Sysvol file replication issues between servers

Posted on 2011-09-18
Last Modified: 2012-05-12
Hi all

We have an old Windows 2003 server which we are in the process of replacing with a new SBS 2011 server. We've put the new server in and used the answer file to install SBS, during which the installation process has started handling some of the network roles (DHCP, DNS, Exchange etc.).

The Exchange mailboxes moved over without a hitch.

However, since adding a few new GPOs we've found that new GPOs aren't implemented; they don't even show in an RSOP query. If we check \\domain\sysvol on the old Windows server and on the new one, we get two different sets of results. The old server shows the latest policies\<GUID> folder being from July. From the new server we see that the latest policy folder is dated today.

We see this in the FRS event log on the old server:
Event Type:        Error
Event Source:    NtFrs
Event Category:                None
Event ID:              13549
Date:                     18/09/2011
Time:                    22:26:05
User:                     N/A
Computer:          OLD_SERVER
The File Replication Service is unable to replicate from a partner computer because the event time associated with the file to be replicated is too far into the future.  It is 30 minutes greater than the current time.  This can happen if the system time on the partner computer was set incorrectly when the file was created or updated.  To preserve the integrity of the replica set this file update will not be performed or propagated further.
The file name is: "{220BE2AD-0766-449A-83B4-2786AC73F7F9}"
The connection to the partner computer is:
Note: If this time difference is close to a multiple of 60 minutes then it is likely that this file may have been created or updated on the partner computer while the computer was set to the incorrect time zone when its computer time was initially set.  Check that the timezone and time are correctly set on the partner computer.

The File Replication service on the old server also stops after about 30 seconds.

We have also noticed that if we reboot the old server, while it's offline, none of the other workstations or servers can access the \\domain\sysvol share, with an error stating something like "The username could not be found".

The times, dates and time zones on the workstations and both servers appear to be the same.

Any ideas?

Question by:stonneway

Author Comment

ID: 36557450
I've also noticed that on the new server I can go to the sysvol share and browse the policy folders of any new GPOs that I've created on this server.

However, I can't browse any of the policy folders of any of the GPOs that were created on the old server, before the new server was installed. If I try, I just get permission errors, though I'm accessing both servers using the same account.
LVL 10

Expert Comment

ID: 36557505
It seems that you have a time sync issue on the server. If your SBS 2011 installation is completed, then you should transfer the FSMO role from the old server to the new SBS.

1. Check the DNS configuration on both servers' NICs; each should point to itself as the primary DNS and to the others as an alternate DNS.
2. Then check and configure the authoritative time server; the PDC emulator in your forest root domain should be the time server and the others will sync with it.


Author Comment

ID: 36557518
The DNS on both servers are set as you describe. The time on both is identical to within a few seconds and the time zone is also the same.

LVL 10

Expert Comment

ID: 36557527
Post ipconfig /all, dcdiag /q and repadmin /showreps output. Also make sure that all required services are in the started state on both servers.

Accepted Solution

OliverLo earned 250 total points
ID: 36557555
Hi Stonneway,

Please try these steps:
1.      Stop the netlogon and ntfrs services on both servers
2.      Check whether the sysvol share is visible on both servers using the net share command line
If one of the servers does not show any sysvol share, then set the value SYSVOLREADY to 1 on this server. This key is located there:
I think this value is used by the netlogon service to share sysvol and configure the right permission on the share.

3.      Copy sysvol folder on the functional server (the SBS one I believe) to get a backup

4.      Force replication by setting the BurFlags value to D4 on the good server (containing the correct sysvol share)
The BurFlags DWORD value is located here:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

5.      Restart the netlogon and the ntfrs service
Once you restart the ntfrs service, the ntfrs replication should be initialized between your old server and SBS.

You have a complete description of the authoritative sysvol restore process in the "Authoritative FRS restore" section of this article:

I hope this will work for you.
Do not forget to copy your sysvol share on both servers in case you need it.
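
The five steps above as one script, run locally on a single domain controller. This is an added example, not part of the original answer; it also accepts the D2 value mentioned later in the thread, and the SYSVOL data path and backup folder are assumptions.

```powershell
# Added example (not from the thread). Run locally on one domain controller.
param(
    [Parameter(Mandatory=$true)][ValidateSet('D4','D2')][string]$Mode,
    [string]$SysvolData = (Join-Path $env:SystemRoot 'SYSVOL\domain'), # assumed default location
    [string]$BackupRoot = 'C:\SysvolBackup'                            # hypothetical folder
)
$ErrorActionPreference = 'Stop'
# The key name "Backup/Restore" contains a forward slash, which the PowerShell
# registry provider treats as a path separator, so use the .NET registry API.
$keyPath = 'System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

# Step 1: stop Netlogon and FRS
Stop-Service -Name Netlogon -Force
Stop-Service -Name NtFrs -Force
try {
    # Step 2: report whether this server currently shares SYSVOL
    $shared = @(net share | Select-String -Pattern '^SYSVOL\s').Count -gt 0
    Write-Host "SYSVOL shared on ${env:COMPUTERNAME}: $shared"

    # Step 3: back up the SYSVOL data before touching BurFlags
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    $dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    Copy-Item -Path $SysvolData -Destination $dest -Recurse
    Write-Host "Backup written to $dest"

    # Step 4: set BurFlags (D4 = authoritative, D2 = non-authoritative)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
    if ($key -eq $null) { throw "Registry key not found: HKLM\$keyPath" }
    $key.SetValue('BurFlags', [Convert]::ToInt32($Mode, 16), [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Write-Host "BurFlags set to 0x$Mode"
}
finally {
    # Step 5: restart the services even if an earlier step failed
    Start-Service -Name Netlogon
    Start-Service -Name NtFrs
}
```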
LVL 24

Assisted Solution

Sandeshdubey earned 250 total points
ID: 36558155
This error occurs whenever you have a file set into an FRS folder that has a time stamp that is too far in the future (60 minutes by default). Since FRS relies on timestamps as well as its own index to ensure that the most recent file is kept and all older versions are overwritten it demands some time synchronization. If you are using a multi time zone system, ensure that the time zones are set correctly on each computer. Often when the FRS time catches up with the timestamp this error will "correct" itself.

If the time is in sync you can try this before you do a full rebuild of sysvol.
1. Stop NetLogon and FRS on the domain controller.
2. Rename the Ntfrs.jdb file in the Windir\Ntfrs\Jet folder.
3. Rename the Edb.chk file in the Windir\Ntfrs\Jet\Sys folder.
4. Rename the Edb.log file, the Res1.log file, and the Res2.log file in the Windir\Ntfrs\Jet\Log folder.
5. Restart Netlogon.
6. Restart FRS

If the above does not work you need to rebuild the sysvol.
Take a backup of the sysvol folder of both DCs. Run D4 (auth restore) on the healthy DC, which in your case should be the old DC, and D2 (non-auth restore) on the newly installed DC. Below is the KB article for your reference.
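
A read-only way to look for the condition this answer describes, as an added example that is not part of the original post: it lists items under the share whose timestamps are ahead of the local clock and flags differences close to a multiple of 60 minutes, as the note in the Event 13549 text suggests. File timestamps are used as a stand-in for the "event time" named in the log entry, which is an assumption, as are the default path and the tolerance value.

```powershell
# Added example, read-only. Path and thresholds are assumptions to adjust.
param(
    [string]$Path = '\\domain\sysvol',   # share name as written in the question
    [int]$MaxFutureMinutes = 30,         # limit quoted in the Event 13549 text
    [int]$ZoneToleranceMinutes = 5       # hypothetical "close to a multiple of 60" margin
)

$now = [DateTime]::UtcNow

Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Take the later of creation and last-write time, both in UTC
        $stamp = $_.LastWriteTimeUtc
        if ($_.CreationTimeUtc -gt $stamp) { $stamp = $_.CreationTimeUtc }

        $ahead = ($stamp - $now).TotalMinutes
        if ($ahead -gt $MaxFutureMinutes) {
            # Distance from the nearest whole hour hints at a time zone mistake
            $offHour = [Math]::Abs($ahead - 60 * [Math]::Round($ahead / 60))
            New-Object PSObject -Property @{
                Path           = $_.FullName
                StampUtc       = $stamp
                MinutesAhead   = [Math]::Round($ahead, 1)
                LikelyTimeZone = ($offHour -le $ZoneToleranceMinutes)
            }
        }
    } |
    Sort-Object MinutesAhead -Descending |
    Format-Table Path, StampUtc, MinutesAhead, LikelyTimeZone -AutoSize
```

Folders that return permission errors are skipped silently, so an empty result on a share that cannot be fully browsed is not conclusive.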


Author Comment

ID: 36559015
Hi Sandeshdubey and OliverLo

Do either of the steps outlined require a server outage of any kind? From what I can read about them they shouldn't, but I thought I would check.




Question has a verified solution.
