Discussion:
GPO's Not Replicating
tbaze
2010-01-02 17:00:25 UTC
I'm having a great deal of trouble getting GPs to pull over the domain.
I've beaten my head against the wall and just cannot resolve it.

So, currently -


dcdiag turns up no errors on the pdc.
ipv6 is turned off.
domain authentication works perfectly.
I cannot telnet to port 389 on the DC but I can telnet to 23 (after
enabling telnet server). It shows that it is listening on 389 in
netstat.
SYSVOL properties are as they should be.
DC2 replicates/pulls the GP fine. It's everything outside of those 2
that does not.
The PDC/DNS server is using its own IP for DNS.
GPResult reads:
Group Policy Infrastructure failed due to the error listed below.

The network is not present or not started.

Note: Due to the GP Core failure, none of the other Group Policy
components processed their policy. Consequently, status information
for the other components is not available.


I've done a number of other things but cannot remember them all off the
top of my head.
--
tbaze
------------------------------------------------------------------------
tbaze's Profile: http://forums.techarena.in/members/169993.htm
View this thread: http://forums.techarena.in/active-directory/1288776.htm

http://forums.techarena.in
tbaze
2010-01-02 18:28:24 UTC
GPResult from GPUpdate and Group Modeling Report found here -
http://cid-acd77f58b67d0b4a.skydrive.live.com/browse.aspx/.Public
Cary Shultz
2010-01-02 21:15:51 UTC
TBaze,

Two quick things:

1) Windows Firewall turned on?
2) Most people will probably not go to the link that you provided.
Unfortunately, in today's world it is potentially too dangerous to go to a
link that is posted by an 'unknown' person.

What about doing this?

Post an unedited "ipconfig /all" results
Post an unedited "dcdiag.exe /c /v" results from both Domain Controllers
(dcdiag is part of the Support Tools....you could also do dcdiag /c /e /v,
where the "/e" will do it for all Domain Controllers).
And, my favorite tool - what do you see in the Event Logs? Specifically, in
the Application and in the System?

HTH,

Cary
tbaze
2010-01-02 22:33:41 UTC
Hi Cary.

Here you go:

Windows Firewall Service is disabled.

IPConfig
Windows PowerShell
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : M1CMS001
Primary Dns Suffix . . . . . . . : testadservs.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : testadservs.net

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82575EB Gigabit Network
Connection
Physical Address. . . . . . . . . : 00-30-48-BC-83-5F
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.17.250.51(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.17.250.5
DNS Servers . . . . . . . . . . . : 172.17.250.51
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{563CB7A9-906E-4C07-B724-0D66853F044B}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling
Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

DCDiag:

I was futzing around with FRS today a bit so is likely the cause of a
couple of the event log errors.

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
* Verifying that the local machine M1CMS001, is a Directory Server.
Home Server = M1CMS001
* Connecting to directory service on server M1CMS001.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=testadservs,DC=net,LDAP_SCOPE_SUBTREE,(objectCategory=ntDS
SiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site
Settings,CN=testadservs,CN=Sites,CN=Configuration,DC=testadservs,DC=net
Getting ISTG and options for the site
* Identifying all servers.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=testadservs,DC=net,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa
),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS
Settings,CN=M1CMS002,CN=Servers,CN=testadservs,CN=Sites,CN=Configuration,DC=ma
hcgss,DC=net
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS
Settings,CN=M1CMS001,CN=Servers,CN=testadservs,CN=Sites,CN=Configuration,DC=ma
hcgss,DC=net
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: testadservs\M1CMS001
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
........................ M1CMS001 passed test Connectivity

Doing primary tests

Testing server: testadservs\M1CMS001
Starting test: Advertising
The DC M1CMS001 is advertising itself as a DC and having a
DS.
The DC M1CMS001 is advertising as an LDAP server
The DC M1CMS001 is advertising as having a writeable
directory
The DC M1CMS001 is advertising as a Key Distribution Center
The DC M1CMS001 is advertising as a time server
The DS M1CMS001 is advertising as a GC.
........................ M1CMS001 passed test Advertising
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC M1CMS001 for domain testadservs.net in site
testadservs
Checking machine account for DC M1CMS001 on DC M1CMS001.
* SPN found :LDAP/M1CMS001.testadservs.net/testadservs.net
* SPN found :LDAP/M1CMS001.testadservs.net
* SPN found :LDAP/M1CMS001
* SPN found :LDAP/M1CMS001.testadservs.net/testadservs
* SPN found
:LDAP/f32f8b56-d06c-4972-a01c-8f3f8a18f154._msdcs.testadservs.net
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/f32f8b56-d06c-4972-a01c-8f3f8a18f154/testadservs.net
* SPN found :HOST/M1CMS001.testadservs.net/testadservs.net
* SPN found :HOST/M1CMS001.testadservs.net
* SPN found :HOST/M1CMS001
* SPN found :HOST/M1CMS001.testadservs.net/testadservs
* SPN found :GC/M1CMS001.testadservs.net/testadservs.net
[M1CMS001] No security related replication errors were found
on this DC! To target the connection to a
specific source DC use /ReplSource:<DC>.
........................ M1CMS001 passed test
CheckSecurityError
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
DC=ForestDnsZones,DC=testadservs,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=DomainDnsZones,DC=testadservs,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=testadservs,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,DC=testadservs,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=testadservs,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
........................ M1CMS001 passed test CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours
after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
A warning event occurred. EventID: 0x800034CE
Time Generated: 01/02/2010 16:50:21
Event String:
The File Replication Service did not grant the user
"tbazemore" access to the API "Get Internal Information"
Cary Shultz
2010-01-03 01:50:30 UTC
T,

Okay....so, you have two Domain Controllers. I ass/u/me that both are
running Windows Server 2008?

Looks like you do not have a multihomed DC...and that you have your internal
DNS Server IP Address in the DNS settings in the TCP/IP Configuration
settings. That is good.

What did you do with the File Replication Service? And, is it fixed again?
Here is a very simple test that I like to employ for basic FRS replication
testing:

On M1CMS001 in the shared sysvol folder create a simple .txt file (called
something like 'M1CMS001-test.txt') and put some text in it like the
following...."created on M1CMS001 on 2009 JAN 02 at 20:44. This should show
up on 'M1CMS002' shortly." Assuming that this completes successfully, do
the same thing on 'M1CMS002' (or whatever the other Domain Controller is
called). Do both .txt files show up on the 'other' Domain Controller?

Have you ever played with FRSDiag or with FRSUtil?

And, is all of the DCDIAG resultant file included? It seems like it kinda
got chopped off?

And - your account: is it a member of DA?

Cary
tbaze
2010-01-03 03:50:27 UTC
This post might be inappropriate. Click to display it.
Cary Shultz
2010-01-03 15:00:36 UTC
T,

Let's look at a couple of things first......then let's come back to FRS.

So, we have two Domain Controllers - M1CMS001 and M1CMS002. Here come my
first set of questions:

1) Please verify that the File Replication Service is running on both at
this time (one of the errors in the FRSDiag log is that FRS is not running
on 002)

2) Are both Domain Controllers also DNS Servers? My guess is going to be
that 002 is *NOT* a DNS Server. How about Global Catalog Servers?

3) Please perform some very basic tests (I know, I know....this is all
really basic....but I am HUGE on the basics...lots of things are assumed to
be correct....when they are not):
from 001 ping the following - ping M1CMS002, ping M1CMS002.testadservs.net,
ping 172.17.250.52 (or whatever the IP Address of 002 is). What happens?
from 002 ping the following - ping M1CMS001, ping
M1CMS001.testadservs.net, ping 172.17.250.51. What happens?

4) Take a close look at DNS. Are all of the records that should be there
actually there? Run dcdiag /fix. This is a quick little utility (er, the
"/fix" switch) that might help to resolve some issues.

5) Are you familiar with dnscmd? Open up the Support Tools command prompt
and do a "dnscmd /zoneprint testadservs.net > c:\DNS-testadservs-net.txt".
This will make things easier to see. Somewhere near the very top of that
output file you should see the CNAME entry for each and every Domain
Controller (er, assuming that you have a single domain Forest - like most
people do). You should see - except for in the obvious spots - both 001 and
002. Where will you *NOT* see 002? In the "gc" areas - assuming that 002
is not a GC - and in the "pdc" area, assuming that 001 holds the FSMO Role
of PDC Emulator. DNSLint might also be your friend here.

6) Taking a super quick look at the output, I notice that there are two
other Domain Controllers (LENAD01 and LENAD02)? Are these the 'real' names
of M1CMS001 and M1CMS002? Or, are there a total of four Domain Controllers
in your environment? Were the above mentioned two Domain Controllers - if
they no longer exist - possibly not properly removed from AD (read: simply
turned off and unplugged....or wiped and loaded.....or, turned off and stuck
in a closet somewhere)?

7) What do you see in the Event Logs - specifically in the Directory
Services and the File Replication Services?

8) And, for the most obvious of obvious - on each Domain Controller....open
up the command prompt and enter "net share". What do you see? What do you
*NOT* see?


Okay. I know that this is all really super basic.....but I like to
establish the basics before moving on to the fun stuff. Where I work I can
not tell you how many times these super simple basic questions point us to
the root cause...or at least eliminate lots of potential issues. I am not
smart enough to assume anything! ;-)

And, please pardon me if you have already done all of this. Again, I really
like to establish the basics before moving on to 'the hard stuff'!

Cary
Post by tbaze
C,
Let's see.
Yes, both servers are running 2K8R2.
FRS appears to be fixed - I had to recreate everything in CN=File
Replication Service - I also updated the NTFRS Subscriptions in
OU=Domain Controllers for both DCs.
My account is a member of Dns/Domain/Enterprise/SchemaAdmins and Group
Policy Creators.
I've tried the file creation, gave it an hour, no replication.. !&%(&
------------------------------------------------------------
FRSDiag v1.7 on 1/2/2010 10:49:18 PM
\M1CMS001 on 2010-01-02 at 10.49.18 PM
------------------------------------------------------------
Checking for errors/warnings in FRS Event Log ....
NtFrs 1/2/2010 9:59:30 PM Warning 13518 The File Replication Service
did not grant the user "tbaze" access to the API "Get Internal
Information". Permissions for "Get Internal Information" can be
changed by running regedit. Click on Start, Run, and type
regedit. Expand HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet,
Services, NtFrs, Parameters, Access Checks, and highlight "Get Internal
Information". Click on the toolbar option Security and then
Permissions... Access checks can be disabled for "Get Internal
Information". Double click on "Access checks are [Enabled or Disabled]"
and change the string to Disabled.
NtFrs 1/2/2010 9:54:11 PM Warning 13508 The File Replication Service is
having trouble enabling replication from M1CMS002 to M1CMS001 for
c:\windows\sysvol\domain using the DNS name M1CMS002.testadservs.net.
FRS will keep retrying. Following are some of the reasons you would
see this warning. [1] FRS can not correctly resolve the DNS name
M1CMS002.testadservs.net from this computer. [2] FRS is not running
on M1CMS002.testadservs.net. [3] The topology information in the
Active Directory Domain Services for this replica has not yet
replicated to all the Domain Controllers. This event log message
will appear once per connection, After the problem is fixed you will
see another event log message indicating that the connection has been
established.
WARNING: Found Event ID 13508 errors without trailing 13509 ... see
above for (up to) the 3 latest entries!
........ failed 2
Checking for errors in Directory Service Event Log ....
NTDS General 12/29/2009 5:54:43 PM Error 2087 Active Directory Domain
Services could not resolve the following DNS host name of the source
domain controller to an IP address. This error prevents additions,
deletions and changes in Active Directory Domain Services from
replicating between one or more domain controllers in the forest.
Security groups, group policy, users and computers and their passwords
will be inconsistent between domain controllers until this error is
resolved, potentially affecting logon authentication and access to
network resources. Source domain controller: LENAD02
By default, only up to 10 DNS failures are shown for any given 12 hour
period, even if more than 10 failures occur. To log all individual
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action: 1) If the source domain controller is no
longer functioning or its operating system has been reinstalled with a
different computer name or NTDSDSA object GUID, remove the source
domain controller's metadata with ntdsutil.exe, using the steps
outlined in MSKB article 216498. 2) Confirm that the source
domain controller is running Active Directory Domain Services and is
accessible on the network by typing "net view \\<source DC name>" or
"ping <source DC name>". 3) Verify that the source domain
controller is using a valid DNS server for DNS services, and that the
source domain controller's host record and CNAME record are correctly
registered, using the DNS Enhanced version of DCDIAG.EXE available on
http://www.microsoft.com/dns dcdiag /test:dns 4) Verify
that this destination domain controller is using a valid DNS server for
DNS services, by running the DNS Enhanced version of DCDIAG.EXE command
dcdiag /test:dns 5) For further analysis of DNS error failures
see KB 824449: http://support.microsoft.com/?kbid=824449
Additional Data Error value: 11004 The requested name is valid,
but no data of the requested type was found.
NTDS Database 12/29/2009 4:30:59 PM Error 1126 Active Directory Domain
Services was unable to establish a connection with the global catalog.
Additional Data Error value: 8430 The directory service
encountered an internal failure. Internal ID: 3200db0 User
Action: Make sure a global catalog is available in the forest, and is
reachable from this domain controller. You may use the nltest utility
to diagnose this problem.
NTDS Database 12/29/2009 4:30:59 PM Error 1645 Active Directory Domain
Services did not perform an authenticated remote procedure call (RPC) to
another directory server because the desired service principal name
(SPN) for the destination directory server is not registered on the Key
Distribution Center (KDC) domain controller that resolves the SPN.
Action Verify that the names of the destination directory server and
domain are correct. Also, verify that the SPN is registered on the KDC
domain controller. If the destination directory server has been recently
promoted, it will be necessary for the local directory server's
account data to replicate to the KDC before this directory server can be
authenticated.
NTDS Replication 12/29/2009 10:51:47 AM Error 2087 Active Directory
Domain Services could not resolve the following DNS host name of the
source domain controller to an IP address. This error prevents
additions, deletions and changes in Active Directory Domain Services
from replicating between one or more domain controllers in the forest.
Security groups, group policy, users and computers and their passwords
will be inconsistent between domain controllers until this error is
resolved, potentially affecting logon authentication and access to
network resources. Source domain controller: LENAD02
By default, only up to 10 DNS failures are shown for any given 12 hour
period, even if more than 10 failures occur. To log all individual
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action: 1) If the source domain controller is no
longer functioning or its operating system has been reinstalled with a
different computer name or NTDSDSA object GUID, remove the source
domain controller's metadata with ntdsutil.exe, using the steps
outlined in MSKB article 216498. 2) Confirm that the source
domain controller is running Active Directory Domain Services and is
accessible on the network by typing "net view \\<source DC name>" or
"ping <source DC name>". 3) Verify that the source domain
controller is using a valid DNS server for DNS services, and that the
source domain controller's host record and CNAME record are correctly
registered, using the DNS Enhanced version of DCDIAG.EXE available on
http://www.microsoft.com/dns dcdiag /test:dns 4) Verify
that this destination domain controller is using a valid DNS server for
DNS services, by running the DNS Enhanced version of DCDIAG.EXE command
dcdiag /test:dns 5) For further analysis of DNS error failures
see KB 824449: http://support.microsoft.com/?kbid=824449
Additional Data Error value: 11004 The requested name is valid,
but no data of the requested type was found.
NTDS KCC 12/25/2009 7:12:31 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 7:27:31 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 7:12:31 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 4:15:19 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 4:00:19 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 2:37:08 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS KCC 12/24/2009 12:52:08 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS KCC 12/24/2009 12:37:57 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
WARNING: Found Directory Service Errors in the past 15 days! FRS
Depends on AD so Check AD Replication!
........ failed 12
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size...
Unless this is due to your schedule, this is a problem!
failed with 1 error(s) and 0 warning(s)
Checking Overall Disk Space and SYSVOL structure (note: integrity is
not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
9016: 845: S0: 21:59:31> ++ ERROR - API Access check failed
ERROR_ACCESS_DENIED
8612: 2352: S0: 21:59:31> :FK: ERROR - Access Check failed
on System\CurrentControlSet\Services\NtFrs\Parameters\Access Checks\Get
Internal Information; WStatus: ERROR_ACCESS_DENIED
8612: 845: S0: 21:59:31> ++ ERROR - API Access check failed
ERROR_ACCESS_DENIED
ERROR on NtFrs_0004.log : "EPT_S_NOT_REGISTERED(This may indicate that
DNS returns the IP address of the wrong computer. Check DNS records
being returned, Check if FRS is currently running on the target server.
Check if Ntfrs is registered with the End-Point-Mapper on target
server!)" : <SndCsMain: 3728: 883: S0: 17:16:27>
++ ERROR - EXCEPTION (000006d9) : WStatus: EPT_S_NOT_REGISTERED
ERROR on NtFrs_0004.log : "EPT_S_NOT_REGISTERED(This may indicate that
DNS returns the IP address of the wrong computer. Check DNS records
being returned, Check if FRS is currently running on the target server.
Check if Ntfrs is registered with the End-Point-Mapper on target
server!)" : <SndCsMain: 3728: 884: S0: 17:16:27>
:SR: Cmd 003cc090, CxtG 5b985583, WS EPT_S_NOT_REGISTERED, To
M1CMS002.testadservs.net Len: (372) [SndFail - rpc exception]
ERROR on NtFrs_0004.log : "EPT_S_NOT_REGISTERED(This may indicate that
DNS returns the IP address of the wrong computer. Check DNS records
being returned, Check if FRS is currently running on the target server.
Check if Ntfrs is registered with the End-Point-Mapper on target
server!)" : <SndCsMain: 3728: 904: S0: 17:16:27>
:SR: Cmd 003cc090, CxtG 5b985583, WS EPT_S_NOT_REGISTERED, To
M1CMS002.testadservs.net Len: (372) [SndFail - Send Penalty]
ERROR on NtFrs_0004.log : "WS RPC_S_SERVER_TOO_BUSY(The target server
may be overwhelmed, memory or CPU-wise. Is the target server a very busy
17:04:47> :SR: Cmd 003cc510, CxtG 5b985583, WS RPC_S_SERVER_TOO_BUSY, To
M1CMS002.testadservs.net Len: (372) [SndFail - rpc exception]
ERROR on NtFrs_0004.log : "WS RPC_S_SERVER_TOO_BUSY(The target server
may be overwhelmed, memory or CPU-wise. Is the target server a very busy
17:04:47> :SR: Cmd 003cc510, CxtG 5b985583, WS RPC_S_SERVER_TOO_BUSY, To
M1CMS002.testadservs.net Len: (372) [SndFail - Send Penalty]
Found 32 ERROR_ACCESS_DENIED error(s)! Latest ones (up to 3) listed
above
Found 3 EPT_S_NOT_REGISTERED error(s)! Latest ones (up to 3) listed
above
Found 2 WS RPC_S_SERVER_TOO_BUSY error(s)! Latest ones (up to 3)
listed above
........ failed with 37 error entries
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed
--
tbaze
Cary Shultz
2010-01-03 15:07:07 UTC
Permalink
Okay....since this is Windows Server 2008 (R2) - let's add one more thing to
the list of questions:

Please make sure that all Domain Controllers have the "AD Service" running
as well.

One more thing that I did not include - Sites and Services:

Q1) Have you properly configured AD Sites and Services?
Q2) Do you have only one Site and all Domain Controllers are in that Site or
do you have Multiple Sites? I ask because of AD Replication (intra-site
replication and inter-site replication work differently) and there might be
issues if your SYSVOL folder is large (I have seen 100MB and larger SYSVOL
folders...) and your WAN connections are slow....

Anyway, just to add to the questions....

Cary
Post by tbaze
C,
Let's see.
Yes, both servers are running 2K8R2.
FRS appears to be fixed - I had to recreate everything in CN=File
Replication Service - I also updated the NTFRS Subscriptions in
OU=Domain Controllers for both DCs.
My account is a member of Dns/Domain/Enterprise/SchemaAdmins and Group
Policy Creators.
I've tried the file creation, gave it an hour, no replication.. !&%(&
------------------------------------------------------------
FRSDiag v1.7 on 1/2/2010 10:49:18 PM
\M1CMS001 on 2010-01-02 at 10.49.18 PM
------------------------------------------------------------
Checking for errors/warnings in FRS Event Log ....
NtFrs 1/2/2010 9:59:30 PM Warning 13518 The File Replication Service
did not grant the user "tbaze" access to the API "Get Internal
Information". Permissions for "Get Internal Information" can be
changed by running regedit. Click on Start, Run, and type
regedit. Expand HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet,
Services, NtFrs, Parameters, Access Checks, and highlight "Get Internal
Information". Click on the toolbar option Security and then
Permissions... Access checks can be disabled for "Get Internal
Information". Double click on "Access checks are [Enabled or Disabled]"
and change the string to Disabled.
NtFrs 1/2/2010 9:54:11 PM Warning 13508 The File Replication Service is
having trouble enabling replication from M1CMS002 to M1CMS001 for
c:\windows\sysvol\domain using the DNS name M1CMS002.testadservs.net.
FRS will keep retrying. Following are some of the reasons you would
see this warning. [1] FRS can not correctly resolve the DNS name
M1CMS002.testadservs.net from this computer. [2] FRS is not running
on M1CMS002.testadservs.net. [3] The topology information in the
Active Directory Domain Services for this replica has not yet
replicated to all the Domain Controllers. This event log message
will appear once per connection, After the problem is fixed you will
see another event log message indicating that the connection has been
established.
WARNING: Found Event ID 13508 errors without trailing 13509 ... see
above for (up to) the 3 latest entries!
........ failed 2
Checking for errors in Directory Service Event Log ....
NTDS General 12/29/2009 5:54:43 PM Error 2087 Active Directory Domain
Services could not resolve the following DNS host name of the source
domain controller to an IP address. This error prevents additions,
deletions and changes in Active Directory Domain Services from
replicating between one or more domain controllers in the forest.
Security groups, group policy, users and computers and their passwords
will be inconsistent between domain controllers until this error is
resolved, potentially affecting logon authentication and access to
network resources. Source domain controller: LENAD02
By default, only up to 10 DNS failures are shown for any given 12 hour
period, even if more than 10 failures occur. To log all individual
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action: 1) If the source domain controller is no
longer functioning or its operating system has been reinstalled with a
different computer name or NTDSDSA object GUID, remove the source
domain controller's metadata with ntdsutil.exe, using the steps
outlined in MSKB article 216498. 2) Confirm that the source
domain controller is running Active Directory Domain Services and is
accessible on the network by typing "net view \\<source DC name>" or
"ping <source DC name>". 3) Verify that the source domain
controller is using a valid DNS server for DNS services, and that the
source domain controller's host record and CNAME record are correctly
registered, using the DNS Enhanced version of DCDIAG.EXE available on
http://www.microsoft.com/dns dcdiag /test:dns 4) Verify
that this destination domain controller is using a valid DNS server for
DNS services, by running the DNS Enhanced version of DCDIAG.EXE command
dcdiag /test:dns 5) For further analysis of DNS error failures
see KB 824449: http://support.microsoft.com/?kbid=824449
Additional Data Error value: 11004 The requested name is valid,
but no data of the requested type was found.
NTDS Database 12/29/2009 4:30:59 PM Error 1126 Active Directory Domain
Services was unable to establish a connection with the global catalog.
Additional Data Error value: 8430 The directory service
encountered an internal failure. Internal ID: 3200db0 User
Action: Make sure a global catalog is available in the forest, and is
reachable from this domain controller. You may use the nltest utility
to diagnose this problem.
NTDS Database 12/29/2009 4:30:59 PM Error 1645 Active Directory Domain
Services did not perform an authenticated remote procedure call (RPC) to
another directory server because the desired service principal name
(SPN) for the destination directory server is not registered on the Key
Distribution Center (KDC) domain controller that resolves the SPN.
Action Verify that the names of the destination directory server and
domain are correct. Also, verify that the SPN is registered on the KDC
domain controller. If the destination directory server has been recently
promoted, it will be necessary for the local directory server's
account data to replicate to the KDC before this directory server can be
authenticated.
NTDS Replication 12/29/2009 10:51:47 AM Error 2087 Active Directory
Domain Services could not resolve the following DNS host name of the
source domain controller to an IP address. This error prevents
additions, deletions and changes in Active Directory Domain Services
from replicating between one or more domain controllers in the forest.
Security groups, group policy, users and computers and their passwords
will be inconsistent between domain controllers until this error is
resolved, potentially affecting logon authentication and access to
network resources. Source domain controller: LENAD02
By default, only up to 10 DNS failures are shown for any given 12 hour
period, even if more than 10 failures occur. To log all individual
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action: 1) If the source domain controller is no
longer functioning or its operating system has been reinstalled with a
different computer name or NTDSDSA object GUID, remove the source
domain controller's metadata with ntdsutil.exe, using the steps
outlined in MSKB article 216498. 2) Confirm that the source
domain controller is running Active Directory Domain Services and is
accessible on the network by typing "net view \\<source DC name>" or
"ping <source DC name>". 3) Verify that the source domain
controller is using a valid DNS server for DNS services, and that the
source domain controller's host record and CNAME record are correctly
registered, using the DNS Enhanced version of DCDIAG.EXE available on
http://www.microsoft.com/dns dcdiag /test:dns 4) Verify
that this destination domain controller is using a valid DNS server for
DNS services, by running the DNS Enhanced version of DCDIAG.EXE command
dcdiag /test:dns 5) For further analysis of DNS error failures
see KB 824449: http://support.microsoft.com/?kbid=824449
Additional Data Error value: 11004 The requested name is valid,
but no data of the requested type was found.
NTDS KCC 12/25/2009 7:12:31 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 7:27:31 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 7:12:31 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 4:15:19 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 4:00:19 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 2:37:08 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS KCC 12/24/2009 12:52:08 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS KCC 12/24/2009 12:37:57 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
WARNING: Found Directory Service Errors in the past 15 days! FRS
Depends on AD so Check AD Replication!
........ failed 12
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size...
Unless this is due to your schedule, this is a problem!
failed with 1 error(s) and 0 warning(s)
Checking Overall Disk Space and SYSVOL structure (note: integrity is
not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
9016: 845: S0: 21:59:31> ++ ERROR - API Access check failed
ERROR_ACCESS_DENIED
8612: 2352: S0: 21:59:31> :FK: ERROR - Access Check failed
on System\CurrentControlSet\Services\NtFrs\Parameters\Access Checks\Get
Internal Information; WStatus: ERROR_ACCESS_DENIED
8612: 845: S0: 21:59:31> ++ ERROR - API Access check failed
ERROR_ACCESS_DENIED
ERROR on NtFrs_0004.log : "EPT_S_NOT_REGISTERED(This may indicate that
DNS returns the IP address of the wrong computer. Check DNS records
being returned, Check if FRS is currently running on the target server.
Check if Ntfrs is registered with the End-Point-Mapper on target
server!)" : <SndCsMain: 3728: 883: S0: 17:16:27>
++ ERROR - EXCEPTION (000006d9) : WStatus: EPT_S_NOT_REGISTERED
ERROR on NtFrs_0004.log : "EPT_S_NOT_REGISTERED(This may indicate that
DNS returns the IP address of the wrong computer. Check DNS records
being returned, Check if FRS is currently running on the target server.
Check if Ntfrs is registered with the End-Point-Mapper on target
server!)" : <SndCsMain: 3728: 884: S0: 17:16:27>
:SR: Cmd 003cc090, CxtG 5b985583, WS EPT_S_NOT_REGISTERED, To
M1CMS002.testadservs.net Len: (372) [SndFail - rpc exception]
ERROR on NtFrs_0004.log : "EPT_S_NOT_REGISTERED(This may indicate that
DNS returns the IP address of the wrong computer. Check DNS records
being returned, Check if FRS is currently running on the target server.
Check if Ntfrs is registered with the End-Point-Mapper on target
server!)" : <SndCsMain: 3728: 904: S0: 17:16:27>
:SR: Cmd 003cc090, CxtG 5b985583, WS EPT_S_NOT_REGISTERED, To
M1CMS002.testadservs.net Len: (372) [SndFail - Send Penalty]
ERROR on NtFrs_0004.log : "WS RPC_S_SERVER_TOO_BUSY(The target server
may be overwhelmed, memory or CPU-wise. Is the target server a very busy
17:04:47> :SR: Cmd 003cc510, CxtG 5b985583, WS RPC_S_SERVER_TOO_BUSY, To
M1CMS002.testadservs.net Len: (372) [SndFail - rpc exception]
ERROR on NtFrs_0004.log : "WS RPC_S_SERVER_TOO_BUSY(The target server
may be overwhelmed, memory or CPU-wise. Is the target server a very busy
17:04:47> :SR: Cmd 003cc510, CxtG 5b985583, WS RPC_S_SERVER_TOO_BUSY, To
M1CMS002.testadservs.net Len: (372) [SndFail - Send Penalty]
Found 32 ERROR_ACCESS_DENIED error(s)! Latest ones (up to 3) listed
above
Found 3 EPT_S_NOT_REGISTERED error(s)! Latest ones (up to 3) listed
above
Found 2 WS RPC_S_SERVER_TOO_BUSY error(s)! Latest ones (up to 3)
listed above
........ failed with 37 error entries
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed
--
tbaze
tbaze
2010-01-03 03:01:48 UTC
Permalink
Ace Fekay [MCT]
2010-01-03 15:13:35 UTC
Permalink
Post by tbaze
------------------------------------------------------------
FRSDiag v1.7 on 1/2/2010 9:59:41 PM
\M1CMS001 on 2010-01-02 at 9.59.41 PM
------------------------------------------------------------
Checking for errors/warnings in FRS Event Log ....
NtFrs 1/2/2010 9:59:30 PM Warning 13518 The File Replication Service
did not grant the user "tbaze" access to the API "Get Internal
Information". Permissions for "Get Internal Information" can be
changed by running regedit. Click on Start, Run, and type
regedit. Expand HKEY_LOCAL_MACHINE, SYSTEM, CurrentControlSet,
Services, NtFrs, Parameters, Access Checks, and highlight "Get Internal
Information". Click on the toolbar option Security and then
Permissions... Access checks can be disabled for "Get Internal
Information". Double click on "Access checks are [Enabled or Disabled]"
and change the string to Disabled.
NtFrs 1/2/2010 9:54:11 PM Warning 13508 The File Replication Service is
having trouble enabling replication from M1CMS002 to M1CMS001 for
c:\windows\sysvol\domain using the DNS name M1CMS002.testadservs.net.
FRS will keep retrying. Following are some of the reasons you would
see this warning. [1] FRS can not correctly resolve the DNS name
M1CMS002.testadservs.net from this computer. [2] FRS is not running
on M1CMS002.testadservs.net. [3] The topology information in the
Active Directory Domain Services for this replica has not yet
replicated to all the Domain Controllers. This event log message
will appear once per connection, After the problem is fixed you will
see another event log message indicating that the connection has been
established.
WARNING: Found Event ID 13508 errors without trailing 13509 ... see
above for (up to) the 3 latest entries!
........ failed 2
Checking for errors in Directory Service Event Log ....
NTDS General 12/29/2009 5:54:43 PM Error 2087 Active Directory Domain
Services could not resolve the following DNS host name of the source
domain controller to an IP address. This error prevents additions,
deletions and changes in Active Directory Domain Services from
replicating between one or more domain controllers in the forest.
Security groups, group policy, users and computers and their passwords
will be inconsistent between domain controllers until this error is
resolved, potentially affecting logon authentication and access to
network resources. Source domain controller: LENAD02
By default, only up to 10 DNS failures are shown for any given 12 hour
period, even if more than 10 failures occur. To log all individual
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
User Action: 1) If the source domain controller is no
longer functioning or its operating system has been reinstalled with a
different computer name or NTDSDSA object GUID, remove the source
domain controller's metadata with ntdsutil.exe, using the steps
outlined in MSKB article 216498. 2) Confirm that the source
domain controller is running Active Directory Domain Services and is
accessible on the network by typing "net view \\<source DC name>" or
"ping <source DC name>". 3) Verify that the source domain
controller is using a valid DNS server for DNS services, and that the
source domain controller's host record and CNAME record are correctly
registered, using the DNS Enhanced version of DCDIAG.EXE available on
http://www.microsoft.com/dns dcdiag /test:dns 4) Verify
that this destination domain controller is using a valid DNS server for
DNS services, by running the DNS Enhanced version of DCDIAG.EXE command
dcdiag /test:dns 5) For further analysis of DNS error failures
see KB 824449: http://support.microsoft.com/?kbid=824449
Additional Data Error value: 11004 The requested name is valid,
but no data of the requested type was found.
NTDS Database 12/29/2009 4:30:59 PM Error 1126 Active Directory Domain
Services was unable to establish a connection with the global catalog.
Additional Data Error value: 8430 The directory service
encountered an internal failure. Internal ID: 3200db0 User
Action: Make sure a global catalog is available in the forest, and is
reachable from this domain controller. You may use the nltest utility
to diagnose this problem.
NTDS Database 12/29/2009 4:30:59 PM Error 1645 Active Directory Domain
Services did not perform an authenticated remote procedure call (RPC) to
another directory server because the desired service principal name
(SPN) for the destination directory server is not registered on the Key
Distribution Center (KDC) domain controller that resolves the SPN.
Action Verify that the names of the destination directory server and
domain are correct. Also, verify that the SPN is registered on the KDC
domain controller. If the destination directory server has been recently
promoted, it will be necessary for the local directory server's account
data to replicate to the KDC before this directory server can be
authenticated.
NTDS Replication 12/29/2009 10:51:47 AM Error 2087 Active Directory
Domain Services could not resolve the following DNS host name of the
source domain controller to an IP address. This error prevents
additions, deletions and changes in Active Directory Domain Services
from replicating between one or more domain controllers in the forest.
Security groups, group policy, users and computers and their passwords
will be inconsistent between domain controllers until this error is
resolved, potentially affecting logon authentication and access to
network resources. Source domain controller: LENAD02
e2902334-be48-4463-a1be-c27934d7ecea._msdcs.testadservs.net
By default, only up to 10 DNS failures are shown for any given 12 hour
period, even if more than 10 failures occur. To log all individual
HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client
1) If the source domain controller is no
longer functioning or its operating system has been reinstalled with a
different computer name or NTDSDSA object GUID, remove the source
domain controller's metadata with ntdsutil.exe, using the steps
outlined in MSKB article 216498.
2) Confirm that the source
domain controller is running Active Directory Domain Services and is
accessible on the network by typing "net view \\<source DC name>" or
"ping <source DC name>".
3) Verify that the source domain
controller is using a valid DNS server for DNS services, and that the
source domain controller's host record and CNAME record are correctly
registered, using the DNS Enhanced version of DCDIAG.EXE available on
http://www.microsoft.com/dns dcdiag /test:dns
4) Verify
that this destination domain controller is using a valid DNS server for
DNS services, by running the DNS Enhanced version of DCDIAG.EXE command
dcdiag /test:dns
5) For further analysis of DNS error failures
see KB 824449: http://support.microsoft.com/?kbid=824449
Additional Data Error value: 11004 The requested name is valid,
but no data of the requested type was found.
NTDS KCC 12/25/2009 7:12:31 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 7:27:31 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 7:12:31 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 4:15:19 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 4:00:19 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS General 12/24/2009 2:37:08 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS KCC 12/24/2009 12:52:08 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
NTDS KCC 12/24/2009 12:37:57 PM Error 1550 The following site has no
CN=USFS,CN=Sites,CN=Configuration,DC=testadservs,DC=net User
Action Create an NTDS Site Settings object for this site.
WARNING: Found Directory Service Errors in the past 15 days! FRS
Depends on AD so Check AD Replication!
........ failed 12
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size...
Unless this is due to your schedule, this is a problem!
failed with 1 error(s) and 0 warning(s)
Checking Overall Disk Space and SYSVOL structure (note: integrity is
not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ...
9016: 845: S0: 21:59:31> ++ ERROR - API Access check failed
ERROR_ACCESS_DENIED
8612: 2352: S0: 21:59:31> :FK: ERROR - Access Check failed
on System\CurrentControlSet\Services\NtFrs\Parameters\Access Checks\Get
Internal Information; WStatus: ERROR_ACCESS_DENIED
8612: 845: S0: 21:59:31> ++ ERROR - API Access check failed
ERROR_ACCESS_DENIED
ERROR on NtFrs_0004.log : "EPT_S_NOT_REGISTERED(This may indicate that
DNS returns the IP address of the wrong computer. Check DNS records
being returned, Check if FRS is currently running on the target server.
Check if Ntfrs is registered with the End-Point-Mapper on target
server!)" : <SndCsMain: 3728: 883: S0: 17:16:27>
++ ERROR - EXCEPTION (000006d9) : WStatus: EPT_S_NOT_REGISTERED
ERROR on NtFrs_0004.log : "EPT_S_NOT_REGISTERED(This may indicate that
DNS returns the IP address of the wrong computer. Check DNS records
being returned, Check if FRS is currently running on the target server.
Check if Ntfrs is registered with the End-Point-Mapper on target
server!)" : <SndCsMain: 3728: 884: S0: 17:16:27>
:SR: Cmd 003cc090, CxtG 5b985583, WS EPT_S_NOT_REGISTERED, To
M1CMS002.testadservs.net Len: (372) [SndFail - rpc exception]
ERROR on NtFrs_0004.log : "EPT_S_NOT_REGISTERED(This may indicate that
DNS returns the IP address of the wrong computer. Check DNS records
being returned, Check if FRS is currently running on the target server.
Check if Ntfrs is registered with the End-Point-Mapper on target
server!)" : <SndCsMain: 3728: 904: S0: 17:16:27>
:SR: Cmd 003cc090, CxtG 5b985583, WS EPT_S_NOT_REGISTERED, To
M1CMS002.testadservs.net Len: (372) [SndFail - Send Penalty]
ERROR on NtFrs_0004.log : "WS RPC_S_SERVER_TOO_BUSY(The target server
may be overwhelmed, memory or CPU-wise. Is the target server a very busy
17:04:47> :SR: Cmd 003cc510, CxtG 5b985583, WS RPC_S_SERVER_TOO_BUSY, To
M1CMS002.testadservs.net Len: (372) [SndFail - rpc exception]
ERROR on NtFrs_0004.log : "WS RPC_S_SERVER_TOO_BUSY(The target server
may be overwhelmed, memory or CPU-wise. Is the target server a very busy
17:04:47> :SR: Cmd 003cc510, CxtG 5b985583, WS RPC_S_SERVER_TOO_BUSY, To
M1CMS002.testadservs.net Len: (372) [SndFail - Send Penalty]
Found 32 ERROR_ACCESS_DENIED error(s)! Latest ones (up to 3) listed
above
Found 3 EPT_S_NOT_REGISTERED error(s)! Latest ones (up to 3) listed
above
Found 2 WS RPC_S_SERVER_TOO_BUSY error(s)! Latest ones (up to 3)
listed above
........ failed with 37 error entries
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed
Final Result = failed with 52 error(s)
--
tbaze
Hi tbaze,

The dcdiag output seems to have become one big text file with no breaks,
making it difficult to read. It may be due to how techarena handles a
copy/paste or posts it. We usually recommend posting directly to the
newsgroups (which is where techarena pull/pushes ALL of their posts to and
from) instead of using techarena to avoid the shortcomings associated with
techarena. I suggest to use your OS built-in newsreader, Outlook Express
(XP) or Windows Mail (Vista or 7), servername: news.microsoft.com, newsgroup
name: microsoft.public.windows.server.active_directory. It's free, no
username required, no logging in, you can remain anonymous, etc.

Can you provide a brief history as to the installation of the two DCs,
please?

Was a DC removed, renamed, reinstalled, upgraded, was a previous DC the same
name, demoted or removed and reinstalled with the same name, or are you
using imaging software (Ghost, or any others)?

This whole thing could be based on resolution issues based on EventID 13508
showing up. The warning message that states, the Event ID 13508 errors
without trailing 13509, is what I am basing my assumption on. See the
following for more info:
http://eventid.net/display.asp?eventid=13508&eventno=6585&source=FRS&phase=1

Does this record exist? Check both DCs' zones.
e2902334-be48-4463-a1be-c27934d7ecea._msdcs.testadservs.net

If this record does not exist, create the record (CNAME) providing LENAD02's
IP address, then run "dcdiag /v /fix" then re-run FRSDiag.

If you look in the "Frs-Staging" folder on the failed target machine, do you
see any duplicates or conflicting entries?

Try using portqry to ensure that the necessary ports are listening. Telnet
is not the best tool to test DC communications.

Download details: PortQry Command Line Port Scanner Version 2.0 Download
PortQryV2.exe, a command-line utility that you can use to help troubleshoot
TCP/IP connectivity issues. Portqry.exe runs on Windows 2000-based ...
http://www.microsoft.com/downloads/details.aspx?FamilyID=89811747-C74B-4638-A2D5-AC828BDC6983

Download details: PortQryUI - User Interface for the PortQry ... Aug 2, 2004
... Download PortQryUI.exe, an add on User Interface utility for PortQry.
http://www.microsoft.com/downloads/details.aspx?familyid=8355E537-1EA6-4569-AABB-F248F4BD91D0&displaylang=en
--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Ace Fekay [MCT]
2010-01-03 15:17:44 UTC
Permalink
"tbaze" <***@DoNotSpam.com> wrote in message news:***@DoNotSpam.com...
One more question, are both DCs GCs? If not, it is recommended in a single
domain forest, that all DCs are configured to be GCs.

Ace
tbaze
2010-01-03 23:11:10 UTC
Permalink
Hey C,

Before I address each of those, might you answer or guide me with
regards to this: "What is the significance of:

COMPUTER SETTINGS
------------------
CN=M1CMS003,CN=Computers,DC=testadservs,DC=net
Last time Group Policy was applied: 1/2/2010 at 6:20:45 PM
Group Policy was applied from: LENAD02.testadservs.net
Group Policy slow link threshold: 500 kbps
Domain Name: M1CMS003
Domain Type: <Local Computer>

Applied Group Policy Objects

"Group Policy was applied from: " is pointing at the wrong server.
Where is it getting that from?"

I blew away the entire AD environment today, formatted the servers, and
the above still persists. The new AD environment has never seen that
server name so it must be residual on the clients somewhere?

--
tbaze
Ace Fekay [MCT]
2010-01-04 01:28:30 UTC
Permalink
Post by tbaze
Hey C,
Before I address each of those, might you answer or guide me with
COMPUTER SETTINGS
------------------
CN=M1CMS003,CN=Computers,DC=testadservs,DC=net
Last time Group Policy was applied: 1/2/2010 at 6:20:45 PM
Group Policy was applied from: LENAD02.testadservs.net
Group Policy slow link threshold: 500 kbps
Domain Name: M1CMS003
Domain Type: <Local Computer>
Applied Group Policy Objects
"Group Policy was applied from: " is pointing at the wrong server.
Where is it getting that from?"
I blew away the entire AD environment today, formatted the servers, and
the above still persists. The new AD environment has never seen that
server name so it must be residual on the clients somewhere?
--
tbaze
You blew away the whole AD environment and created a whole new AD Forest and
domain? If so, did you disjoin then join the client to the new domain?

Clients locate DCs by DNS, specifically the SRV records. If you see a DC
that doesn't exist in the logs, it may be from DNS. Assuming you kept the
same DNS name, did you delete the old zones and allow dcpromo to create new
ones during promotion?

Ace
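The DNS and port checks Ace describes in his replies above (the GUID CNAME under _msdcs, the SRV records clients use to locate DCs, and port reachability in place of telnet), as an added PowerShell example that is not part of the original posts. The domain, GUID and DC names are taken from the thread; the expected-DC list, the port list and the function names are assumptions.

```powershell
# Added example, not from the thread. Needs Resolve-DnsName and Test-NetConnection
# (Windows 8.1 / Server 2012 R2 or later); run it from a domain-joined admin host.

$Domain      = 'testadservs.net'                        # domain named in the thread
$DsaGuid     = 'e2902334-be48-4463-a1be-c27934d7ecea'   # GUID from the event 2087 text
$ExpectedDcs = 'M1CMS001', 'M1CMS002'                   # assumption: the DCs that should exist
$DnsServers  = 'M1CMS001.testadservs.net', 'M1CMS002.testadservs.net'  # check both DCs' zones
$Ports       = 53, 88, 135, 389, 445   # assumption: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB

function Get-ZoneAnswer {
    # Ask one specific DNS server and keep only the answer section.
    # -DnsOnly skips LLMNR/NetBIOS, so only the zone on $Server can answer.
    param([string]$Name, [string]$Type, [string]$Server)
    Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Section -eq 'Answer' }
}

function Test-IsExpectedDc {
    # Compare the host part of an FQDN with the list of DCs that should exist.
    param([string]$Fqdn)
    $ExpectedDcs -contains ($Fqdn -split '\.')[0]
}

function Get-DcLocatorReport {
    foreach ($server in $DnsServers) {
        # 1. Replication alias: <DSA GUID>._msdcs.<domain> should be a CNAME to a live DC.
        $alias = '{0}._msdcs.{1}' -f $DsaGuid, $Domain
        $cname = @(Get-ZoneAnswer $alias 'CNAME' $server)
        if ($cname.Count -eq 0) {
            [pscustomobject]@{ DnsServer = $server; Record = $alias
                               Target = '(missing)'; Expected = $false }
        }
        foreach ($c in $cname) {
            [pscustomobject]@{ DnsServer = $server; Record = $alias
                               Target = $c.NameHost; Expected = (Test-IsExpectedDc $c.NameHost) }
        }

        # 2. DC locator SRV records: every target is a DC that clients may be sent to.
        $srvName = '_ldap._tcp.dc._msdcs.{0}' -f $Domain
        foreach ($s in @(Get-ZoneAnswer $srvName 'SRV' $server)) {
            [pscustomobject]@{ DnsServer = $server; Record = $srvName
                               Target = $s.NameTarget; Expected = (Test-IsExpectedDc $s.NameTarget) }
        }
    }
}

function Test-DcPorts {
    # TCP connect test per target and port, in place of telnet.
    param([string[]]$Computer)
    foreach ($c in $Computer) {
        foreach ($p in $Ports) {
            $r = Test-NetConnection -ComputerName $c -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{ Target = $c; Port = $p; Open = $r.TcpTestSucceeded }
        }
    }
}

$report = @(Get-DcLocatorReport)
$report | Format-Table -AutoSize

# A missing alias, or a target outside $ExpectedDcs, is either a registration left
# behind by a DC that no longer exists or a DC that was not listed above.
$report | Where-Object { -not $_.Expected } | ForEach-Object {
    Write-Warning ('{0} on {1} -> {2}' -f $_.Record, $_.DnsServer, $_.Target)
}

$targets = $report | Where-Object { $_.Target -ne '(missing)' } |
    Select-Object -ExpandProperty Target -Unique
if ($targets) { Test-DcPorts $targets | Format-Table -AutoSize }
```

An open port 135 only shows that the RPC endpoint mapper answers; FRS registers its own dynamic endpoint there, so EPT_S_NOT_REGISTERED can still appear when NtFrs is stopped on the target or DNS resolves the name to the wrong machine.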
tbaze
2010-01-04 04:22:13 UTC
Permalink
Hello Ace,

Yes, that's precisely what I did. DCPromo'd the secondary, removed,
DCPromo'd the primary, removed/deleted domain. I did not perform any
manual deletion of DNS zones, etc. I subsequently re-installed Windows
Server 2008 (Windows first instance was moved to Windows.old).

I thought maybe there was a caching issue on old servers so I stood up
a new VM and tried a GPUpdate there which resulted in a domain name that
we've never had, at all. I checked all the SRV records in DNS and saw
no mention of either the old domain servers or the new "domain". Going
to \\testadservs.net\sysvol works without issue... I'm *this* close to
calling Microsoft. :(

On new server:

COMPUTER SETTINGS
------------------
CN=TMPENT2K8,CN=Computers,DC=testadservs,DC=net
Last time Group Policy was applied: 1/3/2010 at 11:16:33 PM
* Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: 37L4247D25-07 (no idea where
this is from)
Domain Type: WindowsNT 4*


FRSDiag -

------------------------------------------------------------
FRSDiag v1.7 on 1/3/2010 8:46:10 PM
.\M1CMS001 on 2010-01-03 at 8.46.10 PM
------------------------------------------------------------

Checking for errors/warnings in FRS Event Log ....
NtFrs 1/3/2010 5:58:42 PM Warning 13566 File Replication Service is
scanning the data in the system volume. Computer M1CMS001 cannot become
a domain controller until this process is complete. The system volume
will then be shared as SYSVOL. To check for the SYSVOL share, at
the command prompt, type: net share When File Replication
Service completes the scanning process, the SYSVOL share will appear.
The initialization of the system volume can take some time. The
time is dependent on the amount of data in the system volume.
........ failed 1
Checking for errors in Directory Service Event Log .... passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is
not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ... passed
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed


DCDiag /v -

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
* Verifying that the local machine M1CMS001, is a Directory Server.
Home Server = M1CMS001
* Connecting to directory service on server M1CMS001.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=testadservs,DC=net,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testadservs,DC=net
Getting ISTG and options for the site
* Identifying all servers.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=testadservs,DC=net,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS
Settings,CN=M1CMS001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testadservs,DC=net
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 1 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\M1CMS001
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
* Active Directory RPC Services Check
........................ M1CMS001 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\M1CMS001
Starting test: Advertising
The DC M1CMS001 is advertising itself as a DC and having a
DS.
The DC M1CMS001 is advertising as an LDAP server
The DC M1CMS001 is advertising as having a writeable
directory
The DC M1CMS001 is advertising as a Key Distribution Center
The DC M1CMS001 is advertising as a time server
The DS M1CMS001 is advertising as a GC.
........................ M1CMS001 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours
after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
A warning event occurred. EventID: 0x800034FE
Time Generated: 01/03/2010 17:58:42
Event String:
File Replication Service is scanning the data in the system
volume. Computer M1CMS001 cannot become a domain
controller until this process is complete. The system volume will then
be shared as SYSVOL.

To check for the SYSVOL share, at the command prompt,
type:
net share

When File Replication Service completes the scanning
process, the SYSVOL share will appear.

The initialization of the system volume can take some time.
The time is dependent on the amount of data in the system volume.
........................ M1CMS001 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
Skip the test because the server is running FRS.
........................ M1CMS001 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
........................ M1CMS001 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the
last 15 minutes.
........................ M1CMS001 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=M1CMS001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testadservs,DC=net
Role Domain Owner = CN=NTDS
Settings,CN=M1CMS001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testadservs,DC=net
Role PDC Owner = CN=NTDS
Settings,CN=M1CMS001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testadservs,DC=net
Role Rid Owner = CN=NTDS
Settings,CN=M1CMS001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testadservs,DC=net
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=M1CMS001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testadservs,DC=net
........................ M1CMS001 passed test
KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC M1CMS001 on DC M1CMS001.
* SPN found :LDAP/M1CMS001.testadservs.net/testadservs.net
* SPN found :LDAP/M1CMS001.testadservs.net
* SPN found :LDAP/M1CMS001
* SPN found :LDAP/M1CMS001.testadservs.net/testadservs
* SPN found
:LDAP/c9ba306f-70cc-468b-bde0-6c4433308fc0._msdcs.testadservs.net
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/c9ba306f-70cc-468b-bde0-6c4433308fc0/testadservs.net
* SPN found :HOST/M1CMS001.testadservs.net/testadservs.net
* SPN found :HOST/M1CMS001.testadservs.net
* SPN found :HOST/M1CMS001
* SPN found :HOST/M1CMS001.testadservs.net/testadservs
* SPN found :GC/M1CMS001.testadservs.net/testadservs.net
........................ M1CMS001 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC M1CMS001.
* Security Permissions Check for
DC=ForestDnsZones,DC=testadservs,DC=net
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=testadservs,DC=net
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=testadservs,DC=net
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=testadservs,DC=net
(Configuration,Version 3)
* Security Permissions Check for
DC=testadservs,DC=net
(Domain,Version 3)
........................ M1CMS001 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\M1CMS001\netlogon
Verified share \\M1CMS001\sysvol
........................ M1CMS001 passed test NetLogons
Starting test: ObjectsReplicated
M1CMS001 is in domain DC=testadservs,DC=net
Checking for CN=M1CMS001,OU=Domain
Controllers,DC=testadservs,DC=net in domain DC=testadservs,DC=net on 1
servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=M1CMS001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testadservs,DC=net
in domain CN=Configuration,DC=testadservs,DC=net on 1
servers
Object is up-to-date on all servers.
........................ M1CMS001 passed test
ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
........................ M1CMS001 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 1600 to 1073741823
* M1CMS001.testadservs.net is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1100 to 1599
* rIDPreviousAllocationPool is 1100 to 1599
* rIDNextRID: 1140
........................ M1CMS001 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
........................ M1CMS001 passed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
........................ M1CMS001 passed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=M1CMS001,OU=Domain Controllers,DC=testadservs,DC=net and backlink
on
CN=M1CMS001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testadservs,DC=net
are correct.
The system object reference (serverReferenceBL)
CN=M1CMS001,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=testadservs,DC=net and
backlink on
CN=NTDS
Settings,CN=M1CMS001,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=testadservs,DC=net
are correct.
The system object reference (frsComputerReferenceBL)
CN=M1CMS001,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=testadservs,DC=net and
backlink on CN=M1CMS001,OU=Domain
Controllers,DC=testadservs,DC=net are correct.
........................ M1CMS001 passed test
VerifyReferences
Test omitted by user request: VerifyReplicas

Test omitted by user request: DNS
Test omitted by user request: DNS

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
........................ ForestDnsZones passed test
CheckSDRefDom
Starting test: CrossRefValidation
........................ ForestDnsZones passed test
CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
........................ DomainDnsZones passed test
CheckSDRefDom
Starting test: CrossRefValidation
........................ DomainDnsZones passed test
CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
........................ Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
........................ Schema passed test
CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
........................ Configuration passed test
CheckSDRefDom
Starting test: CrossRefValidation
........................ Configuration passed test
CrossRefValidation

Running partition tests on : testadservs
Starting test: CheckSDRefDom
........................ testadservs passed test
CheckSDRefDom
Starting test: CrossRefValidation
........................ testadservs passed test
CrossRefValidation

Running enterprise tests on : testadservs.net
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\M1CMS001.testadservs.net
Locator Flags: 0xe00031fd
PDC Name: \\M1CMS001.testadservs.net
Locator Flags: 0xe00031fd
Time Server Name: \\M1CMS001.testadservs.net
Locator Flags: 0xe00031fd
Preferred Time Server Name: \\M1CMS001.testadservs.net
Locator Flags: 0xe00031fd
KDC Name: \\M1CMS001.testadservs.net
Locator Flags: 0xe00031fd
........................ testadservs.net passed test
LocatorCheck
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside
the scope provided by the command line arguments
provided.
........................ testadservs.net passed test
Intersite
--
tbaze
Ace Fekay [MCT]
2010-01-04 14:25:24 UTC
Permalink
Post by tbaze
Hello Ace,
Yes, that's precisely what I did. DCPromo'd the secondary, removed -
DCPromo'd the primary, removed/deleted domain. I did not perform any
manual deletion of DNS zones, etc. I subsequently re-installed Windows
Server 2008 (Windows first instance was moved to Windows.old).
I thought maybe there was a caching issue on old servers so I stood up
a new VM and tried a GPUpdate there which resulted in a domain name that
we've never had, at all. I checked all the SRV records in DNS and saw
no mention of either the old domain servers or the new "domain". Going
to \\testadservs.net\sysvol works without issue... I'm *this* close to
calling Microsoft. :(
COMPUTER SETTINGS
------------------
CN=TMPENT2K8,CN=Computers,DC=testadservs,DC=net
Last time Group Policy was applied: 1/3/2010 at 11:16:33 PM
* Group Policy was applied from: N/A
Group Policy slow link threshold: 500 kbps
Domain Name: 37L4247D25-07 (no idea where
this is from)
Domain Type: WindowsNT 4*
<snipped>
Post by tbaze
--
tbaze
Caching issue on the old servers? I assume you mean member servers and not
the DCs? If you are referring to the member servers, that's not likely as
long as you've disjoined the member servers from the old domain, restarted,
then joined them to the new domain and restarted.

You renamed the Windows folder to windows.old then installed the new
instance? I thought you blew away the machine, reformatted from scratch,
which is really what's recommended in such scenarios. My feeling it may have
found the old sysvol installation during promotion, but I can't see why it
would have done that. Either way, whenever installing a new server for a DC,
always blow it away and reformat prior to reinstallation. That's a general
rule of thumb.

As for "37L4247D25-07," that appears to be an OEM generated NetBIOS name.
What NetBIOS name for the domain did you supply dcpromo? Does that name show
up in DNS anywhere? You are not using WINS, otherwise I would have suggested
to look in the WINS database, too.

Is there a hosts or lmhosts file configured?

According to the dcdiag, there's only one DC, M1CMS001. Is that correct?

Please provide an updated ipconfig /all and all Eventlog errors.

Read the following regarding FRS. Honestly if it was reinstalled from
scratch, I can't see why you would be getting any errors at all. It seems we
are missing something basic here.

Recovering missing FRS objects and FRS attributes in Active Directory
http://support.microsoft.com/kb/312862

Ace
tbaze
2010-01-04 17:53:40 UTC
Permalink
Post by Ace Fekay [MCT]
Caching issue on the old servers? I assume you mean member servers and not
the DCs? If you are referring to the member servers, that's not likely as
long as you've disjoined the member servers from the old domain, restarted,
then joined them to the new domain and restarted.

I meant member servers and I assumed as much but that doesn't seem to
be the case if a brand new server had a OEM NetBIOS name and the old
member servers still have old DC names. I suspect it means they're not
actually pulling from SYSVOL or wherever they should come from.

Post by Ace Fekay [MCT]
You renamed the Windows folder to windows.old then installed the new
instance? I thought you blew away the machine, reformatted from scratch,
which is really what's recommended in such scenarios. My feeling it may have
found the old sysvol installation during promotion, but I can't see why it
would have done that. Either way, whenever installing a new server for a DC,
always blow it away and reformat prior to reinstallation. That's a general
rule of thumb.

That was my intent but Windows installation did not give me that option
and I didn't have a great deal of time.

Post by Ace Fekay [MCT]
As for "37L4247D25-07," that appears to be an OEM generated NetBIOS name.
What NetBIOS name for the domain did you supply dcpromo? Does that name show
up in DNS anywhere? You are not using WINS, otherwise I would have suggested
to look in the WINS database, too.

I provided dcpromo with testadservs.net. I am not using WINS.

Post by Ace Fekay [MCT]
Is there a hosts or lmhosts file configured?

Nope and nope.

Post by Ace Fekay [MCT]
According to the dcdiag, there's only one DC, M1CMS001. Is that correct?

That is correct.

Post by Ace Fekay [MCT]
Please provide an updated ipconfig /all and all Eventlog errors.

Member server:

Windows IP Configuration

Host Name . . . . . . . . . . . . : M1CMS004
Primary Dns Suffix . . . . . . . : testadservs.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : testadservs.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
Connection
Physical Address. . . . . . . . . : 00-50-56-B7-40-4C
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.17.250.54(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.17.250.5
DNS Servers . . . . . . . . . . . : 172.17.250.51
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{1E843648-B173-48C1-AA85-E78E9D35E425}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling
Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2001:0:4137:9e50:24a5:2611:53ee:5c9(Preferred)
Link-local IPv6 Address . . . . . : fe80::24a5:2611:53ee:5c9%13(Preferred)
Default Gateway . . . . . . . . . : ::
NetBIOS over Tcpip. . . . . . . . : Disabled

Domain controller:

Windows IP Configuration

Host Name . . . . . . . . . . . . : M1CMS001
Primary Dns Suffix . . . . . . . : testadservs.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : testadservs.net

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82575EB Gigabit Network
Connection
Physical Address. . . . . . . . . : 00-30-48-BC-83-5E
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.17.250.51(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.17.250.5
DNS Servers . . . . . . . . . . . : 172.17.250.51
NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{1C71CFD9-263D-42F3-8C59-2A644F33B7A2}:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Teredo Tunneling
Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes

The one eventlog error:

- System

- Provider

[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}

EventID 1129

Version 0

Level 2

Task 0

Opcode 0

Keywords 0x8000000000000000

- TimeCreated

[ SystemTime] 2010-01-04T17:32:20.621911000Z

EventRecordID 8799

- Correlation

[ ActivityID] {55236415-B0FA-4EC2-956E-4BCD1B6F7EBB}

- Execution

[ ProcessID] 792
[ ThreadID] 1568

Channel System

Computer M1CMS004.testadservs.net

- Security

[ UserID] S-1-5-18


- EventData

SupportInfo1 1
SupportInfo2 1254
ProcessingMode 0
ProcessingTimeInMilliseconds 1546
ErrorCode 1222
ErrorDescription The network is not present or not started.
Post by Ace Fekay [MCT]
Read the following regarding FRS. Honestly if it was reinstalled from
scratch, I can't see why you would be getting any errors at all. It seems we
are missing something basic here.
Recovering missing FRS objects and FRS attributes in Active Directory
http://support.microsoft.com/kb/312862
Ace

I did, fairly extensively before reinstallation of Win2K8. I was still
getting errors so I decided to clean the slate. The one FRS error I got
yesterday was that it was essentially the start-up warning and it would,
if it righted itself, report so in the eventlog, which it did. FRSDiag
now reports 0 errors:

------------------------------------------------------------
FRSDiag v1.7 on 1/4/2010 1:06:29 PM
.\M1CMS001 on 2010-01-04 at 1.06.29 PM
------------------------------------------------------------

Checking for errors/warnings in FRS Event Log .... passed
Checking for errors in Directory Service Event Log .... passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is
not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ... passed
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed


Final Result = passed
--
tbaze
Ace Fekay [MCT]
2010-01-04 19:18:44 UTC
Permalink
Post by tbaze
Caching issue on the old servers? I assume you mean member servers and not
the DCs? If you are referring to the member servers, that's not likely as
long as you've disjoined the member servers from the old domain, restarted,
then joined them to the new domain and restarted.
I meant member servers and I assumed as much but that doesn't seem to
be the case if a brand new server had a OEM NetBIOS name and the old
member servers still have old DC names. I suspect it means they're not
actually pulling from SYSVOL or wherever they should come from.
You renamed the Windows folder to windows.old then installed the new
instance? I thought you blew away the machine, reformatted from scratch,
which is really what's recommended in such scenarios. My feeling it may have
found the old sysvol installation during promotion, but I can't see why it
would have done that. Either way, whenever installing a new server for a DC,
always blow it away and reformat prior to reinstallation. That's a general
rule of thumb.
That was my intent but Windows installation did not give me that option
and I didn't have a great deal of time.
As for "37L4247D25-07," that appears to be an OEM generated NetBIOS name.
What NetBIOS name for the domain did you supply dcpromo? Does that name show
up in DNS anywhere? You are not using WINS, otherwise I would have suggested
to look in the WINS database, too.
I provided dcpromo with testadservs.net. I am not using WINS.
Is there a hosts or lmhosts file configured?
Nope and nope.
According to the dcdiag, there's only one DC, M1CMS001. Is that correct?
That is correct.
Please provide an updated ipconfig /all and all Eventlog errors.
Windows IP Configuration
Host Name . . . . . . . . . . . . : M1CMS004
Primary Dns Suffix . . . . . . . : testadservs.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : testadservs.net
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network
Connection
Physical Address. . . . . . . . . : 00-50-56-B7-40-4C
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.17.250.54(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.17.250.5
DNS Servers . . . . . . . . . . . : 172.17.250.51
NetBIOS over Tcpip. . . . . . . . : Enabled
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Description . . . . . . . . . . . : Teredo Tunneling
Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
2001:0:4137:9e50:24a5:2611:53ee:5c9(Preferred)
fe80::24a5:2611:53ee:5c9%13(Preferred)
NetBIOS over Tcpip. . . . . . . . : Disabled
Windows IP Configuration
Host Name . . . . . . . . . . . . : M1CMS001
Primary Dns Suffix . . . . . . . : testadservs.net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : testadservs.net
Description . . . . . . . . . . . : Intel(R) 82575EB Gigabit Network
Connection
Physical Address. . . . . . . . . : 00-30-48-BC-83-5E
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.17.250.51(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.17.250.5
DNS Servers . . . . . . . . . . . : 172.17.250.51
NetBIOS over Tcpip. . . . . . . . : Enabled
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Media State . . . . . . . . . . . : Media disconnected
Description . . . . . . . . . . . : Teredo Tunneling
Pseudo-Interface
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
- System
- Provider
[ Name] Microsoft-Windows-GroupPolicy
[ Guid] {AEA1B4FA-97D1-45F2-A64C-4D69FFFD92C9}
EventID 1129
Version 0
Level 2
Task 0
Opcode 0
Keywords 0x8000000000000000
- TimeCreated
[ SystemTime] 2010-01-04T17:32:20.621911000Z
EventRecordID 8799
- Correlation
[ ActivityID] {55236415-B0FA-4EC2-956E-4BCD1B6F7EBB}
- Execution
[ ProcessID] 792
[ ThreadID] 1568
Channel System
Computer M1CMS004.testadservs.net
- Security
[ UserID] S-1-5-18
- EventData
SupportInfo1 1
SupportInfo2 1254
ProcessingMode 0
ProcessingTimeInMilliseconds 1546
ErrorCode 1222
ErrorDescription The network is not present or not started.
Read the following regarding FRS. Honestly if it was reinstalled from
scratch, I can't see why you would be getting any errors at all. It seems we
are missing something basic here.
Recovering missing FRS objects and FRS attributes in Active Directory
http://support.microsoft.com/kb/312862
Ace
I did, fairly extensively before reinstallation of Win2K8. I was still
getting errors so I decided to clean the slate. The one FRS error I got
yesterday was that it was essentially the start-up warning and it would,
if it righted itself, report so in the eventlog, which it did. FRSDiag
------------------------------------------------------------
FRSDiag v1.7 on 1/4/2010 1:06:29 PM
\M1CMS001 on 2010-01-04 at 1.06.29 PM
------------------------------------------------------------
Checking for errors/warnings in FRS Event Log .... passed
Checking for errors in Directory Service Event Log .... passed
Checking for minimum FRS version requirement ... passed
Checking for errors/warnings in ntfrsutl ds ... passed
Checking for Replica Set configuration triggers... passed
Checking for suspicious file Backlog size... passed
Checking Overall Disk Space and SYSVOL structure (note: integrity is
not checked)... passed
Checking for suspicious inlog entries ... passed
Checking for suspicious outlog entries ... passed
Checking for appropriate staging area size ... passed
Checking for errors in debug logs ... passed
Checking NtFrs Service (and dependent services) state...passed
Checking NtFrs related Registry Keys for possible problems...passed
Checking Repadmin Showreps for errors...passed
Final Result = passed
So it appears to have cleaned itself up. That's good. As for the EventID
1129, it's a transient message, possibly appearing before FRS and everything
getting straightened out.
http://eventid.net/display.asp?eventid=1129&eventno=10004&source=Microsoft-Windows-GroupPolicy&phase=1

It may all have come down to patience. :-)

Ace
tbaze
2010-01-04 22:54:54 UTC
Permalink
So it'd have you believe. :(

Still fails, same Eventlog error.

Modeling from the GPMC succeeds, no errors.

GPResults still results in:

Group Policy Infrastructure failed due to the error listed below.

The network is not present or not started.

Note: Due to the GP Core failure, none of the other Group Policy
components processed their policy. Consequently, status information for
the other components is not available.

Additional information may have been logged. Review the Policy Events
tab in the console or the application event log for events between
1/4/2010 5:51:14 PM and 1/4/2010 5:51:17 PM.

Note, it's had this error the entire time.

--
tbaze
Ace Fekay [MCT]
2010-01-04 23:38:26 UTC
Permalink
Post by tbaze
So it'd have you believe. :(
Still fails, same Eventlog error.
Modeling from the GPMC succeeds, no errors.
Group Policy Infrastructure failed due to the error listed below.
The network is not present or not started.
Note: Due to the GP Core failure, none of the other Group Policy
components processed their policy. Consequently, status information for
the other components is not available.
Additional information may have been logged. Review the Policy Events
tab in the console or the application event log for events between
1/4/2010 5:51:14 PM and 1/4/2010 5:51:17 PM.
Note, it's had this error the entire time.
That's quite unfortunate. Was EventID 1129 the only error in any of the logs
on the DC?

Let's disable IPv6, as well as the RSS TCP Chimney feature. There are known
issues with both. The following should assist you in this task, as well as
explain what it is.

TCP Chimney and RSS Features May Cause Slow File Transfers or Cause
Connectivity Problems
http://msmvps.com/blogs/acefekay/archive/2009/08/20/tcp-chimney-and-rss-features-may-cause-slow-file-transfers-or-cause-connectivity-problems.aspx

Paul Bergson : Disabling IPv6 on Windows 2008 (Mar 19, 2009) ... I have run
into nothing but trouble with IPv6. Not that there is anything in particular
that is wrong, but not all apps understand and can ...
http://blogs.dirteam.com/blogs/paulbergson/archive/2009/03/19/disabling-ipv6-on-windows-2008.aspx

Ace
Ace Fekay [MCT]
2010-01-04 23:47:49 UTC
Permalink
Post by tbaze
So it'd have you believe. :(
Still fails, same Eventlog error.
Modeling from the GPMC succeeds, no errors.
Group Policy Infrastructure failed due to the error listed below.
The network is not present or not started.
Note: Due to the GP Core failure, none of the other Group Policy
components processed their policy. Consequently, status information for
the other components is not available.
Additional information may have been logged. Review the Policy Events
tab in the console or the application event log for events between
1/4/2010 5:51:14 PM and 1/4/2010 5:51:17 PM.
Note, it's had this error the entire time.
Also, please run the following and post the results. Keep in mind, you must
go into your _msdcs. and your testadservs.net zones properties, Zone
transfers, and allow zone transfers for the commands to run. You can turn
this off after you've completed the run.

c:\nslookup
> ls -t srv _msdcs.testadservs.net
(hit enter and copy/paste results)
> ls -d testadservs.net
(hit enter and copy/paste results)


Ace
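
The listing returned by `ls -t srv _msdcs.testadservs.net` can be checked mechanically for SRV targets that are not current DCs, which is the DNS leftover raised earlier in the thread. The following is an added example, not part of any post: the listing is a constructed sample (the LENAD02 record is placed there for illustration only), and the function names are assumptions.

```python
import re

# One record line of nslookup's "ls -t srv" listing, for example:
#  _ldap._tcp.dc   SRV   priority=0, weight=100, port=389, host.example.net
SRV_LINE = re.compile(
    r"^\s*(?P<owner>\S+)\s+SRV\s+"
    r"priority=(?P<priority>\d+),\s*weight=(?P<weight>\d+),\s*"
    r"port=(?P<port>\d+),\s*(?P<target>\S+)\s*$",
    re.IGNORECASE,
)

# Constructed sample of a zone listing; not output from the thread.
SAMPLE_LISTING = """\
[M1CMS001.testadservs.net]
 _kerberos._tcp.Default-First-Site-Name._sites.dc SRV    priority=0, weight=100, port=88, M1CMS001.testadservs.net
 _ldap._tcp.Default-First-Site-Name._sites.dc SRV    priority=0, weight=100, port=389, M1CMS001.testadservs.net
 _kerberos._tcp.dc              SRV    priority=0, weight=100, port=88, M1CMS001.testadservs.net
 _ldap._tcp.dc                  SRV    priority=0, weight=100, port=389, M1CMS001.testadservs.net
 _ldap._tcp.dc                  SRV    priority=0, weight=100, port=389, LENAD02.testadservs.net
 _ldap._tcp.pdc                 SRV    priority=0, weight=100, port=389, M1CMS001.testadservs.net
 _ldap._tcp.gc                  SRV    priority=0, weight=100, port=3268, M1CMS001.testadservs.net
"""


def normalize(host):
    """Lower-case a host name and drop a trailing root dot for comparison."""
    return host.strip().rstrip(".").lower()


def parse_srv_listing(text):
    """Return one dict per SRV line; banners and other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = SRV_LINE.match(line)
        if m is None:
            continue
        records.append({
            "owner": m.group("owner").lower(),
            "priority": int(m.group("priority")),
            "weight": int(m.group("weight")),
            "port": int(m.group("port")),
            "target": normalize(m.group("target")),
        })
    return records


def audit_dc_records(records, expected_dcs):
    """Compare SRV targets with the DCs that should exist.

    stale        - records pointing at a host that is not an expected DC
    missing_ldap - expected DCs with no domain-wide _ldap._tcp.dc record on 389
    """
    expected = {normalize(h) for h in expected_dcs}
    stale = sorted(
        {(r["owner"], r["target"], r["port"])
         for r in records if r["target"] not in expected}
    )
    ldap_dcs = {
        r["target"] for r in records
        if r["port"] == 389
        and (r["owner"] == "_ldap._tcp.dc" or r["owner"].startswith("_ldap._tcp.dc."))
    }
    return {"stale": stale, "missing_ldap": sorted(expected - ldap_dcs)}


if __name__ == "__main__":
    recs = parse_srv_listing(SAMPLE_LISTING)
    report = audit_dc_records(recs, ["M1CMS001.testadservs.net"])
    for owner, target, port in report["stale"]:
        print(f"stale SRV: {owner} -> {target}:{port}")
    for host in report["missing_ldap"]:
        print(f"no _ldap._tcp.dc record for expected DC {host}")
```

Paste the real listing in place of the sample and pass the DCs that should exist; any stale entry is a record a client can follow to a server that is gone.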
