Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

FSMO Transfer

Status
Not open for further replies.

deibertine

IS-IT--Management
Jan 28, 2011
4
US
Hi there,

I am being tasked on transferring FSMO roles to remove dependencies on a legacy network.

Basically the goal is to transfer FSMO to this new active directory domain and totally decommission legacy dc controllers.

Here's how the legacy is setup:

- All are in Windows 2003 server standard edition - 3 domain controllers DC1 DC2 DC3

- DC1 = global catalog, schema, domain master, pdc emulator, rid master, infrastucture master

- DC2 and DC3 = global catalog

Here's how the new domain controller is setup:
- Windows 2003 server standard edition - 2 domain controllers DC1new and DC2new

Current Replication Scheme:

- Legacy DC1,DC2,DC3 are replicating from/to New DC1new domain controller

- New DC1new is replicating from/to Legacy DC1,DC2,DC3

- DC2new not setup to anything

Questions:

1. What are pertinent parameters do I need to check before doing a FSMO role transfer?

3. Any issues that I need to be aware of before doing a FSMO transfer for pre-caution?

Here's the output after running a DCdiag on my dc:


Any advise is much appreciated mates.

Cheers!
DB
 
Here's the dcdiag results below.

DC2new is not doing anything right now, not setup for anything. Just a standalone windows 2003 server (local). Planning to make this as a secondary GC after doing the fsmo transfer to DC1new.

Here are the steps I'm going to do:
1. After transferring FSMO roles to DC1new and replication is done from legacy dc's, I will make DC2new as a member server

2. I will make DC2new as an additional global catalog server

3. Shutdown/retire/demote all legacy domain controllers and operate as normal with new DCs (DC1new and DC2new) - Done.

Can you pls tell me if this is the correct path that I should take for DC1new and DC2new domain controllers?

Pls adviso mate if I'm missing steps that I need in order for the new infrastructure to work as normal without affecting current production.

Cheers,
DB

DCDIAG Results:

Command Line: "dcdiag.exe /v /c /d /e /s:dcsrv1.csaa.corp"
Domain Controller Diagnosis

Performing initial setup:
* Connecting to directory service on server dcsrv1.csaa.corp.
dcsrv1.csaa.corp.currentTime = 20110127230651.0Z
dcsrv1.csaa.corp.highestCommittedUSN = 54811029
dcsrv1.csaa.corp.isSynchronized = 1
dcsrv1.csaa.corp.isGlobalCatalogReady = 1
* Collecting site info.
* Identifying all servers.
dcsrv1.currentTime = 20110127230651.0Z
dcsrv1.highestCommittedUSN = 54811029
dcsrv1.isSynchronized = 1
dcsrv1.isGlobalCatalogReady = 1
* Identifying all NC cross-refs.
* Found 6 DC(s). Testing 6 of them.
Done gathering initial info.


===============================================Printing out pDsInfo

GLOBAL:
ulNumServers=6
pszRootDomain=csaa.corp
pszNC=
pszRootDomainFQDN=DC=csaa,DC=corp
pszConfigNc=CN=Configuration,DC=csaa,DC=corp
pszPartitionsDn=CN=Partitions,CN=Configuration,DC=csaa,DC=corp
iSiteOptions=0
dwTombstoneLifeTimeDays=60

dwForestBehaviorVersion=2

HomeServer=1, dcsrv1

SERVER: pServer[0].pszName=BRIT44559vsi001
pServer[0].pszGuidDNSName=9ceb381d-5494-49e0-b3d1-e54992b2b02d._msdcs.csaa.corp
pServer[0].pszDNSName=BRIT44559vsi001.csaa.corp
pServer[0].pszDn=CN=NTDS Settings,CN=BRIT44559vsi001,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=csaa,DC=corp
pServer[0].pszComputerAccountDn=CN=BRIT44559vsi001,OU=Domain Controllers,DC=csaa,DC=corp
pServer[0].uuidObjectGuid=9ceb381d-5494-49e0-b3d1-e54992b2b02d
pServer[0].uuidInvocationId=c08f02cf-ab74-4630-b08e-da0d6dbefca1
pServer[0].iSite=0 (London)
pServer[0].iOptions=1
pServer[0].ftLocalAcquireTime=00000000 00000000

pServer[0].ftRemoteConnectTime=00000000 00000000

pServer[0].ppszMasterNCs:
ppszMasterNCs[0]=DC=ForestDnsZones,DC=csaa,DC=corp
ppszMasterNCs[1]=DC=DomainDnsZones,DC=csaa,DC=corp
ppszMasterNCs[2]=CN=Schema,CN=Configuration,DC=csaa,DC=corp
ppszMasterNCs[3]=CN=Configuration,DC=csaa,DC=corp
ppszMasterNCs[4]=DC=csaa,DC=corp

SERVER: pServer[1].pszName=dcsrv1
pServer[1].pszGuidDNSName=18f4d083-a97d-48c8-983e-d94a3ebccb04._msdcs.csaa.corp
pServer[1].pszDNSName=dcsrv1.csaa.corp
pServer[1].pszDn=CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
pServer[1].pszComputerAccountDn=CN=dcsrv1,OU=Domain Controllers,DC=csaa,DC=corp
pServer[1].uuidObjectGuid=18f4d083-a97d-48c8-983e-d94a3ebccb04
pServer[1].uuidInvocationId=b9340289-7141-4901-b5f4-a122cf94e416
pServer[1].iSite=1 (Brit)
pServer[1].iOptions=1
pServer[1].ftLocalAcquireTime=e2207f30 01cbbe76

pServer[1].ftRemoteConnectTime=e1913780 01cbbe76

pServer[1].ppszMasterNCs:
ppszMasterNCs[0]=DC=ForestDnsZones,DC=csaa,DC=corp
ppszMasterNCs[1]=DC=DomainDnsZones,DC=csaa,DC=corp
ppszMasterNCs[2]=CN=Schema,CN=Configuration,DC=csaa,DC=corp
ppszMasterNCs[3]=CN=Configuration,DC=csaa,DC=corp
ppszMasterNCs[4]=DC=csaa,DC=corp

