asked on

DCDIAG errors 2003 and 2008

Hi,
I have an oldish 2003 server acting as a domain controller. About 6 months ago I added a 2008 server as another domain controller, and I don't think they are replicating together properly. Rather than dump too many pages of errors here, I will post the DCDIAG I get on both servers, and if any other info is necessary please let me know - thanks!

Server 2003 fails on frsevent
Server 2008 fails on lots, and its SYSVOL and NETLOGON aren't shared in a NET SHARE.

The other thing to note is that we really do have a one word domain internally ie. MYDOMAIN, not MYDOMAIN.LOCAL

many thanks

Rob

SERVER2K3:

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SERVER2K3
Starting test: Connectivity
......................... SERVER2K3 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SERVER2K3
Starting test: Replications
......................... SERVER2K3 passed test Replications
Starting test: NCSecDesc
......................... SERVER2K3 passed test NCSecDesc
Starting test: NetLogons
......................... SERVER2K3 passed test NetLogons
Starting test: Advertising
......................... SERVER2K3 passed test Advertising
Starting test: KnowsOfRoleHolders
......................... SERVER2K3 passed test KnowsOfRoleHolders
Starting test: RidManager
......................... SERVER2K3 passed test RidManager
Starting test: MachineAccount
......................... SERVER2K3 passed test MachineAccount
Starting test: Services
......................... SERVER2K3 passed test Services
Starting test: ObjectsReplicated
......................... SERVER2K3 passed test ObjectsReplicated
Starting test: frssysvol
......................... SERVER2K3 passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... SERVER2K3 failed test frsevent
Starting test: kccevent
......................... SERVER2K3 passed test kccevent
Starting test: systemlog
......................... SERVER2K3 passed test systemlog
Starting test: VerifyReferences
......................... SERVER2K3 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : MYDOMAIN
Starting test: CrossRefValidation
......................... MYDOMAIN passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... MYDOMAIN passed test CheckSDRefDom

Running enterprise tests on : MYDOMAIN
Starting test: Intersite
......................... MYDOMAIN passed test Intersite
Starting test: FsmoCheck
......................... MYDOMAIN passed test FsmoCheck

SERVER2K8:

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

Home Server = SERVER2K8

* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\SERVER2K8

Starting test: Connectivity

......................... SERVER2K8 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\SERVER2K8

Starting test: Advertising

Warning: DsGetDcName returned information for \\server2k3.MYDOMAIN,

when we were trying to reach SERVER2K8.

SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

......................... SERVER2K8 failed test Advertising

Starting test: FrsEvent

There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may cause

Group Policy problems.
......................... SERVER2K8 passed test FrsEvent

Starting test: DFSREvent

......................... SERVER2K8 passed test DFSREvent

Starting test: SysVolCheck

......................... SERVER2K8 passed test SysVolCheck

Starting test: KccEvent

......................... SERVER2K8 passed test KccEvent

Starting test: KnowsOfRoleHolders

......................... SERVER2K8 passed test KnowsOfRoleHolders

Starting test: MachineAccount

......................... SERVER2K8 passed test MachineAccount

Starting test: NCSecDesc

......................... SERVER2K8 passed test NCSecDesc

Starting test: NetLogons

Unable to connect to the NETLOGON share! (\\SERVER2K8\netlogon)

[SERVER2K8] An net use or LsaPolicy operation failed with error 67,

The network name cannot be found..

......................... SERVER2K8 failed test NetLogons

Starting test: ObjectsReplicated

......................... SERVER2K8 passed test ObjectsReplicated

Starting test: Replications

......................... SERVER2K8 passed test Replications

Starting test: RidManager

......................... SERVER2K8 passed test RidManager

Starting test: Services

......................... SERVER2K8 passed test Services

Starting test: SystemLog

......................... SERVER2K8 passed test SystemLog

Starting test: VerifyReferences

......................... SERVER2K8 passed test VerifyReferences

Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test

CrossRefValidation

Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test

CrossRefValidation

Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test CrossRefValidation

Running partition tests on : MYDOMAIN

Starting test: CheckSDRefDom

......................... MYDOMAIN passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... MYDOMAIN passed test CrossRefValidation

Running enterprise tests on : MYDOMAIN

Starting test: LocatorCheck

......................... MYDOMAIN passed test LocatorCheck

Starting test: Intersite

......................... MYDOMAIN passed test Intersite

Other info that may be relevant is:

