Command Line: "dcdiag.exe /v /c /d /e /s:companyname.local"
Domain Controller Diagnosis
Performing initial setup:
* Connecting to directory service on server companyname.local.
companyname.local.currentTime = 20150427062554.0Z
companyname.local.highestCommittedUSN = 21115179
companyname.local.isSynchronized = 1
companyname.local.isGlobalCatalogReady = 1
* Collecting site info.
* Identifying all servers.
CH-DC1-2K8.currentTime = 20150427062554.0Z
CH-DC1-2K8.highestCommittedUSN = 21115179
CH-DC1-2K8.isSynchronized = 1
CH-DC1-2K8.isGlobalCatalogReady = 1
* Identifying all NC cross-refs.
* Found 3 DC(s). Testing 3 of them.
Done gathering initial info.
===============================================Printing out pDsInfo
GLOBAL:
ulNumServers=3
pszRootDomain=companyname.local
pszNC=
pszRootDomainFQDN=DC=companyname,DC=local
pszConfigNc=CN=Configuration,DC=companyname,DC=local
pszPartitionsDn=CN=Partitions,CN=Configuration,DC=companyname,DC=local
iSiteOptions=0
dwTombstoneLifeTimeDays=180
dwForestBehaviorVersion=0
HomeServer=0, CH-DC1-2K8
SERVER: pServer[0].pszName=CH-DC1-2K8
pServer[0].pszGuidDNSName=bfe39346-13d8-455a-a97a-2a33f9e779f5._msdcs.companyname.local
pServer[0].pszDNSName=ch-dc1-2k8.companyname.local
pServer[0].pszDn=CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
pServer[0].pszComputerAccountDn=CN=CH-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local
pServer[0].uuidObjectGuid=bfe39346-13d8-455a-a97a-2a33f9e779f5
pServer[0].uuidInvocationId=bfe39346-13d8-455a-a97a-2a33f9e779f5
pServer[0].iSite=0 (Cardiff)
pServer[0].iOptions=1
pServer[0].ftLocalAcquireTime=03a9b7e0 01d080b3
pServer[0].ftRemoteConnectTime=03808500 01d080b3
pServer[0].ppszMasterNCs:
ppszMasterNCs[0]=CN=Schema,CN=Configuration,DC=companyname,DC=local
ppszMasterNCs[1]=CN=Configuration,DC=companyname,DC=local
ppszMasterNCs[2]=DC=companyname,DC=local
SERVER: pServer[1].pszName=CH-DC2-2K8
pServer[1].pszGuidDNSName=abb03237-e91b-457f-ab16-788d5dc3930e._msdcs.companyname.local
pServer[1].pszDNSName=ch-dc2-2k8.companyname.local
pServer[1].pszDn=CN=NTDS Settings,CN=CH-DC2-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
pServer[1].pszComputerAccountDn=CN=CH-DC2-2K8,OU=Domain Controllers,DC=companyname,DC=local
pServer[1].uuidObjectGuid=abb03237-e91b-457f-ab16-788d5dc3930e
pServer[1].uuidInvocationId=a1d47848-fb4f-497b-a8a2-f11d40b71481
pServer[1].iSite=0 (Cardiff)
pServer[1].iOptions=1
pServer[1].ftLocalAcquireTime=00000000 00000000
pServer[1].ftRemoteConnectTime=00000000 00000000
pServer[1].ppszMasterNCs:
ppszMasterNCs[0]=CN=Schema,CN=Configuration,DC=companyname,DC=local
ppszMasterNCs[1]=CN=Configuration,DC=companyname,DC=local
ppszMasterNCs[2]=DC=companyname,DC=local
SERVER: pServer[2].pszName=NA-DC1-2K8
pServer[2].pszGuidDNSName=2961b38b-570f-4a35-908f-9818a8080c0d._msdcs.companyname.local
pServer[2].pszDNSName=na-dc1-2k8.companyname.local
pServer[2].pszDn=CN=NTDS Settings,CN=NA-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
pServer[2].pszComputerAccountDn=CN=NA-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local
pServer[2].uuidObjectGuid=2961b38b-570f-4a35-908f-9818a8080c0d
pServer[2].uuidInvocationId=ccd660df-050c-4206-964f-cc6c0bddaf21
pServer[2].iSite=0 (Cardiff)
pServer[2].iOptions=1
pServer[2].ftLocalAcquireTime=00000000 00000000
pServer[2].ftRemoteConnectTime=00000000 00000000
