Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   * Verifying that the local machine PrimaryDC, is a Directory Server.
   Home Server = PrimaryDC
   * Connecting to directory service on server PrimaryDC.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=AdditionalDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=ReadOnlyDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   Server is an RODC
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 3 of them.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\AdditionalDC
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         The clock difference between the home server PrimaryDC and target server AdditionalDC is greater than one minute. This may cause Kerberos authentication failures. Please check that the time service is working properly. You may need to resynchonize the time between these servers.
         ......................... AdditionalDC passed test Connectivity

   Testing server: Default-First-Site-Name\ReadOnlyDC
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... ReadOnlyDC passed test Connectivity

   Testing server: Default-First-Site-Name\PrimaryDC
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... PrimaryDC passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\AdditionalDC
      Starting test: Advertising
         The DC AdditionalDC is advertising itself as a DC and having a DS.
         The DC AdditionalDC is advertising as an LDAP server
         The DC AdditionalDC is advertising as having a writeable directory
         The DC AdditionalDC is advertising as a Key Distribution Center
         Warning: AdditionalDC is not advertising as a time server.
         ......................... AdditionalDC failed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.
         ......................... AdditionalDC passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.
         Failing SYSVOL replication problems may cause Group Policy problems.
         A warning event occurred. EventID: 0x80001396
            Time Generated: 07/03/2021 07:59:49
            Event String:
            The DFS Replication service is stopping communication with partner PrimaryDC for replication group Domain System Volume due to an error. The service will retry the connection periodically.
            Additional Information:
            Error: 9036 (Paused for backup or restore)
            Connection ID: B66AFA87-C776-48FE-8759-F9D043318AB3
            Replication Group ID: 331CF903-BD01-4D01-84EE-1D67801586E5
         A warning event occurred. EventID: 0x80001396
            Time Generated: 07/03/2021 10:20:47
            Event String:
            The DFS Replication service is stopping communication with partner PrimaryDC for replication group Domain System Volume due to an error. The service will retry the connection periodically.
            Additional Information:
            Error: 1723 (The RPC server is too busy to complete this operation.)
            Connection ID: B66AFA87-C776-48FE-8759-F9D043318AB3
            Replication Group ID: 331CF903-BD01-4D01-84EE-1D67801586E5
         An error event occurred. EventID: 0xC000138A
            Time Generated: 07/03/2021 10:21:41
            Event String:
            The DFS Replication service encountered an error communicating with partner PrimaryDC for replication group Domain System Volume.
            Partner DNS address: PrimaryDC.domain.com
            Optional data if available:
            Partner WINS Address: PrimaryDC
            Partner IP Address: 192.168.50.3
            The service will retry the connection periodically.
            Additional Information:
            Error: 1753 (There are no more endpoints available from the endpoint mapper.)
            Connection ID: B66AFA87-C776-48FE-8759-F9D043318AB3
            Replication Group ID: 331CF903-BD01-4D01-84EE-1D67801586E5
         An error event occurred. EventID: 0xC000138A
            Time Generated: 07/03/2021 10:25:30
            Event String:
            The DFS Replication service encountered an error communicating with partner PrimaryDC for replication group Domain System Volume.
            Partner DNS address: PrimaryDC.domain.com
            Optional data if available:
            Partner WINS Address: PrimaryDC
            Partner IP Address: 192.168.50.3
            The service will retry the connection periodically.
            Additional Information:
            Error: 1753 (There are no more endpoints available from the endpoint mapper.)
            Connection ID: B66AFA87-C776-48FE-8759-F9D043318AB3
            Replication Group ID: 331CF903-BD01-4D01-84EE-1D67801586E5
         ......................... AdditionalDC failed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... AdditionalDC passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         A warning event occurred. EventID: 0x80000B46
            Time Generated: 07/03/2021 10:24:55
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
            Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.
            For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
            You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
         A warning event occurred. EventID: 0x80000BE1
            Time Generated: 07/03/2021 10:24:55
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to enforce validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding Tokens will improve the security of this server.
            For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... AdditionalDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
         ......................... AdditionalDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC AdditionalDC on DC AdditionalDC.
