m musa
active directory USN rollback
I have 3 servers:
1- (DC1) primary AD with all roles and GC, Windows 2008 R2
2- (DC2) secondary AD, Windows 2012
3- (EX1) Exchange Server 2010, Windows 2008 R2
One month ago I restored DC1 from a snapshot in VMware and the problems started to appear. I searched the internet and after 2 days I did this:
1- Stop the NTFRS service
2- Start regedit, drill down to HKLM\System\CurrentControlSet\Services\NTDS\Parameters and modify the RegKey "Database restored from backup" = 1
3- Drill down to HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process and modify the RegKey BurFlags to D2
4- Reboot the server
That fixed my problem, but yesterday I added a new user on DC1 and it appeared on DC2 and EX1. Then I added an email address in Exchange, but it seems that domain users cannot see this user: Outlook says the user does not exist when I try to set up email, the user is not found when I try to add folder permissions, and I can't log in to email via OWA.
But after I shut down DC2 everything went back to normal and email worked without any problem.
So it's clear that there is a USN rollback problem, but I have a lot of configuration on DC1. My question is: can I demote DC2 and then re-promote it to fix the USN numbers between the two servers, even if the problem is on DC1, not DC2?
Sorry for my English, and thank you.
ASKER
Thank you for the quick reply.
There were no errors in the event logs at all, but the USN number for DC1 (as recorded on DC2) is higher than it is on DC1, so there is no replication to produce an error.
As I remember, when I ran dcdiag from DC1 (the one I restored) I got no errors, but from DC2 I got an error about inbound replication from DC1; I can't remember the error text or number.
And how can I tell which server has the corrupted SYSVOL?
Thanks in advance.
Hi,
When there is SYSVOL corruption on a DC, it will be reported in the event log (FRS log). If you are sure that the server is in USN rollback, then the options are to restore from system state or to demote and promote. I would recommend demoting and promoting the DC.
Before that, refer to this article https://support.microsoft.com/en-in/help/875495/how-to-detect-and-recover-from-a-usn-rollback-in-windows-server-2003 and confirm the USN rollback.
You need to consider the following scenario in this case:
1) Seize the roles to the 2nd DC (transfer won't work)
2) dcpromo /forceremoval
3) Metadata cleanup to remove the failed DC
4) Remove all the DNS entries for it from all the zones
5) Join the server back to the domain, or directly run dcpromo to promote it as a DC
6) Transfer all the roles back
Good luck
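The check the KB article above asks for is a comparison of up-to-dateness vectors: every DC records, per replication partner, the highest USN it has already received from that partner (`repadmin /showutdvec <dc> <naming-context>`). If a partner remembers a higher USN for DC1 than DC1 itself now reports, DC1 has gone backwards in time and replication from it silently stalls, which is exactly the "USN on DC2 is higher than on DC1" symptom the asker describes. The following is an added example, not code from this thread or from Microsoft: a small Python parser and comparison routine that runs over constructed sample output laid out in the shape `repadmin /showutdvec` prints (site\DC, then `@ USN n @ Time ...`); the DC names and USN values are invented, and the format regex is an assumption to adjust if your build prints the columns differently.

```python
"""Detect a USN rollback from up-to-dateness vectors (the KB 875495 check).

Each DC's vector lists, per partner, the highest USN it has received from that
partner.  A partner holding a higher USN for DC1 than DC1 reports for itself
means DC1 was rolled back (e.g. a snapshot revert) and will not replicate.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample output modelled on `repadmin /showutdvec DC1 DC=example,DC=local`
# as run against DC1 (names are resolved to site\DC; with /nocache the first
# column would be the invocation ID instead).  Values are invented.
SHOWUTDVEC_DC1 = """\
Caching GUIDs.
..
Default-First-Site-Name\\DC1          @ USN    410250 @ Time 2017-08-21 09:14:02
Default-First-Site-Name\\DC2          @ USN    118390 @ Time 2017-08-21 09:13:55
"""

# The same command run against DC2.  Note DC2 remembers a higher USN for DC1
# (417902) than DC1 reports for itself (410250): DC1 went backwards.
SHOWUTDVEC_DC2 = """\
Caching GUIDs.
..
Default-First-Site-Name\\DC1          @ USN    417902 @ Time 2017-07-20 17:41:13
Default-First-Site-Name\\DC2          @ USN    118390 @ Time 2017-08-21 09:13:55
"""

# Assumed line shape: "<site\dc or invocation-id> @ USN <n> @ Time <timestamp>"
_VECTOR_LINE = re.compile(
    r"^\s*(?P<dc>\S+)\s+@\s+USN\s+(?P<usn>\d+)\s+@\s+Time\s+(?P<time>.+?)\s*$"
)


def parse_utd_vector(text: str) -> Dict[str, int]:
    """Map each DC (short name, upper-cased) to the highest USN known for it."""
    vector: Dict[str, int] = {}
    for line in text.splitlines():
        match = _VECTOR_LINE.match(line)
        if match:
            # Strip the site prefix so "Default-First-Site-Name\DC1" keys as "DC1".
            name = match.group("dc").split("\\")[-1].upper()
            vector[name] = int(match.group("usn"))
    return vector


def find_usn_rollback(
    vectors: Dict[str, Dict[str, int]]
) -> List[Tuple[str, str, int, int]]:
    """Compare every DC's own USN with what its partners remember for it.

    vectors maps a DC name to the vector collected ON that DC.
    Returns (rolled_back_dc, partner, usn_partner_remembers, dc_own_usn)
    for each case where the partner's recorded USN exceeds the owner's.
    """
    findings = []
    for dc, own_vector in vectors.items():
        own_usn = own_vector.get(dc)
        if own_usn is None:
            continue  # a DC without an entry for itself cannot be checked
        for partner, partner_vector in vectors.items():
            if partner == dc:
                continue
            remembered = partner_vector.get(dc)
            if remembered is not None and remembered > own_usn:
                findings.append((dc, partner, remembered, own_usn))
    return findings


def report(vectors: Dict[str, Dict[str, int]]) -> str:
    """Human-readable summary for the two-DC case on this page."""
    findings = find_usn_rollback(vectors)
    if not findings:
        return "No USN rollback detected: no partner is ahead of any DC's own USN."
    lines = []
    for dc, partner, remembered, own_usn in findings:
        lines.append(
            f"USN rollback on {dc}: {partner} already received USN {remembered} "
            f"from it, but {dc} now reports only {own_usn} "
            f"(gap {remembered - own_usn}); inbound replication from {dc} will stall."
        )
    return "\n".join(lines)


if __name__ == "__main__":
    collected = {
        "DC1": parse_utd_vector(SHOWUTDVEC_DC1),
        "DC2": parse_utd_vector(SHOWUTDVEC_DC2),
    }
    print(report(collected))
```

In practice you would paste in (or pipe) the real `repadmin /showutdvec` output from each DC for the domain naming context; the comparison direction matters, since the DC that was reverted is the one whose own value is lower than what a partner remembers, regardless of which DC logs the replication error.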
ASKER
What I exactly did is this:
I restored DC1 only, from a snapshot. The next day I undid the restore and went back to the original copy that was working before the restore, and the problems started to appear. So I am sure there is a USN rollback, but I wonder: if the only problem is the USN number between the two servers, why not demote the second one, or remove it and create a new secondary server? The primary one has huge files and a lot of configuration, and a new server may fix the USN numbers.
Note that now, if I turn on the secondary server, it works fine, and if I change a user's password from DC1 or DC2 it is changed in the user's account, which means the 2 servers sync in some way.
So, the last advice please: what should I do?
Thanks again.
Okay. If you create a user on the 2nd DC, does it replicate to the 1st DC, and vice versa?
Also, if you create a text file under the SYSVOL folder, does that replicate too?
Did you read the article I posted earlier and run the command to compare the vector IDs?
ASKER
OK, I'll demote and re-promote DC1, but why seize and not transfer? If I do a transfer, how do I check that it's done?
Hi,
You can try a transfer, but most of the time it won't work. Once you have transferred, run 'netdom query fsmo' and check that the correct server holds the roles.
ASKER
thank you :)
It looks like DC1 has a corrupted SYSVOL. The procedure you did earlier just rebuilt the SYSVOL on that server itself (the D2 BurFlags method). What you should have done is: on the server which has a good copy of SYSVOL, mark the SYSVOL structure as the source, and then rebuild the structure on the other.
To confirm whether DC1 is still in journal wrap, go to Event Viewer >> File Replication Service log. If you are getting the error, then follow these steps.
To rebuild the SYSVOL structure on a server which is not replicating correctly, stop the File Replication Service on all domain controllers, configure the BurFlags registry keys, and then restart the File Replication Service, by following these steps:
Click Start, and then Run.
In the Open box, type cmd and click Ok.
In the Command box, type net stop ntfrs.
Click Start, and then Run.
In the Open box, type regedit and then click Ok.
Locate the following subkey in the registry: HKEY_LOCAL_MACHINE\System\
In the right-hand pane, double-click BurFlags.
On the server which has a good copy of Sysvol, mark the Sysvol structure as the Source, by following these steps:
In the Edit DWORD Value dialog box, type D4 and then click Ok.
Close the Registry Editor, and then switch to the command box.
In the command box, type net start ntfrs.
Close the command box.
Once the File Replication Service has started on the source server, on all other domain controllers:
In the Edit DWORD Value dialog box, type D2 and then click Ok.
Close the Registry Editor, and then switch to the command box.
In the command box, type net start ntfrs.
Close the command box.
If you still see the replication errors, then you may need to demote and promote the server (after seizing the FSMO roles to the second DC).