avatura
asked on
DCDiag Errors when using /e switch
Hello,
we have a parent domain with 14 subdomains, all Windows 2003. If I execute dcdiag /a on any DC, everything is fine. If I use dcdiag /e on any DC, the DCs in the same domain pass all tests, but DCs in other Domains produce the errors below .
The only noticable problems we are experiencing are that DCs take 30-45 min to reboot, maybe due to GPO-Access problems as stated in the event log. That's the reason why I started troubleshooting in the first place, but I have been concentrating on those DCDiag errors. I have been researching for hours for each error message, but I haven't found anything useful. Also looked at the verbose output, but no joy.
Therefore any help would be greatly appreciated!
Please note that I have pasted the verbose output into the failed tests.
Most DCs show these errors:
Many thanks in advance!
we have a parent domain with 14 subdomains, all Windows 2003. If I execute dcdiag /a on any DC, everything is fine. If I use dcdiag /e on any DC, the DCs in the same domain pass all tests, but DCs in other Domains produce the errors below .
The only noticable problems we are experiencing are that DCs take 30-45 min to reboot, maybe due to GPO-Access problems as stated in the event log. That's the reason why I started troubleshooting in the first place, but I have been concentrating on those DCDiag errors. I have been researching for hours for each error message, but I haven't found anything useful. Also looked at the verbose output, but no joy.
Therefore any help would be greatly appreciated!
Please note that I have pasted the verbose output into the failed tests.
Most DCs show these errors:
Many thanks in advance!
Testing server: AUG\AUG-DC1
Starting test: Replications
......................... AUG-DC1 passed test Replications
Starting test: NCSecDesc
......................... AUG-DC1 passed test NCSecDesc
Starting test: NetLogons
[AUG-DC1] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
......................... AUG-DC1 failed test NetLogons
Starting test: Advertising
Fatal Error:DsGetDcName (AUG-DC1) call failed, error 1722
The Locator could not find the server.
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 3612 (DcDiag)
System Time is: 5/28/2009 8:22:56:65
Generating component is 2 (RPC runtime)
Status is 1722: The RPC server is unavailable.
Detection location is 193
Error Record 2, ProcessID is 3612 (DcDiag)
System Time is: 5/28/2009 8:22:56:65
Generating component is 5 (redirector)
Status is 2: The system cannot find the file specified.
Detection location is 190
NumberOfParameters is 2
Long val: 1441792
Unicode string: \\AUG-DC1\PIPE\NETLOGON
......................... AUG-DC1 failed test Advertising
Starting test: KnowsOfRoleHolders
......................... AUG-DC1 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... AUG-DC1 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC AUG-DC1 on DC AUG-DC1.
Could not open pipe with [AUG-DC1]:failed with 1203: Win32 Error 1203
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
* SPN found :LDAP/AUG-dc1.aug.parentdomain.de/aug.parentdomain.de
* SPN found :LDAP/AUG-dc1.aug.parentdomain.de
* SPN found :LDAP/AUG-DC1
* Missing SPN :(null)
* SPN found :LDAP/780bac13-0186-4e8a-abcb-1797d9b8b425._msdcs.parentdomain.de
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/780bac13-0186-4e8a-abcb-1797d9b8b425/aug.parentdomain.de
* SPN found :HOST/AUG-dc1.aug.parentdomain.de/aug.parentdomain.de
* SPN found :HOST/AUG-dc1.aug.parentdomain.de
* SPN found :HOST/AUG-DC1
* Missing SPN :(null)
* SPN found :GC/AUG-dc1.aug.parentdomain.de/parentdomain.de
......................... AUG-DC1 failed test MachineAccount
Starting test: Services
Could not open Remote ipc to [AUG-DC1]:failed with 1203: Win32 Error 1203
......................... AUG-DC1 failed test Services
Starting test: ObjectsReplicated
......................... AUG-DC1 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
[AUG-DC1] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
The registry lookup failed to determine the state of the SYSVOL. The
error returned was 1203 (Win32 Error 1203). Check the FRS event log
to see if the SYSVOL has successfully been shared.
