Group Policy / FRS Issues

homerslmpson
Hi all.
We have a problem that needs attention ASAP.  I am hoping we can tackle this together.

We have a few branch offices and the main office.

The main office has domain controller 1 (DC1) and domain controller 2 (DC2).
There are 3 branch offices.  Each one has a domain controller (DC3, DC4 and DC5).
They are all running Windows Server 2003 (some R2, some not).

DC1 seems to be the PDC and contains accurate group policy info.
Whenever a group policy change is made, it appears to be made on DC1.

DC2 and all the others are not being updated.
If you check the SYSVOL folder you will find many more folders than what is on DC1.
They seem to have an extended name, kind of like a GUID on the end of the folder names.

I need the updated group policies to get applied ASAP but FRS seems to be an issue.

I tried stopping the FRS service on DC5 and changing the burflag to D2 for non-authoritative mode. I then restarted the FRS service.
This moved all of the previous group policies into a new folder.

I am now waiting for replication to occur from DC1 to DC5.  Until this happens, DC5 will not be a domain controller.

I tried to force replication but it doesn't appear to be working.

I got one error which is 13508.  It seems like DC5 is having a problem enabling replication with DC5.

Can I just copy the 5 known good folders from DC1 onto DC5?  

I don't know why replication is not happening.

Any help is appreciated.
Commented:
A really simple question:  have you checked the time on DC5?  If it is out of sync with DC1, it will never replicate.  You can set it with this command:

net time \\(domain controller name) /set /y

Author

Commented:
Yeah the time is set accurately.

At this point I don't know what to do because if replication isn't working at all, this machine will not be a domain controller.

And we very much need it to be a domain controller.

Commented:
What else is running on DC5?

You can always attempt demoting and repromoting DC5.  Just make sure that SQL is not running on DC5.  SQL tends to break if running on a DC that is then demoted.  If you do decide to demote DC5, once demotion is complete, verify on DC1 that all instances of DC5 as a DC have been removed.  It may be necessary to use the NTDSutil to perform a metadata cleanup on DC1 before you can repromote DC5.  You can read more about it here:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Commented:
Can you tell us if there are any other errors in the event logs related to FRS?

Also, are these sites connected via site-to-site VPNs? What sort of firewalls do you have?

You can run this command on DC5 to get a better idea of what is going on:

ntfrsutl version <FQDN of remote domain controller>

Author

Commented:
OK I have good news.
The files have successfully copied over on their own.

This is good.

Now for the bad.

It appears that all of the problem files were copied.

Ex:
On DC1 in the policies folder I have the following {ABC-123}, {DEF-345}, etc.

Now on DC5 (and all the other DC's) I see {ABC-123}_NTFRS_5451f5, {DEF-345}_NTFRS_57e4

I was expecting all of the clean policies from DC1 to copy over.

What happened?

Author

Commented:
wdurrett: "Can you tell us if there are any other errors in the event logs related to FRS? Also, are these sites connected via site-to-site VPNs? What sort of firewalls do you have? You can run this command on DC5 to get a better idea of what is going on: ntfrsutl version <FQDN of remote domain controller>"

The only event is the same 13508 error.  It seems to be an ongoing issue.

I did the command you mentioned but I don't know what the results mean:
"NtFrsApi Version Information
   NtFrsApi Major      : 0
   NtFrsApi Minor      : 0
   NtFrsApi Compiled on: Feb 16 2007 20:01:19
NtFrs Version Information
   NtFrs Major        : 0
   NtFrs Minor        : 0
   NtFrs Compiled on  : Mar 24 2005 15:06:43
   Latest changes:
   Install Override fix
OS Version 5.2 (3790) - SP (1.0) SM: 0x0110  PT: 0x02
Processor:  INTEL Level: 0x0006  Revision: 0x170a  Processor num/mask: 4/0000000f"

Commented:
Are we sure DC5 is replicating from DC1?  It is possible that these problem policies replicated to DC2, DC3, and DC4.  Perhaps DC5 is actually getting the policies from the other DCs.

Also, couple of previous answers to event 13508:
http://www.experts-exchange.com/Networking/Q_21296990.html
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_21740439.html
http://technet.microsoft.com/en-us/library/bb727056.aspx

Commented:
You may want to upgrade your server to SP2.

It is a good thing that replication is now taking place.

Here is a MSFT article about the folder names:
http://support.microsoft.com/kb/328492
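As an added example, not code from the thread or from the linked KB article: the KB describes how FRS renames the losing side of a name collision to <original name>_NTFRS_<hex>. The script below takes a directory listing of SYSVOL\domain\Policies (the listing here is constructed, using the two well-known default-GPO GUIDs plus one made-up GUID) and sorts the GPO folders into ones that exist both as original and morphed copy, and ones that survive only as a morphed copy. That is the list an administrator needs before deciding which folders to compare and delete and which to rename back.

```python
"""Classify FRS morphed folders in a SYSVOL\\domain\\Policies listing.
Added example: not the thread's or Microsoft's code. Listing is constructed."""

import re
from typing import Dict, List, Set

# GPO folders are named by GUID in braces.  FRS appends _NTFRS_<hex> to the
# folder that lost a name collision (see KB 328492); the hex tag length varies.
_GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
GPO_RE = re.compile(r"^" + _GUID + r"$")
MORPHED_RE = re.compile(r"^(?P<base>" + _GUID + r")_NTFRS_(?P<tag>[0-9A-Fa-f]+)$")


def classify_policies(listing: List[str]) -> Dict[str, object]:
    """Split a listing into clean GPO folders, morphed copies keyed by the
    GUID they collided with, and anything else (left for manual review)."""
    originals: Set[str] = set()
    morphed: Dict[str, List[str]] = {}
    other: List[str] = []
    for name in listing:
        m = MORPHED_RE.match(name)
        if GPO_RE.match(name):
            originals.add(name.upper())          # GUIDs compare case-insensitively
        elif m:
            morphed.setdefault(m.group("base").upper(), []).append(name)
        else:
            other.append(name)
    return {"originals": originals, "morphed": morphed, "other": other}


def morphed_report(listing: List[str]) -> Dict[str, List[str]]:
    """'duplicate': GUIDs present both clean and morphed (compare contents,
    then remove the morphed copy).  'orphaned': GUIDs present only in morphed
    form (the morphed folder must be renamed back or the GPO is lost)."""
    c = classify_policies(listing)
    originals: Set[str] = c["originals"]           # type: ignore[assignment]
    morphed: Dict[str, List[str]] = c["morphed"]   # type: ignore[assignment]
    return {
        "duplicate": sorted(b for b in morphed if b in originals),
        "orphaned": sorted(b for b in morphed if b not in originals),
        "other": list(c["other"]),                 # type: ignore[arg-type]
    }


# Constructed listing.  The first two GUIDs are the well-known Default Domain
# Policy and Default Domain Controllers Policy; the third is made up.
SAMPLE_LISTING = [
    "{31B2F340-016D-11D2-945F-00C04FB984F9}",
    "{31B2F340-016D-11D2-945F-00C04FB984F9}_NTFRS_5451f5",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}_NTFRS_57e4",
    "{5E3D1C2A-7B4F-4E8A-9D21-0A1B2C3D4E5F}",
]

if __name__ == "__main__":
    for kind, guids in morphed_report(SAMPLE_LISTING).items():
        print(f"{kind}: {guids}")
```

Run it against the output of `dir /b` from the Policies folder on each DC; an "orphaned" entry on DC5 that is "duplicate" on DC1 tells you the clean copy is still available upstream.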

Author

Commented:
The problem I think is DC2.  This is a secondary DNS server located at the same branch as DC1.
 It has many many errors in the DNS event log.

I looked at some of the info posted in the link above and decided to run the DNS tests mentioned.  

I got the following results when running DCdiag /test:DNS

"Domain Controller Diagnosis
Performing initial setup:
   Done gathering initial info.
Doing initial required tests
     Testing server: Wayne\DC2
      Starting test: Connectivity
         ......................... DC2 passed test Connectivity
Doing primary tests
     Testing server: Wayne\DC2
DNS Tests are running and not hung. Please wait a few minutes...
     Running partition tests on : ForestDnsZones
     Running partition tests on : DomainDnsZones
     Running partition tests on : Schema
     Running partition tests on : Configuration
     Running partition tests on : MyDomain
     Running enterprise tests on : MyDomain.com
      Starting test: DNS
         Test results for domain controllers:
            DC: DC2.MyDomain.com
            Domain: MyDomain.com
                  TEST: Delegations (Del)
                     Error: DNS server: DC2.MyDomain.com. IP:192.168.1.73 [Broken delegated domain MyDomain.com.MyDomain.com.]
                     Error: DNS server: DC3.MyDomain.com. IP:192.168.3.73 [Broken delegated domain MyDomain.com.MyDomain.com.]
                     Error: DNS server: DC5.MyDomain.com. IP:192.168.4.74 [Broken delegated domain MyDomain.com.MyDomain.com.]
                     Error: DNS server: DC4.MyDomain.com. IP:192.168.2.16 [Broken delegated domain MyDomain.com.MyDomain.com.]
                     Error: DNS server: DC1.MyDomain.com. IP:192.168.1.62 [Broken delegated domain MyDomain.com.MyDomain.com.]
         Summary of test results for DNS servers used by the above domain controllers:
            DNS server: 192.168.1.62 (DC1.MyDomain.com.)
               1 test failure on this DNS server
               Delegation is broken for the domain MyDomain.com.MyDomain.com. on the DNS server 192.168.1.62
            DNS server: 192.168.1.73 (DC2.MyDomain.com.)
               1 test failure on this DNS server
               Delegation is broken for the domain MyDomain.com.MyDomain.com. on the DNS server 192.168.1.73
            DNS server: 192.168.2.16 (DC4.MyDomain.com.)
               1 test failure on this DNS server
               Delegation is broken for the domain MyDomain.com.MyDomain.com. on the DNS server 192.168.2.16
            DNS server: 192.168.3.73 (DC3.MyDomain.com.)
               1 test failure on this DNS server
               Delegation is broken for the domain MyDomain.com.MyDomain.com. on the DNS server 192.168.3.73
            DNS server: 192.168.4.74 (DC5.MyDomain.com.)
               1 test failure on this DNS server
               Delegation is broken for the domain MyDomain.com.MyDomain.com. on the DNS server 192.168.4.74
         Summary of DNS test results:
                                    Auth Basc Forw Del  Dyn  RReg Ext
            ________________________________________________________________
            Domain: MyDomain.com
               DC2                  PASS PASS PASS FAIL PASS PASS n/a
         ......................... MyDomain.com failed test DNS"

Can someone please give me a hand with this?
I am not sure what to do to correct the problem.
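As an added example, not part of the thread: a small parser for the DNS section of `dcdiag /test:DNS` output that pulls out the per-server "Error: DNS server: ..." lines and the PASS/FAIL summary table, so that the failing column (here "Del", the delegation test) and the offending delegated name can be read off programmatically instead of by eye. The sample text is a constructed excerpt modelled on the output posted above; a second, made-up DC row is included to show the table handling more than one server.

```python
"""Parse the DNS section of dcdiag /test:DNS output.
Added example, not from the thread; SAMPLE is a constructed excerpt."""

import re
from typing import Dict, List

SAMPLE = """\
      Starting test: DNS
         Test results for domain controllers:
            DC: DC2.MyDomain.com
            Domain: MyDomain.com
                  TEST: Delegations (Del)
                     Error: DNS server: DC2.MyDomain.com. IP:192.168.1.73 [Broken delegated domain MyDomain.com.MyDomain.com.]
                     Error: DNS server: DC1.MyDomain.com. IP:192.168.1.62 [Broken delegated domain MyDomain.com.MyDomain.com.]
         Summary of DNS test results:
                                    Auth Basc Forw Del  Dyn  RReg Ext
            ________________________________________________________________
            Domain: MyDomain.com
               DC2                  PASS PASS PASS FAIL PASS PASS n/a
               DC1                  PASS PASS PASS FAIL WARN PASS n/a
         ......................... MyDomain.com failed test DNS
"""

# One error line per (DNS server, message); the message sits in square brackets.
ERROR_RE = re.compile(
    r"Error: DNS server: (?P<server>\S+) IP:(?P<ip>\S+) \[(?P<msg>[^\]]+)\]")
DELEGATION_RE = re.compile(r"Broken delegated domain (?P<zone>\S+)")

# Column order of the summary table as dcdiag prints it.
COLUMNS = ["Auth", "Basc", "Forw", "Del", "Dyn", "RReg", "Ext"]
RESULT_TOKENS = {"PASS", "FAIL", "WARN", "n/a"}


def parse_errors(text: str) -> List[Dict[str, str]]:
    """All 'Error: DNS server:' lines as dicts with server, ip and msg."""
    return [m.groupdict() for m in ERROR_RE.finditer(text)]


def broken_delegations(errors: List[Dict[str, str]]) -> List[str]:
    """Distinct delegated names dcdiag reported as broken."""
    names = set()
    for e in errors:
        m = DELEGATION_RE.search(e["msg"])
        if m:
            names.add(m.group("zone"))
    return sorted(names)


def parse_summary(text: str) -> Dict[str, Dict[str, str]]:
    """Rows of the 'Summary of DNS test results' table, keyed by DC name.
    A data row is recognised by its shape: a name followed by exactly one
    result token per column, which skips the header and 'Domain:' lines."""
    rows: Dict[str, Dict[str, str]] = {}
    in_summary = False
    for line in text.splitlines():
        if "Summary of DNS test results" in line:
            in_summary = True
            continue
        if not in_summary:
            continue
        tokens = line.split()
        if len(tokens) == len(COLUMNS) + 1 and all(t in RESULT_TOKENS for t in tokens[1:]):
            rows[tokens[0]] = dict(zip(COLUMNS, tokens[1:]))
    return rows


def failing_tests(summary: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each DC to the list of columns that read FAIL."""
    return {dc: [col for col, res in cols.items() if res == "FAIL"]
            for dc, cols in summary.items()}


if __name__ == "__main__":
    errs = parse_errors(SAMPLE)
    print("broken delegations:", broken_delegations(errs))
    print("failing tests:", failing_tests(parse_summary(SAMPLE)))
```

Feed it the saved output of `dcdiag /test:DNS /v > dns.txt` from each DC; a delegated name that contains the zone name twice, as here, points at a record typed without its trailing dot rather than at a genuinely missing child zone.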

Commented:
Well, it appears your delegation records are messed up:

Please evaluate: (as an example)
http://www.experts-exchange.com/Networking/Protocols/DNS/Q_24349599.html

Author

Commented:
I tried to figure this out using the link posted above but I am having a hard time.

Can someone please let me know what steps I can take?

Commented:
No problem:

On DC1: (which will be your primary domain controller emulator (PDCe))

start>>programs>>administrative tools>>DNS snapin

right click and select "connect to server">>type in the name of your primary DNS server.

right click again and select "connect to server" add the second DNS server.

Now, expand DC1's server DNS until you look into the forward lookup zones. In the forward lookup zones, you will see your domain forward lookup zone as well as probably a MSDCS forward lookup zone.

Under your domain forward lookup zone, you will see another MSDCS file folder. (That file folder holds your delegation records). Is that greyed out? That's all we have to know at this point in time.  

Author

Commented:
I checked all DCs and found no greyed-out folders or files.

See the attached image.  Is there somewhere else I should be looking?



[attached image: Capture.PNG]

Commented:
I have seen this before.

On the dcdiag you posted, I noticed that you have "MyDomain.com.MyDomain.com."  This indicates that there is an incorrect Host record that is creating its own subdomain.  This is due to the absence of a trailing period on MyDomain.com. and is somewhat common.

Locate the bad host record and correct it.
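As an added example, not code from the thread or from Microsoft: the rule being described is the zone-file origin rule. A name that ends in a dot is absolute; one that does not is relative to the zone origin and gets the origin appended, so a record typed as `www.MyDomain.com` inside the zone `MyDomain.com` becomes `www.MyDomain.com.MyDomain.com.`, and an NS record typed that way produces the bogus delegation dcdiag complained about. The script below applies that rule to a constructed zone (the origin `MyDomain.com.` is taken from the dcdiag output above; the records are made up), flags every owner name or name-valued rdata that ends up with the origin doubled, and prints the folder path the DNS console would show for it, which is how a stray "com" subdomain folder appears under the zone. It goes beyond the thread's single host record by also checking NS, CNAME, MX and PTR targets.

```python
"""Find DNS records that picked up a doubled zone origin from a missing
trailing dot.  Added example, not the thread's code; zone data is constructed."""

from typing import Dict, List, Tuple

ORIGIN = "MyDomain.com."     # zone origin, assumed from the posted dcdiag output

# Record types whose rdata ends in a domain name that is also subject to the
# origin rule (MX rdata is 'preference target', so the target is the last token).
NAME_TARGET_TYPES = {"NS", "CNAME", "MX", "PTR"}


def qualify(name: str, origin: str) -> str:
    """Zone-file rule: '@' is the origin, a name ending in '.' is absolute,
    anything else is relative and has the origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def has_doubled_origin(fqdn: str, origin: str) -> bool:
    """True when the origin occurs twice at the end of the name, on a label
    boundary: the fingerprint of a forgotten trailing dot."""
    f, o = fqdn.lower(), origin.lower()
    doubled = o + o                            # 'mydomain.com.mydomain.com.'
    return f == doubled or f.endswith("." + doubled)


def console_path(fqdn: str, origin: str) -> List[str]:
    """Folder path the DNS MMC shows inside the zone for an owner name: the
    labels left of the origin, innermost (rightmost) first.  For
    'www.MyDomain.com.MyDomain.com.' this is ['com', 'MyDomain', 'www']."""
    rel = fqdn[: -len(origin)].rstrip(".")
    return list(reversed(rel.split("."))) if rel else []


def scan_zone(records: List[Tuple[str, str, str]], origin: str) -> List[Dict[str, object]]:
    """Flag records whose owner or name-valued rdata carries a doubled origin."""
    findings: List[Dict[str, object]] = []
    for owner, rtype, rdata in records:
        owner_fqdn = qualify(owner, origin)
        if has_doubled_origin(owner_fqdn, origin):
            findings.append({"owner": owner_fqdn, "type": rtype, "where": "owner",
                             "path": console_path(owner_fqdn, origin)})
        if rtype in NAME_TARGET_TYPES:
            target_fqdn = qualify(rdata.split()[-1], origin)
            if has_doubled_origin(target_fqdn, origin):
                findings.append({"owner": owner_fqdn, "type": rtype, "where": "rdata",
                                 "target": target_fqdn,
                                 "path": console_path(owner_fqdn, origin)})
    return findings


# Constructed zone content as (owner, type, rdata); not the poster's real zone.
SAMPLE_ZONE = [
    ("@",                  "NS", "dc1"),                    # fine: relative host name
    ("dc1",                "A",  "192.168.1.62"),
    ("www",                "A",  "203.0.113.10"),           # fine: relative
    ("www.MyDomain.com",   "A",  "203.0.113.10"),           # forgot the dot
    ("MyDomain.com",       "NS", "dc1.MyDomain.com."),      # forgot the dot: bogus delegation
    ("@",                  "MX", "10 mail.MyDomain.com"),   # target forgot the dot
    ("mail.MyDomain.com.", "A",  "203.0.113.20"),           # absolute: fine
]

if __name__ == "__main__":
    for finding in scan_zone(SAMPLE_ZONE, ORIGIN):
        print(finding)
```

The `path` field is what to look for in the console: a finding whose path starts with `com` means a folder named "com" directly under the zone, containing a "MyDomain" folder, containing the mistyped record.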

Author

Commented:
Please take a look at the attached image.

I stopped trying to hide the company info.  It is what it is, lol.

I found a "domain" named "com" which looks like it may be the issue.

I wanted to get your input first wdurrett before I remove it.

[attached image: Capture.PNG]

Author

Commented:
OK I know I mentioned getting the advice from wdurrett but anyone's input regarding the image / comment above would be appreciated.
Commented:
Sorry dude, I was in Mexico for the weekend.  I am back now and ready to help.

Yes, you can remove that entire folder.  The www record should go in the top level folder.

Author

Commented:
It's OK man.  I understand.  I hope you enjoyed yourself in Mexico!

The www record is already in the top folder with the same external IP address.

I deleted the COM folder from each DNS server.

Is there any thing else I am supposed to do to make these changes be known?

Author

Commented:
The steps given were successful.
