DCDiag error after upgrading to DFS-R

After switching a domain from FRS to DFS-R for SYSVOL replication you may see the following error from dcdiag.exe:

      Starting test: VerifyReferences
         Some objects relating to the DC LONDON have problems:
            [1] Problem: Missing Expected Value
             Base Object:
            CN=LONDON,OU=UK,OU=Domain Controllers,DC=nwtraders,DC=msft
             Base Object Description: "DC Account Object"
             Value Object Attribute Name: frsComputerReferenceBL
             Value Object Description: "SYSVOL FRS Member Object"
             Recommended Action: See Knowledge Base Article: Q312862
         ......................... LONDON failed test VerifyReferences

DFS-R replication of the SYSVOL replication group is otherwise healthy.

This error is caused by flawed logic in dcdiag.exe that only shows up when the domain controller computer objects have been moved out of the default “Domain Controllers” OU (in the output above LONDON sits in OU=UK beneath it). If you move the domain controllers back to the default “Domain Controllers” OU the error disappears. Leaving them where they are is unlikely to cause any problem other than this dcdiag.exe failure.

Microsoft plan to fix this in Windows Server 2012.
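The check I would run before deciding to ignore this, as an added example that is not from the original post: it lists every DC whose computer object is not a direct child of the default Domain Controllers OU, shows whether the FRS back-link dcdiag is looking for (and its DFS-R counterpart) is populated, and confirms the global DFSR migration state. It assumes the RSAT ActiveDirectory module and must be run on a DC (dfsrmig.exe queries the PDC emulator); the DN regex assumes no escaped commas in DC names.

```powershell
# Added example, not part of the original post. Assumes RSAT ActiveDirectory
# module and that it runs on a domain controller.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$defaultOU = $domain.DomainControllersContainer   # e.g. OU=Domain Controllers,DC=nwtraders,DC=msft

# Global SYSVOL migration state. 'Eliminated' means FRS is gone for good,
# so an empty frsComputerReferenceBL on the DC account is expected.
dfsrmig /getglobalstate

foreach ($dc in Get-ADDomainController -Filter *) {
    $dn     = $dc.ComputerObjectDN
    # Parent container = DN with the leading RDN ("CN=LONDON,") stripped.
    # Assumes no escaped commas in the CN.
    $parent = $dn -replace '^CN=[^,]+,', ''

    # frsComputerReferenceBL is the FRS back-link VerifyReferences expects;
    # msDFSR-ComputerReferenceBL is the DFS-R equivalent set by the migration.
    $obj = Get-ADObject -Identity $dn -Properties frsComputerReferenceBL, 'msDFSR-ComputerReferenceBL'

    [pscustomobject]@{
        DC                 = $dc.HostName
        Container          = $parent
        MovedFromDefaultOU = ($parent -ne $defaultOU)
        FrsBackLink        = [bool]$obj.frsComputerReferenceBL
        DfsrBackLink       = [bool]$obj.'msDFSR-ComputerReferenceBL'
    }
}

# Reproduce only the failing test against one DC (name taken from the output above):
# dcdiag.exe /test:VerifyReferences /s:LONDON
```

A DC that reports MovedFromDefaultOU = True, FrsBackLink = False and DfsrBackLink = True, with the global state Eliminated, is exactly the benign case the post describes. If DfsrBackLink is also False, or the global state is not Eliminated, the migration itself needs looking at before dcdiag's complaint is written off.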

Replication errors after adding a 2008 R2 DC

I was recently working on adding some 2008 R2 DCs to a 2003-only AD environment as part of a wider plan to upgrade them all in the next 12 months or so. As soon as I added the first DC I noticed something was up: replication wasn’t working. The Event log on the new 2008 R2 DC was filled with Event ID 1645:

Active Directory Domain Services did not perform an authenticated remote procedure call (RPC) to another directory server because the desired service principal name (SPN) for the destination directory server is not registered on the Key Distribution Center (KDC) domain controller that resolves the SPN.

Destination directory server:




User Action

Verify that the names of the destination directory server and domain are correct. Also, verify that the SPN is registered on the KDC domain controller. If the destination directory server has been recently promoted, it will be necessary for the local directory server’s account data to replicate to the KDC before this directory server can be authenticated.
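The event’s “User Action” asks you to verify that the destination DC’s SPN is registered on the KDC that answered. The following is an added example, not code from the original post, that does that check: for every DC it builds the expected AD replication SPN (the DRS interface GUID E3514235-4B06-11D1-AB04-00C04FC2DCD2, the objectGUID of the DC’s NTDS Settings object, and the domain DNS name) and asks one specific DC, acting as the KDC, whether that SPN is present on the computer object. It assumes the RSAT ActiveDirectory module; the KDC name DC01.nwtraders.msft is a placeholder to replace with the DC that is actually resolving the SPN.

```powershell
# Added example, not part of the original post. Assumes RSAT ActiveDirectory
# module. $Kdc is a hypothetical name: point it at the DC that answered the
# Kerberos request (on a mixed 2003/2008 R2 domain, typically a 2003 DC).
Import-Module ActiveDirectory

$Kdc       = 'DC01.nwtraders.msft'
$drsGuid   = 'E3514235-4B06-11D1-AB04-00C04FC2DCD2'   # DRS RPC interface GUID used in the replication SPN
$dnsDomain = (Get-ADDomain -Server $Kdc).DNSRoot

# Every query uses -Server $Kdc so we see the KDC's copy of the directory,
# not the new DC's own (possibly not yet replicated) copy.
foreach ($dc in Get-ADDomainController -Filter * -Server $Kdc) {
    # Second SPN component is the objectGUID of CN=NTDS Settings under the server object.
    $ntds     = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID -Server $Kdc
    $expected = "$drsGuid/$($ntds.ObjectGUID)/$dnsDomain"

    $comp = Get-ADObject -Identity $dc.ComputerObjectDN -Properties servicePrincipalName -Server $Kdc

    [pscustomobject]@{
        DC              = $dc.HostName
        ExpectedSPN     = $expected
        RegisteredOnKdc = ($comp.servicePrincipalName -contains $expected)
    }
}

# Cross-check from the command line:
#   setspn -L <NewDCName>            (SPNs as seen by the DC you are bound to)
#   repadmin /showrepl <NewDCName>   (per-partner replication status)
```

A newly promoted DC will show RegisteredOnKdc = False on a KDC that has not yet received its account data, which matches the event’s last sentence; once replication of the new account reaches that DC the value flips to True. If it stays False after replication has had time to converge, the SPN is genuinely missing and needs to be investigated on the computer object itself.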

