(2014-12-03) Incorrect Statement When Demoting An RODC While Retaining Metadata

When demoting an RODC, you have two options for an end result:

1. The RODC is demoted and became a domain joined member server
2. The RODC is demoted and became a stand-alone server (non-domain joined) and its metadata is kept in AD

Let’s go through the process and demote an RODC.

Figure 1: The Active Directory Domain Services Configuration Wizard – Credentials For Demotion

–

Figure 2: The Active Directory Domain Services Configuration Wizard – Explicitly Confirming The Demotion

–

Figure 3: The Active Directory Domain Services Configuration Wizard – Choosing Whether Or Not To Retain The Metadata Of The RODC

–

Figure 4: The Active Directory Domain Services Configuration Wizard – Password For The Local Administrator

–

Figure 5: The Active Directory Domain Services Configuration Wizard – Summary Of The End Result

–

The PowerShell script:

#
# Windows PowerShell script for AD DS Deployment
#

Import-Module ADDSDeployment
Uninstall-ADDSDomainController `
-DemoteOperationMasterRole:$true `
-RetainDCMetadata:$true `
-Force:$true

–

The statement in figure 5 is incorrect. Because I selected "Retain Metadata" (see figure 3), the statement should be: "When the process is complete, this server will be a stand-alone server (non-domain joined)". When you retain the metadata of an RODC, it becomes "unoccupied" which allows you to attach to when promoting a new RODC with the same name.

If you did not select "Retain Metadata", the statement in figure 5 is correct.

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2014-09-19) Checking The Health Of Your DC After Promotion

You have promoted your brand new DC. How do you know it is functioning correctly?

–

There are a few number of things you can do to determine its health. All the tests below were done on a W2K12R2 DC.

–

[1] Check inbound and outbound AD replication

To determine this, execute: REPADMIN /SHOWREPL /REPSTO

Make sure all last attempts are really recent, and at least within the tombstone lifetime of the AD forest

Figure 1: Last Attempts For Inbound AD Replication

–

Figure 2: Last Attempts For Outbound AD Replication

–

To check the replication latency/convergence also see: (2014-02-16) Testing Active Directory Replication Latency/Convergence Through PowerShell (Update 3)

–

[2] If the DC is a GC, check it has finished the build of the GC partitions and it is advertising itself as such

To determine this, execute: Get-WinEvent -LogName "Directory Service" | ?{$_.Id -eq 1119} | FL

Figure 3: The DC Now Advertising As A GC

–

[3] Check the SYSVOL has been initialized and finished initial replication

To determine this, execute: Get-WinEvent -LogName "DFS Replication" | ?{$_.Id -eq 4604} | FL

Figure 4: The DC Reporting SYSVOL Has Been Initialized And Performed Initial Replication

–

In addition, check the NETLOGON and SYSVOL shares are in place.

To determine this, execute: NET SHARE

Figure 5: The NETLOGON And SYSVOL Published

–

To check the replication latency/convergence also see: (2014-02-17) Testing SYSVOL Replication Latency/Convergence Through PowerShell (Update 3)

–

[4] Check Event Logs

The following event logs will help determine the health of the DC. Check the events with warnings or errors and resolve anything that needs to be resolved

Event Logs:

• Directory Service
• DFS Replication
• File Replication Service
• DNS Server
• Application
• System

[5] Run DCDIAG

To do this, execute: DCDIAG /C /D /V

Figure 6: DCDIAG Verbose Output

–

Directory Server Diagnosis

Performing initial setup:
   Trying to find home server…
   * Verifying that the local machine C1FSRWDC1, is a Directory Server.
   Home Server = C1FSRWDC1
   * Connecting to directory service on server C1FSRWDC1.
   * Identified AD Forest.
   Collecting AD specific global data
   * Collecting site info.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),…….
   The previous call succeeded
   Iterating through the sites
   Looking at base site object: CN=NTDS Site Settings,CN=BRANCH01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=BRANCH02,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=DMZ,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   Getting ISTG and options for the site
   Looking at base site object: CN=NTDS Site Settings,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   Getting ISTG and options for the site
   * Identifying all servers.
   Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),…….
   The previous call succeeded….
   The previous call succeeded
   Iterating through the list of servers
   Getting information for the server CN=NTDS Settings,CN=R1FSRWDC2,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=C1FSRWDC2,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=R1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   Getting information for the server CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
   objectGuid obtained
   InvocationID obtained
   dnsHostname obtained
   site info obtained
   All the info for the server collected
   * Identifying all NC cross-refs.
   * Found 4 DC(s). Testing 1 of them.
   Done gathering initial info.

Doing initial required tests
  
   Testing server: DTCNTR01\C1FSRWDC1
      Starting test: Connectivity
         * Active Directory LDAP Services Check
         Determining IP4 connectivity
         * Active Directory RPC Services Check
         ……………………. C1FSRWDC1 passed test Connectivity

Doing primary tests
  
   Testing server: DTCNTR01\C1FSRWDC1
      Starting test: Advertising
         The DC C1FSRWDC1 is advertising itself as a DC and having a DS.
         The DC C1FSRWDC1 is advertising as an LDAP server
         The DC C1FSRWDC1 is advertising as having a writeable directory
         The DC C1FSRWDC1 is advertising as a Key Distribution Center
         The DC C1FSRWDC1 is advertising as a time server
         The DS C1FSRWDC1 is advertising as a GC.
         ……………………. C1FSRWDC1 passed test Advertising
      Starting test: CheckSecurityError
         * Dr Auth:  Beginning security errors check!
         Found KDC C1FSRWDC1 for domain CHILD.ADCORP.LAB in site DTCNTR01
         Checking machine account for DC C1FSRWDC1 on DC C1FSRWDC1.
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD.ADCORP.LAB
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB
         * SPN found :LDAP/C1FSRWDC1
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD
         * SPN found :LDAP/227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/227b8ded-a71a-44a7-80d3-184f44f49957/CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD
         * SPN found :GC/C1FSRWDC1.CHILD.ADCORP.LAB/ADCORP.LAB
         [C1FSRWDC1] No security related replication errors were found on this
         DC!  To target the connection to a specific source DC use
         /ReplSource:<DC>.
         ……………………. C1FSRWDC1 passed test CheckSecurityError
      Starting test: CutoffServers
         * Configuration Topology Aliveness Check
         * Analyzing the alive system replication topology for DC=ForestDnsZones,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=DomainDnsZones,DC=CHILD,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=CHILD,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for CN=Configuration,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the alive system replication topology for DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ……………………. C1FSRWDC1 passed test CutoffServers
      Starting test: FrsEvent
         * The File Replication Service Event log test
         Skip the test because the server is running DFSR.
         ……………………. C1FSRWDC1 passed test FrsEvent
      Starting test: DFSREvent
         The DFS Replication Event Log.
         There are warning or error events within the last 24 hours after the
         SYSVOL has been shared.  Failing SYSVOL replication problems may cause
         Group Policy problems.
         An error event occurred.  EventID: 0xC00004B2
            Time Generated: 08/07/2014   01:27:17
            Event String:
            The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
            
            Additional Information:
            Error: 1355 (The specified domain either does not exist or could not be contacted.)
         An error event occurred.  EventID: 0xC00004B2
            Time Generated: 08/07/2014   01:44:39
            Event String:
            The DFS Replication service failed to contact domain controller  to access configuration information. Replication is stopped. The service will try again during the next configuration polling cycle, which will occur in 60 minutes. This event can be caused by TCP/IP connectivity, firewall, Active Directory Domain Services, or DNS issues.
            