......................... AUG-DC1 failed test frssysvol
Starting test: frsevent
......................... AUG-DC1 failed test frsevent
Starting test: kccevent
Failed to enumerate event log records, error Win32 Error 1203
......................... AUG-DC1 failed test kccevent
Starting test: systemlog
Failed to enumerate event log records, error Win32 Error 1203
......................... AUG-DC1 failed test systemlog
Starting test: VerifyReferences
......................... AUG-DC1 passed test VerifyReferences
One Server has a slightly different error in the machine account test:
Testing server: ROE\ROE-DC2
Starting test: Replications
......................... ROE-DC2 passed test Replications
Starting test: NCSecDesc
......................... ROE-DC2 passed test NCSecDesc
Starting test: NetLogons
[ROE-DC2] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
......................... ROE-DC2 failed test NetLogons
Starting test: Advertising
Fatal Error:DsGetDcName (ROE-DC2) call failed, error 1722
The Locator could not find the server.
......................... ROE-DC2 failed test Advertising
Starting test: KnowsOfRoleHolders
......................... ROE-DC2 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... ROE-DC2 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC ROE-DC2 on DC ROE-DC2.
Warning: Attribute userAccountControl of ROE-DC2 is: 0x82020 = ( UF_PASSWD_NOTREQD | UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?
Could not open pipe with [ROE-DC2]:failed with 1203: Win32 Error 1203
Could not get NetBIOSDomainName
Failed can not test for HOST SPN
Failed can not test for HOST SPN
* SPN found :LDAP/ROE-dc2.roe.parentdomain.de/roe.parentdomain.de
* SPN found :LDAP/ROE-dc2.roe.parentdomain.de
* SPN found :LDAP/ROE-DC2
* Missing SPN :(null)
* SPN found :LDAP/778d0348-e38b-4a25-b022-990af982e4e2._msdcs.parentdomain.de
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/778d0348-e38b-4a25-b022-990af982e4e2/roe.parentdomain.de
* SPN found :HOST/ROE-dc2.roe.parentdomain.de/roe.parentdomain.de
* SPN found :HOST/ROE-dc2.roe.parentdomain.de
* SPN found :HOST/ROE-DC2
* Missing SPN :(null)
* SPN found :GC/ROE-dc2.roe.parentdomain.de/parentdomain.de
......................... ROE-DC2 failed test MachineAccount
Starting test: Services
Could not open Remote ipc to [ROE-DC2]:failed with 1203: Win32 Error 1203
......................... ROE-DC2 failed test Services
Starting test: ObjectsReplicated
......................... ROE-DC2 passed test ObjectsReplicated
Starting test: frssysvol
[ROE-DC2] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
......................... ROE-DC2 failed test frssysvol
Starting test: frsevent
......................... ROE-DC2 failed test frsevent
Starting test: kccevent
Failed to enumerate event log records, error Win32 Error 1203
......................... ROE-DC2 failed test kccevent
Starting test: systemlog
Failed to enumerate event log records, error Win32 Error 1203
......................... ROE-DC2 failed test systemlog
Starting test: VerifyReferences
......................... ROE-DC2 passed test VerifyReferences
ASKER
Hello,
thanks for your reply and sorry for my late posting back, but I was away until yesterday.
DNS does not seem to make any problems, no errors on any servers in any domain, dnslint runs without error in every domain and a manual check of DNS records reveals nothing strange, either.
DCDiag /test:DNS /e again gives no problems in the same domain, but
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
TEST: Basic (Basc)
Error: Open Service Control Manager failed
in all other domains.
Could it have to do with permissions? I am using an Enterprise Admin account when executing dcdiag, but I have once heard that the DC computer accounts might need some kind of permissions for cross-domain access, too?
thanks for your reply and sorry for my late posting back, but I was away until yesterday.
DNS does not seem to make any problems, no errors on any servers in any domain, dnslint runs without error in every domain and a manual check of DNS records reveals nothing strange, either.
