I am getting the following error after restoring an original image of DC after a day of running a backup image of the DC.

I have checked the regkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters where :

"Dsa Not Writable"=dword:00000004

therefore I did the following on the DC:

Repadmin /options –disable_inbound_repl

Repadmin /options –disable_outbound_repl

afterward, I restarted the AD services but netlogon service failed to start, therefore restarted the DC and netlogon is back but I still get Event ID 2092. What should I do to fix this. Also, users' network drive is also not connecting when using the DC name but works with IP instead.

Also netdom query FSMO gives the following:

C:\Windows\system32>netdom query FSMO
Schema master               CAPRICORNFF.fairfield.ac
Domain naming master        CAPRICORNFF.fairfield.ac
PDC                         CAPRICORNFF.fairfield.ac
RID pool manager            CAPRICORNFF.fairfield.ac
Infrastructure master       CAPRICORNFF.fairfield.ac
The command completed successfully.

This is the output of DCDIAG:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = CAPRICORNFF

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests


   Testing server: Default-First-Site-Name\CAPRICORNFF

      Starting test: Connectivity

         ......................... CAPRICORNFF passed test Connectivity



Doing primary tests


   Testing server: Default-First-Site-Name\CAPRICORNFF

      Starting test: Advertising

         ......................... CAPRICORNFF passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... CAPRICORNFF passed test FrsEvent

      Starting test: DFSREvent

         ......................... CAPRICORNFF passed test DFSREvent

      Starting test: SysVolCheck

         ......................... CAPRICORNFF passed test SysVolCheck

      Starting test: KccEvent

         ......................... CAPRICORNFF passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... CAPRICORNFF passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... CAPRICORNFF passed test MachineAccount

      Starting test: NCSecDesc

         ......................... CAPRICORNFF passed test NCSecDesc

      Starting test: NetLogons

         ......................... CAPRICORNFF passed test NetLogons

      Starting test: ObjectsReplicated

         ......................... CAPRICORNFF passed test ObjectsReplicated

      Starting test: Replications

         ......................... CAPRICORNFF passed test Replications

      Starting test: RidManager

         ......................... CAPRICORNFF passed test RidManager

      Starting test: Services

         ......................... CAPRICORNFF passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x40000004

            Time Generated: 10/22/2018   11:14:35

            Event String:

            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server capricornff$. The target name used was DNS/capricornff.fairfield.ac. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (FAIRFIELD.AC) is different from the client domain (FAIRFIELD.AC), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

         An error event occurred.  EventID: 0x0000168F

            Time Generated: 10/22/2018   11:14:35

            Event String:

            The dynamic deletion of the DNS record '_kerberos._tcp.dc._msdcs.fairfield.ac. 600 IN SRV 0 100 88 CAPRICORNFF.fairfield.ac.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 10/22/2018   11:14:35

            Event String:

            The dynamic deletion of the DNS record '_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.fairfield.ac. 600 IN SRV 0 100 88 CAPRICORNFF.fairfield.ac.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 10/22/2018   11:14:35

            Event String:

            The dynamic deletion of the DNS record '_kerberos._tcp.fairfield.ac. 600 IN SRV 0 100 88 CAPRICORNFF.fairfield.ac.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 10/22/2018   11:14:35

            Event String:

            The dynamic deletion of the DNS record '_kerberos._tcp.Default-First-Site-Name._sites.fairfield.ac. 600 IN SRV 0 100 88 CAPRICORNFF.fairfield.ac.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 10/22/2018   11:14:35

            Event String:

            The dynamic deletion of the DNS record '_kerberos._udp.fairfield.ac. 600 IN SRV 0 100 88 CAPRICORNFF.fairfield.ac.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 10/22/2018   11:14:35

            Event String:

            The dynamic deletion of the DNS record '_kpasswd._tcp.fairfield.ac. 600 IN SRV 0 100 464 CAPRICORNFF.fairfield.ac.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x0000168F

            Time Generated: 10/22/2018   11:14:35

            Event String:

            The dynamic deletion of the DNS record '_kpasswd._udp.fairfield.ac. 600 IN SRV 0 100 464 CAPRICORNFF.fairfield.ac.' failed on the following DNS server:  


         An error event occurred.  EventID: 0x00000C8A

            Time Generated: 10/22/2018   11:14:39

            Event String:

            This computer could not authenticate with \\Portal.fairfield.ac, a Windows domain controller for domain FAIRFIELD, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 10/22/2018   11:14:43

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 10/22/2018   11:15:27

            Event String:

            Name resolution for the name fairfield.ac timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x80070003

            Time Generated: 10/22/2018   11:22:11

            Event String:

            VMDebug driver (version 7.3.4.7) was not enabled.  This driver is required by the replay debugging feature of VMware Workstation. If you are using other VMware products or not using replay debugging, please ignore this message.

         A warning event occurred.  EventID: 0x8000001D

            Time Generated: 10/22/2018   11:23:12

            Event String:

            The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 10/22/2018   11:23:45

            Event String:

            Name resolution for the name fairfield.ac timed out after none of the configured DNS servers responded.