SERVER: pServer[2].pszName=dcsrv2
pServer[2].pszGuidDNSName=ec3bb02a-2577-4246-8155-9b5c8a1ad18a._msdcs.csaa.corp
pServer[2].pszDNSName=dcsrv2.csaa.corp
pServer[2].pszDn=CN=NTDS Settings,CN=dcsrv2,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
pServer[2].pszComputerAccountDn=CN=dcsrv2,OU=Domain Controllers,DC=csaa,DC=corp
pServer[2].uuidObjectGuid=ec3bb02a-2577-4246-8155-9b5c8a1ad18a
pServer[2].uuidInvocationId=cdda76da-fd73-43ee-9e49-1bc810cc0bd8
pServer[2].iSite=1 (Brit)
pServer[2].iOptions=1
pServer[2].ftLocalAcquireTime=00000000 00000000

pServer[2].ftRemoteConnectTime=00000000 00000000

pServer[2].ppszMasterNCs:
ppszMasterNCs[0]=DC=ForestDnsZones,DC=csaa,DC=corp
ppszMasterNCs[1]=DC=DomainDnsZones,DC=csaa,DC=corp
ppszMasterNCs[2]=CN=Schema,CN=Configuration,DC=csaa,DC=corp
ppszMasterNCs[3]=CN=Configuration,DC=csaa,DC=corp
ppszMasterNCs[4]=DC=csaa,DC=corp

SERVER: pServer[3].pszName=dcsrv3
pServer[3].pszGuidDNSName=34bc71dd-43f1-4a63-86d2-8867b5fe9f31._msdcs.csaa.corp
pServer[3].pszDNSName=dcsrv3.csaa.corp
pServer[3].pszDn=CN=NTDS Settings,CN=dcsrv3,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
pServer[3].pszComputerAccountDn=CN=dcsrv3,OU=Domain Controllers,DC=csaa,DC=corp
pServer[3].uuidObjectGuid=34bc71dd-43f1-4a63-86d2-8867b5fe9f31
pServer[3].uuidInvocationId=a6a829f9-6d1a-40b0-b781-1dd6e1ce7781
pServer[3].iSite=1 (Brit)
pServer[3].iOptions=1
pServer[3].ftLocalAcquireTime=00000000 00000000

pServer[3].ftRemoteConnectTime=00000000 00000000

pServer[3].ppszMasterNCs:
ppszMasterNCs[0]=DC=ForestDnsZones,DC=csaa,DC=corp
ppszMasterNCs[1]=DC=DomainDnsZones,DC=csaa,DC=corp
ppszMasterNCs[2]=CN=Schema,CN=Configuration,DC=csaa,DC=corp
ppszMasterNCs[3]=CN=Configuration,DC=csaa,DC=corp
ppszMasterNCs[4]=DC=csaa,DC=corp

SERVER: pServer[4].pszName=dcitsrv1
pServer[4].pszGuidDNSName=bf475d01-77d0-4a41-9624-7780ac336cf5._msdcs.csaa.corp
pServer[4].pszDNSName=dcitsrv1.csaa.corp
pServer[4].pszDn=CN=NTDS Settings,CN=dcitsrv1,CN=Servers,CN=Italy,CN=Sites,CN=Configuration,DC=csaa,DC=corp
pServer[4].pszComputerAccountDn=CN=dcitsrv1,OU=Domain Controllers,DC=csaa,DC=corp
pServer[4].uuidObjectGuid=bf475d01-77d0-4a41-9624-7780ac336cf5
pServer[4].uuidInvocationId=6efb5269-4de3-44c4-8071-f35f3fd17788
pServer[4].iSite=2 (Italy)
pServer[4].iOptions=1
pServer[4].ftLocalAcquireTime=00000000 00000000

pServer[4].ftRemoteConnectTime=00000000 00000000

pServer[4].ppszMasterNCs:
ppszMasterNCs[0]=DC=ForestDnsZones,DC=csaa,DC=corp
ppszMasterNCs[1]=DC=DomainDnsZones,DC=csaa,DC=corp
ppszMasterNCs[2]=CN=Schema,CN=Configuration,DC=csaa,DC=corp
ppszMasterNCs[3]=CN=Configuration,DC=csaa,DC=corp
ppszMasterNCs[4]=DC=csaa,DC=corp

SERVER: pServer[5].pszName=dcitsrv2
pServer[5].pszGuidDNSName=db60f4f2-0c07-4ef3-b332-36e9f71a70bb._msdcs.csaa.corp
pServer[5].pszDNSName=dcitsrv2.csaa.corp
pServer[5].pszDn=CN=NTDS Settings,CN=dcitsrv2,CN=Servers,CN=Italy,CN=Sites,CN=Configuration,DC=csaa,DC=corp
pServer[5].pszComputerAccountDn=CN=dcitsrv2,OU=Domain Controllers,DC=csaa,DC=corp
pServer[5].uuidObjectGuid=db60f4f2-0c07-4ef3-b332-36e9f71a70bb
pServer[5].uuidInvocationId=91410341-f2be-4948-a760-245c2ba73c5c
pServer[5].iSite=2 (Italy)
pServer[5].iOptions=1
pServer[5].ftLocalAcquireTime=00000000 00000000

pServer[5].ftRemoteConnectTime=00000000 00000000

pServer[5].ppszMasterNCs:
ppszMasterNCs[0]=DC=ForestDnsZones,DC=csaa,DC=corp
ppszMasterNCs[1]=DC=DomainDnsZones,DC=csaa,DC=corp
ppszMasterNCs[2]=CN=Schema,CN=Configuration,DC=csaa,DC=corp
ppszMasterNCs[3]=CN=Configuration,DC=csaa,DC=corp
ppszMasterNCs[4]=DC=csaa,DC=corp

