Dcdiag /test:Checksecurityerror is failed

**raju_pitchuka** · 05-02-2009

Hi All,

I have a 2003 DC and an ADC and facing some issues with replication.

when I run DCDIAG /test:Checksecurityerror, the application is getting failed by logging event id 1000.

Description:

Faulting application dcdiag.exe, version 5.2.3790.1830, faulting module msvcrt.dll, version 7.0.3790.2825, fault address 0x000376b4.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

The same command is working fine on ADC and the result is here:

Domain Controller Diagnosis

Performing initial setup:
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\ERIC-ADC1
Starting test: Connectivity
......................... ERIC-ADC1 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\ERIC-ADC1
Starting test: CheckSecurityError
* Missing SPN :LDAP/ERIC-ADC1.ERICDOM/ERICDOM
* Missing SPN :LDAP/ERIC-ADC1.ERICDOM
* Missing SPN :LDAP/ERIC-ADC1
* Missing SPN :LDAP/ERIC-ADC1.ERICDOM/ERICDOM
* Missing SPN :LDAP/d11d040b-b7f0-457f-bcee-8d091157c8a7._msdcs.ERICDOM

* Missing SPN :HOST/ERIC-ADC1.ERICDOM/ERICDOM
* Missing SPN :HOST/ERIC-ADC1.ERICDOM/ERICDOM
* Missing SPN :GC/ERIC-ADC1.ERICDOM/ERICDOM
Unable to verify the machine account (CN=ERIC-ADC1,OU=Domain Controller
s,DC=ERICDOM) for ERIC-ADC1 on ERIC-PDC.
[ERIC-ADC1] No security related replication errors were found on this D
C! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... ERIC-ADC1 passed test CheckSecurityError

Running partition tests on : Schema

Running partition tests on : Configuration

Running partition tests on : ERICDOM

Running enterprise tests on : ERICDOM

When I run dcdiag /test:CheckSecurityError /s:ERIC-PDC (it is my Primary DC) command on ADC, The same event id 1000 is logged with 4097 id.

As I have issues with replication from DC to ADC, I want to troubleshoot it. I request you to help.

I think it is not the problem either with dcdiag.exe or with

msvcrt.dll, because I am able to execute dcdiag with other parameters successfully except /test:Checksecurityerror.

I feel some security related stuff in DC is stopping to replicate with ADC.

When I checked repadmin /showrepl on ADC, I am getting successful information like below

repadmin running command /showrepl against server localhost

Default-First-Site-Name\ERIC-ADC1
DC Options: IS_GC
Site Options: (none)
DC object GUID: d11d040b-b7f0-457f-bcee-8d091157c8a7
DC invocationID: a2693b56-6caf-4124-951d-ec73a7b8efaf

==== INBOUND NEIGHBORS ======================================

DC=ERICDOM
Default-First-Site-Name\ERIC-PDC via RPC
DC object GUID: d74afdf7-4971-4995-a20e-ce3973c22c91
Last attempt @ 2009-02-05 12:44:52 was successful.
Default-First-Site-Name\ERIC-DC via RPC
DC object GUID: b3dfc45c-71ce-4fae-9c3c-cbda9a6e572d
Last attempt @ 2009-02-05 12:45:22 was successful.

CN=Configuration,DC=ERICDOM
Default-First-Site-Name\ERIC-PDC via RPC
DC object GUID: d74afdf7-4971-4995-a20e-ce3973c22c91
Last attempt @ 2009-02-05 12:44:52 was successful.
Default-First-Site-Name\ERIC-DC via RPC
DC object GUID: b3dfc45c-71ce-4fae-9c3c-cbda9a6e572d
Last attempt @ 2009-02-05 12:44:52 was successful.

CN=Schema,CN=Configuration,DC=ERICDOM
Default-First-Site-Name\ERIC-DC via RPC
DC object GUID: b3dfc45c-71ce-4fae-9c3c-cbda9a6e572d
Last attempt @ 2009-02-05 12:44:52 was successful.
Default-First-Site-Name\ERIC-PDC via RPC
DC object GUID: d74afdf7-4971-4995-a20e-ce3973c22c91
Last attempt @ 2009-02-05 12:44:52 was successful.

When I run the same command on DC (eric-pdc), I am getting the below result.

repadmin running command /showrepl against server localhost

Default-First-Site-Name\ERIC-PDC
DC Options: IS_GC
Site Options: (none)
DC object GUID: d74afdf7-4971-4995-a20e-ce3973c22c91
DC invocationID: 17c9d65c-64c6-48cf-bf1b-0594ea5292db

Source: Default-First-Site-Name\ERIC-ADC1
******* 92 CONSECUTIVE FAILURES since 2009-02-04 14:07:04
Last error: 5 (0x5):
Access is denied.

Naming Context: CN=Configuration,DC=ERICDOM
Source: Default-First-Site-Name\ERIC-ADC1
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=ERICDOM
Source: Default-First-Site-Name\ERIC-ADC1
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=ERICDOM
Source: Default-First-Site-Name\ERIC-ADC1
******* WARNING: KCC could not add this REPLICA LINK due to error.

Source: Default-First-Site-Name\ERIC-DC
******* 92 CONSECUTIVE FAILURES since 2009-02-04 14:07:04
Last error: 5 (0x5):
Access is denied.

Naming Context: CN=Configuration,DC=ERICDOM
Source: Default-First-Site-Name\ERIC-DC
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=ERICDOM
Source: Default-First-Site-Name\ERIC-DC
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=ERICDOM
Source: Default-First-Site-Name\ERIC-DC
******* WARNING: KCC could not add this REPLICA LINK due to error.

Please ask me if you need more information..

Thanks in advance and apprecite your help and time..

Thanks,

Raju P

**.:MUNDITO:.** · 05-02-2009

Well I only see a partial output from the dcdiag, but enough to determine that at a minimum you probably have some domain controllers in AD that don't exist anymore.

**Spykar** · 05-02-2009

Try to ping from your "failing" DC to the one that has the "PDC-role" (usually the first DC in your AD has this role). Make sure you can ping it using the DNS name and not just the IP address.

What kind of connectivity do you have between the sites? Make sure no firewalls are blocking traffic that they shouldn't.

As well, just to point out, PDC and ADC are Windows NT domain terms, in the AD world there are just DC's with different roles.