DCDiag Errors when using /e switch

Hello,

we have a parent domain with 14 subdomains, all Windows 2003. If I execute dcdiag /a on any DC, everything is fine. If I use dcdiag /e on any DC, the DCs in the same domain pass all tests, but DCs in other Domains produce the errors below .

The only noticable problems we are experiencing are that DCs take 30-45 min to reboot, maybe due to GPO-Access problems as stated in the event log. That's the reason why I started troubleshooting in the first place, but I have been concentrating on those DCDiag errors. I have been researching for hours for each error message, but I haven't found anything useful. Also looked at the verbose output, but no joy.

Therefore any help would be greatly appreciated!

Please note that I have pasted the verbose output into the failed tests.
Most DCs show these errors:
 
Many thanks in advance!
Testing server: AUG\AUG-DC1
      Starting test: Replications
         ......................... AUG-DC1 passed test Replications
      Starting test: NCSecDesc
         ......................... AUG-DC1 passed test NCSecDesc
      Starting test: NetLogons
         [AUG-DC1] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
          ......................... AUG-DC1 failed test NetLogons
      Starting test: Advertising
         Fatal Error:DsGetDcName (AUG-DC1) call failed, error 1722
         The Locator could not find the server.
         Printing RPC Extended Error Info:
         Error Record 1, ProcessID is 3612 (DcDiag)         
            System Time is: 5/28/2009 8:22:56:65
            Generating component is 2 (RPC runtime)
            Status is 1722: The RPC server is unavailable.
 
            Detection location is 193
         Error Record 2, ProcessID is 3612 (DcDiag)         
            System Time is: 5/28/2009 8:22:56:65
            Generating component is 5 (redirector)
            Status is 2: The system cannot find the file specified.
 
            Detection location is 190
            NumberOfParameters is 2
            Long val: 1441792
            Unicode string: \\AUG-DC1\PIPE\NETLOGON
         ......................... AUG-DC1 failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... AUG-DC1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... AUG-DC1 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC AUG-DC1 on DC AUG-DC1.
         Could not open pipe with [AUG-DC1]:failed with 1203: Win32 Error 1203
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         * SPN found :LDAP/AUG-dc1.aug.parentdomain.de/aug.parentdomain.de
         * SPN found :LDAP/AUG-dc1.aug.parentdomain.de
         * SPN found :LDAP/AUG-DC1
         * Missing SPN :(null)
         * SPN found :LDAP/780bac13-0186-4e8a-abcb-1797d9b8b425._msdcs.parentdomain.de
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/780bac13-0186-4e8a-abcb-1797d9b8b425/aug.parentdomain.de
         * SPN found :HOST/AUG-dc1.aug.parentdomain.de/aug.parentdomain.de
         * SPN found :HOST/AUG-dc1.aug.parentdomain.de
         * SPN found :HOST/AUG-DC1
         * Missing SPN :(null)
         * SPN found :GC/AUG-dc1.aug.parentdomain.de/parentdomain.de
        ......................... AUG-DC1 failed test MachineAccount
      Starting test: Services
         Could not open Remote ipc to [AUG-DC1]:failed with 1203: Win32 Error 1203
         ......................... AUG-DC1 failed test Services
      Starting test: ObjectsReplicated
         ......................... AUG-DC1 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test 
         [AUG-DC1] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
         The registry lookup failed to determine the state of the SYSVOL.  The
 
         error returned  was 1203 (Win32 Error 1203).  Check the FRS event log
 
         to see if the SYSVOL has successfully been shared. 
         ......................... AUG-DC1 failed test frssysvol
      Starting test: frsevent
         ......................... AUG-DC1 failed test frsevent
      Starting test: kccevent
         Failed to enumerate event log records, error Win32 Error 1203
         ......................... AUG-DC1 failed test kccevent
      Starting test: systemlog
         Failed to enumerate event log records, error Win32 Error 1203
         ......................... AUG-DC1 failed test systemlog
      Starting test: VerifyReferences
         ......................... AUG-DC1 passed test VerifyReferences
 
 
 
One Server has a slightly different error in the machine account test:
 
