Solved

Replaced DC with 2012R2, sysvol share not created!

Posted on 2014-03-05
Last Modified: 2014-03-10
So I had a 2003 domain controller that I did a planned replacement of. I demoted it, renamed it, changed its IP. Its original name is RENOHEALTH, and my other two DCs are RENOMAIN and DCIMAGE.

Had a new 2012 server, renamed it to RENOHEALTH, set it to the original IP, installed directory services. AD seems to look OK, ADSS shows replication between my 3 DCs. But I get strange errors in the event logs, and the sysvol share isn't showing up. Tried so many things in the last few hours, I'm brain fried but have users coming in tomorrow morning.

Here are the results of the dcdiag /v:
Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   * Verifying that the local machine renohealth, is a Directory Server. 
   Home Server = renohealth

   * Connecting to directory service on server renohealth.

   * Identified AD Forest. 
   Collecting AD specific global data 
   * Collecting site info.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=renogov,DC=com,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
   The previous call succeeded 
   Iterating through the sites 
   Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com
   Getting ISTG and options for the site
   * Identifying all servers.

   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=renogov,DC=com,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
   The previous call succeeded....
   The previous call succeeded
   Iterating through the list of servers 
   Getting information for the server CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=DCIMAGE,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=RENOHEALTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com 
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.

   * Found 3 DC(s). Testing 1 of them.

   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\RENOHEALTH

      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity 
         * Active Directory RPC Services Check
         ......................... RENOHEALTH passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\RENOHEALTH

      Starting test: Advertising

         Warning: DsGetDcName returned information for \\DCIMAGE.renogov.com, when we were trying to reach RENOHEALTH.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... RENOHEALTH failed test Advertising

      Test omitted by user request: CheckSecurityError

      Test omitted by user request: CutoffServers

      Starting test: FrsEvent

         * The File Replication Service Event log test 
         ......................... RENOHEALTH passed test FrsEvent

      Starting test: DFSREvent

         The DFS Replication Event Log. 
         Skip the test because the server is running FRS.

         ......................... RENOHEALTH passed test DFSREvent

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test 
         The registry lookup failed to determine the state of the SYSVOL.  The error returned  was 0x0

         "The operation completed successfully.".  Check the FRS event log to see if the SYSVOL has successfully been

         shared. 
         ......................... RENOHEALTH passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... RENOHEALTH passed test KccEvent

      Starting test: KnowsOfRoleHolders

         Role Schema Owner = CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com
         ......................... RENOHEALTH passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         Checking machine account for DC RENOHEALTH on DC RENOHEALTH.
         * SPN found :LDAP/renohealth.renogov.com/renogov.com
         * SPN found :LDAP/renohealth.renogov.com
         * SPN found :LDAP/RENOHEALTH
         * SPN found :LDAP/renohealth.renogov.com/RENOGOV
         * SPN found :LDAP/a80b988d-1815-4b48-9f8f-69b6d762a43b._msdcs.renogov.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/a80b988d-1815-4b48-9f8f-69b6d762a43b/renogov.com
         * SPN found :HOST/renohealth.renogov.com/renogov.com
         * SPN found :HOST/renohealth.renogov.com
         * SPN found :HOST/RENOHEALTH
         * SPN found :HOST/renohealth.renogov.com/RENOGOV
         * SPN found :GC/renohealth.renogov.com/renogov.com
         ......................... RENOHEALTH passed test MachineAccount

      Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC RENOHEALTH.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=renogov,DC=com
            (NDNC,Version 3)
         * Security Permissions Check for

           DC=DomainDnsZones,DC=renogov,DC=com
            (NDNC,Version 3)
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=renogov,DC=com
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=renogov,DC=com
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=renogov,DC=com
            (Domain,Version 3)
         ......................... RENOHEALTH passed test NCSecDesc

      Starting test: NetLogons

         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\RENOHEALTH\netlogon)

         [RENOHEALTH] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..

         ......................... RENOHEALTH failed test NetLogons

      Starting test: ObjectsReplicated

         RENOHEALTH is in domain DC=renogov,DC=com
         Checking for CN=RENOHEALTH,OU=Domain Controllers,DC=renogov,DC=com in domain DC=renogov,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=RENOHEALTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com in domain CN=Configuration,DC=renogov,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... RENOHEALTH passed test ObjectsReplicated

      Test omitted by user request: OutboundSecureChannels

      Starting test: Replications

         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=renogov,DC=com
               Latency information for 15 entries in the vector were ignored.
                  15 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=renogov,DC=com
               Latency information for 15 entries in the vector were ignored.
                  15 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=renogov,DC=com
               Latency information for 15 entries in the vector were ignored.
                  15 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=renogov,DC=com
               Latency information for 15 entries in the vector were ignored.
                  15 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=renogov,DC=com
               Latency information for 15 entries in the vector were ignored.
                  15 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... RENOHEALTH passed test Replications

      Starting test: RidManager

         * Available RID Pool for the Domain is 12103 to 1073741823
         * RENOMAIN.renogov.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 11603 to 12102
         * rIDPreviousAllocationPool is 11603 to 12102
         * rIDNextRID: 11603
         ......................... RENOHEALTH passed test RidManager

      Starting test: Services

         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ......................... RENOHEALTH passed test Services

      Starting test: SystemLog

         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ......................... RENOHEALTH passed test SystemLog

      Test omitted by user request: Topology

      Test omitted by user request: VerifyEnterpriseReferences

      Starting test: VerifyReferences

         The system object reference (serverReference) CN=RENOHEALTH,OU=Domain Controllers,DC=renogov,DC=com and

         backlink on CN=RENOHEALTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com

         are correct. 
         The system object reference (serverReferenceBL)

         CN=RENOHEALTH,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=renogov,DC=com

         and backlink on

         CN=NTDS Settings,CN=RENOHEALTH,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com

         are correct. 
         The system object reference (frsComputerReferenceBL)

         CN=RENOHEALTH,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=renogov,DC=com

         and backlink on CN=RENOHEALTH,OU=Domain Controllers,DC=renogov,DC=com are correct. 
         ......................... RENOHEALTH passed test VerifyReferences

      Test omitted by user request: VerifyReplicas

   
      Test omitted by user request: DNS

      Test omitted by user request: DNS

   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : renogov

      Starting test: CheckSDRefDom

         ......................... renogov passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... renogov passed test CrossRefValidation

   
   Running enterprise tests on : renogov.com

      Test omitted by user request: DNS

      Test omitted by user request: DNS

      Starting test: LocatorCheck

         GC Name: \\DCIMAGE.renogov.com

         Locator Flags: 0xe00033fc
         PDC Name: \\RENOMAIN.renogov.com
         Locator Flags: 0xe00031bd
         Time Server Name: \\DCIMAGE.renogov.com
         Locator Flags: 0xe00033fc
         Preferred Time Server Name: \\DCIMAGE.renogov.com
         Locator Flags: 0xe00033fc
         KDC Name: \\DCIMAGE.renogov.com
         Locator Flags: 0xe00033fc
         ......................... renogov.com passed test LocatorCheck

      Starting test: Intersite

         Skipping site Default-First-Site-Name, this site is outside the scope provided by the command line arguments

         provided. 
         ......................... renogov.com passed test Intersite




Here are the results of repadmin /showrepl :

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\RENOHEALTH
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a80b988d-1815-4b48-9f8f-69b6d762a43b
DSA invocationID: 351e7bf4-fa83-46c3-87fe-0b5a43851aba

==== INBOUND NEIGHBORS ======================================

DC=renogov,DC=com
    Default-First-Site-Name\RENOMAIN via RPC
        DSA object GUID: 58a8e065-4dc2-4f76-9a54-8873386843be
        Last attempt @ 2014-03-05 23:47:08 was successful.
    Default-First-Site-Name\DCIMAGE via RPC
        DSA object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-05 23:47:15 was successful.

CN=Configuration,DC=renogov,DC=com
    Default-First-Site-Name\RENOMAIN via RPC
        DSA object GUID: 58a8e065-4dc2-4f76-9a54-8873386843be
        Last attempt @ 2014-03-05 23:09:34 was successful.
    Default-First-Site-Name\DCIMAGE via RPC
        DSA object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-05 23:09:39 was successful.

CN=Schema,CN=Configuration,DC=renogov,DC=com
    Default-First-Site-Name\RENOMAIN via RPC
        DSA object GUID: 58a8e065-4dc2-4f76-9a54-8873386843be
        Last attempt @ 2014-03-05 23:09:34 was successful.
    Default-First-Site-Name\DCIMAGE via RPC
        DSA object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-05 23:09:39 was successful.

DC=DomainDnsZones,DC=renogov,DC=com
    Default-First-Site-Name\DCIMAGE via RPC
        DSA object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-05 23:44:06 was successful.
    Default-First-Site-Name\RENOMAIN via RPC
        DSA object GUID: 58a8e065-4dc2-4f76-9a54-8873386843be
        Last attempt @ 2014-03-05 23:47:14 was successful.

DC=ForestDnsZones,DC=renogov,DC=com
    Default-First-Site-Name\RENOMAIN via RPC
        DSA object GUID: 58a8e065-4dc2-4f76-9a54-8873386843be
        Last attempt @ 2014-03-05 23:09:34 was successful.
    Default-First-Site-Name\DCIMAGE via RPC
        DSA object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-05 23:09:39 was successful.

Question by:hutch_ks_itguy
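
A triage pass over the `dcdiag /v` output in the question, as an added example that is not part of the original post: it lists the failed tests and also flags tests that report `passed` while their detail lines describe a failure, as SysVolCheck does above. The sample text is an excerpt of the posted output; the function names and the list of suspect phrases are assumptions of this example, not anything dcdiag defines.

```python
import re

# "Starting test: NetLogons"
START = re.compile(r"^Starting test:\s+(\S+)$")
# "......................... RENOHEALTH failed test NetLogons"
VERDICT = re.compile(r"^\.{5,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)$")
# Phrases treated as trouble inside a test body (assumed list for this example).
# "error" is left out on purpose: "Found no KCC errors" would match it.
SUSPECT = re.compile(
    r"\b(failed|unable to|not responding|cannot be found|warning)\b",
    re.IGNORECASE,
)

# Excerpt of the RENOHEALTH output posted above (test order shortened).
SAMPLE = r"""
      Starting test: Connectivity

         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ......................... RENOHEALTH passed test Connectivity

      Starting test: Advertising

         Warning: DsGetDcName returned information for \\DCIMAGE.renogov.com, when we were trying to reach RENOHEALTH.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... RENOHEALTH failed test Advertising

      Starting test: SysVolCheck

         * The File Replication Service SYSVOL ready test
         The registry lookup failed to determine the state of the SYSVOL.  The error returned  was 0x0

         "The operation completed successfully.".  Check the FRS event log to see if the SYSVOL has successfully been

         shared.
         ......................... RENOHEALTH passed test SysVolCheck

      Starting test: KccEvent

         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ......................... RENOHEALTH passed test KccEvent

      Starting test: NetLogons

         * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\RENOHEALTH\netlogon)

         [RENOHEALTH] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..

         ......................... RENOHEALTH failed test NetLogons
"""


def parse_dcdiag(text):
    """Split dcdiag /v output into one record per test, keeping detail lines."""
    results, current, details = [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue  # dcdiag pads wrapped messages with blank lines
        started = START.match(line)
        if started:
            current, details = started.group(1), []
            continue
        verdict = VERDICT.match(line)
        if verdict and current is not None:
            target, outcome, test = verdict.groups()
            results.append(
                {"target": target, "test": test, "verdict": outcome, "details": details}
            )
            current, details = None, []
            continue
        if current is not None:
            details.append(line)
    return results


def triage(results):
    """Return (failed tests, tests that passed but whose details look like a failure)."""
    failed = [r for r in results if r["verdict"] == "failed"]
    masked = [
        r
        for r in results
        if r["verdict"] == "passed" and any(SUSPECT.search(d) for d in r["details"])
    ]
    return failed, masked


if __name__ == "__main__":
    failed, masked = triage(parse_dcdiag(SAMPLE))
    for r in failed:
        print(f"FAILED  {r['target']} {r['test']}")
        for d in r["details"]:
            print(f"        {d}")
    for r in masked:
        print(f"REVIEW  {r['target']} {r['test']} (reported as passed)")
        for d in r["details"]:
            print(f"        {d}")
```

Saved output from `dcdiag /v` on each DC can be passed to `parse_dcdiag` in place of `SAMPLE` to compare controllers side by side.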
40 Comments
 

Author Comment

by:hutch_ks_itguy
ID: 39908451
Also here are the same results from an existing Server 2008R2 DC named RENOMAIN

dcdiag /v:


Domain Controller Diagnosis

Performing initial setup:
   * Verifying that the local machine RENOMAIN, is a DC. 
   * Connecting to directory service on server RENOMAIN.
   * Collecting site info.
   * Identifying all servers.
   * Identifying all NC cross-refs.
   * Found 3 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
   
   Testing server: Default-First-Site-Name\RENOMAIN
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         * Active Directory RPC Services Check
         ......................... RENOMAIN passed test Connectivity

Doing primary tests
   
   Testing server: Default-First-Site-Name\RENOMAIN
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=renogov,DC=com
               Latency information for 15 entries in the vector were ignored.
                  15 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=DomainDnsZones,DC=renogov,DC=com
               Latency information for 15 entries in the vector were ignored.
                  15 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Schema,CN=Configuration,DC=renogov,DC=com
               Latency information for 15 entries in the vector were ignored.
                  15 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            CN=Configuration,DC=renogov,DC=com
               Latency information for 15 entries in the vector were ignored.
                  15 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
            DC=renogov,DC=com
               Latency information for 15 entries in the vector were ignored.
                  15 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC).  
         ......................... RENOMAIN passed test Replications
      Test omitted by user request: Topology
      Test omitted by user request: CutoffServers
      Starting test: NCSecDesc
         * Security Permissions check for all NC's on DC RENOMAIN.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=renogov,DC=com
            (NDNC,Version 2)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=renogov,DC=com
            (NDNC,Version 2)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=renogov,DC=com
            (Schema,Version 2)
         * Security Permissions Check for
           CN=Configuration,DC=renogov,DC=com
            (Configuration,Version 2)
         * Security Permissions Check for
           DC=renogov,DC=com
            (Domain,Version 2)
         ......................... RENOMAIN passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\RENOMAIN\netlogon
         Verified share \\RENOMAIN\sysvol
         ......................... RENOMAIN passed test NetLogons
      Starting test: Advertising
         The DC RENOMAIN is advertising itself as a DC and having a DS.
         The DC RENOMAIN is advertising as an LDAP server
         The DC RENOMAIN is advertising as having a writeable directory
         The DC RENOMAIN is advertising as a Key Distribution Center
         Warning: RENOMAIN is not advertising as a time server.
         The DS RENOMAIN is advertising as a GC.
         ......................... RENOMAIN failed test Advertising
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com
         Role Domain Owner = CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com
         Role PDC Owner = CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com
         Role Rid Owner = CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com
         ......................... RENOMAIN passed test KnowsOfRoleHolders
      Starting test: RidManager
         * Available RID Pool for the Domain is 12103 to 1073741823
         * RENOMAIN.renogov.com is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 9603 to 10102
         * rIDPreviousAllocationPool is 9603 to 10102
         * rIDNextRID: 9619
         ......................... RENOMAIN passed test RidManager
      Starting test: MachineAccount
         Checking machine account for DC RENOMAIN on DC RENOMAIN.
         * SPN found :LDAP/RENOMAIN.renogov.com/renogov.com
         * SPN found :LDAP/RENOMAIN.renogov.com
         * SPN found :LDAP/RENOMAIN
         * SPN found :LDAP/RENOMAIN.renogov.com/RENOGOV
         * SPN found :LDAP/58a8e065-4dc2-4f76-9a54-8873386843be._msdcs.renogov.com
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/58a8e065-4dc2-4f76-9a54-8873386843be/renogov.com
         * SPN found :HOST/RENOMAIN.renogov.com/renogov.com
         * SPN found :HOST/RENOMAIN.renogov.com
         * SPN found :HOST/RENOMAIN
         * SPN found :HOST/RENOMAIN.renogov.com/RENOGOV
         * SPN found :GC/RENOMAIN.renogov.com/renogov.com
         ......................... RENOMAIN passed test MachineAccount
      Starting test: Services
         * Checking Service: Dnscache
         * Checking Service: NtFrs
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: RpcSs
         * Checking Service: w32time
            Could not open w32time Service on [RENOMAIN]:failed with 1060: The specified service does not exist as an installed service.
         * Checking Service: NETLOGON
         ......................... RENOMAIN failed test Services
      Test omitted by user request: OutboundSecureChannels
      Starting test: ObjectsReplicated
         RENOMAIN is in domain DC=renogov,DC=com
         Checking for CN=RENOMAIN,OU=Domain Controllers,DC=renogov,DC=com in domain DC=renogov,DC=com on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com in domain CN=Configuration,DC=renogov,DC=com on 1 servers
            Object is up-to-date on all servers.
         ......................... RENOMAIN passed test ObjectsReplicated
      Starting test: frssysvol
         * The File Replication Service SYSVOL ready test 
         File Replication Service's SYSVOL is ready 
         ......................... RENOMAIN passed test frssysvol
      Starting test: frsevent
         * The File Replication Service Event log test 
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         An Error Event occured.  EventID: 0xC0003500
            Time Generated: 03/05/2014   22:25:31
            (Event String could not be retrieved)
         ......................... RENOMAIN failed test frsevent
      Starting test: kccevent
         * The KCC Event log test
         Found no KCC errors in Directory Service Event log in the last 15 minutes.
         ......................... RENOMAIN passed test kccevent
      Starting test: systemlog
         * The System Event log test
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/05/2014   22:55:22
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/05/2014   22:55:23
            (Event String could not be retrieved)
         ......................... RENOMAIN failed test systemlog
      Test omitted by user request: VerifyReplicas
      Starting test: VerifyReferences
         The system object reference (serverReference)

         CN=RENOMAIN,OU=Domain Controllers,DC=renogov,DC=com and backlink on

         CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com

         are correct. 
         The system object reference (frsComputerReferenceBL)

         CN=RENOMAIN,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=renogov,DC=com

         and backlink on CN=RENOMAIN,OU=Domain Controllers,DC=renogov,DC=com

         are correct. 
         The system object reference (serverReferenceBL)

         CN=RENOMAIN,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=renogov,DC=com

         and backlink on

         CN=NTDS Settings,CN=RENOMAIN,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=renogov,DC=com

         are correct. 
         ......................... RENOMAIN passed test VerifyReferences
      Test omitted by user request: VerifyEnterpriseReferences
      Test omitted by user request: CheckSecurityError
   
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
   
   Running partition tests on : DomainDnsZones
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
   
   Running partition tests on : Schema
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
   
   Running partition tests on : Configuration
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
   
   Running partition tests on : renogov
      Starting test: CrossRefValidation
         ......................... renogov passed test CrossRefValidation
      Starting test: CheckSDRefDom
         ......................... renogov passed test CheckSDRefDom
   
   Running enterprise tests on : renogov.com
      Starting test: Intersite
         Skipping site Default-First-Site-Name, this site is outside the scope

         provided by the command line arguments provided. 
         ......................... renogov.com passed test Intersite
      Starting test: FsmoCheck
         GC Name: \\RENOMAIN.renogov.com
         Locator Flags: 0xe00031bd
         PDC Name: \\RENOMAIN.renogov.com
         Locator Flags: 0xe00031bd
         Time Server Name: \\DCIMAGE.renogov.com
         Locator Flags: 0xe00033fc
         Preferred Time Server Name: \\DCIMAGE.renogov.com
         Locator Flags: 0xe00033fc
         KDC Name: \\RENOMAIN.renogov.com
         Locator Flags: 0xe00031bd
         ......................... renogov.com passed test FsmoCheck
      Test omitted by user request: DNS
      Test omitted by user request: DNS


Here are the results from repadmin /showrepl :



repadmin running command /showrepl against server localhost

Default-First-Site-Name\RENOMAIN
DC Options: IS_GC
Site Options: (none)
DC object GUID: 58a8e065-4dc2-4f76-9a54-8873386843be
DC invocationID: 60b1355c-c7f4-4dd1-a3dd-67a0d21202a3

==== INBOUND NEIGHBORS ======================================

DC=renogov,DC=com
    Default-First-Site-Name\DCIMAGE via RPC
        DC object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-05 23:56:24 was successful.
    Default-First-Site-Name\RENOHEALTH via RPC
        DC object GUID: a80b988d-1815-4b48-9f8f-69b6d762a43b
        Last attempt @ 2014-03-05 23:56:26 was successful.

CN=Configuration,DC=renogov,DC=com
    Default-First-Site-Name\DCIMAGE via RPC
        DC object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-05 23:51:00 was successful.
    Default-First-Site-Name\RENOHEALTH via RPC
        DC object GUID: a80b988d-1815-4b48-9f8f-69b6d762a43b
        Last attempt @ 2014-03-05 23:51:00 was successful.

CN=Schema,CN=Configuration,DC=renogov,DC=com
    Default-First-Site-Name\DCIMAGE via RPC
        DC object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-05 23:51:00 was successful.
    Default-First-Site-Name\RENOHEALTH via RPC
        DC object GUID: a80b988d-1815-4b48-9f8f-69b6d762a43b
        Last attempt @ 2014-03-05 23:51:00 was successful.

DC=DomainDnsZones,DC=renogov,DC=com
    Default-First-Site-Name\RENOHEALTH via RPC
        DC object GUID: a80b988d-1815-4b48-9f8f-69b6d762a43b
        Last attempt @ 2014-03-05 23:51:48 was successful.
    Default-First-Site-Name\DCIMAGE via RPC
        DC object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-05 23:52:09 was successful.

DC=ForestDnsZones,DC=renogov,DC=com
    Default-First-Site-Name\RENOHEALTH via RPC
        DC object GUID: a80b988d-1815-4b48-9f8f-69b6d762a43b
        Last attempt @ 2014-03-05 23:51:00 was successful.
    Default-First-Site-Name\DCIMAGE via RPC
        DC object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-05 23:51:00 was successful.

 

Author Comment

by:hutch_ks_itguy
ID: 39908454
ipconfig /all from RENOHEALTH

Windows IP Configuration

   Host Name . . . . . . . . . . . . : renohealth
   Primary Dns Suffix  . . . . . . . : renogov.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : renogov.com

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-50-56-BA-59-C3
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.2.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.2.251
   DNS Servers . . . . . . . . . . . : 10.10.1.7
                                       10.10.4.15
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter isatap.{2661C9EE-6E69-4E3E-A8C9-4651A38B757F}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes





IPCONFIG /ALL from RENOMAIN:

Windows IP Configuration

   Host Name . . . . . . . . . . . . : RENOMAIN
   Primary Dns Suffix  . . . . . . . : renogov.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : renogov.com

Ethernet adapter Local Area Connection 5:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-50-56-BA-20-D7
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.1.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.1.251
   DNS Servers . . . . . . . . . . . : 10.10.1.7
                                       10.10.2.1
   Primary WINS Server . . . . . . . : 10.10.1.7
   NetBIOS over Tcpip. . . . . . . . : Enabled

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{EF7FD2DB-5B02-4CF6-874B-6AD796379BE9}:

   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes


0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39908592
Got rid of the forest so you could see the trees

    * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\RENOHEALTH\netlogon)

         [RENOHEALTH] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..

         ......................... RENOHEALTH failed test NetLogons

Testing server: Default-First-Site-Name\RENOHEALTH

      Starting test: Advertising

         Warning: DsGetDcName returned information for \\DCIMAGE.renogov.com, when we were trying to reach RENOHEALTH.

         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

         ......................... RENOHEALTH failed test Advertising

The registry lookup failed to determine the state of the SYSVOL.  The error returned  was 0x0

         "The operation completed successfully.".  Check the FRS event log to see if the SYSVOL has successfully been shared.

 * Network Logons Privileges Check
         Unable to connect to the NETLOGON share! (\\RENOHEALTH\netlogon)

         [RENOHEALTH] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..

         ......................... RENOHEALTH failed test NetLogons
Could not open w32time Service on [RENOMAIN]:failed with 1060: The specified service does not exist as an installed service.

Starting test: frsevent
         * The File Replication Service Event log test
         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems.
         An Error Event occured.  EventID: 0xC0003500
            Time Generated: 03/05/2014   22:25:31
            (Event String could not be retrieved)
         ......................... RENOMAIN failed test frsevent

10.10.2.1(Preferred) should be at top of DNS Servers
vice having 10.10.2.251
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.10.2.251
   DNS Servers . . . . . . . . . . . : 10.10.1.7
                                       10.10.4.15
                                       127.0.0.1
0
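The filtering done by hand in the comment above can be scripted. This is an added example, not code from the thread: `Get-DcDiagFailure` is a hypothetical helper name, and the sample input is constructed from dcdiag lines quoted on this page.

```powershell
# Added example (not from the thread). Get-DcDiagFailure is a hypothetical helper.
# It reduces "dcdiag /v" text to the tests that failed and keeps each test's detail lines.
function Get-DcDiagFailure {
    param(
        [Parameter(Mandatory)]
        [AllowEmptyString()]
        [string[]]$Line
    )

    $startRx  = '^\s*Starting test:\s*(?<test>\S+)'
    $resultRx = '^\s*\.{5,}\s*(?<target>\S+)\s+(?<result>passed|failed)\s+test\b\s*(?<test>\S*)'

    $current = $null
    $detail  = New-Object 'System.Collections.Generic.List[string]'

    foreach ($text in $Line) {
        if ($text -match $startRx) {
            # A new test begins: remember its name and start collecting detail lines.
            $current = $Matches['test']
            $detail.Clear()
            continue
        }
        if ($text -match $resultRx) {
            # dcdiag wraps long test names onto a later line ("passed test" / "CrossRefValidation"),
            # so fall back to the name taken from the "Starting test:" line.
            $test = $Matches['test']
            if (-not $test) { $test = $current }
            if ($Matches['result'] -eq 'failed') {
                [pscustomobject]@{
                    Target = $Matches['target']
                    Test   = $test
                    Detail = $detail.ToArray()
                }
            }
            $current = $null
            $detail.Clear()
            continue
        }
        # Any non-blank line between "Starting test" and the result line is detail.
        if ($current -and $text.Trim()) { $detail.Add($text.Trim()) }
    }
}

# Constructed sample, assembled from dcdiag lines quoted in this thread.
$sampleText = @'
      Starting test: Advertising
         ......................... RENOHEALTH passed test Advertising
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\RENOHEALTH\netlogon)
         [RENOHEALTH] An net use or LsaPolicy operation failed with error 67,
         The network name cannot be found..
         ......................... RENOHEALTH failed test NetLogons
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test

         CrossRefValidation
'@
$sample = $sampleText -split '\r?\n'

# Emits one object: Target=RENOHEALTH, Test=NetLogons, with the three detail lines.
Get-DcDiagFailure -Line $sample | Format-List

# On a domain controller the live output can be piped in the same way:
#   Get-DcDiagFailure -Line (dcdiag /v) | Format-List
```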
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39908666
If sysvol is not shared/enabled, then do the following...

Set the SysvolReady Flag registry value to "0" and then back to "1" in the registry.

 Click Start, click Run, type regedit, and then click OK.
 Locate the following subkey in Registry Editor:

 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]

 In the details pane, right-click SysvolReady Flag, and then click Modify.
 In the Value data box, type 0 and then click OK.
 Again in the details pane, right-click SysvolReady Flag, and then click
 Modify.  In the Value data box, type 1, and then click OK.

 Then run NET SHARE and see if the SYSVOL and NETLOGON shares are present.
0
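A read-only check that puts the SysvolReady value next to what is actually shared and what is actually on disk, so a flag set by hand can be told apart from a replica that has finished its initial sync. This is an added example, not code from the thread: `Get-SysvolState` is a hypothetical helper, and it assumes PowerShell 3.0 or later on the DC and the default SYSVOL layout (`<sysvol>\<domain>\scripts` and `<sysvol>\<domain>\Policies`).

```powershell
# Added example (not from the thread). Get-SysvolState is a hypothetical helper.
# Read-only: it changes nothing on the domain controller.
function Get-SysvolState {
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params = Get-ItemProperty -Path $key

    # Netlogon records the SYSVOL root in the SysVol value (for example C:\Windows\SYSVOL\sysvol).
    $root = $params.SysVol
    if (-not $root) {
        # Assumption: fall back to the default location when the value is missing.
        $root = Join-Path $env:SystemRoot 'SYSVOL\sysvol'
    }

    $domain    = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
    $domainDir = Join-Path $root $domain
    $scripts   = Join-Path $domainDir 'scripts'    # NETLOGON is shared from this folder
    $policies  = Join-Path $domainDir 'Policies'   # one {GUID} folder per GPO

    $shareNames = @(Get-CimInstance -ClassName Win32_Share | ForEach-Object { $_.Name })

    $gpoCount = 0
    if (Test-Path -LiteralPath $policies) {
        $gpoCount = @(Get-ChildItem -LiteralPath $policies -Directory -Filter '{*}').Count
    }

    $state = [pscustomobject]@{
        SysvolReady    = $params.SysvolReady
        SysvolShared   = $shareNames -contains 'SYSVOL'
        NetlogonShared = $shareNames -contains 'NETLOGON'
        ScriptsFolder  = Test-Path -LiteralPath $scripts
        PoliciesFolder = Test-Path -LiteralPath $policies
        GpoFolders     = $gpoCount
        Verdict        = $null
    }

    if ($state.SysvolReady -ne 1) {
        $state.Verdict = 'SysvolReady is not 1: Netlogon is not sharing SYSVOL/NETLOGON.'
    }
    elseif (-not $state.ScriptsFolder -or $state.GpoFolders -eq 0) {
        # The state reported later in this thread: share visible, replica empty.
        $state.Verdict = 'SysvolReady is 1 but the replica has no scripts folder or GPO folders: replication has not delivered content.'
    }
    elseif (-not ($state.SysvolShared -and $state.NetlogonShared)) {
        $state.Verdict = 'Content is on disk but a share is missing: restart Netlogon and re-check.'
    }
    else {
        $state.Verdict = 'SYSVOL and NETLOGON are shared and populated.'
    }

    $state
}

Get-SysvolState | Format-List
```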
 

Author Comment

by:hutch_ks_itguy
ID: 39908996
OK I set the DNS servers to:

10.10.2.1
10.10.1.7
10.10.4.15

10.10.2.251 is the gateway



I looked at the reg key you mentioned SysvolReady and it's already set to 0.  I tried changing it to 1 and restarting netlogon but same results.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39909007
It seems that the SYSVOL share is actually there, but doesn't seem to have anything in it!  Also, I'm seeing this in the event log:

The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\renogov.com\SCRIPTS.  The following error occurred:
The system cannot find the file specified.


Should I be setting that SysvolReady key back to 0, or should I leave it at 1?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39909015
Please try the steps below.

1. Try to access \\domainname.com and \\RENOHEALTH from any machine.
2. Run ARP -a RENOHEALTH
    and match the MAC address with your new RENOHEALTH MAC address.
3. Check in DNS that the NS, A and PTR records of RENOHEALTH are good.
4. Run DCDIAG /TEST:DNS and share the result.

Note: SysvolReady key should be 1
0
 

Author Comment

by:hutch_ks_itguy
ID: 39909037
From another server, I checked these

1.  Was able to access \\renohealth and I saw the SYSVOL listed among the shares but still no NETLOGON...   I was able to access \\renogov.com which took me to RENOMAIN but I'm sure it's because that server's primary DNS is RENOMAIN
2.  ARP -a RENOHEALTH    gives me a arp - bad argument: RENOHEALTH
3.  Looking at DNS (on which servers?) seems to be OK but I'm not 100% pro on the SRV records and such
4.  Here are DCDIAG results from RENOHEALTH


Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = renohealth

   * Identified AD Forest.
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\RENOHEALTH

      Starting test: Connectivity

         ......................... RENOHEALTH passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\RENOHEALTH

   
      Starting test: DNS

         

         DNS Tests are running and not hung. Please wait a few minutes...

         ......................... RENOHEALTH passed test DNS

   
   Running partition tests on : ForestDnsZones

   
   Running partition tests on : DomainDnsZones

   
   Running partition tests on : Schema

   
   Running partition tests on : Configuration

   
   Running partition tests on : renogov

   
   Running enterprise tests on : renogov.com

      Starting test: DNS

         ......................... renogov.com passed test DNS
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39909083
1. Earlier you said sysvol was not there, now you can see the sysvol share and other files. That's a good thing.

2. The DNS test went well.

3. Now run dcdiag /v again.

Please check whether you still have any issue or error in the event log.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39909087
I really also wonder if I didn't screw something up because the new DC has the same name as the old 2003 DC, and the same IP address.

I tried to match everything up the best I could, and follow suggested practice along the way !

I also wonder if there's an issue (or issues) with my other DCs that's keeping things from working properly.  I've had some issues with Group Policies and login scripts not syncing properly, which is why I started trying to replace the old domain controller in the first place.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39909092
Yes, sysvol is there but nothing is in it.  well almost nothing.

inside is \\renohealth\SYSVOL\renogov.com

but no scripts folders or policies, etc.


I will check event logs, but I've got to get ready for work so I can be there when the users start arriving.  This could be bad!
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39909143
Hi, don't worry, your other two domain controllers are working fine, so I hope it will not be bad.

Try to force replication and sysvol will replicate soon.

In between, you can share the latest DCDIAG /V report.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39909145
I'm not sure I know how to force replication to occur.


I see a lot of Group Policy errors popping up in the new server event log:

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39909161
I restarted the FRS service, and also ran a DCDIAG /fix and here are those results:

Directory Server Diagnosis


Performing initial setup:

   Trying to find home server...

   Home Server = renohealth

   * Identified AD Forest. 
   Done gathering initial info.


Doing initial required tests

   
   Testing server: Default-First-Site-Name\RENOHEALTH

      Starting test: Connectivity

         ......................... RENOHEALTH passed test Connectivity



Doing primary tests

   
   Testing server: Default-First-Site-Name\RENOHEALTH

      Starting test: Advertising

         ......................... RENOHEALTH passed test Advertising

      Starting test: FrsEvent

         There are warning or error events within the last 24 hours after the

         SYSVOL has been shared.  Failing SYSVOL replication problems may cause

         Group Policy problems. 
         ......................... RENOHEALTH passed test FrsEvent

      Starting test: DFSREvent

         ......................... RENOHEALTH passed test DFSREvent

      Starting test: SysVolCheck

         ......................... RENOHEALTH passed test SysVolCheck

      Starting test: KccEvent

         ......................... RENOHEALTH passed test KccEvent

      Starting test: KnowsOfRoleHolders

         ......................... RENOHEALTH passed test KnowsOfRoleHolders

      Starting test: MachineAccount

         ......................... RENOHEALTH passed test MachineAccount

      Starting test: NCSecDesc

         ......................... RENOHEALTH passed test NCSecDesc

      Starting test: NetLogons

         Unable to connect to the NETLOGON share! (\\RENOHEALTH\netlogon)

         [RENOHEALTH] An net use or LsaPolicy operation failed with error 67,

         The network name cannot be found..

         ......................... RENOHEALTH failed test NetLogons

      Starting test: ObjectsReplicated

         ......................... RENOHEALTH passed test ObjectsReplicated

      Starting test: Replications

         ......................... RENOHEALTH passed test Replications

      Starting test: RidManager

         ......................... RENOHEALTH passed test RidManager

      Starting test: Services

         ......................... RENOHEALTH passed test Services

      Starting test: SystemLog

         An error event occurred.  EventID: 0x00000448

            Time Generated: 03/06/2014   06:16:47

            Event String:

            The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

         An error event occurred.  EventID: 0x00000448

            Time Generated: 03/06/2014   06:21:48

            Event String:

            The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

         An error event occurred.  EventID: 0x00000448

            Time Generated: 03/06/2014   06:26:48

            Event String:

            The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

         An error event occurred.  EventID: 0x00000448

            Time Generated: 03/06/2014   06:31:49

            Event String:

            The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

         An error event occurred.  EventID: 0x00000448

            Time Generated: 03/06/2014   06:36:50

            Event String:

            The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

         An error event occurred.  EventID: 0x00000448

            Time Generated: 03/06/2014   06:41:50

            Event String:

            The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

         An error event occurred.  EventID: 0x00000448

            Time Generated: 03/06/2014   06:46:51

            Event String:

            The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

         An error event occurred.  EventID: 0x00000448

            Time Generated: 03/06/2014   06:51:52

            Event String:

            The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

         An error event occurred.  EventID: 0x00000448

            Time Generated: 03/06/2014   06:56:52

            Event String:

            The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

         An error event occurred.  EventID: 0x00000448

            Time Generated: 03/06/2014   07:01:53

            Event String:

            The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

         An error event occurred.  EventID: 0x00000448

            Time Generated: 03/06/2014   07:06:53

            Event String:

            The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

         An error event occurred.  EventID: 0x00000448

            Time Generated: 03/06/2014   07:11:54

            Event String:

            The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.

         ......................... RENOHEALTH failed test SystemLog

      Starting test: VerifyReferences

         ......................... RENOHEALTH passed test VerifyReferences

   
   
   Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

         ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... ForestDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

         ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... DomainDnsZones passed test

         CrossRefValidation

   
   Running partition tests on : Schema

      Starting test: CheckSDRefDom

         ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Schema passed test CrossRefValidation

   
   Running partition tests on : Configuration

      Starting test: CheckSDRefDom

         ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

   
   Running partition tests on : renogov

      Starting test: CheckSDRefDom

         ......................... renogov passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... renogov passed test CrossRefValidation

   
   Running enterprise tests on : renogov.com

      Starting test: LocatorCheck

         ......................... renogov.com passed test LocatorCheck

      Starting test: Intersite

         ......................... renogov.com passed test Intersite


0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39909230
Please try this..
http://jorgequestforknowledge.wordpress.com/2010/08/12/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-3/

Also check in Sites and Services whether you are able to ping the DNS alias; also right-click on the link, click Replicate Now, and see whether you are able to replicate.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39910016
Yes I can ping the DNS alias listed in the NTDS settings, it resolves to RENOHEALTH.renogov.com and responds on 10.10.2.1 properly

I started going through that authoritative or non-authoritative document last night, but it looks kind of confusing..  which should I be trying?
0
 

Author Comment

by:hutch_ks_itguy
ID: 39910024
Also in NTDS I tried to force the replication again..  and get the following in my event logs:

The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\renogov.com\SCRIPTS.  The following error occurred:
The system cannot find the file specified.

and also

The processing of Group Policy failed. Windows could not apply the registry-based policy settings for the Group Policy object LDAP://CN=Machine,CN={A28981B2-63C6-4EFB-B265-6361FE1CE116},CN=Policies,CN=System,DC=renogov,DC=com. Group Policy settings will not be resolved until this event is resolved. View the event details for more information on the file name and path that caused the failure.
0
 
LVL 13

Assisted Solution

by:Santosh Gupta
Santosh Gupta earned 250 total points
ID: 39910088
Try the authoritative restore from the document and make your healthy DC the primary.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39910133
I followed the steps for an authoritative restore, but no idea how long it should be taking..  it says I should see those listed events in the event logs.  I don't see them, but also don't know where to look for them.

I also don't know what you mean about make your healthy DC as primary, I never saw anything like that in the document you linked to.


It's only been 3 minutes, but not sure if I'll see something happening or not.

Thanks!!
0
 

Author Comment

by:hutch_ks_itguy
ID: 39910134
I do see this:

The DFS Replication service successfully contacted domain controller renohealth.renogov.com to access configuration information.

Which seems odd that it'd be contacting itself
0

 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39910151
That's great, please wait for some time and then check SYSVOL and other functionality.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39910374
Netlogon share is there, nothing in it, but it's there now...  how long should I wait?
0
 
LVL 13

Expert Comment

by:Santosh Gupta
ID: 39910410
Seems things are moving in the right direction, please wait for a day.... then run the DCDIAG.
0
 
LVL 78

Expert Comment

by:David Johnson, CD, MVP
ID: 39910440
"I really also wonder if I didn't screw something up because the new DC has the same name as the old 2003 DC, and the same IP address."

You demoted the previous computer from being a DC and then removed it from the domain; did you also check that it was removed from Active Directory?
0
 

Author Comment

by:hutch_ks_itguy
ID: 39910454
Well I thought I had done it right, using the netdom /computername /add: command, then the /makeprimary and then the /remove..

Although I was a bit confused on the metadata cleanup after removing the old DC.  It had been removed from ADUC but it was still hanging around in the ADSS ntds settings..  I followed a guide to remove it, and reran dcpromo on the new server.


Most things seem to be working, but still nothing in my SYSVOL or NETLOGON folders.  But I'm also not seeing a lot of errors (or much else) popping up in event viewer, so I'm sitting tight at the moment.

Thanks guys!
0
 
LVL 18

Expert Comment

by:sarang_tinguria
ID: 39911219
First check that proper connection objects have been created in Sites and Services.

Browse \\WorkingDC.domain.local, copy sysvol & netlogon and keep a backup on ProblemDC & WorkingDC (if you cannot browse, check network connectivity/ports and don't proceed further).

Go to WorkingDC: stop the NTFRS service, open regedit, go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" and change the burflag value to D4. Start the NTFRS (File Replication Service) service and wait for File Replication event ID 13516.

Now go to ProblemDC: stop the NTFRS service, open regedit, go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" and change the burflag value to D2. Start the NTFRS (File Replication Service) service and wait for File Replication event ID 13516.

Now check that your sysvol and netlogon shares are available.

The above is called authoritative (D4) and non-authoritative (D2) restore.

Refer http://support.microsoft.com/kb/257338 for more info

What happens in a Journal Wrap?
http://blogs.technet.com/b/instan/archive/2009/07/14/what-happens-in-a-journal-wrap.aspx
0
 
LVL 18

Expert Comment

by:sarang_tinguria
ID: 39911222
I saw DFSR somewhere in the logs above. But when a 2003 (not R2) is in the environment, there is no chance that Sysvol will be replicated using DFSR.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39912044
You don't have to run an authoritative restore.

Your other DCs have healthy sysvol and netlogon shares.

Just try to do a non-authoritative restore of sysvol on the Windows 2012 R2 DC as mentioned in the document.

Also run repadmin /showrepl and check if the server is promoted to Global Catalog (IS_GC).

@Sarang:
Whenever you do an authoritative restore of sysvol, the very first thing you need to do is stop the NTFRS service on all domain controllers.
You have not mentioned this in your comment, and this will lead to undesired results.

@hutch_KS_ITGuy
If the non-authoritative restore does not resolve your problem, I would demote the 2012 R2 ADC from Active Directory gracefully (or forcefully if graceful demotion fails), then do a metadata cleanup for the failed DC and clean all references to the 2012 R2 ADC. As my old and new DCs have the same hostname, this will clean up my AD properly.

To demote DC gracefully \ forcefully follow below article:
http://blogs.interfacett.com/how-to-demote-a-domain-controller-dc-in-windows-server-2012-active-directory-domain-services-ad-ds

Cleanup AD metadata
http://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx

After that I would promote new 2012 R2 ADC again

Mahesh
0
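The non-authoritative (D2) step from the comments above, scripted for the problem DC only. This is an added example, not code from the thread or from the linked articles: `Invoke-FrsNonAuthoritativeRestore` is a hypothetical helper, and it assumes SYSVOL is replicated by NTFRS and that the session is elevated. The D4 step is deliberately left out, since it first requires stopping NTFRS on all domain controllers as noted above.

```powershell
# Added example (not from the thread). Invoke-FrsNonAuthoritativeRestore is a hypothetical helper.
# Run in an elevated session on the DC whose SYSVOL replica should be rebuilt from its partners.
function Invoke-FrsNonAuthoritativeRestore {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [int]$TimeoutMinutes = 30,   # how long to wait for event 13516
        [int]$PollSeconds    = 30
    )

    # The key name contains a forward slash ("Backup/Restore"). The PowerShell registry
    # provider treats "/" as a path separator, so the value is written through the
    # .NET Registry class instead of Set-ItemProperty.
    $regKey = 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

    if (-not $PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop NtFrs, set BurFlags=0xD2, start NtFrs')) {
        return
    }

    $started = Get-Date

    # Order matters: the flag is read when the service starts.
    Stop-Service -Name NtFrs -Force -ErrorAction Stop
    [Microsoft.Win32.Registry]::SetValue(
        $regKey, 'BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
    Start-Service -Name NtFrs -ErrorAction Stop

    # Wait for File Replication Service event 13516 logged after the restart.
    $filter   = @{ LogName = 'File Replication Service'; Id = 13516; StartTime = $started }
    $deadline = $started.AddMinutes($TimeoutMinutes)
    while ((Get-Date) -lt $deadline) {
        # Get-WinEvent raises an error when nothing matches yet, so silence it while polling.
        $evt = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($evt) { return $evt }
        Start-Sleep -Seconds $PollSeconds
    }

    Write-Warning ("No event 13516 within {0} minutes. Check the File Replication Service log " +
                   "for warnings about the inbound partner before retrying." -f $TimeoutMinutes)
}

# Dry run: shows what would be done without touching the service or the registry.
Invoke-FrsNonAuthoritativeRestore -WhatIf
```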
 
LVL 18

Expert Comment

by:sarang_tinguria
ID: 39912218
Mahesh.. Please read my comments carefully..
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39912348
Sarang, re-reading your comment:

Go to WorkingDC  stop NTFRS service open regedit and go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" change the burflag value to D4 Start NTFRS(File Replication service) service and wait for File Replication event ID 13516 now Go to ProblemDC  stop NTFRS service open regedit go to "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" change the burflag value to D2 -> Start NTFRS(File Replication service) service and wait for File Replication event ID 13516 now

Before starting D4 (authoritative restore) you must stop the NTFRS service on all domain controllers.
The above step is missing in your comment, and it is very important.
Can you please show me if it is?

Mahesh
0
 

Author Comment

by:hutch_ks_itguy
ID: 39912546
I had tried the non-authoritative restore yesterday, twice in fact.  Still nothing in sysvol or netlogon this morning.  

In my event log I see this under File Replication Service log:

The File Replication Service is having trouble enabling replication from RENOMAIN.renogov.com to RENOHEALTH for c:\windows\sysvol\domain using the DNS name RENOMAIN.renogov.com. FRS will keep retrying. 
 Following are some of the reasons you would see this warning. 
 
 [1] FRS can not correctly resolve the DNS name RENOMAIN.renogov.com from this computer. 
 [2] FRS is not running on RENOMAIN.renogov.com. 
 [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. 
 
 This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

--I am able to ping renomain and renomain.renogov.com without an issue.  The FRS service appears to be running correctly on renomain.  But number 3, I don't know about.

The repadmin /showall command looks good to me:

Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\RENOHEALTH
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: a80b988d-1815-4b48-9f8f-69b6d762a43b
DSA invocationID: 351e7bf4-fa83-46c3-87fe-0b5a43851aba

==== INBOUND NEIGHBORS ======================================

DC=renogov,DC=com
    Default-First-Site-Name\DCIMAGE via RPC
        DSA object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-07 08:25:29 was successful.
    Default-First-Site-Name\RENOMAIN via RPC
        DSA object GUID: 58a8e065-4dc2-4f76-9a54-8873386843be
        Last attempt @ 2014-03-07 08:25:29 was successful.

CN=Configuration,DC=renogov,DC=com
    Default-First-Site-Name\RENOMAIN via RPC
        DSA object GUID: 58a8e065-4dc2-4f76-9a54-8873386843be
        Last attempt @ 2014-03-07 07:52:28 was successful.
    Default-First-Site-Name\DCIMAGE via RPC
        DSA object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-07 07:52:46 was successful.

CN=Schema,CN=Configuration,DC=renogov,DC=com
    Default-First-Site-Name\RENOMAIN via RPC
        DSA object GUID: 58a8e065-4dc2-4f76-9a54-8873386843be
        Last attempt @ 2014-03-07 07:51:29 was successful.
    Default-First-Site-Name\DCIMAGE via RPC
        DSA object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-07 07:51:29 was successful.

DC=DomainDnsZones,DC=renogov,DC=com
    Default-First-Site-Name\DCIMAGE via RPC
        DSA object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-07 08:25:20 was successful.
    Default-First-Site-Name\RENOMAIN via RPC
        DSA object GUID: 58a8e065-4dc2-4f76-9a54-8873386843be
        Last attempt @ 2014-03-07 08:25:23 was successful.

DC=ForestDnsZones,DC=renogov,DC=com
    Default-First-Site-Name\RENOMAIN via RPC
        DSA object GUID: 58a8e065-4dc2-4f76-9a54-8873386843be
        Last attempt @ 2014-03-07 07:51:29 was successful.
    Default-First-Site-Name\DCIMAGE via RPC
        DSA object GUID: 4e3982bd-ac01-4b86-b9d0-3a72e6bc8605
        Last attempt @ 2014-03-07 07:51:29 was successful.


0
 

Author Comment

by:hutch_ks_itguy
ID: 39912633
I may have just discovered a slightly bigger problem.  I modified a couple logon scripts on RENOMAIN (my primary dc) and the modified scripts aren't replicating to the other domain controller DCIMAGE.

Which sounds to me like I've got a replication issue on one of the other (or both) domain controllers.

?
0
 

Author Comment

by:hutch_ks_itguy
ID: 39912650
Ran DCDIAG /V on DCIMAGE, and saw this error in it:

  Starting test: NCSecDesc

         * Security Permissions check for all NC's on DC DCIMAGE.
         The forest is not ready for RODC. Will skip checking ERODC ACEs.
         * Security Permissions Check for

           DC=ForestDnsZones,DC=renogov,DC=com
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=ForestDnsZones,DC=renogov,DC=com
         * Security Permissions Check for

           DC=DomainDnsZones,DC=renogov,DC=com
            (NDNC,Version 3)
         Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have

            Replicating Directory Changes In Filtered Set
         access rights for the naming context:

         DC=DomainDnsZones,DC=renogov,DC=com
         * Security Permissions Check for

           CN=Schema,CN=Configuration,DC=renogov,DC=com
            (Schema,Version 3)
         * Security Permissions Check for

           CN=Configuration,DC=renogov,DC=com
            (Configuration,Version 3)
         * Security Permissions Check for

           DC=renogov,DC=com
            (Domain,Version 3)
         ......................... DCIMAGE failed test NCSecDesc
0
 

Author Comment

by:hutch_ks_itguy
ID: 39912684
Seems the failure on DCIMAGE relates to not being set up for a RODC.  Not too worried about that.

However, I've now confirmed that changing a logon script on either RENOMAIN or DCIMAGE doesn't replicate to each other.  In fact a few of my login scripts are way out of sync, as in over a year apart.

I'm troubleshooting those servers now, should I start a new thread or keep going on this one?  Thanks for all the help guys.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39912709
Also, I see this on RENOMAIN

This server is the owner of the following FSMO role, but does not consider it valid. For the partition which contains the FSMO, this server has not replicated successfully with any of its partners since this server has been restarted. Replication errors are preventing validation of this role.
 
Operations which require contacting a FSMO operation master will fail until this condition is corrected.
 
FSMO Role: DC=renogov,DC=com
 
User Action:
 
1. Initial synchronization is the first early replications done by a system as it is starting. A failure to initially synchronize may explain why a FSMO role cannot be validated. This process is explained in KB article 305476.
2. This server has one or more replication partners, and replication is failing for all of these partners. Use the command repadmin /showrepl to display the replication errors.  Correct the error in question. For example there maybe problems with IP connectivity, DNS name resolution, or security authentication that are preventing successful replication.
3. In the rare event that all replication partners being down is an expected occurance, perhaps because of maintenance or a disaster recovery, you can force the role to be validated. This can be done by using NTDSUTIL.EXE to seize the role to the same server. This may be done using the steps provided in KB articles 255504 and 324801 on http://support.microsoft.com.
 
The following operations may be impacted:
Schema: You will no longer be able to modify the schema for this forest.
Domain Naming: You will no longer be able to add or remove domains from this forest.
PDC: You will no longer be able to perform primary domain controller operations, such as Group Policy updates and password resets for non-Active Directory Domain Services accounts.
RID: You will not be able to allocation new security identifiers for new user accounts, computer accounts or security groups.
Infrastructure: Cross-domain name references, such as universal group memberships, will not be updated properly if their target object is moved or renamed.
0
 
LVL 25

Accepted Solution

by:
DrDave242 earned 250 total points
ID: 39913103
However, I've now confirmed that changing a logon script on either RENOMAIN or DCIMAGE doesn't replicate to each other.  In fact a few of my login scripts are way out of sync, as in over a year apart.
Logon scripts and Group Policy Objects are both stored in the SYSVOL hierarchy, so problems with SYSVOL replication will cause them to get out of sync. It's important to note that SYSVOL replication is separate from AD replication. They're related, but it's entirely possible (and really not all that uncommon) for one to be working perfectly while the other is upside down and on fire.

The first thing you should do is determine which of these DCs has the "best" copy of the SYSVOL folder hierarchy. If changes have been made (to logon scripts, for example) on more than one DC but haven't replicated to the others, there's probably not one perfect copy, so even after all of this is straightened out, you may find that some of those changes are missing and have to be re-done.

There's not a 100% surefire method for determining which copy of SYSVOL is the best, but in a situation like this, I'll typically go to each DC (assuming there aren't too many) and use Windows Explorer to look at the folders themselves (\Windows\SYSVOL\domain\Policies and \Scripts). I'll look at the number of subfolders within the Policies folder (each subfolder corresponds to a single GPO) and their modified dates. Then I'll look at the files in the Scripts folder and their modified dates. It's kind of a judgment call at that point, but if I'm in a big hurry, the one with the most files/folders and/or most recent dates wins. Honestly, the Scripts folder is easy to deal with: logon scripts are just files, so instead of worrying about its contents and their modified dates, it may be easiest to copy the Scripts folder from each DC, stash the copies somewhere outside of SYSVOL, and worry about them after replication is working again. The Policies folder isn't as trivial, since you can't just copy those subfolders from one DC to another and expect the corresponding GPOs to function properly.

This is starting to get lengthy, so for now, just locate the DC with the best copy of SYSVOL and perform the authoritative restore (Burflags D4) procedure on it. I'm pretty sure someone posted the steps for this procedure above, but if not, they're in this KB article.
0
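One way to do the SYSVOL comparison described in the answer above, as an added example that is not part of the original post. It is read-only and assumes Windows is installed on C: on every DC, the C$ administrative share is reachable, and PowerShell 4.0 or later (for Get-FileHash) on the machine running it; the function name Get-SysvolSummary is hypothetical.

```powershell
# Added example: compare each DC's local SYSVOL copy (read-only).
# Assumptions: system drive is C:, the C$ admin share is reachable, PowerShell 4.0+.
$dcs = 'RENOMAIN', 'DCIMAGE', 'RENOHEALTH'

function Get-SysvolSummary {
    param([Parameter(Mandatory = $true)][string]$Server)

    # Path from the answer (\Windows\SYSVOL\domain), reached over the admin share
    # because the SYSVOL share itself may be missing on a broken DC.
    $root     = "\\$Server\C$\Windows\SYSVOL\domain"
    $policies = @(Get-ChildItem -Path "$root\Policies" -Directory -ErrorAction SilentlyContinue)
    $scripts  = @(Get-ChildItem -Path "$root\Scripts" -Recurse -File -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        DC           = $Server
        GpoFolders   = $policies.Count   # one subfolder per GPO
        NewestGpo    = ($policies | Sort-Object LastWriteTime -Descending |
                        Select-Object -First 1).LastWriteTime
        ScriptFiles  = $scripts.Count
        NewestScript = ($scripts | Sort-Object LastWriteTime -Descending |
                        Select-Object -First 1).LastWriteTime
    }
}

# Side-by-side counts and newest modification dates per DC.
$dcs | ForEach-Object { Get-SysvolSummary -Server $_ } | Format-Table -AutoSize

# Hash every logon script so content differences show up even when dates match.
$hashes = foreach ($dc in $dcs) {
    $scriptRoot = "\\$dc\C$\Windows\SYSVOL\domain\Scripts"
    Get-ChildItem -Path $scriptRoot -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                DC            = $dc
                RelativePath  = $_.FullName.Substring($scriptRoot.Length).TrimStart('\')
                SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                LastWriteTime = $_.LastWriteTime
            }
        }
}

# Report scripts that are missing on some DC or whose content differs between DCs.
$hashes | Group-Object RelativePath | Where-Object {
    $_.Count -ne $dcs.Count -or @($_.Group.SHA256 | Select-Object -Unique).Count -gt 1
} | ForEach-Object { $_.Group } | Sort-Object RelativePath, DC |
    Format-Table RelativePath, DC, LastWriteTime, SHA256 -AutoSize
```

The second table is also a convenient list of which Scripts files to stash outside SYSVOL before the restore, since those are the ones that differ between DCs.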
 

Author Comment

by:hutch_ks_itguy
ID: 39913466
Just to be clear, if I go forward with this authoritative restore on my "best" domain controller, the link you provided mentions server 2003 a lot.

I have 2 2008 R2 dc's and a 2012 R2 dc.
0
 
LVL 25

Expert Comment

by:DrDave242
ID: 39913541
The procedure in that article is valid if SYSVOL is being replicated using the File Replication Service (FRS). This was always true in Server 2003 and earlier and is still often true today for domains that were created back in those days, regardless of whether there are any remaining DCs running 2003. It appears to be true in your environment, judging from some of your posts above, but to be sure, run the following command from an elevated command prompt on the DC with the PDC Emulator role:

dfsrmig /getglobalstate

The output should indicate that the migration state is either Start (FRS is still being used) or Eliminated (SYSVOL has been migrated to Distributed File System Replication, or DFSR). If the state is Eliminated, ignore the previous article and use this one instead.

If the output of that command shows anything else, post the results here.
0
 

Author Comment

by:hutch_ks_itguy
ID: 39913752
OK guys I went forward with the authoritative restore..  seemed to fix most (if not all) of my problems.

Login scripts are replicating properly, sysvol and netlogon shares seem OK.  I'm still digging through and testing, will be sure to report back!!
0
 

Author Closing Comment

by:hutch_ks_itguy
ID: 39918867
Several of these were helpful, but running the authoritative restore was what ultimately fixed my issues.  I split the points between the two most detailed and helpful solutions.  Huge thank you to all of you!!
0
