Solved

Errors after moving FSMO roles from Server 2008 R2 to Server 2012 R2

Posted on 2014-03-28
Last Modified: 2014-04-08
After moving my FSMO roles from a 2008 dc to 2012 dc I get the following errors when I run dcdiag.

Windows PowerShell
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = medmod-pdc
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MEDMOD-PDC
      Starting test: Connectivity
         ......................... MEDMOD-PDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MEDMOD-PDC
      Starting test: Advertising
         ......................... MEDMOD-PDC passed test Advertising
      Starting test: FrsEvent
         ......................... MEDMOD-PDC passed test FrsEvent
      Starting test: DFSREvent
         ......................... MEDMOD-PDC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... MEDMOD-PDC passed test SysVolCheck
      Starting test: KccEvent
         ......................... MEDMOD-PDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... MEDMOD-PDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... MEDMOD-PDC passed test MachineAccount
      Starting test: NCSecDesc
         ......................... MEDMOD-PDC passed test NCSecDesc
      Starting test: NetLogons
         ......................... MEDMOD-PDC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... MEDMOD-PDC passed test ObjectsReplicated
      Starting test: Replications
         ......................... MEDMOD-PDC passed test Replications
      Starting test: RidManager
         ......................... MEDMOD-PDC passed test RidManager
      Starting test: Services
         ......................... MEDMOD-PDC passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000166D
            Time Generated: 03/28/2014   09:33:39
            Event String: Netlogon could not register the medmod<1B> name for the following reason:
         An error event occurred.  EventID: 0xC00010E1
            Time Generated: 03/28/2014   09:33:39
            Event String:
            The name "MEDMOD         :1b" could not be registered on the interface with IP address 192.168.168.1. The computer with the IP address 192.168.168.21 did not allow the name to be claimed by this computer.
         A warning event occurred.  EventID: 0x0000000C
            Time Generated: 03/28/2014   09:33:39
            Event String:
            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
         ......................... MEDMOD-PDC failed test SystemLog
      Starting test: VerifyReferences
         ......................... MEDMOD-PDC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : medmod
      Starting test: CheckSDRefDom
         ......................... medmod passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... medmod passed test CrossRefValidation

   Running enterprise tests on : medmod.local
      Starting test: LocatorCheck
         ......................... medmod.local passed test LocatorCheck
      Starting test: Intersite
         ......................... medmod.local passed test Intersite
PS C:\Windows\system32>


Any help would be appreciated.  Thanks
Question by:dtw3
9 Comments
 
LVL 36

Expert Comment

by:Seth Simmons
ID: 39961983
first thing that stands out to me - configure your 2012 R2 box as a time server

How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042
0
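
The time-source change suggested above, as an added PowerShell example that is not part of the original comment or of the linked KB article. The peer names are placeholders, and the script assumes the ActiveDirectory module is installed and that it is run elevated on each DC; it also puts the former role holder back on the domain hierarchy, which matters because Kerberos authentication depends on DCs agreeing on the time.

```powershell
# Added example: point the forest-root PDC emulator at external NTP and put
# every other DC back on the domain hierarchy. Run elevated on each DC.
Import-Module ActiveDirectory

# Placeholder peers (assumption): replace with your approved time sources.
# The ",0x8" flag asks w32time to use NTP client mode for that peer.
$Peers = 'ntp1.example.com,0x8 ntp2.example.com,0x8'

# Only the PDC emulator of the forest root domain should be the reliable source.
$rootDomain = (Get-ADForest).RootDomain
$pdcFqdn    = (Get-ADDomain -Identity $rootDomain).PDCEmulator
$isPdc      = $pdcFqdn.Split('.')[0] -ieq $env:COMPUTERNAME

if ($isPdc) {
    # New role holder (MEDMOD-PDC on this page): sync from the manual peer
    # list and advertise as a reliable time source.
    w32tm /config "/manualpeerlist:$Peers" /syncfromflags:manual /reliable:yes /update
} else {
    # Former role holder or any other DC: follow the domain hierarchy so it
    # does not keep acting as an independent time source after the move.
    w32tm /config /syncfromflags:domhier /reliable:no /update
}

Restart-Service -Name w32time
w32tm /resync /rediscover

# Verify: on the PDC emulator the source should be one of $Peers; on other
# DCs it should be a domain controller.
w32tm /query /source
w32tm /query /status
```

Once the PDC emulator reports an external source, the NtpClient warning (EventID 0x0000000C) should stop being logged, and the SystemLog test clears when no recent error events remain.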
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962034
Ok this isn't a huge deal at all.  Here is why you failed the medmod part of DCDIAG.  Basically when there is an error of a certain level in the SystemLog then you will fail that part of DCDIAG.  So to correct what I think is the issue, here is what I would do.  Go to DNS on the primary DNS server and clear the cache, scavenge stale resource records, then from both servers, do an IPCONFIG/FLUSHDNS, then IPCONFIG/REGISTERDNS.  Also, reset the NIC/adapter on each server after all this.

Wait a few hours, then run DCDIAG again.  If the SystemLog fails, wait a little while longer and run it again.

And also this...
first thing that stands out to me - configure your 2012 R2 box as a time server
0
 

Author Comment

by:dtw3
ID: 39962502
Thanks for the replies.  I was able to clear up the dcdiag on the new server 2012 by following your direction but on the existing dc I get the following when running dcdiag.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\nexustek>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MEDMOD-DC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MEDMOD-DC
      Starting test: Connectivity
         ......................... MEDMOD-DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MEDMOD-DC
      Starting test: Advertising
         ......................... MEDMOD-DC passed test Advertising
      Starting test: FrsEvent
         ......................... MEDMOD-DC passed test FrsEvent
      Starting test: DFSREvent
         ......................... MEDMOD-DC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... MEDMOD-DC passed test SysVolCheck
      Starting test: KccEvent
         ......................... MEDMOD-DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... MEDMOD-DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... MEDMOD-DC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=medmod,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=medmod,DC=local
         ......................... MEDMOD-DC failed test NCSecDesc
      Starting test: NetLogons
         ......................... MEDMOD-DC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... MEDMOD-DC passed test ObjectsReplicated
      Starting test: Replications
         ......................... MEDMOD-DC passed test Replications
      Starting test: RidManager
         ......................... MEDMOD-DC passed test RidManager
      Starting test: Services
         ......................... MEDMOD-DC passed test Services
      Starting test: SystemLog
         ......................... MEDMOD-DC passed test SystemLog
      Starting test: VerifyReferences
         ......................... MEDMOD-DC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : medmod
      Starting test: CheckSDRefDom
         ......................... medmod passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... medmod passed test CrossRefValidation

   Running enterprise tests on : medmod.local
      Starting test: LocatorCheck
         ......................... medmod.local passed test LocatorCheck
      Starting test: Intersite
         ......................... medmod.local passed test Intersite

Thanks for your help with this guys
0

 
LVL 36

Expert Comment

by:Seth Simmons
ID: 39962524
that happens because adprep /rodcprep wasn't done

Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers
http://support.microsoft.com/kb/967482
0
 

Author Comment

by:dtw3
ID: 39962533
So if I'm not going to add a read only dc to the forest I should be ok?

"If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep. "
0
 
LVL 36

Expert Comment

by:Seth Simmons
ID: 39962542
Yes; I saw this issue at my last place where they did a 2003 upgrade and didn't use that switch.  No plans to put in RODC and everything else is fine.
0
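
A way to confirm what the NCSecDesc test is reporting, as an added PowerShell example that is not part of the original thread. It reads the ACL on the two DNS application partitions named in the dcdiag output and checks for read-only DCs; it assumes PowerShell 3.0 or later with the ActiveDirectory module (for example on the 2012 R2 DC) and an English-language principal name.

```powershell
# Added example: report whether the right dcdiag complains about is present
# on the DNS application partitions, and whether any RODC exists.
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl

# rightsGuid of the control access right
# DS-Replication-Get-Changes-In-Filtered-Set
# ("Replicating Directory Changes In Filtered Set").
$FilteredSet = [guid]'89e95b76-444d-4c62-991a-0facbeda640c'

$forestDn   = (Get-ADRootDSE).rootDomainNamingContext
$domainDn   = (Get-ADDomain).DistinguishedName
$partitions = "DC=ForestDnsZones,$forestDn", "DC=DomainDnsZones,$domainDn"

$report = foreach ($nc in $partitions) {
    $acl = Get-Acl -Path "AD:\$nc"
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $FilteredSet -and
        $_.IdentityReference.Value -like '*\ENTERPRISE DOMAIN CONTROLLERS'
    }
    [pscustomobject]@{
        NamingContext    = $nc
        FilteredSetGrant = [bool]$ace
    }
}
$report | Format-Table -AutoSize

# Read-only DCs in the current domain (single-domain forest on this page).
$rodcs   = @(Get-ADDomainController -Filter { IsReadOnly -eq $true })
$missing = $report.FilteredSetGrant -contains $false

if ($missing -and $rodcs.Count -eq 0) {
    'Grant missing, no RODC found: the case the quoted KB text says can be disregarded.'
} elseif ($missing) {
    'Grant missing and an RODC exists: run adprep /rodcprep.'
} else {
    'Grant present on both partitions: NCSecDesc should pass.'
}
```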
 
LVL 17

Accepted Solution

by:
Brad Bouchard earned 2000 total points
ID: 39966554
I answered his original question and then he asked another question on this same post.  I feel that I should receive the points for this one and if a separate question needs created to address his RODC issue then that should happen and assign the points to Seth Simmons.
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39966580
I feel that I should receive the points for this one and if a separate question needs created to address his RODC issue then that should happen and assign the points to Seth Simmons.

On a separate question I meant.
0
 

Author Comment

by:dtw3
ID: 39966577
I agree with you Wizard.  I tried using the "Accept Multiple Solutions" option but I must have done something wrong.  I would like this changed.
0
