New DC never shares sysvol or NTDS and gets Event 13565 and then 13508 Trouble replicating?

  • Question

  • I have an old 2003 DC that (as part of the migration process) is being upgraded to R2, and then I'm installing a 2008 R2 server to be our new DC and file server. I do the ADPrep on the old server, then DCPromo the 2008 server, and it creates the sysvol folder, but it never shares it, never replicates it. I'm doing a run through before the actual move scheduled for this weekend, and I haven't been able to get around this in any of the tests. I tried disabling the firewall on 2008, as well as disabling ip6. I also confirmed that the old DC has DNS entries for the new DC (svr), and checked that the old DC is still set as the DNS server on the new DC. Everything that I've seen to check, but nothing gets me past the two errors:

    13565 File Replication Service is initializing the system volume with data from another domain controller. Computer NewDC cannot become a domain controller until this process is complete. The system volume will then be shared as SYSVOL.  AND

    13508 The File Replication Service is having trouble enabling replication from oldDC.ourdomain.net to newDC for c:\windows\sysvol\domain using the DNS name oldDC.ourdomain.net. FRS will keep retrying.

    I'm supposed to do this Sunday, and would REALLY like to have this resolved before we put it in place (rather than after and hope no other problems come up). Any suggestions are MUCH appreciated.

    Saturday, October 29, 2011 12:30 AM

All replies

  • I have seen many cases where, when we introduce a 2008 DC in the 2003 network, sometimes the sysvol and netlogon shares are not available and the sysvol content is not replicated, and you will get the event IDs 13565 & 13508 as you have mentioned.

    However, to fix this you need to perform authoritative and non-authoritative restore of sysvol. As you have two DCs in the network you need to take the backup of the sysvol folder (Policies & Scripts) of the old DC. Perform D2 (auth restore) on old DC and D4 (non-auth restore) on new 2008 DC.

    This is probably what you need to do to get it back. Essentially the "http://support.microsoft.com/kb/290762/" article.

     
    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Saturday, October 29, 2011 12:47 AM
  • Hi,

    did you only use ONE existing DC/DNS server as preferred on the NIC during the promotion process?

    I presume DC is also a DNS & GC & this DC is pointing to only local DNS server only, if not point it to local dns server as well as install latest Service pack & patches and run "ipconfig /flushdns & ipconfig /registerdns" and restart the server. Then give some time for replication and check again.

    Is that server any kind of multi-homed, more than one IP address or NIC used? If yes, please use a single NIC and single IP and disable the others.

    If the above doesn't help, use the KB articles below and perform D2 and D4; make 2003 authoritative (D4) and 2008 non-authoritative (D2): http://support.microsoft.com/kb/315457/ or http://support.microsoft.com/kb/290762

    FYI, D2 and D4: what is it for?
    http://blogs.technet.com/b/janelewis/archive/2006/09/18/457100.aspx

    Note: Prior to that please make sure that sysvol is backed up (copy and paste) on each DC.

    Hope this helps.
     
    Regards,
    Abhijit Waikar.
    -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.


    • Edited by Abhijit Waikar Saturday, October 29, 2011 3:11 AM
    • Proposed as answer by Diskman35 Friday, July 7, 2017 10:35 PM
    Saturday, October 29, 2011 1:37 AM
  • Correction of previous post: 

    You need to perform D4 (auth restore) on old DC and D2 (non-auth restore) on new 2008 DC.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Saturday, October 29, 2011 3:08 AM
  • Thanks. I went back and checked the old DC personally (the one still in use, not the VM I created from a backup of it) and found that it is already getting a 13568 event. In the original environment this is the only DC, so I'm wondering what my best option is to get that straight, and thinking it might resolve the issue when I migrate. Thoughts?
    Saturday, October 29, 2011 4:05 AM
  • If this is the only DC in the environment, take the backup of the sysvol folder (both policies and script folder) and perform authoritative restore (D4).

    Steps:
    D4, also known as authoritative:
    To complete an authoritative restore, stop the FRS service, configure the BurFlags registry key, and then restart the FRS service.
    To do so:
    1. Click Start, and then click Run.
    2. In the Open box, type cmd and then press ENTER.
    3. In the Command box, type net stop ntfrs.
    4. Click Start, and then click Run.
    5. In the Open box, type regedit and then press ENTER.
    6. Locate the following subkey in the registry:
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
    7. In the right pane, double click BurFlags.
    8. In the Edit DWORD Value dialog box, type D4 and then click OK.
    9. Quit Registry Editor, and then switch to the Command box.
    10. In the Command box, type net start ntfrs.
    11. Quit the Command box.
    When the FRS service is restarted, the following actions occur:
    • The value for the BurFlags registry key is set back to 0.
    • An event 13566 is logged to signal that an authoritative restore is started.
    • Files in the reinitialized FRS replicated directories remain unchanged and become authoritative on direct replication. Additionally, the files become indirect replication partners through transitive replication.
    • The FRS database is rebuilt based on current file inventory.
    • When the process is complete, an event 13516 is logged to signal that FRS is operational. If the event is not logged, there is a problem with the FRS configuration.

    Reference KB: http://support.microsoft.com/kb/290762

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

     

    • Marked as answer by MickBurke Tuesday, November 1, 2011 3:27 AM
    Saturday, October 29, 2011 4:36 AM
  • Hi,

    Event ID 13568 indicates that the server's replica set is in journal wrap state.

    To resolve the issue, perform D4 (Auth) restore on Old DC; it will recover the replica set from journal wrap and you will get 13516 on the server. Once you are done with the above, perform D2 (Non-auth) on new DC.

    Once again same KB, you will need to follow this: http://support.microsoft.com/kb/290762

    Regards,
    Abhijit Waikar.
    -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    • Marked as answer by MickBurke Tuesday, November 1, 2011 3:30 AM
    Saturday, October 29, 2011 4:42 AM
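
The BurFlags procedure from the two answers above as a script, added here as an example and not posted by any participant in the thread. The backup folder, the default SYSVOL path and the 15-minute timeout are assumptions; `Get-EventLog` is used so the same script also runs on a 2003 DC that has PowerShell installed.

```powershell
# Added example (not from the thread). Run elevated on the DC being reinitialized.
# Per the thread: D4 = authoritative (old DC), D2 = non-authoritative (new DC).
param(
    [ValidateSet('D4', 'D2')]
    [string]$BurFlags = 'D4',
    # Assumption: SYSVOL is at the path shown in the 13508 event text.
    [string]$SysvolDomain = 'C:\Windows\SYSVOL\domain',
    # Hypothetical backup destination outside the replicated tree.
    [string]$BackupRoot = 'C:\SysvolBackup'
)
$ErrorActionPreference = 'Stop'
$start = Get-Date

# 1. Back up Policies and Scripts before touching FRS.
$dest = Join-Path $BackupRoot ($start.ToString('yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $dest -Force | Out-Null
foreach ($dir in 'Policies', 'Scripts') {
    $src = Join-Path $SysvolDomain $dir
    if (Test-Path $src) { Copy-Item -Path $src -Destination $dest -Recurse -Force }
}

# 2. Open the key first so a wrong path fails before the service is stopped.
#    "Backup/Restore" contains a forward slash, so use the .NET registry API,
#    which splits key paths on "\" only.
$keyPath = 'SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\' +
           'Backup/Restore\Process at Startup'
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($keyPath, $true)
if ($null -eq $key) { throw "Registry key not found: HKLM\$keyPath" }
try {
    Stop-Service -Name NtFrs -Force
    $value = [Convert]::ToInt32($BurFlags, 16)     # D4 -> 212, D2 -> 210
    $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
} finally {
    $key.Close()
    Start-Service -Name NtFrs                      # always bring FRS back up
}

# 3. Poll the FRS log for 13516 (FRS operational), the completion event the
#    answer names. The timeout is a constructed value; adjust for SYSVOL size.
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 15
    $ids = @(Get-EventLog -LogName 'File Replication Service' -After $start `
                 -ErrorAction SilentlyContinue | ForEach-Object { $_.EventID })
} until (($ids -contains 13516) -or ((Get-Date) -gt $deadline))

if ($ids -contains 13516) {
    "FRS operational (13516 logged). Confirm SYSVOL is shared with: net share"
} else {
    Write-Warning "No 13516 yet. Review the FRS log for 13508 or 13568. Backup: $dest"
}
```
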
  • Thanks, one more question.... Should I do this to the actual server while in place BEFORE I do the backup that I create the virtual machine from, or should I do it on the VM that I'll actually be migrating from in the lab, and then (if all goes well) putting back in place with the two new servers (also VMs) once the move of the data and exchange stores are complete? (My migration is basically a backup of the existing server, restoring to a VM on a new server, installing two new 2008 VMs, moving data to one, and making it the DC, and installing Exchange 2010 on the other and moving that. Eventually, retiring the original server after we get a new SQL server installed in a few weeks.)

    I guess the sub questions from this are:
    Does this need to be in the environment (i.e. able to contact the members of the domain (workstations and laptops)) during the restore process? If not I'd rather do it on the VM.
    Is there any danger in this? Again, if so I'd rather do it on the VM to make sure that we don't kill the actual server (which is the fall back if the migration fails, or doesn't complete by Tuesday AM).


    Thanks SO MUCH for your assistance!

    Saturday, October 29, 2011 4:45 AM
  • If the error exists on the physical server you need to first fix this and then proceed with migration of second DC.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights

    Saturday, October 29, 2011 4:57 AM
  • Should I do this to the actual server while in place BEFORE I do the backup that I create the virtual machine from, or should I do it on the VM that I'll actually be migrating from in the lab,

    Yes, you can do it on the Virtual server and if all goes well (it should go well) then putting back in place with two servers is a good idea.

    (my migration is basically a backup of the existing server, restoring to a vm on a new server, installing two new 2008 VMs, moving data to one, and making it the DC, and installing Exchange 2010 on the other and moving that. Eventually, retiring the original server after we get a new SQL server installed in a few weeks.)

    Ensure that when you are doing the migration from 2003 to 2008 you also transfer the FSMO roles to the new DC; the new DC holding the PDC Emulator FSMO role needs to be the time server too, and it needs port 123 UDP to be opened on the firewall.
    http://abhijitw.wordpress.com/2011/10/08/time-server-configuration-to-sync-pdc-emulator-to-an-external-time-source/

    http://awinish.wordpress.com/2011/10/07/time-server-role-in-forestdomain/

    Transferring FSMO Roles
    http://www.petri.co.il/transferring_fsmo_roles.htm

    Does this need to be in the environment (i.e. able to contact the members of the domain (workstations and laptops)) during the restore process? If not I'd rather do it on the VM.
    You can do it in the production environment but anyway do it on the VM.

    Is there any danger in this? Again, if so I'd rather do it on the VM to make sure that we don't kill the actual server (which is the fall back if the migration fails, or doesn't complete by Tuesday AM).
    There is nothing to worry about in this process. Before performing anything, do take a SYSVOL folder backup (copy and paste) of each DC.

    Regards,
    Abhijit Waikar.
    -------------------------------
    MCSA|MCSA:Messaging|MCTS|MCITP:SA
    My Blog: http://abhijitw.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Saturday, October 29, 2011 5:21 AM
  • It is good practise to have at least two DCs in the network for redundancy.

    There are a couple of very important considerations, that you should have in mind, before you proceed with your migration scenario.
    --Check, and raise, if necessary, the Domain and Forest functional levels. You cannot upgrade directly from Windows 2000 mixed, or Windows Server 2003 interim domain functional levels.

    --The first Windows Server 2008 Domain Controller in the forest must be a Global Catalog Server, and it cannot be a Read Only Domain Controller, RODC.

    --Check the FSMO roles assignments. When you prepare the existing AD, you should run adprep /forestprep on the Schema operations master, and adprep /domainprep /gpprep on the infrastructure master. In your case, as there is a single DC, you need to run them on the same server.

    The installation of Windows 2008 into the domain and migration is quite simple.
    First you need to Adprep your 2003 Domain by running
    adprep /forestprep    and
    adprep /domainprep   and
    adprep /gpprep

    from the 2008 DVD on the Windows 2000 DC  - adprep is in the SOURCES folder on the DVD.

    Next install 2008 server on the new machine. You need to assign the 2008 new computer an IP address and subnet mask on the existing network. Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

    Join the new 2008 machine to the existing domain as a member server

    From the command line promote the new machine to a domain controller with the DCPROMO command. Select "Additional Domain Controller in an existing Domain".

    Once Active Directory is installed, then to make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services. Expand Sites, Default first site and Servers. Right click on the new server and select properties and tick the "Global Catalog" checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership.)

    Install DNS on the new server. Assuming that you were using Active Directory Integrated DNS on the first Domain Controller, DNS will automatically replicate to the new domain controller along with Active Directory. Set up forwarders as detailed at http://www.petri.co.il/configure_dns_forwarding.htm

    You must transfer the FSMO roles to the 2008 machine then the process is as outlined at http://www.petri.co.il/transferring_fsmo_roles.htm

    You then need to install DHCP on the new 2008 server (if used) and set up a scope, activate it and authorize the server.

    Change all of the clients (and the new 2008 DC itself), to point to the 2008 DC for their preferred DNS server this may be in DHCP options or the TCP/IP settings.

    You can then transfer any data to the new server

    Before removing the old DC from the domain, run DCPROMO on it to remove Active Directory.

    Netometer has a nice video - http://www.netometer.com/video/tutorials/windows-dc-2008-add-upgrade/index.php

    As for Exchange, that should ideally be put on a 2008 MEMBER SERVER, not a DC, and it must go on a 64bit machine; you can then migrate the mailboxes etc. to the new Exchange server.

    Reference article:
    http://araihan.wordpress.com/2009/08/25/migrate-from-windows-2003-active-directory-to-windows-2008-active-directory-step-by-step/
    http://markswinkels.nl/2009/01/08/how-to-migrate-a-domain-controller-from-windows-2003-to-windows-2008/

    Hope this helps.

    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights

    Saturday, October 29, 2011 6:02 AM
  • Great info, I'm restoring in the lab again now, so I'll let you know how it goes...
    Saturday, October 29, 2011 7:01 AM
  • Hi,

     

    How is everything going? Could you please tell us the present situation? If you need any further assistance, please do not hesitate to respond back.

     

    Thanks!


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
    Tuesday, November 1, 2011 3:21 AM
    Moderator
  • Thanks for reminding me! The solution above in the form of the Authoritative restore worked perfectly and got me started on the project.

    I've had only a couple hours of sleep in the last 48, but the migration is well underway. Thanks again all.

    Tuesday, November 1, 2011 3:31 AM
  • Other way around, Sandesh—D2=Non-authoritative; D4=Authoritative.
    Tuesday, April 2, 2019 2:08 AM