Active Directory DC Replication Issues

Helping a client with their 2x 2012 Domain Controllers.

Their DC1, which holds the FSMO roles, had Event Error 4012, DFSR: that it had dropped replication of the SYSVOL\domain path as it's been disconnected for X amount of days.

I executed KB 2218556 to make DC1 non-authoritative - ran all needed steps. I didn't get the needed Event in Event Viewer showing that replication had succeeded. However, when creating user objects in AD Users and Computers, they replicate to the other DC?

I looked on DC2 and found Event Warning 2213 DFSR: The DFS Replication service stopped replication on volume c: This occurs when a DFSR JET database is not shut down cleanly... Looking online, a Microsoft article recommended doing KB 2218556 to make DC2 authoritative because DC1's event viewer for DFS Replication was showing that it was still waiting to perform initial replication.

Did this and waited for 1 hour and never saw Event ID 4602 in the DFSR event log on DC2 indicating SYSVOL has been initialized. I then ran the WMIC command in Event 2213 to continue replication and soon after this DC2 had the error DC1 had: Event Error 4012, DFSR: that it had dropped replication of the SYSVOL\domain path as it's been disconnected for X amount of days.

So I then executed KB 2218556 to perform a non-authoritative synchronization of DFSR-replicated SYSVOL. I waited for another 30 mins or so. Both DCs were stuck on the DFSR event warning 4614 that the DFS Replication service initialized SYSVOL and is waiting to perform initial replication. So it seemed both were waiting for the other! No Event 4604 per the Microsoft KB.

I didn't know what to do at this point so restarted DFSR on both of them. After a number of informational DFSR messages DC1 came up with Event ID 1206 that DFS Replication service successfully contacted domain controller DC1. Nothing about DC2 (I noticed that DC1's primary DNS server was itself and DC2 was the secondary one - maybe that's why?).

DC2's DFSR event log eventually indicated Event 5014 that DFSR is stopping communication with partner DC1 for replication group Domain System Volume due to an error; the service will retry the connection periodically. Then Event ID 5004, which stated that DFS Replication service successfully established an inbound connection with partner DC1 for replication group Domain System Volume.

During this entire time, creating test AD Users in AD Users and Groups has them replicate to either DC, as they show up very rapidly in AD Users and Groups on both. Also, running repadmin /showrepl and repadmin /replsummary, both show successful replication.

However, when running the DFS Management Diagnostic Report, the Propagation Test succeeds, but the propagation report shows two tests complete and the health report for both DCs still says "This member is waiting for initial replication for replicated folder SYSVOL Share".

Checking back today 9 hours later, the Event IDs haven't changed from the above and the DFS Management Diagnostic reports are still the same as above.

So I can create users and replicate back and forth, but I have the above errors. I don't know what to do at this point. Thanks.
RFVDB asked:
Will Szymkowski (Senior Solution Architect) commented:
There are different partitions which replicate among Active Directory. Sysvol is specific to NetLogon and Group Policy objects. It seems like you have been making a lot of changes, and spending a ton of time on this issue.

Why not try demoting DC1 and then re-promoting it? This way you will be certain that it is getting updates from the replication partner.

If DC1 is the FSMO role holder, transfer the roles to DC2, then demote DC1 and re-promote it.

Will.
Amit (IT Architect) commented:
I agree with Will.
albatros99 commented:
The fact that new AD user objects get replicated immediately is irrelevant in this case because this is using a different replication mechanism. DFSR is for the SYSVOL only, and that includes logon scripts / GPOs etc. As long as the DC thinks that DFS is not working, it will not share out the SYSVOL to clients.

I agree with Will: demoting / re-promoting the faulty DC is probably your quickest route at this point.
RFVDB (Author) commented:
Thanks. After demoting, should I delete some of the folders in the Sysvol folder so it doesn't try to use them again when re-promoting, such as:

%WINDIR%\SYSVOL\domain\Policies
%WINDIR%\SYSVOL\domain\Scripts

Also, I don't need to remove the AD roles after demoting, right? I can just demote and then promote?

Thanks!
albatros99 commented:
Yes, I recommend deleting the folders. But there's no need to remove the role.
Will Szymkowski (Senior Solution Architect) commented:
"Also, I don't need to remove the AD roles after demoting right. I can just demote and then promote?"

That is correct. You do not need to remove the role. If you do, it will just make you re-add them.

Will.
RFVDB (Author) commented:
OK thanks all.

I did demote and promote DC1; however, that didn't do the trick. I used the DFS Management Tool to test Sysvol replication and it never finishes.

Is there a good solid System Event or tool to immediately know if Sysvol replication is fully functional?

I didn't delete the two Sysvol folders I mentioned above though as I wasn't sure.

So I guess my next action is to do the demote/promote again with deleting these Sysvol folders:

%WINDIR%\SYSVOL\domain\Policies
%WINDIR%\SYSVOL\domain\Scripts

Right?
albatros99 commented:
The way to tell if SYSVOL replication is fully functional is to check the event log. There is a DFS Replication log, and it will show event 4604. Also, if you type net share at a command prompt, you will see that the SYSVOL has been shared out.
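An added health check that automates the two signals described in this answer (it is not from the thread or any participant): it reads the DFS Replication event log for the event IDs this thread discusses and confirms that SYSVOL and NETLOGON are actually shared, as net share would show. Assumes Windows Server 2012/2012 R2 with the built-in SmbShare module and an elevated session; the function name is hypothetical.

```powershell
# Added example, not from the thread: summarise DFSR SYSVOL state on the local DC.
# Assumes the "DFS Replication" event log and the SmbShare module are present.
function Test-SysvolDfsrHealth {
    [CmdletBinding()]
    param(
        [int]$LookbackHours = 24
    )

    # Event IDs discussed in the thread. 4604 is the success event: SYSVOL was
    # initialized and initial replication has finished.
    $ids = @{
        4604 = 'SYSVOL initial replication finished (healthy)'
        4614 = 'SYSVOL initialized, still waiting for initial replication'
        4012 = 'Replication stopped: partner disconnected longer than the offline limit'
        2213 = 'DFSR stopped replication on the volume (JET database not shut down cleanly)'
        5014 = 'Stopped communication with a partner (service will retry)'
        5004 = 'Inbound connection established with a partner'
    }

    $since  = (Get-Date).AddHours(-$LookbackHours)
    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = 'DFS Replication'
                  Id        = [int[]]$ids.Keys
                  StartTime = $since
              } -ErrorAction SilentlyContinue |
              Sort-Object TimeCreated

    # The most recent of the interesting events tells us which state the DC is in.
    $latest = $events | Select-Object -Last 1

    # SYSVOL and NETLOGON are only shared once DFSR considers SYSVOL ready,
    # so the share check is the end-to-end proof (same thing "net share" shows).
    $shares = Get-SmbShare -Name 'SYSVOL','NETLOGON' -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Computer        = $env:COMPUTERNAME
        SysvolShared    = ($shares -contains 'SYSVOL')
        NetlogonShared  = ($shares -contains 'NETLOGON')
        LatestEventId   = $latest.Id
        LatestEventWhen = $latest.TimeCreated
        LatestMeaning   = if ($latest) { $ids[[int]$latest.Id] } else { 'no matching events in window' }
        # Healthy only when the shares exist AND the last state event was 4604.
        Healthy         = ($shares -contains 'SYSVOL') -and ($latest.Id -eq 4604)
    }
}

Test-SysvolDfsrHealth | Format-List
```

Run it on each DC in turn; a DC whose latest event is 4614 with no SYSVOL share is still waiting for initial replication, which matches the "waiting for each other" state described in the question.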
RFVDB (Author) commented:
OK thanks.

I demoted DC1 again. I deleted the entire SYSVOL folder just in case. Re-promoted, and it recreated the sysvol folder. But still DFSR is not working for the sysvol folder. Checked net share 12 hours later and no sysvol share.
RFVDB (Author) commented:
I just created a DC3 from a fresh 2012R2 install and same issue. After an hour, net share still shows no sysvol share. Looks like DC2's DFSR share is somehow messed up. There's got to be a way to fix it on DC2.

DFSR Events on new DC3 are:
4614: The DFS Replication service initialized SYSVOL at local path C:\Windows\SYSVOL\domain and is waiting to perform initial replication.
6806: The DFS Replication service has detected that at least one connection is configured for replication group Domain System Volume.
6016: The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically.
6806: The DFS Replication service has detected that at least one connection is configured for replication group Domain System Volume.
LATEST ONE: 6018: The DFS Replication service successfully updated configuration in Active Directory Domain Services.

Please let me know if you need any other information.
Will Szymkowski (Senior Solution Architect) commented:
You might want to perform an authoritative restore on sysvol.
https://technet.microsoft.com/en-us/library/cc816596(v=ws.10).aspx

Will.
RFVDB (Author) commented:
Thanks. It says in the first paragraph not to perform such an action unless you have another Domain Controller with a functioning Sysvol. Since DC2 is the only one with a functioning Sysvol, it doesn't seem a safe course.

Any other alternatives?

I found this:
https://jorgequestforknowledge.wordpress.com/2010/08/12/restoring-the-sysvol-non-authoritatively-when-either-using-ntfrs-or-dfs-r-part-3/

Is that a potentially safe action to take?

I also found an article where an admin removed the contents of the Sysvol share, restarted DFSR, then re-added the contents, and that fixed the issue. Is that a safe thing to do? I've never touched or manually removed or added the contents of the Active Directory Sysvol shares.
Will Szymkowski (Senior Solution Architect) commented:
"Is that a safe thing to do?"
Typically it is best to restore your Sysvol from a recent system state backup. You would then do an authoritative restore (because it does not have any replication partners).

You could try the suggestion from the link you provided, but I would be cautious and perform something like this in a lab environment before doing it in production.

Will.
RFVDB (Author) commented:
Eventually I did an authoritative restore on DC2 again and was told under step 4 to actually restart DFS, even though it states to just "start" it, and since it's been running, I've always skipped this step. Doing that fixed the issue.

Will Szymkowski (Senior Solution Architect) commented:
Glad to hear it is working now.

Will.
RFVDB (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for RFVDB's comment #a40821109

for the following reason:

My Solution tried again and it worked.
Will Szymkowski (Senior Solution Architect) commented:
Why are you not accepting my comment as the solution? I have stated you needed to perform an Authoritative Restore many times. Your last comment: "Eventually did an authoritative restore on DC2 again"

All of the below comments of mine stated doing an authoritative restore:
ID: 40792063
ID: 40798379

Answers should be accepted accordingly.

Will.