
As the title suggests, I am basically screwed. Before all this happened, I had one problem: my group policies were not replicating from the PDC to the other DCs. I have three DCs in production.

Policies Residing in PDC (Dc1)

Policies Residing in DC2

Policies Residing in DC3

As you can see, policy number (78B9346A), which was created on Dec 22nd on the PDC, did not replicate to the two other DCs. I also created a test file in the Sysvol folder on DC1 and it didn't replicate to the other DCs. You can see that in the image below:

Test file created in Sysvol in PDC

Prior to the replication issue all my DCs were running Windows Server 2008 R2. Now they are running Windows Server 2012. They have been upgraded and everything worked fine except the replication. I installed the DFS role on my PDC. When I looked at the replication group setup for Domain System Volume, it included one of the decommissioned DCs as a member. I figured that was causing the replication problem. I tried to edit the replication group but I couldn't, so I deleted it and tried to recreate it. That is when all the issues popped up. When I recreated the group:

replication Group

I started getting the event ID 6410 and 6002.

Event 6410 says: The DFS Replication service failed to initialize replicated folder C:\Windows\SYSVOL\domain because the service detected that one of its working folders overlaps a Windows system folder. This is an unsupported configuration.

Event 6002 says: The DFS Replication service detected invalid msDFSR-Subscriber object data while polling for configuration information. I went back to DFS Management and ran a diagnostic report and I got the error below:

Health report

Now I am clueless about what to do next and how to get the replication up and running. Some of the computers in my environment receive the policies, and some don't. I really appreciate any help that will help me fix this issue. I have no backup, so I can perform an authoritative restore. Thanks in advance for any replies, and I am sorry if I posted this in the wrong place.

Michael Hampton
Doug
    I would punt. "Oh no, all the things exploded!! We must have been hacked or it's a bug or cosmic rays! Or all of those things. Let's bring in an Active Directory consultant from some MSP to fix it and/or blame for our horrible environment. Also, we should buy some backup software." – HopelessN00b Dec 28 '15 at 18:32
  • Thanks Ryan for your help. I followed the instructions in the Microsoft KB article step-by-step, but it didn't work. I did not get Event 4114; instead I got event 6002, "The DFS Replication service detected invalid msDFSR-Subscriber object data while polling for configuration information.", which kept showing up. – Doug Dec 28 '15 at 20:05

2 Answers

You have to use Ldifde to recreate CN=Domain System Volume. Export CN=Domain System Volume from another domain controller, then modify the export file to match the name of the DC that's missing Domain System Volume and reimport it.

Look in ADSIEdit to see what I'm talking about:

DFSR

Export:

LDIFDE -f output.txt -d "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=AnotherDC,OU=Domain Controllers,DC=dom,DC=com" -p base

Then change the exported file - update the dn: (Distinguished Name) and the msDFSR-MemberReference so that the dn: corresponds to the domain controller that is missing its CN=Domain System Volume, and the msDFSR-MemberReference refers to CN=AnotherDC,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=domain,DC=com

Then import it back in with Ldifde -i -f import.txt

Hope that helps. Ldifde is the only way to recreate the Domain System Volume subscription. If none of your DCs have Domain System Volume objects... then, you are pretty well screwed. This is why we take backups of things. (And don't use the DFSR Management GUI to mess with Sysvol.)

Ryan Ries
  • Thank you Ryan. It looks like Domain System Volume is there under each domain controller. See the image below: http://i.imgur.com/NoJgJab.png – Doug Dec 28 '15 at 22:07
  • Go through and delete all the ones that are GUIDs. `CN=Domain System Volume` should be the only one in there. – Ryan Ries Dec 28 '15 at 22:19
  • Also, DC01 is missing its `Domain System Volume` subscription... you'll have to recreate it with Ldifde. – Ryan Ries Dec 28 '15 at 22:26
  • Hi Ryan, my apologies, I did not expand DC01 when I took the screenshot. As you can see in the image below, all 3 domain controllers have the Domain System Volume. http://imgur.com/p6vDIS5 I went ahead and removed the GUIDs. Should I also delete the replication group I manually created using DFS Management? See below: http://imgur.com/CvhfX6t – Doug Dec 29 '15 at 14:23
  • So bounce the DFSR service, still the same 6002 errors? If so, it's time to call Microsoft support. This situation is too bothersome to continue troubleshooting in Serverfault comments. – Ryan Ries Dec 29 '15 at 14:46
  • Thanks for the help, Ryan. I appreciate it, sir. As a side note, I restarted the DFS service and got event 6002 again. Looked into it a little further and found that msDFSR-MemberReference under Domain System Volume properties in ADSI says I am thinking it should either point to itself or another domain controller. I will give that a try and see what happens. If it works, great; if not I will contact MS support. – Doug Dec 29 '15 at 15:49
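The export-edit-import sequence from the answer above, as an added PowerShell example (not Ryan's own script): it unfolds the LDIF continuation lines ldifde writes, rewrites the dn and msDFSR-MemberReference for the target DC, and drops the system attributes (objectGUID, uSN*, when*) that an ldifde import cannot write. $SourceDc, $TargetDc and $DomainDn are placeholders to replace with your values; run it as a Domain Admin.

```powershell
# Added example: rebuild one DC's Domain System Volume subscription from a
# healthy DC's export. Placeholders below are assumptions, not from the page.
$SourceDc = 'DC02'                     # DC that still has the subscription
$TargetDc = 'DC01'                     # DC whose subscription is missing
$DomainDn = 'DC=dom,DC=com'            # your domain's DN
$DcOu     = "OU=Domain Controllers,$DomainDn"

$srcDn = "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$SourceDc,$DcOu"
$dstDn = "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$TargetDc,$DcOu"
$memberRef = "CN=$TargetDc,CN=Topology,CN=Domain System Volume," +
             "CN=DFSR-GlobalSettings,CN=System,$DomainDn"

# 1. Export only the subscription object (-p base) in Unicode (-u).
ldifde -u -f output.txt -d $srcDn -p base
if ($LASTEXITCODE -ne 0) { throw 'ldifde export failed' }

# 2. Unfold LDIF: a line starting with a space continues the previous line,
#    so long DNs and base64 values become single editable lines.
$unfolded = New-Object System.Collections.Generic.List[string]
foreach ($line in Get-Content output.txt) {
    if ($line -match '^ ' -and $unfolded.Count -gt 0) {
        $unfolded[$unfolded.Count - 1] += $line.Substring(1)
    } else { $unfolded.Add($line) }
}

# 3. Keep dn, changetype, objectClass and the msDFSR-* settings; rewrite the
#    two values that identify the member. Everything else is dropped.
$out = foreach ($line in $unfolded) {
    switch -Regex ($line) {
        '^dn:'                     { "dn: $dstDn"; break }
        '^msDFSR-MemberReference:' { "msDFSR-MemberReference: $memberRef"; break }
        '^(changetype|objectClass|msDFSR-[A-Za-z]+):' { $line; break }
        default                    { }
    }
}
Set-Content -Path import.txt -Value $out -Encoding Unicode

# 4. Review import.txt by eye, then import and restart DFSR on the target DC
#    so it re-reads its configuration and picks up the new subscription.
ldifde -u -i -f import.txt
if ($LASTEXITCODE -ne 0) { throw 'ldifde import failed' }
Invoke-Command -ComputerName $TargetDc -ScriptBlock { Restart-Service -Name DFSR }
```

The DFSR event log on the target DC should then stop reporting 6002 for this subscription; if it still does, compare the imported object against the source DC's in ADSI Edit before going further.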

I ran into a similar situation and found this guide to be helpful. https://community.spiceworks.com/how_to/160786-how-to-re-build-sysvol-dfsr-replication-group-without-demoting-promoting-dc. It leverages processes used in the dcpromo operation to recreate the DFS replication group for the SYSVOL dirs.

  1. Take a backup!
  2. Stop the DFSR service on all DCs. Make sure that all the existing DFS groups targeting the SYSVOL share are deleted on all DCs in DFS Management.
  3. Open ADSI Edit.
  4. If you don't see your domain listed in the left pane go to Action > Connect to.... You should see a window with some default connection info. For me the default information was correct so I clicked OK.
  5. Expand the tree for your domain and look for OU=Domain Controllers.
  6. Expand each Domain Controller and locate CN=DFSR-LocalSettings.
  7. Assuming you do not have any other DFS groups associated with these DCs, delete everything in the CN=DFSR-LocalSettings folder.
  8. Go back to your domain in the left pane and locate CN=System > CN=DFSR-GlobalSettings and delete any subfolder that isn't an active DFS group. Please verify before deleting!
  9. Force replication to all DCs. Run repadmin /syncall /AdeP on ALL DCs. Verify from ADSI Edit on the other DCs that the changes are visible.
  10. Add the following registry entries on your primary DC, substituting your AD domain name for <your ad domain>.
# Create the key below
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols
# Add the following DWORD32 entry
Sysvol Information is Committed=1

# Create the key below
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols\<your ad domain>
# Create the following DWORD32 entry
Is Primary=1
# Create the following string entries
Command=DcPromo
Parent Computer= 
Replicated Folder Name=<your ad domain>
Replicated Folder Root=C:\Windows\SYSVOL\Domain
Replicated Folder Root Set=C:\Windows\SYSVOL\sysvol\<your ad domain>
Replicated Folder Stage=C:\Windows\SYSVOL\staging areas\<your ad domain>
Replication Group Name=<your ad domain>
Replication Group Type=Domain
  11. Start the DFSR service on the primary DC and wait a minute or two for things to start up.
  12. If it worked, the registry entries you created should be gone. Instead you should see the following key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Seeding Sysvols
  13. Check the DC in ADSI Edit for a CN=Domain System Volume entry under DFSR-LocalSettings. You should also see the primary DC under CN=System > CN=DFSR-GlobalSettings > CN=Domain System Volume > CN=Topology > CN=<your primary dc>.
  14. Force sync on all DCs again: repadmin /syncall /AdeP
  15. One by one, go through each DC and add the following registry entries:
# Create the key below
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols
# Add the following DWORD32 entry
Sysvol Information is Committed=1

# Create the key below
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DFSR\Parameters\SysVols\Promoting SysVols\<your ad domain>
# Create the following DWORD32 entry
Is Primary=0
# Create the following string entries
Command=DcPromo
Parent Computer=<your primary dc>
Replicated Folder Name=<your ad domain>
Replicated Folder Root=C:\Windows\SYSVOL\Domain
Replicated Folder Root Set=C:\Windows\SYSVOL\sysvol\<your ad domain>
Replicated Folder Stage=C:\Windows\SYSVOL\staging areas\<your ad domain>
Replication Group Name=<your ad domain>
Replication Group Type=Domain
  16. Start the DFSR service.
  17. Force replication again: repadmin /syncall /AdeP
  18. Check for the DC in ADSI Edit on the primary DC for a CN=Domain System Volume entry under DFSR-LocalSettings. You should also see the DC under CN=System > CN=DFSR-GlobalSettings > CN=Domain System Volume > CN=Topology > CN=<your dc>.
  19. Check DFS Management to see if it is working. A healthy DFS Management view will look like this: Healthy DFS SYSVOL

Once you repeat steps 15-18 on each DC your environment should be working. You may have to wait several minutes for everything to sync.

Thanks to ZooM_00 on Spiceworks for pointing me in the right direction!
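The registry seeding from steps 10 and 15 and the checks from steps 12, 13 and 18, as an added PowerShell example (not from the answer or the Spiceworks guide). One function writes the "Promoting SysVols" values for either the primary DC (-IsPrimary) or a follower DC (-PrimaryDc); the other reports whether DFSR consumed the keys and created the expected AD objects. $Domain, $PrimaryDc, $DcName and $DomainDn are placeholders for your values; run elevated on the DC being seeded.

```powershell
# Added example: the manual registry steps above as functions. Run elevated
# on each DC in turn (primary first). All names passed in are assumptions.
function Set-SysvolPromotionKeys {
    param(
        [Parameter(Mandatory)][string]$Domain,  # e.g. corp.example.com
        [string]$PrimaryDc = '',                  # required unless -IsPrimary
        [switch]$IsPrimary
    )
    if (-not $IsPrimary -and -not $PrimaryDc) { throw 'Follower DCs need -PrimaryDc' }
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols\Promoting SysVols'
    $sub  = Join-Path $base $Domain
    New-Item -Path $sub -Force | Out-Null       # creates both keys
    New-ItemProperty -Path $base -Name 'Sysvol Information is Committed' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $sub -Name 'Is Primary' -PropertyType DWord `
        -Value $(if ($IsPrimary) { 1 } else { 0 }) -Force | Out-Null
    $strings = [ordered]@{
        'Command'                    = 'DcPromo'
        'Parent Computer'            = $(if ($IsPrimary) { '' } else { $PrimaryDc })
        'Replicated Folder Name'     = $Domain
        'Replicated Folder Root'     = 'C:\Windows\SYSVOL\Domain'
        'Replicated Folder Root Set' = "C:\Windows\SYSVOL\sysvol\$Domain"
        'Replicated Folder Stage'    = "C:\Windows\SYSVOL\staging areas\$Domain"
        'Replication Group Name'     = $Domain
        'Replication Group Type'     = 'Domain'
    }
    foreach ($name in $strings.Keys) {
        New-ItemProperty -Path $sub -Name $name -PropertyType String `
            -Value $strings[$name] -Force | Out-Null
    }
}

# After Start-Service DFSR: the Promoting key should be gone, a Seeding key
# present, and the subscription plus topology member objects visible in AD.
function Test-SysvolSeeding {
    param([Parameter(Mandatory)][string]$DcName,
          [Parameter(Mandatory)][string]$DomainDn)   # e.g. DC=corp,DC=example,DC=com
    $sysvols = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters\SysVols'
    $subDn  = "LDAP://CN=Domain System Volume,CN=DFSR-LocalSettings,CN=$DcName,OU=Domain Controllers,$DomainDn"
    $topoDn = "LDAP://CN=$DcName,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$DomainDn"
    [pscustomobject]@{
        PromotingKeyGone   = -not (Test-Path (Join-Path $sysvols 'Promoting SysVols'))
        SeedingKeyExists   = Test-Path (Join-Path $sysvols 'Seeding Sysvols')
        SubscriptionInAd   = [ADSI]::Exists($subDn)
        TopologyMemberInAd = [ADSI]::Exists($topoDn)
    }
}

# Usage: Set-SysvolPromotionKeys -Domain 'corp.example.com' -IsPrimary; Start-Service DFSR
#        Test-SysvolSeeding -DcName 'DC01' -DomainDn 'DC=corp,DC=example,DC=com'
```

All four fields should be True before you move on to the next DC; a False SubscriptionInAd or TopologyMemberInAd right after the service start usually just means the repadmin /syncall from the procedure has not run yet.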