Solved

SYSVOL Replication broken on one DC

Posted on 2008-06-17
Last Modified: 2012-08-13
For one reason or another, there is a missing NTFRSSubscriber object in AD for a particular domain controller, which is causing SYSVOL replication to fail for that DC.  We have 10 DCs and replication between nine of them is fine, with just the one that is missing the NTFRSSubscriber object causing a problem.  Obvious problems are as you would expect, e.g. NETLOGON share and group policy not replicating properly.

I've used FRSDiag to troubleshoot this and I've read the MS articles on how to replace these objects and the architecture of FRS so I'm comfortable with what I need to do to fix this.  I've also tested it several times in my test lab successfully.  I've read these links:

http://technet2.microsoft.com/windowsserver/en/library/7636aede-a944-4765-8973-40dc1e1f2d561033.mspx?mfr=true

http://support.microsoft.com/kb/312862

http://support.microsoft.com/default.aspx?kbid=811219

http://support.microsoft.com/kb/315457

The only issue I have is that this problem has very likely been around for a long time and I don't know (and cannot test) the implications of bringing a server back into the SYSVOL replication after being out for so long.

Does anyone have any practical experience of this situation?

I have system state backups, GPO backups and copies of the NETLOGON scripts that I need.
Question by:Wilkip
8 Comments
 
LVL 13

Expert Comment

by:ocon827679
ID: 21805533
Use the procedure in: http://support.microsoft.com/kb/290762/en-us to do a non-authoritative restore of sysvol from the problem machine.
 
LVL 51

Expert Comment

by:Netman66
ID: 21807268
The simple way to fix this is to demote this DC and then rerun DCPROMO.

Since you already have 9 more DCs, the implications shouldn't be a problem unless Exchange is installed.

What else is installed on this server?  (Applications).
 

Author Comment

by:Wilkip
ID: 21807513
Hi, thanks for the replies.

Ocon827679 - I did think about doing that but will that procedure actually replace the missing NTFRSSubscriber object?  From the testing I've done in my lab I can simply add that object back in and the DC starts replicating again so I'm fairly sure that will fix the problem.  Admittedly, I manually deleted it, left it for a day or so for the errors to build up then replaced it again.  The thing I'm not sure about is if having been out of the loop for so long it will cause any problems.  I don't think it will but I wanted to check!  I don't know how long it has been like this as I have only recently joined the company.

Netman66 - In my lab testing I was unable to demote a DC where the NETLOGON share was not replicating.  Could I force a demotion?  The server in question currently holds a lot of the FSMO roles but these can be moved without problem.

Don't get me wrong, I'm grateful for the comments, I just want to understand exactly what I'm doing here.

Author Comment

by:Wilkip
ID: 21807533
Additional comment - the DC in question doesn't have any other apps on it, no Exchange or anything like that.
 
LVL 51

Expert Comment

by:Netman66
ID: 21808053
If you can Transfer the roles and make at least one more GC (and be certain everything took hold) then you can run: dcpromo /forceremoval

This will nuke AD from this server.
You will then need to clean up all the records from this server in DNS, delete the server object (if it exists) from AD Sites and Services and also do a Metadata cleanup: http://support.microsoft.com/kb/216498

You can also D2 the server to allow replication to re-establish, but if it cannot replicate properly you're no further ahead.

 

Author Comment

by:Wilkip
ID: 21810858
Does anybody think it worth following the procedure in the following KB article?  The part under 'Recovering deleted FRS subscriber objects'

http://support.microsoft.com/kb/312862

This is what I've been doing in my testing and it seems to work OK, it was just the fact that it hasn't been replicating for a while.

If this isn't worth trying then I'll force a demotion but it seems to me that simply replacing the missing object would be the easiest way to go.

What I'm really looking for is someone to say "No you don't want to do that because of (whatever)" or "That should be OK and is worth a try before forcing a demotion and having to do the cleanup".  I know the cleanup won't take long, I've done them before, I just want to make this a learning experience so I know the options if I ever see this scenario again.
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 250 total points
ID: 21811491
As long as you're careful with what you're touching in ADSIedit, then you could try that.  Being out of date is fine, everything will get overwritten anyway since the other DCs have newer content.

 

Accepted Solution

by:Wilkip
Wilkip earned 0 total points
ID: 21812102
OK, excellent.  That's what I wanted to hear :o)  I've done this many times in the lab so I'm happy that I know what I'm replacing and I'm used to working in ADSIEdit.

I'll give it a go and see.  If it doesn't work then I'll force the demotion and start again.

Back in a bit
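
A read-only check for the condition discussed in this thread, added here as an example and not posted by any participant: it reports which domain controllers have no SYSVOL nTFRSSubscriber object, or one with an empty fRSMemberReference. The function name, the status labels and the `example.test` sample data are hypothetical, and the live-data lines in the closing comments assume the ActiveDirectory module is available.

```powershell
# Added example (not from the thread). Read-only: nothing is written to AD.
# The SYSVOL subscriber object sits at this fixed path below each DC's computer object.
$SysvolCn = 'CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,'

function Find-MissingFrsSubscriber {
    param(
        [Parameter(Mandatory)] [string[]] $DcComputerDn,  # DN of each DC computer object
        [object[]] $Subscriber = @()   # objects with DistinguishedName and fRSMemberReference
    )
    foreach ($dc in $DcComputerDn) {
        $expected = $SysvolCn + $dc
        $match = $Subscriber | Where-Object {
            [string]::Equals($_.DistinguishedName, $expected,
                             [StringComparison]::OrdinalIgnoreCase)
        } | Select-Object -First 1

        $status = 'OK'
        if (-not $match) { $status = 'Missing' }
        elseif ([string]::IsNullOrEmpty($match.fRSMemberReference)) {
            # Object exists but is not linked to an nTFRSMember object.
            $status = 'NoMemberReference'
        }
        [pscustomobject]@{ DomainController = $dc; Status = $status }
    }
}

# Constructed sample data (example.test is a placeholder domain).
$dcs = 'DC01', 'DC02', 'DC03' |
    ForEach-Object { "CN=$_,OU=Domain Controllers,DC=example,DC=test" }
$memberBase = 'CN=Domain System Volume (SYSVOL share),' +
              'CN=File Replication Service,CN=System,DC=example,DC=test'
$subs = @(
    [pscustomobject]@{ DistinguishedName  = $SysvolCn + $dcs[0]
                       fRSMemberReference = "CN=DC01,$memberBase" }
    [pscustomobject]@{ DistinguishedName  = $SysvolCn + $dcs[1]
                       fRSMemberReference = $null }
)   # DC03 deliberately has no subscriber object

Find-MissingFrsSubscriber -DcComputerDn $dcs -Subscriber $subs | Format-Table -AutoSize

# Live data instead of the sample (assumes the ActiveDirectory module):
#   $dcs  = (Get-ADDomainController -Filter *).ComputerObjectDN
#   $subs = Get-ADObject -LDAPFilter '(objectClass=nTFRSSubscriber)' `
#             -SearchBase (Get-ADDomain).DomainControllersContainer `
#             -Properties fRSMemberReference
```

The live query assumes the DC computer objects are still in the default Domain Controllers container.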