Solved

NETLOGON not replicating

Posted on 2004-04-14
Last Modified: 2010-05-18
Built a new domain controller on an existing domain that has been running for over two years with no problems.  When I promoted the machine to a DC it got all our logon scripts replicated to it.  However, any new changes to a logon script are not replicated to it and vice versa.  I even created a dummy text file and copied it to the netlogon share of an existing DC; all DCs except the new one got it.  Then I copied a different text file to the new one and no other DCs got it.  I can't find anything in any of the DCs' event logs that occurs on a regular basis that could explain why this is not working.

Any ideas?

Thanks,
Joe
0
Question by:jvieira
13 Comments
 
LVL 20

Expert Comment

by:Debsyl99
Hi there,

It sounds like there's a replication problem - have you run dcdiag to try to diagnose any errors? It's part of the Win2k resource kit, but you can download it here - it's probably worth a run - post back any errors if you can't diagnose them.
DcDiag.exe: Domain Controller Diagnostic Tool
http://www.microsoft.com/windows2000/techinfo/reskit/tools/new/dcdiag-o.asp
Windows 2000 Support Tools: DCDiag.exe Utility Update
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=23870A87-8422-408C-9375-2D9AAF939FA3
Troubleshoot Windows 2000 domain controllers with DCDiag
http://techrepublic.com.com/5100-6268-1058178.html?tag=viewfull

Deb :))
0
 
LVL 7

Assisted Solution

by:PaulADavis
PaulADavis earned 125 total points
have you checked on the replication configuration in AD Sites and Services..... possibly something is wrong there.
check under your default-first-site to see which computers are listed under the servers container.....if your new dc is not there then that could be the problem.
you can add the server by right-clicking on the servers container.

if the server is there then you can check on the ntds settings of your servers to see what the replication settings are, or you also have the ability to make a "new connection" if the new server isn't listed.

also, in the properties of the new dc (in AD users and computers), check "trust computer for delegation" .....

also, in dns, check up on your srv records under your forward lookup zone (_msdcs, _tcp, etc)... check that your new dc is listed and whether it has records similar to your other dc's (ldap, etc).

just for kicks.... is the file replication service running on the new dc?
0
 

Author Comment

by:jvieira
Here are the results of dcdiag:


Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Edison\USNJ-DC2
      Starting test: Connectivity
         ......................... USNJ-DC2 passed test Connectivity

Doing primary tests
   
   Testing server: Edison\USNJ-DC2
      Starting test: Replications
         ......................... USNJ-DC2 passed test Replications
      Starting test: NCSecDesc
         Error US\Domain Controllers doesn't have
            Replicating Directory Changes All
         access rights for the naming context:
         DC=us,DC=DMR
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes All
         access rights for the naming context:
         CN=Schema,CN=Configuration,DC=DMR
         Error BUILTIN\Administrators doesn't have
            Replicating Directory Changes All
         access rights for the naming context:
         CN=Schema,CN=Configuration,DC=DMR
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes All
         access rights for the naming context:
         CN=Configuration,DC=DMR
         Error BUILTIN\Administrators doesn't have
            Replicating Directory Changes All
         access rights for the naming context:
         CN=Configuration,DC=DMR
         ......................... USNJ-DC2 failed test NCSecDesc
      Starting test: NetLogons
         ......................... USNJ-DC2 passed test NetLogons
      Starting test: Advertising
         ......................... USNJ-DC2 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... USNJ-DC2 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... USNJ-DC2 passed test RidManager
      Starting test: MachineAccount
         ......................... USNJ-DC2 passed test MachineAccount
      Starting test: Services
         ......................... USNJ-DC2 passed test Services
      Starting test: ObjectsReplicated
         ......................... USNJ-DC2 passed test ObjectsReplicated
      Starting test: frssysvol
         ......................... USNJ-DC2 passed test frssysvol
      Starting test: frsevent
         ......................... USNJ-DC2 passed test frsevent
      Starting test: kccevent
         ......................... USNJ-DC2 passed test kccevent
      Starting test: systemlog
         ......................... USNJ-DC2 passed test systemlog
      Starting test: VerifyReferences
         Some objects relating to the DC USNJ-DC2 have problems:
            [1] Problem: Missing Expected Value

             Base Object: CN=USNJ-DC2,OU=Domain Controllers,DC=us,DC=DMR

             Base Object Description: "DC Account Object"

             Value Object Attribute Name: frsComputerReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
            [1] Problem: Missing Expected Value

             Base Object:

            CN=NTDS Settings,CN=USNJ-DC2,CN=Servers,CN=Edison,CN=Sites,CN=Configuration,DC=DMR

             Base Object Description: "DSA Object"

             Value Object Attribute Name: serverReferenceBL

             Value Object Description: "SYSVOL FRS Member Object"

             Recommended Action: See Knowledge Base Article: Q312862

             
         ......................... USNJ-DC2 failed test VerifyReferences
   
   Running partition tests on : us
      Starting test: CrossRefValidation
         ......................... us passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... us passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running enterprise tests on : DMR
      Starting test: Intersite
         ......................... DMR passed test Intersite
      Starting test: FsmoCheck
         ......................... DMR passed test FsmoCheck


I think everything is ok
0
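
Added example (not part of the original thread or any poster's code): the dcdiag run above reports NCSecDesc and VerifyReferences as failed among many passed lines, and a small parser makes those verdicts, their missing attributes and KB references easy to pull out of saved output. The sample text is constructed in the same layout with placeholder names.

```python
import re

# Constructed sample in the dcdiag text layout (abbreviated); DC-EXAMPLE
# and DC=example are placeholder names, not values from the thread.
SAMPLE = """\
      Starting test: Replications
         ......................... DC-EXAMPLE passed test Replications
      Starting test: NCSecDesc
         Error NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes All
         access rights for the naming context:
         CN=Configuration,DC=example
         ......................... DC-EXAMPLE failed test NCSecDesc
      Starting test: VerifyReferences
            [1] Problem: Missing Expected Value
             Base Object: CN=DC-EXAMPLE,OU=Domain Controllers,DC=example
             Value Object Attribute Name: frsComputerReferenceBL
             Recommended Action: See Knowledge Base Article: Q312862
         ......................... DC-EXAMPLE failed test VerifyReferences
"""

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s+(.+?) (passed|failed) test (\S+)")
ATTR = re.compile(r"Value Object Attribute Name:\s*(\S+)")
KB = re.compile(r"Knowledge Base Article:\s*(Q\d+)")

def summarize(text):
    """Return one record per test verdict, with the detail lines before it."""
    records, detail = [], []
    for line in text.splitlines():
        m = RESULT.match(line)
        if START.match(line):
            detail = []                      # new test: drop earlier detail
        elif not m:
            detail.append(line)              # Error/Problem lines for this test
        else:
            body = "\n".join(detail)
            records.append({
                "target": m.group(1), "status": m.group(2), "test": m.group(3),
                "errors": sum(d.strip().startswith("Error ") for d in detail),
                "missing_attrs": ATTR.findall(body),
                "kb": sorted(set(KB.findall(body))),
            })
            detail = []
    return records

def failed(text):
    return [r for r in summarize(text) if r["status"] == "failed"]
if __name__ == "__main__": print(failed(SAMPLE))
```

To use it on a real run, pass the text of a saved dcdiag report to `failed()` instead of `SAMPLE`.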
 

Author Comment

by:jvieira
I checked all the sites and services, DNS, and DC settings and they all look correct.  The file replication service is running.  The only odd thing is that I get one Event Viewer error from File Replication Service:
Type: Warning
Source: NtFrs
Category: None
Event ID: 13562

Description:
Event Type:      Warning
Event Source:      NtFrs
Event Category:      None
Event ID:      13562
Date:            3/8/2004
Time:            4:42:31 PM
User:            N/A
Computer:      USNJ-DC2
Description:
Following is the summary of warnings and errors encountered by File Replication Service while polling the Domain Controller usnj-dc2.us.dmr for FRS replica set configuration information.
 
 Could not find computer object for this computer. Will try again at next polling cycle.

------

But the error only came up once and I can't find this exact error on the Microsoft site.
 
 
0
 
LVL 20

Accepted Solution

by:
Debsyl99 earned 125 total points
0
 
LVL 7

Expert Comment

by:PaulADavis
don't know if you had a chance to check out the KB article mentioned in the dcdiag output, but it offers some interesting solutions.....

http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q312862
0
 

Author Comment

by:jvieira
I tried the fix from the google search but it didn't work.

-Stop the File Replication Service on the failing DC
-Set the "BurFlags" Value in the following registry key to "D2"(DWORD):
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

-Start the File Replication Service.

After that the Sysvol Folder should be reinitialized with the contents of
the other DC's.
0
 

Author Comment

by:jvieira
I used ADSIEdit to look to see if there was anything missing and there was a lot missing for this DC.  I'm tempted to just demote the DC, wait for it to replicate to all DCs and then repromote it as a DC again.  Is there an easier way or should I do this?
0
 
LVL 7

Expert Comment

by:PaulADavis
have you used replmon to see what it says about replication errors?

you could demote and repromote but what if the problem is related to something in the os.... then you might have the same problem when you make it a dc again.

if you can't find a solution and need to get this over with, then why not go for the all out reinstall?
0
 
LVL 20

Expert Comment

by:Debsyl99
Hi again,

It may well be easier to demote and then re-promote, but given the replication problems it is possible that the demotion may fail, so you need to be prepared for this.
How do I remove Active Directory (AD) if the demotion failed?
http://www.winnetmag.com/windowsnt20002003faq/Article/ArticleID/19746/windowsnt20002003faq_19746.html
Using the DCPROMO /FORCEREMOVAL Command to Force the Demotion of Active Directory Domain Controllers
http://support.microsoft.com/default.aspx?scid=kb;en-us;332199&Product=win2000

Deb :))
0
 

Author Comment

by:jvieira
I rebuilt the machine from scratch and all is working fine.  I needed it resolved quickly.

Thank you both for your input.
0
 

Author Comment

by:jvieira
Is there a way to split points to both of you?
0
 
LVL 7

Expert Comment

by:PaulADavis
You split the points. Scroll down to the bottom of the question and click the "Split Points" link at the bottom of the page. Select the radio button of the comment who you want to Accept as the answer. Only one button can be selected. Set the point value (a text box above the comment) of how much you want this person to receive of the points. Then set the point values for each of the experts comments to whom you want to allocate points and these will be considered Assisted answers in helping you resolve the issue. Double check your information and then click the Submit button at the bottom of the page. One note: the total points of the splits must equal the amount you asked the question for itself, and no person can receive fewer than 20 points.

this is from the faq section of this site :-)

well, glad to hear that all is well.....

thank you and all the best to you....
0
