[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 640
  • Last Modified:

1058 1030 errors every 5 minutes on DC

i have a windows 2003 domain with 2 dc's (dc00 and dc01). dc00 contains all the fsmo roles and dc01 is a global catalogue as well as dc00.

every 5 minutes on dc00 i get a 1030 and 1058 Userenv error as stated in microsoft's article (http://support.microsoft.com/default.aspx?scid=kb;en-us;839499)
    - windows cannot query for the list of group policy objects

I followed microsoft's fix with the default domain policy and registry, unfortunately i didn't have to make any changes as my settings already match microsoft's article. when i run gpupdate /force, it will log the 1030 and 1058 events as well as every 5 minutes ... but only on dc00, not dc01.

when i run rsop.msc and it queries, i get a red x through the user settings, but not the computer settings.

now for the questions / puzzling part --
just for kicks, i changed a setting in the default domain policy mmc on dc00 and then changed it right back ... ran the gpupdate /force and i got the success event 1704 as well as rsop.msc doesn't have any errors. 5 minutes later, it logs both 1030 and 1058 again and any gpupdate /force after that will log them again.

obviously, something is overwriting and i have issue of synchronizing, but i can't figure out where / how -- all articles i find on microsoft seem to have some good ideas for changes that i can make, services to restart, reboots ... but all the suggestions are already the default config on my dc00. dc01 looks identical to dc00 from my persepective, yet it logs no errors in the event log.

let me know what other info you want me to post --  thanks in advance

0
thomye
Asked:
thomye
  • 11
  • 9
1 Solution
 
Rob WilliamsCommented:
Have a look at this MS article as well:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314494

Also, make sure your network adapters are pointing only to your DNS servers and not an ISP's.
0
 
thomyeAuthor Commented:
i came across that article earlier but thought it had more to do with a client than DC ...

i changed the dns from 127.0.0.1 to its network address, ran gpupdate /force and it still logs the 1058 and 1030 error
i also verified that dfs was running --

there is a note on that page which doesn't really make sense to me, can anyone help with what this means?

"Note This issue may also occur if "Everyone" has been removed from the root drive NTFS file system permissions. If "Everyone" has been removed from the root drive NTFS permissions, restore the "Everyone" group's NTFS permissions on the root folder by granting "Everyone" the special Read and Execute NTFS permissions on the root folder only."
0
 
Rob WilliamsCommented:
This is the part that i thought might relate to your issue. They are referring to the root folder or drive of the server, which is likely the C: drive. I assume this only needs to be applied to the windows directory, but I checked 2 servers and it seems to be typical of the dive permissions. The permissions they are referring to are found by opening my computer and right clicking on the drive or folder and choosing properties. Then choose security. You should see the everyone group there. At the bottom of the list of permissions should be a grayed out check mark next to special permissions. If the every one group is there you should be able to choose advanced and under the permissions tab see  Allow  Everyone   .... Highlight this line and choose edit.  It should include the following permissions:
  Traverse Folders/Execute File
  List Folder/Read Data
  Read Extended Attributes
  Read Permissions

If these are not there and you need a hand as to how to change please advise.
Note: if you edit the permissions and are promoted to "copy or replace", make sure you choose copy, or it will reset all permissions for the drive/folder. This could have serious effects on Windows.
0
Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

 
thomyeAuthor Commented:
on the C:\ , the security tab has the everyone with the special permissions you listed ... it looks the same as my dc01, which does not log any 1050 or 1038 events -- i've run by the sysvol dir permissions on other forums and verified those as well ...

i'm pulling my hair out over here ... is time to spend the 250$ with microsoft?
0
 
Rob WilliamsCommented:
Well, sounds like that is not the problem. I'm out of ideas. Maybe some others may have something new to offer. Regardless, I will be anxious to hear the ultimate solution........as I'm sure you are.
0
 
thomyeAuthor Commented:
getting warmer i think ... i have an idea but i want your advice first

if i edit the default domain controller policy ... just make a change and set it right back ... then run gpupdate /force -- i get the blue 1704 success event .. followed by some random time, then 5 minute increment of failures again.

conclusion: something is overwriting those settings ("those settings" being the ones listed in KB http://support.microsoft.com/default.aspx?scid=kb;en-us;839499). there is nothing to change because mine matches the kb article .. so all i do is change one of them to a "wrong" setting and then right back ... gpupdate and success

they list these two as needing to be "enabled" ...
     Microsoft Network Server: Digitally Sign Communications (always)
     Microsoft Network Server: Digitally Sign Communications (if client agrees)

these ARE enabled on my "default domain controller policy" but ARE NOT on my "default domain policy" --

is there any reason why the default domain policy settings would overwrite my default domain controller .. if so, is there any reason to not set my default domain and default domain controller policy the same in regards to those 2 objects ENABLED above?

