» w2k3 - не реплицируется SYSVOL

В сети было два DC. Поднял третий, затем убил с концами первый. Делал вроде бы все правильно, роли передал как положено. На новый DC SYSVOL не передается, сервис Netlogon не поднимается. Сама AD при этом реплицируется без ошибок. DNS вроде тоже без дыр. Думаю, засада где-то в топологии репликации SYSVOL. На новом DC в регистри в .../Ntfrs/Parameters/Replicasets есть соответствующий ключ с неким именем 8f9b....

Должен ли присутствовать ключ с таким же именем на другом DC? В моем случае он отсутствует.

Gaidamak Навернаяка dcdiag или netdiag на что-то ругается!
Для начала:
repadmin /showreps
repadmin /showconn
nltest /sc_query:имя_домена - проверка безопасного канала на 2003
repadmin/syncall

net stop ntfrs
dcdiag /fix
netdiag /fix
net start ntfrs
DCDIAG.EXE /e /test:frssysvol

Если останется все по-прежнему, то читай статью
How to rebuild the SYSVOL tree and its content in a domain
Еще тут неплохие статьи по диагностике проблем
http://support.microsoft.com/kb/249256/ru
http://support.microsoft.com/kb/229896/EN-US/

Цитата:

Навернаяка dcdiag или netdiag на что-то ругается

Да. Они ругаются на то, что SYSVOL не реплицируется и Netlogon не шарится. Все остальное без ошибок, включая репликацию AD.


Вот наиболее вменяемое сообщение об ошибке:



The File Replication Service is having trouble enabling replication from OFFICE to CONTACT for c:\windows\sysvol\domain using the DNS name office.metholding.int. FRS will keep retrying.
Following are some of the reasons you would see this warning.

-----
[1] FRS can not correctly resolve the DNS name office.metholding.int from this computer.
[2] FRS is not running on office.metholding.int.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.
----

Пункты 1 и 2 исключаются, как диагностировать 3, я пока не знаю.

Статью про rebuild читал еще в пятницу, пишут, черти, что это временное решение проблемы. Пока делать это не пробовал, ибо там же пишут, что все может гигнуться нах, а в рабочее время это маст дай. Если найдется гуру, согласный глянуть на мой dcdiag /e /v /c, отправлю мылом, чтобы не засорять форум.

ИМХО диагностировать проблемы ntfrs лучше утилитой ntfrsutl. Как показала практика, при введении дополнительного контроллера, могут не все записи создаться для нормальной работы ntfrs и такая ситуация происходит достаточно часто.

Gaidamak Пихай сюда с тэгом more, тогда не засоришь ничего
Читай тут про этот тэг в самом низу - http://i.ru-board.com/codes.html
http://forum.ru-board.com/topic.cgi?forum=2&topic=1716#1

Вот выход dcdiag /e /v /c

FAILED в DNS-тесте относится к неответу одного из удаленных non-Windows NS-серверов.

[more]

Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine contact, is a DC.
* Connecting to directory service on server contact.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 2 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\OFFICE
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... OFFICE passed test Connectivity

Testing server: Default-First-Site-Name\CONTACT
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... CONTACT passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\OFFICE
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=xxx,DC=int
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=xxx,DC=int
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=xxx,DC=int
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=xxx,DC=int
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=xxx,DC=int
Latency information for 11 entries in the vector were ignored.
11 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... OFFICE passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... OFFICE passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... OFFICE passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC OFFICE.
* Security Permissions Check for
DC=ForestDnsZones,DC=xxx,DC=int
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=xxx,DC=int
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=xxx,DC=int
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=xxx,DC=int
(Configuration,Version 2)
* Security Permissions Check for
DC=xxx,DC=int
(Domain,Version 2)
......................... OFFICE passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\OFFICE\netlogon
Verified share \\OFFICE\sysvol
......................... OFFICE passed test NetLogons
Starting test: Advertising
The DC OFFICE is advertising itself as a DC and having a DS.
The DC OFFICE is advertising as an LDAP server
The DC OFFICE is advertising as having a writeable directory
The DC OFFICE is advertising as a Key Distribution Center
The DC OFFICE is advertising as a time server
The DS OFFICE is advertising as a GC.
......................... OFFICE passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=OFFICE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
Role Domain Owner = CN=NTDS Settings,CN=OFFICE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
Role PDC Owner = CN=NTDS Settings,CN=OFFICE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
Role Rid Owner = CN=NTDS Settings,CN=OFFICE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CONTACT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
......................... OFFICE passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 7602 to 1073741823
* office.xxx.int is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 6102 to 6601
* rIDPreviousAllocationPool is 6102 to 6601
* rIDNextRID: 6115
......................... OFFICE passed test RidManager
Starting test: MachineAccount
Checking machine account for DC OFFICE on DC OFFICE.
* SPN found :LDAP/office.xxx.int/xxx.int
* SPN found :LDAP/office.xxx.int
* SPN found :LDAP/OFFICE
* SPN found :LDAP/office.xxx.int/xxx
* SPN found :LDAP/52d27d6b-328a-4623-8227-5844fcfdf32b._msdcs.xxx.int
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/52d27d6b-328a-4623-8227-5844fcfdf32b/xxx.int
* SPN found :HOST/office.xxx.int/xxx.int
* SPN found :HOST/office.xxx.int
* SPN found :HOST/OFFICE
* SPN found :HOST/office.xxx.int/xxx
* SPN found :GC/office.xxx.int/xxx.int
......................... OFFICE passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... OFFICE passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... OFFICE passed test OutboundSecureChannels
Starting test: ObjectsReplicated
OFFICE is in domain DC=xxx,DC=int
Checking for CN=OFFICE,OU=Domain Controllers,DC=xxx,DC=int in domain DC=xxx,DC=int on 2 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=OFFICE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int in domain CN=Configuration,DC=xxx,DC=int on 2 servers
Object is up-to-date on all servers.
......................... OFFICE passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... OFFICE passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... OFFICE passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... OFFICE passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... OFFICE passed test systemlog
Starting test: VerifyReplicas
......................... OFFICE passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=OFFICE,OU=Domain Controllers,DC=xxx,DC=int and backlink on

CN=OFFICE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int

are correct.
The system object reference (frsComputerReferenceBL)

CN=OFFICE,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=xxx,DC=int

and backlink on CN=OFFICE,OU=Domain Controllers,DC=xxx,DC=int

are correct.
The system object reference (serverReferenceBL)

CN=OFFICE,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=xxx,DC=int

and backlink on

CN=NTDS Settings,CN=OFFICE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int

are correct.
......................... OFFICE passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... OFFICE passed test VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC OFFICE for domain xxx.int in site Default-First-Site-Name
Checking machine account for DC OFFICE on DC OFFICE.
* SPN found :LDAP/office.xxx.int/xxx.int
* SPN found :LDAP/office.xxx.int
* SPN found :LDAP/OFFICE
* SPN found :LDAP/office.xxx.int/xxx
* SPN found :LDAP/52d27d6b-328a-4623-8227-5844fcfdf32b._msdcs.xxx.int
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/52d27d6b-328a-4623-8227-5844fcfdf32b/xxx.int
* SPN found :HOST/office.xxx.int/xxx.int
* SPN found :HOST/office.xxx.int
* SPN found :HOST/OFFICE
* SPN found :HOST/office.xxx.int/xxx
* SPN found :GC/office.xxx.int/xxx.int
[OFFICE] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... OFFICE passed test CheckSecurityError

