Solved

2008 with no sysvol share

Posted on 2013-11-03
Last Modified: 2013-11-06

Have an interesting issue. Have 3 DC(s) - (2) 2008(s – TM & Exchange) & (1) 2003 (Docserv).

The network has been replicating with no issues for prob close to 2 – 2 ½ years since those servers were put in. The 2003 holds the domain roles. Why - No reason just prob never moved them. The domain is at 2003 level.

I just did an application upgrade the end of the following week that made me change script shares in sysvol, which I normally do on the Exchange server and then manually replicate to the other 2, which I did with no errors (so never checked the other 2). Multiple times last week I had users get the old script value, which I ignored at the beginning since Microsoft does like to remember old shares, but I took a longer look last Friday and found that the TM server was still retaining the old sysvol info. I immediately did a manual replication on that server from Exchange with no errors but the sysvol didn’t update. I looked at Event Viewer and found it was in Journal Wrap ONLY on that server since approx 5 days prior to when I changed the scripts.

I created the “Enable Journal Wrap Automatic Restore” which took about 30 minutes prior to having the subsequent error show in EV stating that the replica set was being deleted in an attempt to recover from an error state. Since then (approx 2 hours since starting) NO other values have shown in EV and doing a Net Share does not list the sysvol share. I did a repadmin /showreps with NO errors shown. For safety's sake I also changed the Tombstone from Not Set to 180 days, WHICH DID replicate to TM. I can do a manual replication from TM to the other servers and also start a replication of the other servers to TM from the other 2 DCs without any errors showing that I can see, but still no sysvol.

I am hesitant to do a non-authoritative restore using BurFlags and since multiple people were out from the office last 2 weeks their backups took a huge hit.

Thoughts??

Question by: bcp_cnsllc

15 Comments

Expert Comment

by: alicain
The first thing to note is that AD Replication and sysvol's NTFRS replication, while sharing some configuration, are separate replication mechanisms.

What is it that you do to "manually replicate" changes to the scripts folder? This should not be necessary and was probably a sign of some underlying issue that needed fixing.

Before doing anything, I'd suggest taking a backup of the policies and scripts folders on each DC before you start so you can go back and look at where things were if needed.  Be very careful to take the copy at the policies/scripts level so that you DO NOT copy the junction points.

Are you using DRS replication for any other folders?  If so, and you do go down the D2 route, do it at the SYSVOL replica set level, so that as little as possible is affected.

You are right to be relatively cautious with the non-authoritative restore.  It is best to identify the root cause of the issues before doing the D2 otherwise it either will not be successful or issues will return.  

However, the automatic journal wrap recovery is just a D2 by another name, and that has not successfully completed - as can be seen by the fact SYSVOL share is not yet available.  So we need to find and fix the root cause of that...

Start by checking the event logs for NTFRS related errors and look to get them resolved.  Running DCDIAG and FRSUTIL on the DCs will also help identify issues.

It was common for the NTFRS service in Windows 2003 to get into an unresponsive start, so a restart of the service on the other DCs might kick things into action too.

Once you are happy there are no other errors, you can start going about the recovery.  As it sounds like there have been many problems in the past, you may need to go down the path of identifying the DC that has SYSVOL in the best condition and doing an authoritative restore on that and non-authoritative on the others (disable NTFRS on all of them before starting).

There were numerous hotfixes for NTFRS in the 2003 days, so ensuring they are at least at Service Pack 2 is wise.

Should also say that having Exchange on the DC is not recommended, although probably not related to this issue.

SYSVOL recoveries like this can take a considerable amount of time to resolve and investing some time to find the root cause of why they were not replicating before trying to fix it is time well spent.

Regards,
Alastair.

Author Comment

by: bcp_cnsllc
I will start looking into what you said.

"What is it that you do to "manually replicate" changes to the scripts folder - this should not be necessary and was probably a sign of some underlying issue that needed fixing."
Do not at all read anything more than what I wrote related to this. I am old school and know how to replicate changes manually through Sites and Services, etc. When I make changes in AD or scripting, many times I do a manual to get it done quicker than wait for the time interval.

Even though the network was a 2003 upgrade, there is nothing wrong on the 2003 DC nor the other 2008 that I can tell. Looking at EV logs on the other DCs show no apparent issues related to replication or AD.

Author Comment

by: bcp_cnsllc
Results of the dcdiag. Replaced local domain name with ***

C:\Users\Administrator.***>dcdiag

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server...
   Home Server = TM
   * Identified AD Forest.
   Done gathering initial info.

Doing initial required tests

   Testing server: Default-First-Site-Name\TM
      Starting test: Connectivity
         ......................... TM passed test Connectivity

Doing primary tests

   Testing server: Default-First-Site-Name\TM
      Starting test: Advertising
         Warning: DsGetDcName returned information for
         \\Exchange2010.***.local, when we were trying to reach TM.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... TM failed test Advertising
      Starting test: FrsEvent
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         ......................... TM failed test FrsEvent
      Starting test: DFSREvent
         ......................... TM passed test DFSREvent
      Starting test: SysVolCheck
         ......................... TM passed test SysVolCheck
      Starting test: KccEvent
         ......................... TM passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... TM passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... TM passed test MachineAccount
      Starting test: NCSecDesc
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=***,DC=local
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=***,DC=local
         ......................... TM failed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\TM\netlogon)
         [TM] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... TM failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... TM passed test ObjectsReplicated
      Starting test: Replications
         ......................... TM passed test Replications
      Starting test: RidManager
         ......................... TM passed test RidManager
      Starting test: Services
         ......................... TM passed test Services
      Starting test: SystemLog
         ......................... TM passed test SystemLog
      Starting test: VerifyReferences
         ......................... TM passed test VerifyReferences


   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ***
      Starting test: CheckSDRefDom
         ......................... *** passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... *** passed test CrossRefValidation

   Running enterprise tests on : ***.local
      Starting test: LocatorCheck
         ......................... ***.local passed test LocatorCheck
      Starting test: Intersite
         ......................... ***.local passed test Intersite

C:\Users\Administrator.***>

Expert Comment

by: alicain
The main thing that stands out there is :
         \\Exchange2010.***.local, when we were trying to reach TM.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... TM failed test Advertising

This suggests that there are connectivity issues between the server TM and Exchange2012.  Is it registered in DNS correctly?  Are there any network/firewall issues preventing connectivity?

Also, to force NTFRS replication, we need to use NTFRSUtil rather than as we do in Sites and Services for AD replication, as discussed here:
http://blogs.technet.com/b/justinturner/archive/2007/04/27/quick-tip-force-frs-replication.aspx

Regards,
Alastair.

Author Comment

by: bcp_cnsllc
No issues with Exchange being registered in DNS. This network has been up and running in its current condition for just under 3 years min with no issues besides badly designed apps that the client uses for their work.

Author Comment

by: bcp_cnsllc
If I do this what damage could I do??

 Run the following command on all domain controllers in the forest.

Net Stop NTFRS (stop the file replication service)

On my Exchange server
Go Into Registry Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

Change the BurFlags DWORD to = D4 on the Primary Domain Controller and change to D2 on ONLY the TM server.

Start the NTFRS service again by using Net Start NTFRS command

Author Comment

by: bcp_cnsllc
Remember that Exchange is not the role holder - the 2003 is but I believe Exchange to be working properly.

Would the above restore both the netlogon and sysvol shares??

Expert Comment

by: alicain
The BurFlags D4 is an authoritative restore.  If there are any changes to files or additional files on the other DCs that have not been replicated, they would be lost.

As mentioned previously, finding the root cause of the issue is important and that error in the DCDiag output is an indication of something.  The output of a "DCDiag /v /e" would be useful to see the whole picture.

If you do go down the route of an authoritative restore, I'd recommend a D2 on both of the other DCs, not just one of them.

The registry key mentioned there is the Global rather than replica set specific, so if you have other replica sets for DFS other than SYSVOL, they will also be authoritatively restored, which would be a major activity if you have large replicated DFS shares.
For info see : http://support.microsoft.com/kb/290762

Regards,
Alastair.
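
Added example, not part of the original post: a PowerShell way to set BurFlags on the SYSVOL replica set only instead of the global key, which is the distinction drawn above. The function names are hypothetical, and the "Replica Sets" and "Cumulative Replica Sets" key locations are taken from the KB 290762 procedure rather than from this thread.

```powershell
# Added example: scoped NTFRS re-initialisation (BurFlags). Run elevated on the DC.
# Written to work on PowerShell 2.0, which is what Server 2008 ships with.
# Function names are hypothetical; registry locations follow KB 290762.

$FrsParams = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'

function Get-FrsReplicaSet {
    # List every NTFRS replica set on this server with its GUID and root path,
    # so SYSVOL can be told apart from any DFS replica sets.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$FrsParams\Replica Sets")
    if (-not $key) { throw "No 'Replica Sets' key found; is NTFRS in use on this server?" }
    try {
        foreach ($guid in $key.GetSubKeyNames()) {
            $set = $key.OpenSubKey($guid)
            New-Object PSObject -Property @{
                Guid = $guid
                Root = $set.GetValue('Replica Set Root')
            }
            $set.Close()
        }
    } finally { $key.Close() }
}

function Set-FrsBurFlags {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # D2 = non-authoritative, D4 = authoritative
        [Parameter(Mandatory = $true)][ValidateSet('D2', 'D4')][string]$Mode,
        # GUID of a single replica set; omit to use the global key (all replica sets).
        [string]$ReplicaSetGuid
    )

    if ($ReplicaSetGuid) {
        $subKey = "$FrsParams\Cumulative Replica Sets\$ReplicaSetGuid"
    } else {
        # The key name "Backup/Restore" contains a forward slash, which the
        # PowerShell registry provider treats as a path separator. The .NET
        # registry API only splits on backslashes, so it is used throughout.
        $subKey = "$FrsParams\Backup/Restore\Process at Startup"
    }
    $value = [Convert]::ToInt32($Mode, 16)   # BurFlags is a DWORD: 0xD2 or 0xD4

    $action = "Stop NtFrs, set BurFlags=$Mode, start NtFrs"
    if (-not $PSCmdlet.ShouldProcess("HKLM\$subKey", $action)) { return }

    Stop-Service -Name NtFrs
    try {
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
        if (-not $key) { throw "Registry key not found: HKLM\$subKey" }
        $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    } finally {
        # Always bring the service back, even if the registry write failed.
        Start-Service -Name NtFrs
    }
}

# Usage (the SYSVOL root typically ends in \sysvol\domain):
#   Get-FrsReplicaSet | Where-Object { $_.Root -like '*\sysvol\domain' }
#   Set-FrsBurFlags -Mode D2 -ReplicaSetGuid '<GUID from the line above>' -WhatIf
```

Run it with -WhatIf first to see which key would be written; without -ReplicaSetGuid the global key is used and every replica set on the server is re-initialised.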

Author Comment

by: bcp_cnsllc
latency information (Win2K DC).
            DC=DomainDnsZones,DC=***,DC=local
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=***,DC=local
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Configuration,DC=***,DC=local
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=***,DC=local
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
         ......................... TM passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 5601 to 1073741823
         * docserv.***.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 4601 to 5100
         * rIDPreviousAllocationPool is 4601 to 5100
         * rIDNextRID: 4605
         ......................... TM passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... TM passed test Services
      Starting test: SystemLog
         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... TM passed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=TM,OU=Domain Controllers,DC=***,DC=local and backlink on
         CN=TM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,D
C=***,DC=local
         are correct.
         The system object reference (serverReferenceBL)
         CN=TM,CN=Domain System Volume (SYSVOL share),CN=File Replication Servic
e,CN=System,DC=***,DC=local
         and backlink on
         CN=NTDS Settings,CN=TM,CN=Servers,CN=Default-First-Site-Name,CN=Sites,C
N=Configuration,DC=***,DC=local
         are correct.
         ......................... TM passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

   Testing server: Default-First-Site-Name\EXCHANGE2010
      Starting test: Advertising
         The DC EXCHANGE2010 is advertising itself as a DC and having a DS.
         The DC EXCHANGE2010 is advertising as an LDAP server
         The DC EXCHANGE2010 is advertising as having a writeable directory
         The DC EXCHANGE2010 is advertising as a Key Distribution Center
         The DC EXCHANGE2010 is advertising as a time server
         The DS EXCHANGE2010 is advertising as a GC.
         ......................... EXCHANGE2010 passed test Advertising
      Test omitted by user request: CheckSecurityError
      Test omitted by user request: CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         ......................... EXCHANGE2010 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         ......................... EXCHANGE2010 passed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service's SYSVOL is ready
         ......................... EXCHANGE2010 passed test SysVolCheck
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 min
utes.
         ......................... EXCHANGE2010 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=DOCSERV,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=***,DC=local
         Role Domain Owner = CN=NTDS Settings,CN=DOCSERV,CN=Servers,CN=Default-F
irst-Site-Name,CN=Sites,CN=Configuration,DC=***,DC=local
         Role PDC Owner = CN=NTDS Settings,CN=DOCSERV,CN=Servers,CN=Default-Firs
t-Site-Name,CN=Sites,CN=Configuration,DC=***,DC=local
         Role Rid Owner = CN=NTDS Settings,CN=DOCSERV,CN=Servers,CN=Default-Firs
t-Site-Name,CN=Sites,CN=Configuration,DC=***,DC=local
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=DOCSERV,CN=Serve
rs,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=***,DC=local
         ......................... EXCHANGE2010 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC EXCHANGE2010 on DC EXCHANGE2010.
         * SPN found :LDAP/Exchange2010.***.local/***.local
         * SPN found :LDAP/Exchange2010.***.local
         * SPN found :LDAP/EXCHANGE2010
         * SPN found :LDAP/Exchange2010.***.local/***
         * SPN found :LDAP/66084428-1d3a-4573-8aec-b6df49534296._msdcs.***.loca
l
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/66084428-1d3a-4573-8a
ec-b6df49534296/***.local
         * SPN found :HOST/Exchange2010.***.local/***.local
         * SPN found :HOST/Exchange2010.***.local
         * SPN found :HOST/EXCHANGE2010
         * SPN found :HOST/Exchange2010.***.local/***
         * SPN found :GC/Exchange2010.***.local/***.local
         ......................... EXCHANGE2010 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC EXCHANGE2010.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=***,DC=local
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=ForestDnsZones,DC=***,DC=local
         * Security Permissions Check for
           DC=DomainDnsZones,DC=***,DC=local
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
            Replicating Directory Changes In Filtered Set
         access rights for the naming context:
         DC=DomainDnsZones,DC=***,DC=local
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=***,DC=local
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=***,DC=local
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=***,DC=local
            (Domain,Version 3)
         ......................... EXCHANGE2010 failed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\EXCHANGE2010\netlogon
         Verified share \\EXCHANGE2010\sysvol
         ......................... EXCHANGE2010 passed test NetLogons
      Starting test: ObjectsReplicated
         EXCHANGE2010 is in domain DC=***,DC=local
         Checking for CN=EXCHANGE2010,OU=Domain Controllers,DC=***,DC=local in
domain DC=***,DC=local on 3 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=EXCHANGE2010,CN=Servers,CN=Default-Fir
st-Site-Name,CN=Sites,CN=Configuration,DC=***,DC=local in domain CN=Configurati
on,DC=***,DC=local on 3 servers
            Object is up-to-date on all servers.
         ......................... EXCHANGE2010 passed test ObjectsReplicated
      Test omitted by user request: OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=***,DC=local
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=DomainDnsZones,DC=***,DC=local
               Latency information for 3 entries in the vector were ignored.
                  3 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Schema,CN=Configuration,DC=***,DC=local
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            CN=Configuration,DC=***,DC=local
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
            DC=***,DC=local
               Latency information for 7 entries in the vector were ignored.
                  7 were retired Invocations.  0 were either: read-only replicas
 and are not verifiably latent, or dc's no longer replicating this nc.  0 had no
 latency information (Win2K DC).
         ......................... EXCHANGE2010 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 5601 to 1073741823
         * docserv.***.local is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 5101 to 5600
         * rIDPreviousAllocationPool is 5101 to 5600
         * rIDNextRID: 5117
         ......................... EXCHANGE2010 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
            Invalid service startup type: w32time on EXCHANGE2010, current
            value DEMAND_START, expected value AUTO_START
         * Checking Service: NETLOGON
         ......................... EXCHANGE2010 failed test Services
      Starting test: SystemLog
         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... EXCHANGE2010 passed test SystemLog
      Test omitted by user request: Topology
      Test omitted by user request: VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=EXCHANGE2010,OU=Domain Controllers,DC=***,DC=local and backlink on
         CN=EXCHANGE2010,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Confi
guration,DC=***,DC=local
          are correct.
         The system object reference (serverReferenceBL)
         CN=EXCHANGE2010,CN=Domain System Volume (SYSVOL share),CN=File Replicat
ion Service,CN=System,DC=***,DC=local
         and backlink on
         CN=NTDS Settings,CN=EXCHANGE2010,CN=Servers,CN=Default-First-Site-Name,
CN=Sites,CN=Configuration,DC=***,DC=local
         are correct.
         ......................... EXCHANGE2010 passed test VerifyReferences
      Test omitted by user request: VerifyReplicas

            Test omitted by user request: DNS
            Test omitted by user request: DNS

         Test omitted by user request: DNS
         Test omitted by user request: DNS

      Test omitted by user request: DNS
      Test omitted by user request: DNS

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test
         CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : ***
      Starting test: CheckSDRefDom
         ......................... *** passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... *** passed test CrossRefValidation

   Running enterprise tests on : ***.local
      Test omitted by user request: DNS
      Test omitted by user request: DNS
      Starting test: LocatorCheck
         GC Name: \\docserv.***.local
         Locator Flags: 0xe00003fd
         PDC Name: \\docserv.***.local
         Locator Flags: 0xe00003fd
         Time Server Name: \\docserv.***.local
         Locator Flags: 0xe00003fd
         Preferred Time Server Name: \\docserv.***.local
         Locator Flags: 0xe00003fd
         KDC Name: \\Exchange2010.***.local
         Locator Flags: 0xe00031fc
         ......................... ***.local passed test LocatorCheck
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope
         provided by the command line arguments provided.
         ......................... ***.local passed test Intersite

C:\Users\Administrator.***>

Author Comment

by: bcp_cnsllc
OK, if I do a D2 restore, could I just do it on the TM server that is missing the netlogon and sysvol shares??

The concern I have is that the TM server is important in that it is running an app with SQL on it and just concerned about corrupting that server or the Exchange server.

Accepted Solution

by: alicain
The authoritative restore will not have any impact outside of SYSVOL and any DFS replica sets, i.e. corrupting the server or affecting Exchange, but there are implications on SYSVOL, which needs to be available.

You could just attempt the D2 on the server that is currently not sharing SYSVOL, and that may resolve the issue - but that is the same as the journal wrap automatic restore, so I'm holding much confidence that it will complete this way.

Author Comment

by: bcp_cnsllc
Did a straight d2 and "appears" to be working as of now. Will monitor it for the next few days and see what happens.

Thanks for the help.

Expert Comment

by: alicain
That sounds positive, but do keep a close eye on it.

Running a "GPOTool /v" would be wise to make sure all your GPOs are consistent.

It's also useful to create an empty file within say the policies folder on each DC, with a filename of the DC name and watch to see them replicate around, that'll show if all the DCs are successfully replicating NTFRS.
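
Added example, not part of the original post: the canary-file check described above as a PowerShell function that drops one empty file per DC into the Policies folder and polls until every DC holds every file. The function name, file naming scheme and timeout defaults are assumptions; DC names and the domain FQDN are passed in by the caller.

```powershell
# Added example: NTFRS canary test for SYSVOL. Works on PowerShell 2.0.
# Test-SysvolCanary and the "canary-<DC>-<timestamp>.txt" naming are hypothetical.

function Test-SysvolCanary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string[]]$DomainController,
        [Parameter(Mandatory = $true)][string]$DomainFqdn,
        [int]$TimeoutMinutes = 30,
        [int]$PollSeconds = 30
    )

    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $canary = @{}   # source DC -> canary file name

    # 1. Create one empty file per DC, named after the DC it was created on.
    foreach ($dc in $DomainController) {
        $dir = "\\$dc\SYSVOL\$DomainFqdn\Policies"
        if (-not (Test-Path -LiteralPath $dir)) {
            # A DC that is not sharing SYSVOL (as TM was) ends up here.
            Write-Warning "${dc}: $dir is not reachable, no canary created"
            continue
        }
        $name = "canary-$dc-$stamp.txt"
        New-Item -Path (Join-Path $dir $name) -ItemType File | Out-Null
        $canary[$dc] = $name
    }
    if ($canary.Count -eq 0) { throw 'No canary file could be created on any DC.' }

    # 2. Poll until every DC holds every canary, or the timeout expires.
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $results = foreach ($target in $DomainController) {
            foreach ($source in $canary.Keys) {
                $path = "\\$target\SYSVOL\$DomainFqdn\Policies\$($canary[$source])"
                New-Object PSObject -Property @{
                    Source     = $source
                    Target     = $target
                    Replicated = (Test-Path -LiteralPath $path)
                }
            }
        }
        $pending = @($results | Where-Object { -not $_.Replicated })
        if ($pending.Count -eq 0) { break }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    # 3. Delete each canary on the DC where it was created; the delete replicates too.
    foreach ($source in $canary.Keys) {
        $origin = "\\$source\SYSVOL\$DomainFqdn\Policies\$($canary[$source])"
        Remove-Item -LiteralPath $origin -ErrorAction SilentlyContinue
    }

    # One row per source/target pair; Replicated = False marks a broken direction.
    $results | Select-Object Source, Target, Replicated
}

# Usage with placeholder names:
#   Test-SysvolCanary -DomainController DC1, DC2, DC3 -DomainFqdn 'example.local' |
#       Format-Table -AutoSize
```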

Author Comment

by: bcp_cnsllc
Already ran the GPOTool and did 3 new scripts created on each DC and saw replicate between the 3.

Expert Comment

by: Sandeshdubey
From the log it is clear that the sysvol/netlogon share is not available on the TM server. You can verify the same with the net share command. Check the sysvol folder: are the policies and script folders replicated or not? If they are not replicated you need to perform an authoritative and non-authoritative restore of the sysvol folder to fix the same.

Assuming you have two DCs. On the healthy DC run D4 (auth restore) and on the TM DC run D2 (non-auth restore). Essentially the "http://support.microsoft.com/kb/290762/" article.

Take the backup of policies and script folder from all DC and copy the same to alternate location before you proceed.