Promoting Server 2003 to a Domain Controller would not replicate files and the SYSVOL share

afamm
Hello Guys,
I had 3 Windows 2003 servers and a domain controller. I installed another server and promoted it to a domain controller. The promotion came up as successful but it would not show the SYSVOL share. I also happen to see that I am getting error 8026 on the old domain controller which originally had Exchange Server (LDAP bind was unsuccessful on directory Mailserver.local for distinguished name xxxxxxxx server down (connection agreement 'config CA_XXX_Mailserver' #3504)).
I am also getting error 13508 without 13509 on the newly promoted server.
I have forced replication and have run the repadmin /showreps command on the old DC and it has come up with errors.
Is this a DNS issue? Any suggestions?
Top Expert 2012

Commented:
It could be a couple of issues. Do the DCs point only to internal DNS servers? Can you post the repadmin results? Make sure that the DCs point only to internal DNS servers. Also, restart the Netlogon service.
Henrik Johansson, Systems engineer
Top Expert 2008

Commented:
Either DNS or firewall issue.
See http://support.microsoft.com/kb/555381 about how to configure firewall for DC-communication.

Author

Commented:
DNS server is installed on both DCs and each has its DNS pointing to itself. Originally the second DC had its DNS pointing to the IP address of the first DC (which was the only DNS server on the network before the new DC was added).
The repadmin result is as follows:

C:\Documents and Settings\Administrator>repadmin /showreps
Default-First-Site-Name\DELL1
DSA Options : IS_GC
objectGuid  : 4b77d825-ffdc-4e03-8be3-b14f8398463f
invocationID: 4b77d825-ffdc-4e03-8be3-b14f8398463f

==== INBOUND NEIGHBORS ======================================

DC=LAP,DC=local
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 35320b54-0a1e-494b-85d5-29d738dd9956
        Last attempt @ 2008-09-02 21:52.17 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2008-08-29 12:26.58.
        106 consecutive failure(s).
    Default-First-Site-Name\DELL2 via RPC
        objectGuid: ac9bdcba-e7cb-4e36-85e3-c135b74897da
        Last attempt @ 2008-09-02 21:52.18 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2008-09-02 17:10.45.
        5 consecutive failure(s).
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 0a3655c8-1025-45c7-b213-dad3044152b0
        Last attempt @ 2008-09-02 21:52.18 was successful.

CN=Configuration,DC=LAP,DC=local
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 35320b54-0a1e-494b-85d5-29d738dd9956
        Last attempt @ 2008-09-02 21:52.17 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2008-08-29 12:26.58.
        106 consecutive failure(s).
    Default-First-Site-Name\DELL2 via RPC
        objectGuid: ac9bdcba-e7cb-4e36-85e3-c135b74897da
        Last attempt @ 2008-09-02 21:52.17 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2008-09-02 17:10.45.
        5 consecutive failure(s).
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 0a3655c8-1025-45c7-b213-dad3044152b0
        Last attempt @ 2008-09-02 22:03.41 was successful.

CN=Schema,CN=Configuration,DC=LAP,DC=local
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 35320b54-0a1e-494b-85d5-29d738dd9956
        Last attempt @ 2008-09-02 21:52.17 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2008-08-29 12:26.58.
        106 consecutive failure(s).
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 0a3655c8-1025-45c7-b213-dad3044152b0
        Last attempt @ 2008-09-02 21:52.17 was successful.
    Default-First-Site-Name\DELL2 via RPC
        objectGuid: ac9bdcba-e7cb-4e36-85e3-c135b74897da
        Last attempt @ 2008-09-02 21:52.18 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2008-09-02 17:10.45.
        5 consecutive failure(s).

DC=DomainDnsZones,DC=LAP,DC=local
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 0a3655c8-1025-45c7-b213-dad3044152b0
        Last attempt @ 2008-09-02 21:52.18 was successful.

DC=ForestDnsZones,DC=LAP,DC=local
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 0a3655c8-1025-45c7-b213-dad3044152b0
        Last attempt @ 2008-09-02 21:52.18 was successful.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

DC=LAP,DC=local
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 0a3655c8-1025-45c7-b213-dad3044152b0
    Default-First-Site-Name\DELL2 via RPC
        objectGuid: ac9bdcba-e7cb-4e36-85e3-c135b74897da

CN=Configuration,DC=LAP,DC=local
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 0a3655c8-1025-45c7-b213-dad3044152b0
    Default-First-Site-Name\DELL2 via RPC
        objectGuid: ac9bdcba-e7cb-4e36-85e3-c135b74897da

CN=Schema,CN=Configuration,DC=LAP,DC=local
    Default-First-Site-Name\DELL2 via RPC
        objectGuid: ac9bdcba-e7cb-4e36-85e3-c135b74897da
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 35320b54-0a1e-494b-85d5-29d738dd9956
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 0a3655c8-1025-45c7-b213-dad3044152b0

DC=DomainDnsZones,DC=LAP,DC=local
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 0a3655c8-1025-45c7-b213-dad3044152b0

DC=ForestDnsZones,DC=LAP,DC=local
    Default-First-Site-Name\LAPB1 via RPC
        objectGuid: 0a3655c8-1025-45c7-b213-dad3044152b0

C:\Documents and Settings\Administrator>
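The repadmin output above, worked through as an added example that is not part of the original thread: a small Python triage script that parses the inbound-neighbor section of `repadmin /showreps`, lists the partners whose last attempt failed together with the error code and how long ago the last success was, and flags any partner name that shows up under more than one objectGuid. Two things in the posted output are worth noticing. Result 8524 (0x214C) is ERROR_DS_DRA_DNS_LOOKUP_FAILURE in winerror.h, so the poster's "is this a DNS issue?" is the right question. And LAPB1 appears twice with different GUIDs, one failing since 2008-08-29 and one succeeding at the same time; that pattern is typically a leftover replication link to a previous instance of the DC (rebuilt or re-promoted under the same name without a clean demotion) and is worth confirming in Sites and Services before trusting the failing link. The sample text is constructed by abbreviating the output above; the name mapping for result codes is an assumption limited to the one code on this page.

```python
"""Triage helper for `repadmin /showreps` output (added example, not from the thread)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, abbreviated from the repadmin output posted above.
SAMPLE = """\
Default-First-Site-Name\\DELL1

==== INBOUND NEIGHBORS ======================================

DC=LAP,DC=local
    Default-First-Site-Name\\LAPB1 via RPC
        objectGuid: 35320b54-0a1e-494b-85d5-29d738dd9956
        Last attempt @ 2008-09-02 21:52.17 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2008-08-29 12:26.58.
        106 consecutive failure(s).
    Default-First-Site-Name\\DELL2 via RPC
        objectGuid: ac9bdcba-e7cb-4e36-85e3-c135b74897da
        Last attempt @ 2008-09-02 21:52.18 failed, result 8524:
            Can't retrieve message string 8524 (0x214c), error 1815.
        Last success @ 2008-09-02 17:10.45.
        5 consecutive failure(s).
    Default-First-Site-Name\\LAPB1 via RPC
        objectGuid: 0a3655c8-1025-45c7-b213-dad3044152b0
        Last attempt @ 2008-09-02 21:52.18 was successful.

==== OUTBOUND NEIGHBORS FOR CHANGE NOTIFICATIONS ============

DC=LAP,DC=local
    Default-First-Site-Name\\LAPB1 via RPC
        objectGuid: 0a3655c8-1025-45c7-b213-dad3044152b0
"""

# Win32 error name for the only result code seen on this page (winerror.h).
RESULT_NAMES = {8524: "ERROR_DS_DRA_DNS_LOOKUP_FAILURE"}

TS_FMT = "%Y-%m-%d %H:%M.%S"   # repadmin writes timestamps as 2008-09-02 21:52.17
NC_RE = re.compile(r"^(?:DC|CN)=")
NEIGHBOR_RE = re.compile(r"^ {4}(\S+?)\\(\S+) via (\S+)$")
GUID_RE = re.compile(r"^\s+objectGuid: ([0-9a-f-]{36})$")
ATTEMPT_RE = re.compile(r"^\s+Last attempt @ (\S+ \S+) (?:failed, result (\d+):|was successful\.)$")
SUCCESS_RE = re.compile(r"^\s+Last success @ (\S+ \S+)\.$")
FAILS_RE = re.compile(r"^\s+(\d+) consecutive failure\(s\)\.$")


def parse_showreps(text):
    """Return one dict per inbound neighbor (naming context x replication partner)."""
    neighbors, in_inbound, nc, cur = [], False, None, None
    for line in text.splitlines():
        if line.startswith("===="):                 # section banner
            in_inbound, cur = line.startswith("==== INBOUND"), None
            continue
        if not in_inbound:
            continue
        if NC_RE.match(line):                       # naming context header
            nc, cur = line.strip(), None
            continue
        if m := NEIGHBOR_RE.match(line):
            cur = {"nc": nc, "site": m.group(1), "partner": m.group(2),
                   "transport": m.group(3), "guid": None, "ok": None, "result": 0,
                   "last_attempt": None, "last_success": None, "failures": 0}
            neighbors.append(cur)
        elif cur is None:
            continue
        elif m := GUID_RE.match(line):
            cur["guid"] = m.group(1)
        elif m := ATTEMPT_RE.match(line):
            cur["last_attempt"] = datetime.strptime(m.group(1), TS_FMT)
            cur["ok"] = m.group(2) is None
            cur["result"] = int(m.group(2)) if m.group(2) else 0
            if cur["ok"]:                           # a success is also the last success
                cur["last_success"] = cur["last_attempt"]
        elif m := SUCCESS_RE.match(line):
            cur["last_success"] = datetime.strptime(m.group(1), TS_FMT)
        elif m := FAILS_RE.match(line):
            cur["failures"] = int(m.group(1))
    return neighbors


def failing(neighbors):
    return [n for n in neighbors if n["ok"] is False]


def stale_days(n):
    """Whole days between the last successful and the last attempted replication."""
    return (n["last_attempt"] - n["last_success"]).days


def duplicate_guids(neighbors):
    """Partner names listed under more than one objectGuid (stale link candidates)."""
    seen = defaultdict(set)
    for n in neighbors:
        seen[n["partner"]].add(n["guid"])
    return {name: guids for name, guids in seen.items() if len(guids) > 1}


def describe(n):
    name = RESULT_NAMES.get(n["result"], "unknown")
    return (f"{n['nc']}: {n['partner']} ({n['guid'][:8]}) result {n['result']} {name}, "
            f"{n['failures']} failures, last success {stale_days(n)} day(s) before last attempt")


if __name__ == "__main__":
    recs = parse_showreps(SAMPLE)
    for n in failing(recs):
        print(describe(n))
    for name, guids in duplicate_guids(recs).items():
        print(f"{name} appears under {len(guids)} objectGuids: {sorted(guids)}")
```

Feed it the full output (`repadmin /showreps > reps.txt`) instead of `SAMPLE` to get the same report per naming context; the DELL2 link has only been failing for a few hours, while the failing LAPB1 GUID has not succeeded in four days, which separates a transient DNS problem from a dead partner.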

Top Expert 2012

Commented:
How much trouble would it be for you to demote and then re-promote the server? A couple of things to make sure of: make sure the FRS service is started, DFS is started, and no firewall is blocking replication. Check this link out.

http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_23599357.html

Author

Commented:
I have gone through the link and need to know how to do options a and b below. The old server was upgraded from 2000 to 2003 and I think the LDAP port was changed at the time of the migration (could that be an issue?). I need to really get to the bottom of this as my boss is running out of patience.

1) the AD NTDS (ntds.dit) was corrupted
2) the 2ndary DC was not configured properly to have the AD replication ports (51112 and 51113) restricted per M$ KB article: 555381 (http://support.microsoft.com/kb/555381)

so... the solution turned out to be:

a) reboot FSMO in directory services recovery mode (aka safe mode for DCs)
b) run cmd-line tools to re-build the ntds.dit
c) edit registry to get AD Rep. working again
d) test via telnet that AD Rep was properly restricted to said ports
e) reboot!

After that FRS and DFS all worked perfectly, and all has been humming along nicely!


Also, in the registry settings below, do I need to create a DWORD and call it the port number? i.e. 53211-cfdb.

b. on all Domain Controllers in the Forest, add the following two registry values with regedit (or use a .reg file - see References below)
         i. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port
             - DWORD containing the selected TCP port number  for AD replication (e.g. 53211 - cfdb (hex))
         ii. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\RPC TCP/IP Port Assignment
             - DWORD containing the selected TCP port number for FRS (e.g. 53212 - cfdc (hex))
 
Henrik Johansson, Systems engineer
Top Expert 2008

Commented:
I don't see why the upgrade should mess with the LDAP port number. The standard port is 389.
The replication port assignment shall be the port number. 53211 is the same as cfdb when converting between decimal and hexadecimal.

Author

Commented:
1. Remind me how to confirm the LDAP port, please.

2. Also, can you please advise on the registry settings. What do I call the DWORD, as there are no DWORDs in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" called "TCP/IP Port", nor "RPC TCP/IP Port Assignment" in the case of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters.
Do I need to create the DWORDs specifically called "TCP/IP Port" and "RPC TCP/IP Port Assignment" and assign the same port on both domain controllers?

3. Is it correct to have both domain controllers as catalog servers?

4. How do I reboot the FSMO in directory services recovery mode (aka safe mode for DCs)
and run the cmd-line tools to rebuild the ntds.dit?
Henrik Johansson, Systems engineer
Top Expert 2008

Commented:
1. Install adminpak.msi (%windir%\system32 on a server OS) and use dsquery to query the AD
C:\>dsquery user -samid <samAccountName>

2. The DWORD values don't exist by default and you need to create them manually.
The names are "TCP/IP Port" in NTDS\Parameters and "RPC TCP/IP Port Assignment" in NtFrs\Parameters.
Set the value to the numeric port number.
This needs to be done on *all* DCs and you need to reboot the server to apply the change.

3. Yes, the recommendation is to have at least two GCs in the same site to get redundancy when one of them is offline.

4. Reboot the DC and press F8 before the graphical boot to display the Windows boot menu, and choose recovery mode.

Author

Commented:
From the example and link, should the hexadecimal registry entry be i.e. 53212 - cfdc (hex), or just the port number 53212 without (-cfdc)?
Top Expert 2012

Commented:
I hate to say  this but I don't remember 100% but I believe it was just the number.
Henrik Johansson, Systems engineer
Top Expert 2008

Commented:
As I said above, 53211 (decimal) is the same thing as cfdb (hexadecimal)
53212 = cfdc
The value entered depends on which format you have chosen with the radio button.
The default format for DWORD values is hexadecimal, so you enter cfdb or cfdc from the examples.
If you change the radio button to decimal, you enter 53211 or 53212 as the value.

Author

Commented:
I have changed and edited the registry with the suggested ports and replication still fails.
Would this be a result of the in-place upgrade from 2000 to 2003 done years ago using Active Directory Connector?
I also just realised that the server is running plain standard, not even SP1. I am upgrading it to SP1 and SP2.
Any other suggestions, guys?
Top Expert 2012

Commented:
Did  you do the changes in Directory Restore Mode?
Henrik Johansson, Systems engineer
Top Expert 2008

Commented:
What error do you get when replication fails?
Is firewall blocking the replication ports?

Author

Commented:
I have disabled the Symantec antivirus on the server. The error message received is event ID 3508 without ID 3509.
I have not been able to do the directory restore mode. (Not too clear as to what I need to do when I get to the recovery mode.) I should be able to do this tomorrow out of business hours if I can get a direction on this.
I will update the registry changes as I used 53211 and 53212 in hexadecimal as opposed to cfdc and cfdb. I guess you meant that I should use the numbers when I choose decimal and the letters (cfdc and cfdb) when I choose hexadecimal?
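The "13508 without 13509" condition mentioned in the question and again in this post, as an added example that is not part of the original thread: FRS event 13508 says the service is having trouble enabling replication from a partner and will keep retrying, and 13509 says it later succeeded, so a lone 13508 inside the retry window is normal after a promotion while a 13508 that is never followed by a 13509 for the same partner pair is the problem. The script below reads event records in the order they were logged, pairs them up by the "from X to Y" clause, and reports pairs still unresolved after a grace period. The events are constructed to resemble the poster's situation (DELL2 recovers, LAPB1 never does); the message wording only approximates the real event text and the grace period is a chosen default, not a Microsoft value.

```python
"""Find FRS 13508 events never followed by 13509 for the same partner pair.
Added example; the event records are constructed, not taken from the poster's logs."""
import re
from datetime import datetime, timedelta

# Constructed sample: (timestamp, event id, message) in log order. Only the
# "from X to Y" clause is parsed, so the surrounding wording is approximate.
EVENTS = [
    (datetime(2008, 9, 2, 17, 15), 13508,
     "The File Replication Service is having trouble enabling replication from DELL2 "
     "to DELL1 for c:\\winnt\\sysvol\\domain using the DNS name dell2.LAP.local. "
     "FRS will keep retrying."),
    (datetime(2008, 9, 2, 17, 40), 13509,
     "The File Replication Service has enabled replication from DELL2 to DELL1 "
     "for c:\\winnt\\sysvol\\domain after repeated retries."),
    (datetime(2008, 9, 2, 18, 0), 13508,
     "The File Replication Service is having trouble enabling replication from LAPB1 "
     "to DELL1 for c:\\winnt\\sysvol\\domain using the DNS name lapb1.LAP.local. "
     "FRS will keep retrying."),
    (datetime(2008, 9, 2, 19, 0), 13508,
     "The File Replication Service is having trouble enabling replication from LAPB1 "
     "to DELL1 for c:\\winnt\\sysvol\\domain. FRS will keep retrying."),
    (datetime(2008, 9, 2, 21, 52), 13508,
     "The File Replication Service is having trouble enabling replication from LAPB1 "
     "to DELL1 for c:\\winnt\\sysvol\\domain. FRS will keep retrying."),
]

PAIR_RE = re.compile(r"\bfrom (\S+) to (\S+)\b")


def unresolved_13508(events, now, max_age=timedelta(hours=4)):
    """Return {(src, dst): (first_13508, count)} for partner pairs whose latest run
    of 13508 events has no 13509 after it and started more than max_age ago, so a
    partner still inside its first retry window is not reported."""
    state = {}                      # pair -> (first_13508, count), or None once enabled
    for ts, eid, msg in sorted(events):
        m = PAIR_RE.search(msg)
        if not m or eid not in (13508, 13509):
            continue
        pair = (m.group(1).upper(), m.group(2).upper())
        if eid == 13509:            # replication came back: clear the pair
            state[pair] = None
        else:                       # start or extend the current run of 13508s
            first, count = state.get(pair) or (ts, 0)
            state[pair] = (first, count + 1)
    return {pair: v for pair, v in state.items()
            if v is not None and now - v[0] >= max_age}


def report(events, now, **kw):
    return [f"13508 without 13509: {src} -> {dst}, {n} event(s) since {first:%Y-%m-%d %H:%M}"
            for (src, dst), (first, n) in unresolved_13508(events, now, **kw).items()]


if __name__ == "__main__":
    for line in report(EVENTS, datetime(2008, 9, 2, 22, 30)):
        print(line)
```

With real data, export the File Replication Service log from Event Viewer (or `wevtutil` on newer systems) and map each record onto the same (timestamp, id, message) tuples; an unresolved pair points at the partner to check for name resolution, the pinned RPC port being reachable, and the FRS service actually running.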
Henrik Johansson, Systems engineer
Top Expert 2008

Commented:
It is not necessary to take it to recovery mode to configure the replication ports.
Yes, 53211 and 53212 are the decimal values and not the hexadecimal values.
53211(hex) = 340497(dec) => outside of valid decimal range 49152..65535
53211(dec) = ccdb(hex)

If you've set it to 53211 in hexadecimal, you get a value outside the valid range and definitely have a reason why you don't get replication to work.
Change it to a valid value and reboot the servers.
Henrik Johansson, Systems engineer
Top Expert 2008

Commented:
minor typo in last post
4th line shall be "53211(dec) = cfdb(hex)"

Author

Commented:
All registry entries done and server rebooted, but replication still failed with the error logs below (3555 and 1352).

Event ID: 1352

 The File Replication Service is unable to add this computer to the following replica set:
    "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 
This could be caused by a number of problems such as:
  --  an invalid root path,
  --  a missing directory,
  --  a missing disk volume,
  --  a file system on the volume that does not support NTFS 5.0
 
The information below may help to resolve the problem:
Computer DNS name is "dell1.LAP.local"
Replica set member name is "DELL1"
Replica set root path is "c:\winnt\sysvol\domain"
Replica staging directory path is "c:\winnt\sysvol\staging\domain"
Replica working directory path is "c:\winnt\ntfrs\jet"
Windows error status code is  
FRS error status code is FrsErrorMismatchedJournalId
 
Other event log messages may also help determine the problem.  Correct the problem and the service will attempt to restart replication automatically at a later time.


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.



Event ID 3555

The File Replication Service is in an error state. Files will not replicate to or from one or all of the replica sets on this computer until the following recovery steps are performed:
 
 Recovery Steps:
 
 [1] The error state may clear itself if you stop and restart the FRS service. This can be done by performing the following in a command window:
 
    net stop ntfrs
    net start ntfrs
 
If this fails to clear up the problem then proceed as follows.
 
 [2] For Active Directory Domain Controllers that DO NOT host any DFS alternates or other replica sets with replication enabled:
 
If there is at least one other Domain Controller in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative.
 
If there are NO other Domain Controllers in this domain then restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and choose the Advanced option which marks the sysvols as primary.
 
If there are other Domain Controllers in this domain but ALL of them have this event log message then restore one of them as primary (data files from primary will replicate everywhere) and the others as non-authoritative.
 
 
 [3] For Active Directory Domain Controllers that host DFS alternates or other replica sets with replication enabled:
 
 (3-a) If the Dfs alternates on this DC do not have any other replication partners then copy the data under that Dfs share to a safe location.
 (3-b) If this server is the only Active Directory Domain Controller for this domain then, before going to (3-c),  make sure this server does not have any inbound or outbound connections to other servers that were formerly Domain Controllers for this domain but are now off the net (and will never be coming back online) or have been fresh installed without being demoted. To delete connections use the Sites and Services snapin and look for
Sites->NAME_OF_SITE->Servers->NAME_OF_SERVER->NTDS Settings->CONNECTIONS.
 (3-c) Restore the "system state" of this DC from backup (using ntbackup or other backup-restore utility) and make it non-authoritative.
 (3-d) Copy the data from step (3-a) above to the original location after the sysvol share is published.
 
 
 [4] For other Windows servers:
 
 (4-a)  If any of the DFS alternates or other replica sets hosted by this server do not have any other replication partners then copy the data under its share or replica tree root to a safe location.
 (4-b)  net stop ntfrs
 (4-c)  rd /s /q  c:\winnt\ntfrs\jet
 (4-d)  net start ntfrs
 (4-e)  Copy the data from step (4-a) above to the original location after the service has initialized (5 minutes is a safe waiting time).
 
Note: If this error message is in the eventlog of all the members of a particular replica set then perform steps (4-a) and (4-e) above on only one of the members.

Author

Commented:
Hello Guys,
When I ran DCdiag on the main DC, all tests passed except FRSSYSVOL, with the error:
"No record of file replication system, sysvol started. The Active Directory may be prevented from starting"
I found a resolution that recommended moving the File Replication Service staging folder. I have not done this before and do not know if it has any impact.
Any ideas?
Henrik Johansson, Systems engineer
Top Expert 2008

Commented:
Yes, the errors indicate a problem with disk space. The error you posted sounds like 13552 (missed a 5 above?)
http://support.microsoft.com/kb/889655
http://support.microsoft.com/kb/819268

See http://technet.microsoft.com/en-us/library/bb727049.aspx#ECAA for documentation about managing sysvol.
You can also reboot into 'Directory Service Restore Mode' and use ntdsutil as described in http://support.microsoft.com/kb/816120

Author

Commented:
I have checked the partition where the NTFRS folder is installed and I have over 12GB of free space, so do I still need to move the database file to another location?
When I run a DCdiag command I get the error below now.
DCdiag error: There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause policy problems.

Any suggestions?
Henrik Johansson, Systems engineer
Top Expert 2008

Commented:
12GB free is more than enough, and you shouldn't need to move it.
How about a multihomed DC, as dariusg asked? Multihomed servers can be a big headache.
Are the DCs correctly registered in DNS with the necessary SRV records? SRV records are registered with dcdiag /fix or by restarting the Netlogon service. Before doing that, also check that the DNS zone for the domain allows dynamic updates.

Author

Commented:
Hello Guys. The issue is now resolved. Thanks guys for your contributions. I spoke to Microsoft and I was advised that the FRS was corrupt. I was advised to rename the Jet folder in the SYSVOL and back up the Domain and Scripts folders in the Netlogon share, add some entries in the registry (b2 and b4) and restart the Netlogon service.
I will forward the link to the resolution soon.
Commented:
The resolution as stated above from Microsoft was:
Resolution:

1. We stopped the NTFRS service and renamed the Jet folder under C:\Windows\NTFRS

2. After restarting the NTFRS service, it recreated the Jet Blue database

3. We then marked the main DC with an authoritative restore: D4 flag for NTFRS using the KB article below

http://support.microsoft.com/kb/290762 (Using the BurFlags registry key to reinitialize File Replication Service replica sets)

4. On the newly promoted DC, after restarting the NTFRS service we did not find the Policies and Scripts folders

5. We then did a non-authoritative restore: D2 flag for NTFRS using the same KB article mentioned

Thanks Guys
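Two registry edits run through this thread: the pinned RPC ports for NTDS and FRS (the "TCP/IP Port" and "RPC TCP/IP Port Assignment" DWORDs and the decimal-versus-hexadecimal confusion around 53211/cfdb) and the BurFlags D4/D2 reinitialisation in the resolution above. The following is an added example, not code from the thread or from Microsoft's KB articles: it writes both edits as .reg fragments (the KB 555381 steps mention a .reg file as the alternative to hand-editing), encodes the DWORDs the way .reg files store them, rejects a port outside the range Henrik gives, and reads the values back so you can see what was actually stored. `regedit_input` models the trap from the discussion: the DWORD dialog defaults to hexadecimal, so typing 53211 there stores 0x53211 = 340497. The key paths are the ones named on this page and in KB 290762; the 49152..65535 range check is taken from Henrik's post, not from the KB.

```python
"""Build .reg fragments for the NTDS/FRS port pins and the FRS BurFlags restore
flags, and decode them again (added example, not from the thread or the KBs)."""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
NTDS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters"
FRS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters"
BURFLAGS_KEY = FRS_KEY + r"\Backup/Restore\Process at Startup"   # per KB 290762
PORT_RANGE = range(49152, 65536)          # the valid range given in the thread
BURFLAGS = {"D4": 0xD4, "D2": 0xD2}       # authoritative / non-authoritative (hex)


def reg_dword(value):
    """Encode an unsigned 32-bit value the way a .reg file stores a DWORD."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a DWORD: {value}")
    return f"dword:{value:08x}"


def regedit_input(text, base):
    """What regedit stores for `text` typed into the Edit DWORD dialog with the
    Hexadecimal ('hex', the default) or Decimal ('dec') radio button selected."""
    return int(text, {"hex": 16, "dec": 10}[base])


def port_pin_reg(ntds_port, frs_port):
    """Fragment pinning AD replication and FRS to fixed RPC ports (apply on every
    DC, then reboot; the firewall must allow both ports between DCs)."""
    for p in (ntds_port, frs_port):
        if p not in PORT_RANGE:
            raise ValueError(f"port {p} outside {PORT_RANGE.start}..{PORT_RANGE.stop - 1}")
    if ntds_port == frs_port:
        raise ValueError("NTDS and FRS must listen on different ports")
    return "\n".join([
        REG_HEADER, "",
        f"[{NTDS_KEY}]",
        f'"TCP/IP Port"={reg_dword(ntds_port)}', "",
        f"[{FRS_KEY}]",
        f'"RPC TCP/IP Port Assignment"={reg_dword(frs_port)}', ""])


def burflags_reg(mode):
    """Fragment setting BurFlags: D4 on the one DC whose SYSVOL is to be copied to
    the others, D2 on every other DC; stop ntfrs before importing, start it after."""
    return "\n".join([REG_HEADER, "", f"[{BURFLAGS_KEY}]",
                      f'"BurFlags"={reg_dword(BURFLAGS[mode.upper()])}', ""])


DWORD_LINE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', re.M)


def parse_reg_dwords(text):
    """Read the DWORD values back out of a .reg fragment as decimal integers."""
    return {name: int(hexval, 16) for name, hexval in DWORD_LINE.findall(text)}


if __name__ == "__main__":
    print(port_pin_reg(53211, 53212))
    print(burflags_reg("D4"))
    print("typed 53211 with Hexadecimal selected ->", regedit_input("53211", "hex"))
```

Import a fragment with `regedit /s file.reg` (or `reg import file.reg`) on each DC; `parse_reg_dwords` on an exported key (`reg export`) is the quickest way to confirm that what ended up in the registry is 53211 and not 340497 before the next reboot.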
 