Testing server: Default-First-Site-Name\CONTACT
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=xxx,DC=int
Latency information for 7 entries in the vector were ignored.
7 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=xxx,DC=int
Latency information for 6 entries in the vector were ignored.
6 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=xxx,DC=int
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=xxx,DC=int
Latency information for 12 entries in the vector were ignored.
12 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=xxx,DC=int
Latency information for 11 entries in the vector were ignored.
11 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
* Replication Site Latency Check
......................... CONTACT passed test Replications
Starting test: Topology
* Configuration Topology Integrity Check
* Analyzing the connection topology for DC=ForestDnsZones,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=DomainDnsZones,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Schema,CN=Configuration,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for CN=Configuration,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the connection topology for DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CONTACT passed test Topology
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=DomainDnsZones,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for CN=Configuration,DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
* Analyzing the alive system replication topology for DC=xxx,DC=int.
* Performing upstream (of target) analysis.
* Performing downstream (of target) analysis.
......................... CONTACT passed test CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC CONTACT.
* Security Permissions Check for
DC=ForestDnsZones,DC=xxx,DC=int
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=xxx,DC=int
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=xxx,DC=int
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=xxx,DC=int
(Configuration,Version 2)
* Security Permissions Check for
DC=xxx,DC=int
(Domain,Version 2)
......................... CONTACT passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\CONTACT\netlogon)
[CONTACT] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
......................... CONTACT failed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\office.xxx.int, when we were trying to reach CONTACT.
Server is not responding or is not considered suitable.
The DC CONTACT is advertising itself as a DC and having a DS.
The DC CONTACT is advertising as an LDAP server
The DC CONTACT is advertising as having a writeable directory
The DC CONTACT is advertising as a Key Distribution Center
The DC CONTACT is advertising as a time server
......................... CONTACT failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=OFFICE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
Role Domain Owner = CN=NTDS Settings,CN=OFFICE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
Role PDC Owner = CN=NTDS Settings,CN=OFFICE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
Role Rid Owner = CN=NTDS Settings,CN=OFFICE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
Role Infrastructure Update Owner = CN=NTDS Settings,CN=CONTACT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
......................... CONTACT passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 7602 to 1073741823
* office.xxx.int is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 7102 to 7601
* rIDPreviousAllocationPool is 7102 to 7601
* rIDNextRID: 7104
......................... CONTACT passed test RidManager
Starting test: MachineAccount
Checking machine account for DC CONTACT on DC CONTACT.
* SPN found :LDAP/contact.xxx.int/xxx.int
* SPN found :LDAP/contact.xxx.int
* SPN found :LDAP/CONTACT
* SPN found :LDAP/contact.xxx.int/xxx
* SPN found :LDAP/7eaed0d7-7cf3-4a76-a67e-c02f6a7fbadd._msdcs.xxx.int
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/7eaed0d7-7cf3-4a76-a67e-c02f6a7fbadd/xxx.int
* SPN found :HOST/contact.xxx.int/xxx.int
* SPN found :HOST/contact.xxx.int
* SPN found :HOST/CONTACT
* SPN found :HOST/contact.xxx.int/xxx
* SPN found :GC/contact.xxx.int/xxx.int
......................... CONTACT passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... CONTACT passed test Services
Starting test: OutboundSecureChannels
* The Outbound Secure Channels test
** Did not run Outbound Secure Channels test
because /testdomain: was not entered
......................... CONTACT passed test OutboundSecureChannels
Starting test: ObjectsReplicated
CONTACT is in domain DC=xxx,DC=int
Checking for CN=CONTACT,OU=Domain Controllers,DC=xxx,DC=int in domain DC=xxx,DC=int on 2 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=CONTACT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int in domain CN=Configuration,DC=xxx,DC=int on 2 servers
Object is up-to-date on all servers.
......................... CONTACT passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
The registry lookup failed to determine the state of the SYSVOL. The

error returned was 0 (Win32 Error 0). Check the FRS event log to see

if the SYSVOL has successfully been shared.
......................... CONTACT passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may cause

Group Policy problems.
An Warning Event occured. EventID: 0x800034FD
Time Generated: 12/17/2007 11:43:01
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C8
Time Generated: 12/17/2007 11:43:01
(Event String could not be retrieved)
......................... CONTACT failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... CONTACT passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... CONTACT passed test systemlog
Starting test: VerifyReplicas
......................... CONTACT passed test VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=CONTACT,OU=Domain Controllers,DC=xxx,DC=int and backlink on

CN=CONTACT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int

are correct.
The system object reference (frsComputerReferenceBL)

CN=CONTACT,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=xxx,DC=int

and backlink on CN=CONTACT,OU=Domain Controllers,DC=xxx,DC=int

are correct.
The system object reference (serverReferenceBL)

CN=CONTACT,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=xxx,DC=int

and backlink on

CN=NTDS Settings,CN=CONTACT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int

are correct.
......................... CONTACT passed test VerifyReferences
Starting test: VerifyEnterpriseReferences
......................... CONTACT passed test VerifyEnterpriseReferences
Starting test: CheckSecurityError
* Dr Auth: Beginning security errors check!
Found KDC OFFICE for domain xxx.int in site Default-First-Site-Name
Checking machine account for DC CONTACT on DC OFFICE.
* SPN found :LDAP/contact.xxx.int/xxx.int
* SPN found :LDAP/contact.xxx.int
* SPN found :LDAP/CONTACT
* SPN found :LDAP/contact.xxx.int/xxx
* SPN found :LDAP/7eaed0d7-7cf3-4a76-a67e-c02f6a7fbadd._msdcs.xxx.int
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/7eaed0d7-7cf3-4a76-a67e-c02f6a7fbadd/xxx.int
* SPN found :HOST/contact.xxx.int/xxx.int
* SPN found :HOST/contact.xxx.int
* SPN found :HOST/CONTACT
* SPN found :HOST/contact.xxx.int/xxx
* SPN found :GC/contact.xxx.int/xxx.int
Checking for CN=CONTACT,OU=Domain Controllers,DC=xxx,DC=int in domain DC=xxx,DC=int on 2 servers
Object is up-to-date on all servers.
[CONTACT] No security related replication errors were found on this DC! To target the connection to a specific source DC use /ReplSource:<DC>.
......................... CONTACT passed test CheckSecurityError

DNS Tests are running and not hung. Please wait a few minutes...

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : xxx
Starting test: CrossRefValidation
......................... xxx passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... xxx passed test CheckSDRefDom

Running enterprise tests on : xxx.int
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope

provided by the command line arguments provided.
......................... xxx.int passed test Intersite
Starting test: FsmoCheck
GC Name: \\office.xxx.int
Locator Flags: 0xe00003fd
PDC Name: \\office.xxx.int
Locator Flags: 0xe00003fd
Time Server Name: \\office.xxx.int
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\office.xxx.int
Locator Flags: 0xe00003fd
KDC Name: \\office.xxx.int
Locator Flags: 0xe00003fd
......................... xxx.int passed test FsmoCheck
Starting test: DNS
Test results for domain controllers:

DC: office.xxx.int
Domain: xxx.int


TEST: Authentication (Auth)
Authentication test: Successfully completed

TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Standard Edition (Service Pack level: 2.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000007] Intel(R) PRO/1000 MT Dual Port Network Connection:
MAC address is 00:04:23:C4:F0:FC
IP address is static
IP address: 10.10.1.5
DNS servers:
10.10.1.5 (<name unavailable>) [Valid]
10.10.1.2 (<name unavailable>) [Valid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found (primary)
Root zone on this DC/DNS server was not found

TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
10.10.1.2 (<name unavailable>) [Valid]

TEST: Delegations (Del)
Delegation information for the zone: xxx.int.
Delegated domain name: out3.xxx.int.
DNS server: ns.out3.xxx.int. IP:10.10.20.118 [Valid]
Delegated domain name: out1.xxx.int.
Error: DNS server: ns.out1.xxx.int. IP:10.10.20.114 [Broken delegation]
Delegated domain name: koks.xxx.int.
DNS server: ns.koks.xxx.int. IP:10.10.20.106 [Valid]
Delegated domain name: tchm.xxx.int.
DNS server: ns.tchm.xxx.int. IP:10.10.20.102 [Valid]
Delegated domain name: out2.xxx.int.
DNS server: ns.out2.xxx.int. IP:10.30.0.1 [Valid]

TEST: Dynamic update (Dyn)
Warning: Dynamic update is enabled on the zone but not secure xxx.int.
Test record _dcdiag_test_record added successfully in zone xxx.int.
Test record _dcdiag_test_record deleted successfully in zone xxx.int.

