Solved

DCDIAG errors  2003 and 2008

Posted on 2012-04-04
5
697 Views
Last Modified: 2012-04-05
Hi,
I have an oldish 2003 server acting as a domain controller. About 6 months ago I added a 2008 server as another domain controller, and I don't think they are replicating together properly. Rather than dump too many pages of errors here, I will post the DCDIAG I get on both servers, and if any other info is necessary please let me know - thanks!

Server 2003 fails on frsevent
Server 2008 fails on lots, and its SYSVOL and NETLOGON aren't shared in a NET SHARE.

The other thing to note is that we really do have a one word domain internally ie. MYDOMAIN, not MYDOMAIN.LOCAL

many thanks

Rob

SERVER2K3:


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\SERVER2K3
      Starting test: Connectivity
         ......................... SERVER2K3 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\SERVER2K3
      Starting test: Replications
         ......................... SERVER2K3 passed test Replications
      Starting test: NCSecDesc
         ......................... SERVER2K3 passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER2K3 passed test NetLogons
      Starting test: Advertising
         ......................... SERVER2K3 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SERVER2K3 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SERVER2K3 passed test RidManager
      Starting test: MachineAccount
         ......................... SERVER2K3 passed test MachineAccount
      Starting test: Services
         ......................... SERVER2K3 passed test Services
      Starting test: ObjectsReplicated
         ......................... SERVER2K3 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... SERVER2K3 passed test frssysvol
      Starting test: frsevent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER2K3 failed test frsevent
      Starting test: kccevent
         ......................... SERVER2K3 passed test kccevent
      Starting test: systemlog
         ......................... SERVER2K3 passed test systemlog
      Starting test: VerifyReferences
         ......................... SERVER2K3 passed test VerifyReferences
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : MYDOMAIN
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom
   
   Running enterprise tests on : MYDOMAIN
      Starting test: Intersite
         ......................... MYDOMAIN passed test Intersite
      Starting test: FsmoCheck
         ......................... MYDOMAIN passed test FsmoCheck


SERVER2K8:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = SERVER2K8

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\SERVER2K8

      Starting test: Connectivity

         ......................... SERVER2K8 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\SERVER2K8

      Starting test: Advertising

         Warning: DsGetDcName returned information for \\server2k3.MYDOMAIN,

         when we were trying to reach SERVER2K8.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... SERVER2K8 failed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         ......................... SERVER2K8 passed test FrsEvent

      Starting test: DFSREvent

         ......................... SERVER2K8 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... SERVER2K8 passed test SysVolCheck

      Starting test: KccEvent

         ......................... SERVER2K8 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... SERVER2K8 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... SERVER2K8 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... SERVER2K8 passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\SERVER2K8\netlogon)

         [SERVER2K8] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... SERVER2K8 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... SERVER2K8 passed test ObjectsReplicated

      Starting test: Replications

         ......................... SERVER2K8 passed test Replications

      Starting test: RidManager

         ......................... SERVER2K8 passed test RidManager

      Starting test: Services

         ......................... SERVER2K8 passed test Services

      Starting test: SystemLog

         ......................... SERVER2K8 passed test SystemLog

      Starting test: VerifyReferences

         ......................... SERVER2K8 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : MYDOMAIN

      Starting test: CheckSDRefDom

         ......................... MYDOMAIN passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... MYDOMAIN passed test CrossRefValidation

   
   Running enterprise tests on : MYDOMAIN

      Starting test: LocatorCheck

         ......................... MYDOMAIN passed test LocatorCheck

      Starting test: Intersite

         ......................... MYDOMAIN passed test Intersite


Other info that may be relevant is:

Server 2003:
C:\Documents and Settings\robs>REPADMIN /SHOWREPS
Default-First-Site-Name\SERVER2K3
DC Options: IS_GC
Site Options: (none)
DC object GUID: a9f8109a-6282-4031-a784-d969d36f1520
DC invocationID: 79fc5276-981c-4f53-ac06-b94fc0853958

==== INBOUND NEIGHBORS ======================================

DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K8 via RPC
        DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
        Last attempt @ 2012-04-04 16:59:32 was successful.

CN=Configuration,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K8 via RPC
        DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
        Last attempt @ 2012-04-04 16:59:32 was successful.

