I ran a c:\dcdiag /v /c /e test (/v = verbose, /c = comprehensive, /e = every DC) on all of my (currently) 5 Domain Controllers, and received this summary of results at the end:
                 Auth Basc Forw Del  Dyn  RReg Ext
_________________________________________________________________
Domain: mydomain.com
   dc-serv-1     PASS PASS PASS PASS PASS PASS n/a
   dc-serv-2     PASS PASS PASS PASS PASS PASS n/a
   dc-serv-3     PASS PASS PASS PASS PASS PASS n/a
   dc-serv-4     PASS PASS PASS PASS PASS PASS n/a
   dc-serv-5     PASS PASS PASS PASS PASS PASS n/a
So, that’s a good thing, obviously. But when I read through the results in detail, I found that every server, except the server from which the test was run, was failing three tests:
Starting test: DFSREvent
The event log DFS Replication on server
dc-serv-2.mydomain.com could not be queried, error 0x6ba
"The RPC server is unavailable."
......................... dc-serv-2 failed test DFSREvent
Starting test: KccEvent
The event log Directory Service on server
dc-serv-2.mydomain.com could not be queried, error 0x6ba
"The RPC server is unavailable."
......................... dc-serv-2 failed test KccEvent
Starting test: SystemLog
The event log System on server dc-serv-2.mydomain.com could not
be queried, error 0x6ba "The RPC server is unavailable."
......................... dc-serv-2 failed test SystemLog
If I ran the test from dc-serv-1, then dc-serv-1 (the local server) would pass everything, but dc-serv-2 through -5 would fail those same three tests, and pass everything else.
I found this support page https://support.microsoft.com/en-us/kb/2512643 which seems to indicate that this is normal for Windows Server 2008+. I am running Windows Server 2012 R2 on all DCs.
The support page says that the cause is a firewall issue, which makes sense since the local server passes without issues. The support page says that I can just ignore these errors (which also makes sense considering the final status is listed as PASS) or I can open the firewall to allow the logs to be read.
Are there any advantages/disadvantages to fixing these errors by opening the firewall?
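
An added example, not part of the original post: a small triage script that separates the three event-log tests that failed only because the remote log could not be read (error 0x6ba) from failures that report an actual problem. The sample text is constructed in the shape of the output quoted above; the `Replications` failure and the `triage` function name are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the dcdiag /v output quoted in the post.
SAMPLE = """\
      Starting test: DFSREvent
         The event log DFS Replication on server
         dc-serv-2.mydomain.com could not be queried, error 0x6ba
         "The RPC server is unavailable."
         ......................... dc-serv-2 failed test DFSREvent
      Starting test: SystemLog
         The event log System on server dc-serv-2.mydomain.com could not
         be queried, error 0x6ba "The RPC server is unavailable."
         ......................... dc-serv-2 failed test SystemLog
      Starting test: Replications
         (constructed) replication failure text
         ......................... dc-serv-3 failed test Replications
      Starting test: Services
         ......................... dc-serv-2 passed test Services
"""

EVENT_LOG_TESTS = {"DFSREvent", "KccEvent", "SystemLog"}
START = re.compile(r"Starting test:\s*(\S+)")
RESULT = re.compile(r"\.{5,}\s*(\S+)\s+(passed|failed)\s+test\s+(\S+)")
# \s+ after "not" tolerates the line wrap seen in the SystemLog message.
UNREADABLE = re.compile(r"could not\s+be queried, error 0x6ba", re.I)

def triage(text):
    """Return {server: {"log_unreadable": [...], "real_failure": [...]}}."""
    out = defaultdict(lambda: {"log_unreadable": [], "real_failure": []})
    body = []  # message lines collected since the last "Starting test"
    for line in text.splitlines():
        if START.search(line):
            body = []
            continue
        m = RESULT.search(line)
        if not m:
            body.append(line.strip())
            continue
        server, verdict, test = m.groups()
        if verdict == "failed":
            # log_unreadable: dcdiag never saw the remote log, so no events
            # on that DC were checked. A visibility gap, not a health finding.
            blind = test in EVENT_LOG_TESTS and UNREADABLE.search(" ".join(body))
            out[server]["log_unreadable" if blind else "real_failure"].append(test)
        body = []
    return dict(out)
```

Anything listed under `real_failure` needs attention whatever the firewall decision is; entries under `log_unreadable` show which DCs a centrally run dcdiag cannot inspect until their event logs are readable remotely.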