Dcdiag /test:Checksecurityerror is failed
Hi All,
I have a 2003 DC and an ADC and am facing some issues with replication.
When I run DCDIAG /test:Checksecurityerror, the application fails and logs event ID 1000.
Description:
Faulting application dcdiag.exe, version 5.2.3790.1830, faulting module msvcrt.dll, version 7.0.3790.2825, fault address 0x000376b4.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
The same command is working fine on ADC and the result is here:
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\ERIC-ADC1
Starting test: Connectivity
......................... ERIC-ADC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\ERIC-ADC1
Starting test: CheckSecurityError
* Missing SPN :LDAP/ERIC-ADC1.ERICDOM/ERICDOM
* Missing SPN :LDAP/ERIC-ADC1.ERICDOM
* Missing SPN :LDAP/ERIC-ADC1
* Missing SPN :LDAP/ERIC-ADC1.ERICDOM/ERICDOM
* Missing SPN :LDAP/d11d040b-b7f0-457f-bcee-8d091157c8a7._msdcs.ERICDOM
* Missing SPN :HOST/ERIC-ADC1.ERICDOM/ERICDOM
* Missing SPN :HOST/ERIC-ADC1.ERICDOM/ERICDOM
* Missing SPN :GC/ERIC-ADC1.ERICDOM/ERICDOM
Unable to verify the machine account (CN=ERIC-ADC1,OU=Domain Controller
s,DC=ERICDOM) for ERIC-ADC1 on ERIC-PDC.
[ERIC-ADC1] No security related replication errors were found on this D
C! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... ERIC-ADC1 passed test CheckSecurityError
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : ERICDOM
Running enterprise tests on : ERICDOM
When I run the dcdiag /test:CheckSecurityError /s:ERIC-PDC command (ERIC-PDC is my primary DC) on the ADC, the same event ID 1000 is logged with ID 4097.
Since I have issues with replication from the DC to the ADC, I want to troubleshoot it. I request your help.
I think the problem is not with either dcdiag.exe or msvcrt.dll, because I am able to execute dcdiag successfully with other parameters, just not with /test:Checksecurityerror.
I feel some security-related stuff on the DC is stopping it from replicating with the ADC.
When I checked repadmin /showrepl on the ADC, I got successful information like below:
repadmin running command /showrepl against server localhost
Default-First-Site-Name\ERIC-ADC1
DC Options: IS_GC
Site Options: (none)
DC object GUID: d11d040b-b7f0-457f-bcee-8d091157c8a7
DC invocationID: a2693b56-6caf-4124-951d-ec73a7b8efaf
==== INBOUND NEIGHBORS ======================================
DC=ERICDOM
Default-First-Site-Name\ERIC-PDC via RPC
DC object GUID: d74afdf7-4971-4995-a20e-ce3973c22c91
Last attempt @ 2009-02-05 12:44:52 was successful.
Default-First-Site-Name\ERIC-DC via RPC
DC object GUID: b3dfc45c-71ce-4fae-9c3c-cbda9a6e572d
Last attempt @ 2009-02-05 12:45:22 was successful.
CN=Configuration,DC=ERICDOM
Default-First-Site-Name\ERIC-PDC via RPC
DC object GUID: d74afdf7-4971-4995-a20e-ce3973c22c91
Last attempt @ 2009-02-05 12:44:52 was successful.
Default-First-Site-Name\ERIC-DC via RPC
DC object GUID: b3dfc45c-71ce-4fae-9c3c-cbda9a6e572d
Last attempt @ 2009-02-05 12:44:52 was successful.
CN=Schema,CN=Configuration,DC=ERICDOM
Default-First-Site-Name\ERIC-DC via RPC
DC object GUID: b3dfc45c-71ce-4fae-9c3c-cbda9a6e572d
Last attempt @ 2009-02-05 12:44:52 was successful.
Default-First-Site-Name\ERIC-PDC via RPC
DC object GUID: d74afdf7-4971-4995-a20e-ce3973c22c91
Last attempt @ 2009-02-05 12:44:52 was successful.
When I run the same command on the DC (eric-pdc), I get the result below:
repadmin running command /showrepl against server localhost
Default-First-Site-Name\ERIC-PDC
DC Options: IS_GC
Site Options: (none)
DC object GUID: d74afdf7-4971-4995-a20e-ce3973c22c91
DC invocationID: 17c9d65c-64c6-48cf-bf1b-0594ea5292db
Source: Default-First-Site-Name\ERIC-ADC1
******* 92 CONSECUTIVE FAILURES since 2009-02-04 14:07:04
Last error: 5 (0x5):
Access is denied.
Naming Context: CN=Configuration,DC=ERICDOM
Source: Default-First-Site-Name\ERIC-ADC1
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=ERICDOM
Source: Default-First-Site-Name\ERIC-ADC1
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: CN=Schema,CN=Configuration,DC=ERICDOM
Source: Default-First-Site-Name\ERIC-ADC1
******* WARNING: KCC could not add this REPLICA LINK due to error.
Source: Default-First-Site-Name\ERIC-DC
******* 92 CONSECUTIVE FAILURES since 2009-02-04 14:07:04
Last error: 5 (0x5):
Access is denied.
Naming Context: CN=Configuration,DC=ERICDOM
Source: Default-First-Site-Name\ERIC-DC
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=ERICDOM
Source: Default-First-Site-Name\ERIC-DC
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: CN=Schema,CN=Configuration,DC=ERICDOM
Source: Default-First-Site-Name\ERIC-DC
******* WARNING: KCC could not add this REPLICA LINK due to error.
Please ask me if you need more information.
Thanks in advance; I appreciate your help and time.
Thanks,
Raju P
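An added example, not part of the original thread: a Python parser that groups the failure lines of repadmin /showrepl output, in the layout quoted in the post above, by source DC, so that sources failing with error 5 and the naming contexts whose replica links the KCC could not add can be read off directly. The names SourceStatus, parse_showrepl_failures and access_denied are hypothetical, and SAMPLE is an excerpt of the ERIC-PDC output quoted above.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the ERIC-PDC failure section quoted in the post (ERIC-ADC1 entries only).
SAMPLE = r"""
Source: Default-First-Site-Name\ERIC-ADC1
******* 92 CONSECUTIVE FAILURES since 2009-02-04 14:07:04
Last error: 5 (0x5):
Access is denied.
Naming Context: CN=Configuration,DC=ERICDOM
Source: Default-First-Site-Name\ERIC-ADC1
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=ERICDOM
Source: Default-First-Site-Name\ERIC-ADC1
******* WARNING: KCC could not add this REPLICA LINK due to error.
"""

@dataclass
class SourceStatus:
    failures: int = 0
    since: str = ""
    error_code: int = 0
    error_text: str = ""
    missing_links: list = field(default_factory=list)

def parse_showrepl_failures(text):
    """Group the failure lines of `repadmin /showrepl` by source DC."""
    sources, src, nc, want_text = {}, None, None, False
    for line in filter(None, map(str.strip, text.splitlines())):
        if want_text and src:  # the line after "Last error:" carries its message
            sources[src].error_text, want_text = line, False
        elif line.startswith("Source:"):
            src = line.split(":", 1)[1].strip()
            sources.setdefault(src, SourceStatus())
        elif line.startswith("Naming Context:"):
            nc = line.split(":", 1)[1].strip()
        elif src and (m := re.search(r"(\d+) CONSECUTIVE FAILURES since (.+)", line)):
            sources[src].failures, sources[src].since = int(m.group(1)), m.group(2)
        elif src and (m := re.match(r"Last error: (\d+) \(0x[0-9a-fA-F]+\)", line)):
            sources[src].error_code, want_text = int(m.group(1)), True
        elif src and nc and "KCC could not add this REPLICA LINK" in line:
            sources[src].missing_links.append(nc)  # naming context with no replica link
    return sources

def access_denied(sources):
    """Sources whose last error is Win32 error 5 (ERROR_ACCESS_DENIED)."""
    return sorted(s for s, st in sources.items() if st.error_code == 5)
```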
Re: Dcdiag /test:Checksecurityerror is failed
Well, I only see a partial output from the dcdiag, but enough to determine that at a minimum you probably have some domain controllers in AD that don't exist anymore.
Re: Dcdiag /test:Checksecurityerror is failed
Try to ping from your "failing" DC to the one that has the "PDC-role" (usually the first DC in your AD has this role). Make sure you can ping it using the DNS name and not just the IP address.
What kind of connectivity do you have between the sites? Make sure no firewalls are blocking traffic that they shouldn't.
As well, just to point out, PDC and ADC are Windows NT domain terms; in the AD world there are just DCs with different roles.