-Garren-

AD/SYSVOL Sync Issues

Hey you Experts!

I need your expertise. Let me first explain our setup, followed by what I've tried to remedy the issue. I apologize for the length; I've tried to include only the most relevant info right off the bat. We have 3 DCs (2 virtual, 1 physical). They are set for redundancy; we are doing a mix of virtual/physical simply to have a hybrid environment for fault protection. We had Windows Server 2008 loaded up on all of them, we started having replication issues, the physical box failed, and it was replaced with 2012 R2. We have planned on moving the other two boxes to 2012 R2 (either 1 virtual, or continue with 2 virtual) but have not done so yet. The replacement kept the same IP/host name but a proper DCPROMO was done. We are a small/medium sized school district if that helps in any way (down time from users in the summer for big projects/cost/etc).

We are using FRS rather than DFS. We have Windows Firewall enabled for our DCs. I can't think of any other helpful info at the moment, so I will now pose my issue followed by what I've tried.

Here are some symptoms: Our GPO environment is faulting. On the GPC side, a change will be made, but the GPT side (SYSVOL) sometimes will not show the same change. For example, I delete GPO_Test from GPC, but GPT still has the stagnant entry. Another symptom is GPOs (when running a gpresult) with a test user/machine, with log-on/log-off in between, will either show that it was Approved/Denied or just not even processed at all, completely MIA. OK, so here's what I've been looking at, and what I've tried:

*ACL/Security permissions issues.

*AD/SYSVOL (GPC/GPT) sync issues.

*File Replication issues.

For security, I checked group membership/ACL permissions/etc and everything looks fine. I checked security filtering on the GPO to make sure it's applied against the right users, it's fine. Of course, I made sure the GPO is being applied to the right OU and the user is in that OU (link established), and it's good.

For sync issues, I checked the DS/Computer versions and so forth and it all shows as the same versions/revisions. I ran gpotool.exe and it came back with the versions/etc. I did run a PowerShell script for orphaned GPOs, and found some. I checked to make sure they were truly orphans and did a clean up, re-ran the script and now show no orphans.

For replication issues, there are events in Event Viewer that there are replication issues (even before the physical DC swap), but nothing extremely specific or overall very helpful. I've run dcdiag on all three boxes and it says FRS is fine. I've checked on all three boxes to make sure FRS as a service is started and running.

I can't think of anything else relevant to put into this discussion. At this point, ANYTHING will help. Thanks!
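The GPC-versus-GPT check described in the question can be done per DC rather than through the replicated namespace, which is what matters when FRS is suspected. The following is an added example, not code from the thread; it assumes the RSAT ActiveDirectory module is installed and the account can read `\\<dc>\SYSVOL` on each domain controller. It reads the `versionNumber` attribute from each DC's own copy of AD and the `Version=` line from `gpt.ini` on that same DC's SYSVOL, and it also flags SYSVOL policy folders whose GPC no longer exists in AD (the "deleted in GPC but still in GPT" symptom).

```powershell
# Added example (not from the thread): compare the AD-side GPO version (GPC,
# the versionNumber attribute) with the SYSVOL-side version (GPT, gpt.ini) on
# every DC, and flag SYSVOL policy folders that no longer have a GPC in AD.
# Assumes the RSAT ActiveDirectory module and read access to each DC's SYSVOL.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$dcs        = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$policiesDn = "CN=Policies,CN=System,$($domain.DistinguishedName)"

# Both GPC and GPT store one packed number: user version in the high 16 bits,
# computer version in the low 16 bits. Shown as "user/computer".
function Split-GpoVersion([long]$Packed) {
    '{0}/{1}' -f (($Packed -shr 16) -band 0xFFFF), ($Packed -band 0xFFFF)
}

# Read Version= from gpt.ini on one specific DC's SYSVOL share, so each DC's
# own replica is inspected rather than whichever replica the namespace picks.
function Get-GptVersion([string]$Dc, [string]$GpoGuid) {
    $ini = "\\$Dc\SYSVOL\$($domain.DNSRoot)\Policies\$GpoGuid\gpt.ini"
    if (-not (Test-Path $ini)) { return $null }
    $m = Select-String -Path $ini -Pattern '^Version=(\d+)' | Select-Object -First 1
    if ($m) { [long]$m.Matches[0].Groups[1].Value } else { $null }
}

$report = foreach ($dc in $dcs) {
    # Query this DC directly so a DC lagging in AD replication shows its own view.
    $gpcs = Get-ADObject -Server $dc -SearchBase $policiesDn `
        -LDAPFilter '(objectClass=groupPolicyContainer)' -Properties displayName, versionNumber

    foreach ($gpc in $gpcs) {
        $gpcVer = [long]$gpc.versionNumber
        $gptVer = Get-GptVersion -Dc $dc -GpoGuid $gpc.Name
        [pscustomobject]@{
            DC     = $dc
            GPO    = $gpc.displayName
            Guid   = $gpc.Name
            GPC    = Split-GpoVersion $gpcVer
            GPT    = $(if ($null -ne $gptVer) { Split-GpoVersion $gptVer })
            Status = $(if ($null -eq $gptVer)       { 'GPT MISSING on this DC' }
                       elseif ($gptVer -ne $gpcVer) { 'GPC/GPT VERSION MISMATCH' }
                       else                          { 'OK' })
        }
    }

    # The reverse problem from the question: a GPO deleted in AD whose SYSVOL
    # folder (GPT) is still present on this DC.
    $known = $gpcs | ForEach-Object { $_.Name }
    Get-ChildItem -Path "\\$dc\SYSVOL\$($domain.DNSRoot)\Policies" -Directory |
        Where-Object { $_.Name -like '{*}' -and $known -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                DC = $dc; GPO = '(no GPC in AD)'; Guid = $_.Name
                GPC = $null; GPT = $null; Status = 'ORPHANED GPT FOLDER'
            }
        }
}

# Only the problems; a healthy domain prints nothing here.
$report | Where-Object { $_.Status -ne 'OK' } | Sort-Object Guid, DC | Format-Table -AutoSize
```

Run it from a management workstation rather than on a DC so that every DC is reached over the network the same way. A mismatch that appears on only one DC points at that DC's FRS replica; a mismatch on all DCs points at the GPO itself (a gpt.ini that was never updated), which is a different fix.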
Guy Lidbetter

Hi Garren,

Have you considered running DNSLint to diagnose any replication issues between your DCs?
An explanation of the tool and how to use it is below.

https://support.microsoft.com/en-us/kb/321045/

I also assume you have run a Repadmin and all reps are looking good?

Regards

Guy
ASKER CERTIFIED SOLUTION
Bembi

Your first step should be to identify which system is reflected in the AD as having the master roles.

Your issue is likely the result of the physical (whose name/ip you kept) and likely was the primary master on various roles.

Role transfer should have been done through seizure using ntdsutil, making one of the VMs the primary on the various roles (RID, Schema, etc.).
Then when you rebuild the physical, you can do with it as you see fit.

If the above is correct, you would need to rebuild the physical yet again because you would need to use one of the VMs to seize the roles, which means the newly rebuilt system cannot be put online without an OS reinstall. Make sure to back up the system state on one of the VMs just in case.
Not sure whether demoting the physical and possibly disjoining from the AD domain, seizing the roles/cleaning the metadata of any reference to the old name. Then making sure your VMs are not having replication issues.
Add the physical back as a new member server, and then dcpromo it as another DC.


Do both the VMs have the file server services for Windows 2003 installed?
Does each VM have the syslog/netlogon shares?
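The two checks above (who holds the master roles, and whether each DC exposes its shares) plus the Repadmin check Guy mentioned can be gathered in one pass. This is an added example, not code from either answer; it assumes the RSAT ActiveDirectory module and repadmin.exe are available on the machine running it. Each DC is queried directly for its own view of the FSMO role holders, because after a rebuild with a reused name the DCs may not agree, and that disagreement is itself a finding.

```powershell
# Added example (not from the thread): show which DC each DC *believes* holds
# the FSMO roles, whether each DC exposes the SYSVOL and NETLOGON shares, and
# summarise repadmin replication failures. Assumes the RSAT ActiveDirectory
# module and repadmin.exe are available where this runs.
Import-Module ActiveDirectory

$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# Ask every DC separately. If the rows disagree, the DCs do not share one view
# of the role holders, which points at broken replication or stale metadata.
$roleView = foreach ($dc in $dcs) {
    $d = Get-ADDomain -Server $dc
    $f = Get-ADForest -Server $dc
    [pscustomobject]@{
        QueriedDC     = $dc
        PDC           = $d.PDCEmulator
        RID           = $d.RIDMaster
        Infra         = $d.InfrastructureMaster
        Schema        = $f.SchemaMaster
        Naming        = $f.DomainNamingMaster
        SysvolShare   = Test-Path "\\$dc\SYSVOL"
        NetlogonShare = Test-Path "\\$dc\NETLOGON"
    }
}
$roleView | Format-Table -AutoSize

# Collapse the role columns to one string per DC; more than one distinct string
# means the DCs disagree about who holds the roles.
$distinct = $roleView |
    ForEach-Object { '{0}|{1}|{2}|{3}|{4}' -f $_.PDC, $_.RID, $_.Infra, $_.Schema, $_.Naming } |
    Sort-Object -Unique
if (@($distinct).Count -gt 1) {
    Write-Warning 'DCs disagree on FSMO role holders; fix replication/metadata before seizing anything.'
}

# A DC with SYSVOL or NETLOGON missing has not finished (or has broken) its
# SYSVOL replication; Group Policy clients cannot read policy from it.
$roleView | Where-Object { -not $_.SysvolShare -or -not $_.NetlogonShare } |
    ForEach-Object { Write-Warning "$($_.QueriedDC) is missing a SYSVOL or NETLOGON share" }

# Replication health from repadmin: the overall summary, then only the
# partner links that have recorded failures.
repadmin /replsummary
repadmin /showrepl * /csv | ConvertFrom-Csv |
    Where-Object { [int]$_.'Number of Failures' -gt 0 } |
    Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                  'Number of Failures', 'Last Failure Status', 'Last Success Time' |
    Format-Table -AutoSize
```

If the role table shows the rebuilt physical DC as a role holder on some DCs but not others, the metadata of the old DC was never cleaned out and the seizure step in the answer above is where to go next; seizing roles while the DCs still disagree only adds another inconsistent view.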
-Garren-

ASKER

A good starting point. There is some deeply rooted corruption I've noted over the last couple of weeks from running various AD tools from TechNet and others. I'll close this ticket as there is a very long process I'm going to have to go through.