AD DS: The AD DS BPA should be able to collect data for this element

Updated: August 31, 2012

Applies To: Windows Server 2008 R2, Windows Server 2012

This topic is intended to address a specific issue identified by a Best Practices Analyzer scan. You should apply the information in this topic only to computers that have had the Active Directory Domain Services Best Practices Analyzer run against them and are experiencing the issue addressed by this topic. For more information about best practices and scans, see Best Practices Analyzer (https://go.microsoft.com/fwlink/?LinkId=122786).

Operating System: Windows Server 2008 R2, Windows Server 2012

Product/Feature: Active Directory Domain Services (AD DS)

Severity: Error

Category: Configuration

Issue

The Active Directory Domain Services Best Practices Analyzer (AD DS BPA) is not able to collect data for this element.

Impact

The AD DS BPA will not be able to validate configuration data for this element.

Resolution

Troubleshoot this domain controller to determine the root cause of the problem.

First, check for network or firewall issues that could be the root cause of the problem. If that does not identify and resolve the problem, troubleshoot the domain controller by completing the following tasks:

  • Examine DirectoryServices_EngineReport.xml (a detailed log file for the most recent AD DS BPA scan) to determine the cause of the problem:

    1. To locate DirectoryServices_EngineReport.xml, on the computer where you run your AD DS BPA scan, navigate to %systemdrive%\Windows\Logs\BPA\Reports\Microsoft\Windows\DirectoryServices.

    2. Open DirectoryServices_EngineReport.xml in an editor application (for example, Notepad.exe), and search for the “<Error>” text. If instances of “<Error>” are present, read the error messages to determine the possible cause of the problem.

      For example, if the "LdapAtSite" DNS service (SRV) resource record that advertises a domain controller as an available Lightweight Directory Access Protocol (LDAP) server for the domain in its local site is not registered, you might see the following text in the DirectoryServices_EngineReport:

      <LdapAtSite>
        <DomainName>
          <Value>_ldap._tcp.Site1\0ACNF:f7c849ea-8552-4408-9d2a-8f94fac55967._sites.cCSD1658209.dCSD1647692.contoso.com</Value>
        </DomainName>
        <Registered>
          <Error>
            <Report>true</Report>
            <DataItem>the DNS record LdapAtSite</DataItem>
            <Computer>the DNS servers</Computer>
            <Message>DNS name contains an invalid character</Message>
            <FullyQualifiedErrorId>DotNetMethodException</FullyQualifiedErrorId>
            <Exception>
              <Type>System.ComponentModel.Win32Exception</Type>
              <Message>DNS name contains an invalid character</Message>
            </Exception>
          </Error>
        </Registered>
      </LdapAtSite>
      
  • Verify that the AD DS service is running on this domain controller. For more information, see the Restartable AD DS Step-by-Step Guide (https://go.microsoft.com/fwlink/?LinkId=148205).

  • Verify that the Active Directory Web Services (ADWS) service is running on this domain controller. For more information, see What's New in AD DS: Active Directory Web Services (https://go.microsoft.com/fwlink/?LinkID=141393).

  • Verify that the Active Directory module for Windows PowerShell is installed and functioning properly on this domain controller. For more information, see What's New in AD DS: Active Directory Module for Windows PowerShell (https://go.microsoft.com/fwlink/?LinkId=140056).

  • If you run AD DS BPA with Domain Admins credentials, AD DS BPA can fail to collect configuration data from domain controllers in other domains. To let AD DS BPA collect configuration data from domain controllers in other domains that belong to the same forest as the domain controller on which you are running AD DS BPA, consider running it with Enterprise Admins credentials.
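
The "<Error>" search from step 2 can be scripted instead of done by eye. The following PowerShell is an added example, not part of the original topic or Microsoft's code: it lists every "<Error>" element in DirectoryServices_EngineReport.xml together with the element it is nested under. The function name and the SampleRoot wrapper are hypothetical, and it assumes the full report nests errors the way the excerpt above does.

```powershell
# Added example, not Microsoft's code. Requires PowerShell 3.0 or later.
# Assumption: the full report nests <Error> elements as in the excerpt above.
function Get-BpaEngineReportError {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][xml]$Report)
    foreach ($err in $Report.SelectNodes("//*[local-name()='Error']")) {
        # Walk up the ancestors to show which collected element failed.
        $path = @()
        $node = $err.ParentNode
        while ($null -ne $node -and $node.NodeType -eq [System.Xml.XmlNodeType]::Element) {
            $path = @($node.LocalName) + $path
            $node = $node.ParentNode
        }
        # Direct children only, so Exception/Message is not reported twice.
        $field = @{}
        foreach ($name in 'DataItem', 'Computer', 'Message', 'FullyQualifiedErrorId') {
            $child = $err.SelectSingleNode("*[local-name()='$name']")
            $field[$name] = if ($null -ne $child) { $child.InnerText.Trim() }
        }
        $type = $err.SelectSingleNode("*[local-name()='Exception']/*[local-name()='Type']")
        [pscustomobject]@{
            Element       = $path -join '/'
            DataItem      = $field['DataItem']
            Computer      = $field['Computer']
            Message       = $field['Message']
            ErrorId       = $field['FullyQualifiedErrorId']
            ExceptionType = if ($null -ne $type) { $type.InnerText.Trim() }
        }
    }
}

# Constructed sample: this page's excerpt inside a made-up <SampleRoot> element.
$sample = @'
<SampleRoot><LdapAtSite>
  <DomainName><Value>_ldap._tcp.Site1\0ACNF:f7c849ea-8552-4408-9d2a-8f94fac55967._sites.cCSD1658209.dCSD1647692.contoso.com</Value></DomainName>
  <Registered><Error>
    <Report>true</Report><DataItem>the DNS record LdapAtSite</DataItem>
    <Computer>the DNS servers</Computer>
    <Message>DNS name contains an invalid character</Message>
    <FullyQualifiedErrorId>DotNetMethodException</FullyQualifiedErrorId>
    <Exception><Type>System.ComponentModel.Win32Exception</Type>
      <Message>DNS name contains an invalid character</Message></Exception>
  </Error></Registered>
</LdapAtSite></SampleRoot>
'@
# Use the real report when it exists on this computer, otherwise the sample.
$file = Join-Path $env:SystemDrive 'Windows\Logs\BPA\Reports\Microsoft\Windows\DirectoryServices\DirectoryServices_EngineReport.xml'
$doc = New-Object System.Xml.XmlDocument
if (Test-Path -LiteralPath $file) { $doc.Load($file) } else { $doc.LoadXml($sample) }
Get-BpaEngineReportError -Report $doc | Format-List
```

Run it on the computer where the AD DS BPA scan was run; the Element column shows which collected item each error belongs to (LdapAtSite/Registered for the excerpt).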