DCDiag /test:DNS /e again gives no problems in the same domain, but
TEST: Authentication (Auth)
Error: Authentication failed with specified credentials
TEST: Basic (Basc)
Error: Open Service Control Manager failed
in all other domains.
Could it have to do with permissions? I am using an Enterprise Admin account when executing dcdiag, but I have once heard that the DC computer accounts might need some kind of permissions for cross-domain access, too?
I had to look up the syntax of DCdiag /a and Dcdiag /e.
DCdiag /a represents all domain controllers on that site or domain.
DCdiag /e is testing DNS for all domain controllers on the forest.
With that said, you should have 14 forward lookup zones that have zone transfers throughout your forest.
Domain1 - 14.
It appears as if you are having a problem with Aug-DC1.
That would appear to be both the RPC service and the DNS records. DNS would certainly knock down RPC services. So, I would make sure that Aug-DC1 has its SRV and host A records registered within DNS. Then, I would make sure the zone transfer is working. Also, you might go to START>>RUN>> and type services.msc to look at Aug-DC1 services to see what the remote procedure call service is set for.
The delay in logging on "30-45 minutes" is often caused by slow connections to domains and services. USUALLY this results in one of a couple things. It results in the preferred DNS servers on the nics are incorrectly configured and it will go to an outside DNS server prior to looking internally for DNS resolution. Another problem is when another networking protocol is enabled. Let's say, for example, Client services for netware is enabled and also is higher in the bind order than Client services for microsoft networks.
Aug-DC1 seems to be having problems, I would also try this on Aug-DC1. Go to the command prompt and type:
IPconfig /flushdns
IPconfig /registerdns
Net Stop Netlogon
Net Start Netlogon
then force replicate your DNS registrations to other DCs within the forest, (if your zone transfers are correct).
DCdiag /a represents all domain controllers on that site or domain.
DCdiag /e is testing DNS for all domain controllers on the forest.
With that said, you should have 14 forward lookup zones that have zone transfers throughout your forest.
Domain1 - 14.
It appears as if you are having a problem with Aug-DC1.
That would appear to be both the RPC service and the DNS records. DNS would certainly knock down RPC services. So, I would make sure that Aug-DC1 has its SRV and host A records registered within DNS. Then, I would make sure the zone transfer is working. Also, you might go to START>>RUN>> and type services.msc to look at Aug-DC1 services to see what the remote procedure call service is set for.
The delay in logging on "30-45 minutes" is often caused by slow connections to domains and services. USUALLY this results in one of a couple things. It results in the preferred DNS servers on the nics are incorrectly configured and it will go to an outside DNS server prior to looking internally for DNS resolution. Another problem is when another networking protocol is enabled. Let's say, for example, Client services for netware is enabled and also is higher in the bind order than Client services for microsoft networks.
Aug-DC1 seems to be having problems, I would also try this on Aug-DC1. Go to the command prompt and type:
IPconfig /flushdns
IPconfig /registerdns
Net Stop Netlogon
Net Start Netlogon
then force replicate your DNS registrations to other DCs within the forest, (if your zone transfers are correct).
ASKER
Hello ChiefIT,
thank you for your response and sorry again for the late reply, we had a long bank holiday weekend here in Germany.
I'll focus on the DCdiag errors first:
One of my colleagues had a look at the issue and found that if you add A-records for the DCs into the parentdomain.de zone, all tests succeed! In my opinion, that is odd, as the DCs have an FQDN of, say, AUG-DC1.aug.parentdomain.d
You say we should have 14 forward lookup zones with zone transfers. All zones are AD-integrated and on the parentdomain.de DCs there is only one forward zone (parentdomain.de) apart from the _msdcs zone. In it, it has the 14 subdomain folders with the respective subdomain name servers in them. Through those the subdomain DCs should be resolved, shouldn't they? With the new A-records, I can now ping the subdomain DCs without FQDN, but the FQDN it resolves to is wrong, isn't it? (see my last paragraph):
H:\>ping AUG-DC1
Pinging AUG-DC1.parentdomain.de [192.168.169.75] with 32 bytes of data:
Reply from 192.168.169.75: bytes=32 time=20ms TTL=126
Reply from 192.168.169.75: bytes=32 time=14ms TTL=126
Reply from 192.168.169.75: bytes=32 time=14ms TTL=126
Reply from 192.168.169.75: bytes=32 time=15ms TTL=126
In each subdomain, we have the _msdcs.parentdomain.de zone, which is replicated throughout the forest. Apart from that, there is only one forward zone for the subdomain. DNS requests to the parent domain are forwarded to the DNS servers in the parent domain.
