Hey kj, hopefully this will help some: Please let me know... Thanks
again...





Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine SERVER1-DC, is a DC.
* Connecting to directory service on server SERVER1-DC.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 6 DC(s). Testing 6 of them.
Done gathering initial info.

Doing initial required tests

Testing server: SiteName\DC-1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC-1 passed test Connectivity

Testing server: SiteName\DC-1-02
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC-1-02 passed test Connectivity

Testing server: SiteName2\DC-2
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC-2 passed test Connectivity

Testing server: SiteName3\SERVER1-DC
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... SERVER1-DC passed test Connectivity

Testing server: SiteName4\DC-3
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC-3 passed test Connectivity

Testing server: SiteName2\DC-2-02
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DC-2-02 passed test Connectivity

Doing primary tests

Testing server: SiteName\DC-1
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=domainname,DC=com
Latency information for 4 entries in the vector were
ignored.
4 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=domainname,DC=com
Latency information for 4 entries in the vector were
ignored.
4 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=domainname,DC=com
Latency information for 7 entries in the vector were
ignored.
7 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=domainname,DC=com
Latency information for 7 entries in the vector were
ignored.
7 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 0 had no latency information (Win2K DC).
DC=domainname,DC=com
Latency information for 7 entries in the vector were
ignored.
7 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... DC-1 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
DC=ForestDnsZones,DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
DC=DomainDnsZones,DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... DC-1 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
DC=ForestDnsZones,DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=DomainDnsZones,DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... DC-1 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC-1.
* Security Permissions Check for
DC=ForestDnsZones,DC=domainname,DC=com
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=domainname,DC=com
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=domainname,DC=com
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=domainname,DC=com
(Configuration,Version 2)
* Security Permissions Check for
DC=domainname,DC=com
(Domain,Version 2)
......................... DC-1 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC-1\netlogon
Verified share \\DC-1\sysvol
......................... DC-1 passed test NetLogons
Starting test: Advertising
The DC DC-1 is advertising itself as a DC and having a DS.
The DC DC-1 is advertising as an LDAP server
The DC DC-1 is advertising as having a writeable directory
The DC DC-1 is advertising as a Key Distribution Center
The DC DC-1 is advertising as a time server
The DS DC-1 is advertising as a GC.
......................... DC-1 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=DC-1,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=domainname,DC=com
Role Domain Owner = CN=NTDS
Settings,CN=DC-1,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=domainname,DC=com
Role PDC Owner = CN=NTDS
Settings,CN=DC-1,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=domainname,DC=com
Role Rid Owner = CN=NTDS
Settings,CN=DC-1,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=domainname,DC=com
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=DC-1,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=domainname,DC=com
......................... DC-1 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 8105 to 1073741823
* DC-1.domainname.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1605 to 2104
* rIDPreviousAllocationPool is 1105 to 1604
* rIDNextRID: 1537
* Warning :There is less than 14% available RIDs in the
current pool
......................... DC-1 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC DC-1 on DC DC-1.
* SPN found :LDAP/DC-1.domainname.com/domainname.com
* SPN found :LDAP/DC-1.domainname.com
* SPN found :LDAP/DC-1
* SPN found :LDAP/DC-1.domainname.com/DOMAINNAME
* SPN found
:LDAP/a791ff61-e006-4c80-9cc0-9003b39dcb11._msdcs.domainname.com
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/a791ff61-e006-4c80-9cc0-9003b39dcb11/domainname.com
* SPN found :HOST/DC-1.domainname.com/domainname.com
* SPN found :HOST/DC-1.domainname.com
* SPN found :HOST/DC-1
* SPN found :HOST/DC-1.domainname.com/DOMAINNAME
* SPN found :GC/DC-1.domainname.com/domainname.com
......................... DC-1 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DC-1 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... DC-1 passed test
OutboundSecureChannels
Starting test: ObjectsReplicated
DC-1 is in domain DC=domainname,DC=com
Checking for CN=DC-1,OU=Domain
Controllers,DC=domainname,DC=com in domain DC=domainname,DC=com on 6
servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=DC-1,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=domainname,DC=com
in domain CN=Configuration,DC=domainname,DC=com on 6 servers
Object is up-to-date on all servers.
......................... DC-1 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DC-1 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours
after the
SYSVOL has been shared. Failing SYSVOL replication problems
may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 04/06/2006 15:36:17
(Event String could not be retrieved)
......................... DC-1 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last
15 minutes.
......................... DC-1 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... DC-1 passed test systemlog
Starting test: VerifyReplicas
......................... DC-1 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DC-1,OU=Domain Controllers,DC=domainname,DC=com and
backlink
on

