DEHLI
asked on
Is my Server 2003 DC Replicating Properly?
I recently put a new Domain Controller online. After dcpromo I installed DNS, and selected it as a global catalog. I then let it sit for over 24 hours to let it replicate. The link we are on that connects to the rest of my domain is slow so I figured it would take a while. I started looking into the Event logs to make sure everything was going ok. I started seeing these events in the Application section about every 5 minutes.
Source: SceCli Type: warning
Event ID: 1202
Security policies were propagated with warning. 0x5 : Access is denied.
Under the File Replication Service tab in the Event Viewer I am getting this warning off and on.
Source: NTFrs Type: Warning
Event ID: 13565
File Replication Service is initializing the system volume with data from another domain controller. computer MYDC cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
To check for the SYSVOL share, at the command prompt type: net share
When File replication Service completes the initialization process, the SYSVOL share will appear.
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.
I have looked into a lot of fixes for the 1202 error I am getting. I have looked in every GPO policy that is on my domain and none of them affect the FRS. And the other DCs that are functioning on the domain are not having this problem. I have looked in the registry under: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTFRS for the security subkey, but there is not one. I have run DCdiag and will attach it at the bottom. Any guidance on what is going on with my DC and/or how to fix the warnings would be great.
Domain Controller Diagnosis
Performing initial setup:
Done gathering initial info.
Doing initial required tests
Testing server: DEL\MYDC
Starting test: Connectivity
......................... MYDC passed test Connectivity
Doing primary tests
Testing server: DEL\DELSDC02
Starting test: Replications
REPLICATION-RECEIVED LATENCY WARNING
DELSDC02: Current time is 2010-11-15 18:03:19.
DC=ForestDnsZones,DC=afg,DC=usmc,DC=mil
Last replication recieved from TheirDC01 at 2010-10-16 23:20:14.
Last replication recieved from TheirDC02 at 2010-09-19 18:19:56.
DC=lnk,DC=afg,DC=usmc,DC=mil
Last replication recieved from TheirDC03 at 2010-09-16 22:22:39.
......................... MYDC passed test Replications
Starting test: NCSecDesc
......................... MYDC passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\MYDC\netlogon)
[MYDC] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
......................... MYDC failed test NetLogons
Starting test: Advertising
Warning: DsGetDcName returned information for \\TheirDC.FQDN, when we were trying to reach MYDC.
Server is not responding or is not considered suitable.
Warning: MYDC is not advertising as a global catalog.
Check that server finished GC promotion.
Check the event log on server that enough source replicas for the GC are available.
......................... MYDC failed test Advertising
Starting test: KnowsOfRoleHolders
......................... MYDC passed test KnowsOfRoleHolders
Starting test: RidManager
......................... MYDC passed test RidManager
Starting test: MachineAccount
......................... MYDC passed test MachineAccount
Starting test: Services
......................... MYDC passed test Services
Starting test: ObjectsReplicated
......................... MYDC passed test ObjectsReplicated
Starting test: frssysvol
......................... MYDC passed test frssysvol
Starting test: frsevent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
......................... MYDC failed test frsevent
Starting test: kccevent
......................... MYDC passed test kccevent
Starting test: systemlog
......................... MYDC passed test systemlog
Starting test: VerifyReferences
......................... MYDC passed test VerifyReferences
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : dwr
Starting test: CrossRefValidation
......................... dwr passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... dwr passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running enterprise tests on : FQDN
Starting test: Intersite
......................... FQDN passed test Intersite
Starting test: FsmoCheck
......................... FQDN passed test FsmoCheck
ASKER
We have to run McAfee. The DNS TCP\IP properties are set to the other DCs' IPs. It is a 2003 server.
Remove or disable your AV.
Currently your Netlogon share hasn't been created yet or your DC hasn't become a GC yet.
You can demote the server, then run metadata cleanup on an existing DC, then repromote the server. It could have been an issue with the connection.
ASKER
I am removing the AV.
Will the Netlogon share be created? How long does it usually take for a DC to become a GC over a slow link?
I am confused about the demote and re-promote suggestion? I feel like that would bring me back to step one and start all the slow replication over again. Or do you think this DC is not replicating anymore and giving it more time will not do anything?
Well, you have the option to wait and see if something happens, but there could be some other issue that would be fixed by starting from square one.
ASKER
Do you think the 1202 event could be blocking the replication process? I have been looking around and still cannot find anything anywhere on how to resolve that issue other than the registry edit on the key string I don't have.
The error is fine; that is not causing the problem with replication, though.
ASKER
If there were problems with replication, they would show in the Event log, correct? (Sorry, I am a noob at servers.)
The last event I have in the File Replication Service tab was from 5pm yesterday. It was the warning 13565. I have not had another event yet. The event before that was the FRS starting. I am not sure if it is just not giving me updates or if it really has been replicating non-stop that long.
Post a repadmin /syncall
ASKER
I have never demoted a DC before. What all would it entail as far as prep?
The repadmin /syncall says: CALLBACK MESSAGE: Finished.
SyncALL terminated with no error.
ASKER
Everything was fine; it was just taking forever. And if I had restarted, it would not have changed anything other than starting all the way over. Remaking would be the best thing to do over a faster link, but my link is VERY slow.
Are you running Symantec AV by chance?
Make sure the server is pointing to another DNS server within the TCP\IP properties as primary until the full promotion is done.
Did you promote 2003 or 2008 server?