{"id":552,"date":"2012-08-22T09:20:00","date_gmt":"2012-08-22T08:20:00","guid":{"rendered":"http:\/\/ec2-34-242-84-40.eu-west-1.compute.amazonaws.com\/?p=552"},"modified":"2012-08-22T09:20:00","modified_gmt":"2012-08-22T08:20:00","slug":"dcdiag-and-sysvol","status":"publish","type":"post","link":"https:\/\/tomgeraghty.co.uk\/index.php\/dcdiag-and-sysvol\/","title":{"rendered":"Troubleshooting SYSVOL replication between domain controllers, using DCDIAG"},"content":{"rendered":"

Since we had a power outage a few days ago, I\u2019ve seen some problems with replication of the sysvol folder throughout the domain controllers, most likely due to some file corruption on one domain controller that halted replication to the remaining domain controllers. (The domain controller in question had a disk fail in the RAID 1 array, which then refused to rebuild due to disk issues on the existing live disk.)<\/p>\n

The sysvol folder is where all group policies and logon scripts are held, and is accessible by all domain members in order to process the policies and scripts. The \u201coriginal\u201d is held on the first domain controller in the domain.<\/p>\n

Replication of the sysvol folder is separate to Active Directory replication. Sysvol replication relies on the File Replication Service running on the domain controller, and any failures are logged in the windows event logs.<\/p>\n

Firstly, we had to work out what was going on. This is best done by examining the event logs for these errors, and running some diagnostic tools on the servers \u2013 in this case, DCDIAG. DCDIAG is part of the Server 2003 support tools package.<\/p>\n