After the A-records were added to the parentdomain.de zone, DCdiag /e now succeeds in the subdomains, too!
thank you for your response and sorry again for the late reply, we had a long bank holiday weekend here in Germany.
I'll focus on the DCdiag errors first:
One of my colleagues had a look at the issue and found that if you add A-records for the DCs into the parentdomain.de zone, all tests succeed! In my opinion, that is odd, as the DCs have an FQDN of, say, AUG-DC1.aug.parentdomain.d
You say we should have 14 forward lookup zones with zone transfers. All zones are AD-integrated and on the parentdomain.de DCs there is only one forward zone (parentdomain.de) apart from the _msdcs zone. In it, it has the 14 subdomain folders with the respective subdomain name servers in them. Through those the subdomain DCs should be resolved, shouldn't they? With the new A-records, I can now ping the subdomain DCs without FQDN, but the FQDN it resolves to is wrong, isn't it? (see my last paragraph):
H:\>ping AUG-DC1
Pinging AUG-DC1.parentdomain.de [192.168.169.75] with 32 bytes of data:
Reply from 192.168.169.75: bytes=32 time=20ms TTL=126
Reply from 192.168.169.75: bytes=32 time=14ms TTL=126
Reply from 192.168.169.75: bytes=32 time=14ms TTL=126
Reply from 192.168.169.75: bytes=32 time=15ms TTL=126
In each subdomain, we have the _msdcs.parentdomain.de zone, which is replicated throughout the forest. Apart from that, there is only one forward zone for the subdomain. DNS requests to the parent domain are forwarded to the DNS servers in the parent domain.
After the A-records were added to the parentdomain.de zone, DCdiag /e now succeeds in the subdomains, too!
Is your forest domain controller the only one with an improper FQDN on the forward lookup zone? What about the 14 subdomains.
You can run this and it should provide input on how to fix this issue:
netdiag /test:dsgetdc /d:DomainName /v
netdiag /test:dsgetdc /d:DomainName /v
ASKER
Thanks for your quick reply!
AUG-DC1 is a DC in a subdomain. The improper FQDN results from my manually adding the A-records to the parentdomain.de zone. As I have added records for all subdomain DCs to this zone, so they all have this FQDN. Of course, they have also always had their correct FQDN:
H:\>ping AUG-DC1.aug.parentdomain.d
Pinging AUG-DC1.aug.parentdomain.d
Reply from 192.168.169.75: bytes=32 time=20ms TTL=126
Reply from 192.168.169.75: bytes=32 time=14ms TTL=126
Reply from 192.168.169.75: bytes=32 time=14ms TTL=126
Reply from 192.168.169.75: bytes=32 time=15ms TTL=126
But only with the improper FQDN DCdiag /e does not fail!
AUG-DC1 is a DC in a subdomain. The improper FQDN results from my manually adding the A-records to the parentdomain.de zone. As I have added records for all subdomain DCs to this zone, so they all have this FQDN. Of course, they have also always had their correct FQDN:
H:\>ping AUG-DC1.aug.parentdomain.d
Pinging AUG-DC1.aug.parentdomain.d
Reply from 192.168.169.75: bytes=32 time=20ms TTL=126
Reply from 192.168.169.75: bytes=32 time=14ms TTL=126
Reply from 192.168.169.75: bytes=32 time=14ms TTL=126
Reply from 192.168.169.75: bytes=32 time=15ms TTL=126
But only with the improper FQDN DCdiag /e does not fail!