   Testing server: ROE\ROE-DC2
      Starting test: Replications
         ......................... ROE-DC2 passed test Replications
      Starting test: NCSecDesc
         ......................... ROE-DC2 passed test NCSecDesc
      Starting test: NetLogons
         [ROE-DC2] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
         ......................... ROE-DC2 failed test NetLogons
      Starting test: Advertising
         Fatal Error:DsGetDcName (ROE-DC2) call failed, error 1722
         The Locator could not find the server.
         ......................... ROE-DC2 failed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... ROE-DC2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... ROE-DC2 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC ROE-DC2 on DC ROE-DC2.
         Warning:  Attribute userAccountControl of ROE-DC2 is: 0x82020 = ( UF_PASSWD_NOTREQD | UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
         Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
         This may be affecting replication?
         Could not open pipe with [ROE-DC2]:failed with 1203: Win32 Error 1203
         Could not get NetBIOSDomainName
         Failed can not test for HOST SPN
         Failed can not test for HOST SPN
         * SPN found :LDAP/ROE-dc2.roe.parentdomain.de/roe.parentdomain.de
         * SPN found :LDAP/ROE-dc2.roe.parentdomain.de
         * SPN found :LDAP/ROE-DC2
         * Missing SPN :(null)
         * SPN found :LDAP/778d0348-e38b-4a25-b022-990af982e4e2._msdcs.parentdomain.de
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/778d0348-e38b-4a25-b022-990af982e4e2/roe.parentdomain.de
         * SPN found :HOST/ROE-dc2.roe.parentdomain.de/roe.parentdomain.de
         * SPN found :HOST/ROE-dc2.roe.parentdomain.de
         * SPN found :HOST/ROE-DC2
         * Missing SPN :(null)
         * SPN found :GC/ROE-dc2.roe.parentdomain.de/parentdomain.de
         ......................... ROE-DC2 failed test MachineAccount
      Starting test: Services
         Could not open Remote ipc to [ROE-DC2]:failed with 1203: Win32 Error 1203
         ......................... ROE-DC2 failed test Services
      Starting test: ObjectsReplicated
         ......................... ROE-DC2 passed test ObjectsReplicated
      Starting test: frssysvol
         [ROE-DC2] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
         ......................... ROE-DC2 failed test frssysvol
      Starting test: frsevent
         ......................... ROE-DC2 failed test frsevent
      Starting test: kccevent
         Failed to enumerate event log records, error Win32 Error 1203
         ......................... ROE-DC2 failed test kccevent
      Starting test: systemlog
         Failed to enumerate event log records, error Win32 Error 1203
         ......................... ROE-DC2 failed test systemlog
      Starting test: VerifyReferences
         ......................... ROE-DC2 passed test VerifyReferences

Open in new window

avaturaAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ChiefITCommented:
Looks like a problem with DNS records, or time synchronization.

Since both FRS and SPN events are seen, My first guess would be DNS errors. What do  you see in event logs for DNS issues.

I think this article will help you out:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23356031.html

If not, I would like to give you an article to help you through troubleshooting DNS issues:
http://www.experts-exchange.com/articles/Networking/Protocols/DNS/DNS-Troubleshooting-made-easy.html
0
avaturaAuthor Commented:
Hello,

thanks for your reply and sorry for my late posting back, but I was away until yesterday.

DNS does not seem to make any problems, no errors on any servers in any domain, dnslint runs without error in every domain and a manual check of DNS records reveals nothing strange, either.

DCDiag /test:DNS /e again gives no problems in the same domain, but
               TEST: Authentication (Auth)
                  Error: Authentication failed with specified credentials        
               TEST: Basic (Basc)
                  Error: Open Service Control Manager failed
in all other domains.

Could it have to do with permissions? I am using an Enterprise Admin account when executing dcdiag, but I have once heard that the DC computer accounts might need some kind of permissions for cross-domain access, too?
0
ChiefITCommented:
I had to look up the syntax of DCdiag /a and Dcdiag /e.

DCdiag /a represents all domain controllers on that site or domain.

DCdiag /e is testing DNS for all domain controllers on the forest.

With that said, you should have 14 forward lookup zones that have zone transfers throughout your forest.

Domain1 - 14.

It appears as if you are having a problem with Aug-DC1.

That would appear to be both the RPC service and the DNS records. DNS would certainly knock down RPC services. So, I would make sure that Aug-DC1 has its SRV and host A records registered within DNS. Then, I would make sure the zone transfer is working. Also, you might go to START>>RUN>> and type services.msc to look at Aug-DC1 services to see what the remote procedure call service is set for.

The delay in logging on "30-45 minutes" is often caused by slow connections to domains and services. USUALLY this results in one of a couple things. It results in the preferred DNS servers on the nics are incorrectly configured and it will go to an outside DNS server prior to looking internally for DNS resolution. Another problem is when another networking protocol is enabled. Let's say, for example, Client services for netware is enabled and also is higher in the bind order than Client services for microsoft networks.

Aug-DC1 seems to be having problems, I would also try this on Aug-DC1. Go to the command prompt and type:
IPconfig /flushdns
IPconfig /registerdns
Net Stop Netlogon
Net Start Netlogon

then force replicate your DNS registrations to other DCs within the forest, (if your zone transfers are correct).
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

avaturaAuthor Commented:
Hello ChiefIT,

thank you for your response and sorry again for the late reply, we had a long bank holiday weekend here in Germany.

I'll focus on the DCdiag errors first:
One of my colleagues had a look at the issue and found that if you add A-records for the DCs into the parentdomain.de zone, all tests succeed! In my opinion, that is odd, as the DCs have an FQDN of, say, AUG-DC1.aug.parentdomain.de. If you add them to the parentdomain.de zone, they resolve to AUG-DC1.parentdomain.de. That cannot be right, can it?

