I've had some strange results recently with an inability to perform some functions from my superuser account (a copy of the default Administrator account) which may have begun when we upgraded from a 2003 domain to a 2008 domain. I have 2 DCs (DC1 and DC2), both on the same network. I ran DCDiag on DC1, which is the ISTG for my site (which seems to still have the name "Default-First-Site-Name") and ran into several items which might be driving my problems:
DC2 failed the kccevent test, with a warning event 0x800004c0
DC2 failed the VerifyEnterpriseReferences test. Per DCDiag, I need to "clean up this DCs SYSVOL FRS Member Object KB article Q312862"
DC1 failed the kccevent test, with 3 of the same warning events
DC1 failed the systemlog test, with an error event of 0x00000457
DC1 failed VerifyEnterpriseReferences (same as above)
It got crabby about not having secure dynamic updates.
And that's it.
So I started looking at KCC errors, and ran repadmin to check a few things.
repadmin /istg lists DC1 as the ISTG for my site.
repadmin /failcache site:default-first-site-name resulted in
"DsReplicaGetInfo() failed with stats 8453 (0x2105): Replication Access was denied." on DC2 and
no KCC connection failures or link failures on DC1.
So first question: "default-first-site-name" can't be right - where do I fix that?
second: does this work on Windows 2008 servers that are DCs?
third: do I need to fix anything on DC2 where replication access is denied?