
Unexplained dcDiag Errors

So I have been banging my head against a wall trying to figure out why I have been getting these crazy errors in dcDiag.  From all that I can tell replication is working as expected but yet I am getting errors that are mostly undocumented and difficult to find out any real information on.

Starting test: VerifyReplicas
            For the partition
            (DC=ForestDnsZones,DC=Domain,DC=COM) we encountered
            the following error retrieving the cross-ref's
               LDAP Error 0x52b (1323).
......................... DC-02 failed test VerifyReplicas

Starting test: VerifyEnterpriseReferences
   Can't determine the age of the cross-ref
   for the partition DC=ForestDnsZones,DC=Domain,DC=COM, so
   following errors relating to this cross-ref/partition may disappear
   after replication  coalesces.  Please ensure that replication is
   working from the Domain Naming FSMO to this DC, and retry this test to
   see if errors continue.
   Can't determine the age of the cross-ref
......................... DC-02 failed test VerifyEnterpriseReferences

Starting test: CutoffServers
   * Configuration Topology Aliveness Check
   * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=Domain,DC=COM.
   * Performing upstream (of target) analysis.
   DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
   * Performing downstream (of target) analysis.
   DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
......................... DC-02 passed test CutoffServers


I went through and verified I was in the Domain Admins group, and I verified that the Domain Admins security group had full permissions to the objects in error.  I did extensive research on the internet in a number of different Bing searches to try and come up with even a hint as to what the problem was.  Still nothing.  I posed the question to DS MVP colleagues, and the one thing Jorge pointed out was that this was some type of password issue related to the 0x52b error.  I had run across something on the internet as well related to passwords, and that had been why I checked into the permissions on the objects.

Finally a thought crossed my mind... I was using a trusted administrator user account from a User Forest, so out of desperation I logged on as a local admin.  BAM!!!!!!  All the errors went away.  So the password error was probably somehow related, but I couldn't explain why...

Long story short - When running dcDiag always use a domain local admin account.
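
The check this post arrives at can be scripted. The PowerShell below is an added example, not code from the original post: it parses dcdiag output and, for failed tests that report error 1323 (0x52b), checks whether the logged-on account's domain differs from the DC's domain. The function names, the trimmed sample output and the domain names passed on the last line are assumptions made for illustration.

```powershell
# Constructed sample, trimmed from the dcdiag excerpt in this post.
$sample = @'
Starting test: VerifyReplicas
   For the partition
   (DC=ForestDnsZones,DC=Domain,DC=COM) we encountered
   the following error retrieving the cross-ref's
   LDAP Error 0x52b (1323).
......................... DC-02 failed test VerifyReplicas
Starting test: CutoffServers
   DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
......................... DC-02 passed test CutoffServers
'@ -split '\r?\n'

# Hypothetical helper: one object per test, with any "0x... (nnnn)" codes seen in it.
function Get-DcDiagResult {
    param([string[]]$Lines)
    $codes = @()
    foreach ($line in $Lines) {
        if ($line -match '^\s*Starting test:\s*(\S+)') {
            $codes = @()                          # new test block
        } elseif ($line -match '0x[0-9a-f]+\s*\((\d+)\)') {
            $codes += [int]$Matches[1]            # e.g. "LDAP Error 0x52b (1323)"
        } elseif ($line -match '^\.+\s+(\S+)\s+(passed|failed) test\s+(\S+)') {
            [pscustomobject]@{ Server = $Matches[1]; Test = $Matches[3]
                               Passed = ($Matches[2] -eq 'passed'); ErrorCodes = $codes }
        }
    }
}

# Hypothetical helper: 1323 (0x52b) is Win32 ERROR_WRONG_PASSWORD. When it shows up
# while the logged-on account's domain differs from the DC's domain, suggest the
# fix from this post before chasing replication.
function Test-DcDiagAccountContext {
    param(
        [object[]]$Results,
        [string]$UserDomain     = $env:USERDNSDOMAIN,
        [string]$ComputerDomain = (Get-CimInstance Win32_ComputerSystem).Domain
    )
    $foreign = $UserDomain -and ($UserDomain -ne $ComputerDomain)
    foreach ($r in ($Results | Where-Object { -not $_.Passed })) {
        $hint = if ($foreign -and ($r.ErrorCodes -contains 1323)) {
            "account domain $UserDomain differs from DC domain $ComputerDomain; rerun dcdiag as an admin from the DC's own domain"
        } else { 'no account-context indicator; review the test output' }
        [pscustomobject]@{ Server = $r.Server; Test = $r.Test; Hint = $hint }
    }
}

# Domain names below are constructed; omit them to use the live session's values.
$results = Get-DcDiagResult -Lines $sample
Test-DcDiagAccountContext -Results $results -UserDomain 'USERS.EXAMPLE' -ComputerDomain 'DOMAIN.COM'
```

To run it against a live DC, pass the lines returned by `dcdiag` to `Get-DcDiagResult` instead of `$sample`.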

Published Friday, June 14, 2013 1:23 PM by Paul Bergson

