Feb 07 2011

Possible Error messages on Windows Server 2008 and Windows Server 2008 R2 Domain Controllers

Until now I have seen multiple error messages that are shown on Domain Controllers with the new OS versions. For some of them exist already a Hotfix from Microsoft and some belong to configuration settings, that have to be done manual.

Also the by default enabled built-in firewall requires additional configuration settings. Of course the firewall can be disabled but in case you are ordered to run them this maybe helps you. Some articles about the Windows Firewall within Domains you will find at the end of this article.

So starting with the major Active Directory support tool DCDIAG. The output can show the following error, especially on a fresh installed Domain Controller:


Starting test: Connectivity
* Active Directory LDAP Services Check
Message 0x621 not found.
Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
……………………. <DC Name> failed test Connectivity

FIX: The connectivity test that is run by the Dcdiag.exe tool fails together with error code 0x621



Also the test VerifyEnterpriseReferences in the DCDIAG output fails, if not complete removed Domain Controllers exist or they are not correct registered.

Then the output always points to the highlighted Knowledge Base Article.

Update for the mentioned Knowledge Base Article: Q312862 is DONE on 14.03.2011 to contain also the replication technology DFS-R.

You can use the TechNet article “Update the FRS or DFS Replication Member Object” to verify or change or remove the Value.

Problem: Missing Expected Value
              Base Object: CN=NTSERVER,OU=Domain Controllers,DC=mw08,DC=loc
              Base Object Description: “DC Account Object”
              Value Object Attribute Name: frsComputerReferenceBL
              Value Object Description: “SYSVOL FRS Member Object”
              Recommended Action: See Knowledge Base Article: Q312862

failed test VerifyEnterpriseReferences


Another shown message in the DCDIAG output is:


Update 13.02.2011: As explained more detailed in the Friday MailSack from “Ask the Dicectory Services Team” use the following option not always:

This can be resolved with the following command in an elevated command prompt(RUNAS):

sc config rpcss type= share

You can run this command also against a remote located Domain Controller:

sc \\Servername config rpcss type= share

Really important is, that you take care about the space between (type= share)!!!


Update 11.05.2011: The KB Article 2512643 “DCDIAG.EXE /E or /A or /C expected errors” explains also some possible reason for here mentioned errors, so do not ignore them, because of the KB article, just compare them carefully to be sure it is safe to ignore them.


Your Active Directory forest has multiple Domain Controllers that are located at different sites. Because of this you use some switches to reduce the discovery scope of DCDIAG you realize that it takes a long time to run until the result is shown.

FIX: The Dcdiag.exe tool takes a long time to run in Windows Server 2008 R2 and in Windows 7


DCDIAG may show for the FRS, KCC and System Event log test the following error, when you run it against the Enterprise with “/e” from one Domain Controller:

0x6ba The RPC server is unavailable

The by default enabled firewall in Windows Server 2008 or higher is the reason. You can either disable the firewall complete (maybe not allowed in your network) or configure the Windows Firewall with Advanced Security as shown here for “Remote Administration” (RPC):

Open the console and choose the “Inbound Rules” and in the right pane scroll down to “Remote Administration” (RPC), which you set to enabled on the “General” tab


Add on the “Scope” tab the local and remote ip addresses of the Domain Controllers in the forest/domain where you need to have access


On the “Advanced” tab specify the profiles to that the rule will apply


allow the “Remote Administration” (RPC) in the firewall on the involved 2008 R2 DCs, the error is not shown


You use the command line tool DSGET together with Windows Server 2008 R2 and Windows 7 you will have incorrect results if used together with the –memberof switch and together with the –expand.

You expect only the output from the Group Information but also the User Information is shown. This is corrected with the following Hotfix:

FIX: The “dsget user -memberof -expand” command returns incorrect results in Windows Server 2008 R2 and in Windows 7


After the installation of the DHCP Server Role on a Windows Server 2008 R2 you see in the Application event log “Event ID 8193” from Source “VSS”.


This belongs to a permission change, the “NT AUTHORITY\NETWORK SERVICE” Security Principal is removed, on the following registry key and all sub keys during the DHCP Server role installation:


To resolve the error message you can use this KB article .


Using a Firewall in a Domain environment

Active Directory and Active Directory Domain Services Port Requirements

How to configure a firewall for domains and trusts

Active Directory in Networks Segmented by Firewalls

Active Directory Replication over Firewalls

2 responses so far

2 Responses to “Possible Error messages on Windows Server 2008 and Windows Server 2008 R2 Domain Controllers”

  1.   Advanced systemcare 7.2 pro crackon 28 Sep 2014 at 13:48

    Admiring the time and effort you put into your blog and detailed information you present.
    It’s good to come across a blog every once in a while that isn’t the same out of date rehashed information.
    Excellent read! I’ve saved your site and I’m adding your RSS
    feeds to my Google account.


Trackback URI | Comments RSS

Leave a Reply