         A warning event occurred.  EventID: 0x0000000C

            Time Generated: 10/22/2018   11:24:01

            Event String:

            Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the AD PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the AD PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

         An error event occurred.  EventID: 0xC0001B61

            Time Generated: 10/22/2018   11:24:29

            Event String:

            A timeout was reached (30000 milliseconds) while waiting for the Kaspersky Endpoint Security Service service to connect.

         An error event occurred.  EventID: 0xC0001B58

            Time Generated: 10/22/2018   11:24:30

            Event String:

            The Kaspersky Endpoint Security Service service failed to start due to the following error: 


         A warning event occurred.  EventID: 0x00000012

            Time Generated: 10/22/2018   11:27:18

            Event String:

            The Secure Socket Tunneling Protocol service either could not read the SHA256 certificate hash from the registry or the data is invalid. To be valid, the SHA256 certificate hash must be of type REG_BINARY and 32 bytes in length. SSTP might not be able to retrieve the value from the registry due to some other system failure. The detailed error message is provided below. SSTP connections will not be accepted on this server. Correct the problem and try again. 


         An error event occurred.  EventID: 0x00004E8A

            Time Generated: 10/22/2018   11:27:20

            Event String:

            Unable to add the interface {36C8181F-08BE-474A-8C8D-3DA1CACC4D1F} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.


         An error event occurred.  EventID: 0x00004E8A

            Time Generated: 10/22/2018   11:27:20

            Event String:

            Unable to add the interface {9039BCB2-5312-4C6C-B0A7-C6FE0A2272D8} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.


         A warning event occurred.  EventID: 0x00004EE0

            Time Generated: 10/22/2018   11:27:20

            Event String:

            A certificate could not be found. Connections that use the L2TP protocol over IPsec  require the installation of a machine certificate, also known as a computer  certificate. No L2TP calls will be accepted.

         A warning event occurred.  EventID: 0x00004ECB

            Time Generated: 10/22/2018   11:27:20

            Event String:

            Failed to apply IP Security on port VPN2-2 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.

         A warning event occurred.  EventID: 0x00004ECB

            Time Generated: 10/22/2018   11:27:20

            Event String:

            Failed to apply IP Security on port VPN2-1 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.

         A warning event occurred.  EventID: 0x00004ECB

            Time Generated: 10/22/2018   11:27:20

            Event String:

            Failed to apply IP Security on port VPN2-0 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.

         A warning event occurred.  EventID: 0x00004ECB

            Time Generated: 10/22/2018   11:27:20

            Event String:

            Failed to apply IP Security on port VPN2-9 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.

         A warning event occurred.  EventID: 0x00004ECB

            Time Generated: 10/22/2018   11:27:20

            Event String:

            Failed to apply IP Security on port VPN2-8 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.

         A warning event occurred.  EventID: 0x00004ECB

            Time Generated: 10/22/2018   11:27:20

            Event String:

            Failed to apply IP Security on port VPN2-7 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.

         A warning event occurred.  EventID: 0x00004ECB

            Time Generated: 10/22/2018   11:27:20

            Event String:

            Failed to apply IP Security on port VPN2-6 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.

         A warning event occurred.  EventID: 0x00004ECB

            Time Generated: 10/22/2018   11:27:20

            Event String:

            Failed to apply IP Security on port VPN2-5 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.

         A warning event occurred.  EventID: 0x00004ECB

            Time Generated: 10/22/2018   11:27:20

            Event String:

            Failed to apply IP Security on port VPN2-4 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.

         A warning event occurred.  EventID: 0x00004ECB

            Time Generated: 10/22/2018   11:27:20

            Event String:

            Failed to apply IP Security on port VPN2-3 because of error: A certificate could not be found.  Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate..  No calls will be accepted to this port.

         A warning event occurred.  EventID: 0x000727AA

            Time Generated: 10/22/2018   11:27:20

            Event String:

            The WinRM service failed to create the following SPNs: WSMAN/CAPRICORNFF.fairfield.ac; WSMAN/CAPRICORNFF. 


         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 10/22/2018   11:33:58

            Event String:

            Name resolution for the name fairfield.ac timed out after none of the configured DNS servers responded.

         ......................... CAPRICORNFF failed test SystemLog

      Starting test: VerifyReferences

         ......................... CAPRICORNFF passed test VerifyReferences



   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation


   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation


   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation


   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation


   Running partition tests on : fairfield

      Starting test: CheckSDRefDom

         ......................... fairfield passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... fairfield passed test CrossRefValidation


   Running enterprise tests on : fairfield.ac

      Starting test: LocatorCheck

         ......................... fairfield.ac passed test LocatorCheck

      Starting test: Intersite

         ......................... fairfield.ac passed test Intersite

Hi,

We have 3 2008 R2 DCs. We have only one domain. We are going to move two of them to another location, meaning two of them will be unavailable for about a couple of days. Should I move all FSMO roles to the one that will be available during the moving and transfer back when they are available?   

