Discussion:
After going thru stages (FRS to DFS-R) reaching stable Eliminated - now seeing Eliminating, last 4 -5 days?
(too old to reply)
"Beoweolf" .com>
2009-05-25 19:08:12 UTC
Permalink
Domain consisted of DC's running Server 2003, which were upgraded to Server
2003 R2. I then upgraded member server to Server 2008, just to test
compatiblity. Eventually decided to bring Domain and Forest to Server 2008,
allowing full use/observation of new 2008 features.

Once all servers were at 2008 (yes, ADprep - both forest and Domain were
run). last step was to move from Sysvol to DFS-r replication. Took each step
seriously, waited until each completed, then used tools to confirm each
stage was stable before moving to next. After a couple of days, we
progressed to state "eliminated" to clean up the last vestiges of Sysvol.

Everything seemed to be stable. Can't figure out why it keeps reporting
"Eliminating"? Replication is working.

It appears to be a permissions problem: I have checked firewall (both DC).
anyone have experience with this error? Nest troubleshooting step?

......................... ZSRV passed test Advertising
Starting test: FrsEvent
......................... ZSRV passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after
the
SYSVOL has been shared. Failing SYSVOL replication problems may
cause
Group Policy problems.
......................... ZSRV failed test DFSREvent
Starting test: SysVolCheck
......................... ZSRV passed test SysVolCheck
Starting test: KccEvent
......................... ZSRV passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... ZSRV passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... ZSRV passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=zen-ad,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=zen-ad,DC=local
......................... ZSRV failed test NCSecDesc
Starting test: NetLogons
[ZSRV] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... ZSRV failed test NetLogons
Starting test: ObjectsReplicated
......................... ZSRV passed test ObjectsReplicated
Starting test: Replications
......................... ZSRV passed test Replications
Isaac Oben [MCITP:EA, MCSE]
2009-05-26 01:59:28 UTC
Permalink
Hello

Why did you have to move sysvol to dfsr..I can seem to understand that
part..How many DCs do you have in your network> are all of them having same
issue ror just one?
Post by "Beoweolf" .com>
Domain consisted of DC's running Server 2003, which were upgraded to
Server 2003 R2. I then upgraded member server to Server 2008, just to test
compatiblity. Eventually decided to bring Domain and Forest to Server
2008, allowing full use/observation of new 2008 features.
Once all servers were at 2008 (yes, ADprep - both forest and Domain were
run). last step was to move from Sysvol to DFS-r replication. Took each
step seriously, waited until each completed, then used tools to confirm
each stage was stable before moving to next. After a couple of days, we
progressed to state "eliminated" to clean up the last vestiges of Sysvol.
Everything seemed to be stable. Can't figure out why it keeps reporting
"Eliminating"? Replication is working.
It appears to be a permissions problem: I have checked firewall (both DC).
anyone have experience with this error? Nest troubleshooting step?
......................... ZSRV passed test Advertising
Starting test: FrsEvent
......................... ZSRV passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after
the
SYSVOL has been shared. Failing SYSVOL replication problems may
cause
Group Policy problems.
......................... ZSRV failed test DFSREvent
Starting test: SysVolCheck
......................... ZSRV passed test SysVolCheck
Starting test: KccEvent
......................... ZSRV passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... ZSRV passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... ZSRV passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
DC=DomainDnsZones,DC=zen-ad,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
DC=ForestDnsZones,DC=zen-ad,DC=local
......................... ZSRV failed test NCSecDesc
Starting test: NetLogons
[ZSRV] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... ZSRV failed test NetLogons
Starting test: ObjectsReplicated
......................... ZSRV passed test ObjectsReplicated
Starting test: Replications
......................... ZSRV passed test Replications
"Beoweolf" .com>
2009-05-26 18:44:49 UTC
Permalink
Replication is taking place, that has been confirmed by Repadmin, in both
directions. The status of DFSR migration is in a state that does not match
any of the expected states (start, prepared, redirected ,eliminated). As it
progressed through each state, it was confirmed, allowed to stabilize,
before continuing to the next step. Once at the final step; the move to
Eliminated was delayed overnight and confirmed after a re-boot/re-start. So,
I had expected everything to have completed successfully (which was reported
/ confirmed) by the program before initiating the final stage. The next time
it was check, another follow-up. The status had changed to what is listed
below:

