Dcdiag on RODC shows errors

    Question

  • Hi,

    When I run dcdiag on the RODC I get the error EventID: 0x0000165B, and it shows a couple of computer accounts which failed authentication.

    Please check the log file and suggest.

    C:\>dcdiag

    Directory Server Diagnosis

    Performing initial setup:

       Trying to find home server...

       Home Server = V-UAEDXBURDC01

       * Identified AD Forest.

       Done gathering initial info.

    Doing initial required tests

       Testing server: DXB-UmmRamool\V-UAEDXBURDC01

          Starting test: Connectivity

             ......................... V-UAEDXBURDC01 passed test Connectivity

    Doing primary tests

       Testing server: DXB-UmmRamool\V-UAEDXBURDC01

          Starting test: Advertising

             ......................... V-UAEDXBURDC01 passed test Advertising

          Starting test: FrsEvent

             ......................... V-UAEDXBURDC01 passed test FrsEvent

          Starting test: DFSREvent

             ......................... V-UAEDXBURDC01 passed test DFSREvent

          Starting test: SysVolCheck

             ......................... V-UAEDXBURDC01 passed test SysVolCheck

          Starting test: KccEvent

             ......................... V-UAEDXBURDC01 passed test KccEvent

          Starting test: KnowsOfRoleHolders

             ......................... V-UAEDXBURDC01 passed test KnowsOfRoleHolders

          Starting test: MachineAccount

             ......................... V-UAEDXBURDC01 passed test MachineAccount

          Starting test: NCSecDesc

             ......................... V-UAEDXBURDC01 passed test NCSecDesc

          Starting test: NetLogons

             ......................... V-UAEDXBURDC01 passed test NetLogons

          Starting test: ObjectsReplicated

             ......................... V-UAEDXBURDC01 passed test ObjectsReplicated

          Starting test: Replications

             ......................... V-UAEDXBURDC01 passed test Replications

          Starting test: Services

             ......................... V-UAEDXBURDC01 passed test Services

          Starting test: SystemLog

             An error event occurred.  EventID: 0x0000165B
                Time Generated: 05/08/2012   09:15:13
                Event String:
                The session setup from computer 'UAEDXBSODDTP002' failed because the security database does not contain a trust account 'UAEDXBSODDTP002$' referenced by the specified computer.

             An error event occurred.  EventID: 0x000016AD
                Time Generated: 05/08/2012   09:18:32
                Event String:
                The session setup from the computer UAEDXBSODDTP002 failed to authenticate. The following error occurred:

             An error event occurred.  EventID: 0x000016AD
                Time Generated: 05/08/2012   09:18:32
                Event String:
                The session setup from the computer UAEDXBSMDTP005 failed to authenticate. The following error occurred:

             An error event occurred.  EventID: 0x0000165B
                Time Generated: 05/08/2012   09:23:19
                Event String:
                The session setup from computer 'UAEDXBPEDDTP004' failed because the security database does not contain a trust account 'UAEDXBPEDDTP004$' referenced by the specified computer.

             An error event occurred.  EventID: 0x000016AD
                Time Generated: 05/08/2012   09:25:31
                Event String:
                The session setup from the computer UAEDXBPEDDTP004 failed to authenticate. The following error occurred:

             An error event occurred.  EventID: 0x0000165B
                Time Generated: 05/08/2012   09:27:00
                Event String:
                The session setup from computer 'UAEDXBFCTDTP001' failed because the security database does not contain a trust account 'UAEDXBFCTDTP001$' referenced by the specified computer.

             An error event occurred.  EventID: 0x000016AD
                Time Generated: 05/08/2012   09:29:00
                Event String:
                The session setup from the computer UAEDXBFCTDTP001 failed to authenticate. The following error occurred:

             An error event occurred.  EventID: 0x000016AD
                Time Generated: 05/08/2012   09:36:20
                Event String:
                The session setup from the computer UAEDXBGSMDTP001 failed to authenticate. The following error occurred:

             An error event occurred.  EventID: 0x0000165B
                Time Generated: 05/08/2012   09:39:05
                Event String:
                The session setup from computer 'UAEDXBMNTDTP005' failed because the security database does not contain a trust account 'UAEDXBMNTDTP005$' referenced by the specified computer.

             An error event occurred.  EventID: 0x000016AD
                Time Generated: 05/08/2012   09:41:22
                Event String:
                The session setup from the computer UAEDXBMNTDTP005 failed to authenticate. The following error occurred:

             An error event occurred.  EventID: 0x000016AD
                Time Generated: 05/08/2012   09:45:52
                Event String:
                The session setup from the computer GEIDXBDC02 failed to authenticate. The following error occurred:

             An error event occurred.  EventID: 0x0000165B
                Time Generated: 05/08/2012   09:49:17
                Event String:
                The session setup from computer 'UAEDXBSODNB001' failed because the security database does not contain a trust account 'UAEDXBSODNB001$' referenced by the specified computer.

             An error event occurred.  EventID: 0x0000165B
                Time Generated: 05/08/2012   09:50:42
                Event String:
                The session setup from computer 'GEIDXBDC01' failed because the security database does not contain a trust account 'gei.com.' referenced by the specified computer.

             An error event occurred.  EventID: 0x0000165B
                Time Generated: 05/08/2012   09:51:00
                Event String:
                The session setup from computer 'UAEDXBCTEDTP006' failed because the security database does not contain a trust account 'UAEDXBCTEDTP006$' referenced by the specified computer.

             An error event occurred.  EventID: 0x000016AD
                Time Generated: 05/08/2012   09:51:40
                Event String:
                The session setup from the computer UAEDXBSODNB001 failed to authenticate. The following error occurred:

             An error event occurred.  EventID: 0x000016AD
                Time Generated: 05/08/2012   09:53:01
                Event String:
                The session setup from the computer GEIDXBDC01 failed to authenticate. The following error occurred:

             An error event occurred.  EventID: 0x000016AD
                Time Generated: 05/08/2012   09:53:01
                Event String:
                The session setup from the computer UAEDXBCTEDTP006 failed to authenticate. The following error occurred:

             An error event occurred.  EventID: 0x0000165B
                Time Generated: 05/08/2012   09:54:20
                Event String:
                The session setup from computer 'UAEDXBHRADTP011' failed because the security database does not contain a trust account 'UAEDXBHRADTP011$' referenced by the specified computer.

             An error event occurred.  EventID: 0x0000165B
                Time Generated: 05/08/2012   09:55:51
                Event String:
                The session setup from computer 'V-UAEDXBURDC02' failed because the security database does not contain a trust account 'V-UAEDXBURDC02$' referenced by the specified computer.

             An error event occurred.  EventID: 0x0000165B
                Time Generated: 05/08/2012   09:56:26
                Event String:
                The session setup from computer 'UAEDXBGRPDTP006' failed because the security database does not contain a trust account 'UAEDXBGRPDTP006$' referenced by the specified computer.

             A warning event occurred.  EventID: 0x000016B2
                Time Generated: 05/08/2012   09:57:14
                Event String:
                During the past 4.21 hours, this domain controller has received 200 connections from dual-stack IPv4/IPv6 clients with partial subnet-site mappings. A client has a partial subnet-site mapping if its IPv4 address is mapped to a site but its global IPv6 address is not mapped to a site, or vice versa. To ensure correct behavior for applications running on member computers and servers that rely on subnet-site mappings, dual-stack IPv4/IPv6 clients must have both IPv4 and global IPv6 addresses mapped to the same site. If a partially mapped client attempts to connect to this domain controller using its unmapped IP address, its mapped address is used for the client's site mapping.

             An error event occurred.  EventID: 0x000016AD
                Time Generated: 05/08/2012   09:58:22
                Event String:
                The session setup from the computer V-UAEDXBURDC02 failed to authenticate. The following error occurred:

             An error event occurred.  EventID: 0x000016AD
                Time Generated: 05/08/2012   09:58:50
                Event String:
                The session setup from the computer UAEDXBGRPDTP006 failed to authenticate. The following error occurred:

             ......................... V-UAEDXBURDC01 failed test SystemLog

          Starting test: VerifyReferences

             ......................... V-UAEDXBURDC01 passed test VerifyReferences

       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test CrossRefValidation

       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test CrossRefValidation

       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : FPG

          Starting test: CheckSDRefDom

             ......................... FPG passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... FPG passed test CrossRefValidation

       Running enterprise tests on : FPG.Global

          Starting test: LocatorCheck

             ......................... FPG.Global passed test LocatorCheck

          Starting test: Intersite

             ......................... FPG.Global passed test Intersite



    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Tuesday, May 08, 2012 6:09 AM

Answers

  • I presume you have cached the users' passwords for logins in the RODC site, but did you cache the machine accounts too, for the machine logins in the RODC site? If not, the machine will first establish a secure channel with the RWDC site instead of the locally present RODC, and another reason is that login will fail during a WAN link failure. The reason to cache the machine account password too is that if you don't, it will use the RWDC for establishing the secure channel. Also, the RODC can't issue a Kerberos ticket. The machines which are authenticating against the RODC should all be Windows Vista and above; if not, you need to install the RODC compatibility pack.

    Is the RODC also a GC and DNS server? If not, make it one, and point the RODC site's clients to the RODC as the DNS server in their NIC settings.

    All About (RODC)Read Only Domain Controllers  http://awinish.wordpress.com/2011/10/04/rodc-read-only-domain-controller/

    The other thing which I suspect is the sites and subnets configuration. Did you verify that sites/subnets/site links are configured properly?

    Active Directory Sites and Services  http://technet.microsoft.com/en-us/library/cc730868.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, May 08, 2012 8:48 AM
    Moderator
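The answer above asks whether the machine accounts, not just the users, are in the RODC's Password Replication Policy (PRP), and the dcdiag output in the question is a long list of NETLOGON 5723/5805 events that has to be turned into a list of machines before anyone can answer that. The following PowerShell is an added example, not code from the thread or from either poster. It parses the SystemLog section as dcdiag prints it (the hex EventIDs map to NETLOGON 5723, 5805 and 5810), looks each machine up against the RODC's PRP usage, and shows how to allow and pre-populate a computer account. The RODC name V-UAEDXBURDC01 is from the question; the writable DC name RWDC01 and the site-specific group RODC-DXB-Allowed are assumed placeholders. The AD parts need the ActiveDirectory module (RSAT) on a domain-joined host.

```powershell
# Added example (not from the original thread). Parses dcdiag SystemLog events,
# then checks the machines against the RODC's Password Replication Policy usage.
# Assumed placeholders: RWDC01 (writable DC), RODC-DXB-Allowed (site allow group).

# dcdiag prints NETLOGON event IDs in hex: 0x165B = 5723, 0x16AD = 5805, 0x16B2 = 5810
$EventNames = @{
    5723 = 'NETLOGON 5723: security database has no trust account for this computer'
    5805 = 'NETLOGON 5805: session setup failed to authenticate'
    5810 = 'NETLOGON 5810: partial IPv4/IPv6 subnet-site mapping (warning)'
}

function ConvertFrom-DcdiagSystemLog {
    param([Parameter(Mandatory)][string]$Text)
    # dcdiag wraps long event strings at 80 columns; join the fragments into one line first.
    # The copy in the question lost one character at each wrap, but the computer names survive intact.
    $flat = (($Text -split "`r?`n") | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join ' '
    $pattern = 'EventID: 0x(?<id>[0-9A-Fa-f]{8})\s+Time Generated: (?<time>\S+\s+\S+)\s+Event String:\s+(?<msg>.*?)(?=\s+An? (?:error|warning) event occurred|$)'
    foreach ($m in [regex]::Matches($flat, $pattern)) {
        $id  = [Convert]::ToInt32($m.Groups['id'].Value, 16)
        $msg = $m.Groups['msg'].Value
        # 5723 quotes the name ('HOST'); 5805 prints it bare. Both say "failed" right after it.
        $computer = if ($msg -match "from (?:the )?computer '?(?<c>[^' ]+)'? failed") { $Matches['c'] } else { $null }
        [pscustomobject]@{
            EventId  = $id
            Name     = $EventNames[$id]
            Time     = $m.Groups['time'].Value
            Computer = $computer
            Message  = $msg
        }
    }
}

# Constructed sample: two events from the question, wrapped exactly as dcdiag printed them
$sample = @'
         An error event occurred.  EventID: 0x0000165B
            Time Generated: 05/08/2012   09:15:13
            Event String:
            The session setup from computer 'UAEDXBSODDTP002' failed because th
 security database does not contain a trust account 'UAEDXBSODDTP002$' referenc
d by the specified computer.
         An error event occurred.  EventID: 0x000016AD
            Time Generated: 05/08/2012   09:18:32
            Event String:
            The session setup from the computer UAEDXBSODDTP002 failed to authe
ticate. The following error occurred:
'@

$events = ConvertFrom-DcdiagSystemLog -Text $sample
$events | Group-Object Computer, EventId | Select-Object Count, Name | Format-Table -AutoSize
# Every machine that raised 5723 or 5805 is a triage candidate
$suspects = $events | Where-Object { $_.EventId -in 5723, 5805 } | Select-Object -ExpandProperty Computer -Unique

function Get-RodcAccountStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName, [Parameter(Mandatory)][string]$Rodc)
    # Accounts that have authenticated through this RODC, and those whose secrets it actually holds
    $authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -AuthenticatedAccounts
    $revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    foreach ($c in $ComputerName) {
        $acct = Get-ADComputer -Filter "Name -eq '$c'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer             = $c
            ExistsInAD           = [bool]$acct                       # 5723 means the RODC has no such account
            Enabled              = if ($acct) { $acct.Enabled } else { $null }
            AuthenticatedViaRodc = [bool]($authenticated | Where-Object { $_.Name -eq $c })
            SecretCachedOnRodc   = [bool]($revealed      | Where-Object { $_.Name -eq $c })
        }
    }
}

function Add-RodcCachedComputer {
    param([Parameter(Mandatory)][string]$ComputerName, [Parameter(Mandatory)][string]$Rodc,
          [Parameter(Mandatory)][string]$AllowGroup,   [Parameter(Mandatory)][string]$SourceRwdc)
    $acct = Get-ADComputer -Filter "Name -eq '$ComputerName'"
    # 1. The site's allow group must itself be on the RODC's Allowed list
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed
    if ($allowed.Name -notcontains $AllowGroup) {
        Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $AllowGroup
    }
    # 2. Put the computer in that group instead of editing the PRP per machine
    Add-ADGroupMember -Identity $AllowGroup -Members $acct
    # 3. Pre-populate the secret now, so the first logon during a WAN outage does not need the RWDC
    Sync-ADObject -Object $acct -Source $SourceRwdc -Destination $Rodc -PasswordOnly
}

# Usage against a live domain (placeholders as noted above):
# Get-RodcAccountStatus -ComputerName $suspects -Rodc 'V-UAEDXBURDC01' | Format-Table -AutoSize
# Add-RodcCachedComputer -ComputerName 'UAEDXBSODDTP002' -Rodc 'V-UAEDXBURDC01' -AllowGroup 'RODC-DXB-Allowed' -SourceRwdc 'RWDC01'
```

Two things worth noting from the status output. A machine that shows ExistsInAD = True but SecretCachedOnRodc = False is exactly the case the answer describes: the RODC forwards its secure-channel setup to a writable DC and the 5723/5805 pair appears while that forwarding fails or is slow. A machine that shows ExistsInAD = False has a different problem (stale, deleted or not-yet-replicated account) that no PRP change will fix. Keep the allow group site-specific rather than using the domain-wide "Allowed RODC Password Replication Group", since anything cached on an RODC is exposed if that RODC is compromised.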
  • Hi,

    If you do not plan to add an RODC to the forest, you can disregard this error. If you plan to add an RODC to the forest, you must run adprep /rodcprep.

    http://blogs.technet.com/b/askds/archive/2011/06/14/what-is-the-impact-of-upgrading-the-domain-or-forest-functional-level.aspx 
    http://blogs.technet.com/b/tunagezer/archive/2011/05/28/active-directory-schema-nedir-forest-n-z-hangi-schema-seviyesinde.aspx

    To verify that adprep /rodcprep completed successfully
    1. Log on to an administrative workstation that has ADSIEdit installed. ADSIEdit is installed by default on domain controllers that run Windows Server 2008 or Windows Server 2008 R2.
    2. Click Start, click Run, type ADSIEdit.msc, and then click OK.
    3. Click Action, and then click Connect to.
    4. Click Select a well known Naming Context, select Configuration in the list of available naming contexts, and then click OK.
    5. Double-click Configuration, and then double-click CN=Configuration,DC=forest_root_domain
    where forest_root_domain is the distinguished name of your forest root domain.
    6. Double-click CN=ForestUpdates.
    7. Right-click CN=ActiveDirectoryRodcUpdate, and then click Properties.
    8. Confirm that the Revision attribute value is 2, and then click OK.

    Regards,

    Yan Li

    TechNet Subscriber Support


    Wednesday, May 09, 2012 3:01 AM
    Moderator
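The eight ADSIEdit steps above reduce to one LDAP read. The following PowerShell is an added example, not code from the thread: it resolves the Configuration naming context from the RootDSE, reads the revision attribute of CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates and reports whether it holds the value 2 that adprep /rodcprep leaves behind. It needs the ActiveDirectory module and changes nothing in AD.

```powershell
# Added example (not from the original thread): verify adprep /rodcprep without ADSIEdit.
function Test-RodcPrep {
    # The object lives in the Configuration partition, so it replicates forest-wide;
    # ask whichever DC you like, or pin one with -Server to check replication of the flag.
    param([string]$Server)
    $dcArgs = @{}
    if ($Server) { $dcArgs.Server = $Server }

    $config = (Get-ADRootDSE @dcArgs).configurationNamingContext
    $dn     = "CN=ActiveDirectoryRodcUpdate,CN=ForestUpdates,$config"
    try {
        $obj = Get-ADObject @dcArgs -Identity $dn -Properties revision -ErrorAction Stop
        [pscustomobject]@{
            Object       = $dn
            Revision     = $obj.revision
            RodcPrepDone = ($obj.revision -eq 2)   # 2 = rodcprep completed
        }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Object absent: rodcprep has never run, or has not replicated to this DC yet
        [pscustomobject]@{ Object = $dn; Revision = $null; RodcPrepDone = $false }
    }
}

Test-RodcPrep
# Test-RodcPrep -Server 'V-UAEDXBURDC01'   # confirm the flag has reached the RODC's replica
```

Running it once against a writable DC and once with -Server pointed at the RODC also tells you whether the Configuration partition is replicating to the RODC at all, which is a cheaper first check than the full dcdiag run.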

All replies

  • From the dcdiag output the health of the RODC looks good; however, in the system log there are errors for the workstations. Check the workstation PCs; it seems that the secure channel is broken, hence you are getting:
    We experienced the following error on a server: "The session setup for computer xxxcomputer failed because the security database does not contain a trust account "xxcomputer" referenced by the specified computer".

    It seems to be a DNS name resolution issue. The error message indicates that the secure channel between the client server and the DC is broken.
    (1) Check the DNS & WINS entries.
     IP configuration on clients and member servers:
    -----------------------------------
    1. Each workstation/member server should point to the local DNS server as primary DNS and other remote DNS servers as secondary.
    2. Do not set a public DNS server in the TCP/IP settings of the workstation.

    (2) Check whether the Firewall service is ON or OFF.
    Refer to this link to disable the firewall: http://technet.microsoft.com/en-us/library/cc766337(WS.10).aspx

    (3) Check the status of the Browser service.
    It should be started.

    (4) Check the status of the machine account in AD (it may be disabled).
    If the machine account is disabled, enable it.

    (5) Remove the server from the domain and re-add it to the domain, or else try using the netdom utility to reset the secure channel between the server and the domain controller.
    http://support.microsoft.com/kb/260575

    (6) Also check the DNS console for duplicate records for the host machine and remove them.

    (7) Take a look at the hotfix below too. A secure channel is broken after you change the computer password on a Windows 7 or Windows Server 2008 R2-based client computer
    http://support.microsoft.com/kb/979495

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, May 08, 2012 6:21 AM
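The checklist above is what you would run on each affected workstation, and most of it can be done in one elevated PowerShell session instead of by hand. The script below is an added example, not code from the thread or from the poster. It records the DNS servers each NIC uses and flags any outside RFC 1918 space (steps 1), reports the Domain firewall profile and the Browser service (2 and 3), counts the A records for the host's FQDN (6), shows which DC the secure channel is bound to, verifies the channel, and, only when asked, repairs it in place rather than leaving and rejoining the domain (5). The domain name FPG.Global and the DC V-UAEDXBURDC01 are taken from the dcdiag output in the question; nothing else is from the thread. Two caveats a practitioner would add: do not switch the firewall off to test, just confirm the Domain profile is the active one; and step 4 (a disabled computer object) is an AD-side check, so it is noted in a comment rather than run here.

```powershell
# Added example (not from the original thread): workstation-side secure channel triage.
# Run elevated on the affected client. Domain/DC names come from the question's dcdiag output.
function Test-WorkstationTrust {
    param(
        [string]$Domain = 'FPG.Global',
        [string]$Dc     = 'V-UAEDXBURDC01',
        [switch]$Repair   # only reset the machine account password when explicitly asked
    )
    $me = $env:COMPUTERNAME

    # (1) DNS client: servers per NIC; anything outside RFC 1918 space is a public resolver
    $dnsServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses }
    $publicDns = $dnsServers | Where-Object { $_ -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)' }

    # (2) Firewall: leave it on; just confirm the Domain profile is the one in force
    $fwDomain = (Get-NetFirewallProfile -Name Domain).Enabled

    # (3) Computer Browser service state
    $browser = (Get-Service -Name Browser -ErrorAction SilentlyContinue).Status

    # (4) A disabled computer object is checked on a DC, not here: (Get-ADComputer $me).Enabled

    # (6) Duplicate A records: more than one address answered for this host's FQDN by the DC
    $aRecords = @(Resolve-DnsName -Name "$me.$Domain" -Type A -Server $Dc -ErrorAction SilentlyContinue)

    # Secure channel: which DC it is bound to, and whether it still verifies against $Dc
    $scQuery   = (& nltest /sc_query:$Domain 2>&1) -join ' '
    $channelOk = Test-ComputerSecureChannel -Server $Dc

    if (-not $channelOk -and $Repair) {
        # (5) In-place reset: new machine account password on the DC and in the local LSA secret,
        # no domain leave/rejoin. Needs an account allowed to reset this computer object's password.
        $cred = Get-Credential -Message "Account permitted to reset the $me`$ account"
        $channelOk = Test-ComputerSecureChannel -Repair -Server $Dc -Credential $cred
    }

    [pscustomobject]@{
        Computer         = $me
        DnsServers       = ($dnsServers -join ', ')
        PublicDnsServers = ($publicDns  -join ', ')
        FirewallDomainOn = $fwDomain
        BrowserService   = $browser
        ARecordCount     = $aRecords.Count
        ARecords         = ($aRecords.IPAddress -join ', ')
        SecureChannelTo  = ($scQuery -replace '.*Trusted DC Name\s+\\\\(\S+).*', '$1')
        SecureChannelOk  = $channelOk
    }
}

# Query only; add -Repair to reset the machine account password in place
Test-WorkstationTrust
```

SecureChannelTo is the interesting field for an RODC site: if it names a DC in another site, the client found the RWDC before (or instead of) the local RODC, which is what you would expect when the machine's secret is not cached on the RODC or the client's subnet is not mapped to the site. Prefer the -Repair path over a domain rejoin: it keeps the computer object, its SID and group memberships, and produces a single password-reset audit event rather than a delete/create pair.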
  • Hi,

    As mentioned, you can check one computer by just removing it from the domain and re-adding it.


    Regards, Mohan R Sr. Administrator - Server Support

    Tuesday, May 08, 2012 7:33 AM
  • Thanks Awinish,

    I am only caching user passwords on the RODC sites, not the computer passwords.

    Is it best practice to also add the computer accounts of the site to the Password Replication Policy on the RODC?

    There was a subnet missing in the site.

    The RODC is a GC & DNS server.

    Regards,

    Maqsood


    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    Tuesday, May 08, 2012 11:27 AM
  • Hello,

    Some more details about your configuration for the RODCs, like the PRP, are not mentioned here. So how is this configured, and is the RODC also a GC and DNS server?

    Also ensure that AD Sites and Services is configured for each subnet and site.


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Tuesday, May 08, 2012 11:29 AM
  • If you want local clients in the RODC site to be able to log in when the WAN link is down, you need to cache the machine accounts too. You need to create the subnet too. By default, the RODC doesn't perform AutoSiteCoverage and it only registers site-specific records, but for down-level OS you have to install the compatibility pack for the RODC. Refer to the blog article on RODC I posted earlier and also configure the sites/subnets properly.


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Tuesday, May 08, 2012 11:33 AM
    Moderator
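The missing subnet mentioned in this thread matters more for an RODC than for a writable DC: as the reply above says, the RODC registers only site-specific locator records, so a client whose address is not mapped to the site never finds it by site and goes to whatever DC the generic records return. The following PowerShell is an added example, not code from the thread or from the poster. It implements the longest-prefix subnet match the DC locator performs and reports which AD site, if any, a client IPv4 address maps to. The subnet list is a constructed sample (the site name DXB-UmmRamool is from the dcdiag output; the CIDR ranges and the second site are made up); the commented line shows how to load the real list with Get-ADReplicationSubnet.

```powershell
# Added example (not from the original thread): does a client address fall inside any
# AD Sites and Services subnet, and which site wins? Subnet list below is constructed.
function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    # Big-endian integer form of a dotted-quad, kept in Int64 to avoid sign trouble
    $n = [int64]0
    foreach ($b in ([ipaddress]$Address).GetAddressBytes()) { $n = ($n * 256) + $b }
    $n
}

function Test-IPv4InCidr {
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string]$Cidr)
    $net, $bits = $Cidr -split '/'
    $bits = [int]$bits
    if ($bits -lt 0 -or $bits -gt 32) { throw "Invalid prefix length in $Cidr" }
    $all  = [int64][uint32]::MaxValue
    $mask = if ($bits -eq 0) { [int64]0 } else { ($all -shl (32 - $bits)) -band $all }
    ((ConvertTo-IPv4Number $Address) -band $mask) -eq ((ConvertTo-IPv4Number $net) -band $mask)
}

function Find-ADSiteForAddress {
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)]$Subnets)
    # Longest prefix wins, as the locator does when subnets nest
    $Subnets |
        Where-Object { Test-IPv4InCidr -Address $Address -Cidr $_.Name } |
        Sort-Object { [int]($_.Name -split '/')[1] } -Descending |
        Select-Object -First 1
}

# Constructed sample of subnet objects (Name = CIDR, Site = site name)
$subnets = @(
    [pscustomobject]@{ Name = '10.10.0.0/16';  Site = 'DXB-UmmRamool' }
    [pscustomobject]@{ Name = '10.10.200.0/24'; Site = 'DXB-Annex' }
    [pscustomobject]@{ Name = '10.20.0.0/16';  Site = 'HQ' }
)
# Live equivalent (needs the ActiveDirectory module):
# $subnets = Get-ADReplicationSubnet -Filter * -Properties Site |
#     Select-Object Name, @{ n = 'Site'; e = { (Get-ADReplicationSite -Identity $_.Site).Name } }

foreach ($ip in '10.10.5.23', '10.10.200.7', '10.30.1.1') {
    $hit = Find-ADSiteForAddress -Address $ip -Subnets $subnets
    if ($hit) { "$ip -> $($hit.Site) via $($hit.Name)" }
    else      { "$ip -> no subnet: client will not site-locate the RODC" }
}
# Expected: 10.10.5.23 -> DXB-UmmRamool via 10.10.0.0/16
#           10.10.200.7 -> DXB-Annex via 10.10.200.0/24   (longer prefix wins)
#           10.30.1.1 -> no subnet
```

To see what a real DC decides for a given client, `nltest /dsaddresstosite:<ip> /dc:<dcname>` asks the DC locator directly; if it answers with no site for an address you expected to be local, the subnet object is what is missing. Remember that the 5810 warning in the question is the IPv6 half of the same problem: a dual-stack client needs both its IPv4 and its global IPv6 prefix mapped to the same site.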