New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc


  • New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

    I can't replace my old unhealthy DC with my new healthy DC. When I try, SYSVOL does not replicate. The event log tells me that replication cannot find the domain, but I don't understand why, because I can ping the domain and the DCs, and all users can log on and retrieve GP settings.
    I tried deleting the old DC once before I realized the new DC I had promoted wasn't sharing SYSVOL. Now my network is a mess. Because I tried to delete the old DC before its replacement was fully operational, DNS got screwed up. I tried to manually rebuild DNS from an MS KB article, but as you'll see from the dcdiag output, there must still be more to do. Please, any help. I am going crazy.

    Please see DCDIAG /V /C /E attached
    Attached Files

  • #2
    Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

    I assume the DNS is running on the old broken DC?

    Primary zone?

    If you logon to it can you see the proper srv records etc?
    VCP on vSphere (4), MCITP:EA/DBA, MCTS:Blahblah



    • #3
      Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

      It's a little late now, but the golden rule is to ensure your domain environment is healthy before adding/removing domain controllers. This means ensuring replication is working properly. Adding a "fresh new" DC to rescue the situation because your old DC is fubar will only compound the problem.

      Time for you to dig out the replication monitor utility (on the Server 2003 CD, tools folder) to look under the hood and see what the problem is. I've got a KB article or two from Microsoft that are real good at walking one through replication issues. If you get stuck, let me know and I'll dig up the KB article for you.

      I would also check Active Directory Sites and Services and make sure the KCC has accurately set up replication partners between all DCs.

      Jas
      VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+
      boche.net - VMware Virtualization Evangelist
      My advice has no warranties. Follow at your own risk.



      • #4
        Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

        Originally posted by gepeto
        I assume the DNS is running on the old broken DC?

        Primary zone?

        If you logon to it can you see the proper srv records etc?
        DNS is running on the broken DC.
        I can see the SRV records. When the new computer was promoted, it added all its DNS records, and the broken DC's records matched. That's one reason I feel comfortable that I was able to rebuild the DNS for the broken computer OK.

        Primary Zone?


        Originally posted by jasonboche
        It's a little late now, but the golden rule is to ensure your domain environment is healthy before adding/removing domain controllers. This means ensuring replication is working properly. Adding a "fresh new" DC to rescue the situation because your old DC is fubar will only compound the problem.

        Time for you to dig out the replication monitor utility (on the Server 2003 CD, tools folder) to look under the hood and see what the problem is. I've got a KB article or two from Microsoft that are real good at walking one through replication issues. If you get stuck, let me know and I'll dig up the KB article for you.

        I would also check Active Directory Sites and Services and make sure the KCC has accurately set up replication partners between all DCs.

        Jas
        Sites and Services replication partners were OK when I had two DCs (I un-promoted the new computer until I get this solved).

        I will dig up that monitor....



        • #5
          Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

          Is the DC configured to work with the correct DNS server (IP in the network configuration)? If that DC is also a DNS holder, then configuring it to point to itself is fine.
          Could you do a few things please?
          1) post all the errors in the File Replication Service event log from both DCs
          2) run FRSDiag on both DCs and post the results.
          3) go to ADUC, go to View -> click on Advanced, then go to "System" -> File Replication Service -> Sysvol, and see if both DCs (GUIDs) are there; it might be that FRS lost the partnership from the DS for that DC.
          4) go to the DCs' windows\debug and post all the FRS log files (there are 5 files by default).

          After you post all of those I might be able to find the reason behind it.

          Even if your SYSVOL is a mess and you have a System State backup of one of the DCs (I don't care from when), we could fix your SYSVOL
          data without a big problem. I am not going to go into it now, but it's possible - no big deal.
          Last edited by Akila; 14th July 2008, 22:52.

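Added example, not part of the thread: a PowerShell script that collects the evidence items 1, 3 and 4 from the post above in one pass (FRSDiag itself is a separate tool and is not wrapped here). The DC names OLDDC and NEWDC, the output folder and the assumption that the script runs as a Domain Admin with RPC and SMB access to both DCs are my own; the AD object names (the "Domain System Volume (SYSVOL share)" replica set under CN=File Replication Service and the NTFRS Subscriptions container under each computer object) are the real ones FRS uses.

```powershell
# Added example (editor's code, not from the thread): gather the FRS evidence asked for above.
# Assumptions: 'OLDDC' and 'NEWDC' are placeholders for the real DC names, the script runs as a
# Domain Admin that can reach both DCs over RPC/SMB, and the FRS debug logs live in %windir%\debug.
$dcs      = 'OLDDC', 'NEWDC'
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
$out      = Join-Path $env:TEMP 'frs-evidence'
New-Item -ItemType Directory -Path $out -Force | Out-Null

foreach ($dc in $dcs) {
    # 1) Errors and warnings from the File Replication Service log. 13508 (cannot contact a
    #    partner) and 13568 (journal wrap) are the classic ones; an informational 13516 means
    #    the DC actually shared SYSVOL.
    Get-EventLog -ComputerName $dc -LogName 'File Replication Service' -EntryType Error, Warning -Newest 200 -ErrorAction SilentlyContinue |
        Select-Object TimeGenerated, EventID, EntryType, Message |
        Export-Csv -NoTypeInformation -Path (Join-Path $out "$dc-frs-events.csv")

    # 4) Copy the NtFrs_*.log files from windows\debug through the admin share.
    $dbg = Join-Path $out "$dc-debug"
    New-Item -ItemType Directory -Path $dbg -Force | Out-Null
    Copy-Item -Path "\\$dc\admin$\debug\NtFrs_*.log" -Destination $dbg -Force -ErrorAction SilentlyContinue
}

# 3) The replica set shown in ADUC under System -> File Replication Service. Every DC must have
#    an nTFRSMember here whose frsComputerReference is its computer object and whose
#    serverReference is its NTDS Settings object; a DC with no member object never joins
#    SYSVOL replication, and a member without a matching subscriber has no on-disk root path.
$replicaSet = [ADSI]"LDAP://CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"
$members = foreach ($m in $replicaSet.Children) {
    if ($m.SchemaClassName -ne 'nTFRSMember') { continue }
    $computerDn = [string]$m.Properties['frsComputerReference'].Value
    $subPath    = "LDAP://CN=Domain System Volume (SYSVOL share),CN=NTFRS Subscriptions,$computerDn"
    $rootPath   = '<no subscriber object>'
    $staging    = ''
    if ([System.DirectoryServices.DirectoryEntry]::Exists($subPath)) {
        $sub      = [ADSI]$subPath
        $rootPath = [string]$sub.Properties['fRSRootPath'].Value
        $staging  = [string]$sub.Properties['fRSStagingPath'].Value
    }
    [pscustomobject]@{
        Member      = [string]$m.Properties['cn'].Value
        Computer    = $computerDn
        NtdsServer  = [string]$m.Properties['serverReference'].Value
        RootPath    = $rootPath
        StagingPath = $staging
    }
}
$members | Format-Table -AutoSize
$members | Export-Csv -NoTypeInformation -Path (Join-Path $out 'sysvol-replica-set.csv')

# Flag any DC that is not in the replica set at all.
foreach ($dc in $dcs) {
    if (-not ($members | Where-Object { $_.Member -eq $dc })) {
        Write-Warning "$dc has no nTFRSMember object in the SYSVOL replica set"
    }
}
"Evidence written to $out"
```

The replica-set table is the part worth reading first: a DC whose member object is missing, or whose subscriber has a wrong fRSRootPath, will show exactly the symptom in this thread (AD replicates, SYSVOL never appears) with no error in the FRS log.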


          • #6
            Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

            Originally posted by Akila
            Is the DC configured to work with the correct DNS server (IP in the network configuration)? If that DC is also a DNS holder, then configuring it to point to itself is fine.
            Could you do a few things please?
            Sure, i'll do my best.
            Thank you for your help.

            Originally posted by Akila
            1) post all the errors in the File Replication Service event log from both DCs
            There are no errors in either log, a couple of warnings.

            However, I found it interesting that there is an information event on the new DC that says the replication connection was successful.

            On the old DC, it seems there are no events for replication

            Originally posted by Akila
            2) run FRSDiag on both DCs and post the results.
            I will attach two txt files: frsdiag-newdc.txt and frsdiag-olddc.txt

            Originally posted by Akila
            3) go to ADUC, go to View -> click on Advanced, then go to "System" -> File
            Replication Service -> Sysvol, and see if both DCs (GUIDs) are there; it might be that FRS lost the partnership from the DS for that DC.
            I looked here and both DCs are listed (by their NetBIOS computer name, not by GUID).

            Note: In my efforts I actually created this DC object for the old DC in the location you are referring to. I did this while following this MS KB article: 312862
            The new DC object that I see now was not created by me, however. It must have been created automatically by dcpromo.

            Originally posted by Akila
            4) go to the DCs' windows\debug and post all the FRS log files (there are 5 files by default).
            I will post them in two zip files, labelled olddc and newdc.

            Originally posted by Akila
            After you post all of those I might be able to find the reason behind it.

            Even if your SYSVOL is a mess and you have a System State backup of one of the DCs (I don't care from when), we could fix your SYSVOL
            data without a big problem. I am not going to go into it now, but it's possible - no big deal.
            "- no big deal" has been the most comforting thing i've read these past few weeks. I appreciate your help. Thanks.

            -Ryan
            Attached Files



            • #7
              Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

              After a brief look over the log files it seems you have a DNS issue rather than an FRS issue.
              Could you please make sure that all DNS configurations on the DCs are configured to work with the correct DNS server?

              Start running tests on each DC using nslookup; try to resolve DCs/DOMAIN/etc.
              Try to ping the glue record of every DC from all DCs and see (e.g. ping c83cb93d-7687-4942-bab7-2aa9f988cebd._msdcs.mydomain.com). You can find the CNAME under DNS -> _msdcs -> double-click on the GUID record and see the full record name there. As I posted in the example, the CNAME record needs to match the DC's A record as far as IP, etc.

              Please run the following command on both DCs after you have made sure that the DNS configuration on the DCs is as it should be.

              "nltest /dsregdns"

              If that doesn't help, then please cross the DCs' DNS configuration (in the TCP/IP settings) to work with the other server,
              then run the command again.

              E.g. if DC1 points to its own DNS server and DC2 has the same configuration to work with itself, then cross them, i.e. DC1 should be configured to work with DC2's DNS and DC2 should work with DC1's DNS service; then run the command again and see.
              Last edited by Akila; 16th July 2008, 14:39.

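Added example, not part of the thread: the DNS checks from the post above, scripted so they are run against each DC's DNS server in turn rather than against whatever the local resolver happens to use. The domain name, the DC names and the use of Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 or later) are my assumptions; the record names (_ldap._tcp.dc._msdcs and the <DSA-GUID>._msdcs CNAME) and the nltest switches are the real ones.

```powershell
# Added example (editor's code, not from the thread): verify the DC locator records on each DC.
# Assumptions: 'mydomain.com', 'OLDDC' and 'NEWDC' are placeholders; Resolve-DnsName requires the
# DnsClient module (Windows 8 / Server 2012 or later); the script runs as a Domain Admin.
$domain   = 'mydomain.com'
$dcs      = 'OLDDC', 'NEWDC'
$configDn = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext

function Get-DsaGuid([string]$dcName) {
    # The GUID in the _msdcs CNAME is the objectGUID of the DC's NTDS Settings object,
    # not the GUID of its computer account.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://CN=Sites,$configDn"
    $s.Filter     = "(&(objectClass=server)(cn=$dcName))"
    $server = $s.FindOne()
    if (-not $server) { throw "no server object for $dcName under CN=Sites" }
    $ntds  = [ADSI]"LDAP://CN=NTDS Settings,$($server.Properties['distinguishedname'][0])"
    $bytes = [byte[]]$ntds.Properties['objectGUID'].Value
    return (New-Object Guid -ArgumentList @(,$bytes)).ToString()
}

$problems = 0
foreach ($dnsServer in $dcs) {
    "== records as served by $dnsServer =="
    # The SRV records a client uses to find a DC for the domain. "Replication cannot find the
    # domain" usually means these are missing here or point at a DC that does not answer.
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -Server $dnsServer -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { "  no _ldap._tcp.dc._msdcs SRV records"; $problems++ }
    foreach ($r in $srv) { "  SRV -> $($r.NameTarget):$($r.Port)" }

    foreach ($dc in $dcs) {
        $fqdn  = "$dc.$domain"
        $guid  = Get-DsaGuid $dc
        $cname = Resolve-DnsName -Name "$guid._msdcs.$domain" -Type CNAME -Server $dnsServer -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
        $a     = Resolve-DnsName -Name $fqdn -Type A -Server $dnsServer -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' } | Select-Object -First 1
        if (-not $cname) { "  $dc : CNAME $guid._msdcs.$domain missing"; $problems++; continue }
        if ($cname.NameHost -ne $fqdn) { "  $dc : CNAME points at $($cname.NameHost), expected $fqdn"; $problems++ }
        if (-not $a) { "  $dc : no A record for $fqdn"; $problems++; continue }
        if (-not (Test-Connection -ComputerName $a.IPAddress -Count 1 -Quiet)) { "  $dc : $($a.IPAddress) does not answer ping"; $problems++ }
        "  $dc : $guid -> $($cname.NameHost) -> $($a.IPAddress)"
    }
}

# Re-register each DC's own records, then ask that DC's locator to find a DC for the domain.
# A DC that reports ERROR_NO_LOGON_SERVERS (1311) here is resolving against a DNS server that
# does not hold, or cannot reach, the domain's _msdcs records.
foreach ($dc in $dcs) {
    "== nltest on $dc =="
    nltest "/server:$dc" /dsregdns
    nltest "/server:$dc" "/dsgetdc:$domain" /force
}
"DNS problems found: $problems"
```

Running the same lookups once per DNS server is the point: two DCs can both "resolve the domain" while holding different copies of the zone, and the mismatch only shows when you compare what each server answers.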


              • #8
                Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

                Originally posted by Akila
                After a brief look over the log files it seems you have a DNS issue rather than an FRS issue.
                Could you please make sure that all DNS configurations on the DCs are configured to work with the correct DNS server?

                Start running tests on each DC using nslookup; try to resolve DCs/DOMAIN/etc.
                When the new DC is pointing to itself, nslookup succeeds with server=localhost;
                however, the old DC always reports server=unknown,
                and when the new DC is pointing to the other DNS server then nslookup also reports server=unknown.

                Originally posted by Akila
                Try to ping the glue record of every DC from all DCs and see (e.g. ping c83cb93d-7687-4942-bab7-2aa9f988cebd._msdcs.mydomain.com). You can find the CNAME under DNS -> _msdcs -> double-click on the GUID record and see the full record name there. As I posted in the example, the CNAME record needs to match the DC's A record as far as IP, etc.
                Both DCs are able to resolve and ping using the glue record. I've confirmed that both CNAME records for the glue record exist and both match their respective A records (i.e., the CNAME is pointing to the A record, which is pointing to the correct IP).

                Originally posted by Akila
                Please run the following command on both DCs after you have made sure that the DNS configuration on the DCs is as it should be.

                "nltest /dsregdns"
                Even when I changed the connection settings so DNS is cross-pointing to each other, I received the same result. The new DC has an error, and the old DC shows success.

                OLD DC
                Flags: 0
                Connection Status = 0 0x0 NERR_Success
                The command completed successfully

                NEW DC
                Flags: 0
                Connection Status = 1311 0x51f ERROR_NO_LOGON_SERVERS
                The command completed successfully

                Originally posted by Akila
                If that doesn't help, then please cross the DCs' DNS configuration (in the TCP/IP settings) to work with the other server,
                then run the command again.

                E.g. if DC1 points to its own DNS server and DC2 has the same configuration to work with itself, then cross them, i.e. DC1 should be configured to work with DC2's DNS and DC2 should work with DC1's DNS service; then run the command again and see.
                I did this, and it had no effect that I noticed. Should I leave them crossed, or put them back to pointing at themselves?



                • #9
                  Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

                  There is no single, correct way to configure where DCs point for DNS. As long as name resolution is fast, correct, and uses as little network bandwidth as possible, the solution is a good one. What customers should focus on is developing and implementing a consistent methodology. Following are the most common methodologies chosen:

                  * DC points to another DC (often in its site, if available), then to itself, and then potentially to a third server.

                  * DC points to itself, then to another (often in its site, if available), and then potentially to a third server. One potential negative to this is that false errors will often be generated during a shutdown or startup because of race conditions while services are stopping or starting.

                  * All DCs point to a single centralized server, then to themselves, and then potentially to a third server. This option allows all DCs to typically have a consistent view of the environment from a DNS perspective. It can also make it easier to troubleshoot certain issues.


                  Another question for you: do you say that the AD data is replicating without a problem, but only SYSVOL fails to replicate?
                  Do you have a good copy of your SYSVOL data anywhere (e.g. on one of the DCs, backups, etc.)?
                  Last edited by Akila; 17th July 2008, 08:21.



                  • #10
                    Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

                    Yeah, it looks like the new DC has all the AD data, all except for SYSVOL. I'm not able to say for sure that SYSVOL is the only thing missing, but I can speculate based on my experience and say at least it looks like every object in ADUC and ADSS exists on both DCs, and all DNS as well.

                    As for a good copy of SYSVOL, well, the old DC holds a good copy of SYSVOL that I can access.

                    Are you suggesting I copy it manually? I wondered about doing that, but I didn't want to risk causing any more damage by brutally copying and forcing the share when there might be some finer details in the whole FRS process that I'm not aware of.




                    • #11
                      Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

                      No, don't copy the files manually to the new DC or you might find yourself with morphed folders (duplicates).

                      Before I give you an action plan I want you to do a few things (I am still not sure I would give you that plan; I might give you a plan for the DNS).

                      The old DC is still a DC, right?

                      1) make sure that the OLD DC has the most up-to-date files in the SYSVOL.
                      2) make sure that the policy (GPO) count is the same in AD and in SYSVOL (GPT <-> GPC). That can be done by going into SYSVOL -> Policies; there you would find many (or few, depending on the amount of GPOs you have) folders with strange numbers on them. Those numbers are actually the GUIDs of the GPCs in AD.
                      On the old DC (make sure you are connected to that DC and not the new DC in ADUC), open ADUC -> System -> Group Policy (I think; if not, I am sure you will find it), and cross-match the GUIDs of all your policies to the matching GUID folders in SYSVOL.
                      3) open GPMC and go over all the GPOs; in the main window you will see the GUID of every GPO. What you should be looking for is that the AD version and the SYSVOL version match. It looks something like "AD (9) SYSVOL (9)", more or less.
                      Last edited by Akila; 17th July 2008, 20:09.



                      • #12
                        Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

                        Originally posted by Akila
                        No, don't copy the files manually to the new DC or you might find yourself with morphed folders (duplicates).

                        Before I give you an action plan I want you to do a few things (I am still not sure I would give you that plan; I might give you a plan for the DNS).

                        The old DC is still a DC, right?

                        1) make sure that the OLD DC has the most up-to-date files in the SYSVOL.
                        2) make sure that the policy (GPO) count is the same in AD and in SYSVOL (GPT <-> GPC). That can be done by going into SYSVOL -> Policies; there you would find many (or few, depending on the amount of GPOs you have) folders with strange numbers on them. Those numbers are actually the GUIDs of the GPCs in AD.
                        On the old DC (make sure you are connected to that DC and not the new DC in ADUC), open ADUC -> System -> Group Policy (I think; if not, I am sure you will find it), and cross-match the GUIDs of all your policies to the matching GUID folders in SYSVOL.
                        There is an anomaly with a policy in the SYSVOL Policies folder. One of the policies exists in both ADUC and SYSVOL, but in ADUC the type=unknown.
                        Using Explorer I discovered the NTFS permissions were set improperly, and I couldn't open it. So I changed ownership and permissions to match the other policies in SYSVOL. After this it still appears in ADUC as type=unknown.

                        Other than that one policy, all GUIDs in SYSVOL and AD match.

                        Originally posted by Akila
                        3) open GPMC and go over all the GPOs; in the main window you will see the GUID of every GPO. What you should be looking for is that the AD version and the SYSVOL version match. It looks something like "AD (9) SYSVOL (9)", more or less.
                        There are two broken shortcuts to policies in the domain root. Both are labelled "not found" and have a policy icon with a red X through it. The "Default Domain Policy" is there. I have two other policies in the root, and they are also there. I'm not sure where these broken links came from.

                        Other than that, the version matches on all the policies for SYSVOL and AD.



                        • #13
                          Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

                          Try using gpotool as well; that tool helps you check consistency between AD and SYSVOL, etc.
                          Try to identify those broken GPOs: what are they? The most important GPOs are the "Default Domain Controller Policy" and "Default Domain Policy"; other than that, a GPO can always be deleted and recreated.
                          If one of those policies is broken there is still a little tool, DCGPOFIX.exe. This tool can restore the "Default Domain Controller Policy" and "Default Domain Policy"
                          to their original state after installation.
                          When you run dcgpofix, you will lose any changes made to these policy objects.
                          dcgpofix is located in the C:\windows\repair folder.
                          Last edited by Akila; 18th July 2008, 13:41.

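Added example, not part of the thread: a PowerShell audit that does the GPC-to-GPT cross-match from post #11 and the AD-versus-SYSVOL version comparison gpotool and GPMC show (post #13), reading only ADSI and the SYSVOL share so it works without the GroupPolicy module. The domain name and the DC name are placeholders I chose; the versionNumber attribute, the gPCFileSysPath attribute and the Version= line in GPT.INI are the real fields. It also flags the case from post #12, a {GUID} folder that exists but cannot be read.

```powershell
# Added example (editor's code, not from the thread): audit GPC <-> GPT consistency on one DC.
# Assumptions: 'mydomain.com' and 'OLDDC' are placeholders; the DC named is the one whose view of
# AD and SYSVOL you want to check (the old DC, per the thread); the script runs as a Domain Admin.
$domain   = 'mydomain.com'
$dc       = 'OLDDC'
$domainDn = [string]([ADSI]"LDAP://$dc/RootDSE").defaultNamingContext
$policies = "\\$dc\SYSVOL\$domain\Policies"

function Split-GpoVersion([int64]$v) {
    # versionNumber packs the user version in the high 16 bits and the computer version in the
    # low 16 bits; GPMC and gpotool display the two halves separately.
    $v = $v -band 0xFFFFFFFF
    [pscustomobject]@{ User = ($v -shr 16) -band 0xFFFF; Computer = $v -band 0xFFFF }
}

# GPCs: groupPolicyContainer objects under CN=Policies,CN=System as this DC sees them.
$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$dc/CN=Policies,CN=System,$domainDn")
$searcher.Filter = '(objectClass=groupPolicyContainer)'
$gpcs = @{}
foreach ($r in $searcher.FindAll()) {
    $p   = $r.Properties
    $ver = if ($p.Contains('versionnumber')) { [int64]$p['versionnumber'][0] } else { 0 }
    $gpcs[[string]$p['cn'][0]] = [pscustomobject]@{
        Name    = if ($p.Contains('displayname')) { [string]$p['displayname'][0] } else { '<no displayName>' }
        Version = $ver
        Path    = if ($p.Contains('gpcfilesyspath')) { [string]$p['gpcfilesyspath'][0] } else { '' }
    }
}

# GPTs: the {GUID} folders in SYSVOL\<domain>\Policies and the Version= line of each GPT.INI.
# -1 = no Version line, -2 = GPT.INI missing or unreadable (the "type=unknown" symptom).
$gpts = @{}
foreach ($dir in Get-ChildItem -Path $policies -Directory -ErrorAction Stop) {
    if ($dir.Name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }
    $ini = Join-Path $dir.FullName 'GPT.INI'
    try {
        $m = Select-String -Path $ini -Pattern '^Version=(\d+)' -ErrorAction Stop | Select-Object -First 1
        $gpts[$dir.Name] = if ($m) { [int64]$m.Matches[0].Groups[1].Value } else { -1 }
    } catch {
        $gpts[$dir.Name] = -2
    }
}

# Join the two sides by GUID and classify every policy.
$report = foreach ($guid in (@($gpcs.Keys) + @($gpts.Keys) | Sort-Object -Unique)) {
    $ad = $gpcs[$guid]
    $sv = $gpts[$guid]
    $state = if (-not $ad)                 { 'GPT only (orphan folder in SYSVOL)' }
             elseif ($null -eq $sv)        { 'GPC only (folder missing from SYSVOL)' }
             elseif ($sv -eq -2)           { 'GPT.INI missing or unreadable (check NTFS ACLs)' }
             elseif ($sv -eq -1)           { 'GPT.INI has no Version line' }
             elseif ($sv -ne $ad.Version)  { 'VERSION MISMATCH' }
             else                          { 'ok' }
    $adv = if ($ad) { Split-GpoVersion $ad.Version } else { $null }
    $svv = if ($null -ne $sv -and $sv -ge 0) { Split-GpoVersion $sv } else { $null }
    [pscustomobject]@{
        Guid    = $guid
        Name    = if ($ad) { $ad.Name } else { '' }
        AdUser  = if ($adv) { $adv.User } else { '' }
        AdComp  = if ($adv) { $adv.Computer } else { '' }
        SvUser  = if ($svv) { $svv.User } else { '' }
        SvComp  = if ($svv) { $svv.Computer } else { '' }
        State   = $state
    }
}
$report | Sort-Object State | Format-Table -AutoSize
```

Run it once against each DC and diff the two reports: a GPO that is "ok" on the old DC and "GPC only" on the new one is the AD object having replicated while its SYSVOL folder did not, which is precisely the failure this thread is chasing.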


                          • #14
                            Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

                            OK. So I deleted the dead GPO links in the root of the domain, and the folder in SYSVOL that was corrupt. The Domain Controllers policy and the Default Domain Policy are all in good shape and where they should be. Every policy in AD matches SYSVOL. Group Policy and SYSVOL should be healthy now.




                            • #15
                              Re: New DC not sharing sysvol after dcpromo in domain with 1 other unhealthy dc

                              OK, let us do a test before we do anything dramatic.

                              Fact:
                              1) OLDDC (apparently the broken DC, right?)
                              2) NEWDC

                              Action:
                              1) log onto NEWDC, go to the SYSVOL\Domain\domain.com directory.
                              2) create a txt file called newdc.txt
                              3) log onto OLDDC, go to the SYSVOL\Domain\domain.com directory
                              4) create a txt file called olddc.txt
                              5) check on both DCs that the file was replicated (both exist on both DCs).

                              6) create a GPO (don't even link it to anything)
                              7) find the GUID for that GPO (you know by now how to do it)
                              8) check on both DCs if it exists.

                              Let me know what the results are.
                              Last edited by Akila; 22nd July 2008, 18:33.

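Added example, not part of the thread: the eight-step replication test from the post above as a PowerShell script that writes one canary file on each DC, creates an unlinked GPO, and polls both DCs until each artefact shows up or a timeout expires. The domain name, DC names, file names, the 15-minute timeout and the use of New-GPO (GroupPolicy module from GPMC/RSAT, which did not ship with Server 2003) are my assumptions; the SYSVOL layout and the AD path of the policy object are the real ones.

```powershell
# Added example (editor's code, not from the thread): automate the canary test described above.
# Assumptions: 'mydomain.com', 'OLDDC' and 'NEWDC' are placeholders; canary files go in the root of
# \\<DC>\SYSVOL\<domain> as the post suggests; the GPO step runs only if New-GPO is available.
$domain   = 'mydomain.com'
$dcs      = 'OLDDC', 'NEWDC'
$timeout  = New-TimeSpan -Minutes 15
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

function Wait-OnAllDcs {
    # Polls until $Probe returns $true for every DC or the timeout expires; returns the DCs still missing.
    param([string]$What, [scriptblock]$Probe)
    $deadline = (Get-Date) + $timeout
    do {
        $missing = @($dcs | Where-Object { -not (& $Probe $_) })
        if ($missing.Count -eq 0) { Write-Host "$What : present on all DCs"; return @() }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    Write-Host "$What : still missing on $($missing -join ', ') after $($timeout.TotalMinutes) min"
    return $missing
}

# Steps 1-5: one canary file written on each DC; FRS has to carry it to the other DC.
# Writing on both sides tests both directions, since FRS can be broken one way only.
$canaries = foreach ($dc in $dcs) {
    $name = "frs-canary-$dc-$stamp.txt"
    Set-Content -Path "\\$dc\SYSVOL\$domain\$name" -Value "written on $dc at $(Get-Date -Format o)"
    $name
}
$fileResult = foreach ($name in $canaries) {
    Wait-OnAllDcs -What $name -Probe { param($dc) Test-Path "\\$dc\SYSVOL\$domain\$name" }.GetNewClosure()
}

# Steps 6-8: a GPO exercises both transports at once. Its groupPolicyContainer travels by AD
# replication and its {GUID} folder by FRS, so the outcome says which of the two is broken.
$gpo = $null
$gpoResult = @()
if (Get-Command New-GPO -ErrorAction SilentlyContinue) {
    $gpo = New-GPO -Name "frs-canary-$stamp" -Server $dcs[0]
    $id  = "{$($gpo.Id.ToString().ToUpper())}"
    $gpoResult += Wait-OnAllDcs -What "GPC $id in AD" -Probe { param($dc)
        [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$dc/CN=$id,CN=Policies,CN=System,$domainDn") }.GetNewClosure()
    $gpoResult += Wait-OnAllDcs -What "GPT $id in SYSVOL" -Probe { param($dc)
        Test-Path "\\$dc\SYSVOL\$domain\Policies\$id" }.GetNewClosure()
}

# Clean up on the DC that accepted each write; a replicated copy follows by the same path.
foreach ($dc in $dcs) { Remove-Item "\\$dc\SYSVOL\$domain\frs-canary-$dc-$stamp.txt" -ErrorAction SilentlyContinue }
if ($gpo) { Remove-GPO -Guid $gpo.Id -Server $dcs[0] }

$broken = @($fileResult + $gpoResult | Sort-Object -Unique)
if ($broken.Count) { Write-Warning "replication towards $($broken -join ', ') is not working" }
else               { 'SYSVOL replication looks healthy in both directions' }
```

Read the two GPO lines together: "GPC present on all DCs" with "GPT still missing" is the thread's exact situation (directory replication fine, FRS not moving the SYSVOL folder), whereas both missing points back at AD replication or DNS rather than FRS.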