New DC not sharing sysvol, netlogon

[Big0range]

I recently set up a new DC to pull the old one out of service. It's currently seen as a DC by dcpromo, and it has been made the FSMO and is seen as such by all domain controllers. The sysvol folder structure exists, but is not shared; this of course causes problems with FRS. Plus, when the old DC is offline, I have authentication problems (Exchange won't run, machines find the domain controller). My understanding is that this should have been shared and replicated at the time of setting the machine to be a DC. If I manually share the sysvol and netlogon folders, will there be any problems, or do I need to re-assign the operations master roles back to the old DC and undo then redo the new DC's role as a DC with dcpromo?

Thanks for helping!

 

[joelrob]

Manually sharing will not help, I've been there, it doesn't work. My system did the exact same thing to me and I later found out it was because Symantec Anti-Virus Small Business Edition would not allow the folders to be shared. I had to disable Symantec, unpromote the server, shut down, restart and re-promo the server.

 

[svsawkar]

Your SYSVOL is not sharing because this new server is trying to replicate the existing policies from the dying server. Bring the old server back up, restart the ntfrs service. This should kick off FRS replication if the schedule is open and the dependancies have been correctly configured. You should see at 13509 or 13516 in the NTFRS event log. After this, make sure to DCPROMO the dying server down.

If this is not possible, metadata cleanup the dying server. Q216498. This will wack the NTFRS subscription object of the dead server allowing this new DC to come up successfully. You may not have any policies, so you will need to recreate the default policies. There are a few scripts floating out there that will do this for you.

/Siddharth

 

[Big0range]

Tried joelrob's idea first - disabled virus detection and ids software, demoted and re-promoted, still no luck.
All fsmo roles have been moved back to the old dc, it's running fine except I can't view event logs. Can't rename the evt files because it says they're being used, but can't view them with event viewer, so I'm not sure exactly what's happening on the old DC.
FRS schedule seems fine, but I'm not sure what you refer to, svsawkar, when you mention the dependancies being correctly configured. I'm not sure if the problem is with the new DC I built or the old DC which was built by someone else no longer with us. I think I might try to promote another 2000 server just to see if it has the same problems...
BTW, this is a mixed-mode domain and the new DC is running ADC as part of an incorporated Exchange upgrade, if that help at all.

 

[svsawkar]

Follow what I wrote before, as bringing up new servers won't work at this point.

/Siddharth

 

[Big0range]

Upgraded an existing 2000 member server to a DC successfully. It has the sysvol and netlogon folders shared, which is not happening with my dc-to be. I also get the event error "Windows cannot query for the list of Group Policy objects" and "Windows cannot establish a connection to [domain.com] with (1787)". I think these errors would be in the current DC's event log if I could see it because dcdiag says "the server holding the PDC role is down" and FRS is "having trouble enabling replication from" dc-to-be to the current dc, although the PDC is the current/old DC and there are no errors regarding the newly promoted test-dc.
Aaaarrrgh!!!
Whatever the issue, it seems to be central to the dc-to-be.

 

[svsawkar]

Alrighty, keep fighting it

/Siddharth

 

[ReddLefty]

This happened to me and I did something I found written absolutly nowhere (it was a calculated risk after reading all the MS KBs there was on it).

If you have any content in the following registry in your DC-to-be:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\SysVol

Then this is what is blocking it from starting. The key must be empty for the SYSVOL to mount properly and setup the shares and then start the replication. The key must exist, just the insides should be empty. Of course, make a backup cause it worked for me, but might not for you.


It was a long time ago, so I forget if my "SysVolReady" was at 1 (ready) or 0 (not ready) in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Netlogon\Parameters. But, you can toggle it to see. It won't hurt anything besides sharing or not the items. Don't forget to RESTART the NTFRS service every time you play with those keys.



"In space, nobody can hear you click..."

 

[Big0range]

Heeyyyyy, I have the SysVol key, and it is empty, but I don't have a Netlogon key (!). I'm tempted to move the ADC agreements off and re-build it to see if that clears up the issues.

 

[1UnixNewbie]

Kinda late to post, but better late than never. Had a similar problem. The FRS service was not running on the PDC when i promoted the member server and the Sysvol appeaered but did not replicate with the PDC. There is not alot of info on this subject which surprises me, but search microsoft for FRS authoritative restore. Actually the article # is 316790

I went into the registry on the working DC and changed a value to D4 to make it authoritative for the next replication attempt. It worked. It appears that since replication did not work during the reboot after promotion of the member server, it never realized the PDC to be authoritative for the initail replication. The Sysvol and Netlogon shares ARE NOT shared until after the initial replication which accurs after the reboot after dcpromo.

Hope this wasn't to little too late!!!