         * SPN found :LDAP/AdditionalDC.domain.com/domain.com
         * SPN found :LDAP/AdditionalDC.domain.com
         * SPN found :LDAP/AdditionalDC
         * SPN found :LDAP/AdditionalDC.domain.com/domain
         * SPN found :LDAP/efed48a9-ce26-4880-84ce-58e731ae20c3._msdcs.domain.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/efed48a9-ce26-4880-84ce-58e731ae20c3/domain.com
         * SPN found :HOST/AdditionalDC.domain.com/domain.com
         * SPN found :HOST/AdditionalDC.domain.com
         * SPN found :HOST/AdditionalDC
         * SPN found :HOST/AdditionalDC.domain.com/domain
         * SPN found :GC/AdditionalDC.domain.com/domain.com
         ......................... AdditionalDC passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC AdditionalDC.
         * Security Permissions Check for DC=ForestDnsZones,DC=domain,DC=com (NDNC,Version 3)
         * Security Permissions Check for DC=DomainDnsZones,DC=domain,DC=com (NDNC,Version 3)
         * Security Permissions Check for CN=Schema,CN=Configuration,DC=domain,DC=com (Schema,Version 3)
         * Security Permissions Check for CN=Configuration,DC=domain,DC=com (Configuration,Version 3)
         * Security Permissions Check for DC=domain,DC=com (Domain,Version 3)
         ......................... AdditionalDC passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\AdditionalDC\netlogon
         Verified share \\AdditionalDC\sysvol
         ......................... AdditionalDC passed test NetLogons
      Starting test: ObjectsReplicated
         AdditionalDC is in domain DC=domain,DC=com
         Checking for CN=AdditionalDC,OU=Domain Controllers,DC=domain,DC=com in domain DC=domain,DC=com on 3 servers
            Authoritative attribute userCertificate on ReadOnlyDC (writeable)
               usnLocalChange = 580300
               LastOriginatingDsa = 11cad932-9841-49d1-8a32-25e0161e6497
               usnOriginatingChange = 7524672
               timeLastOriginatingChange = 2020-12-08 09:44:47
               VersionLastOriginatingChange = 3
            Out-of-date attribute userCertificate on AdditionalDC (writeable)
               usnLocalChange = 5648972
               LastOriginatingDsa = ff75dc1b-b962-4b60-b3bc-f5258cffe7c5
               usnOriginatingChange = 5648972
               timeLastOriginatingChange = 2020-04-28 12:37:58
               VersionLastOriginatingChange = 1
            Out-of-date attribute userCertificate on PrimaryDC (writeable)
               usnLocalChange = 8476
               LastOriginatingDsa = ff75dc1b-b962-4b60-b3bc-f5258cffe7c5
               usnOriginatingChange = 5648972
               timeLastOriginatingChange = 2020-04-28 12:37:58
               VersionLastOriginatingChange = 1
         Checking for CN=NTDS Settings,CN=AdditionalDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com in domain CN=Configuration,DC=domain,DC=com on 3 servers
            Object is up-to-date on all servers.
         ......................... AdditionalDC failed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=domain,DC=com
               Latency information for 19 entries in the vector were ignored.
                  19 were retired Invocations.
                  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.
                  0 had no latency information (Win2K DC).
            DC=DomainDnsZones,DC=domain,DC=com
               Latency information for 19 entries in the vector were ignored.
                  19 were retired Invocations.
                  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.
                  0 had no latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=domain,DC=com
               Latency information for 19 entries in the vector were ignored.
                  19 were retired Invocations.
                  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.
                  0 had no latency information (Win2K DC).
            CN=Configuration,DC=domain,DC=com
               Latency information for 20 entries in the vector were ignored.
                  20 were retired Invocations.
                  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.
                  0 had no latency information (Win2K DC).
            DC=domain,DC=com
               Latency information for 19 entries in the vector were ignored.
                  19 were retired Invocations.
                  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.
                  0 had no latency information (Win2K DC).
