Solved

Active Directory Forest Trust stops working

Posted on 2013-01-04
6
1,361 Views
Last Modified: 2013-01-24
I have two Windows 2008 R2 Active Directory forests, which I'll call ForestA and ForestB. ForestB trusts ForestA via a one-way external trust. I have file shares and SQL databases in ForestB that are accessed using domain accounts from ForestA.

Everything was working great until ForestA accounts started getting access denied when accessing the ForestB resources. I saw NETLOGON 3210 events on the ForestB domain controllers listing the following:

This computer could not authenticate with \\FORESTA_Domain_Controller_name_here, a Windows domain controller for domain mydomain.com, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

I also saw the same events on the ForestA domain controllers with the logs listing ForestB DCs in body of the event log message.

I deleted and re-created the trust and everything worked fine again. However, a few weeks later this issue happened again. I've had to delete and re-create the trust a few times now but want to stop this from happening.

Suggestions welcome.

Thanks!
0
Comment
Question by:Julian123
  • 4
6 Comments
 
LVL 61

Expert Comment

by:btan
ID: 38748101
Troubleshooting trust
http://technet.microsoft.com/en-us/library/cc782773(WS.10).aspx

How to configure a firewall for domains and trusts
http://support.microsoft.com/kb/179442

You may also want to check out the section from this article
- "Prerequisites to establish One Way Forest Trust"
- "Trust Limitation

(note - Trusted Domain and Trusting Domain, in your case is ForestA and ForestB respectively)

http://blogs.technet.com/b/mir/archive/2011/06/12/accessing-resources-across-forest-and-achieve-single-sign-on-part1.aspx

Quite a couple of contributing factor but mainly if Netlogon doesn't start, the server (ForestB) will record one of two Netlogon errors: Error 3210 or 5721. Some old msdn below

NetLogon Service Fails When Secure Channel Not Functioning
http://support.microsoft.com/kb/150518

Event ID 3210 and 5722 Appear When Synchronizing Entire Domain
http://support.microsoft.com/kb/142869/EN-US

Nonetheless, for more in depth details, below are good read on the forest trust
http://technet.microsoft.com/en-us/library/cc773178%28WS.10%29.aspx

You may also want to see "Minimum Administrative Credentials for Securing Trusts"
http://technet.microsoft.com/en-us/library/cc755321(v=ws.10).aspx
0
 
LVL 18

Expert Comment

by:sarang_tinguria
ID: 38748613
Can you run dcdiag /v/e on both the DC's
0
 
LVL 61

Expert Comment

by:btan
ID: 38749461
0
 
LVL 12

Author Comment

by:Julian123
ID: 38749547
I've listed the dcidag /v /e output as requested (forest, AD site, and server names have been changed for confidentiality purposes):

Here's the output for the DC in ForestB:


Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine Server_2, is a Directory Server.
   Home Server = Server_2
   * Connecting to directory service on server Server_2.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ForestB,DC=lan,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=ForestB-lan,CN=Sites,CN=Configuration,DC=ForestB,DC=lan
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ForestB,DC=lan,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=Server_2,CN=Servers,CN=ForestB-lan,CN=Sites,CN=Configuration,DC=ForestB,DC=lan
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 1 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: ForestB-lan\Server_2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... Server_2 passed test Connectivity

Doing primary tests
   
   Testing server: ForestB-lan\Server_2
      Starting test: Advertising
         The DC Server_2 is advertising itself as a DC and having a DS.
         The DC Server_2 is advertising as an LDAP server
         The DC Server_2 is advertising as having a writeable directory
         The DC Server_2 is advertising as a Key Distribution Center
         The DC Server_2 is advertising as a time server
         The DS Server_2 is advertising as a GC.
         ......................... Server_2 passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.
         ......................... Server_2 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... Server_2 passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... Server_2 passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... Server_2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=Server_2,CN=Servers,CN=ForestB-lan,CN=Sites,CN=Configuration,DC=ForestB,DC=lan
         Role Domain Owner = CN=NTDS Settings,CN=Server_2,CN=Servers,CN=ForestB-lan,CN=Sites,CN=Configuration,DC=ForestB,DC=lan
         Role PDC Owner = CN=NTDS Settings,CN=Server_2,CN=Servers,CN=ForestB-lan,CN=Sites,CN=Configuration,DC=ForestB,DC=lan
         Role Rid Owner = CN=NTDS Settings,CN=Server_2,CN=Servers,CN=ForestB-lan,CN=Sites,CN=Configuration,DC=ForestB,DC=lan
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=Server_2,CN=Servers,CN=ForestB-lan,CN=Sites,CN=Configuration,DC=ForestB,DC=lan
         ......................... Server_2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC Server_2 on DC Server_2.
         * SPN found :LDAP/Server_2.ForestB.lan/ForestB.lan
         * SPN found :LDAP/Server_2.ForestB.lan
         * SPN found :LDAP/Server_2
         * SPN found :LDAP/Server_2.ForestB.lan/ForestB
         * SPN found :LDAP/42d3c96a-c04b-483e-bc7f-50acfe519ac5._msdcs.ForestB.lan
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/42d3c96a-c04b-483e-bc7f-50acfe519ac5/ForestB.lan
         * SPN found :HOST/Server_2.ForestB.lan/ForestB.lan
         * SPN found :HOST/Server_2.ForestB.lan
         * SPN found :HOST/Server_2
         * SPN found :HOST/Server_2.ForestB.lan/ForestB
         * SPN found :GC/Server_2.ForestB.lan/ForestB.lan
         ......................... Server_2 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC Server_2.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=ForestB,DC=lan
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=ForestB,DC=lan
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=ForestB,DC=lan
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=ForestB,DC=lan
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=ForestB,DC=lan
            (Domain,Version 3)
         ......................... Server_2 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\Server_2\netlogon
         Verified share \\Server_2\sysvol
         ......................... Server_2 passed test NetLogons
      Starting test: ObjectsReplicated
         Server_2 is in domain DC=ForestB,DC=lan
         Checking for CN=Server_2,OU=Domain Controllers,DC=ForestB,DC=lan in domain DC=ForestB,DC=lan on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=Server_2,CN=Servers,CN=ForestB-lan,CN=Sites,CN=Configuration,DC=ForestB,DC=lan in domain CN=Configuration,DC=ForestB,DC=lan on 1 servers
            Object is up-to-date on all servers.
         ......................... Server_2 passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
         ......................... Server_2 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 1600 to 1073741823
         * Server_2.ForestB.lan is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1100 to 1599
         * rIDPreviousAllocationPool is 1100 to 1599
         * rIDNextRID: 1161
         ......................... Server_2 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
            Invalid service type: DnsCache on Server_2, current value
            WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... Server_2 failed test Services
      Starting test: SystemLog
         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... Server_2 passed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=Server_2,OU=Domain Controllers,DC=ForestB,DC=lan and backlink on
         CN=Server_2,CN=Servers,CN=ForestB-lan,CN=Sites,CN=Configuration,DC=ForestB,DC=lan
         are correct.
         The system object reference (serverReferenceBL)
         CN=WIN-UEU2M12O60H,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=ForestB,DC=lan
         and backlink on
         CN=NTDS Settings,CN=Server_2,CN=Servers,CN=ForestB-lan,CN=Sites,CN=Configuration,DC=ForestB,DC=lan
         are correct.
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=WIN-UEU2M12O60H,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=ForestB,DC=lan
         and backlink on CN=Server_2,OU=Domain Controllers,DC=ForestB,DC=lan are
         correct.
         ......................... Server_2 passed test VerifyReferences
      Test omitted by user request: VerifyReplicas
   
