Solved

Sysvol and Netlogon Not Replicating on 2008 Server

Posted on 2011-03-23
Last Modified: 2012-05-11
Help!!!  I have a small office that I was replacing the Server 2003 with a Server 2008.  Everything went fine with the Install and my AD replicated (users, computers, etc) as well as DNS, but my Netlogon and Sysvol directories aren't shared on the new server and replication isn't occurring.  I'm getting errors in the Event Viewer.  I've tried just about everything.  Here's my question.  Can I manually share these directories (copy the login scripts over manually) and run DCGPOFIX and recreate the default policy?  The old server is still up and running, but until I can get these directories I can't shut it down.

Thanks!
Question by:chattiegirl
LVL 18

Expert Comment

by:Netflo
ID: 35204196
I would not apply DCGPOFIX; it is used as a last resort. First of all, copy the contents of the NETLOGON and SYSVOL folders, as they are crucial, at this stage where you still have access to them.

To troubleshoot replication, check in the Event Viewer under File Replication Service, as this may point to your Server 2003 box being in a state of Journal Wrap; this can be easily fixed too.

Replication errors can occur if you have a class A private network address and the subnet masks don't match between the servers - I've seen this common mistake before. This can be corrected, most likely on your Server 2008 box; then restart the NETLOGON service to poll again.

Do not attempt to create these shares on your new server, you have an underlying problem which needs to be fixed first.

Do you have any error messages in Event Viewer DNS as well? Please post your findings before moving on with the article below.

Please go through the following article for further reading and resolution:
http://support.microsoft.com/kb/257338
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35204702
The most common cause of this is misconfiguration of DNS.

Check the network card of both servers, make sure they are both using a valid internal Windows DNS server.  There should be no ISP DNS entries here.

If you make any changes above, restart the NETLOGON service to re-register entries in DNS.  If you have more than one internal DNS server it might be worth configuring the DCs to just use one server; make sure it's the same one on both DCs if you do this.

Run DCDIAG on both domain controllers and post results along with the output from IPCONFIG /ALL.

Consider doing a non-authoritative rebuild by setting burflags to D2 on the DC you are having problems with as per: http://support.microsoft.com/kb/290762
 

Author Comment

by:chattiegirl
ID: 35228985
I'm sure this is a DNS issue but I can't find it.  I have both servers pointing to the original server for DNS, I can ping with no issues, but when I run DCDIAG from Server 2 (the replacement server) I get a warning that DSGETDCNAME returns the name of Server-1 when it is trying to reach Server-2.  Why would it give me that?
 
LVL 18

Expert Comment

by:Netflo
ID: 35229713
Can you please post the results as per Demazter's last post:

Run DCDIAG on both domain controllers and post results along with the output from IPCONFIG /ALL.
 

Author Comment

by:chattiegirl
ID: 35232866
Okay, here is the IPCONFIG output:

Server1:
Host Name . . . . . . . . . . . . : Server1
   Primary Dns Suffix  . . . . . . . : our.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : our.domain.com
                                       domain.com
 
Ethernet adapter Local Area Connection:
 
   Connection-specific DNS Suffix  . :  
   Description . . . . . . . . . . . : Broadcom NetXtreme Gigabit Ethernet
   Physical Address. . . . . . . . . : 00-0D-60-16-57-A7
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.2

Server2:

   Host Name . . . . . . . . . . . . : SERVER2
   Primary Dns Suffix  . . . . . . . : our.domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : our.domain.com
                                       domain.com

Ethernet adapter Local Area Connection 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Broadcom BCM5709C NetXtreme II GigE (NDIS VBD Client)
   Physical Address. . . . . . . . . : E4-1F-13-C2-6F-5E
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.2
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Local Area Connection* 8:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Local Area Connection* 11:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : isatap.{20502625-7595-4F77-9D7D-974AA94DCA7C}
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
 

Author Comment

by:chattiegirl
ID: 35233111
And the results of DCDIAG:

Server1:
Domain Controller Diagnosis

Performing initial setup:
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\SERVER1
      Starting test: Connectivity
         ......................... SERVER1 passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\SERVER1
      Starting test: Replications
         ......................... SERVER1 passed test Replications
      Starting test: NCSecDesc
         ......................... SERVER1 passed test NCSecDesc
      Starting test: NetLogons
         ......................... SERVER1 passed test NetLogons
      Starting test: Advertising
         ......................... SERVER1 passed test Advertising
      Starting test: KnowsOfRoleHolders
         ......................... SERVER1 passed test KnowsOfRoleHolders
      Starting test: RidManager
         ......................... SERVER1 passed test RidManager
      Starting test: MachineAccount
         ......................... SERVER1 passed test MachineAccount
      Starting test: Services
            RPCLOCATOR Service is stopped on [SERVER1]
            TrkWks Service is stopped on [SERVER1]
            TrkSvr Service is stopped on [SERVER1]
         ......................... SERVER1 failed test Services
      Starting test: ObjectsReplicated
         ......................... SERVER1 passed test ObjectsReplicated
      Starting test: frssysvol
         Error: No record of File Replication System, SYSVOL started.
         The Active Directory may be prevented from starting.
         ......................... SERVER1 passed test frssysvol
      Starting test: kccevent
         ......................... SERVER1 passed test kccevent
      Starting test: systemlog
         ......................... SERVER1 passed test systemlog
   
   Running enterprise tests on : ourdomain.com
      Starting test: Intersite
         ......................... ourdomain.com passed test Intersite
      Starting test: FsmoCheck
         ......................... ourdomain.com passed test FsmoCheck


Server 2:
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = SERVER2
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Connectivity
         ......................... SERVER2 passed test Connectivity
 
Doing primary tests
   
   Testing server: Default-First-Site-Name\SERVER2
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\Server1.our.domain.com, when we were trying to reach
         SERVER2.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... SERVER2 failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... SERVER2 passed test FrsEvent
      Starting test: DFSREvent
         ......................... SERVER2 passed test DFSREvent
      Starting test: SysVolCheck
         ......................... SERVER2 passed test SysVolCheck
      Starting test: KccEvent
         ......................... SERVER2 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... SERVER2 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... SERVER2 passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have  
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=our,DC=domain,DC=com
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have  
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=our,DC=domain,DC=com
         ......................... SERVER2 failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SERVER2\netlogon)
         [SERVER2] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... SERVER2 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... SERVER2 passed test ObjectsReplicated
      Starting test: Replications
         ......................... SERVER2 passed test Replications
      Starting test: RidManager
         ......................... SERVER2 passed test RidManager
      Starting test: Services
         ......................... SERVER2 passed test Services
      Starting test: SystemLog
         ......................... SERVER2 passed test SystemLog
      Starting test: VerifyReferences
         ......................... SERVER2 passed test VerifyReferences
   
   
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation
   
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
   
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
   
   Running partition tests on : our
      Starting test: CheckSDRefDom
         ......................... our passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... our passed test CrossRefValidation
   
   Running enterprise tests on : our.domain.com
      Starting test: LocatorCheck
         ......................... our.domain.com passed test LocatorCheck
      Starting test: Intersite
         ......................... our.domain.com passed test Intersite


Thanks!

 
LVL 74

Expert Comment

by:Glen Knight
ID: 35233115
This is a multihomed server? Do you use it for VPN?

It isn't recommended to have a domain controller with multiple NICs, and this is probably part of your problem.
 

Author Comment

by:chattiegirl
ID: 35233259
No, I have the second NIC disabled.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35233328
Not according to your IPCONFIG: you have 2 NICs enabled with different IP addresses.
 

Author Comment

by:chattiegirl
ID: 35233431
Okay, I'm missing where you say I have different IP addresses.  Not trying to be dense, but I'm just not seeing it.  

Server 1 is set to 192.168.1.2 and Server 2 is 192.168.1.7.  What other IP address is assigned?
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35233705
Ahhhh!! Sorry, you have posted them both together.  I misread that and thought they were from the same server.

The disabled NIC: is that disabled in Windows or the BIOS? If Windows, can you disable it in the BIOS?

Can you check the icons for the network connections; are they correct? The disabled NIC has a disabled icon, and the enabled one has an enabled icon?
 

Author Comment

by:chattiegirl
ID: 35233838
Yes, they have the appropriate disabled/enabled icons.  I can't disable in the BIOS at this time.  I'm not onsite.

I'm just completely perplexed because I can ping everything fine, by Netbios name and FQDN.  I just can't get the stupid replication to work so I can shut down that original server.  The users see no issues (they can login, browse, see shares, etc.), other than they have an extra server sitting in their server room waiting to be moved out.  But if I shut it down without the sysvol and netlogon shares, then nobody logs in.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35233931
On the server where SYSVOL is not mounting, can you try setting the BurFlags value to D2 as per: http://support.microsoft.com/kb/290762

Please be careful to do this on the correct server and do not do any other procedure.
 
LVL 18

Expert Comment

by:Netflo
ID: 35234033
From the good server, I would recommend copying the contents of the NETLOGON and SYSVOL folders to a safe location first, too. It would be a great shame to lose those policies and scripts.
 

Author Comment

by:chattiegirl
ID: 35234153
Policies are default - nothing special, nothing customized.  I've backed them up, but is it a big deal if the policies have to be recreated manually?  I've done the BurFlags and I get the same error I've had all along in the NTFRS event log, 13508.  Again, I can ping in both directions.  Just not getting where it's hung up.

I just want to be able to shut down the original server.
 
LVL 18

Expert Comment

by:Netflo
ID: 35234487
Can you please refer to the following article and verify that the folders listed below exist on your problematic server. I've had a scenario similar to this, where once I stopped the NTFRS service, created the folder structure and restarted NTFRS, everything was up.

http://support.microsoft.com/?id=315457

On all domain controllers in the domain, verify that the file structure and junction points are correct. To do this, follow these steps:
Verify that the following folders exist in the SYSVOL tree:
\SYSVOL
\SYSVOL\domain
\SYSVOL\staging\domain
\SYSVOL\staging areas
\SYSVOL\domain\Policies
\SYSVOL\domain\scripts
\SYSVOL\SYSVOL
Verify that the following reparse points exist:
\SYSVOL\SYSVOL\ DNS Domain Name
This reparse point must be linked to the \SYSVOL\domain folder.

\SYSVOL\staging areas\DNS Domain Name
This reparse point must be linked to the \SYSVOL\staging\domain folder.
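The checks above (folders, the two junction points and the shares dcdiag could not reach) as one read-only PowerShell script. This is an added example, not code from the thread or from the KB article; it assumes SYSVOL sits at the dcpromo default %SystemRoot%\SYSVOL, and needs PowerShell 3.0 or later for the .Target property on a junction.

```powershell
# Added example (not from the thread): read-only verification of the SYSVOL tree, the
# junction points from KB 315457, and the SYSVOL/NETLOGON shares, on the local DC.
# Assumption: SYSVOL is at %SystemRoot%\SYSVOL (the dcpromo default); adjust $sysvol if not.
$domain = (Get-WmiObject Win32_ComputerSystem).Domain   # DNS domain name, e.g. our.domain.com
$sysvol = Join-Path $env:SystemRoot 'SYSVOL'
$problems = @()

# 1. Folders that must exist (relative to the SYSVOL root)
$relative = 'domain', 'staging\domain', 'staging areas',
            'domain\Policies', 'domain\scripts', 'sysvol'
$required = @($sysvol) + ($relative | ForEach-Object { Join-Path $sysvol $_ })
foreach ($folder in $required) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        $problems += "missing folder: $folder"
    }
}

# 2. Junctions that must exist and resolve to the right folder
$junctions = @{}
$junctions[(Join-Path $sysvol "sysvol\$domain")]        = Join-Path $sysvol 'domain'
$junctions[(Join-Path $sysvol "staging areas\$domain")] = Join-Path $sysvol 'staging\domain'
foreach ($link in $junctions.Keys) {
    $expected = $junctions[$link]
    if (-not (Test-Path -LiteralPath $link)) { $problems += "missing junction: $link"; continue }
    $item = Get-Item -LiteralPath $link -Force
    if (-not ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        # A plain folder here looks fine in Explorer but the domain tree is not what FRS serves
        $problems += "not a junction (plain folder): $link"; continue
    }
    $target = @($item.Target)[0]   # string[] on PS 3/4, string on PS 5.1+
    if ($target -and ($target.TrimEnd('\') -ine $expected.TrimEnd('\'))) {
        $problems += "junction $link -> '$target', expected '$expected'"
    }
}

# 3. The shares Netlogon publishes once FRS reports SYSVOL ready (dcdiag NetLogons test)
$shares = Get-WmiObject Win32_Share | ForEach-Object { $_.Name }
foreach ($name in 'SYSVOL', 'NETLOGON') {
    if ($shares -notcontains $name) { $problems += "share not published: \\$env:COMPUTERNAME\$name" }
}

if ($problems.Count -eq 0) { Write-Output 'SYSVOL structure, junctions and shares look correct.' }
else { $problems | ForEach-Object { Write-Output "PROBLEM: $_" } }
```

Run it on both DCs and compare: on the good server every check should pass, so any line it prints on the new server is a concrete difference to fix before touching BurFlags.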
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35234665
Let's do the BurFlags procedure again, but this time do D4 on the working server and D2 on the non-working server.

Do the D4 first and follow the procedure through, then complete the D2 procedure on the non-working server.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35234746
You may also want to consider demoting the server that isn't working, rebooting, then re-promoting it.  It's possible it may not have promoted correctly.
 
LVL 74

Expert Comment

by:Glen Knight
ID: 35234757
Before you do that, make sure the DNS zone is not Active Directory integrated and that it's set to allow secure and non-secure updates.  These settings can be found in the properties of the forward lookup zone for your internal domain.
 

Author Comment

by:chattiegirl
ID: 35234879
It is Active Directory integrated.  Would that be causing this?  Or do I just want to change that before demoting/re-promoting?  Note that I have already demoted/re-promoted it in hopes that it would correct itself, but I haven't changed the DNS zone.  Can you spell out exactly what I should do?  BurFlags first or demotion first?  And where does AD DNS fit in?

Thanks!
 
LVL 74

Accepted Solution

by:
Glen Knight earned 500 total points
ID: 35235080
Ok, do the BurFlags D4 first.

If that doesn't work then do the following:

1. Change the DNS zone so it isn't AD integrated.
2. Make sure secure and insecure updates are allowed.
3. Make sure both servers are configured to use the same server for DNS.
4. Configure servers to use only one DNS server.
5. Reboot both servers.
6. Demote the non-working server.
7. Reboot the non-working server.
8. Re-promote the non-working server.
9. Reboot the non-working server.
10. Allow sufficient time for replication to complete.
11. Check SYSVOL.
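The BurFlags step from KB 290762 that the thread keeps coming back to, written out as one PowerShell script so the restore mode, the server it is run on and the backup happen in a fixed order. This is an added example, not the thread's or Microsoft's code; the registry key and value names are the documented FRS ones, and the script assumes SYSVOL is at the dcpromo default %SystemRoot%\SYSVOL.

```powershell
# Added example (not from the thread): BurFlags restore per KB 290762, run elevated on a DC.
#   -Mode D4  on the DC whose SYSVOL is good   (authoritative restore, done first)
#   -Mode D2  on the DC that is not sharing SYSVOL (non-authoritative, done second)
# -BackupTo copies SYSVOL\domain aside before anything is changed, as Netflo advised.
param(
    [Parameter(Mandatory = $true)][ValidateSet('D2', 'D4')][string]$Mode,
    [string]$BackupTo = "$env:SystemDrive\SysvolBackup_$(Get-Date -Format yyyyMMdd_HHmmss)"
)
$ErrorActionPreference = 'Stop'
$sysvol  = Join-Path $env:SystemRoot 'SYSVOL'      # assumption: dcpromo default location
$keyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

# Refuse to run anywhere FRS is not the SYSVOL replication engine (e.g. a member server)
if (-not (Get-Service NtFrs -ErrorAction SilentlyContinue)) {
    throw 'NtFrs service not present: this host is not an FRS-replicated domain controller.'
}

# Keep policies and scripts recoverable before touching replication state
Copy-Item -LiteralPath (Join-Path $sysvol 'domain') -Destination $BackupTo -Recurse
Write-Output "SYSVOL\domain copied to $BackupTo"

Stop-Service NtFrs

# The key name contains '/', which the PowerShell registry provider treats as a path
# separator, so open it through the .NET registry API rather than Set-ItemProperty.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
if (-not $key) { throw "Registry key not found: HKLM\$keyPath" }
$value = if ($Mode -eq 'D4') { 0xD4 } else { 0xD2 }
$key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()

Start-Service NtFrs
Write-Output "BurFlags=$Mode applied and NtFrs restarted on $env:COMPUTERNAME."
Write-Output 'Wait for FRS event 13516 (SYSVOL shared) in the File Replication Service log before proceeding.'
```

Run it with -Mode D4 on the good server and wait for SYSVOL to be shared again before running -Mode D2 on the new server; setting D4 on both would make them compete for the authoritative copy.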
 

Author Comment

by:chattiegirl
ID: 35237690
Thank you so much.  The D4 burflags is what did the trick.  I appreciate you sticking with this through the end.