J0kada
asked on
2012 Virtual DC's not replicating Sysvol / netlogon
Dear experts,
I have a major issue replicating 2 virtual DCs in 2 locations.
This has been giving me headaches for almost a week now.
Setup:
- Site-to-site VPN tunnel (full access)
- Each site has 2 physical servers running Server 2012 failover cluster services.
Background info:
As this was a newly created domain, I had a separate physical server on which I installed the first DC and connected the 2 cluster nodes.
Then a new virtual Server 2012 DC (let's call this DC1) was created on the cluster and the physical one decommissioned (transferred all roles to the new DC and did a dcpromo).
Now, after 3 months, a second location is being migrated to the newly created domain.
Being at the second location, all goes well installing the cluster and adding the nodes to the domain, until I want to install a new DC (DC2) for this site.
The second domain controller does not show the SYSVOL and NETLOGON shares.
dcdiag on DC1 shows all OK.
All firewall rules have been set to allow ALL.
dcdiag on DC2 is showing:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC02
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: BE-Location2\DC02
Starting test: Connectivity
......................... DC02 passed test Connectivity
Doing primary tests
Testing server: BE-Beringen\DC02
Starting test: Advertising
......................... DC02 passed test Advertising
Starting test: FrsEvent
......................... DC02 passed test FrsEvent
Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL
replication problems may cause Group Policy problems.
......................... DC02 failed test DFSREvent
Starting test: SysVolCheck
......................... DC02 passed test SysVolCheck
Starting test: KccEvent
......................... DC02 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC02 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC02 passed test MachineAccount
Starting test: NCSecDesc
......................... DC02 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\DC02\netlogon)
[DC02] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
......................... DC02 failed test NetLogons
Starting test: ObjectsReplicated
......................... DC02 passed test ObjectsReplicated
Starting test: Replications
......................... DC02 passed test Replications
Starting test: RidManager
......................... DC02 passed test RidManager
Starting test: Services
......................... DC02 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x00000422
Time Generated: 06/27/2013 13:15:12
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{66F02AA2-DFD8-4A19-AF53-9491F673EE1B}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
......................... DC02 failed test SystemLog
Starting test: VerifyReferences
......................... DC02 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : domain
Starting test: CheckSDRefDom
......................... domain passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... domain passed test CrossRefValidation
Running enterprise tests on : domain.local
Starting test: LocatorCheck
......................... domain.local passed test LocatorCheck
Starting test: Intersite
......................... domain.local passed test Intersite
PS C:\Users\administrator.domain>
The Connectivity test was also failing until the registry key SysvolReady was set to 1 (was 0).
Also Sysvol folder is now showing but has an empty domain.local folder.
Netlogon is still not showing.
Conclusion:
The DC02 seems to work, as AD users are replicated both ways.
Also, DNS seems to be replicating, but it takes quite some time to update records.
Sysvol / netlogon folders are not replicating.
repadmin /showrepl dc01 /verbose /all /intersite >c:\repl.txt is not showing any issues.
repadmin /showrepl dc02 /verbose /all /intersite >c:\repl.txt is not showing any issues.
Does anyone have an idea how to fix this?
Thanks in advance.
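The symptoms above (SYSVOL present but empty, NETLOGON missing, SysvolReady forced to 1, DFSREvent failing) can be checked in one place rather than by reading dcdiag output. The following is an added example, not something from the original thread: a read-only PowerShell health check to run in an elevated session on the affected DC (DC02 here). It assumes a Windows Server 2012 DC with a DFSR-replicated SYSVOL and the ActiveDirectory module (RSAT-AD-PowerShell) installed; the function names are my own.

```powershell
# Added example, not from the original thread: read-only SYSVOL/DFSR health
# check for a Server 2012 DC whose SYSVOL/NETLOGON shares are missing.
# Assumes the ActiveDirectory module is installed; the rest is built in.

Import-Module ActiveDirectory

function Get-SysvolHealth {
    $r = [ordered]@{}

    # 1. SysvolReady gates whether Netlogon publishes the SYSVOL and NETLOGON
    #    shares. Forcing it to 1 by hand (as done in the thread) makes SYSVOL
    #    appear but does not make DFSR finish its initial sync, so NETLOGON
    #    (which points into the still-empty scripts folder) stays missing.
    $nl = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $r.SysvolReady = (Get-ItemProperty -Path $nl -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady

    # 2. Are the shares really published, and where do they point?
    foreach ($s in 'SYSVOL', 'NETLOGON') {
        $share = Get-SmbShare -Name $s -ErrorAction SilentlyContinue
        $r["Share_$s"] = if ($share) { $share.Path } else { 'MISSING' }
    }

    # 3. This DC's DFSR SYSVOL subscription object in AD. msDFSR-Enabled=FALSE
    #    or msDFSR-Options=1 means a non-authoritative/authoritative re-sync is
    #    in progress, or was left half finished.
    $dcDn  = (Get-ADComputer -Identity $env:COMPUTERNAME).DistinguishedName
    $subDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
    $sub   = Get-ADObject -Identity $subDn -Properties 'msDFSR-Enabled', 'msDFSR-Options', 'msDFSR-RootPath'
    $r.DfsrEnabled  = $sub.'msDFSR-Enabled'
    $r.DfsrOptions  = $sub.'msDFSR-Options'
    $r.DfsrRootPath = $sub.'msDFSR-RootPath'

    # 4. Does the replicated folder hold any policies at all? The dcdiag event
    #    0x422 (1058) in the thread is a gpt.ini read failure from this path.
    $pol = Join-Path $sub.'msDFSR-RootPath' 'Policies'
    $r.PolicyFolders = if (Test-Path $pol) { (Get-ChildItem $pol -Directory).Count } else { 'NO Policies folder' }

    [pscustomobject]$r
}

function Get-DfsrSysvolEvents {
    param([int]$Hours = 24)
    # DFSR event IDs that explain a SYSVOL that never finishes syncing:
    #   4114 replicated folder disabled       4614 initialised, waiting for initial sync
    #   4604 initial sync finished             4602 initialised as authoritative
    #   2213 database dirty shutdown, paused   4012 stopped: partner unseen > MaxOfflineTimeInDays
    #   5002 / 5008 / 5014 communication with the replication partner failed or was closed
    Get-WinEvent -FilterHashtable @{
        LogName   = 'DFS Replication'
        Id        = 4114, 4614, 4604, 4602, 2213, 4012, 5002, 5008, 5014
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-SysvolHealth | Format-List
Get-DfsrSysvolEvents | Format-Table -AutoSize
```

A DC stuck in the state described in the question typically shows SysvolReady = 1 (set by hand), Share_NETLOGON = MISSING, PolicyFolders = 0 and a 4614 with no following 4604, or a 2213/4012 that stopped replication before the initial sync ever completed.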
ASKER
You are correct, it is not recommended for Server 2008.
However, it should be supported as of Server 2012.
And this is a completely new environment with only 2012 servers running.
http://social.technet.microsoft.com/Forums/windowsserver/en-US/643206e9-4a4a-421c-bd9a-1ff679a23616/running-domain-controller-in-virtualization-on-windows-server-2012
Check the KB article again
http://support.microsoft.com/kb/281662/
It is not supported to combine the Active Directory Domain Services role and the Failover Cluster feature on Windows Server 2012
ASKER
Correct, but the AD feature is not enabled/installed on the cluster nodes.
The only features are Failover clustering, Hyper-V, DHCP and file sharing.
I do not wish to make a cluster node a domain controller.
I'm running a highly available virtual DC on those nodes.
Also, this is the second site with this setup. Our primary site is running fine. Only my second DC won't replicate sysvol folders.
Test whether DNS resolution is working fine or not.
Are you able to resolve DC1 from DC2, and DC2 from DC1?
Check whether any DNS errors occurred in the event logs.
ASKER
DNS resolution is working fine.
Aliases created on both sides are replicating to one another (takes 5-10 minutes to replicate).
All zones were loaded from DC01 at dcpromo (and are also replicating).
DNS error 4015 was shown on DC01 and DC02 when DC02 was rebooted:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.
Last entry in the DNS logs from both DCs:
The DNS server has finished the background loading and signing of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.
As per
http://support.microsoft.com/kb/321045
on IP it seems non-authoritative, but when it tests on name it is authoritative for the domain:
DNSLint Report
System Date: Thu Jun 27 15:29:12 2013
Command run:
C:\Windows\system32\dnslint.exe /ad /s 10.0.0.70
Root of Active Directory Forest:
domain.local
Active Directory Forest Replication GUIDs Found:
DC: dc01
GUID: e5c11431-2dd7-4ea9-906b-36dc16e7bd82
DC: dc02
GUID: 69c042c0-e136-4118-b031-5521b5cf2aa5
Total GUIDs found: 2
--------------------------------------------------------------------------------
The following 3 DNS servers were checked for records related to AD forest replication:
DNS server: User Specified DNS Server
IP Address: 10.0.0.70
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: Unknown
SOA record data from server:
Authoritative name server: dc01.domain.local
Hostmaster: hostmaster.domain.local
Zone serial number: 302
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
dc01.domain.local Unknown
dc02.domain.local Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: e5c11431-2dd7-4ea9-906b-36dc16e7bd82._msdcs.domain.local
Alias: dc01.domain.local
Glue: 10.0.0.70
CNAME: 69c042c0-e136-4118-b031-5521b5cf2aa5._msdcs.domain.local
Alias: dc02.domain.local
Glue: 10.20.0.70
Total number of CNAME records found on this server: 2
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0
--------------------------------------------------------------------------------
DNS server: dc01.domain.local
IP Address: 10.0.0.70
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: dc01.domain.local
Hostmaster: hostmaster.domain.local
Zone serial number: 302
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
dc01.domain.local Unknown
dc02.domain.local Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: e5c11431-2dd7-4ea9-906b-36dc16e7bd82._msdcs.domain.local
Alias: dc01.domain.local
Glue: 10.0.0.70
CNAME: 69c042c0-e136-4118-b031-5521b5cf2aa5._msdcs.domain.local
Alias: dc02.domain.local
Glue: 10.20.0.70
Total number of CNAME records found on this server: 2
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0
--------------------------------------------------------------------------------
DNS server: dc02.domain.local
IP Address: 10.20.0.70
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
Authoritative name server: dc02.domain.local
Hostmaster: hostmaster.domain.local
Zone serial number: 302
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds
Additional authoritative (NS) records from server:
dc01.domain.local Unknown
dc02.domain.local Unknown
Alias (CNAME) and glue (A) records for forest GUIDs from server:
CNAME: e5c11431-2dd7-4ea9-906b-36dc16e7bd82._msdcs.domain.local
Alias: dc01.domain.local
Glue: 10.0.0.70
CNAME: 69c042c0-e136-4118-b031-5521b5cf2aa5._msdcs.domain.local
Alias: dc02.domain.local
Glue: 10.20.0.70
Total number of CNAME records found on this server: 2
Total number of CNAME records missing on this server: 0
Total number of glue (A) records this server could not find: 0
--------------------------------------------------------------------------------
Notes:
One or more DNS servers may not be authoritative for the domain
--------------------------------------------------------------------------------
Check the links below; they may help you to troubleshoot:
http://support.microsoft.com/kb/257338
http://www.microsoftpro.nl/2010/05/22/sysvol-andor-netlogon-share-not-created-after-dcpromo/
ASKER
Yes, I found those as well. The thing is, as of Server 2012 DFS is used over FRS.
All FRS test commands are deprecated.
I was able to find how to troubleshoot DFS (via DFS Management), but not for the DFS used by AD.
ASKER CERTIFIED SOLUTION
ASKER
Performed a so-called D2/D4 restore on both domain controllers.
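The asker's closing note names the fix only by its FRS-era nicknames. As an added example that is not the asker's own steps, here is the DFSR equivalent of the non-authoritative ("D2") half for the DC holding the stale copy (DC02 in this thread), following the msDFSR-Enabled toggling procedure Microsoft documents for DFSR-replicated SYSVOL (KB 2218556). The healthy DC would get the authoritative ("D4") variant, which additionally sets msDFSR-Options=1 on it and is only needed when no DC has a trustworthy SYSVOL. It assumes an elevated session on the DC to be re-synced, at least one other DC with a good SYSVOL, and the ActiveDirectory module; the function names and the 30-second polling loop are my own choices.

```powershell
# Added example, not the asker's own steps: DFSR non-authoritative ("D2")
# SYSVOL sync for ONE domain controller. Run elevated on the DC whose SYSVOL
# copy you want to throw away (DC02 here). Do not run it on the only good DC.
# Assumes the ActiveDirectory module is installed.

Import-Module ActiveDirectory

function Get-SysvolSubscriptionDn {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $dcDn = (Get-ADComputer -Identity $ComputerName).DistinguishedName
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
}

function Set-SysvolSubscriptionEnabled {
    param([string]$Dn, [bool]$Enabled)
    # msDFSR-Enabled is the switch DFSR reads from AD to start/stop replicating SYSVOL.
    Set-ADObject -Identity $Dn -Replace @{ 'msDFSR-Enabled' = $Enabled }
}

function Sync-DomainControllers {
    # /A all partitions, /d identify servers by DN, /e include other sites, /P push from here.
    & repadmin.exe /syncall /AdeP | Out-Null
}

function Invoke-DfsrAdPoll {
    # dfsrdiag.exe ships with the DFS Management Tools feature (RSAT-DFS-Mgmt-Con).
    # DFSR also polls AD on its own every few minutes, so a missing tool only slows things down.
    if (Get-Command dfsrdiag.exe -ErrorAction SilentlyContinue) {
        & dfsrdiag.exe pollad | Out-Null
    } else {
        Write-Warning 'dfsrdiag.exe not found; waiting for the scheduled AD poll instead.'
    }
}

function Wait-DfsrEvent {
    param([int[]]$Id, [datetime]$Since, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $ev = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = $Id; StartTime = $Since } `
                -ErrorAction SilentlyContinue | Sort-Object TimeCreated | Select-Object -Last 1
        if ($ev) { return $ev }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for DFSR event(s) $($Id -join ', ')"
}

function Invoke-NonAuthoritativeSysvolSync {
    $dn    = Get-SysvolSubscriptionDn
    $start = Get-Date

    # Steps 1-4: disable this DC's SYSVOL subscription and wait for DFSR to
    # notice (event 4114 = replicated folder disabled).
    Set-SysvolSubscriptionEnabled -Dn $dn -Enabled $false
    Sync-DomainControllers
    Invoke-DfsrAdPoll
    Wait-DfsrEvent -Id 4114 -Since $start | Out-Null
    Write-Host 'SYSVOL replication disabled on this DC (event 4114).'

    # Steps 5-8: re-enable it. DFSR now treats the local copy as stale, parks
    # conflicting local files under DfsrPrivate\PreExisting and pulls SYSVOL
    # from a partner. 4614 = waiting for initial sync, 4604 = finished.
    Set-SysvolSubscriptionEnabled -Dn $dn -Enabled $true
    Sync-DomainControllers
    Invoke-DfsrAdPoll
    Wait-DfsrEvent -Id 4614 -Since $start | Out-Null
    Write-Host 'Initial SYSVOL sync in progress (event 4614); waiting for 4604...'
    Wait-DfsrEvent -Id 4604 -Since $start -TimeoutMinutes 120 | Out-Null
    Write-Host 'SYSVOL initial sync finished (event 4604). Verify that NETLOGON is now shared.'
}

Invoke-NonAuthoritativeSysvolSync
```

Because the D2 discards this DC's local SYSVOL changes in favour of a partner's copy, the choice of which DC runs it is the whole decision: in a two-DC domain like the one in this thread, the DC that still serves Group Policy correctly keeps its copy (or is made authoritative), and the DC with the empty domain folder is the one re-synced.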
It's not recommended.
http://msmvps.com/blogs/clusterhelp/archive/2008/02/12/domain-controllers-as-cluster-nodes-bad-idea.aspx
http://www.aidanfinn.com/?p=13844