Domain Controller Issues

    Question

  • We had a domain controller go out on us when the Molex connectors to the hard drives burned up. I have been working on this for a couple of weeks now. I was told that this sort of event can cause AD to become corrupted. I did not think this was a big deal at the time, though, as we have a total of 5 DCs on the 2008 R2 domain. The domain originally was a 2003 R2 domain and has been upgraded with new servers. Now it is all 2008 R2 servers, with the new one 2012.

    The problem began when we replaced the hardware and set it up to replace the domain controller. When I got the new DC ready to add to the domain, something went wrong. It looked like it was working correctly at first. DNS and AD were replicating fine. But none of my policies from GP were running. We map network drives using GP; they never mapped. Then I found out that the Netshare and SysVol shares were not there.

    I ran DCDiag on the new DC and got an error stating that the new DC was not advertising, nor was it able to find the NetShare and SysVol shares. I have attempted to force replication, but it did not work. I tried to recreate the NetShare and Sysvol folders using the BurFlags fix, but that did not work. The registry key this called for was "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets\GUID".

    I tried to use a link that had instructions for the process, but I got stopped when it wanted me to run Linkd, as the system did not recognize the command.

    I have since taken that DC off the domain. Now the four DCs that were already on the domain are working just fine. SysVol, DNS, and AD replicate. It just will not let me add a new DC that has a copy of the Sysvol and NetShare folder. I have tried both the 2012 and 2008 R2 OS, but get the same results each time. The new DC is set up on a Server 2012 Hyper-V host with the DC being the VM. It is the only server on the host at the moment.

    Tuesday, October 01, 2013 8:14 PM

All replies

  • Hi

    Please check the path; c:\windows\SYSVOL\SYSVOL\domain.name\SCRIPTS

    Does that path exist, and is it shared as NETLOGON? If not, create it and share it manually.

    For the GPOs, run DCGPOFIX to fix them if the folder was empty.

    That will fix the GPO MMC (but it will empty all the GPO names that were there).

    Regards


    MCP | MCTS - Exchange 2007, Configuring | Member of TechNet Wiki Community Council | French Moderator on TechNet Wiki (Translation Widget)

    Wednesday, October 02, 2013 2:35 AM
    Moderator
  • I have only got the Sysvol to domain name and nothing after that, no Netlogon at all. I had seen that it was not advised to manually create the Netlogon share so I had not done that.
    Thursday, October 03, 2013 1:11 PM
  • If the scripts folder is not there, I would create it and share it. It has never replicated, and the BurFlags fix didn't force its creation.

    Check for the Policies folder there too; it's the folder where your GPOs are stored.

    The NETLOGON and SYSVOL shares must exist or you will have problems.

    Regards


    MCP | MCTS - Exchange 2007, Configuring | Member of the TechNet Wiki Community Council | Member of the TechNet Wiki International Council | French Moderator on TechNet Wiki (Translation Widget)| Citrix Certified Administrator : XenApp | Citrix Certified Administrator : XenDesktop

    Thursday, October 03, 2013 2:38 PM
    Moderator
  • Yagmoth555 is completely right, the share must exist...

    Maybe a NON-authoritative restore can do the trick; have a look here: http://social.technet.microsoft.com/Forums/windowsserver/en-US/d7da6b61-0c48-40d3-bb0b-f33db9b13852/netlogon-and-sysvol-shares-are-not-created-after-dcpromo-in-windows-2012


    Thursday, October 03, 2013 3:06 PM
  • I manually made the Netlogon and Sysvol, but they would not populate, and when I reboot, they vanish again.
    Thursday, October 03, 2013 6:05 PM
  • Hi

    The fact that the folders vanish when you reboot is strange. As the error comes when you dcpromo, is that server in a remote site or not?

    If yes, can you get the server in house and dcpromo it while it's on the same network as the other DCs, to be sure this problem isn't related to a network error? You can ship the DC afterward.

    Regards


    MCP | MCTS - Exchange 2007, Configuring | Member of the TechNet Wiki Community Council | Member of the TechNet Wiki International Council | French Moderator on TechNet Wiki (Translation Widget)| Citrix Certified Administrator : XenApp | Citrix Certified Administrator : XenDesktop

    Friday, October 04, 2013 1:38 AM
    Moderator
  • Ludovic: Yes I did do that. It did not fix it.
    Friday, October 04, 2013 12:00 PM
  • Yagmoth: I did not see any errors in the log files. The event log does not have consistent errors. The error in the Event log is a Group Policy error:

    The processing of Group Policy failed. Windows attempted to read the file \\DOMAIN\SysVol\DOMAIN\Policies\ID\gpt.ini from a domain controller and was not successful. Group Policy settings may not be applied until this event is resolved. This issue may be transient and could be caused by one or more of the following:  a) Name Resolution/Network Connectivity to the current domain controller.  b) File Replication Service Latency (a file created on another domain controller has not replicated to the current domain controller).  c) The Distributed File System (DFS) client has been disabled.

    This domain started as a 2003 domain several years ago, so we are still using FRS. I want to migrate to DFS, but I want to deal with one thing at a time.

    I have also gotten this NETLOGON error once:

    The Netlogon service could not create server share C:\Windows\SYSVOL\sysvol\DOMAIN\SCRIPTS.  The following error occurred:

    The system cannot find the file specified.

    The only consistent error I get is a Kerberos-Key-Distribution warning, but I did not really think this was related:

    The Key Distribution Center (KDC) cannot find a suitable certificate to use for smart card logons, or the KDC certificate could not be verified. Smart card logon may not function correctly if this problem is not resolved. To correct this problem, either verify the existing KDC certificate using certutil.exe or enroll for a new KDC certificate.

    The server is at a remote site. Originally I did set up and configure the DC in house. I discovered things were not working like I had thought when I set it up in its current location. At that time I thought maybe I should redo it when it was at the site it was supposed to be. But I have had the same thing happen every time I have tried to set it up. I have tried several times to rebuild the DC from scratch. I started with Server 2012, and when I had problems went to 2008 R2, as this is what all of the servers are now. The host server is 2012 and it seems to be working OK. It shows up in DNS and AD. The DC shows up in both DNS and AD.


    Friday, October 04, 2013 12:22 PM
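A PowerShell check covering what the question, Yagmoth555's first reply and the event-log post above are each looking at, as an added example that is not from any poster in this thread: it verifies the SYSVOL folder tree and the SYSVOL/NETLOGON shares, that every GPO folder carries a gpt.ini, reads the FRS BurFlags value under the key named in the question, and lists recent 1058/5706 events. It assumes the default SYSVOL location under %SystemRoot% and sticks to PowerShell 2.0 syntax so it runs on 2008 R2 as well as 2012.

```powershell
# Added example (not from any poster here): checks the SYSVOL/NETLOGON state
# discussed above. Run elevated on the DC. Assumes the default SYSVOL path
# under %SystemRoot% and uses PowerShell 2.0 syntax so it runs on 2008 R2.

$domain   = (Get-WmiObject Win32_ComputerSystem).Domain
$sysvol   = Join-Path $env:SystemRoot "SYSVOL\sysvol\$domain"
$scripts  = Join-Path $sysvol 'SCRIPTS'    # shared as NETLOGON
$policies = Join-Path $sysvol 'Policies'   # one folder per GPO GUID

# 1. Folders that must exist before Netlogon can create the shares
foreach ($p in @($sysvol, $scripts, $policies)) {
    if (Test-Path -LiteralPath $p) { Write-Output "OK       $p" }
    else                           { Write-Output "MISSING  $p" }
}

# 2. Shares (Win32_Share works on 2008 R2; Get-SmbShare needs 2012+)
$shares = Get-WmiObject Win32_Share
foreach ($name in @('SYSVOL', 'NETLOGON')) {
    $s = $shares | Where-Object { $_.Name -eq $name }
    if ($s) { Write-Output "OK       share $name -> $($s.Path)" }
    else    { Write-Output "MISSING  share $name" }
}

# 3. Each GPO folder needs a gpt.ini, or clients log event 1058
if (Test-Path -LiteralPath $policies) {
    Get-ChildItem -LiteralPath $policies | Where-Object { $_.PSIsContainer } |
        ForEach-Object {
            if (-not (Test-Path (Join-Path $_.FullName 'gpt.ini'))) {
                Write-Output "MISSING  gpt.ini in $($_.FullName)"
            }
        }
}

# 4. FRS BurFlags under the per-replica-set key named in the question.
#    0 = normal, 0xD2 = non-authoritative restore pending, 0xD4 = authoritative.
$frsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Cumulative Replica Sets'
if (Test-Path $frsKey) {
    Get-ChildItem $frsKey | ForEach-Object {
        $flags = (Get-ItemProperty $_.PSPath).BurFlags
        Write-Output ("BurFlags {0}: 0x{1:X}" -f $_.PSChildName, [int]$flags)
    }
}

# 5. Recent events the thread cites: 1058 (Group Policy) and 5706 (NETLOGON)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1058, 5706;
                                 StartTime = (Get-Date).AddDays(-7) } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-Table -AutoSize -Wrap
```

A MISSING line for SCRIPTS or Policies together with a 5706 event matches the "could not create server share" error quoted above; a non-zero BurFlags means a restore has been requested but FRS has not yet completed it.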
  • Hi,

    Thanks for your response.

    Please take a look at this KB article:

    The NETLOGON share is not present after you install Active Directory Domain Services  on a new full or read-only Windows Server 2008-based domain controller

    http://support.microsoft.com/kb/947022/en-us

    Meanwhile, a similar thread has been discussed:

    Event IDs 1058 and 5706

    http://social.technet.microsoft.com/Forums/windowsserver/en-US/7647b524-2e2c-48eb-9415-07032717db49/event-ids-1058-and-5706?forum=winserverDS

    Hope this helps.

    Regards.



    Vivian Wang
    TechNet Community Support

    Monday, October 07, 2013 5:55 AM
    Moderator
  • Vivian: A lot of information here. I have been looking at it to see if I can track down my problem. It has pointed out a few issues that I am working to resolve. Have not resolved the original yet, but I am still working on this. Even if this does not fix my issue, it was still very interesting and helpful. Thank you. I will post more when I find more out.
    Wednesday, October 09, 2013 12:42 PM
  • So far nothing has worked. I am still unable to add domain controllers. We are currently using FRS for replication instead of DFRS; could this be an issue? All of the domain controller servers are 2008 R2. When AD was put together, we had the 2003 OS. All of the 2008 R2 servers were done as a clean install and not an upgrade. Could attempting to add a 2012 DC server have caused FRS issues?
    Thursday, October 17, 2013 1:59 PM
  • Update. I have created a domain controller on a dedicated box and it is working. Yet I cannot get a domain controller to work when the system is a virtual machine. Is there something that needs to be done differently for virtual machines using Hyper-V for the virtualization?
    Monday, October 21, 2013 8:02 PM
  • I have my domain issue resolved at this point. I can add domain controllers to the domain, though I am not really sure what the fix was on this one. The virtual domain controllers have been fixed also. In Hyper-V virtual machines, you need an IDE drive to boot from and a SCSI drive to store the SysVol and NTDS folders on in order to replicate. I have been successful in a test environment doing this so far. Thank you to all who responded to my question.
    Thursday, November 07, 2013 8:33 PM