TEST: Records registration (RReg)
Network Adapter [00000007] Intel(R) PRO/1000 MT Dual Port Network Connection:
Matching A record found at DNS server 10.10.1.5:
office.xxx.int

Matching CNAME record found at DNS server 10.10.1.5:
52d27d6b-328a-4623-8227-5844fcfdf32b._msdcs.xxx.int

Matching DC SRV record found at DNS server 10.10.1.5:
_ldap._tcp.dc._msdcs.xxx.int

Matching GC SRV record found at DNS server 10.10.1.5:
_ldap._tcp.gc._msdcs.xxx.int

Matching PDC SRV record found at DNS server 10.10.1.5:
_ldap._tcp.pdc._msdcs.xxx.int

Matching A record found at DNS server 10.10.1.2:
office.xxx.int

Matching CNAME record found at DNS server 10.10.1.2:
52d27d6b-328a-4623-8227-5844fcfdf32b._msdcs.xxx.int

Matching DC SRV record found at DNS server 10.10.1.2:
_ldap._tcp.dc._msdcs.xxx.int

Matching GC SRV record found at DNS server 10.10.1.2:
_ldap._tcp.gc._msdcs.xxx.int

Matching PDC SRV record found at DNS server 10.10.1.2:
_ldap._tcp.pdc._msdcs.xxx.int



DC: contact.xxx.int
Domain: xxx.int


TEST: Authentication (Auth)
Authentication test: Successfully completed

TEST: Basic (Basc)
Microsoft(R) Windows(R) Server 2003, Standard Edition (Service Pack level: 2.0) is supported
NETLOGON service is running
kdc service is running
DNSCACHE service is running
DNS service is running
DC is a DNS server
Network adapters information:
Adapter [00000007] Intel(R) PRO/1000 EB Network Connection with I/O Acceleration:
MAC address is 00:15:17:0E:F2:26
IP address is static
IP address: 10.10.1.1
DNS servers:
10.10.1.5 (<name unavailable>) [Valid]
10.10.1.2 (<name unavailable>) [Valid]
The A record for this DC was found
The SOA record for the Active Directory zone was found
The Active Directory zone on this DC/DNS server was found (secondary)
Root zone on this DC/DNS server was not found

TEST: Forwarders/Root hints (Forw)
Recursion is enabled
Forwarders Information:
10.10.1.2 (<name unavailable>) [Valid]

TEST: Delegations (Del)
Delegation information for the zone: xxx.int.
Delegated domain name: out3.xxx.int.
DNS server: ns.out3.xxx.int. IP:10.10.20.118 [Valid]
Delegated domain name: out1.xxx.int.
Error: DNS server: ns.out1.xxx.int. IP:10.10.20.114 [Broken delegation]
Delegated domain name: koks.xxx.int.
DNS server: ns.koks.xxx.int. IP:10.10.20.106 [Valid]
Delegated domain name: tchm.xxx.int.
DNS server: ns.tchm.xxx.int. IP:10.10.20.102 [Valid]
Delegated domain name: out2.xxx.int.
DNS server: ns.out2.xxx.int. IP:10.30.0.1 [Valid]

TEST: Dynamic update (Dyn)
Dynamic Update tests are skipped since xxx.int
is a secondary zone. DNS Record updates can't happen on the secondary zones

TEST: Records registration (RReg)
Network Adapter [00000007] Intel(R) PRO/1000 EB Network Connection with I/O Acceleration:
Matching A record found at DNS server 10.10.1.5:
contact.xxx.int

Matching CNAME record found at DNS server 10.10.1.5:
7eaed0d7-7cf3-4a76-a67e-c02f6a7fbadd._msdcs.xxx.int

Matching DC SRV record found at DNS server 10.10.1.5:
_ldap._tcp.dc._msdcs.xxx.int


Summary of test results for DNS servers used by the above domain controllers:

DNS server: 10.10.20.114 (ns.out1.xxx.int.)
2 test failures on this DNS server
This is not a valid DNS server. PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.10.20.114
[Error details: 9005 (Type: Win32 - Description: DNS operation refused.)]
Delegation to the domain out1.xxx.int. is operational

DNS server: 10.10.1.2 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server.
Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered

DNS server: 10.10.1.5 (<name unavailable>)
All tests passed on this DNS server
This is a valid DNS server.
Name resolution is funtional. _ldap._tcp SRV record for the forest root domain is registered

DNS server: 10.10.20.102 (ns.tchm.xxx.int.)
All tests passed on this DNS server
This is a valid DNS server.
Delegation to the domain tchm.xxx.int. is operational

DNS server: 10.10.20.106 (ns.koks.xxx.int.)
All tests passed on this DNS server
This is a valid DNS server.
Delegation to the domain koks.xxx.int. is operational

DNS server: 10.10.20.118 (ns.out3.xxx.int.)
All tests passed on this DNS server
This is a valid DNS server.
Delegation to the domain out3.xxx.int. is operational

DNS server: 10.30.0.1 (ns.out2.xxx.int.)
All tests passed on this DNS server
This is a valid DNS server.
Delegation to the domain out2.xxx.int. is operational

Summary of DNS test results:

Auth Basc Forw Del Dyn RReg Ext
________________________________________________________________
Domain: xxx.int
office PASS PASS PASS FAIL WARN PASS n/a
contact PASS PASS PASS FAIL n/a PASS n/a

......................... xxx.int failed test DNS

[/more]


Добавлено:
ntfrs ds

[more]

NTFRS CONFIGURATION IN THE DS
SUBSTITUTE DCINFO FOR DC
FRS DomainControllerName: (null)
Computer Name : CONTACT
Computer DNS Name : contact.xxx.int

BINDING TO THE DS:
ldap_connect : contact.xxx.int
DsBind : contact.xxx.int

NAMING CONTEXTS:
SitesDn : CN=Sites,cn=configuration,dc=xxx,dc=int
ServicesDn : CN=Services,cn=configuration,dc=xxx,dc=int
DefaultNcDn: DC=xxx,DC=int
ComputersDn: CN=Computers,DC=xxx,DC=int
DomainCtlDn: OU=Domain Controllers,DC=xxx,DC=int
Fqdn : CN=CONTACT,OU=Domain Controllers,DC=xxx,DC=int
Searching : Fqdn

COMPUTER: CONTACT
DN : cn=contact,ou=domain controllers,dc=xxx,dc=int
Guid : 70571d7b-7f31-47dd-b615f34f34b52f4a
UAC : 0x00082000
Server BL : CN=CONTACT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
Settings : cn=ntds settings,cn=contact,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=xxx,dc=int
DNS Name : contact.xxx.int
WhenCreated : 12/10/2007 17:43:20 Russian Standard Time Russian Daylight Time [-180]
WhenChanged : 12/14/2007 15:56:11 Russian Standard Time Russian Daylight Time [-180]

SUBSCRIPTION: NTFRS SUBSCRIPTIONS
DN : cn=ntfrs subscriptions,cn=contact,ou=domain controllers,dc=xxx,dc=int
Guid : 1bf6250c-f8b4-48b5-80b98750dbb06e93
Working : c:\windows\ntfrs
Actual Working: c:\windows\ntfrs
WhenCreated : 12/10/2007 17:56:17 Russian Standard Time Russian Daylight Time [-180]
WhenChanged : 12/10/2007 17:56:17 Russian Standard Time Russian Daylight Time [-180]

SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
DN : cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn=contact,ou=domain controllers,dc=xxx,dc=int
Guid : 43eaa9fd-808f-41d0-b00dcb1d3fbd5305
Member Ref: CN=CONTACT,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=xxx,DC=int
Root : c:\windows\sysvol\domain
Stage : c:\windows\sysvol\staging\domain
WhenCreated : 12/10/2007 17:56:17 Russian Standard Time Russian Daylight Time [-180]
WhenChanged : 12/10/2007 17:56:17 Russian Standard Time Russian Daylight Time [-180]
Subscriber Member Back Links:
cn=contact,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=xxx,dc=int

SETTINGS: FILE REPLICATION SERVICE
DN : cn=file replication service,cn=system,dc=xxx,dc=int
Guid : dc5905bf-4c3c-4473-b6fe66d62e3615fb
WhenCreated : 6/4/2004 19:8:5 Russian Standard Time Russian Daylight Time [-180]
WhenChanged : 12/10/2007 17:51:49 Russian Standard Time Russian Daylight Time [-180]

SET: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
DN : cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=xxx,dc=int
Guid : 64721cf2-c61d-4d90-9e7712b9e495230d
Type : 2
Primary Member: (null)
File Filter : *.tmp, *.bak, ~*
Dir Filter : (null)
FRS Flags : (null)
WhenCreated : 6/4/2004 19:15:42 Russian Standard Time Russian Daylight Time [-180]
WhenChanged : 12/10/2007 17:52:11 Russian Standard Time Russian Daylight Time [-180]

MEMBER: OFFICE
DN : cn=office,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=xxx,dc=int
Guid : 3e6dcfe3-bd27-4123-9bc2ea0baa140a32
Server Ref : CN=NTDS Settings,CN=OFFICE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
Computer Ref : cn=office,ou=domain controllers,dc=xxx,dc=int
Cracked Domain : xxx.int
Cracked Name : 00000002 xxx\OFFICE$
Cracked Domain : xxx.int
Cracked Name : fffffff4 S-1-5-21-4224015703-2337520368-4057290139-4113
Computer's DNS : office.xxx.int
WhenCreated : 4/26/2006 13:45:30 Russian Standard Time Russian Daylight Time [-180]
WhenChanged : 12/10/2007 17:52:12 Russian Standard Time Russian Daylight Time [-180]