         ......................... AdditionalDC passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 43103 to 1073741823
         * PrimaryDC.domain.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 32103 to 32602
         * rIDPreviousAllocationPool is 32103 to 32602
         * rIDNextRID: 32111
         ......................... AdditionalDC passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... AdditionalDC passed test Services
         An error event occurred. EventID: 0x0000272C
            Time Generated: 07/03/2021 10:06:05
            Event String:
            DCOM was unable to communicate with the computer SkypeSRV.domain.com using any of the configured protocols; requested by PID 1d00 (C:\Windows\system32\taskhostw.exe), while activating CLSID {D99E6E74-FC88-11D0-B498-00A0C90312F3}.
            processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
         An error event occurred. EventID: 0x00002720
            Time Generated: 07/03/2021 10:19:49
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
         An error event occurred. EventID: 0x00002720
            Time Generated: 07/03/2021 10:19:49
            Event String:
            The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D} to the user NT AUTHORITY\LOCAL SERVICE SID (S-1-5-19) from address LocalHost (Using LRPC) running in the application container Unavailable SID (Unavailable). This security permission can be modified using the Component Services administrative tool.
         An error event occurred. EventID: 0x0000272C
            Time Generated: 07/03/2021 10:20:24
            Event String:
            DCOM was unable to communicate with the computer SkypeSRV.domain.com using any of the configured protocols; requested by PID 2338 (C:\Windows\system32\taskhostw.exe), while activating CLSID {D99E6E74-FC88-11D0-B498-00A0C90312F3}.
         A warning event occurred. EventID: 0x00009015
            Time Generated: 07/03/2021 10:21:30
            Event String:
            When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certificate authorities that the list has grown too long.
            This list has thus been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.
         An error event occurred. EventID: 0x00002715
            Time Generated: 07/03/2021 10:23:35
            Event String:
            DCOM got error "1115" attempting to start the service BITS with arguments "Unavailable" in order to run the server: {4991D34B-80A1-4291-83B6-3328366B9097}
         An error event occurred. EventID: 0xC0001B63
            Time Generated: 07/03/2021 10:24:11
            Event String:
            A timeout (30000 milliseconds) was reached while waiting for a transaction response from the STInfoService service.
         An error event occurred. EventID: 0x0000272C
            Time Generated: 07/03/2021 10:25:44
            Event String:
            DCOM was unable to communicate with the computer SkypeSRV.domain.com using any of the configured protocols; requested by PID e18 (C:\Windows\system32\taskhostw.exe), while activating CLSID {D99E6E74-FC88-11D0-B498-00A0C90312F3}.
         An error event occurred. EventID: 0x0000272C
            Time Generated: 07/03/2021 10:25:59
            Event String:
            DCOM was unable to communicate with the computer SkypeSRV.domain.com using any of the configured protocols; requested by PID 760 (C:\Windows\system32\taskhostw.exe), while activating CLSID {D99E6E74-FC88-11D0-B498-00A0C90312F3}.
         A warning event occurred. EventID: 0x00001796
            Time Generated: 07/03/2021 10:29:44
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
            NTLM is a weaker authentication mechanism. Please check:
            Which applications are using NTLM authentication?
            Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
            If NTLM must be supported, is Extended Protection configured?
            Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
         An error event occurred. EventID: 0x0000272C
            Time Generated: 07/03/2021 10:31:00
            Event String:
            DCOM was unable to communicate with the computer SkypeSRV.domain.com using any of the configured protocols; requested by PID 79c (C:\Windows\system32\taskhostw.exe), while activating CLSID {D99E6E74-FC88-11D0-B498-00A0C90312F3}.
         ......................... AdditionalDC failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference) CN=AdditionalDC,OU=Domain Controllers,DC=domain,DC=com and backlink on CN=AdditionalDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com are correct.
         The system object reference (serverReferenceBL) CN=AdditionalDC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=com and backlink on CN=NTDS Settings,CN=AdditionalDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com are correct.
         The system object reference (msDFSR-ComputerReferenceBL) CN=AdditionalDC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=com and backlink on CN=AdditionalDC,OU=Domain Controllers,DC=domain,DC=com are correct.
         ......................... AdditionalDC passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

   Testing server: Default-First-Site-Name\ReadOnlyDC
      Starting test: Advertising
         The DC ReadOnlyDC is advertising itself as a DC and having a DS.
         The DC ReadOnlyDC is advertising as an LDAP server
         The DC ReadOnlyDC is not advertising as having a writeable directory because it is an RODC
         The DC ReadOnlyDC is advertising as a Key Distribution Center
         Warning: ReadOnlyDC is not advertising as a time server.
         ......................... ReadOnlyDC failed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.