Please advise!

Thanks in advance!

Grace

I am using the Get-addomain -identity my.domain.local (its a domain in a forest) | select-object -property *

However the results are limited and cannot see all the attributes.

Or if that is not possible. I can see the name in the properties, but I dont know if changing the name would have any effect on the domain and it's children any effect at all

Thank you for your assistance 

hi all,

my environment consists of 2 domain controllers (dc1 and dc2)

and exchange 2010 that consists of 4 servers:

2 HUB/CAS servers (srvhc01,srvhc02)

2 mailbox servers (MBx01,MBX02)  all of these servers reside in the same site.

one of the admin in active directory decided to set the " log on to computers " for each user to contain the user's computer

only .but that makes users can't access the outlook web access mail ,so beside adding the users computers to "log on to computers" ,he added (srvhc01,srvhc02) 

but I noticed that outlook client keeps prompting for user name and password  for a shorter period of time 

so I added DC1 and DC2 to" log on to computers" in each user  the solution still under test.

so the question what servers shall I add in the "log on to computers"  so that I can not disturb logging to exchange services

is my conclusion right "the reason for being outlook keeps prompting for user name and password because the user logs to active directory through the hub/cas server "

please  help me because my manager insist for applying this 

To whom it may concern,

I'm trying to get the Active Directory Web Services installed in my Windows Server 2008 box. The update is Windows6.0-KB968934-x64, and I keep getting the error message stated in the title. After researching, it seems that a next rollup is needed, but I can't find it. It seems that maybe I need to ask the Micorsoft people directly. Any help would greatly be appreciated. I know updating to a newer version of Windows will probably solve this problem, but I'm not ready to do so yet.

Regards,

We are using Windows Server 2012 R2, and user account management audit is enabled.

We are using Windows 10 client PC, joined to the domain. Is there any event log generated on the local PC (not in the DC) when the user is changing their password from ctrl+alt+delete for their Active Directory account? (not local account)

Please advise how can we track this event ID from the client PC

Hi everyone,

i locked a user yesterday because of problematic traffic and kicked him out of VPN.

Today i inspected his notebook after reenabling the user and everything was fine. So i though...

After lunch he called and said he cannot login because his account is disabled. In AD his account was enabled in the morning.

So we are stuck at the login screen. He has no possibility to go to an office. We have a dummy user that can login and start a VPN session. So i though - runas user and then the client would save the unlocked state of this user.

Well it did not. How to reenable a remote worker after he got disabled?

My next approach is "Switch user" i hope this will work. But what is best practice here?

<h3>Regards Stephan</h3>

I have a weird problem. when I do a nslookup on this particular domain name, it shows timed out on my Windows 10 client and I can't access this website, but if I log onto the DC/name server, DC02, it works just fine. 

All other websites work just fine.

Any suggestion as why this is happening and how to resolve this?

On the client: 

C:\Users\JSMITH>nslookup p2energysolutions-my.sharepoint.com
Server:  dc02.company.com
Address:  172.16.9.212

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to  dc02.company.com timed-out

On the DC02

Hi,

what is wrong :) I delegate permission for aminis group. Give more than you need permissions. And still can`t manage members of the groups. If I delegate full permission - it works :) 

what's wrong?

Hi,

I have a forest with 1 domain which has 3x domain controllers running on 2008 forest\domain functional levels.

I need to have a two way trust with another forest with 1 domain which has 1x domain controller running on 2012R2 forest\domain functional levels.

I have set up all the DNS, everything is pingable.

When I try to set up the two way forest trust I get the following error at the end of the wizard:

Cannot Continue

The trust relationship cannot be created because the following error occurred:

The operation failed. The error is: The request is not support.

Any ideas what could be wrong?

Thanks

I am using Server 2012 R2. I have configured a policy on a user OU for blocking certain application say 'firefox'. Tested it, it was working fine. Then requirement came for blocking another application say 'chrome'. I created another similar policy to block 'chrome' and applied on the same OU. But when I see resultant set of policy, earlier blocked application was removed and only 'chrome' was present in the list of blocked applications. I was also able to run 'firefox' while I had blocked it using previous policy.

Kindly help me with the correct configuration of the policy. I am using 'Don't run specified Windows applications' settings. Does configuring multiple policies with same type of settings create problems?

Hi All

I have a windows 2008 R2 Domain controller , There was request to check on the security event logs for a user id which was supposed to disabled but was found enabled, Using logparser tracked the eventid 4725 / 4722, but found that Ad_connect_srv has done the changes for RENAME of the id for example userid Alex which was there i renamed the Alex to x_alex for security purpose and disabled the id now i see its renamed back to Alex.

Can some one shed light here as i m going round and round .....!!!

