Replication errors -Builtin\Administrators doesn't have access ri
- From: "marko_b" <markob@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 19 Aug 2005 09:46:03 -0700
I'm getting NTDS KCC errors 1865, 1311 and 1566 on our domain controllers.
The error message complains about site AGFVSite:
Source: NTDS KCC Event ID: 1865
The Knowledge Consistency Checker (KCC) was unable to form a complete
spanning tree network topology. As a result, the following list of sites
cannot be
reached from the local site.
Sites:
CN=ATGVSite,CN=Sites,CN=Configuration,DC=andrew,DC=com
CN=AMCSite,CN=Sites,CN=Configuration,DC=andrew,DC=com
When I ran DCDIAG, I received the following results. I'm particularly
concerned about the NCSecDesc error - how can that be resolved? What does
DCDIAG /fix do?
====================================================
Domain Controller Diagnosis
Performing initial setup:
* Connecting to directory service on server agfvads1.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 85 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: AGFVSite\AGFVADS1
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... AGFVADS1 passed test Connectivity
Doing primary tests
Testing server: AGFVSite\AGFVADS1
Starting test: Replications
* Replications Check
* Replication Latency Check
The replications latency check is not available on this DC.
* Replication Site Latency Check
Site CN=NTDS Site
Settings,CN=WABJSite,CN=Sites,CN=Configuration,DC=andrew,DC=com was
skipped because it never had an ISTG running in it.
<snip - bunch of sites that never had an ISTG running or don't have domain
controllers>
REPLICATION-RECEIVED LATENCY WARNING
Source site: CN=NTDS Site
Settings,CN=AMCSite,CN=Sites,CN=Configuration,DC=andrew,DC=com
Current time: 2005-08-19 09:36:51
Last update time: 2001-04-24 08:39:30
Check if source site has an elected ISTG running.
Check replication from source site to this server.
......................... AGFVADS1 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for
CN=Schema,CN=Configuration,DC=andrew,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for
CN=Configuration,DC=andrew,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=andrew,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... AGFVADS1 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for
CN=Schema,CN=Configuration,DC=andrew,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
CN=Configuration,DC=andrew,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for
DC=andrew,DC=com.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... AGFVADS1 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=andrew,DC=com
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=andrew,DC=com
(Configuration,Version 2)
* Security Permissions Check for
DC=andrew,DC=com
(Domain,Version 2)
Error BUILTIN\Administrators doesn't have
Replicating Directory Changes
Replication Synchronization
Manage Replication Topology
access rights for the naming context:
DC=andrew,DC=com
......................... AGFVADS1 failed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
......................... AGFVADS1 passed test NetLogons
Starting test: Advertising
The DC AGFVADS1 is advertising itself as a DC and having a DS.
The DC AGFVADS1 is advertising as an LDAP server
The DC AGFVADS1 is advertising as having a writeable directory
The DC AGFVADS1 is advertising as a Key Distribution Center
The DC AGFVADS1 is advertising as a time server
The DS AGFVADS1 is advertising as a GC.
......................... AGFVADS1 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=AOPADSNT2,CN=Servers,CN=AOPSite,CN=Sites,CN=Configuration,DC=andrew,DC=com
Role Domain Owner = CN=NTDS
Settings,CN=AOPADSNT1,CN=Servers,CN=AOPSite,CN=Sites,CN=Configuration,DC=andrew,DC=com
Role PDC Owner = CN=NTDS
Settings,CN=AOPADSNT2,CN=Servers,CN=AOPSite,CN=Sites,CN=Configuration,DC=andrew,DC=com
Role Rid Owner = CN=NTDS
Settings,CN=AOPADSNT1,CN=Servers,CN=AOPSite,CN=Sites,CN=Configuration,DC=andrew,DC=com
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=AOPADSNT1,CN=Servers,CN=AOPSite,CN=Sites,CN=Configuration,DC=andrew,DC=com
......................... AGFVADS1 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 121461 to 1073741823
* aopadsnt1.andrew.com is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 82461 to 82960
* rIDNextRID: 82668
* rIDPreviousAllocationPool is 82461 to 82960
......................... AGFVADS1 passed test RidManager
Starting test: MachineAccount
* SPN found :LDAP/agfvads1.andrew.com/andrew.com
* SPN found :LDAP/agfvads1.andrew.com
* SPN found :LDAP/AGFVADS1
* SPN found :LDAP/agfvads1.andrew.com/ANDREW
* SPN found
:LDAP/bd74fe53-75c1-483f-8ee2-d70136cac992._msdcs.andrew.com
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/bd74fe53-75c1-483f-8ee2-d70136cac992/andrew.com
* SPN found :HOST/agfvads1.andrew.com/andrew.com
* SPN found :HOST/agfvads1.andrew.com
* SPN found :HOST/AGFVADS1
* SPN found :HOST/agfvads1.andrew.com/ANDREW
* SPN found :GC/agfvads1.andrew.com/andrew.com
......................... AGFVADS1 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... AGFVADS1 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... AGFVADS1 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
AGFVADS1 is in domain DC=andrew,DC=com
Checking for CN=AGFVADS1,OU=Domain Controllers,DC=andrew,DC=com in
domain DC=andrew,DC=com on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=AGFVADS1,CN=Servers,CN=AGFVSite,CN=Sites,CN=Configuration,DC=andrew,DC=com in domain CN=Configuration,DC=andrew,DC=com on 1 servers
Object is up-to-date on all servers.