**********************************************************************

" The following Domain Controllers are not in sync with Global state
('Eliminated'):
Domain Controller (Local Migration State) - DC Type
===================================================

ZSRV1 ('Eliminating') - Primary DC
ZSRV ('Eliminating') - Writable DC

Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency. "

**********************************************************************

As mentioned; I didn't need to change to DFS. DFS is a feature of 2008
server forest function level, the basis of building this network is to test
the features of an Upgraded server 2008 network. In the attached DC diag
partial listing it shows 2 DC's - the errors in the list are the problem

**********************************************************************
" Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=zen-ad,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=zen-ad,DC=local
......................... ZSRV failed test NCSecDesc "
**********************************************************************

The message following seems to indicate a permission problem (not sure if
its complaining about the ID used to invoke the test or the ID service ID
used to logon to the server).

**********************************************************************
" [ZSRV] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain. "
***********************************************************************
Post by Isaac Oben [MCITP:EA, MCSE]
Hello
Why did you have to move sysvol to dfsr..I can seem to understand that
part..How many DCs do you have in your network> are all of them having
same issue ror just one?
Post by "Beoweolf" .com>
Domain consisted of DC's running Server 2003, which were upgraded to
Server 2003 R2. I then upgraded member server to Server 2008, just to
test compatiblity. Eventually decided to bring Domain and Forest to
Server 2008, allowing full use/observation of new 2008 features.
Once all servers were at 2008 (yes, ADprep - both forest and Domain were
run). last step was to move from Sysvol to DFS-r replication. Took each
step seriously, waited until each completed, then used tools to confirm
each stage was stable before moving to next. After a couple of days, we
progressed to state "eliminated" to clean up the last vestiges of Sysvol.
Everything seemed to be stable. Can't figure out why it keeps reporting
"Eliminating"? Replication is working.
It appears to be a permissions problem: I have checked firewall (both
DC). anyone have experience with this error? Nest troubleshooting step?
......................... ZSRV passed test Advertising
Starting test: FrsEvent
......................... ZSRV passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after
the
SYSVOL has been shared. Failing SYSVOL replication problems may
cause
Group Policy problems.
......................... ZSRV failed test DFSREvent
Starting test: SysVolCheck
......................... ZSRV passed test SysVolCheck
Starting test: KccEvent
......................... ZSRV passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... ZSRV passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... ZSRV passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
DC=DomainDnsZones,DC=zen-ad,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
DC=ForestDnsZones,DC=zen-ad,DC=local
......................... ZSRV failed test NCSecDesc
Starting test: NetLogons
[ZSRV] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... ZSRV failed test NetLogons
Starting test: ObjectsReplicated
......................... ZSRV passed test ObjectsReplicated
Starting test: Replications
......................... ZSRV passed test Replications
Marcin
2009-05-26 23:26:55 UTC
Permalink
As far as I understand, the error mesage you are referring to indicates that
you haven't run adprep /rodcprep in your domain(s). However, I'm not sure to
what extent this is related to the issue you are experiencing.
Have you tried recommendations listed in
http://technet.microsoft.com/en-us/library/dd639976(WS.10).aspx#BKMK_MigrationAppearsStalledAtEliminating