Hi

we deployed server and domain name is same as email server name (email is hosted to cloud)

not users are not able to access email via web access. outlook working only with POP3 and SMTP ip address 

if mention server name in outlook that is also not working.

e.g   our domain name is abc.com and email also abc.com:8880 

pop3 - mail.abc.com

smtp - mail.abc.com

now where need to update any record or any thing.

kindly guide 

Arvind

Hello ,

we have to deploy a new active directory in Remote Site .in Remote site, we have a Vlan for users and Wifi and Servers .
Should i declare all theses subnets (Vlans) In My active directory sites  . If not , what notmally should be declared in my case .

Regards 

I am trying to join a just installed 2016 standard server to an existing 2012 R2 domain.  When I enter the user name for someone authorized to join the domain, it fails with the message the account is not authorized to login from this station.  What do I need to do to make this work?

Thanks,

jtb

jtb

Hi,

I am having an issue right now. The server has been up and running fine for years and all of a sudden, I got this error message while trying to add a user through the security tab to allow him to access a folder.

If I search for his name, it says it doesn't exist. I searched for several username including mine and I get the same message. It was working less than 2 weeks ago.

If I click on Advanced, I get: The advanced page cannot be opened because of following error: The server is not operational.

We run windows server 2008 r2 as the domain controller.

I tried running different tools but I can't pinpoint the error

Dcdiag

Command Line: "dcdiag.exe 
/V /C /D /E /s:server0"

Directory Server Diagnosis


Performing initial setup:

   * Connecting to directory service on server server0.

   server0.currentTime = 20181030133017.0Z

   server0.highestCommittedUSN = 277292665

   server0.isSynchronized = 1

   server0.isGlobalCatalogReady = 1

   * Identified AD Forest. 
   Collecting AD specific global data 
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded 
   Iterating through the sites 
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers 
   Getting information for the server CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=HASERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   SERVER0.currentTime = 20181030133017.0Z

   SERVER0.highestCommittedUSN = 277292665

   SERVER0.isSynchronized = 1

   SERVER0.isGlobalCatalogReady = 1

   * Identifying all NC cross-refs.

   HASERVER.currentTime = 20181030133017.0Z

   HASERVER.highestCommittedUSN = 42709294

   HASERVER.isSynchronized = 1

   HASERVER.isGlobalCatalogReady = 1

   * Found 2 DC(s). Testing 2 of them.

GLOBAL:
ulNumServers=2
pszRootDomain=D****N.LOCAL
pszNC=
pszRootDomainFQDN=DC=D****N,DC=LOCAL
pszConfigNc=CN=Configuration,DC=D****N,DC=LOCAL
pszPartitionsDn=CN=Partitions,CN=Configuration,DC=D****N,DC=LOCAL
fAdam=0
iSiteOptions=20
dwTombstoneLifeTimeDays=60

dwForestBehaviorVersion=4

HomeServer=0, SERVER0

SERVER: pServer[0].pszName=SERVER0
pServer[0].pszGuidDNSName (binding str)=b83914e3-011f-454b-95d6-445316e81a68._msdcs.D****N.LOCAL
pServer[0].pszDNSName=SERVER0.D****N.LOCAL
pServer[0].pszLdapPort=(null)
pServer[0].pszSslPort=(null)
pServer[0].pszDn=CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
pServer[0].pszComputerAccountDn=CN=SERVER0,OU=Domain Controllers,DC=D****N,DC=LOCAL
pServer[0].uuidObjectGuid=b83914e3-011f-454b-95d6-445316e81a68
pServer[0].uuidInvocationId=5e8dc5ad-71c0-461f-9f51-8ed505c7edbf
pServer[0].iSite=0 (Default-First-Site-Name)
pServer[0].iOptions=1
pServer[0].ftLocalAcquireTime=b23e5420 01d47054 

pServer[0].ftRemoteConnectTime=b2357a80 01d47054 

pServer[0].ppszMaster/FullReplicaNCs:
ppszMaster/FullReplicaNCs[0]=DC=ForestDnsZones,DC=D****N,DC=LOCAL
ppszMaster/FullReplicaNCs[1]=DC=DomainDnsZones,DC=D****N,DC=LOCAL
ppszMaster/FullReplicaNCs[2]=CN=Schema,CN=Configuration,DC=D****N,DC=LOCAL
ppszMaster/FullReplicaNCs[3]=CN=Configuration,DC=D****N,DC=LOCAL
ppszMaster/FullReplicaNCs[4]=DC=D****N,DC=LOCAL