            Additional Information:
            Error: 1355 (The specified domain either does not exist or could not be contacted.)
         A warning event occurred.  EventID: 0x80001780
            Time Generated: 08/07/2014   01:59:24
            Event String:
            The DFS Replication service failed to update configuration in Active Directory Domain Services. The service will retry this operation periodically.
            
            Additional Information:
            Object Category: msDFSR-LocalSettings
            Object DN: CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
            Error: 2 (The system cannot find the file specified.)
            Domain Controller: C1FSRWDC2.CHILD.ADCORP.LAB
            Polling Cycle: 60
         A warning event occurred.  EventID: 0x80001A94
            Time Generated: 08/07/2014   01:59:24
            Event String:
            The DFS Replication service has detected that no connections are configured for replication group Domain System Volume. No data is being replicated for this replication group.
            
            Additional Information:
            Replication Group ID: 1CED6656-CE5C-43B6-9F18-288417F99AF5
            Member ID: D840EF8E-56EC-47CF-B19D-87CFA2C8BABB
         A warning event occurred.  EventID: 0x80001206
            Time Generated: 08/07/2014   01:59:25
            Event String:
            The DFS Replication service initialized SYSVOL at local path D:\AD\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner C1FSRWDC2.CHILD.ADCORP.LAB. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
            
            Additional Information:
            Replicated Folder Name: SYSVOL Share
            Replicated Folder ID: E59797D1-0652-4D1F-8ACF-4AB0D2DA8632
            Replication Group Name: Domain System Volume
            Replication Group ID: 1CED6656-CE5C-43B6-9F18-288417F99AF5
            Member ID: D840EF8E-56EC-47CF-B19D-87CFA2C8BABB
            Read-Only: 0
         ……………………. C1FSRWDC1 failed test DFSREvent
      Starting test: SysVolCheck
         * The File Replication Service SYSVOL ready test
         File Replication Service’s SYSVOL is ready
         ……………………. C1FSRWDC1 passed test SysVolCheck
      Starting test: FrsSysVol
         * The File Replication Service SYSVOL ready test
         File Replication Service’s SYSVOL is ready
         ……………………. C1FSRWDC1 passed test FrsSysVol
      Starting test: KccEvent
         * The KCC Event log test
         Found no KCC errors in "Directory Service" Event log in the last 15 minutes.
         ……………………. C1FSRWDC1 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         Role Schema Owner = CN=NTDS Settings,CN=R1FSRWDC2,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         Role Domain Owner = CN=NTDS Settings,CN=R1FSRWDC2,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         Role PDC Owner = CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         Role Rid Owner = CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         Role Infrastructure Update Owner = CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         ……………………. C1FSRWDC1 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         Checking machine account for DC C1FSRWDC1 on DC C1FSRWDC1.
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD.ADCORP.LAB
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB
         * SPN found :LDAP/C1FSRWDC1
         * SPN found :LDAP/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD
         * SPN found :LDAP/227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB
         * SPN found :E3514235-4B06-11D1-AB04-00C04FC2DCD2/227b8ded-a71a-44a7-80d3-184f44f49957/CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB
         * SPN found :HOST/C1FSRWDC1
         * SPN found :HOST/C1FSRWDC1.CHILD.ADCORP.LAB/CHILD
         * SPN found :GC/C1FSRWDC1.CHILD.ADCORP.LAB/ADCORP.LAB
         ……………………. C1FSRWDC1 passed test MachineAccount
      Starting test: NCSecDesc
         * Security Permissions check for all NC’s on DC C1FSRWDC1.
         * Security Permissions Check for
           DC=ForestDnsZones,DC=ADCORP,DC=LAB
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=DomainDnsZones,DC=CHILD,DC=ADCORP,DC=LAB
            (NDNC,Version 3)
         * Security Permissions Check for
           DC=CHILD,DC=ADCORP,DC=LAB
            (Domain,Version 3)
         * Security Permissions Check for
           CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB
            (Schema,Version 3)
         * Security Permissions Check for
           CN=Configuration,DC=ADCORP,DC=LAB
            (Configuration,Version 3)
         * Security Permissions Check for
           DC=ADCORP,DC=LAB
            (Domain,Version 3)
         ……………………. C1FSRWDC1 passed test NCSecDesc
      Starting test: NetLogons
         * Network Logons Privileges Check
         Verified share \\C1FSRWDC1\netlogon
         Verified share \\C1FSRWDC1\sysvol
         ……………………. C1FSRWDC1 passed test NetLogons
      Starting test: ObjectsReplicated
         C1FSRWDC1 is in domain DC=CHILD,DC=ADCORP,DC=LAB
         Checking for CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB in domain DC=CHILD,DC=ADCORP,DC=LAB on 1 servers
            Object is up-to-date on all servers.
         Checking for CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB in domain CN=Configuration,DC=ADCORP,DC=LAB on 1 servers
            Object is up-to-date on all servers.
         ……………………. C1FSRWDC1 passed test ObjectsReplicated
      Starting test: OutboundSecureChannels
         * The Outbound Secure Channels test
         ** Did not run Outbound Secure Channels test because /testdomain: was
         not entered
         ……………………. C1FSRWDC1 passed test OutboundSecureChannels
      Starting test: Replications
         * Replications Check
         * Replication Latency Check
            DC=ForestDnsZones,DC=ADCORP,DC=LAB
               Latency information for 25 entries in the vector were ignored.
                  25 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB
               Latency information for 25 entries in the vector were ignored.
                  25 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            CN=Configuration,DC=ADCORP,DC=LAB
               Latency information for 25 entries in the vector were ignored.
                  25 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=ADCORP,DC=LAB
               Latency information for 16 entries in the vector were ignored.
                  15 were retired Invocations.  1 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=DomainDnsZones,DC=CHILD,DC=ADCORP,DC=LAB
               Latency information for 12 entries in the vector were ignored.
                  12 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
            DC=CHILD,DC=ADCORP,DC=LAB
               Latency information for 12 entries in the vector were ignored.
                  12 were retired Invocations.  0 were either: read-only replicas and are not verifiably latent, or dc’s no longer replicating this nc.  0 had no latency information (Win2K DC). 
         ……………………. C1FSRWDC1 passed test Replications
      Starting test: RidManager
         * Available RID Pool for the Domain is 30607 to 1073741823
         * C1FSRWDC1.CHILD.ADCORP.LAB is the RID Master
         * DsBind with RID Master was successful
         * rIDAllocationPool is 30107 to 30606
         * rIDPreviousAllocationPool is 30107 to 30606
         * rIDNextRID: 30107
         ……………………. C1FSRWDC1 passed test RidManager
      Starting test: Services
         * Checking Service: EventSystem
         * Checking Service: RpcSs
         * Checking Service: NTDS
         * Checking Service: DnsCache
         * Checking Service: DFSR
         * Checking Service: IsmServ
         * Checking Service: kdc
         * Checking Service: SamSs
         * Checking Service: LanmanServer
         * Checking Service: LanmanWorkstation
         * Checking Service: w32time
         * Checking Service: NETLOGON
         ……………………. C1FSRWDC1 passed test Services
      Starting test: SystemLog
         * The System Event log test
         Found no errors in "System" Event log in the last 60 minutes.
         ……………………. C1FSRWDC1 passed test SystemLog
      Starting test: Topology
         * Configuration Topology Integrity Check
         * Analyzing the connection topology for DC=ForestDnsZones,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=DomainDnsZones,DC=CHILD,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=CHILD,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Schema,CN=Configuration,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for CN=Configuration,DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         * Analyzing the connection topology for DC=ADCORP,DC=LAB.
         * Performing upstream (of target) analysis.
         * Performing downstream (of target) analysis.
         ……………………. C1FSRWDC1 passed test Topology
      Starting test: VerifyEnterpriseReferences
         ……………………. C1FSRWDC1 passed test
         VerifyEnterpriseReferences
      Starting test: VerifyReferences
         The system object reference (serverReference)
         CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB and
         backlink on
         CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         are correct.
         The system object reference (serverReferenceBL)
         CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB
         and backlink on
         CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
         are correct.
         The system object reference (msDFSR-ComputerReferenceBL)
         CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB
         and backlink on
         CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB are
         correct.
         ……………………. C1FSRWDC1 passed test VerifyReferences
      Starting test: VerifyReplicas
         ……………………. C1FSRWDC1 passed test VerifyReplicas
  
