We help IT Professionals succeed at work.

SYSVOL folder not syncing and Event ID 13552 & 13555

btny
btny used Ask the Experts™
on
Hi,

Over the weekend we changed our entire network IP scope from 192.168.1.X to 10.220.10.X

This included two domain controllers a W2K3 and W2K8.  

I noticed after the migration that the SYSVOL folder on the 2K3 server only had about 4 GPOs in it where the 2K8 one has 8.

Using netdiag and dcdiag showed FRS issues until I restarted the service.  Now it shows no issues but I am getting windows events Event ID 13552 & 13555

So basically our GPOs are not applying now which is no good!

Thanks in advance
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Sandesh DubeyTechnical Lead
Top Expert 2011

Commented:
On the Server where event id 13552 and 13555 has occured follow below step.Take the systemstate backup of the server before you proceed.Also take ntfrs folder backup from  C:\windows\ntfrs.
i.e stop the frs service and copy the content ntfrs folder to temp location.

The most likely cause of these errors is that the FRS Jet database, or a Jet database log file, is corrupt. To fix the problem:
1. Open a CMD prompt on the domain controller and stop the NetLogon and Ntfrs services:

    net stop NetLogon
    net stop Ntfrs

2. Type:

    del %systemroot%\ntfrs\jet\Ntfrs.jdb
    del %systemroot%\ntfrs\jet\Sys\Edb.chk
    del %systemroot%\ntfrs\jet\log\edb.log
    del %systemroot%\ntfrs\jet\log\res1.log
    del %systemroot%\ntfrs\jet\log\res2.log

3. Type:

    net start NetLogon
    net start Ntfrs

4. Check the FRS event log for expected warning 13514 and 13520.

5. Close the FRS event log and go get a cup of coffee.

6. In five minutes, recheck the FRS event log for informational messages 13553, 13554, and 13516.

Hi,

The most likely cause of these errors is that the FRS Jet database, or a Jet database log file, is corrupt.

 To fix the problem:
1. stop the NetLogon and Ntfrs service on 2k3 dc:
    net stop NetLogon
    net stop Ntfrs
2. Type:
    del %systemroot%\ntfrs\jet\Ntfrs.jdb
    del %systemroot%\ntfrs\jet\Sys\Edb.chk
    del %systemroot%\ntfrs\jet\log\edb.log
    del %systemroot%\ntfrs\jet\log\res1.log
    del %systemroot%\ntfrs\jet\log\res2.log
3. Type:
    net start NetLogon
    net start Ntfrs
4. Check the FRS event log for expected warning 13514 and 13520.
5. In five minutes, recheck the FRS event log for informational messages 13553, 13554, and 13516.

Note:
-- Take a %systemroot%\ntfrs folder backup before you perform these steps.
-- If any of the DFS or other replica sets hosted by this server then copy the data under its share or replica tree root to a safe location.

Ref: http://www.eventid.net/display.asp?eventid=13552&eventno=571&source=NtFrs&phase=1

Regards,
AbhijitW.


Author

Commented:
Thanks however after doing that my SYSVOL folder is no longer shared and within it I have a folder called ntfrs_preexisting___see_eventlog

It seems AD is very weird now since opening users and computers isnt connecting to a DC

Author

Commented:
New users cannot log onto the domain now either.. oh boy

Commented:
The netlogon service probably has problems. But most FRS errors are a result of a DNS related issue. Go to the command prompt of the server and type:

DCdiag /test:DNS

You may have to fix SRV records, clean up DNS metadata, and restart FRS. If that doesn't work, you might have to use an authoritative restore of the sysvol on the 2003 server by using the burflag method.

DNS is of the utmost importance for FRS to work properly. Once DNS is fixed concentrate on fixing the sysvol.

Make sure a DCdiag /test:DNS is perfect on ALL your servers.