How many DCs do you have? Do me a favor, run the following, and post the results. Keep in mind, you must go into your _msdcs. and your testadservs.net zone properties, Zone Transfers, and allow zone transfers for the commands to run. You can turn this off after you've completed the run.

c:\nslookup (hit enter and copy/paste results)

While still in the command, then run: (hit enter and copy/paste results)

Then run the following, please, and post the results.

Note: the following scripts were obtained from Active Directory Sites and Subnets Scripting
http://www.activxperts.com/activmonitor/windowsmanagement/scripts/activedirectory/sites

Lists Active Directory sites.
==========
' Bind to the Configuration partition and enumerate the Sites container
Set objRootDSE = GetObject("LDAP://RootDSE")
strConfigurationNC = objRootDSE.Get("configurationNamingContext")
strSitesContainer = "LDAP://cn=Sites," & strConfigurationNC
Set objSitesContainer = GetObject(strSitesContainer)
objSitesContainer.Filter = Array("site")
For Each objSite In objSitesContainer
    WScript.Echo "Name: " & objSite.Name
Next
==========

List All Domain Controllers
==========
Returns a list of all the domain controllers in the fabrikam.com domain.

Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
' Every DC publishes an nTDSDSA object under its server object in the
' Configuration partition; replace DC=fabrikam,DC=com with your own domain
objCommand.CommandText = _
    "Select distinguishedName from " & _
    "'LDAP://cn=Configuration,DC=fabrikam,DC=com' " & _
    "where objectClass='nTDSDSA'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
' MoveFirst fails on an empty recordset, so guard it
If Not objRecordSet.EOF Then objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    WScript.Echo "Computer Name: " & _
        objRecordSet.Fields("distinguishedName").Value
    objRecordSet.MoveNext
Loop
==========

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.
Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
Thanks for posting this information. The "[UnKnown]" is caused by no PTR record for the DNS servers' IP address in the reverse zone, or no reverse zone. Otherwise, it actually looks clean from reading through it. You do have numerous sites, and the DCs and Netlogon service are registering everything. If I am missing any, it is because of the large number of DCs and I may be missing one or two. It appears you have one domain called mydomain.local. Without me going through each and every DC to check in the output, are all DCs GCs? In a single domain forest, it is recommended to make all DCs Global Catalogs. I assume on each DC that you have DNS set to point to itself as the first DNS address, and one of the DCs in its own Site as the second entry. No need to add additional DNS servers. If not, that is the recommended configuration. Which site has the RODC that is giving you problems?

Ace
This is my third request for the inspection of the log file below. Look into it and see if you can find your clients within the site that is failing. This should be run on a DC that is authenticating your out-of-site clients. This is how I troubleshoot this issue. Before attempting anything else I would like to know the results contained within.

start notepad.exe C:\WINDOWS\Debug\Netlogon.log

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009
http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
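Added example, not from the thread or either poster: a small Python parser that pulls the NO_CLIENT_SITE entries out of Netlogon.log (the lines Netlogon writes when a client's IP matches no subnet in Sites and Services) and groups the affected clients by candidate /24 against the subnets already defined, so the missing subnet definition stands out. The log lines are constructed in the Netlogon.log layout and DEFINED_SUBNETS is an assumed list.

```python
import ipaddress
import re

# Constructed sample in the Netlogon.log layout; both the 2003-style "[PID]"
# and the 2008-style "[MISC] [PID]" prefixes occur in real logs.
SAMPLE_LOG = """\
03/24 09:15:02 [MISC] [5056] MYDOMAIN: NO_CLIENT_SITE: WKS-042 10.20.5.17
03/24 09:15:07 [MISC] [5056] MYDOMAIN: NO_CLIENT_SITE: WKS-043 10.20.5.18
03/24 09:16:11 [5056] MYDOMAIN: NO_CLIENT_SITE: LAPTOP-7 10.30.1.9
03/24 09:17:30 [MISC] [5056] MYDOMAIN: NO_CLIENT_SITE: WKS-042 10.20.5.17
03/24 09:18:00 [MISC] [5056] MYDOMAIN: DsGetDcName function called: client PID=1234
03/24 09:19:45 [MISC] [5056] MYDOMAIN: NO_CLIENT_SITE: OLD-PC 10.10.0.5
"""

# Subnets already defined in AD Sites and Services (assumed for the example).
DEFINED_SUBNETS = ["10.10.0.0/16"]

NO_SITE_RE = re.compile(
    r"^\d\d/\d\d \d\d:\d\d:\d\d\s+(?:\[\w+\]\s+)+\S+:\s+"
    r"NO_CLIENT_SITE:\s+(?P<client>\S+)\s+(?P<ip>\S+)"
)


def parse_no_client_site(log_text):
    """Return (client, ip) for every NO_CLIENT_SITE entry; skips bad addresses."""
    hits = []
    for line in log_text.splitlines():
        m = NO_SITE_RE.match(line.strip())
        if not m:
            continue
        try:
            hits.append((m.group("client"), ipaddress.ip_address(m.group("ip"))))
        except ValueError:
            continue  # malformed address in the log; ignore the line
    return hits


def unmapped_subnets(hits, defined_subnets, prefix=24):
    """Group siteless clients by candidate network, ignoring any address that a
    defined subnet already covers (such entries predate the definition)."""
    defined = [ipaddress.ip_network(s) for s in defined_subnets]
    by_subnet = {}
    for client, ip in hits:
        if any(ip in net for net in defined):
            continue
        net = str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))
        by_subnet.setdefault(net, set()).add(client)
    return {net: sorted(clients) for net, clients in sorted(by_subnet.items())}


if __name__ == "__main__":
    for net, clients in unmapped_subnets(parse_no_client_site(SAMPLE_LOG), DEFINED_SUBNETS).items():
        print(f"{net}: not defined in AD Sites and Services; seen from {', '.join(clients)}")
```

Point it at the real file with open(r"C:\WINDOWS\Debug\Netlogon.log").read() in place of SAMPLE_LOG; each remaining key is a subnet to create and associate with the right site.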
Alright, let's run diagnostics on your domain. If you don't have the support tools installed, install them from your server install disk.

d:\support\tools\setup.exe

Run dcdiag, netdiag and repadmin in verbose mode.

-> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
-> netdiag.exe /v > c:\netdiag.log (On each dc)
-> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
-> ntfrsutl ds your_dc_name > c:\sysvol.log
-> dnslint /ad /s "ip address of your dc"

**Note: Using the /E switch in dcdiag will run diagnostics against ALL DCs in the forest. If you have significant numbers of DCs this test could generate significant detail and take a long time. You also want to take into account that slow links to DCs will also add to the testing time.

If you download a GUI script I wrote it should be simple to set and run (DCDiag and NetDiag). It also has the option to run individual tests without having to learn all the switch options. The details will be output in notepad text files that pop up automagically. The script is located on my website at http://www.pbbergs.com/windows/downloads.htm

Just select both dcdiag and netdiag and make sure verbose is set. (Leave the default settings for dcdiag as set when selected.) When complete, search for fail, error and warning messages.

Description and download for dnslint
http://support.microsoft.com/kb/321045

--
Paul Bergson
Juien,

You are saying you only have one domain, correct? If so, ALL domain controllers should be GCs, as I stated in my previous post. More info on this:

"If a single domain forest, you can have all DCs a GC. If multiple domains, it is recommended for a GC to not be on the FSMO IM Role, unless you make all DCs GCs"
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/03/08/37975.aspx

And run those tools for Paul to help with a diagnosis.

Ace
Good to hear you figured it out. However, I'm curious: why wasn't a site link created between the two sites in the first place? Did you by chance also disable the ability of AD (KCC and ISTG) to create automatic links?

Ace
I'm not sure what your RODC name is, and I only see snips of the logs, so I'm unclear if all these errors are related to your RODC. The DSA object could be worrisome, and I wonder if the best thing might be to demote and promote your RODC. Is this an option? If so, then demote, and once complete run another set of diagnostics and check to see if the errors have cleaned up. If not, note these as opposed to before the demotion.

As far as NetDiag is concerned, you can extract it from the 2003 support tools. I don't believe there are any issues with the 2003 tools for 2008, but I'll see if I can find out. It won't hurt anything since it is a reporting tool. I just would like to know if the RODC has a trust established with the rest of your domain.

--
Paul Bergson
I'm glad to hear things are working. As for pwd caching, I believe you have quite a few responses regarding this from earlier in the thread. Basically you set caching with the Password Replication Policy. Keep in mind, if a user wants to change his password, or has to change it (due to password expiration), the client machine must still contact a writeable DC.

Administering the Password Replication Policy:
http://technet.microsoft.com/en-us/library/cc754646(WS.10).aspx

Without my digging through the multiple postings in this thread (there are just too many), I'm providing a few links below to read up on.

Password Replication Policy Administration, May 14, 2009
... When you prepopulate the RODC password cache, you trigger the RODC to ... To prepopulate the password cache for an RODC by using Active ... make sure that the user in question is a member of Allowed RODC Password Replication Group (and is not a member - directly or indirectly - of the Denied RODC Password Replication Group ... Right click on the RODC account in ADUC. Go to Policy replication tab and add the group or users which you want cached in RODC and give permission as Allow ...
http://technet.microsoft.com/en-us/library/cc753470(WS.10).aspx

Password Replication Policy, May 1, 2009
... The Password Replication Policy acts as an access control list (ACL). It determines if an RODC should be permitted to cache a password. ...
http://technet.microsoft.com/en-us/library/cc730883(WS.10).aspx

Ask the Directory Services Team: Understanding “Read Only Domain ...”, Jan 18, 2008
... Another really cool feature is the “Prepopulate the password cache for an RODC” button. This button (pictured) allows an administrator to ...
http://blogs.technet.com/askds/arch...ad-only-domain-controller-authentication.aspx

Password Question On RODC, 7 posts - 3 authors - Last post: Dec 4, 2009
As far as I know, there is not password cache in RODC. ... The RODC has the password cache for Bob. One day RODC requests Bob to change the ...
http://social.technet.microsoft.com...e/thread/b70f29c0-28ae-45e4-9e7e-dd9a466d8791

Credential Caching on a Windows Server 2008 RODC
http://mcpmag.com/articles/2008/12/01/credential-caching-on-a-windows-server-2008-rodc.aspx

RODC Filtered Attribute Set, Credential Caching, and the Authentication Process with an RODC
http://technet.microsoft.com/en-us/library/cc753459(WS.10).aspx

AD DS: Read-Only Domain Controllers, August 26, 2009
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. With an RODC, organizations can easily deploy a domain controller in locations where physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory database...
http://technet.microsoft.com/en-us/library/cc732801(WS.10).aspx

I hope that helps.

Ace
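Added example, not from the thread or its posters: a Python model of how an RODC evaluates its Password Replication Policy, showing the two points the links above make, that membership counts whether direct or through nested groups, and that a Denied entry wins over an Allowed one (and with neither, nothing is cached). The users, groups and nesting are constructed; the Denied defaults mirror a freshly promoted RODC.

```python
from collections import deque

# Constructed directory: group -> its direct members (users or nested groups).
GROUP_MEMBERS = {
    "Allowed RODC Password Replication Group": {"BranchUsers", "bob"},
    "BranchUsers": {"alice", "carol"},
    "Denied RODC Password Replication Group": {"Domain Admins"},
    "Domain Admins": {"carol"},
    "Administrators": {"Domain Admins"},
}

# Default PRP of a new RODC: the privileged built-in groups are Denied and
# only the (initially empty) Allowed RODC Password Replication Group is Allowed.
RODC_PRP = {
    "allowed": {"Allowed RODC Password Replication Group"},
    "denied": {"Denied RODC Password Replication Group", "Account Operators",
               "Server Operators", "Backup Operators", "Administrators"},
}


def transitive_groups(principal, members=GROUP_MEMBERS):
    """Every group the principal belongs to directly or through nesting."""
    parents = {}
    for group, direct in members.items():
        for m in direct:
            parents.setdefault(m, set()).add(group)
    seen, queue = set(), deque([principal])
    while queue:
        for g in parents.get(queue.popleft(), ()):
            if g not in seen:
                seen.add(g)
                queue.append(g)
    return seen


def may_cache_password(user, prp=RODC_PRP, members=GROUP_MEMBERS):
    """Apply the PRP as an RODC does: a Denied entry matching the user or any
    of its nested groups wins over Allowed; with no Allowed match the answer
    is also no. Caching never lets the RODC process a password change itself;
    that still goes to a writeable DC."""
    identities = {user} | transitive_groups(user, members)
    if identities & prp["denied"]:
        return False
    return bool(identities & prp["allowed"])


if __name__ == "__main__":
    for name in ("bob", "alice", "carol", "dave"):
        print(f"{name}: cacheable={may_cache_password(name)}")
```

carol is in the Allowed group through BranchUsers but is also a Domain Admin, which nests into Administrators and the Denied group, so her password is never cached on the RODC.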
Sounds like you have done a great job, congratulations!

--
Paul Bergson
Very good to hear! It seems either the firewall strategy may have caused it, or not allowing auto-bridge to do its job connecting all sites. Glad to hear it was resolved.

Ace