Solved

errors after moving fsmo roles from server 2008 r2 to server 2012 r2

Posted on 2014-03-28
11
859 Views
Last Modified: 2014-04-08
After moving my FSMO roles from a 2008 dc to 2012 dc I get the following errors when I run dcdiag.

Windows PowerShell
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = medmod-pdc
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MEDMOD-PDC
      Starting test: Connectivity
         ......................... MEDMOD-PDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MEDMOD-PDC
      Starting test: Advertising
         ......................... MEDMOD-PDC passed test Advertising
      Starting test: FrsEvent
         ......................... MEDMOD-PDC passed test FrsEvent
      Starting test: DFSREvent
         ......................... MEDMOD-PDC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... MEDMOD-PDC passed test SysVolCheck
      Starting test: KccEvent
         ......................... MEDMOD-PDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... MEDMOD-PDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... MEDMOD-PDC passed test MachineAccount
      Starting test: NCSecDesc
         ......................... MEDMOD-PDC passed test NCSecDesc
      Starting test: NetLogons
         ......................... MEDMOD-PDC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... MEDMOD-PDC passed test ObjectsReplicated
      Starting test: Replications
         ......................... MEDMOD-PDC passed test Replications
      Starting test: RidManager
         ......................... MEDMOD-PDC passed test RidManager
      Starting test: Services
         ......................... MEDMOD-PDC passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x0000166D
            Time Generated: 03/28/2014   09:33:39
            Event String: Netlogon could not register the medmod<1B> name for the following reason:
         An error event occurred.  EventID: 0xC00010E1
            Time Generated: 03/28/2014   09:33:39
            Event String:
            The name "MEDMOD         :1b" could not be registered on the interface with IP address 192.168.168.1. The
mputer with the IP address 192.168.168.21 did not allow the name to be claimed by this computer.
         A warning event occurred.  EventID: 0x0000000C
            Time Generated: 03/28/2014   09:33:39
            Event String:
            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time sou
, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the doma
hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root do
n, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will functio
s the authoritative time source in the domain hierarchy. If an external time source is not configured or used for thi
omputer, you may choose to disable the NtpClient.
         ......................... MEDMOD-PDC failed test SystemLog
      Starting test: VerifyReferences
         ......................... MEDMOD-PDC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : medmod
      Starting test: CheckSDRefDom
         ......................... medmod passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... medmod passed test CrossRefValidation

   Running enterprise tests on : medmod.local
      Starting test: LocatorCheck
         ......................... medmod.local passed test LocatorCheck
      Starting test: Intersite
         ......................... medmod.local passed test Intersite
PS C:\Windows\system32>


Any help would e appreciated.  Thanks
0
Comment
Question by:dtw3
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 3
11 Comments
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 39961983
first thing that stands out to me - configure your 2012 R2 box as a time server

How to configure an authoritative time server in Windows Server
http://support.microsoft.com/kb/816042
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39962034
Ok this isn't a huge deal at all.  Here is why you failed the medmod part of DCDIAG.  Basically when there is an error of a certain level in the SystemLog then you will fail that part of DCDIAG.  So to correct what I think is the issue, here is what I would do.  Go to DNS on the primary DNS server and clear the cache, scavenge stale resource records, then from both servers, do an IPCONFIG/FLUSHDNS, then IPCONFIG/REGISTERDNS.  Also, reset the NIC/adapter on each server after all this.

Wait a few hours, then run DCDIAG again.  If the SystemLog fails, wait a little while longer and run it again.

And also this...
first thing that stands out to me - configure your 2012 R2 box as a time server
0
 

Author Comment

by:dtw3
ID: 39962502
Thanks for the replies.  I was able to clear up the dcdiag on the new server 2012 by following your direction but on the existing dc i get the following when running dcdiag.

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\nexustek>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = MEDMOD-DC
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\MEDMOD-DC
      Starting test: Connectivity
         ......................... MEDMOD-DC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\MEDMOD-DC
      Starting test: Advertising
         ......................... MEDMOD-DC passed test Advertising
      Starting test: FrsEvent
         ......................... MEDMOD-DC passed test FrsEvent
      Starting test: DFSREvent
         ......................... MEDMOD-DC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... MEDMOD-DC passed test SysVolCheck
      Starting test: KccEvent
         ......................... MEDMOD-DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... MEDMOD-DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... MEDMOD-DC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=medmod,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=medmod,DC=local
         ......................... MEDMOD-DC failed test NCSecDesc
      Starting test: NetLogons
         ......................... MEDMOD-DC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... MEDMOD-DC passed test ObjectsReplicated
      Starting test: Replications
         ......................... MEDMOD-DC passed test Replications
      Starting test: RidManager
         ......................... MEDMOD-DC passed test RidManager
      Starting test: Services
         ......................... MEDMOD-DC passed test Services
      Starting test: SystemLog
         ......................... MEDMOD-DC passed test SystemLog
      Starting test: VerifyReferences
         ......................... MEDMOD-DC passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : medmod
      Starting test: CheckSDRefDom
         ......................... medmod passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... medmod passed test CrossRefValidation

   Running enterprise tests on : medmod.local
      Starting test: LocatorCheck
         ......................... medmod.local passed test LocatorCheck
      Starting test: Intersite
         ......................... medmod.local passed test Intersite

Thanks for your help with this guys
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 34

Expert Comment

by:Seth Simmons
ID: 39962524
that happens because adprep /rodcprep wasn't done

Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers
http://support.microsoft.com/kb/967482
0
 

Author Comment

by:dtw3
ID: 39962533
So if I'm not going to add a read only dc to the forest I should be ok?

"If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep. "
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 39962542
yes; i saw this issue at my last place where they did a 2003 upgrade and didn't use that switch.  no plans to put in RODC and everything else is fine
0
 
LVL 17

Accepted Solution

by:
Brad Bouchard earned 500 total points
ID: 39966554
I answered his original question and then he asked another question on this same post.  I feel that I should receive the points for this one and if a separate question needs created to address his RODC issue then that should happen and assign the points to Seth Simmons.
0
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39966580
I feel that I should receive the points for this one and if a separate question needs created to address his RODC issue then that should happen and assign the points to Seth Simmons.

On a separate question I meant.
0
 

Author Comment

by:dtw3
ID: 39966577
I agree with you Wizard.  I tried using the  "Accept Multiple Solutions" option but I must have done something wrong.  I would like this changed
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This script can help you clean up your user profile database by comparing profiles to Active Directory users in a particular OU, and removing the profiles that don't match.
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question