SITES: pSites[0].pszName=London
pSites[0].pszSiteSettings=CN=NTDS Site Settings,CN=London,CN=Sites,CN=Configuration,DC=csaa,DC=corp
pSites[0].pszISTG=CN=NTDS Settings,CN=BRIT44559vsi001,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=csaa,DC=corp
pSites[0].iSiteOption=0

pSites[0].cServers=1

SITES: pSites[1].pszName=Brit
pSites[1].pszSiteSettings=CN=NTDS Site Settings,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
pSites[1].pszISTG=CN=NTDS Settings,CN=dcsrv3,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
pSites[1].iSiteOption=0

pSites[1].cServers=3

SITES: pSites[2].pszName=Italy
pSites[2].pszSiteSettings=CN=NTDS Site Settings,CN=Italy,CN=Sites,CN=Configuration,DC=csaa,DC=corp
pSites[2].pszISTG=CN=NTDS Settings,CN=dcitsrv2,CN=Servers,CN=Italy,CN=Sites,CN=Configuration,DC=csaa,DC=corp
pSites[2].iSiteOption=0

pSites[2].cServers=2

NC: pNCs[0].pszName=ForestDnsZones
pNCs[0].pszDn=DC=ForestDnsZones,DC=csaa,DC=corp

pNCs[0].aCrInfo[0].dwFlags=0x00000201
pNCs[0].aCrInfo[0].pszDn=CN=dfa89ea7-bee3-41c5-9da1-09d3da03c42a,CN=Partitions,CN=Configuration,DC=csaa,DC=corp
pNCs[0].aCrInfo[0].pszDnsRoot=ForestDnsZones.csaa.corp
pNCs[0].aCrInfo[0].iSourceServer=1
pNCs[0].aCrInfo[0].pszSourceServer=(null)
pNCs[0].aCrInfo[0].ulSystemFlags=0x00000005
pNCs[0].aCrInfo[0].bEnabled=TRUE
pNCs[0].aCrInfo[0].ftWhenCreated=00000000 00000000 pNCs[0].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[0].aCrInfo[0].pszNetBiosName=(null)
pNCs[0].aCrInfo[0].cReplicas=-1
pNCs[0].aCrInfo[0].aszReplicas=


NC: pNCs[1].pszName=DomainDnsZones
pNCs[1].pszDn=DC=DomainDnsZones,DC=csaa,DC=corp

pNCs[1].aCrInfo[0].dwFlags=0x00000201
pNCs[1].aCrInfo[0].pszDn=CN=8277eb8d-7a43-4416-8489-5d68f911d6da,CN=Partitions,CN=Configuration,DC=csaa,DC=corp
pNCs[1].aCrInfo[0].pszDnsRoot=DomainDnsZones.csaa.corp
pNCs[1].aCrInfo[0].iSourceServer=1
pNCs[1].aCrInfo[0].pszSourceServer=(null)
pNCs[1].aCrInfo[0].ulSystemFlags=0x00000005
pNCs[1].aCrInfo[0].bEnabled=TRUE
pNCs[1].aCrInfo[0].ftWhenCreated=00000000 00000000 pNCs[1].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[1].aCrInfo[0].pszNetBiosName=(null)
pNCs[1].aCrInfo[0].cReplicas=-1
pNCs[1].aCrInfo[0].aszReplicas=


NC: pNCs[2].pszName=Schema
pNCs[2].pszDn=CN=Schema,CN=Configuration,DC=csaa,DC=corp

pNCs[2].aCrInfo[0].dwFlags=0x00000201
pNCs[2].aCrInfo[0].pszDn=CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=csaa,DC=corp
pNCs[2].aCrInfo[0].pszDnsRoot=csaa.corp
pNCs[2].aCrInfo[0].iSourceServer=1
pNCs[2].aCrInfo[0].pszSourceServer=(null)
pNCs[2].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[2].aCrInfo[0].bEnabled=TRUE
pNCs[2].aCrInfo[0].ftWhenCreated=00000000 00000000 pNCs[2].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[2].aCrInfo[0].pszNetBiosName=(null)
pNCs[2].aCrInfo[0].cReplicas=-1
pNCs[2].aCrInfo[0].aszReplicas=


NC: pNCs[3].pszName=Configuration
pNCs[3].pszDn=CN=Configuration,DC=csaa,DC=corp

pNCs[3].aCrInfo[0].dwFlags=0x00000201
pNCs[3].aCrInfo[0].pszDn=CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=csaa,DC=corp
pNCs[3].aCrInfo[0].pszDnsRoot=csaa.corp
pNCs[3].aCrInfo[0].iSourceServer=1
pNCs[3].aCrInfo[0].pszSourceServer=(null)
pNCs[3].aCrInfo[0].ulSystemFlags=0x00000001
pNCs[3].aCrInfo[0].bEnabled=TRUE
pNCs[3].aCrInfo[0].ftWhenCreated=00000000 00000000 pNCs[3].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[3].aCrInfo[0].pszNetBiosName=(null)
pNCs[3].aCrInfo[0].cReplicas=-1
pNCs[3].aCrInfo[0].aszReplicas=


NC: pNCs[4].pszName=csaa
pNCs[4].pszDn=DC=csaa,DC=corp

pNCs[4].aCrInfo[0].dwFlags=0x00000201
pNCs[4].aCrInfo[0].pszDn=CN=csaa,CN=Partitions,CN=Configuration,DC=csaa,DC=corp
pNCs[4].aCrInfo[0].pszDnsRoot=csaa.corp
pNCs[4].aCrInfo[0].iSourceServer=1
pNCs[4].aCrInfo[0].pszSourceServer=(null)
pNCs[4].aCrInfo[0].ulSystemFlags=0x00000003
pNCs[4].aCrInfo[0].bEnabled=TRUE
pNCs[4].aCrInfo[0].ftWhenCreated=00000000 00000000 pNCs[4].aCrInfo[0].pszSDReferenceDomain=(null)
pNCs[4].aCrInfo[0].pszNetBiosName=(null)
pNCs[4].aCrInfo[0].cReplicas=-1
pNCs[4].aCrInfo[0].aszReplicas=


