So I have been banging my head against a wall trying to figure out why I have been getting these crazy errors in dcDiag. From all that I can tell, replication is working as expected, yet I am getting errors that are mostly undocumented and difficult to find any real information on.
Starting test: VerifyReplicas
For the partition
(DC=ForestDnsZones,DC=Domain,DC=COM) we encountered
the following error retrieving the cross-ref's
(CN=78c43cf5-2740-4337-a139-341965555f1,CN=Partitions,CN=Configuration,DC=Domain,DC=COM)
information:
LDAP Error 0x52b (1323).
……………………. DC-02 failed test VerifyReplicas
Starting test: VerifyEnterpriseReferences
Can't determine the age of the cross-ref
CN=78c43cf5-2740-4337-a139-341965555f1,CN=Partitions,CN=Configuration,DC=Domain,DC=COM
for the partition DC=ForestDnsZones,DC=Domain,DC=COM, so
following errors relating to this cross-ref/partition may disappear
after replication coalesces. Please ensure that replication is
working from the Domain Naming FSMO to this DC, and retry this test to
see if errors continue.
Can't determine the age of the cross-ref
……………………. DC-02 failed test VerifyEnterpriseReferences
Starting test: CutoffServers
* Configuration Topology Aliveness Check
* Analyzing the alive system replication topology for DC=ForestDnsZones,DC=Domain,DC=COM.
* Performing upstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
* Performing downstream (of target) analysis.
DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
……………………. DC-02 passed test CutoffServers
I went through and verified I was in the Domain Admins group, and I verified that the Domain Admins security group had full permissions to the objects in error. I did extensive research on the internet in a number of different Bing searches to try and come up with even a hint as to what the problem was. Still nothing. I posed the question to DS MVP colleagues, and the one thing Jorge pointed out was that this was some type of password issue related to the 0x52b error. I had run across something on the internet as well related to passwords, which had been why I checked into the permissions on the objects.
Finally a thought crossed my mind… I was using a trusted administrator user account from a User Forest, so out of desperation I logged on as a local admin. BAM!!!!!! All the errors went away. So the password error was probably somehow related, but I couldn't explain why…
Long story short – When running dcDiag, always use a domain local admin account.
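An added example, not part of the original post: a small triage script for saved dcdiag output that lists tests reported as passed even though error lines were logged inside them (as CutoffServers does above) and tests that logged LDAP error 0x52b, the code this post traced to the logon account. The sample text is constructed from the output quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample: abridged from the dcdiag output quoted in this post.
SAMPLE = """\
Starting test: VerifyReplicas
   LDAP Error 0x52b (1323).
......................... DC-02 failed test VerifyReplicas
Starting test: CutoffServers
   DsReplicaSyncAllW failed with error The naming context specified for this replication operation is invalid..
......................... DC-02 passed test CutoffServers
"""

START = re.compile(r"Starting test:\s*(\S+)")
RESULT = re.compile(r"(\S+) (passed|failed) test (\S+)")
LDAP_ERR = re.compile(r"LDAP Error (0x[0-9a-fA-F]+) \((\d+)\)")
API_FAIL = re.compile(r"(\w+) failed with error (.+?)\.*$")


def triage(text):
    """Map each test name to its verdict plus every error line inside it."""
    tests, current = {}, None
    for line in text.splitlines():
        if m := START.search(line):
            current = tests.setdefault(m.group(1), {"result": None, "errors": []})
        elif m := RESULT.search(line):
            tests.setdefault(m.group(3), {"result": None, "errors": []})["result"] = m.group(2)
            current = None
        elif current is not None:
            if m := LDAP_ERR.search(line):
                current["errors"].append(("LDAP", int(m.group(1), 16)))
            elif m := API_FAIL.search(line):
                current["errors"].append((m.group(1), m.group(2)))
    return tests


def passed_with_errors(tests):
    """Tests whose verdict is 'passed' although error lines were logged."""
    return [n for n, t in tests.items() if t["result"] == "passed" and t["errors"]]


def credential_suspects(tests):
    """Tests that logged LDAP error 0x52b, which this post traced to the logon account."""
    return [n for n, t in tests.items() if ("LDAP", 0x52B) in t["errors"]]


if __name__ == "__main__":
    report = triage(SAMPLE)
    print("passed with errors:", passed_with_errors(report))
    print("re-run under a local domain account:", credential_suspects(report))
```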
Greetings! Very helpful advice on this article! It is the little changes that make the biggest changes. Thanks a lot for sharing!