Sysvol broken - Windows Server 2012

    Question

  • I have a 2 DC environment which is only 6 months old.

    The FSMO server recently went down unexpectedly so FSMO was forced to the 2nd DC.

    A new DC was then created and is now replicating with the other server but I've noticed a major issue now with sysvol

    Sysvol appears to have broken.

    - dcdiag shows that DFSREvent failed.  

       Everything else has passed its test

    - Checked the DFS Replication event log and saw that the DFS replication service failed to communicate with the partner.

      (the issue is this server is now retired)  So this server should be replicating with another server.

    - I was receiving a lot of errors in DFS with errors 4612 and 5008 so checked on the registry of the FSMO server and in HKLM/currentcontrolset/services/DFSR/Parameters/sysvols/seedingSysVols/domain, the parent company server was the old FSMO server.

    I've changed this now to the new FSMO server

    I'm just wondering if anyone can suggest what steps I can take to get the sysvol replicating successfully so that both DCs can handle GPOs.

    The only option that all seem to point to is a DFSR Sysvol Authoritative restore but I don't have a backup as I don't think sysvol was setup correctly on this even before it became the master chief?


    Wednesday, November 25, 2015 2:27 PM

Answers

  • I've had lots of issues with this.

    My major concern was with GPOs not pushing out and users hitting DC2 and not getting their profiles loaded so I've demoted DC2 so I'm just working off DC1 now.

    I know that DC1 isn't the sysvol authoritative server actually up to now, no DC was so can I make this the AD sysvol authoritative server?

    I want to make sure this DC is working perfectly before promoting another DC and running into the same issues.

    any help would be great? 

    take a look at this article, which warns against performing authoritative server changes unless really necessary
    https://support.microsoft.com/en-us/kb/2958414

    If you *do* head down the path of auth restore etc, this article may help:
    http://jackstromberg.com/2014/07/sysvol-and-group-policy-out-of-sync-on-server-2012-r2-dcs-using-dfsr/

    Also, note that you're discussing a DS/DFS issue within the GP forum - you will likely gather broader experiences/advice in another forum instead of here.


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Thursday, November 26, 2015 8:45 PM
    • Marked as answer by XanLia Friday, November 27, 2015 10:50 AM
    Thursday, November 26, 2015 8:41 PM
  • thanks for all your help

    The resolution to this for me was that I needed to complete an Authoritative /non-authoritative sysvol restore.  GPOs are now replicating successfully between DCs.

    • Marked as answer by XanLia Friday, December 04, 2015 9:48 AM
    Friday, December 04, 2015 9:48 AM

All replies

  • Hi

     

    The FSMO server recently went down unexpectedly so FSMO was forced to the 2nd DC.

    A new DC was then created and is now replicating with the other server but I've noticed a major issue now with sysvol >>>> Did you do a metadata cleanup to completely remove this problematic DC? Also, did you promote the new server with the same hostname and IP as this problematic DC (that's the point)?

    please check "dcdiag" on dc for health...

    Also you can check these articles for "Restoring and Rebuilding SYSVOL"

    https://technet.microsoft.com/en-us/library/cc816596(v=ws.10).aspx

    https://support.microsoft.com/en-us/kb/315457
    http://support.microsoft.com/kb/290762 to perform the D4 & D2.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Wednesday, November 25, 2015 2:41 PM
  • Hi Burak,

    No the server that died was a different named DC to the new one that was promoted.

    So for example DC1 was FSMO and DC2 was the 2nd DC.

    DC1 died so I forced DC2 as FSMO and then completed a dc promo on DC3

    I'll complete a metadata cleanup and follow the restoring & rebuilding sysvol articles you sent me thanks.

    Wednesday, November 25, 2015 3:04 PM
  • yeah metadata was run and there's no trace of the old DC in AD DS

    dcdiag has been run and it passes all successfully except for one part

    Testing Server: DFSREvent

    There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing sysvol replication problems may cause Group Policy problems.

    ...................................... server failed test DFSREvent

    There's plenty of errors in the  such as event 5002

    The DFS replication service encountered an error communicating with partner 'DC01' (old FSMO server that died) for replication group Domain System Volume.

    Event 5008 and Event 4612 are now showing 

    5008 is a similar event to 5002

    The DFS Replication service failed to communicate with partner DC01 (old FSMO server) for replication group Domain System Volume.  this error can occur if the host is unreachable, or if the DFS Replication service is not running on the server. (but it is actually running)

    As I said earlier, for this error I found a KB that advised that the primary server was pointing to the wrong server in HKLM/currentcontrolset/services/DFSR/Parameters/sysvols/seedingSysVols/domain, the parent company server was the old FSMO server. and change the server from the old FSMO server (DC1) to the new FSMO server DC2.


    • Edited by XanLia Wednesday, November 25, 2015 4:13 PM
    Wednesday, November 25, 2015 4:01 PM
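
The symptom described in the post above (events 5002 and 5008 naming a partner that is no longer a DC) can be triaged with a short script. This is an added example, not part of the original thread: the function name, the `DC02`/`DC03` names and the sample events are constructed, with message wording modeled on the text quoted in the post.

```powershell
# Added example: Get-StaleDfsrPartner and $sample are hypothetical names;
# the sample events are constructed from the wording quoted in this thread.
function Get-StaleDfsrPartner {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # need Id, TimeCreated, Message
        [Parameter(Mandatory)] [string[]] $LiveDCs   # short names of current DCs
    )
    # Partner name may be quoted ('DC01') or bare, short or fully qualified.
    $pattern = "partner\s+'?(?<name>[A-Za-z0-9][A-Za-z0-9.-]*?)'?\s+for replication group"
    $live    = @($LiveDCs | ForEach-Object { $_.ToUpperInvariant() })
    $stale   = @{}

    foreach ($e in $Events) {
        if ($e.Id -notin 4612, 5002, 5008)        { continue }
        if (-not ($e.Message -match $pattern))    { continue }   # no partner named
        $name = ($Matches['name'] -split '\.')[0].ToUpperInvariant()
        if ($name -in $live)                      { continue }   # partner still exists
        if (-not $stale.ContainsKey($name)) {
            $stale[$name] = [pscustomobject]@{
                Partner = $name; Count = 0; EventIds = @(); LastSeen = [datetime]::MinValue
            }
        }
        $s = $stale[$name]
        $s.Count++
        $s.EventIds = @($s.EventIds + $e.Id | Sort-Object -Unique)
        if ($e.TimeCreated -gt $s.LastSeen) { $s.LastSeen = $e.TimeCreated }
    }
    $stale.Values | Sort-Object Count -Descending
}

# Constructed sample events (not real log data).
$grp = 'for replication group Domain System Volume.'
$sample = @(
    [pscustomobject]@{ Id = 5002; TimeCreated = [datetime]'2015-11-25T15:40:00'
        Message = "The DFS Replication service encountered an error communicating with partner 'DC01' $grp" }
    [pscustomobject]@{ Id = 5008; TimeCreated = [datetime]'2015-11-25T15:45:00'
        Message = "The DFS Replication service failed to communicate with partner DC01 $grp" }
    [pscustomobject]@{ Id = 5008; TimeCreated = [datetime]'2015-11-25T15:50:00'
        Message = "The DFS Replication service failed to communicate with partner DC03 $grp" }
)

# DC02 and DC03 are the assumed surviving DCs; DC01 is reported as stale.
Get-StaleDfsrPartner -Events $sample -LiveDCs 'DC02', 'DC03'

# On a DC, pass live events instead of $sample:
#   Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 4612, 5002, 5008 }
```

Any partner this reports is a name DFSR is still trying to reach that is not in the list of current DCs, which is the condition the poster found by reading the event log by hand.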
  • Thanks again Burak, but I don't have the parameters listed in the below KB as I'm using windows server 2012

    https://social.technet.microsoft.com/forums/windowsserver/en-US/24c820da-960a-4ebd-8892-8fc291393543/dfsr-event-id-5008

    Wednesday, November 25, 2015 5:04 PM
  • I've just seen that I've no Authoritative server.

    I think this is the next step but because I've no backup I'm not sure if it can actually be done cause where is it going to find the restore point?

    so can I make the new FSMO DC the authoritative DC and assume it'll run like clockwork?

    close to breakdown

    Wednesday, November 25, 2015 5:24 PM
  • Hi

    I guess the main issue is about connectivity; first check these step by step

    • General network connectivity issues
    • DNS errors
    • Firewall settings
    • Lack of software updates on replication partners

    Also you can specifically check the ports with Network Monitor https://support.microsoft.com/en-us/kb/154596

    This is a detailed troubleshooting article about connectivity issues (DFSR Event 5002 (DFS Replication))

    http://social.technet.microsoft.com/wiki/contents/articles/1207.dfsr-event-5002-dfs-replication.aspx


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Wednesday, November 25, 2015 6:11 PM
  • I've had lots of issues with this.

    My major concern was with GPOs not pushing out and users hitting DC2 and not getting their profiles loaded so I've demoted DC2 so I'm just working off DC1 now.

    I know that DC1 isn't the sysvol authoritative server actually up to now, no DC was so can I make this the AD sysvol authoritative server?

    I want to make sure this DC is working perfectly before promoting another DC and running into the same issues.

    any help would be great? 

    Thursday, November 26, 2015 5:02 PM
  • To make sure, run

    - Dcdiag and check the health status

    - dcdiag /test:dns check dns service

    - netdom query fsmo check the dc holds 5 fsmo roles.

    - ipconfig /all check ip configuration correct..


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Thursday, November 26, 2015 6:16 PM