what's your take on that?
0
 
Rob WilliamsCommented:
Perhaps try running the group policy results and see what policies are being applied and what are being filtered. It is included with 2003, just run from the command line. Instructions available at:
http://www.microsoft.com/windowsxp/using/setup/expert/gpresults.mspx
0
 
thomyeAuthor Commented:
here is the result :

***********************************************************************

Microsoft (R) Windows (R) Operating System Group Policy Result tool v2.0
Copyright (C) Microsoft Corp. 1981-2001

Created On 5/19/2006 at 8:20:10 AM


RSOP data for SSI\Administrator on DC00 : Logging Mode
------------------------------------------------------------

OS Type:                     Microsoft(R) Windows(R) Server 2003, Standard Edition
OS Configuration:            Primary Domain Controller
OS Version:                  5.2.3790
Terminal Server Mode:        Remote Administration
Site Name:                   Default-First-Site-Name
Roaming Profile:            
Local Profile:               C:\Documents and Settings\Administrator
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=DC00,OU=Domain Controllers,DC=,DC=
    Last time Group Policy was applied: 5/19/2006 at 8:18:06 AM
    Group Policy was applied from:      dc00
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        
    Domain Type:                        Windows 2000

    Applied Group Policy Objects
    -----------------------------
        Default Domain Controllers Policy
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        BUILTIN\Pre-Windows 2000 Compatible Access
        BUILTIN\Users
        Windows Authorization Access Group
        NT AUTHORITY\NETWORK
        NT AUTHORITY\Authenticated Users
        This Organization
        SSIMSDC00$
        Domain Controllers
        NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
       

USER SETTINGS
--------------
    CN=Administrator,CN=Users,DC=,DC=
    Last time Group Policy was applied: 5/19/2006 at 6:42:33 AM
    Group Policy was applied from:      dc00
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        
    Domain Type:                        Windows 2000
   
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
        BUILTIN\Users
        BUILTIN\Pre-Windows 2000 Compatible Access
        NT AUTHORITY\INTERACTIVE
        NT AUTHORITY\Authenticated Users
        This Organization
        LOCAL
        Group Policy Creator Owners
        Enterprise Admins
        Domain Admins
        Schema Admins

 *************************************************************************

is there any reason i can't set the "default domain policy" to have those smb objects enabled? my thought is that the default domain policy is overwriting the default domain controller policy with those 2 smb objects --  

the results look identical on both machines though, and dc01 is still fine --
0
 
Rob WilliamsCommented:
GPResult looks good.
Shouldn't hurt to make those changes, and might resolve the issue. Make sure you have a couple of "back doors" write down the settings so you can change it back, which I would do if it doesn't make an improvement, and back up the registry first. If not familiar with backing up and restoring the registry information can be found at:
http://support.microsoft.com/kb/322756

I noticed in the article, at the bottom,  specific faults you should see when running dcdiag if those registry settings are a problem. Have tried dcdiag ? If not and you wish to it is available as part of the resource kit or you can get at:
http://www3.ns.sympatico.ca/malagash/Downloads/Net/dcdiag.exe
0
 
thomyeAuthor Commented:
dcdiag output
***************


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\dc00
      Starting test: Connectivity
         ......................... dc00 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\dc00
      Starting test: Replications
         ......................... dc00 passed test Replications
      Starting test: NCSecDesc
         ......................... dc00 passed test NCSecDesc
      Starting test: NetLogons
         ......................... dc00 passed test NetLogons
      Starting test: Advertising
         ......................... dc00 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... dc00 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... dc00 passed test RidManager
      Starting test: MachineAccount
         ......................... dc00 passed test MachineAccount
      Starting test: Services
         ......................... dc00 passed test Services
      Starting test: ObjectsReplicated
         ......................... dc00 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... dc00 passed test frssysvol
      Starting test: frsevent
         ......................... dc00 passed test frsevent
      Starting test: kccevent
         ......................... dc00 passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC0000007
            Time Generated: 05/19/2006   19:39:30
            Event String: The Security Account Manager failed a KDC request
         An Error Event occured.  EventID: 0xC0000007
            Time Generated: 05/19/2006   19:39:30
            Event String: The Security Account Manager failed a KDC request
         An Error Event occured.  EventID: 0xC0000007
            Time Generated: 05/19/2006   19:39:32
            Event String: The Security Account Manager failed a KDC request
         An Error Event occured.  EventID: 0xC0000007
            Time Generated: 05/19/2006   19:39:33
            Event String: The Security Account Manager failed a KDC request
         ......................... dc00 failed test systemlog
      Starting test: VerifyReferences
         ......................... dc00 passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : ssi
      Starting test: CrossRefValidation
         ......................... ssi passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ssi passed test CheckSDRefDom
   
