Failed non-authoritative restore on location ADC
-
Monday, April 30, 2012 11:16 AM
Found the following errors after running dcdiag /v:
1. An net use or LsaPolicy operation failed with error 1203,
No network provider accepted the given network path.
2. failed test Advertising
Starting test: KnowsOfRoleHolders
3. The registry lookup failed to determine the state of the SYSVOL
4. An Warning Event occured. EventID: 0x800034FD
Time Generated: 04/30/2012 01:25:28
(Event String could not be retrieved)
......................... XXXXXXXADC failed test frsevent
All Replies
-
Monday, April 30, 2012 11:24 AM
Can you please post the unedited result of dcdiag /v?
From your logs it seems to be an issue with the sysvol and netlogon shares.
Is the sysvol and netlogon share replication working fine on the domain controller?
Refer to the below link to understand this better and troubleshoot the issue.
Regards,
_Prashant_
MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
-
Monday, April 30, 2012 11:24 AM
Hello,
If you have another DC with a GC then you can simply proceed like that:
- Re-install the OS of your additional DC
- Perform a metadata cleanup: http://technet.microsoft.com/en-us/library/cc816907%28v=ws.10%29.aspx
- Seize FSMO roles to the other DC if the restored DC was an FSMO holder: http://support.microsoft.com/kb/324801
- Promote the re-installed server as a DC and make it a DNS and GC server
If you still want to investigate more about your actual issue, please post the output of these commands on all DCs you have:
- ipconfig /all > c:\ipconfig.txt
- dcdiag /v > c:\dcdiag.txt
This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
Microsoft Student Partner 2010 / 2011
Microsoft Certified Professional
Microsoft Certified Systems Administrator: Security
Microsoft Certified Systems Engineer: Security
Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
Microsoft Certified Technology Specialist: Windows 7, Configuring
Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
Microsoft Certified IT Professional: Enterprise Administrator
Microsoft Certified IT Professional: Server Administrator
Microsoft Certified Trainer
-
Monday, April 30, 2012 11:27 AM Moderator
The above information is not enough, please elaborate. A few questions: how did you perform the non-authoritative restore, is it a physical or virtual machine, how many forests/domains do you have, how many sites and DCs do you have?
What is the reason for performing the authoritative restore? If you provide answers to the above questions, I'm sure we will be in a better position to help you.
I presume there is no network connectivity with the DC holding the FSMO role or there are DNS misconfiguration issues, which are not allowing communication between DCs? In the meantime, you can refer to the below article too.
What does DCDIAG actually… do? http://blogs.technet.com/b/askds/archive/2011/03/22/what-does-dcdiag-actually-do.aspx
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
-
Monday, April 30, 2012 11:34 AM
Hello,
as this is too little information, please provide the following output files:
ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]
dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)
As the output will become large, DON'T post them into the thread, please use Windows Sky Drive (skydrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
Monday, April 30, 2012 11:39 AM
Hi prasanth
Is the sysvol and netlogon share replication working fine on the domain controller?
The share \\server\sysvol is opening now, previously it was not, but the error is still the same.
-
Monday, April 30, 2012 11:40 AM
Since you have performed a non-authoritative restore and you are getting "An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path", it seems that the netlogon and sysvol shares are not available. Run the net share command to check the status; the FRS test also failed. To start with, first check the DNS settings on the server; most of the time it is due to DNS misconfiguration.
Ensure the following on the DC:
1. Each DC / DNS server points to its private IP address as primary DNS server and other remote/local DNS servers as secondary in TCP/IP properties.
2. Each DC has just one IP address and a single network adapter is enabled.
3. Contact your ISP and get valid DNS IPs from them and add them to the forwarders. Do not set a public DNS server in the TCP/IP settings of the DC.
4. Once you are done, run "ipconfig /flushdns & ipconfig /registerdns", restart the DNS and NETLOGON services on each DC.
Do not put private DNS IP addresses in the forwarder list.
5. Assign a static IP address to the DC if the IP address is assigned to the DC by a DHCP server. It is strongly not recommended.
Also do let us know how you have restored the server. Have you restored on a physical/virtual DC? How was the DC restored: from system state or image backup, cloning, etc.?
Also post the entire dcdiag and repadmin output. Check the event log as well and post the warnings and errors, if any.
Alternatively, if it is a production server and impacting the business, you can forcefully demote the DC followed by metadata cleanup and promote the server back as a DC.
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
-
Monday, April 30, 2012 3:32 PM
Hi awinish
how did you perform non-authoritative restore ----- Reg Value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore/Process at Startup - D2. Physical machine.
how many forest/domain you have, how many sites and DC you have ---- 36 sites, 2 DCs.
What is the reason for performing authoritative restore --- the sysvol folder was not updated and has around 300 MB of difference....
there is physical connectivity with DC refer below.
Starting test: FsmoCheck
GC Name: \\1ADC.suzlon.com
Locator Flags: 0xe000017c
PDC Name: \\1DC.suzlon.com
Locator Flags: 0xe000037d
Time Server Name: \\2DEXC.suzlon.com
Locator Flags: 0xe000017c
Preferred Time Server Name: \\1DC.domain.com
Locator Flags: 0xe000037d
KDC Name: \\2DC.domain.com
Locator Flags: 0xe000017c
Can anybody help to find the difference between the below two points:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore/Process at Startup - D2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters -- Add Dword Enable non-authoritative (not on top of my head)..........
-
Monday, April 30, 2012 3:39 PM
Hello,
how did you perform non-authoritative restore ----- Reg Value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore/Process at Startup - D2.
So you restored the SYSVOL replication using BurFlags. Please also set the other DC as the authoritative one by using the D4 value.
For more information about this restore: http://support.microsoft.com/kb/290762
You can start by temporarily disabling your security software (especially your antivirus) on the DCs and check the results. Also, check that the needed ports for AD replication are all opened in both directions.
List of ports: http://social.technet.microsoft.com/wiki/contents/articles/584.active-directory-replication-over-firewalls.aspx
You can use PortQryUI or PortQry V2 for checking.
Please also use Microsoft Skydrive to upload the output of commands already suggested.
- Edited by Mr XMVP Monday, April 30, 2012 4:01 PM add info
-
Monday, April 30, 2012 3:46 PM
You mentioned you performed a non-authoritative restore of the DC, but instead you have performed a non-authoritative restore of sysvol. However, since you have two DCs in the network, assuming that there is no replication issue between the DCs, you need to perform an authoritative restore (D4) on the healthy DC and a non-authoritative restore (D2) on the other DC (having the problem). To set the value you need to go to the below path.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore/Process at Startup, double click BurFlags and set D4/D2 accordingly.
Kindly take a backup of the sysvol folder content to a temp location and perform the authoritative and non-authoritative restore of sysvol.
1) Normally for an Authoritative Restore you stop the NTFRS services on all DCs.
2) Set burflags to D4 on a known good sysvol (or at this time restore sysvol data from backup then set burflags to D4) then start NTFRS on this server. You may want to rename the old folders with .old extensions prior to restoring good data.
3) Clean up the folders on all the remaining servers (Policies, Scripts, etc) - rename them with .old extensions.
4) Set burflags to D2 on all remaining servers and start NTFRS.
5) Wait for FRS to replicate.
6) Clean up the .old stuff if things look good.
Essentially the "http://support.microsoft.com/kb/290762/" article.
Regarding the path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters, the same is used when FRS is in the Journal Wrap error state, and to fix the same a new key Enable Journal Wrap Automatic Restore is created and the value is set to 1 for automatic recovery.
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
- Edited by Sandesh Dubey, Microsoft Community Contributor, Monday, April 30, 2012 3:49 PM
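The BurFlags steps discussed in the posts above, as an added PowerShell example that is not code from any poster or from Microsoft. The `Mode` parameter, the helper function names and the 30-second wait are assumptions made for illustration; the key path uses the backslash form `Backup/Restore\Process at Startup`.

```powershell
# Added example: show or set the FRS BurFlags value, then restart NTFRS.
# Run elevated on the DC. Use D4 on the one known-good DC first, D2 on the others.
param(
    [ValidateSet('Show', 'D2', 'D4')]
    [string]$Mode = 'Show'
)

# The key name "Backup/Restore" contains a forward slash, which the PowerShell
# registry provider can misparse as a path separator, so the .NET registry API
# is used here; it only splits the path on backslashes.
$subKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'

function Get-BurFlags {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $false)
    if (-not $key) { throw "Key not found: HKLM\$subKey" }
    try { return $key.GetValue('BurFlags') } finally { $key.Close() }
}

function Set-BurFlags([int]$Value) {
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
    if (-not $key) { throw "Key not found: HKLM\$subKey" }
    try { $key.SetValue('BurFlags', $Value, [Microsoft.Win32.RegistryValueKind]::DWord) }
    finally { $key.Close() }
}

if ($Mode -eq 'Show') {
    '{0}: BurFlags = 0x{1:X}' -f $env:COMPUTERNAME, (Get-BurFlags)
    return
}

$flag = if ($Mode -eq 'D4') { 0xD4 } else { 0xD2 }
Stop-Service -Name NtFrs -Force      # FRS reads BurFlags only at service start
Set-BurFlags $flag
Start-Service -Name NtFrs

# FRS resets BurFlags to 0 after it has processed the value at startup.
Start-Sleep -Seconds 30              # assumed wait, adjust to the environment
'{0}: BurFlags now 0x{1:X}' -f $env:COMPUTERNAME, (Get-BurFlags)

# SYSVOL and NETLOGON are shared again once the replica set is rebuilt.
net share | Select-String -Pattern 'SYSVOL|NETLOGON'
```

Back up the SYSVOL content to a temporary location before using D2 or D4, as the post above advises.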
-
Monday, April 30, 2012 4:15 PMModerator
Are you performing a backup of the sysvol or AD? From your post, it appears it's not an AD database restore but a Sysvol restore. To perform a non-authoritative restore of the sysvol, only setting the burflag is not sufficient, you need to reinitialize the FRS service. The below KB article is applicable to Windows 2008 R2 even considering you are not using DFSR.
How to force a non-authoritative restore of the data in the Sysvol folder on a domain controller in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/kb/840674
Using the BurFlags registry key to reinitialize File Replication Service replica sets http://support.microsoft.com/kb/290762
You can also use Jorge's blog for rebuilding sysvol.
Awinish Vishwakarma - MVP - Directory Services
My Blog: awinish.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.
-
Saturday, August 11, 2012 5:52 AM
It has been noticed that this issue was occurring frequently because AD files like ntds.dit etc. were not added as exceptions in AV scanning; after excluding the files from AV scanning, the issue has not been reported for 4 months.
- Marked As Answer by Safvan Saturday, August 11, 2012 5:52 AM

