Solved

DCDiag errors on first 2008R2 DC in windows 2003R2 domain

Posted on 2012-03-30
488 Views
Last Modified: 2012-04-02
Hello,

Please see the attached DCDiag results I just got from the first 2008R2 DC I introduced into my 2003R2 domain. I made sure to prep the domain before adding the 08 server, so those steps were covered. I'm just wondering if this is anything I need to worry about. I have tested, retested, and tested again, adding user accounts and adding DNS entries between my DCs, and replication works fine.

Thanks,
dcdiag.txt
Question by:lbtoadmin
12 Comments
 
LVL 17

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 333 total points
ID: 37788176
do you have some local security software or firewall running?
0
 

Author Comment

by:lbtoadmin
ID: 37788183
Now that you mention it, Kaspersky Endpoint Security is on there with the firewall enabled; however, that local network is trusted. I'll disable the firewall and run it again. Good point!
0
 

Author Comment

by:lbtoadmin
ID: 37788209
Here is the new one. Is this what I should see from now on?

Also, should I not have the Kaspersky or Windows firewall turned on?
dcdiag1002.txt
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37788227
You missed the screenshot.

If you would like to enable the firewall on the DC, then
enable program exceptions for lsass.exe and ntfrs.exe, which are found under %windir%\system32.

Enable port exceptions for ports 53 (TCP and UDP), 88 (TCP and UDP), 123 (UDP), 135 (TCP), 137 (TCP), 389 (UDP), 464 (TCP and UDP) and 636 (TCP).

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/Security/EnablingWindowsFirewallondomaincontrollers.html
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37788236
Got the text file... at least the DC is working better...
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37788250
The errors that are showing are coming from the system log, as your server was not working properly. All other tests are passing now.

Once the replication is completed, clear your logs, reboot your server, and keep your security application disabled before the reboot.
0
 

Author Comment

by:lbtoadmin
ID: 37788534
It still says the following for the FRSEvent:

    Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.

And this for the NCSecDesc:

    Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=test,DC=lbto,DC=org
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=test,DC=lbto,DC=org

Will the FRSevent clear out?  Also, what should I do for the NCSecDesc error?

I do this test on my 2003 DCs and the only error I see is the FRSEvent on my 2003 DC that does not have any FSMO roles. The primary that has all of the FSMO roles does not have any errors.
0
 
LVL 17

Assisted Solution

by:Anuroopsundd
Anuroopsundd earned 333 total points
ID: 37788551
Please give the system some time to replicate. Also, a reboot will be good now so that it starts the replication properly, as your server was not able to properly communicate earlier.
Just make sure you disable the security service before the reboot, and it should not start at startup, or else the issue may come back again.
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37788601
There are warning or error events within the last 24 hours after the

Also, these can be earlier errors from the Event Viewer. You have to clear all logs from Event Viewer.
0
 
LVL 40

Accepted Solution

by:
footech earned 167 total points
ID: 37790717
Just wanted to say that the Windows Firewall should be automatically configured according to the roles that you have set up on the 2008 R2 server, so you shouldn't have to do any manual configuration.  I recommend having it on.

The NCSecDesc errors are expected if you haven't run "adprep /rodcprep".  They can be ignored if you don't plan on adding a RODC to your environment, or you can just run the adprep command so you don't encounter them anymore.
http://support.microsoft.com/kb/967482
0
 
LVL 17

Expert Comment

by:Anuroopsundd
ID: 37790722
As per the author, he already did the adprep:
"I made sure to prep the domain before adding the 08 server."
But of course there is no harm, in case there are still some errors.
Hopefully most of the things are up, as the last dcdiag showed that replication was working and most of the checks were passed.
0
 
LVL 40

Expert Comment

by:footech
ID: 37790804
There are several different adprep commands.  The /rodc switch is not needed to add a 2008 R2 DC, and many people skip it as they don't plan on adding a RODC, but it results in the errors seen when running DCDIAG.
0
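The triage discussed in this thread can be automated. The following is an added example, not code from any poster: it parses dcdiag text output and separates the NCSecDesc error that is expected before "adprep /rodcprep" from results that need review. The server name DC08, the passed/failed result lines in the sample, and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in dcdiag's text layout. DC08 and the result lines are
# made up; the FrsEvent and NCSecDesc messages are the ones quoted in the thread.
SAMPLE = r"""
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... DC08 passed test FrsEvent
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=test,DC=lbto,DC=org
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=test,DC=lbto,DC=org
         ......................... DC08 failed test NCSecDesc
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s*\S+ (passed|failed) test (\S+)")
RODC_RIGHT = "Replicating Directory Changes In Filtered Set"

def classify(name, status, body):
    """Turn one test's status and message lines into a triage note."""
    errors = [i for i, line in enumerate(body) if line.startswith("Error ")]
    if name == "NCSecDesc" and errors:
        # The line after each "Error ..." line names the missing access right.
        if all(i + 1 < len(body) and body[i + 1] == RODC_RIGHT for i in errors):
            return "expected until adprep /rodcprep is run"
        return "review: unexpected ACL gap on a naming context"
    if name == "FrsEvent" and body:
        return "FRS events logged in the last 24 hours; check the FRS event log"
    return "ok" if status == "passed" else "review"

def triage(text):
    """Return {test name: (status, note)} for each test block in dcdiag output."""
    report, name, body = {}, None, []
    for line in text.splitlines():
        if m := START.match(line):
            name, body = m.group(1), []
        elif (m := RESULT.match(line)) and m.group(2) == name:
            report[name] = (m.group(1), classify(name, m.group(1), body))
            name = None
        elif name:
            body.append(line.strip())
    return report
```

Note that a test can report "passed" and still carry a warning, as FrsEvent does in the sample, so the note is derived from the message lines and not only from the status.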
