DCDIAG Test Fails

  • Question

  • I just ran dcdiag on one of my Domain Controllers (Windows 2008 R2) and the test has failed with the following data.

    As you can see, the forwarders seem invalid because they cannot be resolved by my TMG 2010 server (IP 192.168.0.2).

    Forwarders Information:
                         192.168.0.2 (<name unavailable>) [Invalid (unreachable)]
                         Error: All forwarders in the forwarder list are invalid.

    Another important point is that my DC2 (Windows 2008) is not even appearing in this test! But all replication seems OK.

       Running partition tests on : icd
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
    
       Running enterprise tests on : icd.local
          Starting test: DNS
             Test results for domain controllers:
    
                DC: DC1.icd.local
                Domain: icd.local
    
    
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
    
                   TEST: Basic (Basc)
                      The OS Microsoft Windows Server 2008 R2 Enterprise  (Service Pack level: 1.0) is supported.
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000015] Microsoft Virtual Network Switch Adapter:
                         MAC address is 00:1E:4F:20:AE:FE
                         IP Address is static
                         IP address: 192.168.0.40, fe80::acaf:2e9d:73b0:a137
                         DNS servers:
                            192.168.0.40 (DC1) [Valid]
                            192.168.0.41 (DC2003) [Valid]
                      The A host record(s) for this DC was found
                      The SOA record for the Active Directory zone was found
                      The Active Directory zone on this DC/DNS server was found primary
                      Root zone on this DC/DNS server was not found
    
                   TEST: Forwarders/Root hints (Forw)
                      Recursion is enabled
                      Forwarders Information:
                         192.168.0.2 (<name unavailable>) [Invalid (unreachable)]
                         Error: All forwarders in the forwarder list are invalid.
                      Root hint Information:
                         Name: a.root-servers.net. IP: 198.41.0.4 [Valid]
                         Name: a.root-servers.net. IP: 2001:503:ba3e::2:30 [Invalid (unreachable)]
                         Name: b.root-servers.net. IP: 192.228.79.201 [Valid]
                         Name: c.root-servers.net. IP: 192.33.4.12 [Valid]
                         Name: d.root-servers.net. IP: 128.8.10.90 [Valid]
                         Name: d.root-servers.net. IP: 2001:500:2d::d [Invalid (unreachable)]
                         Name: e.root-servers.net. IP: 192.203.230.10 [Valid]
                         Name: f.root-servers.net. IP: 192.5.5.241 [Valid]
                         Name: f.root-servers.net. IP: 2001:500:2f::f [Invalid (unreachable)]
                         Name: g.root-servers.net. IP: 192.112.36.4 [Valid]
                         Name: h.root-servers.net. IP: 128.63.2.53 [Valid]
                         Name: h.root-servers.net. IP: 2001:500:1::803f:235 [Invalid (unreachable)]
                         Name: i.root-servers.net. IP: 192.36.148.17 [Valid]
                         Name: i.root-servers.net. IP: 2001:7fe::53 [Invalid (unreachable)]
                         Name: j.root-servers.net. IP: 192.58.128.30 [Valid]
                         Name: j.root-servers.net. IP: 2001:503:c27::2:30 [Invalid (unreachable)]
                         Name: k.root-servers.net. IP: 193.0.14.129 [Valid]
                         Name: k.root-servers.net. IP: 2001:7fd::1 [Invalid (unreachable)]
                         Name: l.root-servers.net. IP: 199.7.83.42 [Valid]
                         Name: l.root-servers.net. IP: 2001:500:3::42 [Invalid (unreachable)]
                         Name: m.root-servers.net. IP: 2001:dc3::35 [Invalid (unreachable)]
                         Name: m.root-servers.net. IP: 202.12.27.33 [Valid]
    
                   TEST: Delegations (Del)
                      Delegation information for the zone: icd.local.
                         Delegated domain name: _msdcs.icd.local.
                            Error: DNS server: DC2003.qld.icd.edu.au. IP:<Unavailable> [Missing glue A record]
                            [Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]
    
                   TEST: Dynamic update (Dyn)
                      Test record dcdiag-test-record added successfully in zone icd.local
                      Warning: Failed to delete the test record dcdiag-test-record in zone icd.local
                      [Error details: 9005 (Type: Win32 - Description: DNS operation refused.)]
    
                   TEST: Records registration (RReg)
                      Network Adapter [00000015] Microsoft Virtual Network Switch Adapter:
                         Matching CNAME record found at DNS server 192.168.0.40:
                         64e46f05-3760-4914-bd77-7f25e8626a7d._msdcs.icd.local
    
                         Matching A record found at DNS server 192.168.0.40:
                         DC1.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.6745f436-824a-4e46-aae6-0af01d54e2e6.domains._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _kerberos._tcp.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _kerberos._tcp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _kerberos._udp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _kpasswd._tcp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.Default-First-Site-Name._sites.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _kerberos._tcp.Default-First-Site-Name._sites.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.gc._msdcs.icd.local
    
                         Matching A record found at DNS server 192.168.0.40:
                         gc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _gc._tcp.Default-First-Site-Name._sites.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.pdc._msdcs.icd.local
    
                         Matching CNAME record found at DNS server 192.168.0.41:
                         64e46f05-3760-4914-bd77-7f25e8626a7d._msdcs.icd.local
    
                         Matching A record found at DNS server 192.168.0.41:
                         DC1.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.6745f436-824a-4e46-aae6-0af01d54e2e6.domains._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _kerberos._tcp.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _kerberos._tcp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _kerberos._udp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _kpasswd._tcp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.Default-First-Site-Name._sites.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _kerberos._tcp.Default-First-Site-Name._sites.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.gc._msdcs.icd.local
    
                         Matching A record found at DNS server 192.168.0.41:
                         gc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _gc._tcp.Default-First-Site-Name._sites.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.pdc._msdcs.icd.local
    
    
             Summary of test results for DNS servers used by the above domain controllers:
    
                DNS server: 192.168.0.2 (<name unavailable>)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.0.2               [Error details: 1460 (Typ
    e: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:500:1::803f:235               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired
    .)]
    
                DNS server: 2001:500:2d::d (d.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:500:2d::d               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 2001:500:2f::f (f.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:500:2f::f               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 2001:500:3::42 (l.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:500:3::42               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:503:ba3e::2:30               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.
    )]
    
                DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:503:c27::2:30               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)
    ]
    
                DNS server: 2001:7fd::1 (k.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:7fd::1               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 2001:7fe::53 (i.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:7fe::53               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 2001:dc3::35 (m.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:dc3::35               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 128.63.2.53 (h.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 128.8.10.90 (d.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.112.36.4 (g.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.168.0.40 (DC1)
                   All tests passed on this DNS server
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
    
                DNS server: 192.168.0.41 (DC2003)
                   All tests passed on this DNS server
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
    
                DNS server: 192.203.230.10 (e.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.228.79.201 (b.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.33.4.12 (c.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.36.148.17 (i.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.5.5.241 (f.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.58.128.30 (j.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 193.0.14.129 (k.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 198.41.0.4 (a.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 199.7.83.42 (l.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 202.12.27.33 (m.root-servers.net.)
                   All tests passed on this DNS server
    
             Summary of DNS test results:
    
                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: icd.local
                   DC1                     PASS PASS FAIL FAIL WARN PASS n/a
    
             ......................... icd.local failed test DNS
          Test omitted by user request: LocatorCheck
          Test omitted by user request: Intersite
    
    C:\>


    Monday, December 17, 2012 5:37 AM

Answers

  • Leave the records as it is there is no need to delete the same. The grayed out one is a delegation saying to go look on this server for the _msdcs.icd.local zone. This zone replication is set forest wide and has info for the whole forest on where the root is and what DCs are GCs.

    Two _mscds folders in DNS, one is greyed out ?
    http://www.wiredbox.net/forum2/Thread14390_Two__mscds_folders_in_DNS_one_is_greyed_out_.aspx

    See this similar topic (Ace's comments), where it is not recommended to delete the same.
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/838df738-18d2-4b5a-9460-0337399986bf/

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Sandesh, I see you quoted my post word for word from an old Microsoft Newsgroup thread. At least you referenced the link where you got it. Next time when you quote something from me, please put quotes around it, such as:

    "Leave the records as it is there is no need to delete the same. The grayed out one is a delegation saying to go look on this server for the _msdcs.icd.local zone. This zone replication is set forest wide and has info for the whole forest on where the root is and what DCs are GCs."

    Above quoted from Ace from:

    Windows Server - Two _mscds folders in DNS, one is greyed out ?
    http://www.windows-server-answers.com/microsoft/Windows-Server-DNS/29958392/two-mscds-folders-in-dns-one-is-greyed-out-.aspx

    and
    Two _mscds folders in DNS, one is greyed out ?
    http://www.windows-server-answers.com/microsoft/Windows-Server-DNS/29958392/two-mscds-folders-in-dns-one-is-greyed-out-.aspx

    .

    .

    For ICBL:

    As for the _msdcs zone, as what's already been recommended to you, you do NOT want to delete that grayed out folder. I'm curious why you believe you have to delete it? That's a required entry.

    As everyone's been pointing out, it's called a DELEGATION. Please don't delete it.

    If Awinish's recommendation to restart the netlogon service doesn't do the trick (it should), then here are the manual steps to help straighten it out:

    • Right-click the _msdcs.icd.local zone, choose properties.
    • Under the NameServer tab, if you haven't already done so, please remove any external server entries, such as the icb21.qld.icd.edu.au entry.
    • Now add the names and IP addresses of all your domain controllers in your forest. This is because the _msdcs zone is replicated forest wide, hence the reason this zone is purposely created in the ForestDnsZones replication scope in AD, so it is available to all DCs in a forest.

    .

    .

    Re-run dcdiag /v, and let's see the output. This time, due to the large size of the output file, please post the output to your free www.skydrive.com account, and post a link to the file.

    Thank you.

    .


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Marked as answer by ICBL Wednesday, December 19, 2012 8:22 PM
    Wednesday, December 19, 2012 5:52 PM
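
Added example (not part of the thread and not code from any poster): a small Python triage of saved dcdiag DNS test output that separates the three findings discussed here, the unreachable forwarder, the root hint failures that are IPv6 only, and the `_msdcs` delegation that names a server with no glue A record. `SAMPLE` is an excerpt trimmed from the output posted in this thread; the function names are illustrative.

```python
import ipaddress
import re

# Excerpt trimmed from the dcdiag output posted in this thread (not a full capture).
SAMPLE = """\
               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     192.168.0.2 (<name unavailable>) [Invalid (unreachable)]
                     Error: All forwarders in the forwarder list are invalid.
                  Root hint Information:
                     Name: a.root-servers.net. IP: 198.41.0.4 [Valid]
                     Name: a.root-servers.net. IP: 2001:503:ba3e::2:30 [Invalid (unreachable)]
                     Name: b.root-servers.net. IP: 192.228.79.201 [Valid]

               TEST: Delegations (Del)
                  Delegation information for the zone: icd.local.
                     Delegated domain name: _msdcs.icd.local.
                        Error: DNS server: icb21.qld.icd.edu.au. IP:<Unavailable> [Missing glue A record]
                        [Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: icd.local
               DC1                     PASS PASS FAIL FAIL WARN PASS n/a
"""

TEST_RE = re.compile(r"TEST: .*\((\w+)\)$")
FWD_RE = re.compile(r"(\S+) \((.*?)\) \[(.+)\]$")
HINT_RE = re.compile(r"Name: (\S+) IP: (\S+) \[(.+)\]$")
DELEG_RE = re.compile(r"Error: DNS server: (\S+) IP:\s*(\S+) \[(.+)\]$")
STATUSES = {"PASS", "FAIL", "WARN", "n/a"}


def parse_dns_test(text):
    """Parse the Forw and Del sections and the summary table of dcdiag DNS output."""
    report = {"forwarders": [], "root_hints": [], "delegations": [], "summary": {}}
    section = sub = zone = None
    cols = []
    for raw in text.splitlines():
        line = raw.strip()
        m = TEST_RE.match(line)
        if m:
            section, sub = m.group(1), None      # e.g. "Forw", "Del"
        elif line.startswith("Summary of DNS test results"):
            section = "Summary"
        elif section == "Forw" and line.endswith("Information:"):
            sub = line.split()[0]                # "Forwarders" or "Root"
        elif section == "Forw" and sub == "Forwarders" and (m := FWD_RE.match(line)):
            report["forwarders"].append({"ip": m[1], "status": m[3]})
        elif section == "Forw" and sub == "Root" and (m := HINT_RE.match(line)):
            report["root_hints"].append({"name": m[1], "ip": m[2], "status": m[3]})
        elif section == "Del" and line.startswith("Delegated domain name:"):
            zone = line.split(":", 1)[1].strip()
        elif section == "Del" and (m := DELEG_RE.match(line)):
            report["delegations"].append({"zone": zone, "server": m[1], "reason": m[3]})
        elif section == "Summary":
            tokens = line.split()
            if tokens[:2] == ["Auth", "Basc"]:
                cols = tokens                    # header row of the summary table
            elif cols and len(tokens) == len(cols) + 1 and set(tokens[1:]) <= STATUSES:
                report["summary"][tokens[0]] = dict(zip(cols, tokens[1:]))
    return report


def triage(report):
    """Turn parsed results into (test, finding) pairs an admin can act on."""
    findings = []
    fwd = report["forwarders"]
    dead = [f["ip"] for f in fwd if f["status"] != "Valid"]
    if dead:
        scope = "all" if len(dead) == len(fwd) else "some"
        findings.append(("Forw", f"{scope} forwarders unreachable: {', '.join(dead)}"))
    bad = [h["ip"] for h in report["root_hints"] if h["status"] != "Valid"]
    bad_v4 = [ip for ip in bad if ipaddress.ip_address(ip).version == 4]
    if bad_v4:
        findings.append(("Forw", f"IPv4 root hints unreachable: {', '.join(bad_v4)}"))
    elif bad:
        findings.append(("Forw", f"{len(bad)} unreachable root hints, all IPv6"))
    for d in report["delegations"]:
        findings.append(("Del", f"{d['zone']} delegated to {d['server']}: {d['reason']}"))
    return findings


def not_passing(report):
    """Per DC, the summary-table columns reported as FAIL or WARN."""
    return {dc: [c for c, v in row.items() if v in ("FAIL", "WARN")]
            for dc, row in report["summary"].items()}


if __name__ == "__main__":
    parsed = parse_dns_test(SAMPLE)
    for test, text in triage(parsed):
        print(f"[{test}] {text}")
    print(not_passing(parsed))
```
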
  • The output looks clean & you can sleep now. You can also find more info on DCdiag.

    What does DCDIAG actually… do?  http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by ICBL Thursday, December 20, 2012 10:36 AM
    Thursday, December 20, 2012 10:08 AM

All replies

  • Ensure that the correct DNS settings and DNS forwarders are configured in DNS. See this for more details:

    Best practices for DNS client settings on DC and domain members.
    http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

    Also post the dcdiag /q, repadmin /replsum and ipconfig /all details of the DCs if the issue persists.

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Monday, December 17, 2012 5:54 AM
  • What is the switch for dcdiag /q?

    repadmin /replsum gives no fail!

    I am 100% sure my DC ip settings are correct.

    Have you noticed the TMG?


    I just ran the test with admin rights, so there are some changes.

       Running partition tests on : icb
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
    
       Running enterprise tests on : icd.local
          Starting test: DNS
             Test results for domain controllers:
    
                DC: DC1.icd.local
                Domain: icd.local
    
    
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
    
                   TEST: Basic (Basc)
                      The OS Microsoft Windows Server 2008 R2 Enterprise  (Service Pack level: 1.0) is supported.
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000015] Microsoft Virtual Network Switch Adapter:
                         MAC address is 00:1E:4F:20:AE:FE
                         IP Address is static
                         IP address: 192.168.0.40, fe80::acaf:2e9d:73b0:a137
                         DNS servers:
                            192.168.0.40 (DC1) [Valid]
                            192.168.0.41 (<name unavailable>) [Valid]
                      The A host record(s) for this DC was found
                      The SOA record for the Active Directory zone was found
                      The Active Directory zone on this DC/DNS server was found primary
                      Root zone on this DC/DNS server was not found
    
                   TEST: Forwarders/Root hints (Forw)
                      Recursion is enabled
                      Forwarders Information:
                         192.168.0.2 (<name unavailable>) [Invalid (unreachable)]
                         Error: All forwarders in the forwarder list are invalid.
                      Root hint Information:
                         Name: a.root-servers.net. IP: 198.41.0.4 [Valid]
                         Name: a.root-servers.net. IP: 2001:503:ba3e::2:30 [Invalid (unreachable)]
                         Name: b.root-servers.net. IP: 192.228.79.201 [Valid]
                         Name: c.root-servers.net. IP: 192.33.4.12 [Valid]
                         Name: d.root-servers.net. IP: 128.8.10.90 [Valid]
                         Name: d.root-servers.net. IP: 2001:500:2d::d [Invalid (unreachable)]
                         Name: e.root-servers.net. IP: 192.203.230.10 [Valid]
                         Name: f.root-servers.net. IP: 192.5.5.241 [Valid]
                         Name: f.root-servers.net. IP: 2001:500:2f::f [Invalid (unreachable)]
                         Name: g.root-servers.net. IP: 192.112.36.4 [Valid]
                         Name: h.root-servers.net. IP: 128.63.2.53 [Valid]
                         Name: h.root-servers.net. IP: 2001:500:1::803f:235 [Invalid (unreachable)]
                         Name: i.root-servers.net. IP: 192.36.148.17 [Valid]
                         Name: i.root-servers.net. IP: 2001:7fe::53 [Invalid (unreachable)]
                         Name: j.root-servers.net. IP: 192.58.128.30 [Valid]
                         Name: j.root-servers.net. IP: 2001:503:c27::2:30 [Invalid (unreachable)]
                         Name: k.root-servers.net. IP: 193.0.14.129 [Valid]
                         Name: k.root-servers.net. IP: 2001:7fd::1 [Invalid (unreachable)]
                         Name: l.root-servers.net. IP: 199.7.83.42 [Valid]
                         Name: l.root-servers.net. IP: 2001:500:3::42 [Invalid (unreachable)]
                         Name: m.root-servers.net. IP: 2001:dc3::35 [Invalid (unreachable)]
                         Name: m.root-servers.net. IP: 202.12.27.33 [Valid]
    
                   TEST: Delegations (Del)
                      Delegation information for the zone: icd.local.
                         Delegated domain name: _msdcs.icd.local.
                            Error: DNS server: icb21.qld.icd.edu.au. IP:<Unavailable> [Missing glue A record]
                            [Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]
    
                   TEST: Dynamic update (Dyn)
                      Test record dcdiag-test-record added successfully in zone icd.local
                      Test record dcdiag-test-record deleted successfully in zone icd.local
    
                   TEST: Records registration (RReg)
                      Network Adapter [00000015] Microsoft Virtual Network Switch Adapter:
                         Matching CNAME record found at DNS server 192.168.0.40:
                         64e46f05-3760-4914-bd77-7f25e8626a7d._msdcs.icd.local
    
                         Matching A record found at DNS server 192.168.0.40:
                         DC1.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.6745f436-824a-4e46-aae6-0af01d54e2e6.domains._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _kerberos._tcp.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _kerberos._tcp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _kerberos._udp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _kpasswd._tcp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.Default-First-Site-Name._sites.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _kerberos._tcp.Default-First-Site-Name._sites.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.gc._msdcs.icd.local
    
                         Matching A record found at DNS server 192.168.0.40:
                         gc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _gc._tcp.Default-First-Site-Name._sites.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.40:
                         _ldap._tcp.pdc._msdcs.icd.local
    
                         Matching CNAME record found at DNS server 192.168.0.41:
                         64e46f05-3760-4914-bd77-7f25e8626a7d._msdcs.icd.local
    
                         Matching A record found at DNS server 192.168.0.41:
                         DC1.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.6745f436-824a-4e46-aae6-0af01d54e2e6.domains._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _kerberos._tcp.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _kerberos._tcp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _kerberos._udp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _kpasswd._tcp.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.Default-First-Site-Name._sites.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _kerberos._tcp.Default-First-Site-Name._sites.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.gc._msdcs.icd.local
    
                         Matching A record found at DNS server 192.168.0.41:
                         gc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _gc._tcp.Default-First-Site-Name._sites.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.icd.local
    
                         Matching  SRV record found at DNS server 192.168.0.41:
                         _ldap._tcp.pdc._msdcs.icd.local
    
    
             Summary of test results for DNS servers used by the above domain controllers:
    
                DNS server: 192.168.0.2 (<name unavailable>)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.0.2               [Error details: 1460 (Typ
    e: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:500:1::803f:235               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired
    .)]
    
                DNS server: 2001:500:2d::d (d.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:500:2d::d               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 2001:500:2f::f (f.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:500:2f::f               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 2001:500:3::42 (l.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:500:3::42               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 2001:503:ba3e::2:30 (a.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:503:ba3e::2:30               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.
    )]
    
                DNS server: 2001:503:c27::2:30 (j.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:503:c27::2:30               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)
    ]
    
                DNS server: 2001:7fd::1 (k.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:7fd::1               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 2001:7fe::53 (i.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:7fe::53               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 2001:dc3::35 (m.root-servers.net.)
                   1 test failure on this DNS server
                   PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
    01:dc3::35               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
    
                DNS server: 128.63.2.53 (h.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 128.8.10.90 (d.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.112.36.4 (g.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.168.0.40 (DC1)
                   All tests passed on this DNS server
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
    
                DNS server: 192.168.0.41 (<name unavailable>)
                   All tests passed on this DNS server
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
    
                DNS server: 192.203.230.10 (e.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.228.79.201 (b.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.33.4.12 (c.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.36.148.17 (i.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.5.5.241 (f.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 192.58.128.30 (j.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 193.0.14.129 (k.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 198.41.0.4 (a.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 199.7.83.42 (l.root-servers.net.)
                   All tests passed on this DNS server
    
                DNS server: 202.12.27.33 (m.root-servers.net.)
                   All tests passed on this DNS server
    
             Summary of DNS test results:
    
                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: icd.local
                   DC1                     PASS PASS FAIL FAIL PASS PASS n/a
    
             ......................... icd.local failed test DNS
          Test omitted by user request: LocatorCheck
          Test omitted by user request: Intersite
    
    C:\Windows\system32>

    • Edited by ICBL Monday, December 17, 2012 6:38 AM
    Monday, December 17, 2012 6:19 AM
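
As an added example (not part of the original post and not Microsoft tooling), the following Python parses the DNS section of a `dcdiag` report like the one above, groups the failing DNS servers into internal and external addresses, and lists the summary columns that failed for each DC. The function names and the abridged sample text are constructed for illustration.

```python
import ipaddress
import json
import re

# Constructed sample: an abridged excerpt of the dcdiag DNS output posted above,
# keeping the console's hard line wraps inside the error text.
SAMPLE = """\
         Summary of test results for DNS servers used by the above domain controllers:

            DNS server: 192.168.0.2 (<name unavailable>)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.0.2               [Error details: 1460 (Typ
e: Win32 - Description: This operation returned because the timeout period expired.)]

            DNS server: 2001:500:1::803f:235 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa failed on the DNS server 20
01:500:1::803f:235               [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired
.)]

            DNS server: 128.63.2.53 (h.root-servers.net.)
               All tests passed on this DNS server

            DNS server: 192.168.0.40 (DC1)
               All tests passed on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered

         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: icd.local
               DC1                     PASS PASS FAIL FAIL PASS PASS n/a

         ......................... icd.local failed test DNS
"""

SERVER_RE = re.compile(r"^\s*DNS server:\s+(\S+)\s+\((.*)\)\s*$")
FAIL_RE = re.compile(r"(\d+) test failures? on this DNS server")
# Tolerant of a console wrap that lands between the two words.
ERROR_RE = re.compile(r"Error\s*details\s*:\s*(\d+)")
STATUSES = {"PASS", "FAIL", "WARN", "n/a"}


def parse_servers(text):
    """Return one dict per 'DNS server:' block with failure count and Win32 error codes."""
    servers, current = [], None
    for line in text.splitlines():
        match = SERVER_RE.match(line)
        if match:
            current = {"address": match.group(1), "name": match.group(2), "raw": ""}
            servers.append(current)
        elif line.strip().startswith("Summary of DNS test results"):
            current = None  # the per-server section is over
        elif current is not None:
            # Join wrapped fragments without a separator so split words are restored.
            current["raw"] += line.strip()
    for srv in servers:
        raw = srv.pop("raw")
        failed = FAIL_RE.search(raw)
        srv["failures"] = int(failed.group(1)) if failed else 0
        srv["error_codes"] = sorted({int(code) for code in ERROR_RE.findall(raw)})
    return servers


def parse_summary(text):
    """Return {domain: {dc: {column: status}}} from the final summary table."""
    results, columns, domain = {}, None, None
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["Auth", "Basc"]:
            columns = tokens
        elif columns and tokens and tokens[0] == "Domain:":
            domain = tokens[1]
        elif columns and len(tokens) == len(columns) + 1 and set(tokens[1:]) <= STATUSES:
            results.setdefault(domain, {})[tokens[0]] = dict(zip(columns, tokens[1:]))
    return results


def triage(text):
    """Group failing DNS servers by address class and list failed columns per DC."""
    failing = {"internal": [], "external_ipv4": [], "external_ipv6": []}
    for srv in parse_servers(text):
        if not srv["failures"]:
            continue
        ip = ipaddress.ip_address(srv["address"])
        bucket = "internal" if ip.is_private else f"external_ipv{ip.version}"
        failing[bucket].append(srv["address"])
    failed_tests = {
        f"{dc}.{domain}": [col for col, status in cols.items() if status == "FAIL"]
        for domain, dcs in parse_summary(text).items()
        for dc, cols in dcs.items()
    }
    return {"failing_servers": failing, "failed_tests": failed_tests}


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

On the sample, the only internal server that fails is the forwarder 192.168.0.2, and the failed summary columns for DC1 are Forw and Del.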
  • Have you created the appropriate rules on TMG to allow your DNS Server to forward?
    http://elmajdal.net/ISAServer/Internal_DNS_Forwarding.aspx

    Make sure that you have configured the TMG NIC correctly: http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html
    http://technet.microsoft.com/en-us/library/cc995245.aspx

    Windows Server 2008 introduces a DNS block feature that may affect the ISA Server automatic discovery mechanism when implementing WPAD using a Windows Server 2008 DNS Server: http://blogs.technet.com/b/isablog/archive/2008/02/19/windows-server-2008-dns-block-feature.aspx


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, December 17, 2012 6:40 AM
  • Hi Sandesh,

    At the moment my TMG doesn't have a DNS forwarding rule. I thought the ANY-ANY rule also included this, as all servers are defined in the ANY-ANY rule. Do I still have to create DNS forwarding?

    Monday, December 17, 2012 6:57 AM
  • I see failures when trying to contact the root hints.

    There is no forwarding configuration to be done on the TMG side. And, TMG Forefront is a firewall / Proxy server. If you set a rule to allow traffic from any network to any one then you are not protected and I don't see the reason of its use. You should allow ONLY authorized traffic from external networks and not all ones.

    On your DNS servers, please make sure that you don't have public DNS servers configured in IP settings of your DCs. Please use your ISP DNS servers as forwarders on your DNS servers. This is how to configure it: http://technet.microsoft.com/en-us/library/cc773370(v=ws.10).aspx

    Once done, make sure that you have no security software or firewall which is blocking or filtering DNS traffic from internal to external networks.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, December 17, 2012 11:13 AM
  • When a query is received from the internal client & your local DNS server can't resolve the query using the local DNS server, it uses root hints & forwarders to resolve it. What I can understand from the logs posted is that TMG is configured as a forwarder to perform the queries & report back to the local DNS server & finally to the clients.

    There is an any-any rule from TMG to DC, but can TMG send the external domain name queries outside & resolve back to the local DNS server? Also, why not use the free portquery tool to verify that the necessary ports are allowed on the firewall?

    How DNS Support for Active Directory Works: Active Directory  http://technet.microsoft.com/en-us/library/cc759550%28v=ws.10%29.aspx

    What does DCDIAG actually… do?  http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx

    One more, try to add public DNS server to the local DNS server's forwarder field directly & see if that works.


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Monday, December 17, 2012 11:35 AM
  • I have just noticed that the record you see in the screenshot is not relevant to anything. There is no such domain or anything else. I don't know why it's here. I think the guy who installed it made some mistake here. How can I fix that? Is it safe to delete it and put the Domain Controller IPs here?

    Monday, December 17, 2012 8:56 PM
  • Remove the _msdcs container (The one in Gray). Once done, run ipconfig /registerdns and restart netlogon to be sure that DNS records were registered properly in the _msdcs.icd.local DNS zone.

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Monday, December 17, 2012 10:12 PM
  • Hi,

    I have removed the container (the one greyed out) and followed the steps but folder never appeared again. What should I do?


    • Edited by ICBL Monday, December 17, 2012 11:26 PM
    Monday, December 17, 2012 11:11 PM
  • The _msdcs container (The one in Gray) is a delegation and should not be deleted. You can recreate it by right-clicking icd.local and choosing New Delegation. See Ace's comments, where the steps to create it are given one by one:
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/838df738-18d2-4b5a-9460-0337399986bf/

    I would recommend entering the ISP public IP address in DNS instead of the TMG server IP address and rerunning the test. Also ensure that the required ports are open: http://msmvps.com/blogs/acefekay/archive/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple.aspx

    You can also run the tracert command to the ISP public IP address to check whether something is blocking.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, December 18, 2012 6:57 AM
  • As long as you have the _msdcs.icd.local DNS zone, it should be fine. And the folder will not appear automatically again as this is a normal behavior.

    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Tuesday, December 18, 2012 8:41 AM
  • Thanks very much guys. I have updated the forwarders to the ISP instead of TMG. I have noticed more responsive internet. I am about to delete the _msdcs container (The one in Gray) from the production environment, but I would like to confirm one last thing; then I will consider this long topic solved with your help.

    _msdcs container (The one in Gray) represents a delegation. Since I have single site domain with 3 DCs do I really need that record? Looks like someone mistakenly put it there previously.

    Wednesday, December 19, 2012 12:09 AM
  • Leave the records as it is there is no need to delete the same. The grayed out one is a delegation saying to go look on this server for the _msdcs.icd.local zone. This zone replication is set forest wide and has info for the whole forest on where the root is and what DCs are GCs.

    Two _mscds folders in DNS, one is greyed out ?
    http://www.wiredbox.net/forum2/Thread14390_Two__mscds_folders_in_DNS_one_is_greyed_out_.aspx

    See this similar topic (Ace's comments) where it is not recommended to delete the same.
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/838df738-18d2-4b5a-9460-0337399986bf/

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Wednesday, December 19, 2012 4:18 AM
  • Little confused :) OK, I am not going to delete it, but I still cannot understand how this wrong record with a non-relevant domain name can contain DCs or GCs?
    Wednesday, December 19, 2012 7:06 AM
  • Even though you delete the _msdcs folder completely, restarting the DNS & netlogon services creates it back, & I have done it numerous times. Sometimes when a DC is demoted gracefully or forcefully, all the remnants are not removed & a few are required to be cleaned manually. I have got an article which might help you to remove the references.

    Remove References of a Failed DC/Domain Or Perform Metadata Cleanup 

    http://awinish.wordpress.com/2011/05/08/metadata-cleanup-of-a-domain-controller/

    Secondly, the greyed out _msdcs folder represents a delegation. Consider that you have a parent and child domain & you want the child domain to resolve requests sent to it locally instead of the parent domain doing it: you configure delegation of the DNS, so the child domain handles requests for its own domain & vice versa for the parent domain. The location of the _msdcs folder was changed with Windows 2003 R2.

    http://www.minasi.com/forum/topic.asp?TOPIC_ID=18902

    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Wednesday, December 19, 2012 8:30 AM
  • You can safely remove it (Especially that it holds a wrong record). As long as the _msdcs.icd.local DNS zone exists and is available for your clients and servers for DNS resolution, there should be no problems.

    We have already removed it in our production environment and we have no failures because of this.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    • Edited by Mr XMVP Wednesday, December 19, 2012 8:57 AM
    Wednesday, December 19, 2012 8:55 AM
  • Sandesh, I see you quoted my post word for word from an old Microsoft Newsgroup thread. At least you referenced the link where you got it. Next time when you quote something from me, please put quotes around it, such as:

    "Leave the records as it is there is no need to delete the same. The grayed out one is a delegation saying to go look on this server for the _msdcs.icd.local zone. This zone replication is set forest wide and has info for the whole forest on where the root is and what DCs are GCs."

    Above quoted from Ace from:

    Windows Server - Two _mscds folders in DNS, one is greyed out ? http://www.windows-server-answers.com/microsoft/Windows-Server-DNS/29958392/two-mscds-folders-in-dns-one-is-greyed-out-.aspx

    and
    Two _mscds folders in DNS, one is greyed out ?
    http://www.windows-server-answers.com/microsoft/Windows-Server-DNS/29958392/two-mscds-folders-in-dns-one-is-greyed-out-.aspx

    .

    .

    For ICBL:

    As for the _msdcs zone, as what's already been recommended to you, you do NOT want to delete that grayed out folder. I'm curious why you believe you have to delete it? That's a required entry.

    As everyone's been pointing out, it's called a DELEGATION. Please don't delete it.

    If Awinish's recommendation to restart the netlogon service doesn't do the trick (it should), then here are the manual steps to help straighten it out:

    • Right-click the _msdcs.icd.local zone, choose properties.
    • Under the NameServer tab, if you haven't already done so, please remove any external server entries, such as the icb21.qld.icd.edu.au entry.
    • Now add the names and IP addresses of all your domain controllers in your forest. This is because the _msdcs zone is replicated forest wide, hence the reason this zone is purposely created in the ForestDnsZones replication scope in AD, so it is available to all DCs in a forest.

    .

    .

    Re-run dcdiag /v, and let's see the output. This time, due to the large size of the output file, please post the output to your free www.skydrive.com account, and post a link to the file.

    Thank you.

    .


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.

    • Marked as answer by ICBL Wednesday, December 19, 2012 8:22 PM
    Wednesday, December 19, 2012 5:52 PM
  • Hi Ace,

    Thanks very much for the clarification. As you said, I have removed the wrong entry from the _msdcs container (The one in Gray), entered all 3 of my DCs and run dcdiag /v. The results are as follows. Everything seems OK now. Thanks very much.

    C:\Windows\system32>dcdiag /v
    
    Directory Server Diagnosis
    
    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine DC2, is a Directory Server.
       Home Server = DC2
       * Connecting to directory service on server DC2.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=icd,DC=local,L
    DAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=icd,CN=Sites,CN=Configu
    ration,DC=icd,DC=local
       Getting ISTG and options for the site
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name
    ,CN=Sites,CN=Configuration,DC=icd,DC=local
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=icd,DC=local,L
    DAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=icd21,CN=Servers,CN=De
    fault-First-Site-Name,CN=Sites,CN=Configuration,DC=icd,DC=local
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=DC1,CN=Servers,CN
    =Default-First-Site-Name,CN=Sites,CN=Configuration,DC=icd,DC=local
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=DC2,CN=Servers,CN
    =Default-First-Site-Name,CN=Sites,CN=Configuration,DC=icd,DC=local
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 3 DC(s). Testing 1 of them.
       Done gathering initial info.
    
    Doing initial required tests
    
       Testing server: Default-First-Site-Name\DC2
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             Determining IP4 connectivity
             * Active Directory RPC Services Check
             ......................... DC2 passed test Connectivity
    
    Doing primary tests
    
       Testing server: Default-First-Site-Name\DC2
          Starting test: Advertising
             The DC DC2 is advertising itself as a DC and having a DS.
             The DC DC2 is advertising as an LDAP server
             The DC DC2 is advertising as having a writeable directory
             The DC DC2 is advertising as a Key Distribution Center
             The DC DC2 is advertising as a time server
             The DS DC2 is advertising as a GC.
             ......................... DC2 passed test Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Starting test: FrsEvent
             * The File Replication Service Event log test
             ......................... DC2 passed test FrsEvent
          Starting test: DFSREvent
             The DFS Replication Event Log.
             Skip the test because the server is running FRS.
             ......................... DC2 passed test DFSREvent
          Starting test: SysVolCheck
             * The File Replication Service SYSVOL ready test
             File Replication Service's SYSVOL is ready
             ......................... DC2 passed test SysVolCheck
          Starting test: KccEvent
             * The KCC Event log test
             Found no KCC errors in "Directory Service" Event log in the last 15 min
    utes.
             ......................... DC2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             Role Schema Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-
    First-Site-Name,CN=Sites,CN=Configuration,DC=icd,DC=local
             Role Domain Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-
    First-Site-Name,CN=Sites,CN=Configuration,DC=icd,DC=local
             Role PDC Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-Fir
    st-Site-Name,CN=Sites,CN=Configuration,DC=icd,DC=local
             Role Rid Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-Fir
    st-Site-Name,CN=Sites,CN=Configuration,DC=icd,DC=local
             Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC1,CN=Serv
    ers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=icd,DC=local
             ......................... DC2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             Checking machine account for DC DC2 on DC DC2.
             * SPN found :LDAP/DC2.icdlocal/icdlocal
             * SPN found :LDAP/DC2.icdlocal
             * SPN found :LDAP/DC2
             * SPN found :LDAP/DC2.icdlocal/ICDNET
             * SPN found :LDAP/a6c4ebad-8d65-4313-8dbe-b4304e95d0d1._msdcs.icdlocal
    
             * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a6c4ebad-8d65-4313-8d
    be-b4304e95d0d1/icdlocal
             * SPN found :HOST/DC2.icdlocal/icdlocal
             * SPN found :HOST/DC2.icdlocal
             * SPN found :HOST/DC2
             * SPN found :HOST/DC2.icdlocal/ICDNET
             * SPN found :GC/DC2.icdlocal/icdlocal
             ......................... DC2 passed test MachineAccount
          Starting test: NCSecDesc
             * Security Permissions check for all NC's on DC DC2.
             * Security Permissions Check for
               DC=ForestDnsZones,DC=icd,DC=local
                (NDNC,Version 3)
             * Security Permissions Check for
               DC=DomainDnsZones,DC=icd,DC=local
                (NDNC,Version 3)
             * Security Permissions Check for
               CN=Schema,CN=Configuration,DC=icd,DC=local
                (Schema,Version 3)
             * Security Permissions Check for
               CN=Configuration,DC=icd,DC=local
                (Configuration,Version 3)
             * Security Permissions Check for
               DC=icd,DC=local
                (Domain,Version 3)
             ......................... DC2 passed test NCSecDesc
          Starting test: NetLogons
             * Network Logons Privileges Check
             Verified share \\DC2\netlogon
             Verified share \\DC2\sysvol
             ......................... DC2 passed test NetLogons
          Starting test: ObjectsReplicated
             DC2 is in domain DC=icd,DC=local
             Checking for CN=DC2,OU=Domain Controllers,DC=icd,DC=local in domai
    n DC=icd,DC=local on 1 servers
                Object is up-to-date on all servers.
             Checking for CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-S
    ite-Name,CN=Sites,CN=Configuration,DC=icd,DC=local in domain CN=Configuration,DC
    =icd,DC=local on 1 servers
                Object is up-to-date on all servers.
             ......................... DC2 passed test ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Starting test: Replications
             * Replications Check
             * Replication Latency Check
                DC=ForestDnsZones,DC=icd,DC=local
                   Latency information for 12 entries in the vector were ignored.
                      12 were retired Invocations.  0 were either: read-only replica
    s and are not verifiably latent, or dc's no longer replicating this nc.  0 had n
    o latency information (Win2K DC).
                DC=DomainDnsZones,DC=icd,DC=local
                   Latency information for 12 entries in the vector were ignored.
                      12 were retired Invocations.  0 were either: read-only replica
    s and are not verifiably latent, or dc's no longer replicating this nc.  0 had n
    o latency information (Win2K DC).
                CN=Schema,CN=Configuration,DC=icd,DC=local
                   Latency information for 11 entries in the vector were ignored.
                      11 were retired Invocations.  0 were either: read-only replica
    s and are not verifiably latent, or dc's no longer replicating this nc.  0 had n
    o latency information (Win2K DC).
                CN=Configuration,DC=icd,DC=local
                   Latency information for 11 entries in the vector were ignored.
                      11 were retired Invocations.  0 were either: read-only replica
    s and are not verifiably latent, or dc's no longer replicating this nc.  0 had n
    o latency information (Win2K DC).
                DC=icd,DC=local
                   Latency information for 12 entries in the vector were ignored.
                      12 were retired Invocations.  0 were either: read-only replica
    s and are not verifiably latent, or dc's no longer replicating this nc.  0 had n
    o latency information (Win2K DC).
             ......................... DC2 passed test Replications
          Starting test: RidManager
             * Available RID Pool for the Domain is 7103 to 1073741823
             * DC1.icdlocal is the RID Master
             * DsBind with RID Master was successful
             * rIDAllocationPool is 5103 to 5602
             * rIDPreviousAllocationPool is 5103 to 5602
             * rIDNextRID: 5273
             ......................... DC2 passed test RidManager
          Starting test: Services
             * Checking Service: EventSystem
             * Checking Service: RpcSs
             * Checking Service: NTDS
             * Checking Service: DnsCache
             * Checking Service: NtFrs
             * Checking Service: IsmServ
             * Checking Service: kdc
             * Checking Service: SamSs
             * Checking Service: LanmanServer
             * Checking Service: LanmanWorkstation
             * Checking Service: w32time
             * Checking Service: NETLOGON
             ......................... DC2 passed test Services
          Starting test: SystemLog
             * The System Event log test
             An error event occurred.  EventID: 0xC0002719
                Time Generated: 12/20/2012   06:12:48
                Event String:
                DCOM was unable to communicate with the computer 139.130.4.4 using a
    ny of the configured protocols.
             An error event occurred.  EventID: 0xC0002719
                Time Generated: 12/20/2012   06:13:09
                Event String:
                DCOM was unable to communicate with the computer 203.50.2.71 using a
    ny of the configured protocols.
             ......................... DC2 failed test SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Starting test: VerifyReferences
             The system object reference (serverReference)
             CN=DC2,OU=Domain Controllers,DC=icd,DC=local and backlink on
             CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configura
    tion,DC=icd,DC=local
             are correct.
             The system object reference (serverReferenceBL)
             CN=DC2,CN=Domain System Volume (SYSVOL share),CN=File Replication
    Service,CN=System,DC=icd,DC=local
             and backlink on
             CN=NTDS Settings,CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=S
    ites,CN=Configuration,DC=icd,DC=local
             are correct.
             The system object reference (frsComputerReferenceBL)
             CN=DC2,CN=Domain System Volume (SYSVOL share),CN=File Replication
    Service,CN=System,DC=icd,DC=local
             and backlink on CN=DC2,OU=Domain Controllers,DC=icd,DC=local are
             correct.
             ......................... DC2 passed test VerifyReferences
          Test omitted by user request: VerifyReplicas
    
          Test omitted by user request: DNS
          Test omitted by user request: DNS
    
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation
    
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation
    
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation
    
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation
    
       Running partition tests on : icd
          Starting test: CheckSDRefDom
             ......................... icd passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... icd passed test CrossRefValidation
    
       Running enterprise tests on : icdlocal
          Test omitted by user request: DNS
          Test omitted by user request: DNS
          Starting test: LocatorCheck
             GC Name: \\DC2.icdlocal
             Locator Flags: 0xe00031fc
             PDC Name: \\DC1.icdlocal
             Locator Flags: 0xe00031fd
             Time Server Name: \\DC2.icdlocal
             Locator Flags: 0xe00031fc
             Preferred Time Server Name: \\DC2.icdlocal
             Locator Flags: 0xe00031fc
             KDC Name: \\DC2.icdlocal
             Locator Flags: 0xe00031fc
             ......................... icdlocal passed test LocatorCheck
          Starting test: Intersite
             Skipping site icd, this site is outside the scope provided by the
             command line arguments provided.
             Skipping site Default-First-Site-Name, this site is outside the scope
             provided by the command line arguments provided.
             ......................... icdlocal passed test Intersite
    
    C:\Windows\system32>

    Wednesday, December 19, 2012 8:21 PM
  • Hi Ace,

    Thanks very much for the clarification. As you said, I have removed the wrong entry from the _msdcs container (the one in gray), entered all 3 of my DCs and run dcdiag /v. The results are as follows. Everything seems OK now. Thanks very much.

    My pleasure for the help.

    As for the dcdiag, I see some replication latency issues. Run the following on all three DCs, and post the results from each one, please:

    • repadmin /replsum > c:\rep-replsummary.txt
    • repadmin /showreps > c:\rep-showreps.txt

    On all three DCs, please check and post any Event log errors including the Windows Logs - the App & System logs, and under Application and Services Logs, if applicable - the AD Web services, DFS Replication, Directory Services, DNS Server & File Replication Server logs. You can use the copy/paste feature.


    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    • Edited by Ace Fekay [MCT] Thursday, December 20, 2012 4:59 AM - corrected repadmin command
    Thursday, December 20, 2012 4:58 AM
  • Hi,

    Thanks very much for following up, much appreciated. Please find the results below.

    Replication Summary Start Time: 2012-12-20 19:49:46
    Beginning data collection for replication summary, this may take awhile:
      ......
    Source DSA          largest delta    fails/total %%   error
     ICD21                	     56m:25s    0 /  10    0  
     DC2                         50m:04s    0 /  10    0  
     DC1                         56m:25s    0 /  10    0  
    
    Destination DSA     largest delta    fails/total %%   error
    
     ICD21                       02m:31s    0 /  10    0  
     DC2                         56m:25s    0 /  10    0  
     DC1                         50m:04s    0 /  10    0  
    

    Default-First-Site-Name\DC1
    
    DSA Options: IS_GC 
    Site Options: (none)
    DSA object GUID: 64e46f05-3760-4914-bd77-7f25e8626a7d
    DSA invocationID: cade975f-5cda-489a-8fd4-7f096865244d
    ==== INBOUND NEIGHBORS ======================================
    DC=icd,DC=local
        Default-First-Site-Name\DC2 via RPC
            DSA object GUID: a6c4ebad-8d65-4313-8dbe-b4304e95d0d1
            Last attempt @ 2012-12-20 19:47:33 was successful.
    
        Default-First-Site-Name\icd21 via RPC
    
            DSA object GUID: 739332e8-3a7f-4363-8445-f5bcc91bb434
    
            Last attempt @ 2012-12-20 19:49:16 was successful.
    
    CN=Configuration,DC=icd,DC=local
        Default-First-Site-Name\icd21 via RPC
            DSA object GUID: 739332e8-3a7f-4363-8445-f5bcc91bb434
            Last attempt @ 2012-12-20 18:59:42 was successful.
    
        Default-First-Site-Name\DC2 via RPC
            DSA object GUID: a6c4ebad-8d65-4313-8dbe-b4304e95d0d1
            Last attempt @ 2012-12-20 18:59:42 was successful.
    
    CN=Schema,CN=Configuration,DC=icd,DC=local
        Default-First-Site-Name\icd21 via RPC
            DSA object GUID: 739332e8-3a7f-4363-8445-f5bcc91bb434
            Last attempt @ 2012-12-20 18:59:42 was successful.
    
        Default-First-Site-Name\DC2 via RPC
            DSA object GUID: a6c4ebad-8d65-4313-8dbe-b4304e95d0d1
            Last attempt @ 2012-12-20 18:59:42 was successful.
    
    DC=DomainDnsZones,DC=icd,DC=local
    
        Default-First-Site-Name\DC2 via RPC
            DSA object GUID: a6c4ebad-8d65-4313-8dbe-b4304e95d0d1
            Last attempt @ 2012-12-20 18:59:42 was successful.
    
        Default-First-Site-Name\icd21 via RPC
            DSA object GUID: 739332e8-3a7f-4363-8445-f5bcc91bb434
            Last attempt @ 2012-12-20 18:59:42 was successful.
    
    DC=ForestDnsZones,DC=icd,DC=local
        Default-First-Site-Name\icd21 via RPC
            DSA object GUID: 739332e8-3a7f-4363-8445-f5bcc91bb434
            Last attempt @ 2012-12-20 18:59:42 was successful.
    
        Default-First-Site-Name\DC2 via RPC
    
            DSA object GUID: a6c4ebad-8d65-4313-8dbe-b4304e95d0d1
            Last attempt @ 2012-12-20 18:59:42 was successful.
    
    

    Thursday, December 20, 2012 9:58 AM
  • The output looks clean & you can sleep now. You can also find more info on DCdiag.

    What does DCDIAG actually… do?  http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx


    Awinish Vishwakarma - MVP

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by ICBL Thursday, December 20, 2012 10:36 AM
    Thursday, December 20, 2012 10:08 AM
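
A saved `repadmin /replsum` report like the one posted in this thread can be checked mechanically instead of by eye. The following is an added example, not code from the thread or from Microsoft: the function names, the one-hour staleness threshold and the failing `DC9` row are assumptions made for illustration.

```python
import re

# Rows for ICD21, DC2 and DC1 are copied from the report posted in the thread.
# The DC9 row is constructed to show what a failing partner looks like.
SAMPLE = """\
Source DSA          largest delta    fails/total %%   error
 ICD21                       56m:25s    0 /  10    0
 DC2                         50m:04s    0 /  10    0
 DC9                 01d.02h:10m:05s    5 /  10   50  (1722) The RPC server is unavailable.

Destination DSA     largest delta    fails/total %%   error
 ICD21                       02m:31s    0 /  10    0
 DC1                         50m:04s    0 /  10    0
"""

# name, largest delta, fails / total, percent, optional error text
ROW = re.compile(r"^\s*(\S+)\s+(\S+(?: days)?)\s+(\d+)\s*/\s*(\d+)\s+(\d+)\s*(.*)$")
UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def delta_seconds(text):
    """Convert '56m:25s' or '01d.02h:10m:05s' to seconds; None if no d/h/m/s fields."""
    parts = re.findall(r"(\d+)([dhms])", text)
    return sum(int(n) * UNIT_SECONDS[u] for n, u in parts) if parts else None

def parse_replsum(text):
    """Yield one dict per DSA row, tagged with its Source/Destination section."""
    section = None
    for line in text.splitlines():
        head = re.match(r"^(Source|Destination) DSA", line)
        if head:
            section = head.group(1)
            continue
        m = ROW.match(line)
        if m and section:
            name, delta, fails, total, _pct, error = m.groups()
            yield {"section": section, "dsa": name, "delta_s": delta_seconds(delta),
                   "fails": int(fails), "total": int(total), "error": error.strip()}

def findings(text, max_delta_s=3600):
    """Rows with failed attempts, or a largest delta that is unknown or too old."""
    return [r for r in parse_replsum(text)
            if r["fails"] > 0 or r["delta_s"] is None or r["delta_s"] > max_delta_s]

if __name__ == "__main__":
    for r in findings(SAMPLE):
        print(r["section"], r["dsa"], r["fails"], "/", r["total"], r["error"])
```

With the rows from the thread alone nothing is flagged, which matches the reply above that the output looks clean; only the constructed `DC9` row is reported.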