I have a problem with my domain controllers.
I have two, dep-s-dc (Win 2k3 Ent) and dep-s-004 (Win 2k8 Ent).
dep-s-dc was our main server when the company started out and as such hosted
nearly everything: DNS, DHCP, Exchange, AD and DC.
Over time we have got bigger and bought more servers. I installed dep-s-004
as a domain secondary controller. Recently we have had problems with dep-s-dc
and it was looking bad, so I moved the FSMO roles to dep-s-004, making this the
primary. All roles were transferred without problems.
I have now noticed, however, that new clients when logging on take an age to
populate the domain list. Also group policy has stopped working. When you
click on a policy you get the following message "The network name cannot be
found". You get this message on dep-s-dc and dep-s-004. There are also errors
relating to NTfrs in the event logs on both machines.
I have done a lot of research and can't seem to pinpoint the error.
Replication does seem to be working. If I create an account on dep-s-004 and
check dep-s-dc it appears. Ping and nslookup are OK between the two servers.
It just seems to be the sysvol and netlogon that are not being replicated.
They are on dep-s-dc but not on dep-s-004.
How can I solve this?
Check out this article:
http://support.microsoft.com/kb/315457
Also run diagnostics tools against all DCs; install them from the support
tools folder on the installation disk: dcdiag /v, netdiag /v and repadmin
/showreps. If you have errors, post the complete output here, even if it is a
huge amount. Split it into more postings.
Best regards
Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
I would like you to run dcdiag and netdiag on both servers. To check
replication please run repadmin /showreps >rep.txt. Also, can you please tell
which event ID in the ntfrs logs you are seeing? Is it only 13508 or do you see
13509 as well?
Thanks
Thanks for the replies.
Here are the errors I get on each server:
dep-s-dc: 13568, 13512, 13501
dep-s-004: 13508, I do not get the 13509 after the 13508
This is the output from the repadmin /showreps >rep.txt
Default-First-Site\DEP-S-004
DSA Options: IS_GC
Site Options: (none)
DSA object GUID: 89d08d88-9a88-46a0-99cb-449ca63ccefe
DSA invocationID: 7d80b828-9a00-4d53-b2f1-6b5034680818
==== INBOUND NEIGHBORS ======================================
DC=depoel,DC=local
Default-First-Site\DEP-S-DC via RPC
DSA object GUID: 4dd6baa0-77d7-43d9-948c-13b6f86c03cb
Last attempt @ 2008-06-16 09:33:06 was successful.
CN=Configuration,DC=depoel,DC=local
Default-First-Site\DEP-S-DC via RPC
DSA object GUID: 4dd6baa0-77d7-43d9-948c-13b6f86c03cb
Last attempt @ 2008-06-16 09:28:34 was successful.
CN=Schema,CN=Configuration,DC=depoel,DC=local
Default-First-Site\DEP-S-DC via RPC
DSA object GUID: 4dd6baa0-77d7-43d9-948c-13b6f86c03cb
Last attempt @ 2008-06-16 09:28:34 was successful.
DC=DomainDnsZones,DC=depoel,DC=local
Default-First-Site\DEP-S-DC via RPC
DSA object GUID: 4dd6baa0-77d7-43d9-948c-13b6f86c03cb
Last attempt @ 2008-06-16 09:28:34 was successful.
DC=ForestDnsZones,DC=depoel,DC=local
Default-First-Site\DEP-S-DC via RPC
DSA object GUID: 4dd6baa0-77d7-43d9-948c-13b6f86c03cb
Last attempt @ 2008-06-16 09:28:34 was successful.
-----------------------------------
dep-s-dc
Default-First-Site\DEP-S-DC
DC Options: IS_GC
Site Options: (none)
DC object GUID: 4dd6baa0-77d7-43d9-948c-13b6f86c03cb
DC invocationID: 4dd6baa0-77d7-43d9-948c-13b6f86c03cb
==== INBOUND NEIGHBORS ======================================
DC=depoel,DC=local
Default-First-Site\DEP-S-004 via RPC
DC object GUID: 89d08d88-9a88-46a0-99cb-449ca63ccefe
Last attempt @ 2008-06-16 09:34:47 was successful.
CN=Configuration,DC=depoel,DC=local
Default-First-Site\DEP-S-004 via RPC
DC object GUID: 89d08d88-9a88-46a0-99cb-449ca63ccefe
Last attempt @ 2008-06-16 09:26:44 was successful.
CN=Schema,CN=Configuration,DC=depoel,DC=local
Default-First-Site\DEP-S-004 via RPC
DC object GUID: 89d08d88-9a88-46a0-99cb-449ca63ccefe
Last attempt @ 2008-06-16 09:26:44 was successful.
DC=DomainDnsZones,DC=depoel,DC=local
Default-First-Site\DEP-S-004 via RPC
DC object GUID: 89d08d88-9a88-46a0-99cb-449ca63ccefe
Last attempt @ 2008-06-16 09:27:41 was successful.
DC=ForestDnsZones,DC=depoel,DC=local
Default-First-Site\DEP-S-004 via RPC
DC object GUID: 89d08d88-9a88-46a0-99cb-449ca63ccefe
Last attempt @ 2008-06-16 09:26:44 was successful.
---------------------------------
Please post the complete error message from the event viewer and not only the
numbers. On any event, in the right corner is a 2 paper button which will
copy all info to the clipboard; just paste it then into the posting.
Best regards
Meinolf Weber
> Hi,
Log Name: File Replication Service
Source: NtFrs
Date: 15/06/2008 17:10:38
Event ID: 13508
Task Category: None
Level: Warning
Keywords: Classic
User: N/A
Computer: dep-s-004.depoel.local
Description:
The File Replication Service is having trouble enabling replication from
DEP-S-DC to DEP-S-004 for c:\windows\sysvol\domain using the DNS name
dep-s-dc.depoel.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.
[1] FRS can not correctly resolve the DNS name dep-s-dc.depoel.local from
this computer.
[2] FRS is not running on dep-s-dc.depoel.local.
[3] The topology information in the Active Directory Domain Services for
this replica has not yet replicated to all the Domain Controllers.
This event log message will appear once per connection, After the problem
is fixed you will see another event log message indicating that the
connection has been established.
----------------------------------------------
dep-s-dc
Event Type: Error
Event Source: NtFrs
Event Category: None
Event ID: 13568
Date: 13/06/2008
Time: 13:17:26
User: N/A
Computer: DEP-S-DC
Description:
The File Replication Service has detected that the replica set "DOMAIN
SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
Replica set name is : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
Replica root path is : "c:\windows\sysvol\domain"
Replica root volume is : "\\.\C:"
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to
read from the NTFS USN journal is not found. This can occur because of one
of the following reasons.
[1] Volume "\\.\C:" has been formatted.
[2] The NTFS USN journal on volume "\\.\C:" has been deleted.
[3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can
truncate the journal if it finds corrupt entries at the end of the journal.
[4] File Replication Service was not running on this computer for a long
time.
[5] File Replication Service could not keep up with the rate of Disk IO
activity on "\\.\C:".
Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1
will cause the following recovery steps to be taken to automatically recover
from this error state.
[1] At the first poll, which will occur in 5 minutes, this computer will be
deleted from the replica set. If you do not want to wait 5 minutes, then run
"net stop ntfrs" followed by "net start ntfrs" to restart the File
Replication Service.
[2] At the poll following the deletion this computer will be re-added to
the replica set. The re-addition will trigger a full tree sync for the
replica set.
WARNING: During the recovery process data in the replica tree may be
unavailable. You should reset the registry parameter described above to 0 to
prevent automatic recovery from making the data unexpectedly unavailable if
this error condition occurs again.
To change this registry parameter, run regedit.
Click on Start, Run and type regedit.
Expand HKEY_LOCAL_MACHINE.
Click down the key path:
"System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
"Enable Journal Wrap Automatic Restore"
and update the value.
If the value name is not present you may add it with the New->DWORD Value
function under the Edit Menu item. Type the value name exactly as shown above.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13512
Date: 13/06/2008
Time: 13:17:24
User: N/A
Computer: DEP-S-DC
Description:
The File Replication Service has detected an enabled disk write cache on the
drive containing the directory c:\windows\ntfrs\jet on the computer DEP-S-DC.
The File Replication Service might not recover when power to the drive is
interrupted and critical updates are lost.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Information
Event Source: NtFrs
Event Category: None
Event ID: 13501
Date: 13/06/2008
Time: 13:17:22
User: N/A
Computer: DEP-S-DC
Description:
The File Replication Service is starting.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
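Added example, not part of the original thread: a Python script that reads event text pasted in the two layouts shown above and reports the pattern asked about earlier, a 13508 warning with no later 13509 for the same connection, plus any 13568 journal wrap error. The sample records are constructed from the events posted here; the DEP-S-EXAMPLE host, the shortened descriptions, the 13509 wording and the dd/mm/yyyy date format are assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the two layouts pasted in this thread (Server 2008
# "Log Name:" records and Server 2003 "Event Type:" records). Descriptions are
# shortened; DEP-S-EXAMPLE and the 13509 wording are constructed assumptions.
SAMPLE = r"""Log Name: File Replication Service
Source: NtFrs
Date: 15/06/2008 17:10:38
Event ID: 13508
Computer: dep-s-004.depoel.local
Description:
The File Replication Service is having trouble enabling replication from
DEP-S-DC to DEP-S-004 for c:\windows\sysvol\domain using the DNS name
dep-s-dc.depoel.local. FRS will keep retrying.
Log Name: File Replication Service
Source: NtFrs
Date: 15/06/2008 17:12:00
Event ID: 13508
Computer: dep-s-004.depoel.local
Description:
The File Replication Service is having trouble enabling replication from
DEP-S-EXAMPLE to DEP-S-004 for c:\windows\sysvol\domain using the DNS name
dep-s-example.depoel.local. FRS will keep retrying.
Log Name: File Replication Service
Source: NtFrs
Date: 15/06/2008 17:20:00
Event ID: 13509
Computer: dep-s-004.depoel.local
Description:
The File Replication Service has enabled replication from DEP-S-EXAMPLE to
DEP-S-004 for c:\windows\sysvol\domain after repeated retries.
Event Type: Error
Event Source: NtFrs
Event ID: 13568
Date: 13/06/2008
Time: 13:17:26
Computer: DEP-S-DC
Description:
The File Replication Service has detected that the replica set "DOMAIN
SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.
"""

RECORD_START = re.compile(r"^(Log Name|Event Type):")
FIELD = re.compile(r"^([A-Za-z ]+):\s*(.*)$")
CONNECTION = re.compile(r"replication from\s+(\S+)\s+to\s+(\S+)", re.I)


def parse_events(text):
    """Split pasted Event Viewer text into dicts, one per event record."""
    events, current, in_desc = [], None, False
    for line in text.splitlines():
        if RECORD_START.match(line):          # a new record begins here
            current = {"Description": ""}
            events.append(current)
            in_desc = False
        if current is None:
            continue                          # text before the first record
        if in_desc:                           # free text until the next record
            current["Description"] += " " + line.strip()
            continue
        m = FIELD.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            if key == "Description":
                in_desc = True
            else:
                current[key] = value
    for ev in events:
        # Server 2003 records carry the time in a separate "Time:" field.
        stamp = ev["Date"] + (" " + ev["Time"] if "Time" in ev else "")
        ev["when"] = datetime.strptime(stamp, "%d/%m/%Y %H:%M:%S")  # assumed format
        ev["id"] = int(ev["Event ID"])
        ev["host"] = ev["Computer"].split(".")[0].upper()
    return events


def find_frs_problems(events):
    """Return (host, finding, detail) tuples for the FRS patterns in the thread."""
    unresolved = {}  # (host, upstream, downstream) -> time of first open 13508
    findings = []
    for ev in sorted(events, key=lambda e: e["when"]):
        conn = CONNECTION.search(ev["Description"])
        if conn:
            key = (ev["host"], conn.group(1).upper(), conn.group(2).upper())
        if ev["id"] == 13508 and conn:
            unresolved.setdefault(key, ev["when"])
        elif ev["id"] == 13509 and conn:
            unresolved.pop(key, None)         # connection was established later
        elif ev["id"] == 13568:
            findings.append((ev["host"], "13568 JRNL_WRAP_ERROR",
                             "replica set is in journal wrap error state"))
    for (host, up, down), since in sorted(unresolved.items()):
        findings.append((host, "13508 without 13509",
                         f"{up} -> {down} since {since:%Y-%m-%d %H:%M:%S}"))
    return findings


if __name__ == "__main__":
    for finding in find_frs_problems(parse_events(SAMPLE)):
        print(*finding, sep=" | ")
```

Save the copied event text from each DC to one file and pass its contents to parse_events in place of SAMPLE.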
Did you try the suggestions stated in the errors?
Best regards
Meinolf Weber
> dep-s-004
[1] FRS can not correctly resolve the DNS name dep-s-dc.depoel.local from
this computer.
DNS shows no errors and ping and nslookup both show correct results from
both machines
[2] FRS is not running on dep-s-dc.depoel.local.
FRS is running on both machines
[3] The topology information in the Active Directory Domain Services for
this replica has not yet replicated to all the Domain Controllers.
I have done manual replication which states it has been successful. There is
only about 15MB to sync.
[1] Volume "\\.\C:" has been formatted.
Not true
[2] The NTFS USN journal on volume "\\.\C:" has been deleted.
[3] The NTFS USN journal on volume "\\.\C:" has been truncated.
I am not sure where this is located, but nothing has been deleted.
I have tried many Microsoft articles to try and sort this but so far I am
drawing a blank.
---dep-s-004---
Repadmin can't connect to a "home server", because of the following error.
Try specifying a different
home server with /homeserver:[dns name]
Error: An LDAP lookup operation failed with the following error:
LDAP Error 81(0x51): Server Down
Server Win32 Error 0(0x0):
Extended Information:
---dep-s-dc---
Repadmin experienced the following error trying to resolve the DC_NAME: now
Error: An error occured:
Win32 Error 8419(0x20e3): The DSA object could not be found.
I am looking into these errors at the moment.
On both servers run repadmin /showutdvec servername dc=domain,dc=com and
compare the USN numbers.
Best regards
Meinolf Weber
> I have just tried the replicate now function on both servers which
Thanks for all the help so far.
This was from dep-s-dc
Caching GUIDs.
..
Default-First-Site\DEP-S-DC @ USN 8344534 @ Time 2008-06-17 09:57:06
Default-First-Site\DEP-S-004 @ USN 555501 @ Time 2008-06-17 09:57:04
This was from dep-s-004
Caching GUIDs.
..
Default-First-Site\DEP-S-DC @ USN 8344534 @ Time 2008-06-17 09:57:07
Default-First-Site\DEP-S-004 @ USN 555504 @ Time 2008-06-17 09:57:09
Even if it is a big output, please post the dcdiag /v from both servers here;
use more than one posting if it does not fit in one and label them 1, 2, ...
At the beginning you stated there was a problem; did you restore something on
the DCs?
Best regards
Meinolf Weber
> Is there anything else I can check?
>
I have split it into 3 parts. This is part 1, 2 is the results of dcdiag /v
from dep-s-004, 3 is the results from dcdiag /v from dep-s-dc
I didn't restore anything on the DC's. I switched the FSMO roles from
dep-s-dc to dep-s-004 and I noticed that the SYSVOL and NETLOGON folder are
not replicated. To be honest it looks like they never were.
From the tests below I think this will be the problem on dep-s-004
An Warning Event occurred. EventID: 0x800034C4
Time Generated: 06/17/2008 18:19:49
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = File Replication Service) could not be
retrieved, error 0x3afc)
An Warning Event occurred. EventID: 0x800034C4
Time Generated: 06/17/2008 21:52:45
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = File Replication Service) could not be
retrieved, error 0x3afc)
The problem is I just seem to be chasing a never-ending loop of event IDs that
all point to different things.
Domain Controller Diagnosis
Performing initial setup:
* Verifying that the local machine dep-s-dc, is a DC.
* Connecting to directory service on server dep-s-dc.
* Collecting site info.
* Identifying all servers.
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\DEP-S-DC
Starting test: Connectivity
* Active Directory LDAP Services Check
* Active Directory RPC Services Check
......................... DEP-S-DC passed test Connectivity
Doing primary tests
Testing server: Default-First-Site\DEP-S-DC
Starting test: Replications
* Replications Check
* Replication Latency Check
* Replication Site Latency Check
......................... DEP-S-DC passed test Replications
Test omitted by user request: Topology
Test omitted by user request: CutoffServers
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DEP-S-DC.
* Security Permissions Check for
DC=TAPI3Directory,DC=depoel,DC=local
(NDNC,Version 2)
* Security Permissions Check for
DC=ForestDnsZones,DC=depoel,DC=local
(NDNC,Version 2)
* Security Permissions Check for
DC=DomainDnsZones,DC=depoel,DC=local
(NDNC,Version 2)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=depoel,DC=local
(Schema,Version 2)
* Security Permissions Check for
CN=Configuration,DC=depoel,DC=local
(Configuration,Version 2)
* Security Permissions Check for
DC=depoel,DC=local
(Domain,Version 2)
......................... DEP-S-DC passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Verified share \\DEP-S-DC\netlogon
Verified share \\DEP-S-DC\sysvol
......................... DEP-S-DC passed test NetLogons
Starting test: Advertising
The DC DEP-S-DC is advertising itself as a DC and having a DS.
The DC DEP-S-DC is advertising as an LDAP server
The DC DEP-S-DC is advertising as having a writeable directory
The DC DEP-S-DC is advertising as a Key Distribution Center
The DC DEP-S-DC is advertising as a time server
The DS DEP-S-DC is advertising as a GC.
......................... DEP-S-DC passed test Advertising
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
Role Domain Owner = CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
Role PDC Owner = CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
Role Rid Owner = CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
......................... DEP-S-DC passed test KnowsOfRoleHolders
Starting test: RidManager
* Available RID Pool for the Domain is 2605 to 1073741823
* dep-s-004.depoel.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 1605 to 2104
* rIDPreviousAllocationPool is 1105 to 1604
* rIDNextRID: 1514
* Warning :There is less than 19% available RIDs in the current pool
......................... DEP-S-DC passed test RidManager
Starting test: MachineAccount
Checking machine account for DC DEP-S-DC on DC DEP-S-DC.
* SPN found :LDAP/dep-s-dc.depoel.local/depoel.local
* SPN found :LDAP/dep-s-dc.depoel.local
* SPN found :LDAP/DEP-S-DC
* SPN found :LDAP/dep-s-dc.depoel.local/DEPOEL
* SPN found
:LDAP/4dd6baa0-77d7-43d9-948c-13b6f86c03cb._msdcs.depoel.local
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/4dd6baa0-77d7-43d9-948c-13b6f86c03cb/depoel.local
* SPN found :HOST/dep-s-dc.depoel.local/depoel.local
* SPN found :HOST/dep-s-dc.depoel.local
* SPN found :HOST/DEP-S-DC
* SPN found :HOST/dep-s-dc.depoel.local/DEPOEL
* SPN found :GC/dep-s-dc.depoel.local/depoel.local
......................... DEP-S-DC passed test MachineAccount
Starting test: Services
* Checking Service: Dnscache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: RpcSs
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DEP-S-DC passed test Services
Test omitted by user request: OutboundSecureChannels
Starting test: ObjectsReplicated
DEP-S-DC is in domain DC=depoel,DC=local
Checking for CN=DEP-S-DC,OU=Domain Controllers,DC=depoel,DC=local
in domain DC=depoel,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=DEP-S-DC,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
in domain CN=Configuration,DC=depoel,DC=local on 1 servers
Object is up-to-date on all servers.
......................... DEP-S-DC passed test ObjectsReplicated
Starting test: frssysvol
* The File Replication Service SYSVOL ready test
File Replication Service's SYSVOL is ready
......................... DEP-S-DC passed test frssysvol
Starting test: frsevent
* The File Replication Service Event log test
......................... DEP-S-DC passed test frsevent
Starting test: kccevent
* The KCC Event log test
Found no KCC errors in Directory Service Event log in the last 15
minutes.
......................... DEP-S-DC passed test kccevent
Starting test: systemlog
* The System Event log test
Found no errors in System Event log in the last 60 minutes.
......................... DEP-S-DC passed test systemlog
Test omitted by user request: VerifyReplicas
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DEP-S-DC,OU=Domain Controllers,DC=depoel,DC=local and backlink on
CN=DEP-S-DC,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
are correct.
The system object reference (frsComputerReferenceBL)
CN=DEP-S-DC,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=depoel,DC=local
and backlink on CN=DEP-S-DC,OU=Domain Controllers,DC=depoel,DC=local
are correct.
The system object reference (serverReferenceBL)
CN=DEP-S-DC,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=depoel,DC=local
and backlink on
CN=NTDS
Settings,CN=DEP-S-DC,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
are correct.
......................... DEP-S-DC passed test VerifyReferences
Test omitted by user request: VerifyEnterpriseReferences
Test omitted by user request: CheckSecurityError
Running partition tests on : TAPI3Directory
Starting test: CrossRefValidation
......................... TAPI3Directory passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... TAPI3Directory passed test CheckSDRefDom
Running partition tests on : ForestDnsZones
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Running partition tests on : DomainDnsZones
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Running partition tests on : Schema
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Running partition tests on : Configuration
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Running partition tests on : depoel
Starting test: CrossRefValidation
......................... depoel passed test CrossRefValidation
Starting test: CheckSDRefDom
......................... depoel passed test CheckSDRefDom
Running enterprise tests on : depoel.local
Starting test: Intersite
Skipping site Default-First-Site, this site is outside the scope
provided by the command line arguments provided.
......................... depoel.local passed test Intersite
Starting test: FsmoCheck
GC Name: \\dep-s-dc.depoel.local
Locator Flags: 0xe00001fc
PDC Name: \\dep-s-004.depoel.local
Locator Flags: 0xe00013fd
Time Server Name: \\dep-s-dc.depoel.local
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\dep-s-dc.depoel.local
Locator Flags: 0xe00001fc
KDC Name: \\dep-s-dc.depoel.local
Locator Flags: 0xe00001fc
......................... depoel.local passed test FsmoCheck
Test omitted by user request: DNS
Test omitted by user request: DNS
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
* Verifying that the local machine dep-s-004, is a Directory Server.
Home Server = dep-s-004
* Connecting to directory service on server dep-s-004.
* Identified AD Forest.
Collecting AD specific global data
* Collecting site info.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=depoel,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
The previous call succeeded
Iterating through the sites
Looking at base site object: CN=NTDS Site
Settings,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
Getting ISTG and options for the site
* Identifying all servers.
Calling
ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=depoel,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
The previous call succeeded....
The previous call succeeded
Iterating through the list of servers
Getting information for the server CN=NTDS
Settings,CN=DEP-S-DC,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
Getting information for the server CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
objectGuid obtained
InvocationID obtained
dnsHostname obtained
site info obtained
All the info for the server collected
* Identifying all NC cross-refs.
* Found 2 DC(s). Testing 1 of them.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site\DEP-S-004
Starting test: Connectivity
* Active Directory LDAP Services Check
Determining IP4 connectivity
Determining IP6 connectivity
* Active Directory RPC Services Check
......................... DEP-S-004 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site\DEP-S-004
Starting test: Advertising
Warning: DsGetDcName returned information for
\\dep-s-dc.depoel.local,
when we were trying to reach DEP-S-004.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... DEP-S-004 failed test Advertising
Test omitted by user request: CheckSecurityError
Test omitted by user request: CutoffServers
Starting test: FrsEvent
* The File Replication Service Event log test
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may
cause
Group Policy problems.
An Warning Event occurred. EventID: 0x800034C4
Time Generated: 06/17/2008 18:19:49
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = File Replication Service) could not be
retrieved, error 0x3afc)
An Warning Event occurred. EventID: 0x800034C4
Time Generated: 06/17/2008 21:52:45
EvtFormatMessage failed, error 15100 Win32 Error 15100.
(Event String (event log = File Replication Service) could not be
retrieved, error 0x3afc)
......................... DEP-S-004 passed test FrsEvent
Starting test: DFSREvent
The DFS Replication Event Log.
......................... DEP-S-004 passed test DFSREvent
Starting test: SysVolCheck
* The File Replication Service SYSVOL ready test
The registry lookup failed to determine the state of the SYSVOL. The
error returned was 0x0 "Win32 Error 0". Check the FRS event log to
see if the SYSVOL has successfully been shared.
......................... DEP-S-004 passed test SysVolCheck
Starting test: KccEvent
* The KCC Event log test
Found no KCC errors in "Directory Service" Event log in the last 15
minutes.
......................... DEP-S-004 passed test KccEvent
Starting test: KnowsOfRoleHolders
Role Schema Owner = CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
Role Domain Owner = CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
Role PDC Owner = CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
Role Rid Owner = CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
Role Infrastructure Update Owner = CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
......................... DEP-S-004 passed test KnowsOfRoleHolders
Starting test: MachineAccount
Checking machine account for DC DEP-S-004 on DC DEP-S-004.
* SPN found :LDAP/dep-s-004.depoel.local/depoel.local
* SPN found :LDAP/dep-s-004.depoel.local
* SPN found :LDAP/DEP-S-004
* SPN found :LDAP/dep-s-004.depoel.local/DEPOEL
* SPN found
:LDAP/89d08d88-9a88-46a0-99cb-449ca63ccefe._msdcs.depoel.local
* SPN found
:E3514235-4B06-11D1-AB04-00C04FC2DCD2/89d08d88-9a88-46a0-99cb-449ca63ccefe/depoel.local
* SPN found :HOST/dep-s-004.depoel.local/depoel.local
* SPN found :HOST/dep-s-004.depoel.local
* SPN found :HOST/DEP-S-004
* SPN found :HOST/dep-s-004.depoel.local/DEPOEL
* SPN found :GC/dep-s-004.depoel.local/depoel.local
......................... DEP-S-004 passed test MachineAccount
Starting test: NCSecDesc
* Security Permissions check for all NC's on DC DEP-S-004.
* Security Permissions Check for
DC=ForestDnsZones,DC=depoel,DC=local
(NDNC,Version 3)
* Security Permissions Check for
DC=DomainDnsZones,DC=depoel,DC=local
(NDNC,Version 3)
* Security Permissions Check for
CN=Schema,CN=Configuration,DC=depoel,DC=local
(Schema,Version 3)
* Security Permissions Check for
CN=Configuration,DC=depoel,DC=local
(Configuration,Version 3)
* Security Permissions Check for
DC=depoel,DC=local
(Domain,Version 3)
......................... DEP-S-004 passed test NCSecDesc
Starting test: NetLogons
* Network Logons Privileges Check
Unable to connect to the NETLOGON share! (\\DEP-S-004\netlogon)
[DEP-S-004] An net use or LsaPolicy operation failed with error 67,
Win32 Error 67.
......................... DEP-S-004 failed test NetLogons
Starting test: ObjectsReplicated
DEP-S-004 is in domain DC=depoel,DC=local
Checking for CN=DEP-S-004,OU=Domain Controllers,DC=depoel,DC=local
in domain DC=depoel,DC=local on 1 servers
Object is up-to-date on all servers.
Checking for CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
in domain CN=Configuration,DC=depoel,DC=local on 1 servers
Object is up-to-date on all servers.
......................... DEP-S-004 passed test ObjectsReplicated
Test omitted by user request: OutboundSecureChannels
Starting test: Replications
* Replications Check
* Replication Latency Check
* Replication Site Latency Check
......................... DEP-S-004 passed test Replications
Starting test: RidManager
* Available RID Pool for the Domain is 2605 to 1073741823
* dep-s-004.depoel.local is the RID Master
* DsBind with RID Master was successful
* rIDAllocationPool is 2105 to 2604
* rIDPreviousAllocationPool is 2105 to 2604
* rIDNextRID: 2105
......................... DEP-S-004 passed test RidManager
Starting test: Services
* Checking Service: EventSystem
* Checking Service: RpcSs
* Checking Service: NTDS
* Checking Service: DnsCache
* Checking Service: NtFrs
* Checking Service: IsmServ
* Checking Service: kdc
* Checking Service: SamSs
* Checking Service: LanmanServer
* Checking Service: LanmanWorkstation
* Checking Service: w32time
* Checking Service: NETLOGON
......................... DEP-S-004 passed test Services
Starting test: SystemLog
* The System Event log test
Found no errors in "System" Event log in the last 60 minutes.
......................... DEP-S-004 passed test SystemLog
Test omitted by user request: Topology
Test omitted by user request: VerifyEnterpriseReferences
Starting test: VerifyReferences
The system object reference (serverReference)
CN=DEP-S-004,OU=Domain Controllers,DC=depoel,DC=local and backlink on
CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
are correct.
The system object reference (serverReferenceBL)
CN=DEP-S-004,CN=Domain System Volume (SYSVOL share),CN=File
Replication Service,CN=System,DC=depoel,DC=local
and backlink on
CN=NTDS
Settings,CN=DEP-S-004,CN=Servers,CN=Default-First-Site,CN=Sites,CN=Configuration,DC=depoel,DC=local
are correct.
......................... DEP-S-004 passed test VerifyReferences
Test omitted by user request: VerifyReplicas
Test omitted by user request: DNS
Test omitted by user request: DNS
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test
CrossRefValidation
Running partition tests on : depoel
Starting test: CheckSDRefDom
......................... depoel passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... depoel passed test CrossRefValidation
Running enterprise tests on : depoel.local
Test omitted by user request: DNS
Test omitted by user request: DNS
Starting test: LocatorCheck
GC Name: \\dep-s-dc.depoel.local
Locator Flags: 0xe00001fc
PDC Name: \\dep-s-004.depoel.local
Locator Flags: 0xe00013fd
Time Server Name: \\dep-s-dc.depoel.local
Locator Flags: 0xe00001fc
Preferred Time Server Name: \\dep-s-dc.depoel.local
Locator Flags: 0xe00001fc
KDC Name: \\dep-s-dc.depoel.local
Locator Flags: 0xe00001fc
......................... depoel.local passed test LocatorCheck
See this one, even though it states it is for 2000:
http://support.microsoft.com/kb/257338
It seems this one is for 2003:
http://windowsitpro.com/article/articleid/79572/jsi-tip-7394-how-do-i-troubleshoot-missing-sysvol-and-netlogon-shares-on-windows-server-2003-domain-controllers.html
Best regards
Meinolf Weber
> PART 3
repadmin /showreps %upstreamcomputer%
repadmin /showreps %downstreamcomputer%
fails on both servers with the following error.
[d:\nt\ds\ds\src\util\repadmin\repbind.c, 154] LDAP error 81 (Server Down)
Win32 Err 58.
Please check the system time:
run on the problem DC:
net time \\ComputerName_Of_Authoritative_Time_Server /set /y
net stop ntfrs
net start ntfrs
Additionally, check permissions:
Corrupted permissions on the Sysvol share or any of the objects below it
can cause this error. The ACL should include full access for Administrators,
Creator/Owner and system, read for server operators and authenticated users.
The ownership on these folders and files may also become corrupt and have
to be reset to Administrators.
Then go on here for the event id's:
http://technet.microsoft.com/en-us/library/bb727056.aspx
Best regards
Meinolf Weber
> I have been through all the tests and everything looks ok apart from
completed the net time but nothing changed. All permissions are correct and
owners are correct for sysvol.
I have been through the guide mentioned; that's the first place I originally
started.
The section I focused on was "Troubleshooting FRS Events 13508 without FRS
Event 13509" as this is the event I get most.
I have gone through everything and everything has passed. The only thing I
need to check is if it's being blocked by a firewall. Is there a way to test
this?
dep-s-004 has Windows Firewall running but has "File Replication" as an
exception. I am assuming this is ntfrs. When I open Windows Firewall on
dep-s-dc I get the following: "Windows Firewall cannot run because another
program or service is running that might use the network address translation
component (Ipnat.sys)". I am assuming it is not blocking anything.
Does ntfrs use port 389??
See symptom 5-7 from this:
http://support.microsoft.com/kb/555381
Best regards
Meinolf Weber
> Hi Meinolf,
I am currently looking into the possibility that it may be the firewall on
dep-s-dc. The problem is I can't configure it as it is an RRAS server as
well. So I am going to get another RRAS server up and running and disable it
on dep-s-dc. Then configure the firewall and hopefully everything will work.
I will keep you posted.
Thanks for all the help, you have been great support.