Problem with sysvol replication, need help!

Status
Not open for further replies.

intelwizrd

IS-IT--Management
Dec 20, 2002
263
US
I'm not sure where to start with this.

We have a w2k adv server running Active Directory services that has been our domain controller for a couple of years. I have recently added a 2003 server (enterprise) to the domain and promoted it to a DC. Everything appeared to be going ok but when I tried to demote our old domain controller (I am trying to replace the domain controller with the new 2003 server) I noticed that the sysvol info was not being replicated. Here are some of the error messages I have been seeing.
For clarification, server1 = w2k adv srv; server2 = w2k3 ent
==========================================
Source: NTFRS
Event ID: 13568
Computer: Server1
The File Replication Service has detected that the replica set "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)" is in JRNL_WRAP_ERROR.

Replica set name is : "DOMAIN SYSTEM VOLUME (SYSVOL SHARE)"
Replica root path is : "c:\winnt\sysvol\domain"
Replica root volume is : "\\.\C:"
A Replica set hits JRNL_WRAP_ERROR when the record that it is trying to read from the NTFS USN journal is not found. This can occur because of one of the following reasons.

[1] Volume "\\.\C:" has been formatted.
[2] The NTFS USN journal on volume "\\.\C:" has been deleted.
[3] The NTFS USN journal on volume "\\.\C:" has been truncated. Chkdsk can truncate the journal if it finds corrupt entries at the end of the journal.
[4] File Replication Service was not running on this computer for a long time.
[5] File Replication Service could not keep up with the rate of Disk IO activity on "\\.\C:".
Setting the "Enable Journal Wrap Automatic Restore" registry parameter to 1 will cause the following recovery steps to be taken to automatically recover from this error state.
[1] At the first poll, which will occur in 5 minutes, this computer will be deleted from the replica set. If you do not want to wait 5 minutes, then run "net stop ntfrs" followed by "net start ntfrs" to restart the File Replication Service.
[2] At the poll following the deletion this computer will be re-added to the replica set. The re-addition will trigger a full tree sync for the replica set.

WARNING: During the recovery process data in the replica tree may be unavailable. You should reset the registry parameter described above to 0 to prevent automatic recovery from making the data unexpectedly unavailable if this error condition occurs again.

To change this registry parameter, run regedit.

Click on Start, Run and type regedit.

Expand HKEY_LOCAL_MACHINE.
Click down the key path:
"System\CurrentControlSet\Services\NtFrs\Parameters"
Double click on the value name
"Enable Journal Wrap Automatic Restore"
and update the value.

If the value name is not present you may add it with the New->DWORD Value function under the Edit Menu item. Type the value name exactly as shown above.

========================================
Source: NTFRS
Event ID: 13508
Computer: Server2

The File Replication Service is having trouble enabling replication from Server1 to Server2 for c:\windows\sysvol\domain using the DNS name server1.mydomain. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name server1.mydomain from this computer.
[2] FRS is not running on server1.mydomain.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

==========================================

Source: NTFRS
Event ID: 13508
Computer: Server2

The File Replication Service is having trouble enabling replication from \\server1.mydomain to server2 for c:\windows\sysvol\domain using the DNS name \\server1.mydomain. FRS will keep retrying.
Following are some of the reasons you would see this warning.

[1] FRS can not correctly resolve the DNS name \\server1.mydomain from this computer.
[2] FRS is not running on \\server1.mydomain.
[3] The topology information in the Active Directory for this replica has not yet replicated to all the Domain Controllers.

This event log message will appear once per connection, After the problem is fixed you will see another event log message indicating that the connection has been established.

==========================================
Source: NTFRS
Event ID: 13565
Computer: Server2

File Replication Service is initializing the system volume with data from another domain controller. Computer Server2 cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.

To check for the SYSVOL share, at the command prompt, type:
net share

When File Replication Service completes the initialization process, the SYSVOL share will appear.

The initialization of the system volume can take some time. The time is dependent on the amount of data in the system volume, the availability of other domain controllers, and the replication interval between domain controllers.

For more information, see Help and Support Center at
=====================================================

I did not set up the DC (server1) so I am not sure if something was missed. Is this just an issue with 2000 and 2003 or am I missing something else? This is all I am working on at the moment and any help is appreciated. I have installed the resource kits for the servers so if you would like to see some of the info from the debugging/troubleshooting tools, just let me know.

Thanks again for your help as this is driving me crazy and as usual M$ isn't a big help.

Josh
 
Looks like I fixed the problem, well at least with the replication issue. I figured out how to reset it and it took. No problems since. Now if I can only figure out the DNS problems I would be set, but that is another forum.

Cheers
 
Boy are you lucky, I just documented this for my company. Our circumstance was that one DC was not replicating just like yours is. The thing is this however, you will need to bring your 2K3 box OUT of the domain to resolve the issue.
Below is the documentation I put together for my company.
**********************************************************

It is important to identify which DC holds the most recent updates of AD. Check for recently created objects such as users or groups or machine accounts. When removing the DC from the domain, any objects that only exist on this server will be lost.

As a naming convention this document will refer to ServerGood and ServerBad where ServerGood is the DC that will remain in the domain and ServerBad is the DC to be removed.

1. Identify the bad server (ServerBad)
2. On ServerBad stop the NTFRS service and KDC Service.
3. On ServerBad run KerbTray resource kit utility and delete the Kerberos Certificates.
4. On ServerGood, run Netdom Query FSMO and check for FSMO ownership. Attempt to transfer all roles to ServerGood using AD Users and Computers
5. If you are unable to transfer roles, seize all 5 FSMO roles.
   Note: Only seize the FSMO roles to the remaining Active Directory domain controllers if you are removing the FSMO role holder from the domain or forest.

   To seize or transfer the FSMO roles by using Ntdsutil, follow these steps:
   1. On any domain controller, click Start, click Run, type ntdsutil in the Open box, and then click OK.
      Note: Microsoft recommends that you use the domain controller that is taking the FSMO roles.
   2. Type roles, and then press ENTER.
      To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
   3. Type connections, and then press ENTER.
   4. Type connect to server servername, where servername is the name of the server you want to use, and then press ENTER.
   5. At the server connections: prompt, type q, and then press ENTER again.
   6. Type seize role, where role is the role you want to seize. For a list of roles that you can seize, type ? at the Fsmo maintenance: prompt, and then press ENTER, or consult the list of roles at the beginning of this article. For example, to seize the RID Master role, you would type seize rid master. The one exception is for the PDC Emulator role, whose syntax would be "seize pdc" and not "seize pdc emulator".

      Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server.

      Microsoft recommends that you only seize all roles when the other domain controller is not returning to the domain, otherwise fix the broken domain controller with the roles.

      Note: If the domain controller that formerly held any FSMO role is not present in the domain and if it has had its roles seized by the earlier steps in this article, remove it from the Active Directory by following the procedure that is outlined in the following Microsoft Knowledge Base article: For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
      216498 HOW TO: Remove Data in Active Directory After an Unsuccessful Domain Controller Demotion
      If the original domain controller with the FSMO roles is still online, transfer the roles. Type transfer role.
   7. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
      Note: Do not put the Infrastructure Master role on the same domain controller as the global catalog.

   To check if a domain controller is also a global catalog server:
   1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
   2. Double-click Sites in the left pane, and then browse to the appropriate site or click Default-first-site-name if no other sites are available.
   3. Open the Servers folder, and then click the domain controller.
   4. In the domain controller's folder, double-click NTDS Settings.
   5. On the Action menu, click Properties.
   6. On the General tab, locate the Global Catalog check box to see if it is selected.

6. Reboot ServerBad and verify that you can successfully log in under Active Directory Restore Mode.
7. On ServerBad run DCPROMO /FORCEREMOVAL
Refer to MSKB 332199 for additional details if needed.
8. ServerBad should now be in a workgroup.
9. On ServerGood, execute the MetaCleaner.vbs script and select the ServerBad computer name to delete it from the metabase.
Note: if MetaCleaner.vbs is unavailable you can follow MSKB 216498.
10. Launch the MMC and add the ADSIEdit snap-in.
   Remove ServerBad from everything
   Now that the NTDS Settings object has been deleted, you can delete the computer account, the FRS member object, the cname (or Alias) record in the _msdcs container, the A (or Host) record in DNS, the trustDomain object for a deleted child domain, and the domain controller.
   1. Use ADSIEdit to delete the computer account. To do this, follow these steps:
      a. Start ADSIEdit.
      b. Expand the Domain NC container.
      c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
      d. Expand OU=Domain Controllers.
      e. Right-click CN=domain controller name, and then click Delete.
      Note: you may need to expand the object and manually delete child objects to delete the computer account if you receive a message that you have insufficient rights to delete the computer account.
      If you receive the "DSA object cannot be deleted" error when you try to delete the object, change the UserAccountControl value. To change the UserAccountControl value, right-click the domain controller in ADSIEdit, and then click Properties. Under Select a property to view, click UserAccountControl. Click Clear, change the value to 4096, and then click Set. You can now delete the object.

      Note: The FRS subscriber object is deleted when the computer object is deleted because it is a child of the computer account.
   2. Use ADSIEdit to delete the FRS member object. To do this, follow these steps:
      a. Start ADSIEdit.
      b. Expand the Domain NC container.
      c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
      d. Expand CN=System.
      e. Expand CN=File Replication Service.
      f. Expand CN=Domain System Volume (SYSVOL share).
      g. Right-click the domain controller you are removing, and then click Delete.
   3. In the DNS console, use the DNS MMC to delete the A record in DNS. The A record is also known as the Host record. To delete the A record, right-click the A record, and then click Delete. Also delete the cname (also known as the Alias) record in the _msdcs container. To do so, expand the _msdcs container, right-click the cname, and then click Delete.

      Important: If this was a DNS server, remove the reference to this DC under the Name Servers tab. To do this, in the DNS console, click the domain name under Forward Lookup Zones, and then remove this server from the Name Servers tab.

      Note: If you have reverse lookup zones, also remove the server from these zones.
   4. If the deleted computer was the last domain controller in a child domain and the child domain was also deleted, use ADSIEdit to delete the trustDomain object for the child. To do this, follow these steps:
      a. Start ADSIEdit.
      b. Expand the Domain NC container.
      c. Expand DC=Your Domain, DC=COM, PRI, LOCAL, NET.
      d. Expand CN=System.
      e. Right-click the Trust Domain object, and then click Delete.
   5. Use Active Directory Sites and Services to remove the domain controller. To do this, follow these steps:
      a. Start Active Directory Sites and Services.
      b. Expand Sites.
      c. Expand the server's site. The default site is Default-First-Site-Name.
      d. Expand Server.
      e. Right-click the domain controller, and then click Delete.
11. Remove all references to ServerBad in DNS forward and reverse lookup zones.
12. Verify that ServerBad does not exist in AD Users and Computers.
13. It is now safe to have ServerBad rejoin the domain and use DCPROMO to make it a DC again if needed.

' ==========================================================
' GUI Metadata Cleanup Utility
' Written By Clay Perrine - clayp@microsoft.com
' Version 2.1


on error resume next
dim objRoot,oDC,sPath,outval,oDCSelect,objConfiguration,objContainer,errval,ODCPath,ckdcPath,myObj
set objRoot=GetObject("LDAP://RootDSE")
' List the domain controllers and ask which one to remove
sPath = "LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sPath)
For Each objContainer in objConfiguration
    outval = outval & vbtab & objContainer.Name & VBCRLF
Next
outval = Replace(outval, "CN=", "")
oDCSelect= InputBox (outval,"Type the Name of the Problem Domain Controller","")
' Check that the typed name exists under OU=Domain Controllers
sPath = "LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sPath)
For Each objContainer in objConfiguration
    Err.Clear
    ckdcPath = "LDAP://" & "CN=" & oDCSelect & ",OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
    set myObj=GetObject(ckdcPath)
    If err.number <>0 Then
        errval= 1
    End If
Next
If errval = 1 then
    msgbox "The Domain Controller you entered was not found in the Active Directory",,"Metadata Cleanup Utility Error."
    wscript.quit
End If
' 4404 = Yes/No buttons + exclamation icon + second button default + system modal; 6 = Yes
abort = msgbox ("You are about to remove all metadata for the server " & oDCSelect & "! Are you sure?",4404,"WARNING!!")
if abort <> 6 then
    msgbox "Metadata Cleanup Aborted.",,"Metadata Cleanup Utility Error."
    wscript.quit
end if
oDCSelect = "CN=" & oDCSelect
ODCPath ="LDAP://" & oDCselect & ",OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
' Find the server object under CN=Servers in whichever site holds it
sSitelist = "LDAP://CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sSitelist)
For Each objContainer in objConfiguration
    Err.Clear
    sitePath = "LDAP://" & oDCSelect & ",CN=Servers," & objContainer.Name & ",CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
    set myObj=GetObject(sitePath)
    If err.number = 0 Then
        siteval = sitePath
    End If
Next
' Find the FRS member object for the SYSVOL replica set
sFRSSysvolList = "LDAP://CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sFRSSysvolList)
For Each objContainer in objConfiguration
    Err.Clear
    SYSVOLPath = "LDAP://" & oDCSelect & ",CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & objRoot.Get("defaultNamingContext")
    set myObj=GetObject(SYSVOLPath)
    If err.number = 0 Then
        SYSVOLval = SYSVOLPath
    End If
Next
' Walk every site and DC, deleting connection objects whose fromServer is the selected DC
SiteList = Replace(sSitelist, "LDAP://", "")
VarSitelist = "LDAP://CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
Set SiteConfiguration = GetObject(VarSitelist)
For Each SiteContainer in SiteConfiguration
    Sitevar = SiteContainer.Name
    VarPath ="LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
    Set DCConfiguration = GetObject(VarPath)
    For Each DomContainer in DCConfiguration
        DCVar = DomContainer.Name
        strFromServer = ""
        NTDSPATH = DCVar & ",CN=Servers," & SiteVar & "," & SiteList
        GuidPath = "LDAP://CN=NTDS Settings,"& NTDSPATH
        Set objCheck = GetObject(NTDSPATH)
        For Each CheckContainer in objCheck
            Err.Clear
            set exists=GetObject("LDAP://" & NTDSPATH)
            If err.number = 0 Then
                Set oGuidGet = GetObject(GuidPath)
                For Each objContainer in oGuidGet
                    oGuid = objContainer.Name
                    oGuidPath = "LDAP://" & oGuid & ",CN=NTDS Settings," & NTDSPATH
                    Set objSitelink = GetObject(oGuidPath)
                    objSiteLink.GetInfo
                    strFromServer = objSiteLink.Get("fromServer")
                    ispresent = Instr(1,strFromServer,oDCSelect,1)
                    if ispresent <> 0 then
                        Set objReplLinkVal = GetObject(oGuidPath)
                        objReplLinkVal.DeleteObject(0)
                    end if
                next
            End If
        next
    next
next
' Set userAccountControl to 4096 so the computer account can be deleted
Set AccountObject = GetObject(ckdcPath)
temp=Accountobject.Get ("userAccountControl")
AccountObject.Put "userAccountControl", "4096"
AccountObject.SetInfo
' Delete the FRS member object, the computer account and the server object in the site
Set objFRSSysvol = GetObject(SYSVOLval)
objFRSSysvol.DeleteObject(0)
Set objComputer = GetObject(ckdcPath)
objComputer.DeleteObject(0)
Set objConfig = GetObject(siteval)
objConfig.DeleteObject(0)
oDCSelect = Replace(oDCSelect, "CN=", "")
msgval = "Metadata Cleanup Completed for " & oDCSelect
msgbox msgval,,"Notice."
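
Added example (not part of the original post or of the Microsoft script above): a read-only VBScript check that reports which of the objects the cleanup procedure deletes still exist for a named DC, for use before the cleanup and again at step 12. The file name CheckDcRemnants.vbs, its command-line argument and the helper names are assumptions; it reads configurationNamingContext from RootDSE instead of building the Configuration DN from the domain DN.

```vbscript
' Added example: read-only report of directory objects that still reference a DC.
' Usage (assumed file name): cscript //nologo CheckDcRemnants.vbs ServerBad
Option Explicit
Dim dcName, rootDse, domainNC, configNC, sites, site, found

If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: cscript //nologo CheckDcRemnants.vbs <DC name>"
    WScript.Quit 2
End If
dcName = WScript.Arguments(0)
found = 0

Set rootDse = GetObject("LDAP://RootDSE")
domainNC = rootDse.Get("defaultNamingContext")
' configurationNamingContext is also correct when run in a child domain
configNC = rootDse.Get("configurationNamingContext")

Report "Computer account", "CN=" & dcName & ",OU=Domain Controllers," & domainNC
Report "FRS member object", "CN=" & dcName & _
    ",CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & domainNC

Set sites = GetObject("LDAP://CN=Sites," & configNC)
sites.Filter = Array("site")   ' skip CN=Subnets and CN=Inter-Site Transports
For Each site In sites
    Report "Server object", "CN=" & dcName & ",CN=Servers," & site.Name & ",CN=Sites," & configNC
    CheckConnections "CN=Servers," & site.Name & ",CN=Sites," & configNC
Next

If found = 0 Then WScript.Echo "No references to " & dcName & " found."
WScript.Quit found   ' exit code = number of leftover objects

' Bind to a DN; returns Nothing instead of raising when the object does not exist
Function TryGet(dn)
    Set TryGet = Nothing
    On Error Resume Next
    Set TryGet = GetObject("LDAP://" & dn)
    On Error GoTo 0
End Function

Sub Report(label, dn)
    If Not TryGet(dn) Is Nothing Then
        found = found + 1
        WScript.Echo "STILL PRESENT  " & label & ": " & dn
    End If
End Sub

' Flag connection objects on other DCs whose fromServer is the removed DC
Sub CheckConnections(serversDn)
    Dim servers, server, ntds, conn
    Set servers = TryGet(serversDn)
    If servers Is Nothing Then Exit Sub
    For Each server In servers
        Set ntds = TryGet("CN=NTDS Settings," & server.Name & "," & serversDn)
        If Not ntds Is Nothing Then
            ntds.Filter = Array("nTDSConnection")
            For Each conn In ntds
                If InStr(1, conn.Get("fromServer"), ",CN=" & dcName & ",", vbTextCompare) > 0 Then
                    found = found + 1
                    WScript.Echo "STILL PRESENT  Connection object: " & conn.Name & _
                        ",CN=NTDS Settings," & server.Name & "," & serversDn
                End If
            Next
        End If
    Next
End Sub
```

The check only binds to and reads objects; DNS records still have to be checked in the DNS console as the procedure describes.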
 
That must have been a pain and a half. Actually I just recently figured out what was causing the problem and it was something I forgot to think of. About a couple of weeks or so ago I did a test add of a 2003 server to the domain and promoting it and such. Went fine except my cleanup/removal of the server was less than graceful and for about a week or so, the PDC had been trying to replicate information to a server that was no longer on the network. *smacks self in back of head* Well, that will teach me. Anyway, after I cleaned up the metabase and jumpstarted the replication, everything else is working perfectly. Was able to let the system replicate the sysvol info and the global catalog and it cleared up the DNS issues as well.

I think just for your headache you get a star and I'm going to bookmark this just in case I need it if we change out servers or add new ones again.

Cheers
 
Thanks for the star. The script at the end there was written by someone in Microsoft and it makes removal from the metabase a very simple matter. You launch it and it tells you what DC's it knows about and asks which one you want to remove. It then wipes it out for you in a second. VERY BIG TIME SAVE.
 