5 NC TARGETS: ForestDnsZones, DomainDnsZones, Schema, Configuration, csaa,
6 TARGETS: BRIT44559vsi001, dcsrv1, dcsrv2, dcsrv3, dcitsrv1, dcitsrv2,

=============================================Done Printing pDsInfo

Doing initial required tests

Testing server: London\BRIT44559vsi001
Starting test: Connectivity
* Active Directory LDAP Services Check
BRIT44559vsi001.currentTime = 20110127230652.0Z
BRIT44559vsi001.highestCommittedUSN = 12983695
BRIT44559vsi001.isSynchronized = 1
BRIT44559vsi001.isGlobalCatalogReady = 1
Failure Analysis: BRIT44559vsi001 ... OK.
* Active Directory RPC Services Check
......................... BRIT44559vsi001 passed test Connectivity

Testing server: Brit\dcsrv1
Starting test: Connectivity
* Active Directory LDAP Services Check
Failure Analysis: dcsrv1 ... OK.
* Active Directory RPC Services Check
......................... dcsrv1 passed test Connectivity

Testing server: Brit\dcsrv2
Starting test: Connectivity
* Active Directory LDAP Services Check
dcsrv2.currentTime = 20110127230652.0Z
dcsrv2.highestCommittedUSN = 52469186
dcsrv2.isSynchronized = 1
dcsrv2.isGlobalCatalogReady = 1
Failure Analysis: dcsrv2 ... OK.
* Active Directory RPC Services Check
......................... dcsrv2 passed test Connectivity

Testing server: Brit\dcsrv3
Starting test: Connectivity
* Active Directory LDAP Services Check
dcsrv3.currentTime = 20110127230652.0Z
dcsrv3.highestCommittedUSN = 43961339
dcsrv3.isSynchronized = 1
dcsrv3.isGlobalCatalogReady = 1
Failure Analysis: dcsrv3 ... OK.
* Active Directory RPC Services Check
......................... dcsrv3 passed test Connectivity

Testing server: Italy\dcitsrv1
Starting test: Connectivity
* Active Directory LDAP Services Check
dcitsrv1.currentTime = 20110127230653.0Z
dcitsrv1.highestCommittedUSN = 4479172
dcitsrv1.isSynchronized = 1
dcitsrv1.isGlobalCatalogReady = 1
Failure Analysis: dcitsrv1 ... OK.
* Active Directory RPC Services Check
......................... dcitsrv1 passed test Connectivity

Testing server: Italy\dcitsrv2
Starting test: Connectivity
* Active Directory LDAP Services Check
dcitsrv2.currentTime = 20110127230654.0Z
dcitsrv2.highestCommittedUSN = 3894030
dcitsrv2.isSynchronized = 1
dcitsrv2.isGlobalCatalogReady = 1
Failure Analysis: dcitsrv2 ... OK.
* Active Directory RPC Services Check
......................... dcitsrv2 passed test Connectivity

Doing primary tests

Testing server: London\BRIT44559vsi001
Starting test: Replications
* Replications Check
DC=ForestDnsZones,DC=csaa,DC=corp has 11 cursors.
DC=DomainDnsZones,DC=csaa,DC=corp has 12 cursors.
CN=Schema,CN=Configuration,DC=csaa,DC=corp has 12 cursors.
CN=Configuration,DC=csaa,DC=corp has 12 cursors.
DC=csaa,DC=corp has 12 cursors.
* Replication Latency Check
DC=ForestDnsZones,DC=csaa,DC=corp
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=csaa,DC=corp
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=csaa,DC=corp
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=csaa,DC=corp
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=csaa,DC=corp
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... BRIT44559vsi001 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... BRIT44559vsi001 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... BRIT44559vsi001 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC BRIT44559vsi001.
* Security Permissions Check for
DC=ForestDnsZones,DC=csaa,DC=corp
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=csaa,DC=corp
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=csaa,DC=corp
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=csaa,DC=corp
(Configuration,Version 2)
* Security Permissions Check for
DC=csaa,DC=corp
(Domain,Version 2)
......................... BRIT44559vsi001 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\BRIT44559vsi001\netlogon
Verified share \\BRIT44559vsi001\sysvol
......................... BRIT44559vsi001 passed test NetLogons
Starting test: Advertising
The DC BRIT44559vsi001 is advertising itself as a DC and having a DS.
The DC BRIT44559vsi001 is advertising as an LDAP server
The DC BRIT44559vsi001 is advertising as having a writeable directory
The DC BRIT44559vsi001 is advertising as a Key Distribution Center
The DC BRIT44559vsi001 is advertising as a time server
The DS BRIT44559vsi001 is advertising as a GC.
......................... BRIT44559vsi001 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
Role Domain Owner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
Role PDC Owner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
Role Rid Owner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
Role Infrastructure Update Owner = CN=NTDS Settings,CN=dcsrv2,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
......................... BRIT44559vsi001 passed test KnowsOfRoleHolders
Starting test: RidManager
ridManagerReference = CN=RID Manager$,CN=System,DC=csaa,DC=corp
* Available RID Pool for the Domain is 14830 to 1073741823
fSMORoleOwner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
* dcsrv1.csaa.corp is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=BRIT44559vsi001,OU=Domain Controllers,DC=csaa,DC=corp
* rIDAllocationPool is 8330 to 8829
* rIDPreviousAllocationPool is 8330 to 8829
* rIDNextRID: 8338
......................... BRIT44559vsi001 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC BRIT44559vsi001 on DC BRIT44559vsi001.
* SPN found :LDAP/BRIT44559vsi001.csaa.corp/csaa.corp
* SPN found :LDAP/BRIT44559vsi001.csaa.corp
* SPN found :LDAP/BRIT44559vsi001
* SPN found :LDAP/BRIT44559vsi001.csaa.corp/csaa
* SPN found :LDAP/9ceb381d-5494-49e0-b3d1-e54992b2b02d._msdcs.csaa.corp
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/9ceb381d-5494-49e0-b3d1-e54992b2b02d/csaa.corp
* SPN found :HOST/BRIT44559vsi001.csaa.corp/csaa.corp
* SPN found :HOST/BRIT44559vsi001.csaa.corp
* SPN found :HOST/BRIT44559vsi001
* SPN found :HOST/BRIT44559vsi001.csaa.corp/csaa
* SPN found :GC/BRIT44559vsi001.csaa.corp/csaa.corp
......................... BRIT44559vsi001 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... BRIT44559vsi001 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... BRIT44559vsi001 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
BRIT44559vsi001 is in domain DC=csaa,DC=corp
Checking for CN=BRIT44559vsi001,OU=Domain Controllers,DC=csaa,DC=corp in domain DC=csaa,DC=corp on 6 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=BRIT44559vsi001,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=csaa,DC=corp in domain CN=Configuration,DC=csaa,DC=corp on 6 servers
Object is up-to-date on all servers.
......................... BRIT44559vsi001 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... BRIT44559vsi001 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may cause