You say we should have 14 forward lookup zones with zone transfers. All zones are AD-integrated and on the parentdomain.de DCs there is only one forward zone (parentdomain.de) apart from the _msdcs zone. In it, it has the 14 subdomain folders with the respective subdomain name servers in them. Through those the subdomain DCs should be resolved, shouldn't they? With the new A-records, I can now ping the subdomain DCs without FQDN, but the FQDN it resolves to is wrong, isn't it? (see my last paragraph):

H:\>ping AUG-DC1
Pinging AUG-DC1.parentdomain.de [192.168.169.75] with 32 bytes of data:

Reply from 192.168.169.75: bytes=32 time=20ms TTL=126
Reply from 192.168.169.75: bytes=32 time=14ms TTL=126
Reply from 192.168.169.75: bytes=32 time=14ms TTL=126
Reply from 192.168.169.75: bytes=32 time=15ms TTL=126

In each subdomain, we have the _msdcs.parentdomain.de zone, which is replicated throughout the forest. Apart from that, there is only one forward zone for the subdomain. DNS requests to the parent domain are forwarded to the DNS servers in the parent domain.
After the A-records were added to the parentdomain.de zone, DCdiag /e now succeeds in the subdomains, too!
0
ChiefITCommented:
Is your forest domain controller the only one with an improper FQDN on the forward lookup zone? What about the 14 subdomains.

0
ChiefITCommented:
You can run this and it should provide input on how to fix this issue:

netdiag /test:dsgetdc /d:DomainName /v
0
avaturaAuthor Commented:
Thanks for your quick reply!

AUG-DC1 is a DC in a subdomain. The improper FQDN results from my manually adding the A-records to the parentdomain.de zone. As I have added records for all subdomain DCs to this zone, so they all have this FQDN. Of course, they have also always had their correct FQDN:

H:\>ping AUG-DC1.aug.parentdomain.de
Pinging AUG-DC1.aug.parentdomain.de [192.168.169.75] with 32 bytes of data:

Reply from 192.168.169.75: bytes=32 time=20ms TTL=126
Reply from 192.168.169.75: bytes=32 time=14ms TTL=126
Reply from 192.168.169.75: bytes=32 time=14ms TTL=126
Reply from 192.168.169.75: bytes=32 time=15ms TTL=126

But only with the improper FQDN DCdiag /e does not fail!
0
avaturaAuthor Commented:
netdiag /test:dsgetdc /d:DomainName /v does not give me any errors, neither in the parent nor subdomain
0
avaturaAuthor Commented:
I checked on another customer's system and they do not need A-records for subdomain-DCs in their parentdomain zone. So I think this cannot be the correct solution (although it seems to fix the errors). I might try recreating the delegations on the parent domain DNS server.

Or do you have any other idea?
0
ChiefITCommented:
Let me ask you if every subdomain DC is a GC and active directory integrated DNS server??
0
avaturaAuthor Commented:
Yes they are.
0
avaturaAuthor Commented:
So do you think there should be A-records of the subdomain DCs in the parentdomain.de zone?
0
Glen KnightCommented:
Do you have Global Catalogue servers defined in each site in Active Directory Sites and Services?  Under the server name there is an NTDS link right click and ensure the Global Catalogue is selected on at least 1 domain controller in each site.

Make sre the DC's are in the correcy sites

Do you have inter-site connectors defined for each site?  Make sure they are correct, they should correspond to the physical links in your site.

Do you have your subnets correctly assigned to the correct sites in Active Directory Sites & Services?
0
avaturaAuthor Commented:
Hello demazter, thanks for your answer!

Yes the settings are all fine. Just to summarize the issue:

The reason why DCdiag /e seems to fail is because although it can resolve the FQDN of the DC, some tests seem to test just for the hostname without the FQDN, i.e. ping AUG-DC1 does not work.

If I add the A-record AUG-DC1 to the parentdomain.de zone, ping AUG-DC1 works because obviously it gets an IP-address back for it. To me it seems wrong though to have an A-Record for a host in a zone it does not reside in (it belongs to aug.parentdomain.de).
0
Glen KnightCommented:
do you have the DNS suffix in the DNS properties of the NIC?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
avaturaAuthor Commented:
You're a star, I think that's it!! :-) Need to do some more testing but it makes sense.

So is this the way it should be set up? Why is it not done automatically when the subdomain is set up?
0
Glen KnightCommented:
Because it can be set differently for different purposes.
Glad I could help
0
avaturaAuthor Commented:
I spoke to MS Support the other day regarding a different case and mentioned this issue to him. He says that those dcdiag /e errors had no relevance as netbios was not needed for Active Directory (obviously). So all the worry for nothing. Why does dcdiag flag them then in the first place???
0
BrentDevOpsCommented:
This is just for the record.  I just spend 9 hours researching this.  I am going to get a drink now that i know i was chasing a ghost.
Its actually funny that this would be the case though.  If i add the child domain servers in the hosts file, bam no errors on dcdiag /e ( Why would they have a tool used to check directory replication unable to search with FQDNs for some tests? )
<irritated>
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.