
I've just started working for a new company where there was previously no-one really managing the IT environment, and it's quite a small company that has only one Domain Controller (plus other servers doing other things).

While I was trying to figure out if I should write log on scripts or use GPOs for certain things, I noticed that this 2003 Server is missing the NETLOGON folder. The SYSVOL and the Policies (GPO) folders are there, just not NETLOGON.

I've tried most of the answers on Google with no luck, including playing with the BurFlags and NTFRS.

The only thing I haven't tried is the DCGPOFIX command. And I'm not too sure if it will be relevant as I still do have the 'Policies' folder for Group Policy, and Group Policy is working fine. Does anyone have any suggestions?

Here is a dump of the error from dcdiag and there are no other errors on the DC:

Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\DC\netlogon)
[DC] An net use or LsaPolicy operation failed with error 1203, Win32 Error 1203.
......................... DC failed test NetLogons

Thanks in advance!

venomin
  • If you create a new test user, can you log in from a workstation using that account? I'm wondering if your users are authenticating or if they are just using cached credentials. This would be a way of non-disruptive testing. – Citizen Feb 19 '15 at 01:39
  • Hi Paul, yeah everyone can log in fine. I'd already created a test account to play with, and I myself can log into all the machines myself on my own account on the domain. -Min – venomin Feb 19 '15 at 03:19
  • Do you mean the NETLOGON share is missing but the underlying folders are there i.e. the C:\Windows\SYSVOL\sysvol\\SCRIPTS folder actually exists but isn't shared as NETLOGON? – Sim Feb 23 '15 at 23:53
  • When you say that you have tried playing with the BURFLAG and NTFRS what exactly have you tried? Also are there any AD or NTFRS errors in the Event Logs? – Sim Feb 24 '15 at 01:06
  • Hi Sim, no, the NETLOGON folder and any subfolders and/or files that should be under it are non-existent. The SCRIPTS folder is also not there. As for the BURFLAG, I've tried to set it to D2 and then D4 (which shouldn't be the problem since it's the sole Domain Controller) and have stopped and started the NTFRS service between setting those flags. No NTDS or NTFRS errors in the Event Log. – venomin Feb 24 '15 at 02:01
  • Have you tried the steps in http://support.microsoft.com/kb/947022/en-us ? This should kick-start the Netlogon service to reshare and recreate the scripts folder. Also this thread might be helpful https://social.technet.microsoft.com/Forums/en-US/399b3cd2-f5a0-40ce-8efc-c0027b5255c5/netlogon-share-missing-on-primary-domain-controller?forum=smallbusinessserver – Sim Feb 24 '15 at 02:23
  • I would think long and hard before resorting to DCGPOFIX as that will reset all the policies to their defaults. Are there any old backups of the Domain Controller that you could use to try alternative methods to rebuild the netlogon structure? – Sim Feb 24 '15 at 02:27
  • Sorry for the late reply, but yes I've tried all those links with no luck unfortunately! And there are some old backups, but I have a feeling that it was like this since the beginning of time, so I have no reason to believe that a restore from a backup would fix this issue. Not really sure on what alternative methods there are to rebuild the netlogon structure, if you can shed some light on that for me. – venomin Mar 17 '15 at 01:57

1 Answer

Try performing an authoritative restore from a working domain controller.
http://support.microsoft.com/en-us/kb/290762

Garrett Dumas
  • Hi Garrett, as explained, there is only the one Domain Controller, and I've already tried the Authoritative Restore (which shouldn't have worked anyway cos of the single Domain Controller). New DC being purchased now, so I might just start working with a clean DC that I can build correctly. – venomin Mar 17 '15 at 01:55
  • My apologies - missed that part. In this case the best thing to do would be to introduce a second domain controller, transfer FSMO roles to it, demote the original, and re-promote it. – Garrett Dumas Mar 17 '15 at 16:03