• Status: Solved

GPO Replication Problem

Hi Experts

One of our clients has a 2003 SBS server, and we have introduced a 2011 SBS server to the network and run a migration.

However, GPOs are not replicating from the old to the new server. The contents of \\contoso.local\SYSVOL\contoso.local\Policies are different between the two servers.

• So, clicking on the Default Domain Policy GPO from the new server shows 'Failed to open the Group Policy object. You may not have the appropriate rights'. The system cannot find the file specified.

•      Problem may be DNS related. Dcdiag /test:dns shows the following:

           
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = CONSBS2K11
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CONSBS2K11
      Starting test: Connectivity
         ......................... CONSBS2K11 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CONSBS2K11
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... CONSBS2K11 passed test DNS

   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : contoso

   Running enterprise tests on : contoso.local
      Starting test: DNS
         Test results for domain controllers:

            DC: CONSBS2K11.contoso.local
            Domain: contoso.local

               TEST: Records registration (RReg)
                  Network Adapter
                  [00000007] Broadcom NetXtreme Gigabit Ethernet:
                     Error:
                     Missing SRV record at DNS server 192.168.100.3:
                     _ldap._tcp.908f74aa-4eba-4837-96b1-e5d80ec00ff4.domains._msdcs.contoso.local

                     Error:
                     Missing SRV record at DNS server 192.168.100.2:
                     _ldap._tcp.908f74aa-4eba-4837-96b1-e5d80ec00ff4.domains._msdcs.contoso.local

               Warning: Record Registrations not found in some network adapters

               CONSBS2K11                   PASS PASS PASS PASS PASS WARN n/a
         ......................... contoso.local passed test DNS


Primary DNS on the new server points to itself. Alternative points to the source server.

•      In the ‘File Replication Service’ log, there are a lot of these:


The File Replication Service is having trouble enabling replication from SERVER2003 to CONSBS2K11 for c:\windows\sysvol\domain using the DNS name SERVER2003.contoso.local. FRS will keep retrying. 
 Following are some of the reasons you would see this warning. 
 
 [1] FRS can not correctly resolve the DNS name SERVER2003.contoso.local from this computer. 
 [2] FRS is not running on SERVER2003.contoso.local. 
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. 
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.



•      Running gpupdate shows this:


Updating Policy...

User policy could not be updated successfully. The following errors were encount
ered:


The processing of Group Policy failed. Windows attempted to read the file \\advo
cate.local\sysvol\contoso.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
\gpt.ini from a domain controller and was not successful. Group Policy settings
may not be applied until this event is resolved. This issue may be transient and
could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.
Computer policy could not be updated successfully. The following errors were enc
ountered:

The processing of Group Policy failed. Windows attempted to read the file \\advo
cate.local\sysvol\contoso.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}
\gpt.ini from a domain controller and was not successful. Group Policy settings
may not be applied until this event is resolved. This issue may be transient and
could be caused by one or more of the following:
a) Name Resolution/Network Connectivity to the current domain controller.
b) File Replication Service Latency (a file created on another domain controller
has not replicated to the current domain controller).
c) The Distributed File System (DFS) client has been disabled.

To diagnose the failure, review the event log or run GPRESULT /H GPReport.html f
rom the command line to access information about Group Policy results.




The policy mentioned above ({31B2F340-016D-11D2-945F-00C04FB984F9}) is on the old server, but not the new server.

One thing worth mentioning is that there appears to be no NETLOGON share on the old server.

The source server is still online. I'm not sure if it's worth mentioning that we stopped the SBSCore Service on the old server (using this: http://www.jeremycole.com/blog/2008/06/24/how-to-stop-the-sbcore-service-service-or-how-to-use-sbs2003-as-a-normal-server/) so technically, there are -3 days left to complete the migration.

Many thanks
Glen
0
 
aindelicato Commented:
Use the export/import options.
0
 
glen226 (Author) Commented:
@aindelicato - Sorry, I'm not sure what you mean.
0
 
Narender Gakka (AWS / DevOps / Cloud Consultant) Commented:
Did you try to access the share from the client \\advocate.local\sysvol\contoso.local, as it's the location where all your group policy objects are stored and are accessed whenever your group policy refreshes?
0
 
snusgubben Commented:
Try to restart the ntfrs service on the 2003 server and check the FRS event log to see if it's in a Journal Wrap or something.
0
 
glen226 (Author) Commented:
@vikshi - \\advocate.local\sysvol\contoso.local should read \\contoso.local\sysvol\contoso.local - I've done a bad find and replace job in the question that I can't change now. Drats.

\\contoso.local\SYSVOL\contoso.local\Policies from the new (destination) server has these files:

02/08/2012  17:48    <DIR>          {3EFB0718-89E3-4321-A422-14D53A54E325}
02/08/2012  18:03    <DIR>          {581D6970-6F45-4F8E-9D35-17637B5A1B15}
02/08/2012  18:03    <DIR>          {614E8A5A-0358-4F81-B2B2-710F0983EF93}
02/08/2012  18:03    <DIR>          {78C51603-B22A-4CD5-886C-0AB18FE26E99}
02/08/2012  17:48    <DIR>          {9D32E6DC-13C4-4521-A13D-35E2652DC390}
02/08/2012  17:48    <DIR>          {9E6A1E80-6946-4ED6-A71D-474BBAA0CA79}
02/08/2012  17:48    <DIR>          {B198968E-E8AB-4537-80AD-D9C62FB11E60}
02/08/2012  17:48    <DIR>          {DC22402C-A6F3-49BE-AA21-CEA1FD4B24C4}



\\contoso.local\SYSVOL\contoso.local\Policies from the old (source) server has these files:

02/11/2010  11:54    <DIR>          {31B2F340-016D-11D2-945F-00C04FB984F9}
26/07/2012  17:29    <DIR>          {6AC1786C-016F-11D2-945F-00C04fB984F9}
30/09/2008  13:07    <DIR>          {E97865FB-DE47-41DE-A897-B5013EF813FD}


0
 
glen226 (Author) Commented:
@snusgubben - I have restarted source and destination servers quite a few times.

Oddly, this command suggests that replication is okay (though it's clearly not).

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = CONSBS2K11
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\CONSBS2K11
      Starting test: Connectivity
         ......................... CONSBS2K11 passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\CONSBS2K11
      Starting test: Replications
         ......................... CONSBS2K11 passed test Replications


   Running partition tests on : ForestDnsZones

   Running partition tests on : DomainDnsZones

   Running partition tests on : Schema

   Running partition tests on : Configuration

   Running partition tests on : contoso

   Running enterprise tests on : contoso.local


0
 
glen226 (Author) Commented:
@snusgubben - I have found something that may be of interest in the File Replication Service log on the old server:


The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR. 
 
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" 
 Replica root path is   : "c:\windows\sysvol\domain" 
 Replica root volume is : "\\.\C:" 
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons. 
 
 [1] Volume "\\.\C:" has been formatted. 
 [2] The NTFS USN journal on volume "\\.\C:" has been deleted. 
 [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal. 
 [4] File Replication Service was not running on this computer for a long time. 
 [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:". 
 Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state. 
 [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service. 
 [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set. 
 
WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again. 
 
To change this registry parameter, run regedit. 
 
Click on Start, Run and type regedit. 
 
Expand HKEY_LOCAL_MACHINE. 
Click down the key path: 
   "System\CurrentControlSet\Services\NtFrs\Parameters" 
Double click on the value name 
   "Enable Journal Wrap Automatic Restore" 
and update the value. 
 
If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


0
 
snusgubben Commented:
The new server doesn't have the default domain policy and the default domain controller policy yet.

The dcdiag only gives you the status of AD Replication, not FRS.

Do you have any 135xx errors on the old server?
0
 
glen226 (Author) Commented:
@snusgubben  - Yes. The error above was 13568.
0
 
snusgubben Commented:
I didn't refresh the browser, so I didn't see your latest post before I answered. But anyway the old server is in a Journal Wrap state.

You should take a backup of your SYSVOL, and set the Burflags to D4 on the old server and D2 on the new server to get out of the JW.

http://adfordummiez.com/?p=61
0
 
glen226 (Author) Commented:
Thanks for your help :) All resolved. I wish I had checked the Replication log of the source server at 6am  :\
0
 
Sarang Tinguria (Sr Engineer) Commented:
Simple steps

1) Log in to the old server
2) Check the FRS logs for its health and its connectivity with the problem server using \\new_server
3) Stop the NTFRS service on the old server
4) Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup\burflag
5) Set this to D4 -> Restart NTFRS -> Wait for Event ID 13516 to come
6) Log in to the new server
7) Follow step 4 and set the Burflag to D2 -> Restart NTFRS -> Wait for Event ID 13516 to come
0
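
A read-only check that follows from the thread, added here as an example and not code posted by any participant: it diffs the GPO folders each server holds under SYSVOL\...\Policies and names the default GPOs missing on the destination, which is the condition behind the "Failed to open the Group Policy object" and gpt.ini errors in the question. The folder lists are copied from the listings posted above; the function name Compare-SysvolPolicies and the per-server UNC paths in the commented live usage are assumptions.

```powershell
# Added example: diff the GPO folders that two domain controllers hold in SYSVOL.
# Well-known GUIDs of the two default GPOs (the same in every domain).
$DefaultGpos = @{
    '{31B2F340-016D-11D2-945F-00C04FB984F9}' = 'Default Domain Policy'
    '{6AC1786C-016F-11D2-945F-00C04FB984F9}' = 'Default Domain Controllers Policy'
}

function Compare-SysvolPolicies {   # hypothetical helper name
    param([string[]]$Source, [string[]]$Destination)
    # -notcontains is case-insensitive, so 00C04fB984F9 and 00C04FB984F9 match.
    $onlySrc = @($Source      | Where-Object { $Destination -notcontains $_ })
    $onlyDst = @($Destination | Where-Object { $Source -notcontains $_ })
    $missing = @($DefaultGpos.Keys |
                 Where-Object { $Destination -notcontains $_ } |
                 ForEach-Object { $DefaultGpos[$_] })
    New-Object PSObject -Property @{
        OnlyOnSource      = $onlySrc
        OnlyOnDestination = $onlyDst
        MissingDefaults   = $missing
        InSync            = ($onlySrc.Count -eq 0 -and $onlyDst.Count -eq 0)
    }
}

# Folder names copied from the two directory listings posted in the thread.
$old = '{31B2F340-016D-11D2-945F-00C04FB984F9}',
       '{6AC1786C-016F-11D2-945F-00C04fB984F9}',
       '{E97865FB-DE47-41DE-A897-B5013EF813FD}'
$new = '{3EFB0718-89E3-4321-A422-14D53A54E325}',
       '{581D6970-6F45-4F8E-9D35-17637B5A1B15}',
       '{614E8A5A-0358-4F81-B2B2-710F0983EF93}',
       '{78C51603-B22A-4CD5-886C-0AB18FE26E99}',
       '{9D32E6DC-13C4-4521-A13D-35E2652DC390}',
       '{9E6A1E80-6946-4ED6-A71D-474BBAA0CA79}',
       '{B198968E-E8AB-4537-80AD-D9C62FB11E60}',
       '{DC22402C-A6F3-49BE-AA21-CEA1FD4B24C4}'

# Live use instead of the pasted lists (read each server's own share, not the
# domain name, which may resolve to either DC; assumed paths):
# $old = Get-ChildItem '\\SERVER2003\SYSVOL\contoso.local\Policies' |
#        Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name }
# $new = Get-ChildItem '\\CONSBS2K11\SYSVOL\contoso.local\Policies' |
#        Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name }

Compare-SysvolPolicies -Source $old -Destination $new | Format-List
```

Unlike the dcdiag Replications test, which only covers AD replication, this looks at the files FRS is responsible for, so it can be rerun after the FRS service restarts and Event ID 13516 appears.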
