KCC Errors in Windows Domain

I've had some strange results recently with an inability to perform some functions from my superuser account (a copy of the default Administrator account) which may have begun when we upgraded from a 2003 domain to a 2008 domain.  I have 2 DCs (DC1 and DC2), both on the same network.  I ran DCDiag on DC1, which is the ISTG for my site (which seems to still have the name "Default-First-Site-Name") and ran into several items which might be driving my problems:

DC2 failed the kccevent test, with a warning event 0x800004c0
DC2 failed the VerifyEnterpriseReferences test.  Per DCDiag, I need to "clean up this DCs SYSVOL FRS Member Object KB article Q312862"

DC1 failed the kccevent test, with 3 of the same warning events
DC1 failed the systemlog test, with an error event of 0x00000457
DC1 failed VerifyEnterpriseReferences (same as above)

It got crabby about not having secure dynamic updates.

And that's it.

So I started looking at KCC errors, and ran repadmin to check a few things.

repadmin /istg lists DC1 as the ISTG for my site.

repadmin /failcache site:default-first-site-name resulted in
"DsReplicaGetInfo() failed with stats 8453 (0x2105):  Replication Access was denied."  on DC2 and
no KCC connection failures or link failures on DC1.

So, first question: "default-first-site-name" can't be right - where do I fix that?
Second: does this work on Windows 2008 servers that are DCs?
Third: do I need to fix anything on DC2 where replication access is denied?

Thanks, Experts!

Lee
gnurphAsked:
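As an added example (not part of the original post and not a Microsoft tool): the same failcache/showrepl check the asker ran, done from PowerShell against every DC at once and keyed to the status codes that come up in this thread. It assumes repadmin.exe is on the path (a DC or the RSAT tools) and that the account running it may query replication state on each DC; the column names are those of repadmin's own /csv output.

```powershell
# Added example, not code from the thread: parse 'repadmin /showrepl /csv' and list
# every inbound replication link that has recorded failures, with a hint for the
# status codes discussed in this thread. Read-only: it only reads replication state.
function Get-ReplicationLinkFailure {
    param([string]$Target = '*')    # '*' = every DC in the forest, or one DC name

    # One CSV row per (destination DC, naming context, source DC) link.
    $rows = repadmin /showrepl $Target /csv | ConvertFrom-Csv

    foreach ($row in $rows) {
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)
        if ($failures -eq 0) { continue }

        $status = 0
        [void][int]::TryParse($row.'Last Failure Status', [ref]$status)
        $hint = switch ($status) {
            8453 { 'Replication access was denied: check Enterprise Domain Controllers'' ' +
                   '"Replicating Directory Changes" rights on this NC, and the DC''s clock and secure channel' }
            8524 { 'DNS lookup failure: the source DC''s GUID CNAME in _msdcs did not resolve' }
            1722 { 'RPC server unavailable: name resolution or a firewall between the DCs' }
            default { "see: net helpmsg $status" }
        }

        [pscustomobject]@{
            Destination   = $row.'Destination DSA'
            Source        = $row.'Source DSA'
            NamingContext = $row.'Naming Context'
            Failures      = $failures
            LastSuccess   = $row.'Last Success Time'
            Status        = $status
            Hint          = $hint
        }
    }
}

Get-ReplicationLinkFailure | Sort-Object Destination, NamingContext | Format-Table -AutoSize
```

Run it from a DC; a Status of 8453 is the "Replication Access was denied" the asker saw from /failcache, and a link whose LastSuccess is older than the tombstone lifetime is the one to look at first.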

Darius GhassemCommented:
Depending on what Site you want the DCs to be in Default Site is fine. If you look in AD sites and services you will see your current topology.

Make sure that you are pointing to internal DNS servers only in the TCP\IP properties of the DCs.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23506274.html
gnurphAuthor Commented:
Darius:

Does that site name matter - or if I change it, will that impact anything?  I notice that there are 4 networks listed in "Subnets" under "Sites" - but it doesn't list all of the subnets in the network; I'm guessing that's dynamically created/updated.

The 2 DCs are also DNS servers - each points to itself as the primary DNS and the other as the secondary DNS.
Darius GhassemCommented:
You need to create the subnets if you wanted them that way.
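As an added example (not code from either participant): a read-only report of which AD subnet, if any, covers each DC's address and whether that subnet belongs to the site the DC sits in. It assumes the ActiveDirectory PowerShell module (RSAT) and read access to the Configuration partition; the longest-prefix rule for picking a subnet mirrors how the DC locator maps a client to a site.

```powershell
# Added example, not code from the thread: list every DC with the AD subnet that
# covers its IPv4 address, so missing subnets in Sites and Services show up as a
# report instead of a guess. Assumes the ActiveDirectory module. Read-only.
Import-Module ActiveDirectory

function Test-IPInCidr {
    param([string]$IPAddress, [string]$Cidr)      # e.g. '10.1.2.3', '10.1.0.0/16'
    $network, $prefix = $Cidr.Split('/')
    $ip  = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    $net = [System.Net.IPAddress]::Parse($network).GetAddressBytes()
    if ($ip.Length -ne $net.Length) { return $false }     # IPv4 vs IPv6 never match
    for ($bit = 0; $bit -lt [int]$prefix; $bit++) {
        $index = [int][math]::Floor($bit / 8)
        $mask  = [int](128 / [math]::Pow(2, $bit % 8))    # 0x80 shifted right by (bit mod 8)
        if (($ip[$index] -band $mask) -ne ($net[$index] -band $mask)) { return $false }
    }
    return $true
}

function Get-DcSubnetCoverage {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # Subnet objects are named by their CIDR; siteObject is the DN of the owning site.
    $subnets = Get-ADObject -SearchBase "CN=Subnets,CN=Sites,$configNC" `
                   -LDAPFilter '(objectClass=subnet)' -Properties siteObject |
        ForEach-Object {
            [pscustomobject]@{
                Cidr = $_.Name
                Site = ($_.siteObject -split ',')[0] -replace '^CN='
            }
        }

    foreach ($dc in Get-ADDomainController -Filter *) {
        $match = $subnets | Where-Object { Test-IPInCidr $dc.IPv4Address $_.Cidr } |
                 Sort-Object { [int]($_.Cidr.Split('/')[1]) } -Descending |
                 Select-Object -First 1        # most specific subnet wins
        [pscustomobject]@{
            DC             = $dc.Name
            IPv4Address    = $dc.IPv4Address
            DcSite         = $dc.Site
            CoveringSubnet = if ($match) { $match.Cidr } else { '(none)' }
            SubnetSite     = if ($match) { $match.Site } else { '(none)' }
            Consistent     = ($null -ne $match) -and ($match.Site -eq $dc.Site)
        }
    }
}

Get-DcSubnetCoverage | Format-Table -AutoSize
```

A DC with CoveringSubnet "(none)" is the case Darius describes: the subnet has to be created and assigned to the site by hand; subnets are not discovered automatically.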
gnurphAuthor Commented:
Update:

I didn't realize that Windows Server 2008 had its own version of dcdiag.  I ran the correct version of DCDiag on DC1, using the /e switch, and it discovered numerous errors.  Recognizing that some of these appeared to be connection related, I disabled the domain firewall on both DCs and re-ran the tests.

Here are the parts that are failing:

Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC BG-DC2.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=BurgessGroup,DC=com
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=BurgessGroup,DC=com
         * Security Permissions Check for
           DC=DomainDnsZones,DC=BurgessGroup,DC=com
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=BurgessGroup,DC=com
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=BurgessGroup,DC=com
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=BurgessGroup,DC=com
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=BurgessGroup,DC=com
            (Domain,Version 3)
         ......................... BG-DC2 failed test NCSecDesc

Starting test: VerifyEnterpriseReferences
         The following problems were found while verifying various important DN
         references.  Note, that  these problems can be reported because of
         latency in replication.  So follow up to resolve the following
         problems, only if the same problem is reported on all DCs for a given
         domain or if  the problem persists after replication has had
         reasonable time to replicate changes.
            [1] Problem: Missing Expected Value
             Base Object:
            CN=BG-DC1,OU=Domain Controllers,DC=BurgessGroup,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: msDFSR-ComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

            [2] Problem: Missing Expected Value
             Base Object:
            CN=BG-DC2,OU=Domain Controllers,DC=BurgessGroup,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: msDFSR-ComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

            LDAP Error 0x20 (32) - No Such Object.
         ......................... BG-DC2 failed test

I have a Missing AAAA Record on both of my DNS servers (I'm unfamiliar with an AAAA record; I'll google it).
Failed to delete the test record (Error 9505)

Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
               BG-DC2                       PASS WARN PASS PASS WARN WARN n/a
               BG-DC1                       PASS WARN PASS PASS WARN WARN n/a
Darius GhassemCommented:
Disable IPv6 by unchecking it in TCP\IP properties, then run ipconfig /flushdns, ipconfig /registerdns and dcdiag /fix, since AAAA is an IPv6 record.

The NCSecDesc error is common; it is stating that you haven't prepared your domain for RODC servers.


You are having replication problems.

http://support.microsoft.com/kb/312862
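As an added example (not code from either participant): a check to run after the flush/registerdns step above, confirming that each DC has the DNS records the other DCs rely on (host A record, the NTDS Settings GUID CNAME under _msdcs that replication partners resolve, and the LDAP and Kerberos SRV records) and flagging any leftover AAAA record. It assumes the ActiveDirectory module and Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 or later); on a 2008-era box the same lookups can be done with nslookup.

```powershell
# Added example, not code from the thread: verify the DNS registrations each DC needs.
# Assumes the ActiveDirectory module and Resolve-DnsName (DnsClient module). Read-only.
Import-Module ActiveDirectory

function Test-DcDnsRegistration {
    param([string]$DnsServer)     # DNS server to ask; omit to use this host's resolver

    $domain = (Get-ADDomain).DNSRoot
    $forest = (Get-ADForest).RootDomain
    $opts   = @{ ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $opts.Server = $DnsServer }

    # SRV records that must list every writable DC of the domain.
    $srvNames = @("_ldap._tcp.dc._msdcs.$domain", "_kerberos._tcp.dc._msdcs.$domain")

    foreach ($dc in Get-ADDomainController -Filter *) {
        $fqdn = $dc.HostName
        # Replication partners find this DC by <NTDS Settings objectGUID>._msdcs.<forest root>
        $guid  = (Get-ADObject -Identity $dc.NTDSSettingsObjectDN).ObjectGUID
        $cname = Resolve-DnsName -Name "$guid._msdcs.$forest" -Type CNAME @opts |
                 Where-Object { $_.Type -eq 'CNAME' }
        $a     = Resolve-DnsName -Name $fqdn -Type A    @opts | Where-Object { $_.Type -eq 'A' }
        $aaaa  = Resolve-DnsName -Name $fqdn -Type AAAA @opts | Where-Object { $_.Type -eq 'AAAA' }

        $missingSrv = foreach ($name in $srvNames) {
            $targets = Resolve-DnsName -Name $name -Type SRV @opts |
                       Where-Object { $_.Type -eq 'SRV' } |
                       ForEach-Object { $_.NameTarget.TrimEnd('.') }
            if ($targets -notcontains $fqdn) { $name }
        }

        [pscustomobject]@{
            DC           = $dc.Name
            HasA         = [bool]$a
            HasAAAA      = [bool]$aaaa      # expected to be False once IPv6 is disabled on the DC
            HasGuidCname = [bool]$cname
            MissingSrv   = if ($missingSrv) { $missingSrv -join ', ' } else { '(none)' }
        }
    }
}

Test-DcDnsRegistration | Format-Table -AutoSize
```

Run it against each DNS server in turn (-DnsServer) so a record that registered on one server but has not replicated to the other shows up as a difference between the two reports rather than as a single missing entry.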

gnurphAuthor Commented:
IPv6 was already disabled on both DCs; I flushed and registered DNS, ran dcdiag /fix on both DCs.

I was looking at the KB noted above, am in ADSIEdit and have a device that is lacking a settings reference.  I believe it's a DC from some time ago that was (apparently improperly) taken out of service.

I am following step 1 of the null server-reference attribute, but am thoroughly confused by "In LDP or ADSIedit, copy the DN path of the NTDS Settings object from the Configuration container in the root domain of the forest to Clipboard."

I can't even get to the "root domain of the forest"; the connection point is the "well known Naming Context" - which is the default one - and the default computer.

At that point, the top level is the DC=company, DC=com with a number of CN and OU objects.  So I don't think I'm in the root domain of the forest and I certainly don't see a configuration container.  ???
gnurphAuthor Commented:
Update:

I have located the additional item in the File Replication Service - a device which is no longer a DC.  

Can I just delete it?
gnurphAuthor Commented:
http://support.microsoft.com/kb/555846 had part of the solution.

I'm still fuzzy on whether the "Default-First-Site-Name" can be changed with no impact.

dcdiag now shows only one kcc error.
gnurphAuthor Commented:
Didn't provide quite as much detail as I'd like - while I don't mind solving problems myself, it would have been nice to have a little more detail.
Darius GhassemCommented:
Run metadata cleanup on AD to check for any other non-existing DCs so you can delete them as well.

If you want to rename your Default Site you can.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/2000/Q_21076966.html

http://www.windowsitpro.com/article/john-savills-windows-faqs/how-do-i-rename-a-site-.aspx
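As an added example (not code from either participant): a read-only sweep for the objects a decommissioned DC leaves behind, which is what the VerifyEnterpriseReferences failure, KB312862 and the metadata cleanup advice above are about. It assumes the ActiveDirectory module and read access to the Configuration partition, and that server names contain no commas (it takes the parent RDN of each NTDS Settings DN). It only reports; the actual removal is the ntdsutil metadata cleanup or ADSI Edit step from the KB.

```powershell
# Added example, not code from the thread: find stale DC references. Assumes the
# ActiveDirectory module. Read-only: nothing here deletes or modifies an object.
Import-Module ActiveDirectory

function Get-StaleDcReference {
    $rootDse  = Get-ADRootDSE
    $configNC = $rootDse.configurationNamingContext
    $domainNC = $rootDse.defaultNamingContext
    $liveDcs  = @(Get-ADDomainController -Filter * | ForEach-Object { $_.Name })
    $findings = @()

    # 1. NTDS Settings objects: one per DC the KCC believes exists. Parent RDN = server name.
    foreach ($ntds in Get-ADObject -SearchBase "CN=Sites,$configNC" -LDAPFilter '(objectClass=nTDSDSA)') {
        $server = ($ntds.DistinguishedName -split ',')[1] -replace '^CN='
        if ($liveDcs -notcontains $server) {
            $findings += [pscustomobject]@{
                Kind   = 'NTDS Settings'
                Object = $ntds.DistinguishedName
                Issue  = "no DC named $server in this domain (another domain, or metadata left behind)"
            }
        }
    }

    # 2. Server objects with no serverReference: the "null server-reference" case in KB312862.
    foreach ($srv in Get-ADObject -SearchBase "CN=Sites,$configNC" `
                         -LDAPFilter '(&(objectClass=server)(!(serverReference=*)))') {
        $findings += [pscustomobject]@{
            Kind   = 'Server'
            Object = $srv.DistinguishedName
            Issue  = 'serverReference is empty'
        }
    }

    # 3. FRS SYSVOL member objects (present only while SYSVOL still replicates with FRS).
    $frsBase = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNC"
    $members = @()
    try {
        $members = @(Get-ADObject -SearchBase $frsBase -LDAPFilter '(objectClass=nTFRSMember)' `
                                  -Properties frsComputerReference)
    } catch { }     # container absent: SYSVOL already migrated to DFSR, nothing to check
    foreach ($m in $members) {
        $ref = $m.frsComputerReference
        $issue = $null
        if (-not $ref) {
            $issue = 'frsComputerReference is empty'
        } else {
            $exists = $false
            try { $null = Get-ADObject -Identity $ref; $exists = $true } catch { }
            if (-not $exists) { $issue = "frsComputerReference points at a missing object: $ref" }
        }
        if ($issue) {
            $findings += [pscustomobject]@{ Kind = 'FRS member'; Object = $m.DistinguishedName; Issue = $issue }
        }
    }

    $findings
}

Get-StaleDcReference | Format-Table -AutoSize -Wrap
```

The FRS member whose reference points nowhere is the "device which is no longer a DC" the asker found; the NTDS Settings and server checks cover the metadata that ntdsutil's metadata cleanup removes.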
Darius GhassemCommented:
I wasn't done.