Group Policy / FRS Issues
Hi all.
We have a problem that needs attention ASAP. I am hoping we can tackle this together.
We have a few branch offices and the main office.
The main office has domain controller 1 (DC1) and domain controller 2 (DC2).
There are 3 branch offices. Each one has a domain controller (DC3, DC4 and DC5).
They are all running Windows Server 2003 (some R2, some not).
DC1 seems to be the PDC and contains accurate group policy info.
Whenever a group policy change is made, it appears to be made on DC1.
DC2 and all the others are not being updated.
If you check the SYSVOL folder you will find many more folders than what on DC1.
They seems to have an extended name. Kind of like a GUID on the end of the folder names.
I need the updated group policies to get applied ASAP but FRS seems to be an issue.
I tried stopping the FRS service on DC5 and changing the burflag to D2 for non-authoritative mode. I then restarted the FRS service.
This moved all of the previous group policies into a new folder.
I am now waiting for replication to occur from DC1 to DC5. Until this happens, DC5 will not a domain controller.
I tried to force replication but it doesn't appear to be working.
I got one error which is 13508. It seems like DC5 is having a problem enabling replication with DC5.
Can I just copy the 5 known good folders from DC1 onto DC5?
I don't know why replication is not happening.
Any help is appreciated.
We have a problem that needs attention ASAP. I am hoping we can tackle this together.
We have a few branch offices and the main office.
The main office has domain controller 1 (DC1) and domain controller 2 (DC2).
There are 3 branch offices. Each one has a domain controller (DC3, DC4 and DC5).
They are all running Windows Server 2003 (some R2, some not).
DC1 seems to be the PDC and contains accurate group policy info.
Whenever a group policy change is made, it appears to be made on DC1.
DC2 and all the others are not being updated.
If you check the SYSVOL folder you will find many more folders than what on DC1.
They seems to have an extended name. Kind of like a GUID on the end of the folder names.
I need the updated group policies to get applied ASAP but FRS seems to be an issue.
I tried stopping the FRS service on DC5 and changing the burflag to D2 for non-authoritative mode. I then restarted the FRS service.
This moved all of the previous group policies into a new folder.
I am now waiting for replication to occur from DC1 to DC5. Until this happens, DC5 will not a domain controller.
I tried to force replication but it doesn't appear to be working.
I got one error which is 13508. It seems like DC5 is having a problem enabling replication with DC5.
Can I just copy the 5 known good folders from DC1 onto DC5?
I don't know why replication is not happening.
Any help is appreciated.
ASKER
Yeah the time is set accurately.
At this point I don't know what to do because if replication isn't working at all, this machine will not be a domain controller.
And we very much need it to be a domain controller.
At this point I don't know what to do because if replication isn't working at all, this machine will not be a domain controller.
And we very much need it to be a domain controller.
What else is running on DC5?
You can always attempt demoting and repromoting DC5. Just make sure that SQL is not running on DC5. SQL tends to break if running on a DC that is then demoted. If you do decide to demote DC5, once demotion is complete, verify on DC1 that all instances of DC5 as a DC have been removed. It may be necessary to use the NTDSutil to perform a metadata cleanup on DC1 before you can repromote DC5. You can read more about it here:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
You can always attempt demoting and repromoting DC5. Just make sure that SQL is not running on DC5. SQL tends to break if running on a DC that is then demoted. If you do decide to demote DC5, once demotion is complete, verify on DC1 that all instances of DC5 as a DC have been removed. It may be necessary to use the NTDSutil to perform a metadata cleanup on DC1 before you can repromote DC5. You can read more about it here:
http://www.petri.co.il/delete_failed_dcs_from_ad.htm
Can you tell us if there are any other errors in the event logs related to FRS?
Also, are these sites connected via site-to-site VPNs? What sort of firewalls do you have?
You can run this command on DC5 to get a better idea of what is going on:
ntfrsutl version <FQDN of remote domain controller>
Also, are these sites connected via site-to-site VPNs? What sort of firewalls do you have?
You can run this command on DC5 to get a better idea of what is going on:
ntfrsutl version <FQDN of remote domain controller>
ASKER
OK I have good news.
The files have successfully copied over on their own.
This is good.
Now for the bad.
It appears that all of the problem files were copied.
Ex:
On DC1 in the policies folder I have the following {ABC-123}, {DEF-345}, etc.
