gnurph asked:

KCC Errors in Windows Domain

I've had some strange results recently with an inability to perform some functions from my superuser account (a copy of the default Administrator account) which may have begun when we upgraded from a 2003 domain to a 2008 domain.  I have 2 DCs (DC1 and DC2), both on the same network.  I ran DCDiag on DC1, which is the ISTG for my site (which seems to still have the name "Default-First-Site-Name") and ran into several items which might be driving my problems:

DC2 failed the kccevent test, with a warning event 0x800004c0
DC2 failed the VerifyEnterpriseReferences test.  Per DCDiag, I need to "clean up this DCs SYSVOL FRS Member Object KB article Q312862"

DC1 failed the kccevent test, with 3 of the same warning events
DC1 failed the systemlog test, with an error event of 0x00000457
DC1 failed VerifyEnterpriseReferences (same as above)

It got crabby about not having secure dynamic updates.

And that's it.

So I started looking at KCC errors, and ran repadmin to check a few things.

repadmin /istg lists DC1 as the ISTG for my site.

repadmin /failcache site:default-first-site-name resulted in
"DsReplicaGetInfo() failed with status 8453 (0x2105):  Replication Access was denied."  on DC2 and
no KCC connection failures or link failures on DC1.

So, first question:  "default-first-site-name" can't be right - where do I fix that?
Second:  does this work on Windows 2008 servers that are DCs?
Third:  do I need to fix anything on DC2 where replication access is denied?

Thanks, Experts!

Lee
SOLUTION
Darius Ghassem

(Solution text is only available to Experts Exchange members.)
gnurph (ASKER)

Darius:

Does that site name matter - or if I change it, will that impact anything?  I notice that there are 4 networks listed in "Subnets" under "Sites" - but it doesn't list all of the subnets in the network; I'm guessing that's dynamically created/updated.

The 2 DCs are also DNS servers - each points to itself as the primary DNS and the other as the secondary DNS.
You need to create the subnets if you wanted them that way.
gnurph (ASKER)

Update:

I didn't realize that Windows Server 2008 had its own version of dcdiag.  I ran the correct version of DCDiag on DC1, using the /e switch, and it discovered numerous errors.  Recognizing that some of these appeared to be connection related, I disabled the domain firewall on both DCs and re-ran the tests.

Here are the parts that are failing:

Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC BG-DC2.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=BurgessGroup,DC=com
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=BurgessGroup,DC=com
         * Security Permissions Check for

           DC=DomainDnsZones,DC=BurgessGroup,DC=com
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=BurgessGroup,DC=com
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=BurgessGroup,DC=com
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=BurgessGroup,DC=com
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=BurgessGroup,DC=com
            (Domain,Version 3)
         ......................... BG-DC2 failed test NCSecDesc

Starting test: VerifyEnterpriseReferences

         The following problems were found while verifying various important DN
         references.  Note, that  these problems can be reported because of
         latency in replication.  So follow up to resolve the following
         problems, only if the same problem is reported on all DCs for a given
         domain or if  the problem persists after replication has had
         reasonable time to replicate changes.
            [1] Problem: Missing Expected Value
             Base Object:
            CN=BG-DC1,OU=Domain Controllers,DC=BurgessGroup,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: msDFSR-ComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

            [2] Problem: Missing Expected Value
             Base Object:
            CN=BG-DC2,OU=Domain Controllers,DC=BurgessGroup,DC=com
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: msDFSR-ComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862

            LDAP Error 0x20 (32) - No Such Object.
         ......................... BG-DC2 failed test

I have a Missing AAAA Record on both of my DNS servers (I'm unfamiliar with an AAAA record, I'll google it)
Failed to delete the test record (Error 9505)

Summary of DNS test results:

         
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
               BG-DC2                       PASS WARN PASS PASS WARN WARN n/a  
               BG-DC1                       PASS WARN PASS PASS WARN WARN n/a  
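The dcdiag output quoted above closes each test with a dotted "passed test" / "failed test" line, and one of them (VerifyEnterpriseReferences) lost its test name. This added PowerShell example, not code from the thread or from Microsoft, parses those summary lines into a per-DC list of failing tests; the function name is my own, and the sample input is constructed from the lines quoted in this post.

```powershell
function Get-DcdiagTestResult {
    # Assumed helper name. Parses dcdiag's per-test summary lines, e.g.
    #   "......................... BG-DC2 failed test NCSecDesc"
    # The test name is optional in the pattern because dcdiag sometimes
    # prints the line without it (as in the VerifyEnterpriseReferences output above).
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $pattern = '^\s*\.{3,}\s+(?<dc>\S+)\s+(?<result>passed|failed)\s+test\s*(?<test>\S*)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                DC     = $Matches['dc']
                Result = $Matches['result'].ToLower()
                Test   = $(if ($Matches['test']) { $Matches['test'] } else { '(name missing)' })
            }
        }
    }
}

# Constructed sample, modelled on the dcdiag lines quoted in this thread.
$sample = @'
         ......................... BG-DC2 failed test NCSecDesc
         ......................... BG-DC2 failed test
         ......................... BG-DC1 passed test Connectivity
         ......................... BG-DC1 failed test KccEvent
         ......................... BG-DC1 failed test SystemLog
'@ -split "`r?`n"

# For a live run, replace the sample with the output of the same switch the asker used:
#   $sample = dcdiag /e
Get-DcdiagTestResult -Lines $sample |
    Where-Object { $_.Result -eq 'failed' } |
    Group-Object DC |
    ForEach-Object {
        $tests = ($_.Group | ForEach-Object { $_.Test }) -join ', '
        '{0}: {1}' -f $_.Name, $tests
    }
```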
         
ASKER CERTIFIED SOLUTION

(Solution text is only available to Experts Exchange members.)
gnurph (ASKER)

IPv6 was already disabled on both DCs; I flushed and registered DNS, ran dcdiag /fix on both DCs.

I was looking at the KB noted above, am in ADSIEdit and have a device that is lacking a settings reference.  I believe it's a DC from some time ago that was (apparently improperly) taken out of service.

I am following step 1 of the null server-reference attribute, but am thoroughly confused by "In LDP or ADSIedit, copy the DN path of the NTDS Settings object from the Configuration container in the root domain of the forest to Clipboard."

I can't even get to the "root domain of the forest"; the connection point is the "well known Naming Context" - which is the default one - and the default computer.

At that point, the top level is the DC=company, DC=com with a number of CN and OU objects.  So I don't think I'm in the root domain of the forest and I certainly don't see a configuration container.  ???
gnurph (ASKER)

Update:

I have located the additional item in the File Replication Service - a device which is no longer a DC.  

Can I just delete it?
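Before removing the FRS member object of a decommissioned DC, it is worth confirming which members of the SYSVOL replica set are actually orphaned. This added PowerShell example, not from the thread or from KB 312862, lists the nTFRSMember objects under the File Replication Service container and flags any whose frsComputerReference is not a current DC, or whose serverReference is null (the case the asker is working through); the function name is mine, it assumes the ActiveDirectory module (Server 2008 R2 RSAT or later), and it only reports, deleting nothing.

```powershell
Import-Module ActiveDirectory

function Get-SysvolFrsMemberStatus {
    # Assumed helper name; report-only check, nothing is modified.
    $domainDn  = (Get-ADDomain).DistinguishedName
    # The SYSVOL replica set is a fixed container under CN=File Replication Service.
    $sysvolSet = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"

    # Computer-account DNs of the DCs that exist today.
    $currentDcs = @(Get-ADDomainController -Filter * | ForEach-Object { $_.ComputerObjectDN })

    try {
        $members = Get-ADObject -SearchBase $sysvolSet -SearchScope OneLevel `
                                -LDAPFilter '(objectClass=nTFRSMember)' `
                                -Properties frsComputerReference, serverReference `
                                -ErrorAction Stop
    } catch {
        # The container is absent once SYSVOL has been migrated to DFSR.
        Write-Warning "No FRS replica set found under $sysvolSet (SYSVOL may already use DFSR)."
        return
    }

    foreach ($m in $members) {
        $computerRef = [string]$m.frsComputerReference
        $serverRef   = [string]$m.serverReference
        New-Object PSObject -Property @{
            Member              = $m.Name
            ComputerReference   = $computerRef
            # Member whose computer is no longer a DC: a candidate for the KB 312862 cleanup
            OrphanedComputerRef = ($computerRef -eq '') -or ($currentDcs -notcontains $computerRef)
            # The null server-reference condition the asker's KB step describes
            NullServerReference = ($serverRef -eq '')
        }
    }
}

# Review the flagged rows against the KB before removing anything.
Get-SysvolFrsMemberStatus |
    Sort-Object OrphanedComputerRef -Descending |
    Format-Table Member, OrphanedComputerRef, NullServerReference, ComputerReference -AutoSize
```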
gnurph (ASKER)

http://support.microsoft.com/kb/555846 had part of the solution.

I'm still fuzzy on whether the "Default-First-Site-Name" can be changed with no impact.

dcdiag now shows only one kcc error.
gnurph (ASKER)

Didn't provide quite as much detail as I'd like - while I don't mind solving problems myself, it would have been nice to have a little more detail.
Run metadata cleanup on AD to check for any other non-existent DCs so you can delete them as well.

If you want to rename your Default Site you can.

https://www.experts-exchange.com/questions/21076966/Default-First-Site-Name.html

http://www.windowsitpro.com/article/john-savills-windows-faqs/how-do-i-rename-a-site-.aspx
I wasn't done.