Solved

Domain has bad or corrupt sysvol, missing IPv6 DNS in gc, no GUID in registry for NTFRS

Posted on 2016-08-28
7
110 Views
Last Modified: 2016-09-03
Two DCs in the domain, both have sysvol corruption that I can't seem to fix.  

For starters, sysvol in both had only the domain pointer, no polices or scripts subfolders.  I wanted to repair them by changing the registry settings to do a non-authoritative restore in HKLM\system\current control set\serives\ntfrs\parameters\backup/restore\process at startup and change BurFlags to D2.  

Imagine my surprise to see that the only thing in Ntfrs was Parameters and it was essentially empty.  So I used a reference DC from another domain to rebuild it.  But then I got stumped.  I don't know where to find the GUID value fr the replica sets subfolders.

Undaunted, I figured restarting File Replication Service (Ntfrs).  Much to my amazement, it was set to disabled on both DCs.  So I changed to automatic, thinking I had solved the problem.  Even more to my amazement, ntfrs will not start on either DC. I get an error 1053 service did not respond in a timely fashion. I bumped up the timeout value from 60000 to 100000 and still the same result.

Of course dcdiag craps out all over the place.  In particular, there are lots of SChannel errors, and the event logs are full of them, too.  I wasn't paying that much attention to them but could they be a conspirator in this?  Dcdiag just failed with systemlog test with a bunch of SChannel errors trying to reach the remote endpoint, and then failed again waiting for file replication service.  All other tests passed.

I mentioned in the title that any IPv6 AAAA records were absent in _msdcs zone for gc and pdc.  I also checked to see that all FSMO roles were on one server (the original one in the domain), and they were.  Just doesn't feel like a DNS issue though.

Now my questions I hope you can help me answer:

1. why won't ntfrs start on either DC?  If it were to, that would hopefully rebuild the registry.  Nothing in the event
2.  why the Schannel errors, or more precisely, how do I fix them?  Related to the other issues?
3.  what in particular is keeping replication from working?  FIrst server seems to have a correct sysvol, but not the second.  If I create private and scripts folders, NETLOGON wipes them out.

One last detail.  When I open DFS Manager and run a health report, the second DC (bad sysvol) shows as an error that the local path does not match the newly configured local path and a warning that the DC is awaiting initial replication of sysvol.  Let's just say its been a long, long time before this came to my attention.
0
Comment
Question by:lmheimendinger
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 41774514
have you upgraded your ad from windows 2003 or 2008?

If not, you are running DFSR sysvol and not ntfrs sysvol

what happens if you run below command from command prompt

Net Share

Is it showing sysvol and netlogon as shared folders?


You need to do DFSR sysvol authoritative restore 1st and then do non-authoritative restore

Refer below article for DFSR sysvol restoration
https://www.experts-exchange.com/articles/17360/Active-Directory-DFSR-Sysvol-Authoritative-and-Non-Authoritative-Restore-Sequence.html

Also ensure that each domain controller point to itself own IP as 1st dns entry and other domain controller as secondary dns in network card properties and restart the netlogon service on domain controllers so that all missing DNS records will get recreated
0
 
LVL 26

Expert Comment

by:DrDave242
ID: 41775021
have you upgraded your ad from windows 2003 or 2008?
If not, you are running DFSR sysvol and not ntfrs sysvol
This is very important. (Not trying to steal credit here, just reinforcing.) If this domain was created using domain controllers running 2008 or newer, the File Replication Service (FRS) most likely isn't being used at all. Instead, Sysvol is being replicated by using Distributed File System Replication, so don't worry about getting FRS to start.

DFSR has its own event log, so that would be a decent place to look for errors.

For starters, sysvol in both had only the domain pointer, no polices or scripts subfolders.
Does that mean that the Policies and Scripts folders are completely missing from the Sysvol\domain folder? If so, the authoritative/nonauthoritative restore procedure suggested by Mahesh above won't help, because there's nothing to restore. If one of the DCs does contain those folders in its Sysvol hierarchy, though (and those folders actually contain data), use that DC as the authoritative source and follow the steps in the link.
0
 

Author Comment

by:lmheimendinger
ID: 41775113
On the PDC, SYSVOL is now correct, and Mahesh's solution moved the ball significantly forward. SYSVOL seems to have replicated successfully.  Now replication on c:\users is failing because:

On the replicated server, I am getting 4114 event id that c:\windows\sysvol\domain has been disabled.
                                                                4304 "preventing from replicating a file due to consistent sharing violations

On the PDC replicating server, I am 5012 event id that "partner did not recognize the connection or replication group"
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 41775280
OK
Are you saying that Sysvol is OK on PDC server? are you able to see event ID 4604 or 4602 ?
In that case Sysvol is working correctly on PDC...

If yes, now you should try non-authoritative restore on another server..
That should work

Also what about of Policies folder and its contents?
and where C:\users came in picture?

Also event id 5012 indicates that you might be having some AD replication /name resolution issue
Check AD replication and name resolution is working correctly
repadmin /syncall
check below article
https://social.technet.microsoft.com/wiki/contents/articles/1205.dfsr-event-5012-dfs-replication.aspx
0
 

Author Comment

by:lmheimendinger
ID: 41775293
Yup, those events are showing up.  Polices folder seems replicated.

c:\users and c:\company are in the DFRS replication.  Essentials (Windows 2012 R2) is installed as a role and I think this is an offshoot of that.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 41775305
OK
Now non-authoritative DFSR Sysvol restore on ADC server should work, try that
Also ensure that AD replication and name resolution is working correctly
run dcdiag /v on both servers to check for any potential issues
0
 

Author Closing Comment

by:lmheimendinger
ID: 41783057
close enough to fix replication thanks
0

Featured Post

Secure Your Active Directory - April 20, 2017

Active Directory plays a critical role in your company’s IT infrastructure and keeping it secure in today’s hacker-infested world is a must.
Microsoft published 300+ pages of guidance, but who has the time, money, and resources to implement? Register now to find an easier way.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
You Must Change password - RDS 2012 R2 5 51
IP Address white listing in Windows Firewall 5 23
Server 2012 r2 bare metal recovery 12 45
My Server Turned Off 6 44
I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
In this Micro Tutorial viewers will learn how to use Windows Server Backup to create full image of their system. Tutorial shows how to install Windows Server Backup Feature on Windows 2012R2 and how to configure scheduled Bare Metal Recovery backup.…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question