Solved

Active Directory Services Best Practices Analyzer Cannot Collect ....

Posted on 2014-10-01
9
1,494 Views
Last Modified: 2014-10-26
Trying to clean up AD.. DCDIAG /v /e /c and DNSLint come up clean. DNS BPA is fine, but the best practices analyzer for AD DS keeps showing at least 15 items like "The AD DS BPA should be able to collect data about..."
ranging from number of domain controllers, # of GCs, connectivity of RID Master, domain name of various DNS SRV records.
I have confirmed the SRV records are there and the DC has permissions to read them. I tried running the BPA powershell file and it returns this:
WARNING: Cannot collect the list of DCs in current domain
FullyQualifiedErrorId:
ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException,Microsoft.ActiveDirectory.Manage
ment.Commands.GetADDomainController
ScriptLineNumber: 2342
OffsetInLine: 13
ScriptLine:             Get-ADDomainController -Filter $filter -Server $computer

Exception:
Type: Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException
Message: Directory object not found
InnerException:
Type:
System.ServiceModel.FaultException`1[[schemas.microsoft.com._2008._1.ActiveDirectory.CustomActions.GetADDomainControlle
rFault, Microsoft.ActiveDirectory.Management, Version=6.3.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35]]
Message: Active Directory returned an error processing the operation.
InnerException: N/A


Mixture of 2008 R2 , 2012 and 2012 R2 DCs- at 2008 domain functional level and 2003 FFL (planning on updating both to 2008 R2 real soon)
0
Comment
Question by:mcburn13
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
9 Comments
 
LVL 20

Expert Comment

by:compdigit44
ID: 40362610
Which OS are your running the BPA from?
0
 
LVL 1

Author Comment

by:mcburn13
ID: 40362618
Was able to recreate from any number of our 2008 R2, 2012 or 2013 R2 DCs
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 40363707
I know you mentioned that you ran dcdiag but did you run:   repadmin /showrepl

Also the following article talks about permissions problems regarding the "Access this computer from network right."

http://technet.microsoft.com/en-us/library/ff646935%28v=ws.10%29.aspx
0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 1

Author Comment

by:mcburn13
ID: 40364750
Unfortunately I've done all the normal diagnostics (repadmin, dcdiag, dnslint etc.) Did an extensive search and anything I found that even looked like it may fit the symptom ended up going no where.  I found something about Unresolved SIDs in GPOs and have taken them off all of the built in groups, but not sure if there are there somewhere based on membership or nested membership that would affect this.  Also have a decent amount of SIDHistory on objects (not built in groups obviously) but haven't totally ruled that out yet.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 40364897
Have you checked the suggestion in this article though?
http://technet.microsoft.com/en-us/library/ff646935%28v=ws.10%29.aspx
0
 
LVL 1

Author Comment

by:mcburn13
ID: 40365904
Yeah I'm sure every article you find I have already perused - but keep 'em coming I'm sort of running out of ideas on this. Going to look more at process monitor and network capture activity while running the BPA powershell.
0
 
LVL 1

Accepted Solution

by:
mcburn13 earned 0 total points
ID: 40395333
Turns out the root cause is we have Riverbed devices that set themselves up as RODCs in AD.  One of these I actually worked with Microsoft on a while back when they caused W2012 R2 Group Policy Mgmt Console to crash (when clicking on top level of domain in console).
They had us add the RODC to a site in AD Sites/Services.  It is the existence of the serverReference backlink attribute on the CN=SERVER,CN=SERVERS,CN=SITE,CN=CONFIGURATION,DC=DOMAIN,DC=COM.  I removed that and the BPA worked as expected.  BUT now the 2012 R2 GP Console crashes!
0
 
LVL 1

Author Closing Comment

by:mcburn13
ID: 40404659
No one else had anything constructive to offer
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A hard and fast method for reducing Active Directory Administrators members.
I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

628 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question