CXTION: EC155527-A663-4A21-9243-F8E145C05753
DN : cn=ec155527-a663-4a21-9243-f8e145c05753,cn=ntds settings,cn=office,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=xxx,dc=int
Guid : 3f515306-e540-461a-83f232c0def5aa56
Partner Dn : cn=ntds settings,cn=contact,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=xxx,dc=int
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 12/10/2007 17:56:38 Russian Standard Time Russian Daylight Time [-180]
WhenChanged : 12/10/2007 18:3:48 Russian Standard Time Russian Daylight Time [-180]
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

MEMBER: CONTACT
DN : cn=contact,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=xxx,dc=int
Guid : 8f9b0398-036e-4265-8a5026f950eb793e
Server Ref : CN=NTDS Settings,CN=CONTACT,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=xxx,DC=int
Computer Ref : cn=contact,ou=domain controllers,dc=xxx,dc=int
Cracked Domain : xxx.int
Cracked Name : 00000002 xxx\CONTACT$
Cracked Domain : xxx.int
Cracked Name : fffffff4 S-1-5-21-4224015703-2337520368-4057290139-1335
Computer's DNS : contact.xxx.int
WhenCreated : 12/10/2007 17:56:17 Russian Standard Time Russian Daylight Time [-180]
WhenChanged : 12/10/2007 17:56:17 Russian Standard Time Russian Daylight Time [-180]

CXTION: A706CC88-BA8E-4939-89ED-D098E2E6DECB
DN : cn=a706cc88-ba8e-4939-89ed-d098e2e6decb,cn=ntds settings,cn=contact,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=xxx,dc=int
Guid : 2e800843-ac62-45cb-a9cc9b197e6ebfee
Partner Dn : cn=ntds settings,cn=office,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=xxx,dc=int
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 12/10/2007 18:1:8 Russian Standard Time Russian Daylight Time [-180]
WhenChanged : 12/10/2007 18:1:8 Russian Standard Time Russian Daylight Time [-180]
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

[/more]


Добавлено:
ntfrs sets

[more]
ACTIVE REPLICA SETS
Replica: DOMAIN SYSTEM VOLUME (SYSVOL SHARE) (64721cf2-c61d-4d90-9e7712b9e495230d)
ComputerName : CONTACT
Member : CONTACT (8f9b0398-036e-4265-8a5026f950eb793e)
Name : DOMAIN SYSTEM VOLUME (SYSVOL SHARE) (8f9b0398-036e-4265-8a5026f950eb793e)
RootGuid : 74b0a20d-456d-4e08-88f4ef8465116568
OrigGuid : ccbde26e-f288-4ed0-b7a74e84250e0355
Reference : 2
CnfFlags : 00000029 Flags [Multimaster Seeding PrimaryUndefined ]
RepSetObjFlags: 00000000 Flags [<Flags Clear>]
SetType : 2
Consistent : 1
IsOpen : 1
IsJournaling : 1
IsAccepting : 0
IsSeeding : 0
NeedsUpdate : 0
ServiceState : 3 (ACTIVE)
FStatus : FrsErrorSuccess
Number : 1
Root : c:\windows\sysvol\domain
Stage : c:\windows\sysvol\staging\domain
Volume : \\.\C:
FileFilter : *.tmp, *.bak, ~*
DirFilter :
Expires : 00000000 00000000
InLogRetry : 0
InLogSeq : 0
ApiState : 0
ApiStatus : 0
ApiHack : 0
OutLogSeq : 1
OutLogJLx : 1
OutLogJTx : -1
OutLogMax : 0
OutLogMin : 1
OutLogState : 1
OutLogVV's : 0
OutLogClean : 0
PreinstallFID : 00050000 00002a74
InLogCommit : 00000000 02dad3a0
JrnlStart : 00000000 00000000
JrnlEnd : 00000000 02d524c0
LastUsn : 00000000 02dad3a0
Replica Version Vector
VvEntry: ccbde26e-f288-4ed0-b7a74e84250e0355 = 01c83f2c 9407758e
Outlog Version Vector
VvEntry: ccbde26e-f288-4ed0-b7a74e84250e0355 = 00000000 00000001

Cxtion: EC155527-A663-4A21-9243-F8E145C05753 (3f515306-e540-461a-83f232c0def5aa56)
Partner : OFFICE (3e6dcfe3-bd27-4123-9bc2ea0baa140a32)
PartDnsName : office.xxx.int
PartSrvName : xxx\OFFICE$
PartPrincName: xxx\OFFICE$
PartSid : S-1-5-21-4224015703-2337520368-4057290139-4113
OrigGuid : 00000000-0000-0000-0000000000000000
State : 1
Flags : 00000000 Flags [<Flags Clear>]
CxtionOptions: 00000000 Flags [<Flags Clear>]
Inbound : FALSE
JrnlCxtion : FALSE
PartnerAuth : 0
TermCoSn : 0
JoinCmd : 0x00000000
CoCount : 0
CommQueue : 0
CoPQ : 00000000
UnjoinTrigger: 0
UnjoinReset : 0
Comm Packets : 0
PartnerMajor : 0
PartnerMinor : 0
JoinGuid : 00000000-0000-0000-0000000000000000
LastJoinTime : Mon Jan 1, 1601 03:00:00
LastSndStatus: Error???
NoFailedSnds : 0
OutLog Partner
BytesSent : 0
OutLogPartner : FrsPrintType
Cxtion : EC155527-A663-4A21-9243-F8E145C05753
Partner : OFFICE
Flags : 00000000 Flags [<Flags Clear>]
State : OLP_UNJOINED
CoTx : 0
CoLx : 0
COLxRestart : 0
COLxVVJoinDone : 0
CoTxSave : 0
CoTslot : 1
OutstandingCos : 0
OutstandingQuota: 8
AckVersion :
Ack: |........---------------|
Ack: |_T______---------------|
Ack: | ---------------|

Cxtion: A706CC88-BA8E-4939-89ED-D098E2E6DECB (2e800843-ac62-45cb-a9cc9b197e6ebfee)
Partner : OFFICE (3e6dcfe3-bd27-4123-9bc2ea0baa140a32)
PartDnsName : office.xxx.int
PartSrvName : xxx\OFFICE$
PartPrincName: xxx\OFFICE$
PartSid : S-1-5-21-4224015703-2337520368-4057290139-4113
OrigGuid : 00000000-0000-0000-0000000000000000
State : 1
Flags : 40000000 Flags [InitSync ]
CxtionOptions: 00000000 Flags [<Flags Clear>]
Inbound : TRUE
JrnlCxtion : FALSE
PartnerAuth : 0
TermCoSn : 0
JoinCmd : 0x00000000
CoCount : 0
CommQueue : 0
CoPQ : 00000000
UnjoinTrigger: 0
UnjoinReset : 0
Comm Packets : 0
PartnerMajor : 0
PartnerMinor : 0
JoinGuid : 00000000-0000-0000-0000000000000000
LastJoinTime : Mon Jan 1, 1601 03:00:00
LastSndStatus: Error???
NoFailedSnds : 0

Cxtion: <Jrnl Cxtion> (418cf4c5-7050-416e-9029c527ed48b457)
Partner : <Jrnl Cxtion> (418cf4c5-7050-416e-9029c527ed48b457)
PartDnsName : <Jrnl Cxtion>
PartSrvName : <Jrnl Cxtion>
PartPrincName: <Jrnl Cxtion>
PartSid : <Jrnl Cxtion>
OrigGuid : 00000000-0000-0000-0000000000000000
State : 7
Flags : 000000c0 Flags [JoinGuidValid UnJoinGuidValid ]
CxtionOptions: 00000000 Flags [<Flags Clear>]
Inbound : TRUE
JrnlCxtion : TRUE
PartnerAuth : 1
TermCoSn : 0
JoinCmd : 0x00000000
CoCount : 0
CommQueue : 0
CoPQ : 00000000
UnjoinTrigger: 0
UnjoinReset : 0
Comm Packets : 0
PartnerMajor : 0
PartnerMinor : 0
JoinGuid : 72fef00a-e729-df80-51e4c1f3512cce87
LastJoinTime :

DELETED REPLICA SETS


[/more]

Gaidamak

Цитата:

Статью про rebuild читал еще в пятницу, пишут, черти, что это временное решение проблемы.