SERVER: pServer[1].pszName=HASERVER
pServer[1].pszGuidDNSName (binding str)=4b8065a5-d659-480f-98b5-522fb5b9e995._msdcs.D****N.LOCAL
pServer[1].pszDNSName=haserver.D****N.LOCAL
pServer[1].pszLdapPort=(null)
pServer[1].pszSslPort=(null)
pServer[1].pszDn=CN=NTDS Settings,CN=HASERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
pServer[1].pszComputerAccountDn=CN=HASERVER,OU=Domain Controllers,DC=D****N,DC=LOCAL
pServer[1].uuidObjectGuid=4b8065a5-d659-480f-98b5-522fb5b9e995
pServer[1].uuidInvocationId=9ca36f44-d1e8-4b61-b762-06640ae3138d
pServer[1].iSite=0 (Default-First-Site-Name)
pServer[1].iOptions=1
pServer[1].ftLocalAcquireTime=b240c520 01d47054 

pServer[1].ftRemoteConnectTime=b2357a80 01d47054 

pServer[1].ppszMaster/FullReplicaNCs:
ppszMaster/FullReplicaNCs[0]=DC=ForestDnsZones,DC=D****N,DC=LOCAL
ppszMaster/FullReplicaNCs[1]=DC=DomainDnsZones,DC=D****N,DC=LOCAL
ppszMaster/FullReplicaNCs[2]=CN=Schema,CN=Configuration,DC=D****N,DC=LOCAL
ppszMaster/FullReplicaNCs[3]=CN=Configuration,DC=D****N,DC=LOCAL
ppszMaster/FullReplicaNCs[4]=DC=D****N,DC=LOCAL

SITES:  pSites[0].pszName=Default-First-Site-Name
pSites[0].pszSiteSettings=CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
pSites[0].pszISTG=CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
pSites[0].iSiteOption=20

pSites[0].cServers=2

NC:     pNCs[0].pszName=ForestDnsZones
pNCs[0].pszDn=DC=ForestDnsZones,DC=D****N,DC=LOCAL

pNCs[0].aCrInfo[0].dwFlags=0x00000201
pNCs[0].aCrInfo[0].pszDn=CN=f97ad8b4-af98-4a0f-a6f0-71715f2521b9,CN=Partitions,CN=Configuration,DC=D****N,DC=LOCAL
pNCs[0].aCrInfo[0].pszDnsRoot=ForestDnsZones.D****N.LOCAL
pNCs[0].aCrInfo[0].iSourceServer=0
pNCs[0].aCrInfo[0].pszSourceServer=(null)
pNCs[0].aCrInfo[0].ulSystemFlags=0x00000005
pNCs[0].aCrInfo[0].bEnabled=TRUE
pNCs[0].aCrInfo[0].ftWhenCreated=00000000 00000000pNCs[0].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[0].aCrInfo[0].pszNetBiosName=(null)
pNCs[0].aCrInfo[0].cReplicas=-1
pNCs[0].aCrInfo[0].aszReplicas=


NC:     pNCs[1].pszName=DomainDnsZones
pNCs[1].pszDn=DC=DomainDnsZones,DC=D****N,DC=LOCAL

pNCs[1].aCrInfo[0].dwFlags=0x00000201
pNCs[1].aCrInfo[0].pszDn=CN=84202c77-24c4-48af-b728-d9717efa0c7f,CN=Partitions,CN=Configuration,DC=D****N,DC=LOCAL
pNCs[1].aCrInfo[0].pszDnsRoot=DomainDnsZones.D****N.LOCAL
pNCs[1].aCrInfo[0].iSourceServer=0
pNCs[1].aCrInfo[0].pszSourceServer=(null)
pNCs[1].aCrInfo[0].ulSystemFlags=0x00000005
pNCs[1].aCrInfo[0].bEnabled=TRUE
pNCs[1].aCrInfo[0].ftWhenCreated=00000000 00000000pNCs[1].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[1].aCrInfo[0].pszNetBiosName=(null)
pNCs[1].aCrInfo[0].cReplicas=-1
pNCs[1].aCrInfo[0].aszReplicas=


NC:     pNCs[2].pszName=Schema
pNCs[2].pszDn=CN=Schema,CN=Configuration,DC=D****N,DC=LOCAL

pNCs[2].aCrInfo[0].dwFlags=0x00000201
pNCs[2].aCrInfo[0].pszDn=CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=D****N,DC=LOCAL
pNCs[2].aCrInfo[0].pszDnsRoot=D****N.LOCAL
pNCs[2].aCrInfo[0].iSourceServer=0
pNCs[2].aCrInfo[0].pszSourceServer=(null)
pNCs[2].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[2].aCrInfo[0].bEnabled=TRUE
pNCs[2].aCrInfo[0].ftWhenCreated=00000000 00000000pNCs[2].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[2].aCrInfo[0].pszNetBiosName=(null)
pNCs[2].aCrInfo[0].cReplicas=-1
pNCs[2].aCrInfo[0].aszReplicas=


NC:     pNCs[3].pszName=Configuration
pNCs[3].pszDn=CN=Configuration,DC=D****N,DC=LOCAL

pNCs[3].aCrInfo[0].dwFlags=0x00000201
pNCs[3].aCrInfo[0].pszDn=CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=D****N,DC=LOCAL
pNCs[3].aCrInfo[0].pszDnsRoot=D****N.LOCAL
pNCs[3].aCrInfo[0].iSourceServer=0
pNCs[3].aCrInfo[0].pszSourceServer=(null)
pNCs[3].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[3].aCrInfo[0].bEnabled=TRUE
pNCs[3].aCrInfo[0].ftWhenCreated=00000000 00000000pNCs[3].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[3].aCrInfo[0].pszNetBiosName=(null)
pNCs[3].aCrInfo[0].cReplicas=-1
pNCs[3].aCrInfo[0].aszReplicas=


