unable to domain prep for windows 2012r2 rodc

Hi all,

I need to prepare my root domain in order to add a Windows 2012 R2 RODC.

The domain prep completed without success.

Adprep completed with errors. Not all partitions are updated. See the ADPrep.log in the C:\Windows\debug\adprep\logs\20150828085044 directory for more information.
To successfully update all partititions, the specified user needs to be a member of Enterprise Admins group.  If that is not the case, please correct the problem, and then restart Adprep.

Looking at this log I have this error:

Adprep found partition DC=DomainDnsZones,DC=solfrance-fr,DC=solworld,DC=com, and is about to update the permissions.
[2015/08/28:08:50:49.661]
Adprep was about to call the following LDAP API. ldap_search_s(). The base entry to start the search is DC=DomainDnsZones,DC=solfrance-fr,DC=solworld,DC=com.
[2015/08/28:08:50:49.708]
LDAP API ldap_search_s() finished, return code is 0xa
[2015/08/28:08:50:49.723]
Adprep was unable to modify the security descriptor on object DC=DomainDnsZones,DC=solfrance-fr,DC=solworld,DC=com.

[Status/Consequence]

ADPREP was unable to merge the existing security descriptor with the new access control entry (ACE).

[User Action]

Check the log file ADPrep.log in the C:\Windows\debug\adprep\logs\20150828085044 directory for more information.
[2015/08/28:08:50:49.723]
Adprep encountered an LDAP error.

Error code: 0xa. Server extended error code: 0x202b, Server error message: 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'DomainDnsZones.solfrance-fr.solworld.com'



DSID Info:
DSID: 0x180e0a08
ldap error = 0xa
NT BUILD: 9600
NT BUILD: 16384

[2015/08/28:08:50:49.739]
Adprep failed the operation on partition DC=DomainDnsZones,DC=solfrance-fr,DC=solworld,DC=com. Skipping to next partition.

==============================================================================
[2015/08/28:08:50:49.739]
Adprep encountered an LDAP error.

Error code: 0xa. Server extended error code: 0x202b, Server error message: 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'DomainDnsZones.solfrance-fr.solworld.com'



DSID Info:
DSID: 0x180e0a08
ldap error = 0xa
NT BUILD: 9600
NT BUILD: 16384

[2015/08/28:08:50:49.754]

I also ran a dcdiag and I have some errors regarding my child domain solfrance-fr.solworld.com.

In this child domain I am also not able to create a DNS AD-integrated zone, and I have this error on two of the 4 domain controllers of this child domain in the DNS event viewer:

The DNS server encountered error 9002 attempting to load zone . from Active Directory. The DNS server will attempt to load this zone again on the next timeout cycle. This can be caused by high Active Directory load and may be a transient condition.

Thanks to all,

Best regards,

Manuel
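The log excerpt above names the failing partition, the LDAP return code and a referral host. As an added example that is not part of the post, the following Python parses that excerpt and decodes those codes (the SAMPLE_LOG text is constructed from the lines quoted above; the code tables are the standard LDAP result codes and Win32 DS error codes):

```python
"""Added example (not from the forum post): pull each per-partition failure out of
an ADPrep.log excerpt and name the LDAP and directory-service error codes it
carries. SAMPLE_LOG is built from the log lines quoted in the post."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# LDAP result codes as ADPrep prints them ("return code is 0xa"). 0xa is
# LDAP_REFERRAL: the DC asked to modify the object holds no writable replica of
# that partition and refers the client elsewhere, so the ACE was never merged.
LDAP_RESULT = {
    0x00: "LDAP_SUCCESS",
    0x0a: "LDAP_REFERRAL",
    0x32: "LDAP_INSUFFICIENT_RIGHTS",
    0x35: "LDAP_UNAVAILABLE",
}

# "Server extended error code" is a Win32 error; 0x202b is ERROR_DS_REFERRAL.
WIN32_DS_ERROR = {
    0x0005: "ERROR_ACCESS_DENIED",
    0x202b: "ERROR_DS_REFERRAL",
}

_RE_ERROR = re.compile(r"Error code: 0x(?P<ldap>[0-9a-fA-F]+)\. "
                       r"Server extended error code: 0x(?P<ext>[0-9a-fA-F]+)")
_RE_REF = re.compile(r"ref \d+: '(?P<host>[^']+)'")
_RE_FAILED = re.compile(r"Adprep failed the operation on partition (?P<dn>.+?)\. Skipping")


@dataclass
class PartitionFailure:
    partition: str
    ldap_error: int = -1                  # -1: no "Error code" line preceded the failure
    extended_error: Optional[int] = None
    referrals: List[str] = field(default_factory=list)

    @property
    def ldap_error_name(self) -> str:
        return LDAP_RESULT.get(self.ldap_error, "unknown LDAP result 0x%x" % self.ldap_error)

    @property
    def extended_error_name(self) -> str:
        if self.extended_error is None:
            return "none"
        return WIN32_DS_ERROR.get(self.extended_error,
                                  "unknown Win32 error 0x%x" % self.extended_error)

    def referred_domain(self) -> Optional[str]:
        """DNS domain behind a DomainDnsZones./ForestDnsZones. referral, i.e. the
        domain whose DCs hold the writable copy of the partition; else None."""
        for host in self.referrals:
            labels = host.split(".")
            if len(labels) > 1 and labels[0].lower() in ("domaindnszones", "forestdnszones"):
                return ".".join(labels[1:])
        return None


def parse_adprep_log(text: str) -> List[PartitionFailure]:
    """One PartitionFailure per 'Adprep failed the operation on partition' line.
    Error-code and referral lines are buffered until that line; a trailing error
    block with no failure line (ADPrep repeats it after '====') is dropped."""
    failures: List[PartitionFailure] = []
    ldap_code, ext_code, refs = -1, None, []   # buffered state for the next failure
    for line in text.splitlines():
        line = line.strip()
        m = _RE_ERROR.search(line)
        if m:
            ldap_code, ext_code = int(m.group("ldap"), 16), int(m.group("ext"), 16)
            continue
        m = _RE_REF.search(line)
        if m:
            refs.append(m.group("host"))
            continue
        m = _RE_FAILED.search(line)
        if m:
            failures.append(PartitionFailure(m.group("dn"), ldap_code, ext_code, refs))
            ldap_code, ext_code, refs = -1, None, []
    return failures


def explain(f: PartitionFailure) -> str:
    """One-line summary for a ticket or runbook."""
    text = "%s: %s (0x%x), server error %s" % (
        f.partition, f.ldap_error_name, f.ldap_error, f.extended_error_name)
    domain = f.referred_domain()
    if domain:
        text += "; writable replica is held by the DCs of %s" % domain
    return text


# Constructed from the ADPrep.log lines quoted in the post (timestamps removed).
SAMPLE_LOG = """\
Adprep was unable to modify the security descriptor on object DC=DomainDnsZones,DC=solfrance-fr,DC=solworld,DC=com.
Adprep encountered an LDAP error.
Error code: 0xa. Server extended error code: 0x202b, Server error message: 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'DomainDnsZones.solfrance-fr.solworld.com'
Adprep failed the operation on partition DC=DomainDnsZones,DC=solfrance-fr,DC=solworld,DC=com. Skipping to next partition.
==============================================================================
Adprep encountered an LDAP error.
Error code: 0xa. Server extended error code: 0x202b, Server error message: 0000202B: RefErr: DSID-03100742, data 0, 1 access points
    ref 1: 'DomainDnsZones.solfrance-fr.solworld.com'
"""
```

The referral host tells you which domain's DCs can actually write the partition, which is why the same run on a root-domain DC only succeeds for an account in Enterprise Admins.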


How to configure DNS manager for a Remote Computer

I am trying to set up DNS for a Remote Computer called win7.

I do not think it has a {same as parent folder} or a WS2012R2 win-123456.

What am I missing?

DNS Manager

Forward Lookup Zone
mysite.com
{same as parent folder}     Host(A)     192.168.1.1
win-123456                  Host(A)     192.168.1.1
win7                        Host(A)     192.168.1.2

Reverse Lookup Zone
1.168.192.in-addr.arpa
1-253
192.168.1.1       Pointer(PTR)     win-123456.mysite.com
192.168.1.2       Pointer(PTR)     win7.mysite.com


ADPREP impact

Hi Team,

I have a 2008 R2 DC environment with the domain and forest functional level at 2008.

I plan to install an additional Win 2012 R2 domain; before that, we must run the adprep command and change the schema version from 44 to 69.

Is there any impact from this action (adprep) on my existing environment? I keep the domain and forest functional level at 2008.

I still have old products like SQL 2005 and others.

Please tell me the TechNet link :)

Regards

Delegate permission to set 'Prevent object from accidental deletion'

Hi guys,

Recently I have been trying to delegate permissions for Active Directory administration in our company. It all works great so far except for one thing.

I'm able to delegate the right to remove 'Protection Against Accidental Deletion' if it's set, but somehow I can't find a way to delegate the right to initially set it. I already tried to grant Full Control for Computer Objects to the group I want to delegate the rights to, but that didn't help.

I need this especially for Computer Objects, but a general answer would be great too.

Hope someone can help me with this.

Thanks in advance.

Greetings

Need to issue a SHA256 certificate from a CA with a SHA1 chain

I have searched a number of forums to find the answer to this.

My CA is based on Windows Server 2008 SP2.

I have found many answers which state that you need to edit the registry in order to get the CA to issue SHA256 certificates, but if this is the case then why is there a Hashing Algorithm setting on the Cryptography tab of the certificate templates?

This does not appear to do anything.

Any ideas anyone?

Thanks

JF

AdamSync logging

Hi,

Is there a way of logging verbosely what Adamsync is doing? I use the /log command line option, but this only gives summary information by the look of it.

The problem I have is that Adamsync is not importing all the data that I expect it to...

If I run this command against the domain controller that Adamsync normally talks to,  

csvde -f data4.csv -s b06721 -d "dc=xxxx,dc=root,dc=local" -p subtree -v -l "DN, userPrincipalName" -r "(&(objectClass=User)(objectCategory=person))"

then the export has about 3500 entries, and includes the user that I'm interested in.

The AD LDS instance has this configuration file

<?xml version="1.0"?>
<doc>    
 <configuration>        
  <description>sample Adamsync configuration file</description>        
  <security-mode>object</security-mode>            
  <source-ad-name>xxxx.root.local</source-ad-name>        
  <source-ad-partition>dc=xxxx,dc=root,dc=local</source-ad-partition>
  <source-ad-account>servicenowldap</source-ad-account>                
  <account-domain>xxxx-ad</account-domain>
  <target-dn>dc=xxxx,dc=co,dc=uk</target-dn>        
  <query>            
   <base-dn>dc=xxxx,dc=root,dc=local</base-dn>
   <object-filter>(&amp;(objectClass=User)(objectCategory=person))</object-filter>            
   <attributes>                
     <include>objectSID</include>
     <include>userPrincipalName</include>
     <include>sAMAccountName</include>
     <include>displayName</include>
     <include>givenName</include>
     <include>sn</include>
     <include>physicalDeliveryOfficeName</include>
     <include>telephoneNumber</include>
     <include>mail</include>
     <include>title</include>
     <include>department</include>
     <include>manager</include>
     <include>mobile</include>
     <include>company</include>
     <exclude></exclude>                
   </attributes>        
  </query>        
  <schedule>            
   <aging>                
    <frequency>0</frequency>                
    <num-objects>0</num-objects>            
   </aging>            
   <schtasks-cmd></schtasks-cmd>        
  </schedule>
  <user-proxy>
  <source-object-class>user</source-object-class>
  <target-object-class>userProxyFull</target-object-class>
  </user-proxy>    
 </configuration>    
 <synchronizer-state>        
  <dirsync-cookie></dirsync-cookie>        
  <status></status>        
  <authoritative-adam-instance></authoritative-adam-instance>        
  <configuration-file-guid></configuration-file-guid>        
  <last-sync-attempt-time></last-sync-attempt-time>        
  <last-sync-success-time></last-sync-success-time>        
  <last-sync-error-time></last-sync-error-time>        
  <last-sync-error-string></last-sync-error-string>        
  <consecutive-sync-failures></consecutive-sync-failures>        
  <user-credentials></user-credentials>        
  <runs-since-last-object-update></runs-since-last-object-update>        
  <runs-since-last-full-sync></runs-since-last-full-sync>    
 </synchronizer-state>
</doc>

When I run the sync command, 

adamsync /sync v0153 "dc=xxxx,dc=co,dc=uk" /log sync1.log

The import runs successfully without any ldap errors,  and will produce the summary output such as

Updating the configuration file DirSync cookie with a new value.

Beginning processing of deferred dn references.
Finished processing of deferred dn references.

Finished (successful) synchronization run.
Number of entries processed via dirSync: 19
Number of entries processed via ldap: 2
Processing took 0 seconds (0, 0).
Number of object additions: 2
Number of object modifications: 17
Number of object deletions: 0
Number of object renames: 2
Number of references processed / dropped: 0, 0
Maximum number of attributes seen on a single object: 12
Maximum number of values retrieved via range syntax: 0

Beginning aging run.
Aging requested every 0 runs. We last aged 2 runs ago.
Saving Configuration File on DC=xxxx,DC=co,DC=uk
Saved configuration file.

But the new user I need is missing from the AD LDS instance. There are no replication issues on the source AD, and the csvde command proves that the data I need can be found. I'm using the same LDAP filter for both the csvde command and adamsync.

Any suggestions would be very welcome. The AD LDS instance is running on a Windows 2008 R2 server, and is importing from a Windows 2003 domain.

Regards,

John

Client & AD Certificates

Hi All,

A few days back we migrated from Google Apps to Office 365. Everything seems to be working fine except the Offline Address Book. The Offline Address Book is not able to download; it just sits in the send and receive process and produces a timeout error.

We raised a Service Request with Microsoft and below are their findings, which they sent by email.

Issue Definition:

Your users are not able to download Offline Address Book from Outlook. OWA is not affected. The Autodiscover Test from Microsoft Remote Connectivity Analyzer is successful. With a domain user logged on a domain joined machine, the issue can be reproduced from local network and from outside. With a machine not joined to the domain, the OAB can be downloaded without any problems. The issue is present for all users. For troubleshooting reasons we chose user:osama.mansoor@crescent.com.pk

Steps performed so far:

We ran the Autodiscover test from Microsoft Remote Connectivity Analyzer again and it was successful.

We made the AutoConfiguration test from Outlook 2013. The test was successful and provided the same URL for OAB: https://outlook.office365.com/OAB/df3bf201-d31f-4a69-e51dcf5daa09/

We tested in the IE the OAB link: https://outlook.office365.com/OAB/df3bf201-d31f-4a69-e51dcf5daa09/OAB.xml. We were able to access the XML after entering the affected user’s credentials.

In Outlook Web App the issue is not present.

We started the ETL logging for Outlook 2013 and ran the Fiddler Trace Application to capture the HTTPS traffic decoded.

With Fiddler Trace running the issue was solved. Fiddler Trace application installed a certificate for decoding the HTTPS traffic. After removing the Fiddler Trace certificate the issue came back.

Steps to be performed:

Please send me by email the files collected in our LMI session.

We conclude that issue is not Office 365 related. Please check the following in your internal network:

  1. verify the certificate installed for users from local AD.
  2. if you have proxy, check if the OAB request is allowed to pass.
  3. check that the Background Intelligence Transfer Service (BITS) service is running on the affected machine: http://blogs.technet.com/b/ehlro/archive/2014/03/21/oab-download-and-bits-service.aspx
  4. please be sure BITS service is not blocked at proxy / firewall level.
  5. please check local AD policies that can be related with BITS and certificates.

My question:

Can someone help me with how I can check whether the local AD certificate is having this problem or not?

Strange Problem with Client Machine Certificate Enrolment - The RPC server is unavailable. 0x800706ba

I am seeking help for a curious problem we have in our German office. I have previously posted this issue in the Security TechNet forums and was advised to post here. Apologies for long post.

This problem was noticed about a month ago shortly after this branch decommissioned their windows 2003 domain controllers.

All new rolled out machines fail to enrol a client certificate. The error is:

Certificate enrolment for Local system failed in authentication to enrolment server FQN of our Root CA\Name of Enterprise Root CA (The RPC server is unavailable. 0x800706ba (WIN32: 1722))

I have also seen on one of the problem machines.

Certificate enrolment for Local system could not enrol for a Workstation certificate. A valid certification authority cannot be found to issue this template.

Only our Germany branch is experiencing this problem; every other branch's auto-enrolment works fine using the same SCCM rollout method.

Strangely if the machine is joined to a workgroup then re-joined to the domain it enrols a Machine certificate on reboot as it should.

The machines are joined to the domain during the rollout process (we use SCCM 2007). Inspection of the Setupact.log from the panther directory on the client machines shows there isn't any issue joining the domain, and the clients always appear in the correct OU specified by the build process.

The same SCCM build is used for other countries on the same domain and those machines enrol certificates without issue.

Below is a list of what I have already tested.

When I run certutil diagnosis from a problem machine (using the local computer account) I get:

C:\Windows\system32>certutil -ping -config FQN of our Root CA\Name of Enterprise Root CA

Connecting to FQN of our Root CA\Name of Enterprise Root CA

Server " Name of Enterprise Root CA" ICertRequest2 interface is alive

CertUtil: -ping command completed successfully.

So the client machine can talk to the certificate server interface using the enrolment tool.

--------------------------------------------------------------------------------------------------------

Ran the Port Query tool from problem machines to our root CA on port 135 (RPC); this is a success (listening).

The certserv.exe service on our Root CA is using port 1072; this too is successfully queried using the Port Query tool.

--------------------------------------------------------------------------------------------------------

Machine certificates are deployed via Group policy, according to GP Result the problem machines do receive this policy.

--------------------------------------------------------------------------------------------------------

DNS name resolution works both ways (from client to servers and server to client however I can resolution is fine from the event viewer).

--------------------------------------------------------------------------------------------------------

Time is correct on all the relevant machines (Root-CA, Domain Controllers and Client machines).

--------------------------------------------------------------------------------------------------------

Manually requesting the certificate via the certificates snap-in in MMC results in the same problem, the enrolment fails with the same RPC error appearing in the event log.

--------------------------------------------------------------------------------------------------------

I have checked the enrolment permissions for the Workstation certificate template on our Root CA: Domain Computers have Read, Enrol and Autoenroll.

-------------------------------------------------------------------------------------------------------

If I run Test-ComputerSecureChannel from one of the problem machines the result is True. I have tried resetting the machine's account using this command but it didn't make any difference to the problem; enrollment still fails. I have also used the NLtest.exe utility, which doesn't find any secure channel related problems.

------------------------------------------------------------------------------------------------------

Other factors to consider.

We have only one enterprise root CA server; it's running Server 2003.

The 2003 R2 DCs that did service this branch were properly decommissioned.

Replication between all our domain controllers is healthy according to Replmon.

It doesn't matter which 2012 domain controller the machine uses to join the domain, the problem is the same.

The domain controllers in the German branch are Windows Server 2012; our other branches (that don't have a problem) use 2008 R2 and some 2003 R2 servers.

There is only one domain.

The problem occurs when rolling out Windows 7 and Windows 8 machines; it doesn't matter if it's x86 or x64. As I have mentioned, the same build works fine in other branches using the same SCCM server.

I'm starting to run out of ideas, can anyone make any suggestions?

What looks like a simple firewall port communication / certificate permissions issue obviously isn't?

I suspect that there is something wrong when the machine account is created using the DJOIN.EXE process, although I don't have any evidence of this; it's strange that when the machine is rejoined to the domain (thus creating a brand new security token) the whole certificate enrollment process works fine.

I would be extremely grateful for any suggestion, input or advice. Thanks in advance.

Please see same question posted in Security forum here:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/90541aa3-3060-457b-a959-7839012c7cdc/strange-problem-with-client-machine-certificate-enrolment-the-rpc-server-is-unavailable?forum=winserversecurity

the specified domain either does not exist or could not be contacted when accessing member of tab for user

I am a domain administrator for my domain and I'm having a weird problem when I try to access the "member of" tab for my user account.  It also happens when I try to access the "member of" tab for the user account of the other domain administrator we have.  I get an error that says "the specified domain either does not exist or could not be contacted".  As far as I can tell I am able to access the "member of" tab for any other user account in the directory.

Any ideas as to why this would happen only for these two user accounts?  Pretty sure I used to be able to do this without any problems.

Advanced Audit Settings

Hello,

I have been facing an issue with Advanced Group Policy settings. We have created a policy (Audit-WS) and it just contains Advanced Audit policy.

This Audit-WS GPO has been linked to the Workstations OU and the settings are not applying to any workstations.

I can see audit.csv in the following locations: C:\Windows\System32\GroupPolicy\Machine\microsoft\windows nt\Audit and C:\Windows\Security. I did delete them. The file was recreated in C:\Windows\Security after a gpupdate and reboot, but not in the other location. Audit.csv contains the settings defined in the Audit-WS policy.

If I run the command auditpol /get /category:*, it says No Auditing on all settings.

I have blocked the inheritance and tried gpupdate. Suddenly the same settings defined in Audit-WS started applying.

Further troubleshooting shows the Default Domain Policy is preventing the Advanced audit policy from applying.

The Default Domain Policy does not have Advanced Audit policy settings enabled.

Let me know if you have encountered a similar issue and its solution.

Thanks,

Adding a Remote Computer to a Server

Adding a Remote Computer to the Server.

I have a Windows 7 Remote Computer on which I selected the Domain: mysite.com and rebooted the Local PC.

It then has shown in Users and Computers as Lab/computers/win7.

In DNS Manager I have assigned an IP Address and win7.mysite.com

I have added Powershell 4.0 to win7 and ran "Enable-PSRemoting".

What else do I have to do to get the Remote win7 Computer Online so I can use it in RD?


Multiple Computers receive Access Denied at logon. User credentials are valid. Windows 7 Pro

Windows 7 Pro 64 bit computer working normally or recently rebooted. User tries to logon and the access denied message displays. I try to logon with local admin account and get the same error. Sometimes rebooting the pc will allow you to logon correctly but we have had to boot into safe mode and choose "active directory repair" on several machines. This has happened on several windows 7 desktops and one 2008 r2 server running Terminal Services. We have about 80 user computers and so far 10 have had this issue over the last month.

Our 2 DC servers are Windows 2008 R2. I couldn't find any AD errors.

To "fix" the pc we had to:

1. Boot into Safe Mode with Command Prompt
2. At the DOS prompt (Cmd) window, type MSCONFIG and press Enter
3. When MSCONFIG opens click the "Boot Options" tab
4. Click the option for "Active Directory Repair"
5. Exit MSCONFIG, and reboot the PC

The PC will boot into Safe Mode regardless of what you choose (e.g. "Start Windows Normally").
You may need to reboot more than once for the repair to be completed; mine needed 2 times.

When a computer has the issue I cannot logon with the domain credentials or the local admin user credentials. Unplugging the network cable doesn't help. The only way to "fix" the issue is to boot into safe mode, login with local admin account and run msconfig, safe boot, active directory repair.

Does anyone know what Safeboot Active Directory repair does? I reboot into this mode and then I reboot again normally and the issue is resolved. If I knew what exactly happens when I boot into safe mode with active directory repair checked then maybe I can understand the problem more.

Moving and reorganizing an AD domain for users and computers - some basic questions

Hi all,

I am moving, renaming and generally reorganizing an AD domain that has really not been touched in a couple decades.  I've got a bunch of questions so I don't mess it up:

1) can I move user or computer or groups "live" during the day?  That is, if someone is logged in when I move their user object, when the object is "refreshed" (I know that group policy is refreshed during the day), will this cause a problem for the user?  Likewise for a server or a computer (I would like to move the servers out of the general "computers" container into their own container so that some group policy items are not applied to them).  And then the same for groups - can they be moved live without affecting the security on the network.

2) the previous admin put all user security groups within the OU that holds the users.  But I don't see any reason to do that and would rather have the groups out where they are more visible (at the root of the domain in their own OU).  I figure that security groups do not need policy applied to them because they are not a user or computer object.  Is this a correct assumption?

3) the domain has the default "users" container off the root.  Can I a) rename this or b) can I move groups that I use a lot (e.g. "Domain Users", "Domain Admins", "Domain Computers" and the user object "Administrator") out of this container and will AD find these objects e.g. I assume when a computer is added to the domain the process finds "Domain Computers" and adds the computer as a member of that group.  I want to just make it easier for admins to find the groups we need so I am going to have a "User Groups" container at the root (and also an "Admin Groups" and "System Groups" off the root).

The last question is more just - any comments on the above strategy?  I am trying to divide up the objects in a better way so that as group policy is applied, I can just apply it to different OU's.  Same goes for applying delegation to different OU's.  Right now most of the group policy is applied to the "default domain policy" policy object and sometimes it has to be blocked further down.

Thanks for any comments!

Albert

Schema Extensions

Hello,

Apparently the Schema extensions in Active Directory by SCCM (SMS) have been changed.

Executing query (&(ObjectCategory=MSSMSRoamingBoundaryRange)(|(&(MSSMSRangedIPLow<=174742319)(MSSMSRangedIPHigh>=174742319))))
Executing query (&(ObjectCategory=mSSMSSite)(|(mSSMSRoamingBoundaries=10.106.80.0)(mSSMSRoamingBoundaries=RRH)(mSSMSSiteCode=SRV)))
LSGetAssignedSiteFromAD 
I am trying to find out why the site code is wrong

How could I do:

- List of extensions used by SMS

- Last Modified Date

Thanks,
Dom


System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 / Forefront Client Security / Forefront Identity Manager


Can I perform authoritative restore without doing non-authoritative restore?!

Hello everybody,

Can I perform an authoritative restore without doing a non-authoritative restore?! Suppose I have 2 scenarios: in the first I have only one DC, and in the second scenario I have one PDC and some additional DCs. So can I achieve this or not?

Thanks

Regards


KdsSvc (Microsoft Key Distribution) won't start

The Microsoft Key Distribution Service is not starting on my DC (kdssvc.dll), and when I look at the event log under Microsoft\Kdssvc, I see the events:

Event ID 4001 Group Key Distribution Service failed to start. Status 0x80070020.

Event ID 4007
Group Key Distribution Service cannot connect to the domain controller on local host. Status 0x80070020. Group Key Distribution Service cannot be started because of the error. Please contact administrators to resolve the issue.

The error 0x80070020 indicates a file lock of some type.

Does anyone know how I can fix this error? Troubleshooting on the net for this is a bit sparse and is confused with the KDC.

For clarification: This question is not about Kerberos, instead it's about the service account that handles Group Managed Service Accounts (gMSA), Bitlocker, and Windows Activation Services in a corporate environment.

SYSVOL not replicating through DFS, msDFSR-Member object missing

I have two Windows Server 2008 R2 DCs in a production environment that are not replicating properly. Users cannot access some network resources, including the Exchange 2010 server. Digging into the problem, I found that the DCs are not replicating the SYSVOL correctly (EventID 6804: "The DFS Replication service has detected that no connections are configured for replication group Domain System Volume. No data is being replicated for this replication group."). Looking in DFS Management at the Sysvol on the main DC shows only itself in the replication group; looking on the secondary DC shows both DCs correctly. Looking in ADSIEdit, I see that the msDFSR-Member AD object is not present on the main DC. Can I simply recreate the object to solve this issue, or what should I do?

DCDIAG FROM MAIN DC to SECONDARY DC

C:\Users\Administrator>dcdiag /s:SEC-DC

Directory Server Diagnosis

Performing initial setup:  * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site-Name\SEC-DC
      Starting test: Connectivity
         The GUID based DNS Name resolved to several Ips
         (fdb9:22ce:b0f5:510d:ccbf:5a4:13d0:c83d, 192.168.10.10), but not all
         were pingable. Replication and other operations may fail if a
         non-pingable IP is chosen. The first pingable IP is 192.168.10.10......................... SEC-DC passed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\SEC-DC
      Starting test: Advertising ......................... SEC-DC passed test Advertising
      Starting test: FrsEvent. ......................... SEC-DC passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared. Failing SYSVOL replication problems may cause
      Group Policy problems. ......................... SEC-DC passed test DFSREvent
      Starting test: SysVolCheck......................... SEC-DC passed test SysVolCheck
      Starting test: KccEvent ......................... SEC-DC passed test KccEvent
      Starting test: KnowsOfRoleHolders ......................... SEC-DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount ......................... SEC-DC passed test MachineAccount
      Starting test: NCSecDesc ......................... SEC-DC passed test NCSecDesc
      Starting test: NetLogons......................... SEC-DC passed test NetLogons
      Starting test: ObjectsReplicated......................... SEC-DC passed test ObjectsReplicated
      Starting test: Replications......................... SEC-DC passed test Replications
      Starting test: RidManager ......................... SEC-DC passed test RidManager
      Starting test: Services ......................... SEC-DC passed test Services
      Starting test: SystemLog ......................... SEC-DC passed test SystemLog
      Starting test: VerifyReferences......................... SEC-DC passed test VerifyReferences

  Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation

  Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation........................ DomainDnsZones passed test CrossRefValidation

  Running partition tests on : Schema
      Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation

  Running partition tests on : Configuration
      Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation

  Running partition tests on : DOMAIN
      Starting test: CheckSDRefDom......................... DOMAIN passed test CheckSDRefDom
      Starting test: CrossRefValidation ......................... DOMAIN passed test CrossRefValidation

  Running enterprise tests on : DOMAIN.LOCAL
      Starting test: LocatorCheck ......................... DOMAIN.LOCAL passed test LocatorCheck
      Starting test: Intersite ......................... DOMAIN.LOCAL passed test Intersite

 

DCDIAG FROM SECONDARY TO PRIMARY

C:\Windows\system32>dcdiag /s:PRI-DC

Directory Server Diagnosis

Performing initial setup:
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests

  Testing server: Default-First-Site-Name\PRI-DC
      Starting test: Connectivity ......................... PRI-DC passed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\PRI-DC
      Starting test: Advertising ......................... PRI-DC passed test Advertising
      Starting test: FrsEvent ......................... PRI-DC passed test FrsEvent
      Starting test: DFSREvent
         The event log DFS Replication on server PRI-DC.DOMAIN.LOCAL could
         not be queried, error 0x6ba "The RPC server is unavailable." ......................... PRI-DC failed test DFSREvent
      Starting test: SysVolCheck ......................... PRI-DC passed test SysVolCheck
      Starting test: KccEvent
         The event log Directory Service on server PRI-DC.DOMAIN.LOCAL
         could not be queried, error 0x6ba "The RPC server is unavailable." ......................... PRI-DC failed test KccEvent
      Starting test: KnowsOfRoleHolders ......................... PRI-DC passed test KnowsOfRoleHolders
      Starting test: MachineAccount ......................... PRI-DC passed test MachineAccount
      Starting test: NCSecDesc......................... PRI-DC passed test NCSecDesc
      Starting test: NetLogons ......................... PRI-DC passed test NetLogons
      Starting test: ObjectsReplicated......................... PRI-DC passed test ObjectsReplicated
      Starting test: Replications ......................... PRI-DC passed test Replications
      Starting test: RidManager......................... PRI-DC passed test RidManager
      Starting test: Services ......................... PRI-DC passed test Services
      Starting test: SystemLog 
         The event log System on server PRI-DC.DOMAIN.LOCAL could not be
         queried, error 0x6ba "The RPC server is unavailable." ......................... PRI-DC failed test SystemLog
      Starting test: VerifyReferences ......................... PRI-DC passed test VerifyReferences

  Running partition tests on : ForestDnsZones

     Starting test: CheckSDRefDom  ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation......................... ForestDnsZones passed test CrossRefValidation

  Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation

  Running partition tests on : Schema
      Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation

  Running partition tests on : Configuration
      Starting test: CheckSDRefDom......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation......................... Configuration passed test CrossRefValidation

  Running partition tests on : DOMAIN
      Starting test: CheckSDRefDom ......................... DOMAIN passed test CheckSDRefDom
      Starting test: CrossRefValidation ......................... DOMAIN passed test CrossRefValidation
   Running enterprise tests on : DOMAIN.LOCAL
      Starting test: LocatorCheck ......................... DOMAIN.LOCAL passed test LocatorCheck
      Starting test: Intersite ......................... DOMAIN.LOCAL passed test Intersite


Fred Limmer

ActiveDirectory 1005 (CONSTRAINT_ATT_TYPE) - manager

Hi

This is on Windows 2012 R2

I am trying to modify the "manager" property, to add a value but I keep getting:

"0: 000020B5: DSID-03152C47, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 15000a (manager)"

I am not sure if that is a constraint at schema level.

Any tips on how to do this?

I would like to use the default properties before creating new ones.

thanks!
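As an added example (not the poster's code), the PowerShell below resolves the manager's distinguished name before writing it, since the `manager` attribute has DN syntax (attributeSyntax 2.5.5.1) and the directory rejects any other kind of value. It assumes the RSAT ActiveDirectory module, that the 1005 CONSTRAINT_ATT_TYPE error comes from a non-DN value, and uses constructed account names.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module and that the 1005 CONSTRAINT_ATT_TYPE error is caused by writing a
# value that is not a distinguished name: 'manager' has DN syntax (2.5.5.1),
# so a sAMAccountName or display name is rejected by the server.
Import-Module ActiveDirectory

function Set-UserManager {
    param(
        [Parameter(Mandatory)] [string] $UserSam,     # sAMAccountName of the report
        [Parameter(Mandatory)] [string] $ManagerSam   # sAMAccountName of the manager
    )
    # Resolve the manager to an object first; its DN is what the attribute stores.
    $mgr = Get-ADUser -Identity $ManagerSam -ErrorAction Stop

    # Confirm from the schema that 'manager' really expects a DN before writing.
    $schema = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
        -LDAPFilter '(lDAPDisplayName=manager)' -Properties attributeSyntax
    if ($schema.attributeSyntax -ne '2.5.5.1') {
        throw "Unexpected syntax $($schema.attributeSyntax) for attribute 'manager'"
    }

    # -Replace writes the raw attribute value; Set-ADUser -Manager would also
    # accept the resolved object, but this makes the DN requirement explicit.
    Set-ADUser -Identity $UserSam -Replace @{ manager = $mgr.DistinguishedName }

    # Return what the directory now holds so the caller can verify the write.
    (Get-ADUser -Identity $UserSam -Properties manager).manager
}

# Constructed sample identities; substitute real accounts.
Set-UserManager -UserSam 'jdoe' -ManagerSam 'asmith'
```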

dcdiag error

Hi all, I have errors on the dcdiag command. Can anyone please help me fix them?

                     _kerberos._tcp.Default-First-Site-Name._sites.uecc-.com

                     Matching  SRV record found at DNS server 10.0.1.251:
                     _ldap._tcp.gc._msdcs.uecc-.com

                     Matching A record found at DNS server 10.0.1.251:
                     gc._msdcs.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.251:
                     _gc._tcp.Default-First-Site-Name._sites.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.251:
                     _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.uecc-eg.com

                     Matching CNAME record found at DNS server 10.0.1.250:
                     294f2120-0240-4803-9842-7082a26fc8e2._msdcs.uecc-eg.com

                     Matching A record found at DNS server 10.0.1.250:
                     DC-HQ.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.ce1c381e-d5e7-4fb7-9b55-57e937757d7c.domains._msdcs.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _kerberos._tcp.dc._msdcs.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.dc._msdcs.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _kerberos._tcp.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _kerberos._udp.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _kpasswd._tcp.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.Default-First-Site-Name._sites.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _kerberos._tcp.Default-First-Site-Name._sites.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.gc._msdcs.uecc-eg.com

                     Matching A record found at DNS server 10.0.1.250:
                     gc._msdcs.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _gc._tcp.Default-First-Site-Name._sites.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.uecc-eg.com


               TEST: External name resolution (Ext)
                  Internet name www.microsoft.com was resolved successfully


            DC: hq.uecc-eg.com
            Domain: uecc-eg.com


               TEST: Authentication (Auth)
                  Authentication test: Successfully completed

               TEST: Basic (Basc)
                  The OS
                  Microsoft Windows Server 2008 R2 Enterprise  (Service Pack level: 0.0)
                  is supported.
                  NETLOGON service is running
                  kdc service is running
                  DNSCACHE service is running
                  DNS service is running
                  DC is a DNS server
                  Network adapters information:
                  Adapter
                  [00000007] Intel(R) 82566DM-2 Gigabit Network Connection:
                     MAC address is 00:1E:4F:F5:42:33
                     IP Address is static
                     IP address: 10.0.1.250
                     DNS servers:
                        10.0.1.250 (hq.uecc-eg.com.) [Valid]
                  The A host record(s) for this DC was found
                  The SOA record for the Active Directory zone was found
                  The Active Directory zone on this DC/DNS server was found primary
                  Root zone on this DC/DNS server was not found

               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     62.240.110.197 (<name unavailable>) [Valid]
                     62.240.110.198 (<name unavailable>) [Valid]
                     8.8.8.8 (<name unavailable>) [Valid]

               TEST: Delegations (Del)
                  Delegation information for the zone: uecc-eg.com.
                     Delegated domain name: _msdcs.uecc-eg.com.
                        DNS server: hq.uecc-eg.com. IP:10.0.1.250 [Valid]
                     Delegated domain name: uecc-eg.com.uecc-eg.com.
                        Warning: Delegation of DNS server dc-hq.uecc-eg.com. is broken on IP:10.0.1.251
                        Error: DNS server: dc-hq.uecc-eg.com. IP:10.0.1.251
                        [Broken delegation]
                        Warning: Delegation of DNS server hq.uecc-eg.com. is broken on IP:10.0.1.250
                        Error: DNS server: hq.uecc-eg.com. IP:10.0.1.250
                        [Broken delegation]

               TEST: Dynamic update (Dyn)
                  Test record dcdiag-test-record added successfully in zone uecc-eg.com
                  Test record dcdiag-test-record deleted successfully in zone uecc-eg.com

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000007] Intel(R) 82566DM-2 Gigabit Network Connection:
                     Matching CNAME record found at DNS server 10.0.1.250:
                     c5275d2d-8a61-4ca6-806a-8cdffe7f6325._msdcs.uecc-eg.com

                     Matching A record found at DNS server 10.0.1.250:
                     hq.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.ce1c381e-d5e7-4fb7-9b55-57e937757d7c.domains._msdcs.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _kerberos._tcp.dc._msdcs.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.dc._msdcs.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _kerberos._tcp.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _kerberos._udp.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _kpasswd._tcp.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.Default-First-Site-Name._sites.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _kerberos._tcp.Default-First-Site-Name._sites.uecc-eg.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.gc._msdcs.uecc.com

                     Matching A record found at DNS server 10.0.1.250:
                     gc._msdcs.uecc.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _gc._tcp.Default-First-Site-Name._sites.uecc.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.uecc.com

                     Matching  SRV record found at DNS server 10.0.1.250:
                     _ldap._tcp.pdc._msdcs.uecc.com


               TEST: External name resolution (Ext)
                  Internet name www.microsoft.com was resolved successfully

         Summary of test results for DNS servers used by the above domain
         controllers:

            DNS server: 10.0.1.250 (hq.uecc.com.)
               2 test failure on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
               DNS delegation for the domain  _msdcs.uecc.com. is operational on IP 10.0.1.250

               DNS delegation for the domain uecc.com.uecc.com. is broken on IP 10.0.1.250

               [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

            DNS server: 10.0.1.251 (dc-hq.uecc.com.)
               2 test failure on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
               DNS delegation for the domain uecc.com.uecc.com. is broken on IP 10.0.1.251

               [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)]

            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]

            DNS server: 163.121.128.134 (<name unavailable>)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 163.121.128.134
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]

            DNS server: 163.121.128.135 (<name unavailable>)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 163.121.128.135
               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]

            DNS server: 128.63.2.53 (h.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 192.112.36.4 (g.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 192.203.230.10 (e.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 192.228.79.201 (b.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 192.33.4.12 (c.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 192.36.148.17 (i.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 192.5.5.241 (f.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 192.58.128.30 (j.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 193.0.14.129 (k.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 198.41.0.4 (a.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 199.7.83.42 (l.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 202.12.27.33 (m.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 62.240.110.197 (<name unavailable>)
               All tests passed on this DNS server

            DNS server: 62.240.110.198 (<name unavailable>)
               All tests passed on this DNS server

            DNS server: 8.8.8.8 (<name unavailable>)
               All tests passed on this DNS server

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: uecc.com
               DC-HQ                        PASS PASS FAIL FAIL PASS PASS PASS
               hq                           PASS PASS PASS FAIL PASS PASS PASS

         ......................... uecc.com failed test DNS
      Test omitted by user request: LocatorCheck
      Test omitted by user request: Intersite

C:\Users\Administrator>


no comment

RPC error remote Event Viewer/remote dcdiag

Hi All,

I am writing code to perform an Active Directory health check. When I perform dcdiag /s:<server name> /test:kccevent I get results for 80% of servers, while on a few domain controllers it shows failed with an RPC error, even though the same test passes locally. All other results except FRSevent, KCCevent and DFSRevent are fine.

I want to be more prepared before I reach out to the network guy to open port 135 for the few sites where the issue is occurring. Can you guys tell me if anything else can cause this?

Also, I would appreciate any suggestion on other important test results to add here, besides dcdiag.

Thanks - Alok
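The remote *Event tests in dcdiag read the DC's event logs over RPC, which needs the endpoint mapper on TCP 135 and then a dynamically assigned port (49152-65535 on Server 2008 and later), so opening 135 alone can still leave the test failing with 0x6ba. As an added example (not the poster's code), this PowerShell function checks both steps per DC and reports which one fails; it assumes the caller can read event logs on the DCs, and the hostnames are constructed.

```powershell
# Added example, not from the original post. For each DC, tests the path the
# dcdiag *Event tests depend on: TCP 135 (RPC endpoint mapper) and a real
# remote event-log read, which also exercises the dynamic RPC port range
# (49152-65535 on Server 2008+) and the Remote Event Log Management rule.
# Assumes the caller has rights to read event logs on the target DCs.
function Test-DcEventLogRpc {
    param([Parameter(Mandatory)] [string[]] $DomainController)

    foreach ($dc in $DomainController) {
        # Step 1: is the endpoint mapper reachable at all?
        $epm = Test-NetConnection -ComputerName $dc -Port 135 -WarningAction SilentlyContinue

        $result = [ordered]@{
            DC        = $dc
            Port135   = $epm.TcpTestSucceeded
            RemoteLog = $false
            Detail    = ''
        }

        # Step 2: the same log KccEvent queries, read remotely over RPC.
        try {
            $ev = Get-WinEvent -ComputerName $dc -LogName 'Directory Service' -MaxEvents 1 -ErrorAction Stop
            $result.RemoteLog = $true
            $result.Detail    = "latest event id $($ev.Id)"
        } catch {
            $result.Detail = $_.Exception.Message
        }

        # Classify: EPM reachable but the log read failing points at the dynamic
        # port range or the event-log firewall rule rather than port 135 itself.
        $result.Verdict = if ($result.RemoteLog) { 'OK' }
            elseif (-not $result.Port135) { 'TCP 135 blocked' }
            else { 'EPM ok; dynamic RPC ports or remote event log access blocked' }

        [pscustomobject]$result
    }
}

# Constructed sample; substitute the DCs from your health-check list.
Test-DcEventLogRpc -DomainController 'dc01.example.com', 'dc02.example.com' | Format-Table -AutoSize
```

Running it once from a host inside the affected site and once from outside it separates a site firewall from a problem on the DC itself.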

