DNS Nightmare - Can't create forward zone

  • Thread starter: BertramWilberforceWooster
Yahoo! I've managed to get somewhere... I've now got a DNS service with
an AD-integrated forward zone set up.

There are still some worrying items in the output from dcdiag though -
I've included the output below in the hope that someone can shed some
light on my (new?) problem.

================

Command Line: "dcdiag.exe /v /d /c"

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine ag-dbsvr, is a DC.
* Connecting to directory service on server ag-dbsvr.
ag-dbsvr.currentTime = 20060505121831.0Z
ag-dbsvr.highestCommittedUSN = 307279
ag-dbsvr.isSynchronized = 1
ag-dbsvr.isGlobalCatalogReady = 1
* Collecting site info.
* Identifying all servers.
AG-DBSVR.currentTime = 20060505121831.0Z
AG-DBSVR.highestCommittedUSN = 307279
AG-DBSVR.isSynchronized = 1
AG-DBSVR.isGlobalCatalogReady = 1
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.


===============================================Printing out pDsInfo

GLOBAL:
ulNumServers=2
pszRootDomain=mydomain.net
pszNC=
pszRootDomainFQDN=DC=mydomain,DC=net
pszConfigNc=CN=Configuration,DC=mydomain,DC=net
pszPartitionsDn=CN=Partitions,CN=Configuration,DC=mydomain,DC=net
iSiteOptions=0
dwTombstoneLifeTimeDays=60

dwForestBehaviorVersion=0

HomeServer=1, AG-DBSVR

SERVER: pServer[0].pszName=TEMPSVR
pServer[0].pszGuidDNSName=7ae70e6f-3be2-45c3-a013-04661ca67912._msdcs.mydomain.net
pServer[0].pszDNSName=tempsvr.mydomain.net
pServer[0].pszDn=CN=NTDS
Settings,CN=TEMPSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
pServer[0].pszComputerAccountDn=(null)
pServer[0].uuidObjectGuid=7ae70e6f-3be2-45c3-a013-04661ca67912
pServer[0].uuidInvocationId=7ae70e6f-3be2-45c3-a013-04661ca67912
pServer[0].iSite=0 (Default-First-Site-Name)
pServer[0].iOptions=1
pServer[0].ftLocalAcquireTime=00000000 00000000

pServer[0].ftRemoteConnectTime=00000000 00000000

pServer[0].ppszMasterNCs:
ppszMasterNCs[0]=CN=Schema,CN=Configuration,DC=mydomain,DC=net
ppszMasterNCs[1]=CN=Configuration,DC=mydomain,DC=net
ppszMasterNCs[2]=DC=mydomain,DC=net

SERVER: pServer[1].pszName=AG-DBSVR
pServer[1].pszGuidDNSName=1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net
pServer[1].pszDNSName=ag-dbsvr.mydomain.net
pServer[1].pszDn=CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
pServer[1].pszComputerAccountDn=CN=AG-DBSVR,OU=Domain
Controllers,DC=mydomain,DC=net
pServer[1].uuidObjectGuid=1750286d-b0a6-4633-a9d0-63967c9a5fcb
pServer[1].uuidInvocationId=45155c5d-16a3-4ddf-952c-325ec78e6707
pServer[1].iSite=0 (Default-First-Site-Name)
pServer[1].iOptions=1
pServer[1].ftLocalAcquireTime=059f5850 01c6703e

pServer[1].ftRemoteConnectTime=058c4580 01c6703e

pServer[1].ppszMasterNCs:
ppszMasterNCs[0]=CN=Schema,CN=Configuration,DC=mydomain,DC=net
ppszMasterNCs[1]=CN=Configuration,DC=mydomain,DC=net
ppszMasterNCs[2]=DC=mydomain,DC=net

SITES: pSites[0].pszName=Default-First-Site-Name
pSites[0].pszSiteSettings=CN=NTDS Site
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
pSites[0].pszISTG=CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
pSites[0].iSiteOption=0

pSites[0].cServers=2

NC: pNCs[0].pszName=Schema
pNCs[0].pszDn=CN=Schema,CN=Configuration,DC=mydomain,DC=net

pNCs[0].aCrInfo[0].dwFlags=0x00000201
pNCs[0].aCrInfo[0].pszDn=CN=Enterprise
Schema,CN=Partitions,CN=Configuration,DC=mydomain,DC=net
pNCs[0].aCrInfo[0].pszDnsRoot=mydomain.net
pNCs[0].aCrInfo[0].iSourceServer=1
pNCs[0].aCrInfo[0].pszSourceServer=(null)
pNCs[0].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[0].aCrInfo[0].bEnabled=TRUE
pNCs[0].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[0].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[0].aCrInfo[0].pszNetBiosName=(null)
pNCs[0].aCrInfo[0].cReplicas=-1
pNCs[0].aCrInfo[0].aszReplicas=


NC: pNCs[1].pszName=Configuration
pNCs[1].pszDn=CN=Configuration,DC=mydomain,DC=net

pNCs[1].aCrInfo[0].dwFlags=0x00000201
pNCs[1].aCrInfo[0].pszDn=CN=Enterprise
Configuration,CN=Partitions,CN=Configuration,DC=mydomain,DC=net
pNCs[1].aCrInfo[0].pszDnsRoot=mydomain.net
pNCs[1].aCrInfo[0].iSourceServer=1
pNCs[1].aCrInfo[0].pszSourceServer=(null)
pNCs[1].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[1].aCrInfo[0].bEnabled=TRUE
pNCs[1].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[1].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[1].aCrInfo[0].pszNetBiosName=(null)
pNCs[1].aCrInfo[0].cReplicas=-1
pNCs[1].aCrInfo[0].aszReplicas=


NC: pNCs[2].pszName=mydomain
pNCs[2].pszDn=DC=mydomain,DC=net

pNCs[2].aCrInfo[0].dwFlags=0x00000201
pNCs[2].aCrInfo[0].pszDn=CN=IBUSINESS,CN=Partitions,CN=Configuration,DC=mydomain,DC=net
pNCs[2].aCrInfo[0].pszDnsRoot=mydomain.net
pNCs[2].aCrInfo[0].iSourceServer=1
pNCs[2].aCrInfo[0].pszSourceServer=(null)
pNCs[2].aCrInfo[0].ulSystemFlags=0x00000003
pNCs[2].aCrInfo[0].bEnabled=TRUE
pNCs[2].aCrInfo[0].ftWhenCreated=00000000 00000000
pNCs[2].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[2].aCrInfo[0].pszNetBiosName=(null)
pNCs[2].aCrInfo[0].cReplicas=-1
pNCs[2].aCrInfo[0].aszReplicas=


3 NC TARGETS: Schema, Configuration, mydomain,
1 TARGETS: AG-DBSVR,

=============================================Done Printing pDsInfo

Doing initial required tests

Testing server: Default-First-Site-Name\AG-DBSVR
Starting test: Connectivity
* Active Directory LDAP Services Check
Failure Analysis: AG-DBSVR ... OK.
* Active Directory RPC Services Check
......................... AG-DBSVR passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\AG-DBSVR
Starting test: Replications
* Replications Check
CN=Schema,CN=Configuration,DC=mydomain,DC=net has 2 cursors.
[Replications Check,AG-DBSVR] A recent replication attempt
failed:
From TEMPSVR to AG-DBSVR
Naming Context:
CN=Schema,CN=Configuration,DC=mydomain,DC=net
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2006-05-05 12:50:32.
The last success occurred at 2006-04-25 14:58:36.
231 failures have occurred since the last success.
[TEMPSVR] DsBindWithSpnEx() failed with error 1722,
Win32 Error 1722.
Printing RPC Extended Error Info:
Error Record 1, ProcessID is 1128 (DcDiag)
System Time is: 5/5/2006 12:18:52:250
Generating component is 8 (winsock)
Status is 1722: The RPC server is unavailable.

Detection location is 323
Error Record 2, ProcessID is 1128 (DcDiag)
System Time is: 5/5/2006 12:18:52:250
Generating component is 8 (winsock)
Status is 1237: The operation could not be completed. A
retry should be performed.

Detection location is 313
Error Record 3, ProcessID is 1128 (DcDiag)
System Time is: 5/5/2006 12:18:52:250
Generating component is 8 (winsock)
Status is 10060: A connection attempt failed because the
connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to
respond.

Detection location is 311
NumberOfParameters is 3
Long val: 135
Pointer val: 0
Pointer val: 0
Error Record 4, ProcessID is 1128 (DcDiag)
System Time is: 5/5/2006 12:18:52:250
Generating component is 8 (winsock)
Status is 10060: A connection attempt failed because the
connected party did not properly respond after a period of time, or
established connection failed because connected host has failed to
respond.

Detection location is 318
The source remains down. Please check the machine.
CN=Configuration,DC=mydomain,DC=net has 2 cursors.
[Replications Check,AG-DBSVR] A recent replication attempt
failed:
From TEMPSVR to AG-DBSVR
Naming Context: CN=Configuration,DC=mydomain,DC=net
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2006-05-05 12:50:11.
The last success occurred at 2006-04-25 15:29:41.
231 failures have occurred since the last success.
The source remains down. Please check the machine.
DC=mydomain,DC=net has 2 cursors.
[Replications Check,AG-DBSVR] A recent replication attempt
failed:
From TEMPSVR to AG-DBSVR
Naming Context: DC=mydomain,DC=net
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2006-05-05 12:49:50.
The last success occurred at 2006-04-25 15:28:35.
239 failures have occurred since the last success.
The source remains down. Please check the machine.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
AG-DBSVR: Current time is 2006-05-05 13:18:31.
CN=Schema,CN=Configuration,DC=mydomain,DC=net
Last replication recieved from TEMPSVR at 2006-04-25
14:58:36.
CN=Configuration,DC=mydomain,DC=net
Last replication recieved from TEMPSVR at 2006-04-25
15:29:41.
DC=mydomain,DC=net
Last replication recieved from TEMPSVR at 2006-04-25
15:28:35.
* Replication Site Latency Check
Site Settings = CN=NTDS Site
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
[0x904de,v=306,t=2006-05-05
12:39:29,g=45155c5d-16a3-4ddf-952c-325ec78e6707,orig=307254,local=307254]
Elapsed time (sec) = 2363
......................... AG-DBSVR passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... AG-DBSVR passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Analyzing the alive system replication topology for
CN=Configuration,DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Analyzing the alive system replication topology for
DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
......................... AG-DBSVR passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC AG-DBSVR.
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=mydomain,DC=net
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=mydomain,DC=net
(Configuration,Version 2)
* Security Permissions Check for
DC=mydomain,DC=net
(Domain,Version 2)
......................... AG-DBSVR passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\AG-DBSVR\netlogon
Verified share \\AG-DBSVR\sysvol
......................... AG-DBSVR passed test NetLogons
Starting test: Advertising
The DC AG-DBSVR is advertising itself as a DC and having a DS.
The DC AG-DBSVR is advertising as an LDAP server
The DC AG-DBSVR is advertising as having a writeable directory
The DC AG-DBSVR is advertising as a Key Distribution Center
The DC AG-DBSVR is advertising as a time server
The DS AG-DBSVR is advertising as a GC.
......................... AG-DBSVR passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Role Domain Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Role PDC Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Role Rid Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
......................... AG-DBSVR passed test
KnowsOfRoleHolders
Starting test: RidManager
ridManagerReference = CN=RID
Manager$,CN=System,DC=mydomain,DC=net
* Available RID Pool for the Domain is 3863 to 1073741823
fSMORoleOwner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
* ag-dbsvr.mydomain.net is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=AG-DBSVR,OU=Domain
Controllers,DC=mydomain,DC=net
* rIDAllocationPool is 2863 to 3362
* rIDPreviousAllocationPool is 2863 to 3362
* rIDNextRID: 2879
......................... AG-DBSVR passed test RidManager
Starting test: MachineAccount
Checking machine account for DC AG-DBSVR on DC AG-DBSVR.
* SPN found :LDAP/ag-dbsvr.mydomain.net/mydomain.net
* SPN found :LDAP/ag-dbsvr.mydomain.net
* SPN found :LDAP/AG-DBSVR
* SPN found :LDAP/ag-dbsvr.mydomain.net/IBUSINESS
* SPN found
:LDAP/1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/1750286d-b0a6-4633-a9d0-63967c9a5fcb/mydomain.net
* SPN found :HOST/ag-dbsvr.mydomain.net/mydomain.net
* SPN found :HOST/ag-dbsvr.mydomain.net
* SPN found :HOST/AG-DBSVR
* SPN found :HOST/ag-dbsvr.mydomain.net/IBUSINESS
* SPN found :GC/ag-dbsvr.mydomain.net/mydomain.net
......................... AG-DBSVR passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... AG-DBSVR passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... AG-DBSVR passed test
OutboundSecureChannels
Starting test: ObjectsReplicated
AG-DBSVR is in domain DC=mydomain,DC=net
Checking for CN=AG-DBSVR,OU=Domain
Controllers,DC=mydomain,DC=net in domain DC=mydomain,DC=net on 1
servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
in domain CN=Configuration,DC=mydomain,DC=net on 1 servers
Object is up-to-date on all servers.
......................... AG-DBSVR passed test
ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... AG-DBSVR passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
An Warning Event occured. EventID: 0x800034FA
Time Generated: 05/05/2006 12:23:54
(Event String could not be retrieved)
......................... AG-DBSVR failed test frsevent
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000748
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000748
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000748
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
......................... AG-DBSVR failed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 12:52:19
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/ag-dbsvr.mydomain.net. The target name
used was
LDAP/ag-dbsvr.mydomain.net/[email protected].
This indicates that the password used to encrypt
the kerberos service ticket is different than
that on the target server. Commonly, this is due
to identically named machine accounts in the
target realm (mydomain.NET), and the client
realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 12:53:09
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/ag-dbsvr.mydomain.net. The target name
used was cifs/ag-dbsvr.mydomain.net. This
indicates that the password used to encrypt the
kerberos service ticket is different than that on
the target server. Commonly, this is due to
identically named machine accounts in the target
realm (mydomain.NET), and the client realm.
Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 12:55:37
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/ag-dbsvr.mydomain.net. The target name
used was LDAP/AG-DBSVR. This indicates that the
password used to encrypt the kerberos service
ticket is different than that on the target
server. Commonly, this is due to identically
named machine accounts in the target realm
(mydomain.NET), and the client realm.
Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 13:05:23
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/ag-dbsvr.mydomain.net. The target name
used was
LDAP/ag-dbsvr.mydomain.net/mydomain.net.
This indicates that the password used to encrypt
the kerberos service ticket is different than
that on the target server. Commonly, this is due
to identically named machine accounts in the
target realm (mydomain.NET), and the client
realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 13:05:23
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/ag-dbsvr.mydomain.net. The target name
used was
LDAP/ag-dbsvr.mydomain.net/IBUSINESS. This
indicates that the password used to encrypt the
kerberos service ticket is different than that on
the target server. Commonly, this is due to
identically named machine accounts in the target
realm (mydomain.NET), and the client realm.
Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 13:18:52
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/ag-dbsvr.mydomain.net. The target name
used was
LDAP/1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net.
This indicates that the password used to encrypt
the kerberos service ticket is different than
that on the target server. Commonly, this is due
to identically named machine accounts in the
target realm (mydomain.NET), and the client
realm. Please contact your system
administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 13:22:01
Event String: The kerberos client received a
KRB_AP_ERR_MODIFIED error from the server
host/ag-dbsvr.mydomain.net. The target name
used was cifs/AG-DBSVR. This indicates that the
password used to encrypt the kerberos service
ticket is different than that on the target
server. Commonly, this is due to identically
named machine accounts in the target realm
(mydomain.NET), and the client realm.
Please contact your system administrator.
......................... AG-DBSVR failed test systemlog
Starting test: VerifyReplicas
......................... AG-DBSVR passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net and backlink on
CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
are correct.
The system object reference (frsComputerReferenceBL)
CN=AG-DBSVR,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=net
and backlink on
CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net are correct.
The system object reference (serverReferenceBL)
CN=AG-DBSVR,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=net
and backlink on
CN=NTDS Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
are correct.
......................... AG-DBSVR passed test
VerifyReferences
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=TEMPSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Base Object Description: "Server Object"
Value Object Attribute: serverReference
Value Object Description: "DC Account Object"
Recommended Action: This could hamper authentication (and thus
replication, etc). Check if this server is deleted, and if so
clean up this DCs Account Object. If the problem persists and
this is not a deleted DC, authoratively restore the DSA object from
a good copy, for example the DSA on the DSA's home server.

[2] Problem: Missing Expected Value
Base Object:
CN=NTSERVER,OU=Domain Controllers,DC=mydomain,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "Server Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs Account Object.

[3] Problem: Missing Expected Value
Base Object:
CN=NTSERVER,OU=Domain Controllers,DC=mydomain,DC=net
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

[4] Problem: Missing Expected Value
Base Object:
CN=TEMPSVR,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=mydomain,DC=net
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: frsComputerReference
Value Object Description: "DC Account Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs SYSVOL FRS Member Object. Also see Knowledge
Base Article: Q312862


......................... AG-DBSVR failed test
VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
DcDiag: uncaught exception raised, continuing search


===============

Specifically, why on earth is the PDC role not working? I had hoped
that all of these issues would magically disappear once the DNS issue
was rectified!

Thanks again for all your help, and thanks in advance for the help I
hope you're going to give with this one! ;-)

Berty
 
The server "TMPSVR" wasn't demoted gracefully. You need to perform a
metadata cleanup. Also your current DC doesn't look like the PDC owner
(I know you've checked once, but please double check). It doesn't hurt
to seize it again.

Q216498
Q255504
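
The diagnosis above can be read straight out of the dcdiag report. The following is an added example, not part of the original thread: it correlates three signals for a stale domain controller. SAMPLE is an excerpt trimmed from the output posted above; the function names and the choice of signals are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpt trimmed from the dcdiag /v output posted above (line wraps as posted).
SAMPLE = """\
SERVER: pServer[0].pszName=TEMPSVR
pServer[0].pszComputerAccountDn=(null)
SERVER: pServer[1].pszName=AG-DBSVR
pServer[1].pszComputerAccountDn=CN=AG-DBSVR,OU=Domain
Controllers,DC=mydomain,DC=net
From TEMPSVR to AG-DBSVR
Naming Context:
CN=Schema,CN=Configuration,DC=mydomain,DC=net
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2006-05-05 12:50:32.
The last success occurred at 2006-04-25 14:58:36.
231 failures have occurred since the last success.
From TEMPSVR to AG-DBSVR
Naming Context: DC=mydomain,DC=net
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2006-05-05 12:49:50.
The last success occurred at 2006-04-25 15:28:35.
239 failures have occurred since the last success.
[1] Problem: Missing Expected Value

Base Object:

CN=TEMPSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net

Base Object Description: "Server Object"
Value Object Attribute: serverReference
[2] Problem: Missing Expected Value

Base Object:

CN=NTSERVER,OU=Domain Controllers,DC=mydomain,DC=net

Base Object Description: "DC Account Object"
Value Object Attribute Name: serverReferenceBL
"""


def servers_without_account(text):
    """Server names whose pDsInfo entry reports pszComputerAccountDn=(null)."""
    names = dict(re.findall(r"pServer\[(\d+)\]\.pszName=(\S+)", text))
    nulls = re.findall(r"pServer\[(\d+)\]\.pszComputerAccountDn=\(null\)", text)
    return sorted(names[i] for i in nulls if i in names)


def replication_failures(text):
    """Per failing source DC: naming contexts, error codes, highest failure count."""
    pat = re.compile(
        r"From (\S+) to \S+\s+Naming Context:\s*(\S+)\s+"
        r"The replication generated an error \((\d+)\):.*?"
        r"(\d+) failures have occurred", re.S)
    out = defaultdict(lambda: {"ncs": [], "errors": set(), "max_failures": 0})
    for src, nc, err, count in pat.findall(text):
        rec = out[src]
        rec["ncs"].append(nc)
        rec["errors"].add(int(err))
        rec["max_failures"] = max(rec["max_failures"], int(count))
    return dict(out)


def missing_references(text):
    """(base object DN, attribute) for each 'Missing Expected Value' problem."""
    pat = re.compile(
        r"Problem: Missing Expected Value\s+Base Object:\s+(.+?)\s+"
        r"Base Object Description:.*?Value Object Attribute(?: Name)?:\s*(\S+)",
        re.S)
    # Collapse whitespace so a DN wrapped across lines becomes one string again.
    return [(" ".join(dn.split()), attr) for dn, attr in pat.findall(text)]


def stale_dc_signals(text):
    """Map each suspect host name to the report lines that implicate it."""
    signals = defaultdict(set)
    for name in servers_without_account(text):
        signals[name.upper()].add("no computer account in pDsInfo")
    for src in replication_failures(text):
        signals[src.upper()].add("failing replication source")
    for dn, attr in missing_references(text):
        cn = re.match(r"CN=([^,]+)", dn)
        if cn:
            signals[cn.group(1).upper()].add(f"missing {attr}")
    return {name: sorted(why) for name, why in signals.items()}


if __name__ == "__main__":
    for name, why in sorted(stale_dc_signals(SAMPLE).items()):
        print(f"{name}: {'; '.join(why)}")
```

A name implicated by several signals at once (here TEMPSVR) is the one to check for leftover metadata; a name with a single signal (here NTSERVER) still needs the "is this server deleted?" check that dcdiag recommends.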
 
Hi strongline,

I have performed the steps outlined in the KB's you mentioned - things
are looking a bit more positive, however I get the following error when
running dcdiag:


==========
Starting test: FsmoCheck
Warning: DcGetDcName(PDC_REQUIRED) call failed, error 1355
A Primary Domain Controller could not be located.
The server holding the PDC role is down.
.......................... mydomain.net failed test FsmoCheck

====================

This server is in fact the holder of the PDC role, which I have
verified using ntdsutil.

Any suggestions?

Oh, and for some as-yet unknown reason my DNS zone disappeared again
when I rebooted. Resetting the Kerberos password, and restarting
netlogon/DNS brought it back again.

If anyone has any suggestions for me to try over the weekend (God bless
Remote Desktop and VPNs!) please let me know!
 
Hi again...

Please answer this question:

1 - In your first post after the first test for dcdiag, you said that you
finally got the DNS working with AD integrated, right? Please tell us what
you changed to achieve that?


Now:

1- Remove any references to "tempsvr.mydomain.net"; I believe this was the
old server.
use this link:
How to remove data in Active Directory after an unsuccessful domain
controller demotion

http://support.microsoft.com/?scid=kb;en-us;216498&x=6&y=11#XSLTH3140121122120121120120


After this Use the Active Directory Sites and Services MMC snap-in to remove
the server "tempsvr.mydomain.net" object.
VERY IMPORTANT - Next go to the DNS and remove any references to this
server. Or you can delete the DNS zone and recreate it again, using the
steps that I already gave you in previous posts, deleting the netlogon
files, etc...

Reboot the server twice.

Run the tests again..


--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator





The source remains down. Please check the machine.
DC=mydomain,DC=net has 2 cursors.
[Replications Check,AG-DBSVR] A recent replication attempt
failed:
From TEMPSVR to AG-DBSVR
Naming Context: DC=mydomain,DC=net
The replication generated an error (1722):
Win32 Error 1722
The failure occurred at 2006-05-05 12:49:50.
The last success occurred at 2006-04-25 15:28:35.
239 failures have occurred since the last success.
The source remains down. Please check the machine.
* Replication Latency Check
REPLICATION-RECEIVED LATENCY WARNING
AG-DBSVR: Current time is 2006-05-05 13:18:31.
CN=Schema,CN=Configuration,DC=mydomain,DC=net
Last replication recieved from TEMPSVR at 2006-04-25
14:58:36.
CN=Configuration,DC=mydomain,DC=net
Last replication recieved from TEMPSVR at 2006-04-25
15:29:41.
DC=mydomain,DC=net
Last replication recieved from TEMPSVR at 2006-04-25
15:28:35.
* Replication Site Latency Check
Site Settings = CN=NTDS Site
Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
[0x904de,v=306,t=2006-05-05
12:39:29,g=45155c5d-16a3-4ddf-952c-325ec78e6707,orig=307254,local=307254]
Elapsed time (sec) = 2363
......................... AG-DBSVR passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... AG-DBSVR passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Analyzing the alive system replication topology for
CN=Configuration,DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Analyzing the alive system replication topology for
DC=mydomain,DC=net.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error Win32 Error 8440.
......................... AG-DBSVR passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC AG-DBSVR.
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=mydomain,DC=net
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=mydomain,DC=net
(Configuration,Version 2)
* Security Permissions Check for
DC=mydomain,DC=net
(Domain,Version 2)
......................... AG-DBSVR passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\AG-DBSVR\netlogon
Verified share \\AG-DBSVR\sysvol
......................... AG-DBSVR passed test NetLogons
Starting test: Advertising
The DC AG-DBSVR is advertising itself as a DC and having a DS.
The DC AG-DBSVR is advertising as an LDAP server
The DC AG-DBSVR is advertising as having a writeable directory
The DC AG-DBSVR is advertising as a Key Distribution Center
The DC AG-DBSVR is advertising as a time server
The DS AG-DBSVR is advertising as a GC.
......................... AG-DBSVR passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Role Domain Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Role PDC Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Role Rid Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
......................... AG-DBSVR passed test
KnowsOfRoleHolders
Starting test: RidManager
ridManagerReference = CN=RID
Manager$,CN=System,DC=mydomain,DC=net
* Available RID Pool for the Domain is 3863 to 1073741823
fSMORoleOwner = CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
* ag-dbsvr.mydomain.net is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=AG-DBSVR,OU=Domain
Controllers,DC=mydomain,DC=net
* rIDAllocationPool is 2863 to 3362
* rIDPreviousAllocationPool is 2863 to 3362
* rIDNextRID: 2879
......................... AG-DBSVR passed test RidManager
Starting test: MachineAccount
Checking machine account for DC AG-DBSVR on DC AG-DBSVR.
* SPN found :LDAP/ag-dbsvr.mydomain.net/mydomain.net
* SPN found :LDAP/ag-dbsvr.mydomain.net
* SPN found :LDAP/AG-DBSVR
* SPN found :LDAP/ag-dbsvr.mydomain.net/IBUSINESS
* SPN found
:LDAP/1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/1750286d-b0a6-4633-a9d0-63967c9a5fcb/mydomain.net
* SPN found :HOST/ag-dbsvr.mydomain.net/mydomain.net
* SPN found :HOST/ag-dbsvr.mydomain.net
* SPN found :HOST/AG-DBSVR
* SPN found :HOST/ag-dbsvr.mydomain.net/IBUSINESS
* SPN found :GC/ag-dbsvr.mydomain.net/mydomain.net
......................... AG-DBSVR passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... AG-DBSVR passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... AG-DBSVR passed test
OutboundSecureChannels
Starting test: ObjectsReplicated
AG-DBSVR is in domain DC=mydomain,DC=net
Checking for CN=AG-DBSVR,OU=Domain
Controllers,DC=mydomain,DC=net in domain DC=mydomain,DC=net on 1
servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net
in domain CN=Configuration,DC=mydomain,DC=net on 1 servers
Object is up-to-date on all servers.
......................... AG-DBSVR passed test
ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... AG-DBSVR passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours
after the

SYSVOL has been shared. Failing SYSVOL replication problems
may cause

Group Policy problems.
An Warning Event occured. EventID: 0x800034FA
Time Generated: 05/05/2006 12:23:54
(Event String could not be retrieved)
......................... AG-DBSVR failed test frsevent
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000748
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000748
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8025082C
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC0000748
Time Generated: 05/05/2006 13:19:28
(Event String could not be retrieved)
......................... AG-DBSVR failed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 12:52:19
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/ag-dbsvr.mydomain.net. The target name

used was

LDAP/ag-dbsvr.mydomain.net/[email protected].

This indicates that the password used to encrypt

the kerberos service ticket is different than

that on the target server. Commonly, this is due

to identically named machine accounts in the

target realm (mydomain.NET), and the client

realm. Please contact your system

administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 12:53:09
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/ag-dbsvr.mydomain.net. The target name

used was cifs/ag-dbsvr.mydomain.net. This

indicates that the password used to encrypt the

kerberos service ticket is different than that on

the target server. Commonly, this is due to

identically named machine accounts in the target

realm (mydomain.NET), and the client realm.

Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 12:55:37
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/ag-dbsvr.mydomain.net. The target name

used was LDAP/AG-DBSVR. This indicates that the

password used to encrypt the kerberos service

ticket is different than that on the target

server. Commonly, this is due to identically

named machine accounts in the target realm

(mydomain.NET), and the client realm.

Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 13:05:23
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/ag-dbsvr.mydomain.net. The target name

used was

LDAP/ag-dbsvr.mydomain.net/mydomain.net.

This indicates that the password used to encrypt

the kerberos service ticket is different than

that on the target server. Commonly, this is due

to identically named machine accounts in the

target realm (mydomain.NET), and the client

realm. Please contact your system

administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 13:05:23
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/ag-dbsvr.mydomain.net. The target name

used was

LDAP/ag-dbsvr.mydomain.net/IBUSINESS. This

indicates that the password used to encrypt the

kerberos service ticket is different than that on

the target server. Commonly, this is due to

identically named machine accounts in the target

realm (mydomain.NET), and the client realm.

Please contact your system administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 13:18:52
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/ag-dbsvr.mydomain.net. The target name

used was

LDAP/1750286d-b0a6-4633-a9d0-63967c9a5fcb._msdcs.mydomain.net.

This indicates that the password used to encrypt

the kerberos service ticket is different than

that on the target server. Commonly, this is due

to identically named machine accounts in the

target realm (mydomain.NET), and the client

realm. Please contact your system

administrator.
An Error Event occured. EventID: 0x40000004
Time Generated: 05/05/2006 13:22:01
Event String: The kerberos client received a

KRB_AP_ERR_MODIFIED error from the server

host/ag-dbsvr.mydomain.net. The target name

used was cifs/AG-DBSVR. This indicates that the

password used to encrypt the kerberos service

ticket is different than that on the target

server. Commonly, this is due to identically

named machine accounts in the target realm

(mydomain.NET), and the client realm.

Please contact your system administrator.
......................... AG-DBSVR failed test systemlog
Starting test: VerifyReplicas
......................... AG-DBSVR passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net and
backlink

on


CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net

are correct.
The system object reference (frsComputerReferenceBL)

CN=AG-DBSVR,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=mydomain,DC=net

and backlink on

CN=AG-DBSVR,OU=Domain Controllers,DC=mydomain,DC=net are
correct.
The system object reference (serverReferenceBL)

CN=AG-DBSVR,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=mydomain,DC=net

and backlink on

CN=NTDS
Settings,CN=AG-DBSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net

are correct.
......................... AG-DBSVR passed test
VerifyReferences
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various
important DN

references. Note, that these problems can be reported
because of

latency in replication. So follow up to resolve the following

problems, only if the same problem is reported on all DCs for
a given

domain or if the problem persists after replication has had

reasonable time to replicate changes.
[1] Problem: Missing Expected Value

Base Object:


CN=TEMPSVR,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=mydomain,DC=net

Base Object Description: "Server Object"

Value Object Attribute: serverReference

Value Object Description: "DC Account Object"

Recommended Action: This could hamper authentication (and
thus

replication, etc). Check if this server is deleted, and
if so

clean up this DCs Account Object. If the problem persists
and

this is not a deleted DC, authoratively restore the DSA
object from

a good copy, for example the DSA on the DSA's home server.


[2] Problem: Missing Expected Value

Base Object:

CN=NTSERVER,OU=Domain Controllers,DC=mydomain,DC=net

Base Object Description: "DC Account Object"

Value Object Attribute Name: serverReferenceBL

Value Object Description: "Server Object"

Recommended Action: Check if this server is deleted, and
if so

clean up this DCs Account Object.


[3] Problem: Missing Expected Value

Base Object:

CN=NTSERVER,OU=Domain Controllers,DC=mydomain,DC=net

Base Object Description: "DC Account Object"

Value Object Attribute Name: frsComputerReferenceBL

Value Object Description: "SYSVOL FRS Member Object"

Recommended Action: See Knowledge Base Article: Q312862


[4] Problem: Missing Expected Value

Base Object:

CN=TEMPSVR,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=mydomain,DC=net

Base Object Description: "SYSVOL FRS Member Object"

Value Object Attribute Name: frsComputerReference

Value Object Description: "DC Account Object"

Recommended Action: Check if this server is deleted, and
if so

clean up this DCs SYSVOL FRS Member Object. Also see
Knowledge

Base Article: Q312862


......................... AG-DBSVR failed test
VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
DcDiag: uncaught exception raised, continuing search


===============

Specifically, why on earth is the PDC role not working? I had hoped
that all of these issues would magically disappear once the DNS issue
was rectified!

Thanks again for all your help, and thanks in advance for the help I
hope you're going to give with this one! ;-)

Berty
 
Hi again!

What finally resolved the DNS issue appears to be resetting the
Kerberos password by running netdom resetpasswd. Upon rebooting the
machine, then starting and stopping netlogon and DNS, the correct
forward zone entries were automatically created.

The problem is not entirely resolved, as I have actually had to do this
again over the weekend, as the problem reared its ugly head again.

I have followed your instructions and removed any references to
tmpserver - I will reboot it twice shortly.

Apropos the Kerberos problem... do you think this is related to the
references to tmpserver? Should it be permanently resolved now that
these references have been removed?

Your help and persistence with this problem are enormously appreciated
- you've saved me pulling out a lot of my hair. You are a credit and
example to this newsgroup and the internet in general.

Thanks again,

Berty
 
Hi

What problems are you having now?

Is the DNS problem solved?



--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator
 
Hi Jorge,

Sorry for the delay in replying, I've been away from the office. The
DNS problem I initially reported has been resolved, thanks for your
help with that. I'm having another problem which is probably best left
for another thread... hope to see you there! :-)

Thanks,

Berty
 
Any time.

Can you share with us how you solved it?

--
I hope that helps

Good Luck
Jorge Silva
MCSA
Systems Administrator
 
Okay, this is a long shot, but I have this exact same problem and I read far enough on how to "maybe" fix this. Once I made a new install of Windows Server 2008 R2, the problem was right there even with a clean format. I just need to know how exactly you reset the Kerberos password, because I cannot find any useful information on it and how to do it.
 