Solved

dcdiag failed for sysvol replication

Posted on 2015-01-05
Last Modified: 2015-01-06
Hi,
Just added 2 new domain controllers to our network recently and so I ran dcdiag to make sure replication was ok and all tests passed except for one.  Message is frsevent there are warning or error events within the last 24 hours after the sysvol has been shared.  Failing sysvol replication problems may cause group policy problems.  I actually saw this error in the past few months and it is the only error that comes up when running dcdiag.  Any ideas on how to correct it?
Question by:dankyle67
LVL 32

Accepted Solution

by:
it_saige earned 500 total points
ID: 40531418
Most likely (since you came from a 2003 Server DC), the jet database used for File Replication Services (FRS) was corrupted on the FRS replica master (not uncommon).  Microsoft has released a TID that addresses reinitializing the FRS replica sets here: http://support.microsoft.com/kb/290762

In a nutshell, the process involves stopping the FRS service, editing the BurFlags setting in the registry and restarting the FRS Service.

If I remember correctly, you have already removed your 2003 Server(s) from the domain and only have 2 2012 DC's.  You first want to ensure that you have stopped and disabled the FRS service on all DC's (with exception to the DC that is running the PDCe FSMO role).  Then on the server that is running the PDCe FSMO role:

1. Stop the FRS service.

2. Modify the registry setting for the BurFlags key using a value of D4.

3. Restart the FRS service.


After you verify successful FRS replica set reinitialization (look for event 13516), on the remaining DC's:

1. Modify the registry setting for the BurFlags key using a value of D2.

2. Re-enable and restart the FRS service.


-saige-
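
The BurFlags procedure from the accepted answer as a script, added here as an example; it is not part of the original post or of KB 290762. It assumes Windows PowerShell run elevated and locally on one DC at a time, the default NtFrs service name, and a 15-minute wait that is an arbitrary choice.

```powershell
# Added example (not from the original thread). Run elevated, locally, one DC at a time.
# Before the authoritative run, FRS must already be stopped and disabled on every
# other DC, as the answer describes; this script does not do that for you.
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Authoritative', 'NonAuthoritative')]
    [string]$Mode
)

# D4 = authoritative (PDCe role holder only), D2 = non-authoritative (every other DC)
$burFlags = if ($Mode -eq 'Authoritative') { 0xD4 } else { 0xD2 }

# The key name "Backup/Restore" contains a forward slash, which the PowerShell
# registry provider treats as a path separator, so use the .NET registry API.
$subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

$started = Get-Date
Stop-Service -Name NtFrs -Force

$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
if ($null -eq $key) { throw "Registry key not found: HKLM\$subKey" }
try {
    $key.SetValue('BurFlags', $burFlags, [Microsoft.Win32.RegistryValueKind]::DWord)
} finally {
    $key.Close()
}

# The other DCs had the service disabled in the first step, so re-enable it here.
Set-Service -Name NtFrs -StartupType Automatic
Start-Service -Name NtFrs

# Poll the FRS event log for 13516 (timeout of 15 minutes is an assumed value).
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 30
    $hit = @(Get-EventLog -LogName 'File Replication Service' -After $started `
                 -ErrorAction SilentlyContinue |
             Where-Object { $_.EventID -eq 13516 })
} until ($hit.Count -gt 0 -or (Get-Date) -gt $deadline)

if ($hit.Count -gt 0) {
    "Event 13516 logged at $($hit[0].TimeGenerated); safe to move on to the next DC."
} else {
    Write-Warning 'No event 13516 yet; check the File Replication Service log before touching the next DC.'
}
```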

Author Comment

by:dankyle67
ID: 40531475
Hi, we still have 2 2003 domain controllers since there are still some legacy apps running on them that we haven't decided yet on how to proceed on moving them off to another server.  Will the instructions you provided still apply if we have the 2003 domain controllers still on the network?  As I mentioned, a few months ago prior to the extending of the schema to accommodate the promotion of the 2012 domain controller, I had run dcdiag a few times then and had already gotten the sysvol frs error.  Aside from group policy issues, is there anything major that would occur if I didn't correct this sysvol replication issue?
LVL 32

Expert Comment

by:it_saige
ID: 40531483
Yes, they still apply to the 2003 domain controllers.  Just make sure that you follow the instructions.  Start with stopping and disabling the FRS on all DC's except the PDCe FSMO role holder and so forth and so on.

-saige-

Author Comment

by:dankyle67
ID: 40531494
Can I do this when users are on the system or should I wait till after hours?
LVL 32

Expert Comment

by:it_saige
ID: 40531514
You can definitely do this while users are logged in.

-saige-

Author Comment

by:dankyle67
ID: 40532409
Ok just finished the process and looks good.  Is there a single test that will verify frs is good on all domain controllers?  I ran dcdiag on each one and no errors this time with frs sysvol sharing so I guess it's good.
LVL 32

Expert Comment

by:it_saige
ID: 40532419
You can download the File Replication Service Diagnostics Tool: http://www.microsoft.com/en-us/download/details.aspx?id=8613

I would also recommend reading this blog entry from the Directory Services Team: How to get the most from your FRSDiag…

You can also validate the FRS Event Log entries: http://msdn.microsoft.com/en-us/library/bb727056.aspx

And check the status of your SYSVOL and NETLOGON shares: http://technet.microsoft.com/en-us/library/cc728051%28v=ws.10%29.aspx

-saige-

Author Comment

by:dankyle67
ID: 40532632
Ok just one other thing, I ran dcdiag again and all tests passed except now I see it gave message about system log failed test.  When I looked at event viewer system log, it references something about not being able to communicate using dcom on computer 8.8.8.8 which is google dns.  Any ideas on how to fix this?
LVL 32

Expert Comment

by:it_saige
ID: 40532689
Do you have the Google DNS server in the IP settings for any of your server NICs?  If you do, this is wrong.  Your servers' NICs should give preference to internal DNS servers, while your DNS servers should forward to external DNS servers.

-saige-

Author Comment

by:dankyle67
ID: 40532711
You were correct. One of the DNS servers had the Google ip as alternate DNS server so once I changed it to one of the other DNS servers the dcdiag ran error free. Is it better to have the primary DNS as one of the other servers and the alternate as pointing to itself on nic card settings of DNS server?
LVL 32

Expert Comment

by:it_saige
ID: 40533475
There are two primary thought processes when it comes to assigning Primary/Secondary (Tertiary, Quaternary, etc.) DNS servers.  And both of these thought processes are based on a simple question: Can my DNS server end up on an island?

With the way Microsoft DNS operates and integrates with AD, the answer is simple:  It really does not matter which configuration you use.

1. Primary DNS is Local Server IP; Secondary/Tertiary/Quaternary DNS are additional DC's running DNS.

2. Primary DNS is Additional DC running DNS; Secondary/Tertiary/Quaternary DNS are additional DC's running DNS with one of them being the Local Server IP.


One thing you do want to keep in mind is that there is not a consensus (not even within the Microsoft Active Directory team).
From the Active Directory team at Microsoft:

It depends on who you ask. :-) We in MS have been arguing this amongst ourselves for 11 years now. Here are the general guidelines that the Microsoft AD and Networking Support teams give to customers, based on our not inconsiderable experience with customers and their CritSits:
 1. If a DC is hosting DNS, it should point to itself at least somewhere in the client list of DNS servers.
 2. If at all possible on a DC, client DNS should point to another DNS server as primary and itself as secondary or tertiary. It should not point to self as primary due to various DNS islanding and performance issues that can occur. (This is where the arguments usually start)
 3. When referencing a DNS server on itself, a DNS client should always use a loopback address and not a real IP address.
 4. Unless there is a valid reason not to that you can concretely explain with more pros than cons, all DC’s in a domain should be running DNS and hosting at least their own DNS zone; all DC’s in the forest should be hosting the _MSDCS zones. This is default when DNS is configured on a new Win2003 or later forest’s DC’s. (Lots more arguments here).
 5. DC’s should have at least two DNS client entries.
 6. Clients should have these DNS servers specified via DHCP or by deploying via group policy/group policy preferences, to avoid admin errors; both of those scenarios allow you to align your clients with subnets, and therefore specific DNS servers. Having all the clients & members point to the same one or two DNS servers will eventually lead to an outage and a conversation with us and your manager. If every DC is a DNS server, clients can be fine-tuned to keep their traffic as local as possible and DNS will be highly available with special work or maintenance. It also means that branch offices can survive WAN outages and keep working, if they have local DC’s running DNS.
 7. We don’t care if you use Windows or 3rd party DNS. It’s no skin off our nose: you already paid us for the DC’s and we certainly don’t need you to buy DNS-only Windows servers. But we won’t be able to assist you with your BIND server, and their free product’s support is not free.
 8. (Other things I didn’t say that are people’s pet peeves, leading to even more arguments).

 There are plans afoot to consolidate all this info, expand it, and get our message consistent and consolidated. This has started in the Windows Server 2008 R2 BPA for DNS. We also recently released a new namespace planning site that explains and prevents some design pitfalls:

DNS Namespace Planning Solution Center
http://support.microsoft.com/namespace

 And we offer this great guide and portal site:

Creating a DNS Infrastructure Design
http://technet.microsoft.com/en-us/library/cc725625(WS.10).aspx

 DNS Portal
http://technet.microsoft.com/en-us/network/bb629410.aspx
Source

Best Practices for Active Directory-Integrated DNS
DNS best practices
Verifying Your Basic DNS Configuration

From my personal experience, I have tried both ways and ultimately found that both can work equally well depending upon the circumstances of their configuration (Single Site/Single Domain, Multi Site/Single Domain, Single Site/Multi Domain, Multi Site/Multi Domain).

-saige-
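
A check for the DNS client settings discussed in this thread (the 8.8.8.8 alternate and guidelines 1, 2, 3 and 5 quoted above), added here as an example and not part of the original posts. The function name `Test-DcDnsClientList` is hypothetical, and it assumes internal DNS servers use RFC 1918 IPv4 addresses.

```powershell
# Added example, not from the thread. Flags the DNS client settings discussed above.
function Test-DcDnsClientList {
    param(
        [string[]]$Servers,       # DNS servers in NIC order (primary first)
        [string[]]$OwnAddresses   # this DC's own non-loopback IPv4 addresses
    )
    # Assumption: internal DNS servers live in RFC 1918 space (or loopback).
    $internal = '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
    $self = @('127.0.0.1') + $OwnAddresses

    if ($Servers.Count -lt 2) { 'Fewer than two DNS client entries (guideline 5)' }
    if (-not ($Servers | Where-Object { $self -contains $_ })) {
        'DC does not list itself anywhere (guideline 1)'
    }
    if ($Servers.Count -gt 0 -and $self -contains $Servers[0]) {
        'DC points to itself as primary (guideline 2, the contested one)'
    }
    if ($Servers | Where-Object { $OwnAddresses -contains $_ }) {
        'DC references itself by real IP instead of loopback (guideline 3)'
    }
    foreach ($s in $Servers) {
        if ($s -notmatch $internal) {
            "External resolver $s on the NIC; configure it as a DNS forwarder instead"
        }
    }
}

# Constructed sample matching the thread: internal DC first, Google DNS as alternate.
Test-DcDnsClientList -Servers '10.0.0.11', '8.8.8.8' -OwnAddresses '10.0.0.12'

# Live check on Windows Server 2012 or later (DnsClient and NetTCPIP modules).
$own = @(Get-NetIPAddress -AddressFamily IPv4 |
         Where-Object { $_.IPAddress -ne '127.0.0.1' } |
         ForEach-Object { $_.IPAddress })
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses } |
    ForEach-Object {
        $nic = $_.InterfaceAlias
        Test-DcDnsClientList -Servers $_.ServerAddresses -OwnAddresses $own |
            ForEach-Object { "${nic}: $_" }
    }
```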

Author Comment

by:dankyle67
ID: 40533597
Thanks again.  Lots of informative insights and you made the DNS process a lot clearer to me.