pServer[2].ppszMasterNCs:
ppszMasterNCs[0]=CN=Schema,CN=Configuration,DC=companyname,DC=local
ppszMasterNCs[1]=CN=Configuration,DC=companyname,DC=local
ppszMasterNCs[2]=DC=companyname,DC=local
SITES: pSites[0].pszName=Cardiff
pSites[0].pszSiteSettings=CN=NTDS Site Settings,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
pSites[0].pszISTG=CN=NTDS Settings,CN=CH-DC2-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
pSites[0].iSiteOption=0
pSites[0].cServers=3
SITES: pSites[1].pszName=Edinburgh
pSites[1].pszSiteSettings=CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local
pSites[1].pszISTG=(null)
pSites[1].iSiteOption=0
pSites[1].cServers=0
SITES: pSites[2].pszName=London
pSites[2].pszSiteSettings=CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local
pSites[2].pszISTG=(null)
pSites[2].iSiteOption=0
pSites[2].cServers=0
SITES: pSites[3].pszName=Belfast
pSites[3].pszSiteSettings=CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local
pSites[3].pszISTG=(null)
pSites[3].iSiteOption=0
pSites[3].cServers=0
NC: pNCs[0].pszName=Schema
pNCs[0].pszDn=CN=Schema,CN=Configuration,DC=companyname,DC=local
pNCs[0].aCrInfo[0].dwFlags=0x00000201
pNCs[0].aCrInfo[0].pszDn=CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=companyname,DC=local
pNCs[0].aCrInfo[0].pszDnsRoot=companyname.local
pNCs[0].aCrInfo[0].iSourceServer=0
pNCs[0].aCrInfo[0].pszSourceServer=(null)
pNCs[0].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[0].aCrInfo[0].bEnabled=TRUE
pNCs[0].aCrInfo[0].ftWhenCreated=00000000 00000000 pNCs[0].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[0].aCrInfo[0].pszNetBiosName=(null)
pNCs[0].aCrInfo[0].cReplicas=-1
pNCs[0].aCrInfo[0].aszReplicas=
NC: pNCs[1].pszName=Configuration
pNCs[1].pszDn=CN=Configuration,DC=companyname,DC=local
pNCs[1].aCrInfo[0].dwFlags=0x00000201
pNCs[1].aCrInfo[0].pszDn=CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=companyname,DC=local
pNCs[1].aCrInfo[0].pszDnsRoot=companyname.local
pNCs[1].aCrInfo[0].iSourceServer=0
pNCs[1].aCrInfo[0].pszSourceServer=(null)
pNCs[1].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[1].aCrInfo[0].bEnabled=TRUE
pNCs[1].aCrInfo[0].ftWhenCreated=00000000 00000000 pNCs[1].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[1].aCrInfo[0].pszNetBiosName=(null)
pNCs[1].aCrInfo[0].cReplicas=-1
pNCs[1].aCrInfo[0].aszReplicas=
NC: pNCs[2].pszName=companyname
pNCs[2].pszDn=DC=companyname,DC=local
pNCs[2].aCrInfo[0].dwFlags=0x00000201
pNCs[2].aCrInfo[0].pszDn=CN=companyname,CN=Partitions,CN=Configuration,DC=companyname,DC=local
pNCs[2].aCrInfo[0].pszDnsRoot=companyname.local
pNCs[2].aCrInfo[0].iSourceServer=0
pNCs[2].aCrInfo[0].pszSourceServer=(null)
pNCs[2].aCrInfo[0].ulSystemFlags=0x00000003
pNCs[2].aCrInfo[0].bEnabled=TRUE
pNCs[2].aCrInfo[0].ftWhenCreated=00000000 00000000 pNCs[2].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[2].aCrInfo[0].pszNetBiosName=(null)
pNCs[2].aCrInfo[0].cReplicas=-1
pNCs[2].aCrInfo[0].aszReplicas=
3 NC TARGETS: Schema, Configuration, companyname,
3 TARGETS: CH-DC1-2K8, CH-DC2-2K8, NA-DC1-2K8,
=============================================Done Printing pDsInfo
Doing initial required tests
Testing server: Cardiff\CH-DC1-2K8
Starting test: Connectivity
* Active Directory LDAP Services Check
Failure Analysis: CH-DC1-2K8 ... OK.
