No SYSVOL & NETLOGON on a DC (FRS is broken)

    Question

  • Need some help on the subject.

    On one of the DCs, FRS is not working...

    Have tried D4/D2 (Auth/non-auth) restore to no avail.

    NtFrs logs amongst others: 

    - ERROR - Invalid Partner: AuthClient:domain name\dcname$

    - DS: ERROR - Can't free system member DCname:  Ldap Status: Insufficient Rights

    - DS: Marking connection inconsistent

    I can also see that there is no GUID in the Cumulative Replica Sets/Replica Sets in the registry of the affected DC...

    I have tried to recreate the missing objects (CN=NTFRS Subscriptions etc.) using ADSIEdit but getting the GUID back in the registry is the issue..

    D2 is not working because no GUID set for Cumulative Replica Sets/Replica Sets.

    Any help/advice on resolving this would be appreciated.

    NOTE:

    DC is Windows 2012 R2, SYSVOL still uses FRS. When this is resolved and no issues with all DCs, FRS would be migrated to DFSR...

    Please help.

    Thanks.


    Thursday, December 04, 2014 1:58 PM


All replies

  • Hi,

    I think you may check the health of DC by running dcdiag /q and repadmin /replsummary , is there any error?

    Regards.


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com


    Friday, December 05, 2014 8:48 AM
    Moderator
  • Hello Vivian,

    DC is replicating fine. No issues with AD replication. It's just the SYSVOL FRS which is troubled.

    repadmin /replsum & showrepl shows no issues.

    Dcdiag /q  reports---> DC failed test advertising and netlogons.  unable to connect  to the NETLOGON share! A net use or Lsapolicy operation failed with error 67....


    Friday, December 05, 2014 8:57 AM
  • Have you come across this link below? Check it out, it might help:

    http://support.microsoft.com/kb/2218556


    Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
    IT Stuff Quick Bytes

    Friday, December 05, 2014 9:06 AM
  • Hello cguan,

    Thanks. I have not seen the link before...

    However, it's not applicable to this situation as SYSVOL currently uses FRS to function and not DFSR.

    When this issue is resolved, dfsrmig tool would be used to migrate FRS to DFSR.

    Friday, December 05, 2014 9:30 AM
  • Hi,

    Sorry for the delayed reply.

    So did you use the BurFlags registry key to reinitialize File Replication Service replica sets as this article mentioned?

    http://support.microsoft.com/kb/290762/

    Regards.



    Monday, December 15, 2014 5:08 AM
    Moderator
  • Hello Vivian,

    Thanks very much for getting back to me. Yes I saw that link and tried it out but to no avail because the replica sets GUIDs were missing etc.

    I resolved the issue by demoting the DC and re-promoting it. FRS worked after re-promotion and was able to migrate FRS to DFSR successfully. So SYSVOL is now using DFSR on all DCs.

    Once again, thanks for your help.

    • Proposed as answer by cguan Tuesday, December 16, 2014 2:03 AM
    • Marked as answer by TUNLIX Tuesday, December 16, 2014 7:58 AM
    Monday, December 15, 2014 12:40 PM
  • Since this was the only thread I could find with the exact error:-

    "DS: ERROR - Can't free system member DCname:  Ldap Status: Insufficient Rights"

    I thought I'd add my 2p (albeit 2 years later), based on the exact same scenario of needing to update to 2012 R2 prior to moving to DFSR, and simply demoting/promoting didn't fix for me...

    When you enable verbose debug logging:

    HKLM\System\CurrentControlSet\Services\ntfrs\Parameters - Debug Log Severity (DWORD) - 5

    ... And restart the service, you will get an extra line just before the "Can't free system member" which actually gives you the info you need; the process of freeing system member is actually it trying to delete the whole object from within the FRS container:-

    CN=YourDCName,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,DC=YourDomain,DC=COM

    And the reason for me that this process couldn't complete was because the "Protect from Accidental Deletion" flag was set on the AD object, which puts a Deny Delete under the Everyone context, trumping any other ACLs.

    Removing this flag / the deny ACL, then restarting NTFRS service will suddenly kick FRS into life.

    (Un)Protect from accidental deletion

    You can see this in Active Directory Users and Computers (no ADSIEdit needed), by enabling the Advanced Features item within the View menu.

    Don't forget to disable verbose logging once you're done!



    • Edited by Sizzl Monday, August 01, 2016 12:18 PM
    Monday, August 01, 2016 12:15 PM
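
The check described in the last reply can be scripted. This is an added example, not code from any poster in the thread: it lists every FRS member object under the SYSVOL replica set, shows which ones carry the "Protect from accidental deletion" flag and its Deny Delete ACE for Everyone, and previews clearing the flag on one DC. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that `YourDCName` (the placeholder from the post) is replaced with the affected DC.

```powershell
# Added example: audit FRS SYSVOL member objects for deletion protection.
# Assumes the ActiveDirectory module (RSAT) and sufficient rights on the domain.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$frsBase  = "CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$domainDn"

# Each DC has one nTFRSMember object directly under the SYSVOL replica set.
$members = Get-ADObject -SearchBase $frsBase -SearchScope OneLevel `
    -LDAPFilter '(objectClass=nTFRSMember)' `
    -Properties ProtectedFromAccidentalDeletion, nTSecurityDescriptor

$everyone  = 'S-1-1-0'   # well-known SID for Everyone, independent of OS language
$sidType   = [System.Security.Principal.SecurityIdentifier]
$deleteBit = [System.DirectoryServices.ActiveDirectoryRights]::Delete

$report = foreach ($m in $members) {
    # The protection flag is stored as a Deny ACE for Everyone that includes Delete.
    $deny = $m.nTSecurityDescriptor.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate($sidType).Value -eq $everyone -and
        ($_.ActiveDirectoryRights -band $deleteBit)
    }
    [pscustomobject]@{
        Member     = $m.Name
        Protected  = $m.ProtectedFromAccidentalDeletion
        DenyDelete = [bool]$deny
        DN         = $m.DistinguishedName
    }
}
$report | Format-Table -AutoSize

# Clear the flag only on the DC whose NtFrs debug log shows
# "Can't free system member ... Insufficient Rights".
$affectedDc = 'YourDCName'   # placeholder, replace with the affected DC
$report | Where-Object { $_.Member -eq $affectedDc -and $_.Protected } | ForEach-Object {
    # -WhatIf only previews the change; remove it to apply.
    Set-ADObject -Identity $_.DN -ProtectedFromAccidentalDeletion $false -WhatIf
}

# After applying the change, restart FRS on the affected DC:
# Restart-Service -Name NtFrs
```

A row where `Protected` is False but `DenyDelete` is True means a Deny ACE was set by hand rather than through the checkbox, and it has to be removed on the object's Security tab.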