Now on DC5 (and all the other DC's) I see {ABC-123}_NTFRS_5451f5, {DEF-345}_NTFRS_57e4
I was expecting all of the clean policies from DC1 to copy over.
What happened?
The files have successfully copied over on their own.
This is good.
Now for the bad.
It appears that all of the problem files were copied.
Ex:
On DC1 in the policies folder I have the following {ABC-123}, {DEF-345}, etc.
Now on DC5 (and all the other DC's) I see {ABC-123}_NTFRS_5451f5, {DEF-345}_NTFRS_57e4
I was expecting all of the clean policies from DC1 to copy over.
What happened?
ASKER
wdurrett: Can you tell us if there are any other errors in the event logs related to FRS?Also, are these sites connected via site-to-site VPNs? What sort of firewalls do you have?You can run this command on DC5 to get a better idea of what is going on:ntfrsutl version <FQDN of remote domain controller>
The only event is the same 13508 error. It seems to be an ongoing issue.
I did the command you mentioned but I don't know what the results mean:
"NtFrsApi Version Information NtFrsApi Major : 0 NtFrsApi Minor : 0 NtFrsApi Compiled on: Feb 16 2007 20:01:19NtFrs Version Information NtFrs Major : 0 NtFrs Minor : 0 NtFrs Compiled on : Mar 24 2005 15:06:43 Latest changes: Install Override fixOS Version 5.2 (3790) - SP (1.0) SM: 0x0110 PT: 0x02Processor: INTEL Level: 0x0006 Revision: 0x170a Processor num/mask: 4/0000000f"
The only event is the same 13508 error. It seems to be an ongoing issue.
I did the command you mentioned but I don't know what the results mean:
"NtFrsApi Version Information NtFrsApi Major : 0 NtFrsApi Minor : 0 NtFrsApi Compiled on: Feb 16 2007 20:01:19NtFrs Version Information NtFrs Major : 0 NtFrs Minor : 0 NtFrs Compiled on : Mar 24 2005 15:06:43 Latest changes: Install Override fixOS Version 5.2 (3790) - SP (1.0) SM: 0x0110 PT: 0x02Processor: INTEL Level: 0x0006 Revision: 0x170a Processor num/mask: 4/0000000f"
Are we sure DC5 is replicating from DC1? It is possible that these problem polities replicated to DC2, DC3, and DC4. Perhaps DC5 is actually getting the policies from the other DCs.
Also, couple of previous answers to event 13508:
https://www.experts-exchange.com/questions/21296990/Event-Id-13508-The-File-Replication-Service-is-having-trouble-enabling-replication.html
https://www.experts-exchange.com/questions/21740439/FILE-REPLICATION-SERVICE-is-having-trouble-Event-ID-13508.html
http://technet.microsoft.com/en-us/library/bb727056.aspx
Also, couple of previous answers to event 13508:
https://www.experts-exchange.com/questions/21296990/Event-Id-13508-The-File-Replication-Service-is-having-trouble-enabling-replication.html
https://www.experts-exchange.com/questions/21740439/FILE-REPLICATION-SERVICE-is-having-trouble-Event-ID-13508.html
http://technet.microsoft.com/en-us/library/bb727056.aspx
You may want to upgrade your server to SP2.
It is a good thing that replication is now taking place.
Here is a MSFT article about the folder names:
http://support.microsoft.com/kb/328492
It is a good thing that replication is now taking place.
Here is a MSFT article about the folder names:
http://support.microsoft.com/kb/328492
ASKER
The problem I think is DC2. This is a secondary DNS server located at the same branch as DC1.
It has many many errors in the DNS event log.
I looked at some of the info posted in the link above and decided to run the DNS tests mentioned.
I got the following results when running DCdiag /test:DNS
"Domain Controller DiagnosisPerforming initial setup: Done gathering initial info.Doing initial required tests Testing server: Wayne\DC2 Starting test: Connectivity ......................... DC2 passed test ConnectivityDoing primary tests Testing server: Wayne\DC2DNS Tests are running and not hung. Please wait a few minutes... Running partition tests on : ForestDnsZones Running partition tests on : DomainDnsZones Running partition tests on : Schema Running partition tests on : Configuration Running partition tests on : MyDomain Running enterprise tests on : MyDomain.com Starting test: DNS Test results for domain controllers: DC: DC2.MyDomain.com Domain: MyDomain.com TEST: Delegations (Del) Error: DNS server: DC2.MyDomain.com. IP:192.168.1.73 [Broken delegated domain MyDomain.com.MyDomain.com.