* Active Directory RPC Services Check
......................... CH-DC1-2K8 passed test Connectivity
Testing server: Cardiff\CH-DC2-2K8
Starting test: Connectivity
* Active Directory LDAP Services Check
CH-DC2-2K8.currentTime = 20150427062554.0Z
CH-DC2-2K8.highestCommittedUSN = 20813567
CH-DC2-2K8.isSynchronized = 1
CH-DC2-2K8.isGlobalCatalogReady = 1
Failure Analysis: CH-DC2-2K8 ... OK.
* Active Directory RPC Services Check
......................... CH-DC2-2K8 passed test Connectivity
Testing server: Cardiff\NA-DC1-2K8
Starting test: Connectivity
* Active Directory LDAP Services Check
NA-DC1-2K8.currentTime = 20150427062554.0Z
NA-DC1-2K8.highestCommittedUSN = 5812470
NA-DC1-2K8.isSynchronized = 1
NA-DC1-2K8.isGlobalCatalogReady = 1
Failure Analysis: NA-DC1-2K8 ... OK.
* Active Directory RPC Services Check
......................... NA-DC1-2K8 passed test Connectivity
Doing primary tests
Testing server: Cardiff\CH-DC1-2K8
Starting test: Replications
* Replications Check
CN=Schema,CN=Configuration,DC=companyname,DC=local has 7 cursors.
CN=Configuration,DC=companyname,DC=local has 7 cursors.
DC=companyname,DC=local has 7 cursors.
* Replication Latency Check
CN=Schema,CN=Configuration,DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Configuration,DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
* Replication Site Latency Check
Site Settings = CN=NTDS Site Settings,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
[0x904de,v=62271,t=2015-04-27 06:53:19,g=a1d47848-fb4f-497b-a8a2-f11d40b71481,orig=20812365,local=21113816]
Elapsed time (sec) = 1955
Site Settings = CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local was skipped
because it never had an ISTG running in it.
Site Settings = CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local was skipped because
it never had an ISTG running in it.
Site Settings = CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local was skipped
because it never had an ISTG running in it.
......................... CH-DC1-2K8 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CH-DC1-2K8 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CH-DC1-2K8 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC CH-DC1-2K8.
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=companyname,DC=local
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=companyname,DC=local
(Configuration,Version 2)
* Security Permissions Check for
DC=companyname,DC=local
(Domain,Version 2)
......................... CH-DC1-2K8 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\CH-DC1-2K8\netlogon
Verified share \\CH-DC1-2K8\sysvol
......................... CH-DC1-2K8 passed test NetLogons
Starting test: Advertising
The DC CH-DC1-2K8 is advertising itself as a DC and having a DS.
The DC CH-DC1-2K8 is advertising as an LDAP server
The DC CH-DC1-2K8 is advertising as having a writeable directory
The DC CH-DC1-2K8 is advertising as a Key Distribution Center
The DC CH-DC1-2K8 is advertising as a time server
The DS CH-DC1-2K8 is advertising as a GC.
......................... CH-DC1-2K8 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
......................... CH-DC1-2K8 passed test KnowsOfRoleHolders
Starting test: RidManager
ridManagerReference = CN=RID Manager$,CN=System,DC=companyname,DC=local
* Available RID Pool for the Domain is 12100 to 1073741823
fSMORoleOwner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
* ch-dc1-2k8.companyname.local is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=CH-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local
* rIDAllocationPool is 10600 to 11099
* rIDPreviousAllocationPool is 10600 to 11099
* rIDNextRID: 10619
......................... CH-DC1-2K8 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC CH-DC1-2K8 on DC CH-DC1-2K8.
