Duplicate Host records for DNS&DC's
William Stokes
Guest
Posted: Fri Feb 13, 2009 5:49 am    Post subject: Duplicate Host records for DNS&DC's

Hello,

We're experiencing some very slow network logins in our domain (funct level
2003). We have one 2003 and one 2008 DC which also operate as DNS servers.
In trying to solve slow logins I've been going through our DNS records. In both
DNS servers there is a duplicate entry for our DC's in forward lookup zone.
One entry is normal like "Server01 to IP 172.20.1.22" but the second is
"(same as parent folder) to 172.20.1.22" which means blank name as a server
name. What is the purpose of this entry and can it be deleted? Is there some
use for it?

Also. All hints of DNS debugging steps and tools are appreciated! There
seems to be something abnormal in the domain now but at a glance all seems to
be configured correctly.

Thanks
W

William Stokes
Guest
Posted: Fri Feb 13, 2009 6:22 am    Post subject: Re: Duplicate Host records for DNS&DC's

Hello,

Addition to the previous posting.

Our second DC (Win2008) had a misconfigured network card team so that it
enabled the DC to obtain an IP address via DHCP to one NIC. I corrected this and
removed false DNS entries.

W

Meinolf Weber [MVP-DS]
Guest
Posted: Fri Feb 13, 2009 7:13 am    Post subject: Re: Duplicate Host records for DNS&DC's

Hello William,

Slow logins often belong to incorrect DNS settings on the machine's NIC. Make
sure to use only domain internal DNS servers on the NIC on all machines.
Please post an unedited ipconfig /all from the DC/DNS servers and also a
problem machine.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


William Stokes
Guest
Posted: Fri Feb 13, 2009 1:07 pm    Post subject: Re: Duplicate Host records for DNS&DC's

Hello,

Here's IP configs for both DC/DNS servers and one XP cli. The XP cli is
localised language but I am sure it's readable to you=)

1. Windows 2003 SP2 DC/DNS server

Windows IP Configuration

Host Name . . . . . . . . . . . . : Win2003
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter BCOMMs:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-13-72-5E-F6-6D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.1.22
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.22
172.20.1.24


2. Windows 2008 SP2 DC/DNS server

Windows IP Configuration

Host Name . . . . . . . . . . . . : Win2008
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com

Ethernet adapter Local Area Connection 5:

Connection-specific DNS Suffix . : domain.com
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-22-19-8C-5D-96
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.20.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.24
172.20.1.22
NetBIOS over Tcpip. . . . . . . . : Enabled


3. Windows XP client

Windows IP-määritykset

Isäntänimi . . . . . . . . . . . : WinXP Cli
Ensisijainen DNS-liite . . . . . : domain.com
Solmutyyppi . . . . . . . . . . . : Hybridi
IP-reititys käytössä . . . . . . : Ei
WINS-välityspalvelin käytössä . . : Ei
DNS-liitteiden etsintäluettelo . : domain.com
domain.com

Ethernet-sovitin Lähiverkkoyhteys:

Yhteyskohtainen DNS-liite . . . . : domain.com
Kuvaus . . . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit Network Connection
Fyysinen osoite . . . . . . . . . : 00-1A-A0-E9-D9-5C
DHCP käytössä . . . . . . . . . . : Kyllä
Automaattinen määritys käytössä . : Kyllä
IP-osoite . . . . . . . . . . . . : 172.20.1.63
Aliverkon peite . . . . . . . . . : 255.255.255.0
Oletusyhdyskäytävä. . . . . . . . : 172.20.1.254
DHCP-palvelin . . . . . . . . . . : 172.20.1.22
DNS-palvelimet . . . . . . . . . : 172.20.1.22
172.20.1.24
Käyttölupa myönnetty . . . . . . : 13. helmikuuta 2009 15:31:46
Käyttölupa vanhentuu . . . . . . : 9. maaliskuuta 2009 15:31:46


DNS servers are configured to forward DNS queries to our ISP if IP is
outside our network.

It seems to me that if client uses the 2008 server as a loginserver there's
less delay in login. If it uses Win2003 DC it takes a whole lot longer.

I cannot pinpoint exact moment problems started but last Monday I raised the
domain functionality level from 2000 to 2003 and also deleted one site and
one subnet which were no longer used. Also I changed our single site name.

Anyway. All seems to work but the login takes long. Approximately 1-13
minutes depending on the client and which DC it happens to use.

Hope you can give advice.

-W
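
Added example, not part of any post in the thread: the check Meinolf asks for (only domain-internal DNS servers on every NIC), run over `ipconfig /all` text. The two sample outputs are constructed (host names and 192.0.2.53 are placeholders); the internal server addresses and the Finnish label `DNS-palvelimet` are taken from the output posted above.

```python
import ipaddress
import re

# Field line: label, dot leaders, colon, value ("DNS Servers . . . : 172.20.1.22").
FIELD = re.compile(r"^(?P<label>[^:]+?)(?:\s*\.)+\s*:\s*(?P<value>.*)$")

# Label of the DNS-server field per UI language (English and Finnish).
DNS_LABELS = {"DNS Servers", "DNS-palvelimet"}

# The two DC/DNS servers named in the thread.
INTERNAL_DNS = {"172.20.1.22", "172.20.1.24"}

# Constructed sample: statically configured DC that lists only the two DCs.
SAMPLE_DC = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC-A
   Primary Dns Suffix  . . . . . . . : domain.com

Ethernet adapter Team1:

   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 172.20.1.22
   DNS Servers . . . . . . . . . . . : 172.20.1.22
                                       172.20.1.24
"""

# Constructed sample: Finnish client whose second resolver is outside the domain.
SAMPLE_CLIENT = """\
Windows IP-määritykset

   Isäntänimi  . . . . . . . . . . . : CLIENT-1

Ethernet-sovitin Lähiverkkoyhteys:

   DHCP käytössä . . . . . . . . . . : Kyllä
   IP-osoite . . . . . . . . . . . . : 172.20.1.63
   DNS-palvelimet  . . . . . . . . . : 172.20.1.22
                                       192.0.2.53
   Käyttölupa myönnetty  . . . . . . : 13. helmikuuta 2009 15:31:46
"""


def parse_ipconfig(text):
    """Return {section: {label: [values]}} from `ipconfig /all` text."""
    sections = {}
    section, last = "(global)", None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            last = None                       # a blank line ends a wrapped value
            continue
        m = FIELD.match(line)
        if m:
            last = sections.setdefault(section, {}).setdefault(m["label"], [])
            if m["value"]:
                last.append(m["value"])
        elif line.endswith(":"):
            section, last = line[:-1], None   # "Ethernet adapter X:" opens a section
        elif last is not None:
            last.append(line)                 # wrapped value, e.g. the second DNS server
    return sections


def external_dns_servers(text, internal):
    """List (section, server) pairs whose DNS server is not an internal one."""
    allowed = {ipaddress.ip_address(a) for a in internal}
    findings = []
    for section, fields in parse_ipconfig(text).items():
        for label in fields.keys() & DNS_LABELS:
            for value in fields[label]:
                try:
                    addr = ipaddress.ip_address(value.split("%")[0])  # drop IPv6 zone id
                except ValueError:
                    findings.append((section, value))  # not an address: report as-is
                    continue
                if addr not in allowed:
                    findings.append((section, value))
    return findings


if __name__ == "__main__":
    for name, sample in (("DC", SAMPLE_DC), ("client", SAMPLE_CLIENT)):
        print(name, external_dns_servers(sample, INTERNAL_DNS) or "internal DNS only")
```

The parser works on output whose indentation was lost in posting, because wrapped values are recognised by the missing label rather than by leading spaces.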

Meinolf Weber [MVP-DS]
Guest
Posted: Fri Feb 13, 2009 2:14 pm    Post subject: Re: Duplicate Host records for DNS&DC's

Hello William,

The ipconfigs look ok.

The 2008 is SP2, is that correct? If yes, you should NEVER use BETA version
in production environment.

What do you mean with changed the single site name?

Please run and post an unedited netdiag /v and dcdiag /v from both servers.

Best regards

Meinolf Weber
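
Added example, not part of any post in the thread: a triage pass over `dcdiag /v` text that lists the failed tests and separates those whose only errors are access-denied codes (Win32 5 and 8453, both returned to the account that ran the tool) from failures that need a closer look. The sample output is constructed in dcdiag's layout with a hypothetical host DC01 and site Site1.

```python
import re

START = re.compile(r"^\s*Starting test:\s*(\S+)")
# Verdict line; the test name may have wrapped onto a later line.
RESULT = re.compile(r"^\s*\.{5,}\s*(\S+)\s+(passed|failed)\s+test\b\s*(\S*)")
ERRCODE = re.compile(r"\berror\s+(0x[0-9a-fA-F]+)")

# Win32 codes that mean the caller was refused, not that the DC is broken.
ACCESS_DENIED = {5: "ERROR_ACCESS_DENIED", 8453: "ERROR_DS_DRA_ACCESS_DENIED"}

# Constructed sample in the layout of `dcdiag /v` output.
SAMPLE = r"""
Testing server: Site1\DC01
   Starting test: Advertising
      The DC DC01 is advertising as an LDAP server
      ......................... DC01 passed test Advertising
   Starting test: Replications
      * Replications Check
      [Replications Check,DC01] DsReplicaGetInfo(PENDING_OPS, NULL)
      failed, error 0x2105 "Win32 Error 8453"
      ......................... DC01 failed test Replications
   Starting test: Services
      * Checking Service: NTDS
      Could not open NTDS Service on DC01, error 0x5 "Win32 Error
      5"
      ......................... DC01 failed test Services
   Starting test: NCSecDesc
      Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
      Replicating Directory Changes In Filtered Set
      ......................... DC01 failed test NCSecDesc
Running partition tests on : ForestDnsZones
   Starting test: CrossRefValidation
      ......................... ForestDnsZones passed test

      CrossRefValidation
"""


def parse_results(text):
    """Return one dict per test: target, test, verdict, codes, detail."""
    results, current, detail = [], None, []
    for line in text.splitlines():
        m = START.match(line)
        if m:
            current, detail = m.group(1), []
            continue
        m = RESULT.match(line)
        if m:
            target, verdict, name = m.groups()
            body = " ".join(detail)           # rejoin lines the mail client wrapped
            results.append({
                "target": target,
                "test": name or current,      # wrapped name: fall back to "Starting test"
                "verdict": verdict,
                "codes": sorted({int(c, 16) for c in ERRCODE.findall(body)}),
                "detail": body,
            })
            current, detail = None, []
        elif current and line.strip():
            detail.append(line.strip())
    return results


def triage(text):
    """Bucket failed tests: access-denied only vs. everything else."""
    buckets = {"access_denied": [], "investigate": []}
    for r in parse_results(text):
        if r["verdict"] != "failed":
            continue
        denied = bool(r["codes"]) and all(c in ACCESS_DENIED for c in r["codes"])
        buckets["access_denied" if denied else "investigate"].append(r["test"])
    return buckets


if __name__ == "__main__":
    for bucket, tests in triage(SAMPLE).items():
        print(f"{bucket}: {', '.join(tests) or '-'}")
```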

William Stokes
Guest
Posted: Sat Feb 14, 2009 11:36 am    Post subject: Re: Duplicate Host records for DNS&DC's

Ok. I don't run Betas at prod=)

What I meant in the previous posting is that we used to have two AD sites.
Since we consolidated our company to a single geographical location our
other site was deleted and I also renamed our current site to reflect better
our location (in the real world)

So there was one site deleted, one subnet deleted and our current site, in
which all computers and servers belong to, renamed.

I'll do the diags asap.

Thanks!
W

William Stokes
Guest
Posted: Mon Feb 16, 2009 10:08 am    Post subject: Re: Duplicate Host records for DNS&DC's

Hello,

It took a while but here's dcdiag's

This one for 2008 server:


Directory Server Diagnosis


Performing initial setup:

Trying to find home server...

* Verifying that the local machine PSAO104, is a Directory Server.
Home Server = PSAO104

* Connecting to directory service on server PSAO104.

* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.

Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site
Settings,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Getting ISTG and options for the site
* Identifying all servers.

Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.

* Found 2 DC(s). Testing 1 of them.

Done gathering initial info.


Doing initial required tests


Testing server: Leankatu\PSAO104

Starting test: Connectivity

* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... PSAO104 passed test Connectivity



Doing primary tests


Testing server: Leankatu\PSAO104

Starting test: Advertising

The DC PSAO104 is advertising itself as a DC and having a DS.
The DC PSAO104 is advertising as an LDAP server
The DC PSAO104 is advertising as having a writeable directory
The DC PSAO104 is advertising as a Key Distribution Center
The DC PSAO104 is advertising as a time server
The DS PSAO104 is advertising as a GC.
......................... PSAO104 passed test Advertising

Test omitted by user request: CheckSecurityError

Test omitted by user request: CutoffServers

Starting test: FrsEvent

* The File Replication Service Event log test
......................... PSAO104 passed test FrsEvent

Starting test: DFSREvent

The DFS Replication Event Log.
......................... PSAO104 passed test DFSREvent

Starting test: SysVolCheck

* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO104 passed test SysVolCheck

Starting test: KccEvent

* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15
minutes.
......................... PSAO104 passed test KccEvent

Starting test: KnowsOfRoleHolders

Role Schema Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Domain Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role PDC Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Rid Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
......................... PSAO104 passed test KnowsOfRoleHolders

Starting test: MachineAccount

Checking machine account for DC PSAO104 on DC PSAO104.
* SPN found :LDAP/PSAO104.sao.fi/sao.fi
* SPN found :LDAP/PSAO104.sao.fi
* SPN found :LDAP/PSAO104
* SPN found :LDAP/PSAO104.sao.fi/SAO
* SPN found
:LDAP/fc47108d-5620-4838-a55c-cce5eaa1e2f1._msdcs.sao.fi
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/fc47108d-5620-4838-a55c-cce5eaa1e2f1/sao.fi
* SPN found :HOST/PSAO104.sao.fi/sao.fi
* SPN found :HOST/PSAO104.sao.fi
* SPN found :HOST/PSAO104
* SPN found :HOST/PSAO104.sao.fi/SAO
* SPN found :GC/PSAO104.sao.fi/sao.fi
......................... PSAO104 passed test MachineAccount

Starting test: NCSecDesc

* Security Permissions check for all NC's on DC PSAO104.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for

DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

Replicating Directory Changes In Filtered Set
access rights for the naming context:

DC=ForestDnsZones,DC=sao,DC=fi
* Security Permissions Check for

DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

Replicating Directory Changes In Filtered Set
access rights for the naming context:

DC=DomainDnsZones,DC=sao,DC=fi
* Security Permissions Check for

CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 3)
* Security Permissions Check for

CN=Configuration,DC=sao,DC=fi
(Configuration,Version 3)
* Security Permissions Check for

DC=sao,DC=fi
(Domain,Version 3)
......................... PSAO104 failed test NCSecDesc

Starting test: NetLogons

* Network Logons Privileges Check
Verified share \\PSAO104\netlogon
Verified share \\PSAO104\sysvol
[PSAO104] User credentials does not have permission to perform this

operation.

The account used for this test must have network logon privileges

for this machine's domain.

......................... PSAO104 failed test NetLogons

Starting test: ObjectsReplicated

PSAO104 is in domain DC=sao,DC=fi
Checking for CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi in
domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO104 passed test ObjectsReplicated

Test omitted by user request: OutboundSecureChannels

Starting test: Replications

* Replications Check
[Replications Check,PSAO104] DsReplicaGetInfo(PENDING_OPS, NULL)

failed, error 0x2105 "Win32 Error 8453"

......................... PSAO104 failed test Replications

Starting test: RidManager

* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3103 to 3602
* rIDPreviousAllocationPool is 3103 to 3602
* rIDNextRID: 3105
......................... PSAO104 passed test RidManager

Starting test: Services

* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
Could not open NTDS Service on PSAO104, error 0x5 "Win32 Error
5"

* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO104 failed test Services

Starting test: SystemLog

* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... PSAO104 passed test SystemLog

Test omitted by user request: Topology

Test omitted by user request: VerifyEnterpriseReferences

Starting test: VerifyReferences

The system object reference (serverReference)

CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi and backlink on

CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi

are correct.
The system object reference (serverReferenceBL)

CN=PSAO104,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi

and backlink on

CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi

are correct.
......................... PSAO104 passed test VerifyReferences

Test omitted by user request: VerifyReplicas


Test omitted by user request: DNS

Test omitted by user request: DNS


Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test

CrossRefValidation


Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test

CrossRefValidation


Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test CrossRefValidation


Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test
CrossRefValidation


Running partition tests on : sao

Starting test: CheckSDRefDom

......................... sao passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... sao passed test CrossRefValidation


Running enterprise tests on : sao.fi

Test omitted by user request: DNS

Test omitted by user request: DNS

Starting test: LocatorCheck

GC Name: \\PSAO104.sao.fi

Locator Flags: 0xe00011fc
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
......................... sao.fi passed test LocatorCheck

Starting test: Intersite

Skipping site Leankatu, this site is outside the scope provided by
the

command line arguments provided.
......................... sao.fi passed test Intersite


This one for 2003 DC:


Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine PSAO101, is a DC.
* Connecting to directory service on server PSAO101.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Leankatu\PSAO101
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PSAO101 passed test Connectivity

Doing primary tests

Testing server: Leankatu\PSAO101
Starting test: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
DC=sao,DC=fi
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only
replicas and are not verifiably latent, or dc's no longer replicating this
nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... PSAO101 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PSAO101.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 2)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 2)
......................... PSAO101 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PSAO101\netlogon
Verified share \\PSAO101\sysvol
......................... PSAO101 passed test NetLogons
Starting test: Advertising
The DC PSAO101 is advertising itself as a DC and having a DS.
The DC PSAO101 is advertising as an LDAP server
The DC PSAO101 is advertising as having a writeable directory
The DC PSAO101 is advertising as a Key Distribution Center
The DC PSAO101 is advertising as a time server
The DS PSAO101 is advertising as a GC.
......................... PSAO101 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Domain Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role PDC Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Rid Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
......................... PSAO101 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2603 to 3102
* rIDPreviousAllocationPool is 2603 to 3102
* rIDNextRID: 2683
......................... PSAO101 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC PSAO101 on DC PSAO101.
* SPN found :LDAP/PSAO101.sao.fi/sao.fi
* SPN found :LDAP/PSAO101.sao.fi
* SPN found :LDAP/PSAO101
* SPN found :LDAP/PSAO101.sao.fi/SAO
* SPN found
:LDAP/6f073ef1-3578-4e0d-abd9-c9062e3b69fa._msdcs.sao.fi
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/6f073ef1-3578-4e0d-abd9-c9062e3b69fa/sao.fi
* SPN found :HOST/PSAO101.sao.fi/sao.fi
* SPN found :HOST/PSAO101.sao.fi
* SPN found :HOST/PSAO101
* SPN found :HOST/PSAO101.sao.fi/SAO
* SPN found :GC/PSAO101.sao.fi/sao.fi
......................... PSAO101 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO101 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
PSAO101 is in domain DC=sao,DC=fi
Checking for CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi in
domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO101 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO101 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... PSAO101 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minutes.
......................... PSAO101 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... PSAO101 passed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi and backlink on

CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi

are correct.
The system object reference (frsComputerReferenceBL)

CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi

and backlink on CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi are

correct.
The system object reference (serverReferenceBL)

CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi

and backlink on

CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi

are correct.
......................... PSAO101 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : sao
Starting test: CrossRefValidation
......................... sao passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... sao passed test CheckSDRefDom

Running enterprise tests on : sao.fi
Starting test: Intersite
Skipping site Leankatu, this site is outside the scope provided by
the

command line arguments provided.
......................... sao.fi passed test Intersite
Starting test: FsmoCheck
GC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
......................... sao.fi passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS


Hope you can get something out of these. Thanks!!!

W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in
message:ff16fb66194288cb5c04eaec46cc@msnews.microsoft.com...
Quote:
Hello William,

The ipconfigs look ok.

The 2008 is SP2, is that correct? If yes, you should NEVER use a BETA
version in a production environment.

What do you mean by changed the single site name?

Please run and post an unedited netdiag /v and dcdiag /v from both
servers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hello,

Here's IP configs for both DC/DNS servers and one XP cli. The XP cli
is localised language but I am sure it's readable to you=)

1. Windows 2003 SP2 DC/DNS server

Windows IP Configuration

Host Name . . . . . . . . . . . . : Win2003
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter BCOMMs:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-13-72-5E-F6-6D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.1.22
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.22
172.20.1.24
2. Windows 2008 SP2 DC/DNS server

Windows IP Configuration

Host Name . . . . . . . . . . . . : Win2008
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter Local Area Connection 5:

Connection-specific DNS Suffix . : domain.com
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-22-19-8C-5D-96
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.20.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.24
172.20.1.22
NetBIOS over Tcpip. . . . . . . . : Enabled
3. Windows XP client

Windows IP-määritykset

Isäntänimi . . . . . . . . . . . : WinXP Cli
Ensisijainen DNS-liite . . . . . : domain.com
Solmutyyppi . . . . . . . . . . . : Hybridi
IP-reititys käytössä . . . . . . : Ei
WINS-välityspalvelin käytössä . . : Ei
DNS-liitteiden etsintäluettelo . : domain.com
domain.com
Ethernet-sovitin Lähiverkkoyhteys:

Yhteyskohtainen DNS-liite . . . . : domain.com
Kuvaus . . . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit
Network C
onnection
Fyysinen osoite . . . . . . . . . : 00-1A-A0-E9-D9-5C
DHCP käytössä . . . . . . . . . . : Kyllä
Automaattinen määritys käytössä . : Kyllä
IP-osoite . . . . . . . . . . . . : 172.20.1.63
Aliverkon peite . . . . . . . . . : 255.255.255.0
Oletusyhdyskäytävä. . . . . . . . : 172.20.1.254
DHCP-palvelin . . . . . . . . . . : 172.20.1.22
DNS-palvelimet . . . . . . . . . : 172.20.1.22
172.20.1.24
Käyttölupa myönnetty . . . . . . : 13. helmikuuta 2009
15:31:46
Käyttölupa vanhentuu . . . . . . : 9. maaliskuuta 2009
15:31:46
DNS servers are configured to forward DNS queries to our ISP if IP is
outside our network.

It seems to me that if client uses the 2008 server as a loginserver
there's less delay in login. If it uses Win2003 DC it takes a whole
lot longer.

I cannot pinpoint the exact moment the problems started but last Monday I
raised the domain functionality level from 2000 to 2003 and also
deleted one site and one subnet which were no longer used. Also I
changed our single site name.

Anyway. All seems to work but the login takes long. Approximately 1-13
minutes depending on the client and which DC it happens to use.

Hope you can give advice.

-W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in
message:ff16fb66193a28cb5bca07f8325c@msnews.microsoft.com...

Hello William,

Slow logins often belong to incorrect DNS settings on the machine's
NIC. Make sure to use only domain internal DNS servers on the NIC on
all machines. Please post an unedited ipconfig /all from the DC/DNS
servers and also a problem machine.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

We're experiencing some very slow network logins in our domain
(funct level 2003). We have one 2003 and one 2008 DC which also
operate as DNS servers. In trying to solve slow logins I've been going
through our DNS records. In both DNS servers there is a duplicate
entry for our DC's in forward lookup zone. One entry is normal like
"Server01 to IP 172.20.1.22" but the second is "(same as parent
folder) to 172.20.1.22" which means blank name as a server name.
What is the purpose of this entry and can it be deleted? Is there
some use for it?

Also. All hints of DNS debugging steps and tools are appreciated!
There seems to be something abnormal in the domain now but at a glance
all seems to be configured correctly.

Thanks
W

Back to top
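A triage helper for verbose dcdiag output like the dumps posted in this thread, added here as an example (it is not part of any poster's message and not a Microsoft tool). It tolerates the line wraps the newsreader introduced and lists the tests that did not pass together with their Win32 error codes; the function names are hypothetical and the sample is excerpted from the PSAO104 output quoted in the thread.

```python
import re

# Win32 codes that appear in this thread's output (names from winerror.h).
WIN32_NAMES = {
    5: "ERROR_ACCESS_DENIED",
    8453: "ERROR_DS_DRA_ACCESS_DENIED",
}

# \s+ also matches newlines, so a verdict or an error code that was wrapped
# over two or three lines by the newsreader is still recognised.
START = re.compile(r"Starting test:\s*(\S+)")
VERDICT = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")
WIN32 = re.compile(r'error\s+0x([0-9A-Fa-f]+)\s+"Win32\s+Error\s+(\d+)"')

# Constructed sample: lines taken from the PSAO104 output in this thread,
# keeping the hard wraps exactly as they were posted.
SAMPLE = """\
Starting test: KnowsOfRoleHolders
......................... PSAO104 passed test
KnowsOfRoleHolders
Starting test: NetLogons
* Network Logons Privileges Check
[PSAO104] User credentials does not have permission to
perform this
operation.
......................... PSAO104 failed test NetLogons
Starting test: Replications
* Replications Check
[Replications Check,PSAO104] DsReplicaGetInfo(PENDING_OPS,
NULL)
failed, error 0x2105 "Win32 Error 8453"
......................... PSAO104 failed test Replications
Starting test: Services
* Checking Service: NTDS
Could not open NTDS Service on PSAO104, error 0x5 "Win32
Error
5"
* Checking Service: DnsCache
......................... PSAO104 failed test Services
Starting test: SystemLog
Found no errors in "System" Event log in the last 60 minutes.
......................... PSAO104 passed test SystemLog
"""


def parse_dcdiag(text):
    """Return one dict per 'Starting test:' block, in output order."""
    starts = list(START.finditer(text))
    results = []
    for i, m in enumerate(starts):
        # A block runs from this 'Starting test:' to the next one (or EOF).
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        body = text[m.end():end]
        name = m.group(1)
        # "unknown" means the verdict line is missing, e.g. a truncated paste.
        target, status = None, "unknown"
        v = VERDICT.search(body)
        if v and v.group(3).lower() == name.lower():
            target, status = v.group(1), v.group(2)
        errors = []
        for e in WIN32.finditer(body):
            code = int(e.group(2))
            errors.append({
                "code": code,
                "name": WIN32_NAMES.get(code, "unmapped"),
                # Hex and decimal forms must agree; if not, the paste is damaged.
                "consistent": int(e.group(1), 16) == code,
            })
        results.append({"test": name, "target": target,
                        "status": status, "errors": errors})
    return results


def failed_tests(text):
    """(test name, [Win32 codes]) for every test that did not pass."""
    return [(r["test"], [e["code"] for e in r["errors"]])
            for r in parse_dcdiag(text) if r["status"] != "passed"]


if __name__ == "__main__":
    for r in parse_dcdiag(SAMPLE):
        if r["status"] != "passed":
            codes = ", ".join(f'{e["code"]} {e["name"]}'
                              for e in r["errors"]) or "no Win32 code"
            print(f'{r["target"]}: {r["test"]} {r["status"]} ({codes})')
```
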
William Stokes
Guest

Posted: Mon Feb 16, 2009 11:19 am    Post subject: Re: Duplicate Host records for DNS&DC's

Weird.

I used the same account on both servers. And this account is a member of the
domain admins group.

W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in
message:ff16fb66198558cb5e4a9dc79d86@msnews.microsoft.com...
Quote:
Hello William,

What account do you use for the dcdiag? "[PSAO104] User credentials does
not have permission to perform this operation. The account used for this
test must have network logon privileges for this machine's domain."

Check on PSAO104 that all services are running that are set to automatic.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hello,

It took a while but here's dcdiag's

This one for 2008 server:

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

* Verifying that the local machine PSAO104, is a Directory Server.
Home Server = PSAO104
* Connecting to directory service on server PSAO104.

* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,LDAP_
SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site
Settings,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Getting ISTG and options for the site
* Identifying all servers.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,LDAP_
SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.

Done gathering initial info.

Doing initial required tests

Testing server: Leankatu\PSAO104

Starting test: Connectivity

* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... PSAO104 passed test Connectivity
Doing primary tests

Testing server: Leankatu\PSAO104

Starting test: Advertising

The DC PSAO104 is advertising itself as a DC and having a DS.
The DC PSAO104 is advertising as an LDAP server
The DC PSAO104 is advertising as having a writeable directory
The DC PSAO104 is advertising as a Key Distribution Center
The DC PSAO104 is advertising as a time server
The DS PSAO104 is advertising as a GC.
......................... PSAO104 passed test Advertising
Test omitted by user request: CheckSecurityError

Test omitted by user request: CutoffServers

Starting test: FrsEvent

* The File Replication Service Event log test
......................... PSAO104 passed test FrsEvent
Starting test: DFSREvent

The DFS Replication Event Log.
......................... PSAO104 passed test DFSREvent
Starting test: SysVolCheck

* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO104 passed test SysVolCheck
Starting test: KccEvent

* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the
last 15
minutes.
......................... PSAO104 passed test KccEvent
Starting test: KnowsOfRoleHolders

Role Schema Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
Role Domain Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
Role PDC Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
Role Rid Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
......................... PSAO104 passed test
KnowsOfRoleHolders
Starting test: MachineAccount

Checking machine account for DC PSAO104 on DC PSAO104.
* SPN found :LDAP/PSAO104.sao.fi/sao.fi
* SPN found :LDAP/PSAO104.sao.fi
* SPN found :LDAP/PSAO104
* SPN found :LDAP/PSAO104.sao.fi/SAO
* SPN found
:LDAP/fc47108d-5620-4838-a55c-cce5eaa1e2f1._msdcs.sao.fi
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/fc47108d-5620-4838-a55c-cce5eaa1
e2f1/sao.fi
* SPN found :HOST/PSAO104.sao.fi/sao.fi
* SPN found :HOST/PSAO104.sao.fi
* SPN found :HOST/PSAO104
* SPN found :HOST/PSAO104.sao.fi/SAO
* SPN found :GC/PSAO104.sao.fi/sao.fi
......................... PSAO104 passed test MachineAccount
Starting test: NCSecDesc

* Security Permissions check for all NC's on DC PSAO104.
The forest is not ready for RODC. Will skip checking ERODC
ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=sao,DC=fi
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=sao,DC=fi
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 3)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 3)
......................... PSAO104 failed test NCSecDesc
Starting test: NetLogons

* Network Logons Privileges Check
Verified share \\PSAO104\netlogon
Verified share \\PSAO104\sysvol
[PSAO104] User credentials does not have permission to
perform this
operation.

The account used for this test must have network logon
privileges

for this machine's domain.

......................... PSAO104 failed test NetLogons

Starting test: ObjectsReplicated

PSAO104 is in domain DC=sao,DC=fi
Checking for CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi in
domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO104 passed test
ObjectsReplicated
Test omitted by user request: OutboundSecureChannels

Starting test: Replications

* Replications Check
[Replications Check,PSAO104] DsReplicaGetInfo(PENDING_OPS,
NULL)
failed, error 0x2105 "Win32 Error 8453"

......................... PSAO104 failed test Replications

Starting test: RidManager

* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3103 to 3602
* rIDPreviousAllocationPool is 3103 to 3602
* rIDNextRID: 3105
......................... PSAO104 passed test RidManager
Starting test: Services

* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
Could not open NTDS Service on PSAO104, error 0x5 "Win32
Error
5"
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO104 failed test Services
Starting test: SystemLog

* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... PSAO104 passed test SystemLog
Test omitted by user request: Topology

Test omitted by user request: VerifyEnterpriseReferences

Starting test: VerifyReferences

The system object reference (serverReference)

CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi and backlink on


CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=
fi

are correct.
The system object reference (serverReferenceBL)
CN=PSAO104,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi

and backlink on

CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi

are correct.
......................... PSAO104 passed test
VerifyReferences
Test omitted by user request: VerifyReplicas

Test omitted by user request: DNS

Test omitted by user request: DNS

Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test
CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test

CrossRefValidation

Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test
CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test

CrossRefValidation

Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test
CrossRefValidation

Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test
CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test
CrossRefValidation

Running partition tests on : sao

Starting test: CheckSDRefDom

......................... sao passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... sao passed test CrossRefValidation

Running enterprise tests on : sao.fi

Test omitted by user request: DNS

Test omitted by user request: DNS

Starting test: LocatorCheck

GC Name: \\PSAO104.sao.fi

Locator Flags: 0xe00011fc
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
......................... sao.fi passed test LocatorCheck
Starting test: Intersite

Skipping site Leankatu, this site is outside the scope
provided by the

command line arguments provided.
......................... sao.fi passed test Intersite
This one for 2003 DC:

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine PSAO101, is a DC.
* Connecting to directory service on server PSAO101.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests

Testing server: Leankatu\PSAO101
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PSAO101 passed test Connectivity
Doing primary tests

Testing server: Leankatu\PSAO101
Starting test: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were
ignored.
2 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer replicating
this
nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were
ignored.
2 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer replicating
this
nc. 0 had no latency information (Win2K DC).
DC=sao,DC=fi
Latency information for 2 entries in the vector were
ignored.
2 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer replicating
this
nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... PSAO101 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PSAO101.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 2)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 2)
......................... PSAO101 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PSAO101\netlogon
Verified share \\PSAO101\sysvol
......................... PSAO101 passed test NetLogons
Starting test: Advertising
The DC PSAO101 is advertising itself as a DC and having a DS.
The DC PSAO101 is advertising as an LDAP server
The DC PSAO101 is advertising as having a writeable directory
The DC PSAO101 is advertising as a Key Distribution Center
The DC PSAO101 is advertising as a time server
The DS PSAO101 is advertising as a GC.
......................... PSAO101 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
Role Domain Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
Role PDC Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
Role Rid Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
......................... PSAO101 passed test
KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2603 to 3102
* rIDPreviousAllocationPool is 2603 to 3102
* rIDNextRID: 2683
......................... PSAO101 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC PSAO101 on DC PSAO101.
* SPN found :LDAP/PSAO101.sao.fi/sao.fi
* SPN found :LDAP/PSAO101.sao.fi
* SPN found :LDAP/PSAO101
* SPN found :LDAP/PSAO101.sao.fi/SAO
* SPN found
:LDAP/6f073ef1-3578-4e0d-abd9-c9062e3b69fa._msdcs.sao.fi
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/6f073ef1-3578-4e0d-abd9-c9062e3b
69fa/sao.fi
* SPN found :HOST/PSAO101.sao.fi/sao.fi
* SPN found :HOST/PSAO101.sao.fi
* SPN found :HOST/PSAO101
* SPN found :HOST/PSAO101.sao.fi/SAO
* SPN found :GC/PSAO101.sao.fi/sao.fi
......................... PSAO101 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO101 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
PSAO101 is in domain DC=sao,DC=fi
Checking for CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi in
domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi
in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO101 passed test
ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO101 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... PSAO101 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the
last 15
minutes.
......................... PSAO101 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... PSAO101 passed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi and backlink on


CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=
fi

are correct.
The system object reference (frsComputerReferenceBL)
CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi

and backlink on CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi
are

correct.
The system object reference (serverReferenceBL)
CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi

and backlink on

CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,D
C=sao,DC=fi

are correct.
......................... PSAO101 passed test
VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test
CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test
CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test
CheckSDRefDom
Running partition tests on : sao
Starting test: CrossRefValidation
......................... sao passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... sao passed test CheckSDRefDom
Running enterprise tests on : sao.fi
Starting test: Intersite
Skipping site Leankatu, this site is outside the scope
provided by
the
command line arguments provided.
......................... sao.fi passed test Intersite
Starting test: FsmoCheck
GC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
......................... sao.fi passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
Hope you can get something out of these. Thanks!!!

W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message:ff16fb66194288cb5c04eaec46cc@msnews.microsoft.com...

Hello William,

The ipconfigs look ok.

The 2008 is SP2, is that correct? If yes, you should NEVER use a BETA
version in a production environment.

What do you mean with changed the single site name?

Please run and post an unedited netdiag /v and dcdiag /v from both
servers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

Here's IP configs for both DC/DNS servers and one XP cli. The XP cli
is localised language but I am sure it's readable to you=)

1. Windows 2003 SP2 DC/DNS server

Windows IP Configuration

Host Name . . . . . . . . . . . . : Win2003
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter BCOMMs:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-13-72-5E-F6-6D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.1.22
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.22
172.20.1.24
2. Windows 2008 SP2 DC/DNS server
Windows IP Configuration

Host Name . . . . . . . . . . . . : Win2008
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter Local Area Connection 5:
Connection-specific DNS Suffix . : domain.com
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-22-19-8C-5D-96
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.20.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.24
172.20.1.22
NetBIOS over Tcpip. . . . . . . . : Enabled
3. Windows XP client
Windows IP-määritykset

Isäntänimi . . . . . . . . . . . : WinXP Cli
Ensisijainen DNS-liite . . . . . : domain.com
Solmutyyppi . . . . . . . . . . . : Hybridi
IP-reititys käytössä . . . . . . : Ei
WINS-välityspalvelin käytössä . . : Ei
DNS-liitteiden etsintäluettelo . : domain.com
domain.com
Ethernet-sovitin Lähiverkkoyhteys:
Yhteyskohtainen DNS-liite . . . . : domain.com
Kuvaus . . . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit Network Connection
Fyysinen osoite . . . . . . . . . : 00-1A-A0-E9-D9-5C
DHCP käytössä . . . . . . . . . . : Kyllä
Automaattinen määritys käytössä . : Kyllä
IP-osoite . . . . . . . . . . . . : 172.20.1.63
Aliverkon peite . . . . . . . . . : 255.255.255.0
Oletusyhdyskäytävä. . . . . . . . : 172.20.1.254
DHCP-palvelin . . . . . . . . . . : 172.20.1.22
DNS-palvelimet . . . . . . . . . : 172.20.1.22
172.20.1.24
Käyttölupa myönnetty . . . . . . : 13. helmikuuta 2009 15:31:46
Käyttölupa vanhentuu . . . . . . : 9. maaliskuuta 2009 15:31:46

DNS servers are configured to forward DNS queries to our ISP if IP is
outside our network.
It seems to me that if client uses the 2008 server as a login server
there's less delay in login. If it uses Win2003 DC it takes a whole
lot longer.

I cannot pinpoint exact moment problems started but last Monday I
raised the domain functionality level from 2000 to 2003 and also
deleted one site and one subnet which were no longer used. Also I
changed our single site name.

Anyway. All seems to work but the login takes long. Approximately
1-13 minutes depending on the client and which DC it happens to use.

Hope you can give advice.

-W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message:ff16fb66193a28cb5bca07f8325c@msnews.microsoft.com...

Hello William,

Slow logins often belong to incorrect DNS settings on the machine's
NIC. Make sure to use only domain internal DNS servers on the NIC
on all machines. Please post an unedited ipconfig /all from the
DC/DNS servers and also a problem machine.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

We're experiencing some very slow network logins in our domain
(funct level 2003). We have one 2003 and one 2008 DC which also
operate as DNS servers. In trying to solve slow logins I've been going
through our DNS records. In both DNS servers there is a duplicate
entry for our DC's in forward lookup zone. One entry is normal
like "Server01 to IP 172.20.1.22" but the second is "(same as
parent folder) to 172.20.1.22" which means blank name as a server
name. What is the purpose of this entry and can it be deleted? Is
there some use for it?

Also. All hints of DNS debugging steps and tools are appreciated!
There seems to be something abnormal in the domain now but at
a glance all seems to be configured correctly.

Thanks
W

Back to top
Meinolf Weber [MVP-DS]
Guest

Posted: Mon Feb 16, 2009 11:38 am    Post subject: Re: Duplicate Host records for DNS&DC's

Hello William,

What account do you use for the dcdiag? "[PSAO104] User credentials does not
have permission to perform this operation. The account used for this test
must have network logon privileges for this machine's domain."

Check on PSAO104 that all services are running that are set to automatic.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Quote:
Hello,

It took a while but here's dcdiag's

This one for 2008 server:

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

* Verifying that the local machine PSAO104, is a Directory Server.
Home Server = PSAO104
* Connecting to directory service on server PSAO104.

* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.

Done gathering initial info.

Doing initial required tests

Testing server: Leankatu\PSAO104

Starting test: Connectivity

* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... PSAO104 passed test Connectivity
Doing primary tests

Testing server: Leankatu\PSAO104

Starting test: Advertising

The DC PSAO104 is advertising itself as a DC and having a DS.
The DC PSAO104 is advertising as an LDAP server
The DC PSAO104 is advertising as having a writeable directory
The DC PSAO104 is advertising as a Key Distribution Center
The DC PSAO104 is advertising as a time server
The DS PSAO104 is advertising as a GC.
......................... PSAO104 passed test Advertising
Test omitted by user request: CheckSecurityError

Test omitted by user request: CutoffServers

Starting test: FrsEvent

* The File Replication Service Event log test
......................... PSAO104 passed test FrsEvent
Starting test: DFSREvent

The DFS Replication Event Log.
......................... PSAO104 passed test DFSREvent
Starting test: SysVolCheck

* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO104 passed test SysVolCheck
Starting test: KccEvent

* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... PSAO104 passed test KccEvent
Starting test: KnowsOfRoleHolders

Role Schema Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Domain Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role PDC Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Rid Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
......................... PSAO104 passed test KnowsOfRoleHolders
Starting test: MachineAccount

Checking machine account for DC PSAO104 on DC PSAO104.
* SPN found :LDAP/PSAO104.sao.fi/sao.fi
* SPN found :LDAP/PSAO104.sao.fi
* SPN found :LDAP/PSAO104
* SPN found :LDAP/PSAO104.sao.fi/SAO
* SPN found :LDAP/fc47108d-5620-4838-a55c-cce5eaa1e2f1._msdcs.sao.fi
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/fc47108d-5620-4838-a55c-cce5eaa1e2f1/sao.fi
* SPN found :HOST/PSAO104.sao.fi/sao.fi
* SPN found :HOST/PSAO104.sao.fi
* SPN found :HOST/PSAO104
* SPN found :HOST/PSAO104.sao.fi/SAO
* SPN found :GC/PSAO104.sao.fi/sao.fi
......................... PSAO104 passed test MachineAccount
Starting test: NCSecDesc

* Security Permissions check for all NC's on DC PSAO104.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=sao,DC=fi
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=sao,DC=fi
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 3)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 3)
......................... PSAO104 failed test NCSecDesc
Starting test: NetLogons

* Network Logons Privileges Check
Verified share \\PSAO104\netlogon
Verified share \\PSAO104\sysvol
[PSAO104] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges
for this machine's domain.

......................... PSAO104 failed test NetLogons

Starting test: ObjectsReplicated

PSAO104 is in domain DC=sao,DC=fi
Checking for CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi in domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO104 passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels

Starting test: Replications

* Replications Check
[Replications Check,PSAO104] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105 "Win32 Error 8453"

......................... PSAO104 failed test Replications

Starting test: RidManager

* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3103 to 3602
* rIDPreviousAllocationPool is 3103 to 3602
* rIDNextRID: 3105
......................... PSAO104 passed test RidManager
Starting test: Services

* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
Could not open NTDS Service on PSAO104, error 0x5 "Win32 Error 5"
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO104 failed test Services
Starting test: SystemLog

* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... PSAO104 passed test SystemLog
Test omitted by user request: Topology

Test omitted by user request: VerifyEnterpriseReferences

Starting test: VerifyReferences

The system object reference (serverReference)
CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi and backlink on
CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
are correct.
The system object reference (serverReferenceBL)
CN=PSAO104,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=sao,DC=fi
and backlink on
CN=NTDS Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
are correct.
......................... PSAO104 passed test VerifyReferences
Test omitted by user request: VerifyReplicas

Test omitted by user request: DNS

Test omitted by user request: DNS

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : sao
Starting test: CheckSDRefDom
......................... sao passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... sao passed test CrossRefValidation
Running enterprise tests on : sao.fi
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
......................... sao.fi passed test LocatorCheck
Starting test: Intersite
Skipping site Leankatu, this site is outside the scope provided by the
command line arguments provided.
......................... sao.fi passed test Intersite

This one for 2003 DC:

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine PSAO101, is a DC.
* Connecting to directory service on server PSAO101.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests

Testing server: Leankatu\PSAO101
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PSAO101 passed test Connectivity
Doing primary tests

Testing server: Leankatu\PSAO101
Starting test: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=sao,DC=fi
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... PSAO101 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PSAO101.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 2)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 2)
......................... PSAO101 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PSAO101\netlogon
Verified share \\PSAO101\sysvol
......................... PSAO101 passed test NetLogons
Starting test: Advertising
The DC PSAO101 is advertising itself as a DC and having a DS.
The DC PSAO101 is advertising as an LDAP server
The DC PSAO101 is advertising as having a writeable directory
The DC PSAO101 is advertising as a Key Distribution Center
The DC PSAO101 is advertising as a time server
The DS PSAO101 is advertising as a GC.
......................... PSAO101 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Domain Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role PDC Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Rid Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
......................... PSAO101 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2603 to 3102
* rIDPreviousAllocationPool is 2603 to 3102
* rIDNextRID: 2683
......................... PSAO101 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC PSAO101 on DC PSAO101.
* SPN found :LDAP/PSAO101.sao.fi/sao.fi
* SPN found :LDAP/PSAO101.sao.fi
* SPN found :LDAP/PSAO101
* SPN found :LDAP/PSAO101.sao.fi/SAO
* SPN found :LDAP/6f073ef1-3578-4e0d-abd9-c9062e3b69fa._msdcs.sao.fi
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/6f073ef1-3578-4e0d-abd9-c9062e3b69fa/sao.fi
* SPN found :HOST/PSAO101.sao.fi/sao.fi
* SPN found :HOST/PSAO101.sao.fi
* SPN found :HOST/PSAO101
* SPN found :HOST/PSAO101.sao.fi/SAO
* SPN found :GC/PSAO101.sao.fi/sao.fi
......................... PSAO101 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO101 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
PSAO101 is in domain DC=sao,DC=fi
Checking for CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi in domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO101 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO101 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... PSAO101 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... PSAO101 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... PSAO101 passed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi and backlink on
CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
are correct.
The system object reference (frsComputerReferenceBL)
CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=sao,DC=fi
and backlink on CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi are
correct.
The system object reference (serverReferenceBL)
CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=sao,DC=fi
and backlink on
CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
are correct.
......................... PSAO101 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : sao
Starting test: CrossRefValidation
......................... sao passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... sao passed test CheckSDRefDom
Running enterprise tests on : sao.fi
Starting test: Intersite
Skipping site Leankatu, this site is outside the scope provided by the
command line arguments provided.
......................... sao.fi passed test Intersite
Starting test: FsmoCheck
GC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
......................... sao.fi passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
Hope you can get something out of these. Thanks!!!

W

Back to top
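
Added example (not part of the thread): a small Python triage of `dcdiag /v` output that separates failed tests where the account running the tool was denied access (Win32 error 5, ERROR_ACCESS_DENIED, and 8453, ERROR_DS_DRA_ACCESS_DENIED) from the NCSecDesc finding about a missing access right on a naming context. The sample text is constructed from the shape of the output quoted above, including its mail-wrapped lines; the function names and category labels are assumptions of this example.

```python
import re

# Win32 codes that appear in the quoted output, with their winerror.h names.
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 8453: "ERROR_DS_DRA_ACCESS_DENIED"}

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s+(\S+) (passed|failed) test\s*(\S*)\s*$")
WIN32 = re.compile(r"Win32 Error (\d+)")

# Constructed sample, abridged; line wraps mimic the mail-wrapped post.
SAMPLE = """\
Testing server: Leankatu\\PSAO104
Starting test: Advertising
The DC PSAO104 is advertising as an LDAP server
......................... PSAO104 passed test Advertising
Starting test: NCSecDesc
Error NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=sao,DC=fi
......................... PSAO104 failed test NCSecDesc
Starting test: NetLogons
[PSAO104] User credentials does not have permission to
perform this
operation.
......................... PSAO104 failed test NetLogons
Starting test: Replications
[Replications Check,PSAO104] DsReplicaGetInfo(PENDING_OPS,
NULL)
failed, error 0x2105 "Win32 Error 8453"
......................... PSAO104 failed test Replications
Starting test: Services
Could not open NTDS Service on PSAO104, error 0x5 "Win32
Error
5"
......................... PSAO104 failed test Services
Starting test: KnowsOfRoleHolders
......................... PSAO104 passed test
KnowsOfRoleHolders
"""


def parse_dcdiag(text):
    """Return one dict per test result: target, test, status, detail."""
    results, current, body = [], None, []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = START.match(line)
        if m:
            current, body = m.group(1), []
            continue
        m = RESULT.match(line)
        if m:
            target, status, name = m.groups()
            if not (current or name):
                # Test name wrapped onto a later line: take the next non-blank one.
                name = next((l.strip() for l in lines[i + 1:] if l.strip()), "")
            # Re-join wrapped body lines so "Win32\nError\n5" reads "Win32 Error 5".
            detail = " ".join(" ".join(body).split())
            results.append({"target": target, "test": current or name,
                            "status": status, "detail": detail})
            current, body = None, []
            continue
        if current is not None:
            body.append(line)
    return results


def triage(results):
    """Group failed tests by the kind of denial their detail text reports."""
    out = {}
    for r in results:
        if r["status"] != "failed":
            continue
        detail = r["detail"]
        codes = [int(c) for c in WIN32.findall(detail)]
        if any(c in WIN32_NAMES for c in codes) or "does not have permission" in detail:
            category = "caller-access-denied"   # the account running dcdiag was refused
        elif "access rights for the naming context" in detail:
            category = "directory-acl"          # an ACE is missing on a partition
        else:
            category = "other"
        out[r["test"]] = {"category": category,
                          "win32": [WIN32_NAMES.get(c, str(c)) for c in codes]}
    return out


if __name__ == "__main__":
    for test, info in triage(parse_dcdiag(SAMPLE)).items():
        print(f"{test:14} {info['category']:22} {', '.join(info['win32'])}")
```

To run it on a real log, save the `dcdiag /v` output to a file and pass the file's text to `parse_dcdiag`.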
Meinolf Weber [MVP-DS]
Guest

Posted: Mon Feb 16, 2009 1:33 pm    Post subject: Re: Duplicate Host records for DNS&DC's

Hello William,

Run also the adprep /rodcprep and then run the dcdiag test again. The error
about "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have..........."
should be solved then.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Quote:
Weird.

I used same account on both servers. And this account is a member of
domain admins group

W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message:ff16fb66198558cb5e4a9dc79d86@msnews.microsoft.com...

Hello William,

What account do you use for the dcdiag? "[PSAO104] User credentials
does not have permission to perform this operation. The account used
for this test must have network logon privileges for this machine's
domain."

Check on PSAO104 that all services are running that are set to
automatic.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

It took a while but here's dcdiag's

This one for 2008 server:

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

* Verifying that the local machine PSAO104, is a Directory Server.
Home Server = PSAO104
* Connecting to directory service on server PSAO104.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Leankatu\PSAO104

Starting test: Connectivity

* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... PSAO104 passed test Connectivity
Doing primary tests
Testing server: Leankatu\PSAO104

Starting test: Advertising

The DC PSAO104 is advertising itself as a DC and having a DS.
The DC PSAO104 is advertising as an LDAP server
The DC PSAO104 is advertising as having a writeable directory
The DC PSAO104 is advertising as a Key Distribution Center
The DC PSAO104 is advertising as a time server
The DS PSAO104 is advertising as a GC.
......................... PSAO104 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers

Starting test: FrsEvent

* The File Replication Service Event log test
......................... PSAO104 passed test FrsEvent Starting
test: DFSREvent

The DFS Replication Event Log. ......................... PSAO104
passed test DFSREvent Starting test: SysVolCheck

* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO104 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the
last 15
minutes.
......................... PSAO104 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role Domain Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role PDC Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role Rid Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
......................... PSAO104 passed test
KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC PSAO104 on DC PSAO104.
* SPN found :LDAP/PSAO104.sao.fi/sao.fi
* SPN found :LDAP/PSAO104.sao.fi
* SPN found :LDAP/PSAO104
* SPN found :LDAP/PSAO104.sao.fi/SAO
* SPN found
:LDAP/fc47108d-5620-4838-a55c-cce5eaa1e2f1._msdcs.sao.fi
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/fc47108d-5620-4838-a55c-cce5ea
a1
e2f1/sao.fi
* SPN found :HOST/PSAO104.sao.fi/sao.fi
* SPN found :HOST/PSAO104.sao.fi
* SPN found :HOST/PSAO104
* SPN found :HOST/PSAO104.sao.fi/SAO
* SPN found :GC/PSAO104.sao.fi/sao.fi
......................... PSAO104 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PSAO104.
The forest is not ready for RODC. Will skip checking ERODC
ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=sao,DC=fi
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=sao,DC=fi
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 3)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 3)
......................... PSAO104 failed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PSAO104\netlogon
Verified share \\PSAO104\sysvol
[PSAO104] User credentials does not have permission to
perform this
operation.
The account used for this test must have network logon privileges

for this machine's domain.

......................... PSAO104 failed test NetLogons

Starting test: ObjectsReplicated

PSAO104 is in domain DC=sao,DC=fi
Checking for CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi in
domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO104 passed test
ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications

* Replications Check
[Replications Check,PSAO104] DsReplicaGetInfo(PENDING_OPS,
NULL)
failed, error 0x2105 "Win32 Error 8453"
......................... PSAO104 failed test Replications

Starting test: RidManager

* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3103 to 3602
* rIDPreviousAllocationPool is 3103 to 3602
* rIDNextRID: 3105
......................... PSAO104 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
Could not open NTDS Service on PSAO104, error 0x5 "Win32
Error
5"
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO104 failed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... PSAO104 passed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences

Starting test: VerifyReferences

The system object reference (serverReference)

CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi and backlink on

CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,D
C= fi

are correct.
The system object reference (serverReferenceBL)
CN=PSAO104,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi
and backlink on

CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D C=sao,DC=fi

are correct.
......................... PSAO104 passed test
VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS

Test omitted by user request: DNS

Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test

CrossRefValidation

Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test

CrossRefValidation

Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test
CrossRefValidation
Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test
CrossRefValidation

Running partition tests on : sao

Starting test: CheckSDRefDom

......................... sao passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... sao passed test CrossRefValidation

Running enterprise tests on : sao.fi

Test omitted by user request: DNS

Test omitted by user request: DNS

Starting test: LocatorCheck

GC Name: \\PSAO104.sao.fi

Locator Flags: 0xe00011fc
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
......................... sao.fi passed test LocatorCheck
Starting test: Intersite
Skipping site Leankatu, this site is outside the scope provided by
the command line arguments provided.
......................... sao.fi passed test Intersite

This one for 2003 DC:

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine PSAO101, is a DC.
* Connecting to directory service on server PSAO101.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Leankatu\PSAO101
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PSAO101 passed test Connectivity
Doing primary tests
Testing server: Leankatu\PSAO101
Starting test: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were
ignored.
2 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer
replicating
this
nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were
ignored.
2 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer
replicating
this
nc. 0 had no latency information (Win2K DC).
DC=sao,DC=fi
Latency information for 2 entries in the vector were
ignored.
2 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer
replicating
this
nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... PSAO101 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PSAO101.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 2)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 2)
......................... PSAO101 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PSAO101\netlogon
Verified share \\PSAO101\sysvol
......................... PSAO101 passed test NetLogons
Starting test: Advertising
The DC PSAO101 is advertising itself as a DC and having a DS.
The DC PSAO101 is advertising as an LDAP server
The DC PSAO101 is advertising as having a writeable directory
The DC PSAO101 is advertising as a Key Distribution Center
The DC PSAO101 is advertising as a time server
The DS PSAO101 is advertising as a GC.
......................... PSAO101 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role Domain Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role PDC Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role Rid Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
......................... PSAO101 passed test
KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2603 to 3102
* rIDPreviousAllocationPool is 2603 to 3102
* rIDNextRID: 2683
......................... PSAO101 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC PSAO101 on DC PSAO101.
* SPN found :LDAP/PSAO101.sao.fi/sao.fi
* SPN found :LDAP/PSAO101.sao.fi
* SPN found :LDAP/PSAO101
* SPN found :LDAP/PSAO101.sao.fi/SAO
* SPN found
:LDAP/6f073ef1-3578-4e0d-abd9-c9062e3b69fa._msdcs.sao.fi
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/6f073ef1-3578-4e0d-abd9-c9062e
3b
69fa/sao.fi
* SPN found :HOST/PSAO101.sao.fi/sao.fi
* SPN found :HOST/PSAO101.sao.fi
* SPN found :HOST/PSAO101
* SPN found :HOST/PSAO101.sao.fi/SAO
* SPN found :GC/PSAO101.sao.fi/sao.fi
......................... PSAO101 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO101 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
PSAO101 is in domain DC=sao,DC=fi
Checking for CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi in
domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO101 passed test
ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO101 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... PSAO101 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the
last 15
minutes.
......................... PSAO101 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... PSAO101 passed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi and backlink on
CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,D
C= fi

are correct.
The system object reference (frsComputerReferenceBL)
CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi
and backlink on CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi are

correct.
The system object reference (serverReferenceBL)
CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi
and backlink on

CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D C=sao,DC=fi

are correct.
......................... PSAO101 passed test
VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test
CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test
CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test
CheckSDRefDom
Running partition tests on : sao
Starting test: CrossRefValidation
......................... sao passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... sao passed test CheckSDRefDom
Running enterprise tests on : sao.fi
Starting test: Intersite
Skipping site Leankatu, this site is outside the scope
provided by
the
command line arguments provided.
......................... sao.fi passed test Intersite
Starting test: FsmoCheck
GC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
......................... sao.fi passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
Hope you can get something out of these. Thanks!!!
W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in
message:ff16fb66194288cb5c04eaec46cc@msnews.microsoft.com...

Hello William,

The ipconfigs look ok.

The 2008 is SP2, is that correct? If yes, you should NEVER use a BETA
version in a production environment.

What do you mean with changed the single site name?

Please run and post an unedited netdiag /v and dcdiag /v from both
servers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

Here's IP configs for both DC/DNS servers and one XP cli. The XP
cli is localised language but I am sure it's readable to you=)

1. Windows 2003 SP2 DC/DNS server

Windows IP Configuration

Host Name . . . . . . . . . . . . : Win2003
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter BCOMMs:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-13-72-5E-F6-6D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.1.22
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.22
172.20.1.24
2. Windows 2008 SP2 DC/DNS server
Windows IP Configuration
Host Name . . . . . . . . . . . . : Win2008
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter Local Area Connection 5:
Connection-specific DNS Suffix . : domain.com
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-22-19-8C-5D-96
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.20.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.24
172.20.1.22
NetBIOS over Tcpip. . . . . . . . : Enabled
3. Windows XP client
Windows IP-määritykset
Isäntänimi . . . . . . . . . . . : WinXP Cli
Ensisijainen DNS-liite . . . . . : domain.com
Solmutyyppi . . . . . . . . . . . : Hybridi
IP-reititys käytössä . . . . . . : Ei
WINS-välityspalvelin käytössä . . : Ei
DNS-liitteiden etsintäluettelo . : domain.com
domain.com
Ethernet-sovitin Lähiverkkoyhteys:
Yhteyskohtainen DNS-liite . . . . : domain.com
Kuvaus . . . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit
Network C
onnection
Fyysinen osoite . . . . . . . . . : 00-1A-A0-E9-D9-5C
DHCP käytössä . . . . . . . . . . : Kyllä
Automaattinen määritys käytössä . : Kyllä
IP-osoite . . . . . . . . . . . . : 172.20.1.63
Aliverkon peite . . . . . . . . . : 255.255.255.0
Oletusyhdyskäytävä. . . . . . . . : 172.20.1.254
DHCP-palvelin . . . . . . . . . . : 172.20.1.22
DNS-palvelimet . . . . . . . . . : 172.20.1.22
172.20.1.24
Käyttölupa myönnetty . . . . . . : 13. helmikuuta 2009
15:31:46
Käyttölupa vanhentuu . . . . . . : 9. maaliskuuta 2009
15:31:46

DNS servers are configured to forward DNS queries to our ISP if IP is
outside our network.

It seems to me that if client uses the 2008 server as a loginserver
there's less delay in login. If it uses Win2003 DC it takes a whole
lot longer.

I cannot pinpoint exact moment problems started but last Monday I
raised the domain functionality level from 2000 to 2003 and also
deleted one site and one subnet which were no longer used. Also I
changed our single site name.

Anyway. All seems to work but the login takes long. Approximately
1-13 minutes depending on the client and which DC it happens to
use.

Hope you can give advice.

-W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in
message:ff16fb66193a28cb5bca07f8325c@msnews.microsoft.com...

Hello William,

Slow logins often belong to incorrect DNS settings on the
machine's NIC. Make sure to use only domain internal DNS servers
on the NIC on all machines. Please post an unedited ipconfig /all
from the DC/DNS servers and also a problem machine.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties,
and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

We're experiencing some very slow network logins in our domain
(funct level 2003). We have one 2003 and one 2008 DC which also
operate as DNS servers. In trying to solve slow logins I've been
going through our DNS records. In both DNS servers there is a
duplicate entry for our DC's in forward lookup zone. One entry
is normal like "Server01 to IP 172.20.1.22" but the second is
"(same as parent folder) to 172.20.1.22" which means blank name
as a server name. What is the purpose of this entry and can it
be deleted? Is there some use for it?

Also. All hints of DNS debugging steps and tools are
appreciated! There seems to be something abnormal in the domain
now but at glance all seems to be configured correctly.

Thanks
W
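
An added example, not part of the thread: a small triage script for dcdiag /v output saved as text, such as the PSAO104 run quoted above. It handles the newsgroup line wrapping seen in that post (verdicts split from test names, "Starting test:" fused onto the previous verdict line) and lists each failed test with the Win32 codes and missing access rights reported under it. The function names `parse_dcdiag` and `failures` are hypothetical; the Win32 names are the standard winerror.h constants.

```python
import re

# Abridged excerpt of the PSAO104 dcdiag output posted in this thread, kept
# with its newsgroup line wrapping. Lines between tests were trimmed.
SAMPLE = r"""
Starting test: FrsEvent
* The File Replication Service Event log test
......................... PSAO104 passed test FrsEvent Starting
test: DFSREvent
The DFS Replication Event Log. ......................... PSAO104
passed test DFSREvent Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO104 passed test SysVolCheck
Starting test: NCSecDesc
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=sao,DC=fi
......................... PSAO104 failed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
[PSAO104] User credentials does not have permission to
perform this
operation.
......................... PSAO104 failed test NetLogons
Starting test: Replications
* Replications Check
[Replications Check,PSAO104] DsReplicaGetInfo(PENDING_OPS,
NULL)
failed, error 0x2105 "Win32 Error 8453"
......................... PSAO104 failed test Replications
Starting test: Services
* Checking Service: NTDS
Could not open NTDS Service on PSAO104, error 0x5 "Win32
Error
5"
* Checking Service: DnsCache
......................... PSAO104 failed test Services
Starting test: KnowsOfRoleHolders
......................... PSAO104 passed test
KnowsOfRoleHolders
"""

# Win32 codes that occur in the excerpt (names from winerror.h).
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 8453: "ERROR_DS_DRA_ACCESS_DENIED"}

# A verdict is a run of dots, the tested object, passed/failed, the test name.
VERDICT_RE = re.compile(r"\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\w+)")
START_RE = re.compile(r"Starting\s+test:\s+\w+")
WIN32_RE = re.compile(r"Win32\s+Error\s+(\d+)")
ACL_RE = re.compile(
    r"Error\s+(.+?)\s+doesn't have\s+(.+?)\s+access rights "
    r"for the naming context:\s+(\S+)"
)


def parse_dcdiag(text):
    """Return one dict per test verdict, in the order dcdiag printed them."""
    # Collapse all whitespace so wrapped verdicts and messages become whole.
    flat = " ".join(text.split())
    results, prev_end = [], 0
    for m in VERDICT_RE.finditer(flat):
        target, verdict, test = m.groups()
        # Everything since the previous verdict belongs to this test.
        detail = START_RE.sub("", flat[prev_end:m.start()]).strip()
        results.append({
            "target": target,
            "test": test,
            "verdict": verdict,
            "win32": [int(c) for c in WIN32_RE.findall(detail)],
            "missing_rights": ACL_RE.findall(detail),
            "detail": detail,
        })
        prev_end = m.end()
    return results


def failures(text):
    """Only the tests that dcdiag marked as failed."""
    return [r for r in parse_dcdiag(text) if r["verdict"] == "failed"]


if __name__ == "__main__":
    for r in failures(SAMPLE):
        codes = ", ".join(
            f"{c} {WIN32_NAMES.get(c, 'unknown')}" for c in r["win32"]
        )
        print(f"{r['target']} {r['test']}: {codes or 'no Win32 code'}")
        for who, right, nc in r["missing_rights"]:
            print(f"  {who} lacks '{right}' on {nc}")
```

On the excerpt this reports NCSecDesc, NetLogons, Replications and Services as failed; the two Win32 codes it extracts, 5 and 8453 (0x2105), are both access-denied codes.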

William Stokes
Guest

Posted: Tue Feb 17, 2009 5:05 am    Post subject: Re: Duplicate Host records for DNS&DC's

Ok. I'll try that and report about the impact.

I've been working on this for 4-5 days now and it just seems to me that when
client logs on to domain using our Win2008 DC the process works fast. If the
client picks Win2003 server as a logon server it takes considerably longer.
At some tests I got to wait 14 minutes for the desktop to load completely.

Thanks for your effort so far.

-W


"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in
message:ff16fb661987b8cb5e5ab6e4cda6@msnews.microsoft.com...
Quote:
Hello William,

Run also the adprep /rodcprep and then run the dcdiag test again. The error
about "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't
have..........." should be solved then.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Weird.

I used same account on both servers. And this account is a member of
domain admins group

W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in
message:ff16fb66198558cb5e4a9dc79d86@msnews.microsoft.com...

Hello William,

What account do you use for the dcdiag? "[PSAO104] User credentials
does not have permission to perform this operation. The account used
for this test must have network logon privileges for this machine's
domain."

Check on PSAO104 that all services are running that are set to
automatic.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

It took a while but here's dcdiag's

This one for 2008 server:

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

* Verifying that the local machine PSAO104, is a Directory Server.
Home Server = PSAO104
* Connecting to directory service on server PSAO104.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,LDA
P_
SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site
Settings,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Getting ISTG and options for the site
* Identifying all servers.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,LDA
P_
SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Leankatu\PSAO104

Starting test: Connectivity

* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... PSAO104 passed test Connectivity
Doing primary tests
Testing server: Leankatu\PSAO104

Starting test: Advertising

The DC PSAO104 is advertising itself as a DC and having a DS.
The DC PSAO104 is advertising as an LDAP server
The DC PSAO104 is advertising as having a writeable directory
The DC PSAO104 is advertising as a Key Distribution Center
The DC PSAO104 is advertising as a time server
The DS PSAO104 is advertising as a GC.
......................... PSAO104 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers

Starting test: FrsEvent

* The File Replication Service Event log test
......................... PSAO104 passed test FrsEvent Starting
test: DFSREvent

The DFS Replication Event Log. ......................... PSAO104
passed test DFSREvent Starting test: SysVolCheck

* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO104 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the
last 15
minutes.
......................... PSAO104 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role Domain Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role PDC Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role Rid Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
......................... PSAO104 passed test
KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC PSAO104 on DC PSAO104.
* SPN found :LDAP/PSAO104.sao.fi/sao.fi
* SPN found :LDAP/PSAO104.sao.fi
* SPN found :LDAP/PSAO104
* SPN found :LDAP/PSAO104.sao.fi/SAO
* SPN found
:LDAP/fc47108d-5620-4838-a55c-cce5eaa1e2f1._msdcs.sao.fi
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/fc47108d-5620-4838-a55c-cce5ea
a1
e2f1/sao.fi
* SPN found :HOST/PSAO104.sao.fi/sao.fi
* SPN found :HOST/PSAO104.sao.fi
* SPN found :HOST/PSAO104
* SPN found :HOST/PSAO104.sao.fi/SAO
* SPN found :GC/PSAO104.sao.fi/sao.fi
......................... PSAO104 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PSAO104.
The forest is not ready for RODC. Will skip checking ERODC
ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=sao,DC=fi
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=sao,DC=fi
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 3)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 3)
......................... PSAO104 failed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PSAO104\netlogon
Verified share \\PSAO104\sysvol
[PSAO104] User credentials does not have permission to
perform this
operation.
The account used for this test must have network logon privileges

for this machine's domain.

......................... PSAO104 failed test NetLogons

Starting test: ObjectsReplicated

PSAO104 is in domain DC=sao,DC=fi
Checking for CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi in
domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO104 passed test
ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications

* Replications Check
[Replications Check,PSAO104] DsReplicaGetInfo(PENDING_OPS,
NULL)
failed, error 0x2105 "Win32 Error 8453"
......................... PSAO104 failed test Replications

Starting test: RidManager

* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3103 to 3602
* rIDPreviousAllocationPool is 3103 to 3602
* rIDNextRID: 3105
......................... PSAO104 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
Could not open NTDS Service on PSAO104, error 0x5 "Win32 Error 5"
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO104 failed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... PSAO104 passed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences

Starting test: VerifyReferences

The system object reference (serverReference)
CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi and backlink on
CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
are correct.
The system object reference (serverReferenceBL)
CN=PSAO104,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=sao,DC=fi
and backlink on
CN=NTDS Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
are correct.
......................... PSAO104 passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS

Test omitted by user request: DNS

Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test CrossRefValidation

Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test CrossRefValidation

Running partition tests on : sao

Starting test: CheckSDRefDom

......................... sao passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... sao passed test CrossRefValidation

Running enterprise tests on : sao.fi

Test omitted by user request: DNS

Test omitted by user request: DNS

Starting test: LocatorCheck

GC Name: \\PSAO104.sao.fi

Locator Flags: 0xe00011fc
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
......................... sao.fi passed test LocatorCheck
Starting test: Intersite
Skipping site Leankatu, this site is outside the scope provided by the command line arguments provided.
......................... sao.fi passed test Intersite

This one for 2003 DC:

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine PSAO101, is a DC.
* Connecting to directory service on server PSAO101.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Leankatu\PSAO101
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PSAO101 passed test Connectivity
Doing primary tests
Testing server: Leankatu\PSAO101
Starting test: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=sao,DC=fi
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... PSAO101 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PSAO101.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 2)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 2)
......................... PSAO101 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PSAO101\netlogon
Verified share \\PSAO101\sysvol
......................... PSAO101 passed test NetLogons
Starting test: Advertising
The DC PSAO101 is advertising itself as a DC and having a DS.
The DC PSAO101 is advertising as an LDAP server
The DC PSAO101 is advertising as having a writeable directory
The DC PSAO101 is advertising as a Key Distribution Center
The DC PSAO101 is advertising as a time server
The DS PSAO101 is advertising as a GC.
......................... PSAO101 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Domain Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role PDC Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Rid Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
......................... PSAO101 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2603 to 3102
* rIDPreviousAllocationPool is 2603 to 3102
* rIDNextRID: 2683
......................... PSAO101 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC PSAO101 on DC PSAO101.
* SPN found :LDAP/PSAO101.sao.fi/sao.fi
* SPN found :LDAP/PSAO101.sao.fi
* SPN found :LDAP/PSAO101
* SPN found :LDAP/PSAO101.sao.fi/SAO
* SPN found :LDAP/6f073ef1-3578-4e0d-abd9-c9062e3b69fa._msdcs.sao.fi
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/6f073ef1-3578-4e0d-abd9-c9062e3b69fa/sao.fi
* SPN found :HOST/PSAO101.sao.fi/sao.fi
* SPN found :HOST/PSAO101.sao.fi
* SPN found :HOST/PSAO101
* SPN found :HOST/PSAO101.sao.fi/SAO
* SPN found :GC/PSAO101.sao.fi/sao.fi
......................... PSAO101 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO101 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
PSAO101 is in domain DC=sao,DC=fi
Checking for CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi in
domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO101 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO101 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... PSAO101 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... PSAO101 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... PSAO101 passed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi and backlink on
CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
are correct.
The system object reference (frsComputerReferenceBL)
CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=sao,DC=fi
and backlink on CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi are correct.
The system object reference (serverReferenceBL)
CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=sao,DC=fi
and backlink on
CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
are correct.
......................... PSAO101 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : sao
Starting test: CrossRefValidation
......................... sao passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... sao passed test CheckSDRefDom
Running enterprise tests on : sao.fi
Starting test: Intersite
Skipping site Leankatu, this site is outside the scope provided by the command line arguments provided.
......................... sao.fi passed test Intersite
Starting test: FsmoCheck
GC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
......................... sao.fi passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
Hope you can get something out of these. Thanks!!!
W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
ff16fb66194288cb5c04eaec46cc@msnews.microsoft.com...

Hello William,

The ipconfigs look ok.

The 2008 is SP2, is that correct? If yes, you should NEVER use BETA
version in production environment.

What do you mean with changed the single site name?

Please run and post an unedited netdiag /v and dcdiag /v from both
servers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

Here's IP configs for both DC/DNS servers and one XP cli. The XP
cli is localised language but I am sure it's readable to you=)

1. Windows 2003 SP2 DC/DNS server

Windows IP Configuration

Host Name . . . . . . . . . . . . : Win2003
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter BCOMMs:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-13-72-5E-F6-6D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.1.22
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.22
172.20.1.24
2. Windows 2008 SP2 DC/DNS server
Windows IP Configuration
Host Name . . . . . . . . . . . . : Win2008
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter Local Area Connection 5:
Connection-specific DNS Suffix . : domain.com
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-22-19-8C-5D-96
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.20.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.24
172.20.1.22
NetBIOS over Tcpip. . . . . . . . : Enabled
3. Windows XP client
Windows IP-määritykset
Isäntänimi . . . . . . . . . . . : WinXP Cli
Ensisijainen DNS-liite . . . . . : domain.com
Solmutyyppi . . . . . . . . . . . : Hybridi
IP-reititys käytössä . . . . . . : Ei
WINS-välityspalvelin käytössä . . : Ei
DNS-liitteiden etsintäluettelo . : domain.com
domain.com
Ethernet-sovitin Lähiverkkoyhteys:
Yhteyskohtainen DNS-liite . . . . : domain.com
Kuvaus . . . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit Network Connection
Fyysinen osoite . . . . . . . . . : 00-1A-A0-E9-D9-5C
DHCP käytössä . . . . . . . . . . : Kyllä
Automaattinen määritys käytössä . : Kyllä
IP-osoite . . . . . . . . . . . . : 172.20.1.63
Aliverkon peite . . . . . . . . . : 255.255.255.0
Oletusyhdyskäytävä. . . . . . . . : 172.20.1.254
DHCP-palvelin . . . . . . . . . . : 172.20.1.22
DNS-palvelimet . . . . . . . . . : 172.20.1.22
172.20.1.24
Käyttölupa myönnetty . . . . . . : 13. helmikuuta 2009 15:31:46
Käyttölupa vanhentuu . . . . . . : 9. maaliskuuta 2009 15:31:46
DNS servers are configured to forward DNS queries to our ISP if IP is
outside our network.
It seems to me that if client uses the 2008 server as a login server
there's less delay in login. If it uses Win2003 DC it takes a whole
lot longer.
I cannot pinpoint exact moment problems started but last Monday I
raised the domain functionality level from 2000 to 2003 and also
deleted one site and one subnet which were no longer used. Also I
changed our single site name.

Anyway. All seems to work but the login takes long. Approximately
1-13 minutes depending on the client and which DC it happens to use.

Hope you can give advice.

-W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
ff16fb66193a28cb5bca07f8325c@msnews.microsoft.com...

Hello William,

Slow logins often belong to incorrect DNS settings on the
machines NIC. Make sure to use only domain internal DNS servers
on the NIC on all machines. Please post an unedited ipconfig /all
from the DC/DNS servers and also a problem machine.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

We're experiencing some very slow network logins in our domain
(funct level 2003). We have one 2003 and one 2008 DC which also
operate as DNS servers. In trying to solve slow logins I've been
going through our DNS records. In both DNS servers there is a
duplicate entry for our DC's in forward lookup zone. One entry
is normal like "Server01 to IP 172.20.1.22" but the second is
"(same as parent folder) to 172.20.1.22" which means blank name
as a server name. What is the purpose of this entry and can it
be deleted? Is there some use for it?

Also. All hints of DNS debugging steps and tools are
appreciated! There seems to be something abnormal in the domain
now but at glance all seems to be configured correctly.

Thanks
W
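
The dcdiag failures quoted in this thread, triaged by an added example that is not part of the original posts: the parser pulls the passed/failed verdicts out of line-wrapped `dcdiag /v` text and separates a missing right on a naming context from access-denied results. The function names `parse_dcdiag` and `triage` are assumptions made for this example; the sample lines are excerpted from the output above.

```python
import re

# Win32 codes that occur in the output above, with their documented names.
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 8453: "ERROR_DS_DRA_ACCESS_DENIED"}

START_RE = re.compile(r"^Starting test:\s*(\S+)")
RESULT_RE = re.compile(r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test(?:\s+(\S+))?")
WIN32_RE = re.compile(r"Win32\s+Error\s+(\d+)")
ACL_RE = re.compile(
    r"Error (.+?) doesn't have (.+?) access rights for the naming context: (\S+)")

# Constructed sample: lines excerpted from the 2008 DC output in this thread,
# trimmed, with the hard line wraps left in place.
SAMPLE = r'''
Starting test: NCSecDesc
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=sao,DC=fi
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=sao,DC=fi
......................... PSAO104 failed test NCSecDesc
Starting test: NetLogons
[PSAO104] User credentials does not have permission to
perform this
operation.
......................... PSAO104 failed test NetLogons
Starting test: Replications
[Replications Check,PSAO104] DsReplicaGetInfo(PENDING_OPS,
NULL)
failed, error 0x2105 "Win32 Error 8453"
......................... PSAO104 failed test Replications
Starting test: Services
Could not open NTDS Service on PSAO104, error 0x5 "Win32
Error
5"
......................... PSAO104 failed test Services
Starting test: CrossRefValidation
......................... ForestDnsZones passed test

CrossRefValidation
'''


def parse_dcdiag(text):
    """Return one dict per 'passed/failed test' line, tolerant of wrapped lines."""
    lines = [ln.strip() for ln in text.splitlines()]
    results, current, body, i = [], None, [], 0
    while i < len(lines):
        line = lines[i]
        start, result = START_RE.match(line), RESULT_RE.match(line)
        if start:
            current, body = start.group(1), []
        elif result:
            target, verdict, name = result.groups()
            if name is None:
                # The test name wrapped onto the next non-empty line.
                j = i + 1
                while j < len(lines) and not lines[j]:
                    j += 1
                nxt = lines[j] if j < len(lines) else ""
                if nxt and not START_RE.match(nxt) and not RESULT_RE.match(nxt):
                    name, i = nxt.split()[0], j
                else:
                    name = current or "?"
            detail = " ".join(body)  # undo wraps inside the test's own messages
            gaps = [dict(zip(("principal", "right", "naming_context"), m))
                    for m in ACL_RE.findall(detail)]
            results.append({"target": target, "test": name, "verdict": verdict,
                            "detail": detail, "acl_gaps": gaps,
                            "win32": [int(c) for c in WIN32_RE.findall(detail)]})
            current, body = None, []
        elif line:
            body.append(line)
        i += 1
    return results


def triage(results):
    """Group failed tests: missing right on a naming context vs. access denied."""
    report = {"acl_gaps": [], "access_denied": [], "other": []}
    for r in (r for r in results if r["verdict"] == "failed"):
        denied = bool(r["win32"]) and all(c in WIN32_NAMES for c in r["win32"])
        denied = denied or "does not have permission" in r["detail"]
        kind = "acl_gaps" if r["acl_gaps"] else "access_denied" if denied else "other"
        report[kind].append(r["test"])
    return report


if __name__ == "__main__":
    print(triage(parse_dcdiag(SAMPLE)))
```

On this sample only NCSecDesc reports a missing right, on the two DNS application partitions, which is the error the reply in this thread ties to `adprep /rodcprep`; NetLogons, Replications and Services are access-denied results for the account that ran the test.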

William Stokes
Guest

Posted: Thu Feb 19, 2009 10:14 am    Post subject: Re: Duplicate Host records for DNS&DC's

Hello Meinolf,

I ran Adprep /rodcprep and after that when running dcdiag from console I get
clean results.

After that I figured that perhaps after all this is not a DNS/DC issue since
networking seems to work otherwise ok. So I tried the "normal" update all
stuff and updated all patches from MS and network drivers and software from
Dell and voilà! the slow DC has picked up its performance again. At least I
get fast logons no matter which DC is used.

So. I don't actually know what the fix was but it is fixed=) There were some
MS updates to Group Policy handling in mixed 2003/2008 environments so it
could be that (or something else). We have had problems also with one switch
so this might have been a multilevel problem.

Anyway. Thank You for your kind help and advice!

William



"William Stokes" <will@operamail.com> wrote in message
emLqvWMkJHA.3380@TK2MSFTNGP04.phx.gbl...
Quote:
Ok. I'll try that and report about the impact.

I've been working on this for 4-5 days now and it just seems to me that
when client logs on to domain using our Win2008 DC the process works fast.
If the client picks Win2003 server as a logon server it takes considerably
longer. At some tests I got to wait 14 minutes for the desktop to load
completely.

Thanks for your effort so far.

-W


"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
ff16fb661987b8cb5e5ab6e4cda6@msnews.microsoft.com...
Hello William,

Run also the adprep /rodcprep and then run dcdiag test again. The error
about "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't
have..........." should be solved then.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Weird.

I used same account on both servers. And this account is a member of
domain admins group

W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
ff16fb66198558cb5e4a9dc79d86@msnews.microsoft.com...

Hello William,

What account do you use for the dcdiag? "[PSAO104] User credentials
does not have permission to perform this operation. The account used
for this test must have network logon privileges for this machine's
domain."

Check on PSAO104 that all services are running that are set to
automatic.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

It took a while but here's dcdiag's

This one for 2008 server:

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

* Verifying that the local machine PSAO104, is a Directory Server.
Home Server = PSAO104
* Connecting to directory service on server PSAO104.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site Settings,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Getting ISTG and options for the site
* Identifying all servers.
Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Leankatu\PSAO104

Starting test: Connectivity

* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... PSAO104 passed test Connectivity
Doing primary tests
Testing server: Leankatu\PSAO104

Starting test: Advertising

The DC PSAO104 is advertising itself as a DC and having a DS.
The DC PSAO104 is advertising as an LDAP server
The DC PSAO104 is advertising as having a writeable directory
The DC PSAO104 is advertising as a Key Distribution Center
The DC PSAO104 is advertising as a time server
The DS PSAO104 is advertising as a GC.
......................... PSAO104 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers

Starting test: FrsEvent

* The File Replication Service Event log test
......................... PSAO104 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... PSAO104 passed test DFSREvent
Starting test: SysVolCheck

* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO104 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
......................... PSAO104 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Domain Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role PDC Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Rid Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
......................... PSAO104 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC PSAO104 on DC PSAO104.
* SPN found :LDAP/PSAO104.sao.fi/sao.fi
* SPN found :LDAP/PSAO104.sao.fi
* SPN found :LDAP/PSAO104
* SPN found :LDAP/PSAO104.sao.fi/SAO
* SPN found :LDAP/fc47108d-5620-4838-a55c-cce5eaa1e2f1._msdcs.sao.fi
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/fc47108d-5620-4838-a55c-cce5eaa1e2f1/sao.fi
* SPN found :HOST/PSAO104.sao.fi/sao.fi
* SPN found :HOST/PSAO104.sao.fi
* SPN found :HOST/PSAO104
* SPN found :HOST/PSAO104.sao.fi/SAO
* SPN found :GC/PSAO104.sao.fi/sao.fi
......................... PSAO104 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PSAO104.
The forest is not ready for RODC. Will skip checking ERODC ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=sao,DC=fi
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=sao,DC=fi
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 3)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 3)
......................... PSAO104 failed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PSAO104\netlogon
Verified share \\PSAO104\sysvol
[PSAO104] User credentials does not have permission to perform this operation.
The account used for this test must have network logon privileges for this machine's domain.

......................... PSAO104 failed test NetLogons

Starting test: ObjectsReplicated

PSAO104 is in domain DC=sao,DC=fi
Checking for CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi in
domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO104 passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications

* Replications Check
[Replications Check,PSAO104] DsReplicaGetInfo(PENDING_OPS, NULL) failed, error 0x2105 "Win32 Error 8453"
......................... PSAO104 failed test Replications

Starting test: RidManager

* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3103 to 3602
* rIDPreviousAllocationPool is 3103 to 3602
* rIDNextRID: 3105
......................... PSAO104 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
Could not open NTDS Service on PSAO104, error 0x5 "Win32 Error 5"
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO104 failed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... PSAO104 passed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences

Starting test: VerifyReferences

The system object reference (serverReference)
CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi and backlink on
CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
are correct.
The system object reference (serverReferenceBL)
CN=PSAO104,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=sao,DC=fi
and backlink on
CN=NTDS Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
are correct.
......................... PSAO104 passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS

Test omitted by user request: DNS

Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test CrossRefValidation

Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration

Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test CrossRefValidation

Running partition tests on : sao

Starting test: CheckSDRefDom

......................... sao passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... sao passed test CrossRefValidation

Running enterprise tests on : sao.fi

Test omitted by user request: DNS

Test omitted by user request: DNS

Starting test: LocatorCheck

GC Name: \\PSAO104.sao.fi

Locator Flags: 0xe00011fc
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
......................... sao.fi passed test LocatorCheck
Starting test: Intersite
Skipping site Leankatu, this site is outside the scope provided by the command line arguments provided.
......................... sao.fi passed test Intersite

This one for 2003 DC:

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine PSAO101, is a DC.
* Connecting to directory service on server PSAO101.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Leankatu\PSAO101
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PSAO101 passed test Connectivity
Doing primary tests
Testing server: Leankatu\PSAO101
Starting test: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=sao,DC=fi
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... PSAO101 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PSAO101.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 2)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 2)
......................... PSAO101 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PSAO101\netlogon
Verified share \\PSAO101\sysvol
......................... PSAO101 passed test NetLogons
Starting test: Advertising
The DC PSAO101 is advertising itself as a DC and having a DS.
The DC PSAO101 is advertising as an LDAP server
The DC PSAO101 is advertising as having a writeable directory
The DC PSAO101 is advertising as a Key Distribution Center
The DC PSAO101 is advertising as a time server
The DS PSAO101 is advertising as a GC.
......................... PSAO101 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role Domain Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role PDC Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role Rid Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
......................... PSAO101 passed test
KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2603 to 3102
* rIDPreviousAllocationPool is 2603 to 3102
* rIDNextRID: 2683
......................... PSAO101 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC PSAO101 on DC PSAO101.
* SPN found :LDAP/PSAO101.sao.fi/sao.fi
* SPN found :LDAP/PSAO101.sao.fi
* SPN found :LDAP/PSAO101
* SPN found :LDAP/PSAO101.sao.fi/SAO
* SPN found
:LDAP/6f073ef1-3578-4e0d-abd9-c9062e3b69fa._msdcs.sao.fi
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/6f073ef1-3578-4e0d-abd9-c9062e
3b
69fa/sao.fi
* SPN found :HOST/PSAO101.sao.fi/sao.fi
* SPN found :HOST/PSAO101.sao.fi
* SPN found :HOST/PSAO101
* SPN found :HOST/PSAO101.sao.fi/SAO
* SPN found :GC/PSAO101.sao.fi/sao.fi
......................... PSAO101 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO101 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
PSAO101 is in domain DC=sao,DC=fi
Checking for CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi in
domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D
C=sao,DC=fi
in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO101 passed test
ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO101 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... PSAO101 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the
last 15
minutes.
......................... PSAO101 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... PSAO101 passed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi and backlink on
CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,D
C= fi

are correct.
The system object reference (frsComputerReferenceBL)
CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi
and backlink on CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi are

correct.
The system object reference (serverReferenceBL)
CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi
and backlink on

CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration
,D C=sao,DC=fi

are correct.
......................... PSAO101 passed test
VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test
CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test
CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test
CheckSDRefDom
Running partition tests on : sao
Starting test: CrossRefValidation
......................... sao passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... sao passed test CheckSDRefDom
Running enterprise tests on : sao.fi
Starting test: Intersite
Skipping site Leankatu, this site is outside the scope
provided by
the
command line arguments provided.
......................... sao.fi passed test Intersite
Starting test: FsmoCheck
GC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
......................... sao.fi passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
Hope you can get something out of these. Thanks!!!
W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in
message:ff16fb66194288cb5c04eaec46cc@msnews.microsoft.com...

Hello William,

The ipconfigs look OK.

The 2008 is SP2, is that correct? If yes, you should NEVER use BETA
version in production environment.

What do you mean with changed the single site name?

Please run and post an unedited netdiag /v and dcdiag /v from both
servers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hello,

Here's IP configs for both DC/DNS servers and one XP cli. The XP
cli is localised language but I am sure it's readable to you=)

1. Windows 2003 SP2 DC/DNS server

Windows IP Configuration

Host Name . . . . . . . . . . . . : Win2003
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter BCOMMs:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-13-72-5E-F6-6D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.1.22
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.22
172.20.1.24
2. Windows 2008 SP2 DC/DNS server
Windows IP Configuration
Host Name . . . . . . . . . . . . : Win2008
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter Local Area Connection 5:
Connection-specific DNS Suffix . : domain.com
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-22-19-8C-5D-96
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.20.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.24
172.20.1.22
NetBIOS over Tcpip. . . . . . . . : Enabled
3. Windows XP client
Windows IP-määritykset
Isäntänimi . . . . . . . . . . . : WinXP Cli
Ensisijainen DNS-liite . . . . . : domain.com
Solmutyyppi . . . . . . . . . . . : Hybridi
IP-reititys käytössä . . . . . . : Ei
WINS-välityspalvelin käytössä . . : Ei
DNS-liitteiden etsintäluettelo . : domain.com
domain.com
Ethernet-sovitin Lähiverkkoyhteys:
Yhteyskohtainen DNS-liite . . . . : domain.com
Kuvaus . . . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit
Network C
onnection
Fyysinen osoite . . . . . . . . . : 00-1A-A0-E9-D9-5C
DHCP käytössä . . . . . . . . . . : Kyllä
Automaattinen määritys käytössä . : Kyllä
IP-osoite . . . . . . . . . . . . : 172.20.1.63
Aliverkon peite . . . . . . . . . : 255.255.255.0
Oletusyhdyskäytävä. . . . . . . . : 172.20.1.254
DHCP-palvelin . . . . . . . . . . : 172.20.1.22
DNS-palvelimet . . . . . . . . . : 172.20.1.22
172.20.1.24
Käyttölupa myönnetty . . . . . . : 13. helmikuuta 2009
15:31:46
Käyttölupa vanhentuu . . . . . . : 9. maaliskuuta 2009
15:31:46

DNS servers are configured to forward DNS queries to our ISP if IP is
outside our network.

It seems to me that if client uses the 2008 server as a loginserver
there's less delay in login. If it uses Win2003 DC it takes a whole
lot longer.

I cannot pinpoint exact moment problems started but last Monday I
raised the domain functionality level from 2000 to 2003 and also
deleted one site and one subnet which were no longer used. Also I
changed our single site name.

Anyway. All seems to work but the login takes long. Approximately
1-13 minutes depending on the client and which DC it happens to
use.

Hope you can give advice.

-W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in
message:ff16fb66193a28cb5bca07f8325c@msnews.microsoft.com...

Hello William,

Slow logins often belong to incorrect DNS settings on the
machine's NIC. Make sure to use only domain internal DNS servers
on the NIC on all machines. Please post an unedited ipconfig /all
from the DC/DNS servers and also a problem machine.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hello,

We're experiencing some very slow network logins in our domain
(funct level 2003). We have one 2003 and one 2008 DC which also
operate as DNS servers. In trying to solve slow logins I've been
going through our DNS records. In both DNS servers there is a
duplicate entry for our DC's in forward lookup zone. One entry
is normal like "Server01 to IP 172.20.1.22" but the second is
"(same as parent folder) to 172.20.1.22" which means blank name
as a server name. What is the purpose of this entry and can it
be deleted? Is there some use for it?

Also. All hints of DNS debugging steps and tools are
appreciated! There seems to be something abnormal in the domain
now but at a glance all seems to be configured correctly.

Thanks
W



Back to top
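
As an added example (not part of the original thread and not a Microsoft tool): a short Python parser that pulls the verdicts and the access-related error lines out of newsreader-wrapped `dcdiag /v` output like the 2008 DC's in this thread. `SAMPLE` is abridged from that output; the function names and the Win32 name lookup table are assumptions introduced here.

```python
import re

# Abridged from the dcdiag /v output of the 2008 DC (PSAO104) in this thread,
# keeping the newsreader's wrapping: a test name, or the word "Starting", can
# land on the following line.
SAMPLE = r'''
Starting test: FrsEvent
* The File Replication Service Event log test
......................... PSAO104 passed test FrsEvent Starting
test: DFSREvent
The DFS Replication Event Log. ......................... PSAO104
passed test DFSREvent Starting test: KnowsOfRoleHolders
......................... PSAO104 passed test
KnowsOfRoleHolders
Starting test: NCSecDesc
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=sao,DC=fi
......................... PSAO104 failed test NCSecDesc
Starting test: NetLogons
Verified share \\PSAO104\netlogon
[PSAO104] User credentials does not have permission to
perform this
operation.
......................... PSAO104 failed test NetLogons
Starting test: Replications
[Replications Check,PSAO104] DsReplicaGetInfo(PENDING_OPS,
NULL)
failed, error 0x2105 "Win32 Error 8453"
......................... PSAO104 failed test Replications
Starting test: Services
* Checking Service: NTDS
Could not open NTDS Service on PSAO104, error 0x5 "Win32
Error
5"
* Checking Service: DnsCache
......................... PSAO104 failed test Services
'''

# Verdict lines look like "......... <target> passed|failed test <name>".
RESULT = re.compile(r"\.{5,} (\S+) (passed|failed) test (\S+)")
START = re.compile(r"Starting test: (\S+)")
ACE = re.compile(r"Error (.+?) doesn't have (.+?) access rights "
                 r"for the naming context: (\S+)")
CRED = re.compile(r"\[(\S+)\] (User credentials does not have permission "
                  r"to perform this operation)")
WIN32 = re.compile(r'error (0x[0-9a-fA-F]+) "Win32 Error (\d+)"')

# Windows SDK names for the two codes that occur in the thread (added here).
WIN32_NAMES = {5: "ERROR_ACCESS_DENIED", 8453: "ERROR_DS_DRA_ACCESS_DENIED"}


def evidence(body):
    """Collect the permission-related findings inside one test's output."""
    found = []
    for who, right, nc in ACE.findall(body):
        found.append(f"{who} lacks '{right}' on {nc}")
    for host, msg in CRED.findall(body):
        found.append(f"{host}: {msg}")
    for code_hex, code_dec in WIN32.findall(body):
        name = WIN32_NAMES.get(int(code_dec), "unknown")
        found.append(f"Win32 {code_dec} ({code_hex}) {name}")
    return found


def parse_dcdiag(raw):
    """Return (results, unfinished) for wrapped dcdiag /v text.

    Collapsing all whitespace first undoes the mail wrapping, so a verdict
    split over two lines is matched like an unwrapped one. `unfinished`
    lists tests that started but have no verdict (a truncated paste).
    """
    text = " ".join(raw.split())
    results, pos = [], 0
    for m in RESULT.finditer(text):
        target, verdict, test = m.groups()
        results.append({
            "target": target,
            "test": test,
            "passed": verdict == "passed",
            "evidence": evidence(text[pos:m.start()]),
        })
        pos = m.end()
    reported = {r["test"].lower() for r in results}
    unfinished = [n for n in START.findall(text) if n.lower() not in reported]
    return results, unfinished


def failures(raw):
    """Only the failed tests, in the order dcdiag reported them."""
    return [r for r in parse_dcdiag(raw)[0] if not r["passed"]]


if __name__ == "__main__":
    for r in failures(SAMPLE):
        print(f"{r['target']} FAILED {r['test']}")
        for line in r["evidence"]:
            print(f"    {line}")
```

On the sample this reduces the output to four failed tests, two of which carry access-denied Win32 codes (5 and 8453).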
Meinolf Weber [MVP-DS]
Guest

Posted: Thu Feb 19, 2009 11:32 am    Post subject: Re: Duplicate Host records for DNS&DC's

Hello William,

Thanks for posting back, nice to hear that you found it out.:-)

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


Quote:
Hello Meinolf,

I ran Adprep/rodcprep and after that when running dcdiag from console
I get clean results.

After that I figured that perhaps after all this is not a DNS/DC issue
since networking seems to work otherwise ok. So I tried the "normal"
update all stuff and updated all patches from MS and network drivers
and software from Dell and voilà! the slow DC has picked up its
performance again. At least I get fast logons no matter which DC is
used.

So. I don't actually know what the fix was but it is fixed=) There was
some MS updates to Group Policy handling in mixed 2003/2008
environments so it could be that (or something else). We have had
problems also with one switch so this might have been a multilevel
problem.

Anyway. Thank You for your kind help and advice!

William

"William Stokes" <will@operamail.com> wrote in
message:emLqvWMkJHA.3380@TK2MSFTNGP04.phx.gbl...

Ok. I'll try that and report about the impact.

I've been working on this for 4-5 days now and it just seems to me
that when client logs on to domain using our Win2008 DC the process
works fast. If the client picks Win2003 server as a logon server it
takes considerably longer. At some tests I got to wait 14 minutes for
the desktop to load completely.

Thanks for your effort so far.

-W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in
message:ff16fb661987b8cb5e5ab6e4cda6@msnews.microsoft.com...

Hello William,

Run also the adprep /rodcprep and then run dcdiag test again. The
error about "Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS
doesn't have..........." should be solved then.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Weird.

I used same account on both servers. And this account is a member
of domain admins group

W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in
message:ff16fb66198558cb5e4a9dc79d86@msnews.microsoft.com...

Hello William,

What account do you use for the dcdiag? "[PSAO104] User credentials
does not have permission to perform this operation. The account
used for this test must have network logon privileges for this
machine's domain."

Check on PSAO104 that all services are running that are set to
automatic.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

Hello,

It took a while but here's dcdiag's

This one for 2008 server:

Directory Server Diagnosis

Performing initial setup:

Trying to find home server...

* Verifying that the local machine PSAO104, is a Directory
Server.
Home Server = PSAO104
* Connecting to directory service on server PSAO104.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,
LDA
P_
SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site
Settings,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
Getting ISTG and options for the site
* Identifying all servers.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=sao,DC=fi,
LDA
P_
SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests

Testing server: Leankatu\PSAO104

Starting test: Connectivity

* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... PSAO104 passed test Connectivity
Doing primary tests
Testing server: Leankatu\PSAO104
Starting test: Advertising

The DC PSAO104 is advertising itself as a DC and having a DS.
The DC PSAO104 is advertising as an LDAP server
The DC PSAO104 is advertising as having a writeable directory
The DC PSAO104 is advertising as a Key Distribution Center
The DC PSAO104 is advertising as a time server
The DS PSAO104 is advertising as a GC.
......................... PSAO104 passed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent

* The File Replication Service Event log test
......................... PSAO104 passed test FrsEvent Starting
test: DFSREvent

The DFS Replication Event Log. ......................... PSAO104
passed test DFSREvent Starting test: SysVolCheck

* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO104 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the
last 15
minutes.
......................... PSAO104 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
Role Domain Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
Role PDC Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
Role Rid Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
......................... PSAO104 passed test
KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC PSAO104 on DC PSAO104.
* SPN found :LDAP/PSAO104.sao.fi/sao.fi
* SPN found :LDAP/PSAO104.sao.fi
* SPN found :LDAP/PSAO104
* SPN found :LDAP/PSAO104.sao.fi/SAO
* SPN found
:LDAP/fc47108d-5620-4838-a55c-cce5eaa1e2f1._msdcs.sao.fi
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/fc47108d-5620-4838-a55c-cce
5ea
a1
e2f1/sao.fi
* SPN found :HOST/PSAO104.sao.fi/sao.fi
* SPN found :HOST/PSAO104.sao.fi
* SPN found :HOST/PSAO104
* SPN found :HOST/PSAO104.sao.fi/SAO
* SPN found :GC/PSAO104.sao.fi/sao.fi
......................... PSAO104 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PSAO104.
The forest is not ready for RODC. Will skip checking ERODC
ACEs.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=sao,DC=fi
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 3)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=sao,DC=fi
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 3)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 3)
......................... PSAO104 failed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PSAO104\netlogon
Verified share \\PSAO104\sysvol
[PSAO104] User credentials does not have permission to
perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.

......................... PSAO104 failed test NetLogons

Starting test: ObjectsReplicated

PSAO104 is in domain DC=sao,DC=fi
Checking for CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi in
domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO104 passed test
ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
[Replications Check,PSAO104] DsReplicaGetInfo(PENDING_OPS,
NULL)
failed, error 0x2105 "Win32 Error 8453"
......................... PSAO104 failed test Replications
Starting test: RidManager

* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 3103 to 3602
* rIDPreviousAllocationPool is 3103 to 3602
* rIDNextRID: 3105
......................... PSAO104 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
Could not open NTDS Service on PSAO104, error 0x5 "Win32
Error
5"
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO104 failed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... PSAO104 passed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences

The system object reference (serverReference)

CN=PSAO104,OU=Domain Controllers,DC=sao,DC=fi and backlink on

CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sa
o,D C= fi

are correct.
The system object reference (serverReferenceBL)
CN=PSAO104,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi
and backlink on
CN=NTDS
Settings,CN=PSAO104,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion ,D C=sao,DC=fi

are correct.
......................... PSAO104 passed test
VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS

Running partition tests on : ForestDnsZones

Starting test: CheckSDRefDom

......................... ForestDnsZones passed test
CheckSDRefDom

Starting test: CrossRefValidation

......................... ForestDnsZones passed test

CrossRefValidation

Running partition tests on : DomainDnsZones

Starting test: CheckSDRefDom

......................... DomainDnsZones passed test
CheckSDRefDom

Starting test: CrossRefValidation

......................... DomainDnsZones passed test

CrossRefValidation

Running partition tests on : Schema

Starting test: CheckSDRefDom

......................... Schema passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Schema passed test
CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom

......................... Configuration passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... Configuration passed test
CrossRefValidation

Running partition tests on : sao

Starting test: CheckSDRefDom

......................... sao passed test CheckSDRefDom

Starting test: CrossRefValidation

......................... sao passed test CrossRefValidation

Running enterprise tests on : sao.fi

Test omitted by user request: DNS

Test omitted by user request: DNS

Starting test: LocatorCheck

GC Name: \\PSAO104.sao.fi

Locator Flags: 0xe00011fc
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO104.sao.fi
Locator Flags: 0xe00011fc
......................... sao.fi passed test LocatorCheck
Starting test: Intersite
Skipping site Leankatu, this site is outside the scope provided
by
the
command line arguments provided. ......................... sao.fi
passed test Intersite

This one for 2003 DC:

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine PSAO101, is a DC.
* Connecting to directory service on server PSAO101.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Leankatu\PSAO101
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... PSAO101 passed test Connectivity
Doing primary tests
Testing server: Leankatu\PSAO101
Starting test: Replications
* Replications Check
* Replication Latency Check
CN=Schema,CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were
ignored.
2 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer
replicating
this
nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=sao,DC=fi
Latency information for 2 entries in the vector were
ignored.
2 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer
replicating
this
nc. 0 had no latency information (Win2K DC).
DC=sao,DC=fi
Latency information for 2 entries in the vector were
ignored.
2 were retired Invocations. 0 were either:
read-only
replicas and are not verifiably latent, or dc's no longer
replicating
this
nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... PSAO101 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC PSAO101.
* Security Permissions Check for
DC=ForestDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=sao,DC=fi
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=sao,DC=fi
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=sao,DC=fi
(Configuration,Version 2)
* Security Permissions Check for
DC=sao,DC=fi
(Domain,Version 2)
......................... PSAO101 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\PSAO101\netlogon
Verified share \\PSAO101\sysvol
......................... PSAO101 passed test NetLogons
Starting test: Advertising
The DC PSAO101 is advertising itself as a DC and having a DS.
The DC PSAO101 is advertising as an LDAP server
The DC PSAO101 is advertising as having a writeable directory
The DC PSAO101 is advertising as a Key Distribution Center
The DC PSAO101 is advertising as a time server
The DS PSAO101 is advertising as a GC.
......................... PSAO101 passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
Role Domain Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
Role PDC Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
Role Rid Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
......................... PSAO101 passed test
KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 3603 to 1073741823
* PSAO101.sao.fi is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2603 to 3102
* rIDPreviousAllocationPool is 2603 to 3102
* rIDNextRID: 2683
......................... PSAO101 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC PSAO101 on DC PSAO101.
* SPN found :LDAP/PSAO101.sao.fi/sao.fi
* SPN found :LDAP/PSAO101.sao.fi
* SPN found :LDAP/PSAO101
* SPN found :LDAP/PSAO101.sao.fi/SAO
* SPN found
:LDAP/6f073ef1-3578-4e0d-abd9-c9062e3b69fa._msdcs.sao.fi
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/6f073ef1-3578-4e0d-abd9-c90
62e
3b
69fa/sao.fi
* SPN found :HOST/PSAO101.sao.fi/sao.fi
* SPN found :HOST/PSAO101.sao.fi
* SPN found :HOST/PSAO101
* SPN found :HOST/PSAO101.sao.fi/SAO
* SPN found :GC/PSAO101.sao.fi/sao.fi
......................... PSAO101 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... PSAO101 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
PSAO101 is in domain DC=sao,DC=fi
Checking for CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi in
domain DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configurat
ion
,D
C=sao,DC=fi
in domain CN=Configuration,DC=sao,DC=fi on 1 servers
Object is up-to-date on all servers.
......................... PSAO101 passed test
ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... PSAO101 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... PSAO101 passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the
last 15
minutes.
......................... PSAO101 passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... PSAO101 passed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi and backlink on
CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sa
o,D
C= fi
are correct.
The system object reference (frsComputerReferenceBL)
CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi
and backlink on CN=PSAO101,OU=Domain Controllers,DC=sao,DC=fi are
correct.
The system object reference (serverReferenceBL)
CN=PSAO101,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=sao,DC=fi
and backlink on
CN=NTDS Settings,CN=PSAO101,CN=Servers,CN=Leankatu,CN=Sites,CN=Configuration,DC=sao,DC=fi
are correct.
......................... PSAO101 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : sao
Starting test: CrossRefValidation
......................... sao passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... sao passed test CheckSDRefDom
Running enterprise tests on : sao.fi
Starting test: Intersite
Skipping site Leankatu, this site is outside the scope provided by the command line arguments provided.
......................... sao.fi passed test Intersite
Starting test: FsmoCheck
GC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
PDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
KDC Name: \\PSAO101.sao.fi
Locator Flags: 0xe00003fd
......................... sao.fi passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
Hope you can get something out of these. Thanks!!!
W
"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message:
ff16fb66194288cb5c04eaec46cc@msnews.microsoft.com...

Hello William,

The ipconfigs look ok.

The 2008 is SP2, is that correct? If yes, you should NEVER use
BETA version in production environment.

What do you mean with changed the single site name?

Please run and post an unedited netdiag /v and dcdiag /v from
both servers.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

Here's IP configs for both DC/DNS servers and one XP cli. The
XP cli is localised language but I am sure it's readable to
you=)

1. Windows 2003 SP2 DC/DNS server

Windows IP Configuration

Host Name . . . . . . . . . . . . : Win2003
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter BCOMMs:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-13-72-5E-F6-6D
DHCP Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 172.20.1.22
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.22
172.20.1.24
2. Windows 2008 SP2 DC/DNS server
Windows IP Configuration
Host Name . . . . . . . . . . . . : Win2008
Primary Dns Suffix . . . . . . . : domain.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : domain.com
Ethernet adapter Local Area Connection 5:
Connection-specific DNS Suffix . : domain.com
Description . . . . . . . . . . . : BASP Virtual Adapter
Physical Address. . . . . . . . . : 00-22-19-8C-5D-96
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.20.1.24(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.20.1.254
DNS Servers . . . . . . . . . . . : 172.20.1.24
172.20.1.22
NetBIOS over Tcpip. . . . . . . . : Enabled
3. Windows XP client
Windows IP-määritykset
Isäntänimi . . . . . . . . . . . : WinXP Cli
Ensisijainen DNS-liite . . . . . : domain.com
Solmutyyppi . . . . . . . . . . . : Hybridi
IP-reititys käytössä . . . . . . : Ei
WINS-välityspalvelin käytössä . . : Ei
DNS-liitteiden etsintäluettelo . : domain.com
domain.com
Ethernet-sovitin Lähiverkkoyhteys:
Yhteyskohtainen DNS-liite . . . . : domain.com
Kuvaus . . . . . . . . . . . . . : Intel(R) 82566DM-2 Gigabit Network Connection
Fyysinen osoite . . . . . . . . . : 00-1A-A0-E9-D9-5C
DHCP käytössä . . . . . . . . . . : Kyllä
Automaattinen määritys käytössä . : Kyllä
IP-osoite . . . . . . . . . . . . : 172.20.1.63
Aliverkon peite . . . . . . . . . : 255.255.255.0
Oletusyhdyskäytävä. . . . . . . . : 172.20.1.254
DHCP-palvelin . . . . . . . . . . : 172.20.1.22
DNS-palvelimet . . . . . . . . . : 172.20.1.22
172.20.1.24
Käyttölupa myönnetty . . . . . . : 13. helmikuuta 2009 15:31:46
Käyttölupa vanhentuu . . . . . . : 9. maaliskuuta 2009 15:31:46
DNS servers are configured to forward DNS queries to our ISP if IP
is outside our network.

It seems to me that if client uses the 2008 server as a loginserver
there's less delay in login. If it uses Win2003 DC it takes a whole
lot longer.

I cannot pinpoint exact moment problems started but last Monday I
raised the domain functionality level from 2000 to 2003 and also
deleted one site and one subnet which were no longer used. Also I
changed our single site name.

Anyway. All seems to work but the login takes long.
Approximately 1-13 minutes depending on the client and which DC
it happens to use.

Hope you can give advice.

-W

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message:
ff16fb66193a28cb5bca07f8325c@msnews.microsoft.com...

Hello William,

Slow logins often belong to incorrect DNS settings on the
machine's NIC. Make sure to use only domain internal DNS
servers on the NIC on all machines. Please post an unedited
ipconfig /all from the DC/DNS servers and also a problem
machine.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and
confers no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!!
http://www.blakjak.demon.co.uk/mul_crss.htm
Hello,

We're experiencing some very slow network logins in our
domain (funct level 2003). We have one 2003 and one 2008 DC
which also operate as DNS servers. In trying to solve slow
logins I've been going through our DNS records. In both DNS servers
there is a duplicate entry for our DC's in forward lookup
zone. One entry is normal like "Server01 to IP 172.20.1.22"
but the second is "(same as parent folder) to 172.20.1.22"
which means blank name as a server name. What is the purpose
of this entry and can it be deleted? Is there some use for
it?

Also. All hints of DNS debugging steps and tools are
appreciated! There seems to be something abnormal in the
domain now but at a glance all seems to be configured
correctly.

Thanks
W
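The dcdiag /v output posted above ends with "Test omitted by user request: DNS", so its run of "passed test" lines does not cover DNS at all. The following is an added example, not part of the original posts: a small Python summarizer for pasted dcdiag output that copes with result lines wrapped as they are in this thread. The sample input is constructed, and PSAO102 with its failed test is invented for illustration.

```python
import re

# Constructed sample shaped like the dcdiag /v output quoted in this thread,
# including a result line whose test name wrapped onto the next line.
# PSAO102 and its failed Connectivity test are invented for illustration.
SAMPLE = """\
Starting test: frssysvol
......................... PSAO101 passed test frssysvol
Starting test: VerifyReferences
......................... PSAO101 passed test
VerifyReferences
Test omitted by user request: CheckSecurityError
Starting test: Connectivity
......................... PSAO102 failed test Connectivity
Running enterprise tests on : sao.fi
......................... sao.fi passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
"""

RESULT = re.compile(r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s*(\S*)$")
OMITTED = re.compile(r"^Test omitted by user request:\s*(\S+)$")

def summarize(text):
    """Group dcdiag results into passed/failed (target, test) pairs and omitted tests."""
    out = {"passed": [], "failed": [], "omitted": []}
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        m = RESULT.match(lines[i])
        if m:
            target, verdict, test = m.groups()
            if not test and i + 1 < len(lines):
                i += 1  # wrapped output: the test name is on the next line
                test = lines[i]
            out[verdict].append((target, test))
        else:
            m = OMITTED.match(lines[i])
            if m and m.group(1) not in out["omitted"]:
                out["omitted"].append(m.group(1))
        i += 1
    return out

def never_ran(summary, wanted=("DNS",)):
    """Tests of interest that neither passed nor failed because they did not run."""
    ran = {test for _, test in summary["passed"] + summary["failed"]}
    return [t for t in wanted if t not in ran]
```

When `never_ran` reports DNS, the run says nothing about name resolution; `dcdiag /test:dns` runs that test explicitly.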
Ace Fekay [Microsoft Cert
Guest





Posted: Mon Feb 23, 2009 2:41 pm    Post subject: Re: Duplicate Host records for DNS&DC's

In news:%23qwv1cajJHA.1388@TK2MSFTNGP06.phx.gbl,
William Stokes <will@operamail.com>, posted the following:
Quote:
Hello,

We're experiencing some very slow network logins in our domain (funct
level 2003). We have one 2003 and one 2008 DC which also operate as
DNS servers. In trying to solve slow logins I've been going through our DNS
records. In both DNS servers there is a duplicate entry for our DC's
in forward lookup zone. One entry is normal like "Server01 to IP
172.20.1.22" but the second is "(same as parent folder) to
172.20.1.22" which means blank name as a server name. What is the
purpose of this entry and can it be deleted? Is there some use for it?


Please DO NOT DELETE that record. The blank name domain record is called the
LdapIpAddress record. Each DC's Netlogon service registers that record and
will refresh itself. The LdapIpAddress is used by GPOs, DFS, and other
domain functionality. It is an extremely important record. Deleting it will
cause problems.

Glad to see Meinolf's suggestions helped out to resolve it!

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
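An added example, not part of the original posts: a Python audit that separates the blank-name records each DC is expected to register from stray ones, such as an address a DC picked up by DHCP on a misconfigured NIC team as described earlier in the thread. The zone text is constructed in master-file style, where "@" is the zone apex that DNS Manager shows as "(same as parent folder)"; the name server02 and the address 172.20.1.150 are assumptions made for the sample.

```python
import ipaddress

# Constructed zone data. "@" is the zone apex (the blank-name record).
# server02 and 172.20.1.150 are invented; .150 stands in for a DHCP-assigned
# address registered by a DC whose NIC team was misconfigured.
ZONE = """\
@         600  IN A  172.20.1.22
@         600  IN A  172.20.1.24
@         600  IN A  172.20.1.150
server01  3600 IN A  172.20.1.22
server02  3600 IN A  172.20.1.24
server02  3600 IN A  172.20.1.150
winxp01   1200 IN A  172.20.1.63
"""

# The static address each DC is supposed to have (from its ipconfig /all).
DC_STATIC = {"Server01": "172.20.1.22", "Server02": "172.20.1.24"}

def parse_a_records(zone_text):
    """Yield (owner, ip) for every A record; comments after ';' are ignored."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) >= 3 and fields[-2].upper() == "A":
            yield fields[0].lower(), str(ipaddress.ip_address(fields[-1]))

def audit(zone_text, dc_static):
    """Compare apex and DC host A records with the DCs' intended static IPs."""
    dc_static = {name.lower(): ip for name, ip in dc_static.items()}
    apex, hosts = set(), {}
    for owner, ip in parse_a_records(zone_text):
        if owner == "@":
            apex.add(ip)
        elif owner in dc_static:
            hosts.setdefault(owner, set()).add(ip)
    expected = set(dc_static.values())
    return {
        "apex_expected": sorted(apex & expected),    # keep: one per DC
        "apex_unexpected": sorted(apex - expected),  # stray registrations
        "apex_missing": sorted(expected - apex),     # DC has not registered
        "host_unexpected": sorted(
            (name, ip) for name, ips in hosts.items()
            for ip in ips - {dc_static[name]}),
    }
```

Only the entries under `apex_unexpected` and `host_unexpected` are cleanup candidates; the `apex_expected` records are the ones the post above says must stay.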