Replication not working, Create policy on 1 dc, not replicated on others

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Replication not working, Create policy on 1 dc, not replicated on others

    Hi
    I have inherited a very unhealthy AD environment comprising 5 DCs: 1 2008 DC and 4 DCs on 2003 R2 (2 are in a DMZ environment for our hosted Exchange 2007 setup).

    There were 2 DCs which were switched off and never properly demoted, so Active Directory still saw these DCs in the environment. Unfortunately they had been off for so long that they exceeded their tombstone period as well.

    I was able to successfully remove the DCs which were broken by using the forceful removal procedure.

    I actually used a script which I have to say was really easy to use. I have previously done this the manual way at a different company, and can say the script works really well, is easy, and removes most items from the environment apart from the name servers and a few items in DNS.


    http://gallery.technet.microsoft.com...7-0e1cc4d577f3


    When I run DCDiag and some other replication tests, things seem to be better but I am still not able to see replication working properly.



    The way I test this is by creating a new Group Policy on ADUK03; whilst it creates the policy on this DC, the other DCs never see it.
    When I navigate to

    \\DC1\sysvol\ssp-intl.uk.ssp\Policies
    \\DC2\sysvol\ssp-intl.uk.ssp\Policies

    I am seeing different policies: the folder on the DC where I created the new GPOs has 51 objects, while the other DCs only see 44 objects. Even if I force replication using repadmin /showreps, it says it is replicating successfully, but I still cannot see the objects.

    It seems like a problem with sysvol, any ideas of what I could try to diagnose the issue?

    Could it also be that we have 1 DC running 2008 R2 and the other DCs are 2003? Would this make a difference?

  • #2
    Re: Replication not working, Create policy on 1 dc, not replicated on others

    IMHO do a manual metadata cleanup -- scripts introduce more possibility for errors
    Are you in a position to flatten DCs one by one and create new ones replicating from a reference "known good" DC?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland



    • #3
      Re: Replication not working, Create policy on 1 dc, not replicated on others

      Hi

      The metadata cleanup has now been done. To be honest I don't know which one is a good DC. I would assume the DC that has more Group Policy objects on it is probably the healthier one.

      I suppose I could decommission one DC at a time.



      • #4
        Re: Replication not working, Create policy on 1 dc, not replicated on others

        Thanks I will look into that.

        Before I do that I thought it may help to show you guys what it is showing in the logs, just to confirm whether it is a SYSVOL issue (certainly from the logs it does look like it).

        Output from DCDIAG - run on 1 of the DCs. I will only show the errors.
        Starting test: FrsEvent
        There are warning or error events within the last 24 hours after the
        SYSVOL has been shared. Failing SYSVOL replication problems may cause
        Group Policy problems.
        ......................... ADUK01 passed test FrsEvent
        Starting test: SystemLog
        An error event occurred. EventID: 0x00000C8A
        Time Generated: 11/28/2012 09:17:15
        Event String:
        This computer could not authenticate with \\DC1, a Windows domain controller for domain SSPUK, and therefore this computer might deny logon requests. This inability to authenticate might be caused by another computer on the same network using the same name or the password for this computer account is not recognized. If this message appears again, contact your system administrator.
        A warning event occurred. EventID: 0x000016AA
        Time Generated: 11/28/2012 09:35:19
        Event String:
        None of the IP addresses (10.3.254.223) of this Domain Controller map to the configured site 'CORE'. While this may be a temporary situation due to IP address changes, it is generally recommended that the IP address of the Domain Controller (accessible to machines in its domain) maps to the Site which it services. If the above list of IP addresses is stable, consider moving this server to a site (or create one if it does not already exist) such that the above IP address maps to the selected site. This may require the creation of a new subnet object (whose range includes the above IP address) which maps to the selected site object.
        A warning event occurred. EventID: 0x000016AF
        Time Generated: 11/28/2012 09:45:27
        Event String:
        During the past 4.12 hours there have been 70 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites. The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes. The current maximum size is 20000000 bytes. To set a different maximum size, create the above registry value and set the desired maximum size in bytes.
        An error event occurred. EventID: 0x00000C9B
        Time Generated: 11/28/2012 09:59:33
        Event String:
        The session setup to the Windows NT or Windows 2000 Domain Controller \\FILESTORE1 for the domain SSPUK failed because \\FILESTORE1 does not support signing or sealing the Netlogon session. Either upgrade the Domain controller or set the RequireSignOrSeal registry entry on this machine to 0.
        ......................... ADUK01 failed test SystemLog

        Just for further info, the DC1 it shows is an LDAP DC on a legacy Linux domain which we are slowly phasing out. It possibly may be in here because of DNS records and because there is a trust between the AD domain and the LDAP domain.



        • #5
          Re: Replication not working, Create policy on 1 dc, not replicated on others

          Get rid of your Linux server, then see how things go.

          Also, make a decision on which DC is your root DC, then use this as the authoritative source if you do rebuilds.
          Pick the one that holds the master roles.



          • #6
            Re: Replication not working, Create policy on 1 dc, not replicated on others

            Hello

            Bit of an update on this one. Still not making much progress I'm afraid, but I was speaking to one of our consultants who advised me that before I attempt to look at the SYSVOL issues, I should really make sure that the networking/routing is all working, as this could be a contributing factor to the issue.

            So I have been looking into that and found some discrepancies. I am not sure if this could be contributing to the issue, so I thought I would post on here and get some feedback.

            As I mentioned before we have 5 DCs (ADUK01, ADUK02, ADUK03, ADUK04 and ADUK05). ADUK04 and 05 are in the DMZ.

            What I noticed was that ADUK01 is not able to communicate with (ping, tracert) any of the DCs in the DMZ; within the local LAN they can communicate.

            As these DCs are in the DMZ, I thought it could be an issue on the firewall part, so consulted our ISP who maintain the firewall and they came back to me to say that they can't see an issue with the routing/firewalling.

            The packet sniffer they used indicates it sees the echo request and passes the traffic to the correct interface, but receives no return traffic. I have had a look at the firewall rules myself and can agree that it doesn't seem to be an issue on the firewall side; I can see a rule with all of the local DCs within one rule, so what would apply for one DC should apply for all. They have suggested there may be some issue with routes/AV blocking on the DC side.

            I can confirm that it isn't an issue with the AV, as then I would have seen the issue in the logs and all the rest of the DCs would have had the same issue, as they are all part of the same policy.

            The only difference with this DC is its Windows 2008 R2 and the rest are all Windows 2003.

            I did however start looking at routing problems and noticed that there were no persistent routes on DC1 but there were routes for DC2, and DC3.
            Below are the routing tables for each:

            ADUK01:
            ===========================================================================
            Interface List
            11...00 15 5d fa 70 8d ......Microsoft Virtual Machine Bus Network Adapter
            1...........................Software Loopback Interface 1
            12...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
            13...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface
            ===========================================================================
            IPv4 Route Table
            ===========================================================================
            Active Routes:
            Network Destination Netmask Gateway Interface Metric
            0.0.0.0 0.0.0.0 10.3.254.252 10.3.254.223 261
            10.3.0.0 255.255.0.0 On-link 10.3.254.223 261
            10.3.254.223 255.255.255.255 On-link 10.3.254.223 261
            10.3.255.255 255.255.255.255 On-link 10.3.254.223 261
            10.10.200.10 255.255.255.255 10.3.254.8 10.3.254.223 6
            127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
            127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
            127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
            224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
            224.0.0.0 240.0.0.0 On-link 10.3.254.223 261
            255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
            255.255.255.255 255.255.255.255 On-link 10.3.254.223 261
            ===========================================================================
            Persistent Routes:
            Network Address Netmask Gateway Address Metric
            0.0.0.0 0.0.0.0 10.3.254.252 Default
            10.10.200.10 255.255.255.255 10.3.254.8 1
            ===========================================================================
            IPv6 Route Table
            ===========================================================================
            Active Routes:
            If Metric Network Destination Gateway
            1 306 ::1/128 On-link
            1 306 ff00::/8 On-link
            ===========================================================================
            Persistent Routes:
            None
            ADUK02:

            IPv4 Route Table
            ===========================================================================
            Interface List
            0x1 ........................... MS TCP Loopback interface
            0x10003 ...00 13 72 65 92 97 ...... Intel(R) PRO/1000 MT Network Connection #2
            ===========================================================================
            ===========================================================================
            Active Routes:
            Network Destination Netmask Gateway Interface Metric
            0.0.0.0 0.0.0.0 10.3.254.252 10.3.254.225 10
            10.2.1.2 255.255.255.255 10.3.1.100 10.3.254.225 1
            10.3.0.0 255.255.0.0 10.3.254.225 10.3.254.225 10
            10.3.254.225 255.255.255.255 127.0.0.1 127.0.0.1 10
            10.10.200.10 255.255.255.255 10.3.254.8 10.3.254.225 1
            10.100.0.153 255.255.255.255 10.3.254.252 10.3.254.225 10
            10.100.0.154 255.255.255.255 10.3.254.252 10.3.254.225 10
            10.230.32.19 255.255.255.255 10.3.254.8 10.3.254.225 1
            10.255.255.255 255.255.255.255 10.3.254.225 10.3.254.225 10
            127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
            192.168.16.8 255.255.255.255 10.3.254.8 10.3.254.225 1
            224.0.0.0 240.0.0.0 10.3.254.225 10.3.254.225 10
            255.255.255.255 255.255.255.255 10.3.254.225 10.3.254.225 1
            Default Gateway: 10.3.254.252
            ===========================================================================
            Persistent Routes:
            Network Address Netmask Gateway Address Metric
            10.230.32.19 255.255.255.255 10.3.254.8 1
            10.10.200.10 255.255.255.255 10.3.254.8 1
            192.168.16.8 255.255.255.255 10.3.254.8 1
            ADUK03:

            IPv4 Route Table
            ===========================================================================
            Interface List
            0x1 ........................... MS TCP Loopback interface
            0x2 ...00 21 f6 00 00 59 ...... Virtual Iron Accelerated Miniport Ethernet Adapter
            ===========================================================================
            ===========================================================================
            Active Routes:
            Network Destination Netmask Gateway Interface Metric
            0.0.0.0 0.0.0.0 10.3.254.252 10.3.254.224 10
            10.1.1.128 255.255.255.255 10.3.1.100 10.3.254.224 1
            10.3.0.0 255.255.0.0 10.3.254.224 10.3.254.224 10
            10.3.254.224 255.255.255.255 127.0.0.1 127.0.0.1 10
            10.10.200.10 255.255.255.255 10.3.254.8 10.3.254.224 1
            10.255.255.255 255.255.255.255 10.3.254.224 10.3.254.224 10
            127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
            224.0.0.0 240.0.0.0 10.3.254.224 10.3.254.224 10
            255.255.255.255 255.255.255.255 10.3.254.224 10.3.254.224 1
            Default Gateway: 10.3.254.252
            ===========================================================================
            Persistent Routes:
            Network Address Netmask Gateway Address Metric
            10.10.200.10 255.255.255.255 10.3.254.8 1
            ADUK04:
            IPv4 Route Table
            ===========================================================================
            Interface List
            0x1 ........................... MS TCP Loopback interface
            0x10003 ...00 0c 29 49 ce 63 ...... vmxnet3 Ethernet Adapter
            ===========================================================================
            ===========================================================================
            Active Routes:
            Network Destination Netmask Gateway Interface Metric
            0.0.0.0 0.0.0.0 10.2.1.254 10.2.1.1 10
            10.2.1.0 255.255.255.0 10.2.1.1 10.2.1.1 10
            10.2.1.1 255.255.255.255 127.0.0.1 127.0.0.1 10
            10.255.255.255 255.255.255.255 10.2.1.1 10.2.1.1 10
            127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
            224.0.0.0 240.0.0.0 10.2.1.1 10.2.1.1 10
            255.255.255.255 255.255.255.255 10.2.1.1 10.2.1.1 1
            Default Gateway: 10.2.1.254
            ===========================================================================
            Persistent Routes:
            None
            ADUK05:
            IPv4 Route Table
            ===========================================================================
            Interface List
            0x1 ........................... MS TCP Loopback interface
            0x10003 ...00 0c 29 6e 45 2d ...... vmxnet3 Ethernet Adapter
            ===========================================================================
            ===========================================================================
            Active Routes:
            Network Destination Netmask Gateway Interface Metric
            0.0.0.0 0.0.0.0 10.2.1.254 10.2.1.2 10
            10.2.1.0 255.255.255.0 10.2.1.2 10.2.1.2 10
            10.2.1.2 255.255.255.255 127.0.0.1 127.0.0.1 10
            10.100.0.152 255.255.255.255 10.2.1.254 10.2.1.2 10
            10.255.255.255 255.255.255.255 10.2.1.2 10.2.1.2 10
            127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
            224.0.0.0 240.0.0.0 10.2.1.2 10.2.1.2 10
            255.255.255.255 255.255.255.255 10.2.1.2 10.2.1.2 1
            Default Gateway: 10.2.1.254
            ===========================================================================
            Persistent Routes:
            None
            I noticed that ADUK01 has different routes than ADUK03. I have tried to add the persistent routes which I believe it may use to communicate with the DCs in the DMZ, but to no avail.
            Could this be contributing to the issue?
            Any advice would be greatly appreciated....

            Thanks
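Added example, not from the thread: a small Python longest-prefix-match lookup over the Active Routes rows pasted above, to show which next hop ADUK01 and ADUK02 each pick for the DMZ DC addresses 10.2.1.1 and 10.2.1.2 (only the rows relevant to that question are embedded; the tie-break ignores the interface metric Windows also consults).

```python
import ipaddress

# Active Routes rows copied from the route tables in the post above,
# trimmed to the rows that matter for reaching the DMZ (10.2.1.0/24).
# Columns: destination, netmask, gateway, interface, metric.
ROUTES = {
    "ADUK01": """
0.0.0.0 0.0.0.0 10.3.254.252 10.3.254.223 261
10.3.0.0 255.255.0.0 On-link 10.3.254.223 261
10.10.200.10 255.255.255.255 10.3.254.8 10.3.254.223 6
""",
    "ADUK02": """
0.0.0.0 0.0.0.0 10.3.254.252 10.3.254.225 10
10.2.1.2 255.255.255.255 10.3.1.100 10.3.254.225 1
10.3.0.0 255.255.0.0 10.3.254.225 10.3.254.225 10
10.10.200.10 255.255.255.255 10.3.254.8 10.3.254.225 1
""",
}


def parse_routes(text):
    """Parse 'route print' Active Routes rows into (network, gateway, metric)."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip headers or anything that is not a route row
        dest, mask, gw, iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        # 2008 R2 prints 'On-link' for directly connected networks; 2003
        # repeats the interface address as the gateway. Normalise both.
        if gw == "On-link" or gw == iface:
            gw = f"on-link via {iface}"
        routes.append((net, gw, int(metric)))
    return routes


def next_hop(routes, target):
    """Longest-prefix match; lowest metric wins among equal-length prefixes."""
    ip = ipaddress.IPv4Address(target)
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return (None, "unreachable")
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return (str(best[0]), best[1])


def compare_next_hops(target):
    """Next hop each DC's table selects for the same destination."""
    return {dc: next_hop(parse_routes(t), target) for dc, t in ROUTES.items()}


if __name__ == "__main__":
    for dst in ("10.2.1.1", "10.2.1.2"):
        for dc, (net, gw) in compare_next_hops(dst).items():
            print(f"{dc}: {dst} matches {net} -> {gw}")
```

For 10.2.1.2, ADUK02 uses its /32 host route via 10.3.1.100 while ADUK01 falls through to the default gateway 10.3.254.252, which is the difference between the two tables that a practitioner would check against the DMZ return path.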