         ......................... ReadOnlyDC passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.
         Failing SYSVOL replication problems may cause Group Policy problems.
         A warning event occurred. EventID: 0x80001396
            Time Generated: 07/03/2021 08:00:36
            Event String:
            The DFS Replication service is stopping communication with partner PrimaryDC for replication group Domain System Volume due to an error. The service will retry the connection periodically.
            Additional Information:
            Error: 9036 (Paused for backup or restore)
            Connection ID: 7CA4A8B4-4EAE-4C7A-A481-834E30EE1576
            Replication Group ID: 331CF903-BD01-4D01-84EE-1D67801586E5
         A warning event occurred. EventID: 0x80001396
            Time Generated: 07/03/2021 10:21:35
            Event String:
            The DFS Replication service is stopping communication with partner PrimaryDC for replication group Domain System Volume due to an error. The service will retry the connection periodically.
            Additional Information:
            Error: 1723 (The RPC server is too busy to complete this operation.)
            Connection ID: 7CA4A8B4-4EAE-4C7A-A481-834E30EE1576
            Replication Group ID: 331CF903-BD01-4D01-84EE-1D67801586E5
         An error event occurred. EventID: 0xC000138A
            Time Generated: 07/03/2021 10:22:29
            Event String:
            The DFS Replication service encountered an error communicating with partner PrimaryDC for replication group Domain System Volume.
            Partner DNS address: PrimaryDC.domain.com
            Optional data if available:
            Partner WINS Address: PrimaryDC
            Partner IP Address: 192.168.50.3
            The service will retry the connection periodically.
            Additional Information:
            Error: 1753 (There are no more endpoints available from the endpoint mapper.)
            Connection ID: 7CA4A8B4-4EAE-4C7A-A481-834E30EE1576
            Replication Group ID: 331CF903-BD01-4D01-84EE-1D67801586E5
         ......................... ReadOnlyDC failed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... ReadOnlyDC passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         A warning event occurred. EventID: 0x80000B46
            Time Generated: 07/03/2021 10:28:51
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
            Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds.
            For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923.
            You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher.
         A warning event occurred. EventID: 0x80000BE1
            Time Generated: 07/03/2021 10:28:51
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to enforce validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding Tokens will improve the security of this server.
            For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405.
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... ReadOnlyDC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com
         ......................... ReadOnlyDC passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC ReadOnlyDC on DC ReadOnlyDC.
         * SPN found :LDAP/ReadOnlyDC.domain.com/domain.com
         * SPN found :LDAP/ReadOnlyDC.domain.com
         * SPN found :LDAP/ReadOnlyDC
         * SPN found :LDAP/ReadOnlyDC.domain.com/domain
         * SPN found :LDAP/4385950f-1f3c-4ae7-9221-2a1b9a6093d5._msdcs.domain.com
         * SPN found :HOST/ReadOnlyDC.domain.com/domain.com
         * SPN found :HOST/ReadOnlyDC.domain.com
         * SPN found :HOST/ReadOnlyDC
         * SPN found :HOST/ReadOnlyDC.domain.com/domain
         * SPN found :GC/ReadOnlyDC.domain.com/domain.com
         ......................... ReadOnlyDC passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC ReadOnlyDC.
         * Security Permissions Check for CN=Schema,CN=Configuration,DC=domain,DC=com (Schema,Version 3)
         * Security Permissions Check for CN=Configuration,DC=domain,DC=com (Configuration,Version 3)
         * Security Permissions Check for DC=domain,DC=com (Domain,Version 3)
         ......................... ReadOnlyDC passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\ReadOnlyDC\netlogon
         Verified share \\ReadOnlyDC\sysvol
         ......................... ReadOnlyDC passed test NetLogons
      Starting test: ObjectsReplicated
         ReadOnlyDC is in domain DC=domain,DC=com
         Checking for CN=ReadOnlyDC,OU=Domain Controllers,DC=domain,DC=com in domain DC=domain,DC=com on 3 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=ReadOnlyDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com in domain CN=Configuration,DC=domain,DC=com on 3 servers
            Object is up-to-date on all servers.
         ......................... ReadOnlyDC passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            CN=Schema,CN=Configuration,DC=domain,DC=com
               Latency information for 20 entries in the vector were ignored.
