Domain Controller Diagnosis Performing initial setup: * Verifying that the local machine server-backup, is a DC. * Connecting to directory service on server server-backup. * Collecting site info. * Identifying all servers. * Identifying all NC cross-refs. * Found 3 DC(s). Testing 3 of them. Done gathering initial info. Doing initial required tests Testing server: Default-First-Site-Name\SERVER-BACKUP Starting test: Connectivity * Active Directory LDAP Services Check * Active Directory RPC Services Check ......................... SERVER-BACKUP passed test Connectivity Testing server: Default-First-Site-Name\SERVER-PAMIR Starting test: Connectivity * Active Directory LDAP Services Check The host aface639-9d36-4454-b850-ecdc0d8b24b6._msdcs.aso.net could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc Although the Guid DNS name (aface639-9d36-4454-b850-ecdc0d8b24b6._msdcs.aso.net) couldn't be resolved, the server name (server-pamir.aso.net) resolved to the IP address (192.168.1.4) and was pingable. Check that the IP address is registered correctly with the DNS server. ......................... SERVER-PAMIR failed test Connectivity Testing server: Default-First-Site-Name\DC-WS2012R2 Starting test: Connectivity * Active Directory LDAP Services Check * Active Directory RPC Services Check ......................... DC-WS2012R2 passed test Connectivity Doing primary tests Testing server: Default-First-Site-Name\SERVER-BACKUP Starting test: Replications * Replications Check * Replication Latency Check DC=ForestDnsZones,DC=aso,DC=net Latency information for 23 entries in the vector were ignored. 23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=DomainDnsZones,DC=aso,DC=net Latency information for 23 entries in the vector were ignored. 23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Schema,CN=Configuration,DC=aso,DC=net Latency information for 27 entries in the vector were ignored. 27 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Configuration,DC=aso,DC=net Latency information for 27 entries in the vector were ignored. 27 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=aso,DC=net Latency information for 28 entries in the vector were ignored. 28 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). ......................... SERVER-BACKUP passed test Replications Test omitted by user request: Topology Test omitted by user request: CutoffServers Starting test: NCSecDesc * Security Permissions check for all NC's on DC SERVER-BACKUP. * Security Permissions Check for DC=ForestDnsZones,DC=aso,DC=net (NDNC,Version 2) * Security Permissions Check for DC=DomainDnsZones,DC=aso,DC=net (NDNC,Version 2) * Security Permissions Check for CN=Schema,CN=Configuration,DC=aso,DC=net (Schema,Version 2) * Security Permissions Check for CN=Configuration,DC=aso,DC=net (Configuration,Version 2) * Security Permissions Check for DC=aso,DC=net (Domain,Version 2) ......................... SERVER-BACKUP passed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check Verified share \\SERVER-BACKUP\netlogon Verified share \\SERVER-BACKUP\sysvol ......................... SERVER-BACKUP passed test NetLogons Starting test: Advertising The DC SERVER-BACKUP is advertising itself as a DC and having a DS. The DC SERVER-BACKUP is advertising as an LDAP server The DC SERVER-BACKUP is advertising as having a writeable directory The DC SERVER-BACKUP is advertising as a Key Distribution Center The DC SERVER-BACKUP is advertising as a time server ......................... SERVER-BACKUP passed test Advertising Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net Role Domain Owner = CN=NTDS Settings,CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net Role PDC Owner = CN=NTDS Settings,CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net Role Rid Owner = CN=NTDS Settings,CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net ......................... SERVER-BACKUP passed test KnowsOfRoleHolders Starting test: RidManager * Available RID Pool for the Domain is 11105 to 1073741823 * DC-WS2012R2.aso.net is the RID Master * DsBind with RID Master was successful * rIDAllocationPool is 8105 to 8604 * rIDPreviousAllocationPool is 8105 to 8604 * rIDNextRID: 8126 ......................... SERVER-BACKUP passed test RidManager Starting test: MachineAccount Checking machine account for DC SERVER-BACKUP on DC SERVER-BACKUP. * SPN found :LDAP/server-backup.aso.net/aso.net * SPN found :LDAP/server-backup.aso.net * SPN found :LDAP/SERVER-BACKUP * SPN found :LDAP/server-backup.aso.net/ASO * SPN found :LDAP/642147ca-df10-4f4c-ba9a-2f5df4555d4f._msdcs.aso.net * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/642147ca-df10-4f4c-ba9a-2f5df4555d4f/aso.net * SPN found :HOST/server-backup.aso.net/aso.net * SPN found :HOST/server-backup.aso.net * SPN found :HOST/SERVER-BACKUP * SPN found :HOST/server-backup.aso.net/ASO * SPN found :GC/server-backup.aso.net/aso.net ......................... SERVER-BACKUP