Solved

Windows 2008 R2 Server Group Policy Not Replicating between Domain Controllers

Posted on 2011-03-18
3,856 Views
Last Modified: 2012-05-11
Hi,

I've installed 2 x Windows 2008 R2 Domain Controllers in what was once a 2003 R2 Domain. I've decommissioned the 2003 R2 original DC by transferring the FSMO roles and DCPROMOing it out. Since then I've raised the Domain and Forest Level to 2008 R2.

Everything else replication wise seems to be working, except for the Group Policies. I know this because the Sysvol Policies folder on the non PDC emulator have older files in.

The problem is some clients are getting Group Policies from the updated DC1 and some are getting them from the non replicated DC2.

What's up with the Replication of Group Policy containers ?

Also in the interim is there a setting to force clients to only use DC1 for Group Policy ?

Thanks,

Craig
Question by:Japsterex
44 Comments
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
ID: 35164420
Can you try a non-authoritative restore using the D2 Burflags as explained here: http://support.microsoft.com/kb/290762
Do this on the server that is showing the older versions of the policies.
0
 
LVL 10

Expert Comment

by:Muzafar Momin
ID: 35164635
Use Spotlight for AD and check the replication status; also try restarting the DC.
0
 

Author Comment

by:Japsterex
ID: 35164711
Thanks Demazter,

I worked through KB 290762. The non-authoritative restore was going fine until I checked the Event logs, then realised I was working on the wrong server :-/

Um, is there any way to reverse what I've done? I can see all the SYSVOL stuff has been moved to a "Pre-Existing" folder, so I know the good stuff from DC1 is safe, but the DC1\SYSVOL share no longer exists!

Any ideas ?
0
 

Author Comment

by:Japsterex
ID: 35165012
Right,

I've recreated the SYSVOL & NETLOGON shares on DC1 and put the files back from the "Pre Existing Folder"

Luckily the replication did not occur from the out of date DC2 server.

I repeated the non-authoritative restore on DC2 to pull the data from DC1, but it's complaining that it can't replicate from DC1, same as it has done all along.

Looking back through the logs on DC2, it has never successfully replicated from DC1. It seems the only reason they are almost up-to-date and functioning correctly is that they were both new as of Dec 2010.

What next ? DCPROMO DC2 out and then back in again ?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35165025
OK, let's take a deeper look.

Can you post the results of IPCONFIG /ALL and DCDIAG from both servers please.
0
 

Author Comment

by:Japsterex
ID: 35165170
DC1

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : mycompany.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mycompany.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-A5-00-02
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4936:b0dc:e918:924%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.1.247(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.1.4
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-7C-5B-2C-00-0C-29-4D-1E-85

   DNS Servers . . . . . . . . . . . : ::1
                                       10.10.1.247
                                       10.10.1.253
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{E820BDED-0799-4DC8-A16C-C73D40D6BE65}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

DC2

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc02
   Primary Dns Suffix  . . . . . . . : mycompany.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mycompany.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-A5-00-05
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::897c:14b:51d8:aede%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.1.253(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.1.4
   DHCPv6 IAID . . . . . . . . . . . : 234901590
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-91-78-86-00-50-56-A5-00-03

   DNS Servers . . . . . . . . . . . : ::1
                                       10.10.1.253
                                       10.10.1.247
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{6C5E3727-6CCB-471F-BCC5-0FD79F5533F3}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

DCDIAG will follow

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35165181
First thing I would say is change the IP configuration so that, for the DNS servers, the first DNS entry is the other server and the second is itself. The third entry can be removed.
0
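The DNS client order recommended above (partner DC first, itself second, no 127.0.0.1 entry) is easy to drift from, and the wrong order is a common cause of DCs that cannot locate each other. The following is an added example, not from the thread or from Microsoft: a PowerShell script that audits every IP-enabled adapter on a DC against that order and, only with -Apply, sets it. It uses WMI so it runs on Windows Server 2008 R2 (PowerShell 2.0). The default addresses are the thread's DC1 and DC2 values and are assumptions; replace them with your own.

```powershell
# Added example (not from the thread): audit, and optionally set, the DNS client
# server order on a DC. Desired order per the advice above: partner DC first,
# this DC second, and no loopback entry. WMI is used so this works on 2008 R2.
param(
    [string]$PartnerDc = '10.10.1.253',   # assumption: the other DC (DC2 from DC1's point of view)
    [string]$SelfIp    = '10.10.1.247',   # assumption: this DC's own address
    [switch]$Apply                        # without -Apply the script only reports
)

$desired  = @($PartnerDc, $SelfIp)
$adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"

foreach ($nic in $adapters) {
    $current = @($nic.DNSServerSearchOrder)
    Write-Host ("[{0}] current DNS order: {1}" -f $nic.Description, ($current -join ', '))

    if ($current -contains '127.0.0.1') {
        Write-Warning "  loopback 127.0.0.1 is listed; it should be removed"
    }
    if (($current -join ',') -eq ($desired -join ',')) {
        Write-Host "  OK: matches recommended order"
        continue
    }

    Write-Host ("  recommended: {0}" -f ($desired -join ', '))
    if ($Apply) {
        # SetDNSServerSearchOrder replaces the whole list in the order given
        $rc = $nic.SetDNSServerSearchOrder($desired)
        if ($rc.ReturnValue -ne 0) {
            Write-Error ("  SetDNSServerSearchOrder failed, WMI return code {0}" -f $rc.ReturnValue)
        } else {
            Write-Host "  applied"
        }
    }
}
```

Run it without -Apply first and compare against the IPCONFIG output; the later step in this thread where DC1 is temporarily pointed only at 127.0.0.1 is a recovery measure, not the steady-state order this script enforces.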
 

Author Comment

by:Japsterex
ID: 35165442
Ok will give that a try.

Just had to reboot both of them as SYSVOL had disappeared from both DCs and everything here ground to a halt. Saying no GCs were available, all authentication ceased. Guess that was something to do with the Burflags thing I kicked off on DC2?

We are in a serious problem now as neither of the DCs are working,

HELP PLEASE !!!!

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35165461
when you accidentally changed the burflags on the "good" DC did you set it back to 0 when you "halted" the process?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35165496
Next question is do you have a system state backup?
0
 

Author Comment

by:Japsterex
ID: 35165536
Yes, the Burflags reset themselves to 0 when you restart the NTFRS service.

yes I have a system state backup on backup exec
0
 

Author Comment

by:Japsterex
ID: 35165705
but I can't get it to restore because the credentials used to restore from the backup exec server is a domain account and no domain controllers are available to authenticate it
0
 

Author Comment

by:Japsterex
ID: 35165710
how do I do a manual restore as I have the c$ backups too
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35165719
OK, let's get one working, on the one that WAS the working machine, configure DNS to have only 127.0.0.1 in the IP configuration for DNS, no other entries.

Then in Active Directory Sites and Services, expand the DC (the good one) right click on NTDS Settings and select properties, make sure there is a check box in the Global Catalog box.

then reboot the good DC.

Don't do anything with the other one at this stage, let's get one working and go from there.
0
 

Author Comment

by:Japsterex
ID: 35165839
Very grateful for your help :)

Right, none of the AD apps work because it says that the PDC emulator cannot be contacted. DC1, which was the good one and has now gone bad, was the FSMO roles holder. It says that even though DC1 owns the FSMO roles it doesn't recognise them, or something like that.

One thing that's adding to the issue is these are Virtual Machines, under VMware. I do however have a snapshot for DC1 that I took before I applied 2008 R2 SP1 last week.

Do you think this may be the better option ?

0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35165945
Not at this stage.

Let's try and get DC1 working.

Have you changed the IP configuration? Does it have DNS installed on itself?

if you run:

NETDOM QUERY FSMO

and

NETDOM QUERY DC

from a command prompt, what do you get?

If we needed to "kill" DC2, is there anything on there that might be causing problems? It's possible that DC2 was never replicating correctly, and if that's the case there could be a FSMO role transition issue.
0
 

Author Comment

by:Japsterex
ID: 35166038
OK yes changed the DNS to itself.

NETDOM QUERY FSMO says this :

The specified domain either does not exist or could not be contacted.

The command failed to complete successfully.

NETDOM QUERY DC says the same.

If we needed to DCpromo DC2 out this wouldn't be a major problem as long as we got DC1 running

What next ?

0
 

Author Comment

by:Japsterex
ID: 35166059
When I go to Domains and Trusts I get this also,

domain error
0
 

Author Comment

by:Japsterex
ID: 35166128
All references to the domain have disappeared, from DNS, DHCP everywhere.

Also all our mail services have stopped due to their reliance on AD I guess, DC2 is also in the same state regarding the above posts.

I'm starting to worry now :-/
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35166132
OK, can you do this on both DC's for me and post the results.

From a command prompt run NTDSUTIL, type ROLES and press enter

Then type CONNECTIONS and press enter

at the next prompt type CONNECT TO SERVER DC1 (when you do this on DC2 type DC2 instead of DC1) and press enter

once that's connected type Q and press enter

Type SELECT OPERATION TARGET and press enter

Type LIST ROLES FOR CONNECTED SERVER

Can you paste the output from both DC's here.

Keep pressing Q and enter to exit NTDSUTIL
0
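The NTDSUTIL sequence above connects to one DC at a time and asks it directly which server it believes holds each FSMO role, which is why it still works when NETDOM QUERY FSMO fails with "the specified domain could not be contacted". As an added example (not from the thread), the PowerShell below drives that same sequence non-interactively against each DC, parses the role lines, and reports whether the DCs agree on every holder. The server names are placeholders; pass your own.

```powershell
# Added example, not from the thread: run the NTDSUTIL "list roles for connected
# server" sequence against each DC and compare the answers.
function Get-FsmoRolesFromServer {
    param([Parameter(Mandatory=$true)][string]$Server)
    # ntdsutil accepts its menu commands as arguments; each "q" backs out one menu level,
    # mirroring the keystrokes in the post above.
    $raw = & ntdsutil 'roles' 'connections' "connect to server $Server" 'q' `
                      'select operation target' 'list roles for connected server' 'q' 'q' 'q' 2>&1
    # Console output may wrap long DNs onto a second line (as in the pasted output
    # later in this thread); rejoin any line that does not start a new "<Role> - " entry.
    $text = ($raw | ForEach-Object { "$_" }) -join "`n"
    $text = $text -replace "`r?`n(?![A-Za-z][A-Za-z ]* - )", ''
    $roles = @{}
    $pattern = '(Schema|Naming Master|PDC|RID|Infrastructure) - CN=NTDS Settings,CN=([^,]+),'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        $roles[$m.Groups[1].Value] = $m.Groups[2].Value   # role -> server CN it points at
    }
    return $roles
}

function Compare-FsmoView {
    param([Parameter(Mandatory=$true)][string[]]$Servers)
    $views = @{}
    foreach ($s in $Servers) { $views[$s] = Get-FsmoRolesFromServer -Server $s }
    $allAgree = $true
    foreach ($role in 'Schema','Naming Master','PDC','RID','Infrastructure') {
        $holders = @($Servers | ForEach-Object { $views[$_][$role] } | Sort-Object -Unique)
        if ($holders.Count -ne 1 -or -not $holders[0]) {
            $allAgree = $false
            $detail = ($Servers | ForEach-Object { "{0} says '{1}'" -f $_, $views[$_][$role] }) -join '; '
            Write-Warning ("{0}: DCs disagree or role missing -> {1}" -f $role, $detail)
        } else {
            Write-Host ("{0,-14} held by {1} (all queried DCs agree)" -f $role, $holders[0])
        }
    }
    return $allAgree
}

# Usage (placeholder names): Compare-FsmoView -Servers 'DC1','DC2'
```

A result of $true corresponds to the outcome in this thread, where both DCs named the same server for all five roles; a disagreement would point at the replication problem rather than at the role assignment itself.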
 

Author Comment

by:Japsterex
ID: 35166146
Oh and DC2 is the Root CA for the domain, but I guess we can move that once we get DC1 working
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35166164
OK, that completely changes things!

Restore the snapshot and we can recover from there.
0
 

Author Comment

by:Japsterex
ID: 35166206
DC1

Server "hcuk2k8dc01" knows about 5 roles
Schema - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
Naming Master - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
PDC - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
RID - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
Infrastructure - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com

DC2

Schema - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
Naming Master - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
PDC - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
RID - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
Infrastructure - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35166215
OK, that's good, so at least AD thinks it's right (hold fire on that restore for now)
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35166241
On DC1, goto the DNS console and expand the servername and forward lookup zones, for the internal forward lookup zone, right click on it and select properties.

Where it says Zone Type, click Change and uncheck the box that says "Store this zone in Active Directory" click OK and OK.

Then restart the DNS service.

What happens when you try to run DCDIAG on DC1?
0
 

Author Comment

by:Japsterex
ID: 35166359
Ok done that,

here's the DC diag file dump dcdiag.txt
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35166385
OK, back to the DNS console: right click on the zone again and select properties, then change the updates section to secure and non-secure updates.

Once done, restart the NETLOGON service and run DCDIAG /FIX

Then try the NETDOM QUERY FSMO command again
0
 

Author Comment

by:Japsterex
ID: 35166469
Same result I'm afraid :-

The specified domain either does not exist or could not be contacted.

The command failed to complete successfully.

 dcdiagfix.txt

Also see DCdiag fix log
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35166489
let's go with the snapshot restore then, once you've done that, reboot the server, and post DCDIAG results.
0
 

Author Comment

by:Japsterex
ID: 35166636
ok thanks

snapshot reverted, seems to be ok can see the sysvol folder on DC1, phew !

here's the dcdiag file dcdiag-post-snapshot.txt
0
 

Author Comment

by:Japsterex
ID: 35166648
FRS service currently off on DC2 shall I leave it that way ?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35166690
The first thing we need to do now is make sure this server is working properly, then we will worry about the other.

Change the IP configuration again so it's using only 127.0.0.1 for DNS, restart the netlogon service and run DCDIAG /FIX

Do you have nic teaming enabled on the DC1?

Don't do anything with DC2 at the moment.

0
 

Author Comment

by:Japsterex
ID: 35166770
No teaming on DC1 adapters as there's only 1 virtual adapter.

changed to 127.0.0.1 only

restarted netlogon

DCdiagfix log attached.

One thing I noticed is that DNS does not have a forward lookup zone at the moment.

When the machine started after the snapshot application it did ask for a reboot, I will do this now, while I'm waiting for your reply
 dcdiagfix--2-.txt
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35166778
If there is no forward lookup zone then you will need to create one, this is pretty critical!
0
 

Author Comment

by:Japsterex
ID: 35166852
will there be any zone backups anywhere I can import ?

There was quite a lot of manually entered stuff in the zone to do with VMware etc. and stuff to do with Exchange OWA.

btw certain parts of VM are playing up, prob down to the DNS issue.

Shall I create a new one or try to import it from backup ?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35166862
I would create a new one, for now make it so it's not AD integrated and so it allows secure and non-secure updates.
0
 

Author Comment

by:Japsterex
ID: 35166930
OK, created a new one. Also, because the reverse lookup zone is still there, most of the stuff I need is there so I can copy it over.

ok what next ?
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35167220
Can you take a backup of the SYSVOL

Then turn on the FRS service in DC2 and follow the burflags and set DC2 to D2.  Please make sure it's DC2 ;)
0
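The accepted answer (the D2 Burflags non-authoritative restore from KB 290762) and the corrected procedure just above (back up SYSVOL first, start FRS, then set D2 on the stale DC only) both hinge on the same operational risk this thread demonstrates: running the D2 step on the good DC discards its SYSVOL into a pre-existing folder and, here, took the domain down. The following is an added example, not from the thread, the KB or Microsoft: a PowerShell function that performs that sequence only after confirming it is running on the computer you named, and takes a SYSVOL copy before touching FRS. $ExpectedComputer and $BackupRoot are assumptions you supply; it targets FRS-replicated SYSVOL, which is what this 2003-origin domain was still using.

```powershell
# Added example (not from the thread or KB 290762): guarded D2 non-authoritative
# SYSVOL restore for an FRS-replicated domain. Refuses to run on any computer other
# than the one named, and backs up SYSVOL before setting BurFlags.
function Invoke-NonAuthoritativeSysvolRestore {
    param(
        [Parameter(Mandatory=$true)][string]$ExpectedComputer,  # assumption: the DC showing stale policies
        [string]$BackupRoot = 'C:\SysvolBackup',                # assumption: local folder for the pre-change copy
        [switch]$Force                                          # skip the interactive confirmation
    )
    # 1. Guard against the mistake made in this thread: this must be the stale DC.
    #    PowerShell string comparison is case-insensitive, so dc02 matches DC02.
    if ($env:COMPUTERNAME -ne $ExpectedComputer) {
        throw "Running on $env:COMPUTERNAME but expected $ExpectedComputer; aborting without changes."
    }
    if (-not $Force) {
        $answer = Read-Host "Set BurFlags=D2 on $env:COMPUTERNAME (its SYSVOL will be re-sourced from a partner). Type YES to continue"
        if ($answer -ne 'YES') { Write-Host 'Aborted.'; return $false }
    }

    # 2. Copy SYSVOL before FRS moves anything into its pre-existing folder.
    $sysvol = Join-Path $env:SystemRoot 'SYSVOL'
    $dest   = Join-Path $BackupRoot ("SYSVOL-{0}-{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd-HHmmss'))
    & robocopy $sysvol $dest /E /COPYALL /R:1 /W:1 /NFL /NDL | Out-Null
    if ($LASTEXITCODE -ge 8) {   # robocopy codes 8 and above mean at least one failure
        throw "robocopy reported failures (exit code $LASTEXITCODE); not touching BurFlags."
    }

    # 3. Stop FRS, set BurFlags, start FRS (the order KB 290762 gives). The key name
    #    contains a forward slash, which the HKLM: provider treats as a path separator,
    #    so the key is opened through .NET instead.
    Set-Service NtFrs -StartupType Automatic      # the service may have been left disabled
    Stop-Service NtFrs -ErrorAction Stop
    $keyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
    if (-not $key) { Start-Service NtFrs; throw "BurFlags key not found; is FRS installed on this DC?" }
    $key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Start-Service NtFrs -ErrorAction Stop

    Write-Host "BurFlags=D2 set and NTFRS restarted on $env:COMPUTERNAME; pre-change copy at $dest."
    Write-Host "Confirm in the File Replication Service event log: BurFlags returns to 0 on start, and event 13516 reports SYSVOL shared again."
    return $true
}

# Usage (placeholder name): Invoke-NonAuthoritativeSysvolRestore -ExpectedComputer 'DC02'
```

The D2 flag only makes a DC re-source SYSVOL from a replication partner, so it is of no help until that partner is itself healthy; in this thread that meant getting DC1 back from the snapshot before running it on DC2.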
 

Author Comment

by:Japsterex
ID: 35167246
sounds like a good idea ;-)

man you've been a great help today :-D

I'll give it a go now
0
 

Author Closing Comment

by:Japsterex
ID: 35167864
demazter is a credit to Experts-Exchange, went far beyond my original question to help and get my systems back online after a silly mistake I made in applying his fix.

Once again thanks man you're the best :-)
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35167887
So all is working now?
0
 

Author Comment

by:Japsterex
ID: 35178973
Hi demazter,

yes things are back to normal now and the DC2 is replicating following the application of the burflags D2 to the correct server ;-)

Just applying SP1 back to DC1 now since the snapshot we used was pre SP1

Big thanks
0
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35178978
Excellent, glad it's all sorted :)
0
 
LVL 20

Expert Comment

by:Iain MacMillan
ID: 35312525
Wow, outstanding work on this problem. I have a physical DC on my LAN, in the event of issues with VM'ed DCs.
0
