Hello,
as there are lots of "Access denied" errors, ensure that you use an elevated command prompt to run all the commands!!!
- In "Doing initial required tests" some errors occur and must be checked.
Testing server: AU-Sydney\APACDC02
Starting test: Connectivity
* Active Directory LDAP Services Check
Server APACDC02 resolved to these IP addresses: 10.196.1.21, but none
of the addresses could be reached (pinged). Please check the network.
Error: 0x2b02 "Error due to lack of resources."
This error more often means that the targeted server is shutdown or
disconnected from the network.
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... APACDC02 failed test Connectivity
Testing server: SG-Singapore\APACDC05
Starting test: Connectivity
* Active Directory LDAP Services Check
Server APACDC05 resolved to these IP addresses: 10.220.1.5, but none
of the addresses could be reached (pinged). Please check the network.
Error: 0x2b02 "Error due to lack of resources."
This error more often means that the targeted server is shutdown or
disconnected from the network.
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... APACDC05 failed test Connectivity
Testing server: DK-CPH-IBC\DKDC04
Starting test: Connectivity
* Active Directory LDAP Services Check
The host 9e48975d-f4e6-413c-a292-dfbccbf27d4f._msdcs.domain.net could
not be resolved to an IP address. Check the DNS server, DHCP, server
name, etc.
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... DKDC04 failed test Connectivity
Testing server: US-FL-SARASOTA\AWSUSRODC01
Starting test: Connectivity
* Active Directory LDAP Services Check
Server AWSUSRODC01 resolved to these IP addresses: 10.190.32.4, but
none of the addresses could be reached (pinged). Please check the
network.
Error: 0x2b02 "Error due to lack of resources."
This error more often means that the targeted server is shutdown or
disconnected from the network.
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... AWSUSRODC01 failed test Connectivity
Testing server: US-NY-LEXINGTON\USNYLA-DC02
Starting test: Connectivity
* Active Directory LDAP Services Check
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... USNYLA-DC02 failed test Connectivity
Testing server: US-NY-MADISON\USNYM-DC01
Starting test: Connectivity
* Active Directory LDAP Services Check
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... USNYM-DC01 failed test Connectivity
Testing server: US-AZ-Phoenix\USPCA-DC01
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
Failure Analysis: USPCA-DC01 ... OK.
* Active Directory RPC Services Check
The clock difference between the home server UKDC13 and target server
USPCA-DC01 is greater than one minute. This may cause Kerberos
authentication failures. Please check that the time service is working
properly. You may need to resynchonize the time between these servers.
......................... USPCA-DC01 passed test Connectivity
------------------------------------------------------------------------------------------------------
The FSMO holders in the root domain and the child domains should be different for the 3 domain-wide FSMOs BUT equal for the 2 root FSMOs, which will be the same on all domains in the forest.
This means you should always have the following 2:
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=UKROOT03,CN=Servers,CN=UK-London,CN=Sites,CN=Configuration,DC=domain,DC=net
Role Domain Owner = CN=NTDS Settings,CN=UKROOT03,CN=Servers,CN=UK-London,CN=Sites,CN=Configuration,DC=domain,DC=net
And then for each domain the following 3:
Role PDC Owner = CN=NTDS Settings,CN=xxxxx,CN=Servers,CN=xxxxx,CN=Sites,CN=Configuration,DC=domain,DC=net
Role Rid Owner = CN=NTDS Settings,CN=xxxxx,CN=Servers,CN=xxxxx,CN=Sites,CN=Configuration,DC=domain,DC=net
Role Infrastructure Update Owner = CN=NTDS Settings,CN=xxxxx,CN=Servers,CN=xxxxx,CN=Sites,CN=Configuration,DC=domain,DC=net
------------------------------------------------------------------------------------------------------
For the following please check with
http://technet.microsoft.com/en-us/library/cc794759(WS.10).aspx:
[1] Problem: Missing Expected Value
Base Object:
CN=AUROOT01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=domain,DC=net
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: serverReference
Value Object Description: "DC Account Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs SYSVOL FRS Member Object.
[1] Problem: Missing Expected Value
Base Object:
CN=UKDC11,OU=Domain Controllers,DC=UK,DC=domain,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[2] Problem: Missing Expected Value
Base Object:
CN=UKDC13,OU=Domain Controllers,DC=UK,DC=domain,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[3] Problem: Missing Expected Value
Base Object:
CN=UKDC12,OU=Domain Controllers,DC=UK,DC=domain,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[4] Problem: Missing Expected Value
Base Object:
CN=USUKDC03,OU=Domain Controllers,DC=UK,DC=domain,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[5] Problem: Missing Expected Value
Base Object:
CN=UKDC15,OU=Domain Controllers,DC=UK,DC=domain,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[6] Problem: Missing Expected Value
Base Object:
CN=UKDC16,OU=Domain Controllers,DC=UK,DC=domain,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
----------------------------------------------------------------------------------------------
If any of the listed DCs in the output files don't exist anymore, please run metadata cleanup as described within
http://blogs.msmvps.com/mweber/2010/05/16/active-directory-metadata-cleanup/ and ensure all references to them are also removed from the DNS zones, the DNS Server properties and AD sites and services.
-----------------------------------------------------------------------------------------------
Ensure that firewalls are configured according to
https://technet.microsoft.com/en-us/library/dd772723%28WS.10%29.aspx?f=255&MSPPError=-2147217396 so all DCs can replicate.
------------------------------------------------------------------------------------------------
Often there are FORWARDERS listed that are domain internal DNS servers. Ensure that you don't create some kind of loop where they are not able to resolve correctly. If the Forwarders are used to connect the domain with the internet, you should use external ones instead.
------------------------------------------------------------------------------------------------
Replication errors are shown with the following:
Doing intersite inbound replication test on site US-NY-WHITE-PLAINS:
Locating & Contacting Intersite Topology Generator (ISTG) ...
*** ERROR: The home server UKDC13 is not in sync with
CN=NTDS Settings\0ADEL:9a4d72ec-2b85-4d39-ba1d-ae2d1c89da4f,CN=USWP-DC02\0ADEL:ecd9e147-8215-481d-ad5d-176cb755477c,CN=Servers,CN=US-NY-WHITE-PLAINS,CN=Sites,CN=Configuration,DC=domain,DC=net,
unable to proceed. Suggest you run:
dcdiag
/s:CN=NTDS Settings\0ADEL:9a4d72ec-2b85-4d39-ba1d-ae2d1c89da4f,CN=USWP-DC02\0ADEL:ecd9e147-8215-481d-ad5d-176cb755477c,CN=Servers,CN=US-NY-WHITE-PLAINS,CN=Sites,CN=Configuration,DC=domain,DC=net
<options>
These must be checked, and the mentioned DCs must be removed from the domain if they no longer exist. The highlighted 0ADEL: entries normally belong to objects that no longer exist in the domain.
Please ensure that AD sites and services reflects your required environment and that all subnets belong to the correct site containing the correct DCs.
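
Added example (not part of the original post): one way to sort a saved dcdiag log by the Connectivity failure causes discussed above and to list the objects carrying the 0ADEL: marker. The sample log is abridged and constructed; its server names, addresses, GUIDs and the cause labels are assumptions made for illustration.

```python
import re

# Constructed, abridged sample shaped like the dcdiag output above; all names are placeholders.
SAMPLE = r"""Testing server: SiteA\DC01
Server DC01 resolved to these IP addresses: 192.0.2.10, but none
of the addresses could be reached (pinged). Please check the network.
......................... DC01 failed test Connectivity
Testing server: SiteB\DC02
The host 00000000-0000-0000-0000-000000000000._msdcs.example.test could
not be resolved to an IP address.
......................... DC02 failed test Connectivity
Testing server: SiteB\DC04
Got error while checking LDAP and RPC connectivity. Please check your
firewall settings.
......................... DC04 failed test Connectivity
Testing server: SiteC\DC03
The clock difference between the home server DC00 and target server
DC03 is greater than one minute. This may cause Kerberos
......................... DC03 passed test Connectivity
*** ERROR: The home server DC00 is not in sync with
CN=NTDS Settings\0ADEL:11111111-1111-1111-1111-111111111111,CN=DC09\0ADEL:22222222-2222-2222-2222-222222222222,CN=Servers,CN=SiteD
"""

# Message fragment -> what to check first (labels are this example's own).
CAUSES = [
    ("none of the addresses could be reached", "unreachable"),
    ("could not be resolved to an IP address", "dns-unresolved"),
    ("clock difference between the home server", "time-skew"),
]

def triage(text):
    """Map each tested server to its Connectivity result and likely causes."""
    report = {}
    for block in re.split(r"(?m)^(?=Testing server:)", text):
        head = re.match(r"Testing server: \S+\\(\S+)", block)
        if not head:
            continue
        flat = " ".join(block.split())  # undo dcdiag's line wrapping
        verdict = re.search(r"(passed|failed) test Connectivity", flat)
        result = verdict.group(1) if verdict else "unknown"
        causes = [label for needle, label in CAUSES if needle in flat]
        if result == "failed" and not causes:
            causes = ["unexplained"]  # only the generic LDAP/RPC message was logged
        report[head.group(1)] = {"result": result, "causes": causes}
    return report

def deleted_references(text):
    # Objects whose name carries the \0ADEL:<guid> deleted-object marker.
    return sorted(set(re.findall(r"CN=([^,\\]+)\\0ADEL:[0-9a-fA-F-]{36}", text)))
```

A server that passed but shows "time-skew" still needs its time service checked, and every name returned by deleted_references is a candidate for the metadata cleanup mentioned above.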