      Test omitted by user request: DNS
      Test omitted by user request: DNS
   
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   
   Running partition tests on : ForestB
      Starting test: CheckSDRefDom
         ......................... ForestB passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestB passed test CrossRefValidation
   
   Running enterprise tests on : ForestB.lan
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\Server_2.ForestB.lan
         Locator Flags: 0xe00031fd
         PDC Name: \\Server_2.ForestB.lan
         Locator Flags: 0xe00031fd
         Time Server Name: \\Server_2.ForestB.lan
         Locator Flags: 0xe00031fd
         Preferred Time Server Name: \\Server_2.ForestB.lan
         Locator Flags: 0xe00031fd
         KDC Name: \\Server_2.ForestB.lan
         Locator Flags: 0xe00031fd
         ......................... ForestB.lan passed test LocatorCheck
      Starting test: Intersite
         Skipping site ForestB-lan, this site is outside the scope provided by the
         command line arguments provided.
         ......................... ForestB.lan passed test Intersite






And the output for ForestA:


Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine DC_2, is a Directory Server.
   Home Server = DC_2
   * Connecting to directory service on server DC_2.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=DomainA,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=Siteb,CN=Sites,CN=Configuration,DC=DomainA,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=SiteC,CN=Sites,CN=Configuration,DC=DomainA,DC=local
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=SiteD,CN=Sites,CN=Configuration,DC=DomainA,DC=local
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=DomainA,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DC_2,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DC_3,CN=Servers,CN=Siteb,CN=Sites,CN=Configuration,DC=DomainA,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DC_4,CN=Servers,CN=SiteC,CN=Sites,CN=Configuration,DC=DomainA,DC=local
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 4 DC(s). Testing 4 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: SiteA\DC_1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         Determining IP6 connectivity
         * Active Directory RPC Services Check
         ......................... DC_1 passed test Connectivity
   
   Testing server: SiteA\DC_2
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         Determining IP6 connectivity
         * Active Directory RPC Services Check
         ......................... DC_2 passed test Connectivity
   
   Testing server: Siteb\DC_3
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         Determining IP6 connectivity
         * Active Directory RPC Services Check
         ......................... DC_3 passed test Connectivity
   
   Testing server: SiteC\DC_4
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         Determining IP6 connectivity
         * Active Directory RPC Services Check
         ......................... DC_4 passed test Connectivity

Doing primary tests
   
   Testing server: SiteA\DC_1
      Starting test: Advertising
         The DC DC_1 is advertising itself as a DC and having a DS.
         The DC DC_1 is advertising as an LDAP server
         The DC DC_1 is advertising as having a writeable directory
         The DC DC_1 is advertising as a Key Distribution Center
         The DC DC_1 is advertising as a time server
         The DS DC_1 is advertising as a GC.
         ......................... DC_1 passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occurred.  EventID: 0x800034C4
            Time Generated: 01/05/2013   23:53:28
            Event String:
            The File Replication Service is having trouble enabling replication from DC_4 to DC_1 for c:\windows\sysvol\domain using the DNS name DC_4.DomainA.local. FRS will keep retrying.
             Following are some of the reasons you would see this warning.
             
             [1] FRS can not correctly resolve the DNS name DC_4.DomainA.local from this computer.
             [2] FRS is not running on DC_4.DomainA.local.
             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
             
             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         An Warning Event occurred.  EventID: 0x800034FA
            Time Generated: 01/06/2013   00:30:25
            Event String:
            Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller DC_1.DomainA.local for FRS replica set configuration information.
             
             The nTDSConnection object cn=rodc connection (frs),cn=ntds settings,cn=DC_3,cn=servers,cn=Siteb,cn=sites,cn=configuration,dc=DomainA,dc=local is conflicting with cn=DC_1,cn=ntds settings,cn=DC_3,cn=servers,cn=Siteb,cn=sites,cn=configuration,dc=DomainA,dc=local. Using cn=rodc connection (frs),cn=ntds settings,cn=DC_3,cn=servers,cn=Siteb,cn=sites,cn=configuration,dc=DomainA,dc=local
           
             
           