CN=Schema,CN=Configuration,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K8 via RPC
        DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
        Last attempt @ 2012-04-04 16:59:32 was successful.

DC=DomainDnsZones,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K8 via RPC
        DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
        Last attempt @ 2012-04-04 16:59:32 was successful.

DC=ForestDnsZones,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K8 via RPC
        DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
        Last attempt @ 2012-04-04 16:59:32 was successful.


SERVER 2008:

D:\>REPADMIN /SHOWREPS
Default-First-Site-Name\SERVER2K8
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
DSA invocationID: 2ecf0131-14a2-42fc-8436-df64286e9846

==== INBOUND NEIGHBORS ======================================

DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K3 via RPC
        DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
        Last attempt @ 2012-04-04 17:42:03 was successful.

CN=Configuration,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K3 via RPC
        DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
        Last attempt @ 2012-04-04 16:53:35 was successful.

CN=Schema,CN=Configuration,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K3 via RPC
        DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
        Last attempt @ 2012-04-04 16:53:36 was successful.

DC=DomainDnsZones,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K3 via RPC
        DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
        Last attempt @ 2012-04-04 16:53:36 was successful.

DC=ForestDnsZones,DC=MYDOMAIN
    Default-First-Site-Name\SERVER2K3 via RPC
        DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
        Last attempt @ 2012-04-04 16:53:36 was successful.
0
Comment
Question by:robathome
  • 2
  • 2
5 Comments
 
LVL 59

Accepted Solution

by:
Darius Ghassem earned 500 total points
Comment Utility
Alright lets try the burflag method first then if this doesn't work since it has been a while since you promoted we will demote then go through this process again.


Take backup of the policies and script folders from both the servers from c:\Windows\Sysvol\domain
Stop NTFRS service on both DCs.

Make one of the DC authoritative server by modifying registry setting : Navigate to registry HKLM\System\CCS\Services\NTFRS\Parameters\CumlativeReplicaSets and Set the Burflags value to D4. This should be done with server which has the Updated information available or correct data.

Go to other DC and make that Non-authoritative by navigating to same registry location HKLM\System\CCS\Services\NTFRS\Parameters\CumlativeReplicaSets and Set the Burflags value to D2.

Restart Ntfrs service on both servers and force replication to see event 13516 in event viewer for FRS.
0
 
LVL 10

Expert Comment

by:Prashant Girennavar
Comment Utility
Seems , Sysvol folder is not shared on your new Domain controller. In this scenario you can go ahead and do a non- authorative restore on DC where sysvol is not shared.

Refer below article which discusses this behaviour and resolution for this .

http://social.technet.microsoft.com/wiki/contents/articles/8548.sysvol-and-netlogon-share-importance-in-active-directory.aspx

Hope this helps.

Regards,

_Prashant_
0
 

Author Comment

by:robathome
Comment Utility
Can I just ask a basic question regarding ntfrs restores - if I do the scenario where I am changing the "working" one to 2 and the backup to 4... just where are they restoring from?  Their own AD backup or each other?

many thanks for the replies so far
Rob
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
You need to select the DC that is working properly which is 2003. You then put the other Burflag on 2008 server which is not correct. The Windows 2003 will then replicate the data over to the 2008 server which should have happen when you promoted.

I have done this fix and recommended this fix tons on this site and almost 99% the problem is fixed
0
 

Author Comment

by:robathome
Comment Utility
OK I grabbed the bull by the horns and put the BURFLAGS=D2 on the 2008 server which didn't have sysvol.
I restarted NTFRS and so far so good - there is now SYSVOL and NETLOGON in shares.

Now to look at all the other errors in a logical method.

One other thing to clarify is that I burflags appears in  places:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\BurFlags
and
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulatice Replica Sets\GUID

having studied the documents I put it in the latter, but am wondering when you would use the other option

thanks for the help so far
Rob
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Occasionally you run into the website or two that will not resolve properly using your own DNS servers.  Some people simply set up global forwarders for their DNS server.  I don’t recommend doing this because it can cause problems resolving addresse…
I've written instructions for one router type, but this principle may be useful for others of the same brand and even other brands of router. Problem: I had an issue especially with mobile devices that refused to use DNS information supplied via…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now