                  20 were retired Invocations.
                  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.
                  0 had no latency information (Win2K DC).
            CN=Configuration,DC=domain,DC=com
               Latency information for 21 entries in the vector were ignored.
                  21 were retired Invocations.
                  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.
                  0 had no latency information (Win2K DC).
            DC=domain,DC=com
               Latency information for 20 entries in the vector were ignored.
                  20 were retired Invocations.
                  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.
                  0 had no latency information (Win2K DC).
         ......................... ReadOnlyDC passed test Replications
      Test skipped for RODC: RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... ReadOnlyDC passed test Services
            logon. The error was : %%1274
         A warning event occurred. EventID: 0x00000458
            Time Generated: 07/03/2021 10:18:01
            Event String:
            The Group Policy Client Side Extension Software Installation was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to finish completely before the next startup or logon for this user, and this may result in slow startup and boot performance.
         A warning event occurred. EventID: 0x00001796
            Time Generated: 07/03/2021 10:28:55
            Event String:
            Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.
            NTLM is a weaker authentication mechanism. Please check:
            Which applications are using NTLM authentication?
            Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication?
            If NTLM must be supported, is Extended Protection configured?
            Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699.
         A warning event occurred. EventID: 0x00002724
            Time Generated: 07/03/2021 10:29:01
            Event String:
            This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses.
         ......................... ReadOnlyDC failed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference) CN=ReadOnlyDC,OU=Domain Controllers,DC=domain,DC=com and backlink on CN=ReadOnlyDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com are correct.
         The system object reference (serverReferenceBL) CN=ReadOnlyDC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=com and backlink on CN=NTDS Settings,CN=ReadOnlyDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com are correct.
         The system object reference (msDFSR-ComputerReferenceBL) CN=ReadOnlyDC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=com and backlink on CN=ReadOnlyDC,OU=Domain Controllers,DC=domain,DC=com are correct.
         ......................... ReadOnlyDC passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

   Testing server: Default-First-Site-Name\PrimaryDC
      Starting test: Advertising
         The DC PrimaryDC is advertising itself as a DC and having a DS.
         The DC PrimaryDC is advertising as an LDAP server
         The DC PrimaryDC is advertising as having a writeable directory
         The DC PrimaryDC is advertising as a Key Distribution Center
         The DC PrimaryDC is advertising as a time server
         The DS PrimaryDC is advertising as a GC.
         ......................... PrimaryDC passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.
         ......................... PrimaryDC passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.
         Failing SYSVOL replication problems may cause Group Policy problems.
         An error event occurred. EventID: 0xC00004B2
            Time Generated: 07/03/2021 10:22:55
            Event String:
            The DFS Replication service failed to contact domain controller to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
            Additional Information:
            Error: 160 (One or more arguments are not correct.)
         ......................... PrimaryDC failed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... PrimaryDC passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         A warning event occurred. EventID: 0x80000B46
            Time Generated: 07/03/2021 10:22:35
            Event String:
            The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection. Even if no clients are using such binds, configuring the server to reject them will improve the security of this server.
Some clients may currently be relying on unsigned SASL binds or LDAP simple binds over a non-SSL/TLS connection, and will stop working if this configuration change is made. To assist in identifying these clients, if such binds occur this directory server will log a summary event once every 24 hours indicating how many such binds occurred. You are encouraged to configure those clients to not use such binds. Once no such events are observed for an extended period, it is recommended that you configure the server to reject such binds. For more details and information on how to make this configuration change to the server, please see http://go.microsoft.com/fwlink/?LinkID=87923. You can enable additional logging to log an event each time a client makes such a bind, including information on which client made the bind. To do so, please raise the setting for the "LDAP Interface Events" event logging category to level 2 or higher. A warning event occurred. EventID: 0x80000BE1 Time Generated: 07/03/2021 10:22:35 Event String: The security of this directory server can be significantly enhanced by configuring the server to enforce validation of Channel Binding Tokens received in LDAP bind requests sent over LDAPS connections. Even if no clients are issuing LDAP bind requests over LDAPS, configuring the server to validate Channel Binding Tokens will improve the security of this server. For more details and information on how to make this configuration change to the server, please see https://go.microsoft.com/fwlink/?linkid=2102405. A warning event occurred. EventID: 0x80000828 Time Generated: 07/03/2021 10:22:57 Event String: Active Directory Domain Services could not use DNS to resolve the IP address of the source domain controller listed below. 