         ......................... DC_1 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... DC_1 passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... DC_1 passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... DC_1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role SiteDC Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role Infrastructure USiteDate Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         ......................... DC_1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC DC_1 on DC DC_1.
         * SPN found :LDAP/DC_1.DomainA.local/DomainA.local
         * SPN found :LDAP/DC_1.DomainA.local
         * SPN found :LDAP/DC_1
         * SPN found :LDAP/DC_1.DomainA.local/DomainA
         * SPN found :LDAP/317ad8e6-bca1-4433-badf-8b275ed0e298._msdcs.DomainA.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/317ad8e6-bca1-4433-badf-8b275ed0e298/DomainA.local
         * SPN found :HOST/DC_1.DomainA.local/DomainA.local
         * SPN found :HOST/DC_1.DomainA.local
         * SPN found :HOST/DC_1
         * SPN found :HOST/DC_1.DomainA.local/DomainA
         * SPN found :GC/DC_1.DomainA.local/DomainA.local
         ......................... DC_1 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DC_1.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=DomainA,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=DomainA,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=DomainA,DC=local
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=DomainA,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=DomainA,DC=local
            (Domain,Version 3)
         ......................... DC_1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DC_1\netlogon
         Verified share \\DC_1\sysvol
         ......................... DC_1 passed test NetLogons
      Starting test: ObjectsReplicated
         DC_1 is in domain DC=DomainA,DC=local
         Checking for CN=DC_1,OU=Domain Controllers,DC=DomainA,DC=local in domain DC=DomainA,DC=local on 4 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local in domain CN=Configuration,DC=DomainA,DC=local on 4 servers
            Object is up-to-date on all servers.
         ......................... DC_1 passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=DomainA,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=DomainA,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=DomainA,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=DomainA,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainA,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... DC_1 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 8104 to 1073741823
         * DC_1.DomainA.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 7604 to 8103
         * rIDPreviousAllocationPool is 5604 to 6103
         * rIDNextRID: 6027
         * Warning :There is less than 16% available RIDs in the current pool
         ......................... DC_1 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DC_1 passed test Services
      Starting test: SystemLog
         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... DC_1 passed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DC_1,OU=Domain Controllers,DC=DomainA,DC=local and
         backlink on
         CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         are correct.
         The system object reference (serverReferenceBL)
         CN=DC_1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DomainA,DC=local
         and backlink on
         CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         are correct.
         ......................... DC_1 passed test VerifyReferences
      Test omitted by user request: VerifyReplicas
   
   Testing server: SiteA\DC_2
      Starting test: Advertising
         The DC DC_2 is advertising itself as a DC and having a DS.
         The DC DC_2 is advertising as an LDAP server
         The DC DC_2 is advertising as having a writeable directory
         The DC DC_2 is advertising as a Key Distribution Center
         The DC DC_2 is advertising as a time server
         The DS DC_2 is advertising as a GC.
         ......................... DC_2 passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occurred.  EventID: 0x800034C4
            Time Generated: 01/05/2013   23:52:54
            Event String:
            The File Replication Service is having trouble enabling replication from DC_4 to DC_2 for c:\windows\sysvol\domain using the DNS name DC_4.DomainA.local. FRS will keep retrying.
             Following are some of the reasons you would see this warning.
             
             [1] FRS can not correctly resolve the DNS name DC_4.DomainA.local from this computer.
             [2] FRS is not running on DC_4.DomainA.local.
             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
             
             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         ......................... DC_2 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... DC_2 passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... DC_2 passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... DC_2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role SiteDC Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role Infrastructure USiteDate Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         ......................... DC_2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC DC_2 on DC DC_2.
         * SPN found :LDAP/DC_2.DomainA.local/DomainA.local
         * SPN found :LDAP/DC_2.DomainA.local
         * SPN found :LDAP/DC_2
         * SPN found :LDAP/DC_2.DomainA.local/DomainA
         * SPN found :LDAP/44b03619-27b4-4046-95b1-c7c53986fba1._msdcs.DomainA.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/44b03619-27b4-4046-95b1-c7c53986fba1/DomainA.local
         * SPN found :HOST/DC_2.DomainA.local/DomainA.local
         * SPN found :HOST/DC_2.DomainA.local
         * SPN found :HOST/DC_2
         * SPN found :HOST/DC_2.DomainA.local/DomainA
         * SPN found :GC/DC_2.DomainA.local/DomainA.local
         ......................... DC_2 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DC_2.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=DomainA,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=DomainA,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=DomainA,DC=local
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=DomainA,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=DomainA,DC=local
            (Domain,Version 3)
         ......................... DC_2 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DC_2\netlogon
         Verified share \\DC_2\sysvol
         ......................... DC_2 passed test NetLogons
      Starting test: ObjectsReplicated
         DC_2 is in domain DC=DomainA,DC=local
         Checking for CN=DC_2,OU=Domain Controllers,DC=DomainA,DC=local in domain DC=DomainA,DC=local on 4 servers
            Authoritative attribute lastLogonTimestamp on DC_2 (writeable)
               usnLocalChange = 39638571
               LastOriginatingDsa = DC_1
               usnOriginatingChange = 70015661
               timeLastOriginatingChange = 2013-01-03 17:15:06
               VersionLastOriginatingChange = 90
            Out-of-date attribute lastLogonTimestamp on DC_4 (writeable)
               usnLocalChange = 2314093
               LastOriginatingDsa = DC_4
               usnOriginatingChange = 2314093
               timeLastOriginatingChange = 2012-12-21 20:30:20
               VersionLastOriginatingChange = 89
            Authoritative attribute pwdLastSet on DC_2 (writeable)
               usnLocalChange = 39475478
               LastOriginatingDsa = DC_1
               usnOriginatingChange = 69772114
               timeLastOriginatingChange = 2012-12-28 20:57:36
               VersionLastOriginatingChange = 35
            Out-of-date attribute pwdLastSet on DC_4 (writeable)
               usnLocalChange = 2231123
               LastOriginatingDsa = DC_1
               usnOriginatingChange = 68625986
               timeLastOriginatingChange = 2012-11-28 01:27:02
               VersionLastOriginatingChange = 34
         Checking for CN=NTDS Settings,CN=DC_2,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local in domain CN=Configuration,DC=DomainA,DC=local on 4 servers
            Object is up-to-date on all servers.
         ......................... DC_2 failed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=DomainA,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=DomainA,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=DomainA,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=DomainA,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainA,DC=local
               Latency information for 5 entries in the vector were ignored.
                  5 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... DC_2 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 8104 to 1073741823
         * DC_1.DomainA.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 7104 to 7603
         * rIDPreviousAllocationPool is 4604 to 5103
         * rIDNextRID: 4961
         ......................... DC_2 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DC_2 passed test Services
      Starting test: SystemLog
         * The System Event log test
         ......................... DC_2 failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DC_2,OU=Domain Controllers,DC=DomainA,DC=local and
         backlink on
         CN=DC_2,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         are correct.
         The system object reference (serverReferenceBL)
         CN=DC_2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DomainA,DC=local
         and backlink on
         CN=NTDS Settings,CN=DC_2,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         are correct.
         ......................... DC_2 passed test VerifyReferences
      Test omitted by user request: VerifyReplicas
   
