Pico
Site Admin
Joined: 18 Jan 2004 |
Posts: 250 |
Location: HostMachine.net |
|
|
Posted: 25.12.2018, 12:44 |
|
|
|
|
|
Hi,
the most frequent issue I encountered over the years are missing SYSVOL and NETLOGON shares. The consequences are errors on client and also on DC server itself, for example, when trying to RDP to domain controller, you get error:
"The requested domain either does not exist or is not accessible"
So, if you cannot login to DC via RDP, you will be able to login locally (or via ILO, iRMC, DRAC...any KVM console).
Another very common issue is also when adding new DC Domain Controller 2016 or 2019 to existing domain with previous single DC (or SBS 2008 or SBS 2011) environemnt, the new DC will simply not replicate SYSVOL and NETLOGON shares, DCDiag will most probably return also Global Catalog not found error:
"Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down."
1. First check for proper IP and DNS settings on domain controller. It might somehow IP got lost, maybe reset to DHCP, or DNS reverted to some public DNS. Just check those settings on DC, it takes few seconds:
Make sure 1st DNS of NEW-DC points to OLD-DC, and 2nd DNS to itself.
2. But most probably your DC stopped sharing SYSVOL and NETLOGON shares. Just check on DC:
\\SERVERNAME
If you do not see both SYSVOL and NETLOGON shares, that's your reason for problems!
If only NETLOGON share is missing, then you will have problems with GPO group policy.
Resolution?
NO PROBLEMS, let's go:
- First, check under C:\Windows\SYSVOL\domain if there are \Policies and \Scripts folders.
If they are missing, restore them from BACKUP (first to some OTHER location, then copy them over to above mentioned location)
- You may check the registry first and set SysVolReady to 1:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters |
- Then STOP File Replication Service
- Open Registry Editor regedit and navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup
Change the BurFlags DWORD value
- to D4 (hex) on the Single or Primary or Old DC/SBS, which has healthy share content \\OLD-SERVER\SYSVOL\domain, and
- to D2 (hex) on all Secondary DCs (if they exist).
Explanation: Value of D4 means Authoritative Restore, meaning this DC will keep existing content of C:\Windows\SYSVOL\domain and offer it for replication to other DCs, while D2 value means NON-Authoritative restore, meaning this DC will pull contents of C:\Windows\SYSVOL\domain from other (Authoritative) DC. In case of single DC, D4 value is the only logical choice...but you must manually restore contents of C:\Windows\SYSVOL\domain from backup before proceeding.
- START File Replication Service back on:
The \\SERVERNAME\SYSVOL share should be now up and visible.
- If \\SERVERNAME\NETLOGON share is still missing, you need to first check, if there is some content under C:\Windows\SYSVOL\domain folder (should be at least folder \Policies and \Scripts there). If this folder contains only _DO_NOT_REMOVE_... preexisting, then you should restore the contents of whole C:\Windows\SYSVOL folder from BACKUP (maybe shut down NTFRS service during the restore process to release files for overwriting), only then proceed to the following step:
Then you just need to flip SysVolReady flag from 1 to 0 and back to 1 to send signal to the system that files are ready to share.
To do so you open regedit again, navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters and change value of SysVolReady from 1 to 0 and then back to 1.
NETLOGON share should appear now.
[/code]
|
_________________ Site admin alias Labsy
Vsi nasveti in tehnične rešitve so podani v dobri veri in za ljudi z razčiščenimi pojmi o veljavni zakonodaji.
Odgovornost prevzemam izključno in samo za tiste posege, ki jih opravim lastnoročno.
|