csg-unit
asked on
All GPO with GUIDS beginning with numbers are deleting themselves 2012 R2
Hello
This seems like the deepest type of SYSVOL corruption that I've encountered. I've been working with a large client on replication issues in a 2012 R2 - only environment.
I did a non-authoratative restore from PDC to DC2 and DC3 at remote sites on Tuesday night. Everything seemed to proceed perfectly that night and throughout wednesday and thursday morning. However today (Thursday afternoon) someone noticed that all of the GPOs that began with NUMBERS in the GUIDS disappeared from PDC Only. This had to have happened today. The ones that start with letters for example {CE31B9E2-D06E-420B-97E6-4 A44C62C98A 8} are all still present. The ones that start with numbers are Gone.
this leaves 26 of the original 88. I was able to pull 85 from DC3 or DC2 and says you require permission to copy the last three GPOs "Please contact your administrator." and as you probably already figured, I am administrator.
I tried manually copying the policies back to sysvol and it quickly re-deleted them.
What could be happening here?
This seems like the deepest type of SYSVOL corruption that I've encountered. I've been working with a large client on replication issues in a 2012 R2 - only environment.
I did a non-authoratative restore from PDC to DC2 and DC3 at remote sites on Tuesday night. Everything seemed to proceed perfectly that night and throughout wednesday and thursday morning. However today (Thursday afternoon) someone noticed that all of the GPOs that began with NUMBERS in the GUIDS disappeared from PDC Only. This had to have happened today. The ones that start with letters for example {CE31B9E2-D06E-420B-97E6-4
this leaves 26 of the original 88. I was able to pull 85 from DC3 or DC2 and says you require permission to copy the last three GPOs "Please contact your administrator." and as you probably already figured, I am administrator.
I tried manually copying the policies back to sysvol and it quickly re-deleted them.
What could be happening here?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
3, What i meant is to check HDD on server which is PDC -But if you have SAN don't bother
IPC or I know it as share IPC$ remote IPC - Bad sign
(Inter-Process Communication (IPC$) is used for data sharing between applications and computers)
Seize PDC FSMO role by different server ASAP!!
You might also need to remove ADDS role on that server with current PDC and then clean up metada in AD and reinstall ADDS on that server
IPC or I know it as share IPC$ remote IPC - Bad sign
(Inter-Process Communication (IPC$) is used for data sharing between applications and computers)
Seize PDC FSMO role by different server ASAP!!
You might also need to remove ADDS role on that server with current PDC and then clean up metada in AD and reinstall ADDS on that server
ASKER
I changed FSMO role holder to DC3
as for the last comment that sounds easier said than done. I'll take a look, thanks. in the mean time I am still open to suggestions.
as for the last comment that sounds easier said than done. I'll take a look, thanks. in the mean time I am still open to suggestions.
ASKER
Additionally I want to point out that this client for some reason is still using FRS for SYSVOL Replication instead of DFSR despite being an all 2012 R2 environment (DCs, still some '08 members) in a 2008 forest level.
ASKER
Repadmin: running command /showrepl against full DC localhost
Default-First-Site-Name\PD C
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 0022f952-3ecb-4caf-a754-df ab65fe93ad
DSA invocationID: 8463c260-9822-4824-8f82-86 249f9f00a8
==== INBOUND NEIGHBORS ========================== ========== ==
DC=MyDomain,DC=local
Hotsite\DC3 via RPC
DSA object GUID: 504c1d7a-fcc0-41c6-8e88-45 f5dc2b4f63
Last attempt @ 2016-09-29 14:52:39 was successful.
Default-First-Site-Name\DC 2 via RPC
DSA object GUID: 088c6fd7-1fd7-420b-ac7c-20 13edb6a255
Last attempt @ 2016-09-29 15:04:42 was successful.
CN=Configuration,DC=MyDoma in,DC=loca l
Hotsite\DC3 via RPC
DSA object GUID: 504c1d7a-fcc0-41c6-8e88-45 f5dc2b4f63
Last attempt @ 2016-09-29 14:52:39 was successful.
Default-First-Site-Name\DC 2 via RPC
DSA object GUID: 088c6fd7-1fd7-420b-ac7c-20 13edb6a255
Last attempt @ 2016-09-29 14:55:32 was successful.
CN=Schema,CN=Configuration ,DC=MyDoma in,DC=loca l
Hotsite\DC3 via RPC
DSA object GUID: 504c1d7a-fcc0-41c6-8e88-45 f5dc2b4f63
Last attempt @ 2016-09-29 14:52:39 was successful.
Default-First-Site-Name\DC 2 via RPC
DSA object GUID: 088c6fd7-1fd7-420b-ac7c-20 13edb6a255
Last attempt @ 2016-09-29 14:55:32 was successful.
DC=DomainDnsZones,DC=MyDom ain,DC=loc al
Hotsite\DC3 via RPC
DSA object GUID: 504c1d7a-fcc0-41c6-8e88-45 f5dc2b4f63
Last attempt @ 2016-09-29 14:52:39 was successful.