Временное решение, это что написано в самом конце статьи (How to temporarily stabilize the domain SYSVOL tree), а не временное - то что выше.

Мгм... то есть действия получается такие.

Останавливаю FRS на обоих контроллерах. Все содержимое SYSVOL на основном контроллере (охх...) убираю в произвольный фолдер в том же разделе. На дополнительном и вовсе грохаю нах.

Потом на основном контроллере выставляю burflags в D4, на дополнительном в D2.

Поднимаю FRS на обоих контроллерах и на основном запихиваю руками изначальное содержимое SYSVOL на прежнее место.

И после этого будет счастье.

Я все правильно понял? Что-то мое личное знакомство с билгейцем говорит о том, что после такого изнасилования и вправду все может грохнуться навсегда, и нужно затевать такую вивисекцию в субботу с предварительным бэкапом образов системных разделов...

Primary Member: (null)
Ну вот оно и вылезло. Исправляется ручками при помощи adsiedit, конкретно в свойствах cn=domain system volume (sysvol share) ищешь атрибут frsPrimaryMember и прописываешь значение CN=основной контроллер,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=xxx,DC=int
Потом по первой ссылке ipmanyak делаешь то, что связано с флагами d2 d4


Добавлено:

Цитата:

Что-то мое личное знакомство с билгейцем говорит о том, что после такого изнасилования и вправду все может грохнуться навсегда

Какое изнасилование, флагами ты инициируешь репликацию как бы с нуля, а содержимое sysvol сохраняешь для страховки, но я бы лучше бекап сделал этой папочки. На дополнительном эту папку грохать не стоит у нее точки соединения очень критичны.

Цитата:

конкретно в свойствах cn=domain system volume (sysvol share) ищешь атрибут frsPrimaryMember и прописываешь значение

А точный путь к этой ветке на подскажешь?

Цитата:

А точный путь к этой ветке на подскажешь?

Domain NC -> DC=xxx,DC=int -> CN=System -> CN=File Replication Service

Дальше по этой ветке:

CN=Domain System Volume (SYSVOL Share)

Под ним два CN на оба моих сервера с атрибутом nTFRSMember. Больше ничего нет. На втором сервере то же самое.

И что в таком случае делать? Менять атрибут у одной из записей? И как это сделать, если атрибут fRSPrimaryMember редактор вообще не показывает в списке валидных. Жуть...

Цитата:

Под ним два CN на оба моих сервера с атрибутом nTFRSMember. Больше ничего нет. На втором сервере то же самое.

И что в таком случае делать? Менять атрибут у одной из записей? И как это сделать, если атрибут fRSPrimaryMember редактор вообще не показывает в списке валидных. Жуть...

В свойствах самОй папки Domain System Volume (SYSVOL Share) этот атрибут находится.

Угу, большое спасибо за помощь, дальнейшие телодвижения продолжу завтра

Ухх... все поднялось. Гран респект cthsq и ipmaniak за дельные советы!

Gaidamak Расскажи по шагам что и как делал для потомков !

Краткое содержание:

1. В сети было два DC. Одному из них пришло время помирать по железу.
2. Поднял новый DC. Раскидал роли с помирающего DC.
3. Понизил старый DC. Убил на нем CA и поднял новый на другом сервере.
4. Вывел старый сервер из домена и выключил нах.
5. На новом сервере перестали шариться Sysvol и Netlogon
6. Долго курил разные мануалы. Потом выложил логи сюда.
7. Добрые люди поглядели в ntfrsutl ds и ткнули пальцем в отсутствующий в реплике
Primary Member, каковой за каким-то хреном встал в (null).
8. При помощи adsiedit прописал туда адрес сервера с правильным Sysvol.
9. На обоих серверах погасил Ntfrs.
10. Прописал в регистри в HKLM/SYSTEM/Current Control Set/Services/Ntfrs/Parameters/
"Backup/Restore"/Process at startup/Burflags значение D4 на сервере с правильным Sysvol и D2 на втором.
11. Поднял Ntfrs на первом, затем на втором. Все получилось.
12. Ура!!!

Говорю гигантское спасибо этому топику.

Извените за вторжение, но у меня похожая проблема(или мне так кажется).
Несколько раз пробывал второй DC AD, но помирали по железу, я их(DC) коректно убивал, но недавно выеснилось что записи остались и теперь основной сервак пытается постоянно провести репликацию с несуществующими серваками.
Вот чё пишет:

"
Тип события:    Предупреждение
Источник события:    NTDS KCC
Категория события:    Проверка согласованности знаний
Код события:    1925
Дата:        21.03.2009
Время:        2:10:19
Пользователь:        NT AUTHORITY\АНОНИМНЫЙ ВХОД
Компьютер:    ************
Описание:
Попытка установки связи репликации для следующего раздела каталога, доступного для изменения, завершилась ошибкой.

Раздел каталога:
DC=*****,DC=***
Исходный контроллер домена:
CN=NTDS Settings,CN=*******,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=*****,DC=***
Адрес исходного контроллера домена:
***********************************_msdcs.***********
Межсайтовый транспорт (если существует):


До устранения этой ошибки выполнение репликации между данным и исходным контроллерами домена будет невозможно.

Действие пользователя
Проверьте доступность исходного контроллера домена и работоспособность сетевого подключения.

Дополнительные данные
Значение ошибки:
8524 Операция DSA не смогла быть выполнена, т.к. произошла ошибка поиска в DNS.

"
Помогите от ентого избавится!!!

проблема то другая совсем. Вам нужно несуществующие контролерры домена удалить. И роли проверить что бы были на существующем все.
Видимо не совсем корректно убивали .

у меня похожая проблема, вот лог второго контроллера, смущают несколько записей со статусом null. Подскажите где именно в ADSIEDIT исправить.

Добавлено:
NTFRS CONFIGURATION IN THE DS
SUBSTITUTE DCINFO FOR DC
FRS DomainControllerName: (null)
Computer Name : NTSERVER2
Computer DNS Name : ntserver2.vector.smolensk.ru

BINDING TO THE DS:
ldap_connect : ntserver2.vector.smolensk.ru
DsBind : ntserver2.vector.smolensk.ru

NAMING CONTEXTS:
SitesDn : CN=Sites,cn=configuration,dc=vector,dc=smolensk,dc=ru
ServicesDn : CN=Services,cn=configuration,dc=vector,dc=smolensk,dc=ru
DefaultNcDn: DC=vector,DC=smolensk,DC=ru
ComputersDn: CN=Computers,DC=vector,DC=smolensk,DC=ru
DomainCtlDn: OU=Domain Controllers,DC=vector,DC=smolensk,DC=ru
Fqdn : CN=NTSERVER2,OU=Domain Controllers,DC=vector,DC=smolensk,DC=ru
Searching : Fqdn

COMPUTER: NTSERVER2
DN : cn=ntserver2,ou=domain controllers,dc=vector,dc=smolensk,dc=ru
Guid : ba512924-c509-4499-aa90081c54080762
UAC : 0x00082000
Server BL : CN=NTSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vector,DC=smolensk,DC=ru
Settings : cn=ntds settings,cn=ntserver2,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=vector,dc=smolensk,dc=ru
DNS Name : ntserver2.vector.smolensk.ru
WhenCreated : 2/12/2010 11:14:28 [-180]
WhenChanged : 5/12/2010 10:16:17 [-180]

SUBSCRIPTION: NTFRS SUBSCRIPTIONS
DN : cn=ntfrs subscriptions,cn=ntserver2,ou=domain controllers,dc=vector,dc=smolensk,dc=ru
Guid : 0b48684d-4423-47f0-a06cf9ea2d92aff3
Working : c:\windows\ntfrs
Actual Working: c:\windows\ntfrs
WhenCreated : 3/1/2010 13:2:15 [-180]
WhenChanged : 3/1/2010 13:2:15 [-180]

SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
DN : cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn=ntserver2,ou=domain controllers,dc=vector,dc=smolensk,dc=ru
Guid : 8f60bd10-561d-4a07-8b8233a141dc9fb4
Member Ref: CN=NTSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=vector,DC=smolensk,DC=ru
Root : c:\windows\sysvol\domain
Stage : c:\windows\sysvol\staging\domain
WhenCreated : 3/1/2010 13:2:15 [-180]
WhenChanged : 3/1/2010 13:2:15 [-180]
Subscriber Member Back Links:
cn=ntserver2,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=vector,dc=smolensk,dc=ru