      Starting test: DNS
        
         DNS Tests are running and not hung. Please wait a few minutes…
         See DNS test in enterprise tests section for results
         ……………………. C1FSRWDC1 passed test DNS
  
   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ……………………. ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. ForestDnsZones passed test
         CrossRefValidation
  
   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ……………………. DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. DomainDnsZones passed test
         CrossRefValidation
  
   Running partition tests on : CHILD
      Starting test: CheckSDRefDom
         ……………………. CHILD passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. CHILD passed test CrossRefValidation
  
   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ……………………. Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. Schema passed test CrossRefValidation
  
   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ……………………. Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ……………………. Configuration passed test CrossRefValidation
  
   Running enterprise tests on : ADCORP.LAB
      Starting test: DNS
         Test results for domain controllers:
           
            DC: C1FSRWDC1.CHILD.ADCORP.LAB
            Domain: CHILD.ADCORP.LAB
           
                 
               TEST: Authentication (Auth)
                  Authentication test: Successfully completed
                 
               TEST: Basic (Basc)
                  The OS
                  Microsoft Windows Server 2012 R2 Datacenter (Service Pack level: 0.0)
                  is supported.
                  NETLOGON service is running
                  kdc service is running
                  DNSCACHE service is running
                  DNS service is running
                  DC is a DNS server
                  Network adapters information:
                  Adapter [00000010] Intel(R) PRO/1000 MT Network Connection:
                     MAC address is 00:0C:29:9E:4E:46
                     IP Address is static
                     IP address: 10.1.1.11
                     DNS servers:
                        10.1.1.11 (C1FSRWDC1) [Valid]
                        10.1.1.1 (<name unavailable>) [Valid]
                        127.0.0.1 (C1FSRWDC1) [Valid]
                  The A host record(s) for this DC was found
                  The SOA record for the Active Directory zone was found
                  The Active Directory zone on this DC/DNS server was found primary
                  Root zone on this DC/DNS server was not found
                 
               TEST: Forwarders/Root hints (Forw)
                  Recursion is enabled
                  Forwarders Information:
                     10.1.1.254 (<name unavailable>) [Invalid (unreachable)]
                     Error: All forwarders in the forwarder list are invalid.
                  Root hint Information:
                     Name: a.root-servers.net. IP: 198.41.0.4 [Invalid (unreachable)]
                     Name: b.root-servers.net. IP: 128.9.0.107 [Invalid (unreachable)]
                     Name: c.root-servers.net. IP: 192.33.4.12 [Invalid (unreachable)]
                     Name: d.root-servers.net. IP: 128.8.10.90 [Invalid (unreachable)]
                     Name: e.root-servers.net. IP: 192.203.230.10 [Invalid (unreachable)]
                     Name: f.root-servers.net. IP: 192.5.5.241 [Invalid (unreachable)]
                     Name: g.root-servers.net. IP: 192.112.36.4 [Invalid (unreachable)]
                     Name: h.root-servers.net. IP: 128.63.2.53 [Invalid (unreachable)]
                     Name: i.root-servers.net. IP: 192.36.148.17 [Invalid (unreachable)]
                     Name: j.root-servers.net. IP: 192.58.128.30 [Invalid (unreachable)]
                     Name: k.root-servers.net. IP: 193.0.14.129 [Invalid (unreachable)]
                     Name: l.root-servers.net. IP: 198.32.64.12 [Invalid (unreachable)]
                     Name: m.root-servers.net. IP: 202.12.27.33 [Invalid (unreachable)]
                  Error: Both root hints and forwarders are not configured or
                  broken. Please make sure at least one of them works.
                 
               TEST: Delegations (Del)
                  No delegations were found in this zone on this DNS server
                 
               TEST: Dynamic update (Dyn)
                  Test record dcdiag-test-record added successfully in zone CHILD.ADCORP.LAB
                  Test record dcdiag-test-record deleted successfully in zone CHILD.ADCORP.LAB
                 
               TEST: Records registration (RReg)
                  Network Adapter
                  [00000010] Intel(R) PRO/1000 MT Network Connection:
                     Matching CNAME record found at DNS server 10.1.1.11:
                     227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.11:
                     C1FSRWDC1.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.d38f52d2-f045-485a-af19-105ca6d9683f.domains._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._udp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kpasswd._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.gc._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.11:
                     gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _gc._tcp.DTCNTR01._sites.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.pdc._msdcs.CHILD.ADCORP.LAB

                     Matching CNAME record found at DNS server 10.1.1.1:
                     227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.1:
                     C1FSRWDC1.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.d38f52d2-f045-485a-af19-105ca6d9683f.domains._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._udp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kpasswd._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _kerberos._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.gc._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.1:
                     gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _gc._tcp.DTCNTR01._sites.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.DTCNTR01._sites.gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.1:
                     _ldap._tcp.pdc._msdcs.CHILD.ADCORP.LAB

                     Matching CNAME record found at DNS server 10.1.1.11:
                     227b8ded-a71a-44a7-80d3-184f44f49957._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.11:
                     C1FSRWDC1.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.d38f52d2-f045-485a-af19-105ca6d9683f.domains._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._udp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kpasswd._tcp.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.dc._msdcs.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _kerberos._tcp.DTCNTR01._sites.CHILD.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.gc._msdcs.ADCORP.LAB

                     Matching A record found at DNS server 10.1.1.11:
                     gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _gc._tcp.DTCNTR01._sites.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.DTCNTR01._sites.gc._msdcs.ADCORP.LAB

                     Matching  SRV record found at DNS server 10.1.1.11:
                     _ldap._tcp.pdc._msdcs.CHILD.ADCORP.LAB

        
         Summary of test results for DNS servers used by the above domain
         controllers:
        
            DNS server: 10.1.1.254 (<name unavailable>)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 10.1.1.254               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 10.1.1.254
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 128.63.2.53 (h.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 128.63.2.53
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 128.8.10.90 (d.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.8.10.90               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 128.8.10.90
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 128.9.0.107 (b.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.9.0.107               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 128.9.0.107
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.112.36.4 (g.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.112.36.4
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.203.230.10 (e.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.203.230.10
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.33.4.12 (c.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.33.4.12
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.36.148.17 (i.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.36.148.17
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.5.5.241 (f.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.5.5.241
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 192.58.128.30 (j.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 192.58.128.30
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 193.0.14.129 (k.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 193.0.14.129
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 198.32.64.12 (l.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.32.64.12               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 198.32.64.12
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 198.41.0.4 (a.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 198.41.0.4
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 202.12.27.33 (m.root-servers.net.)
               1 test failure on this DNS server
               PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
               Name resolution is not functional. _ldap._tcp.ADCORP.LAB. failed on the DNS server 202.12.27.33
               [Error details: 1460 (Type: Win32 – Description: This operation returned because the timeout period expired.)]
              
