Solved

Newly promoted DCs aren't creating SYSVOL/NETLOGON

Posted on 2013-01-18
3
6,423 Views
Last Modified: 2013-01-19
Experts, I've been fighting a new problem all night.  Googling around for different answers has not led me down a path that has led to resolution yet.

I'll get right to the symptoms:

  -  In a 2012 virtual environment (DCs are Server 2012), any new DC that's stood up does not create the SYSVOL/NETLOGON shares.

  -  These are completely new DCs, in the same AD site.

  -  There are no problems with replication.  "repadmin /replsummary" shows me that everything is fine between every server.

  -  "dcdiag" is showing an error on each of the new DCs:
   Testing server: SITE\SERVERNAME
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\WORKINGSERVER.DOMAIN.COM, when we were trying to reach NEWSERVER.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.

      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\NEWSERVER\netlogon)
         [NEWSERVER] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..

  -  All other tests check fine with "dcdiag".

  -  I have one working DC (original), that does not experience these issues.  This is on any newly promoted DC (I've stood up about 5 new ones that I've been troubleshooting).

//===================================================

For troubleshooting, here are a few steps I've already accomplished.

 -- I know DNS is supposed to have the DNS pointing to itself as primary / and secondary to another DC, but for testing I've got all of the new servers currently pointing a single DNS entry to the working server.

 -- I've demoted, cleaned out AD metadata using ntdsutil / adsiedit / sites & services, then repromoted a couple of the new DCs.

 -- DNS checks fine, in that the new servers are creating correct entries in _msdcs.domain.com, as well as the forward lookup zone for the domain.



I really am at a loss here, as I don't understand why this is happening.  I would completely understand if these were servers that may have existed before in the domain, but they're not - every new server I stand up and promote to be a DC is showing this exact same problem.

Would anybody happen to have any ideas?
Question by: usslindstrom

LVL 4

Accepted Solution

by: Haslerct (earned 500 total points)
ID: 38795604
Were the servers hardened before the promotion as DC?

Network/OS firewall loosened up between all DCs and the server you want to promote?
0
 
LVL 5

Author Comment

by:usslindstrom
ID: 38795621
Thanks for jumping in here.  Let me answer your questions.

Were the servers hardened before the promotion as DC?
     No sir.  These are base installs of 2012.

Network/OS firewall loosened up between all DCs and the server you want to promote?
     I have no firewall between the servers; they're all on the same L2 segment.  All of the ports required for AD are open as well.

//List of required ports:

    UDP Port 88 for Kerberos authentication
    UDP and TCP Port 135 for domain controllers-to-domain controller and client to domain controller operations.
    TCP Port 139 and UDP 138 for File Replication Service between domain controllers.
    UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
    TCP and UDP Port 445 for File Replication Service
    TCP and UDP Port 464 for Kerberos Password Change
    TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
    TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.

All ports are listening on the "good" DC as well as the "bad" ones.

0
 
LVL 5

Author Closing Comment

by:usslindstrom
ID: 38797639
I've been able to find the solution after all.

In my particular case, I had to follow the instructions laid out here:

http://support.microsoft.com/kb/947022?wa=wsignin1.0

It involved resetting the SYSVOL ready flag.
0
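An added diagnostic script (not from the thread, nor from Microsoft's KB article) that checks, on a newly promoted DC, the three things this thread turns on: whether SYSVOL and NETLOGON are actually shared, the Netlogon SysvolReady registry flag that KB 947022 has you reset, and TCP reachability of the AD ports listed above against a known-good DC. `$PeerDc` is a constructed placeholder; the `-Repair` switch and the script itself are assumptions of this example, not anything the thread ran.

```powershell
# Added diagnostic script, not from the original thread. Assumes an elevated
# PowerShell session on the newly promoted DC (Server 2012 or later).
param(
    [string]$PeerDc = 'WORKINGSERVER',   # constructed placeholder: a known-good DC
    [switch]$Repair                      # actually perform the KB 947022 flag reset
)

# 1. Are SYSVOL and NETLOGON shared locally? dcdiag's error 67
#    ("The network name cannot be found") is what a missing share looks like.
foreach ($name in 'SYSVOL', 'NETLOGON') {
    $share = Get-SmbShare -Name $name -ErrorAction SilentlyContinue
    if ($share) { "$name share present at $($share.Path)" }
    else        { "$name share MISSING" }
}

# 2. Netlogon only shares SYSVOL/NETLOGON once SysvolReady is 1. The KB 947022
#    fix is to set it to 0 and then back to 1, which re-triggers the sharing.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$ready = (Get-ItemProperty -Path $key -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
"SysvolReady = $ready"
if ($Repair) {
    Set-ItemProperty -Path $key -Name SysvolReady -Value 0 -Type DWord
    Set-ItemProperty -Path $key -Name SysvolReady -Value 1 -Type DWord
    "SysvolReady reset to 0 then 1; re-run dcdiag /test:NetLogons to confirm"
}

# 3. TCP reachability of the AD ports from the thread's list, tested against the
#    known-good DC. Kerberos (88) and LDAP (389) also listen on TCP. UDP-only
#    ports (e.g. 138) cannot be probed with Test-NetConnection and are skipped.
$tcpPorts = 53, 88, 135, 139, 389, 445, 464, 3268, 3269
foreach ($port in $tcpPorts) {
    $t = Test-NetConnection -ComputerName $PeerDc -Port $port -WarningAction SilentlyContinue
    "TCP $port to $PeerDc : $(if ($t.TcpTestSucceeded) { 'open' } else { 'CLOSED' })"
}
```

Run it without `-Repair` first to see the current state; only add the switch once the shares are confirmed missing and replication is healthy, as it was in this thread.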