NC:     pNCs[4].pszName=D****N
pNCs[4].pszDn=DC=D****N,DC=LOCAL

pNCs[4].aCrInfo[0].dwFlags=0x00000201
pNCs[4].aCrInfo[0].pszDn=CN=D****N,CN=Partitions,CN=Configuration,DC=D****N,DC=LOCAL
pNCs[4].aCrInfo[0].pszDnsRoot=D****N.LOCAL
pNCs[4].aCrInfo[0].iSourceServer=0
pNCs[4].aCrInfo[0].pszSourceServer=(null)
pNCs[4].aCrInfo[0].ulSystemFlags=0x00000003
pNCs[4].aCrInfo[0].bEnabled=TRUE
pNCs[4].aCrInfo[0].ftWhenCreated=00000000 00000000pNCs[4].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[4].aCrInfo[0].pszNetBiosName=(null)
pNCs[4].aCrInfo[0].cReplicas=-1
pNCs[4].aCrInfo[0].aszReplicas=


5 NC TARGETS: ForestDnsZones, DomainDnsZones, Schema, Configuration, D****N, 
2 TARGETS: SERVER0, HASERVER, 

   Testing server: Default-First-Site-Name\SERVER0

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         Failure Analysis: SERVER0 ... OK.
         * Active Directory RPC Services Check
         ......................... SERVER0 passed test Connectivity


   Testing server: Default-First-Site-Name\HASERVER

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         Failure Analysis: HASERVER ... OK.
         * Active Directory RPC Services Check
         ......................... HASERVER passed test Connectivity

   Testing server: Default-First-Site-Name\SERVER0

      Starting test: Advertising

         The DC SERVER0 is advertising itself as a DC and having a DS.
         The DC SERVER0 is advertising as an LDAP server
         The DC SERVER0 is advertising as having a writeable directory
         The DC SERVER0 is advertising as a Key Distribution Center
         The DC SERVER0 is advertising as a time server
         The DS SERVER0 is advertising as a GC.
         ......................... SERVER0 passed test Advertising

      Starting test: CheckSecurityError

         * Dr Auth:  Beginning security errors check!
         Found KDC SERVER0 for domain D****N.LOCAL in site Default-First-Site-Name
         Checking machine account for DC SERVER0 on DC SERVER0.
         * SPN found :LDAP/SERVER0.D****N.LOCAL/D****N.LOCAL
         * SPN found :LDAP/SERVER0.D****N.LOCAL
         * SPN found :LDAP/SERVER0
         * SPN found :LDAP/SERVER0.D****N.LOCAL/D****N
         * SPN found :LDAP/b83914e3-011f-454b-95d6-445316e81a68._msdcs.D****N.LOCAL
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/b83914e3-011f-454b-95d6-445316e81a68/D****N.LOCAL
         * SPN found :HOST/SERVER0.D****N.LOCAL/D****N.LOCAL
         * SPN found :HOST/SERVER0.D****N.LOCAL
         * SPN found :HOST/SERVER0
         * SPN found :HOST/SERVER0.D****N.LOCAL/D****N
         * SPN found :GC/SERVER0.D****N.LOCAL/D****N.LOCAL
         [SERVER0] No security related replication errors were found on this

         DC!  To target the connection to a specific source DC use

         /ReplSource:<DC>.

         ......................... SERVER0 passed test CheckSecurityError

      Starting test: CutoffServers

         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... SERVER0 passed test CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test 
         Skip the test because the server is running DFSR.

         ......................... SERVER0 passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log. 
         ......................... SERVER0 passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... SERVER0 passed test SysVolCheck

      Starting test: FrsSysVol

         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... SERVER0 passed test FrsSysVol

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... SERVER0 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
         Role Domain Owner = CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
         Role PDC Owner = CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
         Role Rid Owner = CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
         ......................... SERVER0 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC SERVER0 on DC SERVER0.
         * SPN found :LDAP/SERVER0.D****N.LOCAL/D****N.LOCAL
         * SPN found :LDAP/SERVER0.D****N.LOCAL
         * SPN found :LDAP/SERVER0
         * SPN found :LDAP/SERVER0.D****N.LOCAL/D****N
         * SPN found :LDAP/b83914e3-011f-454b-95d6-445316e81a68._msdcs.D****N.LOCAL
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/b83914e3-011f-454b-95d6-445316e81a68/D****N.LOCAL
         * SPN found :HOST/SERVER0.D****N.LOCAL/D****N.LOCAL
         * SPN found :HOST/SERVER0.D****N.LOCAL
         * SPN found :HOST/SERVER0
         * SPN found :HOST/SERVER0.D****N.LOCAL/D****N
         * SPN found :GC/SERVER0.D****N.LOCAL/D****N.LOCAL
         ......................... SERVER0 passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC SERVER0.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=D****N,DC=LOCAL
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=D****N,DC=LOCAL
         * Security Permissions Check for

