[Webinar] Streamline your web hosting managementRegister Today


TWO AD 2003 whose sysvol Policies do not replicated correctly

Posted on 2014-01-14
Medium Priority
Last Modified: 2014-04-28
I have 2 AD 2003 and the sysvol policies do not all replicate well.
One thing I have figured out was that I was missing one {CC2C2824-9480-4530-B4B3-45D5F505F450} on one of them but I guess if other policies are missing or incomplete that would explain why some users get a change password every 90 days and some don't!
How can I fix those replication problem.
Question by:philjans
LVL 44

Expert Comment

by:Adam Brown
ID: 39780526
Check your error logs on each Domain controller for errors. There are a lot of things that can break FRS, which handles replication. http://technet.microsoft.com/en-us/library/bb727056.aspx has a guide on troubleshooting if you are getting errors. http://support.microsoft.com/kb/272279 has some stuff you can try to fix the problem.
LVL 19

Expert Comment

ID: 39780572
check these commands:
repadmin /showrepl
dcdiag /test:replications

check results or if they generate some error logs

Accepted Solution

alicain earned 750 total points
ID: 39780750
Hello philjans,

SYSVOL recoveries like this can take a considerable amount of effort to resolve and investing some time to first find the root cause of why they are not replicating before trying to fix it is time well spent.

Start by checking the event logs for NTFRS related errors and look to get them resolved.  Running Repadmin, DCDIAG and FRSUTIL on the DCs will also help identify issues.

Before making any configuration changes, it is prudent to take a backup of the policies and scripts folders on each DC before you start so you can go back and look where things where if needed.  Be very careful to take the copy at the policies/scripts level so that you DO NOT copy the junction points.

There were numerous hotfixes for NTFRS in the 2003 days, so ensuring they are at least at Service Pack 2 is wise.

Once the cause of the replication failures has been identified and resolved, you are going to need to identified which of the two domain controllers has the best SYSVOL, which will then be used to recover and reinitialise from.  Full details of the process can be found here :
http://support.microsoft.com/kb/290762  Using the BurFlags registry key to reinitialize File Replication Service replica sets.  If you go down this route and you have DFS-R in your environment, be sure to use the SYSVOL "replica set specific" key.

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

LVL 26

Expert Comment

by:Leon Fester
ID: 39782001
sysvol policies do not all replicate well
Replication is one of the basic functions of AD so you should be more concerned about your overall AD health than just the sysvol not replicating.

Do a health check on your AD but running
dcdiag /e /v /f:dcdiag.txt and search the results for failures.

It could just be as simple as a missing DNS record or worse case scenario you could have some AD corruption.

You do have the option to force replication by performing setting the burflags for a non-authoritative  restore. Just make sure that you correctly identify which server has the most up to date information.

Author Comment

ID: 39782497
It will take a couple of hours (or days) to go through all your recommendations but I am always fascinated about something, I have been using AD 2003 for more then 10 years and I gee AD is fragile and always have bugs it it and replication problems: we are talking about 10 little files to keep replicated from one folder to another one and that shouldn't be this hard. I will migrate 2003 to the latest one and I hope that since the decade and more AD have been out, they created something less maintenance intensive and more robust.
Thanks for all your inputs, I will proceed them.

Expert Comment

ID: 39782538
Hi Philhans,

You are probably correct, but I think it is fair to say that the AD Directory (NTDS) replication is very robust and tends to see considerable less issues than NTFRS, which still has its roots back in the early Windows NT days, much of it is now based on very old code.  Patched up-to-date it fails far less than it used to in Windows 2000/2003 with no service packs.  Its replacement with DFS-R in Windows 2008 is, as they say, a paradigm shift.

The other util that I should have mentioned it GPOTool, which you can run against each DC to help you determine which SYSVOL is in the best state as the basis of the recovery.

LVL 26

Assisted Solution

by:Leon Fester
Leon Fester earned 750 total points
ID: 39784606
we are talking about 10 little files to keep replicated from one folder to another one and that shouldn't be this hard.
Replication is not that hard...it's just very dependant on DNS working correctly.
While the average techie will look for servers based on A host and PTR records (A host and PTR records), Active Directory domain controllers uses SRV records to find the other DC's.

Most replication issues occur because of DNS issues.

DCDIAG is your primary tool for AD health checks and you can easily do this on a daily basis by scheduling the task to report errors on a daily basis.

DCDIAG /e /q /I /f:<logfile.txt>
/e - Tests all the servers in the enterprise.
/q - Quiet. Prints only error messages.
/i - Ignores superfluous error messages
/f - Redirects all output to a log file

Featured Post

Easily manage email signatures in Office 365

Managing email signatures in Office 365 can be a challenging task if you don't have the right tool. CodeTwo Email Signatures for Office 365 will help you implement a unified email signature look, no matter what email client is used by users. Test it for free!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Let's recap what we learned from yesterday's Skyport Systems webinar.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

590 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question