SETTINGS: FILE REPLICATION SERVICE
DN : cn=file replication service,cn=system,dc=vector,dc=smolensk,dc=ru
Guid : 85d46be4-954b-4e1f-806643f285dc0515
WhenCreated : 1/4/2005 13:28:37 [-180]
WhenChanged : 3/1/2010 12:54:57 [-180]

SET: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
DN : cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=vector,dc=smolensk,dc=ru
Guid : d22a090b-4bde-471a-8230a15863b66896
Type : 2
Primary Member: CN=NTSERVER,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=vector,DC=smolensk,DC=ru
File Filter : *.tmp, *.bak, ~*
Dir Filter : (null)
FRS Flags : (null)
WhenCreated : 1/4/2005 13:33:43 [-180]
WhenChanged : 5/12/2010 13:3:31 [-180]

MEMBER: NTSERVER
DN : cn=ntserver,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=vector,dc=smolensk,dc=ru
Guid : 87045b26-ea57-44a0-b7d6537ace0215d6
Server Ref : CN=NTDS Settings,CN=NTSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vector,DC=smolensk,DC=ru
Computer Ref : cn=ntserver,ou=domain controllers,dc=vector,dc=smolensk,dc=ru
Cracked Domain : vector.smolensk.ru
Cracked Name : 00000002 VECTOR\NTSERVER$
Cracked Domain : vector.smolensk.ru
Cracked Name : fffffff4 S-1-5-21-57989841-630328440-682003330-2668
Computer's DNS : ntserver.vector.smolensk.ru
WhenCreated : 2/16/2007 9:17:11 [-180]
WhenChanged : 3/1/2010 12:56:49 [-180]

CXTION: B6C0E397-5CE8-4BF2-9152-AB0346BA0D52
DN : cn=b6c0e397-5ce8-4bf2-9152-ab0346ba0d52,cn=ntds settings,cn=ntserver,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=vector,dc=smolensk,dc=ru
Guid : 26a0610c-2fc9-4e21-89c386acfd7b3e90
Partner Dn : cn=ntds settings,cn=ntserver2,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=vector,dc=smolensk,dc=ru
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 3/1/2010 13:6:14 [-180]
WhenChanged : 5/12/2010 10:31:13 [-180]
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

MEMBER: NTSERVER2
DN : cn=ntserver2,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=vector,dc=smolensk,dc=ru
Guid : 7f3a5a16-f995-4f38-8e95e75987af2794
Server Ref : CN=NTDS Settings,CN=NTSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vector,DC=smolensk,DC=ru
Computer Ref : cn=ntserver2,ou=domain controllers,dc=vector,dc=smolensk,dc=ru
Cracked Domain : vector.smolensk.ru
Cracked Name : 00000002 VECTOR\NTSERVER2$
Cracked Domain : vector.smolensk.ru
Cracked Name : fffffff4 S-1-5-21-57989841-630328440-682003330-5386
Computer's DNS : ntserver2.vector.smolensk.ru
WhenCreated : 3/1/2010 13:2:15 [-180]
WhenChanged : 3/1/2010 13:2:15 [-180]

CXTION: D27FE3EC-1EBB-4298-8D5B-62ED63AB8D63
DN : cn=d27fe3ec-1ebb-4298-8d5b-62ed63ab8d63,cn=ntds settings,cn=ntserver2,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=vector,dc=smolensk,dc=ru
Guid : 418a3eb9-703b-4ee2-b9de23947235f942
Partner Dn : cn=ntds settings,cn=ntserver,cn=servers,cn=default-first-site-name,cn=sites,cn=configuration,dc=vector,dc=smolensk,dc=ru
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 3/1/2010 13:6:5 [-180]
WhenChanged : 3/3/2010 8:35:13 [-180]
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

неужели никто не подскажет???

kriker посты выше читали? покажите с тегом code результаты
dcdiag /v и netdiag /v

dcdiag

Код:
Domain Controller Diagnosis

Performing initial setup:
* Verifying that the local machine ntserver2, is a DC.
* Connecting to directory service on server ntserver2.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.

Doing initial required tests

Testing server: Default-First-Site-Name\NTSERVER2
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... NTSERVER2 passed test Connectivity

Doing primary tests

Testing server: Default-First-Site-Name\NTSERVER2
Starting test: Replications
* Replications Check
* Replication Latency Check
DC=ForestDnsZones,DC=vector,DC=smolensk,DC=ru
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=DomainDnsZones,DC=vector,DC=smolensk,DC=ru
Latency information for 2 entries in the vector were ignored.
2 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Schema,CN=Configuration,DC=vector,DC=smolensk,DC=ru
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
CN=Configuration,DC=vector,DC=smolensk,DC=ru
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
DC=vector,DC=smolensk,DC=ru
Latency information for 4 entries in the vector were ignored.
4 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC).
......................... NTSERVER2 passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC NTSERVER2.
* Security Permissions Check for
DC=ForestDnsZones,DC=vector,DC=smolensk,DC=ru
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=vector,DC=smolensk,DC=ru
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=vector,DC=smolensk,DC=ru
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=vector,DC=smolensk,DC=ru
(Configuration,Version 2)
* Security Permissions Check for
DC=vector,DC=smolensk,DC=ru
(Domain,Version 2)
......................... NTSERVER2 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\NTSERVER2\netlogon)
[NTSERVER2] An net use or LsaPolicy operation failed with error 1203, ЌЁ ®¤-  Ё§ б«г¦Ў ¤®бвгЇ  Є бҐвЁ -Ґ ᬮЈ«  ®Ўа Ў®в вм § ¤ --л© бҐвҐў®© Їгвм..
......................... NTSERVER2 failed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\ntserver.vector.smolensk.ru, when we were trying to reach NTSERVER2.
Server is not responding or is not considered suitable.
The DC NTSERVER2 is advertising itself as a DC and having a DS.
The DC NTSERVER2 is advertising as an LDAP server
The DC NTSERVER2 is advertising as having a writeable directory
The DC NTSERVER2 is advertising as a Key Distribution Center
The DC NTSERVER2 is advertising as a time server
The DS NTSERVER2 is advertising as a GC.
......................... NTSERVER2 failed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS Settings,CN=NTSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vector,DC=smolensk,DC=ru
Role Domain Owner = CN=NTDS Settings,CN=NTSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vector,DC=smolensk,DC=ru
Role PDC Owner = CN=NTDS Settings,CN=NTSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vector,DC=smolensk,DC=ru
Role Rid Owner = CN=NTDS Settings,CN=NTSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vector,DC=smolensk,DC=ru
Role Infrastructure Update Owner = CN=NTDS Settings,CN=NTSERVER,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vector,DC=smolensk,DC=ru
......................... NTSERVER2 passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 7130 to 1073741823
* ntserver.vector.smolensk.ru is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 6630 to 7129
* rIDPreviousAllocationPool is 6630 to 7129
* rIDNextRID: 6632
......................... NTSERVER2 passed test RidManager
Starting test: MachineAccount
Checking machine account for DC NTSERVER2 on DC NTSERVER2.
* SPN found :LDAP/ntserver2.vector.smolensk.ru/vector.smolensk.ru
* SPN found :LDAP/ntserver2.vector.smolensk.ru
* SPN found :LDAP/NTSERVER2
* SPN found :LDAP/ntserver2.vector.smolensk.ru/VECTOR
* SPN found :LDAP/b18e9417-5253-4706-934b-5375efaf16f7._msdcs.vector.smolensk.ru
* SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/b18e9417-5253-4706-934b-5375efaf16f7/vector.smolensk.ru
* SPN found :HOST/ntserver2.vector.smolensk.ru/vector.smolensk.ru
* SPN found :HOST/ntserver2.vector.smolensk.ru
* SPN found :HOST/NTSERVER2
* SPN found :HOST/ntserver2.vector.smolensk.ru/VECTOR
* SPN found :GC/ntserver2.vector.smolensk.ru/vector.smolensk.ru
......................... NTSERVER2 passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... NTSERVER2 passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
NTSERVER2 is in domain DC=vector,DC=smolensk,DC=ru
Checking for CN=NTSERVER2,OU=Domain Controllers,DC=vector,DC=smolensk,DC=ru in domain DC=vector,DC=smolensk,DC=ru on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS Settings,CN=NTSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vector,DC=smolensk,DC=ru in domain CN=Configuration,DC=vector,DC=smolensk,DC=ru on 1 servers
Object is up-to-date on all servers.
......................... NTSERVER2 passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
The registry lookup failed to determine the state of the SYSVOL. The

error returned was 0 (ЋЇҐа жЁп гбЇҐи-® § ўҐаиҐ- .). Check the FRS

event log to see if the SYSVOL has successfully been shared.
......................... NTSERVER2 passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the

