RepAdmin errors on my main DC not in synch

A couple of weeks ago I had an issue with my main domain controller not being accessible for several hours due to network cabling related issues. A week later the same server was down during the morning hours for a while relating to a space issue. In the meantime my secondary DC continued to work fine. At the moment I have been getting several errors stating that the server with the FSMO role is out of synch.

I also noticed that Netlogon service on the main server is in a paused state.  Users are able to log on fine.  What do I need to do to get these two in synch?

   Testing server: Default-First-Site-Name\THUNDERBALL-DC
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\Morpheus.Shamrock.local, when we were trying to reach
         ......................... THUNDERBALL-DC failed test Advertising
      Starting test: FrsEvent
         ......................... THUNDERBALL-DC passed test FrsEvent
      Starting test: DFSREvent
         ......................... THUNDERBALL-DC passed test DFSREvent
      Starting test: SysVolCheck
         ......................... THUNDERBALL-DC passed test SysVolCheck
      Starting test: KccEvent
         ......................... THUNDERBALL-DC passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... THUNDERBALL-DC passed test
      Starting test: MachineAccount
         ......................... THUNDERBALL-DC passed test MachineAccount
      Starting test: NCSecDesc
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         ......................... THUNDERBALL-DC failed test NCSecDesc
      Starting test: NetLogons
         ......................... THUNDERBALL-DC passed test NetLogons
      Starting test: ObjectsReplicated
         ......................... THUNDERBALL-DC passed test ObjectsReplicated
      Starting test: Replications
         [Replications Check,Replications Check] Inbound replication is
         To correct, run "repadmin /options THUNDERBALL-DC
         [Replications Check,THUNDERBALL-DC] Outbound replication is disabled.
         To correct, run "repadmin /options THUNDERBALL-DC
         ......................... THUNDERBALL-DC failed test Replications
      Starting test: RidManager
         ......................... THUNDERBALL-DC passed test RidManager
      Starting test: Services
            w32time Service is stopped on [THUNDERBALL-DC]
            NETLOGON Service is paused on [THUNDERBALL-DC]
         ......................... THUNDERBALL-DC failed test Services
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00000458
            Time Generated: 10/17/2013   08:28:19
            Event String:
            The Group Policy Client Side Extension Folder Redirection was unable
 to apply one or more settings because the changes must be processed before syst
em startup or user logon. The system will wait for Group Policy processing to fi

Mike Kline Commented:
For the filtered set errors you can run RODC prep to help with those, more on that here

Have you tried enabling replication (both inbound and outbound) on THUNDERBALL-DC with the repadmin commands specified?

Can you run repadmin /showreps on Thunderball-DC?


tips54 (Author) Commented:
I ended up seizing the roles from the server to another. I will demote the server and promote it back to DC. I was going to transfer the roles back to Thunderball-dc. Could I transfer the roles back to it? I saw a couple of articles stating not to transfer the FSMO roles back to a server they were seized from.
tips54 (Author) Commented:
any thoughts?

It's indeed not a good idea to leave the server running as domain controller after you seized the FSMO roles to another server. This is because each FSMO role can only run on 1 domain controller. Please see also
There it's also stated that a reinstallation of Windows is best.

If you'd like to re-use the server then you might try the following, but I'm not 100% sure it won't give any problems. At least I would not recommend to do a demote while it's on the network, and you might want to demote the server in such a way that it's not possible for the server to communicate on the network.

After the demotion of server THUNDERBALL-DC you can do an AD metadata cleanup for THUNDERBALL-DC. Also go through DNS and delete all entries related to this server and also have a look at AD Sites and Services and delete the server if it's still visible there.

Also verify (and correct if necessary) that the Inter Site Topology Generators (ISTG) is pointing to the correct server.

Before adding the server back as domain controller you might consider changing the servername to something different so not removed entries or problems related to the "old" THUNDERBALL-DC servername are always recognizable.
Sandeshdubey (Senior Server Engineer) Commented:
THUNDERBALL-DC indicates both inbound and outbound replication is disabled. This normally occurs if the server is in USN rollback state. Have you restored this DC with a snapshot/image backup? Also, if the server reports low disk space, Netlogon can go to paused state.

- To confirm if the server is in USN rollback, check the below parameters.
* Netlogon service is in paused state.
* DSA Not Writable key with value 4 is created in HKLM\System\CurrentControlSet\Services\NTDS registry path.
* Event ID 2103 is logged, which states that the Active Directory database has been restored using an unsupported restoration procedure.

As you have seized the role, you need to forcefully demote the DC followed by metadata cleanup. Once done you can promote the server back as DC and move the FSMO role back.
Complete Step by Step Guideline to Remove an Orphaned Domain controller (including seizing FSMOs, running a metadata cleanup, and more)

Also don't forget to configure the authoritative time server role in the DC.
Authoritative time server:
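
The three USN rollback indicators listed in the answer above, together with the replication state that dcdiag flagged, can be collected in one read-only pass. The following PowerShell script is an added example and is not part of the original thread; it assumes an elevated session on the suspect DC, that the "Dsa Not Writable" value sits in the `Parameters` subkey of the NTDS key, and that event 2103 is written to the `Directory Service` log.

```powershell
# Added example: read-only triage of the USN rollback indicators on a DC.
# Run from an elevated PowerShell session on the suspect domain controller.
$dc = $env:COMPUTERNAME

# 1. Netlogon is left paused when the DC quarantines itself.
$netlogon = (Get-Service -Name Netlogon).Status

# 2. "Dsa Not Writable" = 4 (assumed location: the NTDS\Parameters subkey).
$key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$value = (Get-ItemProperty -Path $key -Name 'Dsa Not Writable' `
          -ErrorAction SilentlyContinue).'Dsa Not Writable'

# 3. Event ID 2103 (assumed log name: 'Directory Service').
$event2103 = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2103
} -MaxEvents 1 -ErrorAction SilentlyContinue

# 4. Replication options as the DC itself reports them (query only).
$options = (& repadmin.exe /options $dc) -join ' '

$report = [pscustomobject]@{
    Server           = $dc
    NetlogonPaused   = ($netlogon -eq 'Paused')
    DsaNotWritable   = ($value -eq 4)
    Event2103        = [bool]$event2103
    Event2103Time    = $event2103.TimeCreated
    InboundDisabled  = ($options -match 'DISABLE_INBOUND_REPL')
    OutboundDisabled = ($options -match 'DISABLE_OUTBOUND_REPL')
}
$report | Format-List

# Count how many of the three rollback indicators are present.
$hits = @($report.NetlogonPaused, $report.DsaNotWritable, $report.Event2103 |
          Where-Object { $_ }).Count

if ($hits -eq 3) {
    'All three indicators present: treat as USN rollback. Leave replication ' +
    'disabled; forcibly demote, clean up metadata, then re-promote.'
} elseif ($report.InboundDisabled -or $report.OutboundDisabled) {
    "Replication is disabled with $hits of 3 rollback indicators; find the " +
    'cause before changing the repadmin options.'
} else {
    "Replication options are clear; $hits of 3 rollback indicators present."
}
```
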
tips54 (Author) Commented:
This issue was resolved by demoting and re-promoting the server to a DC.
