Solved

W2K8R2 DCDiag issues, while W2K3 DCs in the same domain ok

Posted on 2014-04-25
14
Medium Priority
430 Views
Last Modified: 2014-09-17
Anyone have any idea where I should start with this one?  This is from one W2K8R2 DC, although multiple show the same errors.  Our W2K3 DCs are fine and pass all tests.  FWIW, the RID is running on a W2K8R2 DC right now.
Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = NJDC03

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: NJ\NJDC03

      Starting test: Connectivity

         ......................... NJDC03 passed test Connectivity



Doing primary tests

   
   Testing server: NJ\NJDC03

      Starting test: Advertising

         ......................... NJDC03 passed test Advertising

      Starting test: FrsEvent

         ......................... NJDC03 passed test FrsEvent

      Starting test: DFSREvent

         ......................... NJDC03 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... NJDC03 passed test SysVolCheck

      Starting test: KccEvent

         ......................... NJDC03 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Warning: NJDC03 could not resolve the name for role

         Rid Owner.
         The name error was Not Found.

         ......................... NJDC03 failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... NJDC03 passed test MachineAccount

      Starting test: NCSecDesc

         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=nba-hq,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=nba-hq,DC=com
         ......................... NJDC03 failed test NCSecDesc

      Starting test: NetLogons

         [NJDC03] User credentials does not have permission to perform this

         operation.

         The account used for this test must have network logon privileges

         for this machine's domain.

         ......................... NJDC03 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... NJDC03 passed test ObjectsReplicated

      Starting test: Replications

         [Replications Check,NJDC03] DsReplicaGetInfo(PENDING_OPS, NULL)

         failed, error 0x2105 "Replication access was denied."

         ......................... NJDC03 failed test Replications

      Starting test: RidManager

         ldap_search_sW of CN=RID Manager$,CN=System,DC=nba-hq,DC=com for FSMO

         Role Owner failed with 2: The system cannot find the file specified.

         ......................... NJDC03 failed test RidManager

      Starting test: Services

            Could not open NTDS Service on NJDC03, error 0x5

            "Access is denied."

         ......................... NJDC03 failed test Services

      Starting test: SystemLog

         ......................... NJDC03 failed test SystemLog

      Starting test: VerifyReferences

         ......................... NJDC03 passed test VerifyReferences

   
   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : nba-hq

      Starting test: CheckSDRefDom

         ......................... nba-hq passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... nba-hq passed test CrossRefValidation

   
   Running enterprise tests on : abn-hq.com

      Starting test: LocatorCheck

         ......................... abn-hq.com passed test LocatorCheck

      Starting test: Intersite

         ......................... abn-hq.com passed test Intersite

Question by:seang86s
14 Comments
 
LVL 7

Accepted Solution

by:
Delete earned 1000 total points
ID: 40023587
Can you re-run your dcdiag test from an elevated command prompt and post the results?  Right click "Command Prompt" and Run as administrator.
0
 
LVL 35

Assisted Solution

by:Seth Simmons
Seth Simmons earned 1000 total points
ID: 40024017
NJDC03 failed test NCSecDesc

saw this at my last place...it means when you ran adprep for 2008 R2 on your 2003 servers, you didn't use /rodcprep which means you can't install a read-only domain controller until you do that

if you have no plans to install an RODC you can ignore it

Dcdiag fails for NCSecDesc test on Windows 2008 Domain Controllers
http://support.microsoft.com/kb/967482
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40024021
agree with the previous comment on the other errors; try running elevated and see if the access denied and RID messages go away.  i've had similar issues before with dcdiag not running elevated but the NCSecDesc failure is definitely unrelated to that
0
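A triage sketch for the two points made in the comments above (access-denied failures from a non-elevated run versus the NCSecDesc finding tied to `/rodcprep`), added here as an example and not posted by any participant in the thread. The function `triage`, the bucket names and the sample text are constructed for illustration.

```python
import re

# Constructed sample shaped like the dcdiag output in the question (not a real capture).
SAMPLE = """\
      Starting test: Connectivity
         ......................... NJDC03 passed test Connectivity
      Starting test: NCSecDesc
         Error NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         ......................... NJDC03 failed test NCSecDesc
      Starting test: Replications
         [Replications Check,NJDC03] DsReplicaGetInfo(PENDING_OPS, NULL)
         failed, error 0x2105 "Replication access was denied."
         ......................... NJDC03 failed test Replications
      Starting test: RidManager
         ldap_search_sW of CN=RID Manager$,CN=System,DC=nba-hq,DC=com for FSMO
         Role Owner failed with 2: The system cannot find the file specified.
         ......................... NJDC03 failed test RidManager
      Starting test: Services
            Could not open NTDS Service on NJDC03, error 0x5
            "Access is denied."
         ......................... NJDC03 failed test Services
"""

# Markers taken from the messages in the thread; the bucket names are assumptions.
ACCESS = re.compile(r"access (is|was) denied|does not have permission|error 0x5\b", re.I)
RODC = "Replicating Directory Changes In Filtered Set"

def triage(text):
    """Return {failed test name: bucket}; passed tests are omitted."""
    buckets, name, detail = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        start = re.match(r"Starting test: (\S+)", line)
        verdict = re.match(r"\.{5,} .+ (passed|failed) test", line)
        if start:                      # name comes from here: verdict lines can wrap
            name, detail = start.group(1), []
        elif verdict and name:
            if verdict.group(1) == "failed":
                body = " ".join(detail)  # re-join messages dcdiag wrapped across lines
                buckets[name] = ("rodcprep" if name == "NCSecDesc" and RODC in body
                                 else "rerun-elevated" if ACCESS.search(body) else "recheck")
            name = None
        elif line:
            detail.append(line)
    return buckets

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Tests left in `recheck` carry no access-denied text, so they are the ones to compare against the output of an elevated run.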

 
LVL 9

Expert Comment

by:VirastaR
ID: 40025836
Hi,

This is what I found..

Starting test: KnowsOfRoleHolders

         Warning: NJDC03 could not resolve the name for role

         Rid Owner.
         The name error was Not Found.

         ......................... NJDC03 failed test KnowsOfRoleHolders

Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=nba-hq,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

[NJDC03] User credentials does not have permission to perform this

         operation.


         The account used for this test must have network logon privileges

         for this machine's domain.

         ......................... NJDC03 failed test NetLogons

  [Replications Check,NJDC03] DsReplicaGetInfo(PENDING_OPS, NULL)

        failed, error 0x2105 "Replication access was denied."

         ......................... NJDC03 failed test Replications

      Starting test: RidManager

         ldap_search_sW of CN=RID Manager$,CN=System,DC=nba-hq,DC=com for FSMO

         Role Owner failed with 2: The system cannot find the file specified.

         ......................... NJDC03 failed test RidManager


The simple recommendation from my side is to run the

Microsoft Exchange Best Practices Analyzer v2.8  from W2K8R2 DC.

Follow through the report and perform steps and recommendations as needed.

Hope that helps :)
0
 
LVL 7

Expert Comment

by:Delete
ID: 40326650
Netminder - How was my answer not a solution (unless of course the OP stated their issue wasn't fixed)?  The messages being received state access denied, which can occur if the command is not run from an elevated prompt.
0
 
LVL 35

Expert Comment

by:Seth Simmons
ID: 40326680
Justin - I found 2 issues with this.  1)  I agree where you're coming from and did think of that.  However, the author did not add any comments, answer your question or explain anything which leaves it questionable.  2) The comment I made clearly explains one warning that would occur if adprep with /rodcprep was never done.  If the author could answer your question and post the output of dcdiag when run elevated then either yours or both of our comments can be considered part of the solution; yours of course being the primary.
0
 
LVL 7

Expert Comment

by:Delete
ID: 40326717
I guess my view is that running DCDIAG under an elevated command prompt resolves 6 of the 7 errors that were being received.  You are correct that you did provide an explanation for the NCSecDesc so yes if the OP was asking about that specific error as well then you should get 70 pts.  I guess I just don't see that as worth flagging the question to get it re-opened for an explanation.
0
 
LVL 7

Expert Comment

by:Delete
ID: 40327129
Netminder - With all due respect, but right-clicking the command prompt to run as an administrator IS a solution.  Sure my response was in the form of a question simply because I knew the action I provided would resolve the majority of the errors and wanted the OP to post the results so that we could provide any further feedback if needed for any of the checks that couldn't run before didn't pass.  So YES my response was still in fact a solution.  And trust me I don't care about the points either.

You can refer here as well: http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_27058326.html

You state: "The REAL issue here is that the Asker closed this question because he had abandoned it and was locked out of the Question Wizard -- and for no other reason."  So I guess my question back to you would be how do you know that an accepted solution by an OP wasn't in fact what solved their issue?
0
 
LVL 7

Expert Comment

by:Delete
ID: 40329482
Netminder - I appreciate your time and honesty on this but I don't see where the justification is to revert an accepted solution by the Asker.  When you state that you nor anyone else knows if the answer was truly correct you are exactly right, but that is also why I don't follow the reasoning of automatically assuming the solution accepted wasn't correct.  Perhaps I could have phrased the solution better (even though there was a method to my madness), but since the answer is within the question my guess is that it would have been flagged regardless.

As for participation from the Asker again I agree, however none of EE's documentation states that it is required for the Asker to provide any kind of response so I guess that's an unwritten rule.  So as a suggestion if EE is going to base their judgment on criteria such as the Asker not providing a response to the accepted solution then perhaps you should make the comment field required when selecting an accepted solution.  I have seen plenty of questions where the first response fixes the Asker's issue and they provide an accepted solution and no comment.  But from what you are saying EE considers all of those incomplete meaning all awarded points should be revoked as well because the solution wasn't validated by the Asker through a comment (I guess I figured an accepted solution was considered validation as I can't find where it states that a comment is required).

As for the points, if any are to be awarded, go ahead and give them to Seth as I will be closing my account and taking my services elsewhere.
0


Question has a verified solution.
