Solved

DCDIAG - DOMAIN CONTROLLER ISSUES....FAILED SYSTEMLOG TEST EVENT ID STRING COULD NOT BE FOUND

Posted on 2011-03-22
6
360 Views
Last Modified: 2014-04-09
I recently restarted all 3 of my domain controllers several minutes apart, and we began to see problems with users logging on to shares/exchange server. Prior to the restarts everything was working fine. I have ran dcdiag.exe on all 3 servers and they all have the same failed tests.

I thought it was a problem with DNS but the domain controller can ping both of our DNS servers, and nothing changed in the DNS as far as I can see.

Here are the details from all 3 servers;

C:\Documents and Settings\gleaver>dcdiag /e

Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\NEWSERVICES
      Starting test: Connectivity
         ......................... NEWSERVICES passed test Connectivity

   Testing server: Default-First-Site-Name\BACKUPSERVICES
      Starting test: Connectivity
         ......................... BACKUPSERVICES passed test Connectivity

   Testing server: Default-First-Site-Name\TMA-SERVICES
      Starting test: Connectivity
         ......................... TMA-SERVICES passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\NEWSERVICES
      Starting test: Replications
         ......................... NEWSERVICES passed test Replications
      Starting test: NCSecDesc
         ......................... NEWSERVICES passed test NCSecDesc
      Starting test: NetLogons
         ......................... NEWSERVICES passed test NetLogons
      Starting test: Advertising
         ......................... NEWSERVICES passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... NEWSERVICES passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... NEWSERVICES passed test RidManager
      Starting test: MachineAccount
         ......................... NEWSERVICES passed test MachineAccount
      Starting test: Services
         ......................... NEWSERVICES passed test Services
      Starting test: ObjectsReplicated
         ......................... NEWSERVICES passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... NEWSERVICES passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... NEWSERVICES failed test frsevent
      Starting test: kccevent
         ......................... NEWSERVICES passed test kccevent
      Starting test: systemlog
         An Error Event occured.  EventID: 0xC25A001D
            Time Generated: 03/22/2011   15:44:25
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x000004E6
            Time Generated: 03/22/2011   15:44:43
            (Event String could not be retrieved)
         ......................... NEWSERVICES failed test systemlog
      Starting test: VerifyReferences
         ......................... NEWSERVICES passed test VerifyReferences

   Testing server: Default-First-Site-Name\BACKUPSERVICES
      Starting test: Replications
         ......................... BACKUPSERVICES passed test Replications
      Starting test: NCSecDesc
         ......................... BACKUPSERVICES passed test NCSecDesc
      Starting test: NetLogons
         ......................... BACKUPSERVICES passed test NetLogons
      Starting test: Advertising
         ......................... BACKUPSERVICES passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... BACKUPSERVICES passed test KnowsOfRoleHolders

      Starting test: RidManager
         ......................... BACKUPSERVICES passed test RidManager
      Starting test: MachineAccount
         ......................... BACKUPSERVICES passed test MachineAccount
      Starting test: Services
         ......................... BACKUPSERVICES passed test Services
      Starting test: ObjectsReplicated
         ......................... BACKUPSERVICES passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... BACKUPSERVICES passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... BACKUPSERVICES failed test frsevent
      Starting test: kccevent
         ......................... BACKUPSERVICES passed test kccevent
      Starting test: systemlog
         ......................... BACKUPSERVICES passed test systemlog
      Starting test: VerifyReferences
         ......................... BACKUPSERVICES passed test VerifyReferences

   Testing server: Default-First-Site-Name\TMA-SERVICES
      Starting test: Replications
         ......................... TMA-SERVICES passed test Replications
      Starting test: NCSecDesc
         ......................... TMA-SERVICES passed test NCSecDesc
      Starting test: NetLogons
         ......................... TMA-SERVICES passed test NetLogons
      Starting test: Advertising
         ......................... TMA-SERVICES passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... TMA-SERVICES passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... TMA-SERVICES passed test RidManager
      Starting test: MachineAccount
         ......................... TMA-SERVICES passed test MachineAccount
      Starting test: Services
         ......................... TMA-SERVICES passed test Services
      Starting test: ObjectsReplicated
         ......................... TMA-SERVICES passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... TMA-SERVICES passed test frssysvol
      Starting test: frsevent
         ......................... TMA-SERVICES passed test frsevent
      Starting test: kccevent
         ......................... TMA-SERVICES passed test kccevent
      Starting test: systemlog
         ......................... TMA-SERVICES passed test systemlog
      Starting test: VerifyReferences
         ......................... TMA-SERVICES passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom

   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom

   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom

   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom

   Running partition tests on : toomanyamps
      Starting test: CrossRefValidation
         ......................... toomanyamps passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... toomanyamps passed test CheckSDRefDom

   Running enterprise tests on : toomanyamps.local
      Starting test: Intersite
         ......................... toomanyamps.local passed test Intersite
      Starting test: FsmoCheck
         ......................... toomanyamps.local passed test FsmoCheck

Anyone dealt with this before PLEASE HELP! Normally this wouldnt be such an EMERGENCY but I cannot get the exchange store to mount because of this AD/DC problem. Anything is appreciated. Thank You
0
Comment
Question by:gleaver
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35194989

I would check the file replication service log what the failed events are and paste them so we can see why FRS is faiiling.   FRS can fail for different reasons. I would also check the directory service log as well and see if you see any current in there.
0
 

