Solved

TWO AD 2003 whose sysvol Policies do not replicated correctly

Posted on 2014-01-14
7
302 Views
Last Modified: 2014-04-28
Hi,
I have 2 AD 2003 and the sysvol policies do not all replicate well.
One thing I have figured out was that I was missing one {CC2C2824-9480-4530-B4B3-45D5F505F450} on one of them but I guess if other policies are missing or incomplete that would explain why some users get a change password every 90 days and some don't!
How can I fix those replication problem.
tx!
0
Comment
Question by:philjans
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 40

Expert Comment

by:Adam Brown
ID: 39780526
Check your error logs on each Domain controller for errors. There are a lot of things that can break FRS, which handles replication. http://technet.microsoft.com/en-us/library/bb727056.aspx has a guide on troubleshooting if you are getting errors. http://support.microsoft.com/kb/272279 has some stuff you can try to fix the problem.
0
 
LVL 19

Expert Comment

by:helpfinder
ID: 39780572
check these commands:
repadmin /showrepl
dcdiag /test:replications

check results or if they generate some error logs
0
 
LVL 5

Accepted Solution

by:
alicain earned 250 total points
ID: 39780750
Hello philjans,

SYSVOL recoveries like this can take a considerable amount of effort to resolve and investing some time to first find the root cause of why they are not replicating before trying to fix it is time well spent.

Start by checking the event logs for NTFRS related errors and look to get them resolved.  Running Repadmin, DCDIAG and FRSUTIL on the DCs will also help identify issues.

Before making any configuration changes, it is prudent to take a backup of the policies and scripts folders on each DC before you start so you can go back and look where things where if needed.  Be very careful to take the copy at the policies/scripts level so that you DO NOT copy the junction points.

There were numerous hotfixes for NTFRS in the 2003 days, so ensuring they are at least at Service Pack 2 is wise.

Once the cause of the replication failures has been identified and resolved, you are going to need to identified which of the two domain controllers has the best SYSVOL, which will then be used to recover and reinitialise from.  Full details of the process can be found here :
http://support.microsoft.com/kb/290762  Using the BurFlags registry key to reinitialize File Replication Service replica sets.  If you go down this route and you have DFS-R in your environment, be sure to use the SYSVOL "replica set specific" key.

Regards,
Alastair.
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 26

Expert Comment

by:Leon Fester
ID: 39782001
sysvol policies do not all replicate well
Replication is one of the basic functions of AD so you should be more concerned about your overall AD health than just the sysvol not replicating.

Do a health check on your AD but running
dcdiag /e /v /f:dcdiag.txt and search the results for failures.

It could just be as simple as a missing DNS record or worse case scenario you could have some AD corruption.

You do have the option to force replication by performing setting the burflags for a non-authoritative  restore. Just make sure that you correctly identify which server has the most up to date information.
http://support.microsoft.com/kb/290762
0
 

Author Comment

by:philjans
ID: 39782497
It will take a couple of hours (or days) to go through all your recommendations but I am always fascinated about something, I have been using AD 2003 for more then 10 years and I gee AD is fragile and always have bugs it it and replication problems: we are talking about 10 little files to keep replicated from one folder to another one and that shouldn't be this hard. I will migrate 2003 to the latest one and I hope that since the decade and more AD have been out, they created something less maintenance intensive and more robust.
Thanks for all your inputs, I will proceed them.
0
 
LVL 5

Expert Comment

by:alicain
ID: 39782538
Hi Philhans,

You are probably correct, but I think it is fair to say that the AD Directory (NTDS) replication is very robust and tends to see considerable less issues than NTFRS, which still has its roots back in the early Windows NT days, much of it is now based on very old code.  Patched up-to-date it fails far less than it used to in Windows 2000/2003 with no service packs.  Its replacement with DFS-R in Windows 2008 is, as they say, a paradigm shift.

The other util that I should have mentioned it GPOTool, which you can run against each DC to help you determine which SYSVOL is in the best state as the basis of the recovery.

Regards,
Alastair.
0
 
LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 250 total points
ID: 39784606
we are talking about 10 little files to keep replicated from one folder to another one and that shouldn't be this hard.
Replication is not that hard...it's just very dependant on DNS working correctly.
While the average techie will look for servers based on A host and PTR records (A host and PTR records), Active Directory domain controllers uses SRV records to find the other DC's.

Most replication issues occur because of DNS issues.

DCDIAG is your primary tool for AD health checks and you can easily do this on a daily basis by scheduling the task to report errors on a daily basis.

DCDIAG /e /q /I /f:<logfile.txt>
/e - Tests all the servers in the enterprise.
/q - Quiet. Prints only error messages.
/i - Ignores superfluous error messages
/f - Redirects all output to a log file
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

739 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question