RFVDB asked:

Active Directory DC Replication Issues

Helping a client with their two 2012 Domain Controllers.

Their DC1, which holds the FSMO roles, had DFSR Event Error 4012: that it had dropped replication of the SYSVOL\domain path as it had been disconnected for X days.

I executed KB 2218556 to make DC1 non-authoritative and ran all the needed steps. I didn't get the needed Event in Event Viewer showing that replication had succeeded. However, when creating user objects in AD Users and Computers, they replicate to the other DC?

I looked on DC2 and found DFSR Event Warning 2213: The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly... Looking online, a Microsoft article recommended doing KB 2218556 to make DC2 authoritative because DC1's Event Viewer for DFS Replication was showing that it was still waiting to perform initial replication.

Did this and waited for 1 hour and never saw Event ID 4602 in the DFSR event log on DC2 indicating SYSVOL had been initialized. I then ran the WMIC command in Event 2213 to continue replication, and soon after this DC2 had the error DC1 had: DFSR Event Error 4012, that it had dropped replication of the SYSVOL\domain path as it had been disconnected for X days.

So I then executed KB 2218556 to perform a non-authoritative synchronization of DFSR-replicated SYSVOL and waited another 30 minutes or so. Both DCs were stuck on DFSR Event Warning 4614, that the DFS Replication service initialized SYSVOL and is waiting to perform initial replication. So it seemed both were waiting for the other! No Event 4604 as per the Microsoft KB.

I didn't know what to do at this point, so I restarted DFSR on both of them. After a number of informational DFSR messages, DC1 came up with Event ID 1206, that the DFS Replication service successfully contacted domain controller DC1. Nothing about DC2 (I noticed that DC1's primary DNS server was itself and DC2 was the secondary one; maybe that's why?).

DC2's DFSR event log eventually indicated Event 5014, that DFSR is stopping communication with partner DC1 for replication group Domain System Volume due to an error; the service will retry the connection periodically. Then Event ID 5004, which stated that the DFS Replication service successfully established an inbound connection with partner DC1 for replication group Domain System Volume.

During this entire time, creating test AD users in AD Users and Groups has them replicate to either DC, as they show up very rapidly in AD Users and Groups on both. Also, running repadmin /showrepl and repadmin /replsummary, both show successful replication.

However, when running the DFS Management Diagnostic Report, the Propagation Test succeeds, but the propagation report shows two tests complete and the health report for both DCs still says "This member is waiting for initial replication for replicated folder SYSVOL Share".

Checking back today 9 hours later, the Event IDs haven't changed from the above and the DFS Management Diagnostic reports are still the same as above.

So I can create users and replicate back and forth, but I have the above errors. I don't know what to do at this point. Thanks.
Will Szymkowski

There are different partitions which replicate within Active Directory. SYSVOL is specific to NetLogon and Group Policy objects. It seems like you have been making a lot of changes, and spending a ton of time on this issue.

Why not try demoting DC1 and then re-promoting it? This way you will be certain that it is getting updates from the replication partner.

If DC1 is the FSMO role holder, transfer the roles to DC2, then demote DC1 and re-promote.

Will.
I agree with Will.
albatros99

The fact that new AD user objects get replicated immediately is irrelevant in this case, because that is using a different replication mechanism. DFSR is for the SYSVOL only, and that includes logon scripts, GPOs, etc. As long as the DC thinks that DFS is not working, it will not share out the SYSVOL to clients.

I agree with Will: demoting / re-promoting the faulty DC is probably your quickest route at this point.
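The transfer-then-demote-then-re-promote route that Will and albatros99 recommend, scripted as an added example (this is not code from the thread). It assumes the domain is contoso.com, the DCs are DC1 and DC2, the ActiveDirectory and ADDSDeployment modules are present, and DC2 is healthy enough to take the roles. The stages run on different machines with reboots in between, so it is meant to be run one block at a time, not as a single script.

```powershell
# Stage 1 (run on DC2, or anywhere with RSAT): record the current FSMO holders, then
# transfer (not seize) all five roles to DC2. A transfer needs DC1 online and replicating,
# which the repadmin /replsummary output in the thread already confirms.
Import-Module ActiveDirectory
$domain = Get-ADDomain -Identity 'contoso.com'      # assumed domain name
$forest = Get-ADForest -Identity 'contoso.com'
[pscustomobject]@{
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
} | Format-List
Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false
netdom query fsmo                                   # every role should now list DC2

# Stage 2 (run on DC1): demote it to a member server. The password given here becomes
# the local Administrator password after the reboot that follows.
$cred = Get-Credential -UserName 'CONTOSO\Administrator' -Message 'Domain admin credentials'
Uninstall-ADDSDomainController -Credential $cred `
    -LocalAdministratorPassword (Read-Host -AsSecureString 'Local Administrator password') `
    -Force

# Stage 3 (run on DC1 after the reboot): clear the stale SYSVOL tree first so nothing old
# is picked up, then re-promote with DC2 as the explicit replication source. Promotion
# recreates %WINDIR%\SYSVOL and DFSR fills it by initial sync from that partner.
# -InstallDns assumes the domain uses AD-integrated DNS, as the thread implies.
Remove-Item -Path "$env:WINDIR\SYSVOL" -Recurse -Force -ErrorAction SilentlyContinue
$cred = Get-Credential -UserName 'CONTOSO\Administrator' -Message 'Domain admin credentials'
Install-ADDSDomainController -DomainName 'contoso.com' -Credential $cred `
    -ReplicationSourceDC 'DC2.contoso.com' `
    -SafeModeAdministratorPassword (Read-Host -AsSecureString 'DSRM password') `
    -InstallDns -Force

# Stage 4 (after the second reboot): SYSVOL and NETLOGON are only shared once initial
# replication has finished, so an absent share means the partner's DFSR is the problem,
# not the freshly promoted DC. This is exactly the symptom the thread goes on to hit.
net share | Select-String -Pattern 'SYSVOL|NETLOGON'
```

The important caveat, which the rest of the thread bears out, is that a re-promoted DC can only finish initial sync if some partner is actually serving SYSVOL; if no partner ever reaches the "initialized" state, the new DC will sit on event 4614 indefinitely no matter how clean its own SYSVOL tree is.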
RFVDB (asker)

Thanks. After demoting, should I delete some of the folders in the Sysvol folder so it doesn't try to use them again when re-promoting, such as:

%WINDIR%\SYSVOL\domain\Policies
%WINDIR%\SYSVOL\domain\Scripts

Also, I don't need to remove the AD roles after demoting, right? I can just demote and then promote?

Thanks!
Yes, I recommend deleting the folders. But there's no need to remove the role.
"Also, I don't need to remove the AD roles after demoting, right? I can just demote and then promote?"

That is correct. You do not need to remove the role. If you do, it will just make you re-add them.

Will.
RFVDB (asker)

OK thanks all.

I did demote and promote DC1; however, that didn't do the trick. I used the DFS Management Tool to test Sysvol replication and it never finishes.

Is there a good solid System Event or tool to immediately know if Sysvol replication is fully functional?

I didn't delete the two Sysvol folders I mentioned above though as I wasn't sure.

So I guess my next action is to do the demote/promote again, deleting these Sysvol folders:

%WINDIR%\SYSVOL\domain\Policies
%WINDIR%\SYSVOL\domain\Scripts

Right?
The way to tell if SYSVOL replication is fully functional is to check the event log. There is a DFS Replication log, and it will show event 4604. Also, if you type net share at a command prompt, you will see that SYSVOL has been shared out.
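A one-shot health check for the question above, added here as an example rather than anything from the thread: it reads the DFSR state of the SYSVOL replicated folder straight from the service's WMI provider (root\MicrosoftDFS), confirms whether the SYSVOL and NETLOGON shares exist, and lists the recent DFSR events the thread keeps citing with a one-line gloss of each. It assumes it runs as a domain admin against a 2012 / 2012 R2 DC, local or by name; the DC names are placeholders.

```powershell
param([string]$ComputerName = $env:COMPUTERNAME)   # e.g. DC1, DC2 or DC3 in the thread

# DfsrReplicatedFolderInfo.State values as documented for the root\MicrosoftDFS provider.
$stateNames = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
                 3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }

# 1. What DFSR itself thinks about each replicated folder. For SYSVOL, anything but
#    Normal (4) after the service has been up for a while means initial sync never finished,
#    which is what the thread's "waiting for initial replication" report is saying.
$folders = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftDFS' `
                         -Class DfsrReplicatedFolderInfo
foreach ($f in $folders) {
    '{0,-8} folder {1,-20} state   {2}' -f $ComputerName, $f.ReplicatedFolderName, $stateNames[[int]$f.State]
}

# 2. SYSVOL and NETLOGON are only shared once DFSR has completed initial replication,
#    so a missing share is the most direct symptom of the problem in this thread.
$shares = Get-WmiObject -ComputerName $ComputerName -Class Win32_Share
foreach ($name in 'SYSVOL', 'NETLOGON') {
    $present = [bool]($shares | Where-Object { $_.Name -eq $name })
    '{0,-8} share  {1,-20} present {2}' -f $ComputerName, $name, $present
}

# 3. The DFSR events that matter for SYSVOL, newest first. Meaning of each Id:
#    2213 volume paused after unclean JET shutdown    4012 replication dropped, offline too long
#    4114 SYSVOL no longer replicated (mid-restore)    4602 SYSVOL initialized as authoritative
#    4614 initialized, waiting for initial sync        4604 initial sync complete (the one to see)
#    5004/5014 inbound connection up / down             6016/6018 AD config update failed / ok
$ids = 2213, 4012, 4114, 4602, 4604, 4614, 5004, 5014, 6016, 6018
Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -MaxEvents 20 `
             -FilterHashtable @{ LogName = 'DFS Replication'; Id = $ids } |
    Sort-Object TimeCreated -Descending |
    Format-Table TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } -AutoSize
```

Run it once per DC and compare: a DC whose SYSVOL folder is in state 4 with both shares present is a valid replication source; a DC sitting in state 1 or 2 with no shares, and a newest event of 4614, is still waiting on a partner, regardless of what repadmin says about the AD partitions.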
RFVDB (asker)

OK thanks.

I demoted DC1 again. I deleted the entire SYSVOL folder just in case. Re-promoted, and it recreated the SYSVOL folder. But DFSR is still not working for the SYSVOL folder. Checked net share 12 hours later and there is no SYSVOL share.
RFVDB (asker)

I just created a DC3 from a fresh 2012 R2 install and got the same issue. After an hour, net share still shows no SYSVOL share. Looks like DC2's DFSR share is somehow messed up. There's got to be a way to fix it on DC2.

DFSR Events on new DC3 are:
4614: The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication.
6806: The DFS Replication service has detected that at least one connection is configured for replication group Domain System Volume.
6016: The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically.
6806: The DFS Replication service has detected that at least one connection is configured for replication group Domain System Volume.
Latest one: 6018: The DFS Replication service successfully updated configuration in Active Directory Domain Services.

Please let me know if you need any other information.
SOLUTION
Will Szymkowski
RFVDB (asker)

Thanks. It says in the first paragraph not to perform such an action unless you have another Domain Controller with a functioning Sysvol. Since DC2 is the only one with a functioning Sysvol, it doesn't seem a safe course.

Any other alternatives?

I found this:
https://jorgequestforknowledge.wordpress.com/2010/08/12/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-3/

Is that a potentially safe action to take?

I also found an article where an admin removed the contents of the Sysvol share, restarted DFSR, then re-added the contents, and that fixed the issue. Is that a safe thing to do? I've never touched or manually removed or added the contents of the Active Directory Sysvol shares.
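What the thread eventually settled on was an authoritative restore of SYSVOL on DC2. The following is an added example, not code from the thread, the KB or Microsoft: it drives the KB 2218556 authoritative synchronization from PowerShell in the order that article lays out (disable every DC's SYSVOL subscription, mark one DC authoritative with msDFSR-Options=1, bring that DC back alone until it logs 4602, then let the others rejoin until each logs 4604). It assumes the domain is contoso.com, DC2 holds the good SYSVOL copy (the "at least one DC with a functioning SYSVOL" precondition the asker quotes), DC1 is the only other DC, WinRM is enabled on both, and it runs as a Domain Admin. Anything that misses its event within the timeout throws rather than continuing, since a half-applied restore is worse than a stopped one.

```powershell
Import-Module ActiveDirectory
$DomainDN        = (Get-ADDomain -Identity 'contoso.com').DistinguishedName   # assumed domain
$AuthoritativeDC = 'DC2'                 # the DC whose SYSVOL content wins
$OtherDCs        = @('DC1')              # every other DC in the domain
$AllDCs          = @($AuthoritativeDC) + $OtherDCs
$Started         = Get-Date              # only events newer than this count

# Each DC's SYSVOL membership lives on its own object under the DC's computer account.
function Get-SysvolSubscriptionDN([string]$dc) {
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$dc,OU=Domain Controllers,$DomainDN"
}

# msDFSR-Enabled=FALSE takes the DC out of the replication group; msDFSR-Options=1 marks
# its content as the copy that wins when it comes back (the FRS "D4" equivalent).
function Set-SysvolSubscription([string]$dc, [bool]$enabled, [switch]$markAuthoritative) {
    $attrs = @{ 'msDFSR-Enabled' = $enabled }
    if ($markAuthoritative) { $attrs['msDFSR-Options'] = 1 }
    Set-ADObject -Identity (Get-SysvolSubscriptionDN $dc) -Replace $attrs
}

# Block until $dc logs DFSR event $id (newer than $Started) or give up and stop the run.
function Wait-DfsrEvent([string]$dc, [int]$id, [int]$timeoutMin = 30) {
    $deadline = (Get-Date).AddMinutes($timeoutMin)
    do {
        $e = Get-WinEvent -ComputerName $dc -MaxEvents 1 -ErrorAction SilentlyContinue `
                          -FilterHashtable @{ LogName = 'DFS Replication'; Id = $id; StartTime = $Started }
        if ($e) { Write-Host "$dc logged $id at $($e.TimeCreated)"; return }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFSR event $id on $dc; stop here and investigate before going on"
}

function Invoke-OnDC([string]$dc, [scriptblock]$sb) { Invoke-Command -ComputerName $dc -ScriptBlock $sb }

# 1. Stop DFSR everywhere, disable every subscription, flag the authoritative DC, and make
#    sure all DCs have seen the change before any DFSR service comes back.
foreach ($dc in $AllDCs) { Invoke-OnDC $dc { Stop-Service DFSR } }
Set-SysvolSubscription $AuthoritativeDC -enabled:$false -markAuthoritative
foreach ($dc in $OtherDCs) { Set-SysvolSubscription $dc -enabled:$false }
repadmin /syncall /AdP

# 2. Bring the authoritative DC back alone: it logs 4114 (SYSVOL no longer replicated),
#    then is re-enabled and must log 4602 (SYSVOL initialized) before anyone else rejoins.
Invoke-OnDC $AuthoritativeDC { Start-Service DFSR }
Wait-DfsrEvent $AuthoritativeDC 4114
Set-SysvolSubscription $AuthoritativeDC -enabled:$true
repadmin /syncall /AdP
Invoke-OnDC $AuthoritativeDC { dfsrdiag pollad }
Wait-DfsrEvent $AuthoritativeDC 4602

# 3. The non-authoritative DCs: start DFSR, wait for 4114, re-enable, poll AD, then wait
#    for 4604 (initial replication complete), the event the thread never managed to see.
foreach ($dc in $OtherDCs) {
    Invoke-OnDC $dc { Start-Service DFSR }
    Wait-DfsrEvent $dc 4114
    Set-SysvolSubscription $dc -enabled:$true
}
repadmin /syncall /AdP
foreach ($dc in $OtherDCs) {
    Invoke-OnDC $dc { dfsrdiag pollad }
    Wait-DfsrEvent $dc 4604
    # The shares only appear once initial sync is done, so this is the final proof.
    Invoke-OnDC $dc { net share } | Select-String -Pattern 'SYSVOL|NETLOGON'
}
```

The same two helpers cover the non-authoritative variant the asker ran first: for a single DC, call Set-SysvolSubscription with -enabled:$false (no -markAuthoritative), run repadmin /syncall /AdP and dfsrdiag pollad, wait for 4114, set -enabled:$true, sync and poll again, and wait for 4614 then 4604. That path only works when some other DC is already serving a healthy SYSVOL, which is exactly the precondition that was missing in this thread once both DCs were waiting on each other.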
SOLUTION
ASKER CERTIFIED SOLUTION
Glad to hear it is working now.

Will.
RFVDB (asker)

I've requested that this question be closed as follows:

Accepted answer: 0 points for RFVDB's comment #a40821109

for the following reason:

My Solution tried again and it worked.
Why are you not accepting my comment as the solution? I have stated that you needed to perform an Authoritative Restore many times. Your last comment: "Eventually did an authoritative restore on DC2 again".

All of the below comments of mine stated doing an authoritative restore
ID: 40792063
ID: 40798379

Answers should be accepted accordingly.

Will.