            DNS server: 10.1.1.1 (<name unavailable>)
               All tests passed on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
              
            DNS server: 10.1.1.11 (C1FSRWDC1)
               All tests passed on this DNS server
               Name resolution is functional._ldap._tcp SRV record for the forest root domain is registered
              
         Summary of DNS test results:
        
                                            Auth Basc Forw Del  Dyn  RReg Ext
            _________________________________________________________________
            Domain: CHILD.ADCORP.LAB
               C1FSRWDC1                    PASS PASS FAIL PASS PASS PASS n/a 
        
         ……………………. ADCORP.LAB failed test DNS
      Starting test: LocatorCheck
         GC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         PDC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         Time Server Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         Preferred Time Server Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         KDC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         ……………………. ADCORP.LAB passed test LocatorCheck
      Starting test: FsmoCheck
         GC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         PDC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         Time Server Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         Preferred Time Server Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         KDC Name: \\C1FSRWDC1.CHILD.ADCORP.LAB
         Locator Flags: 0xe000f1fd
         ……………………. ADCORP.LAB passed test FsmoCheck
      Starting test: Intersite
         Skipping site BRANCH01, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site BRANCH02, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site DMZ, this site is outside the scope provided by the
         command line arguments provided.
         Skipping site DTCNTR01, this site is outside the scope provided by the
         command line arguments provided.
         ……………………. ADCORP.LAB passed test Intersite

–

Additional Information:

• Troubleshooting Domain Controller Deployment
• DFS Replication: How to troubleshoot missing SYSVOL and Netlogon shares
• NTFRS Replication: Troubleshooting missing SYSVOL and NETLOGON shares on Windows domain controllers

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2014-08-02) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 7)

PART 6 is here.

WARNING/DISCLAIMER: I provide this information on a FYI basis. Be very very very careful in actually doing these steps on your production systems as it may brake or destroy your AD domain or AD forest. You are fully responsible for any steps you use from this blog post. If you do not understand what you are doing, either hire someone who does, or call Microsoft for support!

According to the DFS Replication Event Log the Staging Area was inaccessible.

Figure 1: Event ID 4212 For The Missing Staging Area

–

Looking at the folder structure I was missing the folder "staging" and its subfolder "domain" and the "staging areas" with the junction point.

The complete folder structure for the SYSVOL is:

• <Drive>:\<Folder>\<SYSVOL or SYSVOL_DFSR>
  • domain
  • staging
    • domain
  • staging areas
    • <FQDN AD domain> = JUNCTION POINT to <Drive>:\<Folder>\<SYSVOL or SYSVOL_DFSR>\staging\domain (see: Create the SYSVOL Root and Staging Areas Junction Point)
  • sysvol
    • <FQDN AD domain> = JUNCTION POINT to <Drive>:\<Folder>\<SYSVOL or SYSVOL_DFSR>\domain (see: Create the SYSVOL Root and Staging Areas Junction Point)

Stopping the DFSR service and then creating the yellow marked folders and junction points, and then restarting the DFSR service again solver all SYSVOL related problems! YES!

–

Executing DFSRDIAG DUMPADCFG on both RWDCs should show very similar output and the DFSR Service Event Log should show the following event ID:

Figure 2: Event ID 4604 For DFSR Service Having Initialized The SYSVOL And Having Performed Initial Replication

–

My test environment is running only W2K12R2 RWDCs. However, in the original scenario the ‘C1FSRWDC1.CHILD.ADCORP.LAB’ RWDC was running W2K8R2. Because of that, but also depending on what occurred with the RWDC (e.g. dirty shutdown) you might end up with the event  2213.

EVENT LOG: DFS Replication
SOURCE DFSR
EVENT ID: 2213
The DFS Replication service stopped replication on volume D:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.
Additional Information:
Volume: D:
GUID: 74D84752-A63E-11E0-8F2A-00155D006D28
Recovery Steps
1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="74D84752-A63E-11E0-8F2A-00155D006D28" call ResumeReplication

–

See:

• Changes that are not replicated to a downstream server are lost on the upstream server after an automatic recovery process occurs in a DFS Replication environment in Windows Server 2008 R2
• DFSR event ID 2213 in Windows Server 2008 R2 or Windows Server 2012

–

I hope you enjoyed this ride. I did!

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2014-08-01) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 6)

PART 5 is here.

WARNING/DISCLAIMER: I provide this information on a FYI basis. Be very very very careful in actually doing these steps on your production systems as it may brake or destroy your AD domain or AD forest. You are fully responsible for any steps you use from this blog post. If you do not understand what you are doing, either hire someone who does, or call Microsoft for support!

So I decided to undelete ‘CN=DFSR-LocalSettings’.

Figure 1: Undeleting The ‘DFS-R-LocalSettings’ Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ On ‘C1FSRWDC1.CHILD.ADCORP.LAB’

–

It is not possible to undelete ‘CN=Domain System Volume’ and ‘CN=SYSVOL Subscription’ using LDP as one of the required, but missing, attributes has binary values (‘msDFSR-ReplicationGroupGuid’ on ‘CN=Domain System Volume’, ‘msDFSR-ContentSetGuid’ and ‘msDFSR-ReplicationGroupGuid’ on ‘CN=SYSVOL Subscription’). It is not as easy as copying and pasting values into LDP. Does it stop here? No it does not! This is where PowerShell comes into the rescue! With PowerShell it is possible to use an existing object as a template to update or create another object.

First things first, let’s update the object ‘CN=DFSR-LocalSettings’ of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template.

Import-Module ActiveDirectory
$templateDomainSystemVolume = Get-ADObject "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC2,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB" `
    -Properties "msDFSR-ReplicationGroupGuid","showInAdvancedViewOnly"
$templateDomainSystemVolume
New-ADObject -Instance $templateDomainSystemVolume -name "Domain System Volume" `
    -type "msDFSR-Subscriber" `
    -path "CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB" `
    -OtherAttributes @{'msDFSR-MemberReference'="CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB"}

–

Figure 2: Updating The ‘DFS-R-LocalSettings’ Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ Using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template

–

Now, let’s recreate the object ‘CN=Domain System Volume’ of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template.

