tips54

RepAdmin errors on my main DC not in synch

A couple of weeks ago I had an issue with my main domain controller not being accessible for several hours due to network cabling related issues.  A week later the same was down during the morning hours for a while relating to space issues.  In the meantime my secondary DC continued to work fine.  At the moment I have been getting several errors relating to the server with the FSMO role being out of synch.

I also noticed that Netlogon service on the main server is in a paused state.  Users are able to log on fine.  What do I need to do to get these two in synch?

   Testing server: Default-First-Site-Name\THUNDERBALL-DC
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\Morpheus.Shamrock.local, when we were trying to reach
         THUNDERBALL-DC.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... THUNDERBALL-DC failed test Advertising
      Starting test: FrsEvent
         ......................... THUNDERBALL-DC passed test FrsEvent
      Starting test: DFSREvent
         ......................... THUNDERBALL-DC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... THUNDERBALL-DC passed test SysVolCheck
      Starting test: KccEvent
         ......................... THUNDERBALL-DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... THUNDERBALL-DC passed test
         KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... THUNDERBALL-DC passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=Shamrock,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=Shamrock,DC=local
         ......................... THUNDERBALL-DC failed test NCSecDesc
      Starting test: NetLogons
         ......................... THUNDERBALL-DC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... THUNDERBALL-DC passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,Replications Check] Inbound replication is
         disabled.
         To correct, run "repadmin /options THUNDERBALL-DC
         -DISABLE_INBOUND_REPL"
         [Replications Check,THUNDERBALL-DC] Outbound replication is disabled.
         To correct, run "repadmin /options THUNDERBALL-DC
         -DISABLE_OUTBOUND_REPL"
         ......................... THUNDERBALL-DC failed test Replications
      Starting test: RidManager
         ......................... THUNDERBALL-DC passed test RidManager
      Starting test: Services
            w32time Service is stopped on [THUNDERBALL-DC]
            NETLOGON Service is paused on [THUNDERBALL-DC]
         ......................... THUNDERBALL-DC failed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000458
            Time Generated: 10/17/2013   08:28:19
            Event String:
            The Group Policy Client Side Extension Folder Redirection was unable to apply one or more settings because the changes must be processed before system startup or user logon. The system will wait for Group Policy processing to fi
Mike Kline

For the filtered set errors you can run RODC prep to help with those, more on that here

http://support.microsoft.com/kb/967482

Have you tried enabling replication (both inbound and outbound) on Thunderball-DC with the repadmin commands specified?

Can you run repadmin /showreps on Thunderball-DC?

Thanks

Mike
tips54

ASKER

I ended up seizing the roles from the server to another.  I will demote the server and promote it back to DC.   I was going to transfer the roles back to Thunderball-dc.   Could I transfer the roles back to it?  I saw a couple of articles stating not to transfer the FSMO roles back to a server they were seized from.

ASKER

Any thoughts?

It's indeed not a good idea to leave the server running as a domain controller after you have seized the FSMO roles to another server. This is because each FSMO role can only run on 1 domain controller. Please see also http://www.petri.co.il/seizing_fsmo_roles.htm
There it's also stated that a reinstallation of Windows is best.

If you would like to re-use the server then you might try the following, but I'm not 100% sure it won't give any problems. At least I would not recommend doing a demote while it's on the network, and you might want to demote the server in such a way that it's not possible for the server to communicate on the network.

After the demotion of server THUNDERBALL-DC you can do an AD metadata cleanup for THUNDERBALL-DC. Also go through DNS and delete all entries related to this server and also have a look at AD Sites and Services and delete the server if it's still visible there.
http://www.petri.co.il/delete_failed_dcs_from_ad.htm

Also verify (and correct if necessary) that the Inter-Site Topology Generator (ISTG) is pointing to the correct server.
http://technet.microsoft.com/nl-nl/library/6217d59d-6c73-4a4a-8b02-01fd795fb07f#BKMK_ISTG

Before adding the server back as a domain controller you might consider changing the server name to something different, so that entries that were not removed, or problems related to the "old" THUNDERBALL-DC server name, are always recognizable.
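
The leftovers this answer says to look for (DNS entries, the server object in AD Sites and Services, the ISTG pointer), plus the seized FSMO roles, can be checked in one read-only pass between metadata cleanup and re-promotion. This is an added example, not part of the original answer; it assumes the ActiveDirectory module, PowerShell 3.0 or later and Resolve-DnsName (Windows Server 2012 or later), and the function name is hypothetical.

```powershell
# Added example (not from the thread). Read-only; requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Find-StaleDcReference {
    param(
        [Parameter(Mandatory)] [string] $OldDc,      # short name, e.g. THUNDERBALL-DC
        [Parameter(Mandatory)] [string] $DnsDomain   # e.g. Shamrock.local
    )
    $found = @()

    # 1. No FSMO role may still name the removed DC as its holder.
    $domain = Get-ADDomain -Identity $DnsDomain
    $forest = Get-ADForest -Identity $domain.Forest
    $roles = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    foreach ($r in $roles.GetEnumerator()) {
        if ($r.Value -like "$OldDc.*") { $found += "FSMO $($r.Key) held by $($r.Value)" }
    }

    # 2. Server objects and ISTG pointers under CN=Sites (AD Sites and Services).
    $sites = "CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
    Get-ADObject -SearchBase $sites -LDAPFilter "(&(objectClass=server)(cn=$OldDc))" |
        ForEach-Object { $found += "Server object: $($_.DistinguishedName)" }
    Get-ADObject -SearchBase $sites -LDAPFilter '(objectClass=nTDSSiteSettings)' -Properties interSiteTopologyGenerator |
        Where-Object { $_.interSiteTopologyGenerator -like "*CN=$OldDc,*" } |
        ForEach-Object { $found += "ISTG pointer: $($_.DistinguishedName)" }

    # 3. DC locator SRV records and the host record in DNS.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DnsDomain" -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.NameTarget -like "$OldDc.*" } |
        ForEach-Object { $found += "SRV record -> $($_.NameTarget)" }
    if (Resolve-DnsName -Name "$OldDc.$DnsDomain" -ErrorAction SilentlyContinue) {
        $found += "Host record still resolves: $OldDc.$DnsDomain"
    }
    $found   # an empty result means none of these checks found a leftover
}

Find-StaleDcReference -OldDc 'THUNDERBALL-DC' -DnsDomain 'Shamrock.local'
```
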
THUNDERBALL-DC indicates both inbound and outbound replication is disabled. This normally occurs if the server is in a USN rollback state. Have you restored this DC with a snapshot/image backup? Also, if the server reports low disk space, Netlogon can go to a paused state.

- To confirm whether the server is in USN rollback, check the parameters below.
* Netlogon service is in paused state.
* DSA Not Writable key with value 4 is created in HKLM\System\CurrentControlSet\Services\NTDS registry path.
* Event ID 2103 is logged, which states that the Active Directory database has been restored using an unsupported restoration procedure.

As you have seized the role, you need to forcefully demote the DC, followed by metadata cleanup. Once done you can promote the server back as a DC and move the FSMO role back.
Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)
http://msmvps.com/blogs/acefekay/archive/2010/10/05/complete-step-by-step-to-remove-an-orphaned-domain-controller.aspx

Also don't forget to configure the authoritative time server role on the DC.
Authoritative time server: http://support.microsoft.com/kb/816042
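
The three indicators listed in this answer, together with the replication flags dcdiag reported, can be read in one pass on the suspect DC. This is an added example, not part of the original answer; it assumes an elevated PowerShell 3.0 or later session, that the Dsa Not Writable value sits in the Parameters subkey of the NTDS path the answer quotes, and the function name is hypothetical.

```powershell
# Added example (not from the thread). Read-only; run locally on the suspect DC.
function Test-UsnRollbackIndicators {
    # 1. Netlogon paused. On its own this is not conclusive: the answer notes
    #    that low disk space can also pause Netlogon.
    $netlogon = Get-Service -Name Netlogon

    # 2. "Dsa Not Writable" = 4.
    #    Assumption: the value lives in the Parameters subkey of the NTDS key.
    $ntdsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $dsaValue = (Get-ItemProperty -Path $ntdsKey -Name 'Dsa Not Writable' `
                    -ErrorAction SilentlyContinue).'Dsa Not Writable'

    # 3. Event ID 2103 in the Directory Service log (unsupported restore detected).
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2103 } `
                    -MaxEvents 5 -ErrorAction SilentlyContinue)

    # Replication flags as repadmin reports them (what dcdiag complained about).
    $options = (& repadmin /options $env:COMPUTERNAME 2>&1) -join ' '

    [pscustomobject]@{
        NetlogonStatus       = $netlogon.Status
        DsaNotWritable       = $dsaValue
        Event2103Count       = $events.Count
        LatestEvent2103      = if ($events) { $events[0].TimeCreated } else { $null }
        InboundReplDisabled  = $options -match 'DISABLE_INBOUND_REPL'
        OutboundReplDisabled = $options -match 'DISABLE_OUTBOUND_REPL'
        # All three indicators from the answer present at the same time.
        AllThreeIndicators   = ($netlogon.Status -eq 'Paused') -and
                               ($dsaValue -eq 4) -and ($events.Count -gt 0)
    }
}

Test-UsnRollbackIndicators | Format-List
```
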
ASKER CERTIFIED SOLUTION
tips54


ASKER

ok