lbtoadmin
asked on
DCDiag errors on first 2008R2 DC in Windows 2003R2 domain
Hello,
Please see the attached DCdiag results I just got from the first 2008R2 DC I introduced into my 2003R2 domain. I made sure to prep the domain before adding the 08 server, so those steps were covered. I'm just wondering if this is anything I need to worry about. I have tested, retested, and tested again, adding user accounts, and adding DNS entries between my DC's and replication works fine.
Thanks,
dcdiag.txt
ASKER
Here is the new one. Is this what I should see from now on?
Also, should I not have the Kaspersky or Windows firewall turned on?
dcdiag1002.txt
You missed the screenshot.
If you would like to enable the firewall on the DC, then:
Enable program exceptions for lsass.exe and ntfrs.exe, which are found under %windir%\system32.
Enable port exceptions for ports 53 (TCP and UDP), 88 (TCP and UDP), 123 (UDP), 135 (TCP), 137 (TCP), 389 (UDP), 464 (TCP and UDP) and 636 (TCP).
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Security/EnablingWindowsFirewallondomaincontrollers.html
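The exceptions listed in the post above, written as a repeatable script; this is an added example, not part of the original post. It assumes an elevated PowerShell prompt on the 2008 R2 DC and uses `netsh advfirewall`; the `DC-...` rule names and the `Add-DcRule` helper are made up for the example, and the script only prints the commands until `$Apply` is set to `$true`.

```powershell
# Programs and ports are exactly the ones listed in the post; rule names are invented here.
$Apply = $false   # set to $true to actually create the rules

$programs = 'lsass.exe', 'ntfrs.exe'
$ports = @(
    @{ Port = 53;  Proto = 'TCP', 'UDP' },
    @{ Port = 88;  Proto = 'TCP', 'UDP' },
    @{ Port = 123; Proto = 'UDP' },
    @{ Port = 135; Proto = 'TCP' },
    @{ Port = 137; Proto = 'TCP' },
    @{ Port = 389; Proto = 'UDP' },
    @{ Port = 464; Proto = 'TCP', 'UDP' },
    @{ Port = 636; Proto = 'TCP' }
)

function Add-DcRule {   # hypothetical helper
    param([string]$Name, [string[]]$Match)
    # Skip rules that already exist so the script can be re-run safely.
    netsh advfirewall firewall show rule "name=$Name" | Out-Null
    if ($LASTEXITCODE -eq 0) { "exists : $Name"; return }
    $cmd = @('advfirewall', 'firewall', 'add', 'rule', "name=$Name", 'dir=in', 'action=allow') + $Match
    if (-not $Apply) { "dry run: netsh $($cmd -join ' ')"; return }
    & netsh $cmd | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "netsh failed for $Name" } else { "added  : $Name" }
}

# Program exceptions for the two binaries under %windir%\system32.
foreach ($exe in $programs) {
    $path = Join-Path $env:windir "system32\$exe"
    if (-not (Test-Path $path)) { Write-Warning "$path not found, skipping"; continue }
    Add-DcRule -Name "DC-$exe" -Match "program=$path"
}

# One inbound rule per port and protocol pair.
foreach ($p in $ports) {
    foreach ($proto in $p.Proto) {
        Add-DcRule -Name "DC-$($p.Port)-$proto" -Match "protocol=$proto", "localport=$($p.Port)"
    }
}
```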
Got the text file... at least the DC is working better.
The errors that are showing are coming from the system log, as your server was not working properly. All other tests are passing now.
Once the replication is completed,
clear your logs, reboot your server, and keep your security application disabled before the reboot.
ASKER
It still says the following for the FRSEvent:
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
And this for the NCSecDesc:
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=test,DC=lbto,DC=org
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=test,DC=lbto,DC=org
Will the FRSevent clear out? Also, what should I do for the NCSecDesc error?
I do this test on my 2003DC's and the only error I see is the FRSEvent on my 2003DC that does not have any fsmo roles. The primary that has all of the fsmo roles does not have any errors
There are warning or error events within the last 24 hours after the
Also, these can be earlier errors from the Event Viewer. You have to clear all logs from the Event Viewer.
As per the author, he already did the adprep.
" I made sure to prep the domain before adding the 08 server."
But of course there is no harm in case there are still some errors.
Hopefully most of the things are up, as the last dcdiag showed that replication was working and most of the checks were passed.
There are several different adprep commands. The /rodc switch is not needed to add a 2008 R2 DC, and many people skip it as they don't plan on adding a RODC, but it results in the errors seen when running DCDIAG.
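The triage the replies in this thread describe, as an added example that is not part of the thread: it splits dcdiag text into tests and separates the NCSecDesc "Filtered Set" errors that the reply above attributes to the skipped adprep RODC step from any other missing right, and flags FrsEvent for an event log review. The function name `Get-DcdiagFinding` and the note texts are assumptions; the sample input is constructed from the lines quoted earlier in the thread.

```powershell
# Constructed sample: the dcdiag lines quoted in this thread, not a full report.
$sample = @'
Starting test: FrsEvent
   There are warning or error events within the last 24 hours after the
   SYSVOL has been shared. Failing SYSVOL replication problems may cause
   Group Policy problems.
Starting test: NCSecDesc
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   DC=ForestDnsZones,DC=test,DC=lbto,DC=org
   Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
   access rights for the naming context:
   DC=DomainDnsZones,DC=test,DC=lbto,DC=org
'@

function Get-DcdiagFinding {   # hypothetical helper name
    param([string]$Text)
    # One match per "Starting test: <name>" section; the body runs to the next section.
    $sectionRx = '(?ms)^\s*Starting test:\s*(?<name>\S+)(?<body>.*?)(?=^\s*Starting test:|\z)'
    $aclRx = 'Error (?<who>.+?) doesn.t have (?<right>.+?) access rights for the naming context: (?<nc>\S+)'
    foreach ($s in [regex]::Matches($Text, $sectionRx)) {
        $test = $s.Groups['name'].Value
        $body = ($s.Groups['body'].Value -replace '\s+', ' ').Trim()   # undo line wrapping
        if ($test -eq 'NCSecDesc') {
            foreach ($e in [regex]::Matches($body, $aclRx)) {
                $right = $e.Groups['right'].Value
                $note = if ($right -eq 'Replicating Directory Changes In Filtered Set') {
                    'RODC-related right; matches the skipped adprep RODC step described in the thread'
                } else { 'Unexpected missing right; review the ACL on this naming context' }
                New-Object PSObject -Property @{
                    Test = $test; Principal = $e.Groups['who'].Value
                    Right = $right; NamingContext = $e.Groups['nc'].Value; Note = $note }
            }
        } elseif ($test -eq 'FrsEvent' -and $body -match 'warning or error events within the last 24 hours') {
            New-Object PSObject -Property @{
                Test = $test; Principal = ''; Right = ''; NamingContext = ''
                Note = 'Read the File Replication Service event log and check whether the events predate the fix' }
        }
    }
}

# For a saved report: Get-DcdiagFinding -Text (Get-Content .\dcdiag.txt | Out-String)
Get-DcdiagFinding -Text $sample | Format-List Test, NamingContext, Right, Note
```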