Can someone please give me a hand with this?
I am not sure what to do to correct the problem.
It has many many errors in the DNS event log.
I looked at some of the info posted in the link above and decided to run the DNS tests mentioned.
I got the following results when running DCdiag /test:DNS
"Domain Controller DiagnosisPerforming initial setup: Done gathering initial info.Doing initial required tests Testing server: Wayne\DC2 Starting test: Connectivity ......................... DC2 passed test ConnectivityDoing primary tests Testing server: Wayne\DC2DNS Tests are running and not hung. Please wait a few minutes... Running partition tests on : ForestDnsZones Running partition tests on : DomainDnsZones Running partition tests on : Schema Running partition tests on : Configuration Running partition tests on : MyDomain Running enterprise tests on : MyDomain.com Starting test: DNS Test results for domain controllers: DC: DC2.MyDomain.com Domain: MyDomain.com TEST: Delegations (Del) Error: DNS server: DC2.MyDomain.com. IP:192.168.1.73 [Broken delegated domain MyDomain.com.MyDomain.com.
Can someone please give me a hand with this?
I am not sure what to do to correct the problem.
Well, it appears your delegation records are messed up:
Please evaluate: (as an example)
https://www.experts-exchange.com/questions/24349599/URGENT-MSDCS-records-registering-directly-under-FWD-lookup-zone-not-under-FQDN-name-space.html
Please evaluate: (as an example)
https://www.experts-exchange.com/questions/24349599/URGENT-MSDCS-records-registering-directly-under-FWD-lookup-zone-not-under-FQDN-name-space.html
ASKER
I tried to figure this out using the link posted above but I am having a hard time.
Can someone please let me know what steps I can take?
Can someone please let me know what steps I can take?
No problem:
On DC1: (which will be your primary domain controller emulator (PDCe))
start>>programs>>administr
right click and select "connect to server">>type in the name of your primary DNS server.
right click again and select "connect to server" add the second DNS server.
Now, expand DC1's server DNS until you look into the forward lookup zones. In the forward lookup zones, you will see your domain forward lookup zone as well as probably a MSDCS forward lookup zone.
Under your domain forward lookup zone, you will see another MSDCS file folder. (That file folder holds your delegation records). Is that greyed out? That's all we have to know at this point in time.
On DC1: (which will be your primary domain controller emulator (PDCe))
start>>programs>>administr
right click and select "connect to server">>type in the name of your primary DNS server.
right click again and select "connect to server" add the second DNS server.
Now, expand DC1's server DNS until you look into the forward lookup zones. In the forward lookup zones, you will see your domain forward lookup zone as well as probably a MSDCS forward lookup zone.
Under your domain forward lookup zone, you will see another MSDCS file folder. (That file folder holds your delegation records). Is that greyed out? That's all we have to know at this point in time.
ASKER
I checked all DCs and found no greyed-out folders or files.
See the attached image. Is there somewhere else I should be looking?
Capture.PNG
See the attached image. Is there somewhere else I should be looking?
Capture.PNG
I have seen this before.
On the dcdiag you posted, I noticed that you have "MyDomain.com.MyDomain.com
Locate the bad host record and correct it.
On the dcdiag you posted, I noticed that you have "MyDomain.com.MyDomain.com
Locate the bad host record and correct it.
ASKER
Please take a look at the attached image.
I stopped trying to hide the company info. It is what it is, lol.
I found a "domain" named "com" which looks like it may be the issue.
I wanted to get your input first wdurrett before I remove it.
Capture.PNG
I stopped trying to hide the company info. It is what it is, lol.
I found a "domain" named "com" which looks like it may be the issue.
I wanted to get your input first wdurrett before I remove it.
Capture.PNG
ASKER
OK I know I mentioned getting the advice from wdurrett but anyone's input regarding the image / comment above would be appreciated.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It's OK man. I understand. I hope you enjoyed yourself in Mexico!
The w w w record is already in the top folder with the same external IP address.
I deleted the COM folder from each DNS server.
Is there any thing else I am supposed to do to make these changes be known?
The w w w record is already in the top folder with the same external IP address.
I deleted the COM folder from each DNS server.
Is there any thing else I am supposed to do to make these changes be known?
ASKER
The steps given were successful.
net time \\(domain controller name) /set /y