none
Some failures in DCdiag.exe RRS feed

  • 질문

  • So, I'm apparently a domain administrator now, and I have a lot to learn apparently.  The following is a dcdiag.exe results that have been sanitized and someone explain to me what I'm seeing and what may be going on?

    C:\Users\USERNAME>dcdiag

    Directory Server Diagnosis

    Performing initial setup:
       Trying to find home server...
       Home Server = SERVERNAME
       * Identified AD Forest.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\SERVERNAME
          Starting test: Connectivity
             ......................... SERVERNAME passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\SERVERNAME
          Starting test: Advertising
             ......................... SERVERNAME passed test Advertising
          Starting test: FrsEvent
             ......................... SERVERNAME passed test FrsEvent
          Starting test: DFSREvent
             ......................... SERVERNAME passed test DFSREvent
          Starting test: SysVolCheck
             ......................... SERVERNAME passed test SysVolCheck
          Starting test: KccEvent
             ......................... SERVERNAME passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... SERVERNAME passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... SERVERNAME passed test MachineAccount
          Starting test: NCSecDesc
             ......................... SERVERNAME passed test NCSecDesc
          Starting test: NetLogons
             [SERVERNAME] User credentials does not have permission to perform
             this operation.
             The account used for this test must have network logon privileges
             for this machine's domain.
             ......................... SERVERNAME failed test NetLogons
          Starting test: ObjectsReplicated
             ......................... SERVERNAME passed test ObjectsReplicated
          Starting test: Replications
             [Replications Check,SERVERNAME] DsReplicaGetInfo(PENDING_OPS, NULL)
             failed, error 0x2105 "Replication access was denied."
             ......................... SERVERNAME failed test Replications
          Starting test: RidManager
             ......................... SERVERNAME passed test RidManager
          Starting test: Services
                Could not open NTDS Service on SERVERNAME, error 0x5
                "Access is denied."
             ......................... SERVERNAME failed test Services
          Starting test: SystemLog
             ......................... SERVERNAME passed test SystemLog
          Starting test: VerifyReferences
             ......................... SERVERNAME passed test VerifyReferences


       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
             ......................... ForestDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... ForestDnsZones passed test
             CrossRefValidation

       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
             ......................... DomainDnsZones passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... DomainDnsZones passed test
             CrossRefValidation

       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Schema passed test CrossRefValidation

       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... Configuration passed test CrossRefValidation

       Running partition tests on : domainName
          Starting test: CheckSDRefDom
             ......................... domainName passed test CheckSDRefDom
          Starting test: CrossRefValidation
             ......................... domainName passed test CrossRefValidation

       Running enterprise tests on : domainName.MyDomain.org
          Starting test: LocatorCheck
             ......................... domainName.MyDomain.org passed test
             LocatorCheck
          Starting test: Intersite
             ......................... domainName.MyDomain.org passed test
             Intersite

    C:\Users\USERNAME>

    2012년 5월 10일 목요일 오후 11:33

답변

  • Hello,

    From the logs, I am able to see some Access denied Messages

    Starting test: Replications
             [Replications Check,SERVERNAME] DsReplicaGetInfo(PENDING_OPS, NULL)
             failed, error 0x2105 "Replication access was denied."
            

                Starting test: Services
                Could not open NTDS Service on SERVERNAME, error 0x5
                "Access is denied."

                SERVERNAME] User credentials does not have permission to perform
             this operation.
             The account used for this test must have network logon privileges
             for this machine's domain.
             ......................... SERVERNAME failed test NetLogons
          Starting test: ObjectsReplicated

    These are not an error messages. It only states that you are not having sufficient previlage to run this queries.

    Please make sure that you run Dcdiag test using Domain administrator creadentials.

    i.e Right click on command prompt ---->Run as diffferent user--->Put your domain administrator credentials and run Dcdiag command let

    Hope this helps

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    2012년 5월 10일 목요일 오후 11:44
  • From the dcdiag output the health of DC seems to be ok except that netlogon and FRS test failed since you did not executed the command correctly with sufficient permission.