           DC=DomainDnsZones,DC=D****N,DC=LOCAL
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=D****N,DC=LOCAL
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=D****N,DC=LOCAL
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=D****N,DC=LOCAL
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=D****N,DC=LOCAL
            (Domain,Version 3)
         ......................... SERVER0 failed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Verified share \\SERVER0\netlogon
         Verified share \\SERVER0\sysvol
         ......................... SERVER0 passed test NetLogons

      Starting test: ObjectsReplicated

         SERVER0 is in domain DC=D****N,DC=LOCAL
         Checking for CN=SERVER0,OU=Domain Controllers,DC=D****N,DC=LOCAL in domain DC=D****N,DC=LOCAL on 2 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL in domain CN=Configuration,DC=D****N,DC=LOCAL on 2 servers
            Object is up-to-date on all servers.
         ......................... SERVER0 passed test ObjectsReplicated

      Starting test: OutboundSecureChannels

         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test because /testdomain: was

         not entered

         ......................... SERVER0 passed test OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         DC=ForestDnsZones,DC=D****N,DC=LOCAL has 6 cursors.
         DC=DomainDnsZones,DC=D****N,DC=LOCAL has 6 cursors.
         CN=Schema,CN=Configuration,DC=D****N,DC=LOCAL has 6 cursors.
         CN=Configuration,DC=D****N,DC=LOCAL has 6 cursors.
         DC=D****N,DC=LOCAL has 6 cursors.
         * Replication Latency Check
            DC=ForestDnsZones,DC=D****N,DC=LOCAL
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=D****N,DC=LOCAL
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=D****N,DC=LOCAL
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=D****N,DC=LOCAL
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=D****N,DC=LOCAL
               Latency information for 4 entries in the vector were ignored.
                  4 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... SERVER0 passed test Replications

      Starting test: RidManager

         ridManagerReference = CN=RID Manager$,CN=System,DC=D****N,DC=LOCAL
         * Available RID Pool for the Domain is 4607 to 1073741823
         fSMORoleOwner = CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
         * SERVER0.D****N.LOCAL is the RID Master
         * DsBind with RID Master was successful
         rIDSetReferences = CN=RID Set,CN=SERVER0,OU=Domain Controllers,DC=D****N,DC=LOCAL
         * rIDAllocationPool is 4107 to 4606
         * rIDPreviousAllocationPool is 4107 to 4606
         * rIDNextRID: 4176
         ......................... SERVER0 passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... SERVER0 passed test Services

      Starting test: SystemLog

         * The System Event log test
         An error event occurred.  EventID: 0xC0001B61

            Time Generated: 10/30/2018   08:36:50

            Event String:

            A timeout was reached (30000 milliseconds) while waiting for the spiceworks service to connect.

         An error event occurred.  EventID: 0xC0001B58

            Time Generated: 10/30/2018   08:36:50

            Event String:

            The spiceworks service failed to start due to the following error: 

            The service did not respond to the start or control request in a timely fashion.

         An error event occurred.  EventID: 0xC0002719

            Time Generated: 10/30/2018   09:22:05

            Event String:

            DCOM was unable to communicate with the computer 205.171.2.26 using any of the configured protocols.

         An error event occurred.  EventID: 0xC0002719

            Time Generated: 10/30/2018   09:22:09

            Event String:

            DCOM was unable to communicate with the computer 205.171.3.26 using any of the configured protocols.

         An error event occurred.  EventID: 0xC0002719

            Time Generated: 10/30/2018   09:22:31

            Event String:

            DCOM was unable to communicate with the computer 216.136.95.2 using any of the configured protocols.

         An error event occurred.  EventID: 0xC0002719

            Time Generated: 10/30/2018   09:22:53

            Event String:

            DCOM was unable to communicate with the computer 64.132.94.250 using any of the configured protocols.

         An error event occurred.  EventID: 0xC0002719

            Time Generated: 10/30/2018   09:23:16

            Event String:

            DCOM was unable to communicate with the computer 8.20.247.20 using any of the configured protocols.

         An error event occurred.  EventID: 0xC0002719

            Time Generated: 10/30/2018   09:23:39

            Event String:

            DCOM was unable to communicate with the computer 8.26.56.26 using any of the configured protocols.