CN=DC-1,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=domainname,DC=com
are correct.
The system object reference (frsComputerReferenceBL)
CN=DC-1,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=domainname,DC=com
and backlink on
CN=DC-1,OU=Domain Controllers,DC=domainname,DC=com are
correct.
The system object reference (serverReferenceBL)
CN=DC-1,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=domainname,DC=com
and backlink on
CN=NTDS
Settings,CN=DC-1,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=domainname,DC=com
are correct.
......................... DC-1 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various
important DN
references. Note, that these problems can be reported
because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for
a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=DC-KV,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=domainname,DC=com
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: frsComputerReference
Value Object Description: "DC Account Object"
Recommended Action: Check if this server is deleted, and
if so
clean up this DCs SYSVOL FRS Member Object. Also see
Knowledge
Base Article: Q312862

[2] Problem: Missing Expected Value
Base Object:
CN=DC-KV,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=domainname,DC=com
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: serverReference
Value Object Description: "DSA Object"
Recommended Action: Check if this server is deleted, and
if so
clean up this DCs SYSVOL FRS Member Object. Also see
Knowledge
Base Article Q312862

......................... DC-1 failed test
VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC DC-1 for domain domainname.com in site SiteName
Checking machine account for DC DC-1 on DC DC-1.
* SPN found :LDAP/DC-1.domainname.com/domainname.com
* SPN found :LDAP/DC-1.domainname.com
* SPN found :LDAP/DC-1
* SPN found :LDAP/DC-1.domainname.com/DOMAINNAME
* SPN found
:LDAP/a791ff61-e006-4c80-9cc0-9003b39dcb11._msdcs.domainname.com
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/a791ff61-e006-4c80-9cc0-9003b39dcb11/domainname.com
* SPN found :HOST/DC-1.domainname.com/domainname.com
* SPN found :HOST/DC-1.domainname.com
* SPN found :HOST/DC-1
* SPN found :HOST/DC-1.domainname.com/DOMAINNAME
* SPN found :GC/DC-1.domainname.com/domainname.com
[DC-1] No security related replication errors were found on
this DC! To target the connection to a specific source DC use
/ReplSource:<DC>.
......................... DC-1 passed test CheckSecurityError

Testing server: SiteName\DC-1-02
Starting test: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=domainname,DC=com
Latency information for 7 entries in the vector were
ignored.
7 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=domainname,DC=com
Latency information for 7 entries in the vector were
ignored.
7 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 0 had no latency information (Win2K DC).
DC=domainname,DC=com
Latency information for 7 entries in the vector were
ignored.
7 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating
this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... DC-1-02 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... DC-1-02 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=domainname,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... DC-1-02 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DC-1-02.
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=domainname,DC=com
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=domainname,DC=com
(Configuration,Version 2)
* Security Permissions Check for
DC=domainname,DC=com
(Domain,Version 2)
......................... DC-1-02 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DC-1-02\netlogon
Verified share \\DC-1-02\sysvol
......................... DC-1-02 passed test NetLogons
Starting test: Advertising
The DC DC-1-02 is advertising itself as a DC and having a DS.
The DC DC-1-02 is advertising as an LDAP server
The DC DC-1-02 is advertising as having a writeable directory
The DC DC-1-02 is advertising as a Key Distribution Center
The DC DC-1-02 is advertising as a time server
The DS DC-1-02 is advertising as a GC.
......................... DC-1-02 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=DC-1,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=domainname,DC=com
Role Domain Owner = CN=NTDS
Settings,CN=DC-1,CN=Servers,CN=SiteName,CN=Sites,CN=Configuration,DC=domainname,DC=com