Server 2003:
C:\Documents and Settings\robs>REPADMIN /SHOWREPS
Default-First-Site-Name\SERVER2K3
DC Options: IS_GC
Site Options: (none)
DC object GUID: a9f8109a-6282-4031-a784-d969d36f1520
DC invocationID: 79fc5276-981c-4f53-ac06-b94fc0853958

==== INBOUND NEIGHBORS ======================================

DC=MYDOMAIN
Default-First-Site-Name\SERVER2K8 via RPC
DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
Last attempt @ 2012-04-04 16:59:32 was successful.

CN=Configuration,DC=MYDOMAIN
Default-First-Site-Name\SERVER2K8 via RPC
DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
Last attempt @ 2012-04-04 16:59:32 was successful.

CN=Schema,CN=Configuration,DC=MYDOMAIN
Default-First-Site-Name\SERVER2K8 via RPC
DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
Last attempt @ 2012-04-04 16:59:32 was successful.

DC=DomainDnsZones,DC=MYDOMAIN
Default-First-Site-Name\SERVER2K8 via RPC
DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
Last attempt @ 2012-04-04 16:59:32 was successful.

DC=ForestDnsZones,DC=MYDOMAIN
Default-First-Site-Name\SERVER2K8 via RPC
DC object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
Last attempt @ 2012-04-04 16:59:32 was successful.

SERVER 2008:

D:\>REPADMIN /SHOWREPS
Default-First-Site-Name\SERVER2K8
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: c799cd65-89ea-4381-a2fb-ee09416a915a
DSA invocationID: 2ecf0131-14a2-42fc-8436-df64286e9846

==== INBOUND NEIGHBORS ======================================

DC=MYDOMAIN
Default-First-Site-Name\SERVER2K3 via RPC
DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
Last attempt @ 2012-04-04 17:42:03 was successful.

CN=Configuration,DC=MYDOMAIN
Default-First-Site-Name\SERVER2K3 via RPC
DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
Last attempt @ 2012-04-04 16:53:35 was successful.

CN=Schema,CN=Configuration,DC=MYDOMAIN
Default-First-Site-Name\SERVER2K3 via RPC
DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
Last attempt @ 2012-04-04 16:53:36 was successful.

DC=DomainDnsZones,DC=MYDOMAIN
Default-First-Site-Name\SERVER2K3 via RPC
DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
Last attempt @ 2012-04-04 16:53:36 was successful.

DC=ForestDnsZones,DC=MYDOMAIN
Default-First-Site-Name\SERVER2K3 via RPC
DSA object GUID: a9f8109a-6282-4031-a784-d969d36f1520
Last attempt @ 2012-04-04 16:53:36 was successful.

ASKER CERTIFIED SOLUTION

Darius Ghassem

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Prashant Girennavar

Seems , Sysvol folder is not shared on your new Domain controller. In this scenario you can go ahead and do a non- authorative restore on DC where sysvol is not shared.

Refer below article which discusses this behaviour and resolution for this .

http://social.technet.microsoft.com/wiki/contents/articles/8548.sysvol-and-netlogon-share-importance-in-active-directory.aspx

Hope this helps.

Regards,

_Prashant_

robathome

ASKER

Can I just ask a basic question regarding ntfrs restores - if I do the scenario where I am changing the "working" one to 2 and the backup to 4... just where are they restoring from? Their own AD backup or each other?

many thanks for the replies so far
Rob

Darius Ghassem

You need to select the DC that is working properly which is 2003. You then put the other Burflag on 2008 server which is not correct. The Windows 2003 will then replicate the data over to the 2008 server which should have happen when you promoted.

I have done this fix and recommended this fix tons on this site and almost 99% the problem is fixed

robathome

ASKER

OK I grabbed the bull by the horns and put the BURFLAGS=D2 on the 2008 server which didn't have sysvol.
I restarted NTFRS and so far so good - there is now SYSVOL and NETLOGON in shares.

Now to look at all the other errors in a logical method.

One other thing to clarify is that I burflags appears in places:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\BurFlags
and
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Cumulatice Replica Sets\GUID

having studied the documents I put it in the latter, but am wondering when you would use the other option

thanks for the help so far
Rob