hth
Marcin
Post by "Beoweolf" .com>
Replication is taking place, that has been confirmed by Repadmin, in both
directions. The status of DFSR migration is in a state that does not match
any of the expected states (start, prepared, redirected ,eliminated). As
it progressed through each state, it was confirmed, allowed to stabilize,
before continuing to the next step. Once at the final step; the move to
Eliminated was delayed overnight and confirmed after a re-boot/re-start.
So, I had expected everything to have completed successfully (which was
reported / confirmed) by the program before initiating the final stage.
The next time it was check, another follow-up. The status had changed to
**********************************************************************
" The following Domain Controllers are not in sync with Global state
Domain Controller (Local Migration State) - DC Type
===================================================
ZSRV1 ('Eliminating') - Primary DC
ZSRV ('Eliminating') - Writable DC
Migration has not yet reached a consistent state on all Domain
Controllers.
State information might be stale due to AD latency. "
**********************************************************************
As mentioned; I didn't need to change to DFS. DFS is a feature of 2008
server forest function level, the basis of building this network is to
test the features of an Upgraded server 2008 network. In the attached DC
diag partial listing it shows 2 DC's - the errors in the list are the
problem
**********************************************************************
" Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
DC=DomainDnsZones,DC=zen-ad,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
DC=ForestDnsZones,DC=zen-ad,DC=local
......................... ZSRV failed test NCSecDesc "
**********************************************************************
The message following seems to indicate a permission problem (not sure if
its complaining about the ID used to invoke the test or the ID service ID
used to logon to the server).
**********************************************************************
" [ZSRV] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain. "
***********************************************************************
Post by Isaac Oben [MCITP:EA, MCSE]
Hello
Why did you have to move sysvol to dfsr..I can seem to understand that
part..How many DCs do you have in your network> are all of them having
same issue ror just one?
Post by "Beoweolf" .com>
Domain consisted of DC's running Server 2003, which were upgraded to
Server 2003 R2. I then upgraded member server to Server 2008, just to
test compatiblity. Eventually decided to bring Domain and Forest to
Server 2008, allowing full use/observation of new 2008 features.
Once all servers were at 2008 (yes, ADprep - both forest and Domain were
run). last step was to move from Sysvol to DFS-r replication. Took each
step seriously, waited until each completed, then used tools to confirm
each stage was stable before moving to next. After a couple of days, we
progressed to state "eliminated" to clean up the last vestiges of Sysvol.
Everything seemed to be stable. Can't figure out why it keeps reporting
"Eliminating"? Replication is working.
It appears to be a permissions problem: I have checked firewall (both
DC). anyone have experience with this error? Nest troubleshooting step?
......................... ZSRV passed test Advertising
Starting test: FrsEvent
......................... ZSRV passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after
the
SYSVOL has been shared. Failing SYSVOL replication problems may
cause
Group Policy problems.
......................... ZSRV failed test DFSREvent
Starting test: SysVolCheck
......................... ZSRV passed test SysVolCheck
Starting test: KccEvent
......................... ZSRV passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... ZSRV passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... ZSRV passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
DC=DomainDnsZones,DC=zen-ad,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
DC=ForestDnsZones,DC=zen-ad,DC=local
......................... ZSRV failed test NCSecDesc
Starting test: NetLogons
[ZSRV] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... ZSRV failed test NetLogons
Starting test: ObjectsReplicated
......................... ZSRV passed test ObjectsReplicated
Starting test: Replications
......................... ZSRV passed test Replications
"Beoweolf" .com>
2009-05-27 00:38:42 UTC
Permalink
Yes, that was tried during the first couple of days. except for manually
removing any files/folders. was holding the drastic actions until I
exhausted other possibilities. No need for premature actions, at least
wanted to consult with peers first.

As far as the possibility of Not running adprep I have no idea where that is
even possible, the system would be spitting out a lot more errors, if it was
replicating at all. Besides, there are no RODC's on the network, so that
seems not a likely consideration either way.

Looks like I am either going to wait it out, see if it self corrects or
learn to live with the error messages. I hate when that happens!

