Domain Controller Startup Issues
We recently had a power outage that caused some problems on our network. We have a 2003 domain, single forest & single domain. We have 3 domain controllers on the network; we will call them dc1, dc2, and dc3. The setup is as follows:
- DC1: 2003 Enterprise 32 bit, also is a DNS server and Certificate server. It is a virtual machine.
- DC2: 2003 Standard 32 bit, also DNS server and has the RID, PDC and Infrastructure roles.
- DC3: 2003 Standard 64 bit, also DNS server and has the roles of domain name operations and schema master and global catalog.
If DC3 is offline, users cannot logon to network resources, nor can you logon to a domain controller. Once DC3 is online, everything is fine.
I have run dcdiag on all 3 domain controllers and they pass all tests except the syslog test. That fails because of Terminal Services errors when I connect to the servers. All other tests pass. I have run dcdiag /test:dns and I only get a warning for unsecure updates and a warning for an external DNS forwarding server.
If anybody has any ideas why the domain is down when dc3 is off, that would be great.
Thanks, Dave
April 9th, 2010 4:18pm

Hello Dave,
- Consider making all 3 DCs GC
- Run a repadmin /showreps from all DCs and post or look for any errors
- Also post ipconfig /all from all DCs
Isaac Oben MCITP:EA, MCSE
April 9th, 2010 4:49pm

Thanks Isaac. If the global catalog server is down, will that stop the domain from being available?? Here are the results from the repadmin (I changed the names to match my description above), no errors. The IPCONFIG text is below.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Default-First-Site-Name\dc2
DC Options: (none)
Site Options: (none)
DC object GUID: a7be936b-a8b2-45bd-9df9-f3f7d90c5c87
DC invocationID: a911ea62-5374-4b71-8be0-78b0bcf112b8
==== INBOUND NEIGHBORS ======================================
DC=aarkel,DC=com
    Default-First-Site-Name\dc3 via RPC
        DC object GUID: 8c55a182-7d57-4497-bb45-3f5f79dda4ef
        Last attempt @ 2010-04-09 09:54:23 was successful.
    Default-First-Site-Name\dc1 via RPC
        DC object GUID: 0237db71-69a1-4fe8-8f3b-861e3fed82e5
        Last attempt @ 2010-04-09 09:54:29 was successful.
CN=Configuration,DC=aarkel,DC=com
    Default-First-Site-Name\dc3 via RPC
        DC object GUID: 8c55a182-7d57-4497-bb45-3f5f79dda4ef
        Last attempt @ 2010-04-09 09:23:06 was successful.
    Default-First-Site-Name\dc1 via RPC
        DC object GUID: 0237db71-69a1-4fe8-8f3b-861e3fed82e5
        Last attempt @ 2010-04-09 09:23:06 was successful.
CN=Schema,CN=Configuration,DC=aarkel,DC=com
    Default-First-Site-Name\dc3 via RPC
        DC object GUID: 8c55a182-7d57-4497-bb45-3f5f79dda4ef
        Last attempt @ 2010-04-09 09:23:06 was successful.
    Default-First-Site-Name\dc1 via RPC
        DC object GUID: 0237db71-69a1-4fe8-8f3b-861e3fed82e5
        Last attempt @ 2010-04-09 09:23:06 was successful.
DC=DomainDnsZones,DC=aarkel,DC=com
    Default-First-Site-Name\dc3 via RPC
        DC object GUID: 8c55a182-7d57-4497-bb45-3f5f79dda4ef
        Last attempt @ 2010-04-09 09:23:06 was successful.
    Default-First-Site-Name\dc1 via RPC
        DC object GUID: 0237db71-69a1-4fe8-8f3b-861e3fed82e5
        Last attempt @ 2010-04-09 09:23:06 was successful.
DC=ForestDnsZones,DC=aarkel,DC=com
    Default-First-Site-Name\dc3 via RPC
        DC object GUID: 8c55a182-7d57-4497-bb45-3f5f79dda4ef
        Last attempt @ 2010-04-09 09:23:06 was successful.
    Default-First-Site-Name\dc1 via RPC
        DC object GUID: 0237db71-69a1-4fe8-8f3b-861e3fed82e5
        Last attempt @ 2010-04-09 09:23:06 was successful.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Here are the IPCONFIGs from the DCs
DC1
Windows IP Configuration
   Host Name . . . . . . . . . . . . : dc1
   Primary Dns Suffix . . . . . . . : aarkel.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : aarkel.com
Ethernet adapter Local Area Connection 2:
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter
   Physical Address. . . . . . . . . : 00-15-5D-C8-6F-08
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.22.80.36
   Subnet Mask . . . . . . . . . . . : 255.255.248.0
   Default Gateway . . . . . . . . . : 172.22.80.5
   DNS Servers . . . . . . . . . . . : 172.22.80.36
                                       172.22.80.45
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DC2
Windows IP Configuration
   Host Name . . . . . . . . . . . . : dc2
   Primary Dns Suffix . . . . . . . : aarkel.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : aarkel.com
Ethernet adapter Local Area Connection 4:
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : TEAM : Team #0
   Physical Address. . . . . . . . . : 00-09-6B-A5-E3-4F
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.22.80.45
   Subnet Mask . . . . . . . . . . . : 255.255.248.0
   Default Gateway . . . . . . . . . : 172.22.80.5
   DNS Servers . . . . . . . . . . . : 172.22.80.45
                                       172.22.80.36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
DC3
Windows IP Configuration
   Host Name . . . . . . . . . . . . : dc3
   Primary Dns Suffix . . . . . . . : aarkel.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : aarkel.com
Ethernet adapter Team 1:
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : BASP Virtual Adapter
   Physical Address. . . . . . . . . : 00-13-72-67-C7-0F
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.22.80.34
   Subnet Mask . . . . . . . . . . . : 255.255.248.0
   Default Gateway . . . . . . . . . : 172.22.80.5
   DNS Servers . . . . . . . . . . . : 172.22.80.34
                                       172.22.80.45
April 9th, 2010 5:04pm

Hello, Repadmin looks good. Can you make sure that the clients/workstations all have dynamic DNS entries and not static to DC3? Since you have a single forest/domain, it is recommended to make all DCs GCs as well; try this and see if it helps.
Isaac Oben MCITP:EA, MCSE
April 9th, 2010 7:46pm

I have made all the DCs, GCs. I haven't been able to shut anything down yet as it would disrupt our network. Most of our clients are DHCP and have dynamically assigned IP addresses and DNS servers. I am assuming that is what you mean by your first statement. Anything else I should be looking at before I try to shut down dc3? Thanks, Dave
April 9th, 2010 8:02pm

Yes, that is what I meant. Just to be sure, on the DHCP you listed all 3 DCs as DNS, so that if one is unavailable the others should kick in. Also, if you shut down dc3 again to test and you still experience the same issue, try doing nslookup on a local machine to one of your existing DCs and an external domain name and see what response you get.
Isaac Oben MCITP:EA, MCSE
April 9th, 2010 8:21pm

Thanks Isaac, I will try that. All the DNS servers are in the DHCP settings. Dave
April 9th, 2010 9:17pm

Are you running DHCP on one of those DCs? This could potentially be a security vulnerability, just fyi for later.
April 9th, 2010 9:32pm

DHCP is run on different servers. Dave
April 9th, 2010 10:23pm

I was able to do a quick test on Friday. I shut down dc3. Everything was fine as dc1 and dc2 were still online. I rebooted dc1 and dc2. I could not get on the domain. I started dc3 up and then everything was fine. I believe that I didn't describe the problem in enough detail at the start. The problem is when all three DCs shut down. When the DCs restart, if dc3 is not running the domain is unavailable. The test on Friday was quick and I plan to do more testing on Sunday afternoon. I might not have waited long enough for dc1 or dc2 to be online as a DC. In a test environment, it seemed to take 5 to 10 minutes. I am thinking it is more of a DNS problem when the systems can't find the domain. No more global catalog errors as all 3 are now GCs. If there is anything else I should be considering?? Dave
April 10th, 2010 2:07pm

Dave, Run a dcdiag /test:dns on all three boxes, see if there are any failures or post the result. Then run a netdiag /fix as well on all boxes and look for any errors.
Isaac Oben MCITP:EA, MCSE
April 10th, 2010 4:56pm

Isaac, I have run the dcdiag /test:dns and the netdiag /fix on all the DCs. The dns gives an error for one of the forwarding DNS servers that we have for DNS queries to the Internet. I am posting the log of one of the netdiag logs, dc2. They are all similar. I didn't see any errors that I thought would have an impact on the domain starting up. I also noticed errors in the DNS log on the one DC where it had problems enumerating the domain zone. Dave
++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Computer Name: dc2
DNS Host Name: ak1syscntr1.aarkel.com
System info : Microsoft Windows Server 2003 R2 (Build 3790)
Processor : x86 Family 15 Model 2 Stepping 5, GenuineIntel
List of installed hotfixes :
    KB923561 KB924667-v2 KB925398_WMP64 KB925876 KB925902 KB926122 KB926139-v2 KB927891
    KB929123 KB930178 KB931784 KB932168 KB933729 KB933854 KB935839 KB935840
    KB936021 KB936357 KB936782 KB938127 KB938127-IE7 KB938464 KB938759-v4 KB941202
    KB941569 KB941644 KB941693 KB942763 KB942830 KB942831 KB943055 KB943460
    KB943485 KB943729 KB944338 KB944653 KB945553 KB946026 KB948496 KB948590
    KB949014 KB950759 KB950759-IE7 KB950760 KB950762 KB950974 KB951072-v2 KB951698
    KB951746 KB951748 KB952004 KB952069 KB952954 KB954600 KB955069 KB955759
    KB955839 KB956572 KB956802 KB956803 KB957097 KB958644 KB958687 KB959426
    KB960225 KB960714-IE7 KB960803 KB961063 KB961371-v2 KB961501 KB967715 KB968537
    KB969805 KB969897-IE7 KB969947 KB970238 KB970483 KB971468 KB971513 KB971633
    KB972270 KB973037 KB973346 KB973687 KB973904 KB973917 KB973917-v2 KB974318
    KB974392 KB975560 KB975713 KB977165-v2 KB977290 KB978037 KB978207-IE7 KB978251
    KB978262 KB978706 KB979306 Q147222
Netcard queries test . . . . . . . : Passed
Per interface results:
    Adapter : Local Area Connection 4
        Netcard queries test . . . : Passed
        Host Name. . . . . . . . . : dc2
        IP Address . . . . . . . . : 172.22.80.45
        Subnet Mask. . . . . . . . : 255.255.248.0
        Default Gateway. . . . . . : 172.22.80.5
        Dns Servers. . . . . . . . : 172.22.80.45
                                     172.22.80.36
        AutoConfiguration results. . . . . . : Passed
        Default gateway test . . . : Passed
        NetBT name test. . . . . . : Passed
        [WARNING] At least one of the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names is missing.
        WINS service test. . . . . : Skipped
            There are no WINS servers configured for this interface.
Global results:
Domain membership test . . . . . . : Passed
NetBT transports test. . . . . . . : Passed
    List of NetBt transports currently configured:
        NetBT_Tcpip_{792A5008-1307-4184-8895-5AAD90567454}
    1 NetBt transport currently configured.
Autonet address test . . . . . . . : Passed
IP loopback ping test. . . . . . . : Passed
Default gateway test . . . . . . . : Passed
NetBT name test. . . . . . . . . . : Passed
    [WARNING] You don't have a single interface with the <00> 'WorkStation Service', <03> 'Messenger Service', <20> 'WINS' names defined.
Winsock test . . . . . . . . . . . : Passed
DNS test . . . . . . . . . . . . . : Passed
    PASS - All the DNS entries for DC are registered on DNS server '172.22.80.45' and other DCs also have some of the names registered.
Redir and Browser test . . . . . . : Passed
    List of NetBt transports currently bound to the Redir
        NetBT_Tcpip_{792A5008-1307-4184-8895-5AAD90567454}
    The redir is bound to 1 NetBt transport.
    List of NetBt transports currently bound to the browser
        NetBT_Tcpip_{792A5008-1307-4184-8895-5AAD90567454}
    The browser is bound to 1 NetBt transport.
DC discovery test. . . . . . . . . : Passed
DC list test . . . . . . . . . . . : Passed
Trust relationship test. . . . . . : Skipped
Kerberos test. . . . . . . . . . . : Passed
LDAP test. . . . . . . . . . . . . : Passed
Bindings test. . . . . . . . . . . : Passed
WAN configuration test . . . . . . : Skipped
    No active remote access connections.
Modem diagnostics test . . . . . . : Passed
IP Security test . . . . . . . . . : Skipped
    Note: run "netsh ipsec dynamic show /?" for more detailed information
The command completed successfully
April 10th, 2010 11:24pm

Hi, if you have only 3 DCs, please make all of them GCs as Isaac mentioned earlier, and after that please force replication between those 3 DCs to replicate the GC partition. Also please make sure that you use Active Directory-integrated DNS. Please post the result of ( DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log) and ipconfig /all from a client machine.
April 11th, 2010 11:26am

Hello, All 3 DCs are GCs. I forced replication on them after they were made GCs. DNS is active directory integrated. The first part is the client ipconfig and the second part is the dcdiag. I have been referring to dc1, dc2 and dc3. They match up as follows in the posting below. dc1=ak1certsrv1-v, dc2=ak1syscntr1, dc3=ak2srv1. I am having issues posting the dcdiag info. I am shortening this message and will try to post the dcdiag in another message. Thanks again, Dave
++++++++++++++IPCONFIG from Client++++++++++++++++++++++++
Windows IP Configuration
   Host Name . . . . . . . . . . . . : SCE-TEST1
   Primary Dns Suffix . . . . . . . : aarkel.com
   Node Type . . . . . . . . . . . . : Unknown
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : aarkel.com
Ethernet adapter Local Area Connection 5:
   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Microsoft Virtual Machine Bus Network Adapter #3
   Physical Address. . . . . . . . . : 00-15-5D-51-0E-07
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 172.22.83.91
   Subnet Mask . . . . . . . . . . . : 255.255.248.0
   Default Gateway . . . . . . . . . : 172.22.80.5
   DHCP Server . . . . . . . . . . . : 172.22.80.34
   DNS Servers . . . . . . . . . . . : 172.22.80.34
                                       172.22.80.45
                                       172.22.80.36
   Lease Obtained. . . . . . . . . . : Friday, April 09, 2010 3:26:24 PM
   Lease Expires . . . . . . . . . . : Wednesday, April 14, 2010 3:31:24 AM
April 11th, 2010 3:19pm

Here is the dcdiag info part 1, Dave
+++++++++++DCDIAG++++++++++++++++++++
Command Line: "dcdiag.exe /V /C /D /E /s:ak2srv1"
Domain Controller Diagnosis
Performing initial setup:
   * Connecting to directory service on server ak2srv1.
   ak2srv1.currentTime = 20100411112518.0Z
   ak2srv1.highestCommittedUSN = 21435983
   ak2srv1.isSynchronized = 1
   ak2srv1.isGlobalCatalogReady = 1
   * Collecting site info.
   * Identifying all servers.
   AK2SRV1.currentTime = 20100411112518.0Z
   AK2SRV1.highestCommittedUSN = 21435983
   AK2SRV1.isSynchronized = 1
   AK2SRV1.isGlobalCatalogReady = 1
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 3 of them.
   Done gathering initial info.
===============================================Printing out pDsInfo
GLOBAL:
   ulNumServers=3
   pszRootDomain=aarkel.com
   pszNC=
   pszRootDomainFQDN=DC=aarkel,DC=com
   pszConfigNc=CN=Configuration,DC=aarkel,DC=com
   pszPartitionsDn=CN=Partitions,CN=Configuration,DC=aarkel,DC=com
   iSiteOptions=0
   dwTombstoneLifeTimeDays=60
   dwForestBehaviorVersion=2
   HomeServer=0, AK2SRV1
SERVER: pServer[0].pszName=AK2SRV1
   pServer[0].pszGuidDNSName=8c55a182-7d57-4497-bb45-3f5f79dda4ef._msdcs.aarkel.com
   pServer[0].pszDNSName=ak2srv1.aarkel.com
   pServer[0].pszDn=CN=NTDS Settings,CN=AK2SRV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com
   pServer[0].pszComputerAccountDn=CN=AK2SRV1,OU=Domain Controllers,DC=aarkel,DC=com
   pServer[0].uuidObjectGuid=8c55a182-7d57-4497-bb45-3f5f79dda4ef
   pServer[0].uuidInvocationId=491713be-8f66-4518-a327-57e8826b59ae
   pServer[0].iSite=0 (Default-First-Site-Name)
   pServer[0].iOptions=1
   pServer[0].ftLocalAcquireTime=aa38c0c0 01cad969
   pServer[0].ftRemoteConnectTime=a9f9e300 01cad969
   pServer[0].ppszMasterNCs:
      ppszMasterNCs[0]=DC=ForestDnsZones,DC=aarkel,DC=com
      ppszMasterNCs[1]=DC=DomainDnsZones,DC=aarkel,DC=com
      ppszMasterNCs[2]=CN=Schema,CN=Configuration,DC=aarkel,DC=com
      ppszMasterNCs[3]=CN=Configuration,DC=aarkel,DC=com
      ppszMasterNCs[4]=DC=aarkel,DC=com
SERVER: pServer[1].pszName=AK1CERTSRV1-V
   pServer[1].pszGuidDNSName=0237db71-69a1-4fe8-8f3b-861e3fed82e5._msdcs.aarkel.com
   pServer[1].pszDNSName=ak1certsrv1-v.aarkel.com
   pServer[1].pszDn=CN=NTDS Settings,CN=AK1CERTSRV1-V,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com
   pServer[1].pszComputerAccountDn=CN=AK1CERTSRV1-V,OU=Domain Controllers,DC=aarkel,DC=com
   pServer[1].uuidObjectGuid=0237db71-69a1-4fe8-8f3b-861e3fed82e5
   pServer[1].uuidInvocationId=634e16b1-0959-48e6-85f6-d36e426591f6
   pServer[1].iSite=0 (Default-First-Site-Name)
   pServer[1].iOptions=1
   pServer[1].ftLocalAcquireTime=00000000 00000000
   pServer[1].ftRemoteConnectTime=00000000 00000000
   pServer[1].ppszMasterNCs:
      ppszMasterNCs[0]=DC=ForestDnsZones,DC=aarkel,DC=com
      ppszMasterNCs[1]=DC=DomainDnsZones,DC=aarkel,DC=com
      ppszMasterNCs[2]=CN=Schema,CN=Configuration,DC=aarkel,DC=com
      ppszMasterNCs[3]=CN=Configuration,DC=aarkel,DC=com
      ppszMasterNCs[4]=DC=aarkel,DC=com
SERVER: pServer[2].pszName=AK1SYSCNTR1
   pServer[2].pszGuidDNSName=a7be936b-a8b2-45bd-9df9-f3f7d90c5c87._msdcs.aarkel.com
   pServer[2].pszDNSName=ak1syscntr1.aarkel.com
   pServer[2].pszDn=CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com
   pServer[2].pszComputerAccountDn=CN=AK1SYSCNTR1,OU=Domain Controllers,DC=aarkel,DC=com
   pServer[2].uuidObjectGuid=a7be936b-a8b2-45bd-9df9-f3f7d90c5c87
   pServer[2].uuidInvocationId=a911ea62-5374-4b71-8be0-78b0bcf112b8
   pServer[2].iSite=0 (Default-First-Site-Name)
   pServer[2].iOptions=1
   pServer[2].ftLocalAcquireTime=00000000 00000000
   pServer[2].ftRemoteConnectTime=00000000 00000000
   pServer[2].ppszMasterNCs:
      ppszMasterNCs[0]=DC=ForestDnsZones,DC=aarkel,DC=com
      ppszMasterNCs[1]=DC=DomainDnsZones,DC=aarkel,DC=com
      ppszMasterNCs[2]=CN=Schema,CN=Configuration,DC=aarkel,DC=com
      ppszMasterNCs[3]=CN=Configuration,DC=aarkel,DC=com
      ppszMasterNCs[4]=DC=aarkel,DC=com
SITES: pSites[0].pszName=Default-First-Site-Name
   pSites[0].pszSiteSettings=CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com
   pSites[0].pszISTG=CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com
   pSites[0].iSiteOption=0
   pSites[0].cServers=3
NC: pNCs[0].pszName=ForestDnsZones
   pNCs[0].pszDn=DC=ForestDnsZones,DC=aarkel,DC=com
   pNCs[0].aCrInfo[0].dwFlags=0x00000201
   pNCs[0].aCrInfo[0].pszDn=CN=bd4707f4-c946-49c5-8aed-c9a22d633997,CN=Partitions,CN=Configuration,DC=aarkel,DC=com
   pNCs[0].aCrInfo[0].pszDnsRoot=ForestDnsZones.aarkel.com
   pNCs[0].aCrInfo[0].iSourceServer=0
   pNCs[0].aCrInfo[0].pszSourceServer=(null)
   pNCs[0].aCrInfo[0].ulSystemFlags=0x00000005
   pNCs[0].aCrInfo[0].bEnabled=TRUE
   pNCs[0].aCrInfo[0].ftWhenCreated=00000000 00000000
   pNCs[0].aCrInfo[0].pszSDReferenceDomain=(null)
   pNCs[0].aCrInfo[0].pszNetBiosName=(null)
   pNCs[0].aCrInfo[0].cReplicas=-1
   pNCs[0].aCrInfo[0].aszReplicas=
NC: pNCs[1].pszName=DomainDnsZones
   pNCs[1].pszDn=DC=DomainDnsZones,DC=aarkel,DC=com
   pNCs[1].aCrInfo[0].dwFlags=0x00000201
   pNCs[1].aCrInfo[0].pszDn=CN=c2ff128f-4621-4411-a114-a8f6979724e7,CN=Partitions,CN=Configuration,DC=aarkel,DC=com
   pNCs[1].aCrInfo[0].pszDnsRoot=DomainDnsZones.aarkel.com
   pNCs[1].aCrInfo[0].iSourceServer=0
   pNCs[1].aCrInfo[0].pszSourceServer=(null)
   pNCs[1].aCrInfo[0].ulSystemFlags=0x00000005
   pNCs[1].aCrInfo[0].bEnabled=TRUE
   pNCs[1].aCrInfo[0].ftWhenCreated=00000000 00000000
   pNCs[1].aCrInfo[0].pszSDReferenceDomain=(null)
   pNCs[1].aCrInfo[0].pszNetBiosName=(null)
   pNCs[1].aCrInfo[0].cReplicas=-1
   pNCs[1].aCrInfo[0].aszReplicas=
NC: pNCs[2].pszName=Schema
   pNCs[2].pszDn=CN=Schema,CN=Configuration,DC=aarkel,DC=com
   pNCs[2].aCrInfo[0].dwFlags=0x00000201
   pNCs[2].aCrInfo[0].pszDn=CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=aarkel,DC=com
   pNCs[2].aCrInfo[0].pszDnsRoot=aarkel.com
   pNCs[2].aCrInfo[0].iSourceServer=0
   pNCs[2].aCrInfo[0].pszSourceServer=(null)
   pNCs[2].aCrInfo[0].ulSystemFlags=0x00000001
   pNCs[2].aCrInfo[0].bEnabled=TRUE
   pNCs[2].aCrInfo[0].ftWhenCreated=00000000 00000000
   pNCs[2].aCrInfo[0].pszSDReferenceDomain=(null)
   pNCs[2].aCrInfo[0].pszNetBiosName=(null)
   pNCs[2].aCrInfo[0].cReplicas=-1
   pNCs[2].aCrInfo[0].aszReplicas=
NC: pNCs[3].pszName=Configuration
   pNCs[3].pszDn=CN=Configuration,DC=aarkel,DC=com
   pNCs[3].aCrInfo[0].dwFlags=0x00000201
   pNCs[3].aCrInfo[0].pszDn=CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=aarkel,DC=com
   pNCs[3].aCrInfo[0].pszDnsRoot=aarkel.com
   pNCs[3].aCrInfo[0].iSourceServer=0
   pNCs[3].aCrInfo[0].pszSourceServer=(null)
   pNCs[3].aCrInfo[0].ulSystemFlags=0x00000001
   pNCs[3].aCrInfo[0].bEnabled=TRUE
   pNCs[3].aCrInfo[0].ftWhenCreated=00000000 00000000
   pNCs[3].aCrInfo[0].pszSDReferenceDomain=(null)
   pNCs[3].aCrInfo[0].pszNetBiosName=(null)
   pNCs[3].aCrInfo[0].cReplicas=-1
   pNCs[3].aCrInfo[0].aszReplicas=
NC: pNCs[4].pszName=aarkel
   pNCs[4].pszDn=DC=aarkel,DC=com
   pNCs[4].aCrInfo[0].dwFlags=0x00000201
   pNCs[4].aCrInfo[0].pszDn=CN=AKE,CN=Partitions,CN=Configuration,DC=aarkel,DC=com
   pNCs[4].aCrInfo[0].pszDnsRoot=aarkel.com
   pNCs[4].aCrInfo[0].iSourceServer=0
   pNCs[4].aCrInfo[0].pszSourceServer=(null)
   pNCs[4].aCrInfo[0].ulSystemFlags=0x00000003
   pNCs[4].aCrInfo[0].bEnabled=TRUE
   pNCs[4].aCrInfo[0].ftWhenCreated=00000000 00000000
   pNCs[4].aCrInfo[0].pszSDReferenceDomain=(null)
   pNCs[4].aCrInfo[0].pszNetBiosName=(null)
   pNCs[4].aCrInfo[0].cReplicas=-1
   pNCs[4].aCrInfo[0].aszReplicas=
5 NC TARGETS: ForestDnsZones, DomainDnsZones, Schema, Configuration, aarkel,
3 TARGETS: AK2SRV1, AK1CERTSRV1-V, AK1SYSCNTR1,
=============================================Done Printing pDsInfo
Doing initial required tests
   Testing server: Default-First-Site-Name\AK2SRV1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Failure Analysis: AK2SRV1 ... OK.
         * Active Directory RPC Services Check
         ......................... AK2SRV1 passed test Connectivity
   Testing server: Default-First-Site-Name\AK1CERTSRV1-V
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         AK1CERTSRV1-V.currentTime = 20100411112657.0Z
         AK1CERTSRV1-V.highestCommittedUSN = 24121583
         AK1CERTSRV1-V.isSynchronized = 1
         AK1CERTSRV1-V.isGlobalCatalogReady = 1
         Failure Analysis: AK1CERTSRV1-V ... OK.
         * Active Directory RPC Services Check
         The clock difference between the home server AK2SRV1 and target server AK1CERTSRV1-V is greater than one minute. This may cause Kerberos authentication failures. Please check that the time service is working properly. You may need to resynchonize the time between these servers.
         ......................... AK1CERTSRV1-V passed test Connectivity
   Testing server: Default-First-Site-Name\AK1SYSCNTR1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         AK1SYSCNTR1.currentTime = 20100411112657.0Z
         AK1SYSCNTR1.highestCommittedUSN = 12721382
         AK1SYSCNTR1.isSynchronized = 1
         AK1SYSCNTR1.isGlobalCatalogReady = 1
         Failure Analysis: AK1SYSCNTR1 ... OK.
         * Active Directory RPC Services Check
         The clock difference between the home server AK2SRV1 and target server AK1SYSCNTR1 is greater than one minute. This may cause Kerberos authentication failures. Please check that the time service is working properly. You may need to resynchonize the time between these servers.
         ......................... AK1SYSCNTR1 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\AK2SRV1
      Starting test: Replications
         * Replications Check
         DC=ForestDnsZones,DC=aarkel,DC=com has 8 cursors.
         DC=DomainDnsZones,DC=aarkel,DC=com has 8 cursors.
         CN=Schema,CN=Configuration,DC=aarkel,DC=com has 26 cursors.
         CN=Configuration,DC=aarkel,DC=com has 26 cursors.
         DC=aarkel,DC=com has 26 cursors.
         * Replication Latency Check
         DC=ForestDnsZones,DC=aarkel,DC=com
            Latency information for 5 entries in the vector were ignored.
               5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
         DC=DomainDnsZones,DC=aarkel,DC=com
            Latency information for 5 entries in the vector were ignored.
               5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
         CN=Schema,CN=Configuration,DC=aarkel,DC=com
            Latency information for 23 entries in the vector were ignored.
               23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
         CN=Configuration,DC=aarkel,DC=com
            Latency information for 23 entries in the vector were ignored.
               23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
         DC=aarkel,DC=com
            Latency information for 23 entries in the vector were ignored.
               23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
         ......................... AK2SRV1 passed test Replications
      Starting test: Topology
         * Configuration Topology Integrity Check
         * Analyzing the connection topology for DC=ForestDnsZones,DC=aarkel,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=DomainDnsZones,DC=aarkel,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=aarkel,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Configuration,DC=aarkel,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=aarkel,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... AK2SRV1 passed test Topology
      Starting test: CutoffServers
         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=aarkel,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=aarkel,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=aarkel,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=aarkel,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=aarkel,DC=com.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ......................... AK2SRV1 passed test CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC AK2SRV1.
         * Security Permissions Check for DC=ForestDnsZones,DC=aarkel,DC=com (NDNC,Version 2)
         * Security Permissions Check for DC=DomainDnsZones,DC=aarkel,DC=com (NDNC,Version 2)
         * Security Permissions Check for CN=Schema,CN=Configuration,DC=aarkel,DC=com (Schema,Version 2)
         * Security Permissions Check for CN=Configuration,DC=aarkel,DC=com (Configuration,Version 2)
         * Security Permissions Check for DC=aarkel,DC=com (Domain,Version 2)
         ......................... AK2SRV1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\AK2SRV1\netlogon
         Verified share \\AK2SRV1\sysvol
         ......................... AK2SRV1 passed test NetLogons
      Starting test: Advertising
         The DC AK2SRV1 is advertising itself as a DC and having a DS.
         The DC AK2SRV1 is advertising as an LDAP server
         The DC AK2SRV1 is advertising as having a writeable directory
         The DC AK2SRV1 is advertising as a Key Distribution Center
         The DC AK2SRV1 is advertising as a time server
         The DS AK2SRV1 is advertising as a GC.
         ......................... AK2SRV1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=AK2SRV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=AK2SRV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com
         ......................... AK2SRV1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ridManagerReference = CN=RID Manager$,CN=System,DC=aarkel,DC=com
         * Available RID Pool for the Domain is 226261 to 1073741823
         fSMORoleOwner = CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com
         * ak1syscntr1.aarkel.com is the RID Master
         * DsBind with RID Master was successful
         rIDSetReferences = CN=RID Set,CN=AK2SRV1,OU=Domain Controllers,DC=aarkel,DC=com
         * rIDAllocationPool is 222761 to 223260
         * rIDPreviousAllocationPool is 222761 to 223260
         * rIDNextRID: 223001
         ......................... AK2SRV1 passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC AK2SRV1 on DC AK2SRV1.
         * SPN found :LDAP/ak2srv1.aarkel.com/aarkel.com
         * SPN found :LDAP/ak2srv1.aarkel.com
         * SPN found :LDAP/AK2SRV1
         * SPN found :LDAP/ak2srv1.aarkel.com/AKE
         * SPN found :LDAP/8c55a182-7d57-4497-bb45-3f5f79dda4ef._msdcs.aarkel.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/8c55a182-7d57-4497-bb45-3f5f79dda4ef/aarkel.com
         * SPN found :HOST/ak2srv1.aarkel.com/aarkel.com
         * SPN found :HOST/ak2srv1.aarkel.com
         * SPN found :HOST/AK2SRV1
         * SPN found :HOST/ak2srv1.aarkel.com/AKE
         * SPN found :GC/ak2srv1.aarkel.com/aarkel.com
         ......................... AK2SRV1 passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... AK2SRV1 passed test Services
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test because /testdomain: was not entered
         ......................... AK2SRV1 passed test OutboundSecureChannels
      Starting test: ObjectsReplicated
         AK2SRV1 is in domain DC=aarkel,DC=com
         Checking for CN=AK2SRV1,OU=Domain Controllers,DC=aarkel,DC=com in domain DC=aarkel,DC=com on 3 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=AK2SRV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com in domain CN=Configuration,DC=aarkel,DC=com on 3 servers
            Object is up-to-date on all servers.
         ......................... AK2SRV1 passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... AK2SRV1 passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test
         ......................... AK2SRV1 passed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... AK2SRV1 passed test kccevent
      Starting test: systemlog
         * The System Event log test
         Found no errors in System Event log in the last 60 minutes.
         ......................... AK2SRV1 passed test systemlog
      Starting test: VerifyReplicas
         ......................... AK2SRV1 passed test VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference) CN=AK2SRV1,OU=Domain Controllers,DC=aarkel,DC=com and backlink on CN=AK2SRV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com are correct.
         The system object reference (frsComputerReferenceBL) CN=AK2SRV1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=aarkel,DC=com and backlink on CN=AK2SRV1,OU=Domain Controllers,DC=aarkel,DC=com are correct.
         The system object reference (serverReferenceBL) CN=AK2SRV1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=aarkel,DC=com and backlink on CN=NTDS Settings,CN=AK2SRV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com are correct.
         ......................... AK2SRV1 passed test VerifyReferences
      Starting test: VerifyEnterpriseReferences
         ......................... AK2SRV1 passed test VerifyEnterpriseReferences
      Starting test: CheckSecurityError
         * Dr Auth: Beginning security errors check!
         Found KDC AK2SRV1 for domain aarkel.com in site Default-First-Site-Name
         Checking machine account for DC AK2SRV1 on DC AK2SRV1.
         * SPN found :LDAP/ak2srv1.aarkel.com/aarkel.com
         * SPN found :LDAP/ak2srv1.aarkel.com
         * SPN found :LDAP/AK2SRV1
         * SPN found :LDAP/ak2srv1.aarkel.com/AKE
         * SPN found :LDAP/8c55a182-7d57-4497-bb45-3f5f79dda4ef._msdcs.aarkel.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/8c55a182-7d57-4497-bb45-3f5f79dda4ef/aarkel.com
         * SPN found :HOST/ak2srv1.aarkel.com/aarkel.com
         * SPN found :HOST/ak2srv1.aarkel.com
         * SPN found :HOST/AK2SRV1
         * SPN found :HOST/ak2srv1.aarkel.com/AKE
         * SPN found :GC/ak2srv1.aarkel.com/aarkel.com
         [AK2SRV1] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.
         ......................... AK2SRV1 passed test CheckSecurityError
April 11th, 2010 3:30pm

Here is dcdiag part 2, Dave +++++++++++++++++++++++++++++++++++++ Testing server: Default-First-Site-Name\AK1CERTSRV1-V Starting test: Replications * Replications Check DC=ForestDnsZones,DC=aarkel,DC=com has 8 cursors. DC=DomainDnsZones,DC=aarkel,DC=com has 8 cursors. CN=Schema,CN=Configuration,DC=aarkel,DC=com has 26 cursors. CN=Configuration,DC=aarkel,DC=com has 26 cursors. DC=aarkel,DC=com has 26 cursors. * Replication Latency Check DC=ForestDnsZones,DC=aarkel,DC=com Latency information for 5 entries in the vector were ignored. 5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=DomainDnsZones,DC=aarkel,DC=com Latency information for 5 entries in the vector were ignored. 5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Schema,CN=Configuration,DC=aarkel,DC=com Latency information for 23 entries in the vector were ignored. 23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Configuration,DC=aarkel,DC=com Latency information for 23 entries in the vector were ignored. 23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=aarkel,DC=com Latency information for 23 entries in the vector were ignored. 23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). ......................... AK1CERTSRV1-V passed test Replications Starting test: Topology * Configuration Topology Integrity Check * Analyzing the connection topology for DC=ForestDnsZones,DC=aarkel,DC=com. 
* Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for DC=DomainDnsZones,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for CN=Configuration,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. ......................... AK1CERTSRV1-V passed test Topology Starting test: CutoffServers * Configuration Topology Aliveness Check * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for CN=Configuration,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. ......................... AK1CERTSRV1-V passed test CutoffServers Starting test: NCSecDesc * Security Permissions check for all NC's on DC AK1CERTSRV1-V. 
* Security Permissions Check for DC=ForestDnsZones,DC=aarkel,DC=com (NDNC,Version 2) * Security Permissions Check for DC=DomainDnsZones,DC=aarkel,DC=com (NDNC,Version 2) * Security Permissions Check for CN=Schema,CN=Configuration,DC=aarkel,DC=com (Schema,Version 2) * Security Permissions Check for CN=Configuration,DC=aarkel,DC=com (Configuration,Version 2) * Security Permissions Check for DC=aarkel,DC=com (Domain,Version 2) ......................... AK1CERTSRV1-V passed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check Verified share \\AK1CERTSRV1-V\netlogon Verified share \\AK1CERTSRV1-V\sysvol ......................... AK1CERTSRV1-V passed test NetLogons Starting test: Advertising The DC AK1CERTSRV1-V is advertising itself as a DC and having a DS. The DC AK1CERTSRV1-V is advertising as an LDAP server The DC AK1CERTSRV1-V is advertising as having a writeable directory The DC AK1CERTSRV1-V is advertising as a Key Distribution Center The DC AK1CERTSRV1-V is advertising as a time server The DS AK1CERTSRV1-V is advertising as a GC. ......................... AK1CERTSRV1-V passed test Advertising Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=AK2SRV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com Role Domain Owner = CN=NTDS Settings,CN=AK2SRV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com Role PDC Owner = CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com Role Rid Owner = CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com Role Infrastructure Update Owner = CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com ......................... 
AK1CERTSRV1-V passed test KnowsOfRoleHolders Starting test: RidManager ridManagerReference = CN=RID Manager$,CN=System,DC=aarkel,DC=com * Available RID Pool for the Domain is 226261 to 1073741823 fSMORoleOwner = CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com * ak1syscntr1.aarkel.com is the RID Master * DsBind with RID Master was successful rIDSetReferences = CN=RID Set,CN=AK1CERTSRV1-V,OU=Domain Controllers,DC=aarkel,DC=com * rIDAllocationPool is 225761 to 226260 * rIDPreviousAllocationPool is 225761 to 226260 * rIDNextRID: 225769 ......................... AK1CERTSRV1-V passed test RidManager Starting test: MachineAccount Checking machine account for DC AK1CERTSRV1-V on DC AK1CERTSRV1-V. * SPN found :LDAP/ak1certsrv1-v.aarkel.com/aarkel.com * SPN found :LDAP/ak1certsrv1-v.aarkel.com * SPN found :LDAP/AK1CERTSRV1-V * SPN found :LDAP/ak1certsrv1-v.aarkel.com/AKE * SPN found :LDAP/0237db71-69a1-4fe8-8f3b-861e3fed82e5._msdcs.aarkel.com * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/0237db71-69a1-4fe8-8f3b-861e3fed82e5/aarkel.com * SPN found :HOST/ak1certsrv1-v.aarkel.com/aarkel.com * SPN found :HOST/ak1certsrv1-v.aarkel.com * SPN found :HOST/AK1CERTSRV1-V * SPN found :HOST/ak1certsrv1-v.aarkel.com/AKE * SPN found :GC/ak1certsrv1-v.aarkel.com/aarkel.com ......................... AK1CERTSRV1-V passed test MachineAccount Starting test: Services * Checking Service: Dnscache * Checking Service: NtFrs * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: RpcSs * Checking Service: w32time * Checking Service: NETLOGON ......................... AK1CERTSRV1-V passed test Services Starting test: OutboundSecureChannels * The Outbound Secure Channels test ** Did not run Outbound Secure Channels test because /testdomain: was not entered ......................... 
AK1CERTSRV1-V passed test OutboundSecureChannels Starting test: ObjectsReplicated AK1CERTSRV1-V is in domain DC=aarkel,DC=com Checking for CN=AK1CERTSRV1-V,OU=Domain Controllers,DC=aarkel,DC=com in domain DC=aarkel,DC=com on 3 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=AK1CERTSRV1-V,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com in domain CN=Configuration,DC=aarkel,DC=com on 3 servers Object is up-to-date on all servers. ......................... AK1CERTSRV1-V passed test ObjectsReplicated Starting test: frssysvol * The File Replication Service SYSVOL ready test File Replication Service's SYSVOL is ready ......................... AK1CERTSRV1-V passed test frssysvol Starting test: frsevent * The File Replication Service Event log test ......................... AK1CERTSRV1-V passed test frsevent Starting test: kccevent * The KCC Event log test Found no KCC errors in Directory Service Event log in the last 15 minutes. ......................... AK1CERTSRV1-V passed test kccevent Starting test: systemlog * The System Event log test Found no errors in System Event log in the last 60 minutes. ......................... AK1CERTSRV1-V passed test systemlog Starting test: VerifyReplicas ......................... AK1CERTSRV1-V passed test VerifyReplicas Starting test: VerifyReferences The system object reference (serverReference) CN=AK1CERTSRV1-V,OU=Domain Controllers,DC=aarkel,DC=com and backlink on CN=AK1CERTSRV1-V,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com are correct. The system object reference (frsComputerReferenceBL) CN=AK1CERTSRV1-V,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=aarkel,DC=com and backlink on CN=AK1CERTSRV1-V,OU=Domain Controllers,DC=aarkel,DC=com are correct. 
The system object reference (serverReferenceBL) CN=AK1CERTSRV1-V,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=aarkel,DC=com and backlink on CN=NTDS Settings,CN=AK1CERTSRV1-V,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com are correct. ......................... AK1CERTSRV1-V passed test VerifyReferences Starting test: VerifyEnterpriseReferences ......................... AK1CERTSRV1-V passed test VerifyEnterpriseReferences Starting test: CheckSecurityError * Dr Auth: Beginning security errors check! Found KDC AK2SRV1 for domain aarkel.com in site Default-First-Site-Name Checking machine account for DC AK1CERTSRV1-V on DC AK2SRV1. * SPN found :LDAP/ak1certsrv1-v.aarkel.com/aarkel.com * SPN found :LDAP/ak1certsrv1-v.aarkel.com * SPN found :LDAP/AK1CERTSRV1-V * SPN found :LDAP/ak1certsrv1-v.aarkel.com/AKE * SPN found :LDAP/0237db71-69a1-4fe8-8f3b-861e3fed82e5._msdcs.aarkel.com * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/0237db71-69a1-4fe8-8f3b-861e3fed82e5/aarkel.com * SPN found :HOST/ak1certsrv1-v.aarkel.com/aarkel.com * SPN found :HOST/ak1certsrv1-v.aarkel.com * SPN found :HOST/AK1CERTSRV1-V * SPN found :HOST/ak1certsrv1-v.aarkel.com/AKE * SPN found :GC/ak1certsrv1-v.aarkel.com/aarkel.com Checking for CN=AK1CERTSRV1-V,OU=Domain Controllers,DC=aarkel,DC=com in domain DC=aarkel,DC=com on 2 servers Object is up-to-date on all servers. [AK1CERTSRV1-V] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>. ......................... AK1CERTSRV1-V passed test CheckSecurityError
April 11th, 2010 3:39pm

DCDIAG part 3, Dave +++++++++++++++++++++++++++++++++++++ Testing server: Default-First-Site-Name\AK1SYSCNTR1 Starting test: Replications * Replications Check DC=ForestDnsZones,DC=aarkel,DC=com has 8 cursors. DC=DomainDnsZones,DC=aarkel,DC=com has 8 cursors. CN=Schema,CN=Configuration,DC=aarkel,DC=com has 26 cursors. CN=Configuration,DC=aarkel,DC=com has 26 cursors. DC=aarkel,DC=com has 26 cursors. * Replication Latency Check DC=ForestDnsZones,DC=aarkel,DC=com Latency information for 5 entries in the vector were ignored. 5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=DomainDnsZones,DC=aarkel,DC=com Latency information for 5 entries in the vector were ignored. 5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Schema,CN=Configuration,DC=aarkel,DC=com Latency information for 23 entries in the vector were ignored. 23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Configuration,DC=aarkel,DC=com Latency information for 23 entries in the vector were ignored. 23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=aarkel,DC=com Latency information for 23 entries in the vector were ignored. 23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). ......................... AK1SYSCNTR1 passed test Replications Starting test: Topology * Configuration Topology Integrity Check * Analyzing the connection topology for DC=ForestDnsZones,DC=aarkel,DC=com. 
* Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for DC=DomainDnsZones,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for CN=Configuration,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the connection topology for DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. ......................... AK1SYSCNTR1 passed test Topology Starting test: CutoffServers * Configuration Topology Aliveness Check * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for CN=Configuration,DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. * Analyzing the alive system replication topology for DC=aarkel,DC=com. * Performing upstream (of target) analysis. * Performing downstream (of target) analysis. ......................... AK1SYSCNTR1 passed test CutoffServers Starting test: NCSecDesc * Security Permissions check for all NC's on DC AK1SYSCNTR1. 
* Security Permissions Check for DC=ForestDnsZones,DC=aarkel,DC=com (NDNC,Version 2) * Security Permissions Check for DC=DomainDnsZones,DC=aarkel,DC=com (NDNC,Version 2) * Security Permissions Check for CN=Schema,CN=Configuration,DC=aarkel,DC=com (Schema,Version 2) * Security Permissions Check for CN=Configuration,DC=aarkel,DC=com (Configuration,Version 2) * Security Permissions Check for DC=aarkel,DC=com (Domain,Version 2) ......................... AK1SYSCNTR1 passed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check Verified share \\AK1SYSCNTR1\netlogon Verified share \\AK1SYSCNTR1\sysvol ......................... AK1SYSCNTR1 passed test NetLogons Starting test: Advertising The DC AK1SYSCNTR1 is advertising itself as a DC and having a DS. The DC AK1SYSCNTR1 is advertising as an LDAP server The DC AK1SYSCNTR1 is advertising as having a writeable directory The DC AK1SYSCNTR1 is advertising as a Key Distribution Center The DC AK1SYSCNTR1 is advertising as a time server The DS AK1SYSCNTR1 is advertising as a GC. ......................... AK1SYSCNTR1 passed test Advertising Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=AK2SRV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com Role Domain Owner = CN=NTDS Settings,CN=AK2SRV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com Role PDC Owner = CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com Role Rid Owner = CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com Role Infrastructure Update Owner = CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com ......................... 
AK1SYSCNTR1 passed test KnowsOfRoleHolders Starting test: RidManager ridManagerReference = CN=RID Manager$,CN=System,DC=aarkel,DC=com * Available RID Pool for the Domain is 226261 to 1073741823 fSMORoleOwner = CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com * ak1syscntr1.aarkel.com is the RID Master * DsBind with RID Master was successful rIDSetReferences = CN=RID Set,CN=AK1SYSCNTR1,OU=Domain Controllers,DC=aarkel,DC=com * rIDAllocationPool is 225261 to 225760 * rIDPreviousAllocationPool is 225261 to 225760 * rIDNextRID: 225395 ......................... AK1SYSCNTR1 passed test RidManager Starting test: MachineAccount Checking machine account for DC AK1SYSCNTR1 on DC AK1SYSCNTR1. * SPN found :LDAP/ak1syscntr1.aarkel.com/aarkel.com * SPN found :LDAP/ak1syscntr1.aarkel.com * SPN found :LDAP/AK1SYSCNTR1 * SPN found :LDAP/ak1syscntr1.aarkel.com/AKE * SPN found :LDAP/a7be936b-a8b2-45bd-9df9-f3f7d90c5c87._msdcs.aarkel.com * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a7be936b-a8b2-45bd-9df9-f3f7d90c5c87/aarkel.com * SPN found :HOST/ak1syscntr1.aarkel.com/aarkel.com * SPN found :HOST/ak1syscntr1.aarkel.com * SPN found :HOST/AK1SYSCNTR1 * SPN found :HOST/ak1syscntr1.aarkel.com/AKE * SPN found :GC/ak1syscntr1.aarkel.com/aarkel.com ......................... AK1SYSCNTR1 passed test MachineAccount Starting test: Services * Checking Service: Dnscache * Checking Service: NtFrs * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: RpcSs * Checking Service: w32time * Checking Service: NETLOGON ......................... AK1SYSCNTR1 passed test Services Starting test: OutboundSecureChannels * The Outbound Secure Channels test ** Did not run Outbound Secure Channels test because /testdomain: was not entered ......................... 
AK1SYSCNTR1 passed test OutboundSecureChannels Starting test: ObjectsReplicated AK1SYSCNTR1 is in domain DC=aarkel,DC=com Checking for CN=AK1SYSCNTR1,OU=Domain Controllers,DC=aarkel,DC=com in domain DC=aarkel,DC=com on 3 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com in domain CN=Configuration,DC=aarkel,DC=com on 3 servers Object is up-to-date on all servers. ......................... AK1SYSCNTR1 passed test ObjectsReplicated Starting test: frssysvol * The File Replication Service SYSVOL ready test File Replication Service's SYSVOL is ready ......................... AK1SYSCNTR1 passed test frssysvol Starting test: frsevent * The File Replication Service Event log test ......................... AK1SYSCNTR1 passed test frsevent Starting test: kccevent * The KCC Event log test Found no KCC errors in Directory Service Event log in the last 15 minutes. ......................... AK1SYSCNTR1 passed test kccevent Starting test: systemlog * The System Event log test Found no errors in System Event log in the last 60 minutes. ......................... AK1SYSCNTR1 passed test systemlog Starting test: VerifyReplicas ......................... AK1SYSCNTR1 passed test VerifyReplicas Starting test: VerifyReferences The system object reference (serverReference) CN=AK1SYSCNTR1,OU=Domain Controllers,DC=aarkel,DC=com and backlink on CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com are correct. The system object reference (frsComputerReferenceBL) CN=AK1SYSCNTR1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=aarkel,DC=com and backlink on CN=AK1SYSCNTR1,OU=Domain Controllers,DC=aarkel,DC=com are correct. 
The system object reference (serverReferenceBL) CN=AK1SYSCNTR1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=aarkel,DC=com and backlink on CN=NTDS Settings,CN=AK1SYSCNTR1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aarkel,DC=com are correct. ......................... AK1SYSCNTR1 passed test VerifyReferences Starting test: VerifyEnterpriseReferences ......................... AK1SYSCNTR1 passed test VerifyEnterpriseReferences Starting test: CheckSecurityError * Dr Auth: Beginning security errors check! Found KDC AK2SRV1 for domain aarkel.com in site Default-First-Site-Name Checking machine account for DC AK1SYSCNTR1 on DC AK2SRV1. * SPN found :LDAP/ak1syscntr1.aarkel.com/aarkel.com * SPN found :LDAP/ak1syscntr1.aarkel.com * SPN found :LDAP/AK1SYSCNTR1 * SPN found :LDAP/ak1syscntr1.aarkel.com/AKE * SPN found :LDAP/a7be936b-a8b2-45bd-9df9-f3f7d90c5c87._msdcs.aarkel.com * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a7be936b-a8b2-45bd-9df9-f3f7d90c5c87/aarkel.com * SPN found :HOST/ak1syscntr1.aarkel.com/aarkel.com * SPN found :HOST/ak1syscntr1.aarkel.com * SPN found :HOST/AK1SYSCNTR1 * SPN found :HOST/ak1syscntr1.aarkel.com/AKE * SPN found :GC/ak1syscntr1.aarkel.com/aarkel.com Checking for CN=AK1SYSCNTR1,OU=Domain Controllers,DC=aarkel,DC=com in domain DC=aarkel,DC=com on 2 servers Object is up-to-date on all servers. [AK1SYSCNTR1] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>. ......................... AK1SYSCNTR1 passed test CheckSecurityError
April 11th, 2010 3:41pm

dcdiag part 4, Dave ++++++++++++++++++++++= DNS Tests are running and not hung. Please wait a few minutes... Running partition tests on : ForestDnsZones Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom Running partition tests on : aarkel Starting test: CrossRefValidation ......................... aarkel passed test CrossRefValidation Starting test: CheckSDRefDom ......................... aarkel passed test CheckSDRefDom Running enterprise tests on : aarkel.com Starting test: Intersite Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided. ......................... aarkel.com passed test Intersite Starting test: FsmoCheck GC Name: \\ak2srv1.aarkel.com Locator Flags: 0xe00001fc PDC Name: \\ak1syscntr1.aarkel.com Locator Flags: 0xe00003fd Time Server Name: \\ak2srv1.aarkel.com Locator Flags: 0xe00001fc Preferred Time Server Name: \\ak1syscntr1.aarkel.com Locator Flags: 0xe00003fd KDC Name: \\ak2srv1.aarkel.com Locator Flags: 0xe00001fc ......................... 
aarkel.com passed test FsmoCheck Starting test: DNS Test results for domain controllers: DC: ak1syscntr1.aarkel.com Domain: aarkel.com TEST: Authentication (Auth) Authentication test: Successfully completed TEST: Basic (Basc) Microsoft(R) Windows(R) Server 2003, Enterprise Edition (Service Pack level: 2.0) is supported NETLOGON service is running kdc service is running DNSCACHE service is running DNS service is running DC is a DNS server Network adapters information: Adapter [00000010] Intel(R) Advanced Network Services Virtual Adapter: MAC address is 00:09:6B:A5:E3:4F IP address is static IP address: 172.22.80.45 DNS servers: 172.22.80.45 (<name unavailable>) [Valid] 172.22.80.36 (<name unavailable>) [Valid] The A record for this DC was found The SOA record for the Active Directory zone was found The Active Directory zone on this DC/DNS server was found (primary) Root zone on this DC/DNS server was not found TEST: Forwarders/Root hints (Forw) Recursion is enabled Forwarders Information: 198.235.216.130 (<name unavailable>) [Valid] 198.235.216.131 (<name unavailable>) [Invalid] 209.216.133.2 (<name unavailable>) [Valid] TEST: Delegations (Del) No delegations were found in this zone on this DNS server TEST: Dynamic update (Dyn) Warning: Dynamic update is enabled on the zone but not secure aarkel.com. Test record _dcdiag_test_record added successfully in zone aarkel.com. Test record _dcdiag_test_record deleted successfully in zone aarkel.com. 
TEST: Records registration (RReg) Network Adapter [00000010] Intel(R) Advanced Network Services Virtual Adapter: Matching A record found at DNS server 172.22.80.45: ak1syscntr1.aarkel.com Matching CNAME record found at DNS server 172.22.80.45: a7be936b-a8b2-45bd-9df9-f3f7d90c5c87._msdcs.aarkel.com Matching DC SRV record found at DNS server 172.22.80.45: _ldap._tcp.dc._msdcs.aarkel.com Matching GC SRV record found at DNS server 172.22.80.45: _ldap._tcp.gc._msdcs.aarkel.com Matching PDC SRV record found at DNS server 172.22.80.45: _ldap._tcp.pdc._msdcs.aarkel.com Matching A record found at DNS server 172.22.80.36: ak1syscntr1.aarkel.com Matching CNAME record found at DNS server 172.22.80.36: a7be936b-a8b2-45bd-9df9-f3f7d90c5c87._msdcs.aarkel.com Matching DC SRV record found at DNS server 172.22.80.36: _ldap._tcp.dc._msdcs.aarkel.com Matching GC SRV record found at DNS server 172.22.80.36: _ldap._tcp.gc._msdcs.aarkel.com Matching PDC SRV record found at DNS server 172.22.80.36: _ldap._tcp.pdc._msdcs.aarkel.com Total query time:0 min. 0 sec.. Total RPC connection time:0 min. 0 sec. Total WMI connection time:0 min. 42 sec. Total Netuse connection time:0 min. 0 sec. 
DC: ak2srv1.aarkel.com Domain: aarkel.com TEST: Authentication (Auth) Authentication test: Successfully completed TEST: Basic (Basc) Microsoft(R) Windows(R) Server 2003 Standard x64 Edition (Service Pack level: 2.0) is supported NETLOGON service is running kdc service is running DNSCACHE service is running DNS service is running DC is a DNS server Network adapters information: Adapter [00000009] BASP Virtual Adapter: MAC address is 00:13:72:67:C7:0F IP address is static IP address: 172.22.80.34 DNS servers: 172.22.80.34 (<name unavailable>) [Valid] 172.22.80.45 (<name unavailable>) [Valid] The A record for this DC was found The SOA record for the Active Directory zone was found The Active Directory zone on this DC/DNS server was found (primary) Root zone on this DC/DNS server was not found TEST: Forwarders/Root hints (Forw) Recursion is enabled Forwarders Information: 198.235.216.130 (<name unavailable>) [Valid] 198.235.216.131 (<name unavailable>) [Invalid] 209.216.133.2 (<name unavailable>) [Valid] TEST: Delegations (Del) No delegations were found in this zone on this DNS server TEST: Dynamic update (Dyn) Warning: Dynamic update is enabled on the zone but not secure aarkel.com. Test record _dcdiag_test_record added successfully in zone aarkel.com. Test record _dcdiag_test_record deleted successfully in zone aarkel.com. TEST: Records registration (RReg) Network Adapter [00000009] BASP Virtual Adapter: Matching A record found at DNS server 172.22.80.34: ak2srv1.aarkel.com Matching CNAME record found at DNS server 172.22.80.34: 8c55a182-7d57-4497-bb45-3f5f79dda4ef._msdcs.aarkel.com Matching DC SRV record found at DNS server 172.22.80.34: _ldap._tcp.dc._msdcs.aarkel.com Matching GC SRV record found at DNS server 172.22.80.34: _ldap._tcp.gc._msdcs.aarkel.com Total query time:0 min. 0 sec.. Total RPC connection time:0 min. 0 sec. Total WMI connection time:0 min. 42 sec. Total Netuse connection time:0 min. 0 sec. 
DC: ak1certsrv1-v.aarkel.com Domain: aarkel.com TEST: Authentication (Auth) Authentication test: Successfully completed TEST: Basic (Basc) Microsoft(R) Windows(R) Server 2003, Enterprise Edition (Service Pack level: 2.0) is supported NETLOGON service is running kdc service is running DNSCACHE service is running DNS service is running DC is a DNS server Network adapters information: Adapter [00000008] Microsoft Virtual Machine Bus Network Adapter: MAC address is 00:15:5D:C8:6F:08 IP address is static IP address: 172.22.80.36 DNS servers: 172.22.80.36 (<name unavailable>) [Valid] 172.22.80.45 (<name unavailable>) [Valid] The A record for this DC was found The SOA record for the Active Directory zone was found The Active Directory zone on this DC/DNS server was found (primary) Root zone on this DC/DNS server was not found TEST: Forwarders/Root hints (Forw) Recursion is enabled Forwarders Information: 198.235.216.130 (<name unavailable>) [Valid] 198.235.216.131 (<name unavailable>) [Invalid] 209.216.133.2 (<name unavailable>) [Valid] TEST: Delegations (Del) No delegations were found in this zone on this DNS server TEST: Dynamic update (Dyn) Warning: Dynamic update is enabled on the zone but not secure aarkel.com. Test record _dcdiag_test_record added successfully in zone aarkel.com. Test record _dcdiag_test_record deleted successfully in zone aarkel.com. TEST: Records registration (RReg) Network Adapter [00000008] Microsoft Virtual Machine Bus Network Adapter: Matching A record found at DNS server 172.22.80.36: ak1certsrv1-v.aarkel.com Matching CNAME record found at DNS server 172.22.80.36: 0237db71-69a1-4fe8-8f3b-861e3fed82e5._msdcs.aarkel.com Matching DC SRV record found at DNS server 172.22.80.36: _ldap._tcp.dc._msdcs.aarkel.com Matching GC SRV record found at DNS server 172.22.80.36: _ldap._tcp.gc._msdcs.aarkel.com Total query time:0 min. 0 sec.. Total RPC connection time:0 min. 0 sec. Total WMI connection time:0 min. 42 sec. Total Netuse connection time:0 min. 
0 sec. Summary of test results for DNS servers used by the above domain controllers: DNS server: 198.235.216.131 (<name unavailable>) 3 test failures on this DNS server This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.235.216.131 [Error details: 9003 (Type: Win32 - Description: DNS name does not exist.)] Total query time:0 min. 0 sec., Total WMI connection time:0 min. 42 sec. DNS server: 172.22.80.34 (<name unavailable>) All tests passed on this DNS server This is a valid DNS server. Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered Total query time:0 min. 0 sec., Total WMI connection time:0 min. 0 sec. DNS server: 172.22.80.36 (<name unavailable>) All tests passed on this DNS server This is a valid DNS server. Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered Total query time:0 min. 0 sec., Total WMI connection time:0 min. 0 sec. DNS server: 172.22.80.45 (<name unavailable>) All tests passed on this DNS server This is a valid DNS server. Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered Total query time:0 min. 0 sec., Total WMI connection time:0 min. 0 sec. DNS server: 198.235.216.130 (<name unavailable>) All tests passed on this DNS server This is a valid DNS server. Total query time:0 min. 0 sec., Total WMI connection time:0 min. 42 sec. DNS server: 209.216.133.2 (<name unavailable>) All tests passed on this DNS server This is a valid DNS server. Total query time:0 min. 0 sec., Total WMI connection time:0 min. 42 sec. Summary of DNS test results: Auth Basc Forw Del Dyn RReg Ext ________________________________________________________________ Domain: aarkel.com ak1syscntr1 PASS PASS PASS PASS WARN PASS n/a ak2srv1 PASS PASS PASS PASS WARN PASS n/a ak1certsrv1-v PASS PASS PASS PASS WARN PASS n/a Total Time taken to test all the DCs:2 min. 7 sec. ......................... 
aarkel.com passed test DNS
April 11th, 2010 3:42pm

Hi, I think your configurations are correct. All you need to do is make every DC point to another one as its preferred DNS server instead of pointing to itself, and in the secondary DNS put the IP of the DNS. Please also make sure that you have created the reverse lookup zone correctly.
April 11th, 2010 4:23pm

Thanks Sameh, I will try that. I am going to be doing some testing this afternoon. Is there a way to test the reverse lookup zone? I didn't create it, my colleague did. Also, after further digging through the logs, dc2 has DNS log event ID 4004 when dc3 is off and dc2 boots. Is this related to the DNS configuration? Dave
April 11th, 2010 5:02pm

Hello, "The clock difference between the home server AK2SRV1 and target server AK1SYSCNTR1 is greater than one minute. This may cause Kerberos authentication failures. Please check that the time service is working properly. You may need to resynchonize the time between these servers." Was there a change in the FSMO roles, with the PDCEmulator moved to another DC? Did you reconfigure the time settings for this? Do you use reverse lookup zones in the domain? The forwarder 198.235.216.131 isn't reachable, so consider removing it. Was there a restore before from one of the DCs? Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
April 11th, 2010 10:09pm

Thanks Meinolf. I will look into the time service. I believe there was a change in the PDC emulator. What time settings need reconfiguring? I didn't do the move. We have a reverse lookup zone in our domain. None of the DCs was restored. When I have dc3 down, which I just tried, any computer that has it as its primary DNS fails nslookup. The computers do not use the secondary DNS value. Aren't they supposed to use the secondary value? Dave
April 11th, 2010 10:16pm

Hello, for the time services, current PDCEmulator:
w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update
With "PEERS" you can set the time source, either a DNS name (time.windows.com) or an IP address from a reliable hardware time source. Here you can find some of them: http://www.pool.ntp.org/
Reconfigure the previous PDCEmulator 2003:
w32tm /config /syncfromflags:domhier /reliable:no /update
After that run:
net stop w32time
net start w32time
Having other DNS servers as secondary on the NIC doesn't mean clients use them automatically when the primary is down. If you are already connected to the domain using the primary DNS, all other ones are ignored. You can force the use of another DNS server with a reboot, for example. See here about "DNS Processes and Interactions" and the client side resolving: http://technet.microsoft.com/en-us/library/cc772774(WS.10).aspx
Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
April 11th, 2010 10:29pm

I think things are working properly now. Not sure which item did it. Probably all the little things throughout the thread. I had dc3 and dc1 off. Rebooted dc2 and after about 11 minutes, the domain was available. When all DCs are off, how long should it take to bring the domain online? I know there are probably many factors to consider, but is 11 minutes a reasonable amount of time? Dave
April 11th, 2010 11:14pm

Hello, the problem without any other DNS server is that you have the egg and the hen problem: AD cannot start without DNS, and if the DNS server service isn't started when configured to use itself as primary for the domain... then it results in a long waiting time until the domain is up and running. Best regards, Meinolf Weber. Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
April 11th, 2010 11:43pm
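
An added example, not part of the original thread: a Python check that reads `dcdiag /test:dns` output like the one posted above and reports the three conditions the replies point at (a DC whose first DNS server is itself, a forwarder marked [Invalid], and a zone with non-secure dynamic update). The sample is an excerpt of the posted output with line breaks restored by hand, and the function and finding names are hypothetical.

```python
import re

# Excerpt of the dcdiag /test:dns output posted in this thread for one DC;
# line breaks are restored by hand, so the layout is an assumption.
SAMPLE = """\
DC: ak2srv1.aarkel.com
Domain: aarkel.com
  TEST: Basic (Basc)
    IP address is static
    IP address: 172.22.80.34
    DNS servers:
      172.22.80.34 (<name unavailable>) [Valid]
      172.22.80.45 (<name unavailable>) [Valid]
  TEST: Forwarders/Root hints (Forw)
    Forwarders Information:
      198.235.216.130 (<name unavailable>) [Valid]
      198.235.216.131 (<name unavailable>) [Invalid]
      209.216.133.2 (<name unavailable>) [Valid]
  TEST: Dynamic update (Dyn)
    Warning: Dynamic update is enabled on the zone but not secure aarkel.com.
"""

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ENTRY = re.compile(rf"\s*({IP})\s+\([^)]*\)\s+\[(Valid|Invalid)\]")

def entries_after(section, label):
    """Return the (ip, status) rows that directly follow a label."""
    pos = section.find(label)
    rows = []
    if pos < 0:
        return rows
    pos += len(label)
    while (m := ENTRY.match(section, pos)):
        rows.append((m.group(1), m.group(2)))
        pos = m.end()
    return rows

def review(report):
    """Return (dc, finding, detail) for each issue raised in the thread."""
    heads = list(re.finditer(r"\bDC:\s+(\S+)", report))
    findings = []
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(report)
        sec, dc = report[head.end():end], head.group(1)
        own = re.search(rf"IP address:\s+({IP})", sec)
        dns = entries_after(sec, "DNS servers:")
        if own and dns and dns[0][0] == own.group(1):
            findings.append((dc, "self-first-dns", dns[0][0]))
        for ip, status in entries_after(sec, "Forwarders Information:"):
            if status == "Invalid":
                findings.append((dc, "invalid-forwarder", ip))
        if "Dynamic update is enabled on the zone but not secure" in sec:
            findings.append((dc, "nonsecure-dynamic-update", ""))
    return findings
```

Because the matching ignores whitespace between entries, `review()` gives the same result on output that has been flattened onto one line, as it is in this thread.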

This topic is archived. No further replies will be accepted.
