Solved

Windows Server 2008 dcdiag errors

Posted on 2009-04-22
Last Modified: 2012-05-06
Originally, I had a single-domain environment with 2 Win2k DCs. I followed instructions to add 2 Windows Server 2008 DCs (forestprep, domainprep, dcpromo).

I also transferred the FSMO roles to one of the new DCs without issues.

I am seeing the following error on the first 2008 DC:
###########
Log Name:      Directory Service
Source:        Microsoft-Windows-ActiveDirectory_DomainService
Date:          4/22/2009 4:28:08 PM
Event ID:      1925
Task Category: Knowledge Consistency Checker
Level:         Warning
Keywords:      Classic
User:          ANONYMOUS LOGON
Computer:      uswal1-IMGSDC1.tmsinet.com
Description:
The attempt to establish a replication link for the following writable directory partition failed.
 
Directory partition:
CN=Configuration,DC=tmsinet,DC=com
Source directory service:
CN=NTDS Settings,CN=USWAL1-IMGSDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=tmsinet,DC=com
Source directory service address:
2f6f11a8-dae0-49b9-8ba0-bf2b68ce52ef._msdcs.tmsinet.com
Intersite transport (if any):
 
 
This directory service will be unable to replicate with the source directory service until this problem is corrected.
 
User Action
Verify if the source directory service is accessible or network connectivity is available.
 
Additional Data
Error value:
8524 The DSA operation is unable to proceed because of a DNS lookup failure.
############

So I take it this is a DNS issue, but I can ping the 2nd 2008 DC by name with no problem.

I ran a dcdiag and this was the initial error from the output:
############
Doing initial required tests

   Testing server: Default-First-Site-Name\USWAL1-IMGSDC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         The host a5681079-2780-432c-9fbc-1dfa28fe0abc._msdcs.tmsinet.com could
         not be resolved to an IP address. Check the DNS server, DHCP, server
         name, etc.
         ......................... USWAL1-IMGSDC1 failed test Connectivity
###########

I looked in DNS and I don't see an entry for the host a5681079-2780-432c-9fbc-1dfa28fe0abc._msdcs.tmsinet.com, but I do see 2 similar entries that refer to the original 2 Win2k DCs.

Not sure where to go from here?

0
Question by:imagitastech
19 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24209879
You can add the record above to the DNS server, then try to get replication going. Run a dcdiag /fix on all servers. Make sure the servers point to themselves for DNS in the TCP/IP properties; make sure you aren't using 127.0.0.1 for the DNS server in your TCP/IP settings. Also, there should be no external DNS servers listed in the TCP/IP properties.
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24209905
1) Try an nslookup of a5681079-2780-432c-9fbc-1dfa28fe0abc._msdcs.tmsinet.com

2) Find which DC is really a5681079-2780-432c-9fbc-1dfa28fe0abc._msdcs.tmsinet.com and check why it is not registered in the DNS.

To do this, open Active Directory Sites and Services.

Locate your domain controllers, right-click Properties on NTDS Settings, and check which one is a5681079-2780-432c-9fbc-1dfa28fe0abc._msdcs.tmsinet.com
0
 

Author Comment

by:imagitastech
ID: 24228175
Thank you. I put entries in DNS for both DCs and replication seems to be working now. dcdiag now shows this warning on both new DCs:
###########
An Warning Event occurred.  EventID: 0x0000168D
Time Generated: 04/24/2009   14:28:05
Event String:
The following DNS server that is authoritative for the DNS domain controller locator records of this domain controller does not support dynamic DNS updates:
##########

On new DC #2 dcdiag reports the following warnings:
##########
Starting test: Advertising

         Warning: USWAL1-IMGSDC2 is not advertising as a time server.

         ......................... USWAL1-IMGSDC2 failed test Advertising
##########
Starting test: LocatorCheck

         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355

         A Primary Domain Controller could not be located.

         The server holding the PDC role is down.

         ......................... tmsinet.com failed test LocatorCheck
##########

All other tests passed.
Should both DCs be set up as time servers?

Thanks!
0

 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24228653
The PDC emulator should be the time server. What server is holding that role?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24228750
Is it a new setup, or did you inherit it from someone?

It seems that a5681079-2780-432c-9fbc-1dfa28fe0abc._msdcs.tmsinet.com is the PDC emulator and is down.


If you open ADUC and right-click on the domain name, Operations Masters, who is it listing as PDC emulator?

0
 

Author Comment

by:imagitastech
ID: 24229002
Thanks for helping me guys!

a5681079-2780-432c-9fbc-1dfa28fe0abc._msdcs.tmsinet.com is uswal1-imgsdc1.imagitas.com.

This DC is defined as the RID, PDC and Infrastructure operations master. The dcdiag on this machine states that it is serving time.

This machine is up and running.

This was an existing Win2k AD setup. I am running the dcdiags to make sure that all is well with the 2 new Windows Server 2008 DCs before I demote the old Win2k DCs.



0
 
LVL 49

Expert Comment

by:Akhater
ID: 24229046
Do you have the firewall on on the Windows 2008 machine?
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24229122
Have you forced replication between the servers yet? Disable IPv6 on the Server 2008 machines and post ipconfig /all for them as well.
0
 

Author Comment

by:imagitastech
ID: 24229780
Yes. Both 2008 DCs have firewall and McAfee enabled.
0
 

Author Comment

by:imagitastech
ID: 24229822
Here are the ipconfigs for the 2 Windows 2008 DCs:

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : uswal1-IMGSDC1
   Primary Dns Suffix  . . . . . . . : tmsinet.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : tmsinet.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDISVBD Client)
   Physical Address. . . . . . . . . : 00-13-72-FA-05-DF
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.4.20.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.4.20.1
   DNS Servers . . . . . . . . . . . : 10.4.20.9
                                                 10.4.21.9
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{566C6A52-3B89-4CA6-B820-65C5A9E1B9EA}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

#################################

C:\>ipconfig /all

Windows IP Configuration

   Host Name . . . . . . . . . . . . : uswal1-IMGSDC2
   Primary Dns Suffix  . . . . . . . : tmsinet.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : tmsinet.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5708C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 00-13-72-FA-33-21
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.4.21.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.4.21.1
   DNS Servers . . . . . . . . . . . : 10.4.21.9
                                                 10.4.20.9
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{BAAE5085-6A36-4311-AF63-B6F12680ABEB}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


Thanks!
0
 

Author Comment

by:imagitastech
ID: 24229829
I have not forced replication yet.  From which DC would I force replication?
0
 
LVL 49

Expert Comment

by:Akhater
ID: 24230843
What are 10.4.21.9 & 10.4.20.9?

0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24236040
So, you have these two DCs on different subnets, is that correct?
0
 

Author Comment

by:imagitastech
ID: 24240932
Those are the IPs of the 2 new Windows 2008 DCs.

Yes, they are on 2 different subnets separated by a router, not a firewall.

0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24245703
Run a Dcdiag and post.
0
 

Author Comment

by:imagitastech
ID: 24250029
Here is dcdiag from Windows 2008 Server DC1:
##########
Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = uswal1-IMGSDC1

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\USWAL1-IMGSDC1

      Starting test: Connectivity

         ......................... USWAL1-IMGSDC1 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\USWAL1-IMGSDC1

      Starting test: Advertising

         ......................... USWAL1-IMGSDC1 passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... USWAL1-IMGSDC1 passed test FrsEvent

      Starting test: DFSREvent

         ......................... USWAL1-IMGSDC1 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... USWAL1-IMGSDC1 passed test SysVolCheck

      Starting test: KccEvent

         ......................... USWAL1-IMGSDC1 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... USWAL1-IMGSDC1 passed test

         KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... USWAL1-IMGSDC1 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... USWAL1-IMGSDC1 passed test NCSecDesc

      Starting test: NetLogons

         ......................... USWAL1-IMGSDC1 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... USWAL1-IMGSDC1 passed test ObjectsReplicated

      Starting test: Replications

         ......................... USWAL1-IMGSDC1 passed test Replications

      Starting test: RidManager

         ......................... USWAL1-IMGSDC1 passed test RidManager

      Starting test: Services

         ......................... USWAL1-IMGSDC1 passed test Services

      Starting test: SystemLog

         An Warning Event occurred.  EventID: 0x0000168D

            Time Generated: 04/28/2009   07:31:04

            Event String:

            The following DNS server that is authoritative for the DNS domain controller locator records of this domain controller does not support dynamic DNS updates:  


         ......................... USWAL1-IMGSDC1 passed test SystemLog

      Starting test: VerifyReferences

         ......................... USWAL1-IMGSDC1 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : tmsinet

      Starting test: CheckSDRefDom

         ......................... tmsinet passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... tmsinet passed test CrossRefValidation

   
   Running enterprise tests on : tmsinet.com

      Starting test: LocatorCheck

         ......................... tmsinet.com passed test LocatorCheck

      Starting test: Intersite

         ......................... tmsinet.com passed test Intersite
#########

dcdiag from Windows 2008 DC2:

##########
Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = uswal1-IMGSDC2

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\USWAL1-IMGSDC2

      Starting test: Connectivity

         ......................... USWAL1-IMGSDC2 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\USWAL1-IMGSDC2

      Starting test: Advertising

         Warning: USWAL1-IMGSDC2 is not advertising as a time server.

         ......................... USWAL1-IMGSDC2 failed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... USWAL1-IMGSDC2 passed test FrsEvent

      Starting test: DFSREvent

         ......................... USWAL1-IMGSDC2 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... USWAL1-IMGSDC2 passed test SysVolCheck

      Starting test: KccEvent

         ......................... USWAL1-IMGSDC2 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... USWAL1-IMGSDC2 passed test

         KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... USWAL1-IMGSDC2 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... USWAL1-IMGSDC2 passed test NCSecDesc

      Starting test: NetLogons

         ......................... USWAL1-IMGSDC2 passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... USWAL1-IMGSDC2 passed test ObjectsReplicated

      Starting test: Replications

         ......................... USWAL1-IMGSDC2 passed test Replications

      Starting test: RidManager

         ......................... USWAL1-IMGSDC2 passed test RidManager

      Starting test: Services

         ......................... USWAL1-IMGSDC2 passed test Services

      Starting test: SystemLog

         An Warning Event occurred.  EventID: 0x0000168D

            Time Generated: 04/28/2009   07:27:06

            Event String:

            The following DNS server that is authoritative for the DNS domain controller locator records of this domain controller does not support dynamic DNS updates:  


         ......................... USWAL1-IMGSDC2 passed test SystemLog

      Starting test: VerifyReferences

         ......................... USWAL1-IMGSDC2 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : tmsinet

      Starting test: CheckSDRefDom

         ......................... tmsinet passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... tmsinet passed test CrossRefValidation

   
   Running enterprise tests on : tmsinet.com

      Starting test: LocatorCheck

         Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355

         A Primary Domain Controller could not be located.

         The server holding the PDC role is down.

         ......................... tmsinet.com failed test LocatorCheck

      Starting test: Intersite

         ......................... tmsinet.com passed test Intersite
############

Not sure why I would see the PDC error on DC2. DC1 has the PDC role and is up and running.
Here is output from netdom query fsmo run on DC2:

Schema master               uswal1-IMGSDC1.tmsinet.com
Domain naming master        uswal1-IMGSDC1.tmsinet.com
PDC                         uswal1-IMGSDC1.tmsinet.com
RID pool manager            uswal1-IMGSDC1.tmsinet.com
Infrastructure master       uswal1-IMGSDC1.tmsinet.com

I assume the FRS error on DC1 has to do with the fact that the functional level is still at 2000. At what point would I raise that to 2008?

Thanks!
0
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 2000 total points
ID: 24255327
The FRS errors have nothing to do with the forest level; you are having problems with replication. Have you demoted the old servers yet?

Make sure your servers allow dynamic updates. Right-click your DNS zone, then go to Properties; on the General tab, make sure you have Dynamic updates set to non-secure and secure.
0
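
Added example (not posted by anyone in this thread): a PowerShell check for the two conditions the thread turns on, whether each DC's GUID-based CNAME under `_msdcs` is registered on every DNS server, and how each zone's dynamic-update setting is configured. It assumes the ActiveDirectory and DnsServer modules (Windows Server 2012 or later management tools); the function names are hypothetical, and zones set to `NonsecureAndSecure` are flagged because that setting accepts unauthenticated updates.

```powershell
#Requires -Modules ActiveDirectory, DnsServer
# Added example: assumes RSAT ActiveDirectory and DnsServer modules and
# read access to AD and to the DNS servers being queried.

function Test-DcLocatorCname {
    # For every DC, check that <NTDS Settings objectGUID>._msdcs.<forest root>
    # is present as a CNAME on each DNS server passed in.
    param([Parameter(Mandatory)][string[]]$DnsServer)

    $forestRoot = (Get-ADForest).RootDomain
    foreach ($dc in Get-ADDomainController -Filter *) {
        # The DSA GUID is the objectGUID of the DC's NTDS Settings object.
        $dsaGuid = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
        $alias   = '{0}._msdcs.{1}' -f $dsaGuid, $forestRoot

        foreach ($server in $DnsServer) {
            # NXDOMAIN raises an error; a name without a CNAME returns only
            # an SOA in the authority section, which the filter drops.
            $answer = Resolve-DnsName -Name $alias -Type CNAME -Server $server `
                          -DnsOnly -ErrorAction SilentlyContinue |
                      Where-Object { $_.Type -eq 'CNAME' }

            [pscustomobject]@{
                DomainController = $dc.HostName
                Alias            = $alias
                DnsServer        = $server
                Registered       = [bool]$answer
                PointsTo         = $answer.NameHost
            }
        }
    }
}

function Get-ZoneDynamicUpdateSetting {
    # List the dynamic-update mode of every primary zone and say what it implies.
    param([Parameter(Mandatory)][string[]]$DnsServer)

    foreach ($server in $DnsServer) {
        Get-DnsServerZone -ComputerName $server |
            Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
            Select-Object @{ n = 'DnsServer'; e = { $server } },
                          ZoneName, IsDsIntegrated, DynamicUpdate,
                          @{ n = 'Finding'; e = {
                              switch ($_.DynamicUpdate) {
                                  'None'               { 'DCs cannot register locator records (event 0x168D)' }
                                  'NonsecureAndSecure' { 'accepts unauthenticated updates' }
                                  default              { 'ok' }
                              } } }
    }
}

# DNS servers taken from the ipconfig output earlier in the thread.
$dnsServers = '10.4.20.9', '10.4.21.9'
Test-DcLocatorCname          -DnsServer $dnsServers | Format-Table -AutoSize
Get-ZoneDynamicUpdateSetting -DnsServer $dnsServers | Format-Table -AutoSize
```

A row with `Registered` set to `False` corresponds to the dcdiag Connectivity failure quoted in the question; a CNAME present on one DNS server but not the other points at zone replication rather than registration.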
 

Author Comment

by:imagitastech
ID: 24260369
I have not demoted the old servers yet.  

I have now set my DNS zones to secure and nonsecure dynamic updates. Some zones were secure only, and some were not set up for dynamic updates.

0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 24261113
This should fix that problem.
0


Question has a verified solution.
