Replication for Sysvol (Group Policy Files) Stopped

    Question

  • I am running 2 DCs on server 2012.  I have noticed that the contents of the following folders are inconsistent:

    c:\Windows\SYSVOL\sysvol\ads.contoso.com\Policies

    One server states that there are 82 items and the other server 79.  When I create policies they also do not replicate.

    I have run repadmin and dfsrdiag, which clearly state no replication is occurring.  I have tried the authoritative and non-authoritative methods to force the replication through ADSI Edit and still nothing.  I have pretty much spent the last 48 hours searching for solutions via Google and found nothing that works; this includes setting the MaxOfflineTimeInDays=380 just in case it was due to a stale system.

    Can anyone advise / assist with this issue?

    Thanks

    Saturday, January 28, 2017 11:32 AM

Answers

  • - Check that the ports for AD replication are not blocked on either side of the DCs.

    - Each DC's DNS IP address points to itself, and each DC has only one NIC.

    Then run "ipconfig /registerdns" and restart the Netlogon service. If the issue still persists, just perform a D2 restore on the problematic DC:

    https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-for-dfsr-replicated-sysvol-like-d4-d2-for-frs

    Also check this; http://www.absoluteuc.org/server_is_not_responding_or_is_not_considered_suitable


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Wednesday, February 1, 2017 5:46 PM

All replies

  • Hi

     The easiest way for your situation (you already tried the non-authoritative and authoritative restore process, etc.) is to forcefully demote the problematic DC, then perform a metadata cleanup and promote it as a domain controller again.

    Metadata cleanup ; https://technet.microsoft.com/en-us/library/cc816907(v=ws.10).aspx?f=255&mspperror=-2147217396

    Note: Also verify that all necessary ports are available between the DCs.

    https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

    http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Todd Heron Saturday, January 28, 2017 12:37 PM
    Saturday, January 28, 2017 11:41 AM
  • Hi,

    Thanks for your reply.  Surely if I conduct a metadata cleanup I won't need to demote the server, as the server is removed from all AD records during the metadata cleanup.  Do you agree?

    So my process would be to do the following:

    1.  Clean up metadata: ntdsutil (my preferred method)

    2.  Bring the server back up and remove the AD DS role.

    3.  Reboot, add new role AD DS & promote the server to a DC

    Do you agree?

    Sunday, January 29, 2017 12:14 PM
  • Hi

     Perform metadata cleanup, then promote a clean-installation OS server as a domain controller again. (I always prefer a clean OS installation for DCs.)


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, January 30, 2017 6:37 AM
  • Hi, I did this.  I have now promoted the DC but I have noticed that the Sysvol folder is empty.
    Monday, January 30, 2017 6:38 AM
  • Hi

     Check the port availability between the DCs. All necessary ports need to be accessible:

    https://technet.microsoft.com/en-us/library/dd772723(v=ws.10).aspx

    http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/

    You can also check with PortQryUI & network analysis tools:

    PortQryUI: https://www.microsoft.com/en-us/download/details.aspx?id=24009

    Otherwise, please share the "dcdiag" result from the newly promoted DC.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, January 30, 2017 6:44 AM
  • Hi,
    Metadata cleanup is a required procedure after a forced removal of Active Directory Domain Services (AD DS).
    Generally, we demote the DC and then clean up metadata, but backup is always the first step.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 30, 2017 6:50 AM
    Moderator
  • All firewalls are turned off because we have our own external firewalls.  Ports 389 are open on both DCs.  I am starting to wonder if the other DC has the problem too.  But this makes a problem considering I cannot replicate it with anything else before I fix this one

    UDP port 389 is LISTENING

    portqry.exe -n 10.32.34.6 -e 389 -p BOTH exits with return code 0x00000000.

    • Edited by ChrisUKDE Monday, January 30, 2017 7:02 AM
    Monday, January 30, 2017 7:01 AM
  • I promoted the new server to dc2 and ran dcdiag and got this error:

    Starting test: NetLogons
       Unable to connect to the NETLOGON share! (\\SDC\netlogon)
       [SDC] An net use or LsaPolicy operation failed with error 67, The network name cannot be found.

    Any clue?

    Monday, January 30, 2017 5:49 PM
  • Please share the "ipconfig /all" result from this problematic DC.

    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, January 30, 2017 6:15 PM
  • SDC

    Windows IP Configuration

       Host Name . . . . . . . . . . . . : SDC
       Primary Dns Suffix  . . . . . . . : ads.domain.net
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : ads.domain.net

    Ethernet adapter Ethernet:

       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) I210 Gigabit Network Connection
       Physical Address. . . . . . . . . : 0C-C4-7A-0C-D8-0E
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.32.34.6(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.32.34.1
       DNS Servers . . . . . . . . . . . : 10.32.34.5
                                           127.0.0.1
       NetBIOS over Tcpip. . . . . . . . : Enabled

    Tunnel adapter isatap.{348FC051-107A-43C5-ADEF-4C208B90FF5E}:

       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes

    PDC

    Windows-IP-Konfiguration


       Hostname  . . . . . . . . . . . . : PDC
       Primäres DNS-Suffix . . . . . . . : ads.domain.net
       Knotentyp . . . . . . . . . . . . : Hybrid
       IP-Routing aktiviert  . . . . . . : Nein
       WINS-Proxy aktiviert  . . . . . . : Nein
       DNS-Suffixsuchliste . . . . . . . : ads.domain.net

    Ethernet-Adapter Ethernet 2:

       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Red Hat VirtIO Ethernet Adapt
       Physische Adresse . . . . . . . . : 52-54-00-41-CC-D5
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja
       IPv4-Adresse  . . . . . . . . . . : 10.32.34.5(Bevorzugt)
       Subnetzmaske  . . . . . . . . . . : 255.255.255.0
       Standardgateway . . . . . . . . . : 10.32.34.1
       DNS-Server  . . . . . . . . . . . : 10.32.34.6
                                           127.0.0.1
       NetBIOS über TCP/IP . . . . . . . : Aktiviert

    Tunneladapter isatap.{43FF69EB-2DAD-4E4E-8F91-68B2504902C0}:

       Medienstatus. . . . . . . . . . . : Medium getrennt
       Verbindungsspezifisches DNS-Suffix:
       Beschreibung. . . . . . . . . . . : Microsoft-ISATAP-Adapter #2
       Physische Adresse . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP aktiviert. . . . . . . . . . : Nein
       Autokonfiguration aktiviert . . . : Ja

    A further note: on the SDC there are no Sysvol or netlogon folders displayed after running the command NET SHARE.

    Monday, January 30, 2017 6:40 PM
  • Each DC's DNS IP needs to be set to itself as primary and the other DC as the alternate. When you fix it, just run "ipconfig /flushdns", "ipconfig /registerdns".

    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Monday, January 30, 2017 7:39 PM
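
The DNS ordering rule stated in the reply above can be checked mechanically against `ipconfig /all` output. The following is an added example, not code from any poster in this thread; it assumes IPv4-only addressing, treats "itself" as the DC's own IPv4 address (not loopback), and handles the English and German labels that appear in the pasted output. The function names and the reordered sample are constructed for illustration.

```python
import re

# Field labels as printed by English and German Windows; both appear in this thread.
IPV4_LABELS = {"IPv4 Address", "IPv4-Adresse"}
DNS_LABELS = {"DNS Servers", "DNS-Server"}
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def parse_ipconfig(text):
    """Return (own IPv4 addresses, DNS servers in configured order)."""
    own, dns, in_dns = [], [], False
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        label = label.replace(".", "").strip()      # strip the ". . . ." leaders
        found = IPV4.search(value)
        if sep and label in IPV4_LABELS and found:
            own.append(found.group())               # drops "(Preferred)" / "(Bevorzugt)"
            in_dns = False
        elif sep and label in DNS_LABELS:
            in_dns = True
            if found:
                dns.append(found.group())
        elif in_dns and not sep and IPV4.fullmatch(line.strip()):
            dns.append(line.strip())                # continuation line: further DNS servers
        else:
            in_dns = False
    return own, dns

def check_dns_order(text):
    """Apply the reply's rule: primary DNS = this DC, alternate = the other DC."""
    own, dns = parse_ipconfig(text)
    findings = []
    if not dns or dns[0] not in own:
        findings.append("primary DNS is %s, not this DC (%s)"
                        % (dns[0] if dns else "unset", ", ".join(own)))
    partners = [ip for ip in dns[1:] if ip not in own and not ip.startswith("127.")]
    if not partners:
        findings.append("no other DC listed as alternate DNS")
    return findings

# Abridged from the ipconfig output posted earlier in the thread.
SDC_AS_POSTED = """
   IPv4 Address. . . . . . . . . . . : 10.32.34.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DNS Servers . . . . . . . . . . . : 10.32.34.5
                                       127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
PDC_AS_POSTED = """
   IPv4-Adresse  . . . . . . . . . . : 10.32.34.5(Bevorzugt)
   Subnetzmaske  . . . . . . . . . . : 255.255.255.0
   DNS-Server  . . . . . . . . . . . : 10.32.34.6
                                       127.0.0.1
"""
# Constructed: the same adapter after reordering as the reply describes.
SDC_REORDERED = """
   IPv4 Address. . . . . . . . . . . : 10.32.34.6(Preferred)
   DNS Servers . . . . . . . . . . . : 10.32.34.6
                                       10.32.34.5
"""

if __name__ == "__main__":
    for name, text in [("SDC as posted", SDC_AS_POSTED),
                       ("PDC as posted", PDC_AS_POSTED),
                       ("SDC reordered", SDC_REORDERED)]:
        print(name, "->", check_dns_order(text) or "matches the rule")
```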
  • So I have completed that.  No change though I am afraid
    Monday, January 30, 2017 9:51 PM
  • I thought you may like to see the dcdiag output.  It's a bit of a mess:


    Directory Server Diagnosis


    Performing initial setup:

       Trying to find home server...

       Home Server = SDC

       * Identified AD Forest. 
       Done gathering initial info.


    Doing initial required tests

       
       Testing server: Default-First-Site-Name\SDC

          Starting test: Connectivity

             ......................... SDC passed test Connectivity



    Doing primary tests

       
       Testing server: Default-First-Site-Name\SDC

          Starting test: Advertising

             Warning: DsGetDcName returned information for \\PDC.ads.domain.net,

             when we were trying to reach SDC.

             SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.

             ......................... SDC failed test Advertising

          Starting test: FrsEvent

             ......................... SDC passed test FrsEvent

          Starting test: DFSREvent

             There are warning or error events within the last 24 hours after the

             SYSVOL has been shared.  Failing SYSVOL replication problems may cause

             Group Policy problems. 
             ......................... SDC failed test DFSREvent

          Starting test: SysVolCheck

             ......................... SDC passed test SysVolCheck

          Starting test: KccEvent

             A warning event occurred.  EventID: 0x80000B46

                Time Generated: 01/30/2017   14:09:22

                Event String:

                The security of this directory server can be significantly enhanced by configuring the server to reject SASL (Negotiate,  Kerberos, NTLM, or Digest) LDAP binds that do not request signing (integrity verification) and LDAP simple binds that  are performed on a cleartext (non-SSL/TLS-encrypted) connection.  Even if no clients are using such binds, configuring the server to reject them will improve the security of this server. 


             A warning event occurred.  EventID: 0x800004C4

                Time Generated: 01/30/2017   14:09:26

                Event String:

                LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate. 


             ......................... SDC passed test KccEvent

          Starting test: KnowsOfRoleHolders

             ......................... SDC passed test KnowsOfRoleHolders

          Starting test: MachineAccount

             ......................... SDC passed test MachineAccount

          Starting test: NCSecDesc

             ......................... SDC passed test NCSecDesc

          Starting test: NetLogons

             Unable to connect to the NETLOGON share! (\\SDC\netlogon)

             [SDC] An net use or LsaPolicy operation failed with error 67,

             The network name cannot be found..

             ......................... SDC failed test NetLogons

          Starting test: ObjectsReplicated

             ......................... SDC passed test ObjectsReplicated

          Starting test: Replications

             ......................... SDC passed test Replications

          Starting test: RidManager

             ......................... SDC passed test RidManager

          Starting test: Services

             ......................... SDC passed test Services

          Starting test: SystemLog

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:23:38

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:23:38

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:23:39

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:23:39

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:23:39

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:23:39

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:33:39

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:33:39

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:33:40

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:33:40

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:33:40

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:33:40

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:43:40

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:43:40

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:43:41

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:43:41

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:43:41

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   13:43:41

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 01/30/2017   13:46:08

                Event String:

                Driver Samsung M2020 Series required for printer samprint is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 01/30/2017   13:46:09

                Event String:

                Driver Microsoft Print To PDF required for printer Microsoft Print to PDF is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 01/30/2017   13:46:09

                Event String:

                Driver Send to Microsoft OneNote 16 Driver required for printer Send To OneNote 2016 is unknown. Contact the administrator to install the driver before you log in again.

             A warning event occurred.  EventID: 0x000727A5

                Time Generated: 01/30/2017   13:51:56

                Event String:

                The WinRM service is not listening for WS-Management requests. 


             A warning event occurred.  EventID: 0xA004001B

                Time Generated: 01/30/2017   14:09:11

                Event String: Intel(R) I210 Gigabit Network Connection


             A warning event occurred.  EventID: 0x00001796

                Time Generated: 01/30/2017   14:09:25

                Event String:

                Microsoft Windows Server has detected that NTLM authentication is presently being used between clients and this server. This event occurs once per boot of the server on the first time a client uses NTLM with this server.


             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   14:09:26

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             A warning event occurred.  EventID: 0x00009016

                Time Generated: 01/30/2017   14:09:26

                Event String:

                No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 01/30/2017   14:11:50

                Event String:

                Driver Samsung M2020 Series required for printer samprint is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 01/30/2017   14:11:53

                Event String:

                Driver Microsoft Print To PDF required for printer Microsoft Print to PDF is unknown. Contact the administrator to install the driver before you log in again.

             An error event occurred.  EventID: 0x00000457

                Time Generated: 01/30/2017   14:12:06

                Event String:

                Driver Send to Microsoft OneNote 16 Driver required for printer Send To OneNote 2016 is unknown. Contact the administrator to install the driver before you log in again.

             ......................... SDC failed test SystemLog

          Starting test: VerifyReferences

             ......................... SDC passed test VerifyReferences

       
       
       Running partition tests on : ForestDnsZones

          Starting test: CheckSDRefDom

             ......................... ForestDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ForestDnsZones passed test

             CrossRefValidation

       
       Running partition tests on : DomainDnsZones

          Starting test: CheckSDRefDom

             ......................... DomainDnsZones passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... DomainDnsZones passed test

             CrossRefValidation

       
       Running partition tests on : Schema

          Starting test: CheckSDRefDom

             ......................... Schema passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Schema passed test CrossRefValidation

       
       Running partition tests on : Configuration

          Starting test: CheckSDRefDom

             ......................... Configuration passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... Configuration passed test CrossRefValidation

       
       Running partition tests on : ads

          Starting test: CheckSDRefDom

             ......................... ads passed test CheckSDRefDom

          Starting test: CrossRefValidation

             ......................... ads passed test CrossRefValidation

       
       Running enterprise tests on : ads.domain.net

          Starting test: LocatorCheck

             ......................... ads.domain.net passed test LocatorCheck

          Starting test: Intersite

             ......................... ads.domain.net passed test Intersite

    Monday, January 30, 2017 10:17 PM
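
Long dcdiag output like the post above is easier to triage once it is reduced to the failed tests, dcdiag's own messages for them, and a count per event ID. The following is an added example, not code from any poster in this thread; the function names are hypothetical and the sample is constructed and abridged from the output above, including a result line whose test name wraps onto the next line.

```python
import re
from collections import Counter

START = re.compile(r"^\s*Starting test:\s*(\S+)")
RESULT = re.compile(r"^\s*\.{5,}\s+(\S+) (passed|failed) test\b")
EVENT = re.compile(r"^\s*An? (\w+) event occurred\.\s+EventID:\s*(0x[0-9A-Fa-f]+)")

def summarize(text):
    """Return one dict per dcdiag test: name, target, outcome, notes, event counts."""
    tests, cur, in_event = [], None, False
    for line in text.splitlines():
        if not line.strip():
            continue                      # forum pastes often double-space the output
        m = START.match(line)
        if m:
            cur = {"test": m.group(1), "target": None, "outcome": None,
                   "notes": [], "events": Counter()}
            tests.append(cur)
            in_event = False
            continue
        if cur is None or cur["outcome"]:
            continue                      # headers, or the wrapped tail of a result line
        m = RESULT.match(line)
        if m:
            cur["target"], cur["outcome"] = m.groups()
            continue
        m = EVENT.match(line)
        if m:
            cur["events"][m.groups()] += 1    # key: (severity, event id)
            in_event = True
        elif not in_event:
            cur["notes"].append(line.strip()) # dcdiag's own message, not event text
    return tests

def failed_tests(tests):
    return [t["test"] for t in tests if t["outcome"] == "failed"]

def report(tests):
    """Render failed tests only, with repeated events collapsed to a count."""
    out = []
    for t in tests:
        if t["outcome"] != "failed":
            continue
        out.append(f'{t["target"]}: {t["test"]} FAILED')
        out += [f"    {note}" for note in t["notes"]]
        out += [f"    {kind} {eid} x{n}" for (kind, eid), n in t["events"].items()]
    return "\n".join(out)

# Constructed sample, abridged from the dcdiag output posted above.
SAMPLE = r"""
   Testing server: Default-First-Site-Name\SDC
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\PDC.ads.domain.net,
         when we were trying to reach SDC.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... SDC failed test Advertising
      Starting test: SysVolCheck
         ......................... SDC passed test SysVolCheck
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\SDC\netlogon)
         ......................... SDC failed test NetLogons
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 01/30/2017   13:23:38
            Event String:
            No suitable default server credential exists on this system.
         A warning event occurred.  EventID: 0x00009016
            Time Generated: 01/30/2017   13:33:39
         An error event occurred.  EventID: 0x00000457
            Time Generated: 01/30/2017   13:46:08
         ......................... SDC failed test SystemLog
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test
         CrossRefValidation
"""

if __name__ == "__main__":
    print(report(summarize(SAMPLE)))
```

Run against the full paste, this separates the Advertising and NetLogons failures from the repeated certificate and printer-driver events logged under SystemLog.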
  • Wendy,

    Do you have any ideas for me?

    If it looks like my DC is tombstoned how can I get the AD data from it and transfer to a new DC?

    Tuesday, January 31, 2017 6:18 PM
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    If the replies above are helpful, we would appreciate it if you marked them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    I appreciate your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, February 3, 2017 8:06 AM
    Moderator
  • Hi, everything is running perfectly. I conducted an authoritative restore and now it's replicating.
    Friday, February 3, 2017 10:12 AM