   Testing server: Siteb\DC_3
      Starting test: Advertising
         The DC DC_3 is advertising itself as a DC and having a DS.
         The DC DC_3 is advertising as an LDAP server
         The DC DC_3 is not advertising as having a writeable directory because it is an RODC
         The DC DC_3 is advertising as a Key Distribution Center
         The DC DC_3 is advertising as a time server
         The DS DC_3 is advertising as a GC.
         ......................... DC_3 passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         ......................... DC_3 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... DC_3 passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... DC_3 passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... DC_3 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role SiteDC Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role Infrastructure USiteDate Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         ......................... DC_3 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC DC_3 on DC DC_3.
         * SPN found :LDAP/DC_3.DomainA.local/DomainA.local
         * SPN found :LDAP/DC_3.DomainA.local
         * SPN found :LDAP/DC_3
         * SPN found :LDAP/DC_3.DomainA.local/DomainA
         * SPN found :LDAP/e5ef6b48-fba4-43c7-9030-4ae7ff8dd773._msdcs.DomainA.local
         * SPN found :HOST/DC_3.DomainA.local/DomainA.local
         * SPN found :HOST/DC_3.DomainA.local
         * SPN found :HOST/DC_3
         * SPN found :HOST/DC_3.DomainA.local/DomainA
         * SPN found :GC/DC_3.DomainA.local/DomainA.local
         ......................... DC_3 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DC_3.
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=DomainA,DC=local
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=DomainA,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=DomainA,DC=local
            (Domain,Version 3)
         ......................... DC_3 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DC_3\netlogon
         Verified share \\DC_3\sysvol
         ......................... DC_3 passed test NetLogons
      Starting test: ObjectsReplicated
         DC_3 is in domain DC=DomainA,DC=local
         Checking for CN=DC_3,OU=Domain Controllers,DC=DomainA,DC=local in domain DC=DomainA,DC=local on 4 servers
            Authoritative attribute lastLogonTimestamp on DC_1 (writeable)
               usnLocalChange = 69842721
               LastOriginatingDsa = DC_1
               usnOriginatingChange = 69842721
               timeLastOriginatingChange = 2012-12-30 14:10:40
               VersionLastOriginatingChange = 70
            Out-of-date attribute lastLogonTimestamp on DC_4 (writeable)
               usnLocalChange = 2278270
               LastOriginatingDsa = DC_1
               usnOriginatingChange = 69088672
               timeLastOriginatingChange = 2012-12-10 13:25:59
               VersionLastOriginatingChange = 68
            Authoritative attribute pwdLastSet on DC_2 (writeable)
               usnLocalChange = 39254844
               LastOriginatingDsa = DC_1
               usnOriginatingChange = 69415453
               timeLastOriginatingChange = 2012-12-19 02:06:11
               VersionLastOriginatingChange = 28
            Out-of-date attribute pwdLastSet on DC_4 (writeable)
               usnLocalChange = 2194439
               LastOriginatingDsa = DC_1
               usnOriginatingChange = 68277479
               timeLastOriginatingChange = 2012-11-18 02:05:56
               VersionLastOriginatingChange = 27
         Checking for CN=NTDS Settings,CN=DC_3,CN=Servers,CN=Siteb,CN=Sites,CN=Configuration,DC=DomainA,DC=local in domain CN=Configuration,DC=DomainA,DC=local on 4 servers
            Object is up-to-date on all servers.
         ......................... DC_3 failed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         [Replications Check,DC_3] A recent replication attempt failed:
            From DC_2 to DC_3
            Naming Context:
            CN=Schema,CN=Configuration,DC=DomainA,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2013-01-06 17:57:40.
            The last success occurred at 2013-01-05 19:56:27.
            88 failures have occurred since the last success.
            The source DC_2 is responding now.
         [Replications Check,DC_3] A recent replication attempt failed:
            From DC_2 to DC_3
            Naming Context: CN=Configuration,DC=DomainA,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2013-01-06 17:57:19.
            The last success occurred at 2013-01-05 19:56:26.
            88 failures have occurred since the last success.
            The source DC_2 is responding now.
         [Replications Check,DC_3] A recent replication attempt failed:
            From DC_2 to DC_3
            Naming Context: DC=DomainA,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2013-01-06 17:58:02.
            The last success occurred at 2013-01-05 19:56:27.
            88 failures have occurred since the last success.
            The source DC_2 is responding now.
         ......................... DC_3 failed test Replications
      Test skipped for RODC: RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
            Invalid service startup type: w32time on DC_3, current value
            DEMAND_START, expected value AUTO_START
         * Checking Service: NETLOGON
         ......................... DC_3 failed test Services
      Starting test: SystemLog
         * The System Event log test
         An Warning Event occurred.  EventID: 0x8000001D
            Time Generated: 01/06/2013   17:32:00
            Event String:
            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.
         An Error Event occurred.  EventID: 0x0000165B
            Time Generated: 01/06/2013   17:51:31
            Event String:
            The session setup from computer 'ALPHA' failed because the security database does not contain a trust account 'colo.lan.' referenced by the specified computer.  
           
            USER ACTION  
            If this is the first occurrence of this event for the specified computer and account, this may be a transient issue that doesn't require any action at this time.  If this is a Read-Only Domain Controller and 'colo.lan.' is a legitimate machine account for the computer 'ALPHA' then 'ALPHA' should be marked cacheable for this location if appropriate or otherwise ensure connectivity to a domain controller  capable of servicing the request (for example a writable domain controller).  Otherwise, the following steps may be taken to resolve this problem:  
           
            If 'colo.lan.' is a legitimate machine account for the computer 'ALPHA', then 'ALPHA' should be rejoined to the domain.  
           
            If 'colo.lan.' is a legitimate interdomain trust account, then the trust should be recreated.  
           
            Otherwise, assuming that 'colo.lan.' is not a legitimate account, the following action should be taken on 'ALPHA':  
           
            If 'ALPHA' is a Domain Controller, then the trust associated with 'colo.lan.' should be deleted.  
           
