Solved

New DC W2K3 not replicating correctly

Posted on 2014-03-30
Last Modified: 2014-05-04
Hi,
At a client site, a new DC (NTSERVER3) was added recently, as the current DC (NTSERVER1) will eventually be demoted back to a member server and taken offline. I want to move the FSMO roles over to make the new one the primary DC.
I noticed that 'SYSVOL' and 'NETLOGON' were not created. I went and looked at Active Directory Sites and Services and noticed that there were no servers listed under NTDS Settings under NTSERVER3; I assumed that I should see NTSERVER1 listed there. I also noticed one other thing: a prior DC (NTSERVER2) is still listed under "Servers" under "Default-First-Site-Name". This server was demoted and removed last year but still shows up here. Is it safe to delete this server? Under the server (NTSERVER2) there is a folder called "Exchange Settings" with an entry "Active Directory Connector (NTSERVER2)" as the name and "ADC Service" as the type.

Under the new server (NTSERVER3) there was no automatically created server listed for NTSERVER1; I had to manually add it as a "New Active Directory Connection". Will this start replicating with NTSERVER1 now? These are the only 2 DCs in the domain (NTSERVER1 and NTSERVER3), as the other one, NTSERVER2, was demoted and taken offline last year. But as mentioned, there are still entries left over from before.

Any help with this is greatly appreciated as I have limited knowledge of Active Directory, replication between DCs, etc...

Thanks in advance for taking the time to respond back to this, your help is greatly appreciated.

Thanks,

ElliTech
Question by: ellitech

39 Comments

Expert Comment by: Mahesh
Can you please run dcdiag /q and repadmin /showrepl on the new and existing DC and post back the results?

How many DCs are you able to find in the Domain Controllers OU?
Is NTSERVER2 still listed there as a DC?

Also run the command below on NTSERVER1 and see what domain controllers are there:
nltest /dsgetdc:domain.com

If you are sure that you already demoted NTSERVER2 in the past, you can run metadata cleanup through the Ntdsutil utility on NTSERVER1 and check if you are able to find NTSERVER2 there; if found, just remove it.

Check the article below to clean up metadata for a failed server:
http://support.microsoft.com/kb/216498

Also go to AD Sites and Services, navigate to site\servers\servername\NTDS Settings, and on the right side you will find connection objects.
If you don't find any, create a new connection object by right-clicking NTDS Settings in the left pane, then force replication by right-clicking the connection object and clicking "Replicate now".

Maybe then you can reboot your server and check if replication is working.

Mahesh.
Expert Comment by: arnold
Versions of the two DCs?

Look in Sites and Services to see NTDS and the setup there.

Check the Domain Controllers OU to see if the system is shown there.

dcdiag.
Does the new system have a DNS service, and does it point to the other server and itself?

Look at the event log for info on what is going on.
Author Comment by: ellitech
C:\>nltest /dsgetdc:acc.local
           DC: \\ntserver1.acc.local
      Address: \\192.168.2.151
     Dom Guid: f06b76ff-ab48-4721-abf8-10182f3b7063
     Dom Name: acc.local
  Forest Name: acc.local
 Dc Site Name: Default-First-Site-Name
Our Site Name: Default-First-Site-Name
        Flags: PDC GC DS LDAP KDC TIMESERV GTIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST CLOSE_SITE
The command completed successfully
Author Comment by: ellitech
C:\Documents and Settings\ACCAdmin>dcdiag /q
         REPLICATION-RECEIVED LATENCY WARNING
         NTSERVER1:  Current time is 2014-03-30 16:28:27.
            DC=DomainDnsZones,DC=acc,DC=local
               Last replication recieved from NTSERVER2 at 2011-07-22 16:53:29.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

            DC=ForestDnsZones,DC=acc,DC=local
               Last replication recieved from NTSERVER2 at 2011-07-22 16:53:29.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

            CN=Schema,CN=Configuration,DC=acc,DC=local
               Last replication recieved from NTSERVER2 at 2011-07-22 16:53:28.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

            CN=Configuration,DC=acc,DC=local
               Last replication recieved from NTSERVER2 at 2011-07-22 16:53:28.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

            DC=acc,DC=local
               Last replication recieved from NTSERVER2 at 2011-07-22 16:53:28.
               WARNING:  This latency is over the Tombstone Lifetime of 60 days!

         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 03/30/2014   16:16:10
            Event String: The attempt to establish a replication link for
         An Warning Event occured.  EventID: 0x80000785
            Time Generated: 03/30/2014   16:16:13
            Event String: The attempt to establish a replication link for
         ......................... NTSERVER1 failed test kccevent
         An Error Event occured.  EventID: 0xC0002720
            Time Generated: 03/30/2014   15:59:31
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0xC0009007
            Time Generated: 03/30/2014   15:59:31
            Event String: A fatal error occurred while creating an SSL
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/30/2014   16:15:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/30/2014   16:15:17
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/30/2014   16:15:18
            (Event String could not be retrieved)
         An Error Event occured.  EventID: 0x00000457
            Time Generated: 03/30/2014   16:15:27
            (Event String could not be retrieved)
         ......................... NTSERVER1 failed test systemlog
Author Comment by: ellitech
Can NTSERVER2 be deleted from Active Directory Sites and Services / Servers ?
Author Comment by: ellitech
Checking replication topology fails on NTSERVER3; it says "The following error occurred during the attempt to contact the domain controller: The directory property cannot be found in the cache".

This was run on NTSERVER1. If run from NTSERVER3 it will complete without an error; however, NTSERVER2 will show up under Active Directory Sites and Services, although it was decommissioned already (last year).
Author Comment by: ellitech
C:\Documents and Settings\ACCAdmin>repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site-Name\NTSERVER1
DC Options: IS_GC
Site Options: (none)
DC object GUID: 75b2ee58-f206-41c7-9c02-b2d286a056f6
DC invocationID: c1c52665-17d2-4296-a2fa-0c0a0d4d3787


Source: Default-First-Site-Name\NTSERVER2
******* 770 CONSECUTIVE FAILURES since 2014-03-22 15:59:13
Last error: 8524 (0x214c):
            Can't retrieve message string 8524 (0x214c), error 1815.

Naming Context: DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=DomainDnsZones,DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: DC=ForestDnsZones,DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER2
******* WARNING: KCC could not add this REPLICA LINK due to error.

Source: Default-First-Site-Name\NTSERVER3
******* 770 CONSECUTIVE FAILURES since 2014-03-22 15:59:11
Last error: 8524 (0x214c):
            Can't retrieve message string 8524 (0x214c), error 1815.

Naming Context: DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER3
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER3
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER3
******* WARNING: KCC could not add this REPLICA LINK due to error.
Author Comment by: ellitech
Any advice on this is greatly appreciated...

I would like to just go ahead and delete NTSERVER2 from Sites and Services...
Author Comment by: ellitech
I ran metadata cleanup as per below:


metadata cleanup: remove selected server
Transferring / Seizing FSMO roles off the selected server.
Removing FRS metadata for the selected server.
Searching for FRS members under "CN=NTSERVER2,OU=Domain Controllers,DC=acc,DC=local".

Removing FRS member "CN=NTSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=acc,DC=local".
Deleting subtree under "CN=NTSERVER2,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=acc,DC=local".
Deleting subtree under "CN=NTSERVER2,OU=Domain Controllers,DC=acc,DC=local".
The attempt to remove the FRS settings on CN=NTSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acc,DC=local failed because "Element not found.";
metadata cleanup is continuing.
"CN=NTSERVER2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acc,DC=local" removed from server "ntserver1"
Author Comment by: ellitech
One thing that I am unsure of is this: under Sites and Services it will still list 'ntserver2'. Underneath it, NTDS Settings is gone, but there is a folder called Exchange Settings, and in it is an old listing called "Active Directory Connector (NTSERVER2)" with a Type of "ADC Service".

Can this be deleted manually?
Author Comment by: ellitech
I logged into NTSERVER3 and checked NTDSUTIL there; it does not list NTSERVER2, only NTSERVER1 and NTSERVER3, as it should. I still need to be able to delete the entry for NTSERVER2 as well as the folder and the connector listed underneath it, as mentioned above.

Thoughts?
Author Comment by: ellitech
C:\Documents and Settings\ACCAdmin>repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site-Name\NTSERVER1
DC Options: IS_GC
Site Options: (none)
DC object GUID: 75b2ee58-f206-41c7-9c02-b2d286a056f6
DC invocationID: c1c52665-17d2-4296-a2fa-0c0a0d4d3787


Source: Default-First-Site-Name\NTSERVER3
******* 778 CONSECUTIVE FAILURES since 2014-03-22 15:59:11
Last error: 8524 (0x214c):
            Can't retrieve message string 8524 (0x214c), error 1815.

Naming Context: DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER3
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER3
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER3
******* WARNING: KCC could not add this REPLICA LINK due to error.
Author Comment by: ellitech
I found this, checked on the exchange server and it is pointing to NTSERVER1 which is fine...

Not sure if this will help your situation or not but open Exchange System Manager. Under "Recipients" click on "Recipient Update Services" and see which domain controller the two entries are pointing to. Chances are it is pointing to the DC that's down. I believe you can either manually point it to the other DC or force it to update by right-clicking and choosing Update Now. That should force it to look at the other DC.

This makes me think that I can in fact delete out NTSERVER2 and the Exchange Settings folder that is underneath it...

Thoughts?
Expert Comment by: Mahesh
Since NTSERVER2 has been offline for more than 60 days, you can safely delete its object from Active Directory, as notified in repadmin /showrepl.
I think you already did that.
Now remove it from AD Sites and Services and force AD replication between NTSERVER1 and NTSERVER3.
If you find any replication problem here, you need to correct it.

Also check your Exchange server for any possible pointers towards NTSERVER2 and simply remove them.
This includes DNS entries on the Exchange network cards, DNS entries on the DNS server, the Exchange configuration domain controller, etc.

Mahesh.
Author Comment by: ellitech
I have removed the entries from 'sites and services' but I am still getting an error when I try to force replication as well as when the following command is run:

C:\Documents and Settings\ACCAdmin>repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site-Name\NTSERVER1
DC Options: IS_GC
Site Options: (none)
DC object GUID: 75b2ee58-f206-41c7-9c02-b2d286a056f6
DC invocationID: c1c52665-17d2-4296-a2fa-0c0a0d4d3787


Source: Default-First-Site-Name\NTSERVER3
******* 854 CONSECUTIVE FAILURES since 2014-03-22 15:59:11
Last error: 8524 (0x214c):
            Can't retrieve message string 8524 (0x214c), error 1815.

Naming Context: DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER3
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Configuration,DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER3
******* WARNING: KCC could not add this REPLICA LINK due to error.

Naming Context: CN=Schema,CN=Configuration,DC=acc,DC=local
Source: Default-First-Site-Name\NTSERVER3
******* WARNING: KCC could not add this REPLICA LINK due to error.
Author Comment by: ellitech
When I try to force replication from sites and services under NTSERVER3 and clicking on NTSERVER1, it says "The following error occurred during the attempt to contact the domain controller NTSERVER3: The RPC Server is unavailable"
Expert Comment by: arnold
What entries did you remove? You may have to rejoin/dcpromo the newly added system, just in case some of the entries you removed belonged to it.

Often there are no issues with reusing a name; however, there are times, and possibly this is one of them, when the prior reference interferes with the recent addition/setup.
Author Comment by: ellitech
Should I remove and re-add the DNS role, or are you talking about demoting back to a member server?

Can't DNS be removed and then re-added as a role?
Expert Comment by: Mahesh
You need to check if the server GUID and DNS entries are correct.

Just go to the DNS server and under _msdcs.domain.com you should be able to locate the DC GUID (CNAME) for both DCs.
Just append _msdcs.domain.com to that GUID and check if you are able to ping it and get the correct domain controller IP; if not, then go to AD Sites\sitename\servers\servername\NTDS Settings properties, and on the General tab you will find the domain controller's GUID.
Copy that GUID completely and ping it.
Check if it is resolving properly; if yes, replace the faulty one found under DNS with it.

Also check if both servers' NS records \ host records are as appropriate in DNS.

It looks like a CNAME record failure is causing replication to fail.

Also, once that is done, just restart the Netlogon service and DNS service on the domain controller, and then under NTDS Settings under Sites and Services just delete the old connection objects on the right-hand side and create them manually again, and check if replication is now working (do not delete the NTDS Settings folder; you need to delete only the connection objects found on the right side).
Those connection objects will get created automatically by right-clicking on NTDS Settings, All Tasks, and then clicking Check Replication Topology.

You may also give the command repadmin /syncall a try to trigger replication manually.

Mahesh.
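The GUID-record check Mahesh describes, scripted as an added example (not code from the thread or from Microsoft): for every NTDS Settings object in the configuration partition it reads the DC's object GUID and confirms that <guid>._msdcs.<forest> resolves to the same address as the DC's own host record, which is the alias that was missing for NTSERVER3 above. It assumes a domain-joined host whose DNS client points at a DC, and uses System.DirectoryServices so it runs without the ActiveDirectory module; the function names are my own.

```powershell
# Added example, not from the thread: verify that every DC's NTDS Settings object GUID
# has a working <guid>._msdcs.<forest> alias pointing at that DC. Assumes a domain-joined
# host with DNS pointing at a DC; no AD PowerShell module required.

function Resolve-Quietly([string]$name) {
    # Returns the IP strings for a name, or an empty array when it does not resolve.
    try   { @([System.Net.Dns]::GetHostAddresses($name) | ForEach-Object { $_.IPAddressToString }) }
    catch { @() }
}

function Test-DcGuidRecord {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Name

    # Every DC has exactly one nTDSDSA ("NTDS Settings") object under its server object.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Sites,$configNc"
    $searcher.Filter     = "(objectClass=nTDSDSA)"
    [void]$searcher.PropertiesToLoad.Add("objectGUID")
    [void]$searcher.PropertiesToLoad.Add("distinguishedName")

    foreach ($result in $searcher.FindAll()) {
        $guid   = New-Object Guid (,[byte[]]$result.Properties["objectguid"][0])
        $ntdsDn = [string]$result.Properties["distinguishedname"][0]
        # The parent of "CN=NTDS Settings,..." is the server object; dNSHostName is the DC FQDN.
        $server = [ADSI]("LDAP://" + $ntdsDn.Substring($ntdsDn.IndexOf(",") + 1))
        $dcFqdn = [string]$server.dNSHostName
        $alias  = "$guid._msdcs.$forest"

        $dcIps   = Resolve-Quietly $dcFqdn
        $guidIps = Resolve-Quietly $alias

        if (-not $dcIps) {
            $status = "NO HOST RECORD: $dcFqdn does not resolve"
        } elseif (-not $guidIps) {
            # This is the state NTSERVER3 was in: replication partners cannot locate it by GUID.
            $status = "MISSING: $alias does not resolve; add CNAME -> $dcFqdn"
        } elseif (Compare-Object $dcIps $guidIps) {
            $status = "MISMATCH: $alias -> $($guidIps -join ',') but $dcFqdn -> $($dcIps -join ',')"
        } else {
            $status = "OK: $alias -> $dcFqdn ($($dcIps -join ','))"
        }

        New-Object PSObject -Property @{ DC = $dcFqdn; GuidRecord = $alias; Status = $status }
    }
}

Test-DcGuidRecord | Format-Table DC, Status -AutoSize -Wrap
```

A MISMATCH line where a DC has more than one address is the dual-NIC case arnold raises below: the alias is fine, but replication may still pick an address the partner cannot reach.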
Expert Comment by: arnold
Your issue could also be because of the different IP segments in use. Can your DCs/DNS servers ping each other on every IP each DC has?

Dual-network DCs would register both of their network interfaces as dc1.yourdomain.com, i.e.
dc1.yourdomain.com IN A IP1
dc1.yourdomain.com IN A IP2

If IP2 is not accessible by all, replication, if it tries to access DC1 on IP2, will hang and fail.
Author Comment by: ellitech
Mahesh,
I believe you are on to something here, quick question, I went and looked like you said:

 Just go to DNS server and under _msdcs.domain.com you should be able to locate DC guid (CNAME) for both DCs

However, there is ONLY one entry there for NTSERVER1, if you ping it resolves to NTSERVER1 as well. Shouldn't there be a second entry there for NTSERVER3?

C:\Documents and Settings\ACCAdmin>ping 75b2ee58-f206-41c7-9c02-b2d286a056f6._msdcs.acc.local

Pinging ntserver1.acc.local [192.168.2.151] with 32 bytes of data:

Reply from 192.168.2.151: bytes=32 time<1ms TTL=128
Reply from 192.168.2.151: bytes=32 time<1ms TTL=128
Reply from 192.168.2.151: bytes=32 time<1ms TTL=128
Reply from 192.168.2.151: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.151:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms


How can I fix this? Your help in this matter Mahesh is greatly appreciated!!

Thanks,

ElliTech
Author Comment by: ellitech
Oh, I checked on NTSERVER1 and NTSERVER3 under DNS and there is only the one entry there as I indicated above...

ElliTech
Author Comment by: ellitech
Mahesh,
I ran the "repadmin /syncall" and got the following error message:

C:\Documents and Settings\ACCAdmin>repadmin /syncall
CALLBACK MESSAGE: Error contacting server 44e3bd77-c272-47c4-9221-854bf4ad5620._msdcs.acc.local (network error): 1722 (0x6ba):
    Can't retrieve message string 1722 (0x6ba), error 1815.
CALLBACK MESSAGE: SyncAll Finished.

Any ideas as to where this is coming from?

ElliTech
Author Comment by: ellitech
I am making progress, I created a CNAME for NTSERVER3 and it will now resolve when it is pinged as per below:

C:\Documents and Settings\ACCAdmin>ping 44e3bd77-c272-47c4-9221-854bf4ad5620._msdcs.acc.local

Pinging ntserver3.acc.local [192.168.2.150] with 32 bytes of data:

Reply from 192.168.2.150: bytes=32 time<1ms TTL=128
Reply from 192.168.2.150: bytes=32 time<1ms TTL=128
Reply from 192.168.2.150: bytes=32 time<1ms TTL=128
Reply from 192.168.2.150: bytes=32 time<1ms TTL=128

Ping statistics for 192.168.2.150:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Author Comment by: ellitech
I used what I found in the result from the command repadmin /syncall that I ran two posts above, is this correct?

I appear to be making progress and need some reassurance from you Mahesh as you seem to understand this very well.

Thank-you Mahesh for taking the time to respond back, your help in this matter is greatly appreciated.

Thanks,

ElliTech
Expert Comment by: Mahesh
If not, then go to AD Sites\sitename\servers\NTSERVER3\NTDS Settings properties, and on the General tab you will find the domain controller's GUID.
Copy that GUID completely and make a new Host (A) record under the _msdcs.domain.com zone if not created earlier.
Once created, check if it is resolving properly.
Also check the DNS records (NS records and Host (A) records) for both DCs on both servers and check if they are correct.

Also log on to both servers one by one.
Navigate to %systemroot%\system32\netlogon.dns and rename that file to netlogon.dns.old, then restart the Netlogon service; this will recreate the netlogon.dns file on the server.

Also try resetting the domain controller computer accounts one by one by following the process mentioned in the article below:
http://support.microsoft.com/kb/325850

The Netdom utility is required for this.

If you already have the Windows 2003 Support Tools installed on the DC, you will find the above tool.
Otherwise download and install the Windows 2003 Support Tools on both DCs prior to following the above KB article:
http://www.microsoft.com/en-in/download/details.aspx?id=15326

Then check if AD replication is working or not... you may delete the connection objects under the NTDS Settings folder and recreate them with "Check Replication Topology".
Also check with the repadmin /showrepl command.

Also check the article below for any other known issues you may find:
http://support.microsoft.com/kb/837513

Mahesh.
Author Comment by: ellitech
Mahesh,
I renamed netlogon.dns on both to .old and then restarted the Netlogon service on each server. I tried 'Replicate now' on each server under NTDS Settings and it worked on both servers.
Then I ran repadmin /showrepl and it works now!!

You're awesome; below is the result.


C:\Documents and Settings\ACCAdmin>repadmin /showrepl

repadmin running command /showrepl against server localhost

Default-First-Site-Name\NTSERVER1
DC Options: IS_GC
Site Options: (none)
DC object GUID: 75b2ee58-f206-41c7-9c02-b2d286a056f6
DC invocationID: c1c52665-17d2-4296-a2fa-0c0a0d4d3787

==== INBOUND NEIGHBORS ======================================

DC=acc,DC=local
    Default-First-Site-Name\NTSERVER3 via RPC
        DC object GUID: 44e3bd77-c272-47c4-9221-854bf4ad5620
        Last attempt @ 2014-04-01 18:02:21 was successful.

CN=Configuration,DC=acc,DC=local
    Default-First-Site-Name\NTSERVER3 via RPC
        DC object GUID: 44e3bd77-c272-47c4-9221-854bf4ad5620
        Last attempt @ 2014-04-01 18:02:21 was successful.

CN=Schema,CN=Configuration,DC=acc,DC=local
    Default-First-Site-Name\NTSERVER3 via RPC
        DC object GUID: 44e3bd77-c272-47c4-9221-854bf4ad5620
        Last attempt @ 2014-04-01 18:02:21 was successful.

DC=ForestDnsZones,DC=acc,DC=local
    Default-First-Site-Name\NTSERVER3 via RPC
        DC object GUID: 44e3bd77-c272-47c4-9221-854bf4ad5620
        Last attempt @ 2014-04-01 18:02:21 was successful.

DC=DomainDnsZones,DC=acc,DC=local
    Default-First-Site-Name\NTSERVER3 via RPC
        DC object GUID: 44e3bd77-c272-47c4-9221-854bf4ad5620
        Last attempt @ 2014-04-01 18:02:21 was successful.


Is there any other commands that I should run to ensure that everything is replicating properly? I really, really appreciate everything that you have done for me, you and others like yourself are the reason why I have been a faithful subscriber now for 7-8 years.

Thanks Mahesh!!

Please let me know if there is anything else that I should run to test dns and replication

Thanks

ElliTech
Author Comment by: ellitech
Mahesh,
There is one last issue. I ran 'repadmin /replsummary' and it comes back clean, but one issue that still needs to be resolved before moving forward with moving the FSMO roles from NTSERVER1 to NTSERVER3 is that the NETLOGON and SYSVOL folders are not being created on NTSERVER3.
I was trying to force an authoritative (D4) and non-authoritative (D2) synchronization between the two DCs, but it does not work.

What is your advice? DCPROMO the DC to demote it, and then DCPROMO the DC to make it a DC again?

Not sure what to do at this point.

Any advice, Mahesh, is greatly appreciated. The DNS replication is working awesome now, as per below:
C:\Documents and Settings\ACCAdmin>repadmin /replsummary
Replication Summary Start Time: 2014-04-01 20:00:53

Beginning data collection for replication summary, this may take awhile:
  .....


Source DC           largest delta  fails/total  %%  error
 NTSERVER1                 14m:08s    0 /   5    0
 NTSERVER3                 06m:34s    0 /   5    0


Destination DC    largest delta    fails/total  %%  error
 NTSERVER1                 06m:34s    0 /   5    0
 NTSERVER3                 14m:08s    0 /   5    0




I appreciate everything that you have done Mahesh, I look forward to hearing back from you on this.

Thanks,

ElliTech
Expert Comment by: arnold
IMHO, while Mahesh's suggestions are excellent and incisive, the issue likely stems from an errant join as a member server, or a transient failure during dcpromo.

As you note, there are still issues. Looking at the Security event log, does it indicate the reason for the netlogon/sysvol replication issues?

One cannot envision all possible issues that might not be visible at the moment but manifest after the role transfer.
Expert Comment by: Mahesh
Ok.

Just run the command below on NTSERVER1 and NTSERVER3 for a SYSVOL replication check:
dcdiag /test:netlogons
This command should fail on NTSERVER3.

Can you also check the net share command on both servers to see whether the sysvol and netlogon folders are shared on both servers, please?

If you don't find any on NTSERVER3, just check if the physical folder exists as
%systemroot%\sysvol, and the size of this folder.

Then compare this size with %systemroot%\Sysvol on NTSERVER1.

Please navigate to sysvol through local paths only.

Also check if the directory structure on NTSERVER3 matches that on NTSERVER1.

If everything matches correctly you can try the following on NTSERVER3:

1. Click Start, click Run, type regedit, and then click OK.
2. Locate the following subkey in Registry Editor:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

3. In the details pane, right-click the SysvolReady flag, and then click Modify.
4. In the Value data box, type 0, and then click OK.
5. Again in the details pane, right-click the SysvolReady flag, and then click Modify.
6. In the Value data box, type 1, and then click OK.
Then check if sysvol and netlogon get shared.
http://support.microsoft.com/kb/947022 - reference article

If the above trick doesn't work, then the only option left is to demote NTSERVER3 gracefully with dcpromo and promote it again.
To do a graceful demotion, first point it to NTSERVER1 in its DNS properties, reboot the server once, and then try to do the graceful demotion with dcpromo.
If the graceful demotion fails, you need to demote it forcefully with dcpromo /forceremoval, which will remove Active Directory from that server forcefully, but its entry remains on NTSERVER1.
Then clear the metadata for the failed server from Active Directory through Ntdsutil:
http://support.microsoft.com/kb/216498

Mahesh.
Author Comment by: ellitech
Mahesh,
I modified the key as mentioned above, and now SYSVOL is there but empty (I imagine this takes a while to replicate).

I am not seeing NETLOGON though...

C:\Documents and Settings\accadmin>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
ACCPub       C:\DFSRoots\ACCPub
The command completed successfully.


C:\Documents and Settings\accadmin>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
ACCPub       C:\DFSRoots\ACCPub
SYSVOL       C:\WINDOWS\SYSVOL\sysvol        Logon server share
The command completed successfully.
Author Comment by: ellitech
Cleaned up...


C:\Documents and Settings\accadmin>net share

Share name   Resource                        Remark

-------------------------------------------------------------------------------
IPC$                                         Remote IPC
ADMIN$       C:\WINDOWS                      Remote Admin
C$           C:\                             Default share
ACCPub       C:\DFSRoots\ACCPub
SYSVOL       C:\WINDOWS\SYSVOL\sysvol        Logon server share
The command completed successfully.
Expert Comment by: Mahesh
Let me know if you are getting event ID 13568 in the File Replication Service event log on NTSERVER3.

You can try a non-authoritative restore of SYSVOL on NTSERVER3.

Please follow the process below on NTSERVER3:
Stop the ntfrs service (File Replication Service).
Locate the following subkey in the registry:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
In the right pane, double-click BurFlags.
In the Edit DWORD Value dialog box, type D2 and then click OK.
Quit Registry Editor, and then switch to the Command box.
In the Command box, type net start ntfrs.
Quit the Command box.

When the FRS service restarts, the following actions occur:
• The value for the BurFlags registry key returns to 0.
• Files in the reinitialized FRS folders are moved to a Pre-existing folder.
• An event 13565 is logged to signal that a nonauthoritative restore is started.
• The FRS database is rebuilt.
• The member performs an initial join of the replica set from an upstream partner or from the computer that is specified in the Replica Set Parent registry key if a parent has been specified for SYSVOL replica sets.
• The reinitialized computer runs a full replication of the affected replica sets when the relevant replication schedule begins.
• When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.

Original MS article:
http://support.microsoft.com/kb/290762
Then check if the Sysvol and netlogon folders are both shared on NTSERVER3.

If the above process did not work, then you can try demoting and promoting the server (NTSERVER3); it will work, hopefully.

If the problem still exists then follow the article below very carefully to rebuild the complete Sysvol from scratch:
http://support.microsoft.com/kb/315457
This process is the last resort; don't do that without the help of a directory specialist \ consultant.

Mahesh
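The D2 procedure above as an added example (my own script, not from the thread or from the KB article): it sets BurFlags through the .NET Registry API, restarts FRS, then polls the File Replication Service log for the 13565/13516 events Mahesh lists (and 13568, the journal-wrap case he asks about) before checking whether the SYSVOL and NETLOGON shares exist. It assumes it runs elevated on the affected DC itself (NTSERVER3 in the thread), with SYSVOL replicated by FRS as on Windows Server 2003; the function name and timeout are my own.

```powershell
# Added example, not from the thread: scripted nonauthoritative (D2) FRS restore of SYSVOL,
# followed by a wait for FRS to report the outcome. Run elevated on the affected DC.

function Start-SysvolNonAuthRestore {
    param([int]$TimeoutMinutes = 30)

    # The key name contains a literal "/", which the HKLM: provider would treat as a path
    # separator, so open it with the .NET Registry API instead of a provider path.
    $subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
    if ($key -eq $null) { throw "BurFlags key not found; is SYSVOL on this DC replicated by FRS?" }

    $started = Get-Date
    Stop-Service -Name ntfrs -Force
    (Get-Service -Name ntfrs).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

    # 0xD2 = nonauthoritative restore; FRS resets the value to 0 after reading it at startup.
    $key.SetValue('BurFlags', 0xD2, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
    Start-Service -Name ntfrs

    # 13565 = restore started, 13516 = FRS operational (SYSVOL ready to share),
    # 13568 = journal wrap, which needs a different fix and is reported as a failure here.
    $watched  = @(13565, 13516, 13568)
    $seen     = @{}
    $outcome  = 'TIMEOUT'
    $deadline = $started.AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 15
        $events = Get-EventLog -LogName 'File Replication Service' -After $started |
                  Where-Object { $watched -contains $_.EventID } | Sort-Object TimeGenerated
        foreach ($e in $events) {
            if (-not $seen.ContainsKey($e.Index)) {
                $seen[$e.Index] = $true
                Write-Host ("{0:u}  FRS event {1}" -f $e.TimeGenerated, $e.EventID)
            }
            if ($e.EventID -eq 13516) { $outcome = 'RESTORED' }
            elseif ($e.EventID -eq 13568 -and $outcome -ne 'RESTORED') { $outcome = 'JOURNAL_WRAP' }
        }
    } while ($outcome -eq 'TIMEOUT' -and (Get-Date) -lt $deadline)

    # The shares Netlogon publishes once SYSVOL is ready; the same check as "net share".
    $shares = Get-WmiObject -Class Win32_Share | Where-Object { @('SYSVOL', 'NETLOGON') -contains $_.Name }
    New-Object PSObject -Property @{
        Outcome = $outcome
        Shares  = (@($shares | ForEach-Object { $_.Name }) -join ',')
    }
}

Start-SysvolNonAuthRestore
```

An Outcome of RESTORED with only SYSVOL in Shares is the state the thread reaches next: FRS has initialized the volume but the scripts folder behind NETLOGON has not replicated in yet.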
Author Comment by: ellitech
The File Replication Service successfully added this computer to the following replica set:
    "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
 
Information related to this event is shown below:
Computer DNS name is "ntserver3.acc.local"
Replica set member name is "NTSERVER3"
Replica set root path is "c:\windows\sysvol\domain"
Replica staging directory path is "c:\windows\sysvol\staging\domain"
Replica working directory path is "c:\windows\ntfrs\jet"

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Author Comment by: ellitech
The File Replication Service is no longer preventing the computer NTSERVER3 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.
 
Type "net share" to check for the SYSVOL share.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Author Comment by: ellitech
C:\Documents and Settings\ACCAdmin>Repadmin /showreps
Default-First-Site-Name\NTSERVER1
DC Options: IS_GC
Site Options: (none)
DC object GUID: 75b2ee58-f206-41c7-9c02-b2d286a056f6
DC invocationID: c1c52665-17d2-4296-a2fa-0c0a0d4d3787

==== INBOUND NEIGHBORS ======================================

DC=acc,DC=local
    Default-First-Site-Name\NTSERVER3 via RPC
        DC object GUID: 44e3bd77-c272-47c4-9221-854bf4ad5620
        Last attempt @ 2014-04-02 18:16:06 was successful.

CN=Configuration,DC=acc,DC=local
    Default-First-Site-Name\NTSERVER3 via RPC
        DC object GUID: 44e3bd77-c272-47c4-9221-854bf4ad5620
        Last attempt @ 2014-04-02 18:09:19 was successful.

CN=Schema,CN=Configuration,DC=acc,DC=local
    Default-First-Site-Name\NTSERVER3 via RPC
        DC object GUID: 44e3bd77-c272-47c4-9221-854bf4ad5620
        Last attempt @ 2014-04-02 18:09:19 was successful.

DC=ForestDnsZones,DC=acc,DC=local
    Default-First-Site-Name\NTSERVER3 via RPC
        DC object GUID: 44e3bd77-c272-47c4-9221-854bf4ad5620
        Last attempt @ 2014-04-02 18:09:19 was successful.

DC=DomainDnsZones,DC=acc,DC=local
    Default-First-Site-Name\NTSERVER3 via RPC
        DC object GUID: 44e3bd77-c272-47c4-9221-854bf4ad5620
        Last attempt @ 2014-04-02 18:09:19 was successful.
0
 

Author Comment

by:ellitech
Still NOT getting the NETLOGON folder on NTSERVER3, and the SYSVOL folder only has a folder of 'acc.local', but it remains empty. I am guessing the next step may be the demotion and promotion of NTSERVER3 using dcpromo.

Any other ideas Mahesh?

Thanks again so much for all of your help.

ElliTech
0
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
Can you check whether sysvol and netlogon are populated correctly on NTSERVER1?

You could please try demoting and promoting the affected DC; hopefully that may resolve the problem.

Also check the sysvol folder structure on NTSERVER1 and check whether there are folders like Policies_NTFRSxxxxxxxx, where xxx represents a GUID.

If you find any, can you please post a screenshot of them?

Most probably those folders are morphed folders and the culprit, and then we can hopefully find a way to resolve the issue.

Also check the path of the netlogon share in compmgmt.msc\shares on NTSERVER1 and check that it is not pointing to any morphed folder.

Check the articles below:
http://www.pcreview.co.uk/forums/fix-morphed-sysvol-folders-policies-and-scripts-t1449599.html
http://social.technet.microsoft.com/Forums/en-US/64721a4c-8699-426e-ad8d-232907931d23/cleaning-up-frs-sysvol-morphed-folders-without-rename?forum=winserverDS

Mahesh.
0
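The checks Mahesh asks for in the last two replies (are SYSVOL and NETLOGON shared, where does NETLOGON point, has FRS logged event 13516, and are there morphed Policies_NTFRS folders) can be run in one pass on the affected DC. This is an added diagnostic script, not code from the thread; the SYSVOL root path is taken from the FRS event text posted above and the `_NTFRS_` name pattern is the standard suffix FRS gives morphed folders.

```powershell
# Added diagnostic script (not from this thread): run on the affected DC,
# e.g. NTSERVER3, in an elevated PowerShell session.
$SysvolRoot = 'C:\Windows\SYSVOL\domain'   # "Replica set root path" from the FRS event above

# 1. Are SYSVOL and NETLOGON shared, and where does NETLOGON point?
#    Win32_Share works on Windows Server 2003 as well as newer releases.
foreach ($name in 'SYSVOL', 'NETLOGON') {
    $share = Get-WmiObject -Class Win32_Share -Filter "Name='$name'"
    if ($share) {
        "{0,-9} shared -> {1}" -f $name, $share.Path
        # A share path containing _NTFRS_ means it points at a morphed folder.
        if ($share.Path -match '_NTFRS_') { "  WARNING: $name points at a morphed folder" }
    }
    else {
        "{0,-9} NOT shared (FRS has not released SYSVOL to Netlogon yet)" -f $name
    }
}

# 2. Has FRS signalled that it is operational (event 13516)?
$frs = Get-EventLog -LogName 'File Replication Service' -Newest 200
$ok  = $frs | Where-Object { $_.EventID -eq 13516 } | Select-Object -First 1
if ($ok) { "FRS event 13516 logged at $($ok.TimeGenerated): FRS is operational" }
else     { "No FRS event 13516 in the last 200 entries: FRS has not finished initialising" }
# Show the most recent FRS warnings/errors, which explain a missing 13516.
$frs | Where-Object { $_.EntryType -ne 'Information' } |
    Select-Object -First 5 -Property TimeGenerated, EventID, EntryType |
    Format-Table -AutoSize

# 3. Morphed folders: FRS renames a conflicting folder to <name>_NTFRS_<guid>.
#    PSIsContainer is used instead of -Directory so this also runs on PowerShell 2.
$morphed = Get-ChildItem -Path $SysvolRoot -Recurse |
    Where-Object { $_.PSIsContainer -and $_.Name -match '_NTFRS_' }
if ($morphed) {
    "Morphed folders found (compare against the other DC before cleaning up):"
    $morphed | ForEach-Object { "  " + $_.FullName }
}
else {
    "No morphed (_NTFRS_) folders under $SysvolRoot"
}
```

Run it on both NTSERVER1 and NTSERVER3 and compare: a NETLOGON share on NTSERVER1 that resolves to a `_NTFRS_` path is exactly the condition Mahesh suspects.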
 

Author Closing Comment

by:ellitech
Thanks, Mahesh, for all of your trouble. I have demoted the server NTSERVER3 back to a member server. I am leaving it this way temporarily and will promote it sometime in the near future.

Thanks for all of your help on this, you have been awesome and I appreciate your patience.

ElliTech
0
