AD Cleanup Problem
Check this KB 555846 article.
For Active Directory queries, post here.
http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads
Thanks
February 4th, 2012 6:07pm
Hello,
please give some more details about amount of DCs and how they are located. Also please upload the following files, so we can get a complete overview:
ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]
dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
netdiag /v >c:\netdiag.txt [from each DC, netdiag may work but isn't supported with Windows Server 2008 and doesn't run on Windows Server 2008 R2]
repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
As the output will become large, DON'T post them into the thread, please use Windows Sky Drive (skydrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
February 5th, 2012 5:18am
I've got a single domain with some W2K3 and some 2008R2 servers, and I've noticed some errors in dcdiag.
This one:
Starting test: VerifyEnterpriseReferences
The following problems were found while verifying various important DN
references. Note, that these problems can be reported because of
latency in replication. So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a given
domain or if the problem persists after replication has had
reasonable time to replicate changes.
[1] Problem: Missing Expected Value
Base Object:
CN=BEVERLY,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=rafmuseum,DC=local
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: frsComputerReference
Value Object Description: "DC Account Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs SYSVOL FRS Member Object. Also see Knowledge
Base Article: Q312862
[2] Problem: Missing Expected Value
Base Object:
CN=BEVERLY,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=rafmuseum,DC=local
Base Object Description: "SYSVOL FRS Member Object"
Value Object Attribute Name: serverReference
Value Object Description: "DSA Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs SYSVOL FRS Member Object. Also see Knowledge
Base Article Q312862
...I cleaned up by removing the long-gone DC. The server was removed gracefully from the domain as far as I recall.
Having done this, I now see:
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
For the partition (DC=ForestDnsZones,DC=rafmuseum,DC=local) we
encountered the following error retrieving the cross-ref's
(CN=786a4114-f391-4110-aa7d-65ab28ea1ecc,CN=Partitions,CN=Configurat
on,DC=rafmuseum,DC=local)
information:
LDAP Error 0x0 (0).
......................... ForestDnsZones failed test CheckSDRefDom
Starting test: CrossRefValidation
For the partition (DC=ForestDnsZones,DC=rafmuseum,DC=local) we
encountered the following error retrieving the cross-ref's
(CN=786a4114-f391-4110-aa7d-65ab28ea1ecc,CN=Partitions,CN=Configurat
on,DC=rafmuseum,DC=local)
information:
LDAP Error 0x0 (0).
......................... ForestDnsZones failed test
CrossRefValidation
I don't know what those partitions refer to and don't especially want to try deleting them before taking advice. The deleted server doesn't appear in AD Sites & Services or Metadata Cleanup.
Tim Gowen
February 5th, 2012 6:12am
OK
https://skydrive.live.com/#cid=32B65BF3DD545B34&id=32B65BF3DD545B34%21139
There are three AD sites with their DCs which are Windows 2008 R2 unless otherwise stated:
LONDON
catalina
provost
rapide (W2K3)
COSFORD
tutor
STAFFORD
varsity (read-only DC)
There was another DC in London called Canberra which, although it thought it was a DC, wasn't appearing in Active Directory as a DC. It was running DNS but nothing should be pointing to it. I have removed it from AD Sites & Services and AD Integrated DNS. This is in addition to the other DC which caused me to post here in the first place.
It looks as though it's my one remaining W2K3 DC which has the issues.
Tim Gowen
February 10th, 2012 8:02am
Those two servers are quite far apart. Varsity is a RODC.
I cannot find any non-existent servers in AD using ADSIEdit or LDP. I have the hotfix but I will probably wait for a Service Pack because this doesn't seem to be affecting performance.
Tim Gowen
February 10th, 2012 9:51am
Hello,
for the DES encryption error please see:
http://support.microsoft.com/kb/978055 and
http://support.microsoft.com/kb/977321
While processing a TGS request for the target
server krbtgt/RAFMUSEUM.LOCAL, the account
VICTOR$@RAFMUSEUM.LOCAL did not have a suitable
key for generating a Kerberos ticket (the missing
key has an ID of 8). The requested etypes were
18. The accounts available etypes were
23 -133 -128 3 1.
Mentioned DCOM errors often belong to the firewall settings.
An error event occurred. EventID: 0xC0002719
Time Generated: 02/07/2012 12:22:27
Event String:
DCOM was unable to communicate with the computer 194.72.6.57 using any of the configured protocols.
An error event occurred. EventID: 0xC0002719
Time Generated: 02/07/2012 12:22:42
Event String:
DCOM was unable to communicate with the computer 195.27.1.2 using any of the configured protocols.
An error event occurred. EventID: 0xC0002719
Time Generated: 02/07/2012 12:22:48
Event String:
DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols.
......................... CATALINA failed test SystemLog
How are the machines connected, any firewalls in between:
*** ERROR: The home server CATALINA is not in sync with
CN=NTDS Settings\0ADEL:3199b53f-597f-4a33-8f42-1782b0119d6c,CN=VARSITY\0ADEL:c72d39f2-67cd-4d70-9651-3af7153626f2,CN=Servers,CN=Stafford,CN=Sites,CN=Configuration,DC=rafmuseum,DC=local,
unable to proceed. Suggest you run:
dcdiag
/s:CN=NTDS Settings\0ADEL:3199b53f-597f-4a33-8f42-1782b0119d6c,CN=VARSITY\0ADEL:c72d39f2-67cd-4d70-9651-3af7153626f2,CN=Servers,CN=Stafford,CN=Sites,CN=Configuration,DC=rafmuseum,DC=local
<options>
So there are definitely connectivity problems and also it seems that old machines exist in the AD database. To be sure please check with ntdsutil:
http://msmvps.com/blogs/mweber/archive/2010/05/16/active-directory-metadata-cleanup.aspx
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
February 10th, 2012 3:02pm
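An added example, not part of the original thread: decoding the encryption type numbers in the KDC event quoted in the reply above, to show which key types the account holds against what was requested. The function names `parse_kdc_event` and `name` and the regular expressions are assumptions of this example, written against the wording of that one event message.

```python
import re

# Kerberos etype numbers: RFC 3961/3962/4757 values plus the negative,
# Windows-internal RC4 variants defined in ntsecapi.h.
ETYPES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
    -128: "rc4-md4", -133: "rc4-hmac-old", -135: "rc4-hmac-old-exp",
}
AES, DES = {17, 18}, {1, 3}

# Event text exactly as quoted in the reply above (line breaks are ignored).
EVENT = """While processing a TGS request for the target
server krbtgt/RAFMUSEUM.LOCAL, the account
VICTOR$@RAFMUSEUM.LOCAL did not have a suitable
key for generating a Kerberos ticket (the missing
key has an ID of 8). The requested etypes were
18. The accounts available etypes were
23 -133 -128 3 1."""

def name(etype):
    return ETYPES.get(etype, f"unknown({etype})")

def parse_kdc_event(text):
    """Extract account, target and etype lists from a 'no suitable key' event."""
    flat = " ".join(text.split())  # undo the hard wrapping of the log text
    who = re.search(r"target server (\S+), the account (\S+) did not have", flat)
    req = re.search(r"requested etypes were ([-\d ]+?)\.", flat)
    have = re.search(r"available etypes were ([-\d ]+?)\.", flat)
    if not (who and req and have):
        raise ValueError("not a KDC 'no suitable key' event")
    requested = [int(n) for n in req.group(1).split()]
    available = [int(n) for n in have.group(1).split()]
    findings = []
    if not set(requested) & set(available):
        findings.append("no etype in common between request and account keys")
    if not AES & set(available):
        findings.append("account has no AES keys")
    if DES & set(available):
        findings.append("account still holds DES keys")
    return {"target": who.group(1), "account": who.group(2),
            "requested": requested, "available": available,
            "findings": findings}

if __name__ == "__main__":
    result = parse_kdc_event(EVENT)
    print(result["account"], "->", result["target"])
    print("requested:", [name(e) for e in result["requested"]])
    print("available:", [name(e) for e in result["available"]])
    for finding in result["findings"]:
        print("finding:", finding)
```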