    To use dcdiag in Win2008, you must run the dcdiag command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

    Please run the command again as mentioned and post the log if the error persist.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    2012년 5월 11일 금요일 오전 1:32
  • You need to go though the below article for the DCDIAG usage. Also, is UAC is enabled, if yes you have to run cmd using elevated privileges.

    What does DCDIAG actually… do?

    http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    2012년 5월 11일 금요일 오전 11:01
    중재자

모든 응답

  • Hello,

    From the logs, I am able to see some Access denied Messages

    Starting test: Replications
             [Replications Check,SERVERNAME] DsReplicaGetInfo(PENDING_OPS, NULL)
             failed, error 0x2105 "Replication access was denied."
            

                Starting test: Services
                Could not open NTDS Service on SERVERNAME, error 0x5
                "Access is denied."

                SERVERNAME] User credentials does not have permission to perform
             this operation.
             The account used for this test must have network logon privileges
             for this machine's domain.
             ......................... SERVERNAME failed test NetLogons
          Starting test: ObjectsReplicated

    These are not an error messages. It only states that you are not having sufficient previlage to run this queries.

    Please make sure that you run Dcdiag test using Domain administrator creadentials.

    i.e Right click on command prompt ---->Run as diffferent user--->Put your domain administrator credentials and run Dcdiag command let

    Hope this helps

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    2012년 5월 10일 목요일 오후 11:44
  • From the dcdiag output the health of DC seems to be ok except that netlogon and FRS test failed since you did not executed the command correctly with sufficient permission.

    To use dcdiag in Win2008, you must run the dcdiag command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

    Please run the command again as mentioned and post the log if the error persist.


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Adminitrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    2012년 5월 11일 금요일 오전 1:32
  • You need to go though the below article for the DCDIAG usage. Also, is UAC is enabled, if yes you have to run cmd using elevated privileges.

    What does DCDIAG actually… do?

    http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    2012년 5월 11일 금요일 오전 11:01
    중재자
  •       Starting test: NetLogons
             [SERVERNAME] User credentials does not have permission to perform
             this operation.
             The account used for this test must have network logon privileges
             for this machine's domain.
             ......................... SERVERNAME failed test NetLogons

    That is because you need to run dcdiag using an elevated prompt. Using run as an administrator option on CMD will fix that.

    However, for final check, run dcdiag /v with an elevated prompt and check if there is any errors. If yes, please post it here.


    This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.   

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    • 편집됨 Mr XMVP 2012년 5월 11일 금요일 오후 12:06
    • 답변으로 제안됨 Roman_Mazanka 2016년 9월 29일 목요일 오후 3:21
    • 답변으로 제안 취소됨 Roman_Mazanka 2016년 9월 29일 목요일 오후 3:21
    2012년 5월 11일 금요일 오후 12:04
  • Hello,

    seems you ar esuing an account that is not member of the domain admins or you have forgotten to use elevated permissions, ALSO REQUIRED for domain admins.

    So please run the commands again with using RUN AS Administrator.

    About known problems with dcdiag tools see also http://msmvps.com/blogs/mweber/archive/2011/02/07/possible-error-messages-on-windows-server-2008-and-windows-server-2008-r2-domain-controllers.aspx


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    2012년 5월 14일 월요일 오전 8:07
  • Still Showing 2001-SR-ADC01 failed test KccEvent
    2019년 7월 2일 화요일 오전 9:57
  • The output is showing some access denied messages. This means that the credentials you are using are insufficient for some purposes. yes, you should use the elevated command prompt, but I assume you may have already done this and are wondering how it can still be happening.

    As you have only recently been made a domainadmin it follows that your new status may not have replicated to all domain controllers. The version of your credentials may not be enough when being used against the device where the access fails.

    There may be replication errors between domain controllers, there may be duplicate accounts with different credentials. Welcome to the world of domain controller. Did the last one leave in good standing?

    2020년 5월 24일 일요일 오후 12:33