* SPN found :LDAP/ch-dc1-2k8.companyname.local/companyname.local
* SPN found :LDAP/ch-dc1-2k8.companyname.local
* SPN found :LDAP/CH-DC1-2K8
* SPN found :LDAP/ch-dc1-2k8.companyname.local/companyname
* SPN found :LDAP/bfe39346-13d8-455a-a97a-2a33f9e779f5._msdcs.companyname.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/bfe39346-13d8-455a-a97a-2a33f9e779f5/companyname.local
* SPN found :HOST/ch-dc1-2k8.companyname.local/companyname.local
* SPN found :HOST/ch-dc1-2k8.companyname.local
* SPN found :HOST/CH-DC1-2K8
* SPN found :HOST/ch-dc1-2k8.companyname.local/companyname
* SPN found :GC/ch-dc1-2k8.companyname.local/companyname.local
......................... CH-DC1-2K8 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... CH-DC1-2K8 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... CH-DC1-2K8 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
CH-DC1-2K8 is in domain DC=companyname,DC=local
Checking for CN=CH-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local in domain DC=companyname,DC=local on 3 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local in domain CN=Configuration,DC=companyname,DC=local on 3 servers
Object is up-to-date on all servers.
......................... CH-DC1-2K8 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CH-DC1-2K8 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 04/26/2015 20:22:44
Event String: The File Replication Service is having trouble enabling replication from CH-DC2-2K8 to CH-DC1-2K8 for c:\windows\sysvol\domain using the DNS name ch-dc2-2k8.companyname.local.
FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name ch-dc2-2k8.companyname.local from this computer. [2] FRS is not running on
ch-dc2-2k8.companyname.local. [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection,
After the problem is fixed you will see another event log message indicating that the connection has been established.
April 27th, 2015 2:37am
An Warning Event occured. EventID: 0x800034C4
Time Generated: 04/26/2015 20:26:57
Event String: The File Replication Service is having trouble enabling replication from NA-DC1-2K8 to CH-DC1-2K8 for c:\windows\sysvol\domain using the DNS name na-dc1-2k8.companyname.local.
FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name na-dc1-2k8.companyname.local from this computer. [2] FRS is not running on
na-dc1-2k8.companyname.local. [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection,
After the problem is fixed you will see another event log message indicating that the connection has been established.
......................... CH-DC1-2K8 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... CH-DC1-2K8 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 04/27/2015 07:16:26
Event String: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Administrator. The target name used was companyname\CH-DC2-2K8$. This indicates that the target server
failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered
on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that
the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (companyname.LOCAL) is different from the client domain (companyname.LOCAL), check if there are identically
named server accounts in these two domains, or use the fully-qualified name to identify the server.
An Error Event occured. EventID: 0x40000004
Time Generated: 04/27/2015 07:16:26
Event String: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Administrator. The target name used was companyname\NA-DC1-2K8$. This indicates that the target server
failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered
on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that
the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (companyname.LOCAL) is different from the client domain (companyname.LOCAL), check if there are identically
named server accounts in these two domains, or use the fully-qualified name to identify the server.
......................... CH-DC1-2K8 failed test systemlog
Starting test: VerifyReplicas
......................... CH-DC1-2K8 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference) CN=CH-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local and
backlink on CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local are correct.
The system object reference (frsComputerReferenceBL) CN=CH-DC1-2K8,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=companyname,DC=local
and backlink on CN=CH-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local are correct.
The system object reference (serverReferenceBL) CN=CH-DC1-2K8,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=companyname,DC=local
and backlink on CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local are correct.
......................... CH-DC1-2K8 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... CH-DC1-2K8 passed test VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC CH-DC1-2K8 for domain companyname.local in site Cardiff
Checking machine account for DC CH-DC1-2K8 on DC CH-DC1-2K8.
