jso1965
asked on
DCDIAG fails Advertising, NCSecDesc, and NetLogons.
I've put a new Domain Controller in our forest and functionally it seems to work fine. It now has the PDC role, Schema Master Role, Domain Naming Master role and RID Master role. I'm not having any problems but I have a potential need to demote the secondary DC and want to ensure that the new PDC is fully functional. When running DcDiag I fail Advertising, NCSecDesc, and NetLogons tests. The following is the /q output for DcDiag /fix:
C:\Windows\system32>dcdiag /q /fix
Warning: DsGetDcName returned information for
\\gps.specialdistribution.local, when we were trying to reach
LOGISTICSAD.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... LOGISTICSAD failed test Advertising
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=specialdistribution,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=specialdistribution,DC=local
......................... LOGISTICSAD failed test NCSecDesc
Unable to connect to the NETLOGON share! (\\LOGISTICSAD\netlogon)
[LOGISTICSAD] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... LOGISTICSAD failed test NetLogons
C:\Windows\system32>
Have you run "dcdiag /v" and "dcdiag /v /test:dns" for additional info? I would check your _msdcs zone to see if your records are correct. Kind of sounds like you have a record pointing to the "gps" machine where it shouldn't.
ASKER
I did find warnings on the Test:DNS -
Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.
C:\Users\sorr>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = LogisticsAD
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\LOGISTICSAD
Starting test: Connectivity
......................... LOGISTICSAD passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\LOGISTICSAD
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... LOGISTICSAD passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : specialdistribution
Running enterprise tests on : specialdistribution.local
Starting test: DNS
Test results for domain controllers:
DC: LogisticsAD.specialdistribution.local
Domain: specialdistribution.local
TEST: Basic (Basc)
Warning: The AAAA record for this DC was not found
TEST: Dynamic update (Dyn)
Warning: Failed to delete the test record _dcdiag_test_record
in zone specialdistribution.local
TEST: Records registration (RReg)
Network Adapter
[00000006] Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Clien
t):
Warning:
Missing AAAA record at DNS server 192.168.0.178:
LogisticsAD.specialdistribution.local
Warning:
Missing AAAA record at DNS server 192.168.0.178:
gc._msdcs.specialdistribution.local
Warning:
Missing AAAA record at DNS server 192.168.0.97:
LogisticsAD.specialdistribution.local
Warning:
Missing AAAA record at DNS server 192.168.0.97:
gc._msdcs.specialdistribution.local
Warning:
Missing AAAA record at DNS server ::1:
LogisticsAD.specialdistribution.local
Warning:
Missing AAAA record at DNS server ::1:
gc._msdcs.specialdistribution.local
Warning: Record Registrations not found in some network adapters
LogisticsAD PASS WARN PASS PASS WARN WARN n/a
......................... specialdistribution.local passed test DNS
C:\Users\sorr>
Well, first thought is that unless you're using IPv6, the registration warnings above shouldn't be causing any problems, though you may want to disable IPv6 on the NIC.
If anything else occurs to me I'll post back.
Can't believe I forgot about this....regarding the NCSecDesc errors...
This is expected behavior if you haven't run "adprep /rodcprep". This is not a problem if you don't plan on adding any Read-Only domain controllers. You could also run the above command just so you don't see the error anymore when running dcdiag.
Looks like your SYSVOL has not replicated correctly (perhaps due to corruption). Do you have any errors in your Event Logs (check both servers)? You may have to correct through the use of the Burflags registry setting, but I would not be the best one to guide you in this.
ASKER
You're right . . . the adprep /rodcprep corrected the NCSecDesc errors. Thanks.
C:\Windows\system32>dcdiag /q
Warning: DsGetDcName returned information for
\\gps.specialdistribution.local, when we were trying to reach
LOGISTICSAD.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... LOGISTICSAD failed test Advertising
Unable to connect to the NETLOGON share! (\\LOGISTICSAD\netlogon)
[LOGISTICSAD] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... LOGISTICSAD failed test NetLogons
C:\Windows\system32>
Run "net share" on new DC, and make sure that the NETLOGON share appears there. If not, check that the scripts folder is under C:\Windows\SYSVOL\domain\.
ASKER
The following are the results: (I'm assuming that I'm missing something in the "Domain" folder?)
C:\Windows\system32>net share
Share name Resource Remark
-------------------------------------------------------------------------------
C$ C:\ Default share
IPC$ Remote IPC
ADMIN$ C:\Windows Remote Admin
The command completed successfully.
C:\Windows\system32>cd..
C:\Windows>cd sysvol
C:\Windows\SYSVOL>cd domain
C:\Windows\SYSVOL\domain>dir
Volume in drive C has no label.
Volume Serial Number is F4CB-E998
Directory of C:\Windows\SYSVOL\domain
11/28/2011 03:24 PM <DIR> .
11/28/2011 03:24 PM <DIR> ..
0 File(s) 0 bytes
2 Dir(s) 463,702,847,488 bytes free
C:\Windows\SYSVOL\domain>
If you look at your old domain controller, you will probably see what should be there (2 folders - "Policies" and "scripts"). More evidence that replication isn't working correctly. Please run "repadmin /showreps" on the new DC. Also, it would still be good if you can tell me whether you are seeing any errors in the Event Logs that are related (try under File Replication Service).
You can try doing a non-authoritative restore of SYSVOL on the new DC, and if that doesn't work then I would try an authoritative restore. See the following blog post for some guidance (be sure to check out part 2 for the specific instructions).
http://jorgequestforknowledge.wordpress.com/2010/08/12/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-1/
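The checks walked through in this thread (NETLOGON/SYSVOL shares, the contents of the SYSVOL domain folder, and the FRS event log) combined into one read-only script, as an added example that is not part of the original thread. It assumes Windows PowerShell 2.0 or later run locally on the DC and SYSVOL at the default path; the SysvolReady registry value and event ID 13509 (the "connection has been established" follow-up to 13508) are not mentioned in the thread and come from general FRS/Netlogon behaviour.

```powershell
# Added example: read-only SYSVOL/NETLOGON health check for a DC replicating SYSVOL with FRS.
# Nothing here changes state; it only reports what the thread's manual steps would show.
$sysvolDomain = Join-Path $env:SystemRoot 'SYSVOL\domain'   # C:\Windows\SYSVOL\domain in the thread

function New-CheckResult([string]$Check, [bool]$Ok) {
    New-Object PSObject -Property @{ Check = $Check; Ok = $Ok }
}

function Test-SysvolShares {
    # Same information as "net share": a DC that is advertising publishes SYSVOL and NETLOGON.
    $shares = @(Get-WmiObject -Class Win32_Share | Select-Object -ExpandProperty Name)
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        New-CheckResult "Share $name present" ($shares -contains $name)
    }
}

function Test-SysvolFolders([string]$Path) {
    # After the initial sync the folder holds "Policies" and "scripts"; an empty
    # folder means the first replication from the partner DC never completed.
    foreach ($name in 'Policies', 'scripts') {
        New-CheckResult "Folder $name present" (Test-Path (Join-Path $Path $name) -PathType Container)
    }
}

function Test-SysvolReady {
    # Netlogon only shares SYSVOL/NETLOGON once FRS sets SysvolReady to 1 (read only here).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $value = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SysvolReady
    New-CheckResult 'SysvolReady = 1' ($value -eq 1)
}

function Test-FrsConnection {
    # 13508: FRS cannot enable replication from a partner. 13509: connection established.
    # Healthy means no 13508 at all, or the most recent of the two events is 13509.
    $filter = @{ LogName = 'File Replication Service'; Id = 13508, 13509 }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
    New-CheckResult 'No outstanding FRS 13508' ((-not $latest) -or ($latest.Id -eq 13509))
}

$results = @()
$results += Test-SysvolShares
$results += Test-SysvolFolders $sysvolDomain
$results += Test-SysvolReady
$results += Test-FrsConnection
$results | Select-Object Check, Ok | Format-Table -AutoSize
```

Run it on both domain controllers and compare: any `False` row on the new DC that is `True` on the old one points at SYSVOL replication rather than at directory replication, which `repadmin /showreps` covers separately.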
ASKER
You're right . . . there is a replication error in the log. Can you ascertain what the problem is by the log description? Also, repadmin results are successful.
C:\Windows\System32>repadmin /showreps
Default-First-Site-Name\LOGISTICSAD
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 65cae0f0-0809-4eb9-a453-76fc4468576c
DSA invocationID: 992de3e9-5faf-46e6-9bf3-f04a96ca8598
==== INBOUND NEIGHBORS ======================================
DC=specialdistribution,DC=local
Default-First-Site-Name\GPS via RPC
DSA object GUID: 449c37d3-39a2-4a6a-8732-f455ac51ab4f
Last attempt @ 2011-12-20 16:39:27 was successful.
CN=Configuration,DC=specialdistribution,DC=local
Default-First-Site-Name\GPS via RPC
DSA object GUID: 449c37d3-39a2-4a6a-8732-f455ac51ab4f
Last attempt @ 2011-12-20 16:02:09 was successful.
CN=Schema,CN=Configuration,DC=specialdistribution,DC=local
Default-First-Site-Name\GPS via RPC
DSA object GUID: 449c37d3-39a2-4a6a-8732-f455ac51ab4f
Last attempt @ 2011-12-20 15:50:56 was successful.
DC=DomainDnsZones,DC=specialdistribution,DC=local
Default-First-Site-Name\GPS via RPC
DSA object GUID: 449c37d3-39a2-4a6a-8732-f455ac51ab4f
Last attempt @ 2011-12-20 15:50:56 was successful.
DC=ForestDnsZones,DC=specialdistribution,DC=local
Default-First-Site-Name\GPS via RPC
DSA object GUID: 449c37d3-39a2-4a6a-8732-f455ac51ab4f
Last attempt @ 2011-12-20 15:50:56 was successful.
C:\Windows\System32>
==========================================================================
Log Name: File Replication Service
Source: NtFrs
Date: 12/18/2011 6:36:02 AM
Event ID: 13508
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: LogisticsAD.specialdistribution.local
Description:
The File Replication Service is having trouble enabling replication from GPS to LOGISTICSAD for c:\windows\sysvol\domain using the DNS name gps.specialdistribution.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name gps.specialdistribution.local from this computer.
[2] FRS is not running on gps.specialdistribution.local.
[3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="NtFrs" />
<EventID Qualifiers="32768">13508</EventID>
<Level>3</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2011-12-18T12:36:02.000Z" />
<EventRecordID>87</EventRecordID>
<Channel>File Replication Service</Channel>
<Computer>LogisticsAD.specialdistribution.local</Computer>
<Security />
</System>
<EventData>
<Data>GPS</Data>
<Data>LOGISTICSAD</Data>
<Data>c:\windows\sysvol\domain</Data>
<Data>gps.specialdistribution.local</Data>
<Binary>D5040000</Binary>
</EventData>
</Event>