Unable to connect to the NETLOGON share! (\\servername\netlogon)

    Question

  • I have joined a new server (Server 2012 R2) to an existing domain (the existing DC is SBS 2008) and promoted it to a domain controller.

    When I run repadmin /showrepl the replication is fine.

    But when I run dcdiag I get this error:

    Starting test: Netlogons

    Unable to connect to the NETLOGON share! (\\servername\netlogon)

    [SERVERNAME] An net use or LsaPolicy operation failed with error 67, The network name cannot be found. . 

    ................................SERVERNAME failed test NetLogons

    I have tried demoting it and then promoting it again, but I still have the same error.

    I have also tried changing the SysvolReady flag from 0 to 1 and then back to 0 (under this path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters)


    The primary DNS server is the other DC, the secondary DNS server is itself.

    Searching through forums has got me information beyond my understanding; at a basic level, what's the problem and how do I fix it?

    This server is due to take over from the SBS 2008 server (which will be shut down and removed) and was due to take over the FSMO roles, but I'm not comfortable going ahead with that until I can fix this issue.




    • Edited by shaun8421 Thursday, January 26, 2017 10:11 AM
    Thursday, January 26, 2017 9:19 AM

Answers

  • Ok...I ran the D4 restore and this fixed it all up. SYSVOL and NETLOGON are now replicating to the new DC from the old DC.

    I did the following:

    1. Stop File Replication Service (make sure you do this right before step 2 or it will restart by itself after a few mins).

    2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup and set the burflags value to D4 (hexadecimal). Click OK. 

    3. Start File Replication Service

    4. Check File Replication Service in eventvwr and confirm with event 13516 that it completed successfully. The restore process took 2 seconds in total.

    5. Look at the other DC and confirm SYSVOL and NETLOGON are now replicating.

    This process doesn't 'restore' but instead rebuilds the FRS database. Even though eventvwr suggests you should do an automatic restore, don't even bother. Just rebuild the FRS database as above in steps 1-4.

    • Marked as answer by shaun8421 Wednesday, February 1, 2017 8:56 AM
    Wednesday, February 1, 2017 8:56 AM

All replies

  • Hi

    You should be looking at your DNS setup.

    The primary DNS server is the other DC, the secondary DNS server is itself. >>> All DCs should point to themselves as the primary DNS server. When you fix that, run "ipconfig /flushdns", then "ipconfig /registerdns", and finally check again.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Thursday, January 26, 2017 11:28 AM
  • I switched them around (itself is primary, other one is secondary) - no difference. 
    Thursday, January 26, 2017 11:38 AM
  • Hey,

    As Burak mentioned, it does look like a possible DNS issue. I take it communication between the 2 DCs is fine and ping replies?

    First thing I would check is that you do not have DNS enabled on any additional NICs on the domain controller (you untick the DNS reference box in advanced settings on IPv4 on any additional NICs apart from management).

    There is also a MS tool to help diagnose any DNS issues within the domain which may help:

    https://support.microsoft.com/en-us/help/321045/description-of-the-dnslint-utility


    Thursday, January 26, 2017 12:06 PM
  • Check that the AD-related ports are open between DCs:

    http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/

    Also please paste the unedited "ipconfig /all" result from both DCs.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Thursday, January 26, 2017 12:52 PM
  • I can ping the opposite domain controller from each domain controller, i.e. A can ping B and B can ping A. There is only 1 NIC on the server.

    I ran dcdiag /test:dns /v /s:servername /DnsBasic and I got the following output (sanitised); it appears to be OK?


    PS C:\> dcdiag /test:dns /v /s:server2 /dnsbasic

    Directory Server Diagnosis

    Performing initial setup:
       * Connecting to directory service on server server2.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domainname,DC=local,LDAP_SCOPE_SUBTREE,(objectCategory=nTDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=local
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domainname,DC=local,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=server1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=local
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       Getting information for the server CN=NTDS Settings,CN=server2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domainname,DC=local
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 2 DC(s). Testing 1 of them.
       Done gathering initial info.

    Doing initial required tests

       Testing server: Default-First-Site-Name\server2
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             Determining IP4 connectivity
             * Active Directory RPC Services Check
             ......................... server2 passed test Connectivity

    Doing primary tests

       Testing server: Default-First-Site-Name\server2
          Test omitted by user request: Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Test omitted by user request: FrsEvent
          Test omitted by user request: DFSREvent
          Test omitted by user request: SysVolCheck
          Test omitted by user request: KccEvent
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: MachineAccount
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: Replications
          Test omitted by user request: RidManager
          Test omitted by user request: Services
          Test omitted by user request: SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyReplicas

          Starting test: DNS

             DNS Tests are running and not hung. Please wait a few minutes...
             See DNS test in enterprise tests section for results
             ......................... server2 passed test DNS

       Running partition tests on : ForestDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation

       Running partition tests on : DomainDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation

       Running partition tests on : Schema
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation

       Running partition tests on : Configuration
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation

       Running partition tests on : domainname
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation

       Running enterprise tests on : domainname.local
          Starting test: DNS
             Test results for domain controllers:

                DC: server2.domainname.local
                Domain: domainname.local


                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed

                   TEST: Basic (Basc)
                      The OS Microsoft Windows Server 2012 R2 Standard (Service Pack level: 0.0) is supported.
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000010] Microsoft Hyper-V Network Adapter:
                         MAC address is 00:15:5D:31:F2:AA
                         IP Address is static
                         IP address: 192.168.26.20, fe80::78dd:ba19:9e8b:9805
                         DNS servers:
                            192.168.26.20 (server2) [Valid]
                            192.168.24.20 (server1) [Valid]
                      The A host record(s) for this DC was found
                      The SOA record for the Active Directory zone was found
                      The Active Directory zone on this DC/DNS server was found primary
                      Root zone on this DC/DNS server was not found

             Summary of test results for DNS servers used by the above domain controllers:

                DNS server: 192.168.24.20 (server1)
                   All tests passed on this DNS server
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered

                DNS server: 192.168.26.20 (server2)
                   All tests passed on this DNS server
                   Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered

             Summary of DNS test results:

                                                Auth Basc Forw Del  Dyn  RReg Ext
                _________________________________________________________________
                Domain: domainname.local
                   server2                     PASS PASS n/a  n/a  n/a  n/a  n/a

             ......................... domainname.local passed test DNS
          Test omitted by user request: LocatorCheck
          Test omitted by user request: Intersite


    • Edited by shaun8421 Thursday, January 26, 2017 12:58 PM
    Thursday, January 26, 2017 12:57 PM
  • Check that the AD-related ports are open between DCs:

    http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/

    Also please paste the unedited "ipconfig /all" result from both DCs.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    There is no firewall between them; all ports are allowed.

    Here is ipconfig of problem server:


    Windows IP Configuration

       Host Name . . . . . . . . . . . . : server2
       Primary Dns Suffix  . . . . . . . : domainname.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : domainname.local

    Ethernet adapter Ethernet:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-31-F2-AA
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::78dd:ba19:9e8b:9805%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 192.168.26.20(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 192.168.26.1
       DHCPv6 IAID . . . . . . . . . . . : 301995357
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-20-0F-6A-5D-00-15-5D-31-F2-AA
       DNS Servers . . . . . . . . . . . : ::1
                                           192.168.26.20
                                           192.168.24.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{7DC5A57A-7480-4003-95B2-52A33A6AAB51}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    Thursday, January 26, 2017 1:08 PM
  • Dear,

    Have you tried using your domain name instead of the server name?

    e.g. \\contoso.local\netlogon

    Thanks


    Syed Abdul Kadar M.

    Thursday, January 26, 2017 2:40 PM
  • DNS Servers . . . . . . . . . . . : ::1 >>>>

    Your DNS resolves from IPv6, but it needs to resolve from IPv4. Just modify the provider order to point to IPv4 if you can't disable IPv6 (but disabling IPv6 is not recommended).

    Modify the protocol bindings and network provider order: https://technet.microsoft.com/en-us/library/cc732472(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Thursday, January 26, 2017 3:09 PM
  • DNS Servers . . . . . . . . . . . : ::1 >>>>

    Your DNS resolves from IPv6, but it needs to resolve from IPv4. Just modify the provider order to point to IPv4 if you can't disable IPv6 (but disabling IPv6 is not recommended).

    Modify the protocol bindings and network provider order: https://technet.microsoft.com/en-us/library/cc732472(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    When I opened that, IPv4 was already above IPv6 for both File and Printer Sharing and Client for Microsoft Networks. Is that right?
    Thursday, January 26, 2017 8:38 PM
  • I tried to perform a non-authoritative restore of SYSVOL on the bad DC as well by setting the registry key to D2 and restarting the FRS service, and it still didn't bring it across. Forced a replication and after an hour still no difference... :(
    Friday, January 27, 2017 3:14 AM
  • Something noteworthy is I'm also getting this error:

    Testing server: Default-First-Site-Name\server2

         Starting test: Advertising

                  Warning: DsGetDcName returned information for \\server1.domainname.local, when we were trying to reach SERVER2. SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

    ................................. SERVER2 failed test Advertising

    Starting test: FrsEvent

          There are warning or error events within the last 24 hours after SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.

    .................................. SERVER2 passed test FrsEvent

    Friday, January 27, 2017 3:19 AM
  • Easy way: just forcefully remove server2 (the problematic DC), then perform a metadata cleanup and add it as a domain controller again.

    Metadata cleanup: https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx?f=255&mspperror=-2147217396


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Friday, January 27, 2017 11:00 AM
  • Looks like there's an issue with FRS replication. There is a jrnl_wrap_error preventing the files/folders from being replicated. The only way to fix is to perform an authoritative restore of FRS database. 
    Monday, January 30, 2017 2:13 AM
  • To fix "jrnl_wrap_error", check this:

    https://blogs.msmvps.com/acefekay/2013/08/28/how-to-recover-a-journal-wrap-error-jrnl_wrap_error-and-a-corrupted-sysvol-from-a-good-dc-what-option-do-i-use-d4-or-d2-whats-the-difference-between-d4-and-d2/


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards, Burak Uğur

    Monday, January 30, 2017 6:39 AM
  • Ok...I ran the D4 restore and this fixed it all up. SYSVOL and NETLOGON are now replicating to the new DC from the old DC.

    I did the following:

    1. Stop File Replication Service (make sure you do this right before step 2 or it will restart by itself after a few mins).

    2. Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup and set the burflags value to D4 (hexadecimal). Click OK. 

    3. Start File Replication Service

    4. Check File Replication Service in eventvwr and confirm with event 13516 that it completed successfully. The restore process took 2 seconds in total.

    5. Look at the other DC and confirm SYSVOL and NETLOGON are now replicating.

    This process doesn't 'restore' but instead rebuilds the FRS database. Even though eventvwr suggests you should do an automatic restore, don't even bother. Just rebuild the FRS database as above in steps 1-4.

    • Marked as answer by shaun8421 Wednesday, February 1, 2017 8:56 AM
    Wednesday, February 1, 2017 8:56 AM
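The five steps of the marked answer as a PowerShell script, with the pre-check from the question (the SysvolReady value and the peer's NETLOGON share) and the event 13516 confirmation folded in. This is an added example, not code from the thread; it assumes it runs elevated on the DC that holds the good SYSVOL copy (the poster applied D4 on the old SBS DC), that `$Peer` names the other DC, and that FRS journal-wrap events carry ID 13568, which the thread does not quote.

```powershell
# Added example, not from the thread: the marked answer's five steps as a script,
# with a before/after check. Run elevated on the DC that holds the good SYSVOL copy.
param([Parameter(Mandatory)][string]$Peer)   # the other DC, e.g. the one dcdiag could not reach

$frsKey = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
$frsLog = 'File Replication Service'

function Get-FrsEvents([int[]]$Id, [datetime]$Since) {
    # FRS logs to its own classic log; "no events found" is raised as an error, so silence it
    Get-WinEvent -FilterHashtable @{ LogName = $frsLog; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue
}

# 0. Record the symptom first: SysvolReady (key from the question), recent journal-wrap
#    events (13568, an ID assumed here, not quoted in the thread) and the peer's share.
$sysvolReady = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters').SysvolReady
$wraps = @(Get-FrsEvents -Id 13568 -Since (Get-Date).AddDays(-1))
$peerOk = Test-Path "\\$Peer\NETLOGON"
"Before: SysvolReady=$sysvolReady, journal-wrap events (24h)=$($wraps.Count), \\$Peer\NETLOGON reachable=$peerOk"

# 1. Stop FRS. The answer notes it restarts itself after a few minutes, so step 2 follows at once.
Stop-Service NtFrs -Force

# 2. BurFlags = 0xD4 (authoritative). The key name contains '/', which the HKLM: provider can
#    treat as a path separator, so use the .NET registry API, where only '\' separates keys.
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($frsKey, $true)
if (-not $key) { throw "FRS BurFlags key not found; is this DC still using FRS for SYSVOL?" }
$key.SetValue('BurFlags', 0xD4, [Microsoft.Win32.RegistryValueKind]::DWord)
$key.Close()

# 3. Start FRS and note the time so the event search below only sees this run.
$started = Get-Date
Start-Service NtFrs

# 4. Wait for event 13516, which the answer uses as the completion signal.
$deadline = $started.AddMinutes(10)
do {
    Start-Sleep -Seconds 15
    $done = Get-FrsEvents -Id 13516 -Since $started
} until ($done -or (Get-Date) -gt $deadline)
if (-not $done) { throw "No FRS event 13516 within 10 minutes; inspect the '$frsLog' log." }

# 5. Confirm both shares are offered here and reachable on the peer.
Get-SmbShare -Name SYSVOL, NETLOGON | Format-Table Name, Path -AutoSize
foreach ($s in 'SYSVOL', 'NETLOGON') {
    "After: \\$Peer\$s reachable = $(Test-Path "\\$Peer\$s")"
}
```

Only the D4 side is scripted; the other DC gets the non-authoritative D2 value mentioned earlier in the thread, not D4.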
  • Hey Shaun, I just came across this post as I have a nearly identical issue. If you can recall, when you had this issue with your newly joined DC, did you perform the D4 restore on the DC that threw the NETLOGON error, or on the other DC that it was replicating from?
    Monday, April 30, 2018 11:30 PM
  • I really can't remember (so long ago!), but I'm pretty sure I did it on the SBS server, the other DC. 
    Monday, April 30, 2018 11:36 PM
  • That's what I did last night and it solved the replication errors I was receiving. Thanks for this post, it was golden!
    Tuesday, May 1, 2018 4:41 PM
  • All I did was manually create the scripts inside C:\Windows\SYSVOL_DFSR\sysvol\domain name\. Didn't need to give it any permission. After that I restarted the netlogon service and netlogon got shared automatically.

    Tuesday, January 15, 2019 9:13 PM