seang86s
asked on
W2K8R2 DCDiag issues, while W2K3 DCs in the same domain ok
Anyone have any idea where I should start with this one? This is from one W2K8R2 DC, although multiple show the same errors. Our W2K3 DCs are fine and pass all tests. FWIW, the RID is running on a W2K8R2 DC right now.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = NJDC03
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: NJ\NJDC03
Starting test: Connectivity
......................... NJDC03 passed test Connectivity
Doing primary tests
Testing server: NJ\NJDC03
Starting test: Advertising
......................... NJDC03 passed test Advertising
Starting test: FrsEvent
......................... NJDC03 passed test FrsEvent
Starting test: DFSREvent
......................... NJDC03 passed test DFSREvent
Starting test: SysVolCheck
......................... NJDC03 passed test SysVolCheck
Starting test: KccEvent
......................... NJDC03 passed test KccEvent
Starting test: KnowsOfRoleHolders
Warning: NJDC03 could not resolve the name for role
Rid Owner.
The name error was Not Found.
......................... NJDC03 failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... NJDC03 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=nba-hq,DC=com
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=nba-hq,DC=com
......................... NJDC03 failed test NCSecDesc
Starting test: NetLogons
[NJDC03] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... NJDC03 failed test NetLogons
Starting test: ObjectsReplicated
......................... NJDC03 passed test ObjectsReplicated
Starting test: Replications
[Replications Check,NJDC03] DsReplicaGetInfo(PENDING_OPS, NULL)
failed, error 0x2105 "Replication access was denied."
......................... NJDC03 failed test Replications
Starting test: RidManager
ldap_search_sW of CN=RID Manager$,CN=System,DC=nba-hq,DC=com for FSMO
Role Owner failed with 2: The system cannot find the file specified.
......................... NJDC03 failed test RidManager
Starting test: Services
Could not open NTDS Service on NJDC03, error 0x5
"Access is denied."
......................... NJDC03 failed test Services
Starting test: SystemLog
......................... NJDC03 failed test SystemLog
Starting test: VerifyReferences
......................... NJDC03 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : nba-hq
Starting test: CheckSDRefDom
......................... nba-hq passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... nba-hq passed test CrossRefValidation
Running enterprise tests on : abn-hq.com
Starting test: LocatorCheck
......................... abn-hq.com passed test LocatorCheck
Starting test: Intersite
......................... abn-hq.com passed test Intersite
Agree with the previous comment on the other errors; try running elevated and see if the access denied and RID messages go away. I've had similar issues before with dcdiag not running elevated, but the NCSecDesc failure is definitely unrelated to that.
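One way to sort the failures in a report like the one in the question before re-running DCDiag from an elevated prompt (an added example, not part of the thread): it separates tests that printed an explicit access-denied message from the NCSecDesc "Filtered Set" ACL error and from everything else. The `triage` function and bucket names are assumptions of this example, and the sample report is constructed from the format shown above.

```python
import re

# Constructed sample, abbreviated from the DCDiag output format in the question.
SAMPLE = """\
Starting test: KnowsOfRoleHolders
Warning: NJDC03 could not resolve the name for role
Rid Owner.
The name error was Not Found.
......................... NJDC03 failed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... NJDC03 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=example,DC=com
......................... NJDC03 failed test NCSecDesc
Starting test: Services
Could not open NTDS Service on NJDC03, error 0x5
"Access is denied."
......................... NJDC03 failed test Services
Starting test: Replications
[Replications Check,NJDC03] DsReplicaGetInfo(PENDING_OPS, NULL)
failed, error 0x2105 "Replication access was denied."
......................... NJDC03 failed test Replications
"""

# Messages that say outright that the caller lacked rights.
DENIED = re.compile(r"access (is|was) denied|does not have permission", re.I)
# Result line; the test name may wrap to the next line, so it is optional here.
RESULT = re.compile(r"^\.+\s+(\S+) (passed|failed) test\s*(\S*)$")

def triage(text):
    """Group failed DCDiag tests by the kind of message they printed."""
    # Bucket names are this example's own, not DCDiag terminology.
    buckets = {"access_denied": [], "filtered_set_acl": [], "other": []}
    name, body = None, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Starting test:"):
            name, body = line.split(":", 1)[1].strip(), []
        elif (m := RESULT.match(line)) and name:
            if m.group(2) == "failed":
                msg = " ".join(body)  # rejoin wrapped message lines
                key = ("filtered_set_acl" if "In Filtered Set" in msg
                       else "access_denied" if DENIED.search(msg) else "other")
                buckets[key].append(name)
            name = None
        elif name:
            body.append(line)
    return buckets
```

Tests in `access_denied` are the ones to compare against an elevated run; `filtered_set_acl` is the failure this thread attributes to a separate cause.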
Hi,
This is what I found..
Starting test: KnowsOfRoleHolders
Warning: NJDC03 could not resolve the name for role
Rid Owner.
The name error was Not Found.
......................... NJDC03 failed test KnowsOfRoleHolders
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=nba-hq,DC=com
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
[NJDC03] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... NJDC03 failed test NetLogons
[Replications Check,NJDC03] DsReplicaGetInfo(PENDING_OPS, NULL)
failed, error 0x2105 "Replication access was denied."
......................... NJDC03 failed test Replications
Starting test: RidManager
ldap_search_sW of CN=RID Manager$,CN=System,DC=nba-hq,DC=com for FSMO
Role Owner failed with 2: The system cannot find the file specified.
......................... NJDC03 failed test RidManager
The simple recommendation from my side is to run the
Microsoft Exchange Best Practices Analyzer v2.8 from W2K8R2 DC.
Follow through the report and perform steps and recommendations as needed.
Hope that helps :)
Netminder - How was my answer not a solution (unless of course the OP stated their issue wasn't fixed)? The messages being received state access denied, which can occur if the command is not run from an elevated prompt.
Justin - I found 2 issues with this. 1) I agree where you're coming from and did think of that. However, the author did not add any comments, answer your question or explain anything, which leaves it questionable. 2) The comment I made clearly explains one warning that would occur if adprep with /rodcprep was never done. If the author could answer your question and post the output of dcdiag when run elevated, then either yours or both of our comments can be considered part of the solution; yours of course being the primary.
I guess my view is that running DCDIAG under an elevated command prompt resolves 6 of the 7 errors that were being received. You are correct that you did provide an explanation for the NCSecDesc so yes if the OP was asking about that specific error as well then you should get 70 pts. I guess I just don't see that as worth flagging the question to get it re-opened for an explanation.
Netminder - With all due respect, but right-clicking the command prompt to run as an administrator IS a solution. Sure my response was in the form of a question simply because I knew the action I provided would resolve majority of the errors and wanted the OP to post the results so that we could provide any further feedback if needed for any of the checks that couldn't run before didn't pass. So YES my response was still in fact a solution. And trust me I don't care about the points either.
You can refer here as well: https://www.experts-exchange.com/questions/27058326/dcdiag-errors.html
You state
The REAL issue here is that the Asker closed this question because he had abandoned it and was locked out of the Question Wizard -- and for no other reason.. So I guess my question back to you would be how do you know that an accepted solution by an OP wasn't in fact what solved their issue?
Netminder - I appreciate your time and honesty on this but I don't see where the justification is to revert an accepted solution by the Asker. When you state that you nor anyone else knows if the answer was truly correct you are exactly right, but that is also why I don't follow the reasoning of automatically assuming the solution accepted wasn't correct. Perhaps I could have phrased the solution better (even though there was a method to my madness), but since the answer is within the question my guess is that it would have been flagged regardless.
As for participation from the Asker again I agree, however none of EE's documentation states that it is required for the Asker to provide any kind of response so I guess that's an unwritten rule. So as a suggestion if EE is going to base their judgment on criteria such as the Asker not providing a response to the accepted solution then perhaps you should make the comment field required when selecting an accepted solution. I have seen plenty of questions where the first response fixes the Asker's issue and they provide an accepted solution and no comment. But from what you are saying EE considers all of those incomplete meaning all awarded points should be revoked as well because the solution wasn't validated by the Asker through a comment (I guess I figured an accepted solution was considered validation as I can't find where it states that a comment is required).
As for the points, if any are to be awarded, go ahead and give them to Seth as I will be closing my account and taking my services elsewhere.