Solved

SYSVOL Replication broken on one DC

Posted on 2008-06-17
8
744 Views
Last Modified: 2012-08-13
For one reason or another, there is a missing NTFRSSubscriber object in AD for a particular domain controller, which is causing SYSVOL replication to fail for that DC.  We have 10 DCs and replication between nine of them is fine, with just the one that is missing the NTFRSSubscriber object causing a problem.  Obvious problems are as you would expect, e.g. NETLOGON share and group policy not replicating properly.

I've used FRSDiag to troubleshoot this and I've read the MS articles on how to replace these objects and the architecture of FRS so I'm comfortable with what I need to do to fix this.  I've also tested it several times in my test lab successfully.  I've read these links:

http://technet2.microsoft.com/windowsserver/en/library/7636aede-a944-4765-8973-40dc1e1f2d561033.mspx?mfr=true

http://support.microsoft.com/kb/312862

http://support.microsoft.com/default.aspx?kbid=811219

http://support.microsoft.com/kb/315457

The only issue I have is that this problem has very likely been around for a long time and I don't know (and cannot test) the implications of bringing a server back into the SYSVOL replication after being out for so long.

Does anyone have any practical experience of this situation?

I have system state backups, GPO backups and copies of the NETLOGON scripts that I need.
0
Comment
Question by:Wilkip
  • 4
  • 3
8 Comments
 
LVL 13

Expert Comment

by:ocon827679
Comment Utility
Use the procedure in: http://support.microsoft.com/kb/290762/en-us to do a non-authoritative restore of sysvol from the problem machine.
0
 
LVL 51

Expert Comment

by:Netman66
Comment Utility
The simple way to fix this is to demote this DC and then rerun DCPROMO.

Since you already have 9 more DCs, the implications shouldn't be a problem unless Exchange is installed.

What else is installed on this server?  (Applications).
0
 

Author Comment

by:Wilkip
Comment Utility
Hi, thanks for the replies.

Ocon827679 - I did think about doing that but will that procedure actually replace the missing ntfrssubcriber object?  From the testing I've done in my lab I can simply add that object back in and the DC starts replicating again so I'm fairly sure that will fix the problem.  Admittedly, I manually deleted it, left it for a day or so for the errors to buiild up then replaced it again.  The thing I'm not sure about is if having been out of the loop for so long it will cause any problems.  I don't think it will but I wanted to check!  I don't know how long it has been like this as I have only recently joined the company.

Netman66 - In my lab testing I was unable to demote a DC where the NETLOGON share was not replicating.  Could I force a demotion?  The server in question currently holds a lot of the FSMO roles but these can be moved without problem.

Don't get me wrong, I'm grateful for the comments, I just want to understand exactly what I'm doing here.
0
 

Author Comment

by:Wilkip
Comment Utility
Additional comment - the DC in question doesn't have any other apps on it, no Exchange or anything like that.
0
6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

 
LVL 51

Expert Comment

by:Netman66
Comment Utility
If you can Transfer the roles and make at least one more GC (and be certain everything took hold) then you can run: dcpromo /forceremoval

This will nuke AD from this server.
You will then need to clean up all the records from this server in DNS, delete the server object (if it exists) from AD Sites and Services and also do a Metadata cleanup: http://support.microsoft.com/kb/216498

You can also D2 the server to allow replication to re-establish, but if it cannot replicate properly you're no further ahead.

0
 

Author Comment

by:Wilkip
Comment Utility
Does anybody think it worth following the procedure in the follwoing KB article?  The part under 'Recovering deleted FRS subscriber objects'

http://support.microsoft.com/kb/312862

This I what I've been doing in my testing and it seems to work OK, it was just tha fact that it hasn't been replicating for a while.

If this isn't worth trying then I'll force a demotion but it seems to me that simply replacing the missing object would be the easiest way to go.

What I'm really looking for is someone to say "No you don't want to do that because of (whatever)" or "That should be OK and is worth a try before forcing a demtion and having to do the cleanup"  I know the cleanup won't take long, I've done them before, I just want to make this a learning experience so I know the options if I ever see this scenario again.
0
 
LVL 51

Assisted Solution

by:Netman66
Netman66 earned 250 total points
Comment Utility
As long as you're careful with what you're touching in ADSIedit, then you could try that.  Being out of date is fine, everything will get overwritten anyway since the other DCs have newer content.

0
 

Accepted Solution

by:
Wilkip earned 0 total points
Comment Utility
OK, excellent,  That's what I wanted to hear :o)  I've done this many times in the lab so I'm happy that I know what I'm replacing and I'm used to working in ADSIEdit.

I'll give it a go and see.  If it doesn't work then I'll force the demotion and start again.

Back in a bit
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Companies that have implemented Microsoft’s Active Directory need to ensure that the Active Directory is configured and operating properly. If there are issues found and not resolved, it eventually leads the components to fail or stop working and fi…
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

7 Experts available now in Live!

Get 1:1 Help Now