......................... AGFVADS1 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... AGFVADS1 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... AGFVADS1 passed test frsevent
Starting test: kccevent
* The KCC Event log test
An Error Event occured. EventID: 0xC000051F
Time Generated: 08/19/2005 09:25:16
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC000051F
Time Generated: 08/19/2005 09:25:16
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC000051F
Time Generated: 08/19/2005 09:29:34
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC000051F
Time Generated: 08/19/2005 09:29:34
(Event String could not be retrieved)
......................... AGFVADS1 failed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... AGFVADS1 passed test systemlog
Starting test: VerifyReplicas
......................... AGFVADS1 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=AGFVADS1,OU=Domain Controllers,DC=andrew,DC=com and backlink on
CN=AGFVADS1,CN=Servers,CN=AGFVSite,CN=Sites,CN=Configuration,DC=andrew,DC=com
are correct.
The system object reference (frsComputerReferenceBL)
CN=AGFVADS1,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=andrew,DC=com
and backlink on CN=AGFVADS1,OU=Domain Controllers,DC=andrew,DC=com
are correct.
The system object reference (serverReferenceBL)
CN=AGFVADS1,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=andrew,DC=com
and backlink on
CN=NTDS
Settings,CN=AGFVADS1,CN=Servers,CN=AGFVSite,CN=Sites,CN=Configuration,DC=andrew,DC=com
are correct.
......................... AGFVADS1 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important
DN references. Note,
that these problems can be reported because of latency in
replication. So follow up to
resolve the following problems, only if the same problem is
reported on all DCs for a
given domain or if the problem persists after replication has had
reasonable time to
replicate changes.
[1] Problem: Missing Expected Value
Base Object: CN=ARMADS1,OU=Domain Controllers,DC=andrew,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "Server Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs
Account Object.
[2] Problem: Missing Expected Value
Base Object: CN=AGRVADS1,OU=Domain Controllers,DC=andrew,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "Server Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs
Account Object.
[3] Problem: Missing Expected Value
Base Object: CN=AGRVADS1,OU=Domain Controllers,DC=andrew,DC=com
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
[4] Problem: Missing Expected Value
Base Object:
CN=ARMADS1,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=andrew,DC=com
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: serverReference
Value Object Description: "DSA Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs
SYSVOL FRS Member Object. Also see Knowledge Base Article
Q312862
[5] Problem: Missing Expected Value
Base Object:
CN=AWPNADS2K1,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=andrew,DC=com
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: serverReference
Value Object Description: "DSA Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs
SYSVOL FRS Member Object. Also see Knowledge Base Article
Q312862
......................... AGFVADS1 failed test
VerifyEnterpriseReferences
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : andrew
Starting test: CrossRefValidation
......................... andrew passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... andrew passed test CheckSDRefDom
Running enterprise tests on : andrew.com
......................... andrew.com passed test Intersite
Starting test: FsmoCheck
GC Name: \\agfvads1.andrew.com
Locator Flags: 0xe00001fc
PDC Name: \\aopadsnt2.andrew.com
Locator Flags: 0xe000017d
Time Server Name: \\agfvads1.andrew.com
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\agfvads1.andrew.com
Locator Flags: 0xe00001fc
KDC Name: \\agfvads1.andrew.com
Locator Flags: 0xe00001fc
......................... andrew.com passed test FsmoCheck
====================================================
.
- Follow-Ups:
- Re: Replication errors -Builtin\Administrators doesn't have access ri
- From: Ace Fekay [MVP]
- Re: Replication errors -Builtin\Administrators doesn't have access ri
- Prev by Date: RE: AD user Import
- Next by Date: gpo access denied
- Previous by thread: AD user Import
- Next by thread: Re: Replication errors -Builtin\Administrators doesn't have access ri
- Index(es):
Relevant Pages
|
Loading
