency information for 18 entries in the vector were ignored.
                  17 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  1 had no latency information (Win2K DC).  
            DC=duncot,DC=net
               Latency information for 18 entries in the vector were ignored.
                  17 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  1 had no latency information (Win2K DC).  
            DC=ForestDnsZones,DC=duncot,DC=net
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=duncot,DC=net
               Latency information for 2 entries in the vector were ignored.
                  2 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         ......................... CHEWBACCA passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC CHEWBACCA.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=duncot,DC=net
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=duncot,DC=net
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=duncot,DC=net
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=duncot,DC=net
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=duncot,DC=net
            (Domain,Version 2)
         ......................... CHEWBACCA passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\CHEWBACCA\netlogon
         Verified share \\CHEWBACCA\sysvol
         ......................... CHEWBACCA passed test NetLogons
      Starting test: Advertising
         The DC CHEWBACCA is advertising itself as a DC and having a DS.
         The DC CHEWBACCA is advertising as an LDAP server
         The DC CHEWBACCA is advertising as having a writeable directory
         The DC CHEWBACCA is advertising as a Key Distribution Center
         The DC CHEWBACCA is advertising as a time server
         ......................... CHEWBACCA passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
         Role Domain Owner = CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
         Role PDC Owner = CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
         Role Rid Owner = CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
         ......................... CHEWBACCA passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 15331 to 1073741823
         * chewbacca.duncot.net is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 14331 to 14830
         * rIDPreviousAllocationPool is 14331 to 14830
         * rIDNextRID: 14333
         ......................... CHEWBACCA passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC CHEWBACCA on DC CHEWBACCA.
         * SPN found :LDAP/chewbacca.duncot.net/duncot.net
         * SPN found :LDAP/chewbacca.duncot.net
         * SPN found :LDAP/CHEWBACCA
         * SPN found :LDAP/chewbacca.duncot.net/DUNCOT
         * SPN found :LDAP/100d6db6-bc50-4497-a7ad-9ddfa5f5812e._msdcs.duncot.net
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/100d6db6-bc50-4497-a7ad-9ddfa5f5812e/duncot.net
         * SPN found :HOST/chewbacca.duncot.net/duncot.net
         * SPN found :HOST/chewbacca.duncot.net
         * SPN found :HOST/CHEWBACCA
         * SPN found :HOST/chewbacca.duncot.net/DUNCOT
         * SPN found :GC/chewbacca.duncot.net/duncot.net
         ......................... CHEWBACCA passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... CHEWBACCA passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         CHEWBACCA is in domain DC=duncot,DC=net
         Checking for CN=CHEWBACCA,OU=Domain Controllers,DC=duncot,DC=net in domain DC=duncot,DC=net on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net in domain CN=Configuration,DC=duncot,DC=net on 1 servers
            Object is up-to-date on all servers.
         ......................... CHEWBACCA passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... CHEWBACCA passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... CHEWBACCA passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/09/2006   10:15:27
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/09/2006   10:15:30
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/09/2006   10:15:30
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/09/2006   10:16:04
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/09/2006   10:16:27
            (Event String could not be retrieved)
         ......................... CHEWBACCA failed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... CHEWBACCA passed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=CHEWBACCA,OU=Domain Controllers,DC=duncot,DC=net and backlink on
         CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=CHEWBACCA,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=duncot,DC=net
         and backlink on CN=CHEWBACCA,OU=Domain Controllers,DC=duncot,DC=net
         are correct.
         The system object reference (serverReferenceBL)
         CN=CHEWBACCA,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=duncot,DC=net
         and backlink on
         CN=NTDS Settings,CN=CHEWBACCA,CN=Servers,CN=Christchurch,CN=Sites,CN=Configuration,DC=duncot,DC=net
         are correct.
         ......................... CHEWBACCA passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : duncot
      Starting test: CrossRefValidation
         ......................... duncot passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... duncot passed test CheckSDRefDom
   
   Running enterprise tests on : duncot.net
      Starting test: Intersite
         Skipping site Christchurch, this site is outside the scope provided by
         the command line arguments provided.
         Skipping site Sydney, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site Wellington, this site is outside the scope provided by
         the command line arguments provided.
         Skipping site Auckland, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site Nelson, this site is outside the scope provided by the
         command line arguments provided.
         ......................... duncot.net passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\chewie.duncot.net
         Locator Flags: 0xe00003fc
         PDC Name: \\chewbacca.duncot.net
         Locator Flags: 0xe00001f9
         Time Server Name: \\chewbacca.duncot.net
         Locator Flags: 0xe00001f9
         Preferred Time Server Name: \\chewie.duncot.net
         Locator Flags: 0xe00003fc
         KDC Name: \\chewbacca.duncot.net
         Locator Flags: 0xe00001f9
         ......................... duncot.net passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS
0
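An added example (not part of the original thread, and not Microsoft's tooling): a short Python parser for saved dcdiag output in the format above. It lists the failed tests and decodes each logged EventID using the standard Windows event identifier layout (top two bits severity, low 16 bits event code). Decoded this way, 0xC0000470 is an Error-severity event with code 1136, the same number as the Event ID 1136 quoted in the question. The function names and the trimmed sample are constructed for illustration.

```python
import re
from collections import Counter

SEVERITY = {0: "Success", 1: "Informational", 2: "Warning", 3: "Error"}

# Constructed sample, trimmed from the dcdiag output format shown above.
SAMPLE = """\
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... CHEWBACCA passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/09/2006   10:15:27
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0000470
            Time Generated: 05/09/2006   10:15:30
            (Event String could not be retrieved)
         ......................... CHEWBACCA failed test kccevent
"""

RESULT_RE = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
EVENT_RE = re.compile(r"EventID:\s*(0x[0-9A-Fa-f]+)")


def decode_event_id(raw):
    """Split a 32-bit event identifier into severity, facility and code."""
    value = int(raw, 16)
    return {"severity": SEVERITY[(value >> 30) & 0x3],
            "facility": (value >> 16) & 0x0FFF,
            "code": value & 0xFFFF}


def summarize(text):
    """Return (failed tests, Counter of decoded events per test)."""
    failed, events, current = [], Counter(), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Starting test:"):
            current = line.split(":", 1)[1].strip()
        elif (m := EVENT_RE.search(line)):
            ev = decode_event_id(m.group(1))
            events[(current, ev["severity"], ev["code"])] += 1
        elif (m := RESULT_RE.search(line)) and m.group(2) == "failed":
            failed.append((m.group(1), m.group(3)))
    return failed, events
```

Run `summarize()` over the full saved log to see which tests failed and which event codes to look up in the Directory Service event log.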
 
Netman66 Commented:
Those KCC errors look a lot like time issues.  Are you certain these servers are within 5 minutes of each other and in the correct time zones with Daylight Savings time setting set properly?

0
 
rsillars (Author) Commented:
Yes, the times on all DCs are within seconds of each other.  The KCC errors have disappeared now that the searchFlags are set to 0.

Should I bother looking at this if our APP is OK?
0
 
Netman66 Commented:
Probably not, but it was related to making the attribute searchable (or not in this case).

I guess the Schema isn't particularly impressed with the way the attribute was added.  I still think that the vendor should be the people fixing this issue since it's related to an extension needed by the application.

Was the domain upgraded after the extension or was it always a 2003 schema?  (Not sure if I asked this already).

0
 
rsillars (Author) Commented:
The extension was added to the domain when it was 2000.

Thanks for all your help, I really appreciate your effort and time.
0
 
Netman66 Commented:
OK, this makes more sense - the schema was extended before the upgrade to 2003.  When Forestprep was run it relays a csv file for the schema updates.  Since your update is non-standard, it never made the version transition to 3.0.

My bet is you'll see errors in the adprep log file that were ignored.

0
