Sysvol contents missing and no NetLogon share

Mauricio Botero · 23-10-2007

Hello,
I have about 8 sites with over 20 something DCs and 4 domains. In this one
site that I am having my problem, DomainA has this one Domain controller
(DCA) that just recently was converted from physical to virtual. I know
immediately your gonna think what ever problems your having probably stemmed
from converting a dc (USN rollback). Well I did the P2V while doing some
other stuff to prevent USN Rollback. After the P2V everything was working
fine; Replication, authentication, etc. It's been a week or two, and I got
reports that some clients were failing to apply Group Policy. Traced these
clients trying to get Group Policy from DCA and saw that this DC's SYSVOL
share \\DCA\sysvol was empty, and that there is no NetLogon share as well.

First I attempted to rebuild the sysvol structure using the
NTFRS_CMD_FILE_MOVE_ROOT file creation process. This did not work for me.

Tried stopping FRS, changing the burflags entry to d2, then starting the FRS
again and the log entries were showing results (saying that the membership in
the domain set was resetting, the files were moved to the preexisting folder,
etc); still no contents in the Sysvol share. I forced replication from one of
its inbound replication partners and replication was succcesful.

I think that the reason there is no Netlogon share under \\DCA\Netlogon is
because netlogon actually lives underneath the folders of Sysvol?

Any suggestions? Below are the only failures in the dcdiag on that server
(netdiag gives no errors):
-----------------------------------------------------------------------------------------------------------
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\DCA\netlogon)
[DCA] An net use or LsaPolicy operation failed with error 1203, No
network provider accepted the given network path..
-----------------------------------------------------------------------------------------------------------

I also get this error in the system log:
-----------------------------------------------------------------------------------------------------------
Event Type: Error
Event Source: NETLOGON
Event Category: None
Event ID: 5706
Date: 10/23/2007
Time: 1:49:25 PM
User: N/A
Computer: DCA
Description:
The Netlogon service could not create server share
F:\SYSVOL\sysvol\DomainA.COM\SCRIPTS. The following error occurred:
The system cannot find the path specified.
-----------------------------------------------------------------------------------------------------------

I also get this error in the application log(the frequency of this error is
odd):
-----------------------------------------------------------------------------------------------------------
Event Type: Error
Event Source: SceSrv
Event Category: None
Event ID: 1003
Date: 10/22/2007
Time: 3:05:55 PM
User: N/A
Computer: DCA
Description:
Notification of policy change from LSA/SAM has been retried and failed.
Error 4312 to save policy change for account S-1-5-21-x-x-x-x in the default
GPOs. For more debugging information, please look security\logs\scepol.log
under Windows root.
-----------------------------------------------------------------------------------------------------------

Thanks in advance

DJH · 24-10-2007

Hey,

In the FRS event log, do you have a recent eventID 13516:
"The File Replication Service is no longer preventing the computer DCA from
becoming a domain controller. The system volume has been successfully
initialized and the Netlogon service has been notified that the system volume
is now ready to be shared as SYSVOL."

I thought that the SYSVOL and NETLOGON shares were created once FRS had
succesfully replicated with another DC. So if those shares are missing I
would have thought there were issues with FRS/replication..

> I think that the reason there is no Netlogon share under \\DCA\Netlogon is
> because netlogon actually lives underneath the folders of Sysvol?
Regardless of where the folder is it would be shared as "Netlogon" so the
UNC path would be \\DCA\Netlogon - dcdiag will use a UNC path to verify if
other machines on the network can access it

I'd remove the replication objects under sites/servies -> DC -> NTDS settings
Restart Netlogon/FRS on the problem DC
wait 30 mins - then see if KCC can re-create them

No more errors in dcdiag?
No problems with a netdiag /test:dns ?
Is the virtual server using the same IP as the original physical box?