Default-First-Site-Name\DC 2 via RPC
DSA object GUID: 088c6fd7-1fd7-420b-ac7c-20 13edb6a255
Last attempt @ 2016-09-29 14:55:32 was successful.
DC=ForestDnsZones,DC=MyDom ain,DC=loc al
Hotsite\DC3 via RPC
DSA object GUID: 504c1d7a-fcc0-41c6-8e88-45 f5dc2b4f63
Last attempt @ 2016-09-29 14:52:39 was successful.
Default-First-Site-Name\DC 2 via RPC
DSA object GUID: 088c6fd7-1fd7-420b-ac7c-20 13edb6a255
Last attempt @ 2016-09-29 14:55:32 was successful.
Default-First-Site-Name\PD
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 0022f952-3ecb-4caf-a754-df
DSA invocationID: 8463c260-9822-4824-8f82-86
==== INBOUND NEIGHBORS ==========================
DC=MyDomain,DC=local
Hotsite\DC3 via RPC
DSA object GUID: 504c1d7a-fcc0-41c6-8e88-45
Last attempt @ 2016-09-29 14:52:39 was successful.
Default-First-Site-Name\DC
DSA object GUID: 088c6fd7-1fd7-420b-ac7c-20
Last attempt @ 2016-09-29 15:04:42 was successful.
CN=Configuration,DC=MyDoma
Hotsite\DC3 via RPC
DSA object GUID: 504c1d7a-fcc0-41c6-8e88-45
Last attempt @ 2016-09-29 14:52:39 was successful.
Default-First-Site-Name\DC
DSA object GUID: 088c6fd7-1fd7-420b-ac7c-20
Last attempt @ 2016-09-29 14:55:32 was successful.
CN=Schema,CN=Configuration
Hotsite\DC3 via RPC
DSA object GUID: 504c1d7a-fcc0-41c6-8e88-45
Last attempt @ 2016-09-29 14:52:39 was successful.
Default-First-Site-Name\DC
DSA object GUID: 088c6fd7-1fd7-420b-ac7c-20
Last attempt @ 2016-09-29 14:55:32 was successful.
DC=DomainDnsZones,DC=MyDom
Hotsite\DC3 via RPC
DSA object GUID: 504c1d7a-fcc0-41c6-8e88-45
Last attempt @ 2016-09-29 14:52:39 was successful.
Default-First-Site-Name\DC
DSA object GUID: 088c6fd7-1fd7-420b-ac7c-20
Last attempt @ 2016-09-29 14:55:32 was successful.
DC=ForestDnsZones,DC=MyDom
Hotsite\DC3 via RPC
DSA object GUID: 504c1d7a-fcc0-41c6-8e88-45
Last attempt @ 2016-09-29 14:52:39 was successful.
Default-First-Site-Name\DC
DSA object GUID: 088c6fd7-1fd7-420b-ac7c-20
Last attempt @ 2016-09-29 14:55:32 was successful.
Well sometimes it's hard to give guys help here, as I can't see diagram of the infrastructure you dealing with
But well, i would rather remove those 2008 dc, too old for year 2016
But well, i would rather remove those 2008 dc, too old for year 2016
Do DCdiag aswell
ASKER
Three remote sites, each has a DC. site 1 was PDC, site 3 is DC3, site 2 is DC2. I changed fsmo role holder from pdc to dc3. They each have about 100 computers each. there are only 2008 member servers that have no role in this issue.
OK, Now i got it, not easy to reinstall ADDS, but you could create new VM on Hyper-v
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Well, i would suggest one more thing , Backup polices using group policy management console and import it do dc same way
ASKER
This was ultimately fixed by wrestling with permissions on some locked files for the entire night in the SYSVOL, performing many authoritative restores to force propagation until everything was in place, and while I had the chance I quickly migrated to DFSR from FRS and confirmed all was working. I also had to delete some 700MB of msi files that had no function in the sysvol share before all this began, which helped propagation immensely, which goes without saying.
This was a huge step in the evolution of the networks' health. I suggest migrating to DFSR to everyone with a modern environment.
This was a huge step in the evolution of the networks' health. I suggest migrating to DFSR to everyone with a modern environment.
ASKER
Starting test: Services
Could not open Remote ipc to [PDC.Mydomain.Local]: error 0x4b8
"An extended error has occurred."
......................... PDC failed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x00000422
Time Generated: 09/29/2016 12:58:15
Event String:
The processing of Group Policy failed. Windows attempted to read the file \\Mydomain.local\sysvol\My
An error event occurred. EventID: 0x00000422
Time Generated: 09/29/2016 12:59:26
Event String:
The processing of Group Policy failed. Windows attempted to read the file \ (same as above message)
etc.etc..
etc.etc..
2. I can still do an authoratative restore from DC3 but it crushes the bandwidth for 2 hours and must be done tonight, but this has to be fixed by morning (I may open a microsoft professional services ticket)
3. What do you mean by the PDC Role Hard drive? It is a VM using a SAN in hyper-v. the SAN is showing good, but I suppose I can run a chkdsk afterhours, but it is almost too time consuming to think about right now.
4. the central store shows:
\\Mydomain.local\sysvol\My
The other DCs are OK