Import-Module ActiveDirectory
$templateSYSVOLSubscription = Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC2,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB" `
    -Properties "msDFSR-ContentSetGuid","msDFSR-ReplicationGroupGuid","msDFSR-Enabled","msDFSR-ReadOnly","msDFSR-ReplicationGroupGuid","msDFSR-RootPath","msDFSR-StagingPath","showInAdvancedViewOnly"
$templateSYSVOLSubscription
New-ADObject -Instance $templateSYSVOLSubscription "SYSVOL Subscription" `
    -type "msDFSR-Subscription" `
    -path "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB"

–

Figure 3: Recreating The ‘CN=Domain System Volume’ Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template

–

Now, let’s recreate the object ‘CN=SYSVOL Subscription’ of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template

Import-Module ActiveDirectory
$templateSYSVOLSubscription = Get-ADObject "CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC2,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB" `
    -Properties "msDFSR-ContentSetGuid","msDFSR-ReplicationGroupGuid","msDFSR-Enabled","msDFSR-ReadOnly","msDFSR-ReplicationGroupGuid","msDFSR-RootPath","msDFSR-StagingPath","showInAdvancedViewOnly"
$templateSYSVOLSubscription
New-ADObject -Instance $templateSYSVOLSubscription "SYSVOL Subscription" `
    -type "msDFSR-Subscription" `
    -path "CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB"

–

REMARK: either RWDC may have been migrated from NTFRS to DFSR whereas the SYSVOL is not named SYSVOL, but rather SYSVOL_DFSR. When using the DC object "CN=SYSVOL Subscription" CHECK if the applied paths are correct!

–

Figure 4: Recreating The ‘CN=SYSVOL Subscription’ Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ using ‘C1FSRWDC2.CHILD.ADCORP.LAB’ as the template

–

Now also restart the DFSR service on both ‘C1FSRWDC1.CHILD.ADCORP.LAB’ and ‘C1FSRWDC2.CHILD.ADCORP.LAB’. It should start inbound replicating the SYSVOL contents immediately! In my case it didn’t! Damn!

–

PART 7 continues here.

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2014-07-31) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 5)

PART 4 is here.

WARNING/DISCLAIMER: I provide this information on a FYI basis. Be very very very careful in actually doing these steps on your production systems as it may brake or destroy your AD domain or AD forest. You are fully responsible for any steps you use from this blog post. If you do not understand what you are doing, either hire someone who does, or call Microsoft for support!

After promoting the second RWDC for the child AD domain ‘CHILD.ADCORP.LAB’ I noticed, it was taking some time to have the SYSVOL replicated to that new RWDC. While the SYSVOL is not replicated, the RWDC will not advertise itself. And if it does not advertise itself, it is basically useless! Let start by checking the event viewer on both RWDCs, the source and the destination RWDC.

On the destination RWDC ‘C1FSRWDC2.CHILD.ADCORP.LAB’ (the one receiving) you may see the following event IDs:

Figure 1: Event ID 4614 For DFSR Service Initializing The SYSVOL And Waiting For Initial Replication

–

The DFS Replication service initialized SYSVOL at local path D:\AD\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner C1FSRWDC1.CHILD.ADCORP.LAB. If the server was in the process of being promoted to a domain controller, the domain controller will not advertize and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the synchronization partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
 
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: E59797D1-0652-4D1F-8ACF-4AB0D2DA8632
Replication Group Name: Domain System Volume
Replication Group ID: 1CED6656-CE5C-43B6-9F18-288417F99AF5
Member ID: 79EAC8E2-CD53-4136-843E-AB4CDEB2A0C5
Read-Only: 0

Figure 2: Event ID 5012 For DFSR Service On ‘C1FSRWDC2.CHILD.ADCORP.LAB’ Not Being Able To Communicate With ‘C1FSRWDC1.CHILD.ADCORP.LAB’

–

The DFS Replication service failed to communicate with partner C1FSRWDC1 for replication group Domain System Volume. The partner did not recognize the connection or the replication group configuration.
 
Partner DNS Address: C1FSRWDC1.CHILD.ADCORP.LAB
 
Optional data if available:
Partner WINS Address: C1FSRWDC1
Partner IP Address: 10.1.1.11
 
 
The service will retry the connection periodically.
 
Additional Information:
Error: 9026 (The connection is invalid)
Connection ID: AF63F561-E219-4792-8473-754A85D9ECF9
Replication Group ID: 1CED6656-CE5C-43B6-9F18-288417F99AF5

Figure 3: Event ID 4612 For DFSR Service Initializing The SYSVOL And Waiting For Initial Replication

–

The DFS Replication service initialized SYSVOL at local path D:\AD\SYSVOL\domain and is waiting to perform initial replication. The replicated folder will remain in the initial synchronization state until it has replicated with its partner C1FSRWDC1.CHILD.ADCORP.LAB. If the server was in the process of being promoted to a domain controller, the domain controller will not advertise and function as a domain controller until this issue is resolved. This can occur if the specified partner is also in the initial synchronization state, or if sharing violations are encountered on this server or the sync partner. If this event occurred during the migration of SYSVOL from File Replication service (FRS) to DFS Replication, changes will not replicate out until this issue is resolved. This can cause the SYSVOL folder on this server to become out of sync with other domain controllers.
 
Additional Information:
Replicated Folder Name: SYSVOL Share
Replicated Folder ID: E59797D1-0652-4D1F-8ACF-4AB0D2DA8632
Replication Group Name: Domain System Volume
Replication Group ID: AF63F561-E219-4792-8473-754A85D9ECF9
Member ID: 79EAC8E2-CD53-4136-843E-AB4CDEB2A0C5
Read-Only: 0

Figure 4: Event ID 5002 For DFSR Service On ‘C1FSRWDC2.CHILD.ADCORP.LAB’ Not Being Able To Communicate With ‘C1FSRWDC1.CHILD.ADCORP.LAB’

–

On the source RWDC ‘C1FSRWDC1.CHILD.ADCORP.LAB’ (the one sending) you will not see any event ID, and it appears as if everything is OK, but it is not! Let’s have a look at how each server sees its own configuration and execute DFSRDIAG DUMPADCFG on each RWDC.

Figure 5: The AD Configuration For ‘C1FSRWDC1.CHILD.ADCORP.LAB’

–

Figure 6: The AD Configuration For ‘C1FSRWDC2.CHILD.ADCORP.LAB’

–

Wow, that a difference! Something is wrong definitely wrong here. Using ADSIEDIT it can be seen that ‘C1FSRWDC1.CHILD.ADCORP.LAB’ is missing the objects ‘CN=DFSR-LocalSettings’, ‘CN=Domain System Volume’ and ‘CN=SYSVOL Subscription’. Somehow these got deleted as these were available as deleted objects.

–

PART 6 continues here.

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2014-07-30) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 4)

PART 3 is here.

WARNING/DISCLAIMER: I provide this information on a FYI basis. Be very very very careful in actually doing these steps on your production systems as it may brake or destroy your AD domain or AD forest. You are fully responsible for any steps you use from this blog post. If you do not understand what you are doing, either hire someone who does, or call Microsoft for support!

Now on ‘C1FSRWDC1.CHILD.ADCORP.LAB’ (figure 1a) or on ‘R1FSRWDC1.ADCORP.LAB’ (figure 1b) use Active Directory Sites And Services to force the replication of the configuration partition from ‘C1FSRWDC1.CHILD.ADCORP.LAB’ to ‘R1FSRWDC1.ADCORP.LAB’ (the RWDC where the undeletions occurred). Make sure to do this with enterprise admin credentials, otherwise you get an access denied.