passed test MachineAccount Starting test: Services * Checking Service: Dnscache * Checking Service: NtFrs * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: RpcSs * Checking Service: w32time * Checking Service: NETLOGON ......................... SERVER-BACKUP passed test Services Test omitted by user request: OutboundSecureChannels Starting test: ObjectsReplicated SERVER-BACKUP is in domain DC=aso,DC=net Checking for CN=SERVER-BACKUP,OU=Domain Controllers,DC=aso,DC=net in domain DC=aso,DC=net on 2 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=SERVER-BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net in domain CN=Configuration,DC=aso,DC=net on 2 servers Object is up-to-date on all servers. ......................... SERVER-BACKUP passed test ObjectsReplicated Starting test: frssysvol * The File Replication Service SYSVOL ready test File Replication Service's SYSVOL is ready ......................... SERVER-BACKUP passed test frssysvol Starting test: frsevent * The File Replication Service Event log test ......................... SERVER-BACKUP passed test frsevent Starting test: kccevent * The KCC Event log test Found no KCC errors in Directory Service Event log in the last 15 minutes. ......................... SERVER-BACKUP passed test kccevent Starting test: systemlog * The System Event log test Found no errors in System Event log in the last 60 minutes. ......................... SERVER-BACKUP passed test systemlog Test omitted by user request: VerifyReplicas Starting test: VerifyReferences The system object reference (serverReference) CN=SERVER-BACKUP,OU=Domain Controllers,DC=aso,DC=net and backlink on CN=SERVER-BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net are correct. The system object reference (frsComputerReferenceBL) CN=SERVER-BACKUP,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=aso,DC=net and backlink on CN=SERVER-BACKUP,OU=Domain Controllers,DC=aso,DC=net are correct. The system object reference (serverReferenceBL) CN=SERVER-BACKUP,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=aso,DC=net and backlink on CN=NTDS Settings,CN=SERVER-BACKUP,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net are correct. ......................... SERVER-BACKUP passed test VerifyReferences Test omitted by user request: VerifyEnterpriseReferences Test omitted by user request: CheckSecurityError Testing server: Default-First-Site-Name\SERVER-PAMIR Skipping all tests, because server SERVER-PAMIR is not responding to directory service requests Test omitted by user request: Topology Test omitted by user request: CutoffServers Test omitted by user request: OutboundSecureChannels Test omitted by user request: VerifyReplicas Test omitted by user request: VerifyEnterpriseReferences Test omitted by user request: CheckSecurityError Testing server: Default-First-Site-Name\DC-WS2012R2 Starting test: Replications * Replications Check * Replication Latency Check DC=ForestDnsZones,DC=aso,DC=net Latency information for 23 entries in the vector were ignored. 23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=DomainDnsZones,DC=aso,DC=net Latency information for 23 entries in the vector were ignored. 23 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Schema,CN=Configuration,DC=aso,DC=net Latency information for 27 entries in the vector were ignored. 27 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Configuration,DC=aso,DC=net Latency information for 27 entries in the vector were ignored. 27 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=aso,DC=net Latency information for 28 entries in the vector were ignored. 28 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). ......................... DC-WS2012R2 passed test Replications Test omitted by user request: Topology Test omitted by user request: CutoffServers Starting test: NCSecDesc * Security Permissions check for all NC's on DC DC-WS2012R2. * Security Permissions Check for DC=ForestDnsZones,DC=aso,DC=net (NDNC,Version 2) * Security Permissions Check for DC=DomainDnsZones,DC=aso,DC=net (NDNC,Version 2) * Security Permissions Check for CN=Schema,CN=Configuration,DC=aso,DC=net (Schema,Version 2) * Security Permissions Check for CN=Configuration,DC=aso,DC=net (Configuration,Version 2) * Security Permissions Check for DC=aso,DC=net (Domain,Version 2) ......................... DC-WS2012R2 passed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check Verified share \\DC-WS2012R2\netlogon Verified share \\DC-WS2012R2\sysvol ......................... DC-WS2012R2 passed test NetLogons Starting test: Advertising The DC DC-WS2012R2 is advertising itself as a DC and having a DS. The DC DC-WS2012R2 is advertising as an LDAP server The DC DC-WS2012R2 is advertising as having a writeable directory The DC DC-WS2012R2 is advertising as a Key Distribution Center The DC DC-WS2012R2 is advertising as a time server The DS DC-WS2012R2 is advertising as a