Sysvol Replication and Group Policy Error

  • Question

  • I have been experiencing the errors above in my organization for a while. The volume of errors is daunting; I don't even know where to start troubleshooting. Your assistance will be well appreciated. I ran dcdiag /V /C /D /E /s on one of my domain controllers; the result is below:

    SVR-HQ-S001
    There are warning or an error event within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group Policy problems.
    EventID: 0x800034C4 (FrsEvent)
    The File Replication Service is having trouble enabling replication from SVR-DC2-S001 to SVR-HQ-S001 for c:\windows\sysvol\domain using the DNS name SVR-dc2-s001.MYDOMAIN.com. FRS will keep Retrying.
    Likely problems:
    [1] FRS can not correctly resolve the DNS name  SVR-dc2-s001.MYDOMAIN.com from this  computer.  [2] FRS is not running on SVR-dc2-s001.MYDOMAIN.com.  [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
    The DFS Replication Event Log
    EventID: 0x8000D00A/0x000003EC/0x000003E9/0xC0006598/0xC000002A/ 0xC0000028/0x86012002/0xC000043D/0x40000022/0x00000065/0x00000067/0x0000006C/0xC0000029
    Checking Service: RpcSs
    Error - Invalid service type: RpcSs on SVR-HQ-S001, current value  WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
    test: SystemLog
    EventID: 0xC00010E1: The name "DOMAIN     :1d" could not be registered on the interface with IP address  10.1.8.28. The computer with the IP address  10.1.11.54 did not allow the name to be claime by this computer.
    EventID: 0xC000001B: While processing a TGS request for the target  server krbtgt/MYDOMAIN.COM, the account  adrmsadmin@MYDOMAIN.COM did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 8). The requested etypes were 18. The accounts available etypes were 23  -133  -128  3  1. (also webadmin2@MYDOMAIN.COM, SVR-DC1-ADRMS2$@MYDOMAIN.COM, SVR-TECH-W068$@MYDOMAIN.COM, testadmin, sadmin@MYDOMAIN.COM, akinwumit@MYDOMAIN.COM, SVR-TECH-W300$@MYDOMAIN.COM, besadmin@MYDOMAIN.COM,
    EventID: 0x0000165B: The session setup from computer 'DMG41200-01164' failed because the security database does not  contain a trust account 'DMG41200-01164$' referenced by the specified computer. 
    (also 'CONTROL-LP25', ‘SVR-LIGALI-W22', SVR-EXCH-SIEBEL, SVR-UMU1-W01$,SVR-LAF1-W10$,SVR-NTW-MONITOR, SVR-LIG-W01$,SVR-SBL-WEB3, SVR-HQ-S017, SVR-BRD1-W200,)
    User actions:
    If this is the first occurrence of this event for  the specified computer and account, this may be a transient issue that doesn't require any action at this time. Otherwise, the following steps may be taken to resolve this problem: If 'DMG41200-01164$' is a legitimate machine  account for the computer 'DMG41200-01164', then  'DMG41200-01164' should be rejoined to the domain.    
     If 'DMG41200-01164$' is a legitimate interdomain trust account, then the trust should be recreated.    Otherwise, assuming that 'DMG41200-01164$' is not a legitimate account, the following action should  be taken on 'DMG41200-01164':   If 'DMG41200-01164' is a Domain Controller, then the trust associated with 'DMG41200-01164$' should be deleted.  If 'DMG41200-01164' is not a Domain Controller,  it should be disjoined from the domain.
    EventID: 0x000016AF: During the past 4.25 hours there have been 6788 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.  The names and IP addresses of the clients in question have been logged on this computer in the following log file 'SystemRoot\debug\netlogon.log' and, potentially,in the log file SystemRoot\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes.  The current maximum size is 20000000 bytes.  To set a different maximum size, create the above registry value and set the desired maximum size in bytes.
    Test: Verifyenterprisereferences
    The following problems were found while verifying various important DN references.  Note, that  these problems can be reported because of latency in replication.  So follow up to resolve the following  problems, only if the same problem is reported on all DCs for a given domain or if  the problem persists after replication has had reasonable time to replicate changes.

    [1] Problem: Missing Expected Value Base Object: CN=ANCHOR,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=com Base Object Description: "SYSVOL FRS Member Object"  Value Object Attribute Name: serverReference Value Object Description: "DC Account Object" Recommended Action: Check if this server is deleted, and if so clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge  Base Article:  Q312862.
    [3] Problem: Missing Expected Value Base Object: CN=SVR-IBD1-S01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=com
     Base Object Description: "SYSVOL FRS Member Object" Value Object Attribute Name: serverReference  Value Object Description: "DC Account Object"  Recommended Action: Check if this server is deleted, and if so clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge Base Article:  Q312862 (Also, SVR-OSO1-S01, SVR-IKO1-S01, SVR-VI1-S01, SVR-KAD1-S01, SVR-ONK1-S01, SVR-WAR1-S01, SVR-ASA1-S01, SVR-JOS1-S01, SVR-ONI1-S01, SVR-CAB1-S01, SVR-AGU1-S02, SVR-AKR1-S02, SVR-HQ-S010, WEBMAIL, SVR-BRD1-S03, SVR-BRD1-S00003, SVR-HQ-SMSERVER, SVR-APA2-S01, SVR-UYO1-S01, SVR-IKJ2-S01, SVR-PHC3-S01, SVR-PHC4-S01, SVR-IBD2-S01, SVR-IPJ1-S01, SVR-PAM1-S01, SVR-ADK1-S01, SVR-HQ-S012, SVR-KAT1-S01, SVR-ASH1-S01, SVR-TRN1-S09, SVR-ABL1-S01, SVR-MDG1-S02, SVR-BON1-S01, SVR-TIN1-S01, SVR-KAN1-S04, SVR-HQ-S014, SVR-HQ-S006, SVR-GOM1-S02, SVR-HQ-S009, SVR-IKT1-S01,SVR-AKO1-S02,SVR-ENU1-S01,SVR-IDJ1-S01,SVR-BEN2-S01,SVR-NNW1-S02,SVR-ALB1-S02,SVR-KAN1-S01,SVR-UMU1-S01,SVR-TRD1-S01,SVR-APA5-S01)

     HQ\SVR-DC1-S001 
        Starting test: FrsEvent
     There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause  Group Policy problems.
    EventID: 0x800034C4  Event String: -  The File Replication Service is having trouble enabling replication from SVR-DC2-S001 to SVR-DC1-S001 for c:\windows\sysvol\domain using the DNS name SVR-dc2-s001.MYDOMAIN.com. FRS will keep retrying.  - The File Replication Service is having trouble enabling replication from SVR-DC2-S004 to SVR-DC1-S001 for c:\windows\sysvol\domain using the DNS name SVR-DC2-S004.MYDOMAIN.com. FRS will keep retrying.  Following are some of the reasons you would see this warning.
     [1] FRS can not correctly resolve the DNS name SVR-dc2-s001.MYDOMAIN.com from this computer
     [2] FRS is not running on SVR-dc2-s001.MYDOMAIN.com.  [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers. 
    The File Replication Service is having trouble enabling replication from SVR-DC2-S004 to SVR-DC1-S001 for c:\windows\sysvol\domain using the DNS name SVR-DC2-S004.MYDOMAIN.com. FRS will keep retrying.  Following are some of the reasons you would see this warning.
    [1] FRS can not correctly resolve the DNS name SVR-DC2-S004.MYDOMAIN.com from this computer.  [2] FRS is not running on SVR-DC2-S004.MYDOMAIN.com.  [3] The topology information in the Active Directory Domain Services for this replica has not yet replicated to all the Domain Controllers.
    test: Replications
             * Replications Check
             DC=ForestDnsZones,DC=MYDOMAIN,DC=com has 33 cursors.
             DC=DomainDnsZones,DC=MYDOMAIN,DC=com has 28 cursors.
             CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=com has 238 cursors.
             CN=Configuration,DC=MYDOMAIN,DC=com has 238 cursors.
             DC=MYDOMAIN,DC=com has 231 cursors.
             * Replication Latency Check
                DC=ForestDnsZones,DC=MYDOMAIN,DC=com
                   Latency information for 25 entries in the vector were ignored.
                      25 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                DC=DomainDnsZones,DC=MYDOMAIN,DC=com
                   Latency information for 20 entries in the vector were ignored.
                      20 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                CN=Schema,CN=Configuration,DC=MYDOMAIN,DC=com
                   Latency information for 230 entries in the vector were ignored.
                      230 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                CN=Configuration,DC=MYDOMAIN,DC=com
                   Latency information for 230 entries in the vector were ignored.
                      230 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
                DC=MYDOMAIN,DC=com
                   Latency information for 223 entries in the vector were ignored.
                      223 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc's no longer replicating this nc.  0 had no latency information (Win2K DC). 
    test: SystemLog
    EventID: 0x00000065: The assignment of application DeviceLock Service from policy Password Policy Update failed.  The error was : %%1274
    EventID: 0x00000067: The removal of the assignment of application DeviceLock Service from policy Password Policy Update failed.  The error was : %%2
    EventID: 0x0000006C: Failed to apply changes to software installation settings.  The installation of software deployed through Group Policy for this user has been delayed until the next logon because the changes must be applied before the user logon.  The error was : %%1274
    EventID: 0x000016AD: The session setup from the computer( SVR-HQ-S017, SVR-BRD1-W200,) failed to authenticate. The following error occurred:  Access is denied.

    Test: Verifyenterprisereferences
    The following problems were found while verifying various important DN references.  Note, that  these problems can be reported because of latency in replication.  So follow up to resolve the following  problems, only if the same problem is reported on all DCs for a given domain or if  the problem persists after replication has had reasonable time to replicate changes.

    [1] Problem: Missing Expected Value Base Object: CN=ANCHOR,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=com Base Object Description: "SYSVOL FRS Member Object"  Value Object Attribute Name: serverReference Value Object Description: "DC Account Object" Recommended Action: Check if this server is deleted, and if so clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge  Base Article:  Q312862.
    [3] Problem: Missing Expected Value Base Object: CN=SVR-IBD1-S01,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=MYDOMAIN,DC=com
     Base Object Description: "SYSVOL FRS Member Object" Value Object Attribute Name: serverReference  Value Object Description: "DC Account Object"  Recommended Action: Check if this server is deleted, and if so clean up this DCs SYSVOL FRS Member Object.  Also see Knowledge Base Article:  Q312862

    HQ\SVR-DC2-S001
    test: RidManager:  Warning :There is less than 17% available RIDs in the current pool


    Site2\SVR-BDC-01
    Test: DFSREvent : There are warning or error events within the last 24 hours after the SYSVOL has been shared.  Failing SYSVOL replication problems may cause Group Policy problems.
    EventID: 0xC0000422: Unused message
    EventID: 0xC0000406: Encountered exception 0xc0000005 attempting to format the event  record! The event record data is bad!
    test: Services: Checking Service: RpcSs  Invalid service type: RpcSs on ABG-BDC-01, current value  WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS
    test: SystemLog:
    The System Event log test
     EventID: 0x000016AD The session setup from the computer SVR-UMU1-W01 failed to authenticate. The following error occurred:  %%5   EventID: 0x00000457 (Event String (event log = System) could not be retrieved,error 0x13d)

    Site2\SVR-DC2-S004

    • Moved by Elytis Cheng Monday, August 15, 2011 5:32 AM (From:Group Policy)
    • Changed type Elytis Cheng Thursday, August 18, 2011 3:15 AM
    Saturday, August 13, 2011 7:25 PM
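
The 0x000016AF event in the output above says to search netlogon.log for 'NO_CLIENT_SITE:' lines to find clients whose subnets map to no site. The following is an added example, not part of the original post or any reply: the function name, the /24 grouping and the sample lines are assumptions, and the sample host names and addresses are constructed.

```powershell
# Added example (not from the thread). Requires PowerShell 3.0 or later.
# Summarises NO_CLIENT_SITE entries by network so that missing subnet objects
# in Active Directory Sites and Services can be identified.
function Get-NoClientSiteSummary {
    param(
        [string[]]$Line,            # lines read from netlogon.log / netlogon.bak
        [ValidateRange(8, 32)]
        [int]$PrefixLength = 24     # assumption: candidate subnets are /24
    )

    # Per the event text: first word after the marker is the client name,
    # second word is the client IP address.
    $pattern = 'NO_CLIENT_SITE:\s+(?<name>\S+)\s+(?<ip>\S+)'

    $rows = foreach ($entry in $Line) {
        if ($entry -match $pattern) {
            $name = $Matches['name']
            $addr = $null
            # Skip malformed or non-IPv4 addresses instead of failing the run.
            if (-not [System.Net.IPAddress]::TryParse($Matches['ip'], [ref]$addr)) { continue }
            if ($addr.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { continue }

            # Mask each octet down to the network address for the chosen prefix.
            $octets = $addr.GetAddressBytes()
            $network = for ($i = 0; $i -lt 4; $i++) {
                $bits = [Math]::Min(8, [Math]::Max(0, $PrefixLength - 8 * $i))
                $mask = (0xFF -shl (8 - $bits)) -band 0xFF
                $octets[$i] -band $mask
            }
            [pscustomobject]@{
                Client  = $name
                Network = '{0}/{1}' -f ($network -join '.'), $PrefixLength
            }
        }
    }

    # One row per network, busiest first, with the distinct clients seen in it.
    $rows | Group-Object Network | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Network = $_.Name
            Hits    = $_.Count
            Clients = ($_.Group.Client | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample lines (not taken from the poster's log).
$sample = @(
    '08/13 18:02:11 MYDOMAIN: NO_CLIENT_SITE: WKS-EXAMPLE-01 10.20.30.15'
    '08/13 18:02:40 MYDOMAIN: NO_CLIENT_SITE: WKS-EXAMPLE-02 10.20.30.77'
    '08/13 18:03:05 MYDOMAIN: NO_CLIENT_SITE: WKS-EXAMPLE-01 10.20.30.15'
    '08/13 18:04:19 MYDOMAIN: NO_CLIENT_SITE: WKS-EXAMPLE-03 10.20.44.9'
    '08/13 18:05:00 MYDOMAIN: NO_CLIENT_SITE: WKS-EXAMPLE-04 not-an-address'
    '08/13 18:05:30 [LOGON] unrelated debugging line'
)
Get-NoClientSiteSummary -Line $sample | Format-Table -AutoSize

# Against a real log on a domain controller (path as given in the event text):
# Get-NoClientSiteSummary -Line (Get-Content "$env:SystemRoot\debug\netlogon.log")
```

Each network listed with a high hit count is a candidate for a subnet object mapped to the nearest site; compare the prefix length against the real addressing plan before creating it.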

Answers

  • Hi,

    With the information that you uploaded, I found some errors, and here are some references for troubleshooting:

    1.    An net use or LsaPolicy operation failed with error 1203, No network provider accepted the given network path..

    It seems that the netlogon share, and also more DCs that exist in the domain, can't be connected to.

    Check the status of the SYSVOL and NETLOGON shares. Also, please refer to:

    Troubleshooting missing SYSVOL and NETLOGON shares on Windows domain controllers

    http://support.microsoft.com/kb/257338/en-us

    2.    Fatal Error:DsGetDcName (PLUTO) call failed, error 1722

    It seems that there is a DNS-related issue. The RPC server is unavailable.

    To troubleshoot this issue, please refer to the following links:

    Troubleshooting RPC Endpoint Mapper errors

    http://support.microsoft.com/kb/839880

    Hope this helps!

    • Marked as answer by Elytis Cheng Sunday, August 21, 2011 2:24 AM
    Thursday, August 18, 2011 10:19 AM

All replies

  • Hi,

    I believe you've received a journal wrap error in your environment. Is the sysvol folder shared?

    The article below will definitely help you understand "how this occurs" and "how to resolve".

    Awinish shared this article in another thread and the author of the blog explained it clearly.

    take a look..

    http://blogs.technet.com/b/instan/archive/2009/07/14/what-happens-in-a-journal-wrap.aspx

    The related thread on this.. http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/955a28cc-3468-4f5a-9a87-653624b06150 


    Regards, Mohan R Sr. Administrator - Server Support
    Sunday, August 14, 2011 10:34 AM
  • Hello,

    Please upload the following files to Windows Sky Drive and also describe the OS versions used, incl. SP/patch level, from the DCs:

    ipconfig /all >c:\ipconfig.txt [from each DC/DNS Server]
    dcdiag /v /c /d /e /s:dcname >c:\dcdiag.txt
    repadmin /showrepl dc* /verbose /all /intersite >c:\repl.txt  ["dc*" is a placeholder for the starting name of the DCs if they all begin the same (if more than one DC exists)]
    dnslint /ad /s "DCipaddress" (http://support.microsoft.com/kb/321045)


    As the output will become large, DON'T post them into the thread, please use Windows Sky Drive (skydrive.live.com) [with open access!] and add the link from it here. Also the /e in dcdiag scans the complete forest, so better run it on COB.

    Also have a look into: http://msmvps.com/blogs/mweber/archive/2011/02/07/possible-error-messages-on-windows-server-2008-and-windows-server-2008-r2-domain-controllers.aspx


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Sunday, August 14, 2011 12:03 PM
  • Hi,

    It may occur with a missing sysvol share.

    Please refer to the following links to troubleshoot this issue:

    How to rebuild the SYSVOL tree and its content in a domain

    http://support.microsoft.com/kb/315457

    Using the BurFlags registry key to reinitialize File Replication Service replica sets

    http://support.microsoft.com/kb/290762

    Troubleshooting Active Directory Replication Problems

    http://technet.microsoft.com/en-us/library/bb727057.aspx

    If the issue persists, please collect the information Meinolf asked for, for further analysis.

    Hope this helps!

    Monday, August 15, 2011 8:38 AM
  • Thank you for your offer.

    I ran all the above diagnostics and I have uploaded them to Windows Skydrive. Find the link below:

    https://skydrive.live.com/redir.aspx?cid=1ec02dc57b71873f&resid=1EC02DC57B71873F!120

     

     

    Monday, August 15, 2011 12:03 PM
  • Hi,

    Please configure the permission so that we can get the information.

    Thanks!

    Wednesday, August 17, 2011 1:30 AM
  • You have access to it now.
    Wednesday, August 17, 2011 12:55 PM
  • Hello,

    The ipconfig output looks OK so far. Please disable unused NICs and remove registrations in DNS for the APIPA address if listed. Then run ipconfig /flushdns and ipconfig /registerdns and restart the netlogon service ONLY on these machines.

    How many DCs in total do you have, according to the output 8?

    Is there any firewall in between the DCs, and is it configured according to http://technet.microsoft.com/en-us/library/dd772723(WS.10).aspx?

    Were any of the machines restored from an unsupported backup such as images, file copies (VMs), clones or whatever option after a crash?

    Is the DHCP client service started on the DCs, required for correct DNS registration?

    Did you check as suggested in the dcdiag output with http://technet.microsoft.com/en-us/library/cc794759(WS.10).aspx ?


    Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.
    Wednesday, August 17, 2011 2:02 PM
  • Thanks for your reply.

     

    - The total number of DCs = 8

    - There are no firewalls between the Domain Controllers.

    - No machine is restored from backup images.

    - DHCP Client Service is started on all DCs.

    - I followed the steps on http://technet.microsoft.com/en-us/library/cc794759(WS.10).aspx ?

    but got stuck on the title: To update the DFS Replication member object

    Reason: There is no Domain System Volume under DFSR-GlobalSettings. Could this be the root of all the problems?

     

    Additionally I keep getting the error below on System Center Operation Manager on all DCs:

    - Asynchronous Group Policy Setting Causing Delay

    - Group Policy Extension Failure

    - Group Policy File Access: Group Policy processing requires network connectivity to one or more domain controllers

    - DNS Server Configuration: The DNS server configuration consists of the settings that determine how the DNS server will function on a network and how those settings are stored and retrieved when they are needed.

    - DNS Server Active Directory Integration error

    - DNS External Resolution Monitor throws up alerts

     

     

     

    Thursday, August 18, 2011 7:53 AM