To maintain the consistency of Security groups, group policy, users and computers and their passwords, Active Directory Domain Services successfully replicated using the NetBIOS or fully qualified computer name of the source domain controller. Invalid DNS configuration may be affecting other essential operations on member computers, domain controllers or application servers in this Active Directory Domain Services forest, including logon authentication or access to network resources. You should immediately resolve this DNS configuration error so that this domain controller can resolve the IP address of the source domain controller using DNS. Alternate server name: AdditionalDC Failing DNS host name: efed48a9-ce26-4880-84ce-58e731ae20c3._msdcs.domain.com NOTE: By default, only up to 10 DNS failures are shown for any given 12 hour period, even if more than 10 failures occur. To log all individual failure events, set the following diagnostics registry value to 1: Registry Path: HKLM\System\CurrentControlSet\Services\NTDS\Diagnostics\22 DS RPC Client User Action: 1) If the source domain controller is no longer functioning or its operating system has been reinstalled with a different computer name or NTDSDSA object GUID, remove the source domain controller's metadata with ntdsutil.exe, using the steps outlined in MSKB article 216498. 2) Confirm that the source domain controller is running Active Directory Domain Services and is accessible on the network by typing "net view \\" or "ping ". 
3) Verify that the source domain controller is using a valid DNS server for DNS services, and that the source domain controller's host record and CNAME record are correctly registered, using the DNS Enhanced version of DCDIAG.EXE available on http://www.microsoft.com/dns dcdiag /test:dns 4) Verify that this destination domain controller is using a valid DNS server for DNS services, by running the DNS Enhanced version of DCDIAG.EXE command on the console of the destination domain controller, as follows: dcdiag /test:dns 5) For further analysis of DNS error failures see KB 824449: http://support.microsoft.com/?kbid=824449 Additional Data Error value: 11001 No such host is known. A warning event occurred. EventID: 0x800004C4 Time Generated: 07/03/2021 10:25:50 Event String: LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate. Additional Data Error value: 8009030e No credentials are available in the security package Found no KCC errors in "Directory Service" Event log in the last 15 minutes. ......................... PrimaryDC passed test KccEvent Starting test: KnowsOfRoleHolders Role Schema Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com Role Domain Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com Role PDC Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com Role Rid Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com Role Infrastructure Update Owner = CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com ......................... PrimaryDC passed test KnowsOfRoleHolders Starting test: MachineAccount Checking machine account for DC PrimaryDC on DC PrimaryDC. 
* SPN found :LDAP/PrimaryDC.domain.com/domain.com * SPN found :LDAP/PrimaryDC.domain.com * SPN found :LDAP/PrimaryDC * SPN found :LDAP/PrimaryDC.domain.com/domain * SPN found :LDAP/43c392bd-d51d-43dd-bec0-a00f8991338c._msdcs.domain.com * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/43c392bd-d51d-43dd-bec0-a00f8991338c/domain.com * SPN found :HOST/PrimaryDC.domain.com/domain.com * SPN found :HOST/PrimaryDC.domain.com * SPN found :HOST/PrimaryDC * SPN found :HOST/PrimaryDC.domain.com/domain * SPN found :GC/PrimaryDC.domain.com/domain.com ......................... PrimaryDC passed test MachineAccount Starting test: NCSecDesc * Security Permissions check for all NC's on DC PrimaryDC. * Security Permissions Check for DC=ForestDnsZones,DC=domain,DC=com (NDNC,Version 3) * Security Permissions Check for DC=DomainDnsZones,DC=domain,DC=com (NDNC,Version 3) * Security Permissions Check for CN=Schema,CN=Configuration,DC=domain,DC=com (Schema,Version 3) * Security Permissions Check for CN=Configuration,DC=domain,DC=com (Configuration,Version 3) * Security Permissions Check for DC=domain,DC=com (Domain,Version 3) ......................... PrimaryDC passed test NCSecDesc Starting test: NetLogons * Network Logons Privileges Check Verified share \\PrimaryDC\netlogon Verified share \\PrimaryDC\sysvol ......................... PrimaryDC passed test NetLogons Starting test: ObjectsReplicated PrimaryDC is in domain DC=domain,DC=com Checking for CN=PrimaryDC,OU=Domain Controllers,DC=domain,DC=com in domain DC=domain,DC=com on 3 servers Object is up-to-date on all servers. Checking for CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com in domain CN=Configuration,DC=domain,DC=com on 3 servers Object is up-to-date on all servers. ......................... 
