Solved

DCDIAG errors 2003 and 2008

Posted on 2012-04-04
5
718 Views
Last Modified: 2012-04-05
Hi,
I have an oldish 2003 server acting as a domain controller. About 6 months ago I added a 2008 server as another domain controller, and I don't think they are replicating together properly. Rather than dump too many pages of errors here, I will post the DCDIAG I get on both servers, and if any other info is necessary please let me know - thanks!

Server 2003 fails on frsevent
Server 2008 fails on lots, and its SYSVOL and NETLOGON aren't shared in a NET SHARE.

The other thing to note is that we really do have a one-word domain internally, i.e. MYDOMAIN, not MYDOMAIN.LOCAL

many thanks

Rob

SERVER2K3:


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\SERVER2K3
      Starting test: Connectivity
         ......................... SERVER2K3 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\SERVER2K3
      Starting test: Replications
         ......................... SERVER2K3 passed test Replications
      Starting test: NCSecDesc
         ......................... SERVER2K3 passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER2K3 passed test NetLogons
      Starting test: Advertising
         ......................... SERVER2K3 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SERVER2K3 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SERVER2K3 passed test RidManager
      Starting test: MachineAccount
         ......................... SERVER2K3 passed test MachineAccount
      Starting test: Services
         ......................... SERVER2K3 passed test Services
      Starting test: ObjectsReplicated
         ......................... SERVER2K3 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SERVER2K3 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER2K3 failed test frsevent
      Starting test: kccevent
         ......................... SERVER2K3 passed test kccevent
      Starting test: systemlog
         ......................... SERVER2K3 passed test systemlog
      Starting test: VerifyReferences
         ......................... SERVER2K3 passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : MYDOMAIN
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom
   
   Running enterprise tests on : MYDOMAIN
      Starting test: Intersite
         ......................... MYDOMAIN passed test Intersite
      Starting test: FsmoCheck
         ......................... MYDOMAIN passed test FsmoCheck


SERVER2K8:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = SERVER2K8

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\SERVER2K8

      Starting test: Connectivity

         ......................... SERVER2K8 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\SERVER2K8

      Starting test: Advertising

         Warning: DsGetDcName returned information for \\server2k3.MYDOMAIN,

         when we were trying to reach SERVER2K8.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... SERVER2K8 failed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... SERVER2K8 passed test FrsEvent

      Starting test: DFSREvent

         ......................... SERVER2K8 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... SERVER2K8 passed test SysVolCheck

      Starting test: KccEvent

         ......................... SERVER2K8 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... SERVER2K8 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... SERVER2K8 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... SERVER2K8 passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\SERVER2K8\netlogon)

         [SERVER2K8] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... SERVER2K8 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... SERVER2K8 passed test ObjectsReplicated

      Starting test: Replications

         ......................... SERVER2K8 passed test Replications

      Starting test: RidManager

         ......................... SERVER2K8 passed test RidManager

      Starting test: Services

         ......................... SERVER2K8 passed test Services

      Starting test: SystemLog

         ......................... SERVER2K8 passed test SystemLog

      Starting test: VerifyReferences

         ......................... SERVER2K8 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : MYDOMAIN

      Starting test: CheckSDRefDom

         ......................... MYDOMAIN passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... MYDOMAIN passed test CrossRefValidation

   
   Running enterprise tests on : MYDOMAIN

      Starting test: LocatorCheck

         ......................... MYDOMAIN passed test LocatorCheck

      Starting test: Intersite

         ......................... MYDOMAIN passed test Intersite


Other info that may be relevant is:

Server 2003:
C:\Documents and Settings\robs>REPADMIN /SHOWREPS
Default-First-Site-Name\SERVER2K3
DC Options: IS_GC
Site Options: (none)
DC object GUID: a9f8109a-6282-4031-a784-d969d36f1520
DC invocationID: 79fc5276-981c-4f53-ac06-b94fc0853958

==== INBOUND NEIGHBORS ======================================

DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K8 via RPC
        DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
        Last attempt @ 2012-04-04 16:59:32 was successful.

CN=Configuration,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K8 via RPC
        DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
        Last attempt @ 2012-04-04 16:59:32 was successful.

CN=Schema,CN=Configuration,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K8 via RPC
        DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
        Last attempt @ 2012-04-04 16:59:32 was successful.

DC=DomainDnsZones,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K8 via RPC
        DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
        Last attempt @ 2012-04-04 16:59:32 was successful.

DC=ForestDnsZones,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K8 via RPC
        DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
        Last attempt @ 2012-04-04 16:59:32 was successful.


SERVER 2008:

D:\>REPADMIN /SHOWREPS
Default-First-Site-Name\SERVER2K8
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
DSA invocationID: 2ecf0131-14a2-42fc-8436-df64286e9846

==== INBOUND NEIGHBORS ======================================

DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K3 via RPC
        DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
        Last attempt @ 2012-04-04 17:42:03 was successful.

CN=Configuration,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K3 via RPC
        DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
        Last attempt @ 2012-04-04 16:53:35 was successful.

CN=Schema,CN=Configuration,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K3 via RPC
        DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
        Last attempt @ 2012-04-04 16:53:36 was successful.

DC=DomainDnsZones,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K3 via RPC
        DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
        Last attempt @ 2012-04-04 16:53:36 was successful.

DC=ForestDnsZones,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K3 via RPC
        DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
        Last attempt @ 2012-04-04 16:53:36 was successful.
0
Question by:robathome
5 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
ID: 37807338
Alright, let's try the burflag method first; then, if this doesn't work, since it has been a while since you promoted, we will demote and then go through this process again.


Take a backup of the policies and script folders from both the servers from c:\Windows\Sysvol\domain
Stop the NTFRS service on both DCs.

Make one of the DCs the authoritative server by modifying a registry setting: navigate to the registry key HKLM\System\CCS\Services\NTFRS\Parameters\Cumulative Replica Sets and set the BurFlags value to D4. This should be done on the server which has the updated information available or the correct data.

Go to the other DC and make it non-authoritative by navigating to the same registry location HKLM\System\CCS\Services\NTFRS\Parameters\Cumulative Replica Sets and setting the BurFlags value to D2.

Restart the NTFRS service on both servers and force replication to see event 13516 in Event Viewer for FRS.
0
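The non-authoritative half of the procedure above, as an added PowerShell example that is not part of the original answer or of any Microsoft tooling. It covers only the D2 side, run elevated on the DC whose SYSVOL is not shared; the backup folder name and the 30-minute wait are assumptions.

```powershell
# Added example: non-authoritative (D2) FRS restore on the DC with the broken SYSVOL.
# The healthy DC is not touched by this script.
$ErrorActionPreference = 'Stop'

$sysvolDomain = 'C:\Windows\Sysvol\domain'   # path as given in the answer
$backupRoot   = "C:\SysvolBackup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"   # assumed location
$setsKey      = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets'

# 1. Back up the Policies and Scripts folders before changing anything.
New-Item -ItemType Directory -Path $backupRoot | Out-Null
foreach ($dir in 'Policies', 'Scripts') {
    $src = Join-Path $sysvolDomain $dir
    if (Test-Path $src) { Copy-Item -Path $src -Destination $backupRoot -Recurse -Force }
}

# 2. Stop FRS, set BurFlags to 0xD2 under every replica-set GUID, start FRS again.
Stop-Service -Name NtFrs -Force
$start = Get-Date
Get-ChildItem -Path $setsKey | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name BurFlags -Value ([int]0xD2)   # stored as REG_DWORD
}
Start-Service -Name NtFrs

# 3. Poll the FRS event log for event 13516 logged after the restart.
$deadline = $start.AddMinutes(30)            # assumed timeout
$filter   = @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $start }
do {
    Start-Sleep -Seconds 30
    $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
} until ($evt -or ((Get-Date) -gt $deadline))

# 4. Confirm that SYSVOL and NETLOGON are shared again.
$wanted  = 'SYSVOL', 'NETLOGON'
$shared  = @(Get-WmiObject -Class Win32_Share | Where-Object { $wanted -contains $_.Name } |
             ForEach-Object { $_.Name })
$missing = @($wanted | Where-Object { $shared -notcontains $_ })

if (-not $evt)           { Write-Warning 'Event 13516 not seen yet; check the File Replication Service log.' }
if ($missing.Count -gt 0) { Write-Warning ("Still not shared: " + ($missing -join ', ')) }
else                      { Write-Output "SYSVOL and NETLOGON are shared. Backup kept in $backupRoot" }
```

Re-running `dcdiag /test:netlogons /test:advertising` afterwards shows whether the two tests that failed on SERVER2K8 now pass.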
 
LVL 10

Expert Comment

by:Prashant Girennavar
ID: 37809403
Seems the Sysvol folder is not shared on your new domain controller. In this scenario you can go ahead and do a non-authoritative restore on the DC where sysvol is not shared.

Refer to the article below, which discusses this behaviour and the resolution for it.

http://social.technet.microsoft.com/wiki/contents/articles/8548.sysvol-and-netlogon-share-importance-in-active-directory.aspx

Hope this helps.

Regards,

_Prashant_
0
 

Author Comment

by:robathome
ID: 37809933
Can I just ask a basic question regarding ntfrs restores - if I do the scenario where I am changing the "working" one to 2 and the backup to 4... just where are they restoring from?  Their own AD backup or each other?

many thanks for the replies so far
Rob
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 37810740
You need to select the DC that is working properly, which is 2003. You then put the other Burflag on the 2008 server, which is not correct. The Windows 2003 server will then replicate the data over to the 2008 server, which should have happened when you promoted.

I have done this fix and recommended this fix tons on this site, and almost 99% of the time the problem is fixed.
0
 

Author Comment

by:robathome
ID: 37811564
OK I grabbed the bull by the horns and put the BURFLAGS=D2 on the 2008 server which didn't have sysvol.
I restarted NTFRS and so far so good - there is now SYSVOL and NETLOGON in shares.

Now to look at all the other errors in a logical method.

One other thing to clarify is that burflags appears in two places:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\BurFlags
and
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID

having studied the documents I put it in the latter, but am wondering when you would use the other option

thanks for the help so far
Rob
0
