Solved

W2K8R2 DCDiag issues, while W2K3 DCs in the same domain ok

Posted on 2014-04-25
Last Modified: 2014-09-17
Anyone have any idea where I should start with this one?  This is from one W2K8R2 DC, although multiple show the same errors.  Our W2K3 DCs are fine and pass all tests.  FWIW, the RID is running on a W2K8R2 DC right now.
Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = NJDC03

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: NJ\NJDC03

      Starting test: Connectivity

         ......................... NJDC03 passed test Connectivity



Doing primary tests

   
   Testing server: NJ\NJDC03

      Starting test: Advertising

         ......................... NJDC03 passed test Advertising

      Starting test: FrsEvent

         ......................... NJDC03 passed test FrsEvent

      Starting test: DFSREvent

         ......................... NJDC03 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... NJDC03 passed test SysVolCheck

      Starting test: KccEvent

         ......................... NJDC03 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Warning: NJDC03 could not resolve the name for role

         Rid Owner.
         The name error was Not Found.

         ......................... NJDC03 failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... NJDC03 passed test MachineAccount

      Starting test: NCSecDesc

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=nba-hq,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=nba-hq,DC=com
         ......................... NJDC03 failed test NCSecDesc

      Starting test: NetLogons

         [NJDC03] User credentials does not have permission to perform this

         operation.

         The account used for this test must have network logon privileges

         for this machine's domain.

         ......................... NJDC03 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... NJDC03 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,NJDC03] DsReplicaGetInfo(PENDING_OPS, NULL)

         failed, error 0x2105 "Replication access was denied."

         ......................... NJDC03 failed test Replications

      Starting test: RidManager

         ldap_search_sW of CN=RID Manager$,CN=System,DC=nba-hq,DC=com for FSMO

         Role Owner failed with 2: The system cannot find the file specified.

         ......................... NJDC03 failed test RidManager

      Starting test: Services

            Could not open NTDS Service on NJDC03, error 0x5

            "Access is denied."

         ......................... NJDC03 failed test Services

      Starting test: SystemLog

         ......................... NJDC03 failed test SystemLog

      Starting test: VerifyReferences

         ......................... NJDC03 passed test VerifyReferences

   
   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : nba-hq

      Starting test: CheckSDRefDom

         ......................... nba-hq passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... nba-hq passed test CrossRefValidation

   
   Running enterprise tests on : abn-hq.com

      Starting test: LocatorCheck

         ......................... abn-hq.com passed test LocatorCheck

      Starting test: Intersite

         ......................... abn-hq.com passed test Intersite

Question by:seang86s
14 Comments
 
LVL 7

Accepted Solution

by:Delete
Delete earned 250 total points
Can you re-run your dcdiag test from an elevated command prompt and post the results?  Right click "Command Prompt" and Run as administrator.
0
 
LVL 34

Assisted Solution

by:Seth Simmons
Seth Simmons earned 250 total points
NJDC03 failed test NCSecDesc

saw this at my last place...it means when you ran adprep for 2008 R2 on your 2003 servers, you didn't use /rodcprep which means you can't install a read-only domain controller until you do that

if you have no plans to install an RODC you can ignore it

Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers
http://support.microsoft.com/kb/967482
0
 
LVL 34

Expert Comment

by:Seth Simmons
agree with the previous comment on the other errors; try running elevated and see if the access denied and RID messages go away.  i've had similar issues before with dcdiag not running elevated but the NCSecDesc failure is definitely unrelated to that
0
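
The triage suggested in the comments above, as an added example that is not part of the original thread: it checks whether the session is elevated and separates the NCSecDesc failure from failures whose output carries access-denied text. `Test-Elevated` and `Get-DcdiagFailure` are hypothetical names, and the sample is abridged from the output posted in the question.

```powershell
# Added example; function names are hypothetical, not part of dcdiag.
function Test-Elevated {
    # True when the current token holds the local Administrators role (an elevated prompt).
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DcdiagFailure {
    param([string]$Text)
    # Text after each "Starting test:" marker begins with the test name, then its output.
    $chunks = $Text -split 'Starting test:\s*'
    for ($i = 1; $i -lt $chunks.Count; $i++) {
        $flat = ($chunks[$i] -replace '\s+', ' ').Trim()
        $name = ($flat -split ' ')[0]
        if ($flat -notmatch ('failed test ' + [regex]::Escape($name))) { continue }
        $hint = if ($name -eq 'NCSecDesc') {
            'Permissions on the naming context; see adprep /rodcprep (KB 967482)'
        } elseif ($flat -match 'denied|does not have permission') {
            'Access-denied text present; re-run dcdiag from an elevated prompt'
        } else {
            'No access-denied text; compare against an elevated run'
        }
        New-Object PSObject -Property @{ Test = $name; Hint = $hint } | Select-Object Test, Hint
    }
}

# Sample abridged from the output posted in the question.
$sample = @'
      Starting test: Advertising
         ......................... NJDC03 passed test Advertising
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         ......................... NJDC03 failed test NCSecDesc
      Starting test: Replications
         [Replications Check,NJDC03] DsReplicaGetInfo(PENDING_OPS, NULL)
         failed, error 0x2105 "Replication access was denied."
         ......................... NJDC03 failed test Replications
      Starting test: RidManager
         ldap_search_sW of CN=RID Manager$,CN=System,DC=nba-hq,DC=com for FSMO
         Role Owner failed with 2: The system cannot find the file specified.
         ......................... NJDC03 failed test RidManager
'@
if (-not (Test-Elevated)) { Write-Warning 'Session is not elevated; dcdiag may report access-denied failures.' }
Get-DcdiagFailure -Text $sample | Format-Table -AutoSize
# Live use: Get-DcdiagFailure -Text (dcdiag /s:NJDC03 | Out-String)
```

The code sticks to PowerShell 2.0 syntax, the version that ships with Windows Server 2008 R2.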
 
LVL 9

Expert Comment

by:VirastaR
Hi,

This is what I found..

Starting test: KnowsOfRoleHolders

         Warning: NJDC03 could not resolve the name for role

         Rid Owner.
         The name error was Not Found.

         ......................... NJDC03 failed test KnowsOfRoleHolders

Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=nba-hq,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

[NJDC03] User credentials does not have permission to perform this

         operation.


         The account used for this test must have network logon privileges

         for this machine's domain.

         ......................... NJDC03 failed test NetLogons

  [Replications Check,NJDC03] DsReplicaGetInfo(PENDING_OPS, NULL)

        failed, error 0x2105 "Replication access was denied."

         ......................... NJDC03 failed test Replications

      Starting test: RidManager

         ldap_search_sW of CN=RID Manager$,CN=System,DC=nba-hq,DC=com for FSMO

         Role Owner failed with 2: The system cannot find the file specified.

         ......................... NJDC03 failed test RidManager


The simple recommendation from my side is to run the Microsoft Exchange Best Practices Analyzer v2.8 from the W2K8R2 DC.

Follow through the report and perform steps and recommendations as needed.

Hope that helps :)
0
 
LVL 7

Expert Comment

by:Delete
Netminder - How was my answer not a solution (unless of course the OP stated their issue wasn't fixed)?  The messages being received state access denied, which can occur if the command is not run from an elevated prompt.
0
 
LVL 34

Expert Comment

by:Seth Simmons
Justin - I found 2 issues with this.  1)  I agree where you're coming from and did think of that.  However, the author did not add any comments, answer your question or explain anything which leaves it questionable.  2) The comment I made clearly explains one warning that would occur if adprep with /rodcprep was never done.  If the author could answer your question and post the output of dcdiag when run elevated then either yours or both of our comments can be considered part of the solution; yours of course being the primary.
0
 
LVL 7

Expert Comment

by:Delete
I guess my view is that running DCDIAG under an elevated command prompt resolves 6 of the 7 errors that were being received.  You are correct that you did provide an explanation for the NCSecDesc so yes if the OP was asking about that specific error as well then you should get 70 pts.  I guess I just don't see that as worth flagging the question to get it re-opened for an explanation.
0
 
LVL 7

Expert Comment

by:Delete
Netminder - With all due respect, but right-clicking the command prompt to run as an administrator IS a solution.  Sure my response was in the form of a question simply because I knew the action I provided would resolve the majority of the errors and wanted the OP to post the results so that we could provide any further feedback if needed for any of the checks that couldn't run before didn't pass.  So YES my response was still in fact a solution.  And trust me I don't care about the points either.

You can refer here as well: http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_27058326.html

You state "The REAL issue here is that the Asker closed this question because he had abandoned it and was locked out of the Question Wizard -- and for no other reason."  So I guess my question back to you would be how do you know that an accepted solution by an OP wasn't in fact what solved their issue?
0
 
LVL 7

Expert Comment

by:Delete
Netminder - I appreciate your time and honesty on this but I don't see where the justification is to revert an accepted solution by the Asker.  When you state that you nor anyone else knows if the answer was truly correct you are exactly right, but that is also why I don't follow the reasoning of automatically assuming the solution accepted wasn't correct.  Perhaps I could have phrased the solution better (even though there was a method to my madness), but since the answer is within the question my guess is that it would have been flagged regardless.

As for participation from the Asker again I agree, however none of EE's documentation states that it is required for the Asker to provide any kind of response so I guess that's an unwritten rule.  So as a suggestion if EE is going to base their judgment on criteria such as the Asker not providing a response to the accepted solution then perhaps you should make the comment field required when selecting an accepted solution.  I have seen plenty of questions where the first response fixes the Asker's issue and they provide an accepted solution and no comment.  But from what you are saying EE considers all of those incomplete meaning all awarded points should be revoked as well because the solution wasn't validated by the Asker through a comment (I guess I figured an accepted solution was considered validation as I can't find where it states that a comment is required).

As for the points, if any are to be awarded, go ahead and give them to Seth as I will be closing my account and taking my services elsewhere.
0
