James Smith
asked on
Active Directory Error 13568 - Replication Issue
Seems whenever I add a new Group Policy, the policy is added to Group Policy Manager and shows up on the sysvol on DC1 (DC1 is the schema master, 2003 server), but that is where it stops. All other DCs, which are a mixture of 2003 and 2008, are not getting any sysvol replication (FRS). DC1 is also not replicating updates or changed policies to the other DCs.
Sites and Services does replicate and shows no errors on DC1. I only find the below error on startup (please see attached).
Error.txt
ASKER
Hi Mike,
I have used the "Enable Journal Wrap Automatic Restore registry parameter to 1", but I am concerned that this problem is located on the schema master that houses the Group Policy objects. I guess I am just hesitant to do it on the main DC. Do you see any issues with it?
The schema master doesn't have anything to do with group policy; you only need that FSMO role if you are making changes to the schema (rare).
Thanks
Mike
First check that proper connection objects have been created in Sites and Services.
Browse \\WorkingDC.domain.local, copy sysvol & netlogon, and keep a backup on ProblemDC & WorkingDC (if you cannot browse, check network connectivity/ports and don't proceed further).
Go to ProblemDC, stop the NTFRS service, open regedit, go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup", change the burflag value to D2 -> start the NTFRS (File Replication Service) service and wait for File Replication event ID 13516.
Now check that your sysvol and netlogon shares are available.
The above is called a non-authoritative restore (D2).
Refer to http://support.microsoft.com/kb/257338 for more info.
What happens in a Journal Wrap?
http://blogs.technet.com/b/instan/archive/2009/07/14/what-happens-in-a-journal-wrap.aspx
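Added example, not part of the answer above: the D2 steps from that post as one PowerShell script to run elevated on the problem DC. It assumes PowerShell 2.0 or later and robocopy on the box; `WorkingDC.domain.local` is the post's placeholder, while `C:\SysvolBackup` and the 30-minute timeout are hypothetical values.

```powershell
# Added example: D2 (non-authoritative) FRS restore, run elevated on the problem DC.
$ErrorActionPreference = 'Stop'
$WorkingDC  = 'WorkingDC.domain.local'   # placeholder name used in the post
$BackupRoot = 'C:\SysvolBackup'          # hypothetical local backup folder
$TimeoutMin = 30                         # assumed wait for event 13516
$KeyPath    = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

# 1. Do not proceed unless the healthy DC's shares can be browsed.
foreach ($share in 'SYSVOL', 'NETLOGON') {
    if (-not (Test-Path "\\$WorkingDC\$share")) { throw "Cannot browse \\$WorkingDC\$share" }
}

# 2. Keep a backup of the healthy copy. NETLOGON lives inside SYSVOL
#    (the scripts folder), so one copy covers both. Exit codes >= 8 mean failure.
$dest = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
robocopy "\\$WorkingDC\SYSVOL" $dest /E /R:1 /W:1 | Out-Null
if ($LASTEXITCODE -ge 8) { throw "Backup failed, robocopy exit code $LASTEXITCODE" }

# 3. Stop FRS and set BurFlags to 0xD2. The key name contains "/", which the
#    PowerShell registry provider treats as a path separator, so use the .NET API.
Stop-Service -Name NtFrs
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($KeyPath, $true)
if (-not $key) { throw "Registry key not found: HKLM\$KeyPath" }
$key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()

# 4. Start FRS and wait for event 13516 in the File Replication Service log.
$start = Get-Date
Start-Service -Name NtFrs
$deadline = $start.AddMinutes($TimeoutMin)
do {
    Start-Sleep -Seconds 30
    $ok = Get-EventLog -LogName 'File Replication Service' -After $start -ErrorAction SilentlyContinue |
          Where-Object { $_.EventID -eq 13516 }
} until ($ok -or ((Get-Date) -gt $deadline))
if (-not $ok) { throw "Event 13516 not logged within $TimeoutMin minutes; check the FRS log" }

# 5. Confirm the SYSVOL and NETLOGON shares are published again.
Get-WmiObject Win32_Share -Filter "Name='SYSVOL' OR Name='NETLOGON'" |
    Select-Object Name, Path
```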
ASKER
Hi Mike,
One last question: if DC1 (schema master) is down or offline, I am unable to pull up Group Policy Management. I am not sure why that is.
The error when the server is down is:
The Specified domain controller could not be contacted. This affects the following domain in the console
The error was:
The specified domain does not exist or could not be contacted.
I recommend first verifying the health of the DCs with dcdiag /q and repadmin /replsum, and posting the log if an error is reported. The error message you posted indicates that FRS is in the journal wrap error state. Performing a sysvol restore normally fixes the issue, but if there is a replication issue between DCs then this will not work.
I would proceed like this: check the health of the DC first; if no error is reported, then fix the journal wrap error as below.
Your first step should be finding out why the JRNL_WRAP_ERROR has occurred. Normally, JRNL_WRAP_ERROR occurs due to the drive/partition being corrupted, antivirus locking and corrupting files during a sysvol scan, or the heavy size of the files inside the sysvol and netlogon shares.
The solution is listed in your event log.
Expand HKEY_LOCAL_MACHINE.
Click down the key path: "System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name "Enable Journal Wrap Automatic Restore" and update the value to 1.
If the JRNL_WRAP_ERROR occurs frequently, you need to exclude sysvol/netlogon from antivirus scans, check the drive for corruption or bad sectors, and also restore sysvol using the burflag key. http://msdn.microsoft.com/en-us/library/windows/desktop/cc507518%28v=vs.85%29.aspx
Kindly take a backup of the sysvol folder of the Windows 2008/2003 DC (that is, copy and paste the content of sysvol to a temp location) and perform the authoritative and non-authoritative restore of sysvol as mentioned above.
Also ensure correct DNS settings as described here: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
ASKER
Hello Sandeshdubey,
I have run both dcdiag (please see attached errors) and repadmin (no errors).
Should I continue with the Journal Wrap fix on this main DC?
DC1-2003-Main-DC.txt
Mdc3-2008-error.txt
You can proceed with fixing the journal wrap error on the DC, as no error is reported in replication. Enable Journal Wrap Automatic Restore or perform an authoritative and non-authoritative restore of sysvol. Essentially the "http://support.microsoft.com/kb/290762/" article.
ASKER
Perfect, going to do on Sept 23rd - will keep ticket open and follow up then.. Thank you
ASKER
Hi, I wanted to verify that I can move all the FSMO roles to one of our 2008 servers and demote this server. Please see the attached; it is our current FSMO server that we are having issues with.
This server has been a DC for a couple of years.
DC1-Pic1.jpg
DC1-Pic2.jpg
Why do you want to demote the DC? Are the mentioned steps not working?
You can demote the DC normally; if normal demotion is not possible, then you need to forcefully demote the DC, followed by metadata cleanup.
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx
I will not recommend demoting the DC; this should be the last point of restore.
ASKER
Correct - none of the above steps work.
The problem server (2003 server) contains all the FSMO roles for our domain.
Figure the next step would be to move the roles to a new server?
Before you proceed with demotion, can you post the dcdiag /q and repadmin /replsum output from all DCs?
ASKER
Please see attached Files. Thinking of moving files to 2008 server lexusdc2.
lexusdc1-2003-r2.txt
lexusdc2-2008-server.txt
mbdc2-2003-r2.txt
mbdc3-2008-server.txt
Navlexus-2003-r2.txt
PREPCENTERDC1-2003-r2.txt
Settedc1-FMSO--Problem-Server--2.txt
Settedc2-2003-r2.txt
toydc2-2003-r2.txt
ToyPSDC1-2003-r2.txt
ASKER
D2 (non-authoritative) restore of sysvol worked - also had a failing hard drive.
Thank you
http://blogs.technet.com/b/askds/archive/2010/08/20/friday-mail-sack-scooter-edition.aspx#frsevent
You can also do a non-authoritative restore of sysvol on the box having issues
http://support.microsoft.com/kb/290762/en-us
Thanks
Mike