Solved

Safest way to fix a Jrnl_wrap_error please

Posted on 2010-08-18
15
405 Views
Last Modified: 2012-08-13
I am getting a Jrnl_wrap_error on our DC that contains all the fsmo roles.  What's the safest way to fix this?  

I understand that this was likely caused by a DNS issue and I am hoping i have fixed as well:

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Lotus_Domino/Q_26409480.html#a33465617

I am looking Jrnl_wrap_error up and have found the following here:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_23440305.html?sfQueryTermInfo=1+10+30+error+jrnl+wrap

I have also read this:

http://blogs.technet.com/b/instan/archive/2009/07/14/what-happens-in-a-journal-wrap.aspx

and frankly I am afraid of doing a d4 restore on our domain.  would it be easier to temporarily move the fsmo roles to a different DC and rebuild the one with the journal wrap error?  Can this be done during the workday?  The DC with the error is an "extra" domain controller that was built for the purpose of holding fsmo roles and validating logons only.

Also, none of our other DCs have this error.  The one that has it was accidently disconnected from the network for a while, could this have caused the problem?
0
Comment
Question by:maureen99
  • 7
  • 5
  • 2
  • +1
15 Comments
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 33466265
Safest way is to follow this MS KB Article:
http://support.microsoft.com/kb/292438/Add the registry key and it should resolve itself.

0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 250 total points
ID: 33466328
When you say "disconnected for a while"  -- how long was the disconnect?
You can run a D2 on this box   http://support.microsoft.com/kb/290762
Thanks
Mike
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 33466958
You don't have to transfer any FSMOs roles. Stop the ntfrs service on the journal wraped DC, set the flag to D2 and start the ntfrs service. This can be don't during daytime as this DC will not serve any purpose anyway.

If you use DFS you should not set the Global burflag key, but the SYSVOL's spesific key.


>The one that has it was accidently disconnected from the network for a while...

If there was an exessive replication occurring when it got online again, the NTFRS journal might have wrapped around (like Instan says in the blog entry you posted)
0
 

Author Comment

by:maureen99
ID: 33467000
It was disconnected for about a week before it was discovered.

How dangerous is the D2 burflag restore?  I read in one  of the links above that a person had to rebuild their entire domain although they don't say if it was a d2 or d4 restore.

That's why I wonder if it would be better for me just to transfer the roles and rebuild the DC.  Any opinions or thoughts on how much can go wrong with a d2 restore?
0
 
LVL 21

Assisted Solution

by:snusgubben
snusgubben earned 250 total points
ID: 33467040
The D4 restore is the "tricky" one where things might go wrong. MS says use this as a last resort.

The D2 (non-authoritative) is safe as it will not bulk reset the SYSVOL, but only re-initialize the affected SYSVOL replica set.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33467136
D2 is safe.

The rebuild would also work, but I'd use the D2.
0
 

Author Comment

by:maureen99
ID: 33477022
I do have another question, should I attempt the D2 restore if I am seeing any warnings or errors in the server's replications partners?

I am seeing a netlogon error on one of the replication partners:
Registration of the DNS record '04b26097-7847-4057-91f1-dd561676c32b._msdcs.ic.internal. 600 IN CNAME server2.my.domain.' failed with the following error:
DNS RR set that ought to exist, does not exist.  
0
 

Author Comment

by:maureen99
ID: 33477081
I am seeing the following on a second replication partner:

Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

With these two messages should I still proceed with the d2 restore?
0
 

Author Comment

by:maureen99
ID: 33477112
Also, does it matter if one of the rep partners is windows 2000 sp4 and this machine is windows 2003 sp2?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 33477441
You should make sure that DNS is ok.

Run: dnslint /ad /s 10.0.0.12 /v  (replace 10.0.0.12 with an IP og one of your authoritative DNS servers)

Also make sure that your DCs only points to internal DNS server and not to any ISP public DNS (on the DC's NIC)


> Windows cannot query for the list of Group Policy objects...

Does this DC log 1030 and 1058 events?


> Also, does it matter if one of the rep partners is windows 2000 sp4 and this machine is windows 2003 sp2?

No
0
 

Author Comment

by:maureen99
ID: 33478348

"> Windows cannot query for the list of Group Policy objects...

Does this DC log 1030 and 1058 events?"
No but it does not show a netlogon share under manage-->shared folders-->shares

Here's my dnslint:
DNSLint Report

System Date: Thu Aug 19 13:05:43 2010

Command run:

dnslint /ad /s 192.168.37.10 /v

Root of Active Directory Forest:

    my.domain

Active Directory Forest Replication GUIDs Found:

DC: serverJRNWRPERR
GUID: 22f0cccb-761a-4079-9909-19e221cf252b

DC: server3
GUID: 3bdc1b6f-776e-4652-9fe8-518e4515860d

DC: server2
GUID: 04b26097-7847-4057-91f1-dd561676c32b

DC: serverL
GUID: 7d6e305a-8882-43e5-bf03-6900e7b479bf


Total GUIDs found: 4

--------------------------------------------------------------------------------

The following 5 DNS servers were checked for records related to AD forest replication:

DNS server: server3.my.domain
IP Address: 192.168.37.10
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: server3.my.domain
Hostmaster: admin.my.domain
Zone serial number: 11278
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
serverJRNWRPERR.my.domain 192.168.37.13
server2.my.domain 192.168.37.3
server3.my.domain 192.168.37.10
serverOLD.my.domain 192.168.25.8
serverL.my.domain 192.168.25.10


Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 22f0cccb-761a-4079-9909-19e221cf252b._msdcs.my.domain
Alias: serverJRNWRPERR.my.domain
Glue: 192.168.37.13

