gabiosz
asked on
No Netlogon or SYSVOL & GC Unavailable
Hi,
I have a bit of a problm that came to light today. I have to force remove a Windows 2000 SP4 Server from a 2 server domain as it wasn't functioing correctly and I was about to add a new Windows Server 2003 R2 server to the domain. Initailly the new server would not add due to a permissions problem. I (thought I'd) traced it to the 2000 server not being correctly shown in the AD, however once forcably removed I could not re-join it, even as a member server. No computer can be joined to the domian currently. I then noticed through netdiag /fix that the NETLOGON and SYSVOL share were not present, and the server had was not able to see a Global Catalogue. The Remaining server is a GC and I am able to access all the AD although I am not able to edit the GPO.
Please help, I'd rather not have to re-build the AD and I'd like to get this up and running again.
Thanks
I have a bit of a problm that came to light today. I have to force remove a Windows 2000 SP4 Server from a 2 server domain as it wasn't functioing correctly and I was about to add a new Windows Server 2003 R2 server to the domain. Initailly the new server would not add due to a permissions problem. I (thought I'd) traced it to the 2000 server not being correctly shown in the AD, however once forcably removed I could not re-join it, even as a member server. No computer can be joined to the domian currently. I then noticed through netdiag /fix that the NETLOGON and SYSVOL share were not present, and the server had was not able to see a Global Catalogue. The Remaining server is a GC and I am able to access all the AD although I am not able to edit the GPO.
Please help, I'd rather not have to re-build the AD and I'd like to get this up and running again.
Thanks
Ok so right now you have 1 server and are trying to join a second server -
OK the machine you brought down did it hold all the fsmo roles?
If so you will need to seize the fsmo roles from the down machine to the existing machine left.
http://support.microsoft.com/kb/255504
Now wipe the machine from AD using metadata clean up
http://technet.microsoft.com/en-us/library/cc736378.aspx
Now the machine you took down can not come back to the domain without wiping it.
Now the existing machine should hold all the roles and be a global catalog. Verify it holds all the fsmo roles
from a command prompt
DCdiag /test:Knowsofroleholders /v
If the remaining machine is a win2k machine you will need to run adprep /forest prep form the win2k3 cd (run the command on th win2k machine - this preps AD for the win2k3 server)
Once thats all you should be good to add the server to the domain
OK the machine you brought down did it hold all the fsmo roles?
If so you will need to seize the fsmo roles from the down machine to the existing machine left.
http://support.microsoft.com/kb/255504
Now wipe the machine from AD using metadata clean up
http://technet.microsoft.com/en-us/library/cc736378.aspx
Now the machine you took down can not come back to the domain without wiping it.
Now the existing machine should hold all the roles and be a global catalog. Verify it holds all the fsmo roles
from a command prompt
DCdiag /test:Knowsofroleholders /v
If the remaining machine is a win2k machine you will need to run adprep /forest prep form the win2k3 cd (run the command on th win2k machine - this preps AD for the win2k3 server)
Once thats all you should be good to add the server to the domain
ASKER
All the FSMO rolls are currently held by the remaining DC and I have run DCDiag /Fix and NetDiag /Fix several times to no avail.
I got this error in the system log too:
The Netlogon service could not create server share C:\WINNT\SYSVOL\sysvol\dom
The system cannot find the file specified.
I got this error in the system log too:
The Netlogon service could not create server share C:\WINNT\SYSVOL\sysvol\dom
The system cannot find the file specified.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
the only thing that dcdaig now seems to throw up is:
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\SERVER\netlogon)
[SERVER] An net use or LsaPolicy operation failed with error 1203, Win3
2 Error 1203.
The GC issue seems to have been resolved by some of my earlier efforts.
I had already cleaned up the metadata sucessfully...
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\SERVER\netlogon)
[SERVER] An net use or LsaPolicy operation failed with error 1203, Win3
2 Error 1203.
The GC issue seems to have been resolved by some of my earlier efforts.
I had already cleaned up the metadata sucessfully...
You can try to rebuild the SYSVOL with the burflag method. If you forced remove a DC then you need to do a metadata cleanup then try the burflag method.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
http://support.microsoft.com/kb/315457/
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
http://support.microsoft.com/kb/315457/
ASKER
I shoudl mention that this was originally a Windows 2000 Server that was upgraded to Windows Server 2003 STD....
Is the BurFlag key different in that case?
Is the BurFlag key different in that case?
No its fine
ASKER
I'm working through that guide, however I don't thve the LINKD command, where do i find this?
Still no NETLOGON either.
Also now getting various errors in the event log, however it is looking more promising!
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5706
Date: 10/12/2008
Time: 21:31:27
User: N/A
Computer: SERVER
Description:
The Netlogon service could not create server share C:\WINNT\SYSVOL\sysvol\rvs
The system cannot find the file specified.
--------------------------
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 10/12/2008
Time: 21:37:32
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
--------------------------
Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8026
Date: 10/12/2008
Time: 21:19:15
User: N/A
Computer: SERVER
Description:
LDAP Bind was unsuccessful on directory server.rvsl.local for distinguished name ''. Directory returned error:[0x34] Unavailable.
Still no NETLOGON either.
Also now getting various errors in the event log, however it is looking more promising!
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5706
Date: 10/12/2008
Time: 21:31:27
User: N/A
Computer: SERVER
Description:
The Netlogon service could not create server share C:\WINNT\SYSVOL\sysvol\rvs
The system cannot find the file specified.
--------------------------
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 10/12/2008
Time: 21:37:32
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.
--------------------------
Event Type: Error
Event Source: MSExchangeAL
Event Category: LDAP Operations
Event ID: 8026
Date: 10/12/2008
Time: 21:19:15
User: N/A
Computer: SERVER
Description:
LDAP Bind was unsuccessful on directory server.rvsl.local for distinguished name ''. Directory returned error:[0x34] Unavailable.
ASKER
I have nothing at all in the SYSVOL folder collection... the folders are now all present and correct, but they are all empty, that's not right is it? Shouldn't there be GPOs in them?
No it builds them empty you will need to do a restore to get the GP's back or recreate them if they were small
ASKER
Right.... good, there was very little specified in them, how would I go about re-creating them in the simplest possible way?
You would need to create the gpo's from the gpmc console
Before you embark on recreating ... mak eusre that all is well and replication is happening and no errors are showing in event log
ASKER
ok, I'm still getting this in the event log, does this mean the GPOs are not orphaned? will this go when I re-create them?
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 10/12/2008
Time: 23:16:50
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Windows cannot access the file gpt.ini for GPO CN={6AC1786C-016F-11D2-945
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1058
Date: 10/12/2008
Time: 23:16:50
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Windows cannot access the file gpt.ini for GPO CN={6AC1786C-016F-11D2-945
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Is this still an issue? Thats referring to a policy that is no longer there
I would also run DCDiag /Fix and NetDiag /Fix to try to re-register all the needed services and such.
Brian