Active Directory Replication

Fubschuk asked:

We have a new Windows 2008 Server (Winserver8) which is to take over from the old 2003 server. The old windows 2003 server (winserver11) also had exchange 2003. I (believe) have moved all the FSMO roles from this machine and transferred Exchange to the New 2008 Server with a view to retiring the 2003 server at some point. There is also another DC (Winserver13).

We recently had a problem where Outlook clients could not connect to Exchange. The problem seemed to be linked to Active Directory replication, as when a replication was forced the Outlook clients could connect. In a previous question I was told to run

dcdiag /fix

and see what errors I got, below is the output from my New 2008 server (Winserver8)

Can anyone help rectify these problems?

Output from dcdiag /fix on Winserver8:

 
Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = WINSERVER8

   * Identified AD Forest. 
   Ldap search capabality attribute search failed on server WINSERVER13, return

   value = 81
   Got error while checking if the DC is using FRS or DFSR. Error:

   Win32 Error 81The VerifyReferences, FrsEvent and DfsrEvent tests might fail

   because of this error. 

   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\WINSERVER8

      Starting test: Connectivity

         ......................... WINSERVER8 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\WINSERVER8

      Starting test: Advertising

         Warning: DsGetDcName returned information for

         \\winserver11.Diplomat.local, when we were trying to reach WINSERVER8.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... WINSERVER8 failed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... WINSERVER8 passed test FrsEvent

      Starting test: DFSREvent

         ......................... WINSERVER8 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... WINSERVER8 passed test SysVolCheck

      Starting test: KccEvent

         ......................... WINSERVER8 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         [WINSERVER13] DsBindWithSpnEx() failed with error 1722,

         The RPC server is unavailable..
         Warning: WINSERVER13 is the Infrastructure Update Owner, but is not

         responding to DS RPC Bind.

         Warning: WINSERVER13 is the Infrastructure Update Owner, but is not

         responding to LDAP Bind.

         ......................... WINSERVER8 failed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... WINSERVER8 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... WINSERVER8 passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\WINSERVER8\netlogon)

         [WINSERVER8] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... WINSERVER8 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... WINSERVER8 passed test ObjectsReplicated

      Starting test: Replications

         ......................... WINSERVER8 failed test Replications

      Starting test: RidManager

         ......................... WINSERVER8 passed test RidManager

      Starting test: Services

         ......................... WINSERVER8 passed test Services

      Starting test: SystemLog

         A warning event occurred.  EventID: 0x000003F6

            Time Generated: 11/25/2010   12:47:28

            Event String:

            Name resolution for the name dns.msftncsi.com timed out after none of the configured DNS servers responded.

         ......................... WINSERVER8 passed test SystemLog

      Starting test: VerifyReferences

         ......................... WINSERVER8 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : Diplomat

      Starting test: CheckSDRefDom

         ......................... Diplomat passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Diplomat passed test CrossRefValidation

   
   Running enterprise tests on : Diplomat.local

      Starting test: LocatorCheck

         ......................... Diplomat.local passed test LocatorCheck

      Starting test: Intersite

         ......................... Diplomat.local passed test Intersite


65td

Is the "TCP\IP Netbios helper" service running?
Fubschuk (ASKER)

Yes, TCP/IP NetBIOS Helper is running - set to Automatic.

At a first glance, it looks like you have got a DNS problem. ("dcdiag /fix" does nothing else than write back the SPN used for replication.)

Do you have three domain controllers at the moment?

1. Run and post: netdom query dc

2. Run and post: repadmin /replsum

3. Run and post: ipconfig /all (on all DCs listed in #1)



1...................
C:\>netdom query dc
List of domain controllers with accounts in the domain:

WINSERVER11
WINSERVER13
WINSERVER8
The command completed successfully.

2....................
C:\>repadmin /replsum
Replication Summary Start Time: 2010-11-26 15:12:00

Beginning data collection for replication summary, this may take awhile:
  ......


Source DSA          largest delta    fails/total %%   error
 WINSERVER11               23m:58s    0 /  10    0
 WINSERVER13               21m:20s    0 /  10    0
 WINSERVER8                23m:58s    0 /  10    0


Destination DSA     largest delta    fails/total %%   error
 WINSERVER11               20m:14s    0 /  10    0
 WINSERVER13               23m:59s    0 /  10    0
 WINSERVER8                21m:21s    0 /  10    0

3................

Winserver8
 
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WINSERVER8
   Primary Dns Suffix  . . . . . . . : Diplomat.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : Diplomat.local

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client) #2
   Physical Address. . . . . . . . . : 84-2B-2B-18-2B-07
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::849e:afd4:9d7d:814d%13(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.0.254.9(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.254.240
   DHCPv6 IAID . . . . . . . . . . . : 310651691
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-EF-85-1F-84-2B-2B-18-2B-08
   DNS Servers . . . . . . . . . . . : 10.0.254.8
   NetBIOS over Tcpip. . . . . . . . : Disabled

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Broadcom BCM5716C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : 84-2B-2B-18-2B-08
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4da9:550a:833b:4a2f%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 10.0.254.8(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.254.241
   DHCPv6 IAID . . . . . . . . . . . : 243542827
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-13-EF-85-1F-84-2B-2B-18-2B-08
   DNS Servers . . . . . . . . . . . : ::1
                                       10.0.254.8
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{E184EFF1-5BF9-4878-BCF9-0FFC4BE0B5F9}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{245E2C8F-3ED4-412D-9ECC-8E8732DD3D91}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 12:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


Winserver11
 
Windows IP Configuration



   Host Name . . . . . . . . . . . . : winserver11

   Primary Dns Suffix  . . . . . . . : Diplomat.local

   Node Type . . . . . . . . . . . . : Hybrid

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No

   DNS Suffix Search List. . . . . . : Diplomat.local



Ethernet adapter Intel Pro 1000 MT Gigabit Ethernet Adapter - Onboard:



   Connection-specific DNS Suffix  . : 

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection

   Physical Address. . . . . . . . . : 00-11-43-D1-19-C7

   DHCP Enabled. . . . . . . . . . . : No

   IP Address. . . . . . . . . . . . : 10.0.254.10

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   IP Address. . . . . . . . . . . . : 10.0.254.11

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 10.0.254.241

   DNS Servers . . . . . . . . . . . : 10.0.254.11

   Primary WINS Server . . . . . . . : 10.0.254.11


Winserver13
 
Windows IP Configuration



   Host Name . . . . . . . . . . . . : Winserver13

   Primary Dns Suffix  . . . . . . . : Diplomat.local

   Node Type . . . . . . . . . . . . : Unknown

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No

   DNS Suffix Search List. . . . . . : Diplomat.local



Ethernet adapter Local Area Connection:



   Connection-specific DNS Suffix  . : 

   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection

   Physical Address. . . . . . . . . : 00-11-43-D1-17-8D

   DHCP Enabled. . . . . . . . . . . : No

   IP Address. . . . . . . . . . . . : 10.0.254.13

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 10.0.254.240

   DNS Servers . . . . . . . . . . . : 10.0.254.13


Replication is ok (strangely), but:

Any reason you got two NICs in the same IP-scope on Winserver8?

Any reason you got two IP-addresses on Winserver11?

Is your DNS AD-integrated?

Winserver8 is using SMTP connectors on different ports, as was Winserver11.

I did find that DNS was not running on Winserver13 and had recently rebooted after a Windows update. None of the other servers are set to automatic on Windows update so that might have been the cause of my problems, have turned off auto update now.

I am still getting errors when I run DCdiag /fix which i would like to get to the bottom of, see below....
 
Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = WINSERVER8

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\WINSERVER8

      Starting test: Connectivity

         ......................... WINSERVER8 passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\WINSERVER8

      Starting test: Advertising

         Warning: DsGetDcName returned information for

         \\winserver11.Diplomat.local, when we were trying to reach WINSERVER8.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... WINSERVER8 failed test Advertising

      Starting test: FrsEvent

         ......................... WINSERVER8 passed test FrsEvent

      Starting test: DFSREvent

         ......................... WINSERVER8 passed test DFSREvent

      Starting test: SysVolCheck

         ......................... WINSERVER8 passed test SysVolCheck

      Starting test: KccEvent

         ......................... WINSERVER8 passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... WINSERVER8 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... WINSERVER8 passed test MachineAccount

      Starting test: NCSecDesc

         ......................... WINSERVER8 passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\WINSERVER8\netlogon)

         [WINSERVER8] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... WINSERVER8 failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... WINSERVER8 passed test ObjectsReplicated

      Starting test: Replications

         ......................... WINSERVER8 passed test Replications

      Starting test: RidManager

         ......................... WINSERVER8 passed test RidManager

      Starting test: Services

         ......................... WINSERVER8 passed test Services

      Starting test: SystemLog

         ......................... WINSERVER8 passed test SystemLog

      Starting test: VerifyReferences

         ......................... WINSERVER8 passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : Diplomat

      Starting test: CheckSDRefDom

         ......................... Diplomat passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Diplomat passed test CrossRefValidation

   
   Running enterprise tests on : Diplomat.local

      Starting test: LocatorCheck

         ......................... Diplomat.local passed test LocatorCheck

      Starting test: Intersite

         ......................... Diplomat.local passed test Intersite


Is your domain/forest zone AD-integrated?
I believe so....



 
Enumerated zone list:
	Zone count = 3

 Zone name                      Type       Storage         Properties

 .                              Cache      AD-Domain       
 _msdcs.Diplomat.local          Primary    AD-Forest       Secure Aging 
 Diplomat.local                 Primary    AD-Domain       Secure Aging 


Command completed successfully.


Are all three DCs listed in the Name server tab on the zone?

If so, I would make things a little easier during troubleshooting.

Configure all three DCs to use 10.0.254.8 as primary DNS and themselves as secondary.

On all DCs run:

ipconfig /flushdns
ipconfig /registerdns (to register the A-record)

Restart the netlogon service (to register SRV records)
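
The three steps above (point the DNS client at 10.0.254.8 with the DC itself as secondary, flush and re-register, restart Netlogon) as one script, added here as an example; it is not code from the thread or from either participant. It uses the WMI interface that Windows Server 2008's PowerShell 2.0 ships with; the 10.0.254.8 address is the one named in the thread and the adapter selection (every IP-enabled adapter with a default gateway) is an assumption that should be narrowed on a multihomed DC.

```powershell
# Added example, not from the thread: set the DNS client order on this DC to
# the expert's suggested primary (10.0.254.8) plus the DC's own address, then
# re-register A and SRV records. Run elevated on each DC in turn.

param(
    [string]$PrimaryDns = '10.0.254.8'   # address from the thread; adjust per environment
)

# Assumption: the adapter(s) that carry an IPv4 address and a default gateway
# are the ones that should serve DNS. On a two-NIC DC (Winserver8 in the thread)
# restrict this filter to the adapter you intend to keep.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled -and $_.IPAddress -and $_.DefaultIPGateway }

foreach ($nic in $nics) {
    # First IPv4 address of the adapter becomes the secondary entry ("itself").
    $self = $nic.IPAddress | Where-Object { $_ -match '^\d+\.\d+\.\d+\.\d+$' } | Select-Object -First 1
    $order = @($PrimaryDns)
    if ($self -and $self -ne $PrimaryDns) { $order += $self }

    Write-Host ("Setting DNS servers on '{0}' to {1}" -f $nic.Description, ($order -join ', '))
    # Replaces the whole list, so leftover ::1 / 127.0.0.1 entries disappear too.
    $result = $nic.SetDNSServerSearchOrder($order)
    if ($result.ReturnValue -ne 0) {
        Write-Warning ("SetDNSServerSearchOrder returned {0} on '{1}'" -f $result.ReturnValue, $nic.Description)
    }
}

# Clear the resolver cache and re-register the host (A) record.
ipconfig /flushdns | Out-Null
ipconfig /registerdns | Out-Null

# Netlogon re-registers the DC's SRV records (_msdcs, _tcp, _udp) when it starts.
Restart-Service Netlogon -Force

# Print the resulting client configuration so it can be pasted into the thread.
Get-WmiObject Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled } |
    Select-Object Description, IPAddress, DNSServerSearchOrder | Format-List
```

Run it on the DC that hosts 10.0.254.8 last, so the other DCs already resolve through it when they re-register; after the Netlogon restart, the _msdcs records can be checked with the dcdiag DNS test the expert asks for next.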

Ok done that all 3 DC were listed in the Name server tab on the zone
Run "dcdiag /test:dns /v > dnsdiag.txt".

Please attach the file.
Here you go dnsdiag.txt
DNS looking good on Winserver8.

Run and attach:

dcdiag /v /e /c /f:dcdiag.txt

On Winserver8 you should check the _msdcs DNS zone for inactive/orphaned CNAME registration. Delete incorrect registrations.

You'll find the DC's GUID by running ie. "repadmin /showrepl" on each DC.

ie.
SITE\DC-name
DC object GUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxx

On Winserver11 it looks like the RPC service is not running in shared mode:

Run this on Winserver11: sc config rpcss type=share


Run a new "dcdiag /v /e /f:dcdiag2.txt" (skip the /c)
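
The GUID-to-CNAME check described above, written out as an added example (not the thread's or either participant's code): it reads each live DC's object GUID from "repadmin /showrepl", resolves the matching GUID record in _msdcs and reports records that are missing or point at the wrong host, then lists GUID CNAMEs in the zone that no live DC owns. It assumes repadmin.exe and dnscmd.exe are on the path, that _msdcs.Diplomat.local is its own AD-integrated zone as the thread's zone list shows, and the dnscmd output format it parses (a GUID, then "CNAME", then the target) is an assumption to verify against one real line.

```powershell
# Added example, not from the thread: reconcile DC object GUIDs with the
# GUID CNAME records in the _msdcs zone.

$domain = 'Diplomat.local'   # from the thread; adjust per environment

# DCs as the directory knows them (the same set "netdom query dc" lists).
$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers

$report = foreach ($dc in $dcs) {
    # repadmin prints "DSA object GUID: <guid>" near the top of /showrepl output.
    $text = & repadmin /showrepl $dc.Name 2>&1 | Out-String
    if ($text -notmatch 'object GUID:\s*([0-9a-fA-F-]{36})') {
        New-Object PSObject -Property @{ DC = $dc.Name; GUID = $null; CNAMETarget = $null; Status = 'repadmin failed (RPC or DNS?)' }
        continue
    }
    $guid  = $matches[1]
    $cname = "$guid._msdcs.$domain"
    try {
        # GetHostEntry follows the CNAME; HostName is the canonical (A-record) name.
        $entry  = [System.Net.Dns]::GetHostEntry($cname)
        $target = $entry.HostName
        $status = if ($target -ieq $dc.Name) { 'OK' } else { 'CNAME points at a different host' }
    } catch {
        $target = $null
        $status = 'CNAME missing or unresolvable'
    }
    New-Object PSObject -Property @{ DC = $dc.Name; GUID = $guid; CNAMETarget = $target; Status = $status }
}

$report | Format-Table DC, GUID, CNAMETarget, Status -AutoSize

# Reverse check: every GUID CNAME in the zone should belong to a live DC.
# Assumption: dnscmd lists records as "<guid> ... CNAME <target>" one per line.
$live = @($report | Where-Object { $_.GUID } | ForEach-Object { $_.GUID.ToLower() })
& dnscmd /enumrecords "_msdcs.$domain" "@" /type CNAME 2>&1 | ForEach-Object {
    if ($_ -match '^\s*([0-9a-fA-F-]{36})\s.*CNAME\s+(\S+)') {
        $g = $matches[1].ToLower(); $t = $matches[2]
        if ($live -notcontains $g) {
            Write-Warning "GUID CNAME $g -> $t has no live DC behind it; candidate for deletion"
        }
    }
}
```

A record flagged by the second pass is exactly the orphaned registration the expert asks to delete by hand; the script only reports, it never removes anything, so the deletion stays a deliberate step in the DNS console.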
Not having any luck running sc config rpcss type=share on Winserver11

I get this:
DESCRIPTION:
        Modifies a service entry in the registry and Service Database.
USAGE:
        sc <server> config [service name] <option1> <option2>...

OPTIONS:
NOTE: The option name includes the equal sign.
 type= <own|share|interact|kernel|filesys|rec|adapt>
 start= <boot|system|auto|demand|disabled>
 error= <normal|severe|critical|ignore>
 binPath= <BinaryPathName>
 group= <LoadOrderGroup>
 tag= <yes|no>
 depend= <Dependencies(separated by / (forward slash))>
 obj= <AccountName|ObjectName>
 DisplayName= <display name>
 password= <password>
ASKER CERTIFIED SOLUTION
snusgubben
(solution text available to Experts Exchange members only)
That worked here is dcdiag2.txt
 dcdiag2.txt
You need to start the NTFRS service on Winserver11.

You are still having issues where Winserver11 is returned when trying to get Winserver13. This can be a pain when using multihomed domain controllers (which you should avoid). Did you verify that you don't have any outdated A-records (for the DCs) and CNAMEs?
Winserver11 is having problems. I rebooted it today as suggested in the dcdiag text, but I'm now having problems connecting Outlook and logging on to machines. I get the error when trying to replicate. I have also noticed that there is no DNS information in the forward lookup zones on Winserver11.

[screenshot]
The CNAME's seem to be ok:

[screenshot]
Can you take a screenshot of the _msdcs subdomain located under the forward lookup zone Diplomat.local?

It looks like it has been delegated.
It's not getting any better. It seems as though Winserver11 has a hold over the domain: unless it is up nothing can log in, but it does seem to be referenced by 8 and 13. I would like to get 11 off the domain so there is no further dependence on it.
[screenshot]
Running dcdiag run on each machine (dcdiag /v /e /f:dcdiag2.txt)
Winserver11:
 DCDiag1-11.txt
Winserver13:
 DCDiag1-13.txt
Winserver8:
 DCDiag1-8.txt
When you go into ADSI Edit on Winserver8 the default settings are pointing to Winserver11?? [screenshot]
SOLUTION (text available to Experts Exchange members only)
All DC are at the same site.
WINSERVER11's time is not in sync with the others; it's been out by about 1 hour since it was rebooted yesterday.
Also, WINSERVER11 is not showing anything for the forwarders in DNS, it's all empty, so I won't be able to delete anything from there.

How do I set the Order of the bindings, Winserver 8 uses 2 NICs?
If Winserver11 is more than 5 minutes off sync with the others, it will not replicate (kereros auth. will fail). AD integrated DNS is in the application NC and will be affected by this.

Winserver11 should sync its time with the PDC holder.

Here's how I like to setup the domain time: http://adfordummiez.com/?p=67

Binding order: http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/
Typo: *kerberos auth. will fail
Winserver11 time is now in sync and I have removed and replicated the msdc zone in 8 and 13.

Winserver11 did not replicate

Also

Looking at AD sites and service in Winserver11 you get this
[screenshot]
Looking at Ad Sites and services on Winserver 8 you get this
[screenshot]
Have you tried to demote winserver11 and the process failed?

Is the winserver11 in use anymore? If you want to remove it you have to run a force removal + MD cleanup if there are any traces.

 



I tried to remove winserver11 yesterday and it failed, I would like to remove it as a DC but looks like its lost its way.

Can't logon on the 11 or 13 now


So #11 has no role in your domain?

Who holds the FSMOs? "netdom query fsmo"
Transfer or seize any FSMO from #11.

If you tried to demote it but it failed, you have to run "dcpromo /forceremoval" on #11, and run a MD Cleanup from a working DC. http://www.petri.co.il/delete_failed_dcs_from_ad.htm


Are 8 and 13 Global Catalogs? cmd > "dsquery server -isgc"
If they are not GC, promote them to GCs.

All DCs use #8 as primary DNS. Correct? Are your clients also using this as primary (DHCP scopes)?

Where is your Exchange located?
Is this a 2003 Exchange? -> Yes -> Verify that the Recipient Update Service is pointing to the correct DC.
http://www.msexchange.org/tutorials/MF017.html

Typing netdom query on any of the 3 servers results in the same:

"The specified domain either does not exist or could not be contacted"

If I run "dcpromo /forceremoval" on #11 it warns that it is a GC

I went through the MD cleanup and that showed no trace of #11

But when you run "dsquery server -isgc" it shows that only Winserver13 is the GC

Exchange (2010) is on #8; #11 used to be Exchange 2003 until we got the new machine #8

Not sure what to do now

Strangely, I just ran "netdom query fsmo" on #8 and got a result back (I didn't the first time)

C:\Users\Administrator.DIPLOMAT0>netdom query fsmo
Schema master               WINSERVER8.Diplomat.local
Domain naming master        WINSERVER8.Diplomat.local
PDC                         WINSERVER8.Diplomat.local
RID pool manager            WINSERVER8.Diplomat.local
Infrastructure master       WINSERVER8.Diplomat.local
The command completed successfully.
Could the problem be that #11 used to be GC but #13 has not/never updated as GC which is why we can't logon?

C:\>dsquery server -isgc
"CN=WINSERVER13,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration, DC=Diplomat,DC=local"
If you don't have a GC, users can login.

Try to promote #8 to a GC.

I went through the MD cleanup and that showed no trace of #11

Then it's removed from the domain. You just have to make sure that clients don't use this ex DC as a DNS/WINS.
#8 has promoted ok

"CN=WINSERVER13,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration, DC=Diplomat,DC=local"
"CN=WINSERVER8,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration, DC=Diplomat,DC=local"


So how do I make sure that nothing else tries to use #11 as the GC?
I can't log on to the Exchange console on #8 as "specified name is not a forest, ADDC,...."
I can't RDP on to #13 or #11 "Specified domain does not exist..."
I can't get any emails on Outlook or OWA

It should all be working but it just isn't
It's all behaving very strange. I can get on to OWA now but just had this error on Exchange console: [screenshot]
Still can't RDP #13 [screenshot]
I can get to files share on domain servers?
Run a "dcdiag /e /v /f:dcdiag4.txt" on server 8
Results of "dcdiag /e /v /f:dcdiag4.txt"
 dcdiag4.txt
Is the firewall enabled on the 2008 server?
From a previous screen shot of the _msdcs domain:

bcd2bca9-7429-4998-9508-ec7ff154a2c4._msdcs.Diplomat.local = winserver11

Starting test: KccEvent

         * The KCC Event log test
         An error event occurred.  EventID: 0xC0000583

            Time Generated: 12/06/2010   11:32:42

            Event String:

            Active Directory Domain Services failed to

            construct a mutual authentication service

            principal name (SPN) for the following directory

            service.
       

            Directory service:

            bcd2bca9-7429-4998-9508-ec7ff154a2c4._msdcs.Diplomat.local


Make sure that the two CNAME records in _msdcs is correct and that the corresponding A-record also is correct.
Also run this on #13:

sc config rpcss type= share
(remember space after =)

Is the time between 8 and 13 in sync?

#13 is logging FRS 13565. Have you tried to set the Burflags to D2?
Looks like #11 has crept back in:
[screenshot]
Will I need to delete the _msdcs.diplomat.local zone and force a replication:

repadmin /syncall /A /P /e

Disable the network on 11 or turn it off. Delete the CNAME and other records belonging to 11. (look through the _msdcs tree)

No need to delete the zone.
I have deleted the references to #11 in the _MSDCS tree. There are still references to #11 in _sites, _tcp, _udp and the DomainDnsZones and ForestDnsZones. Should I remove these as well?
Yes. All traces in DNS must be deleted
I have removed all trace in DNS on #8 and #13 still no outlook connectivity still cannot RDP onto #13 what is the next step?
You didn't answer these:

Also run this on #13:

sc config rpcss type= share
(remember space after =)

Is the time between 8 and 13 in sync?

#13 is logging FRS 13565. Have you tried to set the Burflags to D2?

Ok I have run sc config rpcss type= share and
I have set the Burflag to 2 on #13 and restarted ntfrs service
#8 #13 are displaying the same time.

What next?
I didn't mean you should set the Burflags to D2. The dcdiag log indicated that you had done that, so I just asked you :)

If you're going to set the Burflags to D2, #8 needs to share its SYSVOL and be authoritative. When you have DNS/advertising issues you should not set the Burflags.
If you do so #13 will dump its SYSVOL content to the Pre_Existing folder and wait for new content from an upstream partner. It will not find an upstream partner if #8 isn't advertising correctly.

Run a new dcdiag and also include a dnslint report.

dnslint /ad /s 10.0.254.8 /v


DCDIAG5.txt dcdiag5.txt

I can't run dnslint 'not recognised....'

Sorry about the Burflags should I put them back or is it too late #13 had them set to 0?

This depth of AD is beyond me, I only hope with your help  I can fix it, the boss is getting worried it could be game over.
Get dnslint here: http://support.microsoft.com/kb/321045

The flag will return to 0 once the ntfrs service is started. Is #8 sharing its SYSVOL with content?

I think we'll get your domain back in shape, but it might take some time as this is an "offline" forum. If you're in a hurry you could always contact MS Support.

Please run the dnslint and attach the report. I'll check the dcdiag in a couple of hours. Dinner time.
Thanks for sticking with me.
 dnslint.htm

I'm not sure #8 or #13 are sharing SYSVOL I ran a 'net share' on #8 and got these shares:

ADMIN$; C$; D$; IPC$; Address; ExchangeOAB; GroupMetrics
It looks like you set the Burflags to D4 on #8?

Is #13 sharing its SYSVOL?
I didn't change the Burflags on #8, they are still set to 0; should I change them to D4?

NET share on #13 shows ADMIN$; C$;  IPC$;

No netlogon or sysvol shares on #13 or #8
Do not change the flag yet.

Do you have any content of %Windows%Sysvol\Sysvol\Domain Name\NTFRS_Preexisting folder on any DC?

Or, do you have a backup of your SYSVOL? (ie. a system state)
I have a copy of SYSVOL from Winserver11, a backup system state (22/11/2010), or I could get the current one from Winserver11, but that won't be until tomorrow as I disabled the NIC
SOLUTION (text available to Experts Exchange members only)
Btw. Do you use DFS?

If yes, you should not set the global Burflags.
Not sure if I use DFS, how can I tell?

Also, before I proceed,  do I need to do anything with the SYSVOL files from Winserver11 Backup, or does that come later?
Verify HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID

If you only have one GUID, then that's the SYSVOL replica, and you are not using DFS.

Keep the backup files as backup. If you have many custom made GPOs and scripts, we'll need to get them from #11 or a system state backup.
You set the Burflags here if you don't have DFS:

HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

Complete up to point 4, then I get Event ID 13566:

File Replication Service is scanning the data in the system volume. Computer WINSERVER8 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
 
To check for the SYSVOL share, at the command prompt, type:
net share
 
When File Replication Service completes the scanning process, the SYSVOL share will appear.
 
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.
Please download frsdiag: http://www.microsoft.com/downloads/en/details.aspx?FamilyId=43CB658E-8553-4DE7-811A-562563EB5EBF&displaylang=en

Run a frsdiag and attach the two connstat files created.
SOLUTION (text available to Experts Exchange members only)
No joy with the above so have attached frsdiag files (there are quite a few)
 ntfrs-sysvol.zip
It's been a long day, I'll check back in the morning, thanks for you help today
SOLUTION (text available to Experts Exchange members only)
No Joy, still no SYSVOL share, and EventID 13566 still present in logs
What does the folder structure look like under: %Windows%Sysvol\
Also verify that the "SysVol" key is present under:

HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\
The structure below SYSVOL is as below, but there are no files in any of the folders.
[screenshot]
SYSVOL from #11 has a lot more in it:
The  "SysVol" key is present under: HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\  
#11 has both the Default Domain Policy and Default Domain Controller Policy. #8 doesn't have those.

Take a copy of #11's SYSVOL and place the copy on the same partition.


Try to make #11 authoritative:

Stop ntfrs on both servers.
Burflags = D4 on #11
Burflags = D2 on #8

Start ntfrs on #11.
Check if Event ID 13553 and 13516 are logged on #11

Do you mean put a copy of the #11 SYSVOL onto #8, replacing what is already on #8?
No, just a "backup" of #11's sysvol content. (do not copy the content between the DC's)
So just to be clear...
I will take the backup copy of #11 SYSVOL and replace the SYSVOL in #11 then
Try to make #11 authoritative:
Stop ntfrs on both servers.
Burflags = D4 on #11
Burflags = D2 on #8
Start ntfrs on #11.
Check if Event ID 13553 and 13516 are logged on #11
Do not replace any SYSVOL on #11. I just want you to take a copy of it before you set the burflags.

The D4 flag should not touch the content (as D2 will), but to be on the safe side...
Got event ID 13565 on #11
Event 13565 indicates that the Burflags is set to D2.

Event 13566 indicates that the Burflags is set to D4.

In post http:#34283696 you attached a dcdiag, before we even started to talk about the Burflags.

A warning event occurred.  EventID: 0x800034FE
Time Generated: 12/06/2010   08:56:00


EventID: 0x800034FE = 13566

Did you set the flag before we took it up?

Can you try to restart #11, stop the ntfrs, set the burflags to D4.

Make sure ntfrs is not running on #8 during this.
All Burflags were set to 0 before I changed #13 to 2 in post http:#34283262. Then I have only NOW just changed the Burflags on #11 and #8. Both #8 and #13 have Burflags set at 2 and both have ntfrs STOPPED.
I will now restart #11
I assume you mean "D2" (hex), not "2"?



ooooh, I'd been putting 2 as in decimal, not "D2" hexadecimal. Are those values ignored? Shall I repeat the exercise on #11/#8 using the hex "D4" and "D2"?
Stop ntfrs on both servers.
Burflags = D4 on #11
Burflags = D2 on #8
Start ntfrs on #11.
Looking at the SYSVOL folders on all machines my observations are this
#8 & #13 look to be the same
#11 is different to its backup from 22/11/2010
hehe.. Yes, if you haven't done it already, set the burflags to:

stop ntfrs on both
"D4" on #11
"D2" on #8

start ntfrs on #11. Check if the events are present.

If they are, start ntfrs on #8. Check FRS events.

#13 is out of the replica set, so you shouldn't do anything on this.
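The Burflags procedure the posts above describe, as an added PowerShell example that is not part of the original thread. It sets the global BurFlags value as a hexadecimal DWORD (D4 = authoritative source, D2 = non-authoritative rebuild, so the decimal 2/4 mix-up from earlier in the thread cannot happen), dumps every value under each replica-set GUID, and then watches the File Replication Service log for the event IDs the thread names. Assumptions: it is run elevated on a DC that still uses FRS for SYSVOL, and the registry paths are the ones quoted in the thread. The "Backup/Restore" key name contains a slash, which the PowerShell registry provider treats as a path separator, so the .NET Registry API is used instead of Set-ItemProperty.

```powershell
# Added example (not from the original thread). Usage, per the thread's order:
#   .\Set-FrsBurFlags.ps1 -Mode D4 -StartFrs        on the authoritative DC (#11)
#   .\Set-FrsBurFlags.ps1 -Mode D2                  on the other DC, NtFrs left stopped
#   .\Set-FrsBurFlags.ps1 -Mode D2 -StartFrs        on the other DC once 13516 has appeared on the D4 side
param(
    [Parameter(Mandatory = $true)][ValidateSet('D4', 'D2')][string]$Mode,
    [switch]$StartFrs,            # start NtFrs after setting the flag
    [int]$WaitSeconds = 300       # how long to wait for FRS events after starting
)

# Hexadecimal values, as the thread insists; decimal 2 or 4 are different numbers and mean nothing here.
$BurFlagValues  = @{ D4 = 0xD4; D2 = 0xD2 }
$GlobalKey      = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$ReplicaSetsKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets'

function Set-BurFlags([string]$SubKey, [int]$Value) {
    # .NET Registry API because the key name "Backup/Restore" contains a slash.
    $k = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
    if (-not $k) { throw "Registry key not found: HKLM\$SubKey" }
    $k.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $readBack = $k.GetValue('BurFlags')
    $k.Close()
    return ('0x{0:X}' -f $readBack)     # read back in hex so a wrong (decimal) value is obvious
}

function Show-ReplicaSets {
    # Dumps every value under each replica-set GUID (one GUID means SYSVOL only, no DFS
    # replica sets), so BurFlags and partner counts are visible without guessing value names.
    $root = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($ReplicaSetsKey)
    if (-not $root) { Write-Warning 'No Cumulative Replica Sets key found'; return }
    foreach ($guid in $root.GetSubKeyNames()) {
        $k = $root.OpenSubKey($guid)
        Write-Host "Replica set $guid"
        foreach ($n in $k.GetValueNames()) {
            $v = $k.GetValue($n)
            if ($v -is [int]) { $v = '0x{0:X}' -f $v }
            Write-Host ('  {0,-30} {1}' -f $n, $v)
        }
        $k.Close()
    }
    $root.Close()
}

# 1. Stop FRS on this DC (the thread stops it on both DCs before touching any flag).
Stop-Service NtFrs -Force
(Get-Service NtFrs).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# 2. Set the global BurFlags and show the per-replica-set values.
$startedAt = Get-Date
Write-Host ("Global BurFlags on $env:COMPUTERNAME now {0}" -f (Set-BurFlags $GlobalKey $BurFlagValues[$Mode]))
Show-ReplicaSets

if (-not $StartFrs) { Write-Host 'NtFrs left stopped; start it once the D4 side has logged 13516.'; return }

# 3. Start FRS and wait for the events the thread looks for:
#    13566 = authoritative scan in progress (D4), 13565 = non-authoritative restore in progress (D2),
#    13553/13516 = joined the replica set and SYSVOL shared.
Start-Service NtFrs
$wanted   = 13516, 13553, 13565, 13566
$deadline = $startedAt.AddSeconds($WaitSeconds)
do {
    Start-Sleep -Seconds 15
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = $wanted; StartTime = $startedAt } -ErrorAction SilentlyContinue
    $ids = @($events | ForEach-Object { $_.Id })
} until (($ids -contains 13516) -or ((Get-Date) -gt $deadline))

$events | Sort-Object TimeCreated | ForEach-Object {
    Write-Host ('{0}  {1}  {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0])
}

# 4. SYSVOL is only shared after 13516; confirm it the way the thread does (net share).
if (net share | Select-String '^SYSVOL\s') { Write-Host 'SYSVOL is shared.' } else { Write-Warning 'SYSVOL is not shared yet.' }
```

Keep the D2 side's NtFrs stopped until the D4 side has logged 13516; starting both at once with D2 on each side leaves no DC willing to seed the replica set, which is the state the thread keeps running into.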
Same as before, got event ID 13565 on #11, bummer!

What about if I use the backup SYSVOL I have from 22/11/2010 on #11?
It has no purpose to use the backup as long as you can make an authoritative restore of the sysvol replica set.

Try to set the burflags on the cumulative replica set on #11:

Stop ntfrs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID

Key= Burflags
Value (hex) = D4

start ntfrs.
Burflags already set at (hex)=d4
number of partners =0
Is the Global Burflags = 0 and the replica specific burflags = D4?

Is the "number of partners" = 0 on both #8 and #11?
I have attached the reg hive from #11 and #8 for ntfrs for you to look at. I can't see a global setting for #11 but #8 has 2 partners.
 ntfrs-11.txt

 ntfrs-8.txt
Yes
Event ID: 13553, 13554, 13516

Replication has started on #8, shall I run a dcdiag?
SYSVOL showing as shared
That's good. Does the SYSVOL hold any Policies?

Set the flag (if not already set) to D2 on #11. Start ntfrs and check the event log
Do I need to turn on ntfrs on #11 and #13 now?

I can now RDP to #13 and #11 but Outlook still not connecting
#13 is not a domain controller anymore. It might see itself as one, but he's off the domain.

All SYSVOL folders on #8 are empty
#11 was the one that failed removal on the domain
Start ntfrs on #11 if you have set it to D2
ohh.. long post so it's easy to mix it up.

Do it on #13 :)
Event ID 13565 on #11 when starting ntfrs
Same on #13: Event ID 13565 on #11 when starting ntfrs

File Replication Service is initializing the system volume with data from another domain controller. Computer WINSERVER13 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
 
To check for the SYSVOL share, at the command prompt, type:
net share
 
When File Replication Service completes the initialization process, the SYSVOL share will appear.
Is netlogon shared on #8?
Do you think we need the contents of #11 SYSVOL as it is the only one with anything in.

Also should I take #11 back off the LAN as it is appearing back in the DNS records?
I guess you have #11 as a name server (name server tab on the domain zone). Remove it from the tab. Also remove records it has created.

You need two policies to be able to authenticate. The Default Domain Policy (GUID=E31xxxxx-) and the Default Domain Controller Policy (GUID = 6Axxxxxxxx-).

If you have not modified these you can create them all over with a tool called DCGPOFIX (you have to run setup /domainprep on the Exchange when you do this).

Or you can restore them from a backup. If you have the GPMC on #11 you can run a backup directly, copy them over and restore them on #8.
*Default domain policy = GUID starts with 31B2F340-xxxxxxx
I'll be offline most of the evening, but I'll check back with you.

If you decide to create those two policies from scratch, here is a thread about it.
https://www.experts-exchange.com/questions/24403319/Default-Domain-Policy.html

You have to be sure that both SYSVOL and NETLOGON are shared on #8.

That sounds Heavy, can you break it down a bit.
The GUIDs are these, the folders under \SYSVOL\Domain\Policies
6AC1xxxx
8FACExxx
31B2F3xxx
as shown in post 34291280
I have not modified any policies, they are 'out of the box'. Where do I get DCGPOFIX, or will it be easier to do the second option?
I can see the domain object in GPEDIT on #11 but don't know how to proceed.
If you have not made any changes to the default policies since the domain was created, it's easier to use dcgpofix.

First run cmd > net view on #8
If only SYSVOL shows up and not the NETLOGON share, follow this KB

http://support.microsoft.com/kb/947022/en-us
Will it be safe to run dcgpofix on #8 which is also an Exchange 2010 server?
I can't get the NETLOGON share using the above procedure. I have noticed this Event ID: 5706

The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\Diplomat.local\SCRIPTS.  The following error occurred:
The system cannot find the file specified.

And also Event ID: 1058

The processing of Group Policy failed. Windows attempted to read the file \\Diplomat.local\SysVol\Diplomat.local\Policies\{de3b4a4c-6ef8-475b-af25-2af764b7aefd}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
You'll get GPO errors. Don't bother with them at the moment.

Stop both ntfrs and netlogon service on #8. Start them up again. Check if NETLOGON is shared.
ntfrs needs to be started first
Regarding the dcgpofix tool, you can run it but it will set the default permissions on the default GPOs.

"setup /prepareAD" from the Exchange media should fix it up.

http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/be31c490-0784-498b-8a60-e5332170ea76/

stopped both ntfrs and netlogon, restarted ntfrs first, but still no netlogon share
Event ID 5705
Regarding the 5705 error, there was not much info out there.

Found this for NT and 2000: http://support.microsoft.com/kb/173882 (see the workaround for 2000)

This one says the same for 2003: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=5705&EvtSrc=NetLogon&LCID=1033



Sorry my bad, it was event ID 5706
Take a look at this KB if it will help you.

http://support.microsoft.com/kb/258805
Still getting 5706

The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\Diplomat.local\SCRIPTS.  The following error occurred:
The system cannot find the file specified.

I have also run latested DCDIAG from #8
 dcdiag6.txt
What is the value of:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

SysvolReady:
Sysvol:
DBflag (is it present?):

If Dbflag is not present, stop netlogon, create it (Reg_sz, value = 0)
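The checks the last few posts do by hand (the Netlogon\Parameters values, net share, the SCRIPTS folder behind event 5706, the FRS 13516 event), collected into one added PowerShell readiness check. This is an added example, not code from the original thread. Assumptions: it runs elevated on the DC being checked, the domain DNS name is read from the machine itself, and when the Sysvol registry value is missing it falls back to the default %windir%\SYSVOL\sysvol location. Win32_Share is used because Get-SmbShare does not exist on 2003/2008.

```powershell
# Added example (not from the original thread). Run on #8 (or #13) as an administrator:
#   .\Test-SysvolNetlogon.ps1                    report only
#   .\Test-SysvolNetlogon.ps1 -RestartServices   also restart NtFrs and then Netlogon, in that order
param([switch]$RestartServices)

$domain = (Get-WmiObject Win32_ComputerSystem).Domain          # e.g. Diplomat.local
$nl     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

$results = @()
function Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Name; OK = $Ok; Detail = $Detail }
}

# Registry values the thread asks for. A typo such as "c:|windows" fails the Test-Path here.
$sysvolRoot = if ($nl.Sysvol) { $nl.Sysvol } else { "$env:windir\SYSVOL\sysvol" }   # fallback is an assumption
Check 'SysvolReady = 1'  ($nl.SysvolReady -eq 1)                                          ('SysvolReady=' + $nl.SysvolReady)
Check 'Sysvol path valid' ([bool]$nl.Sysvol -and (Test-Path $sysvolRoot -ErrorAction SilentlyContinue)) ('Sysvol=' + $nl.Sysvol)
Check 'DbFlag present'   ($null -ne $nl.DbFlag)                                           ('DbFlag=' + $nl.DbFlag)

# Folders Netlogon needs before it can create the shares; 5706 above is SCRIPTS missing.
$scripts  = Join-Path $sysvolRoot "$domain\SCRIPTS"
$policies = Join-Path $sysvolRoot "$domain\Policies"
Check 'SCRIPTS folder exists'  (Test-Path $scripts)  $scripts
Check 'Policies folder exists' (Test-Path $policies) $policies
if (Test-Path $policies) {
    # Every policy folder must carry a gpt.ini, otherwise clients log event 1058 for it.
    $gpoDirs = @(Get-ChildItem $policies | Where-Object { $_.PSIsContainer })
    $withGpt = @($gpoDirs | Where-Object { Test-Path (Join-Path $_.FullName 'gpt.ini') })
    Check 'Policy folders have gpt.ini' ($gpoDirs.Count -gt 0 -and $withGpt.Count -eq $gpoDirs.Count) ('{0} folders, {1} with gpt.ini' -f $gpoDirs.Count, $withGpt.Count)
}

# Shares, the same information as "net share".
$shares = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name })
Check 'SYSVOL shared'   ($shares -contains 'SYSVOL')   ($shares -join ', ')
Check 'NETLOGON shared' ($shares -contains 'NETLOGON') ''

# Recent events the thread keys on: FRS 13516 (SYSVOL ready) and Netlogon 5706 (share creation failed).
$since  = (Get-Date).AddHours(-24)
$frsOk  = @(Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $since } -ErrorAction SilentlyContinue)
$nlFail = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 5706; StartTime = $since } -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -match 'netlogon' })
Check 'FRS 13516 in last 24h'       ($frsOk.Count -gt 0)  ('count=' + $frsOk.Count)
Check 'No Netlogon 5706 in last 24h' ($nlFail.Count -eq 0) ('count=' + $nlFail.Count)

$results | Format-Table Check, OK, Detail -AutoSize

if ($RestartServices) {
    # The thread's order: FRS first, so SYSVOL is ready before Netlogon tries to create its shares.
    Restart-Service NtFrs -Force
    (Get-Service NtFrs).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
    Restart-Service Netlogon -Force
    Write-Host 'Services restarted; run this script again to see whether NETLOGON is now shared.'
}
```

A failing 'SCRIPTS folder exists' with SYSVOL shared is exactly the 5706 situation in the thread: Netlogon can share SYSVOL but has nothing to expose as NETLOGON until the SCRIPTS folder arrives through replication or is created.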
You have configured your forwarders wrong (this will only affect non-local DNS queries):

10.0.254.11 (WINSERVER11) [Valid]
10.0.254.240 (<name unavailable>) [Valid]

Open the DNS console, right click #8 -> Properties -> Forwarders tab.

You should either use root hints or your ISP DNS as forwarders.

Dcdiag looking better. You will have some errors due to Netlogon not shared.

I have removed the entries for  the forwarders just leaving the root hints is that correct?

 dcdiag7.txt

SysvolReady: = 1
Sysvol: = c:|windows\SYSVOL\sysvol
DBflag = 0
 netlogon.txt
Sysvol: = c:|windows\SYSVOL\sysvol

Is there a | (pipe) after C:?

Should be c:\windows\SYSVOL\sysvol
Sorry, that's my poor typing, I attached the reg hive for that and as you will see those bits are ok
Have you started the ntfrs on #13 with the Burflags = D2?

Can you post a screen shot of your SYSVOL tree on #8 like you did earlier?
ntfrs is running on #13 with the Burflags = D2

SYSVOL still has no files contained within the tree:

Netlogon now shared:


Share name   Resource                        Remark

-------------------------------------------------------------------------------
ADMIN$       C:\Windows                      Remote Admin                      
C$           C:\                             Default share                    
D$           D:\                             Default share                    
IPC$                                         Remote IPC                        
Address      D:\Exchange2010\Mailbox\addr... "Access to address objects"      
Download     D:\Download                    
ExchangeOAB  D:\Exchange2010\ExchangeOAB     OAB Distribution share            
GroupMetrics D:\Exchange2010\GroupMetrics    MailTips group metrics publishing
NETLOGON     C:\Windows\SYSVOL\sysvol\Diplomat.local\SCRIPTS  Logon server share                
SYSVOL       C:\Windows\SYSVOL\sysvol        Logon server share                

All starting to look good now, Outlook still won't connect keeps asking for password
Winserver11 is still appearing in the DNS on #8
I guess I should remove all the records of #11 from DNS on #8

Should I stop/remove DNS from #11?
Burflags on #13 now at 0
Will I need to stop ntfrs on #8 and #13, then remove the #11 DNS records from both machines?
No you don't need to stop anything. It's #11 who will register its own records.
I restarted netlogon on #13 and now it is sharing netlogon and sysvol.

I'm going to disconnect #11 and remove #11's records from #8 and #13.

Will I be able to use #11 at some point in the future or should I re-build it?
Looks like Group Policy is looking for a different GUID {de3b4a4c-6ef8-475b-af25-2af764b7aefd}, I know you said not to worry about that at the moment but thought you should know.

The processing of Group Policy failed. Windows attempted to read the file \\Diplomat.local\SysVol\Diplomat.local\Policies\{de3b4a4c-6ef8-475b-af25-2af764b7aefd}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
dcdiag8 dcdiag8.txt
Regarding #11, you need to remove AD from it with "dcpromo /forceremoval".
This will uninstall AD from it and it will be placed in a workgroup. I would reinstall it with a new name and IP if I was to decide.

{de3b4a4c-6ef8-475b-af25-2af764b7aefd} is a custom made GPO. You can copy it from #11 and place it like you did with the other two GPO.

Another option is to remove it (with use of GPMC).

How are your clients reacting with Outlook? Make sure the clients don't use #11 as DNS.

When you have copied or removed the {de3b4a4c-6ef8-475b-af25-2af764b7aefd} policy. Run a new dcdiag.
Just remember not to copy it to both #8 and #13. If you do that it will morph.

Just copy it to #8 and FRS will replicate it over to #13
The thing is I can't find a folder with GUID {de3b4a4c-6ef8-475b-af25-2af764b7aefd} on any of the servers?? Could I use a copy of another GUID folder and rename it to this GUID?

So how do I remove the policy? How do you use GPMC? Where can I find it?

Outlook still not connecting all client using 10.0.254.8 as primary and 8.8.8.8 as secondary DNS
Domain clients should never use any public DNS (like Google DNS). Only internal DNS. That's why you use forwarders on your internal DNS.

Open gpmc.msc from #8.

Under "Group Policy Objects" are all GPO's stored (with friendly names, not GUID)

Click on the GPO and in the right pane it tells where it's linked. Right click and untick "link enable"

You can rename another folder to match the GUID. I don't know what this GPO does, but if you want it back, you can restore it from the system state you had.
TYPO: You CAN NOT rename
Have set Client DNS to #8 and #13

Looking in GPMC at the Group Policy Objects there are 3 but none have the GUID {de3b4a4c-6ef8-475b-af25-2af764b7aefd}
There are these:
Default Domain Controller Policy {6AC178...... and
Default Domain Policy {31B2F3.... and
New Group Policy Object {8FACE7... This errors with can't find file when you click on it
Check GPMC on #13 if you see the missing GPO there.
GPMC won't run on #13 can't find the MSC for it either (2003 Server)
That shows the same policies as on #8

Looking at the folders on #11 I don't see that GUID either??

How do we get over this, is this what is stopping Outlook from connecting?
On #8:

open adsiedit.msc

Look for the presence under the domain partition of the CN = GUID

CN=Policies,CN=System,DC=diplomat,DC=local
this has nothing to do with the Outlook.. but I would make the dcdiag clean before troubleshooting that issue.
Same GUIDs in ADSI, it's baffling

hmm.. where is this GUID coming from..

Open regedit on #8 and #13 and look for the GUID under

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Group Policy\History
Not there either, I even looked on the disabled #11 no trace of this GUID de3b4a4c-6ef8-475b-af25-2af764b7aefd
Open AD Users & Computers -> View -> Tick Advanced features

Look in the System container -> Policies. (this should be the same as in adsiedit, but check for sure).

If there are no traces, open cmd and run:

dfsutil /PurgeMUPCache

Run a new dcdiag.
clear system log before running dcdiag
The GUID is not showing in System container -> Policies but I don't have dfsutil on #8, can I run it from #13?
Forget about the dfsutil.

Clear the system log on #8 and #13 and run a dcdiag from #8:

dcdiag /e /v /f:dcdiag9.txt
Looking a bit deeper into the event log, it looks like the policy it is looking for is to do with GUID 8FACE762-70DE-434B-BB90-ABC3A718B9B9, has it got confused??
The folder is called 8FACE762-70DE-434B-BB90-ABC3A718B9B9, this is the policy folder 'New Group Policy', see post 34300585 above. I have copied the GUID folder over but am still getting the GPO errors

ErrorDescription The system cannot find the path specified.
  DCName WINSERVER8.Diplomat.local
  GPOCNName CN={8FACE762-70DE-434B-BB90-ABC3A718B9B9}, CN=Policies,CN=System,DC=Diplomat,DC=local
  FilePath \\Diplomat.local\SysVol\Diplomat.local\Policies\{de3b4a4c-6ef8-475b-af25-2af764b7aefd}\gpt.ini

DCDIAG9 dcdiag9.txt
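The event quoted above names a GPOCNName of {8FACE762-...} but a FilePath of {de3b4a4c-...}, i.e. the GPO object in AD and the SYSVOL folder it points at carry different GUIDs. Added PowerShell example, not from the original thread, that finds that kind of mismatch: it walks every groupPolicyContainer under CN=Policies,CN=System (the same objects ADSI Edit and GPMC show), compares each object's cn with the GUID inside its gPCFileSysPath attribute (the SYSVOL path Group Policy reads gpt.ini from), checks that gpt.ini exists there, and lists SYSVOL policy folders with no AD object. Assumptions: run on a DC as a domain admin; [ADSI] is used so no RSAT module is needed; the domain DNS name is derived from a plain DC=...,DC=... naming context, and the local Policies folder falls back to %windir%\SYSVOL\sysvol if the Netlogon Sysvol value is absent.

```powershell
# Added example (not from the original thread): report GPO objects whose cn, gPCFileSysPath
# and SYSVOL folder disagree, plus orphaned folders. Run on #8 in an elevated PowerShell.
$rootDse   = [ADSI]'LDAP://RootDSE'
$domainDn  = [string]$rootDse.defaultNamingContext                 # e.g. DC=Diplomat,DC=local
$domainDns = ($domainDn -replace 'DC=', '') -replace ',', '.'      # e.g. Diplomat.local (assumes a plain DC= DN)
$nlSysvol  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').Sysvol
if (-not $nlSysvol) { $nlSysvol = "$env:windir\SYSVOL\sysvol" }    # default location, an assumption
$localPolicies = Join-Path $nlSysvol "$domainDns\Policies"

$guidRe = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'

function Get-GpoConsistency {
    $container = [ADSI]"LDAP://CN=Policies,CN=System,$domainDn"
    $rows = @()
    $seen = @{}
    foreach ($gpo in $container.Children) {
        if ($gpo.SchemaClassName -ne 'groupPolicyContainer') { continue }
        $cn   = [string]$gpo.cn                        # GUID with braces, as shown in ADSI Edit
        $path = [string]$gpo.gPCFileSysPath            # \\domain\SysVol\domain\Policies\{GUID}
        $pathGuid = if ($path -match $guidRe) { $Matches[0] } else { '' }
        $gpt  = if ($path) { Join-Path $path 'gpt.ini' } else { '' }
        $seen[$cn.ToUpper()] = $true
        $rows += New-Object PSObject -Property @{
            Name          = [string]$gpo.displayName
            CN            = $cn
            FileSysPath   = $path
            PathMatchesCN = ($pathGuid -ne '' -and $pathGuid -eq $cn)     # -eq is case-insensitive
            GptIniFound   = ($gpt -ne '' -and (Test-Path $gpt))
            Version       = [string]$gpo.versionNumber
        }
    }
    # Folders in SYSVOL that no AD object refers to (left behind by a copy or a deleted GPO).
    if (Test-Path $localPolicies) {
        foreach ($dir in (Get-ChildItem $localPolicies | Where-Object { $_.PSIsContainer })) {
            if (-not $seen[$dir.Name.ToUpper()]) {
                $rows += New-Object PSObject -Property @{
                    Name = '(no AD object)'; CN = $dir.Name; FileSysPath = $dir.FullName
                    PathMatchesCN = $false; GptIniFound = (Test-Path (Join-Path $dir.FullName 'gpt.ini')); Version = ''
                }
            }
        }
    }
    return $rows
}

$report = Get-GpoConsistency
$report | Format-Table Name, CN, PathMatchesCN, GptIniFound, FileSysPath -AutoSize
$broken = @($report | Where-Object { -not $_.PathMatchesCN -or -not $_.GptIniFound })
if ($broken.Count) { Write-Warning ('{0} GPO(s) need attention' -f $broken.Count) } else { Write-Host 'All GPOs consistent.' }
```

In the situation above the row for {8FACE762-...} would show PathMatchesCN = False with a FileSysPath containing {de3b4a4c-...}: the folder Group Policy is looking for is named by the attribute, not by the object's cn, which is why no folder with that GUID exists on any server and why renaming a folder does not help. gPCFileSysPath is an ordinary attribute and can be inspected and edited in ADSI Edit on the object.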
Ok have done that, Outlook still not connecting. do you want another dcdiag?
I don't need a new diag atm.

Your initial post you mentioned that the Outlook client could not connect. Was this after you move Exchange over to the new server?

Have the client ever been able to connect to the mailbox after the move?

Have you verified that the Outlook profile is pointed to the correct mailbox server?
The Exchange move happened in September, all was working ok until about this time last week.

What I think happened was #13 rebooted following a Windows update, then things started going crazy, couldn't log on to Outlook all the time.
Then you got involved,
Then at some point I rebooted #11, since that reboot we could not connect to Outlook at all, so this was
then when I tried removing #11 from the domain and it failed.
But the event logs are looking much better.... but still no Outlook. Do you think they want to connect to #11 which was the old 2003 Exchange server?
When starting the Exchange console I'm getting errors 5,22
22:
(Process w3wp.exe, PID 10256) "RBAC authorization is unavailable due to the transient error: An Active Directory error 0x51 occurred when trying to check the suitability of server 'winserver11.Diplomat.local'. Error: 'Active directory response: The LDAP server is unavailable.'"

Notice it is refering to 'winserver11.Diplomat.local'

Is that my problem? Is it Exchange that is looking for 'winserver11.Diplomat.local'?
Exchange is 100% dependent on AD, DNS and a Global Catalog.

It obviously looks like Exchange is trying to get info from #11 which it can't.

I'm not an Exchange expert, so I advise you to start a new thread in the Exchange zone.

Something like "Exchange 2010 (or was it 2007?) trying to connect to demoted DC".
Btw, can you run a new dcdiag?

You had 3 domain controllers, so I guess you'll have some users in there. Why do you run Exchange on one of the DC's and not a dedicated Exchange server?


#11 was the first DC and the only server so it also ran exchange 2003, then we got another machine #13 to run SQL for an accounts package. Both machines are over 5 years old now. So we invested in a new machine 2008/exchange2010 with a view to replace #11, #13 in the future.
So when we get the next server in that will replace #13. In an ideal world we would have exchange on a separate machine but we don’t have that luxury. It’s still better to have 2 DC’s even if one is an exchange server would you agree?

Thank you so much for your help with these problems, it's a shame we can't complete it all the way.
Did the Exch2003 and Exch2010 co-exist in your domain, and have you removed all traces of the 2003?

Exchange should find all DC's and "update that list". In the RUS on Exchange 2003 you could set which GC was preferred. 2010 doesn't use RUS. I'm on thin ice regarding such Exchange questions, so I can't assist you with that issue :(

At least your AD/FRS replication is working, and the DCDIAG is 100% free of errors/warnings.
It’s still better to have 2 DC’s even if one is an exchange server would you agree?

Couldn't agree more! :)
The Exchange servers did co-exist for a while whilst I moved over the mailboxes etc. to the new machine. All Exchange services were off on #11 and everything was working ok, I hadn't yet removed Exchange from that machine but would have done so soon.

Thanks again for your assistance I have started a new thread on the Exchange Forum now:

https://www.experts-exchange.com/questions/26667792/Exchange-2010-trying-to-connect-to-demoted-DC.html
If I stop ntfrs, netlogon and dns on #11 could I put it back on the network and see if Exchange will work better? Or should I do the dcpromo /forceremoval before I put it back on?
I don't want to do this if it messes up you good work!
The problem hosting Exchange on a DC, is that if you change the server role the Exchange will break.
Demoting a DC is a change in server role.

Your domain (#8 and #13) doesn't see #11 as a DC, but #11 will see itself as a DC. When you have run a metadata cleanup, you should demote #11 as a DC. Since this "DC" is unable to replicate you have to use the /forceremoval switch to be able to achieve this.

I would not start #11 until you have run a "dcpromo /forceremoval" on it. After this you have to join it to the domain as a member and you can introduce it back in.

I'm not sure how Exchange 2003 will handle it.

Ok i'll do that, thanks

You certainly deserve those points
Really great EXPERT! A tribute to expert’s exchange