From: Bertram on 5 May 2006 08:27

Yahoo! I've managed to get somewhere... I've now got a DNS service with an AD-integrated forward zone set up.

There are still some worrying items in the output from dcdiag though - I've included the output below in the hope that someone can shed some light on my (new?) problem.

================

Command Line: "dcdiag.exe /v /d /c"

Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine ag-dbsvr, is a DC.
   * Connecting to directory service on server ag-dbsvr.
   ag-dbsvr.currentTime = 20060505121831.0Z
   ag-dbsvr.highestCommittedUSN = 307279
   ag-dbsvr.isSynchronized = 1
   ag-dbsvr.isGlobalCatalogReady = 1
   * Collecting site info.
   * Identifying all servers.
   AG-DBSVR.currentTime = 20060505121831.0Z
   AG-DBSVR.highestCommittedUSN = 307279
   AG-DBSVR.isSynchronized = 1
   AG-DBSVR.isGlobalCatalogReady = 1
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

===============================================Printing out pDsInfo

GLOBAL:
   ulNumServers=2
   pszRootDomain=mydomain.net
   pszNC=
   pszRootDomainFQDN=DC=mydomain,DC=net
   pszConfigNc=CN=Configuration,DC=mydomain,DC=net
   pszPartitionsDn=CN=Partitions,CN=Configuration,DC=mydomain,DC=net
   iSiteOptions=0
   dwTombstoneLifeTimeDays=60
   dwForestBehaviorVersion=0
   HomeServer=1, AG-DBSVR

SERVER: pServer[0].pszName=TEMPSVR
   pServer[0].pszGuidDNSName=7ae70e6f-3be2-45c3-a013-04661ca67912._msdcs.mydomain.net
   pServer[0].pszDNSName=tempsvr.mydomain.net
   pServer[0].pszDn=CN=NTDS Settings,CN=TEMPSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
   pServer[0].pszComputerAccountDn=(null)
   pServer[0].uuidObjectGuid=7ae70e6f-3be2-45c3-a013-04661ca67912
   pServer[0].uuidInvocationId=7ae70e6f-3be2-45c3-a013-04661ca67912
   pServer[0].iSite=0 (Default-First-Site-Name)
   pServer[0].iOptions=1
   pServer[0].ftLocalAcquireTime=00000000 00000000
   pServer[0].ftRemoteConnectTime=00000000 00000000
   pServer[0].ppszMasterNCs:
      ppszMasterNCs[0]=CN=Schema,CN=Configuration,DC=mydomain,DC=net
      ppszMasterNCs[1]=CN=Configuration,DC=mydomain,DC=net
      ppszMasterNCs[2]=DC=mydomain,DC=net

SERVER: pServer[1].pszName=AG-DBSVR
   pServer[1].pszGuidDNSName=1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net
   pServer[1].pszDNSName=ag-dbsvr.mydomain.net
   pServer[1].pszDn=CN=NTDS Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
   pServer[1].pszComputerAccountDn=CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net
   pServer[1].uuidObjectGuid=1750286d-b0a6-4633-a9d0-63967c9a5fcb
   pServer[1].uuidInvocationId=45155c5d-16a3-4ddf-952c-325ec78e6707
   pServer[1].iSite=0 (Default-First-Site-Name)
   pServer[1].iOptions=1
   pServer[1].ftLocalAcquireTime=059f5850 01c6703e
   pServer[1].ftRemoteConnectTime=058c4580 01c6703e
   pServer[1].ppszMasterNCs:
      ppszMasterNCs[0]=CN=Schema,CN=Configuration,DC=mydomain,DC=net
      ppszMasterNCs[1]=CN=Configuration,DC=mydomain,DC=net
      ppszMasterNCs[2]=DC=mydomain,DC=net

SITES: pSites[0].pszName=Default-First-Site-Name
   pSites[0].pszSiteSettings=CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
   pSites[0].pszISTG=CN=NTDS Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
   pSites[0].iSiteOption=0
   pSites[0].cServers=2

NC: pNCs[0].pszName=Schema
   pNCs[0].pszDn=CN=Schema,CN=Configuration,DC=mydomain,DC=net
   pNCs[0].aCrInfo[0].dwFlags=0x00000201
   pNCs[0].aCrInfo[0].pszDn=CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=mydomain,DC=net
   pNCs[0].aCrInfo[0].pszDnsRoot=mydomain.net
   pNCs[0].aCrInfo[0].iSourceServer=1
   pNCs[0].aCrInfo[0].pszSourceServer=(null)
   pNCs[0].aCrInfo[0].ulSystemFlags=0x00000001
   pNCs[0].aCrInfo[0].bEnabled=TRUE
   pNCs[0].aCrInfo[0].ftWhenCreated=00000000 00000000
   pNCs[0].aCrInfo[0].pszSDReferenceDomain=(null)
   pNCs[0].aCrInfo[0].pszNetBiosName=(null)
   pNCs[0].aCrInfo[0].cReplicas=-1
   pNCs[0].aCrInfo[0].aszReplicas=

NC: pNCs[1].pszName=Configuration
   pNCs[1].pszDn=CN=Configuration,DC=mydomain,DC=net
   pNCs[1].aCrInfo[0].dwFlags=0x00000201
   pNCs[1].aCrInfo[0].pszDn=CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=mydomain,DC=net
   pNCs[1].aCrInfo[0].pszDnsRoot=mydomain.net
   pNCs[1].aCrInfo[0].iSourceServer=1
   pNCs[1].aCrInfo[0].pszSourceServer=(null)
   pNCs[1].aCrInfo[0].ulSystemFlags=0x00000001
   pNCs[1].aCrInfo[0].bEnabled=TRUE
   pNCs[1].aCrInfo[0].ftWhenCreated=00000000 00000000
   pNCs[1].aCrInfo[0].pszSDReferenceDomain=(null)
   pNCs[1].aCrInfo[0].pszNetBiosName=(null)
   pNCs[1].aCrInfo[0].cReplicas=-1
   pNCs[1].aCrInfo[0].aszReplicas=

NC: pNCs[2].pszName=mydomain
   pNCs[2].pszDn=DC=mydomain,DC=net
   pNCs[2].aCrInfo[0].dwFlags=0x00000201
   pNCs[2].aCrInfo[0].pszDn=CN=IBUSINESS,CN=Partitions,CN=Configuration,DC=mydomain,DC=net
   pNCs[2].aCrInfo[0].pszDnsRoot=mydomain.net
   pNCs[2].aCrInfo[0].iSourceServer=1
   pNCs[2].aCrInfo[0].pszSourceServer=(null)
   pNCs[2].aCrInfo[0].ulSystemFlags=0x00000003
   pNCs[2].aCrInfo[0].bEnabled=TRUE
   pNCs[2].aCrInfo[0].ftWhenCreated=00000000 00000000
   pNCs[2].aCrInfo[0].pszSDReferenceDomain=(null)
   pNCs[2].aCrInfo[0].pszNetBiosName=(null)
   pNCs[2].aCrInfo[0].cReplicas=-1
   pNCs[2].aCrInfo[0].aszReplicas=

3 NC TARGETS: Schema, Configuration, mydomain,
1 TARGETS: AG-DBSVR,

=============================================Done Printing pDsInfo

Doing initial required tests

   Testing server: Default-First-Site-Name\AG-DBSVR
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Failure Analysis: AG-DBSVR ... OK.
         * Active Directory RPC Services Check
         ......................... AG-DBSVR passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\AG-DBSVR
      Starting test: Replications
         * Replications Check
         CN=Schema,CN=Configuration,DC=mydomain,DC=net has 2 cursors.
         [Replications Check,AG-DBSVR] A recent replication attempt failed:
            From TEMPSVR to AG-DBSVR
            Naming Context: CN=Schema,CN=Configuration,DC=mydomain,DC=net
            The replication generated an error (1722):
            Win32 Error 1722
            The failure occurred at 2006-05-05 12:50:32.
            The last success occurred at 2006-04-25 14:58:36.
            231 failures have occurred since the last success.
            [TEMPSVR] DsBindWithSpnEx() failed with error 1722,
            Win32 Error 1722.
            Printing RPC Extended Error Info:
            Error Record 1, ProcessID is 1128 (DcDiag)
               System Time is: 5/5/2006 12:18:52:250
               Generating component is 8 (winsock)
               Status is 1722: The RPC server is unavailable.
               Detection location is 323
            Error Record 2, ProcessID is 1128 (DcDiag)
               System Time is: 5/5/2006 12:18:52:250
               Generating component is 8 (winsock)
               Status is 1237: The operation could not be completed. A retry should be performed.
               Detection location is 313
            Error Record 3, ProcessID is 1128 (DcDiag)
               System Time is: 5/5/2006 12:18:52:250
               Generating component is 8 (winsock)
               Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
               Detection location is 311
               NumberOfParameters is 3
               Long val: 135
               Pointer val: 0
               Pointer val: 0
            Error Record 4, ProcessID is 1128 (DcDiag)
               System Time is: 5/5/2006 12:18:52:250
               Generating component is 8 (winsock)
               Status is 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
               Detection location is 318
            The source remains down. Please check the machine.
         CN=Configuration,DC=mydomain,DC=net has 2 cursors.
         [Replications Check,AG-DBSVR] A recent replication attempt failed:
            From TEMPSVR to AG-DBSVR
            Naming Context: CN=Configuration,DC=mydomain,DC=net
            The replication generated an error (1722):
            Win32 Error 1722
            The failure occurred at 2006-05-05 12:50:11.
            The last success occurred at 2006-04-25 15:29:41.
            231 failures have occurred since the last success.
            The source remains down. Please check the machine.
         DC=mydomain,DC=net has 2 cursors.
         [Replications Check,AG-DBSVR] A recent replication attempt failed:
            From TEMPSVR to AG-DBSVR
            Naming Context: DC=mydomain,DC=net
            The replication generated an error (1722):
            Win32 Error 1722
            The failure occurred at 2006-05-05 12:49:50.
            The last success occurred at 2006-04-25 15:28:35.
            239 failures have occurred since the last success.
            The source remains down. Please check the machine.
         * Replication Latency Check
         REPLICATION-RECEIVED LATENCY WARNING
         AG-DBSVR: Current time is 2006-05-05 13:18:31.
            CN=Schema,CN=Configuration,DC=mydomain,DC=net
               Last replication recieved from TEMPSVR at 2006-04-25 14:58:36.
            CN=Configuration,DC=mydomain,DC=net
               Last replication recieved from TEMPSVR at 2006-04-25 15:29:41.
            DC=mydomain,DC=net
               Last replication recieved from TEMPSVR at 2006-04-25 15:28:35.
         * Replication Site Latency Check
         Site Settings = CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
         [0x904de,v=306,t=2006-05-05 12:39:29,g=45155c5d-16a3-4ddf-952c-325ec78e6707,orig=307254,local=307254]
         Elapsed time (sec) = 2363
         ......................... AG-DBSVR passed test Replications
      Starting test: Topology
         * Configuration Topology Integrity Check
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=mydomain,DC=net.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Configuration,DC=mydomain,DC=net.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=mydomain,DC=net.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... AG-DBSVR passed test Topology
      Starting test: CutoffServers
         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=mydomain,DC=net.
         * Performing upstream (of target) analysis.
         DsReplicaSyncAllW failed with error Win32 Error 8440.
         * Performing downstream (of target) analysis.
         DsReplicaSyncAllW failed with error Win32 Error 8440.
         * Analyzing the alive system replication topology for CN=Configuration,DC=mydomain,DC=net.
         * Performing upstream (of target) analysis.
         DsReplicaSyncAllW failed with error Win32 Error 8440.
         * Performing downstream (of target) analysis.
         DsReplicaSyncAllW failed with error Win32 Error 8440.
         * Analyzing the alive system replication topology for DC=mydomain,DC=net.
         * Performing upstream (of target) analysis.
         DsReplicaSyncAllW failed with error Win32 Error 8440.
         * Performing downstream (of target) analysis.
         DsReplicaSyncAllW failed with error Win32 Error 8440.
         ......................... AG-DBSVR passed test CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC AG-DBSVR.
         * Security Permissions Check for CN=Schema,CN=Configuration,DC=mydomain,DC=net (Schema,Version 2)
         * Security Permissions Check for CN=Configuration,DC=mydomain,DC=net (Configuration,Version 2)
         * Security Permissions Check for DC=mydomain,DC=net (Domain,Version 2)
         ......................... AG-DBSVR passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\AG-DBSVR\netlogon
         Verified share \\AG-DBSVR\sysvol
         ......................... AG-DBSVR passed test NetLogons
      Starting test: Advertising
         The DC AG-DBSVR is advertising itself as a DC and having a DS.
         The DC AG-DBSVR is advertising as an LDAP server
         The DC AG-DBSVR is advertising as having a writeable directory
         The DC AG-DBSVR is advertising as a Key Distribution Center
         The DC AG-DBSVR is advertising as a time server
         The DS AG-DBSVR is advertising as a GC.
         ......................... AG-DBSVR passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
         Role Domain Owner = CN=NTDS Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
         Role PDC Owner = CN=NTDS Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
         Role Rid Owner = CN=NTDS Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
         ......................... AG-DBSVR passed test KnowsOfRoleHolders
      Starting test: RidManager
         ridManagerReference = CN=RID Manager$,CN=System,DC=mydomain,DC=net
         * Available RID Pool for the Domain is 3863 to 1073741823
         fSMORoleOwner = CN=NTDS Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
         * ag-dbsvr.mydomain.net is the RID Master
         * DsBind with RID Master was successful
         rIDSetReferences = CN=RID Set,CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net
         * rIDAllocationPool is 2863 to 3362
         * rIDPreviousAllocationPool is 2863 to 3362
         * rIDNextRID: 2879
         ......................... AG-DBSVR passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC AG-DBSVR on DC AG-DBSVR.
         * SPN found :LDAP/ag-dbsvr.mydomain.net/mydomain.net
         * SPN found :LDAP/ag-dbsvr.mydomain.net
         * SPN found :LDAP/AG-DBSVR
         * SPN found :LDAP/ag-dbsvr.mydomain.net/IBUSINESS
         * SPN found :LDAP/1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/1750286d-b0a6-4633-a9d0-63967c9a5fcb/mydomain.net
         * SPN found :HOST/ag-dbsvr.mydomain.net/mydomain.net
         * SPN found :HOST/ag-dbsvr.mydomain.net
         * SPN found :HOST/AG-DBSVR
         * SPN found :HOST/ag-dbsvr.mydomain.net/IBUSINESS
         * SPN found :GC/ag-dbsvr.mydomain.net/mydomain.net
         ......................... AG-DBSVR passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... AG-DBSVR passed test Services
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test because /testdomain: was not entered
         ......................... AG-DBSVR passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         AG-DBSVR is in domain DC=mydomain,DC=net
         Checking for CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net in domain DC=mydomain,DC=net on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net in domain CN=Configuration,DC=mydomain,DC=net on 1 servers
            Object is up-to-date on all servers.
         ......................... AG-DBSVR passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... AG-DBSVR passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
         An Warning Event occured. EventID: 0x800034FA
            Time Generated: 05/05/2006 12:23:54
            (Event String could not be retrieved)
         ......................... AG-DBSVR failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         An Warning Event occured. EventID: 0x8025082C
            Time Generated: 05/05/2006 13:19:28
            (Event String could not be retrieved)
         An Warning Event occured. EventID: 0x8025082C
            Time Generated: 05/05/2006 13:19:28
            (Event String could not be retrieved)
         An Warning Event occured. EventID: 0x8025082C
            Time Generated: 05/05/2006 13:19:28
            (Event String could not be retrieved)
         An Error Event occured. EventID: 0xC0000748
            Time Generated: 05/05/2006 13:19:28
            (Event String could not be retrieved)
         An Warning Event occured. EventID: 0x8025082C
            Time Generated: 05/05/2006 13:19:28
            (Event String could not be retrieved)
         An Error Event occured. EventID: 0xC0000748
            Time Generated: 05/05/2006 13:19:28
            (Event String could not be retrieved)
         An Warning Event occured. EventID: 0x8025082C
            Time Generated: 05/05/2006 13:19:28
            (Event String could not be retrieved)
         An Error Event occured. EventID: 0xC0000748
            Time Generated: 05/05/2006 13:19:28
            (Event String could not be retrieved)
         ......................... AG-DBSVR failed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured. EventID: 0x40000004
            Time Generated: 05/05/2006 12:52:19
            Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was LDAP/ag-dbsvr.mydomain.net/mydomain.net@mydomain.net. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
         An Error Event occured. EventID: 0x40000004
            Time Generated: 05/05/2006 12:53:09
            Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was cifs/ag-dbsvr.mydomain.net. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
         An Error Event occured. EventID: 0x40000004
            Time Generated: 05/05/2006 12:55:37
            Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was LDAP/AG-DBSVR. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
         An Error Event occured. EventID: 0x40000004
            Time Generated: 05/05/2006 13:05:23
            Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was LDAP/ag-dbsvr.mydomain.net/mydomain.net. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
         An Error Event occured. EventID: 0x40000004
            Time Generated: 05/05/2006 13:05:23
            Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was LDAP/ag-dbsvr.mydomain.net/IBUSINESS. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
         An Error Event occured. EventID: 0x40000004
            Time Generated: 05/05/2006 13:18:52
            Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was LDAP/1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
         An Error Event occured. EventID: 0x40000004
            Time Generated: 05/05/2006 13:22:01
            Event String: The kerberos client received a KRB_AP_ERR_MODIFIED error from the server host/ag-dbsvr.mydomain.net. The target name used was cifs/AG-DBSVR. This indicates that the password used to encrypt the kerberos service ticket is different than that on the target server. Commonly, this is due to identically named machine accounts in the target realm (mydomain.NET), and the client realm. Please contact your system administrator.
         ......................... AG-DBSVR failed test systemlog
      Starting test: VerifyReplicas
         ......................... AG-DBSVR passed test VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference) CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net and backlink on CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net are correct.
         The system object reference (frsComputerReferenceBL) CN=AG-DBSVR,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=net and backlink on CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net are correct.
         The system object reference (serverReferenceBL) CN=AG-DBSVR,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=net and backlink on CN=NTDS Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net are correct.
         ......................... AG-DBSVR passed test VerifyReferences
      Starting test: VerifyEnterpriseReferences
         The following problems were found while verifying various important DN references. Note, that these problems can be reported because of latency in replication. So follow up to resolve the following problems, only if the same problem is reported on all DCs for a given domain or if the problem persists after replication has had reasonable time to replicate changes.
         [1] Problem: Missing Expected Value
            Base Object: CN=TEMPSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
            Base Object Description: "Server Object"
            Value Object Attribute: serverReference
            Value Object Description: "DC Account Object"
            Recommended Action: This could hamper authentication (and thus replication, etc). Check if this server is deleted, and if so clean up this DCs Account Object. If the problem persists and this is not a deleted DC, authoratively restore the DSA object from a good copy, for example the DSA on the DSA's home server.
         [2] Problem: Missing Expected Value
            Base Object: CN=NTSERVER,OU=Domain Controllers,DC=mydomain,DC=net
            Base Object Description: "DC Account Object"
            Value Object Attribute Name: serverReferenceBL
            Value Object Description: "Server Object"
            Recommended Action: Check if this server is deleted, and if so clean up this DCs Account Object.
         [3] Problem: Missing Expected Value
            Base Object: CN=NTSERVER,OU=Domain Controllers,DC=mydomain,DC=net
            Base Object Description: "DC Account Object"
            Value Object Attribute Name: frsComputerReferenceBL
            Value Object Description: "SYSVOL FRS Member Object"
            Recommended Action: See Knowledge Base Article: Q312862
         [4] Problem: Missing Expected Value
            Base Object: CN=TEMPSVR,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=net
            Base Object Description: "SYSVOL FRS Member Object"
            Value Object Attribute Name: frsComputerReference
            Value Object Description: "DC Account Object"
            Recommended Action: Check if this server is deleted, and if so clean up this DCs SYSVOL FRS Member Object. Also see Knowledge Base Article: Q312862
         ......................... AG-DBSVR failed test VerifyEnterpriseReferences
      Starting test: CheckSecurityError
         * Dr Auth: Beginning security errors check!
DcDiag: uncaught exception raised, continuing search

===============

Specifically, why on earth is the PDC role not working? I had hoped that all of these issues would magically disappear once the DNS issue was rectified!

Thanks again for all your help, and thanks in advance for the help I hope you're going to give with this one! ;-)

Berty

From: strongline on 5 May 2006 08:59

The server "TMPSVR" wasn't demoted gracefully. You need to perform a metadata cleanup. Also your current DC doesn't look like the PDC owner (I know you've checked once, but please double check). It doesn't hurt to seize it again.

Q216498
Q255504

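Added example, not part of any post in this thread: a small Python parser that pulls out of `dcdiag /v` output the evidence the reply above relies on (a server object with no computer account that is also a failing replication source) plus the failed tests. The function names and the "stale DC" heuristic are assumptions of this example, and the sample text is a constructed excerpt modelled on the output posted above.

```python
import re
from datetime import datetime

# Constructed excerpt modelled on the dcdiag /v output quoted in this thread
# (shortened; one DN is wrapped the way a news client would wrap it).
SAMPLE = """\
GLOBAL:
 dwTombstoneLifeTimeDays=60
SERVER: pServer[0].pszName=TEMPSVR
 pServer[0].pszComputerAccountDn=(null)
 pServer[0].iSite=0 (Default-First-Site-Name)
SERVER: pServer[1].pszName=AG-DBSVR
 pServer[1].pszComputerAccountDn=CN=AG-DBSVR,OU=Domain
Controllers,DC=mydomain,DC=net
 pServer[1].iSite=0 (Default-First-Site-Name)
 [Replications Check,AG-DBSVR] A recent replication attempt failed:
 From TEMPSVR to AG-DBSVR
 Naming Context: DC=mydomain,DC=net
 The replication generated an error (1722):
 Win32 Error 1722
 The failure occurred at 2006-05-05 12:49:50.
 The last success occurred at 2006-04-25 15:28:35.
 239 failures have occurred since the last success.
 ......................... AG-DBSVR passed test Replications
 ......................... AG-DBSVR failed test frsevent
 ......................... AG-DBSVR failed test kccevent
"""

TS = r"\d{4}-\d\d-\d\d\s+\d\d:\d\d:\d\d"
# Whitespace-tolerant patterns: they work on line-broken output and on
# output whose line breaks were collapsed into spaces by an archive.
ACCOUNT_RE = re.compile(
    r"pServer\[(\d+)\]\.pszComputerAccountDn=(.*?)(?=\s+pServer\[|\s*\Z)", re.S)
REPL_RE = re.compile(
    r"From (?P<src>\S+) to (?P<dst>\S+)\s+Naming Context:\s+(?P<nc>\S+)\s+"
    r"The replication generated an error \((?P<err>\d+)\).*?"
    r"The failure occurred at (?P<failed>" + TS + r")\.\s+"
    r"The last success occurred at (?P<last>" + TS + r")\.\s+"
    r"(?P<count>\d+) failures have occurred", re.S)
VERDICT_RE = re.compile(r"\.{5,}\s+(\S+) (passed|failed) test (\w+)")


def _ts(value):
    """Parse a dcdiag timestamp, tolerating a line wrap between date and time."""
    return datetime.strptime(" ".join(value.split()), "%Y-%m-%d %H:%M:%S")


def parse_servers(text):
    """Map server name -> computer account DN (None when dcdiag shows '(null)')."""
    names = dict(re.findall(r"pServer\[(\d+)\]\.pszName=(\S+)", text))
    accounts = {}
    for idx, dn in ACCOUNT_RE.findall(text):
        dn = " ".join(dn.split())          # undo wrapping inside the DN
        accounts[idx] = None if dn == "(null)" else dn
    return {name: accounts.get(idx) for idx, name in names.items()}


def parse_replication_failures(text):
    """Return one dict per 'A recent replication attempt failed' block."""
    m = re.search(r"dwTombstoneLifeTimeDays=(\d+)", text)
    tombstone = int(m.group(1)) if m else None
    failures = []
    for m in REPL_RE.finditer(text):
        days = (_ts(m["failed"]) - _ts(m["last"])).days
        failures.append({
            "source": m["src"], "target": m["dst"], "nc": m["nc"],
            "error": int(m["err"]), "failures": int(m["count"]),
            "days_since_success": days,
            # None when the tombstone lifetime is not in the captured text.
            "past_tombstone": None if tombstone is None else days > tombstone,
        })
    return failures


def failed_tests(text):
    """Names of the dcdiag tests reported as failed, in output order."""
    return [t for _, verdict, t in VERDICT_RE.findall(text) if verdict == "failed"]


def stale_dc_candidates(text):
    """Heuristic (assumption of this example): a server listed in the
    configuration with no computer account that is also a failing
    replication source is a candidate for metadata cleanup."""
    servers = parse_servers(text)
    failing = {f["source"] for f in parse_replication_failures(text)}
    return sorted(n for n, dn in servers.items() if dn is None and n in failing)


if __name__ == "__main__":
    print("stale DC candidates:", stale_dc_candidates(SAMPLE))
    for f in parse_replication_failures(SAMPLE):
        print(f)
    print("failed tests:", failed_tests(SAMPLE))
```
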
From: Bertram on 5 May 2006 12:43

Hi strongline,

I have performed the steps outlined in the KB's you mentioned - things are looking a bit more positive, however I get the following error when running dcdiag:

==========

Starting test: FsmoCheck
   Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
   A Primary Domain Controller could not be located.
   The server holding the PDC role is down.
   .......................... mydomain.net failed test FsmoCheck

====================

This server is in fact the holder of the PDC role, which I have verified using ntdsutil. Any suggestions?

Oh, and for some as-yet unknown reason my DNS zone disappeared again when I rebooted. Resetting the kerberos password, and restarting netlogon/DNS brought it back again.

If anyone has any suggestions for me to try over the weekend (God bless Remote Desktop and VPNs!) please let me know!

From: Jorge Silva on 5 May 2006 14:24

Hi again...

Please answer this question:

1 - In your first post after the first test for dcdiag, you said that you finally got the DNS working with AD integrated, right? Please tell us what you changed to achieve that.

Now:

1 - Remove any references to "tempsvr.mydomain.net"; I believe this was the old server. Use this link:

How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/?scid=kb%3Ben-us%3B216498&x=6&y=11#XSLTH3140121122120121120120

After this, use the Active Directory Sites and Services MMC snap-in to remove the server "tempsvr.mydomain.net" object.

VERY IMPORTANT - Next go to the DNS and remove any references to this server. Or you can delete the DNS zone and recreate it again, using the steps that I already gave you in previous posts, deleting the netlogon files, etc...

Reboot the server twice. Run the tests again.

--
I hope that helps
Good Luck
Jorge Silva
MCSA
Systems Administrator

"Bertram" <BertramWilberforceWooster(a)gmail.com> wrote in message news:1146832027.844673.197680(a)e56g2000cwe.googlegroups.com...
> Yahoo! I've managed to get somewhere... I've now got a DNS service with
> an AD-integrated forward zone set up.
>
> There are still some worrying items in the output from dcdiag though -
> I've included the output below in the hope that someone can shed some
> light on my (new?) problem.
>
> ================
>
> Command Line: "dcdiag.exe /v /d /c"
>
> Domain Controller Diagnosis
>
> Performing initial setup:
> * Verifying that the local machine ag-dbsvr, is a DC.
> * Connecting to directory service on server ag-dbsvr.
> ag-dbsvr.currentTime = 20060505121831.0Z
> ag-dbsvr.highestCommittedUSN = 307279
> ag-dbsvr.isSynchronized = 1
> ag-dbsvr.isGlobalCatalogReady = 1
> * Collecting site info.
> * Identifying all servers.
> * Performing upstream (of target) analysis. > DsReplicaSyncAllW failed with error Win32 Error 8440. > * Performing downstream (of target) analysis. > DsReplicaSyncAllW failed with error Win32 Error 8440. > * Analyzing the alive system replication topology for > CN=Configuration,DC=mydomain,DC=net. > * Performing upstream (of target) analysis. > DsReplicaSyncAllW failed with error Win32 Error 8440. > * Performing downstream (of target) analysis. > DsReplicaSyncAllW failed with error Win32 Error 8440. > * Analyzing the alive system replication topology for > DC=mydomain,DC=net. > * Performing upstream (of target) analysis. > DsReplicaSyncAllW failed with error Win32 Error 8440. > * Performing downstream (of target) analysis. > DsReplicaSyncAllW failed with error Win32 Error 8440. > ......................... AG-DBSVR passed test CutoffServers > Starting test: NCSecDesc > * Security Permissions check for all NC's on DC AG-DBSVR. > * Security Permissions Check for > CN=Schema,CN=Configuration,DC=mydomain,DC=net > (Schema,Version 2) > * Security Permissions Check for > CN=Configuration,DC=mydomain,DC=net > (Configuration,Version 2) > * Security Permissions Check for > DC=mydomain,DC=net > (Domain,Version 2) > ......................... AG-DBSVR passed test NCSecDesc > Starting test: NetLogons > * Network Logons Privileges Check > Verified share \\AG-DBSVR\netlogon > Verified share \\AG-DBSVR\sysvol > ......................... AG-DBSVR passed test NetLogons > Starting test: Advertising > The DC AG-DBSVR is advertising itself as a DC and having a DS. > The DC AG-DBSVR is advertising as an LDAP server > The DC AG-DBSVR is advertising as having a writeable directory > The DC AG-DBSVR is advertising as a Key Distribution Center > The DC AG-DBSVR is advertising as a time server > The DS AG-DBSVR is advertising as a GC. > ......................... 
AG-DBSVR passed test Advertising > Starting test: KnowsOfRoleHolders > Role Schema Owner = CN=NTDS > Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net > Role Domain Owner = CN=NTDS > Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net > Role PDC Owner = CN=NTDS > Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net > Role Rid Owner = CN=NTDS > Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net > Role Infrastructure Update Owner = CN=NTDS > Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net > ......................... AG-DBSVR passed test > KnowsOfRoleHolders > Starting test: RidManager > ridManagerReference = CN=RID > Manager$,CN=System,DC=mydomain,DC=net > * Available RID Pool for the Domain is 3863 to 1073741823 > fSMORoleOwner = CN=NTDS > Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net > * ag-dbsvr.mydomain.net is the RID Master > * DsBind with RID Master was successful > rIDSetReferences = CN=RID Set,CN=AG-DBSVR,OU=Domain > Controllers,DC=mydomain,DC=net > * rIDAllocationPool is 2863 to 3362 > * rIDPreviousAllocationPool is 2863 to 3362 > * rIDNextRID: 2879 > ......................... AG-DBSVR passed test RidManager > Starting test: MachineAccount > Checking machine account for DC AG-DBSVR on DC AG-DBSVR. 
> * SPN found :LDAP/ag-dbsvr.mydomain.net/mydomain.net > * SPN found :LDAP/ag-dbsvr.mydomain.net > * SPN found :LDAP/AG-DBSVR > * SPN found :LDAP/ag-dbsvr.mydomain.net/IBUSINESS > * SPN found > :LDAP/1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net > * SPN found > :E3514235-4B06-11D1-AB04-00C04FC2DCD2/1750286d-b0a6-4633-a9d0-63967c9a5fcb/mydomain.net > * SPN found :HOST/ag-dbsvr.mydomain.net/mydomain.net > * SPN found :HOST/ag-dbsvr.mydomain.net > * SPN found :HOST/AG-DBSVR > * SPN found :HOST/ag-dbsvr.mydomain.net/IBUSINESS > * SPN found :GC/ag-dbsvr.mydomain.net/mydomain.net > ......................... AG-DBSVR passed test MachineAccount > Starting test: Services > * Checking Service: Dnscache > * Checking Service: NtFrs > * Checking Service: IsmServ > * Checking Service: kdc > * Checking Service: SamSs > * Checking Service: LanmanServer > * Checking Service: LanmanWorkstation > * Checking Service: RpcSs > * Checking Service: w32time > * Checking Service: NETLOGON > ......................... AG-DBSVR passed test Services > Starting test: OutboundSecureChannels > * The Outbound Secure Channels test > ** Did not run Outbound Secure Channels test > because /testdomain: was not entered > ......................... AG-DBSVR passed test > OutboundSecureChannels > Starting test: ObjectsReplicated > AG-DBSVR is in domain DC=mydomain,DC=net > Checking for CN=AG-DBSVR,OU=Domain > Controllers,DC=mydomain,DC=net in domain DC=mydomain,DC=net on 1 > servers > Object is up-to-date on all servers. > Checking for CN=NTDS > Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net > in domain CN=Configuration,DC=mydomain,DC=net on 1 servers > Object is up-to-date on all servers. > ......................... AG-DBSVR passed test > ObjectsReplicated > Starting test: frssysvol > * The File Replication Service SYSVOL ready test > File Replication Service's SYSVOL is ready > ......................... 
AG-DBSVR passed test frssysvol > Starting test: frsevent > * The File Replication Service Event log test > There are warning or error events within the last 24 hours > after the > > SYSVOL has been shared. Failing SYSVOL replication problems > may cause > > Group Policy problems. > An Warning Event occured. EventID: 0x800034FA > Time Generated: 05/05/2006 12:23:54 > (Event String could not be retrieved) > ......................... AG-DBSVR failed test frsevent > Starting test: kccevent > * The KCC Event log test > An Warning Event occured. EventID: 0x8025082C > Time Generated: 05/05/2006 13:19:28 > (Event String could not be retrieved) > An Warning Event occured. EventID: 0x8025082C > Time Generated: 05/05/2006 13:19:28 > (Event String could not be retrieved) > An Warning Event occured. EventID: 0x8025082C > Time Generated: 05/05/2006 13:19:28 > (Event String could not be retrieved) > An Error Event occured. EventID: 0xC0000748 > Time Generated: 05/05/2006 13:19:28 > (Event String could not be retrieved) > An Warning Event occured. EventID: 0x8025082C > Time Generated: 05/05/2006 13:19:28 > (Event String could not be retrieved) > An Error Event occured. EventID: 0xC0000748 > Time Generated: 05/05/2006 13:19:28 > (Event String could not be retrieved) > An Warning Event occured. EventID: 0x8025082C > Time Generated: 05/05/2006 13:19:28 > (Event String could not be retrieved) > An Error Event occured. EventID: 0xC0000748 > Time Generated: 05/05/2006 13:19:28 > (Event String could not be retrieved) > ......................... AG-DBSVR failed test kccevent > Starting test: systemlog > * The System Event log test > An Error Event occured. EventID: 0x40000004 > Time Generated: 05/05/2006 12:52:19 > Event String: The kerberos client received a > > KRB_AP_ERR_MODIFIED error from the server > > host/ag-dbsvr.mydomain.net. The target name > > used was > > LDAP/ag-dbsvr.mydomain.net/mydomain.net(a)mydomain.net. 
> > This indicates that the password used to encrypt > > the kerberos service ticket is different than > > that on the target server. Commonly, this is due > > to identically named machine accounts in the > > target realm (mydomain.NET), and the client > > realm. Please contact your system > > administrator. > An Error Event occured. EventID: 0x40000004 > Time Generated: 05/05/2006 12:53:09 > Event String: The kerberos client received a > > KRB_AP_ERR_MODIFIED error from the server > > host/ag-dbsvr.mydomain.net. The target name > > used was cifs/ag-dbsvr.mydomain.net. This > > indicates that the password used to encrypt the > > kerberos service ticket is different than that on > > the target server. Commonly, this is due to > > identically named machine accounts in the target > > realm (mydomain.NET), and the client realm. > > Please contact your system administrator. > An Error Event occured. EventID: 0x40000004 > Time Generated: 05/05/2006 12:55:37 > Event String: The kerberos client received a > > KRB_AP_ERR_MODIFIED error from the server > > host/ag-dbsvr.mydomain.net. The target name > > used was LDAP/AG-DBSVR. This indicates that the > > password used to encrypt the kerberos service > > ticket is different than that on the target > > server. Commonly, this is due to identically > > named machine accounts in the target realm > > (mydomain.NET), and the client realm. > > Please contact your system administrator. > An Error Event occured. EventID: 0x40000004 > Time Generated: 05/05/2006 13:05:23 > Event String: The kerberos client received a > > KRB_AP_ERR_MODIFIED error from the server > > host/ag-dbsvr.mydomain.net. The target name > > used was > > LDAP/ag-dbsvr.mydomain.net/mydomain.net. > > This indicates that the password used to encrypt > > the kerberos service ticket is different than > > that on the target server. Commonly, this is due > > to identically named machine accounts in the > > target realm (mydomain.NET), and the client > > realm. 
Please contact your system > > administrator. > An Error Event occured. EventID: 0x40000004 > Time Generated: 05/05/2006 13:05:23 > Event String: The kerberos client received a > > KRB_AP_ERR_MODIFIED error from the server > > host/ag-dbsvr.mydomain.net. The target name > > used was > > LDAP/ag-dbsvr.mydomain.net/IBUSINESS. This > > indicates that the password used to encrypt the > > kerberos service ticket is different than that on > > the target server. Commonly, this is due to > > identically named machine accounts in the target > > realm (mydomain.NET), and the client realm. > > Please contact your system administrator. > An Error Event occured. EventID: 0x40000004 > Time Generated: 05/05/2006 13:18:52 > Event String: The kerberos client received a > > KRB_AP_ERR_MODIFIED error from the server > > host/ag-dbsvr.mydomain.net. The target name > > used was > > LDAP/1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net. > > This indicates that the password used to encrypt > > the kerberos service ticket is different than > > that on the target server. Commonly, this is due > > to identically named machine accounts in the > > target realm (mydomain.NET), and the client > > realm. Please contact your system > > administrator. > An Error Event occured. EventID: 0x40000004 > Time Generated: 05/05/2006 13:22:01 > Event String: The kerberos client received a > > KRB_AP_ERR_MODIFIED error from the server > > host/ag-dbsvr.mydomain.net. The target name > > used was cifs/AG-DBSVR. This indicates that the > > password used to encrypt the kerberos service > > ticket is different than that on the target > > server. Commonly, this is due to identically > > named machine accounts in the target realm > > (mydomain.NET), and the client realm. > > Please contact your system administrator. > ......................... AG-DBSVR failed test systemlog > Starting test: VerifyReplicas > ......................... 
AG-DBSVR passed test VerifyReplicas > Starting test: VerifyReferences > The system object reference (serverReference) > > CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net and > backlink > > on > > > CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net > > are correct. > The system object reference (frsComputerReferenceBL) > > CN=AG-DBSVR,CN=Domain System Volume (SYSVOL share),CN=File > Replication Service,CN=System,DC=mydomain,DC=net > > and backlink on > > CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net are > correct. > The system object reference (serverReferenceBL) > > CN=AG-DBSVR,CN=Domain System Volume (SYSVOL share),CN=File > Replication Service,CN=System,DC=mydomain,DC=net > > and backlink on > > CN=NTDS > Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net > > are correct. > ......................... AG-DBSVR passed test > VerifyReferences > Starting test: VerifyEnterpriseReferences > The following problems were found while verifying various > important DN > > references. Note, that these problems can be reported > because of > > latency in replication. So follow up to resolve the following > > problems, only if the same problem is reported on all DCs for > a given > > domain or if the problem persists after replication has had > > reasonable time to replicate changes. > [1] Problem: Missing Expected Value > > Base Object: > > > CN=TEMPSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net > > Base Object Description: "Server Object" > > Value Object Attribute: serverReference > > Value Object Description: "DC Account Object" > > Recommended Action: This could hamper authentication (and > thus > > replication, etc). Check if this server is deleted, and > if so > > clean up this DCs Account Object. 
If the problem persists > and > > this is not a deleted DC, authoratively restore the DSA > object from > > a good copy, for example the DSA on the DSA's home server. > > > [2] Problem: Missing Expected Value > > Base Object: > > CN=NTSERVER,OU=Domain Controllers,DC=mydomain,DC=net > > Base Object Description: "DC Account Object" > > Value Object Attribute Name: serverReferenceBL > > Value Object Description: "Server Object" > > Recommended Action: Check if this server is deleted, and > if so > > clean up this DCs Account Object. > > > [3] Problem: Missing Expected Value > > Base Object: > > CN=NTSERVER,OU=Domain Controllers,DC=mydomain,DC=net > > Base Object Description: "DC Account Object" > > Value Object Attribute Name: frsComputerReferenceBL > > Value Object Description: "SYSVOL FRS Member Object" > > Recommended Action: See Knowledge Base Article: Q312862 > > > [4] Problem: Missing Expected Value > > Base Object: > > CN=TEMPSVR,CN=Domain System Volume (SYSVOL share),CN=File > Replication Service,CN=System,DC=mydomain,DC=net > > Base Object Description: "SYSVOL FRS Member Object" > > Value Object Attribute Name: frsComputerReference > > Value Object Description: "DC Account Object" > > Recommended Action: Check if this server is deleted, and > if so > > clean up this DCs SYSVOL FRS Member Object. Also see > Knowledge > > Base Article: Q312862 > > > ......................... AG-DBSVR failed test > VerifyEnterpriseReferences > Starting test: CheckSecurityError > * Dr Auth: Beginning security errors check! > DcDiag: uncaught exception raised, continuing search > > > =============== > > Specifically, why on earth is the PDC role not working? I had hoped > that all of these issues would magically disappear once the DNS issue > was rectified! > > Thanks again for all your help, and thanks in advance for the help I > hope you're going to give with this one! ;-) > > Berty >
From: Bertram on 8 May 2006 06:39
Hi again!

What finally resolved the DNS issue appears to be resetting the Kerberos password by running netdom resetpasswd. Upon rebooting the machine, then starting and stopping netlogon and DNS, the correct forward zone entries were automatically created. The problem is not entirely resolved, as I have actually had to do this again over the weekend, as the problem reared its ugly head again.

I have followed your instructions and removed any references to tmpserver - I will reboot it twice shortly.

Apropos the Kerberos problem... do you think this is related to the references to tmpserver? Should it be permanently resolved now that these references have been removed?

Your help and persistence with this problem are enormously appreciated - you've saved me pulling out a lot of my hair. You are a credit and example to this newsgroup and the internet in general.

Thanks again,
Berty