Active Directory Services Best Practices Analyzer Cannot Collect ....

Trying to clean up AD.. DCDIAG /v /e /c and DNSLint come up clean. DNS BPA is fine, but the best practices analyzer for AD DS keeps showing at least 15 items like "The AD DS BPA should be able to collect data about..."
ranging from number of domain controllers, # of GCs, connectivity of RID Master, domain name of various DNS SRV records.
I have confirmed the SRV records are there and the DC has permissions to read them. I tried running the BPA powershell file and it returns this:
WARNING: Cannot collect the list of DCs in current domain
FullyQualifiedErrorId:
ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Manage
ment.Commands.GetADDomainController
ScriptLineNumber: 2342
OffsetInLine: 13
ScriptLine:             Get-ADDomainController -Filter $filter -Server $computer

Exception:
Type: Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException
Message: Directory object not found
InnerException:
Type:
System.ServiceModel.FaultException`1[[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControlle
rFault, Microsoft.ActiveDirectory.Management, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]
Message: Active Directory returned an error processing the operation.
InnerException: N/A


Mixture of 2008 R2 , 2012 and 2012 R2 DCs- at 2008 domain functional level and 2003 FFL (planning on updating both to 2008 R2 real soon)
LVL 1
mcburn13Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

compdigit44Commented:
Which OS are your running the BPA from?
0
mcburn13Author Commented:
Was able to recreate from any number of our 2008 R2, 2012 or 2013 R2 DCs
0
compdigit44Commented:
I know you mentioned that you ran dcdiag but did you run:   repadmin /showrepl

Also the following article talks about permissions problems regarding the "Access this computer from network right."

http://technet.microsoft.com/en-us/library/ff646935%28v=ws.10%29.aspx
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

mcburn13Author Commented:
Unfortunately I've done all the normal diagnostics (repadmin, dcdiag, dnslint etc.) Did an extensive search and anything I found that even looked like it may fit the symptom ended up going no where.  I found something about Unresolved SIDs in GPOs and have taken them off all of the built in groups, but not sure if there are there somewhere based on membership or nested membership that would affect this.  Also have a decent amount of SIDHistory on objects (not built in groups obviously) but haven't totally ruled that out yet.
0
compdigit44Commented:
Have you checked the suggestion in this article though?
http://technet.microsoft.com/en-us/library/ff646935%28v=ws.10%29.aspx
0
mcburn13Author Commented:
Yeah I'm sure every article you find I have already perused - but keep 'em coming I'm sort of running out of ideas on this. Going to look more at process monitor and network capture activity while running the BPA powershell.
0
mcburn13Author Commented:
Turns out the root cause is we have Riverbed devices that set themselves up as RODCs in AD.  One of these I actually worked with Microsoft on a while back when they caused W2012 R2 Group Policy Mgmt Console to crash (when clicking on top level of domain in console).
They had us add the RODC to a site in AD Sites/Services.  It is the existence of the serverReference backlink attribute on the CN=SERVER,CN=SERVERS,CN=SITE,CN=CONFIGURATION,DC=DOMAIN,DC=COM.  I removed that and the BPA worked as expected.  BUT now the 2012 R2 GP Console crashes!
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
mcburn13Author Commented:
No one else had anything constructive to offer
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.