• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1929
  • Last Modified:

how do I recreate sysvol share?

I have (this is a long story, but hopefully near the end of this journey...) a DC on an SBS2003 network that has had the following issues:

Network had SBS2003 and WS2003(DC).

AD was screwed up to the point that Microsoft dialed in and demoted SBS2003 and repromoted it in AD.  SBS2003 seems to be working now, but now the DC that was there is having replication issues.  There are numerous replication issues, and the SYSVOL and NETLOGON shares on the WS2003 server are not there.

To solve this, I was going to DCPROMO the DC down, and then re-promote it.  No joy... The error it gives shortly after the final "this is it... I am going to dcpromo it down" button push is that "the operation failed because AD could not transfer the remaining data in the directory partition CN=Schema,CN=Configuration...  The distinguished name specified for this replication is invalid".  Kind of the reason I need to demote and repromote this DC.

Sooo...

I start doing the investigative work (this is truly an "onion" problem... peel it back, another issue...) and I notice that SYSVOL and NETLOGON are not on the DC.  I have tried...

KB816113 - no joy
DCPROMO /FORCEREMOVAL  <- too scared to do this one... MS article is really fuzzy on what this will do.  My understanding is that the DC will be totally gone from the AD structure and you have to do a metadata cleanup to get it out of the domain.

Again, with the forceremoval (and I'm not sure if my question needs to be renamed...) what, exactly does this do?  

Does it:
Totally remove the computer/server from the domain?  If so, when I bring it back in, can I give it the same name and have the applications that are running on it and need security credentials untouched and it will know what to do?  (Yes, I walked into this, and there are apps running on the DC, but small business needs to have such things.  Buying $4000 in computers and licenses for a computer sitting as a backup DC is not economically feasible... but then again, paying me $5000 to clean this up isn't either...)
If it does remove the computer from the domain, can I just re-promote it and all will be well in the world?

thanks, and if there are ways to get SYSVOL and NETLOGON back on this DC, I would appreciate it.
0
PortlandSBS
Asked:
PortlandSBS
  • 12
  • 8
1 Solution
 
PortlandSBSAuthor Commented:
Oh, and I know this question will be asked...

No, there was no system state backup prior to me arriving on site.  

Yes, there is one now.
0
 
snusgubbenCommented:
Is this the only DC in your domain?


SG
0
 
snusgubbenCommented:
You could use the "burflag" method to get it back.

Run a "D2" if you got more then one DC, and a "D4" if this is a single DC in the domain.

http://support.microsoft.com/kb/290762/en-us

If you run a "D4" things in the SYSVOL might be lost.


SG
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
PortlandSBSAuthor Commented:
I tried the BurFlags and no joy  (actualy, I don't know why I say that... I was never in the military... but anyways...)

Also, there is an SBS2003 box that is the main DC (FSMO roles, GC Server)

I used D2 as the value in the registry.

Thanks for your quick help.  Should I post a DCDiag from both SBS2003 and WS2003 here?

Jeff
0
 
snusgubbenCommented:
Run a "dcdiag /v /e /c > dcdiag.txt & dcdiag.txt" and attach the file and we'll see if we can spot something.

Is the SYSVOL working ok on the 2003 server?

SG
0
 
PortlandSBSAuthor Commented:
Here are the files from the WS2003 (Gandalf) and the SBS2003 (Elrond)  I changed the domain name to sbs2003domain to protect the client.

Thank you so much for your help.

How do I check the SYSVOL on the 2003 server?

Jeff
dcdiag-redacted.txt
gandalf-redacted.txt
0
 
snusgubbenCommented:
from a client: Start/Run --> \\gandalf\sysvol  [enter]

or \\gandalf.yourdomain.com\sysvol

I'll browse through the logs.

SG
0
 
PortlandSBSAuthor Commented:
SG,

SYSVOL and NETLOGON aren't there.  They are on Elrond (SBS2003 box).

Jeff
0
 
PortlandSBSAuthor Commented:
It's getting more interesting.  There is no sysvol in the c:\windows directory, but in the e:\Windows.  E:\windows has nothing but NTDS and SYSVOL directories there, and they are not shared.

In HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters sysvol is set to e:\windows\sysvol.

Just more information to help.  (I hope)

Jeff
0
 
snusgubbenCommented:
Just to answer one of your questions about "dcpromo /forceremoval":

If your can't demote a DC in a normal way you can use the forceremoval switch on the failed DC. Then do a metadata cleanup from a healty DC to remove traces (metadata) of the problem DC. The problem (former) DC can be re-installed and promoted back again. If you wanna use the same name you got to be sure that *ALL* traces of it is gone!