PrimaryDC passed test ObjectsReplicated Test omitted by user request: OutboundSecureChannels Starting test: Replications * Replications Check * Replication Latency Check DC=ForestDnsZones,DC=domain,DC=com Latency information for 19 entries in the vector were ignored. 19 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=DomainDnsZones,DC=domain,DC=com Latency information for 19 entries in the vector were ignored. 19 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Schema,CN=Configuration,DC=domain,DC=com Latency information for 19 entries in the vector were ignored. 19 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). CN=Configuration,DC=domain,DC=com Latency information for 20 entries in the vector were ignored. 20 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). DC=domain,DC=com Latency information for 19 entries in the vector were ignored. 19 were retired Invocations. 0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc. 0 had no latency information (Win2K DC). ......................... PrimaryDC passed test Replications Starting test: RidManager * Available RID Pool for the Domain is 43103 to 1073741823 * PrimaryDC.domain.com is the RID Master * DsBind with RID Master was successful * rIDAllocationPool is 42603 to 43102 * rIDPreviousAllocationPool is 42603 to 43102 * rIDNextRID: 42610 ......................... 
PrimaryDC passed test RidManager Starting test: Services * Checking Service: EventSystem * Checking Service: RpcSs * Checking Service: NTDS * Checking Service: DnsCache * Checking Service: DFSR * Checking Service: IsmServ * Checking Service: kdc * Checking Service: SamSs * Checking Service: LanmanServer * Checking Service: LanmanWorkstation * Checking Service: w32time * Checking Service: NETLOGON ......................... PrimaryDC passed test Services Starting test: SystemLog * The System Event log test A warning event occurred. EventID: 0x00009016 Time Generated: 07/03/2021 09:32:46 Event String: No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application A warning event occurred. EventID: 0x00009016 Time Generated: 07/03/2021 09:56:25 Event String: No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this. An error event occurred. EventID: 0x0000272C Time Generated: 07/03/2021 10:05:23 Event String: DCOM was unable to communicate with the computer SkypeSRV.domain.com using any of the configured protocols; requested by PID 1a00 (C:\Windows\system32\taskhostw.exe), while activating CLSID {D99E6E74-FC88-11D0-B498-00A0C90312F3}. A warning event occurred. EventID: 0x00009016 Time Generated: 07/03/2021 10:10:06 Event String: No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. 
Applications that manage their own credentials, such as the internet information server, are not affected by this. A warning event occurred. EventID: 0x00009016 Time Generated: 07/03/2021 10:10:47 Event String: No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this. An error event occurred. EventID: 0x0000272C Time Generated: 07/03/2021 10:20:48 Event String: DCOM was unable to communicate with the computer SkypeSRV.domain.com using any of the configured protocols; requested by PID 196c (C:\Windows\system32\taskhostw.exe), while activating CLSID {D99E6E74-FC88-11D0-B498-00A0C90312F3}. An error event occurred. EventID: 0xC0001B58 Time Generated: 07/03/2021 10:21:51 Event String: The Diagnostic Service Host service failed to start due to the following error: A privilege that the service requires to function properly does not exist in the service account configuration. You may use the Services Microsoft Management Console (MMC) snap-in (services.msc) and the Local Security Settings MMC snap-in (secpol.msc) to view the service configuration and the account configuration. A warning event occurred. EventID: 0x000727A5 Time Generated: 07/03/2021 10:22:00 Event String: The WinRM service is not listening for WS-Management requests. User Action If you did not intentionally stop the service, use the following command to see the WinRM configuration: winrm enumerate winrm/config/listener A warning event occurred. EventID: 0x000003F6 Time Generated: 07/03/2021 10:22:26 Event String: Name resolution for the name _ldap._tcp.dc._msdcs.domain.com. timed out after none of the configured DNS servers responded. A warning event occurred. 
