Active directory not replicating after migration.

We have just started a migration from Windows SBS 2008 to Windows 2012 Essentials R2.

Unbeknownst to the technician who set up the Win 2012 Server as an AD replica, one of the staff decided to plug in the 2nd network card, which received a DHCP address, once the DNS had installed and Active Directory had started.

All the FSMO roles were moved to the Win2012 server as per the migration guide and running NETDOM QUERY FSMO states all the roles are on the new server.

However, the SYSVOL share and NETLOGON share are not on the new server, and the DNS server has the following error in its logs on the new server:

"The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed."


Here is the DCDIAG result:
Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = WSE
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\WSE
      Starting test: Connectivity
         ......................... WSE passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\WSE
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\SBSSRV.ha.local, when
         we were trying to reach WSE.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... WSE failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... WSE passed test FrsEvent
      Starting test: DFSREvent
         ......................... WSE passed test DFSREvent
      Starting test: SysVolCheck
         ......................... WSE passed test SysVolCheck
      Starting test: KccEvent
         ......................... WSE passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... WSE passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... WSE passed test MachineAccount
      Starting test: NCSecDesc
         ......................... WSE passed test NCSecDesc
      Starting test: NetLogons
         ......................... WSE passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... WSE passed test ObjectsReplicated
      Starting test: Replications
         ......................... WSE passed test Replications
      Starting test: RidManager
         ......................... WSE passed test RidManager
      Starting test: Services
         ......................... WSE passed test Services
      Starting test: SystemLog
         An error event occurred.  EventID: 0x40000004
            Time Generated: 10/18/2013   21:34:58
            Event String:
            The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server ServerAdmin$. The target name used was host/wse. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (HA.LOCAL) is different from the client domain (HA.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.
         An error event occurred.  EventID: 0x0000041E
            Time Generated: 10/18/2013   22:17:45
            Event String:
            The processing of Group Policy failed. Windows could not obtain the name of a domain controller. This could be caused by a name resolution failure. Verify your Domain Name System (DNS) is configured and working correctly.
         An error event occurred.  EventID: 0xC0001132
            Time Generated: 10/18/2013   22:20:54
            Event String:
            There is no domain controller available for domain HA.
         ......................... WSE failed test SystemLog
      Starting test: VerifyReferences
         ......................... WSE passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ha
      Starting test: CheckSDRefDom
         ......................... ha passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ha passed test CrossRefValidation

   Running enterprise tests on : ha.local
      Starting test: LocatorCheck
         ......................... ha.local passed test LocatorCheck
      Starting test: Intersite
         ......................... ha.local passed test Intersite


How can we resolve this, if at all possible?


Many thanks
safemode_nz Asked:

Sandeshdubey (Senior Server Engineer) Commented:
From the log it is clear that the netlogon share is missing. It seems that sysvol has not replicated to the new DC and both netlogon and sysvol are missing.

Check whether the sysvol and netlogon shares are available or not. Run the net share command to check this.

Check in the sysvol folder whether the policies and scripts folders have replicated or not. If they have not replicated, you need to perform an authoritative and non-authoritative restore of the sysvol folder to fix this.

Assuming you have two DCs, Win2008 and Win2012: on the 2008 DC run D4 (auth restore) and on the 2012 DC run D2 (non-auth restore): http://support.microsoft.com/kb/290762

If sysvol is using DFSR then see http://jorgequestforknowledge.wordpress.com/2010/08/12/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-3/

Take a backup of the policies and scripts folders from the 2008 DC and copy it to an alternate location before you proceed.

Also ensure correct DNS settings on the DC, as described here: http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/

See this similar thread: http://social.technet.microsoft.com/Forums/windowsserver/en-US/21fc4107-897d-4ec4-8fbc-7d8c35652e0b/netlogon-and-sysvol-shares-are-not-created-after-dcpromo-in-windows-2003?forum=winserverDS
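The checks described in the answer above (shares present, Policies and scripts folders replicated, pending BurFlags) can be collected in one read-only pass. This is an added example, not part of the original thread; it assumes an elevated PowerShell 3.0 or later session on the domain controller and changes nothing on the system.

```powershell
# Added example: read-only SYSVOL/NETLOGON state check. Run elevated on the DC.
$report = [ordered]@{}

# Shares that `net share` would list.
$shares = (Get-CimInstance -ClassName Win32_Share).Name
$report['SYSVOL shared']   = $shares -contains 'SYSVOL'
$report['NETLOGON shared'] = $shares -contains 'NETLOGON'

# Netlogon publishes both shares only once SysvolReady is 1.
$nl = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$report['SysvolReady'] = $nl.SysvolReady

# Have the Policies and scripts folders actually replicated to this DC?
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$root   = Join-Path -Path $nl.SysVol -ChildPath $domain
foreach ($dir in 'Policies', 'scripts') {
    $path = Join-Path -Path $root -ChildPath $dir
    $report["$dir folder"] = if (Test-Path -LiteralPath $path) {
        '{0} item(s)' -f @(Get-ChildItem -LiteralPath $path -Force).Count
    } else { 'missing' }
}

# Which replication service is installed and running (FRS = NtFrs, DFS-R = DFSR)?
foreach ($svc in 'NtFrs', 'DFSR') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    $report["$svc service"] = if ($s) { "$($s.Status)" } else { 'not installed' }
}

# FRS BurFlags value. The key name contains "/", which the PowerShell registry
# provider treats as a path separator, so it is opened through the .NET API.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup')
if ($key) {
    $flags = $key.GetValue('BurFlags')
    $key.Close()
    $meaning = @{ 0xD4 = '(D4, authoritative)'; 0xD2 = '(D2, non-authoritative)' }
    $report['BurFlags'] = if ($null -eq $flags) { 'not set' } else { '0x{0:X} {1}' -f $flags, $meaning[$flags] }
} else {
    $report['BurFlags'] = 'FRS key not present'
}

[pscustomobject]$report | Format-List
```

Running it on both domain controllers before and after the D4/D2 change gives a before-and-after record of the share and folder state.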
Cris Hanna (Sr IT Support Engineer) Commented:
It sounds as if your SBS 2008 server was in Journal_wrap. Did you run the source prep tool on the SBS 2008 server before starting the migration? http://blogs.technet.com/b/sbs/archive/2010/11/30/the-sbs-2008-migration-preparation-tool-source-tool-keeps-reporting-that-the-server-is-in-journal-wrap-error.aspx

Is the SBS 2008 server still up?
safemode_nz (Author) Commented:
Thank you both very much for your feedback.

Sandeshdubey - The BurFlags have now got Active Directory synchronising and it seems to have fixed the main issue. We have a SYSVOL and NETLOGON now and Group Policy is working brilliantly.

CrisHanna_MVP - I ran the source prep tool and BPA; neither indicated any issues at the time.

DCDIAG is now clear on both servers; all tests are passing. However, I still have the following message in the DNS server on the 2012 server:

"The DNS server is waiting for Active Directory Domain Services (AD DS) to signal that the initial synchronization of the directory has been completed. The DNS server service cannot start until the initial synchronization is complete because critical DNS data might not yet be replicated onto this domain controller. If events in the AD DS event log indicate that there is a problem with DNS name resolution, consider adding the IP address of another DNS server for this domain to the DNS server list in the Internet Protocol properties of this computer. This event will be logged every two minutes until AD DS has signaled that the initial synchronization has successfully completed."

The message only appears at boot; it doesn't keep appearing every 2 minutes, so I am guessing this is normal.

My only worry is that if I go into the Monitoring tab and do a simple test or recursive test, it fails. However, there are no errors in the DNS log file and DNS appears to work (e.g. I can statically assign one of the client PCs to only use the new 2012 DNS server and it gets to the internet fine).

Is this an issue?
Sandeshdubey (Senior Server Engineer) Commented:
Event ID 4004/4015 normally appears when the DC and the DNS server are on the same system and it points to itself for name resolution. When we reboot the system, there is a timing mismatch between Active Directory and DNS: both try to start their services, which leads to a failure that logs this event.

Try to point this DC to another available local DNS server and make sure you are not using any public DNS IP address on either the clients' or the DC's NIC. Also check the NIC binding: the NIC which is online and has the IP details should be first in the order. If multiple NICs are present, then disable the NICs that are not required. http://theregime.wordpress.com/2008/03/04/how-to-setview-the-nic-bind-order-in-windows/
 
Troubleshoot Event ID 4015 — DNS Server Active Directory Integration
http://social.technet.microsoft.com/wiki/contents/articles/1364.windows-server-2008-troubleshoot-event-id-4015-dns-server-active-directory-integration.aspx
 
Event ID: 4015 Source: DNS
http://www.eventid.net/display.asp?eventid=4015&eventno=333&source=DNS&phase=1
 
Best practices for DNS client settings on DC and domain members.
http://abhijitw.wordpress.com/2012/03/03/best-practices-for-dns-client-settings-on-domain-controller/
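The NIC and DNS-client points raised in the answer above (an extra NIC on DHCP, non-local DNS servers on the DC, more than one active adapter) can be reviewed with a read-only listing. This is an added example, not part of the original thread; it assumes the NetTCPIP and DnsClient cmdlets of Windows Server 2012 or later, and `Test-PrivateOrLoopback` is a hypothetical helper defined here.

```powershell
# Added example: read-only NIC and DNS-client review for a domain controller.
function Test-PrivateOrLoopback([string]$Address) {
    # Hypothetical helper: RFC 1918 ranges plus loopback count as "local".
    return $Address -match '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
}

$findings = foreach ($nic in Get-NetAdapter | Where-Object Status -eq 'Up') {
    $ipif = Get-NetIPInterface -InterfaceIndex $nic.ifIndex -AddressFamily IPv4
    $ips  = @(Get-NetIPAddress -InterfaceIndex $nic.ifIndex -AddressFamily IPv4 `
                  -ErrorAction SilentlyContinue).IPAddress
    $dns  = @((Get-DnsClientServerAddress -InterfaceIndex $nic.ifIndex `
                  -AddressFamily IPv4).ServerAddresses)

    $flags = @()
    # A DC should hold a static address; a DHCP lease on a second NIC is the
    # situation described in the question.
    if ($ipif.Dhcp -eq 'Enabled') { $flags += 'DHCP-assigned address' }
    foreach ($d in $dns) {
        if ($d -and -not (Test-PrivateOrLoopback $d)) {
            $flags += "non-local DNS server $d"
        }
    }

    [pscustomobject]@{
        Adapter    = $nic.Name
        Metric     = $ipif.InterfaceMetric
        Dhcp       = $ipif.Dhcp
        IPv4       = $ips -join ', '
        DnsServers = $dns -join ', '
        Flags      = $flags -join '; '
    }
}

if (@($findings).Count -gt 1) {
    Write-Warning ('{0} active adapters found; review whether each is required.' -f @($findings).Count)
}
$findings | Sort-Object Metric | Format-Table -AutoSize -Wrap
```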