ASKER
netdiag /test:dsgetdc /d:DomainName /v does not give me any errors, neither in the parent nor subdomain
ASKER
I checked on another customer's system and they do not need A-records for subdomain-DCs in their parentdomain zone. So I think this cannot be the correct solution (although it seems to fix the errors). I might try recreating the delegations on the parent domain DNS server.
Or do you have any other idea?
Or do you have any other idea?
Let me ask you if every subdomain DC is a GC and active directory integrated DNS server??
ASKER
Yes they are.
ASKER
So do you think there should be A-records of the subdomain DCs in the parentdomain.de zone?
Do you have Global Catalogue servers defined in each site in Active Directory Sites and Services? Under the server name there is an NTDS link right click and ensure the Global Catalogue is selected on at least 1 domain controller in each site.
Make sre the DC's are in the correcy sites
Do you have inter-site connectors defined for each site? Make sure they are correct, they should correspond to the physical links in your site.
Do you have your subnets correctly assigned to the correct sites in Active Directory Sites & Services?
Make sre the DC's are in the correcy sites
Do you have inter-site connectors defined for each site? Make sure they are correct, they should correspond to the physical links in your site.
Do you have your subnets correctly assigned to the correct sites in Active Directory Sites & Services?
ASKER
Hello demazter, thanks for your answer!
Yes the settings are all fine. Just to summarize the issue:
The reason why DCdiag /e seems to fail is because although it can resolve the FQDN of the DC, some tests seem to test just for the hostname without the FQDN, i.e. ping AUG-DC1 does not work.
If I add the A-record AUG-DC1 to the parentdomain.de zone, ping AUG-DC1 works because obviously it gets an IP-address back for it. To me it seems wrong though to have an A-Record for a host in a zone it does not reside in (it belongs to aug.parentdomain.de).
Yes the settings are all fine. Just to summarize the issue:
The reason why DCdiag /e seems to fail is because although it can resolve the FQDN of the DC, some tests seem to test just for the hostname without the FQDN, i.e. ping AUG-DC1 does not work.
If I add the A-record AUG-DC1 to the parentdomain.de zone, ping AUG-DC1 works because obviously it gets an IP-address back for it. To me it seems wrong though to have an A-Record for a host in a zone it does not reside in (it belongs to aug.parentdomain.de).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
You're a star, I think that's it!! :-) Need to do some more testing but it makes sense.
So is this the way it should be set up? Why is it not done automatically when the subdomain is set up?
So is this the way it should be set up? Why is it not done automatically when the subdomain is set up?
Because it can be set differently for different purposes.
Glad I could help
Glad I could help
ASKER
I spoke to MS Support the other day regarding a different case and mentioned this issue to him. He says that those dcdiag /e errors had no relevance as netbios was not needed for Active Directory (obviously). So all the worry for nothing. Why does dcdiag flag them then in the first place???
This is just for the record. I just spend 9 hours researching this. I am going to get a drink now that i know i was chasing a ghost.
Its actually funny that this would be the case though. If i add the child domain servers in the hosts file, bam no errors on dcdiag /e ( Why would they have a tool used to check directory replication unable to search with FQDNs for some tests? )
<irritated>
Its actually funny that this would be the case though. If i add the child domain servers in the hosts file, bam no errors on dcdiag /e ( Why would they have a tool used to check directory replication unable to search with FQDNs for some tests? )
<irritated>
Since both FRS and SPN events are seen, My first guess would be DNS errors. What do you see in event logs for DNS issues.
I think this article will help you out:
https://www.experts-exchange.com/questions/23356031/There-are-currently-no-logon-servers-available-to-service-the-logon-request.html
If not, I would like to give you an article to help you through troubleshooting DNS issues:
https://www.experts-exchange.com/articles/Networking/Protocols/DNS/DNS-Troubleshooting-made-easy.html