         ......................... SERVER0 failed test SystemLog

      Starting test: Topology

         * Configuration Topology Integrity Check
         * Analyzing the connection topology for DC=ForestDnsZones,DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=DomainDnsZones,DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Configuration,DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... SERVER0 passed test Topology

      Starting test: VerifyEnterpriseReferences

         ......................... SERVER0 passed test

         VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference)

         CN=SERVER0,OU=Domain Controllers,DC=D****N,DC=LOCAL and backlink on

         CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL

         are correct. 
         The system object reference (serverReferenceBL)

         CN=SERVER0,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=D****N,DC=LOCAL

         and backlink on

         CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL

         are correct. 
         The system object reference (msDFSR-ComputerReferenceBL)

         CN=SERVER0,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=D****N,DC=LOCAL

         and backlink on CN=SERVER0,OU=Domain Controllers,DC=D****N,DC=LOCAL

         are correct. 
         ......................... SERVER0 passed test VerifyReferences

      Starting test: VerifyReplicas

         ......................... SERVER0 passed test VerifyReplicas


   Testing server: Default-First-Site-Name\HASERVER

      Starting test: Advertising

         The DC HASERVER is advertising itself as a DC and having a DS.
         The DC HASERVER is advertising as an LDAP server
         The DC HASERVER is advertising as having a writeable directory
         The DC HASERVER is advertising as a Key Distribution Center
         The DC HASERVER is advertising as a time server
         The DS HASERVER is advertising as a GC.
         ......................... HASERVER passed test Advertising

      Starting test: CheckSecurityError

         * Dr Auth:  Beginning security errors check!
         Found KDC SERVER0 for domain D****N.LOCAL in site Default-First-Site-Name
         Checking machine account for DC HASERVER on DC SERVER0.
         * SPN found :LDAP/haserver.D****N.LOCAL/D****N.LOCAL
         * SPN found :LDAP/haserver.D****N.LOCAL
         * SPN found :LDAP/HASERVER
         * SPN found :LDAP/haserver.D****N.LOCAL/D****N
         * SPN found :LDAP/4b8065a5-d659-480f-98b5-522fb5b9e995._msdcs.D****N.LOCAL
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/4b8065a5-d659-480f-98b5-522fb5b9e995/D****N.LOCAL
         * SPN found :HOST/haserver.D****N.LOCAL/D****N.LOCAL
         * SPN found :HOST/haserver.D****N.LOCAL
         * SPN found :HOST/HASERVER
         * SPN found :HOST/haserver.D****N.LOCAL/D****N
         * SPN found :GC/haserver.D****N.LOCAL/D****N.LOCAL
         Checking for CN=HASERVER,OU=Domain Controllers,DC=D****N,DC=LOCAL in domain DC=D****N,DC=LOCAL on 2 servers
            Object is up-to-date on all servers.
         [HASERVER] No security related replication errors were found on this

         DC!  To target the connection to a specific source DC use

         /ReplSource:<DC>.

         ......................... HASERVER passed test CheckSecurityError

      Starting test: CutoffServers

         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=D****N,DC=LOCAL.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... HASERVER passed test CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test 
         Skip the test because the server is running DFSR.

         ......................... HASERVER passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log. 
         ......................... HASERVER passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... HASERVER passed test SysVolCheck

      Starting test: FrsSysVol

         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... HASERVER passed test FrsSysVol

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... HASERVER passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
         Role Domain Owner = CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
         Role PDC Owner = CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
         Role Rid Owner = CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=SERVER0,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL
         ......................... HASERVER passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC HASERVER on DC HASERVER.
         * SPN found :LDAP/haserver.D****N.LOCAL/D****N.LOCAL
         * SPN found :LDAP/haserver.D****N.LOCAL
         * SPN found :LDAP/HASERVER
         * SPN found :LDAP/haserver.D****N.LOCAL/D****N
         * SPN found :LDAP/4b8065a5-d659-480f-98b5-522fb5b9e995._msdcs.D****N.LOCAL
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/4b8065a5-d659-480f-98b5-522fb5b9e995/D****N.LOCAL
         * SPN found :HOST/haserver.D****N.LOCAL/D****N.LOCAL
         * SPN found :HOST/haserver.D****N.LOCAL
         * SPN found :HOST/HASERVER
         * SPN found :HOST/haserver.D****N.LOCAL/D****N
         * SPN found :GC/haserver.D****N.LOCAL/D****N.LOCAL
         ......................... HASERVER passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC HASERVER.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=D****N,DC=LOCAL
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=D****N,DC=LOCAL
         * Security Permissions Check for

           DC=DomainDnsZones,DC=D****N,DC=LOCAL
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have 

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=D****N,DC=LOCAL
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=D****N,DC=LOCAL
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=D****N,DC=LOCAL
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=D****N,DC=LOCAL
            (Domain,Version 3)
         ......................... HASERVER failed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Verified share \\HASERVER\netlogon
         Verified share \\HASERVER\sysvol
         ......................... HASERVER passed test NetLogons

      Starting test: ObjectsReplicated

         HASERVER is in domain DC=D****N,DC=LOCAL
         Checking for CN=HASERVER,OU=Domain Controllers,DC=D****N,DC=LOCAL in domain DC=D****N,DC=LOCAL on 2 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=HASERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=D****N,DC=LOCAL in domain CN=Configuration,DC=D****N,DC=LOCAL on 2 servers
            Object is up-to-date on all servers.
         ......................... HASERVER passed test ObjectsReplicated

So what am I missing?

Hi ,