dcdiag failed for sysvol replication

Hi,
I just added 2 new domain controllers to our network recently and so I ran dcdiag to make sure replication was ok and all tests passed except for one.  The message is: FrsEvent: there are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause group policy problems.  I actually saw this error in the past few months and it is the only error that comes up when running dcdiag.  Any ideas on how to correct it?
dankyle67 Asked:

it_saige (Developer) Commented:
Most likely (since you came from a 2003 Server DC), the jet database used for File Replication Service (FRS) was corrupted on the FRS replica master (not uncommon).  Microsoft has released a TID that addresses reinitializing the FRS replica sets here: http://support.microsoft.com/kb/290762

In a nutshell, the process involves stopping the FRS service, editing the BurFlags setting in the registry and restarting the FRS Service.

If I remember correctly, you have already removed your 2003 Server(s) from the domain and only have 2 2012 DCs.  You first want to ensure that you have stopped and disabled the FRS service on all DCs (with the exception of the DC that is running the PDCe FSMO role).  Then on the server that is running the PDCe FSMO role:

1. Stop the FRS service.

2. Modify the registry setting for the BurFlags key using a value of D4.

3. Restart the FRS service.


After you verify successful FRS replica set reinitialization (look for event 13516), on the remaining DCs:

1. Modify the registry setting for the BurFlags key using a value of D2.

2. Re-enable and restart the FRS service.


-saige-
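The BurFlags procedure from the answer above, scripted in PowerShell. This is an added example, not code from the thread or from KB 290762; it assumes the FRS service name NtFrs, the registry key path documented in that KB, and that it is run in an elevated session on each DC in the order the answer gives (disable FRS on the non-PDCe DCs, D4 on the PDCe, wait for event 13516, then D2 on the remaining DCs). The .NET registry API is used because the key name contains a forward slash, which the PowerShell registry provider treats as a path separator.

```powershell
# Added example (not from the original thread): drive the FRS reinitialization
# described in the answer above. Run elevated on each DC, one at a time.

# Key path from KB 290762; the "/" in "Backup/Restore" is literal, so the .NET
# API is used rather than the HKLM: provider.
$FrsKeyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Set-FrsServiceState {
    # Step 0 on every DC except the PDCe: stop and disable FRS.
    # Later, on those same DCs, re-enable it with -Enabled.
    param([switch]$Enabled)
    if ($Enabled) {
        Set-Service -Name NtFrs -StartupType Automatic
        Start-Service -Name NtFrs
    } else {
        Stop-Service -Name NtFrs -Force
        Set-Service -Name NtFrs -StartupType Disabled
    }
}

function Set-FrsBurFlags {
    # Stop FRS, write BurFlags, restart FRS.
    # D4 = authoritative restore (use on the PDCe only)
    # D2 = non-authoritative restore (use on every other DC afterwards)
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Authoritative', 'NonAuthoritative')]
        [string]$Mode
    )
    $value = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }

    Stop-Service -Name NtFrs -Force
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($FrsKeyPath, $true)
    if (-not $key) { throw "FRS registry key not found: HKLM\$FrsKeyPath" }
    try {
        $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
    Set-Service -Name NtFrs -StartupType Automatic
    Start-Service -Name NtFrs
    "BurFlags set to 0x{0:X} and NtFrs restarted" -f $value
}

function Wait-FrsInitEvent {
    # Poll the File Replication Service log for event 13516 (SYSVOL shared,
    # replica set initialized), which the answer says to look for before
    # moving on to the remaining DCs.
    param(
        [Parameter(Mandatory)][datetime]$Since,
        [int]$TimeoutMinutes = 15
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $evt = Get-WinEvent -FilterHashtable @{
                   LogName = 'File Replication Service'
                   ProviderName = 'NtFrs'
                   Id = 13516
                   StartTime = $Since
               } -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($evt) { return $evt }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    return $null
}

function Test-SysvolShares {
    # After reinitialization, confirm SYSVOL and NETLOGON are shared again.
    $shares = Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue
    return ($shares.Count -eq 2)
}

# --- Usage (uncomment on the appropriate DC) ---
# On every non-PDCe DC first:
#   Set-FrsServiceState
# On the PDCe:
#   $t0 = Get-Date
#   Set-FrsBurFlags -Mode Authoritative
#   if (-not (Wait-FrsInitEvent -Since $t0)) { throw 'Event 13516 not seen; do not continue' }
#   Test-SysvolShares
# Then on each remaining DC:
#   $t0 = Get-Date
#   Set-FrsBurFlags -Mode NonAuthoritative
#   Wait-FrsInitEvent -Since $t0; Test-SysvolShares
```

`Set-FrsBurFlags` re-enables the service start type before starting it so the non-PDCe DCs, which were disabled in the first step, come back with the D2 value in one call.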
dankyle67 (Author) Commented:
Hi, we still have 2 2003 domain controllers since there are still some legacy apps running on them that we haven't decided yet on how to proceed on moving them off to another server.  Will the instructions you provided still apply if we have the 2003 domain controllers still on the network?  As I mentioned, a few months ago, prior to extending the schema to accommodate the promotion of the 2012 domain controller, I had run dcdiag a few times and had already gotten the SYSVOL FRS error.  Aside from group policy issues, is there anything major that would occur if I didn't correct this SYSVOL replication issue?
it_saige (Developer) Commented:
Yes, they still apply to the 2003 domain controllers.  Just make sure that you follow the instructions.  Start with stopping and disabling FRS on all DCs except the PDCe FSMO role holder, and so forth and so on.

-saige-
dankyle67 (Author) Commented:
Can I do this when users are on the system or should I wait till after hours?
it_saige (Developer) Commented:
You can definitely do this while users are logged in.

-saige-
dankyle67 (Author) Commented:
Ok, just finished the process and it looks good.  Is there a single test that will verify FRS is good on all domain controllers?  I ran dcdiag on each one and no errors this time with FRS SYSVOL sharing, so I guess it's good.
it_saige (Developer) Commented:
You can download the File Replication Service Diagnostics Tool: http://www.microsoft.com/en-us/download/details.aspx?id=8613

I would also recommend reading this blog entry from the Directory Services Team: How to get the most from your FRSDiag…

You can also validate the FRS Event Log entries: http://msdn.microsoft.com/en-us/library/bb727056.aspx

And check the status of your SYSVOL and NETLOGON shares: http://technet.microsoft.com/en-us/library/cc728051%28v=ws.10%29.aspx

-saige-
dankyle67 (Author) Commented:
Ok, just one other thing: I ran dcdiag again and all tests passed, except now I see it gave a message about the system log failed test.  When I looked at the event viewer system log, it references something about not being able to communicate using DCOM on computer 8.8.8.8, which is Google DNS.  Any ideas on how to fix this?
it_saige (Developer) Commented:
Do you have the Google DNS server in the IP settings for any of your servers' NICs?  If you do, this is wrong.  Your servers' NICs should prefer internal DNS servers, while your DNS servers should forward to external DNS servers.

-saige-
dankyle67 (Author) Commented:
You were correct. One of the DNS servers had the Google ip as alternate DNS server so once I changed it to one of the other DNS servers the dcdiag ran error free. Is it better to have the primary DNS as one of the other servers and the alternate as pointing to itself on nic card settings of DNS server?
it_saige (Developer) Commented:
There are two primary thought processes when it comes to assigning Primary/Secondary (Tertiary, Quaternary, etc.) DNS servers.  And both of these thought processes are based on a simple question: Can my DNS server end up on an island?

With the way Microsoft DNS operates and integrates with AD, the answer is simple:  It really does not matter which configuration you use.

1. Primary DNS is the Local Server IP; Secondary/Tertiary/Quaternary DNS are additional DCs running DNS.

2. Primary DNS is an Additional DC running DNS; Secondary/Tertiary/Quaternary DNS are additional DCs running DNS with one of them being the Local Server IP.


One thing you do want to keep in mind is that there is not a consensus (not even within the Microsoft Active Directory team).
From the Active Directory team at Microsoft:

It depends on who you ask. :-) We in MS have been arguing this amongst ourselves for 11 years now. Here are the general guidelines that the Microsoft AD and Networking Support teams give to customers, based on our not inconsiderable experience with customers and their CritSits:

1. If a DC is hosting DNS, it should point to itself at least somewhere in the client list of DNS servers.

2. If at all possible on a DC, client DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. (This is where the arguments usually start)

3. When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address.

4. Unless there is a valid reason not to that you can concretely explain with more pros than cons, all DC's in a domain should be running DNS and hosting at least their own DNS zone; all DC's in the forest should be hosting the _MSDCS zones. This is default when DNS is configured on a new Win2003 or later forest's DC's. (Lots more arguments here).

5. DC's should have at least two DNS client entries.

6. Clients should have these DNS servers specified via DHCP or by deploying via group policy/group policy preferences, to avoid admin errors; both of those scenarios allow you to align your clients with subnets, and therefore specific DNS servers. Having all the clients & members point to the same one or two DNS servers will eventually lead to an outage and a conversation with us and your manager. If every DC is a DNS server, clients can be fine-tuned to keep their traffic as local as possible and DNS will be highly available with special work or maintenance. It also means that branch offices can survive WAN outages and keep working, if they have local DC's running DNS.

7. We don't care if you use Windows or 3rd party DNS. It's no skin off our nose: you already paid us for the DC's and we certainly don't need you to buy DNS-only Windows servers. But we won't be able to assist you with your BIND server, and their free product's support is not free.

8. (Other things I didn't say that are people's pet peeves, leading to even more arguments).

There are plans afoot to consolidate all this info, expand it, and get our message consistent and consolidated. This has started in the Windows Server 2008 R2 BPA for DNS. We also recently released a new namespace planning site that explains and prevents some design pitfalls:

DNS Namespace Planning Solution Center
http://support.microsoft.com/namespace

And we offer this great guide and portal site:

Creating a DNS Infrastructure Design
http://technet.microsoft.com/en-us/library/cc725625(WS.10).aspx

DNS Portal
http://technet.microsoft.com/en-us/network/bb629410.aspx
Source

Best Practices for Active Directory-Integrated DNS
DNS best practices
Verifying Your Basic DNS Configuration

From my personal experience, I have tried both ways and ultimately found that both can work equally well depending upon the circumstances of their configuration (Single Site/Single Domain, Multi Site/Single Domain, Single Site/Multi Domain, Multi Site/Multi Domain).

-saige-
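An audit script for the DNS client settings on a DC, covering both the point made earlier in the thread (an external resolver such as 8.8.8.8 on a DC's NIC, which the answer calls wrong, makes dcdiag's system log test fail) and the numbered guidelines quoted above (self somewhere in the list but preferably not first, loopback rather than a real IP for self, at least two entries). This is an added example, not code from the thread or from Microsoft; it assumes the DnsClient and NetTCPIP modules that ship with Windows Server 2012 and later, takes the list of internal DNS servers as a parameter, and accepts a constructed server list so the checks can be exercised without touching a live DC. The sample run at the bottom uses the configuration the asker described (Google's 8.8.8.8 as alternate), which is reconstructed for illustration.

```powershell
# Added example (not from the original thread): audit a DC's DNS client list
# against the guidelines quoted in the answer above.

function Test-DcDnsClientConfig {
    param(
        # IPv4 addresses of the internal DCs running DNS (the only servers a
        # DC NIC should point at; external resolvers belong in forwarders).
        [Parameter(Mandatory)][string[]]$InternalDnsServers,

        # Override for testing. When omitted, the live NIC configuration is read.
        [string[]]$ConfiguredServers,

        # Override for testing. When omitted, the local IPv4 addresses are read.
        [string[]]$LocalAddresses
    )

    if (-not $ConfiguredServers) {
        $ConfiguredServers = Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses } |
            ForEach-Object { $_.ServerAddresses } |
            Select-Object -Unique
    }
    if (-not $LocalAddresses) {
        $LocalAddresses = (Get-NetIPAddress -AddressFamily IPv4).IPAddress
    }

    $loopback = '127.0.0.1'
    $allowed  = @($InternalDnsServers) + $loopback
    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($server in $ConfiguredServers) {
        # The failure from the thread: a public resolver on a DC NIC.
        if ($server -notin $allowed -and $server -notin $LocalAddresses) {
            $findings.Add("ERROR: $server is not an internal DNS server; remove it from the NIC and forward to it from the DNS server instead")
        }
        # Guideline 3: reference yourself via loopback, not a real IP.
        if ($server -in $LocalAddresses) {
            $findings.Add("WARN: self reference uses real IP $server; use $loopback instead")
        }
    }

    $pointsToSelf = $ConfiguredServers | Where-Object { $_ -eq $loopback -or $_ -in $LocalAddresses }

    # Guideline 1: a DC hosting DNS points to itself somewhere in the list.
    if (-not $pointsToSelf) {
        $findings.Add('WARN: DC does not point to itself anywhere in its DNS client list')
    }
    # Guideline 2: another DC as primary, self as secondary or later.
    if ($ConfiguredServers.Count -gt 0 -and
        ($ConfiguredServers[0] -eq $loopback -or $ConfiguredServers[0] -in $LocalAddresses)) {
        $findings.Add('INFO: self is primary; the quoted guidance prefers another DC first (both orders work, per the answer)')
    }
    # Guideline 5: at least two entries.
    if ($ConfiguredServers.Count -lt 2) {
        $findings.Add('WARN: fewer than two DNS client entries; a DC should list at least two')
    }

    if ($findings.Count -eq 0) { $findings.Add('OK: DNS client list matches the guidelines') }
    return $findings
}

# Constructed sample input: the configuration described in the thread, where a
# DC's alternate DNS pointed at Google. Replace the addresses with your own.
$internalDns = @('10.0.0.11', '10.0.0.12')   # hypothetical DCs running DNS
$thisDc      = @('10.0.0.11')                # hypothetical local address
$before      = @('10.0.0.11', '8.8.8.8')     # as described by the asker
$after       = @('10.0.0.12', '127.0.0.1')   # other DC primary, loopback self

"--- before ---"; Test-DcDnsClientConfig -InternalDnsServers $internalDns -ConfiguredServers $before -LocalAddresses $thisDc
"--- after ----"; Test-DcDnsClientConfig -InternalDnsServers $internalDns -ConfiguredServers $after  -LocalAddresses $thisDc

# Live check on the DC itself (no overrides), and where the external resolver
# should actually live: the DNS server's forwarders.
#   Test-DcDnsClientConfig -InternalDnsServers $internalDns
#   (Get-DnsServerForwarder).IPAddress     # DnsServer module, 2012+
```

The "before" run reports `8.8.8.8` as an error and the real-IP self reference as a warning; the "after" run reports only OK. The self-as-primary check is reported as informational rather than as a fault, matching the answer's point that both orderings work.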
dankyle67 (Author) Commented:
Thanks again.  Lots of informative insights, and you made the DNS process a lot clearer to me.