Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine AD, is a DC.
   * Connecting to directory service on server AD.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 4 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site\AD
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... AD passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site\AD
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=security,DC=demo
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.
                  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.
                  0 had no latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=security,DC=demo
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.
                  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.
                  0 had no latency information (Win2K DC).
            CN=Configuration,DC=security,DC=demo
               Latency information for 1 entries in the vector were ignored.
                  1 were retired Invocations.
                  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.
                  0 had no latency information (Win2K DC).
         ......................... AD passed test Replications
      Starting test: Topology
         * Configuration Topology Integrity Check
         * Analyzing the connection topology for DC=TAPI3Directory,DC=security,DC=demo.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=ForestDnsZones,DC=security,DC=demo.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=DomainDnsZones,DC=security,DC=demo.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=security,DC=demo.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         Downstream topology is disconnected for CN=Schema,CN=Configuration,DC=security,DC=demo.
         These servers can't get changes from home server AD:
            Default-First-Site/AD1
            Default-First-Site/AD3
            Default-First-Site/AD2
         * Analyzing the connection topology for CN=Configuration,DC=security,DC=demo.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         Downstream topology is disconnected for CN=Configuration,DC=security,DC=demo.
         These servers can't get changes from home server AD:
            Default-First-Site/AD1
            Default-First-Site/AD3
            Default-First-Site/AD2
         * Analyzing the connection topology for DC=security,DC=demo.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... AD failed test Topology
      Starting test: CutoffServers
         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for DC=TAPI3Directory,DC=security,DC=demo.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=security,DC=demo.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=security,DC=demo.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=security,DC=demo.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=security,DC=demo.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=security,DC=demo.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... AD passed test CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC AD.
         * Security Permissions Check for DC=TAPI3Directory,DC=security,DC=demo (NDNC,Version 2)
         * Security Permissions Check for DC=ForestDnsZones,DC=security,DC=demo (NDNC,Version 2)
         * Security Permissions Check for DC=DomainDnsZones,DC=security,DC=demo (NDNC,Version 2)
         * Security Permissions Check for CN=Schema,CN=Configuration,DC=security,DC=demo (Schema,Version 2)
         * Security Permissions Check for CN=Configuration,DC=security,DC=demo (Configuration,Version 2)
         * Security Permissions Check for DC=security,DC=demo (Domain,Version 2)
         ......................... AD passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\AD\netlogon
         Verified share \\AD\sysvol
         ......................... AD passed test NetLogons
      Starting test: Advertising
         The DC AD is advertising itself as a DC and having a DS.
         The DC AD is advertising as an LDAP server
         The DC AD is advertising as having a writeable directory
         The DC AD is advertising as a Key Distribution Center
         The DC AD is advertising as a time server
         The DS AD is advertising as a GC.
         ......................... AD passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo
         Role Domain Owner = CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo
         Role PDC Owner = CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo
         Role Rid Owner = CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo
         ......................... AD passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 1605 to 1073741823
         * AD.security.demo is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 1105 to 1604
         * rIDPreviousAllocationPool is 1105 to 1604
         * rIDNextRID: 1134
         ......................... AD passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC AD on DC AD.
         * SPN found :LDAP/AD.security.demo/security.demo
         * SPN found :LDAP/AD.security.demo
         * SPN found :LDAP/AD
         * SPN found :LDAP/AD.security.demo/SECURITY
         * SPN found :LDAP/61ab47a4-a496-4571-a04d-d00c037ee1e3._msdcs.security.demo
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/61ab47a4-a496-4571-a04d-d00c037ee1e3/security.demo
         * SPN found :HOST/AD.security.demo/security.demo
         * SPN found :HOST/AD.security.demo
         * SPN found :HOST/AD
         * SPN found :HOST/AD.security.demo/SECURITY
         * SPN found :GC/AD.security.demo/security.demo
         ......................... AD passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... AD passed test Services
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test because /testdomain: was not entered
         ......................... AD passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         AD is in domain DC=security,DC=demo
         Checking for CN=AD,OU=Domain Controllers,DC=security,DC=demo in domain DC=security,DC=demo on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo in domain CN=Configuration,DC=security,DC=demo on 1 servers
            Object is up-to-date on all servers.
         ......................... AD passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... AD passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... AD passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 12/01/2008   18:12:08
            Event String: The attempt to establish a replication link for the following writable directory partition failed.

            Directory partition:
            CN=Configuration,DC=security,DC=demo
            Source domain controller:
            CN=NTDS Settings,CN=AD1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo
            Source domain controller address:
            987b6610-096e-4853-b724-50ac94d1bcad._msdcs.security.demo
            Intersite transport (if any):

            This domain controller will be unable to replicate with the source domain controller until this problem is corrected.

            User Action
            Verify if the source domain controller is accessible or network connectivity is available.

            Additional Data
            Error value:
            8524 The DSA operation is unable to proceed because of a DNS lookup failure.
         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 12/01/2008   18:12:08
            Event String: The attempt to establish a replication link for the following writable directory partition failed.

            Directory partition:
            CN=Configuration,DC=security,DC=demo
            Source domain controller:
            CN=NTDS Settings,CN=AD2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo
            Source domain controller address:
            7c5f8a42-dabb-4036-95b0-be24e7384f3f._msdcs.security.demo
            Intersite transport (if any):

            This domain controller will be unable to replicate with the source domain controller until this problem is corrected.

            User Action
            Verify if the source domain controller is accessible or network connectivity is available.

            Additional Data
            Error value:
            8524 The DSA operation is unable to proceed because of a DNS lookup failure.
         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 12/01/2008   18:12:08
            Event String: The attempt to establish a replication link for the following writable directory partition failed.

            Directory partition:
            CN=Configuration,DC=security,DC=demo
            Source domain controller:
            CN=NTDS Settings,CN=AD3,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo
            Source domain controller address:
            82f22780-957b-42b0-9572-65671c350972._msdcs.security.demo
            Intersite transport (if any):

            This domain controller will be unable to replicate with the source domain controller until this problem is corrected.

            User Action
            Verify if the source domain controller is accessible or network connectivity is available.

            Additional Data
            Error value:
            8524 The DSA operation is unable to proceed because of a DNS lookup failure.
         ......................... AD failed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... AD passed test systemlog
      Starting test: VerifyReplicas
         ......................... AD passed test VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference) CN=AD,OU=Domain Controllers,DC=security,DC=demo and backlink on CN=AD,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo are correct.
         The system object reference (frsComputerReferenceBL) CN=TAMESSO,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=security,DC=demo and backlink on CN=AD,OU=Domain Controllers,DC=security,DC=demo are correct.
         The system object reference (serverReferenceBL) CN=TAMESSO,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=security,DC=demo and backlink on CN=NTDS Settings,CN=AD,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo are correct.
         ......................... AD passed test VerifyReferences
      Starting test: VerifyEnterpriseReferences
         The following problems were found while verifying various important DN references.  Note, that these problems can be reported because of latency in replication.  So follow up to resolve the following problems, only if the same problem is reported on all DCs for a given domain or if the problem persists after replication has had reasonable time to replicate changes.
         [1] Problem: Missing Expected Value
          Base Object: CN=AD1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo
          Base Object Description: "Server Object"
          Value Object Attribute: serverReference
          Value Object Description: "DC Account Object"
          Recommended Action: This could hamper authentication (and thus replication, etc).  Check if this server is deleted, and if so clean up this DCs Account Object.  If the problem persists and this is not a deleted DC, authoratively restore the DSA object from a good copy, for example the DSA on the DSA's home server.
         [2] Problem: Missing Expected Value
          Base Object: CN=AD3,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo
          Base Object Description: "Server Object"
          Value Object Attribute: serverReference
          Value Object Description: "DC Account Object"
          Recommended Action: This could hamper authentication (and thus replication, etc).  Check if this server is deleted, and if so clean up this DCs Account Object.  If the problem persists and this is not a deleted DC, authoratively restore the DSA object from a good copy, for example the DSA on the DSA's home server.
         [3] Problem: Missing Expected Value
          Base Object: CN=AD2,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=security,DC=demo
          Base Object Description: "Server Object"
          Value Object Attribute: serverReference
          Value Object Description: "DC Account Object"
          Recommended Action: This could hamper authentication (and thus replication, etc).  Check if this server is deleted, and if so clean up this DCs Account Object.  If the problem persists and this is not a deleted DC, authoratively restore the DSA object from a good copy, for example the DSA on the DSA's home server.
         A domain cross-ref has no SID in it's nCName attribute.
            Cross-ref DN: CN=LYON,CN=Partitions,CN=Configuration,DC=security,DC=demo
            nCName attribute (Partition name): DC=lyon,DC=security,DC=demo
            The SID has not replicated into this DC.  Check that replication is succeeding between the first DC in the Domain who's SID is missing and this DC.  If the Domain was created with a Windows 2000 DC and all member DCs of the domain are unable to replicate outbound because of Schema Mismatch errors, then all member DCs will need to have Window's re-installed and the Domain will need to be manually removed using meta data cleanup in ntdsutil.exe.  If the Domain was created with a Windows 2000 DC, then replication can be blocked from one DC to another with "Replication Access Denied".  If replication isn't succeeding between the first DC in the Domain who's SID is missing and this DC due to a different domain cross-ref missing a domain SID in it's nCName somewhere else in the forest, then you may need to manually reconfigure the topology to bypass the blocking replication.
         A domain cross-ref has no SID in it's nCName attribute.
            Cross-ref DN: CN=PARIS,CN=Partitions,CN=Configuration,DC=security,DC=demo
            nCName attribute (Partition name): DC=paris,DC=security,DC=demo
            The SID has not replicated into this DC.  Check that replication is succeeding between the first DC in the Domain who's SID is missing and this DC.  If the Domain was created with a Windows 2000 DC and all member DCs of the domain are unable to replicate outbound because of Schema Mismatch errors, then all member DCs will need to have Window's re-installed and the Domain will need to be manually removed using meta data cleanup in ntdsutil.exe.  If the Domain was created with a Windows 2000 DC, then replication can be blocked from one DC to another with "Replication Access Denied".  If replication isn't succeeding between the first DC in the Domain who's SID is missing and this DC due to a different domain cross-ref missing a domain SID in it's nCName somewhere else in the forest, then you may need to manually reconfigure the topology to bypass the blocking replication.
         A domain cross-ref has no SID in it's nCName attribute.
            Cross-ref DN: CN=TOKYO,CN=Partitions,CN=Configuration,DC=security,DC=demo
            nCName attribute (Partition name): DC=tokyo,DC=security,DC=demo
            The SID has not replicated into this DC.  Check that replication is succeeding between the first DC in the Domain who's SID is missing and this DC.  If the Domain was created with a Windows 2000 DC and all member DCs of the domain are unable to replicate outbound because of Schema Mismatch errors, then all member DCs will need to have Window's re-installed and the Domain will need to be manually removed using meta data cleanup in ntdsutil.exe.  If the Domain was created with a Windows 2000 DC, then replication can be blocked from one DC t
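The two findings in this run that need follow-up are the kccevent warnings (error 8524: the <DSA GUID>._msdcs.security.demo CNAME for AD1, AD2 and AD3 did not resolve, so no inbound replication link to them could be built, which is consistent with the disconnected downstream topology reported for the Configuration and Schema partitions) and the three server objects under CN=Sites with no serverReference. Both commonly share a cause: a DC that was removed, rebuilt or renamed without metadata cleanup, or whose DNS records never registered. The script below is an added PowerShell check, not part of the dcdiag output above, that enumerates every server object in the Configuration partition, resolves its DSA GUID CNAME the same way the KCC does, and separates stale metadata (no NTDS Settings, no serverReference) from live DCs with a DNS problem. It assumes the RSAT ActiveDirectory and DnsClient modules, read access to the Configuration NC, and takes the forest name from this report as its default; the parameter names and verdict strings are the example's own.

```powershell
#Requires -Modules ActiveDirectory, DnsClient
<#
  Added example, not part of the dcdiag output. Follows up on:
    - kccevent / error 8524: "<DSA GUID>._msdcs.<forest>" CNAME did not resolve,
      so replication links to AD1/AD2/AD3 could not be established.
    - VerifyEnterpriseReferences: server objects with no serverReference,
      the usual signature of a DC removed without metadata cleanup.
  Assumptions: RSAT ActiveDirectory + DnsClient modules, read access to the
  Configuration NC. $ForestDns defaults to the forest name in the report and
  is not discovered automatically.
#>
param(
    [string]$ForestDns = 'security.demo',
    [string]$DnsServer                      # optional: the resolver the DC itself uses
)

$configNC = (Get-ADRootDSE).configurationNamingContext

# Every server object under CN=Sites should point back to a DC computer account
# (serverReference) and own one NTDS Settings (nTDSDSA) child, whose objectGUID
# is the DSA GUID that the _msdcs CNAME is named after.
$servers = Get-ADObject -SearchBase "CN=Sites,$configNC" `
                        -LDAPFilter '(objectClass=server)' `
                        -Properties serverReference, dNSHostName

$results = foreach ($srv in $servers) {
    $dsa = Get-ADObject -SearchBase $srv.DistinguishedName -SearchScope OneLevel `
                        -LDAPFilter '(objectClass=nTDSDSA)' -Properties objectGUID |
           Select-Object -First 1

    $cnameTarget = $null
    $dnsError    = $null
    if ($dsa) {
        # This is the lookup the KCC performs when building a replication link.
        $fqdn    = '{0}._msdcs.{1}' -f $dsa.objectGUID, $ForestDns
        $dnsArgs = @{ Name = $fqdn; Type = 'CNAME'; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($DnsServer) { $dnsArgs['Server'] = $DnsServer }
        try   { $cnameTarget = (Resolve-DnsName @dnsArgs | Where-Object Type -eq 'CNAME').NameHost }
        catch { $dnsError = $_.Exception.Message }
    }

    # Classify: stale metadata vs. a live DC that DNS cannot find (the 8524 case).
    $verdict = if (-not $srv.serverReference -and -not $dsa) { 'stale server object: metadata cleanup candidate' }
               elseif (-not $srv.serverReference)            { 'serverReference missing: check DC account object' }
               elseif ($dnsError)                            { 'DSA CNAME does not resolve (8524)' }
               else                                          { 'ok' }

    [pscustomobject]@{
        Server             = $srv.Name
        DnsHostName        = $srv.dNSHostName
        HasServerReference = [bool]$srv.serverReference
        HasNtdsSettings    = [bool]$dsa
        DsaGuid            = if ($dsa) { $dsa.objectGUID } else { $null }
        CnameTarget        = $cnameTarget
        DnsError           = $dnsError
        Verdict            = $verdict
    }
}

$results | Format-Table Server, HasServerReference, HasNtdsSettings, CnameTarget, Verdict -AutoSize

# Emit only the findings, so the output can be fed to a ticket or a scheduled check.
$results | Where-Object Verdict -ne 'ok'
```

Run it on the DC that failed the test (here AD), and pass -DnsServer with the resolver configured on that DC's NIC, because error 8524 reflects that resolver's view, not the zone as seen from your workstation. Treat a "stale server object" verdict as a metadata cleanup candidate only after confirming the DC is really gone: removing the metadata of a DC that is merely offline destroys its replication identity and forces a re-promotion. The reason not to simply live with a failing test is the opposite case: a dead DC whose server object, NTDS Settings and computer account stay in the directory keeps a privileged machine account and an unmonitored replication partner entry around indefinitely.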