Solving some Active Directory issues

I am working on upgrading my lab AD to Win2K16.  I am also writing an article about it.  The first time it did not work, but I was able to restore everything – thank goodness I backed up both DCs.  This time I am doing a dcdiag before I do the upgrade, and it has shown some issues.  I am going to use this article to track the issues I found and what I did to solve them.  Maybe it will help someone, but also, if it happens again, I will have a head start on dealing with it myself.

I should note that I am trying to make things healthy enough to upgrade.  I am doing that since I have MSDN licenses where I have a fixed number of licenses, so I cannot just delete a Win2K12 VM and deploy a Win2K16 node.  Which is too bad.  If I were a customer I would not do this, but would instead deploy a new server and do this the ‘normal’ way, or I would call MS for help.  But I have to figure this out myself and get things healthy so the upgrade works – since it is my only choice.

Problems

  • I had a ‘could not be resolved to an IP address’ issue.  But it was for a very odd name – 121a90e4-*._msdcs.thewhites.ca – so I was not really sure about it.
  • I also got a time skew error between the client and one DC, but that made no sense to me technically.
  • There were Group Policy problems.
  • There were DFS Replication problems, first with attempting to establish a replication link, and other general ones such as ‘RPC server is unavailable’.
  • Topology errors around my main DC not being able to get changes from the other server.
  • There were also some DNS errors with the new (second) DC.

Solution

  • I was able to find in my DNS the entry mentioned in the test and make sure it had the right IP address.
  • I restarted the Server service (which includes both Netlogon and DFS Namespace) on both DCs.
  • I tried to force a sync, but that did not work.
  • I changed the DNS IP addresses on the second server so that the primary was itself and the secondary was the first DC.  It was originally primary as the first DC and secondary as itself.
  • I now do the same dcdiag command but as the actual administrator.  The command I used was (I did not have to specify credentials as I was working as the administrator):

dcdiag.exe /s:logan.thewhites.ca /a /v /c /f:c:\dc_test.log

  • With the minor changes I made, and using the administrator account, I had fixed all the issues except for the DFS replication / SYSVOL one.
  • The replication issues are tough – a demote and promote did not help.  What I had to do – I thought – was to delete the SYSVOL folder structure on the second DC.  That turned out to be a little tough.  I ended up adding myself to the ACL with admin rights and then was able to delete it.
  • With the second DC demoted, and no SYSVOL, I made sure that the dcdiag results were in fact healthy.  I also waited a few days, did the dcdiag again, and confirmed again that it was healthy.
  • So now I installed the AD DS role, promoted, and restarted.
  • Next is to do a dcdiag again.  What will I find in the dcdiag log?  I am a little nervous as I have been working on this for a while.  The first thing I see in the log:

Testing server: Default-First-Site-Name\LOGAN2
   Starting test: Connectivity
      * Active Directory LDAP Services Check
      The host 73c7fe77-999d-4220-8d00-cbd32f52c69a._msdcs.thewhites.ca could not be resolved to an IP address. Check the DNS server, DHCP, server name, etc.
      Got error while checking LDAP and RPC connectivity. Please check your firewall settings.
      ......................... LOGAN2 failed test Connectivity

  • So I need to fix that IP address again.  But wait, it all looks good.  That weird IP is properly defined and points at logan2, so that is good.  So I check the IPv4 adapter DNS settings, and I think they are wrong.  Preferred is logan, and alternate is 127.0.0.1.  So I change preferred to logan2 and alternate to logan 1.  I believe that is correct.  I can ping long and short logan2.www.
  • And now another dcdiag.  Now I have a successful connectivity check, so the tweak of DNS on the adapter fixed that issue.
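The odd GUID-shaped name that dcdiag could not resolve is the objectGUID of the DC's NTDS Settings object, which every DC publishes as a CNAME under _msdcs.<forest root>; replication partners locate each other through that record, so a stale or missing one shows up exactly as the Connectivity failure above. The following PowerShell is an added example, not code from the original post: it checks that record for every DC in the forest and lists the preferred/alternate DNS servers on the local adapters. It assumes the ActiveDirectory and DnsClient modules are present and that it runs in a domain-admin session; the host names it reports come from Get-ADDomainController, not from anything hard-coded.

```powershell
# Added example (not from the original post): confirm each DC's DSA-GUID
# CNAME in _msdcs resolves to the DC's own FQDN and IP, and show the
# resolver order the local adapters are using.
Import-Module ActiveDirectory

function Test-DcMsdcsCname {
    param(
        # Optional DNS server to query; defaults to the local resolver order.
        [string]$DnsServer
    )
    $forestRoot = (Get-ADForest).RootDomain
    foreach ($dc in Get-ADDomainController -Filter *) {
        # The GUID in the record name is the objectGUID of the NTDS Settings
        # object, not the computer object and not the invocation ID.
        $ntds  = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties objectGUID
        $cname = "$($ntds.objectGUID)._msdcs.$forestRoot"
        $query = @{ Name = $cname; Type = 'CNAME'; ErrorAction = 'Stop' }
        if ($DnsServer) { $query['Server'] = $DnsServer }
        try {
            $rec = Resolve-DnsName @query | Where-Object { $_.Type -eq 'CNAME' }
            if (-not $rec) { throw "no CNAME record returned for $cname" }
            $target = $rec.NameHost.TrimEnd('.')
            # The CNAME must point at the DC's FQDN, which must resolve to its IP.
            $a = Resolve-DnsName -Name $target -Type A -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'A' }
            $ok   = ($target -ieq $dc.HostName) -and ($a.IPAddress -contains $dc.IPv4Address)
            $note = if ($ok) { 'OK' } else { "CNAME -> $target ($($a.IPAddress -join ','))" }
        } catch {
            $ok   = $false
            $note = $_.Exception.Message
        }
        [pscustomobject]@{
            DC      = $dc.HostName
            Cname   = $cname
            Healthy = $ok
            Detail  = $note
        }
    }
}

function Get-DcResolverOrder {
    # Preferred/alternate DNS servers on each IPv4 adapter of this machine;
    # compare the output from each DC against what dcdiag is complaining about.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Select-Object InterfaceAlias,
            @{ n = 'Preferred'; e = { $_.ServerAddresses[0] } },
            @{ n = 'Alternate'; e = { $_.ServerAddresses[1] } }
}

Test-DcMsdcsCname  | Format-Table -AutoSize
Get-DcResolverOrder | Format-Table -AutoSize
```

Running Test-DcMsdcsCname with -DnsServer set to each DC in turn is the quickest way to tell a record that is wrong in the zone from a record that is right in the zone but not reachable through the adapter's resolver order, which is the distinction the post works through by hand.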

So we have everything good and healthy now except for the SYSVOL replication.  That is tough.

SYSVOL replication issue

  • We check the current dcdiag log.
  • It still has a little issue on DFS replication.

Starting test: DFSREvent
   The DFS Replication Event Log.
   There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
   A warning event occurred. EventID: 0x80001A94
      Time Generated: 10/15/2017 12:17:51
      Event String:
      The DFS Replication service has detected that no connections are configured for replication group Domain System Volume. No data is being replicated for this replication group.

  • So I use DFS Management in admin tools to see a little more. But it looks good.

  • So now I check the Diagnostic Report.  I wonder if it will help?  I use all defaults.

  • This is exactly what I saw before – before I demoted and cleaned up.  In Google I find that the ‘Cannot access WMI repository’ message is not an issue.  I did not find a lot on it, but I hope that is true.  So now I guess I need to force a sync?
  • I find a DFS command that mentions Win2K12:

Dfsrdiag syncnow /rgname:"domain system volume" /partner:dc2 /time:1 /verbose

  • This command says “Operation Succeeded”.  So I will wait a bit, do the dcdiag again, and see what happens.  The dcdiag didn’t change much, so I checked the Health Report.

  • I have restarted both DCs and tried the dcdiag again.  Next is what I find on this issue in the log file.

Starting test: DFSREvent
   The DFS Replication Event Log.
   There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
   A warning event occurred. EventID: 0x80001A94
      Time Generated: 10/15/2017 12:17:51
      Event String:
      The DFS Replication service has detected that no connections are configured for replication group Domain System Volume. No data is being replicated for this replication group.
      Additional Information:
      Replication Group ID: 5B761ECB-2772-4161-A25B-B6CD472880CC
      Member ID: 15328019-3468-4FCC-98F7-505C516553B8
   A warning event occurred. EventID: 0x80001396
      Time Generated: 10/15/2017 13:28:40
      Event String:
      The DFS Replication service is stopping communication with partner LOGAN2 for replication group Domain System Volume due to an error. The service will retry the connection periodically.
      Additional Information:
      Error: 9033 (The request was cancelled by a shutdown)
      Connection ID: 3C884060-9C8A-464A-B77F-BCB6AC19ED75
      Replication Group ID: 5B761ECB-2772-4161-A25B-B6CD472880CC
   An error event occurred. EventID: 0xC000138A
      Time Generated: 10/15/2017 13:28:50
      Event String:
      The DFS Replication service encountered an error communicating with partner LOGAN2 for replication group Domain System Volume.
      Partner DNS address: logan2.thewhites.ca
      Optional data if available:
      Partner WINS Address: logan2
      Partner IP Address: 192.168.9.10
      The service will retry the connection periodically.
      Additional Information:
      Error: 1753 (There are no more endpoints available from the endpoint mapper.)
      Connection ID: 3C884060-9C8A-464A-B77F-BCB6AC19ED75
      Replication Group ID: 5B761ECB-2772-4161-A25B-B6CD472880CC
   A warning event occurred. EventID: 0x80001396
      Time Generated: 10/15/2017 13:34:42
      Event String:
      The DFS Replication service is stopping communication with partner LOGAN2 for replication group Domain System Volume due to an error. The service will retry the connection periodically.
      Additional Information:
      Error: 9033 (The request was cancelled by a shutdown)
      Connection ID: 3C884060-9C8A-464A-B77F-BCB6AC19ED75
      Replication Group ID: 5B761ECB-2772-4161-A25B-B6CD472880CC
   An error event occurred. EventID: 0xC0001390
      Time Generated: 10/15/2017 13:35:16
      Event String:
      The DFS Replication service failed to communicate with partner LOGAN2 for replication group Domain System Volume. This error can occur if the host is unreachable, or if the DFS Replication service is not running on the server.
      Partner DNS Address: logan2.thewhites.ca
      Optional data if available:
      Partner WINS Address: logan2
      Partner IP Address: 192.168.9.10
      The service will retry the connection periodically.
      Additional Information:
      Error: 1722 (The RPC server is unavailable.)
      Connection ID: 3C884060-9C8A-464A-B77F-BCB6AC19ED75
      Replication Group ID: 5B761ECB-2772-4161-A25B-B6CD472880CC
   ......................... LOGAN failed test DFSREvent

  • This does not all make sense.  In the DFS Management tool we can see the connection.  We can force it to connect at the command line and it says it worked.  But it doesn’t.
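The DFS Management console and dfsrdiag show what is configured in AD; the DFS Replication service keeps its own view of what it has actually loaded, which is what the "no connections are configured" event (0x80001A94) above is reporting. The PowerShell below is an added example, not from the original post or from Microsoft's tooling: it reads that service-side view through the root\MicrosoftDFS WMI namespace, lists the SYSVOL replicated folder's state and every inbound/outbound connection the service knows about, and confirms the SYSVOL and NETLOGON shares are published. It assumes DFSR-based SYSVOL and local admin rights on the DC; the state-code tables are the ones Microsoft documents for the DfsrReplicatedFolderInfo and DfsrConnectionInfo classes.

```powershell
# Added example (not from the original post): the DFSR service's own view
# of SYSVOL on a DC, plus whether the SYSVOL/NETLOGON shares are published.
function Get-SysvolDfsrState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Documented values of DfsrReplicatedFolderInfo.State
    $folderState = @{ 0 = 'Uninitialized'; 1 = 'Initialized'; 2 = 'Initial Sync'
                      3 = 'Auto Recovery'; 4 = 'Normal';      5 = 'In Error' }
    # Documented values of DfsrConnectionInfo.State
    $connState   = @{ 0 = 'Connecting'; 1 = 'Online'; 2 = 'Offline'; 3 = 'In Error' }

    $cim = @{ Namespace = 'root\MicrosoftDFS'; ComputerName = $ComputerName; ErrorAction = 'Stop' }

    # SYSVOL lives in the built-in "Domain System Volume" replication group.
    $folders = Get-CimInstance @cim -ClassName DfsrReplicatedFolderInfo |
        Where-Object { $_.ReplicationGroupName -eq 'Domain System Volume' } |
        ForEach-Object {
            [pscustomobject]@{
                Item  = "Folder: $($_.ReplicatedFolderName)"
                State = $folderState[[int]$_.State]
                Note  = "Group $($_.ReplicationGroupName)"
            }
        }

    # An empty list here is what event 0x80001A94 ("no connections are
    # configured") looks like from the service's side, even when DFS Management
    # shows the connection objects in AD. Healthy: one inbound and one outbound
    # connection per partner, both Online.
    $conns = Get-CimInstance @cim -ClassName DfsrConnectionInfo |
        Where-Object { $_.ReplicationGroupName -eq 'Domain System Volume' } |
        ForEach-Object {
            $dir = if ($_.Inbound) { 'inbound from' } else { 'outbound to' }
            [pscustomobject]@{
                Item  = "Connection $dir $($_.PartnerName)"
                State = $connState[[int]$_.State]
                Note  = "ConnectionGuid $($_.ConnectionGuid)"
            }
        }

    # A DC publishes SYSVOL and NETLOGON once its SYSVOL replica is ready.
    $smb = @{}
    if ($ComputerName -ne $env:COMPUTERNAME) { $smb['CimSession'] = $ComputerName }
    $published = Get-SmbShare @smb -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue
    $shares = @()
    foreach ($name in 'SYSVOL', 'NETLOGON') {
        $s = $published | Where-Object { $_.Name -eq $name }
        $shares += [pscustomobject]@{
            Item  = "Share: $name"
            State = if ($s) { 'Published' } else { 'MISSING' }
            Note  = if ($s) { $s.Path } else { '' }
        }
    }

    @($folders) + @($conns) + @($shares)
}

Get-SysvolDfsrState | Format-Table -AutoSize
```

Run it on both DCs (or once per DC with -ComputerName) and compare: a folder stuck in Initial Sync or In Error on one side, or connections present on one DC and absent on the other, narrows the problem to the service's loaded configuration rather than to the objects in the directory, which is the gap between "it says it worked" and "it doesn't" above.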

So today I talked with Dave Kawula about this.  On the new DC, we changed the DNS to be only pointing at the original DC – Logan.  Then at the command line did a repadmin /kcc, then repadmin /syncall, then a repadmin /syncall /P.  After that I was able to do a Replicate Now in Sites and Services for both sides with no issues.  I was also able to create a new user in Logan and have it show up right away on Logan2.  So things are working.  I now have changed the primary DNS to be itself, and the secondary DNS to be Logan, on Logan2.  I still can create a user on Logan and have it show up on Logan2.  I am thinking that now AD sync is working, in 24 hours the error in the event log that is shown in the DCDIAG reports will go away.  We will see.  The DFS Health Report has not changed, but I am going to ignore that and see how things go.
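The repadmin sequence above (recompute the topology with /kcc, then pull with /syncall, then push with /syncall /P) and the "create a user on one DC, look for it on the other" check can be scripted so the result is recorded rather than eyeballed. The PowerShell below is an added example, not from the original post or from Microsoft: it runs the same three repadmin commands, then reads the per-partner replication metadata and any logged failures for every DC through the ActiveDirectory module, and optionally writes a throwaway canary object on one DC and waits for it to appear on another. It assumes the ActiveDirectory module, Domain Admin rights, and that repadmin.exe is on the path; the logan/logan2 host names in the commented-out usage line are the post's and are only illustrative.

```powershell
# Added example (not from the original post): script the repadmin sequence,
# read replication metadata/failures for every DC, and run a canary write.
Import-Module ActiveDirectory

function Invoke-AdReplicationSync {
    # Same three steps as in the post: rebuild topology, pull, then push.
    & repadmin.exe /kcc        | Out-Null
    & repadmin.exe /syncall    | Out-Null
    & repadmin.exe /syncall /P | Out-Null
}

function Get-AdReplicationHealth {
    foreach ($dc in Get-ADDomainController -Filter *) {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Partition * -ErrorAction SilentlyContinue
        $fail = Get-ADReplicationFailure        -Target $dc.HostName -ErrorAction SilentlyContinue
        foreach ($m in $meta) {
            [pscustomobject]@{
                DC                  = $dc.Name
                # Partner is the NTDS Settings DN; the second RDN is the partner DC name.
                Partner             = (($m.Partner -split ',')[1]) -replace '^CN='
                Partition           = $m.Partition
                LastSuccess         = $m.LastReplicationSuccess
                ConsecutiveFailures = $m.ConsecutiveReplicationFailures
                LastResult          = $m.LastReplicationResult   # 0 means success
            }
        }
        foreach ($f in $fail) {
            Write-Warning "$($dc.Name): $($f.FailureCount) failure(s) with $($f.Partner): $($f.LastError)"
        }
    }
}

function Test-AdReplicationCanary {
    param(
        [Parameter(Mandatory)][string]$SourceDc,
        [Parameter(Mandatory)][string]$TargetDc,
        [int]$TimeoutSeconds = 120
    )
    # A contact object carries no logon rights, so it is a safer canary than a user.
    $name = "repl-canary-" + [guid]::NewGuid().ToString('N').Substring(0, 8)
    $path = (Get-ADDomain -Server $SourceDc).UsersContainer
    $obj  = New-ADObject -Name $name -Type contact -Path $path -Server $SourceDc -PassThru
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $seen = $false
    do {
        # Ask the target DC directly so the read cannot be served by the source.
        $seen = [bool](Get-ADObject -Filter "Name -eq '$name'" -SearchBase $path -Server $TargetDc)
        if (-not $seen) { Start-Sleep -Seconds 5 }
    } until ($seen -or (Get-Date) -gt $deadline)
    Remove-ADObject -Identity $obj.DistinguishedName -Server $SourceDc -Confirm:$false
    [pscustomobject]@{ Canary = $name; Source = $SourceDc; Target = $TargetDc; Replicated = $seen }
}

Invoke-AdReplicationSync
Get-AdReplicationHealth | Format-Table -AutoSize
# Test-AdReplicationCanary -SourceDc logan.thewhites.ca -TargetDc logan2.thewhites.ca
```

Get-AdReplicationHealth gives one row per DC, partner and naming context; a LastResult of 0 with a recent LastSuccess on every row is the state the Replicate Now test in Sites and Services confirms by hand. The canary removes its own object, so it can be left in a scheduled task as a continuing check rather than a one-off.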

What is left?

  • It would be nice to fix the SYSVOL thing in the DCDIAG report, as it is the only issue left.
  • Should I see a SYSVOL when I do a net share on logan2?  Not sure.  But I think so?
  • Do the Win2K16 upgrade!

Links

Thanks

  • I really appreciate the help from Trevor Pott – it was most appreciated. He got me past the first few issues. Check out his blog if you want entertaining education.
  • James Kilby was able to get me a little further, and again that is most appreciated.  One of the more persnickety issues was also solved with James’ help.
  • Dave Kawula was a big help, and it seems he got AD working for me quite nicely.  I very much appreciate his help, and you can find his blog here.

I appreciate the help from the community very much.  I appreciate it a great deal, and of course it reminds me to try and empower and help others too.

I am going to let things run a few days before I actually declare things truly solved.

Updates:

  • 1/26/18 – just a few grammar and spelling tweaks.

Michael
