Server 2008 R2 Sysvol is replicating only one way

Hello.

The problem was discovered recently as I was adding more GPOs, and they did not work as expected. So the problem is that the sysvol DFSR share is not in sync between DCs.

All DC are server 2008 R2

The strange part is that sysvol replicates to all DCs in all sites, but if a GPO is created on the PDC (DC_PDC) role holder, it does not replicate to any members. If a GPO is created on a member DC (that is not the PDC), then DC_PDC receives the new policy right away. So basically, all DCs do not pull changes from DC_PDC, or DC_PDC does not give changes to member DCs.

More strange thing, yesterday at one point it did replicate, while system state backup job was started on PDC. But today again, nothing.


In Events only error logs are:

On member server:

The DFS Replication service is stopping communication with partner DC_PDC for replication group Domain System Volume due to an error. The service will retry the connection periodically.
 Paused for backup or restore

The DFS Replication service failed to communicate with partner DC_PDC for replication group Domain System Volume. The partner did not recognize the connection or the replication group configuration.
 The connection is invalid

and in few minutes:

The DFS Replication service successfully established an inbound connection with partner DC_PDC for replication group Domain System Volume.

Also these logs are on DC_PDC, but always there are EventID 5004 (established connection)
 
The DFSR service is working fine, as other folders are replicated as expected.

dcdiag /test:advertising  passes DC_PDC, passes member DC
dcdiag /test:dns  passes DC_PDC, passes member DC
dcdiag /test:DFSREvent  passes DC_PDC, passes member DC

DFSDIAG /TestReferral /DFSPath:\\domain.local\SYSVOL  does not give any errors
DFSDIAG /testdcs also no errors

Also checked Kaspersky for servers; it has an exclusion on the sysvol dir.

Maybe someone has ideas on what direction to search; I'm already out of ideas. Thanks
Andrew Spas Asked:

Mahesh (Architect) Commented:
Can you check one thing:
When you create a new GPO in the GPMC console, where is that GPMC console connected? I mean, to which DC? Is it connected to the PDC server?
In that case ensure that GPMC is connected to same DC as GPMC and create a new GPO and check if it's able to replicate to the PDC master.

I don't think sysvol has a replication issue; you can confirm by checking that all DCs have the same amount of folders under the sysvol policies folder.
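One way to run the folder comparison suggested above, as an added example that is not part of the original thread. It goes a step further than counting folders by also comparing the `Version=` value in each GPO's `GPT.INI`. `DC_MEMBER1` and `DC_MEMBER2` are placeholder names; `DC_PDC` and `domain.local` are the names used in the question. It avoids cmdlet switches newer than PowerShell 2.0 so it runs on Server 2008 R2.

```powershell
# Added example (not from the thread). DC_MEMBER1/DC_MEMBER2 are placeholders.
$Domain    = 'domain.local'
$Reference = 'DC_PDC'
$Members   = @('DC_MEMBER1', 'DC_MEMBER2')

function Get-GpoVersions {
    param([string]$DC)
    # Read each DC's own SYSVOL share directly, not the DFS namespace path,
    # so a referral cannot hide a stale copy.
    $root   = "\\$DC\SYSVOL\$Domain\Policies"
    $result = @{}
    Get-ChildItem -LiteralPath $root -ErrorAction Stop |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $ini = Join-Path $_.FullName 'GPT.INI'
            $ver = $null
            if (Test-Path -LiteralPath $ini) {
                $line = Get-Content -LiteralPath $ini |
                    Where-Object { $_ -match '^\s*Version\s*=' } |
                    Select-Object -First 1
                if ($line -match '=\s*(\d+)') { $ver = [int64]$Matches[1] }
            }
            $result[$_.Name.ToUpper()] = $ver
        }
    return $result
}

$ref = Get-GpoVersions -DC $Reference
foreach ($dc in $Members) {
    try { $cur = Get-GpoVersions -DC $dc }
    catch { Write-Warning "$dc : cannot read Policies folder: $_"; continue }

    $names = @($ref.Keys) + @($cur.Keys) | Sort-Object -Unique
    foreach ($gpo in $names) {
        $state = 'InSync'
        if (-not $cur.ContainsKey($gpo))     { $state = "MissingOn_$dc" }
        elseif (-not $ref.ContainsKey($gpo)) { $state = "MissingOn_$Reference" }
        elseif ($cur[$gpo] -ne $ref[$gpo])   { $state = 'VersionMismatch' }

        if ($state -ne 'InSync') {
            New-Object PSObject -Property @{
                DC = $dc; Gpo = $gpo; State = $state
                RefVersion = $ref[$gpo]; DcVersion = $cur[$gpo]
            } | Select-Object DC, Gpo, State, RefVersion, DcVersion
        }
    }
}
```

No output means every GPO folder and `GPT.INI` version on the listed members matches the reference DC.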
Andrew Spas (Author) Commented:
Hi, thanks for the answer.

If I create a new policy in GPMC (it's connected to the PDC DC), with GPMC also opened on the PDC, the policy is created and I can find the policy folder in sysvol. When I connect to a member DC, I can see the new policy, but if I try to open it, it gives the error "The system cannot find the path specified". Also, if I check the sysvol folder on the member DC, there is no newly created policy folder there (so on the member server there is -1 folder than on the PDC). Also, if I add text files in sysvol\scripts, they are not replicated from PDC_DC.

But if I open GPMC on a member server (GPMC connected to the member server) and create a policy there, it also appears on the PDC DC (the folder is also created there in sysvol) and I can open it from GPMC without any errors.
Mahesh (Architect) Commented:
Can you check the DFSR event log on the member DC and the PDC for any errors where sysvol replication is stopped?

If sysvol is replicating from the member DC to the PDC and not vice versa, try the below:
You can transfer the FSMO roles to a member DC and make it the PDC.
Check on every DC that the new FSMO master is set to the new DC by running the command "netdom query fsmo".
Then do a sysvol non-authoritative restore on the old PDC master.
Steps can be found here:
https://www.experts-exchange.com/articles/17360/Active-Directory-DFSR-Sysvol-Authoritative-and-Non-Authoritative-Restore-Sequence.html
Andrew Spas (Author) Commented:
The only errors in the Event logs are:

ID 5014  The DFS Replication service is stopping communication with partner
ID 5002  The DFS Replication service encountered an error communicating with partner
ID 5004  The DFS Replication service successfully established an inbound connection with partner

There are no new logs with replication errors while I created test GPOs today.

Still, doing a sysvol non-authoritative restore was the last on the list, as I am afraid to break something even more. As yesterday there was a successful sync also from PDC->All DCs, I hope there is a different fix. Maybe there is a way to diagnose or monitor the sysvol replication in more detail?
Mahesh (Architect) Commented:
The process I suggested is very simple to try and did not break anything and is limited to a single DC, plus we are taking all care to ensure all prerequisites are met.
This is the only way to fix DFSR sysvol replication failures.
Andrew Spas (Author) Commented:
As I transferred the PDC role to a different server, replication started to work to and from all servers. Kind of strange behavior. I will monitor the sysvol; if it goes out of sync from the old_PDC, I will perform a non-authoritative restore.

Thank you.