J0kada

asked on
2012 Virtual DC's not replicating Sysvol / netlogon

Dear experts,

I have a major issue replicating 2 virtual DCs in 2 locations.
This has been giving me headaches for almost a week now.

Setup:
- Site to site VPN tunnel (full access)
- each site has 2 physical servers running Server 2012 Failover Cluster services.

Background info:
As this was a newly created domain, I had a separate physical server on which I installed the first DC and connected the 2 cluster nodes.
Then a new virtual server 2012 DC (let's call this DC1) was created on the cluster and the physical one decommissioned (transferred all roles to new DC and did a dcpromo)
Now after 3 months a second location is migrated to the newly created domain.

Being at the second location, all goes well installing the cluster and adding the nodes to the domain, until I want to install a new DC (DC2) for this site.

The second domain controller does not show the SYSVOL and NETLOGON shares.

dcdiag on DC1 shows all ok.
All firewall rules have been set to allow ALL
dcdiag on DC2 is showing:
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = DC02
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: BE-Location2\DC02
      Starting test: Connectivity
         ......................... DC02 passed test Connectivity

Doing primary tests

   Testing server: BE-Beringen\DC02
      Starting test: Advertising
         ......................... DC02 passed test Advertising
      Starting test: FrsEvent
         ......................... DC02 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL
         replication problems may cause Group Policy problems.
         ......................... DC02 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC02 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC02 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC02 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC02 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC02 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DC02\netlogon)
         [DC02] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... DC02 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC02 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC02 passed test Replications
      Starting test: RidManager
         ......................... DC02 passed test RidManager
      Starting test: Services
         ......................... DC02 passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x00000422
            Time Generated: 06/27/2013   13:15:12
            Event String:
            The processing of Group Policy failed. Windows attempted to read the file \\domain.local\SysVol\domain.local\Policies\{66F02AA2-DFD8-4A19-AF53-9491F673EE1B}\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:
         ......................... DC02 failed test SystemLog
      Starting test: VerifyReferences
         ......................... DC02 passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : domain
      Starting test: CheckSDRefDom
         ......................... domain passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... domain passed test CrossRefValidation

   Running enterprise tests on : domain.local
      Starting test: LocatorCheck
         ......................... domain.local passed test LocatorCheck
      Starting test: Intersite
         ......................... domain.local passed test Intersite
PS C:\Users\administrator.domain>



The Connectivity test was also failing until the registry key SysvolReady was set to 1 (it was 0).
Also, the Sysvol folder is now showing, but it has an empty domain.local folder.

Netlogon is still not showing.

Conclusion:
DC02 seems to work, as AD users are replicated both ways.
DNS also seems to be replicating, but it takes quite some time to update records.
The Sysvol / netlogon folders are not replicating.

repadmin /showrepl dc01 /verbose /all /intersite >c:\repl.txt is not showing any issues.
repadmin /showrepl dc02 /verbose /all /intersite >c:\repl.txt is not showing any issues.


Does anyone have an idea how to fix this?
Thanks in advance.
Jaihunt

Are you trying to run the DC on cluster nodes? How will you configure resources?

It's not recommended.

http://msmvps.com/blogs/clusterhelp/archive/2008/02/12/domain-controllers-as-cluster-nodes-bad-idea.aspx

http://www.aidanfinn.com/?p=13844
J0kada

ASKER

You are correct, it is not recommended for Server 2008.
However, it should be supported as of Server 2012.
And this is a completely new environment with only 2012 servers running.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/643206e9-4a4a-421c-bd9a-1ff679a23616/running-domain-controller-in-virtualization-on-windows-server-2012
Check the KB article again

http://support.microsoft.com/kb/281662/

It is not supported to combine the Active Directory Domain Services role and the Failover Cluster feature on Windows Server 2012
J0kada

ASKER

Correct, but the AD feature is not enabled/installed on the cluster nodes.
The only features are Failover clustering, Hyper-V, DHCP and file sharing.
I do not wish to make a cluster node a domain controller.

I'm running a highly available virtual DC on those nodes.
Also, this is the second site with this setup. Our primary site is running fine. Only my second DC won't replicate the sysvol folders.
Test whether DNS resolution is working fine or not.
Are you able to resolve DC1 from DC2, and DC2 from DC1?
Check for any DNS errors in the event logs.
J0kada

ASKER

DNS resolution is working fine.
Aliases created on both sides are replicating to one another (takes 5-10 mins to replicate).
All zones have been loaded from DC01 at dcpromo (and are also replicating).

DNS error 4015 was shown on DC01 & 02 when DC02 was rebooted:
The DNS server has encountered a critical error from the Active Directory. Check that the Active Directory is functioning properly. The extended error debug information (which may be empty) is "". The event data contains the error.

Last entry in the DNS logs from both DCs:
The DNS server has finished the background loading and signing of zones. All zones are now available for DNS updates and zone transfers, as allowed by their individual zone configuration.

as per
http://support.microsoft.com/kb/321045

On IP it seems non-authoritative, but when it tests on name it is authoritative for the domain:

DNSLint Report

System Date: Thu Jun 27 15:29:12 2013 

Command run: 

C:\Windows\system32\dnslint.exe /ad /s 10.0.0.70

 Root of Active Directory Forest: 

    domain.local
Active Directory Forest Replication GUIDs Found:
 
DC: dc01
GUID: e5c11431-2dd7-4ea9-906b-36dc16e7bd82

DC: dc02
GUID: 69c042c0-e136-4118-b031-5521b5cf2aa5


Total GUIDs found: 2

--------------------------------------------------------------------------------

The following 3 DNS servers were checked for records related to AD forest replication:

DNS server: User Specified DNS Server
IP Address: 10.0.0.70
 UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: Unknown

SOA record data from server:
 Authoritative name server: dc01.domain.local
Hostmaster: hostmaster.domain.local
Zone serial number: 302
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
 dc01.domain.local Unknown
 dc02.domain.local Unknown




Alias (CNAME) and glue (A) records for forest GUIDs from server:
 CNAME: e5c11431-2dd7-4ea9-906b-36dc16e7bd82._msdcs.domain.local
Alias: dc01.domain.local
Glue: 10.0.0.70

CNAME: 69c042c0-e136-4118-b031-5521b5cf2aa5._msdcs.domain.local
Alias: dc02.domain.local
Glue: 10.20.0.70


Total number of CNAME records found on this server: 2

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

DNS server: dc01.domain.local
IP Address: 10.0.0.70
 UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
 Authoritative name server: dc01.domain.local
Hostmaster: hostmaster.domain.local
Zone serial number: 302
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
 dc01.domain.local Unknown
 dc02.domain.local Unknown




Alias (CNAME) and glue (A) records for forest GUIDs from server:
 CNAME: e5c11431-2dd7-4ea9-906b-36dc16e7bd82._msdcs.domain.local
Alias: dc01.domain.local
Glue: 10.0.0.70

CNAME: 69c042c0-e136-4118-b031-5521b5cf2aa5._msdcs.domain.local
Alias: dc02.domain.local
Glue: 10.20.0.70


Total number of CNAME records found on this server: 2

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

DNS server: dc02.domain.local
IP Address: 10.20.0.70
 UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES

SOA record data from server:
 Authoritative name server: dc02.domain.local
Hostmaster: hostmaster.domain.local
Zone serial number: 302
Zone expires in: 1.00 day(s)
Refresh period: 900 seconds
Retry delay: 600 seconds
Default (minimum) TTL: 3600 seconds


Additional authoritative (NS) records from server:
 dc01.domain.local Unknown
 dc02.domain.local Unknown




Alias (CNAME) and glue (A) records for forest GUIDs from server:
 CNAME: e5c11431-2dd7-4ea9-906b-36dc16e7bd82._msdcs.domain.local
Alias: dc01.domain.local
Glue: 10.0.0.70

CNAME: 69c042c0-e136-4118-b031-5521b5cf2aa5._msdcs.domain.local
Alias: dc02.domain.local
Glue: 10.20.0.70


Total number of CNAME records found on this server: 2

Total number of CNAME records missing on this server: 0

Total number of glue (A) records this server could not find: 0



--------------------------------------------------------------------------------

Notes:
One or more DNS servers may not be authoritative for the domain



--------------------------------------------------------------------------------

Legend: warning, error

J0kada

ASKER

Yes, I found those as well. Thing is, as of Server 2012, DFS is used over FRS.
All FRS test commands are deprecated.

I was able to find how to troubleshoot DFS (via DFS Management),
but not for the DFS used by AD.
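For the "how do I troubleshoot the DFS used by AD" question, the state of DFSR-hosted SYSVOL can be read without DFS Management at all: the SysvolReady flag mentioned earlier in the thread, the two shares, the DFSR WMI provider's view of the "SYSVOL Share" replicated folder, the per-DC subscription object in AD, and the DFS Replication event log. The following read-only check ties those together. It is an added example written for this thread, not code from the asker or from Experts Exchange; it assumes an elevated PowerShell 3.0+ session on the DC itself with the ActiveDirectory module (RSAT-AD-PowerShell) installed, and the function name, variable names and the chosen event-ID table are mine.

```powershell
# Read-only SYSVOL/DFSR health check for a Windows Server 2012 domain controller.
# Added example for this thread (not the asker's or any vendor's code).
# Assumptions: run elevated on the DC, PowerShell 3.0+, ActiveDirectory module present.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory -ErrorAction Stop

# DFSR replicated-folder states as reported by the root\MicrosoftDFS WMI provider.
$dfsrStates = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync';
                 3 = 'Auto Recovery'; 4 = 'Normal'; 5 = 'In Error' }

# DFS Replication log events this script chooses to surface for a SYSVOL problem.
$knownEvents = @{
    2213 = 'DFSR database dirty shutdown; replication paused until resumed (Server 2012 default)'
    4012 = 'Replication stopped: partner unreachable for longer than MaxOfflineTimeInDays'
    4614 = 'SYSVOL waiting for initial replication from an upstream partner'
    4604 = 'SYSVOL initialised as a non-authoritative member (healthy)'
    4602 = 'SYSVOL initialised as the authoritative (primary) member (healthy)'
}

function Get-SysvolHealth {
    $dc = $env:COMPUTERNAME
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. SysvolReady: Netlogon only publishes SYSVOL/NETLOGON once the replication
    #    engine sets this to 1. A value of 0 is exactly the symptom in the thread.
    $nlParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $sysvolReady = (Get-ItemProperty -Path $nlParams -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
    if ($sysvolReady -ne 1) {
        $findings.Add("SysvolReady is '$sysvolReady' (expected 1): Netlogon will not publish the shares")
    }

    # 2. Are the two shares actually published?
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
            $findings.Add("Share $share is not published")
        }
    }

    # 3. DFSR's own view of the SYSVOL replicated folder (named 'SYSVOL Share').
    $rf = Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderInfo -ErrorAction SilentlyContinue |
          Where-Object { $_.ReplicatedFolderName -eq 'SYSVOL Share' }
    $rfState = if ($rf) { $dfsrStates[[int]$rf.State] } else { 'not found (DFSR not hosting SYSVOL, or FRS in use)' }
    if ($rfState -ne 'Normal') { $findings.Add("DFSR state for 'SYSVOL Share' is $rfState") }

    # 4. The per-DC subscription object in AD. msDFSR-Enabled = FALSE normally means an
    #    authoritative/non-authoritative resync was started on this DC and never completed.
    $dcDn  = (Get-ADComputer -Identity $dc).DistinguishedName
    $subDn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$dcDn"
    $sub   = Get-ADObject -Identity $subDn -Properties 'msDFSR-Enabled', 'msDFSR-Options' -ErrorAction SilentlyContinue
    $subEnabled = if ($sub) { $sub.'msDFSR-Enabled' } else { $null }
    if (-not $sub) {
        $findings.Add("No DFSR SYSVOL subscription object at $subDn")
    } elseif ($subEnabled -eq $false) {
        $findings.Add('msDFSR-Enabled is FALSE on the subscription (resync in progress or abandoned)')
    }

    # 5. DFS Replication events from the table above in the last 24 h (the window dcdiag's
    #    DFSREvent test also looks at), newest first.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
              Where-Object { $knownEvents.ContainsKey($_.Id) } |
              Sort-Object TimeCreated -Descending
    foreach ($e in $events) {
        $findings.Add(('{0:u} event {1}: {2}' -f $e.TimeCreated, $e.Id, $knownEvents[$e.Id]))
    }

    [pscustomobject]@{
        DomainController    = $dc
        SysvolReady         = $sysvolReady
        DfsrSysvolState     = $rfState
        SubscriptionEnabled = $subEnabled
        Healthy             = ($findings.Count -eq 0)
        Findings            = $findings.ToArray()
    }
}

# Run on each DC and compare: a healthy member shows SysvolReady 1, state Normal,
# SubscriptionEnabled True and no findings.
Get-SysvolHealth | Format-List
```

Running this on both DCs and comparing the output is the point: if DC01 reports Normal and DC02 reports Initial Sync or Uninitialized with a 4614 event, DC02 is still waiting for its first sync from DC01; if DC02 shows msDFSR-Enabled FALSE, a resync was left half done; a 2213 on either side means that DC's DFSR database stopped after a dirty shutdown and is simply not replicating anything. The script changes nothing, so it is safe to run repeatedly while replication is being repaired.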
ASKER CERTIFIED SOLUTION
J0kada

ASKER

Performed a so-called D2/D4 restore for both domain controllers.