EventID: 0x000003F6 Time Generated: 07/03/2021 10:22:39 Event String: Name resolution for the name wpad timed out after none of the configured DNS servers responded. A warning event occurred. EventID: 0x000727AA Time Generated: 07/03/2021 10:22:51 Event String: The WinRM service failed to create the following SPNs: WSMAN/PrimaryDC.domain.com; WSMAN/PrimaryDC. Additional Data The error received was 1355: %%1355. User Action The SPNs can be created by an administrator using setspn.exe utility. A warning event occurred. EventID: 0x00002724 Time Generated: 07/03/2021 10:22:55 Event String: This computer has at least one dynamically assigned IPv6 address.For reliable DHCPv6 server operation, you should use only static IPv6 addresses. A warning event occurred. EventID: 0xC000042B Time Generated: 07/03/2021 10:22:57 Event String: The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: The specified domain either does not exist or could not be contacted. . A warning event occurred. EventID: 0x00001796 Time Generated: 07/03/2021 10:25:47 Event String: Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server. NTLM is a weaker authentication mechanism. Please check: Which applications are using NTLM authentication? Are there configuration issues preventing the use of stronger authentication such as Kerberos authentication? If NTLM must be supported, is Extended Protection configured? Details on how to complete these checks can be found at http://go.microsoft.com/fwlink/?LinkId=225699. A warning event occurred. EventID: 0x00009016 Time Generated: 07/03/2021 10:25:50 Event String: No suitable default server credential exists on this system. 
This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this. A warning event occurred. EventID: 0x00009016 Time Generated: 07/03/2021 10:31:35 Event String: No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this. ......................... PrimaryDC failed test SystemLog Test omitted by user request: Topology Test omitted by user request: VerifyEnterpriseReferences Starting test: VerifyReferences The system object reference (serverReference) CN=PrimaryDC,OU=Domain Controllers,DC=domain,DC=com and backlink on CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com are correct. The system object reference (serverReferenceBL) CN=PrimaryDC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=com and backlink on CN=NTDS Settings,CN=PrimaryDC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=com are correct. The system object reference (msDFSR-ComputerReferenceBL) CN=PrimaryDC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=com and backlink on CN=PrimaryDC,OU=Domain Controllers,DC=domain,DC=com are correct. ......................... 
PrimaryDC passed test VerifyReferences Test omitted by user request: VerifyReplicas Test omitted by user request: DNS Test omitted by user request: DNS Test omitted by user request: DNS Test omitted by user request: DNS Test omitted by user request: DNS Test omitted by user request: DNS Running partition tests on : ForestDnsZones Starting test: CheckSDRefDom ......................... ForestDnsZones passed test CheckSDRefDom Starting test: CrossRefValidation ......................... ForestDnsZones passed test CrossRefValidation Running partition tests on : DomainDnsZones Starting test: CheckSDRefDom ......................... DomainDnsZones passed test CheckSDRefDom Starting test: CrossRefValidation ......................... DomainDnsZones passed test CrossRefValidation Running partition tests on : Schema Starting test: CheckSDRefDom ......................... Schema passed test CheckSDRefDom Starting test: CrossRefValidation ......................... Schema passed test CrossRefValidation Running partition tests on : Configuration Starting test: CheckSDRefDom ......................... Configuration passed test CheckSDRefDom Starting test: CrossRefValidation ......................... Configuration passed test CrossRefValidation Running partition tests on : domain Starting test: CheckSDRefDom ......................... domain passed test CheckSDRefDom Starting test: CrossRefValidation ......................... domain passed test CrossRefValidation Running enterprise tests on : domain.com Test omitted by user request: DNS Test omitted by user request: DNS Starting test: LocatorCheck GC Name: \\PrimaryDC.domain.com Locator Flags: 0xe003f3fd PDC Name: \\PrimaryDC.domain.com Locator Flags: 0xe003f3fd Time Server Name: \\PrimaryDC.domain.com Locator Flags: 0xe003f3fd Preferred Time Server Name: \\PrimaryDC.domain.com Locator Flags: 0xe003f3fd KDC Name: \\PrimaryDC.domain.com Locator Flags: 0xe003f3fd ......................... 
domain.com passed test LocatorCheck Starting test: Intersite Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments provided. ......................... domain.com passed test Intersite