• Status: Solved

Server 2008 R2 Sysvol is replicating only one way

Hello.

The problem was discovered recently as I was adding more GPOs and they did not work as expected. So the problem is that the SYSVOL DFSR share is not in sync between DCs.

All DCs are Server 2008 R2.

The strange part is that SYSVOL replicates to all DCs in all sites, but if a GPO is created on the PDC role holder (DC_PDC), it does not replicate to any members. If a GPO is created on a member DC (one that is not the PDC), then DC_PDC receives the new policy right away. So basically, all DCs do not pull changes from DC_PDC, or DC_PDC does not give changes to the member DCs.

A stranger thing: yesterday at one point it did replicate, while a system state backup job was started on the PDC. But today, again, nothing.


In Events only error logs are:

On member server:

The DFS Replication service is stopping communication with partner DC_PDC for replication group Domain System Volume due to an error. The service will retry the connection periodically.
 Paused for backup or restore

The DFS Replication service failed to communicate with partner DC_PDC for replication group Domain System Volume. The partner did not recognize the connection or the replication group configuration.
 The connection is invalid

and in few minutes:

The DFS Replication service successfully established an inbound connection with partner DC_PDC for replication group Domain System Volume.

Also these logs are on DC_PDC, but always there are EventID 5004 (established connection)
 
The DFSR service is working fine, as other folders are replicated as expected.

dcdiag /test:advertising  passes DC_PDC, passes member DC
dcdiag /test:dns  passes DC_PDC, passes member DC
dcdiag /test:DFSREvent  passes DC_PDC, passes member DC

DFSDIAG /TestReferral /DFSPath:\\domain.local\SYSVOL  does not give any errors
DFSDIAG /testdcs also no errors

I also checked Kaspersky for servers; it has an exclusion on the sysvol dir.

Maybe someone has ideas on what direction to search in; I'm already out of ideas. Thanks.

Asked by: Andrew Spas

1 Solution
 
Mahesh (Architect) commented:
Can you check one thing:
When you create a new GPO in the GPMC console, where is that GPMC console connected? I mean, to which DC? Is it connected to the PDC server?
In that case, ensure that GPMC is connected to the same DC as GPMC, create a new GPO, and check if it's able to replicate to the PDC master.

I don't think SYSVOL has a replication issue; you can confirm by checking that all DCs have the same number of folders under the SYSVOL Policies folder.
 
Andrew Spas (Author) commented:
Hi, thanks for the answer.

If I create a new policy in GPMC (it's connected to the PDC DC; GPMC is also opened on the PDC), the policy is created and I can find the policy folder in SYSVOL. When I connect to a member DC, I can see the new policy, but if I try to open it, it gives the error "The system cannot find the path specified". Also, if I check the sysvol folder on the member DC, the newly created policy folder is not there (so the member server has one folder fewer than the PDC). Also, if I add text files in sysvol\scripts, they are not replicated from PDC_DC.

But if I open GPMC on a member server (GPMC connected to the member server) and create a policy there, it also appears on the PDC DC (the folder is also created there in SYSVOL), and I can open it from GPMC without any errors.
 
Mahesh (Architect) commented:
Can you check the DFSR event log on the member DC and the PDC for any errors where SYSVOL replication is stopped?

If SYSVOL is replicating from the member DC to the PDC and not vice versa, try the below:
You can transfer the FSMO roles to a member DC and make it the PDC.
Check on every DC that the new FSMO master is set to the new DC by running the command "netdom query fsmo".
Then do a SYSVOL non-authoritative restore on the old PDC master.
Steps can be found here:
https://www.experts-exchange.com/articles/17360/Active-Directory-DFSR-Sysvol-Authoritative-and-Non-Authoritative-Restore-Sequence.html
 
Andrew Spas (Author) commented:
The only errors in the event logs are:

ID 5014  The DFS Replication service is stopping communication with partner
ID 5002  The DFS Replication service encountered an error communicating with partner
ID 5004  The DFS Replication service successfully established an inbound connection with partner

There are no new logs with replication errors, while I created test GPOs today.

Still, doing a SYSVOL non-authoritative restore was the last item on the list, as I am afraid of breaking something even more. As yesterday there was also a successful sync from PDC -> all DCs, I hope there is a different fix. Maybe there is a way to diagnose and monitor the SYSVOL replication in more detail?
 
Mahesh (Architect) commented:
The process I suggested is very simple to try and did not break anything, and it is limited to a single DC; plus, we are taking all care to ensure all prerequisites are met.
This is the only way to fix DFSR SYSVOL replication failures.
 
Andrew Spas (Author) commented:
As I transferred the PDC role to different server, replication started to work to and from all servers. Kinda strange behavior.  Will monitor the sysvol, if it will go out of sync from the old_PDC, will perform non authoritative restore.

Thank you.
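
The check discussed in this thread (every DC should hold the same set of GPO folders under the SYSVOL Policies directory) can be scripted for ongoing monitoring. The script below is an added example, not code from any participant in the thread; the DC names and the domain name are placeholders, and it keeps to PowerShell 2.0 syntax because the DCs are Server 2008 R2.

```powershell
# Added example: compare GPO folders under SYSVOL\<domain>\Policies across DCs.
# DC names and domain are placeholders; PowerShell 2.0 syntax (Server 2008 R2).
param(
    [string[]]$DomainControllers = @('DC_PDC', 'DC_MEMBER'),
    [string]$Domain = 'domain.local'
)

function Get-GptVersion([string]$GptIni) {
    # GPT.INI holds "Version=<n>"; -1 means the file is missing or has no version.
    if (-not (Test-Path -LiteralPath $GptIni)) { return -1 }
    foreach ($line in Get-Content -LiteralPath $GptIni) {
        if ($line -match '^\s*Version\s*=\s*(\d+)') { return [long]$Matches[1] }
    }
    return -1
}

$inventory = @{}   # GPO folder name -> @{ DC name -> GPT.INI version }
$reachable = @()   # DCs whose Policies folder could be listed
foreach ($dc in $DomainControllers) {
    $policies = "\\$dc\SYSVOL\$Domain\Policies"
    if (-not (Test-Path -LiteralPath $policies)) {
        Write-Warning "Cannot read $policies, skipping $dc"
        continue
    }
    $reachable += $dc
    Get-ChildItem -LiteralPath $policies |
        Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            if (-not $inventory.ContainsKey($_.Name)) { $inventory[$_.Name] = @{} }
            $inventory[$_.Name][$dc] = Get-GptVersion (Join-Path $_.FullName 'GPT.INI')
        }
}

$report = @()
foreach ($guid in ($inventory.Keys | Sort-Object)) {
    $seen     = $inventory[$guid]
    $missing  = @($reachable | Where-Object { -not $seen.ContainsKey($_) })
    $versions = @($seen.Values | Sort-Object -Unique)
    if ($missing.Count -gt 0 -or $versions.Count -gt 1) {
        $perDc = @($seen.Keys | Sort-Object | ForEach-Object { "$_=$($seen[$_])" })
        $report += New-Object PSObject -Property @{
            Gpo = $guid; MissingOn = ($missing -join ','); Versions = ($perDc -join ' ')
        }
    }
}
if ($report.Count -gt 0) {
    $report | Format-Table Gpo, MissingOn, Versions -AutoSize
} else { 'Policies folders and GPT.INI versions match on all reachable DCs.' }
```

The script only reads from the SYSVOL shares. A GPO that appears on a single DC and is listed under MissingOn for all the others matches the one-way pattern described in the question.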