Solved

SYSVOL Replication broken on one DC

Posted on 2008-06-17
8
746 Views
Last Modified: 2012-08-13
For one reason or another, there is a missing NTFRSSubscriber object in AD for a particular domain controller, which is causing SYSVOL replication to fail for that DC.  We have 10 DCs and replication between nine of them is fine, with just the one that is missing the NTFRSSubscriber object causing a problem.  Obvious problems are as you would expect, e.g. NETLOGON share and group policy not replicating properly.

I've used FRSDiag to troubleshoot this and I've read the MS articles on how to replace these objects and the architecture of FRS so I'm comfortable with what I need to do to fix this.  I've also tested it several times in my test lab successfully.  I've read these links:

http://technet2.microsoft.com/windowsserver/en/library/7636aede-a944-4765-8973-40dc1e1f2d561033.mspx?mfr=true

http://support.microsoft.com/kb/312862

http://support.microsoft.com/default.aspx?kbid=811219

http://support.microsoft.com/kb/315457

The only issue I have is that this problem has very likely been around for a long time and I don't know (and cannot test) the implications of bringing a server back into the SYSVOL replication after being out for so long.

Does anyone have any practical experience of this situation?

I have system state backups, GPO backups and copies of the NETLOGON scripts that I need.
0
Comment
Question by:Wilkip
  • 4
  • 3
8 Comments
 
LVL 13

Expert Comment

by:ocon827679
ID: 21805533
Use the procedure in: http://support.microsoft.com/kb/290762/en-us to do a non-authoritative restore of sysvol from the problem machine.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 21807268
The simple way to fix this is to demote this DC and then rerun DCPROMO.

Since you already have 9 more DCs, the implications shouldn't be a problem unless Exchange is installed.

What else is installed on this server?  (Applications).
0
 

Author Comment

by:Wilkip
ID: 21807513
Hi, thanks for the replies.

Ocon827679 - I did think about doing that but will that procedure actually replace the missing ntfrssubcriber object?  From the testing I've done in my lab I can simply add that object back in and the DC starts replicating again so I'm fairly sure that will fix the problem.  Admittedly, I manually deleted it, left it for a day or so for the errors to buiild up then replaced it again.  The thing I'm not sure about is if having been out of the loop for so long it will cause any problems.  I don't think it will but I wanted to check!  I don't know how long it has been like this as I have only recently joined the company.

Netman66 - In my lab testing I was unable to demote a DC where the NETLOGON share was not replicating.  Could I force a demotion?  The server in question currently holds a lot of the FSMO roles but these can be moved without problem.

Don't get me wrong, I'm grateful for the comments, I just want to understand exactly what I'm doing here.
0
 

Author Comment

by:Wilkip
ID: 21807533
Additional comment - the DC in question doesn't have any other apps on it, no Exchange or anything like that.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 51

Expert Comment

by:Netman66
ID: 21808053
If you can Transfer the roles and make at least one more GC (and be certain everything took hold) then you can run: dcpromo /forceremoval

This will nuke AD from this server.
You will then need to clean up all the records from this server in DNS, delete the server object (if it exists) from AD Sites and Services and also do a Metadata cleanup: http://support.microsoft.com/kb/216498

You can also D2 the server to allow replication to re-establish, but if it cannot replicate properly you're no further ahead.

0
 

Author Comment

by:Wilkip
ID: 21810858
Does anybody think it worth following the procedure in the follwoing KB article?  The part under 'Recovering deleted FRS subscriber objects'

http://support.microsoft.com/kb/312862

This I what I've been doing in my testing and it seems to work OK, it was just tha fact that it hasn't been replicating for a while.

If this isn't worth trying then I'll force a demotion but it seems to me that simply replacing the missing object would be the easiest way to go.

What I'm really looking for is someone to say "No you don't want to do that because of (whatever)" or "That should be OK and is worth a try before forcing a demtion and having to do the cleanup"  I know the cleanup won't take long, I've done them before, I just want to make this a learning experience so I know the options if I ever see this scenario again.
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 250 total points
ID: 21811491
As long as you're careful with what you're touching in ADSIedit, then you could try that.  Being out of date is fine, everything will get overwritten anyway since the other DCs have newer content.

0
 

Accepted Solution

by:
Wilkip earned 0 total points
ID: 21812102
OK, excellent,  That's what I wanted to hear :o)  I've done this many times in the lab so I'm happy that I know what I'm replacing and I'm used to working in ADSIEdit.

I'll give it a go and see.  If it doesn't work then I'll force the demotion and start again.

Back in a bit
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now