Group Policy problems.
An Warning Event occured. EventID: 0x800034C4
Time Generated: 01/26/2011 17:20:30
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 01/26/2011 22:24:35
(Event String could not be retrieved)
......................... BRIT44559vsi001 failed test frsevent
Starting test: kccevent
* The KCC Event log test
An Warning Event occured. EventID: 0x8000061E
Time Generated: 01/27/2011 14:57:47
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC000051F
Time Generated: 01/27/2011 14:57:47
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000749
Time Generated: 01/27/2011 14:57:47
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8000061E
Time Generated: 01/27/2011 14:57:47
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC000051F
Time Generated: 01/27/2011 14:57:47
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000749
Time Generated: 01/27/2011 14:57:47
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8000061E
Time Generated: 01/27/2011 14:57:47
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC000051F
Time Generated: 01/27/2011 14:57:47
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000749
Time Generated: 01/27/2011 14:57:47
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x8000061E
Time Generated: 01/27/2011 14:57:47
(Event String could not be retrieved)
An Error Event occured. EventID: 0xC000051F
Time Generated: 01/27/2011 14:57:47
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000749
Time Generated: 01/27/2011 14:57:47
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000785
Time Generated: 01/27/2011 14:57:48
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x80000785
Time Generated: 01/27/2011 14:57:49
(Event String could not be retrieved)
......................... BRIT44559vsi001 failed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... BRIT44559vsi001 passed test systemlog
Starting test: VerifyReplicas
......................... BRIT44559vsi001 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=BRIT44559vsi001,OU=Domain Controllers,DC=csaa,DC=corp and

backlink on

CN=BRIT44559vsi001,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=csaa,DC=corp

are correct.
The system object reference (frsComputerReferenceBL)

CN=BRIT44559vsi001,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=csaa,DC=corp

and backlink on

CN=BRIT44559vsi001,OU=Domain Controllers,DC=csaa,DC=corp are

correct.
The system object reference (serverReferenceBL)

CN=BRIT44559vsi001,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=csaa,DC=corp

and backlink on

CN=NTDS Settings,CN=BRIT44559vsi001,CN=Servers,CN=London,CN=Sites,CN=Configuration,DC=csaa,DC=corp

are correct.
......................... BRIT44559vsi001 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN

references. Note, that these problems can be reported because of

latency in replication. So follow up to resolve the following

problems, only if the same problem is reported on all DCs for a given

domain or if the problem persists after replication has had

reasonable time to replicate changes.
[1] Problem: Missing Expected Value

Base Object:

CN=SECOND,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=csaa,DC=corp

Base Object Description: "SYSVOL FRS Member Object"

Value Object Attribute Name: frsComputerReference

Value Object Description: "DC Account Object"

Recommended Action: Check if this server is deleted, and if so

clean up this DCs SYSVOL FRS Member Object. Also see Knowledge

Base Article: Q312862


[2] Problem: Missing Expected Value

Base Object:

CN=SECOND,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=csaa,DC=corp

Base Object Description: "SYSVOL FRS Member Object"

Value Object Attribute Name: serverReference

Value Object Description: "DSA Object"

