?
Solved

SYSVOL Replication broken on one DC

Posted on 2008-06-17
8
Medium Priority
?
754 Views
Last Modified: 2012-08-13
For one reason or another, there is a missing NTFRSSubscriber object in AD for a particular domain controller, which is causing SYSVOL replication to fail for that DC.  We have 10 DCs and replication between nine of them is fine, with just the one that is missing the NTFRSSubscriber object causing a problem.  Obvious problems are as you would expect, e.g. NETLOGON share and group policy not replicating properly.

I've used FRSDiag to troubleshoot this and I've read the MS articles on how to replace these objects and the architecture of FRS so I'm comfortable with what I need to do to fix this.  I've also tested it several times in my test lab successfully.  I've read these links:

http://technet2.microsoft.com/windowsserver/en/library/7636aede-a944-4765-8973-40dc1e1f2d561033.mspx?mfr=true

http://support.microsoft.com/kb/312862

http://support.microsoft.com/default.aspx?kbid=811219

http://support.microsoft.com/kb/315457

The only issue I have is that this problem has very likely been around for a long time and I don't know (and cannot test) the implications of bringing a server back into the SYSVOL replication after being out for so long.

Does anyone have any practical experience of this situation?

I have system state backups, GPO backups and copies of the NETLOGON scripts that I need.
0
Comment
Question by:Wilkip
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
8 Comments
 
LVL 13

Expert Comment

by:ocon827679
ID: 21805533
Use the procedure in: http://support.microsoft.com/kb/290762/en-us to do a non-authoritative restore of sysvol from the problem machine.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 21807268
The simple way to fix this is to demote this DC and then rerun DCPROMO.

Since you already have 9 more DCs, the implications shouldn't be a problem unless Exchange is installed.

What else is installed on this server?  (Applications).
0
 

Author Comment

by:Wilkip
ID: 21807513
Hi, thanks for the replies.

Ocon827679 - I did think about doing that but will that procedure actually replace the missing ntfrssubcriber object?  From the testing I've done in my lab I can simply add that object back in and the DC starts replicating again so I'm fairly sure that will fix the problem.  Admittedly, I manually deleted it, left it for a day or so for the errors to buiild up then replaced it again.  The thing I'm not sure about is if having been out of the loop for so long it will cause any problems.  I don't think it will but I wanted to check!  I don't know how long it has been like this as I have only recently joined the company.

Netman66 - In my lab testing I was unable to demote a DC where the NETLOGON share was not replicating.  Could I force a demotion?  The server in question currently holds a lot of the FSMO roles but these can be moved without problem.

Don't get me wrong, I'm grateful for the comments, I just want to understand exactly what I'm doing here.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:Wilkip
ID: 21807533
Additional comment - the DC in question doesn't have any other apps on it, no Exchange or anything like that.
0
 
LVL 51

Expert Comment

by:Netman66
ID: 21808053
If you can Transfer the roles and make at least one more GC (and be certain everything took hold) then you can run: dcpromo /forceremoval

This will nuke AD from this server.
You will then need to clean up all the records from this server in DNS, delete the server object (if it exists) from AD Sites and Services and also do a Metadata cleanup: http://support.microsoft.com/kb/216498

You can also D2 the server to allow replication to re-establish, but if it cannot replicate properly you're no further ahead.

0
 

Author Comment

by:Wilkip
ID: 21810858
Does anybody think it worth following the procedure in the follwoing KB article?  The part under 'Recovering deleted FRS subscriber objects'

http://support.microsoft.com/kb/312862

This I what I've been doing in my testing and it seems to work OK, it was just tha fact that it hasn't been replicating for a while.

If this isn't worth trying then I'll force a demotion but it seems to me that simply replacing the missing object would be the easiest way to go.

What I'm really looking for is someone to say "No you don't want to do that because of (whatever)" or "That should be OK and is worth a try before forcing a demtion and having to do the cleanup"  I know the cleanup won't take long, I've done them before, I just want to make this a learning experience so I know the options if I ever see this scenario again.
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 1000 total points
ID: 21811491
As long as you're careful with what you're touching in ADSIedit, then you could try that.  Being out of date is fine, everything will get overwritten anyway since the other DCs have newer content.

0
 

Accepted Solution

by:
Wilkip earned 0 total points
ID: 21812102
OK, excellent,  That's what I wanted to hear :o)  I've done this many times in the lab so I'm happy that I know what I'm replacing and I'm used to working in ADSIEdit.

I'll give it a go and see.  If it doesn't work then I'll force the demotion and start again.

Back in a bit
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

800 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question