Feb 07 2011
Possible Error messages on Windows Server 2008 and Windows Server 2008 R2 Domain Controllers
So far I have seen multiple error messages shown on Domain Controllers running the new OS versions. For some of them a Hotfix from Microsoft already exists, and some are caused by configuration settings that have to be made manually.
The built-in firewall, which is enabled by default, also requires additional configuration. Of course the firewall can be disabled, but in case you are required to run it, this may help you. You will find some articles about the Windows Firewall within Domains at the end of this article.
Let us start with the major Active Directory support tool, DCDIAG. Its output can show the following error, especially on a freshly installed Domain Controller:
Starting test: Connectivity
* Active Directory LDAP Services Check
Message 0x621 not found.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
……………………. <DC Name> failed test Connectivity
FIX: The connectivity test that is run by the Dcdiag.exe tool fails together with error code 0x621
The VerifyEnterpriseReferences test in the DCDIAG output also fails if incompletely removed Domain Controllers exist or if they are not registered correctly.
The output then always points to the highlighted Knowledge Base Article.
Update: the mentioned Knowledge Base Article Q312862 was updated on 14.03.2011 to also cover the replication technology DFS-R.
You can use the TechNet article “Update the FRS or DFS Replication Member Object” to verify, change or remove the value.
Problem: Missing Expected Value
Base Object: CN=NTSERVER,OU=Domain Controllers,DC=mw08,DC=loc
Base Object Description: “DC Account Object”
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: “SYSVOL FRS Member Object”
Recommended Action: See Knowledge Base Article: Q312862
failed test VerifyEnterpriseReferences
Another message shown in the DCDIAG output is:
WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
Update 13.02.2011: As explained in more detail in the Friday MailSack from “Ask the Directory Services Team”, do not always use the following option:
This can be resolved with the following command in an elevated command prompt (RUNAS):
sc config rpcss type= share
You can also run this command against a remote Domain Controller:
sc \\Servername config rpcss type= share
It is really important to keep the space between “type=” and “share” (type= share)!
Update 11.05.2011: The KB Article 2512643 “DCDIAG.EXE /E or /A or /C expected errors” also explains some possible reasons for the errors mentioned here. Do not ignore them just because of the KB article; compare them carefully to be sure it is safe to ignore them.
Your Active Directory forest has multiple Domain Controllers that are located at different sites. Because of this, you use some switches to reduce the discovery scope of DCDIAG, and you notice that it takes a long time to run until the result is shown.
DCDIAG may show the following error for the FRS, KCC and System Event log tests when you run it against the Enterprise with “/e” from one Domain Controller:
“0x6ba The RPC server is unavailable”
The firewall that is enabled by default in Windows Server 2008 or higher is the reason. You can either disable the firewall completely (maybe not allowed in your network) or configure the Windows Firewall with Advanced Security as shown here for “Remote Administration” (RPC):
Open the console, choose “Inbound Rules”, scroll down in the right pane to “Remote Administration” (RPC), and set it to enabled on the “General” tab.
On the “Scope” tab, add the local and remote IP addresses of the Domain Controllers in the forest/domain to which you need access.
On the “Advanced” tab, specify the profiles to which the rule will apply.
Once you allow “Remote Administration” (RPC) in the firewall on the involved 2008 R2 DCs, the error is no longer shown.
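The three console steps above can also be scripted with netsh, which keeps the firewall on and limits the rule to known Domain Controllers. This PowerShell script is an added example, not part of the original article; the DC addresses are constructed placeholders, the “Remote Administration (RPC-EPMAP)” rule name is an assumption not named in the article, and only the remote side of the scope is set.

```powershell
# Added example: enable and scope the "Remote Administration" inbound rules.
# Run in an elevated PowerShell prompt on each involved Domain Controller.
param(
    # Constructed sample addresses (documentation range); replace with your DCs.
    [string[]]$DcAddresses = @('192.0.2.10', '192.0.2.11'),
    # Profile(s) the rules should apply to ("Advanced" tab in the console).
    [string]$Profile = 'domain',
    # Only print the netsh commands instead of changing the firewall.
    [switch]$DryRun
)

# Rule display names on an English-language system (assumption: localized
# systems show translated names). The article names only the (RPC) rule.
$ruleNames = @(
    'Remote Administration (RPC)',
    'Remote Administration (RPC-EPMAP)'
)

# Accept literal IP addresses only, so a keyword such as "any" or a typo
# cannot silently open the rule to every remote host.
$parsed = [System.Net.IPAddress]::None
foreach ($addr in $DcAddresses) {
    if (-not [System.Net.IPAddress]::TryParse($addr, [ref]$parsed)) {
        throw "Not a valid IP address: $addr"
    }
}
$remoteIp = $DcAddresses -join ','

foreach ($rule in $ruleNames) {
    # "General" tab: enable=yes, "Scope" tab: remoteip, "Advanced" tab: profile
    $netshArgs = @(
        'advfirewall', 'firewall', 'set', 'rule',
        "name=$rule", 'dir=in',
        'new', 'enable=yes', "remoteip=$remoteIp", "profile=$Profile"
    )
    if ($DryRun) {
        Write-Output ('netsh ' + ($netshArgs -join ' '))
        continue
    }
    & netsh.exe $netshArgs
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "netsh failed for rule '$rule' (exit code $LASTEXITCODE)"
    }
}
```

Run it with -DryRun first to review the generated commands, then re-run DCDIAG with “/e” to confirm the 0x6ba error is gone.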
If you use the command line tool DSGET on Windows Server 2008 R2 and Windows 7, you will get incorrect results when it is used with the -memberof switch together with -expand.
You expect only the Group Information in the output, but the User Information is shown as well. This is corrected with the following Hotfix:
FIX: The “dsget user -memberof -expand” command returns incorrect results in Windows Server 2008 R2 and in Windows 7
After installing the DHCP Server Role on Windows Server 2008 R2, you see “Event ID 8193” from source “VSS” in the Application event log.
This is caused by a permission change: during the DHCP Server role installation, the “NT AUTHORITY\NETWORK SERVICE” Security Principal is removed from the following registry key and all subkeys:
To resolve the error message you can use this KB article.
Using a Firewall in a Domain environment