   Running enterprise tests on : mydomain
      Starting test: Intersite
         ......................... mydomain passed test Intersite
      Starting test: FsmoCheck
         ......................... mydomain passed test FsmoCheck


*********

I just rebooted for the first time in a week (first opportunity) and I got a 52538 MSDTC warning in the EVENT log -- think they're related? i fixed it by following this walk through in another forum

52538 : MS DTC could not correctly process a DC Promotion/Demotion event. MS DTC will continue to function and will use the existing security settings. Error Specifics: d:\nt\com\complus\dtc\dtc\adme\uiname.cpp:8751 CmdLine: C:\WINNT\system32\msdtc.exe Pid: <PID>
No Callstack (0).

####
I corrected the error by doing the following:
1. Click Start -> Administrative Tools -> Component Services.
2. Click the "+" next to Component services to expand it.
3. Right click "My Computer" in the right window pane and select Properties.
4. Click the MS DTC Tab.
5. Click the "Security Configuration" button, a dialog box appears. Click "OK".
6. Click "OK" on the "My Computer Properties" box; this will take you back to the console.
7. Right click "My Computer" and select "Stop MS DTC" (this stops the MSDTC service.
8. Again, right click "My Computer" and select "Start MS DTC".
By following the above steps, it appears that this sets the MS DTC defaults resolving the error messages. Check the event log to verify that the problem is gone. You might also want to restart the server to verify this.  
###


any thoughts?
0
 
Rob WilliamsCommented:
I don't know I'm stumped. The errors in the dcdiag output are not similar to those in the Microsoft article, so I assume the registry changes will not help. As for the Component Services updates/changes, I don't see where that would force a change, but I really don't understand those functions so I couldn't say.

Did it help with the 52538 Error? If it didn't, restarting the service would likely have created another error.
Did it help the 1058/1030 error issues at all?
0
 
thomyeAuthor Commented:
since the reboot, i haven't seen the 1058/1030 errors --

the MSDTC error was fixed by that walk through of "component services" --

that's the first time i paid attention to the dcdiag error "Event String: The Security Account Manager failed a KDC request" .. never seen it before and just trying to find something online

thanks for posting back ... can't find anyone else anywhere to help except you
0
 
Rob WilliamsCommented:
>>"can't find anyone else anywhere to help except you"
I'm the bottom of the barrel eh!  :-)

Sorry, it is not an area I am terribly familiar with. I looked for errors pertaining to the "failed a KDC request" and came up with nothing either.

>>"since the reboot, i haven't seen the 1058/1030 errors"
Perhaps you have nailed it.
0
 
thomyeAuthor Commented:
ran a DCDIAG /fix  /v

output:


Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine dc00, is a DC.
   * Connecting to directory service on server dc00.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\dc00
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... dc00 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\dc00
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=ssi,DC=local
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=ssi,DC=local
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=ssi,DC=local
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=ssi,DC=local
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=ssi,DC=local
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         * Replication Site Latency Check
         ......................... dc00 passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions Check for
           DC=ForestDnsZones,DC=ssi,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=ssi,DC=local
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=ssi,DC=local
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=ssi,DC=local
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=ssi,DC=local
            (Domain,Version 2)
         ......................... dc00 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         ......................... dc00 passed test NetLogons
      Starting test: Advertising
         The DC dc00 is advertising itself as a DC and having a DS.
         The DC dc00 is advertising as an LDAP server
         The DC dc00 is advertising as having a writeable directory
         The DC dc00 is advertising as a Key Distribution Center
         The DC dc00 is advertising as a time server
         The DS dc00 is advertising as a GC.
         ......................... dc00 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=dc00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ssi,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=dc00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ssi,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=dc00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ssi,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=dc00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ssi,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=dc00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ssi,DC=local
         ......................... dc00 passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 2603 to 1073741823
         * dc00.mydomain is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1103 to 1602
         * rIDPreviousAllocationPool is 1103 to 1602
         * rIDNextRID: 1197
         ......................... dc00 passed test RidManager
      Starting test: MachineAccount
         * SPN found :LDAP/dc00.mydomain/mydomain
         * SPN found :LDAP/dc00.mydomain
         * SPN found :LDAP/dc00
         * SPN found :LDAP/dc00.mydomain/SSI
         * SPN found :LDAP/7f06b233-334a-460a-ada0-5e44bb189f20._msdcs.mydomain
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/7f06b233-334a-460a-ada0-5e44bb189f20/mydomain
         * SPN found :HOST/dc00.mydomain/mydomain
         * SPN found :HOST/dc00.mydomain
         * SPN found :HOST/dc00
         * SPN found :HOST/dc00.mydomain/SSI
         * SPN found :GC/dc00.mydomain/mydomain
         ......................... dc00 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... dc00 passed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         dc00 is in domain DC=ssi,DC=local
         Checking for CN=dc00,OU=Domain Controllers,DC=ssi,DC=local in domain DC=ssi,DC=local on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=dc00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ssi,DC=local in domain CN=Configuration,DC=ssi,DC=local on 1 servers
            Object is up-to-date on all servers.
         ......................... dc00 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... dc00 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... dc00 passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... dc00 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... dc00 passed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=dc00,OU=Domain Controllers,DC=ssi,DC=local and backlink on
         CN=dc00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ssi,DC=local
         are correct.
         The system object reference (frsComputerReferenceBL)
         CN=dc00,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ssi,DC=local
         and backlink on CN=dc00,OU=Domain Controllers,DC=ssi,DC=local are
         correct.
         The system object reference (serverReferenceBL)
         CN=dc00,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=ssi,DC=local
         and backlink on
         CN=NTDS Settings,CN=dc00,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=ssi,DC=local
         are correct.
         ......................... dc00 passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : ssi
      Starting test: CrossRefValidation
         ......................... ssi passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ssi passed test CheckSDRefDom
   