My traditional response to lingering, chronic error messages on an active
system considers it as a sign of a lazy administrator or worse - probable
incompetence. So this is not something which gives me a "warm 'n fuzzy"
feeling.
Post by Marcin
As far as I understand, the error mesage you are referring to indicates
that you haven't run adprep /rodcprep in your domain(s). However, I'm not
sure to what extent this is related to the issue you are experiencing.
Have you tried recommendations listed in
http://technet.microsoft.com/en-us/library/dd639976(WS.10).aspx#BKMK_MigrationAppearsStalledAtEliminating
hth
Marcin
Post by "Beoweolf" .com>
Replication is taking place, that has been confirmed by Repadmin, in both
directions. The status of DFSR migration is in a state that does not
match any of the expected states (start, prepared, redirected
,eliminated). As it progressed through each state, it was confirmed,
allowed to stabilize, before continuing to the next step. Once at the
final step; the move to Eliminated was delayed overnight and confirmed
after a re-boot/re-start. So, I had expected everything to have completed
successfully (which was reported / confirmed) by the program before
initiating the final stage. The next time it was check, another
**********************************************************************
" The following Domain Controllers are not in sync with Global state
Domain Controller (Local Migration State) - DC Type
===================================================
ZSRV1 ('Eliminating') - Primary DC
ZSRV ('Eliminating') - Writable DC
Migration has not yet reached a consistent state on all Domain Controllers.
State information might be stale due to AD latency. "
**********************************************************************
As mentioned; I didn't need to change to DFS. DFS is a feature of 2008
server forest function level, the basis of building this network is to
test the features of an Upgraded server 2008 network. In the attached DC
diag partial listing it shows 2 DC's - the errors in the list are the
problem
**********************************************************************
" Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
DC=DomainDnsZones,DC=zen-ad,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
DC=ForestDnsZones,DC=zen-ad,DC=local
......................... ZSRV failed test NCSecDesc "
**********************************************************************
The message following seems to indicate a permission problem (not sure if
its complaining about the ID used to invoke the test or the ID service ID
used to logon to the server).
**********************************************************************
" [ZSRV] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain. "
***********************************************************************
Post by Isaac Oben [MCITP:EA, MCSE]
Hello
Why did you have to move sysvol to dfsr..I can seem to understand that
part..How many DCs do you have in your network> are all of them having
same issue ror just one?
Post by "Beoweolf" .com>
Domain consisted of DC's running Server 2003, which were upgraded to
Server 2003 R2. I then upgraded member server to Server 2008, just to
test compatiblity. Eventually decided to bring Domain and Forest to
Server 2008, allowing full use/observation of new 2008 features.
Once all servers were at 2008 (yes, ADprep - both forest and Domain
were run). last step was to move from Sysvol to DFS-r replication. Took
each step seriously, waited until each completed, then used tools to
confirm each stage was stable before moving to next. After a couple of
days, we progressed to state "eliminated" to clean up the last vestiges
of Sysvol.
Everything seemed to be stable. Can't figure out why it keeps
reporting "Eliminating"? Replication is working.
It appears to be a permissions problem: I have checked firewall (both
DC). anyone have experience with this error? Nest troubleshooting step?
......................... ZSRV passed test Advertising
Starting test: FrsEvent
......................... ZSRV passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours
after the
SYSVOL has been shared. Failing SYSVOL replication problems
may cause
Group Policy problems.
......................... ZSRV failed test DFSREvent
Starting test: SysVolCheck
......................... ZSRV passed test SysVolCheck
Starting test: KccEvent
......................... ZSRV passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... ZSRV passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... ZSRV passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
DC=DomainDnsZones,DC=zen-ad,DC=local
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
DC=ForestDnsZones,DC=zen-ad,DC=local
......................... ZSRV failed test NCSecDesc
Starting test: NetLogons
[ZSRV] User credentials does not have permission to perform this
operation.
The account used for this test must have network logon privileges
for this machine's domain.
......................... ZSRV failed test NetLogons
Starting test: ObjectsReplicated
......................... ZSRV passed test ObjectsReplicated
Starting test: Replications
......................... ZSRV passed test Replications
Loading...