2016 SYSVOL and NETLOGON shares missing from New Domain Controllers added to 2012 and below.

  • General discussion

  • After going through Server 2k to 2012R2 documentation and following all recommendations within said forums, the simplest solution presented itself.

    It came down to a simple registry change.

    Open an administrative PowerShell.

    Run net share

    Review shares and find the NETLOGON and SYSVOL shares; if they are there, turn them off and back on in the registry.

    Type regedt32 in PowerShell and edit the following registry entry

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

    Change sysvolready=0   <<<< Turns off sysvol and netlogon shares.

    Change sysvolready=1   <<<< Creates and shares sysvol and netlogon automatically.

    Do this to all Domain Controllers

    Run DcDiag /v

    If you are tired of seeing old errors, clear all logs in PowerShell with this script.

    wevtutil el | Foreach-Object {wevtutil cl "$_"}

    I was able to fix all errors with DNS prior to using this fix.

    I still have one error I cannot get around; it will not go away, 100 hours later.

          Starting test: VerifyReferences
             The system object reference (serverReference) CN=SRV6,OU=Domain Controllers,DC=acs,DC=local and backlink on
             CN=SRV6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acs,DC=local are correct.
             Some objects relating to the DC SRV6 have problems:
                [1] Problem: Missing Expected Value
                 Base Object:
                CN=NTDS Settings,CN=SRV6,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=acs,DC=local
                 Base Object Description: "DSA Object"
                 Value Object Attribute Name: serverReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

                [1] Problem: Missing Expected Value
                 Base Object: CN=SRV6,OU=Domain Controllers,DC=acs,DC=local
                 Base Object Description: "DC Account Object"
                 Value Object Attribute Name: msDFSR-ComputerReferenceBL
                 Value Object Description: "SYSVOL FRS Member Object"
                 Recommended Action: See Knowledge Base Article: Q312862

             ......................... SRV6 failed test VerifyReferences

    This is the last dcdiag error on the 2012R2 legacy server, with 5 new 2016 servers now properly replicating SYSVOL and NETLOGON. Hopefully I can demote and remove this server with this error still in place; when this server is removed, no more error. If anyone has advice, please share it, as this error may be an issue for someone else wishing to keep their server.



    • Edited by BucakrooBanzai Monday, July 31, 2017 7:27 AM
    • Changed type BucakrooBanzai Monday, July 31, 2017 7:28 AM It has answers and A good Question
    Monday, July 31, 2017 7:04 AM
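
The procedure in the post above, scripted for one domain controller (an added example, not the poster's code). The function names, the pause length and the final check for GPO folders under `Policies` are assumptions added here; the flag is normally set by the replication service once SYSVOL has synchronized, so the script confirms the share has content after forcing it on.

```powershell
# Added example; run in an elevated PowerShell session on the domain controller.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$domain = (Get-CimInstance Win32_ComputerSystem).Domain

function Get-MissingDcShare {
    # Names of the two DC shares that are not currently published.
    'SYSVOL', 'NETLOGON' | Where-Object {
        -not (Get-SmbShare -Name $_ -ErrorAction SilentlyContinue)
    }
}

function Test-SysvolPopulated {
    # True when <SYSVOL share>\<domain>\Policies holds at least one GPO folder.
    $share = Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue
    if (-not $share) { return $false }
    $policies = Join-Path $share.Path "$domain\Policies"
    [bool](Get-ChildItem -LiteralPath $policies -Directory -ErrorAction SilentlyContinue |
           Select-Object -First 1)
}

function Reset-SysvolReady {
    param([int]$PauseSeconds = 5)   # pause length is an assumption, not from the post
    foreach ($value in 0, 1) {      # 0 withdraws the shares, 1 publishes them again
        Set-ItemProperty -Path $key -Name SysvolReady -Value $value -Type DWord
        Start-Sleep -Seconds $PauseSeconds
    }
}

$flag = (Get-ItemProperty -Path $key -Name SysvolReady -ErrorAction SilentlyContinue).SysvolReady
Write-Output "SysvolReady before: $flag; missing shares: $((Get-MissingDcShare) -join ', ')"

Reset-SysvolReady

$missing = Get-MissingDcShare
if ($missing) {
    Write-Warning "Still missing after toggle: $($missing -join ', ')"
} elseif (-not (Test-SysvolPopulated)) {
    Write-Warning 'SYSVOL is shared but has no GPO folders under Policies; check replication.'
} else {
    Write-Output 'SYSVOL and NETLOGON are shared and SYSVOL contains policy folders.'
}
```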

All replies

  • My notes for commands I used to prepare the 2012 server for demotion.
    Most commands work on 2016, the rest will work on older servers.

    Public IP (ISP DNS) used for external domain name resolution should always be configured in the Forwarders of the DNS servers.
    NEVER use a public IP configured directly in the NIC of either the DC or clients.
    Make sure the DC points to another DC for its primary DNS server, and itself second.  Latest from MS is to have the loopback adapter listed as a third option in the network adapter.


    Reinitialize netlogon shares if they disappear
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters  sysvolready change to 0 then back to 1

    Clear all logs powershell script
    wevtutil el | Foreach-Object {wevtutil cl "$_"}


    Domain Controller Diagnostic List
    dcdiag /v >>dcdiag.results.txt
    dcdiag /e
    dcdiag /d
    dcdiag /a
    dcdiag /c /v
    dcdiag /test:advertising
    dcdiag /test:netlogons
    dcdiag /v /c /d /e /s:YourDomain.local >>c:\dcdiag.log

    Specific source DC use /ReplSource:<DC>

    NetDom Query fsmo   <<<<Powershell App
    GPResult /H C:\secpol.htm      <read secpol.htm when done

    DFSRDIAG.EXE POLLAD     <<<< run on all servers
    DFSRDIAG.EXE PollAD /Member:DOMAIN\Server1
    DFSRMIG.EXE /GETMIGRATIONSTATE
    DFSRMIG.EXE /GETGLOBALSTATE

    repadmin /replsum
    repadmin /showrepl
    repadmin /showreps
    repadmin /syncall

    ntfrsutl ds DaServer
    ntfrsutl poll /now
    ntfrsutl sets

    dfsutil /spcinfo
    dfsutil /spcflush

    MMC/Tools/DFS Management     ---  right hand menu    >>> CREATE DIAGNOSTIC REPORTS


    Net stop and start ntfrs
    __________________________________________
    ntdsutil.exe
    ds behavior
    connections

    _________________________________________
    RESET DNS
    IpConfig /flushDns
    IpConfig /registerDns
    net stop dns
    net stop netlogon
    net start dns
    net start netlogon

    _______________________________________________________________
    Reset the DSRM Administrator Password
    Click Start, click Run, type
    ntdsutil
    and then click OK.
    At the Ntdsutil command prompt, type
    set dsrm password
    At the DSRM command prompt, type one of the following
    lines:
    To reset the password on the server on which you are
    working, type
    reset password on server null
    type the password.

    forest YourDomain.local
    (DSRM PASSWORD)->   WhateverYouLike
    _____________________________________________________________________
    Reset Time Server
    w32tm /config /manualpeerlist:time.nist.gov /syncfromflags:manual /reliable:YES /update 
    W32tm /resync /rediscover 


    _____________________________________________________________________

    Fix Journal Wrap Error
    To modify the default behavior, make the following changes in the registry
    to instruct FRS to handle the JRNL_WRAP_ERROR status automatically:
    1. Stop FRS.
    2. Start Registry Editor (Regedt32.exe).
    3. Locate and click the following key in the registry:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters
    4. On the Edit menu, click Add Value, and then add the following registry
    value:

    I inserted this Key, it was not there.

    Value name: Enable Journal Wrap Automatic Restore
    Data type: REG_DWORD
    Radix: Hexadecimal
    Value data: 1 (Default 0)
    5. Quit Registry Editor.
    6. Restart FRS.

    ______________________________________________________

    >> How to rebuild the SYSVOL tree and its content in a domain <<
    https://support.microsoft.com/en-us/help/315457/how-to-rebuild-the-sysvol-tree-and-its-content-in-a-domain

    SYSVOL on newly promoted DC is not synchronising, but replication looks ok?
    https://blogs.technet.microsoft.com/ziggy/2013/08/20/sysvol-on-newly-promoted-dc-is-not-synchronising-but-replication-looks-ok/

    How to remove completely orphaned Domain Controller 
    https://support.microsoft.com/en-us/help/555846
    PROMISING>>>>^^^^^^^


    How to remove orphaned domains from Active Directory
    https://support.microsoft.com/en-us/help/230306/how-to-remove-orphaned-domains-from-active-directory

    DFS Replication: How to troubleshoot missing SYSVOL and Netlogon shares
    https://support.microsoft.com/en-us/help/2958414/dfs-replication-how-to-troubleshoot-missing-sysvol-and-netlogon-shares

    SYSVOL and Group Policy out of Sync on Server 2012 R2 DCs using DFSR
    http://jackstromberg.com/2014/07/sysvol-and-group-policy-out-of-sync-on-server-2012-r2-dcs-using-dfsr/

    How to configure an authoritative time server in Windows Server
    https://support.microsoft.com/en-us/help/816042/how-to-configure-an-authoritative-time-server-in-windows-server

    Step-By-Step: Migrating Active Directory FSMO Roles From Windows Server 2012 R2 to 2016 <<<< PROMISING
    https://blogs.technet.microsoft.com/canitpro/2017/05/24/step-by-step-migrating-active-directory-fsmo-roles-from-windows-server-2012-r2-to-2016/

    Restoring and Rebuilding SYSVOL
    https://technet.microsoft.com/en-us/library/cc816596(v=ws.10).aspx

    server 2012
    Fix: Active directory corrupted (NTDS ISAM Database Corruption errors in eventlog)
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/172eb4bb-a8df-42ce-a1c7-472d33dc210a/fix-active-directory-corrupted-ntds-isam-database-corruption-errors-in-eventlog?forum=winserverDS

    Give Anyone Credentials with Azure Active Directory
    https://redmondmag.com/articles/2017/07/01/azureadb2b.aspx

    SYSVOL Replication Migration Guide: FRS to DFS Replication
    https://www.microsoft.com/en-us/download/details.aspx?id=4843


    https://gallery.technet.microsoft.com/PowerShell-Active-4ffedca4?ranMID=24542&ranEAID=TnL5HPStwNw&ranSiteID=TnL5HPStwNw-UrTObc1H4Xr3BI_8FIYqXQ&tduid=(9d370126878cc542a1f4dc177390473f)(256380)(2459594)(TnL5HPStwNw-UrTObc1H4Xr3BI_8FIYqXQ)()


    Monday, July 31, 2017 8:55 AM
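
A variant of the log-clearing one-liner quoted in the posts above that archives each log to an .evtx file before clearing it, so the history stays available for later investigation (an added example, not the poster's code). The archive folder and the function name are assumptions; `wevtutil cl` with `/bu:` is the tool's own backup-on-clear option.

```powershell
# Added example; run elevated. The archive location is an assumption.
$dest = Join-Path $env:SystemDrive ('EventLogArchive\{0:yyyyMMdd-HHmmss}' -f (Get-Date))
New-Item -ItemType Directory -Path $dest -Force | Out-Null

function Clear-LogWithBackup {
    param([string]$Log, [string]$Folder)
    # Channel names such as Microsoft-Windows-GroupPolicy/Operational contain
    # characters that are not valid in a file name, so map them to '_'.
    $file = Join-Path $Folder (($Log -replace '[\\/:*?"<>|]', '_') + '.evtx')
    wevtutil cl "$Log" "/bu:$file" 2>$null
    [pscustomobject]@{
        Log     = $Log
        Cleared = ($LASTEXITCODE -eq 0)      # some channels cannot be cleared
        Backup  = if (Test-Path -LiteralPath $file) { $file } else { $null }
    }
}

$results = wevtutil el | ForEach-Object { Clear-LogWithBackup -Log $_ -Folder $dest }

$cleared = @($results | Where-Object { $_.Cleared })
$skipped = @($results | Where-Object { -not $_.Cleared })
Write-Output "Cleared $($cleared.Count) logs, archived to $dest"
if ($skipped) {
    Write-Warning "Not cleared: $($skipped.Log -join ', ')"
}
```

Clearing still records event 1102 in the Security log and event 104 in the System log, which monitoring may alert on.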
  • Ran into this introducing a 2019 DC into a 2012 R2 AD with a mix of 2016 DCs.    The 2019 ran into this issue whereas the 2016 DCs did not.      
    Sunday, June 30, 2019 9:30 PM
  • This saved my day ;)

    Thx

    Thursday, July 23, 2020 11:10 AM