            If 'ALPHA' is not a Domain Controller, it should be disjoined from the domain.
         ......................... DC_3 failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DC_3,OU=Domain Controllers,DC=DomainA,DC=local and
         backlink on
         CN=DC_3,CN=Servers,CN=Siteb,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         are correct.
         The system object reference (serverReferenceBL)
         CN=DC_3,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DomainA,DC=local
         and backlink on
         CN=NTDS Settings,CN=DC_3,CN=Servers,CN=Siteb,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         are correct.
         ......................... DC_3 passed test VerifyReferences
      Test omitted by user request: VerifyReplicas
   
   Testing server: SiteC\DC_4
      Starting test: Advertising
         The DC DC_4 is advertising itself as a DC and having a DS.
         The DC DC_4 is advertising as an LDAP server
         The DC DC_4 is advertising as having a writeable directory
         The DC DC_4 is advertising as a Key Distribution Center
         The DC DC_4 is advertising as a time server
         The DS DC_4 is advertising as a GC.
         ......................... DC_4 passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occurred.  EventID: 0x800034C4
            Time Generated: 01/05/2013   19:15:34
            Event String:
            The File Replication Service is having trouble enabling replication from DC_1 to DC_4 for c:\windows\sysvol\domain using the DNS name DC_1.DomainA.local. FRS will keep retrying.
             Following are some of the reasons you would see this warning.
             
             [1] FRS can not correctly resolve the DNS name DC_1.DomainA.local from this computer.
             [2] FRS is not running on DC_1.DomainA.local.
             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
             
             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         An Warning Event occurred.  EventID: 0x800034FA
            Time Generated: 01/06/2013   07:52:22
            Event String:
            Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller DC_4.DomainA.local for FRS replica set configuration information.
             
             Could not bind to a Domain Controller. Will try again at next polling cycle.
           
             
           
         An Warning Event occurred.  EventID: 0x800034C4
            Time Generated: 01/06/2013   16:51:07
            Event String:
            The File Replication Service is having trouble enabling replication from DC_2 to DC_4 for c:\windows\sysvol\domain using the DNS name DC_2.DomainA.local. FRS will keep retrying.
             Following are some of the reasons you would see this warning.
             
             [1] FRS can not correctly resolve the DNS name DC_2.DomainA.local from this computer.
             [2] FRS is not running on DC_2.DomainA.local.
             [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
             
             This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.
         ......................... DC_4 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An Warning Event occurred.  EventID: 0x800004B4
            Time Generated: 01/05/2013   22:18:02
            Event String:
            The DFS Replication service failed to contact domain controller  to access configuration information. The service will continue to replicate using previously downloaded configuration and will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
             
            Additional Information:
            Error: 160 (One or more arguments are not correct.)
         An Warning Event occurred.  EventID: 0x800004B4
            Time Generated: 01/06/2013   06:18:18
            Event String:
            The DFS Replication service failed to contact domain controller  to access configuration information. The service will continue to replicate using previously downloaded configuration and will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
             
            Additional Information:
            Error: 160 (One or more arguments are not correct.)
         An Warning Event occurred.  EventID: 0x800004B4
            Time Generated: 01/06/2013   14:18:33
            Event String:
            The DFS Replication service failed to contact domain controller  to access configuration information. The service will continue to replicate using previously downloaded configuration and will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
             
            Additional Information:
            Error: 160 (One or more arguments are not correct.)
         ......................... DC_4 passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... DC_4 passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         An Warning Event occurred.  EventID: 0x8000061E
            Time Generated: 01/06/2013   18:04:17
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
             
            Site:
            CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
            Directory partition:
            DC=DomainA,DC=local
            Transport:
            CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         An Error Event occurred.  EventID: 0xC000051F
            Time Generated: 01/06/2013   18:04:17
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
             
            Directory partition:
            DC=DomainA,DC=local
             
            There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
             
            User Action
            Perform one of the following actions:
            - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
            - Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
             
            If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.
         An Warning Event occurred.  EventID: 0x80000749
            Time Generated: 01/06/2013   18:04:17
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
             
            Sites:
            CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
             
             
             
             
             
             
           
         An Warning Event occurred.  EventID: 0x8000061E
            Time Generated: 01/06/2013   18:04:17
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
             
            Site:
            CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
            Directory partition:
            DC=DomainDnsZones,DC=DomainA,DC=local
            Transport:
            CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         An Error Event occurred.  EventID: 0xC000051F
            Time Generated: 01/06/2013   18:04:17
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
             
            Directory partition:
            DC=DomainDnsZones,DC=DomainA,DC=local
             
            There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
             
            User Action
            Perform one of the following actions:
            - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
            - Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
             
            If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.
         An Warning Event occurred.  EventID: 0x80000749
            Time Generated: 01/06/2013   18:04:17
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
             
            Sites:
            CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
             
             
             
             
             
             
           
         An Warning Event occurred.  EventID: 0x8000061E
            Time Generated: 01/06/2013   18:04:17
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
             
            Site:
            CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
            Directory partition:
            DC=ForestDnsZones,DC=DomainA,DC=local
            Transport:
            CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         An Error Event occurred.  EventID: 0xC000051F
            Time Generated: 01/06/2013   18:04:17
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
             
            Directory partition:
            DC=ForestDnsZones,DC=DomainA,DC=local
             
            There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
             
            User Action
            Perform one of the following actions:
            - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
            - Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
             
            If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.
         An Warning Event occurred.  EventID: 0x80000749
            Time Generated: 01/06/2013   18:04:17
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
             
            Sites:
            CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
             
             
             
             
             
             
           
         An Warning Event occurred.  EventID: 0x8000061E
            Time Generated: 01/06/2013   18:04:17
            Event String:
            All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.
             
            Site:
            CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
            Directory partition:
            CN=Configuration,DC=DomainA,DC=local
            Transport:
            CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         An Error Event occurred.  EventID: 0xC000051F
            Time Generated: 01/06/2013   18:04:17
            Event String:
            The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.
             
            Directory partition:
            CN=Configuration,DC=DomainA,DC=local
             
            There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.
             
            User Action
            Perform one of the following actions:
            - Publish sufficient site connectivity information so that the KCC can determine a route by which this directory partition can reach this site. This is the preferred option.
            - Add a Connection object to a directory service that contains the directory partition in this site from a directory service that contains the same directory partition in another site.
             
            If neither of the tasks correct this condition, see previous events logged by the KCC that identify the inaccessible directory servers.
         An Warning Event occurred.  EventID: 0x80000749
            Time Generated: 01/06/2013   18:04:17
            Event String:
            The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.
             
