How long does SYSVOL take to rebuild?

Situation: two servers, DC1 and DC2, both wiped out by ransomware. I have a good bare metal copy of server DC2 and I decide to junk DC1. The restore goes fine. I take over the FSMO roles on the new server and use a metadata cleanup to remove DC1. I added the server 192.168.254.10 to the NIC as DNS.

When the server starts up I have no access to any AD windows and very little is available in Administrative Tools. Using DCDIAG I find the SYSVOL and NETLOGON aren't shared.

Checking the Event Viewer I see that DC2 can't become the DC until it has rebuilt SYSVOL and has it as a share. It's been running for 48 hours on a disk which has 500GB of data on it and it's a SATA3.

1. How long can I expect it to take? The hard disk light is flashing and the drives are flashing.

I have been through the logs; this is the entry for FRS:

File Replication Service is scanning the data in the system volume. Computer SERVER01 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

To check for the SYSVOL share, at the command prompt, type:
net share

When File Replication Service completes the scanning process, the SYSVOL share will appear.

The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.

This is the entry in DFS:

The DFS Replication service successfully contacted domain controller <DC1.local> to access configuration information

This is the result of DCDIAG after doing a fix:

Directory Server Diagnosis

Performing initial setup:

  Trying to find home server...

  Home Server = SERVER01

  * Identified AD Forest.

  Done gathering initial info.

Doing initial required tests

 

  Testing server: Default-First-Site-Name\SERVER01

      Starting test: Connectivity

        ......................... SERVER01 passed test Connectivity

Doing primary tests

  Testing server: Default-First-Site-Name\SERVER01

      Starting test: Advertising

        Fatal Error:DsGetDcName (SERVER01) call failed, error 1355

        The Locator could not find the server.

        ......................... SERVER01 failed test Advertising

      Starting test: FrsEvent

        ......................... SERVER01 passed test FrsEvent

      Starting test: DFSREvent

        ......................... SERVER01 passed test DFSREvent

      Starting test: SysVolCheck

        ......................... SERVER01 passed test SysVolCheck

      Starting test: KccEvent

        ......................... SERVER01 passed test KccEvent

      Starting test: KnowsOfRoleHolders

        ......................... SERVER01 passed test KnowsOfRoleHolders

      Starting test: MachineAccount

        ......................... SERVER01 passed test MachineAccount

      Starting test: NCSecDesc

        ......................... SERVER01 passed test NCSecDesc

      Starting test: NetLogons

        Unable to connect to the NETLOGON share! (\\SERVER01\netlogon)

        [SERVER01] An net use or LsaPolicy operation failed with error 67,

        The network name cannot be found..

        ......................... SERVER01 failed test NetLogons

      Starting test: ObjectsReplicated

        ......................... SERVER01 passed test ObjectsReplicated

      Starting test: Replications

        ......................... SERVER01 passed test Replications

      Starting test: RidManager

        ......................... SERVER01 passed test RidManager

      Starting test: Services

        ......................... SERVER01 passed test Services

      Starting test: SystemLog

        An error event occurred.  EventID: 0x0000271A

            Time Generated: 09/03/2018  09:21:19

            Event String:

            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.

        An error event occurred.  EventID: 0x0000271A

            Time Generated: 09/03/2018  09:21:19

            Event String:

            The server {9BA05972-F6A8-11CF-A442-00A0C90A8F39} did not register with DCOM within the required timeout.

        An error event occurred.  EventID: 0x00000469

           Time Generated: 09/03/2018  09:21:33

            Event String:

            The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

        An error event occurred.  EventID: 0x00000469

            Time Generated: 09/03/2018  09:22:58

            Event String:

            The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.

        An error event occurred.  EventID: 0xC00038D6

           Time Generated: 09/03/2018  09:37:45

            Event String:

            The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

        ......................... SERVER01 failed test SystemLog

      Starting test: VerifyReferences

        ......................... SERVER01 passed test VerifyReferences

  Running partition tests on : ForestDnsZones

      Starting test: CheckSDRefDom

        ......................... ForestDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

        ......................... ForestDnsZones passed test

        CrossRefValidation

  Running partition tests on : DomainDnsZones

      Starting test: CheckSDRefDom

        ......................... DomainDnsZones passed test CheckSDRefDom

      Starting test: CrossRefValidation

        ......................... DomainDnsZones passed test

        CrossRefValidation

  Running partition tests on : Schema

      Starting test: CheckSDRefDom

        ......................... Schema passed test CheckSDRefDom

      Starting test: CrossRefValidation

        ......................... Schema passed test CrossRefValidation

  Running partition tests on : Configuration

      Starting test: CheckSDRefDom

        ......................... Configuration passed test CheckSDRefDom

      Starting test: CrossRefValidation

         ......................... Configuration passed test CrossRefValidation

  Running partition tests on : <domain>

      Starting test: CheckSDRefDom

        ......................... <domain> passed test CheckSDRefDom

      Starting test: CrossRefValidation

        ......................... jodal2 passed test CrossRefValidation

  Running enterprise tests on : <domain>.local

      Starting test: LocatorCheck

        Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355

        A Global Catalog Server could not be located - All GC's are down.

        Warning: DcGetDcName(TIME_SERVER) call failed, error 1355

        A Time Server could not be located.

        The server holding the PDC role is down.

        Warning: DcGetDcName(GOOD_TIME_SERVER_PREFERRED) call failed, error

        1355

        A Good Time Server could not be located.

        Warning: DcGetDcName(KDC_REQUIRED) call failed, error 1355

        A KDC could not be located - All the KDCs are down.

        ......................... <domain>.local failed test LocatorCheck

      Starting test: Intersite

        ......................... <domain>.local passed test Intersite


2. Help, is it stuck?
Fiona CheesemanAsked:

Abhilash PappiyilTechnical Lead - Network SupportCommented:
SYSVOL replication should be completed within a few minutes, depending on the number of GPOs. Refer to these if this is the ONLY issue you are facing.

https://support.microsoft.com/en-in/help/312862/recovering-missing-frs-objects-and-frs-attributes-in-active-directory
https://www.experts-exchange.com/questions/26509978/SYSVOL-Share-Missing-after-Enable-Journal-Wrap-Automatic-Restore-on-SBS-2008.html

If NOT, refer below. [Hope you have a valid backup of your servers with you, so that in a worst-case scenario you can restore the backup to an earlier live state; at most of the ransomware-affected sites, we had to restore the servers from the backup.]

1) Which is the IP address of your available DC (DC2), 192.168.254.10? If not, enter the same IP of the DC in the preferred DNS. Also verify if the old DC's entries have been cleared from DNS server properties (NS records) as well as other SRV records. If not, delete them manually.

2) When running the command "netdom query dc", confirm you are only able to see your available DC (DC2).

3) Confirm which file replication technology is being used: FRS or DFS? Run the command "dfsrmig.exe /getglobalstate" (Refer: https://www.mysysadmintips.com/windows/servers/626-find-out-if-your-domain-sysvol-replication-is-run-by-frs-or-dfs-r)

4) Check if all the policies still exist under "C:\Windows\Sysvol\Domain\Policies". If they got deleted or the policies folder is empty, then you may need to restore it from a recent backup. If you are not getting any errors under FRS/DFS, you can simply restore the contents to the policies folder from your backup.

If you are getting FRS or DFS errors, refer to the steps below.

5) If the preferred DNS is correct, netdom query shows only 1 DC, and FRS is being used, then perform a non-authoritative restore of SYSVOL on the single DC: [Verify you have a backup of the "C:\Windows\Sysvol\Domain\Policies" folder]


a) Net stop FRS

b) Browse to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup.
In the right-hand window look for the REG_DWORD value "BurFlags". Right-click this value and choose Modify, and change the value data to D2.

c) net start FRS.
 
6) If it's DFS, perform the first part of the article (https://support.microsoft.com/en-in/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo)
 
Hope that helps.

Thanks,
Abhi...
0
Fiona CheesemanAuthor Commented:
Hi Abhi. Here are the answers to your questions. I think there is a fundamental DNS error but I don't know how to correct it. I have put the results of the test DNS after answering your questions.
1) It's set as its own IP as the deferred, 192.168.254.10; the old server was .3
I have the server running into a small 5 port hub with nothing else connected. No router, nothing. I don't think that's important.

2) The specified domain either does not exist or could not be contacted.
3) FRS
4) Policies exist under NtFrs_PreExisting___See_EventLog

I might be able to boot up the infected DC1 and extract the SYSVOL and NETLOGON but it may be infected and it was before I seized the FSMO's.

This is the result of TEST DNS
C:\Windows\system32>dcdiag /test:dns
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = SERVER01
   * Identified AD Forest.
   Done gathering initial info.
Doing initial required tests
   Testing server: Default-First-Site-Name\SERVER01
      Starting test: Connectivity
         ......................... SERVER01 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\SERVER01
      Starting test: DNS
         DNS Tests are running and not hung. Please wait a few minutes...
         ......................... SERVER01 passed test DNS
   Running partition tests on : ForestDnsZones
   Running partition tests on : DomainDnsZones
   Running partition tests on : Schema
   Running partition tests on : Configuration
   Running partition tests on : <DOMAINNAME>
   Running enterprise tests on : <DOMAINNAME>.local
      Starting test: DNS
         Test results for domain controllers:

            DC: SERVER01.<DOMAINNAME>.local
            Domain: <DOMAINNAME>.local
               TEST: Basic (Basc)
                  Warning: adapter
                  [00000010] Intel(R) I210 Gigabit Network Connection has
                  invalid DNS server: 192.168.254.254 (<name unavailable>)
               TEST: Forwarders/Root hints (Forw)
                  Error: All forwarders in the forwarder list are invalid.
                  Error: Both root hints and forwarders are not configured or
                  broken. Please make sure at least one of them works.
               TEST: Delegations (Del)
                  Error: DNS server: <OLDSERVERNAME>.<DOMAINNAME>.local.
                  IP:192.168.254.3
                  [Broken delegated domain _msdcs.<DOMAINNAME>.local.]
                  Error: DNS server: <OLDSERVERNAME>.<DOMAINNAME>.local.
                  IP:192.168.254.3
                  [Broken delegated domain remote.<DOMAINNAME>.local.]
         Summary of test results for DNS servers used by the above domain
         controllers:
            DNS server: 192.168.254.3 (<OLDSERVERNAME>.<DOMAINNAME>.local.)
               3 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.168.254.3
            DNS server: 192.168.254.254 (<name unavailable>)
               2 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.168.254.254               Name resolution is not functional. _ldap.
_tcp.<DOMAINNAME>.local. failed on the DNS server 192.168.254.254

            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 128.63.2.53
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 128.8.10.90
            DNS server: 128.9.0.107 (b.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 128.9.0.107
            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.112.36.4
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.203.230.10
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.33.4.12
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.36.148.17
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.5.5.241
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 192.58.128.30
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 193.0.14.129
            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 198.32.64.12
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 198.41.0.4
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DN
S server 202.12.27.33
         Summary of DNS test results:

                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: <DOMAINNAME>.local
               SERVER01                     PASS WARN FAIL FAIL PASS PASS n/a

         ......................... <DOMAINNAME>.local failed test DNS
0
arnoldCommented:
Make sure your DNS entries do not refer to external servers.
Your DNS does not have entries in the reverse 192.168.254 zone defining 254 in PTR dc2.yourdomain.local.

Same applies to the reverse 127.0.0 zone.
In newer systems, the name server records (DNS) should not use 127.0.0.1; it should only have LAN IP, 192.168.254.254

This is why it seems the test leaves your DNS exploring external root servers for records about your domain.
Confirm your DNS server has yourdomain.local and _msdcs.yourdomain.local forward AD integrated zones.


After the bare metal, did you restore systemstate?
0
Fiona CheesemanAuthor Commented:
Thanks Arnold,

No, I did not restore system state. I agree about the 127.0.0.1. I have inherited this system. I would not use that, only the 192.168.254.10 which is the only DC. I still don't know how long it should take and if this is relevant to the time taken in rebuilding the SYSVOL. I also notice that BurFlags is 0. I don't want to stop anything in case it starts from the beginning. I am 72 hours in.

I'll see if I can implement your changes. I have been going through the DNS server screen and have removed the old server where I can find it.
0
arnoldCommented:
Since you only restored one DC, and performed the metadata cleanup, there is nothing that should delay. The issue with sysvol not being shared is likely a journal type of error in the event log, and the error should include how to correct it.  The d2/d4 burflags .... Repair, it should take 10-15 minutes.

Remove the 127.0.0.1 from the name server list leaving only the 192.168.254.20
In DNS, check the SOA record on the domain, _msdtc.

Check whether c:\windows\system32\sysvol exists, within there should be sysvol, domain ......

The files, gpos should be there.
0
Fiona CheesemanAuthor Commented:
Thanks Arnold, I feel you are sending me in the right direction.

I have removed all the 127.0.0.1 accounts and done some other DNS stuff including changing the CNAME and other settings to remove the old server.

I have run dcdiag /test:sysvolcheck and it says it's there.
Running /test netlogons fails with error 67.

Nothing on net share. Do I reboot and risk restarting the 72 hour rebuild process which is the last message in the FRS event log?

My DNS tests pass but obviously can't access the external servers.
0
arnoldCommented:
Look in the %windir%\system32\sysvol, do you have files here?
The GPOs and scripts exist in both the file system and referenced in AD; they are not recreated from AD.

Use the d2 burflags fix, deals with issue if jrnl error exists in the event log.

The burflags registry fix needs only the restart of the service.

The existence of the files will get the shares reset up once it passes the fix.

https://support.microsoft.com/en-us/help/290762/using-the-burflags-registry-key-to-reinitialize-file-replication-servi

Oh, not sure in what context error 67 shows up
1

arnoldCommented:
Reread your post, I think to verify that the file structure in c:\windows\system32\sysvol contains sysvol\addomain\.........
This is where the sysvol and there-in is the netlogon shares are

https://social.technet.microsoft.com/Forums/en-US/c1d59f4f-9e4d-4390-b069-6215c65674d8/netlogon-share-does-not-exist-and-dcdiag-failed-test-quotnetlogonsquot-67
0
Fiona CheesemanAuthor Commented:
This is the tree from sysvol;
Folder PATH listing
Volume serial number is AA66-D7EA
C:.
domain
│  NtFrs_PreExisting___See_EventLog
│       ClientAgent
│       │   machine
│       │    user
│       Policies
│       │   {157C2D89-BC20-4599-86B3-1A9124BEA368}
│       │   │   Machine
│       │   │    User
│       │   {31B2F340-016D-11D2-945F-00C04FB984F9}
│       │   │   MACHINE
│       │   │   │    Microsoft
│       │   │   │        Windows NT
│       │   │   │            SecEdit
│       │   │    USER
│       │   {32F5006B-8FA4-4CF2-B2A8-19C562C7DE43}
│       │   │   Machine
│       │   │   │   Microsoft
│       │   │   │   │    Windows NT
│       │   │   │   │        SecEdit
│       │   │   │    Scripts
│       │   │   │       Shutdown
│       │   │   │        Startup
│       │   │    User
│       │   {571A7E64-9E8C-4688-8271-B63A2B032CD8}
│       │   │   Machine
│       │   │    User
│       │   {6AC1786C-016F-11D2-945F-00C04fB984F9}
│       │   │   MACHINE
│       │   │   │    Microsoft
│       │   │   │        Windows NT
│       │   │   │            SecEdit
│       │   │    USER
│       │   {9101A509-BF30-4193-94FF-B3BAF888369E}
│       │   │   Machine
│       │   │    User
│       │   {B7664CE7-F589-4F5F-BA41-A4CB005D96DA}
│       │   │   Machine
│       │   │   │    SBS
│       │   │    User
│       │   │        SBS
│       │   {BAB1A7AD-2FD7-4F2E-B70A-A8BEBF4E4DCB}
│       │   │   Machine
│       │   │   │    Scripts
│       │   │    User
│       │   {CDDBEBAA-93AC-4325-9F25-93D67207F5E5}
│       │   │   Machine
│       │   │   │    SBS
│       │   │    User
│       │   │       MICROSOFT
│       │   │       │    IEAK
│       │   │       │       BRANDING
│       │   │       │       │    favs
│       │   │       │        LOCK
│       │   │        SBS
│       │   {E2457517-4375-4CA9-9C83-5E6271490AED}
│       │   │   Machine
│       │   │    User
│       │   │        Documents & Settings
│       │   {E725B43E-EAF3-443E-97A6-9AA08CDF8499}
│       │   │   Machine
│       │   │  User
│       │   {F1ED6FDE-1967-47EC-BE6C-E72D371D07E0}
│       │   │   Machine
│       │   │  User
│       │    {F3E7E05D-88FA-41B5-85EE-DE7A5374B9D3}
│       │       Machine
│       │       User
│       │          Preferences
│       │               Drives
│       scripts
├───staging
├───staging areas
│    jodal2.local
 sysvol
     jodal2.local
         NtFrs_PreExisting___See_EventLog
            ClientAgent
            │   machine
            │    user
            Policies
            │   {157C2D89-BC20-4599-86B3-1A9124BEA368}
            │   │   Machine
            │   │    User
            │   {31B2F340-016D-11D2-945F-00C04FB984F9}
            │   │   MACHINE
            │   │   │    Microsoft
            │   │   │        Windows NT
            │   │   │            SecEdit
            │   │    USER
            │   {32F5006B-8FA4-4CF2-B2A8-19C562C7DE43}
            │   │   Machine
            │   │   │   Microsoft
            │   │   │   │    Windows NT
            │   │   │   │        SecEdit
            │   │   │    Scripts
            │   │   │       Shutdown
            │   │   │        Startup
            │   │    User
            │   {571A7E64-9E8C-4688-8271-B63A2B032CD8}
            │   │   Machine
            │   │    User
            │   {6AC1786C-016F-11D2-945F-00C04fB984F9}
            │   │   MACHINE
            │   │   │    Microsoft
            │   │   │        Windows NT
            │   │   │            SecEdit
            │   │    USER
            │   {9101A509-BF30-4193-94FF-B3BAF888369E}
            │   │   Machine
            │   │    User
            │   {B7664CE7-F589-4F5F-BA41-A4CB005D96DA}
            │   │   Machine
            │   │   │    SBS
            │   │    User
            │   │        SBS
            │   {BAB1A7AD-2FD7-4F2E-B70A-A8BEBF4E4DCB}
            │   │   Machine
            │   │   │    Scripts
            │   │    User
            │   {CDDBEBAA-93AC-4325-9F25-93D67207F5E5}
            │   │   Machine
            │   │   │    SBS
            │   │    User
            │   │       MICROSOFT
            │   │       │    IEAK
            │   │       │       BRANDING
            │   │       │       │    favs
            │   │       │        LOCK
            │   │        SBS
            │   {E2457517-4375-4CA9-9C83-5E6271490AED}
            │   │   Machine
            │   │    User
            │   │        Documents & Settings
            │   {E725B43E-EAF3-443E-97A6-9AA08CDF8499}
            │   │   Machine
            │   │    User
            │   {F1ED6FDE-1967-47EC-BE6C-E72D371D07E0}
            │   │   Machine
            │   │    User
            │    {F3E7E05D-88FA-41B5-85EE-DE7A5374B9D3}
            │       Machine
            │        User
            │            Preferences
            │                Drives
             scripts
0
arnoldCommented:
Since you only have one DC, copy the entries from the pre-existing location out

The pre-existing is the result of a replication setup where the other system was the base reference.
0
Fiona CheesemanAuthor Commented:
I think the SYSVOL is all over the place. I have read the burflags posts everywhere but I didn't want to stop the service. I have done that now according to the article. So we will see what happens. I don't hold out much hope as the SYSVOL, NETLOGON and GC are not working.
0
arnoldCommented:
Use ad sites and services ntds to make sure it reflects the dome DC and has GC checked.

You need to copy out the data from the pre-existing; the structure has to be within sysvol.

Your issue is that the ntfrs when being set up referenced an empty sysvol, thus everything that existed on this system was moved to the pre-existing ....
0
Fiona CheesemanAuthor Commented:
I have left the entries there before doing the burflag, shall I stop and delete them or leave them there?
0
Fiona CheesemanAuthor Commented:
Can't get into AD Sites and Services.
0
arnoldCommented:
Not sure which entries you are talking about, but deleting would not be a good idea.
0
arnoldCommented:
What happens, do you get an error?

After copying out data in the sysvol, repeat an autho ..(just making clear you still only have a single DC on which you are working)

D2 :D4 deal with whether you are using ......an authoritative ........
0
Fiona CheesemanAuthor Commented:
I stopped the service, moved as many files as I could and restarted. It wouldn't try replicating so I moved them back and started again.
0
Fiona CheesemanAuthor Commented:
Hi Arnold - a recap

It is plugged into a switch without any other devices connected.
It's a single DC on which I seized the FSMO and used a metadata cleanup to remove the old server.
I have removed all references in the DNS to the old server.
The server has one NIC configured with 192.168.254.10 for the DNS (its own IP).
DCDIAG TEST DNS passes except forwarding, as it's on its own and can't resolve the IPs as they are external.
I am doing a D4 rebuild as we type.

Thanks
0
arnoldCommented:
Files should not be moved, but copied. Out of every pre-existing
Burflags authoritative needs to be performed on this system that should reset/reinitialize and share the sysvol and netlogon shares.

Please address whether you are still operating with a single DC.
Check application/system event log that deals with what is preventing the sharing of the netlogon; it will tell you what the remedy is.
0
Fiona CheesemanAuthor Commented:
Yes, it's a single DC. The old DC is available but as it's infected with ransomware I don't want to go near it unless I have to.
0
arnoldCommented:
presumably the other DC is off the network.

what was the result of running the D4 burflags after the data from pre-existing staging copied out?
what about events in the event log dealing with netlogon??
0
Fiona CheesemanAuthor Commented:
Hi Arnold
I did a reboot and then checked. It says the same as it did before. I started it at 18:52 and it's now 20:52 UK time.
The last entry in the event viewer says :

File Replication Service is scanning the data in the system volume. Computer SERVER01 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

To check for the SYSVOL share, at the command prompt, type:
net share

When File Replication Service completes the scanning process, the SYSVOL share will appear.

The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume.
0
arnoldCommented:
It should not take this long, the D4 burflags fix should reset/reinitialize the database.
Based on your post, the number of files do not seem to be large.

Please confirm that you do not have a jrnl related error preventing the ........
0
Fiona CheesemanAuthor Commented:
303766 files

jrnl related error preventing the ........  tell me more?
0
arnoldCommented:
there shouldn't be that many files in the sysvol though if you copied the pre-existing it's half. But still too many files commonly.
See whether some of the files are in the staging area trying to replicate in/out......

Sysvol, gpos and scripts.


The D4 burflags deals with journal wrap error that prevents the ....

Try the following, search using advanced within the sysvol for files larger than 100k

Since your DC was compromised. Make sure there are no large files.


Potentially being more selective when copying gpo's
Some scripts


Is your environment physical servers or VMs?


Dealing whether a setup if a brand new second DC, joined, have its sysvol populated with gpos scripts and resetting it using D4 burflags, while ntfrs shutoff on the current DC. Having it assert primary role at which point you should have a functional DC.
Or use the new system with authoritative systemstate restore while off network to see if you can get a functional DC running.


The jrnl wrap error deals with reinitializing the db .........
But if you do not have this error.

Another option is to move everything out of the sysvol,
To get it shared, then copy gpos, scripts back.

In.

You've been at this for some time........
Restoring files from backup ...
0
Fiona CheesemanAuthor Commented:
The actual answer is ten minutes and set the Burflag to D4.

As it said it may take time, I assumed "Microsoft minutes" and let it run for 72 hours each time; when the right flag was set in the right place it took 10 minutes.

There were other issues with the GP, DNS and that the old server was still stuck in other places, plus I set the D4 flag in a backup part of the registry so it didn't work until I put it in the right area.
0
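A read-only check for the points this thread turned on (where BurFlags is actually set, whether SYSVOL and NETLOGON are shared, the NtFrs_PreExisting folder, the file count and files over 100k), as an added example that is not part of any post above. It assumes FRS replication and the default layout with the replica root at %SystemRoot%\SYSVOL\domain; the function names are hypothetical.

```powershell
# Added example: read-only triage of an FRS-replicated SYSVOL that will not share.
# Run in an elevated Windows PowerShell session on the domain controller.
# Function names are hypothetical; nothing here writes to the registry or disk.

$HKLM      = [Microsoft.Win32.Registry]::LocalMachine
$FrsSubKey = 'Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Get-BurFlagsLocation {
    # "Backup/Restore" is one key name containing a forward slash. The
    # PowerShell registry provider treats "/" as a path separator, so the
    # key is opened through the .NET registry API instead of Get-ItemProperty.
    $system  = $HKLM.OpenSubKey('SYSTEM')
    $current = $system.OpenSubKey('Select').GetValue('Current')
    $liveSet = 'ControlSet{0:D3}' -f $current

    foreach ($set in $system.GetSubKeyNames()) {
        if ($set -notmatch '^(CurrentControlSet|ControlSet\d{3})$') { continue }
        $key = $system.OpenSubKey("$set\$FrsSubKey")
        if ($null -eq $key) { continue }

        $value = $key.GetValue('BurFlags')
        $text  = '<not set>'
        if ($null -ne $value) { $text = '0x{0:X}' -f $value }

        New-Object PSObject -Property @{
            ControlSet = $set
            # CurrentControlSet is an alias of the control set named in
            # SYSTEM\Select\Current; a value set in any other control set
            # is not seen by the running service.
            IsLive     = ($set -eq 'CurrentControlSet' -or $set -eq $liveSet)
            BurFlags   = $text
        }
    }
}

function Get-SysvolShareState {
    # Win32_Share reports the same shares that "net share" lists.
    $names = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name })
    $nl    = $HKLM.OpenSubKey('SYSTEM\CurrentControlSet\Services\Netlogon\Parameters')

    New-Object PSObject -Property @{
        SysvolShared   = ($names -contains 'SYSVOL')
        NetlogonShared = ($names -contains 'NETLOGON')
        SysvolReady    = $nl.GetValue('SysvolReady')   # 1 once SYSVOL is ready to share
        SysvolPath     = $nl.GetValue('SysVol')
    }
}

function Get-SysvolContentSummary {
    # Assumption: default layout, where <SYSVOL>\sysvol\<domain> is a junction
    # to this folder, so scanning it once avoids counting every file twice.
    param([string]$DomainRoot = (Join-Path $env:SystemRoot 'SYSVOL\domain'))

    $items = @(Get-ChildItem -Path $DomainRoot -Recurse -Force -ErrorAction SilentlyContinue)
    $files = @($items | Where-Object { -not $_.PSIsContainer })
    $pre   = @($items | Where-Object {
                 $_.PSIsContainer -and $_.Name -eq 'NtFrs_PreExisting___See_EventLog' })

    New-Object PSObject -Property @{
        DomainRoot         = $DomainRoot
        FileCount          = $files.Count
        # Content FRS moved aside when it initialised the replica set.
        PreExistingFolders = @($pre | ForEach-Object { $_.FullName })
        # GPOs and logon scripts are normally small; list anything over 100 KB
        # for review on a server restored after a compromise.
        LargeFiles         = @($files | Where-Object { $_.Length -gt 100KB } |
                                 ForEach-Object { $_.FullName })
    }
}

Get-BurFlagsLocation | Sort-Object ControlSet |
    Format-Table ControlSet, IsLive, BurFlags -AutoSize
Get-SysvolShareState     | Format-List
Get-SysvolContentSummary | Format-List
```

A BurFlags value that shows D2 or D4 only on a row where IsLive is False has been set in a control set the running service does not read.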