Directory service events error on


Contents

  1. Active Directory Replication Error: Target Principal Name is Incorrect
  2. Troubleshooting Active Directory Replication Problems
  3. Introduction and resources for troubleshooting Active Directory replication
  4. Event and tool solution recommendations
  5. Ruling out intentional disruptions or hardware failures
  6. Intentional disconnections
  7. Hardware failures or upgrades
  8. Firewall configuration
  9. Responding to failure of an outdated server running Windows 2000 Server
  10. Root causes
  11. General approach to fixing problems
  12. Using Repadmin to retrieve replication status
  13. To generate a repadmin /showrepl spreadsheet for domain controllers
  14. Replication problems and resolutions
  15. repadmin /showrepl error messages that indicate replication problems
  16. Next steps

Active Directory Replication Error: Target Principal Name is Incorrect

When trying to replicate data manually between Active Directory domain controllers in the Active Directory Sites and Services snap-in (dssite.msc), the following error appeared:

When checking replication with repadmin, one of the DCs reports an error:

The DC's event log contains errors like this one:

Source: Security-Kerberos
Event ID: 4

First of all, check:

  1. That the problem domain controller is reachable with a simple ICMP ping;
  2. That TCP port 445 is reachable on it and that the SysVol and NetLogon network shares are published.

If everything is OK, the problem is that the secure channel between the domain controllers is broken. Check it with the following PowerShell command:

The KDC service on the target domain controller cannot decrypt the Kerberos ticket because it holds an old password for this domain controller.

To fix the problem, you need to reset this password. First, find the domain controller that currently holds the PDC FSMO role:

netdom query fsmo | find "PDC"

In our example, the PDC is MSK-DC02. We will use this name in the netdom resetpwd command below.

Stop the Kerberos Key Distribution Center (KDC) service on the domain controller that reports the "The target principal name is incorrect" error and change its startup type to Disabled. You can change the service settings from the services.msc console or with PowerShell:

Get-Service kdc -ComputerName msk-dc03 | Set-Service -StartupType Disabled -PassThru

Restart this domain controller.

Now reset the secure channel with the domain controller that holds the PDC role:

netdom resetpwd /server:msk-dc02 /userd:winitpro\administrator /passwordd:*

Enter the domain administrator password.

Restart the problem DC and start the KDC service. Try to run replication and check for errors:

repadmin /syncall
repadmin /replsum
repadmin /showrepl

If replication completes successfully, Event ID 1394 should appear in the Directory Service log in Event Viewer:

Check the health of your domain and Active Directory domain controllers according to this guide.
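
The repair sequence above, as an added PowerShell script that is not part of the original post. It assumes Windows PowerShell 5.1 run elevated on the domain controller that logs Kerberos Event ID 4, the ActiveDirectory RSAT module for Get-ADDomain, and a placeholder partner name in $Partner; the secure-channel command the post refers to but does not show is assumed to be Test-ComputerSecureChannel. Because the procedure reboots the DC twice, the script is split into three phases that you run in order after each reboot.

```powershell
# Added example, not from the original post. Assumptions: elevated Windows PowerShell 5.1 on the
# DC that reports "target principal name is incorrect"; ActiveDirectory module installed;
# $Partner is a placeholder for the replication partner that rejected the ticket.
param(
    [Parameter(Mandatory)][ValidateSet('Prepare', 'Reset', 'Verify')][string]$Phase,
    [string]$Partner = 'msk-dc02.winitpro.local'   # assumed partner name, replace with yours
)

function Test-PartnerReachability {
    param([string]$Name)
    # The post's two preliminary checks: ICMP ping, then TCP 445 with the SYSVOL/NETLOGON shares.
    if (-not (Test-Connection -ComputerName $Name -Count 2 -Quiet)) { throw "$Name does not answer ping" }
    if (-not (Test-NetConnection -ComputerName $Name -Port 445 -InformationLevel Quiet)) { throw "TCP 445 to $Name is closed" }
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if (-not (Test-Path "\\$Name\$share")) { throw "\\$Name\$share is not published" }
    }
}

switch ($Phase) {
    'Prepare' {
        Test-PartnerReachability -Name $Partner
        # Assumed to be the secure-channel test the post has in mind; $true means nothing to fix.
        if (Test-ComputerSecureChannel -Server $Partner -Verbose) {
            Write-Host 'Secure channel to the partner is healthy; no password reset needed.'
            return
        }
        # Same effect as the post's Get-Service kdc | Set-Service -StartupType Disabled, plus an explicit stop.
        Stop-Service -Name kdc -Force
        Set-Service -Name kdc -StartupType Disabled
        Restart-Computer -Force
    }
    'Reset' {
        # Equivalent of "netdom query fsmo | find PDC": the FQDN of the PDC emulator.
        $Pdc = (Get-ADDomain).PDCEmulator
        Write-Host "Resetting this DC's machine account password against PDC $Pdc"
        # /passwordd:* prompts for the domain admin password interactively, as in the post.
        netdom resetpwd /server:$Pdc /userd:"$env:USERDOMAIN\administrator" /passwordd:*
        if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
        Set-Service -Name kdc -StartupType Automatic
        Restart-Computer -Force
    }
    'Verify' {
        Start-Service -Name kdc   # no-op if the service already came up with the reboot
        repadmin /syncall /AdeP   # all partitions, enterprise-wide, push
        repadmin /replsum
        # The success indicator from the post: Directory Service log, Event ID 1394, in the last 15 minutes.
        Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1394; StartTime = (Get-Date).AddMinutes(-15) } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}
```

Run it as `.\Reset-DcSecureChannel.ps1 -Phase Prepare`, reboot, `-Phase Reset`, reboot, then `-Phase Verify`. The Prepare phase exits early when the secure channel already tests healthy, so the KDC is only disabled when the symptom the post describes is actually present.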

Source

Troubleshooting Active Directory Replication Problems

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012


Active Directory replication problems can have several different sources. For example, Domain Name System (DNS) problems, networking issues, or security problems can all cause Active Directory replication to fail.

The rest of this topic explains tools and a general methodology to fix Active Directory replication errors. The following subtopics cover symptoms, causes, and how to resolve specific replication errors:

Introduction and resources for troubleshooting Active Directory replication

Inbound or outbound replication failure causes Active Directory objects that represent the replication topology, replication schedule, domain controllers, users, computers, passwords, security groups, group memberships, and Group Policy to be inconsistent between domain controllers. Directory inconsistency and replication failure cause either operational failures or inconsistent results, depending on the domain controller that is contacted for the operation, and can prevent the application of Group Policy and access control permissions. Active Directory Domain Services (AD DS) depends on network connectivity, name resolution, authentication and authorization, the directory database, the replication topology, and the replication engine. When the root cause of a replication problem is not immediately obvious, determining the cause among the many possible causes requires systematic elimination of probable causes.

For a UI-based tool to help monitor replication and diagnose errors, download and run the Microsoft Support and Recovery Assistant tool, or use the Active Directory Replication Status Tool if you only want to analyze the replication status.

A comprehensive document that describes how you can use the Repadmin tool to troubleshoot Active Directory replication is available; see Monitoring and Troubleshooting Active Directory Replication Using Repadmin.

For information about how Active Directory replication works, see the following technical references:

Ideally, the red (Error) and yellow (Warning) events in the Directory Service event log suggest the specific constraint that is causing replication failure on the source or destination domain controller. If the event message suggests steps for a solution, try the steps that are described in the event. The Repadmin tool and other diagnostic tools also provide information that can help you resolve replication failures.

For detailed information about using Repadmin for troubleshooting replication problems, see Monitoring and Troubleshooting Active Directory Replication Using Repadmin.

Ruling out intentional disruptions or hardware failures

Sometimes replication errors occur because of intentional disruptions. For this reason, when you troubleshoot Active Directory replication problems, rule out intentional disconnections and hardware failures or upgrades first.

Intentional disconnections

If replication errors are reported by a domain controller that is attempting replication with a domain controller that has been built in a staging site and is currently offline awaiting its deployment in the final production site (a remote site, such as a branch office), you can account for those replication errors. To avoid separating a domain controller from the replication topology for extended periods, which causes continuous errors until the domain controller is reconnected, consider adding such computers initially as member servers and using the install from media (IFM) method to install Active Directory Domain Services (AD DS). You can use the Ntdsutil command-line tool to create installation media that you can store on removable media (CD, DVD, or other media) and ship to the destination site. Then, you can use the installation media to install AD DS on the domain controllers at the site, without the use of replication.

Hardware failures or upgrades

If replication problems occur as a result of hardware failure (for example, failure of a motherboard, disk subsystem, or hard drive), notify the server owner so that the hardware problem can be resolved.

Periodic hardware upgrades can also cause domain controllers to be out of service. Ensure that your server owners have a good system of communicating such outages in advance.

Firewall configuration

By default, Active Directory replication remote procedure calls (RPCs) occur dynamically over an available port through the RPC Endpoint Mapper (RPCSS) on port 135. Make sure that Windows Firewall with Advanced Security and other firewalls are configured properly to allow for replication. For information about specifying the port for Active Directory replication and port settings, see article 224196 in the Microsoft Knowledge Base.

For information about the ports that Active Directory replication uses, see Active Directory Replication Tools and Settings.

For information about managing Active Directory replication over firewalls, see Active Directory Replication over Firewalls.

Responding to failure of an outdated server running Windows 2000 Server

If a domain controller running Windows 2000 Server has failed for longer than the number of days in the tombstone lifetime, the solution is always the same:

  1. Move the server from the corporate network to a private network.
  2. Either forcefully remove Active Directory or reinstall the operating system.
  3. Remove the server metadata from Active Directory so that the server object cannot be revived.

You can use a script to clean up server metadata on most Windows operating systems. For information about using this script, see Remove Active Directory Domain Controller Metadata.

By default, NTDS Settings objects that are deleted are revived automatically for a period of 14 days. Therefore, if you do not remove server metadata (use Ntdsutil or the script mentioned previously to perform metadata cleanup), the server metadata is reinstated in the directory, which prompts replication attempts to occur. In this case, errors will be logged persistently as a result of the inability to replicate with the missing domain controller.

Root causes

If you rule out intentional disconnections, hardware failures, and outdated Windows 2000 domain controllers, the remainder of replication problems almost always have one of the following root causes:

  • Network connectivity: The network connection might be unavailable, or network settings are not configured properly.
  • Name resolution: DNS misconfigurations are a common cause of replication failures.
  • Authentication and authorization: Authentication and authorization problems cause "Access denied" errors when a domain controller tries to connect to its replication partner.
  • Directory database (store): The directory database might not be able to process transactions fast enough to keep up with replication time-outs.
  • Replication engine: If intersite replication schedules are too short, replication queues might be too large to process in the time that is required by the outbound replication schedule. In this case, replication of some changes can be stalled indefinitely, potentially long enough to exceed the tombstone lifetime.
  • Replication topology: Domain controllers must have intersite links in AD DS that map to real wide area network (WAN) or virtual private network (VPN) connections. If you create objects in AD DS for the replication topology that are not supported by the actual site topology of your network, replication that requires the misconfigured topology fails.

General approach to fixing problems

Use the following general approach to fixing replication problems:

  1. Monitor replication health daily, or use Repadmin.exe to retrieve replication status daily.
  2. Attempt to resolve any reported failure in a timely manner by using the methods that are described in event messages and this guide. If software might be causing the problem, uninstall the software before you continue with other solutions.
  3. If the problem that is causing replication to fail cannot be resolved by any known methods, remove AD DS from the server and then reinstall AD DS. For more information about reinstalling AD DS, see Decommissioning a Domain Controller.
  4. If AD DS cannot be removed normally while the server is connected to the network, use one of the following methods to resolve the problem:
     • Force AD DS removal in Directory Services Restore Mode (DSRM), clean up server metadata, and then reinstall AD DS.
     • Reinstall the operating system, and rebuild the domain controller.

For more information about forcing removal of AD DS, see Forcing the Removal of a Domain Controller.

Using Repadmin to retrieve replication status

Replication status is an important way for you to evaluate the status of the directory service. If replication is working without errors, you know the domain controllers that are online. You also know that the following systems and services are working:

  • DNS infrastructure
  • Kerberos authentication protocol
  • Windows Time service (W32time)
  • Remote procedure call (RPC)
  • Network connectivity

Use Repadmin to monitor replication status daily by running a command that assesses the replication status of all the domain controllers in your forest. The procedure generates a .csv file that you can open in Microsoft Excel and filter for replication failures.

You can use the following procedure to retrieve the replication status of all domain controllers in the forest.

Membership in Enterprise Admins, or equivalent, is the minimum required to complete this procedure.

Tools:

  • Repadmin.exe
  • Excel (Microsoft Office)

To generate a repadmin /showrepl spreadsheet for domain controllers

  1. Open a Command Prompt as an administrator: On the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, provide Enterprise Admins credentials, if required, and then click Continue.
  2. At the command prompt, type the following command, and then press ENTER: repadmin /showrepl * /csv > showrepl.csv
  3. Click the Office button, click Open, navigate to showrepl.csv, and then click Open.
  4. Hide or delete column A as well as the Transport Type column, as follows:
     • Select a column that you want to hide or delete.
     • To hide the column, right-click the column, and then click Hide.
     • To delete the column, right-click the selected column, and then click Delete.
  5. Select row 1 beneath the column heading row. On the View tab, click Freeze Panes, and then click Freeze Top Row.
  6. Select the entire spreadsheet. On the Data tab, click Filter.
  7. In the Last Success Time column, click the down arrow, and then click Sort Ascending.
  8. In the Source DC column, click the filter down arrow, point to Text Filters, and then click Custom Filter.
  9. In the Custom AutoFilter dialog box, under Show rows where, click does not contain. In the adjacent text box, type del to eliminate from view the results for deleted domain controllers.
  10. Repeat the Custom AutoFilter step for the Last Failure Time column, but use the value does not equal, and then type the value 0.
  11. Resolve replication failures.

For every domain controller in the forest, the spreadsheet shows the source replication partner, the time that replication last occurred, and the time that the last replication failure occurred for each naming context (directory partition). By using Autofilter in Excel, you can view the replication health for working domain controllers only, failing domain controllers only, or domain controllers that are the least or most current, and you can see the replication partners that are replicating successfully.
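
The same filtering done in PowerShell instead of Excel, as an added example that is not part of the Microsoft article. It assumes the column names that repadmin /showrepl * /csv emits (the first column, showrepl_COLUMNS, is the "column A" the procedure hides); the three sample rows are constructed so the function can be tried offline.

```powershell
# Added example, not from the Microsoft article. Applies the article's Excel filters to the
# repadmin CSV: drop column A and Transport Type, hide deleted DCs (source name contains "del"),
# keep rows whose Last Failure Time is not 0, and sort by Last Success Time ascending.
function Get-ReplicationFailures {
    param([Parameter(Mandatory)][object[]]$Rows)

    $Rows |
        Where-Object { $_.'Source DSA' -notmatch 'del' -and $_.'Last Failure Time' -ne '0' } |
        Select-Object 'Destination DSA', 'Naming Context', 'Source DSA', 'Number of Failures',
                      'Last Failure Time', 'Last Success Time', 'Last Failure Status' |
        Sort-Object 'Last Success Time'
}

# Live use, as Enterprise Admin (the article's step 2 without the file on disk):
#   $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
#
# Constructed sample rows for an offline run: one healthy partner, one failing partner,
# and one deleted DC whose source name carries the \0ADEL suffix that the "del" filter removes.
$sample = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,HQ,DC01,"DC=example,DC=local",HQ,DC02,RPC,0,0,2024-03-01 09:00:00,0
showrepl_INFO,HQ,DC01,"DC=example,DC=local",Branch,DC03,RPC,12,2024-03-01 08:55:00,2024-02-25 11:12:00,8524
showrepl_INFO,HQ,DC01,"CN=Configuration,DC=example,DC=local",HQ,DC04\0ADEL:<placeholder-guid>,RPC,40,2024-03-01 08:50:00,2024-01-10 10:00:00,1722
'@

$rows = $sample | ConvertFrom-Csv
$failures = Get-ReplicationFailures -Rows $rows
$failures | Format-Table -AutoSize
Write-Host ("{0} of {1} partner links need attention" -f $failures.Count, $rows.Count)
```

With the constructed rows only the DC03 link remains: DC02 is dropped because its Last Failure Time is 0, and the DC04 row because its source name contains "DEL". The string comparison on Last Failure Time mirrors the article's "does not equal 0" filter exactly, and the date columns sort correctly as strings because repadmin writes them in year-month-day order.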

Replication problems and resolutions

Replication problems are reported in event messages and in various error messages that occur when an application or service attempts an operation. Ideally, these messages are collected by your monitoring application or when you retrieve replication status.

Most replication problems are identified in the event messages that are logged in the Directory Service event log. Replication problems might also be identified in the form of error messages in the output of the repadmin /showrepl command.

repadmin /showrepl error messages that indicate replication problems

To identify Active Directory replication problems, use the repadmin /showrepl command, as described in the previous section. The following table shows error messages that this command generates, along with the root causes of the errors and links to topics that provide solutions for the errors.

  • Repadmin error: The time since last replication with this server has exceeded the tombstone lifetime.
    Root cause: A domain controller has failed inbound replication with the named source domain controller long enough for a deletion to have been tombstoned, replicated, and garbage-collected from AD DS.
    Solution: Event ID 2042: It has been too long since this machine replicated
  • Repadmin error: No inbound neighbors.
    Root cause: If no items appear in the "Inbound Neighbors" section of the output that is generated by repadmin /showrepl, the domain controller was not able to establish replication links with another domain controller.
    Solution: Fixing Replication Connectivity Problems (Event ID 1925)
  • Repadmin error: Access is denied.
    Root cause: A replication link exists between two domain controllers, but replication cannot be performed properly as a result of an authentication failure.
    Solution: Fixing Replication Security Problems
  • Repadmin error: Last attempt at failed with the "Target account name is incorrect."
    Root cause: This problem can be related to connectivity, DNS, or authentication issues. If this is a DNS error, the local domain controller could not resolve the globally unique identifier (GUID)-based DNS name of its replication partner.
    Solution: Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088); Fixing Replication Security Problems; Fixing Replication Connectivity Problems (Event ID 1925)
  • Repadmin error: LDAP Error 49.
    Root cause: The domain controller computer account might not be synchronized with the Key Distribution Center (KDC).
    Solution: Fixing Replication Security Problems
  • Repadmin error: Cannot open LDAP connection to local host
    Root cause: The administration tool could not contact AD DS.
    Solution: Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
  • Repadmin error: Active Directory replication has been preempted.
    Root cause: The progress of inbound replication was interrupted by a higher-priority replication request, such as a request that was generated manually with the repadmin /sync command.
    Solution: Wait for replication to complete. This informational message indicates normal operation.
  • Repadmin error: Replication posted, waiting.
    Root cause: The domain controller posted a replication request and is waiting for an answer. Replication is in progress from this source.
    Solution: Wait for replication to complete. This informational message indicates normal operation.

The following table lists common events that might indicate problems with Active Directory replication, along with root causes of the problems and links to topics that provide solutions for the problems.

  • Event ID 1311, source NTDS KCC
    Root cause: The replication configuration information in AD DS does not accurately reflect the physical topology of the network.
    Solution: Fixing Replication Topology Problems (Event ID 1311)
  • Event ID 1388, source NTDS Replication
    Root cause: Strict replication consistency is not in effect, and a lingering object has been replicated to the domain controller.
    Solution: Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
  • Event ID 1925, source NTDS KCC
    Root cause: The attempt to establish a replication link for a writable directory partition failed. This event can have different causes, depending on the error.
    Solution: Fixing Replication Connectivity Problems (Event ID 1925); Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
  • Event ID 1988, source NTDS Replication
    Root cause: The local domain controller has attempted to replicate an object from a source domain controller that is not present on the local domain controller because it may have been deleted and already garbage-collected. Replication does not proceed for this directory partition with this partner until the situation is resolved.
    Solution: Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
  • Event ID 2042, source NTDS Replication
    Root cause: Replication has not occurred with this partner for a tombstone lifetime, and replication cannot proceed.
    Solution: Fixing Replication Lingering Object Problems (Event IDs 1388, 1988, 2042)
  • Event ID 2087, source NTDS Replication
    Root cause: AD DS could not resolve the DNS host name of the source domain controller to an IP address, and replication failed.
    Solution: Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
  • Event ID 2088, source NTDS Replication
    Root cause: AD DS could not resolve the DNS host name of the source domain controller to an IP address, but replication succeeded.
    Solution: Fixing Replication DNS Lookup Problems (Event IDs 1925, 2087, 2088)
  • Event ID 5805, source Net Logon
    Root cause: A machine account failed to authenticate, which is usually caused by either multiple instances of the same computer name or the computer name not replicating to every domain controller.
    Solution: Fixing Replication Security Problems

For more information about replication concepts, see Active Directory Replication Technologies.

Next steps

For more information, including support articles specific to error codes see the support article: How to troubleshoot common Active Directory replication errors

Source

Question

Hi All,

I am looking for support in ref to the following errors that I am finding in the Directory Service event log on a Windows Server 2012 Version 6.2 that I support. Can anybody explain what the errors are in ref to, and if it's a critical error we should be fixing and how to fix it?

-----------------------------------------------------------

Event ID: 1228

System Monitor was unable to open Active Directory Domain Services performance counters. An attempt to query the following performance counter registry key failed.

Registry key:
SYSTEM\CurrentControlSet\Services\NTDS\Performance\First Counter

Additional Data
Error value:
2 The system cannot find the file specified.

-----------------------------------------------------------

Event ID: 1228

System Monitor was unable to open Active Directory Domain Services performance counters. An attempt to query the following performance counter registry key failed.

Registry key:
SYSTEM\CurrentControlSet\Services\DirectoryServices\Performance\First Counter

Additional Data
Error value:
2 The system cannot find the file specified.

Directory service events error

Question

I’m in the process of upgrading our single Windows 2003 R2 Active Directory infrastructure to Windows Server 2008 R2. I have 10 domain controllers which are located at various sites.

I have upgraded 6 of the 10 DC’s to Windows Server 2008 R2 with no issues. We need to keep the same name/IP’s so I’ve been demoting the Windows 2003 DC, giving it a new name/IP and then promoting the new Windows Server 2008 R2 DC as its replacement with its old name/IP.

This morning I noticed the following event log on a Windows 2003 DC. This is the only DC which reports the error. It appears to report against the DC that I upgraded to Windows Server 2008 R2 yesterday.

If I perform a repadmin /replsum replication appears to work correctly. I can connect to the SYSVOL share on the source and destination servers by typing net view \\xyzDC .

Is this error message something of concern?

Source


Virtualized Domain Controller Troubleshooting

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic provides detailed methodology on troubleshooting the virtualized domain controller feature.

Introduction

The most important way to improve your troubleshooting skills is build a test lab and rigorously examine normal, working scenarios. If you encounter errors, they are more obvious and easy to understand, since you then have a solid foundation of how domain controller promotion works. This also allows you to build your analysis and network analysis skills. This goes for all distributed systems technologies, not just virtualized domain controller deployment.

The critical elements to advanced troubleshooting of domain controller configuration are:

Linear analysis combined with focus and attention to detail.

Understanding network capture analysis

Understanding the built-in logs

The first and second are beyond the scope of this topic, but the third can be explained in some detail. Virtualized domain controller troubleshooting requires a logical and linear method. The key is to approach the issue using the data provided and only resort to complex tools and analysis when you have exhausted the provided output and logging.

Troubleshooting virtualized domain controller cloning

This section covers:

The troubleshooting strategy for virtualized domain controller cloning follows this general format:

Tools for Troubleshooting

Logging Options

The built-in logs are the most important tool for troubleshooting issues with domain controller cloning. All of these logs are enabled and configured for maximum verbosity, by default.

Operation: Cloning
Logs:
  • Event viewer\Windows logs\System
  • Event viewer\Applications and services logs\Directory Service
  • %systemroot%\debug\dcpromo.log

Operation: Promotion
Logs:
  • %systemroot%\debug\dcpromo.log
  • Event viewer\Applications and services logs\Directory Service
  • Event viewer\Windows logs\System
  • Event viewer\Applications and services logs\File Replication Service
  • Event viewer\Applications and services logs\DFS Replication

Tools and Commands for Troubleshooting Domain Controller Configuration

To troubleshoot issues not explained by the logs, use the following tools as a starting point:

Network Monitor 3.4

General Methodology for Troubleshooting Domain Controller Cloning

  1. Is the VM booting into DS Repair Mode (DSRM)? This indicates troubleshooting is necessary. To log on in DSRM, use the .\Administrator account and specify the DSRM password.
     • Examine the Dcpromo.log.
     • Did initial cloning steps succeed but domain controller promotion fail?
       • Do errors indicate issues with the local domain controller or with the AD DS environment, such as errors returned from the PDC emulator?
       • Examine the System and Directory Services event logs and the dccloneconfig.xml and CustomDCCloneAllowList.xml
     • Does an incompatible application need to be in the CustomDCCloneAllowList.xml allow list?
     • Is the IP address or computer name either duplicated or invalid in the dccloneconfig.xml?
     • Is the Active Directory site invalid in the dccloneconfig.xml?
     • Is the IP address not set in the dccloneconfig.xml and there is no DHCP server available?
     • Is the PDC emulator online and available through the RPC protocol?
     • Is the domain controller a member of the Cloneable Domain Controllers group? Is the permission Allow a DC to create a clone of itself set on the domain root for that group?
     • Does the Dccloneconfig.xml file contain syntax errors that prevent correct parsing?
     • Is the hypervisor supported?
     • Did domain controller promotion fail after cloning began successfully?
     • Was the maximum number of auto-generated domain controller names (9999) exceeded?
     • Is the MAC address duplicated?
     • Is the host name of the clone the same as the source DC?
       • Is there a Dccloneconfig.xml file in one of the allowed locations?
  2. Is the VM booting into normal mode and cloning completed, but the domain controller is not functioning correctly?
     • First check if the host name is changed on the clone. If the host name is different, cloning has at least partially completed.
     • Does the domain controller have a duplicate IP address of the source domain controller from the dccloneconfig.xml, but the source domain controller was offline during cloning?
     • If the domain controller is advertising, treat the issue as any normal post-promotion issue you would have without cloning.
     • If the domain controller is not advertising, examine the Directory Service, System, Application, File Replication and DFS Replication event logs for post-promotion errors.

Disabling DSRM Boot

Once booted into DSRM due to any error, diagnose the cause for failure and if the dcpromo.log does not indicate that cloning cannot be retried, fix the cause for failure and reset the DSRM flag. A failed clone does not return to normal mode on its own on the next reboot; you must remove the DS Restore Mode boot flag in order to try cloning again. All of these steps require running as an elevated administrator.

Removing DSRM with Msconfig.exe

To turn DSRM boot off using a GUI, use the System Configuration tool:

On the Boot tab, under Boot Options, de-select Safe boot (it is already selected with the option Active Directory repair enabled)

Click OK and restart when prompted

Removing DSRM with Bcdedit.exe

To turn DSRM boot off from the command-line, use the Boot Configuration Data Store Editor:

Open a CMD prompt and run:

Restart the computer with:

Bcdedit.exe also works in a Windows PowerShell console. The commands there are:

Bcdedit.exe /deletevalue safeboot
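
The bcdedit step above, wrapped as an added PowerShell example that is not from the Microsoft article: it first confirms that the current boot entry really carries the DSRM flag, removes it only then, and restarts. It assumes an elevated prompt inside the clone; note that `{current}` must be quoted in PowerShell or the shell parses the braces as a script block.

```powershell
# Added example, not from the Microsoft article. Removes the DS Restore Mode boot flag only when
# it is present, so the script is safe to run on a clone that has already been fixed.
function Test-DsrmBootFlag {
    # bcdedit lists "safeboot  DsRepair" for the current entry when DSRM boot is enabled.
    $entry = bcdedit /enum '{current}'
    return [bool]($entry | Where-Object { $_ -match '^\s*safeboot\s+dsrepair' })
}

function Remove-DsrmBootFlag {
    if (-not (Test-DsrmBootFlag)) {
        Write-Host 'safeboot flag is not set on the current boot entry; nothing to change.'
        return $false
    }
    bcdedit /deletevalue '{current}' safeboot
    if ($LASTEXITCODE -ne 0) {
        throw "bcdedit failed with exit code $LASTEXITCODE; the clone will still boot into DSRM"
    }
    return $true
}

# Only reboot when the flag was actually removed; otherwise leave the clone as it is.
if (Remove-DsrmBootFlag) {
    Restart-Computer -Force
}
```

Re-running Test-DsrmBootFlag after the reboot should return $false; if it still returns $true, the deletion was applied to a different boot entry than the one the clone starts from.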

Server Core and the Event Log

The event logs contain much of the useful information about virtualized domain controller cloning operations. By default, a Windows Server 2012 computer installation is a Server Core installation, which means there is no graphical interface and therefore, no way to run the local Event Viewer snap-in.

To review the event logs on a server running a Server Core installation:

Run the Wevtutil.exe tool locally

Run PowerShell cmdlet Get-WinEvent locally

If you have enabled the Windows Advanced Firewall rules for the "Remote Event Log Management" groups (or equivalent ports) to allow inbound communication, you can manage the event log remotely using Eventvwr.exe, wevtutil.exe, or Get-Winevent. This can be done on Server Core installation using NETSH.exe, Group Policy, or the new Set-NetFirewallRule cmdlet in Windows PowerShell 3.0.

Do not attempt to add the graphical shell back to the computer while it is in DSRM. Windows servicing stack (CBS) cannot operate correctly while in Safe Mode or DSRM. Attempts to add features or roles while in DSRM will not complete and leave the computer in an unstable state until it is booted normally. Since a virtualized domain controller clone in DSRM cannot boot normally, and should not be booted normally under most circumstances, it is impossible to safely add the graphical shell. Doing so is unsupported and may leave you with an unusable server.
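
An added PowerShell example, not from the Microsoft article, that serves both the replication event table earlier on this page and this Server Core section: it pulls the replication event IDs from that table, the Net Logon and Kerberos events cited elsewhere on the page, and the cloning events 2160 to 2164 with Get-WinEvent, either locally or from a remote machine once the "Remote Event Log Management" rule group is enabled. $Dc is a placeholder; the provider names are the real ones behind the "Net Logon" and "Security-Kerberos" sources shown in Event Viewer.

```powershell
# Added example, not from the Microsoft article. Collects the replication-health events this
# page lists from the Directory Service and System logs of one DC, locally or remotely.
function Get-ReplicationHealthEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    # One hashtable per log/provider; Get-WinEvent turns each into an XPath query server-side.
    $filters = @(
        @{ LogName = 'Directory Service'; StartTime = $since
           Id = 1311, 1388, 1925, 1988, 2042, 2087, 2088, 2160, 2161, 2162, 2163, 2164 },
        @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = 5805; StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Security-Kerberos'; Id = 4; StartTime = $since }
    )
    foreach ($f in $filters) {
        # Get-WinEvent raises a non-terminating error when a filter matches nothing; that is expected here.
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object MachineName, TimeCreated, LogName, ProviderName, Id, LevelDisplayName,
                          @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

# Run once on the Server Core DC itself to permit the remote query (the article also names
# NETSH.exe and Group Policy as ways to do this):
#   Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
#
# wevtutil equivalent, run locally in DSRM, for the catch-all cloning failure (Event ID 2162):
#   wevtutil qe "Directory Service" /q:"*[System[(EventID=2162)]]" /f:text /c:5 /rd:true

$Dc = 'dc01.example.local'   # placeholder, replace with the clone or partner DC name
Get-ReplicationHealthEvents -ComputerName $Dc -Hours 48 |
    Sort-Object TimeCreated -Descending |
    Format-Table -AutoSize
```

Because the function yields one object per event with the log and provider attached, the same output can be piped to Export-Csv for the daily monitoring the article recommends, or filtered on Id to separate the informational cloning events (2160, 2161, 2163) from the error ones (2162, 2164) and the replication failures.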

Troubleshooting Specific Problems

Events

All virtualized domain controller cloning events write to the Directory Services event log of the clone domain controller VM. The Application, File Replication Service, and DFS Replication event logs may also contain useful troubleshooting information for failed cloning. Failures during the RPC call to the PDC emulator may be available in the event log on the PDC emulator.

Below are the Windows Server 2012 cloning-specific events in the Directory Services event log, with notes and suggested resolutions for errors.

Directory Services Event Log

Event ID 2160
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The local has found a virtual domain controller cloning configuration file.
  The virtual domain controller cloning configuration file is found at: %1
  The existence of the virtual domain controller cloning configuration file indicates that the local virtual domain controller is a clone of another virtual domain controller. The will start to clone itself.
Notes and resolution: This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and root of any local or removable disks for the dccloneconfig.xml file.

Event ID 2161
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: The local did not find the virtual domain controller cloning configuration file. The local machine is not a cloned DC.
Notes and resolution: This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and root of any local or removable disks for the dccloneconfig.xml file.

Event ID 2162
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: Virtual domain controller cloning failed.
  Please check events logged in System event logs and %systemroot%\debug\dcpromo.log for more information on errors that correspond to the virtual domain controller cloning attempt.
  Error code: %1
Notes and resolution: Follow the message instructions; this error is a catchall.

Event ID 2163
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Informational
Message: DsRoleSvc service was started to clone the local virtual domain controller.
Notes and resolution: This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and root of any local or removable disks for the dccloneconfig.xml file.

Event ID 2164
Source: Microsoft-Windows-ActiveDirectory_DomainService
Severity: Error
Message: failed to start the DsRoleSvc service to clone the local virtual domain controller.
Notes and resolution: Examine the service settings for the DS Role Server service (DsRoleSvc) and ensure its start type is set to manual. Validate that no third party program is preventing the start of this service.
Events Description
Event ID 2165
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message failed to start a thread during the cloning of the local virtual domain controller.

Thread name:%3

Notes and resolution Contact Microsoft Product Support
Events Description
Event ID 2166
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message needs RPCSS service to initiate rebooting into DSRM. Waiting for RPCSS to initialize into a running state failed.

Error code:%1

Notes and resolution Examine the System event log and service settings for the RPC Server service (Rpcss)
Events Description
Event ID 2168
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Microsoft-Windows-ActiveDirectory_DomainService

The DC is running on a supported hypervisor. VM Generation ID is detected.

Current value of VM Generation ID: %1

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2169
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message There is no VM Generation ID detected. The DC is hosted on a physical machine, a down-level version of Hyper-V, or a hypervisor that does not support the VM Generation ID.

Failure code returned when checking VM Generation ID:%1

Notes and resolution This is a success event if not intending to clone. Otherwise, examine the System event log and review hypervisor product support documentation.
Events Description
Event ID 2170
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Warning
Message A Generation ID change has been detected.

Generation ID cached in DS (old value):%1

Generation ID currently in VM (new value):%2

The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

Notes and resolution This is a success event if intending to clone. Otherwise, examine the System event log.
Events Description
Event ID 2171
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message No Generation ID change has been detected.

Generation ID cached in DS (old value):%1

Generation ID currently in VM (new value):%2

Notes and resolution This is a success event if not intending to clone, and should be seen at every reboot of a virtualized DC. Otherwise, examine the System event log.
Events Description
Event ID 2172
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Read the msDS-GenerationId attribute of the Domain Controller’s computer object.

msDS-GenerationId attribute value:%1

Notes and resolution This is a success event if intending to clone. Otherwise, examine the System event log.
Events Description
Event ID 2173
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Failed to read the msDS-GenerationId attribute of the Domain Controller’s computer object. This may be caused by database transaction failure, or the generation id does not exist in the local database. The msDS-GenerationId does not exist during the first reboot after dcpromo or the DC is not a virtual domain controller.

Failure code:%1

Notes and resolution This is a success event if intending to clone and it is the first VM reboot after cloning has completed. It can also be ignored on non-virtual Domain controllers. Otherwise, examine the System event log.
Events Description
Event ID 2174
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message The DC is neither a virtual domain controller clone nor a restored virtual domain controller snapshot.
Notes and resolution This is a success event if not intending to clone. Otherwise, examine the System event log.
Events Description
Event ID 2175
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Virtual domain controller clone configuration file exists on an unsupported platform.
Notes and resolution This occurs when a dccloneconfig.xml is found but a VM Generation-ID could not be found, such as when a dccloneconfig.xml file is found on a physical computer or on a hypervisor that does not support VM Generation-ID.
Events Description
Event ID 2176
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Renamed virtual domain controller clone configuration file.

New file name:%2

Notes and resolution Rename expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone.
Events Description
Event ID 2177
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Renaming virtual domain controller clone configuration file failed.

Failure code:%2 %3

Notes and resolution Rename attempt expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone. Manually rename the file and investigate installed third party products that may be preventing the file rename.
Events Description
Event ID 2178
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Detected virtual domain controller clone configuration file, but VM Generation ID has not been changed. The local DC is the clone source DC. Rename the clone configuration file.
Notes and resolution Expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone.
Events Description
Event ID 2179
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message The msDS-GenerationId attribute of the Domain Controller’s computer object has been set to the following parameter:

GenerationID attribute:%1

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2180
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Warning
Message Failed to set the msDS-GenerationId attribute of the Domain Controller’s computer object.

Failure code:%1

Notes and resolution Examine the System event log and Dcpromo.log. Lookup the specific error in MS TechNet, MS Knowledgebase, and MS blogs to determine its usual meaning, and then troubleshoot based on those results.
Events Description
Event ID 2182
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Internal event: The Directory Service has been asked to clone a remote DSA:
Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2183
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message Internal event: completed the request to clone the remote Directory System Agent.

Original DC name:%3

Request clone DC name:%4

Request clone DC site:%5

Error value:%1 %2

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2184
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message failed to create a domain controller account for the cloned DC.

Original DC name:%1

Allowed number of cloned DC:%2

The limit on the number of domain controller accounts that can be generated by cloning was exceeded.

Notes and resolution A single source domain controller name can only automatically generate 9999 times if domain controllers are not demoted, based on the naming convention. Use the element in the XML to generate a new unique name or clone from a differently named DC.
Events Description
Event ID 2191
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message set the following registry value to disable DNS updates.

Registry Value: %2

Registry Value data: %3

During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2192
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message failed to set the following registry value to disable DNS updates.

Registry Value: %2

Registry Value data: %3

During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.

Notes and resolution Examine Application and System event logs. Investigate third party application that may be blocking registry updates.
Events Description
Event ID 2193
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message set the following registry value to enable DNS updates.

Registry Value: %2

Registry Value data: %3

During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2194
Severity Error
Message failed to set the following registry value to enable DNS updates.

Registry Value: %2

Registry Value data: %3

During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.

Notes and resolution Examine Application and System event logs. Investigate third party application that may be blocking registry updates.
Events Description
Event ID 2195
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Failed to set DSRM boot.

When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Setting DSRM boot failed.

Notes and resolution Examine Application and System event logs. Investigate third party application that may be blocking registry updates.
Events Description
Event ID 2196
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Failed to enable shutdown privilege.

When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Enabling shutdown privilege failed.

Notes and resolution Examine Application and System event logs. Investigate third party application that may be blocking privilege usage.
Events Description
Event ID 2197
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Failed to initiate system shutdown.

When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Initiating system shutdown failed.

Notes and resolution Examine Application and System event logs. Investigate third party application that may be blocking privilege usage.
Events Description
Event ID 2198
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message failed to create or modify the following cloned DC object.

%3

Notes and resolution Lookup the specific error in MS TechNet, MS Knowledgebase, and MS blogs to determine its usual meaning, and then troubleshoot based on those results.
Events Description
Event ID 2199
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message failed to create the following cloned DC object because the object already exists.

%2

Notes and resolution Validate the dccloneconfig.xml did not specify an existing domain controller or that copies of the dccloneconfig.xml have been used on multiple clones without editing the name. If the collision is still unexpected, determine which administrator promoted it; contact them to discuss if the existing domain controller should be demoted, the existing domain controller metadata cleaned, or if the clone should use a different name.
Events Description
Event ID 2203
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Last virtual domain controller cloning failed. This is the first reboot since then so this should be a re-try of the cloning. However, neither virtual domain controller clone configuration file exists nor virtual machine generation ID change is detected. Boot into DSRM.

Last virtual domain controller cloning failed:%1

Virtual domain controller clone configuration file exists:%2

Virtual machine generation ID change is detected:%3

Notes and resolution Expected if cloning failed previously, due to missing or invalid dccloneconfig.xml
Events Description
Event ID 2210
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message failed to create objects for clone domain controller.

Clone domain controller name: %1

Exception value: %3

DSID: %5

Notes and resolution Review the System and Directory Services event logs and the dcpromo.log for further details on why cloning failed.
Events Description
Event ID 2211
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message has created objects for clone domain controller.

Clone domain controller name: %1

Retry loop: %2

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2212
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message started to create objects for the clone domain controller.

Clone RODC: %4

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2213
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message created a new KrbTgt object for Read-Only domain controller cloning.

New KrbTgt Object Guid: %2

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2214
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message will create a computer object for the clone domain controller.

Original domain controller: %2

Clone domain controller: %3

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2215
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message will add the clone domain controller in the following site.

Site: %2

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2216
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message will create a servers container for the clone domain controller.

Servers Container: %2

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2217
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message will create a server object for the clone domain controller.

Server Object: %2

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2218
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message will create a NTDS Settings object for the clone domain controller.

Object: %2

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2219
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message will create connection objects for the clone Read-Only domain controller.

Clone Id: %1

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2220
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message will create SYSVOL objects for the clone Read-Only domain controller.

Clone Id: %1

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2221
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message failed to generate a random password for the cloned domain controller.

Clone domain controller name: %2

Error: %3 %4

Notes and resolution Examine the system event log for further details on why the machine account password could not be created.
Events Description
Event ID 2222
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message failed to set password for the cloned domain controller.

Clone domain controller name: %2

Error: %3 %4

Notes and resolution Examine the system event log for further details on why the machine account password could not be set.
Events Description
Event ID 2223
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message successfully set machine account password for the cloned domain controller.

Clone domain controller name: %2

Total retry times: %3

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2224
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Virtual domain controller cloning failed. The following %1 Managed Service Account(s) exist on the cloned machine:

For cloning to succeed, all Managed Service Accounts must be removed. This can be done using the Remove-ADComputerServiceAccount PowerShell cmdlet.

Notes and resolution Expected when using standalone MSAs (not group MSA). Do not follow the event advice to remove the account — it is incorrectly written. Use Uninstall-AdServiceAccount — https://technet.microsoft.com/library/hh852310.

Standalone MSAs — first released in Windows Server 2008 R2 — were replaced in Windows Server 2012 with group MSAs (gMSA). GMSAs support cloning.

Events Description
Event ID 2225
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Informational
Message The cached secrets of the following security principal have been successfully removed from local domain controller:

After cloning a read-only domain controller, secrets which were previously cached on the cloning source read-only domain controller will be removed on the cloned domain controller.

Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 2226
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Failed to remove cached secrets of the following security principal from local domain controller:

After cloning a read-only domain controller, secrets which were previously cached on the cloning source read-only domain controller need to be removed on the clone in order to decrease the risk that an attacker can obtain those credentials from stolen or compromised clone. If the security principal is a highly privileged account and should be protected against this, please use rootDSE operation rODCPurgeAccount to manually clear its secrets on local domain controller.

Notes and resolution Examine the System and Directory Services event logs for further information.
Events Description
Event ID 2227
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message Exception is raised while trying to remove cached secrets from local domain controller.

Exception value: %1

After cloning a read-only domain controller, secrets which were previously cached on the cloning source read-only domain controller need to be removed on the clone in order to decrease the risk that an attacker can obtain those credentials from stolen or compromised clone. If any of these security principals is a highly privileged account and should be protected against this, please use rootDSE operation rODCPurgeAccount to manually clear its secrets on local domain controller.

Notes and resolution Examine the System and Directory Services event logs for further information.
Events Description
Event ID 2228
Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
Message The Virtual machine generation ID in the Active Directory database of this domain controller is different from the current value of this virtual machine. However, a virtual domain controller clone configuration file (DCCloneConfig.xml) could not be located so domain controller cloning was not attempted. If a domain controller cloning operation was intended, please ensure that a DCCloneConfig.xml is provided in any one of the supported locations. In addition, the IP address of this domain controller conflicts with another domain controller’s IP address. To ensure no disruptions in service occur, the domain controller has been configured to boot into DSRM.

The duplicate IP address: %1

Notes and resolution This protection mechanism stops duplicate domain controllers when possible (it will not when using DHCP, for example). Add a valid DcCloneConfig.xml file, remove the DSRM flag, and re-attempt cloning
Events Description
Event ID 29218
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed. The cloning operation could not be completed and the cloned domain controller was rebooted into Directory Services Restore Mode (DSRM).

Please check previously logged events and %systemroot%debugdcpromo.log for more information on errors that correspond to the virtual domain controller cloning attempt and whether or not this clone image can be reused.

If one or more log entries indicate that the cloning process cannot be retried, the image must be securely destroyed. Otherwise you may fix the errors, clear the DSRM boot flag, and reboot normally; upon reboot, the cloning operation will be retried.

Notes and resolution Review the System and Directory Services event logs and the dcpromo.log for further details on why cloning failed.
Events Description
Event ID 29219
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Informational
Message Virtual domain controller cloning succeeded.
Notes and resolution This is a success event and only an issue if unexpected.
Events Description
Event ID 29248
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed to obtain Winlogon Notification. The returned error code is %1 (%2).

For more information on this error, please review %systemroot%debugdcpromo.log for errors that correspond to the virtual domain controller cloning attempt.

Notes and resolution Contact Microsoft Product Support
Events Description
Event ID 29249
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed to parse virtual domain controller configuration file.

The returned HRESULT code is %1.

The configuration file is:%2

Please fix the errors in the configuration file and retry the cloning operation.

For more information about this error, please see %systemroot%debugdcpromo.log.

Notes and resolution Examine the dclconeconfig.xml file for syntax errors using an XML editor and the DCCloneConfigSchema.xsd schema file.
Events Description
Event ID 29250
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed. There are software or services currently enabled on the cloned virtual domain controller that are not present in the allowed application list for virtual domain controller cloning.

Following are the missing entries:

%1 (if any) was used as the defined inclusion list.

The cloning operation cannot be completed if there are non-cloneable applications installed.

Please run Active Directory PowerShell Cmdlet Get-ADDCCloningExcludedApplicationList to check which applications are installed on the cloned machine, but not included in the allow list, and add them to the allow list if they are compatible with virtual domain controller cloning. If any of these applications are not compatible with virtual domain controller cloning, please uninstall them before re-trying the cloning operation.

The virtual domain controller cloning process searches for the allowed application list file, CustomDCCloneAllowList.xml, based on the following search order; the first file found is used and all others are ignored:

1. The registry value name: HKey_Local_MachineSystemCurrentControlSetServicesNTDSParametersAllowListFolder

2. The same directory where the DSA Working Directory folder resides

4. Removable read/write media in order of drive letter at the root of the drive

Notes and resolution Follow the message instructions
Events Description
Event ID 29251
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed to reset the IP addresses of the clone machine.

The returned error code is %1 (%2).

This error might be caused by misconfiguration in network configuration sections in the virtual domain controller configuration file.

Please see %systemroot%debugdcpromo.log for more information about errors that correspond to IP addresses resetting during virtual domain controller cloning attempts.

Details on resetting machine IP addresses on the cloned machine can be found at https://go.microsoft.com/fwlink/?LinkId=208030

Notes and resolution Verify the IP information set in the dccloneconfig.xml is valid and does not duplicate the original source machine.
Events Description
Event ID 29253
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed. The clone domain controller was unable to locate the primary domain controller (PDC) operations master in the cloned computer’s home domain of the cloned machine.

The returned error code is %1 (%2).

Please verify that the primary domain controller in the home domain of the cloned machine is assigned to a live domain controller, is online, and is operational. Verify that the cloned machine has LDAP/RPC connectivity to the primary domain controller over the required ports and protocols.

Notes and resolution Validate the cloned domain controller IP and DNS information is set. Use Dcdiag.exe /test:locatorcheck to validate if the PDCE is online, use Nltest.exe /server:

/dclist: to valid RPC, obtain a network capture from the PDCE while cloning fails and analyze the traffic.

Events Description
Event ID 29254
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed to bind to the primary domain controller %1.

The returned error code is %2 (%3).

Please verify that the primary domain controller %1 is online and is operational. Verify that the cloned machine has LDAP/RPC connectivity to the primary domain controller over the required ports and protocols.

Notes and resolution Validate the cloned domain controller IP and DNS information is set. Use Dcdiag.exe /test:locatorcheck to validate if the PDCE is online, use Nltest.exe /server:

/dclist: to valid RPC, obtain a network capture from the PDCE while cloning fails and analyze the traffic.

Events Description
Event ID 29255
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed.

An attempt to create objects on the primary domain controller %1 required for the image being cloned returned error %2 (%3).

Please verify that the cloned domain controller has privilege to clone itself. Check for related events in the Directory Service event log on primary domain controller %1.

Notes and resolution Lookup the specific error in MS TechNet, MS Knowledgebase, and MS blogs to determine its typical meaning, and then troubleshoot based on those results.
Events Description
Event ID 29256
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message An attempt to set the Boot into Directory Services Restore Mode flag failed with error code %1.

Please see %systemroot%debugdcpromo.log for more information about errors.

Notes and resolution Examine the Directory Services log and dcpromo.log for details. Examine Application and System event logs. Investigate third party application that may be blocking privilege usage.
Events Description
Event ID 29257
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning has done. An attempt to reboot the machine failed with error code %1.

Please reboot the machine to finish the cloning operation.

Notes and resolution Examine Application and System event logs. Investigate third party application that may be blocking privilege usage.
Events Description
Event ID 29264
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message An attempt to clear the Boot into Directory Services Restore Mode flag failed with error code %1.

Please see %systemroot%debugdcpromo.log for more information about errors.

Notes and resolution Examine the Directory Services log and dcpromo.log for details. Examine Application and System event logs. Investigate third party application that may be blocking privilege usage.
Events Description
Event ID 29265
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Informational
Message Virtual domain controller cloning succeeded. The virtual domain controller cloning configuration file %1 has been renamed to %2.
Notes and resolution N/A, this is a success event.
Events Description
Event ID 29266
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning succeeded. The attempt to rename virtual domain controller cloning configuration file %1 failed with error code %2 (%3).
Notes and resolution Manually rename the dccloneconfig.xml file.
Events Description
Event ID 29267
Source Microsoft-Windows-DirectoryServices-DSROLE-Server
Severity Error
Message Virtual domain controller cloning failed to check the virtual domain controller cloning allowed application list.

The returned error code is %1 (%2).

This error might be caused by a syntax error in the clone allow list file (The file currently being checked is: %3). For more information about this error, please see %systemroot%\debug\dcpromo.log.

Notes and resolution Follow the event instructions
Error Messages

There are no direct interactive errors for failed virtualized domain controller cloning; all cloning information is logged in the System and Directory Services event logs, and the domain controller promotion information in dcpromo.log. However, if the server boots into DS Restore Mode, investigate immediately, as promotion or cloning failed.

The dcpromo.log is the first place to check for cloning failure. Depending on the failure listed, it may be necessary to subsequently review Directory Services and System logs for further diagnosis.

Known Issues and Support Scenarios

The following are common issues seen during the Windows Server 2012 development process. All of these issues are «by design» and have either a valid workaround or more appropriate technique to avoid them in the first place. Some may be resolved in later releases of Windows Server 2012.

Issue Cloning fails, DSRM
Symptoms Clone boots into Directory Services Restore Mode
Resolution and Notes Validate that all steps were followed from the sections Deploying Virtualized Domain Controller and General Methodology for Troubleshooting Domain Controller Cloning.

Described in KB 2742844.

Issue Extra IP leases when using DHCP to clone
Symptoms After successfully cloning a DC and using DHCP, the first boot of the clone takes a DHCP lease. Then when the server is renamed and restarted as a DC, it takes a second DHCP lease. The first IP address is not released and you end up with a «phantom» lease
Resolution and Notes Manually delete the unused address lease in DHCP or allow it to expire normally. Described in KB 2742836.
Issue Cloning fails into DSRM after very long delay
Symptoms Cloning appears to pause at «Domain controller cloning is at X% completion» for between 8 and 15 minutes. After this, the cloning fails and boots into DSRM.
Resolution and Notes The cloned computer cannot get a dynamic IP address from DHCP or SLAAC, or is using a duplicate IP address, or cannot find the PDC. Multiple retry attempts performed by cloning lead to the delay. Resolve the networking issue to allow cloning.

Described in KB 2742844.

Issue Cloning does not recreate all service principal names
Symptoms If a set of three-part service principal names (SPN) includes both a NetBIOS name with a port and an otherwise identical NetBIOS name without a port, the non-port entry is not recreated with the new computer name. For example:

customspn/DC1:200/app1 - this is recreated with the new computer name

customspn/DC1/app1 - this is not recreated with the new computer name

Fully qualified names are recreated and SPNs without three parts are recreated, regardless of ports. For example, these are recreated successfully on the clone:

customspn/DC1:202 - this is recreated

customspn/DC1 - this is recreated

customspn/DC1.corp.contoso.com:202 - this is recreated

customspn/DC1.corp.contoso.com - this is recreated

Resolution and Notes This is a limitation of the domain controller rename process in Windows, not just in cloning. Three-part SPNs are not handled by the renaming logic in any scenario. Most included Windows services are unaffected by this, as they recreate any missing SPNs as needed. Other applications may require manually entering the SPN to resolve the issue.

Described in KB 2742874.
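The rule above can be checked before cloning rather than discovered afterwards. The following PowerShell is an added example, not code from the original module or from any Microsoft tool; it applies the stated rule (a three-part SPN whose host is the bare NetBIOS name with no port is not recreated, everything else is) to a list of SPNs and reports the ones an administrator would have to add on the clone by hand. The DC names DC1/DC2 and the SPN values are constructed.

```powershell
# Added example: predict which SPNs on a source DC the rename logic will NOT recreate on the clone.
function Get-SpnNotRecreatedOnClone {
    [CmdletBinding()]
    param(
        # SPNs read from the source DC's servicePrincipalName attribute
        [Parameter(Mandatory)][string[]]$Spn,
        # NetBIOS name of the source DC (hypothetical value in the sample below)
        [Parameter(Mandatory)][string]$SourceNetbiosName,
        # NetBIOS name the clone will receive; only used to print the SPN to register manually
        [string]$CloneNetbiosName
    )
    foreach ($entry in $Spn) {
        # SPN shape is service/host[:port][/name]; a third segment makes it a "three-part" SPN
        $parts = $entry -split '/', 3
        if ($parts.Count -ne 3) { continue }            # one- and two-part SPNs are recreated regardless of port
        $hostName, $port = $parts[1] -split ':', 2
        if ($port) { continue }                         # NetBIOS host WITH a port is recreated
        if ($hostName -ne $SourceNetbiosName) { continue }   # FQDN hosts are recreated (-ne is case-insensitive)
        $suggested = if ($CloneNetbiosName) { "$($parts[0])/$CloneNetbiosName/$($parts[2])" } else { $null }
        [pscustomobject]@{
            SourceSpn  = $entry
            Reason     = 'three-part SPN, NetBIOS host, no port: not recreated by DC rename'
            AddOnClone = $suggested   # register this on the clone if the application depends on it
        }
    }
}

# Constructed sample mirroring the examples in the text (not real directory data)
$sampleSpns = @(
    'customspn/DC1:200/app1',              # recreated
    'customspn/DC1/app1',                  # NOT recreated
    'customspn/DC1:202',                   # recreated
    'customspn/DC1',                       # recreated
    'customspn/DC1.corp.contoso.com:202',  # recreated
    'customspn/DC1.corp.contoso.com/app1'  # recreated (fully qualified)
)
Get-SpnNotRecreatedOnClone -Spn $sampleSpns -SourceNetbiosName 'DC1' -CloneNetbiosName 'DC2' |
    Format-Table -AutoSize

# Against a live source DC (requires the ActiveDirectory module); names are hypothetical:
# $spns = (Get-ADComputer -Identity 'DC1' -Properties servicePrincipalName).servicePrincipalName
# Get-SpnNotRecreatedOnClone -Spn $spns -SourceNetbiosName 'DC1' -CloneNetbiosName 'DC2'
```

Only customspn/DC1/app1 is reported for the sample list; the AddOnClone column gives the name to register on DC2 if an application still needs it.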

Issue Cloning fails, boots into DSRM, general networking errors
Symptoms Clone boots into Directory Services Repair Mode. There are general networking errors.
Resolution and Notes Ensure that the new clone does not have a duplicate static MAC address assigned from the source domain controller; you can see if a VM uses static MAC addresses by running this command on the hypervisor host for both the source and clone virtual machines:

Get-VM -VMName test-vm | Get-VMNetworkAdapter | fl *

Change the MAC address to a unique static address or switch to using dynamic MAC addresses.

Described in KB 2742844
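The single Get-VM command above shows one VM at a time; the following PowerShell is an added example (not code from the original module or from the Hyper-V module) that compares the adapters of several VMs and reports static MAC addresses shared by more than one of them. The live wrapper assumes the Hyper-V PowerShell module on the host; the VM names and MAC values in the sample are constructed.

```powershell
# Added example: find static MAC addresses that more than one VM carries, the condition to rule out above.
function Find-DuplicateStaticMac {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-VMNetworkAdapter output: VMName, MacAddress, DynamicMacAddressEnabled
        [Parameter(Mandatory)][object[]]$Adapter
    )
    $Adapter |
        Where-Object { -not $_.DynamicMacAddressEnabled } |         # only static MACs survive a VM copy unchanged
        Group-Object -Property { $_.MacAddress.ToUpperInvariant() } |
        ForEach-Object {
            $vms = @($_.Group.VMName | Sort-Object -Unique)
            if ($vms.Count -gt 1) {
                [pscustomobject]@{ MacAddress = $_.Name; VMs = ($vms -join ', ') }
            }
        }
}

# Live check on the Hyper-V host (requires the Hyper-V module); VM names are hypothetical.
# Remediation per the text: give the clone a unique static MAC (Set-VMNetworkAdapter -StaticMacAddress)
# or switch it to a dynamic one (Set-VMNetworkAdapter -DynamicMacAddress).
function Test-CloneMacConflict {
    param(
        [Parameter(Mandatory)][string]$SourceVM,
        [Parameter(Mandatory)][string]$CloneVM
    )
    $adapters = Get-VM -Name $SourceVM, $CloneVM | Get-VMNetworkAdapter
    $dupes = Find-DuplicateStaticMac -Adapter $adapters
    if ($dupes) { $dupes } else { "No duplicate static MAC address between $SourceVM and $CloneVM" }
}

# Constructed sample (no hypervisor needed): the clone DC2 inherited DC1's static MAC
$sampleAdapters = @(
    [pscustomobject]@{ VMName = 'DC1'; MacAddress = '00155D0A1B01'; DynamicMacAddressEnabled = $false },
    [pscustomobject]@{ VMName = 'DC2'; MacAddress = '00155d0a1b01'; DynamicMacAddressEnabled = $false },  # same MAC, different case
    [pscustomobject]@{ VMName = 'DC3'; MacAddress = '00155D0A1B01'; DynamicMacAddressEnabled = $true }    # dynamic: regenerated by the host
)
Find-DuplicateStaticMac -Adapter $sampleAdapters | Format-Table -AutoSize
```

The sample reports one row (DC1, DC2); DC3 is ignored because its dynamic address will be regenerated by the host.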

Issue Cloning fails, boots into DSRM as a duplicate of the source DC
Symptoms A new clone boots up without cloning. The dccloneconfig.xml is not renamed and the server starts in DS Restore Mode. The Directory Services event log shows Error 2164

failed to start the DsRoleSvc service to clone the local virtual domain controller.

Resolution and Notes Examine the service settings for the DS Role Server service (DsRoleSvc) and ensure its start type is set to Manual. Validate that no third party program is preventing the start of this service.

For more information about how to reclaim this secondary DC while ensuring that updates get replicated outbound, see Microsoft KB article 2742970.

Issue Cloning fails, boots into DSRM, error 8610
Symptoms Clone boots into Directory Services Restore Mode. Dcpromo.log shows error 8610 (which is ERROR_DS_ROLE_NOT_VERIFIED 8610 or 0x21A2)
Resolution and Notes This happens if the PDC can be discovered but has not performed sufficient replication to allow itself to assume the role. For example, if cloning is started and another administrator moves the PDCE FSMO role to a new DC.

Described in KB 2742916.

Issue Cloning fails, boots into DSRM
Symptoms Clone boots into Directory Services Repair Mode
Resolution and Notes Ensure that the dccloneconfig.xml contains the schema definition (see sampledccloneconfig.xml, line 2):

Described in KB 2742844

Issue No logon servers are available error logging into DSRM
Symptoms Clone boots into Directory Services Repair Mode. You attempt to logon and receive error:

There are currently no logon servers are available to service the logon request

Resolution and Notes Ensure you logon with the DSRM administrator account, and not the domain account. Use the left arrow and type a user name of:

.\administrator

Described in KB 2742908

Issue Clone Source fails into DSRM, error
Symptoms During cloning, promotion fails with 8437 «Create clone DC objects on PDC failed» (0x20f5)
Resolution and Notes Duplicate computer name was set in DCCloneConfig.xml as the source DC or an existing DC. The computer name also needs to be in the NetBIOS computer name format (15 characters or fewer, not an FQDN).

Fix the dccloneconfig.xml file by setting a unique, valid name.

Described in KB 2742959

Issue New-addccloneconfigfile error «index was out of range»
Symptoms When running the new-addccloneconfigfile cmdlet, you receive error:

Index was out of range. Must be non-negative and less than the size of the collection.

Resolution and Notes You must run the cmdlet in an administrator-elevated Windows PowerShell console. This error is caused by lack of local administrator group membership on the computer.

Described in KB 2742927

Issue Cloning fails, duplicate DC
Symptoms Clone boots without cloning, duplicates existing source DC
Resolution and Notes The computer was copied and started but does not contain a DcCloneConfig.xml file in any of the supported locations, and did not have a duplicate IP address with the source domain controller. The DC must be correctly removed in order to avoid data loss.

Described in KB 2742970

Issue New-ADDCCloneConfigFile fails with The server is not operational error when it checks if the source domain controller is a member of the Cloneable Domain controllers group if a GC is not available.
Symptoms When running New-ADDCCloneConfigFile to create a dccloneconfig.xml file, you receive error:

The server is not operational

Resolution and Notes Verify connectivity to a GC from the server where you run New-ADDCCloneConfigFile and verify that the membership of the source domain controller in the Cloneable Domain Controllers group has replicated to that GC.

Run the following command as a means of flushing the DC locator cache for cases where a GC or DC may have been taken offline recently:

nltest /dsgetdc: /GC /FORCE

Advanced Troubleshooting

This module seeks to teach advanced troubleshooting by using working logs as samples, with some explanation of what occurred. If you understand what a successful virtualized domain controller operation looks like, failures become obvious in your environment. These logs are presented by their source, with the ascending order of expected events (even when they are warnings and errors) related to a cloned domain controller within each log.

Cloning a Domain Controller

In this example, the clone domain controller uses DHCP to get an IP address, replicates SYSVOL using FRS or DFSR (see the appropriate log as necessary), is a global catalog, and uses a blank dccloneconfig.xml file.

Directory Services Event Log

The Directory Services log contains the majority of event-based cloning operational information. The hypervisor changes the VM-Generation ID and the NTDS service notes it, then invalidates the RID pool and changes the invocation ID. The new VM-Generation ID is set and the server replicates Active Directory data inbound. The DFSR service is stopped and its database that hosts SYSVOL is deleted, forcing a non-authoritative sync inbound. The USN high watermark is adjusted.

Event ID Source Message
2160 ActiveDirectory_DomainService The local Active Directory Domain Services has found a virtual domain controller cloning configuration file.

The virtual domain controller cloning configuration file is found at:

The existence of the virtual domain controller cloning configuration file indicates that the local virtual domain controller is a clone of another virtual domain controller. The Active Directory Domain Services will start to clone itself.

2191 ActiveDirectory_DomainService Active Directory Domain Services set the following registry value to disable DNS updates.

Registry Value data:

During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

2172 ActiveDirectory_DomainService Read the msDS-GenerationId attribute of the Domain Controller’s computer object.

msDS-GenerationId attribute value:

2170 ActiveDirectory_DomainService A Generation ID change has been detected.

Generation ID cached in DS (old value):

Generation ID currently in VM (new value):

The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. Active Directory Domain Services will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

1109 ActiveDirectory_DomainService The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:

InvocationID attribute (old value):

InvocationID attribute (new value):

Update sequence number:

The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

1000 ActiveDirectory_DomainService Microsoft Active Directory Domain Services startup complete.
1394 ActiveDirectory_DomainService All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted
2163 ActiveDirectory_DomainService DsRoleSvc service was started to clone the local virtual domain controller.
326 NTDS ISAM NTDS (536) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit). (Time=0 seconds)

Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.016, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.

Saved Cache: 1

103 NTDS ISAM NTDS (536) NTDSA: The database engine stopped the instance (0).

Dirty Shutdown: 0

Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.032, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

102 NTDS ISAM NTDS (536) NTDSA: The database engine (6.02.8225.0000) is starting a new instance (0).
105 NTDS ISAM NTDS (536) NTDSA: The database engine started a new instance (0). (Time=0 seconds)

Internal Timing Sequence: [1] 0.016, [2] 0.000, [3] 0.015, [4] 0.078, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.046, [10] 0.000, [11] 0.000.

1004 ActiveDirectory_DomainService Active Directory Domain Services was shut down successfully.
102 NTDS ISAM NTDS (536) NTDSA: The database engine (6.02.8225.0000) is starting a new instance (0).
326 NTDS ISAM NTDS (536) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit). (Time=0 seconds)

Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.016, [4] 0.000, [5] 0.031, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.

Saved Cache: 1

105 NTDS ISAM NTDS (536) NTDSA: The database engine started a new instance (0). (Time=1 seconds)

Internal Timing Sequence: [1] 0.031, [2] 0.000, [3] 0.000, [4] 0.391, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000.

1109 ActiveDirectory_DomainService The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:

InvocationID attribute (old value):

InvocationID attribute (new value):

Update sequence number:

The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

1168 ActiveDirectory_DomainService Internal error: An Active Directory Domain Services error has occurred.

Error value (decimal):

Error value (hexadecimal):

7011658

1110 ActiveDirectory_DomainService Promotion of this domain controller to a global catalog will be delayed for the following interval.

This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide

103 NTDS ISAM NTDS (536) NTDSA: The database engine stopped the instance (0).

Dirty Shutdown: 0

Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.047, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.016, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

1004 ActiveDirectory_DomainService Active Directory Domain Services was shut down successfully.
1539 ActiveDirectory_DomainService Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.

Data might be lost during system failures

2179 ActiveDirectory_DomainService The msDS-GenerationId attribute of the Domain Controller’s computer object has been set to the following parameter:
2173 ActiveDirectory_DomainService Failed to read the msDS-GenerationId attribute of the Domain Controller’s computer object. This may be caused by database transaction failure, or the generation id does not exist in the local database. The msDS-GenerationId does not exist during the first reboot after dcpromo or the DC is not a virtual domain controller.

6

1000 ActiveDirectory_DomainService Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0
1394 ActiveDirectory_DomainService All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.
1128 ActiveDirectory_DomainService A replication connection was created from the following source directory service to the local directory service.

Source directory service:

Local directory service:

Creation Point Internal ID:

f0a025d

1999 ActiveDirectory_DomainService The source directory service has optimized the update sequence number (USN) presented by the destination directory service. The source and destination directory services have a common replication partner. The destination directory service is up to date with the common replication partner, and the source directory service was installed using a backup of this partner.

Destination directory service ID:

Common directory service ID:

Common property USN:

As a result, the up-to-dateness vector of the destination directory service has been configured with the following settings.

Previous object USN:

Previous property USN:

System Event Log

The next indications of cloning operations are in the System Event log. As the hypervisor tells the guest computer that it was cloned or restored from a snapshot, the domain controller immediately invalidates its RID pool to avoid duplicating security principals later. As cloning proceeds, various expected operations and messages appear, mostly around services starting and stopping and some expected errors caused by this. When completed the System event log notes overall cloning success.

Event ID Source Message
16654 Directory-Services-SAM A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases:

1. A domain controller is restored from backup.

2. A domain controller running on a virtual machine is restored from snapshot.

3. An administrator has manually invalidated the pool

7036 Service Control Manager The Active Directory Domain Services service entered the running state.
7036 Service Control Manager The Kerberos Key Distribution Center service entered the running state.
3096 Netlogon The primary Domain Controller for this domain could not be located.
7036 Service Control Manager The Security Accounts Manager service entered the running state.
7036 Service Control Manager The Server service entered the running state.
7036 Service Control Manager The Netlogon service entered the running state.
7036 Service Control Manager The Active Directory Web Services service entered the running state.
7036 Service Control Manager The DFS Replication service entered the running state.
7036 Service Control Manager The File Replication Service service entered the running state.
14533 Microsoft-Windows-DfsSvc DFS has finished building all namespaces.
14531 Microsoft-Windows-DfsSvc DFS server has finished initializing.
7036 Service Control Manager The DFS Namespace service entered the running state.
7023 Service Control Manager The Intersite Messaging service terminated with the following error:

The specified server cannot perform the requested operation.

7036 Service Control Manager The Intersite Messaging service entered the stopped state.
5806 Netlogon Dynamic updates have been manually disabled on this domain controller.

Reconfigure this domain controller to use dynamic updates or manually add the DNS records from the file ‘%SystemRoot%\System32\Config\Netlogon.dns’ to the DNS database.

16651 Directory-Services-SAM The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is

The requested FSMO operation failed. The current FSMO holder could not be contacted.

7036 Service Control Manager The DNS Server service entered the running state.
7036 Service Control Manager The DS Role Server service entered the running state.
7036 Service Control Manager The Netlogon service entered the stopped state.
7036 Service Control Manager The File Replication Service service entered the stopped state.
7036 Service Control Manager The Kerberos Key Distribution Center service entered the stopped state.
7036 Service Control Manager The DNS Server service entered the stopped state.
7036 Service Control Manager The Active Directory Domain Services service entered the stopped state.
7036 Service Control Manager The Netlogon service entered the running state.
7040 Service Control Manager The start type of the Active Directory Domain Services service was changed from auto start to disabled.
7036 Service Control Manager The Netlogon service entered the stopped state.
7036 Service Control Manager The File Replication Service service entered the running state.
29219 DirectoryServices-DSROLE-Server Virtual domain controller cloning succeeded.
29223 DirectoryServices-DSROLE-Server This server is now a Domain Controller.
29265 DirectoryServices-DSROLE-Server Virtual domain controller cloning succeeded. The virtual domain controller cloning configuration file C:\Windows\NTDS\DCCloneConfig.xml has been renamed to C:\Windows\NTDS\DCCloneConfig.20120207-151533.xml.
1074 User32 The process C:\Windows\system32\lsass.exe (DC2) has initiated the restart of computer DC2 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Reconfiguration (Planned)

Reason Code: 0x80020004

Shutdown Type: restart
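The two tables above give the expected milestone events for a clone; the following PowerShell is an added example (not code from the original module or from any Microsoft tool) that reads those milestones from the Directory Service and System logs and states how far a clone got, using only event IDs listed on this page (2160, 2164, 2170, 1109, 16654, 2163, 29219, 29265 and the DSROLE-Server error events 29256, 29257, 29264, 29266, 29267). The sample events are constructed; the live wrapper assumes it runs on the clone with rights to read both logs.

```powershell
# Added example: walk the cloning milestone events and give a verdict on the clone's state.
$CloneMilestones = @(
    @{ Log = 'Directory Service'; Id = 2160;  Meaning = 'DCCloneConfig.xml found; cloning starts' }
    @{ Log = 'Directory Service'; Id = 2170;  Meaning = 'VM-Generation ID change detected' }
    @{ Log = 'Directory Service'; Id = 1109;  Meaning = 'invocationID changed' }
    @{ Log = 'System';            Id = 16654; Meaning = 'RID pool invalidated' }
    @{ Log = 'Directory Service'; Id = 2163;  Meaning = 'DsRoleSvc started to clone this DC' }
    @{ Log = 'System';            Id = 29219; Meaning = 'Virtual domain controller cloning succeeded' }
    @{ Log = 'System';            Id = 29265; Meaning = 'DCCloneConfig.xml renamed' }
)
# DSROLE-Server error events from the reference table above; any of them means cloning failed
$CloneErrorIds = 29256, 29257, 29264, 29266, 29267

function Get-DcCloneProgress {
    param([Parameter(Mandatory)][object[]]$Event)   # objects with LogName, Id, TimeCreated
    foreach ($m in $CloneMilestones) {
        $hit = $Event | Where-Object { $_.LogName -eq $m.Log -and $_.Id -eq $m.Id } |
               Sort-Object TimeCreated | Select-Object -First 1
        [pscustomobject]@{
            Log = $m.Log; Id = $m.Id; Meaning = $m.Meaning
            Seen = [bool]$hit
            When = if ($hit) { $hit.TimeCreated } else { $null }
        }
    }
}

function Get-DcCloneVerdict {
    param([Parameter(Mandatory)][object[]]$Event)
    $seen = @{}
    foreach ($p in Get-DcCloneProgress -Event $Event) { $seen[$p.Id] = $p.Seen }
    $errors       = $Event | Where-Object { $_.LogName -eq 'System' -and $CloneErrorIds -contains $_.Id }
    $dsRoleFailed = $Event | Where-Object { $_.LogName -eq 'Directory Service' -and $_.Id -eq 2164 }
    if (-not $seen[2160]) { return 'No event 2160: no DCCloneConfig.xml was found, so this boot was not a cloning attempt' }
    if ($dsRoleFailed)    { return 'Event 2164: DsRoleSvc did not start; the server is a duplicate of the source DC (see KB 2742970)' }
    if ($errors) {
        return "DSROLE error event(s) $(($errors.Id | Sort-Object -Unique) -join ', '): cloning failed, check dcpromo.log"
    }
    if ($seen[29219] -and -not $seen[29265]) { return 'Cloning succeeded but DCCloneConfig.xml was not renamed: rename it manually before the next boot' }
    if ($seen[29219]) { return 'Cloning succeeded' }
    return 'Cloning started (2160) but no success event: check dcpromo.log and whether the server booted into DSRM'
}

# Live use on the clone. Get-WinEvent raises a non-terminating error when a filter matches nothing,
# hence SilentlyContinue; an empty result simply yields the "not a cloning attempt" verdict.
function Get-DcCloneEvents {
    $ids = @($CloneMilestones | ForEach-Object { $_.Id }) + $CloneErrorIds + 2164
    foreach ($log in 'Directory Service', 'System') {
        Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids } -ErrorAction SilentlyContinue
    }
}

# Constructed sample (not a real log): a clone that reached the success events
$sampleEvents = @(
    [pscustomobject]@{ LogName = 'Directory Service'; Id = 2160;  TimeCreated = [datetime]'2012-02-07 15:12:40' }
    [pscustomobject]@{ LogName = 'Directory Service'; Id = 2170;  TimeCreated = [datetime]'2012-02-07 15:12:50' }
    [pscustomobject]@{ LogName = 'Directory Service'; Id = 1109;  TimeCreated = [datetime]'2012-02-07 15:12:51' }
    [pscustomobject]@{ LogName = 'System';            Id = 16654; TimeCreated = [datetime]'2012-02-07 15:12:52' }
    [pscustomobject]@{ LogName = 'Directory Service'; Id = 2163;  TimeCreated = [datetime]'2012-02-07 15:13:00' }
    [pscustomobject]@{ LogName = 'System';            Id = 29219; TimeCreated = [datetime]'2012-02-07 15:15:30' }
    [pscustomobject]@{ LogName = 'System';            Id = 29265; TimeCreated = [datetime]'2012-02-07 15:15:33' }
)
Get-DcCloneProgress -Event $sampleEvents | Format-Table -AutoSize
Get-DcCloneVerdict  -Event $sampleEvents
# Drop the two success events to see the "check dcpromo.log / DSRM" verdict for a stalled clone
Get-DcCloneVerdict  -Event ($sampleEvents | Where-Object Id -notin 29219, 29265)
```

On a real clone, `Get-DcCloneVerdict -Event (Get-DcCloneEvents)` gives the same verdict from the live logs.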

DCPROMO.LOG

The Dcpromo.log contains the actual promotion portion of cloning that the Directory Services event log does not describe. Since the log does not provide the level of explanation that the event log entries impart, this section of the module contains additional annotation.

The promotion process means that the cloning starts, the DC is scrubbed of its current configuration and re-promoted using the existing AD database (much like an IFM promotion), then the DC replicates inbound change deltas of AD and SYSVOL, and cloning is complete.

The log has been modified in this module for readability, by removing the date column.

For further explanation of the dcpromo.log see the Understand and Troubleshoot AD DS Simplified Administration in Windows Server 2012.

  • Start clone-based promotion
  • Set the Directory Services Restore Mode flag so that the server does not boot back up normally as the original clone and cause naming or Directory Service collisions
  • Update the Directory Services event log
  • Examine the dccloneconfig.xml file for administrator-specified customizations. In this sample case it is a blank file, so all settings are automatically generated and automatic IP addressing is required from the network
  • Locate the PDC emulator
  • Set the clone’s site (automatically generated in this case)
  • Set the clone’s name (automatically generated in this case)
  • Create the new clone computer object
  • Rename the clone to match the new name
  • Provide the promotion settings, based on previous dccloneconfig.xml or automatic generation rules
  • Start promotion
  • Stop and configure all of the AD DS-related services (NTDS, NTFRS/DFSR, KDC, DNS). The DNS service taking a long time to shut down is expected in this scenario, as it is using AD-integrated zones that were no longer available even before the NTDS service stopped (see the DNS events described later in this section of the module)
  • Force NT5DS (NTP) time synchronization with another domain controller (typically the PDCE)
  • Contact a domain controller that holds the source domain controller account of the clone
  • Flush any existing Kerberos tickets
  • Configure the DFSR/NTFRS services to run automatically
  • Delete their existing database files to force non-authoritative sync of SYSVOL when the service next starts
  • Start the promotion process using the existing NTDS database file
  • Contact the RID Master
  • The AD DS service is not actually installed here; this is legacy instrumentation in the log
  • Change the existing invocation ID that existed in the source computer’s database
  • Create a new NTDS Settings object for this clone
  • Replicate in AD object delta from the partner domain controller. Even though all objects are listed as replicated, this is just metadata needed to subsume the updates. All the unchanged objects in the cloned NTDS database already exist and do not require replication again, just like using IFM-based promotion
  • Populate the GC partitions as needed with any missing updates
  • Complete the critical AD DS portion of the promotion
  • Cloning promotion is complete
  • Remove the DSRM boot flag so the server boots normally next time
  • Rename the dccloneconfig.xml so that it is not read again at next bootup
  • Restart the computer

Active Directory Web Services Event Log

While cloning is occurring, the NTDS.DIT database is often offline for extended periods. The ADWS service logs at least one event for this. After cloning is complete, the ADWS service starts, notes that there is not yet a valid computer certificate (there may or may not be, depending on whether your environment deploys a Microsoft PKI with auto-enrollment) and then starts the instance for the new domain controller.

Event ID Source Message
1202 ADWS Instance Events This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.

Directory instance: NTDS

Directory instance LDAP port: 389

Directory instance SSL port: 636

1000 ADWS Instance Events Active Directory Web Services is starting
1008 ADWS Instance Events Active Directory Web Services has successfully reduced its security privileges
1100 ADWS Instance Events The values specified in the section of the configuration file for Active Directory Web Services have been loaded without errors.
1400 ADWS Certificate Events Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certification Authority (CA) is installed on the machine.

Certificate name:

1100 ADWS Instance Events The values specified in the section of the configuration file for Active Directory Web Services have been loaded without errors.
1200 ADWS Instance Events Active Directory Web Services is now servicing the specified directory instance.

Directory instance: NTDS

Directory instance LDAP port: 389

Directory instance SSL port: 636

DNS Server Event Log

The DNS service will experience brief expected outages while cloning occurs, as the DNS service is still running while the AD DS database is offline. This occurs if using Active Directory Integrated DNS, but not if using Standard Primary or Secondary DNS. These errors log multiple times. After cloning completes, DNS comes back online normally.

Event ID Source Message
4013 DNS-Server-Service The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
4015 DNS-Server-Service The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
4000 DNS-Server-Service The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
4013 DNS-Server-Service The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
2 DNS-Server-Service The DNS server has started.
4 DNS-Server-Service The DNS server has finished the background loading of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.

    File Replication Service Event Log

    The File Replication Service synchronizes non-authoritatively from a partner during cloning. Cloning accomplishes this by deleting the NTFRS database files and leaving the contents of SYSVOL untouched, for use as pre-seeded data. The two attempts to synchronize are expected.

    Event ID Source Message
    13562 NtFrs Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller DC2.root.fabrikam.com for FRS replica set configuration information.

    Could not bind to a Domain Controller. Will try again at next polling cycle

    13502 NtFrs The File Replication Service is stopping.
    13565 NtFrs File Replication Service is initializing the system volume with data from another domain controller. Computer DC2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

    To check for the SYSVOL share, at the command prompt, type:

    When File Replication Service completes the initialization process, the SYSVOL share will appear.

    The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

    13501 NtFrs The File Replication Service is starting
    13502 NtFrs The File Replication Service is stopping.
    13503 NtFrs The File Replication Service has stopped.
    13565 NtFrs File Replication Service is initializing the system volume with data from another domain controller. Computer DC2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

    To check for the SYSVOL share, at the command prompt, type:

    When File Replication Service completes the initialization process, the SYSVOL share will appear.

    The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

    13501 NtFrs The File Replication Service is starting.
    13553 NtFrs The File Replication Service successfully added this computer to the following replica set:

    "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

    Information related to this event is shown below:

    Computer DNS name is

    Replica set member name is

    Replica set root path is

    Replica staging directory path is

    Replica working directory path is

    13520 NtFrs The File Replication Service moved the preexisting files in

    The File Replication Service may delete the files in

    NtFrs_PreExisting___See_EventLog. Copying the files into c:\windows\sysvol\domain may lead to name conflicts if the files already exist on some other replicating partner.

    In some cases, the File Replication Service may copy a file from

    instead of replicating the file from some other replicating partner.

    Space can be recovered at any time by deleting the files in

    NtFrs_PreExisting___See_EventLog.

    13508 NtFrs The File Replication Service is having trouble enabling replication from to for

    DNS name . FRS will keep retrying.

    Following are some of the reasons you would see this warning.

    [1] FRS cannot correctly resolve the DNS name from this computer.

    [2] FRS is not running on .

    [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

    This event log message will appear once per connection. After the problem is fixed you will see another event log message indicating that the connection has been established.

    13509 NtFrs The File Replication Service has enabled replication from to for

    after repeated retries.

    13516 NtFrs The File Replication Service is no longer preventing the computer from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.

    Type "net share" to check for the SYSVOL share.

    DFS Replication Event Log

    The DFSR service synchronizes non-authoritatively from a partner during cloning. Cloning accomplishes this by deleting the DFSR database files and leaving the contents of SYSVOL untouched, for use as pre-seeded data. The two attempts to synchronize are expected.

    Event ID Source Message
    1004 DFSR The DFS Replication service has started.
    1314 DFSR The DFS Replication service successfully configured the debug log files.

    Debug Log File Path: C:\Windows\debug

    6102 DFSR The DFS Replication service has successfully registered the WMI provider
    1206 DFSR The DFS Replication service successfully contacted domain controller DC2.corp.contoso.com to access configuration information.
    1210 DFSR The DFS Replication service successfully set up an RPC listener for incoming replication requests.

    Port: 0

    4614 DFSR The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication Service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.

    Replicated Folder Name: SYSVOL Share

    Replicated Folder ID:

    Replication Group Name: Domain System Volume

    Replication Group ID:

    Read-Only: 0

    4604 DFSR The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner dc1.corp.contoso.com. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share".

    Replicated Folder Name: SYSVOL Share

    Replicated Folder ID:

    Replication Group Name: Domain System Volume

    Replication Group ID:

    Sync partner:
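
The DFSR rows above show the two states a freshly cloned or restored DC passes through: event 4614 (SYSVOL initialized, waiting for initial sync, DC does not advertise) and event 4604 (initial sync complete, check with "net share"). The following PowerShell is an added example, not code from the Microsoft article, that turns that check into a function: it looks for the latest 4614 and 4604 in the DFS Replication log, decides which state the DC is in, and reports whether the SYSVOL share is actually published. The function name Get-SysvolSyncState and the parameter names are my own; it assumes a DFSR-based SYSVOL and that the live queries run on the domain controller itself. The sample events at the bottom are constructed so the logic can be exercised without a DC.

```powershell
# Added example (not from the Microsoft article): classify the SYSVOL initial-sync
# state from DFSR events 4614/4604 and cross-check the share the 4604 text tells
# you to verify with "net share". Assumes DFSR-based SYSVOL; run on the DC itself.

function Get-SysvolSyncState {
    param(
        # Objects with Id and TimeCreated; defaults to the live DFS Replication log.
        [object[]]$Events = $(Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4614, 4604 } -ErrorAction SilentlyContinue),
        # Whether the SYSVOL share is currently published on this server.
        [bool]$SysvolShared = $($null -ne (Get-SmbShare -Name 'SYSVOL' -ErrorAction SilentlyContinue))
    )

    $lastWait = $Events | Where-Object { $_.Id -eq 4614 } | Sort-Object TimeCreated | Select-Object -Last 1
    $lastDone = $Events | Where-Object { $_.Id -eq 4604 } | Sort-Object TimeCreated | Select-Object -Last 1

    # A 4604 that is newer than the newest 4614 means the last initial sync finished;
    # a newer 4614 means the DC went back into the waiting state (e.g. after a revert).
    if (-not $lastWait -and -not $lastDone) {
        $state = 'NoDfsrSysvolEvents'
    } elseif ($lastDone -and (-not $lastWait -or $lastDone.TimeCreated -ge $lastWait.TimeCreated)) {
        $state = 'InitialSyncComplete'
    } else {
        $state = 'WaitingForInitialSync'
    }

    # What each state means for the DC, taken from the 4614/4604 and FRS event text.
    $advice = @{
        NoDfsrSysvolEvents    = 'No DFSR SYSVOL events; if SYSVOL still uses FRS, look for 13565/13516 in the File Replication Service log.'
        InitialSyncComplete   = 'Initial sync finished; if SYSVOL is still not shared, look at Netlogon and the System log rather than DFSR.'
        WaitingForInitialSync = 'Still in initial sync; the DC will not advertise until it has replicated with its partner (event 4614).'
    }

    $lastWaitTime = if ($lastWait) { $lastWait.TimeCreated } else { $null }
    $lastDoneTime = if ($lastDone) { $lastDone.TimeCreated } else { $null }

    [pscustomobject]@{
        State        = $state
        LastWaiting  = $lastWaitTime
        LastComplete = $lastDoneTime
        SysvolShared = $SysvolShared
        Advisory     = $advice[$state]
    }
}

# Constructed sample: a sync that completed, then a later 4614, i.e. a DC that
# reverted and is waiting for initial sync again with no share published.
$t0 = Get-Date '2024-01-01 08:00:00'
$SampleEvents = @(
    [pscustomobject]@{ Id = 4614; TimeCreated = $t0 },
    [pscustomobject]@{ Id = 4604; TimeCreated = $t0.AddMinutes(5) },
    [pscustomobject]@{ Id = 4614; TimeCreated = $t0.AddHours(2) }
)
Get-SysvolSyncState -Events $SampleEvents -SysvolShared $false | Format-List

# Live run on a domain controller (reads the real log and share table):
# Get-SysvolSyncState | Format-List
```

The constructed sample reports WaitingForInitialSync with SysvolShared False, which is exactly the symptom listed later on this page under "Restored domain controllers do not share SYSVOL": the fix is on the upstream partner, not on the restored DC.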

    Troubleshooting virtualized domain controller safe restore

    Tools for Troubleshooting

    Logging Options

    The built-in logs are the most important tool for troubleshooting issues with domain controller safe snapshot restore. All of these logs are enabled and configured for maximum verbosity, by default.

    Operation Log
    Snapshot creation — Event viewer\Applications and services logs\Microsoft\Windows\Hyper-V-Worker
    Snapshot restore — Event viewer\Applications and services logs\Directory Service
    — Event viewer\Windows logs\System
    — Event viewer\Windows logs\Application
    — Event viewer\Applications and services logs\File Replication Service
    — Event viewer\Applications and services logs\DFS Replication
    — Event viewer\Applications and services logs\DNS
    — Event viewer\Applications and services logs\Microsoft\Windows\Hyper-V-Worker

    Tools and Commands for Troubleshooting Domain Controller Configuration

    To troubleshoot issues not explained by the logs, use the following tools as a starting point:

    Network Monitor 3.4

    General Methodology for Troubleshooting Domain Controller Safe Restore

    Is the safe snapshot restore expected, but having issues?

    Examine the Directory Services event log

    Are there snapshot restore errors?

    Are there AD replication errors?

    Examine the System event log

    Are there communication errors?

    Are there AD errors?

    Is the safe snapshot restore unexpected?

    Examine the hypervisor audit logs to determine who or what caused a rollback

    Contact all administrators of the hypervisor and interrogate them as to who rolled back the VM without notification

    Is the server implementing USN rollback protection and not safely restoring?

    Examine the Directory Services event log for an unsupported hypervisor or integration services

    Examine the operating system and validate running Windows Server 2012?

    Troubleshooting Specific Problems

    Events

    All virtualized domain controller safe snapshot restore events write to the Directory Services event log of the restored domain controller VM. The Application, System, File Replication Service, and DFS Replication event logs may also contain useful troubleshooting information for failed restores.

    Below are the Windows Server 2012 safe restore-specific events in the Directory Services event log.

    Events Description
    Event ID 2170
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Warning
    Message A Generation ID change has been detected.

    Generation ID cached in DS (old value):%1

    Generation ID currently in VM (new value):%2

    The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. Active Directory Domain Services will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

    Notes and resolution This is a success event if the snapshot was expected. If not, examine the Hyper-V-Worker event log or contact the hypervisor administrator.
    Events Description
    Event ID 2174
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message The DC is neither a virtual domain controller clone nor a restored virtual domain controller snapshot.
    Notes and resolution Expected event when starting physical domain controllers or virtualized domain controllers not restored from snapshot
    Events Description
    Event ID 2181
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.
    Notes and resolution Expected when restoring a snapshot. Transactions track the VM Generation ID changing
    Event Description
    Event ID 2185
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Active Directory Domain Services stopped the FRS or DFSR service used to replicate the SYSVOL folder.

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services must initialize a non-authoritative restore on the local SYSVOL replica. This is performed by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Event 2187 will be logged when FRS or DFSR service is restarted.

    Notes and resolution Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC’s copy.
    Event Description
    Event ID 2186
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Active Directory Domain Services failed to stop the FRS or DFSR service used to replicate the SYSVOL folder.

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services must initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR replication service used to replicate the SYSVOL folder and then starting it with the appropriate registry keys and values to trigger the restore. Active Directory Domain Services failed to stop the current running service and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually.

    Notes and resolution Examine the System, FRS and DFSR event logs for further information.
    Event Description
    Event ID 2187
    Severity Informational
    Message Active Directory Domain Services started the FRS or DFSR service used to replicate the SYSVOL folder.

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needed to initialize a non-authoritative restore on the local SYSVOL replica. This was done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.

    Notes and resolution Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC’s copy.
    Event Description
    Event ID 2188
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Active Directory Domain Services failed to start the FRS or DFSR service used to replicate the SYSVOL folder.

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needs to initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL and starting it with appropriate registry keys and values to trigger the restore. Active Directory Domain Services failed to start the FRS or DFSR service used to replicate the SYSVOL folder and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually and restart the service.

    Notes and resolution Examine the System, FRS and DFSR event logs for further information.
    Event Description
    Event ID 2189
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Active Directory Domain Services set the following registry values to initialize SYSVOL replica during a non-authoritative restore:

    Registry Value: %2

    Registry Value data: %3

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needs to initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.

    Notes and resolution Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC’s copy.
    Event Description
    Event ID 2190
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Active Directory Domain Services failed to set the following registry values to initialize the SYSVOL replica during a non-authoritative restore:

    Registry Value: %2

    Registry Value data: %3

    Active Directory detected that the virtual machine that hosts the domain controller role was reverted to a previous state. Active Directory Domain Services needs to initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Active Directory Domain Services failed to set the above registry values and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually.

    Notes and resolution Examine Application and System event logs. Investigate third party applications that may be blocking registry updates.
    Event Description
    Event ID 2200
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services initializes replication to bring the domain controller current. Event 2201 will be logged when the replication is finished.
    Notes and resolution Expected when restoring a snapshot. Marks the beginning of inbound AD replication.
    Event Description
    Event ID 2201
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services has finished replication to bring the domain controller current.
    Notes and resolution Expected when restoring a snapshot. Marks the end of inbound AD replication.
    Event Description
    Event ID 2202
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services failed replication to bring the domain controller up-to-date. The domain controller will be updated after next periodic replication.
    Notes and resolution Examine the Directory Services and System event logs. Use repadmin.exe to attempt forcing replication and note any failures.
    Event Description
    Event ID 2204
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Active Directory Domain Services has detected a change of virtual machine generation ID. The change means that the virtual domain controller has been reverted to a previous state. Active Directory Domain Services will perform the following operations to protect the reverted domain controller against possible data divergence and to protect creation of security principals with duplicate SIDs:

    Create a new invocation ID

    Invalidate current RID pool

    Ownership of the FSMO roles will be validated at next inbound replication. During this window if the domain controller held a FSMO role, that role will be unavailable.

    Start SYSVOL replication service restore operation.

    Start replication to bring the reverted domain controller to the most current state.

    Request a new RID pool.

    Notes and resolution Expected when restoring a snapshot. This explains all the various reset operations that will occur as part of the safe restore process.
    Event Description
    Event ID 2205
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Active Directory Domain Services invalidated current RID pool after virtual domain controller was reverted to previous state.
    Notes and resolution Expected when restoring a snapshot. The local RID pool must be destroyed because the domain controller has travelled back in time and the RIDs in that pool may already have been issued.
    Event Description
    Event ID 2206
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity ERROR
    Message Active Directory Domain Services failed to invalidate current RID pool after virtual domain controller was reverted to previous state.

    Error value: %2

    Notes and resolution Examine the Directory Services and System event logs. Validate that the RID Master is online and can be reached from this server using Dcdiag.exe /test:ridmanager
    Event Description
    Event ID 2207
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity ERROR
    Message Active Directory Domain Services failed to restore after virtual domain controller was reverted to previous state. A reboot into DSRM was requested. Please check previous events for more information.
    Notes and resolution Examine the Directory Services and System event logs.
    Event Description
    Event ID 2208
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Active Directory Domain Services deleted DFSR databases to initialize SYSVOL replica during a non-authoritative restore.
    Notes and resolution Expected when restoring a snapshot. This guarantees DFSR non-authoritatively synchronizes SYSVOL from a partner DC. Note that any other DFSR Replicated Folders on the same volume as SYSVOL will also non-authoritatively sync (domain controllers are not recommended to host custom DFSR sets on the same volume as SYSVOL).
    Event Description
    Event ID 2209
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message failed to delete DFSR databases.

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needs to initialize a non-authoritative restore on the local SYSVOL replica. For DFSR, this is done by stopping the DFSR service, deleting DFSR databases, and re-starting the service. Upon restarting DFSR will rebuild the databases and start the initial sync.

    Notes and resolution Examine the DFSR event log.
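
The methodology above boils down to reading the Directory Services log and deciding, per Generation ID change, whether the safe restore ran to completion and whether it was expected. The PowerShell below is an added example, not code from the Microsoft article, that does the first half of that: it groups the events from the table above into restore episodes (each 2170 opens one), records which of the expected steps were logged, and collects the error events (2186, 2188, 2190, 2202, 2206, 2207, 2209) that the table says to investigate. The function name Get-VdcSafeRestoreReport, the step labels and the $SampleEvents data are my own; event 2208 is not treated as a required step because it only appears on DFSR-based SYSVOL. Whether an episode was expected still has to be answered from the hypervisor audit log, as the methodology says.

```powershell
# Added example (not from the Microsoft article): summarize virtualized-DC safe
# restore episodes from the Directory Service log, using only the event IDs and
# meanings documented in the table above. $SampleEvents is constructed data.

# Steps every successful safe restore is expected to log (plain hashtable: indexing
# an [ordered] dictionary with an int would select by position, not by key).
$StepName = @{
    2170 = 'Generation ID change detected'
    2204 = 'Safe restore operations announced'
    2205 = 'RID pool invalidated'
    2200 = 'Inbound AD replication started'
    2201 = 'Inbound AD replication finished'
    2185 = 'SYSVOL replication service stopped'
    2189 = 'Non-authoritative restore registry values set'
    2187 = 'SYSVOL replication service started'
}
$FailureName = @{
    2186 = 'failed to stop SYSVOL replication service'
    2188 = 'failed to start SYSVOL replication service'
    2190 = 'failed to set restore registry values'
    2202 = 'inbound replication failed'
    2206 = 'failed to invalidate RID pool'
    2207 = 'safe restore failed, DSRM reboot requested'
    2209 = 'failed to delete DFSR databases'
}

function Get-VdcSafeRestoreReport {
    param(
        # Objects with Id and TimeCreated; defaults to the live Directory Service log.
        [object[]]$Events = $(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = @($StepName.Keys) + @($FailureName.Keys) } -ErrorAction SilentlyContinue)
    )
    $episodes = New-Object System.Collections.ArrayList
    $current  = $null
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $id = [int]$e.Id
        if ($id -eq 2170) {
            # Each Generation ID change opens a new restore episode.
            $current = [pscustomobject]@{
                Started = $e.TimeCreated
                Seen    = New-Object System.Collections.ArrayList
                Errors  = New-Object System.Collections.ArrayList
            }
            [void]$episodes.Add($current)
        }
        if ($null -eq $current) { continue }   # events before the first 2170 are ignored
        [void]$current.Seen.Add($id)
        if ($FailureName.ContainsKey($id)) { [void]$current.Errors.Add("$id $($FailureName[$id])") }
    }
    foreach ($ep in $episodes) {
        $missing = @($StepName.Keys | Where-Object { $ep.Seen -notcontains $_ })
        [pscustomobject]@{
            Started      = $ep.Started
            Completed    = ($missing.Count -eq 0) -and ($ep.Errors.Count -eq 0)
            Errors       = $ep.Errors -join '; '
            MissingSteps = @($missing | ForEach-Object { "$_ $($StepName[$_])" }) -join '; '
        }
    }
}

# Constructed sample: a clean episode, then one where the SYSVOL service failed to
# start (2188) after the stop, so 2187 never appears.
$t0 = Get-Date '2024-01-01 08:00:00'
$timeline = @(
    @(2170, 0), @(2204, 1), @(2205, 2), @(2200, 3), @(2201, 20), @(2185, 21), @(2189, 22), @(2208, 22), @(2187, 25),
    @(2170, 3600), @(2204, 3601), @(2205, 3602), @(2200, 3603), @(2201, 3620), @(2185, 3621), @(2189, 3622), @(2208, 3622), @(2188, 3625)
)
$SampleEvents = $timeline | ForEach-Object { [pscustomobject]@{ Id = $_[0]; TimeCreated = $t0.AddSeconds($_[1]) } }
Get-VdcSafeRestoreReport -Events $SampleEvents | Format-Table -AutoSize

# Live run on a domain controller:
# Get-VdcSafeRestoreReport | Format-Table -AutoSize
```

On the sample the first episode reports Completed True and the second Completed False with the 2188 error and 2187 listed as the missing step, which maps directly onto the "Examine the System, FRS and DFSR event logs" resolution for 2188 above. Every episode the report lists is a VM-Generation-ID change; one that nobody scheduled is the "unexpected safe snapshot restore" branch of the methodology and belongs with the hypervisor audit logs.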

    Error Messages

    There are no direct interactive errors for failed virtualized domain controller safe snapshot restore; all cloning information logs in the Directory Services event logs. Naturally, any critical replication or server advertising errors manifest themselves as symptoms elsewhere.

    Known Issues and Support Scenarios

    Issue Cannot create new security principals on recently safe restored domain controller
    Symptoms After restoring a snapshot, attempts to create a new security principal (user, computer, group) on that domain controller fail with:

    The directory service was unable to allocate a relative identifier.

    Resolution and Notes This issue is caused by the restored computer’s stale knowledge of the RID Master FSMO role. If the role moved to this or another domain controller after a snapshot was taken and then later restored, the restored domain controller will not have knowledge of the RID master until initial replication has completed.

    To resolve the issue, allow AD replication to complete inbound to the restored domain controller. If still not working, validate that all domain controllers have the same correct knowledge of which DC hosts the RID Master.

    Issue Restored domain controllers do not share SYSVOL or advertise
    Symptoms After restoring a snapshot, one or more DCs do not advertise, do not share SYSVOL, and do not have up-to-date SYSVOL contents.
    Resolution and Notes The DC’s upstream partners do not have a working SYSVOL replica that is correctly replicating with DFSR or FRS. This issue is unrelated to safe restore but is likely to manifest as a safe restore issue, because the customer was unaware of the other replication issue affecting un-restored DCs.

    Advanced Troubleshooting

    This module seeks to teach advanced troubleshooting by using working logs as samples, with some explanation of what occurred. If you understand what a successful virtualized domain controller operation looks like, failures become obvious in your environment. These logs are presented by their source, with the ascending order of expected events related to a cloned domain controller within each log.

    Restoring a Domain Controller that Replicates SYSVOL Using DFSR

    Directory Services Event Log

    The Directory Services log contains the majority of safe restore operational information. The hypervisor changes the VM-Generation ID and the NTDS service notes it, then invalidates the RID pool and changes the invocation ID. The new VM-Generation ID is set and the server replicates AD data inbound. The DFSR service is stopped and its database that hosts SYSVOL is deleted, forcing a non-authoritative sync inbound. The USN high watermark is adjusted.

    Event ID Source Message
    2170 ActiveDirectory_DomainService A Generation ID change has been detected.

    Generation ID cached in DS (old value):

    Generation ID currently in VM (new value):

    The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. Active Directory Domain Services will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

    2181 ActiveDirectory_DomainService The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.
    2204 ActiveDirectory_DomainService Active Directory Domain Services has detected a change of virtual machine generation ID. The change means that the virtual domain controller has been reverted to a previous state. Active Directory Domain Services will perform the following operations to protect the reverted domain controller against possible data divergence and to protect creation of security principals with duplicate SIDs:

    Create a new invocation ID

    Invalidate current RID pool

    Ownership of the FSMO roles will be validated at next inbound replication. During this window if the domain controller held a FSMO role, that role will be unavailable.

    Start SYSVOL replication service restore operation.

    Start replication to bring the reverted domain controller to the most current state.

    Request a new RID pool.

    2181 ActiveDirectory_DomainService The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.
    1109 ActiveDirectory_DomainService The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:

    InvocationID attribute (old value):

    InvocationID attribute (new value):

    Update sequence number:

    The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

    2179 ActiveDirectory_DomainService The msDS-GenerationId attribute of the Domain Controller’s computer object has been set to the following parameter:
    2200 ActiveDirectory_DomainService Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services initializes replication to bring the domain controller current. Event 2201 will be logged when the replication is finished.
    2201 ActiveDirectory_DomainService Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services has finished replication to bring the domain controller current.
    2185 ActiveDirectory_DomainService Active Directory Domain Services stopped the FRS or DFSR service used to replicate the SYSVOL folder.

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services must initialize a non-authoritative restore on the local SYSVOL replica. This is performed by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Event 2187 will be logged when FRS or DFSR service is restarted.

    2208 ActiveDirectory_DomainService Active Directory Domain Services deleted DFSR databases to initialize SYSVOL replica during a non-authoritative restore.

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needs to initialize a non-authoritative restore on the local SYSVOL replica. For DFSR, this is done by stopping the DFSR service, deleting DFSR databases, and re-starting the service. Upon restarting DFSR will rebuild the databases and start the initial sync.

    2187 ActiveDirectory_DomainService Active Directory Domain Services started the FRS or DFSR service used to replicate the SYSVOL folder.

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needed to initialize a non-authoritative restore on the local SYSVOL replica. This was done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.

    1587 ActiveDirectory_DomainService This directory service has been restored or has been configured to host an application directory partition. As a result, its replication identity has changed. A partner has requested replication changes using our old identity. The starting sequence number has been adjusted.

    The destination directory service corresponding to the following object GUID has requested changes starting at a USN that precedes the USN at which the local directory service was restored from backup media.

    USN at the time of restore:

    As a result, the up-to-dateness vector of the destination directory service has been configured with the following settings.


Scenario:

  • DC1 / Windows Server 2016 (ver 1607 GUI)
  • DC2 / Windows Server 2016 (ver 1607 GUI) 
  • All servers on the same single subnet with 1 G network connectivity, no delay, no timeouts

Both DCs were migrated from old Server 2003/2008 servers to 2016 servers (all are VM guests). I migrated the OS and AD one by one; for example, I first removed DC2, installed 2016, then promoted it as a DC.

Afterwards, when I tried to remove DC1, I got some errors, so I removed it forcefully with dcpromo and deleted its entries from DC2. Afterwards I installed a new 2016 on DC1 and promoted it as a DC.

Now both DCs are on Server 2016 and working fine: users can log in with both servers, GPOs apply fine, and all data replicates OK.

In DC1 > Event Viewer > Directory Services, I am seeing the following errors on a daily basis:


Error: 1863
This is the replication status for the following directory partition on this directory server. 
Directory partition:
DC=ForestDnsZones,DC=MYDOMAIN 
This directory server has not received replication information from a number of directory servers within the configured latency interval. 
Latency Interval (Hours): 
24 
Number of directory servers in all sites:
1 
Number of directory servers in this site:
1 
The latency interval can be modified with the following registry key. 
Registry Key: 
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Replicator latency error interval (hours) 
To identify the directory servers by name, use the dcdiag.exe tool. 
You can also use the support tool repadmin.exe to display the replication latencies of the directory servers.   The command is "repadmin /showvector /latency <partition-dn>".

And the same errors with:


Directory partition:CN=Schema,CN=Configuration,
DC=MYDOMAIN

Directory partition:
DC=MYDOMAIN

Following are some diagnostics outputs I gathered from the DC.


C:\>dcdiag /s:DC1 /v
Directory Server Diagnosis
Performing initial setup:
   * Connecting to directory service on server DC1.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=MYDOMAIN,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=MYDOMAIN,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=AGPINF02,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 2 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... DC1 passed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\DC1
      Starting test: Advertising
         The DC DC1 is advertising itself as a DC and having a DS.
         The DC DC1 is advertising as an LDAP server
         The DC DC1 is advertising as having a writeable directory
         The DC DC1 is advertising as a Key Distribution Center
         The DC DC1 is advertising as a time server
         The DS DC1 is advertising as a GC.
         ......................... DC1 passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.
         ......................... DC1 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... DC1 passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... DC1 passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... DC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN
         Role Domain Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN
         Role PDC Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN
         Role Rid Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN
         ......................... DC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC DC1 on DC DC1.
         * SPN found :LDAP/DC1.MYDOMAIN/MYDOMAIN
         * SPN found :LDAP/DC1.MYDOMAIN
         * SPN found :LDAP/DC1
         * SPN found :LDAP/DC1.MYDOMAIN/MYDOMAIN
         * SPN found :LDAP/6ba45128-449c-412a-83ee-845e83940c1e._msdcs.MYDOMAIN
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/6ba45128-449c-412a-83ee-845e83940c1e/MYDOMAIN
         * SPN found :HOST/DC1.MYDOMAIN/MYDOMAIN
         * SPN found :HOST/DC1.MYDOMAIN
         * SPN found :HOST/DC1
         * SPN found :HOST/DC1.MYDOMAIN/MYDOMAIN
         * SPN found :GC/DC1.MYDOMAIN/MYDOMAIN
         ......................... DC1 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC DC1.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=MYDOMAIN
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=MYDOMAIN
            (NDNC,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=MYDOMAIN
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=MYDOMAIN
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=MYDOMAIN
            (Domain,Version 3)
         ......................... DC1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\DC1\netlogon
         Verified share \\DC1\sysvol
         ......................... DC1 passed test NetLogons
      Starting test: ObjectsReplicated
         DC1 is in domain DC=MYDOMAIN
         Checking for CN=DC1,OU=Domain Controllers,DC=MYDOMAIN in domain DC=MYDOMAIN on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN in domain CN=Configuration,DC=MYDOMAIN on 1 servers
            Object is up-to-date on all servers.
         ......................... DC1 passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=MYDOMAIN
               Latency information for 14 entries in the vector were ignored.
                  14 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            DC=DomainDnsZones,DC=MYDOMAIN
               Latency information for 17 entries in the vector were ignored.
                  17 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=MYDOMAIN
               Latency information for 25 entries in the vector were ignored.
                  25 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            CN=Configuration,DC=MYDOMAIN
               Latency information for 27 entries in the vector were ignored.
                  27 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
            DC=MYDOMAIN
               Latency information for 27 entries in the vector were ignored.
                  27 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).
         ......................... DC1 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 20630 to 1073741823
         * DC1.MYDOMAIN is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 20130 to 20629
         * rIDPreviousAllocationPool is 20130 to 20629
         * rIDNextRID: 20130
         ......................... DC1 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... DC1 passed test Services
      Starting test: SystemLog
         * The System Event log test
         An error event occurred.  EventID: 0x0000272C
            Time Generated: 08/28/2018   11:11:46
            Event String:
            DCOM was unable to communicate with the computer 8.8.4.4 using any of the configured protocols; requested by PID      bd0 (C:\Windows\system32\dcdiag.exe).
         An error event occurred.  EventID: 0x0000272C
            Time Generated: 08/28/2018   11:12:07
            Event String:
            DCOM was unable to communicate with the computer 208.67.220.222 using any of the configured protocols; requested by PID      bd0 (C:\Windows\system32\dcdiag.exe).
         An error event occurred.  EventID: 0x0000272C
            Time Generated: 08/28/2018   11:12:29
            Event String:
            DCOM was unable to communicate with the computer 8.8.8.8 using any of the configured protocols; requested by PID      bd0 (C:\Windows\system32\dcdiag.exe).
         ......................... DC1 failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference) CN=DC1,OU=Domain Controllers,DC=MYDOMAIN and backlink on
         CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN are correct.
         The system object reference (serverReferenceBL)
         CN=DC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=MYDOMAIN and backlink on
         CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=MYDOMAIN are
         correct.
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=DC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=MYDOMAIN and backlink on
         CN=DC1,OU=Domain Controllers,DC=MYDOMAIN are correct.
         ......................... DC1 passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : MYDOMAIN
      Starting test: CheckSDRefDom
         ......................... MYDOMAIN passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... MYDOMAIN passed test CrossRefValidation

   Running enterprise tests on : MYDOMAIN
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\DC1.MYDOMAIN
         Locator Flags: 0xe001f3fd
         PDC Name: \\DC1.MYDOMAIN
         Locator Flags: 0xe001f3fd
         Time Server Name: \\DC1.MYDOMAIN
         Locator Flags: 0xe001f3fd
         Preferred Time Server Name: \\DC1.MYDOMAIN
         Locator Flags: 0xe001f3fd
         KDC Name: \\DC1.MYDOMAIN
         Locator Flags: 0xe001f3fd
         ......................... MYDOMAIN passed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments
         provided.
         ......................... MYDOMAIN passed test Intersite

C:\>

Text

C:\>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\DC1
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 6ba45128-449c-412a-83ee-845e83940c1e
DSA invocationID: 059d420b-c86d-4f20-b025-c44dff06c4f4

==== INBOUND NEIGHBORS ======================================
DC=MYDOMAIN
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a4573032-2365-413a-b502-3e7bdd6c4f24
        Last attempt @ 2018-08-28 11:07:05 was successful.

CN=Configuration,DC=MYDOMAIN
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a4573032-2365-413a-b502-3e7bdd6c4f24
        Last attempt @ 2018-08-28 10:54:31 was successful.

CN=Schema,CN=Configuration,DC=MYDOMAIN
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a4573032-2365-413a-b502-3e7bdd6c4f24
        Last attempt @ 2018-08-28 10:54:31 was successful.

DC=DomainDnsZones,DC=MYDOMAIN
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a4573032-2365-413a-b502-3e7bdd6c4f24
        Last attempt @ 2018-08-28 10:54:31 was successful.

DC=ForestDnsZones,DC=MYDOMAIN
    Default-First-Site-Name\DC2 via RPC
        DSA object GUID: a4573032-2365-413a-b502-3e7bdd6c4f24
        Last attempt @ 2018-08-28 10:54:31 was successful.

Text

C:\>repadmin /replsummary
Replication Summary Start Time: 2018-08-28 11:09:26
Beginning data collection for replication summary, this may take awhile:
  .....

Source DSA          largest delta    fails/total %%   error
 DC2                  14m:55s    0 /   5    0
 DC1                  14m:01s    0 /   5    0

Destination DSA     largest delta    fails/total %%   error
 DC2                  14m:01s    0 /   5    0
 DC1                  14m:55s    0 /   5    0

Text

C:\>dcdiag /test:dfsrevent

Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\DC1
      Starting test: DFSREvent
         ......................... DC1 passed test DFSREvent

   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : MYDOMAIN
   Running enterprise tests on : MYDOMAIN

Text

C:\>DCDiag /Test:DNS

Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = DC1
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
   Testing server: Default-First-Site-Name\DC1
      Starting test: Connectivity
         ......................... DC1 passed test Connectivity

Doing primary tests
   Testing server: Default-First-Site-Name\DC1
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... DC1 passed test DNS

   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : MYDOMAIN
   Running enterprise tests on : MYDOMAIN
      Starting test: DNS
         Test results for domain controllers:
            DC: DC1.MYDOMAIN
            Domain: MYDOMAIN

               TEST: Dynamic update (Dyn)
                  Warning: Failed to delete the test record dcdiag-test-record in zone MYDOMAIN

               DC1                     PASS PASS PASS PASS WARN PASS n/a
         ......................... MYDOMAIN passed test DNS

Text

C:\>NET SHARE
Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:                             Default share
D$           D:                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                     Remote Admin
NETLOGON     C:\Windows\SYSVOL_DFSR\sysvol\MYDOMAIN\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL_DFSR\sysvol  Logon server share
The command completed successfully.

Text

C:\>gpotool /verbose
Domain: MYDOMAIN
Validating DCs...
Available DCs:
DC1.MYDOMAIN
DC2.MYDOMAIN
Searching for policies...
Found 2 policies
============================================================
Policy {31B2F340-016D-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Policy
Policy OK
Details:
------------------------------------------------------------
DC: DC1.MYDOMAIN
Friendly name: Default Domain Policy
Created: 6/25/2004 4:07:52 PM
Changed: 8/27/2018 11:36:17 AM
DS version:     246(user) 627(machine)
Sysvol version: 246(user) 627(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}{3BFAE46A-7F3A-467B-8CEA-6AA34DC71F53}{3EC4E9D3-714D-471F-88DC-4DD4471AAB47}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{3060E8D0-7020-11D2-842D-00C04FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F73-3407-48AE-BA88-E8213C6761F1}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][{6232C319-91AC-4931-9385-E70C2B099F0E}{3EC4E9D3-714D-471F-88DC-4DD4471AAB47}][{A2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}][{A3F3E39B-5D83-4940-B954-28315B82F0A8}{3BFAE46A-7F3A-467B-8CEA-6AA34DC71F53}][{AADCED64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A7CC-0000F87571E3}{2D4156A2-897A-11DB-BA21-001185AD2B89}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: DC2.MYDOMAIN
Friendly name: Default Domain Policy
Created: 6/25/2004 4:07:52 PM
Changed: 8/27/2018 11:36:24 AM
DS version:     246(user) 627(machine)
Sysvol version: 246(user) 627(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{00000000-0000-0000-0000-000000000000}{2EA1A81B-48E5-45E9-8BB7
-A6E3AC170006}{3BFAE46A-7F3A-467B-8CEA-6AA34DC71F53}{3EC4E9D3-714D-471F-88DC-4DD
4471AAB47}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}][{3060E8D0-7020-11D2-842D-00C04
FA372D4}{3060E8CE-7020-11D2-842D-00C04FA372D4}][{35378EAC-683F-11D2-A89A-00C04FB
BCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}{D02B1F73-3407-48AE-BA88-E8213C6761F
1}][{42B5FAAE-6536-11D2-AE5A-0000F87571E3}{40B66650-4972-11D1-A7CA-0000F87571E3}
][{5794DAFD-BE60-433F-88A2-1A31939AC01F}{2EA1A81B-48E5-45E9-8BB7-A6E3AC170006}][
{6232C319-91AC-4931-9385-E70C2B099F0E}{3EC4E9D3-714D-471F-88DC-4DD4471AAB47}][{A
2E30F80-D7DE-11D2-BBDE-00C04F86AE3B}{FC715823-C5FB-11D1-9EEF-00A0C90347FF}][{A3F
3E39B-5D83-4940-B954-28315B82F0A8}{3BFAE46A-7F3A-467B-8CEA-6AA34DC71F53}][{AADCE
D64-746C-4633-A97C-D61349046527}{CAB54552-DEEA-4691-817E-ED4A4D1AFC72}]
Machine extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957D-509E-11D1-A
7CC-0000F87571E3}{2D4156A2-897A-11DB-BA21-001185AD2B89}{53D6AB1B-2488-11D1-A28C-
00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17}{B05566AC-FE9C-4368-BE01-7A4C
BB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F
79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B1BE8D72-6EAC-11D2-A4EA-00C04F79
F83A}{53D6AB1B-2488-11D1-A28C-00C04FB94F17}{53D6AB1D-2488-11D1-A28C-00C04FB94F17
}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policy {6AC1786C-016F-11D2-945F-00C04FB984F9}
Friendly name: Default Domain Controllers Policy
Policy OK
Details:
------------------------------------------------------------
DC: DC1.MYDOMAIN
Friendly name: Default Domain Controllers Policy
Created: 6/25/2004 4:07:52 PM
Changed: 8/22/2018 7:06:03 AM
DS version:     0(user) 210(machine)
Sysvol version: 0(user) 210(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A
0D0-00A0C90F574B}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E
4-AB2A69BA5FD4}]
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: DC2.MYDOMAIN
Friendly name: Default Domain Controllers Policy
Created: 6/25/2004 4:07:52 PM
Changed: 8/21/2018 3:07:18 AM
DS version:     0(user) 210(machine)
Sysvol version: 0(user) 210(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: not found
Machine extensions: [{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A
0D0-00A0C90F574B}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E
4-AB2A69BA5FD4}]
Functionality version: 2
------------------------------------------------------------
============================================================
Policies OK
C:\>


Best Answer

  • Ok, it seems the problem is related to the tombstone lifetime value. It was set to 700+ days.

    I set it to 3 days and left the domains running; after a few days, the error stopped appearing in the event logs.


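The tombstone lifetime the answer above refers to is stored on the Directory Service object in the configuration partition, and it is the limit that decides whether a DC that has been out of contact can still replicate safely. The script below is an added example (not from the thread) that reads the value with the ActiveDirectory module and lists every DC's inbound partners whose last successful replication is older than it; that is the condition behind NTDS Replication event 2042 and the lingering-object risk. It assumes RSAT and read access to the configuration partition.

```powershell
# Added example, not from the original post. Reads the forest tombstone lifetime
# and flags inbound replication partners whose last success is older than it.
# Assumes the ActiveDirectory module (RSAT) and rights to read the configuration NC.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" `
                        -Properties tombstoneLifetime
    # An unset attribute means the pre-Windows Server 2003 SP1 default of 60 days applies.
    if ($null -eq $ds.tombstoneLifetime) { return 60 }
    return [int]$ds.tombstoneLifetime
}

function Get-StaleReplicationPartners {
    param([int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays))
    $now = Get-Date
    foreach ($dc in Get-ADDomainController -Filter *) {
        # Inbound partner metadata carries the timestamp of the last successful replication.
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound |
            ForEach-Object {
                $age = ($now - $_.LastReplicationSuccess).TotalDays
                [pscustomobject]@{
                    Server           = $dc.HostName
                    Partner          = $_.Partner
                    Partition        = $_.Partition
                    DaysSinceSuccess = [math]::Round($age, 1)
                    # A partner silent for longer than the tombstone lifetime risks lingering
                    # objects; inbound replication from it is refused (NTDS Replication event 2042).
                    ExceedsTSL       = $age -gt $TombstoneLifetimeDays
                }
            }
    }
}

"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
Get-StaleReplicationPartners | Sort-Object DaysSinceSuccess -Descending | Format-Table -AutoSize
```

Run it before changing the attribute: the report shows how far each partner is from the current limit, so you can see whether a proposed value would immediately put a slow or remote partner over it.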


    title: Virtualized Domain Controller Troubleshooting
    description: Learn more about: Virtualized Domain Controller Troubleshooting
    ms.assetid: 249ba1be-b0d3-4a77-99af-3699074a2b6e
    author: iainfoulds
    ms.author: daveba
    manager: daveba
    ms.date: 05/31/2017
    ms.topic: article

    Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

    This topic provides detailed methodology on troubleshooting the virtualized domain controller feature.

    • Troubleshooting virtualized domain controller cloning

    • Troubleshooting virtualized domain controller safe restore

    Introduction

    The most important way to improve your troubleshooting skills is to build a test lab and rigorously examine normal, working scenarios. If you then encounter errors, they are more obvious and easier to understand, because you have a solid foundation of how domain controller promotion works. This also builds your log analysis and network analysis skills. This applies to all distributed systems technologies, not just virtualized domain controller deployment.

    The critical elements to advanced troubleshooting of domain controller configuration are:

    1. Linear analysis combined with focus and attention to detail.

    2. Understanding network capture analysis

    3. Understanding the built-in logs

    The first and second are beyond the scope of this topic, but the third can be explained in some detail. Virtualized domain controller troubleshooting requires a logical and linear method. The key is to approach the issue using the data provided and only resort to complex tools and analysis when you have exhausted the provided output and logging.

    Troubleshooting virtualized domain controller cloning

    This section covers:

    • Tools for Troubleshooting

    • Logging Options

    • General Methodology for Troubleshooting Domain Controller Cloning

    • Server Core and the Event Log

    • Troubleshooting Specific Problems

    The troubleshooting strategy for virtualized domain controller cloning follows this general format:

    [Figure: virtual DC troubleshooting flow]

    Tools for Troubleshooting

    Logging Options

    The built-in logs are the most important tool for troubleshooting issues with domain controller cloning. All of these logs are enabled and configured for maximum verbosity, by default.

    Operation   Log
    Cloning     Event viewer\Windows logs\System
                Event viewer\Applications and services logs\Directory Service
                %systemroot%\debug\dcpromo.log
    Promotion   %systemroot%\debug\dcpromo.log
                Event viewer\Applications and services logs\Directory Service
                Event viewer\Windows logs\System
                Event viewer\Applications and services logs\File Replication Service
                Event viewer\Applications and services logs\DFS Replication

    Tools and Commands for Troubleshooting Domain Controller Configuration

    To troubleshoot issues not explained by the logs, use the following tools as a starting point:

    • Dcdiag.exe

    • Repadmin.exe

    • Network Monitor 3.4

    General Methodology for Troubleshooting Domain Controller Cloning

    1. Is the VM booting into DS Repair Mode (DSRM)? This indicates troubleshooting is necessary. To log on in DSRM, use the .\Administrator account and specify the DSRM password.

      1. Examine the Dcpromo.log.

        1. Did initial cloning steps succeed but domain controller promotion fail?

        2. Do errors indicate issues with the local domain controller or with the AD DS environment, such as errors returned from the PDC emulator?

      2. Examine the System and Directory Services event logs and the dccloneconfig.xml and CustomDCCloneAllowList.xml

        1. Does an incompatible application need to be in the CustomDCCloneAllowList.xml allow list?

        2. Is the IP address or computer name either duplicated or invalid in the dccloneconfig.xml?

        3. Is the Active Directory site invalid in the dccloneconfig.xml?

        4. Is the IP address not set in the dccloningconfig.xml and there is no DHCP server available?

        5. Is the PDC emulator online and available through the RPC protocol?

        6. Is the domain controller a member of the Cloneable Domain Controllers group? Is the permission Allow a DC to create a clone of itself set on the domain root for that group?

        7. Does the Dccloneconfig.xml file contain syntax errors that prevent correct parsing?

        8. Is the hypervisor supported?

        9. Did domain controller promotion fail after cloning began successfully?

        10. Was the maximum number of auto-generated domain controller names (9999) exceeded?

        11. Is the MAC address duplicated?

    2. Is the host name of the clone the same as the source DC?

      1. Is there a Dccloneconfig.xml file in one of the allowed locations?

    3. Is the VM booting into normal mode and cloning completed, but the domain controller is not functioning correctly?

      1. First check if the host name is changed on the clone. If the host name is different, cloning has at least partially completed.

      2. Does the domain controller have a duplicate IP address of the source domain controller from the dccloneconfig.xml, but the source domain controller was offline during cloning?

      3. If the domain controller is advertising, treat the issue as any normal post-promotion issue you would have without cloning.

      4. If the domain controller is not advertising, examine the Directory Service, System, Application, File Replication and DFS Replication event logs for post-promotion errors.
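Several of the questions in the methodology above (group membership, PDC emulator reachability over RPC, applications missing from the allow list, presence and syntax of dccloneconfig.xml) can be checked before the clone is ever booted. The script below is an added example, not part of the Microsoft article, that runs those checks on the source DC with the ActiveDirectory module; it assumes the DSA working directory is the default %SystemRoot%\NTDS and does not evaluate the "Allow a DC to create a clone of itself" permission, which still has to be verified on the domain root.

```powershell
# Added example, not from the article. Pre-clone checks for a source DC, following
# the methodology list. Assumes the ActiveDirectory module and the default DSA
# working directory (%SystemRoot%\NTDS); the clone permission on the domain root is not checked.
Import-Module ActiveDirectory

function Test-DCClonePrerequisites {
    param([Parameter(Mandatory)][string]$SourceDC)
    $short   = $SourceDC.Split('.')[0]
    $domain  = Get-ADDomain
    $results = [ordered]@{ SourceDC = $SourceDC }

    # 1. The source DC must be a member of Cloneable Domain Controllers.
    $members = Get-ADGroupMember -Identity 'Cloneable Domain Controllers' -Recursive |
               Select-Object -ExpandProperty Name
    $results['CloneableGroupMember'] = $members -contains $short

    # 2. The PDC emulator must be online and reachable over RPC (endpoint mapper, TCP 135).
    $pdc = $domain.PDCEmulator
    $results['PdcEmulator']     = $pdc
    $results['PdcRpcReachable'] = Test-NetConnection -ComputerName $pdc -Port 135 -InformationLevel Quiet

    # 3. Installed applications not on the built-in allow list must be removed or
    #    added to CustomDCCloneAllowList.xml before cloning can proceed.
    $excluded = @(Get-ADDCCloningExcludedApplicationList)
    $results['UnhandledApplications']     = $excluded.Count
    $results['UnhandledApplicationNames'] = ($excluded | ForEach-Object { $_.Name }) -join ', '

    # 4. dccloneconfig.xml is read from the DSA working directory or the root of a local/removable drive.
    $candidates = @("$env:SystemRoot\NTDS\DCCloneConfig.xml") +
                  (Get-PSDrive -PSProvider FileSystem | ForEach-Object { "$($_.Root)DCCloneConfig.xml" })
    $found = @($candidates | Where-Object { Test-Path $_ })
    $results['CloneConfigFound'] = $found -join ', '

    # 5. A file that does not parse as XML sends the clone into DSRM later; catch it now.
    foreach ($f in $found) {
        try   { [xml](Get-Content -Path $f -Raw) | Out-Null; $results["Parses: $f"] = $true }
        catch { $results["Parses: $f"] = $false }
    }
    [pscustomobject]$results
}

Test-DCClonePrerequisites -SourceDC $env:COMPUTERNAME | Format-List
```

Any false value or a non-zero UnhandledApplications count corresponds to one of the numbered questions above and should be resolved before the VM is exported.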

    Disabling DSRM Boot

    Once booted into DSRM due to any error, diagnose the cause for failure and if the dcpromo.log does not indicate that cloning cannot be retried, fix the cause for failure and reset the DSRM flag. A failed clone does not return to normal mode on its own on the next reboot; you must remove the DS Restore Mode boot flag in order to try cloning again. All of these steps require running as an elevated administrator.

    Removing DSRM with Msconfig.exe

    To turn DSRM boot off using a GUI, use the System Configuration tool:

    1. Run msconfig.exe

    2. On the Boot tab, under Boot Options, de-select Safe boot (it is already selected with the option Active Directory repair enabled)

    3. Click OK and restart when prompted

    Removing DSRM with Bcdedit.exe

    To turn DSRM boot off from the command-line, use the Boot Configuration Data Store Editor:

    1. Open a CMD prompt and run:

      Bcdedit.exe /deletevalue safeboot
      
    2. Restart the computer with:

    [!NOTE]
    Bcdedit.exe also works in a Windows PowerShell console. The commands there are:

    Bcdedit.exe /deletevalue safeboot

    Restart-computer
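Because the same Bcdedit.exe command also removes any other safe-boot setting, it is worth confirming that the current boot entry really carries the DSRM flag before deleting it. The function below is an added example, not from the article; it parses the current entry from bcdedit /enum, only deletes the value when safeboot is set to DsRepair, and restarts on request. It assumes an elevated PowerShell session on the clone.

```powershell
# Added example, not from the article. Removes the DSRM boot flag only when the
# current boot entry actually has safeboot = DsRepair. Assumes an elevated session.
function Get-SafebootMode {
    # bcdedit prints a "safeboot   DsRepair" line on the current entry when DSRM boot is set
    $entry = & bcdedit.exe /enum '{current}'
    $line  = $entry | Where-Object { $_ -match '^\s*safeboot\s+\S+' } | Select-Object -First 1
    if ($line -and $line -match '^\s*safeboot\s+(\S+)') { return $Matches[1] }
    return $null
}

function Clear-DsrmBoot {
    param([switch]$Restart)
    $mode = Get-SafebootMode
    if ($mode -ne 'DsRepair') {
        Write-Warning "Current entry has safeboot='$mode' (expected DsRepair); nothing changed."
        return $false
    }
    & bcdedit.exe /deletevalue safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit.exe failed with exit code $LASTEXITCODE" }
    if ($Restart) { Restart-Computer -Force }
    return $true
}

# Usage: fix the cause recorded in dcpromo.log first, then
#   Clear-DsrmBoot -Restart
Clear-DsrmBoot
```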

    Server Core and the Event Log

    The event logs contain much of the useful information about virtualized domain controller cloning operations. By default, a Windows Server 2012 computer installation is a Server Core installation, which means there is no graphical interface and therefore, no way to run the local Event Viewer snap-in.

    To review the event logs on a server running a Server Core installation:

    • Run the Wevtutil.exe tool locally

    • Run PowerShell cmdlet Get-WinEvent locally

    • If you have enabled the Windows Advanced Firewall rules for the "Remote Event Log Management" group (or equivalent ports) to allow inbound communication, you can manage the event log remotely using Eventvwr.exe, wevtutil.exe, or Get-WinEvent. This can be done on a Server Core installation using NETSH.exe, Group Policy, or the new Set-NetFirewallRule cmdlet in Windows PowerShell 3.0.
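The cloning events catalogued later in this article all fall in the 2160 to 2213 range of the Directory Service log, which makes them easy to pull with Get-WinEvent without a graphical Event Viewer. The script below is an added example, not from the article: it queries that range by XPath (locally or from a management host), keeps the first line of each message, and separates errors and warnings from the informational progress events. It assumes the firewall group named above is enabled on the clone for the remote case.

```powershell
# Added example, not from the article. Collects cloning-specific Directory Service
# events (IDs 2160-2213) from a clone, locally or remotely, and summarizes problems.
# Remote collection assumes the "Remote Event Log Management" rule group is enabled there.
function Get-DCCloneEvents {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 200
    )
    # XPath range query avoids the per-query limit on the number of OR'ed event IDs.
    $xpath = "*[System[Provider[@Name='Microsoft-Windows-ActiveDirectory_DomainService'] and " +
             "(EventID>=2160 and EventID<=2213)]]"
    Get-WinEvent -ComputerName $ComputerName -LogName 'Directory Service' -FilterXPath $xpath `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Show-DCCloneSummary {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $events = @(Get-DCCloneEvents -ComputerName $ComputerName)
    if ($events.Count -eq 0) {
        "No cloning events in the Directory Service log on $ComputerName"
        return
    }
    # Error and Warning entries map to the "Notes and resolution" rows that need action;
    # Information entries are the expected progress events.
    $problems = @($events | Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' })
    "$($events.Count) cloning events on $ComputerName, $($problems.Count) errors/warnings"
    $problems | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
}

# On the clone itself (elevated), enable remote collection with:
#   Set-NetFirewallRule -DisplayGroup 'Remote Event Log Management' -Enabled True
# Equivalent built-in query on Server Core without PowerShell:
#   wevtutil qe "Directory Service" /q:"*[System[(EventID>=2160 and EventID<=2213)]]" /f:text /rd:true /c:20
Show-DCCloneSummary
```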

    [!WARNING]
    Do not attempt to add the graphical shell back to the computer while it is in DSRM. Windows servicing stack (CBS) cannot operate correctly while in Safe Mode or DSRM. Attempts to add features or roles while in DSRM will not complete and leave the computer in an unstable state until it is booted normally. Since a virtualized domain controller clone in DSRM cannot boot normally, and should not be booted normally under most circumstances, it is impossible to safely add the graphical shell. Doing so is unsupported and may leave you with an unusable server.

    Troubleshooting Specific Problems

    Events

    All virtualized domain controller cloning events write to the Directory Services event log of the clone domain controller VM. The Application, File Replication Service, and DFS Replication event logs may also contain useful troubleshooting information for failed cloning. Failures during the RPC call to the PDC emulator may be available in the event log on the PDC emulator.

    Below are the Windows Server 2012 cloning-specific events in the Directory Services event log, with notes and suggested resolutions for errors.

    Directory Services Event Log
    Events Description
    Event ID 2160
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message The local <COMPUTERNAME> has found a virtual domain controller cloning configuration file.

    The virtual domain controller cloning configuration file is found at: %1

    The existence of the virtual domain controller cloning configuration file indicates that the local virtual domain controller is a clone of another virtual domain controller. The <COMPUTERNAME> will start to clone itself.

    Notes and resolution This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.
    Events Description
    Event ID 2161
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message The local <COMPUTERNAME> did not find the virtual domain controller cloning configuration file. The local machine is not a cloned DC.
    Notes and resolution This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.
    Events Description
    Event ID 2162
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Virtual domain controller cloning failed.

    Please check events logged in System event logs and %systemroot%\debug\dcpromo.log for more information on errors that correspond to the virtual domain controller cloning attempt.

    Error code: %1

    Notes and resolution Follow message instructions, this error is a catchall.
    Events Description
    Event ID 2163
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message DsRoleSvc service was started to clone the local virtual domain controller.
    Notes and resolution This is a success event and only an issue if unexpected. Examine the DSA Working Directory, %systemroot%\ntds, and the root of any local or removable disks for the dccloneconfig.xml file.
    Events Description
    Event ID 2164
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to start the DsRoleSvc service to clone the local virtual domain controller.
    Notes and resolution Examine the service settings for the DS Role Server service (DsRoleSvc) and ensure its start type is set to manual. Validate that no third party program is preventing the start of this service.
    Events Description
    Event ID 2165
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to start a thread during the cloning of the local virtual domain controller.

    Error code:%1

    Error message:%2

    Thread name:%3

    Notes and resolution Contact Microsoft Product Support
    Events Description
    Event ID 2166
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> needs RPCSS service to initiate rebooting into DSRM. Waiting for RPCSS to initialize into a running state failed.

    Error code:%1

    Notes and resolution Examine the System event log and service settings for the RPC Server service (Rpcss)
    Events Description
    Event ID 2168
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message The DC is running on a supported hypervisor. VM Generation ID is detected.

    Current value of VM Generation ID: %1

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2169
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message There is no VM Generation ID detected. The DC is hosted on a physical machine, a down-level version of Hyper-V, or a hypervisor that does not support the VM Generation ID.

    Additional Data

    Failure code returned when checking VM Generation ID:%1

    Notes and resolution This is a success event if not intending to clone. Otherwise, examine the System event log and review hypervisor product support documentation.
    Events Description
    Event ID 2170
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Warning
    Message A Generation ID change has been detected.

    Generation ID cached in DS (old value):%1

    Generation ID currently in VM (new value):%2

    The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. <COMPUTERNAME> will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

    Notes and resolution This is a success event if intending to clone. Otherwise, examine the System event log.
    Events Description
    Event ID 2171
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message No Generation ID change has been detected.

    Generation ID cached in DS (old value):%1

    Generation ID currently in VM (new value):%2

    Notes and resolution This is a success event if not intending to clone, and should be seen at every reboot of a virtualized DC. Otherwise, examine the System event log.
    Events Description
    Event ID 2172
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Read the msDS-GenerationId attribute of the Domain Controller’s computer object.

    msDS-GenerationId attribute value:%1

    Notes and resolution This is a success event if intending to clone. Otherwise, examine the System event log.
    Events Description
    Event ID 2173
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Failed to read the msDS-GenerationId attribute of the Domain Controller’s computer object. This may be caused by database transaction failure, or the generation id does not exist in the local database. The msDS-GenerationId does not exist during the first reboot after dcpromo or the DC is not a virtual domain controller.

    Additional Data

    Failure code:%1

    Notes and resolution This is a success event if intending to clone and it is the first VM reboot after cloning has completed. It can also be ignored on non-virtual Domain controllers. Otherwise, examine the System event log.
    Events Description
    Event ID 2174
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message The DC is neither a virtual domain controller clone nor a restored virtual domain controller snapshot.
    Notes and resolution This is a success event if not intending to clone. Otherwise, examine the System event log.
    Events Description
    Event ID 2175
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Virtual domain controller clone configuration file exists on an unsupported platform.
    Notes and resolution This occurs when a dccloneconfig.xml is found but a VM Generation-ID could not be found, such as when a dccloneconfig.xml file is found on a physical computer or on a hypervisor that does not support VM Generation-ID.
    Events Description
    Event ID 2176
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Renamed virtual domain controller clone configuration file.

    Additional Data

    Old file name:%1

    New file name:%2

    Notes and resolution Rename expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone.
    Events Description
    Event ID 2177
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Renaming virtual domain controller clone configuration file failed.

    Additional Data

    File name:%1

    Failure code:%2 %3

    Notes and resolution Rename attempt expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone. Manually rename the file and investigate installed third party products that may be preventing the file rename.
    Events Description
    Event ID 2178
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Detected virtual domain controller clone configuration file, but VM Generation ID has not been changed. The local DC is the clone source DC. Rename the clone configuration file.
    Notes and resolution Expected when booting a source VM back up, because the VM Generation ID has not changed. This prevents the source domain controller from trying to clone.
    Events Description
    Event ID 2179
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message The msDS-GenerationId attribute of the Domain Controller’s computer object has been set to the following parameter:

    GenerationID attribute:%1

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2180
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Warning
    Message Failed to set the msDS-GenerationId attribute of the Domain Controller’s computer object.

    Additional Data

    Failure code:%1

    Notes and resolution Examine the System event log and Dcpromo.log. Look up the specific error in MS TechNet, MS Knowledgebase, and MS blogs to determine its usual meaning, and then troubleshoot based on those results.
    Events Description
    Event ID 2182
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Internal event: The Directory Service has been asked to clone a remote DSA:
    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2183
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Internal event: <COMPUTERNAME> completed the request to clone the remote Directory System Agent.

    Original DC name:%3

    Request clone DC name:%4

    Request clone DC site:%5

    Additional Data

    Error value:%1 %2

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2184
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to create a domain controller account for the cloned DC.

    Original DC name:%1

    Allowed number of cloned DC:%2

    The limit on the number of domain controller accounts that can be generated by cloning <COMPUTERNAME> was exceeded.

    Notes and resolution Based on the automatic naming convention, a single source domain controller name can generate at most 9999 clone names if the cloned domain controllers are not demoted. Use the <computername> element in the XML to specify a new unique name, or clone from a differently named DC.
    Events Description
    Event ID 2191
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> set the following registry value to disable DNS updates.

    Registry Key:%1

    Registry Value: %2

    Registry Value data: %3

    During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2192
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to set the following registry value to disable DNS updates.

    Registry Key:%1

    Registry Value: %2

    Registry Value data: %3

    Error code:%4

    Error message:%5

    During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.

    Notes and resolution Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.
    Events Description
    Event ID 2193
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> set the following registry value to enable DNS updates.

    Registry Key:%1

    Registry Value: %2

    Registry Value data: %3

    During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2194
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to set the following registry value to enable DNS updates.

    Registry Key:%1

    Registry Value: %2

    Registry Value data: %3

    Error code:%4

    Error message:%5

    During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning.

    Notes and resolution Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.
    Events Description
    Event ID 2195
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Failed to set DSRM boot.

    Error code:%1

    Error message:%2

    When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Setting DSRM boot failed.

    Notes and resolution Examine the Application and System event logs. Investigate third-party applications that may be blocking registry updates.
    Events Description
    Event ID 2196
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Failed to enable shutdown privilege.

    Error code:%1

    Error message:%2

    When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Enabling shutdown privilege failed.

    Notes and resolution Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege usage.
    Events Description
    Event ID 2197
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Failed to initiate system shutdown.

    Error code:%1

    Error message:%2

    When virtual domain controller cloning failed or virtual domain controller clone configuration file appears on a non-supported hypervisor, the local machine will reboot into DSRM for troubleshooting. Initiating system shutdown failed.

    Notes and resolution Examine the Application and System event logs. Investigate third-party applications that may be blocking privilege usage.
    Events Description
    Event ID 2198
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to create or modify the following cloned DC object.

    Additional data:

    Object:

    %1

    Error value: %2

    %3

    Notes and resolution Look up the specific error in MS TechNet, MS Knowledgebase, and MS blogs to determine its usual meaning, and then troubleshoot based on those results.
    Events Description
    Event ID 2199
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to create the following cloned DC object because the object already exists.

    Additional data:

    Source DC:

    %1

    Object:

    %2

    Notes and resolution Validate the dccloneconfig.xml did not specify an existing domain controller or that copies of the dccloneconfig.xml have been used on multiple clones without editing the name. If the collision is still unexpected, determine which administrator promoted it; contact them to discuss if the existing domain controller should be demoted, the existing domain controller metadata cleaned, or if the clone should use a different name.
    Events Description
    Event ID 2203
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Last virtual domain controller cloning failed. This is the first reboot since then so this should be a re-try of the cloning. However, neither virtual domain controller clone configuration file exists nor virtual machine generation ID change is detected. Boot into DSRM.

    Last virtual domain controller cloning failed:%1

    Virtual domain controller clone configuration file exists:%2

    Virtual machine generation ID change is detected:%3

    Notes and resolution Expected if cloning failed previously due to a missing or invalid dccloneconfig.xml.
    Events Description
    Event ID 2210
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to create objects for clone domain controller.

    Additional data:

    Clone Id: %6

    Clone domain controller name: %1

    Retry loop: %2

    Exception value: %3

    Error value: %4

    DSID: %5

    Notes and resolution Review the System and Directory Services event logs and the dcpromo.log for further details on why cloning failed.
    Events Description
    Event ID 2211
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> has created objects for clone domain controller.

    Additional data:

    Clone Id: %3

    Clone domain controller name: %1

    Retry loop: %2

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2212
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> started to create objects for the clone domain controller.

    Additional data:

    Clone Id: %1

    Clone name: %2

    Clone site: %3

    Clone RODC: %4

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2213
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> created a new KrbTgt object for Read-Only domain controller cloning.

    Additional data:

    Clone Id: %1

    New KrbTgt Object Guid: %2

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2214
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> will create a computer object for the clone domain controller.

    Additional data:

    Clone Id: %1

    Original domain controller: %2

    Clone domain controller: %3

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2215
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> will add the clone domain controller in the following site.

    Additional data:

    Clone Id: %1

    Site: %2

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2216
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> will create a servers container for the clone domain controller.

    Additional data:

    Clone Id: %1

    Servers Container: %2

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2217
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> will create a server object for the clone domain controller.

    Additional data:

    Clone Id: %1

    Server Object: %2

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2218
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> will create a NTDS Settings object for the clone domain controller.

    Additional data:

    Clone Id: %1

    Object: %2

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2219
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> will create connection objects for the clone Read-Only domain controller.

    Additional data:

    Clone Id: %1

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2220
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> will create SYSVOL objects for the clone Read-Only domain controller.

    Additional data:

    Clone Id: %1

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2221
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to generate a random password for the cloned domain controller.

    Additional data:

    Clone Id: %1

    Clone domain controller name: %2

    Error: %3 %4

    Notes and resolution Examine the system event log for further details on why the machine account password could not be created.
    Events Description
    Event ID 2222
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to set password for the cloned domain controller.

    Additional data:

    Clone Id: %1

    Clone domain controller name: %2

    Error: %3 %4

    Notes and resolution Examine the system event log for further details on why the machine account password could not be set.
    Events Description
    Event ID 2223
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> successfully set machine account password for the cloned domain controller.

    Additional data:

    Clone Id: %1

    Clone domain controller name: %2

    Total retry times: %3

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2224
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Virtual domain controller cloning failed. The following %1 Managed Service Account(s) exist on the cloned machine:

    %2

    For cloning to succeed, all Managed Service Accounts must be removed. This can be done using the Remove-ADComputerServiceAccount PowerShell cmdlet.

    Notes and resolution Expected when using standalone MSAs (not group MSA). Do not follow the event advice to remove the account — it is incorrectly written. Use Uninstall-AdServiceAccount — https://technet.microsoft.com/library/hh852310.

    Standalone MSAs — first released in Windows Server 2008 R2 — were replaced in Windows Server 2012 with group MSAs (gMSA). GMSAs support cloning.
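    As an added example (not from the article or from Microsoft), this PowerShell function finds the standalone MSAs installed on the DC that event 2224 complains about and removes them with Uninstall-ADServiceAccount, leaving gMSAs alone. It assumes the ActiveDirectory module is available and that installed service accounts are recorded in the computer object's msDS-HostServiceAccount attribute.

```powershell
# Added example, not the article's or Microsoft's code.
# Enumerates the service accounts linked to this DC, keeps only standalone MSAs
# (objectClass msDS-ManagedServiceAccount) and uninstalls them with the cmdlet the
# note above recommends. gMSAs support cloning and are skipped.
# Assumption: installed MSAs appear in the computer object's msDS-HostServiceAccount.
function Remove-StandaloneMsaFromLocalDC {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    $computer = Get-ADComputer -Identity $ComputerName -Properties 'msDS-HostServiceAccount'
    $linked   = @($computer.'msDS-HostServiceAccount')
    if ($linked.Count -eq 0) {
        Write-Verbose "No service accounts are linked to $ComputerName."
        return
    }

    foreach ($dn in $linked) {
        $acct = Get-ADServiceAccount -Identity $dn -Properties ObjectClass
        # Standalone MSA vs. gMSA (msDS-GroupManagedServiceAccount)
        if ($acct.ObjectClass -ne 'msDS-ManagedServiceAccount') {
            Write-Verbose "Skipping group MSA $($acct.Name); it does not block cloning."
            continue
        }
        if ($PSCmdlet.ShouldProcess($acct.Name, 'Uninstall-ADServiceAccount')) {
            # Uninstall (not Remove-ADComputerServiceAccount) is the documented fix
            Uninstall-ADServiceAccount -Identity $acct
            [pscustomobject]@{
                Account           = $acct.Name
                DistinguishedName = $dn
                Action            = 'Uninstalled'
            }
        }
    }
}

# Dry run first on the clone source; drop -WhatIf to actually uninstall the accounts.
Remove-StandaloneMsaFromLocalDC -WhatIf -Verbose
```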

    Events Description
    Event ID 2225
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message The cached secrets of the following security principal have been successfully removed from local domain controller:

    %1

    After cloning a read-only domain controller, secrets which were previously cached on the cloning source read-only domain controller will be removed on the cloned domain controller.

    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 2226
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Failed to remove cached secrets of the following security principal from local domain controller:

    %1

    Error: %2 (%3)

    After cloning a read-only domain controller, secrets which were previously cached on the cloning source read-only domain controller need to be removed on the clone in order to decrease the risk that an attacker can obtain those credentials from stolen or compromised clone. If the security principal is a highly privileged account and should be protected against this, please use rootDSE operation rODCPurgeAccount to manually clear its secrets on local domain controller.

    Notes and resolution Examine the System and Directory Services event logs for further information.
    Events Description
    Event ID 2227
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Exception is raised while trying to remove cached secrets from local domain controller.

    Additional data:

    Exception value: %1

    Error value: %2

    DSID: %3

    After cloning a read-only domain controller, secrets which were previously cached on the cloning source read-only domain controller need to be removed on the clone in order to decrease the risk that an attacker can obtain those credentials from stolen or compromised clone. If any of these security principals is a highly privileged account and should be protected against this, please use rootDSE operation rODCPurgeAccount to manually clear its secrets on local domain controller.

    Notes and resolution Examine the System and Directory Services event logs for further information.
    Events Description
    Event ID 2228
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message The Virtual machine generation ID in the Active Directory database of this domain controller is different from the current value of this virtual machine. However, a virtual domain controller clone configuration file (DCCloneConfig.xml) could not be located so domain controller cloning was not attempted. If a domain controller cloning operation was intended, please ensure that a DCCloneConfig.xml is provided in any one of the supported locations. In addition, the IP address of this domain controller conflicts with another domain controller’s IP address. To ensure no disruptions in service occur, the domain controller has been configured to boot into DSRM.

    Additional data:

    The duplicate IP address: %1

    Notes and resolution This protection mechanism stops duplicate domain controllers when possible (it will not when using DHCP, for example). Add a valid DcCloneConfig.xml file, remove the DSRM flag, and re-attempt cloning.
    Events Description
    Event ID 29218
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message Virtual domain controller cloning failed. The cloning operation could not be completed and the cloned domain controller was rebooted into Directory Services Restore Mode (DSRM).

    Please check previously logged events and %systemroot%\debug\dcpromo.log for more information on errors that correspond to the virtual domain controller cloning attempt and whether or not this clone image can be reused.

    If one or more log entries indicate that the cloning process cannot be retried, the image must be securely destroyed. Otherwise you may fix the errors, clear the DSRM boot flag, and reboot normally; upon reboot, the cloning operation will be retried.

    Notes and resolution Review the System and Directory Services event logs and the dcpromo.log for further details on why cloning failed.
    Events Description
    Event ID 29219
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Informational
    Message Virtual domain controller cloning succeeded.
    Notes and resolution This is a success event and only an issue if unexpected.
    Events Description
    Event ID 29248
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message Virtual domain controller cloning failed to obtain Winlogon Notification. The returned error code is %1 (%2).

    For more information on this error, please review %systemroot%\debug\dcpromo.log for errors that correspond to the virtual domain controller cloning attempt.

    Notes and resolution Contact Microsoft Product Support.
    Events Description
    Event ID 29249
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message Virtual domain controller cloning failed to parse virtual domain controller configuration file.

    The returned HRESULT code is %1.

    The configuration file is:%2

    Please fix the errors in the configuration file and retry the cloning operation.

    For more information about this error, please see %systemroot%\debug\dcpromo.log.

    Notes and resolution Examine the dccloneconfig.xml file for syntax errors using an XML editor and the DCCloneConfigSchema.xsd schema file.
    Events Description
    Event ID 29250
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message Virtual domain controller cloning failed. There are software or services currently enabled on the cloned virtual domain controller that are not present in the allowed application list for virtual domain controller cloning.

    Following are the missing entries:

    %2

    %1 (if any) was used as the defined inclusion list.

    The cloning operation cannot be completed if there are non-cloneable applications installed.

    Please run Active Directory PowerShell Cmdlet Get-ADDCCloningExcludedApplicationList to check which applications are installed on the cloned machine, but not included in the allow list, and add them to the allow list if they are compatible with virtual domain controller cloning. If any of these applications are not compatible with virtual domain controller cloning, please uninstall them before re-trying the cloning operation.

    The virtual domain controller cloning process searches for the allowed application list file, CustomDCCloneAllowList.xml, based on the following search order; the first file found is used and all others are ignored:

    1. The registry value name: HKey_Local_Machine\System\CurrentControlSet\Services\NTDS\Parameters\AllowListFolder

    2. The same directory where the DSA Working Directory folder resides

    3. %windir%\NTDS

    4. Removable read/write media in order of drive letter at the root of the drive

    Notes and resolution Follow the message instructions.
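    Added example, not Microsoft's code: this PowerShell function walks the four-step search order from the event text and reports which CustomDCCloneAllowList.xml, if any, cloning will read. It assumes the NTDS Parameters key holds the AllowListFolder and DSA Working Directory values, and reads "the same directory where the DSA Working Directory folder resides" as the DSA Working Directory itself.

```powershell
# Added example, not the article's or Microsoft's code.
# Walks the CustomDCCloneAllowList.xml search order documented by event 29250:
#   1. AllowListFolder registry value   2. DSA Working Directory
#   3. %windir%\NTDS                    4. root of removable drives, by letter
# The first existing file wins; every later copy is ignored by cloning.
function Find-CustomDCCloneAllowList {
    [CmdletBinding()]
    param()

    $fileName  = 'CustomDCCloneAllowList.xml'
    $ntdsParam = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $params    = Get-ItemProperty -Path $ntdsParam -ErrorAction SilentlyContinue

    # Candidate folders in precedence order; unset registry values are skipped.
    $candidates = @()
    if ($params.AllowListFolder) {
        $candidates += [pscustomobject]@{ Order = 1; Source = 'AllowListFolder registry value'; Folder = $params.AllowListFolder }
    }
    if ($params.'DSA Working Directory') {
        # Assumption: "where the DSA Working Directory folder resides" means the working directory itself
        $candidates += [pscustomobject]@{ Order = 2; Source = 'DSA Working Directory'; Folder = $params.'DSA Working Directory' }
    }
    $candidates += [pscustomobject]@{ Order = 3; Source = '%windir%\NTDS'; Folder = (Join-Path $env:windir 'NTDS') }
    # DriveType 2 = removable disk; sorted so drive letters are checked in order
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' | Sort-Object DeviceID | ForEach-Object {
        $candidates += [pscustomobject]@{ Order = 4; Source = 'Removable media root'; Folder = "$($_.DeviceID)\" }
    }

    # Report every location; Used marks the single copy cloning would load.
    $found = $false
    foreach ($c in $candidates) {
        $path   = Join-Path $c.Folder $fileName
        $exists = Test-Path -LiteralPath $path -PathType Leaf
        [pscustomobject]@{
            Order  = $c.Order
            Source = $c.Source
            Path   = $path
            Exists = $exists
            Used   = ($exists -and -not $found)
        }
        if ($exists) { $found = $true }
    }
}

Find-CustomDCCloneAllowList | Format-Table -AutoSize
```

    Run it on the clone source before copying the VM; a stale allow list on a forgotten USB drive or in AllowListFolder would otherwise silently shadow the one in %windir%\NTDS.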
    Events Description
    Event ID 29251
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message Virtual domain controller cloning failed to reset the IP addresses of the clone machine.

    The returned error code is %1 (%2).

    This error might be caused by misconfiguration in network configuration sections in the virtual domain controller configuration file.

    Please see %systemroot%\debug\dcpromo.log for more information about errors that correspond to IP addresses resetting during virtual domain controller cloning attempts.

    Details on resetting machine IP addresses on the cloned machine can be found at https://go.microsoft.com/fwlink/?LinkId=208030

    Notes and resolution Verify the IP information set in the dccloneconfig.xml is valid and does not duplicate the original source machine.
    Events Description
    Event ID 29253
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message Virtual domain controller cloning failed. The clone domain controller was unable to locate the primary domain controller (PDC) operations master in the cloned computer’s home domain of the cloned machine.

    The returned error code is %1 (%2).

    Please verify that the primary domain controller in the home domain of the cloned machine is assigned to a live domain controller, is online, and is operational. Verify that the cloned machine has LDAP/RPC connectivity to the primary domain controller over the required ports and protocols.

    Notes and resolution Validate that the cloned domain controller's IP and DNS information is set. Use Dcdiag.exe /test:locatorcheck to validate that the PDCE is online, use Nltest.exe /server:<PDCE> /dclist:<domain> to validate RPC, and obtain a network capture from the PDCE while cloning fails and analyze the traffic.
    Events Description
    Event ID 29254
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message Virtual domain controller cloning failed to bind to the primary domain controller %1.

    The returned error code is %2 (%3).

    Please verify that the primary domain controller %1 is online and is operational. Verify that the cloned machine has LDAP/RPC connectivity to the primary domain controller over the required ports and protocols.

    Notes and resolution Validate that the cloned domain controller's IP and DNS information is set. Use Dcdiag.exe /test:locatorcheck to validate that the PDCE is online, use Nltest.exe /server:<PDCE> /dclist:<domain> to validate RPC, and obtain a network capture from the PDCE while cloning fails and analyze the traffic.
    Events Description
    Event ID 29255
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message Virtual domain controller cloning failed.

    An attempt to create objects on the primary domain controller %1 required for the image being cloned returned error %2 (%3).

    Please verify that the cloned domain controller has privilege to clone itself. Check for related events in the Directory Service event log on primary domain controller %1.

    Notes and resolution Look up the specific error in MS TechNet, the MS Knowledge Base, and MS blogs to determine its typical meaning, and then troubleshoot based on those results.
    Events Description
    Event ID 29256
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message An attempt to set the Boot into Directory Services Restore Mode flag failed with error code %1.

    Please see %systemroot%\debug\dcpromo.log for more information about errors.

    Notes and resolution Examine the Directory Services log and dcpromo.log for details. Examine Application and System event logs. Investigate third party application that may be blocking privilege usage.
    Events Description
    Event ID 29257
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message Virtual domain controller cloning has done. An attempt to reboot the machine failed with error code %1.

    Please reboot the machine to finish the cloning operation.

    Notes and resolution Examine Application and System event logs. Investigate third party application that may be blocking privilege usage.
    Events Description
    Event ID 29264
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message An attempt to clear the Boot into Directory Services Restore Mode flag failed with error code %1.

    Please see %systemroot%\debug\dcpromo.log for more information about errors.

    Notes and resolution Examine the Directory Services log and dcpromo.log for details. Examine Application and System event logs. Investigate third party application that may be blocking privilege usage.
    Events Description
    Event ID 29265
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Informational
    Message Virtual domain controller cloning succeeded. The virtual domain controller cloning configuration file %1 has been renamed to %2.
    Notes and resolution N/A, this is a success event.
    Events Description
    Event ID 29266
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message Virtual domain controller cloning succeeded. The attempt to rename virtual domain controller cloning configuration file %1 failed with error code %2 (%3).
    Notes and resolution Manually rename the dccloneconfig.xml file.
    Events Description
    Event ID 29267
    Source Microsoft-Windows-DirectoryServices-DSROLE-Server
    Severity Error
    Message Virtual domain controller cloning failed to check the virtual domain controller cloning allowed application list.

    The returned error code is %1 (%2).

    This error might be caused by a syntax error in the clone allow list file (The file currently being checked is: %3). For more information about this error, please see %systemroot%\debug\dcpromo.log.

    Notes and resolution Follow the event instructions.
    Error Messages

    There are no direct interactive errors for failed virtualized domain controller cloning; all cloning information is logged in the System and Directory Services event logs and in the domain controller promotion log, dcpromo.log. However, if the server boots into DS Restore Mode, investigate immediately, as promotion or cloning failed.

    The dcpromo.log is the first place to check for cloning failure. Depending on the failure listed, it may be necessary to subsequently review Directory Services and System logs for further diagnosis.

    Known Issues and Support Scenarios

    The following are common issues seen during the Windows Server 2012 development process. All of these issues are "by design" and have either a valid workaround or a more appropriate technique to avoid them in the first place. Some may be resolved in later releases of Windows Server 2012.

    Issue Cloning fails, DSRM
    Symptoms Clone boots into Directory Services Restore Mode
    Resolution and Notes Validate that all steps were followed from the Deploying Virtualized Domain Controller section and the General Methodology for Troubleshooting Domain Controller Cloning section.

    Described in KB 2742844.

    Issue Extra IP leases when using DHCP to clone
    Symptoms After successfully cloning a DC that uses DHCP, the first boot of the clone takes a DHCP lease. Then, when the server is renamed and restarted as a DC, it takes a second DHCP lease. The first IP address is not released and you end up with a "phantom" lease.
    Resolution and Notes Manually delete the unused address lease in DHCP or allow it to expire normally. Described in KB 2742836.
    Issue Cloning fails into DSRM after very long delay
    Symptoms Cloning appears to pause at "Domain controller cloning is at X% completion" for between 8 and 15 minutes. After this, the cloning fails and boots into DSRM.
    Resolution and Notes The cloned computer cannot get a dynamic IP address from DHCP or SLAAC, or is using a duplicate IP address, or cannot find the PDC. Multiple retry attempts performed by cloning lead to the delay. Resolve the networking issue to allow cloning.

    Described in KB 2742844.

    Issue Cloning does not recreate all service principal names
    Symptoms If a set of three-part service principal names (SPN) includes both a NetBIOS name with a port and an otherwise identical NetBIOS name without a port, the non-port entry is not recreated with the new computer name. For example:

    customspn/DC1:200/app1 - this is recreated with the new computer name

    customspn/DC1/app1 - this is not recreated with the new computer name

    Fully qualified names are recreated and SPNs without three parts are recreated, regardless of ports. For example, these are recreated successfully on the clone:

    customspn/DC1:202 - this is recreated

    customspn/DC1 - this is recreated

    customspn/DC1.corp.contoso.com:202 - this is recreated

    customspn/DC1.corp.contoso.com - this is recreated

    Resolution and Notes This is a limitation of the domain controller rename process in Windows, not just of cloning. Three-part SPNs are not handled by the renaming logic in any scenario. Most included Windows services are unaffected by this, as they recreate any missing SPNs as needed. Other applications may require manually entering the SPN to resolve the issue.

    Described in KB 2742874.
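    As an added example (not part of the original article or of Microsoft's tooling), the following PowerShell function applies the rule above to a list of SPNs and flags the entries the rename logic will not recreate on the clone. The sample SPNs are constructed to match the article's examples; a live list can be pulled from the source DC's servicePrincipalName attribute.

```powershell
# Added example, not the article's or Microsoft's code.
# Rule from the article: a three-part SPN whose host is a NetBIOS name (no dot) and that
# carries no port is NOT recreated when an otherwise identical SPN with a port also exists.
# Everything else (two-part SPNs, FQDN hosts, ported entries) is recreated on rename.
function Test-SpnRenameCoverage {
    param(
        [Parameter(Mandatory)][string[]]$ServicePrincipalNames
    )

    # Parse "class/host[:port][/name]" into its components.
    $parsed = foreach ($spn in $ServicePrincipalNames) {
        $parts    = $spn.Split('/')
        $hostPart = if ($parts.Count -ge 2) { $parts[1] } else { '' }
        $hostName, $port = $hostPart -split ':', 2      # $port is $null when absent
        $name     = if ($parts.Count -ge 3) { $parts[2] } else { $null }
        [pscustomobject]@{
            Spn       = $spn
            Class     = $parts[0]
            Host      = $hostName
            Port      = $port
            Name      = $name
            PartCount = $parts.Count
            IsNetBios = ($hostName -notmatch '\.')
        }
    }

    foreach ($p in $parsed) {
        $recreated = $true
        $reason    = 'Recreated by the rename logic.'
        if ($p.PartCount -eq 3 -and $p.IsNetBios -and -not $p.Port) {
            # Look for a sibling that differs only by carrying a port.
            $sibling = $parsed | Where-Object {
                $_.PartCount -eq 3 -and $_.Port -and
                $_.Class -eq $p.Class -and $_.Host -eq $p.Host -and $_.Name -eq $p.Name
            }
            if ($sibling) {
                $recreated = $false
                $reason = "Not recreated: shadowed by '$(@($sibling)[0].Spn)'. Re-register manually on the clone."
            }
        }
        [pscustomobject]@{ Spn = $p.Spn; Recreated = $recreated; Reason = $reason }
    }
}

# Constructed sample mirroring the article's list. For a real DC use:
#   (Get-ADComputer DC1 -Properties servicePrincipalName).servicePrincipalName
$sample = @(
    'customspn/DC1:200/app1',
    'customspn/DC1/app1',
    'customspn/DC1:202',
    'customspn/DC1',
    'customspn/DC1.corp.contoso.com:202',
    'customspn/DC1.corp.contoso.com'
)
Test-SpnRenameCoverage -ServicePrincipalNames $sample | Format-Table -AutoSize
```

    Only customspn/DC1/app1 is reported as not recreated, matching the article; the function only flags the case the article describes and leaves any other three-part entry marked as recreated.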

    Issue Cloning fails, boots into DSRM, general networking errors
    Symptoms Clone boots into Directory Services Repair Mode. There are general networking errors.
    Resolution and Notes Ensure that the new clone does not have a duplicate static MAC address assigned from the source domain controller; you can see if a VM uses static MAC addresses by running this command on the hypervisor host for both the source and clone virtual machines:

    Get-VM -VMName test-vm | Get-VMNetworkAdapter | fl *

    Change the MAC address to a unique static address or switch to using dynamic MAC addresses.

    Described in KB 2742844.

    Issue Cloning fails, boots into DSRM as a duplicate of the source DC
    Symptoms A new clone boots up without cloning. The dccloneconfig.xml is not renamed and the server starts in DS Restore Mode. The Directory Services event log shows Error 2164

    <COMPUTERNAME> failed to start the DsRoleSvc service to clone the local virtual domain controller.

    Resolution and Notes Examine the service settings for the DS Role Server service (DsRoleSvc) and ensure its start type is set to Manual. Validate that no third party program is preventing the start of this service.

    For more information about how to reclaim this secondary DC while ensuring that updates get replicated outbound, see Microsoft KB article 2742970.

    Issue Cloning fails, boots into DSRM, error 8610
    Symptoms Clone boots into Directory Services Restore Mode. Dcpromo.log shows error 8610 (ERROR_DS_ROLE_NOT_VERIFIED, 8610 or 0x21A2).
    Resolution and Notes This happens when the PDC can be discovered but has not yet performed enough replication to allow it to assume the role; for example, when cloning is started and another administrator moves the PDCE FSMO role to a new DC.

    Described in KB 2742916.

    Issue Cloning fails, boots into DSRM
    Symptoms Clone boots into Directory Services Repair Mode
    Resolution and Notes Ensure that the dccloneconfig.xml contains the schema definition (see SampleDCCloneConfig.xml, line 2):

    <d3c:DCCloneConfig xmlns:d3c="uri:microsoft.com:schemas:DCCloneConfig">

    Described in KB 2742844.

    Issue No logon servers are available error logging into DSRM
    Symptoms Clone boots into Directory Services Repair Mode. You attempt to log on and receive the error:

    There are currently no logon servers available to service the logon request

    Resolution and Notes Ensure you log on with the DSRM administrator account, and not the domain account. Use the left arrow and type a user name of:

    .\administrator

    Described in KB 2742908.

    Issue Clone Source fails into DSRM, error
    Symptoms During cloning, the operation fails with error 8437 "Create clone DC objects on PDC failed" (0x20f5).
    Resolution and Notes Duplicate computer name was set in DCCloneConfig.xml as the source DC or an existing DC. The computer name also needs to be in the NetBIOS computer name format (15 characters or fewer, not an FQDN).

    Fix the dccloneconfig.xml file by setting a unique, valid name.

    Described in KB 2742959.

    Issue New-addccloneconfigfile error «index was out of range»
    Symptoms When running the new-addccloneconfigfile cmdlet, you receive error:

    Index was out of range. Must be non-negative and less than the size of the collection.

    Resolution and Notes You must run the cmdlet in an administrator-elevated Windows PowerShell console. This error is caused by lack of local administrator group membership on the computer.

    Described in KB 2742927.

    Issue Cloning fails, duplicate DC
    Symptoms Clone boots without cloning, duplicates existing source DC
    Resolution and Notes The computer was copied and started but does not contain a DcCloneConfig.xml file in any of the supported locations, and did not have a duplicate IP address with the source domain controller. The DC must be correctly removed in order to avoid data loss.

    Described in KB 2742970.

    Issue New-ADDCCloneConfigFile fails with The server is not operational error when it checks if the source domain controller is a member of the Cloneable Domain controllers group if a GC is not available.
    Symptoms When running New-ADDCCloneConfigFile to create a dccloneconfig.xml file, you receive error:

    The server is not operational

    Resolution and Notes Verify connectivity to a GC from the server where you run New-ADDCCloneConfigFile and verify that the membership of the source domain controller in the Cloneable Domain Controllers group has replicated to that GC.

    Run the following command as a means of flushing the DC locator cache for cases where a GC or DC may have been taken offline recently:

    nltest /dsgetdc: /GC /FORCE

    Advanced Troubleshooting

    This module seeks to teach advanced troubleshooting by using working logs as samples, with some explanation of what occurred. If you understand what a successful virtualized domain controller operation looks like, failures become obvious in your environment. These logs are presented by their source, with the ascending order of expected events (even when they are warnings and errors) related to a cloned domain controller within each log.

    Cloning a Domain Controller

    In this example, the clone domain controller uses DHCP to get an IP address, replicates SYSVOL using FRS or DFSR (see the appropriate log as necessary), is a global catalog, and uses a blank dccloneconfig.xml file.

    Directory Services Event Log

    The Directory Services log contains the majority of event-based cloning operational information. The hypervisor changes the VM-Generation ID and the NTDS service notes it, then invalidates the RID pool and changes the invocation ID. The new VM-Generation ID is set and the server replicates Active Directory data inbound. The DFSR service is stopped and its database that hosts SYSVOL is deleted, forcing a non-authoritative sync inbound. The USN high watermark is adjusted.

    Event ID Source Message
    2160 ActiveDirectory_DomainService The local Active Directory Domain Services has found a virtual domain controller cloning configuration file.

    The virtual domain controller cloning configuration file is found at:

    <path>\DCCloneConfig.xml

    The existence of the virtual domain controller cloning configuration file indicates that the local virtual domain controller is a clone of another virtual domain controller. The Active Directory Domain Services will start to clone itself.

    2191 ActiveDirectory_DomainService Active Directory Domain Services set the following registry value to disable DNS updates.

    Registry Key:

    SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

    Registry Value:

    UseDynamicDns

    Registry Value data:

    0

    During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

    2191 ActiveDirectory_DomainService Active Directory Domain Services set the following registry value to disable DNS updates.

    Registry Key:

    SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

    Registry Value:

    RegistrationEnabled

    Registry Value data:

    0

    During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

    "Information 2/7/2012 3:12:49 PM Microsoft-Windows-ActiveDirectory_DomainService 2191 Internal Configuration" Active Directory Domain Services set the following registry value to disable DNS updates.

    Registry Key:

    SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

    Registry Value:

    DisableDynamicUpdate

    Registry Value data:

    1

    During the cloning process, the local machine may have the same computer name as the clone source machine for a short time. DNS A and AAAA record registration are disabled during this period so clients cannot send requests to the local machine undergoing cloning. The cloning process will enable DNS updates again after cloning is completed.

    2172 ActiveDirectory_DomainService Read the msDS-GenerationId attribute of the Domain Controller’s computer object.

    msDS-GenerationId attribute value:

    <Number>

    2170 ActiveDirectory_DomainService A Generation ID change has been detected.

    Generation ID cached in DS (old value):

    <Number>

    Generation ID currently in VM (new value):

    <Number>

    The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. Active Directory Domain Services will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

    1109 ActiveDirectory_DomainService The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:

    InvocationID attribute (old value):

    <GUID>

    InvocationID attribute (new value):

    <GUID>

    Update sequence number:

    <Number>

    The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

    1000 ActiveDirectory_DomainService Microsoft Active Directory Domain Services startup complete.
    1394 ActiveDirectory_DomainService All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted
    2163 ActiveDirectory_DomainService DsRoleSvc service was started to clone the local virtual domain controller.
    326 NTDS ISAM NTDS (536) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit). (Time=0 seconds)

    Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.016, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.

    Saved Cache: 1

    103 NTDS ISAM NTDS (536) NTDSA: The database engine stopped the instance (0).

    Dirty Shutdown: 0

    Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.032, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

    102 NTDS ISAM NTDS (536) NTDSA: The database engine (6.02.8225.0000) is starting a new instance (0).
    105 NTDS ISAM NTDS (536) NTDSA: The database engine started a new instance (0). (Time=0 seconds)

    Internal Timing Sequence: [1] 0.016, [2] 0.000, [3] 0.015, [4] 0.078, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.046, [10] 0.000, [11] 0.000.

    1004 ActiveDirectory_DomainService Active Directory Domain Services was shut down successfully.
    102 NTDS ISAM NTDS (536) NTDSA: The database engine (6.02.8225.0000) is starting a new instance (0).
    326 NTDS ISAM NTDS (536) NTDSA: The database engine attached a database (1, C:\Windows\NTDS\ntds.dit). (Time=0 seconds)

    Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.016, [4] 0.000, [5] 0.031, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.

    Saved Cache: 1

    105 NTDS ISAM NTDS (536) NTDSA: The database engine started a new instance (0). (Time=1 seconds)

    Internal Timing Sequence: [1] 0.031, [2] 0.000, [3] 0.000, [4] 0.391, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000.

    1109 ActiveDirectory_DomainService The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:

    InvocationID attribute (old value):

    <GUID>

    InvocationID attribute (new value):

    <GUID>

    Update sequence number:

    <Number>

    The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

    1168 ActiveDirectory_DomainService Internal error: An Active Directory Domain Services error has occurred.

    Additional Data

    Error value (decimal):

    2

    Error value (hexadecimal):

    2

    Internal ID:

    7011658

    1110 ActiveDirectory_DomainService Promotion of this domain controller to a global catalog will be delayed for the following interval.

    Interval (minutes):

    5

    This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide

    103 NTDS ISAM NTDS (536) NTDSA: The database engine stopped the instance (0).

    Dirty Shutdown: 0

    Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.047, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.016, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

    1004 ActiveDirectory_DomainService Active Directory Domain Services was shut down successfully.
    1539 ActiveDirectory_DomainService Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.

    Hard disk:

    c:

    Data might be lost during system failures

    2179 ActiveDirectory_DomainService The msDS-GenerationId attribute of the Domain Controller’s computer object has been set to the following parameter:

    GenerationID attribute:

    <Number>

    2173 ActiveDirectory_DomainService Failed to read the msDS-GenerationId attribute of the Domain Controller’s computer object. This may be caused by database transaction failure, or the generation id does not exist in the local database. The msDS-GenerationId does not exist during the first reboot after dcpromo or the DC is not a virtual domain controller.

    Additional Data

    Failure code:

    6

    1000 ActiveDirectory_DomainService Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0
    1394 ActiveDirectory_DomainService All problems preventing updates to the Active Directory Domain Services database have been cleared. New updates to the Active Directory Domain Services database are succeeding. The Net Logon service has restarted.
    1128 ActiveDirectory_DomainService (Knowledge Consistency Checker) A replication connection was created from the following source directory service to the local directory service.

    Source directory service:

    CN=NTDS Settings,<Domain Controller DN>

    Local directory service:

    CN=NTDS Settings, <Domain Controller DN>

    Additional Data

    Reason Code:

    0x2

    Creation Point Internal ID:

    f0a025d

    1999 ActiveDirectory_DomainService The source directory service has optimized the update sequence number (USN) presented by the destination directory service. The source and destination directory services have a common replication partner. The destination directory service is up to date with the common replication partner, and the source directory service was installed using a backup of this partner.

    Destination directory service ID:

    <GUID> (<FQDN>)

    Common directory service ID:

    <GUID>

    Common property USN:

    <Number>

    As a result, the up-to-dateness vector of the destination directory service has been configured with the following settings.

    Previous object USN:

    0

    Previous property USN:

    0

    Database GUID:

    <GUID>

    Object USN:

    <Number>

    Property USN:

    <Number>

    System Event Log

    The next indications of cloning operations are in the System Event log. As the hypervisor tells the guest computer that it was cloned or restored from a snapshot, the domain controller immediately invalidates its RID pool to avoid duplicating security principals later. As cloning proceeds, various expected operations and messages appear, mostly around services starting and stopping and some expected errors caused by this. When completed the System event log notes overall cloning success.

    Event ID Source Message
    16654 Directory-Services-SAM A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases:

    1. A domain controller is restored from backup.

    2. A domain controller running on a virtual machine is restored from snapshot.

    3. An administrator has manually invalidated the pool

    7036 Service Control Manager The Active Directory Domain Services service entered the running state.
    7036 Service Control Manager The Kerberos Key Distribution Center service entered the running state.
    3096 Netlogon The primary Domain Controller for this domain could not be located.
    7036 Service Control Manager The Security Accounts Manager service entered the running state.
    7036 Service Control Manager The Server service entered the running state.
    7036 Service Control Manager The Netlogon service entered the running state.
    7036 Service Control Manager The Active Directory Web Services service entered the running state.
    7036 Service Control Manager The DFS Replication service entered the running state.
    7036 Service Control Manager The File Replication Service service entered the running state.
    14533 Microsoft-Windows-DfsSvc DFS has finished building all namespaces.
    14531 Microsoft-Windows-DfsSvc DFS server has finished initializing.
    7036 Service Control Manager The DFS Namespace service entered the running state.
    7023 Service Control Manager The Intersite Messaging service terminated with the following error:

    The specified server cannot perform the requested operation.

    7036 Service Control Manager The Intersite Messaging service entered the stopped state.
    5806 Netlogon Dynamic updates have been manually disabled on this domain controller.

    USER ACTION

    Reconfigure this domain controller to use dynamic updates or manually add the DNS records from the file '%SystemRoot%\System32\Config\Netlogon.dns' to the DNS database.

    16651 Directory-Services-SAM The request for a new account-identifier pool failed. The operation will be retried until the request succeeds. The error is

    The requested FSMO operation failed. The current FSMO holder could not be contacted.

    7036 Service Control Manager The DNS Server service entered the running state.
    7036 Service Control Manager The DS Role Server service entered the running state.
    7036 Service Control Manager The Netlogon service entered the stopped state.
    7036 Service Control Manager The File Replication Service service entered the stopped state.
    7036 Service Control Manager The Kerberos Key Distribution Center service entered the stopped state.
    7036 Service Control Manager The DNS Server service entered the stopped state.
    7036 Service Control Manager The Active Directory Domain Services service entered the stopped state.
    7036 Service Control Manager The Netlogon service entered the running state.
    7040 Service Control Manager The start type of the Active Directory Domain Services service was changed from auto start to disabled.
    7036 Service Control Manager The Netlogon service entered the stopped state.
    7036 Service Control Manager The File Replication Service service entered the running state.
    29219 DirectoryServices-DSROLE-Server Virtual domain controller cloning succeeded.
    29223 DirectoryServices-DSROLE-Server This server is now a Domain Controller.
    29265 DirectoryServices-DSROLE-Server Virtual domain controller cloning succeeded. The virtual domain controller cloning configuration file C:\Windows\NTDS\DCCloneConfig.xml has been renamed to C:\Windows\NTDS\DCCloneConfig.20120207-151533.xml.
    1074 User32 The process C:\Windows\system32\lsass.exe (DC2) has initiated the restart of computer DC2 on behalf of user NT AUTHORITY\SYSTEM for the following reason: Operating System: Reconfiguration (Planned)

    Reason Code: 0x80020004

    Shutdown Type: restart

    Comment:
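
    As an added example (not code from the module above): a small Python check that correlates exported Directory Service and System log records into the cloning sequence the two tables describe, so a defender can tell a completed clone from a generation ID change that came from a snapshot restore, import or live migration (2170 with no 2160) or from a clone that never logged success (2160 with no 29219). The record shape, field names and timestamps are constructed; a real export from Get-WinEvent or a SIEM would be mapped onto the same fields.

```python
from datetime import datetime

# Constructed sample records, shaped like a CSV export of the "Directory Service"
# and "System" logs of a cloned DC. Event IDs and first message lines are the ones
# shown in the tables on this page; the timestamps are invented.
SAMPLE_EVENTS = [
    {"time": "2012-02-07 15:12:40", "log": "Directory Service", "id": 2160,
     "msg": "The local Active Directory Domain Services has found a virtual domain controller cloning configuration file."},
    {"time": "2012-02-07 15:12:49", "log": "Directory Service", "id": 2191,
     "msg": "Active Directory Domain Services set the following registry value to disable DNS updates."},
    {"time": "2012-02-07 15:12:50", "log": "Directory Service", "id": 2170,
     "msg": "A Generation ID change has been detected."},
    {"time": "2012-02-07 15:12:50", "log": "Directory Service", "id": 1109,
     "msg": "The invocationID attribute for this directory server has been changed."},
    {"time": "2012-02-07 15:12:51", "log": "System", "id": 16654,
     "msg": "A pool of account-identifiers (RIDs) has been invalidated."},
    {"time": "2012-02-07 15:15:33", "log": "System", "id": 29219,
     "msg": "Virtual domain controller cloning succeeded."},
]

# The order in which the Directory Services and System log tables above show these events.
EXPECTED_ORDER = [2160, 2170, 1109, 16654, 29219]


def _sorted(events):
    """Order records by their timestamp (ISO-like string, constructed format)."""
    return sorted(events, key=lambda e: datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S"))


def assess_clone(events):
    """Classify one boot's worth of records; returns (verdict, list of findings)."""
    seen = {}
    for e in _sorted(events):
        seen.setdefault(e["id"], e["time"])  # keep the first occurrence of each ID
    findings = []
    has_config = 2160 in seen      # DCCloneConfig.xml was found: a clone was intended
    gen_changed = 2170 in seen     # hypervisor changed the VM-Generation ID

    if gen_changed and not has_config:
        findings.append("Generation ID changed (2170) with no DCCloneConfig.xml found (2160): "
                        "looks like a snapshot restore, import or live migration, not a clone")
    if gen_changed and 1109 not in seen:
        findings.append("Generation ID changed but no invocationID change (1109) was logged")
    if gen_changed and 16654 not in seen:
        findings.append("Generation ID changed but the RID pool was not invalidated (16654)")
    if has_config and 29219 not in seen:
        findings.append("Cloning started (2160) but no success event (29219) was logged")

    # The events that did appear must come in the documented order.
    present = [i for i in EXPECTED_ORDER if i in seen]
    times = [seen[i] for i in present]
    if times != sorted(times):
        findings.append("Cloning events appeared out of the documented order: %s" % present)

    if not gen_changed and not has_config:
        verdict = "no-clone-activity"
    elif findings:
        verdict = "suspicious" if not has_config else "incomplete"
    else:
        verdict = "clean-clone"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = assess_clone(SAMPLE_EVENTS)
    print(verdict)
    for f in findings:
        print(" -", f)
```

    The verdicts are deliberately coarse: "suspicious" only says that the directory recognised a generation ID change without a clone being requested, which is exactly the snapshot-restore situation the 2170 and 1109 messages warn against; whether it was a sanctioned migration is for the change record to answer.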

    DCPROMO.LOG

    The Dcpromo.log contains the actual promotion portion of cloning that the Directory Services event log does not describe. Since the log does not provide the level of explanation that the event log entries impart, this section of the module contains additional annotation.

    In the promotion process, cloning starts, the DC is scrubbed of its current configuration and re-promoted using the existing AD database (much like an IFM promotion), then the DC replicates inbound change deltas of AD and SYSVOL, and cloning is complete.

    [!NOTE]
    The log has been modified in this module for readability, by removing the date column.

    For further explanation of the dcpromo.log, see Understand and Troubleshoot AD DS Simplified Administration in Windows Server 2012:

    https://go.microsoft.com/fwlink/p/?LinkId=237244

    • Start clone-based promotion

    • Set the Directory Services Restore Mode flag so that the server does not boot back up normally as the original clone and cause naming or Directory Service collisions

    • Update the Directory Services event log

    15:14:01 [INFO] vDC Cloneing: Setting Boot into DSRM flag succeeded.
    15:14:01 [WARNING] Cannot get user Token for Format Message: 1725l
    15:14:01 [INFO] vDC Cloning: Created vDCCloningUpdate event.
    15:14:01 [INFO] vDC Cloning: Created vDCCloningComplete event.
    
    • Stop the NetLogon service so that the domain controller does not advertise
    15:14:01 [INFO] Stopping service NETLOGON
    15:14:01 [INFO] ControlService(STOP) on NETLOGON returned 1(gle=0)
    15:14:01 [INFO] DsRolepWaitForService: waiting for NETLOGON to enter one of 7 states
    15:14:01 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:02 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=1
    15:14:02 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
    15:14:02 [INFO] DsRolepWaitForService(for any end state) on NETLOGON service returned 0
    15:14:02 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
    15:14:02 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
    15:14:02 [INFO] StopService on NETLOGON returned 0
    15:14:02 [INFO] Configuring service NETLOGON to 1 returned 0
    15:14:02 [INFO] Updating service status to 4
    15:14:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    
    • Examine the dccloneconfig.xml file for administrator-specified customizations.

    • In this sample case it is a blank file, so all settings are automatically generated and automatic IP addressing is required from the network

    15:14:02 [INFO] vDC Cloning: Clone config file C:\Windows\NTDS\DCCloneConfig.xml is considered to be a blank file (containing 0 bytes)
    15:14:02 [INFO] vDC Cloning: Parsing clone config file C:\Windows\NTDS\DCCloneConfig.xml returned HRESULT 0x0
    
    • Validate that there are no services or programs installed that are not part of the DefaultDCCloneAllowList.xml or CustomDCCloneAllowList.xml
    15:14:02 [INFO] vDC Cloning: Checking allowed list:
    15:14:03 [INFO] vDC Cloning: Completed checking allowed list:
    15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    
    • Enable DHCP on the network adapters, since IP information was not specified by the administrator
    15:14:03 [INFO] vDC Cloning: Enable DHCP:
    15:14:03 [INFO] WMI Instance: Win32_NetworkAdapterConfiguration.Index=12
    15:14:03 [INFO] Method: EnableDHCP
    15:14:03 [INFO] HRESULT code: 0x0 (0)
    15:14:03 [INFO] Return Value: 0x0 (0)
    15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:14:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    
    • Locate the PDC emulator

    • Set the clone’s site (automatically generated in this case)

    • Set the clone’s name (automatically generated in this case)

    15:14:03 [INFO] vDC Cloning: Found PDC. Name: DC1.root.fabrikam.com
    15:14:04 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:14:04 [INFO] vDC Cloning: Winlogon UI Notification #1: Domain Controller cloning is at 5% completion...
    15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #2: Domain Controller cloning is at 10% completion...
    15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:14:05 [INFO] Site of the cloned DC: Default-First-Site-Name
    
    • Create the new clone computer object

    • Rename the clone to match the new name

    15:14:05 [INFO] vDC Cloning: Clone DC objects are created on PDC.
    15:14:05 [INFO] Name of the cloned DC: DC2-CL0001
    15:14:05 [INFO] DsRolepSetRegStringValue on System\CurrentControlSet\Services\NTDS\Parameters\CloneMachineName to DC2-CL0001 returned 0
    15:14:05 [INFO] vDC Cloning: Save CloneMachineName in registry: 0x0 (0)
    
    • Provide the promotion settings, based on previous dccloneconfig.xml or automatic generation rules
    15:14:05 [INFO] vDC Cloning: Promotion parameters setting:
    15:14:05 [INFO] DNS Domain Name: root.fabrikam.com
    15:14:05 [INFO] Replica Partner: \\DC1.root.fabrikam.com
    15:14:05 [INFO] Site Name: Default-First-Site-Name
    15:14:05 [INFO] DS Database Path: C:\Windows\NTDS
    15:14:05 [INFO] DS Log Path: C:\Windows\NTDS
    15:14:05 [INFO] SysVol Root Path: C:\Windows\SYSVOL
    15:14:05 [INFO] Account: root.fabrikam.com\DC2-CL0001$
    15:14:05 [INFO] Options: DSROLE_DC_CLONING (0x800400)
    
    • Start promotion
    15:14:05 [INFO] Promote DC as a clone
    15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #3: Domain Controller cloning is at 15% completion...
    15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #4: Domain Controller cloning is at 16% completion...
    15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:14:05 [INFO] Validate supplied paths
    15:14:05 [INFO] Validating path C:\Windows\NTDS.
    15:14:05 [INFO] Path is a directory
    15:14:05 [INFO] Path is on a fixed disk drive.
    15:14:05 [INFO] Validating path C:\Windows\NTDS.
    15:14:05 [INFO] Path is a directory
    15:14:05 [INFO] Path is on a fixed disk drive.
    15:14:05 [INFO] Validating path C:\Windows\SYSVOL.
    15:14:05 [INFO] Path is on a fixed disk drive.
    15:14:05 [INFO] Path is on an NTFS volume
    15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #5: Domain Controller cloning is at 17% completion...
    15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:14:05 [INFO] Start the worker task
    15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #6: Domain Controller cloning is at 20% completion...
    15:14:05 [INFO] Request for promotion returning 0
    15:14:05 [INFO] vDC Cloning: Winlogon UI Notification #7: Domain Controller cloning is at 21% completion...
    15:14:05 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    
    • Stop and configure all of the AD DS-related services (NTDS, NTFRS/DFSR, KDC, DNS)

    [!NOTE]
    The DNS service taking a long time to shutdown is expected in this scenario, as it is using AD-integrated zones that were no longer available even before the NTDS service stopped — see the DNS events described later in this section of the module.

    15:14:15 [INFO] Stopping service NTDS
    15:14:15 [INFO] Stopping service NtFrs
    15:14:15 [INFO] ControlService(STOP) on NtFrs returned 1(gle=0)
    15:14:15 [INFO] DsRolepWaitForService: waiting for NtFrs to enter one of 7 states
    15:14:15 [INFO] DsRolepWaitForService: QueryServiceStatus on NtFrs returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:16 [INFO] DsRolepWaitForService: QueryServiceStatus on NtFrs returned 1 (gle=0), SvcStatus.dwCS=1
    15:14:16 [INFO] DsRolepWaitForService: exiting because NtFrs entered STOPPED state
    15:14:16 [INFO] DsRolepWaitForService(for any end state) on NtFrs service returned 0
    15:14:16 [INFO] ControlService(STOP) on NtFrs returned 0(gle=1062)
    15:14:16 [INFO] Exiting service-stop loop after service NtFrs entered STOPPED state
    15:14:16 [INFO] StopService on NtFrs returned 0
    15:14:16 [INFO] Configuring service NtFrs to 1 returned 0
    15:14:16 [INFO] Stopping service Kdc
    15:14:16 [INFO] ControlService(STOP) on Kdc returned 1(gle=0)
    15:14:16 [INFO] DsRolepWaitForService: waiting for Kdc to enter one of 7 states
    15:14:16 [INFO] DsRolepWaitForService: QueryServiceStatus on Kdc returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:17 [INFO] DsRolepWaitForService: QueryServiceStatus on Kdc returned 1 (gle=0), SvcStatus.dwCS=1
    15:14:17 [INFO] DsRolepWaitForService: exiting because Kdc entered STOPPED state
    15:14:17 [INFO] DsRolepWaitForService(for any end state) on Kdc service returned 0
    15:14:17 [INFO] ControlService(STOP) on Kdc returned 0(gle=1062)
    15:14:17 [INFO] Exiting service-stop loop after service Kdc entered STOPPED state
    15:14:17 [INFO] StopService on Kdc returned 0
    15:14:17 [INFO] Configuring service Kdc to 1 returned 0
    15:14:17 [INFO] Stopping service DNS
    15:14:17 [INFO] ControlService(STOP) on DNS returned 1(gle=0)
    15:14:17 [INFO] DsRolepWaitForService: waiting for DNS to enter one of 7 states
    15:14:17 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:18 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:19 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:20 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:21 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:22 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:23 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:24 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:25 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:26 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:27 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:28 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:29 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:30 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:31 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:32 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:33 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:34 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:35 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:36 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:37 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:38 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:39 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:40 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:41 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:42 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:43 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:44 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:45 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:46 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:47 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:48 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:49 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:50 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:51 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:52 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:53 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:54 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:55 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:56 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:57 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:58 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:14:59 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
    15:15:00 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=1
    15:15:00 [INFO] DsRolepWaitForService: exiting because DNS entered STOPPED state
    15:15:00 [INFO] DsRolepWaitForService(for any end state) on DNS service returned 0
    15:15:00 [INFO] ControlService(STOP) on DNS returned 0(gle=1062)
    15:15:00 [INFO] Exiting service-stop loop after service DNS entered STOPPED state
    15:15:00 [INFO] StopService on DNS returned 0
    15:15:00 [INFO] Configuring service DNS to 1 returned 0
    15:15:00 [INFO] ControlService(STOP) on NTDS returned 1(gle=1062)
    15:15:00 [INFO] DsRolepWaitForService: waiting for NTDS to enter one of 7 states
    15:15:00 [INFO] DsRolepWaitForService: QueryServiceStatus on NTDS returned 1 (gle=0), SvcStatus.dwCS=3
    15:15:01 [INFO] DsRolepWaitForService: QueryServiceStatus on NTDS returned 1 (gle=0), SvcStatus.dwCS=1
    15:15:01 [INFO] DsRolepWaitForService: exiting because NTDS entered STOPPED state
    15:15:01 [INFO] DsRolepWaitForService(for any end state) on NTDS service returned 0
    15:15:01 [INFO] ControlService(STOP) on NTDS returned 0(gle=1062)
    15:15:01 [INFO] Exiting service-stop loop after service NTDS entered STOPPED state
    15:15:01 [INFO] StopService on NTDS returned 0
    15:15:01 [INFO] Configuring service NTDS to 1 returned 0
    15:15:01 [INFO] Configuring service NTDS
    15:15:01 [INFO] Configuring service NTDS to 64 returned 0
    15:15:01 [INFO] vDC Cloning: Winlogon UI Notification #8: Domain Controller cloning is at 22% completion...
    15:15:01 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:15:01 [INFO] vDC Cloning: Winlogon UI Notification #9: Domain Controller cloning is at 25% completion...
    15:15:01 [INFO] vDC Cloning: Set vDCCloningUpdate event.
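
    Added example, not from the original module: a Python parser for dcpromo.log lines in the shape shown above that measures how long each service-stop loop took and collects WARNING lines, so the slow DNS stop that the note above calls expected shows up as a number instead of forty-odd repeated QueryServiceStatus lines, and an unexpectedly slow stop of some other service stands out the same way. The excerpt is constructed from the lines above with most of the polling lines removed; the function and regex names are the example's own.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt modelled on the dcpromo.log lines on this page (polling lines trimmed).
SAMPLE_LOG = """\
15:14:15 [INFO] Stopping service NTDS
15:14:15 [INFO] Stopping service NtFrs
15:14:15 [INFO] ControlService(STOP) on NtFrs returned 1(gle=0)
15:14:16 [INFO] Exiting service-stop loop after service NtFrs entered STOPPED state
15:14:16 [INFO] Stopping service Kdc
15:14:17 [INFO] Exiting service-stop loop after service Kdc entered STOPPED state
15:14:17 [INFO] Stopping service DNS
15:14:18 [INFO] DsRolepWaitForService: QueryServiceStatus on DNS returned 1 (gle=0), SvcStatus.dwCS=3
15:15:00 [INFO] Exiting service-stop loop after service DNS entered STOPPED state
15:15:01 [INFO] Exiting service-stop loop after service NTDS entered STOPPED state
15:15:01 [WARNING] Cannot get user Token for Format Message: 1725l
"""

# "HH:MM:SS [LEVEL] message" is the shape of the lines once the date column is removed.
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) \[(\w+)\] (.*)$")
STOP_START_RE = re.compile(r"^Stopping service (\S+)$")
STOP_END_RE = re.compile(r"^Exiting service-stop loop after service (\S+) entered STOPPED state$")


def parse_lines(text):
    """Yield (time, level, message) for every line that matches the log shape."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2), m.group(3)


def service_stop_durations(text):
    """Map each service (upper-cased) to the seconds between 'Stopping service X'
    and the matching 'Exiting service-stop loop ... X entered STOPPED state'."""
    started = {}
    durations = {}
    for t, _level, msg in parse_lines(text):
        m = STOP_START_RE.match(msg)
        if m:
            # The real log repeats "Stopping service NETLOGON"; the first one counts.
            started.setdefault(m.group(1).upper(), t)
            continue
        m = STOP_END_RE.match(msg)
        if m:
            name = m.group(1).upper()
            if name in started:
                delta = t - started.pop(name)
                if delta < timedelta(0):  # the time-only stamps wrapped past midnight
                    delta += timedelta(days=1)
                durations[name] = int(delta.total_seconds())
    return durations


def slow_stops(text, threshold_seconds=10):
    """Services whose stop took longer than the threshold, slowest first."""
    return sorted(((s, d) for s, d in service_stop_durations(text).items()
                   if d > threshold_seconds), key=lambda sd: -sd[1])


def warnings(text):
    """Messages logged at WARNING or ERROR level, in log order."""
    return [msg for _t, level, msg in parse_lines(text) if level in ("WARNING", "ERROR")]


if __name__ == "__main__":
    for service, seconds in service_stop_durations(SAMPLE_LOG).items():
        print("%-8s stopped in %3d s" % (service, seconds))
    print("slow:", slow_stops(SAMPLE_LOG))
    print("warnings:", warnings(SAMPLE_LOG))
```

    NTDS is reported as the slowest stop only because its stop request at 15:14:15 waits for NtFrs, Kdc and DNS to finish first; the 43 seconds for DNS is the delay the note above attributes to AD-integrated zones being unavailable.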
    
    • Force NT5DS (NTP) time synchronization with another domain controller (typically the PDCE)
    15:15:02 [INFO] Forcing time sync
    
    • Contact a domain controller that holds the source domain controller account of the clone

    • Flush any existing Kerberos tickets

    15:15:02 [INFO] Searching for a domain controller for the domain root.fabrikam.com that contains the account DC2$
    15:15:02 [INFO] Located domain controller DC1.root.fabrikam.com for domain root.fabrikam.com
    15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #10: Domain Controller cloning is at 26% completion...
    15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:15:02 [INFO] Directing kerberos authentication to DC1.root.fabrikam.com returns 0
    15:15:02 [INFO] DsRolepFlushKerberosTicketCache() successfully flushed the Kerberos ticket cache
    15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #11: Domain Controller cloning is at 27% completion...
    15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:15:02 [INFO] Using site Default-First-Site-Name for server \\DC1.root.fabrikam.com
    15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:15:02 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    
    • Stop the NetLogon service and set its start type
    15:15:02 [INFO] Stopping service NETLOGON
    15:15:02 [INFO] Stopping service NETLOGON
    15:15:02 [INFO] vDC Cloning: Winlogon UI Notification #12: Domain Controller cloning is at 29% completion...
    15:15:02 [INFO] ControlService(STOP) on NETLOGON returned 1(gle=0)
    15:15:02 [INFO] DsRolepWaitForService: waiting for NETLOGON to enter one of 7 states
    15:15:02 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=3
    15:15:03 [INFO] DsRolepWaitForService: QueryServiceStatus on NETLOGON returned 1 (gle=0), SvcStatus.dwCS=1
    15:15:03 [INFO] DsRolepWaitForService: exiting because NETLOGON entered STOPPED state
    15:15:03 [INFO] DsRolepWaitForService(for any end state) on NETLOGON service returned 0
    15:15:03 [INFO] ControlService(STOP) on NETLOGON returned 0(gle=1062)
    15:15:03 [INFO] Exiting service-stop loop after service NETLOGON entered STOPPED state
    15:15:03 [INFO] StopService on NETLOGON returned 0
    15:15:03 [INFO] Configuring service NETLOGON to 1 returned 0
    15:15:03 [INFO] Stopped NETLOGON
    15:15:03 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:15:03 [INFO] vDC Cloning: Winlogon UI Notification #13: Domain Controller cloning is at 30% completion...
    
    • Configure the DFSR/NTFRS services to run automatically

    • Delete their existing database files to force non-authoritative sync of SYSVOL when the service next starts

    15:15:03 [INFO] Configuring service DFSR
    15:15:03 [INFO] Configuring service DFSR to 256 returned 0
    15:15:03 [INFO] Configuring service NTFRS
    15:15:03 [INFO] Configuring service NTFRS to 256 returned 0
    15:15:03 [INFO] Removing DFSR Database files for SysVol
    15:15:03 [INFO] Removing FRS Database files in C:\Windows\ntfrs\jet
    15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edb.log
    15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbres00001.jrs
    15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbres00002.jrs
    15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\log\edbtmp.log
    15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\ntfrs.jdb
    15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\sys\edb.chk
    15:15:03 [INFO] Removed C:\Windows\ntfrs\jet\temp\tmp.edb
    15:15:04 [INFO] Created system volume path
    15:15:04 [INFO] Configuring service DFSR
    15:15:04 [INFO] Configuring service DFSR to 128 returned 0
    15:15:04 [INFO] Configuring service NTFRS
    15:15:04 [INFO] Configuring service NTFRS to 128 returned 0
    15:15:04 [INFO] vDC Cloning: Winlogon UI Notification #14: Domain Controller cloning is at 40% completion...
    15:15:04 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    
    • Start the promotion process using the existing NTDS database file

    • Contact the RID Master

    [!NOTE]
    The AD DS service is not actually installed here; this is legacy instrumentation in the log.

    15:15:04 [INFO] Installing the Directory Service
    15:15:04 [INFO] Calling NtdsInstall for root.fabrikam.com
    15:15:04 [INFO] Starting Active Directory Domain Services installation
    15:15:04 [INFO] Validating user supplied options
    15:15:04 [INFO] Determining a site in which to install
    15:15:04 [INFO] Examining an existing forest...
    15:15:04 [INFO] Starting a replication cycle between DC1.root.fabrikam.com and the RID operations master (2008r2-01.root.fabrikam.com), so that the new replica will be able to create users, groups, and computer objects...
    15:15:04 [INFO] Configuring the local computer to host Active Directory Domain Services
    15:15:04 [INFO] EVENTLOG (Warning): NTDS General / Service Control : 1539
    Active Directory Domain Services could not disable the software-based disk write cache on the following hard disk.
    Hard disk:
    c:
    Data might be lost during system failures.
    15:15:10 [INFO] EVENTLOG (Informational): NTDS General / Internal Processing : 2041
    Duplicate event log entries were suppressed.
    See the previous event log entry for details. An entry is considered a duplicate if
    the event code and all of its insertion parameters are identical. The time period for
    this run of duplicates is from the time of the previous event to the time of this event.
    Event Code:
    80000603
    Number of duplicate entries:
    2
    15:15:10 [INFO] EVENTLOG (Informational): NTDS General / Internal Configuration : 2121
    This Active Directory Domain Services server is disabling the Recycle Bin. Deleted objects may not be undeleted at this time.
    
    • Change the existing invocation ID that existed in the source computer's database

    • Create a new NTDS Settings object for this clone

    • Replicate in AD object delta from the partner domain controller

    [!NOTE]
    Even though all objects are listed as replicated, this is just metadata needed to subsume the updates. All the unchanged objects in the cloned NTDS database already exist and do not require replication again, just like using IFM-based promotion.

    15:15:10 [INFO] EVENTLOG (Informational): NTDS Replication / Replication : 1109
    The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:
    InvocationID attribute (old value):
    24e7b22f-4706-402d-9b4f-f2690f730b40
    InvocationID attribute (new value):
    f74cefb2-89c2-442c-b1ba-3234b0ed62f8
    Update sequence number:
    20520
    The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.
    15:15:10 [INFO] EVENTLOG (Error): NTDS General / Internal Processing : 1168
    Internal error: An Active Directory Domain Services error has occurred.
    Additional Data
    Error value (decimal):
    2
    Error value (hexadecimal):
    2
    Internal ID:
    7011658
    15:15:11 [INFO] Creating the NTDS Settings object for this Active Directory Domain Controller on the remote AD DC DC1.root.fabrikam.com...
    15:15:11 [INFO] Replicating the schema directory partition
    15:15:11 [INFO] Replicated the schema container.
    15:15:12 [INFO] Active Directory Domain Services updated the schema cache.
    15:15:12 [INFO] Replicating the configuration directory partition
    15:15:12 [INFO] Replicating data CN=Configuration,DC=root,DC=fabrikam,DC=com: Received 2612 out of approximately 2612 objects and 94 out of approximately 94 distinguished name (DN) values...
    15:15:12 [INFO] Replicated the configuration container.
    15:15:13 [INFO] Replicating critical domain information...
    15:15:13 [INFO] Replicating data DC=root,DC=fabrikam,DC=com: Received 109 out of approximately 109 objects and 35 out of approximately 35 distinguished name (DN) values...
    15:15:13 [INFO] Replicated the critical objects in the domain container.
    
    • Populate the GC partitions as needed with any missing updates

    • Complete the critical AD DS portion of the promotion

    15:15:13 [INFO] EVENTLOG (Informational): NTDS General / Global Catalog : 1110
    Promotion of this domain controller to a global catalog will be delayed for the following interval.
    Interval (minutes):
    5
    This delay is necessary so that the required directory partitions can be prepared before the global catalog is advertised. In the registry, you can specify the number of seconds that the directory system agent will wait before promoting the local domain controller to a global catalog. For more information about the Global Catalog Delay Advertisement registry value, see the Resource Kit Distributed Systems Guide.
    15:15:14 [INFO] EVENTLOG (Informational): NTDS General / Service Control : 1000
    Microsoft Active Directory Domain Services startup complete, version 6.2.8225.0
    15:15:15 [INFO] Creating new domain users, groups, and computer objects
    15:15:16 [INFO] Completing Active Directory Domain Services installation
    15:15:16 [INFO] NtdsInstall for root.fabrikam.com returned 0
    15:15:16 [INFO] DsRolepInstallDs returned 0
    15:15:16 [INFO] Installed Directory Service
    
    • Complete the inbound replication of SYSVOL
    15:15:16 [INFO] vDC Cloning: Winlogon UI Notification #15: Domain Controller cloning is at 60% completion...
    15:15:16 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:15:18 [INFO] Completed system volume replication
    15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #16: Domain Controller cloning is at 70% completion...
    15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:15:18 [INFO] SetProductType to 2 [LanmanNT] returned 0
    15:15:18 [INFO] Set the product type
    15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #17: Domain Controller cloning is at 71% completion...
    15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #18: Domain Controller cloning is at 72% completion...
    15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:15:18 [INFO] Set the system volume path for NETLOGON
    15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #19: Domain Controller cloning is at 73% completion...
    15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:15:18 [INFO] Replicating non critical information
    15:15:18 [INFO] User specified to not replicate non-critical data
    15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #20: Domain Controller cloning is at 80% completion...
    15:15:18 [INFO] Stopped the DS
    15:15:18 [INFO] vDC Cloning: Set vDCCloningUpdate event.
    15:15:18 [INFO] vDC Cloning: Winlogon UI Notification #21: Domain Controller cloning is at 90% completion...
    15:15:18 [INFO] Configuring service NTDS
    15:15:18 [INFO] Configuring service NTDS to 16 returned 0
    
    • Enable client DNS registration
    15:15:18 [INFO] vDC Cloning: Set DisableDynamicUpdate reg value to 0 to enable dynamic update records registration.
    15:15:18 [INFO] vDC Cloning: Set UseDynamicDns reg value to 1 to enable dynamic update records registration.
    15:15:18 [INFO] vDC Cloning: Set RegistrationEnabled reg value to 1 to enable dynamic update records registration.
    
    • Run the SYSPREP modules specified by the DefaultDCCloneAllowList.xml <SysprepInformation> element.
    15:15:18 [INFO] vDC Cloning: Running sysprep providers.
    15:15:32 [INFO] vDC Cloning: Completed running sysprep providers.
    
    • Cloning promotion is complete

    • Remove the DSRM boot flag so the server boots normally next time

    • Rename the dccloneconfig.xml so that it is not read again at next bootup

    • Restart the computer

    15:15:32 [INFO] The attempted domain controller operation has completed
    15:15:32 [INFO] Updating service status to 4
    15:15:32 [INFO] DsRolepSetOperationDone returned 0
    15:15:32 [INFO] vDC Cloning: Set vDCCloningComplete event.
    15:15:32 [INFO] vDC Cloneing: Clearing Boot into DSRM flag succeeded.
    15:15:32 [INFO] vDC Cloning: Winlogon UI Notification #22: Cloning Domain Controller succeeded. Now rebooting...
    15:15:33 [INFO] vDC Cloning: Renamed vDC clone configuration file.
    15:15:33 [INFO] vDC Cloning: The old name is: C:\Windows\NTDS\DCCloneConfig.xml
    15:15:33 [INFO] vDC Cloning: The new name is: C:\Windows\NTDS\DCCloneConfig.20120207-151533.xml
    15:15:34 [INFO] vDC Cloning: Release Ipv4 on interface 'Wired Ethernet Connection 2', result=0.
    15:15:34 [INFO] vDC Cloning: Release Ipv6 on interface 'Wired Ethernet Connection 2', result=0.
    15:15:34 [INFO] Rebooting machine
    
    Active Directory Web Services Event Log

    While cloning is occurring, the NTDS.DIT database is often offline for extended periods. The ADWS service logs at least one event for this. After cloning is complete, the ADWS service starts, notes that there is not yet a valid computer certificate (there may or may not be one, depending on whether your environment deploys a Microsoft PKI with auto-enrollment) and then starts the instance for the new domain controller.

    Event ID Source Message
    1202 ADWS Instance Events This computer is now hosting the specified directory instance, but Active Directory Web Services could not service it. Active Directory Web Services will retry this operation periodically.

    Directory instance: NTDS

    Directory instance LDAP port: 389

    Directory instance SSL port: 636

    1000 ADWS Instance Events Active Directory Web Services is starting
    1008 ADWS Instance Events Active Directory Web Services has successfully reduced its security privileges
    1100 ADWS Instance Events The values specified in the <appsettings> section of the configuration file for Active Directory Web Services have been loaded without errors.
    1400 ADWS Certificate Events Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections, verify that a valid server authentication certificate from a trusted Certification Authority (CA) is installed on the machine.

    Certificate name: <Server FQDN>

    1100 ADWS Instance Events The values specified in the <appsettings> section of the configuration file for Active Directory Web Services have been loaded without errors.
    1200 ADWS Instance Events Active Directory Web Services is now servicing the specified directory instance.

    Directory instance: NTDS

    Directory instance LDAP port: 389

    Directory instance SSL port: 636

    DNS Server Event Log

    The DNS service will experience brief expected outages while cloning occurs, as the DNS service is still running while the AD DS database is offline. This occurs if using Active Directory Integrated DNS, but not if using Standard Primary or Secondary DNS. These errors log multiple times. After cloning completes, DNS comes back online normally.

    Event ID Source Message
    4013 DNS-Server-Service The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
    4015 DNS-Server-Service The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
    4000 DNS-Server-Service The DNS server was unable to open Active Directory. This DNS server is configured to obtain and use information from the directory for this zone and is unable to load the zone without it. Check that the Active Directory is functioning properly and reload the zone. The event data is the error code.
    4013 DNS-Server-Service The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed.
    2 DNS-Server-Service The DNS server has started.
    4 DNS-Server-Service The DNS server has finished the background loading of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.
    File Replication Service Event Log

    The File Replication Service synchronizes non-authoritatively from a partner during cloning. Cloning accomplishes this by deleting the NTFRS database files and leaving the contents of SYSVOL untouched, for use as pre-seeded data. The two attempts to synchronize are expected.

    Event ID Source Message
    13562 NtFrs Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller DC2.root.fabrikam.com for FRS replica set configuration information.

    Could not bind to a Domain Controller. Will try again at next polling cycle

    13502 NtFrs The File Replication Service is stopping.
    13565 NtFrs File Replication Service is initializing the system volume with data from another domain controller. Computer DC2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

    To check for the SYSVOL share, at the command prompt, type:

    net share

    When File Replication Service completes the initialization process, the SYSVOL share will appear.

    The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

    13501 NtFrs The File Replication Service is starting
    13502 NtFrs The File Replication Service is stopping.
    13503 NtFrs The File Replication Service has stopped.
    13565 NtFrs File Replication Service is initializing the system volume with data from another domain controller. Computer DC2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

    To check for the SYSVOL share, at the command prompt, type:

    net share

    When File Replication Service completes the initialization process, the SYSVOL share will appear.

    The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

    13501 NtFrs The File Replication Service is starting.
    13553 NtFrs The File Replication Service successfully added this computer to the following replica set:

    "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

    Information related to this event is shown below:

    Computer DNS name is <Domain Controller FQDN>

    Replica set member name is <Domain Controller>

    Replica set root path is <path>

    Replica staging directory path is <path>

    Replica working directory path is <path>

    13520 NtFrs The File Replication Service moved the preexisting files in <path> to <path>NtFrs_PreExisting___See_EventLog.

    The File Replication Service may delete the files in <path>NtFrs_PreExisting___See_EventLog at any time. Files can be saved from deletion by copying them out of <path>NtFrs_PreExisting___See_EventLog. Copying the files into c:\windows\sysvol\domain may lead to name conflicts if the files already exist on some other replicating partner.

    In some cases, the File Replication Service may copy a file from <path>NtFrs_PreExisting___See_EventLog into <path> instead of replicating the file from some other replicating partner.

    Space can be recovered at any time by deleting the files in <path>NtFrs_PreExisting___See_EventLog.

    13508 NtFrs The File Replication Service is having trouble enabling replication from <Domain Controller FQDN> to <Domain Controller> for <path> using the

    DNS name <Domain Controller FQDN>. FRS will keep retrying.

    Following are some of the reasons you would see this warning.

    [1] FRS cannot correctly resolve the DNS name <Domain Controller FQDN> from this computer.

    [2] FRS is not running on <Domain Controller FQDN>.

    [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.

    This event log message will appear once per connection. After the problem is fixed you will see another event log message indicating that the connection has been established.

    13509 NtFrs The File Replication Service has enabled replication from <Domain Controller FQDN> to <Domain Controller> for <Path> after repeated retries.
    13516 NtFrs The File Replication Service is no longer preventing the computer <Domain Controller> from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.

    Type "net share" to check for the SYSVOL share.

    DFS Replication Event Log

    The DFSR service synchronizes non-authoritatively from a partner during cloning. Cloning accomplishes this by deleting the DFSR database files and leaving the contents of SYSVOL untouched, for use as pre-seeded data. The two attempts to synchronize are expected.

    Event ID Source Message
    1004 DFSR The DFS Replication service has started.
    1314 DFSR The DFS Replication service successfully configured the debug log files.

    Additional Information:

    Debug Log File Path: C:\Windows\debug

    6102 DFSR The DFS Replication service has successfully registered the WMI provider
    1206 DFSR The DFS Replication service successfully contacted domain controller DC2.corp.contoso.com to access configuration information.
    1210 DFSR The DFS Replication service successfully set up an RPC listener for incoming replication requests.

    Additional Information:

    Port: 0

    4614 DFSR The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication Service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.

    Additional Information:

    Replicated Folder Name: SYSVOL Share

    Replicated Folder ID: <GUID>

    Replication Group Name: Domain System Volume

    Replication Group ID: <GUID>

    Member ID: <GUID>

    Read-Only: 0

    4604 DFSR The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner dc1.corp.contoso.com. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share".

    Additional Information:

    Replicated Folder Name: SYSVOL Share

    Replicated Folder ID: <GUID>

    Replication Group Name: Domain System Volume

    Replication Group ID: <GUID>

    Member ID: <GUID>

    Sync partner: <domain controller FQDN>
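    The cloning log and the ADWS, DNS, FRS and DFSR event logs above describe what a finished clone should look like: dccloneconfig.xml renamed, NTDS and NetLogon running again, SYSVOL shared after the non-authoritative sync, DFSR 4604 or FRS 13516 logged, and the DSRM boot flag cleared. The following PowerShell script is an added example, not part of the Microsoft page or the product, that checks each of those outcomes on the clone after its reboot. It assumes the default NTDS directory under the system root and must run elevated; the service and share names and the event IDs are the ones quoted on this page.

```powershell
# Added example (not from the Microsoft page): verify that a cloned domain controller
# completed the steps described in the cloning log. Run elevated on the clone after reboot.
# Assumption: NTDS lives in the default location under the system root.
$NtdsDir = Join-Path $env:SystemRoot 'NTDS'

$result = [ordered]@{}

# 1. dccloneconfig.xml must have been renamed to DCCloneConfig.<timestamp>.xml so it is
#    not read again at the next boot; the original name must no longer exist.
$result['CloneConfigRenamed'] = (-not (Test-Path (Join-Path $NtdsDir 'DCCloneConfig.xml'))) -and
    [bool](Get-ChildItem -Path $NtdsDir -Filter 'DCCloneConfig.*.xml' -ErrorAction SilentlyContinue)

# 2. Service start types were restored: NTDS and Netlogon should be running, and
#    whichever SYSVOL replication engine the domain uses (DFSR or NTFRS) as well.
foreach ($svc in 'NTDS', 'Netlogon') {
    $result["Service_$svc"] = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status -eq 'Running'
}
$sysvolSvc = Get-Service -Name 'DFSR', 'NtFrs' -ErrorAction SilentlyContinue | Where-Object Status -eq 'Running'
$result['SysvolReplicationService'] = if ($sysvolSvc) { $sysvolSvc.Name -join ',' } else { 'none running' }

# 3. SYSVOL and NETLOGON shares appear only after the non-authoritative sync finished
#    (this is the "net share" check the event messages refer to).
$shares = Get-SmbShare -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
$result['SysvolShared']   = 'SYSVOL'   -in $shares
$result['NetlogonShared'] = 'NETLOGON' -in $shares

# 4. The replication engine logged completion of the initial SYSVOL sync:
#    DFSR 4604 ("successfully initialized the SYSVOL replicated folder") or FRS 13516.
$dfsrDone = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4604 } -MaxEvents 1 -ErrorAction SilentlyContinue
$frsDone  = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516 } -MaxEvents 1 -ErrorAction SilentlyContinue
$result['SysvolInitialSyncEvent'] = [bool]($dfsrDone -or $frsDone)

# 5. The DSRM boot flag was cleared, so the server is not booting into Directory Services
#    Restore Mode ("safeboot DsRepair" would still be set in the current boot entry).
$bcd = bcdedit /enum '{current}' 2>$null
$result['DsrmBootFlagCleared'] = -not ($bcd -match 'safeboot\s+DsRepair')

[pscustomobject]$result | Format-List

# Any False value above points at the matching step in the cloning log and at the
# corresponding service event log (ADWS, DNS, FRS or DFSR) for the reason.
```

    A clone that reports SysvolShared = False together with a DFSR 4614 or FRS 13565 event in its log is still in the initial synchronization state described above and will not advertise as a domain controller until a partner completes the sync.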

    Troubleshooting virtualized domain controller safe restore

    Tools for Troubleshooting

    Logging Options

    The built-in logs are the most important tool for troubleshooting issues with domain controller safe snapshot restore. All of these logs are enabled and configured for maximum verbosity, by default.

    Operation          Log
    Snapshot creation  Event viewer\Applications and services logs\Microsoft\Windows\Hyper-V-Worker
    Snapshot restore   Event viewer\Applications and services logs\Directory Service
                       Event viewer\Windows logs\System
                       Event viewer\Windows logs\Application
                       Event viewer\Applications and services logs\File Replication Service
                       Event viewer\Applications and services logs\DFS Replication
                       Event viewer\Applications and services logs\DNS
                       Event viewer\Applications and services logs\Microsoft\Windows\Hyper-V-Worker

    Tools and Commands for Troubleshooting Domain Controller Configuration

    To troubleshoot issues not explained by the logs, use the following tools as a starting point:

    • Dcdiag.exe

    • Repadmin.exe

    • Network Monitor 3.4

    General Methodology for Troubleshooting Domain Controller Safe Restore

    1. Is the safe snapshot restore expected, but having issues?

      1. Examine the Directory Services event log

        1. Are there snapshot restore errors?

        2. Are there AD replication errors?

      2. Examine the System event log

        1. Are there communication errors?

        2. Are there AD errors?

    2. Is the safe snapshot restore unexpected?

      1. Examine the hypervisor audit logs to determine who or what caused a rollback

      2. Contact all administrators of the hypervisor and interrogate them as to who rolled back the VM without notification

    3. Is the server implementing USN rollback protection and not safely restoring?

      1. Examine the Directory Services event log for an unsupported hypervisor or integration services

      2. Examine the operating system and validate that it is running Windows Server 2012
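    The methodology above comes down to reading the Directory Service log for the safe-restore events and deciding whether each one is expected (the snapshot was planned and the restore ran) or a failure that needs a manual non-authoritative SYSVOL restore. The following PowerShell script is an added example, not part of the Microsoft page, that pulls those events for a time window and classifies them using the event IDs and meanings documented in the Troubleshooting Specific Problems section of this page (2170, 2174, 2181, 2185 to 2190, 2200 to 2202). The provider name and log name are the ones the events are documented under; $ComputerName and $Hours are assumed parameters.

```powershell
# Added example (not from the Microsoft page): triage Windows Server 2012 virtualized DC
# safe-restore events from the Directory Service log. Run elevated on the restored DC,
# or point -ComputerName at it (assumed parameter).
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Hours = 24
)

# Event IDs and their meaning as documented on this page. Source for all of them is
# Microsoft-Windows-ActiveDirectory_DomainService in the Directory Service log.
$Expected = @{
    2170 = 'Generation ID change detected (snapshot applied, VM import or live migration)'
    2174 = 'Not a clone and not a restored snapshot (normal startup)'
    2181 = 'Transaction aborted because the VM was reverted'
    2185 = 'Stopped FRS/DFSR to begin non-authoritative SYSVOL restore'
    2187 = 'Started FRS/DFSR after non-authoritative SYSVOL restore'
    2189 = 'Set registry values for non-authoritative SYSVOL restore'
    2200 = 'Inbound AD replication started to bring the DC current'
    2201 = 'Inbound AD replication finished; DC is current'
}
$Failures = @{
    2186 = 'Failed to stop FRS/DFSR: perform a non-authoritative SYSVOL restore manually'
    2188 = 'Failed to start FRS/DFSR: restore SYSVOL manually and restart the service'
    2190 = 'Failed to set SYSVOL restore registry values: check for software blocking registry updates'
    2202 = 'Replication to bring the DC current failed; retried at next periodic replication'
}

$filter = @{
    LogName      = 'Directory Service'
    ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
    Id           = @($Expected.Keys) + @($Failures.Keys)
    StartTime    = (Get-Date).AddHours(-$Hours)
}

$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

if (-not $events) {
    Write-Output "No safe-restore events on $ComputerName in the last $Hours hours."
    return
}

# One line per event, flagged as expected or as a failure that needs manual follow-up.
$events | ForEach-Object {
    $isFailure = $Failures.ContainsKey($_.Id)
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Outcome = if ($isFailure) { 'FAILURE' } else { 'expected' }
        Meaning = if ($isFailure) { $Failures[$_.Id] } else { $Expected[$_.Id] }
    }
} | Format-Table -AutoSize

# A 2200 without a matching 2201 means the revert was detected but inbound
# replication has not completed; check repadmin /showrepl on this DC.
$started  = @($events | Where-Object Id -eq 2200).Count
$finished = @($events | Where-Object Id -eq 2201).Count
if ($started -gt $finished) {
    Write-Warning "Post-revert replication started $started time(s) but finished only $finished time(s)."
}

# A Generation ID change (2170) that is not followed by the SYSVOL restore events
# suggests the restore did not run; check hypervisor and integration services support.
$sawRevert  = [bool]($events | Where-Object Id -eq 2170)
$sawRestore = [bool]($events | Where-Object { $_.Id -in 2185, 2187, 2189 })
if ($sawRevert -and -not $sawRestore) {
    Write-Warning 'Generation ID change seen without SYSVOL restore events; verify the hypervisor supports safe restore.'
}

# An unexpected 2170 is the cue to examine the Hyper-V-Worker log and ask the
# hypervisor administrators who applied the snapshot.
```

    Run it right after the VM comes back from a snapshot; an expected restore shows 2170, 2181, 2185, 2189, 2187, 2200 and 2201 in that order with no FAILURE rows, while any of 2186, 2188 or 2190 means SYSVOL must be restored non-authoritatively by hand before the DC advertises again.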

    Troubleshooting Specific Problems

    Events

    All virtualized domain controller safe snapshot restore events write to the Directory Services event log of the restored domain controller VM. The Application, System, File Replication Service, and DFS Replication event logs may also contain useful troubleshooting information for failed restores.

    Below are the Windows Server 2012 safe restore-specific events in the Directory Services event log.

    Events Description
    Event ID 2170
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Warning
    Message A Generation ID change has been detected.

    Generation ID cached in DS (old value):%1

    Generation ID currently in VM (new value):%2

    The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. <COMPUTERNAME> will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

    Notes and resolution This is a success event if the snapshot was expected. If not, examine the Hyper-V-Worker event log or contact the hypervisor administrator.
    Events Description
    Event ID 2174
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message The DC is neither a virtual domain controller clone nor a restored virtual domain controller snapshot.
    Notes and resolution Expected event when starting physical domain controllers or virtualized domain controllers not restored from snapshot
    Events Description
    Event ID 2181
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.
    Notes and resolution Expected when restoring a snapshot. Transactions track the VM Generation ID changing
    Event Description
    Event ID 2185
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> stopped the FRS or DFSR service used to replicate the SYSVOL folder.

    Service name:%1

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> must initialize a non-authoritative restore on the local SYSVOL replica. This is performed by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Event 2187 will be logged when FRS or DFSR service is restarted.

    Notes and resolution Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC’s copy.
    Event Description
    Event ID 2186
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to stop the FRS or DFSR service used to replicate the SYSVOL folder.

    Service name:%1

    Error code:%2

    Error message:%3

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> must initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR replication service used to replicate the SYSVOL folder and then starting it with the appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to stop the current running service and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually.

    Notes and resolution Examine the System, FRS and DFSR event logs for further information.
    Event Description
    Event ID 2187
    Severity Informational
    Message <COMPUTERNAME> started the FRS or DFSR service used to replicate the SYSVOL folder.

    Service name:%1

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needed to initialize a non-authoritative restore on the local SYSVOL replica. This was done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.

    Notes and resolution Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC’s copy.
    Event Description
    Event ID 2188
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to start the FRS or DFSR service used to replicate the SYSVOL folder.

    Service name:%1

    Error code:%2

    Error message:%3

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL and starting it with appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to start the FRS or DFSR service used to replicate the SYSVOL folder and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually and restart the service.

    Notes and resolution Examine the System, FRS and DFSR event logs for further information.
    Event Description
    Event ID 2189
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> set the following registry values to initialize SYSVOL replica during a non-authoritative restore:

    Registry Key:%1

    Registry Value: %2

    Registry Value data: %3

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.

    Notes and resolution Expected when restoring a snapshot. All SYSVOL data on this domain controller is replaced with a partner DC’s copy.
    Event Description
    Event ID 2190
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to set the following registry values to initialize the SYSVOL replica during a non-authoritative restore:

    Registry Key:%1

    Registry Value: %2

    Registry Value data: %3

    Error code:%4

    Error message:%5

    Active Directory detected that the virtual machine that hosts the domain controller role was reverted to a previous state. <COMPUTERNAME> needs to initialize a non-authoritative restore on the local SYSVOL replica. This is done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. <COMPUTERNAME> failed to set the above registry values and cannot complete the non-authoritative restore. Please perform a non-authoritative restore manually.

    Notes and resolution Examine Application and System event logs. Investigate third party applications that may be blocking registry updates.
    Event Description
    Event ID 2200
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> initializes replication to bring the domain controller current. Event 2201 will be logged when the replication is finished.
    Notes and resolution Expected when restoring a snapshot. Marks the beginning of inbound AD replication.
    Event Description
    Event ID 2201
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> has finished replication to bring the domain controller current.
    Notes and resolution Expected when restoring a snapshot. Marks the end of inbound AD replication.
    Event Description
    Event ID 2202
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> failed replication to bring the domain controller up-to-date. The domain controller will be updated after next periodic replication.
    Notes and resolution Examine the Directory Services and System event logs. Use repadmin.exe to attempt forcing replication and note any failures.
    Event Description
    Event ID 2204
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> has detected a change of virtual machine generation ID. The change means that the virtual domain controller has been reverted to a previous state. <COMPUTERNAME> will perform the following operations to protect the reverted domain controller against possible data divergence and to protect creation of security principals with duplicate SIDs:

    Create a new invocation ID

    Invalidate current RID pool

    Ownership of the FSMO roles will be validated at next inbound replication. During this window if the domain controller held a FSMO role, that role will be unavailable.

    Start SYSVOL replication service restore operation.

    Start replication to bring the reverted domain controller to the most current state.

    Request a new RID pool.

    Notes and resolution Expected when restoring a snapshot. This explains all the various reset operations that will occur as part of the safe restore process.
    Event Description
    Event ID 2205
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> invalidated current RID pool after virtual domain controller was reverted to previous state.
Notes and resolution Expected when restoring a snapshot. The local RID pool must be discarded because the domain controller has travelled back in time: RIDs from that pool may already have been issued before the snapshot was reverted, and reusing them would create security principals with duplicate SIDs.
    Event Description
    Event ID 2206
    Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
    Message <COMPUTERNAME> failed to invalidate current RID pool after virtual domain controller was reverted to previous state.

    Additional data:

    Error code: %1

    Error value: %2

Notes and resolution Examine the Directory Services and System event logs. Validate that the RID Master is online and can be reached from this server using Dcdiag.exe /test:ridmanager.
    Event Description
    Event ID 2207
    Source Microsoft-Windows-ActiveDirectory_DomainService
Severity Error
    Message <COMPUTERNAME> failed to restore after virtual domain controller was reverted to previous state. A reboot into DSRM was requested. Please check previous events for more information.
    Notes and resolution Examine the Directory Services and System event logs.
    Event Description
    Event ID 2208
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Informational
    Message <COMPUTERNAME> deleted DFSR databases to initialize SYSVOL replica during a non-authoritative restore.
    Notes and resolution Expected when restoring a snapshot. This guarantees DFSR non-authoritatively synchronizes SYSVOL from a partner DC. Note that any other DFSR Replicated Folders on the same volume as SYSVOL will also non-authoritatively sync (domain controllers are not recommended to host custom DFSR sets on the same volume as SYSVOL).
    Event Description
    Event ID 2209
    Source Microsoft-Windows-ActiveDirectory_DomainService
    Severity Error
    Message <COMPUTERNAME> failed to delete DFSR databases.

    Additional data:

    Error code: %1

    Error value: %2

    Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. <COMPUTERNAME> needs to initialize a non-authoritative restore on the local SYSVOL replica. For DFSR, this is done by stopping the DFSR service, deleting DFSR databases, and re-starting the service. Upon restarting DFSR will rebuild the databases and start the initial sync.

    Notes and resolution Examine the DFSR event log.

    Error Messages

There are no direct interactive errors for a failed virtualized domain controller safe snapshot restore; all safe-restore information is logged in the Directory Services event log. Naturally, any critical replication or server advertising errors manifest themselves as symptoms elsewhere.

    Known Issues and Support Scenarios

The General Methodology for Troubleshooting Domain Controller Safe Restore is usually adequate to troubleshoot most issues.

    Issue Cannot create new security principals on recently safe restored domain controller
    Symptoms After restoring a snapshot, attempts to create a new security principal (user, computer, group) on that domain controller fail with:

    Error 0x2010

    The directory service was unable to allocate a relative identifier.

    Resolution and Notes This issue is caused by the restored computer’s stale knowledge of the RID Master FSMO role. If the role moved to this or another domain controller after a snapshot was taken and then later restored, the restored domain controller will not have knowledge of the RID master until initial replication has completed.

    To resolve the issue, allow AD replication to complete inbound to the restored domain controller. If still not working, validate that all domain controllers have the same correct knowledge of which DC hosts the RID Master.

Issue Restored domain controllers do not share SYSVOL or advertise
Symptoms After restoring a snapshot, one or more DCs do not advertise, do not share SYSVOL, and do not have up-to-date SYSVOL contents.
Resolution and Notes The DC's upstream partners do not have a working SYSVOL replica that replicates correctly with DFSR or FRS. This issue is unrelated to safe restore but is likely to surface as a safe-restore issue, because the administrator was unaware of the pre-existing replication problem affecting the DCs that were not restored.

    Advanced Troubleshooting

This module seeks to teach advanced troubleshooting by using working logs as samples, with some explanation of what occurred. If you understand what a successful virtualized domain controller operation looks like, failures become obvious in your environment. These logs are presented by their source, with the expected events related to a safe-restored domain controller listed in ascending order within each log.

    Restoring a Domain Controller that Replicates SYSVOL Using DFSR

    Directory Services Event Log

The Directory Services log contains the majority of the safe-restore operational information. The hypervisor changes the VM-Generation ID and the NTDS service notices it, then invalidates the RID pool and changes the invocation ID. The new VM-Generation ID is written to the computer object and the server replicates AD data inbound. The DFSR service is stopped and the database that hosts SYSVOL is deleted, forcing a non-authoritative sync inbound. The USN high watermark is adjusted.

    Event ID Source Message
    2170 ActiveDirectory_DomainService A Generation ID change has been detected.

    Generation ID cached in DS (old value):

    <number>

    Generation ID currently in VM (new value):

    <number>

The Generation ID change occurs after the application of a virtual machine snapshot, after a virtual machine import operation or after a live migration operation. Active Directory Domain Services will create a new invocation ID to recover the domain controller. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services aware backup application.

    2181 ActiveDirectory_DomainService The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.
    2204 ActiveDirectory_DomainService Active Directory Domain Services has detected a change of virtual machine generation ID. The change means that the virtual domain controller has been reverted to a previous state. Active Directory Domain Services will perform the following operations to protect the reverted domain controller against possible data divergence and to protect creation of security principals with duplicate SIDs:

    Create a new invocation ID

    Invalidate current RID pool

    Ownership of the FSMO roles will be validated at next inbound replication. During this window if the domain controller held a FSMO role, that role will be unavailable.

    Start SYSVOL replication service restore operation.

    Start replication to bring the reverted domain controller to the most current state.

Request a new RID pool.

    2181 ActiveDirectory_DomainService The transaction was aborted due to the virtual machine being reverted to a previous state. This occurs after the application of a virtual machine snapshot, after a virtual machine import operation, or after a live migration operation.
    1109 ActiveDirectory_DomainService The invocationID attribute for this directory server has been changed. The highest update sequence number at the time the backup was created is as follows:

    InvocationID attribute (old value):

    <GUID>

    InvocationID attribute (new value):

    <GUID>

    Update sequence number:

    <number>

The invocationID is changed when a directory server is restored from backup media, is configured to host a writeable application directory partition, has been resumed after a virtual machine snapshot has been applied, after a virtual machine import operation, or after a live migration operation. Virtualized domain controllers should not be restored using virtual machine snapshots. The supported method to restore or rollback the content of an Active Directory Domain Services database is to restore a system state backup made with an Active Directory Domain Services-aware backup application.

    2179 ActiveDirectory_DomainService The msDS-GenerationId attribute of the Domain Controller’s computer object has been set to the following parameter:

    GenerationID attribute:

    <number>

    2200 ActiveDirectory_DomainService Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services initializes replication to bring the domain controller current. Event 2201 will be logged when the replication is finished.
    2201 ActiveDirectory_DomainService Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services has finished replication to bring the domain controller current.
    2185 ActiveDirectory_DomainService Active Directory Domain Services stopped the FRS or DFSR service used to replicate the SYSVOL folder.

    Service name:

    DFSR

Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services must initialize a non-authoritative restore on the local SYSVOL replica. This is performed by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore. Event 2187 will be logged when FRS or DFSR service is restarted.

    2208 ActiveDirectory_DomainService Active Directory Domain Services deleted DFSR databases to initialize SYSVOL replica during a non-authoritative restore.

Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needs to initialize a non-authoritative restore on the local SYSVOL replica. For DFSR, this is done by stopping the DFSR service, deleting DFSR databases, and re-starting the service. Upon restarting DFSR will rebuild the databases and start the initial sync.

    2187 ActiveDirectory_DomainService Active Directory Domain Services started the FRS or DFSR service used to replicate the SYSVOL folder.

    Service name:

    DFSR

Active Directory detected that the virtual machine that hosts the domain controller was reverted to a previous state. Active Directory Domain Services needed to initialize a non-authoritative restore on the local SYSVOL replica. This was done by stopping the FRS or DFSR service used to replicate the SYSVOL folder and starting it with the appropriate registry keys and values to trigger the restore.

    1587 ActiveDirectory_DomainService This directory service has been restored or has been configured to host an application directory partition. As a result, its replication identity has changed. A partner has requested replication changes using our old identity. The starting sequence number has been adjusted.

    The destination directory service corresponding to the following object GUID has requested changes starting at a USN that precedes the USN at which the local directory service was restored from backup media.

    Object GUID:

    <GUID> (<FQDN of partner domain controller>)

    USN at the time of restore:

    <number>

    As a result, the up-to-dateness vector of the destination directory service has been configured with the following settings.

    Previous database GUID:

    <GUID>

    Previous object USN:

    <number>

    Previous property USN:

    <number>

    New database GUID:

    <GUID>

    New object USN:

    <number>

    New property USN:

    <number>
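The sequence in the table above is easy to eyeball once, but on a fleet of virtualized DCs you want a script that tells you whether the chain completed and, if not, which step failed. The following is an added example written for this page, not part of the Microsoft documentation. It assumes it runs as an administrator on (or against) a Windows Server 2012 or later DC, that the ActiveDirectory module is installed for the msDS-GenerationId lookup, and that the "expected" order and the failure descriptions, which were taken from the event tables above, are this script's own interpretation.

```powershell
# Added example: summarize the virtualized-DC safe-restore event chain from the
# Directory Service log. Not Microsoft code; assumptions are noted inline.
function Get-VdcSafeRestoreStatus {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )

    # Informational events a successful safe restore logs, in the order shown above.
    $Expected = 2170, 2204, 1109, 2179, 2200, 2201, 2185, 2208, 2187
    # Error events that mean one step of the safe restore did not complete (from the tables above).
    $Failure = @{
        2190 = 'could not set the SYSVOL restore registry values'
        2202 = 'inbound AD replication failed; force it with repadmin and note the errors'
        2206 = 'RID pool invalidation failed; check the RID Master with dcdiag /test:ridmanager'
        2207 = 'safe restore failed; a reboot into DSRM was requested'
        2209 = 'DFSR database deletion failed; check the DFS Replication log'
    }

    # Server-side filter: only this provider, only these IDs, only since $Since.
    $filter = @{
        LogName      = 'Directory Service'
        ProviderName = 'Microsoft-Windows-ActiveDirectory_DomainService'
        Id           = @($Expected) + @($Failure.Keys)
        StartTime    = $Since
    }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
              Sort-Object TimeCreated

    $seen     = @($events | Select-Object -ExpandProperty Id | Select-Object -Unique)
    $missing  = @($Expected | Where-Object { $seen -notcontains $_ })
    $failures = @($events | Where-Object { $Failure.ContainsKey($_.Id) } |
                 ForEach-Object { '{0:u} {1}: {2}' -f $_.TimeCreated, $_.Id, $Failure[$_.Id] })

    # msDS-GenerationId is stored as a byte array; render it as hex so it can be
    # compared with the "new value" printed in event 2170.
    $genId = $null
    try {
        $raw = (Get-ADComputer -Identity $ComputerName -Properties 'msDS-GenerationId').'msDS-GenerationId'
        if ($raw) { $genId = ($raw | ForEach-Object { $_.ToString('x2') }) -join '' }
    } catch { }

    [pscustomobject]@{
        Computer     = $ComputerName
        Reverted     = ($seen -contains 2170)   # a VM-Generation ID change was detected
        Complete     = ($seen -contains 2170 -and $missing.Count -eq 0 -and $failures.Count -eq 0)
        Missing      = $missing                 # expected steps not yet logged
        Failures     = $failures                # error events, with the action suggested above
        GenerationId = $genId
    }
}

# Usage: check DC4 for a revert in the last six hours.
Get-VdcSafeRestoreStatus -ComputerName 'DC4' -Since (Get-Date).AddHours(-6) | Format-List
```

The important caveat is what the script cannot see: the whole safe-restore mechanism depends on the hypervisor exposing a VM-Generation ID to the guest. On a hypervisor that does not, reverting a snapshot logs no 2170 at all; the DC silently reuses update sequence numbers it has already handed out, which is the USN rollback condition (event 2095) and leaves the DC quarantined from replication with no SYSVOL or RID recovery. A result of Reverted = $false after a known snapshot revert is therefore worse news than a Failures entry.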

    System Event Log

The System event log records the system time change that occurs when an offline virtual machine is brought back online and synchronized with the host's time. The RID pool is invalidated and the DFSR or FRS service is restarted.

    Event ID Source Message
1 Kernel-General The system time has changed to <now> from <snapshot time/date>.

    Change Reason: An application or system component changed the time.

    16654 Directory-Services-SAM A pool of account-identifiers (RIDs) has been invalidated. This may occur in the following expected cases:

    1. A domain controller is restored from backup.

    2. A domain controller running on a virtual machine is restored from snapshot.

    3. An administrator has manually invalidated the pool.

    See https://go.microsoft.com/fwlink/?LinkId=226247 for more information.

    7036 Service Control Manager The DFS Replication service entered the stopped state.
    7036 Service Control Manager The DFS Replication service entered the running state.
    Application Event Log

    The Application event log notes the DFSR database stopping and starting.

    Event ID Source Message
103 ESENT DFSRs (1360) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine stopped the instance (0).

    Dirty Shutdown: 0

    Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.141, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.016, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

102 ESENT DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine (6.02.8189.0000) is starting a new instance (0).
105 ESENT DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine started a new instance (0). (Time=0 seconds)

    Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.000.

DFSRs (532) \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db: The database engine created a new database (1, \\.\C:\System Volume Information\DFSR\database_<GUID>\dfsr.db). (Time=0 seconds)

    Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.016, [4] 0.062, [5] 0.000, [6] 0.016, [7] 0.000, [8] 0.000, [9] 0.015, [10] 0.000, [11] 0.000.

    DFS Replication Event Log

    The DFSR service is stopped and the database that contains SYSVOL is deleted, forcing a non-authoritative synchronization inbound.

    Event ID Source Message
    1006 DFSR The DFS Replication service is stopping.
    1008 DFSR The DFS Replication service has stopped.
    1002 DFSR The DFS Replication service is starting.
    1004 DFSR The DFS Replication service has started.
    1314 DFSR The DFS Replication service successfully configured the debug log files.

    Additional Information:

Debug Log File Path: C:\Windows\debug

    6102 DFSR The DFS Replication service has successfully registered the WMI provider.
    1206 DFSR The DFS Replication service successfully contacted domain controller <domain controller FQDN> to access configuration information.
    1210 DFSR The DFS Replication service successfully set up an RPC listener for incoming replication requests.

    Additional Information:

    Port: 0

4614 DFSR The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication Service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.

    Additional Information:

    Replicated Folder Name: SYSVOL Share

    Replicated Folder ID: <GUID>

    Replication Group Name: Domain System Volume

    Replication Group ID: <GUID>

    Member ID: <GUID>

    Read-Only: 0

4604 DFSR The DFS Replication service successfully initialized the SYSVOL replicated folder at local path C:\Windows\SYSVOL\domain. This member has completed initial synchronization of SYSVOL with partner dc1.corp.contoso.com. To check for the presence of the SYSVOL share, open a command prompt window and then type "net share".

    Additional Information:

    Replicated Folder Name: SYSVOL Share

    Replicated Folder ID: <GUID>

    Replication Group Name: Domain System Volume

    Replication Group ID: <GUID>

    Member ID: <GUID>

    Sync partner: <partner domain controller FQDN>

    Restoring a Domain Controller that Replicates SYSVOL Using FRS

    The File Replication Event log is used instead of the DFSR event log in this case. The Application event log also writes different FRS-related events. Otherwise, the Directory Services and System Event log messages are generally the same and in the same order as previously described.

    File Replication Service Event Log

    The FRS service is stopped and restarted with a D2 BURFLAGS value to non-authoritatively synchronize SYSVOL.

    Event ID Source Message
    13502 NTFRS The File Replication Service is stopping.
    13503 NTFRS The File Replication Service has stopped.
    13501 NTFRS The File Replication Service is starting
13512 NTFRS The File Replication Service has detected an enabled disk write cache on the drive containing the directory c:\windows\ntfrs\jet on the computer DC4. The File Replication Service might not recover when power to the drive is interrupted and critical updates are lost.
    13565 NTFRS File Replication Service is initializing the system volume with data from another domain controller. Computer DC4 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

    To check for the SYSVOL share, at the command prompt, type:

    net share

    When File Replication Service completes the initialization process, the SYSVOL share will appear.

The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

13520 NTFRS The File Replication Service moved the preexisting files in <path> to <path>\NtFrs_PreExisting___See_EventLog.

The File Replication Service may delete the files in <path>\NtFrs_PreExisting___See_EventLog at any time. Files can be saved from deletion by copying them out of <path>\NtFrs_PreExisting___See_EventLog. Copying the files into <path> may lead to name conflicts if the files already exist on some other replicating partner.

In some cases, the File Replication Service may copy a file from <path>\NtFrs_PreExisting___See_EventLog into <path> instead of replicating the file from some other replicating partner.

Space can be recovered at any time by deleting the files in <path>\NtFrs_PreExisting___See_EventLog.

    13553 NTFRS The File Replication Service successfully added this computer to the following replica set:

"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

Information related to this event is shown below:

Computer DNS name is "<domain controller FQDN>"

Replica set member name is "<domain controller name>"

Replica set root path is "<path>"

Replica staging directory path is "<path>"

Replica working directory path is "<path>"

    13554 NTFRS The File Replication Service successfully added the connections shown below to the replica set:

"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

Inbound from "<partner domain controller FQDN>"

Outbound to "<partner domain controller FQDN>"

    More information may appear in subsequent event log messages.

    13516 NTFRS The File Replication Service is no longer preventing the computer DC4 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.

Type "net share" to check for the SYSVOL share.

    Application Event Log

    The FRS database stops and starts, and is purged due to the D2 BURFLAGS operation.

    Event ID Source Message
327 ESENT ntfrs (1424) The database engine detached a database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds)

    Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.516, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.063, [12] 0.000.

    Revived Cache: 0

    103 ESENT ntfrs (1424) The database engine stopped the instance (0).

    Dirty Shutdown: 0

    Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.031, [10] 0.000, [11] 0.016, [12] 0.000, [13] 0.000, [14] 0.047, [15] 0.000.

    102 ESENT ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).
    105 ESENT ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds)

    Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.062, [10] 0.000, [11] 0.141.

    103 ESENT ntfrs (3000) The database engine stopped the instance (0).

    Dirty Shutdown: 0

    Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000, [13] 0.015, [14] 0.000, [15] 0.000.

    102 ESENT ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).
    105 ESENT ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds)

    Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.078, [10] 0.000, [11] 0.109.

325 ESENT ntfrs (3000) The database engine created a new database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds)

    Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.016, [4] 0.016, [5] 0.000, [6] 0.015, [7] 0.000, [8] 0.000, [9] 0.078, [10] 0.016, [11] 0.000.

    103 ESENT ntfrs (3000) The database engine stopped the instance (0).

    Dirty Shutdown: 0

    Internal Timing Sequence: [1] 0.000, [2] 0.000, [3] 0.000, [4] 0.000, [5] 0.078, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.125, [10] 0.016, [11] 0.000, [12] 0.000, [13] 0.000, [14] 0.000, [15] 0.000.

    102 ESENT ntfrs (3000) The database engine (6.02.8189.0000) is starting a new instance (0).
    105 ESENT ntfrs (3000) The database engine started a new instance (0). (Time=0 seconds)

    Internal Timing Sequence: [1] 0.016, [2] 0.000, [3] 0.000, [4] 0.094, [5] 0.000, [6] 0.000, [7] 0.000, [8] 0.000, [9] 0.032, [10] 0.000, [11] 0.000.

326 ESENT ntfrs (3000) The database engine attached a database (1, c:\windows\ntfrs\jet\ntfrs.jdb). (Time=0 seconds)

    Internal Timing Sequence: [1] 0.000, [2] 0.015, [3] 0.000, [4] 0.000, [5] 0.016, [6] 0.015, [7] 0.000, [8] 0.000, [9] 0.000, [10] 0.000, [11] 0.000, [12] 0.000.

    Saved Cache: 1

    Last Updated on November 8, 2017 by

There are different ways to review the Active Directory related logs on a domain controller. The most common way is to review events in the Event Viewer MMC.


We can review events using Server Manager too.


We can also use PowerShell to review event logs, or to filter events from local and remote computers, without any additional service configuration. Get-EventLog is the primary cmdlet for this task in Windows PowerShell 5.1. Note that it reads only the classic event logs and was removed in PowerShell 6 and later, where Get-WinEvent is the replacement.

Get-EventLog -List

The above command lists the log files on the local system, including the log name, maximum log file size and number of entries.

Get-EventLog -LogName 'Directory Service' | fl

The above command lists all the events in the Directory Service log.

We can also limit the number of events returned. For example, to list only the latest 5 events from the Directory Service log:

Get-EventLog -Newest 5 -LogName 'Directory Service'

We can filter further by entry type.

Get-EventLog -Newest 5 -LogName 'Directory Service' -EntryType Error

The above command lists the five newest entries of type "Error" in the Directory Service log.

We can also add a time limit to narrow the results.

Get-EventLog -Newest 5 -LogName 'Directory Service' -EntryType Error -After (Get-Date).AddDays(-1)

The above command lists the newest five Error entries of the last 24 hours in the Directory Service log.

We can also get events from remote computers.

Get-EventLog -Newest 5 -LogName 'Directory Service' -ComputerName 'REBEL-SRV01' | fl -Property *

The above command lists the five newest entries of the Directory Service log on the remote computer REBEL-SRV01, showing all properties.

We can also extract events from several computers at the same time.

Get-EventLog -Newest 5 -LogName 'Directory Service' -ComputerName "localhost","REBEL-SRV01"

The above command lists the log entries from the local computer and the remote computer REBEL-SRV01.

When it comes to filtering, we can also filter events by event source.

Get-EventLog -LogName 'Directory Service' -Source "NTDS KCC"

The above command lists the events with the source NTDS KCC.

It also allows searching for specific event IDs.

Get-EventLog -LogName 'Directory Service' | where {$_.EventID -eq 1000}

The above command lists the events with event ID 1000.

Note: there is a recommended list of events that should be audited periodically to identify potential issues in an Active Directory environment. The complete list is available at https://docs.microsoft.com/en-gb/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor
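The Get-EventLog examples above pull every entry across the network and filter afterwards, and they stop working on PowerShell 7. The following is an added example, not part of the original post, showing the Get-WinEvent equivalent: a server-side -FilterHashtable query over several DCs for a small set of the event IDs from Microsoft's "events to monitor" appendix. Assumptions: the caller is an administrator or member of Event Log Readers on each DC, remote event log access (RPC) is open, and the ID lists are a hand-picked subset that you should extend from the appendix for your own environment.

```powershell
# Added example, not from the original post: query several DCs for high-value
# AD events with Get-WinEvent, filtering on the server instead of in the pipeline.
function Get-DcCriticalEvents {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Hours = 24,
        # Security-log IDs from the "events to monitor" appendix (assumption: a subset;
        # 1102 log cleared, 4719 audit policy changed, 4765/4766 SID history,
        # 4794 DSRM password set, 4897 role separation, 4964 special groups logon).
        [int[]]$SecurityIds = @(1102, 4719, 4765, 4766, 4794, 4897, 4964),
        # Directory Service IDs: lingering objects, replication latency, USN rollback,
        # VM-Generation ID change (assumption: chosen for this example).
        [int[]]$DirectoryServiceIds = @(1388, 1988, 2042, 2095, 2170, 2204)
    )
    $start = (Get-Date).AddHours(-$Hours)
    foreach ($dc in $ComputerName) {
        $queries = @(
            @{ LogName = 'Security';          Id = $SecurityIds;         StartTime = $start },
            @{ LogName = 'Directory Service'; Id = $DirectoryServiceIds; StartTime = $start }
        )
        foreach ($q in $queries) {
            try {
                Get-WinEvent -ComputerName $dc -FilterHashtable $q -ErrorAction Stop |
                    Select-Object @{ n = 'Computer'; e = { $dc } }, TimeCreated, LogName, Id, LevelDisplayName,
                                  @{ n = 'Message';  e = { ($_.Message -split "`r?`n")[0] } }
            } catch {
                # Get-WinEvent raises an error when nothing matches; that is not a failure.
                # Anything else (RPC unavailable, access denied) is worth seeing.
                if ($_.Exception.Message -notmatch 'No events were found') {
                    Write-Warning ('{0} / {1}: {2}' -f $dc, $q.LogName, $_.Exception.Message)
                }
            }
        }
    }
}

# Usage: last 48 hours from the local DC and REBEL-SRV01, newest first, saved for review.
Get-DcCriticalEvents -ComputerName 'localhost', 'REBEL-SRV01' -Hours 48 |
    Sort-Object TimeCreated -Descending |
    Export-Csv -NoTypeInformation -Path "$env:TEMP\dc-events.csv"
```

Two points worth knowing: -FilterHashtable is evaluated by the event log service on the remote DC, so only matching records cross the wire, and an empty result surfaces as an error rather than an empty pipeline, which is why the catch block distinguishes "no events" from a real connectivity or permission problem rather than swallowing everything.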

    This marks the end of this blog post. If you have any questions feel free to contact me on rebeladm@live.com also follow me on twitter @rebeladm to get updates about new blog posts.  

    Обновлено 06.05.2022

    0xc00002e2

    Добрый день! Уважаемые читатели и гости одного из крупнейших IT блогов Pyatilistnik.org. В прошлый раз мы с вами рассматривали менеджер пакетов Winget, который позволяет с помощью PowerShell много чего устанавливать. В сегодняшней статье я буду бороться с пресловутым синим экраном 0xc00002e2, который я поймал на одном из контроллеров домена. Что ж не приятно, но не смертельно, давайте выходить из этой ситуации.

    ❌Описание ситуации с BSOD  0xc00002e2 на контроллере домена

    И так есть Active Directory состоящий из леса и трех доменов, в одном из доменов есть четыре контроллера домена. Один из них в какой-то момент перестал отвечать в системе мониторинга. Это была виртуальная машина на базе Vmware ESXI. Подключившись к консольному подключению я увидел вот такую картину:

    0xc00002e2

    После перезагрузки сервер опять выпадал в BSOD, и далее по циклу. В логах вы можете потом обнаружить, если доберетесь:

    STOP c000002e2 Directory Services could not start because of the following error:
    A device attached to the system is not functioning.
    Error Status: 0xc0000001
    Please shutdown this system and reboot into Directory Services Restore Mode, check the event log for more detailed information.

    Как исправить синий экран 0xc00002e2

    Надеюсь, что у вас это не последний контроллер домена в сети, поэтому самый простой способ это:

    • Восстановить из резервной копии данный контроллер, при условии, что его копия не старше дня, чтобы не было проблем с репликацией
    • Полностью удалить недоступный контроллер домена и заменить его на новый. Если на сервере были роли FSMO, то их сначала нужно захватить и перенести.
    • Но если решились восстанавливать то давайте приступать, может, что и получиться.

    After you see the blue screen with code 0xc00002e2 about three times, the server boots into the WinPE recovery environment; you can also call it up with the F8 key during boot if you wish. Every domain controller has a special recovery mode for the directory service, Directory Services Repair Mode (DSRM).

    On the «Choose an option» screen, select «Troubleshoot».

    Next, select «Startup Settings».

    Restart the server.

    Then, during boot, find the item «Directory Services Repair Mode».

    DSRM will start loading; essentially you will see the familiar Windows boot, and you can log in as the local DSRM administrator, whose password is set when the DC is configured.

    If you do not remember the DSRM Administrator password, you will have to reset it, for example using MsDART or any other boot disk.

    Once in the system, the first thing to do is launch a command prompt as administrator; then we will need one of the most important utilities in Active Directory, ntdsutil. Enter the commands:

    • ntdsutil (start the utility itself)
    • activate instance ntds (connect to the active Active Directory database instance)
    • files (query the files where the database resides)
    • info (show all files and their locations)

    (by default this is the directory C:\Windows\NTDS)

    In my case it is a non-standard directory; everything is in the folder C:\ADDS\NTDS. Here you can also see the size of the NTDS.dit database file.

    Now try checking the integrity of the database; to do this, enter:

    I got an error:

    Error: Access to source database 'C:\ADDS\NTDS\ntds.dit' failed with Jet error -1206. Operation terminated with error -1206 (JET_errDatabaseCorrupted, Non database file or corrupted db) after 0.0 seconds

    Or another common error:

    Could not initialize the Jet engine: database is inconsistent.
    Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113

    Let's try to restore the integrity of the Active Directory database. For this there is the well-known utility esentutl, which is very often used when working with an Exchange mail server. Before any work, always make a backup of the data; to do that:

    mkdir c:\ntds_backup (create a folder for the backups)
    xcopy c:\ADDS\NTDS\*.* c:\ntds_backup (copy the contents of c:\ADDS\NTDS to c:\ntds_backup)

    Check the integrity of the ntds.dit file:

    esentutl /g c:\ADDS\NTDS\ntds.dit

    The utility will tell you that the database is not healthy and is corrupted:

    The database is not up-to-date. This operation may find that this database is corrupted because data from the log files has not yet to be placed in the database. To ensure the database is up-to-date please use the Recovery operation. Integrity check completed. Database is CORRUPTED.

    After that the repair process will start, or it may not start and you can easily get the Jet error -1206 again.

    The first step is done; let's try to fix the errors found. To do that, run the command:

    esentutl /p c:\ADDS\NTDS\ntds.dit

    If all goes well, you should get the message «Operation completed successfully in xx seconds».

    Be sure to check the database integrity once more; run:

    the following message should appear:

    Integrity test successful. It is recommended you to run semantic database analysis to ensure semantic database consistence as well.

    Now let's perform a semantic analysis; to do that:

    ntdsutil
    activate instance ntds
    semantic database analysis
    go

    If semantic errors are found, apply the fixup key:

    Let's compact the ntds.dit database:

    activate instance ntds
    files
    compact to c:\ADDS\NTDS\Temp

    Overwrite the original ntds.dit file:

    copy c:\ADDS\NTDS\Temp\ntds.dit c:\ADDS\NTDS\ntds.dit

    Delete all log files from the NTDS directory:

    Reboot.

    Checking permissions on the NTDS files

    It is also very important to check whether something has reset the permissions on the files in the NTDS folder. To do this, first change to the required directory in the command prompt and enter:

    The permissions should be NT AUTHORITY\SYSTEM:(I)(F) and BUILTIN\Administrators:(I)(F)

    The SDDL should be D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)
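    As an added example (not part of the original article), the following PowerShell script wraps the safety steps around the repair described above: the backup of the NTDS folder, the read-only esentutl /g check, and a comparison of the ntds.dit DACL against the expected SDDL. It assumes the article's non-default path C:\ADDS\NTDS and an elevated prompt in DSRM; the backup root C:\ntds_backup is taken from the commands above.

```powershell
# Added example, not from the original article. Pre-repair checks for an offline
# ntds.dit in DSRM. $NtdsDir is the article's non-default path; use C:\Windows\NTDS
# on a default installation.
[CmdletBinding()]
param(
    [string]$NtdsDir    = 'C:\ADDS\NTDS',
    [string]$BackupRoot = 'C:\ntds_backup'
)

$dit = Join-Path $NtdsDir 'ntds.dit'
if (-not (Test-Path $dit)) {
    throw "ntds.dit not found in $NtdsDir; confirm the location with 'ntdsutil ... files info'"
}

# 1. Back up the whole NTDS directory (database, transaction logs, checkpoint) before
#    touching anything. A timestamped subfolder keeps earlier copies intact.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $backup -Force | Out-Null
Copy-Item -Path (Join-Path $NtdsDir '*') -Destination $backup -Recurse -Force
Write-Host "Backup written to $backup"

# 2. Integrity check only. esentutl /g does not modify the database; a non-zero exit
#    code means recovery is needed. Note that /p (repair) discards unrecoverable pages,
#    so it is the last resort the article uses, never the first step.
& esentutl.exe /g $dit
$integrityOk = ($LASTEXITCODE -eq 0)
Write-Host ("Integrity check: {0}" -f $(if ($integrityOk) { 'OK' } else { "FAILED (exit $LASTEXITCODE)" }))

# 3. Compare the DACL on ntds.dit with the expected one from the article: inherited
#    full access for SYSTEM and BUILTIN\Administrators and nothing else.
$expectedDacl = 'D:AI(A;ID;FA;;;SY)(A;ID;FA;;;BA)'
$sddl = (Get-Acl -Path $dit).Sddl          # full SDDL, e.g. O:BAG:SYD:AI(...)(...)
$dacl = if ($sddl -match '(D:.*?)(?=S:|$)') { $Matches[1] } else { '' }
if ($dacl -eq $expectedDacl) {
    Write-Host "ACL on ntds.dit is as expected: $dacl"
} else {
    Write-Warning "ACL on ntds.dit differs.`nFound:    $dacl`nExpected: $expectedDacl"
    # Any extra ACE here means a non-privileged principal may read or alter the
    # directory database; fix the ACL before bringing the DC back online.
}
```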

    I hope this was useful. This was Ivan Semin, author and creator of the IT project Pyatilistnik.org.