GC. ......................... DC-WS2012R2 passed test Advertising Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net Role Domain Owner = CN=NTDS Settings,CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net Role PDC Owner = CN=NTDS Settings,CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net Role Rid Owner = CN=NTDS Settings,CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net ......................... DC-WS2012R2 passed test KnowsOfRoleHolders Starting test: RidManager * Available RID Pool for the Domain is 11105 to 1073741823 * DC-WS2012R2.aso.net is the RID Master * DsBind with RID Master was successful * rIDAllocationPool is 10605 to 11104 * rIDPreviousAllocationPool is 10605 to 11104 * rIDNextRID: 10609 ......................... DC-WS2012R2 passed test RidManager Starting test: MachineAccount Checking machine account for DC DC-WS2012R2 on DC DC-WS2012R2. * SPN found :LDAP/DC-WS2012R2.aso.net/aso.net * SPN found :LDAP/DC-WS2012R2.aso.net * SPN found :LDAP/DC-WS2012R2 * SPN found :LDAP/DC-WS2012R2.aso.net/ASO * SPN found :LDAP/f5c75d6b-6133-42f8-87a7-37857ee430da._msdcs.aso.net * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/f5c75d6b-6133-42f8-87a7-37857ee430da/aso.net * SPN found :HOST/DC-WS2012R2.aso.net/aso.net * SPN found :HOST/DC-WS2012R2.aso.net * SPN found :HOST/DC-WS2012R2 * SPN found :HOST/DC-WS2012R2.aso.net/ASO * SPN found :GC/DC-WS2012R2.aso.net/aso.net ......................... DC-WS2012R2 passed test MachineAccount Starting test: Services * Checking Service: Dnscache * Checking Service: NtFrs * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: RpcSs * Checking Service: w32time * Checking Service: NETLOGON ......................... DC-WS2012R2 passed test Services Test omitted by user request: OutboundSecureChannels Starting test: ObjectsReplicated DC-WS2012R2 is in domain DC=aso,DC=net Checking for CN=DC-WS2012R2,OU=Domain Controllers,DC=aso,DC=net in domain DC=aso,DC=net on 2 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net in domain CN=Configuration,DC=aso,DC=net on 2 servers Object is up-to-date on all servers. ......................... DC-WS2012R2 passed test ObjectsReplicated Starting test: frssysvol * The File Replication Service SYSVOL ready test File Replication Service's SYSVOL is ready ......................... DC-WS2012R2 passed test frssysvol Starting test: frsevent * The File Replication Service Event log test ......................... DC-WS2012R2 passed test frsevent Starting test: kccevent * The KCC Event log test Found no KCC errors in Directory Service Event log in the last 15 minutes. ......................... DC-WS2012R2 passed test kccevent Starting test: systemlog * The System Event log test Found no errors in System Event log in the last 60 minutes. ......................... DC-WS2012R2 passed test systemlog Test omitted by user request: VerifyReplicas Starting test: VerifyReferences The system object reference (serverReference) CN=DC-WS2012R2,OU=Domain Controllers,DC=aso,DC=net and backlink on CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net are correct. The system object reference (frsComputerReferenceBL) CN=DC-WS2012R2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=aso,DC=net and backlink on CN=DC-WS2012R2,OU=Domain Controllers,DC=aso,DC=net are correct. The system object reference (serverReferenceBL) CN=DC-WS2012R2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=aso,DC=net and backlink on CN=NTDS Settings,CN=DC-WS2012R2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=aso,DC=net are correct. ......................... DC-WS2012R2 passed test VerifyReferences Test omitted by user request: VerifyEnterpriseReferences Test omitted by user request: CheckSecurityError Running partition tests on : ForestDnsZones Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Running partition tests on : DomainDnsZones Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom Running partition tests on : Schema Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Running partition tests on : Configuration Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom Running partition tests on : aso Starting test: CrossRefValidation ......................... aso passed test CrossRefValidation Starting test: CheckSDRefDom ......................... aso passed test CheckSDRefDom Running enterprise tests on : aso.net Starting test: Intersite Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided. ......................... aso.net passed test Intersite Starting test: FsmoCheck GC Name: \\DC-WS2012R2.aso.net Locator Flags: 0xe000f3fd PDC Name: \\DC-WS2012R2.aso.net Locator Flags: 0xe000f3fd Time Server Name: \\server-backup.aso.net Locator Flags: 0xe00001f8 Preferred Time Server Name: \\DC-WS2012R2.aso.net Locator Flags: 0xe000f3fd KDC Name: \\server-backup.aso.net Locator Flags: 0xe00001f8 ......................... aso.net passed test FsmoCheck Test omitted by user request: DNS Test omitted by user request: DNS