* SPN found :LDAP/ch-dc1-2k8.companyname.local/companyname.local
* SPN found :LDAP/ch-dc1-2k8.companyname.local
* SPN found :LDAP/CH-DC1-2K8
* SPN found :LDAP/ch-dc1-2k8.companyname.local/companyname
* SPN found :LDAP/bfe39346-13d8-455a-a97a-2a33f9e779f5._msdcs.companyname.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/bfe39346-13d8-455a-a97a-2a33f9e779f5/companyname.local
* SPN found :HOST/ch-dc1-2k8.companyname.local/companyname.local
* SPN found :HOST/ch-dc1-2k8.companyname.local
* SPN found :HOST/CH-DC1-2K8
* SPN found :HOST/ch-dc1-2k8.companyname.local/companyname
* SPN found :GC/ch-dc1-2k8.companyname.local/companyname.local
[CH-DC1-2K8] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... CH-DC1-2K8 passed test CheckSecurityError
Testing server: Cardiff\CH-DC2-2K8
Starting test: Replications
* Replications Check
CN=Schema,CN=Configuration,DC=companyname,DC=local has 7 cursors.
CN=Configuration,DC=companyname,DC=local has 7 cursors.
DC=companyname,DC=local has 7 cursors.
* Replication Latency Check
CN=Schema,CN=Configuration,DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Configuration,DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
* Replication Site Latency Check
Site Settings = CN=NTDS Site Settings,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
[0x904de,v=62271,t=2015-04-27 06:53:19,g=a1d47848-fb4f-497b-a8a2-f11d40b71481,orig=20812365,local=20812365]
Elapsed time (sec) = 1956
Site Settings = CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local was skipped
because it never had an ISTG running in it.
Site Settings = CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local was skipped because
it never had an ISTG running in it.
Site Settings = CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local was skipped
because it never had an ISTG running in it.
......................... CH-DC2-2K8 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CH-DC2-2K8 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CH-DC2-2K8 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC CH-DC2-2K8.
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=companyname,DC=local
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=companyname,DC=local
(Configuration,Version 2)
* Security Permissions Check for
DC=companyname,DC=local
(Domain,Version 2)
......................... CH-DC2-2K8 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\CH-DC2-2K8\netlogon
Verified share \\CH-DC2-2K8\sysvol
......................... CH-DC2-2K8 passed test NetLogons
Starting test: Advertising
The DC CH-DC2-2K8 is advertising itself as a DC and having a DS.
The DC CH-DC2-2K8 is advertising as an LDAP server
The DC CH-DC2-2K8 is advertising as having a writeable directory
The DC CH-DC2-2K8 is advertising as a Key Distribution Center
The DC CH-DC2-2K8 is advertising as a time server
The DS CH-DC2-2K8 is advertising as a GC.
......................... CH-DC2-2K8 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
......................... CH-DC2-2K8 passed test KnowsOfRoleHolders
Starting test: RidManager
ridManagerReference = CN=RID Manager$,CN=System,DC=companyname,DC=local
* Available RID Pool for the Domain is 12100 to 1073741823
fSMORoleOwner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
* ch-dc1-2k8.companyname.local is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=CH-DC2-2K8,OU=Domain Controllers,DC=companyname,DC=local
* rIDAllocationPool is 11100 to 11599
* rIDPreviousAllocationPool is 9100 to 9599
* rIDNextRID: 9427
......................... CH-DC2-2K8 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC CH-DC2-2K8 on DC CH-DC2-2K8.
* SPN found :LDAP/ch-dc2-2k8.companyname.local/companyname.local
* SPN found :LDAP/ch-dc2-2k8.companyname.local
* SPN found :LDAP/CH-DC2-2K8
* SPN found :LDAP/ch-dc2-2k8.companyname.local/companyname
* SPN found :LDAP/abb03237-e91b-457f-ab16-788d5dc3930e._msdcs.companyname.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/abb03237-e91b-457f-ab16-788d5dc3930e/companyname.local
* SPN found :HOST/ch-dc2-2k8.companyname.local/companyname.local
* SPN found :HOST/ch-dc2-2k8.companyname.local
* SPN found :HOST/CH-DC2-2K8
* SPN found :HOST/ch-dc2-2k8.companyname.local/companyname
* SPN found :GC/ch-dc2-2k8.companyname.local/companyname.local
......................... CH-DC2-2K8 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... CH-DC2-2K8 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... CH-DC2-2K8 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
CH-DC2-2K8 is in domain DC=companyname,DC=local
Checking for CN=CH-DC2-2K8,OU=Domain Controllers,DC=companyname,DC=local in domain DC=companyname,DC=local on 3 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CH-DC2-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local in domain CN=Configuration,DC=companyname,DC=local on 3 servers
Object is up-to-date on all servers.
