Solved

DC is not replicating SysVol

Posted on 2015-01-22
34
288 Views
Last Modified: 2015-01-29
I have a two-DC Server 2012 environment that was initially a 2008 domain. I have one domain controller that is not replicating the SysVol folder. The DC with all the roles is just fine; I can put a test text file in the policy folder and it will show up in the domain policy folder, but it will not show up in the second DC's policy folder. This is having a huge impact on GP settings on my workstations. I am attaching a GP health report to aid in the troubleshooting. One suggestion that I had received was to migrate the replication from FRS to DFSR, but since this started out as a 2008 domain, would it not already be using DFSR, and is there a way to check what the domain is using to replicate?
0
Question by:Kelly-Brady
34 Comments
 

Author Comment

by:Kelly-Brady
ID: 40564980
Here is the health report
Policy-Manager----GPO-Health-Results-Red
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40565070
You can check under the DFS Management console. If sysvol replication uses DFSR, then it will show there as one of the replication volumes. Or, if the dfsrmig /getglobalstate command shows 'Eliminated', then it's DFSR.

If your domain functional level is still 2003, I guess it's using FRS, not DFSR

If it's still using FRS, then this troubleshooting guide will help;
https://msdn.microsoft.com/en-us/library/bb727056.aspx

Until you fix the problem, you can just copy the policy files to the troubled server. Copy the policy files to the sysvol location. Then you can connect to the troubled DC (GPMC, right-click the domain, 'Change Domain Controller') to see if the copied policy files can be browsed.
0
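The check crcsupport describes (DFS Management console, or dfsrmig /getglobalstate) can be scripted. The following is an added example, not code from the thread: it asks dfsrmig for the migration state and also looks for the AD objects that describe an FRS- or DFSR-replicated SYSVOL, so it still gives an answer when dfsrmig is absent or its output is not in the expected form. It assumes the ActiveDirectory module (RSAT) is installed and the account can read CN=System.

```powershell
# Added example, not from the thread: report which engine replicates SYSVOL (FRS or DFSR).
# Assumes the ActiveDirectory module (RSAT) is installed and the account can read CN=System.
Import-Module ActiveDirectory

function Get-SysvolReplicationEngine {
    [CmdletBinding()]
    param()

    $domain   = Get-ADDomain
    $systemDn = "CN=System,$($domain.DistinguishedName)"

    # A DFSR-replicated SYSVOL is described by a replication group named "Domain System Volume"
    # under CN=DFSR-GlobalSettings,CN=System.
    $dfsrSysvol = Get-ADObject -LDAPFilter '(&(objectClass=msDFSR-ReplicationGroup)(cn=Domain System Volume))' `
                               -SearchBase "CN=DFSR-GlobalSettings,$systemDn" -ErrorAction SilentlyContinue

    # An FRS-replicated SYSVOL is described by an nTFRSReplicaSet under CN=File Replication Service,CN=System.
    $frsSysvol  = Get-ADObject -LDAPFilter '(objectClass=nTFRSReplicaSet)' `
                               -SearchBase "CN=File Replication Service,$systemDn" -ErrorAction SilentlyContinue

    # dfsrmig /getglobalstate prints the migration state: 'Start' means FRS, 'Eliminated' means DFSR only,
    # 'Prepared' and 'Redirected' are the intermediate states of a migration in progress.
    $migOutput = try { (& dfsrmig.exe /getglobalstate 2>&1) -join "`n" } catch { '' }
    $migState  = if ($migOutput -match "state:\s*'?(Start|Prepared|Redirected|Eliminated)'?") { $Matches[1] } else { 'Unknown' }

    $engine = switch ($migState) {
        'Eliminated' { 'DFSR' }
        'Start'      { 'FRS' }
        'Unknown'    {
            # Fall back to the AD objects when dfsrmig gave no usable answer.
            if ($dfsrSysvol -and -not $frsSysvol) { 'DFSR' }
            elseif ($frsSysvol -and -not $dfsrSysvol) { 'FRS' }
            else { 'Undetermined' }
        }
        default      { "Migrating ($migState)" }
    }

    [PSCustomObject]@{
        Domain          = $domain.DNSRoot
        FunctionalLevel = $domain.DomainMode
        MigrationState  = $migState
        DfsrObjectFound = [bool]$dfsrSysvol
        FrsObjectFound  = [bool]$frsSysvol
        DfsrService     = (Get-Service -Name DFSR  -ErrorAction SilentlyContinue).Status
        NtfrsService    = (Get-Service -Name NTFRS -ErrorAction SilentlyContinue).Status
        Engine          = $engine
    }
}

Get-SysvolReplicationEngine | Format-List
```

A domain that was raised from 2008 without ever running dfsrmig will report 'Start' and an nTFRSReplicaSet object, which is exactly the case the question asks about; the functional level alone does not tell you, because the migration is a separate step.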
 
LVL 1

Expert Comment

by:crcsupport
ID: 40565107
I'm also interested in this topic. I was able to troubleshoot DFSR issues, some of them, but I'm not familiar with FRS. I'll keep my eyes on this topic. Maybe some other experts can help.
0
 

Author Comment

by:Kelly-Brady
ID: 40565109
OK, it is there, and this is what I get when I run the report using that console.
Health-Domain-Redacted.pdf
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40565130
OK, then you use DFSR. Is DC1 the troubled one, not receiving replication?
Run dcdiag /s:dc1 from dc2 and run dcdiag /s:dc1 from dc1. Can you post them here?

DC1 shows 'server unavailable for reporting' and the DFSR service restarting; it has some problem.
Also, check that the DFS and DFSR services are OK.
0
 

Author Comment

by:Kelly-Brady
ID: 40565166
No, the troubled one is DC02, and I will run those now.
0
 

Author Comment

by:Kelly-Brady
ID: 40565242
Here are the dcdiag results from both of the DCs, run against both of the DCs.
DC01-To-DC01.txt
DC01-to-DC02.txt
DC02-to-DC01.txt
DC02-to-DC02.txt
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40565259
DC2 to DC1,
----------
Performing initial setup:
   Ldap search capability attribute search failed on server dc01.xxxxxxxx.local,
   return value = 81
   The host dc01.xxxxxxxx.local could not be resolved to an IP address. Check the
   DNS server, DHCP, server name, etc.
-----------------
Did you check the DNS records and SRV records in your DNS server?

Check the A record for DC01.
Check the SRV records in _sites/Default_First_Site/_tcp and make sure your two DCs are listed for ldap and kerberos.

Then turn off the firewall setting on DC01, and run replication from DC01:
dfsrdiag syncnow /rgname:"Domain System Volume" /partner:DC02 /time:15 /v
Then check if sysvol is replicated.
0
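The dcdiag failure quoted above (return value 81, LDAP_SERVER_DOWN, because the partner's name could not be resolved) is a DNS problem before it is a replication problem. The following is an added example, not code from the thread: it checks the A record of each DC and the _ldap/_kerberos SRV records in the domain, _msdcs and site zones that crcsupport asks about, and also flags SRV targets that point at hosts that are no longer DCs, the leftover records the author later removed. Host names, domain and site name are parameters; the values in the usage line are placeholders.

```powershell
# Added example, not from the thread: check the DNS records each DC needs for LDAP and Kerberos
# (A record plus the _ldap/_kerberos SRV records in the domain, _msdcs and site zones) and flag stale entries.
function Test-DcDnsRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$DcHostName,      # fully qualified, e.g. dc01.example.local
        [Parameter(Mandatory)][string]$DomainName,        # e.g. example.local
        [string]$SiteName = 'Default-First-Site-Name',    # the site whose _sites records should list the DCs
        [string]$DnsServer                                # optional: ask one specific DNS server
    )

    $dnsArgs = @{ ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $dnsArgs['Server'] = $DnsServer }
    $expected = $DcHostName | ForEach-Object { $_.TrimEnd('.').ToLower() }

    # 1. Every DC must have an A record; dcdiag "return value = 81" together with
    #    "could not be resolved to an IP address" is exactly this failure.
    foreach ($dc in $expected) {
        $a = Resolve-DnsName -Name $dc -Type A @dnsArgs | Where-Object Type -eq 'A'
        [PSCustomObject]@{
            Check  = 'A'; Name = $dc; Target = '-'
            Status = if ($a) { 'OK' } else { 'MISSING' }
            Detail = if ($a) { $a.IPAddress -join ',' } else { '' }
        }
    }

    # 2. SRV records that clients and DCs use to locate LDAP and Kerberos, domain-wide and per site.
    $srvNames = @(
        "_ldap._tcp.$DomainName",
        "_kerberos._tcp.$DomainName",
        "_ldap._tcp.dc._msdcs.$DomainName",
        "_ldap._tcp.$SiteName._sites.$DomainName",
        "_kerberos._tcp.$SiteName._sites.$DomainName"
    )
    foreach ($srv in $srvNames) {
        $targets = Resolve-DnsName -Name $srv -Type SRV @dnsArgs |
                   Where-Object Type -eq 'SRV' |
                   ForEach-Object { $_.NameTarget.TrimEnd('.').ToLower() }
        foreach ($dc in $expected) {
            [PSCustomObject]@{
                Check  = 'SRV'; Name = $srv; Target = $dc
                Status = if ($targets -contains $dc) { 'OK' } else { 'MISSING' }
                Detail = ''
            }
        }
        # Targets that are not current DCs are leftovers (for instance from a demoted DC) and
        # should be removed from the zone, as the thread's author did.
        foreach ($stale in ($targets | Where-Object { $_ -notin $expected })) {
            [PSCustomObject]@{ Check = 'SRV'; Name = $srv; Target = $stale; Status = 'STALE'; Detail = '' }
        }
    }
}

# Usage (placeholder names): show only what needs attention.
Test-DcDnsRecords -DcHostName 'dc01.example.local', 'dc02.example.local' -DomainName 'example.local' |
    Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Run it once against each DC's own preferred DNS server (the -DnsServer parameter), because a DC that points at a stale or non-AD resolver will fail dcdiag even when the zone itself is correct.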
 
LVL 1

Expert Comment

by:crcsupport
ID: 40565313
Also, there's a DFSR log in c:\windows\debug. It may tell you more about what's causing it.
0
 

Author Comment

by:Kelly-Brady
ID: 40565328
I checked, and other than some old SRV records from a previous DC it all looked good. I did remove the old records while I was in there.
0
 

Author Comment

by:Kelly-Brady
ID: 40565345
I will attach the log and maybe something will jump out at you. I am looking up a few of the errors now.
Dfsr00132.log
0
 
LVL 1

Accepted Solution

by:crcsupport (earned 500 total points)
ID: 40565602
Try to force authoritative sysvol replication.
For example, if DC02 has the most up-to-date GPOs (usually the PDC emulator), then you replicate from this server to DC01.

By making msDFSR-Options=1, you make the server authoritative and replicate.
Sometimes, when a non-authoritative server thinks it's authoritative, it tries to replicate sysvol, but then finds that the GPO version it has is older than the other DCs', and replication fails.

This authoritative sysvol replication procedure will eliminate that possible cause.

I recommend leaving msDFSR-Options=1 for DC2 (authoritative, usually the PDC emulator master role) and msDFSR-Options=0 (non-authoritative) for the other, so that your DCs don't get confused when some connection problem happens.

http://support.microsoft.com/kb/2218556/en-US

While you're following the instructions, you have to force AD replication. If you don't do this, the DCs will not get the change you made in ADSIEDIT, and the 'dfsrdiag PollAD' command (PollAD is case sensitive) will not work. It checks the DFSR settings from the AD attributes you changed through ADSIEDIT.

http://support.microsoft.com/kb/232072

Once you are done with this, run sysvol replication again:
dfsrdiag syncnow /rgname:"domain system volume" /partner:DC01 /time:1 /v

Then open the GPMC console, click the domain, click the 'Status' tab, then click 'Detect Now'. See if it returns an error.
0
 

Author Comment

by:Kelly-Brady
ID: 40565650
I thought DC01 was acting as the PDC emulator, but what you are saying is that it is actually DC02. Also, I should leave the option on DC02 at 1 and leave the option on DC01 at 0?
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40565655
You should find where the PDC master role is running:

netdom query fsmo

Is the DC holding the PDC role the one that has the most up-to-date GPOs? Probably it is, because the GPMC console connects to the PDC and that is where you have created GPOs. Then that's the server you have to make option=1.

If the PDC is not the DC that has the most up-to-date GPOs,

copy the policy files and scripts from the other DC to the PDC (make a backup of any existing policy files and scripts on the PDC before doing this). Then follow the instructions. Basically, this way you are making the PDC the authoritative upstream server for sysvol replication, and then restructuring the DFSR tree.
0
 

Author Comment

by:Kelly-Brady
ID: 40566763
DC01 has all the FSMO roles and is also the most current. Every GPO in the Sysvol folder on DC01 matches the domain sysvol folder. However, DC02 does not have the three newly created policies, but it does have one that is not in either of the other sysvol folders, and its unique ID also does not match any policy in the GPMC. So it must be an old policy that was deleted but DC01 has held onto it. I have run the syncnow command after changing the settings, and I will let you know what it comes back with.
0
 

Author Comment

by:Kelly-Brady
ID: 40566789
OK, it still is not replicating, and I have attached screenshots from the ADSI screen and also the GPMC Detect Now.
GPMC-DetectNow.png
msDFSR-capture.png
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40566818
You have to follow the instructions exactly, in the order of the steps. Did you follow the steps, not just change the option value?

If you just make the option change, it doesn't make any change. You have to stop DFSR replication, then make the change, then replicate AD to make the option effective, then start DFSR replication.
If you don't follow the instructions, it will not work.
0
 

Author Comment

by:Kelly-Brady
ID: 40566846
There are two options on that page; should I use the Authoritative option and run it on DC01?
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40566875
First, back up the policies and scripts on both servers.
All the instructions are in the link. If you don't use DFS for your file server other than for your AD sysvol replication, it's pretty safe to do at any time, because it changes only the DFSR value and replicates AD to make the value effective.
You're making your PDC server the authoritative DFSR master server, and then it will start replicating.

Trust the instructions and follow them. It worked in my multiple cases.

While you're following the instructions, you have to do AD replication (not sysvol replication) in Step 3, like this:

http://support.microsoft.com/kb/232072





------------------------------------------------------------------------------
How to perform an authoritative synchronization of DFSR-replicated SYSVOL

1. In the ADSIEDIT.MSC tool, modify the following DN and two attributes on the domain controller you want to make authoritative (preferably the PDC Emulator, which is usually the most up to date for SYSVOL contents):

   CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<the server name>,OU=Domain Controllers,DC=<domain>

   msDFSR-Enabled=FALSE
   msDFSR-options=1

2. Modify the following DN and single attribute on all other domain controllers in that domain:

   CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>

   msDFSR-Enabled=FALSE

3. Force Active Directory replication throughout the domain and validate its success on all DCs.

4. Start the DFSR service set as authoritative.

5. You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated.

6. On the same DN from Step 1, set:

   msDFSR-Enabled=TRUE

7. Force Active Directory replication throughout the domain and validate its success on all DCs.

8. Run the following command from an elevated command prompt on the same server that you set as authoritative:

   DFSRDIAG POLLAD

9. You will see Event ID 4602 in the DFSR event log indicating SYSVOL has been initialized. That domain controller has now done a "D4" of SYSVOL.

10. Start the DFSR service on the other non-authoritative DCs. You will see Event ID 4114 in the DFSR event log indicating SYSVOL is no longer being replicated on each of them.

11. Modify the following DN and single attribute on all other domain controllers in that domain:

    CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=<each other server name>,OU=Domain Controllers,DC=<domain>

    msDFSR-Enabled=TRUE

12. Run the following command from an elevated command prompt on all non-authoritative DCs (i.e. all but the formerly authoritative one):

    DFSRDIAG POLLAD
0
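The procedure quoted above is mostly attribute edits on each DC's "SYSVOL Subscription" object followed by "force AD replication and validate its success on all DCs", and the thread shows how easy it is to get a step wrong (the author later set the wrong flag). The following is an added example, not code from the thread or from the Microsoft article: it wraps the attribute edit in a cmdlet that supports -WhatIf/-Confirm, and implements the "force and validate" step by pushing replication with repadmin and then reading every DC's subscription object from every DC until all of them agree. It assumes the ActiveDirectory module and an account that may modify the DCs' DFSR-LocalSettings objects; the host names in the usage sketch are placeholders.

```powershell
# Added example, not from the thread or the KB article: helpers for the attribute-edit steps
# (1, 2, 6, 11) and the "force AD replication and validate" steps (3, 7) of the procedure above.
# Assumes the ActiveDirectory module and an account that may modify the DCs' DFSR-LocalSettings objects.
Import-Module ActiveDirectory

function Get-SysvolSubscriptionDn {
    param([Parameter(Mandatory)][string]$DcHostName)
    $dc = Get-ADDomainController -Identity $DcHostName
    "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"
}

# Steps 1, 2, 6 and 11 edit msDFSR-Enabled / msDFSR-Options; this wraps that edit with -WhatIf/-Confirm.
function Set-SysvolSubscription {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$DcHostName,
        [Parameter(Mandatory)][bool]$Enabled,
        [ValidateSet(0, 1)][int]$Options          # 1 = authoritative (the PDC emulator), 0 = everyone else
    )
    $dn = Get-SysvolSubscriptionDn -DcHostName $DcHostName
    $replace = @{ 'msDFSR-Enabled' = $Enabled }
    if ($PSBoundParameters.ContainsKey('Options')) { $replace['msDFSR-Options'] = $Options }
    $desc = ($replace.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ', '
    if ($PSCmdlet.ShouldProcess($dn, "Set $desc")) {
        # Write on the DC itself so the change is local and DFSRDIAG POLLAD on that DC sees it right away.
        Set-ADObject -Identity $dn -Replace $replace -Server $DcHostName
    }
}

# Steps 3 and 7: push the change to every DC, then verify that each DC sees the same values for all DCs.
function Sync-SysvolSubscription {
    [CmdletBinding()]
    param([int]$TimeoutSeconds = 300)
    $dcs = Get-ADDomainController -Filter *
    # repadmin /syncall: /A all partitions, /d show DNs, /e enterprise (cross-site), /P push
    foreach ($dc in $dcs) { & repadmin.exe /syncall $dc.HostName /AdeP | Out-Null }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $views = foreach ($reader in $dcs) {
            foreach ($target in $dcs) {
                $dn = "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,$($target.ComputerObjectDN)"
                $o = Get-ADObject -Identity $dn -Properties msDFSR-Enabled, msDFSR-Options `
                                  -Server $reader.HostName -ErrorAction SilentlyContinue
                [PSCustomObject]@{
                    Reader = $reader.HostName; Target = $target.HostName
                    Enabled = $o.'msDFSR-Enabled'; Options = $o.'msDFSR-Options'
                }
            }
        }
        # Converged when every reader reports the same (Enabled, Options) pair for every target DC.
        $disagreeing = $views | Group-Object Target | Where-Object {
            ($_.Group | ForEach-Object { "$($_.Enabled)|$($_.Options)" } | Sort-Object -Unique).Count -gt 1
        }
        if (-not $disagreeing) { return $views }
        Start-Sleep -Seconds 10
    } while ((Get-Date) -lt $deadline)
    throw "AD replication did not converge within $TimeoutSeconds s for: $($disagreeing.Name -join ', ')"
}

# Usage sketch for a two-DC domain where DC01 is the PDC emulator (names are placeholders):
#   Set-SysvolSubscription -DcHostName dc01.example.local -Enabled $false -Options 1   # step 1
#   Set-SysvolSubscription -DcHostName dc02.example.local -Enabled $false -Options 0   # step 2
#   Sync-SysvolSubscription | Format-Table                                              # step 3
#   ... then the DFSR service, DFSRDIAG POLLAD and event 4114 / 4602 steps from the article ...
```

Reading each subscription object through every DC (rather than only through the one you edited) is what turns "force replication" into "validate its success on all DCs": a DC that has not yet received the change will show the old Enabled/Options pair, and running DFSRDIAG POLLAD on it at that point does nothing useful, which is the failure crcsupport warns about.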
 
LVL 1

Expert Comment

by:crcsupport
ID: 40566876
Yes, you have to make your PDC role master the DFSR authoritative one, so that the other DC doesn't get confused thinking he's the king.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40566902
How to perform an authoritative synchronization of DFSR-replicated SYSVOL (like "D4" for FRS)
authoritative DFSR
In Steps 3 and 7, do the AD replication. You have two DCs, so you will do two manual AD replications on the two NTDS Settings.

How to force AD replication
ad repl
0
 

Author Comment

by:Kelly-Brady
ID: 40566996
I am following the article step by step, but after step 8 I do not see the ID 4602. I also chose the option "Replicate from the Selected Machine" and not "To the Selected Machine". Also, one thing to note is that it will only allow replication from DC01; my guess is that this is because DC01 is holding the FSMO roles.
Replicate.png
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40567014
Right, replication is initiated 'From' other DCs through AD Sites and Services.
Give it about 5 minutes, then open Event Viewer, go to Applications and Services Logs/DFS Replication, and you'll see 4602 soon or a bit later.

If it doesn't appear, run dfsrdiag PollAD again, then restart the DFS and DFSR services. Then check again.
0
 

Author Comment

by:Kelly-Brady
ID: 40567021
It is now replicating the DC02 Sysvol to the domain SysVol. DC01 is now not replicating to the domain Sysvol, and the three new GPOs are not in the domain Sysvol.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40567035
Is DC02 your PDC, or DC01? Also, all your GPOs should be on the PDC. If not, copy the policy files to the PDC and do the steps to make the PDC authoritative.
Do not remove existing GPOs from either server; it will propagate to your workstations and make trouble.
0
 

Author Comment

by:Kelly-Brady
ID: 40567055
DC01 is, but I messed up and set the ReadOnly flag to true. Once I discovered my mistake and corrected it, it replicated the three new GPOs to the domain SysVol, but they still did not make it to DC02. Maybe I will start all over from the beginning of the steps.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40567056
Also, if DC02 is not the PDC, make msDFSR-options=0.
So DC01 (msDFSR-options=1) in Step 1 and DC02 (msDFSR-options=0) in Step 2 while following the instructions.
0
 

Author Comment

by:Kelly-Brady
ID: 40567058
This is what Event Viewer is showing; should I try and do what it says?

"The DFS Replication service stopped replication on the folder with the following local path: C:\Windows\SYSVOL\domain. This server has been disconnected from other partners for 63 days, which is longer than the time allowed by the MaxOfflineTimeInDays parameter (60). DFS Replication considers the data in this folder to be stale, and this server will not replicate the folder until this error is corrected.
 
To resume replication of this folder, use the DFS Management snap-in to remove this server from the replication group, and then add it back to the group. This causes the server to perform an initial synchronization task, which replaces the stale data with fresh data from other members of the replication group. "
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40567067
Which server's Event Viewer is this?
No, you can't use the DFS Management console. Sysvol replication uses DFSR, but it's controlled by AD itself.
0
 

Author Comment

by:Kelly-Brady
ID: 40567070
That is DC02, and I did not think so either. I was pretty sure that the directory is protected from changes made using the consoles.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40567078
Good luck.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 40568545
0
 

Author Closing Comment

by:Kelly-Brady
ID: 40576031
It took a couple of tries, but this did get it working again. Now I wish there was a way to have it notify me if it stops working. Too much on my plate to babysit Group Policy. Thank you for all your help.
0
 
LVL 1

Expert Comment

by:crcsupport
ID: 40577777
You can find the event item and make a PowerShell script to send the event details to your email. There are many scripts you can try from the MS TechNet script repository.

https://gallery.technet.microsoft.com/scriptcenter/site/search?query=email%20event&f%5B1%5D.Value=email%20event&f%5B1%5D.Type=SearchText&f%5B0%5D.Value=PowerShell&f%5B0%5D.Type=ScriptLanguage&f%5B0%5D.Text=PowerShell&ac=5
0
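The monitoring the author asks for, and that crcsupport sketches, can be done with a small scheduled script. The following is an added example, not code from the thread: it turns the author's own manual test (write a file on one DC, see whether it shows up on the other) into a canary check, collects the DFSR event IDs the thread mentions (4114 replicated folder disabled, 4602 SYSVOL initialized, and the 4012 "MaxOfflineTimeInDays" stop quoted from DC02's Event Viewer), and mails the details when something is wrong. Event IDs 2213, 5002 and 5014 are further DFSR error IDs I am adding from my own knowledge; the SMTP settings, addresses and task path are placeholders. It assumes the ActiveDirectory module, write access to SYSVOL and remote event log access to the DCs.

```powershell
# Added example, not from the thread: a scheduled SYSVOL replication health check that mails when
# a canary file does not replicate or DFSR logs a problem event. Mail settings are placeholders.
Import-Module ActiveDirectory

function Test-SysvolCanary {
    # Writes a timestamped canary into the scripts folder on the source DC and waits for it on the others.
    # The scripts folder is used rather than Policies so the probe does not touch any GPO.
    param([string]$SourceDc, [string[]]$OtherDcs, [string]$DomainName, [int]$TimeoutSeconds = 300)
    $stamp = (Get-Date).ToString('yyyyMMddHHmmss')
    $name  = '_sysvol-canary.txt'
    Set-Content -Path "\\$SourceDc\SYSVOL\$DomainName\scripts\$name" -Value $stamp
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $pending  = @($OtherDcs)
    while ($pending -and (Get-Date) -lt $deadline) {
        $pending = @($pending | Where-Object {
            (Get-Content -Path "\\$_\SYSVOL\$DomainName\scripts\$name" -ErrorAction SilentlyContinue) -ne $stamp
        })
        if ($pending) { Start-Sleep -Seconds 15 }
    }
    [PSCustomObject]@{ Stamp = $stamp; Lagging = $pending }
}

function Get-DfsrProblemEvents {
    # 4114 disabled, 4602 initialized (informational) and 4012 stale are from the thread;
    # 2213 (dirty shutdown, replication stopped), 5002 and 5014 (partner communication errors) are assumed.
    param([string[]]$DcHostName, [int]$Hours = 24)
    foreach ($dc in $DcHostName) {
        Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'DFS Replication'; StartTime = (Get-Date).AddHours(-$Hours)
            Id = 2213, 4012, 4114, 4602, 5002, 5014
        } | Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Id, Message
    }
}

function Invoke-SysvolHealthCheck {
    param(
        [string]$SmtpServer = 'smtp.example.local',            # placeholder
        [string]$To   = 'admins@example.local',                # placeholder
        [string]$From = 'sysvol-check@example.local'           # placeholder
    )
    $domain = Get-ADDomain
    $dcs    = (Get-ADDomainController -Filter *).HostName
    $pdc    = $domain.PDCEmulator                               # GPMC edits land here, so it is the source
    $canary = Test-SysvolCanary -SourceDc $pdc -OtherDcs ($dcs | Where-Object { $_ -ne $pdc }) -DomainName $domain.DNSRoot
    $events = Get-DfsrProblemEvents -DcHostName $dcs
    # 4602 is success, so it is reported but does not by itself make the check fail.
    $healthy = (-not $canary.Lagging) -and (-not ($events | Where-Object Id -ne 4602))
    if (-not $healthy) {
        $body = @(
            "SYSVOL canary $($canary.Stamp) not replicated to: $($canary.Lagging -join ', ')"
            ($events | Format-List DC, TimeCreated, Id, Message | Out-String)
        ) -join "`n"
        Send-MailMessage -SmtpServer $SmtpServer -To $To -From $From `
                         -Subject "SYSVOL replication problem in $($domain.DNSRoot)" -Body $body
    }
    return $healthy
}

Invoke-SysvolHealthCheck

# Register as a scheduled task on one DC, hourly as SYSTEM (script path is a placeholder):
#   $action  = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-NoProfile -File C:\Scripts\SysvolCheck.ps1'
#   $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 1)
#   Register-ScheduledTask -TaskName 'SYSVOL health check' -Action $action -Trigger $trigger -User 'NT AUTHORITY\SYSTEM'
```

The canary catches the silent case this thread started with (no error anywhere, files simply not arriving), while the event query catches the loud case (DC02's 4012 after 63 days offline); the 60-day MaxOfflineTimeInDays default in that event text is also why a check that runs daily is worth more than one that runs when someone remembers.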