CNAME: 3bdc1b6f-776e-4652-9fe8-518e4515860d._msdcs.my.domain
Alias: server3.my.domain
Glue: 192.168.37.10

CNAME: 04b26097-7847-4057-91f1-dd561676c32b._msdcs.my.domain
Alias: server2.my.domain
Glue: 192.168.37.3

CNAME: 7d6e305a-8882-43e5-bf03-6900e7b479bf._msdcs.my.domain
Alias: serverL.my.domain
Glue: 192.168.25.9


Total number of CNAME records found on this server: 4
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

DNS server: serverJRNWRPERR.my.domain
IP Address: 192.168.37.13
UDP port 53 responding to queries: NO
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: Unknown

SOA record data from server:
Authoritative name server: Unknown
Hostmaster: Unknown
Zone serial number: Unknown
Zone expires in: Unknown
Refresh period: Unknown
Retry delay: Unknown
Default (minimum) TTL: Unknown


Total number of CNAME records found on this server: 0
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

DNS server: server2.my.domain
IP Address: 192.168.37.3
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: server2.my.domain
Hostmaster: admin.my.domain
Zone serial number: 11278
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
serverJRNWRPERR.my.domain 192.168.37.13
server2.my.domain 192.168.37.3
server3.my.domain 192.168.37.10
serverOLD.my.domain 192.168.25.8
serverL.my.domain 192.168.25.10


Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 22f0cccb-761a-4079-9909-19e221cf252b._msdcs.my.domain
Alias: serverJRNWRPERR.my.domain
Glue: 192.168.37.13

CNAME: 3bdc1b6f-776e-4652-9fe8-518e4515860d._msdcs.my.domain
Alias: server3.my.domain
Glue: 192.168.37.10

CNAME: 04b26097-7847-4057-91f1-dd561676c32b._msdcs.my.domain
Alias: server2.my.domain
Glue: 192.168.37.3

CNAME: 7d6e305a-8882-43e5-bf03-6900e7b479bf._msdcs.my.domain
Alias: serverL.my.domain
Glue: 192.168.25.10


Total number of CNAME records found on this server: 4
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

DNS server: serverOLD.my.domain
IP Address: 192.168.25.8
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: NO

SOA record data from server:
Authoritative name server: Unknown
Hostmaster: Unknown
Zone serial number: Unknown
Zone expires in: Unknown
Refresh period: Unknown
Retry delay: Unknown
Default (minimum) TTL: Unknown

Total number of CNAME records found on this server: 0
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0


--------------------------------------------------------------------------------

DNS server: serverL.my.domain
IP Address: 192.168.25.10
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
Authoritative name server: serverL.my.domain
Hostmaster: admin.my.domain
Zone serial number: 11278
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
serverL.my.domain 192.168.25.9
serverJRNWRPERR.my.domain 192.168.37.13
server2.my.domain 192.168.37.3
server3.my.domain 192.168.37.10
serverOLD.my.domain 192.168.25.8


Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: 22f0cccb-761a-4079-9909-19e221cf252b._msdcs.my.domain
Alias: serverJRNWRPERR.my.domain
Glue: 192.168.37.13

CNAME: 3bdc1b6f-776e-4652-9fe8-518e4515860d._msdcs.my.domain
Alias: server3.my.domain
Glue: 192.168.37.10

CNAME: 04b26097-7847-4057-91f1-dd561676c32b._msdcs.my.domain
Alias: server2.my.domain
Glue: 192.168.37.3

CNAME: 7d6e305a-8882-43e5-bf03-6900e7b479bf._msdcs.my.domain
Alias: serverL.my.domain
Glue: 192.168.25.9

Total number of CNAME records found on this server: 4
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0

--------------------------------------------------------------------------------

Notes:
One or more DNS servers is not authoritative for the domain
One or more DNS servers did not respond to UDP queries
Zone serial numbers were not identical on every DNS server
One or more zone files may have expired
SOA record data was unavailable and/or missing on one or more DNS servers
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 33478450
I guess it's the DC in Journal Wrap that don't share the SYSVOL?

I would go ahead with the D2 approach, let it replicate, then run a "dcdiag /e" to see if things are ok.

When the DC is out of JW, I would check the dns servers for misconfiguration/missing entries with "dcdiag /test:dns /v" and dnslint.
0
 

Author Comment

by:maureen99
ID: 33479149
I did the d2 restore and got the following messges in the frs event log:



The File Replication Service successfully added this computer to the following replica set:
    "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 
Information related to this event is shown below:
Computer DNS name is "ic-750.ic.internal"
Replica set member name is "IC-750"
Replica set root path is "c:\windows\sysvol\domain"
Replica staging directory path is "c:\windows\sysvol\staging\domain"
Replica working directory path is "c:\windows\ntfrs\jet"

For more information, see Help and Support Center at

_______
The File Replication Service successfully added the connections shown below to the replica set:
    "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 
      "lcserver2.ic.internal"
      "dcserver3.ic.internal"
      "lcserver2.ic.internal"
      "dcserver2.ic.internal"
      "dcserver2.ic.internal"
       
More information may appear in subsequent event log messages.
For more information, see Help and Support Center at
______
The File Replication Service is no longer preventing the computer IC-750 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type "net share" to check for the SYSVOL share.

I am guessing it was successful?
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 33480924
yep it seems recovered.

Like I said I would check DNS to see if that might be a cause for the JW.

It don't have to be a permanent issue that caused this. Things like high disc I/O, truncating the NTFS USN journal (with i.e. chkdsk) are things that might cause this.
0
 

Author Closing Comment

by:maureen99
ID: 33512114
Thanks very much the help is greatly appreciated!!
0

Join & Write a Comment

Learn about cloud computing and its benefits for small business owners.
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now