Recommended Action: Check if this server is deleted, and if so

clean up this DCs SYSVOL FRS Member Object. Also see Knowledge

Base Article Q312862


......................... BRIT44559vsi001 failed test VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC BRIT44559vsi001 for domain csaa.corp in site London
Checking machine account for DC BRIT44559vsi001 on DC BRIT44559vsi001.
* SPN found :LDAP/BRIT44559vsi001.csaa.corp/csaa.corp
* SPN found :LDAP/BRIT44559vsi001.csaa.corp
* SPN found :LDAP/BRIT44559vsi001
* SPN found :LDAP/BRIT44559vsi001.csaa.corp/csaa
* SPN found :LDAP/9ceb381d-5494-49e0-b3d1-e54992b2b02d._msdcs.csaa.corp
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/9ceb381d-5494-49e0-b3d1-e54992b2b02d/csaa.corp
* SPN found :HOST/BRIT44559vsi001.csaa.corp/csaa.corp
* SPN found :HOST/BRIT44559vsi001.csaa.corp
* SPN found :HOST/BRIT44559vsi001
* SPN found :HOST/BRIT44559vsi001.csaa.corp/csaa
* SPN found :GC/BRIT44559vsi001.csaa.corp/csaa.corp
Source DC dcitsrv2 has possible security error (1722). Diagnosing...
Found KDC dcitsrv1 for domain csaa.corp in site Italy
Checking time skew between servers:
dcitsrv2
dcitsrv1
BRIT44559vsi001
Getting time for \\dcitsrv2.csaa.corp
Time is 1296169671 on \\dcitsrv2.csaa.corp
Getting time for \\dcitsrv1.csaa.corp
Time is 1296169672 on \\dcitsrv1.csaa.corp
Getting time for \\BRIT44559vsi001.csaa.corp
Time is 1296169672 on \\BRIT44559vsi001.csaa.corp
Time is in sync: 1 seconds different.
Checking machine account for DC dcitsrv2 on DC dcitsrv1.
* SPN found :LDAP/dcitsrv2.csaa.corp/csaa.corp
* SPN found :LDAP/dcitsrv2.csaa.corp
* SPN found :LDAP/dcitsrv2
* SPN found :LDAP/dcitsrv2.csaa.corp/csaa
* SPN found :LDAP/db60f4f2-0c07-4ef3-b332-36e9f71a70bb._msdcs.csaa.corp
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/db60f4f2-0c07-4ef3-b332-36e9f71a70bb/csaa.corp
* SPN found :HOST/dcitsrv2.csaa.corp/csaa.corp
* SPN found :HOST/dcitsrv2.csaa.corp
* SPN found :HOST/dcitsrv2
* SPN found :HOST/dcitsrv2.csaa.corp/csaa
* SPN found :GC/dcitsrv2.csaa.corp/csaa.corp
Checking for CN=dcitsrv2,OU=Domain Controllers,DC=csaa,DC=corp in domain DC=csaa,DC=corp on 2 servers
Object is up-to-date on all servers.
* Security Permissions check for all NC's on DC dcitsrv2.
* Security Permissions Check for
DC=ForestDnsZones,DC=csaa,DC=corp
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=csaa,DC=corp
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=csaa,DC=corp
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=csaa,DC=corp
(Configuration,Version 2)
* Security Permissions Check for
DC=csaa,DC=corp
(Domain,Version 2)
* Network Logons Privileges Check
Verified share \\dcitsrv2\netlogon
Verified share \\dcitsrv2\sysvol
Checking for CN=dcitsrv2,OU=Domain Controllers,DC=csaa,DC=corp in domain DC=csaa,DC=corp on 6 servers
Object is up-to-date on all servers.
[dcitsrv2] Unable to diagnose problem for this source. See any errors reported in attempting tests.
Source DC dcitsrv1 has possible security error (1722). Diagnosing...
Found KDC dcitsrv1 for domain csaa.corp in site Italy
Checking time skew between servers:
dcitsrv1
BRIT44559vsi001
Getting time for \\dcitsrv1.csaa.corp
Time is 1296169679 on \\dcitsrv1.csaa.corp
Getting time for \\BRIT44559vsi001.csaa.corp
Time is 1296169679 on \\BRIT44559vsi001.csaa.corp
Time is in sync: 0 seconds different.
Checking machine account for DC dcitsrv1 on DC dcitsrv1.
* SPN found :LDAP/dcitsrv1.csaa.corp/csaa.corp
* SPN found :LDAP/dcitsrv1.csaa.corp
* SPN found :LDAP/dcitsrv1
* SPN found :LDAP/dcitsrv1.csaa.corp/csaa
* SPN found :LDAP/bf475d01-77d0-4a41-9624-7780ac336cf5._msdcs.csaa.corp
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/bf475d01-77d0-4a41-9624-7780ac336cf5/csaa.corp
* SPN found :HOST/dcitsrv1.csaa.corp/csaa.corp
* SPN found :HOST/dcitsrv1.csaa.corp
* SPN found :HOST/dcitsrv1
* SPN found :HOST/dcitsrv1.csaa.corp/csaa
* SPN found :GC/dcitsrv1.csaa.corp/csaa.corp
* Security Permissions check for all NC's on DC dcitsrv1.
* Security Permissions Check for
DC=ForestDnsZones,DC=csaa,DC=corp
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=csaa,DC=corp
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=csaa,DC=corp
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=csaa,DC=corp
(Configuration,Version 2)
* Security Permissions Check for
DC=csaa,DC=corp
(Domain,Version 2)
* Network Logons Privileges Check
Verified share \\dcitsrv1\netlogon
Verified share \\dcitsrv1\sysvol
Checking for CN=dcitsrv1,OU=Domain Controllers,DC=csaa,DC=corp in domain DC=csaa,DC=corp on 6 servers
Object is up-to-date on all servers.
[dcitsrv1] Unable to diagnose problem for this source. See any errors reported in attempting tests.
......................... BRIT44559vsi001 passed test CheckSecurityError

