Solved

DCDIAG - DOMAIN CONTROLLER ISSUES....FAILED SYSTEMLOG TEST EVENT ID STRING COULD NOT BE FOUND

Posted on 2011-03-22
6
351 Views
Last Modified: 2014-04-09
I recently restarted all 3 of my domain controllers several minutes apart, and we began to see problems with users logging on to shares/exchange server. Prior to the restarts everything was working fine. I have ran dcdiag.exe on all 3 servers and they all have the same failed tests.

I thought it was a problem with DNS but the domain controller can ping both of our DNS servers, and nothing changed in the DNS as far as I can see.

Here are the details from all 3 servers;

C:\Documents and Settings\gleaver>dcdiag /e

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\NEWSERVICES
      Starting test: Connectivity
         ......................... NEWSERVICES passed test Connectivity

   Testing server: Default-First-Site-Name\BACKUPSERVICES
      Starting test: Connectivity
         ......................... BACKUPSERVICES passed test Connectivity

   Testing server: Default-First-Site-Name\TMA-SERVICES
      Starting test: Connectivity
         ......................... TMA-SERVICES passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\NEWSERVICES
      Starting test: Replications
         ......................... NEWSERVICES passed test Replications
      Starting test: NCSecDesc
         ......................... NEWSERVICES passed test NCSecDesc
      Starting test: NetLogons
         ......................... NEWSERVICES passed test NetLogons
      Starting test: Advertising
         ......................... NEWSERVICES passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... NEWSERVICES passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... NEWSERVICES passed test RidManager
      Starting test: MachineAccount
         ......................... NEWSERVICES passed test MachineAccount
      Starting test: Services
         ......................... NEWSERVICES passed test Services
      Starting test: ObjectsReplicated
         ......................... NEWSERVICES passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... NEWSERVICES passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... NEWSERVICES failed test frsevent
      Starting test: kccevent
         ......................... NEWSERVICES passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC25A001D
            Time Generated: 03/22/2011   15:44:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x000004E6
            Time Generated: 03/22/2011   15:44:43
            (Event String could not be retrieved)
         ......................... NEWSERVICES failed test systemlog
      Starting test: VerifyReferences
         ......................... NEWSERVICES passed test VerifyReferences

   Testing server: Default-First-Site-Name\BACKUPSERVICES
      Starting test: Replications
         ......................... BACKUPSERVICES passed test Replications
      Starting test: NCSecDesc
         ......................... BACKUPSERVICES passed test NCSecDesc
      Starting test: NetLogons
         ......................... BACKUPSERVICES passed test NetLogons
      Starting test: Advertising
         ......................... BACKUPSERVICES passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... BACKUPSERVICES passed test KnowsOfRoleHolders

      Starting test: RidManager
         ......................... BACKUPSERVICES passed test RidManager
      Starting test: MachineAccount
         ......................... BACKUPSERVICES passed test MachineAccount
      Starting test: Services
         ......................... BACKUPSERVICES passed test Services
      Starting test: ObjectsReplicated
         ......................... BACKUPSERVICES passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... BACKUPSERVICES passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... BACKUPSERVICES failed test frsevent
      Starting test: kccevent
         ......................... BACKUPSERVICES passed test kccevent
      Starting test: systemlog
         ......................... BACKUPSERVICES passed test systemlog
      Starting test: VerifyReferences
         ......................... BACKUPSERVICES passed test VerifyReferences

   Testing server: Default-First-Site-Name\TMA-SERVICES
      Starting test: Replications
         ......................... TMA-SERVICES passed test Replications
      Starting test: NCSecDesc
         ......................... TMA-SERVICES passed test NCSecDesc
      Starting test: NetLogons
         ......................... TMA-SERVICES passed test NetLogons
      Starting test: Advertising
         ......................... TMA-SERVICES passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... TMA-SERVICES passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... TMA-SERVICES passed test RidManager
      Starting test: MachineAccount
         ......................... TMA-SERVICES passed test MachineAccount
      Starting test: Services
         ......................... TMA-SERVICES passed test Services
      Starting test: ObjectsReplicated
         ......................... TMA-SERVICES passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... TMA-SERVICES passed test frssysvol
      Starting test: frsevent
         ......................... TMA-SERVICES passed test frsevent
      Starting test: kccevent
         ......................... TMA-SERVICES passed test kccevent
      Starting test: systemlog
         ......................... TMA-SERVICES passed test systemlog
      Starting test: VerifyReferences
         ......................... TMA-SERVICES passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : toomanyamps
      Starting test: CrossRefValidation
         ......................... toomanyamps passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... toomanyamps passed test CheckSDRefDom

   Running enterprise tests on : toomanyamps.local
      Starting test: Intersite
         ......................... toomanyamps.local passed test Intersite
      Starting test: FsmoCheck
         ......................... toomanyamps.local passed test FsmoCheck

