
GPO problems... is not syncing correctly with remote dc 1


reynolwi

IS-IT--Management
Sep 7, 2006
452
US
I have tried to create GPOs on the Primary DC (holds all FSMO roles), which is here at corporate, and even created them on the remote domain controller, but no matter what, the remote domain controller is not showing the correct information.

I can go in and look at the GPOs and it's not showing settings or anything on some. The one I created locally is showing only 1 thing I did in it. If I try to open it on the DC here at corporate I get an error message saying it failed to open.

It's almost like something isn't syncing up right. I've looked in the event logs on the remote server and all I'm finding really is what I have shown below.

Event Type: Error
Event Source: AutoEnrollment
Event Category: None
Event ID: 13
Date: 1/21/2008
Time: 4:36:24 PM
User: N/A
Computer: Server2
Description:
Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.


Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date: 1/21/2008
Time: 5:11:45 PM
User: N/A
Computer: server2
Description:
The File Replication Service is having trouble enabling replication from Server1 to Server2 for c:\windows\sysvol\domain using the DNS name server1.domain.net. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name server1.domain.net from this computer.
[2] FRS is not running on txcs1.rrwds.net.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.


Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
When I go to edit the GPOs I made on the remote domain controller on the local domain controller, it tells me I can't access it because I don't have permission.

What is happening here?


Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
You can ignore the cert enrollment pretty much for this problem.

FRS is your issue, since that is the way that GPOs are replicated.

First things to check are, as it says: is the FRS service actually running?
Can you resolve the FQDN of each server from the other?

Has somebody possibly blocked the RPC ports between the servers with a firewall, say?

Are password changes on one DC replicating to the other OK?

Neill
 
Everything seems to be replicating back and forth. I can see the GPOs on both servers, but the remote one doesn't show any details at all about the GPO if you look at the Settings tab. It says "no settings defined" on all the ones that I created on the main AD server back at corporate. The one thing I did notice that was kind of strange, and I meant to look at it again today, is that on the remote server, when I created the GPOs locally, it took a long time to populate the settings into the Settings tab, and none of the local clients for that remote AD server were loading that GPO either. It's like it doesn't exist, but it does populate back to the main AD server, except the main server is denied access to it when I try to edit it.

Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
Possibly a cheeky question, but did you change the target DC for the GPO editor? If memory serves, it always defaults to the PDC emulator, even on another DC, unless you change it manually.

Memory might not serve of course. :)

Neill
 
I did change it, because, as I was explaining, the remote DC was not showing any settings in any pre-existing GPO and the clients were not loading any GPO. I switched the GPO editor to point to the remote DC and created GPOs there for those local clients, and still no luck. It's like that DC is having problems processing GPOs, and I'm not sure why, because it's replicating AD info just fine and I'm not seeing errors in AD replication. I've used Replication Monitor and checked, and it's all replicating fine, and I've looked for errors in FRS and don't see any. The remote DC is processing a security policy, because it's being applied, as I can see the post in the application log. In the app log I just see those AutoEnrollment errors. Now, DFS has been installed recently, and I know the DFS replication service is running on the DC, because I was trying to make it a file server as well for that location and to replicate data to the standalone file server we have here at corporate, but that was a failure because I can't get it to replicate or give me access when I set it up.

I can translate and ping the FQDN of both servers, so DNS and WINS are running. The remote DC is an AD, GC, DNS, WINS, DHCP, and was hoping to be a file server, but I can't get the GPO to function to point to shared directories on this computer, nor can I get DFS replication to run.

Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
What do dcdiag and netdiag say about this?



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
On DC1 try:
nslookup dc1
and
nslookup dc2

then on DC2 try:
nslookup dc2
and
nslookup dc1

Do not do nslookup dcX.domain.net.

Report the results; I want to see if the servers are correctly resolving themselves and each other.

Also, start and/or restart the "File Replication" service on both servers.




RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
OK, when I do that from the DC here at corporate, which holds all the roles, this is what I get...

nslookup dc1
server: dc1.domain.net
address: 10.25.18.10

name: dc1.domain.net
address: 10.25.18.10


nslookup dc2
server: dc1.domain.net
address: 10.25.18.10

name: dc2.domain.net
address: 10.25.19.10


That's not right, is it? I couldn't test DC2 because I lost the tunnel for some reason and I can't get in remotely, so I'm thinking I have an internet issue; I can't explain why, because we haven't had an issue in almost 4 months and haven't had a VPN issue in 5 months.

Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
DC1 looks good for DNS lookups; I would still like to see DC2's response to the nslookups. Don't forget to start or restart the "File Replication" service on both servers. Did you set up multiple sites in Sites and Services, or are you running out of one site?



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 
I'm working on getting the tunnel back up; it is a connectivity issue with our cable provider... I have it set in 2 different sites and I will be adding a 3rd site to the mix here in the next month. I'll post back with DC2's nslookup here, hopefully tonight.

Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
OK, now that I have everything up and running again. It wasn't the ISP; it was a bad connection between the switch and the punchblock.... Anyway,

the remote server shows the following in nslookup:

dc2
server: dc1.domain.net
address: 10.25.18.10

name: dc2.domain.net
address: 10.25.19.10

I restarted the File Replication service on both, and I'll check the GPOs on both servers, see if anything changed, and report that back as well tomorrow.


Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
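A scripted version of the checks asked for earlier in the thread (Neill's "is FRS running, do the FQDNs resolve, are the RPC ports blocked" and RoadKi11's short-name nslookup test), added here as an example and not code posted by anyone in the thread. It assumes Windows PowerShell 4 or later on either DC or on a management host that uses the same DNS servers (Test-NetConnection needs 4+). The dc1/dc2 names and the 10.25.18.10/10.25.19.10 addresses are the ones the thread reports; $expected is a constructed table of those answers.

```powershell
# Added example, not from the thread. Reproduces the manual checks above:
#  - each DC resolves itself and its peer by SHORT name (suffix search list in play)
#  - the NtFrs service is running on both DCs
#  - TCP 135 (RPC endpoint mapper) is reachable, which a firewall between DCs would block
$expected = @{ 'dc1' = '10.25.18.10'; 'dc2' = '10.25.19.10' }   # constructed from the nslookup output in the thread

function Test-DcResolution {
    param([hashtable]$Expected)
    foreach ($name in $Expected.Keys) {
        $result = [pscustomobject]@{ Name = $name; Fqdn = $null; Addresses = $null; Expected = $Expected[$name]; Ok = $false }
        try {
            # Short name on purpose: this exercises the DNS suffix search list the same
            # way 'nslookup dc1' does, which 'nslookup dc1.domain.net' would skip.
            $entry = [System.Net.Dns]::GetHostEntry($name)
            $v4 = @($entry.AddressList |
                    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                    ForEach-Object { $_.IPAddressToString })
            $result.Fqdn      = $entry.HostName
            $result.Addresses = $v4 -join ','
            $result.Ok        = ($v4 -contains $Expected[$name])
        } catch {
            # A failed lookup is reason [1] of event 13508: FRS cannot resolve the partner.
            $result.Addresses = "lookup failed: $($_.Exception.Message)"
        }
        $result
    }
}

function Test-FrsPrerequisites {
    param([string[]]$Computers)
    foreach ($c in $Computers) {
        $svc = Get-Service -Name NtFrs -ComputerName $c -ErrorAction SilentlyContinue
        $rpc = Test-NetConnection -ComputerName $c -Port 135 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Computer   = $c
            FrsStatus  = if ($svc) { $svc.Status } else { 'service not found' }   # reason [2] of event 13508
            RpcPort135 = $rpc                                                     # $false points at a firewall between the DCs
        }
    }
}

Test-DcResolution -Expected $expected | Format-Table -AutoSize
Test-FrsPrerequisites -Computers $expected.Keys | Format-Table -AutoSize
```

Run it once from each DC, as RoadKi11 asks, because the suffix search list and the DNS server list are per-host settings; a row with Ok = False or FrsStatus other than Running is the first thing to chase before looking at the replication topology.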
 
OK, the DC here at corporate just showed this FRS error...


Event Type: Error
Event Source: NtFrs
Event Category: None
Event ID: 13568
Date: 1/26/2008
Time: 12:02:34 AM
User: N/A
Computer: DC1
Description:
The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

Replica set name is : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
Replica root path is : "c:\windows\sysvol\domain"
Replica root volume is : "\\.\C:"
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.

[1] Volume "\\.\C:" has been formatted.
[2] The NTFS USN journal on volume "\\.\C:" has been deleted.
[3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
[4] File Replication Service was not running on this computer for a long time.
[5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
[1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
[2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.

WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.

To change this registry parameter, run regedit.

Click on Start, Run and type regedit.

Expand HKEY_LOCAL_MACHINE.
Click down the key path:
"System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
"Enable Journal Wrap Automatic Restore"
and update the value.

If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

For more information, see Help and Support Center at *****

and the remote DC is showing this...

Event Type: Warning
Event Source: NtFrs
Event Category: None
Event ID: 13508
Date: 1/26/2008
Time: 12:01:43 AM
User: N/A
Computer: DC2
Description:
The File Replication Service is having trouble enabling replication from DC1 to DC2 for c:\windows\sysvol\domain using the DNS name dc1.domain.net. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name dc1.domain.net from this computer.
[2] FRS is not running on dc1.domain.net.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

For more information, see Help and Support Center at Data:
0000: d5 04 00 00 Õ...



Does this give any insight?


Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
OK, I'm thinking I might have a slightly bigger problem. I went to add back the remote DC into Exchange System Manager, because I've been having problems with Exchange becoming unresponsive and it was suggested to add the other DC back in. Well, I can't get it to add to the Domain Controller tab in Exchange System Manager. It keeps saying it cannot locate it and to check the name and try again. I can add it as a Global Catalog server, but it cannot locate it when I try to add it as a domain controller.



Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
I would try fixing the JRNL_WRAP_ERROR on DC1 as it states: set the "Enable Journal Wrap Automatic Restore" registry parameter to 1.

Click on Start, Run and type regedit.

Expand HKEY_LOCAL_MACHINE.
Click down the key path:
"System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
"Enable Journal Wrap Automatic Restore"
and update the value.

If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.


Restart the "File Replication" service on DC1, then check the NtFrs event logs; you should see some events similar to these:

Event ID: 13553 which says something like this:
The File Replication Service successfully added this computer to the following replica set:
"DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"

Event ID: 13516 which says:
The File Replication Service is no longer preventing the computer DC1 from becoming a domain controller. The system volume has been successfully initialized and the Netlogon service has been notified that the system volume is now ready to be shared as SYSVOL.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
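The recovery RoadKi11 describes above, together with a way to tell from the pasted events which DC actually needs it, as one script. This is an added example and not code from the thread. It assumes Windows PowerShell 3 or later, run elevated on a DC that still replicates SYSVOL with FRS, with rights to read the event logs of both DCs; the dc1/dc2 names, the registry key and value name, and event IDs 13508, 13568, 13553 and 13516 are all taken from the thread.

```powershell
# Added example, not from the thread. Three steps the thread does by hand:
#  1. find which DC logs 13568 (JRNL_WRAP_ERROR) versus 13508 (cannot replicate from partner)
#  2. on the DC that hit the journal wrap, set the automatic-restore flag, restart FRS,
#     and wait for 13553 + 13516, which RoadKi11 says confirm success
#  3. set the flag back to 0, as the WARNING in the 13568 event text advises
$dcs  = @('dc1', 'dc2')                                               # names from the thread
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters'   # key path quoted in the event
$name = 'Enable Journal Wrap Automatic Restore'                       # value name quoted in the event

function Get-FrsProblemEvents {
    param([string[]]$Computers, [int]$Days = 7)
    foreach ($c in $Computers) {
        Get-EventLog -ComputerName $c -LogName 'File Replication Service' -Source NtFrs `
                     -After (Get-Date).AddDays(-$Days) -ErrorAction SilentlyContinue |
            Where-Object { $_.EventID -in 13508, 13568 } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $c
                    Time     = $_.TimeGenerated
                    EventID  = $_.EventID
                    # Only the journal wrap needs the registry fix; 13508 on the partner
                    # is usually the downstream symptom of it.
                    Meaning  = if ($_.EventID -eq 13568) { 'JRNL_WRAP_ERROR (fix on this host)' } else { 'cannot enable replication from partner' }
                }
            }
    }
}

function Set-JournalWrapAutoRestore {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $key)) { throw "NtFrs parameters key not found; FRS is not installed on this host." }
    # -Force creates the DWORD if it is missing and overwrites it if it exists.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Wait-FrsRecovery {
    param([int]$TimeoutMinutes = 30)
    $since    = Get-Date
    $deadline = $since.AddMinutes($TimeoutMinutes)
    $wanted   = @(13553, 13516)   # re-added to replica set; SYSVOL initialised and ready to share
    while ((Get-Date) -lt $deadline) {
        $seen = @(Get-EventLog -LogName 'File Replication Service' -Source NtFrs -After $since -ErrorAction SilentlyContinue |
                  Where-Object { $_.EventID -in $wanted })
        if (@($seen | Select-Object -ExpandProperty EventID -Unique).Count -eq $wanted.Count) { return $seen }
        Start-Sleep -Seconds 60    # FRS polls every 5 minutes, so the full cycle takes a while
    }
    throw "Did not see both 13553 and 13516 within $TimeoutMinutes minutes; inspect the NtFrs log before doing anything else."
}

# Step 1: overview of both DCs, then decide whether THIS host is the one in journal wrap.
Get-FrsProblemEvents -Computers $dcs | Sort-Object Time | Format-Table -AutoSize
$localWrap = Get-FrsProblemEvents -Computers $env:COMPUTERNAME | Where-Object { $_.EventID -eq 13568 }

if ($localWrap) {
    # Step 2: enable automatic restore and restart FRS (same as 'net stop ntfrs' / 'net start ntfrs').
    Set-JournalWrapAutoRestore -Value 1
    Restart-Service -Name NtFrs -Force
    try {
        Wait-FrsRecovery | Format-Table TimeGenerated, EventID -AutoSize
    } finally {
        # Step 3: back to 0, so a future journal wrap gets investigated instead of
        # silently taking SYSVOL offline during an automatic full tree sync.
        Set-JournalWrapAutoRestore -Value 0
    }
} else {
    Write-Host "No 13568 on $env:COMPUTERNAME in the last 7 days; run this on the DC that logged it."
}
```

The try/finally matters: the 13568 event text says the tree is unavailable while the replica is deleted and re-added, so leaving the flag at 1 would let the next journal wrap repeat that outage without anyone choosing to.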
 
Wow... I don't know why that happened, but now the remote DC is actually showing the GPO information and it's all replicating correctly. Thanks...

Now if anyone can tell me why I can't get DFS replication to work, I'll be even happier. It keeps telling me I don't have permission to open the folder, through the share or on the local computer. Do I have to have 3 servers set up to do replication, or can I not just do 2? I'm trying to do my file server here at corporate and the remote DC, because it's also the file server.

Wm. Reynolds
RRWDS | TxPSS


- - - - - - - - - - - - -
Network Error:
Hit any user to continue
 
Well, I'm not totally up to speed with DFS. I glanced back through the thread and I don't see if you stated what version of 2k3 you are running. Are you running 2k3 R2 on both servers, and if so, did you install disc 2 of the media on both servers? I would probably start a new thread, as this seems to be a different issue than the one we just resolved.



RoadKi11

"This apparent fear reaction is typical, rather than try to solve technical problems technically, policy solutions are often chosen." - Fred Cohen
 