Figure 1a: Forcing Replication Of Configuration Partition From ‘C1FSRWDC1.CHILD.ADCORP.LAB’ To ‘R1FSRWDC1.ADCORP.LAB’ On ‘C1FSRWDC1.CHILD.ADCORP.LAB’

–

Figure 1b: Forcing Replication Of Configuration Partition From ‘C1FSRWDC1.CHILD.ADCORP.LAB’ To ‘R1FSRWDC1.ADCORP.LAB’ On ‘R1FSRWDC1.ADCORP.LAB’

–

Only when getting the following error….

Figure 2: Mutual Authentication Error When Replicating

–

…mutual authentication needs to be disabled on the receiving RWDC ‘R1FSRWDC1.ADCORP.LAB’. To do that implement the following registry setting and then restart the Active Directory Domain Services (NTDS) service:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
• Replicator Allow SPN Fallback = 1 (DWORD)

The following command can be used:

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "Replicator Allow SPN Fallback" /t REG_DWORD /d 1
NET STOP NTDS
NET START NTDS

–

Now try to execute the step as mentioned in either figure 1a or figure 1b to force the replication of the configuration partition. To make sure everything is updated correctly, while using Active Directory Sites And Services force the replication of the AD domain partitions (forest root AD domain and child) between the RWDCs. Then force the replication of the configuration partition once again.

Now remember that if the options as shown in figure 1a or figure 1b are not available, it is still possible to use REPADMIN instead! Also see Repadmin for Experts.

# On R1FSRWDC1.ADCORP.LAB (forest root AD domain RWDC) turn OFF the KCC adding/removing replication
# links (repsFrom) based on available connection objects
REPADMIN /OPTIONS R1FSRWDC1.ADCORP.LAB +DISABLE_NTDSCONN_XLATE

# Create a replication link (repsFrom) for the configuration NC from C1FSRWDC1.CHILD.ADCORP.LAB to R1FSRWDC1.ADCORP.LAB
# and initiate a replication request
REPADMIN /ADD "CN=Configuration,DC=ADCORP,DC=LAB" R1FSRWDC1.ADCORP.LAB C1FSRWDC1.CHILD.ADCORP.LAB

# Create a replication link (repsFrom) for the child AD domain NC from C1FSRWDC1.CHILD.ADCORP.LAB to R1FSRWDC1.ADCORP.LAB
# and initiate a replication request. This does assume the receiving RWDC is also a GC
REPADMIN /ADD "DC=CHILD,DC=ADCORP,DC=LAB" R1FSRWDC1.ADCORP.LAB C1FSRWDC1.CHILD.ADCORP.LAB /READONLY

# Force the replication of the configuration NC between C1FSRWDC1.CHILD.ADCORP.LAB to R1FSRWDC1.ADCORP.LAB
REPADMIN /REPLICATE R1FSRWDC1.ADCORP.LAB C1FSRWDC1.CHILD.ADCORP.LAB "CN=Configuration,DC=ADCORP,DC=LAB" /FORCE /FULL

# Force the replication of the child AD domain NC between C1FSRWDC1.CHILD.ADCORP.LAB to R1FSRWDC1.ADCORP.LAB
REPADMIN /REPLICATE R1FSRWDC1.ADCORP.LAB C1FSRWDC1.CHILD.ADCORP.LAB "DC=CHILD,DC=ADCORP,DC=LAB" /FORCE /FULL

# Force the replication of the configuration NC between C1FSRWDC1.CHILD.ADCORP.LAB to R1FSRWDC1.ADCORP.LAB
REPADMIN /REPLICATE R1FSRWDC1.ADCORP.LAB C1FSRWDC1.CHILD.ADCORP.LAB "CN=Configuration,DC=ADCORP,DC=LAB" /FORCE /FULL

# Displays the status of inbound AD replication for all hosted NCs
REPADMIN /SHOWREPL

# On R1FSRWDC1.ADCORP.LAB (forest root AD domain RWDC) turn ON the KCC adding/removing replication
# links (repsFrom) based on available connection objects
REPADMIN /OPTIONS R1FSRWDC1.ADCORP.LAB -DISABLE_NTDSCONN_XLATE

–

Figure 3: Establishing Replication Links And Forcing AD Replication For Specific NCs

–

Figure 4: Checking The Inbound AD Replication Status

–

Mutual authentication needs to be again on the receiving RWDC ‘R1FSRWDC1.ADCORP.LAB’. To do that remove the following registry setting and then restart the Active Directory Domain Services (NTDS) service:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
• Replicator Allow SPN Fallback = 1 (DWORD)

The following command can be used:

REG DELETE "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" /v "Replicator Allow SPN Fallback"
NET STOP NTDS
NET START NTDS

–

Now ALL RWDCs in the AD forest have the exact same view of which RWDC is hosting which AD domain NC and application NC! Yiihhhaaa!

–

PART 5 continues here.

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2014-07-29) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 3)

PART 2 is here.

WARNING/DISCLAIMER: I provide this information on a FYI basis. Be very very very careful in actually doing these steps on your production systems as it may brake or destroy your AD domain or AD forest. You are fully responsible for any steps you use from this blog post. If you do not understand what you are doing, either hire someone who does, or call Microsoft for support!

To make the rest of the AD forest aware about ‘C1FSRWDC1.CHILD.ADCORP.LAB’ I chose one of the RWDCs in the forest root AD domain and undeleted the Server object and the NTDS Settings object that belonged to ‘C1FSRWDC1.CHILD.ADCORP.LAB’. Be aware though that both objects are deleted objects, but they cannot be found in the deleted objects container in the configuration partition. You will be able to find those objects in their original location. The reason for that is that both objects are configured with the systemFlag ‘DISALLOW_MOVE_ON_DELETE’. To be able to see the deleted objects and undelete them you need to enable the ‘SHOW_DELETED’ LDAP control. In this case the Recycle Bin is not enabled, therefore not every attribute can be restore. However, the previous authoritative restore will take care of that!

REMARK: If you see multiple deleted Server Objects and multiple deleted NTDS Settings Objects for the RWDC you want to undelete objects, how do you know which one to undelete? Correct, get the objectGUID for the Server object and NTDS Settings object on the RWDC ‘C1FSRWDC1.CHILD.ADCORP.LAB’, and then on the other RWDC undelete the corresponding Server object and NTDS Settings object with the same objectGUID. DO NOT just undelete any object as you might end up with multiple live objects, and then you have other issues to resolve!

First undelete the Server object through LDP.

Figure 1: Undeleting The Server Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ On Another RWDC

–

Then undelete the NTDS Settings object through LDP.

Figure 2: Undeleting The NTDS Settings Object Of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ On Another RWDC

–

PART 4 continues here.

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2014-07-28) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 2)

PART 1 is here.

WARNING/DISCLAIMER: I provide this information on a FYI basis. Be very very very careful in actually doing these steps on your production systems as it may brake or destroy your AD domain or AD forest. You are fully responsible for any steps you use from this blog post. If you do not understand what you are doing, either hire someone who does, or call Microsoft for support!

