Discussion:
NTDS Replication event 2023 error 8589
Mr Major Thorburn
2006-01-24 15:16:04 UTC
Text from event log entry is:
The local domain controller was unable to replicate changes to the following
remote domain controller for the following directory partition.

Remote domain controller:
881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
Directory partition:
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk

The local domain controller cannot complete demotion.

User Action
Investigate why replication between these two domain controllers cannot be
performed. Then, try to demote this domain controller again.

Additional Data
Error value:
8589 The DS cannot derive a service principal name (SPN) with which to
mutually authenticate the target server because the corresponding server
object in the local DS database has no serverReference attribute.

It mentions demotion but the source and target servers have never been
demoted.
The problem is with all the servers in this sub-domain.

My question is:
Which server object is it talking about that does not have a serverReference
attribute?

Any help you can give me will move me onto a solution and the next problem.
Paul Williams [MVP]
2006-01-25 06:17:50 UTC
Type:

nslookup -type=cname 881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk


At a command prompt to resolve the GUID CNAME to an A record.

If it doesn't resolve, that is your problem.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
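The nslookup check above verifies one DC's replication alias by hand. The following script is an added example, not code from the thread or from either poster: it applies the same check to every DC in the forest. Each DC's alias is `<objectGUID of its NTDS Settings object>._msdcs.<forest root>`, and the script verifies that the alias exists as a CNAME and that it points at that DC's own dNSHostName. It assumes the ActiveDirectory and DnsClient PowerShell modules (a Windows 8 / Server 2012 or later management host) and an account that can read the Configuration partition; the function and property names in the output object are my own.

```powershell
# Added example (not from the thread): the nslookup check above, applied to every DC
# in the forest. Each DC's replication alias is <objectGUID of its NTDS Settings
# object>._msdcs.<forest root>, and it must be a CNAME to the DC's own host name.
# Assumes the ActiveDirectory and DnsClient modules (Windows 8 / Server 2012 or later
# management host) and a domain account that can read the Configuration partition.
Import-Module ActiveDirectory

function Test-DsaGuidAliases {
    $forestRoot = (Get-ADForest).RootDomain
    $configNC   = (Get-ADRootDSE).configurationNamingContext

    foreach ($ntds in Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' -SearchBase $configNC) {
        # The NTDS Settings object sits directly under the server object; strip one RDN to reach it.
        $serverDN = $ntds.DistinguishedName -replace '^CN=NTDS Settings,', ''
        $server   = Get-ADObject -Identity $serverDN -Properties dNSHostName
        $alias    = "$($ntds.ObjectGUID)._msdcs.$forestRoot"

        $target = $null
        try {
            $target = (Resolve-DnsName -Name $alias -Type CNAME -ErrorAction Stop |
                       Where-Object Type -eq 'CNAME' | Select-Object -First 1).NameHost
        } catch { }   # NXDOMAIN or no DNS server reachable: leave $target empty

        $status = if (-not $target)                                      { 'NO CNAME' }
                  elseif ($server.dNSHostName -and
                          $target.TrimEnd('.') -ieq $server.dNSHostName) { 'OK' }
                  else                                                    { 'WRONG TARGET' }

        [pscustomobject]@{
            Server   = $server.Name
            Alias    = $alias
            Resolves = $target
            Expected = $server.dNSHostName
            Status   = $status
        }
    }
}

Test-DsaGuidAliases | Format-Table -AutoSize
```

Run it from a member of the forest that uses the AD-integrated DNS servers; a "NO CNAME" row means the alias the replication partner is trying to reach does not exist in the `_msdcs` zone, which is exactly the failure the nslookup check above is looking for.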
Mr Major Thorburn
2006-01-25 16:32:04 UTC
Paul, it resolved to the server name, i.e.

881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk  canonical name = sjhdc01.xports.nhs.uk

Regards, Major.
Post by Paul Williams [MVP]
nslookup -type=cname 881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
At a command prompt to resolve the GUID CNAME to an A record.
If it doesn't resolve, that is your problem.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP]
2006-01-26 07:47:23 UTC
Post by Mr Major Thorburn
Which server object is it talking about that does not have a
serverReference attribute?
Sorry, misread your question. The corresponding server object is the object
that you see in DSSITE.MSC for the DC.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-01-26 08:01:02 UTC
OK. If I open sites and services and locate the DC that is getting these
events is it that object that does not have a serverreference attribute or
one of its connected servers?

Is it possible to fix this by using for example adsiedit?

Regards, Major.
Post by Paul Williams [MVP]
Post by Mr Major Thorburn
Which server object is it talking about that does not have a
serverReference attribute?
Sorry, misread your question. The corresponding server object is the object
that you see in DSSITE.MSC for the DC.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP]
2006-01-26 08:31:26 UTC
Post by Mr Major Thorburn
Is it possible to fix this by using for example adsiedit?
Yes, it sure is:
-- http://support.microsoft.com/?id=312862
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-01-26 12:59:02 UTC
Paul, you are a star.
Thank you very much for your help.
Your guidance and following the KB article helped me fix the problem.
Regards, Major.
Post by Paul Williams [MVP]
Post by Mr Major Thorburn
Is it possible to fix this by using for example adsiedit?
-- http://support.microsoft.com/?id=312862
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-01-26 13:21:02 UTC
Paul, sorry spoke too soon. Too eager to get this fixed I guess.
The event error came back.
I did use adsiedit to clean up the SYSVOL replication partners.
There were some old DC entries in there.

How do I use adsiedit to select the specific DC that the event error is
talking about, i.e. SJHDC01?
It is not a SYSVOL replica partner of the DC where the event error is
occurring as it is in the parent domain.

Regards, Major.
Post by Paul Williams [MVP]
Post by Mr Major Thorburn
Is it possible to fix this by using for example adsiedit?
-- http://support.microsoft.com/?id=312862
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP]
2006-01-27 12:24:56 UTC
SYSVOL doesn't replicate forest wide. It is a [special] domain-based DFS
root. Can you please clarify what changes have you made, and what errors
are you now getting? Sorry if you've stated some of this, I just want to be
sure where we're at.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-01-27 13:19:02 UTC
The changes I made were in System, File Replication. That was what the KB
article was about.
The error I am getting is the same as before, event 2023 error 8589.

The local domain controller was unable to replicate changes to the following
remote domain controller for the following directory partition.

Remote domain controller:
881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
Directory partition:
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk

The local domain controller cannot complete demotion.

User Action
Investigate why replication between these two domain controllers cannot be
performed. Then, try to demote this domain controller again.

Additional Data
Error value:
8589 The DS cannot derive a service principal name (SPN) with which to
mutually authenticate the target server because the corresponding server
object in the local DS database has no serverReference attribute.

Regards, Major.
Post by Paul Williams [MVP]
SYSVOL doesn't replicate forest wide. It is a [special] domain-based DFS
root. Can you please clarify what changes have you made, and what errors
are you now getting? Sorry if you've stated some of this, I just want to be
sure where we're at.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP]
2006-01-31 20:44:27 UTC
Sorry for the delay - I wanted to verify this in one of my customer
environments - they have several domains in a forest. I haven't been able
to yet, as I've been out of the office.

Try adding the necessary NTDS Settings object DN into the serverReference
attribute, regardless of domain. This is like so:

CN=NTDS Settings, CN=<Computer name>, CN=Servers, CN=<Site name>, CN=Sites,
CN=Configuration, DC=<forest root>,DC=com


e.g.

CN=NTDS Settings, CN=LON-MIIS, CN=Servers, CN=Default-First-Site-Name,
CN=Sites, CN=Configuration, DC=fabrikam,DC=com


Note. There appears to be a typo in the DN listed in the KB. The above is
correct - pasted from a VM.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-02-01 07:20:30 UTC
Paul, thanks for getting back to me. OK about the delays. I understand how busy
you must be. One of you and lots of us with questions.

The KB article talks about FRS SYSVOL share. The DC referenced in the event
is in a parent domain. I thought that the SYSVOL share was domain specific.
Should there be a CN entry for the server in the event on this DC in
ADSIEDIT under System, File Replication Service, Domain System Volume (SYSVOL
share)?
If not which CN would contain the ServerReference?
Regards, Major.
Post by Paul Williams [MVP]
Sorry for the delay - I wanted to verify this in one of my customer
environments - they have several domains in a forest. I haven't been able
to yet, as I've been out of the office.
Try adding the necessary NTDS Settings object DN into the serverReference
CN=NTDS Settings, CN=<Computer name>, CN=Servers, CN=<Site name>, CN=Sites,
CN=Configuration, DC=<forest root>,DC=com
e.g.
CN=NTDS Settings, CN=LON-MIIS, CN=Servers, CN=Default-First-Site-Name,
CN=Sites, CN=Configuration, DC=fabrikam,DC=com
Note. There appears to be a typo in the DN listed in the KB. The above is
correct - pasted from a VM.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP]
2006-02-01 17:04:14 UTC
Post by Mr Major Thorburn
The KB article talks about FRS SYSVOL share. The DC referenced in the
event is in a parent domain. I thought that the SYSVOL share was domain
specific.
It is. That's why the KB threw me. Although I've had a re-think and I
think I know what's going on... (famous last words before hiding away in
shame)
Post by Mr Major Thorburn
Should there be a CN entry for the server in the event on this DC in
ADSIEDIT under System, File Replication Service, Domain System Volume
(SYSVOL share)?
No.
Post by Mr Major Thorburn
If not which CN would contain the ServerReference?
The serverReference attribute should point to the NTDS Settings object for
this DC. Basically, the nTFRSMember object defines what servers are part of
a given FRS replica set. There are several important attributes of these
objects, two of which are fRSComputerReference and serverReference. The
former holds the DN of the FRS member that this object represents. The
latter holds the DN of the connection object for the FRS member that this
object represents. The reason being that SYSVOL uses the same connection
objects as DS replication.

So, you need to verify that both servers point to themselves, or rather,
their own connection object. The parent DC's member object should have its
own NTDS Settings object as its serverReference attribute, and the other DC
in question should have its own.

As an example, you have four DCs - two per domain. We'll focus on one from
each domain. In this example there are two nTFRSMember objects that we're
concerned with (one in each domain):

CN=PDC01, CN=Domain System Volume (SYSVOL), CN=File Replication Service,
CN=System, DC=forest-root, DC=com

CN=CDC01, CN=Domain System Volume (SYSVOL), CN=File Replication Service,
CN=System, DC=child-domain, DC=forest-root, DC=com


These should have a serverReference attribute that points to something like
this:

CN=NTDS Settings, CN=PDC01, CN=Servers, CN=ParentDomainSite, CN=Sites,
CN=Configuration, DC=forest-root, DC=com

CN=NTDS Settings, CN=CDC01, CN=Servers, CN=ChildDomainSite, CN=Sites,
CN=Configuration, DC=child-domain, DC=forest-root, DC=com


Hope that makes sense.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
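Two different serverReference links are in play in this thread: the one on the server object under CN=Sites (the object DSSITE.MSC shows, and the one the 8589 text says is missing), which points at the DC's computer object, and the one on the nTFRSMember object in each domain's SYSVOL replica set, which, as the DNs in the post above show, points at the DC's NTDS Settings object. The script below is an added example, not code from the thread or from either poster, that audits both links for every DC in every domain of the forest. It assumes the ActiveDirectory module and an account (Enterprise Admins or equivalent) that can read the Configuration partition and each domain's System container; the function names are my own, and it assumes the server object in Sites carries the same name as the DC's computer object, which is the normal case.

```powershell
# Added example (not from the thread): audit the two serverReference links that the
# 8589 error and dcdiag's VerifyReferences test depend on, across the whole forest.
# Assumes the ActiveDirectory module and rights to read the Configuration NC and each
# domain's CN=System container.
Import-Module ActiveDirectory
$configNC = (Get-ADRootDSE).configurationNamingContext

function Get-DomainFromDN([string]$DN) {
    # "CN=x,OU=Domain Controllers,DC=child,DC=example,DC=com" -> "child.example.com"
    (($DN -split ',' | Where-Object { $_ -like 'DC=*' }) -replace '^DC=', '') -join '.'
}

function Test-DnExists([string]$DN) {
    # Look the DN up on a DC of the domain it lives in. The default (local domain) DC
    # cannot resolve a DN from the parent or a sibling domain, which is the cross-domain
    # case this thread is about; Configuration NC DNs resolve on any DC.
    if (-not $DN) { return $false }
    try { $null = Get-ADObject -Identity $DN -Server (Get-DomainFromDN $DN) -ErrorAction Stop; $true }
    catch { $false }
}

function Test-ServerObjectReferences {
    # Link 1: server object under CN=Sites -> serverReference -> the DC's computer object.
    # An empty or dangling value here is what the 8589 text describes.
    foreach ($srv in Get-ADObject -LDAPFilter '(objectClass=server)' -SearchBase $configNC -Properties serverReference) {
        [pscustomobject]@{
            Check  = 'server.serverReference'
            Object = $srv.Name
            Target = $srv.serverReference
            OK     = Test-DnExists $srv.serverReference
        }
    }
}

function Test-FrsMemberReferences {
    # Link 2: nTFRSMember in each domain's SYSVOL replica set -> serverReference ->
    # NTDS Settings object of the same DC, and frsComputerReference -> its computer object.
    foreach ($dom in (Get-ADForest).Domains) {
        $domainNC = (Get-ADDomain -Identity $dom).DistinguishedName
        $sysvol   = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainNC"
        foreach ($m in Get-ADObject -LDAPFilter '(objectClass=nTFRSMember)' -SearchBase $sysvol -Server $dom `
                                    -Properties serverReference, frsComputerReference) {
            $computerName = ($m.frsComputerReference -split ',')[0] -replace '^CN=', ''
            # Assumption: the server object in Sites has the same name as the computer object.
            $expectedPrefix = "CN=NTDS Settings,CN=$computerName,CN=Servers,"
            $ok = (Test-DnExists $m.frsComputerReference) -and
                  (Test-DnExists $m.serverReference) -and
                  $m.serverReference.StartsWith($expectedPrefix, 'OrdinalIgnoreCase') -and
                  $m.serverReference.EndsWith(",CN=Sites,$configNC", 'OrdinalIgnoreCase')
            [pscustomobject]@{
                Check  = 'nTFRSMember.serverReference'
                Object = "$dom\$($m.Name)"
                Target = $m.serverReference
                OK     = $ok
            }
        }
    }
}

# Print only the broken links; an empty table means both references are intact everywhere.
@(Test-ServerObjectReferences) + @(Test-FrsMemberReferences) |
    Where-Object { -not $_.OK } | Format-Table -AutoSize
```

The cross-domain lookup in Test-DnExists matters for the situation described in this thread: a member object in the child domain points into the Configuration partition, and a server object for a parent-domain DC points at a computer object in the parent domain, so a check that only binds to the local domain would report false negatives.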
Mr Major Thorburn
2006-02-02 08:10:26 UTC
Paul, thanks for the excellent explanation which I followed with no problem.
I checked the serverReference and the field is correct for all the DCs in
all the domains.
The confusion for me is that the event log entry is referring to a server
that is not in this domain. On this particular DC it is for a DC from the
parent domain. If I look on the parent domain it has the same event but for
this DC.
It looks like there is a link missing.

I should have pointed out earlier that this ActiveDirectory setup has been
established via an Active Directory disaster recovery exercise, following all
the good guidelines from MS, and is all running on virtual systems.
It was established because we do not have a test facility.
I have carried out things like installation of SP1, promotions, demotions,
move of DCs, rename of DCs and raising the forest to run in native mode and
all has been successful.
What I am trying to achieve now is a domain rename and this event error
is what is stopping me doing that.

We have an opportunity here to do what we like.
If we want to experiment with something I will take a backup of all the images
and we can do anything we like as we would have a full recovery available.

Regards, Major.
Post by Paul Williams [MVP]
Post by Mr Major Thorburn
The KB article talks about FRS SYSVOL share. The DC referenced in the
event is in a parent domain. I thought that the SYSVOL share was domain
specific.
It is. That's why the KB threw me. Although I've had a re-think and I
think I know what's going on... (famous last words before hiding away in
shame)
Post by Mr Major Thorburn
Should there be a CN entry for the server in the event on this DC in
ADSIEDIT under System, File Replication Service, Domain System Volume
(SYSVOL share)?
No.
Post by Mr Major Thorburn
If not which CN would contain the ServerReference?
The serverReference attribute should point to the NTDS Settings object for
this DC. Basically, the nTFRSMember object defines what servers are part of
a given FRS replica set. There are several important attributes of these
objects, two of which are fRSComputerReference and serverReference. The
former holds the DN of the FRS member that this object represents. The
latter holds the DN of the connection object for the FRS member that this
object represents. The reason being that SYSVOL uses the same connection
objects as DS replication.
So, you need to verify that both servers point to themselves, or rather,
their own connection object. The parent DC's member object should have its
own NTDS Settings object as its serverReference attribute, and the other DC
in question should have its own.
As an example, you have four DCs - two per domain. We'll focus on one from
each domain. In this example there are two nTFRSMember objects that we're
CN=PDC01, CN=Domain System Volume (SYSVOL), CN=File Replication Service,
CN=System, DC=forest-root, DC=com
CN=CDC01, CN=Domain System Volume (SYSVOL), CN=File Replication Service,
CN=System, DC=child-domain, DC=forest-root, DC=com
These should have a serverReference attribute that points to something like
CN=NTDS Settings, CN=PDC01, CN=Servers, CN=ParentDomainSite, CN=Sites,
CN=Configuration, DC=forest-root, DC=com
CN=NTDS Settings, CN=CDC01, CN=Servers, CN=ChildDomainSite, CN=Sites,
CN=Configuration, DC=child-domain, DC=forest-root, DC=com
Hope that makes sense.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP]
2006-02-03 10:55:23 UTC
This is looking more and more like the only issue is with replicating that
app partition rather than an issue with FRS.

Delete all the connection objects for each server object in DSSITE.MSC and
go and get yourself a cup of coffee. After you've drunk it, fire up REPLMON
and force replication between DCs in the same domain and across domains (the
enterprise and app partitions).

Rescan the event logs.

Also, run DCDIAG /V /C /E and post any errors or warnings.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-02-06 07:35:34 UTC
Paul, thanks for your help so far.
The links were all regenerated automatically, eventually. Sorry for the delay.
I am still getting the event error but for a different server same domain.
I have checked replmon for this link and it completed successfully last time.
I ran DCDIAG on one of the servers that is getting the event error and the
output is posted below:
Regards, Major.

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine phcntsjhdc01, is a DC.
* Connecting to directory service on server phcntsjhdc01.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 8 DC(s). Testing 8 of them.
Done gathering initial info.

Doing initial required tests

Testing server: virtual\SJHDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... SJHDC01 passed test Connectivity

Testing server: virtual\SMHDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... SMHDC01 passed test Connectivity

Testing server: virtual\PHCNTSJHDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PHCNTSJHDC01 passed test Connectivity

Testing server: virtual\PHTSMHDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PHTSMHDC01 passed test Connectivity

Testing server: virtual\PHTQAHDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PHTQAHDC01 passed test Connectivity

Testing server: virtual\VIRTDC04
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... VIRTDC04 passed test Connectivity

Testing server: virtual\QAHDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... QAHDC01 passed test Connectivity

Testing server: virtual\PHTQAHDC04
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PHTQAHDC04 passed test Connectivity

Doing primary tests

Testing server: virtual\SJHDC01
Starting test: Replications
* Replications Check
[Replications Check,SJHDC01] DsReplicaGetInfoW(PENDING_OPS) failed
with error 8453,
Replication access was denied..
......................... SJHDC01 failed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... SJHDC01 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... SJHDC01 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC SJHDC01.
* Security Permissions Check for
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=xports,DC=nhs,DC=uk
(Configuration,Version 2)
* Security Permissions Check for
DC=xports,DC=nhs,DC=uk
(Domain,Version 2)
......................... SJHDC01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\SJHDC01\netlogon
Verified share \\SJHDC01\sysvol
[SJHDC01] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... SJHDC01 failed test NetLogons
Starting test: Advertising
The DC SJHDC01 is advertising itself as a DC and having a DS.
The DC SJHDC01 is advertising as an LDAP server
The DC SJHDC01 is advertising as having a writeable directory
The DC SJHDC01 is advertising as a Key Distribution Center
Warning: SJHDC01 is not advertising as a time server.
......................... SJHDC01 failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role Domain Owner = CN=NTDS Settings,CN=SMHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role PDC Owner = CN=NTDS Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role Rid Owner = CN=NTDS Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role Infrastructure Update Owner = CN=NTDS Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
......................... SJHDC01 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 5603 to 1073741823
* sjhdc01.xports.nhs.uk is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4603 to 5102
* rIDPreviousAllocationPool is 4603 to 5102
* rIDNextRID: 4604
......................... SJHDC01 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC SJHDC01 on DC SJHDC01.
* SPN found :LDAP/sjhdc01.xports.nhs.uk/xports.nhs.uk
* SPN found :LDAP/sjhdc01.xports.nhs.uk
* SPN found :LDAP/SJHDC01
* SPN found :LDAP/sjhdc01.xports.nhs.uk/PORTS
* SPN found
:LDAP/881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/881ebe49-647f-46f2-8017-b0a14f94b25a/xports.nhs.uk
* SPN found :HOST/sjhdc01.xports.nhs.uk/xports.nhs.uk
* SPN found :HOST/sjhdc01.xports.nhs.uk
* SPN found :HOST/SJHDC01
* SPN found :HOST/sjhdc01.xports.nhs.uk/PORTS
* SPN found :GC/sjhdc01.xports.nhs.uk/xports.nhs.uk
......................... SJHDC01 passed test MachineAccount
Starting test: Services
Could not open Service Control Manager on [SJHDC01]:failed with 5:
Access is denied.
......................... SJHDC01 failed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... SJHDC01 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
SJHDC01 is in domain DC=xports,DC=nhs,DC=uk
Checking for CN=SJHDC01,OU=Domain
Controllers,DC=xports,DC=nhs,DC=uk in domain DC=xports,DC=nhs,DC=uk on 6
servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk in domain CN=Configuration,DC=xports,DC=nhs,DC=uk on 8 servers
Object is up-to-date on all servers.
......................... SJHDC01 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... SJHDC01 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
Error 5 accessing FRS eventlog: Access is denied.
......................... SJHDC01 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Error 5 accessing FRS eventlog: Access is denied.
Failed to enumerate event log records, error Access is denied.
......................... SJHDC01 failed test kccevent
Starting test: systemlog
* The System Event log test
Error 5 accessing FRS eventlog: Access is denied.
Failed to enumerate event log records, error Access is denied.
......................... SJHDC01 failed test systemlog
Starting test: VerifyReplicas
......................... SJHDC01 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=SJHDC01,OU=Domain Controllers,DC=xports,DC=nhs,DC=uk and backlink
on

CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
are correct.
The system object reference (frsComputerReferenceBL)
CN=SJHDC01,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=xports,DC=nhs,DC=uk
and backlink on
CN=SJHDC01,OU=Domain Controllers,DC=xports,DC=nhs,DC=uk are correct.
The system object reference (serverReferenceBL)
CN=SJHDC01,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=xports,DC=nhs,DC=uk
and backlink on
CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
are correct.
......................... SJHDC01 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... SJHDC01 passed test
VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC QAHDC01 for domain xports.nhs.uk in site virtual
Checking machine account for DC SJHDC01 on DC QAHDC01.
* SPN found :LDAP/sjhdc01.xports.nhs.uk/xports.nhs.uk
* SPN found :LDAP/sjhdc01.xports.nhs.uk
* SPN found :LDAP/SJHDC01
* SPN found :LDAP/sjhdc01.xports.nhs.uk/PORTS
* SPN found
:LDAP/881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/881ebe49-647f-46f2-8017-b0a14f94b25a/xports.nhs.uk
* SPN found :HOST/sjhdc01.xports.nhs.uk/xports.nhs.uk
* SPN found :HOST/sjhdc01.xports.nhs.uk
* SPN found :HOST/SJHDC01
* SPN found :HOST/sjhdc01.xports.nhs.uk/PORTS
* SPN found :GC/sjhdc01.xports.nhs.uk/xports.nhs.uk
Checking for CN=SJHDC01,OU=Domain
Controllers,DC=xports,DC=nhs,DC=uk in domain DC=xports,DC=nhs,DC=uk on 2
servers
Object is up-to-date on all servers.
[SJHDC01] DsReplicaGetInfo(KCC_DS_CONNECT_FAILURES) failed with
error 8453,
Replication access was denied..
[SJHDC01] Unable to query the list of KCC connection failures.
Continuing...
[SJHDC01] No security related replication errors were found on this
DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... SJHDC01 passed test CheckSecurityError

Testing server: virtual\SMHDC01
Starting test: Replications
* Replications Check
REPLICATION LATENCY WARNING
SMHDC01: This replication path was preempted by higher priority work.
from PHTSMHDC01 to SMHDC01
Reason: Synchronization attempt failed because the destination
DC is currently waiting to synchronize new partial attributes from source.
This condition is normal if a recent schema change modified the partial
attribute set. The destination partial attribute set is not a subset of
source partial attribute set.
The last success occurred at 2006-02-06 07:22:10.
Replication of new changes along this path will be delayed.
REPLICATION LATENCY WARNING
SMHDC01: This replication path was preempted by higher priority work.
from PHTSMHDC01 to SMHDC01
Reason: Synchronization attempt failed because the destination
DC is currently waiting to synchronize new partial attributes from source.
This condition is normal if a recent schema change modified the partial
attribute set. The destination partial attribute set is not a subset of
source partial attribute set.
The last success occurred at 2006-02-06 05:57:24.
Replication of new changes along this path will be delayed.
[Replications Check,SMHDC01] DsReplicaGetInfoW(PENDING_OPS) failed
with error 8453,
Replication access was denied..
......................... SMHDC01 failed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=pht-master,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=pha,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=phcnt,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... SMHDC01 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=pht-master,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=pha,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=phcnt,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... SMHDC01 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC SMHDC01.
* Security Permissions Check for
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=xports,DC=nhs,DC=uk
(Configuration,Version 2)
* Security Permissions Check for
DC=xports,DC=nhs,DC=uk
(Domain,Version 2)
* Security Permissions Check for
DC=pht-master,DC=xports,DC=nhs,DC=uk
(Domain,Version 2)
* Security Permissions Check for
DC=pha,DC=xports,DC=nhs,DC=uk
(Domain,Version 2)
* Security Permissions Check for
DC=phcnt,DC=xports,DC=nhs,DC=uk
(Domain,Version 2)
......................... SMHDC01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\SMHDC01\netlogon
Verified share \\SMHDC01\sysvol
[SMHDC01] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... SMHDC01 failed test NetLogons
Starting test: Advertising
The DC SMHDC01 is advertising itself as a DC and having a DS.
The DC SMHDC01 is advertising as an LDAP server
The DC SMHDC01 is advertising as having a writeable directory
The DC SMHDC01 is advertising as a Key Distribution Center
Warning: SMHDC01 is not advertising as a time server.
The DS SMHDC01 is advertising as a GC.
......................... SMHDC01 failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role Domain Owner = CN=NTDS
Settings,CN=SMHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role PDC Owner = CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role Rid Owner = CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
......................... SMHDC01 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 5603 to 1073741823
* sjhdc01.xports.nhs.uk is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4103 to 4602
* rIDPreviousAllocationPool is 4103 to 4602
* rIDNextRID: 4103
......................... SMHDC01 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC SMHDC01 on DC SMHDC01.
* SPN found :LDAP/smhdc01.xports.nhs.uk/xports.nhs.uk
* SPN found :LDAP/smhdc01.xports.nhs.uk
* SPN found :LDAP/SMHDC01
* SPN found :LDAP/smhdc01.xports.nhs.uk/PORTS
* SPN found
:LDAP/1dc26881-4ba8-42f7-bbc7-ed9f1ed16e0b._msdcs.xports.nhs.uk
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/1dc26881-4ba8-42f7-bbc7-ed9f1ed16e0b/xports.nhs.uk
* SPN found :HOST/smhdc01.xports.nhs.uk/xports.nhs.uk
* SPN found :HOST/smhdc01.xports.nhs.uk
* SPN found :HOST/SMHDC01
* SPN found :HOST/smhdc01.xports.nhs.uk/PORTS
* SPN found :GC/smhdc01.xports.nhs.uk/xports.nhs.uk
......................... SMHDC01 passed test MachineAccount
Starting test: Services
Could not open Service Control Manager on [SMHDC01]:failed with 5:
Access is denied.
......................... SMHDC01 failed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... SMHDC01 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
SMHDC01 is in domain DC=xports,DC=nhs,DC=uk
Checking for CN=SMHDC01,OU=Domain
Controllers,DC=xports,DC=nhs,DC=uk in domain DC=xports,DC=nhs,DC=uk on 6
servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=SMHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk in domain CN=Configuration,DC=xports,DC=nhs,DC=uk on 8 servers
Object is up-to-date on all servers.
......................... SMHDC01 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... SMHDC01 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
Error 5 accessing FRS eventlog: Access is denied.
......................... SMHDC01 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Error 5 accessing FRS eventlog: Access is denied.
Failed to enumerate event log records, error Access is denied.
......................... SMHDC01 failed test kccevent
Starting test: systemlog
* The System Event log test
Error 5 accessing FRS eventlog: Access is denied.
Failed to enumerate event log records, error Access is denied.
......................... SMHDC01 failed test systemlog
Starting test: VerifyReplicas
Post by Paul Williams [MVP]
This is looking more and more like the only issue is with replicating that
app partition rather than an issue with FRS.
Delete all the connection objects for each server object in DSSITE.MSC and
go and get yourself a cup of coffee. After you've drunk it, fire up REPLMON
and force replication between DCs in the same domain and across domains (the
enterprise and app partitions).
Rescan the event logs.
Also, run DCDIAG /V /C /E and post any errors or warnings.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-02-07 14:08:28 UTC
Permalink
Paul, further to my previous response I have removed two DCs that I had added
(was trying to force the regeneration of the links). Now back to the
original 8 (2 per domain, 1 parent 3 children).
The dcdiag still shows errors but most of them seem to be for access denied.
The id I am using to run the command is a domain admin in the sub domain and
the server it is concerned about is in the parent domain.
I tried to 'manage' the server in the parent domain and when I tried to open
the services I got access denied. When I tried the same on the live
production system it worked fine.
What access rights are required for a domain administrator of a child domain
to open services on a DC in a parent domain?
Regards, Major.
Post by Paul Williams [MVP]
This is looking more and more like the only issue is with replicating that
app partition rather than an issue with FRS.
Delete all the connection objects for each server object in DSSITE.MSC and
go and get yourself a cup of coffee. After you've drunk it, fire up REPLMON
and force replication between DCs in the same domain and across domains (the
enterprise and app partitions).
Rescan the event logs.
Also, run DCDIAG /V /C /E and post any errors or warnings.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP]
2006-02-10 08:32:51 UTC
Permalink
You'll need to be administrator in that domain. Which means you need to be
a member of the built-in\administrators group (or EA).
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-02-10 13:26:29 UTC
Permalink
Paul, thanks for staying with me on this.
I have put the domain admins group of each sub domain into the enterprise
admins group.
I reran the dcdiag and I am still getting access denied errors.
Regards, Major.

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine phcntsjhdc01, is a DC.
* Connecting to directory service on server phcntsjhdc01.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 6 DC(s). Testing 6 of them.
Done gathering initial info.

Doing initial required tests

Testing server: virtual\SJHDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... SJHDC01 passed test Connectivity

Testing server: virtual\SMHDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... SMHDC01 passed test Connectivity

Testing server: virtual\PHCNTSJHDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PHCNTSJHDC01 passed test Connectivity

Testing server: virtual\PHTSMHDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PHTSMHDC01 passed test Connectivity

Testing server: virtual\PHTQAHDC01
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PHTQAHDC01 passed test Connectivity

Testing server: virtual\VIRTDC04
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... VIRTDC04 passed test Connectivity

Doing primary tests

Testing server: virtual\SJHDC01
Starting test: Replications
* Replications Check
[Replications Check,SJHDC01] DsReplicaGetInfoW(PENDING_OPS) failed
with error 8453,
Replication access was denied..
......................... SJHDC01 failed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... SJHDC01 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... SJHDC01 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC SJHDC01.
* Security Permissions Check for
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=xports,DC=nhs,DC=uk
(Configuration,Version 2)
* Security Permissions Check for
DC=xports,DC=nhs,DC=uk
(Domain,Version 2)
......................... SJHDC01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\SJHDC01\netlogon
Verified share \\SJHDC01\sysvol
[SJHDC01] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... SJHDC01 failed test NetLogons
Starting test: Advertising
The DC SJHDC01 is advertising itself as a DC and having a DS.
The DC SJHDC01 is advertising as an LDAP server
The DC SJHDC01 is advertising as having a writeable directory
The DC SJHDC01 is advertising as a Key Distribution Center
Warning: SJHDC01 is not advertising as a time server.
......................... SJHDC01 failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role Domain Owner = CN=NTDS
Settings,CN=SMHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role PDC Owner = CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role Rid Owner = CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
......................... SJHDC01 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 5603 to 1073741823
* sjhdc01.xports.nhs.uk is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4603 to 5102
* rIDPreviousAllocationPool is 4603 to 5102
* rIDNextRID: 4604
......................... SJHDC01 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC SJHDC01 on DC SJHDC01.
* SPN found :LDAP/sjhdc01.xports.nhs.uk/xports.nhs.uk
* SPN found :LDAP/sjhdc01.xports.nhs.uk
* SPN found :LDAP/SJHDC01
* SPN found :LDAP/sjhdc01.xports.nhs.uk/PORTS
* SPN found
:LDAP/881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/881ebe49-647f-46f2-8017-b0a14f94b25a/xports.nhs.uk
* SPN found :HOST/sjhdc01.xports.nhs.uk/xports.nhs.uk
* SPN found :HOST/sjhdc01.xports.nhs.uk
* SPN found :HOST/SJHDC01
* SPN found :HOST/sjhdc01.xports.nhs.uk/PORTS
* SPN found :GC/sjhdc01.xports.nhs.uk/xports.nhs.uk
......................... SJHDC01 passed test MachineAccount
Starting test: Services
Could not open Service Control Manager on [SJHDC01]:failed with 5:
Access is denied.
......................... SJHDC01 failed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... SJHDC01 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
SJHDC01 is in domain DC=xports,DC=nhs,DC=uk
Checking for CN=SJHDC01,OU=Domain
Controllers,DC=xports,DC=nhs,DC=uk in domain DC=xports,DC=nhs,DC=uk on 5
servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk in domain CN=Configuration,DC=xports,DC=nhs,DC=uk on 6 servers
Object is up-to-date on all servers.
......................... SJHDC01 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... SJHDC01 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
Error 5 accessing FRS eventlog: Access is denied.
......................... SJHDC01 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Error 5 accessing FRS eventlog: Access is denied.
Failed to enumerate event log records, error Access is denied.
......................... SJHDC01 failed test kccevent
Starting test: systemlog
* The System Event log test
Error 5 accessing FRS eventlog: Access is denied.
Failed to enumerate event log records, error Access is denied.
......................... SJHDC01 failed test systemlog
Starting test: VerifyReplicas
......................... SJHDC01 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=SJHDC01,OU=Domain Controllers,DC=xports,DC=nhs,DC=uk and backlink
on

CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
are correct.
The system object reference (frsComputerReferenceBL)
CN=SJHDC01,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=xports,DC=nhs,DC=uk
and backlink on
CN=SJHDC01,OU=Domain Controllers,DC=xports,DC=nhs,DC=uk are correct.
The system object reference (serverReferenceBL)
CN=SJHDC01,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=xports,DC=nhs,DC=uk
and backlink on
CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
are correct.
......................... SJHDC01 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... SJHDC01 passed test
VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC SJHDC01 for domain xports.nhs.uk in site virtual
Checking machine account for DC SJHDC01 on DC SJHDC01.
* SPN found :LDAP/sjhdc01.xports.nhs.uk/xports.nhs.uk
* SPN found :LDAP/sjhdc01.xports.nhs.uk
* SPN found :LDAP/SJHDC01
* SPN found :LDAP/sjhdc01.xports.nhs.uk/PORTS
* SPN found
:LDAP/881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/881ebe49-647f-46f2-8017-b0a14f94b25a/xports.nhs.uk
* SPN found :HOST/sjhdc01.xports.nhs.uk/xports.nhs.uk
* SPN found :HOST/sjhdc01.xports.nhs.uk
* SPN found :HOST/SJHDC01
* SPN found :HOST/sjhdc01.xports.nhs.uk/PORTS
* SPN found :GC/sjhdc01.xports.nhs.uk/xports.nhs.uk
[SJHDC01] DsReplicaGetInfo(KCC_DS_CONNECT_FAILURES) failed with
error 8453,
Replication access was denied..
[SJHDC01] Unable to query the list of KCC connection failures.
Continuing...
[SJHDC01] No security related replication errors were found on this
DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... SJHDC01 passed test CheckSecurityError

Testing server: virtual\SMHDC01
Starting test: Replications
* Replications Check
REPLICATION LATENCY WARNING
SMHDC01: This replication path was preempted by higher priority work.
from PHTSMHDC01 to SMHDC01
Reason: Synchronization attempt failed because the destination
DC is currently waiting to synchronize new partial attributes from source.
This condition is normal if a recent schema change modified the partial
attribute set. The destination partial attribute set is not a subset of
source partial attribute set.
The last success occurred at 2006-02-10 11:58:28.
Replication of new changes along this path will be delayed.
REPLICATION LATENCY WARNING
SMHDC01: This replication path was preempted by higher priority work.
from PHTSMHDC01 to SMHDC01
Reason: Synchronization attempt failed because the destination
DC is currently waiting to synchronize new partial attributes from source.
This condition is normal if a recent schema change modified the partial
attribute set. The destination partial attribute set is not a subset of
source partial attribute set.
The last success occurred at 2006-02-10 11:58:28.
Replication of new changes along this path will be delayed.
[Replications Check,SMHDC01] DsReplicaGetInfoW(PENDING_OPS) failed
with error 8453,
Replication access was denied..
......................... SMHDC01 failed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=pht-master,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=pha,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=phcnt,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... SMHDC01 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=pht-master,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=pha,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=phcnt,DC=xports,DC=nhs,DC=uk.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... SMHDC01 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC SMHDC01.
* Security Permissions Check for
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=xports,DC=nhs,DC=uk
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=xports,DC=nhs,DC=uk
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=xports,DC=nhs,DC=uk
(Configuration,Version 2)
* Security Permissions Check for
DC=xports,DC=nhs,DC=uk
(Domain,Version 2)
* Security Permissions Check for
DC=pht-master,DC=xports,DC=nhs,DC=uk
(Domain,Version 2)
* Security Permissions Check for
DC=pha,DC=xports,DC=nhs,DC=uk
(Domain,Version 2)
* Security Permissions Check for
DC=phcnt,DC=xports,DC=nhs,DC=uk
(Domain,Version 2)
......................... SMHDC01 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\SMHDC01\netlogon
Verified share \\SMHDC01\sysvol
[SMHDC01] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... SMHDC01 failed test NetLogons
Starting test: Advertising
The DC SMHDC01 is advertising itself as a DC and having a DS.
The DC SMHDC01 is advertising as an LDAP server
The DC SMHDC01 is advertising as having a writeable directory
The DC SMHDC01 is advertising as a Key Distribution Center
Warning: SMHDC01 is not advertising as a time server.
The DS SMHDC01 is advertising as a GC.
......................... SMHDC01 failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role Domain Owner = CN=NTDS
Settings,CN=SMHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role PDC Owner = CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role Rid Owner = CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=SJHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk
......................... SMHDC01 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 5603 to 1073741823
* sjhdc01.xports.nhs.uk is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 4103 to 4602
* rIDPreviousAllocationPool is 4103 to 4602
* rIDNextRID: 4103
......................... SMHDC01 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC SMHDC01 on DC SMHDC01.
* SPN found :LDAP/smhdc01.xports.nhs.uk/xports.nhs.uk
* SPN found :LDAP/smhdc01.xports.nhs.uk
* SPN found :LDAP/SMHDC01
* SPN found :LDAP/smhdc01.xports.nhs.uk/PORTS
* SPN found
:LDAP/1dc26881-4ba8-42f7-bbc7-ed9f1ed16e0b._msdcs.xports.nhs.uk
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/1dc26881-4ba8-42f7-bbc7-ed9f1ed16e0b/xports.nhs.uk
* SPN found :HOST/smhdc01.xports.nhs.uk/xports.nhs.uk
* SPN found :HOST/smhdc01.xports.nhs.uk
* SPN found :HOST/SMHDC01
* SPN found :HOST/smhdc01.xports.nhs.uk/PORTS
* SPN found :GC/smhdc01.xports.nhs.uk/xports.nhs.uk
......................... SMHDC01 passed test MachineAccount
Starting test: Services
Could not open Service Control Manager on [SMHDC01]:failed with 5:
Access is denied.
......................... SMHDC01 failed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... SMHDC01 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
SMHDC01 is in domain DC=xports,DC=nhs,DC=uk
Checking for CN=SMHDC01,OU=Domain
Controllers,DC=xports,DC=nhs,DC=uk in domain DC=xports,DC=nhs,DC=uk on 5
servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=SMHDC01,CN=Servers,CN=virtual,CN=Sites,CN=Configuration,DC=xports,DC=nhs,DC=uk in domain CN=Configuration,DC=xports,DC=nhs,DC=uk on 6 servers
Object is up-to-date on all servers.
......................... SMHDC01 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... SMHDC01 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
Error 5 accessing FRS eventlog: Access is denied.
......................... SMHDC01 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Error 5 accessing FRS eventlog: Access is denied.
Failed to enumerate event log records, error Access is denied.
......................... SMHDC01 failed test kccevent
Starting test: systemlog
* The System Event log test
Error 5 accessing FRS eventlog: Access is denied.
Failed to enumerate event log records, error Access is denied.
......................... SMHDC01 failed test systemlog
Starting test: VerifyReplicas
Post by Paul Williams [MVP]
You'll need to be administrator in that domain. Which means you need to be
a member of the built-in\administrators group (or EA).
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
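Most of the failures in a verbose run like the one above are the same thing reported by several tests: the account running dcdiag is being refused on the target DC (error 5, 8453, "does not have permission"), which says nothing about replication itself. The script below is an added example, not part of this thread or of dcdiag; it parses dcdiag output into one row per server/test and flags which failures are only access denied, so the remaining ones (such as the Advertising warning) can be chased first. The sample text is constructed from lines of the kind shown in the thread.

```powershell
# Added example (not from the thread): summarise a verbose dcdiag run and
# separate "access denied" failures (the account lacks rights on the target
# DC) from failures that point at replication, DNS or service problems.
# The sample below is constructed from lines of the kind seen in this thread.
$sampleDcdiag = @'
Testing server: virtual\SJHDC01
Starting test: Replications
[Replications Check,SJHDC01] DsReplicaGetInfoW(PENDING_OPS) failed
with error 8453,
Replication access was denied..
......................... SJHDC01 failed test Replications
Starting test: NetLogons
[SJHDC01] User credentials does not have permission to perform this
operation.
......................... SJHDC01 failed test NetLogons
Starting test: Services
Could not open Service Control Manager on [SJHDC01]:failed with 5:
Access is denied.
......................... SJHDC01 failed test Services
Starting test: KnowsOfRoleHolders
......................... SJHDC01 passed test KnowsOfRoleHolders
Starting test: frsevent
Error 5 accessing FRS eventlog: Access is denied.
......................... SJHDC01 failed test frsevent
Starting test: VerifyReferences
......................... SJHDC01 passed test VerifyReferences
Testing server: virtual\SMHDC01
Starting test: Advertising
Warning: SMHDC01 is not advertising as a time server.
......................... SMHDC01 failed test Advertising
'@

function Get-DcdiagSummary {
    param([Parameter(Mandatory)][string]$Text)

    # Phrases that mean "the caller was refused", not "the DC is broken".
    $accessDeniedPattern = 'Access is denied|access was denied|error 8453|does not have permission'

    $results = @()
    $currentTest = $null
    $buffer = @()          # detail lines collected since the last "Starting test:"

    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*Starting test:\s*(\S+)') {
            $currentTest = $Matches[1]
            $buffer = @()
            continue
        }
        # dcdiag closes each test with "..... <server> passed|failed test <name>"
        if ($line -match '^\s*\.{3,}\s*(?<server>\S+)\s+(?<result>passed|failed)\s+test\s+(?<test>\S+)') {
            $server = $Matches.server
            $result = $Matches.result
            $test   = $Matches.test
            $detail = ($buffer -join ' ').Trim()
            $results += [pscustomobject]@{
                Server       = $server
                Test         = $test
                Result       = $result
                AccessDenied = ($result -eq 'failed' -and $detail -match $accessDeniedPattern)
                Detail       = $detail
            }
            $currentTest = $null
            $buffer = @()
            continue
        }
        if ($currentTest) { $buffer += $line.Trim() }
    }
    return $results
}

$summary = Get-DcdiagSummary -Text $sampleDcdiag
$summary | Format-Table Server, Test, Result, AccessDenied -AutoSize

# Failures that are NOT explained by missing rights are the ones worth chasing first.
$summary | Where-Object { $_.Result -eq 'failed' -and -not $_.AccessDenied } |
    Format-Table Server, Test, Detail -AutoSize
```

To use it on a real run, replace `$sampleDcdiag` with `Get-Content .\dcdiag.txt -Raw`. If every remaining "real" failure disappears once the run is repeated with an account that is a member of the target domain's built-in Administrators group, the access-denied rows were the whole story.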
Paul Williams [MVP]
2006-03-21 20:52:56 UTC
Permalink
This is strange. All of those errors are access denied. Are these DCs
still members of the Domain Controllers group?
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-03-22 07:50:31 UTC
Permalink
Paul, thanks for getting back to me. I have been working on other things
since the last post so any delay has not been a problem. I'm just glad of
your response.

All the DCs are in the appropriate domain controllers group and the domains
are intact because I can promote a new server as a DC in each of them without
any problems.
I am able to do some more diagnosis now as my other work is complete.
Regards, Major.
Post by Paul Williams [MVP]
This is strange. All of those errors are access denied. Are these DCs
still members of the Domain Controllers group?
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-02-11 11:15:26 UTC
Permalink
Paul, I have just noticed that dcdiag failed to complete.
The text in the event log was

Faulting application dcdiag.exe, version 5.2.3790.1830, faulting module
dcdiag.exe, version 5.2.3790.1830, fault address 0x0004a66c.

Any suggestions for that?

Regards, Major.
Post by Paul Williams [MVP]
You'll need to be administrator in that domain. Which means you need to be
a member of the built-in\administrators group (or EA).
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP]
2006-03-21 20:47:39 UTC
Permalink
Sorry for the delay. This post is a long way down...

I would try the newest version. The support tools ship newer versions with
the SPs, but don't install as part of the SP. You can also download the
latest versions.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-03-22 07:59:02 UTC
Permalink
Paul, don't worry about the delay, I was doing other things.
Did you want me to start a new thread?
The version of dcdiag I was using is 5.2.3790.1830. Is that the latest?

The DS errors have changed a bit.
On the root domain DCs I am getting
Active Directory failed to construct a mutual authentication service
principal name (SPN) for the following domain controller.

Domain controller:
1201a128-9b81-4adf-b2cf-2fab2180c3b0._msdcs.xports.nhs.uk

The call was denied. Communication with this domain controller might be
affected.

Additional Data
Error value:
8419 The DSA object could not be found.

And on the sub domain DCs
The local domain controller was unable to replicate changes to the following
remote domain controller for the following directory partition.

Remote domain controller:
84741a6c-b847-42bc-9c0f-a9fe7b6de218._msdcs.xports.nhs.uk
Directory partition:
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk

The local domain controller cannot complete demotion.

User Action
Investigate why replication between these two domain controllers cannot be
performed. Then, try to demote this domain controller again.

Additonal Data
Error value:
8419 The DSA object could not be found.

Regards, Major.
Post by Paul Williams [MVP]
Sorry for the delay. This post is a long way down...
I would try the newest version. The support tools ship newer versions with
the SPs, but don't install as part of the SP. You can also download the
latest versions.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP]
2006-05-25 16:48:22 UTC
Permalink
That looks like there are still DCs in AD that aren't there. Or, there are
stale CNAME records in DNS. Delete _msdcs and restart NETLOGON on the DCs
(this is a test lab if I remember correctly).

Follow kb216498 to be sure you've not left anything in there that shouldn't
be.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
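The two symptoms in this thread come from the same pair of links: each server object under CN=Sites must carry a serverReference to a live computer object (error 8589 is raised when it is missing, which was the question that opened the thread), and the objectGUID of its NTDS Settings child must resolve as a CNAME under _msdcs (error 8419 and Paul's point above about DCs that no longer exist or stale CNAME records). The script below is an added example, not part of the thread or of any Microsoft tool; it walks both links for every server object and, optionally, lists _msdcs CNAMEs that belong to no current DC. It assumes the RSAT ActiveDirectory and DnsServer modules, an account that can read the Configuration partition, and that _msdcs.<forest root> is its own DNS zone.

```powershell
# Added example (not from the thread): check serverReference and the
# _msdcs GUID CNAME for every DC, then look for CNAMEs with no matching DC.
# Assumes RSAT ActiveDirectory + DnsServer modules and read access to the
# Configuration partition and the forest DNS zone.
Import-Module ActiveDirectory

function Test-DcReferences {
    param(
        # Forest root DNS name; defaults to the forest the caller is joined to.
        [string]$ForestDnsName = (Get-ADForest).RootDomain
    )
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $servers = Get-ADObject -LDAPFilter '(objectClass=server)' `
        -SearchBase "CN=Sites,$configNc" -Properties serverReference

    foreach ($server in $servers) {
        $status = [ordered]@{
            Server          = $server.Name
            ServerReference = $server.serverReference
            ComputerExists  = $false
            NtdsGuid        = $null
            CnameTarget     = $null
            Problem         = @()
        }

        # 1. serverReference must exist and point at a live computer object.
        #    A missing value is what error 8589 complains about.
        if (-not $server.serverReference) {
            $status.Problem += 'no serverReference attribute'
        } else {
            try {
                $null = Get-ADObject -Identity $server.serverReference -ErrorAction Stop
                $status.ComputerExists = $true
            } catch {
                $status.Problem += 'serverReference points at a missing object'
            }
        }

        # 2. The NTDS Settings child carries the GUID used in the _msdcs CNAME.
        $ntds = Get-ADObject -LDAPFilter '(objectClass=nTDSDSA)' `
            -SearchBase $server.DistinguishedName -SearchScope OneLevel -Properties objectGUID
        if (-not $ntds) {
            # A server object with no NTDS Settings is usually metadata left by a DC
            # that was removed without cleanup (the kb216498 case).
            $status.Problem += 'no NTDS Settings object (stale server object?)'
        } else {
            $status.NtdsGuid = $ntds.objectGUID.Guid
            $cname = "$($status.NtdsGuid)._msdcs.$ForestDnsName"
            try {
                $rec = Resolve-DnsName -Name $cname -Type CNAME -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
                $status.CnameTarget = $rec.NameHost
            } catch {
                $status.Problem += "CNAME $cname does not resolve"
            }
        }

        [pscustomobject]$status
    }
}

function Find-StaleMsdcsCname {
    param(
        [Parameter(Mandatory)][string]$DnsServer,
        [string]$ForestDnsName = (Get-ADForest).RootDomain
    )
    # Assumes _msdcs.<forest> is a separate zone (the default on 2003+ forests).
    # GUID-named CNAMEs that match no current NTDS Settings object are stale.
    $known = (Test-DcReferences -ForestDnsName $ForestDnsName).NtdsGuid
    Get-DnsServerResourceRecord -ComputerName $DnsServer `
        -ZoneName "_msdcs.$ForestDnsName" -RRType CName |
        Where-Object { $_.HostName -match '^[0-9a-f\-]{36}$' -and $_.HostName -notin $known } |
        Select-Object HostName, @{ n = 'Target'; e = { $_.RecordData.HostNameAlias } }
}

Test-DcReferences | Format-Table Server, ComputerExists, CnameTarget, Problem -AutoSize
# Find-StaleMsdcsCname -DnsServer 'dns01.example.test'   # placeholder server name
```

Rows with a non-empty Problem column tell you which server object the 8589 message is talking about, or which GUID has no DNS entry; anything reported by Find-StaleMsdcsCname is a record that can be removed once you have confirmed that no DC with that NTDS Settings GUID still exists.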
Mr Major Thorburn
2006-02-15 14:51:29 UTC
Permalink
Paul, I have subsequently run dcdiag /v /c on each DC.
Some of them, particularly in the sub domains, have downstream topology is
disconnected messages.
Any hints for this?
Regards, Major.
Post by Paul Williams [MVP]
You'll need to be administrator in that domain. Which means you need to be
a member of the built-in\administrators group (or EA).
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Paul Williams [MVP]
2006-05-25 16:45:12 UTC
Permalink
Clutching at straws here, as it gets tricky without being there:
-- http://support.microsoft.com/?id=320063


This still looks like it's DNS related.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-05-26 09:07:02 UTC
Permalink
Paul, I have created a new post for the same setup.
I did a DC demotion/promotion and that seemed to resolve this particular issue.

I would appreciate your help with the new problem in the new post if that is
ok with you.

I may get back to this sort of problem when I attempt another domain rename.

At the moment I am trying to do an exchange 2003 installation and the AD
replication problems are stopping that which is in the new post.

Thanks for your help on this one.

Regards, Major.
Post by Paul Williams [MVP]
-- http://support.microsoft.com/?id=320063
This still looks like it's DNS related.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
Mr Major Thorburn
2006-01-31 08:16:27 UTC
Permalink
Anyone any other thoughts on this?
I realise you are all very busy looking after your own systems and helping
other users but if you could give me a hint on where to look I will go and
look there.
Any help you can give will help me loads.
Thanks.
Regards, Major.
Post by Mr Major Thorburn
The local domain controller was unable to replicate changes to the following
remote domain controller for the following directory partition.
881ebe49-647f-46f2-8017-b0a14f94b25a._msdcs.xports.nhs.uk
DC=ForestDnsZones,DC=xports,DC=nhs,DC=uk
The local domain controller cannot complete demotion.
User Action
Investigate why replication between these two domain controllers cannot be
performed. Then, try to demote this domain controller again.
Additonal Data
8589 The DS cannot derive a service principal name (SPN) with which to
mutually authenticate the target server because the corresponding server
object in the local DS database has no serverReference attribute.
It mentions demotion but the source and target servers have never been
demoted.
The problem is with all the servers in this sub-domain.
Which server object is it talking about that does not have a serverReference
attribute?
Any help you can give me will move me onto a solution and the next problem.