While running DCDIAG on our Windows Server 2008R2 Enterprise Domain Controllers, I discovered the following error message on both DCs.
These domain controllers were migrated from Windows Server 2003 to Windows Server 2008R2, and SYSVOL was successfully migrated from FRS to DFSR over a year ago.
Share name   Resource                                            Remark
-------------------------------------------------------------------------------
C$           C:\                                                 Default share
IPC$                                                             Remote IPC
ADMIN$       C:\Windows                                          Remote Admin
NETLOGON     C:\Windows\SYSVOL_DFSR\sysvol\xxx.local\SCRIPTS     Logon server share
SYSVOL       C:\Windows\SYSVOL_DFSR\sysvol                       Logon server share
The command completed successfully.
Over two months ago a read-only Domain Controller was added but only now has this error message been discovered.
Virtual Domain Controller
Starting test: VerifyReferences
Some objects relating to the DC EDISON-DC0 have problems:
[1] Problem: Missing Expected Value
Base Object: CN=EDISON-DC0,OU=Domain_ControllersOU_(WSUS_Notify),OU=Domain Controllers,DC=xxx,DC=local
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... EDISON-DC0 failed test VerifyReferences
Physical Domain Controller
Starting test: VerifyReferences
Some objects relating to the DC BABBAGE have problems:
[1] Problem: Missing Expected Value
Base Object: CN=BABBAGE,OU=Domain_ControllersOU_(WSUS_Notify),OU=Domain Controllers,DC=xxx,DC=local
Base Object Description: "DC Account Object"
Value Object Attribute Name: frsComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862
......................... BABBAGE failed test VerifyReferences
Windows Server 2012 Standard Read-Only Domain Controller
Windows PowerShell
Copyright (C) 2012 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = xxx-RODC0
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: xxx\xxx-RODC0
      Starting test: Connectivity
         ......................... xxx-RODC0 passed test Connectivity

Doing primary tests

   Testing server: xxx\xxx-RODC0
      Starting test: Advertising
         ......................... xxx-RODC0 passed test Advertising
      Starting test: FrsEvent
         ......................... xxx-RODC0 passed test FrsEvent
      Starting test: DFSREvent
         ......................... xxx-RODC0 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... xxx-RODC0 passed test SysVolCheck
      Starting test: KccEvent
         ......................... xxx-RODC0 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... xxx-RODC0 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... xxx-RODC0 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... xxx-RODC0 passed test NCSecDesc
      Starting test: NetLogons
         ......................... xxx-RODC0 passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... xxx-RODC0 passed test ObjectsReplicated
      Starting test: Replications
         ......................... xxx-RODC0 passed test Replications
      Starting test: Services
         ......................... xxx-RODC0 passed test Services
      Starting test: SystemLog
         ......................... xxx-RODC0 passed test SystemLog
      Starting test: VerifyReferences
         ......................... xxx-RODC0 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : xxx
      Starting test: CheckSDRefDom
         ......................... xxx passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... xxx passed test CrossRefValidation

   Running enterprise tests on : xxx.local
      Starting test: LocatorCheck
         ......................... xxx.local passed test LocatorCheck
      Starting test: Intersite
         ......................... xxx.local passed test Intersite
PS C:\Windows\system32>
The error message only shows up on the Windows Server 2008R2 Domain Controllers.
So I decided to remove BABBAGE and EDISON-DC0 from the Domain_ControllersOU_(WSUS_Notify) OU and place them back in the Domain Controllers OU and rerun the DCDIAG command. This time there was no issue with failed test VerifyReferences on either BABBAGE or EDISON-DC0.
The issue seems to be related to using additional OUs inside of the Domain Controllers OU to configure WSUS for the Domain Controllers.
I had two OUs within the Domain Controllers OU:
Domain_ControllersOU_(WSUS_Notify) - BABBAGE & EDISON-DC0
Domain_ControllersOU_(WSUS_Schedule) - RODC
Any thoughts on how to resolve this so that I can use two separate WSUS policies to patch the DCs manually and the RODC by schedule @ 03:00 would be appreciated.
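
An added example, not part of the original post: a read-only PowerShell check that lists, for every domain controller, the container its computer object sits in and whether the frsComputerReferenceBL back-link named in the VerifyReferences output (and its DFSR counterpart, msDFSR-ComputerReferenceBL) is populated. It assumes the ActiveDirectory module (RSAT) is installed and Active Directory Web Services is reachable; the report column names are made up for this example.

```powershell
# Added example: read-only audit, makes no changes to the directory.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Default container for DC computer objects, e.g. OU=Domain Controllers,DC=...
$dcContainer = (Get-ADDomain).DomainControllersContainer

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    # Fetch the DC's computer object with both SYSVOL member back-links:
    #   frsComputerReferenceBL      -> FRS member object (checked by VerifyReferences)
    #   msDFSR-ComputerReferenceBL  -> DFSR member object
    $computer = Get-ADComputer -Identity $dc.ComputerObjectDN `
        -Properties frsComputerReferenceBL, 'msDFSR-ComputerReferenceBL'

    # Parent container = DN with the leading "CN=<name>," RDN removed
    # (stops at the first comma that is not backslash-escaped).
    $parent = $computer.DistinguishedName -replace '^CN=.+?(?<!\\),', ''

    [pscustomobject]@{
        Name               = $dc.Name
        OperatingSystem    = $dc.OperatingSystem
        IsReadOnly         = $dc.IsReadOnly
        ParentContainer    = $parent
        InDefaultDcOU      = ($parent -eq $dcContainer)
        FrsMemberBackLink  = [bool]$computer.frsComputerReferenceBL
        DfsrMemberBackLink = [bool]$computer.'msDFSR-ComputerReferenceBL'
    }
}

# DCs outside the default container sort first.
$report | Sort-Object InDefaultDcOU, Name | Format-Table -AutoSize
```

Running it before and after moving a DC between OUs gives a side-by-side record to compare against the dcdiag VerifyReferences result.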