Testing server: Brit\dcsrv1
Starting test: Replications
* Replications Check
DC=ForestDnsZones,DC=csaa,DC=corp has 11 cursors.
DC=DomainDnsZones,DC=csaa,DC=corp has 12 cursors.
CN=Schema,CN=Configuration,DC=csaa,DC=corp has 12 cursors.
CN=Configuration,DC=csaa,DC=corp has 12 cursors.
DC=csaa,DC=corp has 12 cursors.
* Replication Latency Check
DC=ForestDnsZones,DC=csaa,DC=corp
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=csaa,DC=corp
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=csaa,DC=corp
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=csaa,DC=corp
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=csaa,DC=corp
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... dcsrv1 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... dcsrv1 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... dcsrv1 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC dcsrv1.
* Security Permissions Check for
DC=ForestDnsZones,DC=csaa,DC=corp
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=csaa,DC=corp
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=csaa,DC=corp
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=csaa,DC=corp
(Configuration,Version 2)
* Security Permissions Check for
DC=csaa,DC=corp
(Domain,Version 2)
......................... dcsrv1 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\dcsrv1\netlogon
Verified share \\dcsrv1\sysvol
......................... dcsrv1 passed test NetLogons
Starting test: Advertising
The DC dcsrv1 is advertising itself as a DC and having a DS.
The DC dcsrv1 is advertising as an LDAP server
The DC dcsrv1 is advertising as having a writeable directory
The DC dcsrv1 is advertising as a Key Distribution Center
The DC dcsrv1 is advertising as a time server
The DS dcsrv1 is advertising as a GC.
......................... dcsrv1 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
Role Domain Owner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
Role PDC Owner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
Role Rid Owner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
Role Infrastructure Update Owner = CN=NTDS Settings,CN=dcsrv2,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
......................... dcsrv1 passed test KnowsOfRoleHolders
Starting test: RidManager
ridManagerReference = CN=RID Manager$,CN=System,DC=csaa,DC=corp
* Available RID Pool for the Domain is 14830 to 1073741823
fSMORoleOwner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
* dcsrv1.csaa.corp is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=dcsrv1,OU=Domain Controllers,DC=csaa,DC=corp
* rIDAllocationPool is 13330 to 13829
* rIDPreviousAllocationPool is 9830 to 10329
* rIDNextRID: 10309
* Warning :There is less than 5% available RIDs in the current pool
......................... dcsrv1 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC dcsrv1 on DC dcsrv1.
* SPN found :LDAP/dcsrv1.csaa.corp/csaa.corp
* SPN found :LDAP/dcsrv1.csaa.corp
* SPN found :LDAP/dcsrv1
* SPN found :LDAP/dcsrv1.csaa.corp/csaa
* SPN found :LDAP/18f4d083-a97d-48c8-983e-d94a3ebccb04._msdcs.csaa.corp
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/18f4d083-a97d-48c8-983e-d94a3ebccb04/csaa.corp
* SPN found :HOST/dcsrv1.csaa.corp/csaa.corp
* SPN found :HOST/dcsrv1.csaa.corp
* SPN found :HOST/dcsrv1
* SPN found :HOST/dcsrv1.csaa.corp/csaa
* SPN found :GC/dcsrv1.csaa.corp/csaa.corp
......................... dcsrv1 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... dcsrv1 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... dcsrv1 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
dcsrv1 is in domain DC=csaa,DC=corp
Checking for CN=dcsrv1,OU=Domain Controllers,DC=csaa,DC=corp in domain DC=csaa,DC=corp on 6 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp in domain CN=Configuration,DC=csaa,DC=corp on 6 servers
Object is up-to-date on all servers.
......................... dcsrv1 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... dcsrv1 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... dcsrv1 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... dcsrv1 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... dcsrv1 passed test systemlog
Starting test: VerifyReplicas
......................... dcsrv1 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=dcsrv1,OU=Domain Controllers,DC=csaa,DC=corp and backlink on

CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp

are correct.
The system object reference (frsComputerReferenceBL)

CN=dcsrv1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=csaa,DC=corp

and backlink on CN=dcsrv1,OU=Domain Controllers,DC=csaa,DC=corp

are correct.
The system object reference (serverReferenceBL)

CN=dcsrv1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=csaa,DC=corp

and backlink on

CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp

are correct.
......................... dcsrv1 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN

references. Note, that these problems can be reported because of

latency in replication. So follow up to resolve the following

problems, only if the same problem is reported on all DCs for a given

domain or if the problem persists after replication has had

reasonable time to replicate changes.
[1] Problem: Missing Expected Value

Base Object:

CN=SECOND,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=csaa,DC=corp

Base Object Description: "SYSVOL FRS Member Object"

Value Object Attribute Name: frsComputerReference

Value Object Description: "DC Account Object"

Recommended Action: Check if this server is deleted, and if so

clean up this DCs SYSVOL FRS Member Object. Also see Knowledge

Base Article: Q312862


[2] Problem: Missing Expected Value

Base Object:

CN=SECOND,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=csaa,DC=corp

Base Object Description: "SYSVOL FRS Member Object"

Value Object Attribute Name: serverReference

Value Object Description: "DSA Object"

Recommended Action: Check if this server is deleted, and if so

clean up this DCs SYSVOL FRS Member Object. Also see Knowledge

Base Article Q312862


......................... dcsrv1 failed test VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC dcsrv3 for domain csaa.corp in site Brit
Checking machine account for DC dcsrv1 on DC dcsrv3.
* SPN found :LDAP/dcsrv1.csaa.corp/csaa.corp
* SPN found :LDAP/dcsrv1.csaa.corp
* SPN found :LDAP/dcsrv1
* SPN found :LDAP/dcsrv1.csaa.corp/csaa
* SPN found :LDAP/18f4d083-a97d-48c8-983e-d94a3ebccb04._msdcs.csaa.corp
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/18f4d083-a97d-48c8-983e-d94a3ebccb04/csaa.corp
* SPN found :HOST/dcsrv1.csaa.corp/csaa.corp
* SPN found :HOST/dcsrv1.csaa.corp
* SPN found :HOST/dcsrv1
* SPN found :HOST/dcsrv1.csaa.corp/csaa
* SPN found :GC/dcsrv1.csaa.corp/csaa.corp
Checking for CN=dcsrv1,OU=Domain Controllers,DC=csaa,DC=corp in domain DC=csaa,DC=corp on 2 servers
Object is up-to-date on all servers.
[dcsrv1] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... dcsrv1 passed test CheckSecurityError