Back to your case. This is not looking good :(

The SBS server was demoted and promoted back again by recomendation from Microsoft. Correct??
Was the FSMO transfered to Gandalf before you did this?

You are missing the SYSVOL on Gandalf. Not on Elrond?

Elrond is failing RID. This can be due to the restore/demotion-promotion. Take a look at this: http://support.microsoft.com/kb/839879

It seems like both DC is missing their A-record in DNS.

There was alot of other errors, but many of those can be due to i.e. DNS errors or failures du to the demotion of the FSMO DC.

SBS DCs is kinda bitchy since they need to hold the FSMO roles, so my best advice to you is to remove Gandalf (2003 server) from your domain and make Elrond work again. It's much easier to make one DC healthy then two. You can the demote-promote Gandalf back as an additional DC.


SG
0
 
PortlandSBSAuthor Commented:
I saw at http://www.freelists.org/post/thin/OT-Sysvol-share-recreating,3 that changing
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysvolReady from 0 to 1 did the trick.  It did for sysvol, but now to NETLOGON...

Thank you for your help!  Halfway there!

Jeff
0
 
PortlandSBSAuthor Commented:
SG,

I figured it didn't look too good.  The good news is that the domain is functional from the users' point of view.  From the back office (pun intended) things don't look so swell.

SYSVOL is back on Gandalf with the setting the registry value for sysvol from 0 to 1 (see above post).

Microsoft did the demote/promote as a last remote, and they drove the car, so to speak.  They did all the work on it, and it was (believe it or not) worse before all of this.  The GC and FSMO roles were transferred to Gandalf before the demote/promote of Elrond.

The FSMO roles and GC were moved back to Elrond.  After that, there were 4 entities that needed to be restored from Gandalf's system state backup, so MS engineer did that, and that is where things kind of fell apart.  

As it stands now, the domain is functional, and I will bring the plan to the business owner to make the decision.  This is a manufacturing business and Gandalf is the key server for the manufacturing floor, and Elrond is the main one for mail (being SBS and all).

As for the last paragraph, I am totally with you on that, and that is why I called MS in there to do that part of the troubleshooting/work.  Demoting a SBS box is verboten in everything I read, and the MS guy went to great lengths before saying that this needed to be done.  from there, we did two system state backups, just to be sure.

Again, thank you, and I will do what you suggested in the RID failure.  (after church)

Thank you,

Jeff
0
 
snusgubbenCommented:
I wouldn't do anything with the RID error before you got DNS fully functional.

Set the primary DNS on every NIC on both Gandalf and Elrod to point to Elrods IP. Remove any secondary DNS.

On Elrod:
open cmd:
ipconfig /flushdns
ipconfig /registerdns
netdiag /fixdns

Restart the netlogon service from services.msc

Do the same on Gandalf (even try if netlogon is stopped/paused).

Run: "dcdiag /test:dns /v > dns.txt & dns.txt"

Check for errors.


SG

0
 
PortlandSBSAuthor Commented:
Here are the files...

Thank you, and I will look them over in a few...

Jeff
dns-elrond-redacted.txt
0
 
PortlandSBSAuthor Commented:
oops, for Gandalf (WS2003 computer)
dns-gandalf-redacted.txt
0
 
snusgubbenCommented:
The basic DNS test now runs fine on Elrod. There is a forwarding DNS that is not a valid DNS server. You should take a look at that in the forwarding tab on Elrod.

Let Gandalt point to itself as primary DNS with Elrod as secondary.

Do you have the _msdcs zone on Gandalt?


SG
0
 
PortlandSBSAuthor Commented:
There are no forward lookup zones on Gandalf.  I did set up Gandalf as primary DNS, and Elrond as secondary DNS on Gandalf, plus I removed the 169.254 forwarder on Elrond.  DNS is looking better now.

The current status for AD is that I have the SYSVOL share on Gandalf, but no NETLOGON.

Just keeping folks at home up to date.

Again, thank you for your help.

Jeff
0
 
PortlandSBSAuthor Commented:
An update... What we are going to do is this:

1.  Remove Gandalf (DC with replication issues) from the domain with the dcpromo /forceremoval .  Clean out the Metadata on Elrond.
2.  Add a different WS2003 server to the domain, and promote it to a DC.  Verify that everything is replicating, and the domain is a wonderful place for AD.
3.  After the domain is verified, and AD is running without errors, bring Elrond back in and promote it to a DC.
4.  Verify AD functionality.
0
 
snusgubbenCommented:
1. Clean out Metadata for Gandalf. The job is done from Elrod.
3. You mean bring Gandalf back in!

0
 
PortlandSBSAuthor Commented:
AD is working fine now!  Now, on to DNS...
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 12
  • 8
Tackle projects and never again get stuck behind a technical roadblock.
Join Now