Author Comment

by:gleaver
ID: 35195141
3/22/2011      5:49:34 PM      NtFrs      Warning      None      13509      N/A      TMA-SERVICES      The File Replication Service has enabled replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain after repeated retries.
3/22/2011      5:47:44 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name newservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name newservices.toomanyamps.local from this computer.
 [2] FRS is not running on newservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/22/2011      5:46:04 PM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/22/2011      5:46:03 PM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/22/2011      5:45:47 PM      NtFrs      Information      None      13503      N/A      TMA-SERVICES      The File Replication Service has stopped.
3/22/2011      5:45:37 PM      NtFrs      Information      None      13502      N/A      TMA-SERVICES      The File Replication Service is stopping.
3/22/2011      4:19:56 PM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/22/2011      4:19:50 PM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/22/2011      3:28:25 PM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/22/2011      3:28:20 PM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/22/2011      2:34:26 PM      NtFrs      Warning      None      13509      N/A      TMA-SERVICES      The File Replication Service has enabled replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain after repeated retries.
3/22/2011      2:34:26 PM      NtFrs      Warning      None      13509      N/A      TMA-SERVICES      The File Replication Service has enabled replication from BACKUPSERVICES to TMA-SERVICES for c:\windows\sysvol\domain after repeated retries.
3/22/2011      1:57:36 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from BACKUPSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name backupservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name backupservices.toomanyamps.local from this computer.
 [2] FRS is not running on backupservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/22/2011      1:57:36 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name newservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name newservices.toomanyamps.local from this computer.
 [2] FRS is not running on newservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/22/2011      1:55:56 PM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/22/2011      1:55:17 PM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/22/2011      12:24:57 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from BACKUPSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name backupservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name backupservices.toomanyamps.local from this computer.
 [2] FRS is not running on backupservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/22/2011      12:24:57 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name newservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name newservices.toomanyamps.local from this computer.
 [2] FRS is not running on newservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/22/2011      12:23:17 PM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/22/2011      12:22:39 PM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/21/2011      8:56:01 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from BACKUPSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name backupservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name backupservices.toomanyamps.local from this computer.
 [2] FRS is not running on backupservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/21/2011      8:56:01 PM      NtFrs      Warning      None      13508      N/A      TMA-SERVICES      "The File Replication Service is having trouble enabling replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain using the DNS name newservices.toomanyamps.local. FRS will keep retrying.
 Following are some of the reasons you would see this warning.
 
 [1] FRS can not correctly resolve the DNS name newservices.toomanyamps.local from this computer.
 [2] FRS is not running on newservices.toomanyamps.local.
 [3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established."
3/21/2011      8:54:21 PM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/21/2011      8:53:41 PM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/10/2011      9:05:01 AM      NtFrs      Information      None      13516      N/A      TMA-SERVICES      "The File Replication Service is no longer preventing the computer TMA-SERVICES from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type ""net share"" to check for the SYSVOL share."
3/10/2011      9:04:55 AM      NtFrs      Information      None      13501      N/A      TMA-SERVICES      The File Replication Service is starting.
3/8/2011      11:04:07 AM      NtFrs      Warning      None      13509      N/A      TMA-SERVICES      The File Replication Service has enabled replication from NEWSERVICES to TMA-SERVICES for c:\windows\sysvol\domain after repeated retries.
0
 

Author Comment

by:gleaver
ID: 35195264
But why after a restart do I notice the problem.....the logs are filled with all types of file & directory issues on all 3 domain controllers.....what a mess....

any good method to rule out a dns problem?
0
Major Incident Management Communications

Major incidents and IT service outages cost companies millions. Often the solution to minimizing damage is automated communication. Find out more in our Major Incident Management Communications infographic.

 
LVL 8

Expert Comment

by:ActiveDirectoryman
ID: 35195298

It looks like what happend was that frs was stopped on different servers which can cause replication problems like journal wrap.   Is the netlogon and sysvol shared on each domain controller.

What needs to be determined is why frs service is stopping.

go to the command prompt and type net share and see if the sysvol is listed and netlogon folder is listed.
Also, can you post the logs in this directory if possible
%Systemroot%\Debug folder. The file names are listed from NtFrs_001.log to NtFrs_005.log.
0
 
LVL 8

Accepted Solution

by:
ActiveDirectoryman earned 500 total points
ID: 35195557

it does not appear to be a dns problem.   When you restart your domain controllers do you wait for one fully load before restarting others?   like restart dc1, wait for dc1 to come back up, login to dc1, wait two minutes and then restart the next one?   You should always have one dc that is up and running.  How are you restarting them?
0
 

Author Comment

by:gleaver
ID: 35208770
Thanks for your help....I did get it working finally. I used ipconfig /registerdns on all three of the domain controllers and then restarted file replication services. I didnt post all the logs but I found some log entries stating that the dns pointing back the primary domain controller could not be resolved. And the primary domain controller is also the GC server so I couldn't get exchange to mount. Never figured out why or how the DNS was out of sync but I stopped looking after things went back online.

0

Featured Post

MIM Survival Guide for Service Desk Managers

Major incidents can send mastered service desk processes into disorder. Systems and tools produce the data needed to resolve these incidents, but your challenge is getting that information to the right people fast. Check out the Survival Guide and begin bringing order to chaos.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question