......................... CH-DC2-2K8 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... CH-DC2-2K8 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 04/26/2015 19:55:52
Event String: The File Replication Service is having trouble enabling replication from NA-DC1-2K8 to CH-DC2-2K8 for c:\windows\sysvol\domain using the DNS name na-dc1-2k8.companyname.local.
FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name na-dc1-2k8.companyname.local from this computer. [2] FRS is not running on
na-dc1-2k8.companyname.local. [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection,
After the problem is fixed you will see another event log message indicating that the connection has been established.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 04/26/2015 20:18:20
Event String: The File Replication Service is having trouble enabling replication from CH-DC1-2K8 to CH-DC2-2K8 for c:\windows\sysvol\domain using the DNS name ch-dc1-2k8.companyname.local.
FRS will keep retrying. Following are some of the reasons you would see this warning. [1] FRS can not correctly resolve the DNS name ch-dc1-2k8.companyname.local from this computer. [2] FRS is not running on
ch-dc1-2k8.companyname.local. [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. This event log message will appear once per connection,
After the problem is fixed you will see another event log message indicating that the connection has been established.
......................... CH-DC2-2K8 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... CH-DC2-2K8 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 04/27/2015 06:50:31
Event String: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Administrator. The target name used was ch-dc1-2k8$. This indicates that the target server failed to decrypt
the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered on, the account
used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that the service on the
server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (companyname.LOCAL) is different from the client domain (companyname.LOCAL), check if there are identically named server accounts
in these two domains, or use the fully-qualified name to identify the server.
An Error Event occured. EventID: 0x40000004
Time Generated: 04/27/2015 07:15:20
Event String: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Administrator. The target name used was companyname\CH-DC1-2K8$. This indicates that the target server
failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered
on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that
the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (companyname.LOCAL) is different from the client domain (companyname.LOCAL), check if there are identically
named server accounts in these two domains, or use the fully-qualified name to identify the server.
An Error Event occured. EventID: 0x40000004
Time Generated: 04/27/2015 07:15:20
Event String: The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server Administrator. The target name used was companyname\NA-DC1-2K8$. This indicates that the target server
failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please ensure that the target SPN is registered on, and only registered
on, the account used by the server. This error can also happen when the target service is using a different password for the target service account than what the Kerberos Key Distribution Center (KDC) has for the target service account. Please ensure that
the service on the server and the KDC are both updated to use the current password. If the server name is not fully qualified, and the target domain (companyname.LOCAL) is different from the client domain (companyname.LOCAL), check if there are identically
named server accounts in these two domains, or use the fully-qualified name to identify the server.
......................... CH-DC2-2K8 failed test systemlog
Starting test: VerifyReplicas
......................... CH-DC2-2K8 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference) CN=CH-DC2-2K8,OU=Domain Controllers,DC=companyname,DC=local and
backlink on CN=CH-DC2-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local are correct.
The system object reference (frsComputerReferenceBL) CN=CH-DC2-2K8,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=companyname,DC=local
and backlink on CN=CH-DC2-2K8,OU=Domain Controllers,DC=companyname,DC=local are correct.
The system object reference (serverReferenceBL) CN=CH-DC2-2K8,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=companyname,DC=local
and backlink on CN=NTDS Settings,CN=CH-DC2-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local are correct.
......................... CH-DC2-2K8 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... CH-DC2-2K8 passed test VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC CH-DC1-2K8 for domain companyname.local in site Cardiff
Checking machine account for DC CH-DC2-2K8 on DC CH-DC1-2K8.