   Running enterprise tests on : mydomain
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... mydomain passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\dc00.mydomain
         Locator Flags: 0xe00003fd
         PDC Name: \\dc00.mydomain
         Locator Flags: 0xe00003fd
         Time Server Name: \\dc00.mydomain
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\dc00.mydomain
         Locator Flags: 0xe00003fd
         KDC Name: \\dc00.mydomain
         Locator Flags: 0xe00003fd
         ......................... mydomain passed test FsmoCheck



*****************************************************************************88

then ran dcdiag again :

output:


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\dc00
      Starting test: Connectivity
         ......................... dc00 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\dc00
      Starting test: Replications
         ......................... dc00 passed test Replications
      Starting test: NCSecDesc
         ......................... dc00 passed test NCSecDesc
      Starting test: NetLogons
         ......................... dc00 passed test NetLogons
      Starting test: Advertising
         ......................... dc00 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... dc00 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... dc00 passed test RidManager
      Starting test: MachineAccount
         ......................... dc00 passed test MachineAccount
      Starting test: Services
         ......................... dc00 passed test Services
      Starting test: ObjectsReplicated
         ......................... dc00 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... dc00 passed test frssysvol
      Starting test: frsevent
         ......................... dc00 passed test frsevent
      Starting test: kccevent
         ......................... dc00 passed test kccevent
      Starting test: systemlog
         ......................... dc00 passed test systemlog
      Starting test: VerifyReferences
         ......................... dc00 passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : ssi
      Starting test: CrossRefValidation
         ......................... ssi passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ssi passed test CheckSDRefDom
   
   Running enterprise tests on : mydomain
      Starting test: Intersite
         ......................... mydomain passed test Intersite
      Starting test: FsmoCheck
         ......................... mydomain passed test FsmoCheck

**************************************************************************

so that failure is gone now ...

no events posted for 25 minutes now ...

ran gpupdate /force ...  got a 1704 success

error free for 30 minutes ... no warnings either ... light at the end of the tunnel?
0
 
Rob WilliamsCommented:
dcdiag /fix was a good call.
>>"error free for 30 minutes ... no warnings either ... light at the end of the tunnel"
Looking good. Server refreshes policies every 5 minutes so chances are good you have it.
I'm off for the night, or morning I guess, 1:00 am here, but I'll check status in the morning. keep your fingers crossed.
--Rob
0
 
Rob WilliamsCommented:
Still OK ?
--Rob
0
 
thomyeAuthor Commented:
error free for 12 hours on both dc's and exchange ... could it be?

thanks for all your help -- should i close this post now or wait til monday?
0
 
Rob WilliamsCommented:
Glad to here. You are welcome, though I'm not sure how much help I was other than a "sounding board".
If still OK, it should remain so. Replication between servers should be less than 3 hours so you have been through that a few times. As for closing the question, no rush. Don't jinx yourself :-)
Have a great weekend.
--Rob
0
 
thomyeAuthor Commented:
likewise ... i'll close it on monday

thanks again
0
 
Rob WilliamsCommented:
Thanks thomye,
--Rob
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

  • 11
  • 9
Tackle projects and never again get stuck behind a technical roadblock.
Join Now