Testing server: Brit\dcsrv2
Starting test: Replications
* Replications Check
DC=ForestDnsZones,DC=csaa,DC=corp has 11 cursors.
DC=DomainDnsZones,DC=csaa,DC=corp has 12 cursors.
CN=Schema,CN=Configuration,DC=csaa,DC=corp has 12 cursors.
CN=Configuration,DC=csaa,DC=corp has 12 cursors.
DC=csaa,DC=corp has 12 cursors.
* Replication Latency Check
DC=ForestDnsZones,DC=csaa,DC=corp
Latency information for 5 entries in the vector were ignored.
5 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=csaa,DC=corp
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=csaa,DC=corp
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=csaa,DC=corp
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=csaa,DC=corp
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... dcsrv2 passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... dcsrv2 passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=csaa,DC=corp.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... dcsrv2 passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC dcsrv2.
* Security Permissions Check for
DC=ForestDnsZones,DC=csaa,DC=corp
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=csaa,DC=corp
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=csaa,DC=corp
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=csaa,DC=corp
(Configuration,Version 2)
* Security Permissions Check for
DC=csaa,DC=corp
(Domain,Version 2)
......................... dcsrv2 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\dcsrv2\netlogon
Verified share \\dcsrv2\sysvol
......................... dcsrv2 passed test NetLogons
Starting test: Advertising
The DC dcsrv2 is advertising itself as a DC and having a DS.
The DC dcsrv2 is advertising as an LDAP server
The DC dcsrv2 is advertising as having a writeable directory
The DC dcsrv2 is advertising as a Key Distribution Center
The DC dcsrv2 is advertising as a time server
The DS dcsrv2 is advertising as a GC.
......................... dcsrv2 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
Role Domain Owner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
Role PDC Owner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
Role Rid Owner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
Role Infrastructure Update Owner = CN=NTDS Settings,CN=dcsrv2,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
......................... dcsrv2 passed test KnowsOfRoleHolders
Starting test: RidManager
ridManagerReference = CN=RID Manager$,CN=System,DC=csaa,DC=corp
* Available RID Pool for the Domain is 14830 to 1073741823
fSMORoleOwner = CN=NTDS Settings,CN=dcsrv1,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp
* dcsrv1.csaa.corp is the RID Master
* DsBind with RID Master was successful
rIDSetReferences = CN=RID Set,CN=dcsrv2,OU=Domain Controllers,DC=csaa,DC=corp
* rIDAllocationPool is 14330 to 14829
* rIDPreviousAllocationPool is 10330 to 10829
* rIDNextRID: 10592
......................... dcsrv2 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC dcsrv2 on DC dcsrv2.
* SPN found :LDAP/dcsrv2.csaa.corp/csaa.corp
* SPN found :LDAP/dcsrv2.csaa.corp
* SPN found :LDAP/dcsrv2
* SPN found :LDAP/dcsrv2.csaa.corp/csaa
* SPN found :LDAP/ec3bb02a-2577-4246-8155-9b5c8a1ad18a._msdcs.csaa.corp
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ec3bb02a-2577-4246-8155-9b5c8a1ad18a/csaa.corp
* SPN found :HOST/dcsrv2.csaa.corp/csaa.corp
* SPN found :HOST/dcsrv2.csaa.corp
* SPN found :HOST/dcsrv2
* SPN found :HOST/dcsrv2.csaa.corp/csaa
* SPN found :GC/dcsrv2.csaa.corp/csaa.corp
......................... dcsrv2 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... dcsrv2 passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... dcsrv2 passed test OutboundSecureChannels
Starting test: ObjectsReplicated
dcsrv2 is in domain DC=csaa,DC=corp
Checking for CN=dcsrv2,OU=Domain Controllers,DC=csaa,DC=corp in domain DC=csaa,DC=corp on 6 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=dcsrv2,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp in domain CN=Configuration,DC=csaa,DC=corp on 6 servers
Object is up-to-date on all servers.
......................... dcsrv2 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... dcsrv2 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... dcsrv2 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... dcsrv2 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... dcsrv2 passed test systemlog
Starting test: VerifyReplicas
......................... dcsrv2 passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=dcsrv2,OU=Domain Controllers,DC=csaa,DC=corp and backlink on

CN=dcsrv2,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp

are correct.
The system object reference (frsComputerReferenceBL)

CN=dcsrv2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=csaa,DC=corp

and backlink on CN=dcsrv2,OU=Domain Controllers,DC=csaa,DC=corp

are correct.
The system object reference (serverReferenceBL)

CN=dcsrv2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=csaa,DC=corp

and backlink on

CN=NTDS Settings,CN=dcsrv2,CN=Servers,CN=Brit,CN=Sites,CN=Configuration,DC=csaa,DC=corp

are correct.
......................... dcsrv2 passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN

references. Note, that these problems can be reported because of

latency in replication. So follow up to resolve the following

problems, only if the same problem is reported on all DCs for a given

domain or if the problem persists after replication has had

reasonable time to replicate changes.
[1] Problem: Missing Expected Value

Base Object:

CN=SECOND,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=csaa,DC=corp

Base Object Description: "SYSVOL FRS Member Object"

Value Object Attribute Name: frsComputerReference

Value Object Description: "DC Account Object"

Recommended Action: Check if this server is deleted, and if so

clean up this DCs SYSVOL FRS Member Object. Also see Knowledge

Base Article: Q312862


[2] Problem: Missing Expected Value

Base Object:

CN=SECOND,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=csaa,DC=corp

Base Object Description: "SYSVOL FRS Member Object"

Value Object Attribute Name: serverReference

Value Object Description: "DSA Object"

Recommended Action: Check if this server is deleted, and if so

clean up this DCs SYSVOL FRS Member Object. Also see Knowledge

Base Article Q312862


......................... dcsrv2 failed test VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC dcsrv3 for domain csaa.corp in site Brit
Checking machine account for DC dcsrv2 on DC dcsrv3.
* SPN found :LDAP/dcsrv2.csaa.corp/csaa.corp
* SPN found :LDAP/dcsrv2.csaa.corp
* SPN found :LDAP/dcsrv2
* SPN found :LDAP/dcsrv2.csaa.corp/csaa
* SPN found :LDAP/ec3bb02a-2577-4246-8155-9b5c8a1ad18a._msdcs.csaa.corp
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/ec3bb02a-2577-4246-8155-9b5c8a1ad18a/csaa.corp
* SPN found :HOST/dcsrv2.csaa.corp/csaa.corp
* SPN found :HOST/dcsrv2.csaa.corp
* SPN found :HOST/dcsrv2
* SPN found :HOST/dcsrv2.csaa.corp/csaa
* SPN found :GC/dcsrv2.csaa.corp/csaa.corp
Checking for CN=dcsrv2,OU=Domain Controllers,DC=csaa,DC=corp in domain DC=csaa,DC=corp on 2 servers
Object is up-to-date on all servers.
 
I'd add the second DC first, ensure it's working correctly, replication is good, DNS is good, etc. THEN I would transfer the FSMO roles. That's a five minute task. The DC replication and initial tasks take longer.

See my FAQ on this site: faq1674-7371

Pat Richard MVP
Plan for performance, and capacity takes care of itself. Plan for capacity, and suffer poor performance.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top