Windows Server 2008R2 Domain Controllers – Failed test VerifyReferences

active-directory, domain-controller, windows-server-2008-r2, windows-server-2012, wsus

While running DCDIAG on our Windows Server 2008R2 Enterprise Domain Controllers, I discovered the following error message on both DCs.

These domain controllers were migrated from Windows Server 2003 to Windows Server 2008R2, and SYSVOL was successfully migrated from FRS to DFSR over a year ago.

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\Windows                      Remote Admin
NETLOGON     C:\Windows\SYSVOL_DFSR\sysvol\xxx.local\SCRIPTS
                                             Logon server share
SYSVOL       C:\Windows\SYSVOL_DFSR\sysvol   Logon server share
The command completed successfully.

Over two months ago a read-only Domain Controller was added, but only now has this error message been discovered.

Virtual Domain Controller

 Starting test: VerifyReferences
    Some objects relating to the DC EDISON-DC0 have problems:
       [1] Problem: Missing Expected Value
        Base Object: CN=EDISON-DC0,OU=Domain_ControllersOU_(WSUS_Notify),OU=Domain Controllers,DC=xxx,DC=local
        Base Object Description: "DC Account Object"
        Value Object Attribute Name: frsComputerReferenceBL
        Value Object Description: "SYSVOL FRS Member Object"
        Recommended Action: See Knowledge Base Article: Q312862

    ......................... EDISON-DC0 failed test VerifyReferences

Physical Domain Controller

 Starting test: VerifyReferences
    Some objects relating to the DC BABBAGE have problems:
       [1] Problem: Missing Expected Value
        Base Object: CN=BABBAGE,OU=Domain_ControllersOU_(WSUS_Notify),OU=Domain Controllers,DC=xxx,DC=local
        Base Object Description: "DC Account Object"
        Value Object Attribute Name: frsComputerReferenceBL
        Value Object Description: "SYSVOL FRS Member Object"
        Recommended Action: See Knowledge Base Article: Q312862

    ......................... BABBAGE failed test VerifyReferences

Windows Server 2012 Standard Read-Only Domain Controller

Windows PowerShell
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> dcdiag

Directory Server Diagnosis

Performing initial setup:
Trying to find home server...
Home Server = xxx-RODC0
* Identified AD Forest.
Done gathering initial info.

Doing initial required tests

Testing server: xxx\xxx-RODC0
Starting test: Connectivity
......................... xxx-RODC0 passed test Connectivity

Doing primary tests

Testing server: xxx\xxx-RODC0
Starting test: Advertising
......................... xxx-RODC0 passed test Advertising
Starting test: FrsEvent
......................... xxx-RODC0 passed test FrsEvent
Starting test: DFSREvent
......................... xxx-RODC0 passed test DFSREvent
Starting test: SysVolCheck
......................... xxx-RODC0 passed test SysVolCheck
Starting test: KccEvent
......................... xxx-RODC0 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... xxx-RODC0 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... xxx-RODC0 passed test MachineAccount
Starting test: NCSecDesc
......................... xxx-RODC0 passed test NCSecDesc
Starting test: NetLogons
......................... xxx-RODC0 passed test NetLogons
Starting test: ObjectsReplicated
......................... xxx-RODC0 passed test ObjectsReplicated
Starting test: Replications
......................... xxx-RODC0 passed test Replications
Starting test: Services
......................... xxx-RODC0 passed test Services
Starting test: SystemLog
......................... xxx-RODC0 passed test SystemLog
Starting test: VerifyReferences
......................... xxx-RODC0 passed test VerifyReferences

Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation

Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation

Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation

Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation

Running partition tests on : xxx
Starting test: CheckSDRefDom
......................... xxx passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... xxx passed test CrossRefValidation

Running enterprise tests on : xxx.local
Starting test: LocatorCheck
......................... xxx.local passed test LocatorCheck
Starting test: Intersite
......................... xxx.local passed test Intersite
PS C:\Windows\system32>

The error message only shows up on the Windows Server 2008R2 Domain Controllers.

So I decided to remove BABBAGE and EDISON-DC0 from the Domain_ControllersOU_(WSUS_Notify) OU and place them back in the Domain Controllers OU and rerun the DCDIAG command. This time there was no issue with failed test VerifyReferences on either BABBAGE or EDISON-DC0.

The issue seems to be related to using additional OUs inside of the Domain Controllers OU to configure WSUS for the Domain Controllers.

I had two OUs within the Domain Controllers OU:

Domain_ControllersOU_(WSUS_Notify) – BABBAGE & EDISON-DC0
Domain_ControllersOU_(WSUS_Schedule) – RODC

Any thoughts on how to resolve this so that I can use two separate WSUS policies to patch the DCs manually and the RODC by schedule @ 03:00 would be appreciated.

Best Answer

This is a known bug on 2008 R2 RODCs and the relevant hotfix is found here.

Upon promotion, the RODC is unable to create a DFSR Settings object for its own Computer account (since it's read-only), and so it has to ask another DC to create it.

If the RODC subsequently tries to write an attribute value to the newly created object but (using serverless binding) connects to another writable DC that hasn't yet replicated the newly created DFSR Settings object from the first writable DC, you end up with inconsistencies like missing backlinks.
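The check below is an added example, not code from the question or the answer: it reads the two SYSVOL backlinks that dcdiag's VerifyReferences test looks for (frsComputerReferenceBL for FRS, msDFSR-ComputerReferenceBL for DFSR) from every DC's computer object, asking each writable DC explicitly rather than relying on serverless binding. A backlink missing on only some of the answering DCs is the replication-lag inconsistency the answer describes; one missing everywhere means the member object itself is absent. It assumes the RSAT ActiveDirectory module is installed on the machine running it.

```powershell
# Added example (not from the original post): compare SYSVOL replication backlinks
# on each DC's computer object as seen from every writable DC in the domain.
# Assumes the RSAT ActiveDirectory module; all names are discovered at run time.
Import-Module ActiveDirectory

$dcs      = Get-ADDomainController -Filter *
$writable = $dcs | Where-Object { -not $_.IsReadOnly }

# Backlinks that VerifyReferences expects: FRS before the SYSVOL migration, DFSR after it.
$backlinks = 'frsComputerReferenceBL', 'msDFSR-ComputerReferenceBL'

$rows = foreach ($dc in $dcs) {
    foreach ($server in $writable) {
        # Bind to a named writable DC so a server that has not yet replicated the
        # DFSR member object is identified by host name instead of hidden behind
        # the locator's choice.
        $obj = Get-ADComputer -Identity $dc.ComputerObjectDN `
                              -Server $server.HostName `
                              -Properties $backlinks -ErrorAction Stop
        foreach ($attr in $backlinks) {
            $value = $obj.$attr
            [pscustomobject]@{
                DC         = $dc.Name
                ReadOnly   = $dc.IsReadOnly
                AnsweredBy = $server.HostName
                Attribute  = $attr
                Present    = [bool]$value
                Target     = ($value -join ';')
            }
        }
    }
}

# Group by DC and attribute: a mix of Present=True and Present=False within one
# group means the writable DCs disagree, i.e. the object has not fully replicated.
$rows | Sort-Object DC, Attribute, AnsweredBy |
    Format-Table DC, ReadOnly, Attribute, AnsweredBy, Present, Target -AutoSize
```

Run it from an account that can read the domain partition on each writable DC; the DC rows that dcdiag flags should show the DFSR backlink present on every answering server once replication has converged.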