* SPN found :LDAP/ch-dc2-2k8.companyname.local/companyname.local
* SPN found :LDAP/ch-dc2-2k8.companyname.local
* SPN found :LDAP/CH-DC2-2K8
* SPN found :LDAP/ch-dc2-2k8.companyname.local/companyname
* SPN found :LDAP/abb03237-e91b-457f-ab16-788d5dc3930e._msdcs.companyname.local
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/abb03237-e91b-457f-ab16-788d5dc3930e/companyname.local
* SPN found :HOST/ch-dc2-2k8.companyname.local/companyname.local
* SPN found :HOST/ch-dc2-2k8.companyname.local
* SPN found :HOST/CH-DC2-2K8
* SPN found :HOST/ch-dc2-2k8.companyname.local/companyname
* SPN found :GC/ch-dc2-2k8.companyname.local/companyname.local
Checking for CN=CH-DC2-2K8,OU=Domain Controllers,DC=companyname,DC=local in domain DC=companyname,DC=local on 2 servers
Object is up-to-date on all servers.
[CH-DC2-2K8] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... CH-DC2-2K8 passed test CheckSecurityError
Testing server: Cardiff\NA-DC1-2K8
Starting test: Replications
* Replications Check
CN=Schema,CN=Configuration,DC=companyname,DC=local has 7 cursors.
CN=Configuration,DC=companyname,DC=local has 7 cursors.
DC=companyname,DC=local has 7 cursors.
* Replication Latency Check
CN=Schema,CN=Configuration,DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
CN=Configuration,DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
DC=companyname,DC=local
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency
information (Win2K DC).
* Replication Site Latency Check
Site Settings = CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site CN=NTDS Site Settings,CN=Edinburgh,CN=Sites,CN=Configuration,DC=companyname,DC=local was skipped
because it never had an ISTG running in it.
Site Settings = CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=companyname,DC=local was skipped because
it never had an ISTG running in it.
Site Settings = CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local
Site CN=NTDS Site Settings,CN=Belfast,CN=Sites,CN=Configuration,DC=companyname,DC=local was skipped
because it never had an ISTG running in it.
Site Settings = CN=NTDS Site Settings,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
[0x904de,v=62271,t=2015-04-27 06:53:19,g=a1d47848-fb4f-497b-a8a2-f11d40b71481,orig=20812365,local=5811333]
Elapsed time (sec) = 1957
......................... NA-DC1-2K8 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... NA-DC1-2K8 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=companyname,DC=local.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... NA-DC1-2K8 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC NA-DC1-2K8.
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=companyname,DC=local
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=companyname,DC=local
(Configuration,Version 2)
* Security Permissions Check for
DC=companyname,DC=local
(Domain,Version 2)
......................... NA-DC1-2K8 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\NA-DC1-2K8\netlogon
Verified share \\NA-DC1-2K8\sysvol
......................... NA-DC1-2K8 passed test NetLogons
Starting test: Advertising
The DC NA-DC1-2K8 is advertising itself as a DC and having a DS.
The DC NA-DC1-2K8 is advertising as an LDAP server
The DC NA-DC1-2K8 is advertising as having a writeable directory
The DC NA-DC1-2K8 is advertising as a Key Distribution Center
The DC NA-DC1-2K8 is advertising as a time server
The DS NA-DC1-2K8 is advertising as a GC.
......................... NA-DC1-2K8 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Domain Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role PDC Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Rid Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
......................... NA-DC1-2K8 passed test KnowsOfRoleHolders
Starting test: RidManager
ridManagerReference = CN=RID Manager$,CN=System,DC=companyname,DC=local
* Available RID Pool for the Domain is 12100 to 1073741823
fSMORoleOwner = CN=NTDS Settings,CN=CH-DC1-2K8,CN=Servers,CN=Cardiff,CN=Sites,CN=Configuration,DC=companyname,DC=local
* ch-dc1-2k8.companyname.local is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=NA-DC1-2K8,OU=Domain Controllers,DC=companyname,DC=local
* rIDAllocationPool is 11600 to 12099
* rIDPreviousAllocationPool is 11600 to 12099
* rIDNextRID: 11673
......................... NA-DC1-2K8 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC NA-DC1-2K8 on DC NA-DC1-2K8.
* SPN found :LDAP/na-dc1-2k8.companyname.local/companyname.local
* SPN found :LDAP/na-dc1-2k8.companyname.local
* SPN found :LDAP/NA-DC1-2K8
* SPN found :LDAP/na-dc1-2k8.companyname.local/companyname
* SPN found :LDAP/2961b38b-570f-4a35-908f-9818a8080c0d._msdcs.companyname.local
April 27th, 2015 2:39am