DCDiag errors on first 2008R2 DC in windows 2003R2 domain


Please see the attached DCdiag results I just got from the first 2008R2 DC I introduced into my 2003R2 domain.  I made sure to prep the domain before adding the 08 server, so those steps were covered.  I'm just wondering if this is anything I need to worry about.  I have tested, retested, and tested again, adding user accounts, and adding DNS entries between my DC's and replication works fine.  

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

do you have some local security software or firewall running?
lbtoadminAuthor Commented:
Now that you mention it, Kaspersky enpoint security is on there with the firewall enabled; however that local network is trusted.  I'll disable the firewall and run it again.  Good point!
lbtoadminAuthor Commented:
Here is the new one..is this what I should see from now on?  

Also, should I not have the kasperky or Windows firewall turned on?
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

you missed the screenshot..

if you like to enable firewall on DC then
Enable program exceptions for lsass.exe and ntfrs.exe.exe which are found under %windir%\system32.

Enable port exceptions for ports 53 (TCP and UDP), 88 (TCP and UDP), 123 (UDP), 135 (TCP), 137 (TCP), 389 (UDP), 464 (TCP and UDP) and 636 (TCP).

Got the text file... atleast DC is working better...
errors that are showing are coming from the system log.. as your server was not working properly... all other tests are passing now.

Ones the replication is completed.
clear your logs..reboot your server and keep your security application disabled before reboot.
lbtoadminAuthor Commented:
It still says the following for the FRSEvent:

    Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.

And this for the NCSecDesc:
Starting test: NCSecDesc


            Replicating Directory Changes In Filtered Set
         access rights for the naming context:


            Replicating Directory Changes In Filtered Set
         access rights for the naming context:


Will the FRSevent clear out?  Also, what should I do for the NCSecDesc error?

I do this test on my 2003DC's and the only error I see is the FRSEvent on my 2003DC that does not have any fsmo roles.  The primary that has all of the fsmo roles does not have any errors
Please give the system some time to replicate. also a reboot will be good now so that it starts the replication properly. as your server was not able to properly communicate earlier.
Just make sure you disable the security service before reboot and it should not start at startup. else again the issue may come back.
There are warning or error events within the last 24 hours after the

also these can be earlier error from the even viewer.. you have to clear all logs from event viewer.
Just wanted to say that the Windows Firewall should be automatically configured according to the roles that you have set up on the 2008 R2 server, so you shouldn't have to do any manual configuration.  I recommend having it on.

The NCSecDesc errors are expected if you haven't run "adprep /rodcprep".  They can be ignored if you don't plan on adding a RODC to your environment, or you can just run the adprep command so you don't encounter them anymore.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
as per the Author he already did the adprep.
" I made sure to prep the domain before adding the 08 server."
but offcourse their is no harm incase their are still some errors.
Hopefully most of the things are up as the last dcdiag showed that replication was working and most of the checks were passed.
There are several different adprep commands.  The /rodc switch is not needed to add a 2008 R2 DC, and many people skip it as they don't plan on adding a RODC, but it results in the errors seen when running DCDIAG.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.