LrdKanien

dcdiag error with Active Directory 2003 & 2008

I have 1 forest and 2 domains. I have 5 DCs and 3 of them are located in remote offices. Do I need 389 open to every office from the main DC?

Also,

One of my remote DCs is giving this error from dcdiag. I don't know why it says the DomainDnsZones failed to get completely created. How do I resolve this?

Directory Server Diagnosis
 
Performing initial setup:
   Trying to find home server...
   Home Server = AD5
   * Identified AD Forest.
   Done gathering initial info.
 
Doing initial required tests
 
   Testing server: KansasCity9800\AD5
      Starting test: Connectivity
         ......................... AD5 passed test Connectivity
 
Doing primary tests
 
   Testing server: KansasCity9800\AD5
      Starting test: Advertising
         ......................... AD5 passed test Advertising
      Starting test: FrsEvent
         ......................... AD5 passed test FrsEvent
      Starting test: DFSREvent
         ......................... AD5 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... AD5 passed test SysVolCheck
      Starting test: KccEvent
         ......................... AD5 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... AD5 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... AD5 passed test MachineAccount
      Starting test: NCSecDesc
         Error Enterprise Read Only Domain Controllers doesn't have
            Replicating Directory Changes
         access rights for the naming context:
         CN=Configuration,DC=abacus-corp,DC=com
         ......................... AD5 failed test NCSecDesc
      Starting test: NetLogons
         ......................... AD5 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... AD5 passed test ObjectsReplicated
      Starting test: Replications
         ......................... AD5 passed test Replications
      Starting test: RidManager
         ......................... AD5 passed test RidManager
      Starting test: Services
         ......................... AD5 passed test Services
      Starting test: SystemLog
         ......................... AD5 passed test SystemLog
      Starting test: VerifyReferences
         ......................... AD5 passed test VerifyReferences
 
 
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
 
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
 
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
 
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
 
   Running partition tests on : abacus-corp
      Starting test: CheckSDRefDom
         ......................... abacus-corp passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... abacus-corp passed test CrossRefValidation
 
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         This cross-ref has a non-standard dNSRoot attribute.
          Cross-ref DN:
         CN=72502b55-ef5c-4cea-a7af-2563b748787d,CN=Partitions,CN=Configuration,DC=abacus-corp,DC=com
          nCName attribute (Partition name):
         DC=DomainDnsZones,DC=abacus-winhost,DC=com
          Bad dNSRoot attribute: ADAM.abacus-winhost.com
          Check with your network administrator to make sure this dNSRoot
         attribute is correct, and if not please change the attribute to the
         value below.
           dNSRoot should be: DomainDnsZones.abacus-winhost.com
            It appears this partition
            (DC=DomainDnsZones,DC=abacus-winhost,DC=com) failed to get
            completely created.  This cross-ref
            (CN=72502b55-ef5c-4cea-a7af-2563b748787d,CN=Partitions,CN=Configuration,DC=abacus-corp,DC=com)
             is dead and should be removed from the directory.
         ......................... DomainDnsZones failed test
         CrossRefValidation
 
   Running enterprise tests on : abacus-corp.com
      Starting test: LocatorCheck
         ......................... abacus-corp.com passed test LocatorCheck
      Starting test: Intersite
         ......................... abacus-corp.com passed test Intersite

Mike Kline

Do you have firewalls between your offices? Yes, you need 389 open: http://technet.microsoft.com/en-us/library/bb727063.aspx
Still looking into the second error.
LrdKanien (asker)

Yes, I have firewalls, and yes, I have 389 open from all DCs to the main 2.
Mike Kline

See if netdiag /v /fix helps with those records:
http://support.microsoft.com/kb/321708 
LrdKanien (asker)

If I try to run netdiag /v /fix I get a popup from netdiag.exe that says "Entry point not found: the procedure entry point dnsgetprimarydomainname_utf8 could not be located in the dynamic link library dnsapi.dll."
LrdKanien (asker)

BTW, this is a 2008 DC, not 2003.
Mike Kline

OK, so no netdiag on there.
LrdKanien (asker)

When I attempt to add a DC or remove a DC from the non-root domain I receive this error. Why doesn't the full domain show instead of just .com?
(attachment: dcpromo-com.jpg)
Mike Kline

Do you have a zone that is listed with just a "."?
Is all this Active Directory-integrated DNS?
LrdKanien (asker)

No zones with just a ".", and yes, it is AD-integrated DNS.

I have two domains, domain.com and domain2.com; domain.com is the forest root and domain2.com is a separate domain in the same forest.
LrdKanien (asker)

I think what went wrong is that I wanted to recreate the domain2.com zone, so I removed the DNS role, re-added the DNS role and restarted netlogon to regenerate all of the AD records. I now think that domain.com doesn't have matching IDs for domain2.com and is not authorizing it. I don't know how to prove this or fix it, though.
LrdKanien (asker)

Take a look at the attached repadmin output:
C:\Users\davidf>repadmin /showreps
WinHost\ADAM
DSA Options: IS_GC
Site Options: IS_INTER_SITE_AUTO_TOPOLOGY_DISABLED
DSA object GUID: 4ce6ac13-98b9-48c2-a911-5ed22c33018c
DSA invocationID: a3502141-943f-4c51-b03e-d1b058b73b03
 
==== INBOUND NEIGHBORS ======================================
 
CN=Configuration,DC=abacus-corp,DC=com
    SanDiego\AD2 via RPC
        DSA object GUID: 098a94ad-bbcc-4625-b604-53f572384c5f
        Last attempt @ 2009-01-27 22:30:59 was successful.
 
CN=Schema,CN=Configuration,DC=abacus-corp,DC=com
    SanDiego\AD2 via RPC
        DSA object GUID: 098a94ad-bbcc-4625-b604-53f572384c5f
        Last attempt @ 2009-01-27 22:30:59 was successful.
 
DC=ForestDnsZones,DC=abacus-corp,DC=com
    SanDiego\AD2 via RPC
        DSA object GUID: 098a94ad-bbcc-4625-b604-53f572384c5f
        Last attempt @ 2009-01-27 22:30:59 was successful.
 
DC=abacus-corp,DC=com
    SanDiego\AD2 via RPC
        DSA object GUID: 098a94ad-bbcc-4625-b604-53f572384c5f
        Last attempt @ 2009-01-27 22:30:59 was successful.
 
C:\Users\davidf>repadmin /syncall
CALLBACK MESSAGE: Error contacting server 4ce6ac13-98b9-48c2-a911-5ed22c33018c._
msdcs.abacus-corp.com (network error): 5 (0x5):
    Access is denied.
 
SyncAll exited with fatal Win32 error: 8440 (0x20f8):
    The naming context specified for this replication operation is invalid.
 
C:\Users\davidf>
ChiefIT

Check your SRV records:
http://support.microsoft.com/kb/816587

You might have a stub zone of itself within DNS. In that case it might be easiest to remove the fwd lookup zone and rebuild it.

Do you have more than one server that you can replicate from?
ASKER CERTIFIED SOLUTION
Mike Kline

THIS SOLUTION IS ONLY AVAILABLE TO MEMBERS.
LrdKanien (asker)

mmkline71 - Do you mean load up ADSI Edit and look in System/MicrosoftDNS? Or what exactly do you want me to do?

Woke up this morning and was told by a co-worker that the abacus-corp.com forest root AD-integrated zone was deleted.

I recreated the zone, restarted DNS/netlogon, and it is rebuilding itself. I am also having to register DNS across the domain to get the records back for each machine.
LrdKanien (asker)

mmkline71 - I understand what you are asking now. Yes, I do have DomainDnsZones, and yes, it has the A records for every DNS server in the domain.

I'm interested in the ForestDnsZones. In abacus-corp.com (forest root) it has this folder, but abacus-winhost.com does not have it. I am not sure if every forward lookup zone has to have this ForestDnsZones, though. Does it?

Also, abacus-winhost.com doesn't have any records in the _msdcs folder; they are all in the abacus-corp.com _msdcs.
(attachment: ad-dns.jpg)
LrdKanien (asker)

Going to close this, as this is the last thing I'll add...

Everything seems to be back to normal after recreating the AD structure; however, I'm back to my original error of:

Starting test: NCSecDesc
   Error Enterprise Read Only Domain Controllers doesn't have
      Replicating Directory Changes
   access rights for the naming context:
   CN=Configuration,DC=abacus-corp,DC=com
   ......................... ADAM failed test NCSecDesc
Mike Kline

Did you run 'adprep /rodcprep' before deploying the 2008 DCs? Do you have any RODCs?
If you don't, it looks like you can ignore that error:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/497a0713-6938-473d-8e6b-c041673304f9/
I'm more troubled by the call from your co-worker. Not sure how that got deleted.
LrdKanien (asker)

I ran across that same article. I don't have any RODCs, and yes, I recently ran adprep /rodcprep, but I still receive the error:
Starting test: NCSecDesc
   Error Enterprise Read Only Domain Controllers doesn't have
      Replicating Directory Changes
   access rights for the naming context:
   DC=abacus-winhost,DC=com
   Error Enterprise Read Only Domain Controllers doesn't have
      Replicating Directory Changes
      Replicating Directory Changes All
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   CN=Schema,CN=Configuration,DC=abacus-corp,DC=com
   Error Enterprise Read Only Domain Controllers doesn't have
      Replicating Directory Changes
   access rights for the naming context:
   CN=Configuration,DC=abacus-corp,DC=com
   Error Enterprise Read Only Domain Controllers doesn't have
      Replicating Directory Changes
   access rights for the naming context:
   DC=abacus-corp,DC=com
   ......................... ADAM failed test NCSecDesc

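As an added example (not code from this thread or from Microsoft's tooling), a small Python parser for dcdiag reports of the kind quoted in the question and in the last post: it collects each test result, handles dcdiag's habit of wrapping the test name onto the next line, pairs the bad and expected dNSRoot values from a CrossRefValidation failure, and lists the naming contexts named in an NCSecDesc failure. The sample input is constructed from excerpts of the output quoted above; the function names are the example's own.

```python
import re

# Constructed sample: excerpts of the dcdiag output quoted in this thread.
SAMPLE = """\
      Starting test: NCSecDesc
         Error Enterprise Read Only Domain Controllers doesn't have
            Replicating Directory Changes
         access rights for the naming context:
         CN=Configuration,DC=abacus-corp,DC=com
         ......................... AD5 failed test NCSecDesc
      Starting test: CrossRefValidation
          Bad dNSRoot attribute: ADAM.abacus-winhost.com
           dNSRoot should be: DomainDnsZones.abacus-winhost.com
         ......................... DomainDnsZones failed test
         CrossRefValidation
"""

# dcdiag wraps long lines, so the test name after "failed test" may sit on the next line.
RESULT = re.compile(r"^\.{3,}\s+(\S+)\s+(passed|failed) test(?:\s+(\S+))?$")

def parse_dcdiag(text):
    # Returns (test, target, status, detail_lines); a missing wrapped name falls
    # back to the test announced by the preceding "Starting test:" line.
    results, test, detail = [], None, []
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"^Starting test: (\S+)$", line)
        if m:
            test, detail = m.group(1), []
        elif (m := RESULT.match(line)):
            results.append((m.group(3) or test, m.group(1), m.group(2), detail))
            test, detail = None, []
        elif test:
            detail.append(line)
    return results

def failed_tests(text):
    return [r for r in parse_dcdiag(text) if r[2] == "failed"]

def _value(detail, prefix):
    return next((l.split(":", 1)[1].strip() for l in detail if l.startswith(prefix)), None)

def dnsroot_mismatches(text):
    # (partition, bad dNSRoot, expected dNSRoot) for each failed CrossRefValidation.
    return [(target, _value(d, "Bad dNSRoot attribute:"), _value(d, "dNSRoot should be:"))
            for test, target, _, d in failed_tests(text) if test == "CrossRefValidation"]

def missing_replication_rights(text):
    # Naming contexts an NCSecDesc failure says lack the RODC replication rights.
    return [d[i + 1] for test, _, _, d in failed_tests(text) if test == "NCSecDesc"
            for i, l in enumerate(d[:-1]) if l.startswith("access rights for the naming context:")]
```

Feed it the full output of `dcdiag /v` saved to a file to get a short list of failed tests instead of reading the whole report by hand.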