ad health check
Posted on 2012-09-13
I am having a few issues with an Active Directory health check.
sporadic latency in running some network-dependent programs,
spur-of-the-moment loss and subsequent reconnection of DFS-named connections,
scanning for 3 IPs and getting 56 devices with Angry IP scanner
Anything I should check?
Found some things as follows:
I have four DCs in the environment.
All FSMO roles are on one server -- in Windows 2008, does it matter anymore about having some of the FSMO roles on a Global Catalog server?
All Servers are Global Catalog servers
The PDC syncs time with external time source.
DNS forwarders go to resolverx.opendns.org.
Getting an error on each resolverx.opendns.org:
DCOM was unable to communicate with the computer 18.104.22.168 using any of the configured protocols. An Error Event occurred. EventID: 0xC0002719
Each ADS server has IPv6 enabled, and I am getting:
Missing AAAA record at DNS server
Is it safe to disable IPv6 on a DC? Any issues? Gotchas?
After disabling, does it automatically remove IPv6 from DNS?
Missing Expected Value
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC-02.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have Replicating Directory Changes In Filtered Set
I figure I need to run Adprep /rodc.
Also found that inside ADUC there is a Domain Controllers OU.
Inside that OU are the normal DCs, but someone placed all the other servers inside this OU too.
Is the Default Domain Controllers GPO good to place on these servers too? Doesn't seem right to me.
Found 1 ADS server has WINS enabled, but not the others; it doesn't appear that anyone is using this, and that server gets errors:
WINS encountered a database error. This may or may not be a serious error. WINS will try to recover from it. You can check the database error events under 'Application Log' category of the Event Viewer for the Exchange Component, ESENT, source to find out more details about database errors. If you continue to see a large number of these errors consistently over time (a span of few hours), you may want to restore the WINS database from a backup. The error number is in the second DWORD of the data section.
The DHCP service has detected that it is running on a DC and has no credentials configured for use with Dynamic DNS registrations initiated by the DHCP service. This is not a recommended security configuration. Credentials for Dynamic DNS registrations may be configured using the command line "netsh dhcp server set dnscredentials" or via the DHCP Administrative tool.
What's this mean?
The WinRM service failed to create the following SPNs: WSMAN/DC-02.thedomain.com; WSMAN/DC-02.
The error received was 8344: %%8344.
The SPNs can be created by an administrator using setspn.exe utility.
Windows Remote Management ID: 10154
DsBindWithCred to * failed with status 1722 (0x6ba):
The RPC server is unavailable.
The winlogon notification subscriber <TrustedInstaller> failed a critical notification event.
A provider, WmiPerfClass, has been registered in the Windows Management Instrumentation namespace root\cimv2 to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.
Getting these errors:
Failed to connect to DNS server because: the connection attempt timed out. Please make sure the DNS service is running. (both DNS server and Client are running on server and set to Automatic)
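As an added example that is not part of the original post: a read-only PowerShell pass over the items the post lists (FSMO placement, GC status, IPv6 and AAAA records, PDC time source, WSMAN SPNs, stray servers in the Domain Controllers OU, DHCP dynamic DNS credentials). It assumes the RSAT ActiveDirectory and DnsClient modules (Windows Server 2012 / PowerShell 3 or later) and runs as a domain admin on a DC; the domain and DC names come from the directory, not from the post's thedomain.com or DC-02.

```powershell
# Added example, not from the original post. Read-only: nothing here changes configuration.
# Assumes RSAT ActiveDirectory + DnsClient modules and a domain admin session on a DC.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain
$dcs    = Get-ADDomainController -Filter *

# 1. FSMO placement. All five roles on one DC is supported, but it is a single point of failure,
#    so know which box you must restore first.
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Per DC: Global Catalog flag, IPv6 address, and whether DNS actually holds an AAAA record
#    (the "Missing AAAA record" warning means IPv6 is on but the record never registered).
foreach ($dc in $dcs) {
    $aaaa = Resolve-DnsName -Name $dc.HostName -Type AAAA -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DC            = $dc.HostName
        GlobalCatalog = $dc.IsGlobalCatalog
        IPv6Address   = $dc.IPv6Address
        HasAAAA       = [bool]$aaaa
    }
}

# 3. Time source of the PDC emulator; it should be the external source, other DCs follow it.
w32tm /query /computer:$($domain.PDCEmulator) /source

# 4. WSMAN SPNs per DC. The WinRM 10154 event in the post means these are absent on that DC;
#    setspn -L only lists, it does not create anything.
foreach ($dc in $dcs) { "--- $($dc.Name)"; setspn -L $dc.Name | Select-String 'WSMAN' }

# 5. Computer objects in the Domain Controllers OU that are not DCs. They receive the
#    Default Domain Controllers Policy (user-rights assignments meant only for DCs).
$dcNames = $dcs.Name
Get-ADComputer -SearchBase $domain.DomainControllersContainer -Filter * |
    Where-Object { $dcNames -notcontains $_.Name } |
    Select-Object Name, DNSHostName

# 6. DHCP on a DC: show whether a dedicated account is set for dynamic DNS registrations,
#    which is what the quoted DHCP event is asking for (run this on the DHCP-hosting DC).
netsh dhcp server show dnscredentials
```

Run it once per domain and keep the output next to the dcdiag report; every section is a list you can diff after you remove servers from the Domain Controllers OU or register the missing SPNs.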