The output looks like this:<\/p>\n

 <\/p>\n

C:\\>dcdiag<\/pre>\n
Domain Controller Diagnosis<\/pre>\n
Performing initial setup:<\/pre>\n
\u00a0 \u00a0Done gathering initial info.<\/pre>\n
Doing initial required tests<\/pre>\n
\u00a0\u00a0 Testing server: Default-First-Site-Name\\\u201dDOMAIN CONTROLLER\u201d<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: Connectivity<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d passed test Connectivity<\/pre>\n
Doing primary tests<\/pre>\n
\u00a0\u00a0 Testing server: Default-First-Site-Name\\\u201dDOMAIN CONTROLLER\u201d<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: Replications<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d passed test Replications<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: NCSecDesc<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d passed test NCSecDesc<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: NetLogons<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d passed test NetLogons<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: Advertising<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d passed test Advertising<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: KnowsOfRoleHolders<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d passed test KnowsOfRoleHolders<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: RidManager<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d passed test RidManager<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: MachineAccount<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d passed test MachineAccount<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: Services<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d passed test Services<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: ObjectsReplicated<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d passed test ObjectsReplicated<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: frssysvol<\/pre>\n
\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0......................... \u201cDOMAIN CONTROLLER\u201d passed test frssysvol<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: frsevent<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 There are warning or error events within the last 24 hours after the<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 SYSVOL has been shared.\u00a0 Failing SYSVOL replication problems may cause<\/pre>\n
\u00a0\u00a0\u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0Group Policy problems.<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d failed test frsevent<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: kccevent<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d passed test kccevent<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: systemlog<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 An Error Event occured.\u00a0 EventID: 0x00000457<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Time Generated: 08\/17\/2012\u00a0\u00a0 15:44:48<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (Event String could not be retrieved)<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 An Error Event occured.\u00a0 EventID: 0x00000457<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Time Generated: 08\/17\/2012\u00a0\u00a0 15:44:50<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (Event String could not be retrieved)<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 An Error Event occured.\u00a0 EventID: 0x00000457<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Time Generated: 08\/17\/2012\u00a0\u00a0 15:44:51<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (Event String could not be retrieved)<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 An Error Event occured.\u00a0 EventID: 0x00000457<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Time Generated: 08\/17\/2012\u00a0\u00a0 15:44:52<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (Event String could not be retrieved)<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 An Error Event occured.\u00a0 EventID: 0x00000457<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Time Generated: 08\/17\/2012\u00a0\u00a0 15:44:52<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (Event String could not be retrieved)<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 An Error Event occured.\u00a0 EventID: 0x00000457<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Time Generated: 08\/17\/2012\u00a0\u00a0 15:44:52<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (Event String could not be retrieved)<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 An Error Event occured.\u00a0 EventID: 0x00000457<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Time Generated: 08\/17\/2012\u00a0\u00a0 15:44:53<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 (Event String could not be retrieved)<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d failed test systemlog<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: VerifyReferences<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... \u201cDOMAIN CONTROLLER\u201d passed test VerifyReferences<\/pre>\n
\u00a0\u00a0 Running partition tests on : DomainDnsZones<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: CrossRefValidation<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... DomainDnsZones passed test CrossRefValidation<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: CheckSDRefDom<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... DomainDnsZones passed test CheckSDRefDom<\/pre>\n
\u00a0\u00a0 Running partition tests on : ForestDnsZones<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: CrossRefValidation<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... ForestDnsZones passed test CrossRefValidation<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: CheckSDRefDom<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... ForestDnsZones passed test CheckSDRefDom<\/pre>\n
\u00a0\u00a0 Running partition tests on : Schema<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: CrossRefValidation<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... Schema passed test CrossRefValidation<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: CheckSDRefDom<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... Schema passed test CheckSDRefDom<\/pre>\n
\u00a0\u00a0 Running partition tests on : Configuration<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: CrossRefValidation<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... Configuration passed test CrossRefValidation<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: CheckSDRefDom<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... Configuration passed test CheckSDRefDom<\/pre>\n
\u00a0\u00a0 Running partition tests on : nic<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: CrossRefValidation<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... nic passed test CrossRefValidation<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: CheckSDRefDom<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... nic passed test CheckSDRefDom<\/pre>\n
\u00a0\u00a0 Running enterprise tests on : nic.local<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: Intersite<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... nic.local passed test Intersite<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 Starting test: FsmoCheck<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ......................... nic.local passed test FsmoCheck<\/pre>\n
 <\/p>\n
The failed tests above are due to past errors being in the event log from before the sysvol fix. If you’re having sysvol replication errors, you’ll see the replication tests failing, along with systemlog and frsevent failures.<\/p>\n
 <\/p>\n
To fix this, the intact sysvol folder needs to be forced to replicate across the domain. The process is as follows:<\/p>\n
Stop the FRS service on all domain controllers.<\/p>\n
Locate the Burflags entry under the following registry key:<\/p>\n
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\NtFrs\\Parameters\\Backup\/Restore\\Process at Startup<\/pre>\n
And change the DWORD value to D4 on the \u201csource\u201d domain controller (this is to flag an authoritative restore, and D2 on the child domain controllers (non-authoritative). Before doing this, take a backup of the sysvol folder, but make sure you store it on the same partition, otherwise permissions may change, and this would impact group policy if you had to restore it.<\/p>\n
Then restart the FRS service on all domain controllers (the D4 one first) and wait for replication to occur. This can take up to a few hours, depending on the infrastructure, number of domain controllers, and size of the sysvol folder.<\/p>\n
 <\/p>\n
Afterwards, running<\/p>\n
Net share<\/pre>\n
At a command prompt will also show you the shared folders on the domain controller \u2013 so once this replication is complete, you should see the sysvol and netlogon shares present.<\/p>\n
 <\/p>\n
Then you can also run DCDIAG tests on each domain controller to confirm.<\/p>\n
 <\/p>\n

\n                                                                                        \t\t\t<\/a>
\n                                                                <\/p>\n","protected":false},"excerpt":{"rendered":"
Since we had a power outage a few days ago, I\u2019ve seen some problems with replication of the sysvol folder throughout the domain controllers, most likely due to some file corruption on one domain controller that halted replication to the remaining domain controllers. (The domain controller in question had a disk fail in the RAID … <\/p>\n
Continue reading “Troubleshooting SYSVOL replication between domain controllers, using DCDIAG”<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1,4],"tags":[],"class_list":["post-552","post","type-post","status-publish","format-standard","hentry","category-blog","category-tech"],"_links":{"self":[{"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/552","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=552"}],"version-history":[{"count":0,"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/552\/revisions"}],"wp:attachment":[{"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=552"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=552"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=552"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}