Fiona Cheeseman
asked on
How long does SYSVOL take to rebuild?
Situation: two servers, DC1 and DC2, both wiped out by ransomware. I have a good bare-metal copy of server DC2 and I decide to junk DC1. The restore goes fine. I take over the FSMO roles on the new server and use a metadata cleanup to remove DC1. I added the server 192.168.254.10 to the NIC as DNS.
When the server starts up I have no access to any AD windows and very little is available in Administrative Tools. Using DCDiag I find the SYSVOL and NETLOGON aren't shared.
Checking the Event Viewer I see that DC2 can't become the DC until it has rebuilt SYSVOL and has it as a share. It's been running for 48 hours on a disk which has 500Gb of data on it and it's a SATA3.
1. How long can I expect it to take? The hard disk light is flashing and the drives are flashing.
I have been through the logs; this is the entry for FRS:
File Replication Service is scanning the data in the system volume. Computer SERVER01 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
To check for the SYSVOL share, at the command prompt, type:
net share
When File Replication Service completes the scanning process, the SYSVOL share will appear.
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.
This is the entry in DFS:
The DFS Replication service successfully contacted domain controller <DC1.local> to access configuration information
This is the result of DCDIAG after doing a fix:
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = SERVER01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SERVER01
Starting test: Connectivity
......................... SERVER01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SERVER01
Starting test: Advertising
Fatal Error:DsGetDcName (SERVER01) call failed, error 1355
The Locator could not find the server.
......................... SERVER01 failed test Advertising
Starting test: FrsEvent
......................... SERVER01 passed test FrsEvent
Starting test: DFSREvent
......................... SERVER01 passed test DFSREvent
Starting test: SysVolCheck
......................... SERVER01 passed test SysVolCheck
Starting test: KccEvent
......................... SERVER01 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... SERVER01 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... SERVER01 passed test MachineAccount
Starting test: NCSecDesc
......................... SERVER01 passed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\SERVER01\netlogon)
[SERVER01] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... SERVER01 failed test NetLogons
Starting test: ObjectsReplicated
......................... SERVER01 passed test ObjectsReplicated
Starting test: Replications
......................... SERVER01 passed test Replications
Starting test: RidManager
......................... SERVER01 passed test RidManager
Starting test: Services
......................... SERVER01 passed test Services
Starting test: SystemLog
An error event occurred. EventID: 0x0000271A
Time Generated: 09/03/2018 09:21:19
Event String:
The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
An error event occurred. EventID: 0x0000271A
Time Generated: 09/03/2018 09:21:19
Event String:
The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.
An error event occurred. EventID: 0x00000469
Time Generated: 09/03/2018 09:21:33
Event String:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
An error event occurred. EventID: 0x00000469
Time Generated: 09/03/2018 09:22:58
Event String:
The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
An error event occurred. EventID: 0xC00038D6
Time Generated: 09/03/2018 09:37:45
Event String:
The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.
......................... SERVER01 failed test SystemLog
Starting test: VerifyReferences
......................... SERVER01 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : <domain>
Starting test: CheckSDRefDom
......................... <domain> passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... jodal2 passed test CrossRefValidation
Running enterprise tests on : <domain>.local
Starting test: LocatorCheck
Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Warning: DcGetDcName(TIME_SERVER) call failed, error 1355
A Time Server could not be located.
The server holding the PDC role is down.
Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error 1355
A Good Time Server could not be located.
Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355
A KDC could not be located - All the KDCs are down.
......................... <domain>.local failed test LocatorCheck
Starting test: Intersite
......................... <domain>.local passed test Intersite
2. Help, is it stuck?
ASKER
Hi Abhi. Here is the answer to your questions. I think there is a fundamental DNS error but I don't know how to correct it. I have put the results of the DNS test after answering your questions.
1) It's set as its own IP as the deferred 192.168.254.10; the old server was .3
I have the server running into a small 5 port hub with nothing else connected. No router, nothing. I don't think that's important.
2) The specified domain either does not exist or could not be contacted.
3) FRS
4) Policies exist under NtFrs_PreExisting___See_EventLog
I might be able to boot up the infected DC1 and extract the SYSVOL and NETLOGON but it may be infected, and it was before I seized the FSMOs.
This is the result of TEST DNS:
C:\Windows\system32>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = SERVER01
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\SERVER01
Starting test: Connectivity
......................... SERVER01 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\SERVER01
Starting test: DNS
DNS Tests are running and not hung. Please wait a few minutes...
......................... SERVER01 passed test DNS
Running partition tests on : ForestDnsZones
Running partition tests on : DomainDnsZones
Running partition tests on : Schema
Running partition tests on : Configuration
Running partition tests on : <DOMAINNAME>
Running enterprise tests on : <DOMAINNAME>.local
Starting test: DNS
Test results for domain controllers:
DC: SERVER01.<DOMAINNAME>.local
Domain: <DOMAINNAME>.local
TEST: Basic (Basc)
Warning: adapter
[00000010] Intel(R) I210 Gigabit Network Connection has
invalid DNS server: 192.168.254.254 (<name unavailable>)
TEST: Forwarders/Root hints (Forw)
Error: All forwarders in the forwarder list are invalid.
Error: Both root hints and forwarders are not configured or
broken. Please make sure at least one of them works.
TEST: Delegations (Del)
Error: DNS server: <OLDSERVERNAME>.<DOMAINNAME>.local. IP:192.168.254.3
[Broken delegated domain _msdcs.<DOMAINNAME>.local.]
Error: DNS server: <OLDSERVERNAME>.<DOMAINNAME>.local. IP:192.168.254.3
[Broken delegated domain remote.<DOMAINNAME>.local.]
Summary of test results for DNS servers used by the above domain
controllers:
DNS server: 192.168.254.3 (<OLDSERVERNAME>.<DOMAINNAME>.local.)
3 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.254.3
DNS server: 192.168.254.254 (<name unavailable>)
2 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.168.254.254
Name resolution is not functional. _ldap._tcp.<DOMAINNAME>.local. failed on the DNS server 192.168.254.254
DNS server: 128.63.2.53 (h.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
DNS server: 128.8.10.90 (d.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90
DNS server: 128.9.0.107 (b.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107
DNS server: 192.112.36.4 (g.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
DNS server: 192.203.230.10 (e.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
DNS server: 192.33.4.12 (c.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
DNS server: 192.36.148.17 (i.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
DNS server: 192.5.5.241 (f.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
DNS server: 192.58.128.30 (j.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
DNS server: 193.0.14.129 (k.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
DNS server: 198.32.64.12 (l.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12
DNS server: 198.41.0.4 (a.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
DNS server: 202.12.27.33 (m.root-servers.net.)
1 test failure on this DNS server
PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
Summary of DNS test results:
Auth Basc Forw Del Dyn RReg Ext
_________________________________________________________
Domain: <DOMAINNAME>.local
SERVER01 PASS WARN FAIL FAIL PASS PASS n/a
......................... <DOMAINNAME>.local failed test DNS
Make sure your DNS entries do not refer to external servers.
Your DNS does not have entries in the reverse 192.168.254 zone defining 254 in PTR dc2.yourdomain.local.
Same applies to the reverse 127.0.0 zone.
In newer systems, the name server records (DNS) should not use 127.0.0.1; it should only have the LAN IP, 192.168.254.254.
This is why it seems the system leaves your DNS exploring external root servers for records about your domain.
Confirm your DNS server has yourdomain.local and _msdcs.yourdomain.local forward AD-integrated zones.
After the bare metal, did you restore system state?
ASKER
Thanks Arnold,
No, I did not restore system state. I agree about the 127.0.0.1. I have inherited this system. I would not use that, only the 192.168.254.10 which is the only DC. I still don't know how long it should take and if this is relevant to the time taken in rebuilding the SYSVOL. I also notice that burflags is 0. I don't want to stop anything in case it starts from the beginning. I am 72 hours in.
I'll see if I can implement your changes. I have been going through the DNS server screen and have removed the old server where I can find it.
Since you only restored one DC and performed the metadata cleanup, there is nothing that should delay it. The issue with sysvol not being shared is likely a journal type of error in the event log, and the error should include how to correct it. The D2/D4 burflags .... repair, it should take 10-15 minutes.
Remove the 127.0.0.1 from the name server list, leaving only the 192.168.254.20.
In DNS, check the SOA record on the domain, _msdtc.
Check whether c:\windows\system32\sysvol exists; within there should be sysvol, domain ......
The files, GPOs should be there.
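A read-only readiness check, added here as an example and not posted by anyone in the thread, that reports the items discussed above in one pass: the SYSVOL and NETLOGON shares that dcdiag's NetLogons test needs, the DNS servers configured on the NIC (flagging 127.0.0.1 and non-LAN addresses), the FRS BurFlags value, the sysvol folder tree with any NtFrs_PreExisting folder, and the last FRS state event. It assumes Windows PowerShell run elevated on the DC and the 192.168.254.0/24 LAN from the thread; it changes nothing.

```powershell
# Added example (not from the thread): read-only post-restore readiness check for a lone DC.
# Assumptions: Windows PowerShell, elevated, on the DC; LAN prefix taken from the thread.
$lanPrefix = '192.168.254.'
$report = [ordered]@{}

# 1. Shares. dcdiag's NetLogons test fails with error 67 while NETLOGON is not shared.
$shareNames = @(Get-WmiObject Win32_Share | ForEach-Object { $_.Name })
$report['SYSVOL share present']   = ($shareNames -contains 'SYSVOL')
$report['NETLOGON share present'] = ($shareNames -contains 'NETLOGON')

# 2. DNS client servers. A single surviving DC should list only its own LAN address;
#    127.0.0.1, a gateway such as .254, or the dead DC's old .3 address are flagged for review.
$nics = Get-WmiObject Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.DNSServerSearchOrder }
foreach ($nic in $nics) {
    $servers = @($nic.DNSServerSearchOrder)
    $suspect = @($servers | Where-Object { $_ -eq '127.0.0.1' -or -not $_.StartsWith($lanPrefix) })
    $line = $servers -join ', '
    if ($suspect.Count -gt 0) { $line += '   <-- review: ' + ($suspect -join ', ') }
    $report["DNS servers ($($nic.Description))"] = $line
}

# 3. FRS BurFlags. 0 = no restore pending; 0xD2 = non-authoritative, 0xD4 = authoritative restore.
$burKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$bur = (Get-ItemProperty -Path $burKey -Name BurFlags -ErrorAction SilentlyContinue).BurFlags
if ($null -eq $bur) { $report['BurFlags'] = 'not set' } else { $report['BurFlags'] = '0x{0:X}' -f $bur }

# 4. Sysvol tree. Netlogon records the sysvol\sysvol path; the default is %SystemRoot%\SYSVOL\sysvol.
$nlKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$sysvolPath = (Get-ItemProperty -Path $nlKey -Name SysVol -ErrorAction SilentlyContinue).SysVol
if (-not $sysvolPath) { $sysvolPath = Join-Path $env:SystemRoot 'SYSVOL\sysvol' }
$report['sysvol path'] = $sysvolPath
$domainDir = Get-ChildItem -Path $sysvolPath -ErrorAction SilentlyContinue |
             Where-Object { $_.PSIsContainer } | Select-Object -First 1
if ($domainDir) {
    $report['domain folder']    = $domainDir.FullName
    $report['Policies present'] = Test-Path (Join-Path $domainDir.FullName 'Policies')
    $report['scripts present']  = Test-Path (Join-Path $domainDir.FullName 'scripts')
    # FRS parks the local content here when it treated the other DC as the reference copy.
    $pre = Get-ChildItem -Path $domainDir.FullName -ErrorAction SilentlyContinue |
           Where-Object { $_.PSIsContainer -and $_.Name -like 'NtFrs_PreExisting*' }
    $report['NtFrs_PreExisting folder'] = [bool]$pre
} else {
    $report['domain folder'] = 'missing'
}

# 5. Last FRS state event: 13566 = still scanning the system volume,
#    13516 = system volume initialised and SYSVOL shared.
$frs = Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13516, 13566 } `
       -MaxEvents 1 -ErrorAction SilentlyContinue
if ($frs) { $report['last FRS state event'] = "$($frs.Id) at $($frs.TimeCreated)" }
else      { $report['last FRS state event'] = 'none found' }

$report.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
```

Re-run it after each change (DNS client settings, BurFlags repair) to see which item moved, instead of rebooting and guessing.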
ASKER
Thanks Arnold, I feel you are sending me in the right direction.
I have removed all the 127.0.0.1 accounts and done some other DNS stuff, including changing the CNAME and other settings to remove the old server.
I have run dcdiag /test:sysvolcheck and it says it's there.
Running /test:netlogons fails with error 67.
Nothing on net share. Do I reboot and risk restarting the 72 hour rebuild process which is the last message in the FRS event log?
My DNS tests pass but obviously can't access the external servers.
ASKER CERTIFIED SOLUTION
Reread your post. I think to verify that the file structure in c:\windows\system32\sysvol contains sysvol\addomain\.........
This is where the sysvol, and therein the netlogon shares, are.
https://social.technet.microsoft.com/Forums/en-US/c1d59f4f-9e4d-4390-b069-6215c65674d8/netlogon-share-does-not-exist-and-dcdiag-failed-test-quotnetlogonsquot-67
ASKER
This is the tree from sysvol:
Folder PATH listing
Volume serial number is AA66-D7EA
C:.
domain
│ NtFrs_PreExisting___See_EventLog
│ ClientAgent
│ │ machine
│ │ user
│ Policies
│ │ {157C2D89-BC20-4599-86B3-1A9124BEA368}
│ │ │ Machine
│ │ │ User
│ │ {31B2F340-016D-11D2-945F-00C04FB984F9}
│ │ │ MACHINE
│ │ │ │ Microsoft
│ │ │ │ Windows NT
│ │ │ │ SecEdit
│ │ │ USER
│ │ {32F5006B-8FA4-4CF2-B2A8-19C562C7DE43}
│ │ │ Machine
│ │ │ │ Microsoft
│ │ │ │ │ Windows NT
│ │ │ │ │ SecEdit
│ │ │ │ Scripts
│ │ │ │ Shutdown
│ │ │ │ Startup
│ │ │ User
│ │ {571A7E64-9E8C-4688-8271-B63A2B032CD8}
│ │ │ Machine
│ │ │ User
│ │ {6AC1786C-016F-11D2-945F-00C04fB984F9}
│ │ │ MACHINE
│ │ │ │ Microsoft
│ │ │ │ Windows NT
│ │ │ │ SecEdit
│ │ │ USER
│ │ {9101A509-BF30-4193-94FF-B3BAF888369E}
│ │ │ Machine
│ │ │ User
│ │ {B7664CE7-F589-4F5F-BA41-A4CB005D96DA}
│ │ │ Machine
│ │ │ │ SBS
│ │ │ User
│ │ │ SBS
│ │ {BAB1A7AD-2FD7-4F2E-B70A-A8BEBF4E4DCB}
│ │ │ Machine
│ │ │ │ Scripts
│ │ │ User
│ │ {CDDBEBAA-93AC-4325-9F25-93D67207F5E5}
│ │ │ Machine
│ │ │ │ SBS
│ │ │ User
│ │ │ MICROSOFT
│ │ │ │ IEAK
│ │ │ │ BRANDING
│ │ │ │ │ favs
│ │ │ │ LOCK
│ │ │ SBS
│ │ {E2457517-4375-4CA9-9C83-5E6271490AED}
│ │ │ Machine
│ │ │ User
│ │ │ Documents & Settings
│ │ {E725B43E-EAF3-443E-97A6-9AA08CDF8499}
│ │ │ Machine
│ │ │ User
│ │ {F1ED6FDE-1967-47EC-BE6C-E72D371D07E0}
│ │ │ Machine
│ │ │ User
│ │ {F3E7E05D-88FA-41B5-85EE-DE7A5374B9D3}
│ │ Machine
│ │ User
│ │ Preferences
│ │ Drives
│ scripts
├───staging
├───staging areas
│ jodal2.local
sysvol
jodal2.local
NtFrs_PreExisting___See_EventLog
ClientAgent
│ machine
│ user
Policies
│ {157C2D89-BC20-4599-86B3-1A9124BEA368}
│ │ Machine
│ │ User
│ {31B2F340-016D-11D2-945F-00C04FB984F9}
│ │ MACHINE
│ │ │ Microsoft
│ │ │ Windows NT
│ │ │ SecEdit
│ │ USER
│ {32F5006B-8FA4-4CF2-B2A8-19C562C7DE43}
│ │ Machine
│ │ │ Microsoft
│ │ │ │ Windows NT
│ │ │ │ SecEdit
│ │ │ Scripts
│ │ │ Shutdown
│ │ │ Startup
│ │ User
│ {571A7E64-9E8C-4688-8271-B63A2B032CD8}
│ │ Machine
│ │ User
│ {6AC1786C-016F-11D2-945F-00C04fB984F9}
│ │ MACHINE
│ │ │ Microsoft
│ │ │ Windows NT
│ │ │ SecEdit
│ │ USER
│ {9101A509-BF30-4193-94FF-B3BAF888369E}
│ │ Machine
│ │ User
│ {B7664CE7-F589-4F5F-BA41-A4CB005D96DA}
│ │ Machine
│ │ │ SBS
│ │ User
│ │ SBS
│ {BAB1A7AD-2FD7-4F2E-B70A-A8BEBF4E4DCB}
│ │ Machine
│ │ │ Scripts
│ │ User
│ {CDDBEBAA-93AC-4325-9F25-93D67207F5E5}
│ │ Machine
│ │ │ SBS
│ │ User
│ │ MICROSOFT
│ │ │ IEAK
│ │ │ BRANDING
│ │ │ │ favs
│ │ │ LOCK
│ │ SBS
│ {E2457517-4375-4CA9-9C83-5E6271490AED}
│ │ Machine
│ │ User
│ │ Documents & Settings
│ {E725B43E-EAF3-443E-97A6-9AA08CDF8499}
│ │ Machine
│ │ User
│ {F1ED6FDE-1967-47EC-BE6C-E72D371D07E0}
│ │ Machine
│ │ User
│ {F3E7E05D-88FA-41B5-85EE-DE7A5374B9D3}
│ Machine
│ User
│ Preferences
│ Drives
scripts
Since you only have one DC, copy the entries out of the pre-existing location.
The pre-existing folder is the result of a replication setup where the other system was the base reference.
ASKER
I think the SYSVOL is all over the place. I have read the BurFlags posts everywhere but I didn't want to stop the service. I have done that now according to the article. So we will see what happens; I don't hold out much hope, as the SYSVOL, NETLOGON and GC are not working.
Use AD Sites and Services (NTDS Settings) to make sure it reflects the sole DC and has GC checked.
You need to copy the data out of the pre-existing folder; the structure has to be within SYSVOL.
Your issue is that NTFRS, when being set up, referenced an empty SYSVOL, thus everything that existed on this system was moved to the pre-existing folder....
ASKER
I left the entries there before doing the BurFlags; shall I stop and delete them or leave them there?
ASKER
Can't get into AD Sites and Services.
Not sure which entries you are talking about, but deleting would not be a good idea.
What happens, do you get an error?
After copying out the data in the SYSVOL, repeat an authoritative .. (just making clear you still only have a single DC on which you are working).
D2 / D4 deal with whether you are using ...... an authoritative ........
ASKER
I stopped the service, moved as many files as I could and restarted. It wouldn't try replicating, so I moved them back and started again.
ASKER
Hi Arnold - a recap
It is plugged into a switch without any other devices connected.
It's a single DC; I seized the FSMO roles and used a metadata cleanup to remove the old server.
I have removed all references in the DNS to the old server.
The server has one NIC configured with 192.168.254.10 for the DNS (its own IP).
DCDIAG TEST DNS passes except forwarding, as it's on its own and can't resolve the IPs as they are external.
I am doing a D4 rebuild as we type.
Thanks
Files should not be moved, but copied, out of every pre-existing folder.
BurFlags authoritative needs to be performed on this system; that should reset/reinitialize and share the SYSVOL and NETLOGON shares.
Please address whether you are still operating with a single DC.
Check the application/system event log that deals with what is preventing the sharing of the NETLOGON; it will tell you what the remedy is.
ASKER
Yes, it's a single DC. The old DC is available but as it's infected with ransomware I don't want to go near it unless I have to.
Presumably the other DC is off the network.
What was the result of running the D4 BurFlags after the data from pre-existing/staging was copied out?
What about events in the event log dealing with NETLOGON?
ASKER
Hi Arnold
I did a reboot and then checked. It says the same as it did before. I started it at 18:52 and it's now 20:52 UK time.
The last entry in the event viewer says:
File Replication Service is scanning the data in the system volume. Computer SERVER01 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.
To check for the SYSVOL share, at the command prompt, type:
net share
When File Replication Service completes the scanning process, the SYSVOL share will appear.
The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.
It should not take this long; the D4 BurFlags fix should reset/reinitialize the database.
Based on your post, the number of files does not seem to be large.
Please confirm that you do not have a jrnl-related error preventing the ........
ASKER
303766 files
jrnl-related error preventing the ........ tell me more?
There shouldn't be that many files in the SYSVOL, though if you copied the pre-existing it's half. But still too many files, commonly.
See whether some of the files are in the staging area trying to replicate in/out......
SYSVOL: GPOs and scripts.
The D4 BurFlags deals with the journal wrap error that prevents the ....
Try the following: search, using advanced search within the SYSVOL, for files larger than 100k.
Since your DC was compromised, make sure there are no large files.
Potentially being more selective when copying GPOs, some scripts.
Is your environment physical servers or VMs?
Deciding whether to set up a brand new second DC, joined, have its SYSVOL populated with GPOs/scripts and reset it using D4 BurFlags while NTFRS is shut off on the current DC, having it assert the primary role, at which point you should have a functional DC.
Or use the new system with an authoritative system state restore while off the network to see if you can get a functional DC running.
The jrnl wrap error deals with reinitializing the db .........
But if you do not have this error.
Another option is to move everything out of the SYSVOL to get it shared, then copy GPOs and scripts back in.
You've been at this for some time........
Restoring files from backup ...
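The two things Arnold keeps coming back to, in this post and in his earlier one about the pre-existing folder, are (a) hunt through SYSVOL for anything large or foreign before trusting it, and (b) copy, never move, the contents of NtFrs_PreExisting___See_EventLog back into the live tree. The script below is an added example written for this thread, not code from the thread or from Microsoft. It assumes SYSVOL is at C:\Windows\SYSVOL, that the live replica root is C:\Windows\SYSVOL\domain (sysvol\jodal2.local in the tree listing above is a junction to it), that NtFrs has already been stopped, and that the 100 KB threshold, the file-name heuristics and the incident date are placeholders you adjust. It is written for Windows PowerShell 2.0 and later so it runs on SBS-era servers.

```powershell
# Added example, not code from the thread. Triages SYSVOL for anything a ransomware incident may
# have left behind, then copies (never moves) the FRS pre-existing folder back into the live tree.
# Assumptions: SYSVOL at C:\Windows\SYSVOL, replica root C:\Windows\SYSVOL\domain, NtFrs stopped.

$SysvolRoot    = 'C:\Windows\SYSVOL'
$Live          = Join-Path $SysvolRoot 'domain'
$Staging       = Join-Path $SysvolRoot 'staging areas'
$PreExisting   = Join-Path $Live 'NtFrs_PreExisting___See_EventLog'
$DryRun        = $true                    # set to $false to actually copy
$IncidentStart = Get-Date '2000-01-01'    # placeholder: set to the start of the attack window

# Scan the real folders, not the sysvol\<domain> junction, so nothing is counted twice.
$Files = Get-ChildItem $Live, $Staging -Recurse -Force -ErrorAction SilentlyContinue |
         Where-Object { -not $_.PSIsContainer }

# 1. Files over 100 KB (the threshold suggested in the thread): GPO templates and logon scripts are small.
$Large    = @($Files | Where-Object { $_.Length -gt 100KB })
# 2. Executables do not belong in SYSVOL; the ransom-note name patterns are an assumed heuristic.
$Binaries = @($Files | Where-Object { $_.Extension -match '^\.(exe|dll|scr|hta|msi)$' -or
                                      $_.Name -match 'readme|decrypt|recover|how_to' })
# 3. Logon/startup scripts are legitimate, but they are exactly where persistence gets planted.
$Scripts  = @($Files | Where-Object { $_.Extension -match '^\.(bat|cmd|vbs|js|ps1)$' -and
                                      $_.LastWriteTime -gt $IncidentStart })

Write-Host "== $($Large.Count) files over 100 KB =="
$Large    | Select-Object Length, LastWriteTime, FullName | Format-Table -AutoSize | Out-String | Write-Host
Write-Host "== $($Binaries.Count) executables / ransom-note names =="
$Binaries | Select-Object Length, LastWriteTime, FullName | Format-Table -AutoSize | Out-String | Write-Host
Write-Host "== $($Scripts.Count) scripts written since $IncidentStart =="
$Scripts  | Select-Object LastWriteTime, FullName | Format-Table -AutoSize | Out-String | Write-Host
if ($Large.Count -or $Binaries.Count) { Write-Warning 'Quarantine the flagged items before restoring; do not copy them back.' }

# 4. Copy the pre-existing tree back. /E keeps empty GPO folders, /COPY:DATSO carries the ACLs Group Policy
#    depends on, /XO never overwrites a newer live copy, /XD keeps FRS's own bookkeeping folders out of it.
if (-not (Test-Path $PreExisting)) { throw "No pre-existing folder at $PreExisting" }
if ((Get-Service ntfrs).Status -ne 'Stopped') { throw 'Stop NtFrs first (net stop ntfrs) before touching SYSVOL.' }

$RoboArgs = @($PreExisting, $Live, '/E', '/COPY:DATSO', '/XO', '/R:1', '/W:1',
              '/XD', 'NtFrs_PreExisting___See_EventLog', 'DO_NOT_REMOVE_NtFrs_PreInstall_Directory',
              '/LOG+:C:\sysvol-restore.log', '/TEE')
if ($DryRun) { $RoboArgs += '/L' }        # /L = list what would be copied, copy nothing
& robocopy.exe @RoboArgs
# robocopy exit codes below 8 are success (0 nothing to do, 1 copied, 2/4 extras or mismatches); 8 and up is failure
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit $LASTEXITCODE); see C:\sysvol-restore.log" }

# 5. Before NtFrs is started again, the two built-in GPOs must exist in the live Policies folder.
foreach ($Gpo in '{31B2F340-016D-11D2-945F-00C04FB984F9}', '{6AC1786C-016F-11D2-945F-00C04fB984F9}') {
    $Gpt = Join-Path $Live "Policies\$Gpo\GPT.INI"
    if (Test-Path $Gpt) { Write-Host "OK       $Gpt" } else { Write-Warning "missing  $Gpt" }
}
```

Run it once with $DryRun left at $true and read the robocopy listing and the triage tables; only flip it to $false when nothing flagged remains. The GUIDs in step 5 are the Default Domain Policy and Default Domain Controllers Policy, both visible in the tree listing above; if either GPT.INI is missing after the copy, the SYSVOL content is not complete and an authoritative (D4) BurFlags restart would make that incomplete copy the reference.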
ASKER
The actual answer is ten minutes, and set the BurFlags to D4.
As it said it may take time, I assumed "Microsoft minutes" and let it run for 72 hours each time; when the right flag was set in the right place it took 10 minutes.
There were other issues with the GP, DNS and the old server still being stuck in other places, plus I set the D4 flag in a backup part of the registry so it didn't work until I put it in the right area.
https://support.microsoft.com/en-in/help/312862/recovering-missing-frs-objects-and-frs-attributes-in-active-directory
https://www.experts-exchange.com/questions/26509978/SYSVOL-Share-Missing-after-Enable-Journal-Wrap-Automatic-Restore-on-SBS-2008.html
If not, refer below. ["Hope you have a valid backup of your servers with you, so that in a worst-case scenario you can restore the backup to an earlier live state; at most of the ransomware-affected sites we had to restore the servers from the backup."]
1) Which is the IP address of your available DC (DC2), 192.168.254.10? If not, enter the same IP of the DC in the preferred DNS. Also verify that the old DC's entries have been cleared from the DNS server properties (NS records) as well as other SRV records. If not, delete them manually.
2) When running the command "netdom query dc", confirm you are only able to see your available DC (DC2).
3) Confirm which file replication technology is being used: FRS or DFS-R? Run the command "dfsrmig.exe /getglobalstate" (Refer: https://www.mysysadmintips.com/windows/servers/626-find-out-if-your-domain-sysvol-replication-is-run-by-frs-or-dfs-r)
4) Check if all the policies still exist under "C:\Windows\Sysvol\Domain\
If you are getting FRS or DFS-R errors, refer to the steps below.
5) If the preferred DNS is correct, netdom query shows only 1 DC, and FRS is being used, then perform a non-authoritative restore of SYSVOL on the single DC: [Verify you have a backup of the "C:\Windows\Sysvol\Domain\
a) net stop ntfrs
b) Browse to HKEY_LOCAL_MACHINE\SYSTEM\
In the right-hand window look for the REG_DWORD value "BurFlags". Right-click this value and choose Modify, and change the value data to D2.
c) net start ntfrs
6) If it's DFS-R, perform the first part of the article (https://support.microsoft.com/en-in/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo)
Hope that helps.
Thanks,
Abhi...
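Abhi's checklist (preferred DNS, netdom query dc, FRS versus DFS-R, the BurFlags edit) and the asker's own closing remark that the flag only worked once it was in the right registry location are worth having as one script. What follows is an added example written for this thread, not Abhi's or the asker's code and not a Microsoft script. It assumes the DC's IP is 192.168.254.10 as stated in the thread, that SYSVOL is still replicated by FRS, that you run it elevated on the single remaining DC, and that the pre-existing data has already been copied back (the step Arnold insists on) before BurFlags is touched. The event IDs in the comment are the ones commonly seen for these NtFrs messages; the filter matches on the message text the thread quotes rather than relying on them.

```powershell
# Added example, not part of Abhi's answer. Runs his checks and then writes BurFlags into the one
# key NtFrs actually reads. Assumptions: DC IP 192.168.254.10, SYSVOL on FRS, run elevated on the
# sole remaining DC. D4 (authoritative) is only right when this DC is the reference copy.

function Test-DcBasics {
    param([string]$ExpectedDns = '192.168.254.10')

    # 1) Preferred DNS must be this DC (WMI call works from 2008 through 2019)
    $Dns = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
             ForEach-Object { $_.DNSServerSearchOrder })
    Write-Host "DNS servers        : $($Dns -join ', ')   (expected first: $ExpectedDns)"
    if ($Dns.Count -eq 0 -or $Dns[0] -ne $ExpectedDns) { Write-Warning 'Preferred DNS is not this DC' }

    # 2) After the metadata cleanup only one DC should be listed
    Write-Host "netdom query dc    :`n$((netdom query dc 2>&1) -join "`n")"

    # 3) FRS or DFS-R? 'Eliminated' means DFS-R owns SYSVOL; Prepared/Redirected is a migration in flight
    $Mig  = (dfsrmig.exe /getglobalstate 2>&1) -join ' '
    $Tech = if ($Mig -match 'Eliminated') { 'DFS-R' } elseif ($Mig -match 'Prepared|Redirected') { 'MIGRATING' } else { 'FRS' }
    Write-Host "SYSVOL replication : $Tech   ($Mig)"

    # 4) The same check as the 'net share' the FRS event text suggests
    $Shares = @(net share | Where-Object { $_ -match '^(SYSVOL|NETLOGON)\s' } | ForEach-Object { ($_ -split '\s{2,}')[0] })
    Write-Host "Shares present     : $(if ($Shares) { $Shares -join ', ' } else { 'none' })"

    # 5) What NtFrs is saying. Matches the message text quoted in the thread; the IDs usually seen are
    #    13568 (journal wrap), 13566 (scanning), 13516 (ready), but trust your own log, not this comment.
    Get-EventLog -LogName 'File Replication Service' -Newest 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'journal wrap|JRNL_WRAP|scanning the data in the system volume|no longer preventing' } |
        Select-Object -First 5 TimeGenerated, EventID, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize | Out-String | Write-Host
    return $Tech
}

function Set-FrsBurFlags {
    param([bool]$Authoritative = $true)
    # The key name contains a forward slash, which the PowerShell registry provider treats as a path
    # separator, so an HKLM:\ path to it does not resolve; open the exact key through .NET instead.
    # NtFrs reads only this key under CurrentControlSet: a copy placed elsewhere (for example under a
    # ControlSet00x that CurrentControlSet does not point to) does nothing, which is the asker's 72-hour wait.
    $SubKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $Value  = if ($Authoritative) { 0xD4 } else { 0xD2 }    # D4 = authoritative, D2 = non-authoritative

    Stop-Service ntfrs -Force
    $Key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
    if (-not $Key) { throw "Key not found: HKLM\$SubKey (is FRS installed on this DC?)" }
    $Key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $Key.Close()
    Write-Host ("BurFlags set to 0x{0:X} under HKLM\{1}" -f $Value, $SubKey)
    Start-Service ntfrs                                       # NtFrs reads BurFlags at startup
}

function Wait-SysvolShare {
    param([int]$TimeoutMinutes = 15)                          # the asker saw the share come back within ten
    $Deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        if (net share | Where-Object { $_ -match '^SYSVOL\s' }) { return $true }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $Deadline)
    return $false
}

# Usage: check first; only touch BurFlags when FRS is in charge and the pre-existing data is already back.
if ((Test-DcBasics) -eq 'FRS') {
    Set-FrsBurFlags -Authoritative $true                      # single remaining DC => D4
    if (Wait-SysvolShare) { Write-Host 'SYSVOL is shared; run dcdiag /test:advertising next' }
    else { Write-Warning 'Still no SYSVOL share; re-read the FRS log for journal wrap or access-denied events' }
}
```

Two design points. First, the .NET registry call is deliberate: with the forward slash in "Backup/Restore", a Set-ItemProperty against an HKLM:\ path is the easy way to end up editing, or creating, the wrong key. Second, the D4/D2 choice is passed in explicitly because Abhi's step 5 sets D2 while the asker's resolution was D4; on a lone DC with no partner to pull from, D2 has nothing to synchronize against, which is why the script defaults to D4 only under the single-DC assumption stated above.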