Solved

Windows 2008 R2 Server Group Policy Not Replicating between Domain Controllers

Posted on 2011-03-18
3,811 Views
Last Modified: 2012-05-11
Hi,

I've installed 2 x Windows 2008 R2 Domain Controllers in what was once a 2003 R2 Domain. I've decommissioned the original 2003 R2 DC by transferring the FSMO roles and DCPROMOing it out. Since then I've raised the Domain and Forest Level to 2008 R2.

Everything else replication wise seems to be working, except for the Group Policies. I know this because the Sysvol Policies folder on the non PDC emulator have older files in.

The problem is some clients are getting Group Policies from the updated DC1 and some are getting them from the non replicated DC2.

What's up with the replication of Group Policy containers?

Also, in the interim, is there a setting to force clients to only use DC1 for Group Policy?

Thanks,

Craig
Question by:Japsterex
44 Comments
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
Can you try a non-authoritative restore using the D2 BurFlags as explained here: http://support.microsoft.com/kb/290762
Do this on the server that is showing the older versions of the policies.
0
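As an added example (not from the thread or from KB 290762 itself), here is a PowerShell script that performs the D2 non-authoritative FRS restore described above, with guards against the mistake the asker went on to make: it refuses to run unless the machine name matches the intended stale DC, and it takes its own copy of SYSVOL first. The `$ExpectedHost` and `$BackupRoot` parameters are assumptions; run it elevated on the target DC.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$ExpectedHost,   # assumed: the stale DC, e.g. 'DC02'
    [string]$BackupRoot = 'C:\SysvolBackup'                # assumed backup location
)

# Guard 1: refuse to continue unless this really is the server we meant to reinitialise.
if ($env:COMPUTERNAME -ne $ExpectedHost) {
    throw "Running on $env:COMPUTERNAME, not $ExpectedHost. Refusing to set BurFlags here."
}

# Guard 2: keep an independent copy of SYSVOL. FRS moves the old content to an
# NtFrs_PreExisting___See_EventLog folder, but a separate copy costs nothing.
$sysvol = Join-Path $env:SystemRoot 'SYSVOL'
$dest   = Join-Path $BackupRoot ('SYSVOL-{0}-{1:yyyyMMdd-HHmmss}' -f $env:COMPUTERNAME, (Get-Date))
robocopy $sysvol $dest /E /COPYALL /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy failed (exit code $LASTEXITCODE); aborting." }

# The key name contains a forward slash, which the PowerShell registry provider
# would treat as a path separator, so open it through .NET instead of HKLM:\.
$params = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters', $true)
$key = $params.OpenSubKey('Backup/Restore\Process at Startup', $true)
if (-not $key) { throw 'NtFrs Backup/Restore key not found; is FRS installed on this server?' }

# Guard 3: show the operator the current value (0 on a DC that is not mid-restore).
$before = [int]$key.GetValue('BurFlags', 0)
Write-Host ('BurFlags on {0} before change: 0x{1:X}' -f $env:COMPUTERNAME, $before)

Stop-Service -Name NtFrs -Force
# 0xD2 = non-authoritative restore: this replica discards its SYSVOL content and
# pulls a fresh copy from a replication partner (in the thread, DC1).
$key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close(); $params.Close()
Start-Service -Name NtFrs

# FRS resets BurFlags to 0 itself once the restore begins (as the thread notes).
# Watch the File Replication Service event log for event 13516, which reports
# that SYSVOL has been initialised and shared again.
```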
 
LVL 10

Expert Comment

by:Muzafar Momin
Use Spotlight for AD and check the replication status; also try restarting the DC.
0
 

Author Comment

by:Japsterex
Thanks Demazter,

I worked through KB 290762; the non-authoritative restore was going fine until I checked the event logs, then realised I was working on the wrong server :-/

Um, is there any way to reverse what I've done? I can see all the SYSVOL stuff has been moved to a "Pre-Existing" folder so I know the good stuff from DC1 is safe, but the DC1\SYSVOL share no longer exists!

Any ideas ?
0
 

Author Comment

by:Japsterex
Right,

I've recreated the SYSVOL & NETLOGON shares on DC1 and put the files back from the "Pre Existing" folder.

Luckily the replication did not occur from the out-of-date DC2 server.

I repeated the non-authoritative restore on DC2 to pull the data from DC1 but it's complaining that it can't replicate from DC1, same as it has done all along.

Looking back through the logs on DC2, it has never successfully replicated from DC1. It seems the only reason they are almost up-to-date and functioning correctly is that they were both new as of Dec 2010.

What next? DCPROMO DC2 out and then back in again?
0
 
LVL 74

Expert Comment

by:Glen Knight
OK, let's take a deeper look.

Can you post the results of IPCONFIG /ALL and DCDIAG from both servers please.
0
 

Author Comment

by:Japsterex
DC1

Windows IP Configuration

   Host Name . . . . . . . . . . . . : DC01
   Primary Dns Suffix  . . . . . . . : mycompany.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mycompany.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-A5-00-02
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::4936:b0dc:e918:924%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.1.247(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.1.4
   DHCPv6 IAID . . . . . . . . . . . : 234884137
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-7C-5B-2C-00-0C-29-4D-1E-85

   DNS Servers . . . . . . . . . . . : ::1
                                       10.10.1.247
                                       10.10.1.253
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{E820BDED-0799-4DC8-A16C-C73D40D6BE65}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

DC2

Windows IP Configuration

   Host Name . . . . . . . . . . . . : dc02
   Primary Dns Suffix  . . . . . . . : mycompany.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : mycompany.com

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-A5-00-05
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::897c:14b:51d8:aede%10(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.1.253(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.1.4
   DHCPv6 IAID . . . . . . . . . . . : 234901590
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-91-78-86-00-50-56-A5-00-03

   DNS Servers . . . . . . . . . . . : ::1
                                       10.10.1.253
                                       10.10.1.247
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{6C5E3727-6CCB-471F-BCC5-0FD79F5533F3}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

DCDIAG will follow

0
 
LVL 74

Expert Comment

by:Glen Knight
First thing I would say is: change the IP configuration so that the first DNS entry is the other server and the second is itself. The third entry can be removed.
0
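As an added example (not from the thread), a PowerShell script that checks a DC's DNS client order against the advice above (partner DC first, itself second, no loopback entry) and optionally applies it. It uses WMI because `Get-DnsClientServerAddress` does not exist on 2008 R2; the `$PartnerDc` parameter and the `-Apply` switch are assumptions.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$PartnerDc,   # assumed: the other DC's IPv4, e.g. '10.10.1.253'
    [switch]$Apply                                      # report only unless -Apply is given
)

# Pick the IP-enabled adapter that has a default gateway (the production NIC).
$nic = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Where-Object { $_.DefaultIPGateway } | Select-Object -First 1
if (-not $nic) { throw 'No IP-enabled adapter with a default gateway was found.' }

$self    = @($nic.IPAddress | Where-Object { $_ -notmatch ':' })[0]   # first IPv4 address
$current = @($nic.DNSServerSearchOrder | Where-Object { $_ })         # @() when unset
$wanted  = @($PartnerDc, $self)

Write-Host "Adapter : $($nic.Description)"
Write-Host "Current : $($current -join ', ')"
Write-Host "Wanted  : $($wanted -join ', ')"

$problems = @()
if ($current -contains '127.0.0.1') { $problems += 'loopback 127.0.0.1 is listed; remove it' }
if ($current.Count -eq 0 -or $current[0] -ne $PartnerDc) {
    $problems += "first entry should be the partner DC $PartnerDc"
}
if ($current.Count -lt 2 -or $current[1] -ne $self) {
    $problems += "second entry should be this DC's own address $self"
}
if ($current.Count -gt 2) { $problems += 'more than two entries; the extra ones can be removed' }

if ($problems.Count -eq 0) {
    Write-Host 'DNS client order already matches the recommendation.'
    return
}
$problems | ForEach-Object { Write-Host "PROBLEM: $_" }

if ($Apply) {
    # SetDNSServerSearchOrder returns 0 on success, 1 if a reboot is required.
    $rc = $nic.SetDNSServerSearchOrder([string[]]$wanted).ReturnValue
    if ($rc -ne 0) { throw "SetDNSServerSearchOrder returned $rc" }
    # Re-register the DC's own A and SRV records against the new order.
    ipconfig /registerdns | Out-Null
    Restart-Service -Name Netlogon
    Write-Host 'Applied; re-run DCDIAG to confirm the DC can locate its partner.'
}
```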
 

Author Comment

by:Japsterex
Ok, will give that a try.

Just had to reboot both of them as SYSVOL had disappeared from both DCs and everything here ground to a halt, saying no GCs were available; all authentication ceased. Guess that was something to do with the Burflags thing I kicked off on DC2?

We are in a serious problem now as neither of the DCs are working,

HELP PLEASE !!!!

0
 
LVL 74

Expert Comment

by:Glen Knight
when you accidentally changed the burflags on the "good" DC did you set it back to 0 when you "halted" the process?
0
 
LVL 74

Expert Comment

by:Glen Knight
Next question is do you have a system state backup?
0
 

Author Comment

by:Japsterex
Yes, the BurFlags reset themselves to 0 when you restart the NTFRS service.

yes I have a system state backup on backup exec
0
 

Author Comment

by:Japsterex
But I can't get it to restore because the credentials used to restore from the Backup Exec server are a domain account and no domain controllers are available to authenticate it.
0
 

Author Comment

by:Japsterex
How do I do a manual restore, as I have the C$ backups too?
0
 
LVL 74

Expert Comment

by:Glen Knight
OK, let's get one working. On the one that WAS the working machine, configure DNS to have only 127.0.0.1 in the IP configuration for DNS, no other entries.

Then in Active Directory Sites and Services, expand the DC (the good one) right click on NTDS Settings and select properties, make sure there is a check box in the Global Catalog box.

then reboot the good DC.

Don't do anything with the other one at this stage, let's get one working and go from there.
0
 

Author Comment

by:Japsterex
Very grateful for your help :)

Right, none of the AD apps work because it says that the PDC emulator cannot be contacted. DC1, which was the good one and has now gone bad, was the FSMO role holder. It says that even though DC1 owns the FSMO roles it doesn't recognise them, or something like that.

One thing that's adding to the issue is these are virtual machines, under VMware. I do however have a snapshot for DC1 that I took before I applied 2008 R2 SP1 last week.

Do you think this may be the better option?

0
 
LVL 74

Expert Comment

by:Glen Knight
Not at this stage.

Let's try and get DC1 working.

Have you changed the IP configuration? Does it have DNS installed on itself?

if you run:

NETDOM QUERY FSMO

and

NETDOM QUERY DC

from a command prompt, what do you get?

If we needed to "kill" DC2, is there anything on there that might be causing problems? It's possible that DC2 was never replicating correctly, and if that's the case there could be a FSMO role transition issue.
0
 

Author Comment

by:Japsterex
OK yes changed the DNS to itself.

NETDOM QUERY FSMO says this :

The specified domain either does not exist or could not be contacted.

The command failed to complete successfully.

NETDOM QUERY DC says the same.

If we needed to DCPROMO DC2 out this wouldn't be a major problem as long as we got DC1 running.

What next?

0
 

Author Comment

by:Japsterex
When I go to Domains and Trusts I get this also,

domain error
0
 

Author Comment

by:Japsterex
All references to the domain have disappeared, from DNS, DHCP everywhere.

Also all our mail services have stopped due to their reliance on AD I guess, DC2 is also in the same state regarding the above posts.

I'm starting to worry now :-/
0
 
LVL 74

Expert Comment

by:Glen Knight
OK, can you do this on both DCs for me and post the results.

From a command prompt run NTDSUTIL, type ROLES and press enter

Then type CONNECTIONS and press enter

At the next prompt type CONNECT TO SERVER DC1 (when you do this on DC2 type DC2 instead of DC1) and press enter

Once that's connected type Q and press enter

Type SELECT OPERATION TARGET and press enter

Type LIST ROLES FOR CONNECTED SERVER

Can you paste the output from both DCs here.

Keep pressing Q and enter to exit NTDSUTIL
0
 

Author Comment

by:Japsterex
Oh and DC2 is the Root CA for the domain, but I guess we can move that once we get DC1 working
0
 
LVL 74

Expert Comment

by:Glen Knight
OK, that completely changes things!

Restore the snapshot and we can recover from there.
0
 

Author Comment

by:Japsterex
DC1

Server "hcuk2k8dc01" knows about 5 roles
Schema - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
Naming Master - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
PDC - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
RID - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
Infrastructure - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com

DC2

Schema - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
Naming Master - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
PDC - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
RID - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
Infrastructure - CN=NTDS Settings,CN=HCUK2K8DC01,CN=Servers,CN=HC-UK,CN=Sites,CN=Configuration,DC=hc-uk,DC=com
0
 
LVL 74

Expert Comment

by:Glen Knight
OK, that's good, so at least AD thinks it's right (hold fire on that restore for now)
0
 
LVL 74

Expert Comment

by:Glen Knight
On DC1, go to the DNS console and expand the server name and forward lookup zones. For the internal forward lookup zone, right click on it and select properties.

Where it says Zone Type, click Change and uncheck the box that says "Store this zone in Active Directory" click OK and OK.

Then restart the DNS service.

What happens  when you try to run DCDIAG on DC1?
0
 

Author Comment

by:Japsterex
Ok done that,

here's the DC diag file dump dcdiag.txt
0
 
LVL 74

Expert Comment

by:Glen Knight
OK, back to the  DNS console, right click on the zone again and select properties, change the updates section to secure and non-secure updates.

Once done, restart the NETLOGON service and run DCDIAG /FIX

Then try the NETDOM QUERY FSMO command again
0
 

Author Comment

by:Japsterex
Same result I'm afraid :-

The specified domain either does not exist or could not be contacted.

The command failed to complete successfully.

 dcdiagfix.txt

Also see DCdiag fix log
0
 
LVL 74

Expert Comment

by:Glen Knight
Let's go with the snapshot restore then. Once you've done that, reboot the server and post DCDIAG results.
0
 

Author Comment

by:Japsterex
ok thanks

snapshot reverted, seems to be ok can see the sysvol folder on DC1, phew !

here's the dcdiag file dcdiag-post-snapshot.txt
0
 

Author Comment

by:Japsterex
FRS service currently off on DC2 shall I leave it that way ?
0
 
LVL 74

Expert Comment

by:Glen Knight
The first thing we need to do now is make sure this server is working properly, then we will worry about the other.

Change the IP configuration again so it's using only 127.0.0.1 for DNS, restart the NETLOGON service and run DCDIAG /FIX

Do you have NIC teaming enabled on DC1?

Don't do anything with DC2 at the moment.

0
 

Author Comment

by:Japsterex
No teaming on DC1 adapters as there's only 1 virtual adapter.

changed to 127.0.0.1 only

restarted netlogon

DCdiagfix log attached.

One thing I noticed is that DNS does not have a forward lookup zone at the moment.

When the machine started after the snapshot application it did ask for a reboot, I will do this now, while I'm waiting for your reply
 dcdiagfix--2-.txt
0
 
LVL 74

Expert Comment

by:Glen Knight
If there is no forward lookup zone then you will need to create one, this is pretty critical!
0
 

Author Comment

by:Japsterex
Will there be any zone backups anywhere I can import?

There was quite a lot of manually entered stuff in the zone to do with VMware etc. and stuff to do with Exchange OWA.

btw certain parts of VM are playing up, prob down to the DNS issue.

Shall I create a new one or try to import it from backup ?
0
 
LVL 74

Expert Comment

by:Glen Knight
I would create a new one, for now make it so it's not AD integrated and so it allows secure and non-secure updates.
0
 

Author Comment

by:Japsterex
OK, created a new one. Also, because the reverse lookup zone is still there, most of the stuff I need is there so I can copy it over.

ok what next ?
0
 
LVL 74

Expert Comment

by:Glen Knight
Can you take a backup of the SYSVOL

Then turn on the FRS service in DC2 and follow the burflags and set DC2 to D2.  Please make sure it's DC2 ;)
0
 

Author Comment

by:Japsterex
sounds like a good idea ;-)

man you've been a great help today :-D

I'll give it a go now
0
 

Author Closing Comment

by:Japsterex
demazter is a credit to Experts-Exchange, went far beyond my original question to help and get my systems back online after a silly mistake I made in applying his fix.

Once again thanks man you're the best :-)
0
 
LVL 74

Expert Comment

by:Glen Knight
So all is working now?
0
 

Author Comment

by:Japsterex
Hi demazter,

yes things are back to normal now and the DC2 is replicating following the application of the burflags D2 to the correct server ;-)

Just applying SP1 back to DC1 now since the snapshot we used was pre SP1

Big thanks
0
 
LVL 74

Expert Comment

by:Glen Knight
Excellent, glad it's all sorted :)
0
 
LVL 20

Expert Comment

by:Iain MacMillan
Wow, outstanding work on this problem. I have a physical DC on my LAN, in the event of issues with VM'ed DCs.
0