Anyone dealt with this before PLEASE HELP! Normally this wouldnt be such an EMERGENCY but I cannot get the exchange store to mount because of this AD/DC problem. Anything is appreciated. Thank You
0
Comment
Question by:gleaver
  • 3
  • 3
6 Comments
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35194989

I would check the file replication service log what the failed events are and paste them so we can see why FRS is faiiling.   FRS can fail for different reasons. I would also check the directory service log as well and see if you see any current in there.
0
 

Author Comment

by:gleaver
ID: 35195141
3/22/2011      5:49:34 PM      NtFrs      Warning      None      13509      N/A      TMA-SERVICES      The File Replication Service has enabled replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain after repeated retries.
3/22/2011      5:47:44 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name newservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name newservices.toomanyamps.local from this computer.
 [2] FRS is not running on newservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/22/2011      5:46:04 PM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/22/2011      5:46:03 PM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/22/2011      5:45:47 PM      NtFrs      Information      None      13503      N/A      TMA-SERVICES      The File Replication Service has stopped.
3/22/2011      5:45:37 PM      NtFrs      Information      None      13502      N/A      TMA-SERVICES      The File Replication Service is stopping.
3/22/2011      4:19:56 PM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/22/2011      4:19:50 PM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/22/2011      3:28:25 PM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/22/2011      3:28:20 PM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/22/2011      2:34:26 PM      NtFrs      Warning      None      13509      N/A      TMA-SERVICES      The File Replication Service has enabled replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain after repeated retries.
3/22/2011      2:34:26 PM      NtFrs      Warning      None      13509      N/A      TMA-SERVICES      The File Replication Service has enabled replication from BACKUPSERVICES to TMA-SERVICES for c:\windows\sysvol\domain after repeated retries.
3/22/2011      1:57:36 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from BACKUPSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name backupservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name backupservices.toomanyamps.local from this computer.
 [2] FRS is not running on backupservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/22/2011      1:57:36 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name newservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name newservices.toomanyamps.local from this computer.
 [2] FRS is not running on newservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/22/2011      1:55:56 PM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/22/2011      1:55:17 PM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/22/2011      12:24:57 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from BACKUPSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name backupservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name backupservices.toomanyamps.local from this computer.
 [2] FRS is not running on backupservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/22/2011      12:24:57 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name newservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name newservices.toomanyamps.local from this computer.
 [2] FRS is not running on newservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/22/2011      12:23:17 PM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/22/2011      12:22:39 PM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/21/2011      8:56:01 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from BACKUPSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name backupservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name backupservices.toomanyamps.local from this computer.
 [2] FRS is not running on backupservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/21/2011      8:56:01 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name newservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name newservices.toomanyamps.local from this computer.
 [2] FRS is not running on newservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/21/2011      8:54:21 PM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/21/2011      8:53:41 PM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/10/2011      9:05:01 AM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/10/2011      9:04:55 AM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/8/2011      11:04:07 AM      NtFrs      Warning      None      13509      N/A      TMA-SERVICES      The File Replication Service has enabled replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain after repeated retries.
0
 

Author Comment

by:gleaver
ID: 35195264
But why after a restart do I notice the problem.....the logs are filled with all types of file & directory issues on all 3 domain controllers.....what a mess....

any good method to rule out a dns problem?
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35195298

It looks like what happend was that frs was stopped on different servers which can cause replication problems like journal wrap.   Is the netlogon and sysvol shared on each domain controller.

What needs to be determined is why frs service is stopping.

go to the command prompt and type net share and see if the sysvol is listed and netlogon folder is listed.
Also, can you post the logs in this directory if possible
%Systemroot%\Debug folder. The file names are listed from NtFrs_001.log to NtFrs_005.log.
0
 
LVL 8

Accepted Solution

by:
ActiveDirectoryman earned 500 total points
ID: 35195557

it does not appear to be a dns problem.   When you restart your domain controllers do you wait for one fully load before restarting others?   like restart dc1, wait for dc1 to come back up, login to dc1, wait two minutes and then restart the next one?   You should always have one dc that is up and running.  How are you restarting them?
0
 

Author Comment

by:gleaver
ID: 35208770
Thanks for your help....I did get it working finally. I used ipconfig /registerdns on all three of the domain controllers and then restarted file replication services. I didnt post all the logs but I found some log entries stating that the dns pointing back the primary domain controller could not be resolved. And the primary domain controller is also the GC server so I couldn't get exchange to mount. Never figured out why or how the DNS was out of sync but I stopped looking after things went back online.

0

Featured Post

Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

Join & Write a Comment

by Batuhan Cetin In this article I will be guiding through the process of removing a failed DC metadata from Active Directory (hereafter, AD) using the ntdsutil tool in a Windows Server 2003 environment. These steps are not necessary in a Win…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now