SYSVOL has been shared. Failing SYSVOL replication problems may cause

Group Policy problems.
An Warning Event occured. EventID: 0x800034FD
Time Generated: 05/13/2010 20:15:56
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 05/13/2010 20:17:44
(Event String could not be retrieved)
An Warning Event occured. EventID: 0x800034C4
Time Generated: 05/13/2010 20:25:44
(Event String could not be retrieved)
......................... NTSERVER2 failed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15 minutes.
......................... NTSERVER2 passed test kccevent
Starting test: systemlog
* The System Event log test
An Error Event occured. EventID: 0x00000457
Time Generated: 05/13/2010 22:22:01
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 05/13/2010 22:22:01
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 05/13/2010 22:22:01
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 05/13/2010 22:22:01
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 05/13/2010 22:22:02
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 05/13/2010 22:22:02
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 05/13/2010 22:22:02
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 05/13/2010 22:22:02
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 05/13/2010 22:22:03
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 05/13/2010 22:22:03
(Event String could not be retrieved)
An Error Event occured. EventID: 0x00000457
Time Generated: 05/13/2010 22:22:03
(Event String could not be retrieved)
......................... NTSERVER2 failed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)

CN=NTSERVER2,OU=Domain Controllers,DC=vector,DC=smolensk,DC=ru and

backlink on

CN=NTSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vector,DC=smolensk,DC=ru

are correct.
The system object reference (frsComputerReferenceBL)

CN=NTSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=vector,DC=smolensk,DC=ru

and backlink on

CN=NTSERVER2,OU=Domain Controllers,DC=vector,DC=smolensk,DC=ru are

correct.
The system object reference (serverReferenceBL)

CN=NTSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=vector,DC=smolensk,DC=ru

and backlink on

CN=NTDS Settings,CN=NTSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=vector,DC=smolensk,DC=ru

are correct.
......................... NTSERVER2 passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError

Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom

Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom

Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom

Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom

Running partition tests on : vector
Starting test: CrossRefValidation
......................... vector passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... vector passed test CheckSDRefDom

Running enterprise tests on : vector.smolensk.ru
Starting test: Intersite
Skipping site Default-First-Site-Name, this site is outside the scope

provided by the command line arguments provided.
......................... vector.smolensk.ru passed test Intersite
Starting test: FsmoCheck
GC Name: \\ntserver.vector.smolensk.ru
Locator Flags: 0xe00003fd
PDC Name: \\ntserver.vector.smolensk.ru
Locator Flags: 0xe00003fd
Time Server Name: \\ntserver.vector.smolensk.ru
Locator Flags: 0xe00003fd
Preferred Time Server Name: \\ntserver.vector.smolensk.ru
Locator Flags: 0xe00003fd
KDC Name: \\ntserver.vector.smolensk.ru
Locator Flags: 0xe00003fd
......................... vector.smolensk.ru passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS

[more] [more] Господа, здравствуйте.
Сделал как написано здесь http://forum.ru-board.com/topic.cgi?forum=8&topic=25131&start=0
в ADSI запись реплицировалась и на другой сервер, флаги D4 и D2 после изменения на серверах выставились в 0, но вывод ntfsr ds всё равно пишет FRS DomainControllerName: (null)


NTFRS CONFIGURATION IN THE DS
SUBSTITUTE DCINFO FOR DC
FRS DomainControllerName: (null)
Computer Name : MSK-SRV17DC
Computer DNS Name : MSK-SRV17DC.MY_FIRM.com

BINDING TO THE DS:
ldap_connect : MSK-SRV17DC.MY_FIRM.com
DsBind : MSK-SRV17DC.MY_FIRM.com

NAMING CONTEXTS:
SitesDn : CN=Sites,cn=configuration,dc=MY_FIRM,dc=com
ServicesDn : CN=Services,cn=configuration,dc=MY_FIRM,dc=com
DefaultNcDn: DC=MY_FIRM,DC=com
ComputersDn: CN=Computers,DC=MY_FIRM,DC=com
DomainCtlDn: OU=Domain Controllers,DC=MY_FIRM,DC=com
Fqdn : CN=MSK-SRV17DC,OU=Domain Controllers,DC=MY_FIRM,DC=com
Searching : Fqdn

COMPUTER: MSK-SRV17DC
DN : cn=msk-srv17dc,ou=domain controllers,dc=MY_FIRM,dc=com
Guid : 1934be18-749d-427d-b81a4c410499c22c
UAC : 0x00082000
Server BL : CN=MSK-SRV17DC,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=MY_FIRM,DC=com
Settings : cn=ntds settings,cn=msk-srv17dc,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
DNS Name : MSK-SRV17DC.MY_FIRM.com
WhenCreated : 12/6/2013 10:58:0 RTZ 2 (
WhenChanged : 3/20/2016 19:56:18 RTZ 2 (

SUBSCRIPTION: NTFRS SUBSCRIPTIONS
DN : cn=ntfrs subscriptions,cn=msk-srv17dc,ou=domain controllers,dc=MY_FIRM,dc=com
Guid : 2bb37985-8b8a-40ad-8d35a75fd22eb05b
Working : c:\windows\ntfrs
Actual Working: c:\windows\ntfrs
WhenCreated : 12/8/2013 19:18:14 RTZ 2 (
WhenChanged : 12/8/2013 19:18:14 RTZ 2 (

SUBSCRIBER: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
DN : cn=domain system volume (sysvol share),cn=ntfrs subscriptions,cn=msk-srv17dc,ou=domain controllers,dc=MY_FIRM,dc=com
Guid : 527a8ade-cf54-4707-98c09e7776f40776
Member Ref: CN=MSK-SRV17DC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MY_FIRM,DC=com
Root : c:\windows\sysvol\domain
Stage : c:\windows\sysvol\staging\domain
WhenCreated : 12/8/2013 19:18:14 RTZ 2 (
WhenChanged : 12/8/2013 19:18:14 RTZ 2 (
Subscriber Member Back Links:
cn=msk-srv17dc,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=MY_FIRM,dc=com

SETTINGS: FILE REPLICATION SERVICE
DN : cn=file replication service,cn=system,dc=MY_FIRM,dc=com
Guid : 456995e2-cc92-4791-9f725c6a23992617
WhenCreated : 6/21/2007 16:0:7 RTZ 2 (
WhenChanged : 12/8/2013 19:14:1 RTZ 2 (

SET: DOMAIN SYSTEM VOLUME (SYSVOL SHARE)
DN : cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=MY_FIRM,dc=com
Guid : dc5fa9e5-352f-469b-b7c7dfc470bea746
Type : 2
Primary Member: CN=MSK-SRV17DC,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MY_FIRM,DC=com
File Filter : *.tmp, *.bak, ~*
Dir Filter : (null)
FRS Flags : (null)
WhenCreated : 6/21/2007 16:7:56 RTZ 2 (
WhenChanged : 3/22/2016 10:23:44 RTZ 2 (

MEMBER: DC
DN : cn=dc,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=MY_FIRM,dc=com
Guid : 8c70bb59-4162-4a69-85ee9c28a78229cb
Server Ref : CN=NTDS Settings,CN=DC,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=MY_FIRM,DC=com
Computer Ref : cn=dc,ou=domain controllers,dc=MY_FIRM,dc=com
Cracked Domain : MY_FIRM.com
Cracked Name : 00000002 MY_FIRM\DC$
Cracked Domain : MY_FIRM.com
Cracked Name : fffffff4 S-1-5-21-12947018-2755733833-2693536531-1005
Computer's DNS : dc.MY_FIRM.com
WhenCreated : 6/19/2015 19:11:55 RTZ 2 (
WhenChanged : 6/19/2015 19:27:0 RTZ 2 (

CXTION: 49EE8CA1-51A7-4E8F-99F9-9372831D3CBD
DN : cn=49ee8ca1-51a7-4e8f-99f9-9372831d3cbd,cn=ntds settings,cn=dc,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Guid : 7ef15d9d-d974-4291-812c6b11bcb789a9
Partner Dn : cn=ntds settings,cn=msk-srv17dc,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 6/19/2015 19:16:45 RTZ 2 (
WhenChanged : 7/3/2015 14:13:40 RTZ 2 (
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