On DCA, assuming its AD integrated DNS, open up DNS, expand _msdcs.domain
There will be a CNAME record with the DC's GUID
x656556-gffggfgf-bvbvbv-fgffg-rtyttytyty ALIAS (CNAME) DCA.Domain.local

Copy the FQDN of this CNAME, then log onto another DC...lets say its DCB.
From DCB can you resolve this FQDN?

Mauricio Botero · 24-10-2007

Thanks for responding back.
For your first question,
> In the FRS event log, do you have a recent eventID 13516:
> "The File Replication Service is no longer preventing the computer DCA from
> becoming a domain controller. The system volume has been successfully
> initialized and the Netlogon service has been notified that the system volume
> is now ready to be shared as SYSVOL."

Yes that is the very last entry in my FRS log

> I thought that the SYSVOL and NETLOGON shares were created once FRS had
> succesfully replicated with another DC. So if those shares are missing I
> would have thought there were issues with FRS/replication..

So far all the tests for replication between DCA and its partners show up
great. repadmin /showrepls shows no problems, dcdiag shows no problems under
replication tests,etc...

> > I think that the reason there is no Netlogon share under \\DCA\Netlogon is
> > because netlogon actually lives underneath the folders of Sysvol?
> Regardless of where the folder is it would be shared as "Netlogon" so the
> UNC path would be \\DCA\Netlogon - dcdiag will use a UNC path to verify if
> other machines on the network can access it
>
> I'd remove the replication objects under sites/servies -> DC -> NTDS settings
> Restart Netlogon/FRS on the problem DC
> wait 30 mins - then see if KCC can re-create them

Ok I will try that...

> No more errors in dcdiag?

Nope, no other errors

> No problems with a netdiag /test:dns ?

Nope, those tests pass

> Is the virtual server using the same IP as the original physical box?

Yes. Also I did clear the arp cache already on the network equipment that
handles DCA and its replication partners (and almost all the other DCs in the
main site) right after the virtualization.

> On DCA, assuming its AD integrated DNS, open up DNS, expand _msdcs.domain
> There will be a CNAME record with the DC's GUID
> x656556-gffggfgf-bvbvbv-fgffg-rtyttytyty ALIAS (CNAME) DCA.Domain.local
>
> Copy the FQDN of this CNAME, then log onto another DC...lets say its DCB.
> From DCB can you resolve this FQDN?

It is ADI Dns zones, and yes I can resolve it.

Mauricio Botero · 25-10-2007

I deleted the connections and they came right back a minute later. FRS and
netlogon were restarted. No luck. Still no contents in the SYSVOL share and
still not netlogon share.

DJH · 25-10-2007

hmm im not sure then mate..

Try this doc:
http://www.jsifaq.com/SF/Tips/Tip.aspx?id=7394

Failing that, sounds like a rebuild..

cheers
DJH

"Mauricio Botero" wrote:

> I deleted the connections and they came right back a minute later. FRS and
> netlogon were restarted. No luck. Still no contents in the SYSVOL share and
> still not netlogon share.

DJH · 12-11-2007

http://support.microsoft.com/default.aspx/kb/315457

we had a similar problem with a DC this morning

we read the article above and determined that sysvol was missing its
junction point - we re-created the junction point, restarted FRS and hey
presto the share's re-appeared and no more frs errors in the eventlog.

I think when FRS starts it looks for the location of sysvol by referencing
the junction point. Anyway I thought id post back here but im sure you ended
up resolving your issue by now. If you did, what was the fix?

"DJH" wrote:

> hmm im not sure then mate..
>
> Try this doc:
> http://www.jsifaq.com/SF/Tips/Tip.aspx?id=7394
>
> Failing that, sounds like a rebuild..
>
> cheers
> DJH
>
> "Mauricio Botero" wrote:
>
> > I deleted the connections and they came right back a minute later. FRS and
> > netlogon were restarted. No luck. Still no contents in the SYSVOL share and
> > still not netlogon share.