            Sites:
            CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
             
             
             
             
             
             
           
         ......................... DC_4 failed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role SiteDC Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         Role Infrastructure USiteDate Owner = CN=NTDS Settings,CN=DC_1,CN=Servers,CN=SiteA,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         ......................... DC_4 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC DC_4 on DC DC_4.
         * SPN found :LDAP/DC_4.DomainA.local/DomainA.local
         * SPN found :LDAP/DC_4.DomainA.local
         * SPN found :LDAP/DC_4
         * SPN found :LDAP/DC_4.DomainA.local/DomainA
         * SPN found :LDAP/8377db93-69b5-4022-97d1-84a35d324725._msdcs.DomainA.local
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/8377db93-69b5-4022-97d1-84a35d324725/DomainA.local
         * SPN found :HOST/DC_4.DomainA.local/DomainA.local
         * SPN found :HOST/DC_4.DomainA.local
         * SPN found :HOST/DC_4
         * SPN found :HOST/DC_4.DomainA.local/DomainA
         * SPN found :GC/DC_4.DomainA.local/DomainA.local
         ......................... DC_4 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DC_4.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=DomainA,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=DomainA,DC=local
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=DomainA,DC=local
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=DomainA,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=DomainA,DC=local
            (Domain,Version 3)
         ......................... DC_4 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DC_4\netlogon
         Verified share \\DC_4\sysvol
         ......................... DC_4 passed test NetLogons
      Starting test: ObjectsReplicated
         DC_4 is in domain DC=DomainA,DC=local
         Checking for CN=DC_4,OU=Domain Controllers,DC=DomainA,DC=local in domain DC=DomainA,DC=local on 4 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DC_4,CN=Servers,CN=SiteC,CN=Sites,CN=Configuration,DC=DomainA,DC=local in domain CN=Configuration,DC=DomainA,DC=local on 4 servers
            Object is up-to-date on all servers.
         ......................... DC_4 passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         [Replications Check,DC_4] A recent replication attempt failed:
            From DC_1 to DC_4
            Naming Context: DC=ForestDnsZones,DC=DomainA,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
           
            The failure occurred at 2013-01-06 17:58:38.
            The last success occurred at 2012-12-16 23:41:55.
            1993 failures have occurred since the last success.
         [Replications Check,DC_4] A recent replication attempt failed:
            From DC_2 to DC_4
            Naming Context: DC=ForestDnsZones,DC=DomainA,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
           
            The failure occurred at 2013-01-06 17:58:38.
            The last success occurred at 2012-12-16 23:41:55.
            1993 failures have occurred since the last success.
         [Replications Check,DC_4] A recent replication attempt failed:
            From DC_1 to DC_4
            Naming Context: DC=DomainDnsZones,DC=DomainA,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
           
            The failure occurred at 2013-01-06 17:58:38.
            The last success occurred at 2012-12-16 23:41:55.
            1993 failures have occurred since the last success.
         [Replications Check,DC_4] A recent replication attempt failed:
            From DC_2 to DC_4
            Naming Context: DC=DomainDnsZones,DC=DomainA,DC=local
            The replication generated an error (1256):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
           
            The failure occurred at 2013-01-06 17:58:38.
            The last success occurred at 2012-12-16 23:41:55.
            1993 failures have occurred since the last success.
         [Replications Check,DC_4] A recent replication attempt failed:
            From DC_1 to DC_4
            Naming Context:
            CN=Schema,CN=Configuration,DC=DomainA,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2013-01-06 17:58:38.
            The last success occurred at 2012-12-16 23:41:55.
            1993 failures have occurred since the last success.
            The source DC_1 is responding now.
         [Replications Check,DC_4] A recent replication attempt failed:
            From DC_2 to DC_4
            Naming Context:
            CN=Schema,CN=Configuration,DC=DomainA,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2013-01-06 17:58:38.
            The last success occurred at 2012-12-16 23:41:55.
            1993 failures have occurred since the last success.
            The source DC_2 is responding now.
         [Replications Check,DC_4] A recent replication attempt failed:
            From DC_1 to DC_4
            Naming Context: CN=Configuration,DC=DomainA,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2013-01-06 17:58:38.
            The last success occurred at 2012-12-16 23:41:55.
            1993 failures have occurred since the last success.
            The source DC_1 is responding now.
         [Replications Check,DC_4] A recent replication attempt failed:
            From DC_2 to DC_4
            Naming Context: CN=Configuration,DC=DomainA,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2013-01-06 17:58:38.
            The last success occurred at 2012-12-16 23:41:55.
            1993 failures have occurred since the last success.
            The source DC_2 is responding now.
         [Replications Check,DC_4] A recent replication attempt failed:
            From DC_1 to DC_4
            Naming Context: DC=DomainA,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2013-01-06 17:58:38.
            The last success occurred at 2012-12-16 23:41:54.
            1993 failures have occurred since the last success.
            The source DC_1 is responding now.
         [Replications Check,DC_4] A recent replication attempt failed:
            From DC_2 to DC_4
            Naming Context: DC=DomainA,DC=local
            The replication generated an error (1722):
            The RPC server is unavailable.
            The failure occurred at 2013-01-06 17:58:38.
            The last success occurred at 2012-12-16 23:41:55.
            1993 failures have occurred since the last success.
            The source DC_2 is responding now.
         ......................... DC_4 failed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 8104 to 1073741823
         * DC_1.DomainA.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 6604 to 7103
         * rIDPreviousAllocationPool is 6604 to 7103
         * rIDNextRID: 6607
         ......................... DC_4 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
            Invalid service startup type: w32time on DC_4, current value
            DEMAND_START, expected value AUTO_START
         * Checking Service: NETLOGON
         ......................... DC_4 failed test Services
      Starting test: SystemLog
         * The System Event log test
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   17:15:45
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   17:20:46
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   17:25:47
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   17:30:48
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   17:35:49
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   17:40:50
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   17:45:16
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   17:45:51
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   17:50:53
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   17:55:54
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An Error Event occurred.  EventID: 0x0000168E
            Time Generated: 01/06/2013   17:59:44
            Event String:
            The dynamic registration of the DNS record '_gc._tcp.DomainA.local. 600 IN SRV 0 100 3268 DC_4.DomainA.local.' failed on the following DNS server:  
           
            DNS server IP address: 10.100.0.60
            Returned Response Code (RCODE): 5
            Returned Status Code: 10055  
           
            For computers and users to locate this domain controller, this record must be registered in DNS.  
           
            USER ACTION  
            Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
              Or, you can manually add this record to DNS, but it is not recommended.  
           
