PortlandSBS

How do I recreate the SYSVOL share?

I have (this is a long story, but hopefully near the end of this journey...) a DC on an SBS2003 network that has had the following issues:

Network had SBS2003 and WS2003(DC).

AD was screwed up to the point that Microsoft dialed in and demoted SBS2003 and repromoted it in AD.  SBS2003 seems to be working now, but now the DC that was there is having replication issues.  There are numerous replication issues, and the SYSVOL and NETLOGON shares on the WS2003 server are not there.

To solve this, I was going to DCPROMO the DC down, and then re-promote it.  No joy... The error it gives shortly after the final "this is it... I am going to dcpromo it down" button push is that "the operation failed because AD could not transfer the remaining data in the directory partition CN=Schema,CN=Configuration...  The distinguished name specified for this replication is invalid".  Kind of the reason I need to demote and repromote this DC.

Sooo...

I start doing the investigative work (this is truly an "onion" problem... peel it back, another issue...) and I notice that SYSVOL and NETLOGON are not on the DC.  I have tried...

KB816113 - no joy
DCPROMO /FORCEREMOVAL  <- too scared to do this one... MS article is really fuzzy on what this will do.  My understanding is that the DC will be totally gone from the AD structure and you have to do a metadata cleanup to get it out of the domain.

Again, with the forceremoval (and I'm not sure if my question needs to be renamed...) what, exactly does this do?  

Does it:
Totally remove the computer/server from the domain?  If so, when I bring it back in, can I give it the same name and have the applications that are running on it and need security credentials untouched and it will know what to do?  (Yes, I walked into this, and there are apps running on the DC, but small business needs to have such things.  Buying $4000 in computers and licenses for a computer sitting as a backup DC is not economically feasible... but then again, paying me $5000 to clean this up isn't either...)
If it does remove the computer from the domain, can I just re-promote it and all will be well in the world?

thanks, and if there are ways to get SYSVOL and NETLOGON back on this DC, I would appreciate it.
PortlandSBS

ASKER

Oh, and I know this question will be asked...

No, there was no system state backup prior to me arriving on site.  

Yes, there is one now.
Is this the only DC in your domain?


SG
You could use the "burflag" method to get it back.

Run a "D2" if you have more than one DC, and a "D4" if this is a single DC in the domain.

http://support.microsoft.com/kb/290762/en-us

If you run a "D4" things in the SYSVOL might be lost.


SG
I tried the BurFlags and no joy  (actually, I don't know why I say that... I was never in the military... but anyways...)

Also, there is an SBS2003 box that is the main DC (FSMO roles, GC Server)

I used D2 as the value in the registry.

Thanks for your quick help.  Should I post a DCDiag from both SBS2003 and WS2003 here?

Jeff
Run a "dcdiag /v /e /c > dcdiag.txt & dcdiag.txt" and attach the file and we'll see if we can spot something.

Is the SYSVOL working ok on the 2003 server?

SG
Here are the files from the WS2003 (Gandalf) and the SBS2003 (Elrond)  I changed the domain name to sbs2003domain to protect the client.

Thank you so much for your help.

How do I check the SYSVOL on the 2003 server?

Jeff
dcdiag-redacted.txt
gandalf-redacted.txt
from a client: Start/Run --> \\gandalf\sysvol  [enter]

or \\gandalf.yourdomain.com\sysvol

I'll browse through the logs.

SG
SG,

SYSVOL and NETLOGON aren't there.  They are on Elrond (SBS2003 box).

Jeff
It's getting more interesting.  There is no sysvol in the c:\windows directory, but in the e:\Windows.  E:\windows has nothing but NTDS and SYSVOL directories there, and they are not shared.

In HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters sysvol is set to e:\windows\sysvol.

Just more information to help.  (I hope)

Jeff
Just to answer one of your questions about "dcpromo /forceremoval":

If you can't demote a DC in a normal way you can use the forceremoval switch on the failed DC. Then do a metadata cleanup from a healthy DC to remove traces (metadata) of the problem DC. The problem (former) DC can be re-installed and promoted back again. If you wanna use the same name you got to be sure that *ALL* traces of it are gone!

Back to your case. This is not looking good :(

The SBS server was demoted and promoted back again by recommendation from Microsoft. Correct??
Was the FSMO transferred to Gandalf before you did this?

You are missing the SYSVOL on Gandalf. Not on Elrond?

Elrond is failing RID. This can be due to the restore/demotion-promotion. Take a look at this: http://support.microsoft.com/kb/839879

It seems like both DCs are missing their A-record in DNS.

There were a lot of other errors, but many of those can be due to i.e. DNS errors or failures due to the demotion of the FSMO DC.

SBS DCs are kinda bitchy since they need to hold the FSMO roles, so my best advice to you is to remove Gandalf (2003 server) from your domain and make Elrond work again. It's much easier to make one DC healthy than two. You can then demote-promote Gandalf back as an additional DC.


SG
I saw at http://www.freelists.org/post/thin/OT-Sysvol-share-recreating,3 that changing
HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\SysvolReady from 0 to 1 did the trick.  It did for sysvol, but now to NETLOGON...

Thank you for your help!  Halfway there!

Jeff
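A read-only check for the state this post describes (a SYSVOL folder on disk, a SysvolReady flag, and SYSVOL/NETLOGON shares that may or may not be published). This is an added example, not code from the thread; it assumes PowerShell 2.0 or later and local administrative rights on the DC.

```powershell
# Added check script (not from the thread). Reports the Netlogon registry values
# and whether the SYSVOL / NETLOGON shares exist on this DC. It changes nothing.
# Assumption: run locally on the DC as an administrator, PowerShell 2.0+.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$reg = Get-ItemProperty -Path $params -ErrorAction Stop

$sysvolPath  = $reg.SysVol        # the thread's DC had this under E:\Windows
$sysvolReady = $reg.SysvolReady   # 0 = Netlogon will not publish the shares
Write-Host "SysVol      = $sysvolPath"
Write-Host "SysvolReady = $sysvolReady"

# NETLOGON is shared from <SysVol>\<domain FQDN>\scripts; SYSVOL from <SysVol>.
$domain      = (Get-WmiObject Win32_ComputerSystem).Domain
$scriptsPath = Join-Path $sysvolPath "$domain\scripts"

foreach ($p in @($sysvolPath, $scriptsPath)) {
    if (Test-Path $p) { Write-Host "OK       path exists: $p" }
    else              { Write-Host "MISSING  path       : $p" }
}

$shares = Get-WmiObject Win32_Share | Select-Object -ExpandProperty Name
foreach ($s in 'SYSVOL', 'NETLOGON') {
    if ($shares -contains $s) { Write-Host "OK       share      : $s" }
    else                      { Write-Host "MISSING  share      : $s" }
}

# The situation in the thread: folder present on disk, but SysvolReady still 0,
# so Netlogon never created the shares. The asker set the value to 1 by hand;
# this script only reports it, so the decision stays with the administrator.
if ((Test-Path $sysvolPath) -and ($sysvolReady -ne 1)) {
    Write-Warning "SYSVOL folder exists but SysvolReady is $sysvolReady; Netlogon will not share it until the folder is marked ready."
}
```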
SG,

I figured it didn't look too good.  The good news is that the domain is functional from the users' point of view.  From the back office (pun intended) things don't look so swell.

SYSVOL is back on Gandalf after setting the registry value for sysvol from 0 to 1 (see above post).

Microsoft did the demote/promote as a last resort, and they drove the car, so to speak.  They did all the work on it, and it was (believe it or not) worse before all of this.  The GC and FSMO roles were transferred to Gandalf before the demote/promote of Elrond.

The FSMO roles and GC were moved back to Elrond.  After that, there were 4 entities that needed to be restored from Gandalf's system state backup, so MS engineer did that, and that is where things kind of fell apart.  

As it stands now, the domain is functional, and I will bring the plan to the business owner to make the decision.  This is a manufacturing business and Gandalf is the key server for the manufacturing floor, and Elrond is the main one for mail (being SBS and all).

As for the last paragraph, I am totally with you on that, and that is why I called MS in there to do that part of the troubleshooting/work.  Demoting a SBS box is verboten in everything I read, and the MS guy went to great lengths before saying that this needed to be done.  From there, we did two system state backups, just to be sure.

Again, thank you, and I will do what you suggested in the RID failure.  (after church)

Thank you,

Jeff
I wouldn't do anything with the RID error before you get DNS fully functional.

Set the primary DNS on every NIC on both Gandalf and Elrond to point to Elrond's IP. Remove any secondary DNS.

On Elrond:
open cmd:
ipconfig /flushdns
ipconfig /registerdns
netdiag /fixdns

Restart the netlogon service from services.msc

Do the same on Gandalf (even try if netlogon is stopped/paused).

Run: "dcdiag /test:dns /v > dns.txt & dns.txt"

Check for errors.


SG
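A verification script for the procedure above (per-NIC DNS client settings, the DCs' A records, and the _msdcs SRV record that Netlogon registers). This is an added example, not code from the thread; it assumes PowerShell 2.0 or later, nslookup.exe on the path, and a placeholder DNS server IP that you replace with the DC you chose.

```powershell
# Added verification script (not from the thread). Read-only; run on each DC
# after the flushdns / registerdns / Netlogon restart steps.
# Assumptions: PowerShell 2.0+, nslookup.exe available. $ExpectedPrimaryDns is a
# placeholder (192.0.2.10 is a documentation address, not from the thread).
param(
    [string]$ExpectedPrimaryDns = '192.0.2.10',
    [string[]]$DcNames = @('elrond', 'gandalf')
)
$domain = (Get-WmiObject Win32_ComputerSystem).Domain

# 1. Every IP-enabled NIC should list only the expected primary DNS server.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder)
    if ($servers.Count -eq 1 -and $servers[0] -eq $ExpectedPrimaryDns) {
        Write-Host "OK       $($nic.Description): DNS = $($servers -join ', ')"
    } else {
        Write-Host "CHECK    $($nic.Description): DNS = $($servers -join ', ') (expected only $ExpectedPrimaryDns)"
    }
}

# 2. Each DC needs an A record; the dcdiag output in the thread showed both missing.
foreach ($dc in $DcNames) {
    $fqdn = "$dc.$domain"
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
        Write-Host "OK       A record $fqdn -> $($ips -join ', ')"
    } catch {
        Write-Host "MISSING  A record $fqdn ($($_.Exception.Message))"
    }
}

# 3. The SRV record clients use to locate a DC must name each DC. If a DC is
#    absent here, Netlogon on that DC has not (re)registered its records.
$srv = (nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain" 2>&1) -join "`n"
foreach ($dc in $DcNames) {
    if ($srv -match "(?i)$dc\.$([regex]::Escape($domain))") {
        Write-Host "OK       SRV _ldap._tcp.dc._msdcs lists $dc"
    } else {
        Write-Host "MISSING  SRV _ldap._tcp.dc._msdcs does not list $dc"
    }
}
```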

Here are the files...

Thank you, and I will look them over in a few...

Jeff
dns-elrond-redacted.txt
oops, for Gandalf (WS2003 computer)
dns-gandalf-redacted.txt
The basic DNS test now runs fine on Elrond. There is a forwarding DNS that is not a valid DNS server. You should take a look at that in the forwarding tab on Elrond.

Let Gandalf point to itself as primary DNS with Elrond as secondary.

Do you have the _msdcs zone on Gandalf?


SG
There are no forward lookup zones on Gandalf.  I did set up Gandalf as primary DNS, and Elrond as secondary DNS on Gandalf, plus I removed the 169.254 forwarder on Elrond.  DNS is looking better now.

The current status for AD is that I have the SYSVOL share on Gandalf, but no NETLOGON.

Just keeping folks at home up to date.

Again, thank you for your help.

Jeff
An update... What we are going to do is this:

1.  Remove Gandalf (DC with replication issues) from the domain with the dcpromo /forceremoval .  Clean out the Metadata on Elrond.
2.  Add a different WS2003 server to the domain, and promote it to a DC.  Verify that everything is replicating, and the domain is a wonderful place for AD.
3.  After the domain is verified, and AD is running without errors, bring Elrond back in and promote it to a DC.
4.  Verify AD functionality.
ASKER CERTIFIED SOLUTION
snusgubben
AD is working fine now!  Now, on to DNS...