DCDIAG VerifyEnterpriseReferences error cleanup ?

People,

Before promoting my new Domain Controller server, the result from DCDIAG on my existing DC/GC showing as error below:

VerifyEnterpriseReferences section:

CN=DC01-2KS,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=com
.....
CN=W2K3DC01-PROD,OU=Domain Controllers 2k3,OU=Domain Controllers,DC=domain,DC=com
....
there are around 55 lines of the above example.

Do I need to worry or cleanup the entries above before promoting new DC/GC ?

So where can I find and delete those entries if it is not needed?

Thanks,
LVL 11
Senior IT System EngineerIT ProfessionalAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David Johnson, CD, MVPOwnerCommented:
Senior IT System EngineerIT ProfessionalAuthor Commented:
So is that automated or do I have to manually go thorough ADSI edit ?
David Johnson, CD, MVPOwnerCommented:
pretty much automated none of the tools shown use adsiedit
Need More Insight Into What’s Killing Your Network

Flow data analysis from SolarWinds NetFlow Traffic Analyzer (NTA), along with Network Performance Monitor (NPM), can give you deeper visibility into your network’s traffic.

Will SzymkowskiSenior Solution ArchitectCommented:
As stated it is always a good idea to cleanup any warnings or errors that appear in dcdiag or in the logs. This goes for demoting and promoting.

I would also run the below commands as well to ensure consistency..
repadmin /replsum
repadmin /showrepl
repadmin /bridgeheads

netdom query dc
netdom query fsmo

It is also very important to ensure that in DNS under your FQDN zone that the _msdcs.domain.com folder does not have any references to any old DC's. These are where the SRV record info is stored and if there are orphaned entries in there it can create a lot of issues when machines query for specific services.

Will.
Senior IT System EngineerIT ProfessionalAuthor Commented:
Somehow this is the only error that I got so far when running the DCDIAG command in my Schema Master role:

 Starting test: Replications
    REPLICATION-RECEIVED LATENCY WARNING
    PRODDC01-VM:  Current time is 2015-02-27 15:08:19.
       DC=ForestDnsZones,DC=domain,DC=com
          Last replication received from SiteOffice2012DC01 at 2014-08-07 10:47:09
          WARNING:  This latency is over the Tombstone Lifetime of 60 days!
       DC=DomainDnsZones,DC=domain,DC=com
          Last replication received from SiteOffice2012DC01 at 2014-08-07 11:02:42
          WARNING:  This latency is over the Tombstone Lifetime of 60 days!
       CN=Schema,CN=Configuration,DC=domain,DC=com
          Last replication received from SiteOffice2012DC01 at 2014-08-07 10:47:09
          WARNING:  This latency is over the Tombstone Lifetime of 60 days!
       CN=Configuration,DC=domain,DC=com
          Last replication received from SiteOffice2012DC01 at 2014-08-07 10:47:09
          WARNING:  This latency is over the Tombstone Lifetime of 60 days!
       DC=domain,DC=com
          Last replication received from SiteOffice2012DC01 at 2014-08-07 11:04:02
          WARNING:  This latency is over the Tombstone Lifetime of 60 days!
    ......................... PRODDC01-VM passed test Replications

Open in new window


Do I need to worry about it ?

because the server above SiteOffice2012DC01 is running fine with no issue at all.
David Johnson, CD, MVPOwnerCommented:
I would worry about it..

You could try forcing a replication from proddc01 -> siteoffice2012DC01.. Which is your most up to date domain controller?
Howto:
Open Active Directory Sites and Services: On the Start menu, point to Administrative Tools, and then click Active Directory Sites and Services. In the console tree, expand Sites, and then expand the site to which you want to force replication from the updated server. Expand the Servers container to display the list of servers that are currently configured for that site. Expand the server objects and click their NTDS Settings objects to display their connection objects in the details pane. Find a server that has a connection object from the server on which you made the updates. Click NTDS Settings below the server object. In the details pane, right-click the connection object whose From Server is the domain controller that has the updates that you want to replicate, and then click Replicate Now. When the Replicate Now message box appears, review the information, and then click OK. http://bit.ly/1840Kfh
Senior IT System EngineerIT ProfessionalAuthor Commented:
Ok, I have already deleted some of the old computer object which was previously running as Win2003 DC.

But somehow the DCDIAG /V /C /D still showing the following error entries:

[1] Problem: Missing Expected Value

Base Object:
CN=SiteOffice1-2K3-DC01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=com
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: frsComputerReference
Value Object Description: "DSA Object"

Recommended Action: Check if this server is deleted, and if so clean up this DCs SYSVOL FRS Member Object.  
Also see Knowledge Base Article  Q312862

Open in new window


There are still lots of them, but when I search according to the example above "SiteOffice1-2K3-DC01" the computer object is no more available in AD.

So where can I safely delete those entries ? should I use ADSI Edit and go to the container maually one by one deleting the entries which is no longer active in my AD domain ?
David Johnson, CD, MVPOwnerCommented:

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Senior IT System EngineerIT ProfessionalAuthor Commented:
Thanks
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.