            ADDITIONAL DATA
            Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
         An Error Event occurred.  EventID: 0x0000168E
            Time Generated: 01/06/2013   17:59:47
            Event String:
            The dynamic registration of the DNS record '_gc._tcp.SiteC._sites.DomainA.local. 600 IN SRV 0 100 3268 DC_4.DomainA.local.' failed on the following DNS server:  
           
            DNS server IP address: 10.100.0.60
            Returned Response Code (RCODE): 5
            Returned Status Code: 10055  
           
            For computers and users to locate this domain controller, this record must be registered in DNS.  
           
            USER ACTION  
            Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
              Or, you can manually add this record to DNS, but it is not recommended.  
           
            ADDITIONAL DATA
            Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
         An Error Event occurred.  EventID: 0x0000168E
            Time Generated: 01/06/2013   17:59:47
            Event String:
            The dynamic registration of the DNS record '_ldap._tcp.DomainDnsZones.DomainA.local. 600 IN SRV 0 100 389 DC_4.DomainA.local.' failed on the following DNS server:  
           
            DNS server IP address: 10.100.0.60
            Returned Response Code (RCODE): 5
            Returned Status Code: 10055  
           
            For computers and users to locate this domain controller, this record must be registered in DNS.  
           
            USER ACTION  
            Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
              Or, you can manually add this record to DNS, but it is not recommended.  
           
            ADDITIONAL DATA
            Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
         An Error Event occurred.  EventID: 0x0000168E
            Time Generated: 01/06/2013   17:59:47
            Event String:
            The dynamic registration of the DNS record '_ldap._tcp.SiteC._sites.DomainDnsZones.DomainA.local. 600 IN SRV 0 100 389 DC_4.DomainA.local.' failed on the following DNS server:  
           
            DNS server IP address: 10.100.0.60
            Returned Response Code (RCODE): 5
            Returned Status Code: 10055  
           
            For computers and users to locate this domain controller, this record must be registered in DNS.  
           
            USER ACTION  
            Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
              Or, you can manually add this record to DNS, but it is not recommended.  
           
            ADDITIONAL DATA
            Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
         An Error Event occurred.  EventID: 0x0000168E
            Time Generated: 01/06/2013   17:59:47
            Event String:
            The dynamic registration of the DNS record '_ldap._tcp.ForestDnsZones.DomainA.local. 600 IN SRV 0 100 389 DC_4.DomainA.local.' failed on the following DNS server:  
           
            DNS server IP address: 10.100.0.60
            Returned Response Code (RCODE): 5
            Returned Status Code: 10055  
           
            For computers and users to locate this domain controller, this record must be registered in DNS.  
           
            USER ACTION  
            Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
              Or, you can manually add this record to DNS, but it is not recommended.  
           
            ADDITIONAL DATA
            Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
         An Error Event occurred.  EventID: 0x0000168E
            Time Generated: 01/06/2013   17:59:59
            Event String:
            The dynamic registration of the DNS record '_ldap._tcp.SiteC._sites.ForestDnsZones.DomainA.local. 600 IN SRV 0 100 389 DC_4.DomainA.local.' failed on the following DNS server:  
           
            DNS server IP address: 10.100.0.60
            Returned Response Code (RCODE): 5
            Returned Status Code: 10055  
           
            For computers and users to locate this domain controller, this record must be registered in DNS.  
           
            USER ACTION  
            Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
              Or, you can manually add this record to DNS, but it is not recommended.  
           
            ADDITIONAL DATA
            Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
         An Error Event occurred.  EventID: 0x0000168E
            Time Generated: 01/06/2013   18:00:11
            Event String:
            The dynamic registration of the DNS record '_kerberos._tcp.DomainA.local. 600 IN SRV 0 100 88 DC_4.DomainA.local.' failed on the following DNS server:  
           
            DNS server IP address: 10.100.0.60
            Returned Response Code (RCODE): 5
            Returned Status Code: 10055  
           
            For computers and users to locate this domain controller, this record must be registered in DNS.  
           
            USER ACTION  
            Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
              Or, you can manually add this record to DNS, but it is not recommended.  
           
            ADDITIONAL DATA
            Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
         An Error Event occurred.  EventID: 0x0000168E
            Time Generated: 01/06/2013   18:00:11
            Event String:
            The dynamic registration of the DNS record '_kerberos._tcp.SiteC._sites.DomainA.local. 600 IN SRV 0 100 88 DC_4.DomainA.local.' failed on the following DNS server:  
           
            DNS server IP address: 10.100.0.60
            Returned Response Code (RCODE): 5
            Returned Status Code: 10055  
           
            For computers and users to locate this domain controller, this record must be registered in DNS.  
           
            USER ACTION  
            Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
              Or, you can manually add this record to DNS, but it is not recommended.  
           
            ADDITIONAL DATA
            Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
         An Error Event occurred.  EventID: 0x0000168E
            Time Generated: 01/06/2013   18:00:11
            Event String:
            The dynamic registration of the DNS record '_kerberos._udp.DomainA.local. 600 IN SRV 0 100 88 DC_4.DomainA.local.' failed on the following DNS server:  
           
            DNS server IP address: 10.100.0.60
            Returned Response Code (RCODE): 5
            Returned Status Code: 10055  
           
            For computers and users to locate this domain controller, this record must be registered in DNS.  
           
            USER ACTION  
            Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
              Or, you can manually add this record to DNS, but it is not recommended.  
           
            ADDITIONAL DATA
            Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
         An Error Event occurred.  EventID: 0x0000168E
            Time Generated: 01/06/2013   18:00:11
            Event String:
            The dynamic registration of the DNS record '_kpasswd._tcp.DomainA.local. 600 IN SRV 0 100 464 DC_4.DomainA.local.' failed on the following DNS server:  
           
            DNS server IP address: 10.100.0.60
            Returned Response Code (RCODE): 5
            Returned Status Code: 10055  
           
            For computers and users to locate this domain controller, this record must be registered in DNS.  
           
            USER ACTION  
            Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
              Or, you can manually add this record to DNS, but it is not recommended.  
           
            ADDITIONAL DATA
            Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
         An Error Event occurred.  EventID: 0x0000168E
            Time Generated: 01/06/2013   18:00:19
            Event String:
            The dynamic registration of the DNS record '_kpasswd._udp.DomainA.local. 600 IN SRV 0 100 464 DC_4.DomainA.local.' failed on the following DNS server:  
           
            DNS server IP address: 10.100.0.60
            Returned Response Code (RCODE): 5
            Returned Status Code: 10055  
           
            For computers and users to locate this domain controller, this record must be registered in DNS.  
           
