There seems to be something wrong with my primary domain controller. No matter what I do, I cannot get other domain controllers to create sysvol and netlogon folders when they've been promoted. My dcdiag shows these errors on my new domain controllers:

```
Starting test: Advertising
   Warning: DsGetDcName returned information for \\ds1.directory.myorg.com, when we were trying to
   reach DS3.
   SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
   ......................... DS3 failed test Advertising

Starting test: NetLogons
   Unable to connect to the NETLOGON share! (\\DS3\netlogon)
   [DS3] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
   ......................... DS3 failed test NetLogons
```

dfsrmig.exe /getmigrationstate shows this on both domain controllers:

```
All domain controllers have migrated successfully to the Global state ('Eliminated').
```

I've tried manually sharing C:/Windows/SYSVOL/sysvol to match my primary DC, but that didn't seem to work. Other than the SYSVOL and NETLOGON folders not being created/replicated, everything looks OK.

Intrepid
  • Don't manually share those folders. Why do you run dfsrmig? Did you just finish DFSR migration? Did you check the basics such as DNS settings on all DCs? In my experience, when there is a replication issue, at least half of the time it's a DNS issue. – strongline Jul 17 '17 at 18:37
  • DNS settings look OK. Both servers have the Primary DC listed as their DNS. The newly promoted DC has A and NS entries in the DNS server. Everything looks good DNS-wise, but maybe there are some other diagnostics I can run to make sure? – Intrepid Jul 17 '17 at 19:11
  • If you have only 2 DCs, and the 2nd DC was just created, you shouldn't list it as your DNS server as it is not ready yet to answer any queries. You have to use your first DC on both boxes. – strongline Jul 17 '17 at 19:32
  • It is definitely ready to answer queries, and does successfully. Besides, like I said in my earlier comment, both DCs had the primary DC listed as their DNS server. I have since read that the best practice is to list the other one's IP address as its primary DNS server. I have changed it now, but it didn't make any difference. – Intrepid Jul 17 '17 at 19:42
  • How long ago did you promote the DC? How big are the AD and SYSVOL folder? It may take a while depending on the bandwidth. Besides the SYSVOL folder issue, is AD replication itself OK? – strongline Jul 17 '17 at 19:46
  • I promoted it 2 days ago and it's not that big. About 1000 records. SYSVOL folder is 44KB. We are a Mac-based organization and only use Windows DC for Active Directory authentication. Everything seems to be fine. AD replication is working and I can view and make changes to AD from the new DC. – Intrepid Jul 17 '17 at 20:13
  • Are you using FRS or DFSR? Check the replication service health. If you still use FRS, maybe you can do a nonauthoritative mode restore (google burflags). – strongline Jul 18 '17 at 12:43
  • I am using DFSR... I think I found something that looks wrong. My DFSR on my Primary DC is showing errors that it is not able to replicate to its partner. This is because I demoted its partner a few weeks ago and removed the DC role from it. Why is it still trying to connect? – Intrepid Jul 18 '17 at 14:56
  • Remove the demoted DC from the replication set. – strongline Jul 18 '17 at 15:33

1 Answer

My SYSVOL and NETLOGON folders were not being synchronized because my primary DC was not set as an authoritative DFSR member. It was still trying to replicate to a demoted DC. I followed the "How to perform an authoritative synchronization of DFSR-replicated SYSVOL" section in this guide on my Primary DC: https://support.microsoft.com/en-us/help/2218556/how-to-force-an-authoritative-and-non-authoritative-synchronization-fo

Intrepid
  • Thanks, it helped me! Also in case someone else hits that same problem, when `DFSRDIAG` appears to not be installed on the target DC, the magic spell to invoke is `Install-WindowsFeature RSAT-DFS-Mgmt-Con` (here using PowerShell dialect.) – AntoineL Jun 01 '20 at 19:19
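
The state this thread ends up diagnosing (a demoted DC still listed as a SYSVOL replication partner, and new DCs without SYSVOL/NETLOGON shares) can be checked read-only from PowerShell. This is an added example, not part of the original posts or of the linked Microsoft guide; it assumes the ActiveDirectory RSAT module, SYSVOL already migrated to DFSR, and the default directory layout for the DFSR objects.

```powershell
# Added example (not from the thread): read-only checks, changes nothing.
# Assumes the ActiveDirectory RSAT module and SYSVOL already migrated to DFSR.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$dcs      = @(Get-ADDomainController -Filter *)

# 1. Members of the SYSVOL replication group that no longer map to a live DC,
#    such as the entry left behind by a demoted domain controller.
$topology = "CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,$domainDN"
$stale = Get-ADObject -SearchBase $topology -SearchScope OneLevel `
             -LDAPFilter '(objectClass=msDFSR-Member)' `
             -Properties 'msDFSR-ComputerReference' |
         Where-Object {
             $ref = $_.'msDFSR-ComputerReference'
             (-not $ref) -or ($dcs.ComputerObjectDN -notcontains $ref)
         }

# 2. Per DC: SYSVOL subscription flags and whether both shares are reachable.
$report = foreach ($dc in $dcs) {
    $subDN = 'CN=SYSVOL Subscription,CN=Domain System Volume,' +
             "CN=DFSR-LocalSettings,$($dc.ComputerObjectDN)"
    try {
        $sub = Get-ADObject -Identity $subDN -Server $dc.HostName `
                   -Properties 'msDFSR-Enabled', 'msDFSR-Options' -ErrorAction Stop
    } catch {
        $sub = $null   # subscription object missing or DC unreachable
    }
    [pscustomobject]@{
        DC            = $dc.HostName
        DfsrEnabled   = $sub.'msDFSR-Enabled'
        DfsrOptions   = $sub.'msDFSR-Options'
        SysvolShare   = Test-Path "\\$($dc.HostName)\SYSVOL"
        NetlogonShare = Test-Path "\\$($dc.HostName)\NETLOGON"
    }
}

"Stale SYSVOL replication members:"
$stale | Select-Object Name, 'msDFSR-ComputerReference' | Format-Table -AutoSize
"Per-DC SYSVOL state:"
$report | Format-Table -AutoSize
```

A member listed as stale corresponds to the situation in the answer, where the primary DC was still trying to replicate with a demoted partner; a DC with `SysvolShare` or `NetlogonShare` false matches the dcdiag NetLogons failure in the question.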