Trihimbulus asked:
DC's not replicating

I have two domain controllers in my domain in the same site. One is Win2003 Server and the other is Win2k Server. I recently had to image my Win2k server onto larger hard drives (in the same machine). This was an exact mirror image, which should have been transparent, of course. The server was down for about a day to do the imaging, so I guess this is where the hiccup happened.

I went to AD Sites and Services on my PDC to try and force replication and received an error saying that the other server is not accepting replication requests. Then I chose the other server (Win2k server, secondary DC) and it said the same thing. How do I fix this?
Trihimbulus:

Can you post up the precise error messages you get from your event logs?

Thanks!

MidnightOne
oBdA:

Did you at any point restart this machine after you saved the image, but before you put in the new disk and restored the image to it?
Trihimbulus (asker):

oBdA, no I did not. I used Acronis True Image Server for Windows. I applied the image in a pre-boot environment off the Acronis Boot CD. The restoration of the image did take about 12 hours though.

I just pulled up the Event Viewer and it looks like I am having some problems. I will substitute ABC.COM for the name of my domain.

1) Userenv / 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

2) Userenv / 1058
Windows cannot access the file gpt.ini for GPO CN={D264A78E-B00F-454D-823A-0264297878A3},CN=Policies,CN=System,DC=ABC,DC=com. The file must be present at the location <\\ABC.com\SysVol\ABC.com\Policies\{D264A78E-B00F-454D-823A-0264297878A3}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

*** NOTE: I did the image restoration about 2 weeks ago and just recently see these errors above

The error that pops up after I try to force replication in Sites and Services is:

"The following error occurred during the attempt to synchronize naming context ABC.COM from domain controller DC1 to domain controller DC2:
The destination server is currently rejecting replication requests. This operation will not continue."

Have you considered that the machine account passwords are out of sync with the domain? This could happen when you reimage a DC and the domain has reset passwords.

Try using the nltest utility to reset the secure channel with the domain and see if that helps.

Remember to stop the KDC service on the DC you are resetting to the domain and set it to manual.
Oh and check the time on each DC--sometimes the obvious escapes us :)

Afterwards, set the KDC back to automatic again.
Roger that, will let you know what happens.
Which switches should I use with the nltest utility?
Also, I am guessing that I run this command from DC2 (the backup domain controller)?
Maybe a bad question on my part; since you're using Acronis, I'm assuming that you took this image while the machine was online?
If so, then you're probably suffering from this:
How to detect and recover from a USN rollback in Windows Server 2003
http://support.microsoft.com/?kbid=875495
Not the best idea to image a DC and put it back on the network; you are best off following oBdA's link and reinstalling AD. Your NTDS site links will be all kinds of messed up due to the server going back to a previous state; who knows how many changes have happened since you imaged the machine originally...
Here are the switches to use for the nltest tool
First do a query to see if the channel is ok. As shown below.

W:\Program Files\Support Tools>nltest /sc_query:domain
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DC1.domain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

W:\Program Files\Support Tools>nltest /sc_reset:domain\dc1
Flags: 30 HAS_IP  HAS_TIMESERV
Trusted DC Name \\DC1.domain.local
Trusted DC Connection Status Status = 0 0x0 NERR_Success
The command completed successfully

W:\Program Files\Support Tools>
The server that I imaged was Windows 2000 Server, and even Acronis Tech Support said that I should do the imaging process while it is online.
DC1 is the Primary Domain Controller (Windows 2003 Server)
DC2 is the Secondary Domain Controller (Windows 2000 Server) <-- this is the server that was imaged
I imaged it and then restored the image to the new hard drives the same day (though due to the image restoration, the server was offline for about 12 hours).
itforall, can you please be more specific, as I have never used the nltest tool. Do I need to run the sc_reset on DC2 (as this was the server that was imaged)?

I ran the first nltest /sc_query:ABC.COM and received the results as you have shown.
When you started the imaging, the current state of the machine was frozen by the Acronis driver; changes to the system that occurred during the imaging weren't written anymore to the image that you were currently taking. The DC continued its regular operations, including user password changes, computer password changes, user creation, whatever else happened in your AD in this time. These changes didn't make it onto the image, so you now have the exact same situation as if you'd taken an image after booting into DOS, then restarted the machine and let it run for a while, then restored the image you took earlier on.
This is the exact same situation as described in the 875495 article (and the 885875 article referenced in there), and if you check the "Detecting a USN rollback" section in these articles, you're likely to find that your USNs are out of sequence.
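The comparison that the "Detecting a USN rollback" section of those articles describes, worked through as an added example (Python written for this edit; it is not code from the thread or from Microsoft). It parses Windows Server 2003 `repadmin /showutdvec` output: if a replication partner's up-to-dateness vector records a higher USN for DC2 than DC2's own current highest committed USN, DC2 has been rolled back to a state before changes it already handed out, and it will reuse USNs that DC1 has already consumed. The repadmin text below is constructed to match the line format, not captured from the asker's domain; the DC names, the site name and every USN value are assumptions.

```python
import re

# One up-to-dateness-vector line from "repadmin /showutdvec <dc> <naming context>"
# (Windows Server 2003 Support Tools line format, assumed):
#   <Site>\<DC>   @ USN   <n> @ Time <yyyy-mm-dd hh:mm:ss>
UTD_LINE = re.compile(
    r"^\s*(?P<site>[^\\]+)\\(?P<dc>\S+)\s+@\s+USN\s+(?P<usn>\d+)\s+@\s+Time\s+(?P<time>.+?)\s*$"
)

# Constructed sample: what DC1 (the healthy Windows 2003 DC) reports for
# DC=ABC,DC=com. DC1 has already replicated changes that DC2 originated up to
# USN 14867, i.e. changes DC2 made after the Acronis image was taken.
DC1_UTDVEC = """\
Caching GUIDs.
..
Default-First-Site-Name\\DC1 @ USN   20541 @ Time 2005-03-10 11:02:15
Default-First-Site-Name\\DC2 @ USN   14867 @ Time 2005-03-10 10:58:01
"""

# Constructed sample: the same query run against DC2 after the image was
# restored. Its own entry is back at the pre-image value of 12004, so the
# next change it originates will reuse a USN that DC1 has already seen.
DC2_UTDVEC = """\
Caching GUIDs.
..
Default-First-Site-Name\\DC1 @ USN   18002 @ Time 2005-02-24 09:15:40
Default-First-Site-Name\\DC2 @ USN   12004 @ Time 2005-02-24 09:20:11
"""


def parse_utdvec(text):
    """Map DC name (upper-cased) -> highest USN this vector has seen from that DC."""
    vector = {}
    for line in text.splitlines():
        match = UTD_LINE.match(line)
        if match:
            vector[match.group("dc").upper()] = int(match.group("usn"))
    return vector


def own_highest_usn(dc, text):
    """The DC's current highest committed USN, read from its own vector entry.

    Assumption: the local DC appears in its own /showutdvec output. The RootDSE
    attribute highestCommittedUSN (readable with ldp.exe) is the same number
    and can be substituted if it does not.
    """
    return parse_utdvec(text)[dc.upper()]


def detect_usn_rollback(suspect_dc, suspect_highest_usn, partner_vectors):
    """Return {partner: usn} for every partner that has seen a higher USN from
    suspect_dc than suspect_dc itself currently claims. An empty dict means
    these partners hold no rollback evidence."""
    findings = {}
    for partner, text in partner_vectors.items():
        if partner.upper() == suspect_dc.upper():
            continue  # a DC's own vector is not independent evidence
        seen = parse_utdvec(text).get(suspect_dc.upper())
        if seen is not None and seen > suspect_highest_usn:
            findings[partner] = seen
    return findings


if __name__ == "__main__":
    dc2_usn = own_highest_usn("DC2", DC2_UTDVEC)
    rolled_back = detect_usn_rollback("DC2", dc2_usn, {"DC1": DC1_UTDVEC})
    if rolled_back:
        for partner, usn in rolled_back.items():
            print(f"USN rollback on DC2: {partner} has seen DC2 at USN {usn}, "
                  f"but DC2 is now at USN {dc2_usn}")
    else:
        print("No USN rollback evidence for DC2 from these partners")
```

On the real DCs the same check is `repadmin /showutdvec DC1 DC=ABC,DC=com` against DC1 and `repadmin /showutdvec DC2 DC=ABC,DC=com` against DC2, comparing DC2's line in each. A DC that has detected the rollback itself (Windows Server 2003, or Windows 2000 with the 885875 hotfix) also logs event ID 2095 in the Directory Service log and sets the `Dsa Not Writable` value to 4 under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters, which is what turns into "rejecting replication requests"; the machine-account password reset via nltest does not touch any of that.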
Do you think what itforall had recommended may fix my problem- or am I going to have to re-install Active Directory?
Check first if you indeed have the USN problem. If so, then this has nothing to do with machine password being out of sync.
Since this happened to your W2k machine, you can only dcpromo the machine down and up again:
How to detect and recover from a USN rollback in Windows 2000 Server > Recovering from a USN rollback
http://support.microsoft.com/?kbid=885875/#XSLTH3193121124120121120120

Try to transfer any remaining FSMO roles to the other DC before the demotion; if it doesn't work, you'll have to seize the roles.
Clean out your AD metadata after the demotion, and before you promote the server again.

How to remove data in Active Directory after an unsuccessful domain controller demotion
http://support.microsoft.com/?kbid=216498

Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller
http://support.microsoft.com/?kbid=255504

How to view and transfer FSMO roles in Windows Server 2003
http://support.microsoft.com/?kbid=324801

How to view and transfer FSMO roles in the graphical user interface
http://support.microsoft.com/?kbid=255690
On the server that is broken (DC2), run this command:

nltest /sc_query:domain

Oh, by the way, if you use this on the PDC, it will always error.

If it is not a success, reset it using the other command above.
Remember to stop the KDC and set it to manual on DC2 so it will have to use DC1 for Kerberos tickets during the reboot that follows a successful reset.
If this doesn't work, see below.

At this point, using the process oBdA mentions, we would already be complete, although there is a dcpromo /forceremoval missing in the steps:
http://support.microsoft.com/kb/332199
That will remove the AD stuff from DC2; then use the 216498 article to clean up DC1.

I know you don't want to hear it, but a slash and burn (steps mentioned by oBdA) would take 1.5 hours tops.
This thread is at least two days old...
You guys are right; I think I should uninstall/reinstall AD. OK, I did some research, and don't I need to transfer some roles to my PDC before I uninstall AD on this machine?
The research you did probably pointed you in the direction of allowing DCPROMO to transfer the roles for you. I wouldn't take this path at all; DCPROMO has too many issues when demoting to let it take control of such a big task.

Find out where your roles are using AD Users and Computers, Domains and Trusts, and the Schema console, and make sure none of them are on the server you're about to promote; if they are, then transfer them to a different server.

There is no PDC; all DCs are equal. You can house the roles on any DC.
You already have all the necessary links to transfer/seize the roles in my post above; check out the 332199 article by itforall as well.
Apologies oBdA, I didn't notice those links as I skimmed through.
Sorry, I have been gone so long. Kind of been avoiding this for a while. Well, now it seems that when I make a change to an account on the PDC, it will not enforce itself and does not work. If a user gets locked out, they are screwed until I get this replication issue resolved. I ran the nltest /sc_query on the secondary DC (the one I imaged) and it ran without error. I guess I am going to have to demote (dcpromo /forceremoval) and transfer the FSMO role "Infrastructure Master", currently held by the secondary DC, to my PDC. What is weird though is that if I make a change to an account or computer on the PDC, should the change take effect after I do this? Or do I have it all wrong?

I read a MS Whitepaper and it says the following:

"NOTE: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server(GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log.

If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role."

Another question. Once I demote the DC, will it still be a member of the domain?

What do you guys recommend. It looks like I need to do this soon.
Also finding this error on my PRIMARY DOMAIN CONTROLLER (Global Catalog, RID, PDC).

1) USERENV 1058
Windows cannot access the file gpt.ini for GPO CN={D264A78E-B00F-454D-823A-0264297878A3},CN=Policies,CN=System,DC=ABC,DC=com. The file must be present at the location <\\ABC.com\SysVol\ABC.com\Policies\{D264A78E-B00F-454D-823A-0264297878A3}\gpt.ini>. (Access is denied. ). Group Policy processing aborted.

2) Userenv / 1030
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

UPDATE - UPDATE - UPDATE - UPDATE - UPDATE !!!!!!!!!!!

GUYS I DID IT!!!  I had to do a dcpromo /forceremoval. I followed the directions to clean up the metadata on the DC. I re-installed Active Directory on the other DC (Win2k server). Under AD Sites and Services, the NTDS settings did not appear as "automatically generated", so I specified each server manually. Now when I force replication, it successfully completes.

I am not out of the woods yet though. I just need a little more help and I will close this question out. Thanks to everyone so far for all of the help.

On my PRIMARY DOMAIN CONTROLLER, a few problems.

1)   Before I did the dcpromo /forceremoval, I transferred the FSMO role "Infrastructure Master" to my PDC, so all FSMO roles are now housed on this server. Now when I try to transfer this role back to the backup domain controller, it does not appear under the "Change To" field under Operations Masters.

2)   Getting some errors in the event viewer under SYSTEM on my PDC. Same errors as before and a new one. My DC's seem to be replicating now though. Here are the errors:

 Userenv / 1030 / ERROR / USER: NT AUTHORITY\SYSTEM
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

Userenv / 1058 / ERROR / USER: NT AUTHORITY\SYSTEM
Windows cannot access the file gpt.ini for GPO CN={D264A78E-B00F-454D-823A-0264297878A3},CN=Policies,CN=System,DC=BPC,DC=com. The file must be present at the location <\\BPC.com\SysVol\BPC.com\Policies\{D264A78E-B00F-454D-823A-0264297878A3}\gpt.ini>. (The network name cannot be found. ). Group Policy processing aborted.

PLEASE REPLY!!!!!
ASKER CERTIFIED SOLUTION
oBdA

Yep oBdA, for 2), they are appearing exactly every five minutes. I have been hearing mixed reviews about the dfsutil /purgemupcache workaround. I will give this a shot in the morning.
oBdA,

New problem. When I try to open Group Policy- it says "Access is denied" and displays a red X over the GPO.

What do I do?? Please help!!
Under details it says The network name cannot be found.
When you open a command prompt and enter
net share
do you have the Netlogon and Sysvol shares listed?
Yes, SYSVOL and Netlogon are both listed. I also checked the permissions on the Sysvol share and, using adsiedit.msc, the permissions are all correct for Admins and System.
Weird- Now I can access it. Seems to be intermittent. Still getting those errors though.
Even after running "dfsutil /purgemupcache"? Then check here:
Applying Group Policy causes Userenv errors and events to occur on your computers that are running Windows Server 2003, Windows XP, or Windows 2000
http://support.microsoft.com/?kbid=887303
For the record- what does this command/utility do?
It's one of the troubleshooting methods recommended in the above article, and it's the easiest to run.
Check the "MUP Cache" section here for details:
How DFS Works
http://technet2.microsoft.com/WindowsServer/en/Library/a9096e88-1634-4da6-b820-537341d349061033.mspx
Looks like dfsutil /purgemupcache stopped the errors!
oBdA, my hat is off to you, buddy! I will remember this fix!!!