Solved

Group Policies replication between Domain Controllers

Posted on 2014-02-19
4,474 Views
Last Modified: 2014-03-11
My Environment:
*Windows Server 2003 R2 and Windows Server 2008
*Windows Server 2003 Functional Level

When creating or modifying Group Policies on either Domain Controller, the GPO does not replicate to the other DC. As a temporary solution I have to copy the policy from the sysvol directory on the DC where it was created to the sysvol directory of my other DC.

Can someone guide me on how to resolve this?

Thanks
Question by:LuiLui77
11 Comments
 

Expert Comment

by:Mahesh
ID: 39871100
Is your AD replication working properly?
Have you checked by triggering replication manually in AD Sites and Services?
Can you please post the output of the commands below:
dcdiag /v
repadmin /showrepl
dcdiag /test:replications
dcdiag /test:netlogons

If there are DNS failures, you need to clear those first.
Check your DNS zones for correct NS records and host (A) records for the DCs.

Also run net share in cmd on both DCs; are you able to see the NETLOGON and SYSVOL folders?

Download FRSDiag from Microsoft; it's free.

Install it on PDC Emulator.

Create a file called FRSCANARYTEST.TXT in the \\domain\sysvol\domain path

(ex: \\contoso.com\sysvol\contoso.com\FRSCANARYTEST.txt).

Then run the propagation test from the tool.
Check the article below for step-by-step instructions:

http://blogs.technet.com/b/askds/archive/2008/05/22/verifying-file-replication-during-the-windows-server-2008-dfsr-sysvol-migration-down-and-dirty-style.aspx

If the test fails, check for FRS event ID 13568 (journal wrap) on both DCs.

If AD replication is working perfectly, you may try the workaround below to rectify the SYSVOL / GPO issue.
PLEASE TAKE AD SYSTEM STATE BACKUP BEFORE DOING BELOW OPERATION

http://support.microsoft.com/kb/290762 - Using the BurFlags registry key to reinitialize File Replication Service replica sets

High Level Steps
Authoritative Restore
Stop File Replication service on both Domain Controllers (IMP NOTE - I ASSUME THAT YOU ONLY HAVE TWO DOMAIN CONTROLLERS TOTAL IN DOMAIN. IF YOU HAVE MORE THAN TWO, YOU MUST STOP NTFRS SERVICE ON ALL DCS)
On PDC Server, Click Start, and then click Run.
In the Open box, type regedit and then press ENTER.
Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
In the right pane, double click BurFlags.
In the Edit DWORD Value dialog box, type D4 and then click OK.
Quit Registry Editor, and then switch to the Command box.
In the Command box, type net start ntfrs.
Quit the Command box.

When the FRS service is restarted, the following actions occur:
• The value of the BurFlags registry key is set back to 0.
• An event 13566 is logged to signal that an authoritative restore is started.
• Files in the reinitialized FRS replicated directories remain unchanged and become authoritative on direct replication. Additionally, the files become indirect replication partners through transitive replication.
• The FRS database is rebuilt based on the current file inventory.
• When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.

Non Authoritative Restore
Now go to another DC and follow below steps
Note that File replication service is already stopped above
Click Start, and then click Run.
In the Open box, type regedit and then press ENTER.
Locate the following subkey in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

In the right pane, double-click BurFlags.
In the Edit DWORD Value dialog box, type D2 and then click OK.
Quit Registry Editor, and then switch to the Command box.
In the Command box, type net start ntfrs.
Quit the Command box.

When the FRS service restarts, the following actions occur:
• The value of the BurFlags registry key returns to 0.
• Files in the reinitialized FRS folders are moved to a Pre-existing folder.
• An event 13565 is logged to signal that a non-authoritative restore is started.
• The FRS database is rebuilt.
• The member performs an initial join of the replica set from an upstream partner or from the computer that is specified in the Replica Set Parent registry key if a parent has been specified for SYSVOL replica sets.
• The reinitialized computer runs a full replication of the affected replica sets when the relevant replication schedule begins.
• When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.

NON AUTHORITATIVE RESTORE NEEDS TO BE DONE ON EVERY DOMAIN CONTROLLER IN DOMAIN

NOW CHECK IF SYSVOL REPLICATION IS WORKING PROPERLY BY CREATING NEW GPO

Mahesh
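The checks Mahesh lists above (net share on each DC, the FRS service state, event 13568 / 13508 / 13516 in the FRS event log, and the FRSCANARYTEST.txt propagation test) can be scripted so they are run the same way on every DC. The following PowerShell is an added example written for this page, not code from the thread or from FRSDiag. It assumes PowerShell 2.0 or later on a management host with Domain Admin rights and SMB plus RPC reachability to each DC; the DC names DC1 and DC-V1 and the domain contoso.com are placeholders, not the asker's real environment.

```powershell
# Added example (not from the thread). Run from a management host with PowerShell 2.0+
# and Domain Admin rights; every DC must be reachable over SMB and RPC (remote event log).
# DC names and the domain FQDN below are placeholders, not the asker's real environment.
param(
    [string[]]$DomainControllers = @('DC1', 'DC-V1'),
    [string]$DomainFqdn = 'contoso.com',
    [string]$SourceDc = 'DC1',          # DC to write the canary on (use the PDC emulator)
    [int]$WaitSeconds = 300
)

# FRS event IDs that came up in the thread and what each one means
$frsEvents = @{
    13508 = 'cannot replicate with partner (benign only if followed by 13509)'
    13509 = 'replication with partner re-established'
    13516 = 'SYSVOL initialized and ready to share - FRS operational'
    13565 = 'non-authoritative restore (BurFlags D2) started'
    13566 = 'authoritative restore (BurFlags D4) started'
    13568 = 'JRNL_WRAP_ERROR - replica set must be reinitialized'
}

foreach ($dc in $DomainControllers) {
    Write-Host "== $dc =="

    # 1. Same check as 'net share' in the thread: are SYSVOL and NETLOGON published?
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $state = $(if (Test-Path "\\$dc\$share") { 'shared' } else { 'MISSING' })
        Write-Host ("  {0,-8} share : {1}" -f $share, $state)
    }

    # 2. Is the File Replication Service (NtFrs) actually running?
    $svc = Get-Service -ComputerName $dc -Name NtFrs -ErrorAction SilentlyContinue
    $svcState = $(if ($svc) { $svc.Status } else { 'service not found' })
    Write-Host "  NtFrs          : $svcState"

    # 3. Most recent occurrence of each diagnostic event in the FRS log
    $log = Get-EventLog -ComputerName $dc -LogName 'File Replication Service' -Newest 2000 -ErrorAction SilentlyContinue
    foreach ($id in ($frsEvents.Keys | Sort-Object)) {
        $last = $log | Where-Object { $_.EventID -eq $id } | Select-Object -First 1
        if ($last) {
            Write-Host ("  {0} last {1:yyyy-MM-dd HH:mm}  {2}" -f $id, $last.TimeGenerated, $frsEvents[$id])
        }
    }
}

# 4. Canary propagation test (manual equivalent of the FRSDiag test Mahesh describes).
#    Write a uniquely stamped file into one DC's SYSVOL and wait for it to appear on the others.
$canary = "\\$SourceDc\SYSVOL\$DomainFqdn\FRSCANARYTEST.txt"
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
Set-Content -Path $canary -Value "canary $stamp written via $SourceDc"

$deadline = (Get-Date).AddSeconds($WaitSeconds)
$pending  = @($DomainControllers | Where-Object { $_ -ne $SourceDc })
while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
    $pending = @($pending | Where-Object {
        $copy = "\\$_\SYSVOL\$DomainFqdn\FRSCANARYTEST.txt"
        -not ((Test-Path $copy) -and ((Get-Content $copy) -match $stamp))
    })
}
if ($pending.Count -eq 0) {
    Write-Host "Canary replicated to every DC within $WaitSeconds s - FRS is healthy."
} else {
    Write-Warning "Canary never reached: $($pending -join ', '). Check those DCs for 13568 (journal wrap) or 13508."
}
Remove-Item -Path $canary -ErrorAction SilentlyContinue   # the deletion replicates too
```

The canary is written to a specific DC rather than to \\contoso.com\sysvol so that the test actually crosses FRS; the domain-based path is a DFS referral and could land on any DC. A 13508 that is never followed by 13509, or any 13568, on the DC that misses the canary is the same signal the asker eventually found in the remote DC's log.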

Expert Comment

by:Nick Sui
ID: 39872717
Check out this Tip written by me:
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsServer2008/AdminTips/Admin/AQuickTipToMakeSureFRSIsWorkingInADomain.html

If not then find out the reason as to why it is not working!

Sys.
 

Author Comment

by:LuiLui77
ID: 39874254
Does FRS need to be configured manually on the DCs, or is it configured automatically when you promote a server?

Is there a possibility that FRS is simply not configured? Asking because I cannot see any FRS configured on the Domain Controllers.

Expert Comment

by:Mahesh
ID: 39874671
FRS is configured by default on Windows 2003 domain controllers, and on 2008 DCs coexisting with 2003.

Go to services.msc and check if you can locate the File Replication Service there.

Just run net share from a command prompt and check if you are able to see the NETLOGON and SYSVOL folders on the server.

Mahesh

Expert Comment

by:Nick Sui
ID: 39876523
Did you follow the link above for verifying FRS replication?

>>>Is there a possibility that FRS is simply not configured? Asking because I cannot see any FRS configured on the Domain Controllers.

That cannot be the case! How are you checking the FRS configuration on the domain controllers?

I would expect you to follow the link I gave to see if FRS is working or not, and then follow this link to further troubleshoot issues with FRS:
http://technet.microsoft.com/en-us/library/bb727056.aspx

HTH
Sys.
 

Author Comment

by:LuiLui77
ID: 39882991
These were my troubleshooting steps (as recommended) and findings:

- I created a txt file in the Scripts folder of SYSVOL on each DC to see if it would replicate to every DC. They are not replicating.
- I ran the "net share" command on both DCs and NETLOGON and SYSVOL are shared.
- I have confirmed that FRS is running on both DCs.
- I found consecutive FRS event 13508 entries on my primary DC, logged for years. From my primary DC I ran "ntfrsutl ver <remote dc>" to check and verify that FRS was working properly on the remote DC. I could connect to the remote FRS w/o errors.
- I checked the FRS events on the remote DC. I found event 13568 multiple times over a couple of years, preceded by event 13501, which is "The File Replication Service is starting". Event 13568 displays the following:

"The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
 
 Replica set name is    : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 Replica root path is   : "c:\windows\sysvol\domain"
 Replica root volume is : "\\.\C:"
 A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found.  This can occur because of one of the following reasons.
 
 [1] Volume "\\.\C:" has been formatted.
 [2] The NTFS USN journal on volume "\\.\C:" has been deleted.
 [3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
 [4] File Replication Service was not running on this computer for a long time.
 [5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
 Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
 [1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
 [2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.
 
WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.
 
To change this registry parameter, run regedit.
 
Click on Start, Run and type regedit."

The last events before the first 13568 were 13516 and 13501:

Event 13516:
"The File Replication Service is no longer preventing the computer DC-V1 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type "net share" to check for the SYSVOL share."

The event 13568 clearly states the recovery process to restore the Journal Wrap, which is done by modifying a registry key.

Should I go ahead with this Journal Wrap recovery process?

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 39883473
This is what I suspected in your case. Your SYSVOL is in journal wrap.
First of all, let me know if event ID 13568 is logged on both DCs or only on the remote DC.

If it is logged on the remote DC only, you must do a non-authoritative restore on the remote DC.
Check my comment on the non-authoritative restore, or refer to the non-authoritative restore section in the article http://support.microsoft.com/kb/290762 - Using the BurFlags registry key to reinitialize File Replication Service replica sets

If it is logged on both DCs, you must follow the authoritative restore on the PDC and the non-authoritative restore on the remote DC as stated in my very first comment. Just follow the instructions accurately to avoid misconfiguration.
The same is stated in the above article as well.

Mahesh
 

Author Comment

by:LuiLui77
ID: 39884007
Event ID 13568 appears only on the remote DC. (When I say remote DC, I mean another DC in the same site, not holding any FSMO roles.)

Will this procedure have any impact on my environment? Asking just to see if I can do this during operating hours.

What does it mean that my SYSVOL is in journal wrap?

Expert Comment

by:Nick Sui
ID: 39884670
>>>What does it means that my sysvol is in journal wrap?

The NTFS journal (which is about 512 MB in size) is in a bad state. There is a table in the OS which keeps details about the replication change orders to be replicated to other DCs. This DC, or the DCs in journal wrap, have lost control over the tracked changes and now cannot determine the starting point for replication, so FRS stops.

>>>Will this procedure cause any impact on my environment? asking just to see if I can do this in operation hours.

Depends on the SYSVOL and NETLOGON size. Are they large in size? If yes, I would expect you to perform these steps in non-business hours.

HTH
Sys.

Expert Comment

by:Mahesh
ID: 39884817
When you perform a non-authoritative restore of SYSVOL on the DC where you see event ID 13568, the moment you enter the registry key and start the File Replication (NTFRS) service, your SYSVOL and NETLOGON shares will vanish from that DC.
Then it will get rebuilt and freshly copied from the other DC.

Since this is in the same site / same subnet, it will not take more than 10 minutes to complete the operation.

I believe your SYSVOL size is at most 100 MB, for which it will take much less time
(5 minutes). You may proceed at lunch time.

Once you have followed the method mentioned in the article, after a few minutes you will find event ID 13516 in the FRS event log on the DC, and that's all.
Then just run the net share command on the DC through cmd and check if SYSVOL and NETLOGON are shared again.

Then try to create new GPOs and check if they replicate to each other.

Mahesh
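The accepted fix (a BurFlags D2 non-authoritative reinitialization on the one DC logging 13568, with D4 reserved for a single known-good DC after NtFrs has been stopped everywhere) is a short but unforgiving registry-and-service sequence, and Mahesh's last comment tells you what to wait for afterwards: event 13516 and the SYSVOL/NETLOGON shares coming back. The PowerShell below is an added example written for this page, not the thread's or KB 290762's own code. It assumes PowerShell 2.0 or later on the DC itself, that SYSVOL is still replicated by FRS (no DFSR migration), that a System State backup was taken first, and that for D4 the operator has already stopped NtFrs on every other DC. One practical point it handles: the key name Backup/Restore contains a forward slash, which the HKLM: provider treats as a path separator, so the value is written through the .NET registry API rather than Set-ItemProperty.

```powershell
# Added example (not from the thread). Run elevated, locally on the DC being reinitialized,
# with PowerShell 2.0+ installed there. Assumes SYSVOL is still replicated by FRS (NtFrs),
# that you took a System State backup first, and that for D4 you have already stopped NtFrs
# on every other DC in the domain. D2 = non-authoritative (the accepted fix for the one DC
# logging 13568); D4 = authoritative, on exactly one DC whose SYSVOL is known good.
param(
    [ValidateSet('D2', 'D4')]
    [string]$BurFlags = 'D2',
    [int]$TimeoutMinutes = 30
)

# The key name contains a literal '/', which the HKLM: provider treats as a path separator,
# so use the .NET registry API instead of Set-ItemProperty.
$subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

if ($BurFlags -eq 'D4') {
    Write-Warning 'D4 makes THIS DC the authoritative SYSVOL source; every other DC must then be reinitialized with D2.'
    if ((Read-Host 'Type YES to confirm NtFrs is stopped on all other DCs') -ne 'YES') { exit 1 }
}

$reg = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
if (-not $reg) { throw "HKLM\$subKey not found - is SYSVOL still on FRS?" }
Write-Host ("Current BurFlags: 0x{0:X}" -f [int]$reg.GetValue('BurFlags', 0))
$startMark = Get-Date

# 1. Stop FRS. From here until 13516, this DC publishes no SYSVOL/NETLOGON share.
Stop-Service -Name NtFrs -Force
(Get-Service -Name NtFrs).WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))

# 2. Set BurFlags as a DWORD: 0xD2 = 210 (non-authoritative), 0xD4 = 212 (authoritative)
$reg.SetValue('BurFlags', [Convert]::ToInt32($BurFlags, 16), [Microsoft.Win32.RegistryValueKind]::DWord)
$reg.Close()

# 3. Start FRS. It resets BurFlags to 0 and logs 13565 (D2) or 13566 (D4).
Start-Service -Name NtFrs

# 4. Wait for a 13516 logged after our restart: SYSVOL rebuilt and handed back to Netlogon.
$deadline = $startMark.AddMinutes($TimeoutMinutes)
$ready = $null
while (-not $ready -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 30
    $ready = Get-EventLog -LogName 'File Replication Service' -After $startMark -ErrorAction SilentlyContinue |
             Where-Object { $_.EventID -eq 13516 } | Select-Object -First 1
}

if ($ready) {
    Write-Host "13516 logged at $($ready.TimeGenerated): FRS is operational again."
    foreach ($share in 'SYSVOL', 'NETLOGON') {      # same check as 'net share'
        $state = $(if (Test-Path "\\$env:COMPUTERNAME\$share") { 'shared' } else { 'NOT SHARED' })
        Write-Host ("  {0,-8}: {1}" -f $share, $state)
    }
    if ($BurFlags -eq 'D2') {
        Write-Host "Old content was moved to $env:SystemRoot\SYSVOL\domain\NtFrs_PreExisting___See_EventLog; delete it once GPOs replicate."
    }
} else {
    Write-Warning "No 13516 within $TimeoutMinutes min. Re-check the FRS log: another 13568 means the journal wrapped again; 13508 means the upstream partner is unreachable."
}
```

Run it with no arguments on the remote DC for the D2 case discussed in this thread. The D4 path deliberately stops at a prompt because the script cannot stop NtFrs on the other DCs itself (Server 2003 has no PowerShell remoting); starting an authoritative DC while another DC's FRS is still running is exactly the misconfiguration the KB article warns about.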
 

Author Closing Comment

by:LuiLui77
ID: 39921899
Worked Marvelously, Thank you Mahesh