Dcdiag on RODC shows errors
-
Tuesday, May 08, 2012 6:09 AM
Hi,
When I run Dcdiag on the RODC I get the error EventID: 0x0000165B and it shows a couple of computer accounts which failed authentication.
Please check the log file and suggest.
C:\>dcdiag
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = V-UAEDXBURDC01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: DXB-UmmRamool\V-UAEDXBURDC01
Starting test: Connectivity
......................... V-UAEDXBURDC01 passed test Connectivity
Doing primary tests
Testing server: DXB-UmmRamool\V-UAEDXBURDC01
Starting test: Advertising
......................... V-UAEDXBURDC01 passed test Advertising
Starting test: FrsEvent
......................... V-UAEDXBURDC01 passed test FrsEvent
Starting test: DFSREvent
......................... V-UAEDXBURDC01 passed test DFSREvent
Starting test: SysVolCheck
......................... V-UAEDXBURDC01 passed test SysVolCheck
Starting test: KccEvent
......................... V-UAEDXBURDC01 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... V-UAEDXBURDC01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... V-UAEDXBURDC01 passed test MachineAccount
Starting test: NCSecDesc
......................... V-UAEDXBURDC01 passed test NCSecDesc
Starting test: NetLogons
......................... V-UAEDXBURDC01 passed test NetLogons
Starting test: ObjectsReplicated
......................... V-UAEDXBURDC01 passed test ObjectsReplicated
Starting test: Replications
......................... V-UAEDXBURDC01 passed test Replications
Starting test: Services
......................... V-UAEDXBURDC01 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x0000165B
Time Generated: 05/08/2012 09:15:13
Event String:
The session setup from computer 'UAEDXBSODDTP002' failed because the security database does not contain a trust account 'UAEDXBSODDTP002$' referenced by the specified computer.
An error event occurred. EventID: 0x000016AD
Time Generated: 05/08/2012 09:18:32
Event String:
The session setup from the computer UAEDXBSODDTP002 failed to authenticate. The following error occurred:
An error event occurred. EventID: 0x000016AD
Time Generated: 05/08/2012 09:18:32
Event String:
The session setup from the computer UAEDXBSMDTP005 failed to authenticate. The following error occurred:
An error event occurred. EventID: 0x0000165B
Time Generated: 05/08/2012 09:23:19
Event String:
The session setup from computer 'UAEDXBPEDDTP004' failed because the security database does not contain a trust account 'UAEDXBPEDDTP004$' referenced by the specified computer.
An error event occurred. EventID: 0x000016AD
Time Generated: 05/08/2012 09:25:31
Event String:
The session setup from the computer UAEDXBPEDDTP004 failed to authenticate. The following error occurred:
An error event occurred. EventID: 0x0000165B
Time Generated: 05/08/2012 09:27:00
Event String:
The session setup from computer 'UAEDXBFCTDTP001' failed because the security database does not contain a trust account 'UAEDXBFCTDTP001$' referenced by the specified computer.
An error event occurred. EventID: 0x000016AD
Time Generated: 05/08/2012 09:29:00
Event String:
The session setup from the computer UAEDXBFCTDTP001 failed to authenticate. The following error occurred:
An error event occurred. EventID: 0x000016AD
Time Generated: 05/08/2012 09:36:20
Event String:
The session setup from the computer UAEDXBGSMDTP001 failed to authenticate. The following error occurred:
An error event occurred. EventID: 0x0000165B
Time Generated: 05/08/2012 09:39:05
Event String:
The session setup from computer 'UAEDXBMNTDTP005' failed because the security database does not contain a trust account 'UAEDXBMNTDTP005$' referenced by the specified computer.
An error event occurred. EventID: 0x000016AD
Time Generated: 05/08/2012 09:41:22
Event String:
The session setup from the computer UAEDXBMNTDTP005 failed to authenticate. The following error occurred:
An error event occurred. EventID: 0x000016AD
Time Generated: 05/08/2012 09:45:52
Event String:
The session setup from the computer GEIDXBDC02 failed to authenticate. The following error occurred:
An error event occurred. EventID: 0x0000165B
Time Generated: 05/08/2012 09:49:17
Event String:
The session setup from computer 'UAEDXBSODNB001' failed because the security database does not contain a trust account 'UAEDXBSODNB001$' referenced by the specified computer.
An error event occurred. EventID: 0x0000165B
Time Generated: 05/08/2012 09:50:42
Event String:
The session setup from computer 'GEIDXBDC01' failed because the security database does not contain a trust account 'gei.com.' referenced by the specified computer.
An error event occurred. EventID: 0x0000165B
Time Generated: 05/08/2012 09:51:00
Event String:
The session setup from computer 'UAEDXBCTEDTP006' failed because the security database does not contain a trust account 'UAEDXBCTEDTP006$' referenced by the specified computer.
An error event occurred. EventID: 0x000016AD
Time Generated: 05/08/2012 09:51:40
Event String:
The session setup from the computer UAEDXBSODNB001 failed to authenticate. The following error occurred:
An error event occurred. EventID: 0x000016AD
Time Generated: 05/08/2012 09:53:01
Event String:
The session setup from the computer GEIDXBDC01 failed to authenticate. The following error occurred:
An error event occurred. EventID: 0x000016AD
Time Generated: 05/08/2012 09:53:01
Event String:
The session setup from the computer UAEDXBCTEDTP006 failed to authenticate. The following error occurred:
An error event occurred. EventID: 0x0000165B
Time Generated: 05/08/2012 09:54:20
Event String:
The session setup from computer 'UAEDXBHRADTP011' failed because the security database does not contain a trust account 'UAEDXBHRADTP011$' referenced by the specified computer.
An error event occurred. EventID: 0x0000165B
Time Generated: 05/08/2012 09:55:51
Event String:
The session setup from computer 'V-UAEDXBURDC02' failed because the security database does not contain a trust account 'V-UAEDXBURDC02$' referenced by the specified computer.
An error event occurred. EventID: 0x0000165B
Time Generated: 05/08/2012 09:56:26
Event String:
The session setup from computer 'UAEDXBGRPDTP006' failed because the security database does not contain a trust account 'UAEDXBGRPDTP006$' referenced by the specified computer.
A warning event occurred. EventID: 0x000016B2
Time Generated: 05/08/2012 09:57:14
Event String:
During the past 4.21 hours, this domain controller has received 200 connections from dual-stack IPv4/IPv6 clients with partial subnet-site mappings. A client has a partial subnet-site mapping if its IPv4 address is mapped to a site but its global IPv6 address is not mapped to a site, or vice versa. To ensure correct behavior for applications running on member computers and servers that rely on subnet-site mappings, dual-stack IPv4/IPv6 clients must have both IPv4 and global IPv6 addresses mapped to the same site. If a partially mapped client attempts to connect to this domain controller using its unmapped IP address, its mapped address is used for the client's site mapping.
An error event occurred. EventID: 0x000016AD
Time Generated: 05/08/2012 09:58:22
Event String:
The session setup from the computer V-UAEDXBURDC02 failed to authenticate. The following error occurred:
An error event occurred. EventID: 0x000016AD
Time Generated: 05/08/2012 09:58:50
Event String:
The session setup from the computer UAEDXBGRPDTP006 failed to authenticate. The following error occurred:
......................... V-UAEDXBURDC01 failed test SystemLog
Starting test: VerifyReferences
......................... V-UAEDXBURDC01 passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : FPG
Starting test: CheckSDRefDom
......................... FPG passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... FPG passed test CrossRefValidation
Running enterprise tests on : FPG.Global
Starting test: LocatorCheck
......................... FPG.Global passed test LocatorCheck
Starting test: Intersite
......................... FPG.Global passed test Intersite
Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
All Replies
-
Tuesday, May 08, 2012 6:21 AM
From the dcdiag output the health of the RODC is looking good; however, in the system log there are errors for the workstations. Check the workstation PCs; it seems that the secure channel is broken, hence you are getting:
We experienced the following error on a server: “The session setup for computer xxxcomputer failed because the security database does not contain a trust account “xxcomputer” referenced by the specified computer”. It seems to be a DNS name resolution issue. The error message indicates that the secure channel between the client server and the DC is broken.
(1) Check the DNS & WINS entries.
IP configuration on clients and member servers:
-----------------------------------
1. Each workstation/member server should point to the local DNS server as primary DNS and other remote DNS servers as secondary.
2. Do not set a public DNS server in the TCP/IP settings of the WS.
(2) Check whether the Firewall service is ON or OFF.
Refer to this link to disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx
(3) Check the status of the Browser service. It should be started.
(4) Check the status of the machine account in AD (it may be disabled). If the machine account is disabled, enable it.
(5) Remove the server from the domain and re-add it to the domain, or else try using the netdom utility to reset the secure channel between the server and the domain controller:
http://support.microsoft.com/kb/260575
(6) Also check the DNS console for duplicate records for the host machine and remove them.
(7) Take a look at the below hotfix too: "A secure channel is broken after you change the computer password on a Windows 7 or Windows Server 2008 R2-based client computer"
http://support.microsoft.com/kb/979495
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
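Items (4) to (6) of Sandesh's checklist can be worked from the DC side in one pass. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory module is available on the DC (and the DnsClient module for Resolve-DnsName, which ships with Windows 8 / Server 2012 or later). It pulls the two NetLogon events dcdiag reported (0x165B is event 5723, 0x16AD is event 5805) from the System log, extracts the client names, and checks each one's computer account and A records. The function name and the 24-hour window are assumptions of this example.

```powershell
# Added example, not part of the thread. Run on the DC that logged the events
# (here the RODC). NetLogon event 5723 is 0x165B and 5805 is 0x16AD in
# dcdiag's hex output.
Import-Module ActiveDirectory

function Get-BrokenSecureChannelReport {
    param(
        # Lookback window; 24 hours is an assumed default
        [int]$Hours = 24
    )

    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'NETLOGON'
        Id           = 5723, 5805
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Both message forms seen in the dcdiag output name the client right after
    # "session setup from computer" / "session setup from the computer".
    $names = foreach ($e in $events) {
        if ($e.Message -match "session setup from (?:the )?computer '?([^'\s]+)'?") {
            $Matches[1]
        }
    }

    foreach ($name in ($names | Sort-Object -Unique)) {
        # Item (4): does the account exist and is it enabled?
        $acct = Get-ADComputer -Filter "Name -eq '$name'" `
                    -Properties Enabled, PasswordLastSet, DNSHostName -ErrorAction SilentlyContinue
        # Item (6): more than one A record for the host means duplicate DNS records.
        $dnsCount = 0
        if ($acct -and $acct.DNSHostName) {
            $dnsCount = @(Resolve-DnsName -Name $acct.DNSHostName -Type A -ErrorAction SilentlyContinue).Count
        }
        [pscustomobject]@{
            Computer        = $name
            AccountExists   = [bool]$acct
            Enabled         = if ($acct) { $acct.Enabled } else { $null }
            PasswordLastSet = if ($acct) { $acct.PasswordLastSet } else { $null }
            DnsARecords     = $dnsCount
        }
    }
}

Get-BrokenSecureChannelReport -Hours 24 | Format-Table -AutoSize
```

A client that shows AccountExists = True, Enabled = True and a single A record but still logs 5805 is the case for item (5): on that client, Test-ComputerSecureChannel -Repair -Credential (Get-Credential) resets the secure channel without leaving and rejoining the domain, and netdom reset <computer> /domain:<domain> from KB260575 does the same from the command line.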
Tuesday, May 08, 2012 7:33 AM
Hi,
As mentioned, you can check one computer by just removing from domain and re-adding it.
Regards, Mohan R Sr. Administrator - Server Support
-
Tuesday, May 08, 2012 8:48 AM Moderator
I presume you have cached the users' passwords for login to the RODC site, but did you cache the machine accounts too for the machine login to the RODC site? If not, then the machine will first establish a secure channel with the RWDC site instead of the locally present RODC, and another reason is that login will fail during a WAN link failure. The reason to cache the machine account password too is that if you don't, then it will use the RWDC for establishing the secure channel. Also, the RODC can't issue Kerberos tickets. The machines which are authenticating against the RODC are all Windows Vista and above; if not, you need to install the RODC compatibility pack.
Is the RODC also a GC and DNS server? If not, make it one and point the RODC site's clients to the RODC as the DNS server in their NIC.
All About (RODC) Read Only Domain Controllers http://awinish.wordpress.com/2011/10/04/rodc-read-only-domain-controller/
The other thing which I suspect is the sites and subnet configuration; did you verify that sites/subnets/site links are configured properly?
Active Directory Sites and Services http://technet.microsoft.com/en-us/library/cc730868.aspx
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Proposed As Answer by Meinolf Weber MVP Tuesday, May 08, 2012 11:25 AM
- Marked As Answer by Maqsood Mohammed Thursday, May 10, 2012 11:07 AM
-
Tuesday, May 08, 2012 11:27 AM
Thanks Awinish,
I am only caching user passwords on the RODC sites, not the computer passwords.
Is it the best practice to also add the computer accounts of the site to the Password Replication Policy on the RODC?
There was a Subnet missing in the Site.
RODC is GC & DNS.
Regards,
Maqsood
Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified
-
Tuesday, May 08, 2012 11:29 AM
Hello,
Some more details about your configuration for the RODCs, like the PRP, are not mentioned here. So how is this configured, and is the RODC also a GC and DNS server?
Also ensure that AD Sites and Services is configured for each subnet and site.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Tuesday, May 08, 2012 11:33 AM Moderator
If you want local clients in the RODC site to be able to log in when the WAN link is down, you need to cache the machine accounts too. You need to create the subnet too. By default, the RODC doesn't perform auto site coverage and it only registers site-specific records, but for down-level OSes you have to install the compatibility pack for the RODC. Refer to the blog article on RODC I posted earlier and also configure the sites/subnets properly.
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com
Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
- Proposed As Answer by Prashant Girennavar Tuesday, May 08, 2012 5:09 PM
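The points Awinish raises across his two replies (RODC as GC, the PRP allowing computer accounts, and subnets mapped to the site) can all be read and changed with the ActiveDirectory module. The following PowerShell is an added example, not code from the thread; it assumes V-UAEDXBURDC01 from the dcdiag output is the RODC, that the Windows Server 2012 or later version of the module is installed (Get-ADReplicationSubnet does not exist in the 2008 R2 version), and a hypothetical group RODC-DXB-Computers that holds the site's computer accounts.

```powershell
# Added example, not part of the thread. Assumes the ActiveDirectory module
# (2012 or later for Get-ADReplicationSubnet), that V-UAEDXBURDC01 is the RODC
# and that RODC-DXB-Computers is a group of the site's computer accounts
# (hypothetical group name).
Import-Module ActiveDirectory
$rodc = 'V-UAEDXBURDC01'

# 1. Role check: read-only, and also a GC, and which site it sits in.
Get-ADDomainController -Identity $rodc |
    Select-Object Name, IsReadOnly, IsGlobalCatalog, Site | Format-List

# 2. Current Password Replication Policy: who may and may not be cached here.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed |
    Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied |
    Select-Object Name, ObjectClass

# 3. Accounts that have authenticated through this RODC but whose secrets are
#    not cached on it. Computer objects in this list are the ones that go to the
#    RWDC for their secure channel, which is the behaviour Awinish describes.
$revealedDn = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
                ForEach-Object { $_.DistinguishedName })
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Where-Object { $revealedDn -notcontains $_.DistinguishedName } |
    Select-Object Name, ObjectClass

# 4. Allow the site's computer accounts to be cached. -WhatIf only reports what
#    would change; drop it to apply.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList 'RODC-DXB-Computers' -WhatIf

# 5. Subnet-to-site mapping: every client subnet in the branch should map to the
#    RODC's site (the thread found one subnet missing).
Get-ADReplicationSubnet -Filter * | Select-Object Name, Site | Sort-Object Site
```

Adding accounts to the allowed list only permits caching; a secret is cached the first time the account authenticates through the RODC afterwards, or earlier if it is prepopulated with repadmin /rodcpwdrepl.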
-
Wednesday, May 09, 2012 3:01 AM Moderator
Hi,
If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.
http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx
http://blogs.technet.com/b/tunagezer/archive/2011/05/28/active-directory-schema-nedir-forest-n-z-hangi-schema-seviyesinde.aspx
To verify that adprep /rodcprep completed successfully
1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2.
2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
3. Click Action, and then click Connect to.
4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.
5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain
where forest_root_domain is the distinguished name of your forest root domain.
6. Double-click CN=ForestUpdates.
7. Right-click CN=ActivedirectoryRodcUpdate, and then click Properties.
8. Confirm that the Revision attribute value is 2, and then click OK.
Regards,
Yan Li
If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Yan Li
TechNet Community Support
- Marked As Answer by Yan Li_Microsoft Contingent Staff, Moderator Monday, May 14, 2012 1:38 AM
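The ADSIEdit steps in Yan Li's post read one attribute from the Configuration partition, which is quicker to do in PowerShell. The following is an added example, not code from the thread; it assumes the ActiveDirectory module and read access to the Configuration partition, and the function name is this example's own.

```powershell
# Added example, not part of the thread: the same check as the ADSIEdit steps,
# read with the ActiveDirectory module. Assumes the module is installed and the
# caller can read the Configuration partition.
Import-Module ActiveDirectory

function Test-RodcPrep {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    # Step 5 to 7 of the GUI procedure as one distinguished name.
    $dn  = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$configNC"
    $obj = Get-ADObject -Identity $dn -Properties revision -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Object       = $dn
        Revision     = if ($obj) { $obj.revision } else { $null }
        # Step 8: the post states the expected value is 2.
        RodcPrepDone = [bool]($obj -and $obj.revision -eq 2)
    }
}

Test-RodcPrep | Format-List
```

A missing object (Revision empty) means adprep /rodcprep has never run in this forest; any other revision means it did not complete.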