            USER ACTION  
            Determine what might have caused this failure, resolve the problem, and initiate registration of the DNS records by the domain controller. To determine what might have caused this failure, run DCDiag.exe. To learn more about DCDiag.exe, see Help and Support Center. To initiate registration of the DNS records by this domain  controller, run 'nltest.exe /dsregdns' from the command prompt on the domain controller or restart Net Logon service.
              Or, you can manually add this record to DNS, but it is not recommended.  
           
            ADDITIONAL DATA
            Error Value: An operation on a socket could not be performed because the system lacked sufficient buffer space or because a queue was full.
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   18:00:55
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   18:05:56
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An Error Event occurred.  EventID: 0x0000041E
            Time Generated: 01/06/2013   18:10:57
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         ......................... DC_4 failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=DC_4,OU=Domain Controllers,DC=DomainA,DC=local and
         backlink on
         CN=DC_4,CN=Servers,CN=SiteC,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         are correct.
         The system object reference (serverReferenceBL)
         CN=DC_4,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=DomainA,DC=local
         and backlink on
         CN=NTDS Settings,CN=DC_4,CN=Servers,CN=SiteC,CN=Sites,CN=Configuration,DC=DomainA,DC=local
         are correct.
         ......................... DC_4 passed test VerifyReferences
      Test omitted by user request: VerifyReplicas
   
      Test omitted by user request: DNS
      Test omitted by user request: DNS
   
      Test omitted by user request: DNS
      Test omitted by user request: DNS
   
      Test omitted by user request: DNS
      Test omitted by user request: DNS
   
      Test omitted by user request: DNS
      Test omitted by user request: DNS
   
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   
   Running partition tests on : DomainA
      Starting test: CheckSDRefDom
         ......................... DomainA passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainA passed test
         CrossRefValidation
   
   Running enterprise tests on : DomainA.local
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\DC_2.DomainA.local
         Locator Flags: 0xe00013fc
         SiteDC Name: \\DC_1.DomainA.local
         Locator Flags: 0xe00013fd
         Time Server Name: \\DC_2.DomainA.local
         Locator Flags: 0xe00013fc
         Preferred Time Server Name: \\DC_2.DomainA.local
         Locator Flags: 0xe00013fc
         KDC Name: \\DC_2.DomainA.local
         Locator Flags: 0xe00013fc
         ......................... DomainA.local passed test
         LocatorCheck
      Starting test: Intersite
         Doing intersite inbound replication test on site SiteA:
            Locating & Contacting Intersite Topology Generator (ISTG) ...
               The ISTG for site SiteA is: DC_1.
            Checking for down bridgeheads ...
               Bridghead SiteC\DC_4 is up and replicating fine.
               Bridghead SiteA\DC_2 is up and replicating fine.
               Bridghead SiteA\DC_1 is up and replicating fine.
            Doing in depth site analysis ...
               All expected sites and bridgeheads are replicating into site
               SiteA.
         Doing intersite inbound replication test on site Siteb:
            Locating & Contacting Intersite Topology Generator (ISTG) ...
         Doing intersite inbound replication test on site SiteC:
            Locating & Contacting Intersite Topology Generator (ISTG) ...
               The ISTG for site SiteC is: DC_4.
            Checking for down bridgeheads ...
               *Warning: Remote bridgehead SiteA\DC_2 is not eligible
               as a bridgehead due to too many failures.  Replication may be
               disrupted into the local site SiteC.
               Bridghead SiteC\DC_4 is up and replicating fine.
               *Warning: Remote bridgehead SiteA\DC_1 is not eligible as
               a bridgehead due to too many failures.  Replication may be
               disrupted into the local site SiteC.
            Doing in depth site analysis ...
               Remote site SiteA is replicating to the local site
               SiteC the writeable NC ForestDnsZones correctly.
               Remote site SiteA is replicating to the local site
               SiteC the writeable NC DomainDnsZones correctly.
               Remote site SiteA is replicating to the local site
               SiteC the writeable NC Schema correctly.
               Remote site SiteA is replicating to the local site
               SiteC the writeable NC Configuration correctly.
               Remote site SiteA is replicating to the local site
               SiteC the writeable NC DomainA correctly.
         Skipping site SiteD, this site is outside the scope provided by the
         command line arguments provided.
         ......................... DomainA.local passed test Intersite
0
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 38750804
I saw there is actually more errors from Forest A instead. Some of it as below

E.g. EventID: 0x0000165B - This message indicates that the computer referred to in the message has not joined the domain properly or the account is corrupted. Rejoin the domain. Consider deleting the computer object in Active Directory users and computers in-between to delete any sub-components of the computer object.

E.g. Replication warning 0x800034C4 -  You may want to catch this
http://social.technet.microsoft.com/Forums/en/winserverDS/thread/6f1a4e5e-d35b-4fe3-9684-74c065640c0a

E.g. Eventid 0x0000041E - According to Microsoft, this event occurs because the domain from which the group policy should be downloaed either does not exist or could not be contacted. After ensuring that the network connectivity to the domain controller has been reestablished, refresh the Group Policy on the computer

E.g. Event ID 0x0000168E -  "DNS RR set that ought not exist, does exist.". If you have a CName (or other record) for the same hostname that was manually entered and is preventing a dynamic host registration then you need to remove the manual record.
1. Rename Netlogon.dnb and Netlogon.dns on the machine that registers the 5774 event
2. Delete Netlogon.dnb and Netlogon.dns on the same machine
3. Reboot Computer
4. Check system log for the error"

Ultimately for the error on starting NETLOGON in ForestB, i suspecting it can failed to start if DNS service is absent or not properly configured. NETLOGON can be configured to be independent of DNS service, see below.

http://social.technet.microsoft.com/Forums/en/windowsserver2008r2general/thread/95e01e6e-a2f7-49c2-91e3-4dd8f23a1126

Alternatively, we can run dcdiag /TEST:DNS /e to validate DNS health
http://technet.microsoft.com/en-us/library/cc776854(v=ws.10).aspx
0
 
LVL 61

Expert Comment

by:btan
ID: 38750819
MSDN has a Checklist: Creating a forest trust and DNS check is part of it

http://technet.microsoft.com/en-us/library/cc756852(v=ws.10).aspx
0

Join & Write a Comment

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
Introduction You may have a need to setup a group of users to allow local administrative access on workstations.  In a domain environment this can easily be achieved with Restricted Groups and Group Policies. This article will demonstrate how to…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now