All the objects related to the RWDC ‘C1FSRWDC1.CHILD.ADCORP.LAB’ in any way are still available on ‘C1FSRWDC1.CHILD.ADCORP.LAB’ itself, but are either deleted or not up-to-date on the rest of the RWDCs in the AD forest (think about configuration partition and the read-only child AD domain partition on GCs). To make sure those objects are either updated or undeleted, I have to increase the version of all those objects on ‘C1FSRWDC1.CHILD.ADCORP.LAB’ as it is authoritative for those objects.

The list of objects is:

• Server Object: CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
• NTDS Settings Object: CN=NTDS Settings,CN=C1FSRWDC1,CN=Servers,CN=DTCNTR01,CN=Sites,CN=Configuration,DC=ADCORP,DC=LAB
• All connection objects
• RWDC computer account: CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
• RWDC Rid Set Object: CN=RID Set,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
• DFSR Settings Object: CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
• SYSVOL Subscriber Object: CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
• SYSVOL Subscription Object: CN=SYSVOL Subscription,CN=Domain System Volume,CN=DFSR-LocalSettings,CN=C1FSRWDC1,OU=Domain Controllers,DC=CHILD,DC=ADCORP,DC=LAB
• DFSR Membership Object: CN=C1FSRWDC1,CN=Topology,CN=Domain System Volume,CN=DFSR-GlobalSettings,CN=System,DC=CHILD,DC=ADCORP,DC=LAB

REMARK: If you are not DFS-R yet for SYSVOL replication, then you need to think about ALL NTFRS objects for that RWDC!

–

When thinking about authoritative restore of the objects above, you can think about increasing the version of every single object individually, or can increase the version of a complete subtree. I preferred to increase the version of the complete subtree as that was less work and achieved the same end result. So I will be only restoring the yellow marked objects as all child objects will have their version increased automatically.

Remember, in this scenario I do not need to restore anything, I just want to increase the version of the objects so during AD replication their version wins and updates or restores the same objects on the other RWDCs. To do this you need to either restart ‘C1FSRWDC1.CHILD.ADCORP.LAB’ in DSRM or just stop the AD service (preferred!) on it. It is not needed to increase the version with the default of 100000. In this case I just increase the version with 25. For all the steps see below.

Figure 1: Stopping The Active Directory Domain Services (NTDS) Service And All Depended Services

–

Figure 2: Authoritatively Restoring (Increasing The Version Of) The DFSR Membership Object And Any Leaf Objects

–

Figure 3: Authoritatively Restoring (Increasing The Version Of) The RWDC computer account And Any Leaf Objects

–

Figure 4: Authoritatively Restoring (Increasing The Version Of) The Server Object And Any Leaf Objects

–

In figure 2, 3 and 4 you see NTDSUTIL created both TXT and LDF files. You can find those files in the folder where NTDSUTIL was started. The TXT files just tell you for which objects the authoritative restore was done and the LDF files have the objects with the forward links that correspond with any backlink on the authoritative restored objects. When performing authoritative restores, restoring links between objects and make sure AD replication resolves any inconsistencies it is very important to import all the LDF files against a RWDC for the partition the LDF contains objects for. In this case all LDF files can be imported against ‘C1FSRWDC1.CHILD.ADCORP.LAB’. Of course not to forget, before importing the LDF files, start the AD service again! Wait a minute or so to make sure all other dependent services have started too. Oh, and do not worry about any errors regarding object class violations. The import of the LDF files first deletes the values and then repopulates the value. When trying to delete a value of a mandatory attribute, you get this error.

Figure 5: Starting The Active Directory Domain Services (NTDS) Service And Importing All LDF Files

–

PART 3 continues here.

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2014-07-27) Fixing AD/SYSVOL Replication And Reconnecting A Disconnected AD Domain (Part 1)

WARNING/DISCLAIMER: I provide this information on a FYI basis. Be very very very careful in actually doing these steps on your production systems as it may brake or destroy your AD domain or AD forest. You are fully responsible for any steps you use from this blog post. If you do not understand what you are doing, either hire someone who does, or call Microsoft for support!

–

This is a true story about a test environment from a, not to be named (to protect the innocent!), friend of mine. The AD forest was a multiple AD domain environment and each AD domain consisted of multiple RWDCs, no RODCs. To mimic the scenario, I going to to use my own test environment as it is representative enough to replay all the broken stuff that I found and eventually also fixed.

–

My test environment:

• forest root AD domain: ADCORP.LAB
  • RWDC: R1FSRWDC1.ADCORP.LAB (GC and all 5 FSMOs)
  • RWDC: R1FSRWDC2.ADCORP.LAB (GC)
• child AD domain: CHILD.ADCORP.LAB
  • RWDC: C1FSRWDC1.CHILD.ADCORP.LAB (GC and all 3 FSMOs)
  • RWDC: C1FSRWDC2.CHILD.ADCORP.LAB (GC)

–

The scenario:

• forest root AD domain: ADCORP.LAB
  • RWDC: R1FSRWDC1.ADCORP.LAB –> everything working, no issues
  • RWDC: R1FSRWDC2.ADCORP.LAB –> everything working, no issues
• child AD domain: CHILD.ADCORP.LAB
  • RWDC: C1FSRWDC1.CHILD.ADCORP.LAB –> with broken AD replication with ‘C1FSRWDC2.CHILD.ADCORP.LAB’, but not the forest root AD RWDCs, its metadata was cleaned on ‘C1FSRWDC2.CHILD.ADCORP.LAB’ and that cleanup replicated to all other RWDCs in the AD forest. This RWDC had a complete SYSVOL content
  • RWDC: C1FSRWDC2.CHILD.ADCORP.LAB –> with broken AD replication with ‘C1FSRWDC1.CHILD.ADCORP.LAB’, but not the forest root AD RWDCs, the metadata of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ was cleaned on ‘C1FSRWDC2.CHILD.ADCORP.LAB’ and that cleanup replicated to all other RWDCs in the AD forest’. Although the promotion succeeded in the past, this RWDC did not receive any content at all. Because of that it was not advertising as a DC and was therefore useless.

–

‘C1FSRWDC2.CHILD.ADCORP.LAB’ was having all kinds of issues and fixing it was quite painful. Therefore I decided to do a FORCED DEMOTION of ‘C1FSRWDC2.CHILD.ADCORP.LAB’. A forced demotion can be done through server manager or PowerShell. Through server manager just try to remove the "Active Directory Domain Services" role and at some point you will the option you need to demote the RWDC first. Through PowerShell you can execute the following commands:

Import-Module ADDSDeployment
Uninstall-ADDSDomainController -ForceRemoval:$true -Force:$true

–

Because ‘C1FSRWDC2.CHILD.ADCORP.LAB’ was force demoted, I cleaned up its metadata on ‘C1FSRWDC1.CHILD.ADCORP.LAB’. Because ‘C1FSRWDC1.CHILD.ADCORP.LAB’, the only RWDC for ‘CHILD.ADCORP.LAB’, was disconnected from the rest of the AD forest, I also had to delete the NTDS Settings object and Server object that belonged to ‘C1FSRWDC2.CHILD.ADCORP.LAB’. After removal of the metadata, I tried to repromote it to RWDC while using ‘C1FSRWDC1.CHILD.ADCORP.LAB’ as the source RWDC. The promotion can be done through server manager or PowerShell. Through server manager just click on the notification flag and choose to promote the server to a DC. Through PowerShell you can execute the following commands (MAKE SURE TO REPLACE ALL RED VALUES WITH YOUR OWN!):

