SYSVOL Replication broken on one DC
For one reason or another, there is a missing NTFRSSubscriber object in AD for a particular domain controller, which is causing SYSVOL replication to fail for that DC. We have 10 DCs and replication between nine of them is fine, with just the one that is missing the NTFRSSubscriber object causing a problem. Obvious problems are as you would expect, e.g. NETLOGON share and group policy not replicating properly.
I've used FRSDiag to troubleshoot this and I've read the MS articles on how to replace these objects and the architecture of FRS so I'm comfortable with what I need to do to fix this. I've also tested it several times in my test lab successfully. I've read these links:
http://technet2.microsoft.com/windowsserver/en/library/7636aede-a944-4765-8973-40dc1e1f2d561033.mspx?mfr=true
http://support.microsoft.com/kb/312862
http://support.microsoft.com/default.aspx?kbid=811219
http://support.microsoft.com/kb/315457
The only issue I have is that this problem has very likely been around for a long time and I don't know (and cannot test) the implications of bringing a server back into the SYSVOL replication after being out for so long.
Does anyone have any practical experience of this situation?
I have system state backups, GPO backups and copies of the NETLOGON scripts that I need.
I've used FRSDiag to troubleshoot this and I've read the MS articles on how to replace these objects and the architecture of FRS so I'm comfortable with what I need to do to fix this. I've also tested it several times in my test lab successfully. I've read these links:
http://technet2.microsoft.com/windowsserver/en/library/7636aede-a944-4765-8973-40dc1e1f2d561033.mspx?mfr=true
http://support.microsoft.com/kb/312862
http://support.microsoft.com/default.aspx?kbid=811219
http://support.microsoft.com/kb/315457
The only issue I have is that this problem has very likely been around for a long time and I don't know (and cannot test) the implications of bringing a server back into the SYSVOL replication after being out for so long.
Does anyone have any practical experience of this situation?
I have system state backups, GPO backups and copies of the NETLOGON scripts that I need.
ocon827679
Use the procedure in: http://support.microsoft.com/kb/290762/en-us to do a non-authoritative restore of sysvol from the problem machine.
The simple way to fix this is to demote this DC and then rerun DCPROMO.
Since you already have 9 more DCs, the implications shouldn't be a problem unless Exchange is installed.
What else is installed on this server? (Applications).
Since you already have 9 more DCs, the implications shouldn't be a problem unless Exchange is installed.
What else is installed on this server? (Applications).
ASKER
Hi, thanks for the replies.
Ocon827679 - I did think about doing that but will that procedure actually replace the missing ntfrssubcriber object? From the testing I've done in my lab I can simply add that object back in and the DC starts replicating again so I'm fairly sure that will fix the problem. Admittedly, I manually deleted it, left it for a day or so for the errors to buiild up then replaced it again. The thing I'm not sure about is if having been out of the loop for so long it will cause any problems. I don't think it will but I wanted to check! I don't know how long it has been like this as I have only recently joined the company.
Netman66 - In my lab testing I was unable to demote a DC where the NETLOGON share was not replicating. Could I force a demotion? The server in question currently holds a lot of the FSMO roles but these can be moved without problem.
Don't get me wrong, I'm grateful for the comments, I just want to understand exactly what I'm doing here.
Ocon827679 - I did think about doing that but will that procedure actually replace the missing ntfrssubcriber object? From the testing I've done in my lab I can simply add that object back in and the DC starts replicating again so I'm fairly sure that will fix the problem. Admittedly, I manually deleted it, left it for a day or so for the errors to buiild up then replaced it again. The thing I'm not sure about is if having been out of the loop for so long it will cause any problems. I don't think it will but I wanted to check! I don't know how long it has been like this as I have only recently joined the company.
Netman66 - In my lab testing I was unable to demote a DC where the NETLOGON share was not replicating. Could I force a demotion? The server in question currently holds a lot of the FSMO roles but these can be moved without problem.
Don't get me wrong, I'm grateful for the comments, I just want to understand exactly what I'm doing here.
ASKER
Additional comment - the DC in question doesn't have any other apps on it, no Exchange or anything like that.
If you can Transfer the roles and make at least one more GC (and be certain everything took hold) then you can run: dcpromo /forceremoval
This will nuke AD from this server.
You will then need to clean up all the records from this server in DNS, delete the server object (if it exists) from AD Sites and Services and also do a Metadata cleanup: http://support.microsoft.com/kb/216498
You can also D2 the server to allow replication to re-establish, but if it cannot replicate properly you're no further ahead.
This will nuke AD from this server.
You will then need to clean up all the records from this server in DNS, delete the server object (if it exists) from AD Sites and Services and also do a Metadata cleanup: http://support.microsoft.com/kb/216498
You can also D2 the server to allow replication to re-establish, but if it cannot replicate properly you're no further ahead.
ASKER
Does anybody think it worth following the procedure in the follwoing KB article? The part under 'Recovering deleted FRS subscriber objects'
http://support.microsoft.com/kb/312862
This I what I've been doing in my testing and it seems to work OK, it was just tha fact that it hasn't been replicating for a while.
If this isn't worth trying then I'll force a demotion but it seems to me that simply replacing the missing object would be the easiest way to go.
What I'm really looking for is someone to say "No you don't want to do that because of (whatever)" or "That should be OK and is worth a try before forcing a demtion and having to do the cleanup" I know the cleanup won't take long, I've done them before, I just want to make this a learning experience so I know the options if I ever see this scenario again.
http://support.microsoft.com/kb/312862
This I what I've been doing in my testing and it seems to work OK, it was just tha fact that it hasn't been replicating for a while.
If this isn't worth trying then I'll force a demotion but it seems to me that simply replacing the missing object would be the easiest way to go.
What I'm really looking for is someone to say "No you don't want to do that because of (whatever)" or "That should be OK and is worth a try before forcing a demtion and having to do the cleanup" I know the cleanup won't take long, I've done them before, I just want to make this a learning experience so I know the options if I ever see this scenario again.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.