# _general
j
Probably not the ideal place to post but I am sure there are many on this board with great AD experience.... I recently powered my lab back on after 8 months or so, and my AD replication had stopped working on one DC. So I removed it from its role, seized all the FSMO roles to the second DC, then reinstalled ADDS and promoted it back to a DC. Everything seems to be OK - apart from the SYSVOL and NETLOGON shares, which don't seem to have been created, and I can't work out why. I can administer AD from both DCs, creating an object in ADUC on one DC replicates fine to the other, AD Sites and Services seems all OK and replication works when triggered manually.....anyone got any ideas why the two shares haven't created themselves? I have left it for a good few hours and nothing seems to have happened.... TIA
DCDiag output below
```text
   Starting test: Connectivity
      ......................... DC001 passed test Connectivity

Doing primary tests

   Testing server: HOME\DC001
      Starting test: Advertising
         Warning: DsGetDcName returned information for \\DC002.james-rankin.com, when we were trying to reach DC001.
         SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
         ......................... DC001 failed test Advertising
      Starting test: FrsEvent
         ......................... DC001 passed test FrsEvent
      Starting test: DFSREvent
         There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.
         ......................... DC001 failed test DFSREvent
      Starting test: SysVolCheck
         ......................... DC001 passed test SysVolCheck
      Starting test: KccEvent
         ......................... DC001 passed test KccEvent
      Starting test: KnowsOfRoleHolders
         ......................... DC001 passed test KnowsOfRoleHolders
      Starting test: MachineAccount
         ......................... DC001 passed test MachineAccount
      Starting test: NCSecDesc
         ......................... DC001 passed test NCSecDesc
      Starting test: NetLogons
         Unable to connect to the NETLOGON share! (\\DC001\netlogon)
         [DC001] An net use or LsaPolicy operation failed with error 67, The network name cannot be found..
         ......................... DC001 failed test NetLogons
      Starting test: ObjectsReplicated
         ......................... DC001 passed test ObjectsReplicated
      Starting test: Replications
         ......................... DC001 passed test Replications
      Starting test: RidManager
         ......................... DC001 passed test RidManager
      Starting test: Services
         ......................... DC001 passed test Services
      Starting test: SystemLog
         ......................... DC001 passed test SystemLog
      Starting test: VerifyReferences
         ......................... DC001 passed test VerifyReferences

   Running partition tests on : ForestDnsZones
      Starting test: CheckSDRefDom
         ......................... ForestDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... ForestDnsZones passed test CrossRefValidation

   Running partition tests on : DomainDnsZones
      Starting test: CheckSDRefDom
         ......................... DomainDnsZones passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... DomainDnsZones passed test CrossRefValidation

   Running partition tests on : Schema
      Starting test: CheckSDRefDom
         ......................... Schema passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Schema passed test CrossRefValidation

   Running partition tests on : Configuration
      Starting test: CheckSDRefDom
         ......................... Configuration passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... Configuration passed test CrossRefValidation

   Running partition tests on : james-rankin
      Starting test: CheckSDRefDom
         ......................... james-rankin passed test CheckSDRefDom
      Starting test: CrossRefValidation
         ......................... james-rankin passed test CrossRefValidation

   Running enterprise tests on : james-rankin.com
      Starting test: LocatorCheck
         ......................... james-rankin.com passed test LocatorCheck
      Starting test: Intersite
         ......................... james-rankin.com passed test Intersite
```
s
Sounds like something tombstoned.... You'd need to really jump on to your event log on both DCs to find out what's going on. I can't remember if DCs stay joined to the domain after being demoted as a DC, but if it did, did you unjoin it from the domain?
w
Did you do an AD and DNS cleanup BEFORE you brought the original DC back as a DC? I thought you heard me teach that in one of my AD webinars or classes?
j
Nope, possibly missed the cleanup stage.....I didn't unjoin it from the domain either
Not really anything showing in the event logs, it's bizarre
Is there some command for the AD/DNS cleanup?
w
Simple nowadays. In ADUC, delete the old demoted DC. In ADS&S, do the same. In DNS, manually expand EVERY node and delete the old DC. Now you are ready to repromote the old DC to a new DC.
j
Let me give this a bash then
w
The problem comes from reusing the host name. The old host name and GUID/SID own the DNS records, and the newly promoted DC with the reused name doesn't have the rights to update the original DNS records.
j
So I tried the cleanup, same error. Next I tried decommissioning the original failed DC entirely and replacing it with a brand new one with a new name. When I promote the new server to be a domain controller, I get the exact same error I got with the "old" one.
w
Weird. Just for a test, try this. In the NIC properties, deselect IPv6. I can't join ANY VM to my lab domain if IPv6 is selected on any DC or non-DC. This should not happen, but it is a 100% failure rate in my lab if any VM has IPv6 enabled. Just try it. I don't know when IPv6 broke or what Windows update broke it.
j
WTF - just noticed that the time zone is set incorrectly on the functional server......swore I checked this earlier
Duh
Interesting that you can only change it through PowerShell as well, that's something I've never noticed before
OK, let's see if this changes anything (IPv6 is disabled - my router hands out a custom DNS server to anything requesting an IPv6 address so it's disabled on all my lab machines)
Bleurgh.....still getting the same errors in dcdiag. I'm going to sleep on it
w
Then try the burflags as suggested earlier
j
OK so I worked through the "force authoritative synchronization for DFS-R sysvol" process. During this process I found that the DFS management tools weren't installed on my "new" domain controller, which seemed odd. After this was rectified and completed, I now have a SYSVOL share (woo-hoo!) with stuff in it....and dcdiag is not reporting the same errors as before