Asked by Japsterex:
Windows 2008 R2 Server Group Policy Not Replicating between Domain Controllers

Hi,

I've installed 2 x Windows 2008 R2 Domain Controllers in what was once a 2003 R2 Domain. I've decommissioned the 2003 R2 original DC by transferring the FSMO roles and DCPROMOing it out. Since then I've raised the Domain and Forest Level to 2008 R2.

Everything else replication-wise seems to be working, except for the Group Policies. I know this because the SYSVOL Policies folder on the non-PDC-emulator DC has older files in it.

The problem is some clients are getting Group Policies from the updated DC1 and some are getting them from the non replicated DC2.

What's up with the Replication of Group Policy containers ?

Also in the interim is there a setting to force clients to only use DC1 for Group Policy ?

Thanks,

Craig
ASKER CERTIFIED SOLUTION
Glen Knight:
user spotlight for AD and check the replication status; also try restarting the DC.
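As an added example (not part of the original thread), the following PowerShell script gathers the replication evidence this answer points at, on a Windows Server 2008 R2 DC that still replicates SYSVOL with FRS (as a domain upgraded from 2003 does): NTDS replication via repadmin, the FRS events for the SYSVOL replica set, whether SYSVOL and NETLOGON are actually shared, and a file-level diff of the Policies folder between the two DCs. `$Partner` (the other DC's hostname) is an assumption; the script only reads.

```powershell
# Added example, not from the original thread. Read-only health check for SYSVOL
# replication on a Windows Server 2008 R2 DC that still uses FRS. Run elevated on
# the DC. $Partner (the other DC) is an assumption; change it to match.
param([string]$Partner = 'DC02')

$me        = $env:COMPUTERNAME
$domainDns = $env:USERDNSDOMAIN          # e.g. mycompany.com

"=== AD (NTDS) replication: failures and last success per partner ==="
repadmin /replsummary
repadmin /showrepl $me

# FRS event IDs worth looking for (documented meanings):
#   13508  cannot establish replication with the partner (the "never replicated" symptom)
#   13509  the 13508 condition has cleared
#   13516  SYSVOL is shared and the DC is advertising
#   13565  non-authoritative (D2) restore of the replica set has started
"=== Recent FRS events on $me ==="
Get-EventLog -LogName 'File Replication Service' -Newest 500 |
    Where-Object { 13508, 13509, 13516, 13565 -contains $_.EventID } |
    Select-Object -First 20 TimeGenerated, EventID |
    Format-Table -AutoSize

"=== Are SYSVOL and NETLOGON shared here? ==="
Get-WmiObject Win32_Share |
    Where-Object { 'SYSVOL', 'NETLOGON' -contains $_.Name } |
    Select-Object Name, Path

# Index every file under \\<dc>\SYSVOL\<domain>\Policies as (relative path, size, mtime).
function Get-PolicyIndex([string]$dc) {
    $root = "\\$dc\SYSVOL\$domainDns\Policies"
    Get-ChildItem -Path $root -Recurse -ErrorAction Stop |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Rel       = $_.FullName.Substring($root.Length)
                Length    = $_.Length
                LastWrite = $_.LastWriteTimeUtc
            }
        }
}

"=== Policies folder: $me vs $Partner ==="
$mine   = @(Get-PolicyIndex $me)
$theirs = @(Get-PolicyIndex $Partner)
$diff   = Compare-Object -ReferenceObject $mine -DifferenceObject $theirs -Property Rel, Length -PassThru
if ($diff) {
    # '<=' rows exist only on $me, '=>' only on $Partner; the same Rel with both arrows means the size differs
    $diff | Sort-Object Rel | Format-Table SideIndicator, Rel, Length, LastWrite -AutoSize
} else {
    "Identical by name and size ($($mine.Count) files); clients get the same GPO files whichever DC they pick"
}
```

Read the three parts together: repadmin green and FRS showing 13508 with no 13509 is exactly the situation in this thread (the directory replicates, SYSVOL does not), and the Policies diff tells you which GPO files a client talking to the stale DC will be served.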
ASKER
Thanks Demazter,

I worked through KB 290762; the non-authoritative restore was going fine until I checked the Event logs, then realised I was working on the wrong server :-/

Um, is there any way to reverse what I've done? I can see all the SYSVOL stuff has been moved to a "Pre-Existing" folder, so I know the good stuff from DC1 is safe, but the DC1\SYSVOL share no longer exists!

Any ideas ?
Right,

I've recreated the SYSVOL & NETLOGON shares on DC1 and put the files back from the "Pre Existing Folder"

Luckily the replication did not occur from the out of date DC2 server.

I repeated the Non-Authoritative restore on DC2 to pull the data from DC1, but it's complaining that it can't replicate from DC1, same as it has done all along.

Looking back through the logs on DC2, it's never successfully replicated from DC1. It seems the only reason they are almost up to date and functioning correctly is that they were both new as of Dec 2010.

What next ? DCPROMO DC2 out and then back in again ?
OK, let's take a deeper look.

Can you post the results of IPCONFIG /ALL and DCDIAG from both servers please.
DC1

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : mycompany.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mycompany.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-A5-00-02
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4936:b0dc:e918:924%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.1.247(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.1.4
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-7C-5B-2C-00-0C-29-4D-1E-85

   DNS Servers . . . . . . . . . . . : ::1
                                       10.10.1.247
                                       10.10.1.253
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{E820BDED-0799-4DC8-A16C-C73D40D6BE65}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

DC2

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc02
   Primary Dns Suffix  . . . . . . . : mycompany.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mycompany.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-A5-00-05
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::897c:14b:51d8:aede%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.1.253(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.1.4
   DHCPv6 IAID . . . . . . . . . . . : 234901590
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-91-78-86-00-50-56-A5-00-03

   DNS Servers . . . . . . . . . . . : ::1
                                       10.10.1.253
                                       10.10.1.247
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{6C5E3727-6CCB-471F-BCC5-0FD79F5533F3}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

DCDIAG will follow

First thing I would say is change the IP configuration so that for the DNS servers the first DNS entry is the other server and the second is itself. The third entry can be removed.
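As an added example (not part of the original thread), this PowerShell script audits the DNS client order on a DC and, with `-Fix`, sets it to what the reply above recommends: partner DC first, itself second, no loopback entry. The two addresses are the ones in the ipconfig output posted above; which one is "self" is detected from the adapter. It uses the `Win32_NetworkAdapterConfiguration.SetDNSServerSearchOrder` WMI method, which is present on 2008 R2. An assumption: that WMI class manages the IPv4 resolver list only, so the `::1` entry shown in the ipconfig output has to be removed from the adapter's IPv6 properties separately.

```powershell
# Added example, not from the original thread. Audit the DNS client order on a DC
# and, with -Fix, set it to: partner DC first, itself second, no loopback entry.
# Addresses are the two DCs as posted; everything else is detected from the adapter.
param([switch]$Fix)

$dcAddresses = @('10.10.1.247', '10.10.1.253')   # DC01, DC02 from the ipconfig output

# Pick the adapter that actually carries one of the DC addresses.
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
       Where-Object { @($_.IPAddress | Where-Object { $dcAddresses -contains $_ }).Count -gt 0 } |
       Select-Object -First 1
if (-not $nic) { throw "No adapter on this host carries one of $($dcAddresses -join ', ')" }

$self    = @($nic.IPAddress | Where-Object { $dcAddresses -contains $_ })[0]
$partner = @($dcAddresses | Where-Object { $_ -ne $self })
$wanted  = $partner + @($self)
$have    = @($nic.DNSServerSearchOrder)

"Adapter : $($nic.Description)"
"Current : $($have -join ', ')"
"Wanted  : $($wanted -join ', ')"

if (@($have | Where-Object { $_ -eq '127.0.0.1' }).Count -gt 0) {
    "Note: loopback entry present; the DC should list its real address instead"
}

if (($have -join ',') -eq ($wanted -join ',')) { "DNS client order already correct"; return }
if (-not $Fix) { "Re-run with -Fix to apply"; return }

# Apply, then flush/re-register and bounce Netlogon so the DC's SRV records are
# re-registered with the new resolver order.
$rc = $nic.SetDNSServerSearchOrder($wanted).ReturnValue
if ($rc -ne 0) { throw "SetDNSServerSearchOrder failed with return code $rc" }
ipconfig /flushdns    | Out-Null
ipconfig /registerdns | Out-Null
Restart-Service -Name Netlogon
"Applied: $($wanted -join ', ')"
```

Run it once without `-Fix` on each DC to see the current order, then with `-Fix`. With only two DCs, listing the partner first means a DC can still resolve the domain while its own DNS service is starting, and listing itself second means it keeps working if the partner is down.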
Ok will give that a try.

Just had to reboot both of them as SYSVOL had disappeared from both DCs and everything here ground to a halt. It was saying no GCs were available and all authentication ceased; guess that was something to do with the BurFlags thing I kicked off on DC2?

We are in a serious problem now as neither of the DCs is working.

HELP PLEASE !!!!

When you accidentally changed the BurFlags on the "good" DC, did you set it back to 0 when you "halted" the process?
Next question is do you have a system state backup?
Yes, the BurFlags value resets itself to 0 when you restart the NTFRS service.

Yes, I have a system state backup in Backup Exec,
but I can't get it to restore because the credentials used to restore from the Backup Exec server are a domain account and no domain controllers are available to authenticate it.
How do I do a manual restore, as I have the C$ backups too?
OK, let's get one working. On the one that WAS the working machine, configure DNS to have only 127.0.0.1 in the IP configuration for DNS, no other entries.

Then in Active Directory Sites and Services, expand the DC (the good one) right click on NTDS Settings and select properties, make sure there is a check box in the Global Catalog box.

then reboot the good DC.

Don't do anything with the other one at this stage, let's get one working and go from there.
Very grateful for your help :)

Right, none of the AD apps work because it says that the PDC emulator cannot be contacted. DC1, which was the good one now gone bad, was the FSMO roles holder. It says that even though DC1 owns the FSMO roles it doesn't recognise them, or something like that.

One thing that's adding to the issue is these are Virtual Machines, under VMware. I do however have a snapshot for DC1 that I took before I applied 2008 R2 SP1 last week.

Do you think this may be the better option ?

Not at this stage.

Let's try and get DC1 working.

Have you changed the IP configuration? Does it have DNS installed on itself?

if you run:

NETDOM QUERY FSMO

and

NETDOM QUERY DC

from a command prompt, what do you get?

If we needed to "kill" DC2, is there anything on there that might be causing problems? It's possible that DC2 was never replicating correctly, and if that's the case there could be a FSMO role transition issue.
OK, yes, changed the DNS to itself.

NETDOM QUERY FSMO says this :

The specified domain either does not exist or could not be contacted.

The command failed to complete successfully.

NETDOM QUERY DC says the same.

If we needed to DCpromo DC2 out this wouldn't be a major problem as long as we got DC1 running

What next ?

When I go to Domains and Trusts I get this also,

[screenshot attached: error shown by Active Directory Domains and Trusts]
All references to the domain have disappeared, from DNS, DHCP everywhere.

Also all our mail services have stopped due to their reliance on AD I guess, DC2 is also in the same state regarding the above posts.

I'm starting to worry now :-/
OK, can you do this on both DC's for me and post the results.

From a command prompt run NTDSUTIL, type ROLES and press enter

Then type CONNECTIONS and press enter

at the next prompt type CONNECT TO SERVER DC1 (when you do this on DC2 type DC2 instead of DC1) and press enter

once that's connected type Q and press enter

Type SELECT OPERATION TARGET and press enter

Type LIST ROLES FOR CONNECTED SERVER

Can you paste the output from both DC's here.

Keep pressing Q and enter to exit NTDSUTIL
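As an added example (not part of the original thread), the NTDSUTIL sequence above can be run non-interactively, and it is worth putting it next to the `NETDOM QUERY FSMO` / `NETDOM QUERY DC` checks asked for earlier and the 2008 R2 ActiveDirectory cmdlets, because the three answer different questions: ntdsutil reads the role owners out of the local directory, while netdom and the cmdlets have to locate a DC through DNS first. `$Server` is an assumption; the script changes nothing.

```powershell
# Added example, not from the original thread. Three views of FSMO ownership on one
# DC, read-only. $Server is an assumption (defaults to the local host).
param([string]$Server = $env:COMPUTERNAME)

"=== ntdsutil: what the directory on $Server says ==="
# ntdsutil accepts its menu commands as arguments. The three quits unwind
# 'select operation target' -> 'roles' -> main menu -> exit.
ntdsutil 'roles' 'connections' "connect to server $Server" 'quit' `
         'select operation target' 'list roles for connected server' 'quit' 'quit' 'quit'

"=== netdom: what the DC locator can reach ==="
netdom query fsmo
netdom query dc

"=== ActiveDirectory cmdlets (2008 R2) ==="
Import-Module ActiveDirectory -ErrorAction Stop
$forest  = Get-ADForest -Server $Server
$domain  = Get-ADDomain -Server $Server
New-Object PSObject -Property @{
    Schema         = $forest.SchemaMaster
    Naming         = $forest.DomainNamingMaster
    PDC            = $domain.PDCEmulator
    RID            = $domain.RIDMaster
    Infrastructure = $domain.InfrastructureMaster
} | Format-List

# If ntdsutil lists the five roles but netdom answers "The specified domain either
# does not exist or could not be contacted", the directory itself is intact and the
# problem is DC location: the SRV records for the domain are not resolvable from here.
$domainDns = $env:USERDNSDOMAIN
"=== Can this host find the PDC through DNS? ==="
nslookup -type=SRV "_ldap._tcp.pdc._msdcs.$domainDns"
nltest "/dsgetdc:$domainDns" /pdc
```

Run it on both DCs and compare. In the thread the ntdsutil output on both servers names HCUK2K8DC01 for all five roles while netdom fails on the same box, which is the DNS-not-directory pattern the last section tests for.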
Oh and DC2 is the Root CA for the domain, but I guess we can move that once we get DC1 working
OK, that completely changes things!

Restore the snapshot and we can recover from there.
DC1

Server "hcuk2k8dc01" knows about 5 roles
Schema - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configu
ration,DC=hc-uk,DC=com
Naming Master - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=
Configuration,DC=hc-uk,DC=com
PDC - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configurat
ion,DC=hc-uk,DC=com
RID - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configurat
ion,DC=hc-uk,DC=com
Infrastructure - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN
=Configuration,DC=hc-uk,DC=com

DC2

Schema - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configu
ration,DC=hc-uk,DC=com
Naming Master - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=
Configuration,DC=hc-uk,DC=com
PDC - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configurat
ion,DC=hc-uk,DC=com
RID - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configurat
ion,DC=hc-uk,DC=com
Infrastructure - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN
=Configuration,DC=hc-uk,DC=com
OK, that's good, so at least AD thinks it's right (hold fire on that restore for now)
On DC1, go to the DNS console and expand the server name and Forward Lookup Zones. For the internal forward lookup zone, right click on it and select Properties.

Where it says Zone Type, click Change and uncheck the box that says "Store this zone in Active Directory" click OK and OK.

Then restart the DNS service.

What happens when you try to run DCDIAG on DC1?
OK, done that,

here's the DC diag file dump dcdiag.txt
OK, back to the  DNS console, right click on the zone again and select properties, change the updates section to secure and non-secure updates.

Once done, restart the NETLOGON service and run DCDIAG /FIX

Then try the NETDOM QUERY FSMO command again
Same result I'm afraid :-

The specified domain either does not exist or could not be contacted.

The command failed to complete successfully.

 dcdiagfix.txt

Also see DCdiag fix log
let's go with the snapshot restore then, once you've done that, reboot the server, and post DCDIAG results.
ok thanks

Snapshot reverted, seems to be OK, can see the SYSVOL folder on DC1, phew!

here's the dcdiag file dcdiag-post-snapshot.txt
FRS service currently off on DC2 shall I leave it that way ?
The first thing we need to do now is make sure this server is working properly, then we will worry about the other.

Change the IP configuration again so it's using only 127.0.0.1 for DNS, restart the netlogon service and run DCDIAG /FIX

Do you have nic teaming enabled on the DC1?

Don't do anything with DC2 at the moment.

No teaming on DC1 adapters as there's only 1 virtual adapter.

changed to 127.0.0.1 only

restarted netlogon

DCdiagfix log attached.

One thing I noticed is that DNS does not have a forward lookup zone at the moment.

When the machine started after the snapshot application it did ask for a reboot, I will do this now, while I'm waiting for your reply
 dcdiagfix--2-.txt
If there is no forward lookup zone then you will need to create one, this is pretty critical!
will there be any zone backups anywhere I can import ?

There was quite a lot of manually entered stuff in the zone to do with VMware etc. and stuff to do with Exchange OWA.

btw certain parts of VM are playing up, prob down to the DNS issue.

Shall I create a new one or try to import it from backup ?
I would create a new one, for now make it so it's not AD integrated and so it allows secure and non-secure updates.
OK, created a new one. Also, because the reverse lookup zone is still there, most of the stuff I need is there so I can copy it over.

ok what next ?
Can you take a backup of the SYSVOL?

Then turn on the FRS service on DC2 and follow the BurFlags procedure, setting DC2 to D2. Please make sure it's DC2 ;)
sounds like a good idea ;-)

man you've been a great help today :-D

I'll give it a go now
demazter is a credit to Experts-Exchange, went far beyond my original question to help and get my systems back online after a silly mistake I made in applying his fix.

Once again thanks man you're the best :-)
So all is working now?
Hi demazter,

Yes, things are back to normal now and DC2 is replicating following the application of BurFlags D2 to the correct server ;-)

Just applying SP1 back to DC1 now since the snapshot we used was pre SP1

Big thanks
Excellent, glad it's all sorted :)
Wow, outstanding work on this problem. I have a physical DC on my LAN in the event of issues with VM'd DCs.