SYSVOL share issue? 2 DC server 2003 environment

  • SYSVOL share issue? 2 DC server 2003 environment

    Alright I wasn't sure where to classify this question as it is causing issues across multiple platforms and services. I think I've narrowed it down to a SYSVOL share problem so I put it here. This is the situation:

    I am a new Network Administrator at a company, been here for a few months so I'm still getting used to our environment. But we have a small IT dept and the old Network Admin is gone, so I only have limited documentation about why things were done the way they were. At one location we have two domain controllers with the following configuration-

    PDC: Server 2003
    name: usm
    Running: DHCP, AD, & DNS

    DC: Server 2003 SP2
    name: tam
    Running: DNS & AD

    I originally found a couple of issues due to a Vista machine randomly logging on to a temp account. While tracking down event logs on the Vista machine, I looked into events on the DCs. On the server named "usm" (the PDC) I noticed the following events:

    ID: 1080
    Category: Userenv
    Description: Windows cannot search for Organizational Unit hierarchy. (52). Group Policy processing aborted.

    ID: 1030
    Category: Userenv
    Description: Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

    ID: 1006
    Category: Userenv
    Description: Windows cannot bind to xyz.com domain. (Local Error). Group Policy processing aborted.

    ID: 1054
    Category: Userenv
    Description: Windows cannot obtain the domain controller name for your computer network. (The specified domain either does not exist or could not be contacted. ). Group Policy processing aborted.


    Also there are DCDiag errors:

    Starting test: NetLogons
    Unable to connect to the NETLOGON share! (\\USM\netlogon)
    [USM] An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..
    ......................... USM failed test NetLogons

    Starting test: Advertising
    Warning: DsGetDcName returned information for \\tam.xyz.com, when we were trying to reach USM.
    Server is not responding or is not considered suitable.
    Warning: USM is not advertising as a global catalog.
    Check that server finished GC promotion.
    Check the event log on server that enough source replicas for the GC are available.
    ......................... USM failed test Advertising

    Starting test: frsevent
    There are warning or error events within the last 24 hours after the
    SYSVOL has been shared. Failing SYSVOL replication problems may cause
    Group Policy problems.

    Starting test: FsmoCheck
    Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
    A Global Catalog Server could not be located - All GC's are down.
    ......................... xyz.com failed test FsmoCheck


    Due to the above errors I checked the SYSVOL directory on "USM" (the PDC). And there's no share, and no policy folders in the SYSVOL directory.

    On the DC "TAM" the only DCDIAG error I receive is:

    Starting test: FsmoCheck
    Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
    A Global Catalog Server could not be located - All GC's are down.
    ......................... xyz.com failed test FsmoCheck


    So here's what I think happened:
    At one point server "TAM" was replaced as PDC with server "USM." When this happened, for some reason the group policy share didn't replicate. Now there are conflicts when loading GPOs or when trying to edit them in AD. My question is, can I simply share out the sysvol directory with the same permissions/share rights that are on server "TAM" and then let the information replicate from "TAM" to "USM?" I am also thinking that perhaps the DNS is not reporting correct, although both DNS servers show the PDC is "USM." The reason I think it's not reporting correctly is because of the DCDIAG error regarding the failed advertisement check on server "USM."

    Anyone have a suggestion? I can share out the SYSVOL easily enough but wanted to see if anyone knew if it would cause problems with more than one server hosting the share (I thought that was the point of GP & replication, to have backup DCs to host the policies). Also, if it should have had SYSVOL shared, any idea what would have caused it not to be? Such as, when using DCPROMO an incorrect option was selected? I have pretty good faith in the previous Network Admin, so I don't think he would have removed the share manually without some good reason. In any case, thanks in advance for your time reading this (sorry such a long post)!

    ~Kara
    ~Kara
    'What we do not make conscious emerges later as fate.' Carl Jung

  • #2
    Re: SYSVOL share issue? 2 DC server 2003 environment

    I might think that running DCPROMO on USM to demote it first and then running DCPROMO again on USM might be the easiest way to get things back to normal.

    • #3
      Re: SYSVOL share issue? 2 DC server 2003 environment

      Hey, thanks for the fast reply!

      So what are the implications/risks of doing that? Do we have to worry about lost AD information since there will be no PDC for the time that it takes to do all of that? I'm used to only supporting 1 server in an environment, so I'm still learning the whole replication thing.

      Thanks so much!

      ~Kara

      • #4
        Re: SYSVOL share issue? 2 DC server 2003 environment

        In AD there is no PDC and BDC. All servers are equals (sort of). Here is some info from MS:

        Removing Active Directory from a Domain Controller
        NOTE: When a domain controller is demoted, if it is not the last domain controller in the domain, it performs a final replication and then transfers the roles to another domain controller. As part of the demotion process, the Dcpromo utility removes the configuration data for the domain controller from Active Directory. This data takes the form of an NTDS Settings object, which exists as a child to the server object in Active Directory Sites and Services Manager. After the domain controller is demoted it no longer has Active Directory information available, and uses the Security Accounts Manager (SAM) database for local database information. If the domain controller is a global catalog, that role is not transferred to another domain controller. In this case, you must manually select the check box in Active Directory Sites and Services Manager for another domain controller to take over the role.

        You may want to search the MS web site a little more, but I'm thinking that you should have no problem.

        • #5
          Re: SYSVOL share issue? 2 DC server 2003 environment

          Wow!! I'm impressed with the quick responses. Thanks so much for your help. I'll post an update with the results (won't be for possibly a couple of days since I'm going to be doing this in the evenings from home instead of during production hours).

          Thanks again,
          Kara

          • #6
            Re: SYSVOL share issue? 2 DC server 2003 environment

            Hmmm first of all it looks like you don't have a GC.
            Make at least one of the servers a GC.
            See for an example: http://www.computerperformance.co.uk...al_catalog.htm

            Personally I think it's better to try some options of demoting and promoting and the above one is a start.
            Marcel
            Technical Consultant
            Netherlands
            http://www.phetios.com
            http://blog.nessus.nl

            MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
            "No matter how secure, there is always the human factor."

            "Enjoy life today, tomorrow may never come."
            "If you're going through hell, keep going. ~Winston Churchill"

            • #7
              Re: SYSVOL share issue? 2 DC server 2003 environment

              Hey Dumber thanks for the response. On the link I noticed the following:

              "...However, Domain Controllers that are also Global Catalog Servers know about other domains..."

              Which made me realize that I thought I knew what a global catalog server was, but I didn't. So it does sound like it can't find the GC server, however I only have one domain at this site. So is that a problem?

              My other question is, do I need to worry about my file shares losing their security settings when I demote the PDC? Since there will no longer be Active Directory information on that server, I am afraid the server will "think" that the users don't exist and thus the permissions will break.

              Thanks!
              ~Kara

              • #8
                Re: SYSVOL share issue? 2 DC server 2003 environment

                You need to make sure that TAM is a GC, but other than that, demoting USM should have no effect on permissions on any other server. TAM will take over all DC responsibility. Also, the first DC in a domain is always a GC, so USM is currently a GC if it was the first in the domain.

                • #9
                  Re: SYSVOL share issue? 2 DC server 2003 environment

                  Originally posted by karatecki:
                  Hey Dumber thanks for the response. On the link I noticed the following:

                  "...However, Domain Controllers that are also Global Catalog Servers know about other domains..."

                  Which made me realize that I thought I knew what a global catalog server was, but I didn't. So it does sound like it can't find the GC server, however I only have one domain at this site. So is that a problem?
                  Joeqwerty already responded about your security question so I'll skip that.

                  Yes you need at least one GC per domain.
                  http://technet2.microsoft.com/window....mspx?mfr=true

                  Also, Joeqwerty stated that the first domain controller in a domain is always a GC. He's correct about that; however, according to your error messages I would check and double-check it to make sure you have at least one GC.
                  Marcel

                  • #10
                    Re: SYSVOL share issue? 2 DC server 2003 environment

                    Hmm...I checked into that last night. TAM is definitely configured as a GC. The weird thing is that it doesn't detect itself as one. Perhaps this explains the issue with the Vista machine randomly not being able to authenticate and thus signing the user on to a temp profile; see this quote from Dumber's link:

                    "For security, until they contact a Global Catalog server Domain Controller cannot proceed with the logon request."

                    I'm not completely clear as to whether this applies since I only have one domain in this location. In any case, my plan is to continue researching and becoming as clear as I can about the process, and do it tonight while the servers aren't in production. I think I just have one question for you guys left. To double check, when I demote USM, it won't remove it from the domain, it will simply transfer PDC responsibility to TAM right?

                    Thanks again!

                    ~Kara

                    • #11
                      Re: SYSVOL share issue? 2 DC server 2003 environment

                      well...
                      Because you don't have a running GC, personally I wouldn't demote the other server. This is because I'm not sure if you can promote it again without a GC. Maybe Joeqwerty knows what happens, but given my knowledge I wouldn't take the risk.

                      ok, this Message is interesting:

                      Starting test: Advertising
                      Warning: DsGetDcName returned information for \\tam.xyz.com, when we were trying to reach USM.
                      Server is not responding or is not considered suitable.
                      Warning: USM is not advertising as a global catalog.
                      Check that server finished GC promotion.
                      Check the event log on server that enough source replicas for the GC are available.
                      Can you make the other DC also a GC and post back when it's done?
                      Marcel

                      • #12
                        Re: SYSVOL share issue? 2 DC server 2003 environment

                        I just wanted to give an update on this process. I'm getting ready to contact Microsoft and open a ticket. We're going to go through them to resolve the issue and I'll post what the fix ends up being. I'm not used to working for a company that doesn't mind paying MS to help out; it's nice.

                        So I'll let everyone know how it goes!
                        Thanks!
                        Kara

                        • #13
                          Re: SYSVOL share issue? 2 DC server 2003 environment

                          ok. Keep us updated!
                          Marcel

                          • #14
                            Re: SYSVOL share issue? 2 DC server 2003 environment

                            Hi Kara,

                            A Global Catalog Server could not be located - All GC's are down.
                            This doesn't absolutely mean that you really don't have a GC in your domain.

                            First, I think it would be simpler to fix the problems
                            and not demote any of the DCs.

                            You have an NTFRS issue - the SYSVOL share - and you need to fix that first.
                            You can't just share it!!
                            You need to tell the other DC which one is the authoritative one.
                            This will be the one with the GP and script content.
                            If there is any, you could afterwards restore the content from backup
                            to an alternative location and copy it there.

                            How to make the DC share authoritative? -
                            Check in Google for "ntfrs share authoritative" - it's a registry edit
                            of a key called BurFlags.

                            Then, after a restart of both DCs, check for the issue.
                            You can test if a DC is a GC not just by the GUI.
                            Use ldp.exe to see if the GC published itself as one.

                            slomi

                            • #15
                              Sweet Victory!!

                              Thank you all for your help. I resolved this issue today and wanted to post the fix. One of the most frustrating things to me is when I'm troubleshooting something...I find the perfect thread which describes exactly my issue...I'm reading and reading and at the end, there's no resolution, there's no update at all that says even as much as "well, we just gave up and reloaded". Anyway, now that I can climb off my soapbox, here's a short summary...

                              dav9, in a very confusing sort of way you hit the nail on the head. When I originally read your response I did search the "burflag" registry setting but I had such difficulty figuring out what you meant in your response I wasn't sure if I was getting the correct settings.

                              There were many issues to resolve, and here they are:
                              1. I went over the DNS settings on the NewServer (usm) with a fine-toothed comb, and did find that the GC was in the DNS correctly. However, I went to the OldServer (tam), disabled its DNS server, and pointed it to the NewServer.

                              2. Then, I double-checked that the NewServer was indeed set as a GC.

                              3. The NewServer had many 13508 NTFRS errors, and the OldServer had NTFRS error 13568 (as well as NTFRS error 13570, which indicates space limitations on C:\; I think this may be the original cause of the 13570 error, which indicates "Journal Wrap" corruption or something to that effect).

                              4. On the old server, which was the only one that had info in the SYSVOL folder, I copied all files to a temp directory.

                              5. Stopped NTFRS on both servers. On the new server, I configured the BurFlags registry setting for the authoritative restore (D4 value in the registry entry described in the MS KB article http://support.microsoft.com/kb/290762). On the old server, I configured the non-authoritative (D2) restore.

                              6. Started NTFRS on both servers, eureka!! Success!! No NTFRS errors, just logs indicating that it was functioning correctly.

                              7. Verified correct permissions on the NewServer and noticed that, due to the restore, both SYSVOL folders were empty; restored those folders to the NewServer from the backup taken in step 4. Then forced a replication in AD Sites and Services and verified the SYSVOL info replicated to the old server.

                              I hope that big long explanation helps someone someday. And again, thanks to everyone who posted here to help me with this.

                              ***EDIT***
                              There is no need to do both an authoritative (D4) and non-authoritative (D2) restore; it worked for me because I had 2 domain controllers and only had one set of data I needed. Really what I should have done is ONLY the D2 restore on the old server (the one that wasn't replicating). This tells the computer that it is to restore data from an upstream server. A D4 restoration tells the server to replace all data on all other domain controllers with its data, which may only be needed in a DR type situation. Anyway, there is another good post w/ info here:
                              http://help.lockergnome.com/windows2...ict474496.html

                              ~Kara
                              Last edited by karatecki; 22nd July 2008, 14:09. Reason: Clarifying a mistake I made in my process
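As an added example (not posted by anyone in this thread), a read-only health check that covers the symptoms the thread walks through: the missing SYSVOL/NETLOGON shares from the dcdiag NetLogons test, the GC advertisement slomi suggests verifying with ldp.exe, the _gc._tcp DNS record behind error 1355, the NTFRS 13508/13568 events, and the BurFlags value from KB 290762. It assumes it runs elevated on the DC itself under PowerShell 3 or later (not the Server 2003 hosts in the thread); the `$Dc` and `$Domain` parameters are placeholders.

```powershell
# Added diagnostic, not from the thread. Read-only: it changes nothing, it only reports
# the state that the thread's dcdiag output, event IDs and BurFlags procedure refer to.
function Test-SysvolHealth {
    param(
        [string]$Dc     = $env:COMPUTERNAME,     # assumption: run on the DC being checked
        [string]$Domain = $env:USERDNSDOMAIN     # e.g. xyz.com in the thread
    )
    $result = [ordered]@{}

    # 1. Shares: dcdiag's NetLogons test failed with error 1203 because \\USM\netlogon was absent.
    foreach ($share in 'SYSVOL', 'NETLOGON') {
        $s = Get-WmiObject Win32_Share -ComputerName $Dc -Filter "Name='$share'"
        $result["${share}Shared"] = [bool]$s
    }

    # 2. GC advertisement: rootDSE isGlobalCatalogReady is the attribute ldp.exe shows.
    #    A DC ticked as GC in Sites and Services that still reports FALSE has not finished
    #    GC promotion, which matches "USM is not advertising as a global catalog".
    $rootDse = [ADSI]"LDAP://$Dc/RootDSE"
    $result.GcReady = ([string]$rootDse.isGlobalCatalogReady) -eq 'TRUE'

    # 3. DNS: error 1355 (no GC could be located) means no _gc._tcp SRV record answers.
    $srv = Resolve-DnsName -Name "_gc._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue
    $result.GcSrvTargets = @($srv | Where-Object { $_.Type -eq 'SRV' } |
                             ForEach-Object { $_.NameTarget })

    # 4. FRS events named in the thread: 13508 (cannot replicate with partner), 13568 (journal wrap).
    $frs = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'File Replication Service'; Id = 13508, 13568; StartTime = (Get-Date).AddDays(-1)
    }
    $result.FrsErrorIds = @($frs | Select-Object -ExpandProperty Id -Unique)

    # 5. BurFlags (KB 290762). .NET is used because the key name contains '/', which the
    #    PowerShell registry provider would otherwise treat as a path separator.
    $sub = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($sub)
    $bur = if ($key) { $key.GetValue('BurFlags') } else { $null }
    $result.BurFlags = switch ($bur) {
        0xD2    { 'D2: non-authoritative restore pending (this DC pulls SYSVOL from a partner)' }
        0xD4    { 'D4: AUTHORITATIVE restore pending (this DC overwrites every partner)' }
        default { 'normal operation (value absent or 0)' }
    }
    [pscustomobject]$result
}

Test-SysvolHealth | Format-List
```

A DC with both shares present, GcReady TRUE, at least one SRV target and no FRS error IDs matches the state Kara reports after step 6; a D4 showing on more than one DC is the situation the EDIT warns about.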
