Problem: Missing Expected Value with dcdiag


  • Friday, November 05, 2010 3:33 PM
     
     

    Hello all,

     

    I'm hoping someone can help me out here.  I am getting a few errors when I run dcdiag on one of my DC's (I have three DC's by the way).

     

    The first error is 'DC-01 failed test NCSecDesc' - but I know that this is an error related to RODC's, which I don't run on my network.  So I believe that this message is irrelevant.

    I get a further two errors, I've copied them below.  I'm running three W2K8 R2 DC's, yet I only receive this error on one of the domain controllers, which is also my FSMO and Schema Master.

    I actually found this error as I was about to prep my AD for Exchange 2010 (this will be our first ever Exchange server).  So I don't want to ADprep until I know my AD is working well.

     

    Any thoughts?

     

    C:\Windows\system32>dcdiag /q
           

             Some objects relating to the DC JWC-DC-01 have problems:
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=NTDS Settings,CN=DC01,CN=Servers,CN=EHC,CN=Sites,CN=Configuration,DC=college,DC=CollegeName,DC=ac,DC=uk
                 Base Object Description: "DSA Object"
                 Value Object Attribute Name: serverReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

                [1] Problem: Missing Expected Value
                 Base Object:CN=DC-01,OU=Domain Controllers,DC=college,DC=CollegeName,DC=ac,DC=uk
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: frsComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

             ......................... DC-01 failed test VerifyReferences

     

    Thanks

    LaszloPuskas

All Replies

  • Friday, November 05, 2010 4:04 PM
     
     

    I have also run the following command -

    dcdiag /d /c /v

     

     

     

    Starting test: VerifyEnterpriseReferences
             The following problems were found while verifying various important DN references.  Note, that  these problems can be reported because of latency in replication.  So follow up to resolve the
             following problems, only if the same problem is reported on all DCs for a given domain or if  the problem persists after replication has had reasonable time to replicate changes.
                [1] Problem: Missing Expected Value
                 Base Object: CN=DC-01,OU=Domain Controllers,DC=college,DC=collegename,DC=ac,DC=uk
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: msDFSR-ComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

                [2] Problem: Missing Expected Value
                 Base Object: CN=DC-02,OU=Domain Controllers,DC=college,DC=collegename,DC=ac,DC=uk
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: msDFSR-ComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

                [3] Problem: Missing Expected Value
                 Base Object: CN=DC-03,OU=Domain Controllers,DC=college,DC=collegename,DC=ac,DC=uk
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: msDFSR-ComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

                LDAP Error 0x20 (32) - No Such Object.
             ......................... DC-01 failed test VerifyEnterpriseReferences
          Starting test: VerifyReferences
             The system object reference (serverReference) CN=DC-01,OU=Domain Controllers,DC=college,DC=collegename,DC=ac,DC=uk and backlink on
             CN=DC-01,CN=Servers,CN=EHC,CN=Sites,CN=Configuration,DC=college,DC=collegename,DC=ac,DC=uk are correct.
             Some objects relating to the DC DC-01 have problems:
                [1] Problem: Missing Expected Value
                 Base Object: CN=NTDS Settings,CN=DC-01,CN=Servers,CN=EHC,CN=Sites,CN=Configuration,DC=college,DC=collegename,DC=ac,DC=uk
                 Base Object Description: "DSA Object"
                 Value Object Attribute Name: serverReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

                [1] Problem: Missing Expected Value
                 Base Object: CN=DC-01,OU=Domain Controllers,DC=college,DC=collegename,DC=ac,DC=uk
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: frsComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

             ......................... DC-01 failed test VerifyReferences
          Starting test: VerifyReplicas
             ......................... DC-01 passed test VerifyReplicas

     

     

    Any ideas anyone?

  • Saturday, November 06, 2010 9:51 AM
     
     Answered

    Hello,

    did you check with the mentioned article: http://support.microsoft.com/kb/312862 ?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    • Marked As Answer by LaszloPuskas Wednesday, November 10, 2010 7:47 PM
  • Sunday, November 07, 2010 10:24 PM
     
     

    Hi Meinolf,

    Yeah, I've gone through the KB article several times.  I'm afraid I'm still unsure what my next steps should be.  Are you able to point out what section of the article I should concentrate on?

    Many thanks

    LaszloPuskas

  • Monday, November 08, 2010 6:40 AM
     
     

    Hello,

    please use the support tools and provide the output files, so we can get a complete overview of the domain:

    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt (if more than one DC exists)
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)

    As the output files will become large, DON'T post them into the thread, please use Windows Sky Drive and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  • Monday, November 08, 2010 9:13 AM
    Moderator
     
     Answered

    Hi,

     

    I realize that there is an RODC that does not run on the network. I would like to confirm whether it is temporarily disconnected from the network or abandoned. If it is abandoned without running dcpromo, you will need to clear the metadata for it. For the detailed steps, please refer to the following Microsoft KB article:

     

    How to remove completely orphaned Domain Controller

    http://support.microsoft.com/kb/555846

     

    I would like to confirm whether you ran the Dcdiag.exe utility on an RODC and received the error. If so, please check whether the following hotfix applies to the situation you are encountering.

     

    The Dcdiag.exe VerifyReferences test fails on an RODC that is running Windows Server 2008 R2

    http://support.microsoft.com/kb/2401600

     

    If the issue persists, please double check “How to detect missing Server-Reference attributes and member objects in SYSVOL replica sets” of the Microsoft KB312862 article. Since the troubleshooting steps are complicated, please be patient and careful to follow and fix the issue. Here is a similar issue which was fixed with the same KB article below:

     

    DCDiag VerifyReferences fails, prevents SYSVOL replication to new DC

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/fd1a2738-f0de-4171-875f-5b5df781a1bf

    Regards,


    • Marked As Answer by LaszloPuskas Wednesday, November 10, 2010 2:26 PM
  • Monday, November 08, 2010 9:29 AM
     
     

    Hi Meinolf,

    Thanks very much for taking the time to assist me with this, I'm very appreciative.

    I've run the commands and I've uploaded them to my Skydrive, you can access them here >

    http://cid-a0fe4d96acfeac0b.office.live.com/browse.aspx/Directory%20output%20files?Bsrc=EMSHOO&Bpub=SN.Notifications

     

    Hello Arthur Li,

    Many thanks to you as well - it's really appreciated.

    I'm 99% certain that we have never installed a RODC into our domain, so I'm hoping that the NCSecDesc errors are red herrings.  I've read a MS KB article that stated I can ignore the errors if I don't have a RODC and don't plan to install one into my network.

    I think you are right re article 312862, everything is pointing to this being the fix.  But the problem I have is that I'm still unsure what part of the article applies to me and what my exact issue is (i.e. deleted object, corrupted object, etc, etc).  So I'm reluctant to make any changes in case I screw things up further!  I will have a look at the link you posted to the similar issue.

    LaszloPuskas

  • Monday, November 08, 2010 9:59 AM
     
     

    Hello,

    as you said if adprep /rodcprep isn't run you have errors listed.

    JWC-DC-03 is not in sync with all partitions as the other 2 DCs, any reason for this?

    See this article about the missing expected value: http://technet.microsoft.com/en-us/library/cc794759(WS.10).aspx

    What about "WIN-OKR7CQF5PIL", should be rejoined to the domain according to the dcdiag output JWC-DC-03. Seems to be in the remote site.

    Do not configure the domain internal DNS servers as Forwarder, only external ones should be used. After removing them on all DC/DNS servers run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon service or reboot each.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  • Monday, November 08, 2010 1:10 PM
     
     

    Hi Meinolf,

    JWC-DC-03 is not in sync with all partitions as the other 2 DCs, any reason for this?
    Do you mean the disk partitions?  Sorry, I don't know that they are not in sync with each other, is this a problem I should address?

     

    What about "WIN-OKR7CQF5PIL", should be rejoined to the domain according to the dcdiag output JWC-DC-03. Seems to be in the remote site.
    I don't have a clue what PC this is.  It may have been a VirtualServer that was brought up and demoted as a DC in error, or it may just be an old PC on the network.  Should I look to try and clear it?

     

    Do not configure the domain internal DNS servers as Forwarder, only external ones should be used. After removing them on all DC/DNS servers run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon service or reboot each.
    Thanks, I've removed the internal DNS forwarders

    See this article about the missing expected value: http://technet.microsoft.com/en-us/library/cc794759(WS.10).aspx
    I have noticed that there was a reference to a DC that was then renamed in the fRSMemberReference attribute.  I have renamed DC-04 to DC-02 and verified it within ADSI Edit.
    I don't think I am running DFS as I can't find any reference to DFSR-GlobalSettings within AD.

    After rebooting this server, I received the following entry in the log viewer -
    "The File Replication Service is no longer preventing the computer JWC-DC-03 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL."

     

    I then followed some of the steps in this article posted by ArthurLi -

    http://social.technet.microsoft.com/Forums/en/winserverDS/thread/fd1a2738-f0de-4171-875f-5b5df781a1bf

    Created the missing FRS member object
    Browsed to and right-clicked CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=something,DC=no, picked New | Object...:
    Class = nTFRSMember
    Value = BGOSRV1
    Clicked [More attributes] and opted to view both types.
    Modified the following attributes:
    frsComputerReference = CN=BGOSRV1,OU=Domain Controllers,DC=something,DC=no
    instanceType = 4
    serverReference = CN=NTDS Settings,CN=BGOSRV1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=something,DC=no

    and inserting the correct domain information into serverReference i.e.    CN=DC-01,OU=Domain Controllers,DC=college,DC=collegename,DC=ac,DC=uk - This seemed to work because the next time I ran dcdiag, the error message relating to frsComputerReferenceBL disappeared.

     

    I then moved onto his next step,

    Updated the missing fRSMemberReference attribute on the NTFRSSubscriber object
    Browsed to CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,CN=BGOSRV1,OU=Domain Controllers,DC=something,DC=no, right-clicked it and chose Properties.
    Modified the following attribute:
    fRSMemberReference = CN=BGOSRV1,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=something,DC=no

    ...and inserting the correct domain information i.e. CN=DC-01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=college,DC=collegename,DC=ac,DC=uk

     

    However, I still receive the following error when I run dcdiag -

    Starting test: VerifyReferences
             Some objects relating to the DC JWC-DC-01 have problems:
    [1] Problem: Missing Expected Value
    Base Object:
    CN=NTDS Settings,CN=DC-01,CN=Servers,CN=EHC,CN=Sites,CN=Configuration,DC=college,DC=collegename,DC=ac,DC=uk
    Base Object Description: "DSA Object"
    Value Object Attribute Name: serverReferenceBL
    Value Object Description: "SYSVOL FRS Member Object"
    Recommended Action: See Knowledge Base Article: Q312862

     

    Can anyone shed any further light?  Should I be doing any of the registry mods that he states (I'm not sure if this part relates to my issue)?

    Many thanks

    LaszloPuskas


  • Monday, November 08, 2010 1:21 PM
     
     

    Hello,

    "Do you mean the disk partitions?  Sorry, I don't know that they are not in sync with each other, is this a problem I should address?"

     No, these are not disk partitions, they belong to active directory and all of them should be in sync, so please run repadmin /syncall on the JWC-DC-03 and check if they update with the other DCs.

    "I don't have a clue what PC this is.  It may have been a VirtualServer that was brought up and demoted as a DC in error, or it may just be an old PC on the network.  Should I look to try and clear it?"

    If that machine doesn't exist you should find it and remove it from the AD database if that was a DC, please check with:

    http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx

    "I have noticed that there was a reference to a DC that was then renamed in the fRSMemberReference attribute.  I have renamed DC-04 to DC-02 and verified it within ADSI Edit."

    If you ever had a DC-04 run metadata cleanup also for that one, then run the support tools again.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  • Monday, November 08, 2010 2:44 PM
     
     

    OK, I think I've now got the initial issue sorted out.

    I missed a setting in ADSI edit, it was in CN=DC-01,CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,CN=BGOSRV1,OU=Domain Controllers,DC=something,DC=no

    I entered the setting for serverReference to be -
    CN=NTDS Settings,CN=DC-01,CN=Servers,CN=EHC,CN=Sites,CN=Configuration,DC=college,DC=collegename,DC=ac,DC=uk

    I run dcdiag, and the issue has now gone!  The linked article was a big help, as I thought the MS KB was difficult to follow.

     

    However, I'll try and clean up the other guff that this exercise has highlighted........

    Meinolf, in answer to your last post....


     

    If you ever had a DC-04 run metadata cleanup also for that one, then run the support tools again.
    Sorry, can you be more specific about this please?

     

    If that machine doesn't exist you should find it and remove it from the AD database if that was a DC, please check with:
    http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx

    I can't find the object anywhere, it's not in AD Users & Computers and it's not referenced in ADSI edit with the other DCs, so I'm not sure how to locate it, any ideas?

    Thanks again.

     

     

     

    • Edited by LaszloPuskas Wednesday, November 10, 2010 7:46 PM
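    How the backlink names in the dcdiag output above relate to the forward-link attributes edited in ADSI Edit, as an added example that is not part of the original thread. Each "...BL" attribute is computed by AD from a forward link held on another object, so the value to set is the DN that dcdiag prints as "Base Object". The sample output and DNs are constructed placeholders, and the function names are hypothetical.

```python
import re

# backlink reported by dcdiag -> (forward-link attribute, class that holds it).
# Backlinks cannot be written directly; the forward link is what gets repaired.
FORWARD_LINKS = {
    "serverReferenceBL": ("serverReference", "nTFRSMember"),
    "frsComputerReferenceBL": ("frsComputerReference", "nTFRSMember"),
    "msDFSR-ComputerReferenceBL": ("msDFSR-ComputerReference", "msDFSR-Member"),
}

# Constructed sample in the layout shown in the thread (placeholder names).
# Note both layouts: DN wrapped onto the next line, and DN on the same line.
SAMPLE = """\
   Starting test: VerifyReferences
      Some objects relating to the DC DC-01 have problems:
         [1] Problem: Missing Expected Value
          Base Object:
         CN=NTDS Settings,CN=DC-01,CN=Servers,CN=Site-A,CN=Sites,CN=Configuration,DC=example,DC=test
          Base Object Description: "DSA Object"
          Value Object Attribute Name: serverReferenceBL
          Value Object Description: "SYSVOL FRS Member Object"
          Recommended Action: See Knowledge Base Article: Q312862

         [1] Problem: Missing Expected Value
          Base Object:CN=DC-01,OU=Domain Controllers,DC=example,DC=test
          Base Object Description: "DC Account Object"
          Value Object Attribute Name: frsComputerReferenceBL
          Value Object Description: "SYSVOL FRS Member Object"
          Recommended Action: See Knowledge Base Article: Q312862

      ......................... DC-01 failed test VerifyReferences
"""

PROBLEM = re.compile(r"^\[\d+\] Problem: Missing Expected Value$")


def parse_findings(text):
    """Return [{'base_dn': ..., 'backlink': ...}] for each reported problem."""
    lines = [ln.strip() for ln in text.splitlines()]
    findings, current, i = [], None, 0
    while i < len(lines):
        line = lines[i]
        if PROBLEM.match(line):
            current = {}
        elif current is not None and line.startswith("Base Object:"):
            dn = line[len("Base Object:"):].strip()
            if not dn and i + 1 < len(lines):  # DN wrapped onto the next line
                i += 1
                dn = lines[i]
            current["base_dn"] = dn
        elif current is not None and line.startswith("Value Object Attribute Name:"):
            current["backlink"] = line.split(":", 1)[1].strip()
            findings.append(current)
            current = None
        i += 1
    return findings


def dc_name(base_dn):
    """DC name from a DC account DN or an NTDS Settings DN (no escaped commas)."""
    cns = [p.split("=", 1)[1] for p in base_dn.split(",") if p.upper().startswith("CN=")]
    if cns and cns[0] == "NTDS Settings":
        cns = cns[1:]
    return cns[0] if cns else None


def repair_plan(text):
    """One entry per distinct finding: which forward link must point at which DN."""
    plan, seen = [], set()
    for f in parse_findings(text):
        key = (f["base_dn"].lower(), f["backlink"].lower())
        if key in seen:  # the same finding repeats across tests and reruns
            continue
        seen.add(key)
        attr, holder = FORWARD_LINKS.get(f["backlink"], (None, None))
        plan.append({"dc": dc_name(f["base_dn"]), "backlink": f["backlink"],
                     "set_attribute": attr, "on_class": holder,
                     "value": f["base_dn"]})
    return plan


if __name__ == "__main__":
    for step in repair_plan(SAMPLE):
        print(step)
```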
  • Monday, November 08, 2010 6:04 PM
     
     

    Hello,

    nice to hear that you got closer to an error free system.

    "I ran repadmin /syncall on the DC-03 and got this>"  and so on....

    Looks ok, with repadmin /showrepl it should show all in sync on DC-03, also run again the command from the beginning just to check the output yourself: repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt In the text file you should see all partitions now updated with the same date/time.

    For DC-04 check with this article: http://support.microsoft.com/kb/216498 if it is listed in the AD database, or any other NOT existing DC. If some are shown you should remove them. If none is shown you're fine. I just mentioned it as you have mentioned DC-04.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  • Tuesday, November 09, 2010 9:53 AM
     
     

    Hi Meinolf,

    Sorry to be an absolute pain, but I don't think the replication is completely sorted yet!

    I ran - repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt   for all three DCs.  The time and dates are still not synced.  Some are out by a few hours or a day, and some are out by a weeks!

    I have uploaded the three txt files to here > http://cid-a0fe4d96acfeac0b.office.live.com/browse.aspx/Showrpl?uc=3

    Can you have a look and let me know what you think?

    Thanks

    LaszloPuskas

  • Tuesday, November 09, 2010 10:17 AM
     
     

    Hello,

    DC-03 is having update problems. The other ones look ok for me. Do you run any firewall between the sites? What kind of connection is between them and is it up and running always?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  • Tuesday, November 09, 2010 11:20 AM
     
     

    Hi Meinolf,

    DC-01 and DC-03 are in the same site and the same vlan, in fact, they are on the same switch and are always on.  Neither have their firewalls enabled either, so there doesn't appear to be anything network or software related preventing them from seeing each other.

    Do you think this is a network related issue?  Is it worth demoting and re-promoting DC-03?

  • Tuesday, November 09, 2010 11:31 AM
     
     

    Hello,

    please post an unedited ipconfig /all from all DCs.

    Demoting and promoting again can help but in my opinion there should be another solution as replication was working and not that long time ago.

    Was there a change since the earliest listed date, restore from backup or whatever?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  • Tuesday, November 09, 2010 12:04 PM
     
     

    Hi Meinolf,

    You can get the files for the ipconfig results here > http://cid-a0fe4d96acfeac0b.office.live.com/browse.aspx/IPCONFIG?uc=3

    One thing of note, the Gateway for DC-03 is showing as

    Default Gateway . . . . . . . . . : 0.0.0.0
                                           10.1.30.1

    This is quite strange why there is a 0.0.0.0 in the entry first???

    Also, I've tracked the logs on DC-03, this server was promoted as a DC on the 11th of October.  This is the same date that the repadmin /showrepl dc* /verbose /all /intersite command shows as the last time the Schema and ForestZones were replicated.  This appears to say that it has only ever synced successfully once??

  • Tuesday, November 09, 2010 12:29 PM
     
     

    Hello,

    on DC-02 remove the loopback ip address 127.0.0.1, you use already the real one which is always the recommended one.

    On DC-03, can you remove the 0.0.0.0 as DG or is only the correct one listed if you open the NIC properties? Check also the Advanced TCP/IP settings, Default gateways. If everything looks normal i suggest to remove the complete ip configuration, reboot and reconfigure it to see if this brings it back to normal view. Keep in mind to do that if necessary at close of business time.

    That kind of view i have never seen before on a DG output in ipconfig.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  • Tuesday, November 09, 2010 4:43 PM
     
     

    Hi Meinolf,

    I've removed the loopback on DC02 and I've switched over to the secondary NIC on DC03.  Switching to the new NIC has removed the 0.0.0.0 address.  However, the problem still exists.

    I'm really confused about this because when I run a repadmin /showrepl on all of the three DCs, they show that replication was recent (i.e. today).   It's only when I run 'repadmin /showrepl dc* /verbose /all /intersite' do I see that DC-03 only ran on the 11th and 18th of November.  It's as if this is looking at an older log file or something....

    Proper confused!

    I tried taking DC-03 off the network for 20 minutes to see what would happen.  AD only replicated from DC-02 to DC-01, it stopped replicating from DC-01 to DC-02.  Could this be the root of the problem?  Is there something within AD sites and services that I should look at?

  • Wednesday, November 10, 2010 8:34 AM
     
     

    Hello,

    switching between the NICs, does it mean you use more than one NIC on the DCs or was this just to test and all other NICs are disabled which is recommended?

    Please post the output from repadmin /showrepl of each DC here, it's not that large so sky drive is not necessary.

    How are the NTDS settings in AD sites and services set on each DC, all to automatically created or manual and which are shown on the DCs?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  • Wednesday, November 10, 2010 9:05 AM
     
     

    Hi,

    I only use one NIC, but there are two in the server.  The one I don't use is disabled.

    I tried pasting the repadmin output but the formatting was crazy, so I've uploaded it again - it will be easier on the eye.
    http://cid-a0fe4d96acfeac0b.office.live.com/browse.aspx/Repadmin-Wed?uc=3

    The NTDS settings are automatically created, I haven't created any manual ones -

    NTDS settings -

    Site>EHC>Servers>JWC-DC-01>NTDS Settings =
    From Server - DC-02 (Site EEC)
    From Server - DC-03 (Site EHC)

    Site>EEC>Servers>JWC-DC-02>NTDS Settings =
    From Server - DC-03 (Site EHC)

    Site>EHC>Servers>JWC-DC-03>NTDS Settings =
    From Server - DC-01 (Site EHC)

     


  • Wednesday, November 10, 2010 9:49 AM
     
     

    Hello,

    as you can see if DC-03 is shut down only DC-01 replicates from DC-02 which is correct according to the output you have posted. DC-02 only gets replications from DC-03.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  • Wednesday, November 10, 2010 10:08 AM
     
     

    Hi Meinolf,

    OK thanks I will create a connection from DC01 to DC02.

    I realise that this thread is growing arms and legs, so I'll try and bring it to an end soon.  Did you manage to have a look at the 'repadmin /showrepl' for the DC's?  Do you think there is still a replicating issue?  It all looks good to me, it's only when I do a verbose output, do I see that DC-03 hasn't been replicated the schema (and one other) for a month, but there are never any errors.  Also, the 'repadmin /showrepl' for all DC's show that the replication has succeeded for all of the DCs. 

    Confused?!?!?!  Do I really have any replication issues?

  • Wednesday, November 10, 2010 11:36 AM
     
     

    Hello,

    i can confirm that the /verbose output is different also in my domains for some partitions but only for some hours, against which the /showrepl confirms all is up to date.

    With that in mind i would say the replication should be ok if /showrepl states all is replicated in your domain.


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
  • Wednesday, November 10, 2010 1:39 PM
     
     

    Meinolf,

    OK, sounds good then - I'll try the schema update at the weekend.

    Thanks very much for all your help, knowledge and perseverance on these issues - I'm extremely grateful for it all.

    LaszloPuskas


  • Tuesday, August 21, 2012 6:08 AM
     
     

    Hotfix http://support.microsoft.com/kb/2618669 from kb2618669 helps me!