Robert Battaglia

Sysvol Replication Issue

Hello,

I am having an issue while migrating an SBS 2011 server to Server 2016.  Everything is fine except I can't get sysvol to replicate and I seem to be locked out of the GP modules - says I don't have access to modify them.  I think that the sysvol issue is causing this all to happen.  I can see both of my DCs in sites and services.  I can ping both from each other and see the shares from one to the other.  AD Users and Computers has replicated properly and I have moved all five roles to the new server with no errors.  If I run Dcdiag /e /test:sysvolcheck /test:advertising the new server will fail test advertising but everything else passes.  If I open DFS manager on the new server I don't see any replications and if I create one manually it will not replicate properly.  I also noticed that I can't add roles for things like Remote Access (VPN) I think because without the sysvol replication I am not being seen as a "real" administrator on the new server even though I am listed as one in AD Users and Computers.  I have also run the AD Replication Status Tool and it did not bring back any errors on either DC.  Not sure what other information to list.  Any suggestions would be great.  Both servers are still running and I can't demote the old one until I get this figured out.  When I ran this in my test environment I did not have any issues migrating from SBS 2011 to Server 2016.

Regards,

Rob
Mahesh

Can you run the net share command on the 2016 DC and check if Sysvol and netlogon are shared?
Robert Battaglia

ASKER

I don't see them shared on the new 2016 DC.
They are still being shared on the old SBS  2011 dc.
And on SBS, are they shared?
Can you check if Sysvol is running with FRS or DFSR?

Run the below command on 2016:
dfsrmig /getglobalstate

What does it say?
Attempt a Sysvol authoritative restore (D4) on the SBS DC and then attempt a Sysvol non-authoritative restore (D2) on the 2016 DC.

It should resolve your issue.
Unable to create DFSR Migration log file.  Error 5.  
Current DFSR global state: 'Start'
Succeeded.

Does that mean that the old server is still running the old FRS and I have not migrated it to DFSR?
Look for errors in both the File Replication Service and DFS Replication event logs on the SBS server. (I think SBS 2011 replicates SYSVOL via DFSR, since it's based on 2008 R2, but if it was a migration from an older version...)
ASKER CERTIFIED SOLUTION
Mahesh
This solution is only available to members.
It was a swing migration a few years back from Server 2003 (SBS).
Probably still FRS, then, unless you migrated to DFSR at some point. What's in the FRS event log on the SBS server?
So on SBS I change the registry key to D4 and on Server 2016 I change the key to D2?
SOLUTION
This solution is only available to members.
Transfer FSMO on SBS before you attempt recovery. I forgot you did that in advance; wrong practice.
Only error in the past few months from DFS on SBS is the following.  All others are information telling me that all is okay and that it is replicating.

The DFS Replication service failed to contact domain controller  to access configuration information. The service will continue to replicate using previously downloaded configuration and will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
When you say transfer fsmo on SBS - you want me to transfer the roles back to the SBS server?  I thought that the first step was to transfer the roles to the new server after making it a DC.  I have always transferred roles to the new server after it has been promoted.
Before ensuring that the DC is promoted correctly, you should not transfer roles. Sysvol and netlogon are key shares in AD, and without those shares users cannot log on to workstations.
So I need to transfer all five roles back to SBS server then run the restore?
I have never done that when moving from a regular Server 2008 to Server 2016.  In fact I did one a month ago and all users were able to login with no problems.  I transferred the roles first and sysvol replicated with no problems.  Is this an SBS issue?
I still think a quick look at the FRS event log on the SBS server would be useful. It's probably just a journal wrap (because FRS), in which case the D4 will fix it...but it won't hurt to know for sure.
FRS event log shows only one warning today and all others are informational - server started, connected to wmi, wrote to log file, etc.  The only warning was posted above and was from 11:11 am today.
You may leave FSMO as is and attempt recovery on both servers.
Ideally, the point here is that you will have to attempt D4 on SBS and it should have the PDC role for that, but you can proceed with whatever you currently have.
Okay, I will try that and update you on what happens.  I will leave the roles as is and change SBS to D4 and 2016 to D2.
I am assuming that this will not break anything - just won't let replication occur if it does not work.
In some cases you don't find a journal wrap event, but the directory service refuses to replicate Sysvol as it considers it 'not suitable for replication' at the source. In that case you need to attempt D4 on the source; you don't have a choice apart from that.
Make sure you stop the ntfrs service on both DCs before attempting recovery, else you may find unpredictable results.
Will do.  Thanks for your input!
Okay that worked and I can now see the sysvol and netlogon shares.  But if I try to add a script to the sysvol folder on the new server I get access denied.  I am logged in as a domain admin on the new server so not sure why that is happening.
Now I don't have the exact MS article.

However, you can use the below article to restore default sysvol folder permissions.
Check Step 11 under
Recovery Procedure - DFSR SYSVOL
If the sysvol structure is broken, restore that as well if required with the same step.

https://www.experts-exchange.com/articles/33363/Active-Directory-System-State-Recovery-with-Sysvol-Authoritative-Restore-Authsysvol-switch-Explained.html
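
The D4/D2 FRS recovery agreed on earlier in this thread, written out as an added PowerShell example that is not part of any participant's post. It stops ntfrs before touching BurFlags, as advised above, and then checks for the SYSVOL and NETLOGON shares. Assumptions: the function names are hypothetical, and the registry path is the standard FRS BurFlags location, which the thread itself does not quote.

```powershell
# Added example; function names are hypothetical. Run elevated on each DC.
# Standard FRS BurFlags location (assumption: not quoted in the thread).
$BurFlagsKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Set-FrsBurFlags {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('D2', 'D4')]
        [string]$Mode
    )
    $value = [Convert]::ToInt32($Mode, 16)   # D2 -> 0xD2, D4 -> 0xD4

    # Stop FRS before changing the flag, as advised in the thread.
    Stop-Service -Name NtFrs -Force

    # The key name "Backup/Restore" contains a forward slash, which the
    # PowerShell registry provider treats as a path separator. Opening the
    # key through .NET avoids writing to the wrong (non-existent) path.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($BurFlagsKey, $true)
    if ($null -eq $key) { throw "BurFlags key not found: HKLM\$BurFlagsKey" }
    try {
        $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    }
    finally {
        $key.Close()
    }

    # FRS reads BurFlags when the service starts.
    Start-Service -Name NtFrs
}

function Test-SysvolShared {
    # Scripted form of checking `net share`; Win32_Share is available on
    # both SBS 2011 (2008 R2) and Server 2016.
    $names = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name })
    $missing = @('SYSVOL', 'NETLOGON' | Where-Object { $names -notcontains $_ })
    if ($missing.Count -gt 0) {
        Write-Warning "Not shared yet: $($missing -join ', ')"
    }
    return ($missing.Count -eq 0)
}

# On the SBS 2011 DC (authoritative source):  Set-FrsBurFlags -Mode D4
# Afterwards, on the 2016 DC:                 Set-FrsBurFlags -Mode D2
# Then, on each DC:                           Test-SysvolShared
```

D4 belongs on one DC only, the one whose SYSVOL contents are to be kept; every other DC gets D2.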
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Split:
-- 'Mahesh' (https:#a42773069)
-- 'Mahesh' (https:#a42773073)


If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

seth2740
Experts-Exchange Cleanup Volunteer