Import-Module ADDSDeployment
Install-ADDSDomainController `
-AllowDomainControllerReinstall:$true `
-NoGlobalCatalog:$false `
-CreateDnsDelegation:$true `
-Credential (Get-Credential) `
-CriticalReplicationOnly:$false `
-DatabasePath "D:\AD\DB" `
-DomainName "CHILD.ADCORP.LAB" `
-InstallDns:$true `
-LogPath "D:\AD\LOG" `
-NoRebootOnCompletion:$false `
-ReplicationSourceDC "C1FSRWDC1.CHILD.ADCORP.LAB" `
-SiteName "DTCNTR01" `
-SysvolPath "D:\AD\SYSVOL" `
-Force:$true

–

At some point, the promotion of the RWDC ‘C1FSRWDC2.CHILD.ADCORP.LAB’ halted while it was trying to create the NTDS Settings object for the DC. I decided to have a look at the ‘C:\Windows\Debug\DCPROMO.LOG’ file and that’s when I noticed it was complaining about not being able to able to find a DC for the AD domain. I thought it was weird, and did not fully understood why it was saying that. The only thing I can think of is maybe incorrect DNS (delegation) information. In my test environment the promotion succeeded. In the real scenario I decided to stop the promotion and leave that DC alone for a while and focus on reconnecting the orphaned RWDC ‘C1FSRWDC1.CHILD.ADCORP.LAB’ back to the rest of the AD forest.

This is how the AD forest looked like on a forest root AD domain RWDC

Figure 1: The View Of The AD Forest On The Forest Root AD Domain RWDC

–

This is how the AD forest looked like on the (orphaned) child AD domain RWDC

Figure 2: The View Of The AD Forest On The Child AD Domain RWDC

–

‘C1FSRWDC1.CHILD.ADCORP.LAB’ knew about the rest of the AD forest, but the rest of the AD forest did not know about ‘C1FSRWDC1.CHILD.ADCORP.LAB’ anymore. To make sure AD replication started working again between the rest of the AD forest and ‘C1FSRWDC1.CHILD.ADCORP.LAB’ (and vice versa) I needed to make the AD forest aware of ‘C1FSRWDC1.CHILD.ADCORP.LAB’ again and I wanted to make sure the authoritative information from ‘C1FSRWDC1.CHILD.ADCORP.LAB’ on ‘C1FSRWDC1.CHILD.ADCORP.LAB’ itself was not lost. The rest of the AD forest still knew about the child AD domain (and the application NCs) as the cross-reference objects were still there.

Figure 3: The Cross-Reference Objects Of The Child AD Domain And The Application Partitions (NCs) On The Forest Root AD Domain RWDC

–

PART 2 continues here.

–

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

(2014-06-24) RODC Promotion (Direct Or Staged) Fails Because Of NC With No Replicas

My TEST environment, corporate forest with 2 AD domains and DMZ forest with 1 AD domain with 2 RWDCs and 2 RODCs, was running W2K12 and I still needed to update it to W2K12R2. Part of the test environment was already updated weeks ago. The only part left to upgrade were the RODCs. All RWDCs were already upgraded. So I demoted the RODCs, while keeping their metadata in place in the directory to use it later on during a new staged RODC promotion.

–

I started both RODC staged promotions at the same time and I did not expect any errors. Well, think again!

During the promotions I got the error: "While promoting Read-only Domain Controller, the expected state objects could not be found".

I saw the error in the PowerShell window as you can see below, and also in the debug log files.

Figure 1: RODC Staged Promotion With PowerShell – "While promoting Read-only Domain Controller, the expected state objects could not be found"

–

A copy of the "C:\Windows\Debug\DCPROMO.LOG" and "C:\Windows\Debug\DCPROMOUI.LOG" debug log files can be found here and here.

Going through the default stuff, Event Viewer and DCDIAG, did not show/provide any interesting information. Bummer!

Figure 2: DCPROMOUI.LOG – "While promoting Read-only Domain Controller, the expected state objects could not be found"

–

You will not find ANY clue from anywhere what the problem is. So, after a long time searching and googling, I found some information about a TAPI3 partition. The problem is related to a directory partition, but not related to the partition being named TAPI3. Based upon that I decided to check the cross-references in my directory as you can see below.

Figure 3: ADSIEDIT – Cross-References For All Partitions In The Directory

–

And that’s when I noticed the partition "DC=RegionDnsZones,DC=ADDMZ,DC=LAN". I had totally forgotten about it! It was a partition I had created in the past to test replication of DNS zones.

–

Below you will find how a healthy cross-reference looks like:

Figure 4: LDP – Healthy Cross-Reference For The Partition "DC=DomainDnsZones,DC=ADDMZ,DC=LAN"

–

Below you will find how a UNhealthy cross-reference looks like:

Figure 5: LDP – UNHealthy Cross-Reference For The Partition "DC=RegionDnsZones,DC=ADDMZ,DC=LAN"

–

See the difference? The cross-reference for the partition "DC=RegionDnsZones,DC=ADDMZ,DC=LAN", DOES NOT list any replica hosting the partition, and THAT is what is wrong here.

During my upgrade from W2K12 to W2K12R2 DCs (no in place upgrade, but rather replace) I had forgotten about this partition and unintentionally removed all hosting replicas without assigning new replicas. OOPS!

So, WHY does this go wrong with the RODC promotion? I reviewed the scripted PowerShell command I used, and I noticed the option "-ApplicationPartitionsToReplicate *". "*" basically means "go and look for all configured cross-references, enlist to host the partition and find a replica to inbound replicate the directory partition data". Everything goes right, up to the moment the RODC promotion is checking the cross-reference of the partition "DC=RegionDnsZones,DC=ADDMZ,DC=LAN" to find a replica. And as you can see, there are NO replicas specified. Although the definition of the partition is there, the so called cross-reference, the actual partition hosted on some replica is nowhere to be found! And that’s why the RODC promotion fails. It would be interesting and more helpful if the error was more intuitive/informative.

–

So, now the question: "how to solve this problem?". As always, that’s easy!

The solution is to delete the cross-reference, and for that I’m going to use NTDSUTIL. See below! You can either use the commands in the sub-menu "METADATA CLEANUP" or the commands in the sub-menu "PARTTION MANAGEMENT"

NTDSUTIL – METADATA CLEANUP

Figure 6: NTDSUTIL – METADATA CLEANUP – Help (1)

–

Figure 7: NTDSUTIL – METADATA CLEANUP – Help (2) And Removal Of The Naming Context

–

After submitting the NTDSUTIL command "REMOVE SELECTED NAMING CONTEXT" you will see the warning below

Figure 8: NTDSUTIL – REMOVE SELECTED NAMING CONTEXT – Confirmation

–

NTDSUTIL – PARTTION MANAGEMENT

Figure 9: NTDSUTIL – PARTITION MANAGEMENT – Help (1)

–

Figure 10: NTDSUTIL – PARTITION MANAGEMENT – Help (2)

–

Figure 11: NTDSUTIL – PARTITION MANAGEMENT – Listing NC Information And Deleting NC

–

The NC is now removed!

Figure 12: ADSIEDIT – Cross-References For All Partitions In The Directory

–

Allow AD replication to complete the removal of the cross-reference on all DCs, then restart the staged/direct RODC promotion and you should be good to go!

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————