CXTION: 5B057248-3F3F-4153-95A3-C79CA9826D69
DN : cn=5b057248-3f3f-4153-95a3-c79ca9826d69,cn=ntds settings,cn=dc,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Guid : 167706e2-a321-4037-b4fb4ac69cb1a248
Partner Dn : cn=ntds settings,cn=dc1,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 7/22/2015 5:13:52 RTZ 2 (
WhenChanged : 7/22/2015 5:14:10 RTZ 2 (
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

CXTION: 7BCDC1B0-8FC0-45B6-9AA4-361A172359A3
DN : cn=7bcdc1b0-8fc0-45b6-9aa4-361a172359a3,cn=ntds settings,cn=dc,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Guid : fedf985e-260d-4f0d-92c20816623e04b7
Partner Dn : cn=ntds settings\0adel:9cd3eff5-9154-4113-b66e-5782121e51fb,cn=tmg-spb,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Partner Rdn : NTDS SETTINGS\0ADEL:9CD3EFF5-9154-4113-B66E-5782121E51FB
Enabled : TRUE
WhenCreated : 6/19/2015 19:16:45 RTZ 2 (
WhenChanged : 7/22/2015 5:14:10 RTZ 2 (
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

MEMBER: DC1
DN : cn=dc1,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=MY_FIRM,dc=com
Guid : a69cb481-6d09-48ec-ac01311e83211504
Server Ref : CN=NTDS Settings,CN=DC1,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=MY_FIRM,DC=com
Computer Ref : cn=dc1,ou=domain controllers,dc=MY_FIRM,dc=com
Cracked Domain : MY_FIRM.com
Cracked Name : 00000002 MY_FIRM\DC1$
Cracked Domain : MY_FIRM.com
Cracked Name : fffffff4 S-1-5-21-12947018-2755733833-2693536531-12655
Computer's DNS : DC1.MY_FIRM.com
WhenCreated : 2/16/2014 16:56:58 RTZ 2 (
WhenChanged : 2/17/2014 18:13:13 RTZ 2 (

CXTION: 35EF0574-4920-4DEC-A1E7-090A4E6D8B48
DN : cn=35ef0574-4920-4dec-a1e7-090a4e6d8b48,cn=ntds settings,cn=dc1,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Guid : 33766c55-ad35-46fe-b85a35e31cda9b2d
Partner Dn : cn=ntds settings,cn=msk-srv17dc,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 2/16/2014 17:1:46 RTZ 2 (
WhenChanged : 12/4/2015 11:20:52 RTZ 2 (
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

CXTION: 86ACD6AA-6D4C-4EE1-B52A-46E07F64CB42
DN : cn=86acd6aa-6d4c-4ee1-b52a-46e07f64cb42,cn=ntds settings,cn=dc1,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Guid : 82923249-a0f3-431c-8eedd00081e7d61c
Partner Dn : cn=ntds settings,cn=dc,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 6/19/2015 19:12:40 RTZ 2 (
WhenChanged : 7/29/2015 9:54:44 RTZ 2 (
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

MEMBER: EKB-SRV01DC
DN : cn=ekb-srv01dc,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=MY_FIRM,dc=com
Guid : 3b0f635c-4b57-42e2-8dd48d0d46c284b2
Server Ref : (null)
Computer Ref : (null)
WhenCreated : 4/1/2010 12:51:16 RTZ 2 (
WhenChanged : 12/8/2013 19:14:17 RTZ 2 (
WARN - EKB-SRV01DC lacks a settings reference

MEMBER: ML-SRV02DC
DN : cn=ml-srv02dc,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=MY_FIRM,dc=com
Guid : 432494ee-95ee-4334-987e4608f102690f
Server Ref : (null)
Computer Ref : (null)
WhenCreated : 4/4/2011 10:17:0 RTZ 2 (
WhenChanged : 12/8/2013 19:14:17 RTZ 2 (
WARN - ML-SRV02DC lacks a settings reference

MEMBER: MSK-SRV17DC
DN : cn=msk-srv17dc,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=MY_FIRM,dc=com
Guid : 331939c7-d645-42de-bef2c77b883b51e3
Server Ref : CN=NTDS Settings,CN=MSK-SRV17DC,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=MY_FIRM,DC=com
Computer Ref : cn=msk-srv17dc,ou=domain controllers,dc=MY_FIRM,dc=com
Cracked Domain : MY_FIRM.com
Cracked Name : 00000002 MY_FIRM\MSK-SRV17DC$
Cracked Domain : MY_FIRM.com
Cracked Name : fffffff4 S-1-5-21-12947018-2755733833-2693536531-12625
Computer's DNS : MSK-SRV17DC.MY_FIRM.com
WhenCreated : 12/8/2013 19:18:14 RTZ 2 (
WhenChanged : 12/8/2013 19:18:14 RTZ 2 (

CXTION: 058849D9-519A-40C6-B8BD-1F6B61BC2EC0
DN : cn=058849d9-519a-40c6-b8bd-1f6b61bc2ec0,cn=ntds settings,cn=msk-srv17dc,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Guid : 7c11dcbd-f913-49de-81287ff3c1cb6187
Partner Dn : cn=ntds settings,cn=dc,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 6/19/2015 19:11:57 RTZ 2 (
WhenChanged : 7/29/2015 9:57:52 RTZ 2 (
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

CXTION: B01ACF1E-7BFA-43BF-87FB-4B0FC84699CF
DN : cn=b01acf1e-7bfa-43bf-87fb-4b0fc84699cf,cn=ntds settings,cn=msk-srv17dc,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Guid : eb6b6206-9085-402f-9f17cdbc669e9b79
Partner Dn : cn=ntds settings,cn=dc1,cn=servers,cn=default-first-site,cn=sites,cn=configuration,dc=MY_FIRM,dc=com
Partner Rdn : NTDS SETTINGS
Enabled : TRUE
WhenCreated : 2/16/2014 16:57:41 RTZ 2 (
WhenChanged : 10/15/2015 9:1:33 RTZ 2 (
Options : 0x00000001 [AutoGenCxtion ]
Schedule
Day 1: 111111111111111111111111
Day 2: 111111111111111111111111
Day 3: 111111111111111111111111
Day 4: 111111111111111111111111
Day 5: 111111111111111111111111
Day 6: 111111111111111111111111
Day 7: 111111111111111111111111

MEMBER: SPB-SRV12TS
DN : cn=spb-srv12ts,cn=domain system volume (sysvol share),cn=file replication service,cn=system,dc=MY_FIRM,dc=com
Guid : deb6e64b-f3b9-4e4e-b34d83ca420b7d76
Server Ref : (null)
Computer Ref : (null)
WhenCreated : 1/13/2013 19:27:28 RTZ 2 (
WhenChanged : 12/8/2013 19:14:17 RTZ 2 (
WARN - SPB-SRV12TS lacks a settings reference
[/more]

Добавлено:
[more] В общем, получил следующее:

хотя сейчас ntfrsutl ds выдаёт FRS DomainControllerName: (null) , а в ADSI параметр fRSPrimaryMember установлен как надо, а не null. На 2й DC данная настройка реплицировалась и в реестре HKLM/SYSTEM/Current Control Set/Services/Ntfrs/Parameters/
"Backup/Restore"/Process at startup/Burflags флаги сбросились на 0. Возможно, это связано с тем, что я не перезагружал сервак.

+ Из ДНС я вычистил все лишние записи DC в моих зонах и зонах обратного просмотра.

По сути, на данный момент, мне эти советы помогли - политики применяются и реплицируются между КД.
Единственная проблема осталась с оснастка домены и службы https://yadi.sk/i/-wp4MKBFqMTqd . Может знает кто почему так?
Накидаю сюда ссылок, мало ли кому поможет.

http://forum.oszone.net/thread-312712-2.html
http://sysadmins.ru/post13315112.html#13315112
http://winitpro.ru/index.php/2011/04/08/udalyaem-neispravnyj-kontroller-domena-pri-pomoshhi-utility-ntdsutil/
https://social.technet.microsoft.com/Forums/ru-RU/cbd7580a-0198-48e3-b81f-cfa7d35ec3f3/-sysvol-share?forum=ws2008r2ru
https://social.technet.microsoft.com/Forums/ru-RU/dce976e7-3a49-4e70-bf0a-3f50222